This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Extreme Networks
- Community List
- Switching & Routing
- ExtremeSwitching (EXOS/Switch Engine)
- RE: Any implication using ACL to classify ALL traf...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Any implication using ACL to classify ALL traffic?
Any implication using ACL to classify ALL traffic?
Anonymous
Not applicable
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
04-23-2016 04:53 PM
Been given a requirement to implement a QoS configuration that I will be prioritising Voice and Video via an ACL on certain ports numbers.
My query is that I would then use a permit all on all remaining traffic to mark it with CS1 (DSCP and then put this into QP2.
The idea I believe is that anything quantified as 'bad' traffic can then be put into best effort, QP1, if required.
So my question is, all though I know ACL's are done in hardware I'm not sure if using an ACL for this purpose on every single packet would over burden the switch in some manner?
The switch is an X440, but interested if the outcome should this be a G2 or any other model be the same?
Many thanks in advance.
My query is that I would then use a permit all on all remaining traffic to mark it with CS1 (DSCP and then put this into QP2.
The idea I believe is that anything quantified as 'bad' traffic can then be put into best effort, QP1, if required.
So my question is, all though I know ACL's are done in hardware I'm not sure if using an ACL for this purpose on every single packet would over burden the switch in some manner?
The switch is an X440, but interested if the outcome should this be a G2 or any other model be the same?
Many thanks in advance.
8 REPLIES 8
Anonymous
Not applicable
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
04-27-2016 01:38 PM
Thanks for the help - there is a slight problem with that in the why QoS is going to be implemented.
Basically the idea is not to trust anything at the edge, as it has been known for users to actively mark traffic with a QoS (DSCP) value. As an example a user could mark all their web traffic with a DSCP of 46 and then take advantage of QoS mechanisms employed, say for voice, also using DSCP 46.
So the idea is to create a untrusted and trusted area in the design. Everything south of the edge is untrusted. Everything north of the uplinks is trusted.
To make this demarcation work I will basically be turning off dot1p and diffserv examination south of the edge and enable it north of the uplinks.
ACL's will then be used at the edge to classify Voice and Video using port numbers with the use of diffserv replacement. Also the ACL will capture all remaining traffic and put it into QP2 as this thread details.
Now all traffic that enters the north side should be appropriately marked and we can use diffserv examination then onwards to trust the traffic. I will of course need to make sure any other traffic coming into the network, say from servers, web, are all put into QP2 (CS1, DSCP .
So you can see I need the ACL to profile all traffic into QP2 as a kind of permit all, without trusting any 802.1p or DSCP values, while at the same time not effecting control traffic. It might be that I don't actually need to worry about any control traffic if I'm only applying this to an edge port?
Basically the idea is not to trust anything at the edge, as it has been known for users to actively mark traffic with a QoS (DSCP) value. As an example a user could mark all their web traffic with a DSCP of 46 and then take advantage of QoS mechanisms employed, say for voice, also using DSCP 46.
So the idea is to create a untrusted and trusted area in the design. Everything south of the edge is untrusted. Everything north of the uplinks is trusted.
To make this demarcation work I will basically be turning off dot1p and diffserv examination south of the edge and enable it north of the uplinks.
ACL's will then be used at the edge to classify Voice and Video using port numbers with the use of diffserv replacement. Also the ACL will capture all remaining traffic and put it into QP2 as this thread details.
Now all traffic that enters the north side should be appropriately marked and we can use diffserv examination then onwards to trust the traffic. I will of course need to make sure any other traffic coming into the network, say from servers, web, are all put into QP2 (CS1, DSCP .
So you can see I need the ACL to profile all traffic into QP2 as a kind of permit all, without trusting any 802.1p or DSCP values, while at the same time not effecting control traffic. It might be that I don't actually need to worry about any control traffic if I'm only applying this to an edge port?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
04-27-2016 01:38 PM
Thanks Erik, much appreciated.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
04-27-2016 01:38 PM
By changing the default mapping to have everything that would usually enter QP1 sent to QP2 changes nothing except providing an even lower queue to sent traffic to via ACL.
Traffic that would be sent to QP8 by default should not be allowed into access ports (e.g. by replacing the dot1p and/or DSCP fields). Inter switch links need to allow QP8 traffic.
Any traffic that shall be (de-)prioritized should be identified by an ACL and set to the intended "qosprofile".
Thus there is no trust for access ports.
You are right, applying the classification ACLs to access (edge) ports only should leave any network control traffic untouched.
Traffic that would be sent to QP8 by default should not be allowed into access ports (e.g. by replacing the dot1p and/or DSCP fields). Inter switch links need to allow QP8 traffic.
Any traffic that shall be (de-)prioritized should be identified by an ACL and set to the intended "qosprofile".
Thus there is no trust for access ports.
You are right, applying the classification ACLs to access (edge) ports only should leave any network control traffic untouched.
Anonymous
Not applicable
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
04-27-2016 06:18 AM
Thanks for posting Erik.
Your answer nicely lead into my next question in how exactly I would not downgrade network control traffic.
My assumption would be that using a permit all rule to classify all traffic into QP2 would also capture network control traffic, which means I would have to create a rule to capture all the control traffic and queue appropriately.
My other thought is that I might be able to create the ACL so that I can simply just exempt all QP8 and QP7 (used for stacking) traffic.
Any ideas how you would do it?
Many thanks.
Your answer nicely lead into my next question in how exactly I would not downgrade network control traffic.
My assumption would be that using a permit all rule to classify all traffic into QP2 would also capture network control traffic, which means I would have to create a rule to capture all the control traffic and queue appropriately.
My other thought is that I might be able to create the ACL so that I can simply just exempt all QP8 and QP7 (used for stacking) traffic.
Any ideas how you would do it?
Many thanks.
