Policy on Aaron's Worthless Words

Stubby Post - Set DF to 0 with a Route-map

Fri, 20 Aug 2010 00:00:00 +0000

We ran into an issue the other day where an application was setting the DF bit in IP packets to 1. We thought it may be causing problems, so we looked at setting up a route-map to set the DF bit to 0. It turned out to be a different application problem, but it was a good exercise in looking at what you can do with route-maps and policies.

I set up a lab in GNS3 to replicate and do some captures. It’s a really simple setup. R1 connected to R2 connected to R3.

ROUTE Notes - PBR and IP SLA

Thu, 24 Jun 2010 00:00:00 +0000

Feel free to correct.

Study Questions

What’s the most primitive way to get traffic destined to a single host to use a different path than your dynamic IGP dictates?

Use a static route.

What’s the most primitive way to get traffic sourced from a single host to use a different path than your dynamic IGP dictates?

Use policy-based routing (PBR).

What’s the most primitive way to get traffic sourced from a single host and destined for another host to use a different path than your dynamic IGP dictates?

Use PBR.

Stubby Post - Time-based ACLs and Policy-maps

Wed, 28 Apr 2010 00:00:00 +0000

Certain divisions of the company tend to shoot themselves in the foot by kicking off large file transfers during business hours, so I had a thought that maybe we could use time-based ACLs to do some QoSing for those guys. I fired up GNS3 with a 3600 running 12.4(25b) with some virtual PCs on it’s Ethernet interfaces.

time-range BUSINESSHOURS
 periodic daily 8:00 to 17:00
!
ip access-list extended PINGS
 permit icmp any any time-range BUSINESSHOURS
!
class-map match-all PINGS
 match access-group name PINGS
!
policy-map PM-F0/0-OUT
 class PINGS

First, I set the router’s time to outside of the time range and sent some pings over.

NBAR and HTTP Data Conversations

Mon, 08 Mar 2010 00:00:00 +0000

I’m still working on the ONT test and doing labs, so I marked up a lab for me to work. I’m using the same setup as I did last time. The two routers are 3640s running 12.4(25b).

Part of the lab was to identify HTTP traffic coming into F0/0 and mark it as CS3. That’s pretty easy, right? Of course, the lab I made up was a little more complicated, but the point comes clear with a simpler example.

QoS Pre-classify and Class-map Order

Sat, 06 Mar 2010 00:00:00 +0000

I’m still studying for the ONT test, so I did some labs tonight. One of them was to demonstrate the qos pre-classify command for tunnel interfaces. When you have a packet sent over a GRE tunnel, the ToS field gets copied to the GRE packet, but there’s no way to see the original packet’s higher-level headers on the way out the interface. This can be a problem if your service policy needs to see protocol, port, IPs, etc. The fix for that is to enable qos pre-classify on the tunnel interface and cyrpto map; doing so will provide a copy of the original packet to the physical interface to classify the packet thoroughly.

ONT Notes - AutoQoS

Wed, 10 Feb 2010 00:00:00 +0000

AutoQoS benefits
- Automates QoS for most deployments
- Protects business-critical apps to maximize availability
- Simplifies QoS deployments
- Reduces configuration errors
- Cheaper, faster, and simpler deployments
- Follows DiffServ
- Allows complete control over QoS configs
- Allows modification of auto-generated configs
AutoQoS phases of evolution
- AutoQoS VOIP - Early version that configures the basics without discovery
- AutoQoS for Enterprise - Second version that only runs on routers and uses two-step process
  - Autodiscovery using NBAR
  - Generation of class maps
AutoQoS key elements
- Application classification
- Policy generation
- Configuration
- Monitoring and reporting
- Consistency
Interfaces that you can configure AutoQoS on
- Serial ifs with PPP and HDLC
- FR point-to-point subifs (NOT multipoint)
- ATM point-to-point subifs
- FR-to-ATM links
Prerequsites
- No Qos policy already configured on if
- CEF enabled on if
- Correct bandwidth configured on if
- IP address on low-speed if
Configuring AutoQoS Enterprise on a router (NOT a switch)
- auto qos discovery - begins discovery process
- auto qos - generates and applies MQC-based policies
Configuring AutoQoS VOIP
- auto qos voip [ trust | cisco-phone ]
Verifying AutoQoS on router
- show auto discovery qos - get autodiscovery results
- show auto qos - examine configuration generated
  - Number of classes
  - Classification options
  - Marking options
  - Queuing mechanisms
  - Other QoS mechanisms
  - If, subif, PVC where policy is applied
- show policy-map interface - look at if stats
Verify AutoQoS VOIP
- show auto qos
- show policy-map interface
- show mls qos maps - shows CoS to DSCP mappings
Possible issues with AutoQoS
- Too many traffic classes - manually consolidate some
- Configuration doesn’t change - rerun AutoQoS
- Configuration may not fit your situation - fine-tune it by hand
Fine-tuning AutoQoS
- Use QPM
- CLI
- copy policy into editor, change, reapply
AutoQoS can match on characteristics besides ACLs and NBAR
- match input interface
- match cos
- match ip precedence
- match ip dscp
- match ip rtp

