ACL & QoS
Course Objectives • To master the principles and functions of ACL • To master the principles and functions of QoS
Contents • ACL Principles • QoS Principles
Concept of ACL • ACL (Access Control List) is a way to judge, classify and filter the data that passes through switches. • ACL is applied as follows: • Applied to an interface • To judge and decide whether packets are allowed to be forwarded through the switch according to the characteristics of the data packets and data segments • Its purpose is to manage and control data traffic. • Used to achieve policy routing and to control special traffic • An ACL contains one or more rules for IP data packets of specific types. An ACL may include only one rule or many rules; together the rules define which data packets match. • As a universal data traffic judgment criterion, ACL can work with other technologies on different occasions, such as firewall, QoS and queuing technology, policy routing, data rate limiting, routing policy, and NAT.
ACL Work Flow (flowchart recovered from the slide figure): packet arrives on the input interface • check ACL rule • Allow? If not, the packet is dropped • Route entry? If none, the packet is dropped • select the output interface
Judgment Criteria of ACL • ACL can use the following judgment criteria: • Source IP • Destination IP • Protocol type (IP, UDP, TCP, ICMP) • Source port number • Destination port number
ACL Rules • Rules are evaluated from top to bottom in order. After the first match is found, the corresponding action is carried out and the ACL is exited; the subsequent rules are not matched. • The end of every ACL is "deny all" by default. • An ACL can be applied to an IP interface or to a service. • Create the ACL before applying it, or faults may occur. • For a given protocol, only one ACL can be configured at a time in one direction on a port, and the direction in which the ACL is applied on the interface is very important: any configuration error may disable the function.
ACL Functions • To achieve data packet filtering, policy routing and special traffic control • An ACL can contain one or more rules for data packets of specific types. These rules tell the device whether the data packets that match them are permitted or denied. • Which rule of the ACL takes effect on a port is determined by the order of the conditional statements in the list. If a data packet header matches a conditional statement, the subsequent statements are ignored.
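The rule semantics above (top-to-bottom evaluation, first match wins, implicit "deny all" at the end) as an added, runnable example; this is not code from the course, and the rule and packet shapes, networks and ports are constructed sample values:

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" = any protocol, else "tcp"/"udp"/"icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # None = any destination port

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Extended-ACL style match on protocol, source/destination network and port."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    return rule.dport is None or rule.dport == pkt.dport

def evaluate(acl: list, pkt: Packet) -> tuple:
    """Walk the rules top to bottom; return (action, index of the matching rule).
    The first match decides and later rules are ignored; a packet that matches
    nothing hits the implicit "deny all" and gets index None."""
    for i, rule in enumerate(acl):
        if rule_matches(rule, pkt):
            return rule.action, i
    return "deny", None

# Constructed sample ACL: permit HTTPS from the office LAN to one server,
# deny everything else from the LAN to the server subnet, permit the rest.
ANY = ipaddress.ip_network("0.0.0.0/0")
OFFICE = ipaddress.ip_network("10.1.0.0/16")
SERVERS = ipaddress.ip_network("192.0.2.0/24")
SAMPLE_ACL = [
    Rule("permit", "tcp", OFFICE, ipaddress.ip_network("192.0.2.10/32"), 443),
    Rule("deny", "ip", OFFICE, SERVERS),
    Rule("permit", "ip", ANY, ANY),
]
```

Swapping the first two rules makes the HTTPS packet hit the deny first, which is the ordering pitfall the rules above warn about.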
ACL Functions • ACL is classified into eight types: • Basic ACL: To match source IP addresses only • Extended ACL: To match source IP addresses, destination IP addresses, IP protocol types, TCP source port number, TCP destination port number, UDP source port number, UDP destination port number, ICMP types, ICMP code, DSCP, ToS, and Precedence • Layer-2 ACL: To match source MAC addresses, destination MAC addresses, source VLAN ID, layer-2 Ethernet protocol type, 802.1p priorities • Hybrid ACL: To match source MAC addresses, destination MAC address, source VLAN ID, source IP address, destination IP address, TCP source port number, TCP destination port number, UDP source port number, and UDP destination port number • Basic IPv6 ACL: To match source IP addresses of IPv6 only • Extended IPv6 ACL: To match source and destination addresses of IPv6 • User-defined ACL: To match the number of VLAN TAGs and offset bytes • ATM ACL: To match VPI, VCI, and time segment
ACL Functions • ACL number ranges: • Basic ACL: 1~99, 1000~1499 • Extended ACL: 100~199, 1500~1999 • Layer-2 ACL: 200~299 • Hybrid ACL: 300~349 • Basic IPv6 ACL: 2000~2499 • Extended IPv6 ACL: 2500~2999 • User-defined ACL: 3000~3499 • ATM ACL: 4000~4499
Contents • ACL Principles • QoS Principles
Concept of QoS • IP QoS refers to an IP network capability: providing specified services with the service quality they require over an IP network that spans multiple lower-layer network technologies (FR, ATM, Ethernet, SDH) • QoS needs to perform the following jobs: • To avoid and manage IP network congestion • To reduce the IP packet loss rate • To adjust IP network traffic • To provide dedicated bandwidth for special users or special services • To support real-time services on the IP network
QoS Model • Integrated service: Intserv in short • Differentiated service: Diffserv in short
IntServ Model • IntServ is an end-to-end, flow-based QoS technology. Before a terminal sends data, it must request QoS from the network according to the service type, and the network decides whether to admit the request according to an admission policy. IntServ establishes an end-to-end communication path through out-of-band RSVP (Resource Reservation Protocol). RSVP only carries QoS requests between network nodes; it does not itself realize the QoS requirements. They are realized through other technologies, such as PQ, CQ, and WFQ.
DiffServ Model • DiffServ can satisfy users' different QoS demands and is easy to scale. Unlike IntServ, it needs no signaling and forwards hop by hop: before a service sends a packet, it does not have to inform the routers. DiffServ is a DSCP-based QoS solution. At the network entrance, traffic is classified and policed, and the DSCP field of each packet is set. Inside the network, each node uses its QoS mechanisms and the packets' DSCP values to distinguish each type of traffic and provide the corresponding service, including resource allocation, queue scheduling, and packet drop policy. These are collectively called PHB (per-hop behavior). All nodes in the DiffServ domain apply PHB according to the DSCP field of the packets.
Packet Classification and Mark • Packet classification refers to the operation that the data packets to be forwarded are put into queues.
Packet Classification and Mark • Network administrators can set the packet classification policy. This policy may include: • Physical port • Source address • Destination address • MAC address • IP protocol • Port number of application programs • The classification result has no scope limit. It can be a flow identified by a five-tuple (source address, source port number, protocol number, destination address, and destination port number), or all packets going to some network segment. • Packets are classified with the following methods: • Based on ACL • Based on IP priorities
Traffic Monitoring • The token bucket is a common algorithm for controlling the interface rate. Its parameters include: • CIR: committed information rate • Bc: committed burst size; the amount of data the network allows a user to transmit at the rate CIR within an interval Tc • Be: excess burst size; the amount of data beyond Bc that the network allows a user to transmit within an interval Tc • Tc: sampling interval; the data traffic on the virtual circuit is monitored and controlled at intervals of Tc; Tc = Bc/CIR • Within one Tc: when the amount of user data transmitted is less than or equal to Bc, the received frames continue to be sent. When it is greater than Bc but less than or equal to Bc+Be, the frames continue to be sent if the network is not seriously congested; otherwise they are dropped. When it is greater than Bc+Be, the frames beyond that limit are dropped.
Traffic Monitoring • Token bucket mechanism
CAR (Committed Access Rate) • CAR uses a token bucket to control traffic. First the packet is classified. If the packet belongs to a type that is to be processed, it goes to the token bucket. If the bucket holds enough tokens to send the packet, the packet is considered "Conform"; if the tokens are not sufficient, it is considered "Exceed". In the subsequent action mechanism, the "Conform" packets can be sent, dropped, or re-marked (tinted). • When CAR is used for traffic monitoring, it is configured as follows: send the "Conform" packets and drop the "Exceed" packets. That is, when there are enough tokens in the bucket the packet is sent; when there are not, the packet is dropped. Thus the packet traffic is controlled. • CAR can also be used to mark or re-mark packets through Precedence or DSCP.
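The token bucket parameters (CIR, Bc, Be, Tc) and the CAR conform/exceed decision from the two slides above, as an added example that is not part of the course material. It models the three outcomes as a committed bucket of size Bc plus an excess bucket of size Be, both refilled at CIR over elapsed time; that continuous refill and the byte/second units are modelling assumptions, and the traffic burst is constructed.

```python
from dataclasses import dataclass, field

@dataclass
class TokenBucket:
    cir: float          # committed information rate, bytes per second
    bc: int             # committed burst size, bytes (capacity of the C bucket)
    be: int             # excess burst size, bytes (capacity of the E bucket)
    last: float = 0.0   # time of the last refill, seconds
    tokens_c: float = field(init=False)
    tokens_e: float = field(init=False)

    def __post_init__(self):
        self.tokens_c = float(self.bc)  # both buckets start full
        self.tokens_e = float(self.be)

    def _refill(self, now: float) -> None:
        # Tokens arrive at CIR; the C bucket fills first, overflow spills into E.
        earned = (now - self.last) * self.cir
        self.last = now
        room_c = self.bc - self.tokens_c
        self.tokens_c += min(earned, room_c)
        self.tokens_e = min(self.be, self.tokens_e + max(0.0, earned - room_c))

    def classify(self, now: float, size: int) -> str:
        """Colour a packet of `size` bytes arriving at time `now`."""
        self._refill(now)
        if size <= self.tokens_c:
            self.tokens_c -= size
            return "conform"      # within Bc
        if size <= self.tokens_e:
            self.tokens_e -= size
            return "exceed"       # within Bc + Be
        return "drop"             # beyond Bc + Be

def police(bucket: TokenBucket, arrivals, congested: bool = False):
    """CAR action: send conform packets, send exceed packets only when the
    network is not congested, drop the rest. Returns (colour, sent) per packet."""
    decisions = []
    for now, size in arrivals:
        colour = bucket.classify(now, size)
        sent = colour == "conform" or (colour == "exceed" and not congested)
        decisions.append((colour, sent))
    return decisions

# Constructed burst: CIR 1000 B/s, Bc 1500 B, Be 1000 B; four 1000-byte
# packets arrive at t=0, one more after Tc = Bc/CIR = 1.5 s has refilled Bc.
BURST = [(0.0, 1000), (0.0, 1000), (0.0, 1000), (0.0, 1000), (1.5, 1000)]
```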
Congestion Management (figure: data packet • go to queue • output queue • send) • Characteristics of Congestion Management: • To ensure that different types of packets can obtain different services when the network is congested. • Put different types of packets into different queues to obtain different scheduling priorities, probabilities or bandwidth assurance.
Congestion Management • The algorithms for congestion management include: • FIFO (First In First Out) • PQ (Priority Queuing) • CQ (Custom Queuing) • WFQ (Weighted Fair Queuing)
FIFO • FIFO: First In First Out • FIFO does not classify the packets. When packets arrive, FIFO lets them enter the queue in arrival order, and at the exit it lets them leave the queue in the same order. Packets arriving first go out first; packets arriving later go out later. • The Internet's default service mode, Best-Effort, uses the FIFO queuing policy.
PQ • PQ: Priority Queueing • PQ performs strict priority scheduling. Packets can be classified into four types at most. They respectively belong to one of the four queues. Then put the packets into the corresponding queues according to their types. • The four queues of PQ are high-priority queue, medium-priority queue, normal-priority queue, and low-priority queue. Their priorities decrease in order.
CQ • CQ: Custom Queueing • CQ adopts round-robin scheduling. Packets can be classified into at most 17 types, each belonging to one of the 17 queues of CQ. Among the 17 queues, queue 0 is a priority queue: the router always sends the packets in queue 0 first and then the packets in queue 1 to queue 16. Queue 0 is therefore generally used as the system queue, holding interactive protocol packets with strict real-time requirements. Queue 1 to queue 16 can be allocated bandwidth proportions according to the user's requirements. When packets leave the queues, CQ takes a certain number of packets from each of queue 1 to queue 16 in turn and sends them out on the interface according to the defined bandwidth proportion.
Difference between CQ and PQ • PQ gives absolute priority to the higher-priority packets, which guarantees precedence for key services; however, when the rate of the high-priority packets is persistently higher than the interface rate, the low-priority packets never get a chance to be sent. This situation can be avoided by using CQ. CQ classifies packets and allocates them to a CQ queue according to type. For each queue, the proportion of the interface bandwidth that the queue may occupy is specified. Thus packets of different services obtain a reasonable share of bandwidth, which ensures that key services get sufficient bandwidth while non-key services can still be processed.
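A slot-by-slot simulation of the PQ starvation and the CQ proportional sharing described above, added here as an illustration rather than taken from the course. It uses two user queues (indexes 0 and 1, so CQ's system queue 0 from the slide is not modelled), 500-byte packets and 1500:1000 byte counts, all constructed sample values.

```python
from collections import deque

def pq_schedule(queues, slots):
    """Strict priority: each slot serves the highest-priority (lowest index)
    non-empty queue, so lower queues wait as long as higher ones have packets."""
    served = []
    for _ in range(slots):
        for idx, q in enumerate(queues):
            if q:
                q.popleft()
                served.append(idx)
                break
    return served

def cq_schedule(queues, byte_counts, slots):
    """Custom queuing: visit queues round robin; on each visit send packets
    until the queue's configured byte count is used up (always at least one)."""
    served = []
    i = 0
    while len(served) < slots and any(queues):
        q, budget, sent = queues[i], byte_counts[i], 0
        while q and len(served) < slots and (sent == 0 or sent + q[0] <= budget):
            sent += q.popleft()
            served.append(i)
        i = (i + 1) % len(queues)
    return served

def share(served, n):
    """Fraction of the sent packets that came from each queue."""
    return [round(served.count(i) / len(served), 2) for i in range(n)]

def demo():
    # Constructed backlog: queue 0 (key service) and queue 1 (bulk) each hold
    # twenty 500-byte packets, more than the 10 slots we simulate.
    backlog = lambda: [deque([500] * 20), deque([500] * 20)]
    pq = pq_schedule(backlog(), slots=10)
    # CQ byte counts 1500:1000 give queue 0 about 60% and queue 1 about 40%.
    cq = cq_schedule(backlog(), byte_counts=[1500, 1000], slots=10)
    return pq, cq
```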
WFQ • WFQ: Weighted Fair Queueing • WFQ adopts weighted round-robin scheduling. Packets can be classified into at most 64 types. WFQ is a complex queuing process that ensures fairness among services of the same priority and weighting among services of different priorities. The weight is calculated from the priority, namely the IP precedence carried in the IP packet header.
CBWFQ • CBWFQ (Class Based Weighted Fair Queuing) is class-based weighted fair queuing. It is in effect a combination of CQ and WFQ.
Congestion Avoidance • Network Congestion (figure: bandwidth occupancy over time)
Congestion Avoidance • Ways to avoid congestion are: RED, WRED • RED: Random Early Detection • WRED: Weighted Random Early Detection • Different from RED, WRED introduces IP priorities to distinguish the drop policy. • WRED adopts random drop policy. It avoids the tail drop mode which may lead to global TCP synchronization.
WRED Work Principles (figure: data packet • go to queue • output queue • send; the queue depth is compared against a lower threshold and an upper threshold to decide whether a packet is sent or dropped)
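The WRED decision sketched in the figure above, as an added example that is not from the course: below the lower threshold nothing is dropped, between the thresholds packets are dropped at random with a probability that rises linearly, and above the upper threshold everything is dropped, with a separate threshold set per IP precedence as WRED's weighting. The threshold numbers, the EWMA weight and the random draw are constructed modelling assumptions.

```python
import random

# Constructed profile: IP precedence -> (lower threshold, upper threshold, max drop
# probability), in packets of average queue depth. Low precedence is dropped first.
WRED_PROFILE = {
    0: (10, 30, 0.5),
    3: (20, 40, 0.2),
    5: (30, 50, 0.1),
}

def drop_probability(avg_depth, precedence):
    """RED curve: 0 below the lower threshold, rising linearly to max_p at the
    upper threshold, and 1.0 (tail drop) at or above it."""
    lower, upper, max_p = WRED_PROFILE[precedence]
    if avg_depth < lower:
        return 0.0
    if avg_depth >= upper:
        return 1.0
    return max_p * (avg_depth - lower) / (upper - lower)

def wred_decide(avg_depth, precedence, rng):
    """Random early drop: each arriving packet is dropped with the curve's probability."""
    return "drop" if rng.random() < drop_probability(avg_depth, precedence) else "send"

def average_depth(prev_avg, current_depth, weight):
    """Exponentially weighted moving average of queue depth (smooths out bursts)."""
    return (1 - weight) * prev_avg + weight * current_depth

def simulate(depths, precedence, seed=1, weight=0.5):
    """Count drops over a constructed sequence of instantaneous queue depths."""
    rng = random.Random(seed)
    avg, drops = 0.0, 0
    for d in depths:
        avg = average_depth(avg, d, weight)
        if wred_decide(avg, precedence, rng) == "drop":
            drops += 1
    return drops
```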
QoS Functions • Traffic classification • Traffic policy • Congestion avoidance • Queue scheduling • Traffic shaping • Tunnel QoS function • Ethernet QoS function
QoS Functional Model (figure: ACL rule • packet classification • traffic list • traffic control • traffic shaping • congestion avoidance, with a drop point at each stage)