iwan avc/qos designd2zmdbbm9feqrf.cloudfront.net/2016/usa/pdf/brkrst-2043.pdf · iwan avc/qos...

IWAN AVC/QoS Design

Kelly Fleshner, Communications Architect

CCIE #1852 – 20 years

BRKRST-2043

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public

Housekeeping

• Who am I? ([email protected])

• “Intermediate” Class

This is not an ‘Introduction to IWAN’ session

This is not an ‘IWAN Design’ session (Some design aspects will be discussed)

This session is about how to configure AVC/QoS with your Cisco Intelligent WAN

Session Abstract:

The most expensive bandwidth in the enterprise is in the WAN; as such, it should be fully optimized to deliver maximum ROI. Thissession focuses on how to deliver such optimization by deploying Application Visibility and Control (AVC) and Quality of Service (QoS) over the Intelligent WAN (IWAN). Cisco’s QoS paradigm will be reviewed and applied to the IWAN, along with best practice QoS design recommendations. Practical and detailed design configurations will be presented for hierarchical QoS policies for sub-line rate Ethernet handoffs, MPLS VPN Class-of-Service mapping and DMVPN per-tunnel QoS. Additionally, new AVC/QoStechnologies, such as NBAR2 QoS attributes will be introduced and applied to the IWAN. Cisco Prime Infrastructure templates for deploying and managing the IWAN will be reviewed, as will Cisco’s SD-WAN solution, the APIC-EM IWAN application, to show how the IWAN QoS and PfR can be centrally controlled.

BRKRST-2043 3

• Cisco’s Approach to AVC/QoS

• Ingress LAN AVC/QoS Design

• Egress WAN AVC/QoS Design

• SD-WAN QoS (APIC-EM IWAN App)

• Summary and References

Agenda


The Why of AVC/QoS

AVC & QoS

Transform your business through

powerful yet simple networks

that are customized and optimized

to meet your needs

Why

BRKRST-2043 5

Cisco’s Approach to AVC/QoS

6

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 7BRKRST-2043

Where to start?Strategic vs Tactical

VS

http://www.google.ca/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&cad=rja&uact=8&ved=0CAcQjRw&url=http://www.123plans.co.uk/services/&ei=qqBoVdaiMKXksATt7ICIDg&bvm=bv.94455598,d.cWc&psig=AFQjCNGIzU3LAETaAgHZ3hfzuO5hkOAuDw&ust=1433006605900115


© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 8BRKRST-2043

Levels of QoS Policy AbstractionStrategic vs. Tactical

• Strategic QoS Policy (WHY you want QoS)

• reflects business intent

• is not constrained by any technical or administrative limitation

• is end-to-end

• Tactical QoS Policy (HOW you are going to do it / WHAT you configure)

• adapts the strategic business intent to the maximum of platform’s capabilities

• is limited by various tactical constraints, including:• Media constraints (e.g. the WLAN has only 4 levels of service [access categories])

• Platform constraints (e.g. a Catalyst 3750 has only 4 hardware queues)

• Interface constraints (e.g. a T1 WAN link has limited bandwidth)

• Role constraints (e.g. a CE may need to map into a reduced set of SP Classes-of-Service)


Strategic QoS Design

• Guaranteeing voice quality meets enterprise standards

• Ensuring a high Quality of Experience for video applications

• Improving user productivity by minimizing network response times

• Managing business applications that are “bandwidth hogs”

• Identifying and de-prioritizing non-business applications

• Improving network availability by protecting the control planes

• Hardening the network infrastructure to deal with abnormal events

Part 1 of 4: Always Start with Defining the Business Goals of QoS

BRKRST-2043 9




Strategic QoS DesignPart 2 of 4: Assign Business-Relevance to Applications

Relevant IrrelevantDefault

• These applications directly supports business objectives

• Applications should be classified and marked according to RFC 4594-based rules

• These applications may/may not support business objectives

• E.g. HTTP/HTTPS

• Alternatively, administrator may not know the application (or how its being used in the org)

• Applications in this class should be marked DF and provisioned with a default best-effort service (RFC 2474)

• These applications are known and do not directly support any business objectives; this class includes all personal/consumer applications

• Applications in this class should be marked CS1 and provisioned with a “less-than-best-effort” service , per (RFC 3662)

BRKRST-2043 10


• Is the protocol a Network Control protocol?

• This includes all network routing and control-plane protocols• E.g. BGP, OSPF, EIGRP, HSRP, IKE, etc.

• Is the protocol a Signaling protocol?

• This includes all call signaling / bandwidth reservation protocols• E.g. SIP, Skinny, H.323, RSVP etc.

• Is the protocol an Operations / Administration / Management protocol?

• This includes all network management protocols (e.g. SNMP, Telnet, SSH, Syslog, NetFlow, etc.)

Control

Plane?

Network

Control?

Yes

Network ControlYes

SignalingYes

OAMYes

OAM?No

Signaling?No

No

Strategic QoS DesignPart 3a of 4: Assign Control Plane to traffic-classes

BRKRST-2043 11


• Is the application voice?• Audio-only media (e.g. G.711, G.729 etc.)

• Note: This class may be used for the audio-component of multimedia applications, such as Cisco Jabber and/or Microsoft Lync; however, this option should ONLY be considered if this causes no conflict with your overall Call Admission Control strategy and voice-queue provisioning

Voice? VoiceYes

No

Strategic QoS DesignPart 3b of 4: Assign Voice applications / sub-components to voice traffic-class

BRKRST-2043 12


• If the application is video?

• If yes: determine if the application is unidirectional or bidirectional?

• Then determine if the application is elastic (i.e. adaptive to congestion/drops) or inelastic?

Video? Unidirectional?

Yes

Multimedia-ConferencingYes

No

Elastic?

No

(Bidirectional)

YesElastic?

Broadcast VideoNo

(Inelastic)

Multimedia-StreamingYes

No

(Inelastic)

Realtime-Interactive

Strategic QoS DesignPart 3c of 4: Assign Video applications / sub-components to traffic-classes

BRKRST-2043 13


• Is the application Data?

• Then determine: Is the application foreground or background?

• Foreground applications will directly impact user-productivity with network delays

• Background applications will not (as these are typically machine-to-machine flows)

• However, these apps can be very bandwidth intensive (if unrestrained)

• If it is not known if a data app is foreground, then assume it is background

• Otherwise – the application/protocol remains in the default class (Best Effort)

Data? Foreground?Yes

Bulk DataNo

(Background)

Transactional DataYes

No

Best Effort

Strategic QoS DesignPart 3d of 4: Assigning Data applications to traffic-classes

BRKRST-2043 14


Strategic QoS DesignPart 3e of 4: Apply RFC 4594-based Marking / Queuing / Dropping Treatments

Application

Class

Per-Hop

Behavior

Queuing &

Dropping

Application

Examples

VoIP Telephony EF Priority Queue (PQ) Cisco IP Phones (G.711, G.729)

Broadcast Video CS5 (Optional) PQ Cisco IP Video Surveillance / Cisco Enterprise TV

Real-Time Interactive CS4 (Optional) PQ Cisco TelePresence

Multimedia Conferencing AF4 BW Queue + DSCP WRED Cisco Jabber, Cisco WebEx

Multimedia Streaming AF3 BW Queue + DSCP WRED Cisco Digital Media System (VoDs)

Network Control CS6 BW Queue EIGRP, OSPF, BGP, HSRP, IKE

Signaling CS3 BW Queue SCCP, SIP, H.323

Ops / Admin / Mgmt (OAM) CS2 BW Queue SNMP, SSH, Syslog

Transactional Data AF2 BW Queue + DSCP WRED ERP Apps, CRM Apps, Database Apps

Bulk Data AF1 BW Queue + DSCP WRED E-mail, FTP, Backup Apps, Content Distribution

Best Effort DF Default Queue + RED Default Class

Scavenger CS1 BW Queue (Deferential) YouTube, Netflix, iTunes, BitTorrent, Xbox Live

Relevant

Default

Irrelevant

BRKRST-2043 15


Part 4 of 4: Assign bandwidth allocation targets

VOICE10%

INTERACTIVE-VIDEO

27%

STREAMING-VIDEO

9%NET-CTRL

5%

CRITICAL-DATA22%

CALL-SIG4%

DEFAULT22%

Strategic QoS Design

Example:Map 12-classes to 8-queues for IWAN

SCAVENGER 1%

16


Strategic QoS Design: At-A-Glance

http://tinyurl.com/hw4sbj6

Reference

BRKRST-2043 17


IWAN-Specific QoSDesign Considerations

18


What is IWAN from a QoS Perspective?

