3. Network QoS Policies
3.1. In This Section
This section provides information about configuring network QoS policies using the CLI.
Topics in this section include:
3.2. Network QoS Policies Overview
The ingress component of the policy defines how DiffServ code points (DSCPs) and MPLS EXP bits are mapped to internal forwarding class and profile state. The forwarding class and profile state define the Per Hop Behavior (PHB) or the QoS treatment through the router. The mapping on each network interface defaults to the mappings defined in the default network QoS policy until an explicit policy is defined for the network interface.
The egress component of the network QoS policy defines the DiffServ oriented queuing parameters associated with each forwarding class.
Each forwarding class defined within the system automatically creates a queue on each network interface. This queue gets all the parameters defined within the default network QoS policy 1 until an explicit policy is defined for the network interface.
If the egressing packet originated on an ingress SAP, or the remarking parameter is defined for the egress interface, the egress QoS policy also defines the IP DSCP or MPLS EXP bit marking based on the forwarding class and the profile state.
Network policy-id 1 exists as the default policy that is applied to all network interfaces by default. The network policy-id 1 cannot be modified or deleted. It defines the default DSCP-to-FC mapping and MPLS EXP-to-FC for the ingress. For the egress, it defines six forwarding classes then represent individual queues and the packet marking criteria.
New (non-default) network policy parameters can be modified. The no form of the command reverts the object to the default values. A new network policy must include the definition of at least one queue and specify the default-action. Incomplete network policies cannot be applied to network interfaces.
Changes made to a policy are applied immediately to all network interface where the policy is applied. For this reason, when a policy requires several changes, it is recommended that you copy the policy to a work area policy-id. The work-in-progress copy can be modified until all the changes are made then the original policy-id can be overwritten with the config qos copy command.
For information about the tasks and commands necessary to access the CLI and to configure and maintain your router devices, refer to CLI Usage chapter in the Basic System Configuration Guide.
3.3. Network Ingress Tunnel QoS Override
3.3.1. Override For Tunnel Terminated IP Routing Decisions
This section describes a mechanism that provides the ability to ignore the network ingress QoS mapping of a terminated tunnel containing an IP packet that is to be routed to a base router or VPRN destination. This is advantageous when the mapping for the tunnel QoS marking does not accurately or completely reflect the required QoS handling for the IP routed packet. When the mechanism is enabled on an ingress network IP interface, the IP interface will ignore the tunnel’s QoS mapping and derive the internal forwarding class and profile based on the precedence or DiffServe Code Point (DSCP) values within the routed IP header ToS field compared to the Network QoS policy defined on the IP interface.
3.3.1.1. Normal QoS Operation
The following types of QoS mapping decisions are applicable on a network ingress IP interface.
- Ethernet dot1p value mapping (if defined)
- Default QoS mapping
- IP ToS precedence mapping
- IP ToS DSCP mapping
- MPLS LSP EXP mapping
The default QoS mapping always exists on an ingress IP interface and every received packet will be mapped to this default if another explicitly defined matching entry does not exist.
A tunnel that terminates on the ingress IP interface (the node is the last hop for the tunnel) is evaluated based on the type of tunnel, IP GRE or MPLS LSP. An IP tunneled packet may match a dot1p entry, IP ToS precedence entry or IP ToS DSCP entry when defined in the applied policy. An MPLS LSP may match a dot1p entry or MPLS EXP entry when defined.
The internal tunnel encapsulated packet is never evaluated for QoS determination when operating in normal mode.
3.3.1.2. Network Ingress IP Match Criteria
IP match criteria classification is supported in the ingress section of a network QoS policy.
The classification only applies to the outer IPv4 header of non-tunneled traffic, consequently the use of an ip-criteria statement in a network QoS policy is ignored for received traffic when the network QoS policy is applied on the ingress network IP interface in the following cases:
- Mesh SDPs in VPLS services
- Spoke SDPs in VPLS and Xpipe services
- Spoke SDP under an IP interface in an IES or VPRN service
- Spoke SDPs in a VPRN service
- Automatically created bindings using the auto-bind-tunnel command in a VPRN service
- IPv6 over IPv4 tunnels
- VXLAN bindings (egress VTEP, VNI)
The only exception is for traffic received on a Draft Rosen tunnel for then classification on the outer IP header only is supported.
Attempting to apply a network QoS policy containing an ip-criteria statement to any object except a network IP interface will result in an error.
An example configuration is shown below:
3.3.1.3. Network Ingress IPv6 Match Criteria
IPv6 match criteria classification is supported in the ingress section of a network QoS policy.
