Switch QoS: Classification and Marking Example

In this blog, we will look at an access layer switch configuration performing classification, marking, and policing. The policy incorporates the creation of a scavenger class to further leverage the preemptive security advantages of rolling out quality of service. Once QoS is deployed, the next Internet worm or denial of service attack can only utilize the resources that are not currently being utilized for good traffic receiving a bandwidth guarantee. The policy that I will be explaining was borrowed from the Cisco QoS 3.3 SRND. I have chosen to remove the class-map and ACL configuration so we can focus on the classification, marking, and policing policy. Let’s dive right in!

CAT2970(config)#mls qos map policed-dscp 0 10 18 24 25 34 to 8

The configuration statement above will modify DSCP values 0 (default), 10 (AF11), 18 (AF21), 24 (CS3), 25 (user), or 34 (AF41) to DSCP 8 (class selector 1). Class selector 1 is used to identify the scavenger class. In a future blog we will explore the configuration of congestion avoidance (WRED or WTD) thresholds to ensure CS1 traffic is dropped when there is congestion.

CAT2970(config)#policy-map IPPHONE+PC-ADVANCED
!
CAT2970(config-pmap)#class VVLAN-VOICE
CAT2970(config-pmap-c)# set ip dscp 46
CAT2970(config-pmap-c)# police 128000 8000 exceed-action drop

The VVLAN-VOICE class in the policy matches on UDP ports 16384 through 32767 (RTP), and we mark the traffic as expedited forwarding (EF), which has a DSCP decimal value of 46. The highest quality voice over IP media (RTP) traffic is currently G.722. The bandwidth requirements of the voice media are as follows:

G.722 codec: 64kbps
IP/UDP/RTP header: 16kbps
802.1Q Ethernet header: 8.8kbps
Total bandwidth: 88.8kbps

The police statement polices the voice media traffic on the voice VLAN to 128kbps with a burst of 8000 bytes (64kbps). Traffic that exceeds the CIR of 128kbps + Bc of 64kbps is dropped.
The police statement would help limit a denial of service attack masquerading as voice media traffic.

CAT2970(config-pmap-c)#class VVLAN-CALL-SIGNALING
CAT2970(config-pmap-c)# set ip dscp 24
CAT2970(config-pmap-c)# police 32000 8000 exceed-action policed-dscp-transmit

The VVLAN-CALL-SIGNALING class matches on Skinny Client Control Protocol (SCCP) signaling traffic on TCP port 2000 and marks the traffic as class selector 3 (DSCP 24). The policing statement will police the signaling traffic to 32kbps with a burst of up to 64kbps. Call signaling uses less than 600bps, but the 2960/2970/3560/3750 switches can only police traffic in 32kbps increments. Any signaling traffic exceeding 32kbps (+burst) will be marked down into the scavenger class. It would not be good to drop exceeding signaling traffic, because the Cisco IP phone may need more than 32kbps when it is downloading firmware updates (LOAD ID), configuration files and ringers.

CAT2970(config-pmap-c)#class VVLAN-ANY
CAT2970(config-pmap-c)# set ip dscp 0
CAT2970(config-pmap-c)# police 32000 8000 exceed-action policed-dscp-transmit

All other traffic coming from the voice VLAN will be marked as default (DSCP 0) and policed to a rate of 32kbps (+burst). Traffic exceeding this rate will be transmitted, but marked down into the scavenger class (CS1). XML-based Cisco IP phone applications will fall into this category.

CAT2970(config-pmap-c)#class DVLAN-PC-VIDEO
CAT2970(config-pmap-c)# set ip dscp 34
CAT2970(config-pmap-c)# police 480000 8000 exceed-action policed-dscp-transmit

The DVLAN-PC-VIDEO class matches on video traffic from the data VLAN and marks the video traffic as AF41 (DSCP 34). The Cisco QoS 3.3 SRND uses an ACL that matches on the voice UDP port range to match on video (16384 – 32767), but this will not work. The Cisco Unified Video Advantage (CUVA) client sends video traffic over UDP 5445 by default. CUVA uses the H.264 video codec at 384kbps (plus overhead).
The QoS policies are properly defined in the IP Telephony Endpoints chapter of the Call Manager 4.x SRND: http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/srnd/4x/42endpts.html

CAT2970(config-pmap-c)#class DVLAN-MISSION-CRITICAL-DATA
CAT2970(config-pmap-c)# set ip dscp 26
CAT2970(config-pmap-c)# police 5000000 8000 exceed-action policed-dscp-transmit

The DVLAN-MISSION-CRITICAL-DATA class matches on SAP traffic and marks the traffic as AF31 (DSCP 26). Although the interface the policy is attached to is Gigabit Ethernet, any traffic that exceeds 5Mbps will be marked into the scavenger class in case a DoS attack masquerades as SAP traffic. The mission critical data class should contain the most important company data application.

CAT2970(config-pmap-c)#class DVLAN-TRANSACTIONAL-DATA
CAT2970(config-pmap-c)# set ip dscp 18
!
CAT2970(config-pmap-c)# police 5000000 8000 exceed-action policed-dscp-transmit

The DVLAN-TRANSACTIONAL-DATA class has the same policy as mission critical, but this traffic is marked as AF21 because it is lower priority than the mission critical data class. The transactional data class normally matches on SQL Server, Citrix, Oracle, etc.

CAT2970(config-pmap-c)#class DVLAN-BULK-DATA
CAT2970(config-pmap-c)# set ip dscp 10
CAT2970(config-pmap-c)# police 5000000 8000 exceed-action policed-dscp-transmit

The DVLAN-BULK-DATA class policy is very similar to the last two policies, but the marking is AF11. The bulk data class normally matches on e-mail, FTP, WWW, file transfers, etc.

CAT2970(config-pmap-c)#class class-default
CAT2970(config-pmap-c)# set ip dscp 0
CAT2970(config-pmap-c)# police 5000000 8000 exceed-action policed-dscp-transmit

Policy-maps are processed in a top-down fashion. Any traffic that has not been marked by classes earlier in the policy is marked as default (DSCP 0). This traffic is policed at 5Mbps and exceeding traffic is marked down to CS1.
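The policers walked through above, as an added Python model (not code from the original post or from Cisco): a token bucket applies each class's mark, rate, burst and exceed action to constructed flows. The refill model, packet sizes and packet rates are assumptions chosen for illustration.

```python
# Added model of the page's policers: a token bucket, not Cisco's hardware implementation.
# From the page: mls qos map policed-dscp 0 10 18 24 25 34 to 8
# DSCP values not listed keep their value (the default policed-DSCP map is an identity map).
POLICED_DSCP = {d: 8 for d in (0, 10, 18, 24, 25, 34)}

class Policer:
    def __init__(self, mark, rate_bps, burst_bytes, exceed):
        self.mark = mark                  # "set ip dscp" value
        self.rate_bps = rate_bps          # police rate, bits per second
        self.burst_bytes = burst_bytes    # police burst, bytes
        self.exceed = exceed              # "drop" or "policed-dscp-transmit"
        self.tokens = float(burst_bytes)  # bucket starts full
        self.last = 0.0

    def offer(self, t, size):
        """Return the DSCP the packet leaves with, or None if it is dropped."""
        refill = (t - self.last) * self.rate_bps / 8
        self.tokens = min(self.burst_bytes, self.tokens + refill)
        self.last = t
        if size <= self.tokens:           # conforming packet keeps its marking
            self.tokens -= size
            return self.mark
        if self.exceed == "drop":
            return None
        return POLICED_DSCP.get(self.mark, self.mark)

def run(policer, pps, size, seconds=10):
    """Offer a constant-rate flow; return bytes per outgoing DSCP (None = dropped)."""
    out = {}
    for i in range(pps * seconds):
        dscp = policer.offer(i / pps, size)
        out[dscp] = out.get(dscp, 0) + size
    return out

def demo():
    # Constructed flows: packets per second and packet sizes are assumptions.
    remark = "policed-dscp-transmit"
    return {
        "g722_call": run(Policer(46, 128000, 8000, "drop"), 50, 222),          # 88.8 kbps
        "fake_voice_flood": run(Policer(46, 128000, 8000, "drop"), 1000, 200), # 1.6 Mbps
        "signaling_burst": run(Policer(24, 32000, 8000, remark), 100, 500),    # 400 kbps
        "sap_excess": run(Policer(26, 5000000, 8000, remark), 1000, 1500),     # 12 Mbps
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

DSCP 26 is not listed in the page's policed-dscp map statement, and unlisted values keep their DSCP, so the model leaves exceeding mission-critical traffic at 26 rather than 8; compare the map against every class that uses policed-dscp-transmit.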
REFERENCES

Implementing Cisco Quality of Service
http://www.globalknowledge.com/training/course.asp?pageid=9&courseid=7578&catid=206&country=United+States

Advanced Cisco Quality of Service
http://www.globalknowledge.com/training/course.asp?pageid=9&courseid=9368&catid=206&country=United+States

Enterprise QoS Solution Reference Network Design Guide
http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND/QoS-SRND-Book.html

Copyright © 2009 IDG Communications, Inc.