
ACL & QoS.


1 ACL & QoS

2 Course Objectives
- To master the principles and functions of ACL
- To master the principles and functions of QoS

3 Contents
- ACL Principles
- QoS Principles

4 Concept of ACL
An ACL (Access Control List) is a means of judging, classifying and filtering the data that passes through a switch. ACLs are applied as follows:
- Applied to an interface, to judge whether a packet is allowed to be forwarded through the switch according to the characteristics of its packet header and data segment. The purpose is to manage and control data traffic.
- Used to implement policy routing and to control special traffic.
An ACL contains one or more rules for IP packets of specific types; it may consist of a single rule or of many rules, and through these rules it defines which packets match. As a universal criterion for judging data traffic, an ACL can work together with other technologies on different occasions, such as firewalls, QoS and queuing, policy routing, rate limiting, routing policy, and NAT.

5 ACL Work Flow
(Flow chart: input interface -> check ACL rule -> allow? -> route entry? -> select output interface -> check ACL rule -> allow? -> forward; a packet that fails either check, or has no route entry, is dropped.)

6 Judgment Principle inside ACL

7 Judgment Criteria of ACL
An ACL can use the following judgment criteria:
- Source IP address
- Destination IP address
- Protocol type (IP, UDP, TCP, ICMP)
- Source port number
- Destination port number

8 Judgment Criteria of ACL

9 ACL Rules
- Rules are evaluated from top to bottom in order. After the first match is found, the corresponding action is carried out and the ACL is exited; the subsequent rules are not matched.
- The end of every ACL is an implicit "deny all" by default.
- An ACL can be applied to an IP interface or to a service.
- Create the ACL before applying it, or faults may occur.
- For a given protocol, only one ACL can be configured per direction on a port at the same time, and the direction in which the ACL is applied on the interface is very important: any configuration error may disable the function.
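The matching criteria of slide 7 and the rules of slide 9 (top-down evaluation, first match wins, implicit deny at the end) as a small evaluator. This is an added example, not code from the course; the rule fields, addresses and rule set are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed example (not from the course): first-match ACL evaluator with
# the slide-7 criteria and the slide-9 rules, including the implicit deny.

@dataclass
class Rule:
    action: str                    # "permit" or "deny"
    src: str = "0.0.0.0/0"         # source prefix, 0.0.0.0/0 means any
    dst: str = "0.0.0.0/0"         # destination prefix
    proto: Optional[str] = None    # "tcp", "udp", "icmp"; None matches any IP protocol
    sport: Optional[int] = None    # source port, None means any
    dport: Optional[int] = None    # destination port, None means any

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int = 0
    dport: int = 0

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every criterion given in the rule must match; unspecified criteria match anything."""
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    return rule.dport is None or rule.dport == pkt.dport

def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """Walk the rules top-down and stop at the first match; no match means deny."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"  # the implicit "deny all" at the end of every ACL

# Constructed rule set (hypothetical addresses): block telnet, then let the
# office LAN reach the server segment over TCP and ping anything. The deny
# must come first: below the broad permit it would never be reached.
OFFICE_ACL = [
    Rule("deny", proto="tcp", dport=23),
    Rule("permit", src="10.1.0.0/16", dst="192.0.2.0/24", proto="tcp"),
    Rule("permit", src="10.1.0.0/16", proto="icmp"),
]
```

Evaluating the same telnet packet against `OFFICE_ACL` and against the reversed list gives "deny" and "permit" respectively, which is the ordering point of slide 9.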

10 Display ACL

11 ACL Functions
ACLs are used for packet filtering, policy routing and the control of special traffic. An ACL can contain one or more rules for packets of specific types; these rules tell the device whether packets that match them are permitted or denied. Which rule acts on a port is determined by the order of the conditional statements in the list: once a packet header matches a conditional statement, the subsequent statements are ignored.

12 ACL Functions
ACLs are classified into eight types:
- Basic ACL: matches source IP addresses only
- Extended ACL: matches source IP address, destination IP address, IP protocol type, TCP source port, TCP destination port, UDP source port, UDP destination port, ICMP type, ICMP code, DSCP, ToS, and Precedence
- Layer-2 ACL: matches source MAC address, destination MAC address, source VLAN ID, layer-2 Ethernet protocol type, and 802.1p priority
- Hybrid ACL: matches source MAC address, destination MAC address, source VLAN ID, source IP address, destination IP address, TCP source port, TCP destination port, UDP source port, and UDP destination port
- Basic IPv6 ACL: matches IPv6 source addresses only
- Extended IPv6 ACL: matches IPv6 source and destination addresses
- User-defined ACL: matches on the number of VLAN tags and on bytes at an offset
- ATM ACL: matches VPI, VCI, and time segment

13 ACL Functions
ACL number ranges:
- Basic ACL: 1~99, 1000~1499
- Extended ACL: 100~199, 1500~1999
- Layer-2 ACL: 200~299
- Hybrid ACL: 300~349
- Basic IPv6 ACL: 2000~2499
- Extended IPv6 ACL: 2500~2999
- User-defined ACL: 3000~3499
- ATM ACL: 4000~4499

14 Standard ACL and Extended ACL
Standard ACL:
- Filters based on source address
- Permits or denies the whole TCP/IP protocol suite
- ACL number ranges from 1 to 99
Extended ACL:
- Filters based on source address, destination address, protocol type, and application type
- Specifies a particular IP protocol and protocol number
- ACL number ranges from 100 to 199

15 Contents
- ACL Principles
- QoS Principles

16 Concept of QoS
IP QoS refers to the capability of an IP network to provide specific services with the quality they require, over an IP network that spans multiple underlying network technologies (FR, ATM, Ethernet, SDH). QoS needs to perform the following jobs:
- Avoid and manage congestion in the IP network
- Reduce the IP packet loss rate
- Regulate IP network traffic
- Provide dedicated bandwidth for special users or special services
- Support real-time services on the IP network

17 QoS Model
- Integrated services: IntServ in short
- Differentiated services: DiffServ in short

18 IntServ Model
IntServ is an end-to-end, flow-based QoS technology. Before a terminal sends data, it asks the network for the QoS its service type requires, and the network decides whether to admit the request according to an admission policy. IntServ establishes an end-to-end communication path through the out-of-band RSVP (Resource Reservation Protocol). RSVP only transmits QoS requests between network nodes; it does not itself realize the QoS requirements, which are realized through other technologies such as PQ, CQ, and WFQ.

19 DiffServ Model
DiffServ can satisfy users' different QoS demands and is easy to scale. Unlike IntServ, it needs no signaling: forwarding is hop by hop, and a service does not have to inform the routers before it sends a packet. DiffServ is a DSCP-based QoS solution. At the network entrance, the traffic is classified and its rate controlled, and the DSCP field of each packet is set. Inside the network, each type of traffic is distinguished according to the QoS mechanism and the DSCP value it carries, and is given the corresponding service: resource allocation, queue scheduling, and packet drop policy. These are collectively called the PHB (per-hop behavior). All nodes in a DiffServ domain apply the PHB according to the DSCP field of the packet.

20 Packet Classification and Mark
Packet classification refers to the operation of sorting the data packets to be forwarded into classes, each of which is put into its own queue.

21 Packet Classification and Mark
The network administrator sets the packet classification policy, which may be based on:
- Physical port
- Source address
- Destination address
- MAC address
- IP protocol
- Application port number
The granularity of the classification result is not limited: it can be a single flow identified by a five-tuple (source address, source port number, protocol number, destination address, and destination port number), or all packets going to some network segment. Packets are classified with the following methods:
- Based on ACL
- Based on IP precedence

22 Traffic Monitoring
The token bucket is a common algorithm for controlling the interface rate. Its parameters are:
- CIR: committed information rate
- Bc: committed burst size; the amount of data that the network allows the user to transmit at the rate CIR within one interval Tc
- Be: excess burst size; the amount of data beyond Bc that the network still allows the user to transmit within one interval Tc
- Tc: sampling interval; data traffic on the virtual circuit is monitored and controlled per interval Tc, where Tc = Bc/CIR
Within one Tc:
- When the amount of user data transmitted is less than or equal to Bc, the received frames continue to be sent.
- When it is greater than Bc but less than or equal to Bc + Be, the frames continue to be sent if the network is not seriously congested, otherwise they are dropped.
- When it is greater than Bc + Be, the frames that exceed this limit are dropped.

23 Traffic Monitoring Token bucket mechanism

24 CAR (Committed Access Rate)
CAR uses a token bucket to control traffic. First the packet is classified. If the classified packet is identified as a type that is to be processed, it is passed to the token bucket. If the bucket holds enough tokens to send the packet, the packet is considered "Conform"; if the tokens are not sufficient, it is considered "Exceed". In the subsequent action mechanism, the "Conform" packets can be sent, dropped, or re-marked (tinted). When CAR is used for traffic monitoring, it is configured as follows: send the "Conform" packets and drop the "Exceed" packets, that is, when there are enough tokens in the token bucket the packet is sent, and when there are not the packet is dropped. In this way the packet traffic is controlled. CAR can also be used to mark or tint packets through Precedence or DSCP.
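The token bucket of slide 22 (CIR, Bc, Be, Tc = Bc/CIR) and the CAR conform/exceed decision of slide 24, as an added example that is not part of the course material. It assumes a continuous refill model (tokens accrue at CIR between packet arrivals) rather than a fixed Tc window, and treats anything beyond Bc + Be as a third colour, "violate", which is always dropped; sizes are bytes, rates are bytes per second.

```python
from typing import List, Tuple

# Constructed example (not from the course): single-rate token bucket meter
# with the slide-22 parameters CIR, Bc and Be, followed by the CAR action of
# slide 24. "conform" fits in the committed bucket, "exceed" only fits in the
# excess bucket, "violate" is beyond Bc + Be and is always dropped.

class TokenBucket:
    def __init__(self, cir: float, bc: int, be: int):
        self.cir = cir              # committed information rate (bytes/s)
        self.bc = bc                # committed burst size = depth of the main bucket
        self.be = be                # excess burst size = depth of the excess bucket
        self.tc = bc / cir          # sampling interval Tc = Bc / CIR (seconds)
        self.tokens_c = float(bc)   # both buckets start full
        self.tokens_e = float(be)
        self.last = 0.0             # time of the last refill

    def _refill(self, now: float) -> None:
        """Add CIR * elapsed tokens; what overflows the committed bucket spills into the excess one."""
        self.tokens_c += (now - self.last) * self.cir
        self.last = now
        if self.tokens_c > self.bc:
            self.tokens_e = min(self.be, self.tokens_e + self.tokens_c - self.bc)
            self.tokens_c = float(self.bc)

    def meter(self, now: float, size: int) -> str:
        self._refill(now)
        if size <= self.tokens_c:       # within Bc: conform
            self.tokens_c -= size
            return "conform"
        if size <= self.tokens_e:       # within Bc + Be: exceed
            self.tokens_e -= size
            return "exceed"
        return "violate"                # beyond Bc + Be

def car_action(color: str, congested: bool = False) -> str:
    """Slide 22/24 policy: send conform, send exceed only while the network is not congested, drop the rest."""
    if color == "conform" or (color == "exceed" and not congested):
        return "send"
    return "drop"

def run_burst(bucket: TokenBucket, packets: List[Tuple[float, int]]) -> List[str]:
    """packets: (arrival time in seconds, size in bytes), in arrival order."""
    return [bucket.meter(t, size) for t, size in packets]
```

With CIR = 1000 B/s, Bc = 1500 and Be = 1000, a burst of three 1000-byte packets at t = 0 is metered conform, exceed, violate; after a 2 s idle period both buckets are full again.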

25 Congestion Management
Characteristics of congestion management: it ensures that different types of packets obtain different services when the network is congested, by putting different types of packets into different queues so that they obtain different scheduling priorities, probabilities or bandwidth guarantees.
(Figure: data packet -> go to queue -> output queue -> send)

26 Congestion Management
The congestion management algorithms include:
- FIFO (First In First Out)
- PQ (Priority Queuing)
- CQ (Custom Queuing)
- WFQ (Weighted Fair Queuing)

27 FIFO
FIFO: First In First Out. FIFO does not classify packets. Packets enter the queue in the order they arrive and leave the queue at the exit in that same order: packets that arrive first go out first, and packets that arrive later go out later. The default service mode of the Internet, Best-Effort, uses the FIFO queuing policy.

28 FIFO

29 PQ
PQ: Priority Queueing. PQ performs strict priority scheduling. Packets are classified into at most four types, each of which belongs to one of four queues, and each packet is put into the queue that corresponds to its type. The four queues of PQ are the high-priority, medium-priority, normal-priority, and low-priority queues; their priorities decrease in that order.

30 PQ

31 CQ
CQ: Custom Queueing. CQ uses round robin scheduling. Packets are classified into at most 17 types, each of which belongs to one of the 17 queues of CQ. Among the 17 queues, queue 0 is a priority queue: the router always sends the packets in queue 0 first and only then the packets in queues 1 to 16. Queue 0 is therefore generally used as the system queue, and interactive protocol packets with strict real-time requirements are put in it. Queues 1 to 16 can each be allocated a bandwidth proportion according to the user's requirements. When packets are dequeued, CQ takes a certain number of packets from each of queues 1 to 16 and sends them out of the interface according to the defined bandwidth proportion.

32 CQ

33 Difference between CQ and PQ
PQ gives absolute priority to higher-priority packets, which guarantees precedence for key services; however, when the rate of high-priority packets is persistently higher than the interface rate, low-priority packets never get a chance to be sent. CQ avoids this situation. CQ classifies packets and assigns them to a CQ queue according to their type, and for each queue the share of the interface bandwidth that its packets may occupy is specified. Packets of different services thus obtain a reasonable share of the bandwidth, which ensures that key services obtain sufficient bandwidth while non-key services are still processed.
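The PQ starvation problem and the CQ remedy described in slides 29, 31 and 33, simulated on one set of queues. This is an added example, not course code; the byte budget per scheduling interval, the per-queue quotas and the traffic mix are constructed, and CQ's queue 0 (system queue) is left out so that only the proportional queues 1..N are compared.

```python
from collections import deque
from typing import List

# Constructed example (not from the course): drain the same queues with PQ
# (strict priority) and with CQ (round robin with a byte quota per queue) to
# show why PQ can starve the low-priority queues while CQ serves every queue
# in proportion to its configured bandwidth share.

def pq_schedule(queues: List[deque], budget: int) -> List[int]:
    """queues are ordered high -> low priority and hold packet sizes in bytes.
    PQ always sends from the highest non-empty queue until the byte budget of
    this scheduling interval is used up. Returns bytes sent per queue."""
    sent = [0] * len(queues)
    while True:
        for i, q in enumerate(queues):
            if q and q[0] <= budget:
                budget -= q[0]
                sent[i] += q.popleft()
                break
        else:
            return sent  # nothing left that fits into the remaining budget

def cq_schedule(queues: List[deque], quotas: List[int], budget: int) -> List[int]:
    """quotas[i] is the number of bytes queue i may send per round, which sets
    its bandwidth proportion (slide 31). Each round visits every queue once
    and sends at least one packet from it if the budget still allows."""
    sent = [0] * len(queues)
    while budget > 0 and any(queues):
        progressed = False
        for i, q in enumerate(queues):
            allowance = quotas[i]
            first = True
            # keep dequeuing while the packet fits into the remaining quota
            while q and (first or q[0] <= allowance) and q[0] <= budget:
                size = q.popleft()
                allowance -= size
                budget -= size
                sent[i] += size
                first = False
                progressed = True
        if not progressed:
            return sent
    return sent

def make_queues() -> List[deque]:
    """Constructed traffic: queue 0 alone offers more than one interval can carry."""
    return [deque([500] * 10), deque([500] * 4), deque([500] * 4)]
```

With a 3000-byte interval, PQ sends 3000 bytes from the top queue and nothing from the other two, while CQ with quotas of 1500/500/1000 bytes sends exactly those amounts.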

34 WFQ
WFQ: Weighted Fair Queueing. WFQ uses weighted round robin scheduling. Packets are classified into at most 64 types. WFQ is a complicated queuing process that ensures fairness among services of the same priority and weighting among services of different priorities. The weight is derived from the priority: it depends on the IP precedence carried in the IP packet header.

35 WFQ

36 CBWFQ
CBWFQ (Class Based Weighted Fair Queuing) is class-based weighted fair queuing. It is in effect a combination of CQ and WFQ.

37 Congestion Avoidance
(Figure: network congestion, shown as bandwidth occupancy over time)

38 Congestion Avoidance
The ways to avoid congestion are RED and WRED:
- RED: Random Early Detection
- WRED: Weighted Random Early Detection
Unlike RED, WRED introduces IP precedence to differentiate the drop policy. WRED uses a random drop policy, which avoids the tail drop mode that can lead to global TCP synchronization.

39 WRED Work Principles
(Figure: data packet -> go to queue -> output queue -> send; the queue is marked with an upper threshold and a lower threshold, and a packet is sent or dropped depending on where the queue depth lies relative to them.)
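The WRED drop decision of slides 38 and 39 in code, as an added example that is not part of the course material. The per-precedence threshold profiles, the linear drop-probability ramp between the lower and upper threshold and the weight of the averaged queue length are all assumed values chosen for illustration.

```python
import random
from typing import Callable, Dict, Tuple

# Constructed example (not from the course): WRED drop decision with a
# separate (lower threshold, upper threshold, max drop probability) profile
# per IP precedence. Below the lower threshold every packet is queued, above
# the upper threshold every packet is dropped (tail drop), and in between the
# drop probability rises linearly so packets are discarded early and at random
# rather than all at once. Thresholds are in packets.

WRED_PROFILES: Dict[int, Tuple[int, int, float]] = {
    0: (20, 40, 0.5),   # best-effort traffic: start dropping early and aggressively
    5: (35, 45, 0.1),   # high-precedence traffic: start late and drop gently
}

def drop_probability(avg_len: float, precedence: int) -> float:
    """Drop probability for the given average queue length and precedence."""
    lower, upper, pmax = WRED_PROFILES[precedence]
    if avg_len < lower:
        return 0.0
    if avg_len >= upper:
        return 1.0                 # tail drop region
    return pmax * (avg_len - lower) / (upper - lower)

def wred_decision(avg_len: float, precedence: int,
                  rand: Callable[[], float] = random.random) -> str:
    """Return "send" or "drop"; rand is injectable so the decision can be tested deterministically."""
    return "drop" if rand() < drop_probability(avg_len, precedence) else "send"

def average_queue_length(prev_avg: float, current_len: int, weight: float = 1 / 512) -> float:
    """WRED compares against an exponentially weighted average of the queue
    length (weight assumed here), so short bursts do not trigger drops."""
    return (1 - weight) * prev_avg + weight * current_len
```

At an average depth of 30 packets, precedence 0 traffic is already dropped with probability 0.25 while precedence 5 traffic is still always queued, which is the "weighted" part of WRED.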

40 QoS Functions
QoS functions:
- Traffic classification
- Traffic policy
- Congestion avoidance
- Queue scheduling
- Traffic shaping
- Tunnel QoS function
- Ethernet QoS function

41 Packet classification
(Figure, QoS functional model: ACL rule -> packet classification -> traffic control (traffic list) -> congestion avoidance (drop) -> traffic shaping)
