Implement QoS in Cisco SD-WAN

Introduction

This document describes the Cisco-Viptela Approach in order to implement Quality of Service (QoS) with Software Defined WAN (SD-WAN). SD-WAN is the most recent innovation in order to integrate with enterprises, business, and organizations across the world. The new wave of SD-WAN technologies allows governments and businesses to provide critical application support without additional hassle. Even though the cloud has greatly simplified the capacity provisioning process, it possesses several novel challenges in the area of QoS management. The new SD-WAN needs to match the levels of performance, reliability, and availability offered by an application and by the platform or infrastructure that hosts it.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

• SD-WAN Solution
• Traditional QoS and Policy Structure

Components Used

The information in this document is based on these software and hardware versions:

• Cisco vEdge Hardware Devices
• Cisco vEdge Software (VM)

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

Problem

Until recently, networks were strictly built based on how the underlying transmission networks are. Some solutions, such as Multiprotocol Label Switching (MPLS) Traffic Engineering influenced path selection between nodes, but every device from source to destination needed to be programmed in order to permit or deny traffic that flows between two endpoints and make completely autonomous decisions.

The traditional carrier services like an IP VPN or MPLS have been assumed by many to be the only way to reliably deliver the QoS services for an organization. The biggest downside of MPLS is bandwidth cost. Today’s consumers are increasingly interested in bandwidth-hogging multimedia content such as videos and Augmented Reality (AR)/ Virtual Reality (VR), and the high per-megabit cost that MPLS demands can be out of reach. Finally, an MPLS network doesn’t offer built-in data protection, and if incorrectly implemented, it can open the network to vulnerabilities.

Also, from the security point of view, MPLS traffic is not encrypted by default. MPLS networks offer many security features, however, their traditional VPN solutions are not without challenges. A pre‐shared key is used to authenticate VPN IPSec devices, but in order to manage a large number of pre‐shared keys across multiple devices does not scale and is less secure. 

Solution

On the other hand, SD-WAN approach uses centralized WAN controllers in order to host and manage all adjacencies with nodes in the network. It provides flexibility in the creation and enforcement of policies. Since each device peers only with controllers for connectivity and control plane policies in order to pass data traffic between service nodes, these can be dynamically adjusted based on overall visibility into network conditions. As shown here, each router advertises its local information to the controller. This allows data flow to be easily manipulated by the central controller with the use of policies enforced at every local router.

In this example, R1 and R4 have no pairwise adjacency just the data plane path. Therefore, the central controller easily controls and modifies traffic flow. For example, it can control all the prefixes from R1 that are advertised to R4 via R3, or that certain prefixes are advertised to R4 via R3, while certain are advertised directly from R1, where R3 could be a point of application for a firewall policy. This approach dramatically reduces the volume of data plane policies that would need to be implemented at each router, with the use of traditional networking topologies. SD-WAN is an overlay network which can help admins identify critical traffic and give it special treatment throughout the network.

Configure and Implement Cisco SD-WAN QoS

In the SD-WAN overlay network, the QoS works when it examines the packets that enter at the edge of the network. Each of the vEdge routers in the network must be configured to provision QoS. Once the SD-WAN overlay network and the control plane connections are up and running, the data traffic flows automatically over the IPsec connections between vEdge routers. The default data packet forwarding flow can be modified when centralized data policy or localized data policy are created and applied.

The centralized data policy gives the control to manage the traffic-path which is routed through the network and the traffic can be controlled (permit or block) based on the address, port, and Differentiated Services Code Point (DSCP) fields in the packet's IP header.

The localized data policy can control the flow of data traffic into and out of a vEdge router's interfaces and enables features such as QoS. The policies can be activated if you apply the access lists, either in the outbound direction or in the inbound direction.

Each interface has eight queues on hardware vEdge routers, numbered from 0 to 7. Queue 0 is reserved and is used for both control traffic and low-latency queuing (LLQ) traffic. For LLQ, any class that is mapped to queue 0 must also be configured to use LLQ. All control traffic is transmitted. Queues 1 to 7 are available for data traffic.

As illustrated in Image 2., the QoS policies are applied to a data packet as it is transmitted from one branch to the another:

1. Classify Input - The incoming traffic can be classified by associating each packet with a forwarding class. Forwarding classes group data packets and assign packets to output queues for transmission to their destination, based on the forwarding class.

2. Input ACLs and Define Policer - The maximum traffic rate of sent or received data on an interface can be controlled by configuring policers, and to partition a network into multiple priority levels. Policers applied to inbound interface traffic allow you to conserve resources by dropping traffic that does not need to be routed through the network.

