Chainring Circus

Auto QoS has two versions AutoQoS VOIP for switches and routers which was developed first to deploy QoS without the need for QoS experience. The second is AutoQoS Enterprise, is for routers only and requires a two step deployment process.

There are five key elements of QoS design and deployment.

1. Application Classification
2. Policy Generation
3. Configuration
4. Monitoring
5. Consistency

AutoQos VOIP
Oriented to make VOIP traffic work well (duh).
Follows Cisco best practices for QoS tools for VOIP.

AutoQoS requirements:
Requires CEF be enabled first.
Cannot be used on an interface with a previous service policy command configured.
Bandwidth command should be configured with the correct bandwidth, AutoQoS VOIP relies upon this setting.
Supports only point-to-point subinterfaces on Frame Relay interfaces.

Commands to implement AutoQoS VOIP:
(config)#int s1/0
(config-if)#auto qos voip

Command to remove AutoQoS VOIP:
(config)# no auto qos voip
Unless you have made local changes, then you will have to remove it manually.

Confirmation commands for AutoQoS VOIP:
(config)# show auto qos
Shows configuration generated by autoqos voip, will not show changes made to the QoS configuration.
(config)# show auto qos int s1/0
Shows the policy map on the interface
(config)# show run
Shows config as it is, with local changes to the policy.

When connecting to a trusted switch or router, use the command:
(config-if)# auto qos voip trust
This router implicitly trusts the DSCP marking sent on this interface.

When the possibility exists to connect to a phone:
(config-if)# auto qos voip cisco-phone
The switch will then use CDPv2 to check if it is a Cisco phone on the other end the trust boundary is extended.

AutoQoS Enterprise
Designed to expand the use of QoS from voice to include video, and data without an in-depth knowledge of QoS, PPP, frame relay, ATM and LFI. AutoQoS Enterprise uses a two step deployment process, the first being auto-discovery or data collection, the second step is AutoQoS template generation and installation.

AutoQoS Enterprise addresses five key elements of QoS design and deployment.

1. Application Classification — Uses NBAR and CDPv2 to classify traffic.
2. Policy Generation — AutoQoS Enterprise generates
3. Configuration — Easily configured.
4. Monitoring
5. Consistency

Auto-Discovery
Started with the command:
(config-if)# auto discovery qos [trust]

In trust mode auto-discovery trusts the DSCP values in the IP header and uses it to classify packets, collect bandwidth statistics, calculate traffic average and traffic peak rate, then passes the data to the template module.

In untrust mode auto-discovery uses NBAR to detect application on the network to collect data and perform statistical analysis.

To show the data that has been collected:
# show auto discovery qos [interface [interface type]]

AutoQoS template generation and installation
The second stage uses the discovery results to generate class and policy map templates.

The class-map templates generated are used to classify applications and map them to classes for DiffServ PHB. AutoQoS Enterprise can define as many as 10 classes, which are designed to accommodate various enterprise applications.

Below is the table of classes and their PHB from the Cisco document “AutoQoS for the Enterprise.”

The policy-map templates define interface queuing and minimum bandwidth. The templates created depend on the type of interface and bandwidth configured on the interface, which is why it is so important to define bandwidth correctly. Networkers can tune the policy-map if needed.

To show the auto qos class and policy maps:
# show auto qos [interface [interface type]]
# show policy-map interface [interface type]

AutoQoS Issues:
AutoQoS may not work well for corner cases.
Creates too many traffic classes.
Does not adapt to changes in the network.

Diagnosing AutoQoS:
show auto qos
Class map match and set commands show how the traffic is marked.
Policy map priority and bandwidth show queue type and bandwidth guarantee.

Some common statements:
! Where does the traffic originate.
match input interface int
! Layer 2 CoS values.
match cos cos-value
! Layer 3 IP precedence
match ip precedence ip-prec-value
! Layer 3 IP DSCP
match ip dscp ip-dscp-value
! RTP port value
match ip rtp port-number port-range

References used besides ONT and the QoS Exam Certification Guide:

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t11/feature/guide/ft_aqose.html#wp1050762

http://www.cisco.com/en/US/technologies/tk543/tk879/technologies_white_paper0900aecd800a8561.html

https://www.cisco.com/en/US/technologies/tk543/tk879/technologies_white_paper0900aecd800a8561_ps6613_Products_White_Paper.html

Qos Pre-Classify
The point of the qos pre-classify command is to be able to read and manipulate the IP header of a packet going through a VPN. The problem is that when a packet enters a VPN it is encrypted, header and all. After this command is applied, the router makes a copy of the original IP header so that you can perform QoS manipulation at egress on an interface.

