CCIE - EI: 4.0 Security and Services Pt. 1 📝

2022-04-29 · Topic: CCIE-EI

This is a summary of the notes I’ve written for CCIE-EI - CCIE - EI: 4.0 Security and Services Pt. 1. In other words, this only contains what I felt the need to write down and is not meant as a complete study resource. Please see the study resources I’ve used or related blogs for more coherent writeups.

4.0 - Infrastructure Security and Services Pt. 1

4.1 Device Security on Cisco IOS XE

Control plane policing and protection

CoPP - Control-plane Policing
Used to protect the route processor from DoS by policing traffic punted to the control plane (routing protocols, management sessions, ICMP, ARP and anything else that is software-switched). A normal MQC policy-map is attached to the logical control-plane interface; everything not matched by an explicit class lands in class-default, so that class must not be policed so hard that it drops traffic you forgot to classify.

class-map {}
 match {}

policy-map {}
 class {}
  drop
! or
  police {}

control-plane
 service-policy input {}

This is a foot-gun if I’ve ever seen one…

CPPr - Control-plane Protection
Extends CoPP by splitting the control-plane interface into three sub-interfaces, so that each kind of CPU-bound traffic can get its own policy.

The different types of classes that can be targeted:

  • Host, traffic destined to the router itself (management sessions, routing protocol packets addressed to it).
  • Transit, software-switched transit traffic, i.e. packets that are punted but not addressed to the router.
  • CEF-Exception, traffic CEF cannot switch: ARP, L2 keepalives, non-IP traffic and IP packets redirected to the CPU by a CEF input feature.

CoPP and CPPr can be used in tandem; the aggregate CoPP policy on control-plane is applied first, then the CPPr policy on the matching sub-interface.

control-plane host
 service-policy input {}
control-plane transit 
 service-policy input {}
control-plane cef-exception
 service-policy input {}

AAA

Legacy local auth/authz

Documentation for this is found under “user security configuration”

Requires an enable secret to be set unless a privilege level is set on the user (username ... privilege n) or on the line. If the privilege is set on the line, that value determines the privilege level authenticated users land in after login. Use enable secret (hashed) rather than enable password (type 7, trivially reversible).

16 privilege levels (0-15) exist. 0 (only disable, enable, exit, help and logout), 1 (user EXEC) and 15 (privileged EXEC) are predefined; the 13 in between (2-14) are free to be configured.

Local command-to-privilege-level mappings are configured with:

privilege {mode} level {n} {command}

Local authorization can be used with tacacs, but I’m not sure why you would.

Local RBAC

Local RBAC (role-based CLI access, "parser views") is a better way to handle local authorization than privilege levels. Up to 15 views can be configured on a router in addition to the root view.

A view consists of a set of commands and can either be assigned to users or switched into manually. AAA (aaa new-model) must be enabled, and you must be in the root view to create views.

  1. aaa new-model
  2. enable view (enters the root view, from which views are created)
  3. Configure views
  4. Assign views
! A view is exclusive unless inclusive is given; inclusive starts with all commands and only removes the excluded ones
parser view {name} [inclusive]
view> secret {password}
view> commands {mode} {include | include-exclusive | exclude} [all] {command}
! include-exclusive adds the command to this view and excludes it from all other views

username {username} view {view-name} secret {....}
! or
enable view {view-name}
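The steps above as one working configuration, as an added example that is not part of the original notes. The view name, account name and passwords are assumptions; the point is the split between the EXEC-mode and interface-mode parser modes and binding the view to a local user.

```cisco
! Added example, not from the original notes. Names and passwords are assumptions.
aaa new-model
enable secret ChangeMeRoot
! Views can only be created from the root view.
enable view
!
parser view NETOPS
 secret ChangeMeView
 ! EXEC-mode commands the operator may run; "all" makes every "show ip ..." variant available
 commands exec include all show ip
 commands exec include show running-config
 commands exec include ping
 commands exec include configure terminal
 ! Configuration mode: the operator may enter interface mode ...
 commands configure include interface
 ! ... but the only thing allowed there is changing the description
 commands interface include description
!
! Bind the view to a local account; the user lands directly in it after login
username ops view NETOPS secret ChangeMeOps
!
! Verification (from the root view)
show parser view
show parser view all
```

Log in as the user and run a command outside the view (for instance shutdown under an interface) to confirm the parser rejects it; the view is enforced by the parser, so the user never sees those commands in context help either.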

AAA New-model

Note: Some of the syntax in the docs is out of date.

Authentication
  • TACACS+, per-command authorization and accounting, TCP/49; the whole packet body is encrypted with the shared key. The choice for device administration.
  • RADIUS, UDP/1812-1813; only the password is obfuscated and authentication/authorization are combined in one exchange. Better suited to network/service access authentication (802.1X).
aaa new-model

tacacs server {name}
 address ipv4 {addr}
 key {key}
radius server {name}
 address ipv4 {addr} auth-port 1812 acct-port 1813
 key {key}
aaa group server {radius | tacacs+} {name}
 server name {name}
 server name {name}

aaa authentication login {default | list-name} {methods}
aaa authentication enable default {methods}

line> login authentication {list-name}

The default authentication list applies everywhere another list isn’t configured.

Banners can also be configured with aaa authentication {banner|fail-message}

Login enhancements

Refuses new login attempts for x seconds (the quiet period) once n failed attempts have been made within y seconds. This reduces the chance of brute-force/dictionary attacks succeeding. Hosts that must never be locked out (e.g. the management jump host) are exempted with an ACL via login quiet-mode access-class, and login on-failure log makes the attempts visible in syslog.

login block-for {x seconds} attempts {n} within {y seconds}

Authorization

AuthZ methods supported:

  • TACACS+, aaa authorization ... group tacacs+
  • RADIUS, aaa authorization ... group radius
  • if-authenticated, aaa authorization ... if-authenticated (succeeds for any user that has already authenticated; useful as a fallback when the server is unreachable)
  • local, based on the privilege level of the local username
  • none

With TACACS+ and RADIUS the user and its attributes (privilege level, allowed commands, VLAN/dACL) are stored on the security server and sent to the device at login.

Accounting
aaa accounting {exec | commands {level} | network | connection | system} {default | list-name} {start-stop | stop-only | none} {methods}
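The authentication, login-enhancement, authorization and accounting pieces above combined into one device-administration setup, as an added example that is not part of the original notes. Server addresses, keys, ACL and group names are assumptions. The design choice to note is that every method list ends in local, so the box stays reachable when TACACS+ is down, while command authorization and accounting still go to the server.

```cisco
! Added example, not from the original notes. Addresses, names and keys are assumptions.
aaa new-model
!
tacacs server ISE-TAC
 address ipv4 10.0.0.10
 key ChangeMe
 timeout 5
aaa group server tacacs+ TACACS-GROUP
 server name ISE-TAC
!
! Authentication: TACACS+ first, local only when the whole group is unreachable.
aaa authentication login default group TACACS-GROUP local
aaa authentication enable default group TACACS-GROUP enable
! Authorization: EXEC level and per-command for levels 1 and 15, config commands included.
aaa authorization exec default group TACACS-GROUP local
aaa authorization commands 1 default group TACACS-GROUP local
aaa authorization commands 15 default group TACACS-GROUP local
aaa authorization config-commands
! Accounting: every EXEC session and every level-15 command.
aaa accounting exec default start-stop group TACACS-GROUP
aaa accounting commands 15 default start-stop group TACACS-GROUP
!
! Local fallback account, only consulted when TACACS+ is unreachable.
username admin privilege 15 secret ChangeMeToo
!
! Brute-force protection: 120 s quiet period after 5 failures within 60 s,
! but the management subnet is never locked out.
ip access-list standard MGMT-NOLOCK
 permit 10.0.0.0 0.0.0.255
login block-for 120 attempts 5 within 60
login quiet-mode access-class MGMT-NOLOCK
login on-failure log
login on-success log
!
! Verification
show aaa servers
show login
```

Change AAA with a second session already open and test a fresh login before closing it; a mistyped method list is the classic way to lock yourself out of a remote box.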

Local logging/archive

archive
archive> log config
archive-log-cfg> logging enable
archive-log-cfg> notify syslog
! Automatic configuration backups are a separate feature, configured with path under archive:
archive> path {proto}:{path}

show archive log config all
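A complete archive configuration with change logging and automatic backups, as an added example that is not part of the original notes. The backup path is an assumption. The security-relevant line is hidekeys: without it every key and secret typed at the CLI is recorded verbatim in the change log, which is readable with show archive log config all and, with notify syslog, shipped to the syslog server.

```cisco
! Added example, not from the original notes. The backup path is an assumption.
archive
 ! Timestamped copy of the config in flash on every "write memory" and every 24 h
 path flash:backup/cfg
 write-memory
 time-period 1440
 log config
  logging enable
  ! Keep the last 500 logged commands (default 100)
  logging size 500
  ! Never record the argument of key/secret/password commands
  hidekeys
  ! Send each logged command to syslog as readable text
  notify syslog contenttype plaintext
!
show archive log config all
show archive
```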

4.2 Network Security

4.2.a Switch security features

VACL, PACL

VLAN ACL config

access-list {n} permit ...
! or ip access-list extended {name} / mac access-list extended {name}
vlan access-map {name} [seq]
 match {ip | mac} address {acl}
 action {forward | drop}
! Traffic matching no map entry is dropped, so a final forward-everything entry is normally needed

vlan filter {name} vlan-list {list}

! PACL, applied to the switchport itself; inbound only
int> mac access-group {name} in
int> ip access-group {name} in
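A VACL and a PACL together, as an added example that is not part of the original notes. The VLAN number, interface and protocols are assumptions. The VACL drops legacy cleartext management protocols everywhere in VLAN 10 regardless of routing, and the second map entry exists only because of the implicit drop: without it the VACL would silently black-hole the whole VLAN.

```cisco
! Added example, not from the original notes. VLAN, interface and protocols are assumptions.
ip access-list extended LEGACY-PROTOS
 permit tcp any any eq telnet
 permit udp any any eq tftp
ip access-list extended ANY-IP
 permit ip any any
!
vlan access-map VLAN10-VACL 10
 match ip address LEGACY-PROTOS
 action drop
vlan access-map VLAN10-VACL 20
 match ip address ANY-IP
 action forward
! Only VLAN 10 is filtered; other VLANs are untouched
vlan filter VLAN10-VACL vlan-list 10
!
! PACL on one access port: the host may never source SMB to anyone
ip access-list extended PACL-NO-SMB
 deny tcp any any eq 445
 permit ip any any
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 10
 ip access-group PACL-NO-SMB in
!
show vlan access-map
show vlan filter
show ip access-lists PACL-NO-SMB
```

A VACL sees bridged and routed traffic in the VLAN in both directions, so any permit entry has to cover replies too; a PACL only sees what enters that port.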

Storm control

Rate limiting of broadcast, multicast and unknown unicast on the port level based on a percentage of bandwidth, pps or bps. By default only the violating traffic type is suppressed (dropped) until it falls below the falling threshold; other traffic passes as usual. Alternatively the switch can send an SNMP trap or err-disable the port with storm-control action. Traffic is measured over a 1-second interval and separate rising and falling thresholds can be set so the port does not flap around a single value. The hardware rate limiter only works below 1k pps.

storm-control {broadcast | multicast | unicast} level {level [level-low] | pps {pps} [pps-low] | bps {bps} [bps-low]}
storm-control action {shutdown | trap}

DHCP Snooping, DHCP option 82

DHCP snooping establishes "trusted" (server/uplink) and "untrusted" (host) ports and builds a binding table of MAC, IP, lease time, VLAN and port from the DHCP exchanges it sees.

For untrusted ports the switch does the following:

  1. Drops all DHCP server messages (DHCPOFFER, DHCPACK, DHCPNAK, DHCPLEASEQUERY), so a rogue server behind a host port is never heard.
  2. Verifies any DHCPRELEASE or DHCPDECLINE against the DHCP snooping binding table, so a host cannot release someone else's lease.
  3. Compares the client hardware address (chaddr) in the DHCP request with the Ethernet source MAC.
ip dhcp snooping
ip dhcp snooping vlan {range}
int> ip dhcp snooping trust

! Static binding
ip dhcp snooping binding {mac} vlan {vlan} {ip} interface {int} expiry {seconds}

! Verify chaddr against the Ethernet source MAC (on by default)
ip dhcp snooping verify mac-address

! Rate limit DHCP on an untrusted port; exceeding it err-disables the port
int> ip dhcp snooping limit rate {pps}

! Option 82 insertion (on by default once snooping is enabled)
ip dhcp snooping information option [format remote-id {hostname | string {string}}]

On an untrusted port the switch also drops any DHCP packet that carries a non-zero giaddr (relay-agent IP address) or that already contains option 82 information, since only a relay or server should produce those.

Use ip dhcp snooping information option allow-untrusted on the aggregation switch when an access switch behind an untrusted port inserts option 82. Making the uplink trusted instead (ip dhcp snooping trust) also lets the packets through, but the aggregation switch then builds no bindings for those hosts. On the relay agent (router), ip dhcp relay information trusted is needed to accept packets that carry option 82 but a giaddr of 0.0.0.0, which is exactly what a snooping switch that is not itself a relay inserts; without it the relay drops them and clients silently fail to get addresses.

Option 82 is only supported on switches with DHCP snooping enabled.

By default the remote ID sub-option is the switch base MAC address (hostname or a fixed string with the format keyword) and the circuit ID identifies the VLAN and the module/port the request arrived on.

The default option 82 forwarding behaviour on a relay (ip dhcp relay information policy) is replace: existing relay-agent information is overwritten with the relay's own.

IP Source Guard

Blocks traffic from source addresses (and optionally source MACs) that do not appear in the DHCP snooping binding table, so a host cannot spoof another host's IP. It only applies to untrusted L2 ports. For static hosts the same can be achieved through the IP device tracking database, or by adding static bindings outside the DHCP snooping database on non-routed switchports.

tracking enables IPSG based on IP device tracking, mac-check also filters on the source MAC for static hosts. When applied on a trunk the filter is active for all VLANs on it. IPSG only filters IP traffic; ARP is not covered, which is what DAI is for.

int> ip verify source [tracking] [mac-check]
ip source binding {mac} vlan {vlan} {ip} interface {int}

! A maximum must be set for IP-tracking based IPSG to work.
int> ip device tracking maximum {n}

! Verification
show ip verify source [interface {int}]
show ip device tracking [all | interface {int} | ip {ip}]

Dynamic ARP Inspection

Only works on ingress. Verification uses the DHCP snooping binding table and/or static ARP ACLs.

  • Intercepts all ARP requests and replies on untrusted ports
  • Verifies the sender IP-to-MAC binding against the binding table (or an ARP ACL) and drops ARP packets with an invalid binding
  • Optionally validates the ARP payload against the Ethernet header (mismatch between the ARP addresses and the Ethernet frame addresses)

Additional validation can be enabled with the following keywords:

  • src-mac - Check the Ethernet source MAC against the sender MAC in the ARP body (requests and responses)
  • dst-mac - Check the Ethernet destination MAC against the target MAC in the ARP body (responses only)
  • ip - Drop ARP packets with invalid or unexpected IPs (0.0.0.0, 255.255.255.255, multicast); the sender IP is checked in requests and responses, the target IP in responses only
! Enable per VLAN, then (optionally) the extra validation
ip arp inspection vlan {range}
ip arp inspection validate {src-mac} {dst-mac} {ip}

! Add static entries for hosts that do not use DHCP
arp access-list {name}
 permit ip host {ip} mac host {mac}

ip arp inspection filter {name} vlan {range} [static]
! Without static, packets matching nothing in the ACL are checked against the
! DHCP snooping bindings. With static the ACL's implicit deny is final, so
! unmatched packets are dropped without consulting the bindings.

! Add trusted port (uplinks to other switches); DAI is not performed on trusted ports
int> ip arp inspection trust

! Rate limit ARP on untrusted ports, 15 packets/s is the default; exceeding it
! err-disables the port (recover with errdisable recovery cause arp-inspection)
int> ip arp inspection limit rate {pps} [burst interval {seconds}]

! Verify
show arp access-list {name}
show ip arp inspection [interfaces | vlan {range} | statistics]
show ip arp inspection log

For rate limiting on EtherChannels spanning stacked switches, the limit applies per chassis: each member switch counts the ARP packets arriving on its own ports.
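An access-switch configuration that combines the storm-control, DHCP snooping, DAI and IP Source Guard sections above, as an added example that is not part of the original notes. VLANs, interfaces and the printer's address are assumptions, and the ip verify source mac-check form is Catalyst 9000 syntax (older platforms use ip verify source port-security). The order matters: snooping builds the bindings, DAI and IPSG enforce them, and the uplink is the only trusted port.

```cisco
! Added example, not from the original notes. VLANs, interfaces and addresses are assumptions.
! Global: snoop VLAN 10 and 20; option 82 off because the upstream relay does not trust it
ip dhcp snooping
ip dhcp snooping vlan 10,20
no ip dhcp snooping information option
! Persist bindings so a reload does not leave every host blocked by DAI/IPSG
ip dhcp snooping database flash:dhcp-snoop.db
! DAI on the same VLANs, with full validation of the ARP payload
ip arp inspection vlan 10,20
ip arp inspection validate src-mac dst-mac ip
! Ports shut down by DAI or storm control recover on their own after 5 minutes
errdisable recovery cause arp-inspection
errdisable recovery cause storm-control
errdisable recovery interval 300
!
! Uplink towards distribution / the DHCP server: trusted, no limits
interface TenGigabitEthernet1/1/1
 description UPLINK
 ip dhcp snooping trust
 ip arp inspection trust
!
! Access ports: untrusted, rate limited, source guarded, storm controlled
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 ip verify source mac-check
 storm-control broadcast level pps 1k 500
 storm-control multicast level pps 2k 1k
 storm-control action trap
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! A printer with a static address that never sends DHCP needs a manual binding
ip dhcp snooping binding 0011.2233.4455 vlan 10 10.10.0.50 interface GigabitEthernet1/0/24 expiry 4294967295
!
show ip dhcp snooping
show ip dhcp snooping binding
show ip arp inspection vlan 10
show ip verify source
```

The usual failure when turning this on is not an attack but hosts with long leases that never re-DHCP: the binding table is empty after the change, so IPSG and DAI block them until they renew. Enabling the database file, or bouncing the ports, avoids that.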

Private VLAN

vlan {n}
 private-vlan primary
 private-vlan association {secondary-vlan-list}

vlan {n}
 private-vlan isolated
! isolated: hosts only reach promiscuous ports, never each other

vlan {n}
 private-vlan community
! community: hosts reach each other and promiscuous ports

Router security features

IPv6 Traffic Filters

int> ipv6 traffic-filter {acl-name} {in | out}

IPv4 Access Control Lists

ACLs can be standard or extended and numbered or named. Standard ACLs match on source address only, while extended ACLs match on source, destination, protocol and ports.

ACLs are applied as:

  • Terminal line - access-class {n} {in|out}
  • IP interface - ip access-group {n} {in|out}

Unicast Reverse Path Forwarding

Modes:

  • Strict - Verify that a route to the source exists and points out the interface the packet arrived on
  • Loose - Verify that a route to the source exists in the table at all (any interface)

Requires CEF. All ECMP routes are considered best paths. The uRPF check is done after the input ACL is evaluated. uRPF belongs on the interfaces facing the sources it should validate: strict on single-homed "downstream"/customer interfaces at the edge, loose where paths are asymmetric (upstream/peering). Beware of asymmetric routing when using strict mode, and note that the default route does not satisfy either check unless allow-default is given.

The ACL option lets packets that fail the RPF check still be forwarded (and counted) when the ACL permits them; use it for the few legitimate exceptions. Older IOS only accepts numbered ACLs here.

int> ip verify unicast source reachable-via {any (loose) | rx (strict)} [allow-default] [allow-self-ping] [acl]
show ip traffic            # "unicast RPF" drop counters
show ip interface {int}    # Shows "IP verify source reachable-via" when enabled
show cef interface {int}   # Shows whether the RPF check is enabled
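Strict and loose mode side by side on an edge router, as an added example that is not part of the original notes. Interfaces, prefixes and the dual-homed monitoring host are assumptions. The monitoring host shows what the ACL option is for: its packets legitimately arrive on the "wrong" interface, so they fail the strict check but are forwarded because ACL 101 permits them.

```cisco
! Added example, not from the original notes. Interf., prefixes and hosts are assumptions.
ip cef
! Exception: a dual-homed monitoring box whose traffic arrives on the customer side
access-list 101 permit ip host 10.250.0.5 any
!
! Customer/downstream interface: single path, so strict mode drops spoofed sources.
! Packets failing the check but permitted by ACL 101 are still forwarded and counted.
interface GigabitEthernet0/0/1
 description CUSTOMER-A
 ip address 192.0.2.1 255.255.255.252
 ip verify unicast source reachable-via rx 101
!
! Upstream interface: routing is asymmetric, so only loose mode is safe.
! allow-default is required here, otherwise every source only covered by the
! default route fails the check.
interface GigabitEthernet0/0/0
 description UPSTREAM
 ip address 198.51.100.2 255.255.255.252
 ip verify unicast source reachable-via any allow-default
!
! Verification: per-interface state and the global drop counters
show ip interface GigabitEthernet0/0/1 | include verify
show cef interface GigabitEthernet0/0/1 | include RPF
show ip traffic | include RPF
```

Watch the RPF drop counter before and after enabling strict mode on a customer interface; a steadily climbing counter with no customer complaints is spoofed traffic, a counter that climbs together with complaints is asymmetric routing.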

IPv6 infrastructure security features

RA Guard

Similar to ip dhcp snooping trust, but with a policy that defines what a port may do. On a port with device-role host all RAs (and router redirects) are dropped; on a router-role port they are allowed and can be further filtered. Older platforms could be evaded with RAs hidden behind fragmentation or extension headers (RFC 7113), so verify the platform drops those too.

ipv6 nd raguard policy {name}
policy> device-role {host | router | monitor}
policy> hop-limit {minimum | maximum} {value}
policy> managed-config-flag {on | off}
policy> match ra prefix-list {name}
policy> match ipv6 access-list {name}
policy> router-preference maximum {high | medium | low}
policy> trusted-port ! Disables all checks for this port

int> ipv6 nd raguard attach-policy {name}
show ipv6 nd raguard policy {name}

DHCP Guard

Very similar to IPv4 DHCP snooping.

Only server-type messages (ADVERTISE, REPLY, RECONFIGURE) are inspected; client messages are always allowed, so a client-role port drops everything a rogue DHCPv6 server would send. Not supported on EtherChannel interfaces.

ipv6 dhcp guard policy {name}
policy> device-role {server | client}
policy> match server access-list {acl}  ! Whitelist server/relay source addresses
policy> match reply prefix-list {pl}    ! Whitelist the prefixes handed out in replies
policy> preference {min | max} {value}

int> ipv6 dhcp guard attach-policy {name}

Binding table

Common binding table used by the IPv6 first-hop security features (on newer IOS XE the same database is managed by SISF under device-tracking policy).

The table contains:

  • Interface ID
  • MAC addr
  • VLAN
  • IPv6 addr

The binding table can be populated with:

  • ND inspection/IPv6 snooping (gleaning NS/NA)
  • RA Guard
  • DHCPv6 guard (gleaning server replies)
  • Static bindings
ipv6 snooping policy {name}
policy> security-level {glean | guard | inspect}
policy> tracking {enable | disable}

int> ipv6 snooping attach-policy {name}
show ipv6 snooping policies
show ipv6 neighbor binding

IPv6 glean fills in missing information in the binding table by learning from DHCP or ND traffic without enforcing anything. inspect also validates messages and enforces address ownership; guard (the default) does what inspect does and additionally blocks unauthorized RAs and DHCP server messages.

Device tracking

Tracks whether a device is active or not for the purpose of immediately updating the binding table. Device tracking relies on other first-hop security features to populate the binding table.

ipv6 neighbor tracking [retry-interval value]

ND Inspection/Snooping

Neighbor Discovery inspection learns IPv6-to-MAC bindings from NS/NA messages into the binding table and drops ND messages that conflict with the binding recorded for another port (an attempt to claim someone else's address).

ND inspection does not drop spoofed data traffic, only spoofed ND messages; pair it with source guard for that.

ipv6 nd inspection policy {name}
policy> drop-unsecure                  ! Drop ND messages without CGA/RSA signature options
policy> sec-level minimum {level}      ! Minimum security level for CGA addresses
policy> device-role {host | monitor | router}
policy> tracking {enable | disable}    ! Override default tracking
policy> trusted-port                   ! Disables all checks

int> ipv6 nd inspection [attach-policy {name}] [vlan {add | except | none | remove | all} {list}]

! Static binding
ipv6 neighbor binding vlan {vlan} {ipv6} interface {int} {mac}

show ipv6 snooping policies
show ipv6 neighbor binding

Source Guard

Denies traffic whose source address is not in the IPv6 binding table for that port (the IPv6 counterpart of IP Source Guard), so a host cannot send from an address it has not been seen to own.

ipv6 source-guard policy {name}
policy> permit link-local          ! Always allow link-local sources; otherwise the host's own ND gets blocked
policy> deny global-autoconfig     ! Deny traffic from SLAAC addresses, e.g. when DHCPv6 is mandatory

int> ipv6 source-guard attach-policy {name}

Prefix guard

A part of source guard that validates that the prefix of a packet's source address makes sense topologically (is one the router has announced or delegated on that link). Prefix guard gets its information from:

  1. Gleaning prefixes in RAs
  2. Gleaning delegated prefixes in DHCPv6 (PD)
  3. Static configuration
ipv6 source-guard policy {name}
policy> validate prefix

int> ipv6 source-guard attach-policy {name}
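The RA guard, DHCPv6 guard, binding table/snooping and source guard sections above wired together on one access switch, as an added example that is not part of the original notes. The prefix, server address, VLAN and interfaces are assumptions, and the example uses the classic per-feature policy syntax the notes use (newer IOS XE folds most of it into device-tracking policy). The assumption behind deny global-autoconfig is that hosts get addresses from DHCPv6, so traffic from a SLAAC address is by definition a host that ignored the M flag.

```cisco
! Added example, not from the original notes. Prefix, addresses, VLAN and interfaces are assumptions.
! RA guard: only the uplink may send RAs, and only for the prefix we own
ipv6 prefix-list ALLOWED-PFX seq 10 permit 2001:db8:10::/64
ipv6 nd raguard policy HOSTS
 device-role host
ipv6 nd raguard policy UPLINK
 device-role router
 match ra prefix-list ALLOWED-PFX
!
! DHCPv6 guard: server messages only from the real server, and only via the uplink
ipv6 access-list DHCP6-SERVERS
 permit ipv6 host 2001:db8:10::53 any
ipv6 dhcp guard policy HOSTS
 device-role client
ipv6 dhcp guard policy UPLINK
 device-role server
 match server access-list DHCP6-SERVERS
!
! Binding table from ND/DHCP gleaning (guard level also enforces it),
! then source guard drops data traffic from unknown or SLAAC sources
ipv6 snooping policy HOSTS
 security-level guard
 tracking enable
ipv6 source-guard policy HOSTS
 permit link-local
 deny global-autoconfig
!
interface range GigabitEthernet1/0/1 - 24
 switchport access vlan 10
 ipv6 nd raguard attach-policy HOSTS
 ipv6 dhcp guard attach-policy HOSTS
 ipv6 snooping attach-policy HOSTS
 ipv6 source-guard attach-policy HOSTS
interface TenGigabitEthernet1/1/1
 ipv6 nd raguard attach-policy UPLINK
 ipv6 dhcp guard attach-policy UPLINK
!
show ipv6 nd raguard policy HOSTS
show ipv6 snooping policies
show ipv6 neighbor binding
```

Check show ipv6 neighbor binding after the hosts have been up for a while: a host that sends traffic but has no entry is exactly what source guard will block, so the table tells you in advance who will break.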

IEEE 802.1X Port-Based Authentication

! Global switch for the whole feature
dot1x system-auth-control

! Per-interface building blocks
int> dot1x pae authenticator
int> authentication host-mode {single-host | multi-host | multi-domain | multi-auth}
int> authentication open
int> mab

! Let the switch start authenticating on link up (both dot1x and MAB need this)
int> authentication port-control auto
! Or force the state
int> authentication port-control {force-authorized | force-unauthorized}

! Max auth sessions per interface can be set globally
access-session limit profile

! Allow authenticated devices to move between ports on the switch without waiting for the old session to age out
authentication mac-move permit

! Behaviour when a new MAC shows up beyond what the host mode allows
int> authentication violation {protect | restrict | shutdown | replace}
! protect  - drop the new MAC's packets silently
! restrict - drop them and log/send a trap
! shutdown - err-disable the port
! replace  - terminate the existing session and authenticate the new MAC instead

!! Verification/show
show authentication sessions [interface {int}] [details]
show dot1x interface {int}

Phased implementation:

  • Phase 1 - Monitor mode, open authentication: everything is forwarded whether or not authentication succeeds, the switch only reports who would have failed.
authentication open

Open authentication in DNAC

  • Phase 2 - Low-impact mode, monitor mode + a pre-auth port ACL, replaced by a dACL from ISE once authenticated.
authentication open
ip access-group {name} in

The port ACL restricts unauthenticated traffic to the must-haves (DHCP, DNS, PXE, ISE) and a permit-any dACL opens the port up once authenticated. Easy Connect on the DNAC.

  • Phase 3 - Closed mode, closed authentication: no traffic except EAPOL until authenticated.
no authentication open
authentication periodic
authentication timer reauthenticate server

Preferred for VLAN-based enforcement (and SDA) because the client does not get an IP address before authentication, so it never has to renew into a different VLAN afterwards.

Device roles, port states

Device roles

  • Supplicant, agent on client
  • Authenticator, the device being connected to.
  • Authentication Server, identitiy server/ISE

Port states

  • Unauthorized - Only EAPOL passes; the control protocols the switch itself runs (STP, CDP, LLDP) are unaffected
  • Authorized - Anything

Authentication process

  1. EAPOL-Start (from the supplicant; optional, the switch also starts on link up)
  2. EAP-Request/Identity (from the authenticator)
  3. EAP-Response/Identity -> RADIUS Access-Request
  4. RADIUS Access-Challenge -> EAP-Request (method, e.g. OTP, TLS, PEAP)
  5. EAP-Response (method) -> RADIUS Access-Request, repeated until the method completes
  6. RADIUS Access-Accept -> EAP-Success (Access-Reject -> EAP-Failure)

authentication port-control auto must be enabled for MAB to work on non-dot1x devices. With the default authentication order (dot1x first) MAB only starts after the dot1x identity requests time out (tx-period × (max-reauth-req + 1)); authentication order mab dot1x, combined with authentication priority dot1x mab so that a real supplicant still wins, starts MAB immediately.

Host modes

  • Single host mode, single mac address allowed.
  • multi host mode, first mac address must authenticate but others are allowed.
  • multi domain auth mode, a single mac address is allowed in the voice and data vlan.
  • multi auth mode, single phone allowed, multiple users are allowed to authenticate in the data vlan.

The DNAC provisions multi-auth mode by default and is considered the “most normal”. Multi-auth mode only supports having a single data vlan. authentication host-mode [single-host|multi-host|multi-domain|multi-auth]
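A closed-mode port with dot1x, MAB fallback and server-dead handling, combining the phases, timers and host modes above, as an added example that is not part of the original notes. The RADIUS server, key, VLANs and interface are assumptions. With the timers shown MAB starts after tx-period × (max-reauth-req + 1) = 5 × 3 = 15 seconds of supplicant silence, and a dead ISE puts the port in the critical VLAN instead of locking everyone out.

```cisco
! Added example, not from the original notes. Server, key, VLANs and interface are assumptions.
aaa new-model
radius server ISE
 address ipv4 10.0.0.20 auth-port 1812 acct-port 1813
 key ChangeMe
aaa group server radius ISE-GROUP
 server name ISE
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
aaa accounting dot1x default start-stop group ISE-GROUP
! Needed so ISE can return dACLs/VLANs and send CoA
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server vsa send authentication
aaa server radius dynamic-author
 client 10.0.0.20 server-key ChangeMe
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 ! Closed mode: nothing but EAPOL passes until the session is authorized
 authentication port-control auto
 authentication host-mode multi-auth
 ! dot1x first, MAB when the supplicant stays silent
 dot1x pae authenticator
 dot1x timeout tx-period 5
 dot1x max-reauth-req 2
 mab
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 ! ISE unreachable: critical VLAN rather than a dead port
 authentication event server dead action authorize vlan 999
 authentication event server alive action reinitialize
 ! Reauthenticate on the Session-Timeout the server hands back
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 spanning-tree portfast
!
show authentication sessions interface GigabitEthernet1/0/1 details
show dot1x interface GigabitEthernet1/0/1
```

Roll this out as the phase list describes: the same interface block with authentication open added is the monitor-mode version, and the only change for closed mode is removing that line.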

4.3 System Management

Device management

Console and VTY

line con 0
line vty 0 15

SSH, SCP

! Needs hostname and ip domain-name set first; then SSHv2 only
crypto key generate rsa modulus 4096
ip ssh version 2
line> transport input ssh

RESTCONF, NETCONF

Both require privilege level 15 or equivalent.

! Enable restconf
ip http secure-server
restconf

! Enable netconf
netconf-yang

SNMP

Simple Network Management Protocol, consists of SNMP-Agents(devices monitored) and SNMP-Managers(Monitoring server). The SNMP managers uses SMIs describing the tree structure of MIBs to be polled on SNMP-agents. MIB-I, MIB-II and RMON are notable standardized MIBs. All messages except traps/informs and responses are initiated by the SNMP-Manager.

Traps and Informs are both used to send notifications to the SNMP manager. Traps are single messages sent to the SNMP manager without being confirmed, Informs are equal to Traps but require confirmation from the SNMP manager. Traps are preferred unless it is crucial that every notification is received, this is due to the network and memory overhead caused by enabling informs.

Transport:

  • UDP/161 - All manager->agent traffic
  • UDP/162 - All notifications(manager bound)

Versions:

  • SNMPv1 - Community string ("password") auth, sent in cleartext
  • SNMPv2 - Party-based security model, never widely deployed
  • SNMPv2c - Community string auth again, introduced GetBulk and Inform
  • SNMPv3 - Introduced user-based integrity checks, authentication (MD5, SHA) and encryption (DES, 3DES, AES)

Messages:

  • Get
  • GetNext
  • GetBulk (v2+ only)
  • Set
  • Response
  • Trap
  • Inform (v2+ only)

v2c

access-list 33 permit 192.168.1.0 0.0.0.255
! ro/rw community, restricted by ACL to the NMS source; a rw community is effectively a cleartext admin password
snmp-server community {string} {ro | rw} [acl]

! Enable notifications.
snmp-server host {host} [traps | informs] [version 2c] {community} [notification-type]
snmp-server enable traps {service}

! Notification parameters
snmp-server trap-source {int}
snmp-server informs [retries {n}] [timeout {s}] [pending {n}]


! Information for identification
snmp-server location {}
snmp-server contact {}
snmp-server chassis-id {}

! Allow shutdown through SET command
snmp-server system-shutdown

v3

Views select what a group may see. Without a read view the group can read everything (the default view); without a write view it cannot write anything.

! Configure view
snmp-server view {name} {oid-tree} {included | excluded}

! Group; noauth = noAuthNoPriv, auth = authNoPriv, priv = authPriv
snmp-server group {name} v3 {auth | noauth | priv} [read {view}] [write {view}] [notify {view}] [access {acl}]

! User. snmp-server user lines are not shown in the running-config (use show snmp user), and the
! user is bound to the local engineID, so changing the engineID deletes the users.
snmp-server user {name} {group} v3 auth {md5 | sha} {pass} priv {des | 3des | aes {128 | 192 | 256}} {pass}

! Enable notifications. v3 informs additionally require the remote engineID and a remote user.
snmp-server host {host} [traps | informs] version 3 {auth | noauth | priv} {user}
snmp-server enable traps {service}
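A complete SNMPv3 configuration of the kind the v3 skeleton above describes, as an added example that is not part of the original notes. The NMS address, names and passphrases are assumptions. The view excludes the USM and VACM MIBs so that a read-only poller cannot enumerate users and access rights, the group is authPriv only, and traps rather than informs are used because v3 informs additionally require the NMS engineID and a remote user.

```cisco
! Added example, not from the original notes. Addresses, names and passphrases are assumptions.
! Only the NMS may talk SNMP to this box
ip access-list standard SNMP-NMS
 permit host 10.0.0.30
 deny any log
!
! View: everything, minus the MIBs that describe users and access control
snmp-server view RO-VIEW iso included
snmp-server view RO-VIEW snmpUsmMIB excluded
snmp-server view RO-VIEW snmpVacmMIB excluded
! Group: authPriv mandatory, read-only, restricted by the ACL
snmp-server group NMS-GROUP v3 priv read RO-VIEW access SNMP-NMS
! User: SHA auth, AES-256 privacy. Not shown in running-config; see "show snmp user"
snmp-server user nms-poller NMS-GROUP v3 auth sha AuthPassChangeMe priv aes 256 PrivPassChangeMe
!
! Notifications as v3 authPriv traps from a stable source address
snmp-server enable traps snmp authentication linkdown linkup coldstart
snmp-server enable traps config
snmp-server host 10.0.0.30 traps version 3 priv nms-poller
snmp-server source-interface traps Loopback0
! No v1/v2c communities at all
no snmp-server community public
!
show snmp user
show snmp group
show snmp host
```

Because the user is tied to the engineID, set the engineID (or accept the default one) before creating users and never change it afterwards on a box that is already monitored.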

Logging

Local logging, syslog, debugs, conditional debugs

Logging levels:

  • 0 Emergencies
  • 1 Alerts
  • 2 Critical
  • 3 Errors
  • 4 Warnings
  • 5 Notifications
  • 6 Information
  • 7 Debugging

Local logging

! Set threshold for logs sent to the console
logging console {level}
! Disable console logging (debug output on a console line will otherwise stall the box)
no logging console

! Logs stored in RAM
logging buffered {size} {level}

Debugging

debug condition {interface {int} | ip {addr} | mac {mac} | ...}
debug {service}
undebug all ! Stop all debugs (un all)

Syslog configuration

logging host {}
logging source-interface {}
logging trap {level} ! level for syslog server

! Generate SNMP trap for level
logging snmp-trap {level} 

Timestamps

!! Configure clock/date appropriately
clock timezone {zone} {offset}
clock summer-time {zone} recurring [week day month hh:mm week day month hh:mm]
ntp server {addr}

!! Enable timestamps
service timestamps debug {datetime [msec] [localtime] [show-timezone] [year] | uptime}
service timestamps log {datetime [msec] [localtime] [show-timezone] [year] | uptime}
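The local logging, syslog, conditional debug and timestamp pieces above as one configuration, as an added example that is not part of the original notes. The syslog host, NTP server and interface are assumptions. Time is configured first on purpose: without synchronized clocks and millisecond, timezone-qualified timestamps the logs cannot be correlated with anything else during an incident.

```cisco
! Added example, not from the original notes. Syslog host, NTP server and interface are assumptions.
! Time first; nothing below is useful with wrong clocks
clock timezone UTC 0 0
ntp server 10.0.0.40
service timestamps log datetime msec localtime show-timezone year
service timestamps debug datetime msec localtime show-timezone
service sequence-numbers
!
! Local buffer big enough to survive a syslog outage, informational and up
logging buffered 512000 informational
! Keep the console quiet; debug output goes to the buffer and monitor sessions
no logging console
logging monitor informational
!
! Remote syslog from a stable source address
logging source-interface Loopback0
logging host 10.0.0.50 transport udp port 514
logging trap informational
!
! Conditional debug: only emit debug lines for one interface, then stop everything
debug condition interface GigabitEthernet0/0/1
debug ip packet
undebug all
!
show logging
```

Keep logging trap one level stricter than logging buffered when the syslog link is slow; the buffer is where you look first anyway, and debug-level output to a remote collector can saturate a management link.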

4.4 Quality of Service

End to end L3 QoS using MQC

Three parts of MQC configuration:

  1. Classification with class-map
  2. Define policy which maps classes to policies with policy-map
  3. Apply a defined policy on interfaces with service-policy

Precedence values (IPP) are the legacy way of marking packets. The IPP value is set in the 3 highest bits of the ToS byte:

  • 0 - Routine
  • 1 - Priority
  • 2 - Immediate
  • 3 - Flash
  • 4 - Flash Override
  • 5 - Critical
  • 6 - Internetwork control
  • 7 - Network control

General rules for classification and marking:

  1. Classification happens on ingress.
  2. Marking (setting the field) takes effect as the packet leaves, on egress.
  3. All marking/classification must make sense for the interface type (CoS only exists on dot1q trunks, DSCP only in IP headers).

DiffServ

A redefinition of the ToS field to DiffServ field. DS uses 6b for marking and 2 bits for ECN.

Expedited forwarding

EF marked packets should be given queueing priority but should be policed heavily as to not starve other queues.

Class Selector PHB

Backwards compatible with IPP, using only the 3 highest bits for marking (CSx equals IPP x, i.e. DSCP value 8 × x):

  • CS0 - Default/Routine
  • CS1 - Priority
  • CS2 - Immediate
  • CS3 - Flash
  • CS4 - Flash override
  • CS5 - Critical
  • CS6 - Internetwork control
  • CS7 - Network control

Higher values should be given better queuing treatment.

Assured Forwarding PHB

Named AF{class}{drop-precedence}; by convention a higher class number gets the better queue, and a lower drop precedence is better. Class is 1-4 while drop precedence is 1-3: AF21 is queued worse than AF41, and AF33 is dropped before AF22.

The first three bits (the class) map onto the IPP bits for backwards compatibility, the next two bits carry the drop precedence and the last bit is 0, so the decimal DSCP is 8 × class + 2 × drop precedence, e.g. AF41 = 8 × 4 + 2 × 1 = 34 and AF11 = 10.

CoS and DSCP Mapping

Achieved through creating an inbound and an outbound policy-map that sets the relevant value based on medium. E.g. a policy-map that converts cos to dscp inbound and a policy-map that converts dscp to cos outbound.

Traffic must be dot1q (or ISL) encapsulated to be able to carry CoS values; an untagged frame on the native VLAN has no CoS.

Classification

Classification can be done based on:

  • NBAR
  • IP ACL
  • Existing markings

Rules for matching logic

  • Up to 4 COS/IPP values or 8 DSCP values can be matched in a single match statement.
  • AND logic is used by default if multiple match statements exist in a class-map. Can be overriden by specifying match-any on the class-map.
  • Match statements referring to another class-map results in a match if the referenced class-map returns a match.
class-map [match-any] {name}
 match protocol {name}
 match access-group {name} 
 match ip dscp {value}
 match ip precedence {value}
 match cos {value}
 match class {name}

Inspection of the inner headers fails when traffic is tunnelled/encrypted outbound, because classification on the physical interface only sees the outer header. Marking/policing based on the values copied into the outer header (the ToS byte) is still possible. When inspection of the inner headers is necessary on the egress policy, qos pre-classify classifies the packet before encapsulation and carries the result to the physical interface.

qos pre-classify is entered on the tunnel interface for GRE/IPIP tunnels and on the crypto map for IPsec.

Network Based Application Recognition (NBAR)

Used for matching upper-layer protocols.

Defining custom protocols:

ip nbar custom {name} [offset [format value ]] [variable field-name field-length ] [source | destination ] [tcp | udp ] [range start end | port-number ]

Protcol discovery:

int> ip nbar protocol-discovery [ipv4 | ipv6]
show ip nbar protocol-discovery...

Marking using IP Precedence, DSCP, CoS

  • Marking with MQC requires CEF.
  • Policy maps work based on “first-match” logic.
  • Multiple values can be set for a single class.
  • All packets not matched by a specific class is considered to be in the “class-default”.
policy-map {name}
 class {name}
  set {ip precedence | ip dscp | cos} {value}
 class class-default

show policy-map {name} ! View settings
show policy-map interface {} ! View matching/marking statistics

Class of Service is used for marking ethernet frames on dot1q trunks. The 3 highest bits in the tag field are used for QoS.

Cisco recommends using a max of 4-5 different values for marking.
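An ingress trust-boundary policy that combines the classification, NBAR, marking and policing sections, as an added example that is not part of the original notes. Interfaces, ACL names and rates are assumptions. The security-relevant design choice is that nothing the host sent is trusted: everything is re-marked from the router's own classification, and voice is only granted EF within a policed budget, so a host cannot buy priority treatment by setting DSCP 46 on a flood.

```cisco
! Added example, not from the original notes. Interfaces, names and rates are assumptions.
ip access-list extended SIGNALING
 permit tcp any any range 5060 5061
 permit udp any any range 5060 5061
!
class-map match-any VOICE-RTP
 match protocol rtp audio
class-map match-any SIGNALING
 match access-group name SIGNALING
class-map match-any BULK
 match protocol ftp
 match protocol smtp
!
policy-map MARK-INGRESS
 class VOICE-RTP
  ! Single-rate three-color policer: EF within the budget, re-marked to
  ! best effort when exceeding, dropped when violating
  police cir 128000 bc 8000
   conform-action set-dscp-transmit ef
   exceed-action set-dscp-transmit default
   violate-action drop
 class SIGNALING
  set ip dscp cs3
 class BULK
  set ip dscp af11
 class class-default
  ! Untrusted: strip whatever marking the host sent
  set ip dscp default
!
interface GigabitEthernet0/0/1
 description LAN
 service-policy input MARK-INGRESS
!
! Same traffic leaving through a GRE tunnel: classify before encapsulation
interface Tunnel0
 qos pre-classify
!
show policy-map interface GigabitEthernet0/0/1 input
```

The exceed-action re-marks rather than drops so that a legitimately busy call degrades instead of failing, while the violate-action drop caps what any single class can push into the network.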

Policing, shaping

Shaping

Using a shaping queue to delay outbound packets as a means to not exceed a CIR. Shaping only takes effect when traffic exceeds the contract (shaped rate) and is logically performed before CBWFQ/LLQ software queuing: the shaper decides when packets may leave, the queuing decides which.

Interfaces must transmit at their physical clock rate. To shape to a lower rate than line rate the router alternates between sending and not sending to achieve the desired average.

  • Tc - The fixed time interval the shaper works in. Tc = Bc / shaping rate
  • Bc - Committed burst, the number of bits sent per Tc
  • Be - Excess burst, the number of extra bits that can be sent after a period of inactivity

Token bucket model:

A token generator generates Bc tokens every Tc and puts it in the bucket. Each token is 1 bit and the router can send bits until the bucket is empty. If a Be is set this value is added to the capacity of the bucket.

Shaping is configured by setting the shaping rate, the Tc can only be controlled by defining the Bc. The default values if only rate is configured: Be=Bc, Tc=25ms

Bc + Be tokens are refilled every Tc when peak is used instead of average, so the shaper actually sends at PIR = CIR × (1 + Be/Bc).

Adaptive shaping adjusts parameters based on observed bandwidth/throughput. Configured in addition to regular average/peak shaping.

policy> shape [average | peak] {rate} [[Bc] [Be]]
policy> shape average {percent} {bc} ms {be} ms
! Note subinterfaces do not adopt the bandwidth from the physical interface.

policy> shape adaptive {min rate}

Policing

Dropping or re-marking packets to keep a flow at or below the CIR, inbound or outbound, without buffering anything.

In single-rate, three-color policing Be is implemented as a "spill-over" bucket: tokens the Bc bucket has no room for accumulate in the Be bucket. In dual-rate, three-color policing Be is a separate bucket with its own token generator running at the PIR. The difference from single-rate is that sustained bursting up to the PIR is allowed in dual-rate. A packet conforms when tokens can be drawn from both buckets, exceeds when they can only be drawn from the PIR/Be bucket, and violates when neither bucket has enough.

Actions can be set for conforming, exceeding or violating packets.

Available actions:

  • drop
  • set-{dscp|prec}-transmit
  • transmit

The default Bc, if not configured, is what can be sent in 0.25 seconds at the policing rate (CIR / 32 bytes, minimum 1500 bytes). If policing is configured by percentage, Bc and Be must be given in milliseconds.

! Single rate, two-color (bc in bytes)
policy> police cir {bps} bc {bytes}
policy-police> conform-action {action}
policy-police> exceed-action {action}

! Single rate, three-color - identified by the third action
policy> police cir {bps} bc {bytes} be {bytes}
policy-police> conform-action {action}
policy-police> exceed-action {action}
policy-police> violate-action {action}

! Dual rate, three-color - identified by the "pir"
policy> police cir {bps} bc {bytes} pir {bps} be {bytes}
policy-police> conform-action {action}
policy-police> exceed-action {action}
policy-police> violate-action {action}

Congestion management and avoidance

Hardware-queue

The hardware queue/TX ring is always FIFO and is shrunk automatically when software queueing (a queuing policy) is applied, so that more packets wait in the software queues where the scheduler can order them.

int> tx-ring-limit {}

LLQ

Priority queueing: the priority queue is always served before the other queues. The bandwidth specified is policed (only while the interface is congested), which keeps it from starving the other queues. Configured with priority {kbps | percent {n}}; remaining percent is not available for the priority class.

When a priority queue is configured, the bandwidth remaining percent of the other queues is calculated on what is left after the priority bandwidth has been subtracted.

Multiple classes can be configured with priority; they all end up in the same FIFO priority queue (HQF additionally offers priority level 1 and 2 for two distinct priority queues).

Class based Weighted fair Queueing(CBWFQ)

Guarantees a configured amount of bandwidth for a class/queue, configured with bandwidth. Bandwidth for queues not actively used are re-allocated to other queues.

Tail-drop or WRED can be configured per queue. WFQ is available for scheduling inside of the default class.

Each class in the policy-map maps to a queue in MQC with a maximum of 64 queues(including the default class).

policy> bandwidth {{kbps} | percent {} | remaining percent {}}
policy> queue-limit {} ! Max length of queue

WRED

Dropping a few packets early, before the queue is full, so that the affected TCP senders shrink their congestion window, in the hope of avoiding tail drop and the global synchronization that follows when every flow backs off at once.

Can be configured for physical interfaces with FIFO queueing or CBWFQ queues(non LLQ). All other queueing is disabled when WRED is configured on a physical interface. Does not seem to be an option on physical interfaces in IOS-XE 16.12.

Configured with:

  • Minimum percentage
  • Maximum percentage
  • Mark Probability Denominator(MPD)
  • Traffic profiles
  • Exponential-weighing-constant {exp}, should not be changed.

When the average queue depth is above the minimum threshold the drop probability scales linearly until it reaches the maximum threshold; above the maximum every packet is dropped (tail drop). The MPD defines the drop probability at the maximum-threshold end of the scale, calculated as 1/MPD (the default of 10 drops 1 packet in 10 at the maximum threshold).

Traffic profiles define the min threshold, max threshold and MPD for a class/queue, per IPP or DSCP value.

The exponential-weighting-constant n sets how fast the average follows the current queue depth: average = old average × (1 - 2^-n) + current depth × 2^-n. A higher value gives more weight to the old average, so the average reacts more slowly to bursts; a lower value makes WRED react faster. The default (9) is normally left alone.

policy> random-detect ! Enables WRED with IPP
policy> random-detect dscp-based ! Enables DSCP based WRED
policy> random-detect dscp {dscp-val} {min} {max} {mpd}

HQF/HQoS

A hierarchy of policy-maps, packets enter the “top” and traverses the tree.

In a policy-map you can apply another policy-map with the service-policy command.

Differences between HQoS and regular MQC:

  • fair-queue in the default class is purely flow based; the pre-HQF WFQ weighted flows by IPP
  • FIFO is the default for the default class; fair-queue, and CBWFQ with shaping, are opt-in
  • Unused/unallocated bandwidth is assigned to the default class (bandwidth a class leaves idle is shared among the active classes)
  • At least 1% of the bandwidth is always reserved for the default class
  • Oversubscription of a physical interface (policy-maps defined on sub-interfaces) dynamically balances the bandwidth between the logical interfaces
  • Queueing in a child policy adopts the parent's shaping rate as its bandwidth
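A hierarchical egress policy that combines the shaping, LLQ, CBWFQ, WRED and HQoS sections above, as an added example that is not part of the original notes. Rates are assumptions for a 1 Gbps port with a 100 Mbps carrier contract. The parent shaper is what makes the child queues do anything at all: the physical interface is never congested at 1 Gbps, so without the shaper holding packets back no software queue would ever build.

```cisco
! Added example, not from the original notes. Rates are assumptions for a 1 Gbps port
! carrying a 100 Mbps contract.
class-map match-all VOICE
 match ip dscp ef
class-map match-all SIGNALING
 match ip dscp cs3
class-map match-all CRITICAL-DATA
 match ip dscp af31 af32 af33
class-map match-all BULK
 match ip dscp af11 af12 af13
!
! Child: queuing inside the shaped rate
policy-map WAN-QUEUE
 class VOICE
  ! LLQ: strict priority, policed to 10% so it cannot starve the rest
  priority percent 10
 class SIGNALING
  bandwidth remaining percent 5
 class CRITICAL-DATA
  bandwidth remaining percent 30
  ! DSCP-based WRED: AF33 starts dropping earlier than AF31 (min 24 vs 32 packets)
  random-detect dscp-based
  random-detect dscp af31 32 40 10
  random-detect dscp af32 28 40 10
  random-detect dscp af33 24 40 10
 class BULK
  bandwidth remaining percent 10
  random-detect dscp-based
 class class-default
  bandwidth remaining percent 55
  fair-queue
!
! Parent: shape to the contract, then hand the packets to the child queues
policy-map WAN-SHAPE
 class class-default
  shape average 100000000
  service-policy WAN-QUEUE
!
interface GigabitEthernet0/0/0
 description WAN
 service-policy output WAN-SHAPE
!
show policy-map interface GigabitEthernet0/0/0 output
```

The bandwidth remaining percentages add up to 100 and are computed after the priority class has taken its share; the WRED thresholds drop AF33 first, AF31 last, which is the drop-precedence ordering the AF PHB section describes.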

Sub-rate Ethernet Link

Not sure what this is supposed to mean to be honest. Shouldn't it just be an implicit part of shaping and policing?

Troubleshooting

This excerpt from the CCIE RSv5 OCG Volume 2 summarizes my feelings about QoS. “Even networks with properly configured QoS can run into problems that are, at least indirectly, caused by QoS.”

!! QoS
show class-map
show policy-map 
show policy-map interface

! IP SLA can be used for verification

! NBAR for protocol identification
int> ip nbar protocol-discovery
show ip nbar protocol-discovery

Study resources

The BGP Section of the INE CCIE Enterprise infrastructure learning track is a good starting-point. Though I wouldn’t rely on it as my only study source.

Books used, ranked by most value for time spent:

The CCIE Enterprise Infrastructure Foundation book by Narbik Kocharians hasn't been released at the time of writing this, but I suspect it will also be a very good resource for the EI.

I have also used the IOS XE 16.2.x configuration guide extensively.

Various links I’ve found useful:


Got feedback or a question?
Feel free to contact me at hello@torbjorn.dev