This MIB module is for Access Control Lists(ACLs) configuration
of Quality of Service (QoS) as well as Security feature on the
Cisco Catalyst 5000/6000 series switch running CatOS. It also
provides QoS configuration and statistics information.
Configuration information available through this MIB includes
Security and QoS ACL configuration for IP, IPX and Layer 2
traffic, QoS and Security configuration parameters.
Statistics available through this MIB includes QoS statistics
for Layer 3 traffic. In addition, detailed, flow-specific
statistics are also available.
This MIB module is applied in conjunction with
CISCO-QOS-POLICY-CONFIG-MIB. The configuration information
available through this MIB takes effect throughout the device
when the value of qosPrOperPolicySource object in
CISCO-QOS-POLICY-CONFIG-MIB is 'local' or applies to a specific
interface when the value of qosPrIfOperPolicySource object
in CISCO-QOS-POLICY-CONFIG-MIB which associates with that
interface is 'local' while the value of qosPrOperPolicySource is
The following terms are used throughout this MIB:
ACE stands for Access Control Entry. An ACL consists of an
ordered set of ACEs. ACE is a filter which is used to
identify flows with certain characteristics. It includes
fields such as ingress/egress ports, L2(layer 2) addresses,
L3(layer 3) addresses, TCP/UDP port numbers, etc.
QoS ACE and Security ACE are very similar to each other
but the actions of the ACEs are different.
Security ACEs are compared to each packet, and each ACE
specifies whether packets that match with it are either
forwarded or dropped.
ESP: Enscrypted Security Payload.
QoS is the method which attempts to ensure that the network
requirements of different applications can be met by giving
preferential forwarding treatment to some traffic. It is
usually consisted of these steps: classification, policing,
output scheduling, marking and shaping. Classification
identifies the traffic. Policing checks if the traffic
conformed to a specified criteria. Output scheduling,
marking and shaping control how the traffic is transmitted
to the next hop.
A flow is a non-specific term for a microflow or an
Microflow is a single instance of an application to
application flow of packets which is identified by source
address, source port, destination address, destination port
and protocol id.
Aggregate flow is a collection of microflows that are
treated together as one for the purpose of QoS.
DSCP (Differentiated Services Code Point) is the six most
significant bits of the ToS field in a IP packet header.
DSCP Mutation: the previous hop(s) and the following hop(s)
of a device may reside in a different QoS domain. A QoS
domain refers to the set of QoS rules and conventions
adopted by an administrative entity. For instance, a set
of DSCP values may have a different meaning in different
domains. DSCP mutation allows a DSCP set to be mutated or
transformed in order to maintain semantic compatibility
between adjacent domains. The mutation is done via mapping
tables which maps the old DSCP value from one domain to a
new DSCP value in the other domain.
IP precedence is the three most significant bits of the ToS
field in a IP packet header.
Cos (Class of Service) is the three bits in the layer 2
header that indicates user priority value assigned to this
Trust state is a parameter configured at a physical
interface or an ACL to determine a DSCP value assigned to
a packet for QoS purpose.
In profile packet is a packet that does not cause the
committed access rate of the packet's flow to be exceeded.
Out of profile packet is a packet that cause the committed
access rate of the packet's flow to be exceeded.
To accomplish classification, the user defines an ACL describing
the specification of a traffic flow then attaches this ACL to a
physical interface or a vlan. When a packet arrives at an
interface, depending on the configured trust state at that
interface, it can either be matched against an ACL if the trust
state is not trusted or get a DSCP assigned and go directly to
output scheduling. In the former case, when the packet matches
an ACE in the attached ACL, the next step will be policing. At
the end of classification process, a packet has a DSCP value
assigned. In some platform (e.g. Catalyst 4000) that does not
support ACL configuration, classification is accomplished by
matching the Cos value of incoming packet.
A packet can be policed at microflow or aggregate flow level.
Policing is done using the token bucket algorithm.
At the end of policing process, if packet does not cause the
flow to exceed the normal rate, it will continue to the next
step. Otherwise, the packet is dropped or assigned a 'policed'
DSCP value. Some platforms support multi-rate policing. When
packet causes the flow to exceed the normal rate but not the
excess rate, it is assigned a 'policed' DSCP value. When packet
causes the flow to exceed excess rate, it is either dropped or
has a 'policed' DSCP value assigned. After policing process,
the next step is output scheduling.
Output scheduling is the process of assigning a packet to
a queue and a threshold according to the packet's Cos value.
To get its Cos value, a DSCP to Cos mapping will be performed.
This MIB also defines 'Security ACLs' which some devices support
as a mean to enforce security. Security ACLs, attached at an
ingress interface, are compared to each packet arriving at that
interface. If the packet matches an ACE in the ACLs, it is
either permitted to go through the device or blocked and
dropped or redirected to another interface.