The classification only applies to the outer IPv6 header of non-tunneled traffic, consequently the use of an ipv6-criteria statement in a network QoS policy is ignored for received traffic when the network QoS policy is applied on the ingress network IP interface in the following cases:
- Mesh SDPs in VPLS services
- Spoke SDPs in VPLS and Xpipe services
- Spoke SDP under an IP interface in an IES or VPRN service
- Spoke SDPs in a VPRN service
- Automatically created bindings using the auto-bind-tunnel command in a VPRN service
- IPv6 over IPv4 tunnels
- VXLAN bindings (egress VTEP, VNI)
Attempting to apply a network QoS policy containing an ipv6-criteria statement to any object except a network IP interface will result in an error.
An example configuration is shown below:
3.3.1.4. Tunnel Termination QoS Override Operation
Tunnel termination QoS override only applies to IP routing decisions once the tunnel encapsulation is removed. Non-IP routed packets within a terminating tunnel are ignored by the override and are forwarded as described in the Normal QoS Operation section.
When tunnel termination QoS override is enabled, the ToS field within the routed IP header is evaluated against the IP ToS precedence and DSCP entries in the applied network QoS policy on the ingress IP interface. If an explicit match entry is not found, the default QoS mapping is used. Any dot1p and MPLS LSP EXP bits within the packet are ignored. If the packet was IP GRE tunneled to the node, the tunnel IP header ToS field is ignored as well.
Any tunnel received on the ingress IP interface that traverses the node (the node is not the ultimate hop for the tunnel) is not affected by the QoS override mechanism and is forwarded as described in Normal QoS Operation section.
3.3.1.5. Enabling and Disabling Tunnel Termination QoS Override
Tunnel termination QoS override is enabled and disabled within the network QoS policy under the ingress node. The default condition within the policy is not to override tunnel QoS for IP routed packets.
3.3.2. QoS for Self-Generated (CPU) Traffic on Network Interfaces
Differentiated services code point (DSCP), forwarding class (FC), and IEEE 802.1p values can be specified to be used by protocol packets generated by the node. This enables prioritization or deprioritization of every protocol (as required). The markings effect a change in behavior on ingress when queuing. For example, if OSPF is not enabled, then traffic can be deprioritized to best effort (BE) DSCP. This change deprioritizes OSPF traffic to the CPU complex.
DSCP marking for internally generated control and management traffic should be used for the given application. This can be configured per routing instance. For example, OSPF packets can carry a different DSCP marking for the base instance then for a VPRN service. ARP, IS-IS, and PPPoE are not IP protocols, so only 802.1p values can be configured.
The DSCP value can be set per application. When an application is configured to use a specified DSCP value, the 802.1p and MPLS EXP bits will be marked in accordance with the network (default 802.1p value of 7) or access (default 802.1p value of 0) egress policy as it applies to the logical interface the packet will be egressing.
The configuration of self-generated QoS is supported in the base router, VPRN, and management contexts.
The default values for self-generated traffic on network interfaces are:
- Routing protocols (OSPF, BGP, etc.)
- Forwarding class: Network Control (NC)
- DSCP value: NC1 (not applicable for ARP, IS-IS, and PPPoE)
- 802.1p value: according to the egress QoS policy (7 by default)
- Management protocols (SSH, SNMP, etc.)
- Forwarding class: Network Control (NC)
- DSCP value: AF41
- 802.1p value: according to the egress QoS policy (7 by default)
Table 19: Default QoS Values for Self-Generated Traffic
Protocol | DSCP | FC |
ARP | N/A | NC |
BFD | NC1 | NC |
BGP | NC1 | NC |
Cflowd | NC1 | NC |
DHCP | NC1 | NC |
Diameter | AF41 | NC |
DNS | AF41 | NC |
FTP | AF41 | NC |
GTP | NC2 | NC |
ICMP/ICMPv6 | BE | NC |
IGMP | NC1 | NC |
IS-IS | N/A | NC |
L2TP | NC1 | NC |
LDP | NC1 | NC |
MLD | NC1 | NC |
MSDP | NC1 | NC |
Neighbor Discovery (NDIS) RS/RA/NS/NA | NC2 | NC |
NTP/SNTP | NC1 | NC |
OSPF | NC1 | NC |
PCEP | NC1 | NC |
PIM | NC1 | NC |
PPPoE | N/A | NC |
PTP | NC1 | NC |
RADIUS | AF41 | NC |
RIP | NC1 | NC |
RSVP | NC1 | NC |
sFlow | NC1 | NC |
SNMP | AF41 | NC |
SRRP | NC1 | NC |
SSH | AF41 | NC |
Syslog | AF41 | NC |
TACACS+ | AF41 | NC |
Telnet | AF41 | NC |
TFTP | AF41 | NC |
Traceroute | BE | NC |
VRRP | NC1 | NC |
 | Note: ICMP echo requests (type 8) and ICMPv6 echo requests (type 128) initiated from the router will use the DSCP value set by the sgt-qos command. The FC value is NC by default, or the value specified in the ping command parameter fc fc-name. |
| Note: Configurable values for BFD are not supported. |
3.3.2.1. Default DSCP Mapping Table
*The default forwarding class mapping is used for all DSCP names/values for then there is no explicit forwarding class mapping.
