Cisco Modular QoS CLI
For many years and over many IOS releases, Cisco added QoS features and functions, each of which used its own separate set of configuration and exec commands. Eventually, the number of different QoS tools and different QoS commands got so large that QoS configuration became a big chore. Cisco created the Modular QoS CLI (MQC) to help resolve these problems, by defining a common set of configuration commands to configure many QoS features in a router or switch.
MQC is not a completely new CLI, different from IOS configuration mode, for configuring QoS. Rather, it is a method of grouping IOS classification, marking, and related actions into logical groupings to organize the command-line interface. MQC defines a new set of configuration commands, typed in using the same IOS CLI, in configuration mode.
However, once you understand MQC, you generally need to learn only one new command to know how to configure any other MQC-based QoS tool. You can identify MQC-based tools by the name of the tool; they all begin with the phrase “Class-Based” (abbreviated CB for this discussion). These tools include CB Marking, CB Weighted Fair Queuing (CBWFQ), CB Policing, CB Shaping, and CB Header Compression.
414 Chapter 12: Classification and Marking
Mechanics of MQC
MQC separates the classification function of a QoS tool from the action (PHB) that the QoS tool wants to perform. To do so, there are three major commands with MQC, with several subordinate commands:
■ The class-map command defines the matching parameters for classifying packets into service classes.
■ The PHB actions (marking, queuing, and so on) are configured under a policy-map command.
■ The policy map is enabled on an interface by using a service-policy command.
Figure 12-4 shows the general flow of commands.
Figure 12-4 MQC Commands and Their Correlation
(Figure rendered as text.)
Classification configuration:
  class-map myclass1
   (matching parameters follow …)
  class-map myclass2
   (matching parameters follow …)
Action/PHB configuration:
  policy-map mypolicy
   class myclass1
    (actions/PHBs for this class follow: marking, queuing, etc.)
   class myclass2
    (actions/PHBs for this class follow: marking, queuing, etc.)
Enable on interface:
  interface S0/0
   service-policy output mypolicy
In Figure 12-4, the network’s QoS policy calls for treating packets in one of two categories, called QoS service classes. (The actual types of packets that are placed into each class are not shown, to keep the focus on the general flow of how the main commands work together.) Classifying packets into two classes calls for the use of two class-map commands. Each class-map command would be followed by a match subcommand, which defines the actual parameters that are compared to the frame/packet header contents to match packets for classification.
For each class, some QoS action (PHB) needs to be performed; this action is configured using the policy-map command. Under a single policy map, multiple classes can be referenced; in Figure 12-4, the two classes myclass1 and myclass2. Inside the single policy called mypolicy, under each of the two classes myclass1 and myclass2, you can configure separate QoS actions. For instance, you could apply different markings to packets in myclass1 and myclass2 at this point. Finally, when the service-policy command is applied to an interface, the QoS features are enabled either inbound or outbound on that interface.
The next section takes a much closer look at packet classification using class maps. Most of the discussion of policy maps will be included when specifically covering CB Marking configuration later in the chapter.
Classification Using Class Maps
MQC-based tools classify packets using the match subcommand inside an MQC class map. The following list details the rules surrounding how class maps work for matching and classifying packets:
■ The match command has many options for matching packets, including QoS fields, ACLs, and MAC addresses. (See Table 12-10 in the “Foundation Summary” section for a reference.)
■ Class-map names are case sensitive.
■ The match protocol configuration command means that IOS uses Network Based Application Recognition (NBAR) to perform that match.
■ The match any command matches any packet, in other words, any and all packets.
Example 12-1 shows a simple CB Marking configuration, with comments focused on the classification configuration. Note that the names and logic match Figure 12-4.
With Example 12-1, each packet leaving interface fa0/0 will match one of the two classes. Because the policy map uses a set dscp command in each class, and all packets happen to match either myclass1 or myclass2, each packet will leave the interface marked either with DSCP EF (decimal 46) or default (decimal 0). (If the matching logic were different and some packets matched neither myclass1 nor myclass2, those packets would not be marked, and would retain their existing DSCP values.)
Example 12-1 Basic CB Marking Example
! CEF is required for CB Marking. Without it, the class map and policy map
! configuration would be accepted, but the service-policy command would be rejected.
ip cef
! The first class map matches all UDP/RTP packets with UDP ports between 16384 and
! 32767 (the 2nd number is added to the first to get the end of the range.) The
! second class map matches any and all packets.
class-map match-all myclass1
 match ip rtp 16384 16383
class-map match-all myclass2
 match any
! The policy map calls each of the two class maps for matching. The set command
! implies that the PHB is marking, meaning that this is a CB Marking config.
policy-map mypolicy
 class myclass1
  set dscp EF
 class myclass2
  set dscp default
! The policy map processes packets leaving interface fa0/0.
interface Fastethernet0/0
 service-policy output mypolicy
Using Multiple match Commands
In some cases, a class map may need to examine multiple items in a packet to decide whether the packet should be part of that class. Class maps can use multiple match commands, and even nest class maps inside other class maps, to achieve the required combination of logic. The following list summarizes the key points regarding these more complex matching options:
■ Up to four (CoS and IPP) or eight (DSCP) values can be listed on a single match cos, match precedence, or match dscp command, respectively. If any of the values are found in the packet, the statement is matched.
■ If a class map has multiple match commands in it, the match-any or match-all (default) parameter on the class-map command defines whether a logical OR or a logical AND (default) is used between the match commands, respectively.
■ The match class name command refers to another class map by name, nesting the named class map’s matching logic; the match class name command is considered to match if the referenced class-map also results in a match.
Example 12-2 shows several examples of this more complicated matching logic, with notations inside the example of what must be true for a class map to match a packet.
Example 12-2 Complex Matching with Class Maps
! class-map example1 uses match-all logic (default), so this class map matches
! packets that are permitted by ACL 102, and that also have an IP precedence of 5.
class-map match-all example1
 match access-group 102
 match precedence 5
! class-map example2 uses match-any logic, so this class map matches packets that
! are permitted by ACL 102, or have DSCP AF21, or both.
class-map match-any example2
 match access-group 102
 match dscp AF21
! class-map example3 matches no packets, due to a common mistake: the two match
! commands use a logical AND between them due to the default match-all argument, meaning
! that a single packet must have DSCP 0 and DSCP 1, which is impossible. class-map example4
! shows how to correctly match either DSCP 0 or 1.
class-map match-all example3
 match dscp 0
 match dscp 1
!
class-map match-any example4
 match dscp 0 1
! class-map i-am-nesting refers to class-map i-am-nested through the match class
! i-am-nested command. The logic is explained after the example.
class-map match-all i-am-nested
 match access-group 102
 match precedence 5
!
class-map match-any i-am-nesting
 match class i-am-nested
 match cos 5
The trickiest part of Example 12-2 is how the class maps can be nested, as shown at the end. class-map i-am-nesting uses OR logic between its two match commands, meaning “I will match if the CoS is 5, or if class-map i-am-nested matches the packet, or both.” When combined with the match-all logic of the i-am-nested class map, the logic matches the following packets/frames:
Packets that are permitted by ACL 102, AND marked with precedence 5
or
frames with CoS 5
Classification Using NBAR
NBAR classifies packets that are normally difficult to classify. For instance, some applications use dynamic port numbers, so a statically configured match command, matching a particular UDP or TCP port number, simply could not classify the traffic. NBAR can look past the UDP and TCP header, and refer to the host name, URL, or MIME type in HTTP requests. (This deeper examination of the packet contents is sometimes called deep packet inspection.) NBAR can also look past the TCP and UDP headers to recognize application-specific information. For instance, NBAR allows recognition of different Citrix application types, and allows looking for a portion of a URL string.
NBAR itself can be used for a couple of different purposes. Independent of QoS features, NBAR can be configured to keep counters of traffic types and traffic volume for each type. For QoS, NBAR can be used by CB Marking to match difficult-to-match packets. Whenever the MQC match protocol command is used, IOS is using NBAR to match the packets. Table 12-6 lists some of the more common uses of the match protocol command and NBAR.
Table 12-6 Common Fields Matchable by CB Marking Using NBAR
Field                              Comments
RTP audio versus video             RTP uses even-numbered UDP ports from 16,384 to 32,768. The odd-numbered port numbers are used by RTCP for call control traffic. NBAR allows matching the even-numbered ports only, for classification of voice payload into a different service class from that used for voice signaling.
Citrix applications                NBAR can recognize different types of published Citrix applications.
Host name, URL string, MIME type   NBAR can also match URL strings, including the host name and the MIME type, using regular expressions for matching logic.
Peer-to-peer applications          NBAR can find file-sharing applications like KaZaa, Morpheus, Grokster, and Gnutella.
Classification and Marking Tools
The final major section of this chapter covers CB Marking, with a brief mention of a few other, less common marking tools.
Class-Based Marking (CB Marking) Configuration
As with the other QoS tools whose names begin with the phrase “Class-Based,” you will use MQC commands to configure CB Marking. The following list highlights the key points regarding CB Marking configuration and logic:
■ CB Marking requires CEF (enabled using the ip cef global command).
■ Packets are classified based on the logic in MQC class maps.
■ An MQC policy map refers to one or more class maps using the class class-map-name command; packets classified into that class are then marked.
■ CB Marking is enabled for packets either entering or exiting an interface using the MQC service-policy in | out policy-map-name interface subcommand.
■ A CB Marking policy map is processed sequentially; once a packet has matched a class, it is marked based on the set command(s) defined for that class.
■ You can configure multiple set commands in one class to set multiple fields; for example, to set both DSCP and CoS.
■ Packets that do not explicitly match a defined class are considered to have matched a special class called class-default.
■ For any class inside the policy map for which there is no set command, packets in that class are not marked.
Table 12-7 lists the syntax of the CB Marking set command, showing the allowed fields that can be set by CB Marking. Table 12-8 lists the key show commands available for CB Marking.
CB Marking Example
The first CB Marking example uses the network shown in Figure 12-5. Traffic was generated in the network to make the show commands more meaningful. Two G.711 voice calls were completed between R4 and R1 using Foreign Exchange Station (FXS) cards on these two routers, with Voice Activity Detection (VAD) disabled. Client1 performed an FTP get of a large file from Server1, and downloaded two large HTTP objects, named important.jpg and not-so.jpg. Finally, Client1 and Server1 held a Microsoft NetMeeting conference, using G.723 for the audio and H.263 for the video.
Table 12-7 set Configuration Command Reference for CB Marking
Command                                  Function
set [ip] precedence ip-precedence-value  Marks the value for IP Precedence for IPv4 and IPv6 packets if the ip parameter is omitted; sets only IPv4 packets if the ip parameter is included
set [ip] dscp ip-dscp-value              Marks the value for IP DSCP for IPv4 and IPv6 packets if the ip parameter is omitted; sets only IPv4 packets if the ip parameter is included
set cos cos-value                        Marks the value for CoS
set qos-group group-id                   Marks the group identifier for the QoS group
set atm-clp                              Sets the ATM CLP bit
set fr-de                                Sets the Frame Relay DE bit
Table 12-8 EXEC Command Reference for CB Marking
Command                                                             Function
show policy-map policy-map-name                                     Lists configuration information about a policy map
show policy-map interface-spec [input | output] [class class-name]  Lists statistical information about the behavior of a policy map when enabled on an interface
Figure 12-5 Sample Network for CB Marking Examples
(Figure not reproduced. Devices shown: Client1, SW1, R1, R3 (s0/0 and FA0/0), SW2, Server1, R4, and phones 1001, 1002, 3001, and 3002. The marking legend reads: Mark VoIP as DSCP EF; Mark NetMeeting as AF41; Mark URLs with “Important” as AF21; Mark URLs with “Not” as AF23; Mark All Else with DSCP Default.)
The following criteria define the requirements for marking the various types of traffic for Example 12-3:
■ VoIP payload is marked with DSCP EF.
■ NetMeeting video traffic is marked with DSCP AF41.
■ Any HTTP traffic whose URL contains the string “important” anywhere in the URL is marked with AF21.
■ Any HTTP traffic whose URL contains the string “not-so” anywhere in the URL is marked with AF23.
■ All other traffic is marked with DSCP Default (0).
Example 12-3 lists the annotated configuration, including the required show commands.
Example 12-3 CB Marking Example 1, with show Command Output
ip cef
! Class map voip-rtp uses NBAR to match all RTP audio payload, but not the video
! or the signaling.
class-map voip-rtp
 match protocol rtp audio
! Class map http-impo matches all packets related to downloading objects whose
! name contains the string “important,” with any text around it. Similar logic
! is used for class-map http-not.
class-map http-impo
 match protocol http url "*important*"
!
class-map http-not
 match protocol http url "*not-so*"
! Class map NetMeet matches two RTP subtypes: one for G.723 audio (type 4) and
! one for H.263 video (type 34). Note the match-any logic so that if either is
! true, a match occurs for this class map.
class-map match-any NetMeet
 match protocol rtp payload-type 4
 match protocol rtp payload-type 34
! policy-map laundry-list calls each of the class maps. Note that the order
! listed here is the order in which the class commands were added to the policy
! map.
policy-map laundry-list
 class voip-rtp
  set ip dscp EF
 class NetMeet
  set ip dscp AF41
 class http-impo
  set ip dscp AF21
 class http-not
  set ip dscp AF23
 class class-default
  set ip DSCP default
! Above, the command class class-default is only required if some nondefault action
! needs to be taken for packets that are not explicitly matched by another class.
! In this case, packets not matched by any other class fall into the class-default
! class, and are marked with DSCP Default (decimal 0). Without these two commands,
! packets in this class would remain unchanged.
!
! Below, the policy map is enabled for input packets on fa0/0.
interface Fastethernet 0/0
 service-policy input laundry-list
! The command show policy-map laundry-list simply restates the configuration.
R3# show policy-map laundry-list
  Policy Map laundry-list
    Class voip-rtp
      set ip dscp 46
    Class NetMeet
      set ip dscp 34
    Class http-impo
      set ip dscp 18
    Class http-not
      set ip dscp 22
    Class class-default
      set ip dscp 0
! The command show policy-map interface lists statistics related to MQC features.
! Several stanzas of output were omitted for brevity.
R3# show policy-map interface fastethernet 0/0 input
 Fastethernet0/0
  Service-policy input: laundry-list
    Class-map: voip-rtp (match-all)
      35268 packets, 2609832 bytes
      5 minute offered rate 59000 bps, drop rate 0 bps
      Match: protocol rtp audio
      QoS Set
        ip dscp 46
          Packets marked 35268
    Class-map: NetMeet (match-any)
      817 packets, 328768 bytes
      5 minute offered rate 19000 bps, drop rate 0 bps
      Match: protocol rtp payload-type 4
             protocol rtp payload-type 34
      QoS Set
        ip dscp 34
          Packets marked 817
! omitting remainder of output for class http-impo
! omitting remainder of output for class http-not
    Class-map: class-default (match-all)
      33216 packets, 43649458 bytes
      5 minute offered rate 747000 bps, drop rate 0 bps
      Match: any
      QoS Set
        ip dscp 0
          Packets marked 33301
Example 12-3 includes several different classification options using the match command, including the matching of Microsoft NetMeeting traffic. NetMeeting uses RTP for the video flows, and by default uses G.723 for audio and H.263 for video. To match both the audio and video for NetMeeting, a class map that matches either of the two RTP payload subtypes for G.723 and H.263 is needed. So, class map NetMeet uses match-any logic, and matches on RTP payload types 4 (G.723) and 34 (H.263). (For more background information on RTP payload types, refer to http://www.cisco.com/en/US/products/ps6616/products_white_paper09186a0080110040.shtml.)
The show policy-map interface command provides statistical information about the number of packets and bytes that have matched each class in the policy maps. The generic syntax is as follows:
show policy-map interface interface-name [vc [vpi/] vci] [dlci dlci] [input | output] [class class-name]
The end of Example 12-3 shows a sample of the command, which lists statistics for marking. If other MQC-based QoS features were configured, statistics for those features would also be displayed. As you see from the generic command, the show policy-map interface command allows you to select just one interface, either input or output, and even select a single class inside a single policy map for display.
The load-interval interface subcommand can also be useful when looking at any QoS tool’s statistics. The load-interval command defines the time interval over which IOS measures packet and bit rates on an interface. With a lower load interval, the statistics change more quickly; with a larger load interval, the statistics change more slowly. The default setting is 5 minutes, and it can be lowered to 30 seconds.
Example 12-3 also shows a common oversight with QoS configuration. Note that the first class in policy-map laundry-list is class voip-rtp. Because that class map matches all RTP audio, it matches the Microsoft NetMeeting audio stream as well, so the NetMeeting audio is not matched by class NetMeet that follows. If the first two classes (voip-rtp and NetMeet) called in the policy map had been reversed, then the NetMeeting audio would have been correctly matched in the NetMeet class, and all other audio would have been marked as part of the voip-rtp class.
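The first-match ordering problem described above, together with the match-all/match-any and nested class-map logic of Example 12-2, as an added Python model (not Cisco code). It simplifies NBAR matching to a "protocol" field on each packet and treats RTP payload types 0 through 23 as "rtp audio", an assumption the chapter does not state.

```python
"""Model of MQC class-map and policy-map evaluation (added example, not IOS code).

Packets are plain dicts holding only the fields the chapter's match commands look
at. NBAR "rtp audio" is approximated as RTP payload types 0-23 (the RFC 3551 static
audio types, G.711 and G.723 included); the chapter just says "all RTP audio".
"""

# class-map name -> (match_all, [(match kind, value), ...]).
# match-all is the IOS default, so it is spelled out for every class map here.
CLASS_MAPS = {
    # Example 12-2
    "example1":     (True,  [("access-group", 102), ("precedence", {5})]),
    "example2":     (False, [("access-group", 102), ("dscp", {"AF21"})]),
    "example3":     (True,  [("dscp", {0}), ("dscp", {1})]),      # never matches
    "example4":     (False, [("dscp", {0, 1})]),
    "i-am-nested":  (True,  [("access-group", 102), ("precedence", {5})]),
    "i-am-nesting": (False, [("class", "i-am-nested"), ("cos", {5})]),
    # Example 12-3
    "voip-rtp":     (True,  [("protocol", "rtp audio")]),
    "NetMeet":      (False, [("protocol rtp payload-type", 4),
                             ("protocol rtp payload-type", 34)]),
    "http-impo":    (True,  [("protocol http url", "*important*")]),
    "http-not":     (True,  [("protocol http url", "*not-so*")]),
}


def match_one(kind, value, pkt):
    """Evaluate a single match subcommand against one packet."""
    if kind == "access-group":                 # ACL numbers the packet is permitted by
        return value in pkt.get("acl", ())
    if kind in ("precedence", "dscp", "cos"):  # several values on one line: any one matches
        return pkt.get(kind) in value
    if kind == "class":                        # nested class map
        return class_matches(value, pkt)
    if kind == "protocol":                     # NBAR protocol match
        if value == "rtp audio":
            return pkt.get("protocol") == "rtp" and 0 <= pkt.get("pt", -1) <= 23
        return pkt.get("protocol") == value
    if kind == "protocol rtp payload-type":
        return pkt.get("protocol") == "rtp" and pkt.get("pt") == value
    if kind == "protocol http url":            # "*" means zero or more characters
        return pkt.get("protocol") == "http" and value.strip("*") in pkt.get("url", "")
    raise ValueError(f"unsupported match kind: {kind}")


def class_matches(name, pkt):
    """match-all is a logical AND of the match lines, match-any a logical OR."""
    match_all, criteria = CLASS_MAPS[name]
    results = [match_one(kind, value, pkt) for kind, value in criteria]
    return all(results) if match_all else any(results)


def apply_policy(policy, pkt):
    """policy: ordered list of (class name, {field: value}) as typed under policy-map.

    The first matching class wins, class-default catches whatever nothing else
    matched, and a class without set commands leaves the packet's markings alone.
    Returns (name of the class that matched or None, the packet after marking).
    """
    for cname, sets in policy:
        if cname == "class-default" or class_matches(cname, pkt):
            return cname, {**pkt, **sets}
    return None, dict(pkt)


# policy-map laundry-list from Example 12-3, in the order the classes were added
LAUNDRY_LIST = [
    ("voip-rtp",      {"dscp": "EF"}),
    ("NetMeet",       {"dscp": "AF41"}),
    ("http-impo",     {"dscp": "AF21"}),
    ("http-not",      {"dscp": "AF23"}),
    ("class-default", {"dscp": "default"}),
]
# the same policy with the first two classes reversed, as the text suggests
NETMEET_FIRST = [LAUNDRY_LIST[1], LAUNDRY_LIST[0]] + LAUNDRY_LIST[2:]
# constructed sample packets (field values chosen for this example)
G711_VOICE = {"protocol": "rtp", "pt": 0}              # G.711 PCMU call
NM_AUDIO = {"protocol": "rtp", "pt": 4}                # NetMeeting G.723 audio
FTP_DATA = {"protocol": "ftp-data", "dscp": "AF31"}    # arrives already marked


def demo():
    """Walk the chapter's cases; each key names a case, each value is its result."""
    return {
        "example3 on dscp 0": class_matches("example3", {"dscp": 0}),
        "example4 on dscp 1": class_matches("example4", {"dscp": 1}),
        "nesting: acl 102 + prec 5": class_matches("i-am-nesting", {"acl": {102}, "precedence": 5}),
        "nesting: cos 5 only": class_matches("i-am-nesting", {"cos": 5}),
        "nesting: acl 102 only": class_matches("i-am-nesting", {"acl": {102}}),
        "NetMeeting audio, as typed": apply_policy(LAUNDRY_LIST, NM_AUDIO)[0],
        "NetMeeting audio, reversed": apply_policy(NETMEET_FIRST, NM_AUDIO)[0],
        "G.711 voice, reversed": apply_policy(NETMEET_FIRST, G711_VOICE)[0],
        "ftp, no class-default": apply_policy(LAUNDRY_LIST[:4], FTP_DATA)[1]["dscp"],
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```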
CB Marking of CoS and DSCP
Example 12-4 shows how a router might be configured for CB Marking when an attached LAN switch is performing QoS based on CoS. In this case, R3 looks at frames coming in its fa0/0 interface, marking the DSCP values based on the incoming CoS settings. Additionally, R3 looks at the DSCP settings for packets exiting its fa0/0 interface toward the switch, setting the CoS values in the 802.1Q header. The actual values used on R3’s fa0/0 interface for classification and marking are as follows:
■ Frames entering with CoS 5 will be marked with DSCP EF.
■ Frames entering with CoS 1 will be marked with DSCP AF11.
■ Frames entering with any other CoS will be marked DSCP 0.
■ Packets exiting with DSCP EF will be marked with CoS 5.
■ Packets exiting with DSCP AF11 will be marked with CoS 1.
■ Packets exiting with any other DSCP will be marked with CoS 0.
The QoS policy requires two policy maps in this example. Policy map map-cos-to-dscp matches CoS values for frames entering R3’s fa0/0.1 interface, and marks DSCP values, for packets flowing right to left in Figure 12-5. Therefore, the policy map is enabled on input of R3’s fa0/0.1 interface. Policy map map-dscp-to-cos matches DSCP values for packets exiting R3’s fa0/0.1 interface, and marks the corresponding CoS value. Therefore, the policy map was enabled on the output of R3’s fa0/0.1 interface. Neither policy map could be applied on the WAN interface, because only interfaces configured for 802.1Q can have service-policy commands that reference policy maps that either classify or mark based on CoS.
Note that you cannot enable a policy-map that refers to CoS on interface fa0/0.2 in this example. That subinterface is in the native VLAN, meaning that no 802.1Q header is used.
Example 12-4 Marking DSCP Based on Incoming CoS, and Vice Versa
! The class maps each simply match a single CoS or DSCP value.
class-map cos1
 match cos 1
!
class-map cos5
 match cos 5
!
class-map AF11
 match dscp af11
!
class-map EF
 match dscp EF
! This policy map will map incoming CoS to a DSCP value
policy-map map-cos-to-dscp
 class cos1
  set DSCP af11
 class cos5
  set ip DSCP EF
 class class-default
  set ip dscp default
! This policy map will map incoming DSCP to outgoing CoS. Note that the DSCP
! value is not changed.
policy-map map-dscp-to-cos
 class AF11
  set cos 1
 class EF
  set cos 5
 class class-default
  set cos 0
!
! The policy maps are applied to an 802.1q subinterface.
interface FastEthernet0/0.1
 encapsulation dot1Q 102
 service-policy input map-cos-to-dscp
 service-policy output map-dscp-to-cos
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2 native
Network-Based Application Recognition
CB Marking can make use of NBAR’s powerful classification capabilities via the match protocol subcommand. Example 12-5 shows a configuration for CB Marking and NBAR in which the following requirements are met:
■ Any HTTP traffic whose URL contains the string “important” anywhere in the URL is marked with AF21.
■ Any HTTP traffic whose URL contains the string “not-so” anywhere in the URL is marked with DSCP default.
■ All other traffic is marked with AF11.
Example 12-5 shows the configuration, along with a few NBAR-related show commands.
Example 12-5 CB Marking Based on URLs, Using NBAR for Classification
ip cef
! The "*" in the url string is a wildcard meaning "0 or more characters."
class-map http-impo
 match protocol http url "*important*"
class-map http-not
 match protocol http url "*not-so*"
! The policy map lists the three classes in order, setting the DSCP values.
policy-map http
 class http-impo
  set dscp AF21
 !
 class http-not
  set dscp default
 !
 class class-default
  set DSCP AF11
! The ip nbar protocol-discovery command may or may not be required; see the notes
! following this example.
interface fastethernet 0/0
 ip nbar protocol-discovery
 service-policy input http
! The show ip nbar command only displays statistics if the ip nbar
! protocol-discovery command is applied to an interface. These statistics are
! independent of those created by CB Marking. This example shows several of
! the large number of options on the command.
R3# show ip nbar protocol-discovery interface fastethernet 0/0 stats packet-count top-n 5
 FastEthernet0/0
                            Input                    Output
   Protocol                 Packet Count             Packet Count
   ------------------------ ------------------------ ------------------------
   http                     721                      428
   eigrp                    635                      0
   netbios                  199                      0
   icmp                     1                        1
   bgp                      0                        0
   unknown                  46058                    63
   Total                    47614                    492
NOTE Before the 12.2T/12.3 IOS releases, the ip nbar protocol-discovery command was required on an interface before using a service-policy command that used NBAR matching. With 12.2T/12.3 series releases, this command is no longer required.
The use of the match protocol command implies that NBAR will be used to match the packet. Unlike most other IOS features, you can upgrade NBAR without changing to a later IOS version. Cisco uses a feature called Packet Description Language Modules (PDLMs) to define new protocols that NBAR should match. When Cisco decides to add one or more new protocols to the list of protocols that NBAR should recognize, it creates and compiles a PDLM. You can then download the PDLM from Cisco, copy it into Flash memory, and add the ip nbar pdlm pdlm-name command to the configuration, where pdlm-name is the name of the PDLM file in Flash memory. NBAR can then classify based on the protocol information from the new PDLM.
CB Marking Design Choices
The intent of CB Marking is to simplify the work required of other QoS tools by marking packets of the same class with the same QoS marking. For other QoS tools to take advantage of those markings, packets should generally be marked as close to the ingress point of the packet as possible. However, the earliest possible point may not be a trusted device. For instance, in Figure 12-5 (the figure upon which Examples 12-3 and 12-4 are based), Server1 could set its own DSCP and even CoS if its NIC supported trunking. However, trusting the server administrator may or may not be desirable. So, the following rule summarizes how to choose the best location to perform marking:
Mark as close to the ingress edge of the network as possible, but not so close to the edge that the marking is made by an untrusted device.
Cisco QoS design guide documents make recommendations not only as to where to perform marking, but also as to which CoS, IPP, and DSCP values to set for certain types of traffic. Table 12-9 summarizes those recommendations.
Table 12-9 RFC-Recommended Values for Marking
Type of Traffic                     CoS  IPP  DSCP
Voice payload                       5    5    EF
Video payload                       4    4    AF41
Voice/video signaling               3    3    CS3
Mission-critical data               3    3    AF31, AF32, AF33
Transactional data                  2    2    AF21, AF22, AF23
Bulk data                           1    1    AF11, AF12, AF13
Best effort                         0    0    BE
Scavenger (less than best effort)   0    0    2, 4, 6
Also note that Cisco recommends not to use more than four or five different service classes for data traffic. By using more classes, the difference in behavior between the various classes tends to blur. For the same reason, do not give too many data service classes premium service.
Marking Using Policers
Traffic policers measure the traffic rate for data entering or exiting an interface, with the goal of determining if a configured traffic contract has been exceeded. The contract has two components: a traffic rate, configured in bits/second, and a burst size, configured as a number of bytes. If the traffic is within the contract, all packets are considered to have conformed to the contract. However, if the rate or burst exceeds the contract, then some packets are considered to have exceeded the contract. QoS actions can be taken on both categories of traffic.
The simplest form of policing enforces the traffic contract strictly by forwarding conforming packets and discarding packets that exceed the contract. However, both IOS policers allow a compromise action in which the policer marks down packets instead of dropping them. To mark down the packet, the policer re-marks a QoS field, typically IPP or DSCP, with a value that makes the packet more likely to be dropped downstream. For instance, a policer could re-mark AF11 packets that exceed a contract with a new DSCP value of AF13, but not discard the packet. By doing so, the packet still passes through the router, but if the packet experiences congestion later in its travels, it is more likely to be dropped than it would have otherwise been. (Remember, DiffServ suggests that AF13 is more likely to be dropped than AF11 traffic.)
When marking requirements can be performed by using CB Marking, CB Marking should be used instead of either policer. However, if a requirement exists to mark packets based on whether they conform to a traffic contract, marking with policers must be used. Chapter 14, “Shaping and Policing,” covers CB policing, with an example of the syntax it uses for marking packets.
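The arithmetic behind the decimal DSCP values printed by show policy-map in Example 12-3, the CoS/IPP columns of Table 12-9, and the AF11-to-AF13 mark-down just described, as an added Python example (not IOS code). The AFxy = 8x + 2y and CSx = 8x formulas and the fact that IP Precedence is the top three bits of the DSCP are DiffServ definitions the chapter relies on but does not spell out.

```python
"""DSCP, IP Precedence and CoS arithmetic behind this chapter's values (added
example, not IOS code). AFxy = 8*x + 2*y, CSx = 8*x, EF = 46, default = 0, and
IP Precedence is the top three bits of the DSCP, which is why IOS prints
'set ip dscp 18' for AF21 and why Table 12-9 pairs AF41 with IPP and CoS 4."""

TABLE_12_9 = [  # (traffic type, CoS/IPP, DSCP names) as listed in Table 12-9
    ("Voice payload", 5, ["EF"]),
    ("Video payload", 4, ["AF41"]),
    ("Voice/video signaling", 3, ["CS3"]),
    ("Mission-critical data", 3, ["AF31", "AF32", "AF33"]),
    ("Transactional data", 2, ["AF21", "AF22", "AF23"]),
    ("Bulk data", 1, ["AF11", "AF12", "AF13"]),
    ("Best effort", 0, ["BE"]),
    ("Scavenger", 0, ["2", "4", "6"]),
]


def dscp_value(name):
    """Decimal DSCP for a name as typed in set dscp / match dscp (case-insensitive)."""
    n = str(name).upper()
    if n == "EF":
        return 46
    if n in ("DEFAULT", "BE"):
        return 0
    if n.startswith("AF") and len(n) == 4 and n[2:].isdigit():
        cls, drop = int(n[2]), int(n[3])          # class 1-4, drop precedence 1-3
        if 1 <= cls <= 4 and 1 <= drop <= 3:
            return 8 * cls + 2 * drop
    if n.startswith("CS") and len(n) == 3 and n[2] in "1234567":
        return 8 * int(n[2])
    if n.isdigit() and 0 <= int(n) <= 63:
        return int(n)
    raise ValueError(f"not a DSCP name or value: {name}")


def dscp_name(value):
    """Inverse of dscp_value; non-standard code points come back as decimal strings."""
    if not 0 <= value <= 63:
        raise ValueError(f"DSCP out of range: {value}")
    if value == 46:
        return "EF"
    if value == 0:
        return "default"
    cls, low = value >> 3, value & 7
    if 1 <= cls <= 4 and low in (2, 4, 6):
        return f"AF{cls}{low // 2}"
    if low == 0:
        return f"CS{cls}"
    return str(value)


def ip_precedence(dscp):
    """IPP is the upper three bits of the six-bit DSCP (bits 7-5 of the ToS byte)."""
    return dscp >> 3


def tos_byte(dscp, ecn=0):
    """ToS byte = DSCP in the top six bits, ECN in the low two (this is the byte
    that the chapter says is copied to a tunnel header on encapsulation)."""
    return (dscp << 2) | (ecn & 0b11)


def dscp_from_tos(tos):
    return tos >> 2


def mark_down(name, drop_precedence):
    """Policer-style mark-down: keep the AF class, raise the drop precedence (AF11 -> AF13)."""
    n = str(name).upper()
    if not (n.startswith("AF") and len(n) == 4 and n[2:].isdigit()):
        raise ValueError(f"only AF code points can be marked down: {name}")
    if not int(n[3]) < drop_precedence <= 3:
        raise ValueError(f"{name} cannot be marked down to drop precedence {drop_precedence}")
    return f"AF{n[2]}{drop_precedence}"


def table_12_9_consistent():
    """True if every Table 12-9 row's CoS/IPP equals the top three bits of its DSCPs."""
    return all(ip_precedence(dscp_value(d)) == ipp
               for _, ipp, names in TABLE_12_9 for d in names)


if __name__ == "__main__":
    for n in ("EF", "AF41", "AF21", "AF23", "default"):   # the values show policy-map printed
        v = dscp_value(n)
        print(f"{n:8} dscp {v:2}  ipp {ip_precedence(v)}  tos 0x{tos_byte(v):02x}")
    print("AF11 marked down:", mark_down("AF11", 3))
    print("Table 12-9 CoS/IPP equals DSCP>>3:", table_12_9_consistent())
```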
QoS Pre-Classification
With unencrypted, unencapsulated traffic, routers can match and mark QoS values, and perform ingress and egress actions based on markings, by examining the IP headers. However, what happens if the traffic is encrypted? If we encapsulate traffic inside a VPN tunnel, the original headers and packet contents are unavailable for inspection. The only thing we have to work with is the ToS byte of the original packet, which is automatically copied to the tunnel header (in IPsec transport mode, in tunnel mode, and in GRE tunnels) when the packet is encapsulated. But features like NBAR are broken when we are dealing with encapsulated traffic.
The issue that arises from this inherent behavior of tunnel encapsulation is the inability of a router to take egress QoS actions based on encrypted traffic. To mitigate this limitation, Cisco IOS includes a feature called QoS pre-classification. This feature can be enabled on VPN endpoint routers to permit the router to make egress QoS decisions based on the original traffic, before encapsulation, rather than just the encapsulating tunnel header. QoS pre-classification works by keeping the original, unencrypted traffic in memory until the egress QoS actions are taken.
You can enable QoS pre-classification in tunnel interface configuration mode, virtual-template configuration mode, or crypto map configuration mode by issuing the qos pre-classify command. You can view the effects of pre-classification using several show commands, which include show interface and show crypto-map.
Table 12-10 lists the modes in which you apply the qos pre-classify command.
Table 12-10 Where to Use the qos pre-classify Command
Configuration Command Under Which qos pre-classify Is Configured   VPN Type
interface tunnel                                                   GRE and IPIP
interface virtual-template                                         L2F and L2TP
crypto map                                                         IPsec
Policy Routing for Marking
Policy routing provides the capability to route a packet based on information in the packet besides the destination IP address. The policy routing configuration uses route maps to classify packets. The route-map clauses include set commands that define the route (based on setting a next-hop IP address or outgoing interface).
Policy routing can also mark the IPP field, or the entire ToS byte, using the set command in a route map. When using policy routing for marking purposes, the following logic sequence is used:
1. Packets are examined as they enter an interface.
2. A route map is used to match subsets of the packets.
3. Mark either the IPP or entire ToS byte using the set command.
4. The traditional policy routing function of using the set command to define the route may also be configured, but it is not required.
Policy routing should be used to mark packets only in cases where CB Marking is not available, or when a router needs to both use policy routing and mark packets entering the same interface.
Refer to Chapter 6, “IP Forwarding (Routing),” for a review of policy routing configuration, and note the syntax of the set commands for marking, listed in Table 6-5.