
Cisco Catalyst 6500 Series Switches

Catalyst 6500 Sup2T System QOS Architecture White Paper


Abstract

This document explains the Quality of Service (QoS) capabilities available in the Catalyst 6500/6800 Switch as they apply to the Policy Feature Card 4 (PFC4) engine, and provides some examples of QoS implementation. It expands on the concepts and terminology detailed in the white paper, “Understanding Quality of Service on the Catalyst 6500/6800 Switch.” http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/white_paper_c11_538840.html.

This QoS paper focuses on hardware that is shipping as of the date of this publication, and is not meant to be a configuration guide. Configuration examples are used throughout this paper to assist in the explanation of QoS features of the Catalyst 6500/6800 hardware and software. For syntax reference for QoS command structures, please refer to the configuration and command guides for the Catalyst 6500/6800. http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/index.htm.

1. Overview
2. New QoS Features in PFC4-Based Systems
3. QoS Hardware Support in Supervisor 2T Systems
  3.1. PFC4
  3.2. Interface Types Supported
  3.3. Buffers, Queues, and Thresholds in PFC4-Based Line Cards
  3.4. Line Card Port ASIC Queue Structure
    3.4.1. 10 Gigabit Ethernet Line Card (WS-X6908-10G and WS-X6816-10G)
    3.4.2. 40 Gigabit Ethernet Line Card (WS-X6904-40GE)
4. QoS Processing in PFC4 System
5. QoS TCAM
6. Serial QoS Model with PFC4 Hardware
7. Unified Policy Configuration with C3PL
  7.1. Change in Default QoS Behavior
  7.2. Default State of Port Level QoS
  7.3. Port Ingress CoS to Queue Mapping
  7.4. Configuration CLI
8. PFC4 Ingress Map and Port Trust
9. Layer 2 Classification of Layer 3 Packets
  9.1. Use Cases for Layer 2 Classification of Layer 3 Traffic
  9.2. Configuration
10. Enhanced IPv4/IPv6 Classification
11. Marking
  11.1. Use Case for Marking
12. Policing
  12.1. Distributed Policer
    12.1.1. Use Cases for Distributed Policing
    12.1.2. Configuration
  12.2. Microflow Policer
    12.2.1. Packets and Bytes-Based Policing
13. IP Tunnel QoS
  13.1. Ability to Mark Inner Header with PFC4
    13.1.1. Use Case for IP Tunnel QoS
    13.1.2. Configuration
  13.2. MPLS Over GRE Tunnels
14. MPLS QoS
  14.1. Ability to Distinguish IP-to-IP from IP-to-Tag Traffic
    14.1.1. Use Case for MPLS QoS
  14.2. Improved Performance
15. Multicast QoS
16. Two-Level H-QoS with 6904
17. Appendix 1


1. Overview

Policy Feature Card 4 (PFC4) is the next-generation forwarding engine for the Cisco Catalyst 6500/6800 switch, and provides significant improvements over its predecessor, Policy Feature Card 3 (PFC3). These improvements include support for distributed policing, expanded tables for holding more QoS policies, enhanced IPv4 and IPv6 classification, packet- and byte-mode policing, and more. One of the most significant enhancements is support for Cisco Common Classification Policy Language (C3PL), a platform-independent interface for configuring QoS, now supported on the Cisco Catalyst 6500/6800.

2. New QoS Features in PFC4-Based Systems

As with the PFC3, the PFC4 consists of two ASIC components. The first ASIC is responsible for frame parsing and Layer 2 switching. The second ASIC is responsible for IPv4/IPv6 routing, MPLS label switching and imposition/disposition, Access Control Lists, QoS policies, NetFlow, and more.

The PFC4-based system supports the following new QOS capabilities:

Serialized QoS model in hardware

Separated ingress and egress processing

Port trust/CoS defined in the PFC4/DFC4 (Distributed Forwarding Card 4)

Up to 256K QoS TCAM entries

Layer 2 classification for Layer 3 packets

Enhanced IPv4 classification (Packet Length, Time To Live, and Option)

Enhanced IPv6 classification (Extended Header and Flow Label)

Ingress/egress aggregate/microflow policer

Packet/byte mode policing

More accurate policing results, even at low policing rates

Distributed ingress/egress policing

Cisco Common Classification Policy Language (C3PL)-based Command Line Interface (CLI)

Before we look into these capabilities in detail, here is an overview of the hardware:

3. QoS Hardware Support in Supervisor 2T Systems

3.1. PFC4

The PFC4 supports the following new capabilities from a QoS standpoint:

Microflow policer on both the ingress and egress directions

Improved microflow policer rate configuration accuracy

Distributed policers (hardware capable of 4 K)

Better hardware Control Plane Policing policy for Layer 2 traffic, matchable on exceptions

Internal/discard-class markdown without rewriting outgoing packet Differentiated Services Code Point (DSCP)

Bytes and packets-based policing, compared to bytes only in the PFC3

Ability to set QoS policies on IP tunnels

Ability to mark VPLS traffic on ingress

Unified policy configurations for ingress/egress queuing

Improved MPLS performance, with no packet recirculation when an IP policy is configured on an egress interface.

Support for MPLS pipe mode QoS model on an egress Provider Edge (PE) interface.

The policing feature comparison between PFC4 and PFC3 can be found in Table 1 below.

Table 1. Policing Capability Differences Between PFC4 and PFC3

Policing Capability            PFC3 System    PFC4 System
---------------------------------------------------------------------------------
Aggregate Policer
  Number                       1 K            16 K
  Direction                    Both           Both
  Configurations               1023           1023
  Accuracy                     <= 3-5%        Maximum (0.1%, 1 kbps)
  Distributed                  No             Yes (supports up to 4095 distributed policers)
Microflow Policer
  Number                       256 K          512 K/1 M (depending on non-XL or XL PFC)
  Direction                    Ingress        Both
  Configurations               63             127
  Accuracy                     <= 3-5%        Maximum (0.1%, 1 kbps)

3.2. Interface Types Supported

PFC3 provided features on a per-port or per-VLAN basis. PFC4 provides an additional way to map a port or VLAN or a port-VLAN combination to a Logical Interface (LIF). This represents an internal (to the operating system) structure for forwarding services/features for a port, VLAN or port-VLAN pair. This capability increases granularity by allowing for association of properties or features at port, VLAN, or port-VLAN level. Table 2 captures the hardware interface capability differences between the PFC3 and PFC4.

Table 2. Hardware Interface Capability Differences Between PFC3 and PFC4

Capability                             PFC3    PFC4
-----------------------------------------------------
Maximum number of physical ports       2 K     10 K
Maximum number of routed interfaces    4 K     128 K
Maximum number of L3 sub-interfaces    4 K     128 K
Maximum number of SVIs                 4 K     16 K
Number of tunnel interfaces            2 K     128 K
Global VLAN map                        No      Yes

3.3. Buffers, Queues, and Thresholds in PFC4-Based Line Cards

Buffers are used to store frames while forwarding decisions are made within the switch, or as packets are enqueued for transmission on a port at a rate greater than the physical medium can support. When QoS is enabled on the switch, the port buffers are divided into one or more individual queues. Each queue has one or more drop thresholds associated with it. The combination of multiple queues within a buffer, and the drop thresholds associated with each queue, allow the switch to make intelligent decisions when faced with congestion. Traffic sensitive to jitter and delay variance, such as VoIP packets, can be moved to a higher priority queue for transmission, while other less important or less sensitive traffic can be buffered or dropped.

The number of queues and the amount of buffering per port depend on the line card module and the port ASIC used on that module. Table 3 provides an overview of the QoS queue and buffer structures for the Supervisor 2T and the 69xx and 68xx line card modules. The following information is detailed for each module:

Total buffer size per port (total buffer size)

Overall receive buffer size per port (Rx buffer size)

Overall transmit buffer size per port (Tx buffer size)

Port receive queue and drop threshold structure (Rx port type)

Port transmit queue and drop threshold structure (Tx port type)

Default size of receive buffers per queue with QoS enabled (Rx queue sizes)

Default size of transmit buffers per queue with QoS enabled (Tx queue sizes)

The individual queues and thresholds on a port are represented in the table using a simple terminology, which describes the number of strict priority queues (if present), the number of standard queues, and the number of tail-drop or Weighted Random Early Detection (WRED) thresholds within each of the standard queues. For example, a transmit queue of 1p7q4t will represent one strict priority queue, seven standard queues with four WRED drop thresholds per queue, supporting both Deficit Weighted Round Robin (DWRR) and Shaped Round Robin (SRR). Similarly, a receive queue of 8q4t will represent zero strict priority queues, eight standard queues with four tail-drop thresholds per queue.

Table 3. Buffers, Queues, and Thresholds in PFC4-Based Line Cards

VS-S2T-10G-XL (Supervisor Module)
  Supervisor 2T 10 Gb uplink ports (10 G only mode):
    Total buffer 191.8 MB (Rx 104.2 MB, Tx 87.6 MB); Rx port type 8q4t; Tx port type 1p7q4t
    Rx queue sizes: Q8 20.8 MB; Q7-Q2 0 MB; Q1 83.4 MB
    Tx queue sizes: SP 13.9 MB; Q7-Q4 0 MB; Q3 13.0 MB; Q2 17.3 MB; Q1 43.4 MB
  Supervisor 2T 10 Gb uplink ports:
    Total buffer 191.8 MB (Rx 104.2 MB, Tx 87.6 MB); Rx port type 2q4t; Tx port type 1p3q4t (DWRR, SRR)
    Rx queue sizes: Q2 20.8 MB; Q1 83.4 MB
    Tx queue sizes: SP 13.9 MB; Q3 13.0 MB; Q2 17.3 MB; Q1 43.4 MB
  Supervisor 2T Gb uplink ports:
    Total buffer 17.7 MB (Rx 9.6 MB, Tx 8.1 MB); Rx port type 2q4t; Tx port type 1p3q4t (DWRR, SRR)
    Rx queue sizes: Q2 1.9 MB; Q1 7.7 MB
    Tx queue sizes: SP 1.2 MB; Q3 1.2 MB; Q2 1.6 MB; Q1 4.1 MB

WS-X6908-10G
  10 Gb Ethernet line card:
    Total buffer 191.8 MB (Rx 104.2 MB, Tx 87.6 MB); Rx port type 8q4t; Tx port type 1p7q4t
    Rx queue sizes: Q8 20.8 MB; Q7-Q2 0 MB; Q1 83.4 MB
    Tx queue sizes: SP 13.9 MB; Q7-Q4 0 MB; Q3 13.0 MB; Q2 17.3 MB; Q1 43.4 MB

WS-X6816-10G
  10 Gb Ethernet 16-port line card (oversubscription mode):
    Total buffer 91 MB (Rx 1 MB, Tx 90 MB); Rx port type 1p7q2t; Tx port type 1p7q4t
  10 Gb Ethernet 16-port line card (performance mode):
    Total buffer 199 MB (Rx 109 MB, Tx 90 MB); Rx port type 8q4t; Tx port type 1p7q4t

WS-X6904-40G
  40 Gb Ethernet line card (40 G mode):
    Total buffer 93 MB (Rx 5 MB, Tx 88 MB); Rx port type 1p7q4t; Tx port type 1p7q4t (WRR, DWRR, SRR*)
    Rx queue sizes: SP 640 KB; Q7-Q1 640 KB each
    Tx queue sizes: SP 11 MB; Q7-Q1 11 MB each
  40 Gb Ethernet line card (10 G mode):
    Total buffer 22.25 MB (Rx 1.25 MB, Tx 21 MB); Rx port type 8q4t (WRR); Tx port type 1p7q4t (DWRR, SRR*)
    Rx queue sizes: Q8-Q1 160 KB each
    Tx queue sizes: Q8-Q1 2.65 MB each

Learn more about buffers and queues for the Catalyst 6500/6800 switch Ethernet line cards. http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper09186a0080131086.html.

3.4. Line Card Port ASIC Queue Structure

It is important to note that PFC4-based line cards (WS-X6816-10G, WS-X6908-10G, and WS-X6904-40G) are compatible only with the Supervisor 2T, and not with previous-generation Supervisors. QoS details for these new PFC4-based line cards are provided below.

3.4.1. 10 Gigabit Ethernet Line Card (WS-X6908-10G and WS-X6816-10G)

The 6908 is a non-oversubscribed (1:1) 8-port 10 Gb Ethernet line card that ships with a DFC4 on board. This module has a total of 80 Gb of bandwidth connecting into the switching fabric, and supports Cisco Trusted Security (CTS) and Layer 2 encryption (based on the IEEE 802.1AE standard) on all ports at wire speed.

The WS-X6816-10G line card is 4:1 oversubscribed and has a 40 Gb connection to the switching fabric. It can operate in two modes: performance mode and oversubscription mode.

When configured in performance mode, the line card ports are classified by port groups, wherein each port group consists of four physical ports. It is important to note that only the first port of the port group is enabled, and that port comes with enhanced buffering and QoS functionality. The other three ports in the port group will be administratively shut down.

When configured in oversubscription mode, the default mode of operation, all 16 ports are operational, although they are oversubscribed. The QoS specifications for both line cards are detailed in the following table:

Table 4. Line Card Port ASIC Queue Structure for PFC4-Based 10 G Cards

                                          WS-X6908-10G    WS-X6816-10G
--------------------------------------------------------------------------------------
Number of 10 GE ports                     8               16
Number of port ASICs in the line card     8               16
Number of physical ports per port ASIC    1               1
Transmit (Tx) queue structure per port    1p7q4t          1p7q4t
Receive (Rx) queue structure per port     8q4t            1p7q4t (oversubscription mode)
                                                          8q4t (performance mode)
Receive strict priority queue             No              Yes (oversubscription mode)
                                                          No (performance mode)
Transmit strict priority queue            Yes             Yes
Port level shaping capability             No              No

Note that both line cards require a Supervisor 2T to be installed in the chassis.

3.4.2. 40 Gigabit Ethernet Line Card (WS-X6904-40GE)

This line card comes pre-installed with a DFC4 and delivers 80 Gbps of fabric bandwidth per slot across 4 x 40 G or 16 x 10 G front-panel ports; in both 40 G and 10 G modes, the line card is 2:1 oversubscribed. The line card supports 10 G interfaces through SFP+ and the FourX adapter. All ports in both modes support Cisco Trusted Security (CTS) and Layer 2 encryption (IEEE 802.1AE) at wire speed. The line card is capable of port level shaping; however, this will be supported in a post-FCS software release. The QoS specifications for this line card are detailed in the following table.

Table 5. Line Card Port ASIC Queue Structure for PFC4-Based 40 G Cards

                                          WS-X6904-40G         WS-X6904-40G
                                          (40 G mode)          (10/1 G mode)
--------------------------------------------------------------------------------
Number of 40 GE ports                     4                    0
Number of 10 GE ports                     0                    16
Number of port ASICs in the line card     2                    2
Number of physical ports per port ASIC    2                    8
Transmit queue structure per port         1p7q4t               1p7q4t
Receive queue structure per port          1p7q4t               8q4t
Receive (Rx) strict priority queue        Yes                  No
Transmit (Tx) strict priority queue       Yes                  Yes
Port level shaping capability             Yes (egress only)    Yes (egress only)

It is important to note that this line card requires a Supervisor 2T to be installed in the chassis.

4. QoS Processing in PFC4 System

QoS processing for the PFC4-based line cards can be split into three processing steps, with each step occurring at a different point in the system. These three steps are:

1. Ingress QoS is performed on the ingress line card port; features include input queue scheduling and congestion avoidance.

2. PFC4 QoS features include port trust, marking, classification, QoS ACLs, and policing.

3. Egress QoS is performed on the egress line card port; features include queue scheduling, congestion avoidance, and, in some line cards, shaping.

5. QoS TCAM

In PFC3, QoS and ACL functions own separate Ternary Content Addressable Memories (TCAMs), with each TCAM supporting 32 K entries. The PFC4 moves to a single TCAM with a flexible bank utilization capability that serves QoS and other ACL features together. The TCAM size differences between the PFC4 (non-XL) and PFC4 (XL) modes can be found in Table 6.

Table 6. TCAM Resource Differences for QoS in PFC4

Resources            PFC3/PFC3XL    PFC4              PFC4-XL
----------------------------------------------------------------------
QoS TCAM             32 K           16 K (default)    64 K (default)
Security ACL TCAM    32 K           48 K (default)    192 K (default)

6. Serial QoS Model with PFC4 Hardware

One of the limitations of the PFC3 is that decisions are made in multiple cycles, thereby adding latency to the whole forwarding process. PFC4 makes many of these decisions in a single pass, albeit by going through the Layer 2 and Layer 3 components in a step-by-step process. The component that performs Layer 3 and QoS functionalities is implemented in a pipeline mode, with each stage in the pipeline performing a specific task. The two logical pipelines that make up the physical pipeline are the Input Forwarding Engine (IFE) and Output Forwarding Engine (OFE).

Figure 6. IFE and OFE Process

IFE performs ingress classification, QoS, ACL lookups, FIB forwarding, RPF checks, and ingress NetFlow.

OFE performs adjacency lookup, egress classification, egress NetFlow, and rewrite instruction generation.

IFE and OFE are two separate processes within the same physical hardware. The PFC4 architecture allows ingress and egress policing mechanisms in a single pass through the forwarding engine.

Learn more details about PFC4 hardware in the Cisco Catalyst 6500/6800 Supervisor 2T Architecture White Paper.

7. Unified Policy Configuration with C3PL

Cisco Common Classification Policy Language (C3PL) is similar to the Modular QoS CLI (MQC), in which class maps identify the traffic that is affected by the action that the policy map applies. C3PL supports configuration for QoS across Cisco platforms, and provides a platform-independent interface for configuring QoS.

Due to differences in queueing implementations across port ASICs, Modular QoS CLI (MQC) compliance in PFC3-based Catalyst 6500/6800 systems is limited to marking and policing. Queueing configuration, such as mapping incoming traffic to a specific queue, along with related functionality such as trust and global maps, is configurable only through platform-specific command-line interfaces (CLI). The PFC4-based Supervisor 2T system removes these limitations by supporting C3PL, a policy-driven CLI syntax, for marking, policing, and queueing.
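For illustration, here is a minimal C3PL policy sketch in this style; the class map, policy map, DSCP values, and rates are illustrative rather than taken from this document:

SUP2T(config)#class-map match-all VOICE
SUP2T(config-cmap)#match dscp ef
SUP2T(config)#policy-map INGRESS-POLICY
SUP2T(config-pmap)#class VOICE
SUP2T(config-pmap-c)#police rate 10000000 bps burst 31250 bytes conform-action transmit exceed-action drop
SUP2T(config-pmap)#class class-default
SUP2T(config-pmap-c)#set dscp af21
SUP2T(config)#interface GigabitEthernet1/1
SUP2T(config-if)#service-policy input INGRESS-POLICY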

7.1. Change in Default QoS Behavior

Prior to Supervisor 2T, there was a single global command to enable or disable QoS, which applied both at the PFC and port level. The major change with QoS in a PFC4 system is the behavior of default QoS at the PFC level. By default, QoS will be enabled in the PFC4, and there will only be a global command option to enable or disable QoS at the port level. The main changes can be broadly summarized as follows:

No global CLI required to enable QoS in the box

QoS for an interface is always defined by the attached service policies

By default, packets are passed through without a change in DSCP, EXP, or CoS for L2 packets or L2-classified L3 packets

Service-policy marking does not depend on port trust

The port state has no effect on marking, by default.

The PFC3-based mls qos global command is replaced with the auto qos default global command, which is used for enabling QoS just at the port level and not at the PFC level.

7.2. Default State of Port Level QoS

As noted in the previous section, there is no global command to control QoS at the PFC level. By default, port level QoS is disabled, and port level ingress queue scheduling and congestion avoidance are CoS-based.

Figure 8. PFC4 Default Port QoS Status

If a port is trusted and is not a Dot1Q trunk port, it will also use the default port CoS.

7.3. Port Ingress CoS to Queue Mapping

When a port is in the default QoS mode, frames entering the switch are placed into either the strict priority queue or the normal queue, based on their ingress CoS values.

Figure 9. PFC4 Default Port Ingress CoS to Queue Mapping

If a strict priority queue is present, frames with a CoS value of 5 are placed in it. All other frames are queued in the normal queue. The normal queues are configured with drop thresholds that define which CoS packets can be dropped when the queue fills up beyond the threshold.
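The default CoS-to-queue assignments can be adjusted with the queueing commands retained from PFC3 (see Appendix 1). A hedged sketch, assuming a 2q4t receive port where queue 2 carries the priority traffic; queue, threshold, and CoS values are illustrative:

SUP2T(config)#interface TenGigabitEthernet1/1
SUP2T(config-if)#rcv-queue cos-map 1 1 0 1 2 3
SUP2T(config-if)#rcv-queue cos-map 1 4 4 6 7
SUP2T(config-if)#rcv-queue cos-map 2 1 5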

7.4. Configuration CLI

The QoS status for the system can be identified using the following command:

6513E.SUP2T.SA.1#show auto qos default
"auto qos default" is configured
Earl qos Enabled port qos Enabled queueing-only No
6513E.SUP2T.SA.1#
6513E.SUP2T.SA.1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
6513E.SUP2T.SA.1(config)#no auto qos defa
6513E.SUP2T.SA.1(config)#no auto qos default
6513E.SUP2T.SA.1(config)#end
6513E.SUP2T.SA.1#
6513E.SUP2T.SA.1#show auto qos default
"auto qos default" is not configured
Earl qos Enabled port qos Disabled queueing-only No
6513E.SUP2T.SA.1#

The QoS status, such as the queueing at the port level, can be obtained using the following CLI:

6513E.SUP2T.SA.1#show queueing interface Gig1/24
Interface GigabitEthernet1/24 queueing strategy: Weighted Round-Robin
Port QoS is enabled globally
Queueing on Gi1/24: Tx Enabled Rx Enabled
Trust boundary disabled
Trust state: trust DSCP
Trust state in queueing: trust COS
Extend trust state: not trusted [COS = 0]
Default COS is 0
Queueing Mode In Tx direction: mode-cos
Transmit queues [type = 1p3q8t]:
Queue Id Scheduling Num of thresholds
-----------------------------------------
01 WRR 08
02 WRR 08
03 WRR 08
04 Priority 01
WRR bandwidth ratios: 100[queue 1] 150[queue 2] 200[queue 3]
queue-limit ratios: 50[queue 1] 20[queue 2] 15[queue 3] 15[Pri Queue]
queue tail-drop-thresholds
--------------------------
1 70[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8]
2 70[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8]
3 100[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8]
queue random-detect-min-thresholds
----------------------------------
1 40[1] 70[2] 70[3] 70[4] 70[5] 70[6] 70[7] 70[8]
2 40[1] 70[2] 70[3] 70[4] 70[5] 70[6] 70[7] 70[8]
3 70[1] 70[2] 70[3] 70[4] 70[5] 70[6] 70[7] 70[8]
queue random-detect-max-thresholds
----------------------------------
1 70[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8]
2 70[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8]
3 100[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8]
WRED disabled queues:
queue thresh cos-map
---------------------------------------
1 1 0
1 2 1
1 3
1 4
1 5
1 6
1 7
1 8
2 1 2
2 2 3 4
2 3
2 4
2 5
2 6
2 7
2 8
3 1 6 7
3 2
3 3
3 4
3 5
3 6
3 7
3 8
4 1 5
Queueing Mode In Rx direction: mode-cos
Receive queues [type = 1q8t]:
Queue Id Scheduling Num of thresholds
-----------------------------------------
01 WRR 08
WRR bandwidth ratios: 100[queue 1]
queue-limit ratios: 100[queue 1]
queue tail-drop-thresholds
--------------------------
1 50[1] 50[2] 60[3] 60[4] 80[5] 80[6] 100[7] 100[8]
queue thresh cos-map
---------------------------------------
1 1 0
1 2
1 3 1 2 3 4
1 4
1 5 6 7
1 6
1 7 5
1 8
Packets dropped on Transmit:
BPDU packets: 0
queue dropped [cos-map]
---------------------------------------------
1 0 [0 1 ]
2 0 [2 3 4 ]
3 0 [6 7 ]
4 0 [5 ]
Packets dropped on Receive:
BPDU packets: 0
queue dropped [cos-map]
---------------------------------------------
1 0 [0 1 2 3 4 6 7 5 ]
6513E.SUP2T.SA.1#
6513E.SUP2T.SA.1#

A table detailing summary of changed CLIs for a PFC4-based system can be found in Appendix 1.

8. PFC4 Ingress Map and Port Trust

In a PFC4 system, port trust is now defined in the PFC4/DFC4, instead of being taken from the port ASIC. The Layer 3 forwarding logic assigns a 6-bit discard-class value to the packet, which is carried through the whole packet processing pipeline.

As represented in Figure 11, each frame’s CoS, IP precedence, EXP, and DSCP value gets mapped to a corresponding discard value, based on an ingress map maintained in the PFC4.

9. Layer 2 Classification of Layer 3 Packets

PFC4 provides a new capability to perform classification on a Layer 3 packet using Layer 2 information. The decision matching is performed on the MAC address, even though the packet may not have arrived on a Layer 2 interface. This feature allows:

Separate ingress/egress control

Control of Layer 2 or Layer 3 NetFlow creation

DSCP for Layer 2-classified IP packets preserved by default, unless rewritten by an explicit DSCP marking command

Per-port option to choose VLAN-based packet classification setting

In a PFC3 system, MAC access list functions are for non-IP traffic only, as it is not possible to police Layer 3 traffic based on Layer 2 MAC information. In a PFC4 system, this limitation has been lifted, so a class map using Layer 2 information can be applied to IP traffic.

9.1. Use Cases for Layer 2 Classification of Layer 3 Traffic

Consider a provider edge device in a pure Layer 2 network that needs to classify Layer 3 traffic based on one of the following Layer 2 elements:

Match incoming CoS for Layer 3 traffic

Match outer VLAN for Q-in-Q traffic

Match inner VLAN for Q-in-Q traffic

Match inner Dot1Q CoS for Q-in-Q traffic

Match Layer 2 destination missed traffic

Match ARP traffic

Match BPDU traffic

9.2. Configuration

Enable Layer 2 Classification of Layer 3 Packets:

SUP2T(config-if)#mac packet-classify ?
  input   classify L3 packets as layer2 on input
  output  classify L3 packets as layer2 on output

Match Incoming CoS:

SUP2T(config)#class-map match-all [Name]
SUP2T(config-cmap)#match cos 5

Match Outer VLAN for Q-in-Q Traffic:

Sup2T(config)#mac packet-classify use outer-vlan ?
  in   Apply to ingress mac acl
  out  Apply to egress mac acl

Match Inner VLAN for Q-in-Q Traffic:

Sup2T(config)#mac access-list extended [Name]
Sup2T(config-ext-macl)#permit any any ce_vlan [ID]

Match Inner Dot1Q CoS for Q-in-Q Traffic:

SUP2T(config-if)#mac packet-classify use ce_cos ?
  input  Use inner cos for classification in ingress direction

Match Layer 2 Destination Missed Traffic:

SUP2T(config)#class-map match-all [Name]
SUP2T(config-cmap)# match l2 miss

Match ARP:

SUP2T(config)#arp access-list test
SUP2T(config-arp-nacl)#permit ip any mac ?
H.H.H Senders MAC address (and mask)
any Any MAC address
host Single Sender host

BPDU Classification:

SUP2T(config)# mac packet-classify bpdu

10. Enhanced IPv4/IPv6 Classification

With the PFC4 system, classification of IPv4 and IPv6 packets can now be performed based on packet length, Time To Live (TTL), and IP header options. For IPv6 packets, classification can also be performed using the flow label and extended headers.
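As one hedged example, IPv4 TTL can be matched through an extended ACL referenced by a class map; the ACL and class names and the TTL value are illustrative:

SUP2T(config)#ip access-list extended LOW-TTL
SUP2T(config-ext-nacl)#permit ip any any ttl lt 5
SUP2T(config)#class-map match-all TTL-EXPIRING
SUP2T(config-cmap)#match access-group name LOW-TTL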

11. Marking

The important changes for QoS marking in PFC4 involve compatibility to the C3PL and are summarized below:

No global CLI required to enable PFC QoS

QoS global maps defined using C3PL table-map syntax

DSCP is preserved by default, independent of port state

CoS is preserved by default for Layer 2 packets, independent of port state

Port trust dscp/precedence command is eliminated

In the PFC3-based system, prioritizing a packet resulted in a rewrite of the IP packet and, therefore, the DSCP. The PFC4 provides the ability to prioritize a packet without rewriting the IP packet. DSCP transparency can be controlled on a per-policy class basis.
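As noted in the list above, global maps are now defined with the C3PL table-map syntax. A minimal sketch, with an illustrative map name and values:

SUP2T(config)#table-map COS-TO-DSCP
SUP2T(config-tablemap)#map from 5 to 46
SUP2T(config-tablemap)#map from 3 to 26
SUP2T(config-tablemap)#default copy
SUP2T(config)#policy-map MARK-FROM-COS
SUP2T(config-pmap)#class class-default
SUP2T(config-pmap-c)#set dscp cos table COS-TO-DSCP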

11.1. Use Case for Marking

Consider a scenario where a user gets packets with a certain discard-class on the ingress, but does not want them to be classified with a discard-class on the egress. Here, both match dscp and match discard-class commands can be present in the configuration. With the PFC4 system, it is possible for match dscp to use the incoming packet’s DSCP to classify and for match discard-class to use the discard-class after the rewrite for classification.
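A hedged sketch of the two classification handles described above; class names and values are illustrative:

SUP2T(config)#class-map match-all FROM-DSCP
SUP2T(config-cmap)#match dscp af21
SUP2T(config)#class-map match-all FROM-DISCARD-CLASS
SUP2T(config-cmap)#match discard-class 3

The first class map matches on the incoming packet's DSCP, while the second matches on the internal discard-class assigned after the rewrite.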

12. Policing

12.1. Distributed Policer

Distributed Policing is a new PFC4 feature with which policers on multiple DFC4 line cards can be configured to collectively rate-limit the aggregate traffic received on a set of interfaces. This is not possible with previous-generation PFC systems, which can only rate-limit traffic received locally on a specific line card. As illustrated in Figure 11, Distributed Policing is desirable when customers want to apply rate limiting to a set of interfaces that belong to a cluster. This can include, for example, a VLAN or an EtherChannel with member ports on different PFC-based line cards.

In addition to metering traffic independently, each policer within the system is capable of synchronizing with other policers. As a result, a policer on any PFC4 effectively sees all the traffic received for that cluster throughout the system across all PFC4s.

A distributed policer maintains two sets of buckets and thresholds:

Global counts and thresholds, which reflect the aggregate traffic across all PFC4s.

Local counts and thresholds, which reflect the local unpoliced traffic.

Policing decisions are made using the global and local bucket counts. When the sum of these two counts exceeds the global threshold, the policer on each PFC4-based line card applies the policer action independently.

Distributed policing is supported in the first 4 K of the 16 K aggregate policers available on any PFC4 in the system. There are two modes of distributed policing:

Strict mode, where a single policy map will be rejected on the interface if it cannot fit fully within the 4 K distributed policer region

Loose mode, where the policy map will not be rejected, but will be installed in the non-distributed policer region, and will behave as in PFC3

12.1.1. Use Cases for Distributed Policing

The following use cases are applicable for distributed policing:

1. When the traffic for a particular VLAN that is spread across multiple line cards needs to be rate-limited.

2. When a port channel has members across line cards, and a rate-limiting policy is applied to it

3. When traffic of a set of interfaces on different line cards needs to be policed together as a cluster; specifically, a shared/aggregate policer that is also distributed across PFC4-based line cards.

12.1.2. Configuration

Distributed Policing is disabled by default, and can be enabled or disabled with a global command, making the feature very flexible for customers. Since only up to 4 K distributed policers are available, if more policers than that are configured on VLANs or port channels, the subsequent ones will not be distributed and will behave as in PFC3.

Disabling Distributed Policing Globally:

Cat6500(config)#no platform qos police distributed

Enabling Distributed Policing Globally:

Cat6500(config)#platform qos police distributed strict | loose

The distributed policer status can be obtained by issuing the following command:

6513E.SUP2T.SA.1#show platform qos
QoS is enabled globally
Port QoS is disabled globally
QoS serial policing mode enabled globally
Distributed Policing is Loose enabled
Secondary PUPs are enabled
QoS 10g-only mode supported: Yes [Current mode: Off]
----- Module [3] -----
Counter IFE Pkts IFE Bytes OFE Pkts OFE Bytes
-----------------------------------------------------------
Policing Drops 0 0 0 0
Policing Forwards 718139331 75135381110 718203413 75162822588
Police-hi Actions (Lvl3) 0 0 0 0
Police-lo Actions (Lvl2) 0 0 0 0
Aggregate Drops 0 0 0 0
Aggregate Forwards 718139342 75135382034 718203424 75162823512
Aggregate Exceeds-Hi 0 0 0 0
Aggregate Exceeds-Lo 0 0 0 0
NF Drops 0 0 0 0
NF Forwards 0 0 0 0
NF Exceeds 0 0 0 0
TOS Changes 0
TC Changes 0
EXP Changes 0
COS Changes 250238
Tunnel Decaps 0
Tunnel Encaps 0

12.2. Microflow Policer

Microflow policing is predominantly used to perform traffic control and accounting. Like aggregate policing, all flows arriving on ports associated with the policer are policed down to the stated rate. PFC4 supports double the number of microflow policers supported on PFC3, and adds the capability to perform egress microflow policing. The important capability differences between PFC3 and PFC4 can be found in Table 7.

Table 7. Microflow Policer Capability Differences Between PFC3 and PFC4

Feature                                       PFC4                    PFC3
--------------------------------------------------------------------------------------------------
Number of microflow policers                  1 M (input + output)    128 K/256 K (non-XL and XL-based PFC3)
Number of microflow policer configurations    128                     64
Egress microflow policing                     Yes                     No
Shared NetFlow and microflow policing         Yes                     No

In addition to supporting a greater number of microflow policers, the PFC4 improves the policer configuration accuracy down to 0.1 percent for microflow and distributed policing. (Previously, in PFC3, it was 3 to 5 percent.) This accuracy is maintained even at low policing rates.
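A hedged sketch of a microflow policer attached to a VLAN interface, assuming the PFC3-style police flow parameters that Appendix 1 notes are retained in C3PL; the mask, rate, and burst values are illustrative:

SUP2T(config)#policy-map USER-FLOWS
SUP2T(config-pmap)#class class-default
SUP2T(config-pmap-c)#police flow mask src-only 1000000 32000 conform-action transmit exceed-action drop
SUP2T(config)#interface Vlan10
SUP2T(config-if)#service-policy input USER-FLOWS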

12.2.1. Packets and Bytes-Based Policing

PFC4-based line cards, including the Supervisor 2T, can now be configured for either packet-based or byte-based policing, unlike PFC3-based cards that support byte-based policing only.

Packet-Based Policer Configuration:

6513E.SUP2T.SA.1(config-pmap-c)#police rate <7-10000000000> pps burst <1-2000000> packets peak-rate <7-10000000000> pps peak-burst <1-2000000> packets conform-action … etc.

Byte-Based Policer:

6513E.SUP2T.SA.1(config-pmap-c)#police rate <7-10000000000> bps burst <1-512000000> bytes peak-rate <7-10000000000> bps peak-burst <1-512000000> bytes conform-action … etc.
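For example, a worked instance of the packet-based form above, with an illustrative policy name and illustrative rate and burst values:

6513E.SUP2T.SA.1(config)#policy-map PPS-LIMIT
6513E.SUP2T.SA.1(config-pmap)#class class-default
6513E.SUP2T.SA.1(config-pmap-c)#police rate 10000 pps burst 100 packets conform-action transmit exceed-action drop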

13. IP Tunnel QoS

13.1. Ability to Mark Inner Header with PFC4

The need to distinguish inner from outer headers in an IP tunnel packet for classification and marking poses challenges for QoS. Equally challenging is the additional requirement to recirculate packets in order to forward tunneled traffic. The first pass of the address lookup identifies the tunnel to which the packet is destined or from which it arrives. The second-pass lookup identifies the actual egress interface for the encapsulated (tunneled) packet.

With PFC3, it is not possible to mark the inner header of a tunnel packet upon encapsulation. PFC4 removes this limitation and adds the capability to mark both the outer and inner header or mark just the outer header.

As represented in Figures 15 and 16, the PFC4 system supports the following two operational modes for tunneled traffic:

Diff-serv uniform mode

Diff-serv pipe mode

Although PFC3 supported these operational modes, support for these modes with tunnel interfaces is available only with the PFC4. Additionally, PFC4 offers better control for tunnel interface trust, as the bits after recirculation are no longer derived from the port ASIC.

Note that in the absence of ingress QoS policy, default mode in PFC4 is uniform mode, whereas the default mode in PFC3 is pipe mode.

13.1.1. Use Case for IP Tunnel QoS

Customers who want to control the marking of packets on an IP tunnel interface, in either uniform or pipe tunnel mode, can use this new PFC4 capability.

13.1.2. Configuration

It is important to note that QoS policies and configurations are similar between PFC3 and PFC4, except that PFC4 allows a new action to be defined under the policy class, where marking can be applied either to both the outer and inner headers or to the outer header only.

Marking Based on Inner Header

SUP2T(config)#policy-map [Name]
SUP2T(config-pmap)#class class-default
SUP2T(config-pmap-c)#set dscp [Value]

Marking Based on Outer Header

SUP2T(config)#policy-map [Name]
SUP2T(config-pmap)#class class-default
SUP2T(config-pmap-c)#set dscp tunnel [Value]

Example of a Tunnel Interface Attached with a Service Policy

Sup2T#show run interface g6/1
Building configuration...
Current configuration : 117 bytes
!
interface GigabitEthernet6/1
 ip address 3.0.0.2 255.0.0.0
 service-policy input interface-ingress-policy
 service-policy output interface-egress-policy
end
Sup2T#show run interface Tunnel0
Building configuration...
Current configuration : 168 bytes
!
interface Tunnel0
 ip address 5.0.0.2 255.0.0.0
 tunnel source GigabitEthernet6/1
 tunnel destination 4.0.0.2
 service-policy input tunnel-ingress-policy
 service-policy output tunnel-egress-policy
end

13.2. MPLS Over GRE Tunnels

In order to enable hardware switching of MPLSoGRE packets, the ingress line card must remove the IP GRE encapsulation before forwarding packets to the PFC, and the egress line card must add the IP GRE encapsulation to the egress tag packets. PFC3 did not support MPLS over GRE natively, so Sup720/PFC3-based systems provided this support through WAN line cards, which performed the actual GRE encapsulation and decapsulation operations.

The PFC4 eliminates the need for WAN modules by supporting MPLSoGRE natively in hardware. PFC4 handles a single MPLS label push or swap followed by GRE encapsulation on an IPv4 tunnel in a single pass. After GRE encapsulation, the packet is recirculated for the Layer 2 MAC rewrite. For GRE decapsulation, the GRE header is removed in the first pass and the packet is recirculated for further processing.

MPLS over GRE tunnels operate in pipe mode by default. If there is an explicit uniform mode policy, marking is done for both outer tunnel header DSCP and inner MPLS EXP bits.

14. MPLS QoS

Previous-generation PFCs support comprehensive MPLS features, along with QoS for MPLS packets. PFC3-based systems support MPLS pipe mode, as well as the ability to perform EXP marking.

For an IP to MPLS packet, IP DSCP can be mapped into the outgoing EXP value, with an option to override the EXP value

For MPLS packets, the packet EXP can be mapped into an internal DSCP, so that the regular QoS marking and policing logic can be applied

For MPLS-to-IP, there is an option to propagate CoS value from EXP into IP DSCP in the underlying IP packet

Note that the above can be performed only at the egress PE side. PFC4 overcomes this limitation with a new capability.

14.1. Ability to Distinguish IP-to-IP from IP-to-Tag Traffic

Unlike PFC3, PFC4 supports the capability to distinguish IP-to-IP traffic from IP-to-MPLS traffic at ingress. As a result, it can perform MPLS EXP marking for IP-to-MPLS traffic both on an ingress and egress PE. Additionally, this capability helps avoid the need to do ingress pipe policy for an IP-to-IP packet. Although PFC3 supports MPLS pipe mode and the ability to do EXP marking, the lack of this new capability means that it can only be used at the ingress PE side for tunnel interfaces.

14.1.1 Use Case for MPLS QoS

Consider scenarios where QoS implemented by service providers in an MPLS cloud needs to be different from the QoS implemented by a customer’s IP policy. PFC4 MPLS QoS capabilities can be utilized for cases where IP packets need to be tunneled through an MPLS network without losing the DSCP.

14.2. Improved Performance

In the PFC3, a packet is recirculated if an IP policy is configured on an egress interface. PFC4 does not have this limitation, and is capable of delivering improved performance.

15. Multicast QoS

For ingress QoS, multicast behavior in PFC4 is similar to that in PFC3. While PFC4 has the hardware capability to perform egress policing in egress replication mode, there are several limitations:

For egress QoS, Supervisor 2T has restrictions for multicast packets, as egress policing and marking of bridged multicast packets is not supported

Egress policing is not supported with egress replication enabled

16. Two-Level H-QoS with 6904

The 6904 line card supports 1p7q4t/2p6q4t queue structures that can be configured using the new MQC CLI supported on the Sup2T. The hardware queues are configured using child class maps, and a parent shaper can be added in the default class.

Here are some of the key features and restrictions for the 2 Level H-QOS Support:

8 child classes mapped to 8 queues (7 user-defined, plus 1 default class)

The parent shaper is a port-based shaper defined in the parent class

Bandwidth Remaining % is required for the rest of the class maps if a PQ is configured

Bandwidth can be used if no PQ is configured

Bandwidth Remaining % (BRR) can be used if no PQ is configured

Shaping on child class maps can only be configured together with Bandwidth Remaining %

Shaping is applied as a percentage of the physical interface rate; the lowest value is 1% of link bandwidth

Only shape average % is supported; absolute shape rates will be added in a later software release

Shaping of priority queues is supported by using the priority % CLI

2 levels of priority queues are supported, for voice and video; the 2 PQs use 2 of the 8 available queues

Buffers are assigned based on the weight of the queues

In the child policy map, the default class does not allow BR% or shapers

Bandwidth Remaining Percent is required for shaping to be enabled on a per-queue basis

Only 8 class maps are allowed at the child level

Modified policies are applied after the user exits policy-map mode

When running in 1 G mode with the FourX adapter and 1 G optics, the parent shaper will take 1 G as the rate, even though the interface shows up as TenGigabitEthernet

Configuration Example 1:
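A minimal two-level H-QoS sketch, assuming the Sup2T lan-queuing policy type; class names, match values, and percentages are illustrative:

class-map type lan-queuing VOICE
 match dscp ef
class-map type lan-queuing VIDEO
 match dscp af41
!
policy-map type lan-queuing CHILD
 class VOICE
  priority
 class VIDEO
  bandwidth remaining percent 40
 class class-default
!
policy-map type lan-queuing PARENT
 class class-default
  shape average percent 50
  service-policy CHILD
!
interface FortyGigabitEthernet1/1
 service-policy type lan-queuing output PARENT

Here the child policy maps traffic to queues (VOICE to the PQ, VIDEO to a standard queue with Bandwidth Remaining %), and the parent applies the port-based shaper in its default class.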

Configuration Example 2:
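A second sketch showing the two priority levels for voice and video, reusing the VOICE and VIDEO class maps from Example 1 and assuming the priority level and priority % CLI noted in the feature list; all names and values are illustrative:

class-map type lan-queuing DATA
 match dscp af11
!
policy-map type lan-queuing CHILD-2PQ
 class VOICE
  priority level 1 percent 15
 class VIDEO
  priority level 2 percent 25
 class DATA
  bandwidth remaining percent 60
 class class-default
!
policy-map type lan-queuing PARENT-2PQ
 class class-default
  shape average percent 80
  service-policy CHILD-2PQ
!
interface TenGigabitEthernet2/1
 service-policy type lan-queuing output PARENT-2PQ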

17. Appendix 1

A summary of commands with changes necessary to migrate from PFC3 to PFC4 is shown in Tables 8, 9, and 10. The status column is indicated by letters that refer to:

R: Retained and converted to a new CLI

I: Ignored

P: To be phased out, converted to a temporary “platform” CLI

Table 8. Summary of Command Migration for Cat6500 Specific Global CLI

PFC3 Command | Status | PFC4 Migration NVGEN and Action | Comments on PFC4 Behavior
--------------------------------------------------------------------------------------
mls qos | P | auto qos default | Used in mls qos trust migration actions as an indicator of existing PFC3 configuration. Auto-configures default queueing on ports without a queueing policy; no direct effect on Earl policing/marking. Migration actions are triggered if mls qos is seen on bootup or on configuration copy.
no mls qos | I | Ignored | No effect in the PFC4 platform.
mls qos queueing-only | R | platform qos queueing-only | Queueing behavior identical to auto qos default. Policing/marking and DSCP/CoS rewrite are disabled.
no mls qos rewrite ip dscp | P | no platform qos rewrite ip dscp | Same behavior as in PFC3. Not necessary: PFC4 rewrite control is per-class.
mls qos marking ignore port-trust | I | Used as an indicator that PFC3 port trust commands can be ignored | Port trust is ignored in PFC4 marking by default.
mls qos marking statistics | R | platform qos marking statistics | Same behavior as in PFC3.
mls qos police serial | I | Ignored | Serial mode is always on in PFC4.
mls qos police redirected | I | Ignored | Ingress policing of redirected packets is always enabled. Egress policing of packets to the RP is always disabled, except for CPP. Egress policing of packets redirected to service cards is controlled by a policy on the respective egress VLAN.
mls qos map | R | table-map | Same behavior as in PFC3. Certain dscp map names are auto-converted to discard-class map names.
mls qos aggregate-policer | R | platform qos aggregate-policer | Same behavior as in PFC3.
mls qos protocol | R | platform qos protocol | Same behavior as in PFC3.
mls qos statistics-export | R | platform qos statistics-export | Same behavior as in PFC3.
mac packet-classify use vlan | I | N/A | VLAN field is always enabled in PFC4 MAC ACLs.
mls qos gre input uniform-mode (ST2) | I | N/A | Uniform mode is the default and is controlled by C3PL per ingress policy class.
mls mpls input uniform-mode (ST2) | I | N/A | Uniform mode is the default and is controlled by C3PL per ingress policy class.

Table 9. Summary of Command Migration for Cat6k Specific Interface CLI

PFC3 Command | Status | PFC4 Migration NVGEN and Action | Comments on PFC4 Behavior
--------------------------------------------------------------------------------------
mls qos trust cos | R | platform qos trust cos | Initial ingress discard-class is mapped from CoS; does not rewrite the packet DSCP. PFC4 differences: in port-based mode, port trust cos is ignored if there is a port (ingress) policy; in VLAN-based mode, port trust cos is ignored in both the default and VLAN policy cases.
mls qos trust dscp | I | N/A | Default behavior in PFC4 and C3PL.
mls qos trust precedence | I | N/A | Handling is the same as mls qos trust dscp. Low 3 bits of the incoming DSCP are not zeroed.
no mls qos trust | R | platform qos trust none remark | Converted to trust none if mls qos is present; otherwise ignored. Ignored in VLAN-based mode.
mls qos trust extend | R | platform qos trust extend | Same behavior as in PFC3.
mls qos trust device | R | platform qos trust device | Same behavior as in PFC3.
mls qos mpls trust experimental | R | platform qos mpls trust experimental | Same behavior as in PFC3.
mls qos vlan-based | R | platform qos vlan-based | Same behavior as in PFC3.
mls qos dscp-mutation | R | platform qos dscp-mutation | Same behavior as in PFC3.
mls qos exp-mutation | R | platform qos exp-mutation | Same behavior as in PFC3.
mls qos statistics-export | R | platform qos statistics-export | Same behavior as in PFC3.
mls qos bridged | I | N/A | Auto-enabled/disabled internally per NetFlow profile, depending on the presence of microflow policing.
mac packet-classify | R | mac packet-classify input | Equivalent to mac packet-classify input.
mls qos loopback | R | platform qos loopback | Same behavior as in PFC3.
mls qos queueing mode | R | platform qos queueing mode | Same behavior as in PFC3. Not supported in C3 LCs.
mls qos cos | R | platform qos cos | Same behavior as in PFC3.
wrr-queue | R | wrr-queue | Same behavior as in PFC3. Not supported in C3 LCs.
rcv-queue | R | rcv-queue | Same behavior as in PFC3. Not supported in C3 LCs.
pri-queue | R | pri-queue | Same behavior as in PFC3. Not supported in C3 LCs.
mls qos channel-consistency | R | platform qos channel consistency | Enabled by auto qos default. Future: member ports must have the same ingress and egress queueing policy.

Table 10. Summary of Migration for Cat6K Specific Policy Map Commands

PFC3 Command | Status | PFC4 Migration NVGEN and Action | Comments on PFC4 Behavior
--------------------------------------------------------------------------------------
trust dscp | R | trust dscp | Default behavior in PFC4 and C3PL.
trust precedence | R | trust precedence | Handling is the same as trust dscp. Low 3 bits of the incoming DSCP are not zeroed.
trust cos | R | trust cos | PFC4 differences: the incoming 802.1q CoS is always used unless port CoS override is configured. The user is warned to use set dscp cos or set-dscp-cos-transmit in the police conform-action.
no trust | I | N/A | Packet QoS is preserved by default.
police {exceed | violate} policed-dscp | R | police… {exceed | violate} policed-dscp | Retained as part of C3PL syntax.
police flow | R | police flow | Retained as part of C3PL syntax.
police aggregate | R | police aggregate | Retained as part of C3PL syntax.