QoS → IPIngress Policies
Quality of Service (QoS) is a set of technologies and mechanisms used to manage traffic prioritization, often but not exclusively used in scenarios of network congestion. A full explanation of QoS is beyond the scope of this documentation, as the concepts are often as complex as the implementation of them on various network operating systems, along with chip-specific capabilities and limitations.
An IngressPolicy is used to map an incoming packet to a particular Queue. It operates in 3 stages, each of which is explained in more detail below:
ForwardingClass tagForwardingClass, map the packet to a particular QueueIn addition, the IngressPolicy also determines the parameters of the Queue, such as Committed Burst Size (CBS), Maximum Burst Size (MBS), and PFC1 parameters.
Mapping a forwarding class to a queue
Currently, EDA does not support mapping a forwarding class to a Queue on ingress, even though it can be configured through the forwardingClassToQueueMapping property: this property is ignored.
While advanced routers like the Nokia 7750 SR have dedicated queues for ingressing and egressing traffic, in the datacenter there is often only one queue being used. This queue is either a Virtual Output Queue (VOQ) before the packet crosses the forwarding fabric, or an Egress Queue (EGQ) after the packet has crossed the forwarding fabric. The technical reason for this, as well as their benefits and drawbacks, are beyond the scope of this article.
Traffic streams can be prioritized by looking at certain packet headers. Currently supported headers include:
Each classifier will map a packet to a ForwardingClass and drop probability or "color". The lower the drop probability, the less likely a packet is to be dropped while in the queue. When the queue is full, all new incoming packets are discarded regardless of drop probability. This mechanism is known as color marking and requires policers (on ingress) or slope policies (on egress) to be active on the node to be effective.
When using the ipEntry classifier, you can optionally rewrite the DSCP value. This can be useful to re-assess priorities, or it can be used to ignore priority bits altogether when packets ingress the network.
The dot1pPolicyEntry creates a classifier that inspects the Priority Code Point (PCP) bits of a VLAN tag in an ethernet header. Based on the PCP bits, the packet is assigned a particular ForwardingClass. The PCP field is 3 bits long, and therefore has values ranging from 0 to 7 (inclusive).
The dscpPolicyEntry creates a classifier that inspects the Differentiated Services Code Point (DSCP) bits in an IP header. The DSCP field is 6 bits long, and therefore has values ranging from 0 to 63 (inclusive).
Policers count bits per second, and can recolor packets (re-assign drop probabilities) if the packets that are counted by this policer exceed a certain bandwidth. That's a lot to unpack: let's break it down:
IngressPolicy determines which combination of ForwardingClass and traffic types (unicast, multicast, ...) are policed by a certain policer.exceedAction.violateAction.What about pre-coloring?
Policers rely on a two-rate token-based system, where each packet drains a number of tokens from one, two, or zero buckets (depending on pre-coloring done by the classifiers) that are continuously being refilled. There are a lot of nuances to this mechanism and there are subtle implementation differences between operating systems and even hardware platforms. For an in-depth overview of policers, refer to the OS-specific user documentation.
When a packet has been classified (assigned a forwarding class) and colored (assigned a drop probability or 'color') and has not been dropped by the violate-action of the policer, the router performs a forwarding lookup that determines the egress port for the packet. Depending on the hardware platform, the packet is enqueued in a VOQ (Virtual Output Queue) or EGQ (Egress Queue).
If there is room in the Queue, the packet is added to the queue. If there is no room left in the Queue, the packet is dropped.
Slope policies drop a certain percentage of incoming packets when a packet enters the queue. The percentage is based on the occupancy of the Queue and the configuration of the slope policy of the EgressPolicy, and is discussed in more detail in the EgressPolicy documentation article.
ForwardingClass#Most QoS mechanisms either assign a ForwardingClass to a packet, or take an action based on the assigned ForwardingClass. These must exist as a resource if the IngressPolicy refers to them.
Deployment of a ForwardingClass
Both the IngressPolicy and EgressPolicy resources refer to a ForwardingClass by name, and therefore this name must exist on the node. Only the EgressPolicy configures these, which means that a (default) EgressPolicy must always be configured that maps all referenced ForwardingClasses to a queue, even if it is not used.
Queue#The IngressPolicy defines the classification of packets, and assigns them to a particular Queue for further processing, in addition to configuring the Queues themselves. The Queue resources referenced by the policy must exist as resources before the IngressPolicy can be configured.
