October 5-8, 2009, Santiago, Chile
Advanced Campus QoS Design (BRKRST-2500)
Marta Ferreyra, Network Consulting Engineer, Advanced Services, CCIE #8672 (R&S, Voice)
Agenda
• Introduction and Best Practices
• Campus QoS Design Considerations
• Cisco Catalyst® QoS Capabilities
  - 2960/3560/3750 and 3560-E/3750-E
  - Cisco Catalyst 4500 and 4948 QoS Design (Sup II+ through Sup 6-E)
  - Cisco Catalyst 6500 QoS Design
• QoS Deployment
  - Trust Boundary (Access Edge)
  - Distribution/Core Queuing
• Catalyst 4500 and 6500 Control Plane Policing
• Summary
Why Enable QoS? HA, Security, and QoS Are Interdependent Technologies
(Diagram: Quality of Service, Security and High Availability shown as mutually dependent)
• Enables UC and other collaborative applications
• Drives productivity by enhancing service levels to mission-critical applications
• Cuts costs by bandwidth optimization
• Helps maintain network availability in the event of DoS/worm attacks
Enabling QoS in the Network: Traffic Profiles and Requirements

Voice: smooth, benign, drop sensitive, delay sensitive, UDP priority
  One-way requirements: latency ≤ 150 ms, jitter ≤ 30 ms, loss ≤ 1%
  Bandwidth per call depends on codec, sampling rate, and Layer 2 media

Video: bursty, greedy, drop sensitive, delay sensitive, UDP priority
  One-way requirements: latency ≤ 150–300 ms, jitter ≤ 10–50 ms, loss ≤ 0.05%
  Network requirements for video traffic can vary greatly, based on the type of application being used, as well as whether the media flows are standard or high definition.

Data: smooth/bursty, benign/greedy, drop insensitive, delay insensitive, TCP retransmits
  Traffic patterns for data vary among applications
  Data classes: Mission-Critical Apps, Transactional/Interactive Apps, Bulk Data Apps, Best Effort Apps (default)
Enabling QoS: Elements that Affect End-to-End Delay
(Diagram: branch office with PSTN and SRST router, across the IP WAN to the campus and the Cisco CallManager cluster)
• CODEC: G.729A, 25 ms
• Queuing: variable (can be reduced using LLQ)
• Serialization: variable (can be reduced using LFI)
• Propagation and network: 6.3 µs/km + network delay
• Jitter buffer: 20–50 ms (variable)
End-to-end delay should be < 150 ms.
Classification and Marking: How Should It Be Done?
QoS is implemented in hardware on the Catalyst switching platforms. Depending on the platform, QoS functions may be split across the supervisor and linecards.
QoS features and capabilities can have dependencies on the specific forwarding engine and/or linecard hardware versions.
Classification and Marking: Where Should It Be Done?
Classification and marking should be performed as close as technically feasible to the sources so that prioritization may be implemented at congestion points throughout the network; DSCP should be used wherever possible.
(Diagram: access, distribution, core, LAN edge and WAN edge, with the trust boundary at the access layer)
• Access (trust boundary): classification and initial marking. Classify and mark traffic at the physical port; queue on uplinks to distribution.
• Distribution, core, LAN edge and WAN edge: trust pre-assigned DSCP markings. Subsequent points in the network can now “trust” the marked values and queue based on these baseline values outlined below.
DiffServ QoS Recommendations (RFC 4594-Based): How Should Traffic Be Marked?

Application Class        | Per-Hop Behavior | Admission Control | Queuing & Dropping         | Application Examples
VoIP Telephony           | EF               | Required          | Priority Queue (PQ)        | Cisco IP Phones (G.711, G.729)
Broadcast Video          | CS5              | Required          | (Optional) PQ              | Cisco IP Video Surveillance / Cisco Enterprise TV
Realtime Interactive     | CS4              | Required          | (Optional) PQ              | Cisco TelePresence
Multimedia Conferencing  | AF4              | Required          | BW Queue + DSCP WRED       | Cisco Unified Personal Communicator
Multimedia Streaming     | AF3              | Recommended       | BW Queue + DSCP WRED       | Cisco Digital Media System (VoDs)
Network Control          | CS6              |                   | BW Queue                   | EIGRP, OSPF, BGP, HSRP, IKE
Call-Signaling           | CS3              |                   | BW Queue                   | SCCP, SIP, H.323
Ops / Admin / Mgmt (OAM) | CS2              |                   | BW Queue                   | SNMP, SSH, Syslog
Transactional Data       | AF2              |                   | BW Queue + DSCP WRED       | Cisco WebEx / MeetingPlace / ERP Apps
Bulk Data                | AF1              |                   | BW Queue + DSCP WRED       | E-mail, FTP, Backup Apps, Content Distribution
Best Effort              | DF               |                   | Default Queue + RED        | Default Class
Scavenger                | CS1              |                   | Min BW Queue (Deferential) | YouTube, iTunes, BitTorrent, Xbox Live
Policing Design Principles: Where and How Should Policing Be Done?
Policing shall be applied as close to the traffic source as possible; in general, policing should be applied at the access layer of the network at the “Trust Boundary” during the initial classification and marking process. Policing policies can be configured to drop offending traffic, or they can be configured to mark down excess traffic, specifying a different PHB or method of treatment.
(Diagram: ingress marking policy with policer on the access ports, egress queuing policy on the uplink)
• The ingress policy includes a policer for voice bearer traffic, based on the codec type and the number of concurrent calls. Excess traffic is dropped by the policer.
• The ingress policy includes a policer for data traffic, using a baseline value. Traffic conforming to the policer is marked as 0. Excess traffic is ‘marked down’ to CS1 (DSCP 8) rather than dropped (Scavenger, RFC 3662).
• The ingress policy for video conferencing marks conforming traffic AF41, while excess traffic is tagged AF42 and violating traffic is marked AF43 (Assured Forwarding, RFC 2597).
• The queuing policy queues traffic on the uplink to distribution/core, where CS1 is allocated minimal bandwidth.
Scavenger Class: What Is the Scavenger Class?
• The Scavenger class is based on RFC 3662, “A Lower Effort Per-Domain Behavior (PDB) for Differentiated Services”.
• There is an implied “good faith” commitment for the “best effort” traffic class: it is generally assumed that at least some network resources will be available for the default class.
• Scavenger class markings can be used to distinguish out-of-profile/abnormal traffic flows from in-profile/normal flows. The Scavenger class marking is CS1 (DSCP 8).
• Scavenger traffic is assigned a “less-than-best-effort” queuing treatment whenever congestion occurs.
Queuing Design Principles: Where Should It Be Done?
Queuing should be performed wherever there may be potential for congestion (even if a rare occurrence), ensuring consistency between Campus/WAN/VPN networks.
(Diagram: a single administrative trust domain; access switches with 4 egress queues on 1 Gigabit Ethernet uplinks, distribution and core with 8 egress queues on 10 Gigabit Ethernet links)
Recommended guidelines:
1) 25% minimum allocated to the Best Effort (BE) class
2) Priority Queue (PQ) given a maximum of 33%
3) Scavenger should be provisioned with a minimal bandwidth allocation (~5%)
4) Congestion avoidance enabled on select TCP flows

Campus Queuing Design: Real-Time, Best Effort, and Scavenger Queuing Rules
(Pie chart of the link bandwidth)
• Real-Time ≤ 33%
• Critical Data
• Best Effort ≥ 25%
• Scavenger/Bulk ≤ 5%
Campus QoS Considerations: Establishing Trust Boundaries
(Diagram: endpoints, access, distribution, core and WAN aggregators; the numbered positions mark where the trust boundary falls)
1) Optimal trust boundary: trusted endpoint
2) Optimal trust boundary: untrusted endpoint
3) Trust boundary: Cisco Security Agent
4) Sub-optimal trust boundary: untrusted endpoint, with the trust boundary defined on the ingress port of the distribution switch
Campus QoS Considerations: Endpoints and Endpoint Trust Categories
Endpoints:
• Analog gateways
• IP-conferencing stations
• Videoconferencing gateways and systems
• Video surveillance units
• Wireless access points
• Wireless IP phones
• Servers
• Client PCs
Endpoint trust categories:
• Trusted endpoints
• Untrusted endpoints
• Conditionally-trusted endpoints
Campus QoS Considerations: Conditional-Trust Boundary Extension and Operation
(Diagram: a PC on VLAN 10 behind an IP phone on VLAN 110; the switch reasons “I see you’re an IP phone, so I will trust your CoS”, and the trust boundary sits at the phone)
1) Switch and phone exchange CDP; the trust boundary is extended to the IP phone.
2) Phone sets CoS 5 for VoIP and CoS 3 for call-signaling traffic (voice CoS 5, signaling CoS 3).
3) PC sets CoS 5 for all traffic; the phone rewrites CoS from the PC port to 0, so all PC traffic is reset to CoS 0.
4) Switch trusts CoS from the phone and maps CoS to DSCP for output queuing: CoS 5 = DSCP 46, CoS 3 = DSCP 24, CoS 0 = DSCP 0.
Campus QoS Considerations: Conditional-Trust Boundary for Cisco TelePresence
1) Successful “condition” met (i.e. CDP negotiation successful).
2) Trust is dynamically extended to the Cisco 7970G IP Phone: voice CoS 5 & DSCP 46, call-signaling CoS 3 & DSCP CS3.
3) TelePresence primary codec: voice + video CoS 4 & DSCP CS4, call-signaling CoS 3 & DSCP CS3.
4) CoS-to-DSCP map: CoS 5 → DSCP EF (46), CoS 4 → DSCP CS4 (32), CoS 3 → DSCP CS3 (24).
Note: As 2–6 data ports are available for PC connections (as part of the TelePresence tables), it is recommended to disable the PC port in the back of the Cisco Unified 7970G IP Phone (from within CallManager).
Campus QoS Access Edge Trust Models
• Trusted endpoint model
• AutoQoS VoIP model
• Modular QoS CLI-based model
Access Edge Trust Boundary: Ingress Policy Enforcement, End User Policy (VLAN-Based Policy)
(Diagram: the application classes Network Control, VoIP Telephony, Call-Signaling, Multimedia Conferencing, Real-Time Interactive/TelePresence, Multimedia Streaming, Broadcast Video, Low-Latency/Transactional Data, Operations/Administration/Management, High-Throughput/Bulk Data, Best Effort and Low-Priority/Scavenger Data, mapped onto the voice VLAN and data VLAN policies)
Voice VLAN:
• Class-map VOICE-BEARER (w/ policer)
• Class-map SIGNALING (w/ policer)
• Class class-default
Data VLAN:
• Class-map VOICE-BEARER (w/ policer)
• Class-map SIGNALING (w/ policer)
• Class-map TRANSACTIONAL-DATA
• Class-map OAM**
• Class-map BULK
• Class-map SCAVENGER
• Class class-default
Traffic markings:
VOICE-BEARER: EF; SIGNALING: CS3; TRANSACTIONAL-DATA: AF2x; OAM: CS2; BULK: AF1x; SCAVENGER: CS1; class-default: 0
Access Edge Trust Boundary: Ingress Policy Enforcement, Media Endpoints
(Diagram: Digital Media System serving live broadcasts & VODs; end-user policy on user ports, a specific port-based policy on the media ports, and the WAN/Internet beyond; same application classes as the end-user policy slide)
Port-based policy: a specific port-based policy identifying media flows
• Class-map VOD
• Class-map BROADCAST-VID (w/ optional policer)
• Class class-default
Traffic markings:
VOD: AF3x; BROADCAST-VID: CS5; class-default: 0
**Class-maps match on media source IP address and/or destination multicast group address
Access Edge Trust Boundary: Ingress Policy Enforcement, Video Conferencing
(Diagram: videoconferencing and TelePresence endpoints behind a specific port-based policy, end-user policy on user ports, the media endpoint policy, and the WAN/Internet; same application classes as the end-user policy slide)
Port-based policy: a specific port-based policy identifying media flows
• Class-map VIDEO-CONF (w/ policer)
• Class-map RT-INTERACTIVE (w/ policer)
• Class class-default
Traffic markings:
VIDEO-CONF: AF4x; RT-INTERACTIVE: CS4; class-default: 0
**Class-maps match on video conferencing station source IP address
Campus QoS Design Considerations: Port-Based vs. VLAN-Based QoS
Port-based QoS (diagram: one policy map per physical port, with ports in VLAN 10 and VLAN 20)
With port-based QoS, QoS policies are applied to a physical interface. The policy manages traffic only on the port to which it is applied.
VLAN-based QoS (diagram: one policy map per VLAN interface, covering all ports in VLAN 10 and VLAN 20)
*Requires the “[mls] qos vlan-based” command
With VLAN-based QoS, the QoS policy is applied to the VLAN interface. Traffic through all associated switch ports is managed by that policy.
By default, Catalyst switches refer to policies assigned to the physical port. Ports defined as a “switchport” can be told to use the policy attached to their parent VLAN interface; this is known as VLAN-based QoS.
Campus QoS Design Considerations: Per-Port/Per-VLAN-Based QoS
(Diagram: an IP phone with a PC behind it on a trunk switch port carrying VLAN A, VLAN B (voice), VLAN C (data) and VLAN D)
Voice VLAN policy: trust the voice VLAN; police voice traffic; mark voice bearer; mark voice signaling.
Data VLAN policy: apply default marking to all data traffic; apply a flow-based policing policy to limit traffic on a per-source basis.
Switchports are configured as trunks or voice ports. Advanced QoS policies can be applied independently to multiple VLANs on a given interface.
Campus QoS Considerations: Internal Mapping Tables
Ingress mapping tables are used to take an existing Layer 2 or Layer 3 marking and map it to an internal DSCP value used by the switch to assign service levels to the frame as it is in transit.
(Diagram: ingress port trust state (CoS, IPP or DSCP) → assigned marking value (internal DSCP) → egress DSCP and CoS)
Egress mapping tables are used to rewrite CoS for applicable frames from the internal DSCP on egress from the switch.
Campus QoS Considerations: Internal Mapping Tables (Cont.), Default Behavior
Incoming frame in every case: 802.1p = 1, IPP = 5, DSCP = 44

Port trust state | Internal DSCP | Egress markings
Untrusted        | 0             | 802.1p = 0, IPP = 0, DSCP = 0
Trust CoS        | 8             | 802.1p = 1, IPP = 1, DSCP = 8
Trust IPP        | 40            | 802.1p = 5, IPP = 5, DSCP = 40
Trust DSCP       | 44            | 802.1p = 5, IPP = 5, DSCP = 44
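To make the default-behavior table concrete, here is an added Python model (not from the slides) of the ingress trust decision and the egress rewrite, using the Catalyst default cos-dscp, ip-prec-dscp and dscp-cos maps. It goes slightly beyond the table by also applying the non-default CoS-to-DSCP map that the AutoQoS slide later in this deck installs (mls qos map cos-dscp 0 8 16 24 32 46 48 56), which is what turns CoS 5 into EF instead of DSCP 40; treating egress CoS and IPP as the top three bits of the internal DSCP is the default-map behavior assumed here.

```python
"""Model of a Catalyst switch's ingress trust state -> internal DSCP -> egress rewrite.

Added example, not from the slides. Map values are the Catalyst IOS defaults;
the alternate CoS-to-DSCP map is the one AutoQoS applies on the 3750-E.
"""
from dataclasses import dataclass

# Default maps: CoS/IPP value n -> DSCP 8*n; egress CoS/IPP = internal DSCP // 8.
DEFAULT_COS_DSCP = (0, 8, 16, 24, 32, 40, 48, 56)
DEFAULT_IPP_DSCP = (0, 8, 16, 24, 32, 40, 48, 56)
# "mls qos map cos-dscp 0 8 16 24 32 46 48 56": CoS 5 -> EF (46) instead of 40.
AUTOQOS_COS_DSCP = (0, 8, 16, 24, 32, 46, 48, 56)

TRUST_STATES = ("untrusted", "cos", "ipp", "dscp")


@dataclass(frozen=True)
class Marking:
    cos: int   # 802.1p user priority, 0-7
    ipp: int   # IP precedence, 0-7 (the top three bits of DSCP)
    dscp: int  # 0-63


def internal_dscp(frame: Marking, trust: str,
                  cos_dscp=DEFAULT_COS_DSCP, ipp_dscp=DEFAULT_IPP_DSCP) -> int:
    """Derive the internal DSCP the switch queues the frame with.

    trust is the port trust state: an untrusted port overwrites everything
    with DSCP 0; 'cos' and 'ipp' go through the ingress maps; 'dscp' is kept.
    """
    if trust == "untrusted":
        return 0
    if trust == "cos":
        return cos_dscp[frame.cos]
    if trust == "ipp":
        return ipp_dscp[frame.ipp]
    if trust == "dscp":
        return frame.dscp
    raise ValueError(f"unknown trust state {trust!r}")


def egress_marking(idscp: int) -> Marking:
    """Rewrite CoS, IPP and DSCP on egress from the internal DSCP (default dscp-cos map)."""
    if not 0 <= idscp <= 63:
        raise ValueError("internal DSCP must be 0-63")
    return Marking(cos=idscp >> 3, ipp=idscp >> 3, dscp=idscp)


def forward(frame: Marking, trust: str, cos_dscp=DEFAULT_COS_DSCP):
    """Return (internal DSCP, egress marking) for one frame through one port."""
    idscp = internal_dscp(frame, trust, cos_dscp=cos_dscp)
    return idscp, egress_marking(idscp)


def default_behaviour_table(frame: Marking = Marking(cos=1, ipp=5, dscp=44)):
    """The slide's frame (802.1p=1, IPP=5, DSCP=44) through each trust state."""
    return {trust: forward(frame, trust) for trust in TRUST_STATES}


if __name__ == "__main__":
    for trust, (idscp, out) in default_behaviour_table().items():
        print(f"{trust:>9}: internal dscp = {idscp:2d} -> "
              f"802.1p={out.cos} IPP={out.ipp} DSCP={out.dscp}")
```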
Campus QoS Considerations: Typical Campus Oversubscription Ratios
Campus networks are always designed with oversubscription in mind to take advantage of the bursty nature of traffic and the assumption that not all users are requiring bandwidth simultaneously.
(Diagram: core, distribution and access layers)
• Distribution to core: typically 4:1 ratio
• Access to distribution: typically 20:1 ratio
Campus QoS Design Considerations: Catalyst Hardware Queuing
All Catalyst switches have hardware-based queues, which can differ depending on the module, supervisor or port ASIC used. They are depicted using the notation 1PxQyT, where x represents the number of normal queues and y represents the number of thresholds within those normal queues.
(Diagram: a single port with a 1p3q8t structure: 1 priority queue and 3 normal queues, each normal queue with drop thresholds 1 through 8)
WS-X6748-SFP = 1p3q8t queue structure. 1p3q8t = 1 priority queue with 3 normal queues, with each normal queue containing 8 drop thresholds.
Campus QoS Design Considerations: Allocating Buffer Capacity
Each port has a finite amount of memory that is specifically reserved for buffering traffic during times of contention. Although the total amount of buffer capacity for egress traffic may be fixed for a given port, how that memory is distributed amongst the queues is configurable.
(Diagram: the per-port buffer split across the queues, each queue with its own bandwidth weighting)
• SP queue: real-time traffic
• Queue 3: control traffic
• Queue 2: critical data; transactional, TCP-based applications with specific, strict latency requirements. Small buffer allocation for critical data, with heavier bandwidth weighting.
• Queue 1: low priority/BE; mixed TCP and UDP applications with no real latency requirements. Large buffer allocation for BE traffic, with minimal bandwidth weighting.
***Allocating more memory to a given queue can increase packet latency, which could impact application performance.
Campus QoS Considerations: Where Is QoS Required Within the Campus?
(Diagram: IP phones + PCs on FastEthernet access ports, GigabitEthernet uplinks and Ten GigabitEthernet core links, a Cisco Catalyst 6500 PFC3 in the distribution/core, server farms and a WAN aggregator)
• IP phones + PCs at the access edge: No Trust + Policing + Queuing, or Conditional Trust + Policing + Queuing. The trust boundary is defined here.
• Beyond the trust boundary: Trust DSCP + Queuing.
• Cisco Catalyst 6500 PFC3: Per-User Microflow Policing + CoPP.
Catalyst 2960/3560/3750 + 3560-E and 3750-E QoS Model
(Diagram: traffic enters, is classified, policed and marked, is scheduled by SRR through the ingress queues onto the stack ring, and is policed and marked again before SRR scheduling through the egress queues)
Classification:
• Inspect incoming packets
• Based on ACLs or configuration, determine the classification label
Policing:
• Ensure conformance to a specified rate
• On an aggregate or individual flow basis
• Up to 256 policers per port ASIC
• Support for rate and burst
Egress Marking:
• Act on the policer decision
• Reclassify or drop out-of-profile traffic
Ingress Queue/Schedule Congestion Control:
• Two queues/port ASIC, shared servicing
• One queue is configurable for strict priority servicing
• WTD for congestion control (three thresholds per queue)
• SRR is performed
Egress Queue/Schedule Congestion Control:
• Four SRR queues/port, shared or shaped servicing
• One queue is configurable for strict priority servicing
• WTD for congestion control (three thresholds per queue)
• Egress queue shaping
• Egress port rate limiting
Catalyst 2960/3560/3750 + 3560-E and 3750-E: Platform-Specific QoS Design Considerations
• QoS disabled by default
• Full DSCP range is supported
• Classification can be done by trust states, standard and advanced IP ACLs, or MAC ACLs
• Supports classification, marking, and policing by port or by Switched Virtual Interface (SVI) via hierarchical class maps on Cisco Catalyst 2970, 3560, and 3750 (not yet on Cisco Catalyst 2960)
• Minimum policing granularity is 8 kbps
• Supports 4Q3T queuing or 1P3Q3T queuing (egress); Q1 can be configured as a priority queue; queues can operate in shaped or shared modes; each interface can be assigned to one of two queue-sets; congestion avoidance algorithm is Weighted Tail Drop (WTD)
• Catalyst 3550, 2950G, 2950T, 2950 LRE are End-of-Life
Catalyst 2960/3560/3750 + 3560-E and 3750-E: Shaping vs. Sharing Queue Management
Sharing
• Each queue gets a portion of the output bytes, i.e. a share of 25 equates to 25% of the link bandwidth
• Can expand into other shared or shaped queues
  Cat3750-E(config-if)# srr-queue bandwidth share 1 70 25 5
Shaping
• Throttles the outbound traffic to achieve a predefined average rate; a shape value of 10 means the queue will shape traffic to 1/10th of the interface speed
• Does not exceed the shaped value
• *Takes precedence over sharing
  Cat3750-E(config-if)# srr-queue bandwidth shape 3 0 0 0
**Priority-queue out, when applied to the interface, supersedes both sharing and shaping parameters
  Cat3750-E(config-if)# priority-queue out
Catalyst 2960/3560/3750 + 3560-E and 3750-E: Egress Port Rate-Limiting
(Diagram: flow of traffic from INPUT to OUTPUT through the Catalyst 3750-E egress port rate limiter)
Port-based bandwidth limiting can be configured from 10% to 90%.
  Cat3750-E(config-if)# srr-queue bandwidth limit
Port-based rate limiting is not recommended for MetroE handoffs, where the service subscription rate/CIR is less than the physical port rate.
Cisco Catalyst 4500 (Sup II+ Through Sup V-10GE) and 4948 QoS Model
The Catalyst 4500 implements a sophisticated suite of QoS features. These QoS features are implemented with three major components:
• TCAMs (policers)
• NetFlow feature card, NFL (UBRL on Sup V-10GE)
• Dynamic Buffer Limiting (DBL)
(Diagram: RX → QoS actions at the supervisor forwarding ASIC (classify; ingress/egress police via TCAM; NFL2 enhanced QoS) → enters fabric → leaves fabric → QoS actions at the scheduling ASIC (queues 1–4 with Dynamic Buffer Limiting; shaping, sharing, scheduling) → TX)
Cisco Catalyst 4500 (Sup II+ Through Sup V-10GE) and 4948: Platform-Specific QoS Design Considerations
• QoS disabled by default
• Classification can be done by trust states, standard and advanced IP ACLs
• No “mls” prefix in command syntax
• Policing rates can use ‘k’, ‘m’, or ‘g’ for kbps, mbps, or gbps
• Supports per-port/per-VLAN policing
• Sup V-10GE supports User-Based Rate Limiting (UBRL)
• Minimum policing granularity is 8 kbps
• Supports 4Q1T queuing or 1P3Q1T queuing; Q3 can be configured as a priority queue; DSCP values can be mapped to queues; supports bandwidth allocation and shaping (per queue) on certain linecards; congestion avoidance algorithm is Dynamic Buffer Limiting (DBL)
Cisco Catalyst 4500 Supervisor 6-E QoS Model
The Catalyst 4500 Supervisor 6-E implements an enhanced, flexible suite of QoS features. These QoS features are implemented with three major components:
• CenterFlex ASICs: IPP and VFE
• TCAM IV (policers/classification)
• Packet buffers
(Diagram: linecards → RX → QoS actions at the VFE forwarding ASIC (per-port classify; ingress/egress police; egress classify on ingress actions) → enters fabric → leaves fabric → QoS actions at the IPP ASIC (queue 1 with Dynamic Buffer Limiting, queue 2 as a user-defined SP queue; shaping, sharing, scheduling) → TX)
Cisco Catalyst 4500 Supervisor 6-E QoS: Platform-Specific QoS Design Considerations
• QoS enabled (QoS does not have to be explicitly globally enabled)
• By default, inbound traffic on a given port is considered “trusted”
• “Internal DSCP” does not apply; global mapping tables are not used to influence “internal DSCP” or egress markings
• Classification can be done by standard and advanced IP ACLs, or MAC ACLs
• Supports 8Q1T queuing or 1P7Q1T queuing; queues can operate in shaped or shared modes; configurable queue size; class-based queuing via Modular QoS CLI; user-configurable priority queue; congestion avoidance algorithm is Dynamic Buffer Limiting (DBL)
Cisco Catalyst 4500 Supervisor 6-E QoS: QoS Design Considerations (QoS-Groups)
• QoS-groups instead of “internal DSCP”
• Where “internal DSCP” was used to queue packets, we no longer rely on DSCP
• L2 and L3 traffic can be grouped together
• A useful tool for combining a wide variety of traffic types
(Diagram: Port1 receives DSCP 8 traffic and Port2 receives traffic from MAC 00.13.02.67.59; both ingress policies set QoS-group 1, and the egress policy on Port3 matches QoS-group 1)

class-map input-one
 match dscp 8
class-map input-two
 match access-group 1
policy-map qos-group-port1
 class input-one
  set qos-group 1
policy-map qos-group-port2
 class input-two
  set qos-group 1
class-map egress-group1
 match qos-group 1
policy-map out-policy
 class egress-group1
  bandwidth 1000000
Catalyst 6500 QoS Model
(Diagram: RX queues → ingress classify & police → rewrite → egress classify & police → TX queues (priority queue plus WRR queues), with an arbiter (ARB) on each side)
• Incoming encapsulation can be ISL, 802.1Q or none.
• Ingress scheduling: queue and threshold are selected based on received CoS through a configurable map; the interface CoS can be overwritten if the port is untrusted.
• DSCP-based classification based on “trusted port” and Layer 2 info with ACL, Layer 3 info with ACL and Layer 4 info with ACL.
• Police via ACLs; police actions include forward, mark and drop, based on burst (token bucket) and byte rate.
• Rewrite the ToS field in the IP header and the 802.1p/ISL CoS field.
• Egress scheduling: queue and threshold selected based on CoS through a map.
• Each queue has configurable thresholds; some have WRED (except the PQ).
• De-queue uses WRR or SRR between the round-robin queues.
• Outgoing encapsulation can be ISL, 802.1Q or none.
Cisco Catalyst 6500 (PFC2/PFC3): Platform-Specific QoS Design Considerations
• QoS disabled by default
• Configuration may be CatOS or Cisco IOS®; Cisco IOS currently does not support conditional trust (“mls qos trust device”) nor AutoQoS
• Classification can be done by trust states, standard and advanced IP ACLs, or MAC ACLs
• PFC3 supports per-user microflow policing and control plane policing (Sup720 and Sup32)
• Deep packet inspection supported with Sup32 and PISA
• CoS and DSCP to egress queue and threshold mappings
• Linecards determine the queuing structure: 2Q2T*, 1P3Q4T, 1P2Q1T, 1P2Q2T, 1P3Q1T, 1P3Q8T, 1P7Q8T, 1P7Q4T
*Linecards supporting the 2Q2T queue structure are approaching EoL, and are not recommended for converged networks.
NBAR on Supervisor 32 PISA: Network-Based Application Recognition
An NBAR policy can mark HTTP data as high priority and rate-limit both E-Donkey and Netshow traffic, ensuring priority for internal HTTP traffic.
(Chart: link utilization by application, in the order shown on the slide: E-Donkey 60%, Netshow 30%, HTTP 5%, E-mail 25%)
PISA: Enhanced QoS Trust Boundary
Dynamic detection of CUCM-signaled media: NBAR identifies the RTP stream associated with a call setup.
(Diagram: SCCP call setup (OpenReceiveChannelAck, StartMediaTransmission) observed by the PISA; RTP traffic originated by the phone; the RTP flow is identified, marked and policed by the PISA)
• The PDLM matches on the bearer path (RTP media stream) associated with SCCP call setup (12.2(18)ZYA).
• The unique RTP flow originating from the phone is determined based on the source and destination IP addresses and UDP port numbers identified in the SCCP signaling messages.
• The QoS policy is applied to the CUCM-approved media streams.
Cisco Catalyst QoS Deployment: Globally Enabling QoS in Cisco IOS

Catalyst-IOS# show mls qos
QoS is disabled globally
! By default QoS is disabled
Catalyst-IOS#
Catalyst-IOS# config t
Catalyst-IOS(config)# mls qos
Catalyst-IOS(config)# end
! Enables QoS globally
Catalyst-IOS# show mls qos
QoS is enabled globally
! Verifies QoS is enabled
Microflow policing is enabled globally
Vlan or Portchannel(Multi-Earl) policies supported: Yes
----- Module [2] -----
QoS global counters:
Total packets: 65
IP shortcut packets: 0
Packets dropped by policing: 0
IP packets with TOS changed by policing: 0
IP packets with COS changed by policing: 0
Non-IP packets with COS changed by policing: 0
Catalyst-IOS#
Cisco Catalyst QoS Deployment: Globally Enabling QoS in Cisco IOS (Catalyst 4500)

CAT4500# show qos
QoS is disabled globally
IP header DSCP rewrite is enabled
! By default QoS is disabled
CAT4500# conf term
Enter configuration commands, one per line. End with CNTL/Z.
CAT4500(config)# qos
! Enables QoS globally for the Cat4500
CAT4500(config)# end
CAT4500# show qos
QoS is enabled globally
IP header DSCP rewrite is enabled
! Verifies that QoS is enabled globally
CAT4500#
***Catalyst 4500 Sup-6E does not require QoS to be globally enabled.
Cisco Catalyst QoS Deployment: Trust Boundary Policy, Access Edge (Port-Based Policy)

Catalyst(config)# ip access-list extended RealTime-Voice-ACL
Catalyst(config-ext-nacl)# permit udp any any range 16384 32767
Catalyst(config)# ip access-list extended Signaling-ACL
Catalyst(config-ext-nacl)# permit tcp any any range 1718 1721
Catalyst(config-ext-nacl)# permit tcp any any range 2000 2002
Catalyst(config-ext-nacl)# permit tcp any any range 2427 2428
Catalyst(config-ext-nacl)# permit tcp any any range 3230 3235
Catalyst(config-ext-nacl)# permit tcp any any eq 1731
Catalyst(config-ext-nacl)# permit tcp any any eq 1560
Catalyst(config-ext-nacl)# permit udp any any range 11000 11999
Catalyst(config)# class-map match-all Voice-Bearer
Catalyst(config-cmap)# match access-group name RealTime-Voice-ACL
Catalyst(config)# class-map match-all Voice-Signaling
Catalyst(config-cmap)# match access-group name Signaling-ACL
Catalyst(config)# policy-map Mark
Catalyst(config-pmap)# class Voice-Bearer
Catalyst(config-pmap-c)# set dscp ef
Catalyst(config-pmap-c)# police 128000 16000 exceed-action drop
Catalyst(config-pmap)# class Voice-Signaling
Catalyst(config-pmap-c)# set dscp cs3
Catalyst(config-pmap-c)# police 32000 8000 exceed-action drop
Catalyst(config-pmap)# class class-default
Catalyst(config-pmap-c)# set dscp default
Catalyst(config)# interface FastEthernetx/y
Catalyst(config-if)# description ***Access port with port-based trust boundary***
Catalyst(config-if)# switchport access vlan 10
Catalyst(config-if)# switchport mode access
Catalyst(config-if)# switchport voice vlan 100
Catalyst(config-if)# service-policy input Mark
Cisco Catalyst QoS Deployment: Trust Boundary Policy, Access Edge (VLAN-Based Policy)

Catalyst(config)# ip access-list extended RealTime-Voice-ACL
Catalyst(config-ext-nacl)# permit udp any any range 16384 32767
Catalyst(config)# ip access-list extended Signaling-ACL
Catalyst(config-ext-nacl)# permit tcp any any range 1718 1721
Catalyst(config-ext-nacl)# permit tcp any any range 2000 2002
Catalyst(config-ext-nacl)# permit tcp any any range 2427 2428
Catalyst(config-ext-nacl)# permit tcp any any range 3230 3235
Catalyst(config-ext-nacl)# permit tcp any any eq 1731
Catalyst(config-ext-nacl)# permit tcp any any eq 1560
Catalyst(config-ext-nacl)# permit udp any any range 11000 11999
Catalyst(config)# class-map match-all Voice-Bearer
Catalyst(config-cmap)# match access-group name RealTime-Voice-ACL
Catalyst(config)# class-map match-all Voice-Signaling
Catalyst(config-cmap)# match access-group name Signaling-ACL
Catalyst(config)# policy-map Mark-VVLAN
Catalyst(config-pmap)# class Voice-Bearer
Catalyst(config-pmap-c)# police 12800000 400000 conform-action set-dscp-transmit ef exceed-action drop
Catalyst(config-pmap)# class Voice-Signaling
Catalyst(config-pmap-c)# police 3200000 100000 conform-action set-dscp-transmit cs3 exceed-action drop
Catalyst(config-pmap)# class class-default
Catalyst(config-pmap-c)# set dscp default
Catalyst(config)# policy-map Mark-DVLAN
Catalyst(config-pmap)# class class-default
Catalyst(config-pmap-c)# set dscp default

When configuring VLAN-based policies on the 4500 and 6500, since aggregate policers are being used, the police rate should account for the total aggregate of traffic through the SVI.

Catalyst(config)# interface FastEthernetx/y
Catalyst(config-if)# description ***Access port with VLAN-based trust boundary***
Catalyst(config-if)# switchport access vlan 10
Catalyst(config-if)# switchport mode access
Catalyst(config-if)# switchport voice vlan 100
Catalyst(config-if)# mls qos vlan-based
! (“qos vlan-based” on the Catalyst 4500)
Catalyst(config)# interface Vlan100
Catalyst(config-if)# service-policy input Mark-VVLAN
Catalyst(config)# interface Vlan10
Catalyst(config-if)# service-policy input Mark-DVLAN
Cisco Catalyst QoS Deployment Trust Boundary Policy—Access Edge (Advanced) *Per VLAN/ Per Port Policing
3750-E
Cat3750-E(config)# mls qos map policed-dscp 0 24 to 8 Cat3750-E(config)# ip access-list extended Voice-Bearer Cat3750-E(config-ext-nacl)# permit udp any any range 16384 32767 dscp 46 !Extended ACL matching voice bearer traffic on voice VLAN Cat3750-E(config)# ip access-list extended Voice-Signal Cat3750-E(config-ext-nacl)# permit tcp any any range 2000 2002 dscp 24 !Extended ACL matching voice signaling traffic on voice VLAN Cat3750-E(config)# ip access-list extended All-IP Cat3750-E(config-ext-nacl)# permit ip any any !Extended ACL matching all IP traffic Cat3750-E(config)# class-map match-all User-Ports Cat3750-E(config-cmap)# match input-interface FastEthernet1/0/1 - FastEthernet1/0/48 Cat3750-E(config)# class-map match-any Voice-Bearer Cat3750-E(config-cmap)# match access-group name Voice-Bearer Cat3750-E(config)# class-map match-any Voice-Signal Cat3750-E(config-cmap)# match access-group name Voice-Signal Cat3750-E(config)# class-map match-any All-Traffic Cat3750-E(config-cmap)# match access-group name All-IP Cat3750-E(config)# policy-map Police-128k Cat3750-E(config-pmap)# class User-Ports Cat3750-E(config-pmap-c)# police 128000 8000 exceed-action drop Cat3750-E(config)# policy-map Police-32k Cat3750-E(config-pmap)# class User-Ports Cat3750-E(config-pmap-c)# police 32000 8000 exceed-action policed-dscp-transmit
Cisco Catalyst QoS Deployment Trust Boundary Policy—Access Edge (Advanced) (Cont.) *Per VLAN/ Per Port Policing
3750-E
Cat3750-E(config)# policy-map Mark-VVLAN
Cat3750-E(config-pmap)# class Voice-Bearer
Cat3750-E(config-pmap-c)# set dscp ef
Cat3750-E(config-pmap-c)# service-policy Police-128k
! Per-port policer nested under the per-VLAN marking policy
Cat3750-E(config-pmap)# class Voice-Signal
Cat3750-E(config-pmap-c)# set dscp cs3
Cat3750-E(config-pmap-c)# service-policy Police-32k
Cat3750-E(config)# policy-map Mark-DVLAN
Cat3750-E(config-pmap)# class All-Traffic
Cat3750-E(config-pmap-c)# set dscp default
Cat3750-E(config)# interface FastEthernet 1/0/1
Cat3750-E(config-if)# description ***Access port with VLAN-based trust boundary***
Cat3750-E(config-if)# switchport access vlan 10
Cat3750-E(config-if)# switchport mode access
Cat3750-E(config-if)# switchport voice vlan 100
Cat3750-E(config-if)# mls qos vlan-based
! QoS policies are applied on the SVIs rather than on the physical port
Cat3750-E(config)# interface Vlan10
Cat3750-E(config-if)# service-policy input Mark-DVLAN
Cat3750-E(config)# interface Vlan100
Cat3750-E(config-if)# service-policy input Mark-VVLAN
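The two per-port policers above, as an added token-bucket model (example code, not from the deck; the single-rate single-bucket model, the packet sizes and the offered flow rates are assumptions made here to show what exceed-action drop and exceed-action policed-dscp-transmit do to an over-rate flow):

```python
"""Token-bucket model of the Police-128k / Police-32k policers above.

Added example, not part of the Cisco deck. A policer is modelled as a
single-rate, single-bucket token bucket (rate in bit/s, burst in bytes,
continuous refill); this approximates the 3750-E hardware policer and is
meant for reasoning about the design, not for predicting exact counts.
"""
from fractions import Fraction

# mls qos map policed-dscp 0 24 to 8 (from the deck): with exceed-action
# policed-dscp-transmit, DSCP 0 and CS3 (24) are re-marked to CS1 (8).
POLICED_DSCP_MAP = {0: 8, 24: 8}
CS1, CS3, EF = 8, 24, 46


class Policer:
    def __init__(self, rate_bps, burst_bytes, exceed_action):
        self.rate_bps = rate_bps              # police <rate-bps> ...
        self.burst = burst_bytes              # police ... <burst-bytes>
        self.exceed_action = exceed_action    # "drop" | "policed-dscp-transmit"
        self.tokens = Fraction(burst_bytes)   # bucket starts full
        self.last_us = 0

    def offer(self, t_us, size, dscp):
        """Offer one packet of `size` bytes at time t_us (microseconds).

        Returns (action, dscp_out): 'transmit', 'markdown' (forwarded with
        the policed-dscp value) or 'drop' (dscp_out is None).
        """
        refill = Fraction((t_us - self.last_us) * self.rate_bps, 8_000_000)
        self.tokens = min(Fraction(self.burst), self.tokens + refill)
        self.last_us = t_us
        if size <= self.tokens:               # conforming packet
            self.tokens -= size
            return "transmit", dscp
        if self.exceed_action == "drop":
            return "drop", None
        new_dscp = POLICED_DSCP_MAP.get(dscp, dscp)
        return ("markdown" if new_dscp != dscp else "transmit"), new_dscp


def run_flow(policer, pps, size, dscp, seconds):
    """Offer a constant-rate flow; return (action counts, DSCPs seen on egress)."""
    counts = {"transmit": 0, "markdown": 0, "drop": 0}
    out_dscps = set()
    interval_us = 1_000_000 // pps
    for i in range(pps * seconds):
        action, out = policer.offer(i * interval_us, size, dscp)
        counts[action] += 1
        if out is not None:
            out_dscps.add(out)
    return counts, out_dscps


def signaling_over_32k():
    """Voice-Signal class: CS3 offered at 64 kbit/s through Police-32k (assumed flow)."""
    return run_flow(Policer(32000, 8000, "policed-dscp-transmit"),
                    pps=80, size=100, dscp=CS3, seconds=10)


def bearer_over_128k():
    """Voice-Bearer class: EF offered at 320 kbit/s through Police-128k (assumed flow)."""
    return run_flow(Policer(128000, 8000, "drop"),
                    pps=200, size=200, dscp=EF, seconds=10)


if __name__ == "__main__":
    print("Police-32k, CS3 at 64 kbit/s:", signaling_over_32k())
    print("Police-128k, EF at 320 kbit/s:", bearer_over_128k())
```

Roughly half of the over-rate signaling flow leaves the switch re-marked as CS1 instead of CS3, so a misbehaving or spoofed signaling source loses its priority rather than the port losing the packets, while over-rate EF on the same VLAN is simply dropped.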
Cisco Catalyst QoS Deployment Trust Boundary Policy—Access Edge (Auto QoS)
CAT3750-E(config-if)# auto qos voip cisco-phone
Options: auto qos voip cisco-phone / auto qos voip cisco-softphone / auto qos voip trust
Configuration generated by Auto QoS:
mls qos map policed-dscp 24 26 46 to 0
mls qos map cos-dscp 0 8 16 24 32 46 48 56
mls qos
!
class-map match-all AutoQoS-VoIP-RTP-Trust
 match ip dscp ef
class-map match-all AutoQoS-VoIP-Control-Trust
 match ip dscp cs3 af31
!
policy-map AutoQoS-Police-CiscoPhone
 class AutoQoS-VoIP-RTP-Trust
  set dscp ef
  police 320000 8000 exceed-action policed-dscp-transmit
 class AutoQoS-VoIP-Control-Trust
  set dscp cs3
  police 32000 8000 exceed-action policed-dscp-transmit
!
interface GigabitEthernet1/0/1
 srr-queue bandwidth share 10 10 60 20
 queue-set 2
 priority-queue out
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
 service-policy input AutoQoS-Police-CiscoPhone
AutoQoS is available starting in IOS on the 6500 in 12.2(33)SXH
Cisco Catalyst QoS Deployment Trust Boundary Policy—Access Edge (Smartport Macros)
Untrusted Endpoints
Catalyst(config)# macro name UNTRUST-ENDPT
! Define macro name
Enter macro commands one per line. End with the character '@'.
service-policy input MARK
! Define commands to apply to interface
@
Catalyst(config)#
Global policy defined:
policy-map MARK
 class Voice-Bearer
  set dscp ef
  police 128000 16000 exceed-action drop
 class Signaling
  set dscp cs3
  police 32000 8000 exceed-action drop
 class All-Traffic
  set dscp default
Trusted Endpoints
Catalyst(config)# macro name TRUST-ENDPT
! Define macro name
Enter macro commands one per line. End with the character '@'.
mls qos trust dscp
! Define commands to apply to interface
@
Catalyst(config)#
Catalyst(config)# interface range FastEthernet 1/0/5 - 10
Catalyst(config-if-range)# macro apply UNTRUST-ENDPT
! Apply defined macro to appropriate interface(s)
Catalyst(config)# interface range GigabitEthernet 1/0/1 - 2
Catalyst(config-if-range)# macro apply TRUST-ENDPT
! Apply defined macro to appropriate interface(s)
Cisco Catalyst QoS Deployment Distribution/Core Layer QoS—Preserving Markings
Once the trust boundary is defined and the DSCP markings are established at the access edge, measures must be taken to ensure those markings are preserved through the campus infrastructure.
Preserving DSCP markings:
Catalyst(config)# interface GigabitEthernet 0/1
Catalyst(config-if)# mls qos trust dscp
Catalyst 4500 (Sup II+ - SupV-10GE):
CAT4500-IOS(config)# interface FastEthernet3/1
CAT4500-IOS(config-if)# qos trust dscp
Regardless of whether the interswitch connection is Layer 2 or Layer 3, it is always recommended to configure interswitch connections and uplinks to trust the incoming DSCP markings.
Trust Boundary Policy
Catalyst 2960/3560/3750 + 3560-E and 3750-E Queuing Design: 1P3Q3T
Application              DSCP   CoS     1P3Q3T queue (share)   Threshold
Network Control          CS6    CoS 6   Queue 2 (15%)          Q2T3
VoIP Telephony           EF     CoS 5   Queue 1 (PQ)           Q1T3
Broadcast Video          CS5    CoS 5   Queue 1 (PQ)           Q1T3
Multimedia Conferencing  AF4x   CoS 4   Queue 3 (50%)          Q3T2
Real-Time Interactive    CS4    CoS 4   Queue 3 (50%)          Q3T2
Multimedia Streaming     AF3x   CoS 3   Queue 3 (50%)          Q3T1
Call Signaling           CS3    CoS 3   Queue 2 (15%)          Q2T2
Transactional Data       AF2x   CoS 2   Queue 3 (50%)          Q3T3
Ops/Admin/Mgt            CS2    CoS 2   Queue 2 (15%)          Q2T1
High Throughput          AF1x   CoS 1   Queue 4 (35%)          Q4T2
Low Priority             CS1    CoS 1   Queue 4 (35%)          Q4T1
Best Effort              DF     0       Queue 4 (35%)          Q4T3
Catalyst 2960/3560/3750 + 3560-E and 3750-E Queuing Design: 1P3Q3T—Part 2
CAT3750(config)# mls qos srr-queue output dscp-map queue 1 threshold 3 40 46
! Maps DSCP CS5 (Broadcast Video) and EF (Voice) to Queue 1 Threshold 3
CAT3750(config)# mls qos srr-queue output dscp-map queue 2 threshold 1 16
! Maps DSCP CS2 (Network Management) to Queue 2 Threshold 1
CAT3750(config)# mls qos srr-queue output dscp-map queue 2 threshold 2 24
! Maps DSCP CS3 (Call-Signaling) to Queue 2 Threshold 2
CAT3750(config)# mls qos srr-queue output dscp-map queue 2 threshold 3 48
! Maps DSCP CS6 (Network Control) to Queue 2 Threshold 3
CAT3750(config)# mls qos srr-queue output dscp-map queue 3 threshold 1 26
! Maps DSCP AF31 (Streaming Media) to Queue 3 Threshold 1
CAT3750(config)# mls qos srr-queue output dscp-map queue 3 threshold 2 32
! Maps DSCP CS4 (Real-Time Interactive Video) to Queue 3 Threshold 2
CAT3750(config)# mls qos srr-queue output dscp-map queue 3 threshold 2 34 36 38
! Maps DSCP AF41, AF42, AF43 (Multimedia Conferencing) to Queue 3 Threshold 2
CAT3750(config)# mls qos srr-queue output dscp-map queue 3 threshold 3 18 20 22
! Maps DSCP AF21, AF22, AF23 (Transactional Data) to Queue 3 Threshold 3
CAT3750(config)# mls qos srr-queue output dscp-map queue 4 threshold 1 8
! Maps DSCP CS1 (Scavenger) to Queue 4 Threshold 1
CAT3750(config)# mls qos srr-queue output dscp-map queue 4 threshold 2 10 12 14
! Maps DSCP AF11, AF12, AF13 (Bulk/High Throughput) to Queue 4 Threshold 2
CAT3750(config)# mls qos srr-queue output dscp-map queue 4 threshold 3 0
! Maps DSCP 0 (Best Effort) to Queue 4 Threshold 3
Catalyst 2960/3560/3750 + 3560-E and 3750-E Queuing Design: 1P3Q3T—Part 3
CAT3750(config)# mls qos queue-set output 1 buffers 15 20 25 40
! Assigns buffers to queues: Q1 15%; Q2 20%; Q3 25%; Q4 40%
CAT3750(config)# mls qos queue-set output 1 threshold 1 75 200 100 400
! Sets Q1 Threshold 1 to 75% and Q1 Threshold 2 to 200%
CAT3750(config)# mls qos queue-set output 1 threshold 2 80 100 100 400
! Sets Q2 Threshold 1 to 80% and Q2 Threshold 2 to 100%
CAT3750(config)# mls qos queue-set output 1 threshold 3 60 100 100 400
! Sets Q3 Threshold 1 to 60% and Q3 Threshold 2 to 100%
CAT3750(config)# mls qos queue-set output 1 threshold 4 40 800 50 1600
! Sets Q4 Threshold 1 to 40% and Q4 Threshold 2 to 800%
CAT3750(config)#
CAT3750(config)# interface range GigabitEthernet0/1 - 28
CAT3750(config-if-range)# queue-set 1
! Assigns interface to Queue-Set 1 (default)
CAT3750(config-if-range)# srr-queue bandwidth share 1 15 50 35
! Q2 gets 15% of remaining BW; Q3 gets 50% and Q4 gets 35%
CAT3750(config-if-range)# priority-queue out
! Q1 is enabled as a PQ
CAT3750(config-if-range)# end
CAT3750#
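An added checker (example code, not from the deck) that parses the dscp-map and srr-queue lines of this 1P3Q3T design from saved configuration text and verifies the placement rules the design relies on; the sample configuration is the deck's own mapping re-typed as a constructed input, and the audit rules are assumptions about what the design intends:

```python
"""Parse and audit the 1P3Q3T dscp-map / srr-queue design shown above.

Added example, not part of the Cisco deck. It reads the
'mls qos srr-queue output dscp-map' and 'srr-queue bandwidth share'
commands from configuration text and checks the queue placement rules
the design depends on.
"""
import re

# Constructed input: the deck's own Part 2 / Part 3 commands.
CONFIG = """
mls qos srr-queue output dscp-map queue 1 threshold 3 40 46
mls qos srr-queue output dscp-map queue 2 threshold 1 16
mls qos srr-queue output dscp-map queue 2 threshold 2 24
mls qos srr-queue output dscp-map queue 2 threshold 3 48
mls qos srr-queue output dscp-map queue 3 threshold 1 26
mls qos srr-queue output dscp-map queue 3 threshold 2 32
mls qos srr-queue output dscp-map queue 3 threshold 2 34 36 38
mls qos srr-queue output dscp-map queue 3 threshold 3 18 20 22
mls qos srr-queue output dscp-map queue 4 threshold 1 8
mls qos srr-queue output dscp-map queue 4 threshold 2 10 12 14
mls qos srr-queue output dscp-map queue 4 threshold 3 0
interface range GigabitEthernet0/1 - 28
 srr-queue bandwidth share 1 15 50 35
 priority-queue out
"""

MAP_RE = re.compile(r"mls qos srr-queue output dscp-map queue (\d) threshold (\d)((?: \d+)+)")
SHARE_RE = re.compile(r"srr-queue bandwidth share (\d+) (\d+) (\d+) (\d+)")

EF, CS5, CS1, DF = 46, 40, 8, 0
AF1X = (10, 12, 14)
# Every DSCP the 1P3Q3T application table above expects to place.
DESIGN_DSCPS = {0, 8, 10, 12, 14, 16, 18, 20, 22, 24, 26, 28, 30,
                32, 34, 36, 38, 40, 46, 48}


def parse_dscp_map(config):
    """Return {dscp: (queue, threshold)}; a later command overrides an earlier one."""
    mapping = {}
    for m in MAP_RE.finditer(config):
        q, t = int(m.group(1)), int(m.group(2))
        for d in m.group(3).split():
            mapping[int(d)] = (q, t)
    return mapping


def share_percentages(config):
    """Effective SRR shares per queue. With 'priority-queue out' the Q1
    weight is ignored and the other weights are shares of the remainder."""
    weights = [int(w) for w in SHARE_RE.search(config).groups()]
    pq = "priority-queue out" in config
    active = weights[1:] if pq else weights
    first_queue = 2 if pq else 1
    total = sum(active)
    return {first_queue + i: round(100 * w / total) for i, w in enumerate(active)}


def audit(mapping, pq_enabled=True):
    """Check the placement rules (assumed here) that the design depends on."""
    findings = []
    if pq_enabled:
        pq_members = {d for d, (q, _) in mapping.items() if q == 1}
        if EF not in pq_members:
            findings.append("EF is not in the priority queue (Q1)")
        unexpected = sorted(pq_members - {EF, CS5})
        if unexpected:
            findings.append(f"non-real-time DSCPs in the PQ: {unexpected}")
    if mapping.get(CS1) != (4, 1):
        findings.append("CS1 (scavenger) should sit at Q4 threshold 1")
    for d in AF1X + (DF,):
        if mapping.get(d, (0, 0))[0] != 4:
            findings.append(f"DSCP {d} (bulk/best effort) is not in Q4")
    missing = sorted(DESIGN_DSCPS - set(mapping))
    if missing:
        findings.append(f"design DSCPs not explicitly mapped: {missing}")
    return findings
```

Run against the deck's own commands the audit reports that AF32 and AF33 (28, 30) are never mapped and so keep the switch's default placement, which is the kind of gap a review of a production configuration should catch.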
Cisco Catalyst 4500 Sup II+ - SupV-10GE Queuing Design: (1P3Q1T + DBL)
Application              DSCP   1P3Q1T queue (share)
Network Control          CS6    Queue 2 (15%)
VoIP Telephony           EF     Queue 3 (Priority Queue, 30%)
Broadcast Video          CS5    Queue 3 (Priority Queue, 30%)
Multimedia Conferencing  AF4x   Queue 4 (30%)
Realtime Interactive     CS4    Queue 4 (30%)
Multimedia Streaming     AF3x   Queue 4 (30%)
Call Signaling           CS3    Queue 2 (15%)
Transactional Data       AF2x   Queue 4 (30%)
Ops/Admin/Management     CS2    Queue 2 (15%)
High Throughput          AF1x   Queue 1 (25%)
Low Priority             CS1    Queue 1 (25%)
Best Effort              DF     Queue 1 (25%)
Cisco Catalyst 4500 QoS Dynamic Buffer Limiting
Problem: DoS flows with a large number of packets per second (pps) take as much bandwidth as possible, do not respond to congestion notification, and fill the transmit queue, degrading performance for every other flow sharing it.
Solution: DBL (Dynamic Buffer Limiting) automatically drops packets from belligerent traffic flows.
Cisco Catalyst 4500 Sup II+ - SupV-10GE Queuing Design: (1P3Q1T + DBL)—Part 1
CAT4500-SUP4(config)# qos dbl
! Globally enables DBL
CAT4500-SUP4(config)# qos dbl exceed-action ecn
! Optional: Enables DBL to mark RFC 3168 ECN bits in the IP ToS Byte
CAT4500-SUP4(config)#
CAT4500-SUP4(config)# qos map dscp 0 to tx-queue 1
! Maps DSCP 0 (Best Effort) to Q1
CAT4500-SUP4(config)# qos map dscp 8 10 12 14 to tx-queue 1
! Maps DSCP CS1 (Scavenger) and AF11/AF12/AF13 (Bulk) to Q1
CAT4500-SUP4(config)# qos map dscp 16 to tx-queue 2
! Maps DSCP CS2 (Net-Mgmt) to Q2
CAT4500-SUP4(config)# qos map dscp 18 20 22 to tx-queue 4
! Maps DSCP AF21/AF22/AF23 (Transactional) to Q4
CAT4500-SUP4(config)# qos map dscp 24 to tx-queue 2
! Maps DSCP CS3 (Call-Signaling) to Q2
CAT4500-SUP4(config)# qos map dscp 26 28 30 to tx-queue 4
! Maps DSCP AF31/AF32/AF33 to Q4
CAT4500-SUP4(config)# qos map dscp 32 34 36 38 to tx-queue 4
! Maps DSCP CS4 (Str-Video) and AF41/AF42/AF43 (Int-Video) to Q4
CAT4500-SUP4(config)# qos map dscp 40 46 to tx-queue 3
! Maps DSCP CS5 and EF (VoIP) to Q3 (PQ)
CAT4500-SUP4(config)# qos map dscp 48 to tx-queue 2
! Maps DSCP CS6 (Network Control) to Q2
CAT4500-SUP4(config)# policy-map DBL
CAT4500-SUP4(config-pmap)# class Internetwork Control
CAT4500-SUP4(config-pmap)# class Voice
CAT4500-SUP4(config-pmap)# class Telepresence
! The classes above carry no dbl action, so DBL applies only to class-default
CAT4500-SUP4(config-pmap)# class class-default
CAT4500-SUP4(config-pmap-c)# dbl
! Enables DBL for targeted traffic flows
Cisco Catalyst 4500 Sup II+ - SupV-10GE Queuing Design: (1P3Q1T + DBL)—Part 2 (FE + GE)
CAT4500-SUP4(config)# interface range FastEthernet2/1 - 48
CAT4500-SUP4(config-if-range)# service-policy output DBL
CAT4500-SUP4(config-if-range)# tx-queue 3
CAT4500-SUP4(config-if-tx-queue)# priority high
! Enables Q3 as PQ
CAT4500-SUP4(config-if-tx-queue)# shape percent 30
! Shapes PQ to 30%
CAT4500-SUP4(config-if-tx-queue)# exit
CAT4500-SUP4(config-if-range)# exit
CAT4500-SUP4(config)#
CAT4500-SUP4(config)# interface range GigabitEthernet1/1 - 2
CAT4500-SUP4(config-if-range)# service-policy output DBL
CAT4500-SUP4(config-if-range)# tx-queue 1
CAT4500-SUP4(config-if-tx-queue)# bandwidth percent 25
! Q1 gets 25%
CAT4500-SUP4(config-if-tx-queue)# tx-queue 2
CAT4500-SUP4(config-if-tx-queue)# bandwidth percent 15
! Q2 gets 15%
CAT4500-SUP4(config-if-tx-queue)# tx-queue 3
CAT4500-SUP4(config-if-tx-queue)# priority high
! Enables Q3 as PQ
CAT4500-SUP4(config-if-tx-queue)# bandwidth percent 30
! PQ gets 30%
CAT4500-SUP4(config-if-tx-queue)# shape percent 30
! Shapes PQ to 30%
CAT4500-SUP4(config-if-tx-queue)# tx-queue 4
CAT4500-SUP4(config-if-tx-queue)# bandwidth percent 30
! Q4 gets 30%
CAT4500-SUP4(config-if-tx-queue)# end
CAT4500-SUP4#
Cisco Catalyst 4500—Sup-6E Queuing Design (1P7Q1T + DBL)
Application              DSCP   1P7Q1T queue (share)
Network Control          CS6    Control/OAM (10%)
VoIP Telephony           EF     Priority Queue (30%)
Broadcast Video          CS5    Priority Queue (30%)
Multimedia Conferencing  AF41   Critical (30%)
Realtime Interactive     CS4    Critical (30%)
Multimedia Streaming     AF31   Critical (30%)
Call Signaling           CS3    Control/OAM (10%)
Transactional Data       AF21   Critical (30%)
Ops/Admin/Mgt            CS2    Control/OAM (10%)
High Throughput          AF11   Bulk (5%)
Low Priority             CS1    Bulk (5%)
Best Effort              DF     Best Effort (25%)
Cisco Catalyst 4500—Sup-6E Queuing Design (1P7Q1T + DBL)—Part 1
4500-SUP6E(config)# class-map match-any REALTIME
4500-SUP6E(config-cmap)# match dscp ef cs5
4500-SUP6E(config)# class-map match-any CONTROL
4500-SUP6E(config-cmap)# match dscp cs6 cs3 cs2
4500-SUP6E(config-cmap)# match access-group name ROUTING
4500-SUP6E(config)# class-map match-any CRITICAL
4500-SUP6E(config-cmap)# match qos-group 3
4500-SUP6E(config-cmap)# match dscp cs4 af41 af31 af21
4500-SUP6E(config)# class-map match-any BULK
4500-SUP6E(config-cmap)# match dscp cs1 af11
4500-SUP6E(config)# policy-map EGRESS-QUEUE
! Defines Egress Queuing Policy
4500-SUP6E(config-pmap)# class REALTIME
4500-SUP6E(config-pmap-c)# police rate percent 30 conform-action transmit exceed-action drop
! Limits strict priority queue traffic to 30% of the available B/W
4500-SUP6E(config-pmap-c-police)# priority
! Enables strict priority queue
4500-SUP6E(config-pmap)# class CONTROL
4500-SUP6E(config-pmap-c)# set dscp cs6
! Assigns DSCP marking to egress traffic
4500-SUP6E(config-pmap-c)# bandwidth percent 10
! Defines minimum bandwidth allocation for class
Cisco Catalyst 4500—Sup-6E Queuing Design (1P7Q1T + DBL)—Part 2
4500-SUP6E(config-pmap)# class CRITICAL
4500-SUP6E(config-pmap-c)# bandwidth percent 30
! Defines minimum bandwidth allocation for class
4500-SUP6E(config-pmap-c)# dbl
! Applies DBL to the defined class
4500-SUP6E(config-pmap)# class BULK
4500-SUP6E(config-pmap-c)# bandwidth percent 5
! Defines minimum bandwidth allocation for class
4500-SUP6E(config-pmap-c)# dbl
! Applies DBL to the defined class
4500-SUP6E(config-pmap)# class class-default
4500-SUP6E(config-pmap-c)# bandwidth percent 25
! Defines minimum bandwidth allocation for class
4500-SUP6E(config-pmap-c)# dbl
! Applies DBL to the defined class
4500-SUP6E(config)# interface GigabitEthernet 5/7
4500-SUP6E(config-if)# service-policy output EGRESS-QUEUE
! Assigns egress queuing policy to interface
4500-SUP6E(config-if)# end
Cisco Catalyst 6500 QoS Design Queuing Design (1P3Q8T)
The slide lists the current application names with the earlier names (in parentheses) beside them.
Application                                    DSCP   CoS     1P3Q8T queue (share)   Threshold
Network Control                                CS6    CoS 6   Queue 3 (70%)          Q3T4
Internetwork Control (legacy model: CoS 7)     CS6    CoS 6   Queue 3 (70%)          Q3T4
VoIP Telephony (Voice)                         EF     CoS 5   Q4 Priority Queue
Broadcast Video                                CS5    CoS 5   Q4 Priority Queue
Multimedia Conferencing (Interactive Video)    AF41   CoS 4   Queue 3 (70%)          Q3T1
Real-Time Interactive (Streaming Video)        CS4    CoS 4   Queue 3 (70%)          Q3T1
Multimedia Streaming (Mission-Critical Data)   AF31   CoS 3   Queue 3 (70%)          Q3T3
Call Signaling                                 CS3    CoS 3   Queue 3 (70%)          Q3T3
Transactional Data                             AF21   CoS 2   Queue 3 (70%)          Q3T2
Ops/Admin/Mgt (Network Management)             CS2    CoS 2   Queue 3 (70%)          Q3T2
High Throughput (Bulk Data)                    AF11   CoS 1   Queue 1 (5%)           Q1T1
Low Priority (Scavenger)                       CS1    CoS 1   Queue 1 (5%)           Q1T1
Best Effort                                    DF     0       Queue 2 (25%)          Q2T1
Cisco Catalyst 6500 QoS Design Queuing Design (1P3Q8T)—Part 1
CAT6500-IOS(config)# interface range GigabitEthernet1/1 - 48
CAT6500-IOS(config-if-range)# wrr-queue queue-limit 25 35 20
! Allocates 25% for Q1, 35% for Q2 and 20% for Q3
CAT6500-IOS(config-if-range)# priority-queue queue-limit 20
! Allocates 20% of the buffers to the strict priority queue
CAT6500-IOS(config-if-range)# wrr-queue bandwidth 5 25 70
! Sets the WRR weights for 5:25:70 (Q1:Q2:Q3) bandwidth servicing
CAT6500-IOS(config-if-range)# wrr-queue random-detect 1
! Enables WRED on Q1
CAT6500-IOS(config-if-range)# wrr-queue random-detect 2
! Enables WRED on Q2
CAT6500-IOS(config-if-range)# wrr-queue random-detect 3
! Enables WRED on Q3
CAT6500-IOS(config-if-range)# wrr-queue random-detect min-threshold 1 70 100 100 100 100 100 100 100
! Sets Min WRED Threshold for Q1T1 to 70% and all others to 100%
CAT6500-IOS(config-if-range)# wrr-queue random-detect max-threshold 1 100 100 100 100 100 100 100 100
! Sets Max WRED Threshold for Q1T1 to 100% and all others to 100%
CAT6500-IOS(config-if-range)# wrr-queue random-detect min-threshold 2 80 100 100 100 100 100 100 100
! Sets Min WRED Threshold for Q2T1 to 80% and all others to 100%
CAT6500-IOS(config-if-range)# wrr-queue random-detect max-threshold 2 100 100 100 100 100 100 100 100
! Sets Max WRED Threshold for Q2T1 to 100% and all others to 100%
Cisco Catalyst 6500 QoS Design Queuing Design (1P3Q8T)—Part 2
CAT6500-IOS(config-if-range)# wrr-queue random-detect min-threshold 3 50 60 80 100 100 100 100 100
! Sets Min WRED Threshold for Q3T1 to 50%, Q3T2 to 60%, Q3T3 to 80% and all others to 100%
CAT6500-IOS(config-if-range)# wrr-queue random-detect max-threshold 3 60 70 80 100 100 100 100 100
! Sets Max WRED Threshold for Q3T1 to 60%, Q3T2 to 70%, Q3T3 to 80% and all others to 100%
CAT6500-IOS(config-if-range)# wrr-queue cos-map 1 1 1
! Maps Scavenger/Bulk to Q1 WRED Threshold 1
CAT6500-IOS(config-if-range)# wrr-queue cos-map 2 1 0
! Maps Best Effort to Q2 WRED Threshold 1
CAT6500-IOS(config-if-range)# wrr-queue cos-map 3 1 4
! Maps Video to Q3 WRED Threshold 1
CAT6500-IOS(config-if-range)# wrr-queue cos-map 3 2 2
! Maps Net-Mgmt and Transactional Data to Q3 WRED T2
CAT6500-IOS(config-if-range)# wrr-queue cos-map 3 3 3
! Maps Call-Signaling and Mission-Critical Data to Q3 WRED T3
CAT6500-IOS(config-if-range)# wrr-queue cos-map 3 4 6 7
! Maps Internetwork-Control and Network Control to Q3 WRED T4
CAT6500-IOS(config-if-range)# priority-queue cos-map 1 5
! Maps VoIP to the PQ (Q4)
CAT6500-IOS(config-if-range)# end
CAT6500-IOS#
Cisco Catalyst 6500 QoS Design Queuing Design (1P7Q4T)
Application              DSCP   CoS     1P7Q4T queue (share)   Threshold
Network Control          CS6    CoS 6   Queue 4 (10%)          Q4T3
VoIP Telephony           EF     CoS 5   Q8 Priority Queue
Broadcast Video          CS5    CoS 5   Q8 Priority Queue
Multimedia Conferencing  AF41   CoS 4   Queue 3 (60%)          Q3T2
Real-Time Interactive    CS4    CoS 4   Queue 3 (60%)          Q3T2
Multimedia Streaming     AF31   CoS 3   Queue 3 (60%)          Q3T1
Call Signaling           CS3    CoS 3   Queue 4 (10%)          Q4T2
Transactional Data       AF21   CoS 2   Queue 3 (60%)          Q3T3
Ops/Admin/Mgt            CS2    CoS 2   Queue 4 (10%)          Q4T1
High Throughput          AF11   CoS 1   Queue 1 (5%)           Q1T1
Low Priority             CS1    CoS 1   Queue 1 (5%)           Q1T1
Best Effort              DF     0       Queue 2 (25%)          Q2T1
Cisco Catalyst 6500 QoS Design Queuing Design (1P7Q4T)—Part 1
CAT6500-IOS(config)# mls qos 10g-only
! Disables the Gigabit interfaces on the supervisor, allowing DSCP-to-queue and threshold mapping
CAT6500-IOS(config)# interface TenGigabitEthernet 5/4
CAT6500-IOS(config-if)# wrr-queue queue-limit 15 35 20 10 0 0 0
! Allocates Buffers: 15% for Q1, 35% for Q2, 20% for Q3, 10% for Q4
CAT6500-IOS(config-if)# priority-queue queue-limit 20
! Allocates 20% of the buffers to the strict priority queue
CAT6500-IOS(config-if)# wrr-queue bandwidth 5 25 60 10 0 0 0
! Sets the WRR percentages for 5:25:60:10 (Q1:Q2:Q3:Q4) B/W servicing
CAT6500-IOS(config-if)# wrr-queue random-detect 1
! Enables WRED on Q1
CAT6500-IOS(config-if)# wrr-queue random-detect 2
! Enables WRED on Q2
CAT6500-IOS(config-if)# wrr-queue random-detect 3
! Enables WRED on Q3
CAT6500-IOS(config-if)# no wrr-queue random-detect 4
! Disables WRED on Q4
CAT6500-IOS(config-if)# wrr-queue random-detect min-threshold 1 70 100 100 100
! Sets Min WRED Threshold for Q1T1 to 70% and all others to 100%
CAT6500-IOS(config-if)# wrr-queue random-detect max-threshold 1 100 100 100 100
! Sets Max WRED Threshold for Q1T1 to 100% and all others to 100%
CAT6500-IOS(config-if)# wrr-queue random-detect min-threshold 2 80 100 100 100
! Sets Min WRED Threshold for Q2T1 to 80% and all others to 100%
CAT6500-IOS(config-if)# wrr-queue random-detect max-threshold 2 100 100 100 100
! Sets Max WRED Threshold for Q2T1 to 100% and all others to 100%
CAT6500-IOS(config-if)# wrr-queue random-detect min-threshold 3 50 60 80 100
! Sets Min WRED Threshold for Q3T1 to 50%, Q3T2 to 60%, Q3T3 to 80% and Q3T4 to 100%
CAT6500-IOS(config-if)# wrr-queue random-detect max-threshold 3 60 70 80 100
! Sets Max WRED Threshold for Q3T1 to 60%, Q3T2 to 70%, Q3T3 to 80% and Q3T4 to 100%
Cisco Catalyst 6500 QoS Design Queuing Design (1P7Q4T)—Part 2
CAT6500-IOS(config-if)# wrr-queue threshold 4 60 80 100 100
! Sets the tail-drop thresholds for Q4 (WRED is disabled on Q4): Q4T1 to 60%, Q4T2 to 80%, Q4T3 and Q4T4 to 100%
CAT6500-IOS(config-if)# mls qos queue-mode mode-dscp
! Enables DSCP to queue and threshold mapping
CAT6500-IOS(config-if)# wrr-queue dscp-map 1 1 8 10
! Maps Scavenger/Bulk to Q1 WRED Threshold 1
CAT6500-IOS(config-if)# wrr-queue dscp-map 2 1 0
! Maps Best Effort to Q2 WRED Threshold 1
CAT6500-IOS(config-if)# wrr-queue dscp-map 3 1 26 28 30
! Maps Streaming Video to Q3 WRED Threshold 1
CAT6500-IOS(config-if)# wrr-queue dscp-map 3 2 32 34 36 38
! Maps Interactive Video and Multimedia Conferencing to Q3 WRED T2
CAT6500-IOS(config-if)# wrr-queue dscp-map 3 3 18 20 22
! Maps Transactional Data to Q3 WRED T3
CAT6500-IOS(config-if)# wrr-queue dscp-map 4 1 16
! Maps Operations/Administration/Management to Q4 T1
CAT6500-IOS(config-if)# wrr-queue dscp-map 4 2 24
! Maps Call-Signaling to Q4 T2
CAT6500-IOS(config-if)# wrr-queue dscp-map 4 3 48 56
! Maps Network Control to Q4 T3
CAT6500-IOS(config-if)# priority-queue dscp-map 1 46
! Maps VoIP to the PQ (Q8)
CAT6500-IOS(config-if)# end
Cisco Catalyst QoS Deployment Queuing Design—(Auto QoS)
CAT6500(config-if)# auto qos voip trust
Trust policy applied to the port will vary based on port configuration.
Configuration generated by Auto QoS:
interface GigabitEthernet3/24
 wrr-queue bandwidth 20 100 200
 priority-queue queue-limit 5
 wrr-queue queue-limit 65 15 15
 wrr-queue random-detect min-threshold 1 70 100 100 100 100 100 100 100
 wrr-queue random-detect min-threshold 2 70 100 100 100 100 100 100 100
 wrr-queue random-detect min-threshold 3 40 40 50 50 60 60 70 70
 wrr-queue random-detect max-threshold 1 100 100 100 100 100 100 100 100
 wrr-queue random-detect max-threshold 2 100 100 100 100 100 100 100 100
 wrr-queue random-detect max-threshold 3 70 70 80 80 90 90 100 100
 wrr-queue cos-map 2 1 1 2
 wrr-queue cos-map 3 5 3 4
 wrr-queue cos-map 3 7 6 7
 mls qos trust dscp
 auto qos voip trust
end
Cisco Catalyst QoS Deployment Queuing Design—(Smartport Macros)
Catalyst(config)# macro name UPLINK
! Define macro name
Enter macro commands one per line. End with the character '@'.
priority-queue out
srr-queue bandwidth share 1 70 25 5
queue-set 2
! Define commands to apply to interface
@
Catalyst(config)#
Catalyst(config)# macro name Tenant
! Define macro name
Enter macro commands one per line. End with the character '@'.
srr-queue bandwidth share 1 40 30 30
srr-queue bandwidth shape 5 0 0 0
queue-set 1
! Define commands to apply to interface
@
Catalyst(config)#
Catalyst(config)# interface range GigabitEthernet 1/0/1 - 2
Catalyst(config-if-range)# macro apply UPLINK
! Apply defined macro to appropriate interface(s)
Catalyst(config)# interface FastEthernet 1/0/11
Catalyst(config-if)# macro apply Tenant
! Apply defined macro to appropriate interface(s)
Control Plane Policing Control Plane vs. Data Plane
Most packets are processed in hardware (data plane); however, some packets need to be processed by the CPU (control plane).
Packets bound to the CPU include the usual control-plane and management-plane traffic:
Routing protocol packets (routing updates)
First hop redundancy protocol packets
Multicast control packets
Remote access and management (SNMP, Telnet)
Monitoring and troubleshooting traffic (ICMP)
Address Resolution Protocol (ARP)
Layer 2 control packets
Special data-plane traffic may have to be processed in software (data-plane "punt" traffic):
Packets with IP options
Packets with TTL=1
Packets that don't match any FIB route ("FIB-miss")
Packets that require ACL logging
Packets with non-hardware-supported features applied
Control Plane Policing Hardening the Switches
Traffic to the CPU passes through two layers of protection:
Hardware protection: hardware control plane queues, hardware Control-Plane Policing, hardware rate limiters, storm control, ACLs, QoS
Software protection: process level queues (IP Normal Queue and IP Priority Queue), software Control-Plane Policing, Selective Packet Discard (SPD) check
Catalyst 4500 CoPP for DoS Mitigation
Data traffic is handled by the forwarding ASICs on the linecard; control and CPU-bound traffic crosses the backplane to the ingress control plane, where user-defined police actions are applied before it reaches the switch CPU's 16 CPU queues.
Classification uses pre-configured system traffic types and/or user-configurable traffic types.
Create the system-cpp-policy policy-map and attach it to the control-plane with "macro global apply system-cpp".
MQC-based commands; available from 12.2(31)SG.
Control Plane Policing Catalyst 6500 Multi-Level HW and SW Protection
Traffic to the CPU passes through three levels: the PFC3/DFC3 hardware rate-limiters (HWRL) for special-case traffic, the hardware "Control-Plane" (HW CoPP) and the software "Control-Plane" (SW CoPP) in front of the CPU.
Special-case rate limiters override hardware Control Plane Policing: if a HWRL is configured, packets that match it bypass HW CoPP and are processed by the HWRL.
If no HWRL is configured or there is no match, those packets are processed by HW CoPP.
All packets processed by either HW CoPP or a HWRL are processed again by SW CoPP.
Catalyst 6500 (PFC3) QoS Design CPP Deployment Guide
Explicitly allow needed, known critical protocols such as BGP and EIGRP: conform and exceed action transmit
Define other required but not critical traffic such as ICMP, SNMP, SSH, telnet, and default: conform action transmit, exceed action drop
Drop all other undesirable traffic
Depending on the class defined, apply the appropriate policy:
Routing protocol traffic (BGP, IGP)—no rate limit
Management traffic (SNMP, SSH, NTP, etc.)—conservative rate limit
Reporting traffic (SAA combined with DSCP)—conservative rate limit
Monitoring traffic (ICMP, trace route)—conservative rate limit
Critical traffic (HSRP, SIP/VoIP, DLSw)—conservative rate limit
Default traffic—low rate limit
Undesirable traffic (DoS attacks)—drop
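An added example (not from the deck) that turns this guide into a lint over a CoPP policy-map read from configuration text; the class names, the role each name plays, the police rates and the 64 kbps ceiling used for the "low" default limit are all constructed assumptions, and the sample policy is a constructed input:

```python
"""Lint a Catalyst 6500 CoPP policy-map against the deployment guide above.

Added example, not part of the Cisco deck. Rules checked: routing classes
transmit on conform and exceed; management, monitoring and critical classes
transmit on conform and drop on exceed; the undesirable class drops; and
class-default exists with a low rate limit. The class names, roles, rates
and the default-rate ceiling are assumptions made for this example.
"""
import re

# Assumed class name -> guide category.
ROLES = {
    "COPP-ROUTING": "routing",
    "COPP-MANAGEMENT": "management",
    "COPP-MONITORING": "monitoring",
    "COPP-CRITICAL": "critical",
    "COPP-UNDESIRABLE": "undesirable",
    "class-default": "default",
}

# Constructed sample policy following the guide (rates are placeholders).
GOOD_POLICY = """
policy-map COPP
 class COPP-ROUTING
  police 1000000 50000 conform-action transmit exceed-action transmit
 class COPP-MANAGEMENT
  police 256000 8000 conform-action transmit exceed-action drop
 class COPP-MONITORING
  police 64000 8000 conform-action transmit exceed-action drop
 class COPP-CRITICAL
  police 128000 8000 conform-action transmit exceed-action drop
 class COPP-UNDESIRABLE
  police 32000 1500 conform-action drop exceed-action drop
 class class-default
  police 32000 8000 conform-action transmit exceed-action drop
"""

CLASS_RE = re.compile(r"^\s*class (\S+)\s*$", re.M)
POLICE_RE = re.compile(r"police (\d+) (\d+) conform-action (\w+) exceed-action (\w+)")


def parse_policy(text):
    """Return {class_name: (rate_bps, burst, conform, exceed)}; None if no police line."""
    classes, current = {}, None
    for line in text.splitlines():
        cm = CLASS_RE.match(line)
        if cm:
            current = cm.group(1)
            classes[current] = None
            continue
        pm = POLICE_RE.search(line)
        if pm and current:
            rate, burst, conform, exceed = pm.groups()
            classes[current] = (int(rate), int(burst), conform, exceed)
    return classes


def lint(text, max_default_bps=64000):
    """Return a list of findings; an empty list means the policy follows the guide."""
    findings = []
    classes = parse_policy(text)
    if "class-default" not in classes:
        findings.append("no class-default: unclassified CPU traffic is not rate limited")
    for name, police in classes.items():
        role = ROLES.get(name)
        if role is None:
            findings.append(f"{name}: unknown class, cannot check against the guide")
            continue
        if police is None:
            findings.append(f"{name}: no police statement, traffic passes unlimited")
            continue
        rate, _, conform, exceed = police
        if role == "routing" and (conform, exceed) != ("transmit", "transmit"):
            findings.append(f"{name}: routing protocols must not be dropped by CoPP")
        elif role in ("management", "monitoring", "critical") and (conform, exceed) != ("transmit", "drop"):
            findings.append(f"{name}: expected conform transmit / exceed drop")
        elif role == "undesirable" and conform != "drop":
            findings.append(f"{name}: undesirable traffic should be dropped outright")
        elif role == "default":
            if (conform, exceed) != ("transmit", "drop"):
                findings.append("class-default: expected conform transmit / exceed drop")
            if rate > max_default_bps:
                findings.append(f"class-default: rate {rate} bps above the low limit of {max_default_bps} bps")
    return findings
```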
Q and A