11. Security Queue QoS Policies

This chapter provides information to configure security queue QoS policies using the command line interface.

Topics in this chapter include:

  1. Overview
  2. Basic Configuration
  3. Service Management Tasks

11.1. Overview

When a security zone and its corresponding security profile and policies have been configured for security sessions on the 7705 SAR, data packets entering the zone are extracted from the datapath to the CSM for examination. Two sets of queues carry extracted packets from the datapath to the CSM: network queues and access queues. Each set contains two further queues: an expedited (EXP) queue and a best-effort (BE) queue. The EXP and BE queues are used only by security sessions that require all firewall processing to occur in the CSM, such as security sessions configured with strict TCP. On the 7705 SAR-8 and 7705 SAR-18, the EXP and BE queues are created per MDA. Security sessions that use the datapath for firewall processing use the usual datapath queues.

For further details about zone configuration and firewall session creation, refer to the 7705 SAR Router Configuration Guide, “Configuring Security Parameters”.

11.1.1. Packet Queuing with DSCP

By default, packets are assigned to the EXP and BE queues as follows.

  1. For the base router context, packets are assigned to the EXP and BE queues based on the DSCP marking in the packet IP header.
  2. For the VPRN or IPSec context, packets are assigned to the EXP and BE queues based on the marking of the outer tunnel header: the MPLS EXP bits for Layer 3 MPLS VPRNs, and the DSCP marking for IPSec or Layer 3 GRE VPRNs.

However, packets can instead be queued based on the inner (customer) IP header DSCP marking by using the config>qos>network>ingress>ler-use-dscp command. This is useful where customers have policed bandwidth at the PE and wish to differentiate their own traffic on the access PEs. With ler-use-dscp enabled, the following occurs for encrypted VPRN, IPSec, and NGE packets:

  1. packets are queued in the encryption queues based on the outer tunnel MPLS EXP bits or the IPSec/GRE DSCP marking
  2. after decryption, packets are queued, in either the firewall datapath queues or the regular datapath queues, based on the inner (customer) IP header DSCP marking

For more information, see ler-use-dscp in the Network QoS Policy Command Reference chapter.

11.2. Basic Configuration

This section contains the following topics related to creating security queue policies:

  1. Creating a Security Queue QoS Policy
  2. Default Security Queue Policy Parameter Values

A basic security queue policy must conform to the following rules.

  1. Each security queue policy must have a unique policy ID.
  2. Default values can be modified but parameters cannot be deleted.

Note: Queue 1 is always best effort and queue 2 is always expedited.

11.2.1. Creating a Security Queue QoS Policy

Configuring a security queue QoS policy is optional. If no security queue QoS policy is explicitly defined, the default security queue QoS parameters are applied.

To create a new security queue policy, define the following:

  1. a security queue policy identifier — the system does not dynamically assign an identifier
  2. a description — a brief description of the policy

Use the following CLI syntax to configure a security queue QoS policy:

CLI Syntax:
config>qos#
    security-queue policy-id
        description description-string
        queue queue-id
            cbs size
            high-prio-only percent
            mbs size
            rate pir-rate [cir cir-rate]
Example:
*A:ALU-1# configure qos
config>qos# security-queue "SecurityQueue 2" create
config>qos>security-queue$ description "Test1"
config>qos>security-queue$ queue 1
config>qos>security-queue>queue$ cbs 112
config>qos>security-queue>queue$ high-prio-only 25
config>qos>security-queue>queue$ mbs 300 kilobytes
config>qos>security-queue>queue$ rate max cir max
config>qos>security-queue>queue$ exit
config>qos>security-queue$ queue 2
config>qos>security-queue>queue$ cbs 40
config>qos>security-queue>queue$ mbs 5000
config>qos>security-queue>queue$ rate 400000 cir 35000
config>qos>security-queue>queue$ exit
config>qos>security-queue$ exit
*A:ALU-1#

The following output shows the configuration for SecurityQueue 2:

*A:ALU-1>config>qos# info
#--------------------------------------------------
echo "QoS Policy Configuration"
#--------------------------------------------------
        security-queue "SecurityQueue 2" create
            description "Test1"
            queue 1 best-effort
                rate max cir max
                mbs 300 kilobytes
                cbs 112
                high-prio-only 25
            exit
            queue 2 expedite
                rate 400000 cir 35000
                mbs 5000 kilobytes
                cbs 40
            exit
        exit
#--------------------------------------------------

11.2.2. Default Security Queue Policy Parameter Values

Table 68 displays the default security queue policy parameter values. CBS and MBS are buffer sizes in kbytes; PIR and CIR are rates in kb/s.

Table 68:  Security Queue Parameter Defaults

Parameter        Default Value (Best Effort)   Default Value (Expedited)
CBS              10 kbytes                     40 kbytes
High-prio-only   10%                           n/a
MBS              5000 kbytes                   5000 kbytes
PIR              400000 kb/s                   400000 kb/s
CIR              1500 kb/s                     35000 kb/s
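The procedure in 11.2.1 and the defaults in Table 68, as an added example that is not part of the guide: a small Python model that overlays the Table 68 defaults on whatever a policy leaves unset, enforces the rules from 11.2 (only queues 1 and 2 exist, queue 1 is best-effort and queue 2 expedite, high-prio-only is n/a on the expedited queue), adds two sanity checks of its own that the guide does not state (CIR not above PIR, CBS not above MBS), and renders the policy in the layout that info prints. Every class and function name here is this example's own, not a 7705 SAR CLI or API name; only the CLI keywords and default values come from the page.

```python
"""Model, validate and render 7705 SAR security-queue QoS policies.

Added example, not from the Nokia guide: class and function names are this
example's own. CLI keywords, queue roles and Table 68 defaults are the page's.
CBS/MBS are in kbytes; PIR/CIR are in kb/s or the keyword "max".
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

Rate = Union[int, str]  # integer kb/s or "max"

# Table 68 defaults, keyed by queue ID. Queue 1 is always BE, queue 2 always EXP.
DEFAULTS: Dict[int, dict] = {
    1: dict(role="best-effort", cbs=10, mbs=5000, pir=400000, cir=1500, hpo=10),
    2: dict(role="expedite", cbs=40, mbs=5000, pir=400000, cir=35000, hpo=None),
}
_ATTR_TO_KEY = dict(cbs="cbs", mbs="mbs", pir="pir", cir="cir", high_prio_only="hpo")


def _kbps(rate: Rate) -> float:
    return float("inf") if rate == "max" else float(rate)  # "max" sorts above any integer


@dataclass
class SecurityQueue:
    """One queue of a policy. None means 'leave the Table 68 default in place'."""
    queue_id: int
    cbs: Optional[int] = None
    mbs: Optional[int] = None
    pir: Optional[Rate] = None
    cir: Optional[Rate] = None
    high_prio_only: Optional[int] = None

    def effective(self) -> dict:
        """Table 68 defaults overlaid with whatever was configured explicitly."""
        eff = dict(DEFAULTS[self.queue_id])
        eff.update({key: getattr(self, attr) for attr, key in _ATTR_TO_KEY.items()
                    if getattr(self, attr) is not None})
        return eff

    def problems(self) -> List[str]:
        """Rule violations; an empty list means the queue is acceptable."""
        if self.queue_id not in DEFAULTS:
            return [f"queue {self.queue_id}: only queue 1 (BE) and queue 2 (EXP) exist"]
        out, eff = [], self.effective()
        if self.queue_id == 2 and self.high_prio_only is not None:
            out.append("queue 2: high-prio-only is n/a on the expedited queue")
        if eff["hpo"] is not None and not 0 <= eff["hpo"] <= 100:
            out.append("queue 1: high-prio-only must be a percentage 0-100")
        # Two sanity checks of this example's own, not rules the guide states:
        if _kbps(eff["cir"]) > _kbps(eff["pir"]):
            out.append(f"queue {self.queue_id}: cir {eff['cir']} exceeds pir {eff['pir']}")
        if eff["cbs"] > eff["mbs"]:
            out.append(f"queue {self.queue_id}: cbs {eff['cbs']} exceeds mbs {eff['mbs']} kbytes")
        return out

    def render(self) -> List[str]:
        """CLI lines in the 'info' output order: rate, mbs, cbs, high-prio-only."""
        lines = [f"queue {self.queue_id} {DEFAULTS[self.queue_id]['role']}"]
        if self.pir is not None or self.cir is not None:
            cir = f" cir {self.cir}" if self.cir is not None else ""
            lines.append(f"    rate {self.effective()['pir']}{cir}")
        if self.mbs is not None:
            lines.append(f"    mbs {self.mbs} kilobytes")
        if self.cbs is not None:
            lines.append(f"    cbs {self.cbs}")
        if self.high_prio_only is not None:
            lines.append(f"    high-prio-only {self.high_prio_only}")
        return lines + ["exit"]


@dataclass
class SecurityQueuePolicy:
    policy_id: str  # the system does not assign IDs, so the caller must supply one
    description: str = ""
    queues: Dict[int, SecurityQueue] = field(default_factory=dict)

    def queue(self, q: SecurityQueue) -> "SecurityQueuePolicy":
        if q.problems():
            raise ValueError("; ".join(q.problems()))
        self.queues[q.queue_id] = q
        return self

    def render(self) -> str:
        """The config>qos block, in the layout 'info' prints."""
        out = [f'security-queue "{self.policy_id}" create']
        if self.description:
            out.append(f'    description "{self.description}"')
        for qid in sorted(self.queues):
            out += ["    " + line for line in self.queues[qid].render()]
        return "\n".join(out + ["exit"])


def build_example() -> SecurityQueuePolicy:
    """The guide's 'SecurityQueue 2' policy, built through the model."""
    return (SecurityQueuePolicy("SecurityQueue 2", "Test1")
            .queue(SecurityQueue(1, cbs=112, high_prio_only=25, mbs=300, pir="max", cir="max"))
            .queue(SecurityQueue(2, cbs=40, mbs=5000, pir=400000, cir=35000)))
```

`print(build_example().render())` reproduces the SecurityQueue 2 block shown in 11.2.1. Leaving a field as None and reading it back through effective() is what rule 2 of 11.2 means in practice: a default can be overridden but never removed, so every queue always has a complete parameter set.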

11.3. Service Management Tasks

This section describes the following service management tasks:

  1. Deleting QoS Policies
  2. Copying and Overwriting QoS Policies
  3. Editing QoS Policies

11.3.1. Deleting QoS Policies

Use the following CLI syntax to delete a security queue QoS policy. A policy ID that contains spaces must be quoted.

CLI Syntax:
config>qos# no security-queue policy-id
Example:
config>qos# no security-queue "SecurityQueue 2"

11.3.2. Copying and Overwriting QoS Policies

You can copy an existing security queue QoS policy, rename it with a new policy ID, or overwrite an existing policy ID. If the destination policy ID already exists, the overwrite option must be specified or the copy fails with an error.

Use the following syntax to overwrite an existing security queue QoS policy.

CLI Syntax:
config>qos# copy security-queue source-policy-id dest-policy-id [overwrite]
Example:
*A:ALU-1>config>qos# copy security-queue SecurityQueue1 SecurityQueue2 overwrite
config>qos# exit
*A:ALU-1#

11.3.3. Editing QoS Policies

You can change existing policies and entries in the CLI. Changes are applied immediately to every queue where the policy is applied, so a mistaken edit takes effect on live traffic at once. To reduce that risk, copy the policy to a work area, make the edits there, and then copy it back over the original policy using the overwrite option.