|
0:00:12
|
In our next QoS section here, we're going to look at
|
|
0:00:15
|
how the classification works in the module of the quality of service
|
|
0:00:18
|
specifically on the command line and some of the differences
|
|
0:00:22
|
between the different IOS versions whether we're running
|
|
0:00:25
|
IOS that is before the hierarchical queuing framework or afterwards
|
|
0:00:31
|
where as I mentioned as of 12.4 20 T all of the ISRs
|
|
0:00:35
|
and all of the lower level platforms that don't do hardware based queuing
|
|
0:00:39
|
will be using the new hierarchical queuing framework.
|
|
0:00:44
|
Now specifically in my topology here Routers 4, 5 and 6 are
|
|
0:00:49
|
running 12.4 24 T advanced enterprise services so they will
|
|
0:00:53
|
have the new classification and QoS where routers 1, 2 and 3
|
|
0:00:58
|
are running 12.4 mainline so when we look at the options
|
|
0:01:03
|
under the class map and the options under the policy map
|
|
0:01:07
|
there are going to be some minor differences between them.
|
|
0:01:11
|
So in general, you'll see that the newer the IOS version and the
|
|
0:01:14
|
higher the platform the more options that it is going to
|
|
0:01:17
|
have for classification especially when we look at the network
|
|
0:01:21
|
based application recognition or Nbar feature.
|
|
0:01:27
|
Now as I mentioned, the MQC is always going to be
|
|
0:01:31
|
a three-step process which the first of is going to be
|
|
0:01:35
|
to define the class map.
|
|
0:01:39
|
Just like an access list or a route map
|
|
0:01:42
|
the class map's name is going to be case sensitive.
|
|
0:01:47
|
In general, I would recommend that you use all upper case
|
|
0:01:51
|
for the class map names and the policy map names
|
|
0:01:55
|
because then when you look at the configuration, you know
|
|
0:01:58
|
what is the difference between a keyword in the IOS versus
|
|
0:02:03
|
something that you manually defined.
|
|
0:02:07
|
So you saw previously any time I was using an access list
|
|
0:02:10
|
or a prefix list or a route map, I generally use all
|
|
0:02:13
|
upper case for that because all of the keywords in IOS
|
|
0:02:16
|
are all in lower case.
|
|
0:02:18
|
So simply when you look at the show run in config
|
|
0:02:21
|
it's going to give you a little bit more visibility as to something that
|
|
0:02:24
|
you manually changed versus something that is a default
|
|
0:02:28
|
option in the IOS.
|
|
0:02:34
|
So once we specify the class map keyword
|
|
0:02:36
|
we can either define its name or say whether we're doing a
|
|
0:02:39
|
logical And versus a logical Or match.
|
|
0:02:44
|
The different types of class maps we'll look at this later when
|
|
0:02:47
|
we get to the zone based policy firewall in QoS.
|
|
0:02:51
|
Mainly these are not going to be related directly to QoS.
|
|
0:02:56
|
So the class map type inspect that's going to be for the
|
|
0:02:59
|
firewall filtering where in our case we're using just the
|
|
0:03:02
|
regular class maps that are going to be for quality of service.
|
|
0:03:07
|
So I'll say class map XYZ
|
|
0:03:11
|
hit enter
|
|
0:03:12
|
if look at now the show run section class map
|
|
0:03:18
|
we can see that the default match is match all.
|
|
0:03:24
|
So now any time I have multiple match criterias
|
|
0:03:26
|
like match access group 1, match protocol OSPF
|
|
0:03:32
|
it means that all of the criteria has to be true
|
|
0:03:34
|
in order for the class to be true.
|
|
0:03:39
|
So there's some cases where a match all class doesn't make
|
|
0:03:42
|
any sense and it would be more appropriate to use
|
|
0:03:45
|
a match any.
|
|
0:03:47
|
So for example if I'm trying to match my control plane protocols
|
|
0:03:50
|
like OSPF, EIGRP, BGP, PIM version 2
|
|
0:03:56
|
it doesn't make sense that if packet would be both
|
|
0:03:58
|
BGP and OSPF at the same time
|
|
0:04:01
|
so in that case we would want to say match any
|
|
0:04:05
|
not match all.
|
|
0:04:08
|
But if we're doing just one classification, then it's not
|
|
0:04:10
|
really going to matter which one we're using whether it's
|
|
0:04:13
|
match all or match any.
|
|
0:04:18
|
So once we define the class's name, then mainly we're going to
|
|
0:04:22
|
say match. We could give it a description just like an access
|
|
0:04:25
|
list that's going to be just for our own purposes for documentation
|
|
0:04:30
|
but the vast majority of the work is going to be with the match keyword.
|
|
0:04:35
|
So first we can say match access group which would either be
|
|
0:04:38
|
a standard or extended access list
|
|
0:04:40
|
so anything that we can classify in an ACL
|
|
0:04:45
|
so things like the source address, destination address, the protocol
|
|
0:04:49
|
number whether it's TCP, UDP, OSPF, EIGRP, PIM
|
|
0:04:53
|
etc.
|
|
0:04:55
|
the protocol flags like the SYN packet versus the
|
|
0:04:59
|
acknowledgement or the reset in TCP
|
|
0:05:02
|
the UDP and TCP port numbers
|
|
0:05:05
|
and then also time ranges that can be tied to the
|
|
0:05:08
|
ACLs, then they could be used for the quality of service.
