Classification involves differentiating services at the edge of your network. When you classify applications, the router marks individual packets according to the type of application they belong to. When configuring marking, you should consider an application's overall priority as compared to other applications in your network. An application's overall priority typically depends on the business criticality or time sensitivity of the application for minimal and consistent latency and jitter. You can assign each application in your network to a different priority value, or, depending on the number of applications running in your network, you can group applications into classes of traffic. Once the router marks a packet, you can configure downstream routers to apply congestion management and congestion avoidance techniques to it.
You can use the following technologies to classify and mark your applications in your network:
Marking Packets at Layer 3
The three values that you can use to mark packets at Layer 3 are
Marking a Packet's IP Precedence Value
As you learned in Chapter 2 the IP Precedence uses three bits of the 8-bit type of service (ToS) field in the IP packet header, as defined in the Internet Protocol RFC (RFC 791). The eight possible values of IP Precedence are given names in RFC 791, but you can use these values to differentiate whatever classes of traffic you have in your network. IP Precedence values 6 and 7 are reserved for network control information, such as routing updates and link keep-alives, leaving six values from 0 to 5 for use in your network. Table 6-1 gives these IP Precedence values and their respective names as specified in RFC 791.
For example, you should use IP Precedence 0 for applications that do not require QoS guarantees, and IP Precedence 5 for the most critical applications in your network. You can mark packets with IP Precedence using any of the following marking tools in Cisco IOS:
Example 6-1 gives a Layer 3 marking configuration to mark packets entering a network from a high-priority source subnet 10.1.1.0/24 with IP Precedence 5, using policy-based routing (PBR). Packets from the less critical subnet 10.1.2.0/24 are marked with IP Precedence 0.
Example 6-1. Configuring Layer 3 Packet Marking Using Policy-Based Routing
By default, routers switch packets treated with PBR by using CEF switching when you enable CEF on your router. However, you also can switch PBR with the process or fast switching path.
Marking a Packet's IP Differentiated Services Code Field
To mark packets using the IP DSCP definition, you must use class-based packet marking. As you learned in Chapter 2, there are six available bits to classify traffic, giving 64 possible traffic classes. Table 6-2 lists the supported IP DSCP values.
Table 6-3 maps the IP Precedence values to the supported IP DSCP values.
Example 6-2 gives a Layer 3 marking configuration to mark packets entering a network from the high-priority source subnet 10.1.1.0/24 with IP DCSP 40 (CS5) and from a less critical source subnet 10.1.2.0/24 with IP Precedence 0 (default).You can perform this example using class-based packet marking, configurable within the Cisco Modular QoS CLI (MQC).
The MQC enables you to create traffic policies and attach these policies to router interfaces. You configure traffic policies with the policy-map command. The policy contains traffic classes that you configure with class-map commands, and one or more QoS features. An example QoS feature would be to mark a packet's DSCP value with the priority command. You use traffic classes to classify traffic, while the QoS features in the traffic policy determine how to mark the classified traffic.
Example 6-2. Configuring Layer 3 Packet Marking Using Class-Based Packet Marking
In Example 6-2, two access lists are created to identify two subnets. You then enter the MQC with the policy-map command. The policy named "prioritize_subnets" marks the two subnets with their respective DSCP values, using the set ip dscp command. The router classifies the subnets within individual class-map modules, assigned the names "subnet1" and "subnet2."
Class-based packet marking requires that you first enable CEF on your routers.
IP QoS Group Value
Marking a packet with a QoS group value affects the packet only within the local router that assigns the group value. That is, the router does not modify the packet header ToS field. You can assign up to 100 QoS group values to your applications. You should use the IP QoS group value if changing the IP Precedence or DSCP for the packet is not desirable in your network. You can assign QoS groups based on prefix, BGP autonomous system, or BGP community string. To set the QoS group value in a policy, use the set qos-group policy-map class command.
Marking Frames, Cells, and Trunks at Layer 2
For marking at Layer 2, you can use one of the following:
You can perform ATM, frame relay, and CoS marking using class-based marking only.
Network-Based Application Recognition
By statefully inspecting flows as they traverse router interfaces, you can use Network-Based Protocol Recognition (NBAR) to detect applications that are running on your network. Once NBAR detects an application, you can configure class-based packet marking to mark the packet. You can then apply QoS policies to the marked packets throughout the network, including congestion management, congestion avoidance, traffic shaping, and policing.
