RE: QOS | Fragments

From: Victor Cappuccio (victor@ccbootcamp.com)
Date: Sun May 20 2007 - 21:02:55 ART


Hi,

For question A:

"...Filtering fragments adds an additional layer of protection against a DoS
attack that uses only noninitial fragments (such as FO > 0). Using a deny
statement for noninitial fragments at the beginning of the ACL denies all
noninitial fragments from accessing the router. Under rare circumstances, a
valid session might require fragmentation and therefore be filtered if a
deny fragment statement exists in the ACL..."

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml
http://www.cisco.com/warp/public/105/acl_wp.html

Also, the virtual-reassembly feature can help for this question:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_8/gt_vfrag.htm

For question B:

A.
policy-map XYZ
class class-default
bandwidth 128
shape average 512000

B.

policy-map ONE
class class-default
bandwidth 128

policy-map TWO
class class-default
shape average 512000
service-policy ONE

So for question A:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_c/fqcprt4/qcfcbshp.htm#wp1003845

You are configuring class-based weighted fair queueing (CBWFQ) inside GTS.
CBWFQ allows you to specify the exact amount of bandwidth to be allocated for
a specific class of traffic (128 in your case), taking into account the available
bandwidth on the interface. Traffic shaping allows you to control the traffic
going out an interface in order to match its transmission to the speed of the
remote, target interface and to ensure that the traffic conforms to policies
contracted for it.

For question B2
Hierarchical MCQ

http://www.cisco.com/warp/public/105/policevsshape.html#minimumvsmaximum

A hierarchical policy uses two service policies: a parent policy to apply a
QoS mechanism to a traffic aggregate and a child policy to apply a QoS
mechanism to a flow or subset of the aggregate. Logical interfaces, such as
subinterfaces and tunnel interfaces, require a hierarchical policy with the
traffic-limiting feature at the parent level and queuing at lower levels. The
traffic-limiting feature reduces the output rate and (presumably) creates
congestion. In other words, you are creating a Q for 512000 as the Target Bit
Rate, and at policy-map TWO you are reserving 128 kilobits per second from
there.

R1(config-pmap)#policy-map ONE
R1(config-pmap)#class class-default
R1(config-pmap-c)#bandwidth 128
R1(config-pmap-c)#
R1(config-pmap-c)#policy-map TWO
R1(config-pmap)#class class-default
R1(config-pmap-c)#shape average 512000
R1(config-pmap-c)#service-policy ONE
R1(config-pmap-c)#exit
R1(config-pmap)#int f0/0
R1(config-if)#ser out TWO
R1(config-if)#policy-map ONE
R1(config-pmap)#class class-default
R1(config-pmap-c)#bandwidth 540
I/f shape Class class-default requested bandwidth 540 (kbps) Only 512 (kbps)
available

HTH

thanks,
Victor Cappuccio.-
- CCSI# 31452

Network Learning Inc - A Cisco Sponsored Organization (SO) YES! We take
Cisco Learning credits!
victor@ccbootcamp.com
http://www.ccbootcamp.com (Cisco Training and Rental Racks)
http://www.ccbootcamp.com/groupstudy.html (groupstudy member discounts!)
Voice: 702-968-5100
FAX: 702-446-8012
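As an added example (not part of Victor's reply or of the Cisco documents he cites), the Python model below applies the fragment-matching rules described in the Cisco ACL white paper linked above to a few constructed packets aimed at a web server. It shows why a noninitial fragment slips past a plain `permit tcp ... eq www` line (the Layer 4 information is assumed to match) and what changes when a `deny ip any host <server> fragments` entry is placed at the top of the ACL. The host address 10.1.1.10, the packet samples and the `Ace`/`Packet` classes are assumptions of the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed address for the example; the thread names no real host.
WEB_SERVER = "10.1.1.10/32"


@dataclass(frozen=True)
class Ace:
    """One access-list entry. dport=None means the entry carries Layer 3 info only;
    fragments=True stands for the IOS `fragments` keyword (noninitial fragments only)."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol; otherwise "tcp", "udp", ...
    dst: str                     # destination prefix ("0.0.0.0/0" for `any`)
    dport: Optional[int] = None  # Layer 4 destination port, if the entry has one
    fragments: bool = False


@dataclass(frozen=True)
class Packet:
    dst: str
    proto: str
    frag_offset: int             # FO field; FO > 0 marks a noninitial fragment
    dport: Optional[int] = None  # None for noninitial fragments: no L4 header on the wire
    more_fragments: bool = False # MF flag, informational only for this model

    @property
    def noninitial(self) -> bool:
        return self.frag_offset > 0


def evaluate(acl: list, pkt: Packet) -> str:
    """Rules from the Cisco ACL/fragments white paper: an L3-only entry applies to every
    packet; an entry with L4 info is matched fully by unfragmented packets and initial
    fragments, while a noninitial fragment matches it on L3 only, so a permit permits and a
    deny is skipped; `fragments` entries match noninitial fragments only; implicit deny."""
    for ace in acl:
        if ace.fragments and not pkt.noninitial:
            continue
        proto_ok = ace.proto == "ip" or ace.proto == pkt.proto
        if not (proto_ok and ip_address(pkt.dst) in ip_network(ace.dst)):
            continue
        if ace.dport is None:            # Layer 3 only: the action applies as written
            return ace.action
        if pkt.noninitial:               # L4 info cannot be checked on this fragment
            if ace.action == "permit":
                return "permit"          # L4 assumed to match, fragment is permitted
            continue                     # a deny with L4 info is skipped, next entry
        if pkt.dport == ace.dport:
            return ace.action
    return "deny"                        # implicit deny at the end of every ACL


# Two constructed ACLs: the second puts the `fragments` deny first, as the quoted text recommends.
ACL_L4_ONLY = [Ace("permit", "tcp", WEB_SERVER, dport=80)]
ACL_FRAG_DENY_FIRST = [
    Ace("deny", "ip", WEB_SERVER, fragments=True),
    Ace("permit", "tcp", WEB_SERVER, dport=80),
]

# Constructed packets towards the web server.
SAMPLE_PACKETS = {
    "http_unfragmented": Packet("10.1.1.10", "tcp", frag_offset=0, dport=80),
    "http_initial_fragment": Packet("10.1.1.10", "tcp", frag_offset=0, dport=80, more_fragments=True),
    "noninitial_fragment": Packet("10.1.1.10", "tcp", frag_offset=185),
    "ssh_unfragmented": Packet("10.1.1.10", "tcp", frag_offset=0, dport=22),
}


def compare(acls: Optional[dict] = None) -> dict:
    """Verdict of each ACL for each sample packet: {acl_name: {packet_name: verdict}}."""
    acls = acls or {"l4_only": ACL_L4_ONLY, "frag_deny_first": ACL_FRAG_DENY_FIRST}
    return {name: {pname: evaluate(acl, pkt) for pname, pkt in SAMPLE_PACKETS.items()}
            for name, acl in acls.items()}


if __name__ == "__main__":
    for name, verdicts in compare().items():
        for pname, verdict in verdicts.items():
            print(f"{name:16} {pname:24} {verdict}")
```

The initial fragment still carries the TCP header, so it is judged like the unfragmented packet; only the noninitial fragment has no Layer 4 header for the ACL to check, which is the gap the `fragments` keyword closes.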

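Also as an added example (not the thread's or Cisco's own code), the following parser reads the policy-map text of both configurations and reproduces the check behind the `I/f shape Class class-default requested bandwidth 540 (kbps) Only 512 (kbps) available` message from the router session above: the child class `bandwidth` is given in kbps while `shape average` is in bps, and the child's reservations have to fit inside the parent's shape rate. Configuration A parses as a flat policy with no parent/child relation, so no such check applies to it. The function names, and treating the parent shape rate as a pool when there are several child classes, are the example's own assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Configurations copied from the thread (constructed layout, IOS MQC syntax).
CONFIG_A = """
policy-map XYZ
 class class-default
  bandwidth 128
  shape average 512000
"""

CONFIG_B = """
policy-map ONE
 class class-default
  bandwidth 128
policy-map TWO
 class class-default
  shape average 512000
  service-policy ONE
"""


@dataclass
class ClassCfg:
    bandwidth_kbps: Optional[int] = None   # `bandwidth <kbps>`
    shape_bps: Optional[int] = None        # `shape average <bps>`
    child: Optional[str] = None            # `service-policy <name>` nested under the class


def parse_policy_maps(text: str) -> dict:
    """Return {policy_name: {class_name: ClassCfg}} from policy-map/class lines."""
    policies: dict = {}
    pmap = cls = None
    for raw in text.splitlines():
        words = raw.strip().split()
        if not words or words[0] == "!":
            continue
        if words[0] == "policy-map":
            pmap = policies.setdefault(words[1], {})
            cls = None
        elif words[0] == "class" and pmap is not None:
            cls = pmap.setdefault(words[1], ClassCfg())
        elif cls is None:
            continue
        elif words[0] == "bandwidth":
            cls.bandwidth_kbps = int(words[1])
        elif words[:2] == ["shape", "average"]:
            cls.shape_bps = int(words[2])
        elif words[0] == "service-policy":
            cls.child = words[1]
    return policies


def check_hierarchy(policies: dict) -> list:
    """IOS-style errors for child reservations that exceed the parent's shape rate.
    Assumption: the parent shape rate (converted from bps to kbps) is the pool the child
    classes draw from, and the message reports what is still left in that pool."""
    errors = []
    for classes in policies.values():
        for cfg in classes.values():
            if cfg.child is None or cfg.shape_bps is None:
                continue
            remaining_kbps = cfg.shape_bps // 1000
            for child_name, child_cfg in policies.get(cfg.child, {}).items():
                if child_cfg.bandwidth_kbps is None:
                    continue
                if child_cfg.bandwidth_kbps > remaining_kbps:
                    errors.append(
                        f"I/f shape Class {child_name} requested bandwidth "
                        f"{child_cfg.bandwidth_kbps} (kbps) Only {remaining_kbps} (kbps) available")
                else:
                    remaining_kbps -= child_cfg.bandwidth_kbps
    return errors


def validate(text: str) -> list:
    """Parse and check one configuration text in a single call."""
    return check_hierarchy(parse_policy_maps(text))


if __name__ == "__main__":
    for label, cfg in (("A", CONFIG_A), ("B", CONFIG_B),
                       ("B with 540", CONFIG_B.replace("bandwidth 128", "bandwidth 540"))):
        print(label, validate(cfg) or "ok")
```

Running it reports "ok" for both configurations as posted and the IOS-style message only when the child's `bandwidth` is raised past the 512 kbps the parent shaper provides.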
-----Original Message-----
From: nobody@groupstudy.com on behalf of Mohammed Khasawneh
Sent: Sun 5/20/2007 11:17
To: ccielab@groupstudy.com
Subject: QOS | Fragments

Hi all

I have two questions

First, is it possible to deny all fragment packets (initial and non-initial
fragments) to a specific web server using an ACL?

Second, what is the difference between these two configurations:

A.
policy-map XYZ
class class-default
bandwidth 128
shape average 512000

B.

policy-map ONE
class class-default
bandwidth 128

policy-map TWO
class class-default
shape average 512000
service-policy ONE

Regards

Khasawneh



This archive was generated by hypermail 2.1.4 : Fri Jun 01 2007 - 06:55:21 ART