Thursday, March 31, 2011

QoS Hierarchical Class-Based Weighted Fair Queuing Cisco Router Configuration Example

HCBWFQ QoS Configuration Example on a Cisco Router:

This is an example of a QoS policy for a service-provider connection that is delivered over Ethernet with a contracted bandwidth of 20 Mbps. Because the physical interface runs faster than the contracted rate, a parent policy shapes all traffic to 20 Mbps and references a subordinate (child) policy that divides that shaped rate between the traffic classes.

class-map match-any VOICE
match dscp ef
class-map match-any INTERACTIVE-VIDEO
match dscp cs4 af41
class-map match-any CRITICAL-DATA
match dscp af31 cs3
class-map match-any DATA
match ip dscp af21
class-map match-any SCAVENGER
match ip dscp af11 cs1
class-map match-any NETWORK-CRITICAL
match ip dscp cs6 cs2
class-map match-any BGP-ROUTING
match protocol bgp

policy-map MARK-BGP
class class-default
set dscp cs6

! One class per class-map above (class names restored in class-map order); the
! priority and bandwidth percentages add up to 100% of the 20 Mbps shaped rate.
! VOICE and INTERACTIVE-VIDEO are LLQ classes: strict priority, but policed to
! their percentage during congestion so they cannot starve the other queues.
policy-map WAN
class VOICE
priority percent 10
class INTERACTIVE-VIDEO
priority percent 23
class CRITICAL-DATA
bandwidth percent 15
random-detect dscp-based
class DATA
bandwidth percent 19
random-detect dscp-based
class SCAVENGER
bandwidth percent 5
class NETWORK-CRITICAL
bandwidth percent 3
class BGP-ROUTING
service-policy MARK-BGP
class class-default
bandwidth percent 25

policy-map WAN-INTERFACE-G0/0
class class-default
shape average 20000000
service-policy WAN

interface GigabitEthernet0/0
service-policy output WAN-INTERFACE-G0/0
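As an added check (my own script, not part of the original post): this parses the WAN child policy, embedded inline as a constructed sample with one block per class-map, and computes what each class is guaranteed under the 20 Mbps parent shaper, while confirming the reservations do not exceed 100% and pointing out classes that reserve nothing.

```python
import re
# Constructed sample: the WAN child policy from the post, one block per class-map.
WAN_POLICY = """\
policy-map WAN
 class VOICE
  priority percent 10
 class INTERACTIVE-VIDEO
  priority percent 23
 class CRITICAL-DATA
  bandwidth percent 15
 class DATA
  bandwidth percent 19
 class SCAVENGER
  bandwidth percent 5
 class NETWORK-CRITICAL
  bandwidth percent 3
 class BGP-ROUTING
  service-policy MARK-BGP
 class class-default
  bandwidth percent 25
"""
SHAPE_BPS = 20_000_000  # parent policy: shape average 20000000 (bits/s)

def parse_policy(text):
    """Map each class to its queuing action ('priority', 'bandwidth' or None) and percent."""
    classes, current = {}, None
    for line in text.splitlines():
        m = re.match(r"class (\S+)$", line.strip())
        if m:
            current = m.group(1)
            classes[current] = {"kind": None, "percent": 0}
            continue
        m = re.match(r"(priority|bandwidth) percent (\d+)$", line.strip())
        if m and current:
            classes[current] = {"kind": m.group(1), "percent": int(m.group(2))}
    return classes

def check_policy(classes, shape_bps=SHAPE_BPS):
    """Guaranteed bits/s per class under the shaper, plus two sanity checks."""
    total = sum(c["percent"] for c in classes.values())
    if total > 100:  # cannot reserve more than the shaped rate
        raise ValueError(f"reservations sum to {total}% of the shaped rate")
    return {
        "total_percent": total,
        # LLQ classes: strict priority, policed to this share under congestion, so mis-marked EF/CS4 cannot starve others
        "priority_percent": sum(c["percent"] for c in classes.values() if c["kind"] == "priority"),
        "guaranteed_bps": {n: shape_bps * c["percent"] // 100 for n, c in classes.items()},
        # classes with no queuing action (here BGP-ROUTING) get no reservation
        "unreserved": [n for n, c in classes.items() if c["kind"] is None],
    }
```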

IPv6 Quick Facts

- Successor of IPv4
- 128-bit long addresses
- Customer usually gets a /64 subnet
- No need for NAT anymore
- No Broadcasts
- No ARP
- Stateless Address Configuration without DHCP
- Improved Multicast
- Easy IP Renumbering
- Minimum MTU Size is 1280
- Mobile IPv6
- Mandatory IPsec support
- Extension Headers
- Jumbograms up to 4 GiB

To get a good idea of how many more IPs there are with IPv6 than with IPv4, imagine that if the IPv4 address space were the size of a golf ball, the IPv6 address space would be the size of the Sun!

Cisco Router EIGRP Configuration Example

This example configures EIGRP between a Cisco router and a Cisco LAN distribution or core switch.

BGP routes are redistributed into EIGRP with a default metric (only bandwidth and delay are used for the metric calculation).

Cisco Router:

router eigrp 100
! default-metric values: bandwidth (kbit/s), delay (tens of microseconds), reliability, load, MTU
default-metric 100000 100 255 1 1500
redistribute bgp 65511
! passive by default so EIGRP neighbors can only form on the uplink to the switch
passive-interface default
no passive-interface Port-channel1
eigrp router-id (loopback0)
no auto-summary

Cisco Switch:

router eigrp 100
passive-interface default
no passive-interface TenGigabitEthernet1/1/1
no passive-interface TenGigabitEthernet2/1/1
no passive-interface Port-channel1
eigrp router-id (loopback0)
no auto-summary

Cisco Router BGP Configuration Example

You will need to use BGP to connect to most MPLS carriers or if you have two Internet providers and want to multi-home.

(Note: private ASN range is 64512 to 65534)

In this example eBGP is configured to the provider (, EIGRP is redistributed into BGP, and iBGP is configured between the 2 customer routers ( and .242).

router bgp 65511
no synchronization
bgp router-id (loopback0)
bgp log-neighbor-changes
network (propagate default route)
network mask (advertise customer to provider network)
redistribute eigrp 100 (redistribute eigrp into BGP)
neighbor remote-as 65511
neighbor update-source Loopback0
neighbor next-hop-self
neighbor remote-as 65401
no auto-summary

Configure Layer 3 port-channel (EtherChannel) between Cisco Router and Switch

Cisco Router:
interface Port-channel1
ip address
interface GigabitEthernet0/0/0
no ip address
channel-group 1
no shutdown
interface GigabitEthernet0/0/1
no ip address
channel-group 1
no shutdown

Cisco Switch:
interface Port-channel1
no switchport
ip address
interface GigabitEthernet1/0/3
no switchport
no ip address
channel-group 1 mode on
no shutdown
interface GigabitEthernet2/0/3
no switchport
no ip address
channel-group 1 mode on
no shutdown

Configure AAA Tacacs+ Authentication on Cisco Router

enable secret network1engineer
service password-encryption
! service password-encryption only applies reversible type 7 encoding to the
! "password" line below; "username admin secret ..." would store a hash instead
username admin password network1engineer

aaa new-model
! TACACS+ is tried first; the enable secret is used only when no TACACS+ server responds
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable

tacacs-server host
tacacs-server key gheigeiegih

! source TACACS+ traffic from Loopback0 so the server sees one stable client address
ip tacacs source-interface Loopback0

Configure NTP on Cisco Router

Configure NTP to synchronize to a local NTP server in the network. The local server then references an outside source. One of the outside sources I use is

ntp server
ntp source Loopback0
clock timezone PST -8
clock summer-time PDT recurring
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime

Cisco AnyConnect VPN Premium vs Essentials Licensing Explained

I recently contacted Cisco to ask a few questions about the differences between the AnyConnect Premium License and the Essentials License.

The main thing that the Essentials License does not offer is clientless access and Cisco Secure Desktop.

Here is the detailed info:

I found out that you CAN still web deploy the client with the Essentials License. So if someone connects to your outside ASA interface via a web browser they will be able to download the client.