donnib (Member, join:2014-03-19):

[Config] Traffic shape on Cisco

Hi,
I have read the following thread, »Traffic shaping question, which I found quite useful, but I still have some questions. First, what I want to solve:

1. When BitTorrent traffic is flowing through the network, ingoing/outgoing, I want to make sure that SIP, HTTP, FTP, and SSH are still possible without packet loss (in this order).
2. When someone on the network downloads a big file through HTTP/FTP, I can still use VoIP SIP and SSH.

I have read a lot about NBAR, and I was wondering: has this gotten better since that thread was written, or is it still best to follow the guidelines @nsox wrote in the above thread?

/donnib
meta (Member, join:2004-12-27):

Let me preface my answer by explaining: there is a difference between trusted endpoints sending traffic that should be properly respected, and UNtrusted endpoints generating scavenger traffic. There are a lot of correct ways to address the scenario you are describing.

First things first: the trust boundary. Where do you draw the line between trusted and untrusted endpoints on your network? That is tricky and gray in a lot of companies, with bring-your-own-device and various policy/legal liability/etc. issues at play.

Traditionally, people decided NOT to trust the endpoint itself, which led to the rise of network-centric ingress traffic classification with technology like NBAR or ACLs for packet marking.

That approach became more difficult as time went on: custom applications using non-standard protocols, protocol encryption, use of TCP/443, etc. require deeper, more intensive infrastructure inspection (real-time man-in-the-middle for SSL/TLS crypto, a wildcard certificate authority with the enterprise root CA published to every endpoint, etc.), making it a resource-intensive path to go down today.

The alternative is to reject infrastructure responsibility for classifying traffic that it does not generate. Only the application, operating system, and TCP stack are close enough to the traffic to properly identify WHICH process generated THAT specific flow to x.y.z.3 on TCP/443 and tag the frames properly.

But wait, what about abuse and junk traffic? What stops a stupid kiddiot from firing up BitTorrent and tagging all his traffic DSCP EF to maximize voice disruption and piracy speed?

The catch is, IF you trust the endpoint to mark its traffic, you SHOULD authenticate and secure the endpoint. That means 802.1X on wired ports, enterprise authentication of wireless devices, and endpoint security or group policy that prevents users from running abusive applications.

Taking one from the government: trust, BUT VERIFY. On your internet edge / egress firewall and intrusion prevention appliance, profile the traffic passing by and LOOK for endpoints that violate policy; apply corporate policy and applicable laws; don't rely on the network to solve a management problem.

So, the TL;DR version:

If you authenticate and secure endpoints, and monitor what they are doing, you can trust them to mark their own traffic with one uniform policy, etc.

If you do NOT authenticate or secure endpoints, and believe them to be untrustworthy, less scalable infrastructure-based packet classification will be the best option available, but it is unable to differentiate between many protocols in use today.

donnib (Member):

Thank you very much for your response. I am, however, doing this in a home environment, so I hope it gets easier since I am in better control of the traffic. I guess I have to think about what the best way to implement this is.

I tried your trick of adding some ACLs on my VLAN to see if I can group the traffic that goes IN to the VLAN, meaning all the traffic that my local network produces in the direction of the internet (just to see what that is; I'll look at the inbound traffic later). Although I set the ACL group as IN on the VLAN, I was seeing traffic going the other way in the logs. Any explanation for that?

aryoba (MVM, join:2002-08-22):

said by donnib:

I am, however, doing this in a home environment, so I hope it gets easier since I am in better control of the traffic. I guess I have to think about what the best way to implement this is.

In some companies, you have to dedicate certain machines to only do specific functions. It is not an option to have a single server or PC do everything, such as having the ability to access anything on the Internet while the machine is considered "Trusted".

Once you have those dedicated machines, you set up multiple security zones using some hardware-based firewall (e.g. Cisco ASA or Juniper SRX). In addition, the real "Trusted" machines have some software-based firewall to ensure no rogue applications are running havoc. Further, the software-based firewall may have an antivirus feature that removes suspected "rogue" applications from the machine.

Depending on the company policy, the machines that have to have some "rogue" application (due to the nature of "critical business applications") ought to be put in the "Untrusted" zone, and this is considered a manageable business risk.

aryoba (MVM) to donnib:
At other companies, they put an IPS instead of a firewall to set up the multiple security zones. Their reasoning is as follows:
* All machines are within the internal network
* The objective is monitoring and controlling suspected rogue applications running on trusted TCP/UDP ports, which a firewall may not be suitable for

Different companies have a combination of firewall and IPS modules in place. Whichever the approach is, some baseline has to be clearly drawn to set your trust boundary. You can then implement 802.1X and other necessary authentication and protection, as meta mentioned.

HELLFIRE (MVM, join:2009-11-25) to donnib:
I'll defer to meta's and aryoba's expertise on the "whys" of QoS design,
as they have more experience than I could ever dream of...

As to the hows of doing this, my 5-letter answer to your dilemma would be "CBWFQ."

I'll also have to find again that really good explanation of all the commands for each
of the types of QoS -- priority, bandwidth, police, shape, etc...

My 00000010bits

Regards

donnib (Member):

So I now have the following config:

ip access-list extended ACL_MATCH_DM500
 permit ip host 192.168.1.20 any
 deny   ip any any
ip access-list extended ACL_MATCH_DM800
 permit ip host 192.168.1.10 any
 deny   ip any any
ip access-list extended ACL_MATCH_NAS
 permit ip host 192.168.1.15 any
 deny   ip any any
 
class-map match-any HTTP
 match protocol http
class-map match-any DREAM_RECEIVER
 match access-group name ACL_MATCH_DM500
 match access-group name ACL_MATCH_DM800
class-map match-any NAS
 match access-group name ACL_MATCH_NAS
 
policy-map POLICY_CHILD_SHAPE_2M
 class NAS
  bandwidth percent 50
 class DREAM_RECEIVER
  bandwidth percent 10
 class HTTP
  bandwidth percent 19
 class class-default
  fair-queue
policy-map POLICY_PARENT_SHAPE_2M
 class class-default
  shape average 2000000
  service-policy POLICY_CHILD_SHAPE_2M
 

I have a Cisco 1801 with a DSL line, PPPoA.

I have tried to add the service policy to the ATM0.1 interface as follows:

pvc 0/101
service-policy output POLICY_PARENT_SHAPE_2M
 

But I get an error now and I don't know how to continue:

Weighted Fair Queueing feature is not supported with ubr configuration.
 

What is the reason for this? Any ideas? meta

--EDIT--

So I have found the reason for this. Apparently I had to enable the following:

vbr-nrt 2044 2044
 

But I can't get it to work anyway. My problem now seems to be that the data does not go into the buckets. Here are the stats of the ACLs:

Extended IP access list ACL_MATCH_DM500
    10 permit ip host 192.168.1.20 any
    20 deny ip any any (77806 matches)
Extended IP access list ACL_MATCH_DM800
    30 permit ip host 192.168.1.10 any
    40 deny ip any any (79306 matches)
Extended IP access list ACL_MATCH_NAS
    10 permit ip host 192.168.1.15 any
    11 permit ip any host 192.168.1.15
    20 deny ip any any (22847 matches)
 

I think the problem is that I have misunderstood the concept of Input/Output on the ACL lines together with the flow of traffic through the interfaces.

I have Internet -> ATM0 -> ATM0.1 -> Vlan1 -> computers behind NAT such as 192.168.1.15

I thought that traffic flowing from the internet through my network would be like this:

1. Traffic comes In on ATM0, then Out of ATM0 and In on ATM0.1, then Out of ATM0.1 and In to the VLAN; then the traffic is sent to the IP behind NAT.
2. If traffic comes from the internal network towards the internet, then: internal network In to the VLAN, then Out of Vlan1 and In to ATM0.1, then Out of ATM0.1 and In to ATM0, then out to the internet.

Since I am trying to traffic-shape the traffic initiated from the internal network, I thought it was correct to use Out on ATM0.1, but it seems not.

What am I misunderstanding? Is there anywhere I can get an overview of this concept?

meta (Member):

QoS is functionally broken on the WIC-1ADSL (and its brethren). I posted various threads on DSLR regarding my attempts to make the interface "experience congestion" and thus engage the shaper to priority-queue certain packets.

Edit: link to an old, old thread about QoS on ADSL: »Low Latency Queueing Problem With PPPOE(OA?)

aryoba (MVM):

I don't think the WIC-1ADSL works in an 1801 router, though a similar broken issue may apply.

donnib (Member):

When you and nosx say WIC-1ADSL, is that the internal ADSL modem/module we are talking about? I have no idea what's inside a Cisco 1801.

I tend to think it might be that ATM0.1 does not know about the internal IPs I am ACLing on, because I use NAT. Is that the reason? If so, then should I apply the policy on the VLAN instead? Is that a good idea?

donnib (Member) to meta:
Does that mean it doesn't work? You posted that in 2008; you would have thought Cisco had fixed this by now. I am running the latest version of IOS.

meta (Member):

Not fixed; hardware limitations are the likely culprit. TAC's workaround was to build a tunnel back to your main site (GRE, that is) and put a shaper on the VTI at each end to apply prioritization to the packets going each way.

HELLFIRE (MVM) to donnib:
said by donnib:

I have a Cisco 1801 with a DSL line, PPPoA.

So basically the 1801 _IS_ the DSL modem in your setup, correct?

said by donnib:

I think the problem is that I have misunderstood the concept of Input/Output on the ACL lines together with the flow of traffic through the interfaces.

I usually refer to this guide in case of confusion.

One possibility is to turn on logging and/or debugging on your ACLs and see what
actual IP addresses are hitting them.

My 00000010bits

Regards
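A quick way to read the ACL counters donnib posted, following HELLFIRE's advice to look at what is actually hitting the lists. This is an added example, not code from the thread: it parses the "show ip access-lists" text exactly as posted above and flags each ACL whose only hits are on the deny catch-all, which is the symptom that the class-maps never matched a packet.

```python
import re
from collections import namedtuple

# Stats exactly as posted in the thread (show ip access-lists output).
SHOW_ACCESS_LISTS = """\
Extended IP access list ACL_MATCH_DM500
    10 permit ip host 192.168.1.20 any
    20 deny ip any any (77806 matches)
Extended IP access list ACL_MATCH_DM800
    30 permit ip host 192.168.1.10 any
    40 deny ip any any (79306 matches)
Extended IP access list ACL_MATCH_NAS
    10 permit ip host 192.168.1.15 any
    11 permit ip any host 192.168.1.15
    20 deny ip any any (22847 matches)
"""
HEADER_RE = re.compile(r"^(?:Standard|Extended) IP access list (\S+)\s*$")
ENTRY_RE = re.compile(
    r"^\s+(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<rule>.*?)"
    r"(?:\s+\((?P<hits>\d+) match(?:es)?\))?\s*$"
)
AclEntry = namedtuple("AclEntry", "seq action rule hits")  # hits 0 if no suffix

def parse_access_lists(text):
    """Turn 'show ip access-lists' text into {acl_name: [AclEntry, ...]}."""
    acls, current = {}, None
    for line in text.splitlines():
        head = HEADER_RE.match(line)
        if head:
            current = head.group(1)
            acls[current] = []
            continue
        ent = ENTRY_RE.match(line)
        if ent and current is not None:
            acls[current].append(AclEntry(int(ent["seq"]), ent["action"],
                                          ent["rule"], int(ent["hits"] or 0)))
    return acls

def classification_report(acls):
    """Sum permit/deny hits per ACL and flag lists whose only hits are on the deny
    catch-all: the class-map never matched, so the policy sees traffic the ACL
    does not describe (wrong direction, or NAT has already rewritten the source)."""
    report = {}
    for name, entries in acls.items():
        permit = sum(e.hits for e in entries if e.action == "permit")
        deny = sum(e.hits for e in entries if e.action == "deny")
        report[name] = {"permit_hits": permit, "deny_hits": deny,
                        "only_catch_all_hit": permit == 0 and deny > 0}
    return report
```

Run classification_report(parse_access_lists(SHOW_ACCESS_LISTS)) and every list comes back with only_catch_all_hit True, which is the thread's situation: the shaper is queueing, but nothing lands in the NAS or DREAM_RECEIVER classes.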