Security QoS and security QoS policies

Overview

When a security zone, security profile, and policies are configured for security sessions on the 7705 SAR, data packets entering and leaving the zone are extracted, if required, from the datapath to the CSM for examination. QoS is applied on these packets to control the amount of traffic being extracted to the CSM. For information about requirements for packet extraction to the CSM, see the ‟Security Session Creation” in the 7705 SAR Router Configuration Guide.

QoS for firewall-extracted packets to the CSM

When security parameters are configured, data packets entering or leaving a zone are extracted from the datapath to the CSM for examination. Application Level Gateway (ALG) TFTP/FTP or strict TCP data packets that are extracted are placed into access or network security data queues. These access and network security queues are able to control the rate of traffic scheduled through these queues by using security queue QoS policies (see Security queue QoS policies for information).

Non-ALG and non-strict TCP datapath traffic that is extracted from the datapath for CSM security examination is extracted into a security control queue that has one queue per security zone.

In order to limit the aggregate datapath traffic being extracted to the CSM via the access/network security queues and all the security control queues (one per zone), a security-aggregate-rate shaper can be configured, which defaults to a rate of 50 Mb/s. For information about configuring the security-aggregate-rate shaper, see the 7705 SAR Interface Configuration Guide, ‟Adapter Card Commands”.

Firewall traffic that is permitted through the firewall will be forwarded across the data path using datapath traffic management.

Multi-chassis firewall QoS

In a multi-chassis configuration, the slave router has the same security configuration as the master. When the slave router receives datapath packets that are entering or leaving a security zone, the data packets are extracted into the same access or network data queues and security control queues that exist on the master. However, the data packets that are extracted must be processed by the master firewall security engine. The slave sends these extracted data packets to the master over the multi-chassis link (MCL).

The access queues, network data queues, and security control queues used on the slave have QoS configurations that control the traffic rate from the slave to the master. These QoS configurations on the slave, specifically security queue QoS policies and the aggregate shaping rate, should be configured identically on the master. For information, see Security queue QoS policies and also refer to the 7705 SAR Interface Configuration Guide, ‟Adapter card commands” for information about configuring the security-aggregate-rate command.

The extracted data packets that the master receives from the slave are stored in a multi-chassis firewall queue for extraction to the CSM on the master. In order to limit the rate of datapath traffic being extracted and sent to the master CSM, this extraction queue is rate-limited to 80 Mb/s. In addition, this extraction queue, along with the security control queues and the access/network security queues, are rate-limited by the security-aggregate-rate command. These QoS settings and configurations make it possible to control the datapath traffic being extracted on the master and slave for firewall security processing.

Security queue QoS policies

For ALG TFTP/FTP or strict TCP traffic that egresses one security zone and ingresses a different security zone, every packet must be forwarded to the CSM for processing. To control this traffic to the CSM, the packets are extracted from the data path and queued into either network security data queues or access security data queues. These queues each contain two further queues: expedited (EXP) queues and best-effort (BE) queues. On the 7705 SAR-8 Shelf V2 and 7705 SAR-18, expedited and best-effort queues are created per adapter card.

For further details about zone configuration and firewall session creation, see the 7705 SAR Router Configuration Guide, ‟Configuring Security Parameters”.

Packet queuing with DSCP

By default, packets are assigned to the EXP and BE queues as follows:

For the base router context, packets are assigned to the EXP and BE queues based on the DSCP marking in the packet IP header.
For the VPRN or IPSec context, packets are assigned to the EXP and BE queues based on the EXP or DSCP marking of the outer tunnel. The EXP marking is used for Layer 3 MPLS VPRNs, and the DSCP marking is used for IPSec or Layer 3 GRE VPRNs.

However, it is possible to queue packets based on the inner (customer) IP header DSCP marking by using the command config>qos>network>ingress>ler-use-dscp. This is useful where customers have policed bandwidth at the PE and want to differentiate their own network packets on the access PEs. By enabling the ler-use-dscp command, the following occurs for encrypted VPRN, IPSec, and NGE packets:

packets will be queued in the encryption queues based on the outer tunnel MPLS EXP or IPSec/GRE DSCP marking
after decryption, for either firewall datapath queues or the regular datapath queues, the packets will be queued based on the inner (customer) IP header DSCP marking

For more information, see ler-use-dscp in the Network QoS Policy Command Reference chapter.