• Replacing expensive MPLS service with business class internet

• Performance Routing (PfR) to load balance / provide resiliency / best path

• Dynamic Multipoint VPN (DMVPN) overlay on MPLS and Internet

• Up to 2,000 remote sites per hub router in a single domain

• MPLS will have Service Provider QoS, but with Internet we assume none

BRKRST-2043 19




Hub

BR

T1

Branch

T1

Branch

T3

Branch

10

Mbps

Branch

T3

Branch

Hybrid Model – MPLS and Internet

INET

MPLS

Hub

BR

BRKRST-2043

Hub

MC

20


Hub

BR

T1

Branch

T1

Branch

T3

Branch

10 Mbps

Branch

T3

Branch

Hub Site QoS Scheduling Requirements

80 Mbps

1.5 Mbps

1.5 Mbps

45 Mbps

10 Mbps

45 Mbps

Service

Rate

GE

Shape for

Service Rate

Per Site

Bandwidth Sharing

Within Tunnel

Shape for

Remote Site

Last Mile

Bandwidth Sharing

Between Tunnels

BRKRST-2043 21


P1 P1

Per-SA QoS Site1 – T1

Hub Site QoS Scheduling Hierarchy We Have Today

Police

150KPolice

4.5M

priority prioritydata dataclass-default class-default

P1

Police

1M

priority data class-default

To Physical

Per-SA QoS Site2 – T3 Per-SA QoS Site N – 10 Mbps

Parent

Policy on

Tunnel

Child

Policy on

Tunnel

Class Default

Policy on Physical

Shape for Service Rate

on Physical interface

Bandwidth Sharing

between tunnels

Bandwidth sharing

within tunnel

22

Shape for remote

site last mile

BRKRST-2043


Aggregate Priority LoadPriority Queue with Conditional Policer (Implicit Policer)

P1

Police

20M


100 Mbps

Interface

30 Mbps

30 Mbps

Offered

Load

Congestion

Feedback

30 Mbps

Expected

Throughput

Per Class

Behavior with No Congestion

P1

Police

20M


100 Mbps

Interface

30 Mbps

20 Mbps

Congestion

Feedback

20 Mbps

Behavior with Congestion

90 Mbps

80 Mbps

policy-map CONDITIONAL-POLICER

class PRIORITY

priority 200000

No Congestion

No Policing

BRKRST-2043 23


Aggregate Priority LoadPriority Queue with Always On Policer (Explicit Policer)

P1

Police

20M


100 Mbps

Interface

30 Mbps

20 Mbps

Offered

Load

20 Mbps

Expected

Throughput

Per Class


P1

Police

20M


100 Mbps

Interface

30 Mbps

20 Mbps

20 Mbps


90 Mbps

80 Mbps

policy-map ALWAYS-ON-POLICER

class PRIORITY

priority level 1

police cir 200000

Always On

Policer

BRKRST-2043 24


P1 P1

Police

150K

Police

4.5M

prioritypriority

data dataclass-default class-default

P1

Police

1M


To Physical

WAN

Aggregation

Node

Priority Propagation / Passing Lanes

Aggregate Priority Load

25BRKRST-2043


Aggregate Priority LoadIWAN Details

• IWAN supports 2,000 remote sites in a single domain

• Consider an average 2 Mbps access rate for remote sites – Aggregate: 4 Gbps

• On a GE connected Hub BR, we are already 4:1 oversubscribed

• If service-rate is less than GE (likely – say 500 Mbps) the oversubscription increases to 8:1

• An Aggregate Priority Load greater than Service Rate will starve non-Priority (including network control)

• Voice at 10% – Potential aggregate voice = 400 Mbps (10% of 4 Gbps sum of shapers)

• Always On Policer for Voice means we stay under the service rate

• Conditional Policer means individual sites could send more and over run the service rate

• Realtime Interactive – Another 27% of Priority queue (30% * .90)

• Potential Aggregate Priority Load – 37% of 4 Gbps = 1.48 Gbps (Greater than access rate)

• If these are Cisco Adaptive Video codecs that ‘Like’ to grow => your risk is greater

26BRKRST-2043


Aggregate Priority LoadIWAN Conclusion

• For Voice, use an Always On policer, rather than a Conditional policer

class VOICE

priority level 1

police cir percent 10

• For Video, use a Bandwidth Remaining Percent queue with DSCP-based WRED, rather

than a level 2 Priority queue

class INTERACTIVE-VIDEO

bandwidth remaining percent 30

random-detect dscp-based

P1

Police

10%

voice video class-default

Always On

Policer

data

BWR

30%

Class-Based WFQ

DSCP-based WRED

BRKRST-2043 27


Latency for ‘Low Speed’ Sites

P1

Police

150K


64 Packets

• Bandwidth remaining percent means each queue gets a

queue limit as if it had full bandwidth of parent (means

high speed links will buffer 0.5 sec of data)

• Queue-Limit = (Intf Speed * .05) / 8 / 1500

• Anything less than 15M service rate gets 64 packets

• Aggregate T1: ~1.5 Sec of buffering IMIX

(12 queues * 64 packets * 8 bits * 350 bytes / 1.5M)

IWAN Conclusion: Use appropriate number of queues for

the 12 classes on the WAN depending on the service rate

Example:

4 queues for service rate < 5 Mbps

8 queues for service rate => 5 Mbps and < 100 Mbps

12 queues for service rate => 100 Mpbs

Traffic Type /

Percentage

Service

Rate

Drain 64 - 350

Byte Packets

Drain 64 - 1500

Byte Packets

Transactional Data / 10% 150K 1.2 secs 5 secs

Bulk Data / 4% 60K 3 secs 13 secs

Network Control / 2% 30K 6 secs 26 secs

BRKRST-2043 28


IPSec Anti-Replay

Crypto Engine

(Adds Sequence

Number)

22

Packets In

P1


Police

2123 Enqueue

2426

2223

21

26 242227 21

Packets Out

25Dropped

By Policer27 28

Queue

Tail Drop

23

• Decryption side keeps a sliding history of packets

received (default is 64 packets)

• Provides anti-replay protection against an attacker

duplicating encrypted packets

• Increasing the anti-replay window size has no impact on

throughput or security

• The impact on memory is insignificant because only an

extra 128 bytes per incoming IPsec SA is needed

IWAN Conclusion: Use the maximum replay

window-size of 1024 for each supported platform

crypto ipsec security-association replay window-size 1024

BRKRST-2043 29

Ingress LANAVC/QoS Design

30


NBAR2 Overview• Cisco Network Based Application Recognition (NBAR) can identify

~1400 applications/protocols via deep-packet inspection (DPI)

• To assist in policy-definition and in browsing, the extensive application library is grouped by various attributes, such as categories and sub-categories

Category First level grouping of applications with similar functionalities

Sub-category Second level grouping of applications with similar functionalities

Application-group Grouping of applications based on brand or application suite

P2P-technology? Indicates application is peer-to-peer

Encrypted? Indicates application is encrypted

Tunneled? Indicates application uses tunneling technique

BRKRST-2043 31




New NBAR2 Attribute: Traffic-ClassName Description

voip-telephony VoIP telephony (bearer-only) traffic

broadcast-video Broadcast TV, live events, video surveillance

real-time-interactive High-definition interactive video applications

multimedia-conferencing Desktop software multimedia collaboration applications

multimedia-streaming Video-on-Demand (VoD) streaming video

network-control Network control plane traffic

signaling Signaling traffic that supports IP voice and video telephony

ops-admin-mgmt Network operations, administration, and management

traffic

transactional-data Interactive data applications

bulk-data Non-interactive data applications

32

Introduced in IOS XE 3.16S and IOS 15.5(3)M

BRKRST-2043


New NBAR2 Attribute: Business-Relevance

Name Description

business-relevant Business critical applications

default Related business applications

business-irrelevant Non business applications

33

Introduced in IOS XE 3.16S and IOS 15.5(3)M

BRKRST-2043


New NBAR2 QoS Attributes Business Relevance Attribute and Traffic-Class Attribute

show ip nbar protocol-attribute skype

encrypted encrypted-yes

tunnel tunnel-no

category consumer-messaging

sub-category consumer-multimedia-messaging

application-group skype-group

p2p-technology p2p-tech-yes

traffic-class Multimedia-conferencing

business-relevance business-irrelevant

BRKRST-2043 34


Changing Business-Relevancy

ip nbar attribute-map ATTRIBUTE_MAP-RELEVANT attribute business-relevance business-relevant

Step 1: Create an Attribute-Map with the Desired Setting

ip nbar attribute-set skype ATTRIBUTE_MAP-RELEVANT

Step 2: Associate the Application with the Desired Attribute-Map

BRKRST-2043 35


Changing Application Business-RelevanceProtocol Pack 14+ (All Options)

ip nbar attribute-map ATTIBUTE_MAP-RELEVANT attribute business-relevance business-relevant

ip nbar attribute-set application-name ATTIBUTE_MAP-RELEVANT

Scenario 1: Making an Application Business-Relevant

ip nbar attribute-map ATTRIBUTE_MAP-DEFAULT attribute business-relevance default

ip nbar attribute-set application-name ATTRIBUTE_MAP-DEFAULT

Scenario 2: Making an Application Best-Effort/Default

ip nbar attribute-map ATTRBUTE_MAP-SCAVENGER attribute business-relevance business-irrelevant

