[Top] [Prev] [Next] [Bottom]

Using TOS/DiffServe Quality of Service (QOS) Policies

Introducing TOS/DiffServe

The purpose of TOS/DiffServe is to provide a means for IP routers and hosts to differentiate among various classes of IP traffic in order to control Quality of Service (QOS) characteristics such as latency, bandwidth, and packet dropping strategies. QOS lets you provide different service levels for different types of traffic.

The term TOS/DiffServe refers to the definition and interpretation of the field in the IP header originally called Type of Service (TOS) and more recently redefined as the DiffServe Code Point (DSCP) field.

RFC Compliance

OpenROUTE software provides a useful set of features that conform to the DiffServe RFCs for the purpose of providing multiple levels of service quality to data arriving at and exiting the router.

OpenROUTE software supports the differentiated services that the following RFCs require.

[ARCH] An Architecture for Differentiated Services, RFC 2475, December 1998.
[DSFIELD] Definition of the Differentiated Services Field (DS Field), RFC 2474, December 1998.

In addition, the OpenROUTE software supports the Expedited Forwarding Per Hop Behavior (PHB) described in [EF] An Expedited Forwarding PHB, RFC 2598, June 1999.

How OpenROUTE QOS Features Differ from RFC Recommendations

OpenROUTE software currently does not fully implement the Assured Forwarding classes defined in RFC 2597. However, you can configure OpenROUTE software for similar service. OpenROUTE supports the reserved bandwidth, but not the reserved buffer allocation that Assured Forwarding requires.

Terminology and Acronyms

This document uses the following terms and acronyms

BRS

Bandwidth Reservation System, an OpenROUTE software feature.

Codepoint

Recommended bit patterns of the DS field. See DSCP.

CS

DiffServe Class Specifier.

DiffServe

Differentiated Services.

DSCP

DiffServe Code Point. Selects per-hop behavior for a packet.

IPDF

Internet Protocol Dynamic Filters, an OpenROUTE software feature.

PHB

Per-Hop Behavior. A fowarding behavior applied at each network node.

QOS

Quality of Service.

BRS	Bandwidth Reservation System, an OpenROUTE software feature.
Codepoint	Recommended bit patterns of the DS field. See DSCP.
CS	DiffServe Class Specifier.
DiffServe	Differentiated Services.
DSCP	DiffServe Code Point. Selects per-hop behavior for a packet.
IPDF	Internet Protocol Dynamic Filters, an OpenROUTE software feature.
PHB	Per-Hop Behavior. A fowarding behavior applied at each network node.
QOS	Quality of Service.

How DiffServe Works

The IP Dynamic Filters (IPDF) and Bandwidth Reservation System (BRS) features support the DiffServe concept.

IPDF can detect and rewrite the TOS/DiffServe field in the IP header. IPDF provides syntax for treating the old-style, 3-bit Precedence field (PREC), as well as syntax for treating the 6-bit DiffServe field (DSCP). The Precedence field is also called the Class Selector (CS).
BRS lets you allocate the bandwidth of an interface among a number of user-defined classes. BRS uses these classes to apply preferred treatment to some packets over others. BRS can use buffer tags assigned in IPDF to assign packets to its traffic classes.

A brief description of router features used to implement DiffServe follows. Later, a configuration example is presented that implements DiffServe policies.

Using IPDF to Classify Packets

IPDF is designed to be a packet classifier. Its principal intent is to provide filtering rules for implementing IP firewall policies. By extending the IPDF set of classifying rules to include the DSCP/PREC field, IPDF also can act as a DiffServe packet classifier.

The IPDF Tag facility allows a packet buffer to remember a classification that IPDF makes. An IPDF rule can set a buffer's tag. As the buffer moves through the router, this tag is preserved and the BRS feature can detect the tag.

