ARST-RT-000310 - The PE router must be configured to enforce a Quality-of-Service (QoS) policy in accordance with the QoS DODIN Technical Profile.

Information

Different applications have unique requirements and toleration levels for delay, jitter, bandwidth, packet loss, and availability. To manage the multitude of applications and services, a network requires a QoS framework to differentiate traffic and provide a method to manage network congestion. The Differentiated Services Model (DiffServ) is based on per-hop behavior by categorizing traffic into different classes and enabling each node to enforce a forwarding treatment to each packet as dictated by a policy.

Packet markings such as IP Precedence and its successor, Differentiated Services Code Points (DSCP), were defined along with specific per-hop behaviors for key traffic types to enable a scalable QoS solution. DiffServ QoS categorizes network traffic, prioritizes it according to its relative importance, and provides priority treatment based on the classification. It is imperative that end-to-end QoS is implemented within the IP core network to provide preferred treatment for mission-critical applications.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Step 1: Configure the Arista router class-maps to match on DSCP Quality of Service values, sorting traffic into four traffic classes: Class 0 (0-7, 16-38, 40-44, 46-48, 50-63), Class 1 (11), Class 2 (39), and Class 3 (15, 49).

router(config)#qos map
qos map dscp 0 1 2 3 4 5 6 7 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 40 41 42 43 44 46 47 48 50 51 52 53 54 55 56 57 58 59 60 61 62 63 to traffic-class 0
qos map dscp 11 to traffic-class 1
qos map dscp 39 to traffic-class 2
qos map dscp 15 49 to traffic-class 3
!

Step 2: Configure the Arista router bandwidth and shape rates based on four queues defined by DSCP and the defined class-maps in accordance with the QoS GIG Technical Profile.

router(config)#interface Port-Channel33
router(config-if-po33)#description PO33->Distro1-QFX5200-32C-100G
switchport trunk allowed vlan 2100-2102,4033
switchport mode trunk
switchport trunk group 4033
qos trust dscp
!
tx-queue 0
bandwidth percent 20
!
tx-queue 1
bandwidth percent 40
shape rate 40088888
!
tx-queue 2
bandwidth percent 15
shape rate 15022222
!
tx-queue 3
bandwidth percent 25
shape rate 25250000
!

Step 3: Configure queues 0 through 3 on the Arista router interface (Port-Channel33) as round robin, with voice as strict priority, and then allocate bandwidth for the four queues: queue (0) 19.6%, queue (1) 39.6%, queue (2) 14.9%, and queue (3) 24.9%, allowing for control-plane and protocol management traffic. These configurations allow burst traffic levels and set shape rates for the maximum outbound traffic bandwidth per queue.

router#sh qos int po33
Port-Channel33:
Trust Mode: DSCP
Default COS: 0
Default DSCP: 0
Port shaping rate: enabled
Tx      Bandwidth   Bandwidth            Shape Rate     Priority   ECN/WRED
Queue   (percent)   Guaranteed (units)   (units)
----------------------------------------------------------------------------------------
7       -           - ( - )              - ( - )        SP         D
6       -           - ( - )              - ( - )        SP         D
5       -           - ( - )              - ( - )        SP         D
4       -           - ( - )              - ( - )        SP         D
3       25          - ( - )              24.9 (Gbps)    SP         D
2       15          - ( - )              14.9 (Gbps)    RR         D
1       40          - ( - )              39.6 (Gbps)    RR         D
0       20          - ( - )              - ( - )        RR         D

Legend:
RR -> Round Robin
SP -> Strict Priority
- -> Not Applicable / Not Configured
% -> Percentage of reference
ECN/WRED: L -> Queue Length ECN Enabled W -> WRED Enabled D -> Disabled
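
Since this check is reviewed manually, the DSCP map from Step 1 and the bandwidth percentages from Step 2 can be compared against a saved configuration with a short script. This is an added example, not part of the STIG or the plugin; `audit_qos`, its regular expressions and the sample configuration are constructed for illustration. It assumes every required DSCP value appears on an explicit `qos map dscp` line and does not resolve platform default mappings.

```python
import re

def _span(*ranges):
    """Expand inclusive (low, high) pairs into a set of DSCP values."""
    return {d for lo, hi in ranges for d in range(lo, hi + 1)}

# Expected values copied from Steps 1 and 2 of this page.
EXPECTED_CLASSES = {
    0: _span((0, 7), (16, 38), (40, 44), (46, 48), (50, 63)),
    1: {11}, 2: {39}, 3: {15, 49},
}
EXPECTED_BANDWIDTH = {0: 20, 1: 40, 2: 15, 3: 25}

MAP_RE = re.compile(r"^\s*qos map dscp ([\d ]+) to traffic-class (\d+)\s*$", re.M)
QUEUE_RE = re.compile(r"^\s*tx-queue (\d+)\s*\n\s*bandwidth percent (\d+)", re.M)

def audit_qos(config):
    """Return findings for a config excerpt; an empty list means it matches."""
    findings, mapped = [], {}
    for dscps, tc in MAP_RE.findall(config):
        for d in dscps.split():
            mapped[int(d)] = int(tc)  # a later line overrides an earlier one
    # DSCP values the page assigns to no class (8-10, 12-14, 45) are not checked.
    for tc, dscps in EXPECTED_CLASSES.items():
        for d in sorted(dscps):
            if mapped.get(d) != tc:
                found = mapped.get(d, "no explicit map line")
                findings.append(f"dscp {d}: expected traffic-class {tc}, found {found}")
    queues = {int(q): int(p) for q, p in QUEUE_RE.findall(config)}
    for q, pct in EXPECTED_BANDWIDTH.items():
        if queues.get(q) != pct:
            findings.append(
                f"tx-queue {q}: expected bandwidth percent {pct}, found {queues.get(q)}")
    return findings

# Constructed sample: the map and tx-queue lines shown in Steps 1 and 2.
CLASS0 = " ".join(str(d) for d in sorted(EXPECTED_CLASSES[0]))
SAMPLE_CONFIG = "\n".join([
    f"qos map dscp {CLASS0} to traffic-class 0",
    "qos map dscp 11 to traffic-class 1", "qos map dscp 39 to traffic-class 2",
    "qos map dscp 15 49 to traffic-class 3", "!", "interface Port-Channel33",
    "qos trust dscp", "!", "tx-queue 0", "bandwidth percent 20", "!",
    "tx-queue 1", "bandwidth percent 40", "shape rate 40088888", "!",
    "tx-queue 2", "bandwidth percent 15", "shape rate 15022222", "!",
    "tx-queue 3", "bandwidth percent 25", "shape rate 25250000", "!",
])

if __name__ == "__main__":
    for line in audit_qos(SAMPLE_CONFIG) or ["matches the values on this page"]:
        print(line)
```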

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Arista_MLS_EOS_4-2x_Y24M07_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-5(2), CAT|III, CCI|CCI-001095, Rule-ID|SV-256013r882381_rule, STIG-ID|ARST-RT-000310, Vuln-ID|V-256013

Plugin: Arista

Control ID: 9795e0d528679d420fe4f967e20afd4e2074fd7322a6a46d9158ffe50ef126e2