Wan and Branch Qos Design

7/27/2019 Wan and Branch Qos Design

http://slidepdf.com/reader/full/wan-and-branch-qos-design 1/126

1© 2005 Cisco Systems, Inc. All rights reserved.

RST-2502

11138_05_2005_c1

WAN AND BRANCH QoS DESIGN

SESSION RST-2502




RST-2502

11138_05_2005_c1

How Is QoS Optimally Deployed?

1) Strategically define the business objectives to be

achieved via QoS2) Analyze the service-level requirements of the

various traffic classes to be provisioned for

3) Design and test the QoS policies prior toproduction-network rollout

4) Roll-out the tested QoS designs to the production-

network in phases, during scheduled downtime5) Monitor service levels to ensure that the QoS

objectives are being met




RST-2502

11138_05_2005_c1

General QoS Design Principles

Start with the Objectives: Not the Tools

• Clearly define the organizational objectives

Protect voice? video? data? DoS/worm mitigation?

• Assign as few applications as possible to betreated as “mission-critical”

• Seek executive endorsement of the QoS objectivesprior to design and deployment

• Determine how many classes of traffic are required

to meet the organizational objectivesMore classes = more granular service-guarantees




RST-2502

11138_05_2005_c1

How Many Classes of Service Do I Need?

Expanding the Number of Classes of Service over Time

4/5 Class Model

Scavenger

Critical Data

Call Signaling

Best Effort

Realtime

8 Class Model

Critical Data

Video

Call Signaling

Best Effort

Voice

Bulk Data

Network Control

Scavenger

QoS Baseline Model

Network Management

Call Signaling

Streaming Video

Transactional Data

Interactive-Video

Voice

Best Effort

IP Routing

Mission-Critical Data

Scavenger

Bulk Data

Time




RST-2502

11138_05_2005_c1

Classification and Marking Design Principles

Where and How Should Marking Be Done?

• QoS policies (in general) should always be

performed in hardware, rather than software,whenever a choice exists

• Classify and mark applications as close to their sources as technically and administratively feasible

• Use DSCP markings whenever possible

• Follow standards-based DSCP PHBs to ensureinteroperation and future expansion

RFC 2474 Class Selector code points

RFC 2597 Assured Forwarding classes

RFC 3246 Expedited Forwarding PHB




RST-2502

11138_05_2005_c1

Classification and Marking

QoS Baseline Marking Recommendations

ApplicationL3 Classification

DSCPPHBIPP CoS

Transactional Data 18AF212 2

Call Signaling 24CS3*3 3

Streaming Video 32CS44 4

Video Conferencing 34AF414 4

Voice 46EF5 5

Network Management 16CS22 2

L2

Bulk Data 10AF111 1

Scavenger 8CS11 1

Best Effort 000 0

Routing 48CS66 6

Mission-Critical Data 26AF31*3 3




RST-2502

11138_05_2005_c1

Policing Design Principles

Where and How Should Policing Be Done?

• Police traffic flows as close to their sources

as possible• Perform markdown according to standards-based

rules, whenever supported

RFC 2597 specifies how assured forwarding traffic classesshould be marked down (AF11Î AF12Î AF13) whichshould be done whenever DSCP-based WRED is supportedon egress queues

Cisco Catalyst ® platforms currently do not support DSCP-based WRED, so Scavenger-class remarking is a viablealternative

Additionally, non-AF classes do not have a standards-based markdown scheme, so Scavenger-class remarking

is a viable option




RST-2502

11138_05_2005_c1

DoS/Worm Mitigation Design Principles

How Can QoS Tools Contain Attacks?

• Profile applications to determine what constitutes “normal”vs. “abnormal” flows (within a 95% confidence interval)

• Deploy campus access-edge policers to remark abnormaltraffic to Scavenger

DSCP CS1 (8)

• Deploy a second-line of defense at the Distribution-Layer viaper-user microflow policing

Cisco Catalyst 4500 or Catalyst 6500 (PFC3)

• Provision end-to-end “less-than-Best-Effort” Scavenger-classqueuing policies

Campus + WAN + VPN

• Police-to-drop known worms/variants via NBAR on

branch routers




RST-2502

11138_05_2005_c1

Queuing Design Principles

Where and How Should Queuing Be Done?

• The only way to provide service GUARANTEES is to enablequeuing at any node that has the potential for congestion

Regardless of how rarely—in fact—this may occur

• At least 25 percent of a link’s bandwidth should be reservedfor the default Best Effort class

• Limit the amount of strict-priority queuing to 33 percent of alink’s capacity

• Whenever a Scavenger queuing class is enabled, it should beassigned a minimal amount of bandwidth

• To ensure consistent PHBs, configure consistent queuingpolicies in the Campus + WAN + VPN, according to platformcapabilities

• Enable WRED on all TCP flows, whenever supported

Preferably DSCP-based WRED




RST-2502

11138_05_2005_c1

Campus and WAN/VPN Queuing DesignCompatible Four-Class and Eleven-Class Queuing Models

Following Realtime, Best Effort and Scavenger Queuing Rules

Voice 18%

Scavenger

1%

Best Effort25%

Bulk4%

Streaming-Video10%

Mission-Critical Data7%

Internetwork-Control5%

Interactive Video15%

Call-Signaling5%

Network Management5%

Transactional Data5%

Real-Time≤ 33%

Critical Data37%

Best Effort≥ 25%

Scavenger/Bulk5%




WAN QoS DESIGN

RST-2502

11138_05_2005_c1




RST-2502

11138_05_2005_c1

WAN Edge QoS Design Considerations

QoS Requirements of WAN Aggregators

WAN Aggregator

(WAG)

WAN Edges

Campus

Distribution/Core

Switches

LAN Edges

WAN

Queuing/Dropping/

Shaping/Link-Efficiency Policies

for Campus-to-Branch Traffic




RST-2502

11138_05_2005_c1


Factors to Consider in WAN Edge QoS Design

• Per-hop serialization delay

• IP cRTP header compression performance-impact

• Tx-Ring tuning

• PAK_Priority

• Distributed-platform considerations

• Link speed considerations




RST-2502

11138_05_2005_c1

Scheduling Tools

LLQ/CBWFQ Algorithm

CBWFQ Fragment

Interleave

WFQ

Link Fragmentation

and Interleave

Low Latency Queueing

PacketsOut

PacketsIn

Police

VoIP

IP/VC PQ

Layer 3 Queueing Subsystem Layer 2 Queueing Subsystem

Signaling

Critical

Bulk

Mgmt

Default

TXRing




RST-2502

11138_05_2005_c1


Link-Speed Considerations

• Slow speed links (≤ 768 kbps)

Voice or video (not both)—3 to 5 Class model

LFI mechanism required

cRTP recommended

• Medium speed links (≤ T1/E1)

Voice or video (not both)—5 Class model

cRTP optional

• High speed links (> T1/E1)

Voice and/or video—5 to 11 Class (QoS baseline) model

Multiple links require bundling or load-balancing

Very high-speed links (DS3/OC3) require newer CPUs




RST-2502

11138_05_2005_c1

WAN Edge Bandwidth Allocation Models

Three-Class (VoIP and Data Only) WAN Edge Model

Voice33%

Call-Signaling5%

Best Effort62%




RST-2502

11138_05_2005_c1


Three-Class WAN Edge Model Configuration Example

!class-map match-all VOICE match ip dscp ef ! IP Phones mark Voice to EFclass-map match-any CALL-SIGNALING match ip dscp cs3 ! Call-Signaling marking

!! policy-map WAN-EDGEclass VOICE priority percent 33 ! Recommended to keep LLQ ≤ 33%compress header ip rtp ! Optional: Enables Class-Based cRTPclass CALL-SIGNALING bandwidth percent 5 ! Minimal BW guarantee for Call-Signalingclass class-defaultfair-queue ! All other data gets fair-queuing

!




RST-2502

11138_05_2005_c1


Five-Class WAN Edge Model

Voice33%

Call-Signaling5%

Critical Data36%

Best Effort25%

Scavenger 1%




RST-2502

11138_05_2005_c1


Five-Class WAN Edge Model Configuration Example

!class-map match-all VOICE match ip dscp ef ! IP Phones mark Voice to EFclass-map match-any CALL-SIGNALING

match ip dscp cs3 ! Call-Signaling markingclass-map match-any CRITICAL-DATA match ip dscp cs6 ! Routers mark Routing traffic to CS6 match ip dscp af21 af22 ! Recommended markings for Transactional-Data match ip dscp cs2 ! Recommended marking for Network Managementclass-map match-all SCAVENGER match ip dscp cs1 ! Scavenger marking

!! policy-map WAN-EDGEclass VOICE priority percent 33 ! Voice gets 33% of LLQclass CALL-SIGNALING bandwidth percent 5 ! BW guarantee for Call-Signalingclass CRITICAL-DATA

bandwidth percent 36 ! Critical Data class gets min 36% BW random-detect dscp-based ! Enables DSCP-WRED for Critical-Data classclass SCAVENGER bandwidth percent 1 ! Scavenger class is throttled class class-default bandwidth percent 25 ! Default class gets a 25% BW guaranteerandom-detect ! Enables WRED for class-default

!




RST-2502

11138_05_2005_c1

Voice

18%

Best Effort25%

Bulk Data4%

Critical Data27%

Call Signaling5%

Interactive-Video15%

Network Control5%


Eight-Class WAN Edge Model

Scavenger 1%

* Dual-T1 Link Example




RST-2502

11138_05_2005_c1


Eight-Class Model Configuration Example: Part 1

!class-map match-all VOICE match ip dscp ef ! IP Phones mark Voice to EFclass-map match-all INTERACTIVE-VIDEO

match ip dscp af41 af42 ! Recommended markings for IP/VCclass-map match-any CALL-SIGNALING match ip dscp cs3 ! Call-Signaling markingclass-map match-any NETWORK-CONTROL match ip dscp cs6 ! Routers mark Routing traffic to CS6 match ip dscp cs2 ! Recommended marking for Network Managementclass-map match-all CRITICAL-DATA match ip dscp af21 af22 ! Recommended markings for Transactional-Dataclass-map match-all BULK-DATA match ip dscp af11 af12 ! Recommended markings for Bulk-Dataclass-map match-all SCAVENGER match ip dscp cs1 ! Scavenger marking

!





