3. QoS Classification and Marking
On any given network there is multiple applications and services running. The concept of quality of service is to provide different service levels based on how important are the packet or the session. So some applications requires low latency queuing, for example like voice, some applications require allocated bandwidth and so on. How would you determine what type of treatment you give the packets? IP protocol call have an eight bit field allocated to provide indication on how important is the packet. Or we call this the type of service. QS requires configuration on network equipment. If you don’t configure QS on your network equipment on your Firewall, for example, it will treat all the packets equally, regardless of what type of service is tagged in the eight bits field, the Firewall will treat all packets the same way out of the box. And this is not a good thing.
How is the it bit field marked? The eight bit field can be marked by applications. So for example, a voicemail IP phone would mark its RTP audio stream as expedited forwarding, which requires the lowest level of latency. And routing devices can also receive the packet and write their own value in the input field as a routing device takes the packet out of one interface and process it and can rewrite the IP header and change the input field to something else and send it out its interface, its egress interface, and this is called marking. So the policy Firewall as a network device or routing device can also mark the packet differently. The marking of the Abbey field can be done by the applications or can be done by the routing device itself.
So should you trust all the applications DSCP values? The reality is no, you can have a bad application like peer to peer application that writes its own DSCP value, indicated that it’s expedited forwarding to get preferential treatment and get more bandwidth on your network. While Alto Firewall as a routing device can look at this traffic and determine that the application is peer to peer and mark it down to a different value. Let’s say this is a peer to peer application, it’s sending its packets with a high priority and then the router. Let’s say this is a Palo Alto Firewall. It looks at the application and say oh, this is peer to peer, I’m going to mark it down to a different eight bit value. So the QS marking should be done closer to the source, but can be overridden downstream on the network by other routing devices.
So the IPV Four and IPV Six headers have those eight bit field in the header indicating the type of service or the quality of service required by the device processing. The packet IPV Six header has the same eight bit field. It’s placed in a different location, but it’s still interpreted the same way. However, it adds also a flow label to further enhance the quality of service understanding of network devices. The way that the IP header is interpreted change over different RFCs. RFC 791, the entire it bit field was called the Tos Octet and the first three are called the precedence field. That indicates the importance of the packet. The higher the value, the more important is the packet, the lower the value, the less important is the packet.
And then the other three fields indicate the delay requirement throughput what type of throughput normal or high, throughput what type of reliability and so on. The original RFC had the first three as precedents and the second three as top of service as the top of service field. RFCs change the way the devices are interpreting this. The reality is you have the legacy interpretation of RFCs which has the precedence as the first three bits, the the most significant three bits the type of service as the following four bits the entire Octet is called type of service Octet. So the DSCP means differentiated service code points and the goal of DSCP is to provide differentiated differentiated service based on the values and the differentiation of services is done per hop.
So you have a network with multiple hops, multiple routers. Each router would look at the IP marking and decide what to do with the packet. However, there’s different way of categorizing the packet. You have the expedited forwarding which requires low latency which is basically a tag for traffic that requires low latency low generator. They typically would go into the real time queue. This perhaps behavior acts as a building block for the transport of real time traffic over a diff server network. So voice should be going under expedited forwarding, assured forwarding they give you twelve categorization buckets so that you can categorize different traffic based on different classes.
So class one through four, class one is least important, class four is more important and then in each class there is different drop precedence. If you have AF eleven you have lower drop precedence than AF twelve and AF one three. Meaning that if I have traffic coming in onto the router that falls into AF eleven, AF twelve and AF 13 if the router don’t have enough bandwidth it will start dropping AF 13 1st, then dropping AF twelve and then dropping AF eleven. So it gives you different drop precedent. Expedited forwarding is the low latency queue and should be allocated to bandwidth, specifically a bandwidth for backward compatibility.
