In this blog, we will look at an access layer switch configuration performing classification, marking, and policing. The policy incorporates the creation of a scavenger class to further leverage the preemptive security advantages of rolling out quality of service. Once QoS is deployed, the next Internet worm or denial of service attack can only utilize the resources that are not currently being utilized by good traffic receiving a bandwidth guarantee.
The policy that I will be explaining was borrowed from the Cisco QoS 3.3 SRND. I have chosen to remove the class-map and ACL configuration so we can focus on the classification, marking, and policing policy. Let’s dive right in!
CAT2970(config)#mls qos map policed-dscp 0 10 18 24 25 34 to 8
The configuration statement above defines the policed-DSCP map: when a policer's exceed action is policed-dscp-transmit, out-of-profile traffic carrying DSCP 0 (default), 10 (AF11), 18 (AF21), 24 (CS3), 25 (user-defined), or 34 (AF41) is remarked to DSCP 8 (class selector 1). Class selector 1 is used to identify the scavenger class. In a future blog we will explore the configuration of congestion avoidance (WRED or WTD) thresholds to ensure CS1 traffic is dropped first when there is congestion.
CAT2970(config)#policy-map IPPHONE+PC-ADVANCED
!
CAT2970(config-pmap)#class VVLAN-VOICE
CAT2970(config-pmap-c)# set ip dscp 46
CAT2970(config-pmap-c)# police 128000 8000 exceed-action drop
The VVLAN-VOICE class in the policy is matching on UDP ports 16384 through 32767 (RTP) and we are marking the traffic as expedited forwarding (EF), which has a DSCP decimal value of 46. The highest-quality voice over IP media (RTP) codec currently is G.722. The bandwidth requirements of the voice media are as follows:
G.722 codec: 64kbps
IP/UDP/RTP header: 16kbps
802.1Q Ethernet header: 8.8kbps
Total bandwidth 88.8kbps
The police statement polices the voice media traffic on the voice vlan to 128kbps and a burst of 8000 bytes (64kbps). Traffic that exceeds the CIR of 128kbps + Bc of 64kbps is dropped. The police statement would help limit a denial of service attack masquerading as voice media traffic.
CAT2970(config-pmap-c)#class VVLAN-CALL-SIGNALING
CAT2970(config-pmap-c)# set ip dscp 24
CAT2970(config-pmap-c)# police 32000 8000 exceed-action policed-dscp-transmit
The VVLAN-CALL-SIGNALING class is matching on Skinny Client Control Protocol (SCCP) signaling traffic on TCP port 2000 and marking the traffic as class selector 3 (DSCP 24). The policing statement will police the signaling traffic to 32kbps with a burst of up to 64kbps. Call signaling uses less than 600bps, but the 2960/2970/3560/3750 switches can only police traffic in 32kbps increments. Any signaling traffic exceeding 32kbps (+burst) will be marked down into the scavenger class. It would not be good to drop exceeding signaling traffic because a Cisco IP phone may need more than 32kbps when it is downloading firmware updates (LOAD ID), configuration files, and ringers.
CAT2970(config-pmap-c)#class VVLAN-ANY
CAT2970(config-pmap-c)# set ip dscp 0
CAT2970(config-pmap-c)# police 32000 8000 exceed-action policed-dscp-transmit
All other traffic coming from the voice vlan will be marked at default (DSCP 0) and policed to a rate of 32kbps (+burst). Traffic exceeding this rate will be transmitted, but marked down into the scavenger class (CS1). XML based Cisco IP phone applications will fall into this category.
CAT2970(config-pmap-c)#class DVLAN-PC-VIDEO
CAT2970(config-pmap-c)# set ip dscp 34
CAT2970(config-pmap-c)# police 480000 8000 exceed-action policed-dscp-transmit
The DVLAN-PC-VIDEO class matches on video traffic from the data vlan and marks the video traffic as AF41 (DSCP 34). The Cisco QoS 3.3 SRND uses an ACL that matches on the voice UDP port range to match on video (16384 – 32767), but this will not work. The Cisco Unified Video Advantage (CUVA) client sends video traffic over UDP 5445 by default. CUVA uses the H.264 video codec at 384kbps (plus overhead). The QoS policies are properly defined in the IP Telephony Endpoints chapter of the Call Manager 4.x SRND: http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/srnd/4x/42endpts.html
CAT2970(config-pmap-c)#class DVLAN-MISSION-CRITICAL-DATA
CAT2970(config-pmap-c)# set ip dscp 26
CAT2970(config-pmap-c)# police 5000000 8000 exceed-action policed-dscp-transmit
The DVLAN-MISSION-CRITICAL-DATA class matches on SAP traffic and marks the traffic as AF31 (DSCP 26). Although the interface the policy is attached to is Gigabit Ethernet, any traffic that exceeds 5Mbps will be marked into the scavenger class in case a DoS attack masquerades as SAP traffic. The mission critical data class should contain the company's most important data applications.
CAT2970(config-pmap-c)#class DVLAN-TRANSACTIONAL-DATA
CAT2970(config-pmap-c)# set ip dscp 18
CAT2970(config-pmap-c)# police 5000000 8000 exceed-action policed-dscp-transmit
The DVLAN-TRANSACTIONAL-DATA class has the same policy as mission critical, but this traffic is marked as AF21 because it is lower priority than the mission critical data class. The transactional data class normally matches on SQL Server, Citrix, Oracle, etc.
CAT2970(config-pmap-c)#class DVLAN-BULK-DATA
CAT2970(config-pmap-c)# set ip dscp 10
CAT2970(config-pmap-c)# police 5000000 8000 exceed-action policed-dscp-transmit
The DVLAN-BULK-DATA class policy is very similar to the last two policies, but the marking is AF11. The bulk data class normally matches on E-Mail, FTP, WWW, file transfers, etc.
CAT2970(config-pmap-c)#class class-default
CAT2970(config-pmap-c)# set ip dscp 0
CAT2970(config-pmap-c)# police 5000000 8000 exceed-action policed-dscp-transmit
Policy-maps are processed in a top down fashion. Any traffic that has not been marked by classes earlier in the policy is marked as default (DSCP 0). This traffic is policed at 5Mbps and exceeding traffic is marked down to CS1.
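To make the mechanics of the policy concrete, here is an added simulation (my own code, not the author's and not Cisco's) of the IPPHONE+PC-ADVANCED policy: top-down class lookup, marking, and a single-rate token-bucket policer whose exceed action is either drop or a remark through the policed-DSCP map above. The model is a textbook token bucket (bucket of Bc bytes refilled at CIR), which is a simplification of the Catalyst hardware policer; the match terms are the VLAN, protocol and ports the post describes, with the VLAN represented by a constructed "voice"/"data" label because the ACLs are not shown. The three DVLAN data classes are left out since their ACLs are not on the page. The G.722 stream (222-byte packets at 50 pps, the 88.8kbps the post adds up) and the floods are constructed inputs.

```python
from dataclasses import dataclass, field
from fractions import Fraction

# Markdown map from the page: mls qos map policed-dscp 0 10 18 24 25 34 to 8
CS1 = 8
POLICED_DSCP_MAP = {d: CS1 for d in (0, 10, 18, 24, 25, 34)}


@dataclass
class Packet:
    t_us: int          # arrival time in microseconds (integers keep the model exact)
    size: int          # bytes on the wire
    vlan: str          # constructed label "voice" or "data", standing in for the VLAN ACL
    proto: str = "udp"
    dport: int = 0
    dscp: int = 0


@dataclass
class Policer:
    """Single-rate, single-bucket token bucket: the shape of
    'police <bps> <burst-bytes> exceed-action ...' (simplified model, assumption)."""
    cir_bps: int
    bc_bytes: int
    exceed_action: str                      # "drop" or "policed-dscp-transmit"
    tokens: Fraction = field(init=False)
    last_us: int = field(init=False, default=0)

    def __post_init__(self):
        self.tokens = Fraction(self.bc_bytes)   # bucket starts full

    def police(self, pkt, dscp):
        """Return (action, dscp) for one already-marked packet."""
        # Refill for the time since the previous packet: CIR is bits/s, bucket is bytes.
        refill = Fraction((pkt.t_us - self.last_us) * self.cir_bps, 8_000_000)
        self.tokens = min(Fraction(self.bc_bytes), self.tokens + refill)
        self.last_us = pkt.t_us
        if pkt.size <= self.tokens:             # conforming: spend tokens, keep marking
            self.tokens -= pkt.size
            return "transmit", dscp
        if self.exceed_action == "drop":
            return "drop", None
        # policed-dscp-transmit: forward, but remark via the policed-DSCP map
        return "transmit", POLICED_DSCP_MAP.get(dscp, dscp)


def build_policy():
    """Fresh policer state per run. Rows: (class name, match, set-dscp, policer)."""
    return [
        ("VVLAN-VOICE",
         lambda p: p.vlan == "voice" and p.proto == "udp" and 16384 <= p.dport <= 32767,
         46, Policer(128_000, 8000, "drop")),
        ("VVLAN-CALL-SIGNALING",
         lambda p: p.vlan == "voice" and p.proto == "tcp" and p.dport == 2000,
         24, Policer(32_000, 8000, "policed-dscp-transmit")),
        ("VVLAN-ANY", lambda p: p.vlan == "voice",
         0, Policer(32_000, 8000, "policed-dscp-transmit")),
        ("DVLAN-PC-VIDEO",   # CUVA sends video on UDP 5445, as the post notes
         lambda p: p.vlan == "data" and p.proto == "udp" and p.dport == 5445,
         34, Policer(480_000, 8000, "policed-dscp-transmit")),
        ("class-default", lambda p: True,
         0, Policer(5_000_000, 8000, "policed-dscp-transmit")),
    ]


def run_policy(policy, packets):
    """Top-down class lookup (first match wins), then mark, then police."""
    out = []
    for pkt in sorted(packets, key=lambda p: p.t_us):
        for name, match, dscp, policer in policy:
            if match(pkt):
                out.append((name,) + policer.police(pkt, dscp))
                break
    return out


def g722_stream(seconds, dport=20000):
    """Constructed G.722 leg: 160 B payload + 40 B IP/UDP/RTP + 22 B 802.1Q Ethernet
    = 222 B every 20 ms (50 pps), i.e. 88.8 kbps."""
    return [Packet(t_us=i * 20_000, size=222, vlan="voice", proto="udp", dport=dport)
            for i in range(50 * seconds)]


def flood(pps, size, seconds, **fields):
    """Constructed constant-rate flood, e.g. junk aimed at the RTP port range."""
    return [Packet(t_us=i * (1_000_000 // pps), size=size, **fields)
            for i in range(pps * seconds)]


def summarize(results):
    """Count (class, action, dscp) triples, roughly what 'show policy-map interface' reports."""
    counts = {}
    for r in results:
        counts[r] = counts.get(r, 0) + 1
    return counts


if __name__ == "__main__":
    print("G.722 call:", summarize(run_policy(build_policy(), g722_stream(2))))
    rtp_flood = flood(1000, 1000, 1, vlan="voice", proto="udp", dport=20000)   # 8 Mbps
    print("flood on RTP ports:", summarize(run_policy(build_policy(), rtp_flood)))
    sccp_burst = flood(1000, 1000, 1, vlan="voice", proto="tcp", dport=2000)[:100]
    print("SCCP burst:", summarize(run_policy(build_policy(), sccp_burst)))
```

Running it shows the three behaviours the post describes: the 88.8kbps call never touches the 128kbps policer, an 8Mbps flood on the RTP ports gets only about CIR + Bc through (23 packets in the first second) and the rest dropped, and a 100-packet SCCP burst is forwarded in full but everything past the 8000-byte burst leaves the switch remarked to CS1 instead of CS3.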
REFERENCES
Implementing Cisco Quality of Service
http://www.globalknowledge.com/training/course.asp?pageid=9&courseid=757...
Advanced Cisco Quality of Service
http://www.globalknowledge.com/training/course.asp?pageid=9&courseid=936...
Enterprise QoS Solution Reference Network Design Guide
http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRN...
Dennis Hartmann, CCIE No. 15651, is a consultant with www.highpoint.com and author of Implementing Cisco Unified Communications Manager, Part 1. Dennis is also a lead instructor at Global Knowledge. Dennis has various certifications, including the Cisco CCVP, CCSI, CCNP, CCIP, and the Microsoft MCSE. Dennis has various specializations including unified communications, data center, routing & switching, service provider (MPLS and optical). Dennis has worked for various Fortune 500 companies, including AT&T, Sprint, Merrill Lynch, KPMG, and Cabletron Systems. He lives with his wife and children in Hopewell Junction, New York.
boring
boring.......... copy, paste, edit....