Layer-2 QoS Config Guide

About

This document describes the Layer-2 QoS functionality in switched LANs.

Layer-2 QoS Priority

When Ethernet operates in full-duplex mode there is no risk of collisions. However, there is a risk of congestion if the traffic destined for a port exceeds its capacity.

Consider the example below, showing a switch with 4 Fast Ethernet ports (100 Mbit/s). Ports 1 and 2 both receive data flows of 100 Mbit/s load. All traffic from port 2, and half of the traffic from port 1, is heading for port 4, exceeding the capacity of port 4. The egress queue (output queue) at port 4 will build up, and if the situation persists, packets will eventually have to be dropped.

                   .-------------------------.
        100 Mbit/s |1             50 Mbit/s 3| 50 Mbit/s
        ---------->+----------+------------->+---------->
                   |           \             |
                   |            \ 50 Mbit/s  |
        100 Mbit/s |2 100 Mbit/s \          4| 150 Mbit/s > 100 Mbit/s!!
        ---------->+--------------+--------->+---------->
                   |                         |
                   '-------------------------'

Figure 1: Load from multiple ports exceeds egress/output capacity.

Layer-2 priority addresses two issues in this scenario:

  • It ensures that low priority packets are dropped before high priority packets. For example, assume packets entering port 1 have higher priority than packets from port 2. Then we would not expect any loss in packets from port 1 destined for port 4, while 50% of the ‘port 2’ packets would be lost, once the port 4 egress queue becomes full.
  • When there is a queue on an egress port, layer-2 priority ensures that the high priority packets are transmitted first, assuming the switch implements strict priority scheduling.

The example above illustrates congestion occurring when a traffic load from multiple ports exceeds the capacity of the egress port where it is heading. The same could occur with traffic from a single port, if the egress port has lower capacity; e.g., a Gbit/s ingress port and a Fast Ethernet egress port, or if ingress and egress ports are of the same type, but egress rate limiting is applied to reduce the speed of the egress port.

Traffic classes, priority and congestion

Each port has multiple priority queues for egress traffic. We refer to egress queues and traffic classes interchangeably. Switches described here have 8 egress queues per port, thus can prioritize between 8 traffic classes. (Switches with 4 egress queues per port are also common, providing somewhat lower prioritization granularity.)

The example below illustrates the use of output queues to manage priority. To make the example more compact, these ports only support 4 traffic classes.

- Step 1: Packet W ingress P2, heads for P5
                  .---------------------.
                  |            --Q3--.  |
    ------------->+P1            | | |  |
                  |            ------'  |
           [W]->  |            --Q2--.  |
    ------------->+P2            | |T|  |
                  |            ------'  |
                  |            --Q1--.P5+-----------
    ------------->+P3            |S|R|  |
                  |            ------'  |
                  |            --Q0--.  |
    ------------->+P4            | |U|  |
                  |            ------'  |
                  '---------------------'

- Step 2: Packet W mapped to Queue 1 (last in FIFO)
                  .---------------------.
                  |            --Q3--.  |
    ------------->+P1            | | |  |
                  |            ------'  |
                  |            --Q2--.  |
    ------------->+P2            | |T|  |
                  |            ------'  |
                  |            --Q1--.P5+-----------
    ------------->+P3           W|S|R|  |
                  |            ------'  |
                  |            --Q0--.  |
    ------------->+P4            | |U|  |
                  |            ------'  |
                  '---------------------'

- Step 3: High priority queues are served first
                  .---------------------.
                  |            --Q3--.  |
    ------------->+P1            | | |  |
                  |            ------'  |
                  |            --Q2--.  |
    ------------->+P2            | | |  |
                  |            ------'  |  [R][T]->
                  |            --Q1--.P5+--------------------
    ------------->+P3            |W|S|  |
                  |            ------'  |
                  |            --Q0--.  |
    ------------->+P4            | |U|  |
                  |            ------'  |
                  '---------------------'

Figure 2: Example with 4 Queues/Traffic Classes.

In step 2, packet W is mapped to traffic class 1 (queue 1). This is just an example. See below for information on determining packet priority.

Additional information on traffic classes and queue management:

  • Ethernet ports support 8 traffic classes (8 egress queues per port)
  • Virtual LAN ports, e.g., layer-2 VPN SSL ports, also support 8 traffic classes
  • High priority queues are emptied first (strict priority scheduling)
  • If a high priority packet arrives while a packet from a low priority queue is being transmitted, the transmission will finish before serving the high priority queue (no pre-emption)
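
The queue behaviour described above can be reproduced with a small model. This is an added example, not code from the switch: the class and function names, the per-queue depth of 10 packets and the per-queue tail drop are assumptions. It replays the service order of Figure 2 and the load of Figure 1, with port 1 traffic in a higher traffic class than port 2 traffic.

```python
from collections import deque

class EgressPort:
    """Egress port with one FIFO per traffic class, strict priority, tail drop."""

    def __init__(self, classes=8, queue_len=10):
        self.queues = [deque() for _ in range(classes)]
        self.queue_len = queue_len          # assumed per-queue depth in packets
        self.sent = [0] * classes
        self.dropped = [0] * classes

    def enqueue(self, packet, traffic_class):
        queue = self.queues[traffic_class]
        if len(queue) >= self.queue_len:    # queue full: drop the new arrival
            self.dropped[traffic_class] += 1
            return False
        queue.append(packet)
        return True

    def transmit(self):
        """Send one packet from the highest non-empty queue (None if idle)."""
        for tc in range(len(self.queues) - 1, -1, -1):
            if self.queues[tc]:
                self.sent[tc] += 1
                return self.queues[tc].popleft()
        return None

def figure2_order():
    """Replay Figure 2: T in Q2, R and S in Q1, U in Q0, then W joins Q1."""
    port = EgressPort(classes=4)
    for name, tc in [("T", 2), ("R", 1), ("S", 1), ("U", 0), ("W", 1)]:
        port.enqueue(name, tc)
    return [port.transmit() for _ in range(5)]

def figure1_load(ticks=1000, high_tc=5, low_tc=0):
    """Per tick: 1 packet from port 1 (high), 2 from port 2 (low), 2 sent."""
    port4 = EgressPort()
    for t in range(ticks):
        port4.enqueue(("p1", t), high_tc)
        port4.enqueue(("p2", t, 0), low_tc)
        port4.enqueue(("p2", t, 1), low_tc)
        port4.transmit()
        port4.transmit()
    return port4

if __name__ == "__main__":
    print(figure2_order())
    p = figure1_load()
    print("high sent/dropped:", p.sent[5], p.dropped[5])
    print("low  sent/dropped:", p.sent[0], p.dropped[0])
```

Once the low priority queue is full, one of every two port 2 packets is dropped while no port 1 packet is lost, matching the 50% figure given earlier.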

Determining a Packet’s Priority

A packet’s priority is determined on ingress, i.e., when the packet enters the switch. Three priority modes are available for per-port configuration.

  • Port Priority mode
  • VLAN tag mode
  • IP DSCP/ToS mode

The sections below detail the behaviour of each mode.

Port Priority mode

If priority mode ‘port’ is configured on the port, then all ingress packets will be assigned the ingress port’s port priority. The port priority can be configured in range 0-7 (default ‘0’). Thus, a packet entering a port with port priority ‘2’ and priority mode ‘port’ is determined to have (IEEE) priority ‘2’.

VLAN tag mode

If priority mode VLAN ‘tag’ is configured on the port, then all ingress packets arriving with an 802.1Q tag will get the priority specified in the PCP field of the VLAN tag (IEEE 802.1p/802.1Q).

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| PCP |C|        VID            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

PCP:   Priority Code Point (0-7)
C/CFI: Canonical Format Indicator
VID:   VLAN Identifier (0-4095)

Figure 3: VLAN Tag Control Information (IEEE 802.1Q).

Thus, a packet with PCP value ‘3’ in its VLAN tag, entering a port configured with priority mode ‘tag’ is determined to have (IEEE) priority ‘3’.

If no VLAN tag is present in the arriving packet, priority is based on the port priority of the ingress port, see above.

IP DSCP/ToS mode

If priority mode ‘ip’ is configured, then all ingress IPv4 packets will be assigned priority based on the DSCP value (formerly ToS) in the packet’s IP header.

+-+-+-+-+-+-+-+-+
|   DSCP    |CU |
+-+-+-+-+-+-+-+-+

DSCP: Differentiated Services Codepoint (0-63)
CU:   Currently Unused

Figure 4: Differentiated Services Field (RFC 2474).

Thus, a packet with DSCP value ‘42’ in its IP header, entering a port configured with priority mode ‘ip’ is determined to have (IP) priority ‘42’.

If the incoming packet is not an IP packet (e.g., an ARP packet), priority is based on the port priority of the ingress port, see above.

By default, ports are configured with:

  • priority mode ‘VLAN tag’
  • port priority ‘0’ (zero)

Below is an example where priority mode is changed to ‘port’ and the port priority is changed to 5 for port 2 (eth2).

example:/#> configure
example:/config/#> port eth2
example:/config/port-eth2/#> priority-mode port
example:/config/port-eth2/#> priority 5
example:/config/port-eth2/#> leave
Configuration activated.  Remember "copy run start" to save to flash (NVRAM).
example:/#>

Note

Packets relating to layer-2 network control (RSTP, FRNT, etc.) are typically assigned highest (IEEE) priority (‘7’), irrespective of the priority mode configured for the port.

Mapping Priority to Traffic Class

The scheme to map priority to traffic class depends on the priority mode used to determine the packet’s priority as described in the following two subsections.

IEEE Priority to Traffic Class

When priority is based on VLAN tag or port priority, a priority value in range 0-7 is determined for the packet. This priority is referred to as IEEE priority. For ports with 8 traffic classes, the IEEE Priority to Traffic Class mapping scheme is a simple 1-to-1 mapping.

IEEE Priority    Traffic Class
7 (111)          7 (111)
6 (110)          6 (110)
5 (101)          5 (101)
4 (100)          4 (100)
3 (011)          3 (011)
2 (010)          2 (010)
1 (001)          1 (001)
0 (000)          0 (000)

IP (DSCP) Priority to Traffic Class

When priority is based on the IP DSCP field, a priority value in range 0-63 is determined for the packet. This priority is referred to as IP priority. For ports with 8 traffic classes, the IP Priority to Traffic Class mapping scheme looks at the three most significant bits (MSBs) of the DSCP field as shown below.

IP (DSCP) Priority    Traffic Class
56-63 (111xxx)        7 (111)
48-55 (110xxx)        6 (110)
40-47 (101xxx)        5 (101)
32-39 (100xxx)        4 (100)
24-31 (011xxx)        3 (011)
16-23 (010xxx)        2 (010)
8-15  (001xxx)        1 (001)
0-7   (000xxx)        0 (000)
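
The three priority modes and both mapping tables can be combined into one classifier. This is an added example, not the switch's own code: the function names and the sample frames are constructed for illustration, and it assumes that mode ‘ip’ also reads the IPv4 header of a VLAN-tagged frame. The special handling of layer-2 control packets (RSTP, FRNT) is not modelled.

```python
import struct

ETH_VLAN, ETH_IPV4, ETH_ARP = 0x8100, 0x0800, 0x0806

def classify(frame, mode="tag", port_priority=0):
    """Return the traffic class (0-7) for an ingress Ethernet frame."""
    if mode not in ("tag", "ip", "port") or not 0 <= port_priority <= 7:
        raise ValueError("invalid priority mode or port priority")
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset, pcp = 14, None
    if ethertype == ETH_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        pcp, offset = tci >> 13, 18      # PCP = top 3 bits of the TCI
    if mode == "tag" and pcp is not None:
        return pcp                        # IEEE priority maps 1-to-1
    if mode == "ip" and ethertype == ETH_IPV4 and len(frame) >= offset + 2:
        dscp = frame[offset + 1] >> 2     # DS field: DSCP is the upper 6 bits
        return dscp >> 3                  # three MSBs of DSCP select the class
    return port_priority                  # untagged, non-IP, or mode 'port'

def make_frame(ethertype, payload=b"", pcp=None, vid=1):
    """Build a constructed test frame (MAC addresses are dummy values)."""
    header = bytes(6) + bytes.fromhex("020000000001")
    if pcp is not None:
        header += struct.pack("!HH", ETH_VLAN, (pcp << 13) | vid)
    return header + struct.pack("!H", ethertype) + payload

def ipv4_header(dscp):
    """Minimal 20-byte IPv4 header carrying only the fields used here."""
    return bytes([0x45, dscp << 2]) + bytes(18)

if __name__ == "__main__":
    tagged = make_frame(ETH_IPV4, ipv4_header(42), pcp=3, vid=10)
    untagged = make_frame(ETH_IPV4, ipv4_header(42))
    arp = make_frame(ETH_ARP, bytes(28))
    print("tag mode, PCP 3:        ", classify(tagged, "tag"))
    print("tag mode, untagged:     ", classify(untagged, "tag", 5))
    print("ip mode, DSCP 42:       ", classify(untagged, "ip"))
    print("ip mode, ARP (non-IP):  ", classify(arp, "ip", 2))
    print("port mode, priority 5:  ", classify(tagged, "port", 5))
```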

VLAN tag priority upon egress

A packet leaving the switch with a VLAN tag will have its VLAN tag priority (PCP bits) set to a value corresponding to its traffic class (0-7).

Rate Limiting

Ingress Rate Limiting

The switch can be configured to limit the rate of a port’s incoming traffic; this is called ingress rate limiting. By default a port accepts packets at a rate up to the link speed. With ingress rate limiting activated, the switch starts dropping packets when data arrives above the given rate threshold. This feature can be useful as a complement to layer-2 priority handling when congestion within the network is to be avoided.

The rate may be specified in bits per second, such as 64 kbit/s, or 250 Mbit/s. By default, a configured rate limit will apply to all ingress traffic. However, it is possible to restrict the rate limit to specific (layer-2) traffic types: broadcast, multicast and/or unknown unicast.

Unknown unicast traffic is traffic with a unicast destination MAC address not present in the switch forwarding database. Unknown unicast traffic is flooded onto all ports within the VLAN.

Note

For virtual L2 ports, e.g., SSL L2 VPN ports, all unicast MACs are unknown. Thus, rate limiting unknown unicast on such ports will apply to all unicast traffic ingressing the port.

example:/#> configure
example:/config/#> port eth1
example:/config/port-eth1/#> ingress-rate-limit 2M
example:/config/port-eth1/#> end
example:/config/#> port eth2
example:/config/port-eth2/#> ingress-rate-limit 1M match bc,mc
example:/config/port-eth2/#> leave
Configuration activated.  Remember "copy run start" to save to flash (NVRAM).
example:/#>

Egress Rate Limiting

The switch can be configured to limit the outbound data rate on a port; this is called egress rate limiting. By default each port will send at the maximum speed of the link. With egress rate limiting activated, the switch limits the outbound rate to a given threshold.

The rate may be specified in bits per second, such as 350 kbit/s, or 500 Mbit/s. If egress rate limit is set, all outgoing traffic is limited to the specified threshold.

example:/#> configure
example:/config/#> port eth3
example:/config/port-eth3/#> egress-rate-limit 8M
example:/config/port-eth3/#> show egress-rate-limit 
8000 kbps
example:/config/port-eth3/#> leave
Configuration activated.  Remember "copy run start" to save to flash (NVRAM).
example:/#>

Configuration

Per-port priority settings are located in the port configuration context in the CLI. One or more physical LAN ports can be configured at the same time. The range can be given as: port eth3,eth5..eth10

example:/#> configure
example:/config/#> port eth3
example:/config/port-eth3/#>

When you are done, use leave to activate settings and return to Admin Exec context.

Syntax

[no|show] priority-mode [tag|ip|port]
Select the classification mode used at ingress; tag for VLAN tag (PCP), ip for DSCP/ToS, and port for port priority. The no form of the command resets the setting to its default value, tag.
[no|show] priority [0-7]
If priority mode is set to port this setting defines the priority assigned to ingressing packets. The no form of the command resets the setting to its default value, 0 (zero).
[no|show] ingress-rate-limit <64-1000000>
Set ingress limit in kbps. The value can also be given with ISO modifiers k/M/G as specifiers for kbps and Mbps, e.g., 256k or 10M. The no form of the command disables rate limiting, which is the default.
[no|show] ingress-rate-limit <64-1000000> match <bc,mc,u-uni|all>
By default, the rate limit applies to all traffic types. To limit a specific type of traffic, use the optional match [bc,mc,u-uni] setting to limit MAC broadcast (bc), MAC multicast (mc) or unknown MAC unicast (u-uni). E.g., ingress-rate-limit 2M match bc,mc limits the total MAC broadcast and multicast to 2 Mbps.
[no|show] egress-rate-limit <64-1000000>
Set egress rate limit in kbps. The value can also be given with ISO modifiers k/M/G as specifiers for kbps and Mbps, e.g., 256k or 10M. The no form of the command disables rate limiting, which is the default.

Note

Ingress and egress rate values are always rounded off to the nearest possible setting in the underlying switch hardware.