The IP precedents and DSCP the class selector matches the president’s the first three bits which is precedents. So presidents zero is matching CS zero, president Swan is matching CS one and so on. So if I have a device that doesn’t understand DSCP markings and it gets an AF Eleven, a packet mark with AF eleven it’s going to interpret this as class one or IP precedence one. It’s basically a way of backward compatibility with the previous RFCs. So best practices over time there is different RFCs created to provide best practices. As a consequence, you have certain best practices in place that you should follow. For example, routing should have a CS Six routing package should be marked with CS Six.
Voice should be marked with EF interactive video. AF 41 streaming video. CS four control. CS three controls like RTCP H 323, AF 21. Like applications like Telnet and SSH. AF Eleven is for applications that is not very sensitive to a packet drop. So they should be in their own category, applications that you want to give them worse treatment. It should be marked as a scaffenger like peer to peer applications or other unwanted application should be a CS One management. Top application should be a CS Two. So those are best practices. Best effort is everything else right? So best effort is certain amount of bandwidth is allocated for best effort and then basically all the applications that are best effort would be in that treatment queue and allocated the bandwidth for the best effort.
So, QS domain, what is the QS domain? When a packet enters the network, it can be marked by the application. Typically you don’t want to trust the marking. That’s not necessarily a trusted marking because you can have a peer to peer application, like I mentioned, that give itself higher priority. The routing device should be kind of a checkpoint for is the DSCP marking accurate or not? Should I mark it down and mark it up? If you have, for example, as an entry point on the network, a switch, the switch can be configured with a QoS policy that looks at the traffic and determine if the marking is correct and then change the marking if needed. Once the packet enters the network, it will get processed by all the routers along the path.
So the entry point should be the classification and marking entry point and the devices that are receiving the traffic, the network devices that are receiving the traffic should basically classify and mark the packets correctly. Don’t rely on untrusted marking from computers, for example. And then you have your internal network, you have all your routers and when routers and so on. And this is under a QS domain. So once you classify it on market, the routing devices in your QS domain should be giving it the proper queuing methodology, whether it’s low, latency, which is real time, high, medium or low. And devices in the path can mark down the traffic if need be. And then on the receiving end it will be received marked with the proper tag as it gets received by the receiving equipment.
So Palo Alto Firewall will need to follow your internal policies by marking the traffic correctly. So if this is a Paulo firewall here, it should be looking at the traffic, looking at the type of applications and services running in that traffic and classify it based on your internal QoS policy. So on your network you can have multiple div serve domain or QoS domains. For example, this could be your company network and then you’re going across another Div Serve domain. Like this is the service provider. So let’s say this is HQ and this is remote side. The traffic will have to go through the when or the service provider network and should be treated the same way you treat on your internal domain.
Palo Alto Firewall can act as a wind router. So if I have this device as my When Firewall or the Palo Alto Firewall, it should mark the packet the same way the service provider is expecting it to be tagged for it to be treated correctly. So service provider typically have different QoS classes that they provide to customers platinum, gold, bronze and silver. So if a packet is coming in from your Diff serve domain, from your QoS domain, and this packet is tagged with EF when, it process would treat it in the platinum queue, given it low latency and given it allocated bandwidth, the service provider can also mark down the packets to a different level.
This markdown could impact your applications, for example. So you have to basically mark your packets correctly so that the service provider receives it correctly and doesn’t mark it down. And once it crosses the when provider network and get it treated with a proper QoS and doesn’t get marked down when it arrives to your remote site, for example, policy has to be consistent. So let’s say if I give my voice expedited forwarding in QS domain, the HQs domain, and then in the remote side I don’t give it expedited forwarding. So if it’s not configured correctly end to end, meaning that my configuration here will not help much because the packet might be delayed on the other side.
So consistency has to be done across the board. So you have to have an understanding on what routers or what devices on the path can mark down your traffic and what type of tag is expected on the service provider network so that you don’t get marked down. And then you have to have your devices configured correctly on both sides so that the application that gets a special treatment on QS domain A and HQ can get the same treatment on the QS domain in the remote site.
