QoS for AToM

April 16, 2010 at 12:48 am | Posted in MPLS, QoS

Topology

Add R5 as a P router between R1 & R2 in the previous lab, so that we can monitor packets based on MPLS EXP bits.

R3 —— R1 —— R5 —— R2 —— R4

Configuration


R3#

class-map TELNET
 match protocol telnet

class-map ICMP
 match protocol icmp

class-map ANY
 match any
policy-map SET_COS

class TELNET
 set cos 5

class ICMP
 set cos 1

class ANY
 set cos 2

interface FastEthernet0/0.100
 encapsulation dot1Q 100
 ip address 34.0.0.3 255.255.255.0
 service-policy output SET_COS

R1#
class-map COS7
 match cos 7
class-map COS6
 match cos 6
class-map COS5
 match cos 5
class-map COS4
 match cos 4
class-map COS3
 match cos 3
class-map COS2
 match cos 2
class-map COS1
 match cos 1
class-map COS0
 match cos 0

policy-map ETHERNET_OVER_MPLS

class COS7
 set mpls experimental 7
class COS6
 set mpls experimental 6
class COS5
 set mpls experimental 5
class COS4
 set mpls experimental 4
class COS3
 set mpls experimental 3
class COS2
 set mpls experimental 2
class COS1
 set mpls experimental 1
class COS0
 set mpls experimental 0

!
interface FastEthernet0/1.100
 description Connect to R3 via VLAN 100
 encapsulation dot1Q 100
 service-policy input ETHERNET_OVER_MPLS
 no cdp enable
 xconnect 2.2.2.2 1000 pw-class AToM

R5#
no class-map match-all EXP7
no class-map match-all EXP6
no class-map match-all EXP5
no class-map match-all EXP4
no class-map match-all EXP3
no class-map match-all EXP2
no class-map match-all EXP1
no class-map match-all EXP0

class-map match-all EXP7
  match mpls experimental topmost 7
class-map match-all EXP6
  match mpls experimental topmost 6
class-map match-all EXP5
  match mpls experimental topmost 5
class-map match-all EXP4
  match mpls experimental topmost 4
class-map match-all EXP3
  match mpls experimental topmost 3
class-map match-all EXP2
  match mpls experimental topmost 2
class-map match-all EXP1
  match mpls experimental topmost 1
class-map match-all EXP0
  match mpls experimental topmost 0
no policy-map EXP_COUNTERS

policy-map EXP_COUNTERS
class EXP7
class EXP6
class EXP5
class EXP4
class EXP3
class EXP2
class EXP1
class EXP0
class class-default
int fa0/0
 service-policy input EXP_COUNTERS
 service-policy output EXP_COUNTERS

Verification

Rack1R3#ping 34.0.0.4 rep 100

Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 34.0.0.4, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 8/32/84 ms
Rack1R3#telnet 34.0.0.4
Trying 34.0.0.4 … Open

Rack1R4>
Rack1R4>
Rack1R4>
Rack1R4>exit

[Connection to 34.0.0.4 closed by foreign host]
Rack1R3#telnet 34.0.0.4 80
Trying 34.0.0.4, 80 …
% Connection refused by remote host

Rack1R3#telnet 34.0.0.4 80
Trying 34.0.0.4, 80 …
% Connection refused by remote host

Rack1R3#
Rack1R3#
Rack1R3#sh policy-map interface
 FastEthernet0/0.100

  Service-policy output: SET_COS

    Class-map: TELNET (match-all)
      21 packets, 1350 bytes

      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol telnet
      QoS Set
        cos 5
          Packets marked 21

    Class-map: ICMP (match-all)
      100 packets, 11800 bytes

      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol icmp
      QoS Set
        cos 1
          Packets marked 100

    Class-map: ANY (match-all)
      2 packets, 128 bytes

      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
      QoS Set
        cos 2
          Packets marked 2

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

Rack1R1#sh policy-map interface

 FastEthernet0/1.100

  Service-policy input: ETHERNET_OVER_MPLS

    Class-map: COS7 (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: cos  7
      QoS Set
        mpls experimental imposition 7
           Packets marked 0

    Class-map: COS6 (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: cos  6
      QoS Set
        mpls experimental imposition 6
           Packets marked 0

    Class-map: COS5 (match-all)
      21 packets, 1350 bytes

      5 minute offered rate 0 bps, drop rate 0 bps
      Match: cos  5
      QoS Set
        mpls experimental imposition 5
           Packets marked 21

    Class-map: COS4 (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: cos  4
      QoS Set
        mpls experimental imposition 4
           Packets marked 0

    Class-map: COS3 (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: cos  3
      QoS Set
        mpls experimental imposition 3
           Packets marked 0
    Class-map: COS2 (match-all)
      2 packets, 128 bytes

      5 minute offered rate 0 bps, drop rate 0 bps
      Match: cos  2
      QoS Set
        mpls experimental imposition 2
           Packets marked 2

    Class-map: COS1 (match-all)
      100 packets, 11800 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: cos  1
      QoS Set
        mpls experimental imposition 1
           Packets marked 100

    Class-map: COS0 (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: cos  0
      QoS Set
        mpls experimental imposition 0

           Packets marked 0

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

Rack1R5#sh policy-map interface fa0/0 input

 FastEthernet0/0

  Service-policy input: EXP_COUNTERS

    Class-map: EXP7 (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps
      Match: mpls experimental topmost 7

    Class-map: EXP6 (match-all) ! ROUTING(?) & CONTROL TRAFFIC
      36 packets, 2780 bytes

      5 minute offered rate 0 bps
      Match: mpls experimental topmost 6

    Class-map: EXP5 (match-all) ! Telnet
      21 packets, 1518 bytes

      5 minute offered rate 0 bps
      Match: mpls experimental topmost 5

    Class-map: EXP4 (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps

      Match: mpls experimental topmost 4

    Class-map: EXP3 (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps
      Match: mpls experimental topmost 3

    Class-map: EXP2 (match-all) ! TCP PORT 80 generated via telnet 34.0.0.4 80
      2 packets, 144 bytes

      5 minute offered rate 0 bps
      Match: mpls experimental topmost 2

    Class-map: EXP1 (match-all) ! Pings
      100 packets, 12600 bytes

      5 minute offered rate 0 bps
      Match: mpls experimental topmost 1

    Class-map: EXP0 (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps
      Match: mpls experimental topmost 0
    Class-map: class-default (match-any) ! Plain IP TRAFFIC (not MPLS)
      8 packets, 528 bytes

      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
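As an added example (not part of the original post), the following Python script parses the R1 and R5 "show policy-map interface" excerpts above and reconciles them: every CoS class marked at the PE should reappear with the same packet count under the corresponding topmost-EXP class on the P router, and the per-packet byte difference between the two counters reveals the depth of the label stack. The sample text is copied from the outputs above (zero-count classes omitted); EXP values counted at R5 that R1 never imposed (EXP 6, the routers' own control traffic) are reported separately, since marking the core can only see is worth checking against what the edge actually set.

```python
import re

# Excerpts of the R1 (PE, imposition) and R5 (P, topmost EXP) outputs shown
# above; classes with zero counters are omitted for brevity.
R1_OUTPUT = """\
  Service-policy input: ETHERNET_OVER_MPLS
    Class-map: COS5 (match-all)
      21 packets, 1350 bytes
      Match: cos  5
      QoS Set
        mpls experimental imposition 5
           Packets marked 21
    Class-map: COS2 (match-all)
      2 packets, 128 bytes
      Match: cos  2
      QoS Set
        mpls experimental imposition 2
           Packets marked 2
    Class-map: COS1 (match-all)
      100 packets, 11800 bytes
      Match: cos  1
      QoS Set
        mpls experimental imposition 1
           Packets marked 100
"""

R5_OUTPUT = """\
  Service-policy input: EXP_COUNTERS
    Class-map: EXP6 (match-all)
      36 packets, 2780 bytes
      Match: mpls experimental topmost 6
    Class-map: EXP5 (match-all)
      21 packets, 1518 bytes
      Match: mpls experimental topmost 5
    Class-map: EXP2 (match-all)
      2 packets, 144 bytes
      Match: mpls experimental topmost 2
    Class-map: EXP1 (match-all)
      100 packets, 12600 bytes
      Match: mpls experimental topmost 1
"""

PE_EXP = r"mpls experimental imposition (\d)"   # what the PE sets on imposition
P_EXP = r"mpls experimental topmost (\d)"       # what the P router classifies on
LABEL_LEN = 4                                   # bytes per MPLS shim header


def parse_policy(output, exp_pattern):
    """Return {exp: (packets, bytes)} for every class-map in a
    'show policy-map interface' dump whose body matches exp_pattern."""
    counters = {}
    for block in re.split(r"\n\s*Class-map: ", "\n" + output)[1:]:
        cnt = re.search(r"(\d+) packets, (\d+) bytes", block)
        exp = re.search(exp_pattern, block)
        if cnt and exp:
            counters[int(exp.group(1))] = (int(cnt.group(1)), int(cnt.group(2)))
    return counters


def reconcile(pe, p):
    """For each EXP imposed at the PE, report whether the P router saw the
    same number of packets and how many 4-byte labels the byte delta implies
    (None when packet counts differ or the delta is not a whole label stack)."""
    report = {}
    for exp, (pe_pkts, pe_bytes) in pe.items():
        p_pkts, p_bytes = p.get(exp, (0, 0))
        labels = None
        if pe_pkts and pe_pkts == p_pkts:
            delta = p_bytes - pe_bytes
            if delta >= 0 and delta % (pe_pkts * LABEL_LEN) == 0:
                labels = delta // (pe_pkts * LABEL_LEN)
        report[exp] = (pe_pkts == p_pkts, labels)
    return report


def unexplained_exp(pe, p):
    """EXP values counted in the core that no customer class imposed; in this
    lab that is EXP 6, the routers' own control-plane traffic."""
    return sorted(exp for exp, (pkts, _) in p.items() if pkts and exp not in pe)


if __name__ == "__main__":
    pe, p = parse_policy(R1_OUTPUT, PE_EXP), parse_policy(R5_OUTPUT, P_EXP)
    for exp, (ok, labels) in sorted(reconcile(pe, p).items()):
        state = "match" if ok else "MISMATCH"
        print(f"EXP {exp}: packets {state}, label stack depth {labels}")
    print("EXP seen only in the core:", unexplained_exp(pe, p))
```

For every marked class the script finds a delta of exactly 8 bytes per packet, i.e. a two-label stack (transport label plus pseudowire VC label) with no control word.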

Reference

http://fengnet.com/book/IOS_MPLS/ch13lev1sec6.html

Switchport operational mode on a port with an IP Phone connected

October 26, 2008 at 1:36 am | Posted in QoS, Switching

What is the default switchport mode when you connect an IP Phone to a Cisco switch? It should be trunk, shouldn't it? Otherwise, how can it carry two VLANs, one for voice and one for data?

The “show interface switchport” output seems to show the contrary.

SW2 (fa0/1) -------- IP Phone --------- BB1 (simulating a PC)

Rack1SW2#sh cdp nei | in Phone
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
SEP0002B9BBCCF9     Fas 0/1               160            H P      IP Phone 7Port 1
BB1#sh cdp nei | in Phone
SEP0002B9BBCCF9     Eth 0              173          H        IP Phone  Port 2

Rack1SW2#sh arp         
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.0.2                0   00e0.1e67.f6fe  ARPA   Vlan10
Internet  10.0.0.1                -   0014.a86b.df46  ARPA   Vlan10
Internet  20.0.0.1                -   0014.a86b.df47  ARPA   Vlan20
Internet  20.0.0.2                0   0002.b9ac.1af9  ARPA   Vlan20

Rack1SW2#sh run int fa0/1
Building configuration...

Current configuration : 86 bytes
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport voice vlan 20
end

Rack1SW2#sb
Interface              IP-Address      OK? Method Status                Protocol
Vlan8                  155.1.8.8       YES NVRAM  up                    up     
Vlan10                 10.0.0.1        YES manual up                    up     
Vlan20                 20.0.0.1        YES manual up                    up   

Rack1SW2#ping 10.0.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
Rack1SW2#ping 20.0.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms

Rack1SW2#sh int fa0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 10 (VLAN0010)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: 20 (VLAN0020)
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

Catalyst QoS: VLAN Access-map for IP traffic filtering

September 12, 2008 at 3:31 pm | Posted in QoS, Switching

Task: Configure a VLAN access-map that only allows Telnet, ping and routing (OSPF) traffic within VLAN 145.

If the default action of the VLAN access-map is drop, then we need to explicitly permit ARP frames as well; otherwise two PC hosts within VLAN 145 won't be able to ARP for each other's MAC address, and the connectivity between them will fail.

Configuration

access-list 100 permit tcp any any eq telnet
access-list 100 permit tcp any eq telnet any
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit ospf any any

!
mac access-list extended ARP
 permit any any 0x806 0x0
!
vlan access-map VLAN145_FILTER 10
 action forward
 match ip address 100
vlan access-map VLAN145_FILTER 15
 action forward
 match mac address ARP
vlan access-map VLAN145_FILTER 20
 action drop
!
vlan filter VLAN145_FILTER vlan-list 145

Catalyst QoS – Using Hierarchical Policy-Maps for Policing Markdown on 3560

September 12, 2008 at 11:44 am | Posted in QoS, Switching

Configuration

SW2#
class-map match-all IP_TRAFFIC
 match access-group 100
class-map match-all INPUT_INTERFACES
 match input-interface  FastEthernet0/13 - FastEthernet0/15
!
!
policy-map POLICE_32K
 class INPUT_INTERFACES
  police 32000 8000 exceed-action policed-dscp-transmit
policy-map POLICE_64K
 class INPUT_INTERFACES
  police 64000 8000 exceed-action policed-dscp-transmit
policy-map POLICE_VLAN200
 class IP_TRAFFIC
  set ip precedence 5
  service-policy POLICE_64K
policy-map POLICE_VLAN100
 class IP_TRAFFIC
  set ip precedence 4
  service-policy POLICE_32K

mls qos map policed-dscp  32 to 24
mls qos map policed-dscp  40 to 32
mls qos

interface range fa0/13-15
 mls qos vlan-based

interface Vlan100
 service-policy input POLICE_VLAN100
!
interface Vlan200
 service-policy input POLICE_VLAN200

Verification

SW1#ping 200.0.0.4 rep 100

Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 200.0.0.4, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/2/9 ms

SW2#sh mls qos interface fa0/4 statistics
FastEthernet0/4 (All statistics are in packets)

  dscp: incoming 
-------------------------------

  0 -  4 :           0            0            0            0            0 
  5 -  9 :           0            0            0            0            0 
 10 - 14 :           0            0            0            0            0 
 15 - 19 :           0            0            0            0            0 
 20 - 24 :           0            0            0            0            0 
 25 - 29 :           0            0            0            0            0 
 30 - 34 :           0            0           18            0            0 
 35 - 39 :           0            0            0            0            0 
 40 - 44 :          82            0            0            0            0 
 45 - 49 :           0            0            0            0            0 
 50 - 54 :           0            0            0            0            0 
 55 - 59 :           0            0            0            0            0 
 60 - 64 :           0            0            0            0 
  dscp: outgoing
-------------------------------

  0 -  4 :           0            0            0            0            0 
  5 -  9 :           0            0            0            0            0 
 10 - 14 :           0            0            0            0            0 
 15 - 19 :           0            0            0            0            0 
 20 - 24 :           0            0            0            0            0 
 25 - 29 :           0            0            0            0            0 
 30 - 34 :           0            0           18            0            0 
 35 - 39 :           0            0            0            0            0 
 40 - 44 :          82            0            0            0            0 
 45 - 49 :           0            0            0            0            0 
 50 - 54 :           0            0            0            0            0 
 55 - 59 :           0            0            0            0            0 
 60 - 64 :           0            0            0            0 
  cos: incoming 
-------------------------------

  0 -  4 :         102            0            0            0            0 
  5 -  7 :           0            0            0 
  cos: outgoing
-------------------------------

  0 -  4 :           0            0            0            0           18 
  5 -  7 :          82            0            0 
Policer: Inprofile:            0 OutofProfile:            0 

SW2#clear mls qos int statistic

SW1#ping 100.0.0.4 rep 100

Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 100.0.0.4, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/3/9 ms

SW2#sh mls qos interface fa0/4 statistics          
FastEthernet0/4 (All statistics are in packets)

  dscp: incoming 
-------------------------------

  0 -  4 :           0            0            0            0            0 
  5 -  9 :           0            0            0            0            0 
 10 - 14 :           0            0            0            0            0 
 15 - 19 :           0            0            0            0            0 
 20 - 24 :           0            0            0            0           26 
 25 - 29 :           0            0            0            0            0 
 30 - 34 :           0            0           74            0            0 
 35 - 39 :           0            0            0            0            0 
 40 - 44 :           0            0            0            0            0 
 45 - 49 :           0            0            0            0            0 
 50 - 54 :           0            0            0            0            0 
 55 - 59 :           0            0            0            0            0 
 60 - 64 :           0            0            0            0 
  dscp: outgoing
-------------------------------

  0 -  4 :           0            0            0            0            0 
  5 -  9 :           0            0            0            0            0 
 10 - 14 :           0            0            0            0            0 
 15 - 19 :           0            0            0            0            0 
 20 - 24 :           0            0            0            0           26 
 25 - 29 :           0            0            0            0            0 
 30 - 34 :           0            0           74            0            0 
 35 - 39 :           0            0            0            0            0 
 40 - 44 :           0            0            0            0            0 
 45 - 49 :           0            0            0            0            0 
 50 - 54 :           0            0            0            0            0 
 55 - 59 :           0            0            0            0            0 
 60 - 64 :           0            0            0            0 
  cos: incoming 
-------------------------------

  0 -  4 :         109            0            0            0            0 
  5 -  7 :           0            0            0 
  cos: outgoing
-------------------------------

  0 -  4 :           0            0            0           26           74 
  5 -  7 :           0            0            0 
Policer: Inprofile:            0 OutofProfile:            0

SW2#show mls qos maps policed-dscp 
   Policed-dscp map:
     d1 :  d2 0  1  2  3  4  5  6  7  8  9 
     ---------------------------------------
      0 :    00 01 02 03 04 05 06 07 08 09 
      1 :    10 11 12 13 14 15 16 17 18 19 
      2 :    20 21 22 23 24 25 26 27 28 29 
      3 :    30 31 24 33 34 35 36 37 38 39 
      4 :    32 41 42 43 44 45 46 47 48 49 
      5 :    50 51 52 53 54 55 56 57 58 59 
      6 :    60 61 62 63

Doc CD Navigation

  • Catalyst 3560 Switch Software Configuration Guide, Rel. 12.2(46)S
  • Configuring QoS
  • Configuring Standard QoS
    • Configuring a QoS Policy
      • Classifying, Policing, and Marking Traffic on SVIs by Using Hierarchical Policy Maps
    • Configuring DSCP Maps
      • Configuring the Policed-DSCP Map

Catalyst QoS – Per port, Per VLAN classification

September 11, 2008 at 5:26 pm | Posted in QoS, Switching | 1 Comment

Configure SW3 to mark traffic coming in on the trunk interface Fa0/16 from VLAN 201 to IP Precedence 1, and from VLAN 202 to IP Precedence 2.

Topology:

VLAN201          VLAN201
  |                 |
  |                 |
  |                 |
SW2 ------------- SW3
  |                 |
  |                 |
  |                 |
VLAN202          VLAN202

Configuration

SW3#

!
class-map match-all VLAN202
match vlan  202
class-map match-all VLAN201
match vlan  201
!
!
policy-map MARK_PREC
 class VLAN201
  set ip precedence 1
 class VLAN202
  set ip precedence 2

!

Note that within a class-map, "match vlan" has to be followed by a "match class-map" (nested configuration). See the wrong configuration example without "match class-map" (above) and the error message when the service policy is applied to the interface:

SW3(config)#int fa0/16
SW3(config-if)#service-policy input MARK_PREC
QoS: match class-map must follow match vlan in class-map VLAN201.
QoS: Policy map MARK_PREC failed vlan check
Service Policy attachment failed
*Mar  1 05:45:32.418: %QM-4-MATCH_NOT_SUPPORTED: Match type is not supported in classmap VLAN201
SW3(config)#class-map match-all VLAN202
SW3(config-cmap)#match vlan  202
SW3(config-cmap)#match class-map IP_TRAFFIC
SW3(config)#class-map match-all VLAN201
SW3(config-cmap)#match vlan  201
SW3(config-cmap)#match class-map IP_TRAFFIC
SW3(config-cmap)#int fa0/16
SW3(config-if)#service-policy input MARK_PREC

Verification

SW3(config)#int vlan 201
SW3(config-if)#ip accounting precedence input
SW3#
SW3#
SW3#sh int vlan 201 precedence
Vlan201
  Input
    (none)

SW2#ping 201.0.0.9

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 201.0.0.9, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/9 ms

SW3#sh int vlan 201 precedence
Vlan201
  Input
    Precedence 0:  5 packets, 590 bytes
SW3#sh mls qos
QoS is disabled

SW3#c
Enter configuration commands, one per line.  End with CNTL/Z.
SW3(config)#mls qos
QoS: ensure flow-control on all interfaces are OFF for proper operation.
SW3(config)#
SW3#
SW3#

SW3#sh mls qos
QoS is enabled

SW2#ping 201.0.0.9

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 201.0.0.9, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/9 ms

SW3#sh int vlan 201 precedence
Vlan201
  Input
    Precedence 0:  5 packets, 590 bytes
    Precedence 1:  5 packets, 590 bytes

SW2#ping 202.0.0.9

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.0.0.9, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms

SW3#sh int vlan 202 precedence
Vlan202
  Input
    Precedence 2:  5 packets, 590 bytes

Alternatively, on a C3550 we can use "mls qos monitor dscp" on a physical interface to count the number of packets with particular IP Precedence or DSCP values.

SW3#c
Enter configuration commands, one per line.  End with CNTL/Z.
SW3(config)#int fa0/16
SW3(config-if)#mls qos
SW3(config-if)#mls qos mo
SW3(config-if)#mls qos monitor ?
  bytes    Collect byte statistics
  dscp     Collect DSCP statistics
  packets  Collect packet statistics

SW3(config-if)#mls qos monitor ds
SW3(config-if)#mls qos monitor dscp ?
  <0-63>  DSCP values separated by spaces (up to 8 values total)

SW3(config-if)#mls qos monitor dscp 0 ?
  <0-63>  DSCP values separated by spaces (up to 8 values total)
  <cr>

SW3(config-if)#mls qos monitor dscp 0 8 16
SW3(config-if)#
SW3#
SW3#
SW3#
SW3#
SW3#
SW3#
*Mar  1 06:00:28.574: %SYS-5-CONFIG_I: Configured from console by console
SW3#c
Enter configuration commands, one per line.  End with CNTL/Z.
SW3(config)#int fa0/16
SW3(config-if)#mls qos monitor packets
QoS: This command is only applicable on a master port.
 On a 24 ports switch:
  -port 1 controls interface 1 to 12
  -port 13 controls interface 13 to 24
 On a 48 ports switch:
  -port 25 controls interface 25 to 36
  -port 37 controls interface 37 to 48
SW3(config-if)#
SW3(config-if)#
SW3(config-if)#int fa0/13
SW3(config-if)#mls qos monitor packets
SW3(config-if)#

SW2#ping 201.0.0.9

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 201.0.0.9, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
SW2#ping 202.0.0.9

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.0.0.9, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/8 ms

SW3#sh mls qos int fa0/16 statistics
FastEthernet0/16
Ingress
  dscp: incoming   no_change  classified policed    dropped (in pkts)
    0 : 14         4          0          0          0        
    8 : 0          0          5          0          0        
    16: 0          0          5          0          0        
Others: 0          0          0          0          0        
Egress
  dscp: incoming   no_change  classified policed    dropped (in pkts)
    0 : 5             n/a       n/a      0          0        
    8 : 5             n/a       n/a      0          0        
    16: 5             n/a       n/a      0          0        
Others: 69            n/a       n/a      0          0         

SW3#

Using CAR to mitigate SMURF attack

September 8, 2008 at 3:31 pm | Posted in QoS, Security

Configuration (Modular QoS)

R4#

access-list 100 permit icmp any any echo-reply

class-map match-all SMURF_TRAFFIC
match access-group 100
!
!
policy-map SMURF_MITIGATION
class SMURF_TRAFFIC
police cir 64000 bc 8000 be 4000

interface Serial0/1
service-policy input SMURF_MITIGATION

interface Serial0/0.1 point-to-point
service-policy input SMURF_MITIGATION

Verification

R4#sh policy-map interface s0/1
Serial0/1

Service-policy input: SMURF_MITIGATION

Class-map: SMURF_TRAFFIC (match-all)
1860 packets, 2597440 bytes
30 second offered rate 61000 bps, drop rate 4000 bps
Match: access-group 100
police:
cir 64000 bps, bc 8000 bytes
conformed 1699 packets, 2355296 bytes; actions:
transmit
exceeded 161 packets, 242144 bytes; actions:
drop
conformed 54000 bps, exceed 4000 bps

Class-map: class-default (match-any)
72 packets, 6084 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: any

Configuration (Legacy QoS)

R4#
access-list 100 permit icmp any any echo-reply
interface Serial0/0.1 point-to-point
rate-limit input access-group 100 64000 8000 12000 conform-action transmit exceed-action drop
!
interface Serial0/1
rate-limit input access-group 100 64000 8000 12000 conform-action transmit exceed-action drop

Verification

R4#sh access-list 100
Extended IP access list 100
10 permit icmp any any echo-reply (278 matches)

R4#sh interface s0/1 rate-limit
Serial0/1
Input
matches: access-group 100
params:  64000 bps, 8000 limit, 12000 extended limit
conformed 130 packets, 195520 bytes; action: transmit
exceeded 12 packets, 18048 bytes; action: drop
last packet: 324ms ago, current burst: 3776 bytes
last cleared 00:01:10 ago, conformed 22000 bps, exceeded 2000 bps

Doc CD Navigation

There’s not a dedicated “configuration guide” or “command reference” specific for this.

A Smurf attack is a general term describing one type of DoS attack. The perpetrator sends many ICMP pings to the directed-broadcast addresses of many "proxy attacking networks", with the spoofed source address of the victim. The victim is then under a storm of return echo-reply traffic from the "proxy attacking networks".

To prevent the network from "attacking" other networks, or better said, from taking part in a Smurf attack, we should disable directed broadcast and drop packets with a spoofed source IP (unicast reverse-path verification, "ip verify unicast reverse-path"):

interface s0/1
 ip verify unicast reverse-path
interface e0/0
 no ip directed-broadcast

To minimize the effect of a Smurf attack, just rate-limit the echo-reply traffic (MQC and legacy configurations at the top of this post).
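As an added illustration (not part of the original post), here is a Python model of the token bucket behind "police cir 64000 bc 8000" with conform-action transmit and exceed-action drop: a constructed reflected echo-reply flood is mostly dropped once the 8000-byte burst allowance is spent, while a normal five-packet ping passes untouched. Arrival times and sizes are constructed for the example; the Be bucket is left out because the show output above reports only conformed and exceeded counters.

```python
class Policer:
    """Single-rate, two-colour token bucket modelling
    'police cir <bps> bc <bytes>' with conform-action transmit and
    exceed-action drop. Time is in milliseconds and tokens are bytes, all
    integers, so the results are exact; the optional Be bucket is not modelled."""

    def __init__(self, cir_bps, bc_bytes):
        self.cir_bps = cir_bps
        self.bc_bytes = bc_bytes
        self.tokens = bc_bytes          # the bucket starts full
        self.last_ms = 0
        self.conformed = [0, 0]         # packets, bytes
        self.exceeded = [0, 0]

    def offer(self, t_ms, size):
        """Offer one packet of `size` bytes arriving at t_ms; return the action."""
        # Refill at CIR: bits/s * ms / 8000 = bytes (sub-byte remainder discarded)
        refill = (t_ms - self.last_ms) * self.cir_bps // 8000
        self.tokens = min(self.bc_bytes, self.tokens + refill)
        self.last_ms = t_ms
        if size <= self.tokens:
            self.tokens -= size
            self.conformed[0] += 1
            self.conformed[1] += size
            return "transmit"
        self.exceeded[0] += 1
        self.exceeded[1] += size
        return "drop"


CIR_BPS, BC_BYTES = 64_000, 8_000   # the values used in SMURF_MITIGATION above


def smurf_burst(n=100, size=1000, interval_ms=10):
    """Constructed reflected echo-reply flood: n packets of `size` bytes, one
    every interval_ms (800 kb/s offered), far above the 64 kb/s CIR."""
    return [(i * interval_ms, size) for i in range(n)]


def normal_pings(n=5, size=100, interval_ms=1000):
    """Constructed replies to a default IOS ping: 5 x 100 bytes, one per second."""
    return [(i * interval_ms, size) for i in range(n)]


def police(packets, cir_bps=CIR_BPS, bc_bytes=BC_BYTES):
    """Run packets [(t_ms, size), ...] through a fresh policer and return
    (conformed_packets, exceeded_packets)."""
    p = Policer(cir_bps, bc_bytes)
    for t_ms, size in packets:
        p.offer(t_ms, size)
    return p.conformed[0], p.exceeded[0]


if __name__ == "__main__":
    print("smurf burst  (conformed, dropped):", police(smurf_burst()))
    print("normal pings (conformed, dropped):", police(normal_pings()))
```

The flood gets eight packets through on the initial burst and then roughly one per 12 to 13 packets as the bucket refills at 8000 bytes per second, which is the shape of the conformed/exceeded split in the show output above.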

For additional info, see the security white paper below:

Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks

A general Smurf attack description can be found outside the Cisco website, e.g. on Wikipedia:

http://en.wikipedia.org/wiki/Smurf_attack

The Smurf attack is a way of generating a lot of computer network traffic to a victim host. That is, it is a type of denial-of-service attack. Specifically, it floods a target system via spoofed broadcast ping messages.

In such an attack, a perpetrator sends a large amount of ICMP echo requests (ping) traffic to IP broadcast addresses, all of it having a spoofed source address of the intended victim. If the routing device delivering traffic to those broadcast addresses delivers the IP broadcast to all hosts (for example via a layer 2 broadcast), most hosts on that IP network will take the ICMP echo request and reply to it with an echo reply, multiplying the traffic by the number of hosts responding. On a multi-access broadcast network, hundreds of machines might reply to each packet.[1]

In the late 1990s, many IP networks would participate in Smurf attacks (that is, they would respond to pings to broadcast addresses). Today, thanks largely to the ease with which administrators can make a network immune to this abuse, very few networks remain vulnerable to Smurf attacks.[2]

The fix is twofold:

  • Configure individual hosts and routers not to respond to ping requests to broadcast addresses,[1] and
  • Configure routers not to forward packets directed to broadcast addresses. Until 1999, standards required routers to forward such packets by default, but in that year, the standard was changed to require the default to be not to forward.[3]

Another proposed solution, to fix this as well as other problems, is network ingress filtering which rejects the attacking packets on the basis of the forged source address.[4]

NBAR confusion – usage of “match protocol http url”

September 5, 2008 at 5:04 pm | Posted in Blogroll, QoS, Security | 2 Comments

Doing IE WB1, Section Security – Task Using NBAR to Filter Traffic. I am confused by the solution guide. The task is to drop HTTP IMAGE requests from Client to Server.

HTTP Client ------- R4 ------- Server HTTP
                       S0/1

The solution creates a policy that matches images using match http url, but the policy is applied INBOUND on the WAN interface (S0/1)! I believe that this policy should be applied OUTBOUND to stop HTTP Requests.

However, that is not my main concern. I used to believe that "match protocol http url" can only be used to match HTTP REQUESTS, and not to match HTTP RESPONSES (IMAGE data) from the server. To match the IMAGE data itself, I thought that match MIME type should be used. But it seems I may be WRONG!

“match protocol http url” seems to be able to match HTTP RESPONSE from Servers as well.

I tried sniffing (using Wireshark) a real HTTP session. I could see the reference to the URL in the GET request, but I do not see any reference to that URL in the data response from the server!

Below are the config and verification showing that both HTTP requests for images and the returned image data can be matched by using "match protocol http url".

Configuration:

R4#

class-map match-any IMAGES
 match protocol http url "*.gif"
 match protocol http url "*.jpeg|*.jpg"
!
!
! HTTP_REQUEST policy is my additional config for matching illustration
policy-map HTTP_REQUEST
 class IMAGES

policy-map DROP_IMAGES
 class IMAGES
   drop

interface Serial0/1
 service-policy input DROP_IMAGES
 service-policy output HTTP_REQUEST

Verification:

Try to generate HTTP get request from inside (R1) to outside 150.1.5.5 (HTTP Server)

R1#copy http://150.1.5.5/test.jpg null:
%Error opening http://150.1.5.5/test.jpg (I/O error)

R4#sh policy-map interface s0/1
 Serial0/1 

  Service-policy input: DROP_IMAGES

    Class-map: IMAGES (match-any)
      8 packets, 1657 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http url "*.gif"
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol http url "*.jpeg|*.jpg"
        8 packets, 1657 bytes
        5 minute rate 0 bps
      drop

    Class-map: class-default (match-any)
      18 packets, 1530 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any 

  Service-policy output: HTTP_REQUEST

    Class-map: IMAGES (match-any)
      5 packets, 708 bytes
      5 minute offered rate 0 bps
      Match: protocol http url "*.gif"
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol http url "*.jpeg|*.jpg"
        5 packets, 708 bytes
        5 minute rate 0 bps

    Class-map: class-default (match-any)
      27 packets, 1936 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

Wireshark view of HTTP GET request

Wireshark view of return IMAGE DATA
