Understanding QoS Features
Let’s look at the various QoS features available to the network administrator to optimize the traffic flows.
Port Trust Attribute and DSCP Map
A port’s configuration includes an implicit trust attribute. Its default setting is to trust the priority marking (CoS) in the 802.1Q header to use internally to the switch for subsequent QoS functions (see the sequence above in Figure 20-3).
In addition to trusting the CoS field, it is possible to trust the DSCP field, when present in a packet. This functionality can be enabled by applying a DSCP map to a port.
A DSCP map specifies the associations between CoS values (called priorities) and DSCP values. These associations are used for queuing and for 802.1Q marking of the IP packets egressing the switch.
NetVisor OS supports interoperable DSCP-based markings:
- A DSCP value range from 0 to 63.
- Standard differentiated services definition: these values are used by different vendors to facilitate common QoS levels.
- Class selector code points (CS1 through CS7) are backwards compatible with IP Precedence values in the TOS field.
- Assured Forwarding (AF) code points have 4 priority classes, each class has three code points indicating the drop precedence:
- Class1: AF11/12/13 (DSCP 10, 12, 14)
- Class2: AF21/22/23 (DSCP 18, 20, 22)
- Class3: AF31/32/33 (DSCP 26, 28, 30)
- Class4: AF41/42/43 (DSCP 34, 36, 38)
- DSCP (and IP Precedence) 0 corresponds to the best effort behavior
- DSCP 46 is the Expedited Forwarding (EF) code point, indicating critical traffic.
Policing (Rate Limiting)
Policing is the function of limiting the speed of the forwarded traffic.
NetVisor OS leverages vFlow policies to select the subset of the traffic to apply a maximum forwarding rate to. It supports the token bucket algorithm to implement the rate metering and limiting function. The maximum rate is called bw-max and is expressed in bps. It can be in a range between 0 and 40 Gbps.
Policing can be configured with a vFlow policy on a per-port basis or on a per-VLAN basis.
Per-port policers can be applied to traffic ingressing (in-port) or egressing (out-port) a switch port. VLAN-based policers instead apply to the aggregate of the traffic from all the ports in a certain VLAN.
Other filtering parameters that can be used in a vFlow policy to apply even more granular policing include: DSCP or TOS field, source and/or destination MAC address, source and/or destination IP address, source and/or destination L4 port, etc.
For more information on vFlow policies, refer to the Configuring and Using vFlows chapter.
With a plain rate limiter, traffic that exceeds a specified threshold is dropped. However, this action is not very TCP-friendly, and in general it could be undesirable in certain circumstances. For example, it may be desirable for certain protocols to allow traffic bursting for optimal performance, even if a burst may temporarily exceed the configured rate.
Therefore, NetVisor OS supports policing by using the popular token bucket algorithm, which includes both a maximum rate and a token bucket size (burst size). This allows for TCP traffic bursts up to the maximum configured size, and therefore it can make a host TCP stack’s behavior less “jittery” in case of traffic speeds being capped by the switch hardware.
Limiting traffic speeds in hardware (i.e., without any software overhead) can be used as a security measure too, typically to protect devices from Denial of Service (DoS) attacks (for specific destinations) or from potentially misbehaving sources. This security strategy can be critical to guarantee a deterministic behavior for devices that are particularly vulnerable to overloads or for mission critical ones that need to optimize their CPU utilization.
Of all the mission-critical entities in a network, the switch control planes play a very important role as they guarantee the stability and assist with the redundancy of the entire network. QoS is of great importance for the protection of the control plane and therefore historically network device vendors have created special QoS-based features to ensure network robustness and stability. As a case in point, NetVisor OS supports the Control Plane Traffic Protection (CPTP) feature.
For more information on the CPTP feature, refer to the Configuring Control Plane Traffic Protection (CPTP) section of the Configuring Network Security chapter.
Traffic remarking is a useful hardware forwarding capability to change the prioritization of the traffic downstream. By default, forwarded traffic is not remarked (in other words, the QoS fields of the packets are not modified) but a policy can be configured to implement that.
In vFlow policies, along with forwarding actions (such as copy-to-port or setvlan), NetVisor OS also supports the set-dscp action that can be used to remark the traffic while not modifying its egress queuing. This is useful to signal to a downstream device that traffic should be treated differently based on the remarked DSCP value (for example, with a lower priority compared to the original one, according to the network administrator’s requirements). As a matter of fact, it is not uncommon that host devices and network devices may not agree on the QoS markings to use. Or even different sections of the network, managed by different entities, may not have a complete agreement on the QoS markings to use. So remarking the traffic is used to apply the appropriate re-classification, when needed.
In addition, for example for non-IP traffic, it is possible to remark the frames by changing the priority/CoS field with the set-vlan-pri action.
In addition to set-dscp, NetVisor OS supports the dscp-map action to modify the egress port queuing based on the chosen remarked DSCP value. This type of action enables the administrator to select a different egress priority for the remarked traffic (for example, a lower priority compared to the original one).
To apply the CoS/DSCP association on an egress port basis, NetVisor OS supports the dscp-map parameter in the port-config-modify command. The DSCP map associates each CoS value to one or more DSCP values: hence, for each remarked DSCP value in a forwarded IP packet the egress queue can be selected by the hardware based on the associated CoS value.
Queue Scheduling and Shaping
NetVisor OS supports the Weighted Round Robin (WRR) algorithm for traffic scheduling. On egress ports eight queues are available to schedule traffic to, based on the packets’ CoS values. Network administrators can specify a minimum guaranteed bandwidth parameter, called min-bw-guarantee, as a percentage for each queue. They can also specify a per-queue scheduling weight (a value between 1 and 127) that is used by the hardware after the bandwidth guarantee is met. The queue number is referred to as “cos”.
In addition to specifying a minimum bandwidth guarantee, it is also possible to configure a maximum bandwidth limit parameter, called max-bw-limit, on a per queue basis. This function is called shaping: it buffers the traffic that exceeds the configured limit up to the capacity of the queue.
Strict Priority Queue
As discussed above, NetVisor OS supports the WRR algorithm to schedule traffic out of port queues. However, traffic that is highly latency-sensitive and jitter-sensitive may not always work well with this type of scheduling, even when high weights are allocated to it. Therefore, for this kind of traffic, a special case (equivalent to an infinite weight) is supported and is called strict priority: NetVisor OS supports the weight priority queue configuration to enable special traffic to be scheduled for forwarding as soon as it’s queued. This configuration minimizes forwarding latency and jitter, but it’s generally reserved to low bandwidth protocols (for example, VoIP) that cannot monopolize the entire bandwidth of the port.