Posts Tagged ‘CCIE in Security’

Manual RSVP Reservations

February 8th, 2012   by Daniel

In this example, we will assume that we have a host device, acting as the sender, with IP address 192.168.100.202 and a second host, acting as the receiver, with IP address 192.168.9.100. The first host is connected to the FastEthernet0/0 interface on Router1:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip address 192.168.100.21 255.255.255.0
Router1(config-if)#ip rsvp bandwidth 128 56
Router1(config-if)#exit
Router1(config)#interface Serial0/0
Router1(config-if)#no ip address
Router1(config-if)#encapsulation frame-relay
Router1(config-if)#fair-queue 64 256 37
Router1(config-if)#ip rsvp bandwidth
Router1(config-if)#exit
Router1(config)#interface Serial0/0.1 point-to-point
Router1(config-subif)#ip address 192.168.55.9 255.255.255.252
Router1(config-subif)#frame-relay interface-dlci 904
Router1(config-fr-dlci)#ip rsvp bandwidth 128 56
Router1(config-subif)#exit
Router1(config)#ip rsvp sender 192.168.9.100 192.168.100.202 UDP 1300 1300 192.168.100.202 FastEthernet0/0 55 1
Router1(config)#end
Router1#

The second host is connected to the Ethernet0/0 interface on Router4, which is several hops away:

Router4# configure terminal
Router4(config)#interface Ethernet0/0
Router4(config-if)#ip address 192.168.9.3 255.255.255.0
Router4(config-if)#ip rsvp bandwidth 128 56
Router4(config-if)#exit
Router4(config)#interface Serial0/0
Router4(config-if)#no ip address
Router4(config-if)#encapsulation frame-relay
Router4(config-if)#fair-queue 64 256 37
Router4(config-if)#ip rsvp bandwidth
Router4(config-if)#exit
Router4(config)#interface Serial0/0.1 point-to-point
Router4(config-subif)#ip address 192.168.56.5 255.255.255.252
Router4(config-subif)#frame-relay interface-dlci 107
Router4(config-fr-dlci)#ip rsvp bandwidth 128 56
Router4(config-subif)#exit
Router4(config)#ip rsvp reservation 192.168.9.100 192.168.100.202 UDP 1300 1300 192.168.9.100 Ethernet0/0 FF RATE 55 1
Router4(config)#end
Router4#

It is worthwhile to review how RSVP works before looking at the mechanics of this recipe. A host that wants to send a data stream to a particular destination address or multicast group first makes an RSVP request to its first-hop router. This request asks for a particular set of QoS parameters, such as application bandwidth requirements, and specifies the destination IP address. Each router decides whether it can meet the requirement, accepting or rejecting the reservation. They then make the same request of the next hop router along the path to the destination. Once all of the routers between the source and destination have reserved the appropriate resources, the original host can begin transmitting application data, using the reserved resources along the entire data path.

The method is identical for unicast and multicast reservation requests, with each router relaying the request to a downstream peer until all of the destinations have been reached. Note that RSVP is inherently unidirectional. That is, it requests resources for sending data from a particular source to a particular destination or multicast group. If you want to reserve network resources to support a two-way unicast application, both the sender and the receiver must separately initiate requests.

RESV and PATH messages

There are two general message types in RSVP: PATH and RESV. The initial request begins with a PATH message. The PATH message describes the specific flow that will use this reservation, so it includes the source and destination IP addresses, as well as the IP protocol, such as TCP or UDP, and any port numbers. The PATH message also includes the requested average bit rate and burst size.

The PATH message is received by an upstream router, or perhaps the ultimate destination. If it is received by an intermediate router, this router must analyze the request and decide whether it can honor it. Ultimately, if the request is accepted, the router will create a new PATH message, requesting the same resource reservation from the next upstream router, but specifying itself as the source.

PATH messages always flow from the requester toward the destination.

RESV messages flow in the opposite direction. The RESV CONFIRM messages describe the actual detailed bit rate and delay characteristics required to fulfill the PATH request. If an upstream router doesn't have the necessary resources to fulfill the request, it responds with a RESV ERROR message.

In Cisco router configuration, you can configure static PATH requests by using the ip rsvp sender and ip rsvp sender-host commands. And you can make static reservations, which will be described to upstream routers in RESV messages, using the ip rsvp reservation and ip rsvp reservation-host commands. We will describe all of these commands below.
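To make the hop-by-hop admission decision concrete, here is an added Python model of the PATH/RESV exchange along the Router1 to Router4 path. It is an example written for this page, not code from the post or from Cisco. It assumes the IOS meaning of ip rsvp bandwidth <interface-kbps> <single-flow-kbps> (the first value is the total an interface may reserve, the second the largest single flow it will admit); Router1 and Router4 use the 128/56 values from the configuration above, and the Router2 and Router3 interface values are assumed to be configured the same way.

```python
"""Hop-by-hop RSVP admission control along the Router1 -> Router4 path.

Added example, not code from the original post or from Cisco. It models the
IOS semantics of `ip rsvp bandwidth <interface-kbps> <single-flow-kbps>`:
the first value is the total bandwidth an interface may reserve, the second
the largest single flow it will admit. Router1 and Router4 use the values
from the post; the Router2/Router3 interfaces are assumed to match them."""

from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Interface:
    """One downstream interface on the path with its RSVP bandwidth pool."""
    router: str
    name: str
    reservable_kbps: int     # ip rsvp bandwidth <interface-kbps> ...
    max_flow_kbps: int       # ... <single-flow-kbps>
    reserved_kbps: int = 0   # running total of admitted reservations

    def admit(self, rate_kbps: int) -> Optional[str]:
        """Admission control for one RESV: None if admitted, else the reason."""
        if rate_kbps > self.max_flow_kbps:
            return f"{rate_kbps}k exceeds single-flow limit {self.max_flow_kbps}k"
        if self.reserved_kbps + rate_kbps > self.reservable_kbps:
            return (f"{self.reserved_kbps}k already reserved, {rate_kbps}k more "
                    f"exceeds pool of {self.reservable_kbps}k")
        self.reserved_kbps += rate_kbps
        return None


@dataclass
class Flow:
    """Flow description carried in the PATH message (the ip rsvp sender args)."""
    session: str        # destination (receiver) address
    sender: str
    proto: str
    dport: int
    sport: int
    rate_kbps: int      # average bit rate
    burst_kbytes: int   # burst size


@dataclass
class Outcome:
    admitted: bool
    path_hops: List[str]     # routers holding PATH state, sender side first
    resv_hops: List[str]     # routers that admitted the RESV, receiver side first
    error: str = ""          # the RESV ERROR text, if any


def build_path() -> List[Interface]:
    """Downstream interfaces from Router1 to Router4 (Router2/Router3 assumed)."""
    return [
        Interface("Router1", "Se0/0.1", 128, 56),
        Interface("Router2", "Fa0/0", 128, 56),    # assumed configuration
        Interface("Router3", "Se0/0.1", 128, 56),  # assumed configuration
        Interface("Router4", "Et0/0", 128, 56),
    ]


def reserve(path: List[Interface], flow: Flow) -> Outcome:
    """PATH walks downstream installing state; the receiver answers with a
    RESV that walks back upstream, and every hop runs admission control.
    A refusal becomes a RESV ERROR and any hops already reserved roll back."""
    path_hops = [hop.router for hop in path]  # PATH state needs no admission
    resv_hops: List[str] = []
    for idx in range(len(path) - 1, -1, -1):
        hop = path[idx]
        err = hop.admit(flow.rate_kbps)
        if err:
            for done in path[idx + 1:]:       # downstream hops that admitted it
                done.reserved_kbps -= flow.rate_kbps
            return Outcome(False, path_hops, resv_hops,
                           f"RESV ERROR from {hop.router} {hop.name}: {err}")
        resv_hops.append(hop.router)
    return Outcome(True, path_hops, resv_hops)


if __name__ == "__main__":
    path = build_path()
    # The post's flow: UDP 1300 -> 1300, 55 kbps average, 1 kbyte burst.
    video = Flow("192.168.9.100", "192.168.100.202", "UDP", 1300, 1300, 55, 1)
    for attempt in range(3):              # third copy overflows the 128k pool
        out = reserve(path, video)
        print(attempt + 1, "admitted" if out.admitted else out.error)
    # A 60 kbps flow is refused by the single-flow limit even on an empty pool.
    print(reserve(build_path(), Flow("192.168.9.100", "192.168.100.202",
                                     "UDP", 1301, 1301, 60, 1)).error)
```

Running it shows two 55 kbps reservations fitting into the 128 kbps pool, the third refused by Router4 before any upstream hop commits, and a 60 kbps request refused by the 56 kbps single-flow limit regardless of how empty the pool is; the per-flow cap is what stops one host from claiming an interface's whole reservable bandwidth.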

Two service types

There are two distinct types of service that a host can specify in an RSVP request. The first is called Controlled Load Service, which is specified in RFC 2211, and the second, called either Guaranteed Quality of Service or, more accurately, Guaranteed Bit Rate Service, is specified in RFC 2212.

Controlled Load Service, in a nutshell, means that the network behaves as if each segment were completely unloaded and therefore uncongested, but with bandwidth limited to the requested amount. Cisco routers implement this type of service by isolating the different flows and employing queuing mechanisms that mimic this type of response.

Guaranteed Bit Rate Service is somewhat more complicated. This service means that the network will mathematically guarantee the worst-case end-to-end queuing delay. There are two things to note about this description, however. First, it only guarantees the worst-case latency, not the average latency. The second is that, despite this, it is possible to make an estimate of the jitter, as this is governed by the worst-case latency. As long as the worst-case latency is small, then the jitter can be effectively minimized by employing small amounts of buffering on the end devices.

Controlled Load Service is well suited to many TCP applications, which tend to behave well until they encounter congestion and dropped packets. Conversely, Guaranteed Bit Rate Service tends to be a better choice for real-time voice and video applications.

The examples

Everything we have described so far implies that the source and destination host devices or applications are making the RSVP requests. However, this is not necessarily the case. In fact, many applications that require this type of QoS support do not have RSVP capabilities. So, in this recipe, we show how to configure the routers themselves to initiate requests on behalf of the hosts.

That recipe also contains information about the basic RSVP configurations used on the routers between Router1 and Router4 (which we have mysteriously decided to call Router2 and Router3).

The ip rsvp sender command tells the router to act as if it is periodically receiving RSVP PATH requests from the specified source device:

Router1(config)#ip rsvp sender 192.168.9.100 192.168.100.202 UDP 1300 1300 192.168.100.202 FastEthernet0/0 55 1

You use this command as a proxy for a real device that is unable to send real RSVP PATH requests. So it includes all of the information that appears in a PATH request packet.

The first several arguments of this command specify the IP flow that will be using this reservation. The first two arguments specify the source and destination IP addresses, respectively. Then we have stipulated that it will use the UDP protocol with source and destination ports both equal to 1300.

The next two arguments, 192.168.100.202 and FastEthernet0/0, specify the previous-hop IP address and interface, respectively. Because we put this command on the first hop router, they may seem redundant, but actually we could put this command anywhere in the network to simulate an upstream source device.

The last two arguments request an average bit rate of 55 kbps and a burst of 1 kbyte.

Then, on the other router, we have configured a corresponding command that simulates a device sending RSVP RESV messages back toward the source:

Router4(config)#ip rsvp reservation 192.168.9.100 192.168.100.202 UDP 1300 1300 192.168.9.100 Ethernet0/0 FF RATE 55 1

Many of the arguments of this command are identical to what we saw a moment ago for the sender command. We specified the same IP addresses and UDP port numbers to define the flow. And the last two arguments just duplicate the average bit rate and burst size from the previous discussion.

The differences are that, where the sender command specified the previous-hop IP address and interface, here we specify the next-hop IP address and interface. Then we have two new keywords, FF and RATE.

The FF keyword indicates that this is a Fixed Filter style reservation. There are three available styles of reservation. Fixed Filter means that this reservation is for a particular flow specification only. No other applications or sessions are permitted to use it. We could have instead specified either SE or WF.

SE indicates that the router will use a Shared Explicit filter for the reservation. This means that the receiving device is specifying a list of source devices and indicating that they may all share the same reservation.

And WF means that the reservation can be shared by a Wildcard Filter. This effectively means that any source can take part in this reservation.

Finally, the RATE keyword in the ip rsvp reservation command tells the network to use Guaranteed Bit Rate service type. The other option here is LOAD, which indicates a Controlled Load service type. The receiver makes this service type request, which is why it only appears in the ip rsvp reservation command, and not in the ip rsvp sender command.

There are several useful commands for looking at the RSVP reservations. You can look at the current status of any PATH and RESV messages passing through your network with the show ip rsvp sender and show ip rsvp reservation commands. These commands give the full details on every such RSVP exchange, whether it originates with a static command on the router, as in this recipe, or with a dynamically generated request from a real host:

Router1#show ip rsvp sender
To              From            Pro DPort Sport Prev Hop        I/F      BPS
192.168.9.100   192.168.100.202 UDP 1300  1300  192.168.100.202 Fa0/0    55K
Router1#show ip rsvp reservation
To              From            Pro DPort Sport Next Hop        I/F      Fi Serv BPS
192.168.9.100   192.168.100.202 UDP 1300  1300  192.168.55.10   Se0/0.1  FF RATE 55K

Router1#

So if we go to another router in the path and enter these commands again, we see the same information:

Router2#show ip rsvp sender
To              From            Pro DPort Sport Prev Hop        I/F      BPS
192.168.9.100   192.168.100.202 UDP 1300  1300  192.168.55.9    Se0/0.1  55K
Router2#show ip rsvp reservation
To              From            Pro DPort Sport Next Hop        I/F      Fi Serv BPS
192.168.9.100   192.168.100.202 UDP 1300  1300  192.168.101.7   Fa0/0    FF RATE 55K

Router2#
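When the same two show commands are collected from every router in the path, it is easy to miss a reservation that does not match what was configured. Below is an added Python example (not code from the post or from Cisco) that parses the show ip rsvp sender and show ip rsvp reservation tables and audits the reservations against an allowlist of expected flows. The SAMPLE text is the Router1 output quoted above, embedded so the example runs offline; the column keys (to, from, prev_hop, next_hop, style, service and so on) are labels chosen here for the columns the router prints.

```python
"""Parse `show ip rsvp sender` / `show ip rsvp reservation` output and audit
the reservations a router holds against the ones we expect.

Added example, not code from the original post or from Cisco. SAMPLE is the
Router1 output quoted in the post, embedded so the example runs offline; the
column keys are this script's own labels for the columns shown there."""

from typing import Dict, List, Tuple

SAMPLE = """\
Router1#show ip rsvp sender
To              From            Pro DPort Sport Prev Hop        I/F      BPS
192.168.9.100   192.168.100.202 UDP 1300  1300  192.168.100.202 Fa0/0    55K
Router1#show ip rsvp reservation
To            From          Pro DPort Sport Next Hop      I/F      Fi Serv BPS
192.168.9.100 192.168.100.202 UDP 1300  1300  192.168.55.10 Se0/0.1  FF RATE 55K

Router1#
"""

SENDER_COLS = ("to", "from", "proto", "dport", "sport", "prev_hop", "intf", "bps")
RESV_COLS = ("to", "from", "proto", "dport", "sport", "next_hop", "intf",
             "style", "service", "bps")
FLOW_KEYS = ("to", "from", "proto", "dport", "sport")   # what identifies a flow

Row = Dict[str, str]


def parse_bps(text: str) -> int:
    """'55K' -> 55000; also handles M/G suffixes and plain integers."""
    units = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}
    text = text.strip().upper()
    if text and text[-1] in units:
        return int(float(text[:-1]) * units[text[-1]])
    return int(text)


def parse_show_rsvp(text: str) -> Tuple[List[Row], List[Row]]:
    """Split a captured session into sender (PATH) and reservation (RESV) rows.
    The prompt lines decide which table the following rows belong to."""
    senders: List[Row] = []
    reservations: List[Row] = []
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("#show ip rsvp sender"):
            table = "sender"
        elif line.endswith("#show ip rsvp reservation"):
            table = "resv"
        elif line.endswith("#"):          # bare prompt closes the table
            table = None
        elif line.startswith("To "):      # column header line
            continue
        else:
            cols = line.split()
            if table == "sender" and len(cols) == len(SENDER_COLS):
                senders.append(dict(zip(SENDER_COLS, cols)))
            elif table == "resv" and len(cols) == len(RESV_COLS):
                reservations.append(dict(zip(RESV_COLS, cols)))
    return senders, reservations


def audit(reservations: List[Row], expected: List[Row]) -> List[str]:
    """Compare parsed reservations with an allowlist: same flow, same style
    and service, and a rate no higher than allowed. Empty list means clean."""
    findings: List[str] = []
    matched = set()
    for r in reservations:
        flow = tuple(r[k] for k in FLOW_KEYS)
        label = f"{r['from']} -> {r['to']}"
        exp = next((e for e in expected
                    if tuple(e[k] for k in FLOW_KEYS) == flow), None)
        if exp is None:
            findings.append(f"unexpected reservation for {label}")
            continue
        matched.add(flow)
        for key in ("style", "service"):
            if r[key] != exp[key]:
                findings.append(f"{label}: {key} {r[key]} != expected {exp[key]}")
        if parse_bps(r["bps"]) > parse_bps(exp["bps"]):
            findings.append(f"{label}: rate {r['bps']} above allowed {exp['bps']}")
    for e in expected:
        if tuple(e[k] for k in FLOW_KEYS) not in matched:
            findings.append(f"missing reservation for {e['from']} -> {e['to']}")
    return findings


# The reservation this recipe configures on Router4, as it should appear.
EXPECTED: List[Row] = [{"to": "192.168.9.100", "from": "192.168.100.202",
                        "proto": "UDP", "dport": "1300", "sport": "1300",
                        "style": "FF", "service": "RATE", "bps": "55K"}]

if __name__ == "__main__":
    senders, reservations = parse_show_rsvp(SAMPLE)
    print("PATH state:", senders)
    print("RESV state:", reservations)
    print("findings:", audit(reservations, EXPECTED) or "none")
```

The audit is deliberately one-directional on rate: a reservation below the allowed rate is fine, one above it or with a different filter style or service type is reported, and a flow that is reserved but not on the list is reported as unexpected, which is the case that matters most when hosts rather than routers originate the requests.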
Post in CCIE R&S | No Comments »

Options to get CCIE Certification

January 17th, 2012   by Daniel

Recommended CCIE training, and the exact procedure to get CCIE certification.

There is no need to have any further qualifying instruction or course certificates to qualify. The CCIE Security track consists of a written exam to qualify and then the lab exam. You are advised to acquire at least 3-5 years of work experience before attempting this certification.

The written exam for CCIE Security is two hours long, with multiple-choice questions. It consists of a hundred questions, covering topics such as application protocols, operating systems, security technologies, security protocols, and Cisco security applications. Test materials are provided on site, and you are not allowed to bring in external reference materials.

Network engineers holding a CCIE certificate are regarded as experts in the network engineering field and as masters of Cisco products. The CCIE has brought a revolution in the networking field regarding technically difficult assignments and opportunities, with all the necessary tools and methodologies. There is a process that updates and reorganizes the tools to deliver high-quality support. There are several modes of CCIE training, such as written-exam preparation and performance-based labs. This helps to raise performance and standards in the marketplace. Cisco launched this certification program in 1993 with a view to distinguishing the top analysts from the rest.

To be certified, the written exam must first be passed, after which the lab exam must be passed. Cisco at all times tries to apply diverse CCIE training processes for better performance. There are a number of steps to CCIE certification. The first step is to pass a two-hour, computer-based, mostly multiple-choice written exam. The required payment for this exam must be made online. This exam is associated with test vouchers and promotional codes. The authenticity of the firm supplying the voucher should be clearly established by the candidates. The promotional code must be entered correctly; in the case of fraudulent vouchers or promotional codes, Cisco will not refund the price. Candidates must wait five days for the written exam after payment, and they cannot sit the same exam for the following 180 days in the case of recertification.

To become certified and eligible for CCIE training, some points should be remembered. After passing the written exam, candidates have at most 18 months to attempt the lab exam. If this period is exceeded, the written exam result becomes invalid. For first-time candidates for CCIE certification, the written exam is available in the form of a beta exam with discounts. During the beta period, candidates can sit the exam only once. Results arrive within six to eight weeks after the exam is over.

The next step for CCIE certification is the lab exam. Candidates who have passed the written exam can apply for the hands-on lab exam. While there are many Cisco written-exam centers, lab exam facilities are limited. It is an eight-hour hands-on practical exam in which the ability to troubleshoot and configure network-based problems and software is tested. To schedule the lab exam, candidates who passed the earlier written exam must present the identification number, the passing score, and the date of passing.

The fee for the lab exam must be paid more than 90 days before the scheduled exam. Without payment, the reservation will be cancelled. After passing the lab exam along with the written exam, candidates can apply for the CCIE certification. By considering all of the points related to the outlined steps, one can get the Cisco certification in hand and be qualified through CCIE training.

Post in CCIE R&S | Comments Closed

Setting the DSCP or TOS Field

January 6th, 2012   by Daniel

The answer to this question depends on the type of traffic distinctions you want to make, as well as the version of IOS you are running on your routers.

There must be something that defines the different types of traffic that you want to prioritize. Usually, the easier the distinctions are to make, the better. This is because all of the checks take router resources and introduce processing delays. The most common policies for distinguishing between traffic types use the packet's input interface and simple IP header information such as TCP port numbers. The following examples show how to set an IP Precedence value of immediate (2) for all FTP control traffic that arrives via the serial0/0 interface, and an IP Precedence of priority (1) for all FTP data traffic. This distinction is possible simply because FTP control traffic uses TCP port 21, and FTP data uses port 20.

The newer method for configuring this uses class maps. Cisco first introduced this feature in IOS Version 12.0(5)T. This method first defines a class-map that specifies how the router will identify this type of traffic. It then defines a policy-map that actually makes the changes to the packet's TOS field:

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#access-list 101 permit tcp any eq ftp any
Router(config)#access-list 101 permit tcp any any eq ftp
Router(config)#access-list 102 permit tcp any eq ftp-data any
Router(config)#access-list 102 permit tcp any any eq ftp-data
Router(config)#class-map match-all ser00-ftpcontrol
Router(config-cmap)#description branch ftp control traffic
Router(config-cmap)#match input-interface serial0/0
Router(config-cmap)#match access-group 101
Router(config-cmap)#exit
Router(config)#class-map match-all ser00-ftpdata
Router(config-cmap)#description branch ftp data traffic
Router(config-cmap)#match input-interface serial0/0
Router(config-cmap)#match access-group 102
Router(config-cmap)#exit
Router(config)#policy-map serialftppolicy
Router(config-pmap)#description branch ftp traffic policy
Router(config-pmap)#class ser00-ftpcontrol
Router(config-pmap-c)#set ip precedence immediate
Router(config-pmap-c)#exit
Router(config-pmap)#class ser00-ftpdata
Router(config-pmap-c)#set ip precedence priority
Router(config-pmap-c)#exit
Router(config-pmap)#exit
Router(config)#interface serial0/0
Router(config-if)#ip route-cache policy
Router(config-if)#service-policy input serialftppolicy
Router(config-if)#exit
Router(config)#end
Router#

For earlier IOS versions, where class-maps are not available, you have to use policy-based routing to change the TOS field in the packet. Applying this policy to the interface tells the router to use it to test all incoming packets on that interface and rewrite those that match the route map:

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#access-list 101 permit tcp any eq ftp any
Router(config)#access-list 101 permit tcp any any eq ftp
Router(config)#access-list 102 permit tcp any eq ftp-data any
Router(config)#access-list 102 permit tcp any any eq ftp-data
Router(config)#route-map serialftp-rtmap permit 10
Router(config-route-map)#match ip address 101
Router(config-route-map)#set ip precedence immediate
Router(config-route-map)#exit
Router(config)#route-map serialftp-rtmap permit 20
Router(config-route-map)#match ip address 102
Router(config-route-map)#set ip precedence priority
Router(config-route-map)#exit
Router(config)#interface serial0/0
Router(config-if)#ip policy route-map serialftp-rtmap
Router(config-if)#ip route-cache policy
Router(config-if)#exit
Router(config)#end
Router#

Before you can tag a packet for special treatment, you have to have a very clear idea of what kinds of traffic need special treatment, along with exactly what sort of special treatment they will need. In the example, we have decided to give a special priority to FTP traffic received on a particular serial interface. We show how to do this using both the old and the new configuration methods.

This may seem to be a rather artificial example. After all, why would you care about tagging inbound traffic you have already received from a low-speed interface? Actually, one of the most important concepts for applying QoS in a network is that you should always tag the packet as early as possible, preferably at the edges of the network. Then, as it passes through the network, each router only has to look at the tag and doesn't have to do any additional classification. In this example, we would make sure that the FTP traffic returning in the other direction is tagged by the first router that receives it. So the outbound traffic has already been tagged, and it would be a waste of router resources to reclassify the outbound packets.

Many organizations actually take this concept of marking at the edges one step further and re-mark every received packet. This helps to ensure that users aren't requesting special QoS privileges that they aren't allowed to have. However, you need to be careful with this, since it can sometimes disrupt legitimate markings. For example, a real-time application might use RSVP to reserve bandwidth through the network. It is very important that the packets for this application carry the appropriate Expedited Forwarding (EF) DSCP marking, or the network won't handle them properly. At the same time, you also don't want to let other non-real-time applications from this same source have the same EF priority level. So, if you are going to configure your routers to re-mark all incoming packets at the edges, make sure that you know which incoming markings are legitimate.

In that case, the routers are running DLSw to bridge SNA traffic through an IP network, so the routers themselves actually build the IP packets. This creates an additional problem, since there is no incoming interface, and so that recipe uses local policy-based routing. The fact that the router creates the packets also gives it an important advantage, because it doesn't have to consider any DLSw packets that might just happen to pass through.

The advantages of the newer class-map approach are not obvious in this example, but one of the first major benefits appears if you want to use the more modern DSCP tagging scheme. Because the older policy-based routing method doesn't directly support DSCP, you have to fake it by setting both the IP Precedence and the TOS separately, as follows.

Router(config)#route-map serialftp-rtmap permit 10
Router(config-route-map)#match ip address 115
Router(config-route-map)#set ip precedence immediate
Router(config-route-map)#set ip tos max-throughput

In this case, the packet will end up with an IP Precedence value of immediate, or 2 (010 in binary), and a TOS of max-throughput, or 4 (0100 in binary).

Doing the same thing with the class-map method is much more direct:

Router(config)#policy-map serialftppolicy
Router(config-pmap)#class serialftpclass
Router(config-pmap-c)#set ip dscp af21
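To check that the two marking methods above really produce the same bits, here is an added example (not part of the original post or of IOS) that composes the TOS octet from the legacy `set ip precedence` and `set ip tos` keywords, names the resulting DSCP the way `set ip dscp` would, and maps a DSCP back to the legacy keywords. The keyword values are the standard IOS ones; where the reverse mapping has no single TOS keyword it returns the numeric 0-15 value that `set ip tos` also accepts.

```python
from __future__ import annotations

# IOS keyword values for "set ip precedence" (3 bits) and "set ip tos" (4 bits).
PRECEDENCE = {"routine": 0, "priority": 1, "immediate": 2, "flash": 3,
              "flash-override": 4, "critical": 5, "internet": 6, "network": 7}
# TOS bits: min-delay 8, max-throughput 4, max-reliability 2, min-monetary-cost 1.
TOS = {"normal": 0, "min-monetary-cost": 1, "max-reliability": 2,
       "max-throughput": 4, "min-delay": 8}


def tos_byte(precedence: str, tos: str) -> int:
    """TOS octet as the legacy route-map writes it: PPP TTTT M (M must be zero)."""
    return (PRECEDENCE[precedence] << 5) | (TOS[tos] << 1)


def dscp_name(dscp: int) -> str:
    """Name a 6-bit DSCP the way 'set ip dscp' does (afXY, ef, csX, default)."""
    if dscp == 46:
        return "ef"
    klass, drop = dscp >> 3, (dscp & 7) >> 1
    if 1 <= klass <= 4 and 1 <= drop <= 3 and dscp & 1 == 0:
        return f"af{klass}{drop}"
    if dscp & 7 == 0:
        return "default" if klass == 0 else f"cs{klass}"
    return str(dscp)


def legacy_to_dscp(precedence: str, tos: str) -> str:
    """DSCP is simply the top six bits of the TOS octet."""
    return dscp_name(tos_byte(precedence, tos) >> 2)


def dscp_to_legacy(dscp: int) -> tuple[str, str]:
    """Precedence and TOS arguments a route-map needs to emulate a given DSCP."""
    prec = next(k for k, v in PRECEDENCE.items() if v == dscp >> 3)
    tos_val = (dscp & 7) << 1
    tos = next((k for k, v in TOS.items() if v == tos_val), str(tos_val))
    return prec, tos


if __name__ == "__main__":
    # The page's case: precedence immediate + tos max-throughput should be af21.
    print(legacy_to_dscp("immediate", "max-throughput"))
    print(dscp_to_legacy(46))  # EF needs critical plus a numeric tos of 12
```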

Class-maps will also be useful later in this chapter, when we discuss class-based weighted fair queuing and class-based traffic shaping.
It is important to note that throughout this entire example, we have only set a particular value in the packet's TOS or DSCP field. This, by itself, doesn't affect how the packet is forwarded through the network. To do that, you must make sure that as each router in the network forwards these marked packets, the interface queues react appropriately to this information.

Finally, we should note that while this recipe shows two useful methods of marking packets, packets can also be marked using Committed Access Rate (CAR) features. CAR tends to be a little more efficient on high-speed interfaces.


A Guide On How To Cross The CCIE Security Examination

November 18th, 2011   by Daniel

The CCIE Security exam, or the Cisco Certified Internetwork Expert Security exam, is a certification that IT professionals aspire to pass in order to attain a level of expertise in products made by Cisco Systems, an IT company that makes Internet Protocol (IP) networking systems for private, public and enterprise organizations. In order to become a Cisco Certified Internetwork Expert in Security, one must undergo CCIE Security training to become familiar with the various functions and security protocols of each Cisco product, and with how to troubleshoot, operate and maintain them.

Acquiring the CCIE Security accreditation is considered to be one of the most sophisticated network security credentials in the IT industry, and it gives successful examinees the opportunity to take on some of the most sophisticated and highest-paying jobs in the IT security community. The status that the certification brings with it is highly regarded by security experts the world over, because the candidate must not only pass a theoretical examination on security methods but must also prove their mettle to the examiners in a laboratory environment, using equipment that is actually used in the field, under conditions they may encounter on the job as a security expert.

In order to prepare for the CCIE Security examination, the candidate is advised to have at least three to five years of experience in the field before attempting CCIE certification. This is to ensure that the candidate has enough experience of real-world scenarios to grasp the entire spectrum of security issues. There are no official prerequisites for CCIE certification; the aspiring candidate simply needs to pass the written and the lab examination to become Cisco certified in security. Because the exam is considered to be one of the hardest exams to pass in the IT industry, it is strongly advisable, though not required, for candidates to undergo training programs such as the CCIE Security training modules offered by many third-party review institutions, which help candidates grasp the necessary knowledge and understand how to succeed in the exam.

The candidate can also take advantage of the reading list of materials published on the Cisco website in order to gain sufficient knowledge on their own about the theoretical side of the exam. Alternatively, they can also browse review books and other online sources that feature links to the topics covered in the blueprint recommended by Cisco Systems for study. To make sure that all the topics in the CCIE Security training have been covered, the candidate must always refer to the written exam blueprint, which is the collection of study topics recommended by Cisco in order to pass the CCIE Security exam. This blueprint can be downloaded from the Cisco website.

Only when the candidate successfully clears the written CCIE Security exam can he take step 2 of the CCIE certification process, which is the CCIE lab exam. This exam lasts about eight hours and is more intensive in the sense that it is a practical examination designed to test your ability to get a secured network up and running within a prescribed time limit. To prepare for this exam, candidates should possess practical knowledge of all the security features of each Cisco networking product. There are many review courses available that address all the essential skills needed to clear this exam.