Actually if the ToS byte (DSCP, ECN or IP Precedence) is the only portion of the header that needs manipulation you don’t need qos pre-qualify, however, if you need access to source or destination ip address or port numbers then you need the qos pre-qualify command.

This is better stated on page 231 of the QoS Exam Certification Guide:
Packets entering a router interface, not yet in a VPN tunnel, can be processed with ingress QoS features on that interface just like always.

Packets exiting a router interface, after encapsulation and encryption by that router into a VPN tunnel, cannot be processed with egress QoS features on that interface just like always. The Egress QoS features can only examine the post-encapsulation IP header.

That is why qos pre-classify makes a copy of the original IP header. The command qos pre-classify turns on pre-classification and is restricted to tunnel interfaces, virtual templates, and crypto maps, it is not available on any other interface type.

Applying a QoS policy to a physical interface causes that policy to affect all tunnel interfaces on that physical interface. Applying a service policy to a tunnel interface affects that particular tunnel only and does not affect other tunnel interfaces on the same physical interface.

The configuration below only applies qos pre-classify to the tunnel interface:

From page 195 of the ONT book:

• To classify packets based on the pre-tunnel header, apply the QoS policy to the tunnel interface without QoS pre-classify.
• To classify packets based on the post-tunnel header, apply the QoS policy to the physical interface without QoS pre-classify.
• To classify packets based on the pre-tunnel header, apply the QoS policy to the physical interface and enable QoS pre-classify.

Generic Routing Encapsulation (GRE)
Generic Routing Encapsulation (GRE) is a tunneling protocol developed by Cisco that can encapsulate a wide variety of protocol packet types inside IP tunnels, including routing protocols, multicast packets and non-IP traffic. GRE tunnels create a virtual point-to-point link between Cisco routers at remote points over an IP internetwork. GRE itself does not provide data confidentiality using encryption.

IPSec Authentication Header (IPSec AH)
IPSec Authentication Header (IPSec AH) is a security protocol that provides authentication and optional replay-detection services. Transport mode is applicable only to host implementations and provides protection for upper layer protocols, in addition to selected IP header fields. AH can be used either by itself or with Encryption Service Payload (ESP).

Tunnel mode AH may be employed in either hosts or security gateways. When AH is implemented in a security gateway to protect transit traffic tunnel mode must be used.

IPSec AH is documented in RFC 2402.

Click here for a better image.

IPSec Encapsulating Security Payload (ESP)
IPSec Encapsulating Security Payload (ESP) is documented in RFC 2406.

The ESP header is inserted after the IP header and before the upper layer protocol header for transport mode or before an encapsulated IP header in tunnel mode.

Click here for a better image.

Tunnel mode in both IPSec ESP and IPSec AH the original packet header ToS byte is copied to the encapsulating IP packet header ToS byte and is available for QoS purposes. In transport mode, the entire original IP header is available for QoS processing in both.

End-to-End QoS
This may sound rudimentary, but in order to reap the benefits of QoS, it must be deployed consistently throughout an AS. At the access layer trust must be set appropriately, the correct queues on created on switch ports with priority queuing for VOIP. At the distribution layer you should employ layer 3 policing and marking, have the correct queues created, priority queuing for VOIP and use WRED in data queues. At the AS edge you should employ classification and marking, WRED, LLQ and LFI.

Now that service providers offer layer 3 hand-off it is more important to coordinate QoS setting with you provider. Layer 3 allows them more flexibility in in how they handle traffic. Typical service provider SLAs include up to five traffic classes, ranging from real-time to best effort.

These are the guidelines for implementing QoS in an AS taken from page 189 of ONT book:

• Classify and mark as close to the source as possible.
• Police traffic as close to the source as possible.
• Establish proper trust boundaries.
• Classify and mark real-time voice and video as high-priority traffic.
• Use multiple queues on transmit interfaces.
• Try to perform hardware-based rather software-based QoS.