Basic configuration

This section contains the following topics related to creating security queue policies:

A basic security queue policy must conform to the following rules:

Each security queue policy must have a unique policy ID.
Default values can be modified but parameters cannot be deleted.

Note: Queue 1 is always best effort and queue 2 is always expedited.

Creating a security data queue QoS policy

Configuring a security data queue QoS policy is optional. If no security queue QoS policy is explicitly defined, the default security queue QoS parameters are applied.

To create a new security queue policy, define the following:

a security queue policy identifier – the system does not dynamically assign an identifier
a description – a brief description of the policy

Use the following CLI syntax to configure a security queue QoS policy:

CLI syntax:

config>qos#
    security-queue policy-id
        description description-string
        queue queue-id 
            cbs size
            high-prio-only percent
            mbs size
            rate pir [cir]

Example:

*A:ALU-1#
config>qos>security-queue "SecurityQueue 2" create
config>qos>security-queue$ description "Test1"
config>qos>security-queue$ queue 1
config>qos>security-queue>queue$ cbs 112
config>qos>security-queue>queue$ high-prio-only 25
config>qos>security-queue>queue$ mbs 300 kilobytes
config>qos>security-queue>queue$ rate pir max cir max
config>qos>security-queue>queue$ exit
config>qos>security-queue$ queue 2
config>qos>security-queue>queue$c bs 40
config>qos>security-queue>queue$ mbs 5000
config>qos>security-queue>queue$ rate pir 400000 cir 35000
config>qos>security-queue>queue$ exit
config>qos>security-queue$ exit
*A:ALU-1#

The following output shows the configuration for SecurityQueue 2:

*A:ALU-1>config>qos# info
#--------------------------------------------------
echo "QoS Policy Configuration"
#--------------------------------------------------
        ‟SecurityQueue 2” create
            description "Test1"
            queue 1 best-effort
                rate max cir max
                mbs 300 kilobytes
                cbs 112
                high-prio-only 25
            exit
            queue 2 expedite
                rate 400000 cir 35000
                mbs 5000 kilobytes
                cbs 40
            exit
        exit
#--------------------------------------------------

Default security queue policy parameter values

The following table displays the default security queue policy parameter values.

Table 1. Security queue parameter defaults
Parameter	Default values–Best Effort	Default values–Expedited
CBS	10 kB	40 kB
High-prio-only	10	n/a
MBS	5000 kB	5000 kB
PIR	400000 kB	400000 kB
CIR	1500 kB	35000 kB

Service management tasks

This section describes the following service management tasks:

Deleting QoS policies

Use the following CLI syntax to delete a security queue QoS policy:

CLI syntax:

config>qos# no security-queue policy-id

Example:

config>qos# no security-queue SecurityQueue 2

Copying and overwriting QoS policies

You can copy an existing security queue QoS policy, rename it with a new policy ID value, or overwrite an existing policy ID. The overwrite option must be specified or an error occurs if the destination policy ID exists.

Use the following syntax to overwrite an existing security queue QoS policy.

CLI syntax:

config>qos# copy security-queue source-policy-id dest-policy-id [overwrite]

Example:

*A:ALU-1>config>qos# copy security-queue SecurityQueue1 SecurityQueue2 overwrite
config>qos# exit
*A:ALU-2#

Editing QoS policies

You can change existing policies and entries in the CLI. The changes are applied immediately to all queues where this policy is applied. To prevent configuration errors, copy the policy to a work area, make the edits, and then write over the original policy.

