IWAN AVC/QoS Design. Kelly Fleshner, Communications Architect. CCIE # years BRKRST-2043

Transcription

1

2 IWAN AVC/QoS Design Kelly Fleshner, Communications Architect CCIE # years BRKRST-2043

3 Cisco Spark How Questions? Use Cisco Spark to chat with the speaker after the session 1. Find this session in the Cisco Live Mobile App 2. Click Join the Discussion 3. Install Spark or go directly to the space 4. Enter messages/questions in the space Cisco Spark spaces will be available until July 3, cs.co/ciscolivebot#brkrst Cisco and/or its affiliates. All rights reserved. Cisco Public

4 Housekeeping Who am I? Intermediate Class This is not an Introduction to IWAN session This is not an IWAN Design session (Some design aspects will be discussed) This session is about how to configure AVC/QoS with your Cisco Intelligent WAN Session Abstract: The most expensive bandwidth in the enterprise is in the WAN; as such, it should be fully optimized to deliver maximum ROI. This session focuses on how to deliver such optimization by deploying Application Visibility and Control (AVC) and Quality of Service (QoS) over the Intelligent WAN (IWAN). Cisco s QoS paradigm will be reviewed and applied to the IWAN, along with best practice QoS design recommendations. Practical and detailed design configurations will be presented for hierarchical QoS policies for subline rate Ethernet handoffs, MPLS VPN Class-of-Service mapping and DMVPN per-tunnel QoS. Additionally, new AVC/QoS technologies, such as NBAR2 QoS attributes will be introduced and applied to the IWAN. Cisco Prime Infrastructure templates for deploying and managing the IWAN will be reviewed, as will Cisco s SD-WAN solution, the APIC-EM IWAN application, to show how the IWAN QoS and PfR can be centrally controlled. BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 4

5 Agenda Cisco s Approach to AVC/QoS Ingress LAN AVC/QoS Design Egress WAN AVC/QoS Design SD-WAN QoS APIC-EM IWAN App Summary and References

6 The Why of AVC/QoS AVC & QoS Transform your business through powerful yet simple networks that are customized and optimized to meet your needs Why BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 6

7 Cisco s Approach to AVC/QoS 7

8 Where to start? Strategic vs Tactical VS BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 8

9 Levels of QoS Policy Abstraction Strategic vs. Tactical Strategic QoS Policy (WHY you want QoS) reflects business intent is not constrained by any technical or administrative limitation is end-to-end Tactical QoS Policy (HOW you are going to do it / WHAT you configure) adapts the strategic business intent to the maximum of platform s capabilities is limited by various tactical constraints, including: Media constraints (e.g. the WLAN has only 4 levels of service [access categories]) Platform constraints (e.g. a Catalyst 3750 has only 4 hardware queues) Interface constraints (e.g. a T1 WAN link has limited bandwidth) Role constraints (e.g. a CE may need to map into a reduced set of SP Classes-of-Service) BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 9

10 Strategic QoS Design Part 1 of 4: Always Start with Defining the Business Goals of QoS Guaranteeing voice quality meets enterprise standards Ensuring a high Quality of Experience for video applications Improving user productivity by minimizing network response times Managing business applications that are bandwidth hogs Identifying and de-prioritizing non-business applications Improving network availability by protecting the control planes Hardening the network infrastructure to deal with abnormal events BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 10

11 Strategic QoS Design Part 2 of 4: Assign Business-Relevance to Applications Relevant Default Irrelevant These applications directly support business objectives Applications should be classified, marked and treated marked according to industry best-practice recommendations These applications may/may not support business objectives (e.g. HTTP/HTTPS/SSL) Applications of this type should be treated with a Default Forwarding service These applications do not support business objectives and are typically consumer-oriented Applications of this type should be treated with a less-than Best Effort service RFC 4594 RFC 2474 RFC 3662 BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 11

12 Strategic QoS Design Part 3a of 4: Assign Control Plane to traffic-classes Control Plane? Yes Network Control? Yes Network Control No No Signaling? Yes Signaling Is the protocol a Network Control protocol? This includes all network routing and control-plane protocols E.g. BGP, OSPF, EIGRP, HSRP, IKE, etc. Is the protocol a Signaling protocol? OAM? This includes all call signaling / bandwidth reservation protocols E.g. SIP, Skinny, H.323, RSVP etc. No Yes OAM Is the protocol an Operations / Administration / Management protocol? This includes all network management protocols (e.g. SNMP, Telnet, SSH, Syslog, NetFlow, etc.) BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 12

13 Strategic QoS Design Part 3b of 4: Assign Voice applications / sub-components to voice traffic-class Voice? Yes Voice No Is the application voice? Audio-only media (e.g. G.711, G.729 etc.) Note: This class may be used for the audio-component of multimedia applications, such as Cisco Jabber and/or Microsoft Lync; however, this option should ONLY be considered if this causes no conflict with your overall Call Admission Control strategy and voice-queue provisioning BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 12

14 Strategic QoS Design Part 3c of 4: Assign Video applications / sub-components to traffic-classes Video? Yes Unidirectional? Yes Elastic? Yes Multimedia-Streaming No No (Bidirectional) No (Inelastic) Broadcast Video Elastic? Yes Multimedia-Conferencing Is the application video? If yes: determine if the application is unidirectional or bidirectional? Then determine if the application is elastic (i.e. adaptive to congestion/drops) or inelastic? No (Inelastic) Realtime-Interactive BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 13

15 Strategic QoS Design Part 3d of 4: Assigning Data applications to traffic-classes Data? Yes Foreground? Yes Transactional Data No Best Effort No (Background) Bulk Data Is the application Data? Then determine: Is the application foreground or background? Foreground applications will directly impact user-productivity with network delays Background applications will not (as these are typically machine-to-machine flows) However, these apps can be very bandwidth intensive (if unrestrained) If it is not known if a data app is foreground, then assume it is background Otherwise the application/protocol remains in the default class (Best Effort) BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 14

16 Strategic QoS Design Part 3e of 4: Apply RFC 4594-based Marking / Queuing / Dropping Treatments Application Class Per-Hop Behavior Queuing & Dropping Application Examples VoIP Telephony EF Priority Queue (PQ) Cisco IP Phones (G.711, G.729) Broadcast Video CS5 (Optional) PQ Cisco IP Video Surveillance / Cisco Enterprise TV Real-Time Interactive CS4 (Optional) PQ Cisco TelePresence Multimedia Conferencing AF4 BW Queue + DSCP WRED Cisco Jabber, Cisco WebEx Relevant Multimedia Streaming AF3 BW Queue + DSCP WRED Cisco Digital Media System (VoDs) Network Control CS6 BW Queue EIGRP, OSPF, BGP, HSRP, IKE Signaling CS3 BW Queue SCCP, SIP, H.323 Ops / Admin / Mgmt (OAM) CS2 BW Queue SNMP, SSH, Syslog Transactional Data AF2 BW Queue + DSCP WRED ERP Apps, CRM Apps, Database Apps Default Bulk Data AF1 BW Queue + DSCP WRED , FTP, Backup Apps, Content Distribution Best Effort DF Default Queue + RED Default Class Scavenger CS1 BW Queue (Deferential) YouTube, Netflix, itunes, BitTorrent, Xbox Live Irrelevant BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 16

17 Strategic QoS Design Part 4 of 4: Assign bandwidth allocation targets BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 17

18 Strategic QoS Design: At-A-Glance Reference BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 18

19 IWAN-Specific QoS Design Considerations 19

20 What is IWAN from a QoS Perspective? Replacing expensive MPLS service with business class internet Performance Routing (PfR) to load balance / provide resiliency / best path Dynamic Multipoint VPN (DMVPN) overlay on MPLS and Internet Up to 2,000 remote sites per hub router in a single domain MPLS will have Service Provider QoS, but with Internet we assume none BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 20

21 IWAN Hybrid Model MPLS and Internet Transports Hub MC Hub BR Hub BR MPLS INET T1 Branch 50 Mbps Branch 20 Mbps Branch 10 Mbps Branch T3 Branch BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 21

22 Hub Site QoS Scheduling MPLS Transport Bandwidth Sharing Between Tunnels Shape for Service Rate Shape for Remote Site Last Mile 1.5 Mbps 50 Mbps T1 Branch 50 Mbps Branch Hub BR GE Per Site Bandwidth Sharing Within Tunnel 100 Mbps Service Rate 20 Mbps 10 Mbps 45 Mbps T3 Branch 20 Mbps Branch 10 Mbps Branch BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 22

23 Hub Site QoS Scheduling Hierarchy Three Levels: Child / Parent / Grandparent Police 150K Per-SA QoS Site1 T1 Police 4.5M Per-SA QoS Site2 T3 Police 1M Per-SA QoS Site N 10 Mbps priority data class-default priority data class-default priority data class-default P1 P1 P1 Child Queuing Policy on Tunnel Bandwidth sharing within tunnel Parent Shaping Policies on Tunnel Bandwidth sharing between tunnels Shape for remote site last mile To Physical Grandparent Shaping Policy on Physical Shape for service rate BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 23

24 Branch QoS Scheduling Hierarchy Two Levels: Child / Parent Police 1M priority data class-default Child Queuing Policy on Physical Bandwidth sharing within tunnel P1 To Physical Parent Shaping Policy on Physical Shape for service rate BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 24

25 QoS Tools Review: Policing Priority Queue with Always On Policer (Explicit Policer) Behavior with No Congestion Behavior with Congestion Offered Load 30 Mbps 30 Mbps 90 Mbps Always On Policer 20 Mbps Police 20M 20 Mbps Police 20M priority data class-default priority data class-default P1 P1 Expected Throughput Per Class 20 Mbps 100 Mbps Interface policy-map ALWAYS-ON-POLICER class PRIORITY priority level 1 police cir Mbps 100 Mbps Interface 80 Mbps BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 25

26 QoS Tools Review: Policing & Shaping Tools Shaping Effect on Traffic Patterns Line Rate Service Rate Without Traffic Shaping With Traffic Shaping Traffic Shaping Limits the Transmit Rate to a Value Lower Than Line Rate Policers typically drop traffic Shapers delay excess traffic, smooth bursts and prevent unnecessary drops policy-map CLASS-BASED-SHAPER class class-default shape average 10 Mbps service-policy WAN BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 26

27 QoS Tools Review: Queuing Bandwidth Percent vs Bandwidth Remaining Percent Bandwidth Percent specifies bandwidth allocation as a percentage of the value entered in the bandwidth command on the interface Bandwidth percentages have to take into account priority percent values They have to be adjusted when priority bandwidth values are changed Bandwidth Remaining Percent specifies bandwidth allocation as a percentage of the bandwidth value that has not been allocated to priority classes Bandwidth remaining percentages must equal 100% The bandwidth automatically adjusts when priority bandwidth values are changed The two features cannot be used in the same policy map Examples: Bandwidth Percent (BWP) Service Rate Bandwidth = 10Mbps Priority Queue 10% = 1 Mbps BWP of 30% = 10 x.30 = 3.0 Mbps Bandwidth Remaining Percent (BWR) Service Rate Bandwidth = 10Mbps Priority Queue 10% = 1 Mbps BWR of 30% = 10 1 = 9 x.30 = 2.7 Mbps BWR of 33% = 10 1 = 9 x.33 = 3.0 Mbps PQ Change in Value Service Rate Bandwidth = 10Mbps Priority Queue 20% = 2 Mbps BWR of 30% = 10 2 = 8 x.30 = 2.4 Mbps BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 27