|
|
0:05:13
|
So you could theoretically do some sort of time based QoS
|
|
0:05:16
|
where during the day your voice is prioritized and then
|
|
0:05:19
|
after hours you have a different QoS policy that applies.
|
|
0:05:23
|
So essentially anything you can match in an access list
|
|
0:05:25
|
you can then apply it to the QoS.
|
|
0:05:30
|
Match any would be just an explicit match for
|
|
0:05:35
|
anything regardless of what the Layer 2 or Layer 3 protocol is.
|
|
0:05:39
|
Match class map is going to be for doing nested matches.
|
|
0:05:45
|
Class of service is the Layer 2 class of service again, either in
|
|
0:05:50
|
the dot1q or the ISL header.
|
|
0:05:54
|
So this is only going to be used for trunking encapsulations
|
|
0:05:57
|
this is not part of the normal Ethernet header.
|
|
0:06:03
|
Destination address this would be the Mac address.
|
|
0:06:07
|
Now a case that you may need to use this is that if you have
|
|
0:06:11
|
multiple Ethernet sub interfaces and you're trying
|
|
0:06:15
|
to classify traffic that is going out one sub interface versus
|
|
0:06:18
|
another, since the router does not assign different queues
|
|
0:06:24
|
to Ethernet sub interfaces, the way that you could classify
|
|
0:06:28
|
one link versus the other would be to match the destination Mac address.
|
|
0:06:34
|
So for example, let's say that we have Router 1
|
|
0:06:39
|
that has two sub interfaces.
|
|
0:06:45
|
It has Fast Ethernet 0/0.10
|
|
0:06:48
|
and Fast Ethernet 0/0.20
|
|
0:06:52
|
where the .10 interface is used to encapsulate VLAN 10 traffic
|
|
0:06:56
|
and the .20 is going to be for VLAN 20
|
|
0:07:02
|
but we know underneath that this is going to be one physical
|
|
0:07:04
|
link that is going out to a Layer 2 switch
|
|
0:07:07
|
where we have Fast Ethernet 0/0 that's really going to whatever our
|
|
0:07:12
|
Layer 2 device is.
|
|
0:07:16
|
So from a logical Layer 3 perspective
|
|
0:07:18
|
we may be going on VLAN 10 we may be going out to Router 2
|
|
0:07:23
|
on VLAN 20, we may be going out to Router 3
|
|
0:07:29
|
so if I want to classify traffic that is going just this direction to
|
|
0:07:32
|
Router 2 and not to Router 2
|
|
0:07:36
|
the problem is that generally the traffic is not going to the
|
|
0:07:40
|
Router itself, it is going past the router to some final destination
|
|
0:07:46
|
where the Layer 3 routing device they're used just to transit
|
|
0:07:49
|
they're not the actual destination of the packet.
|
|
0:07:51
|
So if I were to match an access list and say match the IP address of Router 2
|
|
0:07:58
|
that's not going to give me the correct classification I want
|
|
0:08:01
|
because it's unlikely that the packets are actually going to Router 2
|
|
0:08:05
|
maybe they're going to some web server or some FTP server
|
|
0:08:10
|
that I don't want to have to account for every single possible
|
|
0:08:13
|
Layer 3 destination.
|
|
0:08:18
|
Now one thing that is common about packets going out the
|
|
0:08:21
|
VLAN 10 interface versus the VLAN 20
|
|
0:08:25
|
is that if they're going to Router 2, they're always
|
|
0:08:28
|
going to go to the Layer 2 destination of Router 2
|
|
0:08:34
|
So if Router 2 has a Mac address AAA versus
|
|
0:08:37
|
Router 3's Mac address BBB
|
|
0:08:40
|
we can match this on the class map, then even though
|
|
0:08:43
|
we're applying the actual policy to the main Ethernet interface
|
|
0:08:48
|
technically it would classify traffic going out one sub
|
|
0:08:51
|
interface versus another. Now another useful application of
|
|
0:08:56
|
this if the traffic was coming from a particular source Mac address
|
|
0:09:01
|
we could say match source address that would be in the reverse direction
|
|
0:09:07
|
this is also useful on the LAN if we have a server that
|
|
0:09:11
|
maybe has multiple IP addresses assigned to it
|
|
0:09:15
|
but it has the same Layer 2 address
|
|
0:09:17
|
let's say like it's used for shared web hosting
|
|
0:09:20
|
then we could say as traffic is going to the web server, classify the traffic
|
|
0:09:24
|
based on the Mac address as opposed to Layer 3
|
|
0:09:27
|
then it's going to cache all traffic flows going to them
|
|
0:09:30
|
as opposed to classifying them based on the individual
|
|
0:09:33
|
Layer 3 addresses.
|
|
0:09:35
|
Next we have the DSCP and the IP precedence values
|
|
0:09:40
|
which as I mentioned you do not have to memorize what these are.
|
|
0:09:43
|
If we say match dscp or match ip dscp
|
|
0:09:50
|
we can see what the defaults are for the assured forwarding
|
|
0:09:53
|
versus the class selector, then default which is zero
|
|
0:09:58
|
and then expedited forwarding which is decimal 46
|
|
0:10:06
|
so generally, EF is going to be for your voice or video traffic
|
|
0:10:12
|
where the other type of traffic flows like your voice signaling
|
|
0:10:14
|
or your web traffic or FTP traffic those are going to get
|
|
0:10:18
|
in assured forwarding
|
|
0:10:20
|
where again, AF 4
|
|
0:10:24
|
is going to be higher than AF 1, so 41, 42 and 43
|
|
0:10:30
|
those are better than 11, 12 and 13
|
|
0:10:35
|
but for the drop precedence, a lower value is better.
