Tuesday, July 31, 2012

Catalyst 6500 QoS Settings for VoIP


When configuring the Catalyst 6500 as an access layer switch, the recommended software for the Supervisor is CatOS. As a result, anybody preparing to sit the CCIE Voice Lab Exam should be familiar with CatOS. One of the big challenges of familiarizing oneself with CatOS is understanding the principles and syntax of commands related to campus QoS.

Before attempting to answer some of the more frequently asked questions, it is worth reviewing the two main QoS functions that we can perform on the switch.

(1) Classification and marking: it is best practice to classify and mark packets from applications as close to their sources as technically and administratively feasible. This principle promotes end-to-end Differentiated Services/Per-Hop Behaviors. Sometimes endpoints can be trusted to set Class of Service (CoS)/Differentiated Services Code Point (DSCP) markings correctly.

(2) Policing: police unwanted traffic flows as close to their sources as possible. There is little sense in forwarding unwanted traffic only to police and drop it at a subsequent node. This is especially the case when the unwanted traffic is the result of Denial of Service (DoS) or worm attacks. Such attacks can cause network outages by overwhelming network device processors with traffic.

Cisco IOS routers perform QoS in software. This places additional demands on the CPU, depending on the complexity and functionality of the policy. Cisco Catalyst switches, on the other hand, perform QoS in dedicated hardware ASICs and as such do not tax their main CPUs to administer QoS policies. This is another reason why you should enable QoS policies such as classification and marking policies to establish and enforce trust boundaries, as well as policers to protect against undesired flows, at the access edge of the LAN.

Enough of the theory; let's take a look at some of the useful commands:

Enabling QoS

QoS is globally disabled by default on Catalyst 6500s running either CatOS or IOS. When QoS is globally disabled, all frames/packets passed through the switch remain unaltered (which is equivalent to trusting all ports). When QoS is globally enabled, however, all QoS markings are (by default) set to 0 (which is equivalent to an untrusted state on all ports).

The commands to enable QoS globally on the CatOS Catalyst 6500 are shown below.

CAT6500-PFC2-CATOS> (enable) set qos enable
QoS is enabled.

Classification and Marking from IP Phones

For traffic originating from IP phones we configure the switch to mark/trust/ignore settings at Layer 2 (Ethernet) in a field known as 802.1Q/p Class of Service (CoS), the 802.1p User Priority bits of the 802.1Q header. There are three bits available for 802.1p marking. Therefore, only 8 classes of service (0-7) can be marked on Layer 2 Ethernet frames.

Typically we need to do two things on the ports to which IP Phones are connected. Firstly, we must instruct the IP Phone to ignore any CoS settings in 802.1Q frames originating from the PC behind the IP Phone (if applicable!). This is known as configuring the trust extension, because the PC is plugged into the phone. Secondly, having instructed the phone to overwrite the markings from the PC, the switch should be configured to trust all traffic that the IP Phone is sending: RTP media streams will be using CoS 5, SCCP control traffic will be marked using CoS 3 and everything else will have a CoS value of 0.

The configuration to achieve this is as follows:

CAT6500-PFC2-CATOS> (enable) set port qos 3/1 cos-ext 0
! Sets CoS to 0 for all untrusted PC-generated packets (behind an IP Phone)
CAT6500-PFC2-CATOS> (enable) set port qos 3/1 trust-ext untrusted
! Ignore any CoS values for all PC-generated packets (behind an IP Phone)
CAT6500-PFC2-CATOS> (enable) set port qos 3/1 trust trust-cos
! Trust CoS markings from the IP Phone

Often we like to set a conditional trust boundary on the switch: if an IP Phone is connected to a particular port then we want to trust the CoS settings, otherwise we want to set the CoS to a predetermined value (normally 0). The configuration is as follows:

CAT6500-PFC2-CATOS> (enable) set port qos 3/1 cos 0
! Sets CoS to 0 for all untrusted packets (when there is no IP Phone on the port)
CAT6500-PFC2-CATOS> (enable) set port qos 3/1 cos-ext 0
! Sets CoS to 0 for all untrusted PC-generated packets (behind an IP Phone)
CAT6500-PFC2-CATOS> (enable) set port qos 3/1 trust-ext untrusted
! Ignore any CoS values for all PC-generated packets (behind an IP Phone)
CAT6500-PFC2-CATOS> (enable) set port qos 3/1 trust-device ciscoipphone
! Conditional trust (for Cisco IP Phones only)

On non-GigabitEthernet modules (such as the WS-X6248-RJ-xx and WS-X6348-RJ-xx linecards), a hardware limitation prevents the proper functioning of port-based trust (which affects trust-cos, trust-ipprec, and trust-dscp).

On such modules, a workaround ACL can be used to achieve trust functionality for trust-cos, trust-ipprec, and trust-dscp. The workaround ACL for trust-cos functionality on such linecards is shown below.

CAT6500-PFC2-CATOS> (enable) set port qos 3/1 vlan-based
CAT6500-PFC2-CATOS> (enable) set qos acl ip TRUST-CoS trust-cos any
TRUST-COS editbuffer modified. Use 'commit' command to apply changes.
CAT6500-PFC2-CATOS> (enable) commit qos acl TRUST-CoS
QoS ACL 'TRUST-CoS' successfully committed.
CAT6500-PFC2-CATOS> (enable)
CAT6500-PFC2-CATOS> (enable) set qos acl map TRUST-CoS 220

QoS policies can be applied to either VLANs or ports. In the example above we apply the ACL to a VLAN (220) since typically all phones will have the same QoS configuration. By default, ports are configured for port-based QoS policies, which is normally used for applying ACLs to ports to which servers are connected.

To apply the QoS ACL defined above, the ACL must be committed to hardware. Committing copies the ACL from a temporary editing buffer to the PFC hardware. Once resident in the PFC memory, the policy defined in the QoS ACL can be applied to all traffic that matches its Access Control Entries (ACEs).

The final step is to ensure that Layer 2 markings are correctly mapped to the appropriate Layer 3 values (using the Differentiated Services Code Point, or DSCP, field in the IP header) for traffic bound for the WAN, where the Layer 2 type is different and Layer 2 markings are lost. For example, there is no equivalent of CoS in Frame Relay, whereas the IP header should be unaltered regardless of the Layer 2 technology. The configuration below shows CoS 3 being mapped to DSCP CS3 (24), which is actually the default, and CoS 5 mapped to DSCP EF (46). Other values are not related to VoIP traffic and are not considered here.

CAT6500-PFC2-CATOS> (enable) set qos cos-dscp-map 0 8 16 24 32 46 48 56
! Modifies the default CoS-DSCP mapping (0 8 16 24 32 40 48 56) so that CoS 5 is mapped to DSCP EF (46)

Classification and Marking from Call Manager

CallManager does not send Ethernet frames with the additional 802.1Q tag, and hence frames originating from CallManager do not contain any CoS markings. We do, however, have the option to trust markings at Layer 3, using the 6-bit DSCP field in the IP header.

The same hardware limitation exists as before; that is to say, on non-GigabitEthernet linecards we must trust DSCP inside an ACL. In order to trust DSCP in packets originating from CallManager, enter the following configuration:

CAT6500-PFC2-CATOS> (enable) set port qos 4/1 trust trust-dscp
Port 4/1 qos set to trust-dscp.
CAT6500-PFC2-CATOS> (enable) set qos acl ip TRUST-DSCP trust-dscp any
TRUST-DSCP editbuffer modified. Use 'commit' command to apply changes.
CAT6500-PFC2-CATOS> (enable) commit qos acl TRUST-DSCP
QoS ACL 'TRUST-DSCP' successfully committed.
CAT6500-PFC2-CATOS> (enable)
CAT6500-PFC2-CATOS> (enable) set qos acl map TRUST-DSCP 4/1

You will notice that we apply the ACL to a port rather than a VLAN.

Queuing and Dropping

When we talk about queuing and dropping in the context of VoIP applications running on a Catalyst 6500, we generally talk about queuing and dropping on the Transmit (Tx) queue as opposed to the Receive (Rx) queue. This is because default settings in CatOS on the Catalyst 6500 are more than adequate to deal with ingress congestion but not for egress congestion.

The 10/100Base-T ports on the WS-X6348 module operate using a 2Q2T structure on the Tx queue (2 separate queues, each with 2 tail-drop thresholds to prevent congestion from occurring) with a Weighted Round Robin (WRR) scheduler. The buffer size is 128KB per port. Other switches such as the Catalyst 3550, and other modules for the Catalyst 6500, have hardware Priority Queues (PQ) which should be used by real-time traffic flows. The 6348 module, on the other hand, has no PQ. To run VoIP traffic optimally, you should fine-tune the WRR settings to fabricate a Priority Queue and then place voice traffic into this "fabricated" Priority Queue.

The WRR weights for how the two queues are serviced can be adjusted to a specified ratio, for example 30:70 for Q1:Q2.

CAT6500-PFC2-CATOS> (enable) set qos txq-ratio 2q2t 30 70
! Sets the buffer allocations to 30% for Q1 and 70% for Q2
CAT6500-PFC2-CATOS> (enable) set qos wrr 2q2t 30 70
! Sets the WRR weights for 30:70 (Q1:Q2) bandwidth servicing

Since the 2Q2T model supports configurable tail-drop thresholds, these can be tuned to provide an additional layer of QoS granularity. For example, the first queue's first threshold can be set at 40% to prevent Scavenger/Bulk traffic from dominating Q1. Similarly, the second queue's first threshold can be set to 80% to always allow some room in the queue for VoIP. The second threshold of each queue should always be set to the tail of the queue (100%).

CAT6500-PFC2-CATOS> (enable) set qos drop-threshold 2q2t tx queue 1 40 100
! Sets Q1T1 to 40% to limit Scavenger/Bulk from dominating Q1
CAT6500-PFC2-CATOS> (enable) set qos drop-threshold 2q2t tx queue 2 80 100
! Sets Q2T1 to 80% to always have room in Q2 for VoIP

Once the queues and thresholds have been defined as above, CoS 1 (Scavenger/Bulk) can be assigned to Q1T1; CoS 0 (Best Effort) can be assigned to Q1T2; CoS 2 (Network Management and Transactional Data), CoS 3 (call signaling and Mission-Critical Data), CoS 4 (Interactive and Streaming Video), and CoS 6 and 7 (Internetwork and Network Control) can be assigned to Q2T1; and CoS 5 (VoIP) can be assigned to Q2T2.

CAT6500-PFC2-CATOS> (enable) set qos map 2q2t tx 1 1 cos 1
! Assigns Scavenger/Bulk to Q1T1
CAT6500-PFC2-CATOS> (enable) set qos map 2q2t tx 1 2 cos 0
! Assigns Best Effort to Q1T2
CAT6500-PFC2-CATOS> (enable) set qos map 2q2t tx 2 1 cos 2,3,4,6,7
! Assigns CoS 2,3,4,6 and 7 to Q2T1
CAT6500-PFC2-CATOS> (enable) set qos map 2q2t tx 2 2 cos 5
! Assigns VoIP to Q2T2
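As an added example (not part of the original post), the Python below parses the `set qos cos-dscp-map` and `set qos map 2q2t tx` commands used above into a per-CoS table and audits the VoIP invariants the post relies on: CoS 5 must land on DSCP EF (46) and in Q2T2, CoS 3 on CS3 (24), and every CoS must have a Tx queue. The config lines are a constructed sample copied from this post's commands.

```python
import re

# Constructed sample: the CatOS commands from this post, with CoS 5 mapped to EF (46).
CONFIG = """
set qos cos-dscp-map 0 8 16 24 32 46 48 56
set qos map 2q2t tx 1 1 cos 1
set qos map 2q2t tx 1 2 cos 0
set qos map 2q2t tx 2 1 cos 2,3,4,6,7
set qos map 2q2t tx 2 2 cos 5
"""

EF, CS3 = 46, 24

def parse_qos(config):
    """Return {cos: {"dscp", "queue", "threshold"}} for CoS 0-7 from CatOS QoS commands."""
    table = {cos: {"dscp": None, "queue": None, "threshold": None} for cos in range(8)}
    for line in config.splitlines():
        # cos-dscp-map lists eight DSCP values, one per CoS value 0..7
        m = re.match(r"\s*set qos cos-dscp-map((?:\s+\d+){8})\s*$", line)
        if m:
            for cos, dscp in enumerate(m.group(1).split()):
                table[cos]["dscp"] = int(dscp)
            continue
        # 2q2t queue map: queue, threshold, then a comma-separated CoS list
        m = re.match(r"\s*set qos map 2q2t tx (\d) (\d) cos ([\d,]+)\s*$", line)
        if m:
            queue, threshold = int(m.group(1)), int(m.group(2))
            for cos in m.group(3).split(","):
                table[int(cos)].update(queue=queue, threshold=threshold)
    return table

def audit(table):
    """Return a list of findings; an empty list means the VoIP invariants hold."""
    findings = []
    if table[5]["dscp"] != EF:
        findings.append("CoS 5 (voice bearer) does not map to DSCP EF (46)")
    if table[3]["dscp"] != CS3:
        findings.append("CoS 3 (call signalling) does not map to DSCP CS3 (24)")
    if (table[5]["queue"], table[5]["threshold"]) != (2, 2):
        findings.append("CoS 5 is not in Q2T2, the fabricated priority queue")
    unmapped = [cos for cos, row in table.items() if row["queue"] is None]
    if unmapped:
        findings.append("CoS values with no Tx queue assignment: %s" % unmapped)
    return findings

if __name__ == "__main__":
    for cos, row in parse_qos(CONFIG).items():
        print("CoS %d -> DSCP %s, Q%sT%s" % (cos, row["dscp"], row["queue"], row["threshold"]))
    print(audit(parse_qos(CONFIG)) or "no findings")
```

Feeding the same checker a map whose sixth value is 56 instead of 46 reports the CoS 5 finding, which is the kind of slip that silently strips voice of its EF marking on the WAN side.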
Policing

QoS policing on a network determines whether network traffic is within a specified profile (contract). This may cause out-of-profile traffic to be dropped or marked down to another DSCP value to enforce a contracted service level. The Catalyst 6500/6000 Policy Feature Card (PFC) and PFC2 only support ingress policing. To set up policing, you define the policers and apply them to ports (port-based QoS) or to VLANs (VLAN-based QoS). Each policer defines a name, type, rate, burst, and actions for in-profile and out-of-profile traffic. There are two types of policers: microflow and aggregate.

    * Microflow: police traffic for each applied port/VLAN separately on a per-flow basis.
    * Aggregate: police traffic across all of the applied ports/VLANs.

Each policer can be applied to several ports or VLANs. The flow is defined using these parameters:

    * source IP address
    * destination IP address
    * Layer 4 protocol (TCP/UDP)
    * source port number
    * destination port number

As an example, if you configure a microflow policer to limit the TFTP traffic to 1 Mbps on VLAN 1 and VLAN 3, then 1 Mbps is allowed for each flow in VLAN 1 and 1 Mbps for each flow in VLAN 3. In other words, if there are three flows in VLAN 1 and four flows in VLAN 3, the microflow policer allows each of these flows 1 Mbps. If you configure an aggregate policer, it limits the TFTP traffic for all flows combined on VLAN 1 and VLAN 3 to 1 Mbps.

If you apply both aggregate and microflow policers, QoS always takes the most severe action specified by the policers. For example, if one policer specifies to drop the packet, but another specifies to mark down the packet, the packet is dropped. By default, microflow policers work only with routed or Layer 3 traffic.

When configuring a policer you define a rate, a burst size and a markdown policy (or drop policy). A policer treats each packet received according to which of three categories it falls into: conforming traffic (within the normal rate), excess traffic (exceeding the normal rate but less than the excess rate) or violating traffic (exceeding both the normal and excess rate). At present on this platform, excess and violating control traffic marked with a DSCP value of CS3 should be remarked to the Scavenger traffic class, DSCP CS1 (8), and then transmitted, whilst traffic that conforms to the policed rate should be transmitted unchanged.

The configuration steps for setting up a policer on the Catalyst 6500 involve first defining the policer. The example below shows a microflow policer called POLICE-SKINNY being created with a policed rate of 32kbps and a burst size of 8kbps. Any excess or violating traffic is going to be remarked and transmitted (as opposed to dropped).

CAT6500-PFC2-CATOS> (enable) set qos policer microflow POLICE-SKINNY rate 32 burst 8 policed-dscp

The markdown policy is defined below: excess Skinny traffic marked with DSCP CS3 will be remarked to DSCP CS1 if a particular flow exceeds 32kbps.

CAT6500-PFC2-CATOS> (enable) set qos policed-dscp-map 24:8

Next, we bind the policer to an ACL set up to trust the DSCP values of all Skinny traffic originating from CallManager. The ACL is then applied to the port to which CallManager is connected.

CAT6500-PFC2-CATOS> (enable) set qos acl ip UNTRUSTED-CCM trust-dscp microflow POLICE-SKINNY tcp any range 2000 2002 any
! Source IP spec (any) precedes the source port range; Skinny uses TCP 2000-2002 on CallManager
CAT6500-PFC2-CATOS> (enable)
CAT6500-PFC2-CATOS> (enable) commit qos acl UNTRUSTED-CCM
CAT6500-PFC2-CATOS> (enable) set qos acl map UNTRUSTED-CCM 4/1
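To make the microflow versus aggregate distinction and the policed-dscp markdown concrete, here is an added Python model (not from the post or from Cisco) of a single-rate token-bucket policer using the post's values: rate 32 kbps, burst 8 kbit, and the 24:8 policed-dscp-map. The flow keys and packet sizes are constructed sample data; the bucket is a simplified model of the PFC policer, not its exact algorithm.

```python
CS3, CS1 = 24, 8
POLICED_DSCP_MAP = {CS3: CS1}        # set qos policed-dscp-map 24:8

class TokenBucket:
    """Simplified single-rate policer: rate in kbps, burst in kbit, as on the CatOS CLI."""
    def __init__(self, rate_kbps, burst_kbit):
        self.rate_kbps = rate_kbps
        self.burst_bits = burst_kbit * 1000
        self.tokens = self.burst_bits       # bucket starts full
        self.last_ms = 0

    def conforms(self, size_bytes, now_ms):
        # Refill at the policed rate (kbit/s * ms = bits), never beyond the burst size.
        self.tokens = min(self.burst_bits,
                          self.tokens + self.rate_kbps * (now_ms - self.last_ms))
        self.last_ms = now_ms
        needed = size_bytes * 8
        if self.tokens >= needed:
            self.tokens -= needed
            return True
        return False

def police(packets, rate_kbps, burst_kbit, microflow):
    """packets: (time_ms, flow_key, size_bytes, dscp) tuples in arrival order.
    Returns the egress DSCP of each packet. microflow=True gives every flow its
    own bucket (per-flow limit); microflow=False shares one bucket (aggregate)."""
    buckets, out = {}, []
    for t_ms, flow, size, dscp in packets:
        key = flow if microflow else "aggregate"
        bucket = buckets.setdefault(key, TokenBucket(rate_kbps, burst_kbit))
        if bucket.conforms(size, t_ms):
            out.append(dscp)                                # in profile: unchanged
        else:
            out.append(POLICED_DSCP_MAP.get(dscp, dscp))    # out of profile: mark down
    return out

def sample_packets():
    """Constructed traffic: two Skinny flows from CallManager (TCP source port 2000)
    marked CS3, 14 packets at t=0, then one more packet from flow A a second later."""
    flow_a = ("10.0.0.10", "10.0.0.50", "tcp", 2000, 51234)   # hypothetical addresses
    flow_b = ("10.0.0.10", "10.0.0.51", "tcp", 2000, 51235)
    pkts = [(0, flow_a, 100, CS3) for _ in range(12)]        # 12 x 800 bits = 9600 bits
    pkts += [(0, flow_b, 100, CS3) for _ in range(2)]
    pkts.append((1000, flow_a, 100, CS3))
    return pkts

if __name__ == "__main__":
    print("microflow:", police(sample_packets(), 32, 8, microflow=True))
    print("aggregate:", police(sample_packets(), 32, 8, microflow=False))
```

With an 8 kbit burst only ten 100-byte packets fit before markdown: under the microflow policer flow B still gets its own allowance, whereas the aggregate policer marks B down as soon as A has used up the shared bucket.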