28 Aggregate Priority Load Priority Propagation / Passing Lanes Police 150K Police 4.5M Police 1M priority data class-default priority data class-default priority data class-default P1 P1 P1 Priority traffic is always serviced first at each level of the QoS scheduling hierarchy To Physical BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 28

29 Aggregate Priority Load IWAN Conclusion For Voice, use an Always On policer, rather than a Conditional policer class VOICE priority level 1 police cir percent 10 For Video, use a Bandwidth Remaining Percent (BWR) queue with DSCP-based WRED, rather than a level 2 Priority queue class INTERACTIVE-VIDEO bandwidth remaining percent 30 random-detect dscp-based Always On Policer Police 10% BWR 30% Class-Based WFQ DSCP-based WRED voice data video class-default P1 BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 29

30 IPsec Anti-Replay Message Integrity Designed to identify packet capture/replay by 3rd party Message Integrity Sender assigns sequence number per Security Association (SA) to encrypted packets Receiver maintains 64 packet sliding window by default Default 64 Packet Sliding Window Packet Flow into Router BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 30

31 IPsec Anti-Replay Message Integrity Designed to identify packet capture/replay by 3rd party Message Integrity Sender assigns sequence number per Security Association (SA) to encrypted packets Receiver maintains 64 packet sliding window by default Window moves right to include higher sequence numbers Window marks packets as received or not Packets to the left of the window are dropped Default 64 Packet Sliding Default Window 64 Packet Sliding Window Packet Flow into Router Anti-Replay Drops BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 31

32 IPsec Anti-Replay and QoS IWAN Conclusion Packets In Crypto Engine (Adds Sequence Number) On a congested interface, a low-priority packet may be delayed by queuing, and then, arrive at the next router after the anti-replay window has been exceeded Also, if an encrypted packet arrives out of sequence by the window size (default is 64 packets), the packet is dropped Increasing the anti-replay window size has no impact on throughput or security The impact on memory is insignificant because only an extra 128 bytes per incoming IPsec SA is needed Use the maximum replay window-size of 1024 for each supported platform Enqueue 25 Dropped By Policer Police priority data class-default P Queue Tail Drop crypto ipsec security-association replay window-size Packets Out BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 32

33 Ingress LAN AVC/QoS Design 33

34 NBAR2 Overview Cisco Network Based Application Recognition (NBAR) can identify applications/protocols via deep-packet inspection (DPI) To assist in policy-definition and in browsing, the extensive application library is grouped by various attributes, such as categories and sub-categories Category Sub-category Application-group P2P-technology? First level grouping of applications with similar functionalities Second level grouping of applications with similar functionalities Grouping of applications based on brand or application suite Indicates application is peer-to-peer All DPI engines require symmetrical data paths to identify certain types of traffic. The most common types are peer-to-peer and application-group traffic. Since IWAN is inherently asymmetrical, NBAR classification and marking is not documented in the latest IWAN CVD. Encrypted? Indicates application is encrypted Tunneled? Indicates application uses tunneling technique Cisco is working on a solution for IWAN 2.x and IWAN 3.x to address this well-known problem. BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 34

35 New NBAR2 Attribute: Traffic-Class Name voip-telephony broadcast-video real-time-interactive multimedia-conferencing multimedia-streaming network-control signaling ops-admin-mgmt transactional-data bulk-data Description VoIP telephony (bearer-only) traffic Broadcast TV, live events, video surveillance High-definition interactive video applications Desktop software multimedia collaboration applications Video-on-Demand (VoD) streaming video Network control plane traffic Signaling traffic that supports IP voice and video telephony Network operations, administration, and management traffic Interactive data applications Non-interactive data applications Introduced in IOS XE 3.16S and IOS 15.5(3)M BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 35

36 New NBAR2 Attribute: Business-Relevance Name business-relevant default business-irrelevant Description Business critical applications Related business applications Non business applications Introduced in IOS XE 3.16S and IOS 15.5(3)M BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 36

37 New NBAR2 QoS Attributes Business Relevance Attribute and Traffic-Class Attribute show ip nbar protocol-attribute skype encrypted tunnel category sub-category application-group p2p-technology traffic-class business-relevance encrypted-yes tunnel-no consumer-messaging consumer-multimedia-messaging skype-group p2p-tech-yes Multimedia-conferencing business-irrelevant BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 37

38 Changing the Business-Relevancy of an Application Step 1: Create an Attribute-Map with the Desired Setting ip nbar attribute-map BUSINESS-RELEVANT attribute business-relevance business-relevant Step 2: Associate the Application with the Desired Attribute-Map ip nbar attribute-set skype BUSINESS-RELEVANT BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 38

39 LAN Edge AVC/QoS for Applications class-map match-all VOICE-NBAR match protocol attribute traffic-class voip-telephony match protocol attribute business-relevance business-relevant class-map match-all BROADCAST_VIDEO-NBAR match protocol attribute traffic-class broadcast-video match protocol attribute business-relevance business-relevant class-map match-all REAL_TIME_INTERACTIVE-NBAR match protocol attribute traffic-class real-time-interactive match protocol attribute business-relevance business-relevant class-map match-all MULTIMEDIA_CONFERENCING-NBAR match protocol attribute traffic-class multimedia-conferencing match protocol attribute business-relevance business-relevant class-map match-all MULTIMEDIA_STREAMING-NBAR match protocol attribute traffic-class multimedia-streaming match protocol attribute business-relevance business-relevant class-map match-all SIGNALING-NBAR match protocol attribute traffic-class signaling match protocol attribute business-relevance business-relevant class-map match-all NETWORK_CONTROL-NBAR match protocol attribute traffic-class network-control match protocol attribute business-relevance business-relevant class-map match-all NETWORK_MANAGEMENT-NBAR match protocol attribute traffic-class ops-admin-mgmt match protocol attribute business-relevance business-relevant class-map match-all TRANSACTIONAL_DATA-NBAR match protocol attribute traffic-class transactional-data match protocol attribute business-relevance business-relevant class-map match-all BULK_DATA-NBAR match protocol attribute traffic-class bulk-data match protocol attribute business-relevance business-relevant class-map match-all SCAVENGER-NBAR match protocol attribute business-relevance business-irrelevant BRKRST-2043 policy-map INGRESS-MARKING class VOICE-NBAR set dscp ef class BROADCAST_VIDEO-NBAR set dscp cs5 class REAL_TIME_INTERACTIVE-NBAR set dscp cs4 class MULTIMEDIA_CONFERENCING-NBAR set dscp af41 class MULTIMEDIA_STREAMING-NBAR set dscp af31 class SIGNALING-NBAR set dscp cs3 class NETWORK_CONTROL-NBAR set dscp cs6 class NETWORK_MANAGEMENT-NBAR set dscp cs2 class TRANSACTIONAL_DATA-NBAR set dscp af21 class BULK_DATA-NBAR set dscp af11 class SCAVENGER-NBAR set dscp cs1 class class-default set dscp default <- Optional 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 39

40 Implementing Ingress Marking on LAN Platform Specifics policy-map INGRESS-MARKING class VOICE-NBAR set dscp ef class BROADCAST_VIDEO-NBAR set dscp cs5 class REAL_TIME_INTERACTIVE-NBAR set dscp cs4 class MULTIMEDIA_CONFERENCING-NBAR set dscp af41 class MULTIMEDIA_STREAMING-NBAR set dscp af31 class SIGNALING-NBAR set dscp cs3 class NETWORK_CONTROL-NBAR set dscp cs6 class NETWORK_MANAGEMENT-NBAR set dscp cs2 class TRANSACTIONAL_DATA-NBAR set dscp af21 class BULK_DATA-NBAR set dscp af11 class SCAVENGER-NBAR set dscp cs1 class class-default set dscp default <- Optional ISR G2 Branch Router: interface GigabitEthernet0/2.64 service-policy input INGRESS-MARKING ISR 4K and ASR 1K Router on Physical: platform qos marker-statistics interface GigabitEthernet0/0/2.64 service-policy input INGRESS-MARKING ISR 4K Router on Port-Channel: platform qos marker-statistics port-channel load-balancing vlan-manual interface Port-channel1.64 service-policy input INGRESS-MARKING ASR 1K Router on Port-Channel: platform qos marker-statistics platform qos port-channel-aggregate 1 interface Port-channel1.64 service-policy input INGRESS-MARKING Must be added before policy-map is attached to an interface Must be added before creation of port-channel interface BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 40

41 NBAR QoS Attributes: At-A-Glance Reference BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 41

42 Egress WAN AVC/QoS Design 42

43 QoS Scheduling Requirements Review Bandwidth Sharing Between Tunnels Shape for Service Rate Shape for Remote Site Last Mile 1.5 Mbps 50 Mbps T1 Branch 50 Mbps Branch Hub BR GE Per Site Bandwidth Sharing Within Tunnel 100 Mbps Service Rate 20 Mbps 10 Mbps 45 Mbps T3 Branch 20 Mbps Branch 10 Mbps Branch BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 43

44 Bandwidth Sharing within Tunnel Combining 12 Classes into an 8-Class Queueing Model Application DSCP 8-Class Model Internetwork Control CS6 VoIP EF Broadcast Video CS5 VOICE 10% PQ NET-CTRL 5% BWR Multimedia Conferencing Real-Time Interactive Multimedia Streaming Signaling Transactional Data Network Management (OAM) Bulk Data Scavenger Best Effort AF41 CS4 AF31 CS3 AF21 CS2 AF11 CS1 DF INTERACTIVE-VIDEO 30% BWR STREAMING-VIDEO 10% BWR CALL-SIGNALING 4% BWR CRITICAL-DATA 25% BWR SCAVENGER 1% BWR DEFAULT 25% BWR PQ = Priority Queue BWR = Bandwidth Remaining Note: Bandwidth Remaining Percentages must equal 100% BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 44

45 Bandwidth Sharing within Tunnel Child Policy for Hub and Branch IWAN 8-Class Class-Maps class-map match-any VOICE match dscp ef class-map match-any INTERACTIVE-VIDEO match dscp cs4 af41 af42 af43 class-map match-any STREAMING-VIDEO match dscp cs5 af31 af32 af33 class-map match-any NET-CTRL match dscp cs6 class-map match-any CALL-SIGNALING match dscp cs3 class-map match-any CRITICAL-DATA match dscp cs2 af11 af12 af13 af21 af22 af23 class-map match-any SCAVENGER match dscp cs1 NOTE: The following command is only needed in WRED classes for ISR 4K platforms due to an inadvertent change in the default setting when we transitioned ISRs from IOS to IOS XE CSCve15383 is committed so the default will change automatically in an upcoming release IWAN 8-Class Policy-Map policy-map WAN class INTERACTIVE-VIDEO bandwidth remaining percent 30 random-detect dscp-based random-detect exponential-weighting-constant 9 class STREAMING-VIDEO bandwidth remaining percent 10 random-detect dscp-based random-detect exponential-weighting-constant 9 class NET-CTRL bandwidth remaining percent 5 class CALL-SIGNALING bandwidth remaining percent 4 class CRITICAL-DATA bandwidth remaining percent 25 random-detect dscp-based random-detect exponential-weighting-constant 9 class SCAVENGER bandwidth remaining percent 1 class VOICE priority level 1 police cir percent 10 class class-default bandwidth remaining percent 25 random-detect random-detect exponential-weighting-constant 9 BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 45