The major advantage of NBAR over other classification techniques is that it stores transport connection information in RAM, giving it the ability to obtain an accurate picture of the behavior of the application. For example, a peer-to-peer file sharing application may easily use the standard HTTP port (80) but behave completely differently to HTTP. Without stateful inspection, the HTTP port number easily hides the actual behavior of the application. NBAR's stateful inspection engine can easily recognize difficult-to-detect applications that use dynamic TCP/UDP ports, such as peer-to-peer file sharing and instant messaging applications.
To use NBAR, you must enable the NBAR protocol discovery IOS feature to statefully monitor the applications running through router interfaces. To enable protocol discovery on desired interfaces in order to classify packets using class-based packet marking, use the ip nbar protocol-discovery interface configuration command.
As discussed previously in Chapter 4, "Exploring Security Technologies and Network Infrastructure Designs," in order to identify most TCP applications, the TCP connection information must be stored in the router's RAM. NBAR provides stateful inspection by storing the connection information as 150-byte entries in RAM. Once the TCP application has completed its three-way handshake, the NBAR engine inspects the payload of the IP packets and classifies the application with high accuracy. The marked values in the packets can then invoke QoS policy at each router within the network.
Before enabling NBAR, make sure that you know on average how many connections NBAR will be maintaining through your router interface. Multiply the number of connections by 150 bytes to calculate the amount of memory you will need for NBAR connection maintenance. For example, if your router tracks 15,000 concurrent connections on average, then NBAR will use 15,000 * 150 = 2.25 MBs of memory.
Table 6-4 lists applications supported by NBAR that use static ports. The match syntax is the keyword that you use in your class map's match clause to match the application.
Table 6-5 lists applications supported by NBAR that use dynamic ports.
Table 6-6 lists non-TCP/UDP applications supported by NBAR.
NBAR classifies HTTP packets based on URL, host, or MIME type. For URL classification, NBAR scans the portion of the URL after the hostname. For example, in the URL http://www.cisco.com/support/support-data.pdf, NBAR checks the portion "support/support-data.pdf" for a match during inspection. For host classification, NBAR checks the hostname www.cisco.com. You can also classify packets based on Internet MIME-types.
A list of the Internet Assigned Numbers Authority (IANA)-supported MIME types can be found at the IANA website at http://www.iana.org/assignments/media-types/.
When NBAR classifies the first packet of a connection, it assigns all subsequent packets of the connection to the same class. For example, if NBAR detects an HTTP GET request for a file of MIME-type "video/mpeg" from a client, it will also classify the HTTP 200 OK response and data packets from the server containing the MPEG4 file, because they are a part of the same TCP connection.
Example 6-3 uses class-based packet marking and NBAR to give Real-Time Transfer Protocol (RTP) and HTTP streaming video traffic precedence over all other traffic. NBAR marks packets with either types of streaming content with their IP DSCP field as 40 (CS5). Alternatively, all non-streaming traffic is marked with an IP DSCP of 0 (default).
Example 6-3. Configuring Application Recognition Using NBAR to Prioritize RTP Traffic over Web Traffic
Besides supporting the well-known protocols in Tables 6-4, 6-5, and 6-6, you also can configure NBAR to classify custom applications in your network. For example, if an application in your network is differentiated from others by information in the payload, you can specify what content to match with the ip nbar custom command. For example, if your organization's accounting department runs a TCP-based application on port 4777 that contains "PAYABLE=" starting at the 50th byte of the payload, use the following command to enable NBAR to track the application on the router:
ip nbar custom acct_app 50 ascii "PAYABLE=" dest tcp 4777
To add known protocols supported by NBAR without requiring an upgrade to the IOS on the routers enabled for NBAR, Cisco IOS uses external Packet Description Language Modules (PDLM). Cisco periodically releases PDLMs that you can download from the Cisco.com site. You can install the PDLMs to your router in permanent flash memory and enable them without reloading the router.
You must enable Cisco Express Forwarding (CEF) before you configure NBAR.
In this section, you have learned about the ways to inform your routers of traffic that may cause problems if left unchecked. You may find that some of your critical applications are not functioning during times when you would expect them to function properly. Perhaps an application is running during this time that is flooding the network and causing other more critical applications to fail intermittently. If you feel this to be the case, consider classifying and marking the suspect traffic.
When you initially configure congestion marking, you should wait for some time before enabling any of the congestion management techniques that you will learn about next. You should take this time to install traffic sniffers and make sure that the applications you intended to mark are indeed being marked, and that other applications are not unintentionally being marked. You do not want to unwittingly drop packets that belong to a critical application. Once you are sure that traffic is being marked correctly, you should then consider applying the techniques you will learn about next.