Michael McNamara
https://blog.michaelfmcnamara.com
technology, networking, virtualization and IP telephony
Feed last updated: Sat, 30 Oct 2021 14:26:00 +0000

Quality of Service and Traffic Shaping on Cisco Routers
https://blog.michaelfmcnamara.com/2016/07/quality-of-service-and-traffic-shaping-on-cisco-routers/
Sat, 23 Jul 2016 12:30:46 +0000

You have 1Gbps access with a 100Mbps port on your WAN link… are you sure you have your router configured properly?

A year ago I was asked to investigate why VoIP calls were experiencing poor audio quality across an AT&T AVPN (Ethernet to MPLS) WAN link. After some research and examining the router configuration and logs I realized that the router had never been configured properly to support the 1Gbps access and 100Mbps port. While the router was physically connected to the AT&T Cisco ONS at 1Gbps, AT&T was only allowing 100Mbps worth of traffic to pass through that connection. In this specific case traffic shaping wasn’t set up to limit the traffic leaving the interface to the committed rate, so the router transmitted at line rate and everything above 100Mbps was dropped on AT&T’s side. I also found occasions in the router logs where the BGP session was flapping because BFD packets were being lost between our router and AT&T’s router, for the same reason: with no QoS or traffic shaping on the Cisco router, traffic was bursting well past the 100Mbps allocated by AT&T and the excess, BFD keepalives included, was being dropped by AT&T.

The solution was to chain two policies together: a parent policy that shapes the interface to the 100Mbps committed rate, and a child QoS policy nested under it that queues traffic within that shaped rate. Here’s an example configuration I use on an AT&T AVPN 1Gbps Access with 100Mbps Port with 4 CoS queues assigned at 20% real-time, 60/30/10. The order matters: the shaper has to be the parent. A queuing policy applied directly to a 1Gbps interface never sees congestion (the physical interface is never full at 100Mbps of offered load) and so never prioritises anything; the drops happen on AT&T’s side, where you have no control over what gets discarded. With the shaper in place the router becomes the congestion point and the child policy decides which packets get through.

! Classify on IP precedence (the ToS bits), which is what AT&T's CoS profile keys on.
class-map match-any COS1
  description REAL-TIME VOICE
  match precedence 5
class-map match-any COS2
  description STREAMING VIDEO
  match precedence 4 6 7
class-map match-any COS3
  description CALL SIGNALLING
  match precedence 2 3
class-map match-any COS4
  description BEST EFFORT
  match precedence 0 1
!
! Child (queuing) policy. "priority 20000" is in kbps: 20Mbps, i.e. 20% of the
! 100Mbps shaped rate, as a strict-priority queue for voice. The remaining 80%
! is split 60/30 between COS2 and COS3; class-default gets the last 10%. COS4 is
! not referenced here: precedence 0/1 traffic falls into class-default anyway.
policy-map QOSPOLICY
  description ATT Profile 113 20%RT/60/30/10
  class COS1
    priority 20000
  class COS2
    bandwidth remaining percent 60
  class COS3
    bandwidth remaining percent 30
  class class-default
    fair-queue
!
! Parent (shaping) policy. "shape average" is in bps: 100000000 = 100Mbps, the
! committed port rate. The child policy is nested under the shaper so queuing
! happens within the shaped rate.
policy-map SHAPEPOLICY
  class class-default
    shape average 100000000
    service-policy QOSPOLICY
!
! "bandwidth" is in kbps and is informational (routing metrics, percentage-based
! QoS math); it does not limit traffic. The shaper does.
interface GigabitEthernet0/1
  bandwidth 100000
  ip address 10.x.x.x 255.255.255.252
  service-policy output SHAPEPOLICY

With this configuration in place the BFD keepalives stopped tripping false positives on the BGP session and VoIP packets were no longer getting starved for the bandwidth they needed.
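The check a practitioner wants here is a way to catch the original mistake before the carrier does. The following is an added example, not code from the post: a small lint that parses the relevant parts of an IOS configuration and flags an interface whose output policy does not shape to the committed rate, whose shaper has no nested queuing policy, or whose queuing numbers do not fit the rate. The two configurations embedded in it are constructed: GOOD_CONFIG is the corrected configuration above (with a placeholder address), and BAD_CONFIG is an assumed "before" state with the queuing policy applied straight to the 1Gbps interface. The parser only understands the handful of keywords it needs and ignores everything else.

```python
"""Lint a Cisco IOS config for the WAN-edge mistake described above: an interface
whose committed rate (the carrier's port speed) is below its physical speed must
shape to that rate, with the queuing policy nested under the shaper.

Added example, not from the original post. The parser is deliberately minimal:
policy-map / class / shape average / service-policy / priority (kbps form only) /
bandwidth remaining percent, plus interface bandwidth / service-policy output.
"""
import re

# Constructed sample: the corrected configuration from the post.
GOOD_CONFIG = """\
policy-map QOSPOLICY
  description ATT Profile 113 20%RT/60/30/10
  class COS1
    priority 20000
  class COS2
    bandwidth remaining percent 60
  class COS3
    bandwidth remaining percent 30
  class class-default
    fair-queue
policy-map SHAPEPOLICY
  class class-default
    shape average 100000000
    service-policy QOSPOLICY
interface GigabitEthernet0/1
  bandwidth 100000
  ip address 10.0.0.1 255.255.255.252
  service-policy output SHAPEPOLICY
"""

# Constructed sample: assumed "before" state, queuing policy applied directly to
# the 1Gbps interface with no shaper in front of it.
BAD_CONFIG = """\
policy-map QOSPOLICY
  class COS1
    priority 20000
  class COS2
    bandwidth remaining percent 60
  class COS3
    bandwidth remaining percent 30
  class class-default
    fair-queue
interface GigabitEthernet0/1
  bandwidth 1000000
  ip address 10.0.0.1 255.255.255.252
  service-policy output QOSPOLICY
"""


def parse_config(text):
    """Return (policy_maps, interfaces): name -> {class: [actions]}, name -> settings."""
    policy_maps, interfaces = {}, {}
    cur_pm = cur_class = cur_if = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        indent = len(raw) - len(raw.lstrip())
        line = raw.strip()
        if indent == 0:  # a new top-level stanza
            cur_pm = cur_class = cur_if = None
            if m := re.match(r"policy-map (\S+)$", line):
                cur_pm = policy_maps.setdefault(m.group(1), {})
            elif m := re.match(r"interface (\S+)$", line):
                cur_if = interfaces.setdefault(
                    m.group(1), {"bandwidth_kbps": None, "output_policy": None})
            continue
        if cur_pm is not None:
            if m := re.match(r"class (\S+)$", line):
                cur_class = m.group(1)
                cur_pm[cur_class] = []
            elif cur_class is not None:
                cur_pm[cur_class].append(line)
        elif cur_if is not None:
            if m := re.match(r"bandwidth (\d+)$", line):
                cur_if["bandwidth_kbps"] = int(m.group(1))
            elif m := re.match(r"service-policy output (\S+)$", line):
                cur_if["output_policy"] = m.group(1)
    return policy_maps, interfaces


def _first(pattern, policy):
    """First match of `pattern` over every action line of a policy-map, or None."""
    for actions in policy.values():
        for action in actions:
            if m := re.match(pattern, action):
                return m
    return None


def lint(text, ifname, committed_kbps):
    """Return a list of findings for `ifname`; an empty list means it looks right."""
    policy_maps, interfaces = parse_config(text)
    intf, findings = interfaces[ifname], []
    if intf["bandwidth_kbps"] != committed_kbps:
        findings.append(f"{ifname}: 'bandwidth' is {intf['bandwidth_kbps']} kbps, "
                        f"expected the committed rate {committed_kbps} kbps")
    if intf["output_policy"] is None:
        return findings + [f"{ifname}: no output service-policy at all"]
    parent = policy_maps[intf["output_policy"]]
    shape = _first(r"shape average (\d+)$", parent)
    if shape is None:
        # No shaper: the router sends at line rate and the carrier drops the excess.
        findings.append(f"{ifname}: policy {intf['output_policy']} does not shape; "
                        f"traffic can burst past {committed_kbps} kbps and be dropped upstream")
        queuing, rate_kbps = parent, committed_kbps
    else:
        rate_kbps = int(shape.group(1)) // 1000  # shape average is in bps
        if rate_kbps > committed_kbps:
            findings.append(f"{ifname}: shaper {rate_kbps} kbps exceeds committed {committed_kbps} kbps")
        child = _first(r"service-policy (\S+)$", parent)
        queuing = policy_maps.get(child.group(1)) if child else None
        if queuing is None:
            return findings + [f"{ifname}: shaper has no nested queuing policy, "
                               f"so nothing protects voice or BFD inside the shaped rate"]
    prio_kbps = sum(int(m.group(1)) for acts in queuing.values() for a in acts
                    if (m := re.match(r"priority (\d+)$", a)))
    remaining = sum(int(m.group(1)) for acts in queuing.values() for a in acts
                    if (m := re.match(r"bandwidth remaining percent (\d+)$", a)))
    if prio_kbps > rate_kbps:
        findings.append(f"{ifname}: priority queue {prio_kbps} kbps exceeds the {rate_kbps} kbps rate")
    if remaining > 100:
        findings.append(f"{ifname}: 'bandwidth remaining percent' values sum to {remaining}%")
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, lint(cfg, "GigabitEthernet0/1", 100000) or ["ok"])
```

Run against the "before" configuration it reports the wrong interface bandwidth and the missing shaper; against the corrected one it reports nothing. On the router itself, `show policy-map interface GigabitEthernet0/1` is the equivalent live check: it shows the shaper's target rate and the per-class offered and dropped counts, so a priority class that is dropping while the shaper is below its target rate is visible immediately.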

Cheers!

ERS 8600 Access Policy
https://blog.michaelfmcnamara.com/2008/01/ers-8600-access-policy/
Sat, 12 Jan 2008 13:00:00 +0000

Protecting your network switches from unauthorized access should be high on everyone’s list these days. It’s clear that an insecure switch is a liability in any network topology. In the vast majority of cases this means at least changing the default usernames and passwords along with the SNMP community strings. In environments where you need additional access security you can use the Ethernet Routing Switch 8600 Access Policy to restrict administrative access to the switch. An access policy lets you define which source networks may reach the switch’s management plane and which management services (FTP, HTTP, SNMP, SSH, Telnet, TFTP) each of those networks may use. Because a policy is evaluated on the source address of the management connection, it complements strong credentials rather than replacing them.

In the example below I’m allowing access from the network 10.1.1.0/24 for FTP, HTTP, SNMPv3, SSH, Telnet and TFTP, and additionally allowing the SNMP groups admin, v1v2grp and readgrp to use SNMPv1 and SNMPv2c from that network.

ERS-8610:5# config sys access-policy policy 10 create
ERS-8610:5# config sys access-policy policy 10 network 10.1.1.0/24
ERS-8610:5# config sys access-policy policy 10 service ftp enable
ERS-8610:5# config sys access-policy policy 10 service http enable
ERS-8610:5# config sys access-policy policy 10 service snmpv3 enable
ERS-8610:5# config sys access-policy policy 10 service ssh enable
ERS-8610:5# config sys access-policy policy 10 service telnet enable
ERS-8610:5# config sys access-policy policy 10 service tftp enable
ERS-8610:5# config sys access-policy policy 10 snmp-group-add admin snmpv1
ERS-8610:5# config sys access-policy policy 10 snmp-group-add admin snmpv2c
ERS-8610:5# config sys access-policy policy 10 snmp-group-add v1v2grp snmpv1
ERS-8610:5# config sys access-policy policy 10 snmp-group-add v1v2grp snmpv2c
ERS-8610:5# config sys access-policy policy 10 snmp-group-add readgrp snmpv1
ERS-8610:5# config sys access-policy policy 10 snmp-group-add readgrp snmpv2c
ERS-8610:5# config sys access-policy policy 10 enable

Just don’t forget to turn on access-policy enforcement globally; the per-policy enable above activates policy 10 itself, but the switch does not enforce any access policy until enforcement is enabled:

ERS-8610:5# config sys access-policy enable true

You could also use host masks (a /32 network) as opposed to network masks if you wish to allow only specific management stations access to the switch.

Two things to check before enabling enforcement. First, make sure the station you are configuring from falls inside an enabled policy’s network with the service you are using (SSH or Telnet) enabled, otherwise you will lock yourself out of the very session you are working in. Second, remember that the policy restricts where management connections may come from, not how they are protected: FTP, HTTP, Telnet, TFTP and SNMPv1/v2c all carry credentials and data in the clear, so prefer SSH and SNMPv3 and leave the cleartext services disabled unless you actually need them (for example TFTP or FTP for an image or configuration transfer).
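To make the two checks above concrete, here is an added example that is not part of the original post: a small Python model that parses the CLI lines shown above (prompt stripped) and answers "would this management request be permitted?" for a given source address and service, plus an audit of which cleartext services a policy set still exposes. The evaluation rules in it (nothing enforced until the global enable; a request passes if any enabled policy covers the source network and the service, or, for SNMPv1/v2c, the group and version) are this model’s assumptions written to match the commands shown, not a description of the switch’s own code. The second policy set, HARDENED_CLI, is a constructed single-host, SSH-and-SNMPv3-only variant for comparison.

```python
"""Model of how an ERS 8600 access policy decides whether a management request is
permitted, built from the CLI lines in the post. Added example, not from the
post; the evaluation semantics are assumptions made to fit the commands shown.
"""
import ipaddress

# Services that carry credentials or data in the clear.
CLEARTEXT = {"ftp", "http", "telnet", "tftp", "snmpv1", "snmpv2c"}

# Constructed input: the post's commands with the "ERS-8610:5#" prompt removed.
POST_CLI = """\
config sys access-policy policy 10 create
config sys access-policy policy 10 network 10.1.1.0/24
config sys access-policy policy 10 service ftp enable
config sys access-policy policy 10 service http enable
config sys access-policy policy 10 service snmpv3 enable
config sys access-policy policy 10 service ssh enable
config sys access-policy policy 10 service telnet enable
config sys access-policy policy 10 service tftp enable
config sys access-policy policy 10 snmp-group-add admin snmpv1
config sys access-policy policy 10 snmp-group-add admin snmpv2c
config sys access-policy policy 10 snmp-group-add v1v2grp snmpv1
config sys access-policy policy 10 snmp-group-add v1v2grp snmpv2c
config sys access-policy policy 10 snmp-group-add readgrp snmpv1
config sys access-policy policy 10 snmp-group-add readgrp snmpv2c
config sys access-policy policy 10 enable
config sys access-policy enable true
"""

# Constructed input: one management host (host mask), SSH and SNMPv3 only.
HARDENED_CLI = """\
config sys access-policy policy 20 create
config sys access-policy policy 20 network 10.1.1.50/32
config sys access-policy policy 20 service ssh enable
config sys access-policy policy 20 service snmpv3 enable
config sys access-policy policy 20 enable
config sys access-policy enable true
"""


def parse(cli_text):
    """Return (policies, global_enabled); each policy is a plain dict."""
    policies, global_enabled = {}, False
    for line in cli_text.splitlines():
        toks = line.split()
        if toks[:3] != ["config", "sys", "access-policy"]:
            continue
        rest = toks[3:]
        if rest == ["enable", "true"]:
            global_enabled = True
        elif rest == ["enable", "false"]:
            global_enabled = False
        elif rest and rest[0] == "policy":
            pid, verb, args = int(rest[1]), rest[2], rest[3:]
            # "create" (and any later verb) materialises the policy entry.
            pol = policies.setdefault(pid, {"network": None, "services": set(),
                                            "snmp_groups": set(), "enabled": False})
            if verb == "network":
                pol["network"] = ipaddress.ip_network(args[0], strict=False)
            elif verb == "service" and args[1:] == ["enable"]:
                pol["services"].add(args[0])
            elif verb == "service" and args[1:] == ["disable"]:
                pol["services"].discard(args[0])
            elif verb == "snmp-group-add":
                pol["snmp_groups"].add((args[0], args[1]))  # (group, version)
            elif verb == "enable":
                pol["enabled"] = True
            elif verb == "disable":
                pol["enabled"] = False
    return policies, global_enabled


def is_permitted(cli_text, src_ip, service, snmp_group=None):
    """Assumed decision: enforcement off => allow; else any enabled matching policy allows."""
    policies, global_enabled = parse(cli_text)
    if not global_enabled:
        return True
    src = ipaddress.ip_address(src_ip)
    for pol in policies.values():
        if not pol["enabled"] or pol["network"] is None or src not in pol["network"]:
            continue
        if service in ("snmpv1", "snmpv2c"):
            if (snmp_group, service) in pol["snmp_groups"]:
                return True
        elif service in pol["services"]:
            return True
    return False


def cleartext_services(cli_text):
    """Cleartext services any enabled policy still permits (SNMP v1/v2c via groups)."""
    policies, _ = parse(cli_text)
    exposed = set()
    for pol in policies.values():
        if pol["enabled"]:
            exposed |= pol["services"] & CLEARTEXT
            exposed |= {version for _, version in pol["snmp_groups"]} & CLEARTEXT
    return exposed


if __name__ == "__main__":
    print("ssh from 10.1.1.5:", is_permitted(POST_CLI, "10.1.1.5", "ssh"))
    print("ssh from 10.2.2.5:", is_permitted(POST_CLI, "10.2.2.5", "ssh"))
    print("post exposes:", sorted(cleartext_services(POST_CLI)))
    print("hardened exposes:", sorted(cleartext_services(HARDENED_CLI)))
```

The lockout check is `is_permitted(<your policy set>, <your station>, "ssh")` before you enter `access-policy enable true`; if it comes back False, the same request will be refused by the switch once enforcement is on.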

Cheers!
