QoS Best Practices

Tim Szigeti
Technical Marketing Engineer
Technology and Systems Marketing: QoS
Cisco Central Development Organization
10/5/04

IP07 QoS
© 2004 Cisco Systems, Inc. All rights reserved.

EX1038
Palo Alto Networks v. Sable Networks
IPR2020-01712

QoS Perception
Changing the Way Intelligent Services Are Enabled

[Figure: Security, Quality of Service and High Availability positioned on a scale running from "Luxury" to "Necessity"]

QoS Deployment Principles

How Is QoS Optimally Deployed in the Enterprise?

1) Strategically define the business objectives to be achieved via QoS.
2) Analyze the service-level requirements of the various traffic classes to be provisioned for.
3) Design and test the QoS policies prior to production-network rollout.
4) Roll out the tested QoS designs to the production network in phases, during scheduled downtime.
5) Monitor service levels to ensure that the QoS objectives are being met.

General QoS Design Principles
Start with the Objectives: Not the Tools

• Clearly define the organizational objectives
  Protect voice? video? data? DoS/worm mitigation?
• Assign as few applications as possible to be treated as “mission-critical”
• Seek executive endorsement of the QoS objectives prior to design and deployment
• Determine how many classes of traffic are required to meet the organizational objectives
  More classes = more granular service-guarantees

How Many Classes of Service Do I Need?
Example Strategy for Expanding the Number of Classes of Service over Time

[Figure: three class models, expanding over time from left to right]

4/5 Class Model:
  Realtime
  Call Signaling
  Critical Data
  Best Effort
  Scavenger (the optional fifth class)

8 Class Model:
  Voice
  Video
  Call Signaling
  Network Control
  Critical Data
  Bulk Data
  Best Effort
  Scavenger

QoS Baseline Model:
  Voice
  Interactive-Video
  Streaming Video
  Call Signaling
  IP Routing
  Network Management
  Mission-Critical Data
  Transactional Data
  Bulk Data
  Best Effort
  Scavenger

QOS REQUIREMENTS OF VOICE, VIDEO, AND DATA

NMS-2T30 9681_05_2004_c2

Voice QoS Requirements
End-to-End Latency

[Figure: one-way delay on a 0–800 msec Time axis, divided into zones: High Quality; Fax Relay, Broadcast; CB Zone; Satellite Quality. Excessive delay produces the “Human Ethernet” effect (Hello? ... Hello?), which is to be avoided.]

Delay Target: ITU’s G.114 Recommendation: ≤ 150 msec One-Way Delay

Voice QoS Requirements
Elements That Affect Latency and Jitter

[Figure: voice path from the Campus across the IP WAN to a Branch Office and the PSTN, with the delay contribution of each element]

  CODEC: G.729A: 25 ms
  Queuing: Variable
  Serialization: Variable
  Propagation and Network: Fixed (6.3 µs/km) + Network Delay (Variable)
  Jitter Buffer: 20–50 ms

End-to-End Delay (Must Be ≤ 150 ms)

Voice QoS Requirements
Packet Loss Limitations

[Figure: a sequence of voice packets (1, 2, 3, 4) in which one packet is lost; the codec produces a Reconstructed Voice Sample in its place]

• Cisco DSP codecs can use predictor algorithms to compensate for a single lost packet in a row
• Two lost packets in a row will cause an audible clip in the conversation

Voice QoS Requirements
Call Admission Control (CAC): Why Is It Needed?

Circuit-Switched Networks (PSTN): a PBX connects over Physical Trunks.

Packet-Switched Networks (IP WAN/VPN): a Router/Gateway and Cisco CallManager place calls over an IP VPN Link Provisioned for 2 VoIP Calls; the Third Call is Rejected (STOP).

No Physical Limitation on IP Links: If 3rd Call Accepted, Voice Quality of All Calls Degrades

CAC Limits Number of VoIP Calls on Each VPN Link

Video QoS Requirements
Video Conferencing Traffic Example (384 kbps)

[Figure: frame sequence over time]
  “I” Frame: 1024–1518 Bytes
  “P” and “B” Frames: 128–256 Bytes
  Packet rate varies between 15 pps and 30 pps; bandwidth varies between 32 Kbps and 450 Kbps

• “I” frame is a full sample of the video
• “P” and “B” frames use quantization via motion vectors and prediction algorithms

Video QoS Requirements
Video Conferencing Traffic Packet Size Breakdown

  Packet Size        Share of Packets
  65–128 Bytes          1%
  129–256 Bytes        34%
  257–512 Bytes         8%
  513–1024 Bytes       20%
  1025–1500 Bytes      37%

Data QoS Requirements
Application Differences

[Figure: packet-size distributions for Oracle and SAP R/3 traffic, broken down into 0–64, 65–127, 128–252, 253–511, 512–1023 and 1024–1518 byte ranges; the two applications have clearly different profiles]

Data QoS Requirements
Version Differences

SAP Sales Order Entry Transaction (VA01), # of Bytes by Client Version:

  SAP GUI Release 3.0F               14,000
  SAP GUI Release 4.6C, No Cache     57,000
  SAP GUI Release 4.6C, with Cache   33,000
  SAP GUI for HTML, Release 4.6C    490,000

• Same transaction takes over 35 times more traffic from one version of an application to another

OVERVIEW OF DOS/WORM ATTACKS

Business Security Threat Evolution
Expanding Scope of Theft and Disruption

[Figure: threat generations plotted by Sophistication of Threats (1980’s → 1990’s → Today → Future) against Scope of Damage (Individual Computer → Individual Networks → Multiple Networks → Regional Networks → Global Impact)]

1st Gen: Boot Viruses
2nd Gen: Macro Viruses, Trojans, Email, Single Server DoS, Limited Targeted Hacking
3rd Gen: Multi-Server DoS, DDoS, Blended Threat (Worm + Virus + Trojan), Turbo Worms, Widespread System Hacking
Next Gen: Infrastructure Hacking, Flash Threats, Massive Worm Driven DDoS, Negative Payload Viruses, Worms and Trojans

Emerging Speed of Network Attacks
Do You Have Time To React?

1980s–1990s: Usually Had Weeks or Months to Put Defense in Place

2000–2002: Attacks Progressed Over Hours; Time to Assess Danger and Impact; Time to Implement Defense

2003–Future: Attacks Progress on the Timeline of Seconds
  SQL Slammer Worm: Doubled Every 8.5 Seconds; After 3 Min: 55M Scans/Sec; 1Gb Link Is Saturated After One Minute
  SQL Slammer Was A Warning, Newer “Flash” Worms Are Exponentially Faster

In Half the Time It Took to Read This Slide, Your Network and All of Your Applications Would Have Become Unreachable

“Slammer” or the Sapphire Worm
Infected 75,000 Hosts in First 11 Minutes

• Infections doubled every 8.5 seconds
• Infected 75,000 hosts in first 11 minutes
• Caused network outages, cancelled airline flights and ATM failures

[Figure: infections over the first 11 Minutes after Release; At Peak, Scanned 55 Million Hosts per Second]

Internet Worms
By the Time You Read This Slide It Will Be Out of Date

[Figure: timeline of worm releases]
  sadmind/IIS: May ’01
  Code Red: May ’01
  NIMDA: Sep ’01
  Apache/mod_ssl: Jul ’02
  MS-SQL Slammer: Jan ’03
  W32/Blaster, W32/Sobig: Aug ’03
  W32/MyDoom, W32/Bagel: Jan ’04
  Sasser: April ’04

• More than 994 new Win32 viruses and worms were documented in the first half of 2003, more than double the 445 documented in the first half of 2002
  http://www.symantec.com/press/2003/n031001.html

Types of DoS Attacks
Spoofing vs. Slamming

• Imposter attack
  Pretends to be a legitimate service but maliciously intercepts/misdirects client requests
• Flooding attack
  Exponentially generates and propagates traffic until service resources (servers and/or network) are overwhelmed

Impact of an Internet Worm
Anatomy of a Worm: Why It Hurts

1—The Enabling Vulnerability
2—Propagation Mechanism
3—Payload

Impact of an Internet Worm
Direct and Collateral Damage

[Figure: an Infected Source in the Access layer attacking a System Under Attack across the Distribution and Core switches]

Core: Routers Overloaded, High CPU, Instability, Loss of Mgmt
Distribution/Access: Network Links Overloaded, High Packet Loss, Mission Critical Applications Impacted
End Systems: Overloaded, High CPU, Applications Impacted

Attacks Targeted to End Systems CAN and DO Affect the Infrastructure

QoS Technologies Review

QoS Technologies Review

• QoS Overview
• Classification Tools
• Scheduling Tools
• Policing and Shaping Tools
• Link-Specific Tools

QoS Factors
Attributes Requiring Explicit Service Levels

• Delay (Latency)
• Delay-Variation (Jitter)
• Packet Loss

Quality of Service Operations
How Do QoS Tools Work?

[Figure: packets pass through three stages in turn]
  1. Classification and Marking
  2. Queueing and (Selective) Dropping
  3. Shaping/Compression/Fragmentation/Interleave

Classification Tools
Ethernet 802.1Q Class of Service

Ethernet Frame: Pream. | SFD | DA | SA | Type | TAG (4 Bytes) | PT | Data | FCS
802.1Q/p Header (TAG): PRI (3 bits) | CFI (1 bit) | VLAN ID (12 bits)
Three Bits Used for CoS (802.1p User Priority)

  CoS   Application
  7     Reserved
  6     Routing
  5     Voice
  4     Video
  3     Call Signaling
  2     Critical Data
  1     Bulk Data
  0     Best Effort Data

• 802.1p user priority field also called Class of Service (CoS)
• Different types of traffic are assigned different CoS values
• CoS 6 and 7 are reserved for network use

Classification Tools
IP Precedence and DiffServ Code Points

IPv4 Packet: Version/Length | ToS Byte | Len | ID | Offset | TTL | Proto | FCS | IP SA | IP DA | Data

ToS Byte (bits 7–0):
  Standard IPv4:        bits 7–5 = IP Precedence, bits 4–0 = Unused
  DiffServ Extensions:  bits 7–2 = DiffServ Code Point (DSCP), bits 1–0 = IP ECN

• IPv4: Three most significant bits of ToS byte are called IP Precedence (IPP)—other bits unused
• DiffServ: Six most significant bits of ToS byte are called DiffServ Code Point (DSCP)—remaining two bits used for flow control
• DSCP is backward-compatible with IP precedence

Classification Tools
DSCP Per-Hop Behaviors

• IETF RFCs have defined special keywords, called Per-Hop Behaviors, for specific DSCP markings
• EF: Expedited Forwarding (RFC3246, formerly RFC2598)
  (DSCP 46)
• CSx: Class Selector (RFC2474)
  Where x corresponds to the IP Precedence value (1-7)
  (DSCP 8, 16, 24, 32, 40, 48, 56)
• AFxy: Assured Forwarding (RFC2597)
  Where x corresponds to the IP Precedence value (only 1-4 are used for AF Classes)
  And y corresponds to the Drop Preference value (either 1 or 2 or 3)
  With the higher values denoting higher likelihood of dropping
  (DSCP 10/12/14, 18/20/22, 26/28/30, 34/36/38)
• BE: Best Effort or Default Marking Value (RFC2474)
  (DSCP 0)
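The ToS-byte layout and PHB keywords of the two preceding slides, as an added Python example (not code from the original deck): it decodes the ToS byte of a raw IPv4 header into IPP, DSCP, PHB name and ECN bits. The sample header is constructed here; DSCP 25, which the QoS Baseline uses without an RFC keyword, is reported as unnamed.

```python
# Added example (not from the original deck): decode the IPv4 ToS byte as slides
# 29 and 30 describe it, and name the standards-based PHB for a DSCP value.
import struct


def ipp_from_dscp(dscp: int) -> int:
    """IP Precedence is the top three bits of the DSCP (DSCP is backward-compatible)."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0-63")
    return dscp >> 3


def phb_name(dscp: int) -> str:
    """Return the RFC keyword for a DSCP, or 'DSCP n' when it has none.

    EF (RFC 3246) = 46; CSx (RFC 2474) = 8x for x in 1..7;
    AFxy (RFC 2597) = 8x + 2y for x in 1..4 and y in 1..3; BE (RFC 2474) = 0.
    """
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0-63")
    if dscp == 0:
        return "BE"
    if dscp == 46:
        return "EF"
    x, low = divmod(dscp, 8)
    if low == 0:
        return f"CS{x}"
    if 1 <= x <= 4 and low in (2, 4, 6):
        return f"AF{x}{low // 2}"
    return f"DSCP {dscp}"  # e.g. 25 (QoS Baseline Mission-Critical Data) has no keyword


def decode_tos(tos: int) -> dict:
    """Split one ToS byte into its legacy (IPP) and DiffServ (DSCP + ECN) views."""
    if not 0 <= tos <= 255:
        raise ValueError("ToS byte must be 0-255")
    dscp = tos >> 2
    return {
        "ipp": tos >> 5,     # standard IPv4: bits 7-5
        "dscp": dscp,        # DiffServ: bits 7-2
        "phb": phb_name(dscp),
        "ecn": tos & 0b11,   # DiffServ: bits 1-0 (ECT/CE, RFC 3168)
    }


def tos_from_ipv4_header(header: bytes) -> int:
    """Pull the ToS byte out of a raw IPv4 header (second byte, after Version/IHL)."""
    if len(header) < 20:
        raise ValueError("IPv4 header is at least 20 bytes")
    version_ihl, tos = struct.unpack("!BB", header[:2])
    if version_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return tos


# Constructed sample: a minimal 20-byte IPv4/UDP header carrying ToS 0xB8
# (DSCP 46 = EF, ECN 0), as a VoIP packet marked per the QoS Baseline would.
SAMPLE_HEADER = struct.pack(
    "!BBHHHBBH4s4s",
    0x45, 0xB8, 60, 0, 0, 64, 17, 0,  # ver/IHL, ToS, len, ID, flags/off, TTL, proto, csum
    bytes([10, 1, 1, 10]), bytes([10, 2, 2, 20]),
)

if __name__ == "__main__":
    print(decode_tos(tos_from_ipv4_header(SAMPLE_HEADER)))
    for d in (0, 8, 10, 12, 14, 18, 24, 25, 26, 34, 46, 48):
        print(d, "IPP", ipp_from_dscp(d), phb_name(d))
```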

Classification Tools
Network-Based Application Recognition

Classification can be performed on fields at each layer:
  Frame (L2): MAC/CoS, DE/CLP/MPLS EXP
  IP Packet (L3): ToS/DSCP, Source IP, Dest IP
  TCP/UDP Segment (L4): Src Port, Dst Port
  Data Payload (L7): NBAR PDLM

NBAR PDLM: 98 Supported Protocols, including:
citrix, cuseeme, custom, exchange, fasttrack, ftp, gnutella, http, imap, irc, kerberos, ldap, napster, netshow, nntp, notes, novadigm, pcanywhere, pop3, realaudio, rcmd, ssh, smtp, snmp, socks, sqlserver, sqlnet, sunrpc, streamwork, syslog, telnet, secure-telnet, tftp, vdolive, xwindows

Policing Tools
RFC 2697 Single Rate Three Color Policer

[Figure: tokens arrive at the CIR into the committed bucket (CBS); Overflow spills into the excess bucket (EBS)]

For a Packet of Size B:
  B < Tc (enough tokens in the committed bucket)?  Yes → Conform Action
  No: B < Te (enough tokens in the excess bucket)?  Yes → Exceed Action
  No → Violate Action

Policing Tools
RFC 2698 Two Rate Three Color Policer

[Figure: tokens arrive at the PIR into the peak bucket (PBS) and at the CIR into the committed bucket (CBS)]

For a Packet of Size B:
  B < Tp (enough tokens in the peak bucket)?  No → Violate Action
  Yes: B < Tc (enough tokens in the committed bucket)?  No → Exceed Action
  Yes → Conform Action
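Both policers from the two preceding slides, as an added Python example (not code from the original deck), together with the standards-based markdown action the Policing Design Principles slide later recommends (AF11 → AF12 → AF13, Scavenger CS1 for non-AF classes). Rates are bytes per second, buckets in bytes, time in seconds; all traffic figures are constructed.

```python
# Added example (not from the original deck): token-bucket meters for the
# RFC 2697 srTCM and RFC 2698 trTCM, plus an RFC 2597 markdown action.
from dataclasses import dataclass, field

CS1 = 8  # Scavenger marking (DSCP CS1)


@dataclass
class SingleRateTCM:
    """RFC 2697 srTCM: one rate (CIR), committed bucket CBS, excess bucket EBS."""
    cir: float
    cbs: float
    ebs: float
    tc: float = field(init=False)
    te: float = field(init=False)
    last: float = 0.0

    def __post_init__(self):
        self.tc, self.te = self.cbs, self.ebs  # buckets start full

    def _refill(self, now: float) -> None:
        tokens = self.cir * max(0.0, now - self.last)
        self.last = now
        room = self.cbs - self.tc              # fill the committed bucket first...
        self.tc += min(tokens, room)
        self.te = min(self.ebs, self.te + max(0.0, tokens - room))  # ...overflow to EBS

    def meter(self, now: float, size: int) -> str:
        self._refill(now)
        if self.tc >= size:                    # "B < Tc" on the slide (RFC allows equality)
            self.tc -= size
            return "conform"
        if self.te >= size:                    # "B < Te"
            self.te -= size
            return "exceed"
        return "violate"


@dataclass
class TwoRateTCM:
    """RFC 2698 trTCM: peak bucket (PIR/PBS) is checked first, then committed (CIR/CBS)."""
    cir: float
    cbs: float
    pir: float
    pbs: float
    tc: float = field(init=False)
    tp: float = field(init=False)
    last: float = 0.0

    def __post_init__(self):
        self.tc, self.tp = self.cbs, self.pbs

    def _refill(self, now: float) -> None:
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tc = min(self.cbs, self.tc + self.cir * elapsed)
        self.tp = min(self.pbs, self.tp + self.pir * elapsed)

    def meter(self, now: float, size: int) -> str:
        self._refill(now)
        if self.tp < size:                     # not "B < Tp": violate
            return "violate"
        if self.tc < size:                     # not "B < Tc": exceed, peak tokens consumed
            self.tp -= size
            return "exceed"
        self.tp -= size                        # conform: both buckets are charged
        self.tc -= size
        return "conform"


def markdown(dscp: int) -> int:
    """RFC 2597 markdown: AFx1 -> AFx2 -> AFx3 (AFx3 stays); non-AF classes -> CS1."""
    x, low = divmod(dscp, 8)
    if 1 <= x <= 4 and low in (2, 4, 6):
        return dscp if low == 6 else dscp + 2
    return CS1


def police(meter, now: float, size: int, dscp: int):
    """Map the three colors to actions: transmit, transmit marked down, or drop."""
    color = meter.meter(now, size)
    if color == "conform":
        return "transmit", dscp
    if color == "exceed":
        return "transmit", markdown(dscp)
    return "drop", None


if __name__ == "__main__":
    sr = SingleRateTCM(cir=1000, cbs=1000, ebs=1000)
    for t, b in ((0.0, 800), (0.0, 800), (0.0, 800), (1.0, 800)):
        print("srTCM", t, b, police(sr, t, b, 10))  # AF11 bulk data being policed
```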

Scheduling Tools
Queuing Algorithms

[Figure: Voice, Video and Data packets arriving at an interface and being placed into separate queues for scheduling onto the link]

• Congestion can occur at any point in the network where there are speed mismatches
• Routers use Cisco IOS-based software queuing
  Low-Latency Queuing (LLQ) used for highest-priority traffic (voice/video)
  Class-Based Weighted-Fair Queuing (CBWFQ) used for guaranteeing bandwidth to data applications
• Cisco Catalyst® switches use hardware queuing

Scheduling Tools
TCP Global Synchronization: The Need for Congestion Avoidance

[Figure: Bandwidth Utilization (up to 100%) over Time with Tail Drop. 3 Traffic Flows Start at Different Times; Another Traffic Flow Starts at This Point. All TCP Flows Synchronize in Waves, Wasting Much of the Available Bandwidth]

Scheduling Tools
Congestion Avoidance Algorithms

[Figure: a queue under TAIL DROP, which discards every arriving packet once the queue is full, versus WRED, which drops packets selectively as the queue fills]

• Queueing algorithms manage the front of the queue
  i.e. which packets get transmitted first
• Congestion avoidance algorithms, like Weighted-Random Early-Detect (WRED), manage the tail of the queue
  i.e. which packets get dropped first when queuing buffers fill
• WRED can operate in a DiffServ compliant mode which will drop packets according to their DSCP markings
• WRED works best with TCP-based applications, like data

Scheduling Tools
DSCP-Based WRED Operation

[Figure: Drop Probability (0, 50%, 100%) plotted against Average Queue Size. As the average queue grows, WRED begins dropping AF13 first, then AF12, then AF11; at each class's upper threshold it drops all packets of that class (Drop All AF13, Drop All AF12, Drop All AF11); at the Max Queue Length, Tail Drop applies]

AF = (RFC 2597) Assured Forwarding
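The drop curves on the preceding slide, as an added Python example (not code from the original deck): an exponentially weighted average queue depth and a per-drop-precedence drop probability. The thresholds, queue limit and arrival sample are constructed for illustration; the only property taken from the slide is that AF13 is dropped before AF12, and AF12 before AF11.

```python
# Added example (not from the original deck): DSCP-based WRED drop probability.
# Thresholds are in packets and are constructed for illustration.

# dscp -> (min_threshold, max_threshold, drop probability reached at max_threshold)
WRED_PROFILES = {
    14: (24, 40, 0.5),   # AF13: begins dropping first
    12: (28, 40, 0.5),   # AF12
    10: (32, 40, 0.5),   # AF11: begins dropping last
}
QUEUE_LIMIT = 48         # max queue length: beyond this, tail drop regardless of DSCP


def update_average(avg: float, current: int, exp_weight: int = 9) -> float:
    """Exponentially weighted moving average of queue depth (weight 2 ** -exp_weight)."""
    w = 2.0 ** -exp_weight
    return (1 - w) * avg + w * current


def drop_probability(avg_queue: float, dscp: int) -> float:
    """0 below the class's min threshold, a linear ramp to max_p between the
    thresholds, 1.0 (drop all) at or beyond the max threshold."""
    if avg_queue >= QUEUE_LIMIT:
        return 1.0                       # tail drop at the physical queue limit
    profile = WRED_PROFILES.get(dscp)
    if profile is None:
        return 0.0                       # no WRED profile for this DSCP: tail drop only
    lo, hi, max_p = profile
    if avg_queue < lo:
        return 0.0
    if avg_queue >= hi:
        return 1.0
    return (avg_queue - lo) / (hi - lo) * max_p


def expected_drops(arrivals, exp_weight: int = 2):
    """Feed (dscp, instantaneous queue depth) samples through WRED and sum the drop
    probability per DSCP: the expected number of drops each class would see."""
    avg, expected = 0.0, {}
    for dscp, depth in arrivals:
        avg = update_average(avg, depth, exp_weight)
        expected[dscp] = expected.get(dscp, 0.0) + drop_probability(avg, dscp)
    return expected


# Constructed sample: queue depth climbing from 20 to 44 packets while AF11, AF12
# and AF13 packets arrive in rotation.
SAMPLE_ARRIVALS = [(d, 20 + i // 6) for i in range(150) for d in (10, 12, 14)]

if __name__ == "__main__":
    print({d: round(e, 1) for d, e in expected_drops(SAMPLE_ARRIVALS).items()})
```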

Congestion Avoidance Tools
IP ToS Byte Explicit Congestion Notification (ECN) Bits

IPv4 Packet: Version/Length | ToS Byte | Len | ID | Offset | TTL | Proto | FCS | IP SA | IP DA | Data

ToS Byte (bits 7–0): bits 7–2 = DiffServ Code Point (DSCP), bit 1 = ECT, bit 0 = CE

ECT Bit: ECN-Capable Transport
CE Bit: Congestion Experienced

RFC3168: IP Explicit Congestion Notification

Shaping Tools
Traffic Shaping

[Figure: Without Traffic Shaping, bursts reach the Line Rate; With Traffic Shaping, transmission is held to the Shaped Rate]
Traffic Shaping Limits the Transmit Rate to a Value Lower than Line Rate

• Policers typically drop traffic
• Shapers typically delay excess traffic, smoothing bursts and preventing unnecessary drops
• Very common on Non-Broadcast Multiple-Access (NBMA) network topologies such as Frame-Relay and ATM

Link-Specific Tools
Link-Fragmentation and Interleaving

[Figure: a Voice packet queued behind large Data packets. Serialization Can Cause Excessive Delay; With Fragmentation and Interleaving Serialization Delay Is Minimized]

• Serialization delay is the finite amount of time required to put frames on a wire
• For links ≤ 768 kbps serialization delay is a major factor affecting latency and jitter
• For such slow links, large data packets need to be fragmented and interleaved with smaller, more urgent voice packets

Link-Specific Tools
IP RTP Header Compression

Uncompressed VoIP packet: IP Header (20 Bytes) + UDP Header (8 Bytes) + RTP Header (12 Bytes) + Voice Payload
With cRTP the 40-byte IP/UDP/RTP header is compressed to 2–5 Bytes

cRTP Reduces L3 VoIP BW by:
  ~ 20% for G.711
  ~ 60% for G.729
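The arithmetic behind the two preceding slides (serialization delay and LFI fragment sizing for links at or below 768 kbps, and the L3 bandwidth saved by cRTP), as an added Python example that is not code from the original deck. The codec payload sizes and the 50 packets-per-second rate (20 ms samples) are standard values assumed here; the 10 ms fragment target is likewise an assumption.

```python
# Added example (not from the original deck): serialization-delay, LFI
# fragment-size and cRTP bandwidth arithmetic for slow WAN links.
from typing import Optional, Tuple

IP_UDP_RTP_HEADER = 20 + 8 + 12   # bytes, as on the cRTP slide
CRTP_HEADER_RANGE = (2, 5)        # compressed header, bytes, as on the cRTP slide
LFI_MAX_LINK_KBPS = 768           # LFI slide: links at or below this need fragmentation

CODECS = {                        # codec -> (payload bytes per packet, packets per second)
    "G.711": (160, 50),           # 64 kbps codec, 20 ms per packet (assumed)
    "G.729": (20, 50),            # 8 kbps codec, 20 ms per packet (assumed)
}


def serialization_delay_ms(frame_bytes: int, link_kbps: float) -> float:
    """Time to clock one frame onto the link: bits / kbps gives milliseconds."""
    return frame_bytes * 8 / link_kbps


def needs_lfi(link_kbps: float) -> bool:
    return link_kbps <= LFI_MAX_LINK_KBPS


def lfi_fragment_bytes(link_kbps: float, target_ms: float = 10.0) -> int:
    """Largest fragment whose serialization delay stays within target_ms on this link."""
    return int(link_kbps * target_ms / 8)


def voip_l3_kbps(codec: str, crtp_header_bytes: Optional[int] = None) -> float:
    """Layer-3 bandwidth of one call with the full 40-byte header or a cRTP header."""
    payload, pps = CODECS[codec]
    header = IP_UDP_RTP_HEADER if crtp_header_bytes is None else crtp_header_bytes
    return (payload + header) * 8 * pps / 1000


def crtp_savings(codec: str) -> Tuple[float, float]:
    """Fraction of L3 bandwidth saved by cRTP: (2-byte header case, 5-byte header case)."""
    base = voip_l3_kbps(codec)
    best, worst = CRTP_HEADER_RANGE
    return (1 - voip_l3_kbps(codec, best) / base, 1 - voip_l3_kbps(codec, worst) / base)


if __name__ == "__main__":
    for link in (64, 256, 768, 1544):
        print(f"{link} kbps: 1500-byte frame takes {serialization_delay_ms(1500, link):.1f} ms,"
              f" LFI {'required' if needs_lfi(link) else 'not required'},"
              f" fragment size {lfi_fragment_bytes(link)} bytes for a 10 ms target")
    for codec in CODECS:
        lo, hi = crtp_savings(codec)
        print(f"{codec}: {voip_l3_kbps(codec)} kbps per call; cRTP saves {hi:.0%} to {lo:.0%}")
```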

QOS DESIGN PRINCIPLES AND STRATEGIES

Voice QoS Requirements
Provisioning for Voice

Voice traffic characteristics:
• Smooth
• Benign
• Drop sensitive
• Delay sensitive
• UDP priority

One-Way Requirements:
• Latency ≤ 150 ms
• Jitter ≤ 30 ms
• Loss ≤ 1%
• 17–106 kbps guaranteed priority bandwidth per call
• 150 bps (+ Layer 2 overhead) guaranteed bandwidth for Voice-Control traffic per call
• CAC must be enabled

Video QoS Requirements
Provisioning for Interactive Video

Video traffic characteristics:
• Bursty
• Greedy
• Drop sensitive
• Delay sensitive
• UDP priority

One-Way Requirements:
• Latency ≤ 150 ms
• Jitter ≤ 30 ms
• Loss ≤ 1%
• Minimum priority bandwidth guarantee required is: Video-stream + 20%
  e.g. a 384 kbps stream would require 460 kbps of priority bandwidth
• CAC must be enabled

Data QoS Requirements
Provisioning for Data

Data traffic characteristics:
• Smooth/bursty
• Benign/greedy
• Drop insensitive
• Delay insensitive
• TCP retransmits

• Different applications have different traffic characteristics
• Different versions of the same application can have different traffic characteristics
• Classify data into four/five data classes model:
  Mission-critical apps
  Transactional/interactive apps
  Bulk data apps
  Best effort apps
  Optional: Scavenger apps

Data QoS Requirements
Provisioning for Data (Cont.)

• Use four/five main traffic classes:
  Mission-critical apps—business-critical client-server applications
  Transactional/interactive apps—foreground apps: client-server apps or interactive applications
  Bulk data apps—background apps: FTP, e-mail, backups, content distribution
  Best effort apps—(default class)
  Optional: Scavenger apps—peer-to-peer apps, gaming traffic
• Additional optional data classes include internetwork-control (routing) and network-management
• Most apps fall under best-effort; make sure that adequate bandwidth is provisioned for this default class

Scavenger-Class QoS DoS/Worm Mitigation Strategy
What Is the Scavenger Class?

• The Scavenger class is an Internet 2 Draft Specification for a “less-than best effort” service
• There is an implied “good faith” commitment for the “best effort” traffic class
  It is generally assumed that at least some network resources will be available for the default class
• Scavenger class markings can be used to distinguish out-of-profile/abnormal traffic flows from in-profile/normal flows
  The Scavenger class marking is DSCP CS1 (8)
• Scavenger traffic is assigned a “less-than best effort” queuing treatment whenever congestion occurs

Scavenger-Class QoS DoS/Worm Mitigation Strategy
First Order Anomaly Detection

• All end systems generate traffic spikes
• Sustained traffic loads beyond ‘normal’ from each source device are considered suspect and marked as scavenger (DSCP CS1)
• No dropping at campus access-edge, only remarking

[Figure: an access-edge policer with a Normal/Abnormal Threshold; Excess Traffic Is Remarked to Scavenger (DSCP CS1)]

Scavenger-Class QoS DoS/Worm Mitigation Strategy
Second Order Anomaly Reaction

• During ‘abnormal’ worm traffic conditions, where multiple infected hosts are causing uplink congestion, suspect traffic—previously marked as Scavenger—is aggressively dropped
• Stations not generating abnormal traffic volumes continue to receive network service

[Figure: the access-edge policer feeding a congested uplink; Throttle Scavenger (when Congested)]
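The two-stage strategy of the preceding two slides, as an added Python example that is not code from the original deck: stage 1 (campus access edge) only remarks each host's traffic above its "normal" threshold to DSCP CS1, and stage 2 (a congested uplink) serves the other classes first and throttles CS1 to a minimal share. The threshold, uplink capacity and the three hosts' traffic are constructed for illustration.

```python
# Added example (not from the original deck): a deterministic model of
# access-edge Scavenger remarking followed by Scavenger throttling on a
# congested uplink. All traffic figures are constructed.
from collections import defaultdict

CS1 = 8  # Scavenger marking


def access_edge_remark(packets, normal_bytes_per_interval):
    """Stage 1, per-source policer: bytes beyond the normal threshold in this
    interval keep flowing but are remarked CS1; nothing is dropped here."""
    seen = defaultdict(int)
    out = []
    for host, dscp, size in packets:
        seen[host] += size
        out.append((host, CS1 if seen[host] > normal_bytes_per_interval else dscp, size))
    return out


def uplink_schedule(packets, capacity_bytes, scavenger_share=0.01):
    """Stage 2: under congestion, non-Scavenger classes are served first and CS1
    gets max(its minimal share, whatever capacity is left). Returns delivered
    and dropped bytes keyed by (host, dscp)."""
    demand = defaultdict(int)
    for host, dscp, size in packets:
        demand[(host, dscp)] += size
    other = sum(b for (h, d), b in demand.items() if d != CS1)
    scav = sum(b for (h, d), b in demand.items() if d == CS1)
    if other + scav <= capacity_bytes:        # no congestion: everything is forwarded
        return dict(demand), {}
    scav_cap = min(scav, max(capacity_bytes * scavenger_share, capacity_bytes - other))
    other_cap = min(other, capacity_bytes - scav_cap)
    delivered, dropped = {}, {}
    for key, b in demand.items():
        pool, cap = (scav, scav_cap) if key[1] == CS1 else (other, other_cap)
        got = b * cap / pool if pool else 0   # proportional share within the class
        delivered[key] = got
        if got < b:
            dropped[key] = b - got
    return delivered, dropped


def delivered_fraction(delivered, offered_packets, host):
    sent = sum(size for h, _, size in offered_packets if h == host)
    got = sum(b for (h, _), b in delivered.items() if h == host)
    return got / sent if sent else 1.0


# Constructed one-second sample: two normal hosts and one host sending a flood
# of small packets, as a scanning worm would.
NORMAL_THRESHOLD = 3_000_000     # bytes per second treated as "normal" per host
UPLINK_CAPACITY = 10_000_000     # bytes per second available on the uplink
SAMPLE_PACKETS = (
    [("host-a", 0, 1500)] * 1334     # ~2 MB best effort
    + [("host-b", 18, 1500)] * 1334  # ~2 MB transactional data (AF21)
    + [("host-c", 0, 1000)] * 50000  # 50 MB, far beyond the normal threshold
)

if __name__ == "__main__":
    remarked = access_edge_remark(SAMPLE_PACKETS, NORMAL_THRESHOLD)
    delivered, dropped = uplink_schedule(remarked, UPLINK_CAPACITY)
    for host in ("host-a", "host-b", "host-c"):
        print(host, f"{delivered_fraction(delivered, remarked, host):.1%} delivered")
    print("dropped:", dropped)
```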

Scavenger-Class QoS DoS/Worm Mitigation Strategy
Preventing and Limiting the Pain

[Figure: an Infected Source in the Access layer attacking a System Under Attack across the Distribution and Core switches, with the point of application of each protection]

Prevent the Attack: Cisco Guard, Firewall, ACLs & NBAR
Protect the End Systems: Cisco Security Agent
Protect the Links: QoS, Scavenger Class
Protect the Switches: CEF, Rate Limiters

An Integrated Network Architecture Holistically Combines High Availability, Quality of Service and Security Technologies to Prevent and Limit Attacks

Classification and Marking Design Principles
Where and How Should Marking Be Done?

• QoS policies (in general) should always be performed in hardware, rather than software, whenever a choice exists
• Classify and mark applications as close to their sources as technically and administratively feasible
• Use DSCP markings whenever possible
• Follow standards-based DSCP PHBs to ensure interoperation and future expansion
  RFC 2474 class selector code points
  RFC 2597 assured forwarding classes
  RFC 3246 expedited forwarding

Classification and Marking
QoS Baseline/AIT Marking Recommendations

                                  L3 Classification               L2
  Application             IPP     PHB             DSCP           CoS
  Routing                  6      CS6             48              6
  Voice                    5      EF              46              5
  Video Conferencing       4      AF41            34              4
  Streaming Video          4      CS4             32              4
  Mission-Critical Data    3      -               25              3
  Call Signaling           3      AF31 → CS3*     26 → 24         3
  Transactional Data       2      AF21            18              2
  Network Management       2      CS2             16              2
  Bulk Data                1      AF11            10              1
  Scavenger                1      CS1              8              1
  Best Effort              0      0                0              0

Policing Design Principles
Where and How Should Policing Be Done?

• Police traffic flows as close to their sources as possible
• Perform markdown according to standards-based rules, whenever supported
  RFC 2597 specifies how assured forwarding traffic classes should be marked down (AF11 → AF12 → AF13), which should be done whenever DSCP-based WRED is supported on egress queues
  Cisco Catalyst platforms currently do not support DSCP-based WRED, so Scavenger-class remarking is a viable alternative
  Additionally, non-AF classes do not have a standards-based markdown scheme, so Scavenger-class remarking is a viable option

DoS/Worm Mitigation Design Principles
How Can QoS Tools Contain Attacks?

• Profile applications to determine what constitutes “normal” vs. “abnormal” flows (within a 95% confidence interval)
• Deploy campus access-edge policers to remark abnormal traffic to Scavenger
  DSCP CS1 (8)
• Deploy a second line of defense at the Distribution Layer via per-user microflow policing
  Cisco Catalyst 6500 Sup720 (PFC3) only
• Provision end-to-end “less-than-Best-Effort” Scavenger-class queuing policies
  Campus + WAN + VPN
• Police-to-drop known worms/variants via NBAR on branch routers

Queuing Design Principles
Where and How Should Queuing Be Done?

• The only way to provide service GUARANTEES is to enable queuing at any node that has the potential for congestion
  Regardless of how rarely—in fact—this may occur
• At least 25 percent of a link’s bandwidth should be reserved for the default Best Effort class
• Limit the amount of strict-priority queuing to 33 percent of a link’s capacity
• Whenever a Scavenger queuing class is enabled, it should be assigned a minimal amount of bandwidth
• To ensure consistent PHBs, configure consistent queuing policies in the Campus + WAN + VPN, according to platform capabilities
• Enable WRED on all TCP flows, whenever supported
  Preferably DSCP-based WRED

Campus Queuing Design
Realtime, Best Effort and Scavenger Queuing Rules

[Figure: link bandwidth divided among four queues]
  Real-Time: ≤ 33%
  Critical Data: the remaining bandwidth
  Best Effort: ≥ 25%
  Scavenger/Bulk: ≤ 5%

Campus and WAN/VPN Queuing Design
Compatible Four-Class and Eleven-Class Queuing Models
Following Realtime, Best Effort and Scavenger Queuing Rules

Four-Class Model:
  Real-Time ≤ 33%
  Critical Data
  Best Effort ≥ 25%
  Scavenger/Bulk 5%

Eleven-Class Model (fitting the same allocations):
  Real-Time (≤ 33%): Voice 18%, Interactive Video 15%
  Critical Data: Streaming-Video, Network Management, Internetwork-Control, Call-Signaling, Transactional Data, Mission-Critical Data
  Best Effort: 25%
  Scavenger/Bulk (5%): Scavenger 1%, Bulk 4%

LAN/WAN/VPN QoS Design Overview

Campus QoS Considerations
Where Is QoS Required Within the Campus?

[Figure: campus hierarchy from access ports with IP Phones + PCs (FastEthernet) through Catalyst 6500 Sup720 distribution switches (GigabitEthernet) to the core (TenGigabitEthernet), the WAN Aggregator and the Server Farms. Policies shown: No Trust + Policing + Queuing and Conditional Trust + Policing + Queuing at the access edge; Trust DSCP + Queuing on inter-switch, WAN-aggregator and server-farm links; Per-User Microflow Policing on the Catalyst 6500 Sup720]

WAN Edge QoS Design Considerations
QoS Requirements of WAN Aggregators

[Figure: Campus Distribution/Core Switches connect to the WAN Aggregator's LAN Edges; its WAN Edges connect to the WAN]

WAN Edges: Queuing/Dropping/Shaping/Link-Efficiency Policies for Campus-to-Branch Traffic

Branch Router QoS Design
QoS Requirements for Branch Routers

[Figure: the Branch Router sits between the WAN (WAN Edge) and the Branch Switch (LAN Edge)]

WAN Edge: Queuing/Dropping/Shaping/Link-Efficiency Policies for Branch-to-Campus Traffic
LAN Edge: Classification and Marking (+ NBAR) Policies for Branch-to-Campus Traffic
LAN Edge, Optional: DSCP-to-CoS Mapping Policies for Campus-to-Branch Traffic

MPLS VPN QoS Design
Where Is QoS Required in MPLS VPN Architectures?

[Figure: CE Router → PE Router → P Routers (MPLS VPN) → PE Router → CE Router]

Required:
  CE-to-PE Queuing/Shaping/Remarking/LFI
  PE Ingress Policing and Remarking
  PE-to-CE Queuing/Shaping/LFI
Optional:
  Core DiffServ or MPLS TE Policies

At-a-Glance Summaries

QoS Tools (Slide 64)

QoS is the measure of transmission quality and service availability of a network (or internetworks). The transmission quality of the network is determined by the following factors: Latency, Jitter and Loss.
[Figure: Delay (Latency), Delay-Variation (Jitter), Packet Loss]

QoS technologies refer to the set of tools and techniques to manage network resources and are considered the key enabling technologies for the transparent convergence of voice, video and data networks. Additionally, QoS tools can play a strategic role in significantly mitigating DoS/worm attacks.

Cisco's QoS toolset consists of the following:
• Classification and Marking tools
• Policing and Markdown tools
• Scheduling tools
• Link-specific tools
• AutoQoS tools

Classification and Marking

Classification can be done at Layers 2-7:
  L2 Frame
  L3 IP Packet (ToS/DSCP, Source IP, Dest IP)
  L4 TCP/UDP Segment (Src Port, Dst Port)
  L7 Data Payload (NBAR PDLM)

Marking can be done at Layer 2 or Layer 3:
  Layer 2: 802.1Q/p CoS, MPLS EXP
  Layer 3: IP Precedence, DSCP and/or IP ECN

Layer 3 (IP ToS Byte) Marking Options (bits 7 down to 0):
  Bits 7-5: IP Precedence; bits 4-0: Unused
  Bits 7-2: DiffServ Code Point (DSCP), RFC 2474 DiffServ Extensions
  Bits 1-0: IP ECN, RFC 3168 IP ECN Bits

Cisco recommends end-to-end marking at Layer 3 with standards-based DSCP values.

Policing and Markdown

Policing tools can complement marking tools by metering flows and marking-down out-of-contract traffic.

Policers meter traffic into three categories:
• Conform: traffic is within the defined rate (green light)
• Exceed: moderate bursting is allowed (yellow light)
• Violate: no more traffic is allowed beyond this upper-limit (red light)

Scheduling (Queuing and Selective-Dropping)

Scheduling tools re-order and selectively-drop packets whenever congestion occurs.
[Figure: Voice, Video and Data packets sorted into separate queues and re-ordered onto the link]

Traffic Shaping / Link-Specific Mechanisms

Link-Specific tools are useful on slow-speed WAN/VPN links and include shaping, compression, fragmentation and interleaving.

AutoQoS

AutoQoS features automatically configure Cisco-recommended QoS on Catalyst switches and IOS routers with just one or two commands.

szigeti@cisco.com 2004
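The three policer outcomes above (conform, exceed, violate) and the markdown of out-of-contract traffic, worked through in code. This is an added example, not code from the deck or from Cisco IOS: a single-rate three-color token-bucket meter in the style of RFC 2697, with constructed rates, packet sizes and timestamps, that transmits conforming packets unchanged, marks exceeding AF traffic down one drop-precedence step (AFx1 to AFx2, following RFC 2597) and, by default, drops violating packets as the slide describes. The optional markdown-on-violate action (a second step, to AFx3) is an assumption added to show the full AFx1/AFx2/AFx3 ladder that DSCP-based WRED later acts on.

```python
"""Single-rate three-color policer with AF markdown.

Added example, not Cisco code. Rates, burst sizes, packet sizes and timestamps
below are constructed so that every outcome appears. CIR is in bytes/second
here for simplicity (an IOS 'police' statement takes CIR in bits/second and
burst sizes in bytes).
"""

CONFORM, EXCEED, VIOLATE = "conform", "exceed", "violate"


def markdown(dscp: int) -> int:
    """Raise the drop precedence of an AF codepoint by one step
    (AFx1 -> AFx2 -> AFx3), per RFC 2597 where AFxy = 8x + 2y.
    Non-AF codepoints and AFx3 are returned unchanged."""
    cls, rem = divmod(dscp, 8)
    if 1 <= cls <= 4 and rem in (2, 4):
        return dscp + 2
    return dscp


class SrTCM:
    """Single-rate three-color marker: cir in bytes/second, cbs/ebs in bytes.

    Two token buckets: the committed bucket (cbs) decides 'conform', the
    excess bucket (ebs) absorbs moderate bursting and decides 'exceed';
    anything beyond both is 'violate'."""

    def __init__(self, cir: float, cbs: int, ebs: int, now: float = 0.0):
        self.cir, self.cbs, self.ebs = cir, cbs, ebs
        self.tc, self.te = float(cbs), float(ebs)  # both buckets start full
        self.last = now

    def _refill(self, now: float) -> None:
        # Tokens arrive at CIR; the committed bucket fills first and any
        # overflow spills into the excess bucket (RFC 2697 behaviour).
        tokens = (now - self.last) * self.cir
        self.last = now
        to_c = min(tokens, self.cbs - self.tc)
        self.tc += to_c
        self.te = min(self.ebs, self.te + tokens - to_c)

    def meter(self, size: int, now: float) -> str:
        self._refill(now)
        if self.tc >= size:
            self.tc -= size
            return CONFORM
        if self.te >= size:
            self.te -= size
            return EXCEED
        return VIOLATE


def police(packets, policer: SrTCM, violate_action: str = "drop"):
    """Run (size, timestamp, dscp) packets through the policer.

    conform: transmit unchanged; exceed: transmit marked down one step;
    violate: 'drop' (the slide's red light) or, as an assumed alternative,
    'markdown' two steps (e.g. AF11 -> AF13). Returns (color, dscp-or-None)."""
    out = []
    for size, ts, dscp in packets:
        color = policer.meter(size, ts)
        if color == CONFORM:
            out.append((color, dscp))
        elif color == EXCEED:
            out.append((color, markdown(dscp)))
        elif violate_action == "markdown":
            out.append((color, markdown(markdown(dscp))))
        else:
            out.append((color, None))  # None = dropped
    return out


# Constructed burst: four 1500-byte AF11 (DSCP 10) packets back to back at
# t=0, then one more a second later, against CIR 8000 B/s, CBS 3000 B, EBS 1500 B.
SAMPLE = [(1500, 0.0, 10)] * 4 + [(1500, 1.0, 10)]

if __name__ == "__main__":
    for color, dscp in police(SAMPLE, SrTCM(cir=8000, cbs=3000, ebs=1500)):
        print(color, dscp)
```

With the constructed burst the first two packets conform, the third fits only the excess bucket and leaves marked AF12, the fourth violates, and after one second of refill the fifth conforms again. Running the same input with `violate_action="markdown"` shows the fourth packet leaving as AF13, the codepoint DSCP-based WRED would discard first under congestion.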
`

`

The QoS Baseline (Slide 65)

The QoS Baseline is a strategic document designed to unify QoS within Cisco. The QoS Baseline provides uniform, standards-based recommendations to help ensure that QoS products, designs and deployments are unified and consistent.

The QoS Baseline defines up to 11 classes of traffic that may be viewed as critical to a given enterprise. A summary of these classes and their respective standards-based markings and recommended QoS configurations is shown below.

  Application          L3 Classification   Recommended Configuration                   Referencing Standard
                       PHB      DSCP
  IP Routing           CS6      48         Rate-Based Queuing + RED                    RFC 2474-4.2.2
  Voice                EF       46         RSVP Admission Control + Priority Queuing   RFC 3246
  Interactive-Video    AF41     34
  Streaming Video      CS4      32
  Mission-Critical     AF31     26
  Call-Signaling       CS3      24
  Transactional Data   AF21     18
  Network Mgmt         CS2      16
  Bulk Data            AF11     10
  Scavenger            CS1      8
  Best Effort          0        0
RFC

The IP Routing class is intended for IP Routing protocols, such as BGP, OSPF, etc.

Interactive-Video refers to IP Video-Conferencing; Streaming Video is either unicast or multicast uni-directional video.

The (Locally-Defined) Mission-Critical class is intended for a subset of Transactional Data applications that contribute most significantly to the business objectives (this is a non-technical assessment).

The Call-Signaling class is intended for voice and/or video signaling traffic, such as Skinny, SIP, H.323, etc.

The Network Management class is intended for network management protocols, such as SNMP, Syslog, DNS, etc.

Standards-based marking recommendations allow for better integration with service-provider offerings as well as other internetworking scenarios.

In Cisco IOS, rate-based queuing translates to CBWFQ; priority queuing is LLQ. DSCP-Based WRED (based on RFC 2597) drops AFx3 before AFx2, and in turn drops AFx2 before AFx1. RSVP is recommended (whenever supported) for Voice and/or Interactive-Video admission control.
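The ToS-byte layout from the QoS Tools slide and the PHB/DSCP table above, served by one added example (not code from the deck): a small decoder that splits a ToS byte into its DSCP, the IP Precedence field it overlaps, and the ECN bits, names the PHB using the RFC 2474/2597/3246 arithmetic (CSx = 8x, AFxy = 8x + 2y, EF = 46), and looks the DSCP up in the Baseline class table transcribed from the slide. The sample ToS values are constructed; a capture decoder or a log-enrichment script would apply the same bit splits.

```python
"""Decode and encode the IP ToS byte (RFC 2474 DSCP in bits 7-2, RFC 3168 ECN
in bits 1-0) and name the DiffServ PHB a codepoint selects.

Added example, not code from the Cisco deck. QOS_BASELINE is transcribed from
the slide's table; the PHB naming rules come from RFC 2474, 2597 and 3246.
"""

# DSCP -> QoS Baseline class (transcribed from the slide).
QOS_BASELINE = {
    48: "IP Routing",
    46: "Voice",
    34: "Interactive-Video",
    32: "Streaming Video",
    26: "Mission-Critical",
    24: "Call-Signaling",
    18: "Transactional Data",
    16: "Network Mgmt",
    10: "Bulk Data",
    8: "Scavenger",
    0: "Best Effort",
}


def split_tos(tos: int) -> dict:
    """Split one ToS byte into DSCP (high 6 bits), the IP Precedence value it
    stays backward-compatible with (high 3 bits), and the ECN field (low 2 bits)."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS byte must be 0..255")
    return {"dscp": tos >> 2, "precedence": tos >> 5, "ecn": tos & 0b11}


def make_tos(dscp: int, ecn: int = 0) -> int:
    """Build a ToS byte from a 6-bit DSCP and a 2-bit ECN value."""
    if not 0 <= dscp <= 63 or not 0 <= ecn <= 3:
        raise ValueError("dscp must be 0..63 and ecn 0..3")
    return (dscp << 2) | ecn


def phb_name(dscp: int) -> str:
    """Name the standard PHB for a DSCP value.

    EF = 46 (RFC 3246); AFxy = 8x + 2y for class x in 1..4 and drop
    precedence y in 1..3 (RFC 2597); CSx = 8x (RFC 2474 class selectors,
    the same bit pattern as IP Precedence x). Any other value is a
    non-standard codepoint and is reported as DSCPn."""
    if dscp == 46:
        return "EF"
    if dscp % 8 == 0:
        return f"CS{dscp // 8}"
    cls, rem = divmod(dscp, 8)
    if 1 <= cls <= 4 and rem in (2, 4, 6):
        return f"AF{cls}{rem // 2}"
    return f"DSCP{dscp}"


def describe(tos: int) -> str:
    """One-line summary of a ToS byte, as a capture decoder might print it."""
    f = split_tos(tos)
    cls = QOS_BASELINE.get(f["dscp"], "not a Baseline class")
    return (f"tos=0x{tos:02x} dscp={f['dscp']} ({phb_name(f['dscp'])}) "
            f"prec={f['precedence']} ecn={f['ecn']} -> {cls}")


if __name__ == "__main__":
    # Constructed ToS values: EF voice, AF41 video, AF11 bulk, CS1 scavenger,
    # best effort, and CS6 routing.
    for tos in (0xB8, 0x88, 0x28, 0x20, 0x00, 0xC0):
        print(describe(tos))
```

The `precedence` field shows why the slide can list IP Precedence, DSCP and ECN in the same byte: the class-selector codepoints (CS0 to CS7) occupy exactly the three bits that an IP-Precedence-only device reads, so a CS6 routing packet is still seen as precedence 6 by older equipment, while the ECN bits below the DSCP are left untouched by marking.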
