Network Time Protocol (NTP)



Network Time Protocol (NTP) is a protocol for synchronizing device clocks across IP-based computer networks. The latest documented version is NTP version 3 (NTPv3), defined in IETF RFC 1305. NTP uses UDP port 123 for the distribution of Coordinated Universal Time (UTC) in a hierarchical tree structure. Clocks are synchronized based on their stratum level, which indicates their distance from an authoritative reference clock. Stratum 0 clocks are devices that keep highly accurate time, such as atomic clocks. Stratum 1 clocks are computers that receive time directly from stratum 0 clocks. Stratum 2 clocks are computers that receive time from stratum 1 computers, and so forth. Network administrators typically synchronize the clocks of network infrastructure devices so that the timestamps of event logs collected from routers and switches through SYSLOG and SNMP traps are consistent.
Cisco TelePresence endpoints (CTS devices, CTS-MAN, and the CTMS) all support NTP for time synchronization, which is necessary within a TelePresence deployment for scheduling the resources for a meeting. Time must also be synchronized with any email and calendaring systems, such as Microsoft Exchange or IBM/Lotus Domino, used to schedule meetings. Finally, it should be noted that Cisco TelePresence deployments also rely on secure communication protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol over Secure Socket Layer (HTTPS) for secure management, and Transport Layer Security (TLS) for secure SIP signaling. These security protocols often rely on digital certificates, which are valid only within a specific range of dates. Therefore, to prevent issues with these security protocols due to incorrect dates configured within TelePresence equipment, time synchronization through a mechanism such as NTP is recommended.
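For the network infrastructure devices themselves, NTP is typically enabled with a few IOS commands. The following is a minimal sketch, assuming hypothetical NTP server addresses (from the documentation range) and a US Pacific time zone; the actual servers and time zone depend on the deployment:

Router(config)# ntp server 192.0.2.10
Router(config)# ntp server 192.0.2.11 prefer
Router(config)# ! Prefers the second (hypothetical) server when both are reachable
Router(config)# clock timezone PST -8
Router(config)# clock summer-time PDT recurring
Router(config)# service timestamps log datetime msec localtime show-timezone
Router(config)# ! Timestamps SYSLOG messages with synchronized local time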

IEEE 802.3af: Power over Ethernet



The IEEE 802.3af specification defines a standards-based mechanism for providing Power over Ethernet (PoE) to devices. Power is provided inline, using two of the four available pairs (4 wires) of the 8-pin modular jack used for twisted-pair Ethernet connections. The standard introduces two types of devices:
  • Power Sourcing Equipment (PSE): Includes devices such as Ethernet switches and power injectors that provide inline power to powered devices
  • Powered Devices: Includes devices such as IP Phones, access points, and IP cameras that receive power from PSE
The specification defines a nominal voltage of 48 volts direct current (min 44 Vdc to max 57 Vdc), with a maximum power output of 15.4 watts per PSE (switch) port. To support more intelligent power management, the PSE might optionally classify powered devices. Table 1 shows the currently defined power classifications.
Table 1: IEEE 802.3af Power Classifications

Class   Max Output Power (Watts)
0       15.4
1       4.0
2       7.0
3       15.4
4       Treat device as Class 0
If the PSE cannot determine the power classification of a powered device, it should default to treating it as a Class 0 device with a maximum of 15.4 watts. Class 4 is reserved for future use. The IEEE 802.3at task force is currently working on an extension to PoE, commonly referred to as PoE+, which might extend the amount of power supplied by a PSE to 24 watts per port.
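On the switch side, inline power is normally negotiated automatically, but the PSE allocation can also be capped per port on platforms that support it. The following is a minimal Catalyst 3560/3750-style sketch, assuming a hypothetical interface; the max keyword (where supported) caps the allocated inline power in milliwatts:

Switch(config)# interface GigabitEthernet1/0/2
Switch(config-if)# power inline auto max 15400
Switch(config-if)# ! Allows 802.3af negotiation but caps allocation at 15.4 W (Class 0/3)
Switch(config-if)# exit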
In Cisco TelePresence deployments, IEEE 802.3af-based PoE is supplied by the primary codec to the attached IP 7975G Phone (Class 3 device) associated with the CTS endpoint. Power can also be provided locally to the IP 7975G Phone if desired. PoE is also supplied to the primary and auxiliary cameras connected to the primary codec. If the CTS endpoint supports multiple codecs, such as with the CTS-3200 or CTS-3000, the secondary codecs supply PoE to their associated primary camera Ethernet connections as well.

IEEE 802.1p/Q Utilization Within Cisco TelePresence Networks



When a TelePresence endpoint is configured to utilize a Voice VLAN (VVLAN) (consistent with current best practice recommendations for IP telephony deployments), the switch port to which the endpoint is connected effectively operates as a VLAN trunk. All traffic (voice, video, signaling, and management) received from the primary codec of the TelePresence endpoint includes an IEEE 802.1Q header with the VLAN tag corresponding to the VVLAN number. Likewise, all traffic sent to the primary codec from the Cisco Catalyst access edge switch also includes a VLAN tag corresponding to the VVLAN number. VLAN tagging is also extended to all traffic to and from the associated IP Phone attached to the primary codec of a CTS endpoint. Figure 1 shows an example of this.

 
Figure 1: Voice VLAN tagging of TelePresence traffic
A Voice VLAN that carries both TelePresence traffic and traditional VoIP traffic can be used both to isolate access to devices on the Voice VLAN and to provide separate, consistent quality of service (QoS) for all traffic on the VVLAN across the network infrastructure. Traffic isolation can be accomplished with access control lists (ACLs) defined on network infrastructure devices, which restrict access to the VVLAN to only those devices that require it. Consistent QoS can be provided by trusting the CoS value of ingress frames from the VVLAN and mapping CoS values to ingress or egress queues for prioritization. CoS values can also be mapped to DSCP values to provide consistent QoS and prioritization as the TelePresence traffic flows across Layer 3 uplinks that do not use VLAN trunking.
The implementation of a VVLAN for TelePresence deployments is optional. If a VVLAN is not defined on the Cisco Catalyst access edge switch, all traffic to and from the TelePresence endpoint is sent without any IEEE 802.1Q VLAN tags. In such cases, the switch can be configured to trust the DSCP value within the Layer 3 IP header of the TelePresence traffic and then map the DSCP values into appropriate ingress or egress queues for prioritization across the network infrastructure.
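As a concrete illustration of both approaches, the following is a minimal Catalyst 3560/3750-style access-edge sketch, assuming hypothetical interface and VLAN numbers; the trust setting would be changed from CoS to DSCP if no Voice VLAN is deployed:

Switch(config)# mls qos
Switch(config)# ! Enables QoS globally (required before trust settings take effect)
Switch(config)# interface GigabitEthernet1/0/10
Switch(config-if)# description CTS primary codec
Switch(config-if)# switchport access vlan 10
Switch(config-if)# ! Data VLAN (untagged)
Switch(config-if)# switchport voice vlan 110
Switch(config-if)# ! Voice VLAN; codec and IP Phone traffic is 802.1Q-tagged with VLAN 110
Switch(config-if)# mls qos trust cos
Switch(config-if)# ! Trusts 802.1p CoS on ingress (use "mls qos trust dscp" if no VVLAN is used)
Switch(config-if)# exit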

IEEE 802.1p/Q: VLAN Tagging and CoS



The IEEE 802.1Q specification defines a standards-based mechanism for providing VLAN tagging and class of service (CoS) across Ethernet networks. This is accomplished through an additional 4-byte tag, which carries VLAN and frame prioritization information, inserted within the header of a Layer 2 Ethernet frame, as shown in Figure 1.

 
Figure 1: Ethernet frame with 802.1Q tag
The 802.1Q tag has a specific format, consisting of four fixed-length fields. Two of the four fields carry the frame prioritization and VLAN information. Figure 2 illustrates the format of the 802.1Q tag itself.

 
Figure 2: IEEE 802.1Q tag format
The following are the fields within the 802.1Q tag:
  • Tag Protocol Identifier (TPID): 802.1Q tagged Ethernet frames are indicated by a value of 0x8100 within this 16-bit field.
  • Priority Code Point (PCP): A 3-bit field that indicates the frame priority level.
  • Canonical Format Indicator (CFI): A 1-bit field set to 0 for Ethernet. Used for compatibility between Ethernet and Token Ring.
  • VLAN Identifier (VID): A 12-bit field that specifies the VLAN to which the frame belongs.
The IEEE 802.1Q standard allows up to 4096 VLAN identifiers (of which 4094 are usable, because the values 0x000 and 0xFFF are reserved). To ensure interoperability with devices that do not support 802.1Q, the concept of the native VLAN was also introduced. Frames belonging to the native VLAN are not modified by the sending device (that is, the 4-byte 802.1Q tag is not added to the frame) when they are sent over a trunk. Likewise, any frame received over a trunk without an 802.1Q tag is placed into the native VLAN of the receiving device.
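The following is a minimal sketch of an 802.1Q trunk on a Catalyst switch, assuming hypothetical interface and VLAN numbers, to show how the native VLAN is specified:

Switch(config)# interface GigabitEthernet1/0/24
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# ! Not required on platforms that support only 802.1Q
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk native vlan 10
Switch(config-if)# ! VLAN 10 frames are sent untagged; untagged frames received are placed in VLAN 10
Switch(config-if)# switchport trunk allowed vlan 10,110
Switch(config-if)# exit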
The operation of the three bits of the Priority Code Point (PCP) field is defined within the IEEE 802.1p standard, which is an extension of 802.1Q. The IEEE 802.1p and 802.1Q standards, therefore, work together to provide expedited traffic capabilities at the Layer 2 frame level. The IEEE 802.1p standard establishes eight levels of priority, referred to as CoS values. Table 1 illustrates the mapping of the CoS value to the bit field.
Table 1: CoS Value to PCP Bit Field Mapping

CoS Value   Bit Field
CoS 7       111
CoS 6       110
CoS 5       101
CoS 4       100
CoS 3       011
CoS 2       010
CoS 1       001
CoS 0       000
Common practice is to map different classes of traffic to different CoS values as they are sent across VLAN trunks. For example, VoIP traffic might be sent with a CoS value of 5, TelePresence with a CoS value of 4, and normal data traffic with the default CoS value of 0. Prioritization of these traffic classes is then implemented through separate queues within the network infrastructure devices that send and receive the frames.

Hierarchical QoS Policies


HQoS

A final element to consider about MQC-based QoS tools is that they can be combined in a hierarchical fashion, meaning that MQC policies can contain other “nested” QoS policies within them. Such policy combinations are commonly referred to as Hierarchical QoS (HQoS) policies. HQoS policies are crucial in some TelePresence deployment scenarios, particularly with respect to subline rate services such as Metro Ethernet or MPLS VPN services (with Ethernet handoffs).
Syntactically, HQoS policies can be constructed within MQC by attaching the service-policy command to a per-class action within a policy map, rather than to an interface. Incidentally, the output keyword is not required for such a policy because this is implied.
Consider a couple of examples where HQoS policies might be useful. First, look at an example of nested HQoS policies using the same QoS tool (such as a hierarchical policer), and then take a look at HQoS policies using a combination of different QoS tools (such as an HQoS shaping with queuing policy).
In the first case, you might encounter scenarios where some applications require policing at multiple levels. For example, it might be desirable to limit all TCP traffic to 5 Mbps, while, at the same time, limiting FTP traffic (which is a subset of TCP traffic) to no more than 1.5 Mbps. To achieve this nested policing requirement, Hierarchical Policing can be used.
The policer at the second level in the hierarchy acts on packets transmitted or marked by the policer at the first level. Therefore, any packets dropped by the first level are not seen by the second level. Up to three nested levels are supported by the Cisco IOS Hierarchical Policing feature.
Example 1 shows the configuration for the nested, two-level, hierarchical policing of TCP and FTP traffic.
Example 1: Hierarchical Policing Policy Example

Router(config)# policy-map FTP-POLICER
Router(config-pmap)# class FTP
Router(config-pmap-c)# police cir 1500000
Router(config-pmap-c-police)# conform-action transmit
Router(config-pmap-c-police)# exceed-action drop
Router(config-pmap-c-police)# violate-action drop
Router(config-pmap-c)# exit
Router(config-pmap)# exit
Router(config)# policy-map TCP-POLICER
Router(config-pmap)# class TCP
Router(config-pmap-c)# police cir 5000000
Router(config-pmap-c-police)# conform-action transmit
Router(config-pmap-c-police)# exceed-action drop
Router(config-pmap-c-police)# violate-action drop
Router(config-pmap-c-police)# exit
Router(config-pmap-c)# service-policy FTP-POLICER

Figure 1 illustrates the logic of this hierarchical policing example.

 
Figure 1: Hierarchical policing logic example
Additionally, it is often useful to combine shaping and queuing policies in a hierarchical manner, particularly over subline rate access scenarios.
As previously discussed, queuing policies only engage when the physical interface is congested (as is indicated to IOS Software by a full Tx-Ring). This means that queuing policies never engage on media that has a contracted subline rate of access, whether this media is Frame Relay, ATM, or Ethernet. In such a scenario, queuing can be achieved only at a subline rate by introducing a two-part HQoS policy wherein
  • Traffic is shaped to the subline rate.
  • Traffic is queued according to the LLQ/CBWFQ policies within the subline rate.
With such an HQoS policy, it is not the Tx-Ring that signals IOS Software to engage LLQ/CBWFQ policies, but rather it is the Class-Based Shaper that triggers software queuing when the shaped rate has been reached.
Consider a practical example: A service provider offers an enterprise subscriber a GigabitEthernet handoff, but with a (subline rate) contract for only 60 Mbps, over which the subscriber wants to deploy IP telephony, TelePresence, and data applications. Normally, queuing policies would engage on this GE interface only when the offered traffic rate exceeds 1000 Mbps. However, the enterprise administrator wants to ensure that traffic within the 60 Mbps contracted rate is properly prioritized prior to the handoff so that both VoIP and TelePresence are given the highest levels of service. Therefore, he configures an HQoS policy that shapes all traffic to the contracted 60 Mbps rate in software and attaches a nested LLQ/CBWFQ queuing policy within the shaping policy so that traffic is properly prioritized within this 60 Mbps subline rate. Finally, the shaping policy (with the nested queuing policy) is attached to the GE interface, as shown in Example 2.
Example 2: Hierarchical Shaping and Queuing Policy Example

Router(config)# class-map match-all VOIP
Router(config-cmap)# match dscp ef
Router(config-cmap)# ! Matches VoIP on DSCP EF
Router(config-cmap)# exit
Router(config)# class-map match-all TELEPRESENCE
Router(config-cmap)# match dscp cs4
Router(config-cmap)# ! Matches TelePresence on DSCP CS4 (per RFC4594)
Router(config-cmap)# exit
Router(config)#
Router(config)# policy-map LLQ-CBWFQ
Router(config-pmap)# class VOIP
Router(config-pmap-c)# priority percent 10
Router(config-pmap-c)# ! Provisions 6 Mbps of LLQ for VoIP
Router(config-pmap-c)# class TELEPRESENCE
Router(config-pmap-c)# priority percent 25
Router(config-pmap-c)# ! Provisions 15 Mbps of LLQ for TelePresence
Router(config-pmap-c)# class CALL-SIGNALING
Router(config-pmap-c)# bandwidth percent 5
Router(config-pmap-c)# class TRANSACTIONAL-DATA
Router(config-pmap-c)# bandwidth percent 20
Router(config-pmap-c)# class BULK-DATA
Router(config-pmap-c)# bandwidth percent 10
Router(config-pmap-c)# class class-default
Router(config-pmap-c)# fair-queue
Router(config-pmap-c)# exit
Router(config-pmap)# exit
Router(config)# 
Router(config)# policy-map HQoS-60MBPS
Router(config-pmap)# ! HQoS Shaping policy
Router(config-pmap)# class class-default
Router(config-pmap-c)# shape average 60000000 1200000
Router(config-pmap-c)# ! Rate=60 Mbps; Bc=1.2 Mb; Tc=20 ms
Router(config-pmap-c)# service-policy LLQ-CBWFQ
Router(config-pmap-c)# ! Forces queuing policy to engage at sub-line rate
Router(config-pmap-c)# exit
Router(config-pmap)# exit
Router(config)#
Router(config)# interface GigabitEthernet0/1
Router(config-if)# description Access Edge (60 Mbps CIR over GE)
Router(config-if)# service-policy output HQoS-60MBPS
Router(config-if)# ! Attaches HQoS policy to GE interface
Router(config-if)# exit
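The two values on the shape average line follow directly from the token bucket relationship Bc = CIR x Tc: with CIR = 60,000,000 bps and a committed interval (Tc) of 20 ms, Bc = 60,000,000 x 0.02 = 1,200,000 bits, which is the second parameter configured in the policy.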

Figure 2 illustrates the underlying mechanisms for this HQoS policy.

 
Figure 2: HQoS Policy: Shaping to a Subline Rate with Queuing Within the Shaped Rate

Explicit Congestion Notification | Dropping Tools



Traditionally, the only way to inform sending hosts that there was congestion on the network and that the hosts should slow their transmission rates was by dropping TCP packets.
RFC 3168, however, defined a new and more efficient way for the network to communicate congestion to sending hosts, namely “The Addition of Explicit Congestion Notification (ECN) to IP.” By marking the final two bits of the ToS byte of the IP header, devices can communicate to each other and to endpoints that they are experiencing congestion. These two bits are defined as follows:
  • ECN-capable Transport (ECT) bit: This bit indicates whether the device and the transport protocol support ECN.
  • Congestion Experienced (CE) bit: This bit (in conjunction with the ECT bit) indicates whether congestion was experienced en route.
Figure 1 shows the location of the ECN bits in the ToS byte of an IP packet header.

 
Figure 1: IP ToS byte ECN bits
During periods of congestion, WRED/DSCP-based WRED drops packets when the average queue length exceeds a specific threshold value. ECN is an extension to WRED, such that ECN marks packets, instead of dropping them, to communicate the existence of congestion when the average queue length exceeds a specific threshold value. Routers configured with the WRED ECN feature use this marking as a signal to application endpoints that the network is congested. This way, TCP transmission rates can be adjusted by the application endpoints without dropping packets (or at least while dropping far fewer packets).
WRED ECN is enabled with the ecn keyword of the random-detect command. WRED ECN can be enabled by itself or in conjunction with WRED or DSCP-based WRED (as shown in Example 1).
Example 1: DSCP-Based WRED ECN Policy Example

Router(config)# policy-map WRED-ECN
Router(config-pmap)# class class-default
Router(config-pmap-c)# fair-queue
Router(config-pmap-c)# random-detect dscp-based
Router(config-pmap-c)# random-detect ecn

DSCP-Based WRED | Dropping Tools



As previously discussed, IP Precedence marking has been made obsolete by Differentiated Services, and as such, tools based on IPP, such as WRED, need to be modified accordingly. To achieve DiffServ compliance, the WRED algorithm can be optionally modified to operate based on the Assured Forwarding (AF) drop-preference values (as defined in RFC 2597) to influence its drop probability as queues fill. Such operation is referred to as DSCP-based WRED. Remember, the second digit of an AF codepoint indicates drop preference and can range from 1 (lowest drop preference) to 3 (highest drop preference). For example, if DSCP-based WRED is enabled on a queue servicing AF class 2 traffic, AF23 would be statistically dropped more often than AF22, which, in turn, would be statistically dropped more often than AF21. Figure 1 illustrates a simplified example of DSCP-based WRED for AF class 2.

 
Figure 1: DSCP-based WRED operation for AF class 2
DSCP-based WRED can be enabled on a CBWFQ—with or without a FQ pre-sorter—with the dscp-based keyword in conjunction with the random-detect command, as demonstrated in Example 1.
Example 1: Enabling DSCP-Based WRED on a CBWFQ

Router(config)# policy-map DSCP-WRED
Router(config-pmap)# class TCP
Router(config-pmap-c)# bandwidth percent 30
Router(config-pmap-c)# random-detect dscp-based
Router(config-pmap-c)# class UDP
Router(config-pmap-c)# bandwidth percent 20
Router(config-pmap-c)# class class-default
Router(config-pmap-c)# fair-queue
Router(config-pmap-c)# random-detect dscp-based

Additionally, DSCP-based WRED thresholds and mark probability denominators are tunable on a per-codepoint basis using the dscp keyword in conjunction with the random-detect command. In Example 2, the minimum threshold for AF11 is set to 5 (meaning that as soon as the average queue depth reaches 5 packets, WRED randomly begins dropping AF11-marked packets). The maximum threshold for AF11 (at which all AF11-marked packets are dropped) is set to 20 packets. And the mark probability denominator is set to 8 (meaning that between these thresholds, up to 1 in 8 packets marked AF11 are dropped).
Example 2: Tuned DSCP-Based WRED Example

Router(config)# policy-map TUNED-DSCP-WRED
Router(config-pmap)# class AF1
Router(config-pmap-c)# bandwidth percent 10
Router(config-pmap-c)# random-detect dscp-based
Router(config-pmap-c)# random-detect dscp af11 5 20 8

Weighted-RED (WRED) | Dropping Tools


WRED

WRED is an enhancement to RED that enables a degree of influence over the randomness of the selection of packets to be dropped. WRED factors the weight of the packet into the drop selection process; in Cisco IOS routers, the weight is based on the IP Precedence (IPP) value of the packet, whereas in Cisco Catalyst switches, the weight might be the CoS value of the packet (which is termed CoS-based WRED). To simplify the discussion, IP Precedence-based WRED is discussed, but the principles apply equally to CoS-based WRED.
Within the WRED algorithm, a minimum threshold for a given IPP value determines the queue depth at which packets of that IPP value begin to be randomly dropped. The maximum threshold determines the queue depth at which all packets of a given IPP value are dropped. These thresholds are configurable, as is the Mark Probability Denominator (MPD), which determines how aggressively the packets of a given IPP value are dropped. (For example, a mark probability denominator of 10 indicates that up to 1 in 10 packets of a given precedence value will be randomly dropped.)
By default, WRED drops packets with lower IPP values sooner than packets with higher IPP values. Figure 1 provides a simplified illustration of WRED operation.

 
Figure 1: Weighted RED operation
WRED is enabled on a per-class basis with the random-detect command, as demonstrated in Example 1. As previously noted, WRED is dependent on queuing; therefore, before WRED can be enabled on a class of traffic, a CBWFQ queuing option, with or without a FQ pre-sorter, needs to be applied to the class. (WRED is not appropriate on the LLQ, which is intended for latency and drop-sensitive traffic.)
Example 1: Enabling WRED on a Per-Class Basis

Router(config)# policy-map WRED
Router(config-pmap)# class TCP
Router(config-pmap-c)# bandwidth percent 30
Router(config-pmap-c)# random-detect
Router(config-pmap-c)# class UDP
Router(config-pmap-c)# bandwidth percent 20
Router(config-pmap-c)# class class-default
Router(config-pmap-c)# fair-queue
Router(config-pmap-c)# random-detect

Dropping Tools | Network Quality of Service



Although dropping policies generally are not applicable to TelePresence flows, they do play an important part in the overall QoS policy design of TelePresence networks. Dropping tools are complementary to (and dependent on) queuing tools; specifically, queuing algorithms manage the front of a queue (that is, how a packet exits a queue), whereas congestion avoidance mechanisms manage the tail of a queue (that is, how a packet enters a queue).
Dropping tools, sometimes called congestion avoidance mechanisms, are designed to optimize TCP-based traffic. TCP has built-in flow-control mechanisms that operate by increasing the transmission rates of traffic flows until packet loss occurs, at which point TCP abruptly squelches the transmission rate and then gradually begins to ramp it higher again. Incidentally, this behavior makes a strong case against the statement that “QoS isn’t necessary; just throw more bandwidth at it,” because, if left unchecked, lengthy TCP sessions (as are typical with bulk data and scavenger applications) will consume any and all available bandwidth, simply due to the nature of TCP windowing.
When no congestion avoidance algorithms are enabled on an interface, the interface is said to tail drop. That is, after the queuing buffers have filled, all other packets are dropped as they arrive.
In a constricted channel, such as in a WAN or VPN, all the TCP connections eventually synchronize with each other as they compete for the channel. Without congestion avoidance mechanisms, they all ramp up together, lose packets together, and then back off together. This behavior is referred to as global synchronization. In effect, waves of TCP traffic flow through the network nodes, with packets overflowing the buffers at each wave peak and lulls in traffic between the waves.
Figure 1 illustrates TCP global synchronization behavior attributable to tail-dropping and the suboptimal effect this behavior has on bandwidth utilization.

 
Figure 1: TCP global synchronization
Random Early Detect (RED) counters the effects of TCP global synchronization by randomly dropping packets before the queues fill to capacity.
Instead of waiting for queuing buffers to fill before dropping packets, RED causes the router to monitor the buffer depth and perform early discards (drops) on random packets when the defined queue threshold has been exceeded.
RED drops occur within the operational bounds of TCP retry timers, which slows the transmission rates of the sessions but prevents them from slow-starting. Thus, RED optimizes network throughput of TCP sessions.
Because UDP does not have any retry logic, congestion avoidance techniques such as RED (and variants) do not optimize UDP-based traffic.
Note 
Cisco IOS Software does not (directly) support Random Early Detect (RED), only Weighted-RED (WRED), discussed in the next section. However, if all packets assigned to a WRED-enabled queue have the same IP Precedence or DSCP markings, the effective policy is simply RED.

Hardware Queuing: 1PxQyT



To scale QoS functionality to campus speeds (like Gigabit Ethernet or 10 Gigabit Ethernet), Catalyst switches must perform QoS operations, including queuing, within hardware. For the most part, classification, marking, and policing policies (and syntax) are consistent in both Cisco IOS Software and Catalyst hardware; however, queuing and dropping are significantly different when implemented in hardware. Hardware queuing across Catalyst switches is implemented in a model that can be expressed as 1PxQyT, where
  • 1P represents the support of a strict-priority hardware queue (which is usually disabled by default)
  • xQ represents x number of nonpriority hardware queues (including the default, Best-Effort queue)
  • yT represents y number of drop-thresholds per nonpriority hardware queue
For example, a Catalyst 6500 48-port 10/100/1000 RJ-45 Module (WS-X6748-GE-TX) has a 1P3Q8T queuing structure, meaning that it has
  • One strict priority hardware queue (which, incidentally, on this linecard is Queue 4)
  • Three additional nonpriority hardware queues, each with eight configurable Weighted Random Early Detect (WRED) drop thresholds per queue
Traffic assigned to the strict-priority hardware queue is treated with an Expedited Forwarding Per-Hop Behavior (EF PHB). That being said, it bears noting that on some platforms, there is no explicit limit on the amount of traffic that can be assigned to the PQ, and as such the potential to starve nonpriority queues exists. However, this potential for starvation can be effectively addressed by explicitly configuring input policers that limit (on a per-port basis) the amount of traffic that can be assigned to the priority queue (PQ). Incidentally, this is the recommended approach defined in RFC 3246 (Section 3).
Traffic assigned to a nonpriority queue will be provided with bandwidth guarantees, subject to the PQ being either fully-serviced or bounded with input policers.
For most platforms, there are typically multiple, configurable drop-thresholds per nonpriority queue. These are provided to allow for selective dropping policies (discussed in more detail in the next section) and to accommodate intraqueue QoS, which is more important in hardware queuing structures (where the number of queues is few and fixed) than in software queuing structures (where generally-speaking there are more queues available than needed). For example, if a campus network administrator had 12 classes of traffic to provision, yet had to work within a 1P3Q8T queuing structure, he could configure the drop thresholds to provide intraqueue QoS inline with his overall service-level objectives. In other words, he is not constrained to only provision four classes of traffic because that is the total number of queues his hardware supports.
To better understand the operation of Catalyst hardware queuing, consider a simple example in which the hardware supports a 1P2Q2T queuing structure, meaning one strict-priority queue and two nonpriority queues, each with two configurable drop thresholds. In this example, bandwidth to these queues can be allocated so that Q1 (the default queue) is allocated 85 percent, Q2 (the network control queue) is allocated 10 percent, and Q3 (the priority queue) is allocated 5 percent.
Additionally, consider the use of Weighted Tail Drop (WTD) as the dropping algorithm. In this example, a drop threshold has been configured at 40 percent of Q1’s depth (Q1T1), and another drop threshold has been configured at 40 percent of Q2’s depth (Q2T1). Each queue also has a nonconfigurable drop threshold that corresponds to the tail of the queue (Q1T2 and Q2T2, respectively).
With these queues and thresholds thus provisioned, traffic can be assigned to these queues and thresholds based on CoS values; specifically CoS 5 (representing VoIP) is assigned to Q3, CoS 7 (representing network control protocols, such as Spanning Tree) is mapped to Q2T2, CoS 6 (representing internetworking protocols, such as routing protocols) is mapped to Q2T1, CoS values 2-4 (representing video and data applications) are mapped to Q1T2, and CoS values 0 and 1 are mapped to Q1T1.
Figure 1 illustrates this 1P2Q2T hardware queuing example, with WTD.

 
Figure 1: 1P2Q2T hardware queuing with WTD example
As shown in Figure 1, packets marked CoS 5 are assigned to the strict priority queue (Q3) and are serviced ahead of all other traffic. Additionally, packets with CoS values 0 through 4 are assigned on a first-come, first-serve basis to Q1 until Q1T1 is reached. At this point, the queuing algorithm no longer buffers packets marked with CoS values 0 and 1, but drops these; therefore, the remainder of Q1 is exclusively reserved for packets marked to CoS values 2 to 4 (representing higher-priority traffic). Similarly, packets with CoS values 6 and 7 are assigned to Q2, but packets marked CoS 6 are dropped if Q2T1 is exceeded.
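Although the exact syntax is platform-specific, the following is a rough sketch of CoS-to-queue and threshold mapping in the style of a Catalyst 3560/3750 (a 1P3Q3T structure rather than the 1P2Q2T structure of the preceding example); the queue numbers, thresholds, and CoS assignments shown here are illustrative only:

Switch(config)# mls qos
Switch(config)# ! Enables QoS globally
Switch(config)# mls qos srr-queue output cos-map queue 1 threshold 3 5
Switch(config)# ! CoS 5 (VoIP) to the queue that is enabled as the priority queue below
Switch(config)# mls qos srr-queue output cos-map queue 2 threshold 1 6
Switch(config)# mls qos srr-queue output cos-map queue 2 threshold 3 7
Switch(config)# ! CoS 6 maps to a lower drop threshold than CoS 7 in the control queue
Switch(config)# mls qos srr-queue output cos-map queue 3 threshold 1 0 1
Switch(config)# mls qos srr-queue output cos-map queue 3 threshold 3 2 3 4
Switch(config)# ! CoS 0-1 drop earlier than CoS 2-4 within the same queue (WTD)
Switch(config)# interface GigabitEthernet1/0/24
Switch(config-if)# priority-queue out
Switch(config-if)# ! Enables the strict-priority egress queue on this port
Switch(config-if)# exit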
Additionally, on some platforms and linecards, queuing is possible not only on egress, but also on ingress. This is because some platforms and linecards are engineered based on oversubscription ratios. This engineering approach is often taken because most campus links have average utilization rates far below link capacity and, therefore, can be provisioned more economically with architectures based on oversubscription.
For example, the Cisco Catalyst 3750G is a fixed-configuration switch that supports up to 48 10/100/1000 ports, plus 4 Small Form-Factor Pluggable (SFP) ports for either GE or 10GE uplinks, representing a (minimum) total input capacity of (48 Gbps + 4 Gbps) 52 Gbps. The backplane of the 3750G is a dual 16 Gbps counter-rotating ring, with a total capacity of 32 Gbps. Thus, this 3750G architecture is engineered with a minimum oversubscription ratio of 52:32 or 13:8 or 1.625:1. However, when 10GE SFP uplinks are used or when (up to 9) 3750G switches are stacked (through Cisco Stackwise technology) into one logical grouping sharing the same dual-ring backplane, the oversubscription ratio becomes much higher. Thus, to protect real-time and critical traffic from being potentially dropped during extreme scenarios, when input rates exceed ring capacity, ingress queuing can be enabled on this platform through a 1P1Q3T queuing structure.
Remember that hardware queuing is (as the name implies) hardware-specific; therefore, there is considerable disparity in ingress and egress queuing structures and feature support across Catalyst switches platforms. For example, hardware egress queuing structures include the following:
  • 1P3Q3T (Catalyst 2960 and 3560 or 3750)
  • 1P3Q1T (Catalyst 4500 or 4900) and 1P7Q1T (Catalyst 4500-E or 4900M)
  • 1P2Q1T, 1P2Q2T, 1P3Q1T, 1P3Q8T, 1P7Q4T, and 1P7Q8T (Catalyst 6500, module-dependent)
Note 
Some older Cisco Catalyst 6500 linecards also support 2Q2T, but these linecards are considered legacy and not recommended for IP Telephony and TelePresence deployments. For the full matrix of Catalyst 6500 queuing structures by module, refer to http://tinyurl.com/bgjkr5.
Additionally, some switches support CoS-to-Queue mappings only (like the Catalyst 6500), others support either CoS- or DSCP-to-Queue mappings (like the Catalyst 2960, 3560 and 3750, and 4500 and 4900). Similarly, when it comes to dropping algorithms, some platforms support CoS-based WRED (Catalyst 6500), others support CoS- or DSCP-based Weighted-Tail Drop (WTD) (Catalyst 2960 and 3560 and 3750), or even platform-specific dropping algorithms, such as Dynamic Buffer Limiting (DBL) (Catalyst 4500 and 4900).
Long story short—network administrators need to be thoroughly familiar with the mapping, queuing, and dropping features of their Catalyst switches and linecard platforms to properly provision QoS policies within the campus.

Low-Latency Queuing (LLQ)


LLQ

Low-Latency Queuing (LLQ) is essentially CBWFQ combined with a strict priority queue. Traffic assigned to the strict priority queue, using the priority command, is completely serviced before all other CBWFQ queues are serviced. LLQ bandwidth, like CBWFQ bandwidth, can be assigned either in absolute kbps or as a percentage of the link’s bandwidth (using the priority percent command).
Note 
The original name for the LLQ algorithm was Priority-Queue-Class-Based Weighted-Fair Queuing (PQ-CBWFQ). Although this name was technically more descriptive, it was obviously clumsy from a marketing perspective, hence, the algorithm was renamed LLQ.
To better understand how LLQ works, Example 1 adds a strict priority queue to support VoIP.
Example 1: LLQ/CBWFQ Policy Example

Router(config)# policy-map LLQ
Router(config-pmap)# class VOICE
Router(config-pmap-c)# priority 100
Router(config-pmap-c)# class CALL-SIGNALING
Router(config-pmap-c)# bandwidth percent 5
Router(config-pmap-c)# class TRANSACTIONAL-DATA
Router(config-pmap-c)# bandwidth percent 20
Router(config-pmap-c)# class BULK-DATA
Router(config-pmap-c)# bandwidth percent 10
Router(config-pmap-c)# class class-default
Router(config-pmap-c)# fair-queue

Next, look at Figure 1 to see what has changed in the underlying queuing mechanisms when LLQ has been combined with CBWFQ.

 
Figure 1: LLQ and CBWFQ mechanisms
Note 
For the sake of simplicity, some Layer 2 subsystems (including Link Fragmentation and Interleaving) have been omitted from Figure 1 because these mechanisms simply aren’t relevant at the link speeds required by TelePresence.
In Figure 1, you see a router interface that has been configured with a 5-class LLQ/CBWFQ policy, with voice assigned to a 100-kbps LLQ, three additional explicit CBWFQs defined for Call-Signaling, Transactional Data, and Bulk Data, respectively, and a default queue that has a Fair-Queuing pre-sorter assigned to it. However, an underlying mechanism that might not be obvious from the configuration, but is shown in the illustration, is an implicit policer attached to the LLQ.
The threat posed by any strict priority-scheduling algorithm is that it can completely starve lower-priority traffic. To prevent this, the LLQ mechanism has a built-in policer. This policer (like the queuing algorithm itself) engages only when the LLQ-enabled interface is experiencing congestion. Therefore, it is important to provision the priority classes properly. In this example, if more than 100 kbps of voice traffic were offered to the interface, and the interface were congested, the excess voice traffic would be discarded by the implicit policer. However, traffic that is admitted by the policer gains access to the strict priority queue and is handed off to the Tx-Ring ahead of all other CBWFQ traffic.
Now, consider the case of servicing not just voice with strict-priority LLQ, but also real-time interactive video (which, for the two following examples, is abbreviated simply as video).
Two options exist for the network administrator. The first is to admit both voice and video to the same LLQ. Thus, the second LLQ example policy becomes what is shown in Example 2.
Example 2: Aggregate LLQ for Voice and Video Policy Example

Router(config)# class-map match-any REALTIME
Router(config-cmap)# match dscp ef
Router(config-cmap)# ! Matches VoIP on DSCP EF (per RFC4594)
Router(config-cmap)# match dscp cs4
Router(config-cmap)# ! Matches Realtime-Interactive Video on CS4 (per RFC4594)
Router(config-cmap)#
Router(config-cmap)# policy-map LLQ2
Router(config-pmap)# class REALTIME
Router(config-pmap-c)# priority 500
Router(config-pmap-c)# ! Combined LLQ for VoIP and Video
Router(config-pmap-c)# class CALL-SIGNALING
Router(config-pmap-c)# bandwidth percent 5
Router(config-pmap-c)# class TRANSACTIONAL-DATA
Router(config-pmap-c)# bandwidth percent 20
Router(config-pmap-c)# class BULK-DATA
Router(config-pmap-c)# bandwidth percent 10
Router(config-pmap-c)# class class-default
Router(config-pmap-c)# fair-queue

Figure 2 illustrates the corresponding IOS mechanisms for this second LLQ example.

 
Figure 2: Aggregate LLQ for voice and video policy mechanisms
In Figure 2, you can see that not only has the LLQ been expanded in size (to 500 kbps), but also the implicit policer (for the combined VoIP and TelePresence class) has been increased to 500 kbps. Such a policy can continue to protect voice from data and video from data. However, this policy does potentially allow video to interfere with voice. This is because traffic offered to the LLQ class is serviced on a first-come, first-serve basis. Therefore, should video traffic suddenly burst, it is possible (even likely) that voice traffic would be dropped.
At this point, you can realize another benefit of the implicit policer for the LLQ—not only does this mechanism protect nonreal-time queues from bandwidth-starvation, but also it allows for Time-Division Multiplexing (TDM) of the LLQ. TDM of the LLQ allows for the configuration and servicing of multiple LLQs, while abstracting the fact that there is only a single LLQ “under-the-hood,” so to speak. Pertinent to the example, by configuring two LLQs, not only are voice and video protected from data applications, but also voice and video are protected from interfering with each other.
Example 3 provides the final policy example to cover this point, wherein a dual-LLQ design is used, one each for voice and video.
Example 3: Dual-LLQ for Voice and Video Policy Example

Router(config)# class-map match-all VOICE
Router(config-cmap)# match dscp ef
Router(config-cmap)# ! Matches VoIP on DSCP EF (per RFC4594)
Router(config-cmap)# class-map match-all VIDEO
Router(config-cmap)# match dscp cs4
Router(config-cmap)# ! Matches Realtime-Interactive Video on CS4 (per RFC4594)
Router(config-cmap)# !
Router(config-cmap)# policy-map LLQ3
Router(config-pmap)# class VOICE
Router(config-pmap-c)# priority 100
Router(config-pmap-c)# ! Provisions 100 kbps of LLQ for VoIP
Router(config-pmap-c)# class VIDEO
Router(config-pmap-c)# priority 400
Router(config-pmap-c)# ! Provisions 400 kbps of LLQ for Realtime-Interactive Video
Router(config-pmap-c)# class CALL-SIGNALING
Router(config-pmap-c)# bandwidth percent 5
Router(config-pmap-c)# class TRANSACTIONAL-DATA
Router(config-pmap-c)# bandwidth percent 20
Router(config-pmap-c)# class BULK-DATA
Router(config-pmap-c)# bandwidth percent 10
Router(config-pmap-c)# class class-default
Router(config-pmap-c)# fair-queue

Figure 3 illustrates the corresponding IOS mechanisms for this third LLQ example.

 
Figure 3: Dual-LLQ for voice and video policy mechanisms
In Figure 3, you see that two separate implicit policers have been provisioned, one for the VoIP class (to 100 kbps) and another for the Video class (to 400 kbps), yet there remains only a single strict-priority queue, which is provisioned to the sum of all LLQ classes, in this case 500 kbps (100 kbps + 400 kbps). Traffic offered to either LLQ class is serviced on a first-come, first-serve basis until the implicit policer for that specific class is invoked. For example, if the video class attempts to burst beyond its 400 kbps rate, the excess traffic is dropped.
Therefore, when considering designs to support real-time applications, such as VoIP and TelePresence (a Realtime-Interactive application, as classified in RFC 4594), a dual-LLQ design can provide the best levels of service for VoIP and TelePresence, while preventing them from interfering with each other.