ONT Notes - Pre-classify and End-to-end QoS

Thu, 04 Feb 2010 00:00:00 +0000

VPNs (Didn’t ISCW cover this?)
- Provide
  - Confidentiality
  - Integrity
  - Authentication
- Types
  - Remote-access
    - Client-initiated
    - NAS-initiated
  - Site-to-site
    - LAN-to-LAN
    - Extranet
L3 Tunneling protocols
- GRE
- IPSec
Pre-classify allows traffic to be classified before being sent across a tunnel or crypto-ed.
- qos pre-classify
- Provides a view into the original IP headers
- To classify on pre-tunnel header, apply the policy to the tunnel interface WITHOUT pre-classify.
- To classify on post-tunnel header, apply the policy to the physical interface WITHOUT pre-classify.
- To classify on pre-tunnel header, apply the policy to the physical interface WITH pre-classify.
SLA - agreement with provider to guarantee QoS mechanisms across their network based on your markings.
- Assures availability, loss, throughput, delay, and jitter.
End-to-end QoS
- To be effective, each hop in the path must have QoS configured similarly.
- Necessary in three locations
  - Campus - within the customer network
  - The edges - customer facing the provider, provider facing customer
  - On the provider network
QoS tasks
- Campus access switches
  - Speed/duplex settings
  - Classification
  - Trust
  - Phone/access switch configs
  - Multiple queues on switch ports, including priority for VOIP
- Campus distribution
  - L3 policing and marking
  - Multiple queues on switch ports, including priority for VOIP
  - WRED
- WAN edge
  - SLA definitions
  - LLQ
  - LFI
  - WRED
  - Shaping
- Provider cloud
  - Capacity planning
  - PHB
  - LLQ
  - WRED
Enterprise campus QoS implementation
- Implement multiple queues to avoid congestion
- Assign VOIP and video to highest priority queue
- Esablish trust boundaries
- Use policing to rate-limit excess traffic
- Use hardware QoS when possible
Control Plane Policing (CoPP)
- Applies QoS policy to traffic destined for the router
  - Routing protocols
  - Management protocols
- Can be used to avoid DOS attacks
- Applied to control-plane in global config

ONT Notes - Congestion Avoidance, Policing, Shaping, and Link Efficiency

Wed, 03 Feb 2010 00:00:00 +0000

Tail drop drawbacks
- TCP synchronization - Dropping TCP packets from different flows can cause them all to window down and back up again at the same time in cycles.
- TCP starvation - Non-TCP or aggressive flows can starve everyone else out when TCP throttles back.
- No differentiated drop - Tail drop doesn’t care who you are, so you get dropped if the queue is full.
RED - Random Early Detection
- Avoids tail drop by randomly dropping packets from the queue before it gets full
- Only dropped TCP flows slow down instead of everyone who has sent a packet since the queue filled
- Queues are smaller.
- Link utilization is more efficient
- Configured with
  - Minimum threshold - start dropping when the queue is this size
  - Maximum threshold - if the queue is this big, start tail dropping
  - Mark probability denominator (MPD) - 1/MPD is the ratio of packets to drop when between the thresholds
WRED - Weighted RED
- Based on IP precedence or DSCP values
- Less-important packets are dropped more aggressively than important packets
- Applied to an interface, VC or a class within a policy map
CBWRED - Class based WRED
- Configured with CBWFQ
Policing
- Limits subrate bandwidth (give you 100kbps on a T1)
- Limits traffic of certain applications
- Any traffic that exceeds police is dropped or re-classified; it’s a hard limit
- Inbound or outbound
Shaping
- Sets a limit but buffers any in excess
- Requires memory to store the buffer
- Buffers = delay and/or jitter
- Outbound only
- Can respond to network signals like BECNs and FECNs
Token and bucket
- The queue is a bucket; if a byte of data needs to be sent, it needs a token.
- If there are enough tokens, the traffic is considered conforming.
- If there aren’t enough tokens, the traffic is considered exceeding, which triggers the drop (policing), re-classify (policing), or buffer (shaping).
Frame relay traffic shaping (FRTS)
- Only controls frame relay traffic
- Applied on subif or DLCI
- Support fragmentation and interleaving
- Reacts to FECNs and BECNs
Compression
- Removed redundancy and patterns in data
- Less data = less latency
- Hardware compression or hardware-assisted compression does not involve the main CPU
- Software compression does
- Payload compression
- Header compression
Link fragmentation and interleaving
- Small data might be waiting for larger data pieces to finish sending
- Chunks data into smaller fragments so they don’t have to wait
- Interleaving shuffles flows in the Tx queue