Monthly Archives: January 2014

6.4.a Implement and troubleshoot IP SLA

ip sla monitor using nbar and wireshark…

first the simple network (the asa is for another project; this post is about ip sla, topic 6.4.a for the ccie written)…

ip_sla_w_asa

prove connectivity…

R1#ping 100.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/35/56 ms

ciscoasa(config)# sh xlate
1 in use, 2 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
ICMP PAT from inside:10.1.1.1/2 to outside:100.1.1.2/51441 flags ri idle 0:00:03 timeout 0:00:30

ciscoasa(config-cmap)# sh run policy-map | i icmp
inspect icmp

put nbar on the router interfaces:

R1(config)#int f0/0
R1(config-if)#ip nbar protocol-discovery

R2#sh ip nbar protocol-discovery protocol http

 FastEthernet0/0

                            Input                    Output
                            -----                    ------
   Protocol                 Packet Count             Packet Count
                            Byte Count               Byte Count
                            5min Bit Rate (bps)      5min Bit Rate (bps)
                            5min Max Bit Rate (bps)  5min Max Bit Rate (bps)
   ------------------------ ------------------------ ------------------------
   http                     0                        0

use ip sla monitor to send http traffic:

R1(config)#do sh run | b ip sla
ip sla monitor 5
type http operation get url http://100.1.1.1
ip sla monitor schedule 5 life forever start-time now

prove it’s being generated:

R1(config)#do sh ip nbar proto proto http

 FastEthernet0/0

                            Input                    Output
                            -----                    ------
   Protocol                 Packet Count             Packet Count
                            Byte Count               Byte Count
                            5min Bit Rate (bps)      5min Bit Rate (bps)
                            5min Max Bit Rate (bps)  5min Max Bit Rate (bps)
   ------------------------ ------------------------ ------------------------
   http                     14                       10
                            4492                     624
                            0                        0
                            2000                     0

capture it with wireshark:

http_asa

very nice…
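the "prove it's being generated" step above is just two snapshots of the nbar counters and a subtraction. here is that check as a script, an added example that is not part of the original post: it parses the `show ip nbar protocol-discovery` output format and diffs the counters between two captures. the two snapshots embedded below are copied from the captures above (the first one only shows the packet row, and the parser tolerates that); the function names are my own.

```python
"""Parse `show ip nbar protocol-discovery` output and diff two snapshots, which
is the check the post uses to prove the IP SLA HTTP probe is really sending
traffic. Added example, not from the post; the two snapshots are copied from
the post's captures and the function names are mine."""

from typing import Dict, List, Tuple

# Row order under each protocol in the IOS output.
METRICS = ("packets", "bytes", "bps_5min", "max_bps_5min")

# iface -> protocol -> metric -> (input, output)
Snapshot = Dict[str, Dict[str, Dict[str, Tuple[int, int]]]]

BEFORE = """\
 FastEthernet0/0

                            Input                    Output
                            -----                    ------
   Protocol                 Packet Count             Packet Count
                            Byte Count               Byte Count
                            5min Bit Rate (bps)      5min Bit Rate (bps)
                            5min Max Bit Rate (bps)  5min Max Bit Rate (bps)
   ------------------------ ------------------------ ------------------------
   http                     0                        0
"""

AFTER = """\
 FastEthernet0/0

                            Input                    Output
                            -----                    ------
   Protocol                 Packet Count             Packet Count
                            Byte Count               Byte Count
                            5min Bit Rate (bps)      5min Bit Rate (bps)
                            5min Max Bit Rate (bps)  5min Max Bit Rate (bps)
   ------------------------ ------------------------ ------------------------
   http                     14                       10
                            4492                     624
                            0                        0
                            2000                     0
"""


def parse_protocol_discovery(text: str) -> Snapshot:
    """Walk the output line by line: a lone token is an interface name, a
    'name n n' line starts a protocol, a bare 'n n' line continues it."""
    snap: Snapshot = {}
    iface, proto, row = "unknown", None, 0
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) == 1 and not tokens[0].startswith("-"):
            iface, proto = tokens[0], None
            snap.setdefault(iface, {})
            continue
        if len(tokens) == 3 and tokens[1].isdigit() and tokens[2].isdigit():
            proto, row = tokens[0], 0
            snap.setdefault(iface, {})[proto] = {}
            values = tokens[1:]
        elif len(tokens) == 2 and proto and tokens[0].isdigit() and tokens[1].isdigit():
            values = tokens
        else:
            continue  # column headers and separator lines
        if row < len(METRICS):
            snap[iface][proto][METRICS[row]] = (int(values[0]), int(values[1]))
            row += 1
    return snap


def counter_delta(before: Snapshot, after: Snapshot) -> Snapshot:
    """Difference of the monotonic counters only; the 5min bit rates are gauges
    and are not subtracted. A protocol absent from `before` counts from zero."""
    delta: Snapshot = {}
    for iface, protos in after.items():
        for proto, metrics in protos.items():
            base = before.get(iface, {}).get(proto, {})
            delta.setdefault(iface, {})[proto] = {
                name: (metrics.get(name, (0, 0))[0] - base.get(name, (0, 0))[0],
                       metrics.get(name, (0, 0))[1] - base.get(name, (0, 0))[1])
                for name in ("packets", "bytes")
            }
    return delta


def protocols_with_new_traffic(delta: Snapshot, iface: str) -> List[str]:
    """Protocols whose packet counters moved between the two snapshots."""
    return sorted(p for p, m in delta.get(iface, {}).items() if any(m["packets"]))


if __name__ == "__main__":
    d = counter_delta(parse_protocol_discovery(BEFORE), parse_protocol_discovery(AFTER))
    for proto, m in d["FastEthernet0/0"].items():
        print(f"{proto}: +{m['packets'][0]}/+{m['packets'][1]} packets, "
              f"+{m['bytes'][0]}/+{m['bytes'][1]} bytes (in/out)")
```

only the packet and byte counters are diffed; the 5min rates are gauges that already express a rate, so subtracting two of them means nothing. feed it a full `show ip nbar protocol-discovery` (all protocols, several interfaces) and `protocols_with_new_traffic` tells you which protocols the sla probes actually touched.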

add other kinds of traffic (tip of the hat to rene at http://gns3vault.com/Labs/all/)

! ICMP Echo
ip sla monitor 1
type echo protocol ipIcmpEcho 100.1.1.1
timeout 0
frequency 5
ip sla monitor schedule 1 start-time now life forever

! DNS Request
ip sla monitor 2
type dns target-addr www.cisco.com name-server 100.1.1.1
timeout 0
frequency 9
ip sla monitor schedule 2 start-time now life forever

! G711 conversation
ip sla monitor 3
type jitter dest-ipaddr 100.1.1.1 dest-port 16384 codec g711ulaw codec-numpackets 50 codec-size 160 codec-interval 20
timeout 0
frequency 1
ip sla monitor schedule 3 start-time now life forever

! G729 conversation
ip sla monitor 4
type jitter dest-ipaddr 100.1.1.1 dest-port 16385 codec g729a codec-numpackets 50 codec-size 20 codec-interval 20
timeout 0
frequency 1
ip sla monitor schedule 4 start-time now life forever

! HTTP GET Traffic
ip sla monitor 5
type http operation get url http://100.1.1.1
frequency 60
ip sla monitor schedule 5 start-time now life forever

! TCPConnect to Telnet
ip sla monitor 6
type tcpConnect dest-ipaddr 100.1.1.1 dest-port 23 control disable
timeout 1000
frequency 2
ip sla monitor schedule 6 life forever start-time now

! TCPConnect to HTTPS
ip sla monitor 7
type tcpConnect dest-ipaddr 100.1.1.1 dest-port 443 control disable
timeout 1000
frequency 3
ip sla monitor schedule 7 life forever start-time now

! TCPConnect to FTP
ip sla monitor 8
type tcpConnect dest-ipaddr 100.1.1.1 dest-port 21 control disable
timeout 1000
frequency 1
ip sla monitor schedule 8 life forever start-time now

! TCPConnect to SSH
ip sla monitor 9
type tcpConnect dest-ipaddr 100.1.1.1 dest-port 22 control disable
timeout 1000
frequency 2
ip sla monitor schedule 9 life forever start-time now

!voip-rtp
ip sla mon 10
voip rtp 100.1.1.1 source-

6.2b, MQC classification, nbar, marking…

a simple network using ospf… on r3 we will classify and mark http and icmp traffic destined for r1 using MQC with NBAR…

click below on qos_mqc… it is a zip with only the ip addressing set up… the host is actually a vm adapter that will need to be adjusted per your system…

qos_mqc

6.2.b qos

r3(config-if)#do sh ip route | b Gate
Gateway of last resort is not set

O    192.168.12.0/24 [110/2] via 192.168.23.2, 01:05:04, FastEthernet1/0
10.0.0.0/24 is subnetted, 1 subnets
O       10.1.1.0 [110/2] via 192.168.34.4, 01:05:04, FastEthernet0/0
C    192.168.23.0/24 is directly connected, FastEthernet1/0
C    192.168.34.0/24 is directly connected, FastEthernet0/0

the 10.1.1.0/24 network is the host subnet hanging off router 4…

first we’ll classify the traffic using two class maps and NBAR (network based application recognition). this is done with the match protocol command, choosing from the list…

r3(config-cmap)#match protocol ?
aarp              AppleTalk ARP
appletalk         AppleTalk
arp               IP ARP
bgp               Border Gateway Protocol

etc…

we’ll match on icmp and http:

(ICMP and HTTP are the names of the class-maps)

class-map match-all ICMP
match protocol icmp
match access-group 1
class-map match-all HTTP
match protocol http
match access-group 1

we want to target only traffic from the host network, so access-list 1 is referenced with access-group 1 in each class-map (match-all: the protocol and the acl must both match)… note that entry 20 permit any makes this acl match every source, so as written it does not restrict anything; remove it if the intent is to mark only 10.1.1.0/24…

r3#sh access-list
Standard IP access list 1
10 permit 10.1.1.0, wildcard bits 0.0.0.255
20 permit any

then we want to mark the traffic using a policy-map

(ICMP-WEB is the name of the policy-map)

policy-map ICMP-WEB
class HTTP
set dscp af21
class ICMP
set dscp af23

note that both markings are in the same assured-forwarding class (af2x); they differ only in drop precedence. af21 (dscp 18) has low drop precedence and af23 (dscp 22) has high, so when a wred-enabled queue congests the icmp is dropped before the http…
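to make the af21 / af23 difference concrete, here is the marking done on raw packets. this is an added example and not code from the post: it builds the dscp codepoints from their class and drop-precedence bits (rfc 2597), rewrites the field in a constructed ipv4 header (keeping the ecn bits and fixing the checksum), and applies the ICMP-WEB policy with match-all semantics. the packets and addresses are made up here, the source check implements what access-list 1 is meant to do (10.1.1.0/24 only), and a tcp destination port 80 test stands in for nbar's stateful `match protocol http`.

```python
"""What `set dscp af21` and `set dscp af23` change in a packet, and why AF23 is
the one a congested queue drops first: both codepoints are assured-forwarding
class 2 and differ only in the drop-precedence bits (RFC 2597). Added example,
not from the post: packets and addresses are constructed, the source-network
check implements the intent of access-list 1, and a TCP/80 port test stands in
for NBAR's stateful HTTP match."""

import ipaddress
import socket
import struct
from typing import Dict, Tuple

HOST_NET = ipaddress.ip_network("10.1.1.0/24")  # what access-list 1 is meant to match


def af_codepoint(af_class: int, drop_prec: int) -> int:
    """AFxy -> 6-bit DSCP: class x in bits 5-3, drop precedence y in bits 2-1."""
    if af_class not in (1, 2, 3, 4) or drop_prec not in (1, 2, 3):
        raise ValueError("AF classes are 1-4, drop precedence 1-3")
    return (af_class << 3) | (drop_prec << 1)


def dscp_name(dscp: int) -> str:
    """Map a DSCP value back to its PHB name: af21, af23, ef, cs1, default."""
    if dscp == 0:
        return "default"
    if dscp == 46:
        return "ef"
    af_class, drop_prec = dscp >> 3, (dscp >> 1) & 0b11
    if af_class in (1, 2, 3, 4) and drop_prec in (1, 2, 3):
        return f"af{af_class}{drop_prec}"
    if dscp & 0b111 == 0:
        return f"cs{af_class}"
    return f"dscp{dscp}"


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; returns 0 over a header whose checksum is valid."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options), DSCP 0, valid header checksum, plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def get_dscp(pkt: bytes) -> int:
    return pkt[1] >> 2  # top six bits of the ToS byte


def set_dscp(pkt: bytes, dscp: int) -> bytes:
    """Rewrite the DSCP bits, keep the two ECN bits, recompute the header checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr = bytearray(pkt[:ihl])
    hdr[1] = (dscp << 2) | (hdr[1] & 0b11)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]


def classify(pkt: bytes) -> str:
    """match-all semantics: the protocol test AND the access-list test must both hold."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    if ipaddress.ip_address(pkt[12:16]) not in HOST_NET:
        return "class-default"
    if proto == 1:  # ICMP
        return "ICMP"
    if proto == 6 and struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0] == 80:  # TCP to port 80
        return "HTTP"
    return "class-default"


POLICY = {"HTTP": af_codepoint(2, 1), "ICMP": af_codepoint(2, 3)}  # policy-map ICMP-WEB


def apply_policy(pkt: bytes) -> Tuple[str, bytes]:
    """Return the class the packet fell into and the packet as it leaves the policy."""
    cls = classify(pkt)
    return cls, (set_dscp(pkt, POLICY[cls]) if cls in POLICY else pkt)


def sample_packets() -> Dict[str, bytes]:
    """Constructed traffic: host -> r1 HTTP SYN, host -> r1 ping, and a ping from outside the host net."""
    tcp_syn_to_80 = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    icmp_echo = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"abcd"
    return {
        "host_http": build_packet("10.1.1.10", "192.168.12.1", 6, tcp_syn_to_80),
        "host_ping": build_packet("10.1.1.10", "192.168.12.1", 1, icmp_echo),
        "other_ping": build_packet("192.168.23.2", "192.168.12.1", 1, icmp_echo),
    }


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        cls, out = apply_policy(pkt)
        print(f"{name:10s} -> {cls:13s} dscp {get_dscp(out):2d} ({dscp_name(get_dscp(out))})")
```

the ping from 192.168.23.2 falls into class-default and leaves with dscp 0 untouched, exactly as the policy-map with no class-default action would do. the port-80 test is the one place this differs from the router: nbar classifies http by inspecting the session, not by port alone.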

then i place the service-policy on the interface that is receiving the host network traffic…

r3(config)#do sh run int f0/0
Building configuration…

Current configuration : 128 bytes
!
interface FastEthernet0/0
ip address 192.168.34.3 255.255.255.

service-policy input ICMP-WEB

before we begin generating traffic, we’ll check on the policy-map interface:

sh policy-map int

the counters are clear; send http:

r1-web

send icmp:

r1-ping

and now we’ll check our work:

r3-policy-map-after

note that traffic matching neither class-map is counted under class-default and, since the policy-map gives class-default no action, is forwarded with its dscp untouched…


3.7.e Implement and troubleshoot scalability

3.7.e (iii) Aggregation, AS set

this simple network illustrates aggregation in bgp, and the use of as_set…

first the difference between as_set and as_sequence…

  • AS_SEQUENCE.  This is the ordered list of ASes that were used in the path to reach the destination.
  • AS_SET.  This is an unordered list of ASes that were used in the path to reach the destination.

as_set

r1 and r3 each have two loopbacks and are advertising the networks:

R1(config-router)#do sh run | b router
router bgp 100
bgp log-neighbor-changes
network 172.16.1.0 mask 255.255.255.0
network 172.16.2.0 mask 255.255.255.0
neighbor 192.168.12.2 remote-as 200

R3(config-router)#do sh run | b router
router bgp 300
bgp log-neighbor-changes
network 172.16.3.0 mask 255.255.255.0
network 172.16.4.0 mask 255.255.255.0
neighbor 192.168.23.2 remote-as 200

r2 will perform the aggregation, but first we’ll look at r4’s bgp table

R4(config-router)#do sh ip bgp | b Network
Network          Next Hop            Metric LocPrf Weight Path
*>  172.16.1.0/24    192.168.24.2                           0 200 100 i
*>  172.16.2.0/24    192.168.24.2                           0 200 100 i
*>  172.16.3.0/24    192.168.24.2                           0 200 300 i
*>  172.16.4.0/24    192.168.24.2                           0 200 300 i

R2(config-router)#do sh run | b router
router bgp 200
bgp log-neighbor-changes
neighbor 192.168.12.1 remote-as 100
neighbor 192.168.23.3 remote-as 300
neighbor 192.168.24.4 remote-as 400

r2 performs aggregation with:

R2(config-router)#aggregate-address 172.16.1.0 255.255.248.0

R4(config-router)#do sh ip bgp | b Net
Network          Next Hop            Metric LocPrf Weight Path
*>  172.16.0.0/21    192.168.24.2             0             0 200 i
*>  172.16.1.0/24    192.168.24.2                           0 200 100 i
*>  172.16.2.0/24    192.168.24.2                           0 200 100 i
*>  172.16.3.0/24    192.168.24.2                           0 200 300 i
*>  172.16.4.0/24    192.168.24.2                           0 200 300 i

without summary-only, r2 advertises the aggregate alongside the more-specific routes, so r4 gets the aggregate and the four /24s…

R2(config-router)#aggregate-address 172.16.1.0 255.255.248.0 summary-only

R4(config-router)#do sh ip bgp | b Net
Network          Next Hop            Metric LocPrf Weight Path
*>  172.16.0.0/21    192.168.24.2             0             0 200 i

R2(config-router)#do sh ip bgp | b Net
Network          Next Hop            Metric LocPrf Weight Path
*>  172.16.0.0/21    0.0.0.0                            32768 i
s>  172.16.1.0/24    192.168.12.1             0             0 100 i
s>  172.16.2.0/24    192.168.12.1             0             0 100 i
s>  172.16.3.0/24    192.168.23.3             0             0 300 i
s>  172.16.4.0/24    192.168.23.3             0             0 300 i

with summary-only the more-specifics are suppressed on r2 (the s> flag) and r4 gets only the aggregate. the price is that the aggregate’s path is now just 200: it is originated by r2 with an empty as_path, so the origin ases 100 and 300 are gone (ios sets the atomic-aggregate attribute to flag that path information was dropped). adding the as-set keyword preserves it, as an unordered as_set…

router bgp 200
aggregate-address 172.16.0.0 255.255.248.0 as-set summary-only

R4(config-router)#do sh ip bgp | b Net
Network          Next Hop            Metric LocPrf Weight Path
*>  172.16.0.0/21    192.168.24.2             0             0 200 {100,300}i
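the path rules behind that output are spelled out in rfc 4271 section 9.2.2.2, and they are easy to check in code. this is an added example, not code from the post or from ios: it aggregates the four routes above the way r2 did, first without as-set (empty path, atomic-aggregate set), then with it (as_set of the component ases), and prepends as 200 as r2 would when sending to r4. the route data is the post’s; the function and type names are mine. the `aggregate_as_path` function implements the general rfc rule (common leading sequence kept ordered, the rest collapsed into a set), which goes beyond the single case in the post.

```python
"""AS_PATH aggregation as RFC 4271 section 9.2.2.2 specifies it, run over the
four routes in the post. Without as-set the aggregate is a new route originated
by AS 200 with an empty AS_PATH and ATOMIC_AGGREGATE set; with as-set the
component ASes survive as an unordered AS_SET, which r4 shows as `200 {100,300}`.
Added example, not from the post or IOS; route data is the post's, names are mine."""

import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

Segment = Tuple[str, List[int]]  # ("SEQ", ordered ASNs) or ("SET", unordered ASNs)


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    as_path: List[Segment]
    origin: str = "i"  # i = IGP, e = EGP, ? = incomplete
    next_hop: str = "0.0.0.0"


def post_routes() -> List[Route]:
    """The more-specifics r2 learns from r1 (AS 100) and r3 (AS 300)."""
    return [
        Route(ipaddress.ip_network("172.16.1.0/24"), [("SEQ", [100])], "i", "192.168.12.1"),
        Route(ipaddress.ip_network("172.16.2.0/24"), [("SEQ", [100])], "i", "192.168.12.1"),
        Route(ipaddress.ip_network("172.16.3.0/24"), [("SEQ", [300])], "i", "192.168.23.3"),
        Route(ipaddress.ip_network("172.16.4.0/24"), [("SEQ", [300])], "i", "192.168.23.3"),
    ]


def aggregate_as_path(paths: List[List[Segment]]) -> List[Segment]:
    """RFC 4271 rules: keep the longest common leading sequence as AS_SEQUENCE,
    collapse everything else into an AS_SET, drop duplicate ASNs, merge adjacent
    segments of the same type."""
    flat = [[(kind, asn) for kind, asns in path for asn in asns] for path in paths]
    common: List[Tuple[str, int]] = []
    for column in zip(*flat):
        if all(t == column[0] for t in column):
            common.append(column[0])
        else:
            break
    tuples = list(common)
    for path in flat:
        tuples.extend(("SET", asn) for _, asn in path[len(common):])
    seen, deduped = set(), []
    for kind, asn in tuples:
        if asn not in seen:
            seen.add(asn)
            deduped.append((kind, asn))
    segments: List[Segment] = []
    for kind, asn in deduped:
        if segments and segments[-1][0] == kind:
            segments[-1][1].append(asn)
        else:
            segments.append((kind, [asn]))
    return [(k, sorted(a) if k == "SET" else a) for k, a in segments]


def aggregate_origin(origins: List[str]) -> str:
    """Incomplete beats EGP beats IGP."""
    if "?" in origins:
        return "?"
    return "e" if "e" in origins else "i"


def aggregate(address: str, mask: str, table: List[Route], as_set: bool,
              summary_only: bool) -> Tuple[Route, bool, List[Route]]:
    """Returns (aggregate route, atomic_aggregate flag, suppressed more-specifics)."""
    # strict=False normalises 172.16.1.0/21 to 172.16.0.0/21, the prefix r4 actually saw
    net = ipaddress.ip_network(f"{address}/{mask}", strict=False)
    covered = [r for r in table if r.prefix != net and r.prefix.subnet_of(net)]
    if as_set:
        agg = Route(net, aggregate_as_path([r.as_path for r in covered]),
                    aggregate_origin([r.origin for r in covered]))
        atomic = False
    else:
        agg = Route(net, [], "i")  # path information discarded, so flag it
        atomic = True
    return agg, atomic, (covered if summary_only else [])


def ebgp_advertise(route: Route, local_as: int) -> Route:
    """Prepend our ASN to the leading AS_SEQUENCE (a new segment if the path starts with an AS_SET)."""
    path = [(kind, list(asns)) for kind, asns in route.as_path]
    if path and path[0][0] == "SEQ":
        path[0][1].insert(0, local_as)
    else:
        path.insert(0, ("SEQ", [local_as]))
    return Route(route.prefix, path, route.origin)


def format_as_path(path: List[Segment]) -> str:
    """IOS-style rendering: sequences as bare ASNs, sets in braces."""
    return " ".join("{" + ",".join(map(str, a)) + "}" if k == "SET" else " ".join(map(str, a))
                    for k, a in path)


if __name__ == "__main__":
    for use_as_set in (False, True):
        agg, atomic, suppressed = aggregate("172.16.1.0", "255.255.248.0", post_routes(),
                                            use_as_set, True)
        seen_by_r4 = ebgp_advertise(agg, 200)
        print(f"as-set={use_as_set}: r4 sees {agg.prefix} path '{format_as_path(seen_by_r4.as_path)}' "
              f"atomic-aggregate={atomic}, {len(suppressed)} more-specifics suppressed")
```

the security angle of as-set is loop prevention: with the path information dropped, a router in as 100 or 300 that later receives the aggregate has no as_path evidence that it helped originate it, whereas `{100,300}` still trips the normal "my own asn is in the path" check.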

6.2b classification

match-all (the default) requires every match statement in the class-map to be true (logical AND); match-any matches when any one of them is true (logical OR)

r3(config-cmap)#match ?
access-group         Access group (match defined acl)
any                  Any packets
class-map            Class map
cos                  IEEE 802.1Q/ISL class of service/user priority values
destination-address  Destination address
discard-class        Discard behavior identifier
dscp                 Match DSCP in IP(v4) and IPv6 packets
fr-de                Match on Frame-relay DE bit
fr-dlci              Match on fr-dlci
input-interface      Select an input interface to match
ip                   IP specific values
mpls                 Multi Protocol Label Switching specific values
not                  Negate this match result
packet               Layer 3 Packet length
precedence           Match Precedence in IP(v4) and IPv6 packets
protocol             Protocol (uses NBAR)
qos-group            Qos-group
source-address       Source address