Hour 465: Single-Rate Policers and Dual-Rate Three-color Policer

In class-based policing there are three main classification methods used to manage traffic: the single-rate two-color policer, the single-rate three-color policer and the dual-rate three-color policer. It took me some time to understand how these work, as they are, in my opinion, advanced QoS concepts. That being said, let’s do a quick review of the QoS traffic terminology and how the token bucket concept works before we show how these different policers function.

**Please note that I am not going to go over the fundamentals of QoS. I will only do a quick overview of the terminology that you should already know, such as Tc, Bc and Be.

In a Cisco router, the IOS divides a single second into multiple sub-second intervals. Each of these intervals is called a Tc. In traffic shaping, a router can send a burst of traffic equal to the committed burst (Bc) during each of these intervals.

Now, in the token bucket scenario, imagine a bucket and tokens. Each token equates to 1 bit of information that can be sent into the bucket. The size of the token bucket is defined by the committed burst value (Bc). There are two actions that can happen: either tokens are replenished or tokens are consumed. At the beginning of each Tc interval, the token bucket is replenished with tokens equal to the value of the Bc. If the token bucket is full, or there is not enough room for all the replenished tokens, then some or all of the tokens spill out. This is where the concept of the excess burst (Be) comes into play. In a scenario where there is an excess burst (Be) defined, these spilled tokens are not discarded and can be re-used.


Hour 192: Cisco Order of Operations

The order of operations in IOS is one of the most important topics an engineer can learn. You can spend countless hours trying to figure out the solution to a problem involving NAT, routing, ACL, QoS and IPsec if you don’t understand in what order flows get processed within the Cisco IOS. For example, if you are doing NAT on a device and you want to route traffic going through NAT, will you use the inside or outside NAT IP address?

The answer is: it depends. The order of operations varies depending on whether the traffic is going from the inside to the outside interface or from the outside to the inside interface. It also varies depending on whether it is going from an inbound interface to an outbound interface. Let’s look at the official release from Cisco:

[Figure: OrderOfOps]

Hour 170: Trust DSCP vs Trust CoS

In QoS, you can use either DSCP or CoS to classify and mark traffic on your network as you wish. It is important to remember that DSCP is L3 and will be present in the IP header of a packet, while CoS is L2 and will only be present in an ISL or 802.1Q VLAN frame.

Since 802.1p only exists in a VLAN tag, I was wondering if you should trust DSCP or trust CoS on the uplinks of an L2 environment. I found a lot of people on forums with contradicting arguments and opinions, so I decided to investigate for myself. The question is: Do you have to trust DSCP over your trunk links or trust CoS, since only VLAN tags are carried around the network?

After setting up a lab with two 3550s and sniffing a trunk link set up between them, I finally got my answer. I was expecting the DSCP value to be dropped (because there is only a CoS value) or to be passed determined by the egress switch DSCP value. The results were unexpected and here is my analysis.


Hour 157: Leveraging QoS DPI features with PBR

One of the most powerful features that the MQC (Modular QoS CLI) offers is NBAR (Network Based Application Recognition), also called DPI (Deep Packet Inspection). Today, I will be showing you how to manipulate routing based on the upper layers of a data packet.

What’s so powerful about the MQC is that by using NBAR, you can inspect any part of an L4+ data packet and do whatever you like with it. In this example, I will be using the MQC to classify and mark web traffic such as youtube.com or facebook.com and then route it to null0 (the bit bucket). This will result in black-holing traffic for anyone trying to reach those webpages.

  1. Let's start by identifying our traffic using the class-map feature of the MQC:

     class-map match-any http-bad-traffic
      match protocol http host "*youtube.com*"
      match protocol http host "*myspace*"
      match protocol http host "*facebook*"

