This document describes the Cisco-Viptela approach to implementing Quality of Service (QoS) with Software-Defined WAN (SD-WAN). SD-WAN is the most recent innovation to be adopted by enterprises, businesses, and organizations across the world. The new wave of SD-WAN technologies allows governments and businesses to support critical applications without additional hassle. Even though the cloud has greatly simplified capacity provisioning, it introduces several new challenges in the area of QoS management: the SD-WAN needs to match the levels of performance, reliability, and availability offered by an application and by the platform or infrastructure that hosts it.
Cisco recommends that you have knowledge of these topics:
The information in this document is based on these software and hardware versions:
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Until recently, networks were built strictly around the structure of the underlying transmission networks. Some solutions, such as Multiprotocol Label Switching (MPLS) Traffic Engineering, influenced path selection between nodes, but every device from source to destination had to be programmed individually to permit or deny the traffic that flows between two endpoints, and each device made its decisions autonomously.
Traditional carrier services such as an IP VPN or MPLS have long been assumed by many to be the only way to reliably deliver QoS for an organization. The biggest downside of MPLS is bandwidth cost. Today's consumers are increasingly interested in bandwidth-hungry multimedia content such as video and Augmented Reality (AR)/Virtual Reality (VR), and the high per-megabit cost that MPLS demands can be out of reach. Finally, an MPLS network does not offer built-in data protection, and if it is incorrectly implemented, it can expose the network to vulnerabilities.
Also, from a security point of view, MPLS traffic is not encrypted by default. MPLS networks offer many security features; however, their traditional VPN solutions are not without challenges. A pre-shared key is typically used to authenticate IPsec VPN devices, but managing a large number of pre-shared keys across many devices does not scale and is less secure.
The SD-WAN approach, on the other hand, uses centralized WAN controllers to host and manage all adjacencies with the nodes in the network, which provides flexibility in the creation and enforcement of policies. Because each device peers only with the controllers for connectivity and control-plane policy, the way data traffic is passed between service nodes can be adjusted dynamically based on overall visibility into network conditions. As shown here, each router advertises its local information to the controller, which allows data flow to be manipulated easily by the central controller through policies enforced at every local router.
In this example, R1 and R4 have no pairwise adjacency, only a data-plane path, so the central controller can easily control and modify the traffic flow. For example, it can have all prefixes from R1 advertised to R4 via R3, or have certain prefixes advertised to R4 via R3 while others are advertised directly from R1, where R3 could be the point at which a firewall policy is applied. Compared with traditional network topologies, this approach dramatically reduces the volume of data-plane policy that must be implemented at each router. SD-WAN is an overlay network that helps administrators identify critical traffic and give it special treatment throughout the network.
In the SD-WAN overlay network, QoS operates by examining packets as they enter at the edge of the network. Each vEdge router in the network must be configured to provision QoS. Once the SD-WAN overlay network and the control-plane connections are up and running, data traffic flows automatically over the IPsec connections between vEdge routers. The default data-packet forwarding flow can be modified by creating and applying a centralized data policy or a localized data policy.
Centralized data policy controls the path that traffic takes through the network, and traffic can be permitted or blocked based on the address, port, and Differentiated Services Code Point (DSCP) fields in the packet's IP header.
Localized data policy controls the flow of data traffic into and out of a vEdge router's interfaces and enables features such as QoS. The policy is activated by applying access lists to an interface, in either the outbound or the inbound direction.
Each interface has eight queues on hardware vEdge routers, numbered from 0 to 7. Queue 0 is reserved and is used for both control traffic and low-latency queuing (LLQ) traffic. For LLQ, any class that is mapped to queue 0 must also be configured to use LLQ. All control traffic is transmitted. Queues 1 to 7 are available for data traffic.
As illustrated in Image 2, QoS policies are applied to a data packet as it is transmitted from one branch to another:
1. Classify Input - Incoming traffic is classified by associating each packet with a forwarding class. Forwarding classes group data packets and, based on the forwarding class, assign packets to output queues for transmission to their destination.
2. Input ACLs and Define Policer - The maximum rate of traffic sent or received on an interface can be controlled by configuring policers, which can also be used to partition a network into multiple priority levels. Policers applied to inbound interface traffic allow you to conserve resources by dropping traffic that does not need to be routed through the network.
3. Route Lookup - The vEdge router checks its local route table to determine which interface the packet should use to reach its destination.
4. Output ACLs and Policer - Traffic that conforms to the policer rate is transmitted, and traffic that exceeds the policer rate is sent with a decreased priority or is dropped. Policers applied to outbound interface traffic control the amount of bandwidth used.
5. Output Scheduling - Packets can be prioritized by configuring a QoS map for each output queue that specifies the bandwidth, delay buffer size, and Packet Loss Priority (PLP) of the output queue. Depending on the priority of the traffic, you can assign packets higher or lower bandwidth, buffer levels, and drop profiles.
6. Rewrite Output - Rewrite rules map traffic to code points as it exits the system. Define a rewrite-rule to overwrite the DSCP field of the outer IP header and apply it on the outbound (egress) interface.
These steps describe the Localized Data Policy (QoS) Configuration:
Step 1. Configure the forwarding classes and mapping to output queues. Define class map in order to classify packets, by importance, into appropriate forwarding classes. Refer to the class map in an access list.
policy
 class-map
  class best-effort queue 3
  class bulk-data queue 2
  class critical-data queue 1
  class voice queue 0
Step 2. Configure the QoS scheduler forwarding classes. Define qos scheduler and specify the rate at which traffic is sent on the interface. Refer to the policer in an access list.
policy
 qos-scheduler be-scheduler
  class best-effort
  bandwidth-percent 20
  buffer-percent 20
  scheduling wrr
  drops red-drop
 !
 qos-scheduler bulk-scheduler
  class bulk-data
  bandwidth-percent 20
  buffer-percent 20
  scheduling wrr
  drops red-drop
 !
 qos-scheduler critical-scheduler
  class critical-data
  bandwidth-percent 40
  buffer-percent 40
  scheduling wrr
  drops red-drop
 !
 qos-scheduler voice-scheduler
  class voice
  bandwidth-percent 20
  buffer-percent 20
  scheduling llq
  drops tail-drop
Step 3. Group QoS schedulers and define QoS map:
policy
 qos-map MyQoSMap
  qos-scheduler be-scheduler
  qos-scheduler bulk-scheduler
  qos-scheduler critical-scheduler
  qos-scheduler voice-scheduler
Step 4. Apply the QoS map to the egress interface:
interface ge0/1
 qos-map MyQoSMap
Step 5. Define an access list in order to classify data packets into appropriate forwarding classes:
policy
 access-list MyACL
  sequence 10
   match
    dscp 46
   !
   action accept
    class voice
   !
  !
  sequence 20
   match
    source-ip 10.1.1.0/24
    destination-ip 192.168.10.0/24
   !
   action accept
    class bulk-data
    set
     dscp 32
    !
   !
  !
  sequence 30
   match
    destination-ip 192.168.20.0/24
   !
   action accept
    class critical-data
    set
     dscp 22
    !
   !
  !
  sequence 40
   action accept
    class best-effort
    set
     dscp 0
    !
   !
  !
  default-action drop
Step 6. Apply the Access List to an interface:
vpn 10
 interface ge0/0
  access-list MyACL in
 !
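To make the classification rules concrete, here is an added Python example (written for this page, not Cisco or Viptela code) that parses a constructed vEdge policy fragment mirroring Steps 1, 2 and 5 above, checks the rule stated in the queue description that any class mapped to queue 0 must use LLQ scheduling, and evaluates sample packets against the access list the way the Classify Input and Rewrite Output steps describe: the first matching sequence wins, its class and any set dscp apply, and unmatched traffic gets the default-action. The CONFIG text, the sample addresses and the parse, lint and classify function names are all assumptions of this example; the parser understands only the keywords used in the document.

```python
import ipaddress
# Constructed config (not from a device) mirroring the document's Steps 1, 2 and 5,
# trimmed to two schedulers and two ACL sequences; nesting is by indentation.
CONFIG = """\
policy
 class-map
  class best-effort queue 3
  class bulk-data queue 2
  class voice queue 0
 qos-scheduler be-scheduler
  class best-effort
  bandwidth-percent 20
  scheduling wrr
 qos-scheduler voice-scheduler
  class voice
  bandwidth-percent 20
  scheduling llq
 access-list MyACL
  sequence 10
   match
    dscp 46
   action accept
    class voice
  sequence 20
   match
    source-ip 10.1.1.0/24
    destination-ip 192.168.10.0/24
   action accept
    class bulk-data
    set
     dscp 32
  default-action drop
"""


def parse(text):
    """Parse the subset of vEdge policy CLI used above into plain dicts."""
    cfg = {"classes": {}, "schedulers": {}, "acls": {}}
    stack = []  # (indent, context name, object being filled)
    for line in filter(str.strip, text.splitlines()):
        indent = len(line) - len(line.lstrip())
        while stack and stack[-1][0] >= indent:  # leave blocks that have ended
            stack.pop()
        ctx, obj = stack[-1][1:] if stack else (None, None)
        kw, *args = line.split()
        if kw == "class-map":
            stack.append((indent, "class-map", cfg["classes"]))
        elif ctx == "class-map":  # class NAME queue N
            obj[args[0]] = int(args[2])
        elif kw == "qos-scheduler":
            stack.append((indent, "scheduler", cfg["schedulers"].setdefault(args[0], {})))
        elif kw == "access-list":
            acl = cfg["acls"].setdefault(args[0], {"seqs": [], "default": None})
            stack.append((indent, "acl", acl))
        elif kw == "sequence":
            seq = {"num": int(args[0]), "match": {}, "action": None, "class": None, "set": {}}
            obj["seqs"].append(seq)
            stack.append((indent, "seq", seq))
        elif kw in ("match", "set"):
            stack.append((indent, kw, obj[kw]))
        elif kw == "action":
            obj["action"] = args[0]
            stack.append((indent, "action", obj))
        elif kw == "default-action":
            obj["default"] = args[0]
        elif ctx in ("scheduler", "match", "set", "action"):
            obj[kw] = args[0]  # class, bandwidth-percent, scheduling, dscp, ...
    return cfg


def lint(cfg):
    """Consistency checks a reviewer would want before pushing the policy."""
    problems = []
    for name, s in cfg["schedulers"].items():
        queue = cfg["classes"].get(s.get("class"))
        if queue == 0 and s.get("scheduling") != "llq":  # rule stated in the document
            problems.append(f"{name}: queue 0 class must use scheduling llq")
    for name, acl in cfg["acls"].items():
        for seq in acl["seqs"]:
            if seq["action"] == "accept" and seq["class"] not in cfg["classes"]:
                problems.append(f"{name} sequence {seq['num']}: unknown class {seq['class']!r}")
    return problems


def classify(acl, src, dst, dscp):
    """First-match ACL evaluation: returns (action, forwarding class, egress DSCP)."""
    for seq in acl["seqs"]:
        m = seq["match"]
        if "dscp" in m and int(m["dscp"]) != dscp:
            continue
        if "source-ip" in m and ipaddress.ip_address(src) not in ipaddress.ip_network(m["source-ip"]):
            continue
        if "destination-ip" in m and ipaddress.ip_address(dst) not in ipaddress.ip_network(m["destination-ip"]):
            continue
        if seq["action"] != "accept":
            return ("drop", None, None)
        return ("accept", seq["class"], int(seq["set"].get("dscp", dscp)))
    return (acl["default"], None, None)  # nothing matched: the ACL's default-action
```

Run lint over a policy before pushing it; in the trimmed config above, unmatched traffic falls through to default-action drop, which is the fail-closed safety net. In the document's full access list, sequence 40 has no match clause, so it accepts all remaining traffic as best-effort and the default-action is never reached. Note also that sequence 10 classifies on the inbound DSCP value alone, so the queue 0 LLQ class is only as trustworthy as the DSCP markings arriving on ge0/0; where the hosts on that segment should not be trusted to mark their own traffic, match on source-ip as sequence 20 does.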
Ideal requirements in order to achieve guaranteed QoS with SD-WAN:
It is easy to see why this solution threatens the traditional MPLS WANs: the Cisco SD-WAN QoS solution can deliver matching QoS levels over the Internet with the use of dynamic methods. Cisco SD-WAN dynamically selects the most cost-effective combination of private links and public Internet connections. With SD-WAN, applications are not at the mercy of standard bandwidth; instead, the connection that is most suitable for each application is selected.
Regardless of whether MPLS or SD-WAN is the better solution, it is important to note that QoS with SD-WAN can be achieved without MPLS, given a symmetric Internet connection with no packet loss and a VPN. If traffic traverses multiple hops via multiple ISPs, a business cannot guarantee how mission-critical and delay-sensitive services will perform. In practice, SD-WAN products need active-active configurations in order to improve the reliability and QoS of the WAN.
In short, SD-WAN is a fantastic technology that reduces the dependency on MPLS networks in the future. Some non-interactive traffic can be offloaded to a broadband Internet connection. For example, the SD-WAN might route latency-sensitive traffic such as voice over an MPLS link, which guarantees QoS, and everything else over a broadband Internet connection, or it might combine two broadband links to approximate MPLS.