IPDF Profiles

IPDF rule sets, called profiles, are associated with a router interface. Each interface may have any number of profiles and each profile may encompass any number of rules. IPDF profiles can examine and act on both incoming and outgoing traffic. IPDF rules can classify a packet by any combination of the following:

DIR: Direction (inbound, outbound, or both)
PROTOCOL: Protocol (TCP, UDP, ICMP, etc.)
PTYPE: Recognizes some specific TCP and ICMP packet types.
SA or SOURCE: Source IP address
DA or DESTINATION: Destination IP address
SPORT: Source port number
DPORT: Destination port number
isPREC: Precedence value (Class Selector)
isDSCP: DSCP value, also called Codepoint
isTAG: recognizes packets the IPDF previously Tagged

Using IPDF to Mark Packets

IPDF can take the action of re-marking the DSCP (or PREC) value of a packet that it has classified. This allows marking and re-marking of DSCP/PREC based upon any of the IPDF recognizers. Marking may be necessary at the borders of DiffServe domains with differing policies. The following IPDF options are available for marking the DSCP/PREC bits:

DSCP: rewrite 6-bit DSCP (codepoint) value
PREC: rewrite 3-bit Precedence value (the Class Selector subset of DSCP)

Note that you can apply an IPDF filter that marks a packet on the inbound and/or outbound interface.

Marking inbound packets is appropriate for interfaces where the peer sending the packet is not trusted, and the DSCP field needs to be rendered consistent with the router's operational policy.
Marking outbound packets is useful when the router is at the border of a network and must alter the DSCP field to meet the policies of the targeted peer in another DiffServe domain.

DiffServe Policies

DiffServe policies, the actions taken in the router to implement differential services, are divided between the router's IPDF and BRS features.

IP Dynamic Filters (IPDF)

IPDF allows these actions:

Pass—Pass inbound packets to the routing engine and outbound packets to the transmitting interface. Does not compare the packet to any other filters.
Ignore—Does not make a decision about passing or blocking the packet. The software continues to compare the packet to other filters in the profile.
Block—Drops the packet and does not compare the packet to any other filters.

Bandwidth Reservation System (BRS)

BRS implements bandwidth reservation and priority queueing. The idea of BRS is that you can allocate the bandwidth of an interface among a number of user-defined classes. Each class reserves a percentage of the total bandwidth. Each class is guaranteed at least the configured percentage of its interface's bandwidth when the interface's capacity is fully utilized or overloaded.

The router applies BRS policies immediately before sending the packet to the outbound interface for transmission. BRS implements its own set of filters for recognizing packets. Most of these filters are redundant with those of IPDF. The exception is the BRS buffer tag recognizer. BRS can use buffer tags assigned in IPDF to assign packets to its traffic classes.

Two classes of service are mandatory: LOCAL and DEFAULT.

The LOCAL class is for packets the router itself generates. Its purpose is the reservation of bandwidth for routing protocols and other administrative traffic that originates on the router. It permits the router to do its job even in the face of overloaded interfaces.
The DEFAULT class is the classic "best effort" service. Any packet not assigned to a user-defined class or the LOCAL class is assigned to the DEFAULT class.

Within each class, you can further classify packets by priority. BRS supports four priority levels: LOW, NORMAL, HIGH and URGENT. The router always transmits packets in a BRS class in priority order. This means that the router never sends a NORMAL packet as long as a HIGH or URGENT packet is present in the class's queue. In addition, you can configure the maximum number of packets BRS queues in each priority level. There are two maximum queue sizes: one for normal operation and a smaller one for low-buffer conditions. The defaults for these queue sizes usually result in good forwarding performance.

DiffServe Configuration Tips

Using IPDF for DiffServe and Firewall

Since you can use the IPDF feature both as a Firewall and a DiffServe classifier and marker, we advise careful planning of your IPDF profiles and filter structure. Organizing IPDF filter rules into profiles by general functional classes is a good idea. It lets you treat profiles as a library of filters that you can apply as needed to various interfaces. The following examples use this approach.

IPDF rules for classifying, marking, and remarking packets usually use the Ignore action, which causes IPDF to continue the analysis of the packet with the next rule. This allows single profiles that can classify, mark, and then tag packets by applying a series of filters.

Using DiffServe with IPSEC Tunnels

IPSec packets arriving at the router consist of an outer IP header and an inner, possibly encrypted, IP packet payload.

When the router is an IPSec tunnel endpoint, it decrypts, authenticates, and decompresses the inner IP packet and then presents it to the routing engine as though it had arrived on an ordinary physical interface.

The important thing to note is that since the packet may have originated in a router on a network with different DiffServe policies than the local router, the packets must be treated as though they are arriving at a border router, even if the local router is not physically at the border of its DiffServe domain.

IPSec profiles has an option that causes the IPDF filters on the interface upon which the IPSec packet arrived to be applied to the inner IP packet after decapsulation. By this means, the DiffServe policy may be applied to tunnelled packets.

