Jul 21,2008 by admin
 Dropping Packets and Congestion Avoidance
Imagine a queue that holds packets as they enter a
network bottleneck. These packets carry data for many different applications to
many different destinations. If the amount of traffic arriving is less than the
available bandwidth ... [full story]
|
Jul 21,2008 by admin
 Custom Queueing
Custom Queueing (CQ) is one of Cisco's most popular
queueing strategies. CQ was originally implemented to address the clear
shortcomings of PQ. It lets you configure how many queues are to be used, what
applications will use which queues, ... [full story]
|
Jul 21,2008 by admin
 Priority Queueing
Priority Queueing (PQ) is an older queueing algorithm
that handles traffic with different precedence levels much more pragmatically.
The Cisco implementation of Priority Queueing uses four distinct queues called
"high priority," "medium priority," "normal priority," and "low priority." The ... [full story]
|
Jul 21,2008 by admin
 Relative share of bandwidth in WFQ by IP precedence
Precedence name        Value   Relative share of bandwidth
Routine                0       1
Priority               1       2
Immediate              2       3
Flash                  3       4
Flash Override         4       5
Critical               5       6
Internetwork Control   6       7
Network Control        7       8
These fair queueing algorithms tend to do three things. First,
they prevent individual flows from interfering with one another. Second, they
tend to reduce ... [full story]
|
Jul 21,2008 by admin
 Weighted Fair Queueing
A flow is loosely defined as the stream of packets associated with a single
session of a single application. The common IP implementations of Fair Queueing
(FQ) and WFQ assume that two packets are part of the same ... [full story]
|
Jul 21,2008 by admin
 Queueing Algorithms
You can implement several
different queueing algorithms on Cisco routers. The most common type is Weighted
Fair Queueing (WFQ), which is enabled by default on low-speed interfaces. There
is also a class-based version of WFQ called Class-based Weighted Fair ... [full story]
|
Jul 21,2008 by admin
 RSVP
Reservation Protocol (RSVP) is a
signaling protocol that allows applications to request and reserve network
resources, usually bandwidth. The core protocol is defined in RFC 2205. It is
important to remember that RSVP is used only for requesting and managing ... [full story]
|
Jul 21,2008 by admin
 Combining TOS and IP Precedence to Mimic DSCP
You can also get the equivalent of
DSCP, even on older routers that support only TOS and Precedence, by combining
the TOS and Precedence values. All Assured Forwarding DSCP Class 1 values are ... [full story]
|
Jul 21,2008 by admin
 Assured Forwarding DSCP values
Drop Precedence           Class 1             Class 2             Class 3             Class 4
                          Value        Name   Value        Name   Value        Name   Value        Name
Lowest Drop Precedence    001010 (10)  AF11   010010 (18)  AF21   011010 (26)  AF31   100010 (34)  AF41
Medium Drop Precedence    001100 (12)  AF12   010100 (20)  AF22   011100 (28)  AF32   100100 (36)  AF42
Highest Drop Precedence   001110 (14)  AF13   010110 (22)  AF23   011110 (30)  AF33   100110 (38)  AF43
For Expedited Forwarding there is only one value. It has a
binary value of 101110, or 46 in decimal, and it is usually
simply called ... [full story]
|
Jul 21,2008 by admin
 Standard IP TOS values
IP TOS                  Decimal value   Bit pattern
Normal                  0               0000
Minimum monetary cost   1               0001
Maximum reliability     2               0010
Maximum throughput      4               0100
Minimum delay           8               1000
Note that there is some disagreement in the literature about
the last bit, which sometimes signifies "minimum monetary cost" and sometimes is
not used at all. Some references ... [full story]
|
Jul 21,2008 by admin
 Standard IP Precedence values
IP Precedence          Decimal value   Bit pattern
Routine                0               000
Priority               1               001
Immediate              2               010
Flash                  3               011
Flash Override         4               100
Critical               5               101
Internetwork Control   6               110
Network Control        7               111
Table B-2 shows the standard IP TOS values, as defined in RFC 1349. The idea was
that an application could use these bits to request the appropriate forwarding
behavior. Because ... [full story]
|
Jul 21,2008 by admin
 IP Precedence, TOS, and DSCP Classifications
Every IP packet (including both IPv4 and IPv6) includes a TOS
byte. This byte is broken up into fields that the network uses to help provide
the appropriate QoS commitments. In the older TOS model ... [full story]
|
Jul 21,2008 by admin
 Expect
Expect is another scripting
language that helps solve a different type of problem. Where Perl's strength is
in pattern matching, Expect provides a way to automate interactive applications.
We usually use Expect to imitate user sessions on a router to ... [full story]
|
Jul 21,2008 by admin
 Perl
According to the Perl web site,
"Perl is a high-level programming language with an eclectic heritage written by
Larry Wall and a cast of thousands. It derives from the ubiquitous C programming
language and, to a lesser extent, from sed, ... [full story]
|
Jul 21,2008 by admin
 Authentication Proxy
Problem
You want the router to separately authenticate and
authorize individual users as they access restricted resources.
