awa Network: August 2013

Saturday, August 31, 2013

JunOS Auto Log Out on Disconnect

Just another small feature but needed for secure Juniper device. What is it ? Log-out your session at connect from console port automatically, The session will be log-out immediately after disconnect.

set system ports console log-out-on-disconnect
set system ports console type vt100
set system ports auxiliary type vt100

Happy weekend :-)

Friday, August 30, 2013

Cisco IOS like TCPdump with Filter (Packet Capture)

Yesterday, I have posted about internal packet capture in Cisco IOS (=tcpdump) and simple example. Now please find the example with more various traffic and filter.

The scenario is simple, generate two kind of traffic, UDP use traceroute and ICMP use ping. Then create filter to pass (permit) UDP and drop (deny) ICMP use access-list extended.

Hope this is usefull for you ;-)

#### Preconfig for test IOS packet capture, read here

#### Step by step IOS packet capture with filter

#### Define a capture buffer
IOS-1# monitor capture buffer PACKET size 512 max-size 1024 circular

#### Create filter with access-list and attach to capture buffer
#### Permit UDP (traceroute), deny ICMP (ping)
IOS-1# conf t
IOS-1(config)# access-list 100 permit udp any any
IOS-1(config)# access-list 100 deny ip any any
IOS-1(config)# exit
IOS-1# monitor capture buffer PACKET filter access-list 100

#### Define a capture point
IOS-1# monitor capture point ip cef Vlan11_CAP Vlan11 both

#### Create associate capture point with capture buffer
IOS-1# monitor capture point associate Vlan11_CAP PACKET

#### Enable the capture point for start capture packet data
IOS-1# monitor capture point start Vlan11_CAP

#### Disable the capture point for stop capture packet data
IOS-1# monitor capture point stop Vlan11_CAP

#### Verify and test

#### The summary view of capture point
IOS-1# show monitor capture point Vlan11_CAP
Status Information for Capture Point Vlan11_CAP
IPv4 CEF
Switch Path: IPv4 CEF , Capture Buffer: PACKET
Status : Active

Configuration:
monitor capture point ip cef Vlan11_CAP Vlan11 both

#### Generate traffic ICMP from other side
IOS-2# ping 172.16.12.1 source 172.16.12.2 repeat 100

Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 172.16.12.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.12.2
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/3/8 ms

#### The summary view of capture buffer, packet couter 0
IOS-1# show monitor capture buffer PACKET parameters
Capture buffer PACKET (circular buffer)
Buffer Size : 524288 bytes,Max Element Size : 1024 bytes,Packets : 0
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : Vlan11_CAP, Status : Active
Configuration:
monitor capture buffer PACKET size 512 max-size 1024 circular
monitor capture point associate Vlan11_CAP PACKET
monitor capture buffer PACKET filter access-list 100

#### Generate traffic UDP from other side
IOS-2# traceroute 172.16.12.1

Type escape sequence to abort.
Tracing the route to 172.16.12.1
VRF info: (vrf in name/id, vrf out name/id)
1 172.16.12.1 0 msec 0 msec *

#### The summary view of capture buffer, packet counter 6
IOS-1# show monitor capture buffer PACKET parameters
Capture buffer PACKET (circular buffer)
Buffer Size : 524288 bytes,Max Element Size : 1024 bytes,Packets : 6
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : Vlan11_CAP, Status : Active
Configuration:
monitor capture buffer PACKET size 512 max-size 1024 circular
monitor capture point associate Vlan11_CAP PACKET
monitor capture buffer PACKET filter access-list 100

#### Information captured packets
IOS-1# show monitor capture buffer PACKET
10:10:54.271 UTC Aug 27 2013 : IPv4 LES CEF : Vl11 None

