This MIB module is for Access Control List (ACL) configuration
of the Quality of Service (QoS) and Security features on the
Cisco Catalyst 5000/6000 series switches running CatOS. It also
provides QoS configuration and statistics information.
Configuration information available through this MIB includes
Security and QoS ACL configuration for IP, IPX and Layer 2
traffic, as well as QoS and Security configuration parameters.
Statistics available through this MIB include QoS statistics
for Layer 3 traffic. In addition, detailed, flow-specific
statistics are also available.
This MIB module is applied in conjunction with
CISCO-QOS-POLICY-CONFIG-MIB. The configuration information
available through this MIB takes effect throughout the device
when the value of the qosPrOperPolicySource object in
CISCO-QOS-POLICY-CONFIG-MIB is 'local'. When the value of
qosPrOperPolicySource is not 'local', the configuration applies
to a specific interface when the value of the
qosPrIfOperPolicySource object in CISCO-QOS-POLICY-CONFIG-MIB
associated with that interface is 'local'.
The following terms are used throughout this MIB:
ACE stands for Access Control Entry. An ACL consists of an
ordered set of ACEs. An ACE is a filter used to identify flows
with certain characteristics. It includes fields such as
ingress/egress ports, L2 (layer 2) addresses, L3 (layer 3)
addresses, TCP/UDP port numbers, etc.
QoS ACEs and Security ACEs are very similar to each other,
but the actions of the ACEs are different.
Security ACEs are compared against each packet, and each ACE
specifies whether packets that match it are forwarded or
dropped.
ESP: Encrypted Security Payload.
QoS is a method that attempts to ensure that the network
requirements of different applications can be met by giving
preferential forwarding treatment to some traffic. It
usually consists of these steps: classification, policing,
output scheduling, marking and shaping. Classification
identifies the traffic. Policing checks whether the traffic
conforms to specified criteria. Output scheduling,
marking and shaping control how the traffic is transmitted
to the next hop.
A flow is a non-specific term for a microflow or an
aggregate flow.
A microflow is a single instance of an application-to-
application flow of packets, identified by source address,
source port, destination address, destination port and
protocol id.
An aggregate flow is a collection of microflows that are
treated together as one for the purpose of QoS.
DSCP (Differentiated Services Code Point) is the six most
significant bits of the ToS field in an IP packet header.
DSCP Mutation: the previous hop(s) and the following hop(s)
of a device may reside in different QoS domains. A QoS
domain refers to the set of QoS rules and conventions
adopted by an administrative entity. For instance, a set
of DSCP values may have a different meaning in different
domains. DSCP mutation allows a DSCP set to be mutated or
transformed in order to maintain semantic compatibility
between adjacent domains. The mutation is done via mapping
tables which map the old DSCP value from one domain to a
new DSCP value in the other domain.
IP precedence is the three most significant bits of the ToS
field in an IP packet header.
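The DSCP and IP precedence definitions above, together with a DSCP mutation table, as an added example (not part of the MIB text). The mutation pairs and the ToS values below are constructed for illustration.

```python
# Added example: extract DSCP / IP precedence from the IPv4 ToS byte and
# apply a DSCP mutation table between two QoS domains.


def dscp_from_tos(tos: int) -> int:
    """DSCP is the six most significant bits of the one-octet ToS field."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS must be a single octet")
    return tos >> 2


def precedence_from_tos(tos: int) -> int:
    """IP precedence is the three most significant bits of the ToS field."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS must be a single octet")
    return tos >> 5


def tos_from_dscp(dscp: int, ecn: int = 0) -> int:
    """Rebuild the ToS byte; the low two bits carry ECN, not DSCP."""
    if not 0 <= dscp <= 63 or not 0 <= ecn <= 3:
        raise ValueError("DSCP is 6 bits, ECN is 2 bits")
    return (dscp << 2) | ecn


def build_mutation_map(pairs):
    """Mutation table: identity for all 64 DSCPs, overridden by (old, new) pairs."""
    table = {d: d for d in range(64)}
    for old, new in pairs:
        if not (0 <= old <= 63 and 0 <= new <= 63):
            raise ValueError("DSCP values must be in 0..63")
        table[old] = new
    return table


def mutate(tos: int, table) -> int:
    """Map the DSCP of a ToS byte into the adjacent domain, keeping ECN bits."""
    return tos_from_dscp(table[dscp_from_tos(tos)], tos & 0x3)


# Constructed sample: EF (46) in this domain becomes 40 in the neighbour,
# AF31 (26) becomes AF21 (18); every other DSCP passes through unchanged.
SAMPLE_TABLE = build_mutation_map([(46, 40), (26, 18)])
```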
Cos (Class of Service) is the three bits in the layer 2
header that indicate the user priority value assigned to the
packet.
Trust state is a parameter configured on a physical
interface or an ACL that determines the DSCP value assigned
to a packet for QoS purposes.
An in-profile packet is a packet that does not cause the
committed access rate of the packet's flow to be exceeded.
An out-of-profile packet is a packet that causes the
committed access rate of the packet's flow to be exceeded.
To accomplish classification, the user defines an ACL describing
the specification of a traffic flow, then attaches this ACL to a
physical interface or a VLAN. When a packet arrives at an
interface, depending on the configured trust state at that
interface, it is either matched against an ACL if the trust
state is not trusted, or assigned a DSCP and sent directly to
output scheduling. In the former case, when the packet matches
an ACE in the attached ACL, the next step is policing. At
the end of the classification process, a packet has a DSCP value
assigned. On some platforms (e.g. Catalyst 4000) that do not
support ACL configuration, classification is accomplished by
matching the Cos value of the incoming packet.
A packet can be policed at the microflow or aggregate flow level.
Policing is done using the token bucket algorithm.
At the end of the policing process, if the packet does not cause
the flow to exceed the normal rate, it continues to the next
step. Otherwise, the packet is dropped or assigned a 'policed'
DSCP value. Some platforms support multi-rate policing. When a
packet causes the flow to exceed the normal rate but not the
excess rate, it is assigned a 'policed' DSCP value. When a packet
causes the flow to exceed the excess rate, it is either dropped or
assigned a 'policed' DSCP value. After the policing process,
the next step is output scheduling.
Output scheduling is the process of assigning a packet to
a queue and a threshold according to the packet's Cos value.
To obtain its Cos value, a DSCP-to-Cos mapping is performed.
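The multi-rate policing and DSCP-to-Cos steps described above, as an added example that is not part of the MIB or of CatOS. It is a simplified two-rate token-bucket model: rates are in bytes per second, timestamps are supplied by the caller, the excess bucket is checked before the normal bucket (an assumption, following RFC 2698 ordering), and the default DSCP-to-Cos map is assumed to be the DSCP's high three bits.

```python
# Added example: two-rate token-bucket policer with 'policed' DSCP marking.


class TokenBucket:
    def __init__(self, rate: float, burst: int):
        self.rate = rate            # refill rate, bytes per second
        self.burst = burst          # bucket depth, bytes
        self.tokens = float(burst)  # bucket starts full
        self.last = 0.0             # time of the last refill

    def take(self, size: int, now: float) -> bool:
        """Refill for the elapsed time (capped at burst), then debit if possible."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


class DualRatePolicer:
    """Exceed normal rate -> 'policed' DSCP; exceed excess rate -> drop or mark."""

    def __init__(self, normal: TokenBucket, excess: TokenBucket,
                 policed_dscp: int, drop_on_excess: bool = True):
        self.normal, self.excess = normal, excess
        self.policed_dscp = policed_dscp
        self.drop_on_excess = drop_on_excess

    def police(self, size: int, dscp: int, now: float):
        """Return (action, dscp): action is 'forward', 'mark' or 'drop'."""
        if not self.excess.take(size, now):          # out of profile at excess rate
            return ("drop", None) if self.drop_on_excess else ("mark", self.policed_dscp)
        if self.normal.take(size, now):              # in profile: keep DSCP
            return "forward", dscp
        return "mark", self.policed_dscp             # between normal and excess rate


def dscp_to_cos(dscp: int) -> int:
    """Assumed default DSCP-to-Cos map: Cos is the three high bits of the DSCP."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is 6 bits")
    return dscp >> 3


def run_sample():
    """Constructed burst: seven 500-byte EF packets at t=0, then one at t=1.0s."""
    p = DualRatePolicer(TokenBucket(1000, 1000), TokenBucket(3000, 3000), policed_dscp=8)
    results = [p.police(500, 46, 0.0) for _ in range(7)]
    results.append(p.police(500, 46, 1.0))   # both buckets have refilled by now
    return results
```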
This MIB also defines 'Security ACLs', which some devices support
as a means to enforce security. Security ACLs, attached at an
ingress interface, are compared against each packet arriving at
that interface. If the packet matches an ACE in the ACLs, it is
either permitted to go through the device, blocked and dropped,
or redirected to another interface.