Configuring DiffServ on the SecureStacks/D-Series

FAQ_User — Wed, 27 Nov 2013 02:32:00 GMT

Article ID: 5848

Products
SecureStack B3
SecureStack B2
SecureStack A2
D-Series

Goals
Configure DiffServ
Sample configuration

Symptoms
'set diffserv'

Cause
The SecureStack A2 supports DiffServ (the 'set diffserv' command set), but not Policy (the 'set policy' command set).
The SecureStack B2 & B3 support DiffServ by default, as long as Policy licensing (5781) has not been applied.
The D-Series supports DiffServ by default, as long as Policy licensing (10791) has not been applied.

This article explains the subset of what may be accomplished using DiffServ functionality rather than the more full-featured Policy (including DSCP manipulation) functionality, and also provides detailed configuration guidance.

Solution
Differentiated Services configuration permits the user to classify incoming traffic (VLAN-tagged or not), and then either drop it or forward it. Forwarded traffic may optionally have an Inbound Rate Limiter (within the range of 1 Kbps through line speed) applied, and/or the traffic may optionally be "marked" with a value written to the first 3 (Precedence) bits of the TOS byte or to the first 6 (DSCP) bits of the TOS byte.

It is possible to assign an 802.1p Priority or an 802.1Q VLAN using Policy, but not using DiffServ.

For Layer 2 (switching) purposes, DiffServ can be effective for dropping or rate limiting inbound traffic.
For Layer 3 (routing) purposes, DiffServ can be effective for setting the routing precedence to be used during periods of network congestion.

Note: If DiffServ is used to mark the DSCP value of a frame based on a keyword of "ef" or a value of 46 (with either of these yielding L3 Express Forwarding), as a side-function the outgoing L2 frame will be placed into the highest priority hardware queue (Queue 5) for transmission (5859).

It is advisable that you review the background information contained in 5811 before proceeding with the remainder of this document.
Also, please review the DiffServ guidelines and limitations contained in the latest non-patch firmware release notes associated with your firmware version.

DiffServ configuration commands
set diffserv

adminmode Configure the DiffServ Admin mode.
enable Enable the DiffServ Admin mode.
disable Disable the DiffServ Admin mode.

class Configure a DiffServ Class to trigger a DiffServ Policy.
create Create a DiffServ collection of classification rules.
all All match conditions must be met, to trigger the Policy.
* New Class name, up to 31 alphanumeric characters
delete Delete a DiffServ collection of classification rules.
* Existing Class to be deleted
match Add a classification rule to a DiffServ Class.
dstip Match to this Destination IP Address value.
* Existing Class to which this rule should be added
* IP Address (example: 10.20.30.40)
* IP subnet bitmask (example: 255.255.255.0)
dstl4port Match to this Destination Layer 4 Port value.
keyword Match based on a Destination Layer 4 Port Keyword.
* Existing Class to which this rule should be added
* One of -> domain / echo / ftp / ftpdata / http /
smtp / snmp / telnet / tftp / www
number Match based on a Destination Layer 4 Port Number value.
* L4 port number within the range 0-65535
dstmac Match to this Destination MAC Address value.
* Existing Class to which this rule should be added
* MAC Address (example: 00-00-01-02-03-ab)
* MAC address bitmask (example: ff-ff-ff-00-00-00)
every Match to all untagged packets regardless of attributes.
* Existing Class to which this rule should be added
ipdscp Match to this DSCP value.
* Existing Class to which this rule should be added
* One of -> DSCP value within the range 0-63 -or-
keyword af12 / af21 / af22 / af31 / af32 / af33 / be
cs0 / cs1 / cs2 / cs3 / cs4 / cs5 / cs6 / cs7 / ef
ipprecedence Match to this IP Precedence (first 3 bits of TOS) value.
* Existing Class to which this rule should be added
* IP Precedence value within the range 0-7
iptos Match to this IP TOS (all 8 bits of TOS) value.
* Existing Class to which this rule should be added
* TOS bits value within the range 00-ff
* TOS bitmask value within the range 00-ff
protocol Match to this IP Protocol.
keyword Match based on a IP Protocol Keyword.
* Existing Class to which this rule should be added
* One of -> icmp / igmp / ip / tcp / udp
number Match based on an IP Protocol value.
* Existing Class to which this rule should be added
* IP Protocol value within the range 0-255
refclass Add or remove the match rules referenced by this Class.
add Add a set of match conditions.
* Existing Class to which the rules should be added
* Existing Class to be used as the rule source
remove Remove a set of match conditions.
* Existing Class from which the rules should be removed
* Existing Class to be used as the rule template
srcip Match to this Source IP Address value.
* Existing Class to which this rule should be added
* IP Address (example: 10.20.30.40)
* IP subnet bitmask (example: 255.255.255.0)
srcl4port Match to this Source Layer 4 Port.
keyword Match based on a Source Layer 4 Port Keyword.
* Existing Class to which this rule should be added
* One of -> domain / echo / ftp / ftpdata / http /
smtp / snmp / telnet / tftp / www
number Match based on a Destination Layer 4 Port Number value.
* L4 port number within the range 0-65535
srcmac Match to this Source MAC Address value.
* Existing Class to which this rule should be added
* MAC Address (example: 00-00-01-02-03-ab)
* MAC address bitmask (example: ff-ff-ff-00-00-00)
vlan Match to this assigned VLAN ID value.
* Existing Class to which this rule should be added
* VLAN ID within the range 1-4093

rename Rename a DiffServ Class.

