Implementing Quality of Service on Cisco Switches

It is important to understand the features and limitations of the various Catalyst platforms to ensure your network can deliver the QoS your applications require. The following platforms are considered the most common Cisco switches available today; the scenario for this chapter includes each of the following:

• Catalyst 2900XL/3500XL

• Catalyst 2950/3550

• Catalyst 4000 Supervisor 1/2

• Catalyst 4000 Supervisor 3

• Catalyst 6000/6500

Each platform is now discussed, with the discussion focusing on the classification, marking, policing, queuing, and scheduling features available. You also learn how to configure QoS on each platform to aid your understanding of this complex subject.

Catalyst 2900XL/3500XL

The Catalyst 2900XL/3500XL family consists of workgroup switches designed as an access layer switch for small to medium businesses. Their QoS features are very basic when compared to the newer Catalyst switches. However, a large installed base of these switches exists, and due to the inline power capabilities of the Catalyst 3524PWR-XL, this family of switches is common in Cisco IP Telephony deployments.

Classification and marking is supported only at a Layer 2 level by using 802.1p CoS values. The default classification process of the Catalyst 2900XL/3500XL is to trust the CoS of tagged frames received on a port and is described below:

• If untagged traffic is received on a port, assign the default 802.1p priority of the port to the frame tag.

• If tagged traffic is received on a port, trust the 802.1p priority value in the tag.

The default priority (CoS) of a port is zero, so by default any traffic received on access ports (non-trunk ports) are assigned a CoS of zero. The default priority can be changed per-port and is applied to all untagged traffic received on the port. You can also optionally override the CoS assigned to all ingress tagged traffic on a particular port.

TIP

The Catalyst 2900XL/3500XL switches do not support policing of any kind.

The queuing mechanism used on the Catalyst 2900XL/3500XL switches consists of a single ingress queue and two egress queues per port. A high-priority queue and normal-priority queue make up the egress queues, with the high-priority queue being a strict priority queue, where it is always serviced ahead of the normal-priority queue. Traffic in the normal-priority queue is serviced only if the high-priority queue is empty. The traffic that is placed into each queue is determined by the CoS priority value in the 802.1Q or Inter-Switch Link (ISL) tag:

• Priority 0 to 3 This traffic is placed into the normal-priority queue.

• Priority 4 to 7 This traffic is placed into the high-priority queue.

NOTE

The queuing placement configuration just listed is fixed and is non-configurable.

Catalyst 2950/3550

The Catalyst 2950/3550 switches are the successors to the current 2900XL/3500XL switches and include more advanced quality of service features.

NOTE

The first release of Catalyst 2950 switches, running on the IOS 12.0(5.2)WC(1) Release software image support only the QoS features described for the 2900XL/3500XL switches. The next software release (IOS 12.1(6)EA2) Release introduced the advanced QoS features discussed in this section.

Before you can use QoS features, you must ensure QoS is globally enabled by issuing the mls qos privileged configuration mode command:

 [no] mls qos 

The switches use the DiffServ model in order to support end-to-end QoS, where all IP traffic is classified using a DSCP value. Switches also maintain class of service information for any tagged traffic, with mapping options available to generate the CoS from the DSCP value and vice versa. In terms of classification, the Catalyst 2950/3550 offers the following options:

• Classification based upon Layer 2, 3 or 4 access lists

• Classification based upon the trust state of the port

• Classification based upon the default priority (CoS) of the port

Classification based upon access lists is relatively straightforward to understand. Incoming traffic is compared to an access list; if traffic matches the access list, a QoS action (such as marking the packet with a particular DSCP value) is taken. This form of classification is normally performed on access layer switches, at the edge of the network.

Classification based upon the trust state of the port is a little more complicated to understand, but much simpler for switches to implement. Remember that a switch marks two places within each frame that contains an IP packetthe CoS value in the Layer 2 trunk header and the DSCP value in the IP packet. The switch can be configured to trust either the received CoS value or the received DSCP value. If the switch trusts the CoS value, the CoS value is maintained, and a DSCP value is written to the IP header based upon a map table called the CoS-to-DSCP map. Similarly, if the switch trusts the DSCP value, the DSCP value is maintained; however, the CoS value can be modified based upon another map table called the DSCP-to-CoS map.

NOTE

The Catalyst 3550 switches support a few more marking and trust features compared to the Catalyst 2950. The Catalyst 3550 can also trust IP Precedence and has an IP-Precedence-to-DSCP map to generate the appropriate DSCP value for each packet. Also, if an interface trusts DSCP state, you can modify the DSCP value using a DSCP-to-DSCP-mutation map, which translates a particular DSCP value to a new value.

If you do not explicitly configure classification based upon trust or access lists, the switch automatically overrides received QoS markings with the default priority of the port. This is limited to modification of the CoS value only (DSCP is not considered). You can modify the CoS assigned to any untagged traffic that is received or optionally overwrite the CoS values of any received tagged traffic.

Once an incoming frame has been classified appropriately, the switch can police traffic on a per-class basis only. Traffic that does not conform to the configured rate can be dropped or marked with a different DSCP value.