4. QoS Classification and Markings Example
In this lecture we will see how to do the QoS marking on the Palo Alto Firewall. So in the previous lecture or two lectures back, we did restrict the upload and download bandwidth for an application. In this lecture we want to make sure that the traffic, if it goes across the Palo Alto Firewall, it has the proper marking. So this is achieved in the security profile rules. So in our case, I want to make sure, based on best practices, the voice traffic from trust to untrust if it matches the application RTP which is the audio stream and the voice application or RTP based RTP audio. So those are typical voice of IP media channels. I want to basically give it a QS marking of the best practice which is EF. In order for me to test it. I’m going to add another application here so I can test it. That’s CNN video just to be able to test it and I’m going to mark it to EF.
Basically the firewall is my trust boundary and I want to enforce that voice RP traffic gets marked with EF. So I’m going to basically mark it with EF. But then I need to put it in a class that guarantees the real time queue, which is the low latency queue, and give it a bandwidth allocation and put this up top so it matches. And then I’m going to add another one for signaling. Voice signaling source is trust, destination is on Trust and put the application H 323, Sip. And those are the two voice signaling and RTCP. In order for me to test it, I’m going to add Yahoo. We’ll put yahoo. Find another category here, MSN base, so that’s going to be MSN and we will basically give it the QS marking of AF 41.
So you see here I got another icon that shows up under options for QS marking. And then I am going to put a category of business apps. We’ll put as an example destination on trust application telenet SSH. We’ll give it marking Rpdscp F 21 and I can test easily association from that. And then I’m going to put the Scavenger, which is application. I want to get to it all scavenger on trust, peer to peer applications, add an application filter and then specify that it’s peer to peer application technology, peer to peer risk five excessive bandwidth. And then I’m going to give this, this Scavenger class which is CS one in order for me to test it. I am going to add an application here, Netflix and give it a CS One.
What I did here is unmarked the traffic to make sure when it leaves my QS domain it has the proper marking. So like I mentioned in a previous lecture, it doesn’t get dropped by the service provider. So the marking in of itself is not going to allow me to give it preferential treatment or lower treatment. On the firewall. I have to assign it to a class. So to assign it to a class, I’m going to go to the QS rules. Right now I have SSL and web class one. I’m going to add rules here with voiceover IP traffic basically match the same thing as I did on the policy itself. But the goal of this is to put it in its own category, application RTP, Rtpbase, RTP Audio and then put CNN and then the other settings.
I’m going to put it in class. This is voice wrappy. So I’m going to give it the class seven. So now I put it up top. So first match text effect. In this case it’s not going to match the first rule because it’s not yeah, SSL or web browsing. I’m gonna add another rule here for signaling. It was RTCP H dot 323 and sip. And I’m gonna give it class six. Other one that I put in here for testing, I put MSM base. So this is class six. And then the rule for business apps that has association telnet, give it class four. I need to add the applications, give it class four. And then Scavenger, which the application I want to get rid of or I want to basically make it slight miserable applications. We had peer to peer application filter and I think I had also another application here, I’ll leave this for now.
And then other settings, I’m going to give it class two. Let’s see what the security policy had here. Peer to peer, Netflix based and Netflix streaming. Okay, so now I basically allocated four different classes and I want to enforce bandwidth and queue and requirements on my egress interface. So my egress interface in this case, in my case is actually Ethernet one one. I’m going to go to networks and then I’m going to add a QS profile untrust. And then class seven is my voice, so it needs to have real time. And then I can give it an egress guarantee of one meg. Class seven. Class six is signaling. I’m going to give it priority medium and give it the bandwidth. Eager is guaranteed of 250 kwh. And then class four was for my class four was class four was for my Association Telnet and I’m going to give Association Telnet medium priority.
