Agenda

• QoS Introduction
• QoS Technologies Overview
• QoS Best Practice Design Principles
• QoS Design for WAN, Branch, VPN
• QoS Design for Campus

© 2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

1

Introduction to QoS Tools and Design

Cisco


QoS Introduction


What Is Quality of Service? Two Perspectives
• The user perspective: users perceive that their applications (voice, video, and data) are performing properly
• The network manager perspective: the need to manage bandwidth allocations to deliver the desired application performance, and to control delay, jitter, and packet loss


Why Enable QoS? Security, HA, and QoS Are Interdependent Technologies
• Enables VoIP and IP telephony
• Drives productivity by enhancing service levels to mission-critical applications
• Cuts costs by bandwidth optimization
• Helps maintain network availability in the event of DoS/worm attacks
(Figure: Security, Quality of Service and High Availability drawn as three interdependent areas)

What Causes ...
• Lack of bandwidth: multiple flows are contesting for a limited amount of bandwidth
• Too much delay: packets have to traverse many network devices and links that add up to the overall delay
• Variable delay: sometimes there is a lot of other traffic, which results in more delay
• Drops: packets have to be dropped when a link is congested

Available Bandwidth
(Figure: four links in the path, 256 kbps, 10 Mbps, 512 kbps and 100 Mbps)
BWmax = min(10M, 256k, 512k, 100M) = 256 kbps
BWavail = BWmax / Flows
• Maximum available bandwidth equals the bandwidth of the weakest link
• Multiple flows are contesting for the same bandwidth, resulting in much less bandwidth being available to one single application

How to Increase Available Bandwidth?
• Upgrade the link. The best solution but also the most expensive.
• Take some bandwidth from less important applications: fancy queuing (FIFO queuing, Priority Queuing (PQ), Custom Queuing (CQ), Modified Deficit Round Robin (MDRR), Class-Based Weighted Fair Queuing (CB-WFQ))
• Compress the payload of layer-2 frames (Stacker, Predictor)
• Compress the header of IP packets (TCP header compression, RTP header compression: an IP/TCP/data packet becomes cTCP/data)

End-to-End Delay
(Figure: four links with propagation delays P1–P4 and three hops with processing and queuing delays Q1–Q3)
Delay = P1 + Q1 + P2 + Q2 + P3 + Q3 + P4 = X ms
• End-to-end delay equals the sum of all propagation, processing and queuing delays in the path
• Propagation delay is fixed; processing and queuing delays are unpredictable in best-effort networks

How to Reduce Delay?
• Upgrade the link. The best solution but also the most expensive.
• Forward the important packets first: fancy queuing (FIFO queuing, Priority Queuing (PQ), Custom Queuing (CQ), strict-priority MDRR, IP RTP prioritization, Class-Based Low-Latency Queuing (CB-LLQ))
• Compress the payload of layer-2 frames (Stacker, Predictor; it takes time)
• Compress the header of IP packets (TCP header compression, RTP header compression: an IP/UDP/RTP/data packet becomes cRTP/data)

Packet Loss
(Figure: packets arriving at a forwarding node whose output queue is full; the last packet is tail-dropped)
• Tail drops occur when the output queue is full. These are the most common drops, which happen when a link is congested.
• There are also many other types of drops that are not as common and may require a hardware upgrade (input drop, ignore, overrun, no buffer, ...). These drops are usually a result of router congestion.

How to Prevent Packet Loss?
• Upgrade the link. The best solution but also the most expensive.
• Guarantee enough bandwidth to sensitive packets: fancy queuing (FIFO queuing, Custom Queuing (CQ), Modified Deficit Round Robin (MDRR), Class-Based Weighted Fair Queuing (CB-WFQ))
• Prevent congestion by randomly dropping less important packets before congestion occurs: Weighted Random Early Detection (WRED) acts as a dropper in front of the queue

Quality of Service Operations: How Do QoS Tools Work?
• Classification and marking
• Queuing and (selective) dropping
• Post-queuing operations

Cisco IOS QoS Behavioral Model
Packet stream → Classification → Optional pre-queuing operators → Queuing system (queues and queue scheduler) → Optional post-queuing operators

Specify Match Conditions and Policy Actions
• Match conditions: Classification (classify traffic)
• Policy actions: Pre-queuing (immediate actions); Queuing and scheduling (congestion management and avoidance); Post-queuing (link efficiency mechanisms)

Operators for Traffic Classification and QoS Policy Actions
Match conditions (keyword: class-map), classification: match one or more attributes (partial list)
• ACL list
• CoS
• Differentiated Services Code Point (DSCP)
• Input interface
• Media Access Control (MAC) address
• Packet length
• Precedence
• Protocol
• VLAN
Policy actions (keyword: policy-map)
• Pre-queuing, immediate actions: Mark (set QoS values), Police, Drop, Count
• Queuing and scheduling, congestion management and avoidance: Queue-Limit, Random-Detect, Bandwidth, Fair-Queue, Priority, Shape
• Post-queuing, link efficiency mechanisms: Compress header, Fragment (link fragmentation and interleaving, layer two)

Cisco QoS Architectural Framework
Business objectives: Video, Voice, Data → QoS for Convergence, QoS for Security, QoS for Tiered Services
Architecture standards: DiffServ standards, IntServ standards, Hybrid standards

Cisco QoS Architectural Framework: Automating and Management
Business objectives: Video, Voice, Data → QoS for Convergence, QoS for Security, QoS for Tiered Services
Architecture standards: DiffServ standards, IntServ standards, Hybrid standards
Management technologies: Provisioning/Auto-Provisioning, Management Applications
Cisco QoS tools (Cisco IOS router / Catalyst):
• Classification and Marking: NBAR, DSCP, MPLS EXP, CoS / DSCP, CoS, Microflow QoS
• Policing: Single Rate, Dual Rate / Single-Rate, Dual-Rate
• Congestion Management: CBWFQ, LLQ / 1PxQyT
• Congestion Avoidance: WRED, ECN / WTD, WRED
• Shaping: Shaping / Shaping
• Link-Specific: cRTP, LFI
• Signaling: RSVP, RSVP COPS

How Is QoS Optimally Deployed?
1. Strategically define the business objectives to be achieved via QoS
2. Analyze the service-level requirements of the various traffic classes to be provisioned for
3. Design and test the QoS policies prior to production-network rollout
4. Roll out the tested QoS designs to the production network in phases, during scheduled downtime
5. Monitor service levels to ensure that the QoS objectives are being met

General QoS Design Principles: Start with the Objectives, Not the Tools
• Clearly define the organizational objectives: protect voice? video? data? DoS/worm mitigation?
• Assign as few applications as possible to be treated as “mission-critical”
• Seek executive endorsement of the QoS objectives prior to design and deployment
• Determine how many classes of traffic are required to meet the organizational objectives (more classes = more granular service guarantees)

How Many Classes of Service Do I Need? Example Strategy for Expanding the Number of Classes of Service over Time
• 4/5 Class Model: Realtime, Call Signaling, Critical Data, Best Effort, Scavenger
• 8 Class Model: Voice, Video, Call Signaling, Network Control, Critical Data, Bulk Data, Best Effort, Scavenger
• 11 Class Model: Voice, Interactive Video, Streaming Video, Call Signaling, IP Routing, Network Management, Mission-Critical Data, Transactional Data, Bulk Data, Best Effort, Scavenger

Voice QoS Requirements: End-to-End Latency
(Figure: one-way delay from 0 to 800 msec; high quality up to the delay target, then satellite quality, then the fax relay/broadcast range, then the “CB zone” where the parties talk over each other: “Hello? Hello?”)
• Delay target: ITU’s G.114 recommendation is ≤ 150 msec one-way delay
• Avoid the “Human Ethernet” (speakers colliding and backing off)

Voice QoS Requirements: Elements That Affect Latency and Jitter
(Figure: call path from the campus through the branch office and IP WAN to the PSTN)
• CODEC: G.729A: 25 ms
• Queuing: variable
• Serialization: variable
• Propagation and network: fixed (3.3 µs/km) + network delay (variable)
• Jitter buffer: 20–50 ms
End-to-end delay must be ≤ 150 ms

Voice QoS Requirements: Packet Loss Limitations
(Figure: a stream of voice packets 1–4 in which packet 2 is lost; the decoder fills the gap with a reconstructed voice sample)
• Cisco DSP codecs can use predictor algorithms to compensate for a single lost packet in a row
• Two lost packets in a row will cause an audible clip in the conversation

Voice QoS Requirements: Provisioning for Voice
Voice traffic characteristics: smooth, benign, drop sensitive, delay sensitive, UDP priority
One-way requirements:
• Latency ≤ 150 ms
• Jitter ≤ 30 ms
• Loss ≤ 1%
• 17–106 kbps guaranteed priority bandwidth per call
• 150 bps (+ layer 2 overhead) guaranteed bandwidth for voice-control traffic per call
• CAC must be enabled

Video QoS Requirements: Video Conferencing Traffic Example (384 kbps)
(Figure: rate over time with peaks around 450 kbps / 30 pps for “I” frames of 1024–1518 bytes and troughs around 32 kbps / 15 pps for “P” and “B” frames of 128–256 bytes)
• “I” frame is a full sample of the video
• “P” and “B” frames use quantization via motion vectors and prediction algorithms

Video QoS Requirements: Video Conferencing Traffic Packet Size Breakdown
• 65–128 bytes: 1%
• 129–256 bytes: 34%
• 257–512 bytes: 8%
• 513–1024 bytes: 20%
• 1025–1500 bytes: 37%

Video QoS Requirements: Provisioning for Interactive Video
Video traffic characteristics: bursty, drop sensitive, delay sensitive, UDP priority
One-way requirements:
• Latency ≤ 150 ms
• Jitter ≤ 30 ms
• Loss ≤ 1%
• Minimum priority bandwidth guarantee required is the video stream + 10–20%, e.g. a 384 kbps stream could require up to 460 kbps of priority bandwidth
• CAC must be enabled

Data QoS Requirements: Application Differences
(Figure: packet size distributions of Oracle versus SAP R/3 across the bins 0–64, 65–127, 128–252, 253–511, 512–1023 and 1024–1518 bytes; the two applications populate the bins very differently)

Data QoS Requirements: Version Differences
Same transaction takes over 35 times more traffic from one version of an application to another
(Figure: bytes per SAP sales order entry transaction (VA01) by client version, y-axis 0–500,000; the bars shown include 14,000, 33,000, 57,000 and 490,000 bytes. Client versions compared: SAP GUI Release 3.0F; SAP GUI Release 4.0F; SAP GUI Release 4.6C, no cache; SAP GUI Release 4.6C, with cache; SAP GUI for HTML, Release 4.6C)

Data QoS Requirements: Provisioning for Data
Data traffic characteristics: smooth/bursty, benign/greedy, drop insensitive, delay insensitive, TCP retransmits
• Different applications have different traffic characteristics
• Different versions of the same application can have different traffic characteristics
• Classify data into a four/five data class model: mission-critical apps, transactional/interactive apps, bulk data apps, best effort apps, optional scavenger apps

Data QoS Requirements: Provisioning for Data (Cont.)
• Use four/five main traffic classes
  Mission-critical apps: business-critical client-server applications
  Transactional/interactive apps: foreground apps, i.e. client-server apps or interactive applications
  Bulk data apps: background apps such as FTP, e-mail, backups, content distribution
  Best effort apps: the default class
  Optional: Scavenger apps: peer-to-peer apps, gaming traffic
• Additional optional data classes include internetwork control (routing) and network management
• Most apps fall under best effort; make sure that adequate bandwidth is provisioned for this default class

Scavenger Class: What Is the Scavenger Class?
• The Scavenger class is an Internet 2 draft specification for a “less than best effort” service
• There is an implied “good faith” commitment for the “best effort” traffic class: it is generally assumed that at least some network resources will be available for the default class
• Scavenger class markings can be used to distinguish out-of-profile/abnormal traffic flows from in-profile/normal flows; the Scavenger class marking is CS1, DSCP 8
• Scavenger traffic is assigned a “less-than-best effort” queuing treatment whenever congestion occurs

QoS Technology Overview

QoS Technologies Overview
• Classification tools
• Scheduling tools
• Policing and shaping tools
• Link-specific tools
• Signaling tools (RSVP)
• AutoQoS tools
• QoS for security

Classification Tools: Ethernet 802.1Q Class of Service (L2)
Ethernet frame: Preamble | SFD | DA | SA | Type | TAG (4 bytes) | PT | Data | FCS
802.1Q/p header (the TAG): PRI | CFI | VLAN ID; the three PRI bits carry the CoS (802.1p user priority)
• The 802.1p user priority field is also called Class of Service (CoS)
• Different types of traffic are assigned different CoS values
• CoS 6 and 7 are reserved for network use
CoS  Application
7    Reserved
6    Routing
5    Voice
4    Video
3    Call Signaling
2    Critical Data
1    Bulk Data
0    Best Effort Data

Classification Tools: IP Precedence and DiffServ Code Points (L3)
IPv4 packet: Version | Length | ToS byte | Len | ID | Offset | TTL | Proto | FCS | IP SA | IP DA | Data
ToS byte, bits 7–0. Standard IPv4: bits 7–5 IP Precedence, bits 4–0 unused. DiffServ extensions: bits 7–2 DiffServ Code Point (DSCP), bits 1–0 IP ECN.
• IPv4: the three most significant bits of the ToS byte are called IP Precedence (IPP); the other bits are unused
• DiffServ: the six most significant bits of the ToS byte are called the DiffServ Code Point (DSCP); the remaining two bits are used for flow control
• DSCP is backward compatible with IP Precedence

Classification Tools: MPLS EXP Bits
Frame encapsulation: Layer-2 header | Label header (label stack) | Payload
MPLS shim header (32 bits): Label (20 bits) | EXP (3 bits) | S (1 bit) | TTL (8 bits)
• Packet class and drop precedence are inferred from the EXP (three-bit) field
• RFC 3270 does not recommend specific EXP values for DiffServ PHBs (EF/AF/DF)
• Used for frame-based MPLS

Classification Tools: DSCP Per-Hop Behaviors
• IETF RFCs have defined special keywords, called Per-Hop Behaviors, for specific DSCP markings
• EF: Expedited Forwarding (RFC 3246), DSCP 46
• CSx: Class Selector (RFC 2474), where x corresponds to the IP Precedence value (1–7): DSCP 8, 16, 24, 32, 40, 48, 56
• AFxy: Assured Forwarding (RFC 2597), where x corresponds to the IP Precedence value (only 1–4 are used for AF classes) and y corresponds to the drop preference value (1, 2 or 3), with higher values denoting a higher likelihood of dropping: DSCP 10/12/14, 18/20/22, 26/28/30, 34/36/38
• BE: Best Effort or Default Marking Value (RFC 2474), DSCP 0

Classification Tools: Network-Based Application Recognition
Stateful and dynamic inspection of the IP packet (ToS, protocol, source IP address, destination IP address), the TCP/UDP header (source port, destination port) and the data area (sub-port/deep inspection)
• Identifies over 90 applications and protocols
  TCP and UDP port numbers, statically assigned or dynamically assigned during connection establishment
  Non-TCP and non-UDP IP protocols
  Data packet inspection for matching values

Policing Tools: RFC 2697 Single Rate Three Color Policer
Parameters: CIR, CBS (committed bucket, token count Tc) and EBS (excess bucket, token count Te); overflow from the CBS bucket fills the EBS bucket
For a packet of size B: if B < Tc → conform action; else if B < Te → exceed action; else → violate action

Policing Tools: RFC 2698 Two Rate Three Color Policer
Parameters: PIR with PBS (token count Tp) and CIR with CBS (token count Tc)
For a packet of size B: if B > Tp → violate action; else if B > Tc → exceed action; else → conform action
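An added software model of the two policers on these slides (example code, not Cisco's): it implements the RFC 2697 and RFC 2698 token buckets as drawn and applies the action table the deck uses for data-plane policing (conform transmits unchanged, exceed is remarked Scavenger CS1, violate is dropped). Rates, bucket sizes and the packet trace are constructed for illustration.

```python
CONFORM, EXCEED, VIOLATE = "conform", "exceed", "violate"
SCAVENGER_DSCP = 8   # CS1, the Scavenger marking used throughout the deck


class SrTCM:
    """RFC 2697 single-rate three-color marker: one rate (CIR), buckets CBS and EBS.
    Tokens first fill the committed bucket; only its overflow fills the excess bucket."""

    def __init__(self, cir_bps: float, cbs: int, ebs: int):
        self.cir_bps, self.cbs, self.ebs = cir_bps, cbs, ebs
        self.tc, self.te = float(cbs), float(ebs)   # both buckets start full
        self.last = 0.0

    def _refill(self, now: float) -> None:
        earned = (now - self.last) * self.cir_bps / 8.0   # bytes earned since the last packet
        self.last = now
        room = self.cbs - self.tc
        self.tc += min(earned, room)
        self.te = min(self.ebs, self.te + max(0.0, earned - room))

    def color(self, size: int, now: float) -> str:
        self._refill(now)
        if size <= self.tc:              # RFC 2697 tests B <= Tc; the slide draws it as B < Tc
            self.tc -= size
            return CONFORM
        if size <= self.te:
            self.te -= size
            return EXCEED
        return VIOLATE


class TrTCM:
    """RFC 2698 two-rate three-color marker: peak check (PIR/PBS) before committed (CIR/CBS)."""

    def __init__(self, cir_bps: float, cbs: int, pir_bps: float, pbs: int):
        self.cir_bps, self.cbs, self.pir_bps, self.pbs = cir_bps, cbs, pir_bps, pbs
        self.tc, self.tp = float(cbs), float(pbs)
        self.last = 0.0

    def _refill(self, now: float) -> None:
        dt = now - self.last
        self.last = now
        self.tc = min(self.cbs, self.tc + dt * self.cir_bps / 8.0)
        self.tp = min(self.pbs, self.tp + dt * self.pir_bps / 8.0)

    def color(self, size: int, now: float) -> str:
        self._refill(now)
        if size > self.tp:               # above the peak bucket: violate, no tokens consumed
            return VIOLATE
        if size > self.tc:               # within peak but above committed: exceed
            self.tp -= size
            return EXCEED
        self.tp -= size
        self.tc -= size
        return CONFORM


def apply_policer(policer, packets):
    """packets: iterable of (time_s, size_bytes, dscp).
    Returns (color, dscp_after) per packet: conform keeps its DSCP, exceed is remarked
    Scavenger (CS1) as in the deck's data-plane policing, violate is dropped (None)."""
    result = []
    for t, size, dscp in packets:
        c = policer.color(size, t)
        result.append((c, dscp if c == CONFORM else SCAVENGER_DSCP if c == EXCEED else None))
    return result


def demo():
    """Constructed trace: a four-packet burst at t=0 followed by one packet a second later."""
    trace = [(0.0, 1500, 0)] * 4 + [(1.0, 1500, 0)]
    single = SrTCM(cir_bps=8_000, cbs=3_000, ebs=3_000)                 # 1 kB/s, 3 kB + 3 kB bursts
    dual = TrTCM(cir_bps=8_000, cbs=3_000, pir_bps=16_000, pbs=4_500)   # 2 kB/s peak, 4.5 kB burst
    return apply_policer(single, trace), apply_policer(dual, trace)


if __name__ == "__main__":
    for name, colors in zip(("srTCM", "trTCM"), demo()):
        print(name, [c for c, _ in colors])
```

The same burst colors differently under the two markers: the single-rate marker lets the excess bucket absorb packets three and four, while the two-rate marker rejects packet four outright once the peak bucket is empty.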

Scheduling Tools: Queuing Algorithms
(Figure: voice, video and data packets arriving in one order and leaving the scheduler with voice first)
• Congestion can occur at any point in the network where there are speed mismatches
• Routers use Cisco IOS-based software queuing: Low-Latency Queuing (LLQ) is used for the highest-priority traffic (voice/video); Class-Based Weighted Fair Queuing (CBWFQ) is used for guaranteeing bandwidth to data applications
• Cisco Catalyst switches use hardware queuing

TCP Global Synchronization: The Need for Congestion Avoidance
(Figure: bandwidth utilization over time under tail drop; three traffic flows start at different times, another flow starts later, and the aggregate oscillates well below 100%)
• All TCP flows synchronize in waves
• Synchronization wastes available bandwidth

Scheduling Tools: Congestion Avoidance Algorithms
(Figure: a queue holding packets of drop precedence 0–3 under tail drop versus under WRED)
• Queuing algorithms manage the front of the queue: which packets get transmitted first
• Congestion avoidance algorithms manage the tail of the queue: which packets get dropped first when queuing buffers fill
• Weighted Random Early Detection (WRED): WRED can operate in a DiffServ-compliant mode, dropping packets according to their DSCP markings; WRED works best with TCP-based applications, like data

Scheduling Tools: DSCP-Based WRED Operation
(Figure: drop probability (0–100%) against average queue size. WRED begins dropping AF13 at the lowest average queue size, then AF12, then AF11; each drop precedence climbs to “drop all” at its own threshold, and at the maximum queue length everything is tail-dropped)
AF = Assured Forwarding (RFC 2597)
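An added Python sketch of the DSCP-based WRED behaviour in the figure (example code, not from the deck): per-AF1y minimum and maximum thresholds, the weighted average queue size WRED acts on, and a deterministic run showing AF13 dropped most and AF11 spared. The thresholds, the weighting constant and the packet sequence are this example's assumptions.

```python
# Per-DSCP WRED profile: (min threshold, max threshold, mark-probability denominator),
# in packets. AF13 (DSCP 14) starts dropping first and AF11 (DSCP 10) last, as in the figure.
WRED_PROFILES = {
    14: (10, 30, 10),   # AF13, highest drop precedence
    12: (20, 40, 10),   # AF12
    10: (30, 50, 10),   # AF11, lowest drop precedence
}
MAX_QUEUE = 60          # queue limit: tail drop beyond this regardless of DSCP
EXP_WEIGHT = 9          # exponential weighting constant, IOS-style (weight 2^-9)


def average_queue(prev_avg: float, current_depth: int, weight: int = EXP_WEIGHT) -> float:
    """WRED acts on an exponentially weighted average depth, not the instantaneous one,
    so short bursts do not trigger drops."""
    return prev_avg + (current_depth - prev_avg) / (1 << weight)


def drop_probability(avg: float, dscp: int) -> float:
    """0 below the min threshold, linear up to 1/denominator at the max threshold,
    1.0 (drop all) at or above it. DSCPs without a profile only tail-drop."""
    min_th, max_th, denom = WRED_PROFILES.get(dscp, (MAX_QUEUE, MAX_QUEUE, 1))
    if avg < min_th:
        return 0.0
    if avg >= max_th:
        return 1.0
    return (avg - min_th) / (max_th - min_th) / denom


def enqueue_decision(avg: float, depth: int, dscp: int, draw: float) -> str:
    """draw: uniform value in [0, 1). Returns 'tail-drop', 'wred-drop' or 'enqueue'."""
    if depth >= MAX_QUEUE:
        return "tail-drop"
    return "wred-drop" if draw < drop_probability(avg, dscp) else "enqueue"


def drops_by_dscp(avg: float, n: int = 300) -> dict:
    """Offer n packets cycling through AF13/AF12/AF11 at a fixed average depth and count
    WRED drops per DSCP. The draw sequence (i % 100) / 100 is a deterministic stand-in
    for the random number so the outcome is reproducible."""
    counts = {14: 0, 12: 0, 10: 0}
    order = (14, 12, 10)
    for i in range(n):
        dscp = order[i % 3]
        if enqueue_decision(avg, 0, dscp, (i % 100) / 100) == "wred-drop":
            counts[dscp] += 1
    return counts


if __name__ == "__main__":
    avg = 0.0
    for depth in [0, 20, 40, 60] * 64:       # the average tracks a bursty depth only slowly
        avg = average_queue(avg, depth)
    print("average after bursts:", round(avg, 2))
    print("drops at avg 25:", drops_by_dscp(25))   # AF13 dropped most, AF11 not at all
```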

Congestion Avoidance: RFC 3168 IP Explicit Congestion Notification
IPv4 packet: Version | Length | ToS byte | Len | ID | Offset | TTL | Proto | FCS | IP SA | IP DA | Data
ToS byte, bits 7–0: bits 7–2 DiffServ Code Point (DSCP), bit 1 ECT, bit 0 CE
• ECT bit: ECN-Capable Transport
• CE bit: Congestion Experienced
• The ECN bits are the two low-order bits of the IP header Type of Service (ToS) byte
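The following decoder, added here and not part of the Cisco deck, splits a ToS byte into the fields described on this slide and the IP Precedence/DSCP slide (DSCP, legacy IP Precedence, ECT/CE bits) and names the per-hop behavior a DSCP encodes using the EF/CSx/AFxy rules from the Per-Hop Behaviors slide. The function names and the sample byte 0xBB are this example's own.

```python
ECN_NAMES = {0: "Not-ECT", 1: "ECT(1)", 2: "ECT(0)", 3: "CE"}


def phb_name(dscp: int) -> str:
    """Map a 6-bit DSCP to its IETF keyword: EF, CSx, AFxy or DF (default); else 'unnamed'."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0-63")
    if dscp == 0:
        return "DF"
    if dscp == 46:
        return "EF"                       # RFC 3246 Expedited Forwarding
    if dscp % 8 == 0:
        return f"CS{dscp // 8}"           # RFC 2474 class selectors: 8, 16, ..., 56
    x, rem = divmod(dscp, 8)              # RFC 2597: AFxy = 8x + 2y with x in 1..4, y in 1..3
    if 1 <= x <= 4 and rem in (2, 4, 6):
        return f"AF{x}{rem // 2}"
    return "unnamed"


def dscp_from_phb(phb: str) -> int:
    """Inverse mapping so a policy can be written with keywords, e.g. 'AF31' -> 26."""
    phb = phb.upper()
    if phb in ("DF", "BE"):
        return 0
    if phb == "EF":
        return 46
    if phb.startswith("CS") and phb[2:].isdigit() and 1 <= int(phb[2:]) <= 7:
        return 8 * int(phb[2:])
    if phb.startswith("AF") and len(phb) == 4 and phb[2] in "1234" and phb[3] in "123":
        return 8 * int(phb[2]) + 2 * int(phb[3])
    raise ValueError(f"unknown PHB keyword {phb!r}")


def decode_tos(tos: int) -> dict:
    """Split one ToS byte into DSCP, the legacy IP Precedence it is compatible with,
    and the two ECN bits (ECT = ECN-capable transport, CE = congestion experienced)."""
    if not 0 <= tos <= 255:
        raise ValueError("ToS must fit in one byte")
    dscp = tos >> 2                       # six most significant bits
    ecn = tos & 0b11                      # two least significant bits
    return {
        "dscp": dscp,
        "phb": phb_name(dscp),
        "ip_precedence": dscp >> 3,       # top three bits; also the L2 CoS in the deck's baseline table
        "ecn": ECN_NAMES[ecn],
        "ect": ecn in (1, 2),             # either ECT codepoint
        "ce": ecn == 3,                   # a router has signalled congestion
    }


if __name__ == "__main__":
    # Constructed sample: an EF voice packet (DSCP 46) that a congested router marked CE
    print(decode_tos(0xBB))
    for d in (0, 8, 10, 14, 26, 34, 46, 48):
        print(d, phb_name(d))
```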

Traffic Shaping
(Figure: traffic versus line rate without shaping, and held to the shaped rate with shaping)
Traffic shaping limits the transmit rate to a value lower than line rate
• Policers typically drop traffic
• Shapers typically delay excess traffic, smoothing bursts and preventing unnecessary drops
• Very common on Non-Broadcast Multiple-Access (NBMA) network topologies such as Frame Relay and ATM

Link-Specific Tools: Link Fragmentation and Interleaving
(Figure: without LFI a voice packet waits behind a large data frame on the wire; with fragmentation and interleaving the data frame is split and voice packets are interleaved between the fragments)
Serialization can cause excessive delay; with fragmentation and interleaving, serialization delay is minimized
• Serialization delay is the finite amount of time required to put frames on a wire
• For links ≤ 768 kbps, serialization delay is a major factor affecting latency and jitter
• For such slow links, large data packets need to be fragmented and interleaved with smaller, more urgent voice packets
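Added example, not from the deck: a one-way delay budget built from the latency elements listed on the earlier voice slide (codec, queuing, serialization, propagation at 3.3 µs/km, jitter buffer) and checked against the 150 ms G.114 target, plus the LFI fragment size a slow link needs to cap serialization at 10 ms. The link speeds, distance, 10 ms target and 1500-byte data frame are this example's assumptions.

```python
G114_BUDGET_MS = 150.0         # ITU-T G.114 one-way delay target quoted in the deck
PROPAGATION_US_PER_KM = 3.3    # fixed propagation figure from the deck's latency slide
MTU_BYTES = 1500               # unfragmented data frame a voice packet may wait behind (assumption)


def serialization_ms(frame_bytes: int, link_kbps: float) -> float:
    """Time to clock one frame onto the wire: bits divided by link rate."""
    return frame_bytes * 8 / link_kbps


def lfi_fragment_bytes(link_kbps: float, target_ms: float = 10.0) -> int:
    """Largest fragment whose serialization delay stays within target_ms on this link."""
    return int(link_kbps * target_ms / 8)


def one_way_delay_ms(codec_ms: float, queuing_ms: float, links, distance_km: float,
                     jitter_buffer_ms: float, voice_frame_bytes: int = 60):
    """links: list of (link_kbps, fragment_bytes or None when LFI is off).
    Worst case per link: the voice frame itself plus one data fragment (or a whole MTU
    frame without LFI) already being serialized ahead of it. Returns (total_ms, breakdown)."""
    serialization = 0.0
    for kbps, fragment in links:
        blocking = fragment if fragment else MTU_BYTES
        serialization += serialization_ms(voice_frame_bytes, kbps) + serialization_ms(blocking, kbps)
    breakdown = {
        "codec": codec_ms,
        "queuing": queuing_ms,
        "serialization": serialization,
        "propagation": distance_km * PROPAGATION_US_PER_KM / 1000.0,
        "jitter_buffer": jitter_buffer_ms,
    }
    return sum(breakdown.values()), breakdown


def meets_g114(total_ms: float) -> bool:
    return total_ms <= G114_BUDGET_MS


if __name__ == "__main__":
    # Constructed scenario: G.729A codec (25 ms), 10 ms queuing, one 128 kbps branch link,
    # 2000 km path, 40 ms jitter buffer; the voice frame is 20 B payload + 40 B IP/UDP/RTP.
    for label, frag in (("no LFI", None), ("LFI", lfi_fragment_bytes(128))):
        total, parts = one_way_delay_ms(25, 10, [(128, frag)], 2000, 40)
        print(f"{label}: {total:.1f} ms, meets G.114: {meets_g114(total)}", parts)
```

For a 256 kbps link the 10 ms target gives a 320-byte fragment, which is the value the AutoQoS Frame Relay map-class later in this deck configures.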


Link-Specific Tools: IP RTP Header Compression
Uncompressed VoIP packet: IP header (20 bytes) + UDP header (8 bytes) + RTP header (12 bytes) + voice payload; cRTP compresses the 40 bytes of IP/UDP/RTP headers to 2–5 bytes
• cRTP reduces L3 VoIP bandwidth by ~20% for G.711 and ~60% for G.729
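Added calculator, not from the deck: per-call L3 VoIP bandwidth for G.711 and G.729 with and without cRTP, reproducing the ~20% and ~60% savings quoted above, and the number of calls that fit in a link's strict-priority share. The 20 ms packetization interval, the 4-byte compressed header and the 33% priority share (the deck's later queuing guideline) are assumptions.

```python
IP_UDP_RTP_HEADER = 20 + 8 + 12      # bytes, as drawn on the slide
CRTP_HEADER_RANGE = (2, 5)           # cRTP compresses the 40 header bytes to 2-5 bytes

# (payload bytes per packet, packets per second) at a 20 ms packetization interval
CODECS = {
    "G.711": (160, 50),   # 64 kbps codec: 8000 B/s * 0.02 s
    "G.729": (20, 50),    # 8 kbps codec: 1000 B/s * 0.02 s
}


def l3_call_kbps(codec: str, crtp: bool = False, crtp_header: int = 4,
                 l2_overhead: int = 0) -> float:
    """Bandwidth of one call in kbps; l2_overhead adds per-frame link-layer bytes."""
    payload, pps = CODECS[codec]
    header = crtp_header if crtp else IP_UDP_RTP_HEADER
    return (payload + header + l2_overhead) * 8 * pps / 1000


def crtp_saving(codec: str, crtp_header: int = 4) -> float:
    """Fraction of L3 bandwidth saved by cRTP for the given codec."""
    plain = l3_call_kbps(codec)
    return 1 - l3_call_kbps(codec, crtp=True, crtp_header=crtp_header) / plain


def calls_that_fit(link_kbps: float, codec: str, priority_share: float = 0.33, **kw) -> int:
    """Calls that fit in the strict-priority share of a link (33% per the deck's guideline)."""
    return int(link_kbps * priority_share // l3_call_kbps(codec, **kw))


if __name__ == "__main__":
    for codec in CODECS:
        plain, compressed = l3_call_kbps(codec), l3_call_kbps(codec, crtp=True)
        print(f"{codec}: {plain:.1f} kbps -> {compressed:.1f} kbps with cRTP "
              f"({crtp_saving(codec):.0%} saved)")
    # Constructed case: a 768 kbps WAN link carrying G.729 calls
    print("G.729 calls in 33% of 768 kbps:", calls_that_fit(768, "G.729"),
          "without cRTP,", calls_that_fit(768, "G.729", crtp=True), "with cRTP")
```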


AutoQoS: AutoQoS VoIP for Cisco Catalyst Switches
One interface command and the configuration it generates:

CAT2970(config-if)#auto qos voip cisco-phone
!
mls qos map cos-dscp 0 8 16 26 32 46 48 56
mls qos srr-queue output cos-map queue 1 threshold 3 5
mls qos srr-queue output cos-map queue 2 threshold 3 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 2 4
mls qos srr-queue output cos-map queue 4 threshold 2 1
mls qos srr-queue output cos-map queue 4 threshold 3 0
mls qos srr-queue output dscp-map queue 1 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 3 threshold 3 32 33 34 35 36 37 38 39
mls qos srr-queue output dscp-map queue 4 threshold 1 8
mls qos srr-queue output dscp-map queue 4 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue output dscp-map queue 4 threshold 3 0 1 2 3 4 5 6 7
mls qos queue-set output 1 threshold 1 138 138 92 138
mls qos queue-set output 1 threshold 2 138 138 92 400
mls qos queue-set output 1 threshold 3 36 77 100 318
mls qos queue-set output 1 threshold 4 20 50 67 400
mls qos queue-set output 2 threshold 1 149 149 100 149
mls qos queue-set output 2 threshold 2 118 118 100 235
mls qos queue-set output 2 threshold 3 41 68 100 272
mls qos queue-set output 2 threshold 4 42 72 100 242
mls qos queue-set output 1 buffers 10 10 26 54
mls qos queue-set output 2 buffers 16 6 17 61
mls qos
!
interface GigabitEthernet0/1
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 queue-set 2
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
!

AutoQoS: AutoQoS VoIP: WAN
Interface as entered:

interface Serial2/0
 bandwidth 768
 ! the address is garbled in the source; 10.x.x.x is a placeholder
 ip address 10.x.x.x 255.255.255.0
 encapsulation ppp
 auto qos voip trust

Configuration generated by AutoQoS:

class-map match-any AutoQoS-VoIP-RTP-Trust
 match ip dscp ef
class-map match-any AutoQoS-VoIP-Control-Trust
 match ip dscp cs3
 match ip dscp af31
!
policy-map AutoQoS-Policy-Trust
 class AutoQoS-VoIP-RTP-Trust
  priority percent 70
 class AutoQoS-VoIP-Control-Trust
  bandwidth percent 5
 class class-default
  fair-queue
!
interface Multilink2001100117
 bandwidth 768
 ! the address is garbled in the source; 10.x.x.x is a placeholder
 ip address 10.x.x.x 255.255.255.0
 service-policy output AutoQoS-Policy-Trust
 ip tcp header-compression iphc-format
 no cdp enable
 ppp multilink
 ppp multilink fragment delay 10
 ppp multilink interleave
 ppp multilink group 2001100117
 ip rtp header-compression iphc-format
!
…
!
interface Serial2/0
 bandwidth 768
 no ip address
 encapsulation ppp
 auto qos voip trust
 no fair-queue
 ppp multilink
 ppp multilink group 2001100117
!

AutoQoS: AutoQoS Enterprise: WAN DiffServ Classes
AutoDiscovery (application and protocol types; offered bit rate, average and peak) → Cisco AutoQoS policy (class-maps with match statements; minimum bandwidth to class queues, scheduling and WRED)
Traffic class          DSCP
IP Routing             CS6
Interactive Voice      EF
Interactive Video      AF41
Streaming Video        CS4
Telephony Signaling    CS3
Transactional/Interactive  AF21
Network Management     CS2
Bulk Data              AF11
Best Effort            0
Scavenger              CS1

AutoQoS Enterprise: WAN, Part One: Discovery

interface Serial4/0 point-to-point
 encapsulation frame-relay
 bandwidth 256
 ip address 10.1.71.1 255.255.255.0
 frame-relay interface-dlci 100
 auto discovery qos

AutoDiscovery notes:
• The command should be enabled on the interface of interest
• Do not change the interface bandwidth while auto discovery is running
• Cisco Express Forwarding must be enabled
• All previously attached QoS policies must be removed from the interface

AutoQoS Enterprise: WAN, Part One: Discovery (Cont.)

Router# show auto discovery qos
AutoQoS Discovery enabled for applications
Discovery up time: 2 days, 55 minutes
AutoQoS Class information:
Class VoIP:
 Recommended Minimum Bandwidth: 517 Kbps/50% (PeakRate)
 Detected applications and data:
 Application/    AverageRate    PeakRate    Total
 Protocol        (kbps/%)       (kbps/%)    (bytes)
 rtp audio       76/7           517/50      703104
Class Interactive Video:
 Recommended Minimum Bandwidth: 24 Kbps/2% (AverageRate)
 Detected applications and data:
 Application/    AverageRate    PeakRate    Total
 Protocol        (kbps/%)       (kbps/%)    (bytes)
 rtp video       24/2           5337/52     704574
Class Transactional:
 Recommended Minimum Bandwidth: 0 Kbps/0% (AverageRate)
 Detected applications and data:
 Application/    AverageRate    PeakRate    Total
 Protocol        (kbps/%)       (kbps/%)    (bytes)
 citrix          36/3           74/7        30212
 sqlnet          12/1           7/<1        1540

AutoQoS Enterprise: WAN, Part Two: Provisioning

interface Serial4/0 point-to-point
 bandwidth 256
 ip address 10.1.71.1 255.255.255.0
 frame-relay interface-dlci 100
 auto qos

class-map match-any AutoQoS-Voice-Se4/0
 match protocol rtp audio
class-map match-any AutoQoS-Inter-Video-Se4/0
 match protocol rtp video
class-map match-any AutoQoS-Transactional-Se4/0
 match protocol sqlnet
 match protocol citrix
!
policy-map AutoQoS-Policy-Se4/0
 class AutoQoS-Voice-Se4/0
  priority percent 70
  set dscp ef
 class AutoQoS-Inter-Video-Se4/0
  bandwidth remaining percent 10
  set dscp af41
 class AutoQoS-Transactional-Se4/0
  bandwidth remaining percent 1
  set dscp af21
 class class-default
  fair-queue
!

AutoQoS Enterprise: WAN, Part Two: Provisioning (Cont.)

interface Serial4/0 point-to-point
 bandwidth 256
 ip address 10.1.71.1 255.255.255.0
 frame-relay interface-dlci 100
 auto qos

<policy continued>
!
policy-map AutoQoS-Policy-Se4/0-Parent
 class class-default
  shape average 256000
  service-policy AutoQoS-Policy-Se4/0
!
interface Serial4/0 point-to-point
 frame-relay interface-dlci 100
  class AutoQoS-FR-Serial4/0-100
!
map-class frame-relay AutoQoS-FR-Serial4/0-100
 frame-relay cir 256000
 frame-relay mincir 256000
 frame-relay fragment 320
 service-policy output AutoQoS-Policy-Se4/0-Parent

AutoQoS Enterprise: WAN, Part Three: Monitoring
Monitoring drops in LLQ
• Thresholds are activated in the RMON alarm table to monitor drops in the Voice class
• The default drop threshold is 1 bps
RMON event configured and generated by Cisco AutoQoS:

rmon event 33333 log trap AutoQoS description "AutoQoS SNMP traps for Voice Drops" owner AutoQoS
rmon alarm 33350 cbQoSCMDDropBitRate.2881.2991 30 absolute rising-threshold 1 33333 falling-threshold 0 owner AutoQoS

Signaling Tools: Resource Reservation Protocol (RSVP)
• RSVP QoS services
  Guaranteed service: mathematically provable bounds on end-to-end datagram queuing delay/bandwidth
  Controlled service: approximate QoS from an unloaded network for delay/bandwidth
• RSVP provides the policy to WFQ and LLQ
(Figure: a multimedia station signals “This app needs 16K BW and 100 msec delay”; each router along the path to the multimedia server requests “I need 16K BW and 100 msec delay” from the next hop and reserves 16K BW on its own line)

QoS for Security

Business Security Threat Evolution: Expanding Scope of Theft and Disruption
(Figure: scope of damage, from individual computer through individual networks, multiple networks and regional networks to global impact, plotted against sophistication of threats over time: 1980s, 1990s, today, future)
• First generation: boot viruses
• Second generation: macro viruses, email, single server DoS, limited targeted hacking
• Third generation: multiserver DoS, DDoS, blended threat (worm + virus + Trojan), turbo worms, widespread system hacking
• Next generation: infrastructure hacking, flash threats, massive worm-driven DDoS, negative-payload viruses, worms, and Trojans

Emerging Speed of Network Attacks: Do You Have Time to React?
• 1980s–1990s: usually had weeks or months to put a defense in place
• 2000–2002: attacks progressed over hours; time to assess danger and impact, time to implement a defense
• 2003–future: attacks progress on a timeline of seconds
SQL Slammer worm: doubled every 8.5 seconds; after three minutes, 55M scans/sec; a 1 Gb link is saturated after one minute
SQL Slammer was a warning; newer “flash” worms are exponentially faster
In half the time it took to read this slide, your network and all of your applications would have become unreachable

Impact of an Internet Worm: Anatomy of a Worm: Why It Hurts
1. The enabling vulnerability
2. Propagation mechanism
3. Payload

Impact of an Internet Worm, Part One: Direct and Collateral Damage
(Figure: campus, branch, teleworker and primary/secondary data centers connected over L3VPN, L2VPN, Internet, BB/DSL and MetroE; end systems overloaded, control plane overloaded, data plane overloaded)

QoS Tools and Tactics for Security: QoS for Self-Defending Networks
• Control plane policing
• Data plane policing (Scavenger-Class QoS)
• NBAR for known-worm policing

Control Plane Policing Overview
(Figure: the control plane receives management traffic (SNMP, Telnet, ICMP, IPv6, SSH, SSL) and routing updates. Input to the control plane passes through Control Plane Policing (alleviating DoS attacks) and Silent Mode (reconnaissance prevention); processor-switched packets enter the control plane and its output returns to the forwarding path. The forwarding path runs from the input packet buffer through uRPF, ACL, NAT and the CEF/FIB lookup to the output packet buffer)

Data Plane Policing (Scavenger-Class QoS), Part One: First Order Anomaly Detection
• All end systems generate traffic spikes, but worms create sustained spikes
• The normal/abnormal threshold is set at approx. 95% confidence
• No dropping at the campus access edge, only remarking: traffic above the normal/abnormal threshold is policed and remarked (if necessary)

Data Plane Policing (Scavenger-Class QoS), Part Two: Second Order Anomaly Reaction
• Queuing only engages if links become congested; when congestion occurs, drops will also occur
• Scavenger-class QoS allows for increased intelligence in the dropping decision: “abnormal” traffic flows will be dropped aggressively, while “normal” traffic flows will continue to receive network service
(Figure: policing at the campus access edge; WAN/VPN links will likely congest first and campus uplinks may also congest; queuing engages when links become congested and traffic previously marked as Scavenger is dropped aggressively)

NBAR Known-Worm Policing: NBAR vs. Code Red Example
(Figure: frame → IP packet (ToS/DSCP, source IP, destination IP) → TCP segment (source port, destination port) → data payload; NBAR inspects the payload for “HTTP GET /*.ida*”)
• First released in May 2001
• Exploited a vulnerability in Microsoft IIS and infected 360,000 hosts in 14 hours
• Several strains (CodeRed, CodeRed II, CodeRedv2, CodeRed v3, ...)
• Newer strains replaced the home page of Web servers and caused DoS flooding attacks
• Attempts to access a file with an “.ida” extension
Branch router and branch switch classification:

class-map match-any CODE-RED
 match protocol http url "*.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"

Impact of an Internet Worm: Part Two
Integrating Security and QoS
[Figure: enterprise topology (Campus, Branch, Teleworker, Primary Data Center, Secondary Data Center, interconnected over L3VPN, L2VPN, BB DSL, Internet, MetroE) showing where each control applies]
• Protect the End Systems (end systems overloaded): Cisco Security Agent
• Prevent the Attack: intrusion detection, Cisco Guard, firewall, ACLs and NBAR
• Protect the Data Plane (data plane overloaded): data plane policing (Scavenger-Class QoS)
• Protect the Control Plane (control plane overloaded): control plane policing

QoS Best-Practice Design Principles

Classification and Marking Design
Where and How Should Marking Be Done?
• QoS policies (in general) should always be performed in hardware, rather than software, whenever a choice exists
• Classify and mark applications as close to their sources as technically and administratively feasible
• Use DSCP markings whenever possible
• Follow standards-based DSCP PHBs to ensure interoperation and future expansion
  RFC 2474 Class Selector Code Points
  RFC 2597 Assured Forwarding Classes
  RFC 3246 Expedited Forwarding

Classification and Marking Design
QoS Baseline Marking Recommendations

Application             L3 IPP   PHB     DSCP   L2 CoS
Routing                 6        CS6     48     6
Voice                   5        EF      46     5
Video Conferencing      4        AF41    34     4
Streaming Video         4        CS4     32     4
Mission-Critical Data   3        AF31*   26     3
Call Signaling          3        CS3*    24     3
Transactional Data      2        AF21    18     2
Network Management      2        CS2     16     2
Bulk Data               1        AF11    10     1
Best Effort             0        0       0      0
Scavenger               1        CS1     8      1

Queuing Design Principles
Where and How Should Queuing Be Done?
• The only way to provide service guarantees is to enable queuing at any node that has the potential for congestion
  Regardless of how rarely—in fact—this may occur
• At least 25 percent of a link’s bandwidth should be reserved for the default Best Effort class
• Limit the amount of strict-priority queuing to 33 percent of a link’s capacity
• Whenever a Scavenger queuing class is enabled, it should be assigned a minimal amount of bandwidth
• To ensure consistent PHBs, configure consistent queuing policies in the Campus + WAN + VPN, according to platform capabilities
• Enable WRED on all TCP flows, whenever supported
  Preferably DSCP-based WRED

Campus Queuing Design
Realtime, Best Effort, and Scavenger Queuing Rules
[Figure: link bandwidth divided into Real-Time ≤ 33%, Critical Data, Best Effort ≥ 25%, Scavenger/Bulk ≤ 5%]

Campus and WAN/VPN Queuing Design
Compatible Four-Class and Eleven-Class Queuing Models Following Realtime, Best Effort, and Scavenger Queuing Rules
[Figure: four-class model: Real-Time ≤ 33%, Critical Data, Best Effort ≥ 25%, Scavenger/Bulk 5%. Eleven-class model: Voice 18%, Interactive Video 15%, Streaming-Video, Call-Signaling, Internetwork-Control, Network Management, Transactional Data, Mission-Critical Data, Bulk 4%, Scavenger 1%, Best Effort 25%]
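Added example, not from the deck: a checker that sums a queuing model's per-class bandwidth shares into the real-time, critical-data, best-effort and scavenger/bulk groups and reports which of the rules on the preceding slides it violates. The eleven-class shares the slide does not quote are constructed sample values.

```python
"""Rule checker for the queuing models on the preceding slides (added
example, not Cisco's). Every class gets a share of link bandwidth and
belongs to one queue group; the rules are Best Effort >= 25%, Real-Time
<= 33% and Scavenger/Bulk <= 5%. Eleven-class shares the slide does not
quote are constructed sample values, marked below."""

RULES = {"best-effort": (">=", 25), "real-time": ("<=", 33),
         "scavenger-bulk": ("<=", 5)}  # critical-data carries no rule

GROUP_OF = {
    # four-class model
    "Real-Time": "real-time", "Critical Data": "critical-data",
    "Best Effort": "best-effort", "Scavenger/Bulk": "scavenger-bulk",
    # eleven-class model
    "Voice": "real-time", "Interactive Video": "real-time",
    "Scavenger": "scavenger-bulk", "Bulk": "scavenger-bulk",
    "Streaming-Video": "critical-data", "Call-Signaling": "critical-data",
    "Internetwork-Control": "critical-data", "Network Management": "critical-data",
    "Transactional Data": "critical-data", "Mission-Critical Data": "critical-data",
}

# Shares in percent of link bandwidth. Voice, Interactive Video, Best Effort,
# Bulk and Scavenger are the slide's numbers; the other six are constructed.
ELEVEN_CLASS = {"Voice": 18, "Interactive Video": 15, "Best Effort": 25,
                "Bulk": 4, "Scavenger": 1, "Streaming-Video": 10,
                "Call-Signaling": 5, "Internetwork-Control": 2,
                "Network Management": 5, "Transactional Data": 7,
                "Mission-Critical Data": 8}

def group_totals(allocation):
    """Sum the per-class shares into the four queue groups."""
    totals = {}
    for cls, share in allocation.items():
        totals[GROUP_OF[cls]] = totals.get(GROUP_OF[cls], 0) + share
    return totals

def check_queuing_rules(allocation):
    """Return the violated rules (an empty list means a compliant model)."""
    problems = []
    if sum(allocation.values()) != 100:  # a bandwidth model must add up to 100
        problems.append(f"shares total {sum(allocation.values())}%, not 100%")
    totals = group_totals(allocation)
    for group, (op, limit) in RULES.items():
        got = totals.get(group, 0)
        if not (got >= limit if op == ">=" else got <= limit):
            problems.append(f"{group} is {got}% (rule: {op} {limit}%)")
    return problems
```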

Policing Design Principles
Where and How Should Policing Be Done?
• Police traffic flows as close to their sources as possible
• Perform markdown according to standards-based rules, whenever supported
  RFC 2597 specifies how Assured Forwarding traffic classes should be marked down (AF11 → AF12 → AF13), which should be done whenever DSCP-based WRED is supported on egress queues
  Cisco Catalyst platforms currently do not support DSCP-based WRED, so Scavenger-class remarking is a viable alternative
  Additionally, non-AF classes do not have a standards-based markdown scheme, so Scavenger-class remarking is a viable option
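Added example (not Cisco code) that covers both the QoS Baseline marking table and the markdown rules above: it encodes and decodes the standards-based PHBs, derives IPP and CoS from the DSCP, and applies RFC 2597 markdown or Scavenger remarking depending on whether the egress queues support DSCP-based WRED.

```python
"""DSCP/PHB helpers for the QoS Baseline marking table and the markdown
rules on the preceding slides (added example, not Cisco code). Per RFC
2474/2597/3246: CSn = 8n, AFxy = 8x + 2y, EF = 46; IPP and CoS = DSCP >> 3."""
CS1 = 8  # Scavenger

# Application -> PHB as on the QoS Baseline slide (Best Effort written as CS0).
QOS_BASELINE = {
    "Routing": "CS6", "Voice": "EF", "Video Conferencing": "AF41",
    "Streaming Video": "CS4", "Mission-Critical Data": "AF31",
    "Call Signaling": "CS3", "Transactional Data": "AF21",
    "Network Management": "CS2", "Bulk Data": "AF11",
    "Best Effort": "CS0", "Scavenger": "CS1",
}

def phb_to_dscp(phb):
    """'CS6' -> 48, 'AF31' -> 26, 'EF' -> 46, 'CS0' -> 0."""
    phb = phb.upper()
    if phb == "EF":
        return 46
    if len(phb) == 3 and phb[:2] == "CS" and phb[2] in "01234567":
        return 8 * int(phb[2])
    if len(phb) == 4 and phb[:2] == "AF" and phb[2] in "1234" and phb[3] in "123":
        return 8 * int(phb[2]) + 2 * int(phb[3])
    raise ValueError(f"unknown PHB {phb!r}")

def dscp_to_phb(dscp):
    """Inverse of phb_to_dscp for the standards-based code points."""
    if dscp == 46:
        return "EF"
    x, rem = divmod(dscp, 8)
    if rem == 0:
        return f"CS{x}"
    if 1 <= x <= 4 and rem in (2, 4, 6):
        return f"AF{x}{rem // 2}"
    raise ValueError(f"no standard PHB for DSCP {dscp}")

def baseline_row(app):
    """(IPP, PHB, DSCP, CoS) for an application; IPP and CoS are DSCP >> 3."""
    dscp = phb_to_dscp(QOS_BASELINE[app])
    return dscp >> 3, QOS_BASELINE[app], dscp, dscp >> 3

def markdown(dscp, dscp_wred_on_egress=True):
    """Out-of-profile remark: AFxy -> AFx(y+1) per RFC 2597 when the egress
    queues support DSCP-based WRED (drop precedence caps at 3); otherwise,
    and for non-AF classes, remark to Scavenger (CS1) as the slide allows."""
    phb = dscp_to_phb(dscp)
    if phb.startswith("AF") and dscp_wred_on_egress:
        return phb_to_dscp(f"AF{phb[2]}{min(int(phb[3]) + 1, 3)}")
    return CS1
```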

Enterprise LAN, WAN, Branch, and VPN QoS Design Overview

Campus QoS Considerations
Where Is QoS Required Within the Campus?
[Figure: campus topology with FastEthernet, GigabitEthernet and TenGigabitEthernet links, Cisco Catalyst 6500 Sup720, WAN Aggregator, Server Farms, IP Phones + PCs. Policy labels: No Trust + Policing + Queuing; Conditional Trust + Policing + Queuing; Trust DSCP + Queuing; Per-User Microflow Policing]

WAN Edge QoS Design Considerations
QoS Requirements of WAN Aggregators
[Figure: campus distribution/core switches, WAN aggregator, WAN, with LAN edges and WAN edges marked. WAN edge: Queuing/Dropping/Shaping/Link-Efficiency policies for campus-to-branch traffic]

Branch Router QoS Design
QoS Requirements for Branch Routers
[Figure: WAN, branch router (WAN edge, LAN edge), branch switch. WAN edge: Queuing/Dropping/Shaping/Link-Efficiency policies for branch-to-campus traffic. LAN edge: Classification and Marking (+ NBAR) policies for branch-to-campus traffic; optional: DSCP-to-CoS mapping policies for campus-to-branch traffic]

MPLS VPN QoS Design
QoS Requirements in MPLS VPN Architectures
[Figure: CE router, PE router, P routers, MPLS VPN, PE router, CE router. Required: CE-to-PE Queuing/Shaping/Remarking/LFI; PE Ingress Policing and Remarking; PE-to-CE Queuing/Shaping/LFI. Optional: Core DiffServ or MPLS TE policies]

IPSec VPN QoS Design
QoS Requirements in IPSec VPN Architectures
[Figure: branch router, Internet, IPSec VPN tunnel, VPN head-end/edge router. Policies: Queuing/Dropping/Shaping/Link-Efficiency; LLQ for Crypto; QoS Pre-Classification; ISAKMP Protection; Anti-Replay Tuning]

