Evil_TTL> show | s

QoS Classification and Marking


Before we start: there are tons of books written about QoS, and it is impossible to cover the topic completely here. Use these materials only for reference or as a starting point for further analysis.

Before deploying QoS in the network, you have to classify the traffic first. There are various tools you can use, and which ones you apply, and where and how, depends entirely on the situation. For example, you can start with NBAR if available. Then you can switch to SNMP monitoring tools. There's a handy free tool called Cacti that handles all the SNMP logs. You can also use NetFlow with the nfsen plugin for Cacti, or standalone software, to analyse the traffic. If you have time, you could use SLA as well to get even more statistics.

Assume you have gathered enough information, classified the traffic accordingly and prepared a classification table of some kind, perhaps like the following one:

QoS-Classification-and-Marking-10.png

Now we can mark the traffic as close to the source as possible. The access switch is usually the closest device to the source, so that is where we configure marking.

First come the ACLs:

! QOS-MANAGEMENT
ip access-list extended QOS-MANAGEMENT
permit tcp any any eq 22
permit tcp any any eq telnet
permit tcp any any eq 3389
exit

! QOS-MISSION-CRITICAL-DATA
ip access-list extended QOS-MISSION-CRITICAL-DATA
permit tcp 10.52.0.0 0.0.255.255 10.52.0.0 0.0.255.255 eq 53
permit udp 10.52.0.0 0.0.255.255 10.52.0.0 0.0.255.255 eq 53
permit udp 10.52.0.0 0.0.255.255 10.52.0.0 0.0.255.255 eq 123
permit udp 10.52.0.0 0.0.255.255 10.52.0.0 0.0.255.255 eq 67
permit udp 10.52.0.0 0.0.255.255 10.52.0.0 0.0.255.255 eq 68
permit udp 10.52.0.0 0.0.255.255 10.52.0.0 0.0.255.255 eq 2535
permit tcp 10.52.0.0 0.0.255.255 10.52.0.0 0.0.255.255 eq 389
permit udp 10.52.0.0 0.0.255.255 10.52.0.0 0.0.255.255 eq 389
permit tcp 10.52.0.0 0.0.255.255 10.52.0.0 0.0.255.255 eq 636
permit tcp 10.52.0.0 0.0.255.255 10.52.0.0 0.0.255.255 eq 3268
permit tcp 10.52.0.0 0.0.255.255 10.52.0.0 0.0.255.255 eq 3269
permit tcp 10.52.0.0 0.0.255.255 10.52.0.0 0.0.255.255 eq 88
permit udp 10.52.0.0 0.0.255.255 10.52.0.0 0.0.255.255 eq 88
permit tcp 10.52.0.0 0.0.255.255 10.52.0.0 0.0.255.255 eq 464
permit udp 10.52.0.0 0.0.255.255 10.52.0.0 0.0.255.255 eq 464
permit tcp 10.52.0.0 0.0.255.255 10.52.0.0 0.0.255.255 eq 445
permit udp 10.52.0.0 0.0.255.255 10.52.0.0 0.0.255.255 eq 445
permit tcp 10.52.0.0 0.0.255.255 10.52.0.0 0.0.255.255 eq 135
permit tcp 10.52.0.0 0.0.255.255 10.52.0.0 0.0.255.255 eq 5722
permit udp 10.52.0.0 0.0.255.255 10.52.0.0 0.0.255.255 eq 138
permit tcp 10.52.0.0 0.0.255.255 10.52.0.0 0.0.255.255 eq 9389
permit tcp 10.52.0.0 0.0.255.255 10.52.0.0 0.0.255.255 eq 137
permit udp 10.52.0.0 0.0.255.255 10.52.0.0 0.0.255.255 eq 137
permit tcp 10.52.0.0 0.0.255.255 10.52.0.0 0.0.255.255 eq 139
permit tcp 10.52.0.0 0.0.255.255 host 10.52.x.y eq 475
permit udp 10.52.0.0 0.0.255.255 host 10.52.x.y eq 475
exit

! QOS-TRANSACTIONAL-DATA
ip access-list extended QOS-TRANSACTIONAL-DATA
permit tcp 10.52.0.0 0.0.255.255 host 10.52.x.y eq 3260
permit tcp 10.52.0.0 0.0.255.255 10.52.0.0 0.0.255.255 eq 25
exit

! QOS-BULK-DATA
ip access-list extended QOS-BULK-DATA
permit tcp any any eq 3128
permit tcp any any eq 80
permit tcp any any eq 443
permit tcp any any eq 20
permit tcp any any eq 21
exit

! QOS-SCAVENGER-DATA
ip access-list extended QOS-SCAVENGER-DATA
permit ip 10.52.20.0 0.0.0.255 any
exit

! QOS-Video
ip access-list extended QOS-Video
permit ip host 109.43.x.y any
permit ip host 109.43.x.z any
exit

Second, we create class maps according to ACLs:

class-map match-all QOS-MANAGEMENT
match access-group name QOS-MANAGEMENT
exit

class-map match-all QOS-MISSION-CRITICAL-DATA
match access-group name QOS-MISSION-CRITICAL-DATA
exit

class-map match-all QOS-TRANSACTIONAL-DATA
match access-group name QOS-TRANSACTIONAL-DATA
exit

class-map match-all QOS-BULK-DATA
match access-group name QOS-BULK-DATA
exit

class-map match-all QOS-SCAVENGER-DATA
match access-group name QOS-SCAVENGER-DATA
exit

class-map match-all QOS-Video
match access-group name QOS-Video
exit

Third, we create a marking policy for the traffic:

policy-map MARKING-POLICY
class QOS-MANAGEMENT
set dscp cs2
class QOS-MISSION-CRITICAL-DATA
set dscp 25
class QOS-TRANSACTIONAL-DATA
set dscp af21
class QOS-BULK-DATA
set dscp 10
class QOS-SCAVENGER-DATA
set dscp cs1
class class-default
set dscp default
exit
exit

policy-map MARKING-POLICY-VIDEO
class QOS-Video
set dscp cs4
exit
exit

Once that is done, we have to understand which queues exist and which CoS and DSCP values are assigned to each queue by default. To check the defaults for the input queues on, e.g., a 3750 switch, use:

Switch#show mls qos maps cos-input-q
   Cos-inputq-threshold map:
              cos:  0   1   2   3   4   5   6   7
              ------------------------------------
  queue-threshold: 1-1 1-1 1-1 1-1 1-1 2-1 1-1 1-1

Switch#show mls qos maps dscp-input-q
   Dscp-inputq-threshold map:
     d1 :d2    0     1     2     3     4     5     6     7     8     9
     ------------------------------------------------------------
      0 :    01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01
      1 :    01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01
      2 :    01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01
      3 :    01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01
      4 :    02-01 02-01 02-01 02-01 02-01 02-01 02-01 02-01 01-01 01-01
      5 :    01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01
      6 :    01-01 01-01 01-01 01-01

The same table is represented in the following picture:

QoS-Classification-and-Marking-20.png

Packets with CoS 5 (DSCP 40 to 47) are placed into queue 2. The packets that remain are placed in queue 1.

To check the default output queue mappings, use:

Switch#show mls qos maps cos-output-q
   Cos-outputq-threshold map:
              cos:  0   1   2   3   4   5   6   7
              ------------------------------------
  queue-threshold: 2-1 2-1 3-1 3-1 4-1 1-1 4-1 4-1

Switch#show mls qos maps dscp-output-q
   Dscp-outputq-threshold map:
     d1 :d2    0     1     2     3     4     5     6     7     8     9
     ------------------------------------------------------------
      0 :    02-01 02-01 02-01 02-01 02-01 02-01 02-01 02-01 02-01 02-01
      1 :    02-01 02-01 02-01 02-01 02-01 02-01 03-01 03-01 03-01 03-01
      2 :    03-01 03-01 03-01 03-01 03-01 03-01 03-01 03-01 03-01 03-01
      3 :    03-01 03-01 04-01 04-01 04-01 04-01 04-01 04-01 04-01 04-01
      4 :    01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 04-01 04-01
      5 :    04-01 04-01 04-01 04-01 04-01 04-01 04-01 04-01 04-01 04-01
      6 :    04-01 04-01 04-01 04-01

Graphical representation is as follows:

QoS-Classification-and-Marking-30.png

You can always change those mappings at will.

It is also important to understand the CoS-to-DSCP mappings. The following example shows how to display the QoS map settings:

Switch# show mls qos maps

   Policed-dscp map:
            0  1  2  3  4  5  6  7  8  9
   ----------------------------------
      00:  00 01 02 03 04 05 06 07 08 09
      10:  10 11 12 13 14 15 16 17 18 19
      20:  20 21 22 23 24 25 26 27 28 29
      30:  30 31 32 33 34 35 36 37 38 39
      40:  40 41 42 43 44 45 46 47 48 49
      50:  50 51 52 53 54 55 56 57 58 59
      60:  60 61 62 63

   Dscp-cos map:
            0  1  2  3  4  5  6  7  8  9
   ----------------------------------
      00:  00 00 00 00 00 00 00 00 01 01
      10:  01 01 01 01 01 01 02 02 02 02
      20:  02 02 02 02 03 03 03 03 03 03
      30:  03 03 04 04 04 04 04 04 04 04
      40:  05 05 05 05 05 05 05 05 06 06
      50:  06 06 06 06 06 06 07 07 07 07
      60:  07 07 07 07

   Cos-dscp map:
        cos:   0  1  2  3  4  5  6  7
       ----------------------------------
       dscp:   0  8 16 24 32 40 48 56

   IpPrecedence-dscp map:
     ipprec:   0  1  2  3  4  5  6  7
       ----------------------------------
       dscp:   0  8 16 24 32 40 48 56

Switch#

In the policed DSCP and DSCP-CoS map displays, the new DSCP or CoS values are shown in the body of the table. The decade of the original DSCP value is shown in the left-side vertical column, and the units digit is in the top row. For example, the DSCP-CoS map indicates that if the original DSCP value is between 32 and 39, the CoS will be set to 4.

The CoS-DSCP and IP precedence-DSCP maps display the DSCP values to which each CoS or IP precedence value will be mapped. For example, the IP precedence-DSCP map indicates that if the original IP precedence value is 3, the DSCP will be set to 24.

NOTE

In a network, all the Cisco Catalyst switches should have identical map tables. Different map table values in different switches cause undesirable QoS behavior.
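
To check the point made in the NOTE, the following added example (not part of the original article) parses the Dscp-cos map rows in the layout shown above and lists every DSCP value that two switches map differently. The names parse_dscp_cos and diff_maps are hypothetical, and the second switch's map is constructed for illustration.

```python
import re

# Dscp-cos map rows as printed on this page (decade on the left, units digit on top).
DEFAULT_MAP = """\
      00:  00 00 00 00 00 00 00 00 01 01
      10:  01 01 01 01 01 01 02 02 02 02
      20:  02 02 02 02 03 03 03 03 03 03
      30:  03 03 04 04 04 04 04 04 04 04
      40:  05 05 05 05 05 05 05 05 06 06
      50:  06 06 06 06 06 06 07 07 07 07
      60:  07 07 07 07
"""
# Constructed sample for a second switch: DSCP 46 has been remapped to CoS 4.
DRIFTED_MAP = DEFAULT_MAP.replace("40:  05 05 05 05 05 05 05 05",
                                  "40:  05 05 05 05 05 05 04 05")

ROW = re.compile(r"^\s*(\d0):\s+((?:\d{2}\s*)+)$")

def parse_dscp_cos(text):
    """Return {dscp: cos} from the rows of one Dscp-cos map display."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator or prompt line
        decade = int(m.group(1))
        for units, cell in enumerate(m.group(2).split()):
            table[decade + units] = int(cell)
    if sorted(table) != list(range(64)):
        raise ValueError("incomplete map: expected DSCP 0..63")
    return table

def diff_maps(a, b):
    """List (dscp, cos_on_a, cos_on_b) for every DSCP the two maps disagree on."""
    return [(d, a[d], b[d]) for d in range(64) if a[d] != b[d]]

if __name__ == "__main__":
    sw1, sw2 = parse_dscp_cos(DEFAULT_MAP), parse_dscp_cos(DRIFTED_MAP)
    # The default table is simply the top three bits of the DSCP value.
    print("default is dscp >> 3:", all(c == d >> 3 for d, c in sw1.items()))
    for d, c1, c2 in diff_maps(sw1, sw2):
        print(f"DSCP {d}: switch1 -> CoS {c1}, switch2 -> CoS {c2}")
```

Pass only the Dscp-cos section of the output to parse_dscp_cos, because the Policed-dscp rows use the same layout.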

Now that you know which DSCP value is mapped to which CoS value, and which CoS/DSCP values are mapped to which queues, you can apply the classification policy and, if needed, congestion management policies to the interfaces:

! Access ports on Access Switches
service-policy input MARKING-POLICY
srr-queue bandwidth share {weight for q1} {weight for q2} {weight for q3} {weight for q4}

! Access ports with video station on Access Switches
service-policy input MARKING-POLICY-VIDEO
srr-queue bandwidth share {weight for q1} {weight for q2} {weight for q3} {weight for q4}

! Trunk ports on Access Switches
mls qos trust dscp

Using SPAN and Wireshark, or any other packet capture software, you can check whether the DSCP value is actually assigned:

QoS-Classification-and-Marking-40.jpg
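
The same check can be scripted over raw captured IPv4 packets. This added example (not from the original article) reads the DSCP field from the IP header and compares it with what MARKING-POLICY should have set, covering only the two classes whose ACLs match "any any" (QOS-MANAGEMENT and QOS-BULK-DATA). The names build_tcp_packet, check_marking and mismatches are hypothetical, and the packets are constructed samples.

```python
import struct

# DSCP set by MARKING-POLICY for the two classes whose ACLs match "any any".
CS2, DSCP10 = 16, 10
EXPECTED = {22: CS2, 23: CS2, 3389: CS2,              # QOS-MANAGEMENT -> cs2
            3128: DSCP10, 80: DSCP10, 443: DSCP10,    # QOS-BULK-DATA -> dscp 10
            20: DSCP10, 21: DSCP10}

def build_tcp_packet(dscp, dport):
    """Constructed sample: minimal IPv4 + TCP headers (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 40, 0, 0, 64, 6, 0,
                     bytes([10, 52, 1, 10]), bytes([10, 52, 2, 20]))
    tcp = struct.pack("!HHLLBBHHH", 49152, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    return ip + tcp

def check_marking(packet):
    """Return (dport, dscp, expected); expected is None if the port is in neither class."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != 6 or len(packet) < ihl + 4:
        raise ValueError("not a TCP packet with a complete header")
    if struct.unpack_from("!H", packet, 6)[0] & 0x1FFF:
        raise ValueError("non-initial fragment: no TCP ports to inspect")
    dscp = packet[1] >> 2  # upper six bits of the former ToS byte; lower two are ECN
    dport = struct.unpack_from("!H", packet, ihl + 2)[0]
    return dport, dscp, EXPECTED.get(dport)

def mismatches(packets):
    """Return (dport, dscp, expected) for packets whose marking differs from the policy."""
    results = (check_marking(p) for p in packets)
    return [r for r in results if r[2] is not None and r[1] != r[2]]

if __name__ == "__main__":
    capture = [build_tcp_packet(16, 22), build_tcp_packet(0, 443),
               build_tcp_packet(0, 8080)]
    for dport, dscp, expected in mismatches(capture):
        print(f"tcp/{dport}: DSCP {dscp}, policy expects {expected}")
```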

By privilege15