If you do set up IPSec to apply IP filters to a peer, the router applies filters to the application IP header, which is the inner IP header, and not to IPSec headers. IPSec and IP filters work together in this way,

For inbound traffic, IPSec processes the traffic first so that filters are applied to the inner IP packet after IPSec encapsulation is removed.
For outbound traffic, IP filters are applied to a packet before IPSec processes the packet. Thus, IPSec protection is wrapped around packets.

Example DiffServe Configuration

This section has an example that demonstrates the implementation of a DiffServe policy. The next section contains the actual OpenROUTE CLI commands that implement this example DiffServe policy.

The purpose of the DiffServe policy is to provide preferred treatment to Voice over IP (VoIP) traffic. The example has two domains. The two domains communicate via PPP over the WAN link.

Domain One uses DiffServe. It has a 3000 Series router that has an Ethernet interface (0), a WAN interface (1) and a built-in Voice module (2). In this example, we will configure the 3000 Series router in Domain One.

Domain Two is a neighbor network that uses the older, TOS IP Precedence scheme.

Classes of Service

The following illustration shows the classes of service provided to the two domains in this example.

Classes of Service in Policy Domain One

Domain One uses DiffServe to classify and prioritize traffic. This policy shall have two classes of service:

: 1. Voice Traffic uses Expedited Forwarding (EF), as defined in RFC 2598, which defines a codepoint value of 101110 (or 46 decimal) for EF. The policy gives packets bearing codepoint 46 forwarding priority over all packets in the default class.
Real-time traffic, including Voice over IP (VoIP) traffic, is authorized to use the EF codepoint.
: 2. Default, best effort forwarding for all other traffic using the default codepoint (0). When a network becomes congested, EF traffic continues to get preferred treatment, but at least 10% of the bandwidth is always reserved for default traffic.

Codepoints 46 and 0 are the only two codepoints used in this network.

Classes of Service in Policy Domain Two

Domain Two uses the older, TOS IP Precedence scheme to classify and prioritize traffic. This policy shall have two classes of service:

IP Precedence of 5 is assigned to voice traffic to provide preferred treatment to that traffic.
Default IP Precedence of zero (0) is assigned to all other traffic.

IPDF Profile Definitions

For convenience, the IPDF rules involved are separated into several profiles as follows:

Profile Name Description

mark_local Change incoming packets' DSCP values to be consistent with local policy.

mark_foreign Translate foreign network's policy into our own.

classifier Apply buffer tags to packets based on DSCP and other values.

firewall Block or pass packets as determined by the security policy.

trace Generate ELS messages to trace traffic flow, DSCP, and tag changes.

Profile Name	Description
mark_local	Change incoming packets' DSCP values to be consistent with local policy.
mark_foreign	Translate foreign network's policy into our own.
classifier	Apply buffer tags to packets based on DSCP and other values.
firewall	Block or pass packets as determined by the security policy.
trace	Generate ELS messages to trace traffic flow, DSCP, and tag changes.

The following illustration shows how these profiles are applied to the router interfaces in Domain One.

Profile mark_local

This profile resides on the Voice module interface and on the LAN interface. It examines incoming packets and ensures that they conform with the local DiffServe policy, which means the profile marks voice traffic with a DSCP
of 46.

Note that all time-critical traffic to and from the Voice module is in UDP packets, which are the only significant use of UDP packets the Voice
module has.

The mark_local profile has the following filters:

Assigning Profiles to Interfaces

This section shows how to attach the profiles in the previous section to each interface.

To Interface 0, the local LAN interface, assign profiles in this order:

: 1. mark_local—enforce local DiffServe policy
: 2. classifier—tag packets for BRS
: 3. trace (optionally)—generate ELS trace
: 4. firewall—observe security policy

To Interface 1, the PPP WAN link to the neighbor network with a different DiffServe policy, assign profiles in this order:

: 1. mark_foreign—remark packets consistent with local policy
: 2. classifier—tag packets for BRS
: 3. trace (optionally)—generate ELS trace
: 4. firewall—observe security policy

To Interface 2, the Voice Module, assign profiles in this order:

: 1. mark_local—enforce local DiffServe policy
: 2. classifier—tag packets for BRS
: 3. trace (optionally)—generate ELS trace
: 4. firewall—observe security policy

Bandwidth Reservation System (BRS) Configuration

For the packets IPDF classifies to receive differential forwarding treatment, you must configure BRS on each interface these packets traverse. In our example, this is all three of the router's interfaces. Since we have selected buffer tags as the basis for preferential treatment and since IPDF tags all incoming packets according to our DiffServe policy, the BRS configuration on each interface is similar to IPDF.

