
In QoS, are NBAR and ACL marking tools just like DSCP? And is DSCP a classification tool?

dolanduck.
Level 1

The reason I ask is because in the book, the official cert guide makes it seem like it's a classification tool, and it's really confusing me. And on a Udemy course I found, the instructor says you can use DSCP as a marking and classification tool.


Hello,

I am not sure what exactly your instructor is referring to, but by themselves, ACLs and NBAR are just classification tools; they don't change or mark any DSCP values by themselves. You need to specify any DSCP-related action in QoS.

Giuseppe Larosa
Hall of Fame

Hello @dolanduck.,

You need to look at the picture of a relatively big network, like that of an ISP.

On the edge devices near the customers, ACLs and NBAR are used to classify traffic, and policy-maps are then used on the edge devices to mark packets belonging to the different QoS class-maps with a DSCP value.

Devices in the core/backbone rely on the detailed classification performed at the edge, and they do not use NBAR or ACLs because they are too expensive in terms of resources. Core devices rely on the DSCP settings performed at the edge to provide differentiated service to the different DSCP values.

This is the DiffServ QoS model, which is the most scalable one.

The DSCP values are used to place packets in different queues and to decide how to treat them when the queue is nearly full.

We can also add that on networks using MPLS, the core devices are simply swapping the external MPLS label, where a 3-bit field that was called EXP can reflect the DSCP marking performed at the edge.

These kinds of devices do not perform an IP lookup of MPLS-switched packets, as they act as P nodes.

So at the edge, DSCP is usually the action performed by marking using more detailed criteria like ACL or NBAR; in the core, the DSCP value is trusted and used as a match criterion to decide which output queue the packet belongs to.

Hope to help

Giuseppe
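
The edge/core split described in the reply above, written out as Cisco IOS MQC configuration. This is an added example, not part of the original post; the ACL, class-map, policy-map and interface names, the UDP port range, the DSCP values and the queue percentages are all assumptions chosen for illustration.

```cisco
! Added example, not from the thread. All names, ports, DSCP values and
! percentages below are assumptions for illustration.
!
! ==== Edge router: classify with ACL / NBAR, then mark with DSCP ====
ip access-list extended VOICE-RTP
 permit udp any any range 16384 32767
!
class-map match-any EDGE-VOICE
 match access-group name VOICE-RTP
 match protocol rtp
class-map match-any EDGE-WEB
 match protocol http
!
! class-default resets everything else to best effort, so a DSCP value
! set by a customer host is not carried into the core, where it is trusted.
policy-map EDGE-MARK
 class EDGE-VOICE
  set dscp ef
 class EDGE-WEB
  set dscp af21
 class class-default
  set dscp default
!
interface GigabitEthernet0/0
 description customer-facing (assumed)
 service-policy input EDGE-MARK
!
! ==== Core router: no ACL or NBAR, DSCP is the only match criterion ====
class-map match-all CORE-VOICE
 match dscp ef
class-map match-all CORE-WEB
 match dscp af21
!
policy-map CORE-QUEUE
 class CORE-VOICE
  priority percent 10
 class CORE-WEB
  bandwidth percent 30
 class class-default
  fair-queue
!
interface GigabitEthernet0/1
 description core-facing (assumed)
 service-policy output CORE-QUEUE
```

On the edge, DSCP appears only as a `set` action (marking); in the core it appears only as a `match` criterion (classification), which is the dual role the question asks about.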

 

Hello
I'd just like to add, NBAR is also a great discovery tool. Run in a passive mode, you can apply it to discover what traffic types are traversing and utilizing your network.

It has a large protocol pack which can be automated to be downloaded to the router so it is constantly up to date, which allows it to not only identify 1000+ application categories, along with custom-based ones, but, as stated by @Giuseppe Larosa, when run in an active mode it will allow you to mark and control that traffic based on policies you apply.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Joseph W. Doherty
Hall of Fame
As Georg has already noted, NBAR and/or ACLs can be used for classification. As also noted by Georg, the result of such classification might be DSCP marking but that's not required.

I suspect what is intended by the instructor's remark is that a DSCP tag is a marking tool, as it sets the IP packet's ToS field, but once an IP packet has a DSCP tag, that tag can be used as a shortcut for classification. The two can be combined.

For example, you might have a CBWFQ policy like: (NB: command syntax for what follows might be incorrect)

class-map match-all OverrateFTP
 ! match both
 match protocol ftp
 ! DSCP "default" is the IOS keyword for best effort (BE, value 0)
 match ip dscp default

policy-map Sample
 class OverrateFTP
  ! remark "too fast" FTP traffic
  police 1000000 conform-action transmit exceed-action set-dscp-transmit cs1