46 Bandwidth Sharing within Tunnel (Optional) Child Policy for Hub and Branch with Increased Granularity IWAN 8-Class Class-Maps class-map match-any VOICE match dscp ef class-map match-any INTERACTIVE-VIDEO match dscp cs4 match dscp af41 match dscp af42 match dscp af43 class-map match-any STREAMING-VIDEO match dscp cs5 match dscp af31 match dscp af32 match dscp af33 class-map match-any NET-CTRL match dscp cs6 class-map match-any CALL-SIGNALING match dscp cs3 class-map match-any CRITICAL-DATA match dscp cs2 match dscp af11 match dscp af12 match dscp af13 match dscp af21 match dscp af22 match dscp af23 class-map match-any SCAVENGER match dscp cs1 List each match dscp on its own line for more granularity IWAN 8-Class Policy-Map policy-map WAN class INTERACTIVE-VIDEO bandwidth remaining percent 30 random-detect dscp-based random-detect exponential-weighting-constant 9 class STREAMING-VIDEO bandwidth remaining percent 10 random-detect dscp-based random-detect exponential-weighting-constant 9 class NET-CTRL bandwidth remaining percent 5 class CALL-SIGNALING bandwidth remaining percent 4 class CRITICAL-DATA bandwidth remaining percent 25 random-detect dscp-based random-detect exponential-weighting-constant 9 class SCAVENGER bandwidth remaining percent 1 class VOICE priority level 1 police cir percent 10 class class-default bandwidth remaining percent 25 random-detect random-detect exponential-weighting-constant 9 BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 46

47 Hub QoS Scheduling Three Levels: Child / Parent / Grandparent Review Police 150K Police 4.5M Police 1M priority data class-default priority data class-default priority data class-default P1 P1 P1 Child Queuing Policy on Tunnel Parent Shaping Policies on Tunnel WAN Aggregation Node Grandparent Shaping Policy on Physical BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 47

48 DMVPN Per Tunnel QoS Implementing Per-Site Traffic Shaping policy-map RS-GROUP-50MBPS-POLICY class class-default shape average 50 Mbps bandwidth remaining ratio 50 service-policy WAN policy-map RS-GROUP-20MBPS-POLICY class class-default shape average 20 Mbps bandwidth remaining ratio 20 service-policy WAN policy-map RS-GROUP-10MBPS-POLICY class class-default shape average 10 Mbps bandwidth remaining ratio 10 service-policy WAN Separate child / parent policies for each remote-site bandwidth policy-map TRANSPORT-1-SHAPE-ONLY class class-default shape average 100 Mbps interface GigabitEthernet0/0/3 bandwidth service-policy output TRANSPORT-1-SHAPE-ONLY Signal from the spoke to the hub to use the correct parent policy for each remote site Bandwidth remaining ratio provides proportional sharing between tunnels Grandparent policy on physical interface Tunnel10 bandwidth nhrp map group RS-GROUP-10MBPS service-policy output RS-GROUP-10MBPS-POLICY nhrp map group RS-GROUP-20MBPS service-policy output RS-GROUP-20MBPS-POLICY nhrp map group RS-GROUP-50MBPS service-policy output RS-GROUP-50MBPS-POLICY 10/10 Mbps spoke (symmetrical) 20/15 Mbps spoke (asymmetrical) 50/30 Mbps spoke (asymmetrical) List all available parent policies as map groups on hub tunnel interface Add a class-default shape-only grandparent policy on the hub physical interface for the service rate BRKRST-2043 Branch Tunnel Configurations interface Tunnel10 bandwidth bandwidth receive nhrp group RS-GROUP-10MBPS tunnel source GigabitEthernet0/0 tunnel vrf IWAN-TRANSPORT-1 interface Tunnel10 bandwidth bandwidth receive nhrp group RS-GROUP-20MBPS tunnel source GigabitEthernet0/0 tunnel vrf IWAN-TRANSPORT-1 interface Tunnel10 bandwidth bandwidth receive nhrp group RS-GROUP-50MBPS tunnel source GigabitEthernet0/0 tunnel vrf IWAN-TRANSPORT-1 Per-Tunnel shapers 50 Mbps 50 Mbps 20 Mbps 20 Mbps 10 Mbps 10 Mbps BRR=50 BRR=50 BRR=20 BRR=20 BRR=10 BRR=10 Service rate shaper Shape (100 Mbps) 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 48

49 Bandwidth Remaining Ratio IWAN Details Bandwidth Remaining Ratio (BRR) provides proportional sharing to parent shapers during times of congestion. If you over-subscribe your hub BR outbound bandwidth with per-tunnel policies that exceed the service rate, the BRR commands on each parent policy means they will get their fair share of the remaining bandwidth as compared to the other branch sites. If all the per-tunnel BW amounts are 5 Mbps or greater, we use a BRR value of BW / 1 Mbps. (i.e. 10 Mbps is BRR of 10, 50 Mbps is BRR of 50, etc.) If any of the per-tunnel BW values are less than 5 Mbps, we use a BRR value of BW / 100 Kbps. (i.e. 3 Mbps is BRR of 30, 1.5 Mbps is BRR of 15, etc.) Per-Tunnel shapers 50 Mbps 50 Mbps BRR=50 BRR=50 Service rate shaper When the total bandwidth exceeds 100 Mbps, each of the per-tunnel shapers will get their fair share based on their BRR values. 20 Mbps 20 Mbps 10 Mbps 10 Mbps BRR=20 BRR=20 BRR=10 BRR=10 Shape (100 Mbps) Example: 50 Mbps site gets 50 / 160 or 31.25% 20 Mbps site gets 20 / 160 or 12.5% 10 Mbps site gets 10 / 160 or 6.25% BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 49

50 Branch QoS Scheduling Two Levels: Child / Parent Review Police 1M priority data class-default Child Queuing Policy on Physical P1 Parent Shaping Policy on Physical To Physical BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 50

51 Service Rate Traffic Shaping Child / Parent Policy for Branch Child Queuing Policy policy-map WAN class INTERACTIVE-VIDEO bandwidth remaining percent 30 random-detect dscp-based random-detect exponential-weighting-constant 9 class STREAMING-VIDEO bandwidth remaining percent 10 random-detect dscp-based random-detect exponential-weighting-constant 9 class NET-CTRL bandwidth remaining percent 5 class CALL-SIGNALING bandwidth remaining percent 4 class CRITICAL-DATA bandwidth remaining percent 25 random-detect dscp-based random-detect exponential-weighting-constant 9 class SCAVENGER bandwidth remaining percent 1 class VOICE priority level 1 police cir percent 10 class class-default bandwidth remaining percent 25 random-detect random-detect exponential-weighting-constant 9 Parent Shaping Policy on Physical policy-map POLICY-TRANSPORT-1 class class-default shape average 10 Mbps service-policy WAN interface GigabitEthernet0/0 bandwidth service-policy output POLICY-TRANSPORT-1 A parent shaper guarantees traffic will not exceed the service rate A nested queuing policy will force queuing to engage at the contracted service rate to prioritize packets prior to shaping Always On Policer Police 1M Physical Interface priority data class-default P1 Min: 0 Max: 10M Excess: 10 GigE Interface with 10 Mbps Service Rate BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 51

52 Multiple Sender QoS for Hub Routers Bandwidth Sharing Between Multiple Senders Bandwidth can exceed 100% of the remote-site inbound Service Rate using a calculated oversubscription of ~ 1.6:1 Bandwidth has to be divided equally due to one NHRP group QoS child policies do not have to be the same per Sender but DSCP markings must match for PfR TC channels to establish As the number of senders increase, the percentages need to come down accordingly based on the network administrators knowledge of their traffic patterns Hub BR1 (MNH/MDC) Hub BR2 (MNH/MDC) Remote Site Example: 50 Mb/s *.80 = 40 Mb/s per Hub BR Branch Tunnel Interface Total bandwidth should not exceed 160% of remote-site inbound Service Rate 80% BW 80% BW interface Tunnel10 bandwidth receive nhrp nhs nbma multicast nhrp nhs nbma multicast nhrp group RS-GROUP-50MBPS-80 Hub Policy policy-map RS-GROUP-50MBPS-80-POLICY class class-default description 80% of 50 Mbps shape average 40 Mbps bandwidth remaining ratio 40 service-policy WAN To avoid unwanted SP drops of voice traffic, priority traffic from all senders should not exceed the remote site inbound service rate Remote Site Inbound Service Rate BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 52

53 Multiple VRF QoS for Hub Routers Bandwidth Sharing Between Multiple VRF Tunnels Bandwidth can exceed 100% of the remote-site inbound Service Rate using an oversubscription ratio of ~ 2:1 Bandwidth does not have to be divided equally between VRFs QoS policies do not have to be the same per VRF As the number of VRFs increase, the percentages need to come down accordingly based on the network administrators knowledge of their traffic patterns Default VRF Contractor VRF Guest VRF IOT VRF 75% BW 75% BW 40% BW 10% BW Total bandwidth for VRFs should not exceed 200% of remote-site inbound Service Rate as oversubscription traffic will be dropped in the SP cloud Bandwidth for Guest traffic is normally less than non-guest Bandwidth for low volume VRFs like IOT and PCI should use a much smaller percentage Aggregate Priority Load: Priority traffic from all VRFs cannot exceed the hub BR outbound service rate VRF = Virtual Routing and Forwarding To Physical Grandparent Shaping Policy on Physical Shape for Outbound Service Rate BRKRST-2043 Remote Site Example: 40 Mb/s *.75 = 30 Mb/s per VRF 40 Mb/s *.40 = 16 Mb/s per VRF 40 Mb/s *.10 = 4 Mb/s per VRF Default VRF / Contractor VRF interface Tunnel101 bandwidth receive nhrp group RS-GROUP-40MBPS-75 Guest VRF interface Tunnel103 bandwidth receive nhrp group RS-GROUP-40MBPS-40 IOT VRF interface Tunnel104 bandwidth receive nhrp group RS-GROUP-40MBPS Cisco and/or its affiliates. All rights reserved. Cisco Public 53

54 Multiple VRF QoS for Branch Using normal IWAN recommendations, QoS policy is applied to the physical interface at an IWAN remote site which means all VRFs share the same QoS policy by default If you want to use different QoS policies for each VRF, you can deploy per-tunnel QoS in the spoke to hub direction using the same tools and limitations described on the previous slide BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 54