Control Plane Policing
The control plane of a Cisco router includes the data plane, management plane and service plane. Control plane policing allows you to build QoS filters to protect the router against DoS attacks.

Documentation referenced in this post:
CCNP ONT Official Exam Certification Guide
Cisco QoS Exam Certification Guide, Second Edition

Quality of Service Options on GRE Tunnel Interfaces, Document ID: 10106
RFC 2402
RFC 2406

For both of those people who read my blog regularly, hi mom, I want to say that I have not really been slacking. I have been typing up flashcards for the iPhone. I downloaded a number of flashcard apps for the iPhone to figure out which one I liked and decided on Flashcards Deluxe. It has the most intuitive user interface and it allowed me to easily download my own flashcards without having to join some portal. Unfortunately it is not cheap, but I am willing to pay for a quality application.

This actually plays toward my longterm goal of trying for my CCIE. Greg Ferro over at Etherealmind had a post about how he uses Mental Case for his flash cards, but Mental Case did not fit my work flow. I made paper 3×5 cards for BSCI and BCMSN but wanted something that would work long term, and quite frankly 1,000 paper flashcards just doesn’t seem reasonable down the stretch. So this is my attempt to not have to redo flashcards in the future.

I have been reticent about posting these flashcards because they are taken straight from the book. I decided to share them because there is only six months left to take these tests and no one will care except those who have purchased the books and are getting ready for this version of the CCNP. If anyone from Cisco Press has a problem please contact me and I will remove them.

To add these flashcards to your phone, in Flashcards Deluxe choose to add a private deck, choose Deck Code and point it to http://chainringcircus.org/files/ont-chx-description.csv then you can download the cards and study. If you prefer to try before you buy, Flashcards Deluxe Light is free but only allows four flashcards, in that case download test.csv.

I have not used all of the cards yet so there may be some formatting changes. I will post another entry any time I add new sets or make changes to the current sets.

Hope this helps and good luck studying.

There are three main quality of service concepts: congestion avoidance, traffic shaping and policing, and link efficiency mechanisms.

Congestion Avoidance:

Tail Drop
Tail drop causes problems with the network because it is not “smart” in how it deals with dropping traffic. Once the hardware and software queues become full it just starts dropping packets regardless of application, destination or need.

Global synchronization and TCP starvation are the result of tail drop.

• TCP Global Synchronization — When tail drop occurs all TCP based applications go into slow start, bandwidth use drops and queues clear. Once the queues clear flows increase their TCP send window until they start to receive dropped packets again. It results in waves peak utilization coupled with sudden drops in utilization, resulting in waves of traffic.
• TCP Starvation — TCP tries to work well in the network by backing off on bandwidth when packets are dropped, called slow start, but UDP does not. As a result when TCP traffic slows to deal with dropped traffic, UDP traffic does not slow, resulting in queues being filled by UDP packets, starving TCP of bandwidth.

Random Early Detection (RED)
Statistically RED drops more packets from aggressive flows than from slower flows and only flows who have packets dropped slow down, avoiding global synchronization.

RED measures the average queue depth to decide whether or not to drop packets because the average queue depth changes more slowly than the actual depth.

RED has three configuration parameters: minimum threshold, maximum threshold, and mark probability denominator (MPD).

Once the depth reaches the minimum threshold packets begin to be dropped and once it exceeds the maximum threshold there is effectively tail drop. Everything in between is governed by the mark probability denominator.

The mark probability denominator sets the maximum percentage of packets discarded by RED. IOS calculates the maximum percentage using the formula 1/MPD. For instance, an MPD of 10 yields a calculated value of 1/10, meaning the maximum discard rate is 10 percent.

The following table is from page 425 of the QoS Exam Certification Guide and shows how the minimum threshold, maximum threshold and queue depth all interact.

Weighted Random Early Detection
WRED behaves the same as RED, except that WRED differentiates between IP precedence or DSCP value. The ONT book and the QoS Exam book both cover the same example of WRED, just in different levels of detail. Personally if you understand the concepts from the chart above with the min and max thresholds, the following charts will explain everything. When an interface starts to become congested, WRED discards lower priority traffic with a higher probability. By default in IOS lower precedence flows have smaller minimum thresholds and will therefore begin dropping packets before higher precedence flows. As the queue passes a threshold, for instance 22 packets for packets with a precedence of 1, then packets with precedence 0 and 1 will be dropped.

