Solution/Services: QoS
Related: N/A

Enabling QoS on L2/L3 Switches
• Enable QoS on L2/L3 switches

  mls qos

Monitoring QoS

  show policy-map interface <interface>
  show mls qos input-queue
  show mls qos interface <interface> statistics
  show mls qos interface <interface> buffers
  show mls qos interface <interface> queuing
  show mls qos queue-set
  show frame-relay fragment

Configuration Reference Guide | [Q] 401
Classification using ACLs
• Classify all HTTP traffic using an Extended ACL
• Mark classified traffic using DSCP AF11

  ip access-list extended RHG-ACL-DATA-BRONZE
   permit tcp any any eq www
  class-map match-all RHG-CLASS-DATA-BRONZE
   match access-group name RHG-ACL-DATA-BRONZE
  policy-map RHG-POL
   class RHG-CLASS-DATA-BRONZE
    set ip dscp af11

Classification using NBAR
• Classify all Microsoft RDP traffic (TCP/3389) and FTP using NBAR
• Mark classified traffic using DSCP AF21

  ip nbar port-map custom-01 tcp 3389
  class-map match-any RHG-CLASS-DATA-SILVER
   match protocol ftp
   match protocol custom-01
  policy-map RHG-POL
   class RHG-CLASS-DATA-SILVER
    set ip dscp af21
Classification using DSCP
• Classify any traffic that is already marked with DSCP EF
• Match on an existing marking only behind a trust boundary: if untrusted hosts can set DSCP EF themselves, they can place their traffic in the priority queue, so re-mark or police at the edge first

  class-map match-all RHG-CLASS-VOICE-RTP
   match ip dscp ef
FRTS and FRF.12
• Configure Frame Relay Traffic Shaping (FRTS) to shape the WAN connection to 768 kbps for all traffic (Voice, Data) in the QoS policy. The shaper CIR is set to 95% of the PVC rate (729600 = 0.95 * 768000) with Bc = CIR * 10 ms = 7296 bits and Be = 0
• Configure Frame Relay Fragmentation based on the PVC speed of 768 kbps: (PVC speed in bps * 0.010 s) / 8 = (768000 * 0.010) / 8 = 960 bytes

  class-map match-all RHG-CLASS-VOICE-RTP
   match ip dscp ef
  class-map match-any RHG-CLASS-VOICE-CONTROL
   match ip dscp af31
   match ip dscp cs3
  policy-map RHG-POLICY
   class RHG-CLASS-VOICE-RTP
    priority percent 33
   class RHG-CLASS-VOICE-CONTROL
    bandwidth percent 5
   class class-default
    bandwidth percent 25
    random-detect
  policy-map RHG-POLICY-FRTS
   class class-default
    shape average 729600 7296 0
    service-policy RHG-POLICY
  map-class frame-relay RHG-CLASS-FRTS-768
   frame-relay fragment 960
   service-policy output RHG-POLICY-FRTS
  interface Serial0/0/0
   bandwidth 768
   ip address 10.1.2.1 255.255.255.0
   encapsulation frame-relay
   frame-relay class RHG-CLASS-FRTS-768
   frame-relay map ip 10.1.2.2 101 broadcast

  show frame-relay fragment
LFI
• Configure LFI on a PPP Multilink interface

  interface Multilink1
   ip address 10.1.2.1 255.255.255.0
   ppp multilink
   ppp multilink interleave
   ppp multilink fragment delay 10
   ppp multilink group 1
  interface Serial0/0/0
   bandwidth 768
   no ip address
   encapsulation ppp
   ppp multilink
   ppp multilink group 1

Compression using cRTP
• Recommended for slow-speed WAN connections
• Enable RTP Compression (cRTP) for Voice RTP traffic (DSCP EF)
• QoS policy applied outbound on the WAN-facing interface

  class-map match-all RHG-CLASS-VOICE-RTP
   match ip dscp ef
  policy-map RHG-POLICY
   class RHG-CLASS-VOICE-RTP
    compress header ip rtp
  interface Multilink1
   ip address 10.1.2.1 255.255.255.0
   service-policy output RHG-POLICY
Max Reserved Bandwidth
• Change the default max-reserved-bandwidth percentage from 75% to 100% when using CBWFQ

  class-map match-any RHG-CLASS-VOICE-CONTROL
   match ip dscp af31
   match ip dscp cs3
  policy-map RHG-POLICY
   class RHG-CLASS-VOICE-CONTROL
    bandwidth percent 5
  interface Multilink1
   ip address 10.1.2.1 255.255.255.0
   max-reserved-bandwidth 100
   service-policy output RHG-POLICY

QoS Pre-Classification on IPsec VPN
• Provide QoS across the VPN for Voice.
• After encryption the outbound physical interface sees only a single ESP flow between the tunnel endpoints, not the individual inner flows. qos pre-classify keeps a copy of the pre-encryption headers so the policy on the physical interface can still classify on inner addresses and ports.
• IPsec copies the inner DSCP into the outer header by default, so a policy that matches only on DSCP works without qos pre-classify; it is needed here because ACL 100 matches on inner addresses and ports.
• The ACL defines what traffic will be classified for QoS for transit over the VPN tunnel.
• The QoS policy enables LLQ at 50 kbps for Voice RTP traffic (defined in ACL 100). WFQ is enabled for all other unspecified traffic. The QoS policy is applied under the physical interface from which the VPN tunnel is sourced.
• Note: Partial VPN configuration shown using a Tunnel interface.

>> SITE1 (On Left) <<

  access-list 100 permit udp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 range 16384 20000
  access-list 100 permit udp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 range 53000 56000
  class-map voice
   match access-group 100
  policy-map qos-policy
   class voice
    priority 50
   class class-default
    fair-queue
  interface ethernet0/0
   description WAN interface
   ip address 1.1.1.1 255.255.255.0
   service-policy output qos-policy
  interface Tunnel0
   ip address 10.1.1.1 255.255.255.252
   qos pre-classify
   tunnel mode ipsec ipv4
   tunnel source ethernet0/0
   tunnel destination 2.2.2.2
   tunnel protection ipsec profile vpn
Policing using MQC
• Police (or rate limit) ICMP traffic to 64 kbps on the WAN interface (police 64000 8000: 64000 bps with a burst of 8000 bytes)
• Any ICMP traffic that exceeds the rate is dropped
• The class name under the policy-map must match the class-map exactly; a mistyped class name leaves the intended traffic unpoliced

  ip access-list extended RHG-ACL-ICMP
   permit icmp any any
  class-map match-any RHG-CLASS-ICMP
   match access-group name RHG-ACL-ICMP
  policy-map RHG-POL
   class RHG-CLASS-ICMP
    police 64000 8000 exceed-action drop
  interface GigabitEthernet1/0/1
   ip address 1.1.1.1 255.255.255.0
   service-policy input RHG-POL
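Because MQC configuration is a web of names (ACL, class-map, policy-map, interface), a single typo such as `class CLASS-ICMP` under a policy-map whose class-map is called RHG-CLASS-ICMP silently changes what gets policed. The following Python is an added example, not part of the guide or of any Cisco tool: it is a small linter that resolves those cross-references over a config text and also sums `priority percent` / `bandwidth percent` per policy-map against the classic CBWFQ max-reserved-bandwidth default of 75%. The function name `lint_mqc` and the constructed `SAMPLE` (the page's ICMP policing example with the class name mistyped on purpose) are choices made here.

```python
"""Cross-reference linter for Cisco IOS MQC configuration text (added example).

Parses only the syntax seen on this page: named/numbered ACLs, class-maps with
`match access-group`, policy-maps with `class` entries, nested and interface
`service-policy` statements, and `priority percent` / `bandwidth percent`.
Reports names referenced but never defined, and policy-maps whose percent
reservations exceed the classic CBWFQ max-reserved-bandwidth default of 75%.
"""


def lint_mqc(config, max_reserved=75):
    """Return a list of problem strings; an empty list means the checks passed."""
    defined = {"acl": set(), "class": {"class-default"}, "policy": set()}
    refs, budget, policy = [], {}, None
    for no, raw in enumerate(config.splitlines(), 1):
        t = raw.split()
        if not t:
            continue
        head = t[0]
        if head == "ip" and t[1:2] == ["access-list"] and len(t) > 3:
            defined["acl"].add(t[3])                     # ip access-list extended NAME
        elif head == "access-list":
            defined["acl"].add(t[1])                     # access-list 100 ...
        elif head == "class-map":
            defined["class"].add(t[-1])                  # class-map [match-all|match-any] NAME
            policy = None
        elif head == "policy-map":
            defined["policy"].add(t[1])
            policy, budget[t[1]] = t[1], 0
        elif head in ("interface", "control-plane", "map-class"):
            policy = None                                # leaving policy-map mode
        elif head == "match" and t[1:2] == ["access-group"]:
            refs.append(("acl", t[-1], no))              # "name NAME" or a bare number
        elif head == "class" and policy:
            refs.append(("class", t[1], no))
        elif head == "service-policy":
            refs.append(("policy", t[-1], no))
        elif head in ("priority", "bandwidth") and policy and t[1:2] == ["percent"]:
            budget[policy] += int(t[2])                  # "bandwidth remaining percent" is not counted
    problems = [f"line {no}: {kind} '{name}' is referenced but never defined"
                for kind, name, no in refs if name not in defined[kind]]
    for name, pct in budget.items():
        if pct > max_reserved:
            problems.append(f"policy-map {name}: {pct}% reserved exceeds max-reserved-bandwidth {max_reserved}%")
    return problems


# Constructed sample: the page's ICMP policing example with a mistyped class name.
SAMPLE = """\
ip access-list extended RHG-ACL-ICMP
 permit icmp any any
class-map match-any RHG-CLASS-ICMP
 match access-group name RHG-ACL-ICMP
policy-map RHG-POL
 class CLASS-ICMP
  police 64000 8000 exceed-action drop
interface GigabitEthernet1/0/1
 ip address 1.1.1.1 255.255.255.0
 service-policy input RHG-POL
"""

if __name__ == "__main__":
    for problem in lint_mqc(SAMPLE):
        print(problem)
    print("fixed:", lint_mqc(SAMPLE.replace("class CLASS-ICMP", "class RHG-CLASS-ICMP")))
```

Run it against a `show running-config` dump before pushing a policy; the percent check is only meaningful on classic CBWFQ platforms where max-reserved-bandwidth applies, so pass max_reserved=100 where that limit has been raised as in the Max Reserved Bandwidth example.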
Policing using MQC (Bi-Directional)
• Rate limit an interface/switchport to 500 kbps for both upload and download

  policy-map RHG-POL-POLICE
   class class-default
    police rate 500000 conform-action transmit exceed-action drop
  interface FastEthernet0/0
   service-policy input RHG-POL-POLICE
   service-policy output RHG-POL-POLICE

>> Speakeasy Speed Tests: <<
Download Speed: 488 kbps (61 KB/sec transfer rate) ; input
Upload Speed: 431 kbps (53.9 KB/sec transfer rate) ; output

>> Monitor Command(s): <<

  show policy-map interface fastEthernet 0/0

CAR
• Legacy command; policing under MQC is recommended instead
• Using CAR, rate limit all ICMP traffic to 2 Mbps with some bursting allowed (normal burst 512000 bytes, maximum burst 786000 bytes)

  access-list 101 permit icmp any any
  interface POS4/0
   rate-limit input access-group 101 2000000 512000 786000 conform-action transmit exceed-action drop
OC-3 Shaping
• Applied on an OC-3 interface with no sub-interfaces configured
• Limit traffic to the OC-3 payload rate (149.76 Mbps of the 155.52 Mbps line rate)
• Note: the policy below uses police, which drops traffic above the CIR rather than queueing it; shape average with the same CIR would buffer bursts instead

  policy-map RHG-OC3-TS-POLICY
   class class-default
    police cir 149760000 bc 74880 be 74880 conform-action transmit exceed-action drop

Control Plane Policing (CoPP)
• Rate limit ICMP traffic to the control plane to 1.5 kbps (police 1500; police rates are in bits per second)
• Exclude ICMP sourced from 192.168.10.10 from that class. A deny entry in a class-map ACL only removes the traffic from the class: this host's ICMP falls through to class-default and is policed at that class's rate, it is not exempted. A source address is also trivially spoofed, so an ACL entry is not a reliable way to exempt a management host from CoPP.
• All other control plane traffic not matched above is policed to 125 kbps (police 125000; the figure of 1.2 Mbps sometimes quoted for this example would be police 1200000) with bursts up to ~4 KB (3906 bytes)
• Apply the policy to the control-plane interface

  ip access-list extended coppacl-mon
   remark ICMP rate limiting on control-plane
   deny icmp host 192.168.10.10 any
   permit icmp any any ttl-exceeded
   permit icmp any any port-unreachable
   permit icmp any any echo-reply
   permit icmp any any echo
  class-map match-all coppclass-mon
   match access-group name coppacl-mon
  policy-map copp-policy
   class coppclass-mon
    police 1500 1500 conform-action transmit exceed-action drop
   class class-default
    police 125000 3906 3906 conform-action transmit exceed-action drop
  control-plane
   service-policy input copp-policy
AutoQoS for IP Phone + Desktop Ports
• Configure Auto-QoS on switch ports with connected Cisco IP Phones and Desktops
• Data VLAN = 100
• Voice VLAN = 200
• The port trusts the phone's markings only while CDP detects a Cisco IP Phone; a desktop connected without a phone is not trusted

  mls qos
  interface FastEthernet0/7
   switchport access vlan 100
   switchport mode access
   switchport voice vlan 200
   auto qos voip cisco-phone

AutoQoS for Uplink/Downlink Ports
• Configure Auto-QoS on uplink/downlink switch ports
• auto qos voip trust accepts incoming markings unconditionally, so use it only toward other trusted switches, never on user-facing ports

  mls qos
  interface GigabitEthernet0/1
   switchport trunk encapsulation dot1q
   switchport trunk allowed vlan 100,200
   switchport mode trunk
   auto qos voip trust
LLQ
• Configure LLQ for Voice RTP traffic (marked using DSCP EF) at 33% of the interface's bandwidth.
• The value after the "priority" keyword can be a bandwidth value (kbps) or a percentage of the total bandwidth.
• After the bandwidth or percent value you can add a burst value in bytes. If you omit it, it is calculated automatically.
• LLQ can only be applied outbound on an interface.

  class-map match-all RHG-CLASS-VOICE-RTP
   match ip dscp ef
  policy-map RHG-POLICY
   class RHG-CLASS-VOICE-RTP
    priority percent 33
  interface Multilink1
   service-policy output RHG-POLICY

CBWFQ
• Configure CBWFQ for Voice Control traffic (marked with DSCP AF31 or CS3) at 5% of the interface's bandwidth

  class-map match-any RHG-CLASS-VOICE-CONTROL
   match ip dscp af31
   match ip dscp cs3
  policy-map RHG-POLICY
   class RHG-CLASS-VOICE-CONTROL
    bandwidth percent 5
  interface Multilink1
   service-policy output RHG-POLICY

WRED
• Enable WRED for Congestion Avoidance under the default class for any traffic not matched elsewhere in the QoS policy

  policy-map RHG-POLICY
   class class-default
    random-detect
WRED (DSCP-Based)
• Enable DSCP-based WRED for Congestion Avoidance for all FTP traffic

  class-map match-all RHG-CLASS-DATA-GOLD
   match protocol ftp
  policy-map RHG-POLICY
   class RHG-CLASS-DATA-GOLD
    random-detect dscp-based
Solution/Services: Administration/System
Related: AAA

Basic RADIUS Configuration
• Enable RADIUS for user authentication (e.g. Telnet/SSH)
• All RADIUS communication will be sourced from the FastEthernet0/0 interface
• RADIUS server is 192.168.10.10 and the shared key is cisco123 (a placeholder: use a long random secret, since the key is stored in the configuration and type 7 obfuscation is reversible)
• If the RADIUS server is not available, use the local user database. The local method is consulted only when no RADIUS server responds; a RADIUS reject is final and does not fall back, so keep a local username defined for out-of-band recovery
• Enter aaa new-model only after that local user exists: it applies the default login list to all lines immediately

  aaa new-model
  aaa authentication login default group radius local
  aaa authorization exec default local
  ip radius source-interface FastEthernet0/0
  radius-server host 192.168.10.10 auth-port 1812 acct-port 1813 key cisco123
Solution/Services: Security: Cisco IOS Firewalls
Related: N/A

Stateful Firewall Configuration using Reflexive ACL (rACL)
• Specify the traffic that will be tracked as stateful traffic and allowed back in. Reflexive entries are keyed on the addresses and ports of the outbound session, not on TCP state, so this is session tracking rather than full stateful inspection. GRE and ESP are permitted statically outbound.

  ip reflexive-list timeout 120
  ip access-list extended egress-acl
   permit icmp any any reflect reflexive-acl
   permit tcp any any reflect reflexive-acl
   permit udp any any reflect reflexive-acl
   permit gre any any
   permit esp any any

• Specify the inbound ACL policy for traffic that originates from the outside into our network. The first three entries drop packets with spoofed RFC 1918 source addresses; the evaluate entry admits return traffic for sessions recorded by egress-acl; everything else is denied and logged.
• Caution: "permit tcp any eq ftp-data any" admits any inbound TCP connection whose source port is 20, to any inside address and port, and a remote client chooses its own source port. It exists only for active-mode FTP data connections; prefer passive FTP or application inspection and remove this entry.
• The ACLs still have to be applied to the outside interface (egress-acl outbound, ingress-acl inbound); that step is not shown here.

  ip access-list extended ingress-acl
   deny ip 10.0.0.0 0.255.255.255 any
   deny ip 172.16.0.0 0.15.255.255 any
   deny ip 192.168.0.0 0.0.255.255 any
   permit tcp any host 1.1.1.10 eq smtp
   permit tcp any host 1.1.1.10 eq 443
   permit tcp any host 1.1.1.10 eq www
   permit icmp any any echo-reply
   permit udp any host 1.1.1.1 eq isakmp
   permit udp any host 1.1.1.1 eq 4500
   permit esp any host 1.1.1.1
   permit udp host 6.7.7.8 any eq snmp
   permit tcp any eq ftp-data any
   evaluate reflexive-acl
   deny ip any any log
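Both the CoPP example (class ACL coppacl-mon) and the reflexive ACL above depend on the same two rules: an extended ACL is evaluated top-down with first match and an implicit deny, and a class-map with match access-group matches only when that ACL permits. The following Python is an added example written for this page, not code from the guide or from Cisco; it implements those rules for the ACL syntax used here and checks two consequences on constructed packets: ICMP from 192.168.10.10 is not exempted from CoPP but lands in class-default (policed at 125 kbps), and the ftp-data entry in ingress-acl admits an inbound SYN from source port 20 to any inside host and port. The names Packet, parse_acl, evaluate and classify, the packet values, and the abridged copy of ingress-acl are all choices made here.

```python
"""IOS extended-ACL evaluator and MQC class lookup (added example, not from the guide).

Models the ACL syntax used on this page: permit/deny, a protocol keyword, any /
host A / A WILDCARD addresses, eq PORT / range A B qualifiers and ICMP type
keywords. evaluate lines and trailing reflect/log keywords are not modelled, and
wildcard masks must be contiguous. All packets below are constructed samples.
"""
import ipaddress
from collections import namedtuple

PORT_NAMES = {"www": 80, "smtp": 25, "ftp": 21, "ftp-data": 20, "isakmp": 500, "snmp": 161}
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "ttl-exceeded": 11, "port-unreachable": 3}
ANY_PORT = (0, 65535)
Packet = namedtuple("Packet", "proto src dst sport dport icmp_type", defaults=(0, 0, -1))
Ace = namedtuple("Ace", "action proto src sports dst dports icmp_type text")

def _addr(tok):
    """Consume one address spec, returning (network, remaining tokens)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1]), tok[2:]
    # "A.B.C.D WILDCARD": ipaddress accepts an inverted (host) mask directly
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def _ports(tok, proto):
    """Optional eq/range qualifier; only parsed for tcp/udp entries."""
    def port(s):
        return int(PORT_NAMES.get(s, s))  # named or numeric port
    if proto in ("tcp", "udp") and tok and tok[0] == "eq":
        return (port(tok[1]), port(tok[1])), tok[2:]
    if proto in ("tcp", "udp") and tok and tok[0] == "range":
        return (port(tok[1]), port(tok[2])), tok[3:]
    return ANY_PORT, tok

def parse_acl(text):
    """Parse ACE lines in order; remark, evaluate and blank lines are skipped."""
    acl = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue
        action, proto, rest = tok[0], tok[1], tok[2:]
        src, rest = _addr(rest)
        sports, rest = _ports(rest, proto)
        dst, rest = _addr(rest)
        dports, rest = _ports(rest, proto)
        itype = ICMP_TYPES[rest[0]] if proto == "icmp" and rest and rest[0] in ICMP_TYPES else -1
        acl.append(Ace(action, proto, src, sports, dst, dports, itype, line.strip()))
    return acl

def _matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src or ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    if pkt.proto in ("tcp", "udp") and not (ace.sports[0] <= pkt.sport <= ace.sports[1]
                                             and ace.dports[0] <= pkt.dport <= ace.dports[1]):
        return False
    return ace.proto != "icmp" or ace.icmp_type in (-1, pkt.icmp_type)

def evaluate(acl, pkt):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for ace in acl:
        if _matches(ace, pkt):
            return ace.action, ace.text
    return "deny", "implicit deny"

def classify(classes, pkt):
    """MQC lookup for match access-group class-maps: the first class whose ACL
    permits the packet wins; a deny entry only excludes the packet from that class."""
    for name, acl in classes:
        if evaluate(acl, pkt)[0] == "permit":
            return name
    return "class-default"

# Sample input copied from the page: the CoPP class ACL and an abridged ingress-acl.
COPP_CLASSES = [("coppclass-mon", parse_acl("""
 deny icmp host 192.168.10.10 any
 permit icmp any any ttl-exceeded
 permit icmp any any port-unreachable
 permit icmp any any echo-reply
 permit icmp any any echo"""))]
COPP_RATE_BPS = {"coppclass-mon": 1500, "class-default": 125000}
INGRESS_ACL = parse_acl("""
 deny ip 10.0.0.0 0.255.255.255 any
 permit tcp any host 1.1.1.10 eq 443
 permit tcp any host 1.1.1.10 eq www
 permit icmp any any echo-reply
 permit esp any host 1.1.1.1
 permit udp host 6.7.7.8 any eq snmp
 permit tcp any eq ftp-data any
 evaluate reflexive-acl
 deny ip any any log""")

if __name__ == "__main__":
    cls = classify(COPP_CLASSES, Packet("icmp", "192.168.10.10", "1.1.1.1", icmp_type=8))
    print(f"ICMP from 192.168.10.10 -> {cls}, policed at {COPP_RATE_BPS[cls]} bps")
    print("SYN from source port 20 ->", evaluate(INGRESS_ACL, Packet("tcp", "203.0.113.5", "1.1.1.50", 20, 22)))
```

The evaluator deliberately ignores the evaluate entry, so it answers only what the static rules admit; anything it permits is reachable by an outside host regardless of reflexive state, which is exactly the question to ask of the ftp-data line.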