BRS on Interface 0 (Ethernet)

By default, BRS gives traffic in the LOCAL class 10% of the bandwidth using NORMAL priority. Configure the remainder of the bandwidth as follows:

Assign 40% bandwidth to the DEFAULT class with NORMAL priority. Untagged traffic is queued in the DEFAULT class.
Add a class called EF and assign the remaining 50% bandwidth to the EF class.
Assign TAG10 to the EF class and assign a HIGH priority to the class, thus giving the traffic tagged with buffer tag 10 the preferential treatment our policy requires.

BRS on Interface 1 (PPP on WAN)

Same configuration as for Interface 0 (Ethernet).

BRS on Interface 2 (Voice Module)

The link to the internal Voice module is a Frame Relay link with all data run over a single PVC with the DLCI 16. BRS over Frame Relay configuration is a little more complicated than BRS over PPP or Ethernet. The reason is that you need to define BRS parameters at both the top, aggregate level and on the individual DLCIs.

At the top level, assign DLCI 16 to the DEFAULT class and give DEFAULT 90% of the aggregate bandwidth.

At the CIRCUIT 16 level, configure BRS as for Interface 0 and Interface 1.

Configuring Event Logging

Turning on ELS messages and observing the router's behavior is the way to tell whether things are working correctly. Filters in IPDF can generate very useful ELS information. ELS messages in BRS can confirm that packets are being queued in the proper classes with the proper priority.

The IPDF ELS=<n> keyword, as used in the trace profile described above, produces ELS messages denoted "FLT.<10+n> for 1 <= n <= 10."

Be sure to configure ELS to display these messages if you want to see them. See Turning on ELS Messages on page 41.

Entering Commands

It is wise to save a backup of the configuration in either the router's local memory or on an external TFTP server before you change your configuration. You can do so at the Boot configuration prompt.

Config>boot
TFTP Boot/dump configuration
Boot config>

Using the Configuration Prompts

The configuration of DiffServe policies may affect a number of router subsystems, and we recommend implementing them at the Config> prompts so that service is not interrupted while you are entering the new configuration. Your new configuration does not take affect until you restart the router.

Using the Monitor Prompts

You can also enter the Filter and ELS commands at the Monitor> prompts, but each change takes effect immediately, possibly affecting the operation of the router adversely. Once a configuration is up and running, using the MONITR process to make minor alterations is useful.

If you do enter commands at the Monitor> prompts, be sure to save each subsystem's changes before restarting the router, or they will be lost. If you are working in the Monitor process, you can revert to your saved configuration using the revert command or by restarting the router without first saving your changes.

Steps to Implement Example DiffServe Policy

The following sections show how to implement the policy described in the preceding sections. Specifically, it covers the following tasks:

Our example router has 3 interfaces:

0) Ethernet LAN,

1) PPP WAN to the neighbor network, and

2) Internal Voice module. The Voice module in this example uses IP address 192.168.1.10.

Creating IPDF Profiles and Filters

Display the IP Filter configuration prompt.

*config

Config>PROTOCOL ip
Internet protocol user configuration

IP config>filters

IP Filters Config>

Create the mark_local Profile

Below are the steps to create the profile, mark_local, which will hold filters that check and mark the DSCP of packets coming into the Ethernet interface and the Voice module.

1. Add the profile.

IP Filters Config>add profile mark_local

2. Add a filter to check the DSCP of incoming packets. If the DSCP is not equal to 46, set the DSCP to 0. Pass the packet to the next filter.

IP Filters Config>add filter mark_local.dscp dir=in isdscp = 0-45,47-63 dscp=0 action=ignore

3. Add a filter to the mark_local profile that checks for UDP packets coming from the Voice module. Remark those packets to DSCP=46.

IP Filters Config>add filter mark_local.from_voice dir = in 
sa = 192.168.1.10 protocol = udp dscp = 46 action = Ignore

4. Add a filter to the mark_local profile that checks for UDP packets addressed to the Voice module. Remark those packets to DSCP=46.

