Egress QoS and Ingress QoS

QoS, or Quality of Service, is a networking term for any technique that defines and enforces a prioritization scheme for IP packets. It lets the IT manager establish QoS policies that protect critical traffic flows in both the egress direction (traffic leaving your LAN for the Internet) and the ingress direction (traffic arriving into your LAN).

Traditionally, consumer and enterprise networks download far more from the Internet than they upload, which is one reason service plans (and the SLAs behind them) are so skewed toward download speed. A 10:1 ratio, such as 100 Mbps down and 10 Mbps up, is common. Times are changing, though: with the large-scale adoption of “as-a-Service” cloud offerings and other cloud-based infrastructure, traffic has grown significantly in both directions. Yet the industry still treats QoS as a primarily “egress-oriented” discipline, even as inbound QoS becomes more important by the day.

Ingress Traffic Increasing

As mentioned, over roughly the last ten years the volume of traffic flowing into corporate LANs has exploded. Large-scale mesh networks, point-to-point links between branch offices, cloud computing, “as-a-Service” offerings, VoIP, real-time video conferencing, live video streaming and unified communications in general make up a large share of the traffic that needs QoS to perform well, and most of it flows into corporate and branch LANs. Another large source of incoming real-time traffic is still in its infancy: IoT, the Internet of Things.

Ingress QoS uses many of the same techniques as egress QoS (traffic classification, prioritization and traffic shaping, covered below), applied in the opposite direction. Traffic generated in-house on the LAN only needs to be marked and then shaped (rate-limited) before it is sent out; each hop it encounters will, ideally, honour the DSCP marking (more below) and queue and schedule the packet according to its priority. In practice most ISPs ignore or rewrite DSCP at their edge, so markings can be relied on only within networks you control or that contractually honour them (an MPLS service or an SD-WAN overlay, for instance).

Inbound QoS is harder, because a packet can only be prioritized at the bottleneck it passes through. If the bottleneck is a hop or two upstream of the LAN edge device, the edge device has no control over how packets are queued there; that traffic cannot be shaped by us. The network responsible for inbound QoS must therefore own the bottleneck node so it can queue and schedule incoming packets by their priority to our LAN, which in practice means deliberately making the edge device the slowest point in the path. A good discussion of this appears in a NetworkWorld article, which states, “for an inbound QoS solution to be the authoritative control point for traffic entering a site, it must employ unique techniques to ensure it solely plays the role of traffic shaper.” The article also briefly discusses three such techniques: TCP control, flow control and link control.

Why QoS?

Some Internet applications are more forgiving than others: some tolerate network performance problems well, others tolerate very little. The network parameters of interest are bandwidth, latency, jitter and packet loss. They fluctuate constantly, but as long as the network is not congested, most packets arrive in a “timely enough” manner and applications perform well. A forgiving example is bulk file transfer, commonly used for data replication between sites; an unforgiving one is an interactive voice call.

When the network becomes congested, more traffic is being offered than it can carry. Queues and buffers fill up or bloat, packets are dropped out of necessity, and both individual applications and the network as a whole suffer temporary performance degradations (brownouts) or outright failures (blackouts).

The QoS System

QoS, in general terms, is a system of operations performed by various network components. The overall QoS system typically comprises the following activities:

  • Identification, classification, marking – determine each packet’s traffic class and mark it, usually in the IP header (DSCP), in the Ethernet frame (802.1p CoS), or both.
  • Congestion management and avoidance (queueing and scheduling) – maintains multiple queues so that high-priority packets get more of the available bandwidth and are delivered on time. Avoids congestion by dropping lower-priority packets early (weighted random early detection, for example) so that buffers do not bloat.
  • Traffic shaping and policing – enforces a predetermined traffic profile on a flow or interface. A shaper delays excess packets until they conform to the profile; a policer drops (or remarks) them immediately.
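
To make the shaper/policer distinction concrete, here is a small simulation added for this article (it is not Mushroom Networks code and models no particular product). It feeds one constructed burst, ten 1500-byte packets leaving a 100 Mbit/s LAN back-to-back toward a 10 Mbit/s uplink, through a token-bucket policer and a token-bucket shaper with a bounded FIFO. The rates, burst size and buffer size are illustrative assumptions.

```python
"""Token-bucket policer vs shaper on one constructed burst.

Added example for this article, not Mushroom Networks code and not a model
of any particular product.  Times are microseconds; tokens are kept in
"bit-microseconds" (1 byte = 8_000_000 units, refill = rate_bps units per
microsecond) so every calculation is exact integer arithmetic.
"""
from dataclasses import dataclass

UNITS_PER_BYTE = 8 * 1_000_000


@dataclass
class Result:
    forwarded: int
    dropped: int
    max_delay_us: int


def burst(n: int = 10, size: int = 1500, gap_us: int = 120) -> list:
    """Constructed trace: n packets back-to-back at 100 Mbit/s (1500 B every 120 us)."""
    return [(i * gap_us, size) for i in range(n)]


def police(packets, rate_bps: int, burst_bytes: int) -> Result:
    """Policer: a packet the bucket cannot cover is dropped; nothing is ever delayed."""
    cap = burst_bytes * UNITS_PER_BYTE
    tokens, last = cap, 0               # bucket starts full
    fwd = drop = 0
    for arrival, size in packets:
        tokens = min(cap, tokens + rate_bps * (arrival - last))
        last = arrival
        if tokens >= size * UNITS_PER_BYTE:
            tokens -= size * UNITS_PER_BYTE
            fwd += 1
        else:
            drop += 1                   # non-conforming (a real policer might remark instead)
    return Result(fwd, drop, 0)


def shape(packets, rate_bps: int, burst_bytes: int, buffer_bytes: int) -> Result:
    """Shaper: non-conforming packets wait in a FIFO of buffer_bytes; overflow is tail-dropped."""
    cap = burst_bytes * UNITS_PER_BYTE
    tokens, tokens_at = cap, 0
    departures = []                     # (departure_us, size) of packets already admitted
    last_dep = 0
    fwd = drop = max_delay = 0
    for arrival, size in packets:
        if size * UNITS_PER_BYTE > cap:
            raise ValueError("burst must be at least one MTU or the packet can never conform")
        queued = sum(s for d, s in departures if d > arrival)   # bytes still waiting
        if queued + size > buffer_bytes:
            drop += 1                   # buffer full: this is where a shaper loses packets
            continue
        start = max(arrival, last_dep)  # FIFO: cannot leave before the previous packet
        tokens = min(cap, tokens + rate_bps * (start - tokens_at))
        tokens_at = start
        need = size * UNITS_PER_BYTE
        if tokens < need:               # wait until the bucket has refilled enough
            wait = -(-(need - tokens) // rate_bps)              # ceil division, in us
            start += wait
            tokens = min(cap, tokens + rate_bps * wait)
            tokens_at = start
        tokens -= need
        departures.append((start, size))
        last_dep = start
        fwd += 1
        max_delay = max(max_delay, start - arrival)
    return Result(fwd, drop, max_delay)


def compare(rate_bps: int = 10_000_000, burst_bytes: int = 1500, buffer_bytes: int = 16_000):
    """Run both disciplines over the same burst and return (policer, shaper) results."""
    pkts = burst()
    return police(pkts, rate_bps, burst_bytes), shape(pkts, rate_bps, burst_bytes, buffer_bytes)


if __name__ == "__main__":
    policer, shaper = compare()
    print("policer:", policer)          # 1 forwarded, 9 dropped, no delay
    print("shaper: ", shaper)           # 10 forwarded, 0 dropped, 9720 us worst-case delay
    print("shaper, 6000 B buffer:", shape(burst(), 10_000_000, 1500, 6000))  # 5 forwarded, 5 dropped
```

The policer queues nothing but forwards only the first packet of the burst; the shaper delivers the whole burst at the contracted rate, at the cost of up to 9.7 ms of queuing delay for the last packet. That delay is exactly the bloat the queue-management bullet above warns about, which is why a shaper’s buffer has to be bounded (or managed by an AQM such as fq_codel) rather than allowed to grow.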

How QoS Works

QoS has three general models for improving network and application performance. The first is “best effort” (really no QoS at all): all packets get the same treatment and the network simply tries its best to deliver them, with no guarantee of timely delivery, or of delivery at all. For real-time traffic this is no longer acceptable, so more robust models are needed.

Integrated Services (IntServ) is a model in which applications request bandwidth and resource reservations from the network (using RSVP signaling), and every router along the path keeps per-flow state to honour the reservation. IntServ is difficult to scale and taxing on network resources, so it is no longer widely used.

Differentiated Services (DiffServ) is the more practical solution: traffic is classified and prioritized into a small number of aggregate classes, such as VoIP or live-streaming media, and companies can define their own prioritization schemes for specific traffic. The class is carried in the IP header: the old ToS (type of service) octet was redefined as the DS field, with 6 bits for the code point and the remaining 2 bits for ECN. Classification may also be carried at Layer 2, in the 3-bit priority (802.1p CoS) field of the 802.1Q VLAN tag.

The 6 bits allow 64 distinct code points, referred to as DSCP (Differentiated Services Code Point) values. DSCP-aware devices such as routers and switches select a queue and a drop policy for a packet based on its DSCP, so the value identifies both a traffic class and the “per-hop behaviour” (PHB) the packet should receive at each hop through the Internet or your LAN. DSCP values can be expressed numerically or by keyword. Besides the default PHB, Best Effort (BE, DSCP 0), three PHB groups are defined: Class Selector (CSx), Assured Forwarding (AFxy, where x is the AF class and y the drop precedence) and Expedited Forwarding (EF). The CS code points have the form xxx000, so only the upper 3 bits are used; this keeps them backward compatible with the older IP Precedence interpretation of the ToS field (CS3 is DSCP 24, precedence 3).

Best Effort (the default PHB) means the device treats all packets equally and forwards them when it can; when it cannot, it drops from the tail of the queue once the queue is full. Expedited Forwarding is for packets that need low loss, low latency and low jitter, typically voice: they are served from a strict-priority queue ahead of everything else, but the rate admitted into that queue must be policed, otherwise a flood of EF-marked packets starves every other class. Assured Forwarding is for medium-priority traffic and is split into four classes, each with three levels of “drop precedence”; within a class, packets with higher drop precedence are dropped first when the class is congested. So the most important traffic that does not quite qualify for expedited forwarding would be marked AF41 (class 4, lowest drop precedence), and the least important traffic that still deserves better than best effort would be marked AF13 (class 1, highest drop precedence). In numbers, the AF code point is 8 × class + 2 × drop precedence, so AF41 = 34 and AF13 = 14; EF is 46.
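The bit layout described above is easiest to see in code. The following is an added example, not part of the original article: it decodes the DS field of a raw IPv4 header into DSCP, PHB name and ECN bits, converts AF class/drop pairs to and from code points, and re-marks a header while fixing the IPv4 checksum. The headers it works on are constructed inline for the demonstration. The re-marking path is the security-relevant part: a DSCP is just six bits any sender can set, so an edge device that honours markings from untrusted hosts lets any client put its traffic in the EF queue. The usual answer is to re-mark at the trust boundary, which is also what most ISPs do and why markings rarely survive the public Internet.

```python
"""Decode and re-mark the DiffServ field of IPv4 headers.

Added example for this article, not code from Mushroom Networks.  The IPv4
headers below are constructed in make_header(); no real traffic is used.
Code points follow RFC 2474 (DS field, class selectors), RFC 2597 (AF)
and RFC 3246 (EF).
"""
import struct

EF = 46  # 0b101110: Expedited Forwarding


def dscp_name(dscp: int) -> str:
    """Map a 6-bit DSCP to its PHB keyword: BE, CSx, AFxy, EF, or 'dscp NN'."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    if dscp == 0:
        return "BE"                      # default PHB
    if dscp == EF:
        return "EF"
    cls, low3 = dscp >> 3, dscp & 0b111  # upper 3 bits = class / IP precedence
    if low3 == 0:
        return f"CS{cls}"                # xxx000: class selector
    drop = low3 >> 1                     # AF layout: xxx dd 0, dd = drop precedence
    if 1 <= cls <= 4 and 1 <= drop <= 3 and low3 & 1 == 0:
        return f"AF{cls}{drop}"
    return f"dscp {dscp}"                # a code point outside the groups above


def af_codepoint(cls: int, drop: int) -> int:
    """AFxy -> DSCP = 8*x + 2*y (e.g. AF41 = 34, AF13 = 14)."""
    if not (1 <= cls <= 4 and 1 <= drop <= 3):
        raise ValueError("AF class is 1..4, drop precedence 1..3")
    return (cls << 3) | (drop << 1)


def parse_ds_field(header: bytes) -> dict:
    """DSCP, PHB name, ECN and legacy IP precedence from a raw IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ds = header[1]                       # second octet: the former ToS byte
    dscp, ecn = ds >> 2, ds & 0b11
    # the top 3 bits double as IP Precedence and are the usual DSCP -> 802.1p CoS mapping
    return {"dscp": dscp, "phb": dscp_name(dscp), "ecn": ecn, "precedence": dscp >> 3}


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words with the checksum field zeroed."""
    h = bytearray(header)
    h[10:12] = b"\x00\x00"
    total = sum(struct.unpack(f"!{len(h) // 2}H", bytes(h)))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def checksum_ok(header: bytes) -> bool:
    """A header with a valid checksum sums to 0xFFFF when the checksum is included."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def remark(header: bytes, dscp: int) -> bytes:
    """Rewrite the DSCP (keeping the ECN bits) and fix the header checksum.

    This is what an edge device does at a trust boundary: a host that marks
    its own bulk traffic EF would otherwise jump the priority queue, so
    markings from untrusted sources are reset to BE (or to whatever class
    the edge policy assigns) before queuing.
    """
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    h = bytearray(header)
    h[1] = (dscp << 2) | (h[1] & 0b11)
    h[10:12] = ipv4_checksum(bytes(h)).to_bytes(2, "big")
    return bytes(h)


def make_header(ds_byte: int) -> bytes:
    """Constructed 20-byte IPv4/UDP header 10.0.0.1 -> 10.0.0.2 with the given DS byte."""
    h = struct.pack("!BBHHHBBH4s4s", 0x45, ds_byte, 20, 0, 0, 64, 17, 0,
                    bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return h[:10] + ipv4_checksum(h).to_bytes(2, "big") + h[12:]


if __name__ == "__main__":
    for ds in (0xB8, 0x88, 0x60, 0x01):  # EF, AF41, CS3, BE with ECT(1)
        print(hex(ds), parse_ds_field(make_header(ds)))
    untrusted = make_header(0xB9)        # a client claiming EF on its own traffic
    print(parse_ds_field(remark(untrusted, 0)))  # -> BE, ECN preserved, checksum valid
```

The DS byte on the wire is the DSCP shifted left by two (EF 46 becomes 0xB8, AF41 34 becomes 0x88), which is the form tc, iptables and packet captures show; that shift is the most common source of off-by-a-factor-of-four mistakes when writing classifiers by hand.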

Cisco’s QoS Baseline is a strategic document written to unify QoS within Cisco, and it remains a definitive reference. The document states that “The QoS Baseline provides uniform, standards-based recommendations to help ensure that QoS products, designs, and deployments are unified and consistent. The QoS Baseline defines up to 11 classes of traffic that may be viewed as critical to a given enterprise. A summary of these classes and their respective standards-based markings and recommended QoS configurations is shown below.”

So, drawing on the Baseline’s mappings, here are its recommended markings for the common traffic types that use assured forwarding (voice itself is marked EF in the Baseline, not AF):

  • Interactive Video: AF41, most important AF traffic
  • Mission Critical Data (locally defined): AF31
  • Transactional Data (DLSw, SQL, SAP): AF21
  • Bulk Data (email, FTP, backups): AF11, least important traffic

Implementing QoS on SD-WAN routers

An IT manager needs to map all network traffic to DSCP values in order to reap the benefits of an efficient prioritization scheme, in both the egress and the ingress direction. The mapping may follow an industry standard such as the Cisco QoS Baseline, or it may implement a vendor-specific or company-proprietary QoS scheme.

As an example of how an IT manager might use QoS to prioritize IPsec or VoIP traffic, the procedure is straightforward on an SD-WAN router with broadband bonding and adequate traffic-management capabilities. The device should offer a simple way to define QoS policy and bandwidth reservations for critical applications or traffic, support application-aware (layer 7) traffic classification, provide a web-based GUI for configuring individual devices, and include a management and monitoring portal for the whole fleet of corporate assets.

To set up QoS on a particular WAN interface, the IT manager first creates a WAN QoS shaper rule on that interface. Typically the interface is shaped to about 90% of the bandwidth the service provider delivers, in both the egress and the ingress direction: if the uplink rate is 100 Mbps, the shaping rule specifies 90 Mbps. Shaping below the provider’s rate makes the edge device the bottleneck, so queuing happens in its queue, where the policy applies, rather than in the ISP’s, where it does not. That is what gives the edge device the ability to allocate bandwidth among application classes even in the presence of ISP throttling or traffic bursts and spikes. The 10% headroom is a rule of thumb; measure the rate the link actually delivers, because a link that the provider oversubscribes needs a lower shaping rate to stay in control.

Once the interface has been shaped, application traffic reservations and priorities can be created. To carve out 10 Mbps of uplink (egress) for IPsec traffic, the IT manager selects the desired WAN interface, allocates the 10 Mbps by protocol and sets the priority level. For IPsec the protocol is “esp” (IP protocol 50); if the tunnels traverse NAT, the traffic is encapsulated as UDP on port 4500 (NAT-T) instead, so that must be matched as well.

Using application-aware layer 7 filtering, one can reserve bandwidth and assign high priority to SIP (Session Initiation Protocol) traffic, the most widely used signaling protocol for unified communications. To carve out 1 Mbps for VoIP, the IT manager selects the pre-shaped WAN interface, chooses the desired bandwidth and priority, and assigns them to the layer 7 protocol “SIP”. Note that SIP carries only the call signaling; the voice itself travels as RTP on ports negotiated per call, so the classifier must also recognise the RTP streams (through layer 7 inspection or through the EF marking the phones apply), or the reservation will protect the ringing but not the conversation.

Once these QoS rules are established, the WAN interface guarantees the allocated bandwidth to the matching traffic. When no SIP traffic is present, the bandwidth reserved for SIP is available to generic traffic; as soon as SIP traffic is detected, the reservation kicks in and SIP gets its guaranteed bandwidth and high priority over other traffic types.
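Here is how the same three steps (shape to 90%, reserve 10 Mbit/s for IPsec, reserve 1 Mbit/s for voice, in both directions) look when written out for a Linux edge router with iproute2’s tc, as an added example rather than the vendor GUI described above or Mushroom Networks code. Assumptions not in the original: the router runs Linux with the sch_htb, sch_fq_codel and ifb modules; IPsec is recognised as ESP (IP protocol 50) rather than by layer 7 inspection; SIP is UDP/5060 and the voice media is assumed to reach the router already marked EF by the phones (RTP ports are negotiated per call, so a port match alone cannot catch them); interface names and the link rate are parameters. The script only prints the commands unless asked to apply them. Ingress is handled the way the earlier section on inbound QoS describes: received packets are redirected through an ifb device whose queue becomes the bottleneck, and dropping or delaying them there is what makes remote TCP senders slow down (UDP media does not react, which is why it gets a reservation instead).

```python
"""Generate (and optionally apply) a Linux tc/HTB configuration for the
procedure above: shape the WAN link to 90% in both directions, reserve
10 Mbit/s for IPsec (ESP) and 1 Mbit/s for SIP/voice, let idle reservations
be borrowed, and shape ingress through an ifb device.

Added example for this article, not Mushroom Networks code.  Assumes Linux
with iproute2 (tc, ip) and the sch_htb, sch_fq_codel and ifb modules.
"""
import subprocess
from typing import List

SHAPE_PCT = 90          # headroom so this box, not the ISP, owns the bottleneck queue
IPSEC_MBIT = 10         # guaranteed rate for ESP
VOICE_MBIT = 1          # guaranteed rate for SIP signaling + EF-marked media
EF_DS_BYTE = "0xb8"     # DSCP 46 << 2; the 0xfc mask ignores the two ECN bits


def shaped_rate(link_mbit: int) -> int:
    """90% of the provider's rate, integer Mbit/s."""
    return link_mbit * SHAPE_PCT // 100


def htb_tree(dev: str, total_mbit: int, sip_port_dir: str) -> List[List[str]]:
    """HTB root plus three leaf classes on dev.  'rate' is the guarantee, 'ceil'
    lets a class borrow up to the shaped total while others are idle, 'prio'
    decides who is served first when several classes have a backlog.
    sip_port_dir is 'dport' on the WAN egress side and 'sport' on the ifb
    (ingress) side, because there the SIP server is the sender."""
    rest = total_mbit - IPSEC_MBIT - VOICE_MBIT
    if rest <= 0:
        raise ValueError("reservations exceed the shaped rate")
    t = f"{total_mbit}mbit"
    cmds = [
        ["tc", "qdisc", "add", "dev", dev, "root", "handle", "1:", "htb", "default", "30"],
        ["tc", "class", "add", "dev", dev, "parent", "1:", "classid", "1:1", "htb",
         "rate", t, "ceil", t],
        ["tc", "class", "add", "dev", dev, "parent", "1:1", "classid", "1:10", "htb",
         "rate", f"{VOICE_MBIT}mbit", "ceil", t, "prio", "0"],
        ["tc", "class", "add", "dev", dev, "parent", "1:1", "classid", "1:20", "htb",
         "rate", f"{IPSEC_MBIT}mbit", "ceil", t, "prio", "1"],
        ["tc", "class", "add", "dev", dev, "parent", "1:1", "classid", "1:30", "htb",
         "rate", f"{rest}mbit", "ceil", t, "prio", "2"],
    ]
    # fq_codel on every leaf keeps the queue we deliberately created from bloating
    cmds += [["tc", "qdisc", "add", "dev", dev, "parent", f"1:{c}", "fq_codel"]
             for c in (10, 20, 30)]
    # classification: ESP -> IPsec class; SIP signaling and EF-marked media -> voice class
    cmds += [
        ["tc", "filter", "add", "dev", dev, "parent", "1:", "protocol", "ip", "prio", "1",
         "u32", "match", "ip", "protocol", "50", "0xff", "flowid", "1:20"],
        ["tc", "filter", "add", "dev", dev, "parent", "1:", "protocol", "ip", "prio", "2",
         "u32", "match", "ip", "protocol", "17", "0xff",
         "match", "ip", sip_port_dir, "5060", "0xffff", "flowid", "1:10"],
        ["tc", "filter", "add", "dev", dev, "parent", "1:", "protocol", "ip", "prio", "3",
         "u32", "match", "ip", "dsfield", EF_DS_BYTE, "0xfc", "flowid", "1:10"],
    ]
    return cmds


def build_commands(wan: str, link_mbit: int, ifb: str = "ifb0") -> List[List[str]]:
    """Egress tree on the WAN interface, then ingress via redirect to an ifb device."""
    total = shaped_rate(link_mbit)
    cmds = htb_tree(wan, total, "dport")                    # egress: what we send
    cmds += [                                               # ingress: redirect, then shape
        ["modprobe", "ifb"],
        ["ip", "link", "add", ifb, "type", "ifb"],
        ["ip", "link", "set", ifb, "up"],
        ["tc", "qdisc", "add", "dev", wan, "handle", "ffff:", "ingress"],
        ["tc", "filter", "add", "dev", wan, "parent", "ffff:", "protocol", "ip", "u32",
         "match", "u32", "0", "0", "action", "mirred", "egress", "redirect", "dev", ifb],
    ]
    cmds += htb_tree(ifb, total, "sport")                   # received packets: match SIP by source port
    return cmds


def run_commands(cmds: List[List[str]], dry_run: bool = True) -> int:
    """Print every command; execute them too (as root) when dry_run is False."""
    for c in cmds:
        print(" ".join(c))
        if not dry_run:
            subprocess.run(c, check=True)
    return len(cmds)


if __name__ == "__main__":
    run_commands(build_commands("eth0", 100))   # dry run; pass dry_run=False on the router
```

Run it as is to review the generated commands; on the router, call `run_commands(build_commands("eth0", 100), dry_run=False)` as root. It assumes no root qdisc is already attached to the WAN interface (remove one first with `tc qdisc del dev eth0 root`). Because `rate` is the guarantee and `ceil` the borrowing limit, an idle voice or IPsec reservation is used by the default class until matching traffic appears, which is the behaviour the paragraph above describes.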

Tunnels need QoS too

If you are interested in maximizing the performance of your networks, hopefully you are already using SD-WAN (software-defined wide area networking) to aggregate or bond your various WAN links. Overlay SD-WAN tunnels provide VPN-like connections whose path-selection algorithms route around network problems and shield applications from connectivity issues. QoS control of these tunnels, in both the egress and the ingress direction, should allow bandwidth reservations and prioritization for the tunnel itself as well as for all the traffic it carries, and the solution should provide a rich set of capabilities for optimizing the overlay per application. A tunnel also preserves the inner packet’s DSCP end to end, so markings applied at one site can be acted on at the other even when the ISPs in between ignore them.

Select SD-WAN vendors take a more turnkey approach to QoS in their tunneling technology: the system recognizes application classes automatically and applies the QoS appropriate to each class, with further customization available for more advanced configurations. This keeps the network on autopilot with minimal human intervention and should be preferred.

Next Steps

If your company’s QoS capabilities could use an upgrade, here are the three primary requirements that you, the IT manager, should demand from a QoS router:

  • Real-time traffic handling – An agile and flexible toolset for managing the bandwidth of interactive traffic such as VoIP (Voice over IP) and video conferencing is a must-have in a QoS router. Look for layer 7 deep-packet inspection with built-in application libraries and, more importantly, the ability to carve out guaranteed bandwidth for those applications adaptively.
  • Agile egress/outbound QoS – Legacy QoS routers cannot guarantee bandwidth to specific traffic types and applications dynamically. A highly adaptive outbound QoS capability provides guaranteed, carved-out bandwidth dedicated to the application without sacrificing overall bandwidth utilization; in other words, the QoS mechanism should let other applications use the carved-out bandwidth whenever the real-time application is not present on the network at that moment.
  • Ingress/inbound QoS – Inbound QoS is usually overlooked, and sometimes neglected by QoS router vendors because of its complexity, but as a customer you should demand effective inbound QoS features that are as automated as possible. Modern routers with capable bandwidth managers can control inbound traffic with good accuracy, providing much-needed QoS in the inbound direction. This means you get crystal-clear VoIP calls even while a coworker at the next desk is downloading a favorite dancing cat video from YouTube.

Rob Stone, Mushroom Networks, Inc. 

Mushroom Networks is the provider of Broadband Bonding appliances that put your networks on auto-pilot. Application flows are intelligently routed around network problems such as latency, jitter and packet loss. Network problems are solved even before you can notice.



© 2004 – 2020 Mushroom Networks Inc. All rights reserved.