RST-2502

11138_05_2005_c1


Eight-Class Model Configuration Example: Part 2

! policy-map WAN-EDGEclass VOICE priority percent 18 ! Voice gets 552 kbps of LLQ

class INTERACTIVE-VIDEO priority percent 15 ! 384 kbps IP/VC needs 460 kbps of LLQclass CALL-SIGNALING bandwidth percent 5 ! BW guarantee for Call-Signalingclass NETWORK-CONTROL bandwidth percent 5 ! Routing and Network Management get min 5% BW class CRITICAL-DATA bandwidth percent 27 ! Critical Data gets min 27% BW random-detect dscp-based ! Enables DSCP-WRED for Critical-Data classclass BULK-DATA bandwidth percent 4 ! Bulk Data gets min 4% BW guaranteerandom-detect dscp-based ! Enables DSCP-WRED for Bulk-Data classclass SCAVENGER bandwidth percent 1 ! Scavenger class is throttled class class-default

bandwidth percent 25 ! Default class gets a 25% BW guaranteerandom-detect ! Enables WRED on class-default

!!i nt er f ace <interface> max-reserved-bandwidth 100 ! Overrides the default 75% BW limitservice-policy output WAN-EDGE ! Attaches the MQC policy to the interface

!





RST-2502

11138_05_2005_c1


QoS Baseline (11-Class) WAN Edge Model

Voice18%

Best Effort

25%

Bulk4%

Streaming-Video10%


Call Signaling 5%


Routing 3%

Network Mgmt2%

Transactional Data 7%

Scavenger 1%





RST-2502

11138_05_2005_c1

!class-map match-all VOICE match ip dscp ef ! IP Phones mark Voice to EFclass-map match-all INTERACTIVE-VIDEO

match ip dscp af41 af42 ! Recommended markings for IP/VCclass-map match-any CALL-SIGNALING match ip dscp cs3 ! Future Call-Signaling markingclass-map match-all ROUTING match ip dscp cs6 ! Routers mark Routing traffic to CS6class-map match-all NET-MGMT match ip dscp cs2 ! Recommended marking for Network Managementclass-map match-all MISSION-CRITICAL-DATA match ip dscp af31 af32 ! Recommended marking for Mission-Critical Datclass-map match-all TRANSACTIONAL-DATA match ip dscp af21 af22 ! Recommended markings for Transactional-Dataclass-map match-all BULK-DATA match ip dscp af11 af12 ! Recommended markings for Bulk-Dataclass-map match-all STREAMING-VIDEO match ip dscp cs4 ! Recommended marking for Streaming-Video

class-map match-all SCAVENGER match ip dscp cs1 ! Recommended marking for Scavenger traffic

!


QoS Baseline Model Configuration Example: Part 1





RST-2502

11138_05_2005_c1

! policy-map WAN-EDGEclass VOICE priority percent 18 ! Voice gets 552 kbps of LLQ

class INTERACTIVE-VIDEO priority percent 15 ! 384 kbps IP/VC needs 460 kbps of LLQclass CALL-SIGNALING bandwidth percent 5 ! BW guarantee for Call-Signalingclass ROUTING bandwidth percent 3 ! Routing class gets explicit BW guaranteeclass NET-MGMT bandwidth percent 2 ! Net-Mgmt class gets explicit BW guaranteeclass MISSION-CRITICAL-DATA bandwidth percent 10 ! Mission-Critical class gets 10% BW guaranteerandom-detect dscp-based ! Enables DSCP-WRED for Mission-Critical Data classclass TRANSACTIONAL-DATA bandwidth percent 7 ! Transactional-Data class gets 7% BW guaranteerandom-detect dscp-based ! Enables DSCP-WRED for Transactional-Data classclass BULK-DATA

bandwidth percent 4 ! Bulk Data remains at 4% BW guaranteerandom-detect dscp-based ! Enables DSCP-WRED for Bulk-Data classclass STREAMING-VIDEO bandwidth percent 10 ! Streaming-Video class gets 10% BW guaranteeclass SCAVENGER bandwidth percent 1 ! Scavenger class is throttled class class-default bandwidth percent 25 ! Default class gets 25% min BW guarantee

random-detect ! Enables WRED on class-default!


QoS Baseline Model Configuration Example: Part 2





RST-2502

11138_05_2005_c1


Distributed-Platform QoS Baseline Model Configuration Example

policy-map WAN-EDGEclass VOICE priority percent 18 ! Voice gets 552 kbps of LLQclass INTERACTIVE-VIDEO

priority percent 15 ! 384 kbps IP/VC needs 460 kbps of LLQclass CALL-SIGNALING bandwidth percent 5 ! Bandwidth guarantee for Call-Signalingclass ROUTING bandwidth percent 3 ! Bandwidth guarantee for Routingclass NET-MGMT bandwidth percent 2 ! Bandwidth guarantee for Network Managementclass MISSION-CRITICAL-DATA bandwidth percent 10 ! Mission-Critical data gets min 10% BW guaranteefair-queue ! Applies FQ to Mission-Critical Data classrandom-detect ! Enables WRED on Mission-Critical Data classclass TRANSACTIONAL-DATA bandwidth percent 7 ! Transactional Data gets min 7% BW guaranteefair-queue ! Applies FQ to Transactional Data classrandom-detect dscp-based ! Enables DSCP-WRED on Transactional Data classclass BULK-DATA bandwidth percent 4 ! Bulk Data gets min 4% BW guarantee

fair-queue ! Applies FQ to Bulk Data classrandom-detect dscp-based ! Enables DSCP-WRED on Bulk Data classclass STREAMING-VIDEO bandwidth percent 10 ! Streaming-Video gets min 10% BW guaranteeclass SCAVENGER bandwidth percent 1 ! Scavenger class is throttled class class-default bandwidth percent 25 ! Class-Default gets min 25% BW guarantee

fair-queue ! Applies FQ to Class-Defaultrandom-detect ! Enables WRED on Class-Default





RST-2502

11138_05_2005_c1

Leased-Line QoS Design

Leased-Line Recommendations

• Slow-speed (≤ 768 kbps)

MLP LFI

cRTP

• Medium speed (≤ T1/E1)cRTP optional

• High speed(multiple T1/E1)

Bundle links via MLP

WAG MLP Link

≤ 768 kbps

BR

WAG MLP Link

> 768 kbps ≤ T1/E1

BR

WAG

BR

MLP BundleMultiple T1/E1




RST-2502

11138_05_2005_c1


Slow-Speed Leased-Line Configuration Example

<a 3 to 5 Class Model can be used>

! policy-map WAN-EDGE

class VOICE priority percent 30compress header ip rtp ! Enables Class-Based cRTPclass CALL-SIGNALING bandwidth percent 5

!!i nt er f ace Mul t i l i nk1service-policy output WAN-EDGE ! Attaches the MQC policy to Multilink 1ppp mul t i l i nk

ppp multilink fragment delay 10 ! Limits serialization delay to 10 ms ppp multilink interleave ! Enables interleaving of Voice with Datappp mul t i l i nk gr oup 1

!!

i nt er f ace Ser i al 1/ 0 bandwidth 786 ! Bandwidth is defined on physical intno i p addr essencapsul at i on pppppp mul t i l i nk

ppp multilink group 1 ! Includes interface Ser1/0 into Mu1 group!

WAG MLP Link

≤ 768 kbps

BR




RST-2502

11138_05_2005_c1


Medium-Speed Leased-Line Configuration Example


!

policy-map WAN-EDGEclass VOICE priority percent 33compress header ip rtp ! Optional: Enables Class-Based cRTPclass CALL-SIGNALING bandwidth percent 2

!

!i nt er f ace Mul t i l i nk1service-policy output WAN-EDGE ! Attaches the MQC policy to Mu1ppp mul t i l i nkppp mul t i l i nk gr oup 1

!!

i nt er f ace Ser i al 1/ 0 bandwidth 1536 ! Bandwidth is defined on physical intno i p addr essencapsul at i on pppppp mul t i l i nk ppp multilink group 1 ! Includes interface Ser1/0 into Mu1 group!

WAG

BR

MLP Link

> 768 kbps ≤ T1/E1




RST-2502

11138_05_2005_c1


High-Speed Leased-Line Configuration Example

<a 5 to 11 Class Model may be used>

!

i nt er f ace Mul t i l i nk1 max-reserved-bandwidth 100 ! Overrides the default 75% BW limitservice-policy output WAN-EDGE ! Attaches the MQC policy to Mu1ppp mul t i l i nkppp mul t i l i nk gr oup 1

!i nt er f ace Ser i al 1/ 0 bandwidth 1536 ! Bandwidth is defined on physical int only

no i p addr essencapsul at i on pppppp mul t i l i nk

ppp multilink group 1 ! Includes interface Ser1/0 into Mu1 group!i nt er f ace Ser i al 1/ 1 bandwidth 1536 ! Bandwidth is defined on physical int only

no i p addr essencapsul at i on pppppp mul t i l i nk

ppp multilink group 1 ! Includes interface Ser1/1 into Mu1 group!

WAG MLP BundleMultiple T1/E1

BR




RST-2502

11138_05_2005_c1

Frame Relay QoS Design

Frame Relay Recommendations


FRTS or CB-FRTS or FR-VATS

Set CIR to 95% PVC speed

Set Bc to CIR/100

Set Be to 0

FRF.12

cRTP

• Medium-speed (≤ T1/E1)

FRTS or CB-FRTS

Set CIR to 95% PVC speed

Set Bc to CIR/100Set Be to 0

cRTP optional

• High-speed (Multiple T1/E1)

Use IP CEF per-packet loadbalancing

WAG

BR

Multiple T1/E1 FR LinksFrameRelayCloud

WAG

BR

FR Link > 768 kbps ≤ T1/E1

FrameRelayCloud

WAG

BR

FR Link ≤ 768 kbps

FrameRelayCloud




RST-2502

11138_05_2005_c1

Scheduling/Shaping Interoperation

LLQ/CBWFQ with Frame Relay Traffic Shaping

Call-Signalling

Critical Data

Bulk Data

Best Effort

Classifier FRTSLLQ/CBWFQDual-

FIFO Tx-Ring

VoIP




RST-2502

11138_05_2005_c1


FRTS (+ FRF.12) Recommended Parameters Table

640 Bytes4864 bits per Tc486400 bps512 kbps







Fragment SizeBcCIRPVCSpeed




RST-2502

11138_05_2005_c1


Slow-Speed Frame Relay Configuration Example

<a 3 to 5 Class Model can be used> Optional: Enabling Class-Based cRTP

! policy-map MQC-FRTS-768

class class-defaultshape average 729600 7296 0 ! CIR=95% rate, Bc=CIR/100, Be=0service-policy WAN-EDGE ! Queues packets before shaping

!!i nt er f ace Ser i al 2/ 0no i p addr essencapsul at i on f r ame- r el ay

!i nt er f ace Ser i al 2/ 0. 12 poi nt - t o- poi ntf r ame- r el ay i nt er f ace- dl ci 102

class FR-MAP-CLASS-768 ! Binds the map-class to the FR DLCI!!map- cl ass f r ame- r el ay FR- MAP- CLASS- 768service-policy output MQC-FRTS-768 ! Attaches MQC policies to FR map-classframe-relay fragment 960 ! Enables FRF.12

!

