October 5-8, 2009, Santiago, Chile

Advanced Campus QoS Design


BRKRST-2500

Marta Ferreyra
Network Consulting Engineer
Advanced Services
CCIE # 8672 - R&S – Voice

BRKRST-2500_c2 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 1
Agenda
• Introduction and Best Practices
• Campus QoS Design Considerations
• Cisco Catalyst® QoS Capabilities
  - 2960/3560/3750 and 3560-E/3750-E
  - Cisco Catalyst 4500 and 4948 QoS Design (Sup II+ through Sup 6-E)
  - Cisco Catalyst 6500 QoS Design
• QoS Deployment
  - Trust Boundary—Access Edge
  - Distribution/Core
  - Queuing
• Catalyst 4500 and 6500 Control Plane Policing
• Summary

Why Enable QoS?
HA, Security, and QoS Are Interdependent Technologies

(Figure: triangle linking Security, Quality of Service, and High Availability)

QoS:
• Enables UC and other collaborative applications
• Drives productivity by enhancing service levels to mission-critical applications
• Cuts costs by bandwidth optimization
• Helps maintain network availability in the event of DoS/worm attacks

Enabling QoS in the Network
Traffic Profiles and Requirements

Voice:
• Smooth
• Benign
• Drop sensitive
• Delay sensitive
• UDP priority
Bandwidth per call depends on codec, sampling rate, and Layer 2 media
One-way requirements:
• Latency ≤ 150 ms
• Jitter ≤ 30 ms
• Loss ≤ 1%

Video:
• Bursty
• Greedy
• Drop sensitive
• Delay sensitive
• UDP priority
Network requirements for video traffic can vary greatly, based on the type of application being used, as well as whether the media flows are standard or high definition.
One-way requirements:
• Latency ≤ 150–300 ms
• Jitter ≤ 10–50 ms
• Loss ≤ 0.05%

Data:
• Smooth/bursty
• Benign/greedy
• Drop insensitive
• Delay insensitive
• TCP retransmits
Traffic patterns for data vary among applications.
Data classes:
• Mission-Critical Apps
• Transactional/Interactive Apps
• Bulk Data Apps
• Best Effort Apps (Default)

Enabling QoS
Elements that Affect End-to-End Delay

(Figure: campus with Cisco CallManager cluster, IP WAN, and branch office with SRST router and PSTN; the delay components are shown along the path)

Delay component           Contribution
CODEC                     G.729A: 25 ms
Queuing                   Variable (can be reduced using LLQ)
Serialization             Variable (can be reduced using LFI)
Propagation and network   6.3 µs/km + network delay (variable)
Jitter buffer             20–50 ms

End-to-End Delay (should be < 150 ms)

Classification and Marking
How Should It Be Done?

QoS is implemented in hardware on the Catalyst switching platforms. Depending on the platform, QoS functions may be split across the Supervisor and linecards.

QoS features and capabilities could have dependencies on the specific forwarding engine and/or linecard hardware versions.

Classification and Marking
Where Should It Be Done?
Classification and marking should be performed as close as technically feasible to the sources so that prioritization may be implemented at congestion points throughout the network; DSCP should be used wherever possible…

(Figure: campus hierarchy Access / Distribution / Core / WAN Edge, with the trust boundary at the access layer)
• Access: classify and mark traffic at the physical port (trust boundary); queue on uplinks to Distribution.
• Distribution and Core: subsequent points in the network can now “trust” the marked values and queue based on these baseline values outlined below.
• LAN Edge: classification and initial marking. WAN Edge: trust pre-assigned DSCP markings.

DiffServ QoS Recommendations (RFC 4594-Based)
How Should Traffic Be Marked?

| Application Class | Per-Hop Behavior | Admission Control | Queuing & Dropping | Application Examples |
| VoIP Telephony | EF | Required | Priority Queue (PQ) | Cisco IP Phones (G.711, G.729) |
| Broadcast Video | CS5 | Required | (Optional) PQ | Cisco IP Video Surveillance / Cisco Enterprise TV |
| Realtime Interactive | CS4 | Required | (Optional) PQ | Cisco TelePresence™ |
| Multimedia Conferencing | AF4 | Required | BW Queue + DSCP WRED | Cisco Unified Personal Communicator |
| Multimedia Streaming | AF3 | Recommended | BW Queue + DSCP WRED | Cisco Digital Media System (VoDs) |
| Network Control | CS6 | | BW Queue | EIGRP, OSPF, BGP, HSRP, IKE |
| Call-Signaling | CS3 | | BW Queue | SCCP, SIP, H.323 |
| Ops / Admin / Mgmt (OAM) | CS2 | | BW Queue | SNMP, SSH, Syslog |
| Transactional Data | AF2 | | BW Queue + DSCP WRED | Cisco WebEx® / MeetingPlace® / ERP Apps |
| Bulk Data | AF1 | | BW Queue + DSCP WRED | E-mail, FTP, Backup Apps, Content Distribution |
| Best Effort | DF | | Default Queue + RED | Default Class |
| Scavenger | CS1 | | Min BW Queue (Deferential) | YouTube, iTunes, BitTorrent, Xbox Live |

Policing Design Principles
Where and How Should Policing Be Done?
Policing shall be applied as close to the traffic source as possible; in general, policing should be applied at the access layer of the network at the “Trust Boundary” during the initial classification and marking process; policing policies can be configured to drop offending traffic, or they can be configured to mark down excess traffic, specifying a different PHB or method of treatment

(Figure: access switch with an ingress marking policy with policer on the access ports and an egress queuing policy on the uplink to Distribution/Core)
• Ingress policy includes a policer for voice bearer traffic, based on the codec type and the number of concurrent calls. Excess traffic is dropped by the policer.
• Ingress policy includes a policer for data traffic. A baseline value is used. Traffic conforming to the policer is marked as 0. For excess traffic, the policer will ‘mark down’ to CS1 (DSCP 8), as opposed to dropping (Scavenger – RFC 3662).
• Ingress policy for video conferencing marks conforming traffic to AF41, while excess traffic is tagged as AF42 and violating traffic is marked as AF43 (Assured Forwarding – RFC 2597).
• Queuing policy will queue traffic on the uplink to Distribution/Core, where CS1 is allocated minimal bandwidth.

Scavenger-Class
What Is the Scavenger Class?

• The Scavenger class is based on RFC 3662—“A Lower Effort Per-Domain Behavior (PDB) for Differentiated Services”
• There is an implied “good faith” commitment for the “best effort” traffic class
  - It is generally assumed that at least some network resources will be available for the default class
• Scavenger class markings can be used to distinguish out-of-profile/abnormal traffic flows from in-profile/normal flows
  - The Scavenger class marking is CS1 (DSCP 8)
• Scavenger traffic is assigned a “less-than-best effort” queuing treatment whenever congestion occurs

Queuing Design Principles
Where Should It Be Done?
Queuing should be performed wherever there may be potential for congestion (even if a rare occurrence), ensuring consistency between Campus/WAN/VPN networks…

(Figure: recommended administrative trust domain; Core links are 10 Gigabit Ethernet with 8 egress queues, Distribution links are 1 Gigabit Ethernet with 4 egress queues, and the Access layer applies an egress queuing policy on its uplinks)

Guidelines:
1) 25% minimum allocated to Best Effort (BE) class
2) Priority Queue (PQ) given maximum of 33%
3) Scavenger should be provisioned with a minimal bandwidth allocation ~ 5%
4) Congestion Avoidance enabled on select TCP flows in non-PQ

Campus Queuing Design
Real-Time, Best Effort, and Scavenger Queuing Rules

(Figure: bandwidth allocation pie chart)
• Real-Time ≤ 33%
• Best Effort ≥ 25%
• Scavenger/Bulk ≤ 5%
• Critical Data

Campus QoS Considerations
Establishing Trust Boundaries

(Figure: Endpoints, Access, Distribution, Core, and WAN Aggregators, with the numbered trust boundary positions listed below)
1 Optimal Trust Boundary: Trusted Endpoint
2 Optimal Trust Boundary: Untrusted Endpoint
3 Trust Boundary: Cisco Security Agent
4 Sub-optimal Trust Boundary: Untrusted Endpoint (trust boundary defined on ingress port of distribution switch)

Campus QoS Considerations
Endpoints and Endpoint Trust-Categories

Endpoints:
• Analog gateways
• IP-conferencing stations
• Videoconferencing gateways and systems
• Video surveillance units
• Wireless access points
• Wireless IP phones
• Servers
• Client PCs

Endpoint trust-categories:
• Trusted endpoints
• Untrusted endpoints
• Conditionally-trusted endpoints

Campus QoS Considerations
Conditional-Trust Boundary Extension and Operation

(Figure: access switch, IP phone on Phone VLAN = 110, and PC on PC VLAN = 10; the trust boundary is extended to the phone)
1 Switch and phone exchange CDP; trust boundary is extended to IP phone (“I see you’re an IP phone, so I will trust your CoS”)
2 Phone sets CoS 5 for VoIP and CoS 3 for call-signaling traffic (Voice CoS 5, Signaling CoS 3)
3 Phone rewrites CoS from PC port to 0 (PC sets CoS 5 for all traffic; all PC traffic is reset to CoS 0)
4 Switch trusts CoS from phone and maps CoS → DSCP for output queuing (CoS 5 = DSCP 46, CoS 3 = DSCP 24, CoS 0 = DSCP 0)

Campus QoS Considerations
Conditional-Trust Boundary for Cisco TelePresence

(Figure: Cisco 7970G IP phone and TelePresence primary codec behind the access switch trust boundary)
1 Successful “condition” met (i.e. CDP negotiation successful): trust is dynamically extended to Cisco 7970G IP Phone
2 Cisco 7970G: Voice → CoS 5 & DSCP 46; Call-Signaling → CoS 3 & DSCP CS3
3 TelePresence Primary Codec: Voice + Video → CoS 4 & DSCP CS4; Call-Signaling → CoS 3 & DSCP CS3
4 CoS-to-DSCP map: CoS 5 → DSCP EF (46); CoS 4 → DSCP CS4 (32); CoS 3 → DSCP CS3 (24)

Note: As 2–6 data ports are available for PC connections (as part of the TelePresence tables), it is recommended to disable the PC port in the back of the Cisco Unified 7970G IP Phone (from within CallManager)

Campus QoS Access Edge Trust Models
• Trusted endpoint model
• AutoQoS—VoIP model
• Modular QoS CLI based model

Access Edge Trust Boundary
Ingress Policy Enforcement—End User Policy

(Figure: the RFC 4594 application classes (Network Control, VoIP Telephony, Call-Signaling, Multimedia Conferencing, Real-Time Interactive / TelePresence, Multimedia Streaming, Broadcast Video, Low-Latency / Transactional Data, Operations / Administration / Management, High-Throughput / Bulk Data, Best Effort, Low-Priority / Scavenger Data) alongside the voice VLAN and data VLAN policies)

Voice VLAN (VLAN-based policy):
  Class-map VOICE-BEARER (w/ policer)
  Class-map SIGNALING (w/ policer)
  Class class-default

Data VLAN (VLAN-based policy):
  Class-map VOICE-BEARER (w/ policer)
  Class-map SIGNALING (w/ policer)
  Class-map TRANSACTIONAL-DATA
  Class-map OAM**
  Class-map BULK
  Class-map SCAVENGER
  Class class-default

Traffic markings:
  VOICE-BEARER         EF
  SIGNALING            CS3
  TRANSACTIONAL-DATA   AF2x
  OAM                  CS2
  BULK                 AF1x
  SCAVENGER            CS1
  class-default        0

Access Edge Trust Boundary
Ingress Policy Enforcement—Media Endpoints

(Figure: the application classes of the previous slide, an end-user policy on the access ports, a live digital media broadcasts & VoDs system behind a port-based policy, and WAN / Internet)

Port-based policy: specific port-based policy identifying media flows
  Class-map VOD
  Class-map BROADCAST-VID (w/ optional policer)

Traffic markings:
  VOD             AF3x
  BROADCAST-VID   CS5
  class-default   0

**Class-maps match on media source IP address and/or destination multicast group address

Access Edge Trust Boundary
Ingress Policy Enforcement—Video Conferencing

(Figure: the application classes, an end-user policy on the access ports, a media endpoint policy for videoconferencing and TelePresence endpoints behind a port-based policy, and WAN / Internet)

Port-based policy: specific port-based policy identifying media flows
  Class-map VIDEO-CONF (w/ policer)
  Class-map RT-INTERACTIVE (w/ policer)

Traffic markings:
  VIDEO-CONF       AF4x
  RT-INTERACTIVE   CS4
  class-default    0

**Class-maps match on video conferencing station source IP address

Campus QoS Design Considerations
Port-Based vs. VLAN-Based QoS

(Figure: port-based QoS with a policy map on each physical port in VLAN 10 and VLAN 20, versus VLAN-based QoS with one policy map on the VLAN 10 and VLAN 20 interfaces*)
*Requires “[mls] qos vlan-based” command

With port-based QoS, QoS policies are applied to a physical interface. The policy manages traffic only on the port the policy is applied to. With VLAN-based QoS, the QoS policy is applied to the VLAN interface. Traffic through all associated switch ports is managed by that policy.

By default, Catalyst switches will refer to policies assigned to the physical port. Ports defined as a “switchport” can be told to use the policy attached to its parent VLAN interface—this is known as VLAN-based QoS

Campus QoS Design Considerations
Per Port-/Per VLAN-Based QoS

(Figure: IP phone and PC on a switch port configured as a trunk carrying the voice VLAN and data VLAN; a given interface can carry VLAN A, VLAN B (Voice), VLAN C (Data) and VLAN D)

Voice VLAN policy:
• Trust voice VLAN
• Police voice traffic
• Mark voice bearer
• Mark voice signaling

Data VLAN policy:
• Apply default marking to all data traffic
• Apply flow-based policing policy to limit traffic on a per-source basis

Switchports are configured as trunks or voice ports. Advanced QoS policies can be applied independently to multiple VLANs on a given interface.

Campus QoS Considerations
Internal Mapping Tables

Ingress mapping tables are used to take an existing Layer 2 or Layer 3 marking and map it to an internal DSCP value used by the switch to assign service levels to the frame as it is in transit.

(Figure: the ingress port trust state selects which received marking (CoS, IPP or DSCP) is mapped to the internal DSCP; on egress the internal DSCP is mapped to the assigned IPP, DSCP and CoS values)

Egress mapping tables are used to rewrite CoS for applicable frames from the internal DSCP on egress from the switch.

Campus QoS Considerations
Internal Mapping Tables (Cont.)—Default Behavior

Incoming frame in every row: 802.1p = 1, IPP = 5, DSCP = 44

Port trust state   Internal DSCP   Outgoing frame
Untrusted          0               802.1p = 0, IPP = 0, DSCP = 0
Trust CoS          8               802.1p = 1, IPP = 1, DSCP = 8
Trust IPP          40              802.1p = 5, IPP = 5, DSCP = 40
Trust DSCP         44              802.1p = 5, IPP = 5, DSCP = 44

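The default-behavior table above and the conditional-trust CoS-to-DSCP handling from the earlier Conditional-Trust Boundary slides, worked through in Python as an added example (not code from Cisco or from this deck). It assumes the default CoS-to-DSCP and IPP-to-DSCP maps are value × 8 and the default DSCP-to-CoS map keeps the top three DSCP bits; Frame, internal_dscp, egress_frame, conditional_trust and VOICE_COS_TO_DSCP are names chosen here.

```python
"""Model of the Catalyst ingress and egress QoS mapping tables.

Constructed example: the default CoS-to-DSCP and IP-Precedence-to-DSCP maps
are assumed to be value * 8, and the default DSCP-to-CoS map keeps the top
three DSCP bits.
"""
from dataclasses import dataclass

DEFAULT_COS_TO_DSCP = {cos: cos * 8 for cos in range(8)}
DEFAULT_IPP_TO_DSCP = {ipp: ipp * 8 for ipp in range(8)}
DEFAULT_DSCP_TO_COS = {dscp: dscp >> 3 for dscp in range(64)}

# The map shown on the TelePresence slide (CoS 5 -> EF 46, CoS 4 -> CS4 32,
# CoS 3 -> CS3 24).  It differs from the default only for CoS 5, which the
# default map would send to DSCP 40 (CS5), not EF; on a Catalyst the global
# command "mls qos map cos-dscp 0 8 16 24 32 46 48 56" installs such a map.
VOICE_COS_TO_DSCP = {0: 0, 1: 8, 2: 16, 3: 24, 4: 32, 5: 46, 6: 48, 7: 56}


@dataclass(frozen=True)
class Frame:
    cos: int   # 802.1p value carried in the 802.1Q tag
    ipp: int   # IP Precedence: top three bits of the ToS byte
    dscp: int  # six-bit DSCP


def internal_dscp(frame, trust, cos_to_dscp=DEFAULT_COS_TO_DSCP,
                  ipp_to_dscp=DEFAULT_IPP_TO_DSCP):
    """Ingress table: choose the internal DSCP from the port trust state."""
    if trust == "untrusted":
        return 0                          # marking from the endpoint is ignored
    if trust == "cos":
        return cos_to_dscp[frame.cos]
    if trust == "ip-precedence":
        return ipp_to_dscp[frame.ipp]
    if trust == "dscp":
        return frame.dscp
    raise ValueError(f"unknown trust state {trust!r}")


def egress_frame(frame, trust, cos_to_dscp=DEFAULT_COS_TO_DSCP,
                 dscp_to_cos=DEFAULT_DSCP_TO_COS):
    """Egress table: rewrite 802.1p, IPP and DSCP from the internal DSCP.

    IPP needs no table of its own: it is the top three bits of the DSCP.
    """
    dscp = internal_dscp(frame, trust, cos_to_dscp)
    return Frame(cos=dscp_to_cos[dscp], ipp=dscp >> 3, dscp=dscp)


def conditional_trust(frame, cdp_says_phone, cos_to_dscp=VOICE_COS_TO_DSCP):
    """Conditional trust: CoS is trusted only once CDP identifies an IP phone;
    a PC that sets CoS 5 on its own takes the untrusted path and gets DS CP 0."""
    return egress_frame(frame, "cos" if cdp_says_phone else "untrusted",
                        cos_to_dscp)


def default_behavior_table(frame):
    """The rows of the 'Default Behavior' slide for one incoming frame."""
    return {trust: egress_frame(frame, trust)
            for trust in ("untrusted", "cos", "ip-precedence", "dscp")}


if __name__ == "__main__":
    sample = Frame(cos=1, ipp=5, dscp=44)   # constructed: the slide's frame
    for trust, out in default_behavior_table(sample).items():
        print(f"{trust:14s} internal dscp={internal_dscp(sample, trust):2d} "
              f"-> 802.1p={out.cos} IPP={out.ipp} DSCP={out.dscp}")
    voice = Frame(cos=5, ipp=0, dscp=0)     # constructed: phone-marked voice
    print("trust cos, default map :", egress_frame(voice, "cos").dscp)      # 40
    print("trust cos, voice map   :", conditional_trust(voice, True).dscp)  # 46
    print("CoS 5 from a PC, no CDP:", conditional_trust(voice, False).dscp) # 0
```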
Campus QoS Considerations
Typical Campus Oversubscription Ratios
Campus networks are always designed with oversubscription in mind to take advantage of the bursty nature of traffic and the assumption that not all users are requiring bandwidth simultaneously…

(Figure: three-tier campus)
• Access to Distribution: typically 20:1 ratio
• Distribution to Core: typically 4:1 ratio

Campus QoS Design Considerations
Catalyst Hardware Queuing
All Catalyst switches have hardware-based queues, which can differ depending on the module, supervisor or port ASIC used. They are depicted using the notation of 1PxQyT, where x represents the number of normal queues and y represents the number of thresholds within those normal queues…

(Figure: a single port with 1 priority queue and 3 normal queues, each normal queue having drop thresholds 1 through 8)

WS-X6748-SFP = 1p3q8t queue structure
1p3q8t = 1 Priority Queue with 3 Normal Queues, with each normal queue containing 8 Drop Thresholds

Campus QoS Design Considerations
Allocating Buffer Capacity
Each port has a finite amount of memory that is specifically reserved for buffering traffic during times of contention. Although the total amount of buffer capacity for egress traffic may be fixed for a given port, how that memory is distributed amongst the queues is configurable.

(Figure: per-port buffer memory split across the egress queues, shown against each queue's bandwidth weighting)
• SP queue: real-time traffic
• Queue 3: control traffic
• Queue 2: critical data, transactional TCP-based applications with specific strict latency requirements. Small buffer allocation for critical data (queue 2), with heavier bandwidth weighting.
• Queue 1: low priority / BE, mixed TCP and UDP applications with no real latency requirements. Large buffer allocation for BE traffic (queue 1), with minimal bandwidth weighting.

***Allocating more memory to a given queue can increase packet latency, which could impact application performance.

Campus QoS Considerations
Where Is QoS Required Within the Campus?

(Figure: campus with server farms, IP phones + PCs on the access layer, Cisco Catalyst 6500 PFC3 at distribution/core, and a WAN aggregator; link speeds FastEthernet, GigabitEthernet and Ten GigabitEthernet)
• No Trust + Policing + Queuing
• Conditional Trust + Policing + Queuing (IP phones + PCs: trust boundary defined!!!)
• Trust DSCP + Queuing
• Per-User Microflow Policing + CoPP (Cisco Catalyst 6500 PFC3)

Catalyst 2960/3560/3750 + 3560-E and 3750-E
QoS Model

(Figure: ingress traffic is classified, passed through the policer/marker pairs, queued in the ingress queues (SRR), carried over the stack ring, and scheduled from the egress queues (SRR) on egress)

Classification
• Inspect incoming packets
• Based on ACLs or configuration, determine classification label

Policing
• Ensure conformance to a specified rate
• On an aggregate or individual flow basis
• Up to 256 policers per Port ASIC
• Support for rate and burst

Marking
• Act on policer decision
• Reclass or drop out-of-profile

Ingress Queue/Schedule, Congestion Control
• Two queues/port ASIC shared servicing
• One queue is configurable for strict priority servicing
• WTD for congestion control (three thresholds per queue)
• SRR is performed

Egress Queue/Schedule, Congestion Control
• Four SRR queues/port shared or shaped servicing
• One queue is configurable for strict priority servicing
• WTD for congestion control (three thresholds per queue)
• Egress queue shaping
• Egress port rate limiting

Catalyst 2960/3560/3750 + 3560-E and 3750-E
Platform-Specific QoS Design Considerations
• QoS disabled by default
• Full DSCP range is supported
• Classification can be done by trust states, standard and advanced IP ACLs, or MAC ACLs
• Supports classification, marking, and policing by port or by Switched Virtual Interface (SVI) via hierarchical class maps on Cisco Catalyst 2970, 3560, and 3750 (not yet on Cisco Catalyst 2960)
• Minimum policing granularity is 8 kbps
• Supports 4Q3T queuing or 1P3Q3T queuing (egress)
  - Q1 can be configured as a priority queue
  - Queues can operate in shaped or sharing modes
  - Each interface can be assigned to one of two queue-sets
  - Congestion avoidance algorithm is Weighted Tail Drop (WTD)
• Catalyst 3550, 2950G, 2950T, 2950 LRE are End-of-Life

Catalyst 2960/3560/3750 + 3560-E and 3750-E
Shaping vs. Sharing Queue Management
• Sharing
  - Get portion of output bytes, i.e. 25 share equates to 25% of the link bandwidth
  - Can expand into other shared or shaped queues
  Cat3750-E(config-if)# srr-queue bandwidth share 1 70 25 5

• Shaping
  - Throttles the outbound traffic to achieve a predefined average rate; a shape value of 10 means the queue will shape traffic to 1/10th of the interface speed
  - Does not exceed the shaped value
  - *Takes precedence over sharing
  Cat3750-E(config-if)# srr-queue bandwidth shape 3 0 0 0

• **Priority-queue out, when applied to the interface, supersedes both sharing and shaping parameters
  Cat3750-E(config-if)# priority-queue out

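The share/shape/priority-queue interaction on this slide and the queuing rules from the earlier Queuing Design Principles slides (BE ≥ 25%, PQ ≤ 33%, Scavenger ≤ 5%), modelled in Python as an added example, not code from Cisco or from this deck. It assumes a simplified SRR model (a shape weight w caps the queue at 1/w of the link and overrides its share weight, shared queues split the remainder by share weight, priority-queue out takes queue 1 out of the weighting entirely) and that Q1 carries real-time, Q2 best effort and Q4 scavenger/bulk; srr_allocation and check_queuing_rules are names chosen here.

```python
"""Model of Catalyst 3750-E SRR egress queue bandwidth and the campus
queuing rules.  Constructed example with a simplified scheduler model:
a non-zero shape weight w caps a queue at 1/w of the link and overrides
its share weight; shared queues split what the shaped queues leave in
proportion to their share weights; with priority-queue out, queue 1 is
served strictly first and its share and shape weights are ignored.
"""
from fractions import Fraction

ONE_THIRD = Fraction(1, 3)        # PQ maximum of 33% (one third of the link)
ONE_QUARTER = Fraction(1, 4)      # best effort minimum of 25%
ONE_TWENTIETH = Fraction(1, 20)   # scavenger/bulk at most ~5%


def srr_allocation(share, shape, priority_queue_out=False):
    """Return {queue: (mode, fraction_of_link)} for egress queues 1 to 4.

    share and shape are the four weights given to 'srr-queue bandwidth
    share' and 'srr-queue bandwidth shape'.  fraction_of_link is an exact
    Fraction, or None for the strict-priority queue, whose consumption is
    bounded only by what ingress policing and admission control let in.
    """
    if len(share) != 4 or len(shape) != 4:
        raise ValueError("four weights expected for share and shape")
    alloc, shared, remaining = {}, {}, Fraction(1)
    for queue, (sh, sp) in enumerate(zip(share, shape), start=1):
        if queue == 1 and priority_queue_out:
            alloc[queue] = ("priority", None)       # weights ignored
        elif sp > 0:
            cap = Fraction(1, sp)                   # shaped to 1/w of the link
            alloc[queue] = ("shaped", cap)
            remaining -= cap
        else:
            shared[queue] = sh                      # decided once caps are known
    if remaining < 0:
        raise ValueError("shaped queues add up to more than the link")
    total = sum(shared.values())
    for queue, weight in shared.items():
        portion = remaining * Fraction(weight, total) if total else Fraction(0)
        alloc[queue] = ("shared", portion)
    return dict(sorted(alloc.items()))


def check_queuing_rules(alloc, realtime_q=1, best_effort_q=2, scavenger_q=4):
    """Apply the deck's rules: real-time <= 33%, BE >= 25%, scavenger <= 5%.

    Queue roles default to Q1 real-time, Q2 best effort, Q4 scavenger/bulk
    (an assumption; pass the roles that match the queue-set in use).
    Returns the list of findings; an empty list means the allocation passes.
    """
    findings = []
    mode, rt = alloc[realtime_q]
    if mode == "priority":
        findings.append("real-time queue is strict priority: the scheduler "
                        "does not cap it, bound it with ingress policers/CAC")
    elif rt > ONE_THIRD:
        findings.append(f"real-time queue gets {float(rt):.1%}, above 33%")
    be = alloc[best_effort_q][1]
    if be is None or be < ONE_QUARTER:
        findings.append("best effort queue below the 25% minimum")
    sc = alloc[scavenger_q][1]
    if sc is None or sc > ONE_TWENTIETH:
        findings.append("scavenger/bulk queue above the ~5% allocation")
    return findings


if __name__ == "__main__":
    # The weights from this slide: share 1 70 25 5 and shape 3 0 0 0.
    for pq in (False, True):
        alloc = srr_allocation((1, 70, 25, 5), (3, 0, 0, 0), priority_queue_out=pq)
        print(f"priority-queue out: {pq}")
        for queue, (mode, frac) in alloc.items():
            shown = "strict priority" if frac is None else f"{float(frac):.1%}"
            print(f"  queue {queue}: {mode:8s} {shown}")
        print("  findings:", check_queuing_rules(alloc) or "none")
```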
Catalyst 2960/3560/3750 + 3560-E and 3750-E
Egress Port Rate-Limiting

(Figure: flow of traffic through a Catalyst 3750-E from input to output, with the egress port rate limiter on the output)
Port-based bandwidth limiting can be configured from 10% to 90%.

Cat3750-E(config-if)# srr-queue bandwidth limit <XX>

Port-based rate limiting is not recommended for MetroE handoffs, where the service subscription rate/CIR is less than the physical port rate.

Cisco Catalyst 4500 (Sup II+ Through Sup V-10GE) and 4948
QoS Model
• Catalyst 4500 implements a sophisticated suite of QoS features
• These QoS features are implemented with three major components:
  - TCAMs (policers)
  - Netflow feature (UBRL on Sup V-10GE)
  - Dynamic Buffer Limiting (DBL)

(Figure: supervisor with NFL TCAM, FWD ASIC TCAM, DBL and scheduling ASIC. Packet path: enters fabric, RX, QoS actions at forwarding ASIC (ingress/egress classify, police, dynamic buffer limiting, NFL2 enhanced QoS), QoS actions at scheduling ASIC (queues 1 to 4, shaping, sharing, scheduling), TX, leaves fabric)

Cisco Catalyst 4500 (Sup II+ Through Sup V-10GE) and 4948
Platform-Specific QoS Design Considerations
• QoS disabled by default
• Classification can be done by trust states, standard and advanced IP ACLs
• No “mls” prefix in command syntax
• Policing rates can use ‘k’, ‘m’, or ‘g’ for kbps, mbps, or gbps
• Supports per-port/per-VLAN policing
• Sup V-10GE supports User-Based Rate Limiting (UBRL)
• Minimum policing granularity is 8 kbps
• Supports 4Q1T queuing or 1P3Q1T queuing
  - Q3 can be configured as a priority queue
  - DSCP values can be mapped to queues
  - Supports bandwidth allocation and shaping (per queue) on certain linecards
  - Congestion avoidance algorithm is Dynamic Buffer Limiting (DBL)

Cisco Catalyst 4500 Supervisor 6-E QoS
QoS Model
• Catalyst 4500 Supervisor 6-E implements an enhanced flexible suite of QoS features
• These QoS features are implemented with three major components:
  - CenterFlex ASICs (IPP and VFE)
  - TCAM IV (policers/classification)
  - Packet buffers

(Figure: line cards attached to the IPP and VFE CenterFlex ASICs, each with TCAM 4 and packet buffers. Packet path: enters fabric, RX, QoS actions at VFE forwarding ASIC (ingress/egress classify, police, classify-on-ingress actions, dynamic buffer limiting), QoS actions at IPP ASIC (per-port egress queues 1 to 8 including a user-defined SP queue, shaping, sharing, scheduling), TX, leaves fabric)

Cisco Catalyst 4500 Supervisor-6E QoS
Platform-Specific QoS Design Considerations
• QoS enabled (QoS does not have to be explicitly globally enabled)
• By default, inbound traffic on a given port is considered “trusted”
• “Internal DSCP” does not apply
  - Global mapping tables are not used to influence “internal DSCP” or egress markings
• Classification can be done by standard and advanced IP ACLs, or MAC ACLs
• Supports 8Q1T queuing or 1P7Q1T queuing
  - Queues can operate in shaped or shared modes
  - Configurable queue size
  - Class-based queuing via Modular QoS CLI
  - User configurable priority queue
  - Congestion avoidance algorithm is Dynamic Buffer Limiting (DBL)

Cisco Catalyst 4500 Supervisor-6E QoS
QoS Design Considerations (QoS-Groups)
• QoS-Groups instead of “internal DSCP”
• Where “internal DSCP” was used to queue packets, we no longer rely on DSCP
• L2 and L3 traffic can be grouped together
• Useful tool for combining a wide variety of traffic types

(Figure: Port1 (DSCP 8) and Port2 (MAC 00.13.02.67.59) both set QoS-Group 1 on ingress; Port3 matches QoS-Group 1 on egress)

class-map input-one
 match dscp 8
class-map input-two
 match access-group 1

policy-map qos-group-port1
 class input-one
  set qos-group 1
policy-map qos-group-port2
 class input-two
  set qos-group 1

class-map egress-group1
 match qos-group 1
policy-map out-policy
 class egress-group1
  bandwidth 1000000

Catalyst 6500 QoS
QoS Model

(Figure: ingress RX, classify & police, queue / priority queue, ARB, rewrite, egress queue / priority queue, WRR, ARB, TX)

Ingress
• Incoming encapsulation can be ISL, 802.1Q or none
• Classification based on “trusted port” and Layer 2 info with ACL, Layer 3 info with ACL and Layer 4 info with ACL
• Police via ACLs: police actions include Forward, Mark and Drop; based on burst (token bucket) and byte rate
• Queue and threshold selected based on received CoS through configurable map; CoS can be overwritten if port untrusted
Rewrite
• Rewrite ToS field in IP header and 802.1p/ISL CoS field
Egress
• Scheduling: de-queue uses WRR or SRR between the round-robin queues
• Queue and threshold selected based on CoS through a map
• Each queue has configurable thresholds; some have WRED (except PQ)
• Outgoing encapsulation can be ISL, 802.1Q or none

Cisco Catalyst 6500 (PFC2/PFC3)
Platform Specific QoS Design Considerations
• QoS disabled by default
• Configuration may be CatOS or Cisco IOS®
  - Cisco IOS currently does not support conditional trust (“mls qos trust device”) nor AutoQoS
• Classification can be done by trust states, standard and advanced IP ACLs, or MAC ACLs
• PFC3 supports per-user microflow policing and control plane policing (Sup720 and Sup32)
• Deep packet inspection supported with Sup32 and PISA
• CoS and DSCP to egress queue and threshold mappings
• Linecards determine queuing structure: 2Q2T*, 1P3Q4T, 1P2Q1T, 1P2Q2T, 1P3Q1T, 1P3Q8T, 1P7Q8T, 1P7Q4T
  *Linecards supporting 2Q2T queue structure are approaching EoL, and are not recommended for converged networks.

NBAR on Supervisor 32 PISA
Network-Based Application Recognition
NBAR policy can mark HTTP data as high priority and rate limit both E-Donkey and Netshow traffic, ensuring priority for internal HTTP traffic

(Figure: link utilization)
E-Donkey 60%
Netshow 30%
HTTP 5%
E-mail 25%

PISA – Enhanced QoS Trust Boundary
Dynamic Detection of CUCM Signaled Media

(Figure: IP phone, Sup32 PISA switch and CUCM; NBAR identifies the RTP stream associated with a call setup from the SCCP messages OpenReceiveChannelAck and StartMediaTransmission; the RTP traffic originated by the phone is identified, marked and policed by PISA)
• PDLM matches on the bearer path (RTP media stream) associated with SCCP call setup – (12.2(18)ZYA)
• Unique RTP flow originating from phone is determined based on the source and destination IP address and UDP port numbers identified in the SCCP signaling messages
• QoS policy is applied to the CUCM approved media streams

Cisco Catalyst QoS Deployment
Globally Enabling QoS in Cisco IOS
Cisco IOS
Catalyst-IOS# show mls qos
QoS is disabled globally                      ! By default QoS is disabled
Catalyst-IOS#

Catalyst-IOS# config t
Catalyst-IOS(config)# mls qos                 ! Enables QoS globally
Catalyst-IOS(config)# end

Catalyst-IOS# show mls qos
QoS is enabled globally                       ! Verifies QoS is enabled
Microflow policing is enabled globally
Vlan or Portchannel(Multi-Earl) policies supported: Yes
----- Module [2] -----
QoS global counters:
Total packets: 65
IP shortcut packets: 0
Packets dropped by policing: 0
IP packets with TOS changed by policing: 0
IP packets with COS changed by policing: 0
Non-IP packets with COS changed by policing: 0
Catalyst-IOS#

Cisco Catalyst QoS Deployment
Globally Enabling QoS in Cisco IOS (Catalyst 4500)

CAT4500#show qos
QoS is disabled globally ! By default QoS is disabled
IP header DSCP rewrite is enabled

CAT4500#conf term
Enter configuration commands, one per line. End with CNTL/Z.
CAT4500(config)#qos ! Enables QoS globally for the Cat4500
CAT4500(config)#end
CAT4500#

CAT4500#show qos
QoS is enabled globally ! Verifies that QoS is enabled globally
IP header DSCP rewrite is enabled
CAT4500#

***Catalyst 4500 Sup-6E Does Not require QoS to be globally enabled.

Cisco Catalyst QoS Deployment
Trust Boundary Policy—Access Edge (Port-Based Policy)
Catalyst(config)# ip access-list extended RealTime-Voice-ACL
Catalyst(config-ext-nacl)# permit udp any any range 16384 32767
Catalyst(config)# ip access-list extended Signaling-ACL
Catalyst(config-ext-nacl)# permit tcp any any range 1718 1721
Catalyst(config-ext-nacl)# permit tcp any any range 2000 2002
Catalyst(config-ext-nacl)# permit tcp any any range 2427 2428
Catalyst(config-ext-nacl)# permit tcp any any range 3230 3235
Catalyst(config-ext-nacl)# permit tcp any any eq 1731
Catalyst(config-ext-nacl)# permit tcp any any eq 1560
Catalyst(config-ext-nacl)# permit udp any any range 11000 11999

Catalyst(config)# class-map match-all Voice-Bearer
Catalyst(config-cmap)# match access-group name RealTime-Voice-ACL
Catalyst(config)# class-map match-all Voice-Signaling
Catalyst(config-cmap)# match access-group name Signaling-ACL

Catalyst(config)# policy-map Mark
Catalyst(config-pmap)# class Voice-Bearer
Catalyst(config-pmap-c)# set dscp ef
Catalyst(config-pmap-c)# police 128000 16000 exceed-action drop
Catalyst(config-pmap)# class Voice-Signaling
Catalyst(config-pmap-c)# set dscp cs3
Catalyst(config-pmap-c)# police 32000 8000 exceed-action drop
Catalyst(config-pmap)# class class-default
Catalyst(config-pmap-c)# set dscp default

Catalyst(config)# interface FastEthernetx/y
Cat3750-E(config-if)# description ***Access port with port-based trust boundary**
Cat3750-E(config-if)# switchport access vlan 10
Cat3750-E(config-if)# switchport mode access
Cat3750-E(config-if)# switchport voice vlan 100
Cat3750-E(config-if)# service-policy input Mark

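The port-based policy above and the mark-down data policer from the Policing Design Principles slide, modelled in Python as an added example, not code from Cisco or from this deck. It assumes a single-rate token bucket as the policer model and uses made-up packets; Packet, TokenBucketPolicer, IngressPolicy, mark_policy and data_markdown_policy are names chosen here.

```python
"""Model of the port-based access-edge policy: ACL classification, marking and
single-rate token-bucket policing, plus the 'mark down to CS1' data policer.
Constructed example: 'police <bps> <burst>' is modelled as a bucket of <burst>
bytes refilled at bps/8 bytes per second (a simplification of the platform
policer); the ports, sizes and arrival times used below are made up.
"""
from dataclasses import dataclass

EF, CS3, CS1, DEFAULT = 46, 24, 8, 0

# The slide's ACLs as (protocol, low, high) destination-port rules.
REALTIME_VOICE_ACL = [("udp", 16384, 32767)]
SIGNALING_ACL = [("tcp", 1718, 1721), ("tcp", 2000, 2002), ("tcp", 2427, 2428),
                 ("tcp", 3230, 3235), ("tcp", 1731, 1731), ("tcp", 1560, 1560),
                 ("udp", 11000, 11999)]
ANY = []   # an empty rule list matches everything, as class-default does

@dataclass
class Packet:
    t: float        # arrival time in seconds
    proto: str      # "udp" or "tcp"
    dport: int      # destination port
    size: int       # bytes
    dscp: int = 0   # marking the endpoint sent; it is not trusted here

def acl_matches(acl, pkt):
    return not acl or any(pkt.proto == proto and lo <= pkt.dport <= hi
                          for proto, lo, hi in acl)

class TokenBucketPolicer:
    """Single-rate policer: a packet conforms while the bucket can pay for it."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate = rate_bps / 8.0        # refill in bytes per second
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)
        self.last_t = 0.0

    def conforms(self, pkt):
        self.tokens = min(self.burst, self.tokens + (pkt.t - self.last_t) * self.rate)
        self.last_t = pkt.t
        if pkt.size > self.tokens:
            return False
        self.tokens -= pkt.size
        return True

@dataclass
class TrafficClass:
    name: str
    acl: list
    conform_dscp: int
    policer: TokenBucketPolicer = None
    exceed_action: object = "drop"    # "drop" or the DSCP to mark down to

class IngressPolicy:
    """Ordered classes, first match wins, like a policy-map."""

    def __init__(self, classes):
        self.classes = classes

    def apply(self, pkt):
        """Return (class name, 'transmit' or 'drop', outgoing DSCP)."""
        for tc in self.classes:
            if not acl_matches(tc.acl, pkt):
                continue
            if tc.policer is None or tc.policer.conforms(pkt):
                return tc.name, "transmit", tc.conform_dscp
            if tc.exceed_action == "drop":
                return tc.name, "drop", tc.conform_dscp
            return tc.name, "transmit", tc.exceed_action    # marked down
        raise AssertionError("policy has no catch-all class")

def mark_policy():
    """The slide's policy-map Mark: EF at 128 kbps, CS3 at 32 kbps, rest 0."""
    return IngressPolicy([
        TrafficClass("Voice-Bearer", REALTIME_VOICE_ACL, EF, TokenBucketPolicer(128000, 16000)),
        TrafficClass("Voice-Signaling", SIGNALING_ACL, CS3, TokenBucketPolicer(32000, 8000)),
        TrafficClass("class-default", ANY, DEFAULT)])

def data_markdown_policy(rate_bps, burst_bytes):
    """Data policer: conforming traffic marked 0, excess marked down to CS1."""
    return IngressPolicy([TrafficClass("class-default", ANY, DEFAULT,
                                       TokenBucketPolicer(rate_bps, burst_bytes), CS1)])

if __name__ == "__main__":
    policy = mark_policy()
    # 81 RTP packets of 200 bytes at t=0: the 16000-byte burst pays for 80,
    # the 81st exceeds the policer and is dropped.
    for _ in range(81):
        last = policy.apply(Packet(0.0, "udp", 20000, 200))
    print("81st voice packet:", last)
    # Web traffic that a PC pre-marked EF hits class-default and leaves as 0.
    print("pre-marked web  :", policy.apply(Packet(0.0, "tcp", 80, 1500, dscp=EF)))
    data = data_markdown_policy(8000, 1000)
    print("data burst      :", [data.apply(Packet(0.0, "udp", 5000, 600)) for _ in range(2)])
```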
Cisco Catalyst QoS Deployment
Trust Boundary Policy—Access Edge (VLAN-Based Policy)
Catalyst(config)# ip access-list extended RealTime-Voice-ACL
Catalyst(config-ext-nacl)# permit udp any any range 16384 32767
Catalyst(config)# ip access-list extended Signaling-ACL
Catalyst(config-ext-nacl)# permit tcp any any range 1718 1721
Catalyst(config-ext-nacl)# permit tcp any any range 2000 2002
Catalyst(config-ext-nacl)# permit tcp any any range 2427 2428
Catalyst(config-ext-nacl)# permit tcp any any range 3230 3235
Catalyst(config-ext-nacl)# permit tcp any any eq 1731
Catalyst(config-ext-nacl)# permit tcp any any eq 1560
Catalyst(config-ext-nacl)# permit udp any any range 11000 11999

Catalyst(config)# class-map match-all Voice-Bearer
Catalyst(config-cmap)# match access-group name RealTime-Voice-ACL
Catalyst(config)# class-map match-all Voice-Signaling
Catalyst(config-cmap)# match access-group name Signaling-ACL

Catalyst(config)# policy-map Mark-VVLAN
Catalyst(config-pmap)# class Voice-Bearer
Catalyst(config-pmap-c)# police 12800000 400000 conform-action set-dscp-transmit ef exceed-action drop
Catalyst(config-pmap)# class Voice-Signaling
Catalyst(config-pmap-c)# police 3200000 100000 conform-action set-dscp-transmit cs3 exceed-action drop
Catalyst(config-pmap)# class class-default
Catalyst(config-pmap-c)# set dscp default

Catalyst(config)# policy-map Mark-DVLAN
Catalyst(config-pmap)# class class-default
Catalyst(config-pmap-c)# set dscp default

When configuring VLAN-based policies on the 4500 and 6500, since aggregate policers are being used, the police rate should account for the total aggregate of traffic through the SVI.
Cisco Catalyst QoS Deployment
Trust Boundary Policy—Access Edge (VLAN-Based Policy) (Cont.)

Catalyst(config)# interface FastEthernetx/y
Catalyst(config-if)# description ***Access port with VLAN-based trust boundary***
Catalyst(config-if)# switchport access vlan 10
Catalyst(config-if)# switchport mode access
Catalyst(config-if)# switchport voice vlan 100
Catalyst(config-if)# mls qos vlan-based
! On the Catalyst 4500 the equivalent command is "qos vlan-based"

Catalyst(config)# interface Vlan100
Catalyst(config-if)# service-policy input Mark-VVLAN

Catalyst(config)# interface Vlan10
Catalyst(config-if)# service-policy input Mark-DVLAN
Cisco Catalyst QoS Deployment
Trust Boundary Policy—Access Edge (Advanced)
Per-VLAN / Per-Port Policing (Catalyst 3750-E)

Cat3750-E(config)# mls qos map policed-dscp 0 24 to 8
! Policed-DSCP map: out-of-profile DSCP 0 and CS3 traffic is marked down to CS1 (Scavenger)

Cat3750-E(config)# ip access-list extended Voice-Bearer
Cat3750-E(config-ext-nacl)# permit udp any any range 16384 32767 dscp 46
! Extended ACL matching voice bearer traffic on voice VLAN
Cat3750-E(config)# ip access-list extended Voice-Signal
Cat3750-E(config-ext-nacl)# permit tcp any any range 2000 2002 dscp 24
! Extended ACL matching voice signaling traffic on voice VLAN
Cat3750-E(config)# ip access-list extended All-IP
Cat3750-E(config-ext-nacl)# permit ip any any
! Extended ACL matching all IP traffic

Cat3750-E(config)# class-map match-all User-Ports
Cat3750-E(config-cmap)# match input-interface FastEthernet1/0/1 - FastEthernet1/0/48
! Second-level class: the physical ports the per-port policers apply to
Cat3750-E(config)# class-map match-any Voice-Bearer
Cat3750-E(config-cmap)# match access-group name Voice-Bearer
Cat3750-E(config)# class-map match-any Voice-Signal
Cat3750-E(config-cmap)# match access-group name Voice-Signal
Cat3750-E(config)# class-map match-any All-Traffic
Cat3750-E(config-cmap)# match access-group name All-IP

Cat3750-E(config)# policy-map Police-128k
Cat3750-E(config-pmap)# class User-Ports
Cat3750-E(config-pmap-c)# police 128000 8000 exceed-action drop
! Per-port child policy: 128 kbps per port, excess dropped

Cat3750-E(config)# policy-map Police-32k
Cat3750-E(config-pmap)# class User-Ports
Cat3750-E(config-pmap-c)# police 32000 8000 exceed-action policed-dscp-transmit
! Per-port child policy: 32 kbps per port, excess marked down via the policed-DSCP map
Cisco Catalyst QoS Deployment
Trust Boundary Policy—Access Edge (Advanced) (Cont.)
Per-VLAN / Per-Port Policing (Catalyst 3750-E)

Cat3750-E(config)# policy-map Mark-VVLAN
Cat3750-E(config-pmap)# class Voice-Bearer
Cat3750-E(config-pmap-c)# set dscp ef
Cat3750-E(config-pmap-c)# service-policy Police-128k
Cat3750-E(config-pmap)# class Voice-Signal
Cat3750-E(config-pmap-c)# set dscp cs3
Cat3750-E(config-pmap-c)# service-policy Police-32k

Cat3750-E(config)# policy-map Mark-DVLAN
Cat3750-E(config-pmap)# class All-Traffic
Cat3750-E(config-pmap-c)# set dscp default

Cat3750-E(config)# interface FastEthernet 1/0/1
Cat3750-E(config-if)# description ***Access port with VLAN-based trust boundary***
Cat3750-E(config-if)# switchport access vlan 10
Cat3750-E(config-if)# switchport mode access
Cat3750-E(config-if)# switchport voice vlan 100
Cat3750-E(config-if)# mls qos vlan-based

Cat3750-E(config)# interface Vlan10
Cat3750-E(config-if)# service-policy input Mark-DVLAN
Cat3750-E(config)# interface Vlan100
Cat3750-E(config-if)# service-policy input Mark-VVLAN
Cisco Catalyst QoS Deployment
Trust Boundary Policy—Access Edge (Auto QoS)
CAT3750-E(config-if)# auto qos voip cisco-phone

Options:
auto qos voip cisco-phone
auto qos voip cisco-softphone
auto qos voip trust

Resulting configuration (<snip>):
mls qos map policed-dscp 24 26 46 to 0
mls qos map cos-dscp 0 8 16 24 32 46 48 56
mls qos
!
class-map match-all AutoQoS-VoIP-RTP-Trust
 match ip dscp ef
class-map match-all AutoQoS-VoIP-Control-Trust
 match ip dscp cs3 af31
!
policy-map AutoQoS-Police-CiscoPhone
 class AutoQoS-VoIP-RTP-Trust
  set dscp ef
  police 320000 8000 exceed-action policed-dscp-transmit
 class AutoQoS-VoIP-Control-Trust
  set dscp cs3
  police 32000 8000 exceed-action policed-dscp-transmit
!
interface GigabitEthernet1/0/1
 srr-queue bandwidth share 10 10 60 20
 queue-set 2
 priority-queue out
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
 service-policy input AutoQoS-Police-CiscoPhone

AutoQoS is available on the 6500 starting in IOS 12.2(33)SXH.
Cisco Catalyst QoS Deployment
Trust Boundary Policy—Access Edge (Smartport Macros)
Global Policy Defined:
policy-map MARK
 class Voice-Bearer
  set dscp ef
  police 128000 16000 exceed-action drop
 class Signaling
  set dscp cs3
  police 32000 8000 exceed-action drop
 class All-Traffic
  set dscp default

Untrusted Endpoints:
Catalyst(config)# macro name UNTRUST-ENDPT
! Define Macro Name
Enter macro commands one per line. End with the character '@'.
service-policy input MARK
! Define commands to apply to interface
@
Catalyst(config)#

Trusted Endpoints:
Catalyst(config)# macro name TRUST-ENDPT
! Define Macro Name
Enter macro commands one per line. End with the character '@'.
mls qos trust dscp
! Define commands to apply to interface
@
Catalyst(config)#

Catalyst(config)# interface range FastEthernet 1/0/5 - 10
Catalyst(config-if-range)# macro apply UNTRUST-ENDPT
! Apply defined macro to appropriate interface(s)
Catalyst(config)# interface range GigabitEthernet 1/0/1 - 2
Catalyst(config-if-range)# macro apply TRUST-ENDPT
! Apply defined macro to appropriate interface(s)

Cisco Catalyst QoS Deployment
Distribution/Core Layer QoS—Preserving Markings

Once the trust boundary is defined and the DSCP markings are established at the access edge, measures must be taken to ensure those markings are preserved through the campus infrastructure.

Preserving DSCP Markings:

Catalyst(config)# interface GigabitEthernet 0/1
Catalyst(config-if)# mls qos trust dscp

Catalyst 4500 (Sup II+ through Sup V-10GE):

CAT4500-IOS(config)# interface FastEthernet3/1
CAT4500-IOS(config-if)# qos trust dscp

Regardless of whether the interswitch connection is Layer 2 or Layer 3, it is always recommended to configure interswitch connections and uplinks to trust the incoming DSCP markings.
Catalyst 2960/3560/3750 and 3560-E/3750-E
Queuing Design: 1P3Q3T

Application               DSCP   CoS
Network Control           CS6    CoS 6
VoIP Telephony            EF     CoS 5
Broadcast Video           CS5    CoS 5
Multimedia Conferencing   AF4x   CoS 4
Real-Time Interactive     CS4    CoS 4
Multimedia Streaming      AF3x   CoS 3
Call Signaling            CS3    CoS 3
Transactional Data        AF2x   CoS 2
Ops/Admin/Mgt             CS2    CoS 2
High Throughput           AF1x   CoS 1
Low Priority              CS1    CoS 1
Best Effort               DF     0

1P3Q3T queue and threshold assignment:
Queue 1 (PQ)    : EF, CS5
Queue 2 (15%)   : Q2T1 CS2; Q2T2 CS3; Q2T3 CS6
Queue 3 (50%)   : Q3T1 AF31; Q3T2 CS4, AF41; Q3T3 AF21
Queue 4 (35%)   : Q4T1 CS1; Q4T2 AF11; Q4T3 DSCP 0
Catalyst 2960/3560/3750 and 3560-E/3750-E
Queuing Design: 1P3Q3T—Part 2
CAT3750(config)#mls qos srr-queue output dscp-map queue 1 threshold 3 40 46
! Maps DSCP CS5 (Broadcast Video) and EF (Voice) to Queue 1 Threshold 3
CAT3750(config)#mls qos srr-queue output dscp-map queue 2 threshold 1 16
! Maps DSCP CS2 (Network Management) to Queue 2 Threshold 1
CAT3750(config)#mls qos srr-queue output dscp-map queue 2 threshold 2 24
! Maps DSCP CS3 (Call-Signaling) to Queue 2 Threshold 2
CAT3750(config)#mls qos srr-queue output dscp-map queue 2 threshold 3 48
! Maps DSCP CS6 (Network Control) to Queue 2 Threshold 3
CAT3750(config)#mls qos srr-queue output dscp-map queue 3 threshold 1 26
! Maps DSCP AF31 (Multimedia Streaming) to Queue 3 Threshold 1
CAT3750(config)#mls qos srr-queue output dscp-map queue 3 threshold 2 32
! Maps DSCP CS4 (Real-Time Interactive Video) to Queue 3 Threshold 2
CAT3750(config)#mls qos srr-queue output dscp-map queue 3 threshold 2 34 36 38
! Maps DSCP AF41, AF42, AF43 (Multimedia Conferencing) to Queue 3 Threshold 2
CAT3750(config)#mls qos srr-queue output dscp-map queue 3 threshold 3 18 20 22
! Maps DSCP AF21, AF22, AF23 (Transactional Data) to Queue 3 Threshold 3
CAT3750(config)#mls qos srr-queue output dscp-map queue 4 threshold 1 8
! Maps DSCP CS1 (Scavenger) to Queue 4 Threshold 1
CAT3750(config)#mls qos srr-queue output dscp-map queue 4 threshold 2 10 12 14
! Maps DSCP AF11, AF12, AF13 (Bulk/High Throughput) to Queue 4 Threshold 2
CAT3750(config)#mls qos srr-queue output dscp-map queue 4 threshold 3 0
! Maps DSCP 0 (Best Effort) to Queue 4 Threshold 3
CAT3750(config)#

Catalyst 2960/3560/3750 and 3560-E/3750-E
Queuing Design: 1P3Q3T—Part 3
CAT3750(config)# mls qos queue-set output 1 buffers 15 20 25 40
! Assigns buffers to queues: Q1 15%; Q2 20%; Q3 25%; Q4 40%
CAT3750(config)# mls qos queue-set output 1 threshold 1 75 200 100 400
! Sets Q1 Threshold 1 to 75%, Q1 Threshold 2 to 200%, reserved 100%, maximum 400%
CAT3750(config)# mls qos queue-set output 1 threshold 2 80 100 100 400
! Sets Q2 Threshold 1 to 80%, Q2 Threshold 2 to 100%, reserved 100%, maximum 400%
CAT3750(config)# mls qos queue-set output 1 threshold 3 60 100 100 400
! Sets Q3 Threshold 1 to 60%, Q3 Threshold 2 to 100%, reserved 100%, maximum 400%
CAT3750(config)# mls qos queue-set output 1 threshold 4 40 800 50 1600
! Sets Q4 Threshold 1 to 40%, Q4 Threshold 2 to 800%, reserved 50%, maximum 1600%
CAT3750(config)#

CAT3750(config)# interface range GigabitEthernet0/1 - 28
CAT3750(config-if-range)# queue-set 1
! Assigns interface to Queue-Set 1 (default)
CAT3750(config-if-range)# srr-queue bandwidth share 1 15 50 35
! Q2 gets 15% of remaining BW; Q3 gets 50% and Q4 gets 35%
CAT3750(config-if-range)# priority-queue out
! Q1 is enabled as a PQ (its share weight of 1 is ignored while PQ is enabled)
CAT3750(config-if-range)# end
CAT3750#
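An audit of the DSCP-to-output-queue map from Part 2 against the 1P3Q3T table, added here as an example (Python; not a tool from the deck). It takes the slide's dscp-map commands as input, reports every DSCP the table expects but the commands leave on the platform default map (the table lists AF3x, while only AF31 is mapped), and flags anything that lands in the priority queue without being a real-time class. DESIGN and SLIDE_CONFIG are transcribed from the two slides; everything else is constructed.

```python
"""Audit a Catalyst 3750 DSCP-to-output-queue map against the intended 1P3Q3T design (added example)."""
import re

DSCP = {"df": 0, "cs1": 8, "af11": 10, "af12": 12, "af13": 14, "cs2": 16,
        "af21": 18, "af22": 20, "af23": 22, "cs3": 24, "af31": 26, "af32": 28,
        "af33": 30, "cs4": 32, "af41": 34, "af42": 36, "af43": 38, "cs5": 40,
        "ef": 46, "cs6": 48, "cs7": 56}

# (queue, threshold) -> DSCP names, transcribed from the 1P3Q3T design table.
# Queue 1 is the priority queue; AF3x is listed as a whole, as the table does.
DESIGN = {
    (1, 3): ["ef", "cs5"],
    (2, 1): ["cs2"], (2, 2): ["cs3"], (2, 3): ["cs6"],
    (3, 1): ["af31", "af32", "af33"],
    (3, 2): ["cs4", "af41", "af42", "af43"],
    (3, 3): ["af21", "af22", "af23"],
    (4, 1): ["cs1"], (4, 2): ["af11", "af12", "af13"], (4, 3): ["df"],
}

# The dscp-map commands exactly as shown on the Part 2 slide (prompt included).
SLIDE_CONFIG = """
CAT3750(config)#mls qos srr-queue output dscp-map queue 1 threshold 3 40 46
CAT3750(config)#mls qos srr-queue output dscp-map queue 2 threshold 1 16
CAT3750(config)#mls qos srr-queue output dscp-map queue 2 threshold 2 24
CAT3750(config)#mls qos srr-queue output dscp-map queue 2 threshold 3 48
CAT3750(config)#mls qos srr-queue output dscp-map queue 3 threshold 1 26
CAT3750(config)#mls qos srr-queue output dscp-map queue 3 threshold 2 32
CAT3750(config)#mls qos srr-queue output dscp-map queue 3 threshold 2 34 36 38
CAT3750(config)#mls qos srr-queue output dscp-map queue 3 threshold 3 18 20 22
CAT3750(config)#mls qos srr-queue output dscp-map queue 4 threshold 1 8
CAT3750(config)#mls qos srr-queue output dscp-map queue 4 threshold 2 10 12 14
CAT3750(config)#mls qos srr-queue output dscp-map queue 4 threshold 3 0
"""

MAP_RE = re.compile(
    r"mls qos srr-queue output dscp-map queue (\d) threshold (\d)((?:\s+\d{1,2})+)\s*$")


def parse_dscp_map(config: str) -> dict:
    """Return {dscp: (queue, threshold)}; a later line for the same DSCP overrides, as IOS does."""
    mapping = {}
    for line in config.splitlines():
        m = MAP_RE.search(line)
        if not m:
            continue
        queue, threshold = int(m.group(1)), int(m.group(2))
        for dscp in m.group(3).split():
            mapping[int(dscp)] = (queue, threshold)
    return mapping


def audit(mapping: dict, design: dict = DESIGN) -> list:
    """List the discrepancies between the explicit DSCP map and the design table."""
    findings = []
    pq_allowed = {DSCP[n] for (q, _), names in design.items() if q == 1 for n in names}
    for (queue, threshold), names in design.items():
        for name in names:
            dscp = DSCP[name]
            actual = mapping.get(dscp)
            if actual is None:
                findings.append(f"{name.upper()} (DSCP {dscp}) is not explicitly mapped; "
                                f"it keeps the platform default queue")
            elif actual != (queue, threshold):
                findings.append(f"{name.upper()} (DSCP {dscp}) is in Q{actual[0]}T{actual[1]}, "
                                f"design expects Q{queue}T{threshold}")
    # Anything steered into the priority queue that the design does not treat as real-time.
    for dscp, (queue, _) in sorted(mapping.items()):
        if queue == 1 and dscp not in pq_allowed:
            findings.append(f"DSCP {dscp} is in the priority queue (Q1) "
                            f"but is not a real-time class in the design")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_dscp_map(SLIDE_CONFIG)):
        print(finding)
```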

Cisco Catalyst 4500
Sup II+ through Sup V-10GE
Queuing Design: 1P3Q1T + DBL

Application               DSCP
Network Control           CS6
VoIP Telephony            EF
Broadcast Video           CS5
Multimedia Conferencing   AF4x
Realtime Interactive      CS4
Multimedia Streaming      AF3x
Call Signaling            CS3
Transactional Data        AF2x
Ops/Admin/Management      CS2
High Throughput           AF1x
Low Priority              CS1
Best Effort               DF

1P3Q1T queue assignment:
Queue 4 (30%)             : CS4, AF4x, AF3x, AF2x
Queue 3 (30%, Priority)   : EF, CS5
Queue 2 (15%)             : CS6, CS3, CS2
Queue 1 (25%)             : DF, CS1, AF1x

Cisco Catalyst 4500 QoS
Dynamic Buffer Limiting

 Problem: DoS flows with a large number of packets per second (pps)
  Take as much bandwidth as possible
  Do not respond to congestion notification
  Fill the transmit queue, degrading performance for other traffic

 Solution: DBL (Dynamic Buffer Limiting)
  Automatically drops packets from belligerent traffic flows

Cisco Catalyst 4500
Sup II+ through Sup V-10GE
Queuing Design: (1P3Q1T + DBL)—Part 1
CAT4500-SUP4(config)# qos dbl
! Globally enables DBL
CAT4500-SUP4(config)# qos dbl exceed-action ecn
! Optional: Enables DBL to mark RFC 3168 ECN bits in the IP ToS Byte
CAT4500-SUP4(config)#
CAT4500-SUP4(config)# qos map dscp 0 to tx-queue 1
! Maps DSCP 0 (Best Effort) to Q1
CAT4500-SUP4(config)# qos map dscp 8 10 12 14 to tx-queue 1
! Maps DSCP CS1 (Scavenger) and AF11/AF12/AF13 (Bulk) to Q1
CAT4500-SUP4(config)# qos map dscp 16 to tx-queue 2
! Maps DSCP CS2 (Net-Mgmt) to Q2
CAT4500-SUP4(config)# qos map dscp 18 20 22 to tx-queue 4
! Maps DSCP AF21/AF22/AF23 (Transactional) to Q4
CAT4500-SUP4(config)# qos map dscp 24 to tx-queue 2
! Maps DSCP CS3 (Call-Signaling) to Q2
CAT4500-SUP4(config)# qos map dscp 26 28 30 to tx-queue 4
! Maps DSCP AF31/AF32/AF33 (Multimedia Streaming) to Q4
CAT4500-SUP4(config)# qos map dscp 32 34 36 38 to tx-queue 4
! Maps DSCP CS4 (Real-Time Interactive) and AF41/AF42/AF43 (Multimedia Conf) to Q4
CAT4500-SUP4(config)# qos map dscp 40 46 to tx-queue 3
! Maps DSCP CS5 (Broadcast Video) and EF (VoIP) to Q3 (PQ)
CAT4500-SUP4(config)# qos map dscp 48 to tx-queue 2
! Maps DSCP CS6 (Network Control) to Q2

CAT4500-SUP4(config)# policy-map DBL
CAT4500-SUP4(config-pmap)# class Internetwork-Control
CAT4500-SUP4(config-pmap)# class Voice
CAT4500-SUP4(config-pmap)# class Telepresence
! The three classes above carry no action, so their flows are exempt from DBL
CAT4500-SUP4(config-pmap)# class class-default
CAT4500-SUP4(config-pmap-c)# dbl
! Enables DBL for all remaining traffic flows
Cisco Catalyst 4500
Sup II+ through Sup V-10GE
Queuing Design: (1P3Q1T + DBL)—Part 2 (FE + GE)
CAT4500-SUP4(config)# interface range FastEthernet2/1 - 48
CAT4500-SUP4(config-if-range)# service-policy output DBL
CAT4500-SUP4(config-if-range)# tx-queue 3
CAT4500-SUP4(config-if-tx-queue)# priority high     ! Enables Q3 as PQ
CAT4500-SUP4(config-if-tx-queue)# shape percent 30  ! Shapes PQ to 30%
CAT4500-SUP4(config-if-tx-queue)# exit
CAT4500-SUP4(config-if-range)# exit
CAT4500-SUP4(config)#

CAT4500-SUP4(config)# interface range GigabitEthernet1/1 - 2
CAT4500-SUP4(config-if-range)# service-policy output DBL
CAT4500-SUP4(config-if-range)# tx-queue 1
CAT4500-SUP4(config-if-tx-queue)# bandwidth percent 25  ! Q1 gets 25%
CAT4500-SUP4(config-if-tx-queue)# tx-queue 2
CAT4500-SUP4(config-if-tx-queue)# bandwidth percent 15  ! Q2 gets 15%
CAT4500-SUP4(config-if-tx-queue)# tx-queue 3
CAT4500-SUP4(config-if-tx-queue)# priority high         ! Enables Q3 as PQ
CAT4500-SUP4(config-if-tx-queue)# bandwidth percent 30  ! PQ gets 30%
CAT4500-SUP4(config-if-tx-queue)# shape percent 30      ! Shapes PQ to 30%
CAT4500-SUP4(config-if-tx-queue)# tx-queue 4
CAT4500-SUP4(config-if-tx-queue)# bandwidth percent 30  ! Q4 gets 30%
CAT4500-SUP4(config-if-tx-queue)# end
CAT4500-SUP4#

Cisco Catalyst 4500—Sup-6E
Queuing Design (1P7Q1T + DBL)

Application               DSCP
Network Control           CS6
VoIP Telephony            EF
Broadcast Video           CS5
Multimedia Conferencing   AF41
Realtime Interactive      CS4
Multimedia Streaming      AF31
Call Signaling            CS3
Transactional Data        AF21
Ops/Admin/Mgt             CS2
High Throughput           AF11
Low Priority              CS1
Best Effort               DF

1P7Q1T queue assignment:
Priority Queue (30%)      : EF, CS5
Control/OAM (10%)         : CS6, CS3, CS2
Critical (30%)            : CS4, AF4x, AF3x, AF2x
Best Effort (25%)         : DF
Bulk (5%)                 : CS1, AF11
Cisco Catalyst 4500—Sup-6E
Queuing Design (1P7Q1T + DBL)—Part 1
4500-SUP6E(config)# class-map match-any REALTIME
4500-SUP6E(config-cmap)# match dscp ef cs5
4500-SUP6E(config)# class-map match-any CONTROL
4500-SUP6E(config-cmap)# match dscp cs6 cs3 cs2
4500-SUP6E(config-cmap)# match access-group name ROUTING
4500-SUP6E(config)# class-map match-any CRITICAL
4500-SUP6E(config-cmap)# match qos-group 3
4500-SUP6E(config-cmap)# match dscp cs4 af41 af31 af21
4500-SUP6E(config)# class-map match-any BULK
4500-SUP6E(config-cmap)# match dscp cs1 af11

4500-SUP6E(config)# policy-map EGRESS-QUEUE
! Defines Egress Queuing Policy
4500-SUP6E(config-pmap)# class REALTIME
4500-SUP6E(config-pmap-c)# police rate percent 30 conform-action transmit exceed-action drop
! Limits strict priority queue traffic to 30% of the available B/W
4500-SUP6E(config-pmap-c-police)# priority
! Enables strict priority queue
4500-SUP6E(config-pmap)# class CONTROL
4500-SUP6E(config-pmap-c)# set dscp cs6
! Assigns DSCP marking to egress traffic
4500-SUP6E(config-pmap-c)# bandwidth percent 10
! Defines minimum bandwidth allocation for class
Cisco Catalyst 4500—Sup-6E
Queuing Design (1P7Q1T + DBL)—Part 2

4500-SUP6E(config-pmap)# class CRITICAL
4500-SUP6E(config-pmap-c)# bandwidth percent 30
! Defines minimum bandwidth allocation for class
4500-SUP6E(config-pmap-c)# dbl
! Applies DBL to the defined class
4500-SUP6E(config-pmap)# class BULK
4500-SUP6E(config-pmap-c)# bandwidth percent 5
! Defines minimum bandwidth allocation for class
4500-SUP6E(config-pmap-c)# dbl
! Applies DBL to the defined class
4500-SUP6E(config-pmap)# class class-default
4500-SUP6E(config-pmap-c)# bandwidth percent 25
! Defines minimum bandwidth allocation for class
4500-SUP6E(config-pmap-c)# dbl
! Applies DBL to the defined class

4500-SUP6E(config)# interface GigabitEthernet 5/7
4500-SUP6E(config-if)# service-policy output EGRESS-QUEUE
! Assigns egress queuing policy to interface
4500-SUP6E(config-if)# end

Cisco Catalyst 6500 QoS Design
Queuing Design (1P3Q8T)

Application               DSCP   CoS
Network Control           CS6    CoS 6
VoIP Telephony            EF     CoS 5
Broadcast Video           CS5    CoS 5
Multimedia Conferencing   AF41   CoS 4
Real-Time Interactive     CS4    CoS 4
Multimedia Streaming      AF31   CoS 3
Call Signaling            CS3    CoS 3
Transactional Data        AF21   CoS 2
Ops/Admin/Mgt             CS2    CoS 2
High Throughput           AF11   CoS 1
Low Priority              CS1    CoS 1
Best Effort               DF     0

1P3Q8T queue and threshold assignment (CoS-based):
Queue 4 (PQ)    : CoS 5
Queue 3 (70%)   : Q3T4 CoS 6, CoS 7; Q3T3 CoS 3; Q3T2 CoS 2; Q3T1 CoS 4
Queue 2 (25%)   : Q2T1 CoS 0
Queue 1 (5%)    : Q1T1 CoS 1

Cisco Catalyst 6500 QoS Design
Queuing Design (1P3Q8T)—Part 1
CAT6500-IOS(config)# interface range GigabitEthernet1/1 - 48
CAT6500-IOS(config-if-range)# wrr-queue queue-limit 25 35 20
! Allocates buffers: 25% for Q1, 35% for Q2 and 20% for Q3
CAT6500-IOS(config-if-range)# priority-queue queue-limit 20
! Allocates 20% of the buffers to the strict priority queue
CAT6500-IOS(config-if-range)# wrr-queue bandwidth 5 25 70
! Sets the WRR weights for 5:25:70 (Q1:Q2:Q3) bandwidth servicing

CAT6500-IOS(config-if-range)# wrr-queue random-detect 1  ! Enables WRED on Q1
CAT6500-IOS(config-if-range)# wrr-queue random-detect 2  ! Enables WRED on Q2
CAT6500-IOS(config-if-range)# wrr-queue random-detect 3  ! Enables WRED on Q3

CAT6500-IOS(config-if-range)# wrr-queue random-detect min-threshold 1 70 100 100 100 100 100 100 100
! Sets Min WRED Threshold for Q1T1 to 70% and all others to 100%
CAT6500-IOS(config-if-range)# wrr-queue random-detect max-threshold 1 100 100 100 100 100 100 100 100
! Sets Max WRED Threshold for Q1T1 to 100% and all others to 100%

CAT6500-IOS(config-if-range)# wrr-queue random-detect min-threshold 2 80 100 100 100 100 100 100 100
! Sets Min WRED Threshold for Q2T1 to 80% and all others to 100%
CAT6500-IOS(config-if-range)# wrr-queue random-detect max-threshold 2 100 100 100 100 100 100 100 100
! Sets Max WRED Threshold for Q2T1 to 100% and all others to 100%
Cisco Catalyst 6500 QoS Design
Queuing Design (1P3Q8T)—Part 2

CAT6500-IOS(config-if-range)# wrr-queue random-detect min-threshold 3 50 60 80 100 100 100 100 100
! Sets Min WRED Threshold for Q3T1 to 50%, Q3T2 to 60%, Q3T3 to 80% and all others to 100%
CAT6500-IOS(config-if-range)# wrr-queue random-detect max-threshold 3 60 70 80 100 100 100 100 100
! Sets Max WRED Threshold for Q3T1 to 60%, Q3T2 to 70%, Q3T3 to 80% and all others to 100%

CAT6500-IOS(config-if-range)# wrr-queue cos-map 1 1 1
! Maps Scavenger/Bulk (CoS 1) to Q1 WRED Threshold 1
CAT6500-IOS(config-if-range)# wrr-queue cos-map 2 1 0
! Maps Best Effort (CoS 0) to Q2 WRED Threshold 1
CAT6500-IOS(config-if-range)# wrr-queue cos-map 3 1 4
! Maps Video (CoS 4) to Q3 WRED Threshold 1
CAT6500-IOS(config-if-range)# wrr-queue cos-map 3 2 2
! Maps Net-Mgmt and Transactional Data (CoS 2) to Q3 WRED T2
CAT6500-IOS(config-if-range)# wrr-queue cos-map 3 3 3
! Maps Call-Signaling and Mission-Critical Data (CoS 3) to Q3 WRED T3
CAT6500-IOS(config-if-range)# wrr-queue cos-map 3 4 6 7
! Maps Internetwork-Control and Network Control (CoS 6 and 7) to Q3 WRED T4
CAT6500-IOS(config-if-range)# priority-queue cos-map 1 5
! Maps VoIP (CoS 5) to the PQ (Q4)
CAT6500-IOS(config-if-range)# end
CAT6500-IOS#

Cisco Catalyst 6500 QoS Design
Queuing Design (1P7Q4T)

Application               DSCP   CoS
Network Control           CS6    CoS 6
VoIP Telephony            EF     CoS 5
Broadcast Video           CS5    CoS 5
Multimedia Conferencing   AF41   CoS 4
Real-Time Interactive     CS4    CoS 4
Multimedia Streaming      AF31   CoS 3
Call Signaling            CS3    CoS 3
Transactional Data        AF21   CoS 2
Ops/Admin/Mgt             CS2    CoS 2
High Throughput           AF11   CoS 1
Low Priority              CS1    CoS 1
Best Effort               DF     0

1P7Q4T queue and threshold assignment (DSCP-based):
Queue 8 (PQ)    : EF, CS5
Queue 4 (10%)   : Q4T3 CS6; Q4T2 CS3; Q4T1 CS2
Queue 3 (60%)   : Q3T3 AF21; Q3T2 CS4, AF41; Q3T1 AF31
Queue 2 (25%)   : Q2T1 DSCP 0
Queue 1 (5%)    : Q1T3 AF11; Q1T1 CS1
Cisco Catalyst 6500 QoS Design
Queuing Design (1P7Q4T)—Part 1
CAT6500-IOS(config)# mls qos 10g-only
! Disables the Gigabit interfaces on the supervisor, allowing DSCP-to-queue and threshold mapping

CAT6500-IOS(config)# interface TenGigabitEthernet 5/4
CAT6500-IOS(config-if)# wrr-queue queue-limit 15 35 20 10 0 0 0
! Allocates buffers: 15% for Q1, 35% for Q2, 20% for Q3, 10% for Q4
CAT6500-IOS(config-if)# priority-queue queue-limit 20
! Allocates 20% of the buffers to the strict priority queue
CAT6500-IOS(config-if)# wrr-queue bandwidth 5 25 60 10 0 0 0
! Sets the WRR percentages for 5:25:60:10 (Q1:Q2:Q3:Q4) B/W servicing

CAT6500-IOS(config-if)# wrr-queue random-detect 1     ! Enables WRED on Q1
CAT6500-IOS(config-if)# wrr-queue random-detect 2     ! Enables WRED on Q2
CAT6500-IOS(config-if)# wrr-queue random-detect 3     ! Enables WRED on Q3
CAT6500-IOS(config-if)# no wrr-queue random-detect 4  ! Disables WRED on Q4

CAT6500-IOS(config-if)# wrr-queue random-detect min-threshold 1 70 100 100 100
! Sets Min WRED Threshold for Q1T1 to 70% and all others to 100%
CAT6500-IOS(config-if)# wrr-queue random-detect max-threshold 1 100 100 100 100
! Sets Max WRED Threshold for Q1T1 to 100% and all others to 100%
CAT6500-IOS(config-if)# wrr-queue random-detect min-threshold 2 80 100 100 100
! Sets Min WRED Threshold for Q2T1 to 80% and all others to 100%
CAT6500-IOS(config-if)# wrr-queue random-detect max-threshold 2 100 100 100 100
! Sets Max WRED Threshold for Q2T1 to 100% and all others to 100%
CAT6500-IOS(config-if)# wrr-queue random-detect min-threshold 3 50 60 80 100
! Sets Min WRED Threshold for Q3T1 to 50%, Q3T2 to 60%, Q3T3 to 80% and all others to 100%
CAT6500-IOS(config-if)# wrr-queue random-detect max-threshold 3 60 70 80 100
! Sets Max WRED Threshold for Q3T1 to 60%, Q3T2 to 70%, Q3T3 to 80% and all others to 100%
Cisco Catalyst 6500 QoS Design
Queuing Design (1P7Q4T)—Part 2
CAT6500-IOS(config-if)# wrr-queue threshold 4 60 80 100 100
! Sets tail-drop thresholds for Q4 (WRED is disabled on Q4): Q4T1 60%, Q4T2 80%, Q4T3 and Q4T4 100%

CAT6500-IOS(config-if)# mls qos queue-mode mode-dscp
! Enables DSCP-to-queue and threshold mapping
CAT6500-IOS(config-if)# wrr-queue dscp-map 1 1 8 10
! Maps Scavenger/Bulk (CS1, AF11) to Q1 Threshold 1
CAT6500-IOS(config-if)# wrr-queue dscp-map 2 1 0
! Maps Best Effort to Q2 WRED Threshold 1
CAT6500-IOS(config-if)# wrr-queue dscp-map 3 1 26 28 30
! Maps Streaming Video (AF3x) to Q3 WRED Threshold 1
CAT6500-IOS(config-if)# wrr-queue dscp-map 3 2 32 34 36 38
! Maps Interactive Video (CS4) and Multimedia Conferencing (AF4x) to Q3 WRED T2
CAT6500-IOS(config-if)# wrr-queue dscp-map 3 3 18 20 22
! Maps Transactional Data (AF2x) to Q3 WRED T3
CAT6500-IOS(config-if)# wrr-queue dscp-map 4 1 16
! Maps Operations/Administration/Management (CS2) to Q4 T1
CAT6500-IOS(config-if)# wrr-queue dscp-map 4 2 24
! Maps Call-Signaling (CS3) to Q4 T2
CAT6500-IOS(config-if)# wrr-queue dscp-map 4 3 48 56
! Maps Network Control (CS6, CS7) to Q4 T3
CAT6500-IOS(config-if)# priority-queue dscp-map 1 46
! Maps VoIP (EF) to the PQ (Q8)
CAT6500-IOS(config-if)# end
Cisco Catalyst QoS Deployment
Queuing Design—(Auto QoS)
CAT6500(config-if)# auto qos voip trust

Resulting interface configuration:
interface GigabitEthernet3/24
 wrr-queue bandwidth 20 100 200
 priority-queue queue-limit 5
 wrr-queue queue-limit 65 15 15
 wrr-queue random-detect min-threshold 1 70 100 100 100 100 100 100 100
 wrr-queue random-detect min-threshold 2 70 100 100 100 100 100 100 100
 wrr-queue random-detect min-threshold 3 40 40 50 50 60 60 70 70
 wrr-queue random-detect max-threshold 1 100 100 100 100 100 100 100 100
 wrr-queue random-detect max-threshold 2 100 100 100 100 100 100 100 100
 wrr-queue random-detect max-threshold 3 70 70 80 80 90 90 100 100
 wrr-queue cos-map 2 1 1 2
 wrr-queue cos-map 3 5 3 4
 wrr-queue cos-map 3 7 6 7
 mls qos trust dscp
 auto qos voip trust
end

The trust policy applied to the port will vary based on the port configuration.

Cisco Catalyst QoS Deployment
Queuing Design—(Smartport Macros)
Catalyst(config)# macro name UPLINK
! Define macro name
Enter macro commands one per line. End with the character '@'.
priority-queue out
srr-queue bandwidth share 1 70 25 5
queue-set 2
! Define commands to apply to interface
@
Catalyst(config)#
Catalyst(config)# macro name Tenant
! Define macro name
Enter macro commands one per line. End with the character '@'.
srr-queue bandwidth share 1 40 30 30
srr-queue bandwidth shape 5 0 0 0
queue-set 1
! Define commands to apply to interface
@
Catalyst(config)#

Catalyst(config)# interface range GigabitEthernet 1/0/1 - 2
Catalyst(config-if-range)# macro apply UPLINK
! Apply defined macro to appropriate interface(s)
Catalyst(config)# interface FastEthernet 1/0/11
Catalyst(config-if)# macro apply Tenant
! Apply defined macro to appropriate interface(s)

Control Plane Policing
Control Plane vs. Data Plane

 Most packets are processed in hardware (data plane); however, some packets need to be processed by the CPU (control plane)

 Packets bound to the CPU include usual control-plane and management-plane traffic:
  Routing protocol packets (routing updates)
  First hop redundancy protocol packets
  Multicast control packets
  Remote access and management (Telnet, SNMP)
  Monitoring and troubleshooting traffic (ICMP)
  Address Resolution Protocol (ARP)
  Layer 2 control packets

 Special data-plane traffic may have to be processed in software (data-plane "punt" traffic):
  Packets with IP options
  Packets with TTL=1
  Packets that don't match any FIB route ("FIB-miss")
  Packets that require ACL logging
  Packets with non-hardware-supported features applied

Control Plane Policing
Hardening the Switches
Software Protection (software control plane):
  Process-level queues (IP priority queue, IP normal queue)
  Control-plane policing (software CoPP)
  Selective Packet Discard (SPD) check

Hardware Protection (hardware control plane):
  Hardware control-plane queues
  Control-plane policing (hardware CoPP)
  Hardware rate limiters
  Storm control
  ACL
  QoS

Traffic to the CPU passes through the hardware protections first and then through the software protections.

Catalyst 4500 CoPP for DoS Mitigation

Control and CPU-bound traffic coming off the forwarding ASICs is placed in 16 CPU queues, and the ingress control-plane policy is applied to it before it reaches the switch CPU; data traffic is switched across the backplane between linecards.

 Pre-configured system traffic types and/or user-configurable traffic types
 User-defined police actions
 MQC-based commands: create the system-cpp-policy policy-map and attach it to the control-plane ("macro global apply system-cpp")
 Available starting in 12.2(31)SG
Control Plane Policing
Catalyst 6500 Multi-Level HW and SW Protection
Special-Case Rate Limiters Override Hardware Control Plane Policing

Traffic to the CPU first meets the PFC3/DFC3 hardware rate limiters (HWRL) for special-case traffic, then the hardware "control-plane" policy (HW CoPP), and finally the software "control-plane" policy (SW CoPP) in front of the CPU:
  If a HWRL is configured, the packets that match it bypass HW CoPP and are processed by the HWRL.
  If no HWRL is configured, or there is no match, the packets are processed by HW CoPP.
  All packets processed by either HW CoPP or a HWRL are processed again by SW CoPP.

Catalyst 6500 (PFC3) QoS Design
CPP Deployment Guide

 Explicitly allow needed, known critical protocols such as BGP and EIGRP
  Conform and exceed action  transmit

 Define other required but not critical traffic such as ICMP, SNMP, SSH, telnet, and default
  Conform action  transmit, exceed action  drop

 Drop all other undesirable traffic

 Depending on the class defined, apply the appropriate policy:
  Routing protocol traffic (BGP, IGP)—no rate limit
  Management traffic (SNMP, SSH, NTP, etc.)—conservative rate limit
  Reporting traffic (SAA combined with DSCP)—conservative rate limit
  Monitoring traffic (ICMP, trace route)—conservative rate limit
  Critical traffic (HSRP, SIP/VoIP, DLSw)—conservative rate limit
  Default traffic—low rate limit
  Undesirable traffic (DoS attacks)—drop
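The class/action table above rendered as the MQC configuration a 6500 actually takes, added here as an example and not configuration from the deck: routing is policed with both actions set to transmit (counted, never dropped), management, monitoring and critical classes get transmit/drop at a conservative rate, class-default gets a low rate, and the undesirable class drops on both actions before the policy is attached under control-plane. The class names, ACL entries and rates are illustrative placeholders to be replaced with site values.

```python
"""Render a Catalyst 6500 CoPP policy from a class/action table (added example)."""
from dataclasses import dataclass


@dataclass
class CoppClass:
    name: str          # placeholder class name
    aces: list         # ACE bodies without the leading 'permit'
    rate_bps: int      # placeholder policer rate
    conform: str = "transmit"
    exceed: str = "drop"


# Placeholder class table modelled on the deployment guide; protocols and rates
# are illustrative and must be adjusted to what the site actually runs.
COPP_CLASSES = [
    CoppClass("COPP-ROUTING",
              ["tcp any any eq bgp", "tcp any eq bgp any", "eigrp any any", "ospf any any"],
              rate_bps=1000000, exceed="transmit"),      # both actions transmit: no rate limit
    CoppClass("COPP-MANAGEMENT",
              ["udp any any eq snmp", "tcp any any eq 22", "tcp any any eq telnet",
               "udp any any eq ntp"],
              rate_bps=256000),                          # conservative rate limit
    CoppClass("COPP-MONITORING",
              ["icmp any any echo", "icmp any any echo-reply", "icmp any any ttl-exceeded",
               "udp any any range 33434 33534"],
              rate_bps=64000),                           # conservative rate limit
    CoppClass("COPP-CRITICAL",
              ["udp any host 224.0.0.2 eq 1985", "udp any any eq 5060", "tcp any any eq 5060"],
              rate_bps=256000),                          # HSRP and SIP, conservative rate limit
    CoppClass("COPP-UNDESIRABLE",
              ["ip any any fragments"],                  # placeholder for traffic the site drops
              rate_bps=32000, conform="drop", exceed="drop"),
]


def render_copp(classes=COPP_CLASSES, policy: str = "COPP", default_rate_bps: int = 32000) -> str:
    """Emit the ACLs, class-maps, policy-map and control-plane attachment for the table."""
    out = []
    for c in classes:                                    # one extended ACL per class
        out.append(f"ip access-list extended {c.name}-ACL")
        out += [f" permit {ace}" for ace in c.aces]
    for c in classes:                                    # class-maps keyed on those ACLs
        out += [f"class-map match-all {c.name}", f" match access-group name {c.name}-ACL"]
    out.append(f"policy-map {policy}")
    for c in classes:                                    # policer per class, in table order
        out += [f" class {c.name}",
                f"  police {c.rate_bps} conform-action {c.conform} exceed-action {c.exceed}"]
    out += [" class class-default",                      # everything else: low rate limit
            f"  police {default_rate_bps} conform-action transmit exceed-action drop",
            "control-plane",
            f" service-policy input {policy}"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_copp(), end="")
```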

Q and A

Complete Your Session Evaluation

 Please give us your feedback!!
  Complete the evaluation form you were given when you entered the room
 This is session BRKRST-2500
  Don't forget to complete the overall event evaluation form included in your registration kit

YOUR FEEDBACK IS VERY IMPORTANT FOR US!!! THANKS

Recommended Reading
BRKRST-2500

Source: Cisco Press®