10:10:57.275 UTC Aug 27 2013 : IPv4 LES CEF : Vl11 None

10:11:00.275 UTC Aug 27 2013 : IPv4 LES CEF : Vl11 None

10:11:03.287 UTC Aug 27 2013 : IPv4 LES CEF : Vl11 None

10:11:06.283 UTC Aug 27 2013 : IPv4 LES CEF : Vl11 None

10:11:09.283 UTC Aug 27 2013 : IPv4 LES CEF : Vl11 None

#### Show the dump packets
IOS-1# show monitor capture buffer PACKET dump
10:10:54.271 UTC Aug 27 2013 : IPv4 LES CEF : Vl11 None

AAF183C0: FFFFFFFF FFFFAABB ......*;
AAF183D0: CC800800 08004500 00460000 0000FE11 L.....E..F....~.
AAF183E0: 0495AC10 0C02FFFF FFFFC4F2 00350032 ..,.......Dr.5.2
AAF183F0: 00000003 01000001 00000000 00000131 ...............1
AAF18400: 02313202 31360331 37320769 6E2D6164 .12.16.172.in-ad
AAF18410: 64720461 72706100 000C0001 00 dr.arpa......

10:10:57.275 UTC Aug 27 2013 : IPv4 LES CEF : Vl11 None

AAF183C0: FFFFFFFF FFFFAABB ......*;
AAF183D0: CC800800 08004500 00460001 0000FE11 L.....E..F....~.
AAF183E0: 0494AC10 0C02FFFF FFFFC4F2 00350032 ..,.......Dr.5.2
AAF183F0: 00000003 01000001 00000000 00000131 ...............1
AAF18400: 02313202 31360331 37320769 6E2D6164 .12.16.172.in-ad
AAF18410: 64720461 72706100 000C0001 00 dr.arpa......

10:11:00.275 UTC Aug 27 2013 : IPv4 LES CEF : Vl11 None

AAF183C0: FFFFFFFF FFFFAABB ......*;
AAF183D0: CC800800 08004500 00460002 0000FE11 L.....E..F....~.
AAF183E0: 0493AC10 0C02FFFF FFFFC4F2 00350032 ..,.......Dr.5.2
AAF183F0: 00000003 01000001 00000000 00000131 ...............1
AAF18400: 02313202 31360331 37320769 6E2D6164 .12.16.172.in-ad
AAF18410: 64720461 72706100 000C0001 00 dr.arpa......

10:11:03.287 UTC Aug 27 2013 : IPv4 LES CEF : Vl11 None

AAF183C0: FFFFFFFF FFFFAABB ......*;
AAF183D0: CC800800 08004500 00460000 0000FE11 L.....E..F....~.
AAF183E0: 0495AC10 0C02FFFF FFFFD796 00350032 ..,.......W..5.2
AAF183F0: 00000004 01000001 00000000 00000131 ...............1
AAF18400: 02313202 31360331 37320769 6E2D6164 .12.16.172.in-ad
AAF18410: 64720461 72706100 000C0001 00 dr.arpa......

10:11:06.283 UTC Aug 27 2013 : IPv4 LES CEF : Vl11 None

AAF183C0: FFFFFFFF FFFFAABB ......*;
AAF183D0: CC800800 08004500 00460001 0000FE11 L.....E..F....~.
AAF183E0: 0494AC10 0C02FFFF FFFFD796 00350032 ..,.......W..5.2
AAF183F0: 00000004 01000001 00000000 00000131 ...............1
AAF18400: 02313202 31360331 37320769 6E2D6164 .12.16.172.in-ad
AAF18410: 64720461 72706100 000C0001 00 dr.arpa......

10:11:09.283 UTC Aug 27 2013 : IPv4 LES CEF : Vl11 None

AAF183C0: FFFFFFFF FFFFAABB ......*;
AAF183D0: CC800800 08004500 00460002 0000FE11 L.....E..F....~.
AAF183E0: 0493AC10 0C02FFFF FFFFD796 00350032 ..,.......W..5.2
AAF183F0: 00000004 01000001 00000000 00000131 ...............1
AAF18400: 02313202 31360331 37320769 6E2D6164 .12.16.172.in-ad
AAF18410: 64720461 72706100 000C0001 00 dr.arpa......

