QoS Policies¶
Policies determine which action is performed when packets match selector conditions. They can be applied to an interface's ingress or egress traffic.
Note
The interface can’t be a loopback interface.
Several policies can be set on an interface in ingress or egress to perform different actions on the traffic.
Several selectors can be attached to a given policy, so that actions can be performed based on cumulative conditions defined by the selectors.
Selectors¶
Selectors describe attributes by which packets should be matched. There are two categories of selectors:
general selectors: matching arbitrary binary data of the packet
specific selectors: matching common packet header fields
General selectors¶
General selectors are configured following this model:
(match8bits|match16bits|match32bits) <value> <mask> <offset>
(match8bits|match16bits|match32bits) determines the size in bits of the value.
The extracted value is bitwise ANDed with a mask value.
The offset allows matching packets based on an L2 header field.
The match succeeds if the result matches with any arbitrary packet data.
Specific selectors¶
Specific selectors are configured following this first model:
(ipv4|ipv6|tcp|udp|icmp|icmpv6) <field> <value> <mask>
(ipv4|ipv6|tcp|udp|icmp|icmpv6) determines the selector type.
The extracted value is bitwise ANDed with a mask value.
Note
The mask attribute is optional. If it is not specified, the complete value is matched.
The match succeeds if the result matches the packet header field.
There are several type/field combinations:
ipv4 protocol: matches the 8-bit protocol byte of an IPv4 packet
ipv4 tos: matches the TOS value of an IPv4 packet
ipv4 dscp: matches the DSCP value of an IPv4 packet. There is no mask to provide. This matches the 6 most significant bits of the TOS field.
ipv6 protocol: matches the 8-bit protocol byte of an IPv6 packet
ipv6 tos: matches the TC (Traffic Class) value of an IPv6 packet
ipv6 dscp: matches the DSCP value of an IPv6 packet. There is no mask to provide. This matches the 6 most significant bits of the TC field.
tcp source-port: matches the 16-bit source port of a TCP packet
tcp destination-port: matches the 16-bit destination port of a TCP packet
udp source-port: matches the 16-bit source port of a UDP packet
udp destination-port: matches the 16-bit destination port of a UDP packet
icmp code: matches the 8-bit code field of an ICMPv4 packet
icmp type: matches the 8-bit type field of an ICMPv4 packet
icmpv6 code: matches the 8-bit code field of an ICMPv6 packet
icmpv6 type: matches the 8-bit type field of an ICMPv6 packet
Additionally, there are selectors following this second model:
(ipv4|ipv6) (source|destination) <ipaddress>[/<prefixlen>]
ipv4 source: matches IPv4 source address/subnet
ipv4 destination: matches IPv4 destination address/subnet
ipv6 source: matches IPv6 source address/subnet
ipv6 destination: matches IPv6 destination address/subnet
Enter the global qos context to create selectors. Here we create 4 selectors of different types:
vsr running config# / qos
vsr running qos# selector esp-traffic
vsr running selector esp-traffic#! ipv4 protocol
vsr running protocol#! value 50
vsr running protocol# mask 0xff
vsr running protocol#
vsr running protocol# / qos
vsr running qos# selector ssh-traffic tcp destination-port
vsr running destination-port#! value 22
vsr running destination-port# mask 0xffff
vsr running destination-port#
vsr running destination-port# / qos
vsr running qos# selector pub-iface-ip
vsr running selector pub-iface-ip#! ipv4 destination 200.11.1.0/29
vsr running selector pub-iface-ip#
vsr running selector pub-iface-ip# / qos
vsr running qos# selector matchall
vsr running selector matchall#! match8bits
vsr running match8bits#! value 0
vsr running match8bits#! mask 0x0
vsr running match8bits#! offset 0
vsr running match8bits#
vsr running match8bits# commit
It is also possible to create a selector which matches all traffic of a particular type by specifying the keyword match-all. Here we create a selector matching all IPv4 traffic:
vsr running config# / qos
vsr running qos# selector match-all-ipv4 ipv4 match-all
vsr running ipv4#
vsr running ipv4# / qos
vsr running qos# show config
qos
    class-mask 0xFFFFFFFF
    selector match-all-ipv4
        ipv4
            match-all
            ..
        ..
    ..
Policies¶
Policies describe the actions to take when packets match selector attributes. A policy is created on an interface in ingress or egress. It takes the following parameters:
selector: the list of the selectors attached to the policy. They determine the set of conditions to match.
priority: determines the order in which the policies will be executed. The lower the number, the earlier the policy is applied.
action: the action to take if the conditions set by the selectors are met.
The possible actions when a packet matches all the selectors of a policy are:
pass: matched packets are passed through the stack.
set-mark <mark>: set a firewall mark to a specified value on matched packets. This mark will be used for QoS classification.
restore-connmark: if the packet belongs to a connection identified by the conntrack module and a mark was assigned to the connection via a save-mark, then set the packet mark to that value. If no connection is associated with the packet, its mark is set to 0. This mark will be used for QoS classification.
redirect <qos_hub_iface>: redirect matched packets to a QoS-hub interface.
set-priority <packet_priority>: set the packet priority to the specified value on matched packets. The packet priority is used for VLAN/MPLS QoS egress mapping.
Redirection to QoS-hub interfaces is used in two cases:
To perform QoS scheduling on ingress traffic: a policy is created in ingress with an action of redirection to a QoS-hub interface. On this QoS-hub interface, a scheduler is created in egress. Once the traffic is scheduled on this QoS-hub interface, it is reinjected in ingress to the original interface.
To aggregate traffic from a group of interfaces: on each of these interfaces, a policy is created in ingress or egress with an action of redirection to a QoS-hub interface. On this QoS-hub interface, a scheduler is created in egress. Once the traffic is scheduled on this QoS-hub interface, it is reinjected into each original interface, in the respective traffic direction it was originally sent to.
Note
The redirection can only be made to interfaces of type QoS-hub.
Note
The interface on which the redirection policy is configured and the QoS-hub interface must be in the same VRF or L3VRF.
Note
Only interfaces supporting Ethernet frames can be redirected.
Note
QoS-hub traffic cannot be redirected.
Policy templates¶
Policy templates are created in the global qos context with the policy command. They can then be referenced by a physical interface on ingress or egress.
Enter the global qos context to create policies. Here we create 3 policies that use the selectors configured above:
vsr running config# / qos
vsr running qos# policy esp-pass
vsr running policy esp-pass#! priority 1
vsr running policy esp-pass#! selector esp-traffic
vsr running policy esp-pass#! selector pub-iface-ip
vsr running policy esp-pass#! action pass
vsr running policy esp-pass#
vsr running policy esp-pass# / qos
vsr running qos# policy ssh-pass
vsr running policy ssh-pass#! priority 2
vsr running policy ssh-pass#! selector ssh-traffic
vsr running policy ssh-pass#! selector pub-iface-ip
vsr running policy ssh-pass#! action pass
vsr running policy ssh-pass#
vsr running policy ssh-pass# / qos
vsr running qos# policy rest-redir
vsr running policy rest-redir#! priority 3
vsr running policy rest-redir#! selector matchall
vsr running policy rest-redir#! action redirect ifb1
vsr running policy rest-redir#
vsr running policy rest-redir# commit
Configuration committed.
Review the QoS configuration:
vsr running config# / qos
vsr running qos# show config
qos
    class-mask 0xFFFFFFFF
    selector esp-traffic
        ipv4
            protocol
                value 50
                mask 0xff
                ..
            ..
        ..
    selector ssh-traffic
        tcp
            destination-port
                value 22
                mask 0xffff
                ..
            ..
        ..
    selector pub-iface-ip
        ipv4
            destination 200.11.1.0/29
            ..
        ..
    selector matchall
        match8bits
            value 0
            mask 0x0
            offset 0
            ..
        ..
    policy esp-pass
        priority 1
        selector esp-traffic
        selector pub-iface-ip
        action
            pass
            ..
        ..
    policy ssh-pass
        priority 2
        selector ssh-traffic
        selector pub-iface-ip
        action
            pass
            ..
        ..
    policy rest-redir
        priority 3
        selector matchall
        action
            redirect ifb1
            ..
        ..
    ..
The same settings can be applied using the following NETCONF XML configuration:
vsr running config# / qos
vsr running config qos# show config xml absolute
<config xmlns="urn:6wind:vrouter">
<qos xmlns="urn:6wind:vrouter/qos">
<class-mask>0xFFFFFFFF</class-mask>
<selector>
<name>esp-traffic</name>
<ipv4>
<protocol>
<value>50</value>
<mask>0xff</mask>
</protocol>
</ipv4>
</selector>
<selector>
<name>ssh-traffic</name>
<tcp>
<destination-port>
<value>22</value>
<mask>0xffff</mask>
</destination-port>
</tcp>
</selector>
<selector>
<name>pub-iface-ip</name>
<ipv4>
<destination>200.11.1.0/29</destination>
</ipv4>
</selector>
<selector>
<name>matchall</name>
<match8bits>
<value>0</value>
<mask>0x0</mask>
<offset>0</offset>
</match8bits>
</selector>
<policy>
<name>esp-pass</name>
<priority>1</priority>
<selector>esp-traffic</selector>
<selector>pub-iface-ip</selector>
<action>
<pass/>
</action>
</policy>
<policy>
<name>ssh-pass</name>
<priority>2</priority>
<selector>ssh-traffic</selector>
<selector>pub-iface-ip</selector>
<action>
<pass/>
</action>
</policy>
<policy>
<name>rest-redir</name>
<priority>3</priority>
<selector>matchall</selector>
<action>
<redirect>ifb1</redirect>
</action>
</policy>
</qos>
</config>
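The matching rules described above, modelled on the three policies just configured. This is an added Python example, not 6WIND code. It assumes a masked comparison of the form (field & mask) == (value & mask), that the first matching policy in priority order decides the action, and that the general selector offset is a byte offset into a stand-in frame. The packets are constructed.

```python
import ipaddress

# Selectors and policies transcribed from the configuration above.
SELECTORS = {
    "esp-traffic":  ("field", "ipv4.protocol", 50, 0xFF),
    "ssh-traffic":  ("field", "tcp.destination-port", 22, 0xFFFF),
    "pub-iface-ip": ("prefix", "ipv4.destination", "200.11.1.0/29"),
    "matchall":     ("raw", 8, 0, 0x0, 0),  # match8bits: value, mask, offset
}
POLICIES = [  # (priority, name, selectors, action)
    (1, "esp-pass", ["esp-traffic", "pub-iface-ip"], "pass"),
    (2, "ssh-pass", ["ssh-traffic", "pub-iface-ip"], "pass"),
    (3, "rest-redir", ["matchall"], "redirect ifb1"),
]

def selector_matches(sel, pkt):
    kind = sel[0]
    if kind == "field":
        _, field, value, mask = sel
        got = pkt.get(field)  # None when the packet lacks this header
        return got is not None and (got & mask) == (value & mask)
    if kind == "prefix":
        _, field, prefix = sel
        addr = pkt.get(field)
        return addr is not None and ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)
    _, bits, value, mask, offset = sel  # general selector on raw bytes
    chunk = pkt["raw"][offset:offset + bits // 8]
    if len(chunk) < bits // 8:
        return False
    return (int.from_bytes(chunk, "big") & mask) == (value & mask)

def classify(pkt):
    """First policy, in ascending priority, whose selectors ALL match."""
    for _, name, sels, action in sorted(POLICIES, key=lambda p: p[0]):
        if all(selector_matches(SELECTORS[s], pkt) for s in sels):
            return name, action
    return None, None

# Constructed packets: header fields already decoded, "raw" is a stand-in frame.
ESP_TO_PUB = {"ipv4.protocol": 50, "ipv4.destination": "200.11.1.3", "raw": bytes(14)}
SSH_TO_PUB = {"ipv4.protocol": 6, "tcp.destination-port": 22,
              "ipv4.destination": "200.11.1.2", "raw": bytes(14)}
SSH_OUTSIDE = {**SSH_TO_PUB, "ipv4.destination": "200.11.1.8"}  # just past the /29
HTTP_TO_PUB = {**SSH_TO_PUB, "tcp.destination-port": 80}

if __name__ == "__main__":
    for pkt in (ESP_TO_PUB, SSH_TO_PUB, SSH_OUTSIDE, HTTP_TO_PUB):
        print(pkt["ipv4.destination"], classify(pkt))
```

SSH to 200.11.1.8 falls outside the /29 and is caught by the mask 0x0 selector, so any traffic the two pass policies miss is redirected.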
Configuring a policy on an interface¶
Policies are configured in the qos context of physical interfaces in ingress or egress.
Enter the qos context of the eth0 physical interface:
vsr running config# vrf main
vsr running vrf main# interface physical eth0
vsr running physical eth0# qos
Configure the policies esp-pass and ssh-pass in egress and rest-redir in ingress of the eth0 interface. This last policy should be configured together with a QoS-hub interface and a scheduler in egress on it.
See QoS-hub for details about creating QoS-hub interfaces.
See Scheduling for details about the creation of schedulers.
vsr running qos# egress
vsr running egress# policy esp-pass
vsr running egress# policy ssh-pass
vsr running egress#
vsr running egress# ..
vsr running qos# ingress
vsr running ingress# policy rest-redir
Note
The policy templates offer the convenience to reuse the same policy configuration on other interfaces.
Review the eth0 configuration:
vsr running physical eth0# show config nodefault
physical eth0
    port pci-b0s04
    qos
        ingress
            policy rest-redir
            ..
        egress
            policy esp-pass
            policy ssh-pass
            ..
        ..
    ..
The same settings can be applied using the following NETCONF XML configuration:
vsr running config# show config xml absolute vrf main interface physical eth0
<config xmlns="urn:6wind:vrouter">
<vrf>
<name>main</name>
<interface xmlns="urn:6wind:vrouter/interface">
<physical>
<name>eth0</name>
<ipv4>
<enabled>true</enabled>
</ipv4>
<enabled>true</enabled>
<port>pci-b0s04</port>
<ipv6>
<enabled>true</enabled>
</ipv6>
<network-stack>
<ipv4/>
<ipv6/>
</network-stack>
<ethernet/>
<qos>
<ingress>
<policy>rest-redir</policy>
</ingress>
<egress>
<policy>esp-pass</policy>
<policy>ssh-pass</policy>
</egress>
</qos>
</physical>
</interface>
</vrf>
</config>
Commit the configuration:
vsr running physical eth0# commit
Configuration committed.
vsr running physical eth0# /
vsr running config#
Review the QoS state of the interface:
vsr running config# show state vrf main interface physical eth0 qos
qos
    egress
        policy esp-pass
            priority 1
            selector esp-traffic
                ipv4
                    protocol
                        value 50
                        mask 0xff
                        ..
                    ..
                ..
            selector pub-iface-ip
                ipv4
                    destination 200.11.1.0/29
                    ..
                ..
            action
                pass
                ..
            stats
                match-packets 0
                drop-packets 0
                ..
            ..
        policy ssh-pass
            priority 2
            selector pub-iface-ip
                ipv4
                    destination 200.11.1.0/29
                    ..
                ..
            selector ssh-traffic
                tcp
                    destination-port
                        value 22
                        mask 0xffff
                        ..
                    ..
                ..
            action
                pass
                ..
            stats
                match-packets 0
                drop-packets 0
                ..
            ..
        ..
    ..
The same settings can be applied using the following NETCONF XML configuration:
<config xmlns="urn:6wind:vrouter">
<vrf>
<name>main</name>
<interface xmlns="urn:6wind:vrouter/interface">
<physical>
<name>eth0</name>
<port>pci-b0s5</port>
<qos>
<ingress>
<policy>rest-redir</policy>
</ingress>
<egress>
<policy>esp-pass</policy>
<policy>ssh-pass</policy>
</egress>
</qos>
</physical>
</interface>
</vrf>
<qos xmlns="urn:6wind:vrouter/qos">
<class-mask>0xFFFFFFFF</class-mask>
<selector>
<name>esp-traffic</name>
<ipv4>
<protocol>
<value>50</value>
<mask>0xff</mask>
</protocol>
</ipv4>
</selector>
<selector>
<name>ssh-traffic</name>
<tcp>
<destination-port>
<value>22</value>
<mask>0xffff</mask>
</destination-port>
</tcp>
</selector>
<selector>
<name>pub-iface-ip</name>
<ipv4>
<destination>200.11.1.0/29</destination>
</ipv4>
</selector>
<selector>
<name>matchall</name>
<match8bits>
<value>0</value>
<mask>0x0</mask>
<offset>0</offset>
</match8bits>
</selector>
<policy>
<name>esp-pass</name>
<priority>1</priority>
<selector>esp-traffic</selector>
<selector>pub-iface-ip</selector>
<action>
<pass/>
</action>
</policy>
<policy>
<name>ssh-pass</name>
<priority>2</priority>
<selector>ssh-traffic</selector>
<selector>pub-iface-ip</selector>
<action>
<pass/>
</action>
</policy>
<policy>
<name>rest-redir</name>
<priority>3</priority>
<selector>matchall</selector>
<action>
<redirect>ifb1</redirect>
</action>
</policy>
</qos>
</config>
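A pre-flight check for NETCONF XML prepared offline in the layout shown above. This is an added Python example, not 6WIND tooling. It reports selectors whose mask is 0 (they match every packet), policies that reference undefined selectors, and interfaces that reference undefined policies. The sample document is constructed, and the names web-pass and http-traffic are hypothetical, added only to trigger findings.

```python
import xml.etree.ElementTree as ET

NS = {"i": "urn:6wind:vrouter/interface", "q": "urn:6wind:vrouter/qos"}

# Constructed sample in the page's NETCONF layout. "web-pass" and "http-traffic"
# are deliberately undefined names, added here to trigger findings.
SAMPLE = """<config xmlns="urn:6wind:vrouter">
 <vrf><name>main</name><interface xmlns="urn:6wind:vrouter/interface">
  <physical><name>eth0</name><qos>
   <ingress><policy>rest-redir</policy></ingress>
   <egress><policy>esp-pass</policy><policy>web-pass</policy></egress>
  </qos></physical></interface></vrf>
 <qos xmlns="urn:6wind:vrouter/qos">
  <selector><name>esp-traffic</name><ipv4><protocol>
   <value>50</value><mask>0xff</mask></protocol></ipv4></selector>
  <selector><name>matchall</name><match8bits>
   <value>0</value><mask>0x0</mask><offset>0</offset></match8bits></selector>
  <policy><name>esp-pass</name><priority>1</priority>
   <selector>esp-traffic</selector><selector>http-traffic</selector>
   <action><pass/></action></policy>
  <policy><name>rest-redir</name><priority>3</priority>
   <selector>matchall</selector><action><redirect>ifb1</redirect></action></policy>
 </qos></config>"""

def audit(xml_text):
    """Return human-readable findings for one <config> document."""
    root = ET.fromstring(xml_text)
    qos = root.find("q:qos", NS)
    selectors = {s.findtext("q:name", namespaces=NS): s for s in qos.findall("q:selector", NS)}
    policies = {p.findtext("q:name", namespaces=NS): p for p in qos.findall("q:policy", NS)}
    findings = []
    for name, sel in selectors.items():      # catch-all selectors
        mask = sel.find(".//q:mask", NS)
        if mask is not None and int(mask.text, 0) == 0:
            findings.append(f"selector {name}: mask 0 matches every packet")
    for name, pol in policies.items():       # dangling selector references
        for ref in pol.findall("q:selector", NS):
            if ref.text not in selectors:
                findings.append(f"policy {name}: undefined selector {ref.text}")
    for iface in root.findall(".//i:physical", NS):   # dangling policy references
        ifname = iface.findtext("i:name", namespaces=NS)
        for direction in ("ingress", "egress"):
            for ref in iface.findall(f"i:qos/i:{direction}/i:policy", NS):
                if ref.text not in policies:
                    findings.append(f"{ifname} {direction}: undefined policy {ref.text}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```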