QoS: FQ, priority queuing, custom queuing, bandwidth reservation, GTS, FRTS, RSVP, CAR, IPT
ACL: access-list, named access-list, time access-list, anti-spoofing ACL
Priority queuing
While traffic with priority high exists, it must be treated first.

  ! define an ACL for telnet, for example
  access-list 101 permit tcp any any eq telnet
  priority-list 1 protocol ip high list 101
  ! Or
  priority-list 1 protocol ip high tcp 23
  ! Or, if priority is by physical interface:
  priority-list 1 interface ethernet0 high
  ! Then apply the priority to Ethernet 0, for example
  interface ethernet0
   priority-group 1
  !
  ! other commands:
  priority-list 1 default low
  priority-list 1 queue-limit 20 30 60 90    (max packets in the high, medium, normal and low queues)
Custom queuing
You will be able to manage how many bytes to take from each queue.

  access-list 101 permit tcp any any eq telnet
  queue-list 1 protocol ip 5 list 101        [1: list number; 5: queue number]
  ! Or
  queue-list 1 protocol ip 5 tcp 23
  ! If by physical interface then:
  queue-list 6 interface ethernet 0 7        [6: list number; 7: queue number]
  queue-list 1 queue 5 limit 16              : limit the size of queue 5 to 16 packets
  queue-list 1 queue 5 byte-count 1300       : take 1300 bytes from queue 5 of list 1 on each round
  ! Then apply to the interface:
  interface ethernet0
   custom-queue-list 1
  !
  ! other commands:
  queue-list 1 default 5                     : packets matching no rule go to queue 5
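To see what the two mechanisms above actually do to a mixed load, here is a small scheduler model. It is an added example, not code from the original cheat sheet: strict priority queuing (priority-list / priority-group) always serves the high queue first, so a long interactive burst starves the low queue completely, while custom queuing (queue-list ... byte-count) hands each queue a byte budget per round. Queue names, packet sizes and the 1300-byte budget are constructed for the demo.

```python
"""Added example, not part of the original cheat sheet: a toy model of the two
legacy IOS schedulers configured above, strict priority queuing (priority-list /
priority-group) and custom queuing (queue-list ... byte-count). Queue names and
packet sizes are constructed for the demo."""
from collections import deque


def priority_schedule(queues, order):
    """Strict priority: on every transmission slot, serve the first non-empty
    queue in `order` (high before medium before normal before low).
    Returns the (queue_name, packet_size) pairs in transmission order."""
    q = {name: deque(pkts) for name, pkts in queues.items()}
    out = []
    while any(q[name] for name in order):
        for name in order:
            if q[name]:
                out.append((name, q[name].popleft()))
                break
    return out


def custom_schedule(queues, byte_counts):
    """Custom queuing: visit the queues round-robin; on each visit keep sending
    whole packets until at least byte_count bytes have gone out (a packet that
    crosses the threshold is still sent in full, as IOS does)."""
    q = {name: deque(pkts) for name, pkts in queues.items()}
    out = []
    while any(q.values()):
        for name, budget in byte_counts.items():
            sent = 0
            while q[name] and sent < budget:
                size = q[name].popleft()
                out.append((name, size))
                sent += size
    return out


def packets_from(schedule, name, first_n):
    """How many of the first `first_n` transmissions came from queue `name`."""
    return sum(1 for n, _ in schedule[:first_n] if n == name)


# Constructed offered load: 100 small interactive (telnet-like) packets and
# 20 large bulk packets, all waiting at the same time.
QUEUES = {"interactive": [100] * 100, "bulk": [1500] * 20}


def priority_demo():
    # priority-list puts interactive traffic in the high queue and bulk in low:
    # all 100 interactive packets leave before the first bulk packet.
    return priority_schedule(QUEUES, ["interactive", "bulk"])


def custom_demo():
    # queue-list ... byte-count 1300 on both queues: each round sends 13
    # interactive packets (1300 bytes) and one 1500-byte bulk packet.
    return custom_schedule(QUEUES, {"interactive": 1300, "bulk": 1300})
```

The byte-count budget is what makes custom queuing a bandwidth-sharing tool rather than an ordering tool: with equal budgets the bulk queue still gets roughly half the link bytes during the interactive burst, whereas under priority queuing it gets nothing until the high queue drains.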
Bandwidth reservation (from a Cisco discussion forum)
1- Classify your traffic using classes, then apply the policy to the interface.
In this example, we shape all the traffic to the line speed (16M), reserve 4M for DB, limit camera traffic to 256K and apply fair queue to the remaining.

  access-list 195 permit ip 100.0.0.0 0.255.255.255 any
  access-list 100 permit ip host 172.24.1.1 10.0.0.0 0.255.255.255
  !
  class-map All-Traffic
   match any
  !
  class-map match-all Camera_traffic
   match access-group 100
  !
  class-map match-all DB_traffic
   match access-group 195
  !
  policy-map G01-Policy
   class All-Traffic
    shape average 16000000
    service-policy outbound-policy
  !
  policy-map outbound-policy
   class DB_traffic
    bandwidth 4096
   class Camera_traffic
    police cir 256000
   class class-default
    fair-queue
  !
  interface GigabitEthernet0/1
   service-policy output G01-Policy
Generic Traffic Shaping (GTS)
Limit traffic bursts. It is important to understand that this is not a policing scheme, just a shaping mechanism. Ethernet 0 is configured to limit FTP traffic to 2 Mbps, and Ethernet 1 is configured to limit all output to 7 Mbps. Apply it to the outside interface.

  access-list 100 permit tcp any any eq ftp
  access-list 100 permit tcp any any eq ftp-data
  !
  interface Ethernet0
   traffic-shape group 100 2000000 250000 250000
  !
  interface Ethernet1
   traffic-shape rate 7000000 875000 755000
FRTS (Frame Relay traffic shaping)
FRTS-enabled routers use received Backward Explicit Congestion Notification (BECN) information as input to manage the outbound traffic.

  interface serial 0
   encapsulation frame-relay
   frame-relay traffic-shaping
  !
  interface serial 0.1 point-to-point
   ip address 192.168.100.5 255.255.255.252
   frame-relay interface-dlci 100
   frame-relay class 128kb
  !
  interface serial 0.2 point-to-point
   ip address 192.168.100.9 255.255.255.252
   frame-relay interface-dlci 200
   frame-relay class 512kb
  !
  ! CIR 128k, peak 256k
  map-class frame-relay 128kb
   frame-relay traffic-rate 128000 256000
   frame-relay adaptive-shaping becn
  !
  map-class frame-relay 512kb
   frame-relay traffic-rate 512000 1024000
   frame-relay adaptive-shaping becn
RSVP

  interface Serial0
   no ip address
   encapsulation frame-relay
   frame-relay lmi-type ansi
   ! The physical interface uses all the bandwidth
   ip rsvp bandwidth 1158 1158
   ip rsvp signalling dscp 0
  !
  interface Serial0.1 point-to-point
   ip address 192.168.1.150 255.255.255.252
   frame-relay interface-dlci 100
   ! RSVP uses 500 kbps; the largest bandwidth a single flow can reserve is 250 kbps
   ip rsvp bandwidth 500 250
   ! To control which RSVP neighbors may make requests, use the
   ! "ip rsvp neighbor access-list-number" command
   ip rsvp neighbor 50
  !
  access-list 50 permit 192.168.1.1
CAR (Committed access rate)
The difference between CAR and traffic shaping is that CAR is a policing scheme. CAR sets maximum limits on traffic but does not shape traffic to a specified rate. CAR typically drops traffic that exceeds the rate; in contrast, traffic shaping holds excess packets in a buffer and delays them to smooth the flow of traffic.

  interface Hssi0/0/0
   description 45Mbps Link with CAR
   ip address 1.1.1.1 255.255.255.252
   rate-limit input access-group 1 25000000 30000 30000 conform-action transmit exceed-action drop
   rate-limit output access-group 1 25000000 30000 30000 conform-action transmit exceed-action drop
  !
  access-list 1 permit 192.168.1.0 0.0.0.255
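The policing-versus-shaping distinction drawn above is easiest to see with a token bucket. The following is an added example, not code from the original cheat sheet: the same bucket (committed rate plus a burst allowance) is driven once as a policer, which drops every packet that finds too few tokens, and once as a shaper, which holds the packet until the tokens have accrued. The rate, burst size and packet arrivals are constructed for the demo and are far smaller than the 45 Mbps link in the CAR configuration.

```python
"""Added example, not part of the original cheat sheet: a token-bucket model of
the distinction the page draws between CAR (policing: excess is dropped) and
traffic shaping (excess is delayed). Rates, burst sizes and packet arrivals
are constructed for the demo."""
from dataclasses import dataclass


@dataclass
class Packet:
    arrival: float   # seconds
    size: int        # bytes


def police(packets, rate_bps, burst_bytes):
    """CAR-style policing. A bucket holding at most burst_bytes is refilled at
    rate_bps; a packet conforms if the bucket holds at least its size
    (conform-action transmit), otherwise it is dropped (exceed-action drop).
    `packets` must be sorted by arrival. Returns (transmitted, dropped)."""
    tokens, last = float(burst_bytes), 0.0
    transmitted, dropped = [], []
    for p in packets:
        tokens = min(burst_bytes, tokens + (p.arrival - last) * rate_bps / 8)
        last = p.arrival
        if p.size <= tokens:
            tokens -= p.size
            transmitted.append(p)
        else:
            dropped.append(p)
    return transmitted, dropped


def shape(packets, rate_bps, burst_bytes):
    """GTS-style shaping with the same bucket, but a packet that finds too few
    tokens is queued and released once the bucket has refilled enough.
    Returns [(packet, departure_time)] in FIFO order; nothing is dropped."""
    tokens, clock = float(burst_bytes), 0.0   # clock = time of last bucket update
    out = []
    for p in packets:
        start = max(p.arrival, clock)          # FIFO: cannot leave before its predecessor
        tokens = min(burst_bytes, tokens + (start - clock) * rate_bps / 8)
        clock = start
        if p.size > tokens:                    # wait until the missing bytes have accrued
            clock += (p.size - tokens) * 8 / rate_bps
            tokens = float(p.size)
        tokens -= p.size
        out.append((p, clock))
    return out


# Constructed scenario: a burst of five 1000-byte packets arriving at once,
# against a contract of 8 kbit/s (1000 bytes/s) with a 1500-byte burst allowance.
RATE_BPS, BURST_BYTES = 8000, 1500
BURST = [Packet(0.0, 1000) for _ in range(5)]


def police_demo():
    """(transmitted, dropped) counts: only the first packet fits the burst."""
    tx, dr = police(BURST, RATE_BPS, BURST_BYTES)
    return len(tx), len(dr)


def shape_demo():
    """Departure times: the same burst leaves spaced at the committed rate."""
    return [t for _, t in shape(BURST, RATE_BPS, BURST_BYTES)]
```

The policer passes one packet and drops four; the shaper passes all five but spreads them out so that, after the initial burst allowance is spent, consecutive packets leave one second apart (1000 bytes at 1000 bytes/s). That delay is the buffering the text refers to, and it is why shaping needs queue memory while policing does not.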
IPT (voice traffic with LLQ)

  class-map match-all voice_traffic
   match access-group 120
  !
  policy-map LLQ
   class voice_traffic
    priority 200
   class class-default
    fair-queue
  !
  interface GigabitEthernet0/0
   description *** Connected to Internal Network ***
   service-policy output LLQ
  !
  interface GigabitEthernet0/1
   description *** Connected to External Network ***
   service-policy output LLQ
  !
  access-list 120 permit udp any any range 16383 32767
ACL

Access-list entries with their explanation:

  access-list 101 deny tcp any host 10.1.1.1 eq 23
  ! Or
  access-list 101 deny tcp any host 10.1.1.1 eq telnet
Packet with any source address; destination must be 10.1.1.1, with a TCP header, with destination port 23.

  access-list 101 deny udp 1.0.0.0 0.255.255.255 lt 1023 44.1.2.3 0.0.255.255
Packet with source in network 1.0.0.0 to any destination, using UDP with source port less than 1023.

  access-list 101 deny icmp 33.1.2.0 0.0.0.255 44.1.2.3 0.0.255.255 echo
Packet with source in 33.1.2.0/24 to destinations beginning 44.1, which are ICMP Echo Requests and Replies.

  ip access-list extended acls00
   permit tcp any 192.168.1.0 0.0.0.255 established
  !
  interface s0/0
   ip access-group acls00 in
Permit incoming TCP packets to the internal network only if they belong to an existing (already established) TCP connection.
Named ACL

  Router(config)#ip access-list extended barney
  Router(config-ext-nacl)#permit tcp host 10.1.1.2 eq www any
  Router(config-ext-nacl)#deny udp host 10.1.1.1 0.0.0.128 255.255.255.127
  Router(config-ext-nacl)#deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255
  Router(config-ext-nacl)#permit ip any any
Time access-list
This example denies Hypertext Transfer Protocol (HTTP) traffic on IP on Monday through Friday between the hours of 8:00 a.m. and 6:00 p.m. The example allows UDP traffic only on Saturday and Sunday from noon to 8:00 p.m.

  Switch(config)# time-range no-http
  Switch(config-time-range)# periodic weekdays 8:00 to 18:00
  !
  Switch(config)# time-range udp-yes
  Switch(config-time-range)# periodic weekend 12:00 to 20:00
  !
  Switch(config)# ip access-list extended strict
  Switch(config-ext-nacl)# deny tcp any any eq www time-range no-http
  Switch(config-ext-nacl)# permit udp any any time-range udp-yes
  !
  Switch(config-ext-nacl)# exit
  Switch(config)# interface gigabitethernet0/1
  Switch(config-if)# ip access-group strict in
Anti-spoofing ACL
To protect your router from IP spoofing (inside_subnets, other_interface_subnet and wildcard_mask are placeholders for your own addressing):

  ip access-list extended Inside-Acl
   permit ip inside_subnets wildcard_mask any
   deny ip any any log
   exit
  !
  ip access-list extended Outside-Acl
   deny ip other_interface_subnet wildcard_mask any
   deny ip 127.0.0.0 0.255.255.255 any
   deny ip host 255.255.255.255 any
   deny ip host 0.0.0.0 any
   permit ip any any
  !
  interface FastEthernet0/0
   description INSIDE
   ip access-group Inside-Acl in
   exit
  !
  interface FastEthernet0/1
   description OUTSIDE
   ip access-group Outside-Acl in
   ip verify unicast reverse-path
   exit
If your router is an Internet router, the private address ranges are filtered as well:

  ip access-list extended Inside-Acl
   ! 10.0.0.0/8 (the original cheat sheet had wildcard 0.0.0.255, which would only cover 10.0.0.0/24)
   deny ip inside_subnets wildcard_mask 10.0.0.0 0.255.255.255
   deny ip inside_subnets wildcard_mask 172.16.0.0 0.15.255.255
   deny ip inside_subnets wildcard_mask 192.168.0.0 0.0.255.255
   permit ip inside_subnets wildcard_mask any
   deny ip any any log
   exit
  !
  ip access-list extended Outside-Acl
   deny ip other_interfaces_subnets wildcard_mask any
   deny ip 127.0.0.0 0.255.255.255 any
   deny ip host 255.255.255.255 any
   deny ip host 0.0.0.0 any
   deny ip 10.0.0.0 0.255.255.255 any
   deny ip 172.16.0.0 0.15.255.255 any
   deny ip 192.168.0.0 0.0.255.255 any
   permit ip any any
  !
  interface FastEthernet0/0
   description INSIDE
   ip access-group Inside-Acl in
   exit
  !
  interface FastEthernet0/1
   description OUTSIDE
   ip access-group Outside-Acl in
   ip verify unicast reverse-path
   exit
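To check how the extended ACL entries from the ACL section and the Outside-Acl anti-spoofing list above actually classify packets, here is a small evaluator for the syntax they use. It is an added example, not code from the original cheat sheet: it parses wildcard masks, host/any, the eq/neq/lt/gt/range port operators and the established and echo keywords, and applies first-match semantics with the implicit deny at the end of every IOS ACL. The sample addresses and packets are constructed; the trailing permit ip any any in ACL 101 and the omission of the other_interface_subnet placeholder line in Outside-Acl are demo choices. One caveat the evaluator makes visible: the IOS echo keyword matches Echo Requests only, and Echo Replies are matched by the separate echo-reply keyword.

```python
"""Added example, not part of the original cheat sheet: a small evaluator for
the extended-ACL syntax the page uses (wildcard masks, host/any, eq/lt/gt/range,
first match, implicit deny at the end). Sample lists and packets are constructed."""
import ipaddress

PORT_NAMES = {"telnet": 23, "www": 80, "ftp": 21, "ftp-data": 20}


def _addr(tokens, i):
    """Parse an address spec at tokens[i]; return ((network, wildcard), next_index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wild), i + 2


def _port(tokens, i):
    """Parse an optional port operator at tokens[i]; return (predicate, next_index)."""
    if i >= len(tokens) or tokens[i] not in ("eq", "neq", "lt", "gt", "range"):
        return (lambda p: True), i
    val = lambda t: PORT_NAMES.get(t) or int(t)
    if tokens[i] == "range":
        lo, hi = val(tokens[i + 1]), val(tokens[i + 2])
        return (lambda p: lo <= p <= hi), i + 3
    n = val(tokens[i + 1])
    ops = {"eq": lambda p: p == n, "neq": lambda p: p != n,
           "lt": lambda p: p < n, "gt": lambda p: p > n}
    return ops[tokens[i]], i + 2


def parse_ace(line):
    """Parse one numbered or named-ACL entry into a dict of matchers."""
    t = line.split()
    if t[0] == "access-list":          # numbered form: drop "access-list <n>"
        t = t[2:]
    action, proto = t[0], t[1]
    src, i = _addr(t, 2)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, i = _port(t, i)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "extra": set(t[i:])}   # echo, established, log


def _in(addr, spec):
    """Wildcard match: bits set in the wildcard are ignored."""
    net, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)


def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if not _in(pkt["src"], ace["src"]) or not _in(pkt["dst"], ace["dst"]):
        return False
    if ace["proto"] in ("tcp", "udp"):
        if not ace["sport"](pkt.get("sport", 0)) or not ace["dport"](pkt.get("dport", 0)):
            return False
    if "echo" in ace["extra"] and pkt.get("icmp_type") != "echo":
        return False                   # IOS "echo" is type 8 only; replies need "echo-reply"
    if "established" in ace["extra"] and not pkt.get("established", False):
        return False
    return True


def evaluate(acl_lines, pkt):
    """First-match evaluation; returns (action, matching line) or ("deny", None)
    for the implicit deny ip any any at the end of every IOS ACL."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"], line
    return "deny", None


# The page's ACL 101 entries, plus a constructed final permit so that the demo
# shows permits as well as the implicit deny.
ACL_101 = [
    "access-list 101 deny tcp any host 10.1.1.1 eq 23",
    "access-list 101 deny udp 1.0.0.0 0.255.255.255 lt 1023 44.1.2.3 0.0.255.255",
    "access-list 101 deny icmp 33.1.2.0 0.0.0.255 44.1.2.3 0.0.255.255 echo",
    "access-list 101 permit ip any any",
]

# The page's Outside-Acl without the other_interface_subnet placeholder line.
OUTSIDE_ACL = [
    "deny ip 127.0.0.0 0.255.255.255 any",
    "deny ip host 255.255.255.255 any",
    "deny ip host 0.0.0.0 any",
    "permit ip any any",
]
```

Feeding a packet dict such as {"proto": "tcp", "src": "192.0.2.5", "dst": "10.1.1.1", "sport": 40000, "dport": 23} to evaluate(ACL_101, pkt) returns the deny from the first line, while the same packet to port 80 falls through to the permit; a packet sourced from 127.0.0.1 arriving on the outside interface is stopped by the first Outside-Acl line, which is the spoofing case that list exists for.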