[c-nsp] Restricting access to QOS
Oliver Boehmer (oboehmer)
oboehmer at cisco.com
Mon Jul 31 07:15:25 EDT 2006
mb2 at os.datafx.com.au <> wrote on Monday, July 31, 2006 12:59 PM:
> We have "standard" GOLD,SILVER,BRONZE + default QOS on our MPLS links
> - How do you restrict a client from classifying their egress traffic
> as GOLD (when they haven't paid for GOLD access)?
You *always* have to do some form of admission control on the edge.
Admission control basically makes sure the customer doesn't exceed the
contract with you, and re-colors out-of-contract traffic. So a possible
policy-map on ingress for a customer only buying $CIR bps of silver
traffic could be

  policy-map from-customer
   class SILVER
    police $CIR ... conform-action transmit exceed-action set-dscp-transmit <recolor>
   class class-default
    set ip dscp 0

So if this customer sends you "GOLD" traffic, it falls through to
class-default and is re-colored. Generally, we recommend re-coloring
out-of-contract traffic within a class (SILVER, in the above example),
to a different DSCP/Precedence value which has a higher drop probability
within the core. Out-of-class re-coloring (for example to class-default)
can produce undesired results in certain scenarios, but I also saw this
in several deployments. Out-of-contract voice traffic is generally
dropped.
Customers not buying any QoS only have a "set ip dscp 0" class-default
inbound policy-map.
Hope this helps..
oli
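
Added example, not part of the original post and not Cisco code: a simplified token-bucket model of the ingress policy described above, showing what marking each customer packet carries into the core. The DSCP values (18 for SILVER, 20 as the re-color value, 46 standing in for GOLD), the CIR, the burst size and all function names are assumptions; the post leaves them as placeholders.

```python
# Simplified model of the "from-customer" ingress policy (illustration only).
from dataclasses import dataclass

SILVER_DSCP = 18    # assumed in-contract SILVER marking (AF21)
RECOLOR_DSCP = 20   # assumed out-of-contract marking (AF22, higher drop precedence)
DEFAULT_DSCP = 0    # "set ip dscp 0" in class-default


@dataclass
class Policer:
    cir_bps: int          # committed information rate, bits per second
    burst_bytes: int      # bucket depth in bytes
    tokens: float = 0.0
    last: float = 0.0

    def __post_init__(self):
        self.tokens = float(self.burst_bytes)  # bucket starts full

    def conforms(self, now: float, size: int) -> bool:
        # Refill at CIR for the time elapsed, capped at the burst size.
        refill = (now - self.last) * self.cir_bps / 8
        self.tokens = min(self.burst_bytes, self.tokens + refill)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


def from_customer(policer: Policer, now: float, dscp: int, size: int) -> int:
    """Return the DSCP the packet carries after the edge policy."""
    if dscp == SILVER_DSCP:  # class SILVER: police, re-color the excess
        return SILVER_DSCP if policer.conforms(now, size) else RECOLOR_DSCP
    return DEFAULT_DSCP      # class class-default: anything not bought is reset


def run(packets, cir_bps=1_000_000, burst_bytes=3000):
    policer = Policer(cir_bps, burst_bytes)
    return [from_customer(policer, t, dscp, size) for t, dscp, size in packets]


# Constructed sample: (time in seconds, DSCP set by customer, packet bytes).
SAMPLE = [(0.000, 18, 1500), (0.001, 18, 1500), (0.002, 18, 1500),
          (0.003, 46, 1500), (0.004, 10, 500), (0.050, 18, 1500)]

if __name__ == "__main__":
    print(run(SAMPLE))
```

The third SILVER packet exceeds the burst and is re-colored within the class, while the packet marked 46 never reaches the policer and is reset to 0.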