Network Ninja

The Long Road to Cisco


Tag Archive for 'VoIP'

Enhanced Interior Gateway Routing Protocol – Optional Configuration Commands for EIGRP – Load Balancing in EIGRP

Published by Deon Botha on September 1, 2008 in BSCI, BSCI Notes, Certification, Cisco Systems and Load Balancing. 0 Comments

EIGRP automatically load balances across equal-cost path links. You can also configure load balancing proportionally across unequal-cost paths using the variance command.

When variance is set to anything other than 1, the EIGRP process multiplies the metric of the best path by the variance. All paths to the same destination with a metric less than this product are included in load balancing, and the amount of traffic sent over each link is proportional to the metric for the path. Put another way, paths with a feasible distance (FD) lower than the product are used for load balancing.

The command is as follows:

Router(config)#router eigrp autonomous-system-number
Router(config-router)#network network-number
Router(config-router)#variance multiplier

The multiplier is a whole number between 1 and 128. The default is 1, which gives equal-cost path load balancing.

Take note:

  • A variance of two or three will do in most cases. Using higher values could cause EIGRP to start activating old 28.8 modems to load-balance with DS1s.
  • Variance should be used with caution with delay-sensitive traffic. A DS1 link takes 8 ms to transmit a 1500 B packet while a 256-kbps link takes 47 ms. VoIP traffic shared over the two links would see the difference as 39 ms of jitter.

To show this with an example of the EIGRP process in the network from Router A to Router D:

EIGRP Metric Topology (figure)

What you are looking at has been used before in my notes and comes from the CCNP book referenced at the bottom of the post. The metric for the top half (Router A-B-C-D) is 4,869,120 and the bottom half (Router A-E-D) is 6,024,000. If one configured unequal-cost path load balancing on Router B:

Router(config)#router eigrp 1
Router(config-router)#network network-number
Router(config-router)#variance 2

The end result is that, because the clockwise metric is about 5 bar (5,000,000), a variance of 2 will balance with paths whose metric is less than 10 bar (10,000,000). So the resulting unequal-cost path load balancing will be that for every 6 packets sent Router A-B-C-D (clockwise), 5 packets will be sent Router A-E-D (anticlockwise).

Only paths that are in the topology table as FDs are eligible to be included in the variance command.
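To make the two conditions concrete, here is an added example (not from the original post) that applies the variance rule and the feasibility condition to Router A's paths using the post's two metrics; the reported distances and the third path A-X-D are constructed values, and the traffic split is computed as inversely proportional to the metric, of which the post's "6 packets to 5" is a rounded form.

```python
"""Which EIGRP paths a given variance admits, and the resulting traffic split.

Added example, not from the original post. The two metrics are the post's
(A-B-C-D = 4,869,120; A-E-D = 6,024,000). The reported distances and the
third path A-X-D are constructed to show the feasibility condition.
"""
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class Path:
    name: str
    metric: int    # Router A's total metric to D via this next hop
    reported: int  # reported distance (RD): the next hop's own metric to D


def eligible_paths(paths, variance):
    """Paths EIGRP load balances over after 'variance <multiplier>'.

    A path qualifies only if both hold:
      1. metric <= variance * best metric   (the variance rule; with the
         default variance 1 only equal-cost paths pass)
      2. reported distance < best metric    (feasibility condition: the path
         is a feasible successor in the topology table)
    """
    if not 1 <= variance <= 128:
        raise ValueError("variance must be a whole number between 1 and 128")
    fd = min(p.metric for p in paths)  # feasible distance = best metric
    return [p for p in paths if p.metric <= variance * fd and p.reported < fd]


def traffic_split(paths, variance):
    """Share of traffic per eligible path, inversely proportional to metric."""
    chosen = eligible_paths(paths, variance)
    weights = {p.name: Fraction(1, p.metric) for p in chosen}
    total = sum(weights.values())
    return {name: w / total for name, w in weights.items()}


# Router A's topology table for destination D (RDs and A-X-D are constructed).
ROUTER_A_PATHS = [
    Path("A-B-C-D", metric=4_869_120, reported=2_297_856),  # successor (clockwise)
    Path("A-E-D", metric=6_024_000, reported=3_000_000),    # feasible successor
    Path("A-X-D", metric=7_000_000, reported=5_000_000),    # RD >= FD: never used
]

if __name__ == "__main__":
    for v in (1, 2, 128):
        names = [p.name for p in eligible_paths(ROUTER_A_PATHS, v)]
        print(f"variance {v:>3}: {names}")
    split = traffic_split(ROUTER_A_PATHS, 2)
    ratio = split["A-B-C-D"] / split["A-E-D"]
    print(f"clockwise:anticlockwise = {float(ratio):.2f}:1 "
          f"({float(split['A-B-C-D']):.1%} vs {float(split['A-E-D']):.1%})")
```

Note that A-X-D stays excluded even at variance 128: its reported distance is not below the feasible distance, so it is not a feasible successor and the variance command never sees it.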

Software Study Resources:

The Command Memorizer was originally developed by a CCIE candidate (David Bombal) for his own use and is now available to anyone who wants to use it. Command Memorizer helped him pass the CCIE Lab on the first attempt, and although I am not a CCIE candidate “officially”, I have been fiddling with it and finding it useful to test my command line retention and overall progress towards CCIE readiness as I do my current CCNP.

The proof will be in the pudding as the Command Memorizer boasts 1000s of commands and hundreds of scenarios to test command line knowledge and retention. It has a section for EIGRP and I also like knowing where I am on my long road to Cisco.

Like most study aids / study tools this tool / aid has a specific focus. The Command Memorizer only works when used in conjunction with theoretical backing because you need to know what a command does and how it relates to the technology area. IOW You need to make the connection before you can start drilling actual commands repetitively to get them to start flowing and become second nature.

For a disclosure statement on my relationship with Configure Terminal.

Cisco Press Resources:

Stewart, B. D., & Gough, C. (2008). CCNP BSCI Official Exam Certification Guide, Fourth Edition. Indianapolis: Cisco Press.

Notes and Notices:

This is a part of my personal BSCI notes and research to assist myself in learning and understanding the concepts and theory for the BSCI exam. I learn by making notes, reading and writing things down, and wish to file them where I can’t lose them. These notes are not to be seen, judged or mistaken for replacements for Cisco recognized and authorized training, which I personally support and attend and suggest you undertake if you are going for the BSCI Certification.

Network Community Online

Published by Deon Botha on July 20, 2008 in Asides and Off-Topic. 1 Comment

This post is kind of off-topic but I feel it’s needed at this point. At the end of this month Network Ninja will have been online for 4 months; it’s hopefully going to be a double anniversary as it will hopefully also mark my first active step towards becoming a full-fledged Cisco CCNP Certified bloke.

As to why I have been very quiet as of late when it comes to BCMSN topics: I am booked in on Monday morning (tomorrow) for the BCMSN exam at 8:30am GMT+2 and I have been reading and re-reading my own notes (fixing spelling and typos while doing this). Hopefully I bring back good news; otherwise it's going to be a close call, or I am just going to make another booking and get back to the drawing board. I am at the moment looking at my own study limits to see what kind of time I need to give myself to make notes, study and get the material from my short term to long term memory. I feel prepared and feel good about this, but with me and my horror history with exams who knows (I’m not a glass half full, glass half empty kind of person… There is no stupid glass, it’s a figment of your imagination).

Combined with all of the above I think it's also time to say Thank You/Dankie/Ke a leboga/Ngiyabonga to all the online Cisco Networkers and people I have made contact with along the way, from whom I have received active and passive support (blog posts that helped me understand something, exchanged emails, twitters, IMs, skype, etc) in the last 4 months.

Thanks to blindhog.net – Josh Horton is the man behind Blindhog and his site is dedicated to helping people learn Cisco, Linux and VOIP technologies with the help of video tutorials. He has a good series of video-torials on GNS3 over at his blog; head on over and check them out.

Tip of the hat to www.bitbucketblog.com – a blog by a CCIE member busy with his CCIE Security. Bitbucketblog has some good write-ups and prep notes. A lot of the CCIE stuff still goes over my head but it’s valuable stuff nonetheless. Head on over and check it out!

Shout out to Baby, You can Route My World! – A fellow lamb to the CCNP slaughter, Aragoen Celtdra is busy with the routing track of the CCNP while I am doing the Switching track. Aragoen is excellent at taking the core of the material and condensing it into great bullet-form study sheets. If you don’t like my long-winded notes head on over to his blog and give his notes a squiz.

A Networkers Blog – A CCIE blog full of tidbits and interesting posts. Well worth visiting.

Richard Bannister’s CCIE Blog – The CCIE notes and study blog of Richard Bannister, the blog showcases the trials and tribulations of a studying CCIE and what it takes on a weekly basis to study. Richard posts on his study schedule on a weekly basis, what he has covered and his thoughts on the weeks content.

The Life of a CCIE Training Advisor – The blog of Mike, a training advisor over at IPexpert and Proctor Labs, a really nice guy whose job it is to help the CCIE community at large get Blended Learning Solutions. Get in touch with Mike for some training material, labs etc. I’m sure he can help you out.

CCIE Pilot – The blog of Mar Apuhin, a studying CCIE Routing and Switching candidate who is in the last days before the LAB. Head on over there and send your words of encouragement.

CCIE Pursuit Blog – A great blog filled to the brim with posts relating to things concerning CCIE study and all things CCIE.

Colin McNamara – The blog of Colin McNamara covering “Technical reviews and articles from a CCIE with extensive experience in designing and implementing converged enterprise networks”.

Arden Packeer – The blog of Arden Packeer, a CCIE based in OZ. His blog description is almost like my blog name (never noticed that until I was writing this up). Arden has a pet project going called ccieMagazine; head on over there and show some support.

Etherealmind – The blog of Greg Ferro, a CCIE; his blog covers not only CCIE topics and is well worth following. Greg has a really cool Network Dictionary and also a great style of posting.

Last but not least thanks goes to JP for the things that you pass on and have organized, really appreciate it.

That all having been said, after tomorrow I will hopefully be charting a course for the next 4 months to be able to keep on track with my initial plans for my studies.

Switch Security Layer-2 Attacks – Two

Published by Deon Botha on May 27, 2008 in ACL, BCMSN, Certification, Cisco Systems, Concepts and Constructs, Switch Spoofing, Trunk, VACL, VLAN and VLAN Hopping. 0 Comments

VLAN-Attack

VLAN Hopping

VLAN hopping is a network attack whereby an end device sends packets to, or collects packets from, a VLAN that should not be accessible to that end device. This is done by tagging the invasive traffic with a specific VLAN ID (VID) or by negotiating a trunk link to send or receive traffic on penetrated VLANs. VLAN hopping can be done by switch spoofing or double tagging.

In a switch spoofing attack the attacker configures an end device (this can be a Linux PC) to present itself as a switch. The attack emulates Inter-Switch Link (ISL) or 802.1Q signaling along with Dynamic Trunking Protocol (DTP). This signaling attempts to establish a trunk connection with the company switch.

Any switch port configured with DTP auto will, upon receipt of a DTP packet generated by the attacking device, become a trunk port and then accept traffic destined for any VLAN supported on that trunk. The attacker can then send packets to, and collect packets from, any VLAN.

Double tagging is another method of VLAN hopping: a workstation generates frames with two 802.1Q headers, which causes the switch to forward the frames onto a VLAN that would normally be inaccessible to the attacker through legitimate means.

The first switch to encounter the double-tagged 802.1Q frame strips the first (outer) header, which carries the native VLAN, and forwards the frame out a trunk link; the second switch then forwards the frame according to the remaining 802.1Q header. Should the outer tag not match the native VLAN of the attacker's port, the frame goes untagged and is flooded only within the original VLAN.
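From the defender's side, the tag stack is what a monitoring point (for example a SPAN feed into a sensor) can inspect. The following added example, not from the original post, walks the 802.1Q headers of a frame and flags the double-tag pattern described above, where the outer tag equals the trunk's native VLAN; the frames and the NATIVE_VLAN setting are constructed. The same tag parse exposes the 3-bit 802.1p priority (CoS) field and the IPv4 ToS byte (IP precedence and DSCP) that the QoS notes further down this page discuss.

```python
"""Walk the 802.1Q tag stack of an Ethernet frame and flag double tagging.

Added example, not from the original post. Frames below are constructed
sample bytes and NATIVE_VLAN is an assumed trunk setting.
"""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def parse_frame(frame: bytes) -> dict:
    """Return the tag stack [(cos, vid), ...], the final EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset, tags = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame: no EtherType after tag stack")
        ethertype = struct.unpack_from("!H", frame, offset)[0]
        if ethertype != TPID_8021Q:
            break
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        # PCP (the 802.1p CoS value) is the top 3 bits, the VID the low 12 bits
        tags.append((tci >> 13, tci & 0x0FFF))
        offset += 4
    payload = frame[offset + 2:]
    info = {"dst": dst, "src": src, "tags": tags,
            "ethertype": ethertype, "payload": payload}
    if ethertype == ETHERTYPE_IPV4 and len(payload) >= 20:
        tos = payload[1]                # second byte of the IPv4 header
        info["ip_precedence"] = tos >> 5  # top 3 bits, mirrors the CoS bits
        info["dscp"] = tos >> 2           # top 6 bits
    return info


def assess(frame: bytes, native_vlan: int) -> str:
    """Classify a frame seen from an end-device port for VLAN-hopping review."""
    tags = parse_frame(frame)["tags"]
    if not tags:
        return "untagged"
    if len(tags) == 1:
        return "single-tag"
    if tags[0][1] == native_vlan:
        # The pattern the notes describe: the first switch strips the native
        # VLAN tag and the inner tag then decides the VLAN on the next switch.
        return "double-tag-native-outer"
    return "double-tag"


def build_frame(dst, src, tags, ethertype, payload):
    """Constructed sample frame; tags is a list of (cos, vid), outer to inner."""
    header = dst + src
    for cos, vid in tags:
        header += struct.pack("!HH", TPID_8021Q, (cos << 13) | (vid & 0x0FFF))
    return header + struct.pack("!H", ethertype) + payload


def ipv4_stub(tos):
    """Minimal 20-byte IPv4 header carrying only a ToS byte (constructed)."""
    return bytes([0x45, tos]) + bytes(18)


NATIVE_VLAN = 1                           # assumed native VLAN of the trunk
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("0200c0ffee01")       # constructed locally administered MAC

VOICE_FRAME = build_frame(DST, SRC, [(5, 100)], ETHERTYPE_IPV4, ipv4_stub(0xB8))
DOUBLE_TAGGED = build_frame(DST, SRC, [(0, NATIVE_VLAN), (0, 20)],
                            ETHERTYPE_IPV4, ipv4_stub(0x00))
PLAIN = build_frame(DST, SRC, [], ETHERTYPE_IPV4, ipv4_stub(0x20))

if __name__ == "__main__":
    for name, frame in (("voice", VOICE_FRAME), ("double", DOUBLE_TAGGED),
                        ("plain", PLAIN)):
        info = parse_frame(frame)
        print(name, assess(frame, NATIVE_VLAN), info["tags"],
              info.get("ip_precedence"), info.get("dscp"))
```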

Best Practices to Mitigate VLAN Hopping

  • Configure all unused ports as access ports so that trunking cannot be negotiated across those links.
  • Place all unused ports in the shutdown state and associate them with a VLAN designed only for unused ports, carrying no user data traffic (that means not the native VLAN either).
  • When establishing a trunk link, purposefully configure arguments so that:
    • The native VLAN will be different from any data VLANs
    • Trunking is set up as “on” rather than as negotiated.
    • The specific VLAN range will be carried on the trunk

Configuration

To mitigate VLAN hopping attacks the following is the config. First select a range of interfaces:

switch#configure terminal
switch(config)#interface range gigabitethernet 0/1-48

Now configure the ports as access ports; this in turn will turn off DTP:

switch(config-if-range)#switchport mode access

Assign the ports to an unused VLAN (not the native VLAN):

switch(config-if-range)#switchport access vlan vlan-id

NB: the above commands will not work in VoIP (voice) networks. Cisco IP Phones use trunks (DTP).

VLAN Access Control Lists

There are three kinds of ACLs:

  • Router Access Control Lists (RACLs) are supported in the TCAM hardware on Cisco multilayer switches (MLS). They can be applied to any router interface, such as a switch virtual interface (SVI) or Layer 3 routed port.
  • Port Access Control Lists (PACLs) filter traffic at the port level. PACLs can be applied on a Layer-2 switch port, trunk port, or EtherChannel port.
  • VLAN Access Control Lists (VACLs) (a.k.a. VLAN access maps) are supported in software on Cisco MLS.

Cisco Catalyst switches support four ACL lookups per packet*:

  • ingress (1) and egress (2) security lookup
  • ingress (3) and egress (4) Quality of Service (QoS) look-up

This following section all went over my head, or just about, and I have no idea whether this works or not or is correct or not. For more information, see the source.

There are cases where certain Access Control Entries (ACEs) must be combined in each ACL due to limitations of the TCAM hardware. The merge process is also responsible for other functions like expanding ACEs due to a lack of Layer 4 Operation Pointers (L4Op pointers) or Logical Operation Units (LOUs).

Cisco Catalyst switches use two features to perform a merge:

  • order-independent algorithm merge
  • order-dependent algorithm merge

Order Independent Merge (OIM) is based on Binary Decision Diagrams (BDD): ACLs are merged from a series of order-dependent actions into a set of order-independent masks and patterns. The resulting ACE set can be very large, and processor and memory intensive.

Order Dependent Merge (ODM) is not bit-based. The computation is much faster and less processor intensive.

RACLs are supported in hardware through IP standard and IP extended ACLs, with permit and deny actions. ACL processing is an intrinsic part of the packet forwarding process. ACL entries are programmed in hardware. Lookups occur in the pipeline, whether ACLs are configured or not. With RACLs, access list statistics and logging are not supported.

*You can get some switches with two security lookups and one QoS lookup in each direction (6 total).

Configuring VACLs

VACLs apply to all traffic on a VLAN. VACLs use standard and extended Cisco IOS IP and IPX ACLs, MAC-layer named ACLs and VLAN access maps.

VACLs follow route-map conventions, in which map sequences are checked in order (top-down).

Each VLAN access map can consist of one or more map sequences, each sequence with a match clause and an action clause. The match clause specifies IP, IPX, or MAC ACLs for traffic filtering and the action clause specifies the action to be taken when a match occurs. When a flow matches a permit ACL entry, the associated action is taken and the flow is not checked against the remaining sequences. When a flow matches a deny ACL entry, it is checked against the next ACL in the same sequence or the next sequence. If a flow does not match any ACL entry and at least one ACL is configured for that packet type, the packet is denied.

Three VACL actions are permitted:

  • Permit (with capture, Catalyst 6500 only)
  • Redirect (Catalyst 6500 only)
  • Deny (with logging, Catalyst 6500 only)

Two features are supported on Catalyst 6500 only:

VACL Capture, where forwarded packets are captured on the capture port. The capture option applies only to permit ACEs. The capture port can be an IDS port or an Ethernet port. The capture port must be in an egress VLAN for Layer-3 switched traffic.

VACL Redirect where matching packets are redirected to specific ports. You can configure up to five redirect ports. Redirect ports must be in a VLAN where a VACL is applied.
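The point that trips people up is that a permit ACE in a match clause means "this sequence matches", not "forward", and a deny ACE means "keep looking". The following added example, not from the original notes, simulates that evaluation over a constructed access map and ACLs so the order of sequences and the implicit deny can be seen working; the ACL names, subnets and flows are all constructed.

```python
"""Simulate how a VLAN access map evaluates a flow, sequence by sequence.

Added example, not from the original notes. The ACLs, the access map and
the flows are constructed. The rules implemented are the ones the notes
describe: a permit ACE in a match clause means the sequence matches and its
action is taken; a deny ACE (or no matching ACE) moves on to the next ACL
or sequence; a flow that matches nothing is dropped when at least one ACL
of its type is configured.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "ip"
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    action: str     # "permit" = match this sequence, "deny" = do not match
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "ip"
    dport: Optional[int] = None

    def matches(self, flow: Flow) -> bool:
        return (ip_address(flow.src) in ip_network(self.src)
                and ip_address(flow.dst) in ip_network(self.dst)
                and self.proto in ("ip", flow.proto)
                and (self.dport is None or self.dport == flow.dport))


@dataclass(frozen=True)
class Sequence:
    seq: int
    match: tuple    # names of the IP ACLs in the match clause
    action: str     # "forward" (permit), "drop" (deny) or "redirect"


def acl_matches(acl, flow):
    """True only when the first ACE that matches the flow is a permit ACE."""
    for ace in acl:
        if ace.matches(flow):
            return ace.action == "permit"
    return False        # fell off the end of the ACL: no match


def evaluate(access_map, acls, flow):
    """Return (action, seq) for the flow; ('drop', None) is the implicit deny."""
    for s in sorted(access_map, key=lambda s: s.seq):
        for name in s.match:
            if acl_matches(acls[name], flow):
                return s.action, s.seq
    configured = any(s.match for s in access_map)
    return ("drop" if configured else "forward"), None


# Constructed VLAN 10 server segment: 10.1.10.0/24, bastion 10.1.10.5,
# management network 10.1.20.0/24, guest network 10.1.30.0/24.
ACLS = {
    "MGMT-SSH": [Ace("permit", "10.1.20.0/24", "10.1.10.5/32", "tcp", 22)],
    "ANY-SSH": [Ace("permit", proto="tcp", dport=22)],
    "WEB-NOT-GUEST": [Ace("deny", "10.1.30.0/24", proto="tcp", dport=80),
                      Ace("permit", proto="tcp", dport=80)],
}
VLAN10_FILTER = [
    Sequence(10, ("MGMT-SSH",), "forward"),   # management SSH to the bastion
    Sequence(20, ("ANY-SSH",), "drop"),       # all other SSH into the VLAN
    Sequence(30, ("WEB-NOT-GUEST",), "forward"),
]

if __name__ == "__main__":
    for flow in (Flow("10.1.20.7", "10.1.10.5", "tcp", 22),
                 Flow("10.1.30.9", "10.1.10.5", "tcp", 22),
                 Flow("10.1.30.9", "10.1.10.8", "tcp", 80),
                 Flow("10.1.20.7", "10.1.10.8", "udp", 53)):
        print(flow, "->", evaluate(VLAN10_FILTER, ACLS, flow))
```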

Define a VLAN Access MAP

switch#configure terminal
switch(config)#vlan access-map map-name seq# insert to/delete from

Configure the match clause in a VLAN access map sequence

switch(config-access-map)#match options

Configure actions

switch(config-access-map)#action options

Apply the VACL to VLANs

switch(config)#vlan filter map-name vlan-list list

Verify configuration

switch#show vlan access-map map-name

Source for this config section

Private VLANs

Internet Service Providers (ISPs) often have devices from multiple clients, in addition to their own servers, resident on a single demilitarized zone (DMZ) segment or VLAN. Cisco Catalyst 6500/4500 switches support Private Virtual Local Area Networks (PVLANs) to keep some switch ports shared and some switch ports isolated, even if the ports exist in the same VLAN. The 2950 and 3550 support “protected ports”, which are functionally the same on a per-switch basis.

Traditionally ISPs used one VLAN per customer, with each VLAN having its own subnet. A Layer 3 device then provides interconnectivity between VLANs and Internet destinations. Problems with this method:

  • Supporting a VLAN per customer may require a high number of interfaces on ISP network devices.
  • Spanning Tree becomes more complicated with many VLAN iterations.
  • Network address space must be divided into many subnets, which wastes space and increases management complexity.
  • Multiple ACL applications are required to maintain security on multiple VLANs, resulting in increased management complexity.

PVLANs provide Layer-2 isolation between ports within the same VLAN, thereby eliminating the need for a VLAN and IP subnet per customer.

A Port in a PVLAN can be one of three types:

  • Isolated: the port has complete Layer-2 separation from other ports within the same PVLAN, except for promiscuous ports; all traffic to isolated ports is blocked except from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports.
  • Promiscuous: the port can communicate with all ports within the PVLAN. The default gateway (DG) is typically hosted on a promiscuous port.
  • Community: ports communicate among themselves and with their promiscuous ports. These interfaces are isolated at Layer 2 from all other interfaces in other communities, and from isolated ports within their PVLAN.

Trunks carry all VLAN traffic, so isolated, promiscuous and community PVLAN traffic may enter and leave a switch through trunks.

PVLAN ports are associated with a set of supporting VLANs that are used to create the PVLAN structure:

  • Primary VLAN: carries traffic from promiscuous ports to isolated, community and other promiscuous ports in the same primary VLAN.
  • Isolated VLAN: carries traffic from isolated ports to a promiscuous port.
  • Community VLAN: carries traffic between secondary VLANs.

You can extend PVLANs across multiple devices by trunking primary, isolated, and community VLANs to other devices that support PVLANs.

A promiscuous port can service only one primary VLAN. A promiscuous port can service one isolated VLAN or many community VLANs.

Configuring

Step 1: Set VTP Mode to Transparent

switch#configure terminal
switch(config)#vtp mode transparent

You may also want to check the VTP version, password and domain while you are at VTP configuration.

Step 2: Create the secondary VLANs (Isolated and community VLANs are secondary VLANs)

switch#configure terminal
switch(config)#vlan 102
switch(config-vlan)#private-vlan isolated
switch(config-vlan)#end
switch#show vlan private-vlan type

Step 3: Create the primary VLAN

switch#configure terminal
switch(config)#vlan 100
switch(config-vlan)#private-vlan primary
switch(config-vlan)#end
switch#show vlan private-vlan type

Step 4: Associate the secondary VLAN with the primary VLAN. Only one isolated VLAN can be mapped to a primary VLAN, but more than one community VLAN can be mapped to a primary VLAN.

switch#configure terminal
switch(config)#vlan 100
switch(config-vlan)#private-vlan association add 102
switch(config-vlan)#end
switch#show vlan private-vlan type

When associating secondary VLANs with primary VLANs use these best practices:

  • Make sure that the VLAN IDs contain only one isolated VLAN ID (VID)
  • Use the remove keyword with the secondary VID to clear association; there can only be one association.
  • Use the no keyword to clear all association from the primary VLAN.
  • Do not allow the command to take effect until you exit VLAN configuration submode.

Step 5: Configure an interface as an isolated or community port.

switch#configure terminal
switch(config)#interface gigabitethernet 0/1
switch(config-if)#switchport mode private-vlan host
switch(config-if)#end
switch#show interfaces gigabitethernet 0/1 switchport

Step 6: Associate the isolated port or community port with the primary/secondary VLAN pair

switch#configure terminal
switch(config)#interface gigabitethernet 0/1
switch(config-if)#switchport private-vlan host-association 100 102
switch(config-if)#end
switch#show interfaces gigabitethernet 0/1 switchport

Step 7: Configure an interface as a promiscuous port

switch#configure terminal
switch(config)#interface gigabitethernet 0/1
switch(config-if)#switchport mode private-vlan promiscuous
switch(config-if)#end
switch#show interfaces gigabitethernet 0/1 switchport

Step 8: Map the promiscuous port to the primary/secondary VLAN pair

switch#configure terminal
switch(config)#interface gigabitethernet 0/1
switch(config-if)#switchport private-vlan mapping 100 102
switch(config-if)#end
switch#show interfaces gigabitethernet 0/1 switchport

Step 9: Permit Routing of Secondary VLAN Ingress Traffic

switch#configure terminal
switch(config)#interface vlan 100
switch(config-if)#private-vlan mapping add 102
switch(config-if)#end
switch#show interfaces private-vlan mapping

The sources for this config section include this Cisco 4500 document and this document. Finally CCIE Blog gave me some insight and a hint as to WTF the difference between the host and promiscuous ports on the interface config was.

Definition

Logical Operation Units (LOUs) are hardware registers used to store {operator, operand} tuples for Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) port numbers specified in an IP extended ACL, VACL, or QoS ACL. These tuples are called Layer 4 Operations (L4Ops).

Source

Notes and Notices:

This is a part of my personal BCMSN notes and research to assist myself in learning and understanding the concepts and theory for the BCMSN exam. I learn by making notes, reading and writing things down, and wish to file them where I can’t lose them. These notes are not to be seen, judged or mistaken for replacements for Cisco recognized and authorized training, which I personally support and attend and suggest you undertake if you are going for the BCMSN Certification.

References I want to remember:

Hucaby, D. (2007). CCNP Self-Study: CCNP BCMSN Official Exam Certification Guide, Fourth Edition, VLAN Access Lists (pp. 413-414). Indianapolis: Cisco Press.

QoS and Voice Traffic

Published by Deon Botha on May 22, 2008 in AutoQoS, BCMSN, Certification, Cisco Systems, CoS, Concepts and Constructs, NBAR, QoS and Trunk. 0 Comments

Definitions

ingress: arrives/comes in/enters

egress: leaving/exit/to go out

It’s the new words of the day so it's going to be used a lot.

Introduction

Regardless of the speed of individual switches (slower/older vs. faster/newer switches) or links (10/100), speed mismatches (ingress 1000/egress 100), many-to-one switching fabrics (multiple access layer switches into a distribution layer switch), and aggregation (multiple devices communicating through a single connection or to a single device or server) may cause a device to experience congestion, which can result in latency and dropped packets.

If, and inevitably when, congestion occurs (I have heard of enterprise payrolls that cause certain amounts of congestion on a network at the end of each month) and congestion management features are not in place (QoS, load balancing on servers, etc), then some packets will be dropped, causing retransmissions (TCP) that inevitably increase overall network load; if voice and video are on the network (UDP) the inevitable result will be angry employees. QoS can to an extent mitigate latency caused by congestion.

QoS is implemented by classifying and marking traffic at one device while allowing other devices to prioritize or to queue the traffic according to those marks applied to individual frames or packets.

LAN-Based Classification and Marking of Traffic

Classification and marking of traffic is the process of identifying traffic for prioritization as that traffic moves across the network. Traffic is classified by examining information at various layers of the Open Systems Interconnection (OSI) model. IP traffic can be classified according to any values configurable in an access control list (ACL) or any of these layers:

  • Layer-2 parameters: MAC Address, Multiprotocol Label Switching (MPLS), ATM Cell Loss Priority (CLP) bit, Frame Relay discard eligible (DE) bit, ingress interface
  • Layer-3 parameters: IP precedence, DiffServ Code Point (DSCP), QoS group, IP Address, ingress interface
  • Layer-4 parameters: TCP or User Datagram Protocol (UDP) ports, ingress interface
  • Layer-7 parameters: Application signature, ingress interface

QoS marks (values) establish priority levels (priority classes of service) for network traffic as it is processed by each switch (Access, Distribution, or Core). Once traffic is marked with a QoS value, then QoS policies on switches and interfaces will handle traffic accordingly at the frame and packet level. As a result of classification and marking, traffic will be prioritized accordingly at each switch to ensure that delay-sensitive traffic receives priority processing (voice, video) while non-delay sensitive data traffic waits it’s turn as each switch manages congestion, delay, and bandwidth allocation.

Layer-2 QoS

QoS Layer-2 classification occurs by examining information in the Ethernet or 802.1Q header (trunking), like the destination MAC address or Virtual Local Area Network (VLAN) ID. QoS Layer-2 markings occur in the priority field of the 802.1Q header (LAN Layer-2 headers have no place for this, so 802.1Q encapsulation must occur). The priority field is 3 bits long (a.k.a. 802.1p User Priority or Class of Service (CoS) value).

The 3-bit priority field can carry a value of 1 to 7; 1 is associated with delay-tolerant traffic like TCP/IP traffic. Voice traffic receives a higher priority: call signalling receives a value of 3 and voice bearer traffic a value of 5.

As a result of Layer-2 Classifications and marking, these QoS operations can occur:

  • Input queue scheduling: when a frame enters a port, it can be assigned to one of a number of port-based queues before being scheduled for switching to an egress port. Typically, multiple queues are used where traffic requires different levels of service.
  • Policing: the process of inspecting a frame to see if it has exceeded a predefined rate of traffic within a certain time frame that is typically a fixed number internal to a switch. If a frame is determined to be in excess of the predefined rate limit, it can either be dropped or have its CoS value marked down.
  • Output queue scheduling: where the switch places the frame into an appropriate egress queue for switching. The switch performs buffer management on this queue by ensuring that the buffer does not overflow.

Layer-3 QoS

QoS Layer-3 classification occurs by examining header values such as destination IP address or protocol. QoS Layer-3 marking occurs in the Type of Service (ToS) byte in the IP header. The first three bits of the ToS byte are occupied by IP precedence, which correlates to the three CoS bits carried in the Layer-2 header.

The ToS byte can also be used for DSCP marking that allows prioritization hop by hop as packets are processed on each switch and interface.

Trust Boundaries

In QoS campus implementations, trust boundaries are defined/created where existing QoS values that are attached to frames and packets are to be accepted or altered. These “trusts” are established by configuring trust levels on the ports of key peripheral network devices where QoS policies will be enforced (trusted) as traffic makes its way into/onto the network. At this entry point traffic will be allowed or not allowed to retain its original QoS markings or will be ascribed new markings (best practice is to mark traffic as close to the source as possible).

In practice this means that if you have a network with a desktop/notebook attached to a Cisco IP Phone, attached to a Catalyst switch, attached to a Cisco router, the trust boundary can be set at the Cisco IP Phone, where the IP Phone attaches priority values which are then trusted.

Otherwise, if there is a desktop/notebook with a softphone attached to a Catalyst switch attached to a router, the trust boundary can be set at the desktop/notebook, where the softphone attaches priority values which are then trusted.

Configuration IP Phone Attachment

This goes hand in hand with how to configure VLANs. First off we create the VLANs:

switch#configure terminal
switch(config)#vlan 10
switch(config-vlan)#name 001-WORK-STATION
switch(config-vlan)#exit
switch(config)#vlan 100
switch(config-vlan)#name 001-IP-PHONE
switch(config-vlan)#exit

Now we need to assign the data and voice VLANs to an interface:

switch(config)#interface gigabitethernet 0/1
switch(config-if)#switchport voice vlan 100
switch(config-if)#switchport access vlan 10

Now we need to set up trust for the CoS marks as they arrive at the switch port:

switch(config-if)#mls qos trust cos

Finally, make the trust conditional on a Cisco IP Phone being attached:

switch(config-if)#mls qos trust device cisco-phone

Auto QoS

Cisco AutoQoS gives the ability to deploy QoS features for converged IP telephony and allows telephony networks to be deployed more quickly and efficiently than if it had to be done manually. Cisco AutoQoS generates traffic classes and policy-map command-line (CLI) templates that are the same across platforms, where doing things manually might not have the same congruence. Cisco AutoQoS simplifies and automates the Modular QoS CLI (MQC) definition of traffic classes and the creation and configuration of traffic policies.

AutoQoS can be beneficial in these scenarios:

  1. SMBs that deploy IP telephony quickly but lack the experience and staffing to deploy IP QoS services.
  2. Large enterprises that need to deploy Cisco Systems Telephony solutions on a large scale, while reducing costs, complexity, and time frame for deployment, and ensuring that the appropriate QoS for voice applications is being set in a consistent fashion.
  3. International enterprises or service providers requiring QoS for VoIP where little expertise exists in different regions of the world and where provisioning QoS remotely and across different time-zones is difficult.
  4. Service providers requiring a template-driven approach to deliver managed services and QoS for voice traffic of customer premises devices.

Cisco AutoQoS simplifies and shortens the deployment cycle in the following ways:

  • Application classification: by leveraging intelligent classification on routers, Cisco Network-Based Application Recognition (NBAR) provides stateful and deep packet inspection. Cisco AutoQoS uses Cisco Discovery Protocol (CDP) for voice packets to ensure that the end device attached to the Local Area Network (LAN) is really a Cisco IP Phone (keep in mind that CDP is Cisco proprietary).
  • Policy Generation: Cisco AutoQos evaluates the network environment and generates the initial policy. This feature automatically generates interface configurations, policy maps, class maps, and Access Control Lists (ACL).
  • Configurations: Using one command, Cisco AutoQoS configures the port to prioritize voice traffic without affecting other network traffic, while still offering the flexibility to adjust QoS settings for unique network requirements. Cisco AutoQoS will automatically detect Cisco IP Phones and enable QoS settings, in turn it will also disable QoS settings to prevent malicious activity when a Cisco IP Phone is relocated or moved.
  • Monitoring and reporting: Cisco AutoQoS provides visibility into the Class of Service (CoS) deployed via system logging and Simple Network Management Protocol (SNMP) traps, with notification of abnormal events(VoIP packet drops).
  • Consistency: Cisco AutoQoS configurations are consistent among router and switch platforms. This level of consistency ensures seamless QoS operation and interoperability within the network.

Cisco Catalyst Switch Configuration – Cat OS

To configure the global QoS settings

Console> (enable) set qos autoqos
.........
All ingress and egress QoS scheduling parameters configured on all ports. CoS to DSCP, DSCP to CoS. Precedence to DSCP and policed dscp maps configured.
Global QoS configured, port specific autoqos recommended:
set port qos <mod/port> autoqos trust <cos/dscp>
set port qos <mod/port> autoqos voip <ciscoipphone/ciscosoftphone>

To configure Cisco AutoQoS settings and the trusted boundary feature for Cisco IP Phones, CDP version 2 or later must be enabled on the port. If the trusted boundary feature is enabled, you will receive a syslog warning message when CDP is not running or only CDP version 1 is running.

CDP need not be enabled if you do not use the ciscoipphone QoS configuration.
Console> (enable) set port qos 4/1 autoqos voip ciscoipphone
Warning: CDP is disabled or CDP version 1 is in use. Ensure that CDP version 2 is enabled globally, and also ensure that CDP is enabled on the port(s) you wish to configure autoqos on.
Port 4/1 ingress QoS configured for ciscoipphone.
It is recommended to execute the "set qos autoqos" global command if not executed previously.
Console> (enable)

The port-specific QoS macro below handles all inbound QoS configuration that is specific to a particular port. It should only be used when the port connects to other known switches or servers, because the port then trusts every inbound marking (CoS or DSCP) without any device check:
Console> (enable) set port qos 4/1 autoqos trust <cos/dscp>

Cisco Catalyst Switch Configuration – Cisco IOS

When Cisco AutoQoS is enabled on the first interface, QoS is globally enabled. This is equivalent to configuring:

switch#configure terminal
switch(config)#mls qos

To enable QoS on an interface that connects to a trusted router or switch, so that the VoIP classification in ingress packets is trusted, use:

switch#configure terminal
switch(config)#interface gigabitethernet 0/1
switch(config-if)#auto qos voip trust

Or, when the interface connects to a Cisco IP Phone, trust the QoS labels of incoming packets only while a phone is detected; this relies on CDP to detect the phone's presence or absence:

switch#configure terminal
switch(config)#interface gigabitethernet 0/1
switch(config-if)#auto qos voip cisco-phone

To check the generated configuration use the following command (and show mls qos interface interface-id to confirm the trust state the port ended up with):
switch#show auto qos interface interface-id

Cisco AutoQoS Automation

Cisco AutoQoS automates several things when configured. It enforces trust boundaries on Cisco Catalyst switch access ports, uplinks and downlinks; enables Catalyst strict priority queuing (PQ), also called expedite queuing, with weighted round-robin (WRR) scheduling for voice and data traffic; configures queue admission criteria; and finally modifies queue sizes and weights as needed.

Notes and Notices:

This is a part of my personal BCMSN notes and research to assist myself in learning and understanding the concepts and theory for the BCMSN exam. I learn by making notes reading and writing things down and wish to file them where I can’t lose them. These notes are not to be seen, judged or mistaken for replacements to Cisco recognized and authorized training which I personally support and attend and suggest you undertake if you are going for the BCMSN Certification.

Planning Voice on a Data Network

Published
by
Deon Botha
on May 21, 2008
in BCMSN, Certification, Cisco Systems and VoIP
. 0 Comments

There are numerous benefits to packet switched telephony:

  • More efficient use of bandwidth and kit: Traditional telephony networks use a 64-kbps channel (for argument's sake, one B channel on an ISDN line) for every voice call. Packet telephony shares bandwidth among multiple logical connections and offloads traffic volumes from existing voice switches.
  • Lower costs for telephony network transmissions: A substantial amount of equipment is needed to combine 64-kbps (ISDN) channels into a high-speed link for transport across a network (say an ISDN PRI). Packet telephony statistically multiplexes voice traffic alongside data traffic. This consolidation represents substantial savings on CAPEX and OPEX.
  • Consolidated voice and data network expenses: Data networks functioning separately from voice networks become major traffic carriers. The underlying voice networks can be converted to utilize the packet-switched architecture to create a single integrated communications network with a common switching and transmission system. The benefit is CAPEX and OPEX savings.
  • Increased revenues from new services: Packet telephony enables new integrated services, such as broadcast-quality audio, unified messaging, and real-time voice and data collaboration. These services increase employees' productivity and profit margins well above those of basic voice services. In addition, these services enable companies and service providers to differentiate themselves and improve their market position.
  • Greater innovation in services: Unified communications use the IP infrastructure to consolidate communications methods that were previously independent (Fax, voicemail, email, wireline telephone, cellular phone, and the web). The IP Infrastructure provides users with a common method to access messages and initiate real-time communications – independent of time, location, or device.
  • Access to new communications devices: Packet technology can reach devices that are largely inaccessible to today's time-division multiplexing (TDM) infrastructure (PCs, wireless devices, household appliances, PDAs). Access to these devices enables companies and service providers to increase the volume of communications they deliver, the breadth of service they offer, and the number of subscribers they serve. Packet technology therefore enables companies to market new devices, including videophones, multimedia terminals, and advanced IP Phones.
  • Flexible new pricing structures: Companies and services providers with packet-switched networks can transform their service and pricing models. Because network bandwidth can be dynamically allocated, network usage no longer needs to be measured in minutes or distance. Dynamic allocation gives service providers the flexibility to meet the needs of their customers in ways that bring them the greatest benefits.

The basic components for voice on a IP network are as follows:

  • IP Phones: The end-device on desks
  • Gatekeeper: Provides Call Admission Control (CAC), bandwidth control and management, and address translation.
  • Gateway: Provides translation between voice over Internet Protocol (VoIP) and non-VoIP networks, such as the public switched telephone network (PSTN). It provides physical access for local analog and digital devices (telephones, fax machines, and PBXs).
  • Multipoint Control Unit: Provides real-time connectivity for participants in multiple locations to attend the same videoconference or meeting.
  • Call Agent: Provides call control for IP Phones, CAC, bandwidth control and management, and address translation.
  • Application Server: Provides services such as voicemail, unified messaging, and Cisco CallManager Attendant Console.
  • Videoconference Station: Provides access for end-users participation in videoconferencing. This station has a video camera and a microphone. The user can view video streams and hear the audio that originates from the remote user station.

There are other components not listed here like voice applications, interactive voice response (IVR) systems, and softphones that meet the specific needs of enterprise.

Voice and Data Traffic Characteristics

Voice traffic has extremely stringent QoS requirements because it is extremely delay sensitive. It generates a smooth, predictable demand on bandwidth in small packets (typically 60 to 120 bytes) and has minimal impact on other traffic, as long as it is managed. Because of its time-sensitive nature, User Datagram Protocol (UDP) is used to carry voice packets; TCP's retransmit capability has no value, because a retransmitted voice sample arrives too late for the conversation that is happening now.

For acceptable voice quality, one-way delay should be no more than 150 ms and packet loss less than 1%. A typical voice call requires 17 to 106 kbps of guaranteed priority bandwidth (depending on codec, sample size and link-layer overhead), plus an additional 150 bps per call for voice-control traffic. Multiplying this by the maximum number of calls expected during the busiest period gives the overall bandwidth requirement for voice traffic.

Because data traffic is not as delay sensitive and can tolerate higher drop rates, the retransmit capability of TCP becomes important; as a result many applications use TCP by default.

In networks, important business-critical applications are usually easy to identify. Most applications can be identified by TCP or UDP port numbers (HTTP, HTTPS, FTP, Telnet, SQL, etc.). Some applications use dynamic port numbers, which to some extent makes classification more difficult. Cisco IOS software supports network-based application recognition (NBAR), which can be used to recognise dynamic-port applications.

VoIP Call Flow

As I mentioned in a previous post (see HSRP Across Trunk Links) and elsewhere, it is best practice to set up voice and data on separate VLANs (I did in my own network). This is done so that QoS can be applied to prioritise the VoIP traffic as it traverses the network. If this is not done, voice and data traffic contend for the available bandwidth without regard for each other, and one or the other is going to suffer.

A major component of designing a successful IP Telephony network is bandwidth provisioning. The bandwidth requirement is calculated by adding the total required bandwidth for voice, video and data together; the sum should not be more than 75% of the link total.
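To put the per-call figures and the 75% rule above into practice, here is an added Python example (my own worked example, not code from the original post or from Cisco) that computes per-call bandwidth from codec rate, packetization interval and header overhead, then checks how many calls fit on a link. The header sizes and codec rates are the commonly quoted values and are assumptions of this example; the 150 bps call-control allowance and the 75% ceiling are the figures from these notes; the T1 link speed and data-traffic figures in the sample run are made up.

```python
"""Per-call VoIP bandwidth and link provisioning check.

Added example, not part of the original post. The arithmetic is the usual
one: frame size = layer-2 header + IP/UDP/RTP header + voice payload, and
packets per second = 1000 / packetization interval (ms). Header sizes and
codec rates below are the commonly quoted values (assumptions for this
example); the 150 bps call-control allowance and the 75% utilisation ceiling
are the figures from the notes.
"""
from dataclasses import dataclass

IP_UDP_RTP_HEADER = 40                        # bytes: 20 IP + 8 UDP + 12 RTP
CRTP_HEADER = 2                               # bytes: compressed RTP (cRTP)
L2_OVERHEAD = {"ethernet": 18, "ppp": 6}      # bytes per frame (assumed)
CODEC_BPS = {"g711": 64_000, "g729": 8_000}   # codec payload bit rates
CALL_CONTROL_BPS = 150                        # per-call signalling (notes)
MAX_UTILISATION = 0.75                        # voice+video+data <= 75% link


@dataclass(frozen=True)
class CallProfile:
    codec: str
    packetization_ms: int = 20    # default sample interval for both codecs
    link: str = "ethernet"
    crtp: bool = False            # RTP header compression on the link

    def payload_bytes(self) -> int:
        # bits per second * seconds per packet / 8 bits per byte
        return CODEC_BPS[self.codec] * self.packetization_ms // 8000

    def packets_per_second(self) -> float:
        return 1000 / self.packetization_ms

    def bandwidth_bps(self) -> float:
        """Bits per second on the wire for one call in one direction."""
        header = CRTP_HEADER if self.crtp else IP_UDP_RTP_HEADER
        frame = L2_OVERHEAD[self.link] + header + self.payload_bytes()
        return frame * 8 * self.packets_per_second()


def per_call_bps(profile: CallProfile) -> float:
    """Bearer bandwidth plus the call-control allowance from the notes."""
    return profile.bandwidth_bps() + CALL_CONTROL_BPS


def provision(link_bps: int, calls: int, profile: CallProfile,
              video_bps: int = 0, data_bps: int = 0) -> dict:
    """Apply the 75% rule: voice + video + data must fit under the ceiling."""
    voice = calls * per_call_bps(profile)
    total = voice + video_bps + data_bps
    ceiling = link_bps * MAX_UTILISATION
    return {"voice_bps": voice, "total_bps": total,
            "ceiling_bps": ceiling, "fits": total <= ceiling}


def max_calls(link_bps: int, profile: CallProfile,
              video_bps: int = 0, data_bps: int = 0) -> int:
    """Largest number of simultaneous calls that still respects the ceiling."""
    headroom = link_bps * MAX_UTILISATION - video_bps - data_bps
    return max(0, int(headroom // per_call_bps(profile)))


if __name__ == "__main__":
    # Constructed scenario: a T1 (1.544 Mbps) WAN link carrying 500 kbps of data.
    g729_wan = CallProfile("g729", link="ppp", crtp=True)
    print("G.711/Ethernet per call (bps):", CallProfile("g711").bandwidth_bps())
    print("G.729/PPP+cRTP per call (bps):", g729_wan.bandwidth_bps())
    print("T1 fits 10 calls:", provision(1_544_000, 10, g729_wan, data_bps=500_000)["fits"])
    print("T1 max G.729 calls:", max_calls(1_544_000, g729_wan, data_bps=500_000))
```

The two per-call results (87.2 kbps for G.711 on Ethernet, 11.2 kbps for G.729 on PPP with cRTP) land inside the 17 to 106 kbps range quoted above and show why the codec and the link type, not just the call count, decide whether a WAN link is over-subscribed.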

From a traffic perspective IP Telephony consists of two types of traffic:

  1. The voice carrier stream, which consists of Real-Time Transport Protocol (RTP) packets that contain the actual voice samples.
  2. Call control signaling, which contains packets belonging to one of several protocols used to set up, maintain, tear down or redirect calls. Depending on the endpoint this could be H.323 or Media Gateway Control Protocol (MGCP).

Auxiliary VLANs

Some Cisco Catalyst switches offer a feature called the "Auxiliary VLAN". This feature allows one to overlay a voice topology over an existing data network. Phones can be segmented into a separate logical network even though the data and voice networks are physically the same.

The auxiliary VLAN feature places the phones into their own VLAN without any end-user configuration. Additionally, the VLAN assignment is maintained even if the phone is moved.

How this works is that when a phone is plugged into any switch port, the switch tells the phone the voice VLAN ID over CDP, the phone tags its own frames for that VLAN and requests a DHCP address there, and so it is placed in the voice VLAN automatically. With phones in their own VLAN, administrators can troubleshoot and identify problems easily. This also makes enforcement of QoS and security policies easier.

QoS

QoS is the application of features and functionality required to actively manage and satisfy the networking requirements of applications that are sensitive to loss, delay and delay variation (jitter). QoS allows preference for the available bandwidth to be given to critical application flows.

Cisco IOS implementations of QoS provide these features:

  • Priority access to resources: QoS allows administrators to control which traffic is allowed to access specific network resources such as bandwidth, kit and WAN links.
  • Efficient management of network resources: If network management and accounting tools indicate that specific traffic is experiencing latency, jitter and packet loss, then QoS tools can be used to adjust how that traffic is handled.
  • Tailored service: The control provided by QoS enables Internet Service Providers to offer carefully tailored grades of service to their customers.
  • Coexistence of mission-critical applications: QoS technologies ensure that mission-critical applications receive priority access to network resources while providing adequate processing for applications that are not delay sensitive.

High Availability

Traditional telephony networks strive to provide 99.999% availability (about 5.25 minutes of downtime a year). This is less downtime than most data networks achieve. Providing the same experience means choosing hardware and software with a high mean time between failures (MTBF) or installing redundant links and hardware.

Availability means that when a user wants to make a call, the network is able to respond to that need. Efforts to ensure availability include proactive management to predict failures and taking steps to correct design problems as the network grows. When a converged network goes down, the downtime can be minutes, hours or days; this is unacceptable in a converged network where downtime means no phone calls. Uninterruptible power supplies (UPS), lightning arrestors and other measures are therefore used to ensure availability at all costs.

High Availability encompasses many areas of a network. In a fully redundant network these components need to be duplicated:

  • Servers and call managers,
  • Access layer devices (layer-2 switches)
  • Distribution layer devices (routers or Layer-3 switches)
  • Core layer devices (layer-3 switches)
  • Interconnections (WAN links, PSTN Gateways, ISP links)
  • Power supplies and UPSs

Notes and Notices:

This is a part of my personal BCMSN notes and research to assist myself in learning and understanding the concepts and theory for the BCMSN exam. I learn by making notes reading and writing things down and wish to file them where I can’t lose them. These notes are not to be seen, judged or mistaken for replacements to Cisco recognized and authorized training which I personally support and attend and suggest you undertake if you are going for the BCMSN Certification.

Multilayer Switching Network

Published
by
Deon Botha
on April 4, 2008
in BCMSN, Certification, Cisco Systems, Concepts and Constructs and Enterprise Architecture
. 2 Comments

Multilayer Switching Network

Network Diagram

The diagram above shows the same network as the layer-3 design, with one noteworthy change: two of the layer-2 switches have been replaced with multilayer switches.

Why use this design

Multilayer Switching is a hardware-based switching and routing platform integrated into a chassis that does everything a standard switch and router would do. In many cases frame and packet forwarding is done by the same hardware application-specific integrated circuit (ASIC) and other specialised circuitry, improving performance, reducing power consumption and in turn costing less*.

With the previous layer-3 design one of the problems was high latency compared to the layer-2 design, which in turn has potential bridging loop problems. This MLS model has low latency with added hardware-based forwarding ("caching"), high-performance switching, high-speed scalability (huge filter tables), QoS and security, making it the best of both models.

NOTE: *hardware gives switches greater scalability, wire-speed performance, low latency, low cost, and high port density.

Why this design works

This design could be used to offload the following from central routers or a distribution router or to combine routing and switching functions at the distribution areas of the network:

  • Wire-speed communication (the theoretical maximum speed of the medium)
  • Lower Latency (lag)
  • Multiple switching paths (redundancy suppose? someone?);
  • Segmenting broadcast and failure domains;
  • Updating of the Management Information Base (MIB) statistics;
  • Destination-specific frame forwarding based on layer-2 information;
  • Forwarding paths based on layer-3 information;
  • Validation of layer-2 frames and layer-3 packets via checksum;
  • Verification of expiration and updates;
  • Application of network policy and security;
  • Optimal path determination (based on MAC source/destination, IP source/destination, Protocol, Port);
  • QoS (auto QoS);
  • VoIP (inline power);

This type of switch is more expensive than a layer-2 switch yet still not as expensive as a router; the cost is definitely not cheap. Placement of this device within a network must be considered carefully, otherwise the expense incurred would be wasted.

Why this design doesn’t work

The problem with single-chassis devices is the single point of failure. If there is a problem on the device (breakdown) or a network problem (routing table), everything connected to the MLS goes down. This means placing redundant devices and planning them carefully, which increases costs. As mentioned, these devices are not exactly "cheap", so planning redundancy (multiple devices) becomes an expensive exercise.

Switches in a flat network are interconnected to provide inter-VLAN routing functions. These redundant paths will create bridging loops, so running STP is imperative.

Because a MLS is all that and a bag of chips it may be way over the top to replace a router with one of these unless there is a really good reason or a really good discount involved.

Some Basics

Catalyst switches (3560, 4500, 6500) can forward frames based on layer-3 and layer-4 information contained in packets. This is the basis of MLS. Cisco Catalyst switches have gone through two basic generations: first route caching, then topology-based switching.

Route caching requires a route processor (RP) and a switch engine (SE). The RP processes the first packet of a traffic flow to determine the destination. The SE listens for this first packet and its destination and creates an entry in the MLS cache; it then forwards all subsequent packets of that flow based on the cache entry. This is known as NetFlow LAN switching, flow-based or demand-based switching, and "route once, switch many".

Topology-based switching uses specialised hardware. Layer-3 routing information builds and pre-populates a single database with the entire network topology, which is then consulted so that packets can be forwarded at high rates. This is Cisco Express Forwarding (CEF), where a process running on the switch downloads the routing table into the Forwarding Information Base (FIB).
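To make the difference between the two generations concrete, here is an added Python model (my own example, not code from the original post or from Cisco) of a demand-based flow cache beside a CEF-style FIB. The route-cache engine sends the first packet of each flow to the route processor and serves later packets from a 5-tuple MLS cache ("route once, switch many"); the FIB is built from the whole routing table up front, so every packet is one longest-prefix-match lookup. The routing table, next hops and sample packets are constructed for this example.

```python
"""Route caching versus topology-based (CEF-style) forwarding.

Added example, not from the original post. The routing table, next hops and
packets below are constructed for illustration; a real FIB uses a trie or
TCAM rather than a sorted list, but the lookup result is the same.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[str, str]                    # (prefix, next hop)
FlowKey = Tuple[str, str, int, int, int]   # src, dst, proto, sport, dport

# Constructed routing table with overlapping prefixes so longest match matters.
ROUTING_TABLE: List[Route] = [
    ("0.0.0.0/0", "10.0.0.1"),             # default route
    ("192.168.0.0/16", "10.0.1.1"),
    ("192.168.10.0/24", "10.0.2.1"),
    ("192.168.10.128/25", "10.0.3.1"),
]


class Fib:
    """Topology-based forwarding: the whole routing table is pre-populated
    into the lookup structure. Sorting longest prefix first means the first
    hit is the longest match."""

    def __init__(self, routes: List[Route]) -> None:
        self.entries = sorted(
            ((ipaddress.ip_network(prefix), nh) for prefix, nh in routes),
            key=lambda entry: entry[0].prefixlen, reverse=True)

    def lookup(self, dst: str) -> Optional[str]:
        addr = ipaddress.ip_address(dst)
        for net, next_hop in self.entries:
            if addr in net:
                return next_hop
        return None                        # no route: drop


class RouteCacheEngine:
    """Flow-based forwarding: a cache miss costs a route-processor lookup and
    populates the MLS cache; every later packet of the same flow is a hit."""

    def __init__(self, route_processor: Fib) -> None:
        self.rp = route_processor
        self.cache: Dict[FlowKey, str] = {}
        self.rp_lookups = 0
        self.cache_hits = 0

    def forward(self, key: FlowKey) -> Optional[str]:
        if key in self.cache:
            self.cache_hits += 1
            return self.cache[key]
        self.rp_lookups += 1
        next_hop = self.rp.lookup(key[1])
        if next_hop is not None:
            self.cache[key] = next_hop
        return next_hop

    def flush(self) -> None:
        """A routing change must flush the cache: stale entries would keep
        switching flows to a next hop the route processor no longer uses."""
        self.cache.clear()


# Constructed traffic: one RTP stream of 5 packets and one TCP flow of 3.
SAMPLE_PACKETS: List[FlowKey] = (
    [("10.1.1.5", "192.168.10.200", 17, 16384, 16384)] * 5
    + [("10.1.1.5", "192.168.10.20", 6, 40000, 443)] * 3
)


def simulate(packets: List[FlowKey]) -> Tuple[List[Optional[str]], int, int]:
    """Return (next hop per packet, route-processor lookups, cache hits)."""
    engine = RouteCacheEngine(Fib(ROUTING_TABLE))
    hops = [engine.forward(p) for p in packets]
    return hops, engine.rp_lookups, engine.cache_hits


if __name__ == "__main__":
    hops, misses, hits = simulate(SAMPLE_PACKETS)
    print(hops)            # five packets via 10.0.3.1, then three via 10.0.2.1
    print(misses, hits)    # 2 route-processor lookups, 6 cache hits
```

The flush method is the part worth noticing: a flow cache is only as correct as its last route-processor lookup, which is exactly the consistency problem that pre-populating the FIB from the routing table (the CEF approach) removes.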

Devices in this design

A router is a layer-3 device used to interconnect network segments or broadcast domains. Routers must be configured to work and do not work out of the box. Each router interface is a separate collision domain and broadcast domain for the devices attached to it.

A switch is a layer-2 device used to interconnect network components (workstations, servers, printers, other hubs, switches, routers, etc.). Out of the box a switch creates a single broadcast domain, but it can create multiple broadcast domains (VLANs). Each port on a switch is a separate collision domain.

A multilayer switch is a layer-2, layer-3 and layer-4 device used to interconnect network components (workstations, servers, printers, other hubs, switches, routers, etc.). Out of the box this switch behaves like a layer-2 switch.

Notes and Notices:

This is a part of my personal BCMSN notes and research to assist myself in learning and understanding the concepts and theory for the BCMSN exam. I learn by making notes reading and writing things down and wish to file them where I can’t lose them. These notes are not to be seen, judged or mistaken for replacements to Cisco recognized and authorized training which I personally support and attend and suggest you undertake if you are going for the BCMSN Certification.

References I want to remember:

Hucaby, D. (2007). CCNP Self-Study: CCNP BCMSN Official Exam Certification Guide, Fourth Ed, Multilayer Switching with CEF (pages. 296–299). Indianapolis: Cisco Press.