Thursday, August 29, 2013

Cisco IOS Packet Capture (=tcpdump =sniffing)

This is great news for us. The new feature from Cisco IOS release 12.4(20)T or later. Internal packet capture like popular application in linux Tcpdump or Sniffing, Cisco called Embedded Packet Capture (EPC) or Mini Protocol Analyzer (MPA). This facility thats allows to capture packet flowing to, through and from IOS device and to analyze them offline or export to analysis later by a tool such as Wireshark. This feature is very usefull for troubleshooting by gathering packet.

Please follow for step by step

#### Preconfig for test IOS packet capture

IOS-1# show vlan id 11

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
11 VLAN0011 active Fa0/0

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
11 enet 100011 1500 - - - - - 0 0

Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------

IOS-1# show run interface FastEthernet0/0
Building configuration...

Current configuration : 137 bytes
!
interface FastEthernet0/0
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 11
switchport mode trunk
duplex auto
end

IOS-1# show run interface vlan 11
Building configuration...

Current configuration : 62 bytes
!
interface Vlan11
ip address 172.16.12.1 255.255.255.0
end

IOS-2# show run interface vlan 11
Building configuration...

Current configuration : 62 bytes
!
interface Vlan11
ip address 172.16.12.2 255.255.255.0
end

#### Step by step IOS packet capture

#### Define a capture buffer
IOS-1# monitor capture buffer PACKET size 512 max-size 1024 circular

#### Define a capture point
IOS-1# monitor capture point ip cef Vlan11_CAP Vlan11 both

#### Create associate capture point with capture buffer
IOS-1# monitor capture point associate Vlan11_CAP PACKET

#### Enable the capture point for start capture packet data
IOS-1# monitor capture point start Vlan11_CAP

#### Disable the capture point for stop capture packet data
IOS-1# monitor capture point stop Vlan11_CAP

#### Verify and test

#### The summary view of capture point
IOS-1# show monitor capture point all
Status Information for Capture Point Vlan11_CAP
IPv4 CEF
Switch Path: IPv4 CEF , Capture Buffer: PACKET
Status : Active

Configuration:
monitor capture point ip cef Vlan11_CAP Vlan11 both

#### The summary view of capture buffer
#### Before start
IOS-1# show monitor capture buffer all parameters
Capture buffer PACKET (circular buffer)
Buffer Size : 524288 bytes, Max Element Size : 1024 bytes, Packets : 0
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : Vlan11_CAP, Status : Inactive
Configuration:
monitor capture buffer PACKET size 512 max-size 1024 circular
monitor capture point associate Vlan11_CAP PACKET

#### After start
IOS-1# show monitor capture buffer all parameters
Capture buffer PACKET (circular buffer)
Buffer Size : 524288 bytes, Max Element Size : 1024 bytes, Packets : 3
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : Vlan11_CAP, Status : Active
Configuration:
monitor capture buffer PACKET size 512 max-size 1024 circular
monitor capture point associate Vlan11_CAP PACKET

#### Generate traffic ping from other side
IOS-2# ping 172.16.12.1 source 172.16.12.2 repeat 3
Type escape sequence to abort.
Sending 3, 100-byte ICMP Echos to 172.16.12.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.12.2
!!!
Success rate is 100 percent (3/3), round-trip min/avg/max = 4/6/8 ms

#### Information captured packets
IOS-1# show monitor capture buffer PACKET
09:31:23.299 UTC Aug 27 2013 : IPv4 LES CEF : Vl11 None