WAG

BR


FrameRelay

Cloud

F R l Q S D i




RST-2502

11138_05_2005_c1

Frame Relay QoS DesignFrame Relay Voice-Adaptive Traffic Shaping:

Slow-Speed Frame Relay Configuration Example


! policy-map FR-VATS-768class class-defaultshape average 729600 3648 0 ! CIR=95% of PVC (768 kbps)

! Bc to minCIR/100, Be=0shape adaptive 364800 ! Sets the minCIR to 95% of 384 kbpsshape fr-voice-adapt deactivation 30 ! Enables FR VATS with default timer

!i nt er f ace Ser i al 0/ 1no i p addr essencapsul at i on f r ame- r el ayser i al r est ar t _del ay 0frame-relay fragmentation voice-adaptive deactivation 30 ! Enables FR VATS FRF.12

!i nt er f ace Ser i al 0/ 1. 50 poi nt - t o- poi ntbandwi dt h 768

i p addr ess 10. 200. 50. 1 255. 255. 255. 252f r ame- r el ay i nt er f ace- dl ci 150class FRTS-768 ! Binds FR-MAP-CLASS-768 to the DLCI

!map- cl ass f r ame- r el ay FRTS- 768ser vi ce- pol i cy out put FR- VATS- 768frame-relay fragment 480 ! Sets FRF.12 fragment size for 384 kbps PVC

!

BR

768 kbps FR Link

with 384 kbps CIRWAG

FrameRelay

Cloud




RST-2502

11138_05_2005_c1

Frame Relay QoS DesignMedium-Speed Frame Relay Configuration Example


! policy-map MQC-FRTS-1536

class class-defaultshape average 1460000 14600 0 ! CIR=95% rate, Bc=CIR/100, Be=0service-policy WAN-EDGE ! Queues packets before shaping

!!i nt er f ace Ser i al 2/ 0no i p addr essencapsul at i on f r ame- r el ay

!i nt er f ace Ser i al 2/ 0. 12 poi nt - t o- poi ntf r ame- r el ay i nt er f ace- dl ci 102class FR-MAP-CLASS-1536 ! Binds the map-class to the FR DLCI

!!map- cl ass f r ame- r el ay FR- MAP- CLASS- 1536service-policy output MQC-FRTS-1536 ! Attaches MQC policies to FR map-class

!

FR Link ≤ 768 kbps ≤ T1/E1WAG

BR

FrameRelay

Cloud




RST-2502

11138_05_2005_c1


!pol i cy- map MQC- FRTS- 1536

cl ass cl ass- def aul tshape average 1460000 14600 0 ! CIR=95% rate, Bc=CIR/100, Be=0service-policy WAN-EDGE ! Queues packets before shaping

!…

!i nt er f ace Ser i al 2/ 0no i p addr essencapsul at i on f r ame- r el ayno f ai r - queuef r ame- r el ay t r af f i c- shapi ng

!

i nt er f ace Ser i al 2/ 0. 12 poi nt - t o- poi ntip load-sharing per-packet ! Enables IP CEF Per-Packet Load-Sharingf r ame- r el ay i nt er f ace- dl ci 102class FR-MAP-CLASS-1536 ! Binds the map-class to FR DLCI 102

!

Frame Relay QoS DesignHigh-Speed Frame Relay Configuration Example: Part 1

Multiple T1/E1 FR LinksWAG

BR

FrameRelay

Cloud




RST-2502

11138_05_2005_c1

!i nt er f ace Ser i al 2/ 1

no i p addr essencapsul at i on f r ame- r el ayno f ai r - queuef r ame- r el ay t r af f i c- shapi ng

!i nt er f ace Ser i al 2/ 1. 12 poi nt - t o- poi ntip load-sharing per-packet ! Enables IP CEF Per-Packet Load-Sharingf r ame- r el ay i nt er f ace- dl ci 112class FR-MAP-CLASS-1536 ! Binds the map-class to FR DLCI 112

!!map- cl ass f r ame- r el ay FR- MAP- CLASS- 1536service-policy output MQC-FRTS-1536 ! Attaches MQC policies to FR map-class

!

Frame Relay QoS DesignHigh-Speed Frame Relay Configuration Example: Part 2

Multiple T1/E1 FR LinksWAG

BR

FrameRelay

Cloud




RST-2502

11138_05_2005_c1

Frame Relay QoS DesignDistributed-Platform Frame Relay FRTS Parameters


N/A11520 bits per Tc1440000 bps1536 kbps




N/A15360 bits per Tc1920000 bps2048 kbps




Fragment SizeBcCIRPVC Speed




RST-2502

11138_05_2005_c1


!pol i cy- map MQC- FRTS- 768cl ass cl ass- def aul tshape average 720000 5760 0 ! CIR=95% rate, Bc=CIR/125, Be=0service-policy WAN-EDGE ! Queues packets before shaping

!i nt er f ace Ser i al 1/ 1/ 0no i p addr ess

encapsul at i on f r ame- r el ayno f ai r - queuef r ame- r el ay t r af f i c- shapi ng

!i nt er f ace Ser i al 1/ 1/ 0. 12 poi nt - t o- poi ntf r ame- r el ay i nt er f ace- dl ci 102class FR-MAP-CLASS-768 ! Binds the map-class to the FR DLCI

!map- cl ass f r ame- r el ay FR- MAP- CLASS- 768service-policy output MQC-dTS-768 ! Attaches MQC policies to FR map-classframe-relay fragment 960 ! Enables FRF.12!

Frame Relay WAN QoS DesignDistributed-Platform Slow-Speed Frame Relay Configuration Example

VIP WAG

BR


FrameRelay

Cloud

Q S




RST-2502

11138_05_2005_c1

ATM QoS DesignATM Recommendations


MLPoATM

MLP LFI

cRTP

Set PVC Tx-Ring to 3

• Medium-speed (≤

T1/E1)ATM IMA

• High-speed (multiple T1/E1)

ATM IMA groups

• Very-high speed (DS3-OC3)

Use NPE-G1 for complexQoS models

WAG

BR

MLPoATM Link≤ 768 kbps

ATMCloud

WAG

BR

ATMCloud

ATM T1/E1 IMA Link

WAG

BR

ATM T1/E1 IMA Link

(Multiple Active GroupMembers)

ATMCloud

ATM Q S D i




RST-2502

11138_05_2005_c1

ATM QoS DesignSlow-Speed ATM PVC Configuration Example


!i nt er f ace ATM4/ 0bandwi dth 768no i p addr essno at m i l mi - keepal i ve

!i nt er f ace ATM4/ 0. 60 poi nt - t o- poi ntpvc BRANCH#60 0/ 60

vbr-nrt 768 768 ! Defines Slow-Speed ATM PVCtx-ring-limit 3 ! Per-PVC Tx-ring is tuned to 3 particles

protocol ppp Virtual-Template60 ! PVC is bound to the Virtual-Template!i nt er f ace Vi r t ual - Templ at e60bandwi dth 768i p addr ess 10. 200. 60. 1 255. 255. 255. 252service-policy output WAN-EDGE ! Attaches MQC policy to Virtual-Templateppp mul t i l i nk

ppp multilink fragment-delay 10 ! Enables MLP Fragmentation ppp multilink interleave ! Enables MLP Interleaving!

WAG

BR

MLPoATM Link≤ 768 kbps

ATM

Cloud

ATM Q S D i




RST-2502

11138_05_2005_c1

ATM QoS DesignMedium-Speed ATM Configuration Example


!

i nt er f ace ATM3/ 0no i p addr essno at m i l mi - keepal i veima-group 0 ! ATM3/0 added to ATM IMA group 0no scr ambl i ng- payl oad

!…!

i nt er f ace ATM3/ I MA0no i p addr essl oad- i nt er val 30no at m i l mi - keepal i ve

!i nt er f ace ATM3/ I MA0. 12 poi nt - t o- poi nti p addr ess 10. 200. 60. 1 255. 255. 255. 252descr i pt i on T1 ATM- I MA t o Br anch#60pvc 0/ 100vbr-nrt 1536 1536 ! ATM PVC defined under ATM IMA sub-intservice-policy output WAN-EDGE ! Attaches MQC policy to PVC

!!

BR

ATM

Cloud

ATM T1/E1 IMA LinkWAG

ATM Q S D i




RST-2502

11138_05_2005_c1

ATM QoS DesignHigh-Speed ATM Configuration Example: Part 1


!

i nt er f ace ATM3/ 0no i p addr essno at m i l mi - keepal i veima-group 0 ! ATM3/0 added to ATM IMA group 0no scr ambl i ng- payl oad

!i nt er f ace ATM3/ 1

no i p addr essno at m i l mi - keepal i veima-group 0 ! ATM3/1 added to ATM IMA group 0no scr ambl i ng- payl oad

!…

ATM T1/E1 IMA Link(Multiple Active Group

Members)

WAG

BR

ATM

Cloud

ATM QoS Design




RST-2502

11138_05_2005_c1

ATM QoS DesignHigh-Speed ATM Configuration Example: Part 2


!

i nt er f ace ATM3/ I MA0no i p addr essl oad- i nt er val 30no at m i l mi - keepal i ve

!i nt er f ace ATM3/ I MA0. 12 poi nt - t o- poi nti p addr ess 10. 6. 12. 1 255. 255. 255. 252pvc 0/ 100

vbr-nrt 3072 3072 ! ATM PVC speed is increased to dual-T1 max-reserved-bandwidth 100 ! Overrides the default 75% BW limitservice-policy output WAN-EDGE ! Attaches MQC policy to PVC

!!

ATM T1/E1 IMA Link(Multiple Active Group

Members)

BR

ATM

Cloud

WAG

ATM QoS Design




RST-2502

11138_05_2005_c1

ATM QoS DesignVery-High-Speed ATM Configuration Example

• Keep a careful eye on CPU levels (keep thembelow 75%)

• Use high-performance platforms (like NPE-G1/VIP6-80)

ATMCloud

Site BRouter

Site ARouter

ATM DS3/OC3 Link <a 5 to 11 Class Model may be used>

!

i nt er f ace ATM3/ 0no i p addr essl oad- i nt er val 30no at m i l mi - keepal i ve

!i nt er f ace ATM3/ 0. 1 poi nt - t o- poi nti p addr ess 10. 2. 12. 1 255. 255. 255. 252pvc 0/ 12

vbr - nrt 149760 149760 max-reserved-bandwidth 100 ! Overrides the default 75% BW limitservice-policy output WAN-EDGE ! Attaches MQC policy to PVC

!!

