Thursday, 25 May 2017

Setting up QoS on the Cisco 2960X / 3650-X

Cisco IOS provides QoS at both layer 2 (handled by CoS) and layer 3 (ToS / DSCP).

CoS (Class of Service) is a 3-bit field that is present in an Ethernet frame header when 802.1q trunking is in place - to illustrate:


A priority value from 0 to 7 is set in the field - the higher the priority, the more urgently the switch will work to give the frame low latency, expedited delivery (provided the switch is set up with QoS enabled!)

VoIP phones are often considered to have a priority of 5 - however this is not set in stone. Some common mappings can be found below:


ToS (Type of Service) is an 8-bit field that is part of an IP packet. There are two common QoS methods: 'IP Precedence' (the older method), which uses 3 bits of the field, and DSCP (the newer / preferred method), which uses 6 bits of the field - as is illustrated below:



It is also worth bearing in mind that DSCP is backward compatible with IP Precedence.

The same priority mapping can be applied to ToS as above.
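The bit layout described above, as an added example that is not part of the original post: a small parser that pulls the CoS value out of the 802.1Q tag and the DSCP / IP Precedence values out of the ToS byte. The function names and the sample frames are constructed for illustration.

```python
import struct

def qos_markings(frame: bytes) -> dict:
    """Return the CoS, DSCP, IP Precedence and ECN carried by an Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    offset, cos = 14, None                 # cos stays None on untagged frames
    if ethertype == 0x8100:                # 802.1Q tag present
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        cos = tci >> 13                    # top 3 bits of the 16-bit tag control field
        offset = 18
    result = {"cos": cos, "dscp": None, "precedence": None, "ecn": None}
    if ethertype == 0x0800 and len(frame) > offset + 1:
        tos = frame[offset + 1]            # second byte of the IPv4 header
        result["dscp"] = tos >> 2          # upper 6 bits (newer method)
        result["precedence"] = tos >> 5    # upper 3 bits (older method)
        result["ecn"] = tos & 0x3          # lower 2 bits, not part of the priority
    return result

def build_frame(tos: int, cos=None, vlan=123) -> bytes:
    """Constructed sample: Ethernet (+ optional 802.1Q tag) + minimal IPv4 header."""
    macs = bytes(6) + bytes(6)
    tag = b"" if cos is None else struct.pack("!HH", 0x8100, (cos << 13) | vlan)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 6, 0,
                       bytes([10, 0, 0, 1]), bytes([1, 2, 3, 4]))
    return macs + tag + struct.pack("!H", 0x0800) + ipv4

if __name__ == "__main__":
    # DSCP 40 on a tagged frame with CoS 5, then DSCP 46 on an untagged frame
    print(qos_markings(build_frame(tos=40 << 2, cos=5)))
    print(qos_markings(build_frame(tos=46 << 2)))
```

Because IP Precedence is simply the top three bits of the DSCP value, a device that only understands IP Precedence reads DSCP 40 as precedence 5, which is the backward compatibility mentioned above.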

Trust Boundary 

In QoS a trust boundary is simply the point in your network at which you trust the CoS or DSCP priorities of inbound packets / frames. For example a user might purposely mark the DSCP priority of IP packets from their computer - however the switch (by default) will ignore the marking and strip it from the packet. In order for the computer to be trusted you would need to issue something like:

! turn on QoS globally
mls qos
int fa0/1
 ! trust the CoS value arriving on this interface
 mls qos trust cos

or

! this also ensures any existing DSCP values are not overwritten by the switch's CoS to DSCP map
mls qos trust cos pass-through

It is important to note that this also applies to upstream switches - for example if I wanted to ensure priority delivery of the frame when it hits the core switch I would need to ensure that the same configuration is applied on the uplink port on the core switch.

CoS -> DSCP and DSCP -> CoS Mappings

These mappings provide a way to ensure that (for example) a frame that is marked with a CoS priority value of 5 will also have an equivalent DSCP value when it hits a layer 3 device / router.

Although these mappings can be customised - the default mappings can be found below:


As an example:

mls qos map cos-dscp 0 8 16 24 32 40 48 56

or the other way around (dscp to cos):

mls qos map dscp-cos 16 18 24 26 to 1 


QoS Example: Prioritising SSH traffic on a Cisco 2960-X switch

Unfortunately on the 2960X you are unable to classify specific TCP / UDP protocols - so instead we have to define address ranges / ports in order to categorise traffic we wish to apply QoS to.

Let's firstly turn on QoS with:

mls qos

and define our CoS to DSCP map:

mls qos map cos-dscp 0 8 16 24 32 40 48 56

Now we will set the CoS priority on our traffic - in some cases end user devices such as VoIP phones can do this for us - however for the purposes of completeness I will perform this on the switch instead.

In this example I want to ensure that all traffic from any source to a particular IP (1.2.3.4) is marked with a CoS priority of 5:

access-list 123 permit ip any 1.2.3.4 0.0.0.0

class-map match-all CM-CALLSERVER
 match access-group 123

policy-map PM-CALLSERVER
 class CM-CALLSERVER
  set ip dscp 40

and apply the policy map to the interface connected to the VoIP phone:

int fa0/10
service-policy input PM-CALLSERVER

We can verify that traffic is being matched with:

show policy-map int fa0/10

Let's now instruct the switch what to do with traffic that we have tagged:

Note: On the 2960-X there are a total of two input queues and four output queues - for more information about them please refer to this article. By default queue 2 is the priority queue on the 2960-X

mls qos srr-queue input dscp-map queue 1 threshold 3 0 8 16 32

mls qos srr-queue input dscp-map queue 2 threshold 3 40 48 56

mls qos srr-queue input cos-map queue 1 threshold 3 0 1 2 3 4

mls qos srr-queue input cos-map queue 2 threshold 3 5 6 7

mls qos srr-queue output cos-map queue 4 threshold 3 0 1

mls qos srr-queue output cos-map queue 3 threshold 3 2 3

mls qos srr-queue output cos-map queue 2 threshold 3 4

mls qos srr-queue output cos-map queue 1 threshold 3 5 6 7

mls qos srr-queue output dscp-map queue 4 threshold 3 0 8

mls qos srr-queue output dscp-map queue 3 threshold 3 16 24

mls qos srr-queue output dscp-map queue 2 threshold 3 32

mls qos srr-queue output dscp-map queue 1 threshold 3 40 48 56

Note: By default when QoS is enabled, ingress traffic will be marked with CoS 0 / DSCP 0 (or the traffic is not marked in the first place) unless you 'trust' the interface, e.g.:

int fa0/10
 ! a port holds a single trust state, so the later trust command replaces the earlier one
 mls qos trust cos
 mls qos trust dscp
 spanning-tree portfast
 priority-queue out
 switchport mode access
 switchport access vlan 123

Note: The 'priority-queue out' command ensures that all traffic in the priority queue is serviced on the interface before other queues. Warning: Although this is generally fine, in some cases using this command can result in other queues suffering from starvation.
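To see how the trust state, the CoS to DSCP map and the output queue map from this walk-through combine, here is an added example (not part of the original post and not Cisco code) that parses those config lines and models which egress queue a packet lands in. It assumes that untagged frames on a 'trust cos' port take a default port CoS of 0; the function names are hypothetical.

```python
# Constructed from the commands shown earlier on this page.
CONFIG = """\
mls qos map cos-dscp 0 8 16 24 32 40 48 56
mls qos srr-queue output dscp-map queue 4 threshold 3 0 8
mls qos srr-queue output dscp-map queue 3 threshold 3 16 24
mls qos srr-queue output dscp-map queue 2 threshold 3 32
mls qos srr-queue output dscp-map queue 1 threshold 3 40 48 56
"""

def parse_maps(config: str):
    """Extract the CoS->DSCP table and the DSCP->egress-queue table."""
    cos_dscp, dscp_queue = {}, {}
    for line in config.splitlines():
        words = line.split()
        if words[:4] == ["mls", "qos", "map", "cos-dscp"]:
            values = [int(w) for w in words[4:]]
            if len(values) != 8:
                raise ValueError("cos-dscp needs eight DSCP values")
            cos_dscp = dict(enumerate(values))      # index = CoS 0..7
        elif words[:5] == ["mls", "qos", "srr-queue", "output", "dscp-map"]:
            queue = int(words[6])                   # words[8] is the threshold
            for dscp in words[9:]:
                dscp_queue[int(dscp)] = queue
    return cos_dscp, dscp_queue

def classify(trust, cos, dscp, cos_dscp, dscp_queue, default_cos=0):
    """Return (internal DSCP, egress queue) for one ingress packet.

    trust is None (untrusted port), "cos" or "dscp"; cos is None when the
    frame arrived untagged. default_cos=0 is an assumption of this model.
    """
    if trust is None:
        internal = 0                                # host markings are ignored
    elif trust == "cos":
        internal = cos_dscp[default_cos if cos is None else cos]
    elif trust == "dscp":
        internal = dscp
    else:
        raise ValueError(f"unknown trust state {trust!r}")
    # A queue of None means the DSCP is not listed in the lines above, so the
    # switch's default map (not modelled here) decides.
    return internal, dscp_queue.get(internal)

if __name__ == "__main__":
    maps = parse_maps(CONFIG)
    for trust, cos, dscp in [(None, 5, 46), ("cos", 5, 0), ("cos", None, 40),
                             ("dscp", None, 40), ("dscp", None, 46)]:
        print(trust, cos, dscp, "->", classify(trust, cos, dscp, *maps))
```

The last two cases are the ones worth checking on a real port: a self-marked DSCP only reaches the priority queue once the port trusts DSCP, and a value outside the eight configured ones (DSCP 46 here) is not covered by the explicit map lines.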
