Thursday, March 31, 2011

QoS Hierarchical Class-Based Weighted Fair Queuing Cisco Router Configuration Example

HCBWFQ QoS Configuration Example on a Cisco Router:

This is an example of a QoS policy where the connection to the service provider is Ethernet and the contracted bandwidth is 20 Mbps. Because the physical interface runs at 1 Gbps, the router would never see congestion on its own, so a parent policy shapes all traffic to the 20 Mbps contract and the queuing policy is referenced from it as a subordinate (child) policy. The per-class percentages in the child policy are then taken from the shaped 20 Mbps rather than from the line rate.

class-map match-any VOICE
match dscp ef
!
class-map match-any INTERACTIVE-VIDEO
match dscp cs4 af41
!
class-map match-any CRITICAL-DATA
match dscp af31 cs3
!
class-map match-any DATA
match ip dscp af21
!
class-map match-any SCAVENGER
match ip dscp af11 cs1
!
class-map match-any NETWORK-CRITICAL
match ip dscp cs6 cs2
!
class-map match-any BGP-ROUTING
match protocol bgp

policy-map MARK-BGP
class BGP-ROUTING
set dscp cs6

policy-map WAN
class VOICE
priority percent 10
class INTERACTIVE-VIDEO
priority percent 23
class CRITICAL-DATA
bandwidth percent 15
random-detect dscp-based
class DATA
bandwidth percent 19
random-detect dscp-based
class SCAVENGER
bandwidth percent 5
class NETWORK-CRITICAL
bandwidth percent 3
service-policy MARK-BGP
class class-default
bandwidth percent 25
random-detect

policy-map WAN-INTERFACE-G0/0
class class-default
shape average 20000000
service-policy WAN

interface GigabitEthernet0/0
service-policy output WAN-INTERFACE-G0/0
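As an added example (not part of the original post), the following Python script parses the two policy-maps above, resolves the child policy through the parent shaper, and converts each class's percentage into its actual share of the 20 Mbps contract. It also checks two things worth verifying before deploying such a policy: that the allocations do not exceed 100% of the shaped rate, and that the priority (LLQ) classes stay within Cisco's 33% guideline (this policy lands on exactly 33%). The config text embedded in the script is copied from the post; the 33% limit is an assumed default that can be overridden.

```python
"""Parse the hierarchical policy above, work out each class's guaranteed
share of the 20 Mbps shaper, and check the allocation.  Added example, not
from the original post."""
import re

# Constructed input: the child policy 'WAN' and the parent shaper from the post.
CONFIG = """\
policy-map WAN
 class VOICE
  priority percent 10
 class INTERACTIVE-VIDEO
  priority percent 23
 class CRITICAL-DATA
  bandwidth percent 15
  random-detect dscp-based
 class DATA
  bandwidth percent 19
  random-detect dscp-based
 class SCAVENGER
  bandwidth percent 5
 class NETWORK-CRITICAL
  bandwidth percent 3
  service-policy MARK-BGP
 class class-default
  bandwidth percent 25
  random-detect
policy-map WAN-INTERFACE-G0/0
 class class-default
  shape average 20000000
  service-policy WAN
"""


def parse_policy_maps(text):
    """Return {policy_name: {class_name: [commands]}} for every policy-map in text."""
    policies, policy, cls = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("policy-map "):
            policy = line.split(None, 1)[1]
            policies[policy] = {}
            cls = None
        elif line.startswith("class ") and policy is not None:
            cls = line.split(None, 1)[1]
            policies[policy][cls] = []
        elif policy is not None and cls is not None:
            policies[policy][cls].append(line)
    return policies


def shaper(policies, parent):
    """(shape rate in bps, child policy name) taken from the parent's class-default."""
    rate = child = None
    for cmd in policies[parent]["class-default"]:
        if m := re.match(r"shape average (\d+)$", cmd):
            rate = int(m.group(1))
        elif m := re.match(r"service-policy (\S+)$", cmd):
            child = m.group(1)
    return rate, child


def class_shares(policies, parent):
    """{class: (kind, percent, bps)} where bps is the share of the shaped rate."""
    rate, child = shaper(policies, parent)
    shares = {}
    for cls, cmds in policies[child].items():
        for cmd in cmds:
            if m := re.match(r"(priority|bandwidth) percent (\d+)$", cmd):
                pct = int(m.group(2))
                shares[cls] = (m.group(1), pct, rate * pct // 100)
    return shares


def check_policy(shares, llq_limit=33):
    """Flag over-allocation and an LLQ share above Cisco's 33% guideline (assumed default)."""
    total = sum(pct for _, pct, _ in shares.values())
    llq = sum(pct for kind, pct, _ in shares.values() if kind == "priority")
    problems = []
    if total > 100:
        problems.append(f"classes allocate {total}% of the shaped rate")
    if llq > llq_limit:
        problems.append(f"priority classes take {llq}% (guideline: <= {llq_limit}%)")
    return total, llq, problems


if __name__ == "__main__":
    pol = parse_policy_maps(CONFIG)
    rate, child = shaper(pol, "WAN-INTERFACE-G0/0")
    print(f"shaper {rate / 1e6:.0f} Mbps -> child policy {child}")
    shares = class_shares(pol, "WAN-INTERFACE-G0/0")
    for cls, (kind, pct, bps) in shares.items():
        print(f"{cls:18} {kind:9} {pct:3}%  {bps / 1e6:5.1f} Mbps")
    total, llq, problems = check_policy(shares)
    print(f"total {total}%, LLQ {llq}%, problems: {problems or 'none'}")
```

Run as a script it prints one line per class (VOICE gets 2.0 Mbps, class-default 5.0 Mbps, and so on) and reports no problems for this policy. Feed it a policy whose percentages sum past 100, or whose priority classes exceed the guideline, and check_policy returns the reasons.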

IPv6 Quick Facts

- Successor of IPv4
- 128-bit long addresses
- Customers usually get at least a /64 per LAN (a /56 or /48 per site is the common provider allocation)
- No need for NAT anymore
- No Broadcasts
- No ARP
- Stateless Address Configuration without DHCP
- Improved Multicast
- Easy IP Renumbering
- Minimum MTU size is 1280 bytes
- Mobile IPv6
- IPsec support (mandatory in the original node requirements, RFC 4294; later relaxed to a SHOULD by RFC 6434)
- Extension Headers
- Jumbograms up to 4 GiB

To get a good idea of how many more addresses IPv6 has than IPv4, imagine that if the IPv4 address space were the size of a golf ball, the IPv6 address space would be the size of the Sun!

Cisco Router EIGRP Configuration Example

This example configures EIGRP between a Cisco router and a Cisco LAN distribution or core switch.

BGP routes are redistributed into EIGRP with a default metric (with the default K values only bandwidth and delay are used in the metric calculation).

Cisco Router:

router eigrp 100
! default metric for redistributed routes: bandwidth 100000 kbps, delay 100 (tens of usec), reliability 255, load 1, MTU 1500
default-metric 100000 100 255 1 1500
network 10.4.0.0 0.0.255.255
redistribute bgp 65511
passive-interface default
no passive-interface Port-channel1
! router-id is the Loopback0 address
eigrp router-id 10.4.128.241
no auto-summary

Cisco Switch:

router eigrp 100
network 10.4.0.0 0.0.255.255
passive-interface default
no passive-interface TenGigabitEthernet1/1/1
no passive-interface TenGigabitEthernet2/1/1
no passive-interface Port-channel1
! router-id is the Loopback0 address
eigrp router-id 10.4.32.240
no auto-summary

Cisco Router BGP Configuration Example

You will need BGP to connect to most MPLS carriers, or if you have two Internet providers and want to multi-home.

(Note: the 16-bit private ASN range is 64512 to 65534)

In this example eBGP is configured to the provider (192.168.3.2), EIGRP is redistributed into BGP, and iBGP is configured between the two customer routers (10.4.32.241 and .242). Note that "redistribute eigrp 100" without a route-map offers every internal prefix to the provider; in production, filter what is announced to the eBGP neighbor (for example with an outbound prefix-list) so that only the prefixes you intend to advertise leave your AS.

router bgp 65511
no synchronization
! router-id is the Loopback0 address
bgp router-id 10.4.32.241
bgp log-neighbor-changes
! originate the default route (requires 0.0.0.0/0 to be present in the routing table)
network 0.0.0.0
! advertise the customer-to-provider link network
network 192.168.3.0 mask 255.255.255.252
! redistribute EIGRP into BGP
redistribute eigrp 100
neighbor 10.4.32.242 remote-as 65511
neighbor 10.4.32.242 update-source Loopback0
neighbor 10.4.32.242 next-hop-self
neighbor 192.168.3.2 remote-as 65401
no auto-summary

Configure Layer 3 port-channel (EtherChannel) between Cisco Router and Switch

Router:

interface Port-channel1
ip address 10.4.4.2 255.255.255.252
!
interface GigabitEthernet0/0/0
no ip address
channel-group 1
no shutdown
!
interface GigabitEthernet0/0/1
no ip address
channel-group 1
no shutdown

Switch:

interface Port-channel1
no switchport
ip address 10.4.4.1 255.255.255.252
!
interface GigabitEthernet1/0/3
no switchport
no ip address
channel-group 1 mode on
no shutdown
!
interface GigabitEthernet2/0/3
no switchport
no ip address
channel-group 1 mode on
no shutdown

Configure AAA TACACS+ Authentication on Cisco Router

enable secret network1engineer
service password-encryption
username admin secret network1engineer

aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable

tacacs-server host 192.168.1.5
tacacs-server key gheigeiegih

ip tacacs source-interface Loopback0

Two things to keep in mind with this configuration. First, "service password-encryption" only applies Cisco's reversible type 7 obfuscation to "password" and "key" values, so local users are defined here with "username ... secret" (a one-way hash) rather than "username ... password". Second, both method lists fall back to the enable secret, not to the local user database, when the TACACS+ server is unreachable; add "local" to the method lists if the admin account is meant to be the fallback.

Configure NTP on Cisco Router

Configure NTP to synchronize to a local NTP server in the network. The local server then references an outside source. One of the outside sources I use is pool.ntp.org. Consistent timestamps are what let you correlate log entries across devices, which is why the timestamp options are set at the same time. Note that the configuration below does not authenticate the time source; if that matters, add an "ntp authentication-key", mark it with "ntp trusted-key", enable "ntp authenticate", and reference the key on the "ntp server" line.

ntp server 10.10.10.48
ntp source Loopback0
!
clock timezone PST -8
clock summer-time PDT recurring
!
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
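The AAA and NTP fragments above both store things the router has to be able to read back. The following Python script, added here and not part of the original post, audits the two fragments as they would appear in a running-config after "service password-encryption" has done its work. It implements Cisco's type 7 decoder (the fixed XOR key is public, and the routine is checked against the well-known vector 0822455D0A16 = "cisco"), flags a local user defined with "password" rather than "secret", shows that the TACACS+ key is recoverable by anyone who can read the configuration, and reports an "ntp server" with no "ntp authenticate". The embedded config is constructed from the post's lines; the placeholder passwords are the post's own.

```python
"""Audit the AAA and NTP fragments above for settings that leak or weaken
credentials.  Added example, not from the original post.  The type 7
routine implements Cisco's documented reversible 'password 7' obfuscation;
the config text is reconstructed from the post's fragments."""
import re

# Fixed XOR key used by Cisco's type 7 obfuscation (public knowledge).
_T7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(enc):
    """'password 7' string: two-digit seed, then one hex pair per character."""
    seed, body = int(enc[:2]), bytes.fromhex(enc[2:])
    plain = bytes(b ^ _T7_KEY[(seed + i) % len(_T7_KEY)] for i, b in enumerate(body))
    return plain.decode("ascii")


def type7_encode(plain, seed=8):
    """Inverse of type7_decode; used here only to build the sample config."""
    body = bytes(ord(c) ^ _T7_KEY[(seed + i) % len(_T7_KEY)] for i, c in enumerate(plain))
    return f"{seed:02d}{body.hex().upper()}"


# Constructed sample: the post's AAA and NTP lines as they appear in
# 'show running-config' once 'service password-encryption' has rewritten
# the 'password' and 'key' values into type 7.
CONFIG = f"""\
service password-encryption
username admin password 7 {type7_encode('network1engineer')}
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
tacacs-server host 192.168.1.5
tacacs-server key 7 {type7_encode('gheigeiegih')}
ip tacacs source-interface Loopback0
ntp server 10.10.10.48
ntp source Loopback0
"""


def audit(config):
    """Return [(offending line or area, message)] for the weak settings found."""
    findings, ntp_servers, ntp_auth = [], 0, False
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"username (\S+) password(?: (\d+))? (\S+)$", line):
            user, ptype, value = m.groups()
            if ptype == "7":
                findings.append((line, f"user '{user}' has a reversible type 7 password "
                                       f"(decodes to '{type7_decode(value)}'); "
                                       f"use 'username {user} secret ...' instead"))
            elif ptype in (None, "0"):
                findings.append((line, f"user '{user}' has a cleartext password '{value}'; "
                                       f"use 'username {user} secret ...' instead"))
        elif m := re.match(r"tacacs-server key(?: (\d+))? (\S+)$", line):
            ktype, value = m.groups()
            key = type7_decode(value) if ktype == "7" else value
            findings.append((line, f"TACACS+ shared key '{key}' is recoverable by anyone "
                                   "who can read the configuration; protect config "
                                   "access and rotate the key together with the server"))
        elif line.startswith("ntp server "):
            ntp_servers += 1
        elif line == "ntp authenticate":
            ntp_auth = True
    if ntp_servers and not ntp_auth:
        findings.append(("ntp", "ntp server configured without 'ntp authenticate'; replies "
                                "are not checked against an 'ntp authentication-key'"))
    return findings


if __name__ == "__main__":
    print(CONFIG)
    for where, msg in audit(CONFIG):
        print(f"[{where}]\n    {msg}")
```

Run as a script it prints the three findings for the sample; the same audit function can be pointed at any saved "show running-config". The TACACS+ key finding is not something "secret" can fix, because the router must be able to recover the key to talk to the server; the mitigation is controlling who can read the configuration (command authorization for "show run", no configs in tickets or repositories) and rotating the key.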

Cisco AnyConnect VPN Premium vs Essentials Licensing Explained

I recently contacted Cisco to ask a few questions about the differences between the Anyconnect Premium License vs the Essentials License.

The main things the Essentials license does not offer are clientless (browser-based) access and Cisco Secure Desktop.

Here is the detailed info:

I found out that you CAN still web-deploy the client with the Essentials license. So if someone connects to your ASA's outside interface with a web browser, they will be able to download the client.