The last step in the QoS process is queuing and scheduling. The available options differ between the Catalyst 2950 and the 3550. On the Catalyst 2950, each port has four egress queues, which can be configured using one of the following scheduling options:

• Strict priority Each queue is assigned a priority between 0 and 7. All traffic in higher priority queues is always serviced before traffic in lower priority queues. This mechanism is identical to the priority queuing implementation used on Cisco IOS routers. As such, care must be taken to ensure that all queues are serviced appropriately.

• Weighted round robin (WRR) Each queue is assigned a weight, with each queue guaranteed service. The amount of traffic sent from each queue as it is serviced depends on the weight of the queue, with higher-weighted queues sending more traffic per scheduling cycle than lower-weighted queues.

Traffic is placed into each queue based upon a configurable CoS-to-Queue mapping table. Table 9-4 shows the default CoS-to-Queue mappings.

Notice in Table 9-4 that the CoS value (rather than the DSCP value) determines which queue (and ultimately the actual QoS) a frame is placed into. This means it is very important that your DSCP-to-CoS map is accurate and consistent throughout the network.

WARNING

On the Catalyst 2950, all queueing and scheduling configuration can only be applied on a global basis, meaning only a single policy can be used. On the Catalyst 3550, a unique queueing and scheduling policy can be configured per-port, allowing for much more flexibility.

• Tail drop All traffic exceeding a queue threshold is dropped. If a tail drop condition occurs, all traffic can suddenly be dropped, which can cause phenomenon such as TCP slow start, where all TCP applications suddenly slow their data transmission rates in response to lost (dropped) TCP packets. In slow start, bandwidth efficiency is low because the network is sending at full bandwidth and then suddenly at half bandwidth due to TCP slow start. This bandwidth usage slowly increases until another tail drop occurs.

• Weighted Random Early Detection (WRED) Traffic exceeding a queue threshold is randomly discarded, with frames coming from heavier data sources more likely to be dropped. WRED prevents a combined TCP slow start by dropping only a few select packets, causing TCP slow start for those sessions only. This increases the efficiency of the network.

Catalyst 4000

The Catalyst 4000 series of switches (including the 2948G and 2980G but excluding the Catalyst 4000 with Supervisor 3/4 module) offer very limited QoS functionality. In terms of classification, the Catalyst 4000 switches can only provide the following functions:

• Any untagged traffic can be assigned a default CoS value. This CoS value can be configured only on a per-switch basis.

• Any tagged traffic CoS values are maintained and cannot be overridden.

As you can see, you can configure the CoS value for untagged traffic only on a per-switch basis. This does not provide much flexibility, and you must bear this limitation in mind when designing your QoS architecture.

In terms of policing, the Catalyst 4000 switches do not provide any policing capabilities. In terms of queuing and scheduling, each port features two egress queues with a single drop threshold (of 100 percent), at which point tail drop occurs. A configurable CoS-to-Transmit Queue mapping exists, which defines the queue each frame is placed into based upon the CoS value of the frame. For example, you could place frames with a CoS value of 03 into one queue, and frames with a CoS value of 47 into the other queue.

Catalyst 4000 with Supervisor 3/4

The Supervisor 3/4 module for the Catalyst 4000 is a Cisco IOS-based module that includes many new features, including many new QoS features. The QoS features available on the Supervisor 3/4 are similar to those offered on the Catalyst 2950/3550 series switches, except a few interesting extras are included on the Supervisor 3/4.

Classification on the Catalyst 4000 is identical to the classification options available for the Catalyst 2950/3550, which in summary are as follows:

• Classification based upon Layer 2, 3, or 4 access lists

• Classification based upon the trust state of the port

• Classification based upon the default priority (CoS) of the port

If using CoS for classification, a CoS-to-DSCP map exists that generates the appropriate DSCP value for each IP packet. When using DSCP classification, if a CoS value needs to be generated for a frame, a DSCP-to-CoS map is referenced.

Policing is available on the Supervisor 3/4, with policing options on an individual basis, where each matched traffic class in a policy is policed separately, or on an aggregate basis, where all traffic classes within a policy are policed all together. Traffic that does not conform to a configured rate can either be dropped or marked with a new DSCP value.

Once classification and policing are complete, each frame needs to be queued and scheduled for transmission. Each egress port features four queues, and the placement of traffic into each queue is determined by the DSCP value of each packet by using a DSCP-to-queue map. For scheduling, the egress queues can be serviced using one of the following options:

• Round robin Traffic is serviced on a round-robin basis, queue by queue. In essence this provides best-effort QoS and is the default scheduling mode.

• Weighted round robin Each queue is assigned a portion of the available bandwidth of the egress port. Traffic in each queue is serviced according to this bandwidth value. By default, the user configurable weights are tied to IP Precedence.

• Strict priority One of the queues is designated a priority queue, which is always serviced ahead of other queues.