Solution
To enable an IOS-based authentication proxy, use the following
commands:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#aaa ... [full story]
|
Jul 21,2008 by admin
 Login Password Retry Lockout
Problem
You want to prevent hackers from using brute force
login attacks on your routers.
Solution
To enable local user account locking, use the following set of
commands:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z. ... [full story]
|
Jul 21,2008 by admin
 Intrusion Detection and Prevention
Problem
You want to use the built-in Intrusion Detection software on the router to deal
with deliberate attacks on your network.
Solution
There are two versions to this feature. Prior to IOS Version
12.3(8)T, it was called IDS and implemented ... [full story]
|
Jul 21,2008 by admin
 Inspecting Applications on Different Port Numbers
Problem
You want to use Application Layer inspection rules for an application running on
a nonstandard port.
Solution
To enable Port to Application Mapping (PAM), use the ip port-map command:
Router1#configure terminal
Enter configuration commands, one per line. ... [full story]
|
Jul 21,2008 by admin
 Stopping Denial of Service Attacks
Problem
You want to mitigate Denial of Service attacks by throttling half-open TCP
connections.
Solution
You can configure a router to protect your servers against TCP
SYN attacks by enabling the ip tcp intercept command:
Router1#configure terminal
Router1(config)#access-list 109 permit ... [full story]
|
Jul 21,2008 by admin
 Transparent Cisco IOS Firewall
Problem
You want to use a router as a Layer 2 Firewall.
Solution
To enable a transparent Firewall, start by enabling Integrated Routing and Bridging (IRB) between two
interfaces:
Router1#configure terminal
Enter configuration commands, one per line. End ... [full story]
|
Jul 21,2008 by admin
 Using Context-Based Access-Lists
Problem
You want to use your router as a Firewall to perform
advanced filtering functionality.
Solution
The following example shows how to configure the router to
perform stateful inspection of TCP or UDP packets:
Router1#configure terminal
Enter configuration commands, one per line. ... [full story]
|
Jul 21,2008 by admin
 Using AutoSecure
Problem
You want to secure your router
without having to read the whole book.
Solution
To automatically secure the router, use the following
command:
Router2#auto secure
--- ... [full story]
|
Jul 21,2008 by admin
 Your Service Provider Doesn't Do What You Want
Problem
As an MPLS customer, you want to
implement a feature like multicast or a particular PE-CE routing protocol that
your service provider doesn't support.
Solution
Some service providers support only a limited range of MPLS ... [full story]
|
Jul 21,2008 by admin
 Multicast Over MPLS
Problem
You want to pass customer multicast traffic through an MPLS network.
Solution
For this recipe, we must configure Multicast capabilities on
all of the different types of routers: C, CE, P, and PE. First, the C and CE
routers, which ... [full story]
|
Jul 21,2008 by admin
 MPLS Traffic Engineering with Autoroute
Problem
You want to use the Autoroute feature to automatically maintain traffic-engineered
paths through your MPLS network.
Solution
This recipe uses Cisco's Autoroute feature for managing
Traffic Engineering (TE) with OSPF in an MPLS network. For this method, we ... [full story]
|
Jul 21,2008 by admin
 QoS over MPLS
Problem
You want to use the Quality of Service (QoS) features of MPLS.
Solution
For this example, we will take a relatively simple view that
the PE router will trust the CE router's DSCP/IP Precedence settings and map
them to the ... [full story]
|
Jul 21,2008 by admin
 PE-CE Communication via BGP
Problem
You want to use BGP to exchange routing information between CE and PE routers.
Solution
Once again, this problem is similar to the RIP, OSPF, and EIGRP
examples in Recipes 26.5, 26.6, and 26.7.
First we have to enable ... [full story]
|
Jul 21,2008 by admin
 PE-CE Communication via EIGRP
Problem
You want to use EIGRP to exchange routing information between your CE and PE
routers.
Solution
The solution to this problem is similar to the RIP solution in
Recipe 26.5 and the OSPF solution in Recipe 26.6. First we ... [full story]
|
Jul 21,2008 by admin
 PE-CE Communication via OSPF
Problem
You want to use OSPF to exchange routing information between the CE and PE
routers.
Solution
You can use OSPF to exchange customer routing information
between the CE and PE routers at each site. For this example, we will ... [full story]
|
Jul 21,2008 by admin
 PE-CE Communication via RIP
Problem
You want to use RIP to exchange routing information between the CE and PE
routers.
Solution
You can use RIP to exchange customer routing information
between the CE and PE routers at each site. The advantage to doing this ... [full story]
|
Jul 21,2008 by admin
 Configuring MPLS over ATM
Problem
You want to run MPLS over an ATM network.
Solution
There are really two solutions to this problem, depending on
the capabilities of your ATM switches. The first and conceptually simpler
solution is to configure your ATM switch to ... [full story]
|
Jul 21,2008 by admin
 Configuring Basic MPLS CE Routers
Problem
You want to configure the "customer" CE routers for MPLS.
Solution
CE routers do not require any special software or configuration
to work with an MPLS carrier. You just need to ensure that there are appropriate
routing table ... [full story]
|