09:31:23.303 UTC Aug 27 2013 : IPv4 LES CEF : Vl11 None

09:31:23.311 UTC Aug 27 2013 : IPv4 LES CEF : Vl11 None

#### Show the dump packets
IOS-1# show monitor capture buffer PACKET dump
09:31:23.299 UTC Aug 27 2013 : IPv4 LES CEF : Vl11 None

AD39BE70: AABBCC80 0700AABB CC800800 08004500 *;L...*;L.....E.
AD39BE80: 006404B5 0000FE01 47C0AC10 0C02AC10 .d.5..~.G@,...,.
AD39BE90: 0C010800 6BF90004 00000000 00000009 ....ky..........
AD39BEA0: 1244ABCD ABCDABCD ABCDABCD ABCDABCD .D+M+M+M+M+M+M+M
AD39BEB0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
AD39BEC0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
AD39BED0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
AD39BEE0: ABCD00 +M.

09:31:23.303 UTC Aug 27 2013 : IPv4 LES CEF : Vl11 None

AD39BE70: AABBCC80 0700AABB CC800800 08004500 *;L...*;L.....E.
AD39BE80: 006404B6 0000FE01 47BFAC10 0C02AC10 .d.6..~.G?,...,.
AD39BE90: 0C010800 6BF00004 00010000 00000009 ....kp..........
AD39BEA0: 124CABCD ABCDABCD ABCDABCD ABCDABCD .L+M+M+M+M+M+M+M
AD39BEB0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
AD39BEC0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
AD39BED0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
AD39BEE0: ABCD00 +M.

09:31:23.311 UTC Aug 27 2013 : IPv4 LES CEF : Vl11 None

AD39BE70: AABBCC80 0700AABB CC800800 08004500 *;L...*;L.....E.
AD39BE80: 006404B7 0000FE01 47BEAC10 0C02AC10 .d.7..~.G>,...,.
AD39BE90: 0C010800 6BE70004 00020000 00000009 ....kg..........
AD39BEA0: 1254ABCD ABCDABCD ABCDABCD ABCDABCD .T+M+M+M+M+M+M+M
AD39BEB0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
AD39BEC0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
AD39BED0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
AD39BEE0: ABCD00 +M.

#### Save buffer to log file .pcap
IOS-1# monitor capture buffer PACKET export ftp://172.16.12.10//IOS_Vlan11.pcap
Writing /IOS_Vlan11.pcap % Export of Capture Buffer failed

Unfortunately I can't export capture buffer, due to ftp server isn't working, Next time I will fix ftp server.

Wednesday, August 28, 2013

QoS Best Practices

This section is not last discuss about QoS, but the summary of Classification part, even actually there is one section is part of classification, that is QoS Policy Propagation via BGP, but I will explain later.

Previous days ago, I posted about Classification Overview. Please find the Best Practices of QoS here

For enterprise networks define traffic classes example: voice, videoconferencing, bulk data & mission-critical data
Do classify and mark traffic as close to the source as possible
Networks must provide secure, predictable, measurable and sometimes guaranteed services
Achieve the required QoS by managing the delay, delay variation (jitter), bandwidth and packet-loss parameters on a network
Use Cisco NBAR to discover the application (traffic type) on the network

Tuesday, August 27, 2013

Hide a Logging Console with Message Discriminator (MD)

If you are Network Integrator, usually config Cisco IOS with console cable. By default some of notice, warning and error will be appear in your console session. You can skip all message to appear in console session with 'no logging console', but it is not recommended, because you will skip all error message, some of them needed to be known soon.

Please follow me to hide a logging console based on message

#### This message will be appear after end configure terminal or Ctrl+Z

IOS# conf t
Enter configuration commands, one per line. End with CNTL/Z.
IOS(config)# exit
IOS#
*Aug 27 02:26:09.335: %SYS-5-CONFIG_I: Configured from console by console
IOS#

#### Define message discriminator (MD), CONFIGT is MD name, 5 is severity, CONFIG_I is message

logging discriminator CONFIGT severity drops 5 msg-body drops CONFIG_I

#### Hide to appear in console session

logging console discriminator CONFIGT

#### Test

IOS# conf t
Enter configuration commands, one per line. End with CNTL/Z.
IOS(config)#
IOS(config)# do who
Line User Host(s) Idle Location
* 0 con 0 idle 00:00:00

Interface User Mode Idle Peer Address

IOS(config)# exit
IOS#

Yes, it's work.

