Classification and Marking


Classification involves differentiating services at the edge of your network. When you classify applications, the router marks individual packets according to the type of application they belong to. When configuring marking, you should consider an application's overall priority as compared to other applications in your network. An application's overall priority typically depends on its business criticality or on how sensitive it is to latency and jitter. You can assign each application in your network a different priority value, or, depending on the number of applications running in your network, you can group applications into classes of traffic. Once the router marks a packet, you can configure downstream routers to apply congestion management and congestion avoidance techniques to it. Because those downstream routers act on the marking without re-inspecting the traffic, you should mark (or re-mark) packets where they enter your network rather than trusting values set by end hosts; otherwise any host can place its own traffic in the highest-priority class.

You can use the following technologies to classify and mark your applications in your network:

  • Class-Based Packet Marking: An enhanced classification and marking mechanism. You can use it to set a packet's IP Precedence, Differentiated Services Code Point (DSCP), Layer 2 Class of Service (CoS), or QoS group value in order to differentiate your applications.

  • Network-Based Application Recognition (NBAR): You can use NBAR to classify traffic at the application layer. NBAR inspects packet payloads and tracks connection state, which lets it recognize applications that use dynamic ports rather than relying on port numbers alone.

  • Policy-Based Routing (PBR): PBR is traditionally a feature for extending normal routing. You can use PBR in your network to specify custom routing paths for traffic flows, using criteria such as IP address, TCP/UDP ports, MAC addresses, and packet size. However, you can also use PBR to set a packet's IP Precedence value.

  • Class-Based Policing and Committed Access Rate (CAR): Both class-based policing and CAR are policing features that you can use to rate-limit traffic entering your network. You can also use them to mark packets differently depending on whether the traffic conforms to or exceeds the configured rate, for example marking excess traffic with a lower priority instead of dropping it. Routers within your network then apply congestion management and avoidance QoS features to the marked packets. You will learn about policing later in this chapter.

  • QoS Policy Propagation via BGP (QPPB): With this feature, you classify traffic based on BGP attributes, including BGP communities, AS paths, and access lists, in your routing domains. For example, a BGP router may advertise three routes tagged with three different communities. When its peers receive the three routes, they translate the community values into three IP Precedence values through a table map. When packets destined to those routes arrive, the peers assign the respective IP Precedence before forwarding the packet, so the marking policy follows the routing information instead of being configured on every interface.

  • QoS for Virtual Private Networks (VPN): QoS for VPNs (the qos pre-classify feature) classifies packets before they are encapsulated into VPN tunnels, so that the tunnel router can apply QoS policies based on the original headers, which the encapsulation would otherwise hide.

Marking Packets at Layer 3

The three values that you can use to mark packets at Layer 3 are

  • IP Precedence

  • IP DSCP

  • QoS group value

Marking a Packet's IP Precedence Value

As you learned in Chapter 2, IP Precedence uses the three high-order bits of the 8-bit type of service (ToS) field in the IP packet header, as defined in the Internet Protocol RFC (RFC 791). RFC 791 gives the eight possible values names, but you can use these values to differentiate whatever classes of traffic you have in your network. IP Precedence values 6 and 7 are reserved for network control information, such as routing updates and link keepalives, leaving six values, 0 through 5, for use in your network. Table 6-1 lists the IP Precedence values with their names, written in the keyword form that Cisco IOS accepts in set ip precedence commands (RFC 791 itself calls value 5 "CRITIC/ECP", 6 "Internetwork Control", and 7 "Network Control").

Table 6-1. IP Precedence Values

  IP Precedence Value   Name
  0                     routine
  1                     priority
  2                     immediate
  3                     flash
  4                     flash-override
  5                     critical
  6                     internet
  7                     network


For example, you should use IP Precedence 0 for applications that do not require QoS guarantees, and IP Precedence 5 for the most critical applications in your network. You can mark packets with IP Precedence using any of the following marking tools in Cisco IOS:

  • Policy-Based Routing

  • QoS Policy Propagation via Border Gateway Protocol

  • Committed Access Rate and Class-Based Policing

  • Network-Based Application Recognition

  • Class-Based Packet Marking

Example 6-1 gives a Layer 3 marking configuration to mark packets entering a network from a high-priority source subnet 10.1.1.0/24 with IP Precedence 5, using policy-based routing (PBR). Packets from the less critical subnet 10.1.2.0/24 are marked with IP Precedence 0. Note that standard IOS access lists take a wildcard mask, not a subnet mask, so a /24 is written 0.0.0.255.

Example 6-1. Configuring Layer 3 Packet Marking Using Policy-Based Routing

 ip cef
 !
 ! Standard ACLs identify the two source subnets (wildcard masks).
 access-list 1 permit 10.1.1.0 0.0.0.255
 access-list 2 permit 10.1.2.0 0.0.0.255
 !
 ! PBR acts on packets as they enter this interface.
 interface fastethernet 0/1
  ip policy route-map markprec
 !
 route-map markprec permit 10
  match ip address 1
  set ip precedence 5
 route-map markprec permit 20
  match ip address 2
  set ip precedence 0

Note

By default, routers switch packets treated with PBR by using CEF switching when you enable CEF on your router. However, you also can switch PBR with the process or fast switching path.


Marking a Packet's IP Differentiated Services Code Point Field

In Cisco IOS you mark the IP DSCP with class-based packet marking. As you learned in Chapter 2, the DSCP occupies six bits of the former ToS byte, giving 64 possible code points. Table 6-2 lists the standardized values, which Cisco IOS accepts by name in the set ip dscp command.

Table 6-2. IP DSCP Values

  DSCP Value   Service Name            IETF Description / Cisco IOS "set" Command Code
  0            Best effort             Best effort (default)
  8            Class 1                 Class 1 (CS1)
  10           Class 1, gold           AF11
  12           Class 1, silver         AF12
  14           Class 1, bronze         AF13
  16           Class 2                 Class 2 (CS2)
  18           Class 2, gold           AF21
  20           Class 2, silver         AF22
  22           Class 2, bronze         AF23
  24           Class 3                 Class 3 (CS3)
  26           Class 3, gold           AF31
  28           Class 3, silver         AF32
  30           Class 3, bronze         AF33
  32           Class 4                 Class 4 (CS4)
  34           Class 4, gold           AF41
  36           Class 4, silver         AF42
  38           Class 4, bronze         AF43
  40           Express forwarding      Class 5 (CS5)
  46           Expedited forwarding    Expedited forwarding (EF)
  48           Control                 Control (CS6)
  56           Control                 Control (CS7)

The "gold", "silver", and "bronze" rows of each Assured Forwarding (AF) class differ only in drop precedence: within one class, bronze (AFx3) traffic is dropped first under congestion, gold (AFx1) last. Note that CS5 (40), called "express forwarding" here, is simply class selector 5; the IETF low-latency behaviour is Expedited Forwarding (EF, 46).


Table 6-3 maps the IP Precedence values to the supported IP DSCP values. Because the DSCP occupies the six high-order bits of the former ToS byte and IP Precedence the three highest of those, the precedence of any DSCP is simply its top three bits (the DSCP value divided by 8, discarding the remainder). A router that understands only IP Precedence therefore treats CS3 (24) and AF31 (26) alike as precedence 3.

Table 6-3. IP DSCP-to-Precedence Mappings

  IP Precedence   DSCP Values (named code points)   Purpose
  0               0                                 Best effort
  1               8, 10, 12, 14                     Class 1
  2               16, 18, 20, 22                    Class 2
  3               24, 26, 28, 30                    Class 3
  4               32, 34, 36, 38                    Class 4
  5               40, 46                            Express / expedited forwarding
  6               48                                Control
  7               56                                Control


Example 6-2 gives a Layer 3 marking configuration to mark packets entering a network from the high-priority source subnet 10.1.1.0/24 with IP DSCP 40 (CS5) and from the less critical source subnet 10.1.2.0/24 with IP DSCP 0 (default). You can perform this example using class-based packet marking, configurable within the Cisco Modular QoS CLI (MQC).

Note

The MQC enables you to create traffic policies and attach these policies to router interfaces. You configure traffic policies with the policy-map command. The policy contains traffic classes that you configure with class-map commands, and one or more QoS features applied to each class. An example QoS feature would be to mark a packet's DSCP value with the set ip dscp command. You use traffic classes to classify traffic, while the QoS features in the traffic policy determine how to treat (here, how to mark) the classified traffic.


Example 6-2. Configuring Layer 3 Packet Marking Using Class-Based Packet Marking

 ip cef
 !
 ! Standard ACLs identify the two source subnets (wildcard masks).
 access-list 1 permit 10.1.1.0 0.0.0.255
 access-list 2 permit 10.1.2.0 0.0.0.255
 !
 class-map match-all subnet1
  match access-group 1
 class-map match-all subnet2
  match access-group 2
 !
 policy-map prioritize_subnets
  class subnet1
   set ip dscp cs5
  class subnet2
   set ip dscp default
 !
 ! Attach the policy to the ingress interface so it marks packets as they enter.
 interface fastethernet 0/1
  service-policy input prioritize_subnets

In Example 6-2, two access lists identify the two subnets, and two class maps, named "subnet1" and "subnet2", classify packets by matching those access lists. The policy named "prioritize_subnets", entered with the policy-map command in the MQC, marks each class with its DSCP value using the set ip dscp command, and the service-policy input command attaches the policy to the interface so that it acts on packets as they enter.

Note

Class-based packet marking requires that you first enable CEF on your routers.


IP QoS Group Value

Marking a packet with a QoS group value affects the packet only within the router that assigns it: the value is an internal tag carried with the packet as it passes through the router, and the packet header ToS field is not modified. You can use up to 100 QoS group values (0 through 99) for your applications. You should use the QoS group value if changing the IP Precedence or DSCP of the packet is not desirable in your network, for example because a downstream provider would interpret those values differently. You can assign QoS groups based on prefix, BGP autonomous system, or BGP community string (through QoS Policy Propagation via BGP). To set the QoS group value in a policy, use the set qos-group policy-map class command; to act on it elsewhere in the same router, match it with the match qos-group class-map command.

Marking Frames, Cells, and Trunks at Layer 2

For marking at Layer 2, you can use one of the following:

  • Asynchronous Transfer Mode (ATM) Cell Loss Priority (CLP) bit marking: An ATM cell header contains a 1-bit CLP field. When set to 1, it indicates that the cell may be dropped first within the ATM cloud during periods of congestion. If your routers interface into ATM networks, you can set the CLP bit for low-priority traffic or for applications that can tolerate a small amount of lost content in the ATM cloud.

  • Frame Relay Discard Eligible (DE) bit marking: Similar to ATM CLP marking, the Frame Relay DE header bit, when set to 1, indicates that the frame may be discarded first within the Frame Relay cloud during periods of congestion. If your routers interface into Frame Relay networks, you can set the DE bit for low-priority application traffic or for applications that can tolerate lost frames in the Frame Relay cloud.

  • Ethernet Class of Service (CoS) bit marking: The CoS value is the 3-bit user priority field (defined by IEEE 802.1p) carried in the tag control information of an 802.1Q-tagged frame; an untagged frame has nowhere to carry it. You learned about the 802.1Q frame header in Chapter 3, "Introducing Switching, Routing, and Address Translation." You can set the CoS value on routers or switches and configure your Layer 2 switches to apply QoS policies to the frames. For example, in order to prioritize voice and video traffic over other application traffic, you should separate the voice and video into a different VLAN and configure VLAN tagging throughout your network, because the tags carry the priority values used by Layer 2 QoS features. Alternatively, you can configure your switch to inspect the IP packet headers for IP Precedence/DSCP values. In either case, decide which ports you trust: a CoS or DSCP value set by an end host on an access port should be overwritten at the switch edge, because otherwise any host can place its own traffic in the priority queue.
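
The edge trust boundary described above, as an added example that is not code from the book and is not the algorithm of any particular switch: it parses the 802.1Q tag (PCP, DEI, VID) and the IPv4 ToS byte out of a frame, and on an untrusted port overwrites both the CoS and the DSCP according to VLAN membership, recomputing the IPv4 header checksum that the ToS change invalidates. The voice VLAN number, the trusted-port set, and the CoS/DSCP policy are assumptions chosen for the example; the sample frames are constructed.

```python
"""Layer 2 CoS in the 802.1Q tag, parsed and re-marked at an untrusted edge.

Added example, not code from the book.  Frame layout follows IEEE 802.1Q
(TPID 0x8100, then TCI = PCP:3 | DEI:1 | VID:12) and RFC 791 for IPv4.  The
voice VLAN number, the trusted-port set and the CoS/DSCP policy are
assumptions chosen for the example.
"""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
VOICE_VLAN = 100                  # assumed: VLAN carrying IP phones
TRUSTED_PORTS = {"Gi1/0/24"}      # assumed: uplink whose markings we keep


def parse_frame(frame: bytes) -> dict:
    """Extract CoS (PCP), DEI, VID and the IPv4 DSCP/ECN from an Ethernet frame."""
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"pcp": None, "dei": None, "vid": None, "dscp": None, "ecn": None,
            "ip_offset": None}
    off = 14
    if ethertype == TPID_8021Q:                      # tagged frame: read the TCI
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info.update(pcp=tci >> 13, dei=(tci >> 12) & 1, vid=tci & 0x0FFF)
        off = 18
    if ethertype == ETHERTYPE_IPV4:                  # ToS byte is the 2nd IPv4 byte
        tos = frame[off + 1]
        info.update(dscp=tos >> 2, ecn=tos & 0x3, ip_offset=off)
    return info


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the IPv4 header (checksum field zeroed
    when computing; a header carrying a valid checksum sums to 0)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def remark_at_edge(frame: bytes, ingress_port: str) -> bytes:
    """Edge trust boundary: keep markings from trusted ports; on any other port
    overwrite CoS and DSCP from VLAN membership, ignoring what the host sent."""
    if ingress_port in TRUSTED_PORTS:
        return frame
    info = parse_frame(frame)
    if info["vid"] is None or info["ip_offset"] is None:
        return frame                                 # untagged or non-IPv4: leave alone
    # Assumed policy: voice VLAN -> CoS 5 / DSCP EF (46); everything else -> 0 / 0.
    cos, dscp = (5, 46) if info["vid"] == VOICE_VLAN else (0, 0)
    buf = bytearray(frame)
    struct.pack_into("!H", buf, 14, (cos << 13) | (info["dei"] << 12) | info["vid"])
    ip = info["ip_offset"]
    ihl = (buf[ip] & 0x0F) * 4
    buf[ip + 1] = (dscp << 2) | info["ecn"]          # new DSCP, ECN bits preserved
    struct.pack_into("!H", buf, ip + 10, 0)          # changing ToS invalidates the checksum
    struct.pack_into("!H", buf, ip + 10, ipv4_checksum(bytes(buf[ip:ip + ihl])))
    return bytes(buf)


def build_frame(vid: int, pcp: int, dscp: int, payload: bytes = b"") -> bytes:
    """Constructed sample: an 802.1Q-tagged IPv4 frame carrying the given marks."""
    eth = bytes.fromhex("0011223344550066778899aa") + struct.pack("!H", TPID_8021Q)
    tag = struct.pack("!HH", (pcp << 13) | vid, ETHERTYPE_IPV4)
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + len(payload),
                                0, 0, 64, 17, 0, bytes([10, 1, 1, 10]), bytes([10, 1, 2, 20])))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return eth + tag + bytes(hdr) + payload


if __name__ == "__main__":
    host_marked = build_frame(vid=10, pcp=5, dscp=46)    # a data-VLAN host claiming EF
    print(parse_frame(host_marked))
    print(parse_frame(remark_at_edge(host_marked, "Gi1/0/3")))
```

The data-VLAN host that sends its frames pre-marked CoS 5 / EF gets both values reset to 0 on the untrusted port, while the same frame on the trusted uplink passes untouched; the voice VLAN gets its markings from the switch, not from the phone.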

Note

You can perform ATM, frame relay, and CoS marking using class-based marking only.


Network-Based Application Recognition

By statefully inspecting flows as they traverse router interfaces, you can use Network-Based Application Recognition (NBAR) to detect applications that are running on your network. Once NBAR detects an application, you can configure class-based packet marking to mark the packet. You can then apply QoS policies to the marked packets throughout the network, including congestion management, congestion avoidance, traffic shaping, and policing.

The major advantage of NBAR over other classification techniques is that it keeps per-connection state in RAM, which gives it an accurate picture of how an application actually behaves rather than which port it happens to use. For example, a peer-to-peer file sharing application can easily run over the standard HTTP port (80) yet behave nothing like HTTP. Without stateful inspection, the port number hides the actual application; the reverse also holds, in that a marking policy keyed on port numbers alone can be gamed by any host that chooses a prioritized port. NBAR's stateful inspection engine recognizes difficult-to-detect applications that use dynamic TCP/UDP ports, such as peer-to-peer file sharing and instant messaging applications.

Before you write NBAR class maps, enable NBAR protocol discovery on the interfaces of interest with the ip nbar protocol-discovery interface configuration command. Protocol discovery statefully monitors the traffic crossing the interface and keeps per-protocol packet, byte, and bit-rate counters (displayed with show ip nbar protocol-discovery), so you can see which applications are actually present before you match them with class-based packet marking.

As discussed previously in Chapter 4, "Exploring Security Technologies and Network Infrastructure Designs," in order to identify most TCP applications, the TCP connection information must be stored in the router's RAM. NBAR provides stateful inspection by storing the connection information as 150-byte entries in RAM. Once the TCP application has completed its three-way handshake, the NBAR engine inspects the payload of the IP packets and classifies the application with high accuracy. The marked values in the packets can then invoke QoS policy at each router within the network.

Note

Before enabling NBAR, make sure that you know on average how many connections NBAR will be maintaining through your router interface. Multiply the number of connections by 150 bytes to estimate the memory you will need for NBAR connection maintenance. For example, if your router tracks 15,000 concurrent connections on average, NBAR will use 15,000 * 150 = 2,250,000 bytes, roughly 2.25 MB, of memory. Plan for the peak rather than the average, since a burst of new connections (legitimate or otherwise) is exactly when you do not want the router to run short of memory.


Table 6-4 lists applications supported by NBAR that use static ports. The match syntax is the keyword that you use in your class map's match clause to match the application.

Table 6-4. NBAR-Supported Static Port Applications

  Protocol                                                     Match syntax
  Border Gateway Protocol                                      bgp
  CU-SeeMe Desktop Video Conferencing                          cuseeme
  Dynamic Host Configuration Protocol / Bootstrap Protocol     dhcp
  Domain Name System                                           dns
  Finger User Information Protocol                             finger
  Internet Gopher Protocol                                     gopher
  Hypertext Transfer Protocol                                  http
  Internet Message Access Protocol                             imap
  Internet Relay Chat                                          irc
  Kerberos Network Authentication Service                      kerberos
  L2F/L2TP Tunnel                                              l2tp
  Lightweight Directory Access Protocol                        ldap
  Microsoft Point-to-Point Tunneling Protocol for VPN          pptp
  Microsoft SQL Server                                         sqlserver
  NetBIOS over IP (MS Windows)                                 netbios
  Network File System                                          nfs
  Network News Transfer Protocol                               nntp
  Lotus Notes                                                  notes
  Novadigm Enterprise Desktop Manager (EDM)                    novadigm
  Network Time Protocol                                        ntp
  Symantec pcAnywhere                                          pcanywhere
  Post Office Protocol                                         pop3
  Printer                                                      printer
  Routing Information Protocol                                 rip
  Resource Reservation Protocol                                rsvp
  Secure FTP                                                   secure-ftp
  Secure HTTP                                                  secure-http
  Secure IMAP                                                  secure-imap
  Secure IRC                                                   secure-irc
  Secure LDAP                                                  secure-ldap
  Secure NNTP                                                  secure-nntp
  Secure POP3                                                  secure-pop3
  Secure Telnet                                                secure-telnet
  Simple Mail Transfer Protocol                                smtp
  Simple Network Management Protocol                           snmp
  SOCKS Firewall Security Protocol                             socks
  Secure Shell                                                 ssh
  System Logging Utility                                       syslog
  Telnet Protocol                                              telnet
  X11, X Windows                                               xwindows


Table 6-5 lists applications supported by NBAR that use dynamic ports.

Table 6-5. Dynamic Port Applications That Require Stateful Inspection

  Protocol                                                     Match syntax
  Citrix ICA Traffic by Application Name                       citrix [app application-name]
  File Transfer Protocol                                       ftp
  MS-RPC for Exchange                                          exchange
  FastTrack                                                    fasttrack
  Gnutella                                                     gnutella
  HTTP with URL, MIME, or Host Classification                  http [url | mime | host]
  Napster traffic                                              napster
  Microsoft NetShow                                            netshow
  rsh, rlogin, rexec                                           rcmd
  Real-Time Streaming Protocol (RTSP)                          rtsp
  RealAudio Streaming Protocol                                 realaudio
  Real-time Transport Protocol (RTP) Payload Classification    rtp
  Real-Time Control Protocol (RTCP)                            rtcp
  SQL*Net for Oracle                                           sqlnet
  Xing Technology StreamWorks Audio and Video                  streamwork
  Sun Remote Procedure Call                                    sunrpc
  Trivial File Transfer Protocol                               tftp
  VDOLive Streaming Video                                      vdolive


Table 6-6 lists non-TCP/UDP applications supported by NBAR.

Table 6-6. Non-TCP/UDP Protocols (Stateful Inspection Not Required)

  Protocol                                                     Match syntax
  Exterior Gateway Protocol                                    egp
  Enhanced Interior Gateway Routing Protocol                   eigrp
  Generic Routing Encapsulation                                gre
  Internet Control Message Protocol                            icmp
  IP in IP                                                     ipinip
  IP Encapsulating Security Payload / Authentication Header    ipsec


NBAR classifies HTTP packets based on URL, host, or MIME type. For URL classification, NBAR scans the portion of the URL after the hostname. For example, in the URL http://www.cisco.com/support/support-data.pdf, NBAR checks the portion "support/support-data.pdf" for a match during inspection. For host classification, NBAR checks the hostname www.cisco.com. You can also classify packets based on Internet MIME-types.

Note

A list of the Internet Assigned Numbers Authority (IANA)-supported MIME types can be found at the IANA website at http://www.iana.org/assignments/media-types/.


When NBAR classifies the first packet of a connection, it assigns all subsequent packets of the connection to the same class, in both directions. For example, if NBAR detects an HTTP GET request from a client and the server's response carries MIME type "video/mpeg", it classifies the HTTP 200 OK response and the data packets from the server containing the MPEG file as well, because they are part of the same TCP connection.

Example 6-3 uses class-based packet marking and NBAR to give Real-time Transport Protocol (RTP) and HTTP streaming video traffic precedence over all other traffic. Packets carrying either type of streaming content are marked with IP DSCP 40 (CS5), while all non-streaming traffic is marked with IP DSCP 0 (default). The streaming class must be a match-any class: a packet is either HTTP or RTP, never both, so a match-all class with these two statements would never match anything.

Example 6-3. Configuring Application Recognition Using NBAR to Prioritize RTP Traffic over Web Traffic

 ip cef
 !
 ! match-any: a packet matching either statement belongs to the class.
 class-map match-any streaming
  match protocol http mime video/mpeg
  match protocol rtp
 class-map match-all nonstreaming
  match any
 !
 policy-map video_then_web
  class streaming
   set ip dscp cs5
  class nonstreaming
   set ip dscp default
 !
 interface fastethernet 0/1
  ip nbar protocol-discovery
  service-policy input video_then_web

Besides supporting the well-known protocols in Tables 6-4, 6-5, and 6-6, you also can configure NBAR to classify custom applications in your network. If an application in your network is distinguished from others by information in the payload, you can specify what content to match with the ip nbar custom command. For example, if your organization's accounting department runs a TCP-based application on port 4777 whose payload contains "PAYABLE=" starting at byte offset 50, use the following command to enable NBAR to track the application on the router (the destination keyword tells NBAR to match the port as the destination port; the custom name is then available as match protocol acct_app in a class map):

 ip nbar custom acct_app 50 ascii PAYABLE= destination tcp 4777


To add new protocols to NBAR without upgrading the IOS image on your NBAR-enabled routers, Cisco IOS uses external Packet Description Language Modules (PDLMs). Cisco periodically releases PDLMs that you can download from Cisco.com. Copy the PDLM into the router's flash memory and load it with the ip nbar pdlm global configuration command (for example, ip nbar pdlm flash://newprotocol.pdlm, where the file name is whatever Cisco shipped); the protocol then becomes available to match protocol without reloading the router.

Note

You must enable Cisco Express Forwarding (CEF) before you configure NBAR.


In this section, you have learned how to tell your routers which traffic matters and which traffic may cause problems if left unchecked. You may find that some of your critical applications are not functioning during times when you would expect them to function properly. Perhaps an application is running during this time that is flooding the network and causing other, more critical applications to fail intermittently. If you suspect this to be the case, consider classifying and marking the suspect traffic.

When you initially configure classification and marking, wait some time before enabling any of the congestion management techniques that you will learn about next. Use this time to verify the marking: check the per-class packet counters with show policy-map interface (and show ip nbar protocol-discovery where NBAR is used), and capture traffic downstream with a sniffer to confirm that the applications you intended to mark actually carry the expected ToS/DSCP values and that other applications are not being marked unintentionally. You do not want to unwittingly drop packets that belong to a critical application. Once you are sure that traffic is being marked correctly, apply the techniques you will learn about next.



Content Networking Fundamentals, ISBN 1587052407