QoS is about giving priority to certain traffic when the packets are queued outbound; traffic shaping is just one of its tools. I'm not going to go in depth into it because I know less than I probably should considering I'm writing a wiki about it.
It works somewhat differently with tunnels, because the classifier needs to see the original packet headers BEFORE encapsulation: once the packet is inside GRE (or IPsec), all the outbound policy can see is the outer header. To handle this we declare qos pre-classify. The router keeps a copy of the original (inner) IP header alongside the packet, encapsulates the packet, and when it comes to apply the QoS policy it refers to that copy rather than to the outer header of the outbound packet. One caveat: the ToS byte is copied into the outer header anyway, so if you only ever match on DSCP or IP precedence you can live without pre-classify; matching on protocol, ports or addresses, as we do here, needs it. For GRE the command goes on the tunnel interface; for IPsec it also exists under the crypto map.
Atlas
The first thing we have to do is define a class-map. Class maps identify traffic flows using a wide array of filtering criteria, each defined by a match statement within the class map. Multiple match statements can be defined under a single class map. When multiple match statements are used, the class map can be specified as follows:
match-all - a logical AND, meaning that all match statements must be true at the same time for the class map condition to be true
match-any - a logical OR, meaning that any one of the match statements being true makes the class map condition true
You can define the following criteria to match (this is the output of match ? under the class-map):

  access-group         Access group
  any                  Any packets
  class-map            Class map
  cos                  IEEE 802.1Q/ISL class of service/user priority values
  destination-address  Destination address
  discard-class        Discard behavior identifier
  dscp                 Match DSCP in IP(v4) and IPv6 packets
  flow                 Flow based QoS parameters
  fr-de                Match on Frame-relay DE bit
  fr-dlci              Match on fr-dlci
  input-interface      Select an input interface to match
  ip                   IP specific values
  mpls                 Multi Protocol Label Switching specific values
  not                  Negate this match result
  packet               Layer 3 Packet length
  precedence           Match Precedence in IP(v4) and IPv6 packets
  protocol             Protocol
  qos-group            Qos-group
  source-address       Source address
  vlan                 VLANs to match

For this specific scenario, we're concerned about SNMP and Telnet traffic, so we match both under a match-any class. Note that match protocol classifies with NBAR, and that Telnet is cleartext; if you manage the box over SSH instead, match protocol ssh does the same job:

class-map match-any CM-MANAGE
 match protocol snmp
 match protocol telnet

The next map you'll have to define is the first of two policy-maps. A policy map is a named object that holds a set of actions to be applied to a set of traffic classes. There are two kinds of class you can reference: a user-defined one such as the CM-MANAGE class we just defined, and class-default, the system default class that matches otherwise unclassified packets. For our child policy map we use the user-defined class.
Once a class is referenced inside a policy map, we can enforce a number of things (the output of ? under the class):

  bandwidth        Bandwidth
  compression      Activate Compression
  drop             Drop all packets
  exit             Exit from class action configuration mode
  fair-queue       Enable Flow-based Fair Queuing in this Class
  log              Log IPv4 and ARP packets
  netflow-sampler  NetFlow action
  no               Negate or set default values of a command
  police           Police
  priority         Strict Scheduling Priority for this Class
  queue-limit      Queue Max Threshold for Tail Drop
  random-detect    Enable Random Early Detection as drop policy
  service-policy   Configure QoS Service Policy
  set              Set QoS values
  shape            Traffic Shaping

Our implementation is fairly simple, so we're just giving our SNMP and Telnet traffic a priority. When defining priority, you can specify Kbps or a percentage of total bandwidth. For us, we're just giving our traffic a 50 Kbps window. The class has to be referenced by the name it was defined with, CM-MANAGE, which is also the name the show output uses below:

policy-map PM-QOS-CHILD
 class CM-MANAGE
  priority 50

For our next map, the parent map, we use the class-default class. As noted before, this matches otherwise unclassified packets, which here means everything leaving the tunnel. Within this class we refer to our child policy map and implement traffic shaping. We could have used policing instead: policing also limits the bandwidth, but it simply drops (or re-marks, depending on the configured exceed action) any packets that go over the set rate. Shaping, which we're using here, queues the excess and releases it at the configured rate, so a burst costs delay rather than packet loss, as long as the queue (64 packets by default) doesn't fill.

policy-map PM-QOS-PARENT
 class class-default
  shape average 500000
  service-policy PM-QOS-CHILD

We shape to the maximum upload rate provided by the ISP, in this case 500000 bps (roughly 488 Kbps). The tunnel interface has no bandwidth limit of its own, so without the shaper nothing would ever queue on Tunnel0: the tunnel would hand everything straight to the physical interface, congestion would happen downstream where our classes are invisible, and the child policy would never get to prioritize anything. The shaper creates that back-pressure, which is why the child policy is nested under it rather than applied on its own; the priority command also cannot be applied to class-default directly, so the user-defined class has to live in the child.

Low Latency Queuing (LLQ) allows delay-sensitive data to be given preferential treatment over other traffic by letting it be dequeued and sent first.

Now that we've drawn up our maps, we can apply them to our tunnel interface. Remember that we have to enable pre-classification on the interface, otherwise our packets would be classified after encapsulation, when the only thing visible to the policy is the outer GRE/IPsec header and our match protocol statements would never match.

int tun0
 service-policy output PM-QOS-PARENT
 qos pre-classify
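To make the policing-versus-shaping distinction concrete, here is an added simulation (example code, not from the original post and not Cisco's implementation): a token-bucket policer and a token-bucket shaper are fed the same constructed burst of packets arriving far faster than the committed rate. The rate, bucket depth and queue limit are assumptions chosen so the difference is visible; IOS computes its own Bc (the value in the show output is in bits), so don't read the numbers across.

```python
"""Token-bucket policer vs. shaper, as a simulation (added example, not code
from the original post or from Cisco IOS).  Both get the same committed rate
(CIR) and bucket depth (Bc); the policer drops what the bucket can't cover,
the shaper holds it in a FIFO until enough tokens have accrued.  All values
below are assumptions chosen for illustration."""

CIR_BPS = 500_000        # committed rate, bits per second (assumed)
BC_BYTES = 12_000        # bucket depth in bytes, i.e. 8 full-size packets (assumed)
QUEUE_LIMIT = 64         # shaper FIFO depth in packets (the IOS default seen in the post)


def burst(count=20, size=1500, gap_s=0.001):
    """Constructed input: `count` packets of `size` bytes arriving every gap_s.
    20 x 1500 B in 20 ms is 12 Mbit/s, far above a 500 kbit/s CIR."""
    return [(i * gap_s, size) for i in range(count)]


def police(packets, cir_bps=CIR_BPS, bc_bytes=BC_BYTES):
    """Single-rate policer.  Returns (conforming, dropped); a packet conforms
    only if the bucket holds at least its size in tokens at arrival time."""
    rate = cir_bps / 8.0              # token refill, bytes per second
    tokens, last = bc_bytes, 0.0
    conforming, dropped = [], []
    for t, size in packets:
        tokens = min(bc_bytes, tokens + (t - last) * rate)
        last = t
        if size <= tokens:
            tokens -= size
            conforming.append((t, size))
        else:
            dropped.append((t, size))  # excess is discarded, never delayed
    return conforming, dropped


def shape(packets, cir_bps=CIR_BPS, bc_bytes=BC_BYTES, queue_limit=QUEUE_LIMIT):
    """Shaper: a FIFO in front of the same token bucket.  Returns
    (sent, dropped) where sent is [(arrival, departure, size)].  A packet is
    delayed until tokens cover it; only a full FIFO causes (tail) drops."""
    rate = cir_bps / 8.0
    tokens, clock = bc_bytes, 0.0     # clock = departure time of the last packet
    sent, dropped = [], []
    for t, size in packets:
        if size > bc_bytes:
            raise ValueError("a packet larger than Bc can never conform")
        queued = sum(1 for _, depart, _ in sent if depart > t)
        if queued >= queue_limit:
            dropped.append((t, size))  # tail drop: FIFO is full
            continue
        start = max(t, clock)         # FIFO: cannot leave before the previous packet
        tokens = min(bc_bytes, tokens + (start - clock) * rate)
        wait = 0.0 if size <= tokens else (size - tokens) / rate
        depart = start + wait
        tokens = min(bc_bytes, tokens + wait * rate) - size
        clock = depart
        sent.append((t, depart, size))
    return sent, dropped


def max_delay(sent):
    """Worst-case queuing delay in seconds across the shaped packets."""
    return max((depart - arrival for arrival, depart, _ in sent), default=0.0)


if __name__ == "__main__":
    pkts = burst()
    ok, lost = police(pkts)
    print(f"policer: {len(ok)} sent, {len(lost)} dropped, delay 0 s")
    sent, lost = shape(pkts)
    print(f"shaper:  {len(sent)} sent, {len(lost)} dropped, "
          f"max delay {max_delay(sent):.3f} s")
    sent, lost = shape(pkts, queue_limit=4)
    print(f"shaper with queue-limit 4: {len(sent)} sent, {len(lost)} dropped")
```

With these numbers the policer passes the first eight packets and drops the other twelve outright, while the shaper with the default 64-packet queue delivers all twenty and the last one waits roughly 270 ms. Shrinking the queue to four packets turns the shaper back into a (delayed) dropper, which is the trade-off queue-limit controls on the router.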
Show
To verify that our QoS setup is working, we can use the show policy-map int tun0 command (replace tun0 with whatever interface you're applying it to). You'll have to let some appropriate traffic through before this will accumulate any data; for our purpose, I simply spammed the inside with SNMP packets.
The main things we want to look for are dropped packets (total drops, no-buffer drops and, for the priority class, b/w exceed drops); as you can see below there are none at the moment. We also want to make sure that our class-map is matching traffic: under the user-defined class-map you will see a packet count, plus a counter under each individual match statement. If that count is anywhere above zero, your traffic is being matched and your QoS should be working; if it stays at zero while traffic is flowing, qos pre-classify is the first thing to check.
Tunnel0

  Service-policy output: PM-QOS-PARENT

    Class-map: class-default (match-any)
      2566 packets, 1453477 bytes
      5 minute offered rate 11000 bps, drop rate 0 bps
      Match: any
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 0/0
      shape (average) cir 500000, bc 131250, be 131250
      target shape rate 500000

      Service-policy : PM-QOS-CHILD

        queue stats for all priority classes:
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0

        Class-map: CM-MANAGE (match-any)
          157 packets, 110875 bytes
          5 minute offered rate 11000 bps, drop rate 0 bps
          Match: protocol snmp
            66 packets, 100848 bytes
            5 minute rate 11000 bps
          Match: protocol telnet
            91 packets, 10027 bytes
            5 minute rate 0 bps
          Priority: 50 kbps, burst bytes 1500, b/w exceed drops: 0

        Class-map: class-default (match-any)
          2409 packets, 1342602 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0
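Reading that output by eye is fine once; if you want to check it from a script (after collecting it over SSH, or from a log), here is an added Python example that is not from the original post: it parses the show policy-map interface output and applies the two checks just described, that the user-defined class is matching and that nothing is being dropped. The SAMPLE text is the post's own show output laid out the way IOS prints it; the regular expressions are written against that layout and the class and policy names are the post's.

```python
"""Parse `show policy-map interface` output and check the two things the
post says to look for: the user-defined class matches packets, and no class
shows drops.  Added example, not code from the original post or from Cisco.
SAMPLE is the post's own show output, re-indented as IOS prints it; the
regexes below are written against that layout only."""
import re

SAMPLE = """\
Tunnel0

  Service-policy output: PM-QOS-PARENT

    Class-map: class-default (match-any)
      2566 packets, 1453477 bytes
      5 minute offered rate 11000 bps, drop rate 0 bps
      Match: any
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 0/0
      shape (average) cir 500000, bc 131250, be 131250
      target shape rate 500000

      Service-policy : PM-QOS-CHILD

        queue stats for all priority classes:
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0

        Class-map: CM-MANAGE (match-any)
          157 packets, 110875 bytes
          5 minute offered rate 11000 bps, drop rate 0 bps
          Match: protocol snmp
            66 packets, 100848 bytes
            5 minute rate 11000 bps
          Match: protocol telnet
            91 packets, 10027 bytes
            5 minute rate 0 bps
          Priority: 50 kbps, burst bytes 1500, b/w exceed drops: 0

        Class-map: class-default (match-any)
          2409 packets, 1342602 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0
"""

POLICY_RE = re.compile(r"Service-policy\s*(?:output|input)?\s*:\s*(\S+)")
CLASS_RE = re.compile(r"Class-map:\s*(\S+)\s*\((match-any|match-all)\)")
COUNT_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes")
MATCH_RE = re.compile(r"^\s*Match:\s*(.+?)\s*$")
DROPS_RE = re.compile(r"\(queue depth/total drops/no-buffer drops\)\s*(\d+)/(\d+)/(\d+)")
EXCEED_RE = re.compile(r"b/w exceed drops:\s*(\d+)")


def parse_policy_map(text):
    """Return {"POLICY/CLASS": counters} for every class in the output.
    Nested policies are keyed by their own name, so the parent's and the
    child's class-default stay apart.  The 'queue stats for all priority
    classes' block belongs to the policy, not a class, and is skipped."""
    classes = {}
    policy, cur, expect = None, None, None
    for line in text.splitlines():
        if m := POLICY_RE.search(line):
            policy, cur = m.group(1), None
            continue
        if m := CLASS_RE.search(line):
            cur = classes.setdefault(f"{policy}/{m.group(1)}", {
                "packets": 0, "matches": {}, "drops": 0,
                "no_buffer_drops": 0, "bw_exceed_drops": 0})
            expect = "class"          # the next counter line is the class total
            continue
        if cur is None:
            continue
        if m := MATCH_RE.match(line):
            cur["matches"][m.group(1)] = 0
            expect = m.group(1)       # a counter line may follow per match
            continue
        if m := COUNT_RE.match(line):
            if expect == "class":
                cur["packets"] = int(m.group(1))
            elif expect is not None:
                cur["matches"][expect] = int(m.group(1))
            expect = None
            continue
        if m := DROPS_RE.search(line):
            cur["drops"] += int(m.group(2))
            cur["no_buffer_drops"] += int(m.group(3))
        elif m := EXCEED_RE.search(line):
            cur["bw_exceed_drops"] = int(m.group(1))
    return classes


def check(classes, user_classes=("CM-MANAGE",)):
    """Apply the post's two checks; an empty list means the policy looks healthy."""
    problems = []
    for key, c in classes.items():
        name = key.split("/", 1)[1]
        if name in user_classes and c["packets"] == 0:
            problems.append(f"{key}: no packets matched, check the class-map and qos pre-classify")
        if c["drops"] or c["no_buffer_drops"] or c["bw_exceed_drops"]:
            problems.append(f"{key}: drops={c['drops']} no-buffer={c['no_buffer_drops']} "
                            f"bw-exceed={c['bw_exceed_drops']}")
    return problems


if __name__ == "__main__":
    parsed = parse_policy_map(SAMPLE)
    for key, c in parsed.items():
        print(f"{key}: {c['packets']} packets, matches={c['matches']}")
    print("problems:", check(parsed) or "none")
```

Against the sample it reports 157 packets on PM-QOS-CHILD/CM-MANAGE (66 snmp, 91 telnet) and no problems; a priority class with b/w exceed drops, or a user class stuck at zero packets, shows up as a line in the returned list.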
Can I use this for a GRE IPsec tunnel interface?