ip nbar attribute-set application-name ATTRBUTE_MAP-SCAVENGER

Scenario 3: Making an Application Business-Irrelevant

BRKRST-2043 36


class-map match-all VOICE—NBAR

match protocol attribute traffic-class voip-telephony

match protocol attribute business-relevance business-relevant

class-map match-all BROADCAST_VIDEO—NBAR

match protocol attribute traffic-class broadcast-video


class-map match-all REAL_TIME_INTERACTIVE-NBAR

match protocol attribute traffic-class real-time-interactive


class-map match-all MULTIMEDIA_CONFERENCING-NBAR

match protocol attribute traffic-class multimedia-conferencing


class-map match-all MULTIMEDIA_STREAMING-NBAR

match protocol attribute traffic-class multimedia-streaming


class-map match-all SIGNALING-NBAR

match protocol attribute traffic-class signaling


class-map match-all NETWORK_CONTROL-NBAR

match protocol attribute traffic-class network-control


class-map match-all NETWORK_MANAGEMENT-NBAR

match protocol attribute traffic-class ops-admin-mgmt


class-map match-all TRANSACTIONAL_DATA-NBAR

match protocol attribute traffic-class transactional-data


class-map match-all BULK_DATA-NBAR

match protocol attribute traffic-class bulk-data


class-map match-all SCAVENGER-NBAR

match protocol attribute business-relevance business-irrelevant

policy-map MARKING

class VOICE-NBAR

set dscp ef

class BROADCAST_VIDEO-NBAR

set dscp cs5

class REAL_TIME_INTERACTIVE-NBAR

set dscp cs4

class MULTIMEDIA_CONFERENCING-NBAR

set dscp af41

class MULTIMEDIA_STREAMING-NBAR

set dscp af31

class SIGNALING-NBAR

set dscp cs3

class NETWORK_CONTROL-NBAR

set dscp cs6

class NETWORK_MANAGEMENT-NBAR

set dscp cs2

class TRANSACTIONAL_DATA-NBAR

set dscp af21

class BULK_DATA-NBAR

set dscp af11

class SCAVENGER-NBAR

set dscp cs1

class class-default

set dscp default

LAN Edge AVC/QoS Config for 1400+ Applications

37BRKRST-2043


NBAR QoS Attributes: At-A-Glance


Reference

BRKRST-2043 38


Egress WANAVC/QoS Design

39


QoS MappingExample: Combining 12 Classes into an 8-Class Model

8-Class Model

VOICE

PQ-10%

STREAMING-VIDEO

10% BWR

CRITICAL-DATA

25% BWR

DEFAULT

25% BWR

Network Management (OAM)

Signaling

Real-Time Interactive

Transactional Data

Multimedia Conferencing

Bulk Data

Scavenger

Best Effort

Multimedia Streaming

Broadcast Video

VoIP

Application

Internetwork Control

AF21

CS3

CS4

AF41

CS2

AF11

CS1

DF

AF31

CS5

EF

CS6

DSCP

SCAVENGER—1% BWR

INTERACTIVE-VIDEO

30% BWR

NET-CTRL

5% BWR

CALL-SIGNALING

4% BWR

PQ = Priority QueueBWR = Bandwidth Remaining

Note: Bandwidth Remaining Percentages must equal 100%

BRKRST-2043 40


8-Class QoS Model

class-map match-any VOICE

match dscp ef

class-map match-any INTERACTIVE-VIDEO

match dscp cs4 af41 af42 af43

class-map match-any STREAMING-VIDEO

match dscp cs5 af31 af32 af33

class-map match-any NET-CTRL

match dscp cs6

class-map match-any CALL-SIGNALING

match dscp cs3

class-map match-any CRITICAL-DATA

match dscp cs2 af11 af12 af13 af21 af22 af23

class-map match-any SCAVENGER

match dscp cs1

policy-map WAN




class STREAMING-VIDEO



class NET-CTRL


class CALL-SIGNALING


class CRITICAL-DATA



class SCAVENGER


class VOICE

priority level 1


class class-default


random-detect

IWAN 8-Class Class-Maps IWAN 8-Class Policy-Map

41

Child Policy

BRKRST-2043


Traffic Shaping

42

• Policers typically drop traffic

• Shapers delay excess traffic, smooth bursts and prevent unnecessary drops

• Very common with Ethernet WAN, as well as Non-Broadcast Multiple-Access (NBMA) network topologies such as Frame-Relay and ATM

With Traffic Shaping

Without Traffic ShapingLineRate

ServiceRate

Traffic Shaping Limits the Transmit Rate to a Value Lower Than Line Rate

BRKRST-2043


policy-map WAN









class NET-CTRL


class CRITICAL-DATA



class SCAVENGER


class VOICE

priority level 1


class class-default


random-detect

policy-map POLICY-TRANSPORT-1

class class-default

shape average 10 Mbps

service-policy WAN

GigE Interface with service rate of 10 Mbps

A shaper will guarantee that traffic will not exceed the contracted rate

A nested queuing policy will force queuing to engage at the contracted sub-line-rate to prioritize packets prior to shaping

Line Rate Different from Service Rate

P1

Min: 0

Max: 10M

Excess: 10

Police

1M


interface GigabitEthernet0/0

bandwidth 10000

service-policy output POLICY-TRANSPORT-1

Always On

Policer

43

Parent Policy

BRKRST-2043


CE

CE

CE

CE

CE

CE

CE

CE

CE

CE

100 Mbps

50 Mbps

50 Mbps

20 Mbps

20 Mbps

10 Mbps

10 Mbps

Shape only(100 Mbps)

100 Mbps in to DMVPN cloud can easily

overrun the lower speed committed rates at

spoke sites

DMVPN Per Tunnel QoSPer-Site Shaping to Avoid Overruns

44BRKRST-2043


policy-map TRANSPORT-1-SHAPE-ONLY

class class-default


!

interface GigabitEthernet0/0/3

bandwidth 100000

service-policy output TRANSPORT-1-SHAPE-ONLY

interface Tunnel10

bandwidth 100000

nhrp map group RS-GROUP-10MBPS service-policy output RS-GROUP-10MBPS-POLICY



policy-map RS-GROUP-50MBPS-POLICY

class class-default


bandwidth remaining ratio 50

service-policy WAN

service-policy WAN

Separate parent shaper policies for

each remote-site bandwidth

DMVPN Hub Per Tunnel QoSImplementing Per-Site Traffic Shaping


class class-default



service-policy WAN


class class-default



service-policy WAN

Add a class-default shape-only policy on the hub physical interface

for the service rate


bandwidth 100000


!

interface Tunnel10

bandwidth 10000

nhrp group RS-GROUP-10MBPS

tunnel source GigabitEthernet0/0

tunnel vrf IWAN-TRANSPORT-1


bandwidth 20000


!

interface Tunnel10

bandwidth 20000





bandwidth 50000


!

interface Tunnel10

bandwidth 50000




Remote Site Tunnel Configurations

10 Mbps spoke

20 Mbps spoke

50 Mbps spoke

Shape(100 Mbps)

BRR=50

BRR=50

BRR=20

BRR=20

BRR=10

BRR=10

50 Mbps

50 Mbps

20 Mbps

20 Mbps

10 Mbps

10 Mbps

Per-Tunnel shapers

Service rate

shaper

Signal from the

spoke to the hub

to use the correct

policy for each

remote site

List all available policies as map groups on hub tunnel interface

Bandwidth remaining

ratio provides

proportional sharing

between tunnels

45BRKRST-2043


Bandwidth Remaining Ratio (BRR) provides proportional sharing to child shapers during times of congestion.

If you over-subscribe your hub BR outbound bandwidth with per-tunnel policies that exceed the service rate, the BRR commands on each child policy means they will get their “fair share” of the remaining bandwidth as compared to the other branch sites.

• If all the per-tunnel BW amounts are 5 Mbps or greater, we use a BRR value of BW / 1 Mbps. (i.e. 10 Mbps is BRR of 10, 50 Mbps is BRR of 50, etc.)

• If any of the per-tunnel BW values are less than 5 Mbps, we use a BRR value of BW / 100 Kbps. (i.e. 3 Mbps is BRR of 30, 1.5 Mbps is BRR of 15, etc.)

Bandwidth Remaining Ratio

Shape(100 Mbps)

BRR=50

BRR=50

BRR=20

BRR=20

BRR=10

BRR=10

50 Mbps

50 Mbps

20 Mbps

20 Mbps

10 Mbps

10 Mbps

Per-Tunnel shapers

Service rate

shaper

If the total bandwidth exceeds 100 Mbps, each of the

per-tunnel shapers will get their fair share based on

their BRR values.

