Cisco CCNA 200-301 – QoS Quality of Service Part 2

3. Classification and Marking

You’ll learn about classification and marking, which is part of your QoS configuration for a router or switch to give a particular level of service to a type of traffic, obviously it has to recognize that traffic first. Common ways to recognize the traffic are by Cost, which is class of service. That’s a layer two marking DSCP, which is Differentiated Services code point. That’s a layer three marking an access control list or using NBAR, which is network based application recognition.

And we’re going to cover what those different types are in this lecture. So first one was Cost class of service. This is a layer two QoS marking. There’s a three bit field in the layer 2821 Q frame header, which is used to carry the Cost marking. So this three bit field in the one Q header is specifically used for marking. In QoS there’s three bits. So that means that we can set a value from zero through to seven, and the default value is zero, which is designated as best effort traffic. So if a value is not explicitly put on there, it will be left to zero. Cost six and seven are reserved for network use like routing protocols, network control traffic. So this means that the next highest value available is five.

With Cost, the higher the number, the more important the traffic. Typically, IP phones mark their call signaling traffic as cost three. What call signaling is used for is setting up a call and tearing a call down. The voice payload, which is the spoken voice, is marked as cost five. So we use two different values there because the spoken voice is more important than the call signaling. I showed you the requirements for voice in the last lecture, which was a maximum latency of 150 milliseconds, maximum jitter of 30 milliseconds and a maximum loss of 1%. Those requirements are for the spoken voice. If I’m here in Thailand and you’re over in New York and I’m talking to you over an IP call, my packets have got 150 milliseconds to get you. And it’s the spoken voice, the call signaling, which handles the call set up and tear down. Well, if those packets get delayed, then maybe the call takes a fraction of a second longer to set up or tear down. It’s not a big deal, we’re not going to notice it on the call. So that’s why the voice payload reacts with spoken voice, gets given a higher value than the call signaling. Next marking is DSCP Differentiated Services code Point.

So we just covered the class of service marking that is carried in the layer two header. The DSCP value is carried in the layer three in the IP header. In the IP header there’s a single byte called tos the type of service byte and the DSCP value is carried in there a single byte. So type of service has got eight bits. DSCP uses the first six bits in that byte, six bits gives us 64 possible values. Again, the default is zero. So if a value is not explicitly poo on there, it’s going to be marked as DSCP Zero which is designated for best effort. Traffic doesn’t get any special service. IP phones mark their call signaling traffic as DSCP 24 which is also known as CS Three. So with DSCP versus 64 possible values going from zero to 63 numerical. And those values have also got DSCP code name which is basically like a nickname for the numerical value. So CS three is the nickname for DSCP 24. They both mean exactly the same thing called signaling traffic, marked as 24. CS Three. The voice payload again gets a higher value. It is DSCP 46 which is also known as EF, which is expedited forwarding.

So there are standard markings for other traffic types as well. Those are the standard markings for voice signaling and voice payload which should be used by all vendors for some other traffic types for standard markings for those as well, such as 26 which is AF, 31 for mission critical data and 34 which is a 41 for standard definition video. High definition video uses CS four. Next thing to talk about is the trust boundary. The switch the end devices are plugged into should be configured to trust markings from an IP phone that’s plugged in there and pass them on unchanged. The IP phone is generating its own packets and it’s going to put its own markings on those packets. The switch should trust them so they get passed on to the router, so the router can put them into the better queue. But you don’t want to trust any markings from the PC behind the phone because maybe there’s a user there and he is tech savvy and they think oh, I’ve got an IP phone plugged in here. If I mark my own packets coming from the PC as EF, I’ll get better quality service and we’re right.

But the problem is that that bandwidth is going to take bandwidth away that was designated for voice and it’s going to cause bad quality voice calls. So you need to make sure that the switch trusts the phone, but it doesn’t trust the PC behind the phone. So the switched the phone. Any traffic coming from the PC behind there. The switch should mark that traffic down to cost zero and DSCP zero, marking it as best effort. And in the slide here you can see the packet coming from the phone. If you are confused about the cost and the DSCP value, the phone can put both a cost and a DSCP value on the same packet.

So this is a single packet here and you see that the phone is sending the traffic to somebody in another office. We’ve got the layer five to layer seven information in the packet which is going to include bespoken voice. Layer four, voice uses UDP. I’ll just go in a quick tangent for 1 second here. In the early lectures when we were talking about layer four and the OSI stack and we spoke about TCP and UDP and TCP is connection oriented and if a packet is lost, it will resend that packet, whereas UDP is best effort. It just sends and assumes that it’s going to get there. Well. Voice uses UDP rather than TCP. Maybe when we were doing those lectures before, you thought, well, why would we ever use UDP? We’re always going to use TCP for voice traffic.

