BRKRST2500
Marta Ferreyra
Network Consulting Engineer
Advanced Services
CCIE # 8672 - R&S – Voice
BRKRST-2500_c2 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 1
Agenda
Introduction and Best Practices
Campus QoS Design Considerations
Cisco Catalyst® QoS Capabilities
2960/3560/3750 and 3560-E/3750-E
Cisco Catalyst 4500 and 4948 QoS Design
(Sup II+ through Sup 6-E)
Cisco Catalyst 6500 QoS Design
QoS Deployment
Trust Boundary—Access Edge
Distribution/Core
Queuing
Catalyst 4500 and 6500
Control Plane Policing
Summary
Why Enable QoS?
HA, Security, and QoS Are Interdependent Technologies
(Figure: Security, Quality of Service and High Availability shown as three interdependent pillars.)
QoS:
Enables UC and other collaborative applications
Drives productivity by enhancing service levels to mission-critical applications
Cuts costs by bandwidth optimization
Helps maintain network availability in the event of DoS/worm attacks
Enabling QoS in the Network
Traffic Profiles and Requirements
(Figure: Voice, Video and Data traffic across an IP WAN, with the delay components CODEC, Queuing, Serialization, Propagation and Network delay, and the Jitter Buffer.)
Classification and Marking
Where Should It Be Done?
Classification and marking should be performed as close as technically
feasible to the sources so that prioritization may be implemented at
congestion points throughout the network; DSCP should be used
wherever possible…
(Figure: Access, Distribution and WAN Edge layers. The Trust Boundary is at the access layer: classify and mark traffic at the physical port, and queue on uplinks to Distribution. Classification and initial marking happen at the LAN edge; subsequent points in the network can trust pre-assigned DSCP markings.)
DiffServ QoS Recommendations (RFC 4594-Based)
How Should Traffic Be Marked?
Application Class        | Per-Hop Behavior | Admission Control | Queuing & Dropping         | Application Examples
VoIP Telephony           | EF               | Required          | Priority Queue (PQ)        | Cisco IP Phones (G.711, G.729)
Broadcast Video          | CS5              | Required          | (Optional) PQ              | Cisco IP Video Surveillance / Cisco Enterprise TV
Multimedia Conferencing  | AF4              | Required          | BW Queue + DSCP WRED       | Cisco Unified Personal Communicator
Multimedia Streaming     | AF3              | Recommended       | BW Queue + DSCP WRED       | Cisco Digital Media System (VoDs)
Transactional Data       | AF2              |                   | BW Queue + DSCP WRED       | Cisco WebEx® / MeetingPlace® / ERP Apps
Bulk Data                | AF1              |                   | BW Queue + DSCP WRED       | E-mail, FTP, Backup Apps, Content Distribution
Scavenger                | CS1              |                   | Min BW Queue (Deferential) | YouTube, iTunes, BitTorrent, Xbox Live
Policing Design Principles
Where and How Should Policing Be Done?
Policing shall be applied as close to the traffic source as possible; in general, policing should be applied at the access layer of the network at the “Trust Boundary” during the initial classification and marking process. Policing policies can be configured to drop offending traffic, or they can be configured to mark down excess traffic, specifying a different PHB or method of treatment.
Data example: the ingress policy includes a policer for data traffic, using a baseline value. Traffic conforming to the policer is marked as 0. For excess traffic, the policer will ‘mark down’ to CS1 (DSCP 8), as opposed to dropping (Scavenger, RFC 3662).
Video example: the ingress policy for video conferencing marks conforming traffic to AF41, while excess traffic is tagged as AF42 and violating traffic is marked as AF43 (Assured Forwarding, RFC 2597).
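As an added example (it is not from the slides and not Cisco code), the single-rate three-colour marker of RFC 2697 applied with the two marking policies just described: the data policy marks conforming traffic DSCP 0 and marks excess down to CS1 (a two-colour policer, so its excess bucket is 0), and the video policy marks AF41/AF42/AF43 by colour. The 128 kbps rate and 16000-byte burst reuse the `police 128000 16000` values from the Smartport macro slide later in the deck; the packet stream is constructed.

```python
from collections import Counter
from fractions import Fraction


def af_codepoint(af_class, drop_precedence):
    """RFC 2597 Assured Forwarding DSCP: 3-bit class, 2-bit drop precedence, low bit 0."""
    return (af_class << 3) | (drop_precedence << 1)


# DSCP values used on the slides (EF = 46, CS1 = 8, AF41/42/43 = 34/36/38)
DSCP = {"default": 0, "cs1": 8, "cs3": 24, "ef": 46,
        "af41": af_codepoint(4, 1), "af42": af_codepoint(4, 2), "af43": af_codepoint(4, 3)}


class SrTCM:
    """Single-rate three-colour marker (RFC 2697), colour-blind mode.

    Tokens are bytes; the committed bucket (cbs) refills at cir_bps and its
    overflow spills into the excess bucket (ebs).  Times are in milliseconds.
    """

    def __init__(self, cir_bps, cbs, ebs):
        self.cir_bps, self.cbs, self.ebs = cir_bps, cbs, ebs
        self.tc, self.te = Fraction(cbs), Fraction(ebs)   # both buckets start full
        self.last_ms = 0

    def colour(self, t_ms, size):
        # refill: cir_bps * dt_ms / 8000 bytes; Fraction keeps the arithmetic exact
        self.tc += Fraction(self.cir_bps * (t_ms - self.last_ms), 8000)
        self.last_ms = t_ms
        if self.tc > self.cbs:                 # committed bucket full: overflow to excess
            self.te = min(self.te + (self.tc - self.cbs), Fraction(self.ebs))
            self.tc = Fraction(self.cbs)
        if size <= self.tc:
            self.tc -= size
            return "conform"
        if size <= self.te:
            self.te -= size
            return "exceed"
        return "violate"


# policer actions: colour -> DSCP to set (None would mean drop)
DATA_MARKDOWN = {"conform": DSCP["default"], "exceed": DSCP["cs1"], "violate": DSCP["cs1"]}
VIDEO_AF4 = {"conform": DSCP["af41"], "exceed": DSCP["af42"], "violate": DSCP["af43"]}


def constructed_stream():
    """Constructed input: a 40-packet burst of 1000-byte packets at t=0, then 20 more one second later."""
    return [(0, 1000)] * 40 + [(1000, 1000)] * 20


def police_and_mark(packets, policer, actions):
    """Return a Counter of the DSCP each packet leaves with ('drop' if the action is None)."""
    out = Counter()
    for t_ms, size in packets:
        dscp = actions[policer.colour(t_ms, size)]
        out["drop" if dscp is None else dscp] += 1
    return out


def video_demo():
    # 128 kbps, 16000-byte committed burst and 16000-byte excess burst
    return police_and_mark(constructed_stream(), SrTCM(128000, 16000, 16000), VIDEO_AF4)


def data_demo():
    # two-colour behaviour: no excess bucket, everything beyond cbs is marked down to CS1
    return police_and_mark(constructed_stream(), SrTCM(128000, 16000, 0), DATA_MARKDOWN)


if __name__ == "__main__":
    print("video:", dict(video_demo()))   # {34: 32, 36: 16, 38: 12}
    print("data: ", dict(data_demo()))    # {0: 32, 8: 28}
```

In the first burst only 16 packets fit the committed bucket; the next 16 are coloured yellow (AF42) because the excess bucket still has tokens, and the last 8 are red (AF43). One second later the committed bucket has refilled exactly, so 16 packets conform again and the remaining 4 are red because nothing overflowed into the excess bucket.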
Scavenger-Class
What Is the Scavenger Class?
Queuing Design Principles
Where Should It Be Done?
Queuing should be performed wherever there may be potential for congestion (even if a rare occurrence), ensuring consistency between Campus/WAN/VPN networks…
(Figure: Core, Distribution and Access layers, each with an egress queuing policy.)
1) […] allocated to Best Effort (BE) Class
2) Priority Queue (PQ) given maximum of 33%
3) Scavenger should be provisioned with a minimal bandwidth allocation ~ 5%
4) Congestion Avoidance enabled on select TCP flows in non-PQ Egress Queuing Policy
Campus Queuing Design
Real-Time, Best Effort, and Scavenger Queuing Rules
(Figure: bandwidth split across four classes)
Real-Time ≤ 33%
Best Effort ≥ 25%
Scavenger/Bulk ≤ 5%
Critical Data
Campus QoS Considerations
Establishing Trust Boundaries
(Figure: campus topology with numbered trust-boundary placements 1, 3 and 4.)
4 Trust boundary defined on ingress port of distribution switch
Campus QoS Considerations
Conditional-Trust Boundary Extension and Operation
(Figure: a PC on VLAN 10 connected through a Cisco IP Phone to the access switch; the trust boundary sits at the phone.)
1 Switch: “I See You’re an IP Phone, So I Will Trust Your CoS”
2 Phone sets CoS 5 for VoIP and CoS 3 for call-signaling traffic (Voice CoS 5, Signaling CoS 3)
3 PC sets CoS 5 for all traffic; all PC traffic is reset to CoS 0
4 Switch trusts CoS from phone and maps CoS to DSCP for output queuing: CoS 5 = DSCP 46, CoS 3 = DSCP 24, CoS 0 = DSCP 0
Campus QoS Considerations
Conditional-Trust Boundary for Cisco TelePresence
(Figure: TelePresence codec and Cisco Unified 7970G IP Phone at the access edge; the trust boundary is at these endpoints.)
3 TelePresence Primary Codec: Voice + Video CoS 4 & DSCP CS4; Call-Signaling CoS 3 & DSCP CS3
4 CoS-to-DSCP Map: CoS 5 = DSCP EF (46); CoS 4 = DSCP CS4 (32); CoS 3 = DSCP CS3 (24)
Note: As 2–6 data ports are available for PC connections (as part of the TelePresence tables), it is recommended to disable the PC port in the back of the Cisco Unified 7970G IP Phone (from within CallManager)
Campus QoS Access Edge Trust Models
Access Edge Trust Boundary
Ingress Policy Enforcement—End User Policy
(Figure: VLAN-based policies at the access edge. Voice VLAN (VLAN-Based Policy): Network Control, Multimedia Conferencing, Multimedia Streaming, Broadcast Video. Data VLAN (VLAN-Based Policy): Low-Latency / Transactional Data.)
Access Edge Trust Boundary
Ingress Policy Enforcement—Media Endpoints
(Figure: media endpoints and the policy map applied to each. Traffic markings: VOD policy: Network Control, BROADCAST-VID CS5, AF3x, class-default 0. VIDEO-CONF policy: Network Control, RT-INTERACTIVE CS4, AF4x, class-default 0. End User Policy: VoIP Telephony, Call-Signaling, Multimedia Conferencing. Traffic exits towards the WAN / Internet.)
*Requires “[mls] qos vlan-based” command
With Port Based QoS, QoS policies are applied to a physical interface. The policy manages traffic only on the port the policy is applied to.
With VLAN Based QoS, the QoS policy is applied to the VLAN interface. Traffic through all associated switch ports is managed by that policy.
By default, Catalyst switches will refer to policies assigned to the physical port. Ports defined as a “switchport” can be told to use the policy attached to its parent VLAN interface; this is known as VLAN-based QoS.
Campus QoS Design Considerations
Per Port-/Per VLAN-Based QoS
(Figure: the ingress port trust state (IP Phone, trunk) determines the assigned marking value: trust CoS, trust IPP, or trust DSCP.)
Campus QoS Considerations
Internal Mapping Tables (Cont.)—Default Behavior
(Figure: a frame arriving with 802.1p = 1, IPP = 5, DSCP = 44 on an untrusted port is assigned internal DSCP = 0 and leaves with 802.1p = 0, IPP = 0, DSCP = 0.)
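As an added example that is not part of the slides or of Cisco code, the following Python model shows the ingress trust decision from the conditional-trust and default-behavior slides: which internal DSCP a frame receives for each port trust state, how the phone's PC port resets the PC's CoS, and the egress rewrite that turns an untrusted frame's IPP 5 / DSCP 44 into all-zero markings. The CoS-to-DSCP map is the modified one shown on the slides (CoS 5 = DSCP 46, whereas the IOS default maps CoS 5 to 40); the trust-state names and the frames are constructed for the model.

```python
# CoS-to-DSCP map shown on the slides (CoS 5 -> EF 46, CoS 4 -> CS4 32, CoS 3 -> CS3 24).
# Index is CoS 0..7.  The IOS default map would send CoS 5 to DSCP 40 instead.
COS_TO_DSCP = (0, 8, 16, 24, 32, 46, 48, 56)


def dscp_to_cos(dscp):
    """Default DSCP-to-CoS map: CoS is the top three bits of the DSCP (0-7 -> 0, ..., 40-47 -> 5)."""
    return dscp >> 3


def ip_precedence(dscp):
    """IP Precedence is the same top three bits; DSCP 44 carries IPP 5, as on the slide."""
    return dscp >> 3


def internal_dscp(trust, frame, phone_detected=False):
    """Internal DSCP assigned on ingress for a given port trust state (model, not IOS).

    trust: "none" (untrusted), "cos", "dscp", or "cos-conditional"
           ('mls qos trust device cisco-phone' with 'mls qos trust cos': CoS is trusted only
           while a Cisco IP Phone is detected on the port, otherwise the port is untrusted).
    frame: dict with "cos" (802.1p) and "dscp" as received.
    """
    if trust == "cos-conditional":
        trust = "cos" if phone_detected else "none"
    if trust == "dscp":
        return frame["dscp"]
    if trust == "cos":
        return COS_TO_DSCP[frame["cos"]]
    return 0            # untrusted: every frame is remarked to internal DSCP 0


def egress_marking(dscp):
    """Markings rewritten on egress from the internal DSCP (default DSCP-to-CoS map)."""
    return {"802.1p": dscp_to_cos(dscp), "ipp": ip_precedence(dscp), "dscp": dscp}


def phone_pc_port(frame, extend_cos=0):
    """Model of the phone's PC port: the phone re-marks every PC frame to `extend_cos`."""
    return {"cos": extend_cos, "dscp": frame["dscp"]}


def trust_demo():
    """The scenario from the conditional-trust slide; returns the internal DSCP per flow."""
    voice = {"cos": 5, "dscp": 46}      # phone VoIP bearer
    signal = {"cos": 3, "dscp": 24}     # phone call signalling
    pc = {"cos": 5, "dscp": 46}         # PC sets CoS 5 (and DSCP 46) on all of its traffic
    return {
        "phone voice": internal_dscp("cos-conditional", voice, phone_detected=True),
        "phone signalling": internal_dscp("cos-conditional", signal, phone_detected=True),
        "pc behind phone": internal_dscp("cos-conditional", phone_pc_port(pc), phone_detected=True),
        "pc directly on port": internal_dscp("cos-conditional", pc, phone_detected=False),
        "pc on trust-dscp port": internal_dscp("dscp", pc),
    }


if __name__ == "__main__":
    for flow, dscp in trust_demo().items():
        print(f"{flow:22s} internal DSCP {dscp:2d} -> egress {egress_marking(dscp)}")
    # the default-behavior slide: 802.1p 1 / IPP 5 / DSCP 44 on an untrusted port
    print(egress_marking(internal_dscp("none", {"cos": 1, "dscp": 44})))
```

The last two entries of `trust_demo()` are the security point of the slide: the same PC frame marked CoS 5 / DSCP 46 is reset to 0 when it arrives through the phone or directly on a conditionally trusted port without a phone, but it keeps EF on a port that trusts DSCP unconditionally.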
Campus QoS Considerations
Typical Campus Oversubscription Ratios
Campus networks are always designed with oversubscription in mind to take advantage of the bursty nature of traffic and the assumption that not all users are requiring bandwidth simultaneously…
(Figure: Access to Distribution typically 20:1 ratio; Distribution to Core typically 4:1 ratio.)
Campus QoS Design Considerations
Catalyst Hardware Queuing
All Catalyst switches have hardware based queues, which can differ depending on the module, supervisor or port ASIC used. They are depicted using the notation of 1PxQyT, where x represents the number of normal Queues and y represents the number of thresholds within those normal Queues…
(Figure: 1p3q8t on a single port: 1 Priority Queue and 3 Normal Queues, each normal queue with Drop Thresholds 1 through 8.)
Campus QoS Design Considerations
Allocating Buffer Capacity
Each port has a finite amount of memory that is specifically reserved for buffering traffic during
times of contention. Although the total amount of buffer capacity for egress traffic may be fixed
for a given port, how that memory is distributed amongst the queues is configurable.
Catalyst 2960/3560/3750 + 3560-E and 3750-E
QoS Model
(Figure: Traffic → Classify → Policer → Marker → Ingress Queues (SRR) → Stack Ring → Egress Queues (SRR).)
Classification
• Inspect incoming packets
• Based on ACLs or configuration, determine classification label
Policing
• Ensure conformance to a specified rate
• On an aggregate or individual flow basis
• Up to 256 policers per Port ASIC
• Support for rate and burst
Marking
• Act on policer decision
• Reclass or drop out-of-profile
Ingress Queue/Schedule (Congestion Control)
• Two queues/port ASIC shared servicing
• One queue is configurable for strict priority servicing
• WTD for congestion control (three thresholds per queue)
• SRR is performed
Egress Queue/Schedule (Congestion Control)
• Four SRR queues/port shared or shaped servicing
• One queue is configurable for strict priority servicing
• WTD for congestion control (three thresholds per queue)
• Egress queue shaping
• Egress port rate limiting
Catalyst 2960/3560/3750 + 3560-E
and 3750-E
Platform-Specific QoS Design Considerations
QoS disabled by default
Full DSCP-range is supported
Classification can be done by trust states, standard and advanced IP
ACLs, or MAC ACLs
Supports classification, marking, and policing by port or by Switched Virtual Interface (SVI) via hierarchical class maps on Cisco Catalyst 2970, 3560, and 3750 (not yet on Cisco Catalyst 2960)
Minimum policing granularity is 8 kbps
Supports 4Q3T queuing or 1P3Q3T queuing (Egress)
Q1 can be configured as a priority queue
Queues can operate in shaped or sharing modes
Each interface can be assigned to one of two queue-sets
Congestion avoidance algorithm is Weighted Tail Drop (WTD)
Catalyst 2960/3560/3750 + 3560-E and 3750-E
Shaping vs. Sharing Queue Management
Sharing
Gets a portion of the output bytes; e.g. a share of 25 equates to 25% of the link bandwidth
Can expand into other shared or shaped queues
Cat3750-E(config-if)# srr-queue bandwidth share 1 70 25 5
Shaping
Throttles the outbound traffic to achieve a predefined average rate; a shape
value of 10 means the queue will shape traffic to 1/10th of the interface speed
Does not exceed the shaped value
*Takes precedence over sharing
Cat3750-E(config-if)# srr-queue bandwidth shape 3 0 0 0
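As an added example (not from the slides and not Cisco code), a Python model of the SRR egress scheduler with Q1 as the strict-priority queue, using the share weights 1 70 25 5 and the shape value 3 from this slide. It shows why the queuing rules earlier in the deck cap the priority queue at about a third of the link: with an unshaped PQ a flood into Q1 starves every other queue, while a shaped PQ leaves the shared queues their 70:25:5 split. The scheduler is a simplified model (equal-sized packets, one per slot, shared queues served by weighted fair share) and the backlogs are constructed; `allocation_violations()` checks a percentage plan against the Best Effort / Real-Time / Scavenger rules.

```python
from fractions import Fraction


def simulate_srr(backlog, share_weights, pq_shape=None, slots=300):
    """Model of a 3750-style egress port with Q1 as the strict-priority queue.

    backlog:       packets waiting in Q1..Q4 (equal-sized packets, one sent per slot)
    share_weights: 'srr-queue bandwidth share w1 w2 w3 w4'; Q1's weight is ignored because
                   'priority-queue out' services Q1 ahead of the shared queues
    pq_shape:      None for an unshaped priority queue, or n for
                   'srr-queue bandwidth shape n 0 0 0' (Q1 limited to 1/n of the link)
    Returns the number of packets transmitted from each queue.
    """
    backlog, sent = list(backlog), [0, 0, 0, 0]
    rate = Fraction(1, pq_shape) if pq_shape else None
    tokens = Fraction(0)
    for _ in range(slots):
        if rate is not None:
            tokens = min(tokens + rate, Fraction(1))   # shaper: one packet of burst
        if backlog[0] and (rate is None or tokens >= 1):
            backlog[0] -= 1
            sent[0] += 1
            if rate is not None:
                tokens -= 1
            continue
        # shared queues: serve the backlogged queue that is furthest below its weighted share
        ready = [q for q in (1, 2, 3) if backlog[q] and share_weights[q] > 0]
        if not ready:
            continue
        q = min(ready, key=lambda i: Fraction(sent[i], share_weights[i]))
        backlog[q] -= 1
        sent[q] += 1
    return sent


def allocation_violations(best_effort, real_time, scavenger, critical):
    """Check a four-class bandwidth split (percent) against the campus queuing rules."""
    problems = []
    if best_effort + real_time + scavenger + critical != 100:
        problems.append("allocations do not sum to 100%")
    if best_effort < 25:
        problems.append("Best Effort below 25%")
    if real_time > 33:
        problems.append("Real-Time above 33%")
    if scavenger > 5:
        problems.append("Scavenger/Bulk above 5%")
    return problems


if __name__ == "__main__":
    flood = [10_000] * 4    # constructed: every queue permanently backlogged, e.g. a flood into Q1
    print("shaped PQ:  ", simulate_srr(flood, (1, 70, 25, 5), pq_shape=3))   # [100, 140, 50, 10]
    print("unshaped PQ:", simulate_srr(flood, (1, 70, 25, 5)))               # [300, 0, 0, 0]
    print(allocation_violations(25, 33, 5, 37))                               # []
```

With the shaper, Q1 gets exactly one slot in three (the 33% rule) and the remaining 200 slots split 140:50:10, which is the 70:25:5 share; without it, Q1 takes all 300 slots and best-effort traffic never leaves the port.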
Catalyst 2960/3560/3750 + 3560-E and 3750-E
Egress Port Rate-Limiting
(Figure: Egress Port Rate Limiter on a Catalyst 3750-E.)
Port-based bandwidth limiting can be configured from 10% to 90%.
Cisco Catalyst 4500 (Sup II+ Through Sup V-10GE) and 4948
QoS Model
Catalyst 4500 implements a sophisticated suite of QoS features
These QoS features are implemented with three major components
TCAMs (Policers)
(Figure: NFL TCAM, FWD ASIC TCAM, DBL and Sched ASIC.)
Cisco Catalyst 4500 (Sup II+ Through
Sup V-10GE) and 4948
Platform-Specific QoS Design Considerations
QoS disabled by default
Classification can be done by trust states, standard and
advanced IP ACLs
No “mls” prefix in command syntax
Policing rates can use ‘k’, ‘m’, or ‘g’ for kbps, mbps, or gbps
Supports per-port/per-VLAN policing
SupV-10GE supports User-Based Rate Limiting (UBRL)
Minimum policing granularity is 8 kbps
Supports 4Q1T queuing or 1P3Q1T queuing
Q3 can be configured as a priority queue
DSCP values can be mapped to queues
Supports bandwidth allocation and shaping (per queue) on certain linecards
Congestion avoidance algorithm is Dynamic Buffer Limiting (DBL)
Cisco Catalyst 4500 Supervisor 6-E QoS
QoS Model
(Figure: RX → Ingress/Egress Classify and Police Actions (TCAM) → Packet Buffers with Dynamic Buffer Limiting and per-port Classify On Ingress → Egress Queues 1 to 8, one of them a User Defined SP Queue, with Shaping, Sharing and Scheduling → TX.)
Cisco Catalyst 4500 Supervisor-6E QoS
Platform-Specific QoS Design Considerations
QoS enabled
(QoS does not have to be explicitly globally enabled)
Cisco Catalyst 4500 Supervisor-6E QoS
QoS Design Considerations (QoS-Groups)
Catalyst 6500 QoS
QoS Model
(Figure: INGRESS: RX → Classify & Police → Queue / Priority Q / ARB. EGRESS: Rewrite → Queue / Priority Q → WRR / ARB → TX.)
Incoming encap can be ISL, 802.1Q or None (802.1p/ISL CoS field); the ToS field is in the IP header
DSCP based classification is based on “trusted port” and on layer 2 info with ACL, layer 3 info with ACL and layer 4 info with ACL
Each queue has configurable thresholds; some have WRED (except PQ)
Outgoing encap can be ISL, 802.1Q or None
Cisco Catalyst 6500 (PFC2/PFC3)
Platform Specific QoS Design Considerations
NBAR on Supervisor 32 PISA
Network-Based Application Recognition
NBAR Policy can mark HTTP data as high priority and rate limit both E-Donkey and Netshow traffic, ensuring priority for internal HTTP traffic
(Figure: Link Utilization by application: E-Donkey 60%, Netshow 30%, HTTP 5%, E-mail 25%.)
PISA – Enhanced QoS Trust Boundary
Dynamic detection of CUCM signaled media
(Figure: SCCP call setup between the phone and CUCM: OpenReceiveChannelAck, StartMediaTransmission.)
PDLM matches on the bearer path (RTP media stream) associated with SCCP call setup (12.2(18)ZYA)
Unique RTP flow originating from phone is determined based on the Source and Destination IP address and UDP port numbers identified in the SCCP signaling messages
Cisco Catalyst QoS Deployment
Globally Enabling QoS in Cisco IOS
Cisco IOS
Catalyst-IOS# show mls qos
QoS is disabled globally ! By default QoS is disabled
Catalyst-IOS#
Catalyst-IOS# config t
Catalyst-IOS(config)# mls qos ! Enables QoS globally
Catalyst(config)#end
Cisco Catalyst QoS Deployment
Globally Enabling QoS in Cisco IOS (Catalyst 4500)
CAT4500#show qos
QoS is disabled globally ! By default QoS is disabled
IP header DSCP rewrite is enabled
CAT4500#conf term
Enter configuration commands, one per line. End with CNTL/Z.
CAT4500(config)#qos ! Enables QoS globally for the Cat4500
CAT4500(config)#end
CAT4500#
CAT4500#show qos
QoS is enabled globally ! Verifies that QoS is enabled globally
IP header DSCP rewrite is enabled
CAT4500#
Cisco Catalyst QoS Deployment
Trust Boundary Policy—Access Edge (Port-Based Policy)
Catalyst(config)# ip access-list extended RealTime-Voice-ACL
Catalyst(config-ext-nacl)# permit udp any any range 16384 32767
Catalyst(config)# ip access-list extended Signaling-ACL
Catalyst(config-ext-nacl)# permit tcp any any range 1718 1721
Catalyst(config-ext-nacl)# permit tcp any any range 2000 2002
Catalyst(config-ext-nacl)# permit tcp any any range 2427 2428
Catalyst(config-ext-nacl)# permit tcp any any range 3230 3235
Catalyst(config-ext-nacl)# permit tcp any any eq 1731
Catalyst(config-ext-nacl)# permit tcp any any eq 1560
Catalyst(config-ext-nacl)# permit udp any any range 11000 11999
Cisco Catalyst QoS Deployment
Trust Boundary Policy—Access Edge (VLAN-Based Policy)
Catalyst(config)# ip access-list extended RealTime-Voice-ACL
Catalyst(config-ext-nacl)# permit udp any any range 16384 32767
Catalyst(config)# ip access-list extended Signaling-ACL
Catalyst(config-ext-nacl)# permit tcp any any range 1718 1721
Catalyst(config-ext-nacl)# permit tcp any any range 2000 2002
Catalyst(config-ext-nacl)# permit tcp any any range 2427 2428
Catalyst(config-ext-nacl)# permit tcp any any range 3230 3235
Catalyst(config-ext-nacl)# permit tcp any any eq 1731
Catalyst(config-ext-nacl)# permit tcp any any eq 1560
Catalyst(config-ext-nacl)# permit udp any any range 11000 11999
Cisco Catalyst QoS Deployment
Trust Boundary Policy—Access Edge (Advanced)
*Per VLAN/ Per Port Policing
3750-E
Cat3750-E(config)# mls qos map policed-dscp 0 24 to 8
Cisco Catalyst QoS Deployment
Trust Boundary Policy—Access Edge (Advanced) (Cont.)
*Per VLAN/ Per Port Policing
3750-E
Cat3750-E(config)# policy-map Mark-VVLAN
Cat3750-E(config-pmap)# class Voice-Bearer
Cat3750-E(config-pmap-c)# set dscp ef
Cat3750-E(config-pmap-c)# service-policy Police-128k
Cat3750-E(config-pmap)# class Voice-Signal
Cat3750-E(config-pmap-c)# set dscp cs3
Cat3750-E(config-pmap-c)# service-policy Police-32k
Cisco Catalyst QoS Deployment
Trust Boundary Policy—Access Edge (Auto QoS)
CAT3750-E(config-if)#auto qos voip cisco-phone
Options: <snip>
auto qos voip cisco-phone
auto qos voip cisco-softphone
auto qos voip trust
Resulting configuration:
mls qos
!
class-map match-all AutoQoS-VoIP-RTP-Trust
match ip dscp ef
class-map match-all AutoQoS-VoIP-Control-Trust
match ip dscp cs3 af31
policy-map AutoQoS-Police-CiscoPhone
class AutoQoS-VoIP-RTP-Trust
set dscp ef
police 320000 8000 exceed-action policed-dscp-transmit
class AutoQoS-VoIP-Control-Trust
set dscp cs3
police 32000 8000 exceed-action policed-dscp-transmit
!
interface GigabitEthernet1/0/1
srr-queue bandwidth share 10 10 60 20
queue-set 2
priority-queue out
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
service-policy input AutoQoS-Police-CiscoPhone
AutoQoS is available starting in IOS on the 6500 in 12.2(33)SXH
Cisco Catalyst QoS Deployment
Trust Boundary Policy—Access Edge (Smartport Macros)
Catalyst(config)# macro name UNTRUST-ENDPT
! Define Macro Name
Enter macro commands one per line. End with the character '@'.
service-policy input MARK
! Define commands to apply to interface
@
Catalyst(config)#
Global Policy Defined:
policy-map MARK
class Voice-Bearer
set dscp ef
police 128000 16000 exceed-action drop
class Signaling
set dscp cs3
police 32000 8000 exceed-action drop
class All-Traffic
set dscp default
Cisco Catalyst QoS Deployment
Distribution/Core Layer QoS—Preserving Markings
Once the trust boundary is defined and the DSCP markings are
established at the access edge, measures must be taken to ensure
those markings are preserved through the campus infrastructure.
Catalyst 2960/3560/3750 + 3560-E and 3750-E
Queuing Design: 1P3Q3T—Part 3
CAT3750(config)# mls qos queue-set output 1 buffers 15 20 25 40
! Assigns buffers to queues: Q1 15%; Q2 20%; Q3 25%; Q4 40%
CAT3750(config)# mls qos queue-set output 1 threshold 1 75 200 100 400
! Sets Q1 Threshold 1 to 75% and Q1 Threshold 2 to 200% (then reserved 100% and maximum 400%)
CAT3750(config)# mls qos queue-set output 1 threshold 2 80 100 100 400
! Sets Q2 Threshold 1 to 80% and Q2 Threshold 2 to 100%
CAT3750(config)# mls qos queue-set output 1 threshold 3 60 100 100 400
! Sets Q3 Threshold 1 to 60% and Q3 Threshold 2 to 100%
CAT3750(config)# mls qos queue-set output 1 threshold 4 40 800 50 1600
! Sets Q4 Threshold 1 to 40% and Q4 Threshold 2 to 800%
CAT3750(config)#
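As an added example rather than slide or Cisco code, the following Python model shows how the thresholds configured above behave under Weighted Tail Drop: each queue of the queue-set gets its buffer share, and a packet is admitted only while the queue's occupancy stays below the threshold its DSCP was mapped to (on the 3750 that mapping is done with `mls qos srr-queue output dscp-map queue ... threshold ...`). The model is simplified: the third value (reserved) and the common buffer pool are not modelled, the maximum is treated as a hard cap, and the 2000-unit port buffer and the packet arrivals are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class WtdQueue:
    """One egress queue of a queue-set (simplified WTD model, not Cisco code)."""
    name: str
    allocated: int      # buffer units given to this queue by 'buffers' (percent of the port buffer)
    threshold1: int     # percent of `allocated`: first WTD threshold
    threshold2: int     # percent of `allocated`: second WTD threshold
    maximum: int        # percent of `allocated`: threshold 3, the queue maximum (hard cap here)
    occupancy: int = 0
    dropped: dict = field(default_factory=dict)

    def limit(self, threshold):
        """Occupancy limit in buffer units for packets mapped to threshold 1, 2 or 3."""
        pct = {1: self.threshold1, 2: self.threshold2, 3: self.maximum}[threshold]
        return self.allocated * pct // 100

    def enqueue(self, size, threshold):
        """Weighted tail drop: admit only if the queue stays within the packet's threshold."""
        if self.occupancy + size > self.limit(threshold):
            self.dropped[threshold] = self.dropped.get(threshold, 0) + 1
            return False
        self.occupancy += size
        return True

    def dequeue(self, size):
        """Scheduler drained `size` units from this queue."""
        self.occupancy = max(0, self.occupancy - size)


def build_queue_set(port_buffer, buffers, thresholds):
    """buffers: four percentages (the 'buffers' command); thresholds: per queue (t1, t2, reserved, max)."""
    return [WtdQueue(f"Q{i + 1}", port_buffer * buffers[i] // 100, t[0], t[1], t[3])
            for i, t in enumerate(thresholds)]


def threshold_demo():
    """Queue-set 1 from the slide on a constructed 2000-unit port buffer; Q1 gets 300 units."""
    qs = build_queue_set(2000, (15, 20, 25, 40),
                         ((75, 200, 100, 400), (80, 100, 100, 400),
                          (60, 100, 100, 400), (40, 800, 50, 1600)))
    q1 = qs[0]
    # constructed: 240 one-unit packets mapped to threshold 2 arrive while the port is congested
    admitted_t2 = sum(q1.enqueue(1, 2) for _ in range(240))
    t1_packet = q1.enqueue(1, 1)   # threshold 1 limit is 300 * 75 / 100 = 225: dropped
    t2_packet = q1.enqueue(1, 2)   # threshold 2 limit is 300 * 200 / 100 = 600: admitted
    return admitted_t2, t1_packet, t2_packet, q1.occupancy


if __name__ == "__main__":
    print(threshold_demo())   # (240, False, True, 241)
```

The point of the two thresholds is visible in the last two calls: once the queue holds more than 225 units, traffic mapped to the lower threshold (the classes you are willing to sacrifice first) is tail-dropped while traffic on the higher threshold is still admitted, so a burst of low-value traffic cannot push more important traffic in the same queue out of the buffer.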
Cisco Catalyst 4500
Sup II+ - SupV-10GE
Queuing Design: (1P3Q1T + DBL)
Application              DSCP
Network Control          CS6
VoIP Telephony           EF
Broadcast Video          CS5
Multimedia Conferencing  AF4x
Realtime Interactive     CS4
Multimedia Streaming     AF3x
Call Signaling           CS3
Transactional Data       AF2x
Ops/Admin/Management     CS2
High Throughput          AF1x
Low Priority             CS1
Best Effort              DF
1P3Q1T queue assignment:
Q3 (30%) Priority Queue: EF, CS5
Queue 4 (30%): CS4/AF4x, AF3x, AF2x
Queue 2 (15%): CS6, CS3, CS2
Queue 1 (25%): DF, CS1/AF1x
Cisco Catalyst 4500 QoS
Dynamic Buffer Limiting
Problem: DoS flows with a large number of packets per second (pps)
• Take as much bandwidth as possible
• Not responding to congestion notification
• Causing the transmit queue to fill and performance degradation
Solution: DBL (Dynamic Buffer Limiting)
• Automatically drops packets from belligerent traffic flows
Cisco Catalyst 4500
Sup II+ - SupV-10GE
Queuing Design: (1P3Q1T + DBL)—Part 1
CAT4500-SUP4(config)#qos dbl
! Globally enables DBL
CAT4500-SUP4(config)#qos dbl exceed-action ecn
! Optional: Enables DBL to mark RFC 3168 ECN bits in the IP ToS Byte
CAT4500-SUP4(config)#
CAT4500-SUP4(config)#qos map dscp 0 to tx-queue 1
! Maps DSCP 0 (Best Effort) to Q1
CAT4500-SUP4(config)#qos map dscp 8 10 12 14 to tx-queue 1
! Maps DSCP CS1 (Scavenger) and AF11/AF12/AF13 (Bulk) to Q1
CAT4500-SUP4(config)#qos map dscp 16 to tx-queue 2
! Maps DSCP CS2 (Net-Mgmt) to Q2
CAT4500-SUP4(config)#qos map dscp 18 20 22 to tx-queue 4
! Maps DSCP AF21/AF22/AF23 (Transactional) to Q4
CAT4500-SUP4(config)#qos map dscp 24 to tx-queue 2
! Maps DSCP CS3 (Call-Signaling) to Q2
CAT4500-SUP4(config)#qos map dscp 26 28 30 to tx-queue 4
! Maps DSCP AF31/AF32/AF33 to Q4
CAT4500-SUP4(config)#qos map dscp 32 34 36 38 to tx-queue 4
! Maps DSCP CS4 (Str-Video) and AF41/AF42/AF43 (Int-Video) to Q4
CAT4500-SUP4(config)#qos map dscp 40 46 to tx-queue 3
! Maps DSCP EF (VoIP) to Q3 (PQ)
CAT4500-SUP4(config)#qos map dscp 48 to tx-queue 2
! Maps DSCP CS6 (Network Control) to Q2
CAT4500-SUP4(config)#policy-map DBL
CAT4500-SUP4(config-pmap)#class Internetwork Control
CAT4500-SUP4(config-pmap)#class Voice
CAT4500-SUP4(config-pmap)#class Telepresence
CAT4500-SUP4(config-pmap)#class class-default
CAT4500-SUP4(config-pmap-c)# dbl ! Enables DBL for targeted traffic flows
Cisco Catalyst 4500
Sup II+ - SupV-10GE
Queuing Design: (1P3Q1T + DBL)—Part 2 (FE + GE)
CAT4500-SUP4(config)#interface range FastEthernet2/1 - 48
CAT4500-SUP4(config-if-range)# service-policy output DBL
CAT4500-SUP4(config-if-range)# tx-queue 3
CAT4500-SUP4(config-if-tx-queue)# priority high ! Enables Q3 as PQ
CAT4500-SUP4(config-if-tx-queue)# shape percent 30 ! Shapes PQ to 30%
CAT4500-SUP4(config-if-tx-queue)# exit
CAT4500-SUP4(config-if-range)#exit
CAT4500-SUP4(config)#
Cisco Catalyst 4500—Sup-6E
Queuing Design (1P7Q1T + DBL)
Application              DSCP
Network Control          CS6
VoIP Telephony           EF
Broadcast Video          CS5
Multimedia Conferencing  AF41
Realtime Interactive     CS4
Multimedia Streaming     AF31
Call Signaling           CS3
Transactional Data       AF21
Ops/Admin/Mgt            CS2
High Throughput          AF11
Low Priority             CS1
Best Effort              DF
1P7Q1T queue assignment:
Priority Queue (30%): EF, CS5
Control/OAM (10%): CS6, CS3, CS2
Critical (30%): CS4/AF4x, AF3x, AF2x
Best Effort (25%): DF
Bulk (5%): CS1/AF11
Cisco Catalyst 4500—Sup-6E
Queuing Design (1P7Q1T + DBL)—Part 1
4500-SUP6E(config)# class-map match-any REALTIME
4500-SUP6E(config-cmap)# match dscp ef cs5
4500-SUP6E(config)# class-map match-any CONTROL
4500-SUP6E(config-cmap)# match dscp cs6 cs3 cs2
4500-SUP6E(config-cmap)# match access-group name ROUTING
4500-SUP6E(config)# class-map match-any CRITICAL
4500-SUP6E(config-cmap)# match qos-group 3
4500-SUP6E(config-cmap)# match dscp cs4 af41 af31 af21
4500-SUP6E(config)# class-map match-any BULK
4500-SUP6E(config-cmap)# match dscp cs1 af11
Cisco Catalyst 6500 QoS Design
Queuing Design (1P3Q8T)
Application (older class name)                  DSCP  CoS
Network Control (Internetwork Control)          CS6   CoS 6
VoIP Telephony (Voice)                          EF    CoS 5
Broadcast Video                                 CS5   CoS 5
Multimedia Conferencing (Interactive Video)     AF41  CoS 4
Real-Time Interactive (Streaming Video)         CS4   CoS 4
Multimedia Streaming (Mission-Critical Data)    AF31  CoS 3
Call Signaling                                  CS3   CoS 3
1P3Q8T queue assignment (as far as the figure is recoverable): Q4 is the Priority Queue for CoS 5; Queue 3 (70%) carries the remaining classes across thresholds Q3T4 (CoS 6 and 7), Q3T3, Q3T2 and Q3T1 (CoS 4, 3 and 2).
Cisco Catalyst 6500 QoS Design
Queuing Design (1P3Q8T)—Part 1
CAT6500-IOS(config)# interface range GigabitEthernet1/1 - 48
CAT6500-IOS(config-if)# wrr-queue queue-limit 25 35 20
! Allocates 25% for Q1, 35% for Q2 and 20% for Q3
CAT6500-IOS(config-if)# priority-queue queue-limit 20
! Allocates 20% of the buffers to the strict priority queue
CAT6500-IOS(config-if)# wrr-queue bandwidth 5 25 70
! Sets the WRR weights for 5:25:70 (Q1:Q2:Q3) bandwidth servicing
Cisco Catalyst 6500 QoS Design
Queuing Design (1P7Q4T)
Application              DSCP  CoS
Network Control          CS6   CoS 6
VoIP Telephony           EF    CoS 5
Broadcast Video          CS5   CoS 5
Multimedia Conferencing  AF41  CoS 4
Real-Time Interactive    CS4   CoS 4
Multimedia Streaming     AF31  CoS 3
(remaining rows of the table were not extracted)
1P7Q4T queue assignment (as far as the figure is recoverable): Q8 Priority Queue: EF, CS5; Queue 4 (10%): CS6 (Q4T3), CS3 (Q4T2), CS2 (Q4T1); Queue 3: AF21 (Q3T3), CS4/AF41 (Q3T2).
interface GigabitEthernet3/24
wrr-queue bandwidth 20 100 200
priority-queue queue-limit 5
wrr-queue queue-limit 65 15 15
wrr-queue random-detect min-threshold 1 70 100 100 100 100 100 100 100
wrr-queue random-detect min-threshold 2 70 100 100 100 100 100 100 100
wrr-queue random-detect min-threshold 3 40 40 50 50 60 60 70 70
wrr-queue random-detect max-threshold 1 100 100 100 100 100 100 100 100
wrr-queue random-detect max-threshold 2 100 100 100 100 100 100 100 100
wrr-queue random-detect max-threshold 3 70 70 80 80 90 90 100 100
wrr-queue cos-map 2 1 1 2
wrr-queue cos-map 3 5 3 4
wrr-queue cos-map 3 7 6 7
mls qos trust dscp
auto qos voip trust
end
Cisco Catalyst QoS Deployment
Queuing Design—(Smartport Macros)
Catalyst(config)# macro name UPLINK
! Define macro name
Enter macro commands one per line. End with the character '@'.
priority-queue out
srr-queue bandwidth share 1 70 25 5
queue-set 2
! Define commands to apply to interface
@
Catalyst(config)#
Catalyst(config)# macro name Tenant
! Define macro name
Enter macro commands one per line. End with the character '@'.
srr-queue bandwidth share 1 40 30 30
srr-queue bandwidth shape 5 0 0 0
queue-set 1
! Define commands to apply to interface
@
Catalyst(config)#
Control Plane Policing
Control Plane vs. Data Plane
Control Plane Policing
Hardening the Switches
(Figure: traffic to the CPU passes first through the Hardware Control Plane (Hardware Rate Limiters, Storm Control, ACL, QoS, Hardware Control-Plane Policing) and then through the Software Control Plane (Software Control-Plane Policing and the process-level IP Priority Queue and IP Normal Queue).)
Catalyst 4500 CoPP for DoS Mitigation
(Figure: Linecards → Forwarding ASICs → Data Backplane traffic → 16 CPU Queues → Switch CPU.)
Create the system-cpp-policy policy-map and attach it to the control-plane: “macro global apply system-cpp”
MQC-based Commands
**Available 12.2(31)SG
Control Plane Policing
Catalyst 6500 Multi-Level HW and SW Protection
Special-Case Rate Limiters Override Hardware Control Plane Policing
(Figure: traffic to the CPU → PFC3/DFC3 Hardware Rate-Limiters for special-case traffic → Hardware “Control-Plane” policy → Software “Control-Plane” → CPU.)
If a HWRL is configured, those packets that match a HWRL will bypass HW CoPP and be processed by the HWRL
If a HWRL is not configured or there is no match, those packets will be processed by HW CoPP
All packets processed by both HW CoPP and HWRL will be processed again by SW CoPP
Catalyst 6500 (PFC3) QoS Design
CPP Deployment Guide
Explicitly allow needed, known critical protocols such as BGP and EIGRP
  Conform and exceed action transmit
Define other required but not critical traffic such as ICMP, SNMP, SSH, telnet, and default
  Conform action transmit, exceed action drop