Security queue QoS policy command reference

Command hierarchies

Configuration commands

config
    - qos
        - security-queue policy-id [create] 
        - no security-queue policy-id 
            - description description-string
            - no description
            - [no] queue queue-id
                - cbs {size-in-kbytes | default}
                - no cbs 
                - high-prio-only {percent | default}
                - no high-prio-only 
                - mbs {size {bytes | kbytes} | default}
                - no mbs 
                - rate pir [cir cir]
                - no rate

Operational commands

config
    - qos
        - copy security-queue src-pol dst-pol [overwrite]

Show commands

show
    - qos
        - security-queue [policy-id] [association | detail]

Command descriptions

Configuration commands

Security queue QoS policy commands

Security queue QoS policy commands

security-queue

Syntax

security-queue policy-id [create]

no security-queue policy-id

Context

config>qos

Description

This command configures a security queue policy for traffic being extracted from the datapath to the CSM for firewall processing. When a security queue policy is created, two queues are created automatically for the extracted traffic: queue 1 for best-effort traffic and queue 2 for expedited traffic. The queue number and type for these two queues is not configurable.

The no form of this command removes the security queue policy.

Default

n/a

Parameters

policy-id

the number of the policy being referenced. Policy 1 is reserved for the default security queue policy; it cannot be modified.

Values: 1 to 65535

create: keyword used to create a security queue policy

description

Syntax

description description-string

no description

Context

config>qos>security-queue

Description

This command configures a description for the security queue policy being referenced.

The no form of this command removes the description.

Default

n/a

Parameters

description-string: a text string describing the entity. Allowed values are any string up to 80 characters long composed of printable, 7-bit ASCII characters. If the string contains special characters (such as #, $, or spaces), the entire string must be enclosed within double quotes.

queue

Syntax

[no] queue queue-id

Context

config>qos>security-queue

Description

This command enables the context to configure parameters related to the queue type for the traffic extracted from the datapath to the CSM. When the security queue policy is created, a set of queues is automatically created: queue 1 for best-effort traffic and queue 2 for expedited traffic. When the best-effort and expedited queues are created, default values are assigned to their information rate parameters.

The no form of this command removes the queue-id from the security queue policy.

Default

n/a

Parameters

queue-id

specifies the ID for the queue type being referenced

Values: 1 for best effort queue

Values: 2 for expedited queue

cbs

Syntax

cbs {size-in-kbytes | default}

no cbs

Context

config>qos>security-queue>queue

Description

This command overrides the default committed buffer space (CBS) reserved for the specified queue. The value is configured in kilobytes.

The no form of this command returns the CBS to the default value for the queue type.

Parameters

size-in-kbytes

specifies the committed buffer space for the queue

Values: 1 to 131072 | default

Default

10 kB for best effort

40 kB for expedite

high-prio-only

Syntax

high-prio-only {percent | default}

no high-prio-only

Context

config>qos>security-queue>queue

Description

This command configures the percentage of the queue used exclusively by high-priority packets. The specified value overrides the default value for the queue type.

The no form of this command restores the default high-priority reserved size for the queue type.

Parameters

percent

the percentage reserved for high priority traffic on the queue

Values: 1 to 100 | default

Default

10 for best effort

10 for expedite

mbs

Syntax

mbs {size {bytes | kilobytes} | default}

no mbs

Context

config>qos>security-queue>queue

Description

This command sets the maximum burst size (MBS) value for buffers of a specified queue. The value is configured either in bytes or in kilobytes and overrides the default MBS value.

The no form of this command returns the MBS to the default value for the queue type.

Parameters

size

specifies the maximum burst size for the queue, either in bytes or kilobytes

Values: 0 to 131072000 | default

Default

5000 kB for best effort

5000 kB for expedite

bytes: configures the maximum burst size for the queue in bytes

kilobytes: configures the maximum burst size for the queue in kilobytes

rate

Syntax

rate pir [cir cir]

no rate

Context

config>qos>security-queue>queue

Description

This command sets the peak information rate (PIR) value and optional committed information rate (CIR) for a specified queue. The values are configured in kilobytes and override the default PIR and CIR values.

The no form of this command returns the PIR and CIR to their default values for the queue type, assigned when the security queue policy for firewall traffic was created.

