Monitoring QoS Traffic Class Drops

Terry Slattery
Principal Architect

This week I was part of a panel at the Satellite 2010 conference in Washington, DC.  Our panel was titled “Securing Your Network: Protecting your Operations, Content and Assets.”  Your first thought upon seeing the session title was probably “encryption.”  While encrypting the data being transmitted prevents eavesdropping, it doesn’t protect the satellite infrastructure.  A lot of satellite data is now IP-based packet data.  Routers and switches connect the endpoints to the satellite link.  The satellite modems themselves are often connected into the routing and switching infrastructure.  Everything is running IP.  Protecting bandwidth for mission-critical applications is as important as protecting customer data from eavesdropping.  That’s what my focus was: making sure that the infrastructure is handling data the way it should.

The first part of my presentation was about segregating user traffic – making sure that customer A’s data stream is not seen by customer B.  Either 802.1q VLANs at Layer 2 or MPLS at Layer 3 is often used to segregate user traffic.  This was about alternatives to encryption for protecting user data.

My other talking point was about network management, since you need to watch the network to make sure that it remains secure and that it is properly transporting customer data.  One of the major factors is  good QoS design and implementation.  One customer’s data, say internet radio or large file downloads, could adversely affect another customer’s critical data (e.g., voice).  Without an NMS providing visibility into the network’s operation, how would you know that the QoS implementation is working?  You could use the CLI to check, but I doubt that you would do it very often.

In the first figure below, a congested link (aren’t all satellite links congested?) is properly prioritizing the data.  The low priority packets are being dropped and fewer packets are being dropped in higher priority queues, with the high priority queue not dropping anything.  The high priority queue is typically the Express Forwarding (EF) queue, handling real-time traffic like VoIP.


In the next figure, the real-time traffic class is dropping packets too.  Perhaps the real-time queue was under-provisioned, or maybe the real-time traffic load increased beyond the original design parameters.  For example, you could have configured the link to handle four concurrent G.711 calls with policing enforced to reserve bandwidth for the data applications.  G.711 uses about 90K-100Kbps per call, or nearly 400Kbps of voice traffic for four concurrent calls.  If the number of calls increases, possibly due to additional staff at the site, the link is now under-provisioned and will start dropping packets.


Only by monitoring the individual traffic classes will you know what is happening and whether important network traffic is being dropped.  That would be important to you if the service level agreement contains penalties for poor performance of important applications.

Another thing to keep in mind is that you may need to periodically examine the high priority traffic to make sure that there isn’t any undesirable traffic running in the high priority queues.  I was working on a case last year in which voice traffic over a satellite link was being prioritized.  When we examined the traffic in detail, we found that a big chunk of it was voice that was running to/from a free IP voice site on the Internet.  The business-critical voice traffic was being overwhelmed by people who were running non-business-critical voice applications.  A simple ACL was all it took to classify the business-critical voice separately from the non-business-critical voice.

What are your high utilization links doing?



Re-posted with Permission 

NetCraftsmen would like to acknowledge Infoblox for their permission to re-post this article which originally appeared in the Applied Infrastructure blog under


Leave a Reply


Nick Kelly

Cybersecurity Engineer, Cisco

Nick has over 20 years of experience in Security Operations and Security Sales. He is an avid student of cybersecurity and regularly engages with the Infosec community at events like BSides, RVASec, Derbycon and more. The son of an FBI forensics director, Nick holds a B.S. in Criminal Justice and is one of Cisco’s Fire Jumper Elite members. When he’s not working, he writes cyberpunk and punches aliens on his Playstation.


Virgilio “BONG” dela Cruz Jr.

CCDP, CCNA V, CCNP, Cisco IPS Express Security for AM/EE
Field Solutions Architect, Tech Data

Virgilio “Bong” has sixteen years of professional experience in IT industry from academe, technical and customer support, pre-sales, post sales, project management, training and enablement. He has worked in Cisco Technical Assistance Center (TAC) as a member of the WAN and LAN Switching team. Bong now works for Tech Data as the Field Solutions Architect with a focus on Cisco Security and holds a few Cisco certifications including Fire Jumper Elite.


John Cavanaugh

CCIE #1066, CCDE #20070002, CCAr
Chief Technology Officer, Practice Lead Security Services, NetCraftsmen

John is our CTO and the practice lead for a talented team of consultants focused on designing and delivering scalable and secure infrastructure solutions to customers across multiple industry verticals and technologies. Previously he has held several positions including Executive Director/Chief Architect for Global Network Services at JPMorgan Chase. In that capacity, he led a team managing network architecture and services.  Prior to his role at JPMorgan Chase, John was a Distinguished Engineer at Cisco working across a number of verticals including Higher Education, Finance, Retail, Government, and Health Care.

He is an expert in working with groups to identify business needs, and align technology strategies to enable business strategies, building in agility and scalability to allow for future changes. John is experienced in the architecture and design of highly available, secure, network infrastructure and data centers, and has worked on projects worldwide. He has worked in both the business and regulatory environments for the design and deployment of complex IT infrastructures.