HP Switch (ProVision) QoS Guide

Coming from a Cisco QoS background, I wanted to get a good grasp on HP QoS with the ProVision switches, but there isn’t much information out there (besides the Advanced Traffic Management Guide by HP).  This post should should consolidate some of that information, and is based on the the Advanced Traffic Management Guide, various vendor HP interopability guides, and talks with some of the guys over at HP Networking.

HP QoS Basics:

The 4 components of HP ProVision QoS are:

  1. Enable QoS
  2. Decide how many traffic queues you need
  3. Assign guaranteed minimum bandwidth (GMB)/traffic servicing per queue
  4. Classify traffic and assign to 802.1p priority

These four steps can be achieved with a single command (almost like an Auto QoS). This command enables QoS, the 8 queue model, GMB, and DSCP-to-802.1p mappings of the primary DSCP values.

HP(config)# qos type-of-service diff-services

Now that QoS has been enabled, we can look at how HP maps 802.1p priorities to each queue:

HP# show qos queue-config
Egress Queue Configuration

Queue      802.1p Priority
——-          ————
1                1
2                2
3                0
4                3
5                4
6                5
7                6
8                7

As you can see, traffic goes into queue 3 by default (802.1p – 0), background or scavenger traffic would be assigned to 802.1 priority 1 or 2, and more important traffic assigned to priorities 3-7.  Now that we know where the traffic is going, let’s look at the bandwidth assigned to each queue:

HP# show bandwidth output 1

Outbound Guaranteed Minimum Bandwidth %
Port   Q1   Q2   Q3  Q4   Q5   Q6   Q7   Q8
——   —    —    —    —    —    —    —    —
1         2      3     30   10   10   10    15   20

Traffic with priority 1 or 2 gets the least amount of guaranteed bandwidth at 2% and 3%.  Default traffic is guaranteed 30%, and we see that the upper queue’s (7 and 8) get 15% and 20% respectively.  Note that this is just guaranteed minimum bandwidth (GMB), not shaping or policing.  If the other queues are not full, traffic can burst above their guaranteed rate.  If the default values do not fit your network needs, the values can be changed on a port-by-port basis:

HP(config)# interface 1 bandwidth-min output 1 1 10 1 5 1 1 80

HP# show bandwidth output 1

Outbound Guaranteed Minimum Bandwidth %
Port   Q1   Q2   Q3  Q4   Q5   Q6   Q7   Q8
——   —    —    —    —    —    —    —    —
1         1     1     10     1      5      1     1      80

HP also does time-slicing per queue, depending on the assigned GMB.  For example, by default, traffic in queue 3 (GMB=30%) will be serviced at 30% of the time window before servicing the next queues packets.  With the modified GMB properties directly above, queue 8 would be serviced at 80% of the time before moving to the next queues.

There are also memory buffers assigned to each queue, but those are platform dependent and not publicly available (they are also not configurable).

Finally, we can view the default DSCP-to-802.1p Priority mappings:

HP# show qos dscp-map
DSCP -> 802.p priority mappings
NOTE: ‘qos type-of-service diff-services’ must be configured before DSCP is honored on inbound traffic.