Example:

50 Mbps site gets 50 / 160 or 31.25%

20 Mbps site gets 20 / 160 or 12.5%

10 Mbps site gets 10 / 160 or 6.25%

46BRKRST-2043

Enterprise to SP Mapping

47


The 12-class view is preserved across the enterprise even though we treat it differently at the egress of the router and send it to different channels within the SP network

The twelve classes remain intact on the inner header and the outer tunnel header is remarked as the traffic leaves the tunnel interface

The remarked outer header is discarded after arriving at the tunnel interface on the receiving router, thus leaving the inner header marking unchanged


48BRKRST-2043


class-map INTERACTIVE-VIDEO

match dscp af41

policy-map egress-queuing


set dscp af31


service-policy output egress-queuing

Term-A

Term-B

GRE

Tunnel

10.1.0.1

Gig0/0/0

10.1.0.2

10.2.0.1

10.2.0.2

SP

Network

L2

Dest

L2

SrcType

User IP

Header

User

Data

Src IP: 10.1.0.1

Dst IP: 10.3.0.1

DSCP: 0

Packet View 1

Src IP: 10.1.0.1

Dst IP: 10.3.0.1

DSCP: af41

Src IP: 10.1.0.1

Dst IP: 10.3.0.1

DSCP: af41

Src IP: 172.16.0.1

Dst IP: 172.16.0.2

DSCP: af31

Packet View 3

Tun10

172.16.0.1

Tun10

172.16.0.2

Gig0/0/1

192.168.0.1

192.168.0.2

Src IP: 10.1.0.1

Dst IP: 10.3.0.1

DSCP: af41

L2

Dest

L2

SrcType

User IP

Header

User

Data

Packet View 2

L2

Dest

L2

SrcType

User IP

Header

User

Data

GRE IP

Header

L2

Dest

L2

SrcType

User IP

Header

User

Data

Packet View 4

DSCP copied Inner-to-Outer *BUT*

we over-write Outer after the copy

10.3.0.1

10.3.0.2

Enterprise to SP MappingSet dscp outbound on physical (Branch)

Video Flow from

Term-A To Term-B

49




policy-map traffic-marking


set dscp af41


service-policy input traffic-marking

BRKRST-2043


class-map INTERACTIVE-VIDEO

match dscp af41

policy-map egress-queuing


set dscp tunnel af31

interface Tunnel10

service-policy output egress-queuing

Term-A

Term-B

GRE

Tunnel

10.1.0.1

Gig0/0/0

10.1.0.2

10.2.0.1

10.2.0.2

SP

Network

L2

Dest

L2

SrcType

User IP

Header

User

Data

Src IP: 10.1.0.1

Dst IP: 10.3.0.1

DSCP: 0

Packet View 1

Src IP: 10.1.0.1

Dst IP: 10.3.0.1

DSCP: af41

Src IP: 10.1.0.1

Dst IP: 10.3.0.1

DSCP: af41

Src IP: 172.16.0.1

Dst IP: 172.16.0.2

DSCP: af31

Packet View 3

Tun10

172.16.0.1

Tun10

172.16.0.2

Gig0/0/1

192.168.0.1

192.168.0.2

Src IP: 10.1.0.1

Dst IP: 10.3.0.1

DSCP: af41

L2

Dest

L2

SrcType

User IP

Header

User

Data

Packet View 2

L2

Dest

L2

SrcType

User IP

Header

User

Data

GRE IP

Header

L2

Dest

L2

SrcType

User IP

Header

User

Data

Packet View 4

10.3.0.1

10.3.0.2

Enterprise to SP MappingSet dscp tunnel outbound on tunnel (Hub)

‘Set dscp tunnel’ means don’t copy

but instead remember and mark this

value once tunnel header is imposed

Video Flow from

Term-A To Term-B

50




policy-map traffic-marking


set dscp af41


service-policy input traffic-marking

BRKRST-2043


Enterprise to SP MappingExample: 4-Class SP Model

4-Class Model

SP-VOICEEF

SP-CLASS1DATA

(UDP)AF31

SP-CLASS2DATA

(TCP)

SP-DEFAULTDF

AF21

Network Management

Signaling


Transactional Data


Bulk Data

Scavenger

Best Effort


Broadcast Video

VoIP

Application


AF21

CS3 AF21

CS4 AF31

AF41 AF31

CS2 AF21

AF11 AF21

CS1

DF

AF31

CS5 AF31

EF

CS6

DSCPCS6 Sent

Unchanged

51BRKRST-2043


4-Class SP QoS Model ConfigurationTunnel Interface IWAN Hub BR

policy-map WAN









class NET-CTRL-MGMT


set dscp tunnel cs6




class CRITICAL-DATA




class SCAVENGER


set dscp tunnel default

class VOICE

priority level 1


set dscp tunnel ef

class class-default


random-detect

set dscp tunnel default


class class-default



service-policy WAN

interface Tunnel10

bandwidth <service-rate>

nhrp map group RS-GROUP-10MBPS service-policy

output RS-GROUP-10MBPS-POLICY


bandwidth 10000


!

interface Tunnel10

bandwidth 10000




Hub Router:

Branch Router:

52BRKRST-2043


4-Class SP QoS Model ConfigurationPhysical Interface IWAN Branch

policy-map WAN




set dscp af31




set dscp af31

class NET-CTRL-MGMT


set dscp cs6



set dscp af21

class CRITICAL-DATA



set dscp af21

class SCAVENGER


set dscp default

class VOICE

priority level 1


set dscp ef

class class-default


random-detect

set dscp default


class class-default


service-policy WAN


bandwidth 10000


Branch Router:

53BRKRST-2043



5-Class Model

SP-VOICEEF

SP-CLASS1DATA

(UDP)AF31

SP-CLASS2DATA

(TCP)

SP-DEFAULTDF

AF21

Network Management

Signaling


Transactional Data


Bulk Data

Scavenger

Best Effort


Broadcast Video

VoIP

Application


AF21

CS3 AF21

CS4 AF31

AF41 AF31

CS2 AF21

AF11 AF21

CS1 AF11

DF

AF31

CS5 AF31

EF

CS6

DSCPCS6 Sent

Unchanged

SP-CLASS3DATAAF11

* - Specified by ISP

*

Reference

54BRKRST-2043


5-Class QoS Model ConfigurationPhysical InterfaceIWAN Branch

policy-map WAN




set dscp af31




set dscp af31

class NET-CTRL-MGMT


set dscp cs6



set dscp af21

class CRITICAL-DATA



set dscp af21

class SCAVENGER


set dscp AF11

class VOICE

priority level 1


set dscp tunnel ef

class class-default


random-detect

set dscp default


class class-default


service-policy WAN


bandwidth 10000


Branch Router:

Reference

55BRKRST-2043



6-Class Model

SP-VOICEEF

SP-CLASS1DATA

(UDP)AF31

SP-CLASS2DATA

(TCP)

SP-DEFAULTDF

AF21

Network Management

Signaling


Transactional Data


Bulk Data

Scavenger

Best Effort


Broadcast Video

VoIP

Application


AF21

CS3 AF21

CS4 AF41

AF41

CS2 AF21

AF11 AF21

CS1 AF11

DF

AF31

CS5 AF1

EF

CS6

DSCPCS6 Sent

Unchanged

SP-CLASS3DATAAF11

SP-VIDEOAF41

* - Specified by ISP

*

Reference

56BRKRST-2043


6-Class QoS Model ConfigurationPhysical InterfaceIWAN Branch

policy-map WAN




set dscp af41




set dscp af31

class NET-CTRL-MGMT


set dscp cs6



set dscp af21

class CRITICAL-DATA



set dscp af21

class SCAVENGER


set dscp af11

class VOICE

priority level 1


set dscp ef

class class-default


random-detect

set dscp default


class class-default


service-policy WAN


bandwidth 10000


Branch Router:

Reference

57BRKRST-2043


Application

Class

Per-Hop

Behavior

Queuing &

Dropping

12-Class 8-Class

For IWAN Router

6-Class For

Tunnel

5-class For

Tunnel

4-Class For

Tunnel


CS6 BR Queue Net-Ctrl NET-CTRL CS6 CS6 CS6

VoIP Telephony EF Priority Queue (PQ) Voice VOICE EF EF EF


AF4 BR Queue + DSCP WRED

Interactive-Video INTERACTIVE-VIDEO AF41 AF31 AF31


CS4 BR Queue + DSCP WRED

Real-Time INTERACTIVE-VIDEO AF41 AF31 AF31

Broadcast Video CS5 BR Queue + DSCP WRED

Broadcast-Video STREAMING-VIDEO AF31 AF31 AF31


AF3 BR Queue + DSCP WRED

Streaming-Video STREAMING-VIDEO AF31 AF31 AF31

Signaling CS3 BR Queue Call-Signaling CALL-SIGNALING AF21 AF21 AF21

Ops / Admin / Mgmt CS2 BR Queue + DSCP WRED

Net-Mgmt CRITICAL-DATA AF21 AF21 AF21

Transactional Data AF2 BR Queue + DSCP WRED

Transactional-Data

CRITICAL-DATA AF21 AF21 AF21

Bulk Data AF1 BR Queue + DSCP WRED

Bulk-Data CRITICAL-DATA AF21 AF21 AF21

Best Effort DF BR Queue + RED Default DEFAULT Default Default Default

Scavenger CS1 Min BR Queue Scavenger SCAVENGER AF11 AF11 Default

Enterprise to SP Mapping: Summary

Relevant

Default

Irrelevant BRKRST-2043 58


IWAN QoS Design: At-A-Glance


Reference

BRKRST-2043 59


SD-WAN QoSAPIC-EM IWAN App

60

APIC-EM IWAN AppDemo


Click to administer

application policies

APIC-EM – IWAN App

62BRKRST-2043


Business-Relevant Class-Map (List of Categories that are Business-Relevant)