ATM/FR Service Interworking QoS Design




RST-2502

11138_05_2005_c1

ATM/FR Service Interworking QoS DesignSIW QoS Considerations

• Slow-speed ATM/FR SIW requires MLP for LFI

MLPoATM to MLPoFR to achieve end-to-end LFI

• MLPoATM can be supported only on platforms that supportper-VC traffic shaping

These include ATM enhanced port adaptors for the Cisco 7200/7500and OC-3 network modules for the Cisco 3600/3700

• MLPoATM requires the MLP bundle to classify the outgoingpackets before they are sent to the ATM VC; it also requiresthat the per-VC queuing strategy for the ATM VC to be FIFO

• MLPoFR relies on the FRTS engine to control the flow of

packets from MLP bundle to FR VC

• cRTP is only supported over ATM links as of Cisco IOS ®

Software release 12.2(2)T

ATM/FR Service Interworking QoS Design




RST-2502

11138_05_2005_c1

ATM/FR Service Interworking QoS DesignOptimal Fragment-Delay Values for MLP LFI for MLPoATM

10 ms7320 Bytes256 kbps






ppp Multilink Fragment-Delay Value

ATM Cells(Rounded Up)

OptimalFragment Size

PVC Speed

ATM/FR SIW QoS Design




RST-2502

11138_05_2005_c1

gSlow-Speed ATM/FR SIW Configuration Example:Part 1 (ATM WAN Aggregator Configuration)


!i nt er f ace ATM4/ 0no i p addr essno at m i l mi - keepal i ve

!i nt er f ace ATM4/ 0. 60 poi nt - t o- poi ntpvc BRANCH#60 0/ 60vbr - nr t 256 256

tx-ring-limit 3 ! Per-PVC Tx-ring is tuned to 3 particles protocol ppp Virtual-Template60 ! Enables MLPoATM

!i nt er f ace Vi r t ual - Templ at e60 bandwidth 256i p addr ess 10. 200. 60. 1 255. 255. 255. 252service-policy output WAN-EDGE ! Attaches MQC policy to Virtual-Templateppp mul t i l i nk

ppp multilink fragment-delay 10 ! Enables MLP fragmentation ppp multilink interleave ! Enables MLP interleaving!

WAGAggregation

Router BranchRouter

ATMCloud

FRCloud

ATM Link≤ 768 kbps Frame-Relay Link

≤ 768 kbps

ATM/FR SIW QoS Design




RST-2502

11138_05_2005_c1

Slow-Speed ATM/FR SIW Configuration Example:Part 2 (FR Branch Router Configuration)

<a 3 to 5 Class Model can be used> Optional: Enabling Class-Based cRTP!i nt er f ace Ser i al 6/ 0no i p addr ess

encapsul at i on f r ame- r el ayframe-relay traffic-shaping

!i nt er f ace Ser i al 6/ 0. 60 poi nt - t o- poi ntbandwi dt h 256frame-relay interface-dlci 60 ppp Virtual-Template60 ! Enables MLPoFR class FRTS-256kbps ! Binds the map-class to the FR DLCI

!

i nt er f ace Vi r t ual - Templ at e60bandwi dt h 256i p addr ess 10. 200. 60. 2 255. 255. 255. 252service-policy output WAN-EDGE ! Attaches MQC policy to map-classppp mul t i l i nk ppp multilink fragment-delay 10 ! Enables MLP fragmentation ppp multilink interleave ! Enables MLP interleaving!

map-class frame-relay FRTS-256kbpsframe-relay cir 243200 ! CIR is set to 95% of FR DLCI rateframe-relay bc 2432 ! Bc is set to CIR/100frame-relay be 0 ! Be is set to 0frame-relay mincir 243200 ! MinCIR is set to CIR no frame-relay adaptive-shaping ! Adaptive shaping is disabled

!

WAGAggregation

Router BranchRouter

ATMCloud

FRCloud


≤ 768 kbps

WAGAggregation

Router BranchRouter

ATMCloud

FRCloud


≤ 768 kbps

ISDN QoS Design




RST-2502

11138_05_2005_c1

ISDN QoS DesignISDN QoS Design Considerations

• Link bandwidth varies as B channels are addedor dropped

• RTP packets may arrive out of order whentransmitted across multiple B channels

• CAC limitations with Cisco CallManager locations-based CAC

ISDN QoS Design




RST-250211138_05_2005_c1

ISDN QoS DesignISDN Configuration Example: Part 1

!class-map match-all VOICE match ip dscp ef

!

class-map match-any CALL-SIGNALING match ip dscp cs3 match ip dscp af31

!! policy-map WAN-EDGE-ISDN

class VOICE

priority percent 70 ! LLQ 33% Rule is relaxed for DDR scenarioscompress header ip rtp ! Enables Class-Based cRTPclass CALL-SIGNALING bandwidth percent 5 ! Explicit BW protection for Call-Signalingclass class-defaultfair-queue

WAGAggregation BranchRouter

ISDNCloud

ISDN Link

ISDN QoS Design




RST-250211138_05_2005_c1

ISDN QoS DesignISDN Configuration Example: Part 2

i nt er f ace BRI 0/ 0encapsul at i on pppdi al er pool - member 1

!i nt er f ace Di al er 1encapsul at i on pppdi al er pool 1di al er r emot e- name r out er B- di al er 1di al er - gr oup 1di al er st r i ng 12345678service-policy output WAN-EDGE-ISDN ! Attaches MQC policy to Dialer interfaceppp mul t i l i nk

ppp multilink fragment-delay 10 ! Enables MLP fragmentation ppp multilink interleave ! Enables MLP interleaving ppp multilink links minimum 2 ! Activates both B Channels immediately ppp multilink multiclass ! Enables MCMP!

WAGAggregation BranchRouter

ISDNCloud

ISDN Link



545454

CONTROL PLANE POLICING

© 2005 Cisco Systems, Inc. All rights reserved.

RST-250211138_05_2005_c1

Control Plane Policing




RST-250211138_05_2005_c1

CONTROL PLANE POLICING(Alleviating DoS Attack)

SILENT MODE(Reconnaissance Prevention)

Processor SwitchedPackets

OUTPUTfrom the

Control PlaneINPUT

to the ControlPlane

…..Management

SSH, SSLRoutingUpdates

IPv6ICMPManagementSNMP, Telnet

Control Plane

PACKETBUFFER

OUTPUTPACKETBUFFER

A C L

U R P F

N A T

CEF Input Forwarding Path

Control Plane PolicingOverview

CEF/FIBLOOKUP

Control Plane Policing




RST-250211138_05_2005_c1

Configuration Comments

access-list 140 deny tcp host 3.3.3.3 any eq telnet Ignore 3.3.3.3 (trusted host traffic)

access-list 140 deny tcp host 4.4.4.4 any eq telnet Ignore 4.4.4.4 (trusted host traffic)

access-list 140 permit tcp any any eq telnet Catch all other telnet traffic

class-map telnet-class Telnet class map defined

match access-group 140

policy-map control-plane-policy 80,000 bps of telnet traffic allowed

class telnet-class from untrusted sources, excess

police 80000 conform transmit exceed drop traffic will be dropped

control-plane Global CP Service definedservice-policy input control-plane-policy

gConfiguration

Note That Only Packets That Match the ACL Are Policed; Allow Trusted Hosts with SourceIP 3.3.3.3 and 4.4.4.4 to Forward Telnet Packets to the CP Without Constraint, AllRemaining Telnet Packets Will Be Policed to Specified Rate

Configuring Control Plane Services Example:Rate Limit Telnet Traffic



575757

BRANCH QoS DESIGN


RST-250211138_05_2005_c1

Branch Router QoS Design




RST-250211138_05_2005_c1

gQoS Requirements for Branch Routers

Branch Router

WAN Edge

WAN

Queuing/Dropping/Shaping/

Link-Efficiency Policies for

Branch-to-Campus Traffic

Optional: DSCP-to-CoS Mapping Policiesfor Campus-to-Branch Traffic

LAN Edge

Classification and Marking (+ NBAR)

Policies for Branch-to-Campus Traffic

Branch

Switch

Branch Router QoS Design




RST-250211138_05_2005_c1

gQoS Considerations

• AutoQoS Enterprise

• Corvil Bandwidth Estimator (within Cisco IOS)• Unidirectional applications

Streaming video protection is generally not requiredin branch-to-campus direction

• Branch switch QoS capabilities/limitations

• NBAR for worm mitigation and traffic classification

AutoQoS




RST-250211138_05_2005_c1

AutoQoS Enterprise: WAN DiffServ Classes

Minimum Bandwidthto Class Queues,

Schedulingand WRED

Offered Bit Rate(Average and

Peak)

Cisco AutoQoS

Class-Maps

Match Statements

Application andProtocol-Types

Cisco AutoQoS PolicyAutoDiscoveryTraffic Class

Transactional/Interactive AF21

Telephony Signaling CS3Streaming Video

CS4

Interactive Video AF41

Interactive Voice EF

Network Management CS2

Bulk Data AF11

Scavenger CS1

Best Effort 0

IP Routing CS6

DSCP

AutoQoS



616161© 2005 Cisco Systems, Inc. All rights reserved.RST-250211138_05_2005_c1

interface Serial4/0 point-to-point

encapsulation frame-relay

bandwidth 256ip address 10.1.71.1 255.255.255.0

frame-relay interface-dlci 100

auto discovery qos

AutoQoS Enterprise: WAN, Part 1: Discovery

• Command should be enabled on interface of interest

• Do not change interface bandwidth when running

auto discovery• Cisco Express Forwarding must be enabled

• All previously attached QoS policies must beremoved from the interface

AutoDiscovery Notes

AutoQoS




Router# show auto discovery qos

AutoQoS Discovery enabled for applications

Discovery up time: 2 days, 55 minutes

AutoQoS Class information:

Class VoIP:

Recommended Minimum Bandwidth: 517 Kbps/50% (PeakRate)

Detected applications and data:

Application/ AverageRate PeakRate Total

Protocol (kbps/%) (kbps/%) (bytes)

rtp audio 76/7 517/50 703104

Class Interactive Video:

Recommended Minimum Bandwidth: 24 Kbps/2% (AverageRate)




rtp video 24/2 5337/52 704574

Class Transactional:Recommended Minimum Bandwidth: 0 Kbps/0% (AverageRate)




citrix 36/3 74/7 30212

sqlnet 12/1 7/<1 1540

AutoQoS Enterprise: WAN, Part 1: Discovery (Cont.)

