https://www.tunnelsup.com/cisco-asa-to-juniper-ssg-command-reference-cheat-sheet/
Wednesday, 23 September 2020
QOS
IntServ - RSVP - hard reservation: bandwidth stays reserved even when not in use
DiffServ - distinguishes between different types of traffic and gives priority
FIFO - first in, first out - no priority unless we enable QoS
Quality of Service is a collection of tools
Classification
Recognising a certain type of traffic
Marking
Assign a marking based on the classification. (DSCP marking is the modern one)
Policing and shaping
Sets a speed limit
Policing drops traffic over the limit. If it's TCP traffic, the sender will retransmit.
Shaping also sets a speed limit, but excess traffic is held in a buffer until bandwidth is available
Congestion management = Queuing
Big data packets come in and queue up. Let's say a voice packet comes in next: without QoS it has to wait its turn to get out, leading to bad call quality.
If we classify and mark traffic we can create queues for each type of traffic
Create a voice bucket and an "everything else" (best effort) bucket
If a bucket fills up and spills over, the packets are dropped.
The two most used queuing mechanisms today
Class based weighted fair queuing
Low latency fair queuing
How much bandwidth does priority traffic get
Congestion avoidance on a switch is weighted tail drop
Congestion avoidance on a router is weighted RED. The thing with weighted RED is that there is only 1 bucket, and when it fills up packets are dropped and everyone suffers.
RED sacrifices the needs of the few for the good of the many.
Link efficiency
Not as big a deal now that WAN links are fast
On lower speed circuits, voice packets can get stuck behind big data packets so we are waiting for our chance to get across the WAN.
We should classify and mark traffic as close to the source as possible
To enable
#mls qos
To enable per vlan
#mls qos vlan-based
interface vlan 50
service-policy input test
exit
interface gig 1/0/7 (is a member of vlan 50)
mls qos vlan-based (take qos policy settings from vlan 50)
Port based classification options
L2 - CoS value, MAC ACL
L3 - IP precedence, DSCP value, L3 ACL
The first 3 bits of the ToS (type of service) byte give 8 possible values, but two are reserved by Cisco.
DSCP has values up to 63; this is the one that tends to be used.
Sometimes non-IP packets arrive with a CoS value already set. We can alter it as below.
mls qos cos [0-7] (cisco reserved 6 or 7)
mls qos cos override
We can trust certain CoS markings
CoS is an L2 marking; it gets stripped off when the packet is routed and is reset to 0.
Trust the CoS value coming from Cisco phones (two commands)
mls qos trust cos
mls qos trust device cisco phone
The switch uses CDP to know it is attached to a phone.
We can say: if you have CoS value 3, set DSCP value 23. DSCP doesn't get stripped off when traversing routers.
Show all the mapping tables in the switch
sh mls qos maps
See just the cos to dscp mapping
sh mls qos maps cos-dscp
Best practice for mapping cos to dscp
mls qos map cos-dscp 0 8 16 24 32 46 48 56
Each value corresponds, in order, to CoS values 0-7
cos - dscp
0 - 0
1 - 8
2 - 16
3 - 24
4 - 32
5 - 46
6 - 48
7 - 56
sh mls qos maps cos-dscp
DSCP mutation
If traffic comes in with one DSCP value, change it to another
mls qos map dscp-mutation MUTATE 24 26 28 30 to 24
int gig 1/0/8
mls qos trust dscp
mls qos dscp-mutation MUTATE
If traffic comes in with any of the DSCP markings 24, 26, 28 or 30, change it to 24
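The cos-dscp table, the trust settings and the mutation map above can be checked offline with this small model of the switch's ingress marking decision. It is an added example, not code from the original notes; the two tables are the ones from the notes, the port settings and frames are constructed sample values, and the trust behaviour is simplified to one trust state per port.

```python
"""Model of Catalyst ingress QoS marking as described in the notes (added example)."""

# "mls qos map cos-dscp 0 8 16 24 32 46 48 56": index = CoS value, entry = DSCP
COS_TO_DSCP = dict(enumerate([0, 8, 16, 24, 32, 46, 48, 56]))

# "mls qos map dscp-mutation MUTATE 24 26 28 30 to 24"
MUTATE = {24: 24, 26: 24, 28: 24, 30: 24}


def decode_tos(tos_byte: int) -> dict:
    """Split the 8-bit IP ToS/DS byte: DSCP is the top 6 bits, IP precedence is
    the top 3 of those (so precedence survives inside DSCP), ECN the low 2 bits."""
    dscp = tos_byte >> 2
    return {"dscp": dscp, "precedence": dscp >> 3, "ecn": tos_byte & 0b11}


def ingress_dscp(port: dict, frame: dict) -> int:
    """Internal DSCP the switch assigns to a frame arriving on 'port' (simplified).

    port  = {"trust": "cos" | "dscp" | None, "default_cos": int, "mutation": dict | None}
    frame = {"cos": 802.1p value or None if untagged, "dscp": value or None if not IP}
    """
    trust = port.get("trust")
    if trust == "dscp" and frame.get("dscp") is not None:
        # "mls qos trust dscp", optionally with "mls qos dscp-mutation MUTATE"
        dscp = frame["dscp"]
        mutation = port.get("mutation") or {}
        return mutation.get(dscp, dscp)
    if trust == "cos" and frame.get("cos") is not None:
        # "mls qos trust cos": keep the 802.1p value and map it through cos-dscp
        return COS_TO_DSCP[frame["cos"]]
    # Untrusted port (the default once "mls qos" is on), or a frame carrying
    # nothing the port trusts: whatever the host marked is ignored and the port
    # default CoS ("mls qos cos N") is mapped instead. This is the trust boundary.
    return COS_TO_DSCP[port.get("default_cos", 0)]
```

With the notes' table, every CoS value maps to a DSCP whose precedence bits equal that CoS, which is what makes the mapping safe across routed hops.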
Drop probability is not related to IP precedence
Let's say we have voice with priority 1 and drop probability 2
And we have HTTP with priority 2 and drop probability 0
Voice traffic will be sent first, but if the buffer fills, voice traffic will be dropped before HTTP.
(match any of the protocols listed below)
class-map match-any EMAIL
match protocol pop3
match protocol imap
class-map VOICE
match protocol rtp
class-map BITTORRENT
match protocol bittorrent
sh class-map
policy-map QOS-MAP
class EMAIL
set dscp af13
bandwidth 512 (give at least 512 and more if it's available)
random-detect dscp-based
random-detect ecn
class BITTORRENT
police 128000
service-policy output QOS-MAP (applied under the outbound interface)
Lots of good info from Kevin Wallace on YouTube
Voice and QOS
Often we find voice and data traffic competing on the same VLAN,
voice traffic competing with web browsing traffic for example.
It's best practice to create a voice VLAN / subnet to separate them.
Even with VLANs, voice and data will share the same uplinks/trunks
We need QoS here
There are two main types, ToS and DiffServ (DSCP);
you only use one or the other
ToS
The IP header has a ToS field with values 0-7
0 = default (data)
5 = voice (usually)
7 = highest
The ToS value is set via the phone system. Phones download their config from the TFTP server (phone system). Now they are tagging traffic with a ToS value of 5. We then need to configure our network gear to use this value.
DiffServ
More recent / improved version of ToS. More values can be set.
DSCP
priority 0 - 63
Voice is usually set to 46 (set on the phone system), as above.
VLANs can also be given priority, which is why a voice VLAN is best practice
CoS
0 - 7
Set to 5
Often physical ports on routers etc can be given priority also.
We can control QoS on our LAN, but once we go outside we have no control. Some ISPs will provide an MPLS connection that honours your QoS values, usually at a higher cost than a regular MPLS link.
An ALG can give high priority to voice protocols (SIP, RTP, RTSP, SKINNY, etc.).
Latency and jitter
Latency is the round trip time
Jitter is the variation in the interval between packets, so if we have 10ms and 12ms then the jitter is 2ms
Even at 200ms, phones will work if jitter is low and steady.
Industry wants below 150ms.
If we are below 100ms, then voice must work.
70ms or below is good.
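Measuring the two figures above from packet timestamps, as an added example that is not part of the original notes: jitter is computed the way the notes define it (change between successive inter-arrival intervals) and, going a step beyond the notes, with the RFC 3550 running estimate that RTP endpoints report. All timestamps are constructed sample values in milliseconds.

```python
"""Latency and jitter for a voice stream (added example; constructed data)."""

# Constructed: packets sent every 20 ms, and the times the receiver saw them.
SEND_MS = [0, 20, 40, 60, 80]
ARRIVE_MS = [50, 70, 92, 110, 131]


def interval_jitter(arrive: list) -> list:
    """Jitter as in the notes: change between successive inter-arrival
    intervals, e.g. intervals of 10 ms then 12 ms give 2 ms of jitter."""
    intervals = [b - a for a, b in zip(arrive, arrive[1:])]
    return [abs(b - a) for a, b in zip(intervals, intervals[1:])]


def rfc3550_jitter(send: list, arrive: list) -> float:
    """RFC 3550 interarrival jitter: for each packet D = change in transit
    time versus the previous packet, smoothed as J = J + (|D| - J) / 16."""
    transit = [a - s for s, a in zip(send, arrive)]
    j = 0.0
    for prev, cur in zip(transit, transit[1:]):
        j += (abs(cur - prev) - j) / 16
    return j


def rate_latency(rtt_ms: float) -> str:
    """Apply the round-trip thresholds given in the notes."""
    if rtt_ms <= 70:
        return "good"
    if rtt_ms < 100:
        return "voice works"
    if rtt_ms < 150:
        return "within industry target"
    return "too high unless jitter is low and steady"
```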
Thursday, 10 September 2020
cisco asdm not working
Most issues with ASDM are Java related. It's best to run ASDM on Windows with Java updated.
Check for and kill any Java/ASDM processes that are running
Update the JRE to the latest and try again
If it's still not working there are some things you can check:
- Add the IP of the ASA to the Java security exceptions list
- Check if ASDM is running on a different port (sh run | i http server)
- Is the ASDM image configured (sh run | i asdm)
- Is the image configured on disk (sh disk | i asdm)
- Do we have "http server enable"
- Do we have something similar to "http 192.168.1.0 255.255.255.0 INSIDE"
- 192.168.1.0/24 is the network (or host) where we are launching the ASDM from
- Do we have "aaa authentication http console LOCAL"
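The configuration side of that checklist can be run against saved "show run" output, which also confirms the "http" statement really covers the host launching ASDM. This is an added example, not from the original post: the config text is constructed (the ASDM image name is a placeholder) and the client IP is an assumption; the default ASDM port of 443 is assumed when "http server enable" carries no port.

```python
"""Check ASA 'show run' output for the ASDM prerequisites (added example)."""
import ipaddress
import re

# Constructed sample of the relevant 'show run' lines; image name is a placeholder.
SAMPLE_SHOW_RUN = """\
asdm image disk0:/asdm-PLACEHOLDER.bin
http server enable 8443
http 192.168.1.0 255.255.255.0 INSIDE
aaa authentication http console LOCAL
"""


def asdm_checks(show_run: str, client_ip: str) -> dict:
    """Return one result per checklist item, plus the HTTP server port and the
    'http <net> <mask> <intf>' statement that admits client_ip (None if none)."""
    client = ipaddress.ip_address(client_ip)
    server = re.search(r"^http server enable(?: (\d+))?$", show_run, re.M)
    allowed_by = None
    for net, mask, intf in re.findall(r"^http (\S+) (\S+) (\S+)$", show_run, re.M):
        if net == "server":  # that is 'http server enable <port>', not an ACL line
            continue
        if client in ipaddress.ip_network(f"{net}/{mask}", strict=False):
            allowed_by = f"http {net} {mask} {intf}"
            break
    return {
        "http_server_enabled": server is not None,
        "http_port": int(server.group(1)) if server and server.group(1) else 443,
        "asdm_image_configured": re.search(r"^asdm image \S+$", show_run, re.M) is not None,
        "aaa_http_console": re.search(r"^aaa authentication http console \S+$", show_run, re.M) is not None,
        "client_allowed_by": allowed_by,
    }
```

Whether the image file actually exists on flash (the "sh disk | i asdm" item) still has to be checked on the box itself.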
Tuesday, 8 September 2020
login access text
UNAUTHORISED ACCESS TO THIS DEVICE IS PROHIBITED
You must have explicit, authorised permission to access, read information from or configure
this device. Unauthorised attempts and actions to access or use this
system may result in civil and/or criminal penalties. All activities
performed on this device are logged and monitored.