Rich's Blog » cisco

Traffic Shaping and Policing in Cisco IOS

Rich Kreider — Mon, 30 Jan 2012 20:42:32 +0000

I needed to setup bandwidth shaping on a router recently for testing purposes and decided on the below configuration on my Cisco router. I know this drops packets and I don’t really care; this is a guest network and it isn’t mission critical.

policy-map POLICY_GUEST_OUT
 class CLASS_GUEST_OUT
  shape average 1000000
policy-map POLICY_GUEST_IN
 class CLASS_GUEST_IN
  police 1000000 1000 1000 conform-action transmit  exceed-action set-qos-transmit 4 violate-action drop

class-map match-all CLASS_GUEST_IN
 match any
class-map match-any CLASS_GUEST_OUT
 match any

interface GigabitEthernet0/1.102
 encapsulation dot1Q 102
 service-policy input POLICY_GUEST_IN
 service-policy output POLICY_GUEST_OUT

Confirming things are working:

ciscorouter# sh policy-map interface
 GigabitEthernet0/1.102

  Service-policy input: POLICY_GUEST_IN

    Class-map: CLASS_GUEST_IN (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
      police:
          cir 1000000 bps, bc 1000 bytes, be 1000 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          set-qos-transmit 4
        violated 0 packets, 0 bytes; actions:
          drop
        conformed 0000 bps, exceeded 0000 bps, violated 0000 bps

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

  Service-policy output: POLICY_GUEST_OUT

    Class-map: CLASS_GUEST_OUT (match-any)
      3284 packets, 2742876 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/28/0
      (pkts output/bytes output) 3161/2741698
      shape (average) cir 1000000, bc 4000, be 4000
      target shape rate 1000000

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 0/0

References:

Cisco AP Detailed Client Info

Rich Kreider — Wed, 30 Nov 2011 19:04:37 +0000

Trying to figure out what some of these mean…

You can use show dot11 assoc to find clients associated to the AP then you can use show dot11 assoc xxxx.xxxx.xxxx to show detailed information for a specific client or even use ‘all-clients’ to show all clients detailed information that are associated to the Access Point.

Here’s the output from show dot11 all-clients

Address           : 0023.68b1.b06a     Name             : NONE
IP Address        : 0.0.0.0            Interface        : Dot11Radio 0
Device            : unknown            Software Version : NONE
CCX Version       : NONE               Client MFP       : Off

State             : Assoc              Parent           : self
SSID              : PENNTECQ
VLAN              : 101
Hops to Infra     : 1                  Association Id   : 28
Clients Associated: 0                  Repeaters associated: 0
Tunnel Address    : 0.0.0.0
Key Mgmt type     : NONE               Encryption       : WEP
Current Rate      : 48.0               Capability       : WMM ShortHdr ShortSlot 11h
Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
Voice Rates       : disabled           Bandwidth        : 20 MHz
Signal Strength   : -75  dBm           Connected for    : 299 seconds
Signal to Noise   : 21  dB            Activity Timeout : 16 seconds
Power-save        : On                 Last Activity    : 44 seconds ago
Apsd DE AC(s)     : NONE

Packets Input     : 225                Packets Output   : 68
Bytes Input       : 11342              Bytes Output     : 5154
Duplicates Rcvd   : 34                 Data Retries     : 45
Decrypt Failed    : 0                  RTS Retries      : 0
MIC Failed        : 0                  MIC Missing      : 0
Packets Redirected: 0                  Redirect Filtered: 0

I need to find out what “Capability : WMM ShortHdr ShortSlot 11h” means and available options. These clients are connecting at lower speeds when they do not have “WMM” in the Capability column.

Set Date/Time on Cisco Router

Rich Kreider — Mon, 14 Nov 2011 09:45:55 +0000

Manually Configure

router# clock set 10:10:00 November 14 2011

Set the Timezone

router(config)# clock timezone EST -5 0

Configure and Use Network Time Protocol (NTP)

router# ntp server tock.usno.navy.mil prefer

[stextbox id="info" big="true"]Note that router default timezone is UTC. You should set the timezone accordingly and set the correct offset.[/stextbox]

Cisco IOS IPSec VPN NAT Woes…

Rich Kreider — Tue, 08 Nov 2011 09:01:53 +0000

Oi… this is complicated for me.

I’m trying to setup IPSec VPN on a Cisco 2900 series router. I set it up previously using the MS IAS for radius authentication/authorization and using local group authentication in this post.

Now, I connect to the router with my VPN client OK but I can’t communicate with the remote LAN (Router-side inside network) for some reason… I don’t even see the ACLs incrementing for the ACL specified in the VPN configuration!

Through googling, I found this information:

! Doesn't work: ip nat inside source route-map nonat interface Serial0 overload
ip nat inside source list 1 interface Serial0 overload

So, I incorporated that and also split-tunneling and have this:

!NEW
ip nat inside source list 101 interface GigabitEthernet0/0 overload
!OLD
!ip nat inside source route-map nonat interface GigabitEthernet0/0 overload

access-list 1 permit 10.0.0.0 0.0.0.255
access-list 101 deny ip 10.0.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.0.0.255 any

route-map nonat permit 10
match ip address 100

interface GigabitEthernet0/0
!OLD
!ip policy route-map nonat

If I show access-list, I do not see access-list 100 incrementing!

Why is this happening? =(

Cisco IOS Port Forwarding

Rich Kreider — Sat, 05 Nov 2011 23:52:36 +0000

So I recently replaced a Cisco ASA with a Cisco 2900 series router and needed to port forward SMTP, HTTP/HTTPS to an internal address from a global outside address.

This is the method I used that worked. For some reason, when I tried to apply it via the route-map, it kept giving me a “duplicate IP address” warning on the actual server and on the router. I am confused by that, but the following did work for me.

access-list 100 permit tcp any any eq smtp
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any any eq 443
ip nat pool MAILSERVER 10.10.0.14 10.10.0.14 netmask 255.255.255.0 type rotary
ip nat inside destination list 100 pool MAILSERVER

The following did NOT work for me and I’m *not* sure why… can someone shed light?

routerA(config)#ip nat inside source static tcp 74.219.241.254 10.10.0.14 25 route-map lan2wan

Here’s part of the config (that should be relevant…)

interface GigabitEthernet0/0
 description Time Warner Cable 15x2
 ip address 74.219.241.254 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 no ip route-cache
 duplex auto
 speed auto
end
access-list 10 permit 10.10.0.0 0.0.0.255
ip nat inside source route-map lan2wan interface GigabitEthernet0/0 overload
route-map lan2wan permit 10
match ip address 10