AutoQoSA Q S E i WAN P 2 P i i i




interface Serial4/0 point-to-point bandwidth 256ip address 10.1.71.1 255.255.255.0frame-relay interface-dlci 100auto qos

AutoQoS Enterprise: WAN, Part 2: Provisioning

class-map match-any AutoQoS-Voice-Se4/0 match protocol rtp audioclass-map match-any AutoQoS-Inter-Video-Se4/0 match protocol rtp videoclass-map match-any AutoQoS-Transactional-Se4/0 match protocol sqlnet

match protocol citrix! policy-map AutoQoS-Policy-Se4/0

class AutoQoS-Voice-Se4/0 priority percent 70set dscp efclass AutoQoS-Inter-Video-Se4/0 bandwidth remaining percent 10

set dscp af41class AutoQoS-Transactional-Se4/0 bandwidth remaining percent 1set dscp af21class class-defaultfair-queue

!

AutoQoSA t Q S E t i WAN P t 2 P i i i (C t )




AutoQoS Enterprise: WAN, Part 2: Provisioning (Cont.)

<policy continued> !

policy-map AutoQoS-Policy-Se4/0-Parentclass class-defaultshape average 256000service-policy AutoQoS-Policy-Se4/0

!interface Serial4/0 point-to-pointframe-relay interface-dlci 100class AutoQoS-FR-Serial4/0-100

! map-class frame-relay AutoQoS-FR-Serial4/0-100frame-relay cir 256000

frame-relay mincir 256000frame-relay fragment 320service-policy output AutoQoS-Policy-Se4/0-Parent

interface Serial4/0 point-to-point bandwidth 256ip address 10.1.71.1 255.255.255.0frame-relay interface-dlci 100auto qos

AutoQoSAutoQoS Enterprise: WAN Part 3: Monitoring




AutoQoS Enterprise: WAN, Part 3: Monitoring

• Thresholds are activated inRMON alarm table to monitor drops in Voice Class

• Default drop threshold is 1bps

rmon event 33333 log trap AutoQoS description “AutoQoSSNMP traps for Voice Drops” owner AutoQoS

rmon alarm 33350 cbQoSCMDDropBitRate.2881.2991 30 Absolute rising-threshold 1 33333 falling-threshold 0

Owner AutoQoS

RMON Event Configured and

Generated by Cisco AutoQoS

Monitoring Drops in LLQ

How Much Bandwidth Do I Need?Corvil Bandwidth Estimating Feature




Corvil Bandwidth Estimating Feature

• Adequate bandwidth isessential for applicationperformance

Too little bandwidth can makebusiness services unusable

Too much bandwidth can bevery costly

• Corvil Bandwidth providesthe minimum bandwidthrequired to meet a Quality of Service target

The ability to obtain bandwidthvalues for USER-SPECIFIED

QoS targets distinguishes CorvilBandwidth from other approaches

Use Corvil Bandwidth values toallocate bandwidth usingexisting Cisco IOS QoS policy

mechanisms

Time

Too MuchBandwidth

What You Need to Know:

CORVIL BANDWIDTH

Too Little

BandwidthMean Traffic Rate

E.g., 300 kbps over a 5-Minute Period

Real-Time Traffic Bursts B a n d w

i d t h

E.g., the CorvilBandwidth Is 460 kbpsfor This Application to

Achieve No More Than250 ms Delay

and 0.1% Loss

What You See Today

Using Corvil Bandwidth inCisco IOS Software




show policy-map interface

Quality of Service targets:

Drop no more than one packet in 100 (Packet loss < 1.000%)Delay no more than one packet in 200 by more than 50 milliseconds(Confidence: 99.500%)

Corvil Bandwidth: 249 kbits/sec

To specify < 1% packet drop and < 0.5% of packets delayed more than 50 milliseconds:

estimate bandwidth drop-one-in 100 delay-one-in 200 milliseconds 50

Cisco IOS Software

Use estimate bandwidth command in an MQC policy map

Specify tolerance for PACKET LOSS

Specify tolerance for DELAY DURATION

Commence Observation for a Traffic Class

Display Corvil Bandwidth via show policy-map interface command

QoS targets

Corvil Bandwidth Estimate

Branch QoS Design(Ten Class) QoS Baseline Branch WAN Edge Model




(Ten-Class) QoS Baseline Branch WAN-Edge Model


Voice18%

Best Effort25%

Bulk4%

Mission-Critical Data

15%

Call Signaling5%


Routing3%

Network Mgmt

2%


Scavenger 1%

Branch QoS Design(Ten Class) QoS Baseline Branch WAN Edge Model: Part 1




!ip cef ! Required for NBAR + CB-Marking!class-map match-all VOICE

match ip dscp ef ! IP Phones mark Voice to EFclass-map match-all INTERACTIVE-VIDEO match ip dscp af41 af42 ! Recommended markings for IP/VCclass-map match-any CALL-SIGNALING match ip dscp cs3 ! Call-Signaling markingclass-map match-all ROUTING match ip dscp cs6 ! Routers mark Routing traffic to CS6

class-map match-all NET-MGMT match ip dscp cs2 ! Recommended marking for Network Managementclass-map match-all MISSION-CRITICAL-DATA match ip dscp af31 af32 ! Recommended marking for Mission-Critical Dataclass-map match-all TRANSACTIONAL-DATA match ip dscp af21 af22 ! Recommended markings for Transactional Dataclass-map match-all BULK-DATA match ip dscp af11 af12 ! Recommended markings for Bulk Data

class-map match-all SCAVENGER match ip dscp cs1 ! Recommended marking for Scavenger traffic

!

(Ten-Class) QoS Baseline Branch WAN-Edge Model: Part 1


Note: No Streaming-Video Class in Branch-to-Campus Direction

Branch QoS Design(Ten-Class) QoS Baseline Branch WAN-Edge Model: Part 2




!pol i cy- map RBR- WAN- EDGEcl ass VOI CE priority percent 18 ! Voice gets 552 kbps of LLQ

cl ass I NTERACTI VE- VI DEO priority percent 15 ! 384 kbps IP/VC needs 460 kbps of LLQcl ass CALL- SI GNALI NG bandwidth percent 5 ! Minimal BW guarantee for Call-Signalingcl ass ROUTI NG bandwidth percent 3 ! Routing class gets 3% explicit BW guaranteecl ass NET- MGMT

bandwidth percent 2 ! Net-Mgmt class gets 2% explicit BW guaranteecl ass MI SSI ON- CRI TI CAL- DATA bandwidth percent 15 ! Mission-Critical class gets min 15% BW guaranteerandom-detect ! Enables WRED on Mission-Critical Data class

cl ass TRANSACTI ONAL- DATA bandwidth percent 12 ! Transactional-Data class gets min 12% BW guaranteerandom-detect dscp-based ! Enables DSCP-WRED on Transactional-Data class

cl ass BULK- DATA

bandwidth percent 4 ! Bulk Data class gets 4% BW guaranteerandom-detect dscp-based ! Enables DSCP-WRED on Bulk-Data class

cl ass SCAVENGER bandwidth percent 1 ! Scavenger class is throttled cl ass cl ass- def aul t bandwidth percent 25 ! Default class gets min 30% BW guaranteerandom-detect ! Enables WRED on the default class

!

(Ten-Class) QoS Baseline Branch WAN-Edge Model: Part 2


Branch QoS DesignNBAR Vs Code Red



717171© 2005 Cisco Systems, Inc. All rights reserved.RST-250211138_05_2005_c1 71717171

NBAR Vs. Code Red

• First released in May 2001

• Exploited a vulnerability inMicrosoft IIS and infected

360,000 hosts in 14 hours• Several strains (CodeRed,

CodeRedv2, CodeRed II,CodeRedv3, CodeRed.C.)

• Newer strains replaced homepage of web-servers andcaused DoS flooding-attacks

• Attempts to access a filewith “.ida” extension

class-map match-any CODE-RED

match protocol http url “*.ida*” match protocol http url “*cmd.exe*” match protocol http url “*root.exe*”

DATA

Frame IP Packet

ToS/

DSCP

Source

IP

Dest

IP

TCP Segment

Src

Port

Dst

Port

Data Payload

*HTTP GET/*.ida*

BranchSwitch

BranchRouter

Branch QoS DesignNBAR Vs. NIMDA




NBAR Vs. NIMDA

• Nimda is both a worm and avirus (a virus requires humaninteraction to facilitatespreading)

• Spread via several vectors(email, network shares,JavaScript, infected hosts,and backdoors created byCodeRed)

• Early instances limited toself-propagation (with DoSflooding-attack side-effect)

• Worm/virus is within a filecalled “readme.eml”

class-map match-any NIMDA match protocol http url “*readme.eml*”

BranchSwitch

BranchRouter

DATA

Frame IP Packet

ToS/

DSCP

Source

IP

Dest

IP

TCP Segment

Src

Port

80

Data Payload

*readme.eml*

Branch QoS DesignNBAR Vs. SQL Slammer




NBAR Vs. SQL Slammer

• Flash worm first released inJanuary 2003

• Targeted vulnerability inMicrosoft SQL server

• Reached 55 million scans/secwithin three min and infected300,000 hosts in 11 min(doubling rate was 8.5 sec)

• DoS flooding-attack side-effect

• Small (single packet)UDP-based worm

ip nbar port-map custom-01 udp 1434

class-map match-all SQL-SLAMMER match protocol custom-01 match packet length min 404 max 404

BranchSwitch

BranchRouter

DATA

Frame IP Packet

ToS/

DSCP

Source

IP

Dest

IP

TCP Segment

Src

Port

1434

Data Payload

\x04\x01\x01\x01\x01\x01.*[.][Dd][Ll][Ll]

Branch QoS DesignNBAR Vs. MS Blaster (a.k.a. RPC DCOM and W32 Blaster)




NBAR Vs. MS Blaster (a.k.a. RPC DCOM and W32 Blaster)

• First released inAugust 2003

• Targeted flaw in MicrosoftDistributed Component

Object Model (DCOM) RPC

• Copies itself from infectedsystem to targetsystem via TFTP

• Listens on TCP ports 135,

139 and 445 and starts acmd.exe process on TCPport 4444, providingattacker with local systemprivilege (root) level access

ip nbar port-map netbios tcp 137 139 445

ip nbar port-map netbios udp 135 137 138 139 445

class-map match-any MS-BLASTER match protocol exchange match protocol netbios

BranchSwitch

BranchRouter

DATA

Frame IP Packet

ToS/

DSCP

Source

IP

Dest

IP

TCP Segment

Src

Port

135

139

445

Data Payload

MS Blast Worm TFTP Request

Branch QoS DesignNBAR Vs. Sasser




• First detected Fri,April 29, 2004

• Variants: Sasser.A/B/C/D

• Exploited flaw in MicrosoftLocal Security AuthorityService Server (LSASS)

• Vulnerability allows remoteattacker to execute arbitrarycode with system privileges