|
|
0:10:41
|
So out of these different values, actually AF 41 is the best
|
|
0:10:45
|
followed by AF 42 followed by AF 43
|
|
0:10:49
|
We can also see that the class selector values CS 1
|
|
0:10:53
|
through CS 7 these are overlapping with the
|
|
0:10:56
|
IP precedences and we can see this in binary that
|
|
0:11:00
|
001, 010, 011
|
|
0:11:06
|
since these are relating to the precedence
|
|
0:11:08
|
this is telling us just based on this output that precedence
|
|
0:11:11
|
is the top three most significant bits
|
|
0:11:16
|
where DSCP is the six most significant bits.
|
|
0:11:22
|
So when we actually look at the type of service value
|
|
0:11:25
|
there are an additional two bits after that because the TOS
|
|
0:11:29
|
is one byte where precedence is only three bits and DSCP
|
|
0:11:34
|
is only six bits.
|
|
0:11:39
|
Now the reason that you may want to know this is that if
|
|
0:11:42
|
you are setting or matching the type of service bit
|
|
0:11:46
|
in things like an extended ping or trace route
|
|
0:11:50
|
or you could specify when the router generates telnet
|
|
0:11:54
|
packets what is the type of service that it uses to
|
|
0:11:58
|
generate this so we'll see there's different types of
|
|
0:12:01
|
applications that we can use on the router itself
|
|
0:12:04
|
to make sure that our QoS policies are working properly.
|
|
0:12:09
|
So if I were using DSCP EF to classify some traffic
|
|
0:12:13
|
and I want to make sure the service policy is actually getting
|
|
0:12:15
|
hits, one thing I could do on Router 4 would be to
|
|
0:12:19
|
say the IP telnet type of service has a value that
|
|
0:12:24
|
is equal to EF, but the key is that this 101110
|
|
0:12:31
|
this is not the full byte.
|
|
0:12:33
|
So it's actually going to have two trailing zeros after it
|
|
0:12:37
|
if I were then to say 10111000
|
|
0:12:42
|
this in hex is B8
|
|
0:12:47
|
so therefore if I said the IP telnet type of service is B8
|
|
0:12:52
|
this would means the router locally generates its telnet as
|
|
0:12:55
|
DSCP EF, so we'll see when we actually try to test these
|
|
0:12:59
|
flows the final verification is to look at the show policy
|
|
0:13:02
|
map interface and make sure that there are packets being
|
|
0:13:06
|
matched on the particular class.
|
|
0:13:10
|
Now the difference between saying match dscp and match precedence
|
|
0:13:14
|
versus match ip dscp or ip precedence
|
|
0:13:18
|
as you can see here it says match it in the IP version 4
|
|
0:13:21
|
and the IP version 6 packet where if we said to match
|
|
0:13:26
|
IP precedence, that's going to be just in version 4
|
|
0:13:31
|
Now again, we would be able to see this if we were
|
|
0:13:33
|
trying to apply some QoS to IP version 6 traffic
|
|
0:13:38
|
if we look at the show policy map interface and there's no
|
|
0:13:42
|
packets being hit on the counter for that particular class
|
|
0:13:45
|
then we know that it's not applied properly.
|
|
0:13:49
|
It could be that the classification is not right, it could be that the
|
|
0:13:52
|
policy is applied on the wrong interface, but regardless we
|
|
0:13:55
|
should see that the packet counter is going to go up.
|
|
0:13:57
|
Then we see we have Layer 2 markings we could say
|
|
0:14:00
|
match the MPLS experimental bits
|
|
0:14:03
|
again if we say class map XYZ
|
|
0:14:06
|
match mpls experimental
|
|
0:14:11
|
so those are going to be values 0 through 7
|
|
0:14:14
|
similar to the IP precedence.
|
|
0:14:18
|
We can match the frame relay discard eligibility which
|
|
0:14:21
|
is just going to be one bit so either it's on or off.
|
|
0:14:26
|
We can match the incoming frame relay dlci
|
|
0:14:29
|
so if we have a multipoint WAN interface
|
|
0:14:33
|
like in the case of Router 5 here
|
|
0:14:36
|
where it has multiple Layer 2 circuits that are going to Routers
|
|
0:14:40
|
4, 1, 3 and 2
|
|
0:14:43
|
I could say match the traffic that's coming in from Router 4
|
|
0:14:46
|
as opposed to coming in from Router 1
|
|
0:14:49
|
because I want to do the classification based on the
|
|
0:14:51
|
Layer 2 circuit number. The QoS group is going to be
|
|
0:14:55
|
a locally significant value that is generally
|
|
0:14:58
|
used for MPLS
|
|
0:15:00
|
as kind of a placeholder where we are moving packets
|
|
0:15:03
|
between interfaces and we'll talk a little bit about
|
|
0:15:05
|
that later how we could apply QoS onto MPLS
|
|
0:15:09
|
by using the MPLS experimental bits and the QoS group as kind of a placeholder.