Etherchannel L2 Free Error Loops

The Etherchannel is an aggregated set of several physical interface as a single logical interface. The purpose of Etherchannel is to provide greater capacity than a single avaibility physical interface. The creation of danger to avoid is forwarding loops, due to two interface or more connect to same device. The Spanning Tree Protocol (STP) should be avoid forwarding loops, but some condition for example channeling ports aren't consistent, intermittent physical layer can be reason of forwarding loops.

To avoid forwarding loops, this is best practices to config Etherchannel L2.

#### Shutdown all member interface, use interface range to easy config several interface

IOS-A(config-if)# interface range FastEthernet1/0-1
IOS-A(config-if-range)# shutdown

#### Switch interface to layer 2

IOS-A(config-if-range)# switchport

#### Define trunk encapsulation, dot1q or isl

IOS-A(config-if-range)# switchport trunk encapsulation dot1q

#### Enable mode trunk

IOS-A(config-if-range)# switchport mode trunk

#### Add vlan member to interface

IOS-A(config-if-range)# switchport trunk allowed vlan 11,13,15

#### Create port-channel interface and mode active, for other side is passive

IOS-A(config-if-range)# channel-group 1 mode active

#### Enable interface

IOS-A(config-if-range)# no shutdown

#### Verify

IOS-A# show ip interface brief

IOS-A# show etherchannel summary

Monday, August 26, 2013

Etherchannel L2 Down during Add Vlan

This is also notice, warning for you. The good network engineers should be know about it. During configure 'switchport trunk allowed vlan add'. Add new vlan should be in port-channel logical interface, don't add new vlan in physical interface, even add vlan in all member physical interface of port-channel. Please more attention, if etherchannel interface has been operational (live network). Do some verify before add vlan to live etherchannel interface, ask to your partner as second verification if needed.

Please follow this example.

#### Define etherchannel interface as pre-configure (IOS-1, IOS-2 are same config)

IOS-1# show run interface Ethernet1/0
Building configuration...

Current configuration : 187 bytes
!
interface Ethernet1/0
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 11-14,16,18
switchport mode trunk
duplex auto
channel-group 1 mode active
end

IOS-1# show run interface Ethernet1/1
Building configuration...

Current configuration : 187 bytes
!
interface Ethernet1/1
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 11-14,16,18
switchport mode trunk
duplex auto
channel-group 1 mode active
end

IOS-1# show run interface port-channel1
Building configuration...

Current configuration : 147 bytes
!
interface Port-channel1
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 11-14,16,18
switchport mode trunk
end

IOS-1# show etherchannel summary
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use N - not in use, no aggregation
f - failed to allocate aggregator

M - not in use, no aggregation due to minimum links not met
m - not in use, port not aggregated due to minimum links not met
u - unsuitable for bundling
d - default port

w - waiting to be aggregated
Number of channel-groups in use: 1
Number of aggregators: 1

Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
1 Po1(SU) LACP Et1/0(P) Et1/1(P)

#### Add new vlan in port-channel interface

IOS-1(config)# interface port-channel1
IOS-1(config-if)# switchport trunk allowed vlan add 19

IOS-1(config-if)# do show run interface port-channel1
Building configuration...