• Can scan for 1024 separate IPaddresses simultaneously onTCP Port 445 and creates aremote shell on TCP 9996 andan FTP session on TCP 5554

ip nbar port-map custom-02 tcp 445 5554 9996

class-map match-all SASSER match protocol custom-02

BranchSwitch

BranchRouter

DATA

Frame IP Packet

ToS/

DSCP

Source

IP

Dest

IP

TCP Segment

44555549996

Data Payload

Sasser Worm445

55549996

Branch QoS DesignNBAR User-Defined Custom Application Classification




ip nbar custom MOONBEAM

8 ascii Moonbeam tcp range 21000 21999

class-map match-all MOONBEAM-WORM match protocol MOONBEAM

DATA

Frame IP Packet

ToS/

DSCP

Source

IP

Dest

IP

TCP Segment

21000–

21999

Data Payload

FFFF0000MoonbeamFFFF21000–

21999

pp

• Name: Name the custom protocol tobe matched

Up to 24 characters

e.g. MOONBEAM (a fictitious worm)

• Offset: Specify the beginning byte of string or value to be matched in the data packet,

counting from ZERO for the first bytee.g. 8 means “skip the first 8 bytes”

• Format: Define the format of the match criteriaASCII, hex or decimal

e.g. ASCII

• Value: The value to match in the packetIf ASCII, up to 16 characters

e.g., “Moonbeam”

• [Source or destination port]Optionally restrict the direction of packet inspection

Defaults to both directions if not specified

e.g., both source and destination ports will beinspected

• TCP or UDPIndicate the protocol encapsulated in the IPpacket,e.g., TCP

• Range or selected port number(s)“Range” with start and end port numbers, up to1000

Or 1 to 16 individual port numbers

E.g. range 21000 21999

BranchSwitch

BranchRouter

Branch QoS DesignNBAR Policy for Code Red, NIMDA, SQL Slammer, MS-Blaster,Sasser and “Moonbeam” Worm-Prevention Example: Part 1




ip nbar port-map custom-01 udp 1434 ! SQL Slammer custom PDLM ip nbar port-map custom-02 tcp 5554 9996 ! Sasser custom PDLM ip nbar port-map netbios tcp 137 139 445 ! MS Blaster TCP 137/139/445ip nbar port-map netbios udp 135 137 138 139 445 ! MS Blaster UDP 135/137-139/445ip nbar custom MOONBEAM 8 ascii Moonbeam tcp range 21000 21999 ! “Moonbeam” PDLM !

class-map match-all SQL-SLAMMER match protocol custom-01 ! Matches the SQL Slammer PDLM match packet length min 404 max 404 ! Matches the packet length (376+28)

!class-map match-any WORMS match protocol http url “*.ida*” ! CodeRed match protocol http url “*cmd.exe*” ! CodeRed

match protocol http url “*root.exe*” ! CodeRed match protocol http url “*readme.eml*” ! NIMDA match class-map SQL-SLAMMER ! SQL Slammer class-map match protocol exchange ! MS Blaster (TCP 135) match protocol netbios ! MS Blaster NetBIOS PDLM match protocol custom-02 ! Sasser custom PDLM match protocol MOONBEAM ! “Moonbeam” PDLM

DATA

Frame IP Packet

ToS/

DSCP

Source

IP

Dest

IP

TCP Segment

Src

Port

Dst

Port

Data Payload

Worm

p

Branch QoS DesignNBAR Policy for Code Red, NIMDA, SQL Slammer, MS-Blaster,Sasser and “Moonbeam” Worm-Prevention Example: Part 2




! policy-map WORM-DROPclass WORMSdrop ! Drops all known worms

!…

!interface FastEthernet0/0.60description DVLAN SUBNET 10.1.60.0encapsulation dot1Q 60ip address 10.1.60.1 255.255.255.0service-policy input WORM-DROP ! Drops known worms (DVLAN only)!

BranchSwitch

BranchRouter

DATA

Frame IP Packet

ToS/

DSCP

Source

IP

Dest

IP

TCP Segment

Src

Port

Dst

Port

Data Payload

Worm/Virus

BranchSwitch

BranchRouter

Branch QoS DesignBranch-to-Campus Classification Ex: Part 1




ip nbar port-map custom-01 tcp 3200 3201 3202 3203 3600 ! SAP custom PDLM ip nbar port-map custom-02 udp 1434 ! SQL Slammer PDLM ip nbar port-map custom-03 tcp 5554 9996 ! Sasser PDLM ip nbar port-map netbios tcp 137 139 445 ! MS Blaster NetBIOSip nbar port-map netbios udp 135 137 138 139 445 ! MS Blaster NetBIOSip nbar custom MOONBEAM 8 ascii Moonbeam tcp range 21000 21999 ! “Moonbeam” PDLM !!class-map match-all BRANCH-MISSION-CRITICAL match access-group name MISSION-CRITICAL-SERVERS ! MC Data ACL to reference!class-map match-any BRANCH-TRANSACTIONAL-DATA match protocol citrix ! Identifies Citrix traffic match protocol ldap ! Identifies LDAP traffic match protocol sqlnet ! Identifies Oracle SQL*NET traffic match protocol http url "*SalesReport*" ! Identifies “SalesReport” URLs match protocol custom-01 ! Identifies SAP traffic via PDLM !class-map match-any BRANCH-NET-MGMT

match protocol snmp ! Identifies SNMP traffic match protocol syslog ! Identifies Syslog traffic match protocol telnet ! Identifies Telnet traffic match protocol nfs ! Identifies NFS traffic match protocol dns ! Identifies DNS traffic match protocol icmp ! Identifies ICMP traffic match protocol tftp ! Identifies TFTP traffic

BranchSwitch

BranchRouter





class-map match-all BRANCH-BULK-DATA match access-group name BULK-DATA-APPS ! Reference ACL for Bulk Data apps!class-map match-any BRANCH-SCAVENGER match protocol napster ! Identifies Napster traffic match protocol gnutella ! Identifies Gnutella traffic match protocol fasttrack ! Identifies KaZaa (v1) traffic match protocol kazaa2 ! Identifies KaZaa (v2) traffic!class-map match-all SQL-SLAMMER match protocol custom-02 ! Matches the custom Slammer PDLM match packet length min 404 max 404 ! Matches the packet length (376+28)

!class-map match-any WORMS match protocol http url “*.ida*” ! CodeRed match protocol http url “*cmd.exe*” ! CodeRed match protocol http url “*root.exe*” ! CodeRed match protocol http url “*readme.eml*” ! NIMDA match class-map SQL-SLAMMER ! SQL Slammer class-map

match protocol exchange ! MS Blaster (TCP 135) match protocol netbios ! MS Blaster NetBIOS PDLM match protocol custom-03 ! Sasser custom PDLM match protocol MOONBEAM ! “Moonbeam” PDLM

!


BranchSwitch

BranchRouter




! policy-map BRANCH-LAN-EDGE-IN

class BRANCH-MISSION-CRITICALset ip dscp af31 ! Marks Mission-Critical apps to DSCP AF31class BRANCH-TRANSACTIONAL-DATA

set ip dscp af21 ! Marks Transactional Data apps to DSCP AF21class BRANCH-NET-MGMTset ip dscp cs2 ! Marks Net Mgmt apps to DSCP CS2class BRANCH-BULK-DATA set ip dscp af11 ! Marks Bulk Data apps to DSCP AF11class BRANCH-SCAVENGER set ip dscp cs1 ! Marks Scavenger apps to DSCP CS1

class WORMSdrop ! Drops all known wormsclass class-defaultset ip dscp default ! Marks everything else to DSCP 0

!


BranchSwitch

BranchRouter




!i nt er f ace Fast Et her net 0/ 0no i p addr essspeed aut odupl ex aut o

!i nt er f ace Fast Et her net 0/ 0. 60descr i pt i on DVLAN SUBNET 10. 1. 60. 0encapsul at i on dot 1Q 60i p addr ess 10. 1. 60. 1 255. 255. 255. 0service-policy input BRANCH-LAN-EDGE-IN ! Marks data and drops worms!

…!ip access-list extended MISSION-CRITICAL-SERVERS permit ip any 10.200.200.0 0.0.0.255 ! MC Data Server-Farm Subnet!ip access-list extended BULK-DATA-APPS permit tcp any any eq ftp ! Identifies FTP Control traffic

permit tcp any any eq ftp-data ! Identifies FTP Default traffic permit tcp any any eq pop3 ! Identifies POP3 E-mail traffic permit tcp any any eq 143 ! Identifies IMAP E-mail traffic!

Branch QoS DesignOptional: DSCP-to-CoS Remapping




RST-2502

11138_05_2005_c1

!pol i cy- map BRANCH- LAN- EDGE- OUT

cl ass cl ass- def aul tset cos dscp ! default DSCP-to-CoS Mapping

!

…!i nt er f ace Fast Et her net 0/ 0no i p addr essspeed aut odupl ex aut o

!

i nt er f ace Fast Et her net 0/ 0. 60descr i pt i on NATI VE SUBNET 10. 1. 60. 0 DATAencapsul at i on dot 1Q 60i p addr ess 10. 1. 60. 1 255. 255. 255. 0service-policy output BRANCH-LAN-EDGE-OUT ! Restores CoS for Data VLAN

!i nt er f ace Fast Et her net 0/ 0. 160

descr i pt i on NATI VE SUBNET 10. 1. 160. 0 VOI CEencapsul at i on dot 1Q 160i p addr ess 10. 1. 160. 1 255. 255. 255. 0service-policy output BRANCH-LAN-EDGE-OUT ! Restores CoS on Voice VLAN

!

BranchSwitch

BranchRouter



848484

MPLS VPN QoS DESIGN FORENTERPRISE SUBSCRIBERS


RST-2502

11138_05_2005_c1

Private WAN QoS DesignTraditional Hub-and-Spoke Layer 2 WAN QoS Design




RST-2502

11138_05_2005_c1

AccessSwitch

CoreSwitch

AccessSwitch

Distribution

Switch

WAN

Aggregator Router

WAN

SiSi

SiSi

SiSi

SiSi

Branch Router

Campus-to-Branch TrafficBranch-to-Branch Traffic

Enterprise WAN Aggregators (Hubs)

Principally Control ALL QoS

MPLS VPN QoS DesignParadigm Shift for Fully-Meshed VPN QoS Designs




RST-2502

11138_05_2005_c1

MPLS

VPNSiSi

SiSi

SiSi

SiSi

AccessSwitch

CoreSwitch

DistributionSwitch PE RoutersCE Routers CE Routers

Campus-to-Branch Traffic

Branch-to-Branch Traffic

Enterprise (CE) Edges Principally

Control Campus-to-Branch

and Branch-to-Campus QoS

Service Providers (PE) Principally

Control Branch-to-Branch QoS

What Are the QoS Implicationsof MPLS VPNs?




