4.7 Describe basic QoS concepts

4.7.a Marking

Marking is when a packet or frame is modified in the relevant QoS field.

  • For IP packets that is usually the outdated 3 bit IPP (IP Precedence) field or the 6 bit DSCP (Differentiated Services Code Point) field.
  • For Ethernet frames, only the 802.1Q header used on trunks has a 3 bit field, called the Class of Service (CoS) or Priority Code Point (PCP). Therefore Ethernet-based QoS marking can only be done over trunks.

Cisco and the RFCs recommend marking as close to the source of the packet as possible. Marking a packet can be CPU intensive, and too much packet marking can reduce device performance.

4.7.b Device trust

As any user can potentially mark packets, it is important to define a trust zone and a trust boundary. If the end user connects through a Cisco IP Phone, the trust boundary ends after the phone, as the phone marks voice packets with the AF code point and voice signaling packets with the IPP-compatible CS3 code point.
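As an added example (Python, not from the original notes), the marking operation itself: rewrite the DSCP field of an IPv4 header, recompute the header checksum, and read back the IP Precedence that a precedence-only device sees, which is what makes CS3 "IPP compatible". The packet bytes are constructed for the example.

```python
import struct

# Added example (not from the original notes): marking an IPv4 packet's DSCP
# field and deriving the IPP value that precedence-only devices read.

def dscp_value(name):
    """Translate a code point name (CS3, AF41, EF, DF) into its 6-bit value."""
    name = name.upper()
    if name in ("DF", "BE"):
        return 0
    if name == "EF":
        return 46
    if name.startswith("CS"):
        return int(name[2]) * 8          # class selector: IPP value in the top 3 bits
    if name.startswith("AF"):
        cls, drop = int(name[2]), int(name[3])
        return cls * 8 + drop * 2        # assured forwarding: class, then drop precedence
    raise ValueError(name)

def ipp_from_dscp(dscp):
    """IP Precedence is the top three bits of the DSCP, so CS3 reads as IPP 3."""
    return dscp >> 3

def ipv4_checksum(header):
    """RFC 791 header checksum; returns 0 when run over a header that already
    carries a correct checksum."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def mark_ipv4_dscp(packet, dscp):
    """Return a copy of the packet with its DSCP rewritten and checksum fixed."""
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    hdr[1] = (dscp << 2) | (hdr[1] & 0x03)   # keep the two ECN bits untouched
    hdr[10:12] = b"\x00\x00"                  # zero the checksum before recomputing
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]

def dscp_of(packet):
    return packet[1] >> 2

# Constructed sample: a bare 20-byte IPv4/UDP header, ToS 0, 10.0.0.1 -> 10.0.0.2.
SAMPLE = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                               bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])))
struct.pack_into("!H", SAMPLE, 10, ipv4_checksum(bytes(SAMPLE)))
SAMPLE = bytes(SAMPLE)

if __name__ == "__main__":
    marked = mark_ipv4_dscp(SAMPLE, dscp_value("CS3"))
    print("DSCP", dscp_of(marked), "-> IPP", ipp_from_dscp(dscp_of(marked)))
```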

4.7.c Prioritization

Due to the differences in the nature of traffic in a network, some traffic needs to be prioritized above other traffic to keep bandwidth, jitter, delay and loss within certain ranges.

When using congestion management queues, a Low Latency Queue (LLQ) is used to keep jitter and delay within the required parameters. This reduces the negative effect that round-robin scheduling has on jitter and delay, as the LLQ is serviced before the other queues.

4.7.c. [i] Voice

Cisco recommends the following for voice:

  • Delay (one way): 150ms or less
  • Jitter: 30ms or less
  • Loss: 1% or less

4.7.c. [ii] Video

Cisco recommends the following for video:

  • Bandwidth: 384Kbps to 20+ Mbps
  • Delay (one-way): 200 – 400 ms
  • Jitter: 30-50ms
  • Loss: 0.1% – 1%

4.7.c. [iii] Data

Data has much less stringent requirements for bandwidth, jitter, delay and loss. However, business-critical applications can be assigned a minimum bandwidth using a queue.

4.7.d Shaping

A traffic shaper slows traffic down by queuing it and then re-transmitting it at a reduced rate. Shapers are useful when the speed of the interface is faster than the CIR bandwidth supplied by an ISP or carrier.

Keep in mind that shaping can increase jitter, because the interface only transmits for part of each interval. For example, if the shaping bandwidth is 200 Mbps and the interface speed is 1 Gbps, the interface will transmit for 200ms and be idle for 800ms, giving a jitter of up to 800ms.

To reduce this, the shaper needs to be configured with a smaller Tc (time interval). The recommended Tc for voice and video is 10ms.

4.7.e Policing

Traffic policing measures traffic over a period of time and takes the average; if the traffic exceeds the policing rate it is marked or discarded.

Marked traffic may be forwarded if the service provider is not experiencing congestion, or dropped if it is.

As the traffic measured is an average, bursts in traffic are allowed.
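An added example (Python, not part of the original notes) that works through the shaping interval arithmetic above and simulates a single-rate token-bucket policer on a constructed packet trace, showing how a policer that measures an average still admits a burst of Bc bytes. The CIR, Bc and arrival times are constructed values.

```python
# Added example (not from the original notes): the shaper interval arithmetic
# from the section above, plus a single-rate token-bucket policer showing why
# an averaged rate still lets bursts through.

def shaper_interval(cir_bps, access_rate_bps, tc_s):
    """Return (bc_bits, transmit_ms, idle_ms) for one shaping interval Tc.

    Bc = CIR * Tc bits are clocked out at the physical access rate, after
    which the interface stays quiet until the next interval starts.
    """
    bc_bits = cir_bps * tc_s
    transmit_s = bc_bits / access_rate_bps
    return bc_bits, transmit_s * 1000, (tc_s - transmit_s) * 1000

class TokenBucketPolicer:
    """Single-rate, single-bucket policer: a packet conforms when enough
    tokens (bytes) have accumulated, otherwise it exceeds and gets marked
    or dropped. The bucket depth Bc is the burst the average allows."""

    def __init__(self, cir_bps, bc_bytes):
        self.rate = cir_bps / 8.0      # tokens (bytes) added per second
        self.bc = bc_bytes             # bucket depth: the permitted burst
        self.tokens = float(bc_bytes)  # bucket starts full
        self.last = 0.0

    def police(self, t, size):
        # Refill in proportion to elapsed time, never beyond the bucket depth.
        self.tokens = min(self.bc, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if size <= self.tokens:
            self.tokens -= size
            return "conform"
        return "exceed"

# Constructed arrival trace: (time in seconds, packet size in bytes). Five
# back-to-back packets, then two spaced out.
TRACE = [(0.000, 1500), (0.001, 1500), (0.002, 1500), (0.003, 1500),
         (0.004, 1500), (0.500, 1500), (1.000, 1500)]

def police_trace(cir_bps=64_000, bc_bytes=6000, trace=TRACE):
    """Classify every packet in the trace: the first four fit in the burst,
    the fifth exceeds, the later ones conform again once tokens refill."""
    policer = TokenBucketPolicer(cir_bps, bc_bytes)
    return [policer.police(t, size) for t, size in trace]

if __name__ == "__main__":
    for tc in (1.0, 0.010):   # a 1 s interval versus the 10 ms Tc recommended above
        print("Tc=%gs" % tc, shaper_interval(200e6, 1e9, tc))
    print(police_trace())
```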

4.7.f Congestion management

Congestion management handles traffic that exceeds the line rate of the interface: this traffic is placed into queues and sent when the interface is not busy. Queuing systems may use a single FIFO (First In, First Out) queue or multiple queues that utilize an LLQ.

Class-Based Weighted Fair Queuing allows the allocation of a minimum amount of bandwidth to each class and is a popular choice on routers.

4.6 Configure and verify single-homed branch connectivity using eBGP IPv4 (limited to peering and route advertisement using Network command only)


To configure eBGP:

hostname ENT1

!
interface Ethernet0/0
 ip address 1.0.0.1 255.0.0.0
!
interface Ethernet0/1
 ip address 172.16.0.1 255.255.255.0
!
interface Ethernet0/2
 ip address 192.168.0.1 255.255.255.0
!
router bgp 2000
 bgp log-neighbor-changes
 network 172.16.0.0 mask 255.255.255.0
 network 192.168.0.0
 neighbor 1.9.9.9 remote-as 1
!

On ISP:

hostname ISP
!
interface Ethernet0/0
 ip address 1.9.9.9 255.0.0.0
!
router bgp 1
 bgp log-neighbor-changes
 neighbor 1.0.0.1 remote-as 2000
!


To verify:

ISP#show ip route 192.168.0.0 255.255.255.0 longer-prefixes 
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
 D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
 N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
 E1 - OSPF external type 1, E2 - OSPF external type 2
 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
 ia - IS-IS inter area, * - candidate default, U - per-user static route
 o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
 a - application route
 + - replicated route, % - next hop override

Gateway of last resort is not set

B 192.168.0.0/24 [20/0] via 1.0.0.1, 00:06:53
ISP#show ip bgp 
BGP table version is 3, local router ID is 1.9.9.9
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
 r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
 x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

Network Next Hop Metric LocPrf Weight Path
 *> 172.16.0.0/24 1.0.0.1 0 0 2000 i
 *> 192.168.0.0 1.0.0.1 0 0 2000 i


ENT1#show ip route 192.168.0.0 255.255.255.0 longer-prefixes 
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
 D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
 N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
 E1 - OSPF external type 1, E2 - OSPF external type 2
 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
 ia - IS-IS inter area, * - candidate default, U - per-user static route
 o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
 a - application route
 + - replicated route, % - next hop override

Gateway of last resort is not set

192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.0.0/24 is directly connected, Ethernet0/2
L 192.168.0.1/32 is directly connected, Ethernet0/2
ENT1#show ip bgp
BGP table version is 3, local router ID is 192.168.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
 r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
 x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

Network Next Hop Metric LocPrf Weight Path
 *> 172.16.0.0/24 0.0.0.0 0 32768 i
 *> 192.168.0.0 0.0.0.0 0 32768 i

4.5 Describe WAN access connectivity options

4.5.a MPLS

I couldn’t find a concise definition from the text books:

Multiprotocol Label Switching (MPLS) is a type of data-carrying technique for high-performance telecommunications networks. MPLS directs data from one network node to the next based on short path labels rather than long network addresses, avoiding complex lookups in a routing table. The labels identify virtual links (paths) between distant nodes rather than endpoints. MPLS can encapsulate packets of various network protocols, hence its name “multiprotocol”. MPLS supports a range of access technologies, including T1/E1, ATM, Frame Relay, and DSL. -Wikipedia.org

4.5.b Metro Ethernet

Metro Ethernet is a layer 2 service that acts like Ethernet links between businesses. There are many Metro Ethernet configuration options:

  • Ethernet Line Service (point-to-point): two customer premises equipment (CPE) devices can exchange Ethernet frames, similar to a leased line.
  • Ethernet LAN Service (full mesh): acts like a LAN, in that all devices can send frames to each other.
  • Ethernet Tree Service (hub-and-spoke): a central site can communicate with all nodes, but individual nodes cannot communicate directly with each other.

4.5.c Broadband PPPoE

Broadband Ethernet, like Australia’s NBN fibre to the node, provides a high-speed internet connection using Ethernet technologies.

4.5.d Internet VPN (DMVPN, site-to-site VPN, client VPN)

VPNs allow for secure traffic over insecure lines (such as the internet). VPNs have the following security features:

  1. Confidentiality – All data is encrypted and cannot be read if intercepted
  2. Authentication – There is a guarantee that the client/server on the other end isn’t a hijacker or impostor
  3. Data integrity – All data sent is encrypted and is therefore verified to be uncorrupted and untampered with

VPNs also protect against the data playback (replay) vulnerability, stopping someone from capturing authentication data and replaying it.

Site-to-site VPNs can be constructed with GRE tunnels and IPsec.

Multi-site or multi-client VPNs can use Cisco’s Dynamic Multipoint VPN (DMVPN), which allows sites to communicate with each other and with the hub, creating a virtual LAN.

Note: Open Source protocols like OpenVPN can also be configured to do this. I currently use OpenVPN with OSPF (quagga) to route between my Digital Ocean droplet and my home’s LAN.

 

4.3 Configure, verify, and troubleshoot GRE tunnel connectivity


To configure a GRE tunnel (modify accordingly):

!
interface Tunnel0
 ip address 192.168.0.1 255.255.255.0
 tunnel source Ethernet0/0
 tunnel destination 1.0.0.2
!
interface Ethernet0/0
 ip address 1.0.0.1 255.255.255.0
!
router ospf 1
 network 192.168.0.0 0.0.0.255 area 0
!

To verify a GRE tunnel:

Router#show ip int bri
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 1.0.0.2 YES manual up up 
Ethernet0/1 unassigned YES unset administratively down down 
Ethernet0/2 unassigned YES unset administratively down down 
Ethernet0/3 unassigned YES unset administratively down down 
Serial1/0 unassigned YES unset administratively down down 
Serial1/1 unassigned YES unset administratively down down 
Serial1/2 unassigned YES unset administratively down down 
Serial1/3 unassigned YES unset administratively down down 
Tunnel0 192.168.0.2 YES manual up up 
Router#show int tunnel 0
Tunnel0 is up, line protocol is up 
 Hardware is Tunnel
 Internet address is 192.168.0.2/24
 MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec, 
 reliability 255/255, txload 1/255, rxload 1/255
 Encapsulation TUNNEL, loopback not set
 Keepalive not set
 Tunnel linestate evaluation up
 Tunnel source 1.0.0.2 (Ethernet0/0), destination 1.0.0.1
 Tunnel Subblocks:
 src-track:
 Tunnel0 source tracking subblock associated with Ethernet0/0
 Set of tunnels with source Ethernet0/0, 1 member (includes iterators), on interface 
 Tunnel protocol/transport GRE/IP
 Key disabled, sequencing disabled
 Checksumming of packets disabled
 Tunnel TTL 255, Fast tunneling enabled
 Tunnel transport MTU 1476 bytes
 Tunnel transmit bandwidth 8000 (kbps)
 Tunnel receive bandwidth 8000 (kbps)
 Last input 00:00:09, output 00:00:09, output hang never
 Last clearing of "show interface" counters 00:02:40
 Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
 Queueing strategy: fifo
 Output queue: 0/0 (size/max)
 5 minute input rate 0 bits/sec, 0 packets/sec
 5 minute output rate 0 bits/sec, 0 packets/sec
 13 packets input, 1296 bytes, 0 no buffer
 Received 0 broadcasts (0 IP multicasts)
 0 runts, 0 giants, 0 throttles 
 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
 16 packets output, 1636 bytes, 0 underruns
 0 output errors, 0 collisions, 0 interface resets
 0 unknown protocol drops
 0 output buffer failures, 0 output buffers swapped out
Router#show ip route 192.168.0.0
Routing entry for 192.168.0.0/24, 2 known subnets
 Attached (2 connections)
 Variably subnetted with 2 masks
C 192.168.0.0/24 is directly connected, Tunnel0
L 192.168.0.2/32 is directly connected, Tunnel0
Router#show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
192.168.0.1 0 FULL/ - 00:00:31 192.168.0.1 Tunnel0

 

4.2 Configure, verify, and troubleshoot PPPoE client-side interfaces using local authentication

PPPoE constructs a virtual dialer interface to create a PPPoE session. This is similar to PPP over serial, except that the PPP frames are encapsulated in Ethernet frames.

When diagnosing problems with PPPoE, keep in mind that the dialer interface and the physical interface are configured separately.

See Chapter 15 in the CCNA R&S 200-105 Official Cert guide.

To configure PPPoE on the client:

!
interface Ethernet0/0
 mac-address 0200.0000.0011
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Dialer2
 mtu 1492
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 ppp chap hostname clinetworking
 ppp chap password 0 cisco
!
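Added example (Python, not from the notes or from Cisco): the encapsulation arithmetic behind "Tunnel transport MTU 1476 bytes" in the GRE show output above and "mtu 1492" on the PPPoE dialer, plus the TCP MSS that fits each and the fragmentation a full-size packet suffers when the tunnel MTU is ignored. Header sizes are the standard RFC values; the stacked GRE-over-PPPoE case is an assumption added here, not a topology from the notes.

```python
# Added example (not from the original notes): where the MTU values in the
# show output and configuration above come from. Header sizes are the
# standard ones: IPv4 20 bytes, GRE 4 bytes plus 4 per optional field,
# PPPoE 6 bytes, PPP protocol field 2 bytes, IPv4 + TCP headers 40 bytes.

IPV4_HDR = 20
GRE_BASE_HDR = 4
PPPOE_HDR = 6
PPP_PROTO = 2
IPV4_TCP_HDRS = 40

def gre_tunnel_mtu(transport_mtu=1500, checksum=False, key=False, sequence=False):
    """Payload MTU of a GRE/IP tunnel. With every option off this is 1476,
    matching 'Tunnel transport MTU 1476 bytes' in the show output."""
    gre = GRE_BASE_HDR + 4 * (checksum + key + sequence)  # each option adds one 32-bit word
    return transport_mtu - IPV4_HDR - gre

def pppoe_mtu(ethernet_mtu=1500):
    """MTU of the dialer interface: the PPPoE header and PPP protocol field
    must fit inside the 1500-byte Ethernet payload, leaving 1492 for IP."""
    return ethernet_mtu - PPPOE_HDR - PPP_PROTO

def tcp_mss_for(mtu):
    """Largest TCP segment that fits without fragmentation (no IP/TCP options)."""
    return mtu - IPV4_TCP_HDRS

def gre_over_pppoe_mtu(ethernet_mtu=1500):
    """Assumed stacked case: a GRE tunnel whose source is a PPPoE dialer."""
    return gre_tunnel_mtu(pppoe_mtu(ethernet_mtu))

def fragments_needed(packet_bytes, mtu):
    """IPv4 fragments an oversized, DF-clear packet turns into on a link with
    this MTU; each fragment carries a header plus a multiple of 8 data bytes."""
    if packet_bytes <= mtu:
        return 1
    payload_per_frag = (mtu - IPV4_HDR) // 8 * 8
    data = packet_bytes - IPV4_HDR
    return -(-data // payload_per_frag)   # ceiling division

if __name__ == "__main__":
    print("GRE tunnel MTU:", gre_tunnel_mtu(), "PPPoE dialer MTU:", pppoe_mtu())
    print("MSS behind PPPoE:", tcp_mss_for(pppoe_mtu()))
    print("1500-byte packet into a 1476-byte tunnel ->",
          fragments_needed(1500, gre_tunnel_mtu()), "fragments")
```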

To configure a server (for lab work):

username clinetworking password 0 cisco
!
bba-group pppoe WOGroup
 virtual-template 1
!
interface Ethernet0/0
 mac-address 0200.0000.0022
 no ip address
 pppoe enable group WOGroup
!
interface Virtual-Template1
 ip address 10.1.3.1 255.255.255.0
 peer default ip address pool WOPool
 ppp authentication chap callin
!
ip local pool WOPool 10.1.3.2 10.1.3.254
ip forward-protocol nd
!

 

To troubleshoot PPPoE use the following commands:

Router#show pppoe session 
 1 client session

Uniq ID PPPoE RemMAC Port VT VA StateSID LocMAC VA-st Type
 N/A 2 0200.0000.0022 Et0/0 Di2 Vi2 UP 
 0200.0000.0011 UP 
Router#show int dial
Router#show int dialer 2
Dialer2 is up, line protocol is up (spoofing)
 Hardware is Unknown
 Internet address is 10.1.3.3/32
 MTU 1492 bytes, BW 56 Kbit/sec, DLY 20000 usec, 
 reliability 255/255, txload 1/255, rxload 1/255
 Encapsulation PPP, LCP Closed, loopback not set
 Keepalive set (10 sec)
 DTR is pulsed for 1 seconds on reset
 Interface is bound to Vi2
 Last input never, output never, output hang never
 Last clearing of "show interface" counters 00:19:52
 Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
 Queueing strategy: fifo
 Output queue: 0/40 (size/max)
 5 minute input rate 0 bits/sec, 0 packets/sec
 5 minute output rate 0 bits/sec, 0 packets/sec
 37 packets input, 3150 bytes
 199 packets output, 5430 bytes
Bound to:
Virtual-Access2 is up, line protocol is up 
 Hardware is Virtual Access interface
 MTU 1492 bytes, BW 56 Kbit/sec, DLY 20000 usec, 
 reliability 255/255, txload 1/255, rxload 1/255
 Encapsulation PPP, LCP Open
 Stopped: CDPCP
 Open: IPCP
 PPPoE vaccess, cloned from Dialer2
 Vaccess status 0x44, loopback not set
 Keepalive set (10 sec)
 Interface is bound to Di2 (Encapsulation PPP)
 Last input 00:00:07, output never, output hang never
 Last clearing of "show interface" counters 00:13:51
 Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
 Queueing strategy: fifo
 Output queue: 0/40 (size/max)
 5 minute input rate 0 bits/sec, 0 packets/sec
 5 minute output rate 0 bits/sec, 0 packets/sec
 193 packets input, 4910 bytes, 0 no buffer
 Received 0 broadcasts (0 IP multicasts)
 0 runts, 0 giants, 0 throttles 
 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
 188 packets output, 4653 bytes, 0 underruns
 0 output errors, 0 collisions, 0 interface resets
 0 unknown protocol drops
 0 output buffer failures, 0 output buffers swapped out
 0 carrier transitions
Router#show int e0/0
Ethernet0/0 is up, line protocol is up 
 Hardware is AmdP2, address is 0200.0000.0011 (bia aabb.cc00.0100)
 MTU 1500 bytes, BW 10000 Kbit/sec, DLY 1000 usec, 
 reliability 255/255, txload 1/255, rxload 1/255
 Encapsulation ARPA, loopback not set
 Keepalive set (10 sec)
 ARP type: ARPA, ARP Timeout 04:00:00
 Last input 00:00:40, output 00:00:01, output hang never
 Last clearing of "show interface" counters never
 Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
 Queueing strategy: fifo
 Output queue: 0/40 (size/max)
 5 minute input rate 0 bits/sec, 0 packets/sec
 5 minute output rate 0 bits/sec, 0 packets/sec
 285 packets input, 28727 bytes, 0 no buffer
 Received 65 broadcasts (0 IP multicasts)
 0 runts, 0 giants, 0 throttles 
 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
 0 input packets with dribble condition detected
 402 packets output, 40605 bytes, 0 underruns
 0 output errors, 0 collisions, 1 interface resets
 13 unknown protocol drops
 0 babbles, 0 late collision, 0 deferred
 0 lost carrier, 0 no carrier
 0 output buffer failures, 0 output buffers swapped out

4.1 Configure and verify PPP and MLPPP on WAN interfaces using local authentication


To configure PPP:

R1:

interface Serial1/0
 ip address 10.0.0.1 255.255.255.0
 encapsulation ppp
 ppp authentication pap
 ppp pap sent-username R1 password 0 cisco
 serial restart-delay 0
!
username R2 password ccna

R2:

interface Serial1/0
 ip address 10.0.0.2 255.255.255.0
 encapsulation ppp
 ppp authentication pap
 ppp pap sent-username R2 password 0 ccna
 serial restart-delay 0
!
username R1 password 0 cisco

Notice how the local username and password configured on each router must match the sent-username and password of the other router.
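Added example (Python, not from the original notes or from Cisco): what the two authentication methods used in these configs put on the wire, following RFC 1334 for the PAP Authenticate-Request that "ppp pap sent-username" produces and RFC 1994 for the CHAP response produced by the "ppp chap hostname"/"ppp chap password" lines in the PPPoE section. The usernames and passwords are the ones from the configs above; the CHAP identifier and challenge are constructed.

```python
import hashlib
import hmac
import os
import struct

# Added example (not from the original notes): what the two authentication
# methods in these configs put on the wire. PAP (RFC 1334) carries the
# peer-id and password as plain octets; CHAP (RFC 1994) carries
# MD5(id || secret || challenge), so the secret itself never leaves a router.

def pap_authenticate_request(identifier, peer_id, password):
    """Encode a PAP Authenticate-Request: code 1, id, length, then two
    length-prefixed strings, as a router with 'ppp pap sent-username' sends it."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, identifier, 4 + len(body)) + body

def pap_decode_request(frame):
    """Parse the request the way the authenticator does. Nothing protects the
    two fields, so the password crosses the link in the clear; that is why
    CHAP is preferred over PAP."""
    code, _identifier, length = struct.unpack("!BBH", frame[:4])
    if code != 1 or length != len(frame):
        raise ValueError("not a well-formed PAP Authenticate-Request")
    n = frame[4]
    peer_id = bytes(frame[5:5 + n])
    m = frame[5 + n]
    return peer_id, bytes(frame[6 + n:6 + n + m])

def chap_response(identifier, secret, challenge):
    """CHAP Response value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def chap_verify(identifier, secret, challenge, response):
    """Authenticator side: recompute with the locally stored secret for that
    username and compare in constant time."""
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)

def chap_exchange(secret, identifier=7, challenge=None):
    """One challenge/response round trip; returns (challenge, response)."""
    if challenge is None:
        challenge = os.urandom(16)     # the authenticator picks a fresh random challenge
    return challenge, chap_response(identifier, secret, challenge)

if __name__ == "__main__":
    frame = pap_authenticate_request(1, b"R1", b"cisco")
    print("PAP request bytes:", frame.hex(), "->", pap_decode_request(frame))
    challenge, response = chap_exchange(b"cisco")
    print("CHAP response:", response.hex(),
          "verifies:", chap_verify(7, b"cisco", challenge, response))
```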

To configure Multilink PPP:

Remove the ip address command, and configure the multilink interface first. I also found you need to remove the “ppp authentication pap” command on S1/0:

R1/R2 config is identical (besides auth):

interface Multilink1
 ip address 10.0.0.2 255.255.255.0
 ppp multilink
 ppp multilink group 1
!
interface Serial1/0
 no ip address
 encapsulation ppp
 ppp pap sent-username R2 password 0 ccna
 ppp multilink
 ppp multilink group 1
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 encapsulation ppp
 ppp pap sent-username R2 password 0 ccna
 ppp multilink
 ppp multilink group 1
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 encapsulation ppp
 ppp pap sent-username R2 password 0 ccna
 ppp multilink
 ppp multilink group 1
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 encapsulation ppp
 ppp pap sent-username R2 password 0 ccna
 ppp multilink
 ppp multilink group 1
 serial restart-delay 0
!

To verify the status of the link:

[Screenshots of the link verification output]