class-map match-any prm-biz-relevant-cats

match protocol attribute category business-and-productivity-tools

match protocol attribute category voice-and-video

match protocol attribute category backup-and-storage

match protocol attribute category software-updates

match protocol attribute category file-sharing

match protocol attribute category email

match protocol attribute category database

match protocol attribute category browsing

class-map match-all prm-nbar-12-cls#BROADCAST-VIDEO


match class-map prm-biz-relevant-cats

class-map match-all prm-nbar-12-cls#BULK-DATA



class-map match-all prm-nbar-12-cls#INTERACTIVE-VIDEO



class-map match-all prm-nbar-12-cls#NETWORK-CONTROL



class-map match-all prm-nbar-12-cls#MULTIMEDIA-CONFERENCING



class-map match-all prm-nbar-12-cls#VOICE



class-map match-all prm-nbar-12-cls#SIGNALING



class-map match-all prm-nbar-12-cls#NETWORK-MANAGEMENT



class-map match-all prm-nbar-12-cls#TRANSACTIONAL-DATA



class-map match-all prm-nbar-12-cls#MULTIMEDIA-STREAMING



class-map match-all prm-nbar-12-cls#SCAVENGER

match class-map prm-biz-irrelevant-cats

Parent Class-Maps to Combine

Category-Based BR with Traffic-Classes

IWAN-App QoS ConfigClassification and Marking Policy

class-map match-any prm-biz-irrelevant-cats

match protocol attribute category consumer-file-sharing

match protocol attribute category consumer-messaging

match protocol attribute category consumer-internet

match protocol attribute category consumer-streaming

match protocol attribute category gaming

match protocol attribute category social-networking

match protocol attribute category instant-messaging

Business-Irrelevant Class-Map

(List of Categories that are Business-Irrelevant)

policy-map prm-nbar-12-cls

class prm-nbar-12-cls#VOICE

set dscp ef

class prm-nbar-12-cls#BROADCAST-VIDEO

set dscp cs5

class prm-nbar-12-cls#INTERACTIVE-VIDEO

set dscp cs4

class prm-nbar-12-cls#MULTIMEDIA-CONFERENCING

set dscp af41

class prm-nbar-12-cls#MULTIMEDIA-STREAMING

set dscp af31

class prm-nbar-12-cls#SIGNALING

set dscp cs3

class prm-nbar-12-cls#NETWORK-CONTROL

set dscp cs6

class prm-nbar-12-cls#NETWORK-MANAGEMENT

set dscp cs2

class prm-nbar-12-cls#TRANSACTIONAL-DATA

set dscp af21

class prm-nbar-12-cls#BULK-DATA

set dscp af11

class prm-nbar-12-cls#SCAVENGER

set dscp cs1

class class-default

set dscp default

RFC 4594-Based Marking Policy-Map

Implements Category-to-Business-Relevance mapping

Vs.

Application-to-Business-Relevance mapping

63BRKRST-2043


Ingress Marking on LAN

interface GigabitEthernet0/0/0.10

description Data

encapsulation dot1Q 10

ip address 10.5.10.3 255.255.255.0

ip helper-address 10.4.49.10

ip pim sparse-mode

standby version 2

standby 1 ip 10.5.10.1

standby 1 priority 105

standby 1 authentication md5 key-string c1sco123

performance monitor context IWAN-Context

service-policy input prm-nbar-12-cls

policy-map prm-dscp#iwan-8-id0

class prm-iwan8#VOICE

priority level 1


set dscp ef

class prm-iwan8#STREAMING-VIDEO


set dscp af31


class prm-iwan8#CALL-SIGNALING


set dscp cs3

class prm-iwan8#NET-CTRL-MGMT


set dscp cs6

class prm-iwan8#INTERACTIVE-VIDEO


set dscp af41


class prm-iwan8#CRITICAL-DATA


set dscp af21


class prm-iwan8#SCAVENGER


set dscp cs1

class class-default


set dscp default


Child Policy:

8-class WAN queuing and 6-class SP

IWAN-App QoS ConfigIngress Marking and Egress Queuing in Branch

64


bandwidth 30000

ip vrf forwarding IWAN-TRANSPORT-1

ip address 10.5.5.102 255.255.255.252

media-type rj45

negotiation auto

no cdp enable

service-policy output prm-dscp#iwan-8-id0#shape#30.0

Egress Queuing on Physical Interface

policy-map prm-dscp#iwan-8-id0#shape#30.0

class class-default

shape average 30000000

service-policy prm-dscp#iwan-8-id0

Parent Policy:


Marking Policy Map on Previous Page

BRKRST-2043

Summary and References

65


Key Takeaways

IWAN Considerations

Design Issues

Aggregate Priority Load

Latency for Low Speed

IPSec Anti-Replay

IWAN 2.1 CVD

Ingress LAN Marking

NBAR2 QoS Attributes

Traffic-Class

Business-Relevance

Coming in IWAN 2.1.1 CVD

Egress WAN Queuing

QoS and App Control

WAN Queuing

Sub-Line Rate Interfaces

DMVPN Per Tunnel QoS


IWAN 2.1 CVD

66BRKRST-2043

Or … just click on the “Easy” button with the APIC-EM IWAN App!


Cisco Design Guides for Intelligent WAN

IWAN Technology Design Guide

IWAN DIA and Guest Wireless Design Guide

IWAN WAAS and Akamai Design Guide

http://www.cisco.com/go/cvd/wan

Technical Design Guide Profile Type Design Models

IWAN Technology

IWAN Config FilesBase

ASR 1K

CSR 1K (Hub MC)

ISR 4K

ISR G2

Hybrid

Dual Internet

Single Router

Dual Router

Transit Site

Hub BR Scaling

IWAN DIA and Guest Advanced ISR 4KRemote Site Direct Internet Access

Remote Site Guest Wireless

IWAN WAAS and Akamai Advanced ISR 4KWAAS

Akamai Connect

Design Overview Technology Type Design Models

WAN Design IWAN / WAN All Overview

IWAN 2.1 CVD

Feb 2016

67BRKRST-2043


Recommended Reading

68

Coming

Soon

BRKRST-2043


• TECCRS-2004 – Implementing the Intelligent WAN

• BRKCRS-2000 – Intelligent WAN Architecture

• BRKRST-2043 – IWAN AVC/QoS Design

• BRKRST-2362 – IWAN Implementing Performance Routing (PfRv3)

• BRKRST-2514 – Cisco Intelligent WAN (IWAN) & Application Optimization

• BRKRST-3413 – IWAN Serviceability: Deploying, Monitoring, and Operating

• BRKCRS-2007 – Migrating Your Existing WAN to Cisco’s IWAN

• BRKCRS-1244 – SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)

• BRKNMS-1040 – IWAN and AVC Management with Cisco Prime Infrastructure

• BRKSDN-2099 – IWAN Management via APIC-EM (SDN Controller)

• BRKARC-3004 – APIC-EM: Controller Workflow and Use Cases

Other IWAN Related Sessions

69BRKRST-2043


Complete Your Online Session Evaluation

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.

• Complete your session surveys through the Cisco Live mobile app or from the Session Catalog on CiscoLive.com/us.

70BRKRST-2043

CiscoLive.com/Online

http://ciscolive.com/Online

http://ciscolive.com/Online

http://ciscolive.com/us

http://ciscolive.com/us


Continue Your Education

• Demos in the Cisco campus

• Walk-in Self-Paced Labs

• Lunch & Learn

• Meet the Engineer 1:1 meetings

• Related sessions

71BRKRST-2043

Please join us for the Service Provider Innovation Talk featuring:

Yvette Kanouff | Senior Vice President and General Manager, SP Business

Joe Cozzolino | Senior Vice President, Cisco Services

Thursday, July 14th, 2016

11:30 am - 12:30pm, In the Oceanside A room

What to expect from this innovation talk

• Insights on market trends and forecasts

• Preview of key technologies and capabilities

• Innovative demonstrations of the latest and greatest products

• Better understanding of how Cisco can help you succeed

Register to attend the session live now or

watch the broadcast on cisco.com

Thank you

Reference Slides

75


R&S Related Cisco Education Offerings

Course Description Cisco Certification

CCIE R&S Advanced Workshops (CIERS-1 &

CIERS-2) plus

Self Assessments, Workbooks & Labs

Expert level trainings including: instructor led workshops, self

assessments, practice labs and CCIE Lab Builder to prepare candidates

for the CCIE R&S practical exam.

CCIE® Routing & Switching

• Implementing Cisco IP Routing v2.0

• Implementing Cisco IP Switched

Networks V2.0

• Troubleshooting and Maintaining

Cisco IP Networks v2.0

Professional level instructor led trainings to prepare candidates for the

CCNP R&S exams (ROUTE, SWITCH and TSHOOT). Also available in

self study eLearning formats with Cisco Learning Labs.

CCNP® Routing & Switching

Interconnecting Cisco Networking Devices:

Part 2 (or combined)

Configure, implement and troubleshoot local and wide-area IPv4 and IPv6

networks. Also available in self study eLearning format with Cisco Learning

Lab.

CCNA® Routing & Switching

Interconnecting Cisco Networking Devices:

Part 1

Installation, configuration, and basic support of a branch network. Also

available in self study eLearning format with Cisco Learning Lab.