|
|
0:15:17
|
Ok, then lastly we have the match protocol
|
|
0:15:19
|
which is going to be for the network based application recognition.
|
|
0:15:26
|
Now again, depending on the individual version that we have
|
|
0:15:29
|
generally the higher level platforms and the newer versions are going to
|
|
0:15:32
|
have more protocol support in Nbar.
|
|
0:15:38
|
You'll also see that some of these support more specific
|
|
0:15:42
|
inspections for the individual application for example
|
|
0:15:45
|
if I were to say match protocol http
|
|
0:15:48
|
that's going to say a couple different things.
|
|
0:15:51
|
It means that the traffic has to be TCP at port 80
|
|
0:15:55
|
but then it also has to have the correct protocol
|
|
0:15:58
|
formatting for actual http transfers.
|
|
0:16:02
|
So if I were just to telnet to port 80, that's not going to be
|
|
0:16:06
|
properly classified.
|
|
0:16:09
|
But then we could go into more detail and say maybe
|
|
0:16:12
|
I want to match the MIME type or some of the headers
|
|
0:16:15
|
inside the actual http application
|
|
0:16:18
|
to figure out where's the traffic going to like is it
|
|
0:16:22
|
going to www.cisco.com or the URL
|
|
0:16:27
|
to figure out after we match the host what's the subdirectory
|
|
0:16:31
|
structure that it's actually trying to query on the web server.
|
|
0:16:35
|
So most of this advanced type of matches you really don't
|
|
0:16:38
|
need to be an expert in this for the routing and
|
|
0:16:40
|
switching lab exam. What I would know though
|
|
0:16:43
|
is where to reference this in the documentation.
|
|
0:16:48
|
So if we were to go to the main documentation page
|
|
0:16:50
|
this would be under products
|
|
0:16:53
|
IOS
|
|
0:16:54
|
regular IOS
|
|
0:16:56
|
12.4, 12.4 T
|
|
0:17:01
|
configuration guides
|
|
0:17:06
|
QoS
|
|
0:17:10
|
then classification
|
|
0:17:11
|
classifying network traffic using Nbar.
|
|
0:17:15
|
So you can see some of the advanced matches like
|
|
0:17:18
|
classification of http traffic by the URL
|
|
0:17:21
|
you'll see some examples that they're doing in here
|
|
0:17:23
|
that within the scope of the lab exam, you pretty much could
|
|
0:17:27
|
copy and paste their examples and then just change it around
|
|
0:17:29
|
for whatever the particular question is asking
|
|
0:17:32
|
so towards the end there should be some
|
|
0:17:39
|
let's see, let's search for match protocol http
|
|
0:17:43
|
URL, so here's an example. It says /latest/whatsnew.html
|
|
0:17:52
|
but the key here is that this is different between matching the
|
|
0:17:55
|
host versus the URL, so the URL is going to be
|
|
0:17:58
|
anything after the DNS name so if I wanted to match
|
|
0:18:04
|
any traffic going to cisco.com I would say match protocol http host
|
|
0:18:09
|
www.cisco.com or *.cisco.com
|
|
0:18:14
|
which would match anything in the -- to the left of .cisco.com
|
|
0:18:20
|
so again, you can get pretty detailed as to the particular
|
|
0:18:24
|
classification you're doing, but in general I wouldn't expect that they
|
|
0:18:28
|
would want you to be an expert on that type of stuff.
|
|
0:18:32
|
Another feature that is useful here with the network based
|
|
0:18:35
|
application recognition is at the link level
|
|
0:18:39
|
if we say ip nbar protocol
|
|
0:18:45
|
ip nbar protocol discovery
|
|
0:18:48
|
this is used to keep statistics of what type of traffic
|
|
0:18:52
|
is entering and exiting the interface.
|
|
0:18:56
|
When you're initially trying to design your QoS policy
|
|
0:18:59
|
and you're trying to figure out what are the end users
|
|
0:19:01
|
actually sending into the network.
|
|
0:19:04
|
So in this particular case, this was applied on Router 4's
|
|
0:19:08
|
Fast Ethernet 0/0
|
|
0:19:10
|
which if we look at the topology this is the link that's going
|
|
0:19:13
|
to BB3
|
|
0:19:17
|
So now on Router 4 if we look at the show ip nbar
|
|
0:19:22
|
protocol discovery
|
|
0:19:27
|
it says that we are receiving RIP in on the interface and
|
|
0:19:31
|
we are sending RIP outbound, so this is going to sort this
|
|
0:19:34
|
by the protocol that has the most number of flows
|
|
0:19:39
|
or the most number of packets and bytes
|
|
0:19:41
|
then if there's a tie between them, it's going to sort them alphabetically.
|
|
0:19:46
|
So eventually if we run this for a while, we'll see that we're
|
|
0:19:48
|
running BGP with backbone 2 we're running RIP with backbone 2
|
|
0:19:53
|
If we were to apply this on the inbound interfaces
|
|
0:19:57
|
to the rest of the topology ip nbar protocol discovery
|
|
0:20:02
|
then we show ip nbar
|
|
0:20:06
|
protocol discovery let's say for interface Fast Ethernet 0/1
|
|
0:20:11
|
we see that we're running EIGRP on those interfaces
|
|
0:20:16
|
so it's not going to tell you specifically where the traffic
|
|
0:20:19
|
flow is going to, but it can be useful just when you're
|
|
0:20:22
|
trying to collect statistics to see what are the actual
|
|
0:20:25
|
end users sending into the network.