IP Filters Config>add filter mark_local.to_voice dir = in 
da = 192.168.1.10 protocol = udp dscp = 46 action = Ignore

Create the mark_foreign Profile

Below are the steps to create the profile, mark_foreign, which will hold filters that mark the DSCP of packets coming into and going out of the WAN link.

1. Add the profile.

IP Filters Config>add profile mark_foreign

2. Add a filter to the mark_foreign profile that checks all inbound packets for a Precedence of 5, and re-marks the DSCP of matching packets to 46.

IP Filters Config>add filter mark_foreign.from_prec5 dir=in isprec=5 dscp=46 action=Ignore

3. Add a filter to the mark_foreign profile that checks the Precedence of all inbound packets. If the Precedence is not equal to 5, re-mark the DSCP of matching packets to 0.

IP Filters Config>add filter mark_foreign.not_ef dir=in isprec=0-4,6-7 dscp=0 action=ignore

Create the classifier Profile

Below are the steps to create the profile, classifier. The filters in this profile tag all default traffic with tag 1 and tag all EF traffic with tag 10.

1. Add the profile.

IP Filters Config>add profile classifier

2. Add a filter to the classifier profile that tags all outgoing traffic with tag 1. By default, this causes all traffic to have tag 1.

IP Filters Config>add filter classifier.default dir=out tag=1 action=Ignore

3. Add a filter to the classifier profile that checks the DSCP of outgoing packets. If the DSCP is 46, the filter tags the packet with tag 10.

IP Filters Config>add filter classifier.ef dir=out isdscp=46 tag=10 action=Ignore

Create the firewall Profile

Below are the steps to create the profile, firewall. The filter in this profile allows all traffic to pass through the interface.

1. Add the profile, firewall.

IP Filters Config>add profile firewall

2. Add a filter to the firewall profile that allows all traffic to pass through the interface.

IP Filters Config>add filter firewall.null dir=both action=pass

Create the trace Profile

Below are the steps to create the profile, trace. The filter in this profile causes ELS to generate an event when it recognizes a packet.

1. Add the profile, trace.

IP Filters Config>add profile trace

2. Add a filter to the trace profile that causes incoming and outgoing packets to generate an ELS message.

The text in this ELS message shows the following information about each packet: the interface number on which the packet arrived, the direction, source address and port number, destination address and port number, the buffer tag value, and the DCSP value.

IP Filters Config>add filter trace.dump dir=both els=1 action=ignore elstext="DUMP: %i-%d %:a --> %:A TAG=%g DS=%C"

Attach Profiles to Interfaces

Use the following steps to attach profiles to interfaces. It is important to enter the profiles in the order shown here.

1. Attach the following profiles to Interface 0.

IP Filters Config>set interface 0 profiles = mark_local,classifier,trace,firewall

2. Attach the following profiles to Interface 1.

IP Filters Config>set interface 1 profiles =mark_foreign,classifier,trace,firewall

3. Attach the following profiles to Interface 2.

IP Filters Config>set interface 2 profiles = mark_local,classifier,trace,firewall

Enabling BRS

The first step is to enable BRS on the interfaces. BRS does not allow any further configuration of its parameters until you enable BRS and restart the router.

1. Enable BRS on Interface 0, the Ethernet LAN.

*config
Gateway user configuration
Config>network 0
Ethernet interface configuration
ETH config>brs
Bandwidth Reservation User Configuration
BRS Config <Ethernet1> enable
Please restart router for this command to take effect.

BRS Config <Ethernet1> exit
ETH config>exit
Config>

2. Enable BRS on Interface 1,the PPP WAN.

Config>NETWORK 1
Circuit Configuration
Circuit Config <NET-1> brs
Bandwidth Reservation User Configuration
BRS Config <WAN1> enable
Please restart router for this command to take effect.
BRS Config <WAN1> exit
Circuit Config <NET-1> exit 
Config>

3. Enable BRS on Interface 2, the Voice Module. On this interface, you will also enable BRS circuit 16.

Config>NETWORK 2
Circuit Configuration

Circuit Config <NET-2> brs
Bandwidth Reservation User Configuration

BRS Config <NET-2> enable
Please restart router for this command to take effect.

