Chapter 5 • Configuring Traffic Classification
110_QoS_05 2/13/01 11:47 AM Page 181
www.syngress.com

Solutions in this chapter:

■ Configuring Policy-based Routing (PBR)
■ Defining and Configuring Committed Access Rate (CAR)
■ Marking and Transmitting Web Traffic
■ Marking and Rate Limiting ISPs
■ Configuring Cisco Express Forwarding (CEF)
■ Configuring Basic Network-based Application Recognition (NBAR)
■ Configuring Complex NBAR
■ Integrating NBAR with Class-based Weighted Fair Queuing (CBWFQ)
■ Configuring Systems Network Architecture Type of Service (SNA ToS)

Introduction

Enough with theory, I suppose. Now it is time to show you how to configure all of the things that we discussed in the last chapter. This chapter shows you how to put into practice all of the theories that were introduced in the last chapter, and how you would implement these technologies in your network.

This chapter contains many configuration examples, but is by no means a complete listing of all possible uses for the technologies presented. The configurations presented center on the Quality of Service (QoS) configuration steps required. Basic configuration of interfaces and devices is not discussed. Remember that the classification examples we show are only one part of the equation. After a packet is classified, an appropriate queuing mechanism must be configured on the devices to provide the required QoS. For details on configuring the queuing mechanisms required, please see the relevant chapters in this text.

We strongly encourage you to visit the Cisco Web site at www.cisco.com to view more configuration examples, as new uses for these mechanisms are constantly being developed. Cisco's Web site has one of the best collections of configuration examples available. What we hope that we have done here is provide you with excellent examples for the most popular uses of these technologies.
By doing so, it is our hope that you will use this book as a reference when you are configuring these mechanisms on your network.

Configuring Policy-based Routing (PBR)

Policy-based routing is one of the original methods of providing QoS marking within networks. It provides a method of marking packets not by destination, but rather by originating source, be this address or port, and applying defined policy meanings to these packets. This functionality is the key to understanding PBR. It acts and makes decisions based on the SOURCE address or port number, not the destination address or port as is most common in routing or QoS situations.

PBR works in conjunction with access control lists (ACLs) to first select the traffic to be marked. After the traffic is selected, PBR can either direct all of the traffic to certain networks or interfaces, or selectively mark the Type of Service (ToS) bits to indicate levels of service to be provided to that traffic. As PBR works by the use of ACLs, any traffic that can be differentiated by ACLs can be subjected to PBR. This includes, but is not limited to:

■ Source system address
■ Application
■ Protocol
■ Size of packet

PBR has a fairly straightforward configuration that is based on the concept of route maps. A route map is a list of permit or deny clauses against which every packet that enters an interface is matched. If a packet meets a permit clause (which is defined via ACLs), a set command is performed against the packet. The set command specifies the routing behavior or QoS tagging that will be performed on the packet. A key difference to remember is that in a normal ACL, if a packet is not matched it is dropped and not passed through the interface. In a PBR route map ACL, the packet is not dropped; rather, it will not be subjected to the PBR-defined actions and will instead be forwarded by the normal destination-based best-effort routing procedure.
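The route-map semantics just described (permit clauses tried in sequence, set commands applied on the first match, unmatched packets falling through to normal routing rather than being dropped), as an added Python model that is not part of the book. The Packet, AclEntry and RouteMapClause classes are constructed for illustration; the clauses mirror the route map "outgoing" in the MSFC example that follows.

```python
from dataclasses import dataclass
from typing import List, Optional

# Added example, not the book's code: a small model of how a PBR route map
# evaluates packets.  Packet, AclEntry and RouteMapClause are constructed.

# Names accepted by 'set ip precedence' and the precedence values they stand for.
PRECEDENCE_NAMES = {"routine": 0, "priority": 1, "immediate": 2, "flash": 3,
                    "flash-override": 4, "critical": 5, "internet": 6, "network": 7}

def precedence_value(name_or_number: str) -> int:
    """Accept either a precedence name ('priority') or a digit ('5')."""
    if name_or_number in PRECEDENCE_NAMES:
        return PRECEDENCE_NAMES[name_or_number]
    value = int(name_or_number)
    if not 0 <= value <= 7:
        raise ValueError("IP precedence must be 0-7")
    return value

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp" or "udp"
    dport: int
    precedence: int = 0
    next_hop: Optional[str] = None   # None: left to normal destination-based routing

@dataclass
class AclEntry:
    """One 'permit <proto> any any eq <port>' line of an extended access list."""
    proto: str
    dport: int

@dataclass
class RouteMapClause:
    """'route-map <tag> permit <seq>' with one 'match ip address' ACL and its set commands."""
    seq: int
    acl: List[AclEntry]
    set_next_hop: Optional[str] = None
    set_precedence: Optional[str] = None

def acl_permits(acl: List[AclEntry], pkt: Packet) -> bool:
    return any(e.proto == pkt.proto and e.dport == pkt.dport for e in acl)

def apply_route_map(clauses: List[RouteMapClause], pkt: Packet) -> str:
    """Try clauses in sequence order; the first permit clause whose ACL matches
    has its set commands applied.  A packet matching no clause is NOT dropped
    (unlike a plain ACL): it is handed unchanged to normal destination-based routing."""
    for clause in sorted(clauses, key=lambda c: c.seq):
        if acl_permits(clause.acl, pkt):
            if clause.set_next_hop is not None:
                pkt.next_hop = clause.set_next_hop
            if clause.set_precedence is not None:
                pkt.precedence = precedence_value(clause.set_precedence)
            return f"policy-routed by clause {clause.seq}"
    return "normal routing"

# The route map 'outgoing' from the MSFC example: ACL 101 = proxied HTTP on
# tcp/8080 sent to the firewall, ACL 102 = RDP on tcp/1330 marked 'priority'.
ACL_101 = [AclEntry("tcp", 8080)]
ACL_102 = [AclEntry("tcp", 1330)]
OUTGOING = [RouteMapClause(10, ACL_101, set_next_hop="10.20.218.17"),
            RouteMapClause(20, ACL_102, set_precedence="priority")]

if __name__ == "__main__":
    for pkt in (Packet("10.20.10.5", "203.0.113.9", "tcp", 8080),   # constructed samples
                Packet("10.20.10.5", "10.30.0.4", "tcp", 1330),
                Packet("10.20.10.5", "10.30.0.4", "udp", 53)):
        print(apply_route_map(OUTGOING, pkt), pkt)
```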
An important caveat with PBR is to ensure that you are using at least IOS 12.0. Prior to 12.0, all PBR was process switched, which limited the packet response rate to levels that may cause some applications to quit responding. As of 12.0 and later, PBR is fast switched, with a correspondingly significant increase in packet rates.

Beginning in global config mode, first define a route map and enter the route map configuration mode using the following command:

    route-map map-tag [permit | deny]

Then, match a defined access list for an IP address or protocol on which the route map is to act:

    match ip address access-list-number

Next, set the action to be performed on the packet:

    set ip precedence {number | name}

or

    set ip next-hop ip-address

The first of these commands sets the precedence bits to a predetermined level; the second routes the packet to a defined next-hop address. Then specify the interface on which the PBR is to be applied:

    interface interface-type interface-number

Finally, apply the route map to the interface:

    ip policy route-map map-tag

Using PBR to Route Specific Packet Types

PBR can be used to specifically direct certain traffic types to required destinations. This example network (Figure 5.1) is composed of a core 6509 with an MSFC doing core layer-three switching. There are two WAN connections. One is via the firewall out to the Internet. The second is to a corporate network. The requirement is that all HTTP traffic, which is proxied as port 8080, is to be directed to the firewall. In addition, all RDP traffic (port 1330) is to be assigned a higher priority level for premium service levels.

The following shows the MSFC configuration to send all HTTP traffic on port 8080 to the firewall, which has an internal IP address of 10.20.218.17.
All RDP traffic on port 1330 is being increased in precedence to a level of 5 to allow for priority service.

Figure 5.1 PBR Network Configuration (Internet, Firewall, Corporate WAN, Router 1, Users)

    version 12.15
    no service pad
    service timestamps debug datetime
    service timestamps log datetime
    no service password-encryption
    !
    hostname router1
    !
    interface Vlan1
     ip address 10.20.10.1 255.255.255.0
     ip policy route-map outgoing
     ip route-cache policy
    !
    route-map outgoing permit 10
     match ip address 101
     set ip next-hop 10.20.218.17
    !
    route-map outgoing permit 20
     match ip address 102
     set ip precedence priority
    !
    access-list 101 permit tcp any any eq 8080
    access-list 102 permit tcp any any eq 1330

In this example, the ip route-cache policy statement (an interface-level command) enables PBR fast-cache processing. Any traffic that matches access list 101, which specifies traffic on port 8080 (this network is using translation to hide the inside addresses and ports), will be directed to IP address 10.20.218.17 by the outgoing route map statement. Any RDP traffic on port 1330 will have its precedence bits set to priority to ensure proper QoS processing within the network.

Defining Committed Access Rate (CAR)

CAR is the most widely used method in a Cisco environment to mark packets at the network edge ingress and egress points. CAR can perform, in general terms, one of two functions: rate limiting, and packet classification through IP precedence and QoS group setting.

With CAR's rate limiting mechanism, you can control the base rate of traffic received or transmitted on an interface. Typically, classification and marking occur on the ingress, and rate limiting occurs on the egress. CAR defines traffic for rate limitation in one of three ways.
■ Average rate Average rate determines the long-term average transmission rate. Any traffic that falls under this parameter is transmitted.
■ Normal burst This determines how large a burst can be before some of the traffic exceeds the rate limit.
■ Excess burst size This determines how large bursts can be before all traffic exceeds the rate limit.

Concerning bursts, it is important to note that CAR does no traffic shaping or smoothing. It has no burst buffer capabilities. Because of this, CAR does add to interpacket delay; however, this also means that CAR's greatest benefits occur on high-speed links of DS3 speed or greater. Low-speed links that must contend with a significant amount of buffering to deal with bursty traffic will not see the benefits of CAR that higher-speed links would.

CAR's rate limiting feature works on the principle of a token bucket. The bucket depth is indicative of the burst size that is configured for the link. Traffic rate capabilities can be configured in 8 Kbps increments up to the physical capacity of the link. If a packet arrives and there exist enough tokens within the bucket, the packet is allowed to pass. If, however, there is a shortage of tokens, the packet is allowed to borrow tokens up to the excess burst size. This excess packet depth is a loan against future traffic and must be rebuilt from periods of low traffic. The idea is to allow for a gradual reduction in packet traffic using a WRED-type procedure rather than the tail drop in packets that may otherwise occur. If the cumulative burst size exceeds the excess burst size, packets will be dropped.

When traffic has been classified as belonging to a specific rate, one of several actions will occur, depending on how the network administrator has configured the response.

■ Transmit the packet.
■ Drop the packet.
■ Set precedence and transmit. The packet may have a lower precedence set and be transmitted with a lower QoS.
■ Continue.
If there are further CAR statements, the packet will continue to be processed. At the end of the chain, it will be transmitted.

If the router is a VIP-based platform (7000 series or better), there are two other options available.

■ Set QoS group and transmit. The packet is assigned to a specific QoS group and transmitted.
■ Set QoS group and continue. The packet is assigned a QoS group and further processing is continued. If no further rate policies exist, the packet is transmitted.

It is important to note that, for rate limiting procedures, only packets that are in burst mode are subjected to changes in the precedence or QoS group. Packets that are within the average rate are not modified and are transmitted as specified by their QoS parameters.

Concerning QoS, the marking capabilities of CAR are of prime importance. CAR has the ability to mark packets by setting the IP Precedence bits. While there do exist eight possible levels of IP Precedence (0–7), it is strongly recommended that the network administrator only use the first six levels. The two highest levels are reserved for critical network control and routing protocols that must pass from device to device to ensure proper internetwork functioning.

CAR can mark traffic based on physical port, source or destination IP address, MAC address, IP protocol type, or any other differentiation that can be specified by normal or extended IP access lists. The key is that CAR will only function on IP-based traffic. Non-IP traffic is switched normally and is unaffected by CAR rate limiting or marking features.

As of IOS 12.04, CAR is available on all Cisco router platforms from the 1720 series and up. However, CAR does require that Cisco Express Forwarding (CEF) is enabled, and not all line cards support CEF.
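The token-bucket behaviour described above (average rate, normal burst, borrowing against the excess burst, then the conform or exceed action), as an added Python model that is neither the book's nor Cisco's code. It treats borrowing from the extended burst as a deterministic debt limit, which is an assumption (IOS decides that probabilistically), and uses the page's 16000000 4000 4000 web-traffic policy as constructed sample input.

```python
from dataclasses import dataclass

# Added example (not from the book): a deterministic model of the CAR token
# bucket described above.  Real IOS decides borrowing from the extended burst
# probabilistically (RED-like); treating it as a plain debt limit is an assumption.

@dataclass
class CarPolicy:
    """One 'rate-limit <bps> <burst-normal> <burst-max> conform-action X exceed-action Y'."""
    bps: int             # average rate in bits per second
    burst_normal: int    # bucket depth (normal burst) in bytes
    burst_max: int       # normal + extended burst in bytes
    conform_action: str  # e.g. "set-prec-transmit 5", "transmit", "drop"
    exceed_action: str

def apply_action(action: str, prec: int):
    """Map a CAR action to (disposition, resulting precedence)."""
    if action == "drop":
        return "drop", None
    if action.startswith("set-prec-transmit "):
        return "transmit", int(action.split()[1])
    return "transmit", prec          # plain 'transmit' leaves precedence alone

class CarBucket:
    def __init__(self, policy: CarPolicy):
        self.p = policy
        self.tokens = float(policy.burst_normal)   # bucket starts full
        self.debt = 0.0        # bytes borrowed from the extended burst, repaid later
        self.last = 0.0        # timestamp of the previous packet (seconds)

    def _refill(self, now: float) -> None:
        earned = (now - self.last) * self.p.bps / 8.0   # bytes earned at the average rate
        self.last = now
        repay = min(earned, self.debt)                   # the loan is repaid first
        self.debt -= repay
        self.tokens = min(float(self.p.burst_normal), self.tokens + earned - repay)

    def police(self, now: float, size: int, prec: int = 0):
        """Return (verdict, disposition, precedence) for one packet."""
        self._refill(now)
        if size <= self.tokens:                          # within the normal burst
            self.tokens -= size
            return ("conform",) + apply_action(self.p.conform_action, prec)
        shortfall = size - self.tokens
        extended = self.p.burst_max - self.p.burst_normal
        if self.debt + shortfall <= extended:            # borrow against future traffic
            self.tokens = 0.0
            self.debt += shortfall
            return ("conform",) + apply_action(self.p.conform_action, prec)
        return ("exceed",) + apply_action(self.p.exceed_action, prec)

def run_trace(policy: CarPolicy, packets):
    """packets: iterable of (time_s, size_bytes, precedence); returns the verdicts."""
    bucket = CarBucket(policy)
    return [bucket.police(t, s, p) for t, s, p in packets]

# Constructed sample: the page's web-traffic policy (16 Mbps, 4000/4000 bytes,
# no extended burst) hit by three back-to-back 1500-byte packets, then one
# packet 1 ms later after 2000 bytes of tokens have accrued.
WEB_POLICY = CarPolicy(16_000_000, 4000, 4000, "set-prec-transmit 5", "set-prec-transmit 0")
SAMPLE = [(0.0, 1500, 0), (0.0, 1500, 0), (0.0, 1500, 0), (0.001, 1500, 0)]

if __name__ == "__main__":
    for (t, size, _), verdict in zip(SAMPLE, run_trace(WEB_POLICY, SAMPLE)):
        print(f"t={t * 1000:.1f}ms {size}B -> {verdict}")
```

With burst-max equal to burst-normal there is nothing to borrow, so the third packet immediately gets the exceed action; raising burst-max lets a short burst borrow first and be remarked only once the loan is exhausted.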
It is recommended that you check the exact model number of all interface cards to ensure that CEF, and correspondingly CAR, can be deployed.

CAR does have a number of significant limitations in design and implementation of network services.

■ CAR will only affect IP traffic. Non-IP traffic is not rate limited or marked. This may cause issues on a legacy network; however, as most networks are being migrated to pure IP, this will become less of a concern.
■ CAR is not supported on EtherChannel, Tunnel, or ISDN PRI interfaces.
■ On ATM interfaces, CAR only supports the aal5snap, aal5mux, or aal5nlpid encapsulations.
■ There is no support for BECN or FECN in Frame Relay (backward and forward explicit congestion notification).

Configuring Distributed CAR (DCAR)

DCAR is found on the Cisco 7500 or 12000 series router platforms. In these routers, each card has the ability to handle processing by maintaining an individual copy of the routing database and thereby offloading processor load from the central processor. The VIPs serve as unique processors for all packets. In this manner, with DCEF enabled, DCAR is enabled and functions autonomously on each VIP, rather than being a processor-based operation. This architecture provides significant improvements in base efficiencies compared to the standard processor-bound CAR functionality.

To configure CAR, follow these steps in order. First, enter the interface configuration mode:

    interface interface-type interface-number

Next, specify the rate policy for each class of traffic and the action to be taken if the rate is exceeded:
    rate-limit {input | output} [access-group [rate-limit] acl-index] bps burst-normal burst-max conform-action action exceed-action action

Valid actions include continue, drop, set-prec-continue (set the precedence bits and continue), set-prec-transmit (set the precedence bits and transmit), and transmit. Then we can use the optional command to specify a rate-limit access list:

    access-list rate-limit acl-index {precedence | mac-address | mask prec-mask}

Finally, we should use another optional command that specifies a standard or extended access list to be used:

    access-list acl-index {deny | permit}

Marking and Transmitting Web Traffic

In this initial example, Web traffic is allowed access to a network via a token ring interface on a 7513 router. This Web traffic is to be assigned a precedence of 5 up to a bandwidth of 4MB. Anything over 4MB is to be assigned to a best-effort delivery class.

Enter configuration mode for the incoming token ring interface:

    interface TokenRing2/0

Next, use the following command to define that all traffic that meets access list 101 will have a precedence setting of 5 if it has 4MB or under in bandwidth. Anything over 4MB will be delivered, but with only best-effort QoS:

    rate-limit input access-group 101 16000000 4000 4000 conform-action set-prec-transmit 5 exceed-action set-prec-transmit 0

Now, enable the access list that will define that we will be matching on Web traffic only:

    access-list 101 permit tcp any any eq www

The following illustrates the exact router interface configuration for this configuration.

    router#show run
    !
    interface TokenRing2/0
     description web in
     ip address 207.48.198.1 255.255.255.0
     rate-limit input access-group 101 16000000 4000 4000 conform-action set-prec-transmit 5 exceed-action set-prec-transmit 0
     no ip directed-broadcast
     ring-speed 16
     hold-queue 500 in
    !
    access-list 101 permit tcp any any eq www

Remarking the Precedence Bit and Transmitting Web Traffic

CAR provides the ability to sort on the precedence bits of packets and reassign them to better fit the current network model. In this example, we will be using the same token ring interface as we did previously, but will remark all packets at precedence levels 0, 1, and 2 as precedence level 4.

First, enter configuration mode and then the incoming token ring interface:

    interface TokenRing2/0

Next, set the rate-limit command so that any packets that match our rate-limit access list have their precedence level reset to 4:

    ! The rate, burst and exceed-action arguments are required by IOS but are not
    ! in the original text; they are assumed here, reusing the previous example's
    ! 16000000 4000 4000 and remarking exceeding packets to 4 as well.
    rate-limit input access-group rate-limit 25 16000000 4000 4000 conform-action set-prec-transmit 4 exceed-action set-prec-transmit 4

The following access list uses a binary mask to match the precedence levels 0, 1, and 2 only (each bit of the hexadecimal mask selects one precedence value, so 07 selects precedences 0, 1, and 2):

    access-list rate-limit 25 mask 07

The following illustrates the interface configuration for this required configuration.

    router#show run
    !
    interface TokenRing2/0
     description web in
     ip address 207.48.198.1 255.255.255.0
     ! rate, burst and exceed-action values assumed as noted above
     rate-limit input access-group rate-limit 25 16000000 4000 4000 conform-action set-prec-transmit 4 exceed-action set-prec-transmit 4
     no ip directed-broadcast
     ring-speed 16
     hold-queue 500 in
    !
    access-list rate-limit 25 mask 07

The access-list command that is used here is different from that of the standard access list. CAR defines the special-format access-list rate-limit list. This list has the format access-list rate-limit acl-index {precedence | mac-address | mask prec-mask}. While normal access lists and extended access lists allow us to permit by port numbers, services, and source and destination addresses, this format allows filtering on specific properties of the ToS byte.
Specifically, this will filter by existing precedence value; if the mask is used, it will filter on a range of precedence values that are converted to binary; or it will filter on individual MAC addresses. This addition provides for further fine-tuning and granularity in CAR.

Marking and Transmitting Multilevels of CAR

CAR allows for up to 100 levels of precedence marking and action per interface or subinterface. As such, extremely fine differentiation can be achieved with minimal delay and processor utilization. In this configuration, we are using a three-

[...]

    access-list 102 permit tcp any any eq www

The following is the actual Router1 configuration for the interface and access list.

    !
    interface ATM1/IMA0
     ip address 192.168.160.2 255.255.255.0
     ip directed-broadcast
     no ip route-cache
     no ip mroute-cache
     no atm oversubscribe
     no atm ilmi-keepalive
     pvc 1/42
      protocol ip 192.168.160.1 broadcast
      encapsulation aal5snap
     rate-limit output access-group 101 8000000 8000 10000 conform-action set-prec-transmit 5 exceed-action set-prec-transmit 0
     rate-limit output access-group 102 4000000 5000 5000 conform-action set-prec-transmit 5 exceed-action set-prec-transmit 0
     rate-limit output [...]

[...] standard best-effort delivery service.

    !
    interface Fddi11/0
     description FDDI Backbone
     ip address 207.48.199.3 255.255.255.0
     no ip directed-broadcast
     no ip route-cache
     no ip mroute-cache
     no keepalive
     hold-queue 3000 in
     hold-queue 3000 out
     rate-limit input access-group rate-limit 100 conform-action drop
    !
    access-list rate-limit 100 0090.27d1.2917

Monitoring CAR

To monitor CAR, the primary command within the Cisco [...]

[...] traffic over 30MB

    rate-limit output 25000000 30000 30000 conform-action transmit exceed-action drop

The interface configuration on the router is shown here:

    !
    interface ATM2/0
     ip address 192.168.160.2 255.255.255.0
     no ip mroute-cache
     no atm ilmi-keepalive
     pvc 1/42
      protocol ip 192.168.160.1 broadcast
      encapsulation aal5snap
     rate-limit input 25000000 30000 30000 conform-action transmit exceed-action drop

[...]

    7206(config-pmap-c)#bandwidth 20
    7206(config-pmap-c)#class Video
    7206(config-pmap-c)#bandwidth 30
    7206(config-pmap-c)#class Xwindows
    7206(config-pmap-c)#bandwidth 20
    7206(config-pmap-c)#class SQL
    7206(config-pmap-c)#bandwidth 20
    7206(config-pmap-c)#class internet
    7206(config-pmap-c)#police 2000000 conform transmit exceed drop

The last step is [...]

[...]

    hostname 7206
    !
    ip cef
    !
    class-map match-any Priority
     match protocol FTP
     match protocol Telnet
    !
    class-map match-all citrix
     match protocol citrix
    !
    policy-map Quality
     class Citrix
      bandwidth 6000
      queue-limit 100
     class priority
      bandwidth 3000
    !
    interface TokenRing2/1
     ip address 10.20.198.1 255.255.255.0
     service [...]

[...] 100

    class-map match-any Priority
     match protocol FTP
     match protocol Telnet
    !
    class-map match-all citrix
     match protocol citrix
    !
    policy-map Quality
     class Citrix
      bandwidth 6000
     class priority
      bandwidth 3000
    !
    interface TokenRing2/1
     ip address 10.20.198.1 255.255.255.0
     service input quality
     custom-queue-list [...]

[...] Actual QoS is then left to negotiated parameters within the Frame Relay switch and service provider. The following is a simple PBR configuration to send all DLSw+ traffic out a subinterface.

    interface Serial2/0
     encapsulation frame-relay
     frame-relay lmi-type ansi
    interface Serial1/0.1 point-to-point
     ip address 20.23.32.1 255.255.255.0
     frame-relay interface-dlci 10
    access-list 101 permit tcp any any eq 2065
    access-list [...]

[...]

    ATM2/0
    7206(config-if)#pvc 1/42 ip
    7206(config-if-atm-vc)#service-policy output wan

The final router configuration is summarized in the following output.

    Current configuration:
    !
    version 12.15
    service timestamps debug uptime
    service timestamps log uptime
    !
    hostname 7206
    !
    ip cef
    !
    class-map match-all Citrix
     match protocol Citrix
    !
    class-map match-all Video
     match protocol Cu-SeeMe
    !
    class-map match-all Xwindows [...]

[...]

    7206(config-pmap)#exit
    7206(config)#random-detect exponential-weighting-constant 10
    7206(config-pmap)#class class-default
    7206(config-pmap-c)#fair-queue 20
    7206(config)#queue-limit 100

The following output is similar to the previous example, except that NBAR is configured with WRED instead of CBWFQ.

    Current configuration:
    !
    hostname 7206
    !
    ip cef
    !
    random-detect exponential-weighting-constant 10
    queue-limit 100