The switch has functions you can use to provide appropriate QoS levels to traffic for each customer, application, or packet. These functions include port-based shapers, DiffServ access or core port settings, and ingress port-rate limiting or policing. The switch also provides access control list (ACL)-based filters. You do not need to use filters to provide QoS; however, filters aid in prioritizing customer traffic. Filters also provide protection by blocking unwanted traffic.
Port rate limiting or policing apply at ingress; shapers apply at egress. ACL-based filters apply at ingress and egress.
The switch supports two ingress filter groups, where each type can hold both Security and QoS actions in both Primary Bank and Secondary Bank ranges.
Filters help you provide QoS by permitting or dropping traffic based on the parameters you configure. You can use filters to mark packets for specific treatment.
Typically, filters act as firewalls or are used for Layer 3 redirection. In more advanced cases, traffic filters can identify Layer 3 and Layer 4 traffic streams. The filters cause the streams to be re-marked and classified to attain a specific QoS level at both Layer 2 (802.1p) and Layer 3 (DSCP).
Traffic filtering is a key QoS feature. The switch, by default, determines incoming packet 802.1p or DiffServ markings, and forwards traffic based on their assigned QoS levels. However, situations exist where the markings are incorrect, or the originating user application does not have 802.1p or DiffServ marking capabilities. Also, you can give a higher priority to select users (executive class). In these situations, use filters to prioritize specific traffic streams.
You can use filters to assign QoS levels to devices and applications. To help you decide whether to use a filter, key questions include:
Does the user or application have the ability to mark QoS information on data packets?
Is the traffic source trusted? Are the QoS levels configured appropriately for each data source?
Users can maliciously configure QoS levels on their devices to take advantage of higher priority levels.
Do you want to prioritize traffic streams?
This decision-making process is outlined in the following figure.
Configure filters through the use of Access Control Lists (ACL) and Access Control Entries (ACE), which are implemented in hardware. An ACL can include both security and QoS type ACEs.
The following steps summarize the filter configuration process:
Determine your desired match fields.
Create an ACL.
Create an ACE within the ACL.
Configure the desired precedence, traffic type, and action.
You determine the traffic type by creating an ingress or egress ACL.
Modify the parameters for the ACE.