BRS Config <WAN2> circuit
Circuit to reserve bandwidth [16]?
BRS Config <dlci 16>enable
Please restart router for this command to take effect. 

BRS Config <dlci 16>exit
BRS Config <WAN2> exit
Circuit Config <NET-2> exit
Config>

4. Restart the router for the above changes to take affect.

Config> <CTRL-P>
*restart
Are you sure you want to restart the gateway? (Yes or [No]): yes

Configuring BRS

The following steps show how to set up BRS on each of the router's interfaces.

1. Set up BRS on Interface 0 as described in BRS on Interface 0 (Ethernet) on page 34.

Note: Class names are case sensitive.

Config>NETWORK 0

Ethernet interface configuration
ETH config>brs
Bandwidth Reservation User Configuration
BRS Config <Ethernet1> add-class EF 50
BRS Config <Ethernet1> assign TAG10 EF high
BRS Config <Ethernet1> change-class DEFAULT 40
BRS Config <Ethernet1> default-class DEFAULT normal 
BRS Config <Ethernet1> exit
ETH config>exit
Config>

2. Set up BRS on Interface 1 the same way you set up BRS on Interface 0.

Config>NETWORK 1
Ethernet interface configuration
ETH config>brs
Bandwidth Reservation User Configuration

BRS Config <Ethernet2> add-class EF 50
BRS Config <Ethernet2> assign TAG10 EF high
BRS Config <Ethernet2> change-class DEFAULT 40
BRS Config <Ethernet2> default-class DEFAULT normal
BRS Config <Ethernet2> exit
ETH config>exit
Config>

3. Set up BRS on Interface 2 as described in BRS on Interface 2 (Voice Module) on page 34.

Config>NETWORK 2
Circuit Configuration

Circuit Config <NET-2> brs
Bandwidth Reservation User Configuration

BRS Config <WAN2> assign-circuit 16 DEFAULT
BRS Config <WAN2> change-circuit-class DEFAULT 90
BRS Config <WAN2> circuit
Circuit to reserve bandwidth [16]?
BRS Config <dlci 16>add-class EF 50
BRS Config <dlci 16>assign TAG10 EF high
BRS Config <dlci 16>change-class DEFAULT 40  
BRS Config <dlci 16>default-class DEFAULT normal
BRS Config <dlci 16>exit
BRS Config <WAN2> exit
Circuit Config <NET-2> exit
Config>

Turning on ELS Messages

To display the messages that the trace profile generates, configure the following in ELS.

1. Turn on the ELS=1 message, which is the message we added to the trace profile.

Config>event
Event Logging System user configuration

ELS config>display event flt.11

2. Turn on ELS to follow the operation of IPDF (ELS keyword FLT) and BRS. For example

ELS config> display subsystem flt all
ELS config> display subsystem brs all

Remember, enabling lots of ELS messages can generate a lot of message output. The router discards messages that overflow its message buffer, so such broad message enabling is useful only in controlled situations.

Restarting the Router

To get your new configuration to take effect in the running router, you need to restart the router.

Config> <CTRL-P>

*restart

Are you sure you want to restart the gateway? (Yes or [No]): yes

Displaying Your IP Filter Configuration

Once you have restarted the router, you can display your IP filters as follows:

*config

Config>PROTOCOL ip
Internet protocol user configuration

IP config>filters

IP Filters Config>list interface

Listing Interface Information
Interface   Attached Profiles
--------------------------------
0           mark_local
            classifier
            trace
            firewall
1           mark_foreign
            classifier
            trace
            firewall
2           mark_local
            classifier
            trace
            firewall

Listing Filters Attached to Interface 0

Name                     Dir  Address        Port          Protocol    Idle
                                                             Action
-----------------------------------------------------------------------
mark_local.dscp        In   isDscp=0-45                 Any  dscp=0 Off
                            isDscp=47-63                     Ignore
mark_local.voice       In   sa=192.168.1.10             UDP  dscp=46
                            da=192.168.1.10                  Ignore Off
classifier.default     Out                                 Any  Tag=1  Off
                                                             Ignore
classifier.ef           Out  isDscp=46                     Any  Tag=10 Off
                                                             Ignore
trace.dump               Both                                Any  Ignore Off
                       ELS Event=1
                       ELS Text="Dump: %i-%d %:a --> %:A TAG=%g DS=%C"

