This chapter provides information on security QoS used to control firewall traffic that is extracted to the CSM for examination. It also provides information about configuring security queue QoS policies using the command line interface.
Topics in this chapter include:
When a security zone, security profile, and policies are configured for security sessions on the 7705 SAR, data packets entering and leaving the zone are extracted, if required, from the datapath to the CSM for examination. QoS is applied on these packets to control the amount of traffic being extracted to the CSM. For information about requirements for packet extraction to the CSM, refer to “Security Session Creation” in the 7705 SAR Router Configuration Guide.
When security parameters are configured, data packets entering or leaving a zone are extracted from the datapath to the CSM for examination. Extracted Application Level Gateway (ALG) TFTP/FTP or strict TCP data packets are placed into access or network security data queues. The rate of traffic scheduled through these access and network security queues is controlled by security queue QoS policies (see Security Queue QoS Policies for information).
Non-ALG and non-strict TCP datapath traffic that is extracted from the datapath for CSM security examination is extracted into a security control queue that has one queue per security zone.
In order to limit the aggregate datapath traffic being extracted to the CSM via the access/network security queues and all the security control queues (one per zone), a security-aggregate-rate shaper can be configured, which defaults to a rate of 50 Mb/s. For information about configuring the security-aggregate-rate shaper, refer to the 7705 SAR Interface Configuration Guide, “Adapter Card Commands”.
Traffic that is permitted through the firewall is forwarded across the datapath using datapath traffic management.
In a multi-chassis configuration, the slave router has the same security configuration as the master. When the slave router receives datapath packets that are entering or leaving a security zone, the data packets are extracted into the same access or network data queues and security control queues that exist on the master. However, the data packets that are extracted must be processed by the master firewall security engine. The slave sends these extracted data packets to the master over the multi-chassis link (MCL).
The access queues, network data queues, and security control queues used on the slave have QoS configurations that control the traffic rate from the slave to the master. These QoS configurations on the slave, specifically the security queue QoS policies and the aggregate shaping rate, should be configured identically on the master. For information, see Security Queue QoS Policies; for information on configuring the security-aggregate-rate command, refer to the 7705 SAR Interface Configuration Guide, “Adapter Card Commands”.
The extracted data packets that the master receives from the slave are stored in a multi-chassis firewall queue for extraction to the CSM on the master. To limit the rate of datapath traffic being extracted and sent to the master CSM, this extraction queue is rate-limited to 80 Mb/s. In addition, this extraction queue, along with the security control queues and the access/network security queues, is rate-limited by the security-aggregate-rate command. These QoS settings and configurations make it possible to control the datapath traffic being extracted on the master and slave for firewall security processing.
For ALG TFTP/FTP or strict TCP traffic that egresses one security zone and ingresses a different security zone, every packet must be forwarded to the CSM for processing. To control this traffic to the CSM, the packets are extracted from the data path and queued into either network security data queues or access security data queues. These queues each contain two further queues: expedited (EXP) queues and best-effort (BE) queues. On the 7705 SAR-8 Shelf V2 and 7705 SAR-18, expedited and best-effort queues are created per adapter card.
For further details about zone configuration and firewall session creation, refer to the 7705 SAR Router Configuration Guide, “Configuring Security Parameters”.
By default, packets are assigned to the EXP and BE queues as follows.
However, it is possible to queue packets based on the inner (customer) IP header DSCP marking by using the command config>qos>network>ingress>ler-use-dscp. This is useful where customers have policed bandwidth at the PE and wish to differentiate their own network packets on the access PEs. By enabling the ler-use-dscp command, the following occurs for encrypted VPRN, IPSec, and NGE packets:
For more information, see ler-use-dscp in the Network QoS Policy Command Reference chapter.
This section contains the following topics related to creating security queue policies:
A basic security queue policy must conform to the following rules.
Note: Queue 1 is always best effort and queue 2 is always expedited.
Configuring a security data queue QoS policy is optional. If no security queue QoS policy is explicitly defined, the default security queue QoS parameters are applied.
To create a new security queue policy, define the following:
Use the following CLI syntax to configure a security queue QoS policy:
The following output shows the configuration for SecurityQueue 2:
Table 68 displays the default security queue policy parameter values.
| Parameter | Default Values–Best Effort | Default Values–Expedited |
|---|---|---|
| CBS | 10 kbytes | 40 kbytes |
| High-prio-only | 10 | n/a |
| MBS | 5000 kbytes | 5000 kbytes |
| PIR | 400000 kbytes | 400000 kbytes |
| CIR | 1500 kbytes | 35000 kbytes |
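The following audit helper is an added example, not Nokia's code or CLI. It models a security queue QoS policy as a dict (an assumed layout chosen for this example), fills unspecified parameters from the Table 68 defaults, checks the queue 1/queue 2 rule stated in the note above, and reports where a slave's security queue policies or security-aggregate-rate differ from the master's, which the multi-chassis section requires to be identical.

```python
# Added example (not Nokia's code): audit 7705 SAR security queue QoS policies
# against this page's rules and compare master and slave configurations.
# The dict layout is an assumption made for this example; default values and
# queue roles are taken from Table 68 and the note on queue 1 / queue 2.
DEFAULTS = {  # units as given in Table 68
    1: {"type": "best-effort", "cbs": 10, "high-prio-only": 10,
        "mbs": 5000, "pir": 400000, "cir": 1500},
    2: {"type": "expedited", "cbs": 40, "high-prio-only": None,
        "mbs": 5000, "pir": 400000, "cir": 35000},
}
DEFAULT_AGG_RATE_MBPS = 50  # security-aggregate-rate default given in the text


def expand_policy(policy):
    """Fill unspecified queues and parameters with the Table 68 defaults."""
    return {q: {**d, **policy.get(q, {})} for q, d in DEFAULTS.items()}


def validate_policy(policy):
    """Return rule violations; an empty list means the policy is acceptable."""
    errors = [f"queue {q}: only queues 1 and 2 exist" for q in policy if q not in DEFAULTS]
    full = expand_policy(policy)
    if full[1]["type"] != "best-effort":
        errors.append("queue 1 must be best-effort")
    if full[2]["type"] != "expedited":
        errors.append("queue 2 must be expedited")
    return errors


def compare_nodes(master, slave):
    """Return (policy_id, queue, parameter, master_value, slave_value) mismatches.

    Each node is {"security-aggregate-rate": Mb/s, "policies": {id: policy}}.
    Defaults are expanded first, so an omitted parameter equals an explicit default.
    """
    mismatches = []
    m_rate = master.get("security-aggregate-rate", DEFAULT_AGG_RATE_MBPS)
    s_rate = slave.get("security-aggregate-rate", DEFAULT_AGG_RATE_MBPS)
    if m_rate != s_rate:
        mismatches.append(("security-aggregate-rate", None, "rate", m_rate, s_rate))
    for pid in sorted(set(master["policies"]) | set(slave["policies"])):
        if pid not in master["policies"] or pid not in slave["policies"]:
            mismatches.append((pid, None, "present", pid in master["policies"], pid in slave["policies"]))
            continue
        m, s = expand_policy(master["policies"][pid]), expand_policy(slave["policies"][pid])
        for q in DEFAULTS:
            for p in DEFAULTS[q]:
                if m[q][p] != s[q][p]:
                    mismatches.append((pid, q, p, m[q][p], s[q][p]))
    return mismatches
```

Run `compare_nodes` over the master's and slave's exported policies before enabling the multi-chassis link; any non-empty result marks a queue whose slave-to-master rate will differ from what the master expects.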
This section describes the following service management tasks:
Use the following CLI syntax to delete a security queue QoS policy:
You can copy an existing security queue QoS policy, rename it with a new policy ID value, or overwrite an existing policy ID. If the destination policy ID already exists, the overwrite option must be specified or an error occurs.
Use the following syntax to overwrite an existing security queue QoS policy.
You can change existing policies and entries in the CLI. The changes are applied immediately to all queues where this policy is applied. To prevent configuration errors, copy the policy to a work area, make the edits, and then write over the original policy.