ccnp - qos


Posted on 14-Apr-2018


7/30/2019 CCNP - QOS

Train Signal, Inc., 2002-2007

ONT: Optimizing Converged Cisco Networks

Cisco CCNP

Welcome To Your ONT Video Boot Camp!

Topics:

Introduction To QoS

Queuing Methods

Marking and Classifying Traffic

Congestion Avoidance, Policing, and Shaping

End-to-end QoS

AutoQoS

Introduction To Wireless LANs

WLAN Management

Voice Over IP (VoIP)

About Your Instructor

Chris Bryant, CCIE #12933

Earned my CCIE on February 26, 2004, and founded The Bryant Advantage in June of that year.

My Video Boot Camps and Ultimate Study Packages place an emphasis on clearly explained theory and as much work as possible on REAL Cisco routers and switches.

Free Tutorials, Daily Exam Questions, and more at my website: www.thebryantadvantage.com

The ONT Hands-On Challenge

Cisco is rapidly entering the world of - gasp! - GUIs, and these GUIs are not always easy to get hands-on practice with.

If possible, ask a senior admin at your workplace if any of the apps you see here are in use at your site, and if you may take a look at them (changing nothing, of course!).

There may be simulator programs that duplicate Cisco GUIs.

Very limited rental access is available for these programs.

Introduction to Quality of Service (QoS)

What is QoS and why do we use it?

Three Steps to a QoS Deployment

Delay Types (and the Network Admins who hate them)

QoS Model Comparison

What is QoS?

Even if you don't know what QoS is, you've most likely heard of it. Basically, Quality of Service is a way to give delay-sensitive traffic the attention it deserves while (hopefully) still getting "regular" traffic to its destination in a timely manner.

When you break QoS down to its very core, we're answering one question: "Which incoming data should be transmitted first?" That used to be an easy question to answer, since we didn't have a lot of time-sensitive data traveling across our network. Then again, a floppy disk used to store all the information we needed, and that's not true anymore either!

Not only do we have different data types on our network - voice and video, just to name two - but we have traffic that's much more time-sensitive than it used to be. When our network gets congested, QoS helps to ensure that the voice and video streams receive the proper level of attention, which in turn ensures that voice and video presentations are of high quality.

You've probably watched a video presentation that was more than a little choppy, or listened to streaming video that would play the stream for 30 seconds, then stop for a second or two, then pick back up. That's jitter, and our major weapon to fight jitter is QoS.

Fighting jitter isn't the only reason we configure QoS. Here are four other major reasons to use QoS:

Provide adequate bandwidth, and guarantee it in some situations

Provide consistent and predictable packet delivery

Prevent delay, especially with voice and video transmission

Prevent packet loss (especially via tail drop, which we'll address in another section)

I'll speak of "voice and video" quite a bit in this course, and while both types of data benefit from QoS, the application of QoS may be a bit different. Video tends to be more bursty than voice, particularly with video conferencing. From personal experience, I'll tell you this - video conferencing is very bursty and very hard on a network that doesn't usually carry such transmissions!

Also, network congestion is not the only problem with voice and video traffic. As you'll see later in this course, header overhead is a real problem with voice packets. We'll discuss that in detail during the VoIP section, but keep in mind that congestion and overhead are problems with voice packets.

Three Quick Steps To A QoS Deployment, Part 1

Well, maybe not quick steps! Here's the basic three-step process we'll use to apply QoS to our network:

Identify the traffic that needs QoS, and determine the QoS requirements of that traffic.

Use the requirements to classify the traffic.

Define and apply a policy for each class of traffic.

Three Quick Steps To A QoS Deployment, Part 2

Defining and applying a policy has three main steps of its own, or rather three values that should be defined and applied:

A maximum bandwidth limit should be set. You don't want any traffic class taking up all of your bandwidth!

A minimum bandwidth level should be set as well. Part of QoS is guaranteeing a certain level of service.

Assign each class a priority level in proportion to the level of service the traffic class should receive when compared to the other traffic classes. If one traffic class is basically twice as important as another, assign that class a priority twice as high as the other.

Not All Delays Are Created Equal

Now, it's a fair bet that sometime during your studies, you're going to wonder why we really need so many different ways to perform QoS. The main reason we need different ways to combat transmission delay is that we've got different kinds of delay in the first place. You probably never thought about it this way, but Cisco does - they actually define four different types of delay!

Variable-Length Delays

Queuing Delay is simply the amount of time a packet spends in the exit queue before being transmitted.

Processing Delay is the time it takes the network device to move a packet from the incoming queue into the appropriate outgoing queue.

Fixed-Length Delays

Serialization Delay is the time it takes to place the frame onto the physical medium.

Propagation Delay is the amount of time it takes for the bits to cross the physical media.

The sum of those four delays is the overall end-to-end delay.

Those delays add up, and they can add up to a little something called jitter. If you've ever listened to streaming video or audio and had the stream break up intermittently, you were experiencing jitter. Obviously, we don't want that, and combating jitter is one major reason we configure QoS.

QoS Models

As with most things in Ciscoland, we've got more than one way to do things. When it comes to QoS planning, we have three different models to choose from. Let's take a look at the pros and cons of each.

Best-Effort

If you don't have a QoS model in place, you actually do. Best-effort QoS is just that - best-effort. No priority is given to any traffic. If your network is carrying voice or video traffic, best-effort is definitely not the way to go. Not to say that all best-effort QoS applications are bad; if you're on the Internet, you're using a best-effort network!

Best-effort isn't all bad - since it's basically "no QoS", at least it's highly scalable! There's still a lot of best-effort QoS out there, but just remember that there are no classes, no default classes, no preferential treatment for high-quality traffic - no nothin'!

Integrated Services (IntServ)

The Integrated Services model, more popularly known as IntServ, uses the Resource Reservation Protocol (RSVP) to send an advance signal and reserve network resources in advance of the data actually traveling across the network. Once the end-to-end bandwidth reservation is in place, the data is transmitted.

Here's a little more info about RSVP:

Uses Internet Protocol (IP) ID 46

Uses TCP/UDP ports 3445

Is not a routing protocol; rather, it's a signaling protocol

Initial RFC is 2205; if you're going to use RSVP over IP tunnels, I recommend reading RFC 2746 as well

If RSVP cannot reserve the required bandwidth, the application will not work.

That sounds great, and it's certainly better than best-effort QoS! However, there are some drawbacks. It's a waste of bandwidth to have the entire end-to-end path reserved in advance.

Additionally, IntServ isn't as scalable a solution as we'd like. Everything we do on a router or switch has a cost of some kind, and in this case it's RSVP overhead. One or two paths won't cause much overhead, but as the number of reserved paths increases as a network becomes larger, the RSVP overhead can take its toll on the routers involved.

IntServ actually requires six functions to run on all network devices along the path from source to destination:

end-to-end signaling

admission control (actually responds to the end-to-end service request)

classification

policing

queuing

scheduling

Differentiated Services (DiffServ), Part 1

Differentiated Services is the latest of the three models, and many would agree that it's also the greatest. DiffServ doesn't use RSVP, but instead uses Per-Hop Behavior (PHB) to allow each router across the network to examine the packet and decide what service level it should receive. With DiffServ, one router along the path from source to destination could consider a packet to be of the highest priority, while another router could consider it "just another packet".

Differentiated Services (DiffServ), Part 2

There is no advance signaling with DiffServ - no "hey, here comes a really important packet!" advance notice. Each hop along the way from source to destination makes its own decision as to how important a packet is or isn't. This lack of advance signaling is why DiffServ is considered more scalable than IntServ, since no bandwidth is reserved in advance of the actual transmission.

A term you hear often with DiffServ is "marking and classification". Marking a packet is the process of assigning the packet a value reflecting the level of QoS it should receive, while classification is placing that packet into a queue in accordance with that level of QoS.

Those of you who have taken my Switching courses know what I'm about to say - when you perform classification with switches, don't perform classification on the core switches! ;) What follows is the Cisco Three-Layer switching model; both Cisco and I recommend that you perform traffic marking and classification as close to the edge of the network as possible.

When it comes to marking, there are different values we can use to decide what value to mark the frame or packet with. In my experience, here are the four that are used most often:

IP Precedence (IP Prec)

Differentiated Services Code Point (DSCP)

CoS value

Interface that received the data (ingress interface)

Which one you choose depends on your particular network's needs, and of course, the OSI layer at which the marking is taking place.

Okay, So Which Model Should I Use?

Every network is different, and so are every network's needs. Here's a basic list of questions to ask before deciding on a model.

What applications are running on the network? Best-effort may be just fine for your network; if you're running voice and video, it's not a good choice.

To what extent do you want to tie down your network's transmissions? In some networks, you may not even want to configure QoS, but in most of today's networks you need to exercise at least some control over data transmission. That's what QoS is all about!

How much is all of this gonna cost?

Cost isn't just measured in money, but in time. A proper QoS deployment takes time to configure and even more time to plan. That proper deployment can also make your life a lot easier - as long as it's cost-efficient!

Queuing Methods

Queuing

FIFO

Round-Robin and Weighted Round-Robin

Priority Queuing

Weighted Fair Queuing

Class-based WFQ

Low Latency Queuing

At its core, queuing is a congestion management technique that allows us a degree of control over which packets a router will transmit first.

Queuing is basically a three-step process:

Create the queues.

Classify the traffic.

Schedule the packets to exit the queue.

One catch - we can only apply one queuing strategy to a given interface.

First-In, First-Out, Part 1

If ever there's been a "the name is the recipe" networking term, this is it. Traffic isn't ranked, marked, classified, or anything else - it's just queued up and sent, and traffic is queued in the order in which it arrived.

The default queuing scheme for interfaces running at greater than E1 speed, FIFO is just fine in some instances, but the amount of time-sensitive data on today's networks is increasing every day. Voice and video are particularly subject to jitter, and if you've ever tried to watch streaming video on a slow connection, you know how frustrating that can be.

First-In, First-Out, Part 2

Also, every organization has applications that are more critical to operations than others. Yes, I know that every end user thinks their apps are the most important, but some apps truly are more important than others! You don't want traffic created by your company's critical apps to sit in a FIFO queue with other, less-important traffic.

I was once the network admin for a hospital, and there were applications that helped save lives - and if those apps were down, patients' lives were at risk. The data produced by those apps could not be left to FIFO.

Luckily for us, Cisco routers give us quite a few options when it comes to queuing, and there's a pretty good chance we'll see a lot of these options on the ONT exam.

Round-Robin And Weighted Round-Robin (WRR)

With round-robin (RR) queuing, no one queue is given priority over another. For example, if you have five queues in an RR scheme, one packet will be sent from Queue 1, then one from Queue 2, and so forth until each queue has had an opportunity to send a packet. The process then repeats itself.

Weighted Round-Robin (WRR) allows you to assign weights to queues; queues that have higher weights will transmit more packets than others, but it's still a round-robin format.

Let's say we have five queues and the following weights:

Q1: 5

Q2: 4

Q3: 3

Q4: 2

Q5: 1

Theoretically, Q1 will send five packets, then Q2 will send four, Q3 will send three, Q4 will send two, and Q5 will send one. Every queue gets a chance to transmit, but again the queues with higher weights get to send more packets.

That's the theory of how WRR works. You probably won't run into a scenario like the following until you're going after your CCIE number, but let's take a look at how Custom Queuing (CQ) is configured, and work in a situation where WRR isn't quite so cut-and-dried.

Using Weights With Custom Queueing

In this example, we'll use source IP addresses to decide which queue traffic should be placed into.

Q1: Source 172.12.123.0 /24, Weight: 3

Q2: Source 210.1.1.0 /24, Weight: 2

Q3: Source 215.1.1.0 /24, Weight: 1

Q4: All traffic that does not match any of the above. Weight: 1

As you've probably guessed, we first have to write ACLs matching those three definitions.

We'll use the queue-list command to match those ACLs to the appropriate queues. I'll use IOS Help to show the options for the first queue-list. The syntax is a little tricky when you first work with CQ, but you'll quickly get used to it.

Like ACLs, queue-lists are read from top to bottom. Once a match is made, the traffic is queued and no other lines of the queue-list are considered.

Now we'll add a default queue that will match all traffic that does not match the first three lines of the queue-list.

Now you're thinking, "That's all great, but what about the weights?" We can assign a type of weight to each queue by assigning a byte-count to each queue. Let's review the desired weights:

Q1: Source 172.12.123.0 /24, Weight: 3

Q2: Source 210.1.1.0 /24, Weight: 2

Q3: Source 215.1.1.0 /24, Weight: 1

Q4: All traffic that does not match any of the above. Weight: 1

That means Q1's byte-count should be three times that of Q3 and Q4, and Q2's byte-count should be twice that of Q3 and Q4. One configuration that would give us the desired result is:

R1(config)#queue-list 1 queue 1 byte-count 3000

R1(config)#queue-list 1 queue 2 byte-count 2000

R1(config)#queue-list 1 queue 3 byte-count 1000

R1(config)#queue-list 1 queue 4 byte-count 1000

Pretty easy, eh? :) It really is simple. The only issue arises from the fact that not all packets are the same size, and CQ will continue to transmit packets as long as that byte-count hasn't been reached yet.

Q1 has been configured with a byte-count of 3000 bytes. The first two packets are 1450 and 1350 bytes, for a total of 2800 bytes. The question is - will the 1250-byte packet in Q1 be transmitted, or will Q2 now begin to transmit?

Q1 will indeed transmit the 1250-byte packet. CQ considers the overall byte-count after each packet is sent - and if the queue is still under its byte-count limit, the queue will send the next packet in full, even if that packet puts the queue over its byte-count limit. The 1250-byte packet in this example will not be fragmented - it will be transmitted in its entirety.

This is hardly the end of the world, but it's a good detail to keep in mind. CQ weights aren't perfect, but they are effective.

If you want to bypass the byte-count calculations and give each queue a strict packet limit instead, you can do so with the queue-list command's limit option.
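The WRR weights and the CQ byte-count rule from the last few slides can be checked with a small scheduler model. This is an added Python example, not part of the course material; it assumes the four queues and byte-counts from the queue-list 1 configuration above, models only the byte-count rule (not the limit option), and uses constructed packet sizes.

```python
from collections import deque

def serve_round(packets, byte_count):
    """Transmit from one custom queue for a single round-robin turn.

    packets:    deque of packet sizes (bytes) waiting in this queue
    byte_count: the queue's configured byte-count

    CQ checks the running total only after each packet is sent: while the
    total is still under byte_count the next packet goes out in full, even if
    it pushes the total past the limit. Packets are never fragmented.
    Returns the sizes sent this turn, in order.
    """
    sent, total = [], 0
    while packets and total < byte_count:
        size = packets.popleft()
        sent.append(size)
        total += size
    return sent

def run_custom_queueing(queues, byte_counts, max_rounds=1000):
    """Round-robin over the queues until all are empty (or max_rounds is hit).

    queues:      dict name -> deque of packet sizes
    byte_counts: dict name -> byte-count for that queue
    Returns a list of rounds; each round maps queue name -> sizes sent.
    """
    rounds = []
    for _ in range(max_rounds):
        if not any(queues.values()):          # an empty deque is falsy
            break
        rounds.append({name: serve_round(q, byte_counts[name])
                       for name, q in queues.items()})
    return rounds

# Byte-counts from the course's queue-list 1 (3:2:1:1 intent).
BYTE_COUNTS = {"Q1": 3000, "Q2": 2000, "Q3": 1000, "Q4": 1000}

def example_q1_overshoot():
    """Constructed input: Q1 holds 1450-, 1350- and 1250-byte packets.
    After 2800 bytes Q1 is still under 3000, so the 1250-byte packet is
    sent as well (4050 bytes in one turn) before Q2 gets its turn."""
    queues = {"Q1": deque([1450, 1350, 1250]),
              "Q2": deque([500, 500]),
              "Q3": deque([1500]),
              "Q4": deque([1500])}
    return run_custom_queueing(queues, BYTE_COUNTS)

def effective_share(packet_size, byte_counts=BYTE_COUNTS):
    """Bytes each queue sends in one turn when every packet is packet_size
    bytes. Shows how far the real share drifts from the 3:2:1:1 intent:
    1000-byte packets give exactly 3000:2000:1000:1000, but 1500-byte
    packets give 3000:3000:1500:1500 because Q2 overshoots its 2000."""
    queues = {name: deque([packet_size] * 50) for name in byte_counts}
    first_round = run_custom_queueing(queues, byte_counts, max_rounds=1)[0]
    return {name: sum(sizes) for name, sizes in first_round.items()}

if __name__ == "__main__":
    rounds = example_q1_overshoot()
    print("round 1:", rounds[0])
    for size in (1000, 1450, 1500):
        print(f"{size}-byte packets:", effective_share(size))
```

Rerunning effective_share with your own typical packet sizes is a quick way to see whether a byte-count ratio will deliver the weights you intended before you apply the queue-list.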

Hey, after all that, we should apply the list to the interface, right? We'll do so with the custom-queue-list command. There are no options with this command.

We'll verify all of this with show queueing custom. This command displays the queue-list numbers, the queue numbers, and everything else you need to know about your CQ configuration, including any ACLs in use.

Priority Queuing

PQ is simple enough to configure, but there's one big trap you have to watch out for when configuring it. Before we discuss that, let's go over the basics of PQ.

PQ has four and only four queues. All four are predefined as to priority and capacity. Note that the Normal queue is the default queue; packets that have not had a priority explicitly assigned to them are placed into that queue.

High-Priority Queue: Capacity of 20 packets

Medium-Priority Queue: Capacity of 40 packets

Normal-Priority (Default) Queue: Capacity of 60 packets

Low-Priority Queue: Capacity of 80 packets

As you'll see in just a moment, changing the capacity of any of these queues is easy. The difficult part of working with PQ is resisting the temptation to configure a lot of traffic as high priority (yeah, I know, everybody's traffic is high priority - just like their email, right?).

Why is this a problem? PQ does not work in a round-robin format, as some other queuing strategies do. Regardless of how much traffic is waiting in the lower queues, the High-priority queue is always going to be given first priority, and that means traffic in the lower-priority queues can sit there for a long time. Let's take a look at one basic scenario that illustrates this.

As the network admin, you decide that FTP packets should be given the highest priority possible. You configure FTP packets to be placed in the High-priority queue, and they're transmitted before any other traffic. Since you've defined no other priorities, all other traffic is placed into the Normal queue.
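The FTP-in-the-High-queue scenario above, as an added Python model that is not part of the course: strict priority servicing over the four default queues and capacities, with tail drop when a queue is full. The arrival pattern (a burst of "web" packets in Normal, then one FTP packet per transmit slot) is constructed for the illustration.

```python
from collections import deque

# PQ's four predefined queues, highest priority first, with default capacities in packets.
ORDER = ("high", "medium", "normal", "low")
DEFAULT_CAPACITY = {"high": 20, "medium": 40, "normal": 60, "low": 80}

class PriorityQueueing:
    """Strict priority queuing: every transmit slot services the highest-priority
    queue that has a packet waiting. There is no round-robin between queues."""

    def __init__(self, capacity=DEFAULT_CAPACITY):
        self.capacity = dict(capacity)
        self.queues = {name: deque() for name in ORDER}
        self.sent = {name: 0 for name in ORDER}
        self.dropped = {name: 0 for name in ORDER}

    def enqueue(self, queue, packet):
        """Place a packet in the named queue; tail-drop it if the queue is full."""
        q = self.queues[queue]
        if len(q) >= self.capacity[queue]:
            self.dropped[queue] += 1
            return False
        q.append(packet)
        return True

    def transmit_one(self):
        """Send one packet from the highest non-empty queue. Returns (queue, packet)
        or None when every queue is empty."""
        for name in ORDER:
            if self.queues[name]:
                self.sent[name] += 1
                return name, self.queues[name].popleft()
        return None

def simulate_ftp_vs_normal(slots=200, ftp_slots=None):
    """Constructed scenario: FTP has been classified as High; everything else lands
    in Normal. 80 'web' packets are queued in Normal up front, then one FTP packet
    arrives per transmit slot for ftp_slots slots (None = the whole run).
    Returns (sent, dropped) counters per queue."""
    pq = PriorityQueueing()
    for _ in range(80):
        pq.enqueue("normal", "web")      # 60 fit; the remaining 20 are tail-dropped
    for slot in range(slots):
        if ftp_slots is None or slot < ftp_slots:
            pq.enqueue("high", "ftp")    # steady FTP keeps the High queue non-empty
        pq.transmit_one()
    return pq.sent, pq.dropped

if __name__ == "__main__":
    # As long as FTP keeps arriving, Normal never gets a single transmit slot.
    print("continuous FTP:", simulate_ftp_vs_normal())
    # Once the FTP transfer ends, the Normal queue finally drains.
    print("FTP stops after 50 slots:", simulate_ftp_vs_normal(ftp_slots=50))
```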

Create The Priority List

Remember how you wrote dialer lists in your CCNA studies to define interesting traffic? Creating priority lists in PQ is a similar operation, but the priority list will actually do two things - define traffic, and define which queue that traffic named by the list should be placed into. If traffic is not explicitly placed into a queue, it will be placed into the Normal queue.

Since we're studying Cisco, you just know we're going to have quite a few options! Let's use IOS Help to view the options for priority lists:

Weighted Fair Queuing, Part 1

The default queuing scheme for Serial interfaces running at E1 speed or below, WFQ handles packets according to their flow, with a "flow" defined as packets that have one of the following in common:

Source or destination IP address

Source or destination port number (TCP or UDP)

Protocol Number (that's why I mention them occasionally)

ToS (Type of Service)

Weighted Fair Queuing, Part 2

Therefore, a group of packets destined for the IP address 213.1.1.1 would be considered to be part of the same flow.

The key word in WFQ is "fair", since "fair" isn't a term we see in networking very often! WFQ is considered "fair" because it assigns the same weight to all traffic flows, while at the same time giving priority to low-volume, interactive flows over high-volume flows ("aggressive flows", in Cisco website documentation terms). This priority results in packets being dropped from aggressive flows before they're dropped from low-volume flows.

A major difference between WFQ and other queuing strategies is that WFQ will dynamically build and tear down queues as they are needed. WFQ cannot build an infinite number of queues, however; the default maximum number of dynamic WFQ queues is 256. This can be changed, but you can't just change it to any old number - that would be too easy!

Before we set the number of reservable queues, let's assume this serial interface is running at over E1 speed - which means it would not be running WFQ by default.

Note in the above config that I had to set the Congestive Discard Threshold (CDT) before I could set the number of Dynamic Conversation Queues. The CDT is the number of packets a queue can hold before WFQ will start to drop packets from high-volume conversations.

A third value that can be set with the fair-queue command is the number of Reservable Queues (RQ). The RQ value is, well, the number of queues reserved for reserved conversations!

If that sounds like a feature that our old friend Resource Reservation Protocol (RSVP) would use, you're right. RSVP reserves bandwidth for a transmission from source to destination before sending the transmission, and RSVP uses these queues when WFQ is in effect.

We skipped around a bit on that command, so let's review from left to right.

The first value is the Congestive Discard Threshold. Remember that WFQ will drop packets from high-volume conversations ("aggressive flows") first; the CDT is the number of packets that will be held in a queue before packets are dropped from those conversations. Default is 64.

The second value is the number of Dynamic Conversation Queues. The default is 256, and when changing this value, you must set it to a power of 2.

The third and final value is the number of Reservable Queues. The default is zero, and the range is 0 - 1000.

The hold-queue value determines how many packets can be held before tail drop takes effect. The default is 1000 and this can be changed with the hold-queue command.

Real-World vs. Theory In WFQ

I want to bring something to your attention regarding WFQ theory and its actual operation. In the previous config, we set the Congestive Discard Threshold to 100 with no problem.

According to Cisco and non-Cisco documentation, that value is required to be set to a power of 2, just as the number of Dynamic Queues was. That wasn't the case on this router, though.

Let's set it to 17 just to make sure.

Sure looks like the non-Base2 value was accepted!

I doubt this comes up on your ONT exam, but just in case it does, I'd stick with the official Cisco theory that both the Congestive Discard Threshold and the number of Dynamic Queues must be set to a power of 2. As we well know, theory doesn't always match up with the real world!

The Exception To The WFQ Rule

I mentioned several times that WFQ is the default queueing scheme for Serial interfaces running at or below E1 speed, but as we all know, there are always exceptions. WFQ cannot serve as the default for serial interfaces using any of the following encap methods or interface types, regardless of the interface's speed:

Virtual interfaces, including loopbacks and dialer interfaces

Bridging or tunneling

LAPB, X.25, SDLC

Disabling And Enabling WFQ, Part 1

WFQ's the default queuing scheme for Serial interfaces running at or less than E1 speed, but what if you want to disable it? Or reenable it? Just use the no fair-queue and fair-queue commands, respectively.

R1(config)#int s0

R1(config-if)#no fair-queue

R1(config-if)#fair-queue

Must remove custom-queue configuration first.

Disabling And Enabling WFQ, Part 2

Don't forget - you can have only one queueing scheme running on a single interface at one time! The router was kind enough to remind us of that, but the ONT exam will likely not be as kind.

R1(config-if)#no custom-queue-list 1

R1(config-if)#fair-queue

Class-Based Weighted Fair Queuing, Part 1

With CBWFQ, we're going to create classes of traffic, and these classes are each assigned their own queue. The queues can then be assigned a guaranteed amount of bandwidth.

Doesn't exactly sound "fair", does it? The key is that each queue is going to be guaranteed a certain amount of available bandwidth. In our PQ discussion, I mentioned several times that you have to watch for the possibility of queue starvation, but that danger doesn't exist with CBWFQ, since every queue is guaranteed some bandwidth.

Class-Based Weighted Fair Queuing, Part 2

Some important details regarding CBWFQ:

You can create up to 64 queues

The queues themselves are FIFO queues, but you can configure the queues with WRED, as we'll soon see

Traffic that is not explicitly placed in a queue is placed into the default queue, appropriately named class-default.

Configuring CBWFQ

The first step in configuring CBWFQ is to identify the traffic that should be placed in a given queue. We'll take all UDP Voice ports and put them into one queue, while all HTTP traffic will be placed into another queue. Any remaining traffic will be placed into the default queue. We'll identify those two groups of traffic with access lists. (WFQ doesn't use ACLs, but CBWFQ does.)

Now that we've used ACLs to identify the traffic, we'll use class maps that will be used to match those two ACLs. We'll use the Modular Command-line Interface (MQC) to create class maps.

After creating the class map UDPVOICE and configuring it to match traffic defined by ACL 110, I'll run IOS Help so you can see the other options. That will be followed by the creation of the class map HTTP, which will match traffic defined by ACL 120.

We've actually got three options with the bandwidth command. The first option calls for a numeric value - note that this value is in kbps!

The second option, percent, defines the percentage of available overall bandwidth that will be assigned to that particular class. Both WFQ and CBWFQ have the bandwidth percentage options.

The third option, remaining, also defines the percentage of bandwidth that should be assigned to this class, but it's the percentage of bandwidth that has not yet been assigned to other classes. This is a relatively new command, so even if you've worked with CBWFQ before, you may not have seen that one.

There's one more detail with bandwidth that we have to watch out for - we can't assign more than 75% of available bandwidth. The router will reserve 25% of available bandwidth for network control traffic and routing overhead. This is a good thing - after all, we don't want to cut off our routing control traffic, or we're not going to have routing!

If you really feel the need to override this percentage, use the max-reserved-bandwidth command. Don't blame me for all the hyphens!

R1(config-if)#max-reserved-bandwidth ?

Max. reservable bandwidth as % of interface bandwidth

There is no cut-and-dried situation where you should definitely define bandwidth in kbps or with the bandwidth percent command, but Cisco routers don't like it when you try to use both in the same policy map. Here, we'll set the bandwidth to 25 kbps for the UDPVOICE class. Remember that when we get to the HTTP class!

Low Latency Queuing, Part 1

Waaaay back at the beginning of this chapter, I mentioned that a major reason we don't stick with FIFO is that today's networks handle more Voice traffic than ever before. Voice traffic needs the highest priority we can give it, and one drawback of CBWFQ is that while we do have a default queue, that default queue isn't given higher priority than the others.

Configuring LLQ creates such a queue. This strict priority queue is created primarily for Voice traffic, which is much more sensitive to jitter and delay than "regular" data traffic.

Low Latency Queuing, Part 2

When we configure LLQ in just a moment, it's going to look a great deal like CBWFQ. Basically, LLQ is an add-on or extension to CBWFQ. The commands are almost all the same, and LLQ uses the class-default class just as CBWFQ does.

The major difference between LLQ and CBWFQ is the creation of that strict priority queue, and there's one simple word that creates that queue - priority.

    The rules for the priority command in LLQ are the same as they are for the bandwidth command in CBWFQ - you can't use the priority and priority percent commands in the same policy map. Here, we assigned 25% of the overall available bandwidth to the strict priority queue. After defining the priority queue's parameters, you can then create other classes just as we did with CBWFQ.

    The policy map is applied in the same fashion as CBWFQ, and the policy map can only be applied to outgoing traffic.

    Marking and Classifying Traffic

    Which Comes First?

    L2 Marking - CoS

    L3 Marking - IP Prec, DSCP

    DSCP and PHB

    NBAR Theory and Operation

    To Trust or Not To Trust (incoming markings, that is)

    Marking And Classification - Or Is It Classification And Marking?

    Call it either, but remember that these are two separate processes, and classification is done before marking!

    Classification identifies a certain type of traffic

    Marking is assigning a value to that class of traffic

    This being Cisco, naturally we have some options when it comes to marking traffic. Some marking techniques occur at Layer 2 of the OSI model, some at Layer 3. We'll start with L2 marking techniques.

    L2 Marking Options - Class Of Service

    You spent a lot of time studying trunking protocols during your CCNA studies, and you're about to spend just a bit more. Don't worry, we're not going to go over all the differences between ISL and dot1q again.

    What we do need to concentrate on is a value contained in the dot1q header - the CoS value.

    Officially called the Priority Field and the 802.1p Field, the three-bit CoS field has eight possible values.


    000 - Routine

    001 - Priority

    010 - Immediate

    011 - Flash

    100 - Flash Override

    101 - Critical

    110 - Internet (Reserved)

    111 - Network (Reserved)

    Note that these values are only going to be present when frames are trunked.

    What if they're sent across a Frame Relay link? You know about the congestion indicators FECN and BECN, but don't forget the 1-bit Discard Eligible bit! When congestion occurs to the point where frames must be dropped, frames with a DE of 1 are more likely to be dropped than frames with a DE of 0.

    ATM has a Cell Loss Priority (CLP) field that serves the same purpose. (If you're not familiar with ATM, cells are used rather than packets.)

    L3 Marking Options - IP Precedence And DSCP

    Of these two, IP Prec came first, but DSCP is the more popular of the two options. You'll see why in just a minute, but let's take a quick look at where both the IP Prec and DSCP values come from in the first place!

    In an IP header, there's an eight-bit field called the Type Of Service (ToS) byte. Of those eight bits, the first three bits from left to right - often called the three most significant bits - comprise the IP Prec value. As with CoS, this gives us eight possible values.


    000 - Routine

    001 - Priority

    010 - Immediate

    011 - Flash

    100 - Flash Override

    101 - Critical

    110 - Internetwork Control (Reserved)

    111 - Network Control (Reserved)

    With those last two values reserved, that only leaves us six IP Prec values that can actually be assigned to "regular" traffic. Don't get me wrong, using IP Prec isn't "wrong" - it's just that using DSCP may be a little more right!

    Why? Because DSCP gives us a lot more options for marking traffic. The terminology is a little different from our IP Prec discussion - hey, this is networking, we have to have some different names for the same thing, right? With DSCP, the ToS byte is referred to as the Differentiated Services field (DiffServ), and the first six bits make up the DSCP.

    DiffServ field:  000000  00
                     DSCP    ECN

    DSCP And Per-Hop Behavior (PHB)

    Both the most significant bits and the least significant bits can link a given DSCP value to a certain PHB.

    Expedited Forwarding results in the least jitter of the four PHBs we'll look at here, which gives you a hint as to what kind of traffic can best use this level of QoS - voice and video! If the most significant bits of the DSCP are set to 101, you're using EF. (That's equivalent to an IP Prec setting of 5, the highest assignable level.)

    As with PQ's High-priority queue, you don't want to mark too much of your traffic as EF! Some non-Cisco documentation I've seen recommends that you keep the EF-marked traffic at less than 30% of your network's overall traffic, but that seems a little high to me. Again, it depends on your network's capacity and needs.

    Assured Forwarding does guarantee delivery as long as a predefined transmission rate is adhered to. Naturally, if that rate is exceeded, that traffic is likely to be dropped when congestion is encountered. If the three most significant bits are set to any of the following, AF is in use.

    001

    010

    011

    100

    Default PHB is in use when the three most significant bits of the DSCP are all set to zero. As the name suggests, this PHB is assigned to any unmarked traffic and is basically "best-effort" service.

    Class Selector PHB is set when the least significant three bits of the DSCP are all set to zero. DSCP is backward-compatible with IP Prec, and it's the class selector PHB that makes this possible.

    Let's take a look at how the AF and CS bits work together. Remember, the three most significant bits of the DSCP value are AF bits and the least significant are CS bits. The final two bits are the ECN bits and aren't used to consider drop probabilities.

    The eight DSCP bits: AF AF AF CS CS CS ECN ECN

    The AF bits are used to predefine four classes. The CS bits are then used to determine the drop probability with a value of 1-3:

    3 indicates the highest level of drop probability

    2 is the intermediate level of drop probability (or "medium")

    1 is the lowest level

    You'll see these numbers expressed as "AFxx", with the first "x" represented by the AF bits; that simply indicates the AF class. The second "x" represents the CS value, which indicates - say it with me - drop probability! For example, "AF 32" indicates AF Class 3 with a medium drop probability.

    Here's a list of the classes and their drop probability:

    Class 1: AF11 is low, AF12 is medium, AF13 is high
    Class 2: AF21 is low, AF22 is medium, AF23 is high
    Class 3: AF31 is low, AF32 is medium, AF33 is high
    Class 4: AF41 is low, AF42 is medium, AF43 is high
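    To make the bit positions concrete, here is an added Python example (my code, not from the course): it splits a ToS byte into IP Precedence, DSCP and ECN and names the PHB using the RFC 2474/2597/3246 code points, reading the slide's low-order "CS bits" as the AF drop level, and builds the AF table above. The sample ToS bytes are constructed.

```python
# Added example, not part of the original course material: decode the IP ToS
# byte into IP Precedence, DSCP, ECN and a PHB name. The bit positions follow
# the slides; the PHB code points follow RFC 2474 (Class Selector/Default),
# RFC 2597 (Assured Forwarding) and RFC 3246 (Expedited Forwarding).
from dataclasses import dataclass


@dataclass(frozen=True)
class TosDecode:
    ip_precedence: int  # three most significant bits of the ToS byte
    dscp: int           # six most significant bits of the ToS byte
    ecn: int            # two least significant bits
    phb: str            # "EF", "AFxy", "CSx", "Default" or "unassigned"


def phb_name(dscp: int) -> str:
    """Name the PHB that a 6-bit DSCP code point selects."""
    if dscp == 0b101110:            # EF is the single code point 46 (RFC 3246)
        return "EF"
    if dscp & 0b111 == 0:           # low three bits zero: Class Selector,
        return "Default" if dscp == 0 else f"CS{dscp >> 3}"   # CS0 is Default
    af_class = dscp >> 3            # the slide's "AF bits"
    drop = (dscp & 0b111) >> 1      # the slide's "CS bits", read as a drop level
    if 1 <= af_class <= 4 and 1 <= drop <= 3 and dscp & 1 == 0:
        return f"AF{af_class}{drop}"
    return "unassigned"


def decode_tos(tos: int) -> TosDecode:
    """Split one ToS byte: bits 7..5 IP Prec, bits 7..2 DSCP, bits 1..0 ECN."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS is a single byte, 0..255")
    dscp = tos >> 2
    return TosDecode(ip_precedence=dscp >> 3, dscp=dscp, ecn=tos & 0b11,
                     phb=phb_name(dscp))


def af_dscp(af_class: int, drop_precedence: int) -> int:
    """Build the AFxy code point: class in the top three bits, drop level in
    the next two, lowest bit zero (RFC 2597)."""
    if not (1 <= af_class <= 4 and 1 <= drop_precedence <= 3):
        raise ValueError("AF class is 1..4, drop precedence 1..3")
    return (af_class << 3) | (drop_precedence << 1)


def af_table() -> dict:
    """The AF class/drop-precedence table from the slide, as name -> (DSCP, ToS)."""
    return {f"AF{c}{d}": (af_dscp(c, d), af_dscp(c, d) << 2)
            for c in range(1, 5) for d in range(1, 4)}


if __name__ == "__main__":
    # Constructed sample ToS bytes: EF voice, AF32 data, CS5 (IP Prec 5 only),
    # best effort, and an EF byte with an ECN flag set.
    for tos in (0xB8, 0x70, 0xA0, 0x00, 0xB9):
        d = decode_tos(tos)
        print(f"ToS 0x{tos:02X} = {tos:08b}: prec {d.ip_precedence} "
              f"dscp {d.dscp:2d} ecn {d.ecn:02b} -> {d.phb}")
    for name, (dscp, tos) in af_table().items():
        print(f"{name}: dscp {dscp:2d} ({dscp:06b}) tos 0x{tos:02X}")
```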

    NBAR

    The Network Based Application Recognition feature is a great place to start your QoS deployment - after all, before you worry about marking or classifying traffic, you've got to identify the traffic on your network! NBAR works from OSI layers 4 - 7 to identify and classify protocols, making it possible for you to create an accurate QoS configuration.

    You may also be familiar with the use of NBAR to block the "Code Red" virus. It's highly doubtful you'll see any questions on your exam regarding that, but if you'd like to learn more about that, just put "nbar code red" in your favorite search engine and you'll quickly find some Cisco documentation on that subject.

    NBAR has two basic purposes:

    Identifying traffic on a per-protocol basis

    Application monitoring

    NBAR performs application monitoring via its Protocol Discovery feature. Protocol Discovery is enabled on a per-interface basis, and this helpful feature can tell you what applications are running on that interface and the amount of bandwidth they're using.

    NBAR is capable of categorizing traffic in three ways:

    protocol

    port number

    payload content (default limit: 400 bytes)

    NBAR also examines network traffic and classifies it by TCP and UDP port numbers, whether those port numbers be statically or dynamically assigned. When dynamic port numbers are involved, NBAR is said to be performing a stateful inspection.

    NBAR can identify IP protocols that are neither TCP-based nor UDP-based as well, and NBAR's capabilities go beyond identifying port numbers. NBAR can identify and classify WWW traffic according to the URL as well.

    Best of all, NBAR's capabilities are continually extended through the development of Packet Description Language Modules (PDLM). Not only do these PDLMs allow your NBAR deployment to identify more and more different types of traffic, but a router reload is not necessary, and you don't need a new IOS.

    We'll look at the command to load PDLMs in just a moment, but for now keep in mind that you're generally going to store PDLMs in Flash.

    You will need a Cisco CCO number to access PDLMs; the download page can be quickly accessed through your favorite search engine.

    NBAR can go above and beyond "just" examining port numbers. Through subport classification, NBAR can examine the payload and classify packets on other values, such as the Multipurpose Internet Mail Extension (MIME) type or, as previously mentioned, the URL. This detailed packet examination is called deep packet inspection. (NBAR cannot support more than 24 MIME or URL matches at the same time.)

    NBAR Configuration

    Cisco Express Forwarding (CEF) must be enabled on the interfaces that will run NBAR.

    Enabling NBAR protocol discovery (an optional command, but required for application monitoring):

    R2(config-if)#ip nbar protocol-discovery

    Verify with show ip nbar protocol-discovery. To illustrate the results, I ran BGP on this interface for a few minutes before running this command. This command's output is verbose to say the least, so I will not show the entire output here.

    R2#show ip nbar protocol-discovery
     Serial0/0
                             Input                     Output
                             -----                     ------
      Protocol               Packet Count              Packet Count
                             Byte Count                Byte Count
                             5min Bit Rate (bps)       5min Bit Rate (bps)
                             5min Max Bit Rate (bps)   5min Max Bit Rate (bps)
      bgp                    19                        38
                             1197                      2033
                             0                         0
                             0                         0

    Loading a PDLM (assuming the PDLM is in Flash):

    R2(config)#ip nbar pdlm ?

    WORD Full path of the PDLM file

    R2(config)#ip nbar pdlm flash://ccnp.pdlm

    To verify the port numbers used by NBAR, run show ip nbar port-map. To verify a single port number, put the protocol name at the end of that command. I've truncated the output of the first command.

    R2#show ip nbar port-map

    port-map bgp udp 179

    port-map bgp tcp 179

    port-map citrix udp 1604

    port-map citrix tcp 1494

    port-map cuseeme udp 7648 7649 24032

    port-map cuseeme tcp 7648 7649

    R2#show ip nbar port-map dns

    port-map dns udp 53

    port-map dns tcp 53

    NBAR Limitations And Restrictions

    If you're interested in using NBAR in your network, be sure to visit Cisco's website for the latest documentation. In the meantime, here's a partial list of NBAR's limitations.

    NBAR does *not* support or analyze:

    Non-IP traffic

    MPLS packets

    Fragments

    Packets created by the local router (the one actually running NBAR)

    Packets destined for the local router

    Additionally, you cannot run NBAR on these interface types:

    Interfaces running encryption or tunneling

    Dialer interfaces

    Fast Etherchannel (NOTE - that's Fast Etherchannel, not Fast Ethernet)

    The dialer interface limitation was removed as of IOS 12.2(4)T.

    And one more thing... The only switching mode that supports NBAR is CEF.

    Configuring Traffic Classes And Policies With NBAR

    Creating these policies is a simple (and familiar) three-part process:

    Create the traffic class (class-map)

    Create the traffic policy (policy-map)

    Apply the policy to the appropriate interfaces (service-policy)

    I placed "class" and "policy" in italics to remind you of the proper order - creating the policy first won't work!

    Should Incoming Traffic Markings Be Trusted?

    As network admins, we're suspicious types by nature, and that suspicion should extend to incoming CoS, IP Prec, and DSCP values as well!

    A trust boundary is the point at which your network no longer trusts such an incoming value. For example, let's look at a three-switch network - two switches that are under our direct control, and one that is not.

    Congestion Avoidance, Policing and Shaping

    Congestion Avoidance

    Tail Drop, RED and WRED

    Traffic Shaping and Policing

    Payload Compression Methods

    Header Compression Methods

    Intro to Link Fragmentation and Interleaving

    When the queue is full, packets that are trying to queue up for transmission literally have nowhere to be put! These packets are then subject to tail drop, which is a fancy way of saying "you're being dropped because we have no place to put you".

    You know that TCP has a detection and recovery scheme when it comes to missing segments, so tail drop is no big deal, right? Quite the opposite, it's a huge deal.

    The problem starts innocently enough, as the senders realize their TCP packets are being dropped. As we'd expect, the senders then throttle back on their transmission speed. After doing so, the senders will then gradually speed their transmission rates back up.

    As multiple senders increase their transmission rates, the queue will fill up again, and the senders will again almost simultaneously slow their transmission rates, followed by another near-simultaneous increase. As a result of this global synchronization, the links are perpetually in one of two states - congested or underutilized.

    Basically, the network ends up being either hammered or not being used to its full potential, and those are both circumstances we want to avoid. One way to avoid global synchronization is through the use of Random Early Detection (RED).

    Random Early Detection (RED)

    At first glance, you might wonder what the difference is between RED and tail drop. If packets are being dropped randomly by RED - and from the name, obviously they are - why not just use tail drop?

    RED is preferred over tail drop due to RED's ability to see that the queue is becoming congested before it's totally congested - that's the "early detection" part of RED. Another benefit of RED is its ability to drop packets at a higher rate as the queue length approaches its maximum.

    RED will use three separate values to perform this congestion detection:

    Minimum Queue Threshold - This is when RED begins to drop packets.

    Maximum Queue Threshold - At this level, RED is dropping as many packets as it can.

    Mark Probability Denominator - Value used by RED to decide exactly how many packets "as many packets as it can" is.

    RED has a different packet drop behavior for each of those situations.

    No Drop: When the number of packets in the queue is between zero and the minimum, RED drops no packets. After all, if the queue size is below the minimum threshold, why drop packets?

    Random Drop: Between the minimum and maximum thresholds, packets are randomly dropped ("early detection"). As the queue size gets closer to the maximum, RED increases the drop rate.

    Full Drop: When the queue size exceeds the maximum, all newly-arrived packets are dropped until the queue size no longer exceeds that maximum. If that sounds like tail drop, that's because it is!

    The mark probability denominator determines the probability of a packet being dropped when the number of packets in the queue reaches the maximum threshold. That might sound complicated, but it's not:

    When the average queue size reaches the maximum threshold value, drop 1 of every packets.

    If the MPD is set to 5, one out of every 5 packets will be dropped when the average queue size hits the maximum threshold (a 20% drop probability). If the queue size exceeds the maximum threshold, Tail Drop behavior goes into effect.

    RED is a major improvement over Tail Drop, but it still doesn't give us a great deal of control over the entire queueing and dropping process. With one simple word, though, we do gain that control - when we use Weighted Random Early Detection (WRED).

    Weighted Random Early Detection

    The "weight" in WRED refers to the amount of importance assigned to a given traffic type. IP Prec and DSCP values can be used to assign this weight, and here we'll concentrate on IP Precedence.

    Since there are multiple IP Precedence values, multiple weights and thresholds can be assigned, indicating to the router that certain traffic types should be subject to packet drop before other higher-priority traffic. This allows WRED to selectively drop packets, rather than just the total random drop of RED.

    IP Precedence values range from 0 - 7, with 7 as the highest precedence. Here's a breakdown of all IP Prec values and their common names:

    7 - Network
    6 - Internet
    5 - Critical
    4 - Flash-Override
    3 - Flash
    2 - Immediate
    1 - Priority
    0 - Routine

    Enabling WRED is simple enough:

    R3(config)#int serial0

    R3(config-if)#random-detect

    When WRED is enabled, two values are set -- the weight value used in the average queue length configuration is set to 9, and the mark probability denominator for all IP Prec values is set to 10.

    What's that? I didn't give you the formula WRED uses to calculate the average queue size? Here you are....

    (old_average * (1 - 1/2^n) ) + (current_queue_size * 1/2^n)

    I wouldn't spend a great amount of time memorizing that formula, but there it is! "n" is set to 9 by default, and Cisco documentation recommends that you leave that at the default. So do I! But if you have a truly great reason for changing this value, you can do so with this command:

    R3(config-if)#random-detect exponential-weighting-constant ?

    integer in 1..16 used in weighted average to mean 2^number
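    As an added example (my code, not from the course material), here is the slide's average-queue-size formula in Python together with the RED drop profile driven by the minimum threshold, maximum threshold and mark probability denominator; the thresholds and queue depths are constructed. It also shows why the default n = 9 makes the average a slow-moving one.

```python
# Added example, not part of the original course material: the WRED average
# queue-size formula from the slide, and the RED drop profile driven by the
# minimum threshold, maximum threshold and mark probability denominator (MPD).
# All queue depths and thresholds below are constructed values.

def average_queue_size(old_average: float, current_queue_size: int, n: int = 9) -> float:
    """(old_average * (1 - 1/2^n)) + (current_queue_size * 1/2^n); n defaults to 9."""
    weight = 1.0 / (2 ** n)
    return old_average * (1.0 - weight) + current_queue_size * weight


def drop_probability(avg: float, min_th: int, max_th: int, mpd: int = 10) -> float:
    """RED profile: no drop below min_th, a linear ramp up to 1/mpd at max_th,
    and tail drop (probability 1) once the average exceeds max_th."""
    if min_th >= max_th or mpd < 1:
        raise ValueError("need min_th < max_th and mpd >= 1")
    if avg < min_th:
        return 0.0
    if avg > max_th:
        return 1.0
    return (avg - min_th) / (max_th - min_th) / mpd


def samples_until_average_reaches(depth: int, threshold: float, n: int = 9,
                                  limit: int = 100_000) -> int:
    """Starting from an empty queue, hold the instantaneous depth constant and
    count how many samples the weighted average needs to reach the threshold.
    Returns -1 if the limit is hit (e.g. the depth is below the threshold)."""
    avg = 0.0
    for sample in range(1, limit + 1):
        avg = average_queue_size(avg, depth, n)
        if avg >= threshold:
            return sample
    return -1


if __name__ == "__main__":
    MIN_TH, MAX_TH, MPD = 20, 40, 5          # constructed WRED profile
    for avg in (10, 20, 30, 40, 41):
        p = drop_probability(avg, MIN_TH, MAX_TH, MPD)
        print(f"average queue {avg:2d} -> drop probability {p:.2f}")
    # With the default n = 9 the average tracks the real queue slowly: a queue
    # that jumps to 40 packets and stays there needs hundreds of samples before
    # the average even crosses the minimum threshold. With n = 1 it takes one.
    for n in (1, 9):
        print(f"n={n}: average reaches {MIN_TH} after "
              f"{samples_until_average_reaches(40, MIN_TH, n)} samples")
```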

    Traffic Shaping And Policing

    These two terms are often mentioned jointly, but they are far from the same thing.

    Traffic shaping is more of a "friendly" policy toward excess traffic. When traffic shaping is in effect, non-conforming traffic will be buffered on its way to eventually being transmitted. Traffic shaping is particularly effective when your network has to deal with bursty traffic on a regular basis.

    Traffic policing is a whole other ball game. One of two things is going to happen to non-conforming traffic when policing is in effect:

    The traffic is dropped

    The traffic is demoted in importance ("re-marked")

    By the way, the technical term for non-conforming traffic is "out of profile", which results in the non-technical-sounding "OOP" acronym.

    Before we look at some policing and shaping configurations, let's look at the other major differences between the two.

    Traffic policing can be applied on both an incoming and outgoing basis; traffic shaping can only be applied to outgoing traffic.

    TCP retransmissions do occur as a result of dropped packets when policing is in effect. These retransmissions occur with traffic shaping as well, but there will not be as many since traffic shaping does buffer OOP packets.

    Traffic policing does consider packet marking and will perform packet re-marking, but traffic shaping doesn't have anything to do with either packet marking or re-marking.

    Traffic policing is more complex to configure than shaping, so we'll tackle that one first. A traffic policy is actually applied in a policy map, so the first part of the configuration will look very familiar! There are quite a few options in a traffic policing config, so we'll use IOS Help quite a bit in this section.

    In this example, we'll assume that we want to police traffic sourced from 172.1.1.0 /24.

    Now let's start using IOS Help to see our traffic policing options. For this config, we'll need to define three separate values. From left to right in the police command, they are:

    Average transmission rate

    Normal burst size

    Excess burst size

    Compression Methods

    Another good way to avoid congestion is to compress some of the data we're transmitting. We've got quite a few options when it comes to compression, so let's start at Layer Two.

    L2 compression is actually L2 payload compression, an important distinction from compression methods we'll look at later in this course that only compress packet headers. From past Cisco exams, you're probably familiar with these three L2 compression methods:

    Stacker

    Predictor

    Microsoft Point-To-Point Compression

    Cisco's website recommends that you choose Predictor if the congestion is due to an overloaded router, while Stacker is a good selection if limited bandwidth is the issue. Additionally, Cisco's recommendation is that you disable compression if the CPU load goes over the 40% mark.

    Not all routers have hardware-based compression capabilities, but if you're working on one that does, be aware that hardware-based compression is much easier on the CPU than software-based compression. The hardware-based compression process is also faster than software-based, resulting in less delay before the compressed data is transmitted.

    Obviously, we're only compressing the header here, so CPU load really isn't an issue. What can be an issue is getting the syntax right!

    Before we look at these compression methods in action, take note that these two methods compress different headers:

    RTP HC compresses the IP, RTP, and UDP headers

    TCP HC compresses the IP and TCP headers only

    You may be familiar with the passive option from your CCNA studies. When this option is used, headers destined for a given destination are compressed only if headers on packets from that same destination arrived in a compressed state.

    If you choose IETF compression, the remote routers must be configured for IETF as well. You can't run IETF compression on Frame Relay interfaces.

    There's a third option that's not available on all routers, and that is iphc-format. This command enables the IP Header Compression (IPHC) header compression method. When IPHC is in effect on an interface running HDLC or PPP, RTP header compression will also be enabled. As with IETF header compression, IPHC compression cannot run on interfaces enabled with Frame Relay.

    Configuring TCP HC on interfaces running Frame Relay is a little different. I did get an interesting result when attempting to configure IETF encapsulation on an interface that was already running Frame. We're not supposed to be able to do that, right?

    RTP Header Compression

    Realtime Transport Protocol compression is configured in much the same fashion as TCP HC. At the interface level, it's enabled with the ip rtp header-compression command. As with TCP HC, configuring passive RTP compression means that outbound RTP packets only have their headers compressed if that same interface is receiving RTP packets with their headers compressed.

    What Exactly Does RTP HC Compress, Anyway? Part 1

    It's pretty easy to figure out what TCP HC compresses, but what about RTP HC? RTP HC will compress RTP headers, certainly - but it will also compress IP and UDP headers. Therefore, if you're using both compression methods, you're compressing both TCP and UDP headers.

    What Exactly Does RTP HC Compress, Anyway? Part 2

    RTP compression can result in quite a bit of overhead reduction. Consider those three headers and their size:

    IP Header: 20 bytes

    UDP Header: 8 bytes

    RTP Header: 12 bytes

    RTP HC will result in that overall header size being reduced to anywhere from 2 to 4 bytes, depending on whose documentation you're reading.

    So Which One Do I Use In My Network?

    In a nutshell, use TCP HC for data transmission and RTP HC for Voice transmissions. In the past, a combination of LLQ and RTP HC has worked nicely for voice transmissions, since LLQ creates that strict priority queue for voice. Team that up with RTP HC and you've got a great way to speed up Voice transmissions.

    For good ol' basic data transmissions, I personally prefer CBWFQ with TCP HC, but you can use WFQ as well.

    Link Fragmenting And Interleaving

    In today's networks, we've basically got two packet types: delay-sensitive, and non-delay-sensitive. Obviously, we want to get that delay-sensitive (voice, most likely) traffic to its destination as quickly as possible, but we can't just ignore the regular data traffic to do so.

    LFI operates at Layer 2 and it allows these two traffic types to be sent almost simultaneously. It sounds complicated, but as we like to say around here, the name is the recipe.

    The data packets will be fragmented, and then those fragments are interleaved with the delay-sensitive packets. (This is a fancy way of saying that the fragments are mixed in with the delay-sensitive packets as they're sent across the link.)

    Once the fragments reach the other side of the link, they're put back together. Simple enough!

    LFI is primarily used on Frame Relay and ATM circuits, although you can configure LFI on a dialer interface for use with ISDN. Interestingly enough, while LFI does support Voice Over IP (VoIP), it does not support Voice over Frame Relay (VoFR) or Voice over ATM (VoATM).

    Let's walk through an example of configuring LFI on a frame circuit. First, we'll create a Virtual Template with our old friend ppp multilink. After we enable ppp multilink, we'll enable LFI.

    End-to-End QoS

    End-to-End QoS And Preclassification

    Intro to VPNs

    QoS Preclassification

    SLAs Defined

    The Control Plane And CoPP

    The "V" in VPN stands for Virtual, and that's exactly the kind of connection you have when you "VPN in" to your network. You "tunnel" through an existing physical line to get to your destination, and of course, that tunnel is a logical one.

    The actual tunneling occurs by placing one packet into another packet and then transmitting that "tunneled packet" over the logical connection. The tunnels are configured on the routers - the switches and PCs in the following example don't even know that tunneling is occurring.

    This would actually be okay, since the ToS will be copied from the original packet to the header of the encapsulating packet. Therefore, if we're using IP Precedence or DSCP for QoS policies, we have no problems.

    If we're using other values, such as a source or destination IP address or port number, we do have a problem - because those values are not copied to the header of the encapsulating packet.

    Generic Routing Encapsulation (GRE)

    GRE uses IP protocol 47 and is defined in RFC 1702, and it follows a basic two-step process. First, the payload is encapsulated in a GRE packet...

    ... and the GRE packet itself is then encapsulated by the transport protocol, the protocol that will be used to transport the packet across the tunnel. (GRE is the carrier protocol, and the protocol at the very center of this process is the passenger protocol.)

    We've also got IPSec tunnels, and IPSec actually offers us two choices - tunnel mode and transport mode. You'll learn (much) more about these options in your ISCW studies, but for now it's enough to know that all three of the tunneling options we've discussed

    GRE

    IPSec Tunnel mode

    IPSec Transport mode

    ... all copy the original ToS setting to the "outside" IP header. Therefore, if we're classifying traffic by ToS, tunneling doesn't cause any issues. But if we're using another value, an issue does exist - an issue that really wastes all of our earlier QoS configurations.

    Regardless of which option you're using, the packets we send across the tunnel will have identical headers, which means they'll all be treated the same.

    That means that important, jitter-sensitive voice traffic will be treated the same as "regular" data traffic. Not that regular data isn't important, but packet equality is the opposite of what we're trying to accomplish with QoS; the basic concept of QoS is that we don't want every packet treated identically.

    Luckily, Cisco routers offer QoS Preclassification, a feature that allows a packet to be classified by its original QoS marking before the tunneling process makes that impossible. Basically, QoS Preclassification makes it possible to apply a QoS policy to tunneled packets, which would otherwise be impossible due to the encapsulation process.

    When And Where To Use QoS Preclassification

    If the policy involves values derived from the ToS - namely, IP Precedence and DSCP - QoS Preclassification is not necessary, since the ToS value is copied from the header of the encapsulated packet to the header of the encapsulating packet.

    If the policy involves IP addresses, port numbers, or other values not derived from the ToS, QoS Preclassification is necessary to ensure that high-priority packets are given the attention they deserve.


    When it comes to applying the actual policy, we can apply it to either the tunnel interface or the physical interface. We've got two decisions to make before doing so:

    Do we need QoS Preclassification?

    On which interface should the policy be applied?


    Cisco's official recommendation for the various scenarios is as follows:

    If the policy is to be applied to the tunnel interface only and packets are to be classified according to the pre-tunnel header, do NOT use the qos pre-classify command.


    If the policy is to be applied to the physical interface and packets are to be classified according to the pre-tunnel header, DO use the qos pre-classify command.


    If the policy is to be applied to the physical interface and packets should be classified according to the post-tunnel header, you obviously wouldn't use the qos pre-classify command.

    Additionally, a policy applied to a physical interface with multiple tunnels will result in all tunnels on that interface being subject to that policy. (Similar to what we saw with Frame Relay compression techniques in another part of the course.)
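As an added example (not configuration from the course), here is the second scenario above worked out: the policy sits on the physical interface, but voice must be recognized by its pre-tunnel UDP port range, which the GRE encapsulation hides, so the tunnel interface needs qos pre-classify. Interface names, addresses (documentation ranges), ACL and policy names, and the bandwidth figures are constructed assumptions.

```cisco
! Added example, not from the course. Names, addresses and rates are constructed.
! Voice is identified by its pre-tunnel UDP port range (a non-ToS value), so
! the tunnel interface must pre-classify before the outer header is added.
ip access-list extended VOICE-RTP
 permit udp any any range 16384 32767
!
class-map match-all VOICE
 match access-group name VOICE-RTP
!
policy-map WAN-EDGE
 class VOICE
  priority percent 33
 class class-default
  fair-queue
!
interface Tunnel0
 ip address 10.1.1.1 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 203.0.113.2
 ! Classify on the inner (pre-tunnel) header before encapsulation
 qos pre-classify
!
interface Serial0/0
 ip address 203.0.113.1 255.255.255.252
 bandwidth 1544
 ! The policy lives on the physical interface, so pre-classification is required;
 ! without it every tunneled packet would fall into class-default
 service-policy output WAN-EDGE
```

To check the result, watch show policy-map interface Serial0/0 while voice flows through the tunnel: the VOICE class counters should increment. If they stay at zero and class-default grows, the pre-classify line is missing or the policy is on the wrong interface.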


    QoS Service Level Agreements (SLA)

    An SLA is simply the agreement between a customer and an ISP.

    The ISP promises to supply your network with a certain level of service, and you agree to supply the ISP with money.

    The more money you supply, the higher level of service your network receives!


    The Control Plane and Control Plane Policing (CoPP)

    A Cisco router has four overall planes:

    Control

    Management

    Data

    Service

    It's the Control and Management planes we'll protect with our CoPPs!


    The number and variation of attacks on the Control Plane (including DoS attacks), as well as the need for QoS at the Control Plane level, has led Cisco to recommend CoPP configuration as a best practice. Before we configure CoPP, we should know what the Control Plane actually does!

    A Cisco router's control plane is vital to the overall operation of the router. This plane handles network control traffic, including keepalives and routing update packets - and without those, we don't have much of a network!


    CoPP allows us to configure QoS and security rules on the Control Plane just as if it were a regular router port. That means we can have one set of rules for incoming packets ("ingress port") and another set of rules for exiting packets ("egress port").


    Cisco's website lists four steps to a successful CoPP configuration:

    Define packet classification criteria

    Define the service policy

    Enter control-plane configuration mode

    Apply QoS policy


    AutoQoS


    AutoQoS

    The 3 Basic QoS Config Methods

    Intro to AutoQoS

    Prerequisites

    VoIP and Enterprise

    Live Demo of SDM and AutoQoS Wizard


    We've got three methods of configuring and applying QoS

    Legacy CLI ("legacy" = "old")

    MQC ("Modular QoS CLI")

    AutoQoS ("Automated / Automatic QOS")

    Throughout the course, we've been creating ACLs, calling those ACLs with class maps, writing policy maps that in turn call the class maps, and then finally we've been applying the policy maps. You may *think* we were using the CLI, but in truth we were using the MQC.


    MQC requires less configuration than using the CLI, and as we've seen, it allows for a great deal of control and the opportunity to truly fine-tune your network.

    AutoQoS actually discovers what applications you've got running on your network - with the help of NBAR - and automatically creates the appropriate QoS deployment. That includes ACLs, class maps, policy maps, and the application of the policy!


    AutoQoS is Cisco's attempt to make configuring QoS easier in today's complex networks. Several of their documents mention a cost savings as well, since this app makes it possible for someone without in-depth knowledge of QoS to successfully deploy QoS in their network. The phrase "without calling a consulting firm and paying a consultant" is left unspoken.

    Frankly, some control freaks (like me) have a hard time letting go of manually configuring QoS - that can be the hardest part of running AutoQoS! But once you work with AutoQoS, you'll wonder how you did without it. It's hard for anyone to think of everyone, even a network admin, but look at just a partial list of what AutoQoS will take care of for us!


    On The WAN Side ....

    Autoconfiguration of LLQ for voice traffic, as well as guaranteeing a certain level of bandwidth to that voice traffic.

    Dynamically configures and enables RTP Header Compression (cRTP), as well as link fragmentation and interleaving (LFI)

    Autoconfigures class-based traffic shaping as needed in compliance with Cisco best practice

    Overall, supports Frame, ATM, PPP, and HDLC - but there are certain interface types that do not run AutoQoS.

    Congestion avoidance with WRED


    And on the LAN Side....

    Establishes trust boundaries as needed, especially at the IP Phone

    Uses LLQ for voice traffic and WRR for data traffic

    Dynamically resizes queues and changes queue weights as deemed necessary


    What interface types support AutoQoS?

    Frame Relay and ATM PTP subinterfaces

    Serial interfaces running PPP or HDLC

    ATM-to-Frame transitional links

    ATM PVCs


    AutoQoS Prerequisites

    For WAN interfaces, the following must be configured:

    An IP address on a "slow" link (always helpful)

    bandwidth command is required on both ends of the link

    CEF must be enabled

    NBAR will be used to identify applications and traffic

    Here's what must NOT be configured:

    QoS policies must be removed from the interface(s) that will run AutoQoS


    There are two flavors of AutoQoS:

    AutoQoS VoIP - runs on routers and Cat switches

    AutoQoS Enterprise - runs only on routers. Consists of two stages, Autodiscovery (using NBAR) and Template Generation And Installation.

    CEF must be enabled for any version of AutoQoS to work correctly.


    AutoQoS For VoIP

    First supported in IOS 12.2(15)T, Cisco's website lists quite a few benefits for AutoQoS VoIP, including:

    Establishment of trust boundaries, especially with Cisco IP Phones and access ports

    Autoconfiguration of strict priority queuing for VoIP traffic (LLQ) and weighted round robin (WRR) transmission of data

    Dynamic modification of queue sizes and weights as needed

    QoS configuration is simpler and cheaper (maybe)


    AutoQoS for VoIP has two requirements and about 30 warnings. Let's look at the requirements first:

    An IP address must be configured on the interface or subinterface

    The bandwidth command must be configured on those interfaces

    The bandwidth command's value will be used by the AutoQoS process, so we need to double-check that value's accuracy.


    AutoQoS for VoIP will create global templates for ACLs, class maps, and policy maps - everything we need for QoS! However, any preexisting service policy must be removed from any interface that will be running AutoQoS for VoIP.

    Additionally, if you're going to run SNMP traps, the SNMP server should be enabled. (Another good idea.)


    AutoQoS VoIP runs on these interface types:

    Serial interfaces running HDLC or PPP

    Frame Relay DLCIs on PTP subinterfaces (no map classes)

    ATM PTP PVCs (both slow and high-speed)

    ATM-To-Frame transitional links

    Virtual templates will conflict with AutoQoS.


    If the serial interface is a low-speed link (less than or equal to 768 kbps), there are even more restrictions!

    The bandwidth command at each end of the link must be the same

    AutoQoS for VoIP must be configured at each end of the link


    Basic AutoQoS VoIP Configuration

    The auto qos voip command just about does it all --- ACL creation, class and policy map configuration, and interface configurations.

    The key is really remembering all of the prerequisites!

    CEF must be enabled

    Slow links must have an IP address

    Bandwidth command must be configured

    Verify with show auto qos, which will show you the class maps, policy maps, and interface configs created and applied by AutoQoS.


    AutoQoS For The Enterprise ("Enterprise")

    Two phases: Auto-Discovery and Template Generation & Application.

    As with AutoQoS for VoIP, a major benefit of Enterprise is that an in-depth knowledge of QoS and other Cisco technologies is not necessary to create a QoS deployment.

    Enterprise is supported on PPP and HDLC links, ATM PVCs, Frame DLCIs (PTP only), and ATM-to-Frame transitional links.


    "To-Do" List for Enterprise:

    Remove preexisting service policies.

    Make sure the SNMP server is up and running if SNMP traps are to be used.


    Restrictions from AutoQoS for VoIP are present in Enterprise.

    1. No map classes on Frame DLCIs

    2. No virtual templates on ATM-To-Frame transitional links.


    Phase One: Auto-Discovery

    Answers the question "What traffic's running on our network, anyway?"

    Untrusted mode: NBAR is used to collect network traffic information.

    Trusted mode: Packets are classified according to DSCP value.

    CEF must be enabled before configuring Auto-Discovery, regardless of mode.

    To start: auto discovery qos

    To stop: no auto discovery qos


    Phase Two: Template Generation & Application

    Answers the question "Now that we know what traffic's running on our network, what are we gonna do about it?"

    The data collected in Phase One will be used to create templates, which in turn are used to create class maps and policy maps. The resulting policy is then applied to the appropriate interface.

    To start Phase Two: auto qos

    To stop Phase Two: no auto qos


    Why would we ever stop either phase?

    The bandwidth value we configure is vital to the creation of appropriate QoS values in AutoQoS. If you change this value, AutoQoS does *not* dynamically adapt to the new value. You'll have to stop and then restart both phases.
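As an added example (not configuration from the course), here are both AutoQoS flavors side by side with the prerequisites in place: AutoQoS VoIP on one slow serial link, AutoQoS Enterprise's two phases on a second link, and the stop-and-restart sequence that a bandwidth change forces. Interface names, addresses, bandwidth values and the old policy name are constructed assumptions; the other end of each slow link needs the same bandwidth value and its own AutoQoS configuration, as the restrictions above state.

```cisco
! Added example, not from the course. Names, addresses and bandwidths are constructed.
!
! Prerequisite for every AutoQoS flavor
ip cef
!
! AutoQoS VoIP on a slow HDLC link: IP address and bandwidth first, any
! preexisting service policy removed, then the single auto qos voip command.
! "trust" accepts existing DSCP markings; leave it off to classify with NBAR.
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
 bandwidth 512
 no service-policy output OLD-WAN-POLICY
 auto qos voip trust
!
! AutoQoS Enterprise on a second link, Phase One (untrusted mode: NBAR
! collects traffic statistics until you are satisfied with the sample)
interface Serial0/1
 ip address 192.0.2.5 255.255.255.252
 bandwidth 768
 auto discovery qos
!
! ... let Auto-Discovery run across representative traffic, then Phase Two
! generates the templates and applies the resulting policy to the interface
interface Serial0/1
 auto qos
!
! Changing the bandwidth later: AutoQoS does not adapt on its own, so tear
! down both phases, set the new value, and run both phases again
interface Serial0/1
 no auto qos
 no auto discovery qos
 bandwidth 1024
 auto discovery qos
!
! ... collect again with the new bandwidth, then regenerate and apply
interface Serial0/1
 auto qos
```

show auto qos lists the generated class maps, policy maps and interface configuration for both flavors; show auto discovery qos reports what Phase One has collected so far on the Enterprise link, which is the place to look before committing to Phase Two.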


    Introduction to Wireless LANs


    WLAN Basics

    DCF and WMM

    SSID and MAC Address Authentication

    WEP, WPA, and WPA2

    EAP, LEAP, and other EAPs


    CSMA/CD vs. CSMA/CA Part 1

    Ethernet has CSMA/CD, and wireless networking has CSMA/CA, Carrier Sense Multiple Access with Collision Avoidance. CSMA/CA works much the same as CSMA/CD

    a host that wants to transmit must listen first to see if another host is transmitting

    if the channel is idle, the host can transmit

    if the channel is busy, the host can't transmit, and must invoke a random backoff timer


    CSMA/CD vs. CSMA/CA Part 2

    So what's the real difference between CSMA/CD and CSMA/CA? CA is used on wireless networks, and jam signals will not be sent over a wireless network. Collisions are not detected on a wireless network, they can only be avoided, so we use CSMA/CA instead of CD.


    The Distributed Coordination Function (DCF) vs. WiFi Multimedia (WMM)

    The IEEE 802.11 WLAN standards use the DCF to implement the DIFS backoff timer mentioned earlier. With normal data transfer, the DIFS interval doesn't cause much trouble - except with our delay-sensitive traffic, voice and video!

    That's where WMM comes in! WMM is actually QoS for our WLAN traffic, since priority is given to delay-sensitive traffic while making regular data wait its turn. The WMM standard makes a point of mentioning that absolute QoS is not guaranteed, but it's a major step forward over DCF.

    Actually, since WMM uses an enhanced version of DCF, that version is called - you guessed it! - Enhanced DCF (EDCF). WMM and EDCF allow for true QoS over a wireless connection, although it is not guaranteed.


    Where DCF is best-effort delivery, WMM has four preset priority levels:

    Platinum (for voice)

    Gold (for video)

    Silver (for everything else - best-effort)

    Bronze (background traffic)

    Just as PQ uses the third queue down (the Normal queue) for traffic that has not been specifically assigned to another queue, WMM uses the Silver queue for its default queue.


    When it comes to wireless standards, we're in a hurry. 802.11e was actually in the process of being ratified when the Wi-Fi Alliance (http://www.wi-fi.org/) released WMM.

    While WMM has four priority levels, 802.11e has eight priority levels. Here's how these levels map to each other:

    Platinum (Voice) - 802.11e Priority Level of 6 or 7

    Gold (Video) - 802.11e Priority Level of 4 or 5

    Silver (Best-Effort) - 802.11e Priority Level of 0 or 3

    Background (Bronze) - 802.11e Priority Level of 1 or 2


    Lightweight Access Points

    Many WLANs start small and end up, well, not so small! At first, centralizing your security policies doesn't seem like such a big deal, especially when you've only got one access point.

    As your network grows larger and more access points are added, having a central policy does become more important. The more WAPs you have, the bigger the chance of security policies differing between them - and the bigger the chance of a security breach.

    Let's say you add two WAPs to the WLAN network shown above. Maybe they're configured months apart; maybe they're configured by different people - but the result can be a radically different set of security standards.


    While having a centralized QoS policy isn't as important as having a single security policy, it doesn't hurt, either! The WLAN controller is capable of handling QoS tasks as well as security tasks, and the primary task is mapping one QoS value to another. With an end-to-end communication, we will have three different values in play:

    Layer 2 - 802.1p

    Layer 3 - DSCP

    WMM priority values

    It's the WLAN controller that will handle mapping one value to another when necessary.


    As always, there's a tradeoff with any benefit! Having centralized WLAN controllers does help to standardize security and QoS policies, but we can't have the controller handle all AP operations. The split MAC architecture does just what it sounds like - it splits the MAC layer processing between the WLAN controller and the APs.


    "War Driving"

    Many of us (ahem) have done this without even knowing it had such a dramatic-sounding name! The term "war driving" refers to the process of driving around a neighborhood or business district in hopes of finding a non-secured WLAN. ("war driving" is derived from "war dialing", a term from the film WarGames).

    There's one very sad fact about many of today's WLANs: The WLAN devices have basic security features that are easy to configure - and many users just don't take the time to configure them.

    Regardless of what it's called, as WLAN security admins, we need to stop it! Here are a few methods of doing so.


    Service Set Identifier (SSID)

    When you configure a name for your WLAN, you've just configured a SSID. The SSID theory is simple enough - if the wireless client's SSID matches that of the access point, communication can proceed. The SSID is case-sensitive and it has a maximum length of 32 characters.

    A laptop can be configured with a null SSID, resulting in the client basically asking the AP for its SSID; if the AP is configured to broadcast its SSID, it will answer and communication can proceed.


    MAC Address Authentication

    During your CCNA studies, you learned about a Cisco switch feature called port-based authentication. This authentication scheme allowed a device to successfully authenticate only if its MAC address was considered secure for that particular port. There are WLANs set up to use MAC addresses in a similar fashion.

    Basically, the AP keeps a list of secure MAC addresses; devices with a secure MAC address can authenticate successfully, while those with a non-secure MAC cannot.

    If this strikes you as fine for a switchport but not fine for a WLAN, well, I agree with you! It's pretty easy to spoof a MAC address, especially when there is no physical connection between the client and the access point.


    WEP, WPA, And WPA2

    These three WLAN security standards are the result of two evolutions:

    WEP came first

    WPA evolved from WEP

    WPA2 evolved from WPA

    There are significant differences between the three, so let's take a look at each while comparing them at the same time.


    Wired Equivalent Privacy (WEP)

    Wired Equivalent Privacy (WEP) has some real problems:

    Clear-text keys

    Static keys (makes passwords easier to guess)

    One-way authentication (client does not authenticate AP, making it easier for rogue access points to infiltrate the WLAN)

    Encryption scheme is very easily broken in a matter of seconds

    Other than that, it's pretty good. :)


    WEP supports two forms of authentication, open and shared key. Open authentication is pretty much what it sounds like - the virtual door to an AP is wide open. Any device can authenticate and then open communication with the AP.

    According to Cisco's website, if both devices are using WEP but the key on the client does not match that of the AP, authentication will succeed but data cannot be successfully passed.


    I hope the phrase "clear-text challenge" sets off alarm bells! This clear-text transmission results in shared key authentication actually being considered less secure than open authentication!


    WEP was ratified by the IEEE in 1999, and things have changed just a bit since then! WEP can be broken by easily-obtained software programs in a matter of seconds, so it's a good idea to avoid WEP unless it's the only option you have. And if it is the only option you have, buy something that does give you more options!

    The next step in WLAN security was Wi-Fi Protected Access (WPA). WPA works with all wireless NICs, but you may have trouble running it on legacy (old) APs. If you can't run WPA on your APs, it's time to get some new APs.


    WPA's strengths

    Two-way authentication ("mutual authentication")

    Dynamic keys and a stronger encryption scheme through use of Temporal Key Integrity Protocol (TKIP, "tee-kip")

    WPA uses an 8-byte Message Integrity Check (MIC), sometimes called "Michael", to protect against replay attacks, spoofing, and man-in-the-middle attacks.

    WPA uses 802.1x or pre-shared keys (PSK) for authentication


    Some additional details regarding TKIP:

    The use of TKIP made it possible to use legacy ("old") hardware that had originally been created with WEP in mind.

    Both WEP and TKIP use the RC4 stream cipher for encryption, but TKIP protects RC4 keys via per-packet key mixing, which results in every packet having a unique encryption key


    WPA requires the use of a passphrase rather than a password. The recommended length of a passphrase is 20 - 30 characters, which will immediately have some users running WEP simply because WEP allows a short password to be configured.


    There's always the legacy issue to consider when it comes to backwards compatibility, but at this point, you should strongly consider replacing WLAN equipment that does not support WPA or a later, stronger solution.

    Choosing the correct EAP flavor can be a challenge - moreabout that later.

    There's a potential issue with "Michael" (MIC). An access point that runs WPA will shut down its Basic Service Set if it receives two packets, one right after the other, that have a bad MIC. A DoS attack specifically designed to counteract Michael can take advantage of this situation.

    Another potential issue lies with the use of pre-shared keys (PSK). If a small passphrase is allowed and then intercepted, a dictionary attack can be run by an attacker, resulting in a compromised passphrase.
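As an added example (not configuration from the course), here is the corrected setting for the PSK issue just described on an autonomous Cisco Aironet access point: WPA2 key management, the AES-CCMP cipher that the course turns to next rather than TKIP/RC4, and a pre-shared passphrase of the recommended 20-30 character length. The SSID, the passphrase placeholder and the radio interface are constructed assumptions; the command syntax is the autonomous Aironet IOS form.

```cisco
! Added example, not from the course. SSID and passphrase placeholder are
! constructed; autonomous Aironet IOS syntax.
dot11 ssid CORP-WLAN
 ! WPA/WPA2 key management rides on open authentication, never on
 ! WEP shared-key authentication (the clear-text challenge problem)
 authentication open
 authentication key-management wpa version 2
 ! A 20-30 character random passphrase is the mitigation for the
 ! offline dictionary attack; a short PSK is what makes it practical
 wpa-psk ascii 0 <REPLACE-WITH-A-LONG-RANDOM-PASSPHRASE>
!
interface Dot11Radio0
 ! CCMP (AES) only, so no client can negotiate down to TKIP/RC4
 encryption mode ciphers aes-ccmp
 ssid CORP-WLAN
```

Where the client base supports it, replacing the wpa-psk line with 802.1x/EAP authentication (the course's "EAP flavor" decision) removes the shared passphrase from the picture entirely. show dot11 associations on the AP confirms which key management and cipher each associated client actually negotiated.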


    http://www.sonicwall.com/downloads/WiFiSec_vs_WPA.pdf


    Here's what happened next:

    After WPA was ratified by the Wi-Fi Alliance, the IEEE came out with 802.11i.

    After the IEEE came out with .11i, the Wi-Fi Alliance came out with WPA2.

    The good news: .11i and WPA2 are fully compatible and interoperable. WPA2 is considered fully secure through its use of the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol, thankfully referred to as CCMP.

    This "fully secure" status is earne