Enterprise QoS Solution Reference Network Design Guide

More documents

Recommendations

Info

Site-to-Site V3PN QoS Considerations 6-18 Figure 6-13 Anti-Replay Operation 69 Outside Window Enterprise QoS Solution Reference Network Design Guide 64-Packet 64 Packet Anti-Replay Sliding Sliding Window Window 68 4 64 65 66 67 3 Anti-Replay Drop Chapter 6 IPSec VPN QoS Design Anti-Replay drops can be eliminated in a pure IPSec tunnel design (no encrypted IP GRE tunnel) by creating separate security associations for voice and data; voice and data packets must match a separate line in the access list referenced by the crypto map. This is implemented easily if the IP phones are addressed by network addresses (such as private RFC 1918 addresses) separate from the workstations. However, if IPSec tunnel mode (with an encrypted IP GRE tunnel) is used for a converged network of voice and data, Anti-Replay drops impact data packets instead of voice packets because the QoS policies prioritize voice over data. Consider the effect of packet loss on a TCP-based application: TCP is connection oriented and incorporates a flow-control mechanism within the protocol. The TCP application cannot see why a packet was dropped. A packet dropped by a service policy on a congested output interface is no different to the application than a packet lost by an Anti-Replay drop. From a network perspective, however, it would be more efficient to drop the packet before sending it over the WAN link (where bandwidth is the most expensive, only to have it dropped by the Anti-Replay mechanism on the receiving IPSec VPN router), but the location or nature of the packet loss is immaterial to the TCP driver. Anti-Replay drops of data traffic flows are usually in the order of 1 percent to 1.5 percent on IPSec VPN links that experience sustained congestion and have queuing engaged (without any additional policy tuning). Output drops on the output WAN interface, however, tend to be few, if any, and certainly are far fewer than those dropped by Anti-Replay. This is because Anti-Replay triggers packet drops more aggressively than the output service policy, which is a function of the size of the output queues and the number of defined classes. By default, each CBWFQ class receives a queue with a length of 64 packets. This can be verified with the show policy interface verification command. Meanwhile, the receiving IPSec peer has a single 64-packet Anti-Replay window (per IPSec Security Association) with which to process all packets from all LLQ and CBWFQ bandwidth classes. So, it stands to reason that the Anti-Replay mechanism on the receiving VPN router will be more aggressive at dropping packets delayed by QoS mechanisms preferential to VoIP than the service policy at the sending router. This is because of the size mismatch of the queue depth on the sender’s output interface (multiple queues of 64 packets each) compared to the width of the receiver’s Anti-Replay window (a single sliding window of 64 packets per SA). As more bandwidth classes are defined in the policy map, this mismatch increases. As mentioned, this is an inefficient use of expensive WAN/VPN bandwidth because packets are transmitted only to be dropped before decryption. The default value of 64 packets per CBWFQ queue is designed to absorb bursts of data traffic and delay rather than drop those packets. This is optimal behavior in a non-IPSec–enabled network. Version 3.3
Chapter 6 IPSec VPN QoS Design Version 3.3 Site-to-Site V3PN QoS Considerations When IPSec authentication is configured (esp-sha-hmac) in the network, the scenario can be improved by reducing the queue limit (max threshold) of the bandwidth classes of the sender’s output service policy so that it becomes more aggressive at dropping packets than buffering or delaying them. Extensive lab testing has shown that such queue-limit tuning can reduce the number of Anti-Replay drops from 1 percent to less than a tenth of percent (< 0.1 percent). This is because decreasing the service policy queue limits causes the sender’s output service policy to become more aggressive in dropping instead of significantly delaying packets (which occurs with large queue depths). This, in turn, decreases the number of Anti-Replay drops. As a rule of thumb, the queue limits should be reduced in descending order of application priority. For example, the queue limit for Scavenger should be set lower than the queue limit for a Transactional Data class, as is shown later in Example 6-3 through Example 6-6. Note In many networks, the default queue limits and IPSec Anti-Replay performance are considered acceptable. A modification of queue-limit values entails side effects on the QoS service policy and related CPU performance. When queue limits are tuned, a careful eye should be kept on CPU levels. Note As of IOS 12.3(14)T another potential remedy to QoS/IPSec Anti-Replay issues became available with the ability to expand or disable the IPSec Anti-Replay window. However it should be kept in mind that the IETF IPSec standards define the Anti-Replay window-sizes to be 64 packets and as such, this would not be a standards-compliant solution. On the other hand, the presented solution of tuning of the QoS queue-limits is fully