firewall.null            Both                                 Any  Pass  Off 

Listing Filters Attached to Interface 1

Name                     Dir  Address          Port   Protocol    Idle
                                                             Action
-----------------------------------------------------------------------
mark_foreign.from_prec5  In   isPrec=ExpressFwd(5)    Any  dscp=46
                                                           Ignore Off
mark_foreign.not_ef      In   isPrec=0-4              Any  dscp=0 Off
                              isPrec=6-7                   Ignore
mark_foreign.to_prec5    Out  isDscp=46                 Any  Prec=Express
Fwd(5)                                                     Ignore Off
classifier.default       Out                          Any  Tag=1  Off
                                                           Ignore
classifier.ef            Out  isDscp=46               Any  Tag=10 Off
                                                           Ignore
trace.dump               Both                         Any  Ignore Off
                         ELS Event=1
                           ELS Text="Dump: %i-%d %:a --> %:A TAG=%g DS=%C"
firewall.null             Both                        Any  Pass   Off 

Listing Filters Attached to Interface 2

Name                   Dir  Address          Port     Protocol   Idle
                                                            Action
-----------------------------------------------------------------------
mark_local.dscp          In   isDscp=0-45             Any   dscp=0 Off
                              isDscp=47-63                  Ignore
mark_local.from_voice    In   sa=192.168.1.10         UDP   dscp=46
                                                            Ignore Off
mark_local.to_voice      In   da=192.168.1.10         UDP   dscp=46    
                                                            Ignore Off
classifier.default       Out                          Any   Tag=1  Off
                                                            Ignore
classifier.ef            Out  isDscp=46               Any   Tag=10 Off
                                                            Ignore
trace.dump               Both                         Any   Ignore Off
                         ELS Event=1
                           ELS Text="Dump: %i-%d %:a --> %:A TAG=%g DS=%C"
firewall.null            Both                         Any   Pass   Off

Displaying Your BRS Configuration

BRS Config <Ethernet1> list

BANDWIDTH RESERVATION listing from SRAM
bandwidth reservation is enabled
interface number 0
maximum queue length 10 minimum queue length 3
total bandwidth allocated 100%
total classes defined (counting one local and one default) 3
class LOCAL has 10% bandwidth allocated
  protocols and filters cannot be assigned to this class.
class DEFAULT has 40% bandwidth allocated
  the following protocols and filters are assigned:
    protocol IP with default priority
    protocol ARP with default priority
class EF has 50% bandwidth allocated
  the following protocols and filters are assigned:
    filter TAG10 with priority HIGH

New and Modified IP Filter Commands

The following sections cover new or enhanced options to the add filter and set filter commands that support the DiffServe feature.

You can enter these commands at either the IP Filters Config> prompt or the IP Filters> prompt. Nx Networks recommends that you enter these commands at the configuration prompt. See Using the Configuration Prompts and Using the Monitor Prompts for more information.

elstext

This elstext option is enhanced to support variables related to DiffServe.

When you set up a filter to generate an ELS message, you can include text to describe the event.

You can use the following variables in the text. When the software generates an ELS message, it substitutes the variable with the actual information. Be sure to put double quotation marks around the text.

%a
Source Address.

%:a
Source Address and port number. If the protocol supports port numbers, the address is followed by a colon (:) and then the port number.

%A
Destination Address. (If the protocol supports port numbers, the address is followed by a colon (:) and then the port number.)

%:A
Destination Address and port number. If the protocol supports port numbers, the address is followed by a colon (:) and then the port number.

%C
The packet's DSCP (codepoint) value. Ranges from 0 to 63.

%d
Direction

%g
The packet's buffer tag value. This is zero by default. You can set to 1-64 using IP filters and 1-5 using MAC filters.

%i
Interface number on which the packet arrived.

%p
Source Port

%P
Destination Port

%r
Protocol

%t
Packet Type

%T
The packet's Precedence or TOS value. This is the 3 most significant bits of DSCP. Its range is 0 to 7.