* Existing Class name to be renamed * New Class name, up to 31 alphanumeric characters policy Configure a DiffServ Policy to perform an action. class Add or remove a member Class to/from a Policy. add Add a class instance to a Policy. * Existing Policy to which this Class should be added * Existing Class to be added to the Policy remove Remove a class instance from the Policy. * Existing Policy from which this Class should be removed * Existing Class to be removed from the Policy create Create a DiffServ Policy. * New Policy name, up to 31 alphanumeric characters in Only Ingress policies are supported. delete Delete a DiffServ Policy. * Existing Policy to be deleted mark Configure a Marking action in the absence of Policing. ipdscp Rewrite this IP DSCP (TOS bits 0x'11111100') value. * Existing Policy to utilize the Mark action * Existing embedded Class to trigger the Mark action * One of -> DSCP value within the range 0-63 -or- keyword af12 / af21 / af22 / af31 / af32 / af33 / be cs0 / cs1 / cs2 / cs3 / cs4 / cs5 / cs6 / cs7 / ef ipprecedence Rewrite this IP Precedence (TOS bits 0x'11100000') value. * Existing Policy to utilize the Mark action * Existing embedded Class to trigger the Mark action * IP precedence value within the range 0-7 police Configure a Policing Action or Style. action Configure a Policing Action. conform Specify an action taken on rule-conforming traffic. drop Conforming traffic should be dropped. * Existing Policy to utilize the Drop action * Existing embedded Class to trigger the Drop action send Conforming traffic should be forwarded. * Existing Policy to utilize the Forward action * Existing embedded Class to trigger the Forward action markdscp Rewrite this IP DSCP (TOS bits 0x'11111100') value. * Existing Policy to utilize the Mark action * Existing embedded Class to trigger the Mark action * One of -> DSCP value within the range 0-63 -or- keyword af12 / af21 / af22 / af31 / af32 / af33 / be cs0 / cs1 / cs2 / cs3 / cs4 / cs5 / cs6 / cs7 / ef markprec Rewrite this IP Precedence (TOS bits 0x'11100000') value. * Existing Policy to utilize the Mark action * Existing embedded Class to trigger the Mark action * IP precedence value within the range 0-7 nonconform Specify an action taken on rule-nonconforming traffic. drop Conforming traffic should be dropped. * Existing Policy to utilize the Drop action * Existing embedded Class to trigger the Drop action send Conforming traffic should be forwarded. * Existing Policy to utilize the Forward action * Existing embedded Class to trigger the Forward action markdscp Rewrite this IP DSCP (TOS bits 0x'11111100') value. * Existing Policy to utilize the Mark action * Existing embedded Class to trigger the Mark action * One of -> DSCP value within the range 0-63 -or- keyword af12 / af21 / af22 / af31 / af32 / af33 / be cs0 / cs1 / cs2 / cs3 / cs4 / cs5 / cs6 / cs7 / ef markprec Rewrite this IP Precedence (TOS bits 0x'11100000') value. * Existing Policy to utilize the Mark action * Existing embedded Class to trigger the Mark action * IP precedence value within the range 0-7 style Configure a Policing Style for limiting forwarded traffic. simple Only simple policing is supported. * Existing Policy to utilize the Rate Limiting action * Existing embedded Class to trigger the Rate Limiting * Rate limit within the range 1-4294967295 Kbits/s * Maximum burst size within the range 1-128 KBytes rename Rename a DiffServ Policy. [list=1] * Existing Policy name to be renamed * New Policy name, up to 31 alphanumeric characters service Configure a DiffServ Service to tie a Policy to a Port. add Add a Policy to a Port. in Only Ingress policies are supported. * Port(s) which should receive this Policy (ex. ge.1.1-2) * Existing Policy to be added to the port(s) remove Remove a Policy from a Port. in Only Ingress policies are supported. * Port(s) which should lose this policy (ex. ge.1.1-2) * Existing Policy to be removed from the port(s) To display diffserv configuration results, here are some useful commands: show diffserv class detailed show diffserv policy detailed show diffserv service info detailed in To delete DiffServ configurations, remove in order: service commands, policy commands, and classcommands; then globally disable DiffServ to restore the default condition: set diffserv service remove in set diffserv policy delete set diffserv class delete set diffserv adminmode disable show config diffserv DiffServ configuration examples When using the diffserv command set; one would generally enable DiffServ, create a Class, create one or more classification rules within the Class, create a Policy, add one or more Classes to it, add Policing (Conforming/Non-conforming, Drop/Forward, Rate Limit, Precedence/DSCP Rewrite) styles & actions (both or neither) or just Marking (Precedence/DSCP Rewrite) actions to the Policy, and then assign the Policy to one or more ports. This example creates two separate policies:[list=1]