The tables below are taken from pages 430 and 431 of the QoS Exam Certification Guide.

This table is for IP Precedence based WRED defaults.

This table is for IOS DSCP-Based WRED defaults.

Class-Based Weighted Random Early Detection (CBWRED)
CBWRED is configured by applying WRED to CBWFQ. Remember, by default CBWFQ performs tail drop by default. By default WRED is based on IP precedence as seen in the chart above, it has eight profiles pre-defined. To me it is a joy to be able to look at the following configuration and understand it’s meaning. This is how to configure CBWRED from page 159 in the ONT book. Notice that they are just configuring the defaults from IOS as seen in the chart above. By tying it all together the configuration makes more sense.

And the same configuration using DSCP.

To verify configuration use the show policy-map interface command.

Traffic Policing and Shaping

Providers commonly police traffic while subscribers commonly shape traffic.

Policing restricts the amount of bandwidth into or out of an interface. Traffic policing discards or re-marks excess packets so that the overall rate defined is not exceeded. Whenever the physical clock rate exceeds the traffic contract, policing may be needed, called subrate access. Policing protects a network from being overrun by traffic.

• Limit the rate of traffic to less than what an interface can support, subrate access.
• Rate limit traffic classes.
• Re-mark traffic to a lower class.

Traffic shaping applies only to outbound traffic. Traffic shaping buffers excess packets in a queue that are then sent at the shaping rate, introducing variable delay and jitter.

• Shape traffic to match provider policing rate.
• Slow traffic to a congested destination.
• Send separate traffic classes at different rates.

Shaping Terminology from page 346 of the QoS Exam Certification Guide.

• Tc — Committed time interval, measured in milliseconds over which the committed burst (Bc) can be sent.
  Tc = Bc/CIR or Tc = Bc/Shaped Rate
• Bc — Committed burst size, measured in bits. The amount of traffic that can be sent over time Tc. Commonly defined in the traffic contract.
  Bc = Tc * CIR or Bc = Tc * Shaped Rate
• CIR — Committed information rate, in bits per second, defined in the traffic contract.
• Shaped Rate — The rate in bits per second configured. This can be equal to or greater than the CIR.
• Be — Excess burst size, in bits. The number of bits greater than Bc that can be sent after a period of inactivity.

CIR (bits per second) = Bc (bits) / Tc (second)

Link Efficiency Mechanisms

The bandwidth gained by compression must be more important than the delay added by compression processing or you should not use compression.

Layer 2 Payload Compression

• Performed on a link by link basis.
• Compresses the entire layer 2 payload.
• Increases processing delay due to computation.
• Decreases serialization delay because packets are smaller.
• Increases available bandwidth because packets are smaller.
• Can be performed in both hardware and software, software compression is not recommended.

Header Compression
Generally headers of the packets in a single flow are identical, therefore instead of sending the same header over and over, an index that refers to that entire header is sent instead. On the receiving end, the index is referenced and the real header is married back with the packet to be forwarded.

• Performed on a link by link basis.
• Header compression is not CPU intensive.
• The payload is not compressed, only the headers.
• Can be used with TCP or RTP.
• Best when dealing with small packets because proportionally the header takes up a larger percentage of the packet.
• RTP header compression is good for voice because voice uses smaller packets.

Header Compression Configuration
To configure header compression, the interface command ip tcp header-compression must be configured on both ends of a link.

Confirm that header compression is active:

Link Fragmentation and Interleaving (LFI)
LFI tries to lower delay by attacking the problem of serialization delay.
Serialization delay is the time required to send a frame over a physical link. This is not trivial on slower clocked physical interfaces such as 56k links.

LFI reduces serialization delay by making sure large packets do not delay smaller packets. It fragments large packets and interleaves smaller packets between the fragments of the large packets being sent.

The following process for how LFI works is taken from page 477 of the QoS Exam Certification Guide, please note the differentiation between the use of the word packet and frame because it makes a difference in this description.