55 Enterprise to SP Mapping 55

56 Enterprise to SP Mapping ToS Byte Preservation ToS ToS ToS ToS ToS The 12-class view is preserved across the enterprise even though we treat it differently at the egress of the router and send it to different channels within the SP network The twelve classes remain intact on the inner header and the outer tunnel header is remarked as the traffic leaves the tunnel interface The remarked outer header is discarded after arriving at the tunnel interface on the receiving router, thus leaving the inner header marking unchanged IP Packet By default, ToS byte is copied to the new IP Header IP HDR GRE Tunnel IP Payload IP HDR GRE HDR IP HDR IP Payload IPSec Tunnel mode IP HDR ESP HDR IP HDR IP Payload ESP Trailer ESP Auth BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 56

57 Enterprise to SP Mapping Set dscp tunnel outbound on tunnel (Hub) Term-A Video Flow from Term-A To Term-B class-map match-all MULTIMEDIA_CONFERENCING-NBAR match protocol attribute traffic-class multimedia-conferencing match protocol attribute business-relevance business-relevant policy-map INGRESS-MARKING class MULTIMEDIA_CONFERENCING-NBAR set dscp af41 Marking the User IP header Gig0/0/ Packet View 1 L2 Dest L2 Src Packet View 2 Type Type User IP Header Src IP: Dst IP: DSCP: 0 User IP Header User Data User Data interface GigabitEthernet0/0/0 service-policy input INGRESS-MARKING class-map INTERACTIVE-VIDEO match dscp af41 Tunnel Tun SP Network Gig0/0/ Packet View 3 L2 Dest L2 Src Type Tunnel IP Header Src IP: Dst IP: DSCP: af31 Src IP: Dst IP: DSCP: af41 User IP Header Src IP: Dst IP: DSCP: af41 User Data policy-map RS-GROUP-10MBPS-POLICY class INTERACTIVE-VIDEO set dscp tunnel af31 Marking the Tunnel IP header interface Tunnel10 nhrp map group RS-GROUP-10MBPS service-policy output RS-GROUP-10MBPS-POLICY Tun Set dscp tunnel means don t copy but instead remember and mark this value once tunnel header is imposed Packet View 4 L2 Dest L2 Src Type User IP Header User Data Term-B Src IP: Dst IP: DSCP: af41 BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 57

58 Enterprise to SP Mapping Set dscp outbound on physical (Branch) Term-B Video Flow from Term-B To Term-A class-map match-all MULTIMEDIA_CONFERENCING-NBAR match protocol attribute traffic-class multimedia-conferencing match protocol attribute business-relevance business-relevant policy-map INGRESS-MARKING class MULTIMEDIA_CONFERENCING-NBAR set dscp af41 Marking the User IP header Gig0/0/ Packet View 1 L2 Dest L2 Src Packet View 2 Type Type User IP Header Src IP: Dst IP: DSCP: 0 User IP Header User Data User Data interface GigabitEthernet0/0/0 service-policy input INGRESS-MARKING class-map INTERACTIVE-VIDEO match dscp af41 Tunnel Tun SP Network Gig0/0/ Packet View 3 L2 Dest L2 Src Type Tunnel IP Header Src IP: Dst IP: DSCP: af31 Src IP: Dst IP: DSCP: af41 User IP Header Src IP: Dst IP: DSCP: af41 User Data policy-map POLICY-TRANSPORT-1 class INTERACTIVE-VIDEO set dscp af31 Marking the Tunnel IP header interface GigabitEthernet0/0/1 service-policy output POLICY-TRANSPORT-1 Tun Term-A DSCP copied Inner-to-Outer *BUT* we over-write Outer after the copy Packet View 4 L2 Dest L2 Src Type User IP Header Src IP: Dst IP: DSCP: af41 User Data BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 58

59 Enterprise to SP Mapping Example: 4-Class SP Model Application Internetwork Control VoIP DSCP CS6 EF CS6 Sent Unchanged EF 4-Class Model SP-VOICE Broadcast Video CS5 AF31 Multimedia Conferencing Real-Time Interactive AF41 AF31 CS4 AF31 AF31 SP-CLASS1DATA (UDP) Multimedia Streaming AF31 Signaling CS3 AF21 Transactional Data Network Management AF21 CS2 AF21 AF21 SP-CLASS2DATA (TCP) Bulk Data AF11 AF21 Scavenger CS1 DF SP-DEFAULT Best Effort DF BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 59

60 4-Class SP QoS Model Configuration Tunnel Interface IWAN Hub BR policy-map WAN class INTERACTIVE-VIDEO bandwidth remaining percent 30 random-detect dscp-based random-detect exponential-weighting-constant 9 set dscp tunnel af31 class STREAMING-VIDEO bandwidth remaining percent 10 random-detect dscp-based random-detect exponential-weighting-constant 9 set dscp tunnel af31 class NET-CTRL-MGMT bandwidth remaining percent 5 set dscp tunnel cs6 class CALL-SIGNALING bandwidth remaining percent 4 set dscp tunnel af21 class CRITICAL-DATA bandwidth remaining percent 25 random-detect dscp-based random-detect exponential-weighting-constant 9 set dscp tunnel af21 class SCAVENGER bandwidth remaining percent 1 set dscp tunnel default class VOICE priority level 1 police cir percent 10 set dscp tunnel ef class class-default bandwidth remaining percent 25 random-detect random-detect exponential-weighting-constant 9 set dscp tunnel default Hub Router: policy-map RS-GROUP-10MBPS-POLICY class class-default shape average 10 Mbps bandwidth remaining ratio 10 service-policy WAN interface Tunnel10 bandwidth <service-rate> nhrp map group RS-GROUP-10MBPS service-policy output RS-GROUP-10MBPS-POLICY Branch Router: interface GigabitEthernet0/0 bandwidth service-policy output POLICY-TRANSPORT-1! interface Tunnel10 bandwidth nhrp group RS-GROUP-10MBPS tunnel source GigabitEthernet0/0 tunnel vrf IWAN-TRANSPORT-1 BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 60

61 4-Class SP QoS Model Configuration Physical Interface IWAN Branch policy-map WAN class INTERACTIVE-VIDEO bandwidth remaining percent 30 random-detect dscp-based random-detect exponential-weighting-constant 9 set dscp af31 class STREAMING-VIDEO bandwidth remaining percent 10 random-detect dscp-based random-detect exponential-weighting-constant 9 set dscp af31 class NET-CTRL-MGMT bandwidth remaining percent 5 set dscp cs6 class CALL-SIGNALING bandwidth remaining percent 4 set dscp af21 class CRITICAL-DATA bandwidth remaining percent 25 random-detect dscp-based random-detect exponential-weighting-constant 9 set dscp af21 class SCAVENGER bandwidth remaining percent 1 set dscp default class VOICE priority level 1 police cir percent 10 set dscp ef class class-default bandwidth remaining percent 25 random-detect random-detect exponential-weighting-constant 9 set dscp default Branch Router: policy-map POLICY-TRANSPORT-1 class class-default shape average 10 Mbps service-policy WAN interface GigabitEthernet0/0 bandwidth service-policy output POLICY-TRANSPORT-1 The PfR Traffic Class channels will not establish if the DSCP values from the hub and branch routers do not match BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 61

62 Enterprise to SP Mapping Example: 5-Class SP Model Reference Application Internetwork Control VoIP DSCP CS6 EF CS6 Sent Unchanged EF 5-Class Model SP-VOICE Broadcast Video CS5 AF31 Multimedia Conferencing Real-Time Interactive AF41 AF31 CS4 AF31 AF31 SP-CLASS1DATA (UDP) Multimedia Streaming AF31 Signaling CS3 AF21 Transactional Data Network Management AF21 CS2 AF21 AF21 SP-CLASS2DATA (TCP) Bulk Data Scavenger Best Effort AF11 AF21 CS1 AF11 DF AF11 DF SP-CLASS3DATA SP-DEFAULT * * - Specified by ISP BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 62

63 5-Class QoS Model Configuration Tunnel Interface IWAN Hub BR policy-map WAN class INTERACTIVE-VIDEO bandwidth remaining percent 30 random-detect dscp-based random-detect exponential-weighting-constant 9 set dscp tunnel af31 class STREAMING-VIDEO bandwidth remaining percent 10 random-detect dscp-based random-detect exponential-weighting-constant 9 set dscp tunnel af31 class NET-CTRL-MGMT bandwidth remaining percent 5 set dscp tunnel cs6 class CALL-SIGNALING bandwidth remaining percent 4 set dscp tunnel af21 class CRITICAL-DATA bandwidth remaining percent 25 random-detect dscp-based random-detect exponential-weighting-constant 9 set dscp tunnel af21 class SCAVENGER bandwidth remaining percent 1 set dscp tunnel af11 class VOICE priority level 1 police cir percent 10 set dscp tunnel ef class class-default bandwidth remaining percent 25 random-detect random-detect exponential-weighting-constant 9 set dscp tunnel default Hub Router: policy-map RS-GROUP-10MBPS-POLICY class class-default shape average 10 Mbps bandwidth remaining ratio 10 service-policy WAN Reference interface Tunnel10 bandwidth <service-rate> nhrp map group RS-GROUP-10MBPS service-policy output RS-GROUP-10MBPS-POLICY Branch Router: interface GigabitEthernet0/0 bandwidth service-policy output POLICY-TRANSPORT-1! interface Tunnel10 bandwidth nhrp group RS-GROUP-10MBPS tunnel source GigabitEthernet0/0 tunnel vrf IWAN-TRANSPORT-1 BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 63

64 5-Class QoS Model Configuration Physical Interface IWAN Branch policy-map WAN class INTERACTIVE-VIDEO bandwidth remaining percent 30 random-detect dscp-based random-detect exponential-weighting-constant 9 set dscp af31 class STREAMING-VIDEO bandwidth remaining percent 10 random-detect dscp-based random-detect exponential-weighting-constant 9 set dscp af31 class NET-CTRL-MGMT bandwidth remaining percent 5 set dscp cs6 class CALL-SIGNALING bandwidth remaining percent 4 set dscp af21 class CRITICAL-DATA bandwidth remaining percent 25 random-detect dscp-based random-detect exponential-weighting-constant 9 set dscp af21 class SCAVENGER bandwidth remaining percent 1 set dscp af11 class VOICE priority level 1 police cir percent 10 set dscp ef class class-default bandwidth remaining percent 25 random-detect random-detect exponential-weighting-constant 9 set dscp default Branch Router: policy-map POLICY-TRANSPORT-1 class class-default shape average 10 Mbps service-policy WAN Reference interface GigabitEthernet0/0 bandwidth service-policy output POLICY-TRANSPORT-1 BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 64