3.4. Basic Configurations
A basic network QoS policy must conform to the following:
- Each network QoS policy must have a unique policy ID.
- Include the definition of at least one queue.
- Specify the default-action.
3.4.1. Creating a Network QoS Policy
Configuring and applying QoS policies other than the default policy is optional. A default network policy of the appropriate type is applied to each router interface.
To create a network QoS policy when operating, define the following:
- A network policy ID value. The system will not dynamically assign a value.
- Include a description. The description provides a brief overview of policy features.
- You can modify egress criteria to customize the forwarding class queues to be instantiated. Otherwise, the default values are applied.
- Remarking — When enabled, this command remarks all packets that egress on the specified network port. The remarking is based on the forwarding class to DSCP and LSP EXP bit mapping defined under the egress node of the network QoS policy.
- Forwarding class criteria — The forwarding class name represents an egress queue. The forwarding class criteria define the egress characteristics of the queue and the marking criteria of packets flowing through it.
- DE marking — Specifies if the DE bit should be marked based on whether the packet profile is in-profile, inplus-profile, out-of-profile, or exceed-profile.
- dot1p —The dot1p value is used for all VLAN-tagged packets requiring marking that egress on this forwarding class queue, with the option of specifying a different value for packets that are in-profile or out-of-profile. inplus-profile traffic is marked with the same values as in-profile traffic. Exceed-profile traffic is marked with the same values as out-of-profile traffic.
- DSCP — The DSCP value is used for all IP packets requiring marking that egress on this forwarding class queue that are in-profile or out-of-profile. inplus-profile traffic is marked with the same values as in-profile traffic. Exceed-profile traffic is marked with the same values as out-of-profile traffic.
- LSP EXP — The EXP value is used for all MPLS-labeled packets requiring marking that egress on this forwarding class queue that are in-profile or out-of-profile. inplus-profile traffic is marked with the same values as in-profile traffic. Exceed-profile traffic is marked with the same values as out-of-profile traffic.
- Port redirection — Specifies that the traffic should be redirected to a network egress queue group policer or queue.
- DSCP — Creates a mapping between the DSCP of the network egress traffic and the forwarding class and profile. Egress traffic that matches the specified DSCP is assigned to the corresponding forwarding class with the specified profile.
- Prec — Creates a mapping between the IP precedence of the network egress traffic and the forwarding class and profile. Egress traffic that matches the specified IP precedence is assigned to the corresponding forwarding class with the specified profile.
- Ingress criteria — Specifies the DSCP- or dot1p to forwarding class mapping for all IP packets and define the MPLS EXP bits to forwarding class mapping for all labeled packets.
- Default action — Defines the default action to be taken for packets that have an undefined configured classification. The default action specifies the forwarding class and profile to then such packets are assigned.
- dot1p - Creates a mapping between the dot1p of the network ingress traffic and the forwarding class and profile. Ingress traffic that matches the specified dot1p is assigned to the corresponding forwarding class and profile.
- DSCP — Creates a mapping between the DSCP of the network ingress traffic and the forwarding class and profile. Ingress traffic that matches the specified DSCP is assigned to the corresponding forwarding class.
- Forwarding class — The forwarding class name represents an ingress queue.
- IP criteria — Creates a mapping between the possible match criteria of the network ingress traffic and the forwarding class and profile. Ingress traffic that matches the IPv4 criteria is assigned to the corresponding forwarding class and profile.
- IPv6 criteria — Creates a mapping between the possible match criteria of the network ingress traffic and the forwarding class and profile. Ingress traffic that matches the IPv6 criteria is assigned to the corresponding forwarding class and profile.
- LER use DSCP — Specifies that DSCP matching based on the tunneled IP packet should be used on an LER rather than matching on the outer encapsulated header.