Current configuration : 150 bytes
!
interface Port-channel1
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 11-14,16,18,19
switchport mode trunk
end

IOS-1(config-if)# do show etherchannel summary
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use N - not in use, no aggregation
f - failed to allocate aggregator

M - not in use, no aggregation due to minimum links not met
m - not in use, port not aggregated due to minimum links not met
u - unsuitable for bundling
d - default port

w - waiting to be aggregated
Number of channel-groups in use: 1
Number of aggregators: 1

Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
1 Po1(SU) LACP Et1/0(P) Et1/1(P)

#### Add new vlan in both physical interface

IOS-1(config)# interface port-channel1
IOS-1(config-if)# switchport trunk allowed vlan remove 19

IOS-1(config-if)# interface range Ethernet1/0-1
IOS-1(config-if-range)# switchport trunk allowed vlan add 19

IOS-1(config-if-range)# do show etherchannel summary
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use N - not in use, no aggregation
f - failed to allocate aggregator

M - not in use, no aggregation due to minimum links not met
m - not in use, port not aggregated due to minimum links not met
u - unsuitable for bundling
d - default port

w - waiting to be aggregated
Number of channel-groups in use: 1
Number of aggregators: 1

Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
1 Po1(SD) LACP Et1/0(I) Et1/1(I)

#### Add new vlan in one physical interface

(*revision note: another of IOS version will be effect other status, port-channel will be up with single physical interface after down for a few second. The point is port-channel will be down for a while or permanent if add vlan in one physical interface.)

IOS-1(config)# interface range Ethernet1/0-1
IOS-1(config-if-range)# switchport trunk allowed vlan remove 19

IOS-1(config-if-range)# interface Ethernet1/0
IOS-1(config-if)# switchport trunk allowed vlan add 19

IOS-1(config-if)# do show etherchannel summary
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use N - not in use, no aggregation
f - failed to allocate aggregator

M - not in use, no aggregation due to minimum links not met
m - not in use, port not aggregated due to minimum links not met
u - unsuitable for bundling
d - default port

w - waiting to be aggregated
Number of channel-groups in use: 1
Number of aggregators: 1

Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
1 Po1(SD) LACP Et1/0(I) Et1/1(I)

Be Carefull with Switchport Trunk Allowed Vlan 'add'

This is notice, warning for you. The good network engineers should be know about it. To configure trunk allowed vlan. Why ? if you're wrong or forget to put 'add' command, your network will be down. You can check with question mark (?) 'add' is mean add VLANs to the current list. If you write vlan-number without 'add' before, is mean vlan-number will be replace to the current list. Be carefull ..!

Please follow this example.

#### Define Interface to Trunk

IOS# show run interface Ethernet0/0
Building configuration...

Current configuration : 57 bytes
!
interface Ethernet0/0
no ip address
duplex auto
end

IOS# conf t
Enter configuration commands, one per line. End with CNTL/Z.
IOS(config)# interface Ethernet0/0
IOS(config-if)# switchport
IOS(config-if)# switchport trunk encapsulation dot1q

#### Add VLANs to Trunk with 'add'

IOS(config-if)# switchport trunk allowed vlan ?
WORD VLAN IDs of the allowed VLANs when this port is in trunking mode
add add VLANs to the current list
all all VLANs
except all VLANs except the following
none no VLANs
remove remove VLANs from the current list

IOS(config-if)# switchport trunk allowed vlan add 11,12,13
IOS(config-if)# switchport trunk allowed vlan add 14,16,18
IOS(config-if)# do show run interface Ethernet0/0
Building configuration...

Current configuration : 135 bytes
!
interface Ethernet0/0
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 11-14,16,18
duplex auto
end

#### Add VLANs to Trunk without 'add', this mean replace

IOS(config-if)# switchport trunk allowed vlan 19
IOS(config-if)# do show run interface Ethernet0/0
Building configuration...

Current configuration : 126 bytes
!
interface Ethernet0/0
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 19
duplex auto
end

Sunday, August 25, 2013

QoS for Virtual Private Networks (VPN)

Still discuss with QoS Classification part. When the packets cross virtual private network (VPN), that is encapsulated by encryption headers. The QoS are unable to examine and correctly classify packets. Not just the VPN are unable to examine, the tunnel is also. The VPN is actually simillar with tunnel feature.

