Enterprise QoS Solution Reference Network Design Guide
Enterprise QoS Solution Reference Network Design Guide
Enterprise QoS Solution Reference Network Design Guide
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
<strong>QoS</strong> <strong>Design</strong> Overview<br />
Untrusted Endpoints<br />
2-8<br />
<strong>Enterprise</strong> <strong>QoS</strong> <strong>Solution</strong> <strong>Reference</strong> <strong>Network</strong> <strong>Design</strong> <strong>Guide</strong><br />
Chapter 2 Campus <strong>QoS</strong> <strong>Design</strong><br />
Wireless IP Phones—Mobile wireless IP Phones can mark DSCP values for VoIP and call signaling<br />
and pass these on to the wireless AP with which they are associated. Examples include the Cisco<br />
7920G wireless IP Phone.<br />
When trusted endpoints are connected to a switch port, all that is typically required is enabling the<br />
following interface command: mls qos trust dscp.<br />
Optionally, if the traffic rate of the trusted application is known, the network administrator could apply<br />
an access layer policer to protect against out-of-profile rates, in case the trusted endpoint is somehow<br />
compromised.<br />
For example, consider the case of an IP videoconferencing (IP/VC) station that transmits 384 kbps of<br />
video (not including Layer 2–4 overhead) and correctly marks this traffic to DSCP AF41. An access edge<br />
ingress policer could be applied to the switch port to which this IP/VC station is connected and be<br />
configured to trust up to 500 kbps, allowing for Layer 2–4 overhead and policer granularity of interactive<br />
video traffic marked AF41. Excess traffic could be marked to CS1. Such a policy prevents network abuse<br />
if another device is inserted, perhaps via a hub, into the path, or if the trusted endpoint itself becomes<br />
compromised.<br />
This section includes the following topics:<br />
Untrusted PC + SoftPhone with Scavenger-Class <strong>QoS</strong><br />
Untrusted Server with Scavenger-Class <strong>QoS</strong><br />
As previously mentioned, trusting end users and their PCs is generally a bad idea because newer<br />
operating systems like Windows XP and Linux make it relatively easy to set CoS or DSCP markings on<br />
PC NICs. Such markings may be set deliberately or even inadvertently. In either case, improperly set<br />
<strong>QoS</strong> markings can affect the service levels of multiple users within the enterprise and make<br />
troubleshooting a nightmare. Also, marking application traffic on server NICs has disadvantages as<br />
discussed in the previous section that may make it preferable to treat these as untrusted devices.<br />
While client PCs and data center servers are related and complimentary, they also have unique<br />
considerations that affect their classification and marking policies, and so will be examined individually.<br />
Untrusted PC + SoftPhone with Scavenger-Class <strong>QoS</strong><br />
Cisco generally recommends not trusting end user PC traffic. However, some PCs may be running<br />
applications that critically require <strong>QoS</strong> treatment. A classic example is a PC running Cisco IP Softphone.<br />
In such a case, the critical application needs to be identified using access lists and marked/remarked at<br />
the access edge. Remarking can be done with either an MLS <strong>QoS</strong> set ip dscp command or with a policer.<br />
A policer is recommended in this case because limits on the amount of traffic being marked can then be<br />
imposed to prevent abuse. Cisco SoftPhones can use regular G.711 codecs, in which case 128 kbps is<br />
adequate, or they can be configured use a G.722 (wide codec), in which case 320 kbps is required. The<br />
tighter the policer the better, provided that adequate bandwidth has been allocated for application<br />
requirements.<br />
Additionally, you can explicitly define the UDP ports used by Cisco SoftPhone within the application as<br />
opposed to simply picking random ports within the UDP range of 16383–32767. This is recommended<br />
because this allows for a more granular access list to match legitimate Cisco SoftPhone traffic, thereby<br />
tightening the overall security of the policy.<br />
Version 3.3