RST-2502

11138_05_2005_c1

Bottom Line:

Enterprises MustCo-Manage QoS withTheir MPLS VPN ServiceProviders; Their Policies

Must Be Both Consistentand Complementary

878787

MPLS VPN QoS DesignWhere QoS Is Required in MPLS VPN Architectures?




RST-2502

11138_05_2005_c1

CE Router

MPLS VPN

PE Router

P Routers

CE Router PE Router

Required

Optional

CE-to-PE Queuing/Shaping/Remarking/LFI

PE Ingress Policing and Remarking

PE-to-CE Queuing/Shaping/LFI

Optional: Core DiffServ or MPLS TE Policies

CPN IP Multiservice VPN Service ProvidersService-Level Agreements




RST-2502

11138_05_2005_c1

Service Provider

Enterprise

Campus

Maximum One-Way

SP Service-Levels

Latency ≤ 60 ms

Jitter ≤ 20 ms

Loss ≤ 0.5%

Enterprise

Remote-Branch

Maximum One-Way Service-Levels

Latency ≤ 150 ms/Jitter ≤ 30 ms/Loss ≤ 1%

CPN IP Multiservice VPN Service ProvidersWho Are My Choices?




RST-2502

11138_05_2005_c1

http://www.cisco.com/pcgi-bin/cpn/cpn_pub_bassrch.pl

Enterprise-to-Service Provider MappingMapping Considerations




RST-2502

11138_05_2005_c1

• Voice and video within a class?

• Call-signaling into the SP Priority Class?

• Mixing TCP with UDP within a class?

• Marking/remarking

Enterprise-to-Service Provider MappingThree-Class SP Model: Remarking Diagram




RST-2502

11138_05_2005_c1

Network Management

Call Signaling

Streaming Video

Transactional Data

Interactive-Video

Voice

Enterprise

Application

Bulk Data

AF21Î CS3

CS3Î CS5

CS4

AF41Î CS5

EF

CS2Î CS3

AF11

Scavenger CS1

Best Effort 0

Routing CS6

Mission-Critical Data AF31

SP-REALTIME35%

DSCP

SP-CRITICAL

40%

SP-BEST EFFORT

25%

PE Classes

EF

CS5

CS6

AF31

CS3

X

X

Enterprise-to-Service Provider MappingThree-Class SP Model: Bandwidth Allocation Example




RST-2502

11138_05_2005_c1

Voice15%


Best Effort24%

Scavenger 1%


Routing3%

Call Signaling5%

SP-BestEffort25%

SP-Realtime

35%

SP-Critical40%

NetworkManagement

2%


Enterprise-to-Service Provider MappingThree-Class SP Model: CE Configuration Example: Part 1




RST-2502

11138_05_2005_c1

• All traffic is assumedto be correctly

classified prior toMPLS VPN CE

• 3-Class SP modeldoes not supportstreaming-video

or bulk-dataenterprise classes

!cl ass- map mat ch- al l ROUTI NG match ip dscp cs6cl ass- map mat ch- al l VOI CE match ip dscp ef

cl ass- map mat ch- al l I NTERACTI VE- VI DEO match ip dscp af41 af42cl ass- map mat ch- al l MI SSI ON- CRI TI CAL- DATA match ip dscp af31cl ass- map mat ch- any CALL- SI GNALI NG match ip dscp cs3cl ass- map mat ch- al l TRANSACTI ONAL- DATA

match ip dscp af21 af22cl ass- map mat ch- al l NETWORK- MANAGEMENT match ip dscp cs2cl ass- map mat ch- al l SCAVENGER match ip dscp cs1!


PE Router

MPLS VPNCloud

CE Router

Enterprise-to-Service Provider MappingThree-Class SP Model: CE Configuration Example: Part 2




RST-2502

11138_05_2005_c1

pol i cy- map CE- THREE- CLASS- SP- MODELcl ass ROUTI NG bandwidth percent 3 ! Routing Î SP-Criticalcl ass VOI CE priority percent 15 ! Voice Î SP-Realtime

cl ass I NTERACTI VE- VI DEOpr i or i t y per cent 15set ip dscp cs5 ! Interactive-Video is remarked + mapped to SP-Realtime

cl ass CALL- SI GNALI NG priority percent 5 ! Call-Signaling gets LLQ for this (high-speed) scenarioset ip dscp cs5 ! Call-Signaling is remarked + mapped to SP-Realtime

cl ass MI SSI ON- CRI TI CAL- DATAbandwi dt h percent 20

r andom- det ectcl ass TRANSACTI ONAL- DATAbandwi dt h percent 15r andom- det ectset ip dscp cs3 ! Transactional Data is remarked + mapped to SP-Critical

cl ass NETWORK- MANAGEMENTbandwi dt h percent 2set ip dscp cs3 ! Net Mgmt is remarked + mapped to SP-Critical

cl ass SCAVENGER bandwidth percent 1 ! Scavenger (choked at CE) will default to SP-Best Effortcl ass cl ass- def aul tbandwi dt h percent 24 ! Best Effort will default to SP-Best Effort classr andom- det ect

!

PE Router

MPLS VPNCloud

CE Router


Enterprise-to-Service Provider MappingFour-Class Provider-Edge Model Remarking Diagram




RST-2502

11138_05_2005_c1

SP-REAL-TIME35%

Network Management

Call Signaling

Streaming Video

Transactional Data

Interactive Video

Voice

Enterprise

Application

Bulk Data

AF21Î CS3

CS3Î CS5

CS4Î AF21

AF41Î CS5

EF

CS2AF11

Scavenger CS1

Best Effort 0

Routing CS6


DSCP

SP-CRITICAL25%

SP-VIDEO

15%

PE Classes

EF

CS5

CS6

AF31

CS3

AF21

XCS2

SP-BEST EFFORT

25%

Enterprise-to-Service Provider MappingFour-Class SP Model: Bandwidth Allocation Example




RST-2502

11138_05_2005_c1

Voice15%

Best Effort24%

Scavenger 1%

Streaming-Video

13% Routing3%

Call Signaling5%

NetworkManagement

2%



SP-Realtime

35%

SP-BestEffort25%

SP-Video15% SP-Critical

25%


Enterprise-to-Service Provider MappingFour-Class SP Model: CE Configuration Example: Part 1




RST-2502

11138_05_2005_c1

• All traffic is assumedto be correctly

classified prior toMPLS VPN CE

• 4-Class SP modelsupports either streaming-video or

Bulk-Dataenterprise classes

!cl ass- map mat ch- al l ROUTI NG match ip dscp cs6cl ass- map mat ch- al l VOI CE match ip dscp ef

cl ass- map mat ch- al l I NTERACTI VE- VI DEO match ip dscp af41 af42cl ass- map mat ch- al l STREAMI NG- VI DEO match ip dscp cs4cl ass- map mat ch- al l MI SSI ON- CRI TI CAL- DATA match ip dscp af31 af32cl ass- map mat ch- any CALL- SI GNALI NG

match ip dscp cs3cl ass- map mat ch- al l TRANSACTI ONAL- DATA match ip dscp af21 af22cl ass- map mat ch- al l NETWORK- MANAGEMENT match ip dscp cs2cl ass- map mat ch- al l SCAVENGER match ip dscp cs1

!

* Dual-T1 Link Example * Dual-T1 Link Example

PE Router

MPLS VPNCloud

CE Router

Enterprise-to-Service Provider MappingFour-Class SP Model: CE Configuration Example: Part 2




RST-2502

11138_05_2005_c1

pol i cy- map CE- FOUR- CLASS- SP- MODELcl ass ROUTI NG bandwidth percent 3 ! Routing Î SP-Criticalcl ass VOI CE priority percent 15 ! Voice Î SP-Realtimecl ass I NTERACTI VE- VI DEO

priority percent 15set ip dscp cs5 ! Interactive-Video is remarked + mapped to SP-Realtime

cl ass STREAMI NG- VI DEObandwi dth percent 13set ip dscp af21 ! Streaming-Video is remarked + mapped to SP-Video


cl ass MI SSI ON- CRI TI CAL- DATAbandwi dth percent 12r andom- det ect

cl ass TRANSACTI ONAL- DATAbandwi dth percent 10r andom- det ectset ip dscp cs3 ! Transactional Data is remarked + mapped to SP-Critical

cl ass NETWORK- MANAGEMENT

bandwidth percent 2 ! Net Mgmt (mainly UDP) is mapped to SP-Videocl ass SCAVENGER bandwidth percent 1 ! Scavenger (choked at CE) will default to SP-Best Effort

cl ass cl ass- def aul tbandwi dth percent 24 ! Best Effort will default to SP-Best Effortr andom- det ect

PE Router

MPLS VPNCloud

CE Router


Enterprise-to-Service Provider MappingFive-Class Provider-Edge Model Remarking Diagram

Enterprise




RST-2502

11138_05_2005_c1

SP-REAL-TIME35%

Network Management

Call Signaling

Streaming Video

Transactional Data

Interactive Video

Voice

Enterprise

Application

Bulk Data

AF21Î CS3

CS3Î CS5

CS4Î AF21

AF41Î CS5

EF

CS2AF11

Scavenger CS1Î 0

Best Effort 0

Routing CS6


DSCP

SP-CRITICAL

20%

SP-VIDEO

15%

PE Classes

EF

CS5

CS6

AF31

CS3

AF21

CS2

SP-BEST EFFORT

25%

SP-BULK 5%AF11/CS1

Enterprise-to-Service Provider MappingFive-Class SP Model: Bandwidth Allocation Example




RST-2502

11138_05_2005_c1

Voice 15%

Scavenger 1%

Best Effort24%

Bulk5%

Streaming-Video13%


Call Signaling5%


Routing3%

NetworkManagement

2%


SP-Realtime

35%

SP-BestEffort25%

SP-Video15%

SP-Bulk5%

SP-Critical

20%

Enterprise-to-Service Provider MappingFive-Class SP Model: CE Configuration Example: Part 1




RST-2502

11138_05_2005_c1

• All traffic isassumed to be

correctlyclassified prior toMPLS VPN CE

• 5-Class SP model

supports allenterprise classes

!cl ass- map mat ch- al l ROUTI NG match ip dscp cs6

cl ass- map mat ch- al l VOI CE match ip dscp efcl ass- map mat ch- al l I NTERACTI VE- VI DEO match ip dscp af41 af42cl ass- map mat ch- al l STREAMI NG- VI DEO match ip dscp cs4cl ass- map mat ch- al l MI SSI ON- CRI TI CAL- DATA match ip dscp af31 af32cl ass- map mat ch- any CALL- SI GNALI NG match ip dscp cs3cl ass- map mat ch- al l TRANSACTI ONAL- DATA match ip dscp af21 af22cl ass- map mat ch- al l BULK- DATA match ip dscp af11 af12cl ass- map mat ch- al l NETWORK- MANAGEMENT match ip dscp cs2cl ass- map mat ch- al l SCAVENGER match ip dscp cs1!


