NBAR Classifying and QoS Marking

Hi,

 

In the QoS process, I understand that NBAR and DSCP are two of the multiple possibilities to classify the packets. Once the packets are classified, we can apply specific policies to them to avoid or reduce congestion.

From my understanding, I can't figure out why to use DSCP (with all the configuration it implies, like setting trust boundaries, sometimes translating from CoS, ...) while NBAR is available to classify the packets way more granularly.

I am certainly wrong in my reasoning; DSCP is way more popular to classify packets and there is a reason for that, but I am confused about the why of that.

 

Thanks for all your input, I hope I'm not too confusing.

Have a nice day!


Joseph W. Doherty
Hall of Fame

DSCP doesn't, per se, classify packets; it's a tag, which something else has used to classify the packet. The source of the packets might use DSCP tags which may, or may not, be used for QoS processing and which may, or may not, be changed on a transit network device.

NBAR is (I believe) a Cisco feature (on some platforms, generally routers) that can further analyze a packet.  It's sort of like a "super" ACLs' ACEs used for packet analysis.  (Sometimes it's nothing more than a pretty face on an ACL's ACE.)  The result of the analysis could be to mark the packet with a DSCP tag and/or immediately use it in a QoS policy.

The big advantage of DSCP tags is that they can be set once and easily used by other devices for QoS treatment. NBAR, on the other hand, unless it's marking packets on every device, would need to be used on every transit device, and it can be much more processing intensive than examination of a DSCP value. (Its complexity of analysis is also why you generally don't see it supported on L3 switches. The closest to NBAR might have been the 6500 sup32-PISA supervisor.)
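
The division of labour described in the reply above, as an added IOS MQC configuration sketch that is not part of the original thread: the edge router runs NBAR once and writes the result into the DSCP field, and a transit device only matches that field. Class-map, policy-map and interface names, the protocols chosen and the percentages are assumptions for illustration.

```cisco
! --- Edge router: NBAR inspects the traffic once and marks it ---
class-map match-any VOICE-NBAR
 match protocol rtp
class-map match-any WEB-NBAR
 match protocol http
!
policy-map EDGE-MARK-IN
 class VOICE-NBAR
  set dscp ef
 class WEB-NBAR
  set dscp af21
 ! Anything NBAR did not classify is re-marked to best effort, so a
 ! DSCP value set by the sending host is not trusted past this point.
 class class-default
  set dscp default
!
interface GigabitEthernet0/0
 description LAN-facing interface (assumed name)
 service-policy input EDGE-MARK-IN
!
! --- Transit device: no NBAR, only a cheap match on the DSCP value ---
class-map match-any VOICE-DSCP
 match dscp ef
class-map match-any WEB-DSCP
 match dscp af21
!
policy-map CORE-QUEUE-OUT
 class VOICE-DSCP
  priority percent 20
 class WEB-DSCP
  bandwidth percent 30
 class class-default
  fair-queue
!
interface GigabitEthernet0/1
 description WAN-facing interface (assumed name)
 service-policy output CORE-QUEUE-OUT
```

On the edge router, `show policy-map interface GigabitEthernet0/0` reports per-class packet counters, which confirms that NBAR is matching and marking the intended traffic.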