65 Enterprise to SP Mapping Example: 6-Class SP Model Reference Application Internetwork Control VoIP DSCP CS6 EF CS6 Sent Unchanged EF 6-Class Model SP-VOICE Broadcast Video Multimedia Conferencing CS5 AF1 AF41 AF41 SP-VIDEO Real-Time Interactive Multimedia Streaming Signaling CS4 AF41 AF31 CS3 AF21 AF31 SP-CLASS1DATA (UDP) Transactional Data Network Management Bulk Data Scavenger Best Effort AF21 CS2 AF21 AF11 AF21 CS1 AF11 DF AF21 AF11 DF SP-CLASS2DATA (TCP) SP-CLASS3DATA SP-DEFAULT * * - Specified by ISP BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 65

66 6-Class QoS Model Configuration Tunnel Interface IWAN Hub BR policy-map WAN class INTERACTIVE-VIDEO bandwidth remaining percent 30 random-detect dscp-based random-detect exponential-weighting-constant 9 set dscp tunnel af41 class STREAMING-VIDEO bandwidth remaining percent 10 random-detect dscp-based random-detect exponential-weighting-constant 9 set dscp tunnel af31 class NET-CTRL-MGMT bandwidth remaining percent 5 set dscp tunnel cs6 class CALL-SIGNALING bandwidth remaining percent 4 set dscp tunnel af21 class CRITICAL-DATA bandwidth remaining percent 25 random-detect dscp-based random-detect exponential-weighting-constant 9 set dscp tunnel af21 class SCAVENGER bandwidth remaining percent 1 set dscp tunnel af11 class VOICE priority level 1 police cir percent 10 set dscp tunnel ef class class-default bandwidth remaining percent 25 random-detect random-detect exponential-weighting-constant 9 set dscp tunnel default Hub Router: policy-map RS-GROUP-10MBPS-POLICY class class-default shape average 10 Mbps bandwidth remaining ratio 10 service-policy WAN Reference interface Tunnel10 bandwidth <service-rate> nhrp map group RS-GROUP-10MBPS service-policy output RS-GROUP-10MBPS-POLICY Branch Router: interface GigabitEthernet0/0 bandwidth service-policy output POLICY-TRANSPORT-1! interface Tunnel10 bandwidth nhrp group RS-GROUP-10MBPS tunnel source GigabitEthernet0/0 tunnel vrf IWAN-TRANSPORT-1 BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 66

67 6-Class QoS Model Configuration Physical Interface IWAN Branch policy-map WAN class INTERACTIVE-VIDEO bandwidth remaining percent 30 random-detect dscp-based random-detect exponential-weighting-constant 9 set dscp af41 class STREAMING-VIDEO bandwidth remaining percent 10 random-detect dscp-based random-detect exponential-weighting-constant 9 set dscp af31 class NET-CTRL-MGMT bandwidth remaining percent 5 set dscp cs6 class CALL-SIGNALING bandwidth remaining percent 4 set dscp af21 class CRITICAL-DATA bandwidth remaining percent 25 random-detect dscp-based random-detect exponential-weighting-constant 9 set dscp af21 class SCAVENGER bandwidth remaining percent 1 set dscp af11 class VOICE priority level 1 police cir percent 10 set dscp ef class class-default bandwidth remaining percent 25 random-detect random-detect exponential-weighting-constant 9 set dscp default Branch Router: policy-map POLICY-TRANSPORT-1 class class-default shape average 10 Mbps service-policy WAN Reference interface GigabitEthernet0/0 bandwidth service-policy output POLICY-TRANSPORT-1 BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 67

68 Enterprise to SP Mapping: Summary Application Class Internetwork Control Per-Hop Behavior Queuing & Dropping 12-Class 8-Class For IWAN Router 6-Class For Tunnel 5-class For Tunnel 4-Class For Tunnel CS6 BR Queue Net-Ctrl NET-CTRL CS6 CS6 CS6 VoIP Telephony EF Priority Queue (PQ) Voice VOICE EF EF EF Relevant Multimedia Conferencing Real-Time Interactive AF4 CS4 BR Queue + DSCP WRED BR Queue + DSCP WRED Broadcast Video CS5 BR Queue + DSCP WRED Multimedia Streaming AF3 BR Queue + DSCP WRED Interactive-Video INTERACTIVE-VIDEO AF41 AF31 AF31 Real-Time INTERACTIVE-VIDEO AF41 AF31 AF31 Broadcast-Video STREAMING-VIDEO AF31 AF31 AF31 Streaming-Video STREAMING-VIDEO AF31 AF31 AF31 Signaling CS3 BR Queue Call-Signaling CALL-SIGNALING AF21 AF21 AF21 Ops / Admin / Mgmt CS2 BR Queue + DSCP WRED Net-Mgmt CRITICAL-DATA AF21 AF21 AF21 Default Transactional Data AF2 BR Queue + DSCP WRED Bulk Data AF1 BR Queue + DSCP WRED Transactional- Data CRITICAL-DATA AF21 AF21 AF21 Bulk-Data CRITICAL-DATA AF21 AF21 AF21 Best Effort DF BR Queue + RED Default DEFAULT Default Default Default Scavenger CS1 Min BR Queue Scavenger SCAVENGER AF11 AF11 Default Irrelevant BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 68

69 IWAN QoS Design: At-A-Glance Reference BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 69

70 SD-WAN QoS APIC-EM IWAN App 70

71 APIC-EM IWAN App Demo

72 APIC-EM IWAN App Click to administer application policies BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 72

73 IWAN-App QoS Configuration Classification and Marking Policy Business-Relevant Class-Map (List of Categories that are Business-Relevant) class-map match-any prm-biz-relevant-cats match protocol attribute category business-and-productivity-tools match protocol attribute category voice-and-video match protocol attribute category backup-and-storage match protocol attribute category software-updates match protocol attribute category file-sharing match protocol attribute category match protocol attribute category database match protocol attribute category browsing Implements Categoryto-Business-Relevance mapping Vs. Application-to- Business-Relevance mapping Parent Class-Maps to Combine Category-Based BR with Traffic-Classes class-map match-all prm-nbar-12-cls#broadcast-video match protocol attribute traffic-class broadcast-video match class-map prm-biz-relevant-cats class-map match-all prm-nbar-12-cls#bulk-data match protocol attribute traffic-class bulk-data match class-map prm-biz-relevant-cats class-map match-all prm-nbar-12-cls#interactive-video match protocol attribute traffic-class real-time-interactive match class-map prm-biz-relevant-cats class-map match-all prm-nbar-12-cls#network-control match protocol attribute traffic-class network-control match class-map prm-biz-relevant-cats class-map match-all prm-nbar-12-cls#multimedia-conferencing match protocol attribute traffic-class multimedia-conferencing match class-map prm-biz-relevant-cats class-map match-all prm-nbar-12-cls#voice match protocol attribute traffic-class voip-telephony match class-map prm-biz-relevant-cats class-map match-all prm-nbar-12-cls#signaling match protocol attribute traffic-class signaling match class-map prm-biz-relevant-cats class-map match-all prm-nbar-12-cls#network-management match protocol attribute traffic-class ops-admin-mgmt match class-map prm-biz-relevant-cats class-map match-all prm-nbar-12-cls#transactional-data match protocol attribute traffic-class transactional-data match class-map prm-biz-relevant-cats class-map match-all prm-nbar-12-cls#multimedia-streaming match protocol attribute traffic-class multimedia-streaming match class-map prm-biz-relevant-cats class-map match-all prm-nbar-12-cls#scavenger match class-map prm-biz-irrelevant-cats BRKRST-2043 Business-Irrelevant Class-Map (List of Categories that are Business-Irrelevant) class-map match-any prm-biz-irrelevant-cats match protocol attribute category consumer-messaging match protocol attribute category consumer-streaming match protocol attribute category gaming match protocol attribute category social-networking match protocol attribute category instant-messaging RFC 4594-Based Marking Policy-Map policy-map prm-nbar-12-cls class prm-nbar-12-cls#voice set dscp ef class prm-nbar-12-cls#broadcast-video set dscp cs5 class prm-nbar-12-cls#interactive-video set dscp cs4 class prm-nbar-12-cls#multimedia-conferencing set dscp af41 class prm-nbar-12-cls#multimedia-streaming set dscp af31 class prm-nbar-12-cls#signaling set dscp cs3 class prm-nbar-12-cls#network-control set dscp cs6 class prm-nbar-12-cls#network-management set dscp cs2 class prm-nbar-12-cls#transactional-data set dscp af21 class prm-nbar-12-cls#bulk-data set dscp af11 class prm-nbar-12-cls#scavenger set dscp cs1 class class-default set dscp default 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 73

74 IWAN-App QoS Configuration Ingress Marking and Egress Queuing in Branch Ingress Marking on LAN interface GigabitEthernet0/0/0.10 description Data encapsulation dot1q 10 ip address ip helper-address ip pim sparse-mode standby version 2 standby 1 ip standby 1 priority 105 standby 1 authentication md5 key-string c1sco123 performance monitor context IWAN-Context service-policy input prm-nbar-12-cls Marking Policy Map on Previous Page Child Policy: 8-class WAN queuing and 6-class SP policy-map prm-dscp#iwan-8-id0 class prm-iwan8#voice priority level 1 police cir percent 10 set dscp ef class prm-iwan8#streaming-video bandwidth remaining percent 10 set dscp af31 random-detect dscp-based class prm-iwan8#call-signaling bandwidth remaining percent 4 set dscp cs3 class prm-iwan8#net-ctrl-mgmt bandwidth remaining percent 5 set dscp cs6 class prm-iwan8#interactive-video bandwidth remaining percent 30 set dscp af41 random-detect dscp-based class prm-iwan8#critical-data bandwidth remaining percent 25 set dscp af21 random-detect dscp-based class prm-iwan8#scavenger bandwidth remaining percent 1 set dscp cs1 class class-default bandwidth remaining percent 25 set dscp default random-detect dscp-based Parent Policy: Shape for Service Rate policy-map prm-dscp#iwan-8-id0#shape#30.0 class class-default shape average service-policy prm-dscp#iwan-8-id0 Egress Queuing on Physical Interface interface GigabitEthernet0/0/2 bandwidth ip vrf forwarding IWAN-TRANSPORT-1 ip address media-type rj45 negotiation auto no cdp enable service-policy output prm-dscp#iwan-8-id0#shape#30.0 BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 74

75 Summary and References 75

76 Key Takeaways IWAN Considerations Design Issues QoS Scheduling Aggregate Priority Load IPsec Anti-Replay IWAN 2.2 CVD Ingress LAN Marking NBAR2 QoS Attributes Traffic-Class Business-Relevance Coming in IWAN 2.3 CVD Egress WAN Queuing QoS and App Control WAN Queuing Sub-Line Rate Interfaces DMVPN Per Tunnel QoS Enterprise to SP Mapping IWAN 2.2 CVD Or just click on the Easy button with the APIC-EM IWAN App! BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 76

