QoS
Basic concepts
- The hardware queue on the ingress interface can be lengthened
  - Not recommended; if problems appear, check the router's resources instead
- The hardware queue on the egress interface can be lengthened
  - All kinds of packets are mixed together, so every packet is delayed, and a full hardware queue also causes tail drop
- Tail Drop
  - Packets are dropped at the tail of the queue
- Software Queue
  - In the router's software queue, decide which packets are placed into the hardware queue first; the software queue holds at most 64 packets
  - The software queue only makes decisions once the hardware queue is full
  - Weighted Fair Queuing (WFQ)
  - Class-based Weighted Fair Queueing (CBWFQ)
- When the software queue is full as well, decide how to drop packets: Congestion Avoidance
  - Tail Drop
  - Weighted Random Early Detection (WRED)
  - Explicit Congestion Notification (ECN)
- Basic classification into fast and slow lanes
  - Emergency lane: routing protocols
  - Fast lane: Voice/Video
  - Slow lane: TCP
- IntServ
  - Permanently reserves the emergency lane; no longer used today
- DiffServ
  - Opens the emergency lane only when congestion occurs
  - Per-Hop Behavior (PHB): the QoS behaviour on one hop-to-hop segment does not affect the segments between other hops
Classification
Classification is simply grouping a set of addresses together.
class-map match-all CLASS-EF
match access-group name TRAFFIC-VOICE
class-map match-any CLASS-AF11
match protocol snmp
match protocol ssh
class-map match-all CLASS-AF43
match ip dscp af43
ip access-list extended TRAFFIC-VOICE
permit ip 192.168.100.0 0.0.0.255 any
Marking
The IP header has an 8-bit ToS field; the router can mark IPP/DSCP inside ToS, and the mark travels with the packet. Marking a packet that already carries a mark overrides the existing mark.
policy-map POLICY-INCOMING
class CLASS-EF
set dscp ef
class CLASS-AF11
set dscp af11
class CLASS-AF43
set dscp af43
class class-default
set dscp default
R2(config-if)# service-policy input POLICY-INCOMING //marking is applied at the ingress interface
- IPP (3 bits)
| IPP name | Binary | Suggested class | Example |
|---|---|---|---|
| Routine (least important) | 000 | Best Effort Data | FTP, File Transfer |
| Priority | 001 | Medium Priority Data | Company applications of medium importance |
| Immediate | 010 | High Priority Data | Company applications of high importance |
| Flash | 011 | Call Control/Signaling | RTSP |
| Flash Override | 100 | Video | RTP |
| Critical | 101 | VoIP | RTP |
| Internetwork Control | 110 | Internetworking/Routing | OSPF, EIGRP |
| Network Control (most important) | 111 | Reserved | Reserved |
- DSCP (6 bits)
| DSCP name | Binary | Suggested class | Example |
|---|---|---|---|
| DF (least important) | 000000 | Best Effort | Internet Browsing |
| CS1 | 001000 | Scavenger | iTunes, BitTorrent |
| AF11 (low drop) | 001010 | Bulk Data | E-mail, FTP |
| AF12 (medium drop) | 001100 | Bulk Data | E-mail, FTP |
| AF13 (high drop) | 001110 | Bulk Data | E-mail, FTP |
| CS2 | 010000 | Admin System | SNMP, SSH |
| AF21 (low drop) | 010010 | Transaction Data | Enterprise Application |
| AF22 (medium drop) | 010100 | Transaction Data | Enterprise Application |
| AF23 (high drop) | 010110 | Transaction Data | Enterprise Application |
| CS3 | 011000 | Signaling | SIP, H323 |
| AF31 (low drop) | 011010 | Multimedia Streaming | |
| AF32 (medium drop) | 011100 | Multimedia Streaming | |
| AF33 (high drop) | 011110 | Multimedia Streaming | |
| CS4 | 100000 | Real-time Interactive | |
| AF41 (low drop) | 100010 | Multimedia Conferencing | |
| AF42 (medium drop) | 100100 | Multimedia Conferencing | |
| AF43 (high drop) | 100110 | Multimedia Conferencing | |
| CS5 | 101000 | Broadcast Video | |
| EF | 101110 | VoIP Telephony | G711, G729 |
| CS6 | 110000 | Network Control | OSPF, HSRP, IKE |
| CS7 (most important) | 111000 | Reserved | Reserved |
Note that AF1, AF2, AF3 and AF4 have no difference in importance in DSCP; an importance difference between them only appears in an environment that supports IPP alone.
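The classification and marking steps above, together with the bit layout behind the IPP and DSCP tables, as an added Python example (not IOS code and not from the original page). It models the class-maps and POLICY-INCOMING shown above; the packet representation (source address, protocol name, ToS byte) and the sample packets are constructed assumptions. It also shows why the AF drop-precedence distinction disappears on an IPP-only device: IP Precedence is just the top three bits of DSCP.

```python
"""Classification and marking as in the class-map / policy-map above, plus the ToS-byte
encoding behind the IPP and DSCP tables.  Added example in Python, not IOS code; the
packet model and sample packets are constructed."""
import ipaddress
from typing import Callable, Dict, List, Tuple

# --- DSCP codepoints (RFC 2474/2597/3246): DF = 0, CSx = x<<3, AFxy = x<<3 | y<<1, EF = 46 ---
def dscp_value(name: str) -> int:
    """'af11' -> 0b001010, 'cs6' -> 0b110000, 'ef' -> 0b101110, 'default' -> 0."""
    n = name.lower()
    if n in ("df", "default"):
        return 0
    if n == "ef":
        return 0b101110
    if len(n) == 3 and n[:2] == "cs" and "1" <= n[2] <= "7":
        return int(n[2]) << 3
    if len(n) == 4 and n[:2] == "af" and "1" <= n[2] <= "4" and "1" <= n[3] <= "3":
        return (int(n[2]) << 3) | (int(n[3]) << 1)
    raise ValueError(f"unknown DSCP name: {name}")

def dscp_name(value: int) -> str:
    """Inverse of dscp_value for the standard codepoints in the table."""
    if value == 0:
        return "DF"
    if value == 0b101110:
        return "EF"
    cls, drop = value >> 3, (value >> 1) & 0b11
    if drop == 0 and 1 <= cls <= 7:
        return f"CS{cls}"
    if 1 <= cls <= 4 and 1 <= drop <= 3:
        return f"AF{cls}{drop}"
    raise ValueError(f"not a standard codepoint: {value:06b}")

def ipp_from_dscp(value: int) -> int:
    """IP Precedence is the top 3 bits of DSCP, so AF41, AF42 and AF43 all collapse to IPP 4:
    the drop-precedence difference inside an AF class is lost on an IPP-only device."""
    return value >> 3

def set_dscp(tos: int, dscp: int) -> int:
    """Marking overwrites the 6 DSCP bits of the 8-bit ToS byte and keeps the 2 ECN bits."""
    return (dscp << 2) | (tos & 0b11)

# --- classification (constructed packet model: src address, protocol name, ToS byte) ---
Packet = Dict[str, object]
Matcher = Callable[[Packet], bool]

# ip access-list extended TRAFFIC-VOICE: permit ip 192.168.100.0 0.0.0.255 any
VOICE_NET = ipaddress.ip_network("192.168.100.0/24")

def acl_traffic_voice(p: Packet) -> bool:
    return ipaddress.ip_address(str(p["src"])) in VOICE_NET

# class-map name -> (match-all | match-any, match statements)
CLASS_MAPS: Dict[str, Tuple[str, List[Matcher]]] = {
    "CLASS-EF": ("match-all", [acl_traffic_voice]),
    "CLASS-AF11": ("match-any", [lambda p: p["proto"] == "snmp", lambda p: p["proto"] == "ssh"]),
    "CLASS-AF43": ("match-all", [lambda p: (int(p["tos"]) >> 2) == dscp_value("af43")]),
}

def class_matches(name: str, p: Packet) -> bool:
    """match-all needs every statement to match; match-any needs at least one."""
    mode, matchers = CLASS_MAPS[name]
    return all(m(p) for m in matchers) if mode == "match-all" else any(m(p) for m in matchers)

# policy-map POLICY-INCOMING: classes are tried in order, class-default catches the rest
POLICY_INCOMING: List[Tuple[str, str]] = [
    ("CLASS-EF", "ef"),
    ("CLASS-AF11", "af11"),
    ("CLASS-AF43", "af43"),
    ("class-default", "default"),
]

def classify(p: Packet) -> str:
    for cls, _ in POLICY_INCOMING:
        if cls == "class-default" or class_matches(cls, p):
            return cls
    return "class-default"

def apply_policy(p: Packet) -> Packet:
    """service-policy input POLICY-INCOMING: classify, then 'set dscp', overriding any existing mark."""
    cls = classify(p)
    new_tos = set_dscp(int(p["tos"]), dscp_value(dict(POLICY_INCOMING)[cls]))
    return {**p, "class": cls, "tos": new_tos}

if __name__ == "__main__":
    samples = [  # constructed
        {"src": "192.168.100.7", "proto": "rtp", "tos": 0},
        {"src": "10.0.0.5", "proto": "ssh", "tos": dscp_value("af21") << 2},   # pre-marked AF21
        {"src": "10.0.0.9", "proto": "http", "tos": dscp_value("af43") << 2},
        {"src": "10.0.0.9", "proto": "http", "tos": 0},
    ]
    for pkt in samples:
        out = apply_policy(pkt)
        print(out["class"], dscp_name(out["tos"] >> 2), "IPP", ipp_from_dscp(out["tos"] >> 2))
```

The second sample packet arrives already marked AF21 but matches CLASS-AF11 on protocol, so the policy overwrites it with AF11, which is the override behaviour described above; the last one matches nothing and is reset to DF by class-default.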
Software queue dispatching traffic to the hardware queue with WFQ
A weight is computed from the packet's IPP, and from the weight the bandwidth pulled into the hardware queue is computed
Larger IPP > smaller weight > more bandwidth taken per second
Weight = 32384/(IPP+1); e.g. IPP=3 gives Weight=8096
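The weight formula above, carried into the scheduling decision, as an added Python example (not IOS code and not from the original page). It uses the page's Weight = 32384/(IPP+1) and the classic WFQ sequence-number rule, where each packet is stamped with the previous sequence number of its flow plus weight times length and the smallest stamp is served first; the flows and packet sizes are constructed, and all packets are assumed to be queued before scheduling starts.

```python
"""WFQ as described above: a weight derived from IPP and sequence-number scheduling.
Added example, not IOS code; the packet flows are constructed."""
from collections import deque
from typing import Deque, Dict, List, Tuple

def wfq_weight(ipp: int) -> int:
    """Weight = 32384 / (IPP + 1): a higher precedence gives a smaller weight."""
    if not 0 <= ipp <= 7:
        raise ValueError("IP Precedence is a 3-bit value (0-7)")
    return 32384 // (ipp + 1)

def wfq_schedule(flows: Dict[str, Tuple[int, List[int]]]) -> List[str]:
    """Move packets from the software queue to the hardware queue in WFQ order.

    flows maps a flow name to (IPP, packet lengths in bytes, in arrival order).  Every packet
    is stamped with a sequence number SN = SN of the previous packet of the same flow
    + weight * length, and the scheduler always dequeues the packet with the smallest SN.
    Because the weight shrinks as IPP grows, a high-IPP flow advances its SN more slowly and
    is served more often: IPP larger -> weight smaller -> more bandwidth per second.
    (All packets are assumed to be queued before scheduling starts, so the
    'current scheduler SN' term of the real algorithm is omitted.)
    """
    queues: Dict[str, Deque[int]] = {name: deque(lengths) for name, (_, lengths) in flows.items()}
    last_sn: Dict[str, int] = {name: 0 for name in flows}

    def head_sn(name: str) -> int:
        return last_sn[name] + wfq_weight(flows[name][0]) * queues[name][0]

    order: List[str] = []
    while any(queues.values()):
        name = min((n for n in queues if queues[n]), key=head_sn)
        last_sn[name] = head_sn(name)
        queues[name].popleft()
        order.append(name)
    return order

if __name__ == "__main__":
    # constructed: a VoIP flow at IPP 5 competing with an FTP flow at IPP 0, equal packet sizes
    order = wfq_schedule({"voice": (5, [1000] * 10), "ftp": (0, [1000] * 10)})
    print(" ".join(order))
    print("voice share of first 7 dequeues:", order[:7].count("voice") / 7)
```

With equal-size packets, the IPP 5 flow (weight 5397) gets six packets out before the IPP 0 flow (weight 32384) gets its first, which is the 6:1 ratio of (IPP+1) values the formula implies.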
Software queue dispatching traffic to the hardware queue with CBWFQ
You define the bandwidth yourself: when congestion occurs, EF takes 100K, AF11 takes 200K, AF43 takes 300K; class-default, i.e. all unclassified packets, runs WFQ
policy-map POLICY-OUT
class CLASS-EF
bandwidth 100
class CLASS-AF11
bandwidth 200
class CLASS-AF43
bandwidth 300
class class-default
bandwidth 400
A policy-map can have only one priority class, the Low Latency Queue (LLQ), which is served first
policy-map POLICY-OUT
class CLASS-EF
priority 300
class CLASS-AF11
bandwidth 200
class CLASS-AF43
bandwidth 100
Percent can also be used; the percentages must add up to 100%
policy-map POLICY-OUT
class CLASS-EF
priority percent 30
class CLASS-AF11
bandwidth percent 20
class CLASS-AF43
bandwidth percent 10
class class-default
bandwidth percent 10
If a priority is set, percent remaining can be used: assuming the interface bandwidth is 1000K and priority takes 800K, the percentages are computed on what remains, and they do not need to add up to 100%
policy-map POLICY-OUT
class CLASS-EF
priority 800
class CLASS-AF11
bandwidth remaining percent 40 //80K
class CLASS-AF43
bandwidth remaining percent 20 //40K
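The allocation rules of the four policy-maps above, as an added Python example (not IOS code and not from the original page): one LLQ class reserved first, absolute and percent bandwidth as shares of the interface, and remaining percent as a share of what the priority class leaves over. The class tuples passed in are constructed, and percentages are checked not to exceed 100%.

```python
"""Bandwidth allocation rules of CBWFQ and LLQ, modelled on the four policy-maps above.
Added example in Python, not IOS code; the class definitions passed in are constructed."""
from typing import Dict, List, Tuple

# (class name, keyword, value) with keyword one of:
#   "priority" (kbps) | "priority percent" | "bandwidth" (kbps) | "bandwidth percent"
#   | "bandwidth remaining percent"
ClassSpec = Tuple[str, str, float]

def allocate(interface_kbps: float, classes: List[ClassSpec]) -> Dict[str, float]:
    """Guaranteed kbps per class during congestion.

    Rules applied: at most one priority (LLQ) class; the LLQ class is reserved first;
    'bandwidth' / 'bandwidth percent' are absolute shares of the interface and, together
    with 'priority percent', may not exceed 100%; 'bandwidth remaining percent' is a share
    of what the LLQ class leaves over and need not add up to 100%."""
    priorities = [c for c in classes if c[1].startswith("priority")]
    if len(priorities) > 1:
        raise ValueError("only one priority (LLQ) class is allowed per policy-map")

    alloc: Dict[str, float] = {}
    for name, kw, val in priorities:
        alloc[name] = val if kw == "priority" else interface_kbps * val / 100
    remaining = interface_kbps - sum(alloc.values())

    pct_total = sum(v for _, kw, v in classes if kw in ("priority percent", "bandwidth percent"))
    if pct_total > 100:
        raise ValueError(f"percentages add up to {pct_total}%, more than the interface")

    for name, kw, val in classes:
        if kw == "bandwidth":
            alloc[name] = val
        elif kw == "bandwidth percent":
            alloc[name] = interface_kbps * val / 100
        elif kw == "bandwidth remaining percent":
            alloc[name] = remaining * val / 100

    if sum(alloc.values()) > interface_kbps:
        raise ValueError("allocation exceeds the interface bandwidth")
    return alloc

if __name__ == "__main__":
    # the 'bandwidth remaining percent' policy-map above on a 1000 kbps interface
    print(allocate(1000, [("CLASS-EF", "priority", 800),
                          ("CLASS-AF11", "bandwidth remaining percent", 40),
                          ("CLASS-AF43", "bandwidth remaining percent", 20)]))
```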
When the software queue is full: Tail Drop as congestion avoidance
ToS is not examined; packets are simply dropped. TCP sessions break on timeout, TCP retransmits, and Global Synchronization follows
When the software queue is full: WRED as congestion avoidance
Different drop policies are set according to IPP/DSCP
Each lane has its own:
- Minimum Threshold
  - When to start dropping packets
- Probability Denominator
  - How many packets to drop; a setting of 10 means 1 of every 10 packets is randomly chosen and dropped
- Maximum Threshold
  - Once exceeded, tail drop is forced
To enable it, the command is random-detect; an LLQ class using priority cannot use WRED
policy-map POLICY-OUT
class CLASS-EF
priority 100
class CLASS-AF11
bandwidth remaining percent 40
random-detect //or switch to DSCP-based: random-detect dscp-based
class CLASS-AF43
bandwidth remaining percent 30
random-detect //or switch to DSCP-based: random-detect dscp-based
class class-default
bandwidth remaining percent 20
random-detect //or switch to DSCP-based: random-detect dscp-based
//change the values of each queue
random-detect precedence <IPP> <min> <max> <prob>
R2(config-pmap-c)# random-detect precedence 5 25 30 20
or R2(config-pmap-c)# random-detect dscp af11 25 30 20
show policy-map interface
When the software queue is full: ECN as congestion avoidance
Dropping packets relieves congestion, but ECN can relieve it as well
ToS has 8 bits; DSCP uses only 6 of them, and the last 2 bits are used for ECN
- ECN Capable Transport (ECT) bit
  - If the sender supports ECN, the sender sets this to 1
  - When the minimum threshold is exceeded, the software queue does not drop the packet; instead it sets CE to 1 and forwards the packet to the receiver, telling the receiver that congestion is about to occur; the receiver then tells the sender in its ACK to adjust the window size and slow down
  - If the sender does not support ECN, the sender sets this to 0, and packets are dropped according to WRED
  - command: random-detect ecn
- Congestion Experienced (CE) bit
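The WRED profile from the random-detect precedence 5 25 30 20 line above and the ECN behaviour just described, combined in one added Python example (not IOS code and not from the original page). The precedence-0 profile, the packet ToS values and the simulated traffic are constructed; the exponential weighting constant of 9 for the average queue depth is the IOS default. It shows the drop probability ramp between the two thresholds, the forced tail drop past the maximum, and that with random-detect ecn an ECT-capable packet is marked CE where a non-ECT packet would be dropped.

```python
"""WRED drop decision with ECN marking, modelled on 'random-detect precedence 5 25 30 20' and
'random-detect ecn' above.  Added example in Python, not IOS code; the precedence-0 profile
and the simulated traffic are constructed."""
import random
from dataclasses import dataclass
from typing import Dict, Tuple

# values of the 2 ECN bits at the bottom of the ToS byte (RFC 3168)
ECN_NOT_ECT, ECN_ECT1, ECN_ECT0, ECN_CE = 0b00, 0b01, 0b10, 0b11

@dataclass(frozen=True)
class WredProfile:
    min_threshold: int          # average queue depth (packets) at which random drops start
    max_threshold: int          # at or above this, every packet is tail-dropped
    mark_prob_denominator: int  # at max_threshold, 1 in N packets is dropped

PROFILES: Dict[int, WredProfile] = {
    0: WredProfile(20, 40, 10),   # constructed
    5: WredProfile(25, 30, 20),   # random-detect precedence 5 25 30 20
}

def average_depth(prev_avg: float, current_depth: int, exponent: int = 9) -> float:
    """WRED compares thresholds against an exponentially weighted average queue depth, so a
    short burst does not trigger drops (weight 2^-exponent; exponent 9 is the IOS default)."""
    return prev_avg + (2.0 ** -exponent) * (current_depth - prev_avg)

def drop_probability(avg: float, prof: WredProfile) -> float:
    """0 below min, 1 at/above max, and in between a ramp up to 1/denominator."""
    if avg < prof.min_threshold:
        return 0.0
    if avg >= prof.max_threshold:
        return 1.0
    ramp = (avg - prof.min_threshold) / (prof.max_threshold - prof.min_threshold)
    return ramp / prof.mark_prob_denominator

def wred_decide(avg: float, ipp: int, tos: int, ecn_enabled: bool,
                rng: random.Random) -> Tuple[str, int]:
    """Verdict for one packet: ('transmit' | 'drop' | 'mark-ce', resulting ToS byte)."""
    prof = PROFILES[ipp]
    if avg >= prof.max_threshold:
        return "drop", tos                       # forced tail drop past the maximum threshold
    if rng.random() >= drop_probability(avg, prof):
        return "transmit", tos
    # WRED picked this packet: with ECN enabled and ECT set, mark CE instead of dropping
    if ecn_enabled and (tos & 0b11) in (ECN_ECT0, ECN_ECT1):
        return "mark-ce", tos | ECN_CE
    return "drop", tos

def simulate(avg: float, ipp: int, tos: int, ecn_enabled: bool,
             n: int = 10_000, seed: int = 1) -> Dict[str, int]:
    """Count verdicts for n packets seen at a fixed average depth."""
    rng = random.Random(seed)
    counts = {"transmit": 0, "drop": 0, "mark-ce": 0}
    for _ in range(n):
        action, _ = wred_decide(avg, ipp, tos, ecn_enabled, rng)
        counts[action] += 1
    return counts

if __name__ == "__main__":
    cs5_ect = (0b101000 << 2) | ECN_ECT0   # CS5 from an ECN-capable sender (constructed)
    print("ECN on :", simulate(27.5, 5, cs5_ect, True))
    print("ECN off:", simulate(27.5, 5, cs5_ect, False))
```

At an average depth of 27.5 the precedence-5 profile is halfway up its ramp, so the selection probability is 0.5/20 = 2.5%; with ECN on, every selected ECT packet is marked rather than dropped, and a sender that did not set ECT still loses packets exactly as under plain WRED.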
Hierarchical Policies
Nested policy: first police all inbound traffic to 10 Mb, then perform classification and marking
policy-map TRAFFIC-POLICING
class class-default
police rate 10000000
service-policy POLICY-INCOMING
Basic configuration
Set up the ACL
Router(config)# access-list 100 permit ip host 192.168.1.1 any
OR
Router(config)# ip access-list extended SSLVPN
Router(config-ext-nacl)# permit ip host 192.168.1.1 any
Define the class and bind it to the ACL defined above
Router(config)# class-map SSLVPN
Router(config-cmap)# match access-group 100
OR
Router(config)# class-map match-any to-SSLVPN
Router(config-cmap)# match access-group name SSLVPN
Define the policy, which sets the behaviour of the class
Router(config)# policy-map to-SSLVPN-qos
Router(config-pmap)# class to-SSLVPN
Router(config-pmap-c)# police 4m conform-action transmit exceed-action drop //rate limit to 4M, drop whatever exceeds it
Apply the policy on the interface
Router(config)# interface FastEthernet0/1 //usually the congested egress interface
Router(config-if)# service-policy output to-SSLVPN-qos
Test: use the traffic generator tfgen to send UDP packets to the specified target.
Router(config)# interface FastEthernet0/1
Router(config-if)# load-interval 30 //take the 30-second average and view it per second
Router# show interface FastEthernet0/1
30 second input rate 1000 bits/sec, 2 packets/sec
30 second output rate 3999000 bits/sec, 344 packets/sec
Confirm that the traffic over the past 30 seconds sits around 4M; if the 30-second interval is not configured, the rate is calculated over 5 minutes.
Router# show policy-map interface fa0/1
30 second offered rate 13277000 bps,drop rate 9271000 bps
The test traffic is about 10M; if the drop counter here is 0, the configuration is definitely not taking effect.
Shaping
The ISP provides a service guarantee no higher than the CIR
For a 10 Mbps interface to conform to a 2 Mbps CIR, the only option is to spend 0.2 seconds sending 2M and then wait 0.8 seconds.
VoIP tolerates at most 0.1 seconds between packets; waiting 0.8 seconds is far too long.
So instead, every 0.25 seconds, spend 0.05 seconds sending 0.5M, with a 0.2-second wait between packets
Token Bucket Algorithm
- Tc: 0.25 seconds (packet interval)
- Bc: the bucket holds 0.5M worth of tokens (how much is sent per burst)
- CIR*Tc = Bc
Meaning the interface may begin sending 0.5M every 0.25 seconds
Lead Time
- The bucket Bc should ideally be equal to or larger than the traffic packet size, so that one bucket carries one packet; otherwise several buckets are needed to send a single packet, which wastes time
- e.g. FTP file transfer MTU 1500 bytes (12,000 bits)
- e.g. VoIP G711 160 bytes (1280 bits)
Basic shaping configuration
R2(config)# policy-map SHAPE-TO-1M
R2(config-pmap)# class class-default
R2(config-pmap-c)# shape average 1m 12000 0 //CIR, Bc, Be
R2(config)# int ethernet 1/1
R2(config-if)# service-policy output SHAPE-TO-1M
R2# show policy-map interface eth1/1
shape (average) cir 1000000, bc 12000, be 0
The ISP can oversell bandwidth during off-peak periods, Be [more burst bandwidth when idle, but the average bandwidth stays the same]
R2(config)# policy-map SHAPE-TO-1M
R2(config-pmap)# class class-default
R2(config-pmap-c)# shape average 1m 12000 6000 //CIR, Bc, Be
R2# show policy-map int e1/1
shape average cir 1000000, bc 12000, be 6000
The ISP can oversell bandwidth during off-peak periods, PIR [more burst bandwidth when idle, and bandwidth that keeps pace with the Be capacity; beware that the ISP only guarantees the CIR bandwidth]
R2(config)# policy-map SHAPE-TO-1M
R2(config-pmap)# class class-default
R2(config-pmap-c)# shape peak 1m 12000 6000 //CIR, Bc, Be
R2# show policy-map int e1/1
target shape rate 1500000
queue-limit: the buffer size used in shaping
R2(config-pmap-c)# queue-limit 200
R2# show policy-map int e1/1
Queue limit 200 packets
Besides packets as the unit, delay can also be used as the unit; a live video packet delayed by more than 1 second is useless.
R2(config-pmap-c)# queue-limit 1000ms
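The shaping arithmetic of this section (Bc = CIR*Tc, the send/idle split within each Tc, the lead-time rule, and the target rate of shape peak) together with a per-interval token-bucket shaper that shows what Be adds, as an added Python example (not IOS code and not from the original page). The arrival pattern fed to the shaper is constructed; the shaper steps one Tc at a time and keeps unsent data in a queue, which is the queue that queue-limit bounds.

```python
"""Shaping arithmetic (Tc, Bc, Be, PIR) and a per-interval token-bucket shaper, modelled on the
shape average / shape peak examples above.  Added example in Python, not IOS code; the
arrival pattern fed to the shaper is constructed."""
from typing import Dict, List

def interval_plan(cir_bps: float, line_rate_bps: float, tc_s: float) -> Dict[str, float]:
    """Bc = CIR * Tc.  The Bc bits leave at line rate, then the interface idles until Tc is over."""
    bc_bits = cir_bps * tc_s
    send_s = bc_bits / line_rate_bps
    return {"bc_bits": bc_bits, "send_s": send_s, "idle_s": tc_s - send_s}

def fits_one_bucket(bc_bits: float, packet_bytes: int) -> bool:
    """Lead-time rule: one bucket should carry at least one whole packet."""
    return packet_bytes * 8 <= bc_bits

def peak_rate_bps(cir_bps: float, bc_bits: float, be_bits: float) -> float:
    """shape peak sends Bc + Be every Tc, so the target rate is CIR * (1 + Be/Bc)."""
    return cir_bps * (1 + be_bits / bc_bits)

def shape(arrivals_bits: List[float], bc_bits: float, be_bits: float = 0.0) -> List[float]:
    """Token-bucket shaper stepped one Tc per element of arrivals_bits.
    Each interval adds Bc tokens; tokens unused in a quiet interval carry over, but only up to
    Be extra (shape average with be 0 never bursts above Bc).  Data that finds no token waits in
    the shaping queue for a later interval, which is the delay that queue-limit bounds."""
    tokens, queue, sent = bc_bits, 0.0, []
    for arrived in arrivals_bits:
        queue += arrived
        out = min(queue, tokens)
        sent.append(out)
        queue -= out
        tokens = min(tokens - out + bc_bits, bc_bits + be_bits)
    return sent

if __name__ == "__main__":
    print(interval_plan(2_000_000, 10_000_000, 1.0))    # 2M in 0.2 s, then 0.8 s idle
    print(interval_plan(2_000_000, 10_000_000, 0.25))   # 0.5M in 0.05 s, then 0.2 s idle
    print("FTP 1500 B fits Bc 12000:", fits_one_bucket(12_000, 1500))
    print("shape peak 1m 12000 6000 ->", peak_rate_bps(1_000_000, 12_000, 6_000))
    # constructed: two quiet intervals, then 1.5M arrives at once
    print("be 0     :", shape([0, 0, 1_500_000, 0], 500_000, 0))
    print("be 250000:", shape([0, 0, 1_500_000, 0], 500_000, 250_000))
```

With Be the two quiet intervals bank 250000 extra bits, so the burst goes out as 750000 then 500000 instead of 500000 twice, which is the "more burst bandwidth when idle, same average" behaviour described for Be; shape peak 1m 12000 6000 yields the 1500000 target shown in the show output.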
Policing
- From the ISP's perspective, traffic coming from the customer must be policed
- The policing token unit is bytes; the shaping token unit is bits
- The token refill rate is the CIR
- Policer types (colors)
  - Single-rate Two-color Policer
  - Single-rate Three-color Policer
  - Two-rate Three-color Policer
Single-rate Two-color Policer
If the bucket has tokens, the packet passes; if not, it is dropped
R3(config)# policy-map ONE-RATE-TWO-COLOR
R3(config-pmap)# class class-default
R3(config-pmap-c)# police cir 1000000 bc 1500 //CIR 1M, Bc 1500 bytes
//Compare to shaping: shape average 1m 12000 6000 = cir, Bc, Be
R3(config-pmap-c-police)# conform-action transmit
R3(config-pmap-c-police)# exceed-action drop
R3(config)# int e1/0
R3(config-if)# service-policy input ONE-RATE-TWO-COLOR
R3# show policy-map int e1/0
Conformed 27 packets, transmit
Exceeded 15 packets, drop
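The single-rate two-color policer configured above, as an added Python example (not IOS code and not from the original page): one bucket of Bc bytes refilled at the CIR, with conform-action transmit and exceed-action drop. Packet timings and sizes are constructed (time in microseconds, sizes in bytes); unlike the shaper, nothing is queued, so an exceeding packet is dropped on the spot.

```python
"""Single-rate two-color policer, modelled on 'police cir 1000000 bc 1500' with conform-action
transmit / exceed-action drop above.  Added example in Python, not IOS code; the packet
timings are constructed (time in microseconds, sizes in bytes)."""
from typing import List, Tuple

class SingleRateTwoColorPolicer:
    """One bucket holding at most Bc bytes, refilled continuously at CIR (bits/s -> bytes/s).
    A packet conforms if the bucket holds at least its size; otherwise it exceeds.  A policer
    has no queue: the verdict is immediate and an exceeding packet is dropped, not delayed."""

    def __init__(self, cir_bps: int, bc_bytes: int) -> None:
        self.cir_bps = cir_bps
        self.bc = bc_bytes
        self.tokens = float(bc_bytes)   # bucket starts full
        self.last_us = 0
        self.conformed = 0
        self.exceeded = 0

    def police(self, t_us: int, size_bytes: int) -> str:
        if t_us < self.last_us:
            raise ValueError("packets must arrive in time order")
        # refill: elapsed us * CIR bits/s / (8 bits per byte * 1e6 us per s), capped at Bc
        self.tokens = min(self.bc, self.tokens + (t_us - self.last_us) * self.cir_bps / 8_000_000)
        self.last_us = t_us
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            self.conformed += 1
            return "conform"   # conform-action transmit
        self.exceeded += 1
        return "exceed"        # exceed-action drop

def police_trace(cir_bps: int, bc_bytes: int, packets: List[Tuple[int, int]]) -> List[str]:
    """Run a list of (arrival time in us, size in bytes) through a fresh policer."""
    policer = SingleRateTwoColorPolicer(cir_bps, bc_bytes)
    return [policer.police(t, size) for t, size in packets]

if __name__ == "__main__":
    # constructed: 200-byte packets every 1 ms = 1.6 Mbps offered against a 1 Mbps CIR
    verdicts = police_trace(1_000_000, 1500, [(i * 1000, 200) for i in range(50)])
    print(f"Conformed {verdicts.count('conform')} packets, transmit")
    print(f"Exceeded {verdicts.count('exceed')} packets, drop")
```

At 1 Mbps the bucket gains 125 bytes per millisecond, so a 200-byte-per-millisecond stream drains it by 75 bytes a step: the first 18 packets conform on the initial Bc, after which roughly every third packet exceeds, and over 50 packets the counters land at 38 conformed and 12 exceeded, the kind of split the show policy-map output above reports.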