The difference between classification and marking is the action taken: classification tools categorize packets, while marking changes packet headers. These tools lay the foundation upon which the rest of QoS is built.
Classification — Performing classification as close to the source as possible is the most efficient use of network resources.
Marking — Marking is performed after classification; how a packet is marked depends on the layer.
Layer 2 Marking:
- CoS — Used on ISL or 802.1Q header
- EXP — MPLS header
- DE — Frame relay header
- CLP — ATM cell header
Layer 3 Marking:
- IP Precedence — RFC 791, first 3 bits of the ToS byte.
- DSCP IP Header — RFC 2474 and 2475, first 6 bits of the ToS byte.
Layer 2 Class of Service (CoS):
802.1Q/802.1p Ethernet frames carry the 3-bit PRI (CoS) field in the tag, which gives 8 possible values:
| Binary | Name | Typical use |
|---|---|---|
| 001 | Priority | Medium priority data |
| 010 | Immediate | High priority data |
| 100 | Flash Override | Video conferencing |
| 110 | Internetwork Control | Internetwork control |
| 111 | Network Control | Network control |
Frame Relay uses the discard eligible (DE) bit to tell a router whether the frame can be dropped: 1 == discard eligible, 0 == should not be dropped.
ATM cells have the cell loss priority (CLP) field: 1 == discard eligible, 0 == should not be discarded.
Layer 2 1/2 (MPLS):
MPLS packets have the EXP field within the MPLS header, which is compatible with the 3-bit PRI/CoS field of the 802.1Q header. The CoS value can be copied into the MPLS EXP field, or a service provider can assign its own EXP value, leaving the customer's marking intact in the IP header.
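The following is an added example in Python, not part of the original notes, that works through the bit layouts described above: the 16-bit 802.1Q tag control information (PCP/CoS, DEI, VID) and the 32-bit MPLS label-stack entry (label, EXP, bottom-of-stack, TTL). It shows the CoS value being read from a tagged frame and either copied into EXP or replaced by a provider-chosen EXP while the customer's tag is left untouched. The frame bytes, VLAN 100 and label 16 are constructed sample values; the function names are this example's own.

```python
# Added example (not part of the original notes): bit layouts of the 802.1Q
# tag control information (TCI) and of an MPLS label-stack entry, showing how
# the 3-bit CoS/PRI value is carried at layer 2 and copied into MPLS EXP.
import struct
from typing import Optional, Tuple


def build_tci(pcp: int, dei: int, vid: int) -> int:
    """Pack PCP/CoS (3 bits), DEI (1 bit) and VID (12 bits) into the 16-bit TCI."""
    if not (0 <= pcp <= 7 and dei in (0, 1) and 0 <= vid <= 4095):
        raise ValueError("TCI field out of range")
    return (pcp << 13) | (dei << 12) | vid


def parse_tci(tci: int) -> Tuple[int, int, int]:
    """Return (pcp, dei, vid) from a 16-bit TCI value."""
    return (tci >> 13) & 0x7, (tci >> 12) & 0x1, tci & 0xFFF


def build_mpls_entry(label: int, exp: int, bos: int, ttl: int) -> int:
    """Pack a 32-bit label-stack entry: label (20) | EXP (3) | S (1) | TTL (8)."""
    if not (0 <= label <= 0xFFFFF and 0 <= exp <= 7 and bos in (0, 1) and 0 <= ttl <= 255):
        raise ValueError("MPLS field out of range")
    return (label << 12) | (exp << 9) | (bos << 8) | ttl


def parse_mpls_entry(entry: int) -> Tuple[int, int, int, int]:
    """Return (label, exp, bos, ttl) from a 32-bit label-stack entry."""
    return (entry >> 12) & 0xFFFFF, (entry >> 9) & 0x7, (entry >> 8) & 0x1, entry & 0xFF


def label_entry_for_frame(tci: int, label: int, ttl: int = 64,
                          provider_exp: Optional[int] = None) -> int:
    """Build the bottom-of-stack label entry a provider edge would push for a tagged frame.

    With provider_exp=None the frame's CoS is copied into EXP. A provider that
    does not trust customer markings passes its own EXP instead; the customer's
    CoS in the tag (and the DSCP in the IP header) are left untouched either way.
    """
    cos, _dei, _vid = parse_tci(tci)
    exp = cos if provider_exp is None else provider_exp
    return build_mpls_entry(label, exp, 1, ttl)


def tagged_header(dst: bytes, src: bytes, tci: int, ethertype: int = 0x0800) -> bytes:
    """Ethernet II header with an 802.1Q tag: dst, src, 0x8100, TCI, inner EtherType."""
    return struct.pack("!6s6sHHH", dst, src, 0x8100, tci, ethertype)


def cos_from_frame(frame: bytes) -> Optional[int]:
    """CoS of a frame, or None when the frame carries no 802.1Q tag."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != 0x8100:
        return None
    return parse_tci(struct.unpack("!H", frame[14:16])[0])[0]


if __name__ == "__main__":
    # Constructed sample: CoS 5 on VLAN 100, pushed with label 16.
    tci = build_tci(5, 0, 100)
    frame = tagged_header(b"\x01" * 6, b"\x02" * 6, tci)
    print("CoS read from frame:", cos_from_frame(frame))
    print("EXP copied from CoS:", parse_mpls_entry(label_entry_for_frame(tci, 16)))
    print("provider-assigned EXP:", parse_mpls_entry(label_entry_for_frame(tci, 16, provider_exp=0)))
```

Untagged frames return `None` from `cos_from_frame`, which is the case a trust-boundary device has to treat as "no marking present" rather than as CoS 0 supplied by the sender.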
RFC 791 called the 3 most significant bits of the ToS byte the IP Precedence bits. IP Precedence was the predecessor of the Differentiated Services Code Point (DSCP), which uses the first 6 bits of the ToS byte to classify traffic; the remaining two bits of the byte are used for Explicit Congestion Notification (ECN).
DSCP is backward compatible with IP Precedence but offers more options for classification.
Because DiffServ does not signal along the path the way IntServ does, each hop applies its own behavior based on the DSCP value; these behaviors are called Per-Hop Behaviors (PHBs).
DSCP defines four PHBs:
- Class selector PHB — The 3 least significant DSCP bits are set to 000; this provides backward compatibility with ToS-based IP Precedence.
- Default PHB — The 3 most significant bits are set to 000; this is best effort, used when a packet has not been marked.
- Assured Forwarding (AF) PHB — Defines four classes (queues) with reserved bandwidth for each. When congestion occurs in a queue, packets are dropped according to their drop precedence to avoid tail drop. Within each AF class, a lower drop precedence receives better QoS.

| Class | Low Drop Probability (Name / Decimal / Binary) | Medium Drop Probability (Name / Decimal / Binary) | High Drop Probability (Name / Decimal / Binary) |
|---|---|---|---|
| Class 1 | AF11 / 10 / 001010 | AF12 / 12 / 001100 | AF13 / 14 / 001110 |
| Class 2 | AF21 / 18 / 010010 | AF22 / 20 / 010100 | AF23 / 22 / 010110 |
| Class 3 | AF31 / 26 / 011010 | AF32 / 28 / 011100 | AF33 / 30 / 011110 |
| Class 4 | AF41 / 34 / 100010 | AF42 / 36 / 100100 | AF43 / 38 / 100110 |
- Expedited Forwarding (EF) PHB — Provides low delay service to packets with the DSCP field set to 101110 or a decimal value of 46.
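The following is an added example in Python, not part of the original notes, that carries the ToS/DS byte arithmetic through in code: building the byte from DSCP and ECN, reading back the RFC 791 precedence from the same byte (which is what the backward compatibility claim amounts to), encoding CSx and AFxy codepoints, regenerating the AF table above, ordering an AF class's codepoints by drop precedence, and naming the PHB of an arbitrary DSCP. All function names are this example's own; the value 46 for EF and the AF/CS layouts are the ones the notes give.

```python
# Added example (not part of the original notes): the IPv4 ToS/DS byte
# layout, IP Precedence versus DSCP, and a per-hop-behavior lookup.
from typing import Dict, Iterable, List, Tuple

EF = 46  # 101110, Expedited Forwarding


def ds_byte(dscp: int, ecn: int = 0) -> int:
    """DSCP occupies the top 6 bits of the ToS/DS byte, ECN the low 2 bits."""
    if not (0 <= dscp <= 63 and 0 <= ecn <= 3):
        raise ValueError("DSCP or ECN out of range")
    return (dscp << 2) | ecn


def dscp_of(byte: int) -> int:
    return (byte >> 2) & 0x3F


def ecn_of(byte: int) -> int:
    return byte & 0x3


def ip_precedence_of(byte: int) -> int:
    """RFC 791 precedence: the 3 most significant bits of the same byte."""
    return (byte >> 5) & 0x7


def class_selector(precedence: int) -> int:
    """CSx: the precedence value in the top 3 bits, low 3 DSCP bits 000."""
    if not 0 <= precedence <= 7:
        raise ValueError("precedence out of range")
    return precedence << 3


def af_dscp(af_class: int, drop_precedence: int) -> int:
    """AFxy: class 1-4 in the top 3 bits, drop precedence 1-3 in the next 2 bits."""
    if not (1 <= af_class <= 4 and 1 <= drop_precedence <= 3):
        raise ValueError("AF class or drop precedence out of range")
    return (af_class << 3) | (drop_precedence << 1)


def phb_name(dscp: int) -> str:
    """Map a DSCP to its PHB: EF, Default, CSx, AFxy, or unassigned."""
    if dscp == EF:
        return "EF"
    if dscp == 0:
        return "Default"
    if dscp & 0x7 == 0:
        return f"CS{dscp >> 3}"
    af_class, drop = dscp >> 3, (dscp >> 1) & 0x3
    if 1 <= af_class <= 4 and 1 <= drop <= 3 and dscp & 0x1 == 0:
        return f"AF{af_class}{drop}"
    return "unassigned"


def af_table() -> Dict[Tuple[int, int], Tuple[str, int, str]]:
    """Regenerate the AF table: (class, drop precedence) -> (name, decimal, binary)."""
    return {(c, d): (f"AF{c}{d}", af_dscp(c, d), format(af_dscp(c, d), "06b"))
            for c in range(1, 5) for d in range(1, 4)}


def drop_order(dscps: Iterable[int]) -> List[int]:
    """Order one AF class's codepoints as congestion drops them: highest drop precedence first."""
    return sorted(dscps, key=lambda d: (d >> 1) & 0x3, reverse=True)


def legacy_view(dscp: int) -> int:
    """What an IP-Precedence-only device reads from a DSCP-marked packet."""
    return ip_precedence_of(ds_byte(dscp))


if __name__ == "__main__":
    for name, dscp in (("AF41", af_dscp(4, 1)), ("CS3", class_selector(3)), ("EF", EF)):
        print(name, dscp, format(ds_byte(dscp), "08b"), "precedence", legacy_view(dscp), phb_name(dscp))
    print("class 1 drop order:", drop_order([10, 12, 14]))
```

The `legacy_view` helper is the backward-compatibility argument in one line: a device that only understands RFC 791 reads AF41 (34) as precedence 4 and EF (46) as precedence 5, because the precedence bits are simply the top three DSCP bits.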
QoS Service Class
- Identify network traffic and its requirements.
- Divide traffic into classes.
- Define QoS policies for each class.
Cisco recommended mappings between CoS, DSCP and IP Precedence markings (rows recoverable from the notes):

| AutoQoS Class | Layer 2 CoS / IP Precedence | DSCP Value in Decimal | DSCP Value in Binary | Code Name |
|---|---|---|---|---|
| Local Mission Critical | 3 | 28 | 011100 | AF32 |
| Streaming Media Traffic | 4 | 32 | 100000 | CS4 (Class Selector 4) |
| Interactive Video Traffic | 4 | 34 | 100010 | AF41 |
| Interactive Voice Traffic | 5 | 46 | 101110 | EF |
Trust Boundaries — The trust boundary is the perimeter at which you classify traffic; QoS markings are not reclassified after that point. The trust boundary should be as close to the source as possible, taking into account the capabilities of the device.
Network Based Application Recognition (NBAR):
NBAR has built-in traffic recognition and can expand the number of protocols it recognizes by loading Packet Description Language Modules (PDLMs) published by Cisco.
Can be used for:
- Protocol discovery — Used to learn and report on the types of traffic passing through an interface. NBAR uses sub-port classification: it looks into the packet payload and classifies based on content.
- Traffic classification — NBAR can use deep packet inspection to classify traffic based on URL, MIME type or hostname.
- Traffic statistics collection — NBAR reports traffic statistics by protocol as shown below:
```
circus-rtr#sh ip nbar protocol-discovery

 GigabitEthernet0/1/0
                            Input                    Output
                            -----                    ------
   Protocol                 Packet Count             Packet Count
                            Byte Count               Byte Count
                            5min Bit Rate (bps)      5min Bit Rate (bps)
                            5min Max Bit Rate (bps)  5min Max Bit Rate (bps)
   ------------------------ ------------------------ ------------------------
   secure-http              45804031                 51160464
                            14439692115              45672201126
                            2000                     1000
                            5249000                  2207000
   http                     426396714                578778999
                            54201282821              812650380836
                            2000                     372000
                            4309000                  3087000
   ftp                      689880                   771488
                            467904677                812190544
                            0                        0
                            802000                   1798000
   ssh                      71666                    95757
                            11923882                 103359890
                            0                        0
```
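The following is an added example in Python, not part of the original notes, that parses the text of `show ip nbar protocol-discovery` into per-protocol input/output counters so the statistics can be checked programmatically rather than read by eye: ranking protocols by bytes, and listing protocols seen on the interface that are not on an expected-protocol list (the kind of review that decides what goes into a drop class-map). The embedded sample is the output shown above; its `ssh` row ends without the max-bit-rate line, and the parser records that value as missing rather than guessing it. The function names and the allow-list are this example's own.

```python
# Added example (not part of the original notes): parse the text of
# "show ip nbar protocol-discovery" into per-protocol counters.
from typing import Dict, List, Optional, Set, Tuple

# The interface output shown above, embedded as the sample input.
SAMPLE_OUTPUT = """\
 GigabitEthernet0/1/0
                            Input                    Output
                            -----                    ------
   Protocol                 Packet Count             Packet Count
                            Byte Count               Byte Count
                            5min Bit Rate (bps)      5min Bit Rate (bps)
                            5min Max Bit Rate (bps)  5min Max Bit Rate (bps)
   ------------------------ ------------------------ ------------------------
   secure-http              45804031                 51160464
                            14439692115              45672201126
                            2000                     1000
                            5249000                  2207000
   http                     426396714                578778999
                            54201282821              812650380836
                            2000                     372000
                            4309000                  3087000
   ftp                      689880                   771488
                            467904677                812190544
                            0                        0
                            802000                   1798000
   ssh                      71666                    95757
                            11923882                 103359890
                            0                        0
"""

# Each protocol block lists these four metrics, one line each, input then output.
METRICS = ("packets", "bytes", "bit_rate", "max_bit_rate")

Stats = Dict[str, Dict[str, Dict[str, Optional[int]]]]


def parse_protocol_discovery(text: str) -> Stats:
    """Return {protocol: {"input": {metric: value}, "output": {metric: value}}}."""
    stats: Stats = {}
    current: Optional[str] = None
    in_table = False
    for line in text.splitlines():
        tokens = line.split()
        if not in_table:
            # The three-column dashed rule under the headings starts the data.
            if len(tokens) >= 3 and all(set(t) == {"-"} for t in tokens):
                in_table = True
            continue
        if len(tokens) == 3 and not tokens[0].isdigit():
            current = tokens[0]  # first line of a block: name, input, output
            stats[current] = {"input": dict.fromkeys(METRICS), "output": dict.fromkeys(METRICS)}
            values = tokens[1:]
        elif len(tokens) == 2 and current is not None:
            values = tokens  # continuation line: input, output
        else:
            continue  # blank line or trailing text
        # Fill the next metric that has no value yet for this protocol.
        metric = next((m for m in METRICS if stats[current]["input"][m] is None), None)
        if metric is None:
            continue
        stats[current]["input"][metric] = int(values[0])
        stats[current]["output"][metric] = int(values[1])
    return stats


def top_by(stats: Stats, direction: str, metric: str, n: int = 3) -> List[Tuple[str, int]]:
    """Protocols ranked by one metric in one direction, skipping missing values."""
    rows = [(p, s[direction][metric]) for p, s in stats.items() if s[direction][metric] is not None]
    return sorted(rows, key=lambda r: r[1], reverse=True)[:n]


def unexpected_protocols(stats: Stats, allowed: Set[str]) -> List[str]:
    """Protocols seen on the interface that are not on the expected list."""
    return sorted(p for p in stats if p not in allowed)


if __name__ == "__main__":
    parsed = parse_protocol_discovery(SAMPLE_OUTPUT)
    print("top output talkers:", top_by(parsed, "output", "bytes"))
    # Constructed allow-list for a web-only segment.
    print("not expected here:", unexpected_protocols(parsed, {"http", "secure-http"}))
```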
Limitations:
- Cannot function on a Fast EtherChannel logical interface.
- Can only handle 24 concurrent URLs, hosts or MIME types.
- Only analyzes the first 400 bytes of a packet.
- Only supports CEF switching (CEF must be enabled).
Commands to implement NBAR:
```
! Turn on CEF
ip cef
!
! Load the bittorrent.pdlm from flash:
ip nbar pdlm flash:bittorrent.pdlm
!
! Match any protocol listed below.
class-map match-any cmap-nbar-drop
 match protocol edonkey
 match protocol gnutella
 match protocol fasttrack
 match protocol kazaa2
 match protocol http url "*cmd.exe*"
 match protocol novadigm
 match protocol bittorrent
!
! Make a policy map.
policy-map pmap-nbar-drop
 class cmap-nbar-drop
  drop
!
! Apply it to an interface.
interface GigabitEthernet0/1/0
 description LAN Subnet
 ip address 192.168.1.1 255.255.255.0
 ! This command may not be necessary but for ONT testing purposes use it.
 ip nbar protocol-discovery
 ! Apply the policy map to incoming traffic.
 service-policy input pmap-nbar-drop
```