77 Cisco CVDs for Intelligent WAN IWAN Design Guide IWAN Base and Advanced Deployment Guides IWAN Configurations Files Guide Design Overview Technology Type Design Models IWAN Design Summary IWAN All Overview Deployment Guides Profile Type Design Models IWAN Deployment IWAN Configuration Files (All) Base ASR 1K CSR 1K (Hub MC) ISR 4K ISR G2 Hybrid Single Router Dual Router IWAN HA and Scalability Advanced All Hybrid (Hub MC HA & MNH) IWAN Multiple Data Center Advanced All Hybrid (MDC) IWAN Multiple Transport Advanced All Dual Hybrid w/ PLR (MTT) IWAN Multiple VRF (Coming in July) Advanced All Dual Hybrid w/ PLR (Multi-VRF) IWAN Public Key Infrastructure Advanced All All (PKI) IWAN NetFlow Monitoring Advanced All All (NetFlow) IWAN Remote Site 4G LTE Advanced All All (4G LTE) IWAN DIA Design Advanced ISR 4K Remote Site DIA IWAN WAAS and Akamai Advanced ISR 4K WAAS and Akamai Connect March 2017 April 2017 April 2017 Dec 2016 March 2015 BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 77

78 Recommended Reading Explains all key IWAN technologies and components VIRL labs are available so that you can practice these concepts as you read them in the book Copies are available at the CLUS Cisco Press bookstore BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 78

79 IWAN Breakout Sessions Understanding IWAN Design, Architecture and Building Blocks: BRKCRS-2000 IWAN Architecture BRKRST-2043 IWAN AVC/QoS Design BRKSEC-4054 Advanced Concepts of DMVPN BRKRST-2362 IWAN - Implementing Performance Routing (PfRv3) BRKCRS-2002 IWAN Design and Deployment Workshop IWAN Migration, Operation and Troubleshooting: BRKCRS-2007 Migrating Your Existing WAN to Cisco's IWAN BRKRST-3018 Understanding and Troubleshooting Intelligent Path Control in IWAN BRKRST-3413 IWAN Serviceability: Deploying, Monitoring, and Operating BRKNMS-1040 IWAN and AVC Management using Cisco Prime Infrastructure and APIC-EM IWAN for Service Providers: BRKRST-2557 IWAN and NFV Orchestration for Managed Service Providers PSOSPG-2003 Cisco SD WAN for Service Providers BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 79

80 IWAN Labs Instructor-led ( 4 hours): LTRCRS-2005 Building and Migrating to Cisco's Intelligent WAN (IWAN) LTRRST-3015 Advanced IWAN PfR w/qos Hands on Lab LTRRST-3019 Design, Deploy, and Operate an Intelligent WAN (IWAN) Network Walk-in Self-Placed (45 Min): LABSDN-2005 Introduction to iwan LABRST-2013 DMVPN overlay routing for IWAN deployments LABSDN-2910 iwan deployment with APIC-EM BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 80

81 IWAN Case Studies Enterprise: CCSRST-2000 IWAN Migration Case Study (Huntington Bank) Service Provider: CCSSP-1000 Cisco + Verizon: Virtualized Managed Services (VMS) Success Story BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 81

82 Complete Your Online Session Evaluation Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 gift card. Complete your session surveys through the Cisco Live mobile app or on Don t forget: Cisco Live sessions will be available for viewing on demand after the event at Cisco and/or its affiliates. All rights reserved. Cisco Public

83 Thank you

84 Reference Slides

85 R&S Related Cisco Education Offerings Course Description Cisco Certification CCIE R&S Advanced Workshops (CIERS-1 & CIERS-2) plus Self Assessments, Workbooks & Labs Implementing Cisco IP Routing v2.0 Implementing Cisco IP Switched Networks V2.0 Troubleshooting and Maintaining Cisco IP Networks v2.0 Interconnecting Cisco Networking Devices: Part 2 (or combined) Interconnecting Cisco Networking Devices: Part 1 Expert level trainings including: instructor led workshops, self assessments, practice labs and CCIE Lab Builder to prepare candidates for the CCIE R&S practical exam. Professional level instructor led trainings to prepare candidates for the CCNP R&S exams (ROUTE, SWITCH and TSHOOT). Also available in self study elearning formats with Cisco Learning Labs. Configure, implement and troubleshoot local and wide-area IPv4 and IPv6 networks. Also available in self study elearning format with Cisco Learning Lab. Installation, configuration, and basic support of a branch network. Also available in self study elearning format with Cisco Learning Lab. CCIE Routing & Switching CCNP Routing & Switching CCNA Routing & Switching CCENT Routing & Switching For more details, please visit: Questions? Visit the Learning@Cisco Booth or contact ask-edu-pm-dcv@cisco.com BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 85

86 QOS Tools Classification and Marking 86

87 QoS Tools Review: Classification & Marking Classification vs. Marking Classification: An action that organizes packets into different traffic types, to which different policies can then be applied Classification of packets can happen without marking Marking: Writes a value into the packet header Establishes a trust boundary at the network edge Can be used in other locations in the network and is not always used solely for purposes of classification BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 87

88 QoS Tools Review: Classification & Marking Tools Classification and Marking Options for the WAN Classification can be done on: Layer 1 criteria such as ingress physical interface Layer 2 criteria such as IEEE 802.1Q/p CoS Layer 3 criteria such as IP DSCP Layer 4 criteria such as TCP/UDP port(s) Layer 7 criteria such as NBAR application signatures Marking can be done on: Layer 2 fields such as IEEE 802.1Q/p CoS Layer 2.5 fields such as MPLS EXP Layer 3 fields such as IP DSCP Internal fields such as QoS Group BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 88

89 QoS Tools Review: Classification & Marking Tools Layer 7 Classification: Network Based Application Recognition (NBAR/NBAR2) IP Packet TCP/UDP Segment Data Payload ToS Protocol IP SA IP DA Src Port Dst Port Deep Packet Inspection Identifies applications and protocols Application payload deep packet inspection Supports application media-sub-component classification class-map CISCO-JABBER-VOICE match protocol cisco-jabber-audio class-map CISCO-JABBER-VIDEO match protocol cisco-jabber-video class-map CISCO-JABBER-MESSAGING match protocol cisco-jabber-im class-map CISCO-JABBER-SIGNALING match protocol cisco-jabber-control BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 89

90 QoS Tools Review: Classification & Marking Tools Layer 2 Marking: IEEE 802.1Q/p CoS Pream SFD DA SA Type 802.1Q 4 Bytes PT Data FCS Three Bits Used for CoS (802.1p Class of Service) PRI CFI VLAN ID Ethernet Frame IEEE 802.1Q p User Priority field also called Class of Service (CoS) Different types of traffic are assigned different CoS values CoS 6 and 7 are reserved for network use class-map VOICE match cos 5 policy-map MARKING class INTERACTIVE-VIDEO set cos 4 CoS Acronym Traffic characteristics 0 BE Best Effort 1 BK Background 2 EE Excellent Effort 3 CA Critical Applications 4 VI Video, < 100 ms latency 5 VO Voice, < 10 ms latency 6 IC Internetwork Control 7 NC Network Control BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 90

91 QoS Tools Review: Classification & Marking Tools Layer 3 Marking: IP Type of Service (ToS) Byte Version/ Header_Len ToS Byte Length ID Offset TTL Protocol FCS IP SA IP DA Data IPv4 Packet IP Precedence Unused DiffServ Code Point (DSCP) IP ECN IP Precedence (relegated): Three most significant bits of ToS byte are called IP Precedence (IPP) other bits unused Differentiated Services: Six most significant bits of ToS byte are called DiffServ Code Point (DSCP) remaining two bits used for Explicit Congestion Notification (ECN) DSCP and ECN are also used in IPv6 BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 91

92 QoS Tools Review: Classification & Marking Tools Layer 3 Marking: DSCP Per-Hop Behaviors (PHBs) Per-Hop Behaviors (PHB) Diff-Serv Code Points IP Header ToS Byte Expedited Forwarding RFC 3246 EF AFxy x x x y y 0 Class DSCP Drop Precedence Assured Forwarding RFC 2597 Class 1 Class 2 Class 3 Class 4 Low Drop Pref AF11 AF21 AF31 AF41 Med Drop Pref AF12 AF22 AF32 AF42 High Drop Pref AF13 AF23 AF33 AF class-map VOICE match dscp ef Default Forwarding (Best Effort) RFC 2474 DF CS policy-map MARKING class INTERACTIVE-VIDEO set dscp af41 Class Selector (Matches IP Precedence) RFC 2474 CS1 CS2 CS3 CS4 CS5 CS CS BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 92

93 QoS Tools Policing and Shaping 93

94 QoS Tools Review: Policing & Shaping Tools Policers vs. Shapers Policers: Perform checks for traffic violations against a configured rate and take immediate prescribed actions (such as remarking or dropping) Policers do not delay traffic Policers may be applied to the data plane or the control plane Shapers: Smooth out traffic flows so that it never exceeds the configured rate If the offered traffic momentarily spikes above the contracted rate, the excess traffic is buffered and delayed until the offered traffic once again dips below the defined rate Shapers usually are employed to meet a Service Level Agreement (SLA) BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 94

95 QoS Tools Review: Policing & Shaping Tools RFC 2697 Single-Rate Three-Color Marker CIR Overflow CBS EBS B<Tc No B<Te No Packet of Size B Yes Yes Conform Exceed Violate CIR = Committed Information Rate CBS = Committed Burst Size EBS = Excess Burst Size Tc = Token Committed (CBS) Te = Token Excess (EBS) Action Action Action Bc = Burst Committed (CBS) Be = Burst Excess (EBS) BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 95

96 QoS Tools Review: Policing & Shaping Tools RFC 2697 Single-Rate Three-Color Marker CIR Overflow CBS EBS B<Tc No B<Te No CIR = Committed Information Rate CBS = Committed Burst Size EBS = Excess Burst Size Tc = Token Committed (CBS) Te = Token Excess (EBS) Bc = Burst Committed (CBS) Be = Burst Excess (EBS) Packet of Size B Yes policy-map Yes RFC2697-POLICER Conform class Exceed CLASS-1 Violate Action police cir bc be conform-action set-dscp-transmit af11 exceed-action set-dscp-transmit af12 Action Action violate-action set-dscp-transmit af13 BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 96

97 QoS Tools Review: Policing & Shaping Tools RFC 2698 Two-Rate Three-Color Marker PIR CIR PBS CBS B>Tp No B>Tc No PIR = Peak Information Rate PBS = Peak Burst Size Packet of Size B Yes Violate Yes Exceed Conform CIR = Committed Information Rate CBS = Committed Burst Size Tp = Token Peak (PBS) Tc = Token Committed (CBS) Action Action Action Bc = Burst Committed (CBS) Be = Burst Excess (PBS) BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 97

98 QoS Tools Review: Policing & Shaping Tools RFC 2698 Two-Rate Three-Color Marker PIR CIR PBS CBS B>Tp No B>Tc No PIR = Peak Information Rate PBS = Peak Burst Size CIR = Committed Information Rate CBS = Committed Burst Size Tp = Token Peak (PBS) Tc = Token Committed (CBS) Bc = Burst Committed (CBS) Be = Burst Excess (PBS) Packet of Size B Yes Violate Action Yes Exceed policy-map RFC2698-POLICER class CLASS-2 Conform police cir bc pir be conform-action set-dscp-transmit af11 exceed-action set-dscp-transmit af12 Action Action violate-action set-dscp-transmit af13 BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 98