- LSP EXP — Creates a mapping between the LSP EXP bits of the network ingress traffic and the forwarding class and profile. Ingress traffic that matches the specified LSP EXP bits is assigned to the corresponding forwarding class and profile.
Use the following CLI syntax to create a network QoS policy:
3.4.2. Applying Network QoS Policies
Use the following CLI syntax to apply network policies to the router access uplink port’s IP interfaces:
The following output displays the configuration for router interface ALA-1-2 with network policy 600 applied to the interface.
3.4.3. Default Network QoS Policy Values
The default network policy for IP interfaces is identified as policy-id 1. Default policies cannot be modified or deleted. The following displays default network policy parameters:
Table 20: Network Policy Defaults
Field | Default | ||||
description | Default network QoS policy. | ||||
scope | template | ||||
ingress | |||||
default-action | fc be profile out | ||||
dscp | |||||
be | fc be | profile out | |||
ef | fc ef | profile in | |||
cs1 | fc l2 | profile in | |||
nc1 | fc h1 | profile in | |||
nc2 | fc nc | profile in | |||
af11 | fc af | profile in | |||
af12 | fc af | profile out | |||
af13 | fc af | profile out | |||
af21 | fc l1 | profile in | |||
af22 | fc l1 | profile out | |||
af23 | fc l1 | profile out | |||
af31 | fc l1 | profile in | |||
af32 | fc l1 | profile out | |||
af33 | fc l1 | profile out | |||
af41 | fc h2 | profile in | |||
af42 | fc h2 | profile out | |||
af43 | fc h2 | profile out | |||
lsp-exp | |||||
0 | fc be | profile out | |||
1 | fc l2 | profile in | |||
2 | fc af | profile out | |||
3 | fc af | profile in | |||
4 | fc h2 | profile in | |||
5 | fc ef | profile in | |||
6 | fc h1 | profile in | |||
7 | fc nc | profile in | |||
egress | |||||
remarking | no | ||||
fc af | |||||
dscp-in-profile | af11 | ||||
dscp-out-profile | af12 | ||||
lsp-exp-in-profile | 3 | ||||
lsp-exp-out-profile | 2 | ||||
fc be | |||||
dscp-in-profile | be | ||||
dscp-out-profile | be | ||||
lsp-exp-in-profile | 0 | ||||
lsp-exp-out-profile | 0 | ||||
fc ef | |||||
dscp-in-profile | ef | ||||
dscp-out-profile | ef | ||||
lsp-exp-in-profile | 5 | ||||
lsp-exp-out-profile | 5 | ||||
fc h1 | |||||
dscp-in-profile | nc1 | ||||
dscp-out-profile | nc1 | ||||
lsp-exp-in-profile | 6 | ||||
lsp-exp-out-profile | 6 | ||||
fc h2 | |||||
dscp-in-profile | af41 | ||||
dscp-out-profile | af42 | ||||
lsp-exp-in-profile | 4 | ||||
lsp-exp-out-profile | 4 | ||||
fc l | |||||
dscp-in-profile | af21 | ||||
dscp-out-profile | af22 | ||||
lsp-exp-in-profile | 3 | ||||
lsp-exp-out-profile | 2 | ||||
fc l2 | |||||
dscp-in-profile | cs1 | ||||
dscp-out-profile | cs1 | ||||
lsp-exp-in-profile | 1 | ||||
lsp-exp-out-profile | 1 | ||||
fc nc | |||||
dscp-in-profile | nc2 | ||||
dscp-out-profile | nc2 | ||||
lsp-exp-in-profile | 7 | ||||
lsp-exp-out-profile | 7 | ||||
The following output displays the default configuration:
3.5. Service Management Tasks
3.5.1. Deleting QoS Policies
A network policy is associated by default with router interfaces.
You can replace the default policy with a non-default policy, but you cannot remove default policies from the configuration. When you remove a non-default policy, the policy association reverts to the appropriate default network policy.
The following output displays a sample configuration.
3.5.2. Removing a Policy from the QoS Configuration
To delete a network policy, enter the following commands:
3.5.3. Copying and Overwriting Network Policies
You can copy an existing network policy to a new policy ID value or overwrite an existing policy ID. The overwrite option must be specified or an error occurs if the destination policy ID exists.
The following output displays the copied policies:
3.5.4. Editing QoS Policies
You can change existing policies, except the default policies, and entries in the CLI. The changes are applied immediately to all interfaces where the policy is applied. To prevent configuration errors use the copy command to make a duplicate of the original policy to a work area, make the edits, then overwrite the original policy.