|
|
0:20:28
|
So then you would also know are they using the
|
|
0:20:31
|
the peer-to-peer file sharing applications like bit torrent
|
|
0:20:34
|
or some of the legacy ones like Kazaa version 2
|
|
0:20:38
|
or Fast Tracker Gnutella
|
|
0:20:42
|
can be a good way as opposed to doing NetFlow
|
|
0:20:45
|
where in NetFlow you would need your external collection station
|
|
0:20:48
|
to actually sort through the statistics where Nbar protocol
|
|
0:20:52
|
discovery is just going to be local on the router.
|
|
0:20:55
|
Another feature for Nbar in global config if we
|
|
0:20:58
|
look at the IP Nbar port map
|
|
0:21:02
|
this is how the router associates the match protocol
|
|
0:21:06
|
with a specific TCP or UDP port.
|
|
0:21:11
|
And additionally we can specify custom protocol matches
|
|
0:21:17
|
let's say for example that I have a question that says
|
|
0:21:19
|
I need to match UDP traffic with a port of 12345
|
|
0:21:24
|
but I don't want to use an access list.
|
|
0:21:28
|
What I could do instead is say ip nbar port map
|
|
0:21:34
|
for custom protocol number 1
|
|
0:21:37
|
this is going to be UDP port 12345
|
|
0:21:40
|
so now under class map when I say match protocol custom-01
|
|
0:21:45
|
it's going to classify based on that particular UDP port.
|
|
0:21:53
|
This can also be useful to figure out what are some of the default
|
|
0:21:56
|
TCP and UDP port numbers for the applications.
|
|
0:22:00
|
If we were to look at the show ip nbar port map
|
|
0:22:07
|
so we see what are the default for bit torrents
|
|
0:22:11
|
the bit torrent protocol or the bit torrent port numbers for TCP
|
|
0:22:17
|
then things like H323 so this is going to be for our voice signaling.
|
|
0:22:22
|
It says it uses both UDP and TCP
|
|
0:22:25
|
where commonly this is going to be TCP 1720
|
|
0:22:29
|
but really it depends on the individual implementation.
|
|
0:22:34
|
We see that http is port 80 which means it would not
|
|
0:22:38
|
match servers that are running on any non-standard ports.
|
|
0:22:43
|
So if I have a web server that's running on 80 and 8080
|
|
0:22:51
|
I could say ip nbar port map
|
|
0:22:54
|
for http
|
|
0:22:58
|
I want this to be TCP 80 and 8080
|
|
0:23:03
|
Now if we show ip nbar port map
|
|
0:23:08
|
it should be associated with both of those.
|
|
0:23:13
|
So depending on the individual protocol match that you're doing
|
|
0:23:17
|
sometimes it's looking at just the Layer 3 information
|
|
0:23:22
|
like if I say match protocol EIGRP
|
|
0:23:25
|
it's simply looking for IP protocol number 88
|
|
0:23:29
|
but if I say match protocol http
|
|
0:23:32
|
it's looking for TCP port 80, but then also the actual application format.
|
|
0:23:39
|
And we'll see the difference between this when we actually go to
|
|
0:23:42
|
test the classification. If we were to do a telnet at port 80
|
|
0:23:47
|
that's not necessarily going to match the match protocol http
|
|
0:23:51
|
but if we do an actual web transfer like we download an
|
|
0:23:54
|
IOS file over http, then we should see that getting classified
|
|
0:24:00
|
in the different policies, so let's take a look at an
|
|
0:24:02
|
example of this and if we were to go down to
|
|
0:24:07
|
Router 5
|
|
0:24:08
|
I'm going to classify traffic as it goes out Fast Ethernet 0/0
|
|
0:24:13
|
towards the link to Switch 2
|
|
0:24:17
|
So on Switch 2 I'm going to run the web service
|
|
0:24:22
|
we'll say IP HTTP server
|
|
0:24:26
|
then from someone behind Router 5 let's say on Router 4
|
|
0:24:30
|
I'm going to tell it to download Switch 2's IOS image over the
|
|
0:24:35
|
HTTP interface.
|
|
0:24:37
|
So on Router 5 let's go to global config we'll say
|
|
0:24:42
|
class map HTTP
|
|
0:24:45
|
is match protocol http
|
|
0:24:51
|
so again, this is going to be our first step, we defined the class map.
|
|
0:24:55
|
Next step is to define the policy map.
|
|
0:25:00
|
Now you'll see sometimes the IOS is going to hang when you say
|
|
0:25:03
|
match protocol. This just means that it is initializing the Nbar process.
|
|
0:25:11
|
So next we define the policy map.
|
|
0:25:15
|
Just like the class map this is going to be case sensitive.
|
|
0:25:17
|
The different types are going to be for other implementations like
|
|
0:25:20
|
the zone based policy firewall.
|
|
0:25:25
|
I'll say this policy map is to Switch 2
|
|
0:25:32
|
From here we're either going to give it a description just for
|
|
0:25:34
|
documentation purposes or reference the previously defined classes.
|
|
0:25:41
|
Now we can see there is going to be class-default
|
|
0:25:44
|
for all of the policies which is going to be a catchall for
|
|
0:25:47
|
anything I do not manually define.
