Additional Platform-Specific QoS Design Options
These designs represent a generic building block for Catalyst 4500 QoS in a campus distribution switch role, but they are by no means the only design options available to you. Additional options and considerations include the following:
- Access-edge design options
- Per-VLAN QoS design
- Per-port/per-VLAN QoS design
- EtherChannel QoS design
- AutoQoS SRND4
- Control plane policing
Each of these additional QoS design options is discussed in turn.
Access-Edge Design Options
This chapter has focused on QoS designs for the Catalyst 4500 in the role of a campus distribution switch (which are generally equivalent to the QoS designs required were it serving in the role of a campus core switch). However, the Catalyst 4500 can also be deployed as a campus access switch. Therefore, a few additional design options would apply in such a role, including the following access-edge models:
- Conditional Trust Model
- Classification and Marking Model
- Classification, Marking, and Policing Model
Each of these access-edge design options will be discussed in turn.
Conditional Trust Model
As previously mentioned, MQC-based platforms trust Layer 2 and Layer 3 markings by default and therefore require no explicit commands to do so. There are no equivalents to mls qos trust cos or mls qos trust dscp (nor are any required).
Default trust also means, however, that any host attached to an access port can mark its own traffic (with DSCP EF, for instance) and have the switch honor that marking. Every switch platform deployed as an access switch therefore needs a conditional trust function that extends trust only to a device it has actually detected. On the Catalyst 4500 this is provided by the qos trust device interface command.
At the time of this writing, the Catalyst 4500 supports conditional trust for the following devices:
- Cisco IP phone via the cisco-phone keyword option
- Cisco TelePresence systems via the cts keyword option
- Cisco IP video surveillance cameras systems via the ip-camera keyword option
- Cisco Digital Media Players via the media-player keyword option
When extending conditional trust to Cisco IP phones, remember that a phone can only re-mark the class of service (CoS) bits of PC-generated traffic (by default to CoS 0); it cannot re-mark DSCP. Therefore, the Conditional Trust Model on the Catalyst 4500 pairs the dynamic conditional trust command on the port with a simple MQC policy that explicitly matches CoS 5 (voice) and CoS 3 (signaling) and sets the DSCP of those packets to EF and CS3, respectively (essentially a CoS-to-DSCP mapping), while the class-default action resets everything else to DSCP DF. That last step is what neutralizes a PC that marks its own packets EF: the phone has already zeroed their CoS, so they miss the VOICE class and are re-marked to DF rather than being carried forward by default trust. Example 15-5 shows this conditional trust model for the Catalyst 4500.
Example 15-5 Configuring (CoS-Based) Conditional Trust to a Cisco IP Phone on a Catalyst 4500
! This section defines the class maps to match Voice and Signaling
C4500(config-cmap)# class-map match-all VOICE
C4500(config-cmap)# match cos 5
C4500(config-cmap)# class-map match-all SIGNALING
C4500(config-cmap)# match cos 3
! This section defines the CoS-to-DSCP re-marking policy map
C4500(config-cmap)# policy-map CISCO-IPPHONE
C4500(config-pmap)# class VOICE
C4500(config-pmap-c)# set dscp ef
! Maps CoS 5 to DSCP EF
C4500(config-pmap-c)# class SIGNALING
C4500(config-pmap-c)# set dscp cs3
! Maps CoS 3 to DSCP CS3
C4500(config-pmap-c)# class class-default
C4500(config-pmap-c)# set dscp default
! All other traffic is set to DSCP DF
! This section applies conditional trust and policy map to the int(s)
C4500(config)# interface GigabitEthernet 3/1
C4500(config-if)# switchport access vlan 10
C4500(config-if)# switchport voice vlan 110
C4500(config-if)# spanning-tree portfast
C4500(config-if)# qos trust device cisco-phone
! Applies conditional-trust to the switch port
C4500(config-if)# service-policy input CISCO-IPPHONE
! Attaches the CoS-to-DSCP mapping policy map
You can verify the configuration in Example 15-5 with the following commands:
- show qos interface
- show class-map
- show policy-map
- show policy-map interface
Medianet Metadata Classification Model
Beginning with Cisco IOS Release IOS XE 3.3.0SG and IOS 15.1(1)SG, you can configure a class map with metadata filters. A QoS policy that includes such classes is termed a metadata-based QoS policy. It allows you to classify flows based on user-friendly metadata attributes rather than on access control list (ACL)-based classification criteria (such as source/destination addresses/ports, and so on).
The following restrictions apply to using a metadata-based QoS policy on a Catalyst 4500 series switch:
- They can be attached to a target only in the input direction.
- They can be attached only to physical ports and EtherChannel port-channel interfaces; they cannot be attached to VLANs, port VLANs, or switch virtual interfaces (SVIs).
- A policy can have multiple metadata-based classifiers.
- A class map can have one or more metadata filters with match-any or match-all semantics.
- Policy actions for a metadata class are applied to the aggregate traffic of the class; however, if the metadata filter is configured together with a Flexible NetFlow record filter, the policy action (a policer, for example) applies to each individual flow.
Example 15-6 shows the class maps of a metadata-based QoS policy: two classes built from metadata filters (the policy map that references them is not repeated here).
Example 15-6 Medianet Metadata Classification Policy Example on a Catalyst 4500
! This section configures the medianet metadata class maps
C4500(config-cmap)# class-map match-all REALTIME-INTERACTIVE
C4500(config-cmap)# match application telepresence-media
! Identifies TelePresence media flows via metadata
C4500(config-cmap)# class-map match-any MULTIMEDIA-CONFERENCING
C4500(config-cmap)# match application webex-video
! Identifies WebEx video flows via metadata
C4500(config-cmap)# match application webex-voice
! Identifies WebEx voice flows via metadata
You can verify the configuration in Example 15-6 with the following commands:
- show class-map
- show policy-map
- show policy-map interface
Classification and Marking Models
In many scenarios, trust models may not be available or sufficient to distinctly classify all types of traffic required by the end-to-end QoS strategic model. Therefore, explicit classification and marking policies may be needed at the access edge.
Example 15-7 shows a configuration example based on Figure 11-5 (an eight-class QoS model). The named access lists it references (INTERACTIVE-VIDEO, TRANSACTIONAL-DATA, and SCAVENGER) are defined elsewhere and are not repeated here.
Example 15-7 Classification and Marking Policy Example on a Catalyst 4500
! This section configures the class maps
C4500(config-cmap)# class-map match-all VOICE
C4500(config-cmap)# match dscp ef
! Voice is matched on DSCP EF
C4500(config-cmap)# class-map match-all INTERACTIVE-VIDEO
C4500(config-cmap)# match access-group name INTERACTIVE-VIDEO
! Associates INTERACTIVE-VIDEO access-list with class map
C4500(config-cmap)# class-map match-all SIGNALING
C4500(config-cmap)# match dscp cs3
! Signaling is matched on DSCP CS3
C4500(config-cmap)# class-map match-all TRANSACTIONAL-DATA
C4500(config-cmap)# match access-group name TRANSACTIONAL-DATA
! Associates TRANSACTIONAL-DATA access-list with class map
C4500(config-cmap)# class-map match-all SCAVENGER
C4500(config-cmap)# match access-group name SCAVENGER
! Associates SCAVENGER access-list with class map
! This section configures the Per-Port ingress marking policy map
C4500(config-cmap)# policy-map PER-PORT-MARKING
C4500(config-pmap)# class VOICE
C4500(config-pmap-c)# set dscp ef
! VoIP is marked EF
C4500(config-pmap-c)# class INTERACTIVE-VIDEO
C4500(config-pmap-c)# set dscp af41
! Interactive-Video is marked AF41
C4500(config-pmap-c)# class SIGNALING
C4500(config-pmap-c)# set dscp cs3
! Signaling is marked CS3
C4500(config-pmap-c)# class TRANSACTIONAL-DATA
C4500(config-pmap-c)# set dscp af21
! Transactional Data is marked AF21
C4500(config-pmap-c)# class SCAVENGER
C4500(config-pmap-c)# set dscp cs1
! Scavenger traffic is marked CS1
C4500(config-pmap-c)# class class-default
C4500(config-pmap-c)# set dscp default
! All other traffic is marked DF
! This section attaches the service-policy to the interface(s)
C4500(config)# interface range GigabitEthernet 2/1-48
C4500(config-if-range)# switchport access vlan 10
C4500(config-if-range)# switchport voice vlan 110
C4500(config-if-range)# spanning-tree portfast
C4500(config-if-range)# qos trust device cisco-phone
! The interface is set to conditionally trust Cisco IP Phones
C4500(config-if-range)# service-policy input PER-PORT-MARKING
! Attaches the Per-Port Marking policy to the interface(s)
You can verify the configuration in Example 15-7 with the following commands:
- show qos interface
- show class-map
- show policy-map
- show policy-map interface
Classification, Marking, and Policing Model
In addition to classification and marking, policing might also be required at the access edge. The Catalyst 4500 supports single-rate two-color policing and three-color policing, the latter via either the RFC 2697 single-rate three-color marker (srTCM) or the RFC 2698 two-rate three-color marker (trTCM). Example 15-8 shows a per-port single-rate policing example for the Catalyst 4500 (based on Figure 13-8; the class maps it references, such as VVLAN-VOIP and MULTIMEDIA-CONFERENCING, belong to that model and are not repeated here), and Example 15-9 shows the policy amendments needed for an RFC 2698 two-rate three-color marker.
Example 15-8 (Single-Rate Two-Color) Per-Port Policing Configuration Example on a Catalyst 4500
! This section configures the single-rate per-port policing policy map
C4500(config)# policy-map PER-PORT-POLICING
C4500(config-pmap)# class VVLAN-VOIP
C4500(config-pmap-c)# set dscp ef
C4500(config-pmap-c)# police 128k bc 8000
C4500(config-pmap-c-police)# conform-action transmit
C4500(config-pmap-c-police)# exceed-action drop
! VoIP is marked EF and policed to drop at 128 kbps
C4500(config-pmap)# class VVLAN-SIGNALING
C4500(config-pmap-c)# set dscp cs3
C4500(config-pmap-c)# police 32k bc 8000
C4500(config-pmap-c-police)# conform-action transmit
C4500(config-pmap-c-police)# exceed-action drop
! (VVLAN) Signaling is marked CS3 and policed to drop at 32 kbps
C4500(config-pmap)# class MULTIMEDIA-CONFERENCING
C4500(config-pmap-c)# set dscp af41
C4500(config-pmap-c)# police 5m bc 8000
C4500(config-pmap-c-police)# conform-action transmit
C4500(config-pmap-c-police)# exceed-action drop
! Multimedia-conferencing is marked AF41 and policed to drop at 5 Mbps
C4500(config-pmap)# class SIGNALING
C4500(config-pmap-c)# set dscp cs3
C4500(config-pmap-c)# police 32k bc 8000
C4500(config-pmap-c-police)# conform-action transmit
C4500(config-pmap-c-police)# exceed-action drop
! (DVLAN) Signaling is marked CS3 and policed to drop at 32 kbps
C4500(config-pmap)# class TRANSACTIONAL-DATA
C4500(config-pmap-c)# set dscp af21
C4500(config-pmap-c)# police 10m bc 8000
C4500(config-pmap-c-police)# conform-action transmit
C4500(config-pmap-c-police)# exceed-action set-dscp-transmit af22
! Trans-data is marked AF21 and policed to re-mark (to AF22) at 10 Mbps
C4500(config-pmap)# class BULK-DATA
C4500(config-pmap-c)# set dscp af11
C4500(config-pmap-c)# police 10m bc 8000
C4500(config-pmap-c-police)# conform-action transmit
C4500(config-pmap-c-police)# exceed-action set-dscp-transmit af12
! Bulk-data is marked AF11 and policed to re-mark (to AF12) at 10 Mbps
C4500(config-pmap)# class SCAVENGER
C4500(config-pmap-c)# set dscp cs1
C4500(config-pmap-c)# police 10m bc 8000
C4500(config-pmap-c-police)# conform-action transmit
C4500(config-pmap-c-police)# exceed-action drop
! Scavenger traffic is marked CS1 and policed to drop at 10 Mbps
C4500(config-pmap)# class class-default
C4500(config-pmap-c)# set dscp default
C4500(config-pmap-c)# police 10m bc 8000
C4500(config-pmap-c-police)# conform-action transmit
C4500(config-pmap-c-police)# exceed-action set-dscp-transmit cs1
! The class-default class marks all other traffic to DF
! and polices all other traffic to re-mark (to CS1) at 10 Mbps
! This section attaches the service-policy to the interface(s)
C4500(config)# interface range GigabitEthernet 2/1-48
C4500(config-if-range)# switchport access vlan 10
C4500(config-if-range)# switchport voice vlan 110
C4500(config-if-range)# spanning-tree portfast
C4500(config-if-range)# qos trust device cisco-phone
! The interface is set to conditionally trust Cisco IP phones
C4500(config-if-range)# service-policy input PER-PORT-POLICING
! Attaches the Per-Port Policing policy to the interface(s)
You can verify the configuration in Example 15-8 with the following commands:
- show qos interface
- show class-map
- show policy-map
- show policy-map interface
To avoid excessive repetition, Example 15-9 amends the policer on a single class (the Bulk Data class) from a single-rate two-color policer to a two-rate three-color marker. Similar amendments can be made on any Assured Forwarding (AF) class of traffic, because the three AF drop precedences map naturally onto the conform, exceed, and violate colors.
Example 15-9 (Two-Rate Three-Color) Per-Port Policing Configuration Amendment Example on a Catalyst 4500
! This section configures a dual-rate per-port policing policy map
C4500(config)# policy-map TWO-RATE-POLICER
<snip>
C4500(config-pmap)# class BULK-DATA
C4500(config-pmap-c)# set dscp af11
C4500(config-pmap-c)# police 10m bc 8000 pir 15m
! Bulk-data is policed to a 10 Mbps rate and a 15 Mbps peak rate
C4500(config-pmap-c-police)# conform-action set-dscp-transmit af11
! Bulk data under 10 Mbps will be marked AF11
C4500(config-pmap-c-police)# exceed-action set-dscp-transmit af12
! Bulk data traffic between 10 Mbps and 15 Mbps will be marked AF12
C4500(config-pmap-c-police)# violate-action set-dscp-transmit af13
! Bulk data traffic over 15 Mbps will be marked AF13
You can verify the configuration in Example 15-9 with the following commands:
- show qos interface
- show class-map
- show policy-map
- show policy-map interface
Per-VLAN QoS Design
The Catalyst 4500 supports VLAN-based QoS. However, unlike the Catalyst 3750, the Catalyst 4500 does not support the mls qos vlan-based interface command. Instead, service policies are attached to VLANs in VLAN configuration mode (vlan config vlan-id) rather than in interface configuration mode, as shown in Example 15-10.
Example 15-10 Per-VLAN Marking Configuration Example on a Catalyst 4500
! This section configures the interface(s) for conditional trust
C4500(config)# interface range GigabitEthernet 2/1-48
C4500(config-if-range)# switchport access vlan 10
C4500(config-if-range)# switchport voice vlan 110
C4500(config-if-range)# spanning-tree portfast
C4500(config-if-range)# qos trust device cisco-phone
! The interface is set to conditionally trust Cisco IP phones
! This section attaches a marking policy to the DVLAN
C4500(config)# vlan config 10
C4500(config-vlan-config)# service-policy input DVLAN-MARKING
! This section attaches a marking policy to the VVLAN
C4500(config)# vlan config 110
C4500(config-vlan-config)# service-policy input VVLAN-MARKING
You can verify the configuration in Example 15-10 with the following commands:
- show qos interface
- show class-map
- show policy-map
- show policy-map vlan vlan-number (This command is nearly identical to show policy map interface, except that it references a VLAN directly, rather than a VLAN interface.)
Per-Port/Per-VLAN QoS
Although it is technically possible to apply an (aggregate) policing policy on a per-VLAN basis, it is not advisable. The number of endpoints in a given VLAN varies dynamically, whereas the aggregate policing rate is statically fixed, so the bandwidth each endpoint actually receives is unpredictable. Worse, a single misbehaving or compromised host can consume the VLAN's entire allotment and starve every other host that shares it.
However, a more flexible and discrete approach to deploying policing policies exists on the Catalyst 4500 platforms, namely deploying them on a per-port/per-VLAN basis. The Catalyst 4500 has a very elegant syntax for per-port/per-VLAN policies: within a (trunked) switch port's interface configuration, each VLAN carried over that port can have a separate policy applied to it via an interface-VLAN configuration mode, as shown in Example 15-11.
Example 15-11 Per-Port/Per-VLAN Policing Configuration Example on a Catalyst 4500
! This section attaches the policy to the VLANs on a per-port basis
C4500(config)# interface range GigabitEthernet 2/1-48
C4500(config-if-range)# switchport access vlan 10
C4500(config-if-range)# switchport voice vlan 110
C4500(config-if-range)# spanning-tree portfast
C4500(config-if-range)# qos trust device cisco-phone
! The interface is set to conditionally trust Cisco IP phones
C4500(config-if-range)# vlan 10
C4500(config-if-vlan-range)# service-policy input DVLAN-POLICERS
! Attaches the per-port/per-VLAN DVLAN policing policy to the
! DVLAN of the trunked switch port(s)
C4500(config-if-range)# vlan 110
C4500(config-if-vlan-range)# service-policy input VVLAN-POLICERS
! Attaches the per-port/per-VLAN VVLAN policing policy to the
! VVLAN of the trunked switch port(s)
You can verify the configuration in Example 15-11 with the following commands:
- show qos interface
- show class-map
- show policy-map
- show policy-map interface
- show policy-map interface interface x/y vlan vlan-number
EtherChannel QoS Design
The following rules apply when deploying QoS service policies on Catalyst 4500 EtherChannels:
- Classification, marking, and policing policies (whether ingress or egress) are applied to the logical port channel interfaces.
- Queuing policies are applied to the physical port-member interfaces.
For EtherChannel interfaces configured on Catalyst 4500 switches, the ingress QoS policies (including classification, marking, and policing policies) are applied via MQC service-policy statements (in the ingress direction using the input keyword) configured on the logical port channel interface. Trust statements are not required because this MQC-based platform trusts by default.
In addition, the Catalyst 4500 supports egress QoS policies (including marking/policing policies) to be similarly applied via MQC service-policy statements (in the egress direction using the output keyword) on the logical port channel interface.
Egress queuing policies, however, are applied via MQC service-policy statements (in the egress direction using the output keyword) on the physical port-member interfaces, as shown in Example 15-12.
Example 15-12 EtherChannel QoS Design on a Catalyst 4500
! This section configures the logical port channel interface
C4500(config)# interface Port-channel1
C4500(config-if)# description ETHERCHANNEL-LOGICAL-INTERFACE
C4500(config-if)# switchport mode trunk
C4500(config-if)# switchport trunk encapsulation dot1q
C4500(config-if)# switchport trunk allowed vlan 10,110
C4500(config-if)# service-policy input MARKING
! Attaches the ingress marking policy to the logical port channel
! This section configures 1P7Q1T+DBL queuing on the physical port-member interfaces
C4500(config)# interface range TenGigabitEthernet1/1-2
C4500(config-if-range)# description PORT-CHANNEL1-PORT-MEMBER
C4500(config-if-range)# switchport mode trunk
C4500(config-if-range)# switchport trunk encapsulation dot1q
C4500(config-if-range)# switchport trunk allowed vlan 10,110
C4500(config-if-range)# channel-group 1 mode auto
C4500(config-if-range)# service-policy output 1P7Q1T-QUEUING
! Applies the 1P7Q1T+DBL queuing policy to the physical port members
You can verify the configuration in Example 15-12 with the following commands:
- show class-map
- show policy-map
- show policy-map interface
Flow-Based QoS
Flow-based QoS adds microflow policing and marking: the switch dynamically learns traffic flows and can police every unique flow to an individual rate. It is available on Catalyst 4500 series switches with built-in NetFlow hardware support and can be applied to ingress traffic on both switched and routed interfaces, with the flow mask defined using Flexible NetFlow (FNF). Flow-based QoS is typically used in environments where per-user, granular rate limiting is required, and for that reason it is also referred to as user-based rate limiting (UBRL).
A flow is a stream of packets that share the same values in the key fields of the FNF flow record. A new flow is created when a packet's key-field values do not match any flow that already exists.
A flow-based QoS policy has one or more class maps that match on an FNF flow record. Such a class map must be configured as match-all, so that a packet has to satisfy every match criterion in the class map. When a flow-based QoS policy is attached to a QoS target, ingress traffic on the target is first classified according to the rules in the class map. If the classifier includes an FNF flow record, the key fields of that record are applied to the classified traffic to create flows (provided the flow does not already exist). The corresponding policy actions (policing and marking) are then applied to each individual flow. Flow-based policers (termed microflow policers) rate limit each unique flow. Flows are created dynamically, and inactive flows are periodically aged out.
Flow-based QoS policy can be applied on a per-port basis, per-port/per-VLAN basis, or on an EtherChannel port channel interface (but only in the ingress direction). Therefore, flow-based QoS may be deployed at either the access layer or distribution layer (wherever UBRL may be of value).
Note that a flow-based policy applies to every flow matched by its class. For example, if a flow-based policer is placed in class-default and attached to a port or VLAN, every flow entering that port or VLAN is subject to the policer. If that is not the intent, add classification so that the flow-based policer is applied more selectively.
Example 15-13 shows how to configure a flow-based QoS policy that uses microflow policing for user-based rate limiting. Every flow sourced from the subnet 192.168.10.0/24 is individually microflow policed to 1 Mbps.
Example 15-13 Configuring Flow-Based QoS (UBRL) on Catalyst 4500
! This section defines an ACL to match traffic from the subnet
C4500(config)# ip access-list extended USERGROUP-1
C4500(config-ext-nacl)# permit ip 192.168.10.0 0.0.0.255 any
! Traffic sourced from the 192.168.10.x subnet is matched
! This section defines a flow record with source address as key
C4500(config)# flow record FLOW-RECORD-1
C4500(config-flow-record)# match ipv4 source address
! Source address is defined as the key tuple
! This section defines the class map to match on USERGROUP-1 ACL
! and specify FLOW-RECORD-1 definition for flow creation
C4500(config)# class-map match-all USER-GROUP-1
C4500(config-cmap)# match access-group name USERGROUP-1
C4500(config-cmap)# match flow record FLOW-RECORD-1
! A "match-all" class map binds the ACL and flow-record
! to identify unique flows
! This section defines the microflow policer policy map
C4500(config)# policy-map 1MBS-MICROFLOW-POLICER
C4500(config-pmap)# class USER-GROUP-1
C4500(config-pmap-c)# police cir 1m
C4500(config-pmap-c-police)# conform-action transmit
C4500(config-pmap-c-police)# exceed-action drop
! Specifies each discrete microflow is to be limited to 1 Mbps
! This section applies the microflow policer to the interface
C4500(config)# interface GigabitEthernet 3/1
C4500(config-if)# service-policy input 1MBS-MICROFLOW-POLICER
You can verify the configuration in Example 15-13 with the following commands:
- show flow record (demonstrated in Example 15-14)
- show class-map
- show policy-map
- show policy-map interface
Example 15-14 Verifying Flow-Based QoS Policies on a Catalyst 4500: show flow record
C4500# show flow record
flow record FLOW-RECORD-1:
  Description:        User defined
  No. of users:       1
  Total field space:  4 bytes
  Fields:
    match ipv4 source address
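To make the policer mechanics behind Examples 15-8, 15-9, and 15-13 concrete, the following Python model is added here. It is an illustration written for this section, not Cisco code and not part of the original chapter: it implements the single-rate two-color policer of Example 15-8, the RFC 2698 two-rate three-color marker (trTCM) used for the Bulk Data class in Example 15-9, and the flow-based (microflow) policer of Example 15-13 keyed on the flow record's match field. The Example 15-13 class is also run with a single shared policer, which is exactly the aggregate behaviour the Per-Port/Per-VLAN section warns against: one flooding host consumes the allotment and the well-behaved host in the same subnet is starved, whereas per-flow keying limits the flooder to its own 1 Mbps and leaves the other host, and traffic outside the ACL, untouched. All hosts, packet sizes, and timings are constructed for the demo, and the handling of a missing violate-action is an assumption of the model, not a verified IOS default.

```python
"""Model of the Catalyst 4500 MQC policers in Examples 15-8, 15-9 and 15-13 (single-rate
two-color, RFC 2698 trTCM, flow-based). Added illustration, not Cisco code; traffic is constructed."""
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    size: int              # bytes, as the policer counts them
    t: float               # arrival time in seconds
    dscp: str = "default"

class TokenBucket:
    """`burst` bytes of credit refilled continuously at `rate_bps`; starts full."""
    def __init__(self, rate_bps, burst):
        self.rate, self.burst = rate_bps / 8.0, burst     # bytes per second
        self.tokens, self.last = float(burst), 0.0
    def refill(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now

class Policer:
    """'police <cir> bc <bc> [pir <pir> be <be>]': single-rate two-color without pir, RFC 2698 with it."""
    def __init__(self, cir, bc, pir=None, be=None, conform="transmit", exceed="drop", violate=None):
        self.c = TokenBucket(cir, bc)
        self.p = TokenBucket(pir, bc if be is None else be) if pir else None
        self.actions = {"conform": conform, "exceed": exceed,   # 'transmit', 'drop', 'set-dscp-transmit X'
                        "violate": exceed if violate is None else violate}  # assumed default, not verified on IOS
    def color(self, pkt):
        self.c.refill(pkt.t)
        if self.p is None:                        # single-rate, two-color
            if self.c.tokens < pkt.size:
                return "exceed"
            self.c.tokens -= pkt.size
            return "conform"
        self.p.refill(pkt.t)                      # RFC 2698 section 3, color-blind
        if self.p.tokens < pkt.size:
            return "violate"                      # red: above PIR
        if self.c.tokens < pkt.size:
            self.p.tokens -= pkt.size
            return "exceed"                       # yellow: above CIR, below PIR
        self.c.tokens -= pkt.size
        self.p.tokens -= pkt.size
        return "conform"                          # green: within CIR
    def police(self, pkt):
        action = self.actions[self.color(pkt)]    # returns the packet, or None if dropped
        if action == "drop":
            return None
        if action.startswith("set-dscp-transmit "):
            pkt.dscp = action.split()[1]
        return pkt

class MicroflowPolicer:
    """Flow-based QoS: one policer per distinct tuple of `key_fields` (the flow record's match
    fields) among packets accepted by `classify`; idle flows age out. Empty key = one aggregate policer."""
    def __init__(self, classify, key_fields, make_policer, age=60.0):
        self.classify, self.key_fields = classify, key_fields
        self.make_policer, self.age = make_policer, age
        self.flows = {}                           # key -> [policer, last_seen]
    def police(self, pkt):
        if not self.classify(pkt):
            return pkt                            # not in the class: untouched
        self.flows = {k: v for k, v in self.flows.items() if pkt.t - v[1] <= self.age}
        key = tuple(getattr(pkt, f) for f in self.key_fields)
        entry = self.flows.setdefault(key, [self.make_policer(), pkt.t])
        entry[1] = pkt.t
        return entry[0].police(pkt)

USERGROUP_1 = ipaddress.ip_network("192.168.10.0/24")   # ACL USERGROUP-1: permit ip 192.168.10.0 0.0.0.255 any

def stream(src, size, interval, count):
    """Constructed traffic: `count` packets of `size` bytes, one every `interval` seconds."""
    return [Packet(src, size, i * interval) for i in range(count)]

def bulk_data_trtcm(n_packets=1000):
    """Example 15-9 BULK-DATA policer on a constructed 20 Mbps stream; returns packets per DSCP."""
    pol = Policer(10_000_000, 8000, pir=15_000_000, be=8000, conform="set-dscp-transmit af11",
                  exceed="set-dscp-transmit af12", violate="set-dscp-transmit af13")
    counts = {"af11": 0, "af12": 0, "af13": 0}
    for pkt in stream("192.168.10.5", 1500, 0.0006, n_packets):   # 1500 B every 600 us = 20 Mbps
        counts[pol.police(pkt).dscp] += 1
    return counts                   # about 50% af11, 25% af12, 25% af13

def ubrl_demo(per_flow=True):
    """Example 15-13 (police cir 1m, exceed drop): 192.168.10.5 floods 1500-byte packets every 1 ms
    (12 Mbps); 192.168.10.6 and 10.0.0.9 (outside the ACL) send one every 12 ms (1 Mbps).
    per_flow=False shares one policer across the class, the aggregate case the per-VLAN caveat warns about."""
    policer = MicroflowPolicer(lambda p: ipaddress.ip_address(p.src) in USERGROUP_1,
                               ("src",) if per_flow else (), lambda: Policer(1_000_000, 8000))
    traffic = (stream("192.168.10.5", 1500, 0.001, 1000) + stream("192.168.10.6", 1500, 0.012, 84)
               + stream("10.0.0.9", 1500, 0.012, 84))
    traffic.sort(key=lambda p: p.t)               # stable sort: the flood goes first on ties
    passed = {}
    for pkt in traffic:
        if policer.police(pkt) is not None:
            passed[pkt.src] = passed.get(pkt.src, 0) + 1
    return passed, policer
```

Calling bulk_data_trtcm() shows the 20 Mbps stream split roughly in half between AF11 (within the 10 Mbps CIR) and the two higher drop precedences, with AF12 covering the band up to the 15 Mbps PIR and AF13 the rest, which is what the three AF drop precedences are for. Comparing ubrl_demo(True) with ubrl_demo(False) shows the difference between keying on the flow record and policing the class as one aggregate: with the flow key, 192.168.10.6 gets all of its packets through while 192.168.10.5 is held to about 1 Mbps; with the shared policer, 192.168.10.6 gets only its first packet through (while the bucket is still full) and is starved thereafter. In both cases 10.0.0.9 is outside the ACL, so it is never classified and never policed.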
AutoQoS SRND4
AutoQoS SRND4 is supported on the Cisco Catalyst 4500 beginning with Cisco IOS Release IOS XE 3.3.0SG and IOS 15.1(1)SG and is detailed in Appendix A, “AutoQoS for Medianet.”
Control Plane Policing
Control plane policing (CPP) is supported on the Catalyst 4500 and is detailed in Appendix B, “Control Plane Policing.”