CCENT® Routing & Switching

76

For more details, please visit: http://learningnetwork.cisco.com

Questions? Visit the Learning@Cisco Booth or contact [email protected]

BRKRST-2043

http://learningnetwork.cisco.com/

mailto:[email protected]

QOS Tools Classification and Marking

77


QoS Tools Review: Classification & Marking

• Classification:

• An action that organizes packets into different traffic types, to which different policies can then be applied

• Classification of packets can happen without marking

• Marking:

• Writes a value into the packet header

• Establishes a trust boundary at the network edge

• Can be used in other locations in the network and is not always used solely for purposes of classification

Classification vs. Marking

BRKRST-2043 78


QoS Tools Review: Classification & Marking Tools

• Classification can be done on:

• Layer 1 criteria—such as ingress physical interface

• Layer 2 criteria—such as IEEE 802.1Q/p CoS

• Layer 3 criteria—such as IP DSCP

• Layer 4 criteria—such as TCP/UDP port(s)

• Layer 7 criteria—such as NBAR application signatures

• Marking can be done on:

• Layer 2 fields—such as IEEE 802.1Q/p CoS

• Layer “2.5” fields—such as MPLS EXP

• Layer 3 fields—such as IP DSCP

• Internal fields—such as QoS Group

Classification and Marking Options for the WAN

BRKRST-2043 79


ToS IP SA IP DA SrcPort

DstPort

Protocol

• Identifies ~1400 applications and protocols

• Application payload deep packet inspection

• Supports application media-sub-component classification

TCP/UDP Segment

Deep Packet Inspection

Data PayloadIP Packet

QoS Tools Review: Classification & Marking ToolsLayer 7 Classification: Network Based Application Recognition (NBAR/NBAR2)

class-map CISCO-JABBER-VOICE

match protocol cisco-jabber-audio

class-map CISCO-JABBER-VIDEO

match protocol cisco-jabber-video

class-map CISCO-JABBER-MESSAGING

match protocol cisco-jabber-im

class-map CISCO-JABBER-SIGNALING

match protocol cisco-jabber-control

BRKRST-2043 80


• 802.1p User Priority field also called Class of Service (CoS)

• Different types of traffic are assigned different CoS values

• CoS 6 and 7 are reserved for network use

802.1Q

4 Bytes

Three Bits Used for CoS

(802.1p Class of Service)

Data FCSPTSADASFDPream Type

PRI VLAN IDCFI

Ethernet Frame

CoS Acronym Traffic characteristics

0 BE Best Effort

1 BK Background

2 EE Excellent Effort

3 CA Critical Applications

4 VI Video, < 100 ms latency

5 VO Voice, < 10 ms latency

6 IC Internetwork Control

7 NC Network Control

IEEE 802.1Q-2005

QoS Tools Review: Classification & Marking ToolsLayer 2 Marking: IEEE 802.1Q/p CoS

class-map VOICE

match cos 5

policy-map MARKING


set cos 4

BRKRST-2043 81


• IP Precedence (relegated): Three most significant bits of ToS byte are called IP

Precedence (IPP)—other bits unused

• Differentiated Services: Six most significant bits of ToS byte are called DiffServ

Code Point (DSCP)—remaining two bits used for Explicit Congestion Notification

(ECN)

• DSCP and ECN are also used in IPv6

7 6 5 4 3 2 1 0

ID Offset TTL Protocol FCS IP SA IP DA DataLengthVersion/

Header_Len

ToS

Byte

DiffServ Code Point (DSCP) IP ECN

IPv4 Packet

IP Precedence Unused

QoS Tools Review: Classification & Marking ToolsLayer 3 Marking: IP Type of Service (ToS) Byte

BRKRST-2043 82


x x x y y 0AFxy

Class Drop

Precedence

DSCP

IP Header ToS Byte

EF

Default Forwarding

(Best Effort)

RFC 2474

AF11

AF21

AF31

AF41

AF12

AF22

AF32

AF42

Expedited Forwarding

RFC 3246

Assured Forwarding

RFC 2597

Per-Hop Behaviors (PHB) Diff-Serv Code Points

101110

001010 001100 001110

010010 010100 010110

011010 011100 011110

100010 100100 100110

Class 1

Class 2

Class 3

Class 4

Low Drop

Pref

Med Drop

Pref

High Drop

Pref

000000

46

10 12 14

18 20 22

26 28 30

34 36 38

0DF

QoS Tools Review: Classification & Marking ToolsLayer 3 Marking: DSCP Per-Hop Behaviors (PHBs)

class-map VOICE

match dscp ef

policy-map MARKING


set dscp af41

Class Selector

(Matches IP Precedence)

RFC 2474

0010008

CS1

AF13

AF23

AF33

AF43

83

CS2 CS3

CS4 CS5 CS6

01000016

01100024

10000032

10100040

11000048

CS0

CS7 11100056

BRKRST-2043

QoS ToolsPolicing and Shaping

84


QoS Tools Review: Policing & Shaping Tools

• Policers:

• Perform checks for traffic violations against a configured rate and take immediate prescribed actions (such as remarking or dropping)

• Policers do not delay traffic

• Policers may be applied to the data plane or the control plane

• Shapers:

• Smooth out traffic flows so that it never exceeds the configured rate

• If the offered traffic momentarily spikes above the contracted rate, the excess traffic is buffered and delayed until the offered traffic once again dips below the defined rate

• Shapers usually are employed to meet a Service Level Agreement (SLA)

Policers vs. Shapers

BRKRST-2043 85


Action Action

Overflow

B<Tc B<Te

Conform Exceed Violate

CBS EBS

CIR

Yes Yes

No No

Action

Packet of

Size B

QoS Tools Review: Policing & Shaping ToolsRFC 2697 Single-Rate Three-Color Marker

CIR = Committed Information Rate

CBS = Committed Burst Size

EBS = Excess Burst Size

Tc = Token Committed (CBS)

Te = Token Excess (EBS)

Bc = Burst Committed (CBS)

Be = Burst Excess (EBS)BRKRST-2043 86


Action Action

Overflow

B<Tc B<Te

Conform Exceed Violate

CBS EBS

CIR

Yes Yes

No No

Action

Packet of

Size B

QoS Tools Review: Policing & Shaping ToolsRFC 2697 Single-Rate Three-Color Marker

policy-map RFC2697-POLICER

class CLASS-1

police cir 500000 bc 10000 be 10000

conform-action set-dscp-transmit af11

exceed-action set-dscp-transmit af12

violate-action set-dscp-transmit af13



EBS = Excess Burst Size


Te = Token Excess (EBS)


Be = Burst Excess (EBS)BRKRST-2043 87


ActionAction

B>Tp B>Tc

ExceedViolate

PBS CBS

PIR

Yes Yes

No No

Conform

Action

Packet of

Size B

CIR

QoS Tools Review: Policing & Shaping ToolsRFC 2698 Two-Rate Three-Color Marker

PIR = Peak Information Rate

PBS = Peak Burst Size



Tp = Token Peak (PBS)



Be = Burst Excess (PBS)BRKRST-2043 88


ActionAction

B>Tp B>Tc

ExceedViolate

PBS CBS

PIR

Yes Yes

No No

Conform

Action

Packet of

Size B

CIR

QoS Tools Review: Policing & Shaping ToolsRFC 2698 Two-Rate Three-Color Marker

policy-map RFC2698-POLICER

class CLASS-2

police cir 500000 bc 10000 pir 100000 be 10000

conform-action set-dscp-transmit af11

exceed-action set-dscp-transmit af12

violate-action set-dscp-transmit af13

PIR = Peak Information Rate

PBS = Peak Burst Size



Tp = Token Peak (PBS)



Be = Burst Excess (PBS)BRKRST-2043 89


QoS Tools Review: Policing & Shaping ToolsPriority Queue with Conditional Policer

P1

Police

20M


100 Mbps

Interface

30 Mbps

30 Mbps

Offered

Load

Congestion

Feedback

30 Mbps

Expected

Throughput

Per Class


P1

Police

20M


100 Mbps

Interface

30 Mbps

20 Mbps

Congestion

Feedback

20 Mbps


90 Mbps

80 Mbps

policy-map CONDITIONAL-POLICER

class PRIORITY

priority 200000

No Congestion

No Policing

BRKRST-2043 90


Aggregate Priority LoadPriority Queue with Always On Policer (Explicit Policer)

P1

Police

20M


100 Mbps

Interface

30 Mbps

20 Mbps

Offered

Load

20 Mbps

Expected

Throughput

Per Class


P1

Police

20M


100 Mbps

Interface

30 Mbps

20 Mbps

20 Mbps


90 Mbps

80 Mbps

policy-map ALWAYS-ON-POLICER

class PRIORITY

priority level 1

police cir 200000

Always On

Policer

BRKRST-2043 91


QoS Tools Review: Policing & Shaping ToolsShaping Effect on Traffic Patterns

With Traffic Shaping

Without Traffic ShapingLineRate

ServiceRate

Traffic Shaping Limits the Transmit Rate to a Value Lower Than Line Rate

policy-map CLASS-BASED-SHAPER

class class-default


service-policy WAN

• Policers typically drop traffic

• Shapers delay excess traffic, smooth bursts

and prevent unnecessary drops

BRKRST-2043 92

QoS ToolsQueuing and Dropping

93


Packets In Packets OutTx-Ring

IOS Interface Buffers

If the Tx-Ring is filled to capacity,

then the IOS software knows that the interface

is congested and it should activate any

LLQ/CBWFQ policies that have been

applied to the interface

QoS Tools Review: Queuing & Dropping ToolsTx-Ring

interface Serial2/0

tx-ring-limit 4

BRKRST-2043 94


Packets In

Packets Out

A flow is defined by five matching tuples:

Source Address + Source Port

Destination Address + Destination Port

Layer 4 Protocol (TCP or UDP)