Let’s give signaling higher priority in the medium. So class four is medium and egress guaranteed. We’re going to give it 0. 5 meg. And then class two is my Scavenger. So that will be low priority. Low means it can draw, get dropped sooner and I’m going to restrict its bandwidth to 00:25 meg. And then my general population traffic was class one. Class one, it was basically not marked. So basically any other traffic in my case matches SSL and web browsing. So I’m going to give that class one the rest of the bandwidth and give it the egress guaranteed of Tubac because that’s the majority of my traffic. Then I’m going to go to the QS profile and attach it to the interface. Interface name ethernet eleven clear text is untrust and that’s basically all what I need to do. And then I’m going to go ahead and commit go to policies.
So let’s test the CNN video. I’m going to go ahead and SSH to my firewall so I can see the sessions and I’m going to try to access CNN from my machine. Let’s find a video on CNN. Let’s see the statistics. Oh, the wrong class here. Isn’t that one one statistics. I see class one or class seven applications, not sure why, it’s too slow. So the default class is class four and I basically showed down class four to because everything goes under class four by default. So let me fix that under QS profile and I’m going to change class four to class five policies. Change class four to class five and I’m going to remove the other profile on the trust side so that they don’t have showcase on the trust side.
So under QoS I’m going to remove the trust interface policy. So let’s find a session for CNN video application CNN. Okay, I have the CNN video here, session 84, ID 84. So you see here that’s assigned class seven. And if I look at the interface statistics I will see class seven has okay, it’s here. Class seven has the bandwidth and it’s allocated the bandwidth, you’ll see the application matching. So I did two things. If I look at the session through session I’ll find the latest 1423. I see here that it got assigned a QS class on the Egress interface which is client to server. And we see that it was assigned class seven and also it was marked with EF. But because I marked it with EF, probably CNN itself down so it’s causing it to be sluggish. I can do the same thing with SSH, intel net basically that’s the concept. We’ll look at it further in the next lecture.
5. IPSec QoS lab setup overview
So in this lecture we will look at IPsec QoS. Outside of providing QS for regular traffic, you can provide QoS for IPsec traffic. So what I have created is this network. There’s three sites, basically all three sites have an untrust interface connected to an internet router. The inside interface is connected to land router and then you have internal network where a host device is connected PC. It’s a Windows XP machine. So I have those three sides here and you’re more than welcome to create the same type of diagram and your even G if you use even G for that. So what I’m going to do is provide you guys the configuration of all those three Palo ALOTO firewalls, the internet router, the three routers, those are IOL routers and then the Windows Ten machine, you configure them on the network for the site.
So for example this Windows XP machine or this Windows machine, ten 113, five on the same network as the internal router. Then when ten dot one dot 23, five on the same network as the internal land network and so on, we look at the configuration of the Palo Alto firewalls. What I basically have right now is let’s show you the configuration. If you look at the network interfaces we have ethernet interfaces for site one, Palo Alto one one three for the untrust and ten 1124 for the trust and then the same for the other two corresponding IP address changes for the untrust and trust you have the two dot two dot one two three dot one.
And this internet router has just three interfaces, 11212 and three two providing an activity to between those three sites. And then I have this new, this link just in case I want to connect to the rest of the network. I can basically establish default route here and add it net the traffic and then send the traffic out the focus. And then this lecture and the upcoming lecture is the QoS configuration. Then we have I detect tunnels to the other remote locations. So on site one firewall we have two tunnels site from site one to side two and one from site one to side three. And then we kind of have a full mesh in side two. We have a tunnel from side two to side one and from side two to side three.
And then inside three we have a tunnel between site two and site one. So we have a full mesh between the networks. On the policy side, our focus right now is on the QIS. So security policies allow all the traffic across all three firewalls. Allow all traffic across three firewalls. So I’m going to post the configuration for the routers and for the Palo Alto firewall and the lecture resources so you can build it in your environment. I’ll also put the Evange file this way you can import it. However we’re going to have to change those devices to match your own Windows machine or Linux machine that you create on your. eveng so this way you can do testing and ping across the different sites.