congestion management


Upload: nandan-bisht

Post on 15-Apr-2017


CCIE Security V4 Technology Labs Section 1: System Hardening and Availability

Congestion Management

Last updated: May 3, 2013

Task

Load the starting configuration files for task 1.17.

On R3, create a QoS policy to match ICMP traffic coming from vlan 23 and mark it with a dscp of AF12.

On R3, also create a policy that matches ICMP traffic coming from the Test PC on vlan 11 and mark it with a dscp of AF23.

ICMP traffic leaving the F0/0 interface should have the following policy applied.

AF12 Traffic should be given 25% of the interface bandwidth.

AF23 Traffic should be given 15% of the interface bandwidth.

If any voice traffic is seen with a DSCP of EF, it should be priority queued and given 35% bandwidth.

Remaining Traffic should be fair-queued.

Explanation and Verification

Congestion management can take the form of policing or shaping data so that it conforms to the policy set forth in the network. A CCIE candidate should be able to do this, as well as configure basic QoS policies. This task does not require any policing, but other tasks do. This task simply tests your know-how of basic QoS configurations.

Start by configuring the policy on R3 to match ICMP traffic from vlan 23.

R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#access-list 101 permit icmp any any
R3(config)#class-map match-icmp
R3(config-cmap)#match access-g 101
R3(config-cmap)#policy-map mark-traffic
R3(config-pmap)#class match-icmp
R3(config-pmap-c)#set dscp af12
R3(config-pmap-c)#int f0/0.23
R3(config-subif)#service-policy input mark-traffic
R3(config-subif)#

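Now configure the policy to mark traffic coming in on vlan 11 from the Test PC. ACL 101 is reused here, so this class matches ICMP from any host arriving on f0/0.11; restricting the match to the Test PC alone would require an ACL whose source is that host's address.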

R3(config-subif)#exit
R3(config)#class-map match-test-pc
R3(config-cmap)#match access-group 101
R3(config-cmap)#policy-map mark-testpc
R3(config-pmap)#class match-test-pc
R3(config-pmap-c)#set dscp AF23
R3(config-pmap-c)#int f0/0.11
R3(config-subif)#service-policy input mark-testpc
R3(config-subif)#exit
R3(config)#

Create the queueing policy and apply it to the f0/0 interface. Understand that the policy cannot be applied to a sub-interface.

R3(config)#class-map match-vlan23
R3(config-cmap)#match dscp AF12
R3(config-cmap)#exit
R3(config)#class-map match-vlan11
R3(config-cmap)#match dscp AF23
R3(config-cmap)#exit
R3(config)#class-map match-voice
R3(config-cmap)#match dscp ef
R3(config-cmap)#exit
R3(config)#policy-map QUEUE-OUT
R3(config-pmap)#class match-voice
R3(config-pmap-c)# priority percent 35
R3(config-pmap-c)#class match-vlan23
R3(config-pmap-c)#bandwidth percent 25
R3(config-pmap-c)#class match-vlan11
R3(config-pmap-c)#bandwidth percent 15
R3(config-pmap-c)#class class-default
R3(config-pmap-c)#fair-queue
R3(config-pmap-c)#interface f0/0
R3(config-if)#service-policy output QUEUE-OUT
R3(config-if)#

Verify the policy on each interface. You'll need to generate traffic from each respective vlan so that the counters increment.

First we verify f0/0.23.

R3#show policy-map int f0/0.23
 FastEthernet0/0.23

  Service-policy input: mark-traffic

    Class-map: match-icmp (match-all)
      5 packets, 590 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 101
      QoS Set
        dscp af12
          Packets marked 5

    Class-map: class-default (match-any)
      110 packets, 12100 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

Next, verify f0/0.11.

R3#show policy-map int f0/0.11
 FastEthernet0/0.11

  Service-policy input: mark-testpc

    Class-map: match-test-pc (match-all)
      4 packets, 312 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 101
      QoS Set
        dscp af23
          Packets marked 4

    Class-map: class-default (match-any)
      362 packets, 26728 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

Now look at the queueing policy to ensure that each type of traffic gets its allocated bandwidth.

R3#show policy-map int f0/0
 FastEthernet0/0

  Service-policy output: QUEUE-OUT

    queue stats for all priority classes:
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 0/0

    Class-map: match-voice (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: dscp ef (46)
      Priority: 35% (35000 kbps), burst bytes 875000, b/w exceed drops: 0

    Class-map: match-vlan23 (match-all)
      10 packets, 1180 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: dscp af12 (12)
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 10/1180
      bandwidth 25% (25000 kbps)

    Class-map: match-vlan11 (match-all)
      8 packets, 624 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: dscp af23 (22)
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 8/624
      bandwidth 15% (15000 kbps)

    Class-map: class-default (match-any)
      207 packets, 22259 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops/flowdrops) 0/0/0/0
      (pkts output/bytes output) 207/23519
      Fair-queue: per-flow queue limit 16
R3#

Also note that the class-default is being fair-queued.
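The same verification can be done mechanically. The Python script below is an added example, not part of the original lab: it parses "show policy-map interface" text, confirms that each DSCP name maps to the decimal value the router prints (AFxy = 8x + 2y, EF = 46), and compares each class with the task's requirements. SAMPLE is abridged from the output above; the function names and the EXPECTED table are this example's own.

```python
import re

# Constructed input: class lines abridged from the "show policy-map int f0/0" output.
SAMPLE = """\
Class-map: match-voice (match-all)
Match: dscp ef (46)
Priority: 35% (35000 kbps), burst bytes 875000, b/w exceed drops: 0
Class-map: match-vlan23 (match-all)
Match: dscp af12 (12)
bandwidth 25% (25000 kbps)
Class-map: match-vlan11 (match-all)
Match: dscp af23 (22)
bandwidth 15% (15000 kbps)
Class-map: class-default (match-any)
Fair-queue: per-flow queue limit 16
"""

# Task requirements: PHB name -> (queueing action, percent of interface bandwidth).
EXPECTED = {"ef": ("priority", 35), "af12": ("bandwidth", 25), "af23": ("bandwidth", 15)}

def dscp_value(name):
    """Decimal DSCP of a PHB name: EF = 46, AFxy = 8x + 2y."""
    m = re.fullmatch(r"af([1-4])([1-3])", name)
    if name != "ef" and not m:
        raise ValueError(f"unsupported PHB name: {name}")
    return 46 if name == "ef" else 8 * int(m[1]) + 2 * int(m[2])

def parse_classes(text):
    """Map class-map name -> {'value': dscp, 'action': (kind, percent)} as found."""
    classes, cur = {}, {}  # lines before the first Class-map land in a scratch dict
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"Class-map: (\S+)", line):
            cur = classes.setdefault(m.group(1), {})
        elif m := re.match(r"Match: dscp \S+ \((\d+)\)", line):
            cur["value"] = int(m.group(1))
        elif m := re.match(r"(priority|bandwidth):? (\d+)%", line, re.I):
            cur["action"] = (m.group(1).lower(), int(m.group(2)))
        elif line.startswith("Fair-queue"):
            cur["action"] = ("fair-queue", None)
    return classes

def audit(text, expected=EXPECTED):
    """Return deviations from the task; an empty list means the policy conforms."""
    classes = parse_classes(text)
    by_dscp = {c["value"]: c.get("action") for c in classes.values() if "value" in c}
    problems = [f"{n}: expected {w}, found {by_dscp.get(dscp_value(n))}"
                for n, w in expected.items() if by_dscp.get(dscp_value(n)) != w]
    if classes.get("class-default", {}).get("action") != ("fair-queue", None):
        problems.append("class-default is not fair-queued")
    return problems
```

Running audit() on the full router output works the same way, because counter and queue-limit lines match none of the patterns and are ignored.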