CCIE Pursuit Blog

February 3, 2008

How To Look Like A Jackass

Filed under: Cisco,IOS,QoS,Work — cciepursuit @ 7:42 pm

I was asked by a member of our NOC to take a look at the QoS configuration on a router to see if there were any issues.  I logged in and took a look: 

r1#show policy-map
  Policy Map FAKE
    Class FAKE1
      Strict Priority
      Bandwidth 512 (kbps) Burst 12800 (Bytes)
    Class FAKE2
      Bandwidth 128 (kbps) Max Threshold 64 (packets)
    Class FAKE3
      Bandwidth 128 (kbps) Max Threshold 64 (packets)
    Class class-default

r1#sh policy-map s0/0

r1#

The policy map exists on the router but is not assigned to the interface.  I told the NOC:

“There’s the problem.  Tell the site engineer that he did not apply the service-policy to the interface.”

A few minutes later I got a call from the engineer who supports that site:

“Why did you tell the NOC that I didn’t have QoS running on router r1?”
“Because I saw that the policy is there, but it is not applied to interface.”
“Yes it is.”
“No it isn’t.”
“Yes.  It.  Is.”

At that point I logged into the router and rechecked.  To my surprise, the policy was there:

r1#sh policy-map int s0/0

 Serial0/0

  Service-policy output: FAKE

    Class-map: FAKE1 (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol edonkey
      Queueing
        Strict Priority
        Output Queue: Conversation 264
        Bandwidth 512 (kbps) Burst 12800 (Bytes)
        (pkts matched/bytes matched) 0/0
        (total drops/bytes drops) 0/0

    Class-map: FAKE2 (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol dns
      Queueing
        Output Queue: Conversation 265
        Bandwidth 128 (kbps)Max Threshold 64 (packets)
        (pkts matched/bytes matched) 0/0
        (depth/total drops/no-buffer drops) 0/0/0

—OUTPUT TRUNCATED—

My first thought was that he had changed the configuration, but there were no configuration changes made.  An IOS bug?

In cases like this I have learned that the most likely suspect is myself.  This proved to be no exception.  Those of you with a good eye have already spotted my mistake:

r1#sh policy-map ?
  WORD           policy-map name
  control-plane  Show Control Plane policy
  interface      Show Qos Policy Interface
  session        Show session Qos Policy
  |              Output modifiers
  <cr>

‘show policy-map s0/0’ and ‘show policy-map int s0/0’ are not the same command.  🙂

‘show policy-map s0/0’ looks for a policy-map named ‘s0/0’ (WORD is the first option in the parser help above, so anything that is not a keyword is taken as a policy-map name, and a name that does not exist simply returns nothing rather than an error), while ‘show policy-map int s0/0’ shows the (inbound and outbound) policies applied to interface s0/0.

DOH!!!!

As soon as I explained my mistake the flood of jokes at my expense began:

“Do they have QoS on the CCIE lab?  Good luck with that.”
“Why don’t you just take $1500 and light it on fire?  It’ll save you time and travel.”
“Did you hear?  Cisco has an undocumented command.  It’s called “show policy-map interface”!”
“Help!  All of my routers have lost their QoS configuration!”

And so on….all fucking day long.  🙂

It’s all in good fun.  Just be aware that if you announce that you are pursuing the CCIE, every mistake you make is going to be analyzed because you are supposed to be a guru.  🙂
 

January 24, 2008

Internetwork Expert Blog: Three Flavors Of Traffic Shaping

The Internetwork Expert Blog has three posts covering different ways to configure traffic-shaping.  This is a topic that you must master for the lab.  You’ll need to be familiar with each of the different versions in case they eliminate one or more methods in the task.

Frame-Relay Traffic Shaping with GTS (Generic Traffic Shaping)

Legacy Frame-Relay Traffic Shaping

MQC-based Frame-Relay Traffic-Shaping

January 13, 2008

Internetwork Expert Volume II: Lab 4 – Section 7

 QoS – 7 Points

7.1 Congestion Avoidance

“…configure r1 to start dropping packets with an IP precedence of routine on this link when there are at least 15 packets in the queue.”

Sounds like WRED to me.

Configuring Weighted Random Early Detection

“routine” traffic is IP Prec 0:

r1(config-cmap)#match ip prec ?
  <0-7>           Enter up to 4 precedence values separated by white-spaces
  critical        Match packets with critical precedence (5)
  flash           Match packets with flash precedence (3)
  flash-override  Match packets with flash override precedence (4)
  immediate       Match packets with immediate precedence (2)
  internet        Match packets with internetwork control precedence (6)
  network         Match packets with network control precedence (7)
  priority        Match packets with priority precedence (1)
  routine         Match packets with routine precedence (0)

r1(config)#int fa0/0
r1(config-if)#random-detect ?
  dscp-based  Enable dscp based WRED on an inteface
  prec-based  Enable prec based WRED on an interface

r1(config-if)#random-detect prec-based

Now we have a few more options:

r1(config-if)#random-detect ?
  dscp                            parameters for each dscp value
  dscp-based                      Enable dscp based WRED on an inteface
  exponential-weighting-constant  weight for mean queue depth calculation
  flow                            enable flow based WRED
  prec-based                      Enable prec based WRED on an interface
  precedence                      parameters for each precedence value

r1(config-if)#random-detect precedence 0 15 ?
  <1-4096>  maximum threshold (number of packets)

Shit.  What is the default maximum threshold?  It’s easy enough to find:

r1(config-if)#do sh queueing int fa0/0
Interface FastEthernet0/0 queueing strategy: random early detection (WRED)
    Random-detect not active on the dialer
    Exp-weight-constant: 9 (1/512)
    Mean queue depth: 0

  class          Random drop      Tail drop    Minimum Maximum  Mark
                  pkts/bytes       pkts/bytes    thresh  thresh  prob
      0      0/0              0/0           20      40  1/10
      1      0/0              0/0           22      40  1/10
      2      0/0              0/0           24      40  1/10
      3      0/0              0/0           26      40  1/10
      4      0/0              0/0           28      40  1/10
      5      0/0              0/0           31      40  1/10
      6      0/0              0/0           33      40  1/10
      7      0/0              0/0           35      40  1/10
   rsvp      0/0              0/0           37      40  1/10

r1(config-if)#random-detect prec 0 15 40 ?
  <1-65535>  mark probability denominator
  <cr>

Let’s leave that at the default of 10.

r1#sh queueing int fa0/0
Interface FastEthernet0/0 queueing strategy: random early detection (WRED)
    Random-detect not active on the dialer
    Exp-weight-constant: 9 (1/512)
    Mean queue depth: 0

  class          Random drop      Tail drop    Minimum Maximum  Mark
                  pkts/bytes       pkts/bytes    thresh  thresh  prob
      0      0/0              0/0           15      40  1/10
      1      0/0              0/0           22      40  1/10
      2      0/0              0/0           24      40  1/10
      3      0/0              0/0           26      40  1/10
      4      0/0              0/0           28      40  1/10
      5      0/0              0/0           31      40  1/10
      6      0/0              0/0           33      40  1/10
      7      0/0              0/0           35      40  1/10
   rsvp      0/0              0/0           37      40  1/10
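An added worked example (my own code, not part of the original post) that models what the resulting `random-detect precedence 0 15 40` line does compared with the default 20/40 profile. It reproduces two pieces of IOS WRED behaviour visible in the output above: the average queue depth is an exponentially weighted moving average with weight 1/2^n (n = 9, the `Exp-weight-constant: 9 (1/512)` line), and the random-drop probability climbs linearly from 0 at the minimum threshold to 1/mark-probability-denominator (1/10 here) at the maximum threshold, above which every packet is tail-dropped. The queue-depth samples fed to it are constructed.

```python
import random

# Exp-weight-constant from `show queueing`: the average depth moves 1/2**9 = 1/512 of
# the way toward the instantaneous depth on every packet arrival.
EXP_WEIGHT_CONSTANT = 9
MARK_PROB_DENOMINATOR = 10          # "Mark prob 1/10" in the show output

# Per-precedence (min, max) thresholds exactly as `show queueing int fa0/0` listed them.
DEFAULT_PROFILES = {0: (20, 40), 1: (22, 40), 2: (24, 40), 3: (26, 40),
                    4: (28, 40), 5: (31, 40), 6: (33, 40), 7: (35, 40)}


def profiles_after_task_7_1():
    """Task 7.1: routine (precedence 0) starts dropping at 15 packets; the rest stay default."""
    profiles = dict(DEFAULT_PROFILES)
    profiles[0] = (15, 40)          # random-detect precedence 0 15 40 (mark prob left at 10)
    return profiles


def ewma_depth(old_avg, current_depth, n=EXP_WEIGHT_CONSTANT):
    """One WRED averaging step: avg = old + (current - old) / 2**n."""
    return old_avg + (current_depth - old_avg) / (2 ** n)


def wred_drop_probability(avg_depth, min_thresh, max_thresh,
                          mark_prob_denominator=MARK_PROB_DENOMINATOR):
    """Probability that an arriving packet of this precedence is randomly dropped."""
    if avg_depth < min_thresh:
        return 0.0                          # below min threshold: never drop
    if avg_depth >= max_thresh:
        return 1.0                          # at/above max threshold: tail drop
    fraction = (avg_depth - min_thresh) / (max_thresh - min_thresh)
    return fraction / mark_prob_denominator


def simulate(depth_samples, profiles, precedence, seed=1):
    """Feed constructed instantaneous queue depths (one per arriving packet) through WRED.

    Returns (final_average_depth, packets_dropped). The RNG is seeded so runs repeat.
    """
    rng = random.Random(seed)
    min_t, max_t = profiles[precedence]
    avg, drops = 0.0, 0
    for depth in depth_samples:
        avg = ewma_depth(avg, depth)
        if rng.random() < wred_drop_probability(avg, min_t, max_t):
            drops += 1
    return avg, drops


if __name__ == "__main__":
    # Constructed load: 3000 packets arrive while the queue sits 18 packets deep.
    # With the default 20/40 profile routine traffic is untouched; after the task it is not.
    steady_18 = [18] * 3000
    print("default  prec 0:", simulate(steady_18, DEFAULT_PROFILES, 0))
    print("task 7.1 prec 0:", simulate(steady_18, profiles_after_task_7_1(), 0))
    print("task 7.1 prec 5:", simulate(steady_18, profiles_after_task_7_1(), 5))
```

Because the weighting constant is 1/512, the average depth lags the real queue by hundreds of packets; that is why a short burst rarely triggers WRED, and why the task's change only matters once routine traffic keeps the queue above 15 packets for a while.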

7.2 Congestion Avoidance

“…configure r5 so that all SMTP packets are guaranteed at least 1.5Mbps of the output queue on int fa0/1.”
“Do not use an access-list to accomplish this.”

The only twist on this task is whether to use LLQ or bandwidth.  “at least” screams ‘bandwidth’ to me.

r5(config-pmap-c)#bandwidth ?
  <8-2000000>  Kilo Bits per second <- Be careful
r5(config-pmap-c)#bandwidth 1500

class-map match-all SMTP
  match protocol smtp
!
policy-map SMTP
  class SMTP
   bandwidth 1500
!
interface FastEthernet0/1
 service-policy output SMTP

r5#sh policy-map int fa0/1
 FastEthernet0/1

  Service-policy output: SMTP

    Class-map: SMTP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol smtp
      Queueing
        Output Queue: Conversation 265
        Bandwidth 1500 (kbps) Max Threshold 64 (packets)
        (pkts matched/bytes matched) 0/0
        (depth/total drops/no-buffer drops) 0/0/0

    Class-map: class-default (match-any)
      54 packets, 5570 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

7.3 Rate Limiting

“…configure r5 so that packets over 1250 bytes are limited to 2.5Mbps outbound on interface fa0/1.”

This is definitely policing.

r5(config-cmap)#match packet length ?
  max  Maximum length of packet
  min  Minimum length of packet

1250 or 1251….I chose 1251 (“over 1250”), but I would ask the proctor for clarification.

r5(config-pmap-c)#police ?
  <8000-2000000000>  Bits per second <- Be careful
  cir                Committed information rate

Ooops!!!  I didn’t notice the interface.  I already have an outbound policy on fa0/1:

interface FastEthernet0/1
 service-policy output SMTP

No problem.  I can just add this class to the existing policy-map (I should have read more carefully) rather than creating a new one.

class-map match-all POLICE_1250
  match packet length min 1251
!
policy-map SMTP
  class SMTP
   bandwidth 1500
  class POLICE_1250
   police 2500000

r5#sh policy-map int fa0/1
 FastEthernet0/1

  Service-policy output: SMTP

    Class-map: SMTP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol smtp
      Queueing
        Output Queue: Conversation 265
        Bandwidth 1500 (kbps) Max Threshold 64 (packets)
        (pkts matched/bytes matched) 0/0
        (depth/total drops/no-buffer drops) 0/0/0

    Class-map: POLICE_1250 (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: packet length min 1251
      police:
          cir 2500000 bps, bc 78125 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps

    Class-map: class-default (match-any)
      427 packets, 42622 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
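An added example (my own code, not from the lab or the post) of what `police 2500000` actually enforces once a packet is classified by `match packet length min 1251`. It is a single-rate, two-colour token-bucket policer using the Bc the router chose by default, 78125 bytes (CIR/32, the `bc 78125 bytes` line above): the bucket starts full, refills at CIR, and a packet conforms only if enough bytes are available. Packet sizes and timings are constructed.

```python
# Values from the task 7.3 output: police 2500000 with the Bc IOS picked by default.
CIR_BPS = 2_500_000
BC_BYTES = CIR_BPS // 32          # 78125 bytes, exactly the "bc 78125 bytes" the router reported
MIN_LEN = 1251                    # match packet length min 1251 ("over 1250 bytes")


class TokenBucketPolicer:
    """Single-rate, two-colour policer: conform -> transmit, exceed -> drop."""

    def __init__(self, cir_bps=CIR_BPS, bc_bytes=BC_BYTES):
        self.cir_bytes_per_sec = cir_bps / 8
        self.bc = bc_bytes
        self.tokens = float(bc_bytes)   # bucket starts full
        self.last_t = 0.0

    def police(self, size_bytes, t_seconds):
        # Refill in proportion to elapsed time, never beyond Bc.
        elapsed = t_seconds - self.last_t
        self.tokens = min(self.bc, self.tokens + elapsed * self.cir_bytes_per_sec)
        self.last_t = t_seconds
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return "conform"
        return "exceed"


def matches_police_class(size_bytes):
    """The class-map: match packet length min 1251."""
    return size_bytes >= MIN_LEN


def run_policy(packets):
    """packets: iterable of (time_seconds, size_bytes), in time order.

    Returns counters shaped like the show policy-map interface output: packets of
    1250 bytes and under fall through to class-default and are never policed.
    """
    policer = TokenBucketPolicer()
    counts = {"class-default": 0, "conform": 0, "exceed": 0}
    for t, size in packets:
        if not matches_police_class(size):
            counts["class-default"] += 1
            continue
        counts[policer.police(size, t)] += 1
    return counts


def burst_then_idle():
    """Constructed traffic: 60 x 1500-byte packets at t=0, one 1250-byte packet,
    then 60 more 1500-byte packets one second later."""
    return [(0.0, 1500)] * 60 + [(0.0, 1250)] + [(1.0, 1500)] * 60


def steady_2_4_mbps(count=1000):
    """Constructed traffic: 1500-byte packets every 5 ms = 2.4 Mbps, just under the CIR."""
    return [(i * 0.005, 1500) for i in range(count)]


if __name__ == "__main__":
    print(run_policy(burst_then_idle()))     # 52 of each burst conform, 8 exceed
    print(run_policy(steady_2_4_mbps()))     # nothing exceeds below the CIR
```

The burst case shows why Bc matters as much as the rate: 78125 bytes is only 52 full-size packets, so an application that sends in bursts sees drops long before its average rate reaches 2.5 Mbps.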

December 10, 2007

Quick QoS Tip

If you use the same name for all of your (MQC) QoS elements (class-map, policy-map, service-policy, etc), then you can easily see all of these elements with the section filter:

r3(config-cmap)#do sh run | sec FROM_FTP
class-map match-all FROM_FTP_SERVER
 match access-group name FROM_FTP_SERVER
policy-map FROM_FTP_SERVER
 class FROM_FTP_SERVER
  bandwidth 256
 service-policy output FROM_FTP_SERVER
ip access-list extended FROM_FTP_SERVER
 permit tcp host 132.1.33.33 132.1.6.0 0.0.0.255 eq ftp

Internetwork Expert Volume II: Lab 2 – Section 8

Section 8 – QoS – 6 Points

8.1 was a basic QoS question that required you to “guarantee at least 256Kbps during times of congestion across the Frame Relay link [to and from an SMTP server]” 

Having just reviewed the QoS IEATC lessons, I knew that the question was asking for a minimum bandwidth guarantee using the “bandwidth” command (CBWFQ) and not LLQ.  Easy enough: write an access-list to match traffic to and from the server on each router and configure QoS using the MQC.

One of the things to remember when using CBWFQ with Frame Relay is that the service-policy must be applied to the physical interface, not a subinterface:

r3(config-subif)#service-policy out SMTP
CBWFQ : Not supported on subinterfaces

Also, you need to remove fair-queueing from the interface first:

r3(config-if)#service-p out SMTP
Must remove fair-queue configuration first. 

I completed this task correctly…or at least I thought that I did. 

My answer:
r3
ip access-list extended TO_SMTP_SERVER
 permit tcp host 132.1.3.100 any eq smtp

r5
ip access-list extended FROM_SMTP_SERVER
 permit tcp host 132.1.3.100 any eq smtp

IE’s answer:
r3:
ip access-list extended SMTP_FROM_SERVER
 permit tcp host 132.1.3.100 eq smtp any

r5:
ip access-list extended SMTP_FROM_SERVER
 permit tcp any host 132.1.3.100 eq smtp

The users are behind r5’s e0/1 and the server is in VLAN3 on r3’s e0/0.  My simple screwup on r5 cost me some easy points.  I forgot to reverse my ACL on r5.  😦

8.2 – Policy routing.  Crap.  Another topic that I am pretty unfamiliar with.  A quick visit to the DOC shows the following:

Configuring IP Routing Protocol-Independent Features

Enabling Policy Routing

I was able to figure out the solution from those documents.  Well, I almost figured it out.  I made a single mistake that cost me the points for this task and for 8.3 as well.

“Assume that this FTP server does not support PASV FTP connections.”

Active FTP vs. Passive FTP

I’ll have to review passive versus active FTP.  Basically, both modes use port 21 for the control connection; in active FTP the server opens the data connection from its port 20 back to the client, while in passive FTP the client opens the data connection to an ephemeral port that the server announces.  Even with this understanding I would have lost the points because I assumed that “tcp eq ftp” meant ports 20 and 21.  It turns out that it only means port 21 (the control port).  You need to add an additional line (“eq ftp-data”) to the ACL to match the data port (20).

My answer:
ip access-list extended FROM_FTP_SERVER
 permit tcp host 132.1.33.33 132.1.6.0 0.0.0.255 eq ftp

IE’s answer:
ip access-list extended FROM_FTP_SERVER
 permit tcp host 132.1.33.33 132.1.6.0 0.0.0.255 eq ftp
 permit tcp host 132.1.33.33 132.1.6.0 0.0.0.255 eq ftp-data

This mistake made me lose points for 8.2 and for 8.3 (an easy QoS task) because they both rely on that ACL.

So I ended up 0 for 6 on the section that I thought that I had the best chance to ace.  😦
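An added example (my own code, not from the lab or the post) that evaluates the extended-ACL lines from this section against constructed flows, so the two mistakes can be seen rather than argued about: a “host A any eq smtp” line only matches packets sourced from A with destination port 25, so swapping the host and any ends changes which direction of the session is matched; and “eq ftp” resolves to port 21 only, so “eq ftp-data” (20) has to be a second line. The evaluator supports only the syntax used on this page (permit/deny, tcp, any, host, wildcard mask, eq). The flow addresses and ports are constructed; the server addresses and the 132.1.6.0/24 range come from the ACLs above.

```python
import ipaddress

# Port names IOS accepts in 'eq' that this page uses; 'ftp' is 21 only, the data port is 'ftp-data'.
NAMED_PORTS = {"ftp-data": 20, "ftp": 21, "smtp": 25}

ANY = (0, 0xFFFFFFFF)   # address 0 with an all-ones wildcard matches everything


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return ((address, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]


def _parse_port(tokens):
    """Consume an optional 'eq PORT'; return (port or None, remaining tokens)."""
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        return (NAMED_PORTS[name] if name in NAMED_PORTS else int(name)), tokens[2:]
    return None, tokens


def parse_ace(line):
    """Parse 'permit|deny tcp <src> [eq P] <dst> [eq P]' (the subset used in section 8)."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, rest = _parse_addr(rest)
    sport, rest = _parse_port(rest)      # 'eq' right after the source = source port
    dst, rest = _parse_addr(rest)
    dport, rest = _parse_port(rest)      # 'eq' after the destination = destination port
    return {"action": action, "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport}


def _addr_match(spec, addr):
    """Cisco wildcard mask: a 1 bit in the wildcard means 'don't care'."""
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (_ip(addr) & care) == (base & care)


def acl_permits(acl_lines, proto, src, sport, dst, dport):
    """First matching entry wins; the implicit deny at the end catches everything else."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] != proto:
            continue
        if not (_addr_match(ace["src"], src) and _addr_match(ace["dst"], dst)):
            continue
        if ace["sport"] is not None and ace["sport"] != sport:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"] == "permit"
    return False


# The ACL lines as written on this page (list names shortened).
MY_R5 = ["permit tcp host 132.1.3.100 any eq smtp"]
IE_R5 = ["permit tcp any host 132.1.3.100 eq smtp"]
IE_R3 = ["permit tcp host 132.1.3.100 eq smtp any"]
MY_FTP = ["permit tcp host 132.1.33.33 132.1.6.0 0.0.0.255 eq ftp"]
IE_FTP = MY_FTP + ["permit tcp host 132.1.33.33 132.1.6.0 0.0.0.255 eq ftp-data"]

# Constructed endpoints: a user inside 132.1.6.0/24 plus the two servers named in the ACLs.
USER, SERVER, FTP_SERVER = "132.1.6.10", "132.1.3.100", "132.1.33.33"


def smtp_user_to_server(acl):
    """A user opening a mail session toward the server: destination port 25."""
    return acl_permits(acl, "tcp", USER, 40000, SERVER, 25)


def smtp_server_to_user(acl):
    """The server's reply packets: source port 25."""
    return acl_permits(acl, "tcp", SERVER, 25, USER, 40000)


def from_ftp_server_to_port(acl, dport):
    """A packet from the FTP server into 132.1.6.0/24 with the given destination port."""
    return acl_permits(acl, "tcp", FTP_SERVER, 50000, USER, dport)


if __name__ == "__main__":
    print("user->server SMTP, my r5 ACL:", smtp_user_to_server(MY_R5))    # False
    print("user->server SMTP, IE r5 ACL:", smtp_user_to_server(IE_R5))    # True
    print("server->user SMTP, IE r3 ACL:", smtp_server_to_user(IE_R3))    # True
    print("FTP server -> port 20, my ACL:", from_ftp_server_to_port(MY_FTP, 20))  # False
    print("FTP server -> port 20, IE ACL:", from_ftp_server_to_port(IE_FTP, 20))  # True
```

Reading each ACE back through `parse_ace` before applying it is the check worth doing in the lab: it makes the source-port versus destination-port position of every `eq` explicit, which is exactly where the r5 mistake hid.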

October 25, 2007

LFU 6: Traffic Shaping Won’t Start By Itself

Frame Relay traffic-shaping tasks can be a real pain in the ass.  Make sure that you don’t skip the simple steps when tackling a complicated FRTS task. 

In this scenario I want to create a simple Frame Relay map-class and apply it to DLCI 102 on interface s1/0.  Here’s my configuration:

map-class frame-relay MYFRAMEMAP
 frame-relay tc 100
 frame-relay cir 128000
!
interface Serial1/0
 ip address 10.1.1.1 255.255.255.0
 encapsulation frame-relay
 frame-relay map ip 10.1.1.2 102 broadcast
 frame-relay interface-dlci 102
  class MYFRAMEMAP
 no frame-relay inverse-arp

Done, right?  I go to verify my traffic-shaping and get nothing, nada, zilch:

r1#sh traffic
   <-note: no output
r1#

I try a few more commands:

r1#sh traffic queue
  <-note: no output
r1#

r1#sh traffic stat
                  Acc. Queue Packets   Bytes     Packets   Bytes     Shaping
I/F               List Depth                     Delayed   Delayed   Active

Finally I stumble across the problem:

r1#sh traffic s1/0
Traffic shaping not configured on Serial1/0 dumbass!!!

Okay, so IOS didn’t actually say “dumbass”, but I know that it wanted to.  🙂

Of course I didn’t do “sh traffic s1/0” right away.  No, it took tons of swearing, adding and removing configurations, and making sure that Frame Relay was set up right before I discovered that I had not actually TURNED FRAME RELAY TRAFFIC SHAPING ON!!! 

Quick fix:

r1(config)#int s1/0
r1(config-if)#frame traffic
r1(config-if)#do sh traffic

Interface   Se1/0
       Access Target    Byte   Sustain   Excess    Interval  Increment Adapt
VC     List   Rate      Limit  bits/int  bits/int  (ms)      (bytes)   Active
103           56000     875    7000      0         125       875       –
102           128000    2000   128000    0         125       2000      – <-booyah!!!

Don’t shoot yourself in the foot after mastering the fine art of FRTS.  Be sure to turn “frame-relay traffic-shaping” on for your interface.
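An added example (my own code, not from the original post) that derives the columns of `show traffic-shape` from a map-class, so the numbers in the table above can be checked by hand. It models the relationships IOS uses for a CIR > 0 PVC: Tc = Bc / CIR, Increment = Bc / 8 bytes per interval, and (my assumption, consistent with both rows above) Byte Limit = (Bc + Be) / 8. It also models two defaults: a DLCI with no map-class is shaped at CIR 56000 / Bc 7000 (row 103), and a map-class that sets CIR but not Bc gets Bc = CIR / 8, which is why DLCI 102 shows a 125 ms interval and a 2000-byte increment even though MYFRAMEMAP set `frame-relay tc 100`: IOS only honours `frame-relay tc` for CIR 0 PVCs. The model reproduces the Byte Limit, Interval and Increment columns; it does not try to reproduce the Sustain column as displayed for the default-Bc row. The explicit-Bc map-class used in the demo is constructed.

```python
# Defaults IOS applies to a shaped DLCI that has no map-class (row 103 in the output above).
DEFAULT_CIR, DEFAULT_BC, DEFAULT_BE = 56000, 7000, 0


def shaping_params(cir=None, bc=None, be=None):
    """Derive the show traffic-shape columns for one VC from its map-class values.

    Assumptions (labelled): with no Bc configured IOS uses Bc = CIR/8 (a 125 ms Tc);
    Byte Limit = (Bc + Be) / 8. 'frame-relay tc' is not a parameter here because IOS
    only honours it for CIR 0 PVCs; for CIR > 0, Tc = Bc / CIR.
    """
    if cir is None:                      # no map-class at all: IOS defaults
        cir, bc, be = DEFAULT_CIR, DEFAULT_BC, DEFAULT_BE
    if cir <= 0:
        raise ValueError("CIR 0 PVCs (Tc from 'frame-relay tc') are not modelled")
    if bc is None:
        bc = cir // 8                    # assumption: default Bc when only CIR is set
    if be is None:
        be = 0
    return {
        "target_rate": cir,
        "byte_limit": (bc + be) // 8,
        "sustain_bits_per_int": bc,
        "excess_bits_per_int": be,
        "interval_ms": bc * 1000 / cir,  # Tc
        "increment_bytes": bc // 8,      # bytes released into the VC each Tc
    }


def show_traffic_shape(vcs):
    """vcs: {dlci: dict of map-class values, or None for no map-class}.

    Returns rows (dlci, target, byte_limit, sustain, excess, interval_ms, increment)
    in the order the IOS table lists them here (ascending DLCI).
    """
    rows = []
    for dlci in sorted(vcs):
        p = shaping_params(**(vcs[dlci] or {}))
        rows.append((dlci, p["target_rate"], p["byte_limit"], p["sustain_bits_per_int"],
                     p["excess_bits_per_int"], p["interval_ms"], p["increment_bytes"]))
    return rows


def gts_bc_check(rate_bps, bc_bits):
    """Mirror the sanity check 'traffic-shape rate' prints: Bc must be at least 1000 bits.

    Returns the resulting Tc in ms when the values are accepted.
    """
    if bc_bits < 1000:
        raise ValueError("less than 1000 bits in an interval doesn't make sense")
    return bc_bits * 1000 / rate_bps


if __name__ == "__main__":
    # The interface above: DLCI 103 with no map-class, DLCI 102 with cir 128000 and no bc.
    for row in show_traffic_shape({103: None, 102: {"cir": 128000}}):
        print(*row)
    # A constructed explicit map-class: cir 56000, bc 560, be 80 -> Tc 10 ms.
    print(shaping_params(cir=56000, bc=560, be=80))
```

Running the derivation before typing the map-class is a cheap way to catch a Tc that is far from the 10 to 125 ms range a lab task usually expects, since `show traffic-shape` will happily display whatever Bc/CIR works out to.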

October 22, 2007

How To Show Map-Class

One of my Friday morning rituals is to read through the GroupStudy archive for the week before.  I generally just skim the subjects and open the threads that look interesting.  Since I was doing a bunch of Frame Relay QoS labs this week, the following posting was very timely:

Hi,

How can I see a map-class configured on my router?  There is no command such as “show map-class”.

Thanks,
Navid

Try “show run map-class”:

Rack1R1#sh run map-class
Building configuration…

Current configuration:
!
map-class frame-relay test
 frame-relay cir 56000
end

For FRTS using map class use show “frame-relay pvc xxx (dlci)” to see the FRTS info.  Also try “show traffic-shape”

Hope it helps.

-BQ

I ended up using this command a lot over the weekend.  You can use “show run map-class” to see all of the map-classes configured on a box, or use “show run map-class [type]” or “show run map-class [type] [name]” to filter your results:

To see all configured map-classes:
r1#sh run map-class
Building configuration…

Current configuration:
!
map-class frame-relay MAPCLASS1
 frame-relay tc 10
 frame-relay cir 56000
 frame-relay bc 560
 frame-relay be 80
!
map-class frame-relay MAPCLASS2
 frame-relay cir 512000
 frame-relay bc 51200
 frame-relay mincir 500000
 frame-relay ip rtp priority 16384 16383 256
!
map-class dialer MAPCLASS3
 dialer fast-idle 10
 dialer isdn speed 56 spc
end

To see all map-classes of a type (frame, atm, dialer):
r1#sh run map-class dialer
Building configuration…

Current configuration:
!
map-class dialer MAPCLASS3
 dialer fast-idle 10
 dialer isdn speed 56 spc
end

To see a specific map-class:
r1#sh run map-class frame MAPCLASS2
Building configuration…

Current configuration:
!
map-class frame-relay MAPCLASS2
 frame-relay cir 512000
 frame-relay bc 51200
 frame-relay mincir 500000
 frame-relay ip rtp priority 16384 16383 256
end

October 14, 2007

My Router Is A Smart-Ass

I was doing some QoS labs today and was messing with the values in the “traffic-shape rate” command to see how they affected each other when my router told me something I’ve heard millions of times before (but usually from animate objects):

r1(config-if)#traffic-shape rate 10000 800
less than 1000 bits in an interval doesn’t make sense

Internetwork Expert: Free Catalyst QoS vSeminar Now Posted

Internetwork Expert already has this Wednesday’s free Catalyst QoS vSeminar posted on their site as a class-on-demand.  You can view it here.

Here is a brief description:

This seminar explores the principles and practice of implementing layer 2 and layer 3 Quality of Service on Cisco Catalyst IOS, and will last about an hour. Using a structured logical approach we will show you how to plan, implement, verify, and troubleshoot an end-to-end QoS design in Ethernet based LANs and Metro-Ethernet based WANs. This seminar also includes hands-on examples using the Catalyst 3550 and 3560 platforms as we will walk you step-by-step through advanced QoS scenarios live on the command line interface.

I tuned in on Wednesday for this class.  The class had a rocky start.  There were over 500 students connected and the initial voice quality was choppy.  Many jokes were made about Internetwork Expert suffering QoS problems.  🙂  The class restarted an hour later and was very good.  I had to take off halfway through, so it’s a good thing that it is now posted so I can catch the rest of it.  It’s also nice to have a class-on-demand version as I can pause and rewind the class so that I can lab along with it and review concepts.

October 10, 2007

Internetwork Expert: Free Catalyst QoS vSeminar Tonight

Just a quick reminder: Internetwork Expert will be presenting another free vSeminar tonight:

This message is just a friendly reminder that Brian Dennis and I (Brian McGahan) will be running a free CCIE Catalyst QoS seminar today starting at 3pm Pacific time via our online classroom.

This seminar explores the principles and practice of implementing layer 2 and layer 3 Quality of Service on Cisco Catalyst IOS, and will last about an hour. Using a structured logical approach we will show you how to plan, implement, verify, and troubleshoot an end-to-end QoS design in Ethernet based LANs and Metro-Ethernet based WANs. This seminar also includes hands-on examples using the Catalyst 3550 and 3560 platforms as we will walk you step-by-step through advanced QoS scenarios live on the command line interface.

If are interested in attending use the following URL anytime after 2pm Pacific time today:  http://classroom.internetworkexpert.com/p95576427

Prior to this we recommend running a connectivity test to the server to ensure that you have the correct version of Flash installed.  This test can be performed from the following URL:
http://classroom.internetworkxpert.com/common/help/en/support/meeting_test.htm

For those of you unable to attend this seminar will be available in recorded Class-on-Demand format on our website in the near future.

We hope to see you there!

Thanks,

Brian McGahan, CCIE #8593 (R&S/SP/Security)
bmcgahan_at_internetworkexpert_dot_com

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
24/7 Support: http://forum.internetworkexpert.com
Live Chat: http://www.internetworkexpert.com/chat/
