Tuesday, December 11, 2007

Using QoS and NBAR: Example 1

We have all seen QoS at some point in our networking lives. From the deployment perspective, many network administrators complain that it is a technology too complex to use. The truth is that QoS can be as simple as you want, and as complex as you don't want.

Now, let's start by saying that QoS is not a protocol but a concept. Quality of Service is a concept that has been applied in various ways from Layer 2 to Layer 7.

Here I will build an example that covers the basics of two concepts: service policy and NBAR. A service policy allows us to apply policing (or shaping) to an interface. NBAR, or Network Based Application Recognition, is a Cisco proprietary feature that detects applications based on their signature (e.g. MIME type, headers, etc.).

This example's goal is to apply a service policy with the end result of:

  • Gold customers will have a CIR of 50% of the interface bandwidth
  • Telnet traffic that transits the selected interface from/to the management network will have a CIR of 128 Kbps
  • Everything else goes as normal

For easier visualization, let's start by defining CustomerA, CustomerB and Management. (It is my personal preference to use named access-lists, but you are free to use whichever kind you like.)

ip access-list standard CustomerA_Networks
 remark CustomerA Networks
ip access-list standard CustomerB_Networks
 remark CustomerB Networks
ip access-list standard Management_Stations
 remark IT LAN
 remark Ronald Workstation
 permit host

Now, let's define our two classes:

class-map match-any Gold
 match access-group name CustomerA_Networks
 match access-group name CustomerB_Networks
class-map match-all Management
 match protocol telnet
 match access-group name Management_Stations

You should notice the "match-all" and "match-any" keywords before the name of the class. They set how the matching is done. A "match-any" is a logical "OR", meaning any one of the statements needs to match. A "match-all" is a logical "AND", meaning all the statements must match.

You may also notice the "match protocol telnet". That is the "NBAR" part of the class-map. Instead of using an access-list, I do the matching using NBAR classification.

Now let's create the actual policy-map (note: this is an example policy-map, not recommended for actual deployment):

policy-map GeneralPolicy
 class Gold
  shape average percent 50
 class Management
  police cir 128000
   conform-action transmit
   exceed-action drop
 class class-default
  fair-queue
  random-detect

What we have accomplished here is exactly our goals. Now, some explanations are in order.

The first thing I want you to notice is that you can both "shape" and "police" traffic. In the real world you might not want to mix both. Remember, this is an example meant to present various general concepts in a concise manner. I could have used "shape" or "police" for both the Gold and Management traffic and it would have worked.
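To make the match-any/match-all logic of the class-maps and the top-down class order of the policy-map concrete, here is an added Python model; it is not code from this post or from Cisco IOS. The ACL contents and the sample packets are constructed (the post's own permit lines are elided), and the NBAR result is stood in for by an application label already attached to each packet.

```python
import ipaddress

# Constructed ACL contents (the post's own permit lines are elided).
# Standard ACLs match on source address only.
ACLS = {
    "CustomerA_Networks": ["10.1.0.0/16"],
    "CustomerB_Networks": ["10.2.0.0/16"],
    "Management_Stations": ["192.168.100.0/24"],
}

def match_access_group(name, pkt):
    src = ipaddress.ip_address(pkt["src"])
    return any(src in ipaddress.ip_network(net) for net in ACLS[name])

def match_protocol(proto, pkt):
    # Stand-in for NBAR: the packet already carries the application NBAR found.
    return pkt["app"] == proto

# class-map definitions from the post: (match mode, list of match statements)
CLASS_MAPS = {
    "Gold": ("match-any", [
        lambda p: match_access_group("CustomerA_Networks", p),
        lambda p: match_access_group("CustomerB_Networks", p),
    ]),
    "Management": ("match-all", [
        lambda p: match_protocol("telnet", p),
        lambda p: match_access_group("Management_Stations", p),
    ]),
}

def class_matches(name, pkt):
    mode, statements = CLASS_MAPS[name]
    results = [stmt(pkt) for stmt in statements]
    # match-any is a logical OR, match-all a logical AND
    return any(results) if mode == "match-any" else all(results)

# policy-map GeneralPolicy lists its classes in this order
POLICY_ORDER = ("Gold", "Management")

def classify(pkt):
    # Classes are evaluated top-down; the first hit wins and
    # anything unmatched falls into class-default.
    for name in POLICY_ORDER:
        if class_matches(name, pkt):
            return name
    return "class-default"

if __name__ == "__main__":
    # Constructed sample packets: (source address, application seen by NBAR)
    samples = [("192.168.100.50", "telnet"), ("192.168.100.50", "http"),
               ("172.16.5.5", "telnet"), ("10.1.3.4", "telnet")]
    for src, app in samples:
        print(src, app, "->", classify({"src": src, "app": app}))
```

Telnet from a non-management source never reaches the Management class, because match-all requires both the NBAR match and the ACL match.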

The "fair-queue" and "random-detect" entries in the default class are there to allow for flow-based weighted fair queuing (WFQ) and to use WRED (Weighted Random Early Detection) for packet discard when this class is saturated. I recommend both settings for class-default.

Now that we have all the elements, let's apply it to the interface. You can apply it in the outgoing or incoming direction.

interface FastEthernet1/0
  description WAN Ethernet Link
  ip address
  ip nbar protocol-discovery
  service-policy output GeneralPolicy

The "ip nbar protocol-discovery" command is not needed for the NBAR application classification magic. It is just there to maintain statistics on the applications discovered; those can be seen with "show ip nbar protocol-discovery". The "service-policy" statement applies the policy-map we defined, in this case in the outgoing direction.

You can verify the results with the "show policy-map interface FastEthernet1/0" command:

R2#sh policy-map interface f1/0

 Service-policy output: GeneralPolicy

   Class-map: Gold (match-any)
     0 packets, 0 bytes
     5 minute offered rate 0 bps, drop rate 0 bps
     Match: access-group name CustomerA_Networks
       0 packets, 0 bytes
       5 minute rate 0 bps
     Match: access-group name CustomerB_Networks
       0 packets, 0 bytes
       5 minute rate 0 bps
     Traffic Shaping
          Target/Average     Byte    Sustain    Excess     Interval   Increment
            Rate             Limit   bits/int   bits/int   (ms)       (bytes)
           50 (%)                    0 (ms)     0 (ms)
          50000000/50000000  312500  1250000    1250000    25         156250

       Adapt   Queue   Packets   Bytes   Packets   Bytes     Shaping
       Active  Depth                     Delayed   Delayed   Active
       -       0       0         0       0         0         no

   Class-map: Management (match-all)
     149 packets, 8437 bytes
     5 minute offered rate 0 bps, drop rate 0 bps
     Match: protocol telnet
     Match: access-group name Management_Stations
       cir 128000 bps, bc 4000 bytes
       conformed 149 packets, 8437 bytes; actions:
       exceeded 0 packets, 0 bytes; actions:
       conformed 0 bps, exceed 0 bps

   Class-map: class-default (match-any)
     2387 packets, 231709 bytes
     5 minute offered rate 0 bps, drop rate 0 bps
     Match: any
     Flow Based Fair Queueing
     Maximum Number of Hashed Queues 256
     (total queued/total drops/no-buffer drops) 0/0/0
      exponential weight: 9

  class    Transmitted      Random drop      Tail drop    Minimum   Maximum   Mark
           pkts/bytes       pkts/bytes       pkts/bytes   thresh    thresh    prob
    0      897/120692       0/0              0/0          20        40        1/10
    1      0/0              0/0              0/0          22        40        1/10
    2      0/0              0/0              0/0          24        40        1/10
    3      0/0              0/0              0/0          26        40        1/10
    4      0/0              0/0              0/0          28        40        1/10
    5      0/0              0/0              0/0          30        40        1/10
    6      1490/111017      0/0              0/0          32        40        1/10
    7      0/0              0/0              0/0          34        40        1/10
    rsvp   0/0              0/0              0/0          36        40        1/10

In the shaping, police and WRED sections of that output you can see the results of our policy. You can also see the number of packets that have been matched by the different classes.
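The Management class counters in that output (cir 128000 bps, bc 4000 bytes, conformed and exceeded packets) come from a single-rate token-bucket policer. The following added Python model, which is not the post's or Cisco's code and simplifies the IOS implementation, shows how the 4000-byte bucket lets a short burst through and then drops whatever exceeds 128 kbps; the packet sizes and arrival times are constructed.

```python
class SingleRatePolicer:
    """Single-rate, two-colour policer: conform-action transmit, exceed-action drop."""

    def __init__(self, cir_bps, bc_bytes):
        self.cir_bps = cir_bps
        self.bc_bytes = bc_bytes      # bucket depth = committed burst (bc)
        self.tokens = bc_bytes        # bucket starts full
        self.last_ms = 0
        self.conformed = 0
        self.exceeded = 0

    def police(self, size_bytes, now_ms):
        # Refill at cir/8 bytes per second, never beyond bc (integer maths
        # so the exact-rate case is not disturbed by float rounding).
        elapsed_ms = now_ms - self.last_ms
        self.tokens = min(self.bc_bytes,
                          self.tokens + elapsed_ms * self.cir_bps // 8000)
        self.last_ms = now_ms
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            self.conformed += 1
            return "conform"          # transmitted
        self.exceeded += 1            # bucket untouched, packet dropped
        return "exceed"

def run_flow(policer, packets):
    """packets: iterable of (size_bytes, time_ms). Returns (conformed, exceeded)."""
    for size, t in packets:
        policer.police(size, t)
    return policer.conformed, policer.exceeded

# Values from the show output on the page: cir 128000 bps, bc 4000 bytes.
CIR, BC = 128000, 4000

def burst_case():
    # Constructed: ten 1000-byte packets arriving at the same instant.
    return run_flow(SingleRatePolicer(CIR, BC), [(1000, 0)] * 10)

def steady_case(size_bytes, count=50, interval_ms=25):
    # Constructed: fixed-size packets every 25 ms (400 B = 128 kbps, 500 B = 160 kbps).
    pkts = [(size_bytes, i * interval_ms) for i in range(count)]
    return run_flow(SingleRatePolicer(CIR, BC), pkts)

if __name__ == "__main__":
    print("burst of 10 x 1000 B:", burst_case())                 # (4, 6)
    print("400 B every 25 ms (=128 kbps):", steady_case(400))    # (50, 0)
    print("500 B every 25 ms (=160 kbps):", steady_case(500))    # (47, 3)
```

The 160 kbps flow gets its first 36 packets through on the stored burst and is then held to roughly the CIR, which is the "conformed ... exceeded" split you would watch grow in "show policy-map interface".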

For more information on NBAR visit this link. For information on shaping vs policing visit this link.

Hope you have found this example useful. If you have any comments, complaints or questions on this topic, please post them below.

1 comment:

  1. I never knew that using QoS and NBAR can solve the problem of daily work. You've mentioned all the stuff in a very good manner. Thanks for sharing this article with us. Keep posting.