© 2006 Cisco Systems, Inc. All rights reserved. Cisco Public
Agenda
• QoS Introduction
• QoS Technologies Overview
• QoS Best Practice Design Principles
• QoS Design for WAN, Branch, VPN
• QoS Design for Campus
Introduction to QoS Tools and Design

QoS Introduction
What Is Quality of Service? Two Perspectives
• The user perspective
  Users perceive that their applications are performing properly
  Voice, video, and data
• The network manager perspective
  Need to manage bandwidth allocations to deliver the desired application performance
  Control delay, jitter, and packet loss
Why Enable QoS? HA, Security, and QoS Are Interdependent Technologies
• Enables VoIP and IP telephony
• Drives productivity by enhancing service-levels to mission-critical applications
• Cuts costs by bandwidth optimization
• Helps maintain network availability in the event of DoS/worm attacks
[Diagram: Quality of Service, High Availability and Security shown as three overlapping, interdependent circles]
What Causes ...
Lack of bandwidth – multiple flows are contesting for a limited amount of bandwidth
Too much delay – packets have to traverse many network devices and links that add up to the overall delay
Variable delay – sometimes there is a lot of other traffic which results in more delay
Drops – packets have to be dropped when a link is congested
Available Bandwidth
Maximum available bandwidth equals the bandwidth of the weakest link
Multiple flows are contesting for the same bandwidth, resulting in much less bandwidth being available to one single application.
[Diagram: four routers joined by 10 Mbps, 256 kbps, 512 kbps and 100 Mbps links]
BWmax = min(10M, 256k, 512k, 100M) = 256 kbps
BWavail = BWmax / Flows
How to Increase Available Bandwidth?
• Upgrade the link. The best solution but also the most expensive.
• Fancy queuing (instead of FIFO queuing): take some bandwidth from less important applications.
  Priority Queuing (PQ), Custom Queuing (CQ), Modified Deficit Round Robin (MDRR), Class-based Weighted Fair Queuing (CB-WFQ)
• Compress the headers: compress the header of IP packets.
  TCP Header Compression, RTP Header Compression
• Compress the payload: compress the payload of layer-2 frames.
  Stacker, Predictor
End-to-End Delay
End-to-end delay equals the sum of all propagation, processing and queuing delays in the path.
Propagation delay is fixed; processing and queuing delays are unpredictable in best-effort networks.
[Diagram: a packet crossing four links; each link adds propagation delay (P1–P4) and each router adds processing and queuing delay (Q1–Q3)]
Delay = P1 + Q1 + P2 + Q2 + P3 + Q3 + P4 = X ms
How to Reduce Delay?
• Upgrade the link. The best solution but also the most expensive.
• Fancy queuing (instead of FIFO queuing): forward the important packets first.
  Priority Queuing (PQ), Custom Queuing (CQ), Strict Priority MDRR, IP RTP Prioritization, Class-based Low-Latency Queuing (CB-LLQ)
• Compress the headers: compress the header of IP packets.
  TCP Header Compression, RTP Header Compression
• Compress the payload: compress the payload of layer-2 frames (it takes time).
  Stacker, Predictor
Packet Loss
Tail-drops occur when the output queue is full. These are the most common drops, which happen when a link is congested.
There are also many other types of drops that are not as common and may require a hardware upgrade (input drop, ignore, overrun, no buffer, ...). These drops are usually a result of router congestion.
[Diagram: packets arriving at a full output queue are tail-dropped]
How to Prevent Packet Loss?
• Upgrade the link. The best solution but also the most expensive.
• Fancy queuing (instead of FIFO queuing): guarantee enough bandwidth to sensitive packets.
  Custom Queuing (CQ), Modified Deficit Round Robin (MDRR), Class-based Weighted Fair Queuing (CB-WFQ)
• Dropper: prevent congestion by randomly dropping less important packets before congestion occurs.
  Weighted Random Early Detection (WRED)
Quality of Service Operations: How Do QoS Tools Work?
• Classification and Marking
• Queuing and (Selective) Dropping
• Post-Queuing Operations
Cisco IOS QoS Behavioral Model
[Diagram: packet stream → Classification → optional pre-queuing operators → queuing system (several queues feeding a scheduler) → optional post-queuing operators]
Policy Actions
[Diagram: the behavioral model, annotated with where match conditions and policy actions apply]
Specify match conditions and policy actions:
• Classification: classify traffic
• Pre-Queuing: immediate actions
• Queuing and Scheduling: congestion management and avoidance
• Post-Queuing: link efficiency mechanisms
Operators for Traffic Classification and QoS Policy Actions
Match Conditions (keyword: class-map)
• Match one or more attributes (partial list): ACL list, CoS, Differentiated Services Code Point (DSCP), input-interface, Media Access Control (MAC) address, packet length, precedence, protocol, VLAN
Policy Actions (keyword: policy-map)
• Pre-Queuing (immediate actions): mark (set QoS values), police, drop, count
• Queuing and Scheduling (congestion management and avoidance): queue-limit, random-detect, bandwidth, fair-queue, priority, shape
• Post-Queuing (link efficiency mechanisms): compress header, fragment (link fragmentation and interleaving, layer two)
Cisco QoS Architectural Framework
[Diagram: pyramid with Business Objectives at the top; QoS for Convergence (video, voice, data), QoS for Security and QoS for Tiered Services in the middle; Architecture Standards at the base: DiffServ standards, IntServ standards, hybrid standards]
Cisco QoS Architectural Framework: Cisco QoS Tools
[Diagram: the framework pyramid with Automating and Management (provisioning/auto-provisioning, management technologies, management applications) alongside the QoS tools, listed per tool category for the two platform families]
Tool category: Router Cisco IOS QoS / Cisco Catalyst QoS
• Classification and Marking: CoS, DSCP, MPLS EXP, NBAR / CoS, DSCP
• Policing: Single-Rate, Dual-Rate / Single Rate, Dual Rate, Microflow
• Congestion Mgmt: LLQ, CBWFQ / 1PxQyT
• Congestion Avoidance: WRED, ECN / WTD, WRED, ECN
• Link-Specific: Shaping, cRTP, LFI / Shaping
• Signaling: RSVP / RSVP, COPS
How Is QoS Optimally Deployed?
1. Strategically define the business objectives to be achieved via QoS
2. Analyze the service-level requirements of the various traffic classes to be provisioned for
3. Design and test the QoS policies prior to production-network rollout
4. Roll out the tested QoS designs to the production network in phases, during scheduled downtime
5. Monitor service levels to ensure that the QoS objectives are being met
General QoS Design Principles: Start with the Objectives, Not the Tools
• Clearly define the organizational objectives
  Protect voice? Video? Data?
  DoS/worm mitigation?
• Assign as few applications as possible to be treated as “mission-critical”
• Seek executive endorsement of the QoS objectives prior to design and deployment
• Determine how many classes of traffic are required to meet the organizational objectives
  More classes = more granular service-guarantees
How Many Classes of Service Do I Need? Example Strategy for Expanding the Number of Classes of Service over Time
• 4/5 Class Model: Realtime, Call Signaling, Critical Data, Best Effort, Scavenger
• 8 Class Model: Voice, Video, Call Signaling, Network Control, Critical Data, Bulk Data, Best Effort, Scavenger
• 11 Class Model: Voice, Interactive-Video, Streaming Video, Call Signaling, IP Routing, Network Management, Mission-Critical Data, Transactional Data, Bulk Data, Best Effort, Scavenger
[Diagram: the three models placed along a time axis, each class of the smaller model splitting into finer classes in the next]
Voice QoS Requirements: Provisioning for Voice
Voice one-way requirements:
• Latency ≤ 150 ms
• Jitter ≤ 30 ms
• Loss ≤ 1%
• 17–106 kbps guaranteed priority bandwidth per call
• 150 bps (+ layer 2 overhead) guaranteed bandwidth for voice-control traffic per call
• CAC must be enabled
Voice traffic characteristics: smooth, benign, drop sensitive, delay sensitive, UDP priority
Video QoS Requirements: Provisioning for Interactive Video
Video one-way requirements:
• Latency ≤ 150 ms
• Jitter ≤ 30 ms
• Loss ≤ 1%
• Minimum priority bandwidth guarantee required is video-stream + 10–20%
  e.g., a 384 kbps stream could require up to 460 kbps of priority bandwidth
• CAC must be enabled
Video traffic characteristics: bursty, drop sensitive, delay sensitive, UDP priority
Data QoS Requirements: Provisioning for Data
• Different applications have different traffic characteristics
• Different versions of the same application can have different traffic characteristics
• Classify data into a four/five-class model
  Mission-critical apps
  Transactional/interactive apps
  Bulk data apps
  Best effort apps
  Optional: Scavenger apps
Data traffic characteristics: smooth/bursty, benign/greedy, drop insensitive, delay insensitive, TCP retransmits
Scavenger Class: What Is the Scavenger Class?
• The Scavenger class is an Internet 2 draft specification for a “less than best effort” service
• There is an implied “good faith” commitment for the “best effort” traffic class
  It is generally assumed that at least some network resources will be available for the default class
• Scavenger class markings can be used to distinguish out-of-profile/abnormal traffic flows from in-profile/normal flows
  The Scavenger class marking is CS1, DSCP 8
• Scavenger traffic is assigned a “less-than-best effort” queuing treatment whenever congestion occurs
QoS Technology Overview

QoS Technologies Overview
• Classification tools
• Scheduling tools
• Policing and shaping tools
• Link-Specific tools
• Signaling tools (RSVP)
• AutoQoS tools
• QoS for Security
Classification Tools: Ethernet 802.1Q Class of Service (L2)
• 802.1p user priority field also called Class of Service (CoS)
• Different types of traffic are assigned different CoS values
• CoS 6 and 7 are reserved for network use
[Diagram: Ethernet frame (Preamble, SFD, DA, SA, Type, Data, FCS) carrying the 4-byte 802.1Q/p tag (PRI, CFI, VLAN ID); the three PRI bits are the CoS / 802.1p user priority]
CoS to application mapping:
CoS 0: Best Effort Data
CoS 1: Bulk Data
CoS 2: Critical Data
CoS 3: Call Signaling
CoS 4: Video
CoS 5: Voice
CoS 6: Routing
CoS 7: Reserved
Classification Tools: IP Precedence and DiffServ Code Points (L3)
• IPv4: three most significant bits of ToS byte are called IP Precedence (IPP)—other bits unused
• DiffServ: six most significant bits of ToS byte are called DiffServ Code Point (DSCP)—remaining two bits used for flow control
• DSCP is backward-compatible with IP precedence
[Diagram: IPv4 header (Version, Length, ToS byte, Len, ID, Offset, TTL, Proto, FCS, IP SA, IP DA, Data); ToS byte bits 7–0: standard IPv4 uses bits 7–5 as IP Precedence and leaves bits 4–0 unused; the DiffServ extension uses bits 7–2 as the DSCP and bits 1–0 as IP ECN]
Classification Tools: MPLS EXP Bits
• Packet class and drop precedence inferred from EXP (three-bit) field
• RFC3270 does not recommend specific EXP values for DiffServ PHB (EF/AF/DF)
• Used for frame-based MPLS
[Diagram: frame encapsulation: layer-2 header, label stack of one or more label headers, payload; each 32-bit MPLS shim header carries the Label, EXP (3 bits), S (bottom of stack) and TTL fields]
Classification Tools: DSCP Per-Hop Behaviors
• IETF RFCs have defined special keywords, called Per-Hop Behaviors, for specific DSCP markings
• EF: Expedited Forwarding (RFC3246) (DSCP 46)
• CSx: Class Selector (RFC2474), where x corresponds to the IP Precedence value (1–7)
  (DSCP 8, 16, 24, 32, 40, 48, 56)
• AFxy: Assured Forwarding (RFC2597), where x corresponds to the IP Precedence value (only 1–4 are used for AF classes)
  and y corresponds to the Drop Preference value (either 1 or 2 or 3), with the higher values denoting higher likelihood of dropping
  (DSCP 10/12/14, 18/20/22, 26/28/30, 34/36/38)
• BE: Best Effort or Default Marking Value (RFC2474) (DSCP 0)
Classification Tools: Network-Based Application Recognition
• Identifies over 90 applications and protocols
  TCP and UDP port numbers: statically assigned, or dynamically assigned during connection establishment
  Non-TCP and non-UDP IP protocols
  Data packet inspection for matching values
[Diagram: NBAR inspects the IP packet (ToS, source IP address, destination IP address, protocol), the TCP/UDP header (source port, destination port) and the packet data area (sub-port/deep inspection); inspection is stateful and dynamic]
Policing Tools: RFC 2697 Single Rate Three Color Policer
[Diagram: a packet of size B is first checked against the committed token bucket (size CBS, filled at CIR): if B < Tc it is Conform. Otherwise it is checked against the excess bucket (size EBS, filled by the overflow of the committed bucket): if B < Te it is Exceed, otherwise Violate. Each colour has its own action.]
Policing Tools: RFC 2698 Two Rate Three Color Policer
[Diagram: a packet of size B is first checked against the peak bucket (size PBS, filled at PIR): if B > Tp it is Violate. Otherwise it is checked against the committed bucket (size CBS, filled at CIR): if B > Tc it is Exceed, otherwise Conform. Each colour has its own action.]
Scheduling Tools: Queuing Algorithms
• Congestion can occur at any point in the network where there are speed mismatches
• Routers use Cisco IOS-based software queuing
  Low-Latency Queuing (LLQ) used for highest-priority traffic (voice/video)
  Class-Based Weighted-Fair Queuing (CBWFQ) used for guaranteeing bandwidth to data applications
• Cisco Catalyst switches use hardware queuing
[Diagram: voice, video and data packets sorted into separate queues and scheduled onto the link]
TCP Global Synchronization: The Need for Congestion Avoidance
• All TCP flows synchronize in waves
• Synchronization wastes available bandwidth
[Figure: bandwidth utilization over time; three traffic flows start at different times and another flow starts later; each tail drop makes all flows back off together, so utilization oscillates below 100%]
Scheduling Tools: Congestion Avoidance Algorithms
• Queuing algorithms manage the front of the queue
  Which packets get transmitted first
• Congestion avoidance algorithms manage the tail of the queue
  Which packets get dropped first when queuing buffers fill
• Weighted Random Early Detection (WRED)
  WRED can operate in a DiffServ-compliant mode
  Drops packets according to their DSCP markings
  WRED works best with TCP-based applications, like data
[Diagram: a queue of packets marked with drop precedence 0–3, comparing which packets tail drop discards with which packets WRED discards as the queue fills]
Scheduling Tools: DSCP-Based WRED Operation
[Graph: drop probability (0–100%) against average queue size; AF13 begins dropping first, then AF12, then AF11; each reaches “drop all” at its maximum threshold, and beyond the maximum queue length every packet is tail-dropped]
AF = (RFC 2597) Assured Forwarding
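Worked example, added here and not part of the Cisco deck: DSCP-based WRED for the three AF1y drop precedences on the graph. The thresholds, the mark-probability denominator and the 64-packet queue are constructed assumptions; the slide fixes only the ordering (AF13 starts dropping first, then AF12, then AF11) and the tail drop beyond the maximum queue length. The averaging step is the exponential weighting WRED applies so that a short burst does not trigger drops.

```python
# Added example (not from the Cisco deck): DSCP-based WRED for the AF1y
# drop precedences on the graph. Thresholds, mark-probability denominator
# and the 64-packet queue are constructed assumptions.

MAX_QUEUE = 64  # packets; at or beyond this everything is tail-dropped

# DSCP -> (min_threshold, max_threshold, mark_probability_denominator)
WRED_PROFILES = {
    14: (16, 40, 10),  # AF13: highest drop precedence, begins dropping first
    12: (24, 40, 10),  # AF12
    10: (32, 40, 10),  # AF11: lowest drop precedence, protected the longest
}


def ewma_avg(prev_avg, current_depth, weight_exp=9):
    """Exponentially weighted moving average of queue depth.

    WRED decides on the average rather than the instantaneous depth so a
    short burst does not trigger drops: avg += (depth - avg) / 2**weight_exp.
    """
    return prev_avg + (current_depth - prev_avg) / (2 ** weight_exp)


def drop_probability(dscp, avg_depth):
    """Probability that a packet with this DSCP is dropped at this average depth."""
    if avg_depth >= MAX_QUEUE:
        return 1.0                          # queue full: tail drop for every marking
    profile = WRED_PROFILES.get(dscp)
    if profile is None:
        return 0.0                          # no WRED profile: only tail drop applies
    min_th, max_th, mpd = profile
    if avg_depth < min_th:
        return 0.0                          # below "begin dropping"
    if avg_depth >= max_th:
        return 1.0                          # "drop all" for this precedence
    # linear ramp from 0 at min_th to 1/mpd at max_th
    return (avg_depth - min_th) / (max_th - min_th) / mpd


def wred_decide(dscp, avg_depth, sample):
    """sample is a uniform draw in [0, 1); returns 'drop' or 'enqueue'."""
    return "drop" if sample < drop_probability(dscp, avg_depth) else "enqueue"


def count_drops(arrivals, depths, weight_exp=9):
    """Run constructed (dscp, sample) arrivals against instantaneous queue depths
    and return drops per DSCP; shows AF13 losing packets before AF12 and AF11."""
    avg = 0.0
    drops = {d: 0 for d in WRED_PROFILES}
    for (dscp, sample), depth in zip(arrivals, depths):
        avg = ewma_avg(avg, depth, weight_exp)
        if wred_decide(dscp, avg, sample) == "drop":
            drops[dscp] = drops.get(dscp, 0) + 1
    return drops


if __name__ == "__main__":
    # constructed: the queue sits at 28 packets and one packet of each AF1y arrives;
    # weight_exp=0 makes the average follow the depth immediately for the demo
    print(count_drops([(14, 0.04), (12, 0.04), (10, 0.04)], [28, 28, 28], weight_exp=0))
```

With the average at 28 packets, AF13 is already on its ramp (5% drop probability), AF12 has only just crossed its minimum threshold (2.5%) and AF11 is untouched, which is the staggering the graph illustrates. With the default weighting exponent of 9 the average moves by 1/512 of the difference per sample, so an isolated burst barely registers.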
Congestion Avoidance
• IP header Type of Service (ToS) byte
• Explicit Congestion Notification (ECN) bits
  ECT bit: ECN-Capable Transport
  CE bit: Congestion Experienced
[Diagram: IPv4 header with the ToS byte, bits 7–0; bits 7–2 carry the DiffServ Code Point (DSCP), bit 1 is ECT and bit 0 is CE]
RFC3168: IP Explicit Congestion Notification
Traffic Shaping
• Policers typically drop traffic
• Shapers typically delay excess traffic, smoothing bursts and preventing unnecessary drops
• Very common on Non-Broadcast Multiple-Access (NBMA) network topologies such as Frame Relay and ATM
[Figure: without traffic shaping, transmission bursts up to line rate; with traffic shaping it is held at the lower shaped rate]
Traffic shaping limits the transmit rate to a value lower than line rate
Link-Specific Tools: Link Fragmentation and Interleaving
• Serialization delay is the finite amount of time required to put frames on a wire
• For links ≤ 768 kbps serialization delay is a major factor affecting latency and jitter
• For such slow links, large data packets need to be fragmented and interleaved with smaller, more urgent voice packets
[Diagram: without fragmentation a voice packet waits behind a large data frame and serialization causes excessive delay; with fragmentation and interleaving the voice packet is sent between data fragments and serialization delay is minimized]
Link-Specific Tools: IP RTP Header Compression
• cRTP reduces L3 VoIP BW by:
  ~ 20% for G.711
  ~ 60% for G.729
[Diagram: VoIP packet: IP header (20 bytes) + UDP header (8 bytes) + RTP header (12 bytes) + voice payload; cRTP compresses the 40 header bytes to 2–5 bytes]
AutoQoS: AutoQoS VoIP for Cisco Catalyst Switches
Command entered on the interface:
CAT2970(config-if)#auto qos voip cisco-phone

Configuration generated by AutoQoS:
!
mls qos map cos-dscp 0 8 16 26 32 46 48 56
mls qos srr-queue output cos-map queue 1 threshold 3 5
mls qos srr-queue output cos-map queue 2 threshold 3 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 2 4
mls qos srr-queue output cos-map queue 4 threshold 2 1
mls qos srr-queue output cos-map queue 4 threshold 3 0
mls qos srr-queue output dscp-map queue 1 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 3 threshold 3 32 33 34 35 36 37 38 39
mls qos srr-queue output dscp-map queue 4 threshold 1 8
mls qos srr-queue output dscp-map queue 4 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue output dscp-map queue 4 threshold 3 0 1 2 3 4 5 6 7
mls qos queue-set output 1 threshold 1 138 138 92 138
mls qos queue-set output 1 threshold 2 138 138 92 400
mls qos queue-set output 1 threshold 3 36 77 100 318
mls qos queue-set output 1 threshold 4 20 50 67 400
mls qos queue-set output 2 threshold 1 149 149 100 149
mls qos queue-set output 2 threshold 2 118 118 100 235
mls qos queue-set output 2 threshold 3 41 68 100 272
mls qos queue-set output 2 threshold 4 42 72 100 242
mls qos queue-set output 1 buffers 10 10 26 54
mls qos queue-set output 2 buffers 16 6 17 61
mls qos
!
!
interface GigabitEthernet0/1
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 queue-set 2
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
!
AutoQoS: AutoQoS VoIP: WAN
Configuration entered:
interface Serial2/0
 bandwidth 768
 ip address 10.1.102.2 255.255.255.0
 encapsulation ppp
 auto qos voip trust

Configuration generated by AutoQoS:
!
interface Multilink2001100117
 bandwidth 768
 ip address 10.1.102.2 255.255.255.0
 service-policy output AutoQoS-Policy-Trust
 ip tcp header-compression iphc-format
 no cdp enable
 ppp multilink
 ppp multilink fragment delay 10
 ppp multilink interleave
 ppp multilink group 2001100117
 ip rtp header-compression iphc-format
!
…
!
interface Serial2/0
 bandwidth 768
 no ip address
 encapsulation ppp
 auto qos voip trust
 no fair-queue
 ppp multilink
 ppp multilink group 2001100117
!
!
class-map match-any AutoQoS-VoIP-RTP-Trust
 match ip dscp ef
class-map match-any AutoQoS-VoIP-Control-Trust
 match ip dscp cs3
 match ip dscp af31
!
!
policy-map AutoQoS-Policy-Trust
 class AutoQoS-VoIP-RTP-Trust
  priority percent 70
 class AutoQoS-VoIP-Control-Trust
  bandwidth percent 5
 class class-default
  fair-queue
!
AutoQoS: AutoQoS Enterprise: WAN DiffServ Classes
Traffic Class: DSCP
• Transactional/Interactive: AF21
• Telephony Signaling: CS3
• Streaming Video: CS4
• Interactive Video: AF41
• Interactive Voice: EF
• Network Management: CS2
• Bulk Data: AF11
• Scavenger: CS1
• Best Effort: 0
• IP Routing: CS6
[Diagram: AutoDiscovery collects application and protocol types and the offered bit rate (average and peak); Cisco AutoQoS turns these into class-maps with match statements and a policy with minimum bandwidth for class queues, scheduling and WRED]
AutoQoS: AutoQoS Enterprise: WAN, Part One: Discovery
AutoDiscovery notes:
• Command should be enabled on interface of interest
• Do not change interface bandwidth when running auto discovery
• Cisco Express Forwarding must be enabled
• All previously attached QoS policies must be removed from the interface
interface Serial4/0 point-to-point
 encapsulation frame-relay
 bandwidth 256
 ip address 10.1.71.1 255.255.255.0
 frame-relay interface-dlci 100
 auto discovery qos
AutoQoS Enterprise: WAN, Part One: Discovery (Cont.)
Router# show auto discovery qos
AutoQoS Discovery enabled for applications
Discovery up time: 2 days, 55 minutes
AutoQoS Class information:
Class VoIP:
 Recommended Minimum Bandwidth: 517 Kbps/50% (PeakRate)
 Detected applications and data:
 Application/   AverageRate   PeakRate   Total
 Protocol       (kbps/%)      (kbps/%)   (bytes)
 rtp audio      76/7          517/50     703104
Class Interactive Video:
 Recommended Minimum Bandwidth: 24 Kbps/2% (AverageRate)
 Detected applications and data:
 Application/   AverageRate   PeakRate   Total
 Protocol       (kbps/%)      (kbps/%)   (bytes)
 rtp video      24/2          5337/52    704574
Class Transactional:
 Recommended Minimum Bandwidth: 0 Kbps/0% (AverageRate)
 Detected applications and data:
 Application/   AverageRate   PeakRate   Total
 Protocol       (kbps/%)      (kbps/%)   (bytes)
 citrix         36/3          74/7       30212
 sqlnet         12/1          7/<1       1540
AutoQoS Enterprise: WAN, Part Two: Provisioning
Configuration entered:
interface Serial4/0 point-to-point
 bandwidth 256
 ip address 10.1.71.1 255.255.255.0
 frame-relay interface-dlci 100
 auto qos

Configuration generated by AutoQoS:
class-map match-any AutoQoS-Voice-Se4/0
 match protocol rtp audio
class-map match-any AutoQoS-Inter-Video-Se4/0
 match protocol rtp video
class-map match-any AutoQoS-Transactional-Se4/0
 match protocol sqlnet
 match protocol citrix
!
policy-map AutoQoS-Policy-Se4/0
 class AutoQoS-Voice-Se4/0
  priority percent 70
  set dscp ef
 class AutoQoS-Inter-Video-Se4/0
  bandwidth remaining percent 10
  set dscp af41
 class AutoQoS-Transactional-Se4/0
  bandwidth remaining percent 1
  set dscp af21
 class class-default
  fair-queue
!
AutoQoS Enterprise: WAN, Part Two: Provisioning (Cont.)
<policy continued>
!
policy-map AutoQoS-Policy-Se4/0-Parent
 class class-default
  shape average 256000
  service-policy AutoQoS-Policy-Se4/0
!
interface Serial4/0 point-to-point
 frame-relay interface-dlci 100
  class AutoQoS-FR-Serial4/0-100
!
map-class frame-relay AutoQoS-FR-Serial4/0-100
 frame-relay cir 256000
 frame-relay mincir 256000
 frame-relay fragment 320
 service-policy output AutoQoS-Policy-Se4/0-Parent
AutoQoS Enterprise: WAN, Part Three: Monitoring
• Thresholds are activated in RMON alarm table to monitor drops in Voice Class
• Default drop threshold is 1 bps
RMON event configured and generated by Cisco AutoQoS (monitoring drops in LLQ):
rmon event 33333 log trap AutoQoS description "AutoQoS SNMP traps for Voice Drops" owner AutoQoS
rmon alarm 33350 cbQoSCMDDropBitRate.2881.2991 30 absolute rising-threshold 1 33333 falling-threshold 0 owner AutoQoS
Signaling Tools: Resource Reservation Protocol (RSVP)
• RSVP QoS services
  Guaranteed service: mathematically provable bounds on end-to-end datagram queuing delay/bandwidth
  Controlled service: approximate QoS from an unloaded network for delay/bandwidth
• RSVP provides the policy to WFQ and LLQ
[Diagram: a multimedia station with handset signals “This app needs 16K BW and 100 msec delay”; each router on the path to the multimedia server passes on “I need 16K BW and 100 msec delay” and reserves 16K BW on its line]
QoS for Security

Impact of an Internet Worm: Part One: Direct and Collateral Damage
[Diagram: enterprise topology with campus, branch (over L2VPN, L3VPN and MetroE), teleworker (over broadband DSL), primary and secondary data centers and Internet connections; the worm leaves the data plane overloaded, the control plane overloaded and end systems overloaded]
QoS Tools and Tactics for Security: QoS for Self-Defending Networks
• Control plane policing
• Data plane policing (Scavenger-Class QoS)
• NBAR for known-worm policing
Control Plane Policing: Overview
[Diagram: the CEF input forwarding path (ACL, uRPF, NAT, CEF/FIB lookup, packet buffer, output packet buffer) hands processor-switched packets to the control plane (management: SNMP, Telnet, SSH, SSL; ICMP; IPv6; routing updates; …). Control Plane Policing limits the input to the control plane (alleviating DoS attacks); Silent Mode suppresses output from the control plane (reconnaissance prevention)]
Data Plane Policing (Scavenger-Class QoS): Part One: First Order Anomaly Detection
• All end systems generate traffic spikes, but worms create sustained spikes
• Normal/abnormal threshold set at approx 95% confidence
• No dropping at campus access-edge; only remarking
[Diagram: traffic above the normal/abnormal threshold is policed and remarked (if necessary) at the access edge]
Data Plane Policing (Scavenger-Class QoS): Part Two: Second Order Anomaly Reaction
• Queuing only engages if links become congested
  When congestion occurs, drops will also occur
• Scavenger-class QoS allows for increased intelligence in the dropping decision
  “Abnormal” traffic flows will be dropped aggressively
  “Normal” traffic flows will continue to receive network service
[Diagram: traffic is policed at the access edge; queuing will engage when links become congested and traffic previously marked as Scavenger is dropped aggressively; WAN/VPN links will likely congest first, campus uplinks may also congest]
NBAR Known-Worm Policing: NBAR vs. Code Red Example
• First released in May 2001
• Exploited a vulnerability in Microsoft IIS and infected 360,000 hosts in 14 hours
• Several strains (CodeRed, CodeRedv2, CodeRed II, CodeRedv3, CodeRed.C)
• Newer strains replaced home page of Web servers and caused DoS flooding-attacks
• Attempts to access a file with “.ida” extension
class-map match-any CODE-RED
 match protocol http url "*.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
[Diagram: NBAR on the branch router inspects the frame, the IP packet (ToS/DSCP, source IP, destination IP), the TCP segment (source port, destination port) and the data payload for *HTTP GET /*.ida*; the branch switch sits behind the branch router]
Impact of an Internet Worm: Part Two: Integrating Security and QoS
[Diagram: the same topology as Part One (Internet, campus, branch over L2VPN/L3VPN/MetroE, teleworker over broadband DSL, primary and secondary data centers), with a countermeasure placed against each overloaded component]
• Prevent the attack: intrusion detection, Cisco Guard, firewall, ACLs and NBAR
• Protect the end systems: Cisco Security Agent
• Protect the control plane: control plane policing
• Protect the data plane: data plane policing (Scavenger-Class QoS)
QoS Best-Practice Design Principles

Classification and Marking Design: Where and How Should Marking Be Done?
• QoS policies (in general) should always be performed in hardware, rather than software, whenever a choice exists
• Classify and mark applications as close to their sources as technically and administratively feasible
• Use DSCP markings whenever possible
• Follow standards-based DSCP PHBs to ensure interoperation and future expansion
  RFC 2474 Class Selector Code Points
  RFC 2597 Assured Forwarding Classes
  RFC 3246 Expedited Forwarding
Classification and Marking Design: QoS Baseline Marking Recommendations
Application              L3 DSCP   L3 PHB   L3 IPP   L2 CoS
Routing                  48        CS6      6        6
Voice                    46        EF       5        5
Video Conferencing       34        AF41     4        4
Streaming Video          32        CS4      4        4
Mission-Critical Data    26        AF31*    3        3
Call Signaling           24        CS3*     3        3
Transactional Data       18        AF21     2        2
Network Management       16        CS2      2        2
Bulk Data                10        AF11     1        1
Scavenger                8         CS1      1        1
Best Effort              0         0        0        0
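Worked example, added here and not part of the Cisco deck: it decodes an IPv4 ToS byte into DSCP, IP Precedence and ECN (the layouts on the IP Precedence/DSCP and ECN slides), names the PHB with the RFC 2474/2597/3246 rules from the Per-Hop Behaviors slide, and looks the DSCP up in the QoS Baseline table above. The sample bytes are constructed. The backward_compatible field checks the claim on the DSCP slide: the three class-selector bits of the DSCP are always the IP Precedence value, so a legacy IPP-only device reads a DSCP-marked packet correctly.

```python
# Added example (not from the Cisco deck): decode the IPv4 ToS byte, name the
# PHB, and look up the QoS Baseline marking table. Field layout per RFC 2474
# (DSCP) and RFC 3168 (ECN). Sample bytes in __main__ are constructed.

# QoS Baseline table as printed on the slide: DSCP -> (application, PHB, IPP, CoS)
QOS_BASELINE = {
    48: ("Routing", "CS6", 6, 6),
    46: ("Voice", "EF", 5, 5),
    34: ("Video Conferencing", "AF41", 4, 4),
    32: ("Streaming Video", "CS4", 4, 4),
    26: ("Mission-Critical Data", "AF31", 3, 3),
    24: ("Call Signaling", "CS3", 3, 3),
    18: ("Transactional Data", "AF21", 2, 2),
    16: ("Network Management", "CS2", 2, 2),
    10: ("Bulk Data", "AF11", 1, 1),
    8: ("Scavenger", "CS1", 1, 1),
    0: ("Best Effort", "BE", 0, 0),
}

# RFC 3168 ECN codepoints (the ECN slide labels the two bits ECT and CE)
ECN_NAMES = {0: "Not-ECT", 1: "ECT(1)", 2: "ECT(0)", 3: "CE"}


def phb_name(dscp):
    """Map a 6-bit DSCP to its PHB keyword per RFC 2474/2597/3246.

    EF = 46, CSx = 8*x, AFxy = 8*x + 2*y for x in 1..4 and y in 1..3.
    Anything else has no standard keyword and is returned as a raw number.
    """
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field")
    if dscp == 0:
        return "BE"
    if dscp == 46:
        return "EF"
    cls, rem = divmod(dscp, 8)
    if rem == 0:
        return f"CS{cls}"
    if 1 <= cls <= 4 and rem in (2, 4, 6):
        return f"AF{cls}{rem // 2}"
    return f"DSCP{dscp}"


def decode_tos(tos):
    """Split one ToS byte into its DiffServ view (DSCP + ECN) and legacy view (IPP)."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS is one byte")
    dscp = tos >> 2          # bits 7-2
    ecn = tos & 0b11         # bits 1-0
    ipp = tos >> 5           # bits 7-5, shared with the DSCP class selector
    app, phb, _ipp, cos = QOS_BASELINE.get(dscp, ("unlisted", phb_name(dscp), ipp, ipp))
    return {
        "dscp": dscp,
        "phb": phb,
        "ipp": ipp,
        "ecn": ECN_NAMES[ecn],
        "cos": cos,
        "application": app,
        "backward_compatible": (dscp >> 3) == ipp,  # class-selector bits == IPP
    }


def encode_tos(dscp, ecn=0):
    """Inverse of decode_tos: the ToS byte a marker would write."""
    if not (0 <= dscp <= 63 and 0 <= ecn <= 3):
        raise ValueError("DSCP is 6 bits, ECN is 2 bits")
    return (dscp << 2) | ecn


if __name__ == "__main__":
    for tos in (0xB8, 0x48, 0x22, 0x03):  # constructed sample bytes
        print(hex(tos), decode_tos(tos))
```

0xB8 decodes to DSCP 46 (EF, Voice), 0x48 to AF21 (Transactional Data), 0x22 to CS1 (Scavenger) with the ECT(0) codepoint set, and 0x03 to Best Effort with Congestion Experienced set, so the same two bits that the DSCP slide calls "flow control" are the ECN field of the later slide.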
Queuing Design Principles: Where and How Should Queuing Be Done?
• The only way to provide service guarantees is to enable queuing at any node that has the potential for congestion
  Regardless of how rarely—in fact—this may occur
• At least 25 percent of a link’s bandwidth should be reserved for the default Best Effort class
• Limit the amount of strict-priority queuing to 33 percent of a link’s capacity
• Whenever a Scavenger queuing class is enabled, it should be assigned a minimal amount of bandwidth
• To ensure consistent PHBs, configure consistent queuing policies in the Campus + WAN + VPN, according to platform capabilities
• Enable WRED on all TCP flows, whenever supported
  Preferably DSCP-based WRED
Campus Queuing Design: Realtime, Best Effort, and Scavenger Queuing Rules
• Real-Time ≤ 33%
• Critical Data
• Best Effort ≥ 25%
• Scavenger/Bulk ≤ 5%
Campus and WAN/VPN Queuing Design: Compatible Four-Class and Eleven-Class Queuing Models Following Realtime, Best Effort, and Scavenger Queuing Rules
Eleven-class model mapped onto the four-class model:
• Voice 18% + Interactive Video 15% → Real-Time ≤ 33%
• Internetwork-Control, Call-Signaling, Network Management, Mission-Critical Data, Transactional Data, Streaming-Video → Critical Data
• Best Effort 25% → Best Effort ≥ 25%
• Bulk 4% + Scavenger 1% → Scavenger/Bulk 5%
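Worked example, added here and not part of the Cisco deck: a small checker that parses an IOS policy-map and tests it against the queuing rules on the preceding slides (strict priority ≤ 33%, class-default ≥ 25%, Scavenger ≤ 5%, no oversubscription). The eleven-class policy is constructed: Voice 18%, Interactive Video 15%, Best Effort 25%, Bulk 4% and Scavenger 1% come from the slide, the other percentages are assumptions. The second sample is the AutoQoS-Policy-Trust template generated on the AutoQoS VoIP WAN slide; the check flags its 70% priority queue against the 33% guideline, which is the kind of gap worth catching in the design-and-test step before rollout. One further assumption: when class-default has no explicit bandwidth statement, the checker counts what the priority and bandwidth classes leave over as the Best Effort share.

```python
# Added example (not from the Cisco deck): parse an IOS policy-map and check
# it against the queuing design rules on the slides. The eleven-class sample
# is constructed; the AutoQoS template is copied from the AutoQoS VoIP WAN slide.
import re

CLASS_RE = re.compile(r"^\s*class\s+(\S+)\s*$")
PRIORITY_RE = re.compile(r"^\s*priority\s+percent\s+(\d+)")
BANDWIDTH_RE = re.compile(r"^\s*bandwidth\s+(remaining\s+)?percent\s+(\d+)")

MAX_PRIORITY_PCT = 33     # "limit strict-priority queuing to 33 percent"
MIN_BEST_EFFORT_PCT = 25  # "at least 25 percent ... for the default Best Effort class"
MAX_SCAVENGER_PCT = 5     # Scavenger/Bulk <= 5% in the four-class model


def parse_policy_map(config):
    """Return {class_name: {"priority", "bandwidth", "remaining"}} for one policy-map."""
    classes, current = {}, None
    for line in config.splitlines():
        m = CLASS_RE.match(line)          # "class X" (not "class-map ...")
        if m:
            current = m.group(1)
            classes[current] = {"priority": None, "bandwidth": None, "remaining": None}
            continue
        if current is None:
            continue
        m = PRIORITY_RE.match(line)
        if m:
            classes[current]["priority"] = int(m.group(1))
            continue
        m = BANDWIDTH_RE.match(line)
        if m:
            classes[current]["remaining" if m.group(1) else "bandwidth"] = int(m.group(2))
    return classes


def check_queuing_rules(classes):
    """Return a list of (rule_id, message); empty means the policy follows the rules."""
    findings = []
    prio = sum(c["priority"] or 0 for c in classes.values())
    fixed = sum(c["bandwidth"] or 0 for c in classes.values())
    if prio > MAX_PRIORITY_PCT:
        findings.append(("PRIORITY_OVER_33", f"strict-priority classes total {prio}%"))
    if prio + fixed > 100:
        findings.append(("OVERSUBSCRIBED", f"priority + bandwidth = {prio + fixed}%"))

    default = classes.get("class-default", {})
    remaining_used = any(c["remaining"] is not None for c in classes.values())
    if default.get("bandwidth") is not None:
        best_effort = default["bandwidth"]
    elif default.get("remaining") is not None:
        best_effort = (100 - prio) * default["remaining"] / 100
    elif not remaining_used:
        best_effort = 100 - prio - fixed      # assumption: class-default gets the rest
    else:
        best_effort = None                    # remaining shares, no explicit default
    if best_effort is not None and best_effort < MIN_BEST_EFFORT_PCT:
        findings.append(("BEST_EFFORT_UNDER_25", f"class-default gets {best_effort}%"))

    for name, c in classes.items():
        if "scavenger" in name.lower() and (c["bandwidth"] or 0) > MAX_SCAVENGER_PCT:
            findings.append(("SCAVENGER_OVER_5", f"{name} gets {c['bandwidth']}%"))
    return findings


# Constructed eleven-class WAN-edge policy modelled on the slide (see note above)
ELEVEN_CLASS_POLICY = """
policy-map ELEVEN-CLASS-WAN-EDGE
 class VOICE
  priority percent 18
 class INTERACTIVE-VIDEO
  priority percent 15
 class INTERNETWORK-CONTROL
  bandwidth percent 5
 class CALL-SIGNALING
  bandwidth percent 5
 class NETWORK-MANAGEMENT
  bandwidth percent 5
 class MISSION-CRITICAL-DATA
  bandwidth percent 10
  random-detect dscp-based
 class TRANSACTIONAL-DATA
  bandwidth percent 7
  random-detect dscp-based
 class STREAMING-VIDEO
  bandwidth percent 5
 class BULK-DATA
  bandwidth percent 4
  random-detect dscp-based
 class SCAVENGER
  bandwidth percent 1
 class class-default
  bandwidth percent 25
  random-detect
"""

# The AutoQoS VoIP template exactly as generated on the earlier slide
AUTOQOS_TRUST_POLICY = """
policy-map AutoQoS-Policy-Trust
 class AutoQoS-VoIP-RTP-Trust
  priority percent 70
 class AutoQoS-VoIP-Control-Trust
  bandwidth percent 5
 class class-default
  fair-queue
"""

if __name__ == "__main__":
    print(check_queuing_rules(parse_policy_map(ELEVEN_CLASS_POLICY)))   # []
    print(check_queuing_rules(parse_policy_map(AUTOQOS_TRUST_POLICY)))  # priority 70% flagged
```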
Policing Design Principles: Where and How Should Policing Be Done?
• Police traffic flows as close to their sources as possible
• Perform markdown according to standards-based rules, whenever supported
  RFC 2597 specifies how assured forwarding traffic classes should be marked down (AF11 AF12 AF13), which should be done whenever DSCP-based WRED is supported on egress queues
  Cisco Catalyst platforms currently do not support DSCP-based WRED, so Scavenger-class remarking is a viable alternative
  Additionally, non-AF classes do not have a standards-based markdown scheme, so Scavenger-class remarking is a viable option
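Worked example, added here and not part of the Cisco deck: colour-blind implementations of the RFC 2697 single-rate and RFC 2698 two-rate three-colour markers from the policing tools slides, combined with the per-colour actions this slide and the data plane policing slides recommend (conform: transmit; exceed: RFC 2597 AF markdown where DSCP-based WRED is available, otherwise remark to Scavenger CS1; violate: drop). Rates are bytes per second, bucket sizes are bytes, and the packet traces are constructed.

```python
# Added example (not from the Cisco deck): RFC 2697 and RFC 2698 three-colour
# markers in colour-blind mode, plus the per-colour actions the design slides
# recommend. Rates are bytes/s, bucket sizes bytes, time in seconds.

CONFORM, EXCEED, VIOLATE = "conform", "exceed", "violate"

CS1 = 8  # Scavenger marking (DSCP 8)
# RFC 2597 markdown: AFx1 -> AFx2 -> AFx3; AFx3 is already the highest drop precedence
AF_MARKDOWN = {10: 12, 12: 14, 18: 20, 20: 22, 26: 28, 28: 30, 34: 36, 36: 38}


class SrTCM:
    """RFC 2697 single-rate three-colour marker: one rate (CIR), two buckets (CBS, EBS)."""

    def __init__(self, cir, cbs, ebs):
        self.cir, self.cbs, self.ebs = cir, cbs, ebs
        self.tc, self.te = float(cbs), float(ebs)  # both buckets start full
        self.last = 0.0

    def _refill(self, now):
        tokens = self.cir * (now - self.last)
        self.last = now
        to_c = min(tokens, self.cbs - self.tc)
        self.tc += to_c
        self.te = min(self.ebs, self.te + tokens - to_c)  # C's overflow feeds E

    def colour(self, size, now):
        self._refill(now)
        if self.tc >= size:
            self.tc -= size
            return CONFORM
        if self.te >= size:
            self.te -= size
            return EXCEED
        return VIOLATE  # red packets consume no tokens


class TrTCM:
    """RFC 2698 two-rate three-colour marker: peak bucket (PIR/PBS), committed bucket (CIR/CBS)."""

    def __init__(self, cir, pir, cbs, pbs):
        self.cir, self.pir, self.cbs, self.pbs = cir, pir, cbs, pbs
        self.tc, self.tp = float(cbs), float(pbs)
        self.last = 0.0

    def _refill(self, now):
        dt = now - self.last
        self.last = now
        self.tc = min(self.cbs, self.tc + self.cir * dt)
        self.tp = min(self.pbs, self.tp + self.pir * dt)

    def colour(self, size, now):
        self._refill(now)
        if self.tp < size:
            return VIOLATE  # above PIR
        self.tp -= size
        if self.tc < size:
            return EXCEED   # between CIR and PIR
        self.tc -= size
        return CONFORM


def police_action(colour, dscp, dscp_wred=True):
    """Return (action, dscp_out) for one coloured packet.

    conform: transmit unchanged. violate: drop. exceed: mark down, using the
    RFC 2597 AF markdown when the class has one and egress queues run
    DSCP-based WRED; otherwise remark to Scavenger (CS1), the alternative the
    slides give for Catalyst platforms and for non-AF classes.
    """
    if colour == CONFORM:
        return "transmit", dscp
    if colour == VIOLATE:
        return "drop", None
    if dscp_wred and dscp in AF_MARKDOWN:
        return "transmit", AF_MARKDOWN[dscp]
    return "transmit", CS1


def run_trace(marker, trace):
    """Colour each (time_s, size_bytes) packet of a constructed trace, in order."""
    return [marker.colour(size, t) for t, size in trace]


if __name__ == "__main__":
    burst = [(0.0, 600), (0.0, 600), (0.0, 400), (0.0, 100), (1.0, 800), (1.0, 300)]
    print(run_trace(SrTCM(cir=1000, cbs=1000, ebs=500), burst))
    print(run_trace(TrTCM(cir=1000, pir=2000, cbs=1000, pbs=2000),
                    [(0.0, 800), (0.0, 500), (0.0, 800), (0.0, 700)]))
```

In the single-rate trace the second 600-byte packet at time 0 is violating rather than exceeding because the excess bucket (500 bytes) is smaller than the packet, while the later 100-byte packet fits into it; after one second at CIR the committed bucket is full again. In the two-rate trace the third packet violates because the peak bucket, not the committed one, is exhausted.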
Enterprise LAN, WAN, Branch, and VPN QoS Design Overview
Campus QoS Considerations: Where Is QoS Required Within the Campus?
[Diagram: campus with IP phones + PCs on access switches, server farms, distribution/core switches (Cisco Catalyst 6500 Sup720) and a WAN aggregator, connected over FastEthernet, GigabitEthernet and TenGigabitEthernet; the edge policies shown are No Trust + Policing + Queuing, Conditional Trust + Policing + Queuing, Trust DSCP + Queuing, and Per-User Microflow Policing]
WAN Edge QoS Design Considerations: QoS Requirements of WAN Aggregators
[Diagram: campus distribution/core switches connect to the LAN edges of the WAN aggregator; its WAN edges face the WAN, where queuing/dropping/shaping/link-efficiency policies apply to campus-to-branch traffic]
Branch Router QoS Design: QoS Requirements for Branch Routers
[Diagram: branch router between the WAN and the branch switch]
• WAN edge: queuing/dropping/shaping/link-efficiency policies for branch-to-campus traffic
• LAN edge: classification and marking (+ NBAR) policies for branch-to-campus traffic
• LAN edge, optional: DSCP-to-CoS mapping policies for campus-to-branch traffic
MPLS VPN QoS Design: QoS Requirements in MPLS VPN Architectures
[Diagram: CE router, PE router, P routers across the MPLS VPN, PE router, CE router]
Required:
• CE-to-PE queuing/shaping/remarking/LFI
• PE ingress policing and remarking
• PE-to-CE queuing/shaping/LFI
Optional:
• Core DiffServ or MPLS TE policies
IPSec VPN QoS Design: QoS Requirements in IPSec VPN Architectures
[Diagram: branch router connected over an IPSec VPN tunnel across the Internet to the VPN head-end/edge router]
• Queuing/dropping/shaping/link-efficiency policies
• LLQ for crypto
• QoS pre-classification
• ISAKMP protection
• Anti-replay tuning