
QoS for BGP and SSH Traffic

Ashley Hare
Level 1

Hello,

I'm looking to implement a single layer 2 switch (2960X) for a client, which will aggregate firewall and PE infrastructure.

The basic topology will be along the lines of :

External PE - 2960X - Firewall - 2960X - Internal PE


VLAN segregation will isolate the traffic on the switch between the inside and outside interfaces of the firewall, but the physical connectivity for the inside and outside interfaces of the firewall will be to separate gigabit interfaces of the switch.

The PE and firewall devices are from a mixture of vendors (non-Cisco) but will have a consistent QoS policy across the board.

Between the External and Internal PEs there will be a BGP peering session, which will be critical to the flow of traffic through this infrastructure.

I'd like to prioritise this traffic, as well as the local SSH traffic on the switch to ensure that it is passed through during periods of congestion.

The model of 2960X is gigabit capable and whilst the risk is minimal, there are scenarios which could result in BGP traffic being dropped. Given the criticality of the session we want to minimise/negate the risk of it dropping.

The idea is that the BGP traffic will be marked by the PE routers and trusted through the firewall/switch infrastructure. All other traffic would be classified as best effort.

I understand that Cisco devices mark locally sourced BGP as CS6, but in this situation the layer 2 switch is simply passing the traffic, so this does not apply. If I were to classify the traffic and apply it to a queue:

Is there a recommended method of prioritising BGP traffic? (CBWFQ/LLQ etc?)

Is there a recommendation for the amount of bandwidth to reserve within QoS to ensure a reliable BGP session?

Also any recommended template configurations would be of great help.

Thanks in advance.

Accepted Solution

Carlos Villagran
Cisco Employee

Hi!

If the signaling/control traffic is CRITICAL I would suggest going for LLQ and provide TCP messages sourced by peers addresses with a bandwidth reservation of 720 kbps.

Something like that. It will be able to send signaling messages at max speed of 0.22 ms.

Remember you can always match protocol BGP since QoS can provide NBAR capabilities so you can split BGP traffic from other type of TCP traffic.

Hope it helps, best regards!

JC

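As an added example that is not from the thread or from any of the posters, the configuration below shows how the plan in the original post (PE-marked or switch-marked BGP treated as CS6, switch-sourced SSH marked with "ip ssh dscp", everything else best effort) is expressed on a Catalyst 2960-X running IOS 15.x with MLS QoS. The peer addresses 192.0.2.1 (external PE) and 192.0.2.2 (internal PE), the interface numbers, and the ACL, class-map and policy-map names are all assumptions chosen for the example. Note that the 2960-X has no router-style CBWFQ/LLQ with a kbps reservation; the nearest equivalent on this platform is the strict-priority egress queue enabled by "priority-queue out", which is what the example uses.

```cisco
! Added example, not from the thread. Catalyst 2960-X, IOS 15.x, MLS QoS.
! Assumed: 192.0.2.1 = external PE, 192.0.2.2 = internal PE,
!          Gi1/0/1 faces the external PE, Gi1/0/2 faces the firewall outside.
mls qos
!
! Egress queue 1 becomes strict-priority once "priority-queue out" is set on
! the port. The default DSCP-to-output-queue map places DSCP 48 (CS6) in
! queue 4, so move it to queue 1.
mls qos srr-queue output dscp-map queue 1 threshold 3 48
!
! Identify the single BGP peering (TCP/179) in both directions, so the switch
! marks it CS6 itself and does not depend on the PEs' marking surviving the
! firewall. Only the two assumed peer addresses match.
ip access-list extended BGP-PEERING
 permit tcp host 192.0.2.1 host 192.0.2.2 eq bgp
 permit tcp host 192.0.2.1 eq bgp host 192.0.2.2
 permit tcp host 192.0.2.2 host 192.0.2.1 eq bgp
 permit tcp host 192.0.2.2 eq bgp host 192.0.2.1
!
class-map match-all BGP
 match access-group name BGP-PEERING
!
policy-map MARK-CONTROL
 class BGP
  set dscp cs6
!
! The switch's own SSH sessions are marked CS6 as well, so they share the
! priority queue on the way out. Nothing else on the box sets this value.
ip ssh dscp 48
!
! No "mls qos trust" on the ports: with mls qos enabled, an untrusted port
! rewrites incoming DSCP to 0, which gives every other flow the best-effort
! treatment the post asks for. Only the BGP class is re-marked.
interface GigabitEthernet1/0/1
 description External-PE
 service-policy input MARK-CONTROL
 priority-queue out
!
interface GigabitEthernet1/0/2
 description Firewall-outside
 service-policy input MARK-CONTROL
 priority-queue out
```

Check the result with "show mls qos maps dscp-output-q" (DSCP 48 should now list queue 1) and "show mls qos interface gigabitEthernet 1/0/1 statistics" (the "dscp: outgoing" and queue drop counters show whether CS6 packets are actually leaving through queue 1 and whether anything is being dropped). Two caveats a practitioner would want: the strict-priority queue is served until empty, so only genuinely low-volume control traffic should ever land in it, which is why the ports do not trust DSCP from the firewall or PEs and only the two peer addresses on TCP/179 are re-marked; and the switch can only mark and queue, so the firewall in the middle still has to pass the session (and, if the PEs' own CS6 marking is relied on anywhere else, preserve the DSCP), which is outside this configuration.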

6 Replies

Tagir Temirgaliyev
Spotlight

What is the throughput of the PE router? More or less 1 Gb?

What is the throughput of the firewall? More or less 1 Gb?

Hello,

The total throughput of the firewall/routers to be used is greater than 1 Gbit. All interfaces connecting to the switch from these devices will be running at 1 Gbit.

Joseph W. Doherty
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

I believe the 2960X supports QoS like a 3560/3750.

If so, yes you can prioritize or guarantee bandwidth for BGP. "Recommended" would be to guarantee enough bandwidth for your BGP service needs.  (What that would be, I cannot say without much more information.)

If all traffic is to be marked BE, how are you planning to treat SSH differently?

BTW, you've got to be careful with SSH; you can have something like SCP in it, which can be adverse to other SSH interactive traffic and/or non-SSH traffic.

Hi there,

Yes, I understand it supports QoS similar to other models; I am looking for a best practice or recommendation. If you require more information, then please let me know what you need. This is a single peer session between two routers.

SSH will be marked locally using "ip ssh dscp x"

Thank you for the tip-off regarding other services using SSH, although it won't be relevant in this instance as the switch will be marking its own SSH traffic.

... I am looking for a best practice or recommendation.

Again, "Recommended" would be to guarantee enough bandwidth for your BGP service needs.

If you require more information, then please let me know what you need.

Unfortunately, that would be a lot of asking.  Basically, all the information needed to ascertain your BGP service needs, and additionally, information to ascertain whether they can be met.

Fortunately, as BGP rides on top of TCP, you might only need to guarantee some bandwidth to allow the session to function.