#### Configuring with 'qos pre-classify'

#### VPN for GRE and IPIP, applied on the tunnel interface, making QoS a configuration option on a per-tunnel basis
IOS(config)# interface tunnel0
IOS(config-if)# qos pre-classify

#### VPN for L2F and L2TP, applied on the virtual template interface, L2TP identical VPDN so QoS can be configured on a per-VPDN tunnel basis
IOS(config)# interface virtual-template1
IOS(config-if)# qos pre-classify

#### VPN for IPSec, applied on crpto map, QoS on the interface carrying the crypto map are able to classify packets before ecryption
IOS(config)# crypto map secured-partner-1
IOS(config-crypto-map)# qos pre-classify

#### Verify QoS for VPNs

IOS# show interfaces
...
Queuing Strategy: fifo (QOS pre-classification)
...

IOS# show crypto map
...
QoS pre-classification
...

Thursday, August 22, 2013

QoS Classification Overview

I want to flashback to definition of QoS Classification. Classification is important in QoS part. Classification is classify traffic or packet into specific group, categorize a packet into classes and make it accessible for QoS handling on the network. You can partition traffic into multiple priority levels (classes). The classes can perform to traffic policers, such as the traffic policing feature, the rate-limiting feature of commited access rate (CAR) and traffic shapers. And also You can use classification to mark certain packets for IP Precedence or DSCP. In Cisco IOS to look at and check traffic flow inside the router you can enable Network-Based Application Recognition (NBAR).

Several other example of traffic classification

Wednesday, August 21, 2013

QoS Class-Based Packet Marking

Next discuss about Class-Based Packet Marking. To perform it, you must either configure an IP Precedence value or an IP differentiated services code point (DSCP) value.

Here is the compare values for IP precedence and Differentiated Services Code Point (DSCP).

## IP precedence=CoS ## DSCP ## Comment
## 0=routine ## 0 ## Best effort
## 1=priority ## 8 ##
## 2=immediate ## 16 ##
## 3=Flash ## 24 ##
## 4=FlashOver ## 32 ##
## 5=critical ## 40 ##
## 6=internet ## 48 ##
## 7=network ## 56 ##

#### Define class-name (class-map)

IOS(config)# class-map SSH-Class
IOS(config-cmap)# match protocol ssh

#### Define IP Precedence policy-name (policy-map)

IOS(config)# policy-map SSH-Prec-1
IOS(config-pmap)# class SSH-Class
IOS(config-pmap-c)# set ip precedence 1

#### Define IP DSCP policy-name (policy-map)

IOS(config)# policy-map SSH-DSCP-8
IOS(config-pmap)# class SSH-Class
IOS(config-pmap-c)# set ip dscp 8

#### Apply Traffic Policy to interface (service-policy)

IOS(config-if)#
service-policy input SSH-Prec-1
service-policy output SSH-DSCP-8

#### Verify Traffic Policy

IOS#show class-map
Class Map match-any class-default (id 0)
Match any

Class Map match-all SSH-Class (id 1)
Match protocol ssh

IOS#show policy-map
Policy Map SSH-Prec-1
Class SSH-Class
set ip precedence 1
Policy Map SSH-DSCP-8
Class SSH-Class
set ip dscp cs1

IOS#show policy-map interface
FastEthernet1/1

Service-policy input: SSH-Prec-1

Class-map: SSH-Class (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol ssh
QoS Set
precedence 1
Packets marked 0

Class-map: class-default (match-any)
8 packets, 788 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any

Service-policy output: SSH-DSCP-8

Class-map: SSH-Class (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol ssh
QoS Set
dscp cs1
Packets marked 0

Class-map: class-default (match-any)
3 packets, 272 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any

awa Network