%a	Source Address.
%:a	Source Address and port number. If the protocol supports port numbers, the address is followed by a colon (:) and then the port number.
%A	Destination Address. (If the protocol supports port numbers, the address is followed by a colon (:) and then the port number.)
%:A	Destination Address and port number. If the protocol supports port numbers, the address is followed by a colon (:) and then the port number.
%C	The packet's DSCP (codepoint) value. Ranges from 0 to 63.
%d	Direction
%g	The packet's buffer tag value. This is zero by default. You can set to 1-64 using IP filters and 1-5 using MAC filters.
%i	Interface number on which the packet arrived.
%p	Source Port
%P	Destination Port
%r	Protocol
%t	Packet Type
%T	The packet's Precedence or TOS value. This is the 3 most significant bits of DSCP. Its range is 0 to 7.

Syntax: elstext="text"

Example: add filter external.in elsevent=8 elstext= "packet from %a going to %A blocked"

When this filter recognizes a packet, it generates a message similar to this:

FLT.018 IPDF-8 packet from 128.185.22.2 going to 162.1.1.8 blocked

isdscp

Sets the filter to check the value of the DSCP field. You can enter a number, a range of numbers, or a list of numbers and/or ranges. Valid values are between 0 (zero) and 63.

Note: You cannot check and change the value of both the DSCP field and the Precedence field. If you are already using the isprec option in a filter, this option becomes disabled.


Enter . . .	To . . .
isdscp=	Replace the existing isdscp setting.
isdscp+=	Add one or more values to the current setting.
isdscp-=	Remove one or more values from the current setting.

Syntax: isdscp=number

number-number

Example: add filter External.Client isdscp = 1-45,47-63

Entry Description

number One number.

number-number A range of numbers.

list A comma-separated list of numbers and/or ranges of numbers.

Entry	Description
number	One number.
number-number	A range of numbers.
list	A comma-separated list of numbers and/or ranges of numbers.

dscp

Modifies the DSCP field of packets that match this filter. The dscp option changes the value of the entire TOS/DiffServe field. To change just the precedence field, which makes up the first three bits of the TOS/DiffServe field, use the prec option.

Note: You cannot change the value of both the DSCP field and the Precedence field. If you turn on one option, the other option becomes disabled.

You can assign a DSCP from 0 (zero) to 63. Zero (0) is best effort.

Syntax: dscp=number

Example: add filter External.Client dscp=1

isprec

Matches the packet precedence value. You can enter a single number from 0 to 7, a range of numbers, a comma-separated list of numbers, or a well-known precedence name. To turn off matching the packet precedence, use the isprec-= option to remove your configured values.

Note: You cannot check and change the value of both the DSCP field and the Precedence field. If you are already using the dscp or isdscp option in a filter, this option becomes disabled.


Enter . . .	To . . .
isprec=	Replace the existing isprec setting.
isprec+=	Add one or more precedence to the current setting.
isprec-=	Remove one or more precedence from the current setting. Notes: You can only remove a precedence using a well-known name; you cannot use a number. If you attempt to delete a precedence using a number, the error message displayed incorrectly states that you can enter a number.

Syntax: isprec

number
number-number
precedence name
list of numbers, names


Entry	Description
number	One precedence number.
number-number	A range of precedence numbers.
name	The name of a well-known precedence name. Below is a list of well-known names. BestEffort Class1(1) Class2(2) Class3(3) Class4(4) ExpressFwd(5) InternetCtrl(6) NetworkCtrl(7)
list	A list of precedence numbers, ranges of precedence numbers, and/or well-known precedence names in a comma-separated list.

Example: set filter External.Client isprec = ExpressFwd(5)

Example: set filter External.Client isprec = 1-4,7

prec

Modifies the value of the packet precedence field with the value you enter here. The precedence field makes up the first three bits of the DiffServe field. To change the value of the entire TOS/DiffServe field, use the dscp option.

Note: You cannot change the value of both the precedence field and the DSCP field. If you turn on one option, the other option becomes disabled.


Enter . . .	To . . .
prec=	Replace the existing prec setting.
prec-=	Remove the exiting precedence setting. Notes: You can only remove a precedence using a well-known name; you cannot use a number. If you attempt to delete a precedence using a number, the error message displayed incorrectly states that you can enter a number.

Syntax: prec

=
-=

Example: set filter External.Client prec = Class4(4)

Entry Description

number One precedence number.

name The name of a well-known precedence name. Below is a list of well-known names.

BestEffort

Class1(1)

Class2(2)

Class3(3)

Class4(4)

ExpressFwd(5)

InternetCtrl(6)

NetworkCtrl(7)

[Top] [Prev] [Next] [Bottom]