Enterprise QoS Design 5.0
Tim Szigeti
Principal Engineer-Technical Marketing
szigeti@cisco.com
BRKRST-2501

#CLUS © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda
• Introduction to Intent-Based QoS Design
• WAN / VPN QoS Design
  • WAN
  • MPLS VPN
  • DMVPN
• Campus QoS Design
  • Access (Catalyst 3650/3850/9300)
  • Distribution (Catalyst 4500)
  • Core (Catalyst 6500)
• WLAN QoS Design
• How is Cisco Making QoS Better and Simpler?
• Summary and References
• Appendices

Introduction to Intent-Based QoS Design

Cisco Enterprise QoS Design
• 1.0: Cisco’s first QoS Design Guide for Enterprise was published in 2000 for VoIP (only!)
• 2.0: Multiple classes of data were added in 2002
• 3.0: Basic Video (conferencing and streaming) was added in 2006
• 4.1: Extended video (TelePresence, Video Surveillance, Digital Signage, etc.) and Medianet were added in 2010
• 4.2: Wireless, Data-Center, DMVPN and GETVPN were added in 2014
• 5.0: Policy-Abstraction, including support for 1400+ applications, was added in 2017
[Figure: design guide covers labeled 328 pages, 208 pages, 154 pages, 1043 pages and 302 pages +, and a software label reading APIC-EM 1.6 SW or DNAC 1.12 SW]

The Why / How / What of Enterprise Networking
Cisco Enterprise Vision: Transform our customers’ businesses through powerful yet simple networks.
[Figure: Why / How / What diagram]

What Do You Consider First?

Where to Begin?
Always, Always, Always Start with Defining Your Business Goals of QoS
• Guaranteeing voice quality meets enterprise standards
• Ensuring a high Quality of Experience for video applications
• Improving user productivity by minimizing network response times
• Managing business applications that are “bandwidth hogs”
• Identifying and de-prioritizing non-business applications
• Improving network availability by protecting the control planes
• Hardening the network infrastructure to deal with abnormal events

Determining Application Business Relevance
How Important is an Application to Your Business?

Relevant (IMPORTANT: PROTECT)
• These applications directly support business objectives
• Applications should be classified, marked and treated according to industry best-practice recommendations
• RFC 4594

Default (NEUTRAL: LEAVE ALONE)
• These applications may/may not support business objectives (e.g. HTTP/HTTPS/SSL)
• Applications of this type should be treated with a Default Forwarding service
• RFC 2474

Irrelevant (UNIMPORTANT: PENALIZE)
• These applications do not support business objectives and are typically consumer-oriented
• Applications of this type should be treated with a “less-than Best Effort” service
• RFC 3662

Translating Business-Relevance to QoS Treatments
Apply RFC 4594-based Marking / Queuing / Dropping Treatments

Relevance    Application Class          Per-Hop Behavior   Queuing & Dropping           Application Examples
Relevant     VoIP Telephony             EF                 Priority Queue (PQ)          Cisco IP Phones (G.711, G.729)
Relevant     Broadcast Video            CS5                (Optional) PQ                Cisco IP Video Surveillance / Cisco Enterprise TV
Relevant     Real-Time Interactive      CS4                (Optional) PQ                Cisco TelePresence
Relevant     Multimedia Conferencing    AF4                BW Queue + DSCP WRED         Cisco Jabber, Cisco WebEx
Relevant     Multimedia Streaming       AF3                BW Queue + DSCP WRED         Cisco Digital Media System (VoDs)
Relevant     Network Control            CS6                BW Queue                     EIGRP, OSPF, BGP, HSRP, IKE
Relevant     Signaling                  CS3                BW Queue                     SCCP, SIP, H.323
Relevant     Ops / Admin / Mgmt (OAM)   CS2                BW Queue                     SNMP, SSH, Syslog
Relevant     Transactional Data         AF2                BW Queue + DSCP WRED         ERP Apps, CRM Apps, Database Apps
Relevant     Bulk Data                  AF1                BW Queue + DSCP WRED         E-mail, FTP, Backup Apps, Content Distribution
Default      Default Forwarding         DF                 Default Queue + RED          Default Class
Irrelevant   Scavenger                  CS1                Min BW Queue (Deferential)   YouTube, Netflix, iTunes, BitTorrent, Xbox Live

Application Classification Rules
Is the Protocol a Control Plane Protocol?

[Flowchart]
Control Plane?
  Yes → Network Control? Yes → Network Control
        No → Signaling? Yes → Signaling
             No → OAM? Yes → OAM
  No → continue with the next question

• Network Control protocol?
  • network routing and control-plane protocols
  • E.g. BGP, OSPF, EIGRP, HSRP, IKE, etc.
• Signaling protocol?
  • call signaling / bandwidth reservation protocols
  • E.g. SIP, Skinny, H.323, RSVP etc.
• Operations / Administration / Management protocol?
  • network management protocols (e.g. SNMP, Telnet, SSH, Syslog, NetFlow, etc.)

Application Classification Rules (cont.)
Is the Application Voice?

[Flowchart]
Voice?
  Yes → Voice
  No → continue with the next question

• Voice?
  • Audio-only media (e.g. G.711, G.729 etc.)
  • Note: This class may be used for the audio-component of multimedia applications, such as Cisco Jabber and/or Spark; however, this option should ONLY be considered if this causes no conflict with your overall Call Admission Control strategy and voice-queue provisioning

Application Classification Rules (cont.)
Is the Application Video?

[Flowchart]
Video?
  Yes → Unidirectional?
          Yes → Elastic? Yes → Multimedia-Streaming
                         No (Inelastic) → Broadcast Video
          No (Bidirectional) → Elastic? Yes → Multimedia-Conferencing
                                        No (Inelastic) → Realtime-Interactive
  No → continue with the next question

• Video?
  • Is the application unidirectional or bidirectional?
  • Is the application elastic (i.e. adaptive to congestion/drops) or inelastic?

Application Classification Rules (cont.)
Is the Application Data?

[Flowchart]
Data?
  Yes → Foreground? Yes → Transactional Data
                    No (Background) → Bulk Data
  No → Best Effort

• Data?
  • Is the application foreground or background?
    • Foreground applications will directly impact user-productivity with network delays
    • Background applications will not (as these are typically machine-to-machine flows)
      • However, these apps can be very bandwidth intensive (if unrestrained)
    • If it is not known if a data app is foreground, then assume it is background
• Otherwise, the application/protocol remains in the default class (Best Effort)

Strategic QoS Design At-A-Glance

https://cisco.box.com/v/QoS-AAGs
WAN / VPN QoS Design
LAN Edge QoS Design
NBAR2 Application Library
Deployment Challenge
• NBAR2 library is very large (1400+ apps)
• While powerful, this toolset is not simple to wield
• To make the library more wieldy, every application has descriptive attributes

Attribute           Meaning
Category            First level grouping of applications with similar functionalities
Sub-category        Second level grouping of applications with similar functionalities
Application-group   Grouping of applications based on brand or application suite
P2P-technology?     Indicates application is peer-to-peer
Encrypted?          Indicates application is encrypted
Tunneled?           Indicates application uses tunneling technique

Where Can I Find NBAR2 Attribute Details?
Google Search: “NBAR Protocol Pack”
Cisco Protocol Pack Library: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos_nbar/prot_lib/config_library/nbar-prot-pack-library.html
Protocol Pack 37: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos_nbar/prot_lib/config_library/pp3700/nbar-prot-pack3700.html

[Screenshot: start of the alphabetical protocol list in the Protocol Pack library, 3COM-AMP3 through ADWEEK]

NBAR2 QoS Attributes
New QoS Attributes: Traffic-Class and Business-Relevance
Introduced in: IOS 15.5(3)M and IOS XE 3.16S

show ip nbar protocol-attribute airbnb


encrypted encrypted-no
tunnel tunnel-no
category browsing
sub-category Other
application-group Other
p2p-technology p2p-tech-no
traffic-class transactional-data
business-relevance business-irrelevant

Changing the Business-Relevancy of an Application

Step 1: Create an Attribute-Map with the Desired Setting

ip nbar attribute-map BUSINESS-RELEVANT-MAP attribute business-relevance business-relevant

Step 2: Associate the Application with the Desired Attribute-Map

ip nbar attribute-set airbnb BUSINESS-RELEVANT-MAP

Changing Application Business-Relevance
All Options

Scenario 1: Making an Application Business-Relevant

ip nbar attribute-map ATTRIBUTE_MAP-RELEVANT attribute business-relevance business-relevant
ip nbar attribute-set application-name ATTRIBUTE_MAP-RELEVANT

Scenario 2: Making an Application Default

ip nbar attribute-map ATTRIBUTE_MAP-DEFAULT attribute business-relevance default
ip nbar attribute-set application-name ATTRIBUTE_MAP-DEFAULT

Scenario 3: Making an Application Business-Irrelevant

ip nbar attribute-map ATTRIBUTE_MAP-SCAVENGER attribute business-relevance business-irrelevant
ip nbar attribute-set application-name ATTRIBUTE_MAP-SCAVENGER

“Holy Grail” QoS Configuration: NBAR2 1400+ App / 12-Class Model

class-map match-all VOICE
 match protocol attribute traffic-class voip-telephony
 match protocol attribute business-relevance business-relevant
class-map match-all BROADCAST-VIDEO
 match protocol attribute traffic-class broadcast-video
 match protocol attribute business-relevance business-relevant
class-map match-all REAL-TIME-INTERACTIVE
 match protocol attribute traffic-class real-time-interactive
 match protocol attribute business-relevance business-relevant
class-map match-all MULTIMEDIA-CONFERENCING
 match protocol attribute traffic-class multimedia-conferencing
 match protocol attribute business-relevance business-relevant
class-map match-all MULTIMEDIA-STREAMING
 match protocol attribute traffic-class multimedia-streaming
 match protocol attribute business-relevance business-relevant
class-map match-all SIGNALING
 match protocol attribute traffic-class signaling
 match protocol attribute business-relevance business-relevant
class-map match-all NETWORK-CONTROL
 match protocol attribute traffic-class network-control
 match protocol attribute business-relevance business-relevant
class-map match-all NETWORK-MANAGEMENT
 match protocol attribute traffic-class ops-admin-mgmt
 match protocol attribute business-relevance business-relevant
class-map match-all TRANSACTIONAL-DATA
 match protocol attribute traffic-class transactional-data
 match protocol attribute business-relevance business-relevant
class-map match-all BULK-DATA
 match protocol attribute traffic-class bulk-data
 match protocol attribute business-relevance business-relevant
class-map match-all SCAVENGER
 match protocol attribute business-relevance business-irrelevant

policy-map MARKING
 class VOICE
  set dscp ef
 class BROADCAST-VIDEO
  set dscp cs5
 class REAL-TIME-INTERACTIVE
  set dscp cs4
 class MULTIMEDIA-CONFERENCING
  set dscp af41
 class MULTIMEDIA-STREAMING
  set dscp af31
 class SIGNALING
  set dscp cs3
 class NETWORK-CONTROL
  set dscp cs6
 class NETWORK-MANAGEMENT
  set dscp cs2
 class TRANSACTIONAL-DATA
  set dscp af21
 class BULK-DATA
  set dscp af11
 class SCAVENGER
  set dscp cs1
 class class-default
  set dscp default

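Added example (not from the Cisco deck): a Python model of how the MARKING policy above resolves an application's NBAR2 attributes to a DSCP value, showing why airbnb is marked cs1 until its business-relevance is overridden. The function names and the numeric DSCP table are this example's own; the attribute listing is the airbnb output shown on the page.

```python
# Added example: models the match-all class-maps and policy-map MARKING.
# Function names are hypothetical; this is not Cisco code.

# Attribute listing for airbnb, as shown on the page.
AIRBNB = """\
encrypted          encrypted-no
tunnel             tunnel-no
category           browsing
sub-category       Other
application-group  Other
p2p-technology     p2p-tech-no
traffic-class      transactional-data
business-relevance business-irrelevant
"""


def _relevant(traffic_class):
    """Criteria of a match-all class-map: traffic-class AND business-relevant."""
    return {"traffic-class": traffic_class,
            "business-relevance": "business-relevant"}


# policy-map MARKING in configuration order: (class, match criteria, set dscp).
MARKING = [
    ("VOICE", _relevant("voip-telephony"), "ef"),
    ("BROADCAST-VIDEO", _relevant("broadcast-video"), "cs5"),
    ("REAL-TIME-INTERACTIVE", _relevant("real-time-interactive"), "cs4"),
    ("MULTIMEDIA-CONFERENCING", _relevant("multimedia-conferencing"), "af41"),
    ("MULTIMEDIA-STREAMING", _relevant("multimedia-streaming"), "af31"),
    ("SIGNALING", _relevant("signaling"), "cs3"),
    ("NETWORK-CONTROL", _relevant("network-control"), "cs6"),
    ("NETWORK-MANAGEMENT", _relevant("ops-admin-mgmt"), "cs2"),
    ("TRANSACTIONAL-DATA", _relevant("transactional-data"), "af21"),
    ("BULK-DATA", _relevant("bulk-data"), "af11"),
    # SCAVENGER matches on relevance alone, whatever the traffic-class is.
    ("SCAVENGER", {"business-relevance": "business-irrelevant"}, "cs1"),
]

# Standard 6-bit DSCP code points for the names used by the policy.
DSCP_VALUE = {"ef": 46, "cs6": 48, "cs5": 40, "cs4": 32, "cs3": 24, "cs2": 16,
              "cs1": 8, "af41": 34, "af31": 26, "af21": 18, "af11": 10,
              "default": 0}


def parse_attributes(text):
    """Parse 'attribute value' lines into a dict."""
    attrs = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            attrs[parts[0]] = parts[1].strip()
    return attrs


def attribute_set(attrs, attribute_map):
    """Model `ip nbar attribute-set <app> <map>`: overlay the map's values."""
    return {**attrs, **attribute_map}


def classify(attrs):
    """Return (class, dscp name, dscp value) for the first class that matches."""
    for name, criteria, dscp in MARKING:
        if all(attrs.get(key) == value for key, value in criteria.items()):
            return name, dscp, DSCP_VALUE[dscp]
    return "class-default", "default", DSCP_VALUE["default"]


if __name__ == "__main__":
    airbnb = parse_attributes(AIRBNB)
    print("as shipped:      ", classify(airbnb))
    print("made relevant:   ", classify(attribute_set(
        airbnb, {"business-relevance": "business-relevant"})))
    print("made default:    ", classify(attribute_set(
        airbnb, {"business-relevance": "default"})))
```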
NBAR2 QoS Attributes At-A-Glance

https://cisco.box.com/v/QoS-AAGs
WAN Edge QoS Design
QoS Tools Review: Queuing & Dropping Tools
(Flow-Based) Fair-Queuing

policy-map FQ
 class class-default
  fair-queue

[Figure: Packets In → Fair-Queuing Sorter/Pre-Sorter → Packets Out]

A flow is defined by five matching fields (the 5-tuple):
• Source Address + Source Port
• Destination Address + Destination Port
• Layer 4 Protocol (TCP or UDP)

QoS Tools Review: Queuing & Dropping Tools
CBWFQ

policy-map WAN
 class NETWORK-CONTROL
  bandwidth remaining percent 5
 class CALL-SIGNALING
  bandwidth remaining percent 4
 class STREAMING-VIDEO
  bandwidth remaining percent 10
  fair-queue
  random-detect dscp-based
 class MM-CONFERENCING
  bandwidth remaining percent 30
  fair-queue
  random-detect dscp-based
 …

[Figure: IOS Interface Buffers. Packets In → per-class CBWFQs (Network Control, Call Signaling, OAM, Multimedia Conferencing, Multimedia Streaming, Transactional Data, Bulk Data, Best Effort / Default, Scavenger), several with FQ pre-sorters → CBWFQ Scheduler → Tx-Ring → Packets Out]

QoS Tools Review: Queuing & Dropping Tools
LLQ: Single-LLQ Operation and Configuration

policy-map WAN
 class VOICE
  priority percent 10

[Figure: IOS Interface Buffers. Packets In → VOICE through a 10% Strict Policer into the LLQ, other traffic through FQ pre-sorters into the CBWFQs and the CBWFQ Scheduler → Tx-Ring → Packets Out]

QoS Tools Review: Queuing & Dropping Tools
The Need for Congestion Avoidance

• All TCP flows synchronize in waves
• TCP synchronization wastes available bandwidth

[Figure: Bandwidth Utilization (up to 100% BW) over Time under Tail Drop; annotations: "Three Traffic Flows Start at Different Times" and "Another Traffic Flow Starts at This Point"]

QoS Tools Review: Queuing & Dropping Tools
DSCP-Based WRED

policy-map BULK-WRED
 class BULK
  bandwidth remaining percent 10
  random-detect dscp-based

[Figure: Bulk Data CBWFQ behind a Fair-Queuing Pre-Sorter, drawn from Tail of Queue to Front of Queue with the Direction of Packet Flow]
• AF13 Minimum WRED Threshold: Begin randomly dropping AF13 packets
• AF12 Minimum WRED Threshold: Begin randomly dropping AF12 packets
• AF11 Minimum WRED Threshold: Begin randomly dropping AF11 packets

Maximum WRED Thresholds for AF11, AF12 and AF13 are set to the tail of the queue in this example

RFC 4594-Based 12-Class WAN-Edge Queuing Model
[Figure: pie chart of per-class bandwidth allocations; surviving labels: Network Control 2%, Multimedia Streaming 10%]

RFC 4594-Based 12-Class Queuing Model Configuration

class-map match-all VOICE-DSCP
 match dscp ef
class-map match-all BROADCAST_VIDEO-DSCP
 match dscp cs5
class-map match-all REALTIME_INTERACTIVE-DSCP
 match dscp cs4
class-map match-all NETWORK-CONTROL-DSCP
 match dscp cs6
class-map match-all SIGNALING-DSCP
 match dscp cs3
class-map match-all OAM-DSCP
 match dscp cs2
class-map match-all MULTIMEDIA_CONFERENCING-DSCP
 match dscp af41
class-map match-all MULTIMEDIA_STREAMING-DSCP
 match dscp af31
class-map match-all TRANSACTIONAL-DATA-DSCP
 match dscp af21
class-map match-all BULK-DATA-DSCP
 match dscp af11
class-map match-all SCAVENGER-DSCP
 match dscp cs1

policy-map WAN_EDGE-QUEUING
 class VOICE-DSCP
  priority percent 10
 class BROADCAST_VIDEO-DSCP
  priority percent 10
 class REALTIME_INTERACTIVE-DSCP
  priority percent 13
 class NETWORK-CONTROL-DSCP
  bandwidth percent 2
 class SIGNALING-DSCP
  bandwidth percent 2
 class OAM-DSCP
  bandwidth percent 3
 class MULTIMEDIA_CONFERENCING-DSCP
  bandwidth percent 10
  fair-queue
  random-detect dscp-based
 class MULTIMEDIA_STREAMING-DSCP
  bandwidth percent 10
  fair-queue
  random-detect dscp-based
 class TRANSACTIONAL-DATA-DSCP
  bandwidth percent 10
  fair-queue
  random-detect dscp-based
 class BULK-DATA-DSCP
  bandwidth percent 4
  fair-queue
  random-detect dscp-based
 class SCAVENGER-DSCP
  bandwidth percent 1
 class class-default
  bandwidth percent 25
  fair-queue
  random-detect dscp-based

Note: Appending “-DSCP” to the class-map names distinguishes WAN-Edge egress-queuing class-maps (matching on DSCP values) from the LAN-Edge ingress class-maps (matching via NBAR2).

What Changes for Sub-Line-Rate Interfaces?

policy-map QUEUING
 class REALTIME
  priority 1000
 class SIGNALING
  bandwidth x
 class TRANSACTIONAL
  bandwidth y…
 class class-default
  fair-queue

policy-map HQoS-50MBPS
 class class-default
  shape average 50000000
  service-policy QUEUING

• Queuing policies will not engage unless the interface is congested
• A shaper will guarantee that traffic will not exceed the contracted rate
• A nested queuing policy will force queuing to engage at the contracted sub-line-rate to prioritize packets prior to shaping

[Figure: GE Interface with a sub-line-rate access service (e.g. 50 Mbps). REALTIME passes a 1 Mbps LLQ Policer into the 1 Mbps LLQ; the Signaling CBWFQ, Transactional CBWFQ and Default Queue (with FQ pre-sorters) feed the CBWFQ Scheduler; both paths pass the Class-Based Shaper before the TX Ring]

Hierarchical (Shaping + Queuing) QoS Policy Config

policy-map HQOS-50M-OUT
 class class-default
  shape average 50M
  service-policy WAN-EDGE-QUEUING

• A Parent QoS Policy is required to shape to the contracted rate
• A (nested) Child QoS Policy queues traffic within the shaped rate

interface GigabitEthernet0/2
 description AT&T Circuit from SJ-13-12 to RTP-Ridge-7 @ 50 Mbps Contracted Rate
 service-policy output HQOS-50M-OUT

The Parent QoS Policy (shaper with nested queuing policy) is applied to the sub-line-rate interface

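Added example (not from the Cisco deck), covering both the 12-class queuing policy and the hierarchical shaper above: a Python parser for the WAN_EDGE-QUEUING policy-map that totals the priority and bandwidth percentages and converts them to per-class rates, which in a nested child policy are taken from the parent shaper's 50 Mbps rather than the GigabitEthernet line rate. Function names are this example's own; the policy text is copied from the page.

```python
import re

# Child queuing policy as configured on the page.
WAN_EDGE_QUEUING = """\
policy-map WAN_EDGE-QUEUING
 class VOICE-DSCP
  priority percent 10
 class BROADCAST_VIDEO-DSCP
  priority percent 10
 class REALTIME_INTERACTIVE-DSCP
  priority percent 13
 class NETWORK-CONTROL-DSCP
  bandwidth percent 2
 class SIGNALING-DSCP
  bandwidth percent 2
 class OAM-DSCP
  bandwidth percent 3
 class MULTIMEDIA_CONFERENCING-DSCP
  bandwidth percent 10
  fair-queue
  random-detect dscp-based
 class MULTIMEDIA_STREAMING-DSCP
  bandwidth percent 10
  fair-queue
  random-detect dscp-based
 class TRANSACTIONAL-DATA-DSCP
  bandwidth percent 10
  fair-queue
  random-detect dscp-based
 class BULK-DATA-DSCP
  bandwidth percent 4
  fair-queue
  random-detect dscp-based
 class SCAVENGER-DSCP
  bandwidth percent 1
 class class-default
  bandwidth percent 25
  fair-queue
  random-detect dscp-based
"""

ALLOC = re.compile(r"(priority|bandwidth) percent (\d+)$")


def parse_policy_map(text):
    """Return {class_name: (kind, percent)} in configuration order."""
    classes, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("class "):
            current = line.split()[1]
            classes[current] = (None, 0)
        elif current and (m := ALLOC.match(line)):
            classes[current] = (m.group(1), int(m.group(2)))
    return classes


def audit(classes):
    """Total the LLQ and CBWFQ shares and report allocation problems."""
    priority = sum(p for kind, p in classes.values() if kind == "priority")
    bandwidth = sum(p for kind, p in classes.values() if kind == "bandwidth")
    findings = []
    if priority + bandwidth > 100:
        findings.append(f"oversubscribed: {priority + bandwidth}% allocated")
    for name, (kind, _) in classes.items():
        if kind is None:
            findings.append(f"{name}: no priority/bandwidth allocation")
    return {"priority": priority, "bandwidth": bandwidth, "findings": findings}


def provision(classes, reference_bps):
    """Per-class rate in bps, with percentages taken from reference_bps."""
    return {name: reference_bps * pct // 100
            for name, (_, pct) in classes.items()}


if __name__ == "__main__":
    classes = parse_policy_map(WAN_EDGE_QUEUING)
    print(audit(classes))
    shaped = provision(classes, 50_000_000)        # under "shape average 50M"
    unshaped = provision(classes, 1_000_000_000)   # GE line rate, no shaper
    for name in classes:
        print(f"{name:32} {shaped[name]:>12,} bps   (GE: {unshaped[name]:,})")
```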
DMVPN QoS Design
DMVPN Per Tunnel QoS
Per-Site Shaping to Avoid Overruns

100 Mbps into the DMVPN cloud can easily overrun the lower speed committed rates at spoke sites

[Figure: hub CE with a 100 Mbps Service Rate, "Shape only (100 Mbps)", connected through the DMVPN cloud to spoke CEs at 50 Mbps, 50 Mbps, 20 Mbps, 20 Mbps, 10 Mbps and 10 Mbps]

DMVPN Hub Per Tunnel QoS
Implementing Per-Site Traffic Shaping

Hub: separate parent shaper policies for each remote-site bandwidth. Bandwidth remaining ratio provides proportional sharing between tunnels.

policy-map GROUP-50MBPS-POLICY
 class class-default
  shape average 50 Mbps
  bandwidth remaining ratio 50
  service-policy WAN-EDGE-QUEUING
policy-map GROUP-20MBPS-POLICY
 class class-default
  shape average 20 Mbps
  bandwidth remaining ratio 20
  service-policy WAN-EDGE-QUEUING
policy-map GROUP-10MBPS-POLICY
 class class-default
  shape average 10 Mbps
  bandwidth remaining ratio 10
  service-policy WAN-EDGE-QUEUING

policy-map TRANSPORT-1-SHAPE-ONLY
 class class-default
  shape average 100 Mbps
!
interface GigabitEthernet0/0/3
 bandwidth 100000
 service-policy output TRANSPORT-1-SHAPE-ONLY
interface Tunnel10
 bandwidth 100000
 nhrp map group GROUP-10MBPS service-policy output GROUP-10MBPS-POLICY
 nhrp map group GROUP-20MBPS service-policy output GROUP-20MBPS-POLICY
 nhrp map group GROUP-50MBPS service-policy output GROUP-50MBPS-POLICY

• List all available policies as map groups on hub tunnel interface
• Add a class-default shape-only policy on the hub physical interface for the service rate

[Figure: Per-Tunnel shapers (50 Mbps BRR=50, 50 Mbps BRR=50, 20 Mbps BRR=20, 20 Mbps BRR=20, 10 Mbps BRR=10, 10 Mbps BRR=10) feeding the Service rate shaper, Shape (100 Mbps)]

Remote Site Tunnel Configurations
Signal from the spoke to the hub to use the correct policy for each remote site

10 Mbps spoke
interface GigabitEthernet0/0
 bandwidth 100000
 service-policy output POLICY-TRANSPORT-1
!
interface Tunnel10
 bandwidth 10000
 nhrp group GROUP-10MBPS
 tunnel source GigabitEthernet0/0
 tunnel vrf DNVPN-TRANSPORT-1

20 Mbps spoke
interface GigabitEthernet0/0
 bandwidth 20000
 service-policy output POLICY-TRANSPORT-1
!
interface Tunnel10
 bandwidth 20000
 nhrp group GROUP-20MBPS
 tunnel source GigabitEthernet0/0
 tunnel vrf DNVPN-TRANSPORT-1

50 Mbps spoke
interface GigabitEthernet0/0
 bandwidth 50000
 service-policy output POLICY-TRANSPORT-1
!
interface Tunnel10
 bandwidth 50000
 nhrp group GROUP-50MBPS
 tunnel source GigabitEthernet0/0
 tunnel vrf DNVPN-TRANSPORT-1

[Slide residue: "service-policy WAN"]

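Added example (not from the Cisco deck): a Python model of the hub behaviour described above, where each tunnel is capped by its own shaper and the 100 Mbps service rate is divided in proportion to the bandwidth remaining ratio when the tunnels together want more. It assumes an idealized weighted max-min scheduler, and the spoke names and offered loads are constructed for illustration.

```python
SERVICE_RATE = 100  # Mbps: hub "shape average 100 Mbps" on the physical interface

# (per-tunnel shape rate in Mbps, bandwidth remaining ratio), as in the slide's
# diagram of six tunnels. Spoke names are constructed for this example.
SPOKES = {
    "spoke-50a": (50, 50), "spoke-50b": (50, 50),
    "spoke-20a": (20, 20), "spoke-20b": (20, 20),
    "spoke-10a": (10, 10), "spoke-10b": (10, 10),
}


def share_service_rate(offered, spokes=SPOKES, service_rate=SERVICE_RATE):
    """Return {spoke: Mbps sent by the hub} for the given offered loads.

    Each tunnel can use at most min(shape rate, offered load). If those limits
    add up to more than the service rate, bandwidth is split by BRR weight, and
    whatever a tunnel cannot use is redistributed among the remaining tunnels.
    """
    limit = {n: min(spokes[n][0], offered.get(n, 0)) for n in spokes}
    weight = {n: spokes[n][1] for n in spokes}
    alloc = {n: 0.0 for n in spokes}
    active = {n for n in spokes if limit[n] > 0}
    remaining = float(service_rate)
    while active and remaining > 1e-9:
        total_w = sum(weight[n] for n in active)
        # Tunnels whose proportional share already covers everything they can use.
        capped = {n for n in active
                  if remaining * weight[n] / total_w >= limit[n]}
        if not capped:
            # Everyone left is constrained by the service rate: split by weight.
            for n in active:
                alloc[n] = remaining * weight[n] / total_w
            break
        for n in capped:
            alloc[n] = float(limit[n])
            remaining -= limit[n]
        active -= capped
    return alloc


def all_saturated():
    """Every spoke is offered more than its tunnel can carry."""
    return share_service_rate({n: 1000 for n in SPOKES})


def one_quiet_50():
    """spoke-50b only needs 5 Mbps; its unused share goes to the others."""
    loads = {n: 1000 for n in SPOKES}
    loads["spoke-50b"] = 5
    return share_service_rate(loads)


if __name__ == "__main__":
    for title, result in (("all saturated", all_saturated()),
                          ("spoke-50b quiet", one_quiet_50())):
        print(title)
        for name, mbps in result.items():
            print(f"  {name}: {mbps:6.2f} Mbps (shaper {SPOKES[name][0]} Mbps)")
```

In both cases no tunnel exceeds its own shaper, so the spoke's committed rate is never overrun, while the total never exceeds the hub's service rate.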
MPLS VPN QoS Design
MPLS VPN QoS
Enterprise to Service Provider Mapping: 4 Class SP Model Example

Application               DSCP   Remarked to   SPP1 (4-Class Model)
Internetwork Control      CS6                  (CS6 Sent Unchanged)
VoIP                      EF                   SP-VOICE (EF), PQ-10% BW
Broadcast Video           CS5    → AF31        SP-CLASS1DATA (AF31, UDP), 44% BWR
Multimedia Conferencing   AF41   → AF31        SP-CLASS1DATA
Real-Time Interactive     CS4    → AF31        SP-CLASS1DATA
Multimedia Streaming      AF31                 SP-CLASS1DATA
Signaling                 CS3    → AF21        SP-CLASS2DATA (AF21, TCP), 25% BWR
Transactional Data        AF21                 SP-CLASS2DATA
Network Management        CS2    → AF21        SP-CLASS2DATA
Bulk Data                 AF11   → AF21        SP-CLASS2DATA
Scavenger                 CS1                  SP-DEFAULT (DF), 31% BWR
Best Effort               DF                   SP-DEFAULT

BWR = Bandwidth Remaining

MPLS VPN QoS Bandwidth Alignment
4-Class SP Model Example

[Figure: two pie charts.
Enterprise classes: Voice 10%, Broadcast Video 10%, Real-Time Interactive 10%, Multimedia Conferencing 10%, Multimedia Streaming 10%, Signaling 2%, OAM 3%, Transactional Data 14%, Bulk Data 4%, Scavenger 1%, Best Effort 28%.
SP classes: SP-VOICE 10%, SP-CLASS1DATA 40%, SP-CLASS2DATA 23%, SP-DEFAULT 28%.]

MPLS VPN CE Edge Config: 4 Class Model

policy-map QUEUING-4CLASS-OUT
 class VOICE-DSCP
  priority percent 10
 class BROADCAST-DSCP
  priority percent 10
  set dscp af31
 class REALTIME-DSCP
  priority percent 10
  set dscp af31
 class MM_CONF-DSCP
  bandwidth percent 10
  fair-queue
  random-detect dscp-based
  set dscp af31
 class MM_STREAM-DSCP
  bandwidth percent 10
  fair-queue
  random-detect dscp-based
 class CONTROL-DSCP
  bandwidth percent 2
 class SIGNALING-DSCP
  bandwidth percent 2
  set dscp af21
 class OAM-DSCP
  bandwidth percent 3
  set dscp af21
 class TRANS-DATA-DSCP
  bandwidth percent 13
  fair-queue
  random-detect dscp-based
 class BULK-DATA-DSCP
  bandwidth percent 4
  fair-queue
  random-detect dscp-based
  set dscp af21
 class SCAVENGER-DSCP
  bandwidth percent 1
 class class-default
  bandwidth percent 25
  fair-queue
  random-detect dscp-based

policy-map HQOS-50M-4CLASS
 class class-default
  shape average 50M
  service-policy QUEUING-4CLASS-OUT

interface GigabitEthernet0/2
 description MPLS VPN Circuit from SJ-13-12 to RTP-Ridge-7 #WAN#50M#4-CLASS#
 service-policy output HQOS-50M-4CLASS

Campus QoS Design
The Case for Campus QoS

• The primary role of QoS in campus networks is to manage packet loss
  • In campus networks, it takes only a few milliseconds of congestion to cause drops
  • Rich media applications are extremely sensitive to packet drops
  • Queuing policies at every node can prevent packet loss for real-time apps
• The secondary role of QoS in campus networks is to condition traffic at the access edge, which can include any/all of the following:
  • Trust
  • Classify and Mark
  • Police

Why Is Video So Sensitive to Packet Loss?
1080p60: 1080 lines of Horizontal Resolution, 1920 lines of Vertical Resolution (Widescreen Aspect Ratio is 16:9)

  1080 x 1920 lines = 2,073,600 pixels per frame
  x 24 bits of color per pixel
  x 60 frames per second
  = 2,985,984,000 bps
  or 3 Gbps Uncompressed!

• Cisco (H.264/H.265) codecs transmit 3-5 Mbps per 1080p60 video stream, which represents over 99.8% compression (~ 1000:1)
• Packet loss is proportionally magnified by compression ratios
• Users can notice a single packet lost in 10,000, making HD video one hundred times more sensitive to packet loss than VoIP!

VoIP vs. HD Video: At the Packet Level
[Figure: two panels, Voice Packets and Video Packets, plotting packet size in Bytes (200 to 1400). Voice: Audio Samples every 20 msec. Video: one burst of packets per Frame every 33 msec.]

Campus QoS Design Considerations
How Long Can Queue-Buffers Accommodate Line-Rate Bursts?

GE Linecard Example (WS-X6148)
• Total Per-Port Buffer: 5.4 MB
• Total Per-Queue Buffer*: 1.35 MB
• Gbps Line Rate: 1 Gbps = 125 MB/s or 125 KB/ms
• Total Per-Queue Buffering Capacity: 10.8 ms
*Assuming (4) equal-sized queues

[Figure: KBytes Per ms (0 to 140) against msec over 1 second for a Gbps Line Rate burst, annotated "Begin dropping at 11 ms but overall utilization is only 1%!"]

Campus QoS Design Considerations
How Long Can Queue-Buffers Accommodate Line-Rate Bursts?

10 GE Linecard Example (WS-X6908)
• Total Per-Port Buffer: 90 MB
• Total Per-Queue Buffer*: 11.25 MB
• Gbps Line Rate: 10 Gbps = 1.25 GB/s or 1250 KB/ms
• Total Per-Queue Buffering Capacity: 9.0 ms
*Assuming (8) equal-sized queues

[Figure: KBytes Per ms (0 to 1400) against msec over 1 second for a 10 Gbps Line Rate burst, annotated "Begin dropping at 9 ms but overall utilization is still only 1%!"]

Congestion at the Access Layer of the Campus
[Figure: campus topology; legend: GE Link, 10GE Link, 40GE Link]

Congestion at the Access Layer of the Campus
[Figure: campus topology; legend: GE Link, 10GE Link, 40GE Link; annotation: x 11]

Congestion at the Distribution Layer of the Campus
[Figure: campus topology; legend: GE Link, 10GE Link, 40GE Link]

Congestion at the Core Layer of the Campus
[Figure: campus topology; legend: GE Link, 10GE Link, 40GE Link]

Know Your Tools
• Catalyst switch hardware
• Software and Syntax
• Global Default QoS Settings
• Trust States and Conditional Trust
• Logical vs. Physical Interface QoS
• Ingress and Egress Queuing Models

Hardware Varies
[Figure: four picture slides, each comparing Economy, Utility and Performance models: American Version (2018 Cisco Live Orlando), German Version (2017 Cisco Live Berlin), Italian Version (2015 Cisco Live Milan), Canadian Version (2017 Cisco Connect Toronto)]

Catalyst Hardware Queuing
1P3Q1T Example
• 1 Priority Queue
• 3 Non-Priority Queues
• Each queue has 1 Drop Threshold (the tail of the queue)

Catalyst Hardware Queuing
1P3Q1T Example
[Figure: queue servicing, annotated "Interrupt Scheduling" and "Resume Scheduling"]

Weighted Tail Drop (WTD) Operation
3T WTD Example

[Figure: queue drawn from Tail of Queue to Front of Queue with the Packet Flow Direction]
• Red Minimum WTD Threshold 1: Begin tail dropping red packets
• Yellow Minimum WTD Threshold 2: Begin tail dropping yellow packets
• Tail of Queue is WTD Threshold 3

Weighted Random Early Detect (WRED) Operation
4T WTD Example

[Figure: queue drawn from Tail of Queue to Front of Queue with the Packet Flow Direction]
• AF13 Minimum WRED Threshold: Begin randomly dropping AF13 Packets
• AF12 Minimum WRED Threshold: Begin randomly dropping AF12 Packets
• AF11 Minimum WRED Threshold: Begin randomly dropping AF11 Packets

Maximum WRED Thresholds for AF11, AF12 and AF13 are set to the tail of the queue in this example

Software and Syntax Variations
• Catalyst 2960-X / 3560 / 3750 are the last platforms to use Multilayer Switch QoS (MLS QoS)
  • QoS is disabled by default and must be globally enabled with mls qos command
  • Once enabled, all ports are set to an untrusted port-state
• Catalyst 3650/3850/9300/9400/9500 and 4500 use IOS Modular QoS Command Line Interface (MQC)
  • QoS is enabled by default
  • All ports are trusted at layer 2 and layer 3 by default
• Catalyst 6500/6800 use Cisco Common Classification Policy Language (C3PL) QoS
  • QoS is enabled by default (Sup2T), disabled by default (Sup720)
  • All ports are trusted at layer 2 and layer 3 by default
  • C3PL presents queuing policies similar to MQC, but as a defined “type” of policy
• Nexus 7000/7700 use NX-OS QoS
  • QoS is enabled by default
  • All ports are trusted at layer 2 and layer 3 by default
  • NX-OS presents queuing policies similar to MQC, but as a defined “type” and with default class-map names

Trust Boundaries
The trust boundary is the edge where Layer 2 (CoS / UP) and/or Layer 3 (DSCP) markings are accepted or rejected

[Figure: three trust boundaries at the access edge, one per device type]
• Untrusted / User-Administered Devices: no mls qos trust
• Trusted Centrally-Administered Devices: mls qos trust dscp
• Centrally-Administered & Conditionally-Trusted Devices: mls qos trust device
  • cisco-phone
  • cts
  • ip-camera
  • media-player

Policy Enforcement Points (PEPs)
• The Policy Enforcement Point (PEP) is the edge where classification and marking policies are enforced
• The PEP may or may not be the same as the trust boundary
• Multiple PEPs may exist for different types of network devices
  • e.g. switch PEP vs. router PEP

Note: For the sake of simplification, in this deck PEP will refer to classification and marking policy enforcement points (only) and will not include other policy enforcement points (e.g. queuing).

[Figure labels: Trust Boundary, Switch PEP, Router PEP]

EtherChannel QoS
• EtherChannels are comprised of logical (port-channel) interfaces and physical (port-member) interfaces

Platform | QoS Policies Applied to the (Logical) Port-Channel Interface | QoS Policies Applied to the (Physical) Port-Member Interfaces
Catalyst 2960-X | - | Classification & Marking (Ingress) and Queuing (Egress)
Catalyst 3650/3850 | - | Classification & Marking (Ingress) and Queuing (Egress)
Catalyst 4500 | Classification & Marking (Ingress) | Queuing (Egress)
Catalyst 6500 | Classification & Marking (Ingress) | Queuing (Ingress & Egress)
Cisco Nexus 7000/7700 | Classification & Marking (Ingress) and Queuing (Ingress & Egress) | -

Campus QoS Design Best Practices
• Always perform QoS in hardware rather than software when a choice exists
• Classify and mark applications as close to their sources as technically and
administratively feasible
• Police unwanted traffic flows as close to their sources as possible
• Enable queuing policies at every node where the potential for congestion exists

Campus Port QoS Roles

Untrusted Endpoint:
• Port Set to Untrusted State (or Explicit Policy to Mark to DSCP 0)
• [Optional Ingress Marking and/or Policing]
• [Ingress and] Egress Queuing

Conditionally-Trusted Endpoint
• Conditional-Trust with Trust-CoS or DSCP
• [Optional Ingress Marking and/or Policing]
• [Ingress and] Egress Queuing

Trusted Port
• Trust DSCP (Default on all non-MLS QoS platforms)
• [Ingress and] Egress Queuing
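
A check for the port roles above, as an added example that is not part of the original deck: on the MQC platforms every port trusts DSCP by default, so an endpoint-facing port only becomes untrusted or conditionally trusted through explicit configuration. The script classifies each interface of a constructed running-config excerpt; using `switchport mode access` as the marker of an endpoint-facing port, and the policy name MARK-DSCP-0, are assumptions.

```python
import re

# Constructed running-config excerpt (sample input, not taken from the deck).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description IP phone + PC
 switchport mode access
 trust device cisco-phone
 service-policy input CISCO-IPPHONE
 service-policy output 2P6Q3T
!
interface GigabitEthernet1/0/2
 description guest PC
 switchport mode access
 service-policy input MARK-DSCP-0
 service-policy output 2P6Q3T
!
interface GigabitEthernet1/0/3
 description lab PC
 switchport mode access
 service-policy output 2P6Q3T
!
interface GigabitEthernet1/0/4
 description printer
 switchport mode access
!
interface TenGigabitEthernet1/1/1
 description uplink to distribution
 switchport mode trunk
 service-policy output 2P6Q3T
"""


def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from IOS-style config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        header = re.match(r"^interface\s+(.+?)\s*$", line)
        if header:
            # "GigabitEthernet 1/0/1" and "GigabitEthernet1/0/1" name the same port.
            current = header.group(1).replace(" ", "")
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return interfaces


def _argument(commands, prefix):
    """Last word of the first sub-command starting with prefix, else None."""
    return next((c.split()[-1] for c in commands if c.startswith(prefix)), None)


def classify_port(commands):
    """Map one interface to a port role from the slide and list the gaps."""
    is_access = "switchport mode access" in commands
    trust_device = _argument(commands, "trust device ")
    ingress = _argument(commands, "service-policy input ")
    egress = _argument(commands, "service-policy output ")

    findings = []
    if trust_device:
        role = "conditionally-trusted"
    elif ingress:
        role = "explicit-policy"
    else:
        role = "trusted-by-default"  # MQC default: DSCP accepted as received
        if is_access:
            findings.append("access port accepts endpoint markings: no ingress policy")
    if not egress:
        findings.append("no egress queuing policy")
    return role, findings


def audit(config):
    """Classify every interface in the config text."""
    return {name: classify_port(cmds) for name, cmds in parse_interfaces(config).items()}


if __name__ == "__main__":
    for name, (role, findings) in audit(SAMPLE_CONFIG).items():
        print(f"{name:28} {role:22} {'; '.join(findings) or 'ok'}")
```

The role "explicit-policy" only records that an ingress service-policy is attached; what that policy marks or polices still has to be read from its policy-map.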

Campus QoS Design—At-A-Glance

https://cisco.box.com/v/QoS-AAGs

Catalyst 3650/3850
and Catalyst 9300/9400/9500
QoS Design
Catalyst 3650/3850/9300
QoS Roles in the Campus Access

[Figure: C3650/3850 access switch between endpoints and the distribution switches; port roles shown:]
• No Trust + Egress Queuing
• Trust DSCP + Egress Queuing
• Conditional Trust + Egress Queuing
• Classification/Marking + [Optional Policing] + Egress Queuing

Catalyst 3650/3850/9300
QoS Design Steps
1. Configure Ingress QoS Model(s):
  • Trust DSCP Model*
  • Conditional Trust Models
  • Service Policy Models
2. Configure Egress Queuing
  • Wired Queuing Models (2P6Q3T)

*Note: Catalyst 3650/3850/9300 use IOS MQC, which trusts by default; therefore no explicit policy is required for DSCP trust

Catalyst 3650/3850/9300
Conditional Trust Models
Conditional-Trust Models:
interface GigabitEthernet 1/0/1
 trust device cisco-phone [or]
 trust device cts [or]
 trust device ip-camera [or]
 trust device media-player

Note: Only one type of device can be configured for conditional trust on an interface at a given time

Conditional-Trust (Cisco IP Phone) Example:
class-map match-any VOICE
 match cos 5
class-map match-any SIGNALING
 match cos 3

policy-map CISCO-IPPHONE
 class VOICE
  set dscp ef
 class SIGNALING
  set dscp cs3
 class class-default
  set dscp default

interface GigabitEthernet 1/0/1
 trust device cisco-phone
 service-policy input CISCO-IPPHONE

Note: CoS must be matched as Cisco IP Phones only remark at Layer 2
Note: “match-all” supported as of IOS XE 16.8

Catalyst 3650/3850/9300
Classification Options

• ACL-based classification: match access-group ACL_NAME


• Syntax is identical to Catalyst 2K ACL-based classification & marking examples

• NBAR2 classification (as of IOS XE 16.3): match protocol APPLICATION

NBAR in Hardware—Yesterday
• Cisco Catalyst 6500 Sup32 Programmable Intelligent Services Accelerator
(PISA)—Jan 2007
• Supported 90+ protocols
• Maximum Throughput: 2 Gbps
• MSRP ~$30K

NBAR2 in Hardware—Today
• UADP-based platforms:
  • Catalyst 3650
  • Catalyst 3850
  • Catalyst 9000-series (UADP 2.0)
• Supports 1400+ protocols (1400% increase)
• Maximum Throughput (Catalyst 3850 / 3650):
  • ~500 connections per second
  • Up to 5,000 bi-directional flows (24 access ports)
  • Up to 10,000 bi-directional flows (48 access ports)
• MSRP (beginning at) ~$3K (90% decrease)

Catalyst 3650/3850 IOS XE 16.3
Configuring NBAR2 QoS Policies

class-map match-any VOICE
 match protocol cisco-phone
 match protocol cisco-jabber-audio
 match protocol ms-lync-audio
 match protocol citrix-audio
class-map match-any BROADCAST-VIDEO
 match protocol cisco-ip-camera
class-map match-any REAL-TIME-INTERACTIVE
 match protocol telepresence-media
class-map match-any CALL-SIGNALING
 match protocol skinny
 match protocol telepresence-control
class-map match-any TRANSACTIONAL-DATA
 match protocol citrix
 match protocol sap
class-map match-any BULK-DATA
 match protocol attribute category email
 match protocol attribute category file-sharing
 match protocol attribute sub-category backup-systems
class-map match-any SCAVENGER
 match protocol attribute category gaming
 match protocol attribute application-group skype-group

policy-map NBAR-MARKING
 class VOICE
  set dscp ef
 class BROADCAST-VIDEO
  set dscp cs5
 class REAL-TIME-INTERACTIVE
  set dscp cs4
 class CALL-SIGNALING
  set dscp cs3
 class TRANSACTIONAL-DATA
  set dscp af21
 class BULK-DATA
  set dscp af11
 class SCAVENGER
  set dscp cs1
 class class-default
  set dscp default

Note: match protocol enables NBAR2 classification
Note: Up to 16 match protocol statements are supported per class-map
Note: Multiple application protocols can be identified using attributes, including:
  • category
  • sub-category
  • application-group

Catalyst 3650/3850/9300/9400/8500 IOS XE 16.8
NBAR2 QoS Attributes Support
class-map match-all VOICE
 match protocol attribute traffic-class voip-telephony
 match protocol attribute business-relevance business-relevant
class-map match-all BROADCAST-VIDEO
 match protocol attribute traffic-class broadcast-video
 match protocol attribute business-relevance business-relevant
class-map match-all REAL-TIME-INTERACTIVE
 match protocol attribute traffic-class real-time-interactive
 match protocol attribute business-relevance business-relevant
class-map match-all MULTIMEDIA-CONFERENCING
 match protocol attribute traffic-class multimedia-conferencing
 match protocol attribute business-relevance business-relevant
class-map match-all MULTIMEDIA-STREAMING
 match protocol attribute traffic-class multimedia-streaming
 match protocol attribute business-relevance business-relevant
class-map match-all SIGNALING
 match protocol attribute traffic-class signaling
 match protocol attribute business-relevance business-relevant
class-map match-all NETWORK-CONTROL
 match protocol attribute traffic-class network-control
 match protocol attribute business-relevance business-relevant
class-map match-all NETWORK-MANAGEMENT
 match protocol attribute traffic-class ops-admin-mgmt
 match protocol attribute business-relevance business-relevant
class-map match-all TRANSACTIONAL-DATA
 match protocol attribute traffic-class transactional-data
 match protocol attribute business-relevance business-relevant
class-map match-all BULK-DATA
 match protocol attribute traffic-class bulk-data
 match protocol attribute business-relevance business-relevant
class-map match-all SCAVENGER
 match protocol attribute business-relevance business-irrelevant

policy-map MARKING
 class VOICE
  set dscp ef
 class BROADCAST-VIDEO
  set dscp cs5
 class REAL-TIME-INTERACTIVE
  set dscp cs4
 class MULTIMEDIA-CONFERENCING
  set dscp af41
 class MULTIMEDIA-STREAMING
  set dscp af31
 class SIGNALING
  set dscp cs3
 class NETWORK-CONTROL
  set dscp cs6
 class NETWORK-MANAGEMENT
  set dscp cs2
 class TRANSACTIONAL-DATA
  set dscp af21
 class BULK-DATA
  set dscp af11
 class SCAVENGER
  set dscp cs1
 class class-default
  set dscp default
Catalyst 3650/3850/9300
Marking & Policing Policy Example

table-map TABLE-MAP
 map from 0 to 8
 map from 10 to 8
 map from 18 to 8

policy-map MARKING&POLICING
 class VVLAN-VOIP
  set dscp ef
  police 128k
   conform-action transmit
   exceed-action drop
 class VVLAN-SIGNALING
  set dscp cs3
  police 32k
   conform-action transmit
   exceed-action drop
 class MULTIMEDIA-CONFERENCING
  set dscp af41
  police 5m
   conform-action transmit
   exceed-action drop
 class SIGNALING
  set dscp cs3
  police 32k
   conform-action transmit
   exceed-action drop
 …
 [continued]
 class TRANSACTIONAL-DATA
  set dscp af21
  police 10m
   conform-action transmit
   exceed-action TABLE-MAP
 class BULK-DATA
  set dscp af11
  police 10m
   conform-action transmit
   exceed-action TABLE-MAP
 class SCAVENGER
  set dscp cs1
  police 10m
   conform-action transmit
   exceed-action drop
 class class-default
  set dscp default
  police 10m
   conform-action transmit
   exceed-action TABLE-MAP

Note: All markdown and/or mapping operations are configured through table-maps
Note: Policing to remark traffic is done by referencing the previously-configured table-map
Note: Policers may be set to either remark or drop excess traffic
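
How the policers in this policy treat a flow that exceeds its rate, as an added example that is not part of the original deck: a single-rate, two-colour token bucket applied to three of the classes above, with excess traffic either dropped or marked down through TABLE-MAP. The 8000-byte burst is an assumption borrowed from the `bc 8000` in the deck's Catalyst 4500 policy (the 3650/3850 slide gives no burst), and the traffic is constructed.

```python
US = 1_000_000          # microseconds per second
BURST_BYTES = 8000      # assumption: "bc 8000" from the Catalyst 4500 example

# table-map TABLE-MAP from the slide: DF, AF11 and AF21 are marked down to CS1.
TABLE_MAP = {0: 8, 10: 8, 18: 8}

DSCP = {"ef": 46, "cs3": 24, "af21": 18, "af11": 10, "cs1": 8, "default": 0}

# Subset of policy-map MARKING&POLICING: class -> (set dscp, police rate, exceed-action)
POLICY = {
    "VVLAN-VOIP": ("ef", "128k", "drop"),
    "TRANSACTIONAL-DATA": ("af21", "10m", "TABLE-MAP"),
    "SCAVENGER": ("cs1", "10m", "drop"),
}


def parse_rate(text):
    """Convert an IOS-style rate such as '128k' or '10m' to bits per second."""
    multipliers = {"k": 1_000, "m": 1_000_000}
    if text[-1] in multipliers:
        return int(text[:-1]) * multipliers[text[-1]]
    return int(text)


class Policer:
    """Single-rate, two-colour token bucket.

    Tokens are kept as integer bit-microseconds so that refill and debit
    are exact and boundary cases do not depend on float rounding.
    """

    def __init__(self, rate_bps, burst_bytes=BURST_BYTES):
        self.rate_bps = rate_bps
        self.depth = burst_bytes * 8 * US
        self.tokens = self.depth        # bucket starts full
        self.last_us = 0

    def conforms(self, t_us, size_bytes):
        # Refill for the elapsed time, capped at the burst size.
        self.tokens = min(self.depth, self.tokens + self.rate_bps * (t_us - self.last_us))
        self.last_us = t_us
        need = size_bytes * 8 * US
        if need <= self.tokens:
            self.tokens -= need
            return True
        return False                    # exceeding packets consume no tokens


def police_flow(class_name, packets):
    """Return the egress DSCP of each packet, or None where it is dropped.

    packets is a list of (arrival time in microseconds, size in bytes).
    """
    mark, rate, exceed = POLICY[class_name]
    dscp = DSCP[mark]                   # "set dscp" is applied before markdown
    policer = Policer(parse_rate(rate))
    egress = []
    for t_us, size in packets:
        if policer.conforms(t_us, size):
            egress.append(dscp)
        elif exceed == "drop":
            egress.append(None)
        else:
            egress.append(TABLE_MAP.get(dscp, dscp))
    return egress


def constant_flow(count, interval_us, size_bytes):
    """Constructed traffic: equally spaced packets of one size."""
    return [(i * interval_us, size_bytes) for i in range(count)]


if __name__ == "__main__":
    # 1500-byte packets every 500 us = 24 Mbps offered to a 10 Mbps policer.
    print("TRANSACTIONAL-DATA:", police_flow("TRANSACTIONAL-DATA", constant_flow(20, 500, 1500)))
    # 1500-byte packets every 1 ms = 12 Mbps of bulk traffic landing in the voice class.
    print("VVLAN-VOIP:        ", police_flow("VVLAN-VOIP", constant_flow(20, 1000, 1500)))
```

In both runs the burst allowance passes the first packets at the marked DSCP before the policer starts remarking or dropping, which is why the burst value matters as much as the rate when sizing a policer.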
Catalyst Hardware Queuing
2P6Q3T Example

[Figure: 2P6Q3T queuing diagram; labels: PQ1, PQ2, Interrupt Scheduling (shown for each priority queue)]

Catalyst 3650/3850/9300/9400/9500
2P6Q3T with Weighted Tail Drop (WTD) Wired Port Egress Queuing Model
BWR = Bandwidth Remaining; WTD = Weighted Tail Drop

Application | DSCP | 2P6Q3T Queue
Network Control | (CS7) | Q6 (BWR 10%)
Internetwork Control | CS6 | Q6 (BWR 10%)
VoIP | EF | PQ Level 1 (10%)
Broadcast Video | CS5 | PQ Level 2 (20%)
Multimedia Conferencing | AF4 | Q5 (BWR 10% + WTD)
Realtime Interactive | CS4 | PQ Level 2 (20%)
Multimedia Streaming | AF3 | Q4 (BWR 10% + DSCP-Based WTD)
Signaling | CS3 | Q6 (BWR 10%)
Transactional Data | AF2 | Q3 (BWR 10% + DSCP-Based WTD)
Network Management | CS2 | Q6 (BWR 10%)
Bulk Data | AF1 | Q2 (BWR 5% + DSCP-Based WTD)
Scavenger | CS1 | Q2 (BWR 5% + DSCP-Based WTD)
Best Effort | DF | Q1 (BWR 25%)

Catalyst 3650/3850/9300/9500
2P6Q3T+WTD Wired Port Egress Queuing Config – Part 1 of 2
class-map match-any VOICE-PQ1
 match dscp ef
class-map match-any VIDEO-PQ2
 match dscp cs4
 match dscp cs5
class-map match-any CONTROL-MGMT-QUEUE
 match dscp cs7 cs6 cs3 cs2
class-map match-any MULTIMEDIA-CONFERENCING-QUEUE
 match dscp af41 af42 af43
class-map match-any MULTIMEDIA-STREAMING-QUEUE
 match dscp af31 af32 af33
class-map match-any TRANSACTIONAL-DATA-QUEUE
 match dscp af21 af22 af23
class-map match-any SCAVENGER-BULK-DATA-QUEUE
 match dscp cs1 af11 af12 af13

Catalyst 3650/3850/9300/9500
2P6Q3T+WTD Wired Port Egress Queuing Config – Part 2 of 2
policy-map 2P6Q3T
 class VOICE-PQ1
  priority level 1
  police rate percent 10
 class VIDEO-PQ2
  priority level 2
  police rate percent 20
 class CONTROL-MGMT-QUEUE
  bandwidth remaining percent 10
  queue-buffers ratio 10
 class MULTIMEDIA-CONFERENCING-QUEUE
  bandwidth remaining percent 10
  queue-buffers ratio 10
  queue-limit dscp af43 percent 80
  queue-limit dscp af42 percent 90
 …
 [continued]
 class MULTIMEDIA-STREAMING-QUEUE
  bandwidth remaining percent 10
  queue-buffers ratio 10
  queue-limit dscp af33 percent 80
  queue-limit dscp af32 percent 90
 class TRANSACTIONAL-DATA-QUEUE
  bandwidth remaining percent 10
  queue-buffers ratio 10
  queue-limit dscp af23 percent 80
  queue-limit dscp af22 percent 90
 class SCAVENGER-BULK-DATA-QUEUE
  bandwidth remaining percent 5
  queue-buffers ratio 10
  queue-limit dscp values af13 cs1 percent 80
  queue-limit dscp values af12 percent 90
 class class-default
  bandwidth remaining percent 25
  queue-buffers ratio 25

interface range GigabitEthernet 1/0/1-48
 service-policy output 2P6Q3T

Note: Two-levels of priority queuing are supported
Note: If a PQ is enabled then non-PQs must use bandwidth remaining
Note: queue-buffers ratio allocates buffers to queues
Note: queue-limit tunes WTD to align to an AF PHB

Catalyst 3650/3850/9300/9400/9500
Hierarchical QoS Policies—Queuing within Shaped Rate Example

policy-map 50MBPS-SHAPER
 class class-default
  shape average 50000000
  service-policy 2P6Q3T

interface GigabitEthernet 1/0/1
 service-policy output 50MBPS-SHAPER

Note: shape average defines the sub-line rate (CIR)
Note: The shaper provides back-pressure to the system to engage the (previously-defined) queuing policy, so that packets are properly prioritized within the sub-line rate
Note: Only the Hierarchical Shaping policy is attached to the interface(s)

Catalyst 3650/3850 QoS Design—At-A-Glance

https://cisco.box.com/v/QoS-AAGs

Catalyst 4500
QoS Design
Catalyst 4500
QoS Roles in the Campus Distribution

[Figure: Catalyst 4500 distribution switches between the access switches and the core switches; port role shown: Trust DSCP + Egress Queuing]

Catalyst 4500
QoS Design Steps
1. Configure Ingress QoS Model(s):
  • DSCP-Trust Model*
  • Conditional Trust Model
  • Service Policy Models
2. Configure Egress Queuing

*Note: Catalyst 4500 uses IOS MQC, which trusts by default; therefore no explicit policy is required for DSCP trust

Catalyst 4500
Conditional Trust Example
class-map match-all VOICE
 match cos 5
class-map match-all SIGNALING
 match cos 3

policy-map CISCO-IPPHONE
 class VOICE
  set dscp ef
 class SIGNALING
  set dscp cs3
 class class-default
  set dscp default

interface GigabitEthernet 3/1
 qos trust device cisco-phone
 service-policy input CISCO-IPPHONE

Note: Catalyst 4500 supports both match-all (logical AND) and match-any (logical OR) operators
Note: Conditional trust command (trust device) must be prefaced by qos on the Catalyst 4500

Catalyst 4500
Part 1 of 2 – Marking & Policing Policy Example
policy-map MARKING&POLICING
 class VOIP
  police 128k bc 8000
   conform-action set-dscp-transmit ef
   exceed-action drop
 class SIGNALING
  police 32k bc 8000
   conform-action set-dscp-transmit cs3
   exceed-action drop
 class MULTIMEDIA-CONFERENCING
  police 5m bc 8000
   conform-action set-dscp-transmit af41
   exceed-action set-dscp-transmit af42
 class TRANSACTIONAL-DATA
  police 10m bc 8000
   conform-action set-dscp-transmit af21
   exceed-action set-dscp-transmit af22

Note: Marking/remarking is configured as part of the policing action (i.e. no table-map or markdown-map is referenced)

Catalyst 4500
Part 2 of 2 – Marking & Policing Policy Example

 class BULK-DATA
  police 10m bc 8000
   conform-action set-dscp-transmit af11
   exceed-action set-dscp-transmit af12
 class SCAVENGER
  police 10m bc 8000
   conform-action set-dscp-transmit cs1
   exceed-action drop
 class class-default
  police 10m bc 8000
   conform-action set-dscp-transmit default
   exceed-action set-dscp-transmit cs1

interface GigabitEthernet 3/1
 service-policy input MARKING&POLICING

Catalyst 4500
1P7Q1T+Dynamic Buffer Limiting (DBL) Egress Queuing Model

Application | DSCP | 1P7Q1T (+DBL) Queue
Network Control | (CS7) | Q7 (BWR 10%)
Internetwork Control | CS6 | Q7 (BWR 10%)
VoIP | EF | PQ
Broadcast Video | CS5 | PQ
Multimedia Conferencing | AF4 | Q6 (BWR 10%)
Realtime Interactive | CS4 | PQ
Multimedia Streaming | AF3 | Q5 (BWR 10%)
Signaling | CS3 | Q7 (BWR 10%)
Transactional Data | AF2 | Q4 (BWR 10%)
Network Management | CS2 | Q7 (BWR 10%)
Bulk Data | AF1 | Q3 (BWR 4%)
Scavenger | CS1 | Q2 (BWR 1%)
Best Effort | DF | Q1 (25%)

Catalyst 4500
1P7Q1T+DBL Egress Queuing Config

class-map match-all PRIORITY-QUEUE
 match dscp cs4 cs5 ef
class-map match-all CONTROL-MGMT-QUEUE
 match dscp cs7 cs6 cs3 cs2
class-map match-all MULTIMEDIA-CONFERENCING-QUEUE
 match dscp af41 af42 af43
class-map match-all MULTIMEDIA-STREAMING-QUEUE
 match dscp af31 af32 af33
class-map match-all TRANSACTIONAL-DATA-QUEUE
 match dscp af21 af22 af23
class-map match-all BULK-DATA-QUEUE
 match dscp af11 af12 af13
class-map match-all SCAVENGER-QUEUE
 match dscp cs1

policy-map 1P7Q1T
 class PRIORITY-QUEUE
  priority
 class CONTROL-MGMT-QUEUE
  bandwidth remaining percent 10
 class MULTIMEDIA-CONFERENCING-QUEUE
  bandwidth remaining percent 10
 class MULTIMEDIA-STREAMING-QUEUE
  bandwidth remaining percent 10
 class TRANSACTIONAL-DATA-QUEUE
  bandwidth remaining percent 10
  dbl
 class BULK-DATA-QUEUE
  bandwidth remaining percent 4
  dbl
 class SCAVENGER-QUEUE
  bandwidth remaining percent 1
 class class-default
  bandwidth remaining percent 25
  dbl

service-policy output 1P7Q1T

Note: priority enables the PQ
Note: If PQ is enabled then bandwidth remaining must be used
Note: DBL can be enabled on a per-class basis, but should not be enabled on the PQ or Control traffic queues
Note: Enabling DBL on UDP-based queues and/or Scavenger queue is optional

Catalyst 4500 Campus QoS Design At-A-Glance

https://cisco.box.com/v/QoS-AAGs
Catalyst 6500/6800
QoS Design
Cisco Catalyst 6500/6800
QoS Roles in the Campus Core

Catalyst 6500/6800
Core Switches

Trust DSCP
+ Ingress Queuing
+ Egress Queuing

Cisco Catalyst 6500/6800
QoS Design Steps

1. Configure Ingress Queuing
2. Configure Egress Queuing

Note: Catalyst 6500 IOS C3PL trusts by default; therefore no explicit policy is required for DSCP trust

Cisco Catalyst 6500/6800
2P6Q4T (Ingress & Egress Queuing Models—DSCP-to-Queue)

Application-Class | DSCP | 2P6Q4T Queue
Network Control | (CS7) | Control/Mgmt Queue (5% BWR)
Internetwork Control | CS6 | Control/Mgmt Queue (5% BWR)
VoIP | EF | Voice-PQ1 (Priority Level 1)
Broadcast Video | CS5 | Video-PQ2 (Priority Level 2)
Multimedia Conferencing | AF4 | Multimedia-Conferencing Queue (20% BWR + DSCP-WRED)
Realtime Interactive | CS4 | Video-PQ2 (Priority Level 2)
Multimedia Streaming | AF3 | Multimedia-Streaming Queue (20% BWR + DSCP-WRED)
Signaling | CS3 | Control/Mgmt Queue (5% BWR)
Transactional Data | AF2 | Transactional Data Queue (10% BWR + DSCP-WRED)
Network Management | CS2 | Control/Mgmt Queue (5% BWR)
Bulk Data | AF1 | Bulk Data Queue (5% BWR + DSCP-WRED)
Scavenger | CS1 | Bulk Data Queue (5% BWR + DSCP-WRED)
Best Effort | DF | Default Queue (WRED)

Note: All Catalyst 6500-Sup2T Queuing Models are detailed in the Appendix
Note: Ingress and Egress queuing models vary by line card/module. Refer to the 6500/6800 QoS Configuration Guide or data sheets to ensure that you use the proper queuing module for a given line card.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup2T/15_1_sy_swcg_2T/qos_policy_based_queueing.html

Cisco Catalyst 6500/6800—2P6Q4T Model
Part 1 of 3—Common Ingress & Egress Queuing Class-Maps

class-map type lan-queuing match-all VOICE-PQ1
 match dscp ef
class-map type lan-queuing match-all VIDEO-PQ2
 match dscp cs4 cs5
class-map type lan-queuing match-all CONTROL-MGMT-QUEUE
 match dscp cs2 cs3 cs6 cs7
class-map type lan-queuing match-all MULTIMEDIA-CONFERENCING-QUEUE
 match dscp af41 af42 af43
class-map type lan-queuing match-all MULTIMEDIA-STREAMING-QUEUE
 match dscp af31 af32 af33
class-map type lan-queuing match-all TRANSACTIONAL-DATA-QUEUE
 match dscp af21 af22 af23
class-map type lan-queuing match-all SCAVENGER-BULK-DATA-QUEUE
 match dscp cs1 af11 af12 af13

Note: Unless specified otherwise, the default C3PL class-map and policy-map type is qos (classification, marking, policing)
Note: Class-maps and policy-maps used for ingress and/or egress queuing policies must be explicitly configured as type lan-queuing
Note: A C3PL interface may support up to 4 QoS policies:
  • service-policy type qos input
  • service-policy type qos output
  • service-policy type lan-queuing input
  • service-policy type lan-queuing output

Cisco Catalyst 6500/6800—2P6Q4T Model
Part 2 of 3—2P6Q4T Queuing Policy-Map
policy-map type lan-queuing 2P6Q4T
 class VOICE-PQ1
  priority level 1
 class VIDEO-PQ2
  priority level 2
 class CONTROL-MGMT-QUEUE
  bandwidth remaining percent 5
 class MULTIMEDIA-CONFERENCING-QUEUE
  bandwidth remaining percent 20
  random-detect dscp af41 percent 80 100
  random-detect dscp af42 percent 70 100
  random-detect dscp af43 percent 60 100
 class MULTIMEDIA-STREAMING-QUEUE
  bandwidth remaining percent 20
  random-detect dscp af31 percent 80 100
  random-detect dscp af32 percent 70 100
  random-detect dscp af33 percent 60 100

Note: Policy-map must be defined as type lan-queuing
Note: priority level 1 enables egress Priority Queue 1 (highest level of service)
Note: priority level 2 enables egress Priority Queue 2 (can only be interrupted by PQ1)
Note: bandwidth remaining is required (as PQ is enabled)
Note: random-detect dscp tunes WRED to better align to the AF PHB

Cisco Catalyst 6500/6800—2P6Q4T Model
Part 3 of 3—2P6Q4T Queuing Policy-Map (continued)
 [continued]
 class TRANSACTIONAL-DATA-QUEUE
  bandwidth remaining percent 10
  random-detect dscp-based
  random-detect dscp af21 percent 80 100
  random-detect dscp af22 percent 70 100
  random-detect dscp af23 percent 60 100
 class SCAVENGER-BULK-DATA-QUEUE
  bandwidth remaining percent 5
  random-detect dscp-based
  random-detect dscp af11 percent 80 100
  random-detect dscp af12 percent 70 100
  random-detect dscp cs1 percent 50 100
 class class-default
  random-detect dscp-based
  random-detect dscp default percent 80 100

service-policy type lan-queuing input 2P6Q4T
service-policy type lan-queuing output 2P6Q4T

Note: type lan-queuing must also be specified in the service-policy statement

Cisco Catalyst 6500 QoS Design At-A-Glance

https://cisco.box.com/v/QoS-AAGs

Campus QoS Design
Key Takeaways
• Start by defining your QoS Strategy
• Campus QoS is needed primarily to control packet drops
• Know your QoS toolset, as this varies platform-to-platform
• Cisco provides many At-A-Glance guides to get you up and running quickly
• Cisco also provides Cisco Validated Design guides for more detail

WLAN QoS Design
The Case for Wireless QoS

• QoS is like a chain
  • It’s only as strong as its weakest link
• The WLAN is one of the weakest links in enterprise QoS designs for three primary reasons:
  1) Typical downshift in speed (and throughput)
  2) Shift from full-duplex to half-duplex media
  3) Shift from a dedicated media to a shared media
• WLAN QoS policies control both jitter and packet loss

Wireless QoS-Specific Limitations
• No priority servicing
• No bandwidth guarantees
• Non-deterministic media access
• Only 4 levels of service

[Figure: LAN QoS compared with WLAN QoS]

WLAN QoS Improvements Quantified
Application | Original Metric | Improved Metric | Percentage Improvement
Voice | 15 ms max jitter; 3.92 MOS (Cellular Quality) | 5 ms max jitter; 4.2 MOS (Toll Quality) | 300%
Video | 9 fps; Visual MOS: Good | 14 fps; Visual MOS: Excellent | 55%
Transactional Data | 14 ms latency | 2 ms latency | 700%

http://www.cisco.com/en/US/prod/collateral/wireless/cisco_avc_application_improvement.pdf

Know Your Tools
• Trust Boundaries and PEPs
• IEEE 802.11 User Priorities (UP)
• Enhanced Distributed Coordination Function (EDCF)
• L2/L3 Marking and Mapping

Cisco AireOS WLC
QoS Roles in the Wireless LAN

• AireOS WLCs are deployed in a Centralized Deployment Model, where:
  • Trust Boundary is at the WLC
  • PEP is at the WLC

[Figure: Centralized Deployment Model; CAPWAP Tunnel to the AireOS WLC, with the Trust Boundary and PEP marked]

Cisco AireOS WLC
QoS Roles in the Wireless LAN

• Customizable DSCP-to-UP Mappings will modify QoS Roles:
  • Trust Boundary moves to the AP
  • PEP remains at the WLC

[Figure: Centralized Deployment Model; CAPWAP Tunnel to the AireOS WLC, with the Trust Boundary and PEP marked]

IEEE 802.11 User Priority (UP)

3 Bit Field allows for UP values 0-7

IEEE 802.11 UP Values and Access Categories
802.11 UP Value | 802.11 Access Category | WMM Designation | Cisco AireOS WLC Designation
7 | AC_VO | Voice | Platinum
6 | AC_VO | Voice | Platinum
5 | AC_VI | Video | Gold
4 | AC_VI | Video | Gold
3 | AC_BE | Best Effort | Silver
0 | AC_BE | Best Effort | Silver
2 | AC_BK | Background | Bronze
1 | AC_BK | Background | Bronze

IEEE 802.11 Arbitration Inter-Frame Spacing (AIFS)
and Contention Windows (CW)
• Due to the nature of wireless as a shared media, a Congestion Avoidance algorithm (CSMA/CA) must be utilized
• Wireless senders have to wait a fixed amount of time (the AIFS)
• Wireless senders also have to wait a random amount of time (the Contention Window)
• AIFS and Contention Window timers vary by Access Category

Access Category | AIFS (Slot Times) | CWmin (Slot Times) | CWmax (Slot Times)
Voice | 2 | 3 | 7
Video | 2 | 7 | 15
Best Effort | 3 | 15 | 1023
Background | 7 | 15 | 1023

EDCF Operation

Access Category | Round 1 | Round 2 | Round 3
Voice | 2+1=3 | 2+3=5 | 2+2=4
Video | 2+1=3 | 2+7=9 | 2+1=3
Best Effort | 3+1=4 | 3+15=18 | 3+15=18
Background | 7+1=8 | 7+15=22 | 7+15=22
Result | Collision | Voice | Video

Downstream DSCP-to-UP Default Mapping

[Figure: the 6-Bit DSCP of the IP Packet, carried in the CAPWAP Packet, is mapped to the 3-Bit UP of the 802.11 Frame]

Default DSCP-to-UP Mapping Table
DSCP | 802.11 UP | WLC QoS Profile
56-63 | 7 | Platinum (Voice)
48-55 | 6 | Platinum (Voice)
40-47 | 5 | Gold (Video)
32-39 | 4 | Gold (Video)
24-31 | 3 | Silver (Best Effort)
0-7 | 0 | Silver (Best Effort)
16-23 | 2 | Bronze (Background)
8-15 | 1 | Bronze (Background)

Note: IETF PHB for VoIP: EF (DSCP 46, in the 40-47 row), per RFC 4594 & 3246

Downstream DSCP-to-UP Mapping Model
Ratified Cisco Consensus Model (June 2015)

• Plugs potential security vulnerabilities
• Provides distinction between elastic and inelastic video classes
• Aligns RFC 4594 recommendations into the IEEE 802.11 model
• Requires several custom DSCP-to-UP mappings

[Figure: RFC 4594-Based Model classes mapped by DSCP to the IEEE 802.11 Model]

RFC 4594-Based Model | DSCP
Network Control | (CS7)
Internetwork Control | CS6
Voice + DSCP-Admit | EF + 44
Broadcast Video | CS5
Multimedia Conferencing | AF4
Realtime Interactive | CS4
Multimedia Streaming | AF3
Signaling | CS3
Transactional Data | AF2
OAM | CS2
Bulk Data | AF1
Scavenger | CS1
Best Effort | DF

Note: Network Control and Internetwork Control: Remark / Drop if not in use

IEEE 802.11 Model
UP 7, UP 6 | Voice Access Category
UP 5, UP 4 | Video Access Category
UP 3, UP 0 | Best Effort Access Category
UP 2, UP 1 | Background Access Category

Upstream UP-to-DSCP Default Mapping

[Figure: the 3-Bit UP of the 802.11 Frame is mapped to the 6-Bit DSCP of the CAPWAP Packet and IP Packet]
• First 3 Bits are copied
• Last 3 Bits are zeroed-out

Upstream DSCP Trust Model

[Figure: the 6-Bit DSCP of the 802.11 Frame is copied to the 6-Bit DSCP of the CAPWAP Packet and IP Packet]
• All 6 Bits are copied
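
The default mappings from the preceding slides worked through for the deck's application classes, as an added example that is not part of the original deck. It shows which access category each marking lands in downstream and what DSCP comes back upstream when the UP is mapped by default instead of trusting DSCP. The AF classes are represented by their AFx1 value, and the round trip assumes a client that sends back the UP it received; both are assumptions.

```python
# Application classes and PHBs as listed in the deck; AF classes use AFx1.
CLASSES = {
    "Network Control": ("CS7", 56),
    "Internetwork Control": ("CS6", 48),
    "VoIP": ("EF", 46),
    "Broadcast Video": ("CS5", 40),
    "Multimedia Conferencing": ("AF41", 34),
    "Realtime Interactive": ("CS4", 32),
    "Multimedia Streaming": ("AF31", 26),
    "Signaling": ("CS3", 24),
    "Transactional Data": ("AF21", 18),
    "Network Management": ("CS2", 16),
    "Bulk Data": ("AF11", 10),
    "Scavenger": ("CS1", 8),
    "Best Effort": ("DF", 0),
}

# IEEE 802.11 UP value -> access category (from the UP table in the deck).
ACCESS_CATEGORY = {7: "AC_VO", 6: "AC_VO", 5: "AC_VI", 4: "AC_VI",
                   3: "AC_BE", 0: "AC_BE", 2: "AC_BK", 1: "AC_BK"}


def downstream_default(dscp):
    """Default DSCP-to-UP: the DSCP range table is the top 3 bits of the DSCP."""
    return dscp >> 3


def upstream_default(up):
    """Default UP-to-DSCP: first 3 bits copied, last 3 bits zeroed-out.

    The wired DSCP is derived entirely from the client-set UP, so UP 6 or 7
    arrives as CS6 or CS7 unless policy at the PEP remarks it.
    """
    return up << 3


def upstream_dscp_trust(dscp):
    """Upstream DSCP trust: all 6 bits are copied."""
    return dscp


def report():
    """Rows of (class, PHB, downstream UP, access category, DSCP after default round trip)."""
    rows = []
    for name, (phb, dscp) in CLASSES.items():
        up = downstream_default(dscp)
        rows.append((name, phb, up, ACCESS_CATEGORY[up], upstream_default(up)))
    return rows


def lossy_classes():
    """PHBs whose DSCP is changed by a default downstream + upstream round trip."""
    return [phb for phb, dscp in CLASSES.values()
            if upstream_default(downstream_default(dscp)) != dscp]


if __name__ == "__main__":
    print(f"{'Class':26}{'PHB':6}{'UP':4}{'AC':7}{'DSCP back (default)':20}")
    for name, phb, up, ac, back in report():
        print(f"{name:26}{phb:6}{up:<4}{ac:7}{back:<20}")
    print("Changed by the default round trip:", ", ".join(lossy_classes()))
```

With the default tables, EF shares the video access category with CS5 and AF21 shares the background access category with scavenger traffic, which is the misalignment the custom DSCP-to-UP mappings address.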
RFC 8325
Mapping DiffServ to
IEEE 802.11
• Reconciles RFC 4594 with IEEE 802.11
• Summarizes our internal consensus on DSCP-to-UP mapping
• Advocates DSCP-trust in the upstream direction (vs. UP-to-DSCP mapping)

https://tools.ietf.org/html/rfc8325

Cisco WLAN QoS Design At-A-Glance

https://cisco.box.com/v/QoS-AAGs
AireOS QoS Design
AireOS QoS Policy Deployment
List of Steps
1) Disable Radios and WLANs
2) Tune EDCA and CAC
3) Tune QoS Profile
4) Create AVC Profile
5) Attach QoS and AVC Profiles to WLAN and Enable AVC
6) Configure Downstream DSCP-to-UP Mapping and Enable Upstream DSCP-Trust
7) Re-enable WLANs and radios

AireOS QoS Policy Deployment
Step 1) Disable Radios and WLANs

(Cisco Controller) > config 802.11a disable network
(Cisco Controller) > config 802.11b disable network
! Must disable 802.11a/b networks to make changes to QoS

(Cisco Controller) > config wlan disable all
! Must disable all WLANs to make changes to QoS

AireOS QoS Policy Deployment
Step 2) Tune EDCA and CAC
(Cisco Controller) > config 802.11a Qos Mode 7
(Cisco Controller) > config 802.11b Qos Mode 7
! Apply Fastlane EDCA profile (best of current EDCA profiles) for 802.11a/b

(Cisco Controller) > config 802.11a cac voice acm enable
(Cisco Controller) > config 802.11b cac voice acm enable
! Enable ACM for 802.11a/b

(Cisco Controller) > config 802.11a cac voice max-bandwidth 50
(Cisco Controller) > config 802.11b cac voice max-bandwidth 50
! Limit voice traffic to 50% of total bandwidth for 802.11a/b

(Cisco Controller) > config 802.11a cac voice roam-bandwidth 6
(Cisco Controller) > config 802.11b cac voice roam-bandwidth 6
! Keep 6% bandwidth for roaming users for 802.11a/b

(Cisco Controller) > config 802.11a exp-bwreq enable
(Cisco Controller) > config 802.11b exp-bwreq enable
! Enable Expedited Bandwidth for 802.11a/b

AireOS QoS Policy Deployment
Step 3) Tune Platinum QoS Profile

(Cisco Controller) > config qos priority platinum voice besteffort besteffort
! Set QoS Profile to Platinum
! Set default marking for unmarked unicast and multicast traffic to best effort

(Cisco Controller) > config qos protocol-type platinum none
! Disables 802.1p marking (all wired marking is DSCP-based)

(Cisco Controller) > config qos burst-realtime-rate platinum per-ssid downstream 0
! Do not restrict profile bandwidth for UDP traffic

(Cisco Controller) > config qos average-realtime-rate platinum per-ssid downstream 0
! Do not restrict profile bandwidth for TCP traffic

AireOS QoS Policy Deployment
Step 4) Create an AVC Profile—Example (Part 1 of 2)
(Cisco WLC) > config avc profile AVC-STATIC-PROFILE create
! Creates the AVC Profile

! This section configures AVC to mark Voice applications/sub-components to EF (DSCP 46)
(Cisco WLC) > config avc profile AVC-STATIC-PROFILE rule add application cisco-phone-audio mark 46
(Cisco WLC) > config avc profile AVC-STATIC-PROFILE rule add application cisco-jabber-audio mark 46
(Cisco WLC) > config avc profile AVC-STATIC-PROFILE rule add application ms-lync-audio mark 46
(Cisco WLC) > config avc profile AVC-STATIC-PROFILE rule add application citrix-audio mark 46

! This section configures AVC to mark Multimedia Conferencing applications to AF41 (DSCP 34)
(Cisco WLC) > config avc profile AVC-STATIC-PROFILE rule add application cisco-phone-video mark 34
(Cisco WLC) > config avc profile AVC-STATIC-PROFILE rule add application cisco-jabber-video mark 34
(Cisco WLC) > config avc profile AVC-STATIC-PROFILE rule add application ms-lync-video mark 34
(Cisco WLC) > config avc profile AVC-STATIC-PROFILE rule add application webex-media mark 34

! This section configures AVC to mark Multimedia Streaming applications to AF31 (DSCP 26)
(Cisco WLC) > config avc profile AVC-STATIC-PROFILE rule add application citrix mark 26
(Cisco WLC) > config avc profile AVC-STATIC-PROFILE rule add application pcoip mark 26
(Cisco WLC) > config avc profile AVC-STATIC-PROFILE rule add application vnc mark 26
(Cisco WLC) > config avc profile AVC-STATIC-PROFILE rule add application vnc-http mark 26

! This section configures AVC to mark Signaling protocols to CS3 (DSCP 24)
(Cisco WLC) > config avc profile AVC-STATIC-PROFILE rule add application skinny mark 24
(Cisco WLC) > config avc profile AVC-STATIC-PROFILE rule add application cisco-jabber-control mark 24
(Cisco WLC) > config avc profile AVC-STATIC-PROFILE rule add application sip mark 24
(Cisco WLC) > config avc profile AVC-STATIC-PROFILE rule add application sip-tls mark 24
AireOS QoS Policy Deployment
Step 4) Create an AVC Profile—Example (Part 2 of 2)
! This section configures AVC to mark Transactional Data applications to AF21 (DSCP 18)
(Cisco WLC) > config avc profile AVC-STATIC-PROFILE rule add application cisco-jabber-im mark 18
(Cisco WLC) > config avc profile AVC-STATIC-PROFILE rule add application ms-office-web-apps mark 18
(Cisco WLC) > config avc profile AVC-STATIC-PROFILE rule add application salesforce mark 18
(Cisco WLC) > config avc profile AVC-STATIC-PROFILE rule add application sap mark 18

! This section configures AVC to mark OAM applications to CS2 (DSCP 16)
(Cisco WLC) > config avc profile AVC-STATIC-PROFILE rule add application dhcp mark 16
(Cisco WLC) > config avc profile AVC-STATIC-PROFILE rule add application dns mark 16
(Cisco WLC) > config avc profile AVC-STATIC-PROFILE rule add application ntp mark 16
(Cisco WLC) > config avc profile AVC-STATIC-PROFILE rule add application snmp mark 16

! This section configures AVC to mark Bulk Data applications to AF11 (DSCP 10)
(Cisco WLC) > config avc profile AVC-STATIC-PROFILE rule add application ftp mark 10
(Cisco WLC) > config avc profile AVC-STATIC-PROFILE rule add application ftp-data mark 10
(Cisco WLC) > config avc profile AVC-STATIC-PROFILE rule add application ftps-data mark 10
(Cisco WLC) > config avc profile AVC-STATIC-PROFILE rule add application cifs mark 10

! This section configures AVC to mark Scavenger applications to CS1 (DSCP 8)
(Cisco WLC) > config avc profile AVC-STATIC-PROFILE rule add application netflix mark 8
(Cisco WLC) > config avc profile AVC-STATIC-PROFILE rule add application youtube mark 8
(Cisco WLC) > config avc profile AVC-STATIC-PROFILE rule add application skype mark 8
(Cisco WLC) > config avc profile AVC-STATIC-PROFILE rule add application bittorrent mark 8

AireOS QoS Policy Deployment
Step 5) Attach QoS and AVC Profiles to WLAN and Enable AVC

(Cisco WLC) > config wlan qos 10 platinum
! Applies the Platinum QoS profile to the WLAN

(Cisco WLC) > config wlan avc 10 visibility enable
! Enables AVC Visibility on WLAN 10

(Cisco WLC) > config wlan avc 10 profile AVC-STATIC-PROFILE enable
! This command applies the AVC profile AVC-STATIC-PROFILE (created in Step 4) to WLAN ID 10

AireOS QoS Policy Deployment
Step 6) Configure Downstream DSCP-to-UP Mapping and
Enable Upstream DSCP-Trust
RFC 4594-Based Model        DSCP
Network Control             (CS7)
Internetwork Control        CS6
Voice + Voice-ADMIT         EF + 44
Broadcast Video             CS5
Multimedia Conferencing     AF4
Real-Time Interactive       CS4
Multimedia Streaming        AF3
Signaling                   CS3
Transactional Data          AF2
OAM                         CS2
Bulk Data                   AF1
Scavenger                   CS1
Best Effort                 DF

IEEE 802.11 Model
UP 7, UP 6                  Voice Access Category
UP 5, UP 4                  Video Access Category
UP 3, UP 0                  Best Effort Access Category
UP 2, UP 1                  Background Access Category

[Figure: arrows map each DSCP value on the left to an 802.11 UP on the right]

AireOS QoS Policy Deployment
Step 6) Configure Downstream DSCP-to-UP Mapping and
Enable Upstream DSCP-Trust—Configuration (Part 1 of 3)

Step 1: Disable the Current QoS Map
(Cisco WLC) > config qos qosmap disable

Step 2: Configure the UP-to-DSCP Maps
(Cisco WLC) > config qos qosmap up-to-dscp-map 0 0 0 7
(Cisco WLC) > config qos qosmap up-to-dscp-map 1 8 8 15
(Cisco WLC) > config qos qosmap up-to-dscp-map 2 16 16 23
(Cisco WLC) > config qos qosmap up-to-dscp-map 3 24 24 31
(Cisco WLC) > config qos qosmap up-to-dscp-map 4 32 32 39
(Cisco WLC) > config qos qosmap up-to-dscp-map 5 34 40 47
(Cisco WLC) > config qos qosmap up-to-dscp-map 6 46 48 62
(Cisco WLC) > config qos qosmap up-to-dscp-map 7 56 63 63

AireOS QoS Policy Deployment
Step 6) Configure Downstream DSCP-to-UP Mapping and
Enable Upstream DSCP-Trust—Configuration (Part 2 of 3)
Step 3: Configure DSCP-to-UP Mapping Exceptions
(Cisco Controller) > config qos qosmap dscp-to-up-exception 56 0
(Cisco Controller) > config qos qosmap dscp-to-up-exception 48 0
(Cisco Controller) > config qos qosmap dscp-to-up-exception 46 6
(Cisco Controller) > config qos qosmap dscp-to-up-exception 44 6
(Cisco Controller) > config qos qosmap dscp-to-up-exception 40 5
(Cisco Controller) > config qos qosmap dscp-to-up-exception 38 4
(Cisco Controller) > config qos qosmap dscp-to-up-exception 36 4
(Cisco Controller) > config qos qosmap dscp-to-up-exception 34 4
(Cisco Controller) > config qos qosmap dscp-to-up-exception 32 5
(Cisco Controller) > config qos qosmap dscp-to-up-exception 30 4
(Cisco Controller) > config qos qosmap dscp-to-up-exception 28 4
(Cisco Controller) > config qos qosmap dscp-to-up-exception 26 4
(Cisco Controller) > config qos qosmap dscp-to-up-exception 24 4
(Cisco Controller) > config qos qosmap dscp-to-up-exception 22 3
(Cisco Controller) > config qos qosmap dscp-to-up-exception 20 3
(Cisco Controller) > config qos qosmap dscp-to-up-exception 18 3
(Cisco Controller) > config qos qosmap dscp-to-up-exception 16 0
(Cisco Controller) > config qos qosmap dscp-to-up-exception 14 2
(Cisco Controller) > config qos qosmap dscp-to-up-exception 12 2
(Cisco Controller) > config qos qosmap dscp-to-up-exception 10 2
(Cisco Controller) > config qos qosmap dscp-to-up-exception 8 1

AireOS QoS Policy Deployment
Step 6) Configure Downstream DSCP-to-UP Mapping and
Enable Upstream DSCP-Trust—Configuration (Part 3 of 3)
Step 4: Enable DSCP-Trust, the New QoS Maps and the 802.11 Networks
(Cisco Controller) > config qos qosmap trust-dscp-upstream enable
(Cisco Controller) > config qos qosmap enable
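
One way to check the Step 6 QoS map offline, as an added example (not Cisco's code and not part of the original slides). It parses the commands above and models them under assumptions: an exception overrides the range for its DSCP, the first value after the UP in up-to-dscp-map is the DSCP used upstream when DSCP-trust is off, and the sample client that derives its UP from the top three DSCP bits is constructed.

```python
import re

# Step 6 commands as shown in this section (controller prompts removed).
QOSMAP_COMMANDS = """
config qos qosmap up-to-dscp-map 0 0 0 7
config qos qosmap up-to-dscp-map 1 8 8 15
config qos qosmap up-to-dscp-map 2 16 16 23
config qos qosmap up-to-dscp-map 3 24 24 31
config qos qosmap up-to-dscp-map 4 32 32 39
config qos qosmap up-to-dscp-map 5 34 40 47
config qos qosmap up-to-dscp-map 6 46 48 62
config qos qosmap up-to-dscp-map 7 56 63 63
config qos qosmap dscp-to-up-exception 56 0
config qos qosmap dscp-to-up-exception 48 0
config qos qosmap dscp-to-up-exception 46 6
config qos qosmap dscp-to-up-exception 44 6
config qos qosmap dscp-to-up-exception 40 5
config qos qosmap dscp-to-up-exception 38 4
config qos qosmap dscp-to-up-exception 36 4
config qos qosmap dscp-to-up-exception 34 4
config qos qosmap dscp-to-up-exception 32 5
config qos qosmap dscp-to-up-exception 30 4
config qos qosmap dscp-to-up-exception 28 4
config qos qosmap dscp-to-up-exception 26 4
config qos qosmap dscp-to-up-exception 24 4
config qos qosmap dscp-to-up-exception 22 3
config qos qosmap dscp-to-up-exception 20 3
config qos qosmap dscp-to-up-exception 18 3
config qos qosmap dscp-to-up-exception 16 0
config qos qosmap dscp-to-up-exception 14 2
config qos qosmap dscp-to-up-exception 12 2
config qos qosmap dscp-to-up-exception 10 2
config qos qosmap dscp-to-up-exception 8 1
"""

# IEEE 802.11 UP to access category, as in the Step 6 figure.
ACCESS_CATEGORY = {1: "Background", 2: "Background", 0: "Best Effort",
                   3: "Best Effort", 4: "Video", 5: "Video",
                   6: "Voice", 7: "Voice"}


def parse_qosmap(text):
    """Return (ranges, defaults, exceptions) parsed from qosmap commands."""
    ranges, defaults, exceptions = {}, {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = re.search(r"up-to-dscp-map (\d+) (\d+) (\d+) (\d+)$", line)
        if m:
            up, default, low, high = map(int, m.groups())
            ranges[up], defaults[up] = (low, high), default
            continue
        m = re.search(r"dscp-to-up-exception (\d+) (\d+)$", line)
        if m:
            exceptions[int(m.group(1))] = int(m.group(2))
    return ranges, defaults, exceptions


def check_qosmap(ranges, exceptions):
    """List gaps or overlaps in the DSCP ranges and out-of-range exceptions."""
    problems = []
    for dscp in range(64):
        owners = [up for up, (low, high) in ranges.items() if low <= dscp <= high]
        if len(owners) != 1:
            problems.append(f"DSCP {dscp} is covered by {len(owners)} ranges")
    for dscp, up in exceptions.items():
        if not (0 <= dscp <= 63 and 0 <= up <= 7):
            problems.append(f"exception {dscp}->{up} is out of range")
    return problems


def downstream_up(dscp, ranges, exceptions):
    """UP applied downstream: exception first, then the enclosing range."""
    if dscp in exceptions:
        return exceptions[dscp]
    for up, (low, high) in ranges.items():
        if low <= dscp <= high:
            return up
    raise ValueError(f"DSCP {dscp} is not covered by any range")


def upstream_dscp(client_dscp, client_up, defaults, trust_dscp):
    """Upstream DSCP (assumed model): kept with DSCP-trust, else derived from UP."""
    return client_dscp if trust_dscp else defaults[client_up]


def dscps_in_category(category, ranges, exceptions):
    """All DSCP values that end up in the given 802.11 access category."""
    return [d for d in range(64)
            if ACCESS_CATEGORY[downstream_up(d, ranges, exceptions)] == category]


RANGES, DEFAULTS, EXCEPTIONS = parse_qosmap(QOSMAP_COMMANDS)

if __name__ == "__main__":
    print("map problems:", check_qosmap(RANGES, EXCEPTIONS) or "none")
    for dscp in (46, 34, 24, 18, 8, 48, 56):
        up = downstream_up(dscp, RANGES, EXCEPTIONS)
        print(f"downstream DSCP {dscp:2d} -> UP {up} ({ACCESS_CATEGORY[up]})")
    print("DSCPs queued as Voice:", dscps_in_category("Voice", RANGES, EXCEPTIONS))
    # Constructed client: marks EF (46) and derives UP from the top three bits.
    up = 46 >> 3
    print("upstream with UP-to-DSCP mapping:", upstream_dscp(46, up, DEFAULTS, False))
    print("upstream with DSCP-trust:", upstream_dscp(46, up, DEFAULTS, True))
```

Under this model, code points without an exception still resolve through the ranges, so the Voice list is worth comparing against the markings the wired network is expected to deliver.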

AireOS Static QoS Policy Deployment
Step 7) Re-Enable Radios and WLANs

(Cisco Controller) > config 802.11a enable network
(Cisco Controller) > config 802.11b enable network
(Cisco Controller) > config wlan enable all

WLAN QoS Design
Key Takeaways
• Start by defining your QoS Strategy
• Design your RF for Voice Efficiency
  • Small cells, lower rates disabled, 15% overlap, AP at client power level
  • See BRKWEN 2000 for more details
• Restructure upstream and downstream marking and trust
• Use Platinum for your WLANs
• Apply efficient EDCA if possible, CAC if needed

Hardware Variations
[Figure: Access, Distribution, Core]

Hardware Consistency
The Catalyst 9K portfolio will finally realize the long-held goal of a single hardware queuing model for access, distribution/aggregation
Catalyst 9300: Stackable Access
Catalyst 9400: Modular Access
Catalyst 9500: Fixed Aggregation
UADP 3.0

Software and Syntax Variations
• Catalyst 2960-X / 3560 / 3750 are the last platforms to use Multilayer Switch QoS (MLS QoS)
  • QoS is disabled by default and must be globally enabled with mls qos command
  • Once enabled, all ports are set to an untrusted port-state
• Catalyst 3650/3850/9300/9400/9500 and 4500 use IOS Modular QoS Command Line Interface (MQC)
  • QoS is enabled by default
  • All ports are trusted at layer 2 and layer 3 by default
• Catalyst 6500/6800 use Cisco Common Classification Policy Language (C3PL) QoS
  • QoS is enabled by default (Sup2T) – Disabled by default (Sup720)
  • All ports are trusted at layer 2 and layer 3 by default
  • C3PL presents queuing policies similar to MQC, but as a defined “type” of policy
• Nexus 7000/7700 use NX-OS QoS
  • QoS is enabled by default
  • All ports are trusted at layer 2 and layer 3 by default
  • NX-OS presents queuing policies similar to MQC, but as a defined “type” and with default class-map names

Software and Syntax Consistency
• Catalyst 2960-X / 3560 / 3750 are the last platforms to use Multilayer Switch QoS (MLS QoS)
  • QoS is disabled by default and must be globally enabled with mls qos command
  • Once enabled, all ports are set to an untrusted port-state
• Catalyst 3650/3850/9300/9400/9500 and 4500 AND ASR/ISR Routers AND Wireless (coming) will all use IOS Modular QoS Command Line Interface (MQC) and IOS XE
  • QoS is enabled by default
  • All ports are trusted at layer 2 and layer 3 by default
• Catalyst 6500/6800 use Cisco Common Classification Policy Language (C3PL) QoS
  • QoS is enabled by default (Sup2T) – Disabled by default (Sup720)
  • All ports are trusted at layer 2 and layer 3 by default
  • C3PL presents queuing policies similar to MQC, but as a defined “type” of policy
• Nexus 7000/7700 use NX-OS QoS
  • QoS is enabled by default
  • All ports are trusted at layer 2 and layer 3 by default
  • NX-OS presents queuing policies similar to MQC, but as a defined “type” and with default class-map names

How Many Lines of CLI Does it take to Configure QoS for All 1400+ Apps in Our Common Library?
Pre-IOS 15.5(3) / IOS XE 3.15: 1622+ Lines

Configuration Consistency and Brevity
“Holy Grail” QoS Config for Routers/Switches
IOS XE 3.16+: 114 Lines

class-map match-all VOICE-NBAR
 match protocol attribute traffic-class voip-telephony
 match protocol attribute business-relevance business-relevant
class-map match-all BROADCAST_VIDEO-NBAR
 match protocol attribute traffic-class broadcast-video
 match protocol attribute business-relevance business-relevant
class-map match-all REALTIME_INTERACTIVE-NBAR
 match protocol attribute traffic-class real-time-interactive
 match protocol attribute business-relevance business-relevant
class-map match-all MULTIMEDIA_CONFERENCING-NBAR
 match protocol attribute traffic-class multimedia-conferencing
 match protocol attribute business-relevance business-relevant
class-map match-all MULTIMEDIA_STREAMING-NBAR
 match protocol attribute traffic-class multimedia-streaming
 match protocol attribute business-relevance business-relevant
class-map match-all SIGNALING-NBAR
 match protocol attribute traffic-class signaling
 match protocol attribute business-relevance business-relevant
class-map match-all NETWORK_CONTROL-NBAR
 match protocol attribute traffic-class network-control
 match protocol attribute business-relevance business-relevant
class-map match-all NETWORK_MANAGEMENT-NBAR
 match protocol attribute traffic-class ops-admin-mgmt
 match protocol attribute business-relevance business-relevant
class-map match-all TRANSACTIONAL_DATA-NBAR
 match protocol attribute traffic-class transactional-data
 match protocol attribute business-relevance business-relevant
class-map match-all BULK_DATA-NBAR
 match protocol attribute traffic-class bulk-data
 match protocol attribute business-relevance business-relevant
class-map match-all SCAVENGER-NBAR
 match protocol attribute business-relevance business-irrelevant

class-map match-all VOICE-DSCP
 match dscp ef
class-map match-all BROADCAST_VIDEO-DSCP
 match dscp cs5
class-map match-all REALTIME_INTERACTIVE-DSCP
 match dscp cs4
class-map match-all NETWORK_CONTROL-DSCP
 match dscp cs6
class-map match-all SIGNALING-DSCP
 match dscp cs3
class-map match-all NETWORK_MANAGEMENT-DSCP
 match dscp cs2
class-map match-all MULTIMEDIA_CONFERENCING-DSCP
 match dscp af41
class-map match-all MULTIMEDIA_STREAMING-DSCP
 match dscp af31
class-map match-all TRANSACTIONAL_DATA-DSCP
 match dscp af21
class-map match-all BULK_DATA-DSCP
 match dscp af11
class-map match-all SCAVENGER-DSCP
 match dscp cs1

policy-map LAN_EDGE-IN
 class VOICE-NBAR
  set dscp ef
 class BROADCAST_VIDEO-NBAR
  set dscp cs5
 class REALTIME_INTERACTIVE-NBAR
  set dscp cs4
 class MULTIMEDIA_CONFERENCING-NBAR
  set dscp af41
 class MULTIMEDIA_STREAMING-NBAR
  set dscp af31
 class SIGNALING-NBAR
  set dscp cs3
 class NETWORK_CONTROL-NBAR
  set dscp cs6
 class NETWORK_MANAGEMENT-NBAR
  set dscp cs2
 class TRANSACTIONAL_DATA-NBAR
  set dscp af21
 class BULK_DATA-NBAR
  set dscp af11
 class SCAVENGER-NBAR
  set dscp cs1
 class class-default
  set dscp default

policy-map WAN_EDGE-OUT
 class VOICE-DSCP
  priority percent 10
 class BROADCAST_VIDEO-DSCP
  priority percent 10
 class REALTIME_INTERACTIVE-DSCP
  priority percent 13
 class NETWORK_CONTROL-DSCP
  bandwidth percent 2
 class SIGNALING-DSCP
  bandwidth percent 2
 class NETWORK_MANAGEMENT-DSCP
  bandwidth percent 3
 class MULTIMEDIA_CONFERENCING-DSCP
  bandwidth percent 10
  fair-queue
  random-detect dscp-based
 class MULTIMEDIA_STREAMING-DSCP
  bandwidth percent 10
  fair-queue
  random-detect dscp-based
 class TRANSACTIONAL_DATA-DSCP
  bandwidth percent 10
  fair-queue
  random-detect dscp-based
 class BULK_DATA-DSCP
  bandwidth percent 4
  fair-queue
  random-detect dscp-based
 class SCAVENGER-DSCP
  bandwidth percent 1
 class class-default
  bandwidth percent 25
  fair-queue
  random-detect dscp-based

Where do we want to get to? (with AutoQoS 5.0)
auto qos srnd5 lan-edge
auto qos srnd5 wan-edge

Targeted: IOS XE 16.11
2 Lines

Cisco DNA Architecture

[Figure: layers labelled DNA Software Capabilities; Cloud Service Management; Automation; Analytics; Virtualization; DNA-Ready Physical and Virtual Infrastructure; Security]

Cisco DNA Architecture—Automation and Analytics

[Figure: Cloud Service Management; Automation; Analytics; Virtualization]
• APIC-EM: Application Policy Infrastructure Controller—Enterprise Module
• NCP: Network Controller Platform (Network Controller)
• NDP: Network Data Platform (Analytics Engine)

Cisco DNA Architecture—Automation and Analytics

[Figure: Cloud Service Management; Automation; Analytics; Virtualization; Abstraction layer; Intent; Outcome]
• NCP: Network Controller Platform (Network Controller): Delivering the Intent
• NDP: Network Data Platform (Analytics Engine): Analyzing the Outcome within the Context of the expressed Intent
• Assuring the Intent

Cisco DNA Architecture—DNA Center

DNA Center User Interface
A single pane of glass for Design, Policy, Provisioning, and Assurance
[Figure: NCP, NDP, DNA Center Appliance]

Your Choice: Manual QoS Policy or Intent-Based Application Policy
Manual QoS Policy:
ip access-list extended MM_STREAM-ACL
 remark citrix - Citrix
 permit tcp any any eq 1494
 permit udp any any eq 1494
 permit tcp any any eq 2598
 permit udp any any eq 2598
 remark citrix-static - Citrix-Static
 permit tcp any any eq 1604
 permit udp any any eq 1604
 permit tcp any any range 2512 2513
 permit udp any any range 2512 2513
 remark pcoip - PCoIP
 permit tcp any any eq 4172
 permit udp any any eq 4172
 permit tcp any any eq 5172
 permit udp any any eq 5172
 remark timbuktu - Timbuktu
 permit tcp any any eq 407
 permit udp any any eq 407
 remark xwindows - XWindows
 permit tcp any any range 6000 6003
 remark vnc - VNC
 permit tcp any any eq 5800
 permit udp any any eq 5800
 permit tcp any any range 5900 5901
 permit udp any any range 5900 5901
 exit
ip access-list extended SIGNALING-ACL
 remark h323 - H.323
 permit tcp any any eq 1300
 permit udp any any eq 1300
 permit tcp any any range 1718 1720

Demo: DNA Application Policy
Demo: DNA Application Assurance
Summary and References
Enterprise QoS Design Summary
Part 1: QoS in DNA
• Cisco has adopted a new paradigm for QoS focusing on policy-abstraction
  • Articulate business intent as a strategic end-to-end policy
  • Device-specific tactical policies reflect strategic policy with maximum fidelity
• Cisco platform-specific features and controller-based applications all revolve around this paradigm, including:
  • NBAR QoS Attributes (LAN & WAN)
  • IWAN & IWAN App
  • FastLane for iOS for WLAN
  • EasyQoS & DNA Center Application Policy
  • DNA Assurance
• Cisco’s DNA architecture combines hardware, software, automation and analytics to deliver “powerful yet simple” solutions for application experience

Enterprise QoS Design Summary
Part 2: WAN & VPN QoS Design
• Use new NBAR2 QoS Attributes (traffic-class and business-relevance) to mark on LAN edges
• Design WAN/IWAN edge policies to address:
  • QoS Scheduling
  • Aggregate priority load
  • IPSec Anti-Replay
• Know and leverage WAN edge tools, including:
  • Hierarchical QoS policies for sub-line-rate interfaces
  • DMVPN Per-Tunnel QoS for IWAN
  • Enterprise-to-SP Mapping Models

Enterprise QoS Design Summary
Part 3: Campus QoS Design
• Campus QoS is key to managing packet loss due to instantaneous buffer overruns, which are very common in oversubscribed campus networks
• Know your QoS toolset, as hardware features and software syntax vary from platform to platform
• Cisco provides At-A-Glance Guides to get you up and running quickly, as well as detailed Cisco Validated Design Guides
• Or … just use DNA Application Policy

Enterprise QoS Design Summary
Part 4: WLAN QoS Design
• Design your RF for Voice Efficiency
• Restructure upstream and downstream marking and trust
• Use Platinum for your WLANs
• Apply efficient EDCA if possible; CAC if needed
• FastLane is a plus in most cases
• Or … just use DNA Application Policy

Enterprise QoS Design Summary
Part 5: Looking Ahead
• Cisco campus hardware will converge on UADP
  • This will finally realize the long-held goal of a single hardware queuing model for access, distribution/aggregation and core
• Cisco routing, switching and wireless software will converge on IOS XE
  • All QoS policies will be expressed via MQC
• Cisco will continue to simplify the automation of QoS features
  • AutoQoS 5.0
• Cisco is complementing QoS automation with analytics and assurance to correlate disparate data-sources, identify anomalies and guide the troubleshooting of application quality issues

IWAN Cisco Validated Design (CVD) Guide

https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Sep2017/CVD-IWANDeployment-SEP17.pdf
EasyQoS Cisco Validated Design (CVD) Guide

https://www.cisco.com/c/en/us/td/docs/solutions/CVD/Dec2017/APIC-EM-EasyQoS-DesignGuide-Dec2017.html

Recommended Reading
End-to-End QoS (v2)
• Release Date: Jan 2014
• Page Count: 1040
• Comprehensive QoS design guidance for PINs and platforms:
  • Campus Catalyst 3750/4500/6500
  • WLAN WLC 5508 / Catalyst 3850 NGWC
  • Data Center Nexus 1000V/2000/5500/7000
  • WAN & Branch Cisco ASR 1000 / ISR G2
  • MPLS VPN Cisco ASR 9000 / CRS-3
  • IPSec VPNs Cisco ISR G2
• ISBN: 1-58714-369-0
http://www.amazon.com/End---End-QoS-Network-Design/dp/1587143690/

Recommended Reading
End-to-End QoS (v2)
Amazon.com Overall Rating:
“The best ever book on QoS on the market. Bravo to the author.”
“AWESOME RESUME OF QoS TECHNOLOGIES”
“I strongly recommend this book to anyone working with Cisco infrastructure.”
“This book is an all-encompassing presentation and tutorial on Cisco Quality of Service (QoS)”
“QoS is intimidating; however, this book is a tremendous resource that will ease your anxiety.”
“This book is kept in my cubicle and is already filled with highlights, notes in the margin, and many dog-eared pages.”
“QOS is often misunderstood, and he explains it very well. The explanations are thorough to help understand each case”

WE NO LONGER Recommended Reading
End-to-End QoS (v2) (USE DNA Center INSTEAD)
Next Steps: Download APIC-EM (and EasyQOS App)
FREE Download at: cisco.com/go/apicem

DNAC 1.2 Platform: Scale and Hardware specification

• Centralized deployment, cloud tethered
• 1 RU Small form factor
• 2 x 10Gbps Data links
• Built in Network Telemetry collection (FNF, SNMP, Syslog)
• Built in Contextual connectors (ISE/PxGrid, IPAM, Location)
• HA (3 Node, Automation), RBAC, Backup/Restore, Scheduler, APIs
• 64-bit x86 Processors
• Solid State Disks in RAID10
• Hardware MRAID Controller
• Dual PSU

Scale: Single Node
5,000 → 4K APs + 1K Network Devices
25,000 → Clients/Hosts

DNAC 1.2 Supported Network Platforms

CAT2K / CAT3K / CAT4K Switches

CAT2K                         Recommended OS   Minimum OS
C2960-L                       IOS 15.2(2)E7    IOS 15.2(1)E1
C2960-P                       IOS 15.2(2)E7    IOS 15.2(1)E1
C2960-C                       IOS 15.2(2)E8    IOS 15.2(1)E1
C2960-CPD                     IOS 15.2(2)E8    IOS 15.2(1)E1
C2960-X Stack                 IOS 15.2(2)E6    IOS ≥ 12.1
C2960-XR                      IOS 15.2(2)E6    IOS ≥ 12.1
C2960-XR Stack                IOS 15.2(2)E6    IOS ≥ 12.1
C2960-CX                      IOS 15.2(4)E3    IOS ≥ 12.1

CAT3K                         Recommended OS   Minimum OS
C3560-CX                      IOS 15.2(6)E     All Versions
C3650 (Copper)                IOS-XE 16.6.1    All Versions
C3650-Stack                   IOS-XE 16.6.1    All Versions
C3850(Copper/Fiber)           IOS-XE 16.6.1    All Versions
C3850-Stack (Copper/Fiber)    IOS-XE 16.6.1    All Versions

CAT4K                         Recommended OS   Minimum OS
C4500-X                       IOS-XE 3.10E     All Versions
C4500-E (SUP 7E|7LE|8LE)      IOS-XE 3.10E     All Versions
C4507R+E (SUP 7E|7LE|8LE)     IOS-XE 3.10E     All Versions
C4503E (Sup 8E|9E)            IOS-XE 3.10E     All Versions
C4506E (Sup 8E|9E)            IOS-XE 3.10E     All Versions
C4507R+E (Sup 8E|9E)          IOS-XE 3.10E     All Versions
C4510R+E (Sup 8E|9E)          IOS-XE 3.10E     All Versions

CAT9K / CAT6K / N7K Switches

CAT9K                         Recommended OS   Minimum OS
C9300                         IOS-XE 16.6.2    IOS-XE 16.6.1
C9300 Stack                   IOS-XE 16.6.2    IOS-XE 16.6.1
C9400-LC-48UX                 IOS-XE 16.6.2    IOS-XE 16.6.1
C9400-LC-24XS                 IOS-XE 16.6.2    IOS-XE 16.6.1
C9400 (Sup1XL)                IOS-XE 16.6.2    IOS-XE 16.6.1
C9400 (Sup1E)                 IOS-XE 16.6.2    IOS-XE 16.6.1
C9500                         IOS-XE 16.6.2    IOS-XE 16.6.1
C9500 Stack                   IOS-XE 16.6.2    IOS-XE 16.6.1

CAT6K                         Recommended OS   Minimum OS
C6503E (Sup 2T|6T)            IOS 15.5.1 SY    ≥ 12.2
C6504E (Sup 2T|6T)            IOS 15.5.1 SY    ≥ 12.2
C6506E (Sup 2T|6T)            IOS 15.5.1 SY    ≥ 12.2
C6509E (Sup 2T|6T)            IOS 15.5.1 SY    ≥ 12.2
C6513E (Sup 2T|6T)            IOS 15.5.1 SY    ≥ 12.2
C6807-XL (Sup 2T|6T)          IOS 15.5.1 SY    ≥ 12.2
C6840-X (Sup 2T|6T)           IOS 15.5.1 SY    ≥ 12.2
C6880-X (Sup 2T|6T)           IOS 15.5.1 SY    ≥ 12.2

ASR / ISR / CSRv Routers

ISR 4K                              Recommended OS   Minimum OS
ISR 4431                            WIP              WIP
ISR 4221                            WIP              WIP
ISR 4351                            WIP              WIP
ISR 4451-X                          WIP              WIP

ISR 1K (Selected PIDs Only)         Recommended OS   Minimum OS
C1112-8P + (LTEEA)                  IOS-XE 16.7.1    IOS-XE 16.6.1
C1113-8P + (M,LTE*,WE,WA,WZ,MWE)    IOS-XE 16.7.1    IOS-XE 16.6.1
C1114-8P + (LTEEA)                  IOS-XE 16.7.1    IOS-XE 16.6.1
C1115-8P + (PM, LTEEA,PMLTEEA)      IOS-XE 16.7.1    IOS-XE 16.6.1

ASR 1K                              Recommended OS   Minimum OS
ASR 1001-X                          WIP              ≥ 15.2(2)S, ≥ 15.3(1)S1
ASR 1002-X                          WIP              ≥ 15.2(2)S, ≥ 15.3(1)S1
ASR 1006-X                          WIP              ≥ 15.2(2)S, ≥ 15.3(1)S1
ASR 1009-X (RP2|RP3)                WIP              WIP
ASR 1001-HX                         WIP              WIP
ASR 1002-HX                         WIP              WIP

Virtual Router                      Recommended OS   Minimum OS
CSRv (Virtual)                      WIP              WIP

Wireless Controllers / APs

[Figure labels: Automation, Assurance]

Cisco DNA Center Key Speaking Sessions
Learning Map
[Schedule grid of related Cisco DNA Center sessions, Monday (June 11) through Thursday (June 14), in morning and afternoon time slots]
Thank you

#CLUS
Appendix A—
IWAN QoS Design
What is IWAN from a QoS Perspective?
• Augment expensive MPLS service with business class internet
• Performance Routing (PfR) to load balance / provide resiliency / best path
• Dynamic Multipoint VPN (DMVPN) overlay on MPLS and Internet
• Up to 2,000 remote sites per hub router in a single domain
• MPLS will have Service Provider QoS, but with Internet we assume none

Hybrid Model – MPLS and Internet
[Diagram: a Hub Master Controller and two Hub Routers reach the branches over MPLS and the Internet; the branch links shown are T1, T1, T3, 10 Mbps and T3.]

IWAN Egress QoS Models
Example: Combining 12 Classes into an 8-Class Model

Application                  DSCP    8-Class Model
Internetwork Control         CS6     NET-CTRL (5% BWR)
VoIP                         EF      VOICE (PQ-10%)
Broadcast Video              CS5     STREAMING-VIDEO (10% BWR)
Multimedia Conferencing      AF41    INTERACTIVE-VIDEO (30% BWR)
Real-Time Interactive        CS4     INTERACTIVE-VIDEO (30% BWR)
Multimedia Streaming         AF31    STREAMING-VIDEO (10% BWR)
Signaling                    CS3     CALL-SIGNALING (4% BWR)
Transactional Data           AF21    CRITICAL-DATA (25% BWR)
Network Management (OAM)     CS2     CRITICAL-DATA (25% BWR)
Bulk Data                    AF11    CRITICAL-DATA (25% BWR)
Scavenger                    CS1     SCAVENGER (1% BWR)
Best Effort                  DF      DEFAULT (25% BWR)

PQ = Priority Queue
BWR = Bandwidth Remaining
Note: Bandwidth Remaining Percentages must equal 100%

IWAN 8-Class Egress Queuing Model
Child Policy

IWAN 8-Class Queuing Model Class-Maps
class-map match-any VOICE-DSCP
 match dscp ef
class-map match-any INTERACTIVE-VIDEO-DSCP
 match dscp cs4 af41 af42 af43
class-map match-any STREAMING-VIDEO-DSCP
 match dscp cs5 af31 af32 af33
class-map match-any NETWORK-CONTROL-DSCP
 match dscp cs6
class-map match-any SIGNALING-DSCP
 match dscp cs3
class-map match-any CRITICAL-DATA-DSCP
 match dscp cs2 af11 af12 af13 af21 af22 af23
class-map match-any SCAVENGER-DSCP
 match dscp cs1

IWAN 8-Class Queuing Policy-Map
policy-map IWAN-EDGE-QUEUING
 class VOICE-DSCP
  priority level 1
  police cir percent 10
 class INTERACTIVE-VIDEO-DSCP
  bandwidth remaining percent 30
  random-detect dscp-based
 class STREAMING-VIDEO-DSCP
  bandwidth remaining percent 10
  random-detect dscp-based
 class NETWORK-CONTROL-DSCP
  bandwidth remaining percent 5
 class SIGNALING-DSCP
  bandwidth remaining percent 4
 class CRITICAL-DATA-DSCP
  bandwidth remaining percent 25
  random-detect dscp-based
 class SCAVENGER-DSCP
  bandwidth remaining percent 1
 class class-default
  bandwidth remaining percent 25
  random-detect

Branch QoS Scheduling Hierarchy
Two Levels: Child / Parent
• Child Queuing Policy on Physical: bandwidth sharing within tunnel
• Parent Shaping Policy on Physical: shape for service rate
[Diagram: priority (P1, policed at 1M), data and class-default queues feed the parent shaper, which feeds the physical interface.]

Branch QoS Scheduling Hierarchy
Two Levels: Child / Parent

Child queuing policy:
policy-map IWAN-EDGE-QUEUING
 class INTERACTIVE-VIDEO
  bandwidth remaining percent 30
  random-detect dscp-based
 class STREAMING-VIDEO
  bandwidth remaining percent 10
  random-detect dscp-based
 class CALL-SIGNALING
  bandwidth remaining percent 4
 class NET-CTRL
  bandwidth remaining percent 5
 class CRITICAL-DATA
  bandwidth remaining percent 25
  random-detect dscp-based
 class SCAVENGER
  bandwidth remaining percent 1
 class VOICE
  priority level 1
  police cir percent 10
 class class-default
  bandwidth remaining percent 25
  random-detect

Parent shaping policy:
policy-map POLICY-TRANSPORT-1
 class class-default
  shape average 10 Mbps
  service-policy IWAN-EDGE-QUEUING

Physical interface:
interface GigabitEthernet0/0
 bandwidth 10000
 service-policy output POLICY-TRANSPORT-1

• A shaper will guarantee that traffic will not exceed the contracted rate
• A nested queuing policy will force queuing to engage at the contracted sub-line-rate to prioritize packets prior to shaping

[Diagram: GigE interface with a service rate of 10 Mbps (Min: 0, Max: 10M, Excess: 10); the priority queue (P1) has an Always On policer at 1M, alongside the data and class-default queues.]

Hub Site QoS Scheduling
Three Levels: Child / Parent / Grandparent
[Diagram: the hub BR has a GE service rate of 100 Mbps and shapes for that service rate; per site it also shapes for the remote site's last mile (T1 branch at 1.5 Mbps, 50 Mbps, 20 Mbps and 10 Mbps branches, T3 branch at 45 Mbps), with per-site bandwidth sharing within the tunnel.]

Hub Site QoS Scheduling Hierarchy
Three Levels: Child / Parent / Grandparent
• Child Queuing Policy on Tunnel: bandwidth sharing within tunnel
• Parent Shaping Policies on Tunnel: shape for remote site last mile
• Grandparent Shaping Policy on Physical: shape for service rate
[Diagram: Per-SA QoS for Site1 – T1 (priority policed at 150K), Site2 – T3 (policed at 4.5M) and Site N – 10 Mbps (policed at 1M); each site has priority (P1), data and class-default queues, and all sites feed the physical interface.]

Aggregate Priority Load
Priority Propagation / Passing Lanes
Priority traffic is always serviced first at each level of the QoS scheduling hierarchy
[Diagram: three per-site policies, with priority queues (P1) policed at 150K, 4.5M and 1M next to their data and class-default queues, all feeding the physical interface.]

Aggregate Priority Load
IWAN Conclusion
• For Voice, use an Always On policer, rather than a Conditional policer

class VOICE
 priority level 1
 police cir percent 10

• For Video, use a Bandwidth Remaining Percent (BWR) queue with DSCP-based WRED, rather than a level 2 Priority queue

class INTERACTIVE-VIDEO
 bandwidth remaining percent 30
 random-detect dscp-based

[Diagram: voice in the priority queue (P1) with an Always On policer at 10%; video in a BWR 30% queue with DSCP-based WRED; data and class-default under Class-Based WFQ.]

IPsec Anti-Replay
Message Integrity
• Designed to identify packet capture/replay by 3rd party (Message Integrity)
• Sender assigns sequence number per Security Association (SA) to encrypted packets
• Receiver maintains 64 packet sliding window by default
• Window moves right to include higher sequence numbers
• Window marks packets as received or not
• Packets to the left of the window are dropped
[Diagram: the default 64 packet sliding window over sequence numbers 1 2 3 4 ... 64 65 66 67 in the packet flow into the router; packets 1, 2 and 3, now left of the window, are Anti-Replay Drops.]

IPsec Anti-Replay and QoS
IWAN Conclusion
• On a congested interface, a low-priority packet may be delayed by queuing, and then, arrive at the next router after the anti-replay window has been exceeded
• Also, if an encrypted packet arrives out of sequence by the window size (default is 64 packets), the packet is dropped
• Increasing the anti-replay window size has no impact on throughput or security
• The impact on memory is insignificant because only an extra 128 bytes per incoming IPsec SA is needed

Use the maximum replay window-size of 1024 for each supported platform

crypto ipsec security-association replay window-size 1024

[Diagram: Packets In → Crypto Engine (adds sequence number) → Enqueue into the priority (P1, policed), data and class-default queues → Packets Out. Packets 21 to 28 enter in order; 25 and 28 are lost (dropped by policer, queue tail drop) and the others leave reordered, drawn as 23 27 21 22 26 24.]

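The interaction described on the two anti-replay slides above, modeled in Python as an added example (not part of the original deck and not Cisco's implementation): a bitmap sliding-window receiver, plus a constructed traffic pattern in which every tenth packet is low priority and is held in the queue while 100 later packets pass. The class and function names and the traffic parameters are assumptions chosen for illustration.

```python
"""IPsec anti-replay window behind a QoS queue (constructed traffic model)."""


class AntiReplayWindow:
    """Receiver-side sliding window, kept per SA as a bitmap."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) was received

    def accept(self, seq):
        """Return True if the packet passes the replay check."""
        if seq <= 0:
            return False                      # sequence numbers start at 1
        if seq > self.top:                    # right of the window: slide it
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:               # left of the window: dropped
            return False
        if (self.bitmap >> offset) & 1:       # already marked received: replay
            return False
        self.bitmap |= 1 << offset            # late but inside the window
        return True


def egress_order(n, low_every, hold):
    """Order in which n encrypted packets leave a congested interface.

    Sequence numbers 1..n are assigned before queuing. Every low_every-th
    packet is low priority and leaves only after `hold` later packets have
    been sent; priority packets keep their order.
    """
    def key(seq):
        low = seq % low_every == 0
        return (seq + hold, 1) if low else (seq, 0)

    return sorted(range(1, n + 1), key=key)


def simulate(window_size, n=1000, low_every=10, hold=100):
    """Run the constructed flow through one receiver window and count drops."""
    win = AntiReplayWindow(window_size)
    dropped = [s for s in egress_order(n, low_every, hold) if not win.accept(s)]
    return {
        "dropped": len(dropped),
        "dropped_priority": sum(1 for s in dropped if s % low_every),
        # A captured copy of packet 500 sent again must still be rejected.
        "replay_accepted": win.accept(500),
    }


if __name__ == "__main__":
    for size in (64, 1024):
        print(size, simulate(size))
```

With the default window of 64 the model loses 93 of the 100 delayed low-priority packets to the replay check; with a window of 1024 none are lost, and the replayed packet is rejected in both cases.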
QoS Tools Review: Queuing & Dropping Tools
Bandwidth Percent vs Bandwidth Remaining Percent
Bandwidth Percent specifies bandwidth allocation as a percentage of the value entered in the bandwidth command on the interface
• Bandwidth percentages have to take into account priority percent values
• They have to be adjusted when priority bandwidth values are changed

Bandwidth Remaining Percent specifies bandwidth allocation as a percentage of the bandwidth value that has not been allocated to priority classes
• Bandwidth remaining percentages must equal 100%
• The bandwidth automatically adjusts when priority bandwidth values are changed

The two features cannot be used in the same policy map

Examples:

Bandwidth Percent (BWP)
 Service Rate Bandwidth = 10 Mbps
 Priority Queue 10% = 1 Mbps
 BWP of 30% = 10 x .30 = 3.0 Mbps

Bandwidth Remaining Percent (BWR)
 Service Rate Bandwidth = 10 Mbps
 Priority Queue 10% = 1 Mbps
 BWR of 30% = (10 – 1) x .30 = 9 x .30 = 2.7 Mbps

PQ Change in Value
 Service Rate Bandwidth = 10 Mbps
 Priority Queue 20% = 2 Mbps
 BWR of 30% = (10 – 2) x .30 = 8 x .30 = 2.4 Mbps

Bandwidth Remaining Ratio
IWAN Details
Bandwidth Remaining Ratio (BRR) provides proportional sharing to parent shapers during times of congestion.
If you over-subscribe your hub BR outbound bandwidth with per-tunnel policies that exceed the service rate, the BRR command on each parent policy means each site gets its "fair share" of the remaining bandwidth as compared to the other branch sites.
• If all the per-tunnel BW amounts are 5 Mbps or greater, we use a BRR value of BW / 1 Mbps (e.g. 10 Mbps is BRR of 10, 50 Mbps is BRR of 50, etc.)
• If any of the per-tunnel BW values are less than 5 Mbps, we use a BRR value of BW / 100 Kbps (e.g. 3 Mbps is BRR of 30, 1.5 Mbps is BRR of 15, etc.)

Per-tunnel shapers feeding the service rate shaper (Shape 100 Mbps):
 50 Mbps  BRR=50
 50 Mbps  BRR=50
 20 Mbps  BRR=20
 20 Mbps  BRR=20
 10 Mbps  BRR=10
 10 Mbps  BRR=10

When the total bandwidth exceeds 100 Mbps, each of the per-tunnel shapers will get their fair share based on their BRR values.

Example:
 50 Mbps site gets 50 / 160 or 31.25%
 20 Mbps site gets 20 / 160 or 12.5%
 10 Mbps site gets 10 / 160 or 6.25%

Multiple Sender QoS for Hub Routers
Bandwidth Sharing Between Multiple Senders
• Bandwidth can exceed 100% of the remote-site inbound Service Rate using a calculated oversubscription of ~ 1.6:1
• Bandwidth has to be divided equally due to one NHRP group
• As the number of senders increases, the percentages need to come down accordingly based on the network administrator's knowledge of their traffic patterns
• QoS child policies do not have to be the same per Sender but DSCP markings must match for PfR TC channels to establish
• Total bandwidth should not exceed 160% of remote-site inbound Service Rate

To avoid unwanted SP drops of voice traffic, priority traffic from all senders should not exceed the remote site inbound service rate

[Diagram: Hub BR1 (MNH/MDC) and Hub BR2 (MNH/MDC) each send at 80% BW toward the Remote Site Inbound Service Rate.]

Remote Site Example:
50 Mb/s * .80 = 40 Mb/s per Hub BR

Branch Tunnel Interface
interface Tunnel10
 bandwidth receive 50000
 nhrp nhs 10.6.34.1 nbma 192.168.6.1 multicast
 nhrp nhs 10.6.34.2 nbma 192.168.6.41 multicast
 nhrp group RS-GROUP-50MBPS-80

Hub Policy
policy-map RS-GROUP-50MBPS-80-POLICY
 class class-default
  description 80% of 50 Mbps
  shape average 40 Mbps
  bandwidth remaining ratio 40
  service-policy WAN

Multiple VRF QoS for Hub Routers
Bandwidth Sharing Between Multiple VRF Tunnels
• Bandwidth can exceed 100% of the remote-site inbound Service Rate using an oversubscription ratio of ~ 2:1
• Bandwidth does not have to be divided equally between VRFs
• QoS policies do not have to be the same per VRF
• As the number of VRFs increases, the percentages need to come down accordingly based on the network administrator's knowledge of their traffic patterns
• Total bandwidth for VRFs should not exceed 200% of remote-site inbound Service Rate as oversubscription traffic will be dropped in the SP cloud
• Bandwidth for Guest traffic is normally less than non-Guest
• Bandwidth for low volume VRFs like IOT and PCI should use a much smaller percentage

Aggregate Priority Load: Priority traffic from all VRFs cannot exceed the hub BR outbound service rate
Grandparent Shaping Policy on Physical: Shape for Outbound Service Rate

[Diagram: Default VRF (75% BW), Contractor VRF (75% BW), Guest VRF (40% BW) and IOT VRF (10% BW) tunnels feed the grandparent shaper toward the physical interface.]

Remote Site Example:
40 Mb/s * .75 = 30 Mb/s per VRF
40 Mb/s * .40 = 16 Mb/s per VRF
40 Mb/s * .10 = 4 Mb/s per VRF

Default VRF / Contractor VRF
interface Tunnel101
 bandwidth receive 40000
 nhrp group RS-GROUP-40MBPS-75

Guest VRF
interface Tunnel103
 bandwidth receive 40000
 nhrp group RS-GROUP-40MBPS-40

IOT VRF
interface Tunnel104
 bandwidth receive 40000
 nhrp group RS-GROUP-40MBPS-10

VRF = Virtual Routing and Forwarding

Multiple VRF QoS for Branch
• Using normal IWAN recommendations, QoS policy is applied to the physical interface at an IWAN
remote site which means all VRFs share the same QoS policy by default
• If you want to use different QoS policies for each VRF, you can deploy per-tunnel QoS in the spoke to
hub direction using the same tools and limitations described on the previous slide

Enterprise to SP Mapping
ToS Byte Preservation
The 12-class view is preserved across the enterprise even though we treat it differently at the egress of the router and send it to different channels within the SP network.
The twelve classes remain intact on the inner header and the outer tunnel header is remarked as the traffic leaves the tunnel interface.
The remarked outer header is discarded after arriving at the tunnel interface on the receiving router, thus leaving the inner header marking unchanged.

By default, ToS byte is copied to the new IP Header:

IP Packet:          [IP HDR (ToS)] [IP Payload]
GRE Tunnel:         [IP HDR (ToS)] [GRE HDR] [IP HDR (ToS)] [IP Payload]
IPSec Tunnel mode:  [IP HDR (ToS)] [ESP HDR] [IP HDR (ToS)] [IP Payload] [ESP Trailer] [ESP Auth]

Enterprise to SP Mapping
Set dscp tunnel outbound on tunnel (Hub)
Video Flow from Term-A To Term-B

! Marking the User IP header
class-map match-all MULTIMEDIA_CONFERENCING-NBAR
 match protocol attribute traffic-class multimedia-conferencing
 match protocol attribute business-relevance business-relevant

policy-map INGRESS-MARKING
 class MULTIMEDIA_CONFERENCING-NBAR
  set dscp af41

interface GigabitEthernet0/0/0
 service-policy input INGRESS-MARKING

! Marking the Tunnel IP header
class-map INTERACTIVE-VIDEO
 match dscp af41

policy-map RS-GROUP-10MBPS-POLICY
 class INTERACTIVE-VIDEO
  set dscp tunnel af31

interface Tunnel10
 nhrp map group RS-GROUP-10MBPS service-policy output RS-GROUP-10MBPS-POLICY

'Set dscp tunnel' means don't copy but instead remember and mark this value once tunnel header is imposed

Path: Term-A (10.1.0.1) → Hub Gig0/0/0 (10.1.0.2), Tun10 (172.16.0.1), Gig0/0/1 (192.168.0.1) → SP Network → Branch (192.168.0.2), Tun10 (172.16.0.2), LAN side (10.3.0.2) → Term-B (10.3.0.1)

Packet View 1: L2 Dest | L2 Src | Type | User IP Header | User Data
 User IP Header: Src IP: 10.1.0.1, Dst IP: 10.3.0.1, DSCP: 0
Packet View 2: Type | User IP Header | User Data
 User IP Header: Src IP: 10.1.0.1, Dst IP: 10.3.0.1, DSCP: af41
Packet View 3: L2 Dest | L2 Src | Type | Tunnel IP Header | User IP Header | User Data
 Tunnel IP Header: Src IP: 172.16.0.1, Dst IP: 172.16.0.2, DSCP: af31
 User IP Header: Src IP: 10.1.0.1, Dst IP: 10.3.0.1, DSCP: af41
Packet View 4: L2 Dest | L2 Src | Type | User IP Header | User Data
 User IP Header: Src IP: 10.1.0.1, Dst IP: 10.3.0.1, DSCP: af41

Enterprise to SP Mapping
Set dscp outbound on physical (Branch)
Video Flow from Term-B To Term-A

! Marking the User IP header
class-map match-all MULTIMEDIA_CONFERENCING-NBAR
 match protocol attribute traffic-class multimedia-conferencing
 match protocol attribute business-relevance business-relevant

policy-map INGRESS-MARKING
 class MULTIMEDIA_CONFERENCING-NBAR
  set dscp af41

interface GigabitEthernet0/0/0
 service-policy input INGRESS-MARKING

! Marking the Tunnel IP header
class-map INTERACTIVE-VIDEO
 match dscp af41

policy-map POLICY-TRANSPORT-1
 class INTERACTIVE-VIDEO
  set dscp af31

interface GigabitEthernet0/0/1
 service-policy output POLICY-TRANSPORT-1

DSCP copied Inner-to-Outer *BUT* we over-write Outer after the copy

Path: Term-B (10.3.0.1) → Branch Gig0/0/0 (10.3.0.2), Tun10 (172.16.0.2), Gig0/0/1 (192.168.0.2) → SP Network → Hub (192.168.0.1), Tun10 (172.16.0.1), LAN side (10.1.0.2) → Term-A (10.1.0.1)

Packet View 1: L2 Dest | L2 Src | Type | User IP Header | User Data
 User IP Header: Src IP: 10.3.0.1, Dst IP: 10.1.0.1, DSCP: 0
Packet View 2: Type | User IP Header | User Data
 User IP Header: Src IP: 10.3.0.1, Dst IP: 10.1.0.1, DSCP: af41
Packet View 3: L2 Dest | L2 Src | Type | Tunnel IP Header | User IP Header | User Data
 Tunnel IP Header: Src IP: 172.16.0.2, Dst IP: 172.16.0.1, DSCP: af31
 User IP Header: Src IP: 10.3.0.1, Dst IP: 10.1.0.1, DSCP: af41
Packet View 4: L2 Dest | L2 Src | Type | User IP Header | User Data
 User IP Header: Src IP: 10.3.0.1, Dst IP: 10.1.0.1, DSCP: af41

Enterprise to SP Mapping
Example: 4-Class SP Model

Application                DSCP    Remark                SP Class (DSCP)
Internetwork Control       CS6     CS6 Sent Unchanged
VoIP                       EF                            SP-VOICE (EF)
Broadcast Video            CS5     → AF31                SP-CLASS1DATA (AF31, UDP)
Multimedia Conferencing    AF41    → AF31                SP-CLASS1DATA (AF31, UDP)
Real-Time Interactive      CS4     → AF31                SP-CLASS1DATA (AF31, UDP)
Multimedia Streaming       AF31                          SP-CLASS1DATA (AF31, UDP)
Signaling                  CS3     → AF21                SP-CLASS2DATA (AF21, TCP)
Transactional Data         AF21                          SP-CLASS2DATA (AF21, TCP)
Network Management         CS2     → AF21                SP-CLASS2DATA (AF21, TCP)
Bulk Data                  AF11    → AF21                SP-CLASS2DATA (AF21, TCP)
Scavenger                  CS1                           SP-DEFAULT (DF)
Best Effort                DF                            SP-DEFAULT (DF)

4-Class SP QoS Model Configuration
Tunnel Interface

IWAN Hub BR
policy-map WAN
 class INTERACTIVE-VIDEO
  bandwidth remaining percent 30
  random-detect dscp-based
  random-detect exponential-weighting-constant 9
  set dscp tunnel af31
 class STREAMING-VIDEO
  bandwidth remaining percent 10
  random-detect dscp-based
  random-detect exponential-weighting-constant 9
  set dscp tunnel af31
 class NET-CTRL-MGMT
  bandwidth remaining percent 5
  set dscp tunnel cs6
 class CALL-SIGNALING
  bandwidth remaining percent 4
  set dscp tunnel af21
 class CRITICAL-DATA
  bandwidth remaining percent 25
  random-detect dscp-based
  random-detect exponential-weighting-constant 9
  set dscp tunnel af21
 class SCAVENGER
  bandwidth remaining percent 1
  set dscp tunnel default
 class VOICE
  priority level 1
  police cir percent 10
  set dscp tunnel ef
 class class-default
  bandwidth remaining percent 25
  random-detect
  random-detect exponential-weighting-constant 9
  set dscp tunnel default

Hub Router:
policy-map RS-GROUP-10MBPS-POLICY
 class class-default
  shape average 10 Mbps
  bandwidth remaining ratio 10
  service-policy WAN

interface Tunnel10
 bandwidth <service-rate>
 nhrp map group RS-GROUP-10MBPS service-policy output RS-GROUP-10MBPS-POLICY

Branch Router:
interface GigabitEthernet0/0
 bandwidth 10000
 service-policy output POLICY-TRANSPORT-1
!
interface Tunnel10
 bandwidth 10000
 nhrp group RS-GROUP-10MBPS
 tunnel source GigabitEthernet0/0
 tunnel vrf IWAN-TRANSPORT-1

4-Class SP QoS Model Configuration
Physical Interface

IWAN Branch
policy-map WAN
 class INTERACTIVE-VIDEO
  bandwidth remaining percent 30
  random-detect dscp-based
  random-detect exponential-weighting-constant 9
  set dscp af31
 class STREAMING-VIDEO
  bandwidth remaining percent 10
  random-detect dscp-based
  random-detect exponential-weighting-constant 9
  set dscp af31
 class NET-CTRL-MGMT
  bandwidth remaining percent 5
  set dscp cs6
 class CALL-SIGNALING
  bandwidth remaining percent 4
  set dscp af21
 class CRITICAL-DATA
  bandwidth remaining percent 25
  random-detect dscp-based
  random-detect exponential-weighting-constant 9
  set dscp af21
 class SCAVENGER
  bandwidth remaining percent 1
  set dscp default
 class VOICE
  priority level 1
  police cir percent 10
  set dscp ef
 class class-default
  bandwidth remaining percent 25
  random-detect
  random-detect exponential-weighting-constant 9
  set dscp default

Branch Router:
policy-map POLICY-TRANSPORT-1
 class class-default
  shape average 10 Mbps
  service-policy WAN

interface GigabitEthernet0/0
 bandwidth 10000
 service-policy output POLICY-TRANSPORT-1

The PfR Traffic Class channels will not establish if the DSCP values from the hub and branch routers do not match

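The closing note of the 4-class configuration (PfR traffic-class channels will not establish if hub and branch DSCP values differ) and the rule that bandwidth remaining percentages must total 100% can both be checked before a change is pushed. The following Python check is an added example, not Cisco's code or tooling; the function names are assumptions, the hub policy is abridged from the slide (WRED lines omitted), and the drifted branch copy is constructed for illustration.

```python
import re

# SP-facing DSCP values of the 4-class model on this page (CS6 is sent unchanged).
SP_4CLASS_DSCP = {"ef", "af31", "af21", "default", "cs6"}

# Constructed sample: hub child policy from the slide, WRED lines omitted.
HUB_WAN = """
policy-map WAN
 class INTERACTIVE-VIDEO
  bandwidth remaining percent 30
  set dscp tunnel af31
 class STREAMING-VIDEO
  bandwidth remaining percent 10
  set dscp tunnel af31
 class NET-CTRL-MGMT
  bandwidth remaining percent 5
  set dscp tunnel cs6
 class CALL-SIGNALING
  bandwidth remaining percent 4
  set dscp tunnel af21
 class CRITICAL-DATA
  bandwidth remaining percent 25
  set dscp tunnel af21
 class SCAVENGER
  bandwidth remaining percent 1
  set dscp tunnel default
 class VOICE
  priority level 1
  police cir percent 10
  set dscp tunnel ef
 class class-default
  bandwidth remaining percent 25
  set dscp tunnel default
"""
# The branch applies the same classes on the physical interface with "set dscp".
BRANCH_OK = HUB_WAN.replace("set dscp tunnel ", "set dscp ")
# Constructed drift: scavenger remark copied from the 5-class model, one BWR edited.
BRANCH_DRIFT = (
    BRANCH_OK
    .replace("percent 1\n  set dscp default", "percent 1\n  set dscp af11")
    .replace("remaining percent 4", "remaining percent 14")
)


def parse_policy(text):
    """Return {class name: {"bwr": int, "priority": bool, "dscp": str or None}}."""
    classes, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"class (\S+)", line)
        if m:
            cur = classes.setdefault(
                m.group(1), {"bwr": 0, "priority": False, "dscp": None})
            continue
        if cur is None:
            continue                      # still in the policy-map header
        m = re.fullmatch(r"bandwidth remaining percent (\d+)", line)
        if m:
            cur["bwr"] = int(m.group(1))
        elif line.startswith("priority"):
            cur["priority"] = True
        else:
            m = re.fullmatch(r"set dscp (?:tunnel )?(\S+)", line)
            if m:
                cur["dscp"] = m.group(1)
    return classes


def lint(hub_text, branch_text, sp_dscp=SP_4CLASS_DSCP):
    """List every rule from the slides that the two policies break."""
    hub, branch = parse_policy(hub_text), parse_policy(branch_text)
    findings = []
    for side, pol in (("hub", hub), ("branch", branch)):
        total = sum(c["bwr"] for c in pol.values() if not c["priority"])
        if total != 100:
            findings.append(
                f"{side}: bandwidth remaining percent totals {total}, not 100")
        for name, c in pol.items():
            if c["dscp"] not in sp_dscp:
                findings.append(
                    f"{side}: class {name} remarks to {c['dscp']}, "
                    "outside the SP class set")
    for name in sorted(set(hub) | set(branch)):
        h = hub.get(name, {}).get("dscp")
        b = branch.get(name, {}).get("dscp")
        if h != b:
            findings.append(f"class {name}: hub sends {h}, branch sends {b}")
    return findings


if __name__ == "__main__":
    for finding in lint(HUB_WAN, BRANCH_DRIFT):
        print(finding)
```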
Enterprise to SP Mapping (Reference)
Example: 5-Class SP Model

Application                DSCP    Remark                SP Class (DSCP)
Internetwork Control       CS6     CS6 Sent Unchanged
VoIP                       EF                            SP-VOICE (EF)
Broadcast Video            CS5     → AF31                SP-CLASS1DATA (AF31, UDP)
Multimedia Conferencing    AF41    → AF31                SP-CLASS1DATA (AF31, UDP)
Real-Time Interactive      CS4     → AF31                SP-CLASS1DATA (AF31, UDP)
Multimedia Streaming       AF31                          SP-CLASS1DATA (AF31, UDP)
Signaling                  CS3     → AF21                SP-CLASS2DATA (AF21, TCP)
Transactional Data         AF21                          SP-CLASS2DATA (AF21, TCP)
Network Management         CS2     → AF21                SP-CLASS2DATA (AF21, TCP)
Bulk Data                  AF11    → AF21                SP-CLASS2DATA (AF21, TCP)
Scavenger                  CS1     → AF11                SP-CLASS3DATA (AF11) *
Best Effort                DF                            SP-DEFAULT (DF)

* - Specified by ISP

5-Class QoS Model Configuration (Reference)
Tunnel Interface

IWAN Hub BR
policy-map WAN
 class INTERACTIVE-VIDEO
  bandwidth remaining percent 30
  random-detect dscp-based
  random-detect exponential-weighting-constant 9
  set dscp tunnel af31
 class STREAMING-VIDEO
  bandwidth remaining percent 10
  random-detect dscp-based
  random-detect exponential-weighting-constant 9
  set dscp tunnel af31
 class NET-CTRL-MGMT
  bandwidth remaining percent 5
  set dscp tunnel cs6
 class CALL-SIGNALING
  bandwidth remaining percent 4
  set dscp tunnel af21
 class CRITICAL-DATA
  bandwidth remaining percent 25
  random-detect dscp-based
  random-detect exponential-weighting-constant 9
  set dscp tunnel af21
 class SCAVENGER
  bandwidth remaining percent 1
  set dscp tunnel af11
 class VOICE
  priority level 1
  police cir percent 10
  set dscp tunnel ef
 class class-default
  bandwidth remaining percent 25
  random-detect
  random-detect exponential-weighting-constant 9
  set dscp tunnel default

Hub Router:
policy-map RS-GROUP-10MBPS-POLICY
 class class-default
  shape average 10 Mbps
  bandwidth remaining ratio 10
  service-policy WAN

interface Tunnel10
 bandwidth <service-rate>
 nhrp map group RS-GROUP-10MBPS service-policy output RS-GROUP-10MBPS-POLICY

Branch Router:
interface GigabitEthernet0/0
 bandwidth 10000
 service-policy output POLICY-TRANSPORT-1
!
interface Tunnel10
 bandwidth 10000
 nhrp group RS-GROUP-10MBPS
 tunnel source GigabitEthernet0/0
 tunnel vrf IWAN-TRANSPORT-1

5-Class QoS Model Configuration (Reference)
Physical Interface

IWAN Branch
policy-map WAN
 class INTERACTIVE-VIDEO
  bandwidth remaining percent 30
  random-detect dscp-based
  random-detect exponential-weighting-constant 9
  set dscp af31
 class STREAMING-VIDEO
  bandwidth remaining percent 10
  random-detect dscp-based
  random-detect exponential-weighting-constant 9
  set dscp af31
 class NET-CTRL-MGMT
  bandwidth remaining percent 5
  set dscp cs6
 class CALL-SIGNALING
  bandwidth remaining percent 4
  set dscp af21
 class CRITICAL-DATA
  bandwidth remaining percent 25
  random-detect dscp-based
  random-detect exponential-weighting-constant 9
  set dscp af21
 class SCAVENGER
  bandwidth remaining percent 1
  set dscp af11
 class VOICE
  priority level 1
  police cir percent 10
  set dscp ef
 class class-default
  bandwidth remaining percent 25
  random-detect
  random-detect exponential-weighting-constant 9
  set dscp default

Branch Router:
policy-map POLICY-TRANSPORT-1
 class class-default
  shape average 10 Mbps
  service-policy WAN

interface GigabitEthernet0/0
 bandwidth 10000
 service-policy output POLICY-TRANSPORT-1

Enterprise to SP Mapping (Reference)
Example: 6-Class SP Model

Application                DSCP    Remark                SP Class (DSCP)
Internetwork Control       CS6     CS6 Sent Unchanged
VoIP                       EF                            SP-VOICE (EF)
Broadcast Video            CS5     → AF1
Multimedia Conferencing    AF41                          SP-VIDEO (AF41)
Real-Time Interactive      CS4     → AF41                SP-VIDEO (AF41)
Multimedia Streaming       AF31                          SP-CLASS1DATA (AF31, UDP)
Signaling                  CS3     → AF21                SP-CLASS2DATA (AF21, TCP)
Transactional Data         AF21                          SP-CLASS2DATA (AF21, TCP)
Network Management         CS2     → AF21                SP-CLASS2DATA (AF21, TCP)
Bulk Data                  AF11    → AF21                SP-CLASS2DATA (AF21, TCP)
Scavenger                  CS1     → AF11                SP-CLASS3DATA (AF11) *
Best Effort                DF                            SP-DEFAULT (DF)

* - Specified by ISP

6-Class QoS Model Configuration (Reference)
Tunnel Interface

IWAN Hub BR
policy-map WAN
 class INTERACTIVE-VIDEO
  bandwidth remaining percent 30
  random-detect dscp-based
  random-detect exponential-weighting-constant 9
  set dscp tunnel af41
 class STREAMING-VIDEO
  bandwidth remaining percent 10
  random-detect dscp-based
  random-detect exponential-weighting-constant 9
  set dscp tunnel af31
 class NET-CTRL-MGMT
  bandwidth remaining percent 5
  set dscp tunnel cs6
 class CALL-SIGNALING
  bandwidth remaining percent 4
  set dscp tunnel af21
 class CRITICAL-DATA
  bandwidth remaining percent 25
  random-detect dscp-based
  random-detect exponential-weighting-constant 9
  set dscp tunnel af21
 class SCAVENGER
  bandwidth remaining percent 1
  set dscp tunnel af11
 class VOICE
  priority level 1
  police cir percent 10
  set dscp tunnel ef
 class class-default
  bandwidth remaining percent 25
  random-detect
  random-detect exponential-weighting-constant 9
  set dscp tunnel default

Hub Router:
policy-map RS-GROUP-10MBPS-POLICY
 class class-default
  shape average 10 Mbps
  bandwidth remaining ratio 10
  service-policy WAN

interface Tunnel10
 bandwidth <service-rate>
 nhrp map group RS-GROUP-10MBPS service-policy output RS-GROUP-10MBPS-POLICY

Branch Router:
interface GigabitEthernet0/0
 bandwidth 10000
 service-policy output POLICY-TRANSPORT-1
!
interface Tunnel10
 bandwidth 10000
 nhrp group RS-GROUP-10MBPS
 tunnel source GigabitEthernet0/0
 tunnel vrf IWAN-TRANSPORT-1

6-Class QoS Model Configuration (Reference)
Physical Interface

IWAN Branch
policy-map WAN
 class INTERACTIVE-VIDEO
  bandwidth remaining percent 30
  random-detect dscp-based
  random-detect exponential-weighting-constant 9
  set dscp af41
 class STREAMING-VIDEO
  bandwidth remaining percent 10
  random-detect dscp-based
  random-detect exponential-weighting-constant 9
  set dscp af31
 class NET-CTRL-MGMT
  bandwidth remaining percent 5
  set dscp cs6
 class CALL-SIGNALING
  bandwidth remaining percent 4
  set dscp af21
 class CRITICAL-DATA
  bandwidth remaining percent 25
  random-detect dscp-based
  random-detect exponential-weighting-constant 9
  set dscp af21
 class SCAVENGER
  bandwidth remaining percent 1
  set dscp af11
 class VOICE
  priority level 1
  police cir percent 10
  set dscp ef
 class class-default
  bandwidth remaining percent 25
  random-detect
  random-detect exponential-weighting-constant 9
  set dscp default

Branch Router:
policy-map POLICY-TRANSPORT-1
 class class-default
  shape average 10 Mbps
  service-policy WAN

interface GigabitEthernet0/0
 bandwidth 10000
 service-policy output POLICY-TRANSPORT-1

Appendix B—
Campus QoS Design
Cisco Catalyst 2960-X
QoS Design
Catalyst 2960-X
QoS Roles in the Campus Access
[Diagram: port roles on the C2960-X access switch, which uplinks to the distribution switches]
• No Trust + Ingress Queuing + Egress Queuing
• Trust DSCP + Ingress Queuing + Egress Queuing
• Conditional Trust + Ingress Queuing + Egress Queuing
• Classification/Marking + [Optional Policing] + Ingress Queuing + Egress Queuing

Catalyst 2960-X Note: Catalyst 2960-X is QoS compatible with
QoS Design Steps the Catalyst 3560-X & 3750-X, with the
following exceptions:
1. Enable QoS • The Catalyst 3560-X & 3750-X support
ingress queuing policies, but the 2960-X
2. Configure Ingress QoS Model(s): does not.
 Trust Models • Similarly, the Catalyst 3560-X & 3750-X
 Conditional Trust Model support VLAN-based QoS policies, but the
2960-X does not.
 Service Policy Models
Note: Catalyst 2960-X must be running a LAN
3. Configure Egress Queuing Base image to support the following QoS
features
• Policy maps
• Policing & marking
• Mapping tables
• Weighted Tail Drop (WTD)

Catalyst 2960-X
Enabling QoS and Trust Models
Legend (original slide): shaded commands are global; highlighted commands are interface specific; key commands/parameters in RED.

Enabling QoS:
! global
mls qos

Trust-CoS Model Example:
! global
mls qos map cos-dscp 0 8 16 24 32 46 48 56
! interface
mls qos trust cos
Note: CoS 5 is explicitly mapped to DSCP 46

Trust-DSCP Model Example:
! interface
mls qos trust dscp

Conditional-Trust Model Example:
! interface
mls qos trust device cisco-phone [or]
mls qos trust device cts [or]
mls qos trust device ip-camera [or]
mls qos trust device media-player
Note: Only one type of device may be configured at a time

Catalyst 2960-X
Conditional Trust Model Example

Conditional Trust Policy to a Cisco IP Phone:

mls qos map cos-dscp 0 8 16 24 32 46 48 56
mls qos trust device cisco-phone
mls qos trust cos

Note: All CoS-to-DSCP values are left at default (DSCP = CoS * 8), except for CoS 5, which is explicitly mapped to DSCP 46 (Expedited Forwarding/EF, per RFC 3246 & 4594).
Note: CoS must be matched, as Cisco IP Phones only remark at Layer 2.
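The trust-boundary decision described above, as an added Python sketch (not Cisco code and not part of the original slides). It is a simplified model that assumes an untrusted port resets markings to DSCP 0; the function names and the `detected_device` parameter are hypothetical.

```python
# Added illustration (not Cisco code): simplified model of the ingress
# trust decision on a Catalyst 2960-X access port.
import re

DEFAULT_COS_DSCP = [cos * 8 for cos in range(8)]   # default map: DSCP = CoS * 8

# Configuration lines from the slide: the first is global, the other two
# are applied under the access interface.
SLIDE_CONFIG = """\
mls qos map cos-dscp 0 8 16 24 32 46 48 56
mls qos trust device cisco-phone
mls qos trust cos
"""


def parse_config(text):
    """Return (cos_dscp_map, port_settings) parsed from 'mls qos' lines."""
    cos_dscp = list(DEFAULT_COS_DSCP)
    port = {"trust": None, "device": None}
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"mls qos map cos-dscp((?: \d+){8})", line)
        if m:
            cos_dscp = [int(v) for v in m.group(1).split()]
            continue
        m = re.fullmatch(r"mls qos trust device (\S+)", line)
        if m:
            port["device"] = m.group(1)
            continue
        m = re.fullmatch(r"mls qos trust (cos|dscp)", line)
        if m:
            port["trust"] = m.group(1)
    return cos_dscp, port


def ingress_dscp(cos_dscp, port, frame_cos, packet_dscp, detected_device=None):
    """Internal DSCP assigned to a frame arriving on the modelled port."""
    if port["trust"] is None:
        return 0        # assumption: untrusted port resets marking to DSCP 0
    if port["device"] is not None and detected_device != port["device"]:
        return 0        # conditional trust: device not seen, port stays untrusted
    if port["trust"] == "dscp":
        return packet_dscp
    return cos_dscp[frame_cos]      # trust cos: map the Layer 2 marking


def demo():
    """Constructed frames: (description, CoS, DSCP, device seen on the port)."""
    cos_dscp, port = parse_config(SLIDE_CONFIG)
    frames = [
        ("voice from detected phone", 5, 46, "cisco-phone"),
        ("signaling from detected phone", 3, 24, "cisco-phone"),
        ("host marking EF, no phone present", 5, 46, None),
    ]
    return {name: ingress_dscp(cos_dscp, port, cos, dscp, dev)
            for name, cos, dscp, dev in frames}


if __name__ == "__main__":
    for name, dscp in demo().items():
        print(f"{name}: internal DSCP {dscp}")
```

The last constructed frame shows why the trust is conditional: an endpoint that marks its own traffic EF gains nothing unless the configured device type is actually detected on the port.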

Catalyst 2960-X
Marking Policy Model Example – Policy-Map & Class-Maps

class-map match-all VOIP
 match access-group name VOIP
class-map match-all MULTIMEDIA-CONFERENCING
 match access-group name MULTIMEDIA-CONFERENCING
class-map match-all SIGNALING
 match access-group name SIGNALING
class-map match-all TRANSACTIONAL-DATA
 match access-group name TRANSACTIONAL-DATA
class-map match-all BULK-DATA
 match access-group name BULK-DATA
class-map match-all SCAVENGER
 match access-group name SCAVENGER

policy-map MARKING-POLICY
 class VOIP
  set dscp ef
 class MULTIMEDIA-CONFERENCING
  set dscp af41
 class SIGNALING
  set dscp cs3
 class TRANSACTIONAL-DATA
  set dscp af21
 class BULK-DATA
  set dscp af11
 class SCAVENGER
  set dscp cs1
 class class-default
  set dscp default

! interface
service-policy input MARKING-POLICY

Catalyst 2960-X
Marking Policy Model Example – Access Control List
ip access-list extended SIGNALING
remark sccp
permit tcp any any eq 2000
permit tcp any any eq 2001
permit tcp any any eq 2002
remark rtsp
permit tcp any any eq 554
permit tcp any any eq 8554
remark sip
permit tcp any any eq 5060
permit udp any any eq 5060
remark sip-tls
permit tcp any any eq 5061
permit udp any any eq 5061
!

Catalyst 2960-X
Marking & Policing Policy Example

Note: Remarking is performed by configuring a policed-DSCP map with the global configuration command mls qos map policed-dscp, which specifies which DSCP values are subject to remarking if out-of-profile and what value these should be remarked as.

mls qos map policed-dscp 0 10 18 to 8

In this example exceeding:
• Best Effort (DSCP 0)
• Bulk (AF11 / DSCP 10)
• Transactional Data (AF21 / DSCP 18)
are remarked to Scavenger (CS1 / DSCP 8).

[class-maps omitted for brevity]
policy-map MARKING&POLICING
 class VVLAN-VOIP
  set dscp ef
  police 128k 8000 exceed-action drop
 class VVLAN-SIGNALING
  set dscp cs3
  police 32k 8000 exceed-action drop
 class MULTIMEDIA-CONFERENCING
  set dscp af41
  police 5m 8000 exceed-action drop
 class SIGNALING
  set dscp cs3
  police 32k 8000 exceed-action drop
 class TRANSACTIONAL-DATA
  set dscp af21
  police 10m 8000 exceed-action policed-dscp-transmit
 class BULK-DATA
  set dscp af11
  police 10m 8000 exceed-action policed-dscp-transmit
 class SCAVENGER
  set dscp cs1
  police 10m 8000 exceed-action drop
 class DEFAULT
  set dscp default
  police 10m 8000 exceed-action policed-dscp-transmit

! interface
service-policy input MARKING&POLICING
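How the two exceed actions on this slide behave, as an added Python sketch (not Cisco code and not part of the original slides). It models the policer as a plain token bucket, which is an assumption about the hardware; the `Policer` class, `run` helper and packet arrivals are constructed for illustration.

```python
# Added illustration (not Cisco code): single-rate policer with the two
# exceed actions used on the slide, including policed-DSCP markdown.
DSCP = {"ef": 46, "af41": 34, "cs3": 24, "af21": 18,
        "af11": 10, "cs1": 8, "default": 0}

# Lines reproduced from the slide (two of its eight classes).
SLIDE_CONFIG = """\
mls qos map policed-dscp 0 10 18 to 8
policy-map MARKING&POLICING
 class VVLAN-VOIP
  set dscp ef
  police 128k 8000 exceed-action drop
 class BULK-DATA
  set dscp af11
  police 10m 8000 exceed-action policed-dscp-transmit
"""


def parse_rate(token):
    """'128k' -> 128000 bit/s, '10m' -> 10000000 bit/s."""
    scale = {"k": 1_000, "m": 1_000_000}
    if token[-1] in scale:
        return int(token[:-1]) * scale[token[-1]]
    return int(token)


def parse_policy(text):
    """Return (policed_dscp_map, {class_name: settings})."""
    policed_map, classes, current = {}, {}, None
    for line in text.splitlines():
        words = line.split()
        if words[:4] == ["mls", "qos", "map", "policed-dscp"]:
            to = words.index("to")
            for value in words[4:to]:
                policed_map[int(value)] = int(words[to + 1])
        elif words[:1] == ["class"]:
            current = classes.setdefault(words[1], {})
        elif words[:2] == ["set", "dscp"] and current is not None:
            current["dscp"] = DSCP[words[2]]
        elif words[:1] == ["police"] and current is not None:
            current.update(rate=parse_rate(words[1]),
                           burst=int(words[2]), exceed=words[4])
    return policed_map, classes


class Policer:
    """Token bucket: 'burst' bytes deep, refilled at 'rate' bits per second."""

    def __init__(self, cls, policed_map):
        self.cls, self.policed_map = cls, policed_map
        self.tokens, self.last = float(cls["burst"]), 0.0

    def offer(self, now, size):
        """Return the DSCP the packet is sent with, or None if dropped."""
        refill = (now - self.last) * self.cls["rate"] / 8
        self.tokens = min(self.cls["burst"], self.tokens + refill)
        self.last = now
        marked = self.cls["dscp"]               # result of 'set dscp'
        if size <= self.tokens:                 # in profile
            self.tokens -= size
            return marked
        if self.cls["exceed"] == "drop":        # out of profile, dropped
            return None
        return self.policed_map.get(marked, marked)   # policed-dscp-transmit


def run(class_name, arrivals, config=SLIDE_CONFIG):
    """arrivals: list of (time_in_seconds, size_in_bytes), constructed input."""
    policed_map, classes = parse_policy(config)
    policer = Policer(classes[class_name], policed_map)
    return [policer.offer(now, size) for now, size in arrivals]


if __name__ == "__main__":
    print(run("BULK-DATA", [(0.0, 1500)] * 7))
    print(run("VVLAN-VOIP", [(0.0, 4000), (0.0, 4000), (0.0, 200), (0.25, 200)]))
```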

Catalyst 2960-X
1P3Q3T Egress Queuing Model
[Figure: application classes mapped by DSCP to the 1P3Q3T egress queues]
Application: DSCP. Network Control: (CS7); Internetwork Control: CS6; VoIP: EF; Broadcast Video: CS5; Multimedia Conferencing: AF4; Realtime Interactive: CS4; Multimedia Streaming: AF3; Signaling: CS3; Transactional Data: AF2; Network Management: CS2; Bulk Data: AF1; Scavenger: CS1; Best Effort: DF
1P3Q3T:
• Q1, Priority Queue: EF, CS5, CS4
• Queue 2 (30%): Q2T3: CS7, CS6; Q2T2: CS3; Q2T1: AF4, AF3, AF2, CS2
• Queue 3 (35%), Default Queue: DF
• Queue 4 (5%): Q4T2: AF1; Q4T1: CS1

Catalyst 2960-X
1P3Q3T Egress Queuing Model Config—Part 1 of 2

Note: The Catalyst 2960-X can also be configured to use an 8-queue model; however this model is NOT supported in a stack, nor is it supported if AutoQoS is enabled.

! This section configures egress buffers and thresholds
mls qos queue-set output 1 buffers 15 30 35 20
mls qos queue-set output 1 threshold 1 100 100 100 100
mls qos queue-set output 1 threshold 2 80 90 100 3200
mls qos queue-set output 1 threshold 3 100 100 100 3200
mls qos queue-set output 1 threshold 4 60 100 100 3200

The buffers command allocates buffers to Q1, Q2, Q3 and Q4 (respectively).
Each queue has 4 thresholds:
• WTD Threshold 1
• WTD Threshold 2
• Reserved Threshold—buffers that may NOT be shared with adjacent port-queues
• Maximum Threshold—maximum amount of buffers that may be borrowed from common buffer pools (if available)

! This section configures egress CoS-to-Queue mappings
mls qos srr-queue output cos-map queue 1 threshold 3 4 5
mls qos srr-queue output cos-map queue 2 threshold 1 2
mls qos srr-queue output cos-map queue 2 threshold 2 3
mls qos srr-queue output cos-map queue 2 threshold 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 0
mls qos srr-queue output cos-map queue 4 threshold 3 1

If the packet enters the switch on a port that is set to trust cos then these CoS-to-Queue mappings will be used to determine how the packet is queued on egress.

Catalyst 2960-X
1P3Q3T Egress Queuing Model Config—Part 2 of 2

! This section configures egress DSCP-to-Queue mappings
mls qos srr-queue output dscp-map queue 1 threshold 3 32 40 46
mls qos srr-queue output dscp-map queue 2 threshold 1 16 18 20 22
mls qos srr-queue output dscp-map queue 2 threshold 1 26 28 30 34 36 38
mls qos srr-queue output dscp-map queue 2 threshold 2 24
mls qos srr-queue output dscp-map queue 2 threshold 3 48 56
mls qos srr-queue output dscp-map queue 3 threshold 3 0
mls qos srr-queue output dscp-map queue 4 threshold 1 8
mls qos srr-queue output dscp-map queue 4 threshold 2 10 12 14

If the packet enters the switch on a port that is set to trust dscp then these DSCP-to-Queue mappings will be used to determine how the packet is queued on egress.

! This section configures interface egress queuing parameters
queue-set 1
srr-queue bandwidth share 1 30 35 5
priority-queue out

• srr-queue bandwidth share: Allocates bandwidth to each queue by means of a WRR weight. Q1 weight is ignored, as it’s operating as a PQ.
• priority-queue out: Enables the PQ.

Catalyst 2960-X
EtherChannel QoS Design

All QoS policies are configured on the physical port-member interfaces only

Platform: Catalyst 2960/3560/3750
• QoS Policies Applied to the (Logical) Port-Channel Interface: (none)
• QoS Policies Applied to the (Physical) Port-Member Interfaces: Classification & Marking (Ingress) and Queuing (Egress)

Catalyst 2960-X QoS Design At-A-Glance

https://cisco.app.box.com/v/QoS-AAGs
Catalyst 3560-X/3750-X QoS Design At-A-Glance

https://cisco.app.box.com/v/QoS-AAGs
Catalyst 6500/6800
Queuing Models
Catalyst 65xx-E / 6807-XL with Sup2T/6T
Ingress & Egress Queueing Models
• Ingress Queue Structures
  • 1Q8T: CoS to Queue Mapping, CoS-based Tail-Drop
  • 2Q4T: CoS to Queue Mapping, CoS-based Tail-Drop
  • 2Q8T: CoS to Queue Mapping, CoS-based Tail-Drop
  • 8Q4T: DSCP to Queue Mapping, DSCP-based WRED
  • 8Q8T: CoS to Queue Mapping, CoS-based WRED
  • 1P7Q2T: DSCP to Queue Mapping, DSCP-based WRED
• Ingress & Egress Queue Structures
  • 2P6Q4T: DSCP to Queue Mapping, DSCP-based WRED
• Egress Queue Structures
  • 1P3Q8T: CoS to Queue Mapping, CoS-based WRED
  • 1P3Q4T: CoS to Queue Mapping, CoS-based WRED
  • 1P7Q4T: DSCP to Queue Mapping, DSCP-based WRED*
  • 1P7Q8T: CoS to Queue Mapping, CoS-based WRED
* 1P7Q4T can be implemented as an alternate ingress queueing structure to 2P6Q4T

1Q8T – Ingress Queueing
CoS to Queue Mapping
CoS-based Tail-Drop
1Q8T Ingress Queueing Linecards
• WS-X6704-10GE with CFC
• WS-X6724-SFP with CFC
• WS-X6748-SFP and WS-X6748-GE-TX with CFC

Catalyst 65xx-E/6807-XL with Sup2T/6T
1Q8T Ingress Queuing Models—CoS-to-Queue Mapping w/ CoS-based Tail-Drop
[Figure: application classes mapped by DSCP and CoS to the 1Q8T ingress queue thresholds]
Application-Class: DSCP, CoS. Network Control: (CS7), CoS 7; Internetwork Control: CS6, CoS 6; VoIP: EF, CoS 5; Broadcast Video: CS5, CoS 5; Multimedia Conferencing: AF4, CoS 4; Realtime Interactive: CS4, CoS 4; Multimedia Streaming: AF3, CoS 3; Signaling: CS3, CoS 3; Transactional Data: AF2, CoS 2; Network Management: CS2, CoS 2; Bulk Data: AF1, CoS 1; Scavenger: CS1, CoS 1; Best Effort: DF, CoS 0
1Q8T (all noted thresholds are tail-drop thresholds):
• Q1T8—100%: CoS 7
• Q1T7—95%: CoS 6
• Q1T6—90%: CoS 5
• Q1T5—85%: CoS 4
• Q1T4—80%: CoS 3
• Q1T3—75%: CoS 2
• Q1T2—70%: CoS 0
• Q1T1—65%: CoS 1

Catalyst 65xx-E/6807-XL—1Q8T Ingress Model

policy-map type lan-queuing QUEUING-1Q8T-IN
 class class-default
  queue-limit cos 7 percent 100
  queue-limit cos 6 percent 95
  queue-limit cos 5 percent 90
  queue-limit cos 4 percent 85
  queue-limit cos 3 percent 80
  queue-limit cos 2 percent 75
  queue-limit cos 0 percent 70
  queue-limit cos 1 percent 65
interface GigabitEthernet1/1
 service-policy type lan-queuing input QUEUING-1Q8T-IN

Note: Un-configured CoS values default to threshold 8, which is 100%. The CoS 7 value may not need to be configured, as it should default to 100%; however, it is shown here for completeness. Explicitly configuring it is recommended.

2Q4T – Ingress Queueing
CoS to Queue Mapping
CoS-based Tail-Drop
2Q4T Ingress Queueing Linecards
• VS-S2T-10G and VS-S2T-10G-XL with Gigabit Ethernet ports enabled
• Applies to all ports on the Supervisor 2T

Catalyst 65xx-E/6807-XL with Sup2T
2Q4T Ingress Queuing Models—CoS-to-Queue Mapping
[Figure: application classes mapped by DSCP and CoS to the 2Q4T ingress queues]
Application-Class: DSCP, CoS. Network Control: (CS7), CoS 7; Internetwork Control: CS6, CoS 6; VoIP: EF, CoS 5; Broadcast Video: CS5, CoS 5; Multimedia Conferencing: AF4, CoS 4; Realtime Interactive: CS4, CoS 4; Multimedia Streaming: AF3, CoS 3; Signaling: CS3, CoS 3; Transactional Data: AF2, CoS 2; Network Management: CS2, CoS 2; Bulk Data: AF1, CoS 1; Scavenger: CS1, CoS 1; Best Effort: DF, CoS 0
2Q4T:
• Q2 (40% BW): CoS 7, CoS 6, CoS 5, CoS 4
• Q1 (60% BW): CoS 3, CoS 2, CoS 0, CoS 1

Catalyst 65xx-E/6807-XL with Sup2T
2Q4T Ingress Queuing Models—CoS-to-Queue Mapping w/ CoS-based Tail-Drop
[Figure: application classes mapped by DSCP and CoS to the 2Q4T ingress queues and thresholds]
Application-Class: DSCP, CoS. Network Control: (CS7), CoS 7; Internetwork Control: CS6, CoS 6; VoIP: EF, CoS 5; Broadcast Video: CS5, CoS 5; Multimedia Conferencing: AF4, CoS 4; Realtime Interactive: CS4, CoS 4; Multimedia Streaming: AF3, CoS 3; Signaling: CS3, CoS 3; Transactional Data: AF2, CoS 2; Network Management: CS2, CoS 2; Bulk Data: AF1, CoS 1; Scavenger: CS1, CoS 1; Best Effort: DF, CoS 0
2Q4T (all noted thresholds are tail-drop thresholds):
• Q2 (40% BW): Q2T4—100%: CoS 7; Q2T3—95%: CoS 6; Q2T2—90%: CoS 5; Q2T1—85%: CoS 4
• Q1 (60% BW): Q1T4—100%: CoS 3; Q1T3—95%: CoS 2; Q1T2—90%: CoS 0; Q1T1—85%: CoS 1

Catalyst 65xx-E/6807-XL—2Q4T Ingress Model

class-map type lan-queuing match-all Q2-2Q4T-QUEUE
 match cos 7 6 5 4

policy-map type lan-queuing QUEUING-2Q4T-IN
 class Q2-2Q4T-QUEUE
  bandwidth percent 40
  queue-limit cos 7 percent 100
  queue-limit cos 6 percent 95
  queue-limit cos 5 percent 90
  queue-limit cos 4 percent 85
 class class-default
  queue-limit cos 3 percent 100
  queue-limit cos 2 percent 95
  queue-limit cos 0 percent 90
  queue-limit cos 1 percent 85

interface GigabitEthernet1/3/1
 service-policy type lan-queuing input QUEUING-2Q4T-IN
interface TenGigabitEthernet1/3/4
 service-policy type lan-queuing input QUEUING-2Q4T-IN

Note: Un-configured CoS values default to threshold 8, which is 100%. The CoS 7 or CoS 3 values may not need to be configured, as these should default to 100%, but they are shown here for completeness. Explicitly configuring thresholds is recommended, however.

2Q8T – Ingress Queueing
CoS to Queue Mapping
CoS-based Tail-Drop
2Q8T Ingress Queueing Linecards
• WS-X6724-SFP with DFC4/DFC4XL upgrade (WS-F6k-DFC4-A, WS-F6k-DFC4-AXL)
• WS-X6748-SFP and WS-X6748-GE-TX with DFC4/DFC4XL upgrade (WS-F6k-DFC4-A,
WS-F6k-DFC4-AXL)
• WS-X6824-SFP-2T and WS-X6824-SFP-2TXL
• WS-X6848-SFP-2T, WS-X6848-SFP-2TXL, WS-X6848-TX-2T and WS-X6848-TX-2TXL

Cisco Catalyst 65xx-E/6807-XL with Sup2T
2Q8T Ingress Queuing Models—CoS-to-Queue Mapping
[Figure: application classes mapped by DSCP and CoS to the 2Q8T ingress queues]
Application-Class: DSCP, CoS. Network Control: (CS7), CoS 7; Internetwork Control: CS6, CoS 6; VoIP: EF, CoS 5; Broadcast Video: CS5, CoS 5; Multimedia Conferencing: AF4, CoS 4; Realtime Interactive: CS4, CoS 4; Multimedia Streaming: AF3, CoS 3; Signaling: CS3, CoS 3; Transactional Data: AF2, CoS 2; Network Management: CS2, CoS 2; Bulk Data: AF1, CoS 1; Scavenger: CS1, CoS 1; Best Effort: DF, CoS 0
2Q8T:
• Q2 (40% BW): CoS 7, CoS 6, CoS 5, CoS 4
• Q1 (60% BW): CoS 3, CoS 2, CoS 0, CoS 1

Cisco Catalyst 65xx-E/6807-XL with Sup2T
2Q8T Ingress Queuing Models—CoS-to-Queue Mapping w/ CoS-based Tail-Drop
[Figure: application classes mapped by DSCP and CoS to the 2Q8T ingress queues and thresholds]
Application-Class: DSCP, CoS. Network Control: (CS7), CoS 7; Internetwork Control: CS6, CoS 6; VoIP: EF, CoS 5; Broadcast Video: CS5, CoS 5; Multimedia Conferencing: AF4, CoS 4; Realtime Interactive: CS4, CoS 4; Multimedia Streaming: AF3, CoS 3; Signaling: CS3, CoS 3; Transactional Data: AF2, CoS 2; Network Management: CS2, CoS 2; Bulk Data: AF1, CoS 1; Scavenger: CS1, CoS 1; Best Effort: DF, CoS 0
2Q8T (all noted thresholds are tail-drop thresholds):
• Q2 (40% BW): Q2T4—100%: CoS 7; Q2T3—95%: CoS 6; Q2T2—90%: CoS 5; Q2T1—85%: CoS 4
• Q1 (60% BW): Q1T4—100%: CoS 3; Q1T3—95%: CoS 2; Q1T2—90%: CoS 0; Q1T1—85%: CoS 1

Catalyst 65xx-E/6807-XL—2Q8T Ingress Model

class-map type lan-queuing match-all Q2-2Q8T-QUEUE
 match cos 7 6 5 4

policy-map type lan-queuing QUEUING-2Q8T-IN
 class Q2-2Q8T-QUEUE
  bandwidth percent 40
  queue-limit cos 7 percent 100
  queue-limit cos 6 percent 95
  queue-limit cos 5 percent 90
  queue-limit cos 4 percent 85
 class class-default
  queue-limit cos 3 percent 100
  queue-limit cos 2 percent 95
  queue-limit cos 0 percent 90
  queue-limit cos 1 percent 85
interface GigabitEthernet1/3/2
 service-policy type lan-queuing input QUEUING-2Q8T-IN

Note: Un-configured CoS values default to threshold 8, which is 100%. The CoS 7 or CoS 3 values may not need to be configured, as these should default to 100%. Explicitly configuring thresholds is recommended.

8Q4T – Ingress Queueing
DSCP to Queue Mapping
DSCP-based WRED
8Q4T Ingress Queueing Linecards
• VS-S2T-10G, VS-S2T-10G-XL with Gigabit Ethernet ports disabled
• WS-X6908-10G-2T, WS-X6908-10G-2TXL
• WS-X6816-10T-2T, WS-X6816-10T-2TXL, WS-X6816-10G-2T, WS-X6816-10G-2TXL in performance mode
• WS-X6716-10G-3C, WS-X6716-10G-3CXL, WS-X6716-10T-3C, WS-X6716-10T-3CXL with a DFC4 or DFC4XL upgrade (WS-F6k-DFC4-E, WS-F6k-DFC4-EXL) in performance mode

How to Disable or Display the State of
GigabitEthernet Interfaces on the Sup2T

Global command disables GigabitEthernet interfaces on the Sup2T:
o23-6500-1(config)#platform qos 10g-only

Global command to show whether the GigabitEthernet interfaces on the Sup2T are enabled or disabled:
o23-6500-1#show platform qos module 3
QoS is enabled globally
Port QoS is enabled globally
QoS serial policing mode enabled globally
Distributed Policing is Disabled
Secondary PUPs are enabled
QoS Trust state is DSCP on the following interface:
EO0/2 Gi1/1 Gi1/2 Gi1/3 Gi1/4 Gi1/5 Gi1/6 Gi1/7 Gi1/8 Gi1/9
Gi1/10 Gi1/11 Gi1/12 Gi1/13 Gi1/14 Gi1/15 Gi1/16 Gi1/17 Gi1/18 Gi1/19
Gi1/20 Gi1/21 Gi1/22 Gi1/23 Gi1/24 Gi1/25 Gi1/26 Gi1/27 Gi1/28 Gi1/29
Gi1/30 Gi1/31 Gi1/32 Gi1/33 Gi1/34 Gi1/35 Gi1/36 Gi1/37 Gi1/38 Gi1/39
Gi1/40 Gi1/41 Gi1/42 Gi1/43 Gi1/44 Gi1/45 Gi1/46 Gi1/47 Gi1/48 Te2/1
Te2/2 Te2/3 Te2/4 Te2/5 Te2/6 Te2/7 Te2/8 Gi3/1 Gi3/2 Gi3/3
Te3/4 Te3/5 Te5/1 Te5/2 Te5/3 Te5/4 Te5/5 Te5/6 Te5/7 Te5/8
Te5/9 Te5/10 Te5/11 Te5/12 Te5/13 Te5/14 Te5/15 Te5/16 Te6/1 Te6/2
Te6/3 Te6/4 CPP CPP.1 Vl1
QoS 10g-only mode supported: Yes [Current mode: Off]
Global Policy-map: ingress[]

Note ("Current mode: Off"): GigabitEthernet interfaces on the Sup2T are currently enabled

How to Enable or Display Performance Mode on Linecards

Global command enables performance mode on a port group of a linecard:
o23-6500-1(config)#no hw-module slot 5 oversubscription port-group 4

Global command to show whether the oversubscription is enabled or disabled (performance mode) per port group of a linecard:
o23-6500-1#show hw-module slot 5 oversubscription
port-group oversubscription-mode
1 enabled
2 enabled
3 enabled
4 disabled

Cisco Catalyst 65xx-E/6807-XL with Sup2T
8Q4T Ingress Queuing Models—DSCP-to-Queue Mapping
[Figure: application classes mapped by DSCP to the 8Q4T ingress queues]
Application-Class: DSCP. Network Control: (CS7); Internetwork Control: CS6; VoIP: EF; Broadcast Video: CS5; Multimedia Conferencing: AF4; Realtime Interactive: CS4; Multimedia Streaming: AF3; Signaling: CS3; Transactional Data: AF2; Network Management: CS2; Bulk Data: AF1; Scavenger: CS1; Best Effort: DF
8Q4T:
• Realtime Queue (10% BW): EF, CS5, CS4
• Control Queue (10% BW): CS7, CS6, CS3, CS2
• Multimedia-Conferencing Queue (20% BW + DSCP-WRED): AF4
• Multimedia-Streaming Queue (20% BW + DSCP-WRED): AF3
• Transactional Data Queue (10% BW + DSCP-WRED): AF2
• Bulk Data Queue (4% BW + DSCP-WRED): AF1
• Scavenger Queue (1% BW): CS1
• Default Queue (25% BW + DSCP-WRED): DF

Cisco Catalyst 65xx-E/6807-XL with Sup2T
8Q4T Ingress Queuing Models—DSCP-to-Queue with DSCP-WRED
[Figure: application classes mapped by DSCP to the 8Q4T ingress queues and WRED thresholds]
Application-Class: DSCP. Network Control: (CS7); Internetwork Control: CS6; VoIP: EF; Broadcast Video: CS5; Multimedia Conferencing: AF4; Realtime Interactive: CS4; Multimedia Streaming: AF3; Signaling: CS3; Transactional Data: AF2; Network Management: CS2; Bulk Data: AF1; Scavenger: CS1; Best Effort: DF
8Q4T (all noted thresholds are Min WRED thresholds; all max WRED thresholds are set to 100%):
• Realtime Queue (10% BW): EF, CS5, CS4
• Control-Plane Queue (10% BW): CS7, CS6, CS3, CS2
• Multimedia-Conferencing Queue (20% BW + DSCP-WRED): Q6T3—80%: AF41; Q6T2—70%: AF42; Q6T1—60%: AF43
• Multimedia-Streaming Queue (20% BW + DSCP-WRED): Q5T3—80%: AF31; Q5T2—70%: AF32; Q5T1—60%: AF33
• Transactional Data Queue (10% BW + DSCP-WRED): Q4T3—80%: AF21; Q4T2—70%: AF22; Q4T1—60%: AF23
• Bulk Data Queue (4% BW + DSCP-WRED): Q3T3—80%: AF11; Q3T2—70%: AF12; Q3T1—60%: AF13
• Scavenger Queue (1% BW): CS1
• Default Queue (25% BW + DSCP-WRED): DF

Catalyst 65xx-E/6807-XL —8Q4T Ingress Model
class-map type lan-queuing match-all REALTIME-8Q4T-QUEUE
match dscp cs4 cs5 ef
class-map type lan-queuing match-all CONTROL-8Q4T-QUEUE
match dscp cs2 cs3 cs6 cs7
class-map type lan-queuing match-all MM_CONF-8Q4T-QUEUE
match dscp af41 af42 af43
class-map type lan-queuing match-all MM_STREAM-8Q4T-QUEUE
match dscp af31 af32 af33
class-map type lan-queuing match-all TRANS_DATA-8Q4T-QUEUE
match dscp af21 af22 af23
class-map type lan-queuing match-all BULK_DATA-8Q4T-QUEUE
match dscp af11 af12 af13
class-map type lan-queuing match-all SCAVENGER-8Q4T-QUEUE
match dscp cs1

Catalyst 65xx-E/6807-XL —8Q4T Ingress Model
policy-map type lan-queuing QUEUEING-8Q4T-IN
class REALTIME-8Q4T-QUEUE
bandwidth percent 10
class CONTROL-8Q4T-QUEUE
bandwidth percent 10
class MM_CONF-8Q4T-QUEUE
bandwidth percent 20
random-detect dscp-based
random-detect dscp af41 percent 80 100
random-detect dscp af42 percent 70 100
random-detect dscp af43 percent 60 100
class MM_STREAM-8Q4T-QUEUE
bandwidth percent 20
random-detect dscp-based
random-detect dscp af31 percent 80 100
random-detect dscp af32 percent 70 100
random-detect dscp af33 percent 60 100

Catalyst 65xx-E/6807-XL —8Q4T Ingress Model
[continued]
class TRANS_DATA-8Q4T-QUEUE
bandwidth percent 10
random-detect dscp-based
random-detect dscp af21 percent 80 100
random-detect dscp af22 percent 70 100
random-detect dscp af23 percent 60 100
class BULK_DATA-8Q4T-QUEUE
bandwidth percent 4
random-detect dscp-based
random-detect dscp af11 percent 80 100
random-detect dscp af12 percent 70 100
random-detect dscp af13 percent 60 100
class SCAVENGER-8Q4T-QUEUE
bandwidth percent 1
class class-default
random-detect dscp-based
random-detect dscp default percent 80 100
interface TenGigabitEthernet1/3/4
service-policy type lan-queuing input QUEUEING-8Q4T-IN
8Q8T – Ingress Queueing
CoS to Queue Mapping
CoS-based Tail-Drop
8Q8T Ingress Queueing Linecards
WS-X6704-10GE supported with a DFC4/DFC4XL upgrade (WS-F6k-DFC4-A,
WS-F6k-DFC4-AXL)

o23-6500-1#show module
Mod Ports Card Type Model Serial No.
--- ----- -------------------------------------- ------------------ -----------
1 48 CEF720 48 port 10/100/1000mb Ethernet WS-X6748-GE-TX SAL10478SWP
2 8 DCEF2T 8 port 10GE WS-X6908-10G SAL172682AK
3 5 Supervisor Engine 2T 10GE w/ CTS (Acti VS-SUP2T-10G SAL1702WNR0
5 16 CEF720 16 port 10GE WS-X6716-10GE SAL1228WYB7
6 4 CEF720 4 port 10-Gigabit Ethernet WS-X6704-10GE SAL15013XBH

Mod Sub-Module Model Serial Hw Status


---- --------------------------- ------------------ ----------- ------- -------
1 Centralized Forwarding Card WS-F6700-CFC SAD074308C9 1.1 Ok
2 Distributed Forwarding Card WS-F6K-DFC4-E SAL17152T2R 1.2 Ok
3 Policy Feature Card 4 VS-F6K-PFC4 SAL1638N3R3 1.2 Ok
3 CPU Daughterboard VS-F6K-MSFC5 SAL1702WNG1 1.5 Ok
5 Distributed Forwarding Card WS-F6K-DFC4-E SAL1541SQHX 1.1 Ok
6 Centralized Forwarding Card WS-F6700-CFC SAL1518CRZ3 4.1 PwrDown

Cisco Catalyst 65xx-E/6807-XL with Sup2T
8Q8T Ingress Queuing Models—CoS-to-Queue Mapping with CoS-based WRED
[Figure: application classes mapped by DSCP and CoS to the 8Q8T ingress queues]
Application-Class: DSCP, CoS. Network Control: (CS7), CoS 7; Internetwork Control: CS6, CoS 6; VoIP: EF, CoS 5; Broadcast Video: CS5, CoS 5; Multimedia Conferencing: AF4, CoS 4; Realtime Interactive: CS4, CoS 4; Multimedia Streaming: AF3, CoS 3; Signaling: CS3, CoS 3; Transactional Data: AF2, CoS 2; Network Management: CS2, CoS 2; Bulk Data: AF1, CoS 1; Scavenger: CS1, CoS 1; Best Effort: DF, CoS 0
8Q8T:
• Q8-VoIP-Broadcast Queue (10% BW): CoS 5
• Q7-Network Control Queue (5% BW): CoS 7
• Q6-Internetwork Control Queue (5% BW): CoS 6
• Q5-Multimedia-Realtime Queue (20% BW): CoS 4
• Q4-Streaming-Signaling Queue (20% BW): CoS 3
• Q3-Transactional-Management Queue (10% BW): CoS 2
• Q2-Bulk-Scavenger Queue (5% BW): CoS 1
• Q1-Default Queue (25% BW): CoS 0

Catalyst 65xx-E/6807-XL —8Q8T Ingress Model
class-map type lan-queuing match-all Q8-8Q8T-QUEUE
match cos 7
class-map type lan-queuing match-all Q7-8Q8T-QUEUE
match cos 6
class-map type lan-queuing match-all Q6-8Q8T-QUEUE
match cos 5
class-map type lan-queuing match-all Q5-8Q8T-QUEUE
match cos 4
class-map type lan-queuing match-all Q4-8Q8T-QUEUE
match cos 3
class-map type lan-queuing match-all Q3-8Q8T-QUEUE
match cos 2
class-map type lan-queuing match-all Q2-8Q8T-QUEUE
match cos 1

Catalyst 65xx-E/6807-XL —8Q8T Ingress Model
policy-map type lan-queuing QUEUEING-8Q8T-IN
class Q8-8Q8T-QUEUE
bandwidth percent 10
class Q7-8Q8T-QUEUE
bandwidth percent 5
class Q6-8Q8T-QUEUE
bandwidth percent 5
class Q5-8Q8T-QUEUE
bandwidth percent 20
class Q4-8Q8T-QUEUE
bandwidth percent 20
class Q3-8Q8T-QUEUE
bandwidth percent 10
class Q2-8Q8T-QUEUE
bandwidth percent 5
class class-default
interface TenGigabitEthernet1/3/4
service-policy type lan-queuing input QUEUEING-8Q8T-IN

1P7Q2T – Ingress Queueing
DSCP to Queue Mapping
DSCP-based WRED
1P7Q2T Ingress Queueing Linecards
• WS-X6716-10G-3C, WS-X6716-10G-3CXL, WS-X6716-10T-3C, WS-X6716-10T-3CXL with a DFC4 or DFC4XL upgrade (WS-F6k-DFC4-E, WS-F6k-DFC4-EXL) in oversubscription mode
• WS-X6816-10T-2T, WS-X6816-10T-2TXL, WS-X6816-10G-2T, WS-X6816-10G-2TXL in oversubscription mode

Cisco Catalyst 65xx-E/6807-XL with Sup2T
1P7Q2T Ingress Queuing Models—DSCP-to-Queue Mapping
[Figure: application classes mapped by DSCP to the 1P7Q2T ingress queues]
Application-Class: DSCP. Network Control: (CS7); Internetwork Control: CS6; VoIP: EF; Broadcast Video: CS5; Multimedia Conferencing: AF4; Realtime Interactive: CS4; Multimedia Streaming: AF3; Signaling: CS3; Transactional Data: AF2; Network Management: CS2; Bulk Data: AF1; Scavenger: CS1; Best Effort: DF
1P7Q2T:
• Realtime Queue (Priority): EF, CS5, CS4
• Control Plane Queue (10% BWR): CS7, CS6, CS3, CS2
• Multimedia-Conferencing Queue (20% BWR + DSCP-WRED): AF4
• Multimedia-Streaming Queue (15% BWR + DSCP-WRED): AF3
• Transactional Data Queue (15% BWR + DSCP-WRED): AF2
• Bulk Data Queue (9% BWR + DSCP-WRED): AF1
• Scavenger Queue (1% BW): CS1
• Default Queue (30% BWR + DSCP-WRED): DF

Cisco Catalyst 65xx-E/6807-XL with Sup2T
1P7Q2T Ingress Queuing Models—DSCP-to-Queue Mapping (DSCP-WRED)
[Figure: application classes mapped by DSCP to the 1P7Q2T ingress queues and WRED thresholds]
Application-Class: DSCP. Network Control: (CS7); Internetwork Control: CS6; VoIP: EF; Broadcast Video: CS5; Multimedia Conferencing: AF4; Realtime Interactive: CS4; Multimedia Streaming: AF3; Signaling: CS3; Transactional Data: AF2; Network Management: CS2; Bulk Data: AF1; Scavenger: CS1; Best Effort: DF
1P7Q2T (all noted thresholds are Min WRED thresholds; all max WRED thresholds are set to 100%):
• Realtime Queue (Priority): EF, CS5, CS4
• Control Plane Queue (10% BWR): CS7, CS6, CS3, CS2
• Multimedia-Conferencing Queue (20% BWR + DSCP-WRED): Q6T2—80%: AF41; Q6T1—70%: AF42, AF43
• Multimedia-Streaming Queue (15% BWR + DSCP-WRED): Q5T2—80%: AF31; Q5T1—70%: AF32, AF33
• Transactional Data Queue (15% BWR + DSCP-WRED): Q4T2—80%: AF21; Q4T1—70%: AF22, AF23
• Bulk Data Queue (9% BWR + DSCP-WRED): Q3T2—80%: AF11; Q3T1—70%: AF12, AF13
• Scavenger Queue (1% BW): CS1
• Default Queue (30% BWR + DSCP-WRED): DF

Cisco Catalyst 65xx-E/6807-XL - 1P7Q2T Ingress Model
class-map type lan-queuing match-all REALTIME-1P7Q2T-QUEUE
 match dscp cs4 cs5 ef
class-map type lan-queuing match-all CONTROL-1P7Q2T-QUEUE
 match dscp cs2 cs3 cs6 cs7
class-map type lan-queuing match-all MM_CONF-1P7Q2T-QUEUE
 match dscp af41 af42 af43
class-map type lan-queuing match-all MM_STREAM-1P7Q2T-QUEUE
 match dscp af31 af32 af33
class-map type lan-queuing match-all TRANS_DATA-1P7Q2T-QUEU
 match dscp af21 af22 af23
class-map type lan-queuing match-all BULK_DATA-1P7Q2T-QUEUE
 match dscp af11 af12 af13
class-map type lan-queuing match-all SCAVENGER-1P7Q2T-QUEUE
 match dscp cs1

Catalyst 65xx-E/6807-XL —1P7Q2T Ingress Model
policy-map type lan-queuing QUEUEING-1P7Q2T-IN
class REALTIME-1P7Q2T-QUEUE
priority
class CONTROL-1P7Q2T-QUEUE
bandwidth remaining percent 10
class MM_CONF-1P7Q2T-QUEUE
bandwidth remaining percent 20
class MM_STREAM-1P7Q2T-QUEUE
bandwidth remaining percent 15

Catalyst 65xx-E/6807-XL - 1P7Q2T Ingress Model
[continued]
class TRANS_DATA-1P7Q2T-QUEU
bandwidth remaining percent 15
class BULK_DATA-1P7Q2T-QUEUE
bandwidth remaining percent 9
class SCAVENGER-1P7Q2T-QUEUE
bandwidth remaining percent 1
class class-default
interface TenGigabitEthernet1/3/4
service-policy type lan-queuing input QUEUEING-1P7Q2T-IN

2P6Q4T Ingress & Egress Queueing
DSCP to Queue Mapping
DSCP-based WRED
2P6Q4T Ingress Queueing Linecards
• WS-X6904-40G-2T and WS-X6904-40G-2TXL
• C6800-8P10G, C6800-8P10G-XL
• C6800-16P10G, C6800-16P10G-XL
• C6800-32P10G, C6800-32P10G-XL

Cisco Catalyst 65xx-E/6807-XL with Sup2T
2P6Q4T (Ingress & Egress Queuing Models—DSCP-to-Queue)
[Figure: application classes mapped by DSCP to the 2P6Q4T queues]
Application-Class: DSCP. Network Control: (CS7); Internetwork Control: CS6; VoIP: EF; Broadcast Video: CS5; Multimedia Conferencing: AF4; Realtime Interactive: CS4; Multimedia Streaming: AF3; Signaling: CS3; Transactional Data: AF2; Network Management: CS2; Bulk Data: AF1; Scavenger: CS1; Best Effort: DF
2P6Q4T:
• Voice-PQ1 (Priority Level 1): EF
• Video-PQ2 (Priority Level 2): CS4, CS5, AF4
• Control Plane Queue (10% BWR): CS7 & CS6, CS3 & CS2
• Multimedia-Streaming Queue (20% BWR + DSCP-WRED): AF3
• Transactional Data Queue (20% BWR + DSCP-WRED): AF2
• Bulk Data Queue (14% BWR + DSCP-WRED): AF1
• Scavenger Queue (1% BWR + DSCP-WRED): CS1
• Default Queue (35% BWR + WRED): DF

Cisco Catalyst 65xx-E/6807-XL with Sup2T
2P6Q4T (Ingress & Egress Queuing Models—DSCP-to-Queue with DSCP WRED)
[Figure: application classes mapped by DSCP to the 2P6Q4T queues and WRED thresholds]
Application-Class: DSCP. Network Control: (CS7); Internetwork Control: CS6; VoIP: EF; Broadcast Video: CS5; Multimedia Conferencing: AF4; Realtime Interactive: CS4; Multimedia Streaming: AF3; Signaling: CS3; Transactional Data: AF2; Network Management: CS2; Bulk Data: AF1; Scavenger: CS1; Best Effort: DF
2P6Q4T:
• Voice-PQ1 (Priority Level 1): EF
• Video-PQ2 (Priority Level 2): CS4, CS5, AF4
• Control Plane Queue (10% BWR): CS7 & CS6, CS3 & CS2
• Multimedia-Streaming Queue (20% BWR + DSCP-WRED): Q4T3—80%: AF31; Q4T2—70%: AF32; Q4T1—60%: AF33
• Transactional Data Queue (20% BWR + DSCP-WRED): Q3T3—80%: AF21; Q3T2—70%: AF22; Q3T1—60%: AF23
• Bulk Data Queue (14% BWR + DSCP-WRED): Q2T3—80%: AF11; Q2T2—70%: AF12; Q2T1—60%: AF13
• Scavenger Queue (1% BWR): CS1
• Default Queue (35% BWR + WRED): DF

Cisco Catalyst 65xx-E/6807-XL—2P6Q4T Model
Part 1 of 3—Common Ingress & Egress Queuing Class-Maps
class-map type lan-queuing match-all VOICE-2P6Q4T-PQ1
 match dscp ef
class-map type lan-queuing match-all VIDEO-2P6Q4T-PQ2
 match dscp cs4 cs5 af41 af42 af43
class-map type lan-queuing match-all CONTROL-2P6Q4T-QUEUE
 match dscp cs2 cs3 cs6 cs7
class-map type lan-queuing match-all MM_STREAM-2P6Q4T-QUEUE
 match dscp af31 af32 af33
class-map type lan-queuing match-all TRANS_DATA-2P6Q4T-QUEUE
 match dscp af21 af22 af23
class-map type lan-queuing match-all BULK_DATA-2P6Q4T-QUEUE
 match dscp af11 af12 af13
class-map type lan-queuing match-all SCAVENGER-2P6Q4T-QUEUE
 match dscp cs1

Cisco Catalyst 65xx-E/6807-XL—2P6Q4T Model
Part 2 of 3—2P6Q4T Queuing Policy-Map
policy-map type lan-queuing QUEUING-2P6Q4T
 class VOICE-2P6Q4T-PQ1
  priority level 1
 class VIDEO-2P6Q4T-PQ2
  priority level 2
 class CONTROL-2P6Q4T-QUEUE
  bandwidth remaining percent 10
 class MM_STREAM-2P6Q4T-QUEUE
  bandwidth remaining percent 20
  random-detect dscp-based
  random-detect dscp af31 percent 80 100
  random-detect dscp af32 percent 70 100
  random-detect dscp af33 percent 60 100
 class TRANS_DATA-2P6Q4T-QUEUE
  bandwidth remaining percent 20
  random-detect dscp-based
  random-detect dscp af21 percent 80 100
  random-detect dscp af22 percent 70 100
  random-detect dscp af23 percent 60 100

Cisco Catalyst 65xx-E/6807-XL—2P6Q4T Model
Part 3 of 3—2P6Q4T Queuing Policy-Map (continued)
[continued]
 class BULK_DATA-2P6Q4T-QUEUE
  bandwidth remaining percent 14
  random-detect dscp-based
  random-detect dscp af11 percent 80 100
  random-detect dscp af12 percent 70 100
  random-detect dscp af13 percent 60 100
 class SCAVENGER-2P6Q4T-QUEUE
  bandwidth remaining percent 1
 class class-default
  random-detect dscp-based
  random-detect dscp default percent 80 100
interface TenGigabitEthernet1/1/13
 ! The service-policy name must match the policy-map name (QUEUING-2P6Q4T)
 service-policy type lan-queuing input QUEUING-2P6Q4T
 service-policy type lan-queuing output QUEUING-2P6Q4T
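
A consistency check for lan-queuing configurations of this shape, as an added example that is not part of the original deck. The `lint` function and the sample configuration are constructed for illustration; the check confirms that every class has a class-map, every applied service-policy names a defined policy-map, each matched DSCP has exactly one WRED threshold, and the bandwidth-remaining total stays at or below 100%.

```python
from collections import Counter, defaultdict

# Constructed sample (not from the deck), seeded with three mistakes.
SAMPLE = """\
class-map type lan-queuing match-all MM_STREAM-QUEUE
 match dscp af31 af32 af33
policy-map type lan-queuing QUEUING-DEMO
 class MM_STREAM-QUEUE
  bandwidth remaining percent 20
  random-detect dscp-based
  random-detect dscp af31 percent 80 100
  random-detect dscp af32 percent 70 100
  random-detect dscp af32 percent 60 100
 class BULK_DATA-QUEUE
  bandwidth remaining percent 14
interface TenGigabitEthernet1/1/13
 service-policy type lan-queuing output QUEUEING-DEMO
"""

def lint(config):
    """Return a list of consistency findings for a lan-queuing configuration."""
    matches, policies, used, applied = {"class-default": []}, set(), [], []
    wred, bwr = defaultdict(list), Counter()
    cmap = policy = cls = None
    for w in (line.split() for line in config.splitlines() if line.strip()):
        if w[0] == "class-map":
            cmap, policy = w[-1], None
            matches.setdefault(cmap, [])
        elif w[0] == "policy-map":
            policy, cmap = w[-1], None
            policies.add(policy)
        elif w[0] == "match" and cmap:
            matches[cmap] += w[2:]          # values after "match dscp" or "match cos"
        elif w[0] == "class" and policy:
            cls = w[1]
            used.append((policy, cls))
        elif w[:3] == ["bandwidth", "remaining", "percent"] and policy:
            bwr[policy] += int(w[3])
        elif w[:2] == ["random-detect", "dscp"] and policy:
            wred[cls].append(w[2])          # one WRED threshold line per DSCP
        elif w[0] == "service-policy":
            applied.append(w[-1])
    out = [f"{p}: class {c} has no class-map" for p, c in used if c not in matches]
    out += [f"service-policy names undefined policy-map {n}" for n in applied if n not in policies]
    out += [f"{p}: bandwidth remaining totals {t}%" for p, t in bwr.items() if t > 100]
    for c, dscps in wred.items():
        out += [f"{c}: {d} has {n} WRED thresholds" for d, n in Counter(dscps).items() if n > 1]
        out += [f"{c}: {d} lacks a WRED threshold" for d in matches.get(c, []) if d not in dscps]
    return out
```

Run `lint` over the saved configuration text before applying it to an interface; an empty list means none of these four checks fired.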

1P3Q8T – Egress Queueing
CoS to Queue Mapping
CoS-based Tail-Drop
1P3Q8T Egress Queueing Linecards
• WS-X6724-SFP, WS-X6748-SFP and WS-X6748-GE-TX with CFC
• WS-X6724-SFP, WS-X6748-SFP, and WS-X6748-GE-TX with a DFC4 or
DFC4XL upgrade (WS-F6k-DFC4-A, WS-F6k-DFC4-AXL)
• WS-X6824-SFP-2T and WS-X6824-SFP-2TXL
• WS-X6848-SFP-2T, WS-X6848-SFP-2TXL, WS-X6848-TX-2T and WS-X6848-TX-2TXL

Cisco Catalyst 65xx-E/6807-XL with Sup2T
1P3Q8T Egress Queuing Models—CoS-to-Queue Mapping

Application-Class         DSCP    CoS
Network Control           (CS7)   CoS 7
Internetwork Control      CS6     CoS 6
VoIP                      EF      CoS 5
Broadcast Video           CS5     CoS 5
Multimedia Conferencing   AF4     CoS 4
Realtime Interactive      CS4     CoS 4
Multimedia Streaming      AF3     CoS 3
Signaling                 CS3     CoS 3
Transactional Data        AF2     CoS 2
Network Management        CS2     CoS 2
Bulk Data                 AF1     CoS 1
Scavenger                 CS1     CoS 1
Best Effort               DF      CoS 0

1P3Q8T queue                                    CoS
Realtime Queue (Priority)                       CoS 5, CoS 4
Control Plane Queue (10% BWR)                   CoS 7, CoS 6
Transactional Data Queue (45% BWR + COS-WRED)   CoS 3, CoS 2
Default Queue (45% BWR + COS WRED)              CoS 0, CoS 1

Cisco Catalyst 65xx-E/6807-XL with Sup2T
1P3Q8T Egress Queuing Models—CoS-to-Queue Mapping with CoS-WRED

Application-Class         DSCP    CoS
Network Control           (CS7)   CoS 7
Internetwork Control      CS6     CoS 6
VoIP                      EF      CoS 5
Broadcast Video           CS5     CoS 5
Multimedia Conferencing   AF4     CoS 4
Realtime Interactive      CS4     CoS 4
Multimedia Streaming      AF3     CoS 3
Signaling                 CS3     CoS 3
Transactional Data        AF2     CoS 2
Network Management        CS2     CoS 2
Bulk Data                 AF1     CoS 1
Scavenger                 CS1     CoS 1
Best Effort               DF      CoS 0

1P3Q8T queue                                    CoS (WRED threshold)
Realtime Queue (Priority)                       CoS 5, CoS 4
Control Plane Queue (10% BWR)                   CoS 7, CoS 6
Transactional Data Queue (45% BWR + COS-WRED)   CoS 3 (Q2T2—80%), CoS 2 (Q2T1—70%)
Default Queue (45% BWR + COS WRED)              CoS 0 (Q2T2—80%), CoS 1 (Q2T1—70%)

All noted thresholds are Min WRED thresholds.
All max WRED thresholds are set to 100%.

Catalyst 65xx-E/6807-XL—1P3Q8T Egress Model
class-map type lan-queuing match-all REALTIME-1P3Q8T-QUEUE
 match cos 4 5
class-map type lan-queuing match-all CONTROL-1P3Q8T-QUEUE
 match cos 6 7
class-map type lan-queuing match-all TRANS_DATA-1P3Q8T-QUEUE
 match cos 2 3

Cisco Catalyst 65xx-E/6807-XL—1P3Q8T Egress Model
policy-map type lan-queuing QUEUING-1P3Q8T-OUT
 class REALTIME-1P3Q8T-QUEUE
  priority
 class CONTROL-1P3Q8T-QUEUE
  bandwidth remaining percent 5
 class TRANS_DATA-1P3Q8T-QUEUE
  bandwidth remaining percent 45
  random-detect cos-based
  random-detect cos 3 percent 80 100
  random-detect cos 2 percent 70 100
 class class-default
  random-detect cos-based
  random-detect cos 0 percent 80 100
  random-detect cos 1 percent 70 100
interface GigabitEthernet1/3/2
 service-policy type lan-queuing output QUEUING-1P3Q8T-OUT

1P3Q4T – Egress Queueing
CoS to Queue Mapping
CoS-based Tail-Drop
1P3Q4T Egress Queueing Linecards
• VS-S2T-10G and VS-S2T-10G-XL with Gigabit Ethernet ports enabled

Cisco Catalyst 65xx-E/6807-XL with Sup2T
1P3Q4T Egress Queuing Models—CoS-to-Queue Mapping

Application-Class         DSCP    CoS
Network Control           (CS7)   CoS 7
Internetwork Control      CS6     CoS 6
VoIP                      EF      CoS 5
Broadcast Video           CS5     CoS 5
Multimedia Conferencing   AF4     CoS 4
Realtime Interactive      CS4     CoS 4
Multimedia Streaming      AF3     CoS 3
Signaling                 CS3     CoS 3
Transactional Data        AF2     CoS 2
Network Management        CS2     CoS 2
Bulk Data                 AF1     CoS 1
Scavenger                 CS1     CoS 1
Best Effort               DF      CoS 0

1P3Q4T queue                                    CoS
Realtime Queue (Priority)                       CoS 5, CoS 4
Control Plane Queue (10% BWR)                   CoS 7, CoS 6
Transactional Data Queue (45% BWR + COS-WRED)   CoS 3, CoS 2
Default Queue (45% BWR + COS WRED)              CoS 0, CoS 1

Cisco Catalyst 65xx-E/6807-XL with Sup2T
1P3Q4T Egress Queuing Models—CoS-to-Queue Mapping with CoS WRED

Application-Class         DSCP    CoS
Network Control           (CS7)   CoS 7
Internetwork Control      CS6     CoS 6
VoIP                      EF      CoS 5
Broadcast Video           CS5     CoS 5
Multimedia Conferencing   AF4     CoS 4
Realtime Interactive      CS4     CoS 4
Multimedia Streaming      AF3     CoS 3
Signaling                 CS3     CoS 3
Transactional Data        AF2     CoS 2
Network Management        CS2     CoS 2
Bulk Data                 AF1     CoS 1
Scavenger                 CS1     CoS 1
Best Effort               DF      CoS 0

1P3Q4T queue                                    CoS (WRED threshold)
Realtime Queue (Priority)                       CoS 5, CoS 4
Control Plane Queue (10% BWR)                   CoS 7, CoS 6
Transactional Data Queue (45% BWR + COS-WRED)   CoS 3 (Q2T2—80%), CoS 2 (Q2T1—70%)
Default Queue (45% BWR + COS WRED)              CoS 0 (Q2T2—80%), CoS 1 (Q2T1—70%)

All noted thresholds are Min WRED thresholds.
All max WRED thresholds are set to 100%.

Catalyst 65xx-E/6807-XL —1P3Q4T Egress Model
class-map type lan-queuing match-all REALTIME-1P3Q4T-QUEUE
 match cos 4 5
class-map type lan-queuing match-all CONTROL-1P3Q4T-QUEUE
 match cos 6 7
class-map type lan-queuing match-all TRANS_DATA-1P3Q4T-QUEUE
 match cos 2 3

Catalyst 65xx-E/6807-XL —1P3Q4T Egress Model
policy-map type lan-queuing QUEUING-1P3Q4T-OUT
 class REALTIME-1P3Q4T-QUEUE
  priority
 class CONTROL-1P3Q4T-QUEUE
  bandwidth remaining percent 5
 class TRANS_DATA-1P3Q4T-QUEUE
  bandwidth remaining percent 45
  random-detect cos-based
  random-detect cos 3 percent 80 100
  random-detect cos 2 percent 70 100
 class class-default
  random-detect cos-based
  random-detect cos 0 percent 80 100
  random-detect cos 1 percent 70 100
interface GigabitEthernet1/3/1
 service-policy type lan-queuing output QUEUING-1P3Q4T-OUT
interface TenGigabitEthernet1/3/4
 service-policy type lan-queuing output QUEUING-1P3Q4T-OUT

1P7Q4T – Egress Queueing
DSCP to Queue Mapping
DSCP-based WRED
1P7Q4T Egress Queueing Linecards
• WS-X6716-10G-3C, WS-X6716-10G-3CXL, WS-X6716-10T-3C, WS-X6716-10T-3CXL with a DFC4 or DFC4XL upgrade (WS-F6k-DFC4-E, WS-F6k-DFC4-EXL) in performance or oversubscription mode
• WS-X6816-10T-2T, WS-X6816-10T-2TXL, WS-X6816-10G-2T, WS-X6816-10G-2TXL in performance or oversubscription mode
• WS-X6908-10G-2T and WS-X6908-10G-2TXL

Cisco Catalyst 65xx-E/6807-XL with Sup2T
1P7Q4T Egress Queuing Models—DSCP-to-Queue Mapping

Application-Class         DSCP
Network Control           (CS7)
Internetwork Control      CS6
VoIP                      EF
Broadcast Video           CS5
Multimedia Conferencing   AF4
Realtime Interactive      CS4
Multimedia Streaming      AF3
Signaling                 CS3
Transactional Data        AF2
Network Management        CS2
Bulk Data                 AF1
Scavenger                 CS1
Best Effort               DF

1P7Q4T queue                                         DSCP
Realtime Queue (Priority)                            EF, CS5, CS4
Control Plane Queue (10% BWR)                        CS7, CS6, CS3, CS2
Multimedia-Conferencing Queue (20% BWR + DSCP-WRED)  AF4
Multimedia-Streaming Queue (15% BWR + DSCP-WRED)     AF3
Transactional Data Queue (15% BWR + DSCP-WRED)       AF2
Bulk Data Queue (9% BWR + DSCP-WRED)                 AF1
Scavenger Queue (1% BW)                              CS1
Default Queue (30% BWR + DSCP-WRED)                  DF
Cisco Catalyst 65xx-E/6807-XL with Sup2T
1P7Q4T Egress Queuing Models—DSCP-to-Queue with DSCP-WRED

Application-Class         DSCP
Network Control           (CS7)
Internetwork Control      CS6
VoIP                      EF
Broadcast Video           CS5
Multimedia Conferencing   AF4
Realtime Interactive      CS4
Multimedia Streaming      AF3
Signaling                 CS3
Transactional Data        AF2
Network Management        CS2
Bulk Data                 AF1
Scavenger                 CS1
Best Effort               DF

1P7Q4T queue                                         DSCP (WRED threshold)
Realtime Queue (Priority)                            EF, CS5, CS4
Control Queue (10% BWR)                              CS7, CS6, CS3, CS2
Multimedia-Conferencing Queue (20% BWR + DSCP-WRED)  AF41 (Q6T3—80%), AF42 (Q6T2—70%), AF43 (Q6T1—60%)
Multimedia-Streaming Queue (15% BWR + DSCP-WRED)     AF31 (Q5T3—80%), AF32 (Q5T2—70%), AF33 (Q5T1—60%)
Transactional Data Queue (15% BWR + DSCP-WRED)       AF21 (Q4T3—80%), AF22 (Q4T2—70%), AF23 (Q4T1—60%)
Bulk Data Queue (9% BWR + DSCP-WRED)                 AF11 (Q3T3—80%), AF12 (Q3T2—70%), AF13 (Q3T1—60%)
Scavenger Queue (1% BWR)                             CS1
Default Queue (30% BWR + DSCP-WRED)                  DF

All noted thresholds are Min WRED thresholds.
All max WRED thresholds are set to 100%.

Catalyst 65xx-E/6807-XL —1P7Q4T Egress Model
class-map type lan-queuing match-all REALTIME-1P7Q4T-QUEUE
 match dscp cs4 cs5 ef
class-map type lan-queuing match-all CONTROL-1P7Q4T-QUEUE
 match dscp cs2 cs3 cs6 cs7
class-map type lan-queuing match-all MM_CONF-1P7Q4T-QUEUE
 match dscp af41 af42 af43
class-map type lan-queuing match-all MM_STREAM-1P7Q4T-QUEUE
 match dscp af31 af32 af33
class-map type lan-queuing match-all APIC_EM_TRANS_DATA-1P7Q4T-QUEUE
 match dscp af21 af22 af23
class-map type lan-queuing match-all APIC_EM_BULK_DATA-1P7Q4T-QUEUE
 match dscp af11 af12 af13
class-map type lan-queuing match-all APIC_EM_SCAVENGER-1P7Q4T-QUEUE
 match dscp cs1

Cisco Catalyst 65xx-E/6807-XL—1P7Q4T Egress Model
policy-map type lan-queuing QUEUING-1P7Q4T-OUT
 class REALTIME-1P7Q4T-QUEUE
  priority
 class CONTROL-1P7Q4T-QUEUE
  bandwidth remaining percent 10
 class MM_CONF-1P7Q4T-QUEUE
  bandwidth remaining percent 20
  random-detect dscp-based
  random-detect dscp af41 percent 80 100
  random-detect dscp af42 percent 70 100
  ! af43 takes the lowest threshold (Q6T1, 60%) per the DSCP-WRED mapping
  random-detect dscp af43 percent 60 100
 class MM_STREAM-1P7Q4T-QUEUE
  bandwidth remaining percent 15
  random-detect dscp-based
  random-detect dscp af31 percent 80 100
  random-detect dscp af32 percent 70 100
  random-detect dscp af33 percent 60 100

Cisco Catalyst 65xx-E/6807-XL—1P7Q4T Egress Model
[continued]
 class APIC_EM_TRANS_DATA-1P7Q4T-QUEUE
  bandwidth remaining percent 15
  random-detect dscp-based
  random-detect dscp af21 percent 80 100
  random-detect dscp af22 percent 70 100
  random-detect dscp af23 percent 60 100
 class APIC_EM_BULK_DATA-1P7Q4T-QUEUE
  bandwidth remaining percent 9
  random-detect dscp-based
  random-detect dscp af11 percent 80 100
  random-detect dscp af12 percent 70 100
  random-detect dscp af13 percent 60 100
 class APIC_EM_SCAVENGER-1P7Q4T-QUEUE
  bandwidth remaining percent 1
 class class-default
  random-detect dscp-based
  random-detect dscp default percent 80 100
interface TenGigabitEthernet1/3/4
 service-policy type lan-queuing output QUEUING-1P7Q4T-OUT

1P7Q8T – Egress Queueing
CoS to Queue Mapping
CoS-based Tail-Drop
1P7Q8T Egress Queueing Linecards
• WS-X6704-10GE with CFC
• WS-X6704-10GE with a DFC4 or DFC4XL upgrade (WS-F6k-DFC4-A, WS-F6k-DFC4-AXL)

Cisco Catalyst 65xx-E/6807-XL with Sup2T
1P7Q8T Egress Queuing Models—CoS-to-Queue Mapping w/ CoS-based WRED

Application-Class         DSCP    CoS
Network Control           (CS7)   CoS 7
Internetwork Control      CS6     CoS 6
VoIP                      EF      CoS 5
Broadcast Video           CS5     CoS 5
Multimedia Conferencing   AF4     CoS 4
Realtime Interactive      CS4     CoS 4
Multimedia Streaming      AF3     CoS 3
Signaling                 CS3     CoS 3
Transactional Data        AF2     CoS 2
Network Management        CS2     CoS 2
Bulk Data                 AF1     CoS 1
Scavenger                 CS1     CoS 1
Best Effort               DF      CoS 0

1P7Q8T queue                                    CoS
Q8-VoIP-Broadcast Queue (Priority)              CoS 5
Q7 - Network Control Queue (5% BWR)             CoS 7
Q6 - Internetwork Control Queue (5% BWR)        CoS 6
Q5 - Multimedia-Realtime Queue (20% BWR)        CoS 4
Q4 - Streaming-Signaling Queue (20% BWR)        CoS 3
Q3-Transactional-Management Queue (10% BWR)     CoS 2
Q2 - Bulk-Scavenger Queue (10% BWR)             CoS 1
Default Queue (30% BWR)                         CoS 0

Catalyst 65xx-E/6807-XL —1P7Q8T Egress Model
! CoS values follow the 1P7Q8T CoS-to-queue mapping: CoS 5 (VoIP, Broadcast Video)
! goes to the priority queue Q8, CoS 7 to Q7 and CoS 6 to Q6
class-map type lan-queuing match-all Q8-1P7Q8T-QUEUE
 match cos 5
class-map type lan-queuing match-all Q7-1P7Q8T-QUEUE
 match cos 7
class-map type lan-queuing match-all Q6-1P7Q8T-QUEUE
 match cos 6
class-map type lan-queuing match-all Q5-1P7Q8T-QUEUE
 match cos 4
class-map type lan-queuing match-all Q4-1P7Q8T-QUEUE
 match cos 3
class-map type lan-queuing match-all Q3-1P7Q8T-QUEUE
 match cos 2
class-map type lan-queuing match-all Q2-1P7Q8T-QUEUE
 match cos 1

Catalyst 65xx-E/6807-XL —1P7Q8T Egress Model
policy-map type lan-queuing QUEUING-1P7Q8T-OUT
 class Q8-1P7Q8T-QUEUE
  priority
 class Q7-1P7Q8T-QUEUE
  bandwidth remaining percent 5
 class Q6-1P7Q8T-QUEUE
  bandwidth remaining percent 5
 class Q5-1P7Q8T-QUEUE
  bandwidth remaining percent 20
 class Q4-1P7Q8T-QUEUE
  bandwidth remaining percent 20
 class Q3-1P7Q8T-QUEUE
  bandwidth remaining percent 10
 class Q2-1P7Q8T-QUEUE
  bandwidth remaining percent 10
 class class-default
interface TenGigabitEthernet1/3/4
 service-policy type lan-queuing output QUEUING-1P7Q8T-OUT

Thank you
