Looking to increase the switching capabilities within my setup to support the Gigabit needs of my ever growing environment, I ran across a spare 4507E chassis and some line cards. With the new platform came the opportunity to research and apply the latest QoS configurations available.
The Setup
I have had some Gigabit switches in the past, but had the opportunity to implement this monster switch. I was ultimately a little concerned about power, but it seems it will not be as big of a concern as I initially thought. With the current switch configuration, I am using two switches. My 3750 has PoE for phones and access points while the Linksys Small Business SW2048 handles the servers and other Gigabit connections. The new switch is a 4507R-E with a Supervisor 6E with a WS-X4648-RJ45-E and a WS-X4648-RJ45V+E. I am running a single supervisor and single power supply to help keep power requirements down. With the latest Version 15.2(2)E3 software loaded, the switch was ready to go.
QoS Configuration
I like to use my environment to demonstrate and test the various components within. When there is a new application or technology that is interesting, I like to add it. As such, I run much more than voice and video on my setup and therefore enjoy applying QoS as needed. A few applications I desire to prioritize are:
- Voice
- Interactive Video
- Counterstrike Global Offensive (CS:GO)
- Crash Plan Backups
With my prioritizations set, off to Cisco Medianet’s Quality of Service Validated Designs. This post is the outcome of the Catalyst 4500 IOS 15.2 Configuration Guide and the Medianet Campus QoS Design 4.0. Within those documents there are great references, which we will follow for the basic steps of implementing ingress, egress, and control-plane modular QoS policies.
Ingress Marking
With the Sup6E supervisor, there is no ingress queuing customization. For ingress QoS marking, we have several options: trust the DSCP, which accepts incoming markings completely, or trust only the markings from an IP phone if one is present. This tutorial walks through the Service Policy model using Modular QoS CLI (MQC) policies. The MQC configuration uses three components to mark traffic appropriately:
- class-map
- policy-map
- service-policy
Below is the ingress marking configuration that identifies and marks traffic entering the switch.
!
! Signaling lines in order: SCCP, SIP, SIP, H245, MGCP, MGCP, H323
!
ip access-list extended VVLAN-Signaling
 permit tcp 192.168.1.128 0.0.0.31 any range 2000 2002
 permit udp 192.168.1.128 0.0.0.31 any eq 5060
 permit tcp 192.168.1.128 0.0.0.31 any eq 5060
 permit tcp 192.168.1.128 0.0.0.31 any range 11000 11999
 permit udp 192.168.1.128 0.0.0.31 any eq 2427
 permit udp 192.168.1.128 0.0.0.31 any eq 2428
 permit tcp 192.168.1.128 0.0.0.31 any eq 1720
!
ip access-list extended VVLAN-Voice
 permit udp 192.168.1.128 0.0.0.31 any range 16384 32767 dscp ef
!
ip access-list extended VVLAN-Video
 permit udp 192.168.1.128 0.0.0.31 any range 16384 32767 dscp af41
!
! Data VLAN signaling; named DVLAN-Signaling so the DVLAN-Signaling class-map below resolves
ip access-list extended DVLAN-Signaling
 permit tcp 192.168.1.0 0.0.0.31 any range 2000 2002
 permit udp 192.168.1.0 0.0.0.31 any eq 5060
 permit tcp 192.168.1.0 0.0.0.31 any eq 5060
 permit tcp 192.168.1.0 0.0.0.31 any range 11000 11999
 permit udp 192.168.1.0 0.0.0.31 any eq 2427
 permit udp 192.168.1.0 0.0.0.31 any eq 2428
 permit tcp 192.168.1.0 0.0.0.31 any eq 1720
 permit tcp 192.168.1.32 0.0.0.31 any range 2000 2002
 permit udp 192.168.1.32 0.0.0.31 any eq 5060
 permit tcp 192.168.1.32 0.0.0.31 any eq 5060
 permit tcp 192.168.1.32 0.0.0.31 any range 11000 11999
 permit udp 192.168.1.32 0.0.0.31 any eq 2427
 permit udp 192.168.1.32 0.0.0.31 any eq 2428
 permit tcp 192.168.1.32 0.0.0.31 any eq 1720
!
ip access-list extended DVLAN-Voice
 permit udp 192.168.1.0 0.0.0.31 any range 16384 32767 dscp ef
 permit udp 192.168.1.32 0.0.0.31 any range 16384 32767 dscp ef
!
ip access-list extended DVLAN-Video
 permit udp 192.168.1.0 0.0.0.31 any range 16384 32767 dscp af41
 permit udp 192.168.1.32 0.0.0.31 any range 16384 32767 dscp af41
!
ip access-list extended ANY-CounterStrike-Competitive
 permit tcp any any range 27030 27039
 permit tcp any any eq 27015
 permit tcp any any range 27017 27020
 permit udp any any range 27000 27015
 permit udp any any eq 1200
!
ip access-list extended ANY-CounterStrike-1v1
 permit udp any any eq 27016
 permit tcp any any eq 27016
!
ip access-list extended ANY-Scavenger
 permit ip 192.168.2.48 0.0.0.15 any
 permit ip 192.168.0.90 0.0.0.0 any dscp cs1
!
ip access-list extended ANY-WebBased
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq smtp
 permit tcp any any eq pop3
 permit tcp any any eq ftp
 permit tcp any any eq 22
 permit tcp any any eq domain
 permit tcp any eq www any
 permit tcp any eq 443 any
 permit tcp any eq smtp any
 permit tcp any eq pop3 any
 permit tcp any eq ftp any
 permit tcp any eq 22 any
 permit tcp any eq domain any
 permit tcp any any eq 5223
!
class-map match-any VVLAN-Signaling
 match access-group name VVLAN-Signaling
!
class-map match-all VVLAN-Voice
 match access-group name VVLAN-Voice
!
class-map match-all VVLAN-Video
 match access-group name VVLAN-Video
!
class-map match-any DVLAN-Signaling
 match access-group name DVLAN-Signaling
!
class-map match-all DVLAN-Voice
 match access-group name DVLAN-Voice
!
class-map match-all DVLAN-Video
 match access-group name DVLAN-Video
!
class-map match-any ANY-CounterStrike-Competitive
 match access-group name ANY-CounterStrike-Competitive
!
class-map match-any ANY-CounterStrike-1v1
 match access-group name ANY-CounterStrike-1v1
!
class-map match-any ANY-WebBased
 match access-group name ANY-WebBased
!
class-map match-any ANY-Scavenger
 match access-group name ANY-Scavenger
!
policy-map Ingress-Policy
 class VVLAN-Voice
  set dscp ef
  police 128k bc 8000 conform-action transmit exceed-action drop
 class VVLAN-Video
  set dscp af41
  police 5m bc 8000 conform-action transmit exceed-action drop
 class VVLAN-Signaling
  set dscp cs3
  police 32k bc 8000 conform-action transmit exceed-action drop
 class DVLAN-Voice
  set dscp ef
  police 128k bc 8000 conform-action transmit exceed-action drop
 class DVLAN-Video
  set dscp af41
  police 5m bc 8000 conform-action transmit exceed-action drop
 class DVLAN-Signaling
  set dscp cs3
  police 32k bc 8000 conform-action transmit exceed-action drop
 class ANY-CounterStrike-Competitive
  set dscp af31
  police 5m bc 8000 conform-action transmit exceed-action set-dscp-transmit default
 class ANY-CounterStrike-1v1
  set dscp af21
  police 5m bc 8000 conform-action transmit exceed-action set-dscp-transmit default
 class ANY-WebBased
  set dscp af11
  police 25m bc 562500 conform-action transmit exceed-action set-dscp-transmit default
 class ANY-Scavenger
  set dscp cs1
 class class-default
  set dscp default
!
interface range GigabitEthernet 1/1-48
 service-policy input Ingress-Policy
A few things to note about this policy. Within the DVLAN-Voice, DVLAN-Video, and Scavenger access lists, I am matching packets that already carry a specific DSCP value and then “remarking” them. That original marking is set by a Windows Group Policy that assigns specific application traffic a DSCP value; I use this for Crash Plan backups and Cisco Jabber.
Egress Queuing
The Supervisor 6E provides a 1P7Q1T+DBL queuing model: each port supports eight transmit queues, one of which is a strict Priority Queue, with a single threshold per queue and support for Dynamic Buffer Limiting (DBL) for congestion avoidance.
The Medianet guide requires separate class maps for egress queuing rather than reusing the ones from the ingress configuration. Reusing the same class maps causes problems with classification of the traffic.
For egress queuing we focus on matching DSCP values, since all traffic has already been marked on ingress. Below is the standard queue mapping from the Medianet guide. My policy stays relatively close to it, tailored as appropriate to support my traffic classes.
1P7Q1T+DBL Egress Queuing Standard Mapping
With that, below is the example policy created for the environment.
class-map match-any Priority-Queue
 match dscp ef
 match dscp cs5
 match dscp cs4
class-map match-any Control-Mgmt-Queue
 match dscp cs7
 match dscp cs6
 match dscp cs3
 match dscp cs2
! The AF classes below list several DSCP values on separate lines, so they must be
! match-any; a match-all class-map with multiple match dscp lines can never match.
class-map match-any Multimedia-Video-Queue
 match dscp af41
 match dscp af42
 match dscp af43
class-map match-any Multimedia-CSGO-Competitive-Queue
 match dscp af31
 match dscp af32
 match dscp af33
class-map match-any Multimedia-CSGO-1v1-Queue
 match dscp af21
 match dscp af22
 match dscp af23
class-map match-any Bulk-WebTraffic-Queue
 match dscp af11
 match dscp af12
 match dscp af13
class-map match-all Scavenger-Queue
 match dscp cs1
!
policy-map Egress-Policy
 class Priority-Queue
  priority
 class Control-Mgmt-Queue
  bandwidth remaining percent 10
 class Multimedia-Video-Queue
  bandwidth remaining percent 10
 class Multimedia-CSGO-Competitive-Queue
  bandwidth remaining percent 10
 class Multimedia-CSGO-1v1-Queue
  bandwidth remaining percent 10
 class Bulk-WebTraffic-Queue
  bandwidth remaining percent 10
  dbl
 class Scavenger-Queue
  bandwidth remaining percent 4
  dbl
 class class-default
  dbl
!
interface range GigabitEthernet 1/1-48
 service-policy output Egress-Policy
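Hand-building the ingress and egress policies above makes it easy to leave a class-map pointing at an ACL that was never created, a policy-map class that names no class-map, or a match-all class-map with several match dscp lines that can never match a packet; each of these silently drops traffic into class-default. The following checker is an added example (not from the original post and not a Cisco tool) that parses a constructed config excerpt in the style of this post and reports exactly those mistakes.

```python
import re

# Constructed excerpt containing one instance of each mistake the linter catches.
SAMPLE = """\
ip access-list extended VVLAN-Voice
 permit udp 192.168.1.128 0.0.0.31 any range 16384 32767 dscp ef
class-map match-all VVLAN-Voice
 match access-group name VVLAN-Voice
class-map match-any DVLAN-Signaling
 match access-group name DVLAN-Signaling
class-map match-all Multimedia-Video-Queue
 match dscp af41
 match dscp af42
policy-map Ingress-Policy
 class VVLAN-Voice
 class DVLAN-Video
"""

def lint_mqc(config):
    """Return findings: dangling ACL/class-map references and match-all DSCP classes."""
    acls, cmaps, acl_refs, cls_refs = set(), {}, [], []
    block = None  # ("cmap" | "pmap", name) for the section currently being parsed
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"ip access-list extended (\S+)", line):
            acls.add(m.group(1))
        elif m := re.match(r"class-map (match-any|match-all) (\S+)", line):
            cmaps[m.group(2)] = {"match_all": m.group(1) == "match-all", "dscp": 0}
            block = ("cmap", m.group(2))
        elif m := re.match(r"policy-map (\S+)", line):
            block = ("pmap", m.group(1))
        elif block and block[0] == "cmap":
            if m := re.match(r"match access-group name (\S+)", line):
                acl_refs.append((block[1], m.group(1)))
            elif line.startswith("match dscp"):
                cmaps[block[1]]["dscp"] += 1  # one DSCP value per line, as in the post
        elif block and block[0] == "pmap":
            if m := re.match(r"class (\S+)", line):
                cls_refs.append((block[1], m.group(1)))
    findings = [f"class-map {c} references undefined ACL {a}" for c, a in acl_refs if a not in acls]
    findings += [f"policy-map {p} uses undefined class-map {c}" for p, c in cls_refs
                 if c != "class-default" and c not in cmaps]
    findings += [f"class-map {n} is match-all with {i['dscp']} 'match dscp' lines and can never match"
                 for n, i in cmaps.items() if i["match_all"] and i["dscp"] > 1]
    return findings

if __name__ == "__main__":
    for finding in lint_mqc(SAMPLE):
        print(finding)
```

Feed it the output of show running-config (ACLs, class-maps and policy-maps) and an empty list means every reference resolves.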
Control Plane Policing
Last but not least is configuring Control Plane Policing. This is intended to protect the switch's processor by limiting the traffic that reaches the CPU. While it can be configured automatically, we have configured the rest of the QoS manually and will continue to be stubborn here too :).
Not all of the options from the Medianet design guide are included in the example below. In addition, the EIGRP and multicast entries were added to the COPP-IGP access list. While configuring your policy, keep in mind that class-default is a catch-all and gives anything that was missed some level of connectivity.
The cir value in the policy map is the committed information rate in bits per second. Notice the configuration limits each class to less than 1 Mbps to minimize CPU overload. The class-default is your friend again, protecting the CPU from anything left out or that may be malicious.
ip access-list extended COPP-IGP
 remark Internal Routing
 permit eigrp any host 224.0.0.10
 permit udp any any eq pim-auto-rp
!
ip access-list extended COPP-Monitoring
 remark Ping
 permit icmp any any echo
 remark Ping-Echo-Reply
 permit icmp any any echo-reply
 remark Traceroute
 permit icmp any any ttl-exceeded
 permit icmp any any port-unreachable
!
ip access-list extended COPP-Management
 remark TACACS (return traffic)
 permit tcp host 192.168.0.66 host 192.168.0.253 established
 remark SSH
 permit tcp 192.168.0.0 0.0.7.255 host 192.168.0.253 eq 22
 remark SNMP
 permit udp host 192.168.0.76 host 192.168.0.253 eq snmp
 remark NTP
 permit udp host 192.168.0.254 host 192.168.0.253 eq ntp
!
ip access-list extended COPP-Undesirable
 remark Undesirable Traffic
 permit udp any any eq 1434
!
class-map match-all COPP-IGP
 match access-group name COPP-IGP
class-map match-all COPP-Monitoring
 match access-group name COPP-Monitoring
class-map match-all COPP-Management
 match access-group name COPP-Management
class-map match-all COPP-Undesirable
 match access-group name COPP-Undesirable
!
policy-map system-cpp-policy
 class COPP-IGP
  police cir 300000 bc 3000 be 3000 conform-action transmit exceed-action drop
 class COPP-Management
  police cir 500000 bc 5000 be 5000 conform-action transmit exceed-action drop
 class COPP-Monitoring
  police cir 900000 bc 9000 be 9000 conform-action transmit exceed-action drop
 class COPP-Undesirable
  police cir 32000 bc 3000 be 3000 conform-action transmit exceed-action drop
 class class-default
  police cir 500000 bc 5000 be 5000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input system-cpp-policy
Conclusion
While this guide is certainly not specific to most builds, hopefully sharing the thought process and sources helps you build your own modular QoS configuration. If you have multiple switch models in your environment, you will quickly learn that the exact syntax for these steps varies greatly. This is where the configuration guides for the specific models come in. Feel free to share your experiences and configurations!