• The router fragments the packet into smaller pieces.
• The router adds the appropriate data-link headers and trailers, including any headers specifically needed for fragmentation support.
• The length of the resulting frames (including data-link headers/trailers) does not exceed the fragmentation size configured.
• The router adds these frames to the appropriate queue.

Last week we upgraded our callmanager and I had to mess around with DHCP to get some phones working correctly. I’ve been meaning to write an entry about our DHCP server configuration so I figured I would take some time to document what we do at the Circus.

We use ISC BIND and DHCP, let me explain our setup. We have two DNS/DHCP servers. The DNS servers are in master/slave and the DHCP servers are failover peers in primary/secondary. However, every time I update the DHCP configuration I didn’t want to have to think too hard about updating the the peer. So I set up the configuration files for DHCP so that I would only have to copy one file with all of the changes from one DHCP server to the other.

The configuration that is different for each server resides in /etc/dhcpd.conf and all other configuration that is shared resides in /etc/dhcpd/dhcpd.master.conf. When I make a change like adding a subnet to DHCP I only have to copy /etc/dhcpd/dhcpd.master.conf from one sever to the other and my configuration stays in sync.

The only difference between the two /etc/dhcpd.conf configuration files is the IP address of the peer and primary versus secondary.

The master file is common to both DHCP servers. Whenever you make a change to one, just copy it over to the other DHCP server and they will always be in sync.

If you have gotten this far then you are definitely interested in DNS/DHCP. Let me plug the training that ISC provides as the best training course I have ever attended. The labs are not trivial as they are in some Cisco classes and the lecturers were awesome. The trainers were two individuals who run two different root servers on the net. They knew DNS/DHCP inside and out.

Each day we had lunch with some great resources, like Paul Vixie one day, the developers for BIND another, the DHCP developers the third day and the support staff the fourth. Each had their own spin on any question you asked and I left knowing a great deal about how I wanted to reconfigure our DNS/DHCP infrastructure.

Definitions:
Tail drop — When a queue becomes full and new packets are dropped.
Speed mismatch– The incoming interface speed exceeds the outgoing interface speed.
Aggregation problem — The traffic from many interfaces aggregates into one interface that does not have enough bandwidth.
Confluence problem — The joining of multiple traffic streams causes congestion on an interface.
Transmit queue (TxQ) or tx_ring — The hardware queue of an interface, always a FIFO queue.

There are two levels to a queue, the software queue and the hardware queue. The software queue can change it’s queuing algorithm while the hardware queue is always FIFO. The software portion of a queue has multiple queues within it, allowing for tiered service based on different algorithms. Once a packet is assigned to a software queue it can still be dropped depending on the algorithm employed for that software queue.

You can set the size of the hardware queue by using the tx-ring-limit command, however, keep in mind that a hardware queue that is too big imposes FIFO like delay and one that is too short is inefficient because it causes too many CPU interrupts.

Queuing Methods:

First In First Out (FIFO)
The default queuing mechanism for interfaces faster than 2.048Mbps. If an interface is unlikely to be congested this might be an appropriate queuing mechanism. Packets line up in a single queue with no regard for class, priority or type. Similar to a gas station with only one register and no pay at the pump.

The main drawback of FIFO is that high volume applications will be allowed to consume more bandwidth, while lower bandwidth applications may not be serviced adequately.

Priority Queuing (PQ)
Priority queuing has four queues which traffic must be assigned to or it defaults to the normal queue. Access lists are commonly used to assign packets to each queue. Priority queuing uses strict priority, if a packet is in the high priority queue it is processed while all other queues are starved. When the high priority queue is empty one packet from the medium priority queue is processed, after which the scheduler restarts at the high priority queue. It is this way all the way down to the low priority queue, which is only processed when all other queues are empty. The default size of the queue gets smaller as the priority increases, although you can adjust the default queue sizes.

The four priority queues and their default queue size:

1. High — 20
2. Medium — 40
3. Normal — 60
4. Low-priority — 80

Priority Queuing Configuration
You can configure up to 16 priority lists on a router, this configures priority list 7. For reference you can check the Classification post for IP precedence.

