ONT Notes – Classification, Marking, and NBAR


Here’s another set of notes from my ONT studies.  I’m sure someone will find it useful.  Please help to correct dumbass mistakes.

  • Classification is done with traffic descriptors

    • Ingress interface
    • CoS value on ISL or 802.1P frames
    • Source/destination IP address
    • IP Precedence or DSCP value
    • MPLS EXP
    • Application type
  • Layer 3 QoS

    • Type of Service (ToS) is 8-bit field.
    • First 3 bits of ToS are the IP precedence.
    • First 6 bits of ToS are the DSCP value.
    • Last 2 bits of ToS are explicit congestion notification (ECN).
  • Layer 2 QoS

    • Ethernet
      • Class of Service (CoS)
      • On 802.1P frame
      • 3-bit priority (PRI) field
        • 000 - Routine - Best-effort
        • 001 - Priority - Medium priority
        • 010 - Immediate - High priority
        • 011 - Flash - Call signaling
        • 100 - Flash-Override - Video conferencing
        • 101 - Critical - Voice bearer
        • 110 - Internet - Reserved
        • 111 - Network - Reserved
    • Frame Relay
      • 1-bit discard eligible (DE) field
    • ATM
      • 1-bit cell loss priority (CLP) field
    • MPLS (layer 2 1/2)
      • 3-bit experimental (EXP) field
      • By default, the 3 most significant ToS bits (IP Precedence bits) are copied to EXP
  • Per-hop Behavior (PHB)

    • “an externally observable forwarding behavior of a network node toward a group of IP packets that have the same DSCP value”
    • In other words, treat packets with the same DSCP value in the same manner - scheduling, queuing, policing, etc.
    • Behavior aggregate (BA) is a group of packets with the same DSCP value
  • DSCP

    • DSCP is chopped up into 4 PHBs

      • Class selector PHB - (000) old IP precedence compatibility
      • Default PHB - (000) best effort
      • Assured forwarding (AF) PHB - (001, 010, 011, 100) guarantee bandwidth
        • Provides 4 queues for 4 classes of traffic (AF1-4)
        • Also specifies drop preference (e.g., AF41, AF13) where the second number is the drop preference (higher is more likely to be dropped)
        • Each queue must have (W)RED to avoid drops
        • No queue is any better than the other
        • Backward compatible with IP precedence
      • Expedited forwarding (EF) PHB - (101) low delay - Minimum delay - Bandwidth guarantee - Policing
  • Trust boundaries

    • Establish DSCP values as close to the source as possible
      • On the device (IP phone), access switch, or distribution switch
      • The core should never assign DSCP values
    • Only trust DSCP values from devices you trust
    • Examine and rewrite values from untrusted sources
  • Network-based Application Recognition (NBAR)

    • Protocol discovery - discovers what protocols you’re running on your network
    • Traffic statistics collection - keeps track of stats on each protocol
    • Traffic classification - NBAR protocols can be used in class-maps to define the traffic to be serviced
    • Packet description language models (PDLMs) - table of what protocols NBAR recognizes
    • Limitations
      • Doesn’t work on EtherChannel interfaces
      • Only handles 24 URLs, hosts, or MIME types
      • Only analyzes first 400 bytes of the packets
      • Requires CEF
      • Doesn’t work on HTTPS, multicasts, or fragments
      • Ignores traffic destined for the router itself
    • NBAR commands
      • Router(config)# ip nbar pdlm pdlm-name : Update the PDLM table
      • Router(config)# ip nbar port-map protocol-name [tcp|udp] port-number : Adds an entry to the PDLM table
      • Router# show ip nbar port-map protocol-name : Shows what’s in the PDLM table
      • Router# show ip nbar protocol-discovery : Shows what’s been discovered
      • Router(config-cmap)# match protocol name : a class-map match for an NBAR-discovered protocol
    • Special protocol matching
      • Can match beyond the port number with deep packet inspection
      • Matches HTTP hostname, URL, or MIME type
      • Matches fast-track P2P
      • Matches RTP content
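The Layer 3 QoS, DSCP/PHB, and trust-boundary sections above all come down to reading and rewriting one byte of the IPv4 header. The decoder below is an added example (not from the original notes or from Cisco): it splits the ToS byte into IP precedence, DSCP, and ECN, names the PHB the DSCP selects (Default, CSx, AFxy, EF) using the standard DiffServ codepoint layout, builds an AFxy codepoint from its class and drop preference, and models the trust-boundary rule by clearing the DSCP on packets from untrusted ports. The function names and the sample IPv4 header are my own constructions.

```python
"""Decode the IPv4 ToS byte into IP precedence, DSCP, ECN and the DiffServ PHB.

Added example for these notes, not code from the original post or from Cisco.
PHB layout assumed (standard DiffServ): Default = 000000, Class Selector =
xxx000, AF = class 1-4 in the high 3 bits with drop preference 1-3 in the next
2 bits, EF = 101110. The sample header below is constructed, not captured.
"""

from dataclasses import dataclass

EF_DSCP = 0b101110  # DSCP 46


@dataclass(frozen=True)
class TosFields:
    tos: int
    precedence: int  # high 3 bits; also what MPLS copies into EXP by default
    dscp: int        # high 6 bits
    ecn: int         # low 2 bits
    phb: str         # e.g. "Default", "CS5", "AF41", "EF"


def phb_name(dscp: int) -> str:
    """Map a 6-bit DSCP value to the name of the PHB it selects."""
    if not 0 <= dscp <= 63:
        raise ValueError(f"DSCP out of range: {dscp}")
    if dscp == 0:
        return "Default"
    if dscp == EF_DSCP:
        return "EF"
    hi3, lo3 = dscp >> 3, dscp & 0b111
    if lo3 == 0:
        return f"CS{hi3}"                 # class selector: IP precedence compatibility
    drop = lo3 >> 1                       # bits 2-1 of the DSCP carry drop preference
    if 1 <= hi3 <= 4 and 1 <= drop <= 3 and (lo3 & 1) == 0:
        return f"AF{hi3}{drop}"           # assured forwarding class + drop preference
    return f"DSCP{dscp}"                  # experimental / local-use codepoint


def decode_tos(tos: int) -> TosFields:
    """Split a ToS byte (0-255) into precedence, DSCP and ECN."""
    if not 0 <= tos <= 255:
        raise ValueError(f"ToS out of range: {tos}")
    dscp = tos >> 2
    return TosFields(tos=tos, precedence=tos >> 5, dscp=dscp,
                     ecn=tos & 0b11, phb=phb_name(dscp))


def af_dscp(af_class: int, drop: int) -> int:
    """Build the DSCP for AFxy: class in the high 3 bits, drop preference in bits 2-1."""
    if not (1 <= af_class <= 4 and 1 <= drop <= 3):
        raise ValueError("AF class must be 1-4 and drop preference 1-3")
    return (af_class << 3) | (drop << 1)


def decode_ipv4_header(packet: bytes) -> TosFields:
    """Pull the ToS byte (offset 1) out of a raw IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return decode_tos(packet[1])


def enforce_trust_boundary(tos: int, trusted_port: bool) -> int:
    """Trust-boundary rule from the notes: keep DSCP from a trusted port,
    rewrite anything from an untrusted port to Default (DSCP 0), leaving ECN alone."""
    return tos if trusted_port else tos & 0b11


# Constructed 20-byte IPv4 header: version/IHL 0x45, ToS 0xB8 (DSCP 46 = EF), rest zero.
SAMPLE_EF_HEADER = b"\x45\xb8" + b"\x00" * 18

if __name__ == "__main__":
    for tos in (0x00, 0x88, 0xB8, 0xA0, 0x03):
        print(decode_tos(tos))
    print(decode_ipv4_header(SAMPLE_EF_HEADER).phb)
    print(hex(enforce_trust_boundary(0xB8, trusted_port=False)))
```

Running it on an untrusted-port packet marked EF shows the DSCP cleared while the ECN bits survive, which is the rewrite step the trust-boundary notes describe; decoding 0x88 gives AF41 (class 4, drop preference 1), matching the AF naming scheme above.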
