Tuesday, June 26, 2012

Cisco 3750 QoS Overview


With QoS you can give preferential treatment to certain types of traffic at the expense of others. Traffic is differentiated by its QoS labels. The two most commonly used QoS labels in the Layer 3 IP header are the IP precedence field and the DSCP field; the QoS label in the Layer 2 frame header is the Class of Service (CoS). Catalyst switch QoS tools can provide preferential treatment based on either the Layer 3 or the Layer 2 QoS labels. This document provides examples of how Layer 2 and Layer 3 QoS labels are used in Cisco Catalyst switches.


Cisco Catalyst 3750 Switch without QoS

QoS is disabled by default on the Catalyst 3750. While QoS is disabled, all frames and packets pass through the switch unaltered: if a frame with CoS 5 carrying a packet marked DSCP EF enters the switch, neither the CoS nor the DSCP label is changed, and the traffic leaves with the same values it arrived with. All traffic, including voice, is delivered on a best-effort basis.


Cisco Catalyst 3750 Switch QoS Features

After QoS is enabled on the 3750 with the global mls qos command, a few ingress and egress QoS features are enabled by default.


Summary of the QoS pipeline (based on the diagram in the Cisco tech note referenced below):
  • Ingress QoS features such as classification, marking and policing are configured on a per-port basis.
  • Input map tables and ingress queueing are configured globally; they cannot be configured per port.
  • SRR for the ingress queues is configured globally.
  • Stack ring bandwidth depends on the stack cabling. A stack connected at full bandwidth gives 32 Gbps, shared by all switches in the stack.
  • Output map tables and egress queues are configured globally. Two queue-set configurations are available, and any port can be assigned either one of them.
  • SRR for the egress queues is configured on a per-port basis.


    Default Ingress QoS Configuration
    In summary, once QoS is enabled the switch ports are untrusted by default: the CoS and DSCP values of frames entering the switch are rewritten to 0 unless the port is configured to trust them.


    Classification and Marking


    Classification based on the incoming CoS/DSCP value can be configured in three different ways:
    • Port-based configuration using the mls qos interface commands
    • MQC-based configuration using class-map and policy-map
    • VLAN-based configuration
    You can use any one of these three methods, but not more than one on the same port. For example, if a port is configured with the mls qos trust cos command and you then configure the service-policy input <policy-map-name> command on it, the mls qos trust cos command is removed automatically.
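The following is an added example, not taken from the original page or the Cisco tech note, showing all three classification methods on three different ports of an assumed 3750 stack. Interface numbers, VLAN IDs, the ACL, class-map and policy-map names, and the policer rate are illustrative choices:

```cisco
! Enable QoS globally. Until this is done, all QoS labels pass through untouched;
! after it, every port is untrusted and rewrites CoS/DSCP to 0 unless told otherwise.
mls qos

! 1) Port-based: trust the CoS of an attached Cisco IP phone (only while CDP
!    detects the phone) and the DSCP arriving on an uplink.
interface GigabitEthernet1/0/1
 description IP phone port
 switchport access vlan 10
 switchport voice vlan 100
 mls qos trust device cisco-phone
 mls qos trust cos

interface GigabitEthernet1/0/24
 description Uplink - trust the Layer 3 marking
 mls qos trust dscp

! 2) MQC-based: classify by ACL, mark, and police. Attaching the service-policy
!    to the port replaces any mls qos trust command configured on it.
ip access-list extended SIP-SIGNALLING
 permit udp any any eq 5060
 permit tcp any any eq 5060

class-map match-all SIP
 match access-group name SIP-SIGNALLING

policy-map MARK-SIP
 class SIP
  set dscp cs3
  police 256000 8000 exceed-action drop

interface GigabitEthernet1/0/2
 service-policy input MARK-SIP

! 3) VLAN-based: the physical port is set to vlan-based and the policy is applied
!    to the SVI. On the 3750 a policy on an SVI is hierarchical: the VLAN-level
!    policy classifies and marks, and its child (interface-level) policy, which
!    matches on input interface, carries the police action.
class-map match-all FROM-GI1-0-3
 match input-interface GigabitEthernet1/0/3

policy-map VLAN20-PORT-LEVEL
 class FROM-GI1-0-3
  police 256000 8000 exceed-action drop

policy-map VLAN20-VLAN-LEVEL
 class SIP
  set dscp cs3
  service-policy VLAN20-PORT-LEVEL

interface GigabitEthernet1/0/3
 switchport access vlan 20
 mls qos vlan-based

interface Vlan20
 service-policy input VLAN20-VLAN-LEVEL

! Verify which method is active on each port and what it is trusting:
! show mls qos interface GigabitEthernet1/0/1
! show mls qos interface GigabitEthernet1/0/2 policers
```

The point to check after configuring is the trust state reported by show mls qos interface: a port that silently lost its mls qos trust cos because a service-policy was attached will show trust state "not trusted", and phone traffic through it will be remarked to 0.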


    Congestion Management and Avoidance

    Congestion management and avoidance is a three-step process: queueing, dropping and scheduling. Queueing places packets into software queues based on their QoS labels. The Catalyst 3750 has two ingress queues; after traffic is classified and marked, it can be assigned to either queue based on its QoS labels.

    Weighted tail drop (WTD) is used to manage the queue lengths and to provide drop precedences for different traffic classifications.

    Both the ingress and egress queues are serviced by shaped round robin (SRR), which controls the rate at which packets are sent. On the ingress queues, SRR sends packets to the stack ring. SRR can operate in two modes, shaped and shared. For ingress queues, shared is the default and the only supported mode. In shared mode, the queues share the bandwidth among them according to the configured weights; the bandwidth is guaranteed at that level but not limited to it.

    Egress QoS Features

    Congestion management and avoidance are the egress QoS features supported by the Catalyst 3750. As on ingress, this is a three-step process: queueing, dropping and scheduling.
    Queueing places packets into software queues based on their QoS labels. The Catalyst 3750 has four egress queues with three drop thresholds per queue. After traffic has been classified and marked, it can be assigned to one of the four queues based on its QoS labels.
    Each queue can be configured with a buffer size, reserved threshold, WTD threshold levels, and maximum threshold. Weighted tail drop (WTD) manages the queue lengths and provides drop precedences for different traffic classifications. Whereas the ingress queue parameters are configured only globally, the egress queue parameters are applied per port, but only indirectly: you cannot tune each port's queues independently. Instead, you define up to two queue sets in global configuration and assign either one of them to an interface.
    Egress queues are also serviced by SRR, but unlike the ingress queues they support shaped mode as well as shared mode. In shared mode, the default, the queues share the bandwidth according to their configured weights; each queue is guaranteed its share but may use more when other queues are idle. In shaped mode a queue is guaranteed a percentage of the bandwidth and is also rate-limited to it: shaped traffic never uses more than its allocation even if the link is idle. Shaping provides a more even flow of traffic over time and reduces the peaks and valleys of bursty traffic. Egress queue 1 can be configured as the strict priority (expedite) queue, in which case it is serviced until empty before the other queues.
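As an added example, not part of the original page or the Cisco tech note, here is the ingress and egress queueing described in the two sections above applied to an assumed 3750 stack. All weights, buffer percentages, threshold values and interface numbers are illustrative choices to show the command shapes, not recommended values:

```cisco
mls qos

! ---------- Ingress queueing (global only, two queues) ----------
! Queue 2 is the ingress priority queue; give it 10% of the stack-ring
! bandwidth, and share the remaining 90% between the two queues 70/30.
mls qos srr-queue input priority-queue 2 bandwidth 10
mls qos srr-queue input bandwidth 70 30
! Split the ingress buffer 90/10 between queue 1 and queue 2.
mls qos srr-queue input buffers 90 10
! Voice (CoS 5 / DSCP EF) goes to ingress queue 2, highest threshold.
mls qos srr-queue input cos-map queue 2 threshold 3 5
mls qos srr-queue input dscp-map queue 2 threshold 3 46

! ---------- Egress map tables (global, four queues, three thresholds) ----------
! Queue 1 becomes the strict priority queue when "priority-queue out" is set
! on a port, so voice is mapped there.
mls qos srr-queue output cos-map queue 1 threshold 3 5
mls qos srr-queue output dscp-map queue 1 threshold 3 46
! Call signalling (CoS 3 / CS3) to queue 2, threshold 3.
mls qos srr-queue output cos-map queue 2 threshold 3 3
mls qos srr-queue output dscp-map queue 2 threshold 3 24
! Scavenger (CoS 1 / CS1) to queue 4, threshold 1, so it is dropped first.
mls qos srr-queue output cos-map queue 4 threshold 1 1
mls qos srr-queue output dscp-map queue 4 threshold 1 8

! ---------- Egress queue-set (global, at most two sets) ----------
! buffers: share of the port buffer for queues 1-4, must total 100.
mls qos queue-set output 1 buffers 15 25 40 20
! threshold <set> <queue> <drop-thr1> <drop-thr2> <reserved> <maximum>
! WTD drops frames mapped to threshold 1 or 2 once the queue reaches that
! percentage of its allocation; <maximum> lets the queue borrow from the
! common pool up to that percentage when the port is not congested.
mls qos queue-set output 1 threshold 1 100 100 100 100
mls qos queue-set output 1 threshold 2 80 90 100 400
mls qos queue-set output 1 threshold 3 100 100 100 400
mls qos queue-set output 1 threshold 4 60 100 100 400

! ---------- Per-port egress scheduling ----------
interface GigabitEthernet1/0/1
 queue-set 1
 ! Shared mode: weights are relative, unused bandwidth is redistributed.
 ! The queue 1 weight is ignored while it is the strict priority queue.
 srr-queue bandwidth share 1 30 35 5
 ! Shaped mode: a weight of n limits the queue to 1/n of the port rate even
 ! when the link is idle; 0 means "not shaped, use the share weight".
 ! Here queue 2 (signalling) is capped at 25%.
 srr-queue bandwidth shape 0 4 0 0
 priority-queue out

interface GigabitEthernet1/0/24
 description Uplink - whole port limited to 50% of line rate
 queue-set 1
 srr-queue bandwidth limit 50

! Verify the resulting queue configuration and drop counters:
! show mls qos queue-set 1
! show mls qos maps dscp-output-q
! show mls qos interface GigabitEthernet1/0/1 queueing
! show mls qos interface GigabitEthernet1/0/1 statistics
```

Because the queue-set is global, changing a threshold for queue-set 1 alters every port assigned to it; keep queue-set 2 for ports that need different buffer behaviour (for example uplinks) rather than editing the set shared by access ports.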

    http://www.cisco.com/en/US/products/hw/switches/ps5023/products_tech_note09186a0080883f9e.shtml

Ethernet Ring Protection Switching

Ethernet Ring Protection Switching (ERPS) is an effort at ITU-T, under the G.8032 Recommendation, to provide sub-50 ms protection and recovery switching for Ethernet traffic in a ring topology while ensuring that no loops form at the Ethernet layer. G.8032v1 supported a single ring topology; G.8032v2 supports multiple rings and ladder topologies.

http://en.wikipedia.org/wiki/Ethernet_Ring_Protection_Switching 

 

FDB - filtering database

Whenever the position of the block in a ring changes due to a failure or the recovery of a failure, all ring nodes should remove all learned MAC addresses from their filtering databases (FDBs). This action, called an FDB flush, guarantees FDB consistency for a new topology. 

etrij.etri.re.kr/Cyber/servlet/GetFile?fileid=SPF-1254363266935 

http://bitwisertraining.com/8021DSTD/M1L2P1.htm 

Wednesday, June 13, 2012

Configuring Cisco Easy VPN Remote Access on Cisco 877

Below is the basic configuration for remote access using the Cisco VPN Client.

crypto isakmp enable
crypto logging session
!
! IKE phase 1 policy
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp keepalive 10
crypto isakmp nat keepalive 20
crypto isakmp xauth timeout 90
!
! Easy VPN group "remote-vpn"; "nopassword" is the group pre-shared key string
crypto isakmp client configuration group remote-vpn
 key nopassword
 dns 192.168.2.1
 domain cisco877.local
 max-users 10
 max-logins 10
 pool remote-pool
 ! split tunnelling: only destinations matched by ACL 150 go through the tunnel
 acl 150
 ! allows the client to store the Xauth password locally
 save-password
!
crypto ipsec transform-set VPN-CLI-SET esp-3des esp-md5-hmac
crypto ipsec security-association idle-time 3600
!
crypto dynamic-map remote-dyn 10
 set transform-set VPN-CLI-SET
 reverse-route
!
crypto map remotemap local-address Dialer0
crypto map remotemap client authentication list userauthen
crypto map remotemap isakmp authorization list groupauthor
crypto map remotemap client configuration address respond
crypto map remotemap 65535 ipsec-isakmp dynamic remote-dyn
!
! Xauth users and the group are looked up in the local database, so a
! "username <name> secret <password>" entry must exist for every remote user
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
ip local pool remote-pool 192.168.3.210 192.168.3.220
!
! Split-tunnel ACL: LAN 192.168.2.0/24 <-> client pool 192.168.3.0/24
no access-list 150
access-list 150 remark *** ACL split tunnel ***
access-list 150 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
!
! NAT exemption: LAN traffic towards the VPN client pool must not be translated,
! otherwise it never matches the IPsec SA on the way back to the client
no access-list 101
access-list 101 remark *** ACL nonat ***
access-list 101 deny   ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
!
ip nat inside source list 101 interface Dialer0 overload
!
interface Dialer0
 crypto map remotemap
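The configuration above uses 3DES, MD5, a dictionary-word group key and a cached Xauth password, which were common defaults in 2012 but are weak settings today. As an added example, not part of the original post, the same Easy VPN server with those settings replaced; only the lines that change are shown, the angle-bracket values are placeholders to substitute, and keeping DH group 2 is an assumption made for compatibility with the legacy Cisco VPN Client (use a higher group if your clients and IOS release support it):

```cisco
! IKE phase 1: AES-256 / SHA-1 instead of 3DES / MD5.
! DH group 2 retained only for the legacy Cisco VPN Client (assumption);
! prefer group 14 or higher where the client supports it.
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 3600
!
! Group key: long and random, generated on a management host, not a word.
! max-logins 1: one concurrent session per username, so a leaked credential
! cannot be used alongside the legitimate user.
! No "save-password": the Xauth password is not cached on the client.
crypto isakmp client configuration group remote-vpn
 key <long-random-group-key>
 dns 192.168.2.1
 domain cisco877.local
 max-users 10
 max-logins 1
 pool remote-pool
 acl 150
!
! IPsec phase 2: AES-256 with SHA-1 HMAC
crypto ipsec transform-set VPN-CLI-SET esp-aes 256 esp-sha-hmac
!
! Local Xauth users: "secret" stores a hash; never use "password" (type 7)
username vpnuser1 secret <strong-per-user-password>
!
! Lock a local account after repeated Xauth failures (brute-force protection)
aaa local authentication attempts max-fail 5
!
! Verify what was actually negotiated, not just what was configured:
! show crypto isakmp sa detail
! show crypto ipsec sa
```

Since the client proposes a set of transforms and the router picks the first matching policy, check show crypto isakmp sa detail after the first connection to confirm the AES/SHA policy was chosen and that no leftover 3DES/MD5 policy with a lower sequence number is still being selected.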

References:
vpn ipsec Cisco 877 <-> iphone
Cisco 877 as a VPN server
Easy VPN Server
How to configure Cisco IOS Easy VPN (server and client mode)
Configuration Examples and TechNotes
Router Allows VPN Clients to Connect IPsec and Internet Using Split Tunneling Configuration Example


Wednesday, June 6, 2012

Max-reserved-bandwidth command

The max-reserved-bandwidth command has no effect on the queueing system itself. It is only an admission-control check that caps how much bandwidth the classes of a policy-map may reserve on an interface (75% of the interface bandwidth by default).
Newer IOS releases (HQF-based) no longer check a policy-map's total reservation against the max-reserved-bandwidth setting at all, and the newest releases print a warning that the command is deprecated, as if to correct the documentation that long implied otherwise.
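An added example, not from the original post, showing the check in action on an assumed serial interface; class names, DSCP values, percentages and the interface are illustrative:

```cisco
! Classic CBWFQ (pre-HQF IOS): the reservations in WAN-OUT total 80% of the
! interface bandwidth (30 + 30 + 20). With the default max-reserved-bandwidth
! of 75, attaching the policy is rejected with an error stating how much
! bandwidth is available. Raising the limit to 90 lets it attach; it does not
! change how the queues are scheduled once the policy is in place.
class-map match-all VOICE
 match dscp ef
class-map match-all VIDEO
 match dscp af41
class-map match-all CRITICAL
 match dscp af31
!
policy-map WAN-OUT
 class VOICE
  priority percent 30
 class VIDEO
  bandwidth percent 30
 class CRITICAL
  bandwidth percent 20
 class class-default
  fair-queue
!
interface Serial0/0
 bandwidth 2048
 max-reserved-bandwidth 90
 service-policy output WAN-OUT
!
! On HQF releases (12.4(20)T and later) the max-reserved-bandwidth line is
! accepted with a deprecation warning and the reservation check is not made.
! Confirm the per-class guarantees that are actually in effect with:
! show policy-map interface Serial0/0
```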

CBWFQ max-reserved-bandwidth


Real time chat between Cisco routers