|
|
0:25:50
|
So in this case, the only thing that I'm defining
|
|
0:25:52
|
is the class map http
|
|
0:25:57
|
Now at this point I'm not actually going to do any
|
|
0:25:59
|
QoS mechanisms. I'll wait until we talk about what are the
|
|
0:26:02
|
differences that we can do, things like the bandwidth
|
|
0:26:06
|
reservation versus low latency queuing versus policing and
|
|
0:26:10
|
shaping. We'll see that some versions also support NetFlow
|
|
0:26:15
|
sampling which allows you to do class based sampling
|
|
0:26:20
|
as opposed to just at the interface level.
|
|
0:26:26
|
So here I'm just going to leave this blank.
|
|
0:26:28
|
Essentially it means that we're using this just to
|
|
0:26:30
|
classify traffic, but we're not actually doing anything to it.
|
|
0:26:35
|
So it's going to use a default first in first out queue.
|
|
0:26:42
|
Then lastly at the interface level which in this case is
|
|
0:26:46
|
Fast Ethernet 0/0
|
|
0:26:49
|
we'll say service policy output
|
|
0:26:53
|
is TO_Switch 2
|
|
0:26:56
|
Now you'll see if you type the name in wrong
|
|
0:26:59
|
it does know which ones were or were not created
|
|
0:27:04
|
so there's no way you could actually accidentally apply a
|
|
0:27:07
|
policy that you didn't actually define.
|
|
0:27:09
|
So now on Router 5 let's look at the show policy map
|
|
0:27:13
|
interface where just the show policy map on its own
|
|
0:27:17
|
is going to show us just the configuration of the policy.
|
|
0:27:20
|
A lot of the times this isn't really going to give us any information
|
|
0:27:23
|
that's useful, so mainly we're going to look at show policy map interface.
|
|
0:27:31
|
So it says on Fast Ethernet 0/0 I have the policy that is named
|
|
0:27:35
|
TO_Switch 2 this is applied as an output policy.
|
|
0:27:41
|
Now we'll see when we get into the actual queuing mechanisms
|
|
0:27:44
|
there are some that can be applied only as output features
|
|
0:27:48
|
and not as input because there's a difference between
|
|
0:27:53
|
admission control versus queuing.
|
|
0:27:56
|
Where generally the term queuing is referring to output only features
|
|
0:28:02
|
like the low latency queuing or the bandwidth reservation or
|
|
0:28:06
|
random early detection where inbound features
|
|
0:28:10
|
would only be classification like the match command or the
|
|
0:28:14
|
set command or policing.
|
|
0:28:21
|
So we'll see within the scope of the lab exam part of the question
|
|
0:28:25
|
interpretation would be to figure out what is the direction that
|
|
0:28:28
|
we want to apply the policy in whether it's out the interface
|
|
0:28:32
|
or in on the interface that's going to give us some information
|
|
0:28:35
|
as to what particular QoS mechanism we can use.
|
|
0:28:38
|
So if the policy is going to be applied inbound, it would imply that
|
|
0:28:43
|
we cannot do shaping or we could not do a bandwidth reservation.
|
|
0:28:48
|
So what I want to know now is based on this show policy map
|
|
0:28:51
|
interface output, can I actually get packet hits on this counter
|
|
0:28:56
|
to see if the match protocol http is actually working?
|
|
0:28:59
|
Now we can see that packets are being matched by the
|
|
0:29:03
|
class-default which is everything else
|
|
0:29:06
|
so if I were to go to Router 4 and let's say I ping Switch 2's address
|
|
0:29:12
|
which its loopback is 150.28.8.8
|
|
0:29:19
|
and I'll set this to a high repeat count with a timeout of zero.
|
|
0:29:25
|
We should see on Router 5's output for class default
|
|
0:29:29
|
that there's a bunch of packets that are matching
|
|
0:29:35
|
class default.
|
|
0:29:36
|
So this is where everything else is being left over.
|
|
0:29:46
|
Now next step I'm going to go to Switch 2
|
|
0:29:48
|
and turn the web service on, so simply ip http server
|
|
0:29:55
|
Additionally I'm going to set the http path
|
|
0:29:58
|
to be the base file system on flash
|
|
0:30:04
|
and the reason I'm going to do this is now I can
|
|
0:30:08
|
tell Router 4 to download this particular image
|
|
0:30:14
|
so we can use the actual web transfer in order to test the QoS
|
|
0:30:18
|
policy that we're defining.
|
|
0:30:22
|
Now in order to do that, I need to make sure that the
|
|
0:30:24
|
person doing the transfer is at privilege level 15
|
|
0:30:27
|
the actual user
|
|
0:30:29
|
because the web interface you have to have enable mode
|
|
0:30:32
|
access in order to get to it.
|
|
0:30:36
|
So I'm going to specify just a user name we'll say
|
|
0:30:39
|
user name cisco password cisco
|
|
0:30:43
|
and user name cisco has a privilege level by default
|
|
0:30:46
|
of 15
|
|
0:30:52
|
so now from Router 4
|
|
0:30:55
|
we should be able to telnet to this address
|
|
0:30:59
|
the loopback of Switch 2
|
|
0:31:05
|
but connect to it at port 80
|
|
0:31:09
|
so we can see the connection is open. I type some garbage
|
|
0:31:14
|
characters in there and I get the http error code back in.
|
|
0:31:18
|
so return call 400 means that there's something that's wrong with
|
|
0:31:20
|
the formatting.