QoS Tools Review: Queuing & Dropping Tools(Flow-Based) Fair-Queuing

policy-map FQ

class class-default

fair-queue

Fair-Queuing

Sorter/Pre-Sorter

BRKRST-2043 95


Packets In

Packets Out


Tx-Ring

Multimedia Conferencing CBWFQ

Multimedia Streaming CBWFQ

Network Control CBWFQ

Call Signaling CBWFQ

OAM CBWFQ

Transactional Data CBWFQ

Bulk Data CBWFQ

Best Effort / Default CBWFQ

Scavenger CBWFQ

CBWFQ

Scheduler

FQ

FQ

FQ

FQ

Pre-Sorters

FQ

FQ

QoS Tools Review: Queuing & Dropping ToolsCBWFQ policy-map WAN

class NETWORK-CONTROL






fair-queue


class MM-CONFERENCING


fair-queue


…

BRKRST-2043 96


Packets InPackets Out


Tx-Ring

CBWFQ

Scheduler

LLQ

10% Strict

VOICE

Policer

FQ

Pre-SortersCBWFQs

policy-map WAN

class VOICE

priority level 1


QoS Tools Review: Queuing & Dropping ToolsLLQ: Single-LLQ Operation and Configuration

BRKRST-2043 97


Packets InPackets Out

Tx-Ring

CBWFQ

Scheduler

LLQ

1 Mbps

VOICE

Policer

4 Mbps

Bscst-Video

Policer

5 Mbps

RT-Interactive

Policer

CBWFQs

policy-map MULTI-LLQ

class VOICE

priority 1000

class BROADCAST-VIDEO

priority 4000

class REALTIME-INTERACTIVE

priority 5000

QoS Tools Review: Queuing & Dropping ToolsLLQ: Multi-LLQ Operation and Configuration

BRKRST-2043 98


Time

Bandwidth

Utilization100%

BW

Tail Drop

Three Traffic Flows

Start at Different Times

Another Traffic Flow

Starts at This Point

QoS Tools Review: Queuing & Dropping ToolsThe Need for Congestion Avoidance

All TCP flows synchronize in waves

TCP synchronization wastes available bandwidth

BRKRST-2043 99


Bulk Data CBWFQ

Fair-

Queuing

Pre-Sorter

AF13 Minimum WRED Threshold:

Begin randomly dropping AF13 packets





Maximum WRED Thresholds for AF11, AF12 and AF13 are set to the tail of the queue in this example

Front

of

Queue

Tail

of

Queue

Direction

of

Packet

Flow

policy-map BULK-WRED

class BULK



QoS Tools Review: Queuing & Dropping ToolsDSCP-Based WRED

BRKRST-2043 100

PfR and QoS Interaction

101


IWAN Layers

MPLS Routing Internet Routing

Overlay Routing Protocol (BGP, EIGRP)

Transport Independent Design (DMVPN)

PfRAVC QoS

Infrastructure Routing

Transport Overlay

Overlay routing

over tunnels

Intelligent Path

Selection

ZBFW

CWS

BRKRST-2043 102


PfRv3 – How it Works

Path Enforcement

Define path optimization

policies on the Hub MC

load balancing,

path preference, application

metrics

DSCP Based Policies

Application Based Policies

Traffic flowing through the

Border Routers (BRs) that

match a policy are learned

Traffic Classes

Unified Performance

Monitor

Report the measured TC

performance metrics to

the Master Controller for

policy compliance

Unified Performance

Monitor

Master Controller directs

BR path changes to keep

traffic within policy

Route Enforcement

module in feature path

MeasurementLearn the TrafficDefine your Traffic Policy

ISR G2

ASR1K MC

BR BR

MC

BR BR

Performance

MeasurementsMC

BR BR

Learning

Active TCs

Traffic

Classes

TC Path

BRKRST-2043 103


IWAN Design – PfR Policy

• Create the PfR classes with matching policy names and DSCP values to simplify the configuration

• Define the path preference for traffic

• Load balance non-priority traffic

domain IWAN

vrf default

master hub

load-balance

class VOICE sequence 10

match dscp ef policy voice

path-preference MPLS fallback INET

class INTERACTIVE_VIDEO sequence 20

match dscp cs4 policy real-time-video

match dscp af41 policy real-time-video




class LOW_LATENCY_DATA sequence 30

match dscp cs2 policy low-latency-data

match dscp cs3 policy low-latency-data

match dscp af21 policy low-latency-data




IWAN Master Controller

class BULK_DATA sequence 40

match dscp af11 policy bulk-data




class SCAVENGER sequence 50

match dscp cs1 policy scavenger

path-preference INET fallback MPLS

class DEFAULT sequence 60

match dscp default policy best-effort

path-preference INET fallback MPLS

BRKRST-2043 104


PfR Built-in Policy Templates

Pre-defined

Template

Threshold Definition

Voice priority 1 one-way-delay threshold 150 threshold 150 (msec)

priority 2 packet-loss-rate threshold 1 (%)

priority 2 byte-loss-rate threshold 1 (%)

priority 3 jitter 30 (msec)

Real-time-video priority 1 packet-loss-rate threshold 1 (%)


priority 2 one-way-delay threshold 150 (msec)

priority 3 jitter 20 (msec)

Low-latency-

data

priority 1 one-way-delay threshold 100 (msec)



Pre-defined

Template

Threshold Definition

Bulk-data priority 1 one-way-delay threshold 300 (msec)



Best-effort priority 1 one-way-delay threshold 500 (msec)



Scavenger priority 1 one-way-delay threshold 500 (msec)



BRKRST-2043 105


PfR Manages Traffic Class

INETMPLS

10.1.10.0/24 10.1.11.0/2410.1.12.0/2410.1.13.0/24

IWAN POP

MC1

BR1 BR2

R10 R11 R12 R13

Traffic Class

Destination Prefix

DSCP Value

Application (N/A when DSCP policies used)

Prefix DSCP AppID Dest SiteNext-Hop

10.1.11.0/24 EF N/A Site 11 ?

10.1.11.0/24 AF41 N/A Site 11 ?

10.1.11.0/24 AF31 N/A Site 11 ?

10.1.11.0/24 0 N/A Site 11 ?

10.1.10.0/24 EF N/A Site 10 ?

10.1.10.0/24 AF41 N/A Site 10 ?

10.1.10.0/24 AF31 N/A Site 10 ?

10.1.10.0/24 0 N/A Site 10 ?

Traffic with EF, AF41, AF31 and 0

BRKRST-2043 106

SDWAN QoSAPIC-EM IWAN App

107


Click to administer

application policies

APIC-EM – IWAN App

108BRKRST-2043


Categorize applications

Add custom applications

IWAN App – Categorize Applications

109BRKRST-2043


Drag and drop each application

(one ore more) from one

business class to the other

IWAN App – Categorize Applications

110BRKRST-2043


Application priority policy

setting in IWAN app

Path preference: Set

primary and action on

threshold crossing, which

can be a second path or

drop traffic

Drag and drop

business buckets

Drag and Drop a business

category among: business

critical | scavenger | default

IWAN App – Define Application Policy

111BRKRST-2043


Business-Relevant Class-Map (List of Categories that are Business-Relevant)

class-map match-any prm-biz-relevant-cats

match protocol attribute category business-and-productivity-tools

match protocol attribute category voice-and-video

match protocol attribute category backup-and-storage

match protocol attribute category software-updates

match protocol attribute category file-sharing

match protocol attribute category email

match protocol attribute category database

match protocol attribute category browsing

class-map match-all prm-nbar-12-cls#BROADCAST-VIDEO



class-map match-all prm-nbar-12-cls#BULK-DATA



class-map match-all prm-nbar-12-cls#INTERACTIVE-VIDEO



class-map match-all prm-nbar-12-cls#NETWORK-CONTROL



class-map match-all prm-nbar-12-cls#MULTIMEDIA-CONFERENCING



class-map match-all prm-nbar-12-cls#VOICE



class-map match-all prm-nbar-12-cls#SIGNALING



class-map match-all prm-nbar-12-cls#NETWORK-MANAGEMENT



class-map match-all prm-nbar-12-cls#TRANSACTIONAL-DATA



class-map match-all prm-nbar-12-cls#MULTIMEDIA-STREAMING



class-map match-all prm-nbar-12-cls#SCAVENGER

match class-map prm-biz-irrelevant-cats

Parent Class-Maps to Combine

Category-Based BR with Traffic-Classes

IWAN-App QoS ConfigClassification and Marking Policy

class-map match-any prm-biz-irrelevant-cats

match protocol attribute category consumer-file-sharing

match protocol attribute category consumer-messaging

match protocol attribute category consumer-internet

match protocol attribute category consumer-streaming

match protocol attribute category gaming

match protocol attribute category social-networking

match protocol attribute category instant-messaging

Business-Irrelevant Class-Map

(List of Categories that are Business-Irrelevant)

policy-map prm-nbar-12-cls

class prm-nbar-12-cls#VOICE

set dscp ef

class prm-nbar-12-cls#BROADCAST-VIDEO

set dscp cs5

class prm-nbar-12-cls#INTERACTIVE-VIDEO

set dscp cs4

class prm-nbar-12-cls#MULTIMEDIA-CONFERENCING

set dscp af41

class prm-nbar-12-cls#MULTIMEDIA-STREAMING

set dscp af31

class prm-nbar-12-cls#SIGNALING

set dscp cs3

class prm-nbar-12-cls#NETWORK-CONTROL

set dscp cs6

class prm-nbar-12-cls#NETWORK-MANAGEMENT

set dscp cs2

class prm-nbar-12-cls#TRANSACTIONAL-DATA

set dscp af21

class prm-nbar-12-cls#BULK-DATA

set dscp af11

class prm-nbar-12-cls#SCAVENGER

set dscp cs1

class class-default

RFC 4594-Based Marking Policy-Map

Implements Category-to-Business-Relevance mapping

Vs.