Confirm configuration:

And finally to show debugging of priority queuing:

Round Robin (RR)
There is no priority in queuing with the RR queue. It takes one packet from the first queue and repeats the process for each queue, effectively sharing the bandwidth equally between each queue.

Weighted Round Robin (WRR)
A modified version of RR, each queue is assigned a weight that effectively assigns it a portion of the bandwidth.

Weighted Fair Queuing (WFQ)
WFQ scheduler has two goals:
1. Provide fairness among the existing flows, each flow receives the same amount of bandwidth as other flows with the same precedence.
2. Provide more bandwidth to flows with higher IP precedence values. A higher precedence flow receives more bandwidth than a lower precedence flow, hence the “weighted” in the name.

The effect of these goals, lower volume flows get relatively better service and higher volume flows get worse service.

WFQ is supported only on slow links, slower than 2.048 Mbps. WFQ is either on or off, there are no classification configuration options.

WFQ can be disabled on an interface with:
no fair-queue

It is enable with the commands:
fair-queue [cdt [dynamic-queues [reservable-queues]]]
hold-queue max-limit out

You can see the what has been configured for an interface using:
sh int s0/1
or
sh queue int s2/0

WFQ Classification and Scheduling
WFQ is flow-based and dynamically builds and deletes queues based on the number of flows. The number of queues that the router can build is configurable from 16 to 4096(inclusive) with a default of 256. When the number of flows exceeds the maximum number of queues, new flows are assigned to existing queues.

Flows are identified by creating a has from the following fields:
Source IP
Destination IP
Protocol Number
Type of Service (ToS)
Source TCP/UDP port number
Destination TCP/UDP port number
Because WFQ needs access to the packet header fields it does not work with tunneling or encryption.

WFQ Drop Policy
Hold Queue Limit — The absolute limit of the number of packets in all queues. Once this limit has been reached any arriving packet is dropped.

WFQ Agressive Dropping — When a packet arrives while the hold queue is full, the packet is dropped.

Congestive Discard Threshold (CDT) — Limits the number of packets in each individual queue.

WFQ Early Dropping — A packet arrives and the congestive discard threshold (CDT) has been reached for an individual queue, the packet is dropped, even though the hold queue is not full unless there is a packet in another queue with a higher sequence number, then that packet is dropped instead.

Class-Based Weighted Fair Queuing (CBWFQ)
Classes for CBWFQ are defined by class maps, not access lists.
Can create up 64 queues, however, the class-default queue is always present and if you do not specify bandwidth for it, uses remaining bandwidth not defined. Each queue has a reserved bandwidth with a bandwidth guarantee. When there is room a queue can use more bandwidth than that allotted.

The bandwidth command reserves bandwidth to the queue of a class. The maximum reserved bandwidth is 75% and can be changed with the max-reserved-bandwidth command for the interface. The bandwidth percent and bandwidth remaining percent commands you allocate interface bandwidth accordingly.

You can allocate bandwidth using only one form of the bandwidth allocation command, you cannot mix bandwidth class maps with bandwidth percent class maps for different classes on the same interface.

Each queue can have two types of drop policy, tail drop and WRED. Tail drop is the default, while WRED requires extra configuration. Simply put, WRED discards packets before the queue is full, making some TCP connections react to lost packets and slowing down rate of delivery. WRED would not be a good option for VOIP but then, neither is CDWFQ.

The greatest drawback of CBWFQ, it does not address the low latency requirements of VOIP.

How to configure CBWFQ

Low-Latency Queuing (LLQ)
LLQ introduces a strict-priority queue into CBWFQ, or LLQ is a feature of CBWFQ that adds a strict-priority queue. You turn on LLQ in CBWFQ by using the priority command. LLQ includes a policed strict-priority queue that is given priority over other queues, so it is best able to provide the low delay and jitter required for VOIP applications. Because it is policed during time of congestion other queues are not starved of bandwidth, packets to the strict-priority queue are dropped when its bandwidth is exceeded.

With LLQ you get the best of both worlds, low latency for traffic in the priority queue and guaranteed bandwidth for the traffic in the other queues.

LLQ configuration requires one more command in addition to those used in CBWFQ, instead of using the bandwidth command, use the priority command. It enables LLQ on this class, reserves bandwidth and enables the policing function.

priority {bandwidth-kbps | percent percentage} [burst]