Quality of Service on the Catalyst 6500 (slide transcript)

Slide 1: Quality of Service on the Catalyst 6500
Ron Trunk, CCIE, CISSP, Sr. Consultant
Chesapeake Netcraftsmen, LLC
Copyright 2005
Slide 2: About Chesapeake NetCraftsmen
• Chesapeake NetCraftsmen delivers high-availability solutions for Network Design, Operating Systems, Applications, Security, Storage and IP Telephony with deeply experienced CCIEs who excel at Knowledge Transfer.
• Chesapeake NetCraftsmen consultants include some of the most experienced Cisco CCIEs in the country.
• In fact, many of our consultants were among the first to gain those credentials, which is why we have some of the earliest certification numbers.
• Our technical staff averages at least 10 years of experience in the networking industry and many have taught Cisco Certified training.
Slide 3: Topics
• Quality of Service Review
• QoS for Convergence
• QoS for Security
• QoS Technology and Tools
• QoS Best Practices
• Configuring QoS on Catalyst 6500
Slide 4: The Tao of Caffeine
• Caffeine is a highly complex bitter alkaloid
  – From the same family of plant derivatives as morphine and codeine
• Acts on the body's dopamine receptors
  – Think of it like Prozac-lite
• Caffeine is the only psychoactive drug that does not have any legal restrictions
  – Approved by the FDA as a food additive
Slide 5: Caffeine Harmony
[Cartoon: a "too little / just right / too much" caffeine scale with side effects. Too little: sleepy, day dreaming, confusion ("How do you spell QoS again!??"). Just right: happy, cheery, attentive, focused, think highly of other people ("Wow, this is great! This Ron guy is REALLY smart!"). Too much: cranky, irritable, jittery, frustration ("QoS. Yep, I get it. Now shut up!!").]
Slide 6: Caffeine Delivery Vectors
[Bar chart: caffeine level (mg, 0 to 100) per serving for Tea, Coca-Cola, Mountain Dew, Jolt, Red Bull and Coffee (drip).]
Slide 7: What is Quality of Service (QoS)?
• Every application gets some QoS
  – You just may not like what it's getting!
• A collection of technologies which allows applications/users to request and receive predictable service levels of bandwidth, delay and delay variation (jitter)
• Quality of Service is the acknowledgement that application performance depends on network performance
Slide 8: What is QoS? (cont'd)
• Quality of service is "managed unfairness"
• Quality of service is the opposite of traffic engineering
• Quality of Service is the science (and art) of allocating limited network resources to various applications based on their needs and importance
Slide 9: Congestion: The Root of the Problem
• Congestion is caused by lack of bandwidth
• It can happen even if your network is not overloaded
• Congestion occurs in many normal situations
Slide 10: Congestion
• Speed mismatch
• Aggregation
[Figure: a speed mismatch (1000 Mb link feeding a 10 Mb link) and aggregation (three 512K links feeding one T1).]
Slide 11: Congestion Effects
• Congestion causes delay
  – Packets are buffered (queued) before being transmitted
• Congestion causes jitter
  – Buffered packets are transmitted with varying delays
• Congestion causes packet loss
  – Buffers fill up; additional packets are dropped
Slide 12: Congestion
• Packet loss
[Figure: an output queue; when the queue is full, additional packets are dropped.]
Slide 13: What Happens When Data Is Dropped?
• Tail drop: the queue fills up and all additional traffic is dropped
• UDP sources rely on the application to detect the drop and retransmit
• TCP sources slow down and retransmit
  – Tail drop causes global synchronization of data flows
  – Greatly reduces the efficiency of data links
Slide 14: TCP Global Synchronization: The Need for Congestion Avoidance
[Figure: bandwidth utilization (up to 100%) over time. Three traffic flows start at different times, another flow starts later; at each tail-drop event all TCP flows back off together and then ramp up together, so utilization oscillates in waves, wasting much of the available bandwidth.]
Slide 15: Topics (agenda repeated; next section: QoS for Convergence)
Slide 16: Voice QoS Requirements: End-to-End Latency
[Figure: one-way delay scale from 0 to 800 ms with a delay target marked. Quality zones in order of increasing delay: high quality; fax relay / broadcast quality; satellite quality; "CB zone" ("Hello? Hello?").]
• ITU-T G.114 recommendation: ≤ 150 ms one-way delay
• Avoid the "human Ethernet"
Slide 17: Voice QoS Requirements: Elements That Affect Latency and Jitter
[Figure: a call path from the campus across an IP WAN to a branch office and the PSTN. End-to-end delay must be ≤ 150 ms and is made up of:]
• CODEC: G.729A adds 25 ms (fixed)
• Queuing: variable
• Serialization: variable
• Propagation and network: fixed 6.3 µs/km plus variable network delay
• Jitter buffer: 20–50 ms
Slide 18: Voice QoS Requirements: Packet Loss Limitations
• Cisco DSP codecs can use predictor algorithms to compensate for a single lost packet in a row
• Two lost packets in a row will cause an audible clip in the conversation
[Figure: a stream of voice packets 1, 2, 3, 4; when one packet is lost, the DSP fills its slot with a reconstructed voice sample predicted from the packets around it.]
Slide 19: Jitter
[Figure: two IP phones on 10 Mbps Ethernet segments joined by a 56 kbps WAN link. The phone sends a 60-byte voice packet every 20 ms; on the far side the packets arrive every 214 ms or more.]
The 214 ms gap is the serialization time of a 1500-byte packet on a 56 kbps link (1500 × 8 / 56000 = 0.214 s): one full-size data packet clocked out ahead of the voice packet is enough to turn a 20 ms spacing into a 214 ms one, and the spacing varies with whatever happens to be ahead in the queue.
Slide 20: Voice QoS Requirements: Provisioning for Voice
Voice one-way requirements:
• Latency ≤ 150 ms
• Jitter ≤ 30 ms
• Loss ≤ 1%
• 17–106 kbps guaranteed priority bandwidth per call
• 150 bps (+ Layer 2 overhead) guaranteed bandwidth for voice-control traffic per call
• CAC must be enabled
Voice traffic characteristics: smooth, benign, drop sensitive, delay sensitive, UDP priority
Slide 21: Video QoS Requirements: Video Conferencing Traffic Example (384 kbps)
[Figure: an "I" frame of 1024–1518 bytes followed by runs of "P" and "B" frames of 128–256 bytes; frame rates of 15 pps and 30 pps; the offered rate swings between 32 kbps and 450 kbps.]
• "I" frame is a full sample of the video
• "P" and "B" frames use quantization via motion vectors and prediction algorithms
Slide 22: Video QoS Requirements: Video Conferencing Traffic Packet Size Breakdown
• 65–128 bytes: 1%
• 129–256 bytes: 34%
• 257–512 bytes: 8%
• 513–1024 bytes: 20%
• 1025–1500 bytes: 37%
Slide 23: Video QoS Requirements: Provisioning for Interactive Video
Video one-way requirements:
• Latency ≤ 150 ms
• Jitter ≤ 30 ms
• Loss ≤ 1%
• Minimum priority bandwidth guarantee required is the video stream plus 10–20%
  – e.g. a 384 kbps stream could require up to 460 kbps of priority bandwidth
• CAC must be enabled
Video traffic characteristics: bursty, drop sensitive, delay sensitive, UDP priority
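The arithmetic behind the voice and video numbers on slides 16 through 23, as an added example that is not part of the original deck. The 56 kbps link, the 60-byte voice packet every 20 ms, the 214 ms figure, the 6.3 µs/km propagation delay and the 384 kbps plus 20% video rule are the slides' own; the 40-byte IP/UDP/RTP header, the 18 bytes of Ethernet framing, the G.711 (160-byte) and G.729 (20-byte) payloads per 20 ms packet, the 1500-byte data packet sitting ahead of the voice packet and the 30 ms jitter buffer in the sample budget are standard values assumed here.

```python
"""Voice/video provisioning arithmetic for slides 16-23 (added example).

Assumptions, not from the deck: 40-byte IP/UDP/RTP header, 18-byte untagged
Ethernet framing (header + FCS), codec payloads of 160 bytes (G.711) and
20 bytes (G.729) per 20 ms packet, and a 1500-byte data packet as the worst
case sitting ahead of a voice packet in a FIFO queue.
"""

IP_UDP_RTP_BYTES = 40
ETHERNET_L2_BYTES = 18          # assumption: 14-byte header + 4-byte FCS
PACKET_INTERVAL_MS = 20         # one voice packet every 20 ms (slide 19)
CODEC_PAYLOAD_BYTES = {"G.711": 160, "G.729": 20}   # assumption (standard values)
G114_ONE_WAY_MS = 150           # ITU-T G.114 target (slide 16)
PROPAGATION_US_PER_KM = 6.3     # fixed propagation delay (slide 17)


def voice_packet_bytes(codec, include_l2=False):
    """Size of one voice packet: payload + IP/UDP/RTP, optionally + Ethernet framing."""
    size = CODEC_PAYLOAD_BYTES[codec] + IP_UDP_RTP_BYTES
    return size + ETHERNET_L2_BYTES if include_l2 else size


def per_call_bps(codec, include_l2=True):
    """Priority bandwidth one direction of one call needs, in bits per second."""
    packets_per_second = 1000 // PACKET_INTERVAL_MS
    return voice_packet_bytes(codec, include_l2) * 8 * packets_per_second


def video_priority_bps(stream_bps, headroom_pct=20):
    """Slide 23 rule: video stream rate plus 10-20% headroom for its bursts."""
    return stream_bps * (100 + headroom_pct) // 100


def serialization_ms(packet_bytes, link_bps):
    """Time to clock a packet onto a link of the given speed."""
    return packet_bytes * 8 * 1000 / link_bps


def propagation_ms(distance_km):
    return distance_km * PROPAGATION_US_PER_KM / 1000


def one_way_delay_ms(codec_ms, jitter_buffer_ms, links, voice_bytes,
                     data_packet_ahead_bytes=1500):
    """Sum the slide 17 components across a path.

    links is a list of (link_bps, distance_km).  On every link the voice packet
    pays its own serialization, propagation and, without a priority queue, the
    serialization of one data packet already on the wire ahead of it; pass
    data_packet_ahead_bytes=0 to model a strict-priority (LLQ) queue.
    """
    total = codec_ms + jitter_buffer_ms
    for link_bps, distance_km in links:
        total += serialization_ms(voice_bytes, link_bps) + propagation_ms(distance_km)
        total += serialization_ms(data_packet_ahead_bytes, link_bps)
    return total


def meets_g114(delay_ms):
    return delay_ms <= G114_ONE_WAY_MS


if __name__ == "__main__":
    g729 = voice_packet_bytes("G.729")            # 60 bytes, as on slide 19
    print(f"G.729 packet: {g729} bytes, {per_call_bps('G.729', include_l2=False) / 1000} kbps at L3,"
          f" {per_call_bps('G.729') / 1000} kbps on Ethernet")
    print(f"G.711 on Ethernet: {per_call_bps('G.711') / 1000} kbps per call")
    print(f"384 kbps video needs up to {video_priority_bps(384000) / 1000} kbps priority bandwidth")
    # Slide 19: a 1500-byte packet ahead of the voice packet on a 56 kbps link.
    print(f"1500 bytes at 56 kbps: {serialization_ms(1500, 56000):.1f} ms")
    budget_56k = one_way_delay_ms(25, 30, [(56000, 0)], g729)
    budget_t1 = one_way_delay_ms(25, 30, [(1_544_000, 1000)], g729)
    print(f"56 kbps FIFO: {budget_56k:.1f} ms (G.114 ok: {meets_g114(budget_56k)})")
    print(f"T1, 1000 km FIFO: {budget_t1:.1f} ms (G.114 ok: {meets_g114(budget_t1)})")
```

The 56 kbps case blows the 150 ms budget on serialization of the data packet alone, which is why slow WAN links need a priority queue (and link fragmentation, not covered here) rather than more codec tuning; the same path with `data_packet_ahead_bytes=0` fits comfortably.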
Slide 24: Data QoS Requirements: Application Differences
[Figure: packet-size distributions for Oracle and for SAP R/3 across the bins 0–64, 65–127, 128–252, 253–511, 512–1023 and 1024–1518 bytes; the two applications have clearly different profiles.]
Slide 25: Data QoS Requirements: Version Differences
SAP sales order entry transaction (VA01), bytes per transaction by client version:
• SAP GUI Release 3.0F: 14,000
• SAP GUI Release 4.6C, with cache: 33,000
• SAP GUI Release 4.6C, no cache: 57,000
• SAP GUI for HTML, Release 4.6C: 490,000
• The same transaction takes over 35 times more traffic from one version of an application to another
[Bar chart of the same four figures on a 0–500,000 byte scale.]
Slide 26: Data QoS Requirements: Provisioning for Data
• Use four/five main traffic classes:
  – Mission-critical apps: business-critical client-server applications
  – Transactional/interactive apps: foreground apps, client-server apps or interactive applications
  – Bulk data apps: background apps, FTP, e-mail, backups, content distribution
  – Best effort apps (default class)
  – Optional: Scavenger apps: peer-to-peer apps, gaming traffic
• Additional optional data classes include internetwork control (routing) and network management
• Most apps fall under best effort; make sure that adequate bandwidth is provisioned for this default class
Slide 27: Data QoS Requirements: Provisioning for Data
• Different applications have different traffic characteristics
• Different versions of the same application can have different traffic characteristics
• Classify data into a four/five data class model:
  – Mission-critical apps
  – Transactional/interactive apps
  – Bulk data apps
  – Best effort apps
  – Optional: Scavenger apps
Data traffic characteristics: smooth/bursty, benign/greedy, drop insensitive, delay insensitive, TCP retransmits
Slide 28: Topics (agenda repeated; next section: QoS for Security)
Slide 29: Business Security Threat Evolution: Expanding Scope of Theft and Disruption
[Figure: scope of damage (individual computer, individual networks, multiple networks, regional networks, global impact) plotted against sophistication of threats from the 1980s to the future.]
• 1st generation (1980s): boot viruses; damage confined to an individual computer
• 2nd generation (1990s): macro viruses, Trojans, email, single-server DoS, limited targeted hacking
• 3rd generation (today): multi-server DoS, DDoS, blended threats (worm + virus + Trojan), turbo worms, widespread system hacking
• Next generation (future): infrastructure hacking, flash threats, massive worm-driven DDoS, negative-payload viruses, worms and Trojans; global impact
Slide 30: Emerging Speed of Network Attacks: Do You Have Time To React?
• 1980s–1990s: usually had weeks or months to put a defense in place
• 2000–2002: attacks progressed over hours; time to assess danger and impact, time to implement a defense
• 2003–future: attacks progress on a timeline of seconds
SQL Slammer worm: doubled every 8.5 seconds; after 3 minutes, 55M scans/sec; a 1 Gb link is saturated after one minute. In half the time it took to read this slide, your network and all of your applications would have become unreachable. SQL Slammer was a warning; newer "flash" worms are exponentially faster.
Slide 31: Impact of an Internet Worm: Anatomy of a Worm: Why It Hurts
1. The enabling vulnerability
2. Propagation mechanism
3. Payload
Slide 32: Impact of an Internet Worm, Part 1: Direct and Collateral Damage
[Figure: enterprise topology with primary and secondary data centers, campus, a branch over L3VPN and Metro Ethernet, a teleworker over L2VPN/broadband DSL, and Internet connections; three damage points are called out: end systems overloaded, control plane overloaded, data plane overloaded.]
Slide 33: QoS Tools and Tactics for Security: QoS for Self-Defending Networks
• Control Plane Policing
• Data Plane Policing (Scavenger-class QoS)
• NBAR for known-worm policing
Slide 34: Data Plane Policing, Part 1: First-Order Anomaly Detection
• All end systems generate traffic spikes, but worms create sustained spikes
• Normal/abnormal threshold set at approximately 95% confidence
• No dropping at the campus access edge! Only remarking
[Figure: per-host traffic rate over time against a normal/abnormal threshold line; traffic above the threshold is policed and remarked (if necessary).]
Slide 35: Data Plane Policing
• Queuing only engages if links become congested; when congestion occurs, drops will also occur
• Scavenger-class QoS allows for increased intelligence in the dropping decision
  – "Abnormal" traffic flows will be dropped aggressively
  – "Normal" traffic flows will continue to receive network service
[Figure: policing at the access edge marks abnormal flows Scavenger; queuing engages when links become congested and traffic previously marked Scavenger is dropped aggressively. WAN/VPN links will likely congest first; campus uplinks may also congest.]
Slide 36: Impact of an Internet Worm, Part 2: Integrating Security and QoS
[Figure: the slide 32 topology (data centers, campus, branch, teleworker, Internet) annotated with a countermeasure for each damage point.]
• Prevent the attack: intrusion detection, Cisco Guard, firewall, ACLs and NBAR
• Protect the end systems: Cisco Security Agent
• Protect the control plane: Control Plane Policing
• Protect the data plane: Data Plane Policing (Scavenger-class QoS)
Slide 37: Topics (agenda repeated; next section: QoS Technology and Tools)
Slide 38: QoS Technologies
• Best Effort
• Integrated Services (IntServ)
• Differentiated Services (DiffServ)
Slide 39: Best Effort
• Best Effort is really no QoS
• It's what you are probably using now
• Everything gets treated the same
Slide 40: Best Effort
• With no QoS, variations in traffic rates will cause unpredictable delay and jitter
• Traffic peaks can bring down the entire network
  – Flash crowds
  – Slammer
  – Code Red
  – The "social user"
  – Etc.
[Example e-mail: To: All Users in Company. From: The Social User. Subject: Really funny video. "Hey! You gotta check out this video clip of (pick one): dancing baby / politician or celebrity doing something undignified / cute animal in human-like pose. You can get it at www.use-all-my-bandwidth.com"]
Slide 41: Integrated Services (IntServ)
• Allows an end device to request network services
• End device requests bandwidth for an application
• Resource reSerVation Protocol (RSVP) is used to signal
Slide 42: Integrated Services
• Uses RSVP, the Resource Reservation Protocol
• Receiver requests resources from the network
• Each device along the path reserves resources
• When the flow is done, devices release resources
Slide 43: RSVP At A Glance
[Figure: sender phone, two routers, receiver phone. The data flow runs from sender to receiver; RSVP messages travel hop by hop from the receiver back toward the sender, and each device along the way reserves 15K of bandwidth.]
Note: two separate reservations are required for 2-way voice!
Slide 44: RSVP Pros and Cons
• Pros
  – Automatic QoS
  – Granular
• Cons
  – Doesn't scale well
  – Network overhead for signaling messages
  – Requires recent software
  – Not yet integrated with gateways
• RSVP goes in and out of favor
Slide 45: Differentiated Services (DiffServ)
• Acknowledges that different kinds of traffic need to be treated differently
• Separates data flows into classes
  – Uses layer 2, 3 and 4 information
• Classes of data are treated according to predefined rules
  – Maximum and minimum bandwidth, delay, etc.
Slide 46: General DiffServ Strategy
• Classify traffic
  – Use predefined classes according to layer 2, 3 or 4 information
• Mark traffic
  – Tag traffic so that its class can easily be determined by downstream devices
• Police and/or shape traffic
  – Limit data flows to maximum rates
• Schedule flows on downstream devices to allocate resources
  – Use congestion management and avoidance techniques
Slide 47: Classification Tools: Ethernet 802.1Q/p Class of Service
• The 802.1p user priority field is also called Class of Service (CoS)
• Different types of traffic are assigned different CoS values
• CoS 6 and 7 are reserved for network use
[Figure: Ethernet frame (Preamble, SFD, DA, SA, Type, Data, FCS) carrying a 4-byte 802.1Q/p tag; the tag holds PRI, CFI and VLAN ID fields, and the three PRI bits are the CoS (802.1p user priority).]
CoS to application:
• 0: Best effort data
• 1: Bulk data
• 2: Critical data
• 3: Call signaling
• 4: Video
• 5: Voice
• 6: Routing
• 7: Reserved
Slide 48: Classification Tools: IP Precedence and DiffServ Code Points
• IPv4: the three most significant bits of the ToS byte are called IP Precedence (IPP); the other bits are unused
• DiffServ: the six most significant bits of the ToS byte are called the DiffServ Code Point (DSCP); the remaining two bits are used for IP ECN (explicit congestion notification)
• DSCP is backward-compatible with IP Precedence
[Figure: IPv4 header (Version, Length, ToS byte, Len, ID, Offset, TTL, Proto, FCS, IP SA, IP DA, Data). ToS byte bits 7 to 0: standard IPv4 uses bits 7–5 as IP Precedence and leaves bits 4–0 unused; the DiffServ extension uses bits 7–2 as the DSCP and bits 1–0 as IP ECN.]
Slide 49: Classification Tools: DSCP Per-Hop Behaviors
• IETF RFCs have defined special keywords, called Per-Hop Behaviors (PHBs), for specific DSCP markings
• EF: Expedited Forwarding (RFC 3246, formerly RFC 2598): DSCP 46
• CSx: Class Selector (RFC 2474), where x corresponds to the IP Precedence value (1–7): DSCP 8, 16, 24, 32, 40, 48, 56
• AFxy: Assured Forwarding (RFC 2597), where x corresponds to the IP Precedence value (only 1–4 are used for AF classes) and y is the drop preference value (1, 2 or 3), with higher values denoting a higher likelihood of dropping: DSCP 10/12/14, 18/20/22, 26/28/30, 34/36/38
• BE: Best Effort or default marking value (RFC 2474): DSCP 0
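The bit arithmetic behind slides 48 and 49, as an added example that is not part of the deck: split a ToS byte into DSCP, ECN and IP Precedence, name the PHB for any code point, and invert the keyword back to a DSCP. The self-check at the end runs the marking table from the QoS Baseline slide later in the deck through these functions; the bit layout is RFC 2474 (DSCP) and RFC 3168 (ECN). DSCP 25, which appears in the deck's own policing example, has no standard keyword and shows how the naming function reports that.

```python
"""DSCP / IP Precedence / ECN decoding and PHB naming (slides 48-49, 64).

Added example, not from the deck.  Bit layout is RFC 2474 (DSCP) and RFC 3168
(ECN); the BASELINE rows are the markings on the deck's QoS Baseline table.
"""
import re


def split_tos(tos_byte):
    """Split an IPv4 ToS byte into (DSCP, ECN, IP Precedence)."""
    if not 0 <= tos_byte <= 0xFF:
        raise ValueError("ToS byte must fit in 8 bits")
    dscp = tos_byte >> 2          # six most significant bits
    ecn = tos_byte & 0b11         # two least significant bits
    ipp = tos_byte >> 5           # three most significant bits, same as dscp >> 3
    return dscp, ecn, ipp


def tos_byte(dscp, ecn=0):
    """Rebuild the ToS byte from a DSCP and ECN value."""
    if not (0 <= dscp <= 63 and 0 <= ecn <= 3):
        raise ValueError("DSCP must be 0-63 and ECN 0-3")
    return (dscp << 2) | ecn


def phb_name(dscp):
    """RFC keyword for a code point: BE, EF, CSx, AFxy; else 'DSCPnn' (no keyword)."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0-63")
    if dscp == 0:
        return "BE"
    if dscp == 46:
        return "EF"
    cls, low = dscp >> 3, dscp & 0b111      # class selector bits / low three bits
    if low == 0:
        return f"CS{cls}"
    if 1 <= cls <= 4 and low in (2, 4, 6):   # AF drop precedence 1..3 = low bits 010/100/110
        return f"AF{cls}{low // 2}"
    return f"DSCP{dscp}"


def dscp_from_phb(name):
    """Inverse of phb_name for the standard keywords."""
    name = name.upper()
    if name in ("BE", "DEFAULT"):
        return 0
    if name == "EF":
        return 46
    m = re.fullmatch(r"CS([1-7])", name)
    if m:
        return int(m.group(1)) << 3
    m = re.fullmatch(r"AF([1-4])([1-3])", name)
    if m:
        return (int(m.group(1)) << 3) | (int(m.group(2)) << 1)
    raise ValueError(f"unknown PHB keyword {name!r}")


def af_drop_precedence(dscp):
    """1, 2 or 3 for an AFxy code point (higher = dropped sooner), else None."""
    name = phb_name(dscp)
    return int(name[3]) if name.startswith("AF") else None


# Slide 64 marking table: (application, DSCP, PHB, IPP); CoS equals IPP there.
BASELINE = [
    ("Routing", 48, "CS6", 6), ("Voice", 46, "EF", 5),
    ("Video Conferencing", 34, "AF41", 4), ("Streaming Video", 32, "CS4", 4),
    ("Mission-Critical Data", 26, "AF31", 3), ("Call Signaling", 24, "CS3", 3),
    ("Transactional Data", 18, "AF21", 2), ("Network Management", 16, "CS2", 2),
    ("Bulk Data", 10, "AF11", 1), ("Scavenger", 8, "CS1", 1), ("Best Effort", 0, "BE", 0),
]


def baseline_consistent():
    """True if every row's PHB keyword and IPP follow from its DSCP."""
    return all(phb_name(d) == phb and dscp_from_phb(phb) == d and d >> 3 == ipp
               for _, d, phb, ipp in BASELINE)


if __name__ == "__main__":
    for app, d, phb, ipp in BASELINE:
        print(f"{app:22s} DSCP {d:2d} = 0b{d:06b} -> {phb_name(d):5s} IPP {d >> 3}")
    print("ToS 0xB8 ->", split_tos(0xB8))       # EF voice, ECN not set
    print("DSCP 25 ->", phb_name(25))            # no standard keyword
    print("baseline consistent:", baseline_consistent())
```

The IPP column of the baseline table is just `dscp >> 3`, which is the whole of the "backward compatible" claim on slide 48: a legacy device that only reads the top three bits sees AF41 (34) and CS4 (32) as the same precedence 4.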
Slide 50: Scavenger Class: Less than Best Effort
• The Scavenger class is an Internet2 draft specification for a "less-than best effort" service
• There is an implied "good faith" commitment for the "best effort" traffic class
  – It is generally assumed that at least some network resources will be available for the default class
  – That assumption is not true for Scavenger
• Scavenger class markings can be used to distinguish out-of-profile/abnormal traffic flows from in-profile/normal flows
  – The Scavenger class marking is DSCP CS1 (8)
• Scavenger traffic is assigned a "less-than best effort" queuing treatment whenever congestion occurs
Slide 51: Policing
• Policers can take different actions when traffic exceeds a level
  – Drop traffic
  – Change classification, i.e. markdown
Slide 52: Policing Tools: RFC 2697 Single Rate Three Color Policer
[Figure: tokens arrive at the committed information rate (CIR) into a committed bucket of size CBS; overflow spills into an excess bucket of size EBS. For an arriving packet of size B: if B < Tc (tokens in the committed bucket) the packet conforms; otherwise, if B < Te (tokens in the excess bucket) it exceeds; otherwise it violates. Each of the three outcomes has its own configured action.]
Slide 53: Shaping Tools: Traffic Shaping
• Policers typically drop traffic
• Shapers typically delay excess traffic, smoothing bursts and preventing unnecessary drops
• Very common on Non-Broadcast Multiple-Access (NBMA) network topologies such as Frame Relay and ATM
[Figure: without traffic shaping, bursts go out at line rate; with traffic shaping, the transmit rate is limited to a shaped rate lower than line rate.]
Slide 54: Scheduling Tools: Queuing Algorithms
• Congestion can occur at any point in the network where there are speed mismatches
• Routers use Cisco IOS-based software queuing
  – Low-Latency Queuing (LLQ) is used for the highest-priority traffic (voice/video)
  – Class-Based Weighted Fair Queuing (CBWFQ) is used for guaranteeing bandwidth to data applications
• Cisco Catalyst switches use hardware queuing
[Figure: voice, video and data queues (priorities 1, 2 and 3) feeding one scheduler.]
Slide 55: Scheduling Tools: Congestion Avoidance Algorithms
[Figure: a queue holding packets marked 0 through 3. With tail drop, whatever arrives at a full queue is discarded, including priority-3 packets; with WRED, low-priority packets (0 and 1) are dropped early so that the priority-3 packets get through.]
• Queueing algorithms manage the front of the queue, i.e. which packets get transmitted first
• Congestion avoidance algorithms, like Weighted Random Early Detection (WRED), manage the tail of the queue, i.e. which packets get dropped first when queuing buffers fill
• WRED can operate in a DiffServ-compliant mode which will drop packets according to their DSCP markings
• WRED works best with TCP-based applications, like data
Slide 56: WRED Operation (1)
• Two classes, two thresholds each:
  – Gold: 100% high, 60% low
  – Blue: 80% high, 30% low
• When queue depth exceeds 30%, some random blue packets are dropped
[Figure: queue depth 0–100% with the four thresholds marked (Blue low 30%, Gold low 60%, Blue high 80%, Gold high 100%); dropped packets go to the "bit bucket".]
Slide 57: WRED Operation (2)
• Two classes, two thresholds each:
  – Gold: 100% high, 60% low
  – Blue: 80% high, 30% low
• As queue depth increases, the drop rate for blue packets increases
[Figure: same queue and thresholds as slide 56, queue depth now between 30% and 60%.]
Slide 58: WRED Operation (3)
• Two classes, two thresholds each:
  – Gold: 100% high, 60% low
  – Blue: 80% high, 30% low
• When queue depth exceeds 60%, the drop rate for blue packets increases and gold packets become subject to random drops
[Figure: same queue and thresholds, queue depth now between 60% and 80%.]
Slide 59: WRED Operation (4)
• Two classes, two thresholds each:
  – Gold: 100% high, 60% low
  – Blue: 80% high, 30% low
• When queue depth exceeds 80%, tail drop occurs for blue packets (all exceeding packets are dropped), and the drop rate for gold packets increases
[Figure: same queue and thresholds, queue depth now above 80%.]
Slide 60: Scheduling Tools: DSCP-Based WRED Operation
[Figure: drop probability (0 to 100%) against average queue size. AF13 begins dropping first, then AF12, then AF11; each class reaches "drop all" at a successively higher average queue size, and beyond the maximum queue length everything is tail-dropped. AF = Assured Forwarding (RFC 2597).]
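The WRED behaviour walked through on slides 55 to 60, as an added example that is not from the deck: a RED drop curve per class (no drops below the minimum threshold, a linear ramp to the maximum, tail drop above it), the exponentially weighted average queue depth that RED actually tests against, and a Monte Carlo run that reproduces the four stages on slides 56 to 59. The Gold (60/100) and Blue (30/80) thresholds are the slides' own; the 1-in-10 drop probability at the maximum threshold, the averaging exponent of 9 and the AF11/AF12/AF13 threshold sets are assumptions chosen for illustration, since the deck gives no numbers for them.

```python
"""WRED drop decisions (slides 55-60): per-class min/max thresholds with a
linear ramp between them.

Added example, not Catalyst code.  The Gold (60/100) and Blue (30/80) thresholds
are the ones on slides 56-59.  The 1-in-10 drop probability at the maximum
threshold, the EWMA exponent of 9 and the AF11/AF12/AF13 threshold sets are
assumptions for illustration; the deck gives no numbers for them.
"""
import random

PROFILES_PCT = {"gold": (60, 100), "blue": (30, 80)}       # (min, max) % queue depth
# Assumption: RFC 2597 drop precedence maps to earlier thresholds for AF13 than AF11.
AF1X_PROFILES_PCT = {"AF11": (40, 70), "AF12": (30, 60), "AF13": (20, 50)}
MAX_DROP_PROBABILITY = 0.1      # assumption: drop 1 in 10 just below the max threshold


def drop_probability(avg_queue_pct, min_pct, max_pct, max_prob=MAX_DROP_PROBABILITY):
    """RED curve: no drops below min, linear ramp to max_prob, tail drop at/above max."""
    if avg_queue_pct < min_pct:
        return 0.0
    if avg_queue_pct >= max_pct:
        return 1.0
    return max_prob * (avg_queue_pct - min_pct) / (max_pct - min_pct)


def ewma_queue_depth(prev_avg, current_depth, exponent=9):
    """Average queue depth as RED computes it: avg += (cur - avg) / 2**exponent.

    The averaging is what lets short bursts through while sustained congestion
    still triggers drops."""
    return prev_avg + (current_depth - prev_avg) / 2 ** exponent


def wred_drop_rates(avg_queue_pct, profiles=PROFILES_PCT, packets=20000, seed=7):
    """Monte Carlo estimate of the fraction of each class's arrivals dropped at a
    given average depth (the random part of Weighted *Random* Early Detection)."""
    rng = random.Random(seed)
    rates = {}
    for cls, (lo, hi) in profiles.items():
        p = drop_probability(avg_queue_pct, lo, hi)
        rates[cls] = sum(1 for _ in range(packets) if rng.random() < p) / packets
    return rates


def drop_order(avg_queue_pct, profiles=AF1X_PROFILES_PCT):
    """Classes from most to least likely to be dropped at this depth (DSCP-based WRED)."""
    return sorted(profiles, key=lambda c: -drop_probability(avg_queue_pct, *profiles[c]))


def settle_average(depths, exponent=9):
    """Run the EWMA over a sequence of instantaneous depths; returns the final average."""
    avg = 0.0
    for d in depths:
        avg = ewma_queue_depth(avg, d, exponent)
    return avg


if __name__ == "__main__":
    for depth in (45, 70, 85, 100):   # the four stages on slides 56-59
        print(f"avg depth {depth:3d}%: drop rates {wred_drop_rates(depth)}")
    print("AF1x drop order at 45%:", drop_order(45))
    burst = settle_average([100] * 20)          # a 20-packet-time burst
    sustained = settle_average([100] * 2000)    # congestion that does not go away
    print(f"EWMA after a short burst: {burst:.1f}%, after sustained load: {sustained:.1f}%")
```

Two things the slides' static pictures do not show: the thresholds are compared against the averaged depth, so a 20-packet burst that fills the queue to 100% leaves the average under the 30% Blue minimum and drops nothing, while sustained load drives the average past 80% and tail-drops Blue; and with DSCP-based WRED the three AF1x code points sharing one queue are dropped in precedence order, which is exactly the markdown path RFC 2597 intends.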
Slide 61: Topics (agenda repeated; next section: QoS Best Practices)
[Cartoon caption: "I haven't the slightest idea who he is. He came bundled with the software."]
Slide 62: How is QoS Optimally Deployed?
1) Strategically define the business objectives to be achieved via QoS.
2) Analyze the service-level requirements of the various traffic classes to be provisioned for.
3) Design and test the QoS policies prior to production-network rollout.
4) Roll out the tested QoS designs to the production network in phases, during scheduled downtime.
5) Monitor service levels to ensure that the QoS objectives are being met.
Slide 63: How is QoS Usually Deployed?
"The CEO says our new expensive IP Phone system sounds like இ¥‽✺!♐. Fix it!! Now!!!"
Slide 64: Classification and Marking Design: QoS Baseline Marking Recommendations
Application            | L3 DSCP | L3 PHB | L3 IPP | L2 CoS
Routing                | 48      | CS6    | 6      | 6
Voice                  | 46      | EF     | 5      | 5
Video Conferencing     | 34      | AF41   | 4      | 4
Streaming Video        | 32      | CS4    | 4      | 4
Mission-Critical Data  | 26      | AF31*  | 3      | 3
Call Signaling         | 24      | CS3*   | 3      | 3
Transactional Data     | 18      | AF21   | 2      | 2
Network Management     | 16      | CS2    | 2      | 2
Bulk Data              | 10      | AF11   | 1      | 1
Scavenger              | 8       | CS1    | 1      | 1
Best Effort            | 0       | 0      | 0      | 0
Slide 65: How Many Classes of Service Do I Need? Example Strategy for Expanding the Number of Classes over Time
• 4/5 class model: Realtime, Call Signaling, Critical Data, Best Effort, Scavenger
• 8 class model: Voice, Video, Call Signaling, Network Control, Critical Data, Bulk Data, Best Effort, Scavenger
• QoS Baseline model: Voice, Interactive Video, Streaming Video, Call Signaling, IP Routing, Network Management, Mission-Critical Data, Transactional Data, Bulk Data, Best Effort, Scavenger
[Figure: the three models arranged left to right along a time axis, each class splitting into finer classes in the next model.]
Slide 66: Mission Critical Applications
• Classify mission critical applications for preferred handling
• Think long and hard before you do this
• If you still want to do it, take some aspirin and lie down for a while
• Assumes you know
  – The traffic characteristics of the application
  – How network performance affects the application
  • Hint: probably less than you think
• Assumes you can (and want to) navigate through the managerial and political implications
Slide 67: A Better Idea
• Classify time-insensitive traffic as "Bulk Traffic"
  – FTP
  – File backup
  – Database synchronization
  – Email transfer
• Bulk gets limited best effort and scavenger treatment
Slide 68: Classification and Marking Design: Where and How Should Marking Be Done?
• QoS policies (in general) should always be performed in hardware, rather than software, whenever a choice exists
• Classify and mark applications as close to their sources as technically and administratively feasible
• Use DSCP markings whenever possible
• Follow standards-based DSCP PHBs to ensure interoperation and future expansion
  – RFC 2474 Class Selector code points
  – RFC 2597 Assured Forwarding classes
  – RFC 3246 Expedited Forwarding
Slide 69: Campus Queuing Design: Realtime, Best Effort and Scavenger Queuing Rules
[Figure: link bandwidth divided into Real-Time ≤ 33%, Critical Data, Best Effort ≥ 25%, and Scavenger/Bulk ≤ 5%.]
Slide 70: Best Practices Summary
• Allocate 33% bandwidth for realtime (voice) traffic
• Allocate no less than 25% for best effort
• Don't drive yourself nuts with classifications. Keep it simple.
  – There are plenty of other things that will drive you nuts
• Resist classifying mission-critical traffic
• Consider a Bulk class
• Allocate 5% or less to Scavenger
• Keep your queuing policies consistent throughout your campus as hardware allows
• These are "rules of thumb." Your thumbs may be different
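How the slide 69/70 allocations behave on a congested and an uncongested link, and what they buy you during the worm scenario of slides 34 and 35, as an added example that is not from the deck and is a model rather than Catalyst hardware: a strict-priority real-time queue policed to 33% of the link, then a work-conserving weighted round robin over the data queues with best effort weighted 25 and scavenger 5. The critical-data weight of 37 (100 minus 33, 25 and 5) and the 1000-byte link interval and host loads are assumptions made so that the numbers come out whole.

```python
"""Egress scheduling under the slide 69/70 rules (added example, not Catalyst
hardware behaviour): a strict-priority real-time queue policed to 33% of the link,
then weighted round robin for the data queues with best effort weighted 25 and
scavenger 5.  The critical-data weight of 37 (100 - 33 - 25 - 5) is an assumption
so that the weights cover the whole link when every queue is backlogged.
Sizes are bytes per scheduling interval.
"""

PRIORITY_QUEUE = "realtime"
PRIORITY_CAP_PCT = 33                                   # Real-Time <= 33%
WRR_WEIGHTS = {"critical": 37, "best_effort": 25, "scavenger": 5}


def schedule_interval(link_bytes, offered, weights=WRR_WEIGHTS,
                      priority_cap_pct=PRIORITY_CAP_PCT):
    """Bytes each class transmits in one interval on a link carrying link_bytes.

    offered maps class -> bytes queued.  The priority queue goes first but is
    capped (the LLQ policer), so a runaway real-time source cannot starve data.
    What is left is shared by weight; a queue offering less than its share hands
    the surplus to the others (work-conserving), so the weights only bite when
    the link is actually congested, which is the point made on slide 35.
    """
    sent = {cls: 0.0 for cls in (PRIORITY_QUEUE, *weights)}
    cap = link_bytes * priority_cap_pct // 100
    sent[PRIORITY_QUEUE] = float(min(offered.get(PRIORITY_QUEUE, 0), cap))
    remaining = link_bytes - sent[PRIORITY_QUEUE]
    pending = {c: float(offered[c]) for c in weights if offered.get(c, 0) > 0}
    while remaining > 1e-9 and pending:
        total_weight = sum(weights[c] for c in pending)
        round_budget = remaining
        for cls in list(pending):
            grant = min(round_budget * weights[cls] / total_weight, pending[cls])
            sent[cls] += grant
            pending[cls] -= grant
            remaining -= grant
            if pending[cls] <= 1e-9:
                del pending[cls]          # satisfied; its share is redistributed
    return sent


def normal_host_share(worm_remarked, link_bytes=1000):
    """Bytes a well-behaved best-effort host gets when an infected host on the same
    link blasts five times that much, either remarked to Scavenger at the access
    edge (slide 34) or left in the best-effort queue.  Within one FIFO queue the
    hosts split the queue's grant in proportion to what they offered."""
    normal, worm = 1000.0, 5000.0          # constructed sample loads
    offered = {"realtime": link_bytes, "critical": link_bytes,
               "best_effort": normal + (0 if worm_remarked else worm),
               "scavenger": worm if worm_remarked else 0}
    sent = schedule_interval(link_bytes, offered)
    return sent["best_effort"] * normal / offered["best_effort"]


if __name__ == "__main__":
    link = 1000
    print("all queues backlogged:",
          schedule_interval(link, {c: link for c in ("realtime", *WRR_WEIGHTS)}))
    print("uncongested:", schedule_interval(link, {"realtime": 100, "critical": 100,
                                                    "best_effort": 100, "scavenger": 300}))
    print("real-time idle:",
          schedule_interval(link, {"critical": link, "best_effort": link, "scavenger": link}))
    print("normal host, worm remarked to Scavenger:", round(normal_host_share(True), 1))
    print("normal host, worm left in best effort:  ", round(normal_host_share(False), 1))
```

With every queue backlogged the split is exactly 33/37/25/5. When the link is not congested the scavenger queue gets everything it offers, so remarking a host to CS1 costs nothing until the link fills; when it does, the remarked worm host is held to 5% while the well-behaved host keeps its full 25% share, instead of the two sharing one best-effort queue and the legitimate host getting under 50 bytes of its 1000.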
Slide 71: Topics (agenda repeated; next section: Configuring QoS on Catalyst 6500)
Slide 72: Configuring QoS on CAT 6500
• QoS features are rapidly emerging
• Hardware and software have not caught up to the theoretical design
• The availability of QoS features is highly dependent on:
  – Hybrid (CatOS) vs. Native (IOS)
  – Supervisor and daughter cards (PFC1, PFC2, PFC3)
  – Line cards (queue configuration and ASIC type)
  – FlexWAN or OSM cards
  – Software version
• Read the release notes on hardware and software carefully!!! Otherwise you may be in for a nasty surprise.
Slide 73: Catalyst 6500 QoS Model
[Figure: packet path through the switch. QoS actions at the ingress port ASIC: receive interface, input queue, schedule. QoS actions at the PFC/DFC: classify, ingress police, egress police, mark. QoS actions at the egress port ASIC: output queue, congestion avoidance, schedule, transmit interface.]
Slide 74: Input Queues vs. Output Queues
• Typical example:
  – Traffic from the core over a Gigabit uplink
  – Destination is a user port (10 Mb)
• Q: Which queue buffers packets?
• A: The output queue
• So why have input queues?
[Figure: 1000 Mb ingress, 10 Mb egress.]
Slide 75: Why Input Queues
• The switching fabric is 256 Gbps
• But older linecards have an 8 Gbps (full duplex) connection to the fabric
• So a WS-X6516 (16-port GBIC linecard) can, in theory, drop packets if all ports are running at line rate
• Input queuing and scheduling control the flow from the input queue to the switching fabric/bus
• So we have to guarantee that we drop low-priority traffic first
• In practice, it is very hard to fill input queues
Slide 76: Input Queue Scheduling
• Input scheduling is only performed if the port is configured to trust CoS
• Scheduling is based on input CoS
• Input must be a VLAN trunk (or auxiliary VLAN)
• Implements tail-drop thresholds
  – Thresholds at which packets with different CoS values are dropped
• Queue structure example: 1p1q4t
  – One strict-priority queue, one standard queue with four tail-drop thresholds
FAQ: What Are The Buffer Sizes and Queue Structures for the Different Modules? http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/prodlit/buffe_wp.pdf
Slide 77: Why Not Input Scheduling?
• Input scheduling is only performed if the port is configured to trust CoS
• If the port trusts CoS, then it ignores the DSCP value
  – The new DSCP value is set according to the CoS-to-DSCP map table
• Since CoS has only 8 values, your DSCP values may change
  – AF41, AF42 and AF43 all arrive with CoS 4, so all three are rewritten to AF41, assuming you have a consistent mapping table (CoS 4 → DSCP 34); with the default CoS-to-DSCP map (CoS 4 → DSCP 32) they all become CS4 instead. Either way the per-class drop precedence is lost.
• Requires that the input is a VLAN trunk (or use an auxiliary VLAN) in order to carry 802.1p information
Slide 78: Classification
• Selects traffic for further QoS processing
  – Marking
  – Policing
• Based on
  – Port trust
  – QoS ACLs
Slide 79: QoS ACLs
• Used to classify traffic based on Layer 3 and Layer 4 information
• Hardware support for standard and extended IPv4 and MAC QoS ACLs
• Use the QoS TCAM and other ACL resources to classify traffic for marking and policing
• Dedicated QoS TCAM
  – 32K entries / 4K masks
• Share other resources (LOUs and labels) with security ACLs, so a large QoS ACL set consumes resources that security ACLs on the same PFC also need
Slide 80: Marking
• Untrusted port: set a default QoS value
• Trusted port: use the marking (CoS, precedence, DSCP) provided by the upstream device
• QoS ACLs: set QoS values based on a standard or extended ACL match
Slide 81: Campus QoS Considerations: Establishing Trust Boundaries
[Figure: endpoints, access, distribution, core and WAN aggregators left to right, with three candidate trust boundaries. Optimal trust boundary with a trusted endpoint: at the endpoint itself. Optimal trust boundary with an untrusted endpoint: at the access switch port. Sub-optimal trust boundary: further into the network, at the distribution layer, where marking can no longer be tied to the source.]
Slide 82: Catalyst 6500 Trust Modes
• A port can be set to trust
  – The CoS value of the incoming frame
  – The DSCP value of the incoming packet
  – The IP Precedence of the incoming packet
• If the port is trusted, the value is preserved (sort of)
• A port can be set to untrusted
  – The CoS value is rewritten to the default value (0)
• A port can be set to conditional trust
  – Trust only if the endpoint is a Cisco phone
  – Uses CDP to determine this
Slide 83: Should You Trust?
• The trust model was based on the IP telephony application
• Trusting CoS doesn't fit the QoS baseline
• The goal was to prevent a user from generating unauthorized high-priority traffic
  – But CDP can be spoofed: CDP is unauthenticated, so any host that sends a CDP advertisement claiming to be a Cisco phone is granted conditional trust and can mark its own traffic CoS 5 / EF
• With a Cisco phone, data from the PC port is always rewritten to CoS 0 by default
  – Can be configured to trust the data port
Slide 84: Practical Trust Model
• Access layer
  – All ports UNTRUSTED
  – Use ACLs for classification and policing
  – Limit (police) high-priority traffic to expected values
    • e.g. 128K for voice
    • 460K for video conferencing
    • Other as needed
  – Drop or mark down violating traffic
• Distribution/Core
  – Trust DSCP as a general rule
  – Trust CoS if you need input scheduling
    • Be careful with rewriting DSCP values
Slide 85: QoS Marking within the 6500
• When CoS is trusted, the Catalyst uses a table to map the CoS value into a DSCP value
• When the packet leaves the switch, another table is used to map DSCP back to CoS
• The DSCP value is retained in the sent packet
• ONLY CoS is used in scheduling and WRED for Ethernet linecards
[Figure: received CoS value → CoS-to-DSCP map → internal DSCP value → DSCP-to-CoS map → transmitted CoS value.]
Slide 86: DSCP to CoS
• The switch uses the DSCP-to-CoS map table to derive a CoS value from the DSCP value
• The CoS value is used in output queue scheduling
• Also written to the frame if the interface is a trunk
Default DSCP-to-CoS map:
• DSCP 0–7 → CoS 0
• DSCP 8–15 → CoS 1
• DSCP 16–23 → CoS 2
• DSCP 24–31 → CoS 3
• DSCP 32–39 → CoS 4
• DSCP 40–47 → CoS 5
• DSCP 48–55 → CoS 6
• DSCP 56–63 → CoS 7
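A model of the marking path on slides 82, 85 and 86 and of the AF4x collapse described on slide 77, as an added example that is not the switch's code. The DSCP-to-CoS map is the slide 86 default (DSCP >> 3) and the CoS-to-DSCP map is the standard Catalyst default (CoS × 8, so CoS 4 → 32); the "consistent" map with CoS 4 → 34 is an assumption standing in for the consistent mapping table slide 77 refers to.

```python
"""What the Catalyst 6500 writes as the internal DSCP under each trust state
(slides 77, 82, 85, 86).  Added example, a model rather than switch code.
The DSCP-to-CoS map is the slide 86 default (DSCP >> 3); the CoS-to-DSCP map is
the standard default (CoS x 8).  The 'consistent' map with CoS 4 -> 34 is an
assumption to show what slide 77 calls a consistent mapping table.
"""

DEFAULT_COS_TO_DSCP = {cos: cos * 8 for cos in range(8)}   # 0, 8, 16, ..., 56
AF4X = (34, 36, 38)                                        # AF41, AF42, AF43


def dscp_to_cos(dscp):
    """Slide 86 default map: DSCP 0-7 -> CoS 0, 8-15 -> 1, ..., 56-63 -> 7."""
    return dscp >> 3


def internal_dscp(trust, packet_dscp, frame_cos=None, port_cos=0,
                  cos_to_dscp=DEFAULT_COS_TO_DSCP):
    """Internal DSCP chosen at ingress.

    trust is 'dscp', 'cos' or 'untrusted'.  frame_cos=None means the frame had
    no 802.1Q/p tag (access port, not a trunk or auxiliary VLAN), so a CoS-trusting
    port falls back to the port's default CoS; an untrusted port always does.
    """
    if trust == "dscp":
        return packet_dscp
    if trust == "cos":
        return cos_to_dscp[port_cos if frame_cos is None else frame_cos]
    if trust == "untrusted":
        return cos_to_dscp[port_cos]
    raise ValueError(f"unknown trust state {trust!r}")


def forward(trust, packet_dscp, frame_cos=None, port_cos=0,
            cos_to_dscp=DEFAULT_COS_TO_DSCP):
    """(DSCP written into the transmitted packet, CoS used for egress queuing/trunk tag)."""
    dscp = internal_dscp(trust, packet_dscp, frame_cos, port_cos, cos_to_dscp)
    return dscp, dscp_to_cos(dscp)


def af4x_after_trust(trust, cos_to_dscp=DEFAULT_COS_TO_DSCP):
    """Set of internal DSCPs that AF41/AF42/AF43 (all CoS 4 on the wire) become."""
    return {forward(trust, d, frame_cos=4, cos_to_dscp=cos_to_dscp)[0] for d in AF4X}


if __name__ == "__main__":
    consistent = {**DEFAULT_COS_TO_DSCP, 4: 34}
    print("trust dscp      :", af4x_after_trust("dscp"))              # {34, 36, 38}
    print("trust cos       :", af4x_after_trust("cos"))               # {32}: all become CS4
    print("trust cos, 4->34:", af4x_after_trust("cos", consistent))   # {34}: all AF41
    print("untrusted port, user-marked EF:", forward("untrusted", 46, frame_cos=5))
    print("trust cos, untagged EF frame  :", forward("cos", 46, frame_cos=None))
```

The last two lines are the security side of the trust decision: on an untrusted access port a user who marks their own packets EF/CoS 5 ends up at DSCP 0 and in the default queue, and on a CoS-trusting port an untagged frame carries no CoS at all, so its DSCP is replaced by the port default regardless of what the packet said.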
Slide 87: Policing
• Defines a policy for traffic on a port or VLAN, based on the rate at which traffic is received
• Based on a classic token bucket scheme
  – Tokens (1 byte each) are added to the bucket at a fixed rate (up to a maximum)
  – Packets with adequate tokens are "in profile": the packet is transmitted and the tokens are removed from the bucket
  – Packets without adequate tokens are dropped or marked down
• Note! PFC2 uses the Layer 3 packet size; PFC3 uses the Layer 2 frame size
Slide 88: Policing Details
• Aggregate policers: a bandwidth limit applied cumulatively to all flows that match the ACL
  – Example: all FTP flows limited in aggregate to the configured rate
• Microflow policers: a bandwidth limit applied separately to each individual flow that matches the ACL
  – Leverages the NetFlow table
• Sup 2 supports "full flow" microflow policing only
  – Full flow means source/destination address/port (layer 4)
  – Ex: multiple FTP sessions from one host are policed separately
  – Think "BitTorrent"
• Sup 720 and Sup 32 allow a "source only" or "destination only" mask
  – Source only means only the source address defines the flow
  – Multiple FTP flows from one source are policed together
Slide 89: Reclassification/Remarking
• A policing action may reclassify and remark certain traffic
  – For example, transmit with a marked-down DSCP
  – Catalyst switches use a "markdown" table to determine the new DSCP value
CAT6500-PFC2-CATOS> (enable) set qos policed-dscp-map 0,24,46:8
CAT6500-IOS(config)# mls qos map policed-dscp 0 24 46 to 8
Slide 90: Policing Design Principles: Where and How Should Policing Be Done?
• Police traffic flows as close to their sources as possible
• Perform markdown according to standards-based rules, whenever supported
  – RFC 2597 specifies how Assured Forwarding traffic classes should be marked down (AF11 → AF12 → AF13), which should be done whenever DSCP-based WRED is supported on egress queues
  – Cisco Catalyst platforms currently do not support DSCP-based WRED, so Scavenger-class remarking is a viable alternative
  – Additionally, non-AF classes do not have a standards-based markdown scheme, so Scavenger-class remarking is a viable option
Slide 91: Cisco Catalyst 6500 QoS Design: Globally Enabling QoS in Cisco Catalyst OS and Cisco IOS
Catalyst OS:
CAT6500-PFC2-CATOS> (enable) set qos enable
QoS is enabled.
CAT6500-PFC2-CATOS> (enable) show qos status
QoS is enabled on this switch.
CAT6500-PFC2-CATOS> (enable)
Cisco IOS:
CAT6500-PFC2-IOS(config)# mls qos
CAT6500-PFC2-IOS(config)# end
CAT6500-PFC2-IOS# show mls qos
QoS is enabled globally
Microflow policing is enabled globally
Vlan or Portchannel(Multi-Earl) policies supported: Yes
----- Module [2] -----
QoS global counters:
Total packets: 65
IP shortcut packets: 0
Packets dropped by policing: 0
IP packets with TOS changed by policing: 0
IP packets with COS changed by policing: 0
Non-IP packets with COS changed by policing: 0
CAT6500-PFC2-IOS#
92 Copyright 2005
Policing Example (Part 1)
CAT6500-IOS(config)# class-map match-all VOICE_TRAFFIC
CAT6500-IOS(config-cmap)# match access-group name VOICE_TRAFFIC
CAT6500-IOS(config-cmap)#
CAT6500-IOS(config-cmap)# class-map match-all CALL_SIGNALING
CAT6500-IOS(config-cmap)# match access-group name CALL_SIGNALING
CAT6500-IOS(config-cmap)#
CAT6500-IOS(config-cmap)# class-map match-all VIDEO_TRAFFIC
CAT6500-IOS(config-cmap)# match access-group name VIDEO_TRAFFIC
CAT6500-IOS(config-cmap)#
CAT6500-IOS(config-cmap)# class-map match-all CRITICAL_DATA
CAT6500-IOS(config-cmap)# match access-group name CRITICAL_DATA
CAT6500-IOS(config-cmap)#
CAT6500-IOS(config-cmap)# class-map match-all BULK_DATA
CAT6500-IOS(config-cmap)# match access-group name BULK_DATA
CAT6500-IOS(config-cmap)# exit
CAT6500-IOS(config)#
93 Copyright 2005
Policing Example (part 2)
CAT6500-IOS(config)# policy-map ACCESS_LAYER
CAT6500-IOS(config-pmap)# class VOICE_TRAFFIC
CAT6500-IOS(config-pmap-c)# set ip dscp 46
CAT6500-IOS(config-pmap-c)# police 128000 8000 exceed-action drop
CAT6500-IOS(config-pmap-c)#
CAT6500-IOS(config-pmap-c)# class CALL_SIGNALING
CAT6500-IOS(config-pmap-c)# set ip dscp 24
CAT6500-IOS(config-pmap-c)# police 32000 8000 exceed-action policed-dscp-transmit
CAT6500-IOS(config-pmap-c)#
CAT6500-IOS(config-pmap-c)# class VIDEO_TRAFFIC
CAT6500-IOS(config-pmap-c)# set ip dscp 34
CAT6500-IOS(config-pmap-c)# police 496000 8000 exceed-action policed-dscp-transmit
CAT6500-IOS(config-pmap-c)#
CAT6500-IOS(config-pmap-c)# class CRITICAL_DATA
CAT6500-IOS(config-pmap-c)# set ip dscp 25
CAT6500-IOS(config-pmap-c)# police 5000000 8000 exceed-action policed-dscp-transmit
CAT6500-IOS(config-pmap-c)#
CAT6500-IOS(config-pmap-c)# class BULK_DATA
CAT6500-IOS(config-pmap-c)# set ip dscp 10
CAT6500-IOS(config-pmap-c)# police 5000000 8000 exceed-action policed-dscp-transmit
CAT6500-IOS(config-pmap-c)#
CAT6500-IOS(config-pmap-c)# class class-default
CAT6500-IOS(config-pmap-c)# police 5000000 8000 exceed-action policed-dscp-transmit
CAT6500-IOS(config-pmap-c)# exit
CAT6500-IOS(config)#
! Voice exceeding 128 kb/s is dropped outright (a VoIP stream that exceeds its
! profile is not a phone); every other class is marked down via the
! policed-dscp map rather than dropped.
94 Copyright 2005
Policing Example (part 3)
CAT6500-IOS(config)# mls qos map policed-dscp 0 10 18 24 25 34 to 8
CAT6500-IOS(config)# interface gigabitEthernet 1/1
CAT6500-IOS(config-if)# switchport access vlan 10
CAT6500-IOS(config-if)# switchport voice vlan 110
CAT6500-IOS(config-if)# service-policy input ACCESS_LAYER
CAT6500-IOS(config-if)# exit
CAT6500-IOS(config)# ip access-list extended VOICE_TRAFFIC
CAT6500-IOS(config-ext-nacl)# permit udp 172.25.0.0 0.0.255.255 any range 16384 32767
CAT6500-IOS(config-ext-nacl)# ip access-list extended CALL_SIGNALING
CAT6500-IOS(config-ext-nacl)# permit tcp 172.25.0.0 0.0.255.255 any eq h323-ras
CAT6500-IOS(config-ext-nacl)# ip access-list extended VIDEO_TRAFFIC
CAT6500-IOS(config-ext-nacl)# permit udp any any range 16384 32767
CAT6500-IOS(config-ext-nacl)# ip access-list extended CRITICAL_DATA
CAT6500-IOS(config-ext-nacl)# permit tcp any any eq sqlnet
CAT6500-IOS(config-ext-nacl)# ip access-list extended BULK_DATA
CAT6500-IOS(config-ext-nacl)# permit tcp any any eq ftp-data
CAT6500-IOS(config-ext-nacl)# end
! Check: each ACL name must match the class-map's "match access-group name"
! exactly. A misspelled ACL leaves that class with nothing to match, and the
! traffic silently falls into class-default with no marking.
! Check: classes are evaluated top-down, first match wins, so VOICE_TRAFFIC
! (172.25.0.0/16 sources) takes precedence over the broader VIDEO_TRAFFIC
! ACL that covers the same UDP port range from any source.
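The policing behaviour the three parts above describe (classify by first-match ACL, set DSCP, police at rate/burst, then drop or mark down through the policed-dscp map), run as a simulation. This is an added example written for this page, not code from the presentation or from Cisco. It assumes integer-microsecond timestamps, models `h323-ras` as TCP/1719 and `sqlnet` as TCP/1521, and the packet streams in the `*_demo()` functions are constructed input, not captured traffic:

```python
"""Token-bucket policer with Catalyst-style policed-dscp markdown.

Added example for this page; not code from the presentation or from Cisco.
Assumptions not on the slide: integer-microsecond time, 'h323-ras' as TCP/1719,
'sqlnet' as TCP/1521, and constructed packet streams in the demo functions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# mls qos map policed-dscp 0 10 18 24 25 34 to 8   (exceed -> CS1, Scavenger)
POLICED_DSCP = {d: 8 for d in (0, 10, 18, 24, 25, 34)}


@dataclass
class Pkt:
    t_us: int          # arrival time in microseconds (assumption)
    proto: str
    src: str
    dst: str
    dport: int
    size: int          # bytes
    dscp: int = 0      # untrusted port: DSCP starts at 0


class TokenBucket:
    """Single-rate policer, i.e. 'police <bps> <burst-bytes>' on the PFC."""

    def __init__(self, rate_bps: int, burst_bytes: int):
        self.rate = rate_bps // 8      # bytes per second
        self.burst = burst_bytes
        self.tokens = burst_bytes      # bucket starts full
        self.last_us = 0

    def conforms(self, now_us: int, size: int) -> bool:
        refill = (now_us - self.last_us) * self.rate // 1_000_000
        self.tokens = min(self.burst, self.tokens + refill)
        self.last_us = now_us
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False                   # exceed: no tokens consumed


def acl(proto, src, dst, lo, hi):
    """One 'permit <proto> <src> <dst> range lo hi' entry as a predicate."""
    src_n, dst_n = ip_network(src), ip_network(dst)
    return lambda p: (p.proto == proto and ip_address(p.src) in src_n
                      and ip_address(p.dst) in dst_n and lo <= p.dport <= hi)


# Evaluated top-down, first match wins: VOICE_TRAFFIC (172.25/16 sources)
# beats the broader VIDEO_TRAFFIC ACL that covers the same UDP port range.
POLICY = [  # (class, match, set-dscp, rate bps, burst bytes, exceed-action)
    ("VOICE_TRAFFIC",  acl("udp", "172.25.0.0/16", "0.0.0.0/0", 16384, 32767), 46, 128_000, 8000, "drop"),
    ("CALL_SIGNALING", acl("tcp", "172.25.0.0/16", "0.0.0.0/0", 1719, 1719),   24, 32_000, 8000, "policed-dscp-transmit"),
    ("VIDEO_TRAFFIC",  acl("udp", "0.0.0.0/0", "0.0.0.0/0", 16384, 32767),     34, 496_000, 8000, "policed-dscp-transmit"),
    ("CRITICAL_DATA",  acl("tcp", "0.0.0.0/0", "0.0.0.0/0", 1521, 1521),       25, 5_000_000, 8000, "policed-dscp-transmit"),
    ("BULK_DATA",      acl("tcp", "0.0.0.0/0", "0.0.0.0/0", 20, 20),           10, 5_000_000, 8000, "policed-dscp-transmit"),
    ("class-default",  lambda p: True,                                      None, 5_000_000, 8000, "policed-dscp-transmit"),
]


class ServicePolicy:
    """'service-policy input ACCESS_LAYER': one aggregate policer per class."""

    def __init__(self, policy=POLICY):
        self.policy = policy
        self.policers = {c[0]: TokenBucket(c[3], c[4]) for c in policy}
        self.stats = {c[0]: {"conform": 0, "markdown": 0, "drop": 0} for c in policy}

    def process(self, p: Pkt):
        """Return the DSCP the packet leaves with, or None if it was dropped."""
        for name, match, dscp, _, _, exceed in self.policy:
            if not match(p):
                continue
            if dscp is not None:
                p.dscp = dscp                       # 'set ip dscp' precedes policing
            if self.policers[name].conforms(p.t_us, p.size):
                self.stats[name]["conform"] += 1
                return p.dscp
            if exceed == "drop":
                self.stats[name]["drop"] += 1
                return None
            self.stats[name]["markdown"] += 1
            return POLICED_DSCP.get(p.dscp, p.dscp)  # policed-dscp-transmit
        raise RuntimeError("class-default must match")


def voice_demo(calls: int, seconds: int = 5):
    """Constructed G.711-like calls: one 200-byte UDP packet per 20 ms each."""
    sp = ServicePolicy()
    for k in range(seconds * 50):
        for c in range(calls):
            sp.process(Pkt(k * 20_000, "udp", f"172.25.1.{10 + c}", "10.1.1.1", 20000, 200))
    return sp.stats["VOICE_TRAFFIC"]


def bulk_demo(packets: int = 100):
    """Constructed ftp-data burst at ~10 Mb/s: 1500-byte packets every 1.2 ms."""
    sp = ServicePolicy()
    out = [sp.process(Pkt(n * 1_200, "tcp", "172.25.1.20", "10.1.1.2", 20, 1500))
           for n in range(packets)]
    return sp.stats["BULK_DATA"], out


if __name__ == "__main__":
    print("one call  :", voice_demo(1))     # fits in 128 kb/s: nothing dropped
    print("two calls :", voice_demo(2))     # 160 kb/s offered: the excess is dropped
    stats, dscps = bulk_demo()
    print("ftp-data  :", stats, "DSCP 10 x", dscps.count(10), "CS1 x", dscps.count(8))
```

Two calls from one port offer 160 kb/s against a 128 kb/s voice policer, so roughly a fifth of the packets are dropped once the 8000-byte burst is spent; the FTP transfer at twice its 5 Mb/s profile is never dropped, but about half of it leaves as CS1 and lands in the Scavenger queue downstream, which is the DoS-mitigation point the design principles slide makes.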
95 Copyright 2005
Monitoring Service Policies (Marking and Policing)
6506#show policy-map interface vlan 100
Service-policy input: VLAN-100
class-map: NET-44-TCP (match-all)
Match: access-group name POL-44-TCP
police :
100000000 bps 100000 limit 100000 extended limit
Earl in slot 6 :
2940073472 bytes
5 minute offered rate 358172704 bps
aggregate-forwarded 608631808 bytes action: transmit
exceeded 2331441664 bytes action: drop
aggregate-forward 100352000 bps exceed 384495616 bps
class-map: NET-55 (match-all)
Match: access-group name MARK-55
set precedence 5:
Earl in slot 6 :
2940069888 bytes
5 minute offered rate 358172616 bps
aggregate-forwarded 2940069888 bytes
6506#
• Cisco IOS: show policy-map interface (shows aggregate policer statistics only; use the NetFlow table to monitor UBRL microflow policers)
• Catalyst OS: show qos statistics {aggregate-policer | l3stats}
• In the output above, NET-44-TCP is the policed class (police action with conform and exceed counters) and NET-55 is the marked class (set precedence 5)
96 Copyright 2005
Queuing Design PrinciplesWhere and How Should Queuing Be Done?
• The only way to provide service GUARANTEES is to enable queuing at any node that has the potential for congestion– Regardless of how rarely—in fact—this may occur
• At least 25 percent of a link’s bandwidth should be reserved for the default Best Effort class
• Limit the amount of strict-priority queuing to 33 percent of a link’s capacity
• Whenever a Scavenger queuing class is enabled, it should be assigned a minimal amount of bandwidth
• To ensure consistent PHBs, configure consistent queuing policies in the Campus + WAN + VPN, according to platform capabilities
• Enable WRED on all TCP flows, whenever supported– Preferably DSCP-based WRED
97 Copyright 2005
Congestion Avoidance
Weighted Random Early Detection (WRED):
• Congestion AVOIDANCE mechanism
• Weighted because some classes of traffic are more important or sensitive than others
• Random in that the packets to discard are randomly chosen within a class
– Which classes are more subject to discards is configurable
• Prevents global TCP window synchronization and other disruptions
98 Copyright 2005
WRED Thresholds
• Each queue has multiple WRED thresholds
• Low threshold is the point at which random discards will begin for a particular class
• High threshold is the point at which tail-drop for the particular class begins
• As buffers fill…
– Rate of discards increases for traffic associated with lower thresholds
– Higher thresholds are reached, and new traffic classes are subject to random discards
99 Copyright 2005
Output Queue Scheduling
• Scheduling is based on CoS
– Even if you are trusting DSCP
– CoS is derived from the DSCP value
• Implements tail-drop or WRED thresholds
• PFC3 supports per-user microflow policing and control plane policing (Sup720 and Sup32)
• Linecards determine the queuing structure
– 2Q2T
– 1P2Q1T, 1P2Q2T
– 1P3Q1T, 1P3Q8T
– 1P1Q8T
100 Copyright 2005
Understanding Queuing Nomenclature
2Q2T
Two standard priority queues
Each standard queue has two configurable TAIL-DROP thresholds
101 Copyright 2005
Understanding Queuing Nomenclature
1P2Q2T
One strict priority queue
Two standard priority queues
Each standard queue has two configurable WRED thresholds (and one non-configurable at 100%)
102 Copyright 2005
Cisco Catalyst 6500 QoS DesignQueuing Structures by Linecard
Classic/CEF256 Ethernet Modules

Part Number         Rx Queuing  Tx Queuing  Buffer Size        Description
WS-X6348-RJ45V      1Q4T        2Q2T        128 KB per port    Catalyst 6500 48-Port 10/100 Inline Power RJ-45 Module
WS-X6348-RJ-45      1Q4T        2Q2T        128 KB per port    Catalyst 6500 48-Port 10/100 RJ-45 Module (Upgradable to Voice)
WS-X6348-RJ21V      1Q4T        2Q2T        128 KB per port    Catalyst 6000 48-Port 10/100 Inline Power RJ-21 Module
WS-X6348-RJ-21      1Q4T        2Q2T        128 KB per port    Catalyst 6000 48-Port 10/100 RJ-21 Module
WS-X6324-100FX-SM   1Q4T        2Q2T        128 KB per port    Catalyst 6000 24-Port 100FX MT-RJ SMF Module (with Enhanced QoS)
WS-X6324-100FX-MM   1Q4T        2Q2T        128 KB per port    Catalyst 6000 24-Port 100FX MT-RJ MMF Module (with Enhanced QoS)
WS-X6316-GE-TX      1P1Q4T      1P2Q2T      512 KB per port    Catalyst 6000 16-Port 1000TX GigabitEthernet RJ-45 Module
WS-X6148V-GE-TX     1Q2T        1P2Q2T      1 MB per 8 ports   Catalyst 6500 48-Port 10/100/1000 Inline Power RJ-45 Module
WS-X6148-GE-TX      1Q2T        1P2Q2T      1 MB per 8 ports   Catalyst 6500 48-Port 10/100/1000 RJ-45 Module
WS-X6148-RJ45V      1Q4T        2Q2T        128 KB per port    Catalyst 6500 48-Port 10/100 Inline Power RJ-45 Module
WS-X6148-RJ45       1Q4T        2Q2T        128 KB per port    Catalyst 6500 48-Port 10/100 RJ-45 Module (Upgradable to Voice)
WS-X6148-RJ21V      1Q4T        2Q2T        128 KB per port    Catalyst 6500 48-Port 10/100 Inline Power RJ-21 Module
WS-X6148-RJ21       1Q4T        2Q2T        128 KB per port    Catalyst 6500 48-Port 10/100 RJ-21 Module (Upgradable to Voice)
WS-X6024-10FL-MT    1Q4T        2Q2T        64 KB per port     Catalyst 6000 24-Port 10BaseFL MT-RJ Module
103 Copyright 2005
Cisco Catalyst 6500 QoS DesignQueuing Structures by Linecard
Classic/CEF256 Ethernet Modules (continued)

Part Number         Rx Queuing  Tx Queuing  Buffer Size        Description
WS-X6816-GBIC       1P1Q4T      1P2Q2T      512 KB per port    Catalyst 6500 16-Port GigabitEthernet Module (Fabric-Enabled; Requires GBICs)
WS-X6548-GE-TX      1Q2T        1P2Q2T      1 MB per 8 ports   Catalyst 6500 48-Port 10/100/1000 RJ-45 Module (Fabric-Enabled)
WS-X6548V-GE-TX     1Q2T        1P2Q2T      1 MB per 8 ports   Catalyst 6500 48-Port 10/100/1000 Inline Power RJ-45 Module (Fabric-Enabled)
WS-X6548-RJ-45      1P1Q0T      1P3Q1T      1 MB per port      Catalyst 6500 48-Port 10/100 RJ-45 Module (Crossbar-Enabled)
WS-X6548-RJ-21      1P1Q0T      1P3Q1T      1 MB per port      Catalyst 6500 48-Port 10/100 RJ-21 Module (Fabric-Enabled)
WS-X6524-100FX-MM   1P1Q0T      1P3Q1T      1 MB per port      Catalyst 6500 24-Port 100FX MT-RJ Module (Fabric-Enabled)
WS-X6516-GE-TX      1P1Q4T      1P2Q2T      512 KB per port    Catalyst 6500 16-Port GigabitEthernet Copper Module (Crossbar-Enabled)
WS-X6516-GBIC       1P1Q4T      1P2Q2T      512 KB per port    Catalyst 6500 16-Port GigabitEthernet Module (Fabric-Enabled; Requires GBICs)
WS-X6516A-GBIC      1P1Q4T      1P2Q2T      1 MB per port      Catalyst 6500 16-Port GigabitEthernet Module (Fabric-Enabled; Requires GBICs)
WS-X6502-10GE       1P1Q8T      1P2Q1T      64 MB per port     Catalyst 6500 10 GigabitEthernet Base Module (Requires OIM)
WS-X6501-10GEX4     1P1Q8T      1P2Q1T      64 MB per port     10 GigabitEthernet Module
WS-X6416-GE-MT      1P1Q4T      1P2Q2T      512 KB per port    Catalyst 6000 16-Port GigabitEthernet MT-RJ Module
WS-X6416-GBIC       1P1Q4T      1P2Q2T      512 KB per port    Catalyst 6000 16-Port GigabitEthernet Module (Requires GBICs)
WS-X6408A-GBIC      1P1Q4T      1P2Q2T      512 KB per port    Catalyst 6000 8-Port GigabitEthernet Module (with Enhanced QoS; Requires GBICs)
104 Copyright 2005
Cisco Catalyst 6500 QoS DesignQueuing Structures by Linecard
CEF720 Modules

Part Number         Rx Queuing                 Tx Queuing  Buffer Size      Description
WS-X6748-SFP        1Q8T (2Q8T with DFC3a)     1P3Q8T      1 MB per port    Catalyst 6500 48-Port GigabitEthernet SFP Module
WS-X6748-GE-TX      1Q8T (2Q8T with DFC3a)     1P3Q8T      1 MB per port    Catalyst 6500 48-Port 10/100/1000 RJ-45 Module
WS-X6724-SFP        1Q8T (2Q8T with DFC3a)     1P3Q8T      1 MB per port    Catalyst 6500 24-Port GigabitEthernet SFP Module
WS-X6704-10GE       1Q8T (8Q8T with DFC3a)     1P7Q8T      16 MB per port   Catalyst 6500 4-Port 10 GigabitEthernet Module
105 Copyright 2005
Output Queue Scheduling Operation
[Figure: 1p3q8t egress port scheduling. Packets arrive from the switch fabric into one strict priority queue and three normal queues (low, medium, high). The strict priority queue is serviced first whenever traffic is present; (D)WRR is used to schedule between the normal queues. Weights, expressed as a ratio (100:150:200 for low:medium:high in the figure), determine how much traffic is transmitted from each queue to the egress port.]
106 Copyright 2005
WRR and DWRR Scheduling
• Weighted Round Robin (WRR)
– Uses a ratio to determine the number of packets to transmit from one queue before moving to the next queue
– Higher weight = more packets transmitted from that queue
– Unfair with variable-length packets in different queues
• Deficit WRR (DWRR)
– Also uses a ratio, but tracks bytes in each queue using a deficit counter
– Packet(s) transmitted during queue servicing only if the size of the next packet to transmit is <= the deficit counter
– Deficit counter "refreshed" at the beginning of each queue servicing period
– Results in fair scheduling over time
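The unfairness described above, made concrete. This is an added example written for this page, not code from the presentation or Cisco's scheduler: two standard queues are served with weights 30:70 (the Q1:Q2 ratio the 2Q2T and 1P2Q2T designs on this page use), Q1 backlogged with 1500-byte packets and Q2 with 64-byte packets. The backlog is constructed input chosen to expose the variable-length-packet problem, and the DWRR quantum of 100 bytes per unit of weight is an assumption:

```python
"""WRR versus Deficit WRR (DWRR) egress scheduling.

Added example for this page, not code from the presentation or Cisco's
scheduler. Queue contents are constructed; the DWRR quantum is an assumption.
"""
from collections import deque


def build_queues():
    """Constructed backlog: Q1 = 1000 x 1500-byte packets, Q2 = 5000 x 64-byte."""
    return [deque([1500] * 1000), deque([64] * 5000)]


def wrr(queues, weights, rounds):
    """Packet-count WRR: send up to weights[i] packets from queue i per round."""
    sent = [0] * len(queues)                 # bytes transmitted per queue
    for _ in range(rounds):
        for i, q in enumerate(queues):
            for _ in range(weights[i]):
                if not q:
                    break
                sent[i] += q.popleft()
    return sent


def dwrr(queues, weights, rounds, quantum=100):
    """Deficit WRR: each servicing period credits weights[i]*quantum bytes to
    queue i's deficit counter; a packet is sent only if it fits, and unused
    credit carries over while the queue stays backlogged."""
    sent = [0] * len(queues)
    deficit = [0] * len(queues)
    for _ in range(rounds):
        for i, q in enumerate(queues):
            deficit[i] += weights[i] * quantum
            while q and q[0] <= deficit[i]:
                deficit[i] -= q[0]
                sent[i] += q.popleft()
            if not q:
                deficit[i] = 0               # an idle queue banks no credit
    return sent


def share(sent):
    """Fraction of transmitted bytes that came from each queue."""
    total = sum(sent)
    return [round(b / total, 3) for b in sent]


if __name__ == "__main__":
    w = wrr(build_queues(), [30, 70], rounds=10)
    d = dwrr(build_queues(), [30, 70], rounds=10)
    print("WRR  bytes", w, "share", share(w))    # Q1 gets ~91% despite weight 30
    print("DWRR bytes", d, "share", share(d))    # ~30:70 as configured
```

With packet-count WRR the queue holding full-size frames takes about 91% of the link even though it was weighted at 30%, which is exactly how a bulk or scavenger queue full of 1500-byte packets can starve a queue of small voice or signaling packets; DWRR's byte-based deficit counter brings the split back to the configured 30:70.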
107 Copyright 2005
Monitoring Ingress and Egress Queuing
• Cisco IOS: show queueing interface
• Catalyst OS: show qos statistics <mod/port>

6506# show queueing interface gig 1/2 | begin Packets dropped
Packets dropped on Transmit:
BPDU packets: 0
queue thresh dropped [cos-map]
---------------------------------------------------
1 1 5994368 [0 1 ]
1 2 8 [2 3 ]
2 1 3444 [4 6 ]
2 2 0* [7 ]
3 1 0* [5 ]
* - shared transmit counter

Drops at the lower thresholds of the standard queues (here queue 1, threshold 1, holding CoS 0 and 1) are the expected result of congestion; drops counted against the priority queue (queue 3, CoS 5) mean the PQ itself is oversubscribed and the policers feeding it need attention.
108 Copyright 2005
Cisco Catalyst 6500 QoS Design: Queuing Design (2Q2T)

Application             DSCP   CoS   Queue/Threshold
Network Control         --     7     Q2T1
Internetwork Control    CS6    6     Q2T1
Voice                   EF     5     Q2T2
Interactive Video       AF41   4     Q2T1
Streaming Video         CS4    4     Q2T1
Mission-Critical Data   AF31   3     Q2T1
Call Signaling          CS3    3     Q2T1
Transactional Data      AF21   2     Q2T1
Network Management      CS2    2     Q2T1
Bulk Data               AF11   1     Q1T1
Scavenger               CS1    1     Q1T1
Best Effort             0      0     Q1T2

Queue 1 (30%): CoS 1 (Scavenger/Bulk) at Q1T1; CoS 0 (Best Effort) at Q1T2
Queue 2 (70%): CoS 2, 3, 4, 6, 7 at Q2T1; CoS 5 (Voice) at Q2T2
109 Copyright 2005
Cisco Catalyst 6500 QoS Design Queuing Design (2Q2T: Cisco IOS)
CAT6500-PFC3-IOS(config)# interface range FastEthernet6/1 - 48
CAT6500-PFC3-IOS(config-if)# wrr-queue queue-limit 30 70
! Sets the buffer allocations to 30% for Q1 and 70% for Q2
CAT6500-PFC3-IOS(config-if)# wrr-queue bandwidth 30 70
! Sets the WRR weights for 30:70 (Q1:Q2) bandwidth servicing
CAT6500-PFC3-IOS(config-if)#
CAT6500-PFC3-IOS(config-if)# wrr-queue threshold 1 40 100
! Sets Q1T1 to 40% to limit Scavenger/Bulk within Q1
CAT6500-PFC3-IOS(config-if)# wrr-queue threshold 2 80 100
! Sets Q2T1 to 80% to always have room in Q2 for VoIP
CAT6500-PFC3-IOS(config-if)#
CAT6500-PFC3-IOS(config-if)# wrr-queue cos-map 1 1 1
! Maps Scavenger/Bulk to Q1T1
CAT6500-PFC3-IOS(config-if)# wrr-queue cos-map 1 2 0
! Maps Best Effort to Q1T2
CAT6500-PFC3-IOS(config-if)# wrr-queue cos-map 2 1 2 3 4 6 7
! Maps CoS 2, 3, 4, 6 and 7 to Q2T1
CAT6500-PFC3-IOS(config-if)# wrr-queue cos-map 2 2 5
! Maps VoIP to Q2T2
CAT6500-PFC3-IOS(config-if)# end
CAT6500-PFC3-IOS#
110 Copyright 2005
Cisco Catalyst 6500 QoS Design: Queuing Design (1P2Q2T)

Application             DSCP   CoS   Queue/Threshold
Network Control         --     7     Q2T2
Internetwork Control    CS6    6     Q2T2
Voice                   EF     5     Q3 (Priority Queue)
Interactive Video       AF41   4     Q2T1
Streaming Video         CS4    4     Q2T1
Mission-Critical Data   AF31   3     Q2T1
Call Signaling          CS3    3     Q2T1
Transactional Data      AF21   2     Q2T1
Network Management      CS2    2     Q2T1
Bulk Data               AF11   1     Q1T1
Scavenger               CS1    1     Q1T1
Best Effort             0      0     Q1T2

Queue 1 (40%): CoS 1 (Scavenger/Bulk) at Q1T1; CoS 0 (Best Effort) at Q1T2
Queue 2 (30%): CoS 2, 3, 4 at Q2T1; CoS 6, 7 (Network/Internetwork Control) at Q2T2
Queue 3 (30%, strict priority): CoS 5 (Voice)
111 Copyright 2005
Cisco Catalyst 6500 QoS Design Queuing Design (1P2Q2T: Cisco Catalyst OS)
CAT6500-PFC2-CATOS> (enable) set qos txq-ratio 1p2q2t 40 30 30
! Allocates buffers: 40% for Q1, 30% for Q2, 30% for Q3 (PQ)
CAT6500-PFC2-CATOS> (enable) set qos wrr 1p2q2t 30 70
! Sets the WRR weights for 30:70 (Q1:Q2) bandwidth servicing
CAT6500-PFC2-CATOS> (enable)
CAT6500-PFC2-CATOS> (enable) set qos wred 1p2q2t tx queue 1 40:80 80:100
! Sets Q1 WRED T1 to 40:80 to limit Scavenger/Bulk within Q1
! Sets Q1 WRED T2 to 80:100 for congestion avoidance for Best Effort
CAT6500-PFC2-CATOS> (enable) set qos wred 1p2q2t tx queue 2 70:80 80:100
! Sets Q2 WRED T1 to 70:80 to provide congestion avoidance
! Sets Q2 WRED T2 to 80:100 to force room for Network Control traffic
CAT6500-PFC2-CATOS> (enable)
CAT6500-PFC2-CATOS> (enable) set qos map 1p2q2t tx 1 1 cos 1
! Maps Scavenger/Bulk to Q1 WRED Threshold 1
CAT6500-PFC2-CATOS> (enable) set qos map 1p2q2t tx 1 2 cos 0
! Maps Best Effort to Q1 WRED Threshold 2
CAT6500-PFC2-CATOS> (enable) set qos map 1p2q2t tx 2 1 cos 2,3,4
! Maps CoS 2, 3, 4 to Q2 WRED Threshold 1
CAT6500-PFC2-CATOS> (enable) set qos map 1p2q2t tx 2 2 cos 6,7
! Maps Network/Internetwork Control to Q2 WRED Threshold 2
CAT6500-PFC2-CATOS> (enable) set qos map 1p2q2t tx 3 1 cos 5
! Maps VoIP to the PQ
CAT6500-PFC2-CATOS> (enable)
112 Copyright 2005
Cisco Catalyst 6500 QoS Design Queuing Design (1P2Q2T: Cisco IOS): Part 1
CAT6500-PFC3-IOS(config)# interface range GigabitEthernet4/1 - 8
CAT6500-PFC3(config-if-range)# wrr-queue queue-limit 40 30
! Sets the buffer allocations to 40% for Q1 and 30% for Q2
! Indirectly sets the PQ (Q3) size to equal Q2 (which is set to 30%)
CAT6500-PFC3(config-if-range)# wrr-queue bandwidth 30 70
! Sets the WRR weights for 30:70 (Q1:Q2) bandwidth servicing
CAT6500-PFC3(config-if-range)#
CAT6500-PFC3(config-if-range)# wrr-queue random-detect min-threshold 1 40 80
! Sets Min WRED Thresholds for Q1T1 and Q1T2 to 40 and 80, respectively
CAT6500-PFC3(config-if-range)# wrr-queue random-detect max-threshold 1 80 100
! Sets Max WRED Thresholds for Q1T1 and Q1T2 to 80 and 100, respectively
CAT6500-PFC3(config-if-range)# wrr-queue random-detect min-threshold 2 70 80
! Sets Min WRED Thresholds for Q2T1 and Q2T2 to 70 and 80, respectively
CAT6500-PFC3(config-if-range)# wrr-queue random-detect max-threshold 2 80 100
! Sets Max WRED Thresholds for Q2T1 and Q2T2 to 80 and 100, respectively
113 Copyright 2005
Cisco Catalyst 6500 QoS Design Queuing Design (1P2Q2T: Cisco IOS): Part 2
CAT6500-PFC3(config-if-range)# wrr-queue cos-map 1 1 1
! Maps Scavenger/Bulk to Q1 WRED Threshold 1
CAT6500-PFC3(config-if-range)# wrr-queue cos-map 1 2 0
! Maps Best Effort to Q1 WRED Threshold 2
CAT6500-PFC3(config-if-range)# wrr-queue cos-map 2 1 2 3 4
! Maps CoS 2, 3, 4 to Q2 WRED Threshold 1
CAT6500-PFC3(config-if-range)# wrr-queue cos-map 2 2 6 7
! Maps Network/Internetwork Control to Q2 WRED Threshold 2
CAT6500-PFC3(config-if-range)# priority-queue cos-map 1 5
! Maps VoIP to the PQ
CAT6500-PFC3(config-if-range)# end
CAT6500-PFC3-IOS#
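What the WRED thresholds slide describes, applied to the 1P2Q2T configuration just shown. This is an added example written for this page, not code from the presentation or from Cisco: it encodes the `wrr-queue cos-map`, `priority-queue cos-map` and `wrr-queue random-detect min/max-threshold` values above and reports, for a given queue fill level, which CoS values are being randomly discarded and which are already tail-dropped. Two assumptions are not on the page: the discard probability ramps linearly from 0 at the minimum threshold to 1 at the maximum (the real ASIC curve is not documented here), and the arrival pattern in `simulate_queue1()` is constructed:

```python
"""WRED thresholds for the 1P2Q2T egress design above.

Added example for this page, not code from the presentation or from Cisco.
Assumptions: a linear drop-probability ramp between min and max threshold,
and constructed arrivals in simulate_queue1().
"""
import random

# wrr-queue cos-map 1 1 1 / 1 2 0 / 2 1 2 3 4 / 2 2 6 7 ; priority-queue cos-map 1 5
COS_MAP = {            # cos -> (queue, threshold); queue 3 is the strict PQ
    1: (1, 1), 0: (1, 2),
    2: (2, 1), 3: (2, 1), 4: (2, 1),
    6: (2, 2), 7: (2, 2),
    5: (3, 1),
}
# wrr-queue random-detect {min,max}-threshold <q> <t1> <t2>  (percent of queue)
WRED = {
    (1, 1): (40, 80), (1, 2): (80, 100),
    (2, 1): (70, 80), (2, 2): (80, 100),
}


def drop_probability(cos: int, fill_pct: dict) -> float:
    """WRED discard probability for one CoS given each queue's fill level in
    percent: 0.0 below the min threshold, 1.0 at or above the max threshold
    (where the slide says tail-drop for that class begins)."""
    q, t = COS_MAP[cos]
    fill = fill_pct[q]
    if q == 3:                                  # PQ: single tail-drop point
        return 1.0 if fill >= 100 else 0.0
    lo, hi = WRED[(q, t)]
    if fill < lo:
        return 0.0
    if fill >= hi:
        return 1.0
    return (fill - lo) / (hi - lo)              # linear ramp (assumption)


def discard_report(fill_pct: dict) -> dict:
    """Per-CoS discard probability at the given fill levels."""
    return {cos: round(drop_probability(cos, fill_pct), 2) for cos in sorted(COS_MAP)}


def simulate_queue1(ticks=200, arrivals=4, drain=3, capacity=100, seed=1):
    """Overload Q1 (CoS 0 and CoS 1 alternating, 4 arrivals against 3
    departures per tick) and count what WRED discards per class."""
    rng = random.Random(seed)
    occupancy = 0
    accepted, dropped = {0: 0, 1: 0}, {0: 0, 1: 0}
    for _ in range(ticks):
        for n in range(arrivals):
            cos = n % 2
            fill = {1: occupancy * 100 // capacity}
            if occupancy >= capacity or rng.random() < drop_probability(cos, fill):
                dropped[cos] += 1
            else:
                accepted[cos] += 1
                occupancy += 1
        occupancy = max(0, occupancy - drain)
    return accepted, dropped


if __name__ == "__main__":
    for fill in (30, 60, 85):
        print(f"all queues at {fill}%:", discard_report({1: fill, 2: fill, 3: fill}))
    print("Q1 overload (accepted, dropped):", simulate_queue1())
```

At 60% fill only CoS 1 (Scavenger/Bulk, Q1T1 at 40:80) is being discarded, at half probability; CoS 0 is untouched until Q1 passes 80%, and CoS 6/7 in Q2 are untouched until Q2 passes 80% while CoS 2/3/4 at Q2T1 are already being dropped from 70%. In the overload run, the scavenger class absorbs nearly all of the loss and the best-effort class keeps flowing, which is the point of putting the lower threshold on the traffic you least want to protect.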
114 Copyright 2005
Cisco Catalyst 6500 QoS Design PC + SoftPhone + Scavenger Model – CatOS Example
CAT6500-PFC2-CATOS> (enable) set qos policed-dscp-map 0,24,46:8
! Excess traffic marked DSCP 0, CS3 or EF will be remarked to CS1
CAT6500-PFC2-CATOS> (enable)
CAT6500-PFC2-CATOS> (enable) set qos policer aggregate SOFTPHONE-VOICE-3-1 rate 128 burst 8000 policed-dscp
! Defines the policer for SoftPhone VoIP traffic
CAT6500-PFC2-CATOS> (enable) set qos policer aggregate SOFTPHONE-SIGNALING-3-1 rate 32 burst 8000 policed-dscp
! Defines the policer for SoftPhone Call-Signaling traffic
CAT6500-PFC2-CATOS> (enable) set qos policer aggregate PC-DATA-3-1 rate 5000 burst 8000 policed-dscp
! Defines the policer for PC Data traffic
CAT6500-PFC2-CATOS> (enable)
CAT6500-PFC2-CATOS> (enable) set qos acl ip SOFTPHONE-PC-3-1 dscp 46 aggregate SOFTPHONE-VOICE-3-1 udp any any range 16384 32767
! Binds ACL to policer and marks in-profile SoftPhone VoIP to DSCP EF
CAT6500-PFC2-CATOS> (enable) set qos acl ip SOFTPHONE-PC-3-1 dscp 24 aggregate SOFTPHONE-SIGNALING-3-1 tcp any any range 2000 2002
! Binds ACL to policer and marks in-profile Call-Signaling to DSCP CS3
CAT6500-PFC2-CATOS> (enable) set qos acl ip SOFTPHONE-PC-3-1 dscp 0 aggregate PC-DATA-3-1 any
! Binds ACL to policer and marks in-profile PC Data traffic to DSCP 0
CAT6500-PFC2-CATOS> (enable)
CAT6500-PFC2-CATOS> (enable) commit qos acl SOFTPHONE-PC-3-1
! Commits ACL to PFC memory
CAT6500-PFC2-CATOS> (enable) set port qos 3/1 trust untrusted
! Sets the port trust state to untrusted
CAT6500-PFC2-CATOS> (enable) set port qos 3/1 cos 0
! Sets the CoS value for untrusted packets to 0
CAT6500-PFC2-CATOS> (enable) set qos acl map SOFTPHONE-PC-3-1 3/1
! Attaches ACL to switch port
CAT6500-PFC2-CATOS> (enable)
115 Copyright 2005
Cisco Catalyst 6500 AutoQoS VoIP (CatOS Only)
Options:
• autoqos voip ciscoipphone
• autoqos voip ciscosoftphone
• autoqos voip trust

Cisco IOS on the Catalyst 6500 does not (yet) support conditional trust or AutoQoS.

Entering:
set qos autoqos
set port qos 3/1 autoqos voip ciscoipphone

generates (abbreviated):
set qos enable
set qos map 2q2t tx 2 1 cos 1
set qos map 2q2t tx 2 1 cos 2
set qos map 2q2t tx 2 1 cos 3
set qos map 2q2t tx 2 2 cos 5
set qos drop-threshold 2q2t tx queue 1 100 100
…
set qos cos-dscp-map 0 10 18 26 34 46 48 56
set qos ipprec-dscp-map 0 10 18 26 34 46 48 56
set qos policed-dscp-map 0,26,46:0
set qos policed-dscp-map 1:1
…
set qos policed-dscp-map 63:63
clear qos acl all
#ACL_IP-PHONES
set qos acl ip ACL_IP-PHONES trust-cos ip any any
#
commit qos acl all
!
set vlan 100 3/1
set port qos 3/1 trust-device ciscoipphone
set trunk 3/1 off negotiate 1-1005,1025-4094
set spantree portfast 3/1 enable
set port qos 3/1 trust trust-cos
set qos acl map ACL_IP-PHONES 3/1
set port qos 3/1-48 policy-source local
set port channel 3/1 mode off
116 Copyright 2005
Topics
• Quality of Service Review
• QoS for Convergence
• QoS for Security
• QoS Technology and Tools
• QoS Best Practices
• Configuring QoS on Catalyst 6500
117 Copyright 2005
Summing It Up
• Know what problem you are trying to solve
– Protect voice, protect the network, etc.
• Know your application requirements
• Understand your hardware and software limitations
– They define your set of QoS tools and strategies
• For now, no more than 5 or 6 data classes
• Think long and hard before defining a "mission critical" application
• Deploy QoS end to end
– Not just on a router or two
118 Copyright 2005
Summing It Up
• Classify and mark your traffic as close to the source as feasible
• Police as close to the source as feasible
• Policing with DSCP markdown to Scavenger is an important DoS mitigation strategy
• No trust at user ports
• Trust DSCP at distribution and core
• Trust CoS only if you have to
119 Copyright 2005
Thank You
• Questions?• Coffee?
• Contact Info:– Ron Trunk– Chesapeake Netcraftsmen, LLC– (301) 943-0173– [email protected]