|
|
0:31:22
|
So if I knew the actual raw syntax for http
|
|
0:31:26
|
you would be able to type that in and actually download the
|
|
0:31:28
|
web pages or get a file or post a file,
|
|
0:31:33
|
but now if we look on Router 5 and look at the show policy map interface
|
|
0:31:39
|
we can see that there are no matches for the web
|
|
0:31:42
|
traffic going out the interface.
|
|
0:31:48
|
So what this is showing us is that the router's not
|
|
0:31:50
|
only classifying based on just the Layer 3 and Layer 4 header
|
|
0:31:55
|
because the packet was IP and it was TCP port 80
|
|
0:32:00
|
but it still didn't match the classifier.
|
|
0:32:02
|
So it means it's actually looking into the application level
|
|
0:32:06
|
to figure out are you actually using the syntax that is
|
|
0:32:09
|
specific to the Http protocol.
|
|
0:32:15
|
Now the way that I can further verify this would be to
|
|
0:32:18
|
take the IOS image from Switch 2
|
|
0:32:21
|
and on Router 4 tell it to copy this from http
|
|
0:32:28
|
so we have the user cisco password cisco
|
|
0:32:31
|
at the address 150.28.8.8
|
|
0:32:38
|
this file name and I'm just going to copy it to null.
|
|
0:32:41
|
So I'm going to download the file, then I'm not going to actually
|
|
0:32:44
|
save it anywhere.
|
|
0:32:47
|
Now we'll see in this case the actual transfer is going to be
|
|
0:32:49
|
really really slow because the link that Router 4 is
|
|
0:32:52
|
using to get there is basically this 64 k link that's
|
|
0:32:57
|
going over to Router 5
|
|
0:32:59
|
so if there was a LAN interface between them, then we see the
|
|
0:33:02
|
transfer would be faster, but that's not really
|
|
0:33:05
|
what we care about.
|
|
0:33:06
|
What I do want to see is when I go to Router 5 and look
|
|
0:33:09
|
at the show policy map interface, we see now packets are being
|
|
0:33:13
|
matched by the http policy.
|
|
0:33:19
|
So this technique you'll see it's used a lot in the
|
|
0:33:21
|
Volume 1 workbook. It's one way that you can
|
|
0:33:24
|
get the router to generate traffic locally
|
|
0:33:27
|
to figure out are your different policies actually working.
|
|
0:33:33
|
So let's say that we had Router 5 configured
|
|
0:33:36
|
with weighted fair queuing out on the interface
|
|
0:33:41
|
if I were to do a transfer request from Router 4
|
|
0:33:44
|
to Switch 2, but then also from Router 1 to Switch 2
|
|
0:33:50
|
when I look at the resulting weighted fair queuing
|
|
0:33:53
|
for Router 1 and Router 4 I would see that their bandwidth
|
|
0:33:57
|
is going to be split equally along the interface.
|
|
0:34:00
|
And I can see this from the show policy map interface
|
|
0:34:03
|
on Router 5
|
|
0:34:10
|
or if we were to look at the actual throughput that Router 1
|
|
0:34:13
|
and Router 4 are getting like we could time the transfer and
|
|
0:34:16
|
then figure out how long did it actually take to get it
|
|
0:34:19
|
with the file size and then we can infer from that what was the
|
|
0:34:22
|
actual utilization of the link.
|
|
0:34:29
|
Now this level of verification this is not going to be required by
|
|
0:34:32
|
the lab exam. This is more just for your own purposes
|
|
0:34:36
|
if you have the routers to test the QoS, but you don't
|
|
0:34:39
|
have any actual end applications to do so, so ideally the best way to do
|
|
0:34:45
|
this would be if you had an actual web server and then
|
|
0:34:50
|
clients that you could send requests to
|
|
0:34:56
|
but we can see based on the router itself, you can tell it
|
|
0:34:59
|
to generate these different application fees.
|
|
0:35:02
|
Another way to do this would be with the
|
|
0:35:05
|
IP SLA feature. If I were to say ip sla 1
|
|
0:35:12
|
and I want to generate UDP echoes or UDP jitter
|
|
0:35:18
|
or Voice over IP which is also going to be for UDP.
|
|
0:35:24
|
We could send these into the low latency queue
|
|
0:35:27
|
and then measure what is the end to end delay
|
|
0:35:31
|
based on doing the prioritization or not doing the prioritization
|
|
0:35:34
|
or TCP connect that would be just to any random port number that we define
|
|
0:35:41
|
versus http this would be can I actually connect to the server
|
|
0:35:47
|
and then get a particular URL?
|
|
0:35:51
|
So if I have the router's web interface which generally should
|
|
0:35:56
|
have either index.htm or index.html
|
|
0:36:01
|
I could configure it to get that and then see if packets
|
|
0:36:04
|
are matched on the classifier.
|
|
0:36:07
|
There's a question here, "What's the difference between the UDP
|
|
0:36:10
|
echo and the ICMP echo?"
|
|
0:36:13
|
They're basically the same thing except one is using
|
|
0:36:17
|
ICMP as the Layer 3 protocol, one is using UDP.
|
|
0:36:21
|
Now this is actually part of the service udp small servers
|
|
0:36:30
|
where one of these services is the UDP echo
|
|
0:36:36
|
which I believe is called
|
|
0:36:43
|
let's see I'm not sure if it's called echo actually
|
|
0:36:50
|
and this would be documented under...