standards-compliant. Control Plane Provisioning The documentation for IOS feature to allow the expanding or disabling of IPSec Anti-Replay is at: http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_14/gt_iarwe.ht m As discussed in Chapter 3, “WAN Aggregator QoS Design,”, Cisco IOS Software has an internal mechanism for protecting control traffic, such as routing updates, called PAK_priority. PAK_priority marks routing protocols to DSCP CS6, but it currently does not protect IPSec control protocols, such as ISAKMP (UDP port 500). Therefore, it is recommended to provision an explicit CBWFQ bandwidth class for control plane traffic, including ISAKMP, as shown in Example 6-2. Example 6-2 Protecting IPSec Control Plan Traffic ! class-map match-any INTERNETWORK-CONTROL match ip dscp cs6 match access-group name IKE ! References ISAKMP ACL ! ! policy-map V3PN ... class INTERNETWORK-CONTROL bandwidth percent 5 ! Control Plane provisioning ... ! ip access-list extended IKE permit udp any eq isakmp any eq isakmp ! ISAKMP ACL Enterprise QoS Solution Reference Network Design Guide 6-19
Page 1 and 2:
Enterprise QoS Solution Reference N
Page 3 and 4:
Version 3.3 Preface xiii Revision H
Page 5 and 6:
Version 3.3 Enterprise QoS Solution
Page 7 and 8:
Version 3.3 Catalyst 6500 CatOS QoS
Page 9 and 10:
Version 3.3 Cisco Documentation 3-4
Page 11 and 12:
Version 3.3 QoS Baseline (11-Class)
Page 13 and 14:
Version 3.3 Preface Revision Histor
Page 15 and 16:
Preface Version 3.3 Cisco Systems A
Page 17 and 18:
Preface Version 3.3 Obtaining Addit
Page 19 and 20:
QoS Overview What is QoS? Version 3
Page 21 and 22:
Chapter 1 Quality of Service Design
Page 23 and 24:
Page 25 and 26:
Page 27 and 28:
Page 29 and 30:
Page 31 and 32:
Page 33 and 34:
Page 35 and 36:
Page 37 and 38:
Page 39 and 40:
Page 41 and 42:
Page 43 and 44:
Page 45 and 46:
Page 47 and 48:
Page 49 and 50:
Page 51 and 52:
Page 53 and 54:
QoS Design Overview Version 3.3 Cam
Page 55 and 56:
Chapter 2 Campus QoS Design Version
Page 57 and 58:
Chapter 2 Campus QoS Design Call Si
Page 59 and 60:
Chapter 2 Campus QoS Design Trusted
Page 61 and 62:
Page 63 and 64:
Chapter 2 Campus QoS Design Cisco I
Page 65 and 66:
Chapter 2 Campus QoS Design AutoQoS
Page 67 and 68:
Page 69 and 70:
Chapter 2 Campus QoS Design Catalys
Page 71 and 72:
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
Page 79 and 80:
Page 81 and 82:
Chapter 2 Campus QoS Design Figure
Page 83 and 84:
Page 85 and 86:
Page 87 and 88:
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Page 103 and 104:
Page 105 and 106:
Page 107 and 108:
Page 109 and 110:
Page 111 and 112:
Page 113 and 114:
Chapter 2 Campus QoS Design show ml
Page 115 and 116:
Chapter 2 Campus QoS Design Figure
Page 117 and 118:
Page 119 and 120:
Page 121 and 122:
Page 123 and 124:
Page 125 and 126:
Page 127 and 128:
Page 129 and 130:
Page 131 and 132:
Page 133 and 134:
Page 135 and 136:
Page 137 and 138:
Page 139 and 140:
Chapter 2 Campus QoS Design show qo
Page 141 and 142:
Chapter 2 Campus QoS Design show qo
Page 143 and 144:
Page 145 and 146:
Page 147 and 148:
Page 149 and 150:
Page 151 and 152:
Page 153 and 154:
Chapter 2 Campus QoS Design WS-X674
Page 155 and 156:
Chapter 2 Campus QoS Design Configu
Page 157 and 158:
Page 159 and 160:
Page 161 and 162:
Page 163 and 164:
Page 165 and 166:
Page 167 and 168:
Page 169 and 170:
Page 171 and 172:
Page 173 and 174:
Page 175 and 176:
Page 177 and 178:
Chapter 2 Campus QoS Design Referen
Page 179 and 180:
Version 3.3 WAN Aggregator QoS Desi
Page 181 and 182:
Chapter 3 WAN Aggregator QoS Design
Page 183 and 184:
Page 185 and 186:
Page 187 and 188:
Page 189 and 190:
Page 191 and 192:
Page 193 and 194:
Page 195 and 196:
Page 197 and 198:
Page 199 and 200:
Page 201 and 202:
Page 203 and 204:
Page 205 and 206:
Page 207 and 208:
Page 209 and 210:
Page 211 and 212:
Page 213 and 214:
Page 215 and 216:
Page 217 and 218:
Page 219 and 220:
Page 221 and 222:
Page 223 and 224:
Page 225 and 226:
Page 227 and 228:
Page 229 and 230:
Version 3.3 Branch Router QoS Desig
Page 231 and 232:
Chapter 4 Branch Router QoS Design
Page 233 and 234:
Page 235 and 236:
Page 237 and 238:
Page 239 and 240:
Page 241 and 242:
Page 243 and 244:
Page 245 and 246:
Page 247 and 248:
Page 249 and 250:
Page 251 and 252:
Page 253 and 254: Version 3.3 MPLS VPN QoS Design CHA
Page 255 and 256: Chapter 5 MPLS VPN QoS Design Versi
Page 257 and 258: Chapter 5 MPLS VPN QoS Design Servi
Page 259 and 260: Chapter 5 MPLS VPN QoS Design Call-
Page 273 and 274: Chapter 5 MPLS VPN QoS Design Short
Page 285 and 286: Chapter 5 MPLS VPN QoS Design Books
Page 287 and 288: Version 3.3 IPSec VPN QoS Design CH
Page 289 and 290: Chapter 6 IPSec VPN QoS Design Vers
Page 295 and 296: Chapter 6 IPSec VPN QoS Design Pref
Page 297 and 298: Chapter 6 IPSec VPN QoS Design Dela
Page 299 and 300: Chapter 6 IPSec VPN QoS Design QoS
Page 303: Chapter 6 IPSec VPN QoS Design Anti
Page 317 and 318: Chapter 6 IPSec VPN QoS Design Digi
Page 319 and 320: Chapter 6 IPSec VPN QoS Design DSL
Page 327 and 328: Chapter 6 IPSec VPN QoS Design Summ
Page 329 and 330: Chapter 6 IPSec VPN QoS Design Book
show all

Enterprise QoS Solution Reference Network Design Guide

Create successful ePaper yourself

Delete template?

Save as template?