<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Rich&#039;s Blog &#187; Networking</title>
	<atom:link href="http://www.techish.net/category/windows/networking/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.techish.net</link>
	<description>The stuff I get myself into...</description>
	<lastBuildDate>Tue, 07 Feb 2012 22:43:57 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Traffic Shaping and Policing in Cisco IOS</title>
		<link>http://www.techish.net/2012/01/traffic-shaping-and-policing-in-cisco-ios/</link>
		<comments>http://www.techish.net/2012/01/traffic-shaping-and-policing-in-cisco-ios/#comments</comments>
		<pubDate>Mon, 30 Jan 2012 20:42:32 +0000</pubDate>
		<dc:creator>Rich Kreider</dc:creator>
				<category><![CDATA[Networking]]></category>
		<category><![CDATA[bandwidth]]></category>
		<category><![CDATA[cisco]]></category>
		<category><![CDATA[class-map]]></category>
		<category><![CDATA[ios]]></category>
		<category><![CDATA[policy-map]]></category>
		<category><![CDATA[service-policy]]></category>

		<guid isPermaLink="false">http://www.techish.net/?p=1723</guid>
		<description><![CDATA[I needed to set up bandwidth shaping on a router recently for testing purposes and decided on the below configuration on my Cisco router. I know this drops packets and I don&#8217;t really care; this is a guest network and it isn&#8217;t mission critical. policy-map POLICY_GUEST_OUT class CLASS_GUEST_OUT shape average 1000000 policy-map POLICY_GUEST_IN class CLASS_GUEST_IN police [...]]]></description>
			<content:encoded><![CDATA[<p>I needed to set up bandwidth shaping on a router recently for testing purposes and decided on the below configuration on my Cisco router. I know this drops packets and I don&#8217;t really care; this is a guest network and it isn&#8217;t mission critical.</p>
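<pre>! Define the class-maps first; a policy-map can only reference a class-map that already exists
class-map match-all CLASS_GUEST_IN
 match any
class-map match-any CLASS_GUEST_OUT
 match any

! Outbound: shape (queue) traffic to an average of 1 Mbps
policy-map POLICY_GUEST_OUT
 class CLASS_GUEST_OUT
  shape average 1000000
! Inbound: police to 1 Mbps with 1000-byte normal and excess bursts
policy-map POLICY_GUEST_IN
 class CLASS_GUEST_IN
  police 1000000 1000 1000 conform-action transmit exceed-action set-qos-transmit 4 violate-action drop
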
interface GigabitEthernet0/1.102
 encapsulation dot1Q 102
 service-policy input POLICY_GUEST_IN
 service-policy output POLICY_GUEST_OUT</pre>
<p>Confirming things are working:</p>
<pre>
ciscorouter# sh policy-map interface
 GigabitEthernet0/1.102

  Service-policy input: POLICY_GUEST_IN

    Class-map: CLASS_GUEST_IN (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
      police:
          cir 1000000 bps, bc 1000 bytes, be 1000 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          set-qos-transmit 4
        violated 0 packets, 0 bytes; actions:
          drop
        conformed 0000 bps, exceeded 0000 bps, violated 0000 bps

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

  Service-policy output: POLICY_GUEST_OUT

    Class-map: CLASS_GUEST_OUT (match-any)
      3284 packets, 2742876 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/28/0
      (pkts output/bytes output) 3161/2741698
      shape (average) cir 1000000, bc 4000, be 4000
      target shape rate 1000000

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 0/0</pre>
<p>References:</p>
<ul>
<li><a href="http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfpoli_ps1835_TSD_Products_Configuration_Guide_Chapter.html" target="_blank">Cisco 1</a></li>
<li><a href="http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfgts.html" target="_blank">Cisco 2</a></li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.techish.net/2012/01/traffic-shaping-and-policing-in-cisco-ios/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cisco AP Detailed Client Info</title>
		<link>http://www.techish.net/2011/11/cisco-ap-detailed-client-info/</link>
		<comments>http://www.techish.net/2011/11/cisco-ap-detailed-client-info/#comments</comments>
		<pubDate>Wed, 30 Nov 2011 19:04:37 +0000</pubDate>
		<dc:creator>Rich Kreider</dc:creator>
				<category><![CDATA[Networking]]></category>
		<category><![CDATA[ap]]></category>
		<category><![CDATA[associations]]></category>
		<category><![CDATA[cisco]]></category>
		<category><![CDATA[dot11]]></category>

		<guid isPermaLink="false">http://www.techish.net/?p=754</guid>
		<description><![CDATA[Trying to figure out what some of these mean&#8230; You can use show dot11 assoc to find the clients associated to the AP, then use show dot11 assoc xxxx.xxxx.xxxx to show detailed information for a specific client, or use &#8216;all-clients&#8217; to show detailed information for every client associated to the access point. [...]]]></description>
			<content:encoded><![CDATA[<p>Trying to figure out what some of these mean&#8230;</p>
<p>You can use <code>show dot11 assoc</code> to find the clients associated to the AP, then use <code>show dot11 assoc xxxx.xxxx.xxxx</code> to show detailed information for a specific client, or use &#8216;all-clients&#8217; to show detailed information for every client associated to the access point.</p>
<p>Here&#8217;s the output from <code>show dot11 assoc all-clients</code>:</p>
<pre>Address           : 0023.68b1.b06a     Name             : NONE
IP Address        : 0.0.0.0            Interface        : Dot11Radio 0
Device            : unknown            Software Version : NONE
CCX Version       : NONE               Client MFP       : Off

State             : Assoc              Parent           : self
SSID              : PENNTECQ
VLAN              : 101
Hops to Infra     : 1                  Association Id   : 28
Clients Associated: 0                  Repeaters associated: 0
Tunnel Address    : 0.0.0.0
Key Mgmt type     : NONE               Encryption       : WEP
Current Rate      : 48.0               Capability       : WMM ShortHdr ShortSlot 11h
Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
Voice Rates       : disabled           Bandwidth        : 20 MHz
Signal Strength   : -75  dBm           Connected for    : 299 seconds
Signal to Noise   : 21  dB            Activity Timeout : 16 seconds
Power-save        : On                 Last Activity    : 44 seconds ago
Apsd DE AC(s)     : NONE

Packets Input     : 225                Packets Output   : 68
Bytes Input       : 11342              Bytes Output     : 5154
Duplicates Rcvd   : 34                 Data Retries     : 45
Decrypt Failed    : 0                  RTS Retries      : 0
MIC Failed        : 0                  MIC Missing      : 0
Packets Redirected: 0                  Redirect Filtered: 0</pre>
<p>I need to find out what &#8220;Capability : WMM ShortHdr ShortSlot 11h&#8221; means and available options. These clients are connecting at lower speeds when they do not have &#8220;WMM&#8221; in the Capability column.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.techish.net/2011/11/cisco-ap-detailed-client-info/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Set Date/Time on Cisco Router</title>
		<link>http://www.techish.net/2011/11/set-datetime-on-cisco-router/</link>
		<comments>http://www.techish.net/2011/11/set-datetime-on-cisco-router/#comments</comments>
		<pubDate>Mon, 14 Nov 2011 09:45:55 +0000</pubDate>
		<dc:creator>Rich Kreider</dc:creator>
				<category><![CDATA[Networking]]></category>
		<category><![CDATA[cisco]]></category>
		<category><![CDATA[ios]]></category>

		<guid isPermaLink="false">http://www.techish.net/?p=729</guid>
		<description><![CDATA[Manually Configure router# clock set 10:10:00 November 14 2011 Set the Timezone router(config)# clock timezone EST -5 0 Configure and Use Network Time Protocol (NTP) router(config)# ntp server tock.usno.navy.mil prefer Note that the router&#8217;s default timezone is UTC. You should set the timezone accordingly and set the correct offset.]]></description>
			<content:encoded><![CDATA[<p><strong>Manually Configure</strong></p>
<pre>router# clock set 10:10:00 November 14 2011</pre>
<p><strong>Set the Timezone</strong></p>
<pre>router(config)# clock timezone EST -5 0</pre>
<p><strong>Configure and Use Network Time Protocol (NTP)</strong></p>
<pre>router(config)# ntp server tock.usno.navy.mil prefer</pre>
<p>Note that the router&#8217;s default timezone is UTC. You should set the timezone accordingly and set the correct offset.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.techish.net/2011/11/set-datetime-on-cisco-router/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cisco IOS VPN Server with MS IAS User Authentication against Active Directory</title>
		<link>http://www.techish.net/2011/11/cisco-ios-vpn-server-with-ms-ias-user-authentication-against-active-directory/</link>
		<comments>http://www.techish.net/2011/11/cisco-ios-vpn-server-with-ms-ias-user-authentication-against-active-directory/#comments</comments>
		<pubDate>Wed, 09 Nov 2011 00:13:56 +0000</pubDate>
		<dc:creator>Rich Kreider</dc:creator>
				<category><![CDATA[Networking]]></category>

		<guid isPermaLink="false">http://www.techish.net/?p=716</guid>
		<description><![CDATA[This is how I have successfully configured a Cisco 2921 Integrated Services Router as a VPN server for remote users&#8230; ! [SNIP] ! aaa new-model ! ! aaa authentication login VPN_UserAuth group radius aaa authentication login CLI_UserAuth local aaa authentication login userauthen group radius aaa authorization network VPN_GroupAuth local ! ! [SNIP] crypto isakmp policy [...]]]></description>
			<content:encoded><![CDATA[<p>This is how I have successfully configured a Cisco 2921 Integrated Services Router as a VPN server for remote users&#8230;</p>
<pre>! [SNIP]
!
aaa new-model
!
!
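! VPN users (Xauth) authenticate against RADIUS (the MS IAS server); the VPN group is authorized from the local configuration
aaa authentication login VPN_UserAuth group radius
aaa authentication login CLI_UserAuth local
aaa authentication login userauthen group radius
aaa authorization network VPN_GroupAuth local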
!
! [SNIP]
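! IKE phase 1 policy: 3DES encryption, pre-shared (group) key, Diffie-Hellman group 2
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
! Client group: group key, address pool, split-tunnel ACL 101; save-password lets the client store its Xauth password
crypto isakmp client configuration group group1
 key secretp4ssw0rd
 pool group1pool
 acl 101
 save-password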
crypto isakmp profile vpn1-ra
   match identity group group1
   client authentication list VPN_UserAuth
   isakmp authorization list VPN_GroupAuth
   client configuration address respond
   virtual-template 3
!
!
crypto ipsec transform-set VTI-TS esp-3des esp-sha-hmac
!
!
crypto ipsec profile test-vti1
 set transform-set VTI-TS
!
!
! [SNIP]
interface Virtual-Template3 type tunnel
 ip unnumbered GigabitEthernet0/0
 ip virtual-reassembly in
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile test-vti1
!
ip local pool group1pool 172.18.1.1 172.18.1.25
!
! [SNIP]
access-list 101 permit ip 10.0.0.0 0.0.0.255 172.18.1.0 0.0.0.255
!
! [SNIP]
ip radius source-interface GigabitEthernet0/1
radius-server host 10.0.0.10 key remoteauth</pre>
]]></content:encoded>
			<wfw:commentRss>http://www.techish.net/2011/11/cisco-ios-vpn-server-with-ms-ias-user-authentication-against-active-directory/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cisco IOS IPSec VPN NAT Woes&#8230;</title>
		<link>http://www.techish.net/2011/11/cisco-ios-ipsec-vpn-nat-woes/</link>
		<comments>http://www.techish.net/2011/11/cisco-ios-ipsec-vpn-nat-woes/#comments</comments>
		<pubDate>Tue, 08 Nov 2011 09:01:53 +0000</pubDate>
		<dc:creator>Rich Kreider</dc:creator>
				<category><![CDATA[Networking]]></category>
		<category><![CDATA[cisco]]></category>
		<category><![CDATA[vpn]]></category>

		<guid isPermaLink="false">http://www.techish.net/?p=713</guid>
		<description><![CDATA[Oi&#8230; this is complicated for me. I&#8217;m trying to set up IPSec VPN on a Cisco 2900 series router. I set it up previously using the MS IAS for radius authentication/authorization and using local group authentication in this post. Now, I connect to the router with my VPN client OK but I can&#8217;t communicate with the [...]]]></description>
			<content:encoded><![CDATA[<p>Oi&#8230; this is complicated for me.</p>
<p>I&#8217;m trying to set up IPSec VPN on a Cisco 2900 series router. I set it up previously using the MS IAS for radius authentication/authorization and using local group authentication in <a title="Cisco IOS VPN Authentication via Windows Radius/IAS" href="http://www.techish.net/2011/11/cisco-ios-vpn-authentication-via-windows-radiusias/" target="_blank">this post</a>.</p>
<p>Now, I connect to the router with my VPN client OK but I can&#8217;t communicate with the remote LAN (Router-side inside network) for some reason&#8230; I don&#8217;t even see the ACLs incrementing for the ACL specified in the VPN configuration!</p>
<p>Through googling, I found this information:</p>
<pre>! Doesn't work: ip nat inside source route-map nonat interface Serial0 overload
ip nat inside source list 1 interface Serial0 overload</pre>
<p>So, I incorporated that and also split-tunneling and have this:</p>
<pre>!NEW
ip nat inside source list 101 interface GigabitEthernet0/0 overload
!OLD
!ip nat inside source route-map nonat interface GigabitEthernet0/0 overload

access-list 1 permit 10.0.0.0 0.0.0.255
access-list 101 deny ip 10.0.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.0.0.255 any

route-map nonat permit 10
match ip address 100

interface GigabitEthernet0/0
!OLD
!ip policy route-map nonat</pre>
<p>If I show access-list, I do not see access-list 100 incrementing!</p>
<p>Why is this happening? =(</p>
]]></content:encoded>
			<wfw:commentRss>http://www.techish.net/2011/11/cisco-ios-ipsec-vpn-nat-woes/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