99 QoS Tools Review: Policing & Shaping Tools Priority Queue with Conditional Policer Not Recommended Behavior with No Congestion Behavior with Congestion Offered Load 30 Mbps 30 Mbps 90 Mbps No Congestion No Policing Police 20M Police 20M 30 Mbps 20 Mbps Congestion Feedback Congestion Feedback priority data class-default priority data class-default P1 P1 Expected Throughput Per Class 30 Mbps policy-map CONDITIONAL-POLICER class PRIORITY priority Mbps 80 Mbps 100 Mbps Interface 100 Mbps Interface BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 99

100 QoS Tools Review: Policing & Shaping Tools Priority Queue with Always On Policer (Explicit Policer) Behavior with No Congestion Behavior with Congestion Offered Load 30 Mbps 30 Mbps 90 Mbps Always On Policer 20 Mbps Police 20M 20 Mbps Police 20M priority data class-default priority data class-default P1 P1 Expected Throughput Per Class 20 Mbps 100 Mbps Interface policy-map ALWAYS-ON-POLICER class PRIORITY priority level 1 police cir Mbps 100 Mbps Interface 80 Mbps BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 100

101 QoS Tools Review: Policing & Shaping Tools Aggregate Priority Load Details IWAN supports 2,000 remote sites in a single domain Consider an average 2 Mbps access rate for remote sites Aggregate: 4 Gbps On a GE connected Hub BR, we are already 4:1 oversubscribed If service-rate is less than GE (likely say 500 Mbps) the oversubscription increases to 8:1 An Aggregate Priority Load greater than Service Rate will starve non-priority (including network control) Voice at 10% Potential aggregate voice = 400 Mbps (10% of 4 Gbps sum of shapers) Always On Policer for Voice means we stay under the service rate Conditional Policer means individual sites could send more and over run the service rate Realtime Interactive Another 27% of Priority queue (30% *.90) Potential Aggregate Priority Load 37% of 4 Gbps = 1.48 Gbps (Greater than access rate) If these are Cisco Adaptive Video codecs that Like to grow => your risk is greater BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 101

102 QoS Tools Review: Policing & Shaping Tools Shaping Effect on Traffic Patterns Line Rate Service Rate Without Traffic Shaping With Traffic Shaping Traffic Shaping Limits the Transmit Rate to a Value Lower Than Line Rate Policers typically drop traffic Shapers delay excess traffic, smooth bursts and prevent unnecessary drops policy-map CLASS-BASED-SHAPER class class-default shape average 10 Mbps service-policy WAN BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 102

103 QoS Tools Queuing and Dropping 103

104 QoS Tools Review: Queuing & Dropping Tools Tx-Ring IOS Interface Buffers interface Serial2/0 tx-ring-limit 4 Packets In Tx-Ring Packets Out If the Tx-Ring is filled to capacity, then the IOS software knows that the interface is congested and it should activate any LLQ/CBWFQ policies that have been applied to the interface BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 104

105 QoS Tools Review: Queuing & Dropping Tools (Flow-Based) Fair-Queuing Packets In Fair-Queuing Sorter/Pre-Sorter policy-map FQ class class-default fair-queue Packets Out A flow is defined by five matching tuples: Source Address + Source Port Destination Address + Destination Port Layer 4 Protocol (TCP or UDP) BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 105

106 QoS Tools Review: Queuing & Dropping Tools CBWFQ Packets In FQ FQ FQ IOS Interface Buffers Network Control CBWFQ Call Signaling CBWFQ OAM CBWFQ Multimedia Conferencing CBWFQ Multimedia Streaming CBWFQ Transactional Data CBWFQ CBWFQ Scheduler policy-map WAN class NETWORK-CONTROL bandwidth remaining percent 5 class CALL-SIGNALING bandwidth remaining percent 4 class STREAMING-VIDEO bandwidth remaining percent 10 fair-queue random-detect dscp-based class MM-CONFERENCING bandwidth remaining percent 30 fair-queue random-detect dscp-based Tx-Ring Packets Out FQ FQ FQ Pre-Sorters Bulk Data CBWFQ Best Effort / Default CBWFQ Scavenger CBWFQ BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 106

107 QoS Tools Review: Queuing & Dropping Tools LLQ: Single-LLQ Operation and Configuration IOS Interface Buffers 10% Strict VOICE Policer LLQ policy-map WAN class VOICE priority level 1 police cir percent 10 Packets In CBWFQ Scheduler Tx-Ring Packets Out FQ Pre-Sorters CBWFQs BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 107

108 QoS Tools Review: Queuing & Dropping Tools LLQ: Multi-LLQ Operation and Configuration 1 Mbps VOICE Policer 4 Mbps Bscst-Video Policer 5 Mbps RT-Interactive Policer LLQ policy-map MULTI-LLQ class VOICE priority 1000 class BROADCAST-VIDEO priority 4000 class REALTIME-INTERACTIVE priority 5000 Packets In CBWFQ Scheduler Tx-Ring Packets Out CBWFQs BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 108

109 QoS Tools Review: Queuing & Dropping Tools The Need for Congestion Avoidance 100% BW All TCP flows synchronize in waves TCP synchronization wastes available bandwidth Bandwidth Utilization Time Tail Drop Three Traffic Flows Start at Different Times Another Traffic Flow Starts at This Point BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 109

110 Fair- Queuing Pre-Sorter QoS Tools Review: Queuing & Dropping Tools DSCP-Based WRED Tail of Queue Bulk Data CBWFQ policy-map BULK-WRED class BULK bandwidth remaining percent 10 random-detect dscp-based Front of Queue Direction of Packet Flow AF13 Minimum WRED Threshold: Begin randomly dropping AF13 packets AF12 Minimum WRED Threshold: Begin randomly dropping AF12 packets AF11 Minimum WRED Threshold: Begin randomly dropping AF11 packets Maximum WRED Thresholds for AF11, AF12 and AF13 are set to the tail of the queue in this example BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 110

111 Latency for Low Speed Sites Police 150K priority data class-default P1 64 Packets Bandwidth remaining percent means each queue gets a queue limit as if it had full bandwidth of parent (means high speed links will buffer 0.5 sec of data) Queue-Limit = (Intf Speed *.05) / 8 / 1500 Anything less than 15M service rate gets 64 packets Aggregate T1: ~1.5 Sec of buffering IMIX (12 queues * 64 packets * 8 bits * 350 bytes / 1.5M) Traffic Type / Percentage Service Rate Drain Byte Packets Drain Byte Packets Transactional Data / 10% 150K 1.2 secs 5 secs Bulk Data / 4% 60K 3 secs 13 secs Network Control / 2% 30K 6 secs 26 secs IWAN Conclusion: Use appropriate number of queues for the 12 classes on the WAN depending on the service rate Example: 4 queues for service rate < 5 Mbps 8 queues for service rate => 5 Mbps and < 100 Mbps 12 queues for service rate => 100 Mpbs BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 111

112 PfR and QoS Interaction 112

113 IWAN Layers AVC PfR QoS Intelligent Path Selection Overlay Routing Protocol (BGP, EIGRP) Overlay routing over tunnels Transport Independent Design (DMVPN) Transport Overlay MPLS Routing Internet Routing ZBFW CWS Infrastructure Routing BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 113

114 PfRv3 How it Works ISR G2 ASR1K MC Traffic Classes Learning Active TCs MC Performance Measurements MC TC Path BR BR BR BR BR BR Define your Traffic Policy Learn the Traffic Measurement Path Enforcement Define path optimization policies on the Hub MC load balancing, path preference, application metrics DSCP Based Policies Application Based Policies Traffic flowing through the Border Routers (BRs) that match a policy are learned Traffic Classes Unified Performance Monitor Report the measured TC performance metrics to the Master Controller for policy compliance Unified Performance Monitor Master Controller directs BR path changes to keep traffic within policy Route Enforcement module in feature path BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 114

115 IWAN Design PfR Policy domain IWAN vrf default master hub load-balance class VOICE sequence 10 match dscp ef policy voice path-preference MPLS fallback INET class INTERACTIVE_VIDEO sequence 20 match dscp cs4 policy real-time-video match dscp af41 policy real-time-video match dscp af42 policy real-time-video match dscp af43 policy real-time-video path-preference MPLS fallback INET class LOW_LATENCY_DATA sequence 30 match dscp cs2 policy low-latency-data match dscp cs3 policy low-latency-data match dscp af21 policy low-latency-data match dscp af22 policy low-latency-data match dscp af23 policy low-latency-data path-preference MPLS fallback INET class BULK_DATA sequence 40 match dscp af11 policy bulk-data match dscp af12 policy bulk-data match dscp af13 policy bulk-data path-preference MPLS fallback INET class SCAVENGER sequence 50 match dscp cs1 policy scavenger path-preference INET fallback MPLS class DEFAULT sequence 60 match dscp default policy best-effort path-preference INET fallback MPLS Create the PfR classes with matching policy names and DSCP values to simplify the configuration Define the path preference for traffic Load balance non-priority traffic IWAN Master Controller BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 115

116 PfR Built-in Policy Templates Pre-defined Template Threshold Definition Voice priority 1 one-way-delay threshold 150 threshold 150 (msec) priority 2 packet-loss-rate threshold 1 (%) priority 2 byte-loss-rate threshold 1 (%) priority 3 jitter 30 (msec) Real-time-video priority 1 packet-loss-rate threshold 1 (%) priority 1 byte-loss-rate threshold 1 (%) Low-latencydata priority 2 one-way-delay threshold 150 (msec) priority 3 jitter 20 (msec) priority 1 one-way-delay threshold 100 (msec) priority 2 byte-loss-rate threshold 5 (%) priority 2 packet-loss-rate threshold 5 (%) Pre-defined Template Bulk-data Best-effort Scavenger Threshold Definition priority 1 one-way-delay threshold 300 (msec) priority 2 byte-loss-rate threshold 5 (%) priority 2 packet-loss-rate threshold 5 (%) priority 1 one-way-delay threshold 500 (msec) priority 2 byte-loss-rate threshold 10 (%) priority 2 packet-loss-rate threshold 10 (%) priority 1 one-way-delay threshold 500 (msec) priority 2 byte-loss-rate threshold 50 (%) priority 2 packet-loss-rate threshold 50 (%) BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 116

117 PfR Manages Traffic Class Prefix DSCP AppID Dest Site Next- Hop /24 EF N/A Site 11? /24 AF41 N/A Site 11? /24 AF31 N/A Site 11? /24 0 N/A Site 11? /24 EF N/A Site 10? /24 AF41 N/A Site 10? /24 AF31 N/A Site 10? /24 0 N/A Site 10? MC1 IWAN POP Traffic with EF, AF41, AF31 and 0 BR1 BR2 MPLS INET Traffic Class Destination Prefix DSCP Value Application (N/A when DSCP policies used) R10 R11 R12 R / / / /24 BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 117

118 SDWAN QoS APIC-EM IWAN App 118

119 APIC-EM IWAN App Click to administer application policies BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 119

120 IWAN App Categorize Applications Categorize applications Add custom applications BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 120