DSCP CodePoint    DSCP Value    802.1p tag      DSCP Policy name
————————    —————–    ————–       ——————————–
000000                      0                         0                       cs0
000001                      1                         No-override
000010                      2                         No-override
000011                      3                         No-override
000100                      4                         No-override
000101                      5                         No-override
000110                      6                         No-override
000111                      7                         No-override
001000                      8                         1                        cs1
001001                      9                         No-override
001010                      10                       1                        af11
001011                      11                       No-override
001100                      12                       1                        af12
001101                      13                       No-override
001110                      14                       2                        af13
001111                      15                       No-override
010000                      16                       2                        cs2
010001                      17                       No-override
010010                      18                       0                        af21
010011                      19                       No-override
010100                      20                       0                        af22
010101                      21                       No-override
010110                      22                       3                        af23
010111                      23                       No-override
011000                      24                       3                        cs3
011001                      25                       No-override
011010                      26                       4                        af31
011011                      27                       No-override
011100                      28                       4                        af32
011101                      29                       No-override
011110                      30                       5                        af33
011111                      31                       No-override
100000                      32                       4                        cs4
100001                      33                       No-override
100010                      34                       6                        af41
100011                      35                       No-override
100100                      36                       6                        af42
100101                      37                       No-override
100110                      38                       7                        af43
100111                      39                       No-override
101000                      40                       5                        cs5
101001                      41                       No-override
101010                      42                       No-override
101011                      43                       No-override
101100                      44                       No-override
101101                      45                       No-override
101110                      46                       7                        ef
101111                      47                       No-override
110000                      48                       6                        cs6
110001                      49                       No-override
110010                      50                       No-override
110011                      51                       No-override
110100                      52                       No-override
110101                      53                       No-override
110110                      54                       No-override
110111                      55                       No-override
111000                      56                       7                        cs7
111001                      57                       No-override
111010                      58                       No-override
111011                      59                       No-override
111100                      60                       No-override
111101                      61                       No-override
111110                      62                       No-override
111111                      63                       No-override

As you can see, by default, EF traffic is assigned a priority of 7, placed in queue 8, and therefore given a GMB of 20%.

If your traffic comes into the switch with DSCP values, then verify the default DSCP-to-priority mapping meets your application’s needs.  If not, you can assign the DSCP value to a different priority with the following command:

HP(config)# qos dscp-map af31 priority 5

If your application traffic does not come into the switch with a DSCP value, then you will need to classify the traffic and assign it a priority.  This can be done based off MAC address, IP address, VLAN ID, L3 Protocol, and L4 ports.  I’m not going to go through how to classify traffic with an access-list in this post, maybe in the future!

Here are a couple other interesting facts/suggestions related to ProVision QoS:

Only Egress queuing can be enabled.  There is no ingress queuing.  Egress queuing is most important, and even according to Cisco’s Medianet QoS 4.0 document, ingress queuing is not a requirement in an QoS implementation.

If you do not need to classify traffic into 8 queues, using the 4 queue model will increase the memory buffer available to each queue.  By default, the 4 queue model also has a higher GMB for EF traffic, which means EF traffic is serviced more frequently.

There is not a “strict priority queue” (like Cisco’s “Priority Queue Out”).  If you purely want a “strict priority queue” and do not care about other traffic, you can change the GMB and assign 100% of the bandwidth to the highest queue.

Daniel, I just need to implement QoS for ShoreTel VoIP and I don’t care about all this other stuff, what do I need to do? Just use the switch command “qos type-of-service diff-services” and you are set!  ShoreTel classifies voice traffic as EF and call control as AF31.  If you want to guarantee more bandwidth to ShoreTel, then I would also use the 4 queue model.

Supported Switches:  This guide is based off the HP 2920, 3800, 5400, and 8200 series of switches.

Advertisements

Cisco CBAC Firewall – FW-4-ALERT_ON: getting aggressive

Had an issue recently were the CBAC firewall on a Cisco 1811 was slowing down/blocking internet traffic.  My inspect policy was doing basic inspection (tcp, icmp – not http,https). The log showed: %FW-4-ALERT_ON: getting aggressive, cound (501/500) current 1-min rate: 216.

Cisco explains this as the “router becomes aggressive when it has more half-open sessions than allowed.”  They recommend increasing the “ip inspect max-incomplete high 1000” and “ip inspect max-incomplete low 800”, linked here.

Unfortunately this did not resolve my problem, and I used “ip inspect one-minute high 2000” and “ip inspect one-minute low 1800” which brought everything back to normal.  If you want to increase all session thresholds in the hope of fixing your issue, here they are:

ip inspect max-incomplete high 5000
ip inspect max-incomplete low 4800
ip inspect one-minute high 5000
ip inspect one-minute low 4800
ip inspect udp idle-time 60
ip inspect tcp idle-time 43200
ip inspect tcp synwait-time 60
ip inspect tcp max-incomplete host 200 block-time 0

To get logging details, you can use “ip inspect audit-trail”