CISCO-CATOS-ACL-QOS-MIB
This MIB module is for Access Control List (ACL) configuration of Quality of Service (QoS) as well as the Security feature on the Cisco Catalyst 5000/6000 series switches running CatOS. It also provides QoS configuration and statistics information. Configuration information available through this MIB includes Security and QoS ACL configuration for IP, IPX and Layer 2 traffic, and QoS and Security configuration parameters. Statistics available through this MIB include QoS statistics for Layer 3 traffic. In addition, detailed, flow-specific statistics are also available.

This MIB module is applied in conjunction with CISCO-QOS-POLICY-CONFIG-MIB. The configuration information available through this MIB takes effect throughout the device when the value of the qosPrOperPolicySource object in CISCO-QOS-POLICY-CONFIG-MIB is 'local', or applies to a specific interface when the value of the qosPrIfOperPolicySource object in CISCO-QOS-POLICY-CONFIG-MIB associated with that interface is 'local' while the value of qosPrOperPolicySource is not 'local'.

The following terms are used throughout this MIB:

ACE stands for Access Control Entry. An ACL consists of an ordered set of ACEs. An ACE is a filter which is used to identify flows with certain characteristics. It includes fields such as ingress/egress ports, L2 (layer 2) addresses, L3 (layer 3) addresses, TCP/UDP port numbers, etc. QoS ACEs and Security ACEs are very similar to each other, but the actions of the ACEs are different. Security ACEs are compared to each packet, and each ACE specifies whether packets that match it are forwarded or dropped.

ESP: Encapsulating Security Payload.

QoS is the method which attempts to ensure that the network requirements of different applications can be met by giving preferential forwarding treatment to some traffic. It usually consists of these steps: classification, policing, output scheduling, marking and shaping. Classification identifies the traffic. Policing checks whether the traffic conforms to specified criteria. Output scheduling, marking and shaping control how the traffic is transmitted to the next hop.

A flow is a non-specific term for a microflow or an aggregate flow. A microflow is a single instance of an application-to-application flow of packets which is identified by source address, source port, destination address, destination port and protocol id. An aggregate flow is a collection of microflows that are treated together as one for the purpose of QoS.

DSCP (Differentiated Services Code Point) is the six most significant bits of the ToS field in an IP packet header.

DSCP Mutation: the previous hop(s) and the following hop(s) of a device may reside in a different QoS domain. A QoS domain refers to the set of QoS rules and conventions adopted by an administrative entity. For instance, a set of DSCP values may have a different meaning in different domains. DSCP mutation allows a DSCP set to be mutated or transformed in order to maintain semantic compatibility between adjacent domains. The mutation is done via mapping tables which map the old DSCP value from one domain to a new DSCP value in the other domain.

IP precedence is the three most significant bits of the ToS field in an IP packet header.

Cos (Class of Service) is the three bits in the layer 2 header that indicate the user priority value assigned to this packet.

Trust state is a parameter configured at a physical interface or an ACL to determine the DSCP value assigned to a packet for QoS purposes.

An in-profile packet is a packet that does not cause the committed access rate of the packet's flow to be exceeded. An out-of-profile packet is a packet that causes the committed access rate of the packet's flow to be exceeded.

To accomplish classification, the user defines an ACL describing the specification of a traffic flow, then attaches this ACL to a physical interface or a vlan. When a packet arrives at an interface, depending on the configured trust state at that interface, it is either matched against an ACL if the trust state is not trusted, or gets a DSCP assigned and goes directly to output scheduling. In the former case, when the packet matches an ACE in the attached ACL, the next step is policing. At the end of the classification process, a packet has a DSCP value assigned. On some platforms (e.g. Catalyst 4000) that do not support ACL configuration, classification is accomplished by matching the Cos value of the incoming packet.

A packet can be policed at the microflow or aggregate flow level. Policing is done using the token bucket algorithm. At the end of the policing process, if the packet does not cause the flow to exceed the normal rate, it continues to the next step. Otherwise, the packet is dropped or assigned a 'policed' DSCP value. Some platforms support multi-rate policing. When a packet causes the flow to exceed the normal rate but not the excess rate, it is assigned a 'policed' DSCP value. When a packet causes the flow to exceed the excess rate, it is either dropped or has a 'policed' DSCP value assigned.

After the policing process, the next step is output scheduling. Output scheduling is the process of assigning a packet to a queue and a threshold according to the packet's Cos value. To get its Cos value, a DSCP-to-Cos mapping is performed.

This MIB also defines 'Security ACLs', which some devices support as a means to enforce security. Security ACLs, attached at an ingress interface, are compared to each packet arriving at that interface. If the packet matches an ACE in the ACLs, it is either permitted to go through the device, blocked and dropped, or redirected to another interface.
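The classification, policing and output-scheduling pipeline described above, as an added Python example that is not part of the MIB text and not code from any Cisco product. The ACE fields, the trust states, the rates, the policed-DSCP, DSCP-to-Cos, Cos-to-queue and DSCP-mutation tables are all constructed sample values, and the two-token-bucket model of normal and excess rate is an assumption made for illustration (the MIB text only says that token buckets are used).

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: int      # IP protocol number: 6 = TCP, 17 = UDP
    sport: int
    dport: int
    tos: int        # IPv4 ToS byte as received
    length: int     # bytes, charged against the policer

    @property
    def dscp(self) -> int:
        return self.tos >> 2        # six most significant bits of ToS

    @property
    def ip_precedence(self) -> int:
        return self.tos >> 5        # three most significant bits of ToS


class DualRatePolicer:
    """Assumed model of multi-rate policing: one token bucket refilled at
    the normal rate and one at the excess rate (bytes/second), each holding
    at most `burst` bytes. A packet is in-profile if both buckets cover it,
    'exceed' if only the excess bucket does, 'violate' otherwise."""

    def __init__(self, normal_rate, excess_rate, burst, violate_action="drop"):
        self.normal_rate, self.excess_rate, self.burst = normal_rate, excess_rate, burst
        self.normal_tokens = self.excess_tokens = float(burst)
        self.violate_action = violate_action   # "drop" or "mark"
        self.last = 0.0

    def police(self, pkt, now):
        elapsed = now - self.last
        self.last = now
        self.normal_tokens = min(self.burst, self.normal_tokens + elapsed * self.normal_rate)
        self.excess_tokens = min(self.burst, self.excess_tokens + elapsed * self.excess_rate)
        if self.excess_tokens < pkt.length:
            return "violate"                     # flow exceeds the excess rate
        if self.normal_tokens < pkt.length:
            self.excess_tokens -= pkt.length
            return "exceed"                      # above normal rate, within excess rate
        self.normal_tokens -= pkt.length
        self.excess_tokens -= pkt.length
        return "in-profile"


@dataclass
class Ace:
    """QoS ACE: match fields (None = wildcard) plus the DSCP to assign
    and an optional policer. Field choice is a constructed subset."""
    dscp: int
    proto: Optional[int] = None
    dport: Optional[int] = None
    policer: Optional[DualRatePolicer] = None

    def matches(self, pkt):
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


# Constructed mapping tables (not any device's defaults)
POLICED_DSCP = {46: 8, 26: 8}                  # DSCP -> 'policed' DSCP
DSCP_TO_COS = lambda dscp: dscp >> 3           # DSCP -> Cos 0..7
COS_TO_QUEUE = {0: "q1", 1: "q1", 2: "q2", 3: "q2", 4: "q3", 5: "q3", 6: "q4", 7: "q4"}


def process(pkt, acl, trust_state, now=0.0, mutation=None):
    """Classify, police and schedule one packet arriving at an interface.

    trust_state 'trust-dscp': keep the received DSCP (optionally mutated via
    the `mutation` table) and go straight to output scheduling.
    Any other trust state: match the ACL in order; the first matching ACE
    assigns the DSCP and, if it has a policer, the packet is policed."""
    if trust_state == "trust-dscp":
        dscp = (mutation or {}).get(pkt.dscp, pkt.dscp)
    else:
        ace = next((a for a in acl if a.matches(pkt)), None)
        if ace is None:
            dscp = 0                             # no ACE matched
        else:
            dscp = ace.dscp
            if ace.policer is not None:
                verdict = ace.policer.police(pkt, now)
                if verdict == "exceed":
                    dscp = POLICED_DSCP.get(dscp, 0)
                elif verdict == "violate":
                    if ace.policer.violate_action == "drop":
                        return {"action": "drop", "dscp": dscp}
                    dscp = POLICED_DSCP.get(dscp, 0)
    cos = DSCP_TO_COS(dscp)                      # DSCP-to-Cos mapping for scheduling
    return {"action": "forward", "dscp": dscp, "cos": cos, "queue": COS_TO_QUEUE[cos]}


if __name__ == "__main__":
    voice = Ace(dscp=46, proto=17, dport=5060, policer=DualRatePolicer(1000, 5000, 1500))
    acl = [voice, Ace(dscp=0)]                   # final ACE matches everything
    pkt = Packet("10.0.0.1", "10.0.0.2", 17, 40000, 5060, tos=0, length=1000)
    for t in (0.0, 0.5, 0.7, 0.7):               # burst of 1000-byte packets
        print(t, process(pkt, acl, "untrusted", now=t))
```

Running the block sends four 1000-byte packets through the voice ACE: the first two are in-profile (DSCP 46, Cos 5, queue q3), the third exceeds the normal rate and is marked down to the policed DSCP 8 (Cos 1, queue q1), and the fourth exceeds the excess rate and is dropped. On a trusted interface the ACL is skipped and the received DSCP (or its mutated value) is used directly.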