121 IWAN App Categorize Applications Drag and drop each application (one ore more) from one business class to the other BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 121

122 IWAN App Define Application Policy Drag and Drop a business category among: business critical scavenger default Application priority policy setting in IWAN app Path preference: Set primary and action on threshold crossing, which can be a second path or drop traffic Drag and drop business buckets BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 122

123 IWAN-App QoS Configuration Classification and Marking Policy Business-Relevant Class-Map (List of Categories that are Business-Relevant) class-map match-any prm-biz-relevant-cats match protocol attribute category business-and-productivity-tools match protocol attribute category voice-and-video match protocol attribute category backup-and-storage match protocol attribute category software-updates match protocol attribute category file-sharing match protocol attribute category match protocol attribute category database match protocol attribute category browsing Implements Categoryto-Business-Relevance mapping Vs. Application-to- Business-Relevance mapping Parent Class-Maps to Combine Category-Based BR with Traffic-Classes class-map match-all prm-nbar-12-cls#broadcast-video match protocol attribute traffic-class broadcast-video match class-map prm-biz-relevant-cats class-map match-all prm-nbar-12-cls#bulk-data match protocol attribute traffic-class bulk-data match class-map prm-biz-relevant-cats class-map match-all prm-nbar-12-cls#interactive-video match protocol attribute traffic-class real-time-interactive match class-map prm-biz-relevant-cats class-map match-all prm-nbar-12-cls#network-control match protocol attribute traffic-class network-control match class-map prm-biz-relevant-cats class-map match-all prm-nbar-12-cls#multimedia-conferencing match protocol attribute traffic-class multimedia-conferencing match class-map prm-biz-relevant-cats class-map match-all prm-nbar-12-cls#voice match protocol attribute traffic-class voip-telephony match class-map prm-biz-relevant-cats class-map match-all prm-nbar-12-cls#signaling match protocol attribute traffic-class signaling match class-map prm-biz-relevant-cats class-map match-all prm-nbar-12-cls#network-management match protocol attribute traffic-class ops-admin-mgmt match class-map prm-biz-relevant-cats class-map match-all prm-nbar-12-cls#transactional-data match protocol attribute traffic-class transactional-data match class-map prm-biz-relevant-cats class-map match-all prm-nbar-12-cls#multimedia-streaming match protocol attribute traffic-class multimedia-streaming match class-map prm-biz-relevant-cats class-map match-all prm-nbar-12-cls#scavenger match class-map prm-biz-irrelevant-cats BRKRST-2043 Business-Irrelevant Class-Map (List of Categories that are Business-Irrelevant) class-map match-any prm-biz-irrelevant-cats match protocol attribute category consumer-messaging match protocol attribute category consumer-streaming match protocol attribute category gaming match protocol attribute category social-networking match protocol attribute category instant-messaging RFC 4594-Based Marking Policy-Map policy-map prm-nbar-12-cls class prm-nbar-12-cls#voice set dscp ef class prm-nbar-12-cls#broadcast-video set dscp cs5 class prm-nbar-12-cls#interactive-video set dscp cs4 class prm-nbar-12-cls#multimedia-conferencing set dscp af41 class prm-nbar-12-cls#multimedia-streaming set dscp af31 class prm-nbar-12-cls#signaling set dscp cs3 class prm-nbar-12-cls#network-control set dscp cs6 class prm-nbar-12-cls#network-management set dscp cs2 class prm-nbar-12-cls#transactional-data set dscp af21 class prm-nbar-12-cls#bulk-data set dscp af11 class prm-nbar-12-cls#scavenger set dscp cs1 class class-default set dscp default 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 123

124 IWAN-App QoS Configuration Ingress Marking and Egress Queuing in Branch Ingress Marking on LAN interface GigabitEthernet0/0/0.10 description Data encapsulation dot1q 10 ip address ip helper-address ip pim sparse-mode standby version 2 standby 1 ip standby 1 priority 105 standby 1 authentication md5 key-string c1sco123 performance monitor context IWAN-Context service-policy input prm-nbar-12-cls Marking Policy Map on Previous Page Child Policy: 8-class WAN queuing and 6-class SP policy-map prm-dscp#iwan-8-id0 class prm-iwan8#voice priority level 1 police cir percent 10 set dscp ef class prm-iwan8#streaming-video bandwidth remaining percent 10 set dscp af31 random-detect dscp-based class prm-iwan8#call-signaling bandwidth remaining percent 4 set dscp cs3 class prm-iwan8#net-ctrl-mgmt bandwidth remaining percent 5 set dscp cs6 class prm-iwan8#interactive-video bandwidth remaining percent 30 set dscp af41 random-detect dscp-based class prm-iwan8#critical-data bandwidth remaining percent 25 set dscp af21 random-detect dscp-based class prm-iwan8#scavenger bandwidth remaining percent 1 set dscp cs1 class class-default bandwidth remaining percent 25 set dscp default random-detect dscp-based Parent Policy: Shape for Service Rate policy-map prm-dscp#iwan-8-id0#shape#30.0 class class-default shape average service-policy prm-dscp#iwan-8-id0 Egress Queuing on Physical Interface interface GigabitEthernet0/0/2 bandwidth ip vrf forwarding IWAN-TRANSPORT-1 ip address media-type rj45 negotiation auto no cdp enable service-policy output prm-dscp#iwan-8-id0#shape#30.0 BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 124

125 Adaptive QoS 125

126 Adaptive QoS with DMVPN How To Compute Available BW & Adjust Shapers Monitoring at the Receiver Short Term: Monitor loss per tunnel OR Rx-rate per tunnel (aggregate tunnel monitoring) Long term: Monitor loss per policy/class on a tunnel Monitoring & Feedback is a recurring/periodic process Feed-back loss per tunnel to the sender (any transport of choice) Processing at the Sender Receive feedback from receiver Read relevant tunnel s Tx-rate at the sender Evaluate loss based on difference between Rx-rate and Tx-rate Once loss is known at the sender (through explicit feed-back of loss or via <Rx-rate, Tx-rate> calculation), map it to QoS policy/class Adjust shape rate to dynamically adjust to the current Internet BW if required Static Bandwidth Management - Not adapting shapers in fluctuating BW environments can make the shapers irrelevant and admins would lose control of which applications are getting dropped! BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 126

127 Adaptive QoS How To Compute Available BW & Adjust Shapers DMVPN Spoke Site Egress shaper = 5 Mbps (offered) Shaper towards this spoke = 6 Mbps (offered) DMVPN Hub Site 5 Mbps Internet based WAN 6 Mbps BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 127

128 Adaptive QoS How To Compute Available BW & Adjust Shapers Egress shaper = 3 Mbps available) Shaper towards this spoke = 4 Mbps (available) DMVPN Spoke Site DMVPN Hub Site Available BW check: Tunnel Rx Loss, Rx/Tx compute Compute Available BW - function of the router Internet based WAN Available downstream BW = 4 Mbps Available upstream BW = 3 Mbps Algorithm to compute available upstream and downstream BW Benefits: Accurate view of available BW in non SLA environments Adapting business critical applications to what is available on link No more indiscriminate drops - tighter control of business policies for IWAN BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 128

129 Adaptive QoS For DMVPN How Does It Work? Adapt shaping rate at the Sender based on the available bandwidth between specific Sender and Receiver (two end-points of a DMVPN tunnel) Configure MQC Policy with Adaptive Shaping Attach service-policy to nhrp-group in Egress Create State for Periodic Collection of Stats on a Relevant Target Transport Monitoring Enablement Message DMVPN Tunnel Sender Transport Received Rate 1) Calculate Available Bandwidth in the Cloud 2) Adapt Egress Shaper to New Calculated Rate Receiver BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 129

130 High Level Algorithm to Compute Available BW Use a Training Period to estimate Transmit and Receive Counter Clock Shift (roughly) After Compensating for the Clock Shift, use transmit and receive count values difference to determine whether losses have occurred Transmitter shapes the traffic to a configured percentage of bottleneck link bandwidth once drops are detected If no drop is detected for a period of time, the shaper will increase its rate BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 130

131 Algorithm To Compute Available BW DRAC (Dynamic Rate Control) Shaped Rate Sent pkt Received pkt Dropped Source Transmit Intelligent, determine shaper rate based on transmit and receive count difference Sink Receive Passive, feedback receive counter values every 10sec BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 131

132 Adaptive QoS for DMVPN Configuration (Hub) HUB interface Tunnel1 ip address no ip redirects ip nhrp authentication GetDm0 ip nhrp group 1 ip nhrp map multicast dynamic ip nhrp map group 1 service-policy output qos ip nhrp network-id 1 ip tcp adjust-mss 1360 load-interval 30 cdp enable tunnel source Loopback1 tunnel mode gre multipoint tunnel key tunnel protection ipsec profile P1 policy-map qos class class-default shape adaptive upper-bound lower-bound service-policy child policy-map child class prec5 priority percent 20 class class-default bandwidth percent 80 Adaptive Shaper on Parent Class - Not allowed to configuring in Child Class Policy on DMVPN Tunnel - Assigned per NHRP spoke - consistent with Per Tunnel QoS Hub->Spoke, Spoke-Hub - Adaptive shapers supported on hub->spoke & spoke->hub - spoke->spoke in roadmap shape adaptive upper-bound <<bps> percent <value>> [lower-bound <<bps> percent <value>>] upper-bound lower-bound : Mandatory (max ceiling for shaper) & Initial Value : Optional (0 if not specified) BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 132

133 Adaptive QoS for DMVPN Configuration (Spoke) Spoke interface Tunnel1 ip address no ip redirects ip nhrp authentication GetDm0 ip nhrp group 1 ip nhrp map ip nhrp map multicast ip nhrp map group 1 service-policy output qos ip nhrp network-id 1 ip nhrp nhs ip nhrp server-only ip nhrp hold-time 360 ip tcp adjust-mss 1360 load-interval 30 cdp enable tunnel source Loopback1 tunnel mode gre multipoint tunnel key tunnel protection ipsec profile P1 Policy on DMVPN Tunnel - Assigned per NHRP spoke - consistent with Per Tunnel QoS Hub->Spoke, Spoke-Hub - Adaptive shapers supported on hub->spoke & spoke->hub - spoke->spoke in roadmap policy-map qos class class-default shape adaptive upper-bound lower-bound service-policy child policy-map child class class-default bandwidth percent 80 service-policy grand_child policy-map grand_child class class-default Adaptive Shaper on Parent Class - Not allowed to configuring in Child Class shape adaptive upper-bound <<bps> percent <value>> [lower-bound <<bps> percent <value>>] upper-bound lower-bound : Mandatory (max ceiling for shaper) & Initial Value : Optional (0 if not specified) BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 133

134 Adaptive QoS Summary The Adaptive QoS feature is not going to be documented in the CVD, but is a valid corner case that can be used in portions of a customers network. Adaptive QoS conflicts with PfR, because they are both trying to control traffic on the same interface at the same time. Adaptive QoS and PfR have not been officially tested together. Using it with IWAN is considered a custom design. BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 134

135 Ethernet Overhead Accounting 135