PE Router

MPLS VPNCloud

CE Router

Enterprise-to-Service Provider MappingFive-Class SP Model: CE Configuration Example: Part 2




RST-2502

11138_05_2005_c1

pol i cy- map CE- FI VE- CLASS- SP- MODELcl ass ROUTI NG bandwidth percent 3 ! Routing Î SP-Criticalcl ass VOI CE priority percent 15 ! Voice Î SP-Realtime

cl ass I NTERACTI VE- VI DEOpr i or i t y per cent 15set ip dscp cs5 ! Interactive-Video is remarked + mapped to SP-Realtime

cl ass STREAMI NG- VI DEObandwi dth percent 13set ip dscp af21 ! Streaming-Video is remarked + mapped to SP-Video


cl ass MI SSI ON- CRI TI CAL- DATAbandwi dth percent 12r andom- det ect

cl ass TRANSACTI ONAL- DATAbandwi dth per cent 5r andom- det ectset ip dscp cs3 ! Transactional Data is remarked + mapped to SP-Critical

cl ass NETWORK- MANAGEMENT bandwidth percent 2 ! Net Mgmt (mainly UDP) is mapped to SP-Videocl ass BULK- DATA

bandwidth percent 5 ! Bulk Data is mapped to Bulk SP classr andom- det ect

cl ass SCAVENGER bandwidth percent 1 ! Scavenger (choked at CE) will default to SP-Best Effortset i p dscp 0

cl ass cl ass- def aul tbandwi dth percent 24 ! Best Effort will default to SP-Best Effortr andom- det ect

PE Router

MPLS VPNCloud

CE Router


MPLS DiffServ Tunneling ModesWhat Difference Does It Make?




RST-2502

11138_05_2005_c1

CE1 PE1 PE2 CE2

Uniform

Pipe

ShortPipe

IPIP IP/MPLS

MPLS Uniform Mode DiffServ TunnelingUniform Mode Operation

Shaded Area Represents Customer/Provider DiffServ Domain




RST-2502

11138_05_2005_c1Direction of Packet Flow

CE Router

MPLS VPN

PE Router

P Routers

CE Router PE Router

Assume a Policer Remarks Out-of-Contract

Traffic’s Top-Most Label to MPLS EXP 0 Here

IPP3/DSCP AF31

Packet Initially

Marked to IPP3/DSCP AF31

MPLS EXP 3

MPLS EXP 3

IPP3/DSCP AF31

By Default IPP

Values Will Be

Copied to MPLS

EXP Labels

MPLS EXP 3

MPLS EXP 0

IPP3/DSCP AF31

Top-Most Label Is

Marked Down by a

Policer

MPLS EXP 0

IPP3/DSCP AF31

Top-Most Label Is

Popped and EXP

Value Is Copied to

Underlying Label

IPP0/DSCP 0

MPLS EXP Value

Is Copied to

IP ToS Byte

105105105

MPLS Uniform Mode DiffServ TunnelingRemarking Considerations




RST-2502

11138_05_2005_c1

Enterprise Customers May Need to Remark onIngress from Their MPLS VPN SP to Restore DiffServ

Markings That May Have Been Changed in TransitThrough the Cloud

Ingress Marking from LAN

CE Router

Ingress Remarking from MPLS VPN

MPLS VPN

MPLS Uniform Mode DiffServ TunnelingEnterprise Remarking from MPLS VPN SP: Case-Study Example




RST-2502

11138_05_2005_c1

!

dlsw local-peer peer-id x.x.x. group 50 promiscuous

dlsw remote-peer 0 tcp x.x.x.x

dlsw tos map high 3 medium 3 normal 3 low 3

!!

interface FastEthernet0/0

ip address x.x.x.x

no ip redirects

no ip proxy-arp

ip nbar protocol-discovery

service-policy input MARKING!

interface Serial0/0

description AT&T MPLS T1.5 Ckt

no ip address

encapsulation frame-relay IETF

no ip mroute-cache

no fair-queueservice-module t1 timeslots 1-24

frame-relay traffic-shaping

!

!

interface Serial0/0.1 point-to-point

description AT&T MPLS PVC CIRCUIT

bandwidth 1536

ip address x.x.x.x

ip nbar protocol-discovery

frame-relay interface-dlci 777class FRTS-1536

!

...

!

map-class frame-relay FRTS-1536

frame-relay cir 1460000

frame-relay bc 14600frame-relay be 0

frame-relay mincir 1460000

no frame-relay adaptive-shaping

service-policy input MARKING

service-policy output WAN-EDGE

!

MPLS Short Pipe Mode DiffServ TunnelingShort Pipe Mode Operation

A P li R k Unshaded Areas

Shaded Area Represents Provider DiffServ Domain




RST-2502

11138_05_2005_c1

CE Router

MPLS VPN

PE Router

P Routers

CE Router PE Router

Assume a Policer Remarks

Out-of-Contract Traffic’s

Top-Most Label to

MPLS EXP 0 Here

IPP3/DSCP AF31IPP3/DSCP AF31

Packet Initially

Marked to IPP3/

DSCP AF31

MPLS EXP 4

MPLS EXP 4

IPP3/DSCP AF31MPLS EXP Values

Are Set Independently

from IPP/DSCP Values

MPLS EXP 4

MPLS EXP 0

IPP3/DSCP AF31

Topmost Label Is

Marked Down by

a Policer

MPLS EXP 0

IPP3/DSCP AF31

Top-Most Label IsPopped and EXP

Value Is Copied to

Underlying Label

Original Customer-

Marked IP ToS

Values Are Preserved

PE Edge (to CE) Policies

Are Based onCUSTOMER-MARKINGS

Direction of Packet Flow

Unshaded Areas

Represent Customer

DiffServ Domain

MPLS Pipe Mode DiffServ TunnelingPipe Mode Operation

Shaded Area Represents Provider DiffServ DomainUnshaded AreasAssume a Policer Remarks




RST-2502

11138_05_2005_c1

CE Router

MPLS VPN

PE Router

P Routers

CE Router PE Router

IPP3/DSCP AF31

MPLS EXP 4

MPLS EXP 4

IPP3/DSCP AF31MPLS EXP 4

MPLS EXP 0

IPP3/DSCP AF31

MPLS EXP 0

IPP3/DSCP AF31

IPP3/DSCP AF31

Packet Initially

Marked to IPP3/

DSCP AF31MPLS EXP Values

Are Set Independently

from IPP/DSCP ValuesTop-Most Label Is

Marked Down by

a Policer

Top-Most Label Is

Popped and EXP

Value Is Copied to

Underlying Label

Original Customer-

Marked IP ToS

Values ArePreserved

Unshaded Areas

Represent Customer

DiffServ Domain

PE Edge (to CE)

Policies Are Based onPROVIDER-MARKINGS

Direction of Packet Flow

Assume a Policer Remarks

Out-of-Contract Traffic’s Top-

Most Label to MPLS EXP 0 Here



110110110

SUMMARY


RST-2502

11138_05_2005_c1




RST-2502

11138_05_2005_c1



Q and A


RST-2502

11138_05_2005_c1



119119119

REFERENCES


RST-2502

11138_05_2005_c1

ReferencesDiffServ Standards

• RFC 2474 “Definition of the Differentiated Services Field




RST-2502

11138_05_2005_c1

RFC 2474 Definition of the Differentiated Services Field(DS Field) in the IPv4 and IPv6 Headers”http://www.ietf.org/rfc/rfc2474

• RFC 2475 “An Architecture for Differentiated Services”http://www.ietf.org/rfc/rfc2475

• RFC 2597 “Assured Forwarding PHB Group”http://www.ietf.org/rfc/rfc2597

• RFC 2697 “A Single Rate Three Color Marker”http://www.ietf.org/rfc/rfc2697

• RFC 2698 “A Two Rate Three Color Marker”http://www.ietf.org/rfc/rfc2698

• RFC 3246 “An Expedited Forwarding PHB

(Per-Hop Behavior)”http://www.ietf.org/rfc/rfc3246

• RFC 3270 “MPLS Support of Differentiated Services”http://www.ietf.org/rfc/rfc3270

ReferencesCisco IOS QoS Documentation

• Classification Tools




RST-2502

11138_05_2005_c1

Classification Toolshttp://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/qos_vcg.htm#1000913

• Congestion Management (Queuing) Toolshttp://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/qos_vcg.htm#1001619

• Congestion Avoidance (Selective Dropping) Toolshttp://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/qos_vcg.htm#1000448

• Policing and Shaping Toolshttp://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/qos_vcg.htm#1001018

• Link-Specific Toolshttp://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/qos_vcg.htm#

1001728

• Modular QoS CLI (MQC) Syntaxhttp://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/qos_vcg.htm#1001811

Solution Reference Network Design GuidesEnterprise QoS Design Guide




RST-2502

11138_05_2005_c1

http://www.cisco.com/go/srnd

QoS Design Overview

Campus QoS Design

WAN QoS Design

Branch QoS DesignMPLS VPN (CE) QoS Design



123123123

RECOMMENDED READING


RST-2502

11138_05_2005_c1

Reference MaterialsCisco Press Book: End-to-End QoS Design

ISBN 1587051761

http://www.ciscopress.com/title/1587051761




RST-2502

11138_05_2005_c1

ISBN: 1587051761

Publish Date: Nov 9/04

LAN• Catalyst 2950

• Catalyst 3550

• Catalyst 2970/3560/3750

• Catalyst 4500

• Catalyst 6500

VPN• MPLS (for Enterprise Subscribers)

• MPLS (for Service Providers)

• IPSec (Site-to-Site)

• IPSec (Teleworker)

WAN/Branch• Leased Lines

• Frame Relay

• ATM

• ATM-to-FR SIW

• ISDN

• NBAR for Worm Policing

Complete Your Online Session Evaluation!

• Win fabulous prizes! Give us your feedback!




RST-2502

11138_05_2005_c1

• Receive 10 Passport Points for eachsession evaluation you fill out

• Go to the Internet stations locatedthroughout the Convention Center

• Winners will be posted on the Internetstations and digital plasma screens

• Drawings will be held in theWorld of Solutions

Monday, June 20 at 8:45 p.m.

Tuesday, June 21 at 8:15 p.m.

Wednesday, June 22 at 8:15 p.m.

Thursday, June 23 at 1:30 p.m.

125125125




RST-2502

11138_05_2005_c1

Wan and Branch Qos Design

Documents

Transcript of Wan and Branch Qos Design