Security QoS and Security QoS Policies

This chapter describes security QoS, which controls the firewall traffic extracted from the datapath to the CSM (Control and Switching Module) for examination. It also describes how to configure security queue QoS policies using the command line interface.

Security QoS and Security QoS Policy Overview

When a security zone, security profile, and policies are configured for security sessions on the 7705 SAR, data packets entering and leaving the zone are extracted, if required, from the datapath to the CSM for examination. QoS is applied to these packets to control the amount of traffic being extracted to the CSM. For information about the requirements for packet extraction to the CSM, refer to "Security Session Creation" in the 7705 SAR Router Configuration Guide.

QoS for Firewall-Extracted Packets to the CSM

When security parameters are configured, data packets entering or leaving a zone are extracted from the datapath to the CSM for examination. Extracted Application Level Gateway (ALG) TFTP/FTP packets and strict TCP data packets are placed into access or network security data queues. The rate at which traffic is scheduled through these access and network security queues is controlled by security queue QoS policies (see Security Queue QoS Policies).

Non-ALG and non-strict TCP datapath traffic that is extracted from the datapath for CSM security examination is extracted into a security control queue that has one queue per security zone.

To limit the aggregate datapath traffic being extracted to the CSM through the access/network security queues and all the security control queues (one per zone), a security-aggregate-rate shaper can be configured; it defaults to a rate of 50 Mb/s. For information about configuring the security-aggregate-rate shaper, refer to the 7705 SAR Interface Configuration Guide, "Adapter Card Commands".

Firewall traffic that is permitted through the firewall will be forwarded across the data path using datapath traffic management.

Multi-Chassis Firewall QoS

In a multi-chassis configuration, the slave router has the same security configuration as the master. When the slave router receives datapath packets that are entering or leaving a security zone, the data packets are extracted into the same access or network data queues and security control queues that exist on the master. However, the data packets that are extracted must be processed by the master firewall security engine. The slave sends these extracted data packets to the master over the multi-chassis link (MCL).

The access queues, network data queues, and security control queues on the slave have QoS configurations that control the rate of traffic sent from the slave to the master. These QoS configurations on the slave, specifically the security queue QoS policies and the aggregate shaping rate, should be configured identically on the master. For information, see Security Queue QoS Policies, and refer to the 7705 SAR Interface Configuration Guide, "Adapter Card Commands", for the security-aggregate-rate command.

The extracted data packets that the master receives from the slave are stored in a multi-chassis firewall queue for extraction to the CSM on the master. To limit the rate of datapath traffic extracted and sent to the master CSM, this extraction queue is rate-limited to 80 Mb/s. In addition, this extraction queue, together with the security control queues and the access/network security queues, is subject to the shaper configured with the security-aggregate-rate command. These QoS settings make it possible to control the datapath traffic being extracted on both the master and the slave for firewall security processing.

Security Queue QoS Policies

For ALG TFTP/FTP or strict TCP traffic that egresses one security zone and ingresses a different security zone, every packet must be forwarded to the CSM for processing. To control this traffic to the CSM, the packets are extracted from the data path and queued into either network security data queues or access security data queues. These queues each contain two further queues: expedited (EXP) queues and best-effort (BE) queues. On the 7705 SAR-8 Shelf V2 and 7705 SAR-18, expedited and best-effort queues are created per adapter card.

For further details about zone configuration and firewall session creation, refer to the 7705 SAR Router Configuration Guide, "Configuring Security Parameters".

Packet Queuing with DSCP

By default, packets are assigned to the EXP and BE queues as follows.

  • For the base router context, packets are assigned to the EXP and BE queues based on the DSCP marking in the packet IP header.

  • For the VPRN or IPSec context, packets are assigned to the EXP and BE queues based on the EXP or DSCP marking of the outer tunnel. The EXP marking is used for Layer 3 MPLS VPRNs, and the DSCP marking is used for IPSec or Layer 3 GRE VPRNs.

However, it is possible to queue packets based on the inner (customer) IP header DSCP marking by using the command config>qos>network>ingress>ler-use-dscp. This is useful where customers have policed bandwidth at the PE and wish to differentiate their own network packets on the access PEs. By enabling the ler-use-dscp command, the following occurs for encrypted VPRN, IPSec, and NGE packets:

  • packets will be queued in the encryption queues based on the outer tunnel MPLS EXP or IPSec/GRE DSCP marking

  • after decryption, for either firewall datapath queues or the regular datapath queues, the packets will be queued based on the inner (customer) IP header DSCP marking

For more information, see ler-use-dscp in the Network QoS Policy Command Reference chapter.
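The queue-selection rule above decides which header's marking places an extracted packet in the expedited or best-effort security queue, and ler-use-dscp moves that decision from the outer tunnel marking to the customer's own DSCP for the firewall queues. The following Python is an added example, not code from the 7705 SAR guide or from Nokia: it builds small constructed packets, reads the DSCP or MPLS EXP out of them, and applies the rule for each context and stage. The DSCP and EXP values treated as expedited, a single bottom-of-stack MPLS label, a 4-byte GRE header without options, and all function names are assumptions of this example; the guide does not list which markings map to which queue.

```python
"""Which marking picks the EXP/BE security queue for an extracted packet.

Added example, not from the 7705 SAR guide. Encodes the selection rule:
base router -> the packet's own DSCP; VPRN/IPSec -> the outer tunnel's MPLS
EXP or DSCP; with ler-use-dscp -> the inner customer DSCP once the packet is
past the encryption queues. Assumed: expedited marking sets, single MPLS
label, 4-byte GRE header, and every function name below.
"""
import struct

# Assumed mapping to queue 2 (expedited); everything else goes to queue 1 (best-effort).
EXPEDITED_DSCP = {46, 48, 56}   # EF, CS6, CS7
EXPEDITED_EXP = {5, 6, 7}


def build_ipv4(dscp, proto, payload, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Minimal 20-byte IPv4 header (no options, checksum left 0) in front of payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + len(payload),
                       0, 0, 64, proto, 0, src, dst) + payload


def build_gre(outer_dscp, inner):
    """Outer IPv4 (protocol 47) plus a 4-byte GRE header carrying an IPv4 packet."""
    return build_ipv4(outer_dscp, 47, struct.pack("!HH", 0, 0x0800) + inner)


def build_mpls(exp, inner, label=1000, ttl=64):
    """One label stack entry: label(20) | EXP(3) | S(1) | TTL(8), then the inner IPv4 packet."""
    return struct.pack("!I", (label << 12) | (exp << 9) | (1 << 8) | ttl) + inner


def ipv4_dscp(pkt):
    return pkt[1] >> 2                      # DSCP = top six bits of the TOS byte


def mpls_exp(pkt):
    return (struct.unpack("!I", pkt[:4])[0] >> 9) & 0x7


def inner_ipv4(context, pkt):
    """Strip the tunnel encapsulation to reach the customer IP header."""
    if context == "base":
        return pkt
    if context == "vprn-mpls":
        return pkt[4:]                      # single bottom-of-stack label assumed
    if context == "vprn-gre":
        return pkt[(pkt[0] & 0x0F) * 4 + 4:]   # outer IHL*4 + 4-byte GRE header
    raise ValueError(f"unsupported context {context!r}")


def select_marking(context, stage, ler_use_dscp, pkt):
    """Return ("dscp" | "exp", value): the marking the queue decision is based on.

    stage is "encryption" (the encryption queues) or "firewall" (the firewall
    or regular datapath queues after decryption).
    """
    if context == "base":
        return "dscp", ipv4_dscp(pkt)
    if ler_use_dscp and stage == "firewall":
        return "dscp", ipv4_dscp(inner_ipv4(context, pkt))   # customer-written value
    if context == "vprn-mpls":
        return "exp", mpls_exp(pkt)
    return "dscp", ipv4_dscp(pkt)           # GRE (and IPSec): outer tunnel DSCP


def security_queue(marking):
    """1 = best-effort queue, 2 = expedited queue; the numbering is fixed by the guide."""
    kind, value = marking
    return 2 if value in (EXPEDITED_EXP if kind == "exp" else EXPEDITED_DSCP) else 1
```

With ler-use-dscp enabled, the value that steers an extracted packet into the expedited firewall queue is written by the customer, so the expedited queue's rate parameters in the security queue QoS policy are what bound how much of that traffic a single customer can push toward the CSM.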

Basic Configuration

A basic security queue policy must conform to the following rules.

  • Each security queue policy must have a unique policy ID.

  • Default values can be modified but parameters cannot be deleted.

Note: Queue 1 is always best effort and queue 2 is always expedited.

Creating a Security Data Queue QoS Policy

Configuring a security data queue QoS policy is optional. If no security queue QoS policy is explicitly defined, the default security queue QoS parameters are applied.

To create a new security queue policy, define the following:

  • a security queue policy identifier — the system does not dynamically assign an identifier

  • a description — a brief description of the policy

Use the following CLI syntax to configure a security queue QoS policy:

CLI Syntax:
config>qos#
    security-queue policy-id
        description description-string
        queue queue-id 
            cbs size
            high-prio-only percent
            mbs size
            rate pir [cir]
Example:
*A:ALU-1#
config>qos# security-queue 2 create
config>qos>security-queue$ description "Test1"
config>qos>security-queue$ queue 1
config>qos>security-queue>queue$ cbs 112
config>qos>security-queue>queue$ high-prio-only 25
config>qos>security-queue>queue$ mbs 300 kilobytes
config>qos>security-queue>queue$ rate max cir max
config>qos>security-queue>queue$ exit
config>qos>security-queue$ queue 2
config>qos>security-queue>queue$ cbs 40
config>qos>security-queue>queue$ mbs 5000 kilobytes
config>qos>security-queue>queue$ rate 400000 cir 35000
config>qos>security-queue>queue$ exit
config>qos>security-queue$ exit
*A:ALU-1#

The following output shows the configuration for security queue policy 2:

*A:ALU-1>config>qos# info
#--------------------------------------------------
echo "QoS Policy Configuration"
#--------------------------------------------------
        security-queue 2 create
            description "Test1"
            queue 1 best-effort
                rate max cir max
                mbs 300 kilobytes
                cbs 112
                high-prio-only 25
            exit
            queue 2 expedite
                rate 400000 cir 35000
                mbs 5000 kilobytes
                cbs 40
            exit
        exit
#--------------------------------------------------
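Because a security queue policy takes effect on every adapter card that references it as soon as it is changed, it is worth validating a policy against the documented limits before typing it in. The following Python is an added example, not code from the 7705 SAR guide or from Nokia: it models a policy with the two fixed queues, checks each parameter against the ranges given in the command reference (policy-id 1 to 65535 with policy 1 reserved, cbs 1 to 131072, high-prio-only 1 to 100, mbs 0 to 131072000, pir 1 to 100000000 or max, cir 0 to 100000000 or max, description up to 80 printable 7-bit ASCII characters), merges overrides onto the defaults from the defaults table, and renders the policy in the layout of the info output above. The class and function names are this example's own, not CLI names.

```python
"""Build, validate and render a 7705 SAR security-queue policy.

Added example, not from the guide. Limits and defaults are the ones the
guide states; everything else (names, data layout) is this example's own.
"""
from dataclasses import dataclass, field

MAX_RATE = 100_000_000
DEFAULTS = {  # queue 1 is always best-effort, queue 2 always expedite
    1: {"type": "best-effort", "cbs": 10, "high_prio_only": 10, "mbs": 5000, "pir": 400000, "cir": 1500},
    2: {"type": "expedite", "cbs": 40, "high_prio_only": 10, "mbs": 5000, "pir": 400000, "cir": 35000},
}
LIMITS = {  # field: (min, max, "max" keyword allowed)
    "cbs": (1, 131072, False), "high_prio_only": (1, 100, False),
    "mbs": (0, 131072000, False), "pir": (1, MAX_RATE, True), "cir": (0, MAX_RATE, True),
}


@dataclass
class Queue:
    """Per-queue overrides; "default" keeps the value from DEFAULTS."""
    queue_id: int
    cbs: object = "default"             # kbytes
    high_prio_only: object = "default"  # percent
    mbs: object = "default"             # rendered with the kilobytes keyword
    pir: object = "default"             # rate in the guide's units, or "max"
    cir: object = "default"


@dataclass
class SecurityQueuePolicy:
    policy_id: int
    description: str = ""
    queues: dict = field(default_factory=dict)


def validate(policy):
    """Return a list of problems; an empty list means the policy is acceptable."""
    errs = []
    if not 1 <= policy.policy_id <= 65535:
        errs.append(f"policy-id {policy.policy_id} outside 1..65535")
    elif policy.policy_id == 1:
        errs.append("policy 1 is the reserved default security queue policy and cannot be modified")
    d = policy.description
    if len(d) > 80 or any(not 32 <= ord(c) < 127 for c in d):
        errs.append("description must be at most 80 printable 7-bit ASCII characters")
    for qid, q in policy.queues.items():
        if qid not in DEFAULTS:
            errs.append(f"queue {qid}: only queue 1 (best-effort) and queue 2 (expedite) exist")
            continue
        for name, (lo, hi, allow_max) in LIMITS.items():
            val = getattr(q, name)
            if val == "default" or (allow_max and val == "max"):
                continue
            if not isinstance(val, int) or not lo <= val <= hi:
                errs.append(f"queue {qid} {name}={val!r}: expected {lo}..{hi}"
                            + (" | max" if allow_max else ""))
    return errs


def effective(policy):
    """Merge overrides onto the defaults: what each queue will actually run with."""
    out = {}
    for qid, dflt in DEFAULTS.items():
        q = policy.queues.get(qid, Queue(qid))
        out[qid] = {k: (getattr(q, k) if getattr(q, k) != "default" else v)
                    for k, v in dflt.items() if k != "type"}
    return out


def render(policy):
    """Emit the policy in the 'info' layout used by the guide."""
    lines = [f"security-queue {policy.policy_id} create"]
    if policy.description:
        lines.append(f'    description "{policy.description}"')
    for qid in sorted(policy.queues):
        q, eff = policy.queues[qid], effective(policy)[qid]
        lines.append(f"    queue {qid} {DEFAULTS[qid]['type']}")
        if q.pir != "default" or q.cir != "default":   # rate always needs a pir
            lines.append(f"        rate {eff['pir']}"
                         + (f" cir {q.cir}" if q.cir != "default" else ""))
        if q.mbs != "default":
            lines.append(f"        mbs {q.mbs} kilobytes")
        if q.cbs != "default":
            lines.append(f"        cbs {q.cbs}")
        if q.high_prio_only != "default":
            lines.append(f"        high-prio-only {q.high_prio_only}")
        lines.append("    exit")
    lines.append("exit")
    return "\n".join(lines)
```

A policy object built from the CLI example above validates cleanly and renders to the same queue blocks as the info output; a policy with id 1, an over-long description or a queue 3 is rejected before anything reaches the router.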

Default Security Queue Policy Parameter Values

Table 1 lists the default security queue policy parameter values. Buffer sizes (CBS and MBS) are in kilobytes; rates (PIR and CIR) are in kilobytes per second, the unit used by the rate command.

Table 1. Security Queue Parameter Defaults

Parameter        Default (Best Effort, queue 1)   Default (Expedited, queue 2)
CBS              10 kbytes                        40 kbytes
High-prio-only   10 %                             10 %
MBS              5000 kbytes                      5000 kbytes
PIR              400000 kbytes/s                  400000 kbytes/s
CIR              1500 kbytes/s                    35000 kbytes/s

Service Management Tasks

Deleting QoS Policies

Use the following CLI syntax to delete a security queue QoS policy:

CLI Syntax:
config>qos# no security-queue policy-id
Example:
config>qos# no security-queue 2

Copying and Overwriting QoS Policies

You can copy an existing security queue QoS policy, rename it with a new policy ID value, or overwrite an existing policy ID. The overwrite option must be specified or an error occurs if the destination policy ID exists.

Use the following syntax to overwrite an existing security queue QoS policy.

CLI Syntax:
config>qos# copy security-queue source-policy-id dest-policy-id [overwrite]
Example:
*A:ALU-1>config>qos# copy security-queue 2 3 overwrite
*A:ALU-1>config>qos# exit
*A:ALU-1#

Editing QoS Policies

You can change existing policies and entries in the CLI. The changes are applied immediately to all queues where this policy is applied. To prevent configuration errors, copy the policy to a work area, make the edits, and then write over the original policy.

Security Queue QoS Policy Command Reference

Command Hierarchies

Operational Commands

config
    - qos
        - copy security-queue src-pol dst-pol [overwrite] 

Show Commands

show
    - qos
        - security-queue [policy-id] [association | detail]

Command Descriptions

Configuration Commands

Security Queue QoS Policy Commands
security-queue
Syntax

security-queue policy-id [create]

no security-queue policy-id

Context

config>qos

Description

This command configures a security queue policy for traffic being extracted from the datapath to the CSM for firewall processing. When a security queue policy is created, two queues are created automatically for the extracted traffic: queue 1 for best-effort traffic and queue 2 for expedited traffic. The queue numbers and types of these two queues are not configurable.

The no form of this command removes the security queue policy.

Default

n/a

Parameters
policy-id

the number of the policy being referenced. Policy 1 is reserved for the default security queue policy; it cannot be modified.

Values

1 to 65535

create

keyword used to create a security queue policy

description
Syntax

description description-string

no description

Context

config>qos>security-queue

Description

This command configures a description for the security queue policy being referenced.

The no form of this command removes the description.

Default

n/a

Parameters
description-string

a text string describing the entity. Allowed values are any string up to 80 characters long composed of printable, 7-bit ASCII characters. If the string contains special characters (such as #, $, or spaces), the entire string must be enclosed within double quotes.

queue
Syntax

[no] queue queue-id

Context

config>qos>security-queue

Description

This command enables the context to configure parameters related to the queue type for the traffic extracted from the datapath to the CSM. When the security queue policy is created, a set of queues is automatically created: queue 1 for best-effort traffic and queue 2 for expedited traffic. When the best-effort and expedited queues are created, default values are assigned to their information rate parameters.

The no form of this command removes the queue-id from the security queue policy.

Default

n/a

Parameters
queue-id

specifies the ID for the queue type being referenced

Values

1 (best-effort queue) or 2 (expedited queue)

cbs
Syntax

cbs {size-in-kbytes | default}

no cbs

Context

config>qos>security-queue>queue

Description

This command overrides the default Committed Buffer Space (CBS) reserved for the specified queue. The value is configured in kilobytes.

The no form of this command returns the CBS to the default value for the queue type.

Parameters
size-in-kbytes

specifies the committed buffer space for the queue

Values

1 to 131072 | default

Default

10 kbytes for best effort

40 kbytes for expedite

high-prio-only
Syntax

high-prio-only {percent | default}

no high-prio-only

Context

config>qos>security-queue>queue

Description

This command configures the percentage of the queue used exclusively by high-priority packets. The specified value overrides the default value for the queue type.

The no form of this command restores the default high-priority reserved size for the queue type.

Parameters
percent

the percentage reserved for high priority traffic on the queue

Values

1 to 100 | default

Default

10 for best effort

10 for expedite

mbs
Syntax

mbs {size {bytes | kilobytes} | default}

no mbs

Context

config>qos>security-queue>queue

Description

This command sets the Maximum Burst Size (MBS) value for buffers of a specified queue. The value is configured either in bytes or in kilobytes and overrides the default MBS value.

The no form of this command returns the MBS to the default value for the queue type.

Parameters
size

specifies the maximum burst size for the queue, either in bytes or kilobytes

Values

0 to 131072000 | default

Default

5000 kbytes for best effort

5000 kbytes for expedite

bytes

configures the maximum burst size for the queue in bytes

kilobytes

configures the maximum burst size for the queue in kilobytes

rate
Syntax

rate pir [cir cir]

no rate

Context

config>qos>security-queue>queue

Description

This command sets the Peak Information Rate (PIR) value and the optional Committed Information Rate (CIR) for a specified queue. The values are configured in kilobytes per second and override the default PIR and CIR values.

The no form of this command returns the PIR and CIR to their default values for the queue type, assigned when the security queue policy for firewall traffic was created.

Parameters
pir

specifies the peak information rate for the queue, in kilobytes per second

Values

1 to 100000000 | max

Default

400000 for best effort

400000 for expedite

cir

specifies the committed information rate for the queue, in kilobytes per second

Values

0 to 100000000 | max

Default

1500 for best effort

35000 for expedite

Operational Commands

copy
Syntax

copy security-queue src-pol dst-pol [overwrite]

Context

config>qos

Description

This command copies existing policy entries for a security queue QoS policy to another security queue policy. This command is a configuration-level maintenance tool used to create new policies using existing policies. It also allows bulk modifications to an existing policy with the use of the overwrite keyword.

Default

n/a

Parameters
src-pol

the source policy ID that the copy command will attempt to copy from

dst-pol

the destination policy ID to which the command will copy the policy

overwrite

specifies that the existing destination policy is to be replaced. Everything in the existing destination policy will be overwritten with the contents of the source policy. If overwrite is not specified for an existing policy ID, an error will occur.

Show Commands

Note: The following command outputs are examples only; actual displays may differ depending on supported functionality and user configuration.
security-queue
Syntax

security-queue [policy-id] [association | detail]

Context

show>qos

Description

This command displays security queue information.

Parameters
policy-id

specifies the ID of the security queue policy

Values

1 to 65535

association

displays information about the security queue policy associations

detail

displays detailed information about the security queue policy

Output

The following output is an example of security queue policy information; Table 2 describes the fields.

Output Example
*A:7705custDoc:Sar18>show>qos# security-queue detail
===============================================================================
QoS Security Queue Policy
===============================================================================
Security Queue Policy Id (1)                        
-------------------------------------------------------------------------------
Policy-id     :1 
Description   :Default Security Queue policy


-------------------------------------------------------------------------------
Q     CIR      PIR      CBS      MBS      HiPrio
-------------------------------------------------------------------------------
1     1500     400000   10       5000000   10
2     35000    400000   40       5000000   10
-------------------------------------------------------------------------------
Associations
-------------------------------------------------------------------------------
MDA              :1/1 (Network Ingress)
MDA              :1/1 (Access Ingress)
MDA              :1/3 (Network Ingress)
MDA              :1/3 (Access Ingress)
MDA              :1/4 (Network Ingress)
MDA              :1/4 (Access Ingress)
MDA              :1/5 (Network Ingress)
MDA              :1/5 (Access Ingress)
MDA              :1/6 (Network Ingress)
MDA              :1/6 (Access Ingress)
-------------------------------------------------------------------------------
Security Queue Policy Id(2)
-------------------------------------------------------------------------------
Policy-id     :2 
Description   :Description for Security Queue Policy id #2

-------------------------------------------------------------------------------
Q     CIR      PIR      CBS      MBS      HiPrio
-------------------------------------------------------------------------------
1     1500     400000   10       5000000   10
2     35000    400000   40       5000000   10
-------------------------------------------------------------------------------
Associations
-------------------------------------------------------------------------------
MDA              :1/2 (Access Ingress)

-------------------------------------------------------------------------------
Security Queue Policy Id(3)
-------------------------------------------------------------------------------
Policy-id     :3 
Description   :Description for Security Queue Policy id #3

-------------------------------------------------------------------------------
Q     CIR      PIR      CBS      MBS      HiPrio
-------------------------------------------------------------------------------
1     1500     400000   10       5000000   10
2     35000    400000   40       5000000   10
-------------------------------------------------------------------------------
Associations
-------------------------------------------------------------------------------
MDA              :1/2 (Network Ingress)
===============================================================================
*A:7705custDoc:Sar18>show>qos#
Table 2. Security Policy Field Descriptions

Label                       Description

QoS Security Queue Policy
  Policy-id                 The ID that uniquely identifies the security queue policy
  Description               A text string that helps identify the security queue policy's context in the configuration file
  Q                         The security queue identifier: 1 (best effort) or 2 (expedited)
  CIR                       The committed information rate for the security queue
  PIR                       The peak information rate for the security queue
  CBS                       The committed buffer space for the security queue, in kilobytes
  MBS                       The maximum burst size for the security queue, shown in bytes
  HiPrio                    The percentage of the queue used exclusively by high-priority packets

Associations
  MDA                       The adapter card (slot/MDA) and the traffic direction (network ingress or access ingress) to which the security queue policy applies
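The show output above is the natural place to verify two things the chapter asks for: that the slave in a multi-chassis pair carries the same security queue policies as the master, and which adapter cards are still extracting under the reserved default policy 1. The following Python is an added example, not code from the 7705 SAR guide or from Nokia: it parses the Policy-id, Description, queue rows and MDA association lines in the layout shown above, diffs the parsed policies of two chassis, and lists the adapter-card directions associated with a given policy. The two show outputs are constructed for this example, and the function names are its own.

```python
"""Audit 'show qos security-queue detail' output from a master/slave pair.

Added example, not from the 7705 SAR guide. The parser follows the text
layout of the show output (Policy-id / Description / queue rows / MDA lines);
the sample outputs below are constructed, and every name is this example's own.
"""
import re

QUEUE_ROW = re.compile(r"^\s*([12])\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
FIELD = re.compile(r"^(Policy-id|Description|MDA)\s*:\s*(.*?)\s*$")
QUEUE_FIELDS = ("cir", "pir", "cbs", "mbs", "hiprio")   # column order of the Q table


def parse_security_queues(text):
    """Return {policy_id: {"description", "queues": {q: {...}}, "associations": [...]}}."""
    policies, cur = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            key, val = m.groups()
            if key == "Policy-id":
                cur = {"description": "", "queues": {}, "associations": []}
                policies[int(val)] = cur
            elif key == "Description":
                cur["description"] = val
            else:                                   # MDA :slot/mda (direction)
                cur["associations"].append(val)
            continue
        m = QUEUE_ROW.match(line)
        if m and cur is not None:
            q, *vals = map(int, m.groups())
            cur["queues"][q] = dict(zip(QUEUE_FIELDS, vals))
    return policies


def compare_chassis(master, slave):
    """Differences that break the 'configured identically' rule, as (policy_id, detail)."""
    diffs = []
    for pid in sorted(set(master) | set(slave)):
        if pid not in slave:
            diffs.append((pid, "missing on slave"))
            continue
        if pid not in master:
            diffs.append((pid, "missing on master"))
            continue
        for q in (1, 2):
            mq = master[pid]["queues"].get(q, {})
            sq = slave[pid]["queues"].get(q, {})
            for f in QUEUE_FIELDS:
                if mq.get(f) != sq.get(f):
                    diffs.append((pid, f"queue {q} {f}: master={mq.get(f)} slave={sq.get(f)}"))
    return diffs


def cards_on_policy(policies, pid=1):
    """Adapter-card directions served by a policy (1 = the reserved default policy)."""
    return sorted(policies.get(pid, {"associations": []})["associations"])


# Constructed master output in the layout of the show command.
MASTER = """\
Security Queue Policy Id (1)
-------------------------------------------------------------------------------
Policy-id     :1
Description   :Default Security Queue policy
-------------------------------------------------------------------------------
Q     CIR      PIR      CBS      MBS      HiPrio
-------------------------------------------------------------------------------
1     1500     400000   10       5000000   10
2     35000    400000   40       5000000   10
-------------------------------------------------------------------------------
Associations
-------------------------------------------------------------------------------
MDA              :1/1 (Network Ingress)
MDA              :1/1 (Access Ingress)
-------------------------------------------------------------------------------
Security Queue Policy Id(2)
-------------------------------------------------------------------------------
Policy-id     :2
Description   :Zone A access extraction
Q     CIR      PIR      CBS      MBS      HiPrio
1     1500     100000   10       5000000   10
2     35000    100000   40       5000000   10
Associations
MDA              :1/2 (Access Ingress)
-------------------------------------------------------------------------------
Security Queue Policy Id(3)
-------------------------------------------------------------------------------
Policy-id     :3
Description   :Zone A network extraction
Q     CIR      PIR      CBS      MBS      HiPrio
1     1500     400000   10       5000000   10
2     35000    400000   40       5000000   10
Associations
MDA              :1/2 (Network Ingress)
===============================================================================
"""

# Constructed slave output: policy 2 queue 2 CIR drifted, policy 3 was never replicated.
SLAVE = MASTER.split("Security Queue Policy Id(3)")[0].replace(
    "2     35000    100000", "2     3500     100000")
```

Run against the two outputs, compare_chassis reports the drifted CIR on policy 2 and the policy missing on the slave, and cards_on_policy shows that adapter card 1/1 in both directions is still extracting under the default policy.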