IP Precedence
This month we begin learning how to define what type of service your packets get.
by Eric Quinn - courtesy of TCPMag.com
2/27/2001 -- There's a field within the IP header called Type of Service. In the Internet datagram header diagram below, the Type of Service is in the middle, at the top.
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version|  IHL  |Type of Service|          Total Length         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Identification        |Flags|      Fragment Offset    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Time to Live |    Protocol   |         Header Checksum       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Source Address                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Destination Address                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Options                    |    Padding    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type of Service takes up a whole byte -- the second byte in the header. The items the bits represent can be seen in the diagram below. (To clear up any confusion at the outset, the header above shows the bits in four octet chunks, for a total of 32 bits across. The actual bytes start at zero on the left and go to seven, then begin at zero again. This is why we count to 10 above, but begin with the zero bit below.)
   0     1     2     3     4     5     6     7
+-----+-----+-----+-----+-----+-----+-----+-----+
|                 |     |           |     |     |
|   PRECEDENCE    | STRM|RELIABILITY| S/R |SPEED|
|                 |     |           |     |     |
+-----+-----+-----+-----+-----+-----+-----+-----+
IP precedence is a value that can allow certain traffic to gain priority over other types of traffic. Now, you're thinking "So, isn't that what queuing does?" and you'd be correct. The difference here is that each packet carries its importance as it crosses the network. Queuing requires you to configure each router that a packet would be crossing.
IP precedence uses three bits to determine how important the traffic within this packet is. A value of zero (000) is routine traffic -- the default for most types of traffic. Values of six (110) and seven (111) are used for network update traffic.
Some devices will install new values by default. For example, the IP telephony modules on a 6500 series switch give traffic coming from an IP phone a precedence level of five, allowing those packets to have priority over other types of traffic.
Quality of Service (QoS) can also encompass CoS (Class of Service -- where traffic prioritization is encapsulated within the VLAN header) as well as RSVP (the Resource Reservation protocol, where priority info is carried in an RTP header). These are all methods of carrying the priority from network device to network device. But how is the priority set? I mentioned above that a certain blade on a 6500 will set the priority higher on ports connecting to IP phones, but you can do the same for any PC connecting to the 6500 using the QoS commands.
The first thing to do is determine if you want to trust any IP precedence values generated from outside the switch. Think carefully before you say, "No." Are you certain that database server isn't setting the priority on any packets? Find out before you erase any settings. If you want to set your own values, you do it by using Class of Service. You need to have trunks going throughout your network to carry the information.
Here are the basic commands to get this process going. In order to turn on QoS at the port use:
set port qos mod_num/port_num {port-based | vlan-based}
In order to determine if you want to believe what the device connected to this port is saying or not, use the command:
set port qos mod_num/port_num trust {untrusted | trust-cos | trust-ipprec | trust-dscp}
You'll notice three trust options above (plus untrusted). One trust option is used if the outside device is using Class of Service, another for IP Precedence, and the third for DSCP (Differentiated Services Code Point). The cool thing is that you can translate from one to another. If you're using CoS across your LAN but you still want to retain prioritization going across a WAN, you can translate it into IP precedence.
You need to set the CoS value that a packet will be given as it arrives in an untrusted port.
set port qos mod_num/port_num cos cos-value
Finally, you need to set some access control lists to determine applicable traffic. Since we're dealing with layer-three info at this stage, make sure your 6500 has a PFC on the Supervisor card.
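Before you choose between trust and untrusted on a port, it helps to look at what the attached hosts are actually putting in the ToS byte. The following Python is an added example, not code from the article or from Cisco: it packs a few constructed IPv4 headers, reads the second byte back, splits it into the three-bit precedence and the six-bit DSCP views of the same byte, and reports non-zero markings from hosts you have not decided to trust. The addresses, the "trusted markers" set and the audit policy are all hypothetical; the precedence-to-DSCP mapping is the standard class-selector relationship (precedence n corresponds to DSCP n<<3).

```python
"""Decode the IPv4 Type of Service byte and audit which hosts are marking
precedence before deciding which ports to trust. Added example; sample
packets and policy are constructed for illustration."""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Set

# RFC 791 names for the three-bit precedence field (bits 0-2 of the ToS byte).
PRECEDENCE_NAMES = {
    0: "Routine", 1: "Priority", 2: "Immediate", 3: "Flash",
    4: "Flash Override", 5: "CRITIC/ECP",
    6: "Internetwork Control", 7: "Network Control",
}


@dataclass
class TosInfo:
    src: str
    dst: str
    tos: int          # the whole second byte of the header
    precedence: int   # top three bits (RFC 791 view)
    dscp: int         # top six bits (DiffServ view of the same byte)


def build_ipv4_header(src: str, dst: str, tos: int, payload_len: int = 0) -> bytes:
    """Pack a minimal 20-byte IPv4 header (constructed test data; checksum left 0)."""
    total_len = 20 + payload_len
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, tos & 0xFF, total_len,   # version 4, IHL 5, ToS, total length
        0, 0,                          # identification, flags/fragment offset
        64, 17, 0,                     # TTL, protocol (UDP), checksum placeholder
        bytes(int(o) for o in src.split(".")),
        bytes(int(o) for o in dst.split(".")),
    )


def parse_tos(packet: bytes) -> TosInfo:
    """Read the ToS byte from a raw IPv4 header and split it both ways."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    tos = packet[1]

    def dotted(b: bytes) -> str:
        return ".".join(str(x) for x in b)

    return TosInfo(src=dotted(packet[12:16]), dst=dotted(packet[16:20]),
                   tos=tos, precedence=tos >> 5, dscp=tos >> 2)


def precedence_to_dscp(precedence: int) -> int:
    """IP precedence n occupies the same three high-order bits as DiffServ
    class selector CSn, so the equivalent DSCP is n << 3."""
    if not 0 <= precedence <= 7:
        raise ValueError("precedence is a three-bit field")
    return precedence << 3


def audit_markings(packets: Iterable[bytes], trusted_markers: Set[str]) -> List[str]:
    """Report precedence values arriving from hosts not yet decided to be trusted.

    Hypothetical policy: precedence 6 and 7 are for network update traffic and
    should not come from an end host; any other non-zero value from an untrusted
    host is listed so you can find out who is marking before you overwrite it."""
    findings = []
    for pkt in packets:
        info = parse_tos(pkt)
        if info.src in trusted_markers or info.precedence == 0:
            continue
        name = PRECEDENCE_NAMES[info.precedence]
        if info.precedence >= 6:
            findings.append(f"{info.src}: precedence {info.precedence} ({name}) "
                            f"from an end host; reserved for network control")
        else:
            findings.append(f"{info.src}: sets precedence {info.precedence} ({name}), "
                            f"DSCP {info.dscp}; verify before trusting or overwriting")
    return findings


# Constructed sample traffic (all addresses invented): an IP phone marking 5,
# a database server marking 3, a workstation marking 7, and a routine packet.
SAMPLE_PACKETS = [
    build_ipv4_header("10.0.1.20", "10.0.2.5", tos=5 << 5),   # phone: precedence 5
    build_ipv4_header("10.0.3.10", "10.0.2.5", tos=3 << 5),   # database server: precedence 3
    build_ipv4_header("10.0.4.77", "10.0.2.5", tos=7 << 5),   # workstation: precedence 7
    build_ipv4_header("10.0.4.78", "10.0.2.5", tos=0),        # workstation: routine
]
TRUSTED_MARKERS = {"10.0.1.20"}  # the phone port we have decided to trust (hypothetical)

if __name__ == "__main__":
    for line in audit_markings(SAMPLE_PACKETS, TRUSTED_MARKERS):
        print(line)
```

Run against the constructed packets, the phone is skipped because its address is in the trusted set, the routine packet is skipped because it carries precedence 0, and the two remaining hosts are listed: the database server (so you can go find out why it marks 3 before you choose untrusted and erase it) and the workstation claiming network-control precedence. The same parse works on headers captured from the wire, since only the first twenty bytes are read.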
You can usually justify the complexity of setting up true end-to-end quality of service by the resulting drop in congestion-related problems for important traffic. The documentation on all of the different ways to establish QoS on a 6500 can be found here:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_5_5/cnfg_gd/qos.htm.
Next time, we'll talk more about how to set IP precedence using a router and route maps.
Reprinted with permission from TCPMag.com, March 2001.
Eric Quinn, CCNP, CCDP, CCSI, is a security instructor and consultant. He is also co-author of the CCNP Remote Access Exam Cram by Coriolis Press. He writes the “Link State Update” column for TCPmag.com, and is a contributing editor for CertCities.com. Reach him at .