
3Com 4400 QOS Configuration:

By David Auclair (d.auclair@utoronto.ca), New College IT

Disclaimer

You will not hold the author of this document responsible if you break your network either as a direct or indirect result of following this guide.

Introduction

Please read the entire guide before starting!

With many newer switch models being layer-4, they gain the ability to understand IP and TCP/UDP. Depending on the particular vendor's implementation, the switch may also be able to prioritize or drop certain protocols based on their TCP or UDP port. These may be Quality of Service (QOS) oriented, or they may be Access Control List (ACL) oriented. In the 3Com 4400 series, the switch has the ability to prioritize or drop, as well as throttle based on TCP or UDP port (as defined in the QOS profile). It is important to note that the switch only has control of the traffic entering the port (from the PC).

Breakdown of components

There are five components that constitute the QOS profile: classifier, profile, serviceLevel, trafficQueue, trafficShape

classifier
  o The classifier is essentially a filter used to define a certain type of traffic. For example, you can create a classifier that applies to TCP port 135.

serviceLevel
  o The service levels define the importance of traffic. serviceLevel assigns packets to a trafficQueue with a priority ranging from zero through seven. There is also a special serviceLevel: Drop. Any traffic assigned the serviceLevel of 1 (Drop) will be dropped as it enters the port. Note that it can only apply QOS to traffic entering the port, not the traffic exiting the port.
  o You can define your own serviceLevels that include DSCP tags.

trafficQueue
  o This is not editable. Queue priorities range from low (zero) to high (seven). The priority queue is determined by the serviceLevel.

trafficShape
  o It's possible to create an Egress Rate limit with 1Mbps granularity. You can apply only one traffic shaper per profile. It seems that traffic in excess of the rate limit can be assigned to a different service level. The only way to achieve a hard-cutoff is to drop traffic in excess of the limit. Please note that dropping excess traffic will result in serious network performance issues due to high packet loss and retransmission.

profile
  o The profile is where it all comes together. A profile is a collection of classifiers with individual service levels, and optionally a traffic shaper. Each port has one and only one profile. If you've got different VLANs with different types of traffic, it is recommended to create one profile per VLAN and apply the profile to the same ports that the VLAN applies to. There is no way to have a profile automatically apply to an entire VLAN, but it may be possible to assign a profile to a 802.1x user class. Also note that profiles should not be applied to uplink or server ports (unless you are really, really sure about what you're doing).

Procedure

The Layer 4 features of the 3Com 4400 series are only accessible through the console interface (i.e., ssh/telnet). Once at the console enter the trafficManagement branch, then the qos branch.

1. The first step is to create your classifiers. Enter the classifier branch, and type create. It will ask for the following fields:
   Classifier number
   Classifier name
   Classifier type (ipAddr, ipProtocol, ipPort, dscp, etherType)
     o ipAddr options include: source, destination, either (it will accept subnets also)
     o ipProtocol as defined in http://www.iana.org/assignments/protocol-numbers
     o ipPort options include: tcp, udp, either, udpSrc, udpDest, tcpSrc, tcpDest
     o dscp can be used to classify based on QOS tags embedded within the packets
     o etherType as defined in http://www.iana.org/assignments/ethernet-numbers
   [As well as parameters specific to the classifier type]

   Examples of things you can classify include:
   DHCP Server Responses [ipPort, udpSrc(67)]
   Windows RPC [ipPort, tcp(135)]
   Windows CIFS [ipPort, tcp(445)]
   NetBIOS Name Service [ipPort, udp(137)]
   NetBIOS Datagram [ipPort, udp(138)]
   NetBIOS Session [ipPort, tcp(139)]

   Before proceeding to the next step, type summary, and take note of the classifier numbers.

2. The next step is to create a traffic profile. Exit the classifier branch (type quit), then enter the profile branch. Create a new profile. It will ask for the following fields:
   Profile Number (take note of the profile number)
   Profile Name

   Then add your classifiers to your profile. You will need to repeat the following for each classifier.
   Start by typing addClassifier. It will ask for the following fields:
   Profile number (enter the profile number you just created)
   Classifier number (enter one of the classifier numbers that you created)
   Service level (Enter 1 for Drop, 2 for Best Efforts, 3+ for critical services)

3. The last step is to add ports to your profile. Start by typing assign, it will ask the following:
   Ports (you can enter ranges, i.e. 1:1-48,2:1-48) (do NOT include your uplink or server ports!)
   Profile number (enter the profile number you just created)

Deployment

If you're deploying the same configuration to a large number of switches, you may want to make a script that you can cut & paste into your console. For instance, part of the initialization script we use is as follows:
trafficmanagement qos classifier create 101 DHCPS ipPort udpSrc 67
trafficmanagement qos classifier create 102 TCP135 ipPort tcp 135
trafficmanagement qos classifier create 103 TCP445 ipPort tcp 445
trafficmanagement qos classifier create 104 UDP137 ipPort udp 137
trafficmanagement qos classifier create 105 UDP138 ipPort udp 138
trafficmanagement qos classifier create 106 TCP139 ipPort tcp 139
trafficmanagement qos profile create 11 ResNet
trafficmanagement qos profile addClassifier 11 1 2
trafficmanagement qos profile addClassifier 11 101 1
trafficmanagement qos profile addClassifier 11 102 1
trafficmanagement qos profile addClassifier 11 103 1
trafficmanagement qos profile addClassifier 11 104 1
trafficmanagement qos profile addClassifier 11 105 1
trafficmanagement qos profile addClassifier 11 106 1

Once you've created your own script and cut & pasted it into the console, your QOS profile will be complete. Now you need to assign it to ports (yes, you can assign it to ports as part of the script, but typically the stack configuration changes from stack-to-stack). Again, do NOT assign your profile to the uplink or server port(s).

The above example will block rogue DHCP servers (while allowing your legitimate DHCP server, as long as you do NOT assign your profile to the uplink or server port(s)). It will also completely block Windows file sharing, which is the most common infection vector for worms.

Now that you understand QOS on the 3Com 4400, and understand what the above script does, feel free to modify it and use it for your own networks!
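An added example, not part of the original guide or the author's scripts: because the port layout changes from stack to stack, this Python generator rebuilds the ResNet script above for one stack and subtracts the uplink and server ports before emitting the assign line. The one-line "profile assign" form, the function names and the sample port layout are assumptions; confirm the assign syntax on your switch before pasting.

```python
import re

PREFIX = "trafficmanagement qos"
DROP, BEST_EFFORT = 1, 2          # service levels as given on the page
# (number, name, ipPort option, port) copied from the page's ResNet script
CLASSIFIERS = [(101, "DHCPS", "udpSrc", 67), (102, "TCP135", "tcp", 135),
               (103, "TCP445", "tcp", 445), (104, "UDP137", "udp", 137),
               (105, "UDP138", "udp", 138), (106, "TCP139", "tcp", 139)]

def expand(spec):
    """'1:1-3,2:5' -> {(1, 1), (1, 2), (1, 3), (2, 5)} as (unit, port)."""
    ports = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        m = re.fullmatch(r"(\d+):(\d+)(?:-(\d+))?", part)
        if not m:
            raise ValueError(f"bad port spec: {part!r}")
        unit, lo, hi = int(m[1]), int(m[2]), int(m[3] or m[2])
        ports.update((unit, p) for p in range(lo, hi + 1))
    return ports

def compress(ports):
    """Inverse of expand(): merge consecutive ports back into ranges."""
    runs = []
    for unit, port in sorted(ports):
        if runs and runs[-1][0] == unit and runs[-1][2] + 1 == port:
            runs[-1][2] = port
        else:
            runs.append([unit, port, port])
    return ",".join(f"{u}:{a}" if a == b else f"{u}:{a}-{b}"
                    for u, a, b in runs)

def build_script(profile_no, name, stack_ports, protected_ports):
    """Paste script for one stack; uplink/server ports never get the profile."""
    safe = expand(stack_ports) - expand(protected_ports)
    if not safe:
        raise ValueError("no access ports left after excluding protected ports")
    lines = [f"{PREFIX} classifier create {n} {cname} ipPort {opt} {port}"
             for n, cname, opt, port in CLASSIFIERS]
    lines.append(f"{PREFIX} profile create {profile_no} {name}")
    # classifier 1 is referenced, not created, by the page's script
    lines.append(f"{PREFIX} profile addClassifier {profile_no} 1 {BEST_EFFORT}")
    lines += [f"{PREFIX} profile addClassifier {profile_no} {n} {DROP}"
              for n, *_ in CLASSIFIERS]
    # ASSUMPTION: one-line form of the interactive 'assign' prompt
    lines.append(f"{PREFIX} profile assign {compress(safe)} {profile_no}")
    return lines

if __name__ == "__main__":
    # Constructed stack: two 48-port units, uplink on 1:48, servers on 2:47-48
    print("\n".join(build_script(11, "ResNet", "1:1-48,2:1-48", "1:48,2:47-48")))
```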