3. Route Lookup - vEdge router checks the local route table in order to determine which interface the packet should use to reach its destination.

4. Output ACLs and Policer - Traffic that conforms to the policer rate, is transmitted, and traffic that exceeds the policer rate is sent with a decreased priority or is dropped. The Policers applied to outbound interface traffic control the amount of bandwidth used.

5. Output Scheduling - The packets can be prioritized by configuring a QoS map for each output queue in order to specify the bandwidth, delay buffer size, and Packet Loss priority (PLP) of output queues. It depends on the priority of the traffic that you can assign packets higher or lower bandwidth, buffer levels, and drop profiles.

6. Rewrite Output - If you rewrite rules, it allows you to map traffic in order to code points when the traffic exits in the system. Define rewrite-rule to overwrite the DSCP field of the outer IP header. Apply the rewrite-rule on the outbound (egress) interface.

Configure QoS Policy

These steps describe the Localized Data Policy (QoS) Configuration:

Step 1. Configure the forwarding classes and mapping to output queues. Define class map in order to classify packets, by importance, into appropriate forwarding classes. Refer to the class map in an access list.  

policy

 class-map

  class best-effort queue 3

  class bulk-data queue 2

  class critical-data queue 1

  class voice queue 0

Step 2. Configure the QoS scheduler forwarding classes. Define qos scheduler and specify the rate at which traffic is sent on the interface. Refer to the policer in an access list.

policy

 qos-scheduler be-scheduler

  class                          best-effort

  bandwidth-percent     20

  buffer-percent            20

  scheduling                 wrr

  drops                         red-drop

 !

 qos-scheduler bulk-scheduler

  class                          bulk-data

  bandwidth-percent     20

  buffer-percent            20

  scheduling                 wrr

  drops                         red-drop

 !

 qos-scheduler critical-scheduler

 class                           critical-data

  bandwidth-percent     40

  buffer-percent            40

  scheduling                 wrr

  drops                         red-drop

 !

 qos-scheduler voice-scheduler

  class                          voice

  bandwidth-percent     20

  buffer-percent            20

  scheduling                 llq

  drops                         tail-drop

Step 3. Group QoS schedulers and define QoS map:

policy

 qos-map MyQoSMap

  qos-scheduler be-scheduler

  qos-scheduler bulk-scheduler

  qos-scheduler critical-scheduler

  qos-scheduler voice-scheduler

Step 4. Apply the QoS map to the egress interface:

interface ge0/1

  qos-map  MyQoSMap

Step 5. Define an access list in order to classify data packets into appropriate forwarding classes:

policy

 access-list MyACL

  sequence 10

   match

    dscp 46

   !

   action accept

    class voice

   !

  !

  sequence 20

   match

    source-ip          10.1.1.0/24

    destination-ip   192.168.10.0/24

   !

   action accept

    class bulk-data

    set

     dscp 32

    !

   !

  !

  sequence 30

   match

    destination-ip  192.168.20.0/24

   !

   action accept

    class critical-data

    set

     dscp 22

    !

   !

  !

  sequence 40

   action accept

    class best-effort

    set

     dscp 0

    !

   !

  !

  default-action drop

Step 6. Apply the Access List to an interface:

vpn 10

 interface ge0/0

  access-list MyACL in

 !

Related Information

Ideal requirements in order to achieve guaranteed QoS with SD-WAN:

It is easy to understand as to why this as a solution threatens the traditional MPLS WANs out there as Cisco SD-WAN QoS solution can deliver the QoS levels that match over the Internet with the use of dynamic methods. Cisco SD-WAN dynamically selects the most cost-effective assortment of private links and public Internet connections. With SD-WAN, applications are not at the mercy of standard bandwidth, but instead, the connection that’s most applicable to each app is selected.

Regardless of whether MPLS or SD-WAN is the best solution, it is important to note that the QoS with SD-WAN can be achieved without MPLS with a symmetric Internet with no packet loss with VPN. If traffic traverses multiple hops via multiple ISP's, a business cannot guarantee how mission-critical and delay-sensitive services will perform. Fact is, the SD-WAN products need active-active configurations in order to improve the reliability and QoS of the WAN.

In short, SD-WAN is a fantastic technology which reduces the dependency on MPLS networks in the future. You can offload some of the non-interactive traffic to a broadband Internet connection. For example, the SD-WAN might route latency-sensitive traffic such as voice over an MPLS link, which guarantees QoS, and everything else over a broadband Internet connection or it might combine two broadband links to approximate MPLS.