
QoS







QoS FQ    

 

Fair queue

Fair queueing (WFQ) is enabled by default on physical interfaces whose bandwidth is 2.048 Mbps or less and that do not use X.25, SDLC, LAPB, tunnels, loopbacks, dialers, bridging or virtual interfaces. WFQ sorts packets into per-flow conversations and schedules among them automatically, so no access list has to be defined first.

Router(config-if)#fair-queue <1-4096>

(The argument is the congestive-discard threshold: the number of packets a high-volume conversation may have queued before its new packets are dropped; the default is 64.)

 

QoS Priority queuing  

 

Priority queuing  

Strict priority: as long as packets are waiting in the high queue they are sent first, and a lower queue is served only when every higher queue is empty, so heavy high-priority traffic can starve the lower queues.

!define an ACL, for telnet for example
access-list 101 permit tcp any any eq telnet
priority-list 1 protocol ip high list 101
!or, matching the port directly
priority-list 1 protocol ip high tcp 23
!or, if priority is assigned by incoming physical interface:
priority-list 1 interface ethernet 0 high
!then apply the list to Ethernet 0 for example
interface ethernet0
  priority-group 1
!
!other commands:
priority-list 1 default low
priority-list 1 queue-limit 20 30 60 90 (maximum packets held in the high, medium, normal and low queues)

 

 

 

 

 

QoS custom queuing     

Custom queuing

Custom queuing serves up to 16 queues round robin; for each queue you configure how many bytes are taken per pass (byte-count) and how many packets it may hold (limit), so no single queue can monopolise the interface.

access-list 101 permit tcp any any eq telnet
queue-list 1 protocol ip 5 list 101  [1: list number; 5: queue number]
!or, matching the port directly:
queue-list 1 protocol ip 5 tcp 23
!if classified by incoming physical interface:
queue-list 6 interface ethernet 0 7  [6: list number; 7: queue number]

queue-list 1 queue 5 limit 16 : limit the size of queue 5 to 16 packets
queue-list 1 queue 5 byte-count 1300 : in list 1, take 1300 bytes from queue 5 on each round-robin pass (whole packets are sent, so a packet that crosses the count is still transmitted in full)

Then apply to the interface:
!
interface ethernet0
  custom-queue-list 1
!
other commands:
queue-list 1 default 5 (queue for packets that match no entry; the default queue is 1)
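An added toy scheduler (example code, not from the original page) for the priority queuing and custom queuing sections above: priority_dequeue() models the strict-priority behaviour of priority-list, custom_dequeue() the byte-count round robin of queue-list. The queue contents and the two-queue setup (telnet in queue 5, FTP in queue 6, both byte-count 1300) are constructed for the example.

```python
from collections import deque

def priority_dequeue(queues, n):
    """Strict priority: queues is a dict ordered high..low, each a deque of
    (tag, bytes). A lower queue is served only when all higher ones are empty."""
    out = []
    while len(out) < n:
        q = next((q for q in queues.values() if q), None)
        if q is None:
            break
        out.append(q.popleft())
    return out

def custom_dequeue(queues, byte_counts, n):
    """Custom queuing: visit queues round robin; from each, send whole packets
    until at least byte_counts[q] bytes went out in this pass. Packets are not
    split, so a 1500-byte packet is sent in full even on a 1300-byte count."""
    out = []
    while len(out) < n and any(queues.values()):
        for qnum, q in queues.items():
            sent = 0
            while q and sent < byte_counts[qnum]:
                pkt = q.popleft()
                sent += pkt[1]
                out.append(pkt)
    return out[:n]

def build_queues():
    """Constructed backlog: 30 telnet packets of 64 bytes and 10 FTP packets
    of 1500 bytes, both queues already full when scheduling starts."""
    telnet = deque([("telnet", 64)] * 30)
    ftp = deque([("ftp", 1500)] * 10)
    return telnet, ftp

def demo_priority(n=12):
    """priority-list: telnet high, ftp low. FTP gets nothing while telnet waits."""
    telnet, ftp = build_queues()
    return [tag for tag, _ in priority_dequeue({"high": telnet, "low": ftp}, n)]

def demo_custom(n=22):
    """queue-list 1: queue 5 (telnet) and queue 6 (ftp), both byte-count 1300."""
    telnet, ftp = build_queues()
    sched = custom_dequeue({5: telnet, 6: ftp}, {5: 1300, 6: 1300}, n)
    return [tag for tag, _ in sched]
```

With byte-count 1300, one pass sends 21 telnet packets (1344 bytes, the 21st crosses the count) and then one whole 1500-byte FTP packet.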

 

 

 

 

 

 

 

QoS bandwidth reservation

 

Bandwidth reservation (from Cisco discussion forum)

1- classify your traffic using classes:
class-map match-all webtraffic
match access-group 101

class-map match-all oracle-traffic
match access-group 102

2- create the access-lists that contain or constrain the traffic defined above: HTTP for web, and the port and transport that Oracle uses for oracle-traffic ...
access-list 101....
access-list 102....

3- create a policy map to give a bandwidth and a priority to your traffic using policy-map
policy-map outbound-policy
class webtraffic (the classes you've created before)
bandwidth 25 percent

class oracle-traffic
bandwidth 50 percent

(don't go over 75 percent of the total bandwidth)

4- apply the policy to the outgoing interface

interface serial
service-policy output outbound-policy

In this example, we shape all the traffic to the line speed (16M), reserve 4M for DB, limit camera traffic to 256K and apply fair queue to the remaining. The child policy must be referenced by its exact name (policy-map names are case sensitive), and the bandwidth command takes kbps, so 4096 is the 4M reservation.

access-list 195 permit ip 100.0.0.0 0.255.255.255 any
access-list 100 permit ip host 172.24.1.1 10.0.0.0 0.255.255.255
!
class-map All-Traffic
 match any
!
class-map match-all Camera_traffic
 match access-group 100
!
class-map match-all DB_traffic
 match access-group 195
!
policy-map G01-Policy
 class All-Traffic
  shape average 16000000
  service-policy outbound-policy
!
policy-map outbound-policy
 class DB_traffic
  bandwidth 4096
 class Camera_traffic
  police cir 256000
 class class-default
  fair-queue
!
interface GigabitEthernet0/1
 service-policy output G01-Policy

 

GTS

Generic Traffic Shaping (GTS)

GTS limits traffic bursts. It is important to understand that this is not a policing scheme, just a shaping mechanism: packets above the configured rate are held in a buffer and sent later, not dropped. The arguments are the target bit rate, the sustained burst (Bc) and the excess burst (Be), all in bits.

In this example Ethernet 0 is configured to limit FTP traffic (selected by access list 100) to 2 Mbps, and Ethernet 1 is configured to limit all output to 7 Mbps.

Apply it to the outside interface.

access-list 100 permit tcp any any eq ftp
access-list 100 permit tcp any any eq ftp-data
!
interface Ethernet0
 traffic-shape group 100 2000000 250000 250000
!
interface Ethernet1
 traffic-shape rate 7000000 875000 755000

 

FRTS

FRTS (Frame relay traffic shaping)

FRTS-enabled routers use received Backward Explicit Congestion Notification (BECN) information as input to manage the outbound traffic: with adaptive shaping, the send rate on a PVC is throttled from the peak rate toward the CIR while BECN-marked frames keep arriving. The map-class is applied to each subinterface (and so to its DLCI), so every PVC gets its own shaping parameters.

interface serial 0
  encapsulation frame-relay
  frame-relay traffic-shaping
!
interface serial 0.1 point-to-point
  ip address 192.168.100.5 255.255.255.252
  frame-relay interface-dlci 100
  frame-relay class 128kb
!
interface serial 0.2 point-to-point
  ip address 192.168.100.9 255.255.255.252
  frame-relay interface-dlci 200
  frame-relay class 512kb
!
!CIR 128k Peak 256K
map-class frame-relay 128kb
  frame-relay traffic-rate 128000 256000
  frame-relay adaptive-shaping becn
!
!CIR 512k Peak 1024K
map-class frame-relay 512kb
  frame-relay traffic-rate 512000 1024000
  frame-relay adaptive-shaping becn

 

RSVP

RSVP

interface Serial0
 no ip address
 encapsulation frame-relay
 frame-relay lmi-type ansi
 ! the physical interface makes all of its bandwidth reservable: 1158 kbps in total, 1158 kbps for a single flow
 ip rsvp bandwidth 1158 1158
 ip rsvp signalling dscp 0
!
interface Serial0.1 point-to-point
 ip address 192.168.1.150 255.255.255.252
 frame-relay interface-dlci 100
 ! on the subinterface RSVP may reserve up to 500 kbps in total; the largest bandwidth a single flow can reserve is 250 kbps
 ip rsvp bandwidth 500 250
 ! to control which RSVP neighbors may make requests, use the ip rsvp neighbor access-list-number command
 ip rsvp neighbor 50
!
access-list 50 permit 192.168.1.1

 

 

CAR

CAR (Committed access rate)

The difference between CAR and traffic shaping is that CAR is a policing scheme. CAR sets maximum limits on traffic but does not shape traffic to a specified rate: traffic that exceeds the rate is typically dropped, whereas traffic shaping holds excess packets in a buffer and delays them to smooth the flow. The rate-limit arguments are the average rate in bits per second, the normal burst in bytes and the maximum (excess) burst in bytes.

interface Hssi0/0/0
 description 45Mbps Link with CAR
 ip address 1.1.1.1 255.255.255.252
 rate-limit input access-group 1 25000000 30000 30000 conform-action transmit exceed-action drop
 rate-limit output access-group 1 25000000 30000 30000 conform-action transmit exceed-action drop
!
access-list 1 permit 192.168.1.0 0.0.0.255
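The policing-versus-shaping distinction drawn in the GTS and CAR sections above, as an added Python model that is not part of the original page: a single token bucket at the GTS example's 2 Mbps rate and 250000-bit burst, driven once as a CAR-style policer (excess dropped) and once as a GTS-style shaper (excess delayed). The packet burst is constructed.

```python
from dataclasses import dataclass, field

@dataclass
class TokenBucket:
    rate_bps: float                 # committed rate, bits per second
    burst_bits: float               # bucket depth Bc, bits
    tokens: float = field(init=False)
    last_t: float = 0.0

    def __post_init__(self):
        self.tokens = self.burst_bits          # bucket starts full

    def refill(self, now):
        self.tokens = min(self.burst_bits,
                          self.tokens + (now - self.last_t) * self.rate_bps)
        self.last_t = now

def police(packets, rate_bps, burst_bits):
    """CAR-like policer: a (time_s, size_bytes) packet is transmitted only if
    enough tokens exist right now, otherwise dropped (exceed-action drop).
    Returns (bytes_sent, bytes_dropped)."""
    tb = TokenBucket(rate_bps, burst_bits)
    sent = dropped = 0
    for t, size in packets:
        tb.refill(t)
        if size * 8 <= tb.tokens:
            tb.tokens -= size * 8
            sent += size
        else:
            dropped += size
    return sent, dropped

def shape(packets, rate_bps, burst_bits):
    """GTS-like shaper: nothing is dropped; a packet short of tokens waits in
    a FIFO until the rate has refilled the shortfall. Returns departure times."""
    tb = TokenBucket(rate_bps, burst_bits)
    clock, departures = 0.0, []
    for t, size in packets:
        clock = max(clock, t)                  # not before arrival or predecessor
        tb.refill(clock)
        shortfall = size * 8 - tb.tokens
        if shortfall > 0:
            clock += shortfall / rate_bps      # delay instead of drop
            tb.refill(clock)
        tb.tokens -= size * 8
        departures.append(clock)
    return departures

# Constructed burst: 50 packets of 1500 bytes (600000 bits) all arriving at
# t=0, offered to the page's 2 Mbps / Bc 250000-bit configuration.
BURST = [(0.0, 1500)] * 50
RATE, BC = 2_000_000, 250_000
```

The policer passes the 20 packets that fit the burst and drops the other 30; the shaper sends the same 20 at once and spaces the rest 6 ms apart, so the last one leaves at 175 ms.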

 

 

IPT Priority

Low latency queuing (LLQ): the priority command gives the voice class a strict-priority queue, here up to 200 kbps; during congestion voice traffic above that rate is policed (dropped) so the priority queue cannot starve the other classes. Access list 120 selects the UDP port range used by RTP voice streams.

class-map match-all voice_traffic
 match access-group 120
!
policy-map LLQ
 class voice_traffic
  priority 200
 class class-default
  fair-queue
!
interface GigabitEthernet0/0
 description *** Connected to Internal Network ***
 service-policy output LLQ
!
interface GigabitEthernet0/1
 description *** Connected to External Network ***
 service-policy output LLQ
!
access-list 120 permit udp any any range 16383 32767

 

 

 

 

 

Access-list

ACL / Explanation

access-list 101 deny tcp any host 10.1.1.1 eq 23
or
access-list 101 deny tcp any host 10.1.1.1 eq telnet
Packet with any source address; destination must be 10.1.1.1, with a TCP header, with destination port 23.

access-list 101 deny udp 1.0.0.0 0.255.255.255 lt 1023 44.1.2.3 0.0.255.255
Packet with source in network 1.0.0.0 (wildcard 0.255.255.255, so any 1.x.x.x) to destinations beginning 44.1, using UDP with source port less than 1023 (the lt 1023 follows the source address, so it applies to the source port).

access-list 101 deny icmp 33.1.2.0 0.0.0.255 44.1.2.3 0.0.255.255 echo
Packet with source in 33.1.2.0/24 to destinations beginning 44.1, which are ICMP Echo Requests and Replies.

ip access-list extended acls00
   permit tcp any 192.168.1.0 0.0.0.255 established
!
interface s0/0
  ip access-group acls00 in
Permit incoming TCP packets into the internal network only if they belong to an existing TCP connection (the established keyword matches segments with the ACK or RST bit set, so a new SYN from outside falls through to the implicit deny).

 

  

Named access-list   

Named ACL

Router(config)#ip access-list extended barney
Router(config-ext-nacl)#permit tcp host 10.1.1.2 eq www any
Router(config-ext-nacl)#deny udp host 10.1.1.1 0.0.0.128 255.255.255.127
Router(config-ext-nacl)#deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255
Router(config-ext-nacl)#permit ip any any

 

 

Time access-list

This example denies Hypertext Transfer Protocol (HTTP) traffic on IP on Monday through Friday between the hours of 8:00 a.m. and 6:00 p.m. The example allows UDP traffic only on Saturday and Sunday from noon to 8:00 p.m. Because the list ends without a permit ip any any, everything not explicitly permitted (including HTTP outside the no-http range) is dropped by the implicit deny; time ranges also depend on the switch clock, so keep it synchronised.

Switch(config)# time-range no-http
Switch(config-time-range)# periodic weekdays 8:00 to 18:00
!
Switch(config)# time-range udp-yes
Switch(config-time-range)# periodic weekend 12:00 to 20:00
!
Switch(config)# ip access-list extended strict
Switch(config-ext-nacl)# deny tcp any any eq www time-range no-http
Switch(config-ext-nacl)# permit udp any any time-range udp-yes
!
Switch(config-ext-nacl)# exit
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ip access-group strict in

 

 

Anti-spoofing ACL

 

To protect the network behind your router from IP spoofing: on the inside interface accept only packets whose source is an inside subnet, and on the outside interface drop packets that claim an inside source, a loopback source, or a broadcast or unspecified source. (inside_subnets / wildcard_mask and other_interface_subnet / wildcard_mask are placeholders for your own addresses.)

ip access-list extended Inside-Acl
   permit ip inside_subnets wildcard_mask any
   deny ip any any log
exit
!
ip access-list extended Outside-Acl
  deny ip other_interface_subnet wildcard_mask any
  deny ip 127.0.0.0 0.255.255.255 any
  deny ip host 255.255.255.255 any
  deny ip host 0.0.0.0 any
  permit ip any any

interface FastEthernet0/0
 description INSIDE
 ip access-group Inside-Acl in
 exit
!
interface FastEthernet0/1
 description OUTSIDE
 ip access-group Outside-Acl in
 ip verify unicast reverse-path
 exit

(ip verify unicast reverse-path enables strict unicast RPF: a packet is dropped when the route back to its source address does not point out the interface it arrived on, which catches spoofed sources the static list does not name. Use it with care where routing is asymmetric.)

If your router is an internet router, also drop the RFC 1918 private ranges in both directions (10.0.0.0/8 is wildcard 0.255.255.255):

ip access-list extended Inside-Acl
  deny ip inside_subnets wildcard_mask 10.0.0.0 0.255.255.255
  deny ip inside_subnets wildcard_mask 172.16.0.0 0.15.255.255
  deny ip inside_subnets wildcard_mask 192.168.0.0 0.0.255.255
  permit ip inside_subnets wildcard_mask any
  deny ip any any log
exit
!
ip access-list extended Outside-Acl
  deny ip other_interfaces_subnets wildcard_mask any
  deny ip 127.0.0.0 0.255.255.255 any
  deny ip host 255.255.255.255 any
  deny ip host 0.0.0.0 any
  deny ip 10.0.0.0 0.255.255.255 any
  deny ip 172.16.0.0 0.15.255.255 any
  deny ip 192.168.0.0 0.0.255.255 any
  permit ip any any
!
interface FastEthernet0/0
 description INSIDE
 ip access-group Inside-Acl in
 exit
!
interface FastEthernet0/1
 description OUTSIDE
 ip access-group Outside-Acl in
 ip verify unicast reverse-path
 exit
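An added Python evaluator (not the page's own code) for the extended-ACL entries in the Access-list and Anti-spoofing sections above, so that wildcard masks, port operators, established and the implicit deny can be checked offline. outside_acl() fills the page's Outside-Acl placeholders with an inside subnet you supply; the 192.0.2.0/24 used in the test is a constructed value, and ICMP type keywords such as echo are parsed but not evaluated.

```python
import ipaddress
PORT_NAMES = {"telnet": 23, "www": 80, "ftp": 21, "ftp-data": 20}
_ip = lambda s: int(ipaddress.IPv4Address(s))

def _addr(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (matcher, remaining tokens)."""
    if tok[0] == "any":
        return (lambda a: True), tok[1:]
    if tok[0] == "host":
        h = _ip(tok[1]); return (lambda a: a == h), tok[2:]
    net, wild = _ip(tok[0]), _ip(tok[1])
    # wildcard bit 1 = don't care: compare only the bits where the wildcard is 0
    return (lambda a: (a & ~wild) == (net & ~wild)), tok[2:]

def _port(tok):
    """Consume an optional eq/lt/gt/range operator; return (matcher, remaining)."""
    val = lambda p: PORT_NAMES.get(p) or int(p)
    if tok and tok[0] in ("eq", "lt", "gt"):
        n, op = val(tok[1]), tok[0]
        return (lambda p: p == n if op == "eq" else p < n if op == "lt" else p > n), tok[2:]
    if tok and tok[0] == "range":
        lo, hi = val(tok[1]), val(tok[2]); return (lambda p: lo <= p <= hi), tok[3:]
    return (lambda p: True), tok

def parse_ace(line):
    t = line.split()
    if t[0] == "access-list": t = t[2:]      # numbered form: skip keyword and number
    action, proto = t[0], t[1]
    src, t = _addr(t[2:]); sport, t = _port(t)
    dst, t = _addr(t);     dport, t = _port(t)
    # trailing keywords (ICMP types such as 'echo', or 'log') are not evaluated here
    return action, proto, src, sport, dst, dport, "established" in t

def evaluate(acl_lines, pkt):
    """Top down, first match wins, implicit deny at the end, as on IOS."""
    s, d = _ip(pkt["src"]), _ip(pkt["dst"])
    for action, proto, src, sport, dst, dport, est in map(parse_ace, acl_lines):
        if proto not in ("ip", pkt["proto"]) or not (src(s) and dst(d)):
            continue
        if proto in ("tcp", "udp") and not (
                sport(pkt.get("sport", 0)) and dport(pkt.get("dport", 0))):
            continue
        if est and not pkt.get("ack", False):  # established = ACK or RST already set
            continue
        return action
    return "deny"

def outside_acl(inside_net, inside_wild):
    """The page's Outside-Acl with its inside-subnet placeholder filled in."""
    return [f"deny ip {inside_net} {inside_wild} any", "deny ip 127.0.0.0 0.255.255.255 any",
            "deny ip host 255.255.255.255 any", "deny ip host 0.0.0.0 any", "permit ip any any"]
```

A packet arriving on the outside interface with an inside, loopback or unspecified source is denied before the final permit; an inbound SYN against the established list is denied by the implicit deny even though its port matches.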