Application-to-Business-Relevance mapping

112BRKRST-2043


Ingress Marking on LAN

interface GigabitEthernet0/0/0.10

description Data

encapsulation dot1Q 10

ip address 10.5.10.3 255.255.255.0

ip helper-address 10.4.49.10

ip pim sparse-mode

standby version 2

standby 1 ip 10.5.10.1

standby 1 priority 105

standby 1 authentication md5 key-string c1sco123

performance monitor context IWAN-Context

service-policy input prm-nbar-12-cls

policy-map prm-dscp#iwan-8-id0

class prm-iwan8#VOICE

priority level 1


set dscp ef

class prm-iwan8#STREAMING-VIDEO


set dscp af31


class prm-iwan8#CALL-SIGNALING


set dscp cs3

class prm-iwan8#NET-CTRL-MGMT


set dscp cs6

class prm-iwan8#INTERACTIVE-VIDEO


set dscp af41


class prm-iwan8#CRITICAL-DATA


set dscp af21


class prm-iwan8#SCAVENGER


set dscp cs1

class class-default


set dscp default


Child Policy:

8-class WAN queuing and 6-class SP

IWAN-App QoS ConfigIngress Marking and Egress Queuing in Branch

113


bandwidth 300000

ip vrf forwarding IWAN-TRANSPORT-1

ip address 10.5.5.102 255.255.255.252

media-type rj45

negotiation auto

no cdp enable

service-policy output prm-dscp#iwan-8-id0#shape#300.0

Egress Queuing on Physical Interface

policy-map prm-dscp#iwan-8-id0#shape#300.0

class class-default

shape average 300000000

service-policy prm-dscp#iwan-8-id0

Parent Policy:


Marking Policy Map on Previous Page

BRKRST-2043

Adaptive QoS

114


• Monitoring at the Receiver• Short Term: Monitor loss per tunnel OR Rx-rate per tunnel (aggregate tunnel monitoring)

• Long term: Monitor loss per policy/class on a tunnel

• Monitoring & Feedback is a recurring/periodic process

• Feed-back loss per tunnel to the sender (any transport of choice)

• Processing at the Sender• Receive feedback from receiver

• Read relevant tunnel’s Tx-rate at the sender

• Evaluate loss based on difference between Rx-rate and Tx-rate

• Once loss is known at the sender (through explicit feed-back of loss or via <Rx-rate, Tx-rate> calculation), map it to QoS policy/class

• Adjust shape rate to dynamically adjust to the current Internet BW if required

Adaptive QoS with DMVPNHow To Compute Available BW & Adjust Shapers

Static Bandwidth Management - Not adapting shapers in fluctuating BW environments can make the

shapers irrelevant and admins would lose control of which applications are getting dropped!

BRKRST-2043 115


DMVPN

Spoke Site

Internet

based

WAN

DMVPN

Hub Site

5 Mbps

Shaper towards this spoke

= 6 Mbps (offered)

Egress shaper

= 5 Mbps (offered)

6 Mbps

Adaptive QoSHow To Compute Available BW & Adjust Shapers

BRKRST-2043 116


DMVPN

Spoke Site

Internet

based

WAN

DMVPN

Hub Site

Egress shaper

= 3 Mbps available)

Shaper towards this spoke

= 4 Mbps (available)

Available BW check:Tunnel Rx Loss,Rx/Tx compute

Algorithm to compute available upstream and downstream BW

Available downstream BW = 4 Mbps

Available upstream BW = 3 Mbps

• Accurate view of available BW in

non SLA environments

• Adapting business critical

applications to what is available

on link

• No more indiscriminate drops -

tighter control of business

policies for IWAN

Benefits:

Compute

Available

BW -

function of

the router

Adaptive QoSHow To Compute Available BW & Adjust Shapers

BRKRST-2043 117


Adaptive QoS For DMVPNHow Does It Work?

Adapt shaping rate at the Sender based on the available bandwidth between specific Sender and Receiver (two end-points of a DMVPN tunnel)

Sender Receiver

• Configure MQC Policy with Adaptive Shaping

• Attach service-policy to nhrp-group in Egress

DMVPN Tunnel

Transport Monitoring Enablement Message

Create State for Periodic Collection of Stats

on a Relevant Target

Transport Received Rate

1) Calculate Available Bandwidth in the Cloud

2) Adapt Egress Shaper to New Calculated Rate

BRKRST-2043 118


High Level Algorithm to Compute Available BW

• Use a Training Period to estimate Transmit and Receive Counter Clock Shift (roughly)

• After Compensating for the Clock Shift, use transmit and receive count values difference to determine whether losses have occurred

• Transmitter shapes the traffic to a configured percentage of bottleneck link bandwidth once drops are detected

• If no drop is detected for a period of time, the shaper will increase its rate

BRKRST-2043 119


Algorithm To Compute Available BWDRAC (Dynamic Rate Control)

Sink

Sent pkt

Received pkt

Source

DroppedShaped Rate

Transmit

Intelligent, determine shaper rate based on transmit and

receive count difference

Receive

Passive, feedback receive counter values every 10sec

BRKRST-2043 120


Adaptive QoS for DMVPNConfiguration (Hub)

interface Tunnel1

ip address 192.168.1.1 255.255.255.0no ip redirectsip nhrp authentication GetDm0ip nhrp group 1ip nhrp map multicast dynamic

ip nhrp map group 1 service-policy output qosip nhrp network-id 1ip tcp adjust-mss 1360load-interval 30cdp enabletunnel source Loopback1tunnel mode gre multipointtunnel key 10001tunnel protection ipsec profile P1

HUB

policy-map qosclass class-default

shape adaptive upper-bound 6000000 lower-bound 2000000 service-policy child

policy-map childclass prec5priority percent 20class class-defaultbandwidth percent 80

Policy on DMVPN Tunnel -Assigned per NHRP spoke - consistent with Per Tunnel QoS

Hub->Spoke, Spoke-Hub- Adaptive shapers supported on hub->spoke & spoke->hub

- spoke->spoke in roadmap

Adaptive Shaper on Parent Class -Not allowed to configuring in Child Class

shape adaptive upper-bound <<bps> | percent <value>>

[lower-bound <<bps> | percent <value>>]

upper-bound : Mandatory (max ceiling for shaper) & Initial Value

lower-bound : Optional (0 if not specified)

BRKRST-2043 121


Adaptive QoS for DMVPNConfiguration (Spoke)

interface Tunnel1

ip address 192.168.1.2 255.255.255.0no ip redirectsip nhrp authentication GetDm0ip nhrp group 1ip nhrp map 192.168.1.1 11.1.1.1ip nhrp map multicast 11.1.1.1

ip nhrp map group 1 service-policy output qosip nhrp network-id 1ip nhrp nhs 192.168.1.1ip nhrp server-onlyip nhrp hold-time 360ip tcp adjust-mss 1360load-interval 30cdp enabletunnel source Loopback1tunnel mode gre multipointtunnel key 10001tunnel protection ipsec profile P1

Spoke

policy-map qosclass class-default

shape adaptive upper-bound 6000000 lower-bound 2000000 service-policy child

policy-map childclass class-defaultbandwidth percent 80service-policy grand_child

policy-map grand_childclass class-default

Policy on DMVPN Tunnel -Assigned per NHRP spoke - consistent with Per Tunnel QoS

Hub->Spoke, Spoke-Hub- Adaptive shapers supported on hub->spoke & spoke->hub

- spoke->spoke in roadmap

Adaptive Shaper on Parent Class -Not allowed to configuring in Child Class

shape adaptive upper-bound <<bps> | percent <value>>

[lower-bound <<bps> | percent <value>>]

upper-bound : Mandatory (max ceiling for shaper) & Initial Value

lower-bound : Optional (0 if not specified)

BRKRST-2043 122


Adaptive QoS Summary

The Adaptive QoS feature is not going to be documented in the CVD, but

is a valid corner case that can be used in portions of a customers network.

Adaptive QoS conflicts with PfR, because they are both trying to control

traffic on the same interface at the same time.

Adaptive QoS and PfR have not been officially tested together. Using it

with IWAN is considered a custom design.

123BRKRST-2043

Ethernet Overhead Accounting

124


Ethernet Overhead Accounting

The Ethernet Overhead Accounting feature enables the router to

account for downstream Ethernet frame headers when applying

shaping to packets.

Overhead can be calculated using keywords or with the user defining

the value for themselves.

Example for 14 bytes of Ethernet:

policy-map ethernet_overhead

class class-default

shape average 200000 account user-defined 14


service-policy output ethernet_overhead

125

http://www.cisco.com/c/en/us/td/docs/ios/ios_xe/qos/configuration/guide/2_xe/qos_xe_book/eth_overhead_acctng_xe.html

BRKRST-2043

http://www.cisco.com/c/en/us/td/docs/ios/ios_xe/qos/configuration/guide/2_xe/qos_xe_book/eth_overhead_acctng_xe.html

iwan avc/qos designd2zmdbbm9feqrf.cloudfront.net/2016/usa/pdf/brkrst-2043.pdf · iwan avc/qos...

Documents