A useful QoS feature also available on the Supervisor 3/4 is traffic shaping on each egress queue. This feature allows you to shape traffic to a maximum rate on each queue. Unlike a policer that typically drops traffic that exceeds the configured rate, the traffic shaper uses the egress queue to buffer traffic that exceeds the rate. The shaper can queue excess traffic only for a small time, and if traffic continuously exceeds the configured rate, the shaper discards traffic. Traffic shaping is useful for bursty applications, where the shaper allows short bursts of data, whereas a policer drops traffic bursting above the configured rate.

Catalyst 6000/6500

The Catalyst 6000/6500 switch is the flagship of the Cisco switch product line and as such includes the most advanced quality of service features available. The QoS features available are quite complex and are dependent on the type of switching engines installed in the Catalyst 6000/6500 switch. Two major switching engines exist on the Catalyst 6000/6500 switch:

• Layer 2 switching engine This includes the Supervisor 1 or Supervisor 1a without the policy feature card (PFC) installed.

• Layer 3 switching engine Includes the Supervisor 1/1a with PFC or the Supervisor 2 (which includes an integrated PFC2).

TIP

The policy feature card (PFC) is a Layer 3 switching engine that allows the Catalyst 6000/6500 to perform Layer 3 switching at wire speed. To perform true routing, the PFC requires a multiLayer switch feature card (MSFC), which is basically a Cisco IOS router. The MSFC operates in the control plane for Layer 3 routing, generating a route table, and then downloading this information to the PFC that operates in the data plane for Layer 3 routing. The PFC also provides hardware-based Layer 3 classification for QoS and security purposes, allowing these features to be applied at wire speed. The PFC does not require the MSFC for Layer 3 classification, only for performing Layer 3 routing.

It is important to note that the QoS model used by the Catalyst 6000/6500 features both egress and ingress classification, policing, and queuing mechanisms. The Catalyst 6000/6500 allows you to perform all QoS actions on the ingress port and egress port, not just some actions on the ingress and some actions on the egress.

For classification, the L2 switching engine can classify based upon Layer 2 access lists and VLANs and mark using CoS values. The Layer 3 engine can classify based upon Layer 3/4 access lists and mark using CoS, IP Precedence, or DSCP. If you classify traffic using the CoS trust option, you can queue received traffic in ingress queues. If you classify traffic using any other option (such as via access control lists (ACLs), non-trusted ports, trust DSCP, or trust IP Precedence), the traffic is passed directly to the switching engine.

The ingress queuing mechanism depends on the capability of the switch port. You can issue a show port capabilities command to view the ingress port queues and thresholds available. For example, a port might support a single queue with four thresholds, while another might support a priority queue and a standard queue with no thresholds. The thresholds are used to implement congestion avoidance mechanisms, such as tail drop or WRED. For example, if a queue reaches a threshold of 75 percent full, the switch might start dropping frames (tail drop) or randomly dropping frames (WRED). With multiple thresholds, traffic with a lower CoS can be assigned to a lower threshold (e.g., 50 percent), while higher CoS traffic can be assigned to a higher threshold (e.g., 100 percent). This ensures that lower priority traffic is dropped before higher priority traffic.

NOTE

The show port capabilities command shows queuing capabilities using a special naming convention. For example, an ingress (receive) queue that features a single queue with four thresholds is represented as rx-(1q4t). The rx identifies this applies to the ingress, the 1q specifies a single queue, and the 4t specifies four configurable thresholds on the queue. The rx-(1p1q8t) representation specifies on ingress the port supports a single priority queue (1p) and a single queue with eight configurable drop thresholds.

For policing functionality, only the Layer 3 switching engine supports policing. Policing can be applied on a microflow basis, where a single flow that matches an access list entry is policed at the configured rate. Policing can also be applied on an aggregate basis, where all flows that match an access control entry are policed at the configured rate. Any traffic that does not conform to the configured rate can be dropped or marked down.

NOTE

Do not confuse the microflow and aggregate policing features with the individual and aggregate policing functions on the Catalyst 4000 with Supervisor 3. On the Catalyst 4000, individual policers apply to a single traffic class (i.e., all traffic matched by a single ACL), and the aggregate policer applies to an entire policy (collection of ACLs).

So far, you have learned about the ingress classification, queuing and policing functions of the Catalyst 6000/6500 switch. Once the egress port for the received frame has been determined, the frame is placed into an egress queue for transmission. Similar to the ingress port, each egress port has particular queuing characteristics, which can be determined by using the show port capabilities command. For example, the port might indicate a capability of tx-1p3q1t, where the tx indicates this is for the egress side of the port, the 1p indicates a single priority queue, and the 3q1t indicates three standard queues, each with a single drop threshold. The CoS value of each frame dictates which queue traffic is placed into; the CoS value is also used within each queue to determine which drop threshold applies to traffic. The drop threshold relates to how full each queue is (e.g., 75 percent full) and determines the point at which traffic is subject to congestion avoidance. As for the ingress queues, the congestion avoidance mechanisms include tail drop and WRED.

TIP

The Catalyst 6000/6500 switch with a Layer 3 switching engine also supports the IntServ QoS model by supporting both the Resource Reservation Protocol (RSVP) and the Common Open Policy Service. The configuration of this is outside the scope of this book.