
Classification, Marking and NBAR

October 23rd, 2009, by jud

The difference between classification and marking is the action taken: classification tools categorize packets, while marking changes packet headers. These tools lay the foundation upon which the rest of QoS is built.

Classification — Performing classification as close to the source as possible is the most efficient use of network resources.

Marking — Marking is performed after classification; how a packet is marked depends on the layer.

Layer 2 Marking:

  • CoS — Used in the ISL or 802.1Q header
  • EXP — MPLS header
  • DE — Frame Relay header
  • CLP — ATM cell header

Layer 3 Marking:

  • IP Precedence — RFC 791, the first 3 bits of the ToS byte in the IP header.
  • DSCP — RFC 2474 and 2475, the first 6 bits of the ToS byte in the IP header.

Layer 2 Class of Service (CoS):

An 802.1Q/p Ethernet frame carries CoS in the 3-bit PRI field, which gives 8 possible values.

CoS   Name                  Application
000   Routine               Best-Effort Data
001   Priority              Medium Priority Data
010   Immediate             High Priority Data
011   Flash                 Call Signaling
100   Flash Override        Video Conferencing
101   Critic/ECP            Critical Voice Bearer
110   Internetwork Control  Internetwork Control
111   Network Control       Network Control

Frame Relay uses the discard eligible (DE) bit to tell a router whether the frame can be dropped: 1 == discard eligible, 0 == should not be dropped.

ATM cells have the cell loss priority (CLP) field: 1 == discard eligible, 0 == should not be discarded.

Layer 2 1/2:
MPLS packets have the EXP field within the MPLS header, which is compatible with the 3-bit PRI/CoS field of the 802.1Q header. The CoS value can be copied into the MPLS EXP field, or a service provider can designate its own EXP value, leaving the customer's marking in the IP header intact.

Layer 3:
RFC 791 called the 3 most significant bits of the ToS byte the IP Precedence bits. IP Precedence was the predecessor to the Differentiated Services Code Point (DSCP), which uses 6 bits of the ToS byte to classify traffic; the remaining two bits of the byte are used for Explicit Congestion Notification (ECN).

DSCP is backward compatible with IP Precedence but offers more options for classification.

Because DiffServ does not signal along the path as IntServ does, each hop applies its own behavior based on the DSCP value; these behaviors are called Per-Hop Behaviors (PHBs).

DSCP defines four PHBs:

  • Class Selector PHB — The 3 least significant DSCP bits set to 000, providing backward compatibility with ToS-based IP Precedence.
  • Default PHB — The 3 most significant bits set to 000; this is best effort, or a packet that has not been marked.
  • Assured Forwarding (AF) PHB — Defines four classes, each with a queue and reserved bandwidth. When a queue becomes congested, packets are dropped according to their drop precedence to avoid tail drop. A lower drop precedence provides better QoS within each AF class.

                Low Drop Probability      Medium Drop Probability   High Drop Probability
                Name / Decimal / Binary   Name / Decimal / Binary   Name / Decimal / Binary
    Class 1     AF11 / 10 / 001010        AF12 / 12 / 001100        AF13 / 14 / 001110
    Class 2     AF21 / 18 / 010010        AF22 / 20 / 010100        AF23 / 22 / 010110
    Class 3     AF31 / 26 / 011010        AF32 / 28 / 011100        AF33 / 30 / 011110
    Class 4     AF41 / 34 / 100010        AF42 / 36 / 100100        AF43 / 38 / 100110
  • Expedited Forwarding (EF) PHB — Provides low-delay service to packets with the DSCP field set to 101110 (decimal 46).

QoS Service Class

  1. Identify network traffic and its requirements.
  2. Divide traffic into classes.
  3. Define QoS policies for each class.

Cisco-recommended mappings between CoS/IP Precedence and DSCP markings:

AutoQoS Class               Layer 2 CoS /    DSCP Value   DSCP Value   Code Name
                            IP Precedence    in Decimal   in Binary
Best Effort                 0                0            000000       BE (Best Effort)
Scavenger                   1                8            001000       CS1 (Class Selector 1)
Bulk Data                   1                10           001010       AF11
                                             12           001100       AF12
                                             14           001110       AF13
Network Management          2                16           010000       CS2 (Class Selector 2)
Telephony Signaling         3                26           011010       AF31
Local Mission Critical      3                28           011100       AF32
                                             30           011110       AF33
Streaming Media Traffic     4                32           100000       CS4 (Class Selector 4)
Interactive Video Traffic   4                34           100010       AF41
                                             36           100100       AF42
                                             38           100110       AF43
Interactive Voice Traffic   5                46           101110       EF

Trust Boundaries — The trust boundary is the perimeter where you classify traffic; QoS markings are not reclassified after that point. The trust boundary should be as close to the source as possible, taking into account the capabilities of the device.
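The DSCP layout from the PHB list and mapping table above, plus a trust-boundary check, as an added Python example (not code from the original post); the AF bit formula follows RFC 2474/2597, and the policy of clearing DSCP on untrusted ports is an assumption for illustration.

```python
"""ToS-byte helpers for the IP Precedence, DSCP and trust-boundary material above.

Added example, not part of the original post. Bit positions follow RFC 2474
(DSCP = high 6 bits, ECN = low 2) and the AF layout from the table above;
the untrusted-port remarking policy is an assumption for illustration.
"""
EF_DSCP = 46          # 101110, Expedited Forwarding


def af_dscp(af_class: int, drop_precedence: int) -> int:
    """AFxy: class x (1-4) in DSCP bits 5-3, drop precedence y (1-3) in bits 2-1."""
    if not (1 <= af_class <= 4 and 1 <= drop_precedence <= 3):
        raise ValueError("AF class must be 1-4 and drop precedence 1-3")
    return (af_class << 3) | (drop_precedence << 1)


def split_tos(tos: int) -> dict:
    """Split a ToS byte into DSCP (high 6 bits), IP Precedence (high 3) and ECN (low 2)."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS must fit in one byte")
    return {"dscp": tos >> 2, "precedence": tos >> 5, "ecn": tos & 0b11}


def phb_name(dscp: int) -> str:
    """Name the PHB family a 6-bit DSCP belongs to (BE, CSn, AFxy, EF or unknown)."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field")
    if dscp == 0:
        return "BE"
    if dscp == EF_DSCP:
        return "EF"
    high3, low3 = dscp >> 3, dscp & 0b111
    if low3 == 0:                       # xxx000: class selector, IP Precedence compatible
        return f"CS{high3}"
    if 1 <= high3 <= 4 and low3 in (2, 4, 6):
        return f"AF{high3}{low3 // 2}"  # 010/100/110 encode drop precedence 1..3
    return "unknown"


def apply_trust_boundary(tos: int, port_trusted: bool) -> int:
    """Keep the marking from a trusted port; clear the DSCP bits from an untrusted one.

    Assumed policy: a device beyond the trust boundary (a PC on an access port, say)
    must not be able to inject EF or AF markings, so its DSCP is reset to BE while
    the ECN bits, which are not QoS markings, are preserved.
    """
    return tos if port_trusted else tos & 0b11
```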

Network Based Application Recognition (NBAR):
NBAR has some built-in traffic recognition and can expand the number of protocols it recognizes by loading Packet Description Language Models (PDLMs) published by Cisco.
NBAR can be used for:

  • Protocol discovery — Used to learn and report on the types of traffic passing through an interface. NBAR uses sub-port classification: it looks into the payload of the packet and classifies based on content.
  • Traffic classification — NBAR can use deep packet inspection to classify traffic based on URL, MIME type or hostname.
  • Traffic statistics collection — NBAR reports traffic statistics by protocol, as shown below:
    circus-rtr#sh ip nbar protocol-discovery

     GigabitEthernet0/1/0
                                Input                    Output                  
                                -----                    ------                  
       Protocol                 Packet Count             Packet Count            
                                Byte Count               Byte Count              
                                5min Bit Rate (bps)      5min Bit Rate (bps)    
                                5min Max Bit Rate (bps)  5min Max Bit Rate (bps)
       ------------------------ ------------------------ ------------------------------
       secure-http              45804031                 51160464                
                                14439692115              45672201126            
                                2000                     1000                    
                                5249000                  2207000                
       http                     426396714                578778999              
                                54201282821              812650380836            
                                2000                     372000                  
                                4309000                  3087000                
       ftp                      689880                   771488                  
                                467904677                812190544              
                                0                        0                      
                                802000                   1798000                
       ssh                      71666                    95757                  
                                11923882                 103359890              
                                0                        0
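A parser for the protocol-discovery output shown above, added here as an example that is not part of the original post; the four-line-per-protocol layout is assumed from that output, the sample text is constructed, and the baseline check is one way a defender might use the statistics.

```python
"""Parse 'show ip nbar protocol-discovery' output (added example, not from the
post). SAMPLE is a constructed excerpt in the shape of the output above; the
four-line-per-protocol layout (packets, bytes, 5min rate, 5min max; input
column then output column) is assumed from that output."""
import re
SAMPLE = """\
 GigabitEthernet0/1/0
                            Input                    Output
                            -----                    ------
   Protocol                 Packet Count             Packet Count
                            Byte Count               Byte Count
                            5min Bit Rate (bps)      5min Bit Rate (bps)
                            5min Max Bit Rate (bps)  5min Max Bit Rate (bps)
   ------------------------ ------------------------ ------------------------------
   secure-http              45804031                 51160464
                            14439692115              45672201126
                            2000                     1000
                            5249000                  2207000
   ssh                      71666                    95757
                            11923882                 103359890
                            0                        0
                            0                        0
"""

FIELDS = ("packets", "bytes", "bit_rate", "max_bit_rate")
IFACE_LINE = re.compile(r"^\s*(\S+)\s*$")          # a lone token is an interface name
PROTO_LINE = re.compile(r"^\s+([A-Za-z][\w.-]*)\s+(\d+)\s+(\d+)\s*$")
NUM_LINE = re.compile(r"^\s+(\d+)\s+(\d+)\s*$")

def parse_protocol_discovery(text: str) -> dict:
    """Return {interface: {protocol: {field: (input_value, output_value)}}}."""
    stats, iface, proto, idx = {}, None, None, 0
    for line in text.splitlines():
        if m := IFACE_LINE.match(line):
            iface, proto = m.group(1), None
            stats.setdefault(iface, {})
        elif (m := PROTO_LINE.match(line)) and iface:
            proto, idx = m.group(1), 0
            stats[iface][proto] = {"packets": (int(m.group(2)), int(m.group(3)))}
        elif (m := NUM_LINE.match(line)) and proto and idx < 3:
            idx += 1                               # bytes, then the two rate rows
            stats[iface][proto][FIELDS[idx]] = (int(m.group(1)), int(m.group(2)))
    return stats

def unexpected_protocols(stats: dict, iface: str, allowed: set) -> list:
    """Protocols seen on iface that are outside the allowed baseline, busiest first."""
    seen = stats.get(iface, {})
    extra = [(p, sum(v["bytes"])) for p, v in seen.items() if p not in allowed]
    return sorted(extra, key=lambda item: item[1], reverse=True)
```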

NBAR Limitations:

  • Cannot function on a Fast EtherChannel logical interface.
  • Can only handle 24 concurrent URLs, hosts, or MIME types.
  • Only analyzes the first 400 bytes of a packet.
  • Only supports CEF.

Commands to implement NBAR:

! Turn on CEF
ip cef
!
! Load the bittorrent.pdlm from flash:
ip nbar pdlm flash:bittorrent.pdlm
!
! Match any protocol listed below.
class-map match-any cmap-nbar-drop
 match protocol edonkey
 match protocol gnutella
 match protocol fasttrack
 match protocol kazaa2
 match protocol http url "*cmd.exe*"
 match protocol novadigm
 match protocol bittorrent
!
! Make a policy map.
policy-map pmap-nbar-drop
 class cmap-nbar-drop
  drop
!
! Apply it to an interface.
interface GigabitEthernet0/1/0
 description LAN Subnet
 ip address 192.168.1.1 255.255.255.0
 ! This command may not be necessary, but for ONT testing purposes use it.
 ip nbar protocol-discovery
 ! Apply the policy map to incoming traffic.
 service-policy input pmap-nbar-drop