Parameters

pir

specifies the peak information rate for the queue, in kilobytes per second

Values: 1 to 100000000 | max

Default

400000 for best effort

400000 for expedite

cir

specifies the committed information rate for the queue, in kilobytes per second

Values: 0 to 100000000 | max

Default

15000 for best effort

35000 for expedite

Operational commands

copy

Syntax

copy security-queue src-pol dst-pol [overwrite]

Context

config>qos

Description

This command copies existing policy entries for a security queue QoS policy to another security queue policy. This command is a configuration-level maintenance tool used to create new policies using existing policies. It also allows bulk modifications to an existing policy with the use of the overwrite keyword.

Default

n/a

Parameters

src-pol: the source policy ID that the copy command will attempt to copy from

dst-pol: the destination policy ID to which the command will copy the policy

overwrite: specifies that the existing destination policy is to be replaced. Everything in the existing destination policy will be overwritten with the contents of the source policy. If overwrite is not specified for an existing policy ID, an error will occur.

Show commands

Note: The following command outputs are examples only; actual displays may differ depending on supported functionality and user configuration.

security-queue

Syntax

security-queue [policy-id] [association | detail]

Context

show>qos

Description

This command displays security queue information.

Parameters

policy-id

specifies the ID of the security queue policy

Values: 1 to 65535

association: displays information about the security queue policy associations

detail: displays detailed information about the security queue policy

Output

The following output is an example of security policy information, and Security policy field descriptions describes the fields.

Output example

*A:7705custDoc:Sar18>show>qos# security-queue detail
===============================================================================
QoS Security Queue Policy
===============================================================================
Security Queue Policy Id (1)                        
-------------------------------------------------------------------------------
Policy-id     :1 
Description   :Default Security Queue policy


-------------------------------------------------------------------------------
Q     CIR      PIR      CBS      MBS      HiPrio
-------------------------------------------------------------------------------
1     1500     400000   10       5000000   10
2     3500     400000   40       5000000   10
-------------------------------------------------------------------------------
Associations
-------------------------------------------------------------------------------
MDA              :1/1 (Network Ingress)
MDA              :1/1 (Access Ingress)
MDA              :1/3 (Network Ingress)
MDA              :1/3 (Access Ingress)
MDA              :1/4 (Network Ingress)
MDA              :1/4 (Access Ingress)
MDA              :1/5 (Network Ingress)
MDA              :1/5 (Access Ingress)
MDA              :1/6 (Network Ingress)
MDA              :1/6 (Access Ingress)

-------------------------------------------------------------------------------
Security Queue Policy Id(2)
-------------------------------------------------------------------------------
Policy-id     :2 
Description   :Description for Security Queue Policy id #2

-------------------------------------------------------------------------------
Q     CIR      PIR      CBS      MBS      HiPrio
-------------------------------------------------------------------------------
1     1500     400000   10       5000000   10
2     3500     400000   40       5000000   10
-------------------------------------------------------------------------------
Associations
-------------------------------------------------------------------------------
MDA              :1/2 (Access Ingress)

-------------------------------------------------------------------------------
Security Queue Policy Id(3)
-------------------------------------------------------------------------------
Policy-id     :3 
Description   :Description for Security Queue Policy id #3

-------------------------------------------------------------------------------
Q     CIR      PIR      CBS      MBS      HiPrio
-------------------------------------------------------------------------------
1     1500     400000   10       5000000   10
2     3500     400000   40       5000000   10
-------------------------------------------------------------------------------
Associations
-------------------------------------------------------------------------------
MDA              :1/2 (Network Ingress)
===============================================================================
*A:7705custDoc:Sar18>show>qos#

Table 2. Security policy field descriptions
Label	Description
QoS Security Queue Policy
Policy-id	The ID that uniquely identifies the security queue policy
Description	A text string that helps identify the security queue policy’s context in the configuration file
Q	The security queue identifier, either 1 or 2
CIR	The committed information rate for the security queue
PIR	The peak information rate for the security queue
CBS	The committed buffer space for the security queue
MBS	The maximum burst size for the security queue
HiPrio	The percentage of the queue used exclusively by high-priority packets
Associations
MDA	The adapter card slot number indicating the direction of traffic to which the security queue applies