RE: QoS- Policing Method

From: Tim (ccie2be@nyc.rr.com)
Date: Tue Sep 13 2005 - 19:20:26 GMT-3


Steve,

I'm not 100% sure what you're actually asking, but let me see if I can
straighten these issues out.

RE: cef - if you check the nbar requirements (or prerequisites) on the
doc-CD, you'll see that cef is a requirement for nbar.

CEF is not required for acl's.

Your 2 acl entries:

access-list 101 permit tcp any any eq 80

access-list 101 permit tcp any any eq www

say the exact same thing. The port for www = 80 by default unless there's a
way to change that, which there probably is, but I'm not sure it's applicable
to acl's. So, you should use either the first acl entry or the 2nd entry - you
don't need both.

You don't need to enable nbar protocol discovery to use nbar.

This may have been true at some point (Wendell Odom said it was required in
his first QoS book) but it is definitely not needed now if you are using any
recent release of IOS.

Now, was my prior post clear to you about the difference between using nbar
to match traffic or using an acl?

If not, let me know.

Tim

 

  _____

From: stephen skinner [mailto:stephenski@gmail.com]
Sent: Tuesday, September 13, 2005 4:57 PM
To: Tim
Cc: Chris Lewis (chrlewis); kumara.shunmugam@wipro.com;
andrew.m.edwards@boeing.com; ccielab@groupstudy.com
Subject: Re: QoS- Policing Method

 

ok

I will take this on a bit,

Let's say I have a router with CEF enabled.

I have had to do this for something else.

I have read various posts which give two answers.

I have two ACLs:

access-list 101 permit tcp any any eq 80

access-list 101 permit tcp any any eq www

Also I have

ip nbar protocol-discovery

Now I have read that if I have CEF and the second access list configured
then I have NBAR running.

I have also read that

I need to have the nbar protocol discovery as well as the second ACL and CEF,
then I have configured NBAR.

Also I have read that if I have CEF and the first ACL I have nbar configured.

I believe that if you have the second ACL and CEF and the ip nbar protocol
discovery, then only then you have nbar configured.

Can you confirm which is which, because I would like to know once and for
all when the requirement is match all web traffic coming in on int X, what
would be my best option.

Many thanks in advance,

Steve

 

On 9/13/05, Tim <ccie2be@nyc.rr.com> wrote:

Chris,

I'm not sure even Wendell Odom would accept that moniker. And, even if it
were true at the moment, by next week it might not be, given how quickly
things have been changing.

Kumara, I also had that same question as you not all that long ago. That
was when I learned about the difference between using nbar and an acl to
classify traffic. I think this discussion included Simon Hart and maybe
Chris as well.

To make sure you get this right in the lab, you have to think very carefully
about the task requirements before using one approach or the other.

Consider this:
              ____________
             |            |
Web client ---|            |
             |   router   |--- int s0
Web server ---|            |
             |____________|

Now, let's say the requirement is limit web requests into int s0.

If you used nbar to classify the web traffic, you would lose points. Is it
obvious to you why that is?

If so, you understand the subtle but extremely important difference between
using an acl to classify traffic and using nbar.

HTH, Tim

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Chris Lewis (chrlewis)
Sent: Tuesday, September 13, 2005 9:36 AM
To: kumara.shunmugam@wipro.com; andrew.m.edwards@boeing.com;
ccielab@groupstudy.com
Subject: RE: QoS- Policing Method

I don't know that I can accept that moniker, however......

I am generally against best practices type recommendations of any type
for the lab exam. The proctors are just too good at presenting the
exceptions to any general rules. In the real world, it is of course a
different matter, best practice recommendations for design are valid and
Cisco provides a lot of those (most complete are the SRNDs on CCO).

For the purposes of this endeavor, the only course I am aware of is to
understand how each protocol you want to classify works, understand what
each command does, and then you are in a position to classify any
oddball combination thrown at you in the exam.

As another example, if you want to look at what has already been said on
this topic, a Google search like the following lists a whole bunch.

ftp ftp-data passive active match protocol site: groupstudy.com

If there is a specific question to which you do not get an answer,
please post again and I'll do my best to answer.

Cheers

Chris

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
kumara.shunmugam@wipro.com
Sent: Tuesday, September 13, 2005 12:55 AM
To: Chris Lewis (chrlewis); andrew.m.edwards@boeing.com;
ccielab@groupstudy.com
Subject: RE: QoS- Policing Method

Thanks Chris & Edwards

The actual question in the book is very clear about the direction.
It's the client traffic going to the specified servers from a VLAN. Yes,
it is the "service-policy output" command that is needed here. However, as you
pointed out, it is always important to classify the traffic correctly
in the Lab. I think if we have any clarification about the traffic
direction, we could ask the proctor ...

What do you say? Or do we have any best practices document for ACL
filtering specific to each protocol (example: ftp, ftp-data, ntp etc.)? I
think as a QoS master, Chris should be able to provide us some tips..

-----Original Message-----
From: Chris Lewis (chrlewis) [mailto:chrlewis@cisco.com]
Sent: Monday, September 12, 2005 6:13 PM
To: Edwards, Andrew M; Kumara Guru Shunmugam L (WI01 - Services);
ccielab@groupstudy.com
Subject: RE: QoS- Policing Method

Good points,

My comment is related to the choice of ACLs or NBAR. If you are asked
to limit the E0 interface overall, I would take that to mean both
inbound and outbound traffic (although checking with the proctor would
not be a bad idea). You have to apply the service-policy in or out, but
either way you want to catch inbound and outbound traffic of the type
you're interested in.

With the ACLs you have, you are only matching on the destination ports
of the protocols you are interested in, take access-list 106 as an
example.

access-list 106 permit tcp any any eq www

This matches any source address/port, but only port 80 destination, to
catch traffic the other way, include a second line for www as below:

access-list 106 permit tcp any any eq www
access-list 106 permit tcp any eq www any

This way you catch traffic passing the other direction that is part of
http and it counts towards the target rate specified for the interface
overall.

NBAR catches both directions by default, which may or may not be what you
want for other questions.

Chris
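Chris's point above about ACL direction (and Tim's web-request example earlier in the thread), as an added example that is not part of the thread: a small Python model of an extended ACL evaluated against a constructed request/reply pair, beside a simplified stand-in for NBAR's bidirectional "match protocol http". The ACE parser, the Packet type and the port table are assumptions of this example, not IOS code, and only "any" addresses are modelled.

```python
# Added example, not code from the thread: a toy model of how an IOS
# extended ACL classifies packets in one direction only, versus NBAR's
# protocol match, which catches both directions of a conversation.
# Only ACEs of the form "access-list N permit tcp any [eq P] any [eq P]"
# are understood; addresses other than "any" are not modelled.
from collections import namedtuple

WELL_KNOWN = {"www": 80, "smtp": 25, "pop3": 110}  # IOS port keywords
Packet = namedtuple("Packet", "proto src_port dst_port")


def parse_ace(line):
    """Return (proto, src_port_or_None, dst_port_or_None) for one ACE."""
    toks = line.lower().split()
    if toks[0] != "access-list" or toks[2] != "permit":
        raise ValueError("unsupported ACE: " + line)
    proto, rest = toks[3], toks[4:]

    def take_endpoint():  # consume 'any' plus an optional 'eq <port>'
        if rest.pop(0) != "any":
            raise ValueError("only 'any' addresses are modelled")
        if rest and rest[0] == "eq":
            rest.pop(0)
            port = rest.pop(0)
            return int(port) if port.isdigit() else WELL_KNOWN[port]
        return None  # no port restriction on this side

    return proto, take_endpoint(), take_endpoint()


def acl_matches(acl_lines, pkt):
    """Does any permit ACE classify this packet (first match wins)?"""
    for proto, sport, dport in map(parse_ace, acl_lines):
        if (proto == pkt.proto and sport in (None, pkt.src_port)
                and dport in (None, pkt.dst_port)):
            return True
    return False


def nbar_http_matches(pkt):
    """Simplified 'match protocol http': the whole conversation, both ways."""
    return pkt.proto == "tcp" and 80 in (pkt.src_port, pkt.dst_port)


# Constructed sample flow: a client request to a web server and its reply.
REQUEST = Packet("tcp", 40000, 80)
REPLY = Packet("tcp", 80, 40000)
ACL_ONE_WAY = ["access-list 106 permit tcp any any eq www"]
ACL_TWO_WAY = ACL_ONE_WAY + ["access-list 106 permit tcp any eq www any"]
```

With the single "eq www" line only the request is classified, so a policer on that class never sees the reply bytes; the second line, or NBAR, counts both directions.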

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com ] On Behalf Of
Edwards, Andrew M
Sent: Monday, September 12, 2005 7:10 PM
To: kumara.shunmugam@wipro.com; ccielab@groupstudy.com
Subject: RE: QoS- Policing Method

Kumara,

Here has been my experience with any QoS task. From my own experience
in the lab, I don't believe I have been asked to do anything
unreasonable within the QoS or security framework.

What I have noticed however is that I have not been very successful with
these topics.

The only commonality I have found is that both require you to correctly
classify the traffic. For myself, I believe this has been my problem
with these two areas. Thus, I have spent a great deal of time thinking
of ways to actually classify a given traffic set into a class with
either the MQC's multitude of options, or ACLs.

I highly suggest to any CCIE candidate that you really understand and
learn how to classify traffic and then verify you actually classified it
correctly.

IOW, you might not want to rely only on an ACL, but instead use NBAR...
Or maybe both 8)

Further, I would ask you this, "What does the word "mail" include?" Is
it just SMTP, POP3, etc...

Just my 2 cents.

Andy

-----Original Message-----
From: kumara.shunmugam@wipro.com [mailto:kumara.shunmugam@wipro.com]
Sent: Monday, September 12, 2005 12:09 AM
To: ccielab@groupstudy.com
Subject: QoS- Policing Method

Hi Guys

I have a requirement as specified below. I have also included my
answer. Kindly verify the answer and provide me your feedback.

1. Limit the E0 interface traffic (overall) to 115.2Kbps (Bc=12000,
Be=32000). The interface traffic less than 115.2K should have the precedence set to
4 and all other traffic greater than 115.2Kbps should be dropped.

2. Limit the mail (smtp, pop3) traffic in E0 to 56Kbps (Bc=8000,
Be=24000). The mail traffic less than 56K should have the precedence set to 4 and all
other traffic greater than 56Kbps should have the precedence set to 0.

3. Similarly, limit the HTTP traffic in E0 to 72Kbps (Bc=8000,
Be=24000). The web traffic less than 72K should have the precedence set to 4 and all
other traffic greater than 72Kbps should be dropped.

I have used the MQC method to achieve the results.... Is it OK?

class-map match-all mail
 match access-group 105
!
class-map match-all web
 match access-group 106
!
policy-map child
 class mail
  police cir 56000 bc 8000 be 24000
   conform-action set-prec-transmit 4
   exceed-action set-prec-transmit 0
 class web
  police cir 72000 bc 8000 be 24000
   conform-action set-prec-transmit 4
   exceed-action drop
!
policy-map parent
 class class-default
  police cir 115000 bc 12000 be 32000
   conform-action set-prec-transmit 4
   exceed-action drop
  service-policy child
!
access-list 105 permit tcp any any eq smtp
access-list 105 permit tcp any any eq pop3
access-list 106 permit tcp any any eq www

Please confirm.




This archive was generated by hypermail 2.1.4 : Sun Oct 02 2005 - 14:40:15 GMT-3