The IngressPolicy has no references to any EDA resources other than the ones specified in Dependencies.
apiVersion: qos.eda.nokia.com/v2
kind: IngressPolicy
metadata:
name: my-ingress-policy
namespace: eda
spec:
classifier:
entries:
- dscpPolicyEntry:
dropProbabilityLevel: Low
dscpValues:
- value: 0
forwardingClass: fc0
type: Auto
- dscpPolicyEntry:
dropProbabilityLevel: Low
dscpValues:
- value: 26
forwardingClass: fc3
type: Auto
- dscpPolicyEntry:
dropProbabilityLevel: Low
dscpValues:
- value: 48
forwardingClass: fc6
type: Auto
forwardingClassToQueueMapping:
- forwardingClasses:
- fc3
queue: pfc-3
queueManagement:
- pfcReservedBufferPercent: 10
queues:
- maximumBurstSizeBytes: 1024000
pfcPauseFramePriority: 3
queue: pfc-3
cat << 'EOF' | kubectl apply -f -
apiVersion: qos.eda.nokia.com/v2
kind: IngressPolicy
metadata:
name: my-ingress-policy
namespace: eda
spec:
classifier:
entries:
- dscpPolicyEntry:
dropProbabilityLevel: Low
dscpValues:
- value: 0
forwardingClass: fc0
type: Auto
- dscpPolicyEntry:
dropProbabilityLevel: Low
dscpValues:
- value: 26
forwardingClass: fc3
type: Auto
- dscpPolicyEntry:
dropProbabilityLevel: Low
dscpValues:
- value: 48
forwardingClass: fc6
type: Auto
forwardingClassToQueueMapping:
- forwardingClasses:
- fc3
queue: pfc-3
queueManagement:
- pfcReservedBufferPercent: 10
queues:
- maximumBurstSizeBytes: 1024000
pfcPauseFramePriority: 3
queue: pfc-3
EOF
To browse the Custom Resource Definition go to crd.eda.dev.
IngressPolicy
SPEC
IngressPolicySpec defines the desired state of IngressPolicy
Classifier manages the configuration of traffic classification policies in a network. It includes various entry types like IPv4, IPv6, Dot1p, and DSCP policies. Each entry specifies how traffic should be classified and what actions should be taken on the matched packets.
Specifies the list of filter entries, in order. A classifier containing multiple entry types may result in multiple classifiers being created on the target node. IPV4 and IPV6 entries will create multifield classifier policies.
A Dot1p policy entry - only a single Dot1p entry is allowed per classifier resource.
In addition to creating a Dot1p PCP value to Forwarding Class mapping, this will map the PCP values directly to the PFC queue specified in the Forwarding Class to Queue mapping.
Assign matching packets to the specified drop probability level.
Reference to a ForwardingClass resource to which the value is mapped.
A DSCP policy entry - only a single DSCP entry is allowed per classifier resource.
Assign matching packets to the specified drop probability level.
Reference to a ForwardingClass resource to which the value is mapped.
An IPv4 or IPv6 multifield classifier entry.
An action to take on the matched packets.
Assign matching packets to the specified drop probability level.
Rewrite actions associated with packets that match the classifier entry.
Reference to a ForwardingClass resource to which the value is mapped.
Destination port to match by name.
Destination port to match by numerical value.
Operator to use when matching destinationPort, either Equals, GreaterOrEquals, or LessOrEquals.
Range of destination ports to match, in the format n-m, e.g. 100-200, The start and end of the range must be port numbers.
Destination prefix to match.
Match DSCP values.
Match the first fragment only.
Match any fragment.
Match a specific ICMP code, as a number between 0-255, e.g. 0.
Match a specific ICMP type by name, e.g. dest-unreachable.
Match a specific ICMP type by number.
Match a specific IP protocol name (specified in the type field of the IP header).
Match a specific IP protocol number (specified in the type field of the IP header).
Source port to match by name.
Source port to match by numerical value.
Operator to use when matching sourcePort, either Equals, GreaterOrEquals, or LessOrEquals.
Range of source ports to match, in the format n-m, e.g. 100-200. The start and end of the range must be port numbers.
Source prefix to match.
Match TCP flags, usable with !, &, | and the flags RST, SYN, and ACK.
Type of the entry which can be IPV4, IPV6, Dot1pPolicy, DSCPPolicy, or Auto.
Ordered list of policers where the first policer is evaluated first before proceeding to the next.
Maximum CIR bucket depth in bytes.
The committed information rate (CIR) of the policer, defined in kilobits (1024 bits) per second.
The committed information rate (CIR) of the policer, defined as a percentage of the Interface speed on which it is applied.
The list of forwarding classes with traffic to be sent to the policer. Unless specified all traffic is matched for this policer.
Maximum PIR bucket depth in bytes.
Minimum interface speed (kbps) to calculate PeakRate and CommittedRate for devices where configuration is not supported in percentage.
The peak information rate (PIR) of the policer, defined in kilobits (1024 bits) per second.
The peak information rate (PIR) of the policer, defined as a percentage of the Interface speed on which it is applied.
Queue management policy for egress queues.
Percentage of the linecard buffer reserved for accomodating incoming traffic while upstream node reacts to generated PFC-pause frames. Note: this percentage must be common across all EgressPolicies and QueuesSets used on the same linecard.
List of queues.
Committed Burst Size in bytes.
Maximum amount of shared buffer memory available to the queue in bytes.
PFC off threshold.
PFC on threshold.
PFC priorities indicated in generated pfc-pause-frame if congestion occurs in a given pfc-queue.
Reference to a Queue resource.
STATUS
IngressPolicyStatus defines the observed state of IngressPolicy
Priority-based Flow Control or PFC is a mechanism (IEEE 802.1Qbb) that enables a network element to signal to one of their neighbors to stop sending traffic for a particular priority. ↩