'policyef' rate-limits ingressed traffic on port fe.1.1 to a maximum of 100Mb/s, and on the same traffic also rewrites the six DSCP bits to a decimal value of 46 for Express Forwarding on layer 3.
'policyaf31' rate-limits ingressed traffic on port fe.1.2 to a maximum of 100Mb/s, and on the same traffic also rewrites the six DSCP bits to a decimal value of 26 for Flash forwarding on layer 3.
#diffserv
set diffserv adminmode enable
set diffserv class create all classevery
set diffserv class match every classevery
set diffserv policy create policyef in
set diffserv policy class add policyef classevery
set diffserv policy police style simple policyef classevery 100000 128
set diffserv policy police action conform markdscp policyef classevery ef
set diffserv policy create policyaf31 in
set diffserv policy class add policyaf31 classevery
set diffserv policy police style simple policyaf31 classevery 100000 128
set diffserv policy police action conform markdscp policyaf31 classevery af31
set diffserv service add in fe.1.1 policyef
set diffserv service add in fe.1.2 policyaf31
This example creates one policy which identifies VOIP traffic (DSCP value 46 or 32) on ports ge.1.1 through ge.1.10, and drops all other traffic.
#diffserv
set diffserv adminmode enable
set diffserv class create all classVOIP
set diffserv class match ipdscp classVOIP ef
set diffserv class match ipdscp classVOIP cs4
set diffserv policy create policyQOS in
set diffserv policy class add policyQOS classVOIP
set diffserv policy police style simple policyQOS classVOIP 1000000 128
set diffserv policy police action nonconform drop policyQOS classVOIP
set diffserv service add in ge.1.1-10 policyQOS
This example creates one policy which identifies VOIP traffic (TOS value b8) on port fe.1.32, and overwrites the six DSCP bits to their pre-existing value, incidentally placing the packet into the high priority transmit queue as described at the top of this document.
#diffserv
set diffserv adminmode enable
set diffserv class create all classVoice
set diffserv class match iptos classVoice b8 ff
set diffserv policy create policyPhones in
set diffserv policy class add policyPhones classVoice
set diffserv policy mark ipdscp policyPhones classVoice ef
set diffserv service add in fe.1.32 policyPhones
This example creates one policy which identifies ICMP (PING) traffic, denying it when sourced from any user plugged into port ge.1.5.
#diffserv
set diffserv adminmode enable
set diffserv class create all classICMP
set diffserv class match protocol keyword classICMP icmp
set diffserv policy create policyDropICMP in
set diffserv policy class add policyDropICMP classICMP
set diffserv policy police style simple policyDropICMP classICMP 1000000 128
set diffserv policy police action conform drop policyDropICMP classICMP
set diffserv service add in ge.1.5 policyDropICMP
This example creates one policy which identifies traffic sourced from the 10.16.17.0/24 subnet, denying it on all ports. It was developed to serve as a form of Layer2 ACL (an A2 feature which does not support subnet masking).
#diffserv
set diffserv adminmode enable
set diffserv class create all class17dot0
set diffserv class match srcip class17dot0 10.16.17.0 255.255.255.0
set diffserv policy create policyDrop17dot0 in
set diffserv policy class add policyDrop17dot0 class17dot0
set diffserv policy police style simple policyDrop17dot0 class17dot0 1000000 128
set diffserv policy police action conform drop policyDrop17dot0 class17dot0
set diffserv service add in fe.1.1-24 policyDrop17dot0
This example is an elaboration of the previous one (Layer2 ACL), creating one policy which identifies traffic sourced from IP 10.10.2.49 or 10.10.2.177, denying it on all ports. It demonstrates the use of more than one class per policy. Though not true here, each class may optionally invoke a unique action.
#diffserv
set diffserv adminmode enable
set diffserv class create all classIP49
set diffserv class match srcip classIP49 10.10.2.49 255.255.255.255
set diffserv class create all classIP177
set diffserv class match srcip classIP177 10.10.2.177 255.255.255.255
set diffserv policy create policyAccessACL in
set diffserv policy class add policyAccessACL classIP49
set diffserv policy class add policyAccessACL classIP177
set diffserv policy police style simple policyAccessACL classIP49 1000000 128
set diffserv policy police action conform drop policyAccessACL classIP49
set diffserv policy police style simple policyAccessACL classIP177 1000000 128
set diffserv policy police action conform drop policyAccessACL classIP177
set diffserv service add in fe.1.1-24 policyAccessACL
See also: 5847.

topic Configuring DiffServ on the SecureStacks/D-Series in FAQs

Configuring DiffServ on the SecureStacks/D-Series