|
|
0:36:57
|
I want to say this is IP services so actually let's look at the command
|
|
0:37:00
|
reference. We are going to talk about this feature when we get into
|
|
0:37:04
|
the IP services later this week, but let's go to IP -- let's see if this is
|
|
0:37:11
|
under application services. It's either under addressing or application services.
|
|
0:37:19
|
This is under service
|
|
0:37:24
|
ok, so it's not in application let's see if it's under addressing.
|
|
0:37:31
|
No, it's not under addressing. It may be then -- it could be network
|
|
0:37:35
|
management. Let me do this, let me just search for it.
|
|
0:37:38
|
Actually no, what I could do if this were the actual lab exam
|
|
0:37:42
|
and I'm looking for this command, but I don't know where it is
|
|
0:37:46
|
I could go to the master index and then work back from there.
|
|
0:37:48
|
So if I go to the main -- let me go back to the main documentation.
|
|
0:37:55
|
Products -> IOS-> Regular IOS->12.4-> 12.4 T
|
|
0:38:03
|
then to release and general information
|
|
0:38:07
|
master index for commands.
|
|
0:38:12
|
And then this is under the service command.
|
|
0:38:20
|
So there are TCP small servers
|
|
0:38:25
|
and UDP small servers, so this is under configuration fundamentals
|
|
0:38:29
|
which is CF.
|
|
0:38:32
|
Normally these are off by default, but if we look at the
|
|
0:38:39
|
documentation, it says, 'To enable UDP servers such as Echo...'
|
|
0:38:43
|
it says specifically that this enables discard which is port 9
|
|
0:38:48
|
Echo which is port 7 and the character generator which is
|
|
0:38:52
|
port 19
|
|
0:38:55
|
so there's an actual protocol that is UDP echo
|
|
0:38:58
|
that you just send a character out and then you get the character as
|
|
0:39:02
|
returned back into you.
|
|
0:39:04
|
So it's essentially doing the exact same thing as ICMP echo and
|
|
0:39:08
|
echo reply. It's just using a different Layer 4
|
|
0:39:13
|
protocol number.
|
|
0:39:15
|
So instead of using ICMP, you're using UDP
|
|
0:39:19
|
but the router itself can be set to generate these with the
|
|
0:39:23
|
IP SLA and the reason why is that the router is going to
|
|
0:39:28
|
queue the UDP traffic differently than the ICMP.
|
|
0:39:34
|
So if I'm trying to figure out what is my end to end delay
|
|
0:39:37
|
for voice, voice is usually going to be UDP traffic
|
|
0:39:42
|
that is using the real time protocol header
|
|
0:39:45
|
that is somewhere in the port range that is 16384
|
|
0:39:51
|
to 32767 and I'll come back to this and talk about this when
|
|
0:39:55
|
we get to low latency queuing, but it's going to use a really big
|
|
0:39:59
|
port range, but the key is since it's UDP traffic
|
|
0:40:03
|
when the router's queue is classifying it, it's going to treat it
|
|
0:40:06
|
differently than ICMP.
|
|
0:40:08
|
So if I want to measure what is my delay for voice
|
|
0:40:12
|
I'm not going to get a good measurement if I look at the
|
|
0:40:14
|
ICMP measurement versus the UDP measurement.
|
|
0:40:18
|
So again, the key point being here with the module of the quality
|
|
0:40:21
|
of service is that the syntax is going to be the same between
|
|
0:40:25
|
all the platforms whether they're the router's IOS
|
|
0:40:28
|
or the Catalyst IOS and we have all these different
|
|
0:40:32
|
types of classification so we can match access lists
|
|
0:40:35
|
the Layer 2 or Layer 3 markings like the frame relay
|
|
0:40:38
|
discard eligibility, the Layer 2 class of service, IP precedence,
|
|
0:40:43
|
IP DSCP and then NBAR for the network based application recognition.
|
|
0:40:49
|
Additionally if we were to look at this on the Catalyst IOS
|
|
0:40:53
|
so let's say we go to Switch 1 which is a 3560 that's running
|
|
0:40:59
|
12.2 46 advanced enterprise services.
|
|
0:41:03
|
If I were to say class map X
|
|
0:41:06
|
match
|
|
0:41:09
|
you see there's much less available in the Catalyst IOS
|
|
0:41:12
|
versus the routers.
|
|
0:41:15
|
If I say match protocol, it's not really doing
|
|
0:41:18
|
Nbar, it's more just looking at the Layer 3 protocol
|
|
0:41:23
|
number which is encoded in the Layer 2 header as the
|
|
0:41:27
|
Ether type.
|
|
0:41:28
|
So I can tell the difference between IP or IPv6
|
|
0:41:32
|
but I can't say match protocol bit torrent or match protocol
|
|
0:41:37
|
EIGRP. We'll also see inside of the policy maps the
|
|
0:41:42
|
Catalyst IOS has many fewer actions that we can actually apply
|
|
0:41:46
|
onto the classes of traffic
|
|
0:41:49
|
where the router has tons of different QoS that we can do
|
|
0:41:52
|
the bandwidth reservations, low latency queuing, fair queuing,
|
|
0:41:57
|
random early detection. There's not that many that we're going to have
|
|
0:42:00
|
available to us in the Catalyst IOS.
|
