
Agenda

• QoS Introduction
• QoS Technologies Overview
• QoS Best Practice Design Principles
• QoS Design for WAN, Branch, VPN
• QoS Design for Campus

© 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 1


Introduction to QoS Tools and Design

Cisco


QoS Introduction



What Is Quality of Service?
Two Perspectives

• The user perspective
  Users perceive that their applications are performing properly
  Voice, video, and data
• The network manager perspective
  Need to manage bandwidth allocations to deliver the desired application performance
  Control delay, jitter, and packet loss


Why Enable QoS? HA, Security, and QoS Are Interdependent Technologies

(Diagram: Quality of Service, Security, and High Availability drawn as three interdependent pillars.)

• Enables VoIP and IP telephony
• Drives productivity by enhancing service-levels to mission-critical applications
• Cuts costs by bandwidth optimization
• Helps maintain network availability in the event of DoS/worm attacks


What Causes ...

• Lack of bandwidth – multiple flows are contesting for a limited amount of bandwidth
• Too much delay – packets have to traverse many network devices and links that add up to the overall delay
• Variable delay – sometimes there is a lot of other traffic, which results in more delay
• Drops – packets have to be dropped when a link is congested


Available Bandwidth

(Diagram: a path of four routers connected by links of 10 Mbps, 256 kbps, 512 kbps and 100 Mbps.)

BWmax = min(10M, 256k, 512k, 100M) = 256 kbps
BWavail = BWmax / Flows

• Maximum available bandwidth equals the bandwidth of the weakest link
• Multiple flows are contesting for the same bandwidth, resulting in much less bandwidth being available to one single application


How to Increase Available Bandwidth?

(Diagram of the tools: compress the headers – TCP header compression, RTP header compression (IP + TCP + data becomes cTCP + data); compress the payload – Stacker, Predictor (compressed packet); replace FIFO queuing with fancy queuing – Priority Queuing (PQ), Custom Queuing (CQ), Modified Deficit Round Robin (MDRR), Class-based Weighted Fair Queuing (CB-WFQ).)

• Upgrade the link. The best solution but also the most expensive.
• Take some bandwidth from less important applications.
• Compress the payload of layer-2 frames.
• Compress the header of IP packets.


End-to-End Delay

(Diagram: a path of four routers; each link adds a propagation delay P1–P4 and each router adds a processing and queuing delay Q1–Q3.)

Delay = P1 + Q1 + P2 + Q2 + P3 + Q3 + P4 = X ms

• End-to-end delay equals the sum of all propagation, processing and queuing delays in the path
• Propagation delay is fixed; processing and queuing delays are unpredictable in best-effort networks


How to Reduce Delay?

(Diagram of the tools: compress the headers – TCP header compression, RTP header compression (IP + UDP + RTP + data becomes cRTP + data); compress the payload – Stacker, Predictor (compressed packet); replace FIFO queuing with fancy queuing – Priority Queuing (PQ), Custom Queuing (CQ), Strict Priority MDRR, IP RTP prioritization, Class-based Low-latency Queuing (CB-LLQ).)

• Upgrade the link. The best solution but also the most expensive.
• Forward the important packets first.
• Compress the payload of layer-2 frames (it takes time).
• Compress the header of IP packets.


Packet Loss

(Diagram: a forwarding path through five routers; tail-drop at a full output queue.)

• Tail-drops occur when the output queue is full. These are the most common drops, which happen when a link is congested.
• There are also many other types of drops that are not as common and may require a hardware upgrade (input drop, ignore, overrun, no buffer, ...). These drops are usually a result of router congestion.


How to Prevent Packet Loss?

(Diagram of the tools: a dropper – Weighted Random Early Detection (WRED) – in front of the queue; fancy queuing instead of FIFO queuing – Custom Queuing (CQ), Modified Deficit Round Robin (MDRR), Class-based Weighted Fair Queuing (CB-WFQ).)

• Upgrade the link. The best solution but also the most expensive.
• Guarantee enough bandwidth to sensitive packets.
• Prevent congestion by randomly dropping less important packets before congestion occurs.


Quality of Service Operations
How Do QoS Tools Work?

Classification and Marking → Queuing and (Selective) Dropping → Post-Queuing Operations


Cisco IOS QoS Behavioral Model

Packet Stream → Classification → Optional Pre-Queuing Operators → Queuing System (Queues + Scheduler) → Optional Post-Queuing Operators


Specify Match Conditions and Policy Actions

Match Conditions
• Classification: classify traffic

Policy Actions (applied around the queuing system of queues and scheduler)
• Pre-Queuing: immediate actions
• Queuing and Scheduling: congestion management and avoidance
• Post-Queuing: link efficiency mechanisms


Operators for Traffic Classification and QoS Policy Actions

Match Conditions (keyword: class-map)
Classification – classify traffic by matching one or more attributes (partial list):
• ACL list
• CoS
• Differentiated Services Code Point (DSCP)
• Input-interface
• Media Access Control (MAC) address
• Packet length
• Precedence
• Protocol
• VLAN

Policy Actions (keyword: policy-map)
• Pre-Queuing – immediate actions: Mark (set QoS values), Police, Drop, Count
• Queuing and Scheduling – congestion management and avoidance: Queue-Limit, Random-Detect, Bandwidth, Fair-Queue, Priority, Shape
• Post-Queuing – link efficiency mechanisms: Compress header, Fragment (link fragmentation and interleaving, layer two)


Cisco QoS Architectural Framework
Business Objectives

• Business objectives: Voice, Video, Data
• Goals: QoS for Convergence, QoS for Security, QoS for Tiered Services
• Architecture standards: DiffServ standards, Hybrid standards, IntServ standards


Cisco QoS Architectural Framework
Automating and Management

• Business objectives: Voice, Video, Data
• Goals: QoS for Convergence, QoS for Security, QoS for Tiered Services
• Management technologies: management applications, provisioning/auto-provisioning
• Architecture standards: DiffServ standards, Hybrid standards, IntServ standards

Cisco QoS Tools

Router (Cisco IOS® QoS):
• Classification and Marking: CoS, DSCP, MPLS EXP, NBAR
• Policing: Single-Rate, Dual-Rate
• Congestion Mgmt: LLQ, CBWFQ
• Congestion Avoidance: WRED, ECN
• Link-Specific: Shaping, cRTP, LFI
• Signaling: RSVP

Cisco Catalyst® QoS:
• Classification and Marking: CoS, DSCP
• Policing: Single Rate, Dual Rate, Microflow
• Congestion Mgmt: 1PxQyT
• Congestion Avoidance: WTD, WRED, ECN
• Link-Specific: Shaping
• Signaling: RSVP, COPS

How Is QoS Optimally Deployed?

1. Strategically define the business objectives to be achieved via QoS
2. Analyze the service-level requirements of the various traffic classes to be provisioned for
3. Design and test the QoS policies prior to production-network rollout
4. Roll out the tested QoS designs to the production network in phases, during scheduled downtime
5. Monitor service levels to ensure that the QoS objectives are being met


General QoS Design Principles
Start with the Objectives, Not the Tools

• Clearly define the organizational objectives
  Protect voice? Video? Data?
  DoS/worm mitigation?
• Assign as few applications as possible to be treated as "mission-critical"
• Seek executive endorsement of the QoS objectives prior to design and deployment
• Determine how many classes of traffic are required to meet the organizational objectives
  More classes = more granular service-guarantees


How Many Classes of Service Do I Need?
Example Strategy for Expanding the Number of Classes of Service over Time

4/5 Class Model: Realtime; Call Signaling; Critical Data; Best Effort; Scavenger

8 Class Model: Voice; Video; Call Signaling; Network Control; Critical Data; Bulk Data; Best Effort; Scavenger

11 Class Model: Voice; Interactive-Video; Streaming Video; Call Signaling; IP Routing; Network Management; Mission-Critical Data; Transactional Data; Bulk Data; Best Effort; Scavenger

(The models are shown left to right along a time axis: Realtime splits into Voice and Video, then Video into Interactive-Video and Streaming Video; Network Control splits into IP Routing and Network Management; Critical Data splits into Mission-Critical Data and Transactional Data.)

Voice QoS Requirements
End-to-End Latency

(Chart: one-way delay in msec from 0 to 800. Zones marked High Quality, Fax Relay/Broadcast, CB Zone, and Satellite Quality; beyond the delay target, talkers start stepping on each other ("Hello? Hello?"), the "Human Ethernet" to be avoided.)

ITU's G.114 Recommendation: ≤ 150 msec one-way delay


Voice QoS Requirements
Elements That Affect Latency and Jitter

(Diagram: a call from a campus IP phone across the IP WAN to a branch office, and via PSTN.)

Delay components along the path:
• CODEC: fixed, G.729A: 25 ms
• Queuing: variable
• Serialization: variable
• Propagation and network: variable (3.3 µs/km) + network delay (variable)
• Jitter buffer: 20–50 ms

End-to-End Delay (Must Be ≤ 150 ms)


Voice QoS Requirements
Packet Loss Limitations

(Diagram: a stream of voice packets 1–4; when packet 3 is lost, the receiving DSP reconstructs the missing voice sample from its neighbors.)

• Cisco DSP codecs can use predictor algorithms to compensate for a single lost packet in a row
• Two lost packets in a row will cause an audible clip in the conversation


Voice QoS Requirements
Provisioning for Voice

Voice one-way requirements:
• Latency ≤ 150 ms
• Jitter ≤ 30 ms
• Loss ≤ 1%
• 17–106 kbps guaranteed priority bandwidth per call
• 150 bps (+ layer 2 overhead) guaranteed bandwidth for voice-control traffic per call
• CAC must be enabled

Voice traffic characteristics:
• Smooth
• Benign
• Drop sensitive
• Delay sensitive
• UDP priority


Video QoS Requirements
Video Conferencing Traffic Example (384 kbps)

(Diagram: "I" frames of 1024–1518 bytes sent at 30 pps, peaking at 450 kbps; "P" and "B" frames of 128–256 bytes sent at 15 pps, about 32 kbps.)

• "I" frame is a full sample of the video
• "P" and "B" frames use quantization via motion vectors and prediction algorithms


Video QoS Requirements
Video Conferencing Traffic Packet Size Breakdown

(Pie chart of packet sizes:)
• 65–128 Bytes: 1%
• 129–256 Bytes: 34%
• 257–512 Bytes: 8%
• 513–1024 Bytes: 20%
• 1025–1500 Bytes: 37%


Video QoS Requirements
Provisioning for Interactive Video

Video one-way requirements:
• Latency ≤ 150 ms
• Jitter ≤ 30 ms
• Loss ≤ 1%
• Minimum priority bandwidth guarantee required is video-stream + 10–20%
  e.g., a 384 kbps stream could require up to 460 kbps of priority bandwidth
• CAC must be enabled

Video traffic characteristics:
• Bursty
• Drop sensitive
• Delay sensitive
• UDP priority


Data QoS Requirements
Application Differences

(Two pie charts of packet size distribution, one for Oracle and one for SAP R/3, with buckets 0–64, 65–127, 128–252, 253–511, 512–1023 and 1024–1518 bytes; the two applications show markedly different mixes.)


Data QoS Requirements
Version Differences
Same Transaction Takes Over 35 Times More Traffic from One Version of an Application to Another

SAP Sales Order Entry Transaction (VA01)

Client Version / # of Bytes:
• SAP GUI Release 3.0F: 14,000
• SAP GUI Release 4.6C, no cache: 57,000
• SAP GUI Release 4.6C, with cache: 33,000
• SAP GUI for HTML, Release 4.6C: 490,000

(Bar chart of the same values on a 0–500,000 byte scale.)


Data QoS Requirements
Provisioning for Data (Cont.)

• Use four/five main traffic classes
  Mission-critical apps—business-critical client-server applications
  Transactional/interactive apps—foreground apps: client-server apps or interactive applications
  Bulk data apps—background apps: FTP, e-mail, backups, content distribution
  Best effort apps—(default class)
  Optional: Scavenger apps—peer-to-peer apps, gaming traffic
• Additional optional data classes include internetwork-control (routing) and network-management
• Most apps fall under best-effort; make sure that adequate bandwidth is provisioned for this default class


Data QoS Requirements
Provisioning for Data

• Different applications have different traffic characteristics
• Different versions of the same application can have different traffic characteristics
• Classify data into four/five data classes model
  Mission-critical apps
  Transactional/interactive apps
  Bulk data apps
  Best effort apps
  Optional: Scavenger apps

Data traffic characteristics:
• Smooth/bursty
• Benign/greedy
• Drop insensitive
• Delay insensitive
• TCP retransmits

Scavenger-Class
What Is the Scavenger Class?

• The Scavenger class is an Internet 2 draft specification for a "less than best effort" service
• There is an implied "good faith" commitment for the "best effort" traffic class
  It is generally assumed that at least some network resources will be available for the default class
• Scavenger class markings can be used to distinguish out-of-profile/abnormal traffic flows from in-profile/normal flows
  The Scavenger class marking is CS1, DSCP 8
• Scavenger traffic is assigned a "less-than-best effort" queuing treatment whenever congestion occurs


QoS Technology Overview



QoS Technologies Overview

• Classification tools
• Scheduling tools
• Policing and shaping tools
• Link-Specific tools
• Signaling tools (RSVP)
• AutoQoS tools
• QoS for Security



Classification Tools
Ethernet 802.1Q Class of Service---L2

(Diagram: Ethernet frame – Preamble, SFD, DA, SA, 4-byte 802.1Q TAG, Type, PT, Data, FCS. The 802.1Q/p header carries PRI (three bits used for CoS, the 802.1p user priority), CFI and VLAN ID.)

CoS / Application:
7 Reserved
6 Routing
5 Voice
4 Video
3 Call Signaling
2 Critical Data
1 Bulk Data
0 Best Effort Data

• 802.1p user priority field also called Class of Service (CoS)
• Different types of traffic are assigned different CoS values
• CoS 6 and 7 are reserved for network use

Classification Tools
IP Precedence and DiffServ Code Points---L3

(Diagram: IPv4 packet – Version, Length, ToS Byte, Len, ID, Offset, TTL, Proto, FCS, IP SA, IP DA, Data. ToS byte bits 7–0: standard IPv4 uses bits 7–5 as IP Precedence and leaves bits 4–0 unused; the DiffServ extensions use bits 7–2 as the DiffServ Code Point (DSCP) and bits 1–0 as IP ECN.)

• IPv4: three most significant bits of ToS byte are called IP Precedence (IPP)—other bits unused
• DiffServ: six most significant bits of ToS byte are called DiffServ Code Point (DSCP)—remaining two bits used for flow control
• DSCP is backward-compatible with IP precedence


Classification Tools
MPLS EXP Bits

(Diagram: frame encapsulation – layer-2 header, label stack (one or more MPLS shim headers), payload. MPLS shim header, 32 bits: Label (bits 0–19), EXP (bits 20–22), S (bit 23), TTL (bits 24–31).)

• Packet class and drop precedence inferred from EXP (three-bit) field
• RFC3270 does not recommend specific EXP values for DiffServ PHB (EF/AF/DF)
• Used for frame-based MPLS

Classification Tools
DSCP Per-Hop Behaviors

• IETF RFCs have defined special keywords, called Per-Hop Behaviors, for specific DSCP markings
• EF: Expedited Forwarding (RFC3246)
  (DSCP 46)
• CSx: Class Selector (RFC2474)
  Where x corresponds to the IP Precedence value (1–7)
  (DSCP 8, 16, 24, 32, 40, 48, 56)
• AFxy: Assured Forwarding (RFC2597)
  Where x corresponds to the IP Precedence value (only 1–4 are used for AF classes)
  And y corresponds to the Drop Preference value (either 1 or 2 or 3), with the higher values denoting higher likelihood of dropping
  (DSCP 10/12/14, 18/20/22, 26/28/30, 34/36/38)
• BE: Best Effort or Default Marking Value (RFC2474)
  (DSCP 0)
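The three classification slides above (ToS byte, MPLS shim header, DSCP PHB names) describe bit layouts that are easy to get wrong when writing a marking check or a parser for captured traffic. The following is an added example, not code from the original deck: it decodes an IPv4 ToS byte into IP Precedence, DSCP, the PHB keyword and the two ECN bits (RFC 3168 codepoints), and a 32-bit MPLS shim header into label, EXP, S and TTL. The sample values in the demo are constructed.

```python
"""Decode the QoS-relevant header fields: the IPv4 ToS byte (IP Precedence,
DSCP with its PHB name, ECN bits) and the MPLS shim header (label, EXP, S, TTL).
Added example; the sample byte values below are constructed."""

# DSCP values that carry a standard Per-Hop Behavior name (RFC 2474/2597/3246)
_PHB_NAMES = {0: "BE", 46: "EF"}
for _x in range(1, 8):
    _PHB_NAMES[_x * 8] = f"CS{_x}"                  # class selectors: 8, 16, ..., 56
for _x in range(1, 5):
    for _y in range(1, 4):
        _PHB_NAMES[_x * 8 + _y * 2] = f"AF{_x}{_y}"  # AF11 = 10 ... AF43 = 38

# RFC 3168 ECN field codepoints (the two least significant bits of the ToS byte)
_ECN_NAMES = {0b00: "Not-ECT", 0b01: "ECT(1)", 0b10: "ECT(0)", 0b11: "CE"}


def phb_name(dscp):
    """Return the PHB keyword for a DSCP value, or 'DSCP<n>' if it has none."""
    return _PHB_NAMES.get(dscp, f"DSCP{dscp}")


def decode_tos(tos):
    """Split an IPv4 ToS byte into precedence, DSCP and ECN.
    IP Precedence is simply the top three bits of the DSCP, which is why DSCP
    stays backward compatible with precedence-only devices."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS byte must be 0..255")
    dscp = tos >> 2
    return {
        "precedence": tos >> 5,
        "dscp": dscp,
        "phb": phb_name(dscp),
        "ecn": _ECN_NAMES[tos & 0b11],
    }


def encode_tos(dscp, ecn=0):
    """Build a ToS byte from a DSCP (0..63) and an ECN codepoint (0..3)."""
    if not 0 <= dscp <= 63 or not 0 <= ecn <= 3:
        raise ValueError("dscp must be 0..63 and ecn 0..3")
    return (dscp << 2) | ecn


def decode_mpls_shim(word):
    """Decode a 32-bit MPLS shim header: 20-bit label, 3-bit EXP,
    1-bit bottom-of-stack flag (S) and 8-bit TTL."""
    if not 0 <= word <= 0xFFFFFFFF:
        raise ValueError("shim header must be a 32-bit value")
    return {
        "label": word >> 12,
        "exp": (word >> 9) & 0b111,
        "s": (word >> 8) & 0b1,
        "ttl": word & 0xFF,
    }


if __name__ == "__main__":
    # Constructed values: EF voice with CE set, AF31 signaling, precedence-5 legacy
    for tos in (encode_tos(46, 0b11), encode_tos(26), 0xA0):
        print(hex(tos), decode_tos(tos))
    # Constructed shim: label 100, EXP 5, S=1, TTL 64
    print(decode_mpls_shim((100 << 12) | (5 << 9) | (1 << 8) | 64))
```

A marking audit built on this would compare the decoded PHB against the class the packet was expected to carry; the EXP value has no standard PHB mapping (RFC 3270), so it is returned raw.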


Classification Tools
Network-Based Application Recognition
Stateful and Dynamic Inspection

(Diagram: NBAR inspects the IP packet (ToS, protocol, source and destination IP address), the TCP/UDP header (source and destination port) and the data area (sub-port/deep inspection).)

• Identifies over 90 applications and protocols
  TCP and UDP port numbers: statically assigned, or dynamically assigned during connection establishment
  Non-TCP and non-UDP IP protocols
  Data packet inspection for matching values


Policing Tools
RFC 2697 Single Rate Three Color Policer

(Diagram: tokens arrive at CIR into the CBS bucket; overflow spills into the EBS bucket. For a packet of size B: if B < Tc (tokens in the CBS bucket) → conform action; otherwise if B < Te (tokens in the EBS bucket) → exceed action; otherwise → violate action.)


Policing Tools
RFC 2698 Two Rate Three Color Policer

(Diagram: tokens arrive at PIR into the PBS bucket and at CIR into the CBS bucket. For a packet of size B: if B > Tp (tokens in the PBS bucket) → violate action; otherwise if B > Tc (tokens in the CBS bucket) → exceed action; otherwise → conform action.)
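The two policer diagrams above are easier to reason about as code. The following is an added example, not Cisco's implementation: a color-blind RFC 2697 single-rate and RFC 2698 two-rate three-color meter, with rates in bits per second and bucket and packet sizes in bytes. The packet sequences in the demo functions are constructed to exercise all three colors.

```python
"""Token-bucket meters from RFC 2697 (single-rate three-color, srTCM) and
RFC 2698 (two-rate three-color, trTCM) in color-blind mode. Added example;
rates in bits per second, burst sizes and packet sizes in bytes, and the
packet sequences in the demos are constructed."""

GREEN, YELLOW, RED = "green", "yellow", "red"   # conform / exceed / violate


class SingleRateThreeColorMeter:
    """srTCM: bucket C (size CBS) fills at CIR; tokens that overflow C spill
    into bucket E (size EBS). Green if C covers the packet, yellow if only E
    does, red otherwise."""

    def __init__(self, cir_bps, cbs, ebs):
        self.rate = cir_bps / 8.0                # bytes per second
        self.cbs, self.ebs = float(cbs), float(ebs)
        self.tc, self.te = self.cbs, self.ebs    # buckets start full
        self.last = 0.0

    def _refill(self, now):
        added = (now - self.last) * self.rate
        self.last = now
        room_c = self.cbs - self.tc
        self.tc += min(added, room_c)
        self.te = min(self.ebs, self.te + max(0.0, added - room_c))

    def meter(self, now, size):
        self._refill(now)
        if size <= self.tc:
            self.tc -= size
            return GREEN
        if size <= self.te:
            self.te -= size
            return YELLOW
        return RED


class TwoRateThreeColorMeter:
    """trTCM: bucket P (size PBS) fills at PIR, bucket C (size CBS) at CIR.
    Red if P cannot cover the packet, yellow if P can but C cannot,
    green if both can (both buckets are debited)."""

    def __init__(self, cir_bps, cbs, pir_bps, pbs):
        self.crate, self.prate = cir_bps / 8.0, pir_bps / 8.0
        self.cbs, self.pbs = float(cbs), float(pbs)
        self.tc, self.tp = self.cbs, self.pbs
        self.last = 0.0

    def _refill(self, now):
        dt = now - self.last
        self.last = now
        self.tc = min(self.cbs, self.tc + dt * self.crate)
        self.tp = min(self.pbs, self.tp + dt * self.prate)

    def meter(self, now, size):
        self._refill(now)
        if size > self.tp:
            return RED
        if size > self.tc:
            self.tp -= size
            return YELLOW
        self.tp -= size
        self.tc -= size
        return GREEN


def color_sequence(meter, packets):
    """Run a (time_seconds, size_bytes) sequence through a meter; return colors."""
    return [meter.meter(t, b) for t, b in packets]


def demo_srtcm():
    # Constructed: five 1000-byte packets at t=0, then one 500-byte packet at t=1 s
    pkts = [(0.0, 1000)] * 5 + [(1.0, 500)]
    return color_sequence(SingleRateThreeColorMeter(8000, 2000, 2000), pkts)


def demo_trtcm():
    # Constructed: four 1000-byte packets at t=0, then a 1500-byte packet at t=1 s
    pkts = [(0.0, 1000)] * 4 + [(1.0, 1500)]
    return color_sequence(TwoRateThreeColorMeter(8000, 2000, 16000, 3000), pkts)


if __name__ == "__main__":
    print("srTCM:", demo_srtcm())
    print("trTCM:", demo_trtcm())
```

The srTCM demo shows the burst structure of the single-rate meter: a burst is green up to CBS, yellow up to EBS, then red until the buckets refill. In the trTCM demo the fourth packet goes red because the PIR bucket is empty even though nothing else has changed, which is the behaviour that lets the two-rate meter bound peak rate independently of committed rate.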


Scheduling Tools
Queuing Algorithms

(Diagram: voice, video and data flows placed into queues 1, 2 and 3 and scheduled onto a link in that order.)

• Congestion can occur at any point in the network where there are speed mismatches
• Routers use Cisco IOS-based software queuing
  Low-Latency Queuing (LLQ) used for highest-priority traffic (voice/video)
  Class-Based Weighted-Fair Queuing (CBWFQ) used for guaranteeing bandwidth to data applications
• Cisco Catalyst switches use hardware queuing


TCP Global Synchronization:
The Need for Congestion Avoidance

• All TCP flows synchronize in waves
• Synchronization wastes available bandwidth

(Chart: bandwidth utilization versus time. Three traffic flows start at different times; after each tail drop they back off together and ramp up together in waves, and another flow starting later joins the pattern, so the link never reaches 100% utilization.)

Scheduling Tools
Congestion Avoidance Algorithms

(Diagram: a WRED queue holding packets of drop precedence 0–3, with tail drop at the far end of the queue.)

• Queueing algorithms manage the front of the queue
  Which packets get transmitted first
• Congestion avoidance algorithms manage the tail of the queue
  Which packets get dropped first when queuing buffers fill
• Weighted Random Early Detection (WRED)
  WRED can operate in a DiffServ-compliant mode
  Drops packets according to their DSCP markings
  WRED works best with TCP-based applications, like data


Scheduling Tools
DSCP-Based WRED Operation

(Chart: drop probability (0–100%, with 50% marked) versus average queue size. AF13, AF12 and AF11 each have their own "begin dropping" threshold, AF13 earliest and AF11 latest, a rising drop probability beyond it, and a "drop all" point; past the maximum queue length, tail drop applies.)

AF = (RFC 2597) Assured Forwarding
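To make the chart above concrete, here is an added example (not Cisco's WRED code) of a DSCP-based WRED queue: every AF drop precedence gets its own minimum threshold, maximum threshold and mark-probability denominator, the drop decision is taken on an exponentially weighted average queue size rather than the instantaneous one, and packets above the maximum threshold are always dropped. The profile numbers, the fast averaging exponent and the offered packet stream are constructed so the effect is visible in a short run; Cisco defaults differ.

```python
"""DSCP-based WRED: per-profile thresholds, linear drop ramp, EWMA average
queue size. Added example; the profiles and traffic below are constructed."""

import random


def ewma_queue_size(avg, current, exponent=9):
    """Cisco-style average: avg = avg*(1 - 2^-n) + current*2^-n."""
    w = 2.0 ** -exponent
    return avg * (1.0 - w) + current * w


def drop_probability(avg, min_th, max_th, mark_denominator=10):
    """0 below min_th, linear ramp to 1/mark_denominator at max_th,
    and 1.0 (drop all) at or above max_th."""
    if avg < min_th:
        return 0.0
    if avg >= max_th:
        return 1.0
    max_p = 1.0 / mark_denominator
    return max_p * (avg - min_th) / (max_th - min_th)


# Constructed profiles (min_th, max_th, denominator): AF13 starts dropping
# earliest and AF11 latest, i.e. higher y means higher drop likelihood.
# Denominator 1 (full ramp to 100%) is used here to make the effect obvious.
PROFILES = {"AF11": (30, 40, 1), "AF12": (20, 40, 1), "AF13": (10, 40, 1)}


class WredQueue:
    def __init__(self, profiles, capacity=40, seed=1, exponent=2):
        self.profiles = profiles
        self.capacity = capacity
        self.exponent = exponent          # small exponent so the average moves fast
        self.queue = []
        self.avg = 0.0
        self.rng = random.Random(seed)    # seeded so runs are reproducible
        self.dropped = {name: 0 for name in profiles}

    def enqueue(self, phb):
        """Return True if the packet was queued, False if WRED/tail dropped it."""
        self.avg = ewma_queue_size(self.avg, len(self.queue), self.exponent)
        min_th, max_th, denom = self.profiles[phb]
        p = drop_probability(self.avg, min_th, max_th, denom)
        if len(self.queue) >= self.capacity or self.rng.random() < p:
            self.dropped[phb] += 1
            return False
        self.queue.append(phb)
        return True

    def dequeue(self):
        return self.queue.pop(0) if self.queue else None


def simulate(arrivals=600, drain_every=3):
    """Offer an equal mix of AF11/AF12/AF13 faster than the queue drains and
    return the drop count per drop precedence."""
    q = WredQueue(PROFILES)
    for i in range(arrivals):
        q.enqueue(("AF11", "AF12", "AF13")[i % 3])
        if i % drain_every == 0:
            q.dequeue()
    return q.dropped


if __name__ == "__main__":
    print(simulate())
```

Because the offered load is three times the drain rate, the average queue size settles around the AF11 minimum threshold: AF13 and AF12 absorb most of the drops while AF11 is largely protected, which is the "higher drop precedence is dropped first" behaviour the slide describes.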


Congestion Avoidance
RFC3168: IP Explicit Congestion Notification

(Diagram: IPv4 packet – Version, Length, ToS Byte, Len, ID, Offset, TTL, Proto, FCS, IP SA, IP DA, Data. ToS byte bits 7–2 carry the DiffServ Code Point (DSCP); bit 1 is the ECT bit (ECN-Capable Transport) and bit 0 the CE bit (Congestion Experienced).)

• IP header Type of Service (ToS) byte
• Explicit Congestion Notification (ECN) bits


Traffic Shaping

(Chart: without traffic shaping, transmissions burst up to line rate; with traffic shaping they are held to the shaped rate.)

Traffic Shaping Limits the Transmit Rate to a Value Lower Than Line Rate

• Policers typically drop traffic
• Shapers typically delay excess traffic, smoothing bursts and preventing unnecessary drops
• Very common on Non-Broadcast Multiple-Access (NBMA) network topologies such as Frame Relay and ATM
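The policer-versus-shaper contrast above can be shown on one burst. This is an added example, not a Cisco implementation: an interval-based shaper grants Bc = shaped rate × Tc bits per interval and holds packets that do not fit until the next interval, while a plain single-bucket policer with the same burst allowance drops them. The five-packet burst is constructed.

```python
"""Interval-based traffic shaper versus a single-bucket policer on the same
burst. Added example; the burst and the rates are constructed."""


def shape(packets_bytes, shaped_rate_bps, tc_seconds=0.125, start=0.0):
    """Schedule a burst (all packets present at `start`) onto a shaped link.
    Returns (send_times, max_delay_seconds); nothing is dropped."""
    bc_bits = shaped_rate_bps * tc_seconds        # committed burst per interval
    interval = 0
    credit = bc_bits
    send_times = []
    for size in packets_bytes:
        bits = size * 8
        if bits > bc_bits:
            raise ValueError("packet larger than Bc can never be sent")
        while bits > credit:                      # wait for the next interval
            interval += 1
            credit = bc_bits
        credit -= bits
        send_times.append(start + interval * tc_seconds)
    return send_times, max(send_times) - start


def police(packets_bytes, burst_bytes):
    """Single-bucket policer on the same instantaneous burst: packets that
    exceed the burst allowance are dropped rather than delayed."""
    tokens = burst_bytes
    dropped = 0
    for size in packets_bytes:
        if size <= tokens:
            tokens -= size
        else:
            dropped += 1
    return dropped


def demo():
    burst = [500] * 5                 # constructed: five 500-byte packets at once
    times, max_delay = shape(burst, shaped_rate_bps=64000, tc_seconds=0.125)
    dropped = police(burst, burst_bytes=1000)
    return times, max_delay, dropped


if __name__ == "__main__":
    times, max_delay, dropped = demo()
    print("shaped send times:", times, "max delay:", max_delay, "s")
    print("a policer with the same burst allowance would drop", dropped, "packets")
```

At 64 kbps with Tc = 125 ms the shaper allows 1000 bytes per interval, so the burst drains over three intervals with a worst-case delay of 250 ms; that added delay is why shaping suits bursty data but not voice, which the later slides keep in a priority queue instead.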


Link-Specific Tools
Link-Fragmentation and Interleaving

(Diagram: without fragmentation, a large data frame queued ahead of a voice packet makes serialization cause excessive delay; with fragmentation and interleaving the voice packet is sent between data fragments and serialization delay is minimized.)

• Serialization delay is the finite amount of time required to put frames on a wire
• For links ≤ 768 kbps serialization delay is a major factor affecting latency and jitter
• For such slow links, large data packets need to be fragmented and interleaved with smaller, more urgent voice packets
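The numbers behind the LFI slide, and the one-way delay budget from the earlier voice slides, as an added example (not from the original deck). The fragment-size rule used here, fragment bytes = link rate × target delay, is the common sizing practice and reproduces the 320-byte fragment that the AutoQoS Frame Relay output later in the deck configures for a 256 kbps link; the per-component delay figures are the ones quoted on the voice latency slide (G.729A codec 25 ms, 3.3 µs/km propagation, 20 ms jitter buffer), and the sample call is constructed.

```python
"""Serialization delay, LFI fragment sizing and a G.114 delay-budget check.
Added example; the sample call parameters are constructed."""


def serialization_delay_ms(frame_bytes, link_bps):
    """Time to clock a frame onto the wire, in milliseconds."""
    return frame_bytes * 8 / link_bps * 1000.0


def lfi_fragment_bytes(link_bps, target_ms=10.0):
    """Largest fragment that serializes within target_ms on this link."""
    return int(link_bps * target_ms / 1000.0 / 8)


def voice_budget_ms(codec_ms=25.0, queuing_ms=0.0, serialization_ms=0.0,
                    distance_km=0.0, us_per_km=3.3, network_ms=0.0,
                    jitter_buffer_ms=20.0):
    """One-way delay as the sum of the components on the latency slide."""
    propagation_ms = distance_km * us_per_km / 1000.0
    return (codec_ms + queuing_ms + serialization_ms + propagation_ms
            + network_ms + jitter_buffer_ms)


def meets_g114(total_ms, limit_ms=150.0):
    """ITU G.114 target: one-way delay of at most 150 ms."""
    return total_ms <= limit_ms


def serialization_table(frame_bytes=1500, rates=(64000, 128000, 256000, 768000, 1544000)):
    """(rate, ms to serialize one frame, 10 ms fragment size) per link speed."""
    return [(r, round(serialization_delay_ms(frame_bytes, r), 3), lfi_fragment_bytes(r))
            for r in rates]


if __name__ == "__main__":
    for rate, delay, frag in serialization_table():
        print(f"{rate:>8} bps: 1500-byte frame takes {delay:7.3f} ms; "
              f"10 ms fragment = {frag} bytes")
    # Constructed call: 128 kbps link, 2000 km, 10 ms queuing, 30 ms network delay,
    # with a 1500-byte data frame ahead of the voice packet versus a 160-byte fragment.
    without = voice_budget_ms(serialization_ms=serialization_delay_ms(1500, 128000),
                              distance_km=2000, queuing_ms=10, network_ms=30)
    with_lfi = voice_budget_ms(serialization_ms=serialization_delay_ms(160, 128000),
                               distance_km=2000, queuing_ms=10, network_ms=30)
    print("without LFI:", round(without, 2), "ms, meets G.114:", meets_g114(without))
    print("with LFI:   ", round(with_lfi, 2), "ms, meets G.114:", meets_g114(with_lfi))
```

On the constructed 128 kbps call a full 1500-byte frame alone costs about 94 ms of serialization and pushes the budget past 150 ms, while fragmenting to 160 bytes brings the worst case back to roughly 102 ms; above 768 kbps the same frame serializes in well under 16 ms, which is why the slide stops recommending LFI there.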


Link-Specific Tools
IP RTP Header Compression

(Diagram: a voice packet carries a 20-byte IP header, an 8-byte UDP header and a 12-byte RTP header ahead of the voice payload; cRTP compresses those 40 bytes of headers to 2–5 bytes.)

• cRTP reduces L3 VoIP BW by:
  ~ 20% for G.711
  ~ 60% for G.729
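The two percentages above follow directly from the header sizes on the slide. The following is an added example, not from the original deck, that computes layer-3 VoIP bandwidth per stream with and without cRTP. It assumes the standard 20 ms packetization (50 packets per second) and the standard G.711 (160-byte) and G.729 (20-byte) payloads per packet, and takes the best-case 2-byte compressed header from the slide.

```python
"""Layer-3 VoIP bandwidth with and without cRTP. Added example; packetization
(20 ms, 50 pps) and codec payload sizes are standard figures, the compressed
header of 2 bytes is the best case quoted on the slide."""

IP_HDR, UDP_HDR, RTP_HDR = 20, 8, 12            # header bytes, as on the slide
UNCOMPRESSED_HDR = IP_HDR + UDP_HDR + RTP_HDR    # 40 bytes

# Payload bytes per 20 ms packet for the two codecs discussed
CODECS = {"G.711": 160, "G.729": 20}


def l3_bandwidth_bps(payload_bytes, header_bytes, packets_per_second=50):
    """Bits per second carried at layer 3 for one voice stream."""
    return (payload_bytes + header_bytes) * 8 * packets_per_second


def crtp_savings(codec, compressed_header_bytes=2, packets_per_second=50):
    """Return (uncompressed_bps, compressed_bps, savings_fraction) for a codec."""
    payload = CODECS[codec]
    plain = l3_bandwidth_bps(payload, UNCOMPRESSED_HDR, packets_per_second)
    crtp = l3_bandwidth_bps(payload, compressed_header_bytes, packets_per_second)
    return plain, crtp, 1 - crtp / plain


if __name__ == "__main__":
    for codec in CODECS:
        plain, crtp, saved = crtp_savings(codec)
        print(f"{codec}: {plain / 1000:.1f} kbps -> {crtp / 1000:.1f} kbps "
              f"with cRTP ({saved:.0%} saved)")
```

G.729 gains far more because its 20-byte payload is dwarfed by 40 bytes of headers; layer-2 framing is not included here, which is why the per-call figures on the voice provisioning slide (17–106 kbps) are higher than these layer-3 numbers.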


AutoQoS
AutoQoS VoIP for Cisco Catalyst Switches
CAT2970(config-if)#auto qos voip cisco-phone
!
mls qos map cos-dscp 0 8 16 26 32 46 48 56
mls qos srr-queue output cos-map queue 1 threshold 3 5
mls qos srr-queue output cos-map queue 2 threshold 3 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 2 4
mls qos srr-queue output cos-map queue 4 threshold 2 1
mls qos srr-queue output cos-map queue 4 threshold 3 0
mls qos srr-queue output dscp-map queue 1 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 3 threshold 3 32 33 34 35 36 37 38 39
mls qos srr-queue output dscp-map queue 4 threshold 1 8
mls qos srr-queue output dscp-map queue 4 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue output dscp-map queue 4 threshold 3 0 1 2 3 4 5 6 7
mls qos queue-set output 1 threshold 1 138 138 92 138
mls qos queue-set output 1 threshold 2 138 138 92 400
mls qos queue-set output 1 threshold 3 36 77 100 318
mls qos queue-set output 1 threshold 4 20 50 67 400
mls qos queue-set output 2 threshold 1 149 149 100 149
mls qos queue-set output 2 threshold 2 118 118 100 235
mls qos queue-set output 2 threshold 3 41 68 100 272
mls qos queue-set output 2 threshold 4 42 72 100 242
mls qos queue-set output 1 buffers 10 10 26 54
mls qos queue-set output 2 buffers 16 6 17 61
mls qos
!
!
interface GigabitEthernet0/1
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
queue-set 2
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
!
AutoQoS
AutoQoS VoIP: WAN

Command entered on the serial interface:

interface Serial2/0
 bandwidth 768
 ip address 10.1.102.2 255.255.255.0
 encapsulation ppp
 auto qos voip trust

Configuration generated by AutoQoS:

class-map match-any AutoQoS-VoIP-RTP-Trust
 match ip dscp ef
class-map match-any AutoQoS-VoIP-Control-Trust
 match ip dscp cs3
 match ip dscp af31
!
policy-map AutoQoS-Policy-Trust
 class AutoQoS-VoIP-RTP-Trust
  priority percent 70
 class AutoQoS-VoIP-Control-Trust
  bandwidth percent 5
 class class-default
  fair-queue
!
interface Multilink2001100117
 bandwidth 768
 ip address 10.1.102.2 255.255.255.0
 service-policy output AutoQoS-Policy-Trust
 ip tcp header-compression iphc-format
 no cdp enable
 ppp multilink
 ppp multilink fragment delay 10
 ppp multilink interleave
 ppp multilink group 2001100117
 ip rtp header-compression iphc-format
!
interface Serial2/0
 bandwidth 768
 no ip address
 encapsulation ppp
 auto qos voip trust
 no fair-queue
 ppp multilink
 ppp multilink group 2001100117
!


AutoQoS
AutoQoS Enterprise: WAN DiffServ Classes

AutoDiscovery collects: application and protocol types; offered bit rate (average and peak).
Cisco AutoQoS policy derives: class-map match statements; minimum bandwidth to class queues, scheduling and WRED.

Traffic Class / DSCP:
• IP Routing: CS6
• Interactive Voice: EF
• Interactive Video: AF41
• Streaming Video: CS4
• Telephony Signaling: CS3
• Transactional/Interactive: AF21
• Network Management: CS2
• Bulk Data: AF11
• Best Effort: 0
• Scavenger: CS1


AutoQoS
AutoQoS Enterprise: WAN, Part One: Discovery

interface Serial4/0 point-to-point
 encapsulation frame-relay
 bandwidth 256
 ip address 10.1.71.1 255.255.255.0
 frame-relay interface-dlci 100
 auto discovery qos

AutoDiscovery Notes
• Command should be enabled on interface of interest
• Do not change interface bandwidth when running auto discovery
• Cisco Express Forwarding must be enabled
• All previously attached QoS policies must be removed from the interface


AutoQoS Enterprise: WAN, Part One:
Discovery (Cont.)

Router# show auto discovery qos

AutoQoS Discovery enabled for applications


Discovery up time: 2 days, 55 minutes
AutoQoS Class information:
Class VoIP:
Recommended Minimum Bandwidth: 517 Kbps/50% (PeakRate)
Detected applications and data:
Application/ AverageRate PeakRate Total
Protocol (kbps/%) (kbps/%) (bytes)
rtp audio 76/7 517/50 703104
Class Interactive Video:
Recommended Minimum Bandwidth: 24 Kbps/2% (AverageRate)
Detected applications and data:
Application/ AverageRate PeakRate Total
Protocol (kbps/%) (kbps/%) (bytes)
rtp video 24/2 5337/52 704574
Class Transactional:
Recommended Minimum Bandwidth: 0 Kbps/0% (AverageRate)
Detected applications and data:
Application/ AverageRate PeakRate Total
Protocol (kbps/%) (kbps/%) (bytes)
citrix 36/3 74/7 30212
sqlnet 12/1 7/<1 1540



AutoQoS Enterprise: WAN, Part Two:
Provisioning
interface Serial4/0 point-to-point
bandwidth 256
ip address 10.1.71.1 255.255.255.0
frame-relay interface-dlci 100
auto qos

class-map match-any AutoQoS-Voice-Se4/0


match protocol rtp audio
class-map match-any AutoQoS-Inter-Video-Se4/0
match protocol rtp video
class-map match-any AutoQoS-Transactional-Se4/0
match protocol sqlnet
match protocol citrix
!
policy-map AutoQoS-Policy-Se4/0
class AutoQoS-Voice-Se4/0
priority percent 70
set dscp ef
class AutoQoS-Inter-Video-Se4/0
bandwidth remaining percent 10
set dscp af41
class AutoQoS-Transactional-Se4/0
bandwidth remaining percent 1
set dscp af21
class class-default
fair-queue
!



AutoQoS Enterprise: WAN, Part Two:
Provisioning (Cont.)
interface Serial4/0 point-to-point
bandwidth 256
ip address 10.1.71.1 255.255.255.0
frame-relay interface-dlci 100
auto qos

<policy continued>
!
policy-map AutoQoS-Policy-Se4/0-Parent
class class-default
shape average 256000
service-policy AutoQoS-Policy-Se4/0
!
interface Serial4/0 point-to-point
frame-relay interface-dlci 100
class AutoQoS-FR-Serial4/0-100
!
map-class frame-relay AutoQoS-FR-Serial4/0-100
frame-relay cir 256000
frame-relay mincir 256000
frame-relay fragment 320
service-policy output AutoQoS-Policy-Se4/0-Parent



AutoQoS Enterprise: WAN, Part Three: Monitoring

Monitoring Drops in LLQ
• Thresholds are activated in RMON alarm table to monitor drops in Voice Class
• Default drop threshold is 1 bps

RMON event and alarm configured and generated by Cisco AutoQoS:

rmon event 33333 log trap AutoQoS description "AutoQoS SNMP traps for Voice Drops" owner AutoQoS
rmon alarm 33350 cbQoSCMDDropBitRate.2881.2991 30 absolute rising-threshold 1 33333 falling-threshold 0 owner AutoQoS


Signaling Tools
Resource Reservation Protocol (RSVP)

(Diagram: a multimedia station with a handset signals "This app needs 16K BW and 100 msec delay"; each router along the path toward the multimedia server reserves 16K BW on its outgoing line.)

• RSVP QoS services
  Guaranteed service: mathematically provable bounds on end-to-end datagram queuing delay/bandwidth
  Controlled service: approximate QoS from an unloaded network for delay/bandwidth
• RSVP provides the policy to WFQ and LLQ

QoS for Security



Business Security Threat Evolution
Expanding Scope of Theft and Disruption

(Chart: scope of damage (individual computer → individual networks → multiple networks → regional networks → global impact) versus sophistication of threats, 1980s through the future.)

• First Gen (1980s): boot viruses; damage limited to an individual computer
• Second Gen (1990s): macro viruses, Trojans, email, single-server DoS, limited targeted hacking; individual networks
• Third Gen (today): multiserver DoS, DDoS, blended threats (worm + virus + Trojan), turbo worms, widespread system hacking; multiple networks
• Next Gen (future): infrastructure hacking, flash threats, massive worm-driven DDoS, negative-payload viruses, worms and Trojans; regional networks, global impact

Emerging Speed of Network Attacks
Do You Have Time to React?

• 1980s–1990s: usually had weeks or months to put defense in place
• 2000–2002: attacks progressed over hours; time to assess danger and impact, time to implement defense
• 2003–Future: attacks progress on the timeline of seconds

SQL Slammer Worm
• Doubled every 8.5 seconds
• After three minutes: 55M scans/sec
• 1 Gb link is saturated after one minute

In half the time it took to read this slide, your network and all of your applications would have become unreachable. SQL Slammer was a warning; newer "flash" worms are exponentially faster.


Impact of an Internet Worm
Anatomy of a Worm: Why It Hurts

1—The Enabling
Vulnerability

2—Propagation
Mechanism

3—Payload



Impact of an Internet Worm: Part One
Direct and Collateral Damage

(Diagram: campus, branch and teleworker sites connected over the Internet, L3VPN, L2VPN, BBDSL and MetroE. During an outbreak: end systems overloaded, control plane overloaded, data plane overloaded, primary data center overloaded, secondary data center overloaded.)


QoS Tools and Tactics for Security
QoS for Self-Defending Networks

• Control plane policing


• Data plane policing (Scavenger-Class QoS)
• NBAR for known-worm policing



Control Plane Policing
Overview

(Diagram: the control plane receives management traffic (SNMP, Telnet), ICMP, IPv6 and routing updates, and sends management traffic (SSH, SSL, ...). Input to the control plane passes through Control Plane Policing (alleviating DoS attack); output from the control plane is subject to silent mode (reconnaissance prevention). Processor-switched packets are handled apart from the CEF input forwarding path: packet buffer, uRPF, ACL, NAT, CEF/FIB lookup, output packet buffer.)

Data Plane Policing (Scavenger-Class QoS)
Part One: First Order Anomaly Detection

• All end systems generate traffic spikes, but worms create sustained spikes
• Normal/abnormal threshold set at approx 95% confidence
• No dropping at campus access-edge; only remarking

(Chart: per-host traffic rate over time against the normal/abnormal threshold; traffic above the threshold is policed and remarked if necessary.)


Data Plane Policing (Scavenger-Class QoS)
Part Two: Second Order Anomaly Reaction

• Queuing only engages if links become congested
  When congestion occurs, drops will also occur
• Scavenger-class QoS allows for increased intelligence in the dropping decision
  "Abnormal" traffic flows will be dropped aggressively
  "Normal" traffic flows will continue to receive network service

[Figure: traffic policed and remarked at the campus access edge flows toward the WAN. WAN/VPN links will likely congest first; campus uplinks may also congest. Queuing engages when links become congested, and traffic previously marked as Scavenger is dropped aggressively.]
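Parts One and Two at the access edge, as an added example for a Catalyst 3560/3750-class switch (this is not the deck's configuration). The VLAN subnets, the rates and the list of DSCPs that the policer marks down are assumptions; the point is that the policer rewrites exceeding traffic to Scavenger (CS1, DSCP 8) and lets it through, leaving the drop decision to the queuing policy of whichever link congests later.

```cisco
! Added example, not from the deck: Catalyst 3560/3750 access-edge policing that
! re-marks abnormal traffic to CS1 instead of dropping it. Subnets, rates and the
! DSCP list are illustrative assumptions.
mls qos
! Exceeding traffic carrying one of these DSCPs is rewritten to CS1 (8) by the policer.
mls qos map policed-dscp 0 24 to 8
!
! Assumed addressing: voice VLAN 110 = 10.1.110.0/24, data VLAN 10 = 10.1.10.0/24.
ip access-list extended VVLAN-VOICE
 permit udp 10.1.110.0 0.0.0.255 any range 16384 32767
ip access-list extended VVLAN-SIGNALING
 permit tcp 10.1.110.0 0.0.0.255 any range 2000 2002
ip access-list extended DVLAN-ANY
 permit ip 10.1.10.0 0.0.0.255 any
!
class-map match-all VVLAN-VOICE
 match access-group name VVLAN-VOICE
class-map match-all VVLAN-SIGNALING
 match access-group name VVLAN-SIGNALING
class-map match-all DVLAN-ANY
 match access-group name DVLAN-ANY
!
policy-map IPPHONE-PC
! Voice: a single call needs well under 128 kbps, so anything beyond that is not
! voice and is dropped rather than marked down.
 class VVLAN-VOICE
  set dscp 46
  police 128000 8000 exceed-action drop
! Signaling: mark CS3; bursts beyond 32 kbps are re-marked to CS1, not dropped.
 class VVLAN-SIGNALING
  set dscp 24
  police 32000 8000 exceed-action policed-dscp-transmit
! PC data: mark Best Effort. 5 Mbps is the assumed normal/abnormal threshold; a
! worm's sustained spike above it is re-marked to CS1 and only dropped if a
! downstream link congests (Part Two).
 class DVLAN-ANY
  set dscp 0
  police 5000000 8000 exceed-action policed-dscp-transmit
!
interface FastEthernet0/1
 description IP phone + PC (assumed)
 switchport access vlan 10
 switchport voice vlan 110
 mls qos trust device cisco-phone
 service-policy input IPPHONE-PC
```

Verify with show mls qos interface FastEthernet0/1 statistics: a host whose out-of-profile counter climbs steadily rather than in bursts is exactly the sustained spike the slide describes, and because nothing was dropped the evidence is still visible in the network rather than hidden by an access-edge discard.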
NBAR Known-Worm Policing
NBAR vs. Code Red Example

[Figure: where NBAR looks inside the frame: IP packet (ToS/DSCP, source IP, destination IP), TCP segment (source port, destination port), and the data payload carrying the HTTP request "GET /*.ida*" followed by data. A branch router in front of the branch switch applies the policy.]

• First released in July 2001
• Exploited a vulnerability in Microsoft IIS and infected 360,000 hosts in 14 hours
• Several strains (CodeRed, CodeRedv2, CodeRed II, CodeRedv3, CodeRed.C)
• Newer strains replaced the home page of Web servers and caused DoS flooding attacks
• Attempts to access a file with an ".ida" extension

The class map that recognizes the request (IOS requires straight ASCII quotes around the URL patterns):

    class-map match-any CODE-RED
     match protocol http url "*.ida*"
     match protocol http url "*cmd.exe*"
     match protocol http url "*root.exe*"
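The slide stops at the class map; the policing half, as an added example that is not from the deck, is below. The interface name and the extra HTTP port 8080 are assumptions.

```cisco
! Added example, not from the deck: dropping the slide's CODE-RED class at the
! branch router's LAN edge. Interface and port 8080 are assumptions.
ip cef
!
! NBAR only inspects HTTP on ports it knows as HTTP (80 by default); register any
! non-standard web ports in use before relying on a URL match.
ip nbar port-map http tcp 80 8080
!
class-map match-any CODE-RED
 match protocol http url "*.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
!
! Police at the minimum rate and drop both conforming and exceeding packets: this
! discards the whole class while the policer's counters in
! "show policy-map interface" record how many worm requests were seen.
! (Later IOS releases also accept a plain "drop" action under the class.)
policy-map WORM-POLICE
 class CODE-RED
  police 8000 1000 conform-action drop exceed-action drop
!
interface FastEthernet0/0
 description Branch LAN edge (assumed)
 service-policy input WORM-POLICE
```

This is signature policing: it matches the URL of cleartext HTTP requests on NBAR's HTTP ports and nothing else, so a variant that changes the request string or propagates over another protocol passes untouched. That limitation is why the deck pairs it with the anomaly-based Scavenger-class approach of the previous slides.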


Impact of an Internet Worm: Part Two
Integrating Security and QoS

Prevent the attack
• Intrusion detection
• Cisco Guard
• Firewall
• ACLs and NBAR

Protect the end systems
• Cisco Security Agent

Protect the control plane
• Control plane policing

Protect the data plane
• Data plane policing (Scavenger-Class QoS)

[Figure: the same topology as Part One (campus, branch and teleworker across L3VPN, L2VPN, Internet, BBDSL and MetroE; end systems, control plane, data plane, primary and secondary data centers), with the four protection points placed on it]


QoS Best-Practice
Design Principles



Classification and Marking Design
Where and How Should Marking Be Done?

• QoS policies (in general) should always be performed in hardware, rather than software, whenever a choice exists
• Classify and mark applications as close to their sources as technically and administratively feasible
• Use DSCP markings whenever possible
• Follow standards-based DSCP PHBs to ensure interoperation and future expansion
  RFC 2474 Class Selector Code Points
  RFC 2597 Assured Forwarding Classes
  RFC 3246 Expedited Forwarding
Classification and Marking Design
QoS Baseline Marking Recommendations

                          L3 Classification        L2
Application               IPP   PHB     DSCP      CoS
Routing                    6    CS6      48        6
Voice                      5    EF       46        5
Video Conferencing         4    AF41     34        4
Streaming Video            4    CS4      32        4
Mission-Critical Data      3    AF31*    26        3
Call Signaling             3    CS3*     24        3
Transactional Data         2    AF21     18        2
Network Management         2    CS2      16        2
Bulk Data                  1    AF11     10        1
Best Effort                0    0         0        0
Scavenger                  1    CS1       8        1

* Call Signaling was originally marked AF31 in the QoS Baseline and has moved to CS3; AF31 is now the Mission-Critical Data marking.
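The table turned into a marking policy for a branch router's LAN edge, as an added example that is not from the deck. NBAR and an ACL classify traffic arriving from the branch LAN and each class receives the DSCP from the table; the class names, the assumed ERP subnet 10.1.50.0/24 and the choice of applications per class are illustrative.

```cisco
! Added example, not from the deck: LAN-edge marking that implements the QoS
! Baseline table. Class names, the ERP subnet and the application list are
! assumptions; Routing (CS6) is marked by IOS itself and needs no class here.
ip cef
!
ip access-list extended MISSION-CRITICAL
 remark Assumed ERP server farm 10.1.50.0/24 (Oracle listener)
 permit tcp any 10.1.50.0 0.0.0.255 eq 1521
!
class-map match-any VOICE
 match protocol rtp audio
class-map match-any INTERACTIVE-VIDEO
 match protocol rtp video
class-map match-any CALL-SIGNALING
 match protocol skinny
 match protocol sip
 match protocol h323
class-map match-any MISSION-CRITICAL-DATA
 match access-group name MISSION-CRITICAL
class-map match-any TRANSACTIONAL-DATA
 match protocol citrix
 match protocol sqlnet
class-map match-any NETWORK-MANAGEMENT
 match protocol snmp
 match protocol syslog
class-map match-any BULK-DATA
 match protocol ftp
 match protocol smtp
class-map match-any SCAVENGER
 match protocol kazaa2
 match protocol gnutella
 match protocol napster
!
! One "set dscp" per row of the table. IPP is the top three bits of the DSCP and
! CoS follows IPP when the switch derives CoS from DSCP, so marking DSCP here
! yields the table's L2 and IPP values downstream for free.
policy-map BRANCH-LAN-EDGE-IN
 class VOICE
  set dscp ef
 class INTERACTIVE-VIDEO
  set dscp af41
 class CALL-SIGNALING
  set dscp cs3
 class MISSION-CRITICAL-DATA
  set dscp af31
 class TRANSACTIONAL-DATA
  set dscp af21
 class NETWORK-MANAGEMENT
  set dscp cs2
 class BULK-DATA
  set dscp af11
 class SCAVENGER
  set dscp cs1
 class class-default
  set dscp default
!
interface FastEthernet0/1
 description Branch LAN (assumed)
 service-policy input BRANCH-LAN-EDGE-IN
```

The class-default line is the security-relevant one: anything the router cannot classify is rewritten to Best Effort, so a PC that marks its own packets EF or CS6 gains nothing, which is the "do not trust the end station" half of marking close to the source.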
Queuing Design Principles
Where and How Should Queuing Be Done?

• The only way to provide service guarantees is to enable queuing at any node that has the potential for congestion, regardless of how rarely this in fact occurs
• At least 25 percent of a link's bandwidth should be reserved for the default Best Effort class
• Limit the amount of strict-priority queuing to 33 percent of a link's capacity
• Whenever a Scavenger queuing class is enabled, it should be assigned a minimal amount of bandwidth
• To ensure consistent PHBs, configure consistent queuing policies in the Campus + WAN + VPN, according to platform capabilities
• Enable WRED on all TCP flows, whenever supported
  Preferably DSCP-based WRED


Campus Queuing Design
Realtime, Best Effort, and Scavenger Queuing Rules

[Figure: pie chart of the four-class campus queuing model: Real-Time ≤ 33%, Best Effort ≥ 25%, Scavenger/Bulk ≤ 5%, and Critical Data taking the remainder]


Campus and WAN/VPN Queuing Design
Compatible Four-Class and Eleven-Class Queuing Models
Following Realtime, Best Effort, and Scavenger Queuing Rules

[Figure: two pie charts. The four-class model: Real-Time ≤ 33%, Best Effort ≥ 25%, Scavenger/Bulk 5%, Critical Data the remainder. The eleven-class model it maps onto: Real-Time = Voice 18% + Interactive Video 15%; Critical Data = Streaming Video, Call-Signaling, Internetwork Control, Network Management, Transactional Data and Mission-Critical Data; Scavenger/Bulk = Bulk 4% + Scavenger 1%; Best Effort 25%]
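The eleven-class model as a WAN-edge LLQ/CBWFQ policy, added here as an example that is not the deck's own configuration. The five percentages the slide shows (Voice 18, Interactive Video 15, Bulk 4, Scavenger 1, Best Effort 25) are kept; the other six are assumptions chosen so the total is exactly 100, and the interface is an assumed T1.

```cisco
! Added example, not from the deck: eleven-class WAN-edge queuing that follows the
! rules of the preceding slides. The six percentages not on the slide are assumptions.
class-map match-all VOICE
 match ip dscp ef
class-map match-all INTERACTIVE-VIDEO
 match ip dscp af41 af42 af43
class-map match-all STREAMING-VIDEO
 match ip dscp cs4
class-map match-all CALL-SIGNALING
 match ip dscp cs3
class-map match-all INTERNETWORK-CONTROL
 match ip dscp cs6
class-map match-all MISSION-CRITICAL-DATA
 match ip dscp af31 af32 af33
class-map match-all TRANSACTIONAL-DATA
 match ip dscp af21 af22 af23
class-map match-all NETWORK-MANAGEMENT
 match ip dscp cs2
class-map match-all BULK-DATA
 match ip dscp af11 af12 af13
class-map match-all SCAVENGER
 match ip dscp cs1
!
! Real-Time: 18 + 15 = 33 percent strict priority, the ceiling from the rules.
! Under congestion a priority class is policed to its percentage, so exceeding
! voice or video is dropped rather than allowed to starve every other class.
policy-map WAN-EDGE-11-CLASS
 class VOICE
  priority percent 18
 class INTERACTIVE-VIDEO
  priority percent 15
 class INTERNETWORK-CONTROL
  bandwidth percent 5
 class CALL-SIGNALING
  bandwidth percent 5
 class STREAMING-VIDEO
  bandwidth percent 10
 class MISSION-CRITICAL-DATA
  bandwidth percent 8
  random-detect dscp-based
 class TRANSACTIONAL-DATA
  bandwidth percent 6
  random-detect dscp-based
 class NETWORK-MANAGEMENT
  bandwidth percent 3
 class BULK-DATA
  bandwidth percent 4
  random-detect dscp-based
! Scavenger gets 1 percent: still forwarded when the link is idle, first to be
! squeezed when it is not. This is where Part Two's aggressive drop happens.
 class SCAVENGER
  bandwidth percent 1
! Best Effort keeps at least 25 percent so unclassified users are never starved.
 class class-default
  bandwidth percent 25
  random-detect
!
interface Serial0/0
 description WAN edge, assumed T1
 bandwidth 1544
 max-reserved-bandwidth 100
 service-policy output WAN-EDGE-11-CLASS
```

The max-reserved-bandwidth line is needed on older IOS releases, which otherwise refuse to reserve more than 75 percent of the link; releases with the HQF scheduler no longer use it and can be left without it. Check the result with show policy-map interface Serial0/0: the Scavenger class should be the first to show tail drops when the link saturates, and the priority classes should show no drops unless their own percentage is exceeded.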
Policing Design Principles
Where and How Should Policing Be Done?

• Police traffic flows as close to their sources as possible
• Perform markdown according to standards-based rules, whenever supported
  RFC 2597 specifies how Assured Forwarding traffic classes should be marked down (AF11 -> AF12 -> AF13), which should be done whenever DSCP-based WRED is supported on egress queues
  Cisco Catalyst platforms currently do not support DSCP-based WRED, so Scavenger-class remarking is a viable alternative
  Additionally, non-AF classes do not have a standards-based markdown scheme, so Scavenger-class remarking is a viable option
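The RFC 2597 markdown path on a router, as an added example that is not from the deck: a two-rate three-color policer at the LAN edge marks Bulk Data AF11 -> AF12 -> AF13 as it exceeds CIR and then PIR, and DSCP-based WRED on the WAN egress queue drops AF13 earliest. The rates, thresholds and interface names are assumptions.

```cisco
! Added example, not from the deck: standards-based AF markdown plus DSCP-based
! WRED. Rates, WRED thresholds and interface names are assumptions.
class-map match-all BULK-DATA
 match ip dscp af11 af12 af13
!
! Ingress: conform = keep AF11, exceed CIR = AF12, exceed PIR = AF13.
! Nothing is dropped here; drop precedence is raised for the egress queue to act on.
policy-map MARKDOWN-IN
 class BULK-DATA
  police cir 512000 pir 1024000
   conform-action transmit
   exceed-action set-dscp-transmit af12
   violate-action set-dscp-transmit af13
!
! Egress: lower WRED minimum threshold = dropped earlier when the queue builds.
! Arguments after the DSCP value: min-threshold max-threshold mark-prob-denominator.
policy-map WAN-OUT
 class BULK-DATA
  bandwidth percent 4
  random-detect dscp-based
  random-detect dscp 10 32 40 10
  random-detect dscp 12 24 40 10
  random-detect dscp 14 16 40 10
 class class-default
  bandwidth percent 25
  random-detect dscp-based
!
interface FastEthernet0/1
 description LAN side (assumed)
 service-policy input MARKDOWN-IN
!
interface Serial0/0
 description WAN side (assumed)
 bandwidth 1544
 service-policy output WAN-OUT
```

This is the router-side counterpart of the Catalyst approach: where the egress queue understands AF drop precedence, the policer raises precedence instead of re-marking to CS1, and a TCP flow that exceeds its contract is thinned by WRED rather than relegated to the Scavenger queue.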


Enterprise LAN, WAN, Branch,
and VPN QoS
Design Overview



Campus QoS Considerations
Where Is QoS Required Within the Campus?

[Figure: campus topology from the server farms and the WAN aggregator through Cisco Catalyst 6500 Sup720 core/distribution switches down to access switches serving IP phones + PCs. Policy by layer: access edge (FastEthernet to phones and PCs): No Trust + Policing + Queuing, or Conditional Trust + Policing + Queuing; uplinks and core (GigabitEthernet, TenGigabitEthernet): Trust DSCP + Queuing; distribution layer on the Catalyst 6500 Sup720: Per-User Microflow Policing]


WAN Edge QoS Design Considerations
QoS Requirements of WAN Aggregators

[Figure: campus distribution/core switches connect to the WAN aggregator's LAN edges; its WAN edges face the WAN. Queuing/Dropping/Shaping/Link-Efficiency policies for campus-to-branch traffic are applied on the WAN edges]


Branch Router QoS Design
QoS Requirements for Branch Routers

[Figure: the branch router sits between the WAN and the branch switch. WAN edge: Queuing/Dropping/Shaping/Link-Efficiency policies for branch-to-campus traffic. LAN edge: Classification and Marking (+ NBAR) policies for branch-to-campus traffic; optional DSCP-to-CoS mapping policies for campus-to-branch traffic]


MPLS VPN QoS Design
QoS Requirements in MPLS VPN Architectures

[Figure: CE router, PE router, P routers, PE router, CE router across the MPLS VPN. CE-to-PE: Queuing/Shaping/Remarking/LFI (required). PE ingress: Policing and Remarking. Core (P routers): optional DiffServ or MPLS TE policies. PE-to-CE: Queuing/Shaping/LFI (required)]


IPSec VPN QoS Design
QoS Requirements in IPSec VPN Architectures

[Figure: IPSec VPN tunnel between the VPN headend / Internet edge router and the branch router]

Requirements at the tunnel endpoints:
• Queuing/Dropping/Shaping/Link-Efficiency Policies
• LLQ for Crypto
• QoS Pre-Classification
• ISAKMP Protection
• Anti-Replay Tuning
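The IPsec-specific items from the list on a VPN headend or branch router, as an added example that is not from the deck. Interface names, the tunnel peer, the replay window size and the percentages are assumptions, and the IPsec profile VPN-PROFILE is assumed to be defined elsewhere.

```cisco
! Added example, not from the deck: the IPsec-specific QoS items of the slide.
! Interfaces, peer, window size and percentages are assumptions; the IPsec
! profile VPN-PROFILE is assumed to exist.
!
! QoS pre-classification: keep a copy of the inner (cleartext) header so the
! output policy on the physical interface can classify packets that are about to
! be encrypted, instead of seeing only the ESP envelope.
interface Tunnel0
 description GRE over IPsec to branch (assumed)
 ip address 10.255.0.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 198.51.100.2
 tunnel protection ipsec profile VPN-PROFILE
 qos pre-classify
!
! Anti-replay tuning: LLQ re-orders packets relative to the order in which they
! were encrypted and sequenced, so a wider window keeps the receiver from
! discarding legitimate low-priority packets that were delayed behind voice.
crypto ipsec security-association replay window-size 1024
!
! ISAKMP protection: give IKE (UDP 500) its own guaranteed queue so rekeys and
! keepalives are not lost behind bulk data when the link congests.
ip access-list extended ISAKMP
 permit udp any eq isakmp any eq isakmp
class-map match-all ISAKMP
 match access-group name ISAKMP
class-map match-all VOICE
 match ip dscp ef
!
policy-map VPN-EDGE-OUT
 class VOICE
  priority percent 33
 class ISAKMP
  bandwidth percent 2
 class class-default
  bandwidth percent 25
  random-detect
!
interface FastEthernet0/0
 description Internet-facing (assumed)
 service-policy output VPN-EDGE-OUT
```

The priority class on the physical interface is also what the "LLQ for Crypto" item relies on: on IOS releases that support low latency queuing for the IPsec encryption engine, packets the output policy places in the priority class are encrypted ahead of the rest, so voice does not wait in the crypto queue behind a bulk transfer it has already overtaken in the interface queue.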