Because you’ve got those quality requirements that if a packet is lost, there’s no point in resending it again, it’s too late already. So we use UDP for Voice because it’s got less overhead than TCP. The actual protocol is used is RTP, the real time protocol, which is based on UDP. So on our Voice packet, when we’re setting up our spoken voice, our Voice payload, we’ve got the RTP UDP port number at layer four. As the phone is making the packet, it will then encapsulate that with the layer three header, which has got the source and the destination IP address. And it also puts the DSCP value in that IP header. It’s Voice payload, so it marks it as EF. The phone on that same packet encapsulates it in the layer two header. The layer two header has got the source and the destination Mac addresses and it will mark the traffic at layer two as cost five. So it’s not an either or thing.

The phone will put both of those markings on the packet. Okay, moving on. Next up. So our quality requirements for Voice and Video, voice and Video endpoints that we just covered, they mark their own traffic with a DSVP value. They can do that because they’re generating the packets. If you want to give a particular quality of service to another application, however, a data application running between a workstation and a server, the endpoints will typically not be able to mark their own traffic.

That won’t be supported in the application. So in that case, you can mark it for that endpoint. An access control list can be used to recognize traffic based on its layer three and layer four information. For example, secure shell traffic going to and from a router ten 110 on TCP port number 22. If you wanted to give that SSH traffic better service, because SSH is an interactive application, when you’re using it, you get an immediate response back from the thing that you’re configuring with SSH. If you’re finding that that is slow, there’s a delay, you could give SSH better service. Real world, you probably won’t need to because it’s a very small bandwidth anyway. But it is traffic that maybe you would want to configure a QoS policy for. With that your PC is not going to be able to mark its own SSH packets. The router switch won’t do that either, but you can do it for it. So on the switch that is connected to the PCs and to the router, you can configure an ACL there which is looking for traffic going to and from the router on port 22, and you can configure a policy that will mark that with a DSCP value. So that’s one way you can mark the traffic from the endpoints. Another way you can do it is with NBAR.

So an access control list that you’ve learned about already, you know, that we can specify, we can recognize traffic based on layer three and four information in the ACL. NBAR does deeper packet inspection. NBAR stands for network based application Recognition, and it can recognize traffic based on its own layer three to layer seven characteristics. To use this, you can download signatures from Cisco and you can think of it just like your antivirus software. You know, if your antivirus software, you install that and then you regularly update it with new antivirus signatures. The antivirus signatures look for known characteristics of a particular virus. NBAR is doing the same kind of thing, it’s looking for known characteristics of a particular application up to the layer seven information in that packet. So you can download signatures from Cisco for well known applications.

You can also write your own custom applications, your own custom signatures, if you wanted to as well. Okay, so there are other methods we can use as well, but those are the main methods that are most commonly used. Out of the four, DSCP is the preferred classification and marking method, because the router can very quickly gather the information from a single bite in the IP header. If you compare this with NBAR, with NBAR, all traffic going through the router, the router has to check, is it this type of traffic I’m looking for or not? So all packets, the router is looking up to layer seven information in the packet. If it’s looking at DSCP information instead, that’s just a single bite in the IP header. So obviously the router is doing a lot less work to look for DSCP information rather than using NBAR. So it’s preferred that when traffic gets to the router, it should be DSCP, that is the marking type that is specified in your queuing policies. If you do use another method like ACL or NBAR, because the end point can’t mark its own traffic, that should be done as close to the source as possible, and then a DSCP value added there.

So you can see in our example here, we’ve got a server that’s running an important application that we want to give better service to, so we need to recognize the traffic from that application. So we configure a QLS policy, a classification and marking policy on our layer three switch that is connected to the server looking at the layer three and layer four information in the ACL, then on the switch, when we send it on upstream, the switch adds a DSCP value on that traffic. So rather than having the ACL on the router and without having to do more work, we add the ACL on the switch and this distributes the QoS effort and it makes things more efficient. Okay, so that was it for classification and marking. When you do classification and marking, this isn’t actually doing anything yet. All it’s doing is putting a DSCP value in the packet. It’s not giving it any different service yet. This is a misconfigured misunderstanding. I see sometimes that people think they can just do classification and marking and match QoS configured. It’s not. Classification and marking doesn’t do anything on its own. It puts the marking on there, but then you have to take an action based on that marking brower switches to recognize the traffic and then give it a different type of service. And usually we’re going to be doing queuing when we do that and we’ve that’s what we’re going to be covering in the next lecture and I’ll show you how to do it there.

• Category: Uncategorized