QoS In The Enterprise

Quality of Service: Deploying Cisco QoS in the Enterprise. Tanner Hiland, May 17, 2007, updated March 25, 2010.

Description: A presentation describing the fundamentals needed to understand Cisco Quality of Service as deployed in a typical enterprise network.

Transcript of QoS In The Enterprise

Page 1: QoS In The Enterprise

Quality of Service

Deploying Cisco QoS in the Enterprise

Tanner Hiland, May 17, 2007

Updated March 25, 2010

Page 2: QoS In The Enterprise

Acronyms: do you know what these stand for?

CoS, ToS, DSCP, PHB, EF / AF / CS, IPP, 1p3q8t, PQ / CQ / CBWFQ / LLQ, WRED, WTD

Page 3: QoS In The Enterprise

Overview

• Main Categories
– Preferential Traffic Treatment
– Squelch Traffic Treatment
– Everything Else

• Reasoning
– Build networks to withstand the unexpected
– Saturated network links
– Network Attacks

Page 4: QoS In The Enterprise

QoS Components

• Classification and Marking

• Congestion Management
– Scheduling and Queuing

• Congestion Avoidance
– WRED

• Bandwidth Management
– Policing and Markdown

• Monitoring

Page 5: QoS In The Enterprise

CLASSIFICATION

Page 6: QoS In The Enterprise

Page 7: QoS In The Enterprise

Classification: What traffic do you want to match?

Layer 2
• MAC Address
• 802.1p CoS

Layer 3
• IP Address
• DSCP/IPP

Layer 4
• Protocol (TCP/UDP)
• TCP/UDP Port Number

Layer 7
• Network-Based Application Recognition (NBAR)

Page 8: QoS In The Enterprise

Classification Configuration Example

Match by access-list:

access-list 100 permit tcp host 1.1.1.1 any eq 80

Match by existing DSCP value:

class-map match-all CLASS-VOICE
 match dscp ef

Match by payload with NBAR (custom protocol: the syslog PRI field starts at offset 1 and is up to 3 characters long, UDP 514):

ip nbar custom SYSLOG_CUSTOM 1 variable priority 3 udp 514
class-map match-any CLASS-POLICE-SYSLOG
 match protocol SYSLOG_CUSTOM priority 190

Page 9: QoS In The Enterprise

Classification: NBAR In-(not-so-much) Depth

• Full layer-7 inspection
– Match protocols + payload data

• Examples
– Match Citrix application
– Match HTTP URLs
– Match syslog level
– Match RTP stream based on codec (G.711/G.729a)

• Does it slow down traffic? Yes, but not much. The first packet of a flow is deeply inspected; subsequent packets are CEF-switched.

class-map match-any CLASS-CRITICAL
 match protocol citrix app WORD
 match protocol http url *.site.com*
 match protocol http mime image/jpeg

(Caveat: "match protocol http url" matches the part of the URL after the host name; to match on the host name itself, use "match protocol http host".)

Page 10: QoS In The Enterprise

MARKING

Page 11: QoS In The Enterprise

Marking: How do you want to indicate packet priority?

Layer 2
• CoS (3 bits)

Layer 3
• IPP (3 bits)
• DSCP (6 bits)
• ECN (2 bits)

Let's look at the packet…

Page 12: QoS In The Enterprise

Marking: IP Header

(The slide shows two figures: the 802.1Q/p VLAN frame format, and the IPv4 ToS byte with the IP Precedence (IPP) and DSCP formats.)

IPv4 ToS bits: the 8-bit ToS byte carries the 6-bit DSCP in its high bits and the 2-bit ECN field in its low bits. The top 3 bits of the DSCP are the old IP Precedence field, which is why CSx equals IPP x. In the 802.1Q tag, CoS is the 3-bit priority (PCP) field of the Tag Control Information, followed by one CFI/DEI bit and the 12-bit VLAN ID.

Page 13: QoS In The Enterprise

Marking Example

Mark to CoS value:

policy-map POLICY-QOS-INGRESS
 class CLASS-VOICE-STREAM
  set cos 5

Mark to DSCP value:

policy-map POLICY-QOS-INGRESS
 class CLASS-VOICE-STREAM
  set dscp ef

Page 14: QoS In The Enterprise

Marking: DSCP Terminology

• DSCP
– Value in numeric form (e.g., DSCP 46, 24)

• Per-Hop Behaviors (PHBs)
– Define forwarding behavior
• Class Selectors (CS1-7, map to IPP values: CSx = DSCP 8x)
• Assured Forwarding (AFxy = DSCP 8x + 2y)
– x = DiffServ class ranging from 1-4
– y = drop precedence from 1-3 (3 being dropped most often)
• Expedited Forwarding (EF = DSCP 46)

Page 15: QoS In The Enterprise

Marking: Endpoints and Trust

Untrusted
• Workstations
• Servers
• Uncontrolled Nodes

Trusted
• CallManager
• Wireless Access Points
• Voice Gateways
• Faxes
• Conference Phones

Conditionally-Trusted
• Cisco IP Phones

Page 16: QoS In The Enterprise

Marking: Endpoints and Trust

Page 17: QoS In The Enterprise

Classification and Marking Design: QoS Baseline Marking Recommendations

Application             L3 Classification          L2
                        DSCP   PHB     IPP        CoS
Routing                 48     CS6     6          6
Voice                   46     EF      5          5
Video Conferencing      34     AF41    4          4
Streaming Video         32     CS4     4          4
Mission-Critical Data   26     AF31*   3          3
Call Signaling          24     CS3*    3          3
Transactional Data      18     AF21    2          2
Network Management      16     CS2     2          2
Bulk Data               10     AF11    1          1
Scavenger                8     CS1     1          1
Best Effort              0     0       0          0
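To make the bit layouts and PHB naming on the preceding slides concrete, here is an added Python example; it is not part of the presentation. It converts between PHB names, DSCP values, IPP and the ToS byte using the CSx = 8x and AFxy = 8x + 2y rules, builds and parses an 802.1Q tag, and reads the marking out of an IPv4 header. It covers every AF and CS codepoint, not just the rows in the table. The function names and the sample packet bytes are my own constructions.

```python
import struct

EF_DSCP = 46  # Expedited Forwarding, RFC 3246


def phb_to_dscp(name):
    """PHB name (default, EF, CS0-CS7, AF11-AF43) -> 6-bit DSCP value."""
    n = name.lower()
    if n in ("default", "be"):
        return 0
    if n == "ef":
        return EF_DSCP
    if len(n) == 3 and n.startswith("cs") and n[2] in "01234567":
        return 8 * int(n[2])                      # CSx: IPP x with the low 3 bits zero
    if len(n) == 4 and n.startswith("af") and n[2] in "1234" and n[3] in "123":
        return 8 * int(n[2]) + 2 * int(n[3])      # AFxy: class x, drop precedence y
    raise ValueError(f"unknown PHB name: {name}")


def dscp_to_phb(dscp):
    """6-bit DSCP value -> standard PHB name, or 'DSCPnn' for unnamed codepoints."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0-63")
    if dscp == EF_DSCP:
        return "EF"
    if dscp == 0:
        return "default"
    cls, low = divmod(dscp, 8)
    if low == 0:
        return f"CS{cls}"
    if 1 <= cls <= 4 and low in (2, 4, 6):
        return f"AF{cls}{low // 2}"
    return f"DSCP{dscp}"


def ipp_of(dscp):
    """IP Precedence is the top 3 bits of the DSCP field (backward compatible)."""
    return dscp >> 3


def tos_byte(dscp, ecn=0):
    """IPv4 ToS byte: DSCP in bits 7..2, ECN in bits 1..0."""
    return ((dscp & 0x3F) << 2) | (ecn & 0x3)


def parse_tos(tos):
    return tos >> 2, tos & 0x3


def dot1q_tci(cos, vid, dei=0):
    """802.1Q Tag Control Information: 3-bit PCP (CoS), 1-bit DEI/CFI, 12-bit VID."""
    return ((cos & 0x7) << 13) | ((dei & 0x1) << 12) | (vid & 0xFFF)


def parse_tci(tci):
    return tci >> 13, (tci >> 12) & 0x1, tci & 0xFFF


def marking_of_ipv4(packet):
    """Read (DSCP, ECN) from the second byte of an IPv4 header."""
    version_ihl, tos = struct.unpack_from("!BB", packet, 0)
    if version_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return parse_tos(tos)


def baseline_row(app, phb):
    """Derive the DSCP/PHB/IPP/CoS columns of the baseline table from the PHB name alone.
    CoS is taken equal to IPP, which is what the switch cos-dscp / dscp-cos maps assume."""
    d = phb_to_dscp(phb)
    return {"app": app, "dscp": d, "phb": dscp_to_phb(d), "ipp": ipp_of(d), "cos": ipp_of(d)}


# Constructed sample (not captured traffic): a minimal IPv4/UDP header with ToS 0xB8 = DSCP EF.
SAMPLE_EF_PACKET = bytes.fromhex("45b8003c 00010000 40110000 c0a80101 c0a80102")

if __name__ == "__main__":
    for app, phb in (("Voice", "ef"), ("Mission-Critical Data", "af31"), ("Scavenger", "cs1")):
        print(baseline_row(app, phb))
    print("sample packet marking (dscp, ecn):", marking_of_ipv4(SAMPLE_EF_PACKET))
```

The same arithmetic is what a capture-based check of a trust boundary needs: read the ToS byte of packets arriving from an access port and confirm an untrusted host cannot get DSCP 46 past the switch.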

Page 18: QoS In The Enterprise

RFC 4594 - Configuration Guidelines for DiffServ Service Classes (new-ish)

Page 19: QoS In The Enterprise

Marking Notes

• External packet prioritization tags
– Transmitted IGP/EGP packets are auto-marked DSCP CS6 by default

• Internal packet prioritization tags
– IGPs (EIGRP, OSPF, etc.) are internally marked "PAK_PRIORITY" for intra-router preferential treatment

• CoS-DSCP maps, DSCP mutation, etc.

• DSCP passes through if switch QoS is disabled. In that state whatever marking an endpoint chooses is honored downstream, so the trust boundary from slide 15 only exists once QoS is enabled and access ports are left untrusted or conditionally trusted.

Page 20: QoS In The Enterprise

SCHEDULING & QUEUING

Page 21: QoS In The Enterprise

Scheduling & Queuing

(Diagram: the software output queue, serviced by one of the mechanisms below, feeds the interface TxRing.)

• Priority Queuing (PQ)
• Custom Queuing (CQ)
• Weighted Fair Queuing (WFQ)
• Class-Based Weighted Fair Queuing (CBWFQ)
• Low Latency Queuing (LLQ)

Page 22: QoS In The Enterprise

Queuing

• Why queuing?
– Rearrange packets waiting to be transmitted

• LLQ
– Combination of PQ (strict) + CBWFQ
– Typically PQ (strict) + CBWFQ + FQ

• Caveats
– Platform-specific priority and transmit queues (Q1 vs Q4, 1P2Q2T)

Page 23: QoS In The Enterprise

Queuing: LLQ Diagram

Page 24: QoS In The Enterprise

VoIP Bandwidth Requirements

• Calculate bandwidth per call
– Stream (codec + L3 + L2 overhead)
– G.711 = 77-93 Kbps (without cRTP)
– G.729A = 21-37 Kbps (without cRTP)

• Call Signaling
– 150 bytes per phone for voice control

• Call Admission Control (CAC)
– Prevents CUCM from placing a WAN call if there is not enough priority bandwidth
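An added worked calculation (not from the presentation) of the per-call figures above: one RTP stream is one packet every 20 ms carrying 20 ms of codec output plus 40 bytes of IP/UDP/RTP header (2 bytes with cRTP) plus Layer-2 framing, and the CAC limit is how many such streams fit in the LLQ priority class. The codec rates and the 40-byte/2-byte header sizes are standard; the PPP (6 bytes) and Ethernet (18 bytes) framing figures, the function names and the T1 example are my assumptions.

```python
# Codec bit rates (bps) for the two codecs named on the slide.
CODEC_BPS = {"G.711": 64_000, "G.729A": 8_000}
IP_UDP_RTP_HDR = 40       # 20 IPv4 + 8 UDP + 12 RTP bytes per packet
CRTP_HDR = 2              # cRTP compresses the 40-byte header to 2 bytes (4 with UDP checksum)
# Assumed Layer-2 framing overhead per packet (Ethernet figure includes the FCS).
L2_OVERHEAD = {"ppp": 6, "ethernet": 18}
PRIORITY_CAP_PERCENT = 33  # the "no more than 33 percent strict priority" rule from the best-practice slide


def voice_packet_bytes(codec, sample_ms=20, l2="ppp", crtp=False):
    """Bytes on the wire for one voice packet carrying sample_ms of audio."""
    payload = CODEC_BPS[codec] * sample_ms // 8000   # G.711: 160 bytes, G.729A: 20 bytes
    header = CRTP_HDR if crtp else IP_UDP_RTP_HDR
    return payload + header + L2_OVERHEAD[l2]


def call_bandwidth_bps(codec, sample_ms=20, l2="ppp", crtp=False):
    """Bandwidth of one RTP stream (one call, one direction) on the given link type."""
    packets_per_second = 1000 // sample_ms
    return voice_packet_bytes(codec, sample_ms, l2, crtp) * 8 * packets_per_second


def priority_bandwidth_bps(link_kbps, priority_percent):
    """Bandwidth reserved by 'priority percent N' on an interface with 'bandwidth <link_kbps>'."""
    return link_kbps * 1000 * priority_percent // 100


def max_calls(link_kbps, priority_percent, codec, l2="ppp", crtp=False):
    """CAC input: simultaneous calls that fit in the LLQ priority class without overflowing it."""
    return priority_bandwidth_bps(link_kbps, priority_percent) // call_bandwidth_bps(codec, l2=l2, crtp=crtp)


def priority_percent_ok(priority_percent):
    """Strict priority above roughly a third of the link starves the CBWFQ classes."""
    return priority_percent <= PRIORITY_CAP_PERCENT


def plan(link_kbps=1536, priority_percent=20):
    """Worked plan for the T1 / 'priority percent 20' WAN example later in the deck (PPP, no cRTP)."""
    return {codec: max_calls(link_kbps, priority_percent, codec) for codec in CODEC_BPS}


if __name__ == "__main__":
    for codec in CODEC_BPS:
        for l2 in L2_OVERHEAD:
            print(f"{codec} over {l2}: {call_bandwidth_bps(codec, l2=l2) / 1000:.1f} kbps,"
                  f" with cRTP {call_bandwidth_bps(codec, l2=l2, crtp=True) / 1000:.1f} kbps")
    print("calls that fit in 20% of a T1:", plan())
```

The point CAC protects is that the priority queue is policed, not just prioritized: a call admitted beyond the computed limit is not delayed, its packets are dropped, and every call in the class degrades.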

Page 25: QoS In The Enterprise

Queuing Example

policy-map POLICY-QOS-EGRESS
 class CLASS-ROUTING
  bandwidth percent 2
 class CLASS-VOICE-STREAM
  priority percent 20
 class CLASS-VIDEO-INTERACTIVE
  bandwidth percent 29
 class CLASS-CALL-SIGNALING
  bandwidth percent 3
 class CLASS-MISSION-CRITICAL
  bandwidth percent 24
  random-detect dscp-based
 class CLASS-SCAVENGER
  bandwidth percent 1
  random-detect dscp-based
 class class-default
  bandwidth percent 21
  random-detect dscp-based

interface Serial 0/1/0
 bandwidth 1536
 ip nbar protocol-discovery
 max-reserved-bandwidth 100
 service-policy output POLICY-QOS-EGRESS

(The class percentages add up to 100; that only attaches because "max-reserved-bandwidth 100" lifts the IOS default of 75 percent reservable per interface. "bandwidth 1536" is in kbps and is the rate the percentages are computed against.)

Page 26: QoS In The Enterprise

CONGESTION AVOIDANCE

Page 27: QoS In The Enterprise

Congestion Avoidance

• Why care about congestion avoidance?
– Manages the tail of the queue
– Queue full = no QoS

• Mechanisms
– Random Early Detect (RED)
– Weighted Random Early Detect (WRED)
– DSCP-based WRED
– WRED can set the IP ECN bits instead of dropping (random-detect ecn), for flows whose endpoints negotiated ECN

• Example

policy-map POLICY-QOS-EGRESS
 class CLASS-SCAVENGER
  bandwidth percent 1
  random-detect dscp-based

Page 28: QoS In The Enterprise

Congestion Avoidance: Monitoring Drops

Check total interface drops:

sh int s1/0 | i drop
  Input queue: 1/75/0/0 (size/max/drops/flushes); Total output drops: 344321

Check drop details:

sh policy-map int s1/0 output
  Class-map: CLASS-SCAVENGER (match-any)
    (depth/total drops/no-buffer drops) 0/336172/0
    dscp  Transmitted        Random drop        Tail drop       Minimum  Maximum  Mark
          pkts/bytes         pkts/bytes         pkts/bytes      thresh   thresh   prob
    af42  0/0                0/0                0/0             28       40       1/10
    af43  0/0                0/0                0/0             24       40       1/10
    cs1   1714453/21300774   330232/478897145   5940/8446381    22       40       1/10
    cs2   0/0                0/0                0/0             24       40       1/10
    cs3   0/0                0/0                0/0             26       40       1/10

Reading the output: of the 344321 total output drops on the interface, 336172 are in CLASS-SCAVENGER, almost all of them WRED random drops of CS1 rather than tail drops. The scavenger class is absorbing the congestion as designed, instead of voice or mission-critical traffic. Note also that af43 has a lower minimum threshold (24) than af42 (28): within an AF class the higher drop precedence is discarded first.
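To show what the Minimum / Maximum / Mark-prob columns above actually do, here is an added Python model of DSCP-based WRED; it is not from the presentation. It uses the per-DSCP thresholds copied from the show output, the RED drop-probability ramp, and the exponentially weighted average queue depth that IOS compares against the thresholds (default exponential-weighting-constant 9). The function names and the depth samples are my own.

```python
# Per-DSCP WRED profile as shown in the 'show policy-map interface' output above:
# dscp -> (minimum threshold, maximum threshold, mark-probability denominator).
WRED_PROFILE = {
    "af42": (28, 40, 10),
    "af43": (24, 40, 10),
    "cs1": (22, 40, 10),
    "cs2": (24, 40, 10),
    "cs3": (26, 40, 10),
}


def wred_drop_probability(avg_depth, min_th, max_th, mark_denom):
    """RED drop probability for one packet at the current average queue depth.
    Below min: never drop. Between min and max: ramps linearly from 0 up to 1/mark_denom.
    At or above max: every packet is dropped (this shows up as tail drops)."""
    if avg_depth < min_th:
        return 0.0
    if avg_depth >= max_th:
        return 1.0
    return (avg_depth - min_th) / (max_th - min_th) / mark_denom


def wred_average_depth(prev_avg, current_depth, exp_weight=9):
    """Exponentially weighted moving average of queue depth:
    avg = (1 - 2^-n) * avg + 2^-n * current, with n = exponential-weighting-constant (IOS default 9)."""
    w = 2.0 ** -exp_weight
    return (1.0 - w) * prev_avg + w * current_depth


def drop_probabilities(avg_depth, profile=WRED_PROFILE):
    """Drop probability of each DSCP in the class at one average depth."""
    return {dscp: wred_drop_probability(avg_depth, *th) for dscp, th in profile.items()}


def first_class_dropped(profile=WRED_PROFILE):
    """Which DSCP starts losing packets first as the queue fills (lowest minimum threshold)."""
    return min(profile, key=lambda d: profile[d][0])


def simulate_average(depth_samples, exp_weight=9):
    """Run the EWMA over a constructed sequence of instantaneous queue depths (starting empty)."""
    avg = 0.0
    for depth in depth_samples:
        avg = wred_average_depth(avg, depth, exp_weight)
    return avg


if __name__ == "__main__":
    print("first DSCP to be dropped:", first_class_dropped())
    for avg in (20, 23, 31, 39, 40):
        print(avg, {d: round(p, 4) for d, p in drop_probabilities(avg).items()})
    # Constructed burst: a short burst barely moves the average, a sustained one does.
    print("avg after 10 samples at depth 40:", round(simulate_average([40] * 10), 3))
    print("avg after 1000 samples at depth 40:", round(simulate_average([40] * 1000), 3))
```

Two practical consequences fall out of the model: the scavenger codepoint (lowest minimum threshold) is the first to be discarded, which is the whole reason for marking down suspect traffic to CS1, and because the average moves by 1/512 of the difference per sample, a brief burst never reaches the thresholds at all; WRED only bites on sustained congestion, which is why the slide pairs it with policing at the edge.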

Page 29: QoS In The Enterprise

POLICING & MARKDOWN

Page 30: QoS In The Enterprise

Policing & Markdown

• Switch
– Only supports a single-rate, two-color (conform/exceed) policer

policy-map POLICY-QOS-INGRESS
 class CLASS-VOICE-STREAM
  set dscp ef
  police 128000 8000 exceed-action {drop | policed-dscp-transmit}

• Router
– Three-color policer (conform/exceed/violate). As shown it is single-rate with a committed burst and an excess burst; be is not given here and defaults to bc (8000 bytes). A two-rate version adds a pir.

police 128000 8000 conform-action transmit exceed-action set-dscp-transmit af32 violate-action set-dscp-transmit af33

• exceed-action :: action when the rate is between the conform burst and conform + excess burst
• violate-action :: action when the rate is greater than conform + excess burst

Why police a class you already trust: the voice class is set to EF and then capped at 128 kbps per port, so a host that forges DSCP EF (or a compromised phone) can inject at most that much into the priority queue. Without the policer the strict-priority queue on every uplink becomes a denial-of-service vector for real voice calls.

Page 31: QoS In The Enterprise

Examples: Switch (Mapping on Catalyst 3750)

Ingress maps (CoS-to-DSCP, and the markdown map used by policed-dscp-transmit, which sends every listed DSCP to 8 = CS1 scavenger):

mls qos map cos-dscp 0 8 16 24 32 46 48 54
mls qos map policed-dscp 0 10 18 24 25 26 34 to 8

(CoS 7 maps to DSCP 54 as presented; the standard CS7 codepoint is 56.)

Output queuing using CoS:

mls qos srr-queue output cos-map queue 1 threshold 3 5
mls qos srr-queue output cos-map queue 2 threshold 1 2 4
mls qos srr-queue output cos-map queue 2 threshold 2 3
mls qos srr-queue output cos-map queue 2 threshold 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 0
mls qos srr-queue output cos-map queue 4 threshold 3 1

Output queuing using DSCP:

mls qos srr-queue output dscp-map queue 1 threshold 3 46
mls qos srr-queue output dscp-map queue 2 threshold 1 16
mls qos srr-queue output dscp-map queue 2 threshold 1 18 20 22
mls qos srr-queue output dscp-map queue 2 threshold 1 32
mls qos srr-queue output dscp-map queue 2 threshold 1 34 36 38
mls qos srr-queue output dscp-map queue 2 threshold 2 24 26
mls qos srr-queue output dscp-map queue 2 threshold 3 48 56
mls qos srr-queue output dscp-map queue 3 threshold 3 0
mls qos srr-queue output dscp-map queue 4 threshold 1 8
mls qos srr-queue output dscp-map queue 4 threshold 3 10 12 14

Queue drop thresholds:

mls qos queue-set output 1 threshold 2 70 80 100 100
mls qos queue-set output 1 threshold 4 40 100 100 100
mls qos

("mls qos" enables QoS globally; until it is entered none of the maps take effect and DSCP passes through the switch untouched.)

Page 32: QoS In The Enterprise

Examples: Switch (Mark and Police)

mls qos map policed-dscp 0 10 18 24 25 26 34 to 8

ip access-list extended ACL-VOICE-STREAM
 remark --- VoIP RTP Call Stream
 permit udp 10.0.0.0 0.0.0.255 any range 16384 32768

class-map match-all CLASS-VOICE-STREAM
 match access-group name ACL-VOICE-STREAM

policy-map POLICY-QOS-INGRESS
 class CLASS-VOICE-STREAM
  set dscp ef
  police 128000 8000 exceed-action drop
 class class-default
  set dscp 0
  police 5000000 8000 exceed-action policed-dscp-transmit

interface FastEthernet 1/0/1
 srr-queue bandwidth share 1 70 25 5
 srr-queue bandwidth shape 3 0 0 0
 priority-queue out
 service-policy input POLICY-QOS-INGRESS

What this enforces on an access port: class-default rewrites whatever DSCP the host set to 0, so an untrusted workstation cannot promote its own traffic; anything above 5 Mbps is marked down to CS1 through the policed-dscp map rather than dropped, which hands a misbehaving host (worm scan, bulk transfer) to the 1-percent scavenger queue on the WAN instead of dropping it at the edge. Voice is remarked EF but capped at 128 kbps with drop. On egress, "priority-queue out" makes queue 1 strict priority and "srr-queue bandwidth shape 3 0 0 0" caps it at one third of the port rate, matching the 33-percent rule on the best-practices slide.

Page 33: QoS In The Enterprise

Examples: Router LAN (Marking)

class-map match-all CLASS-MARK-MISSION-CRITICAL
 match protocol http url orders.cisco.com*
 match input-interface FastEthernet 0/0

class-map match-any CLASS-MARK-SCAVENGER
 match protocol bittorrent
 match protocol edonkey
 match protocol fasttrack
 match protocol gnutella
 match protocol kazaa2
 match protocol napster
 match protocol winmx

policy-map POLICY-QOS-INGRESS
 class CLASS-MARK-MISSION-CRITICAL
  set dscp af31
 class CLASS-MARK-SCAVENGER
  set dscp cs1

interface FastEthernet 0/1
 description --- FROM LAN
 ip nbar protocol-discovery
 service-policy input POLICY-QOS-INGRESS

(Two things to check before copying this: the policy is applied inbound on FastEthernet 0/1, so packets it sees have FastEthernet 0/1 as their input interface and the match-all condition "match input-interface FastEthernet 0/0" can never be true; the interface numbers need to agree. And "match protocol http url" matches the part of the URL after the host name, so a host name such as orders.cisco.com should be matched with "match protocol http host".)

Page 34: QoS In The Enterprise

Examples: Router WAN (Queuing)

class-map match-all CLASS-ROUTING
 match dscp cs6
class-map match-all CLASS-VOICE-STREAM
 match dscp ef
class-map match-any CLASS-SCAVENGER
 match dscp cs1

policy-map POLICY-QOS-EGRESS
 class CLASS-ROUTING
  bandwidth percent 2
 class CLASS-VOICE-STREAM
  priority percent 20
 class CLASS-SCAVENGER
  bandwidth percent 1
  random-detect dscp-based
 class class-default
  bandwidth percent 21
  random-detect dscp-based

interface Serial 0/1/0
 max-reserved-bandwidth 100
 ip nbar protocol-discovery
 service-policy output POLICY-QOS-EGRESS

Page 35: QoS In The Enterprise

Examples: Router WAN (Remark)

class-map match-any CLASS-REMARK-AF31-TO-AF41
 match dscp af31
class-map match-any CLASS-REMARK-AF21-TO-AF31
 match dscp af21

policy-map POLICY-QOS-WAN-INGRESS
 description --- Remark DSCP values from carrier
 class CLASS-REMARK-AF31-TO-AF41
  set dscp af41
 class CLASS-REMARK-AF21-TO-AF31
  set dscp af31

interface Serial 0/1/0
 service-policy input POLICY-QOS-WAN-INGRESS

(Each packet is classified once per policy, against the first class it matches, so AF21 traffic is remarked to AF31 and is not then re-evaluated against the AF31-to-AF41 class. The carrier's markings are treated here the same way an untrusted endpoint's are: rewritten at the boundary to the enterprise's own scheme.)

Page 36: QoS In The Enterprise

Best Practices

• Classify and mark applications as close to their sources as technically and administratively feasible.
• Use DSCP markings whenever possible.
• Always enable QoS policies in hardware (switch) rather than software (router) whenever a choice exists.
• Follow standards-based DSCP PHB markings to ensure interoperability and future expansion.
• Police traffic flows as close to their sources as possible.
• Whenever supported, markdown should be done according to standards-based rules.
• The only way to provide service guarantees is to enable queuing at any node that has the potential for congestion.
• Limit the amount of strict priority queuing to no more than 33 percent of link capacity.