Ont on Aaron's Worthless Words

ONT - Epic WIN!

Thu, 08 Apr 2010 00:00:00 +0000

Two down, two to go. After much groaning and moaning, I’ve finally passed my ONT test. The path to this point has been full of road blocks and covered in potholes, but I finally managed to power through it. Thank $deity.

If you remember, I’ve had quite a time with finding a testing center that’s convenient (or open for that matter), so I took the test at yet another center to see what they offer. The facility was great; it was very quiet and clean, and the people were wonderfully friendly, which is a new concept to me. Usually, the people don’t care about testers, but, being a center for inmates at state prisons (yes, prisoners), they do nothing but vocational and professional testing there. That’s a lot better than the facilities who give their own students priority or who make money on training instead of testing. The center is just over 2 hours away, but I think this place may be the best so far. I’ll have to see what the future holds, though.

ONT - Epic Fail Part 3

Fri, 26 Mar 2010 00:00:00 +0000

It’s not what you think.

I was talking with a buddy online last night, and he made a good point. If you keep putting off taking a test, you’ll never make any progress. I took that to heart, went online, and scheduled another sitting of ONT for today at 3pm at the closest center. I took the day off, too, so I could get some tax stuff done and get over to the center and back before dinner. I got some really good rest last night for sure, too, and had some very productive study time before heading off for my day’s adventures.

ONT - Epic Fail Part 2

Fri, 19 Mar 2010 00:00:00 +0000

I took the ONT again today. The stench of failure is upon me for a second time, and I’m beginning to think I’m not the god-like person that everyone thinks I am. I went into the test very confidently. I did extra time on my weak points from the last attempt and knew it inside and out. I put hours and hours of lab time in and got other books and online materials involved. I was absolutely convinced that I would blow this thing away, but, alas, it was not to be.

NBAR and HTTP Data Conversations

Mon, 08 Mar 2010 00:00:00 +0000

I’m still working on the ONT test and doing labs, so I marked up a lab for me to work. I’m using the same setup as I did last time. The two routers are 3640s running 12.4(25b).

Part of the lab was to identify HTTP traffic coming into F0/0 and mark it as CS3. That’s pretty easy, right? Of course, the lab I made up was a little more complicated, but the point comes clear with a simpler example.

QoS Pre-classify and Class-map Order

Sat, 06 Mar 2010 00:00:00 +0000

I’m still studying for the ONT test, so I did some labs tonight. One of them was to demonstrate the qos pre-classify command for tunnel interfaces. When you have a packet sent over a GRE tunnel, the ToS field gets copied to the GRE packet, but there’s no way to see the original packet’s higher-level headers on the way out the interface. This can be a problem if your service policy needs to see protocol, port, IPs, etc. The fix for that is to enable qos pre-classify on the tunnel interface and cyrpto map; doing so will provide a copy of the original packet to the physical interface to classify the packet thoroughly.

ONT - Epic Fail

Tue, 16 Feb 2010 00:00:00 +0000

I failed the ONT test today. It was an utter lack of subject matter knowledge that did me in from the beginning. When the first three questions mention things that I’ve never even heard, it’s going to be a long test. I’ll take blame on it for sure, but the test was a lot darker than I imagined it would be.

I heard from a couple people that the ONT test was the easiest of the 4 CCNP test. I must say today’s test was a LOT harder than the ISCW test I took back in December. Most of the questions were fair, but there were a few that were down-right evil or unanswerable. Without giving too much away, there were some matching questions that had multiple items with multiple answers, rendering the answer to a guess. I even ran into a CLI question about the WLC, which surely wasn’t mentioned anywhere I studied, and I don’t have a spare sitting around on which to test. The icing, though, was the number of questions about FRTS; I know I need to understand it, but the magical question dice landed on that topic way too many times in my opinion.

ONT Notes - WLAN Management

Sat, 13 Feb 2010 00:00:00 +0000

Elements of Cisco Unified Wireless Network

Client devices - Cisco compatible extensions on WLAN clients
Mobility platform - allows configuration of LWAPs through WLCs
Network unification - integration into the rest of the network with WLCs doing RF management, IPS, etc.
World-class network management - centralized management through WCS
Unified advanced services - supports advanced technologies and threat detection

WLAN Implementation

Autonomous and LWAP

Category	Autonomous	LWAP
Access Point	Autonomous APs	LWAPs
Control	Individual configurations	Configuration through WLCs
Dependency	Independent operations	Dependent on WLC
Management	CiscoWorks WLSE and WDS	WCS
Redundancy	Through APs	Through WLCs

Wireless LAN Services Engine (WLSE)

ONT Notes - 802.1x and Encryption on LWAPs

Fri, 12 Feb 2010 00:00:00 +0000

Traditional WLAN weaknesses
- SSID for security
- Vulnerable to rogue APs
- MAC filtering for security
- WEP
WEP weaknesses
- Disribution of static keys is not scalable
- WEP keys can be cracked easily
- Vulnerable to dictionary attacks
- No protection against rogue APs
Benefits of 802.1x
- Centralized authentication through Radius via AAA
- Mutual authentication between client and auth server
- Can use multiple encryption algorithms (AES, WPA, TKIP, WEP)
- Automatic dynamic WEP keys
- Roaming
Requirements of 802.1x
- EAP-capable client (supplicant)
- 802.1x-capable AP (authenticator)
- EAP-capable auth server

Table 1. Characteristics of the EAP variants

ONT Notes - QoS On Wireless Networks

Thu, 11 Feb 2010 00:00:00 +0000

Wireless LANs (WLANs)
- Extensions to wired LANs
- Carrier sense multiple access collision avoidance (CSMA/CA) as media access method
- Uses distributed coordinated function (DCF) for collision avoidance
- DCF is based on RF carrier sense, inter-frame spacing (IFS), and random wait timers
Wifi QoS standards
- 802.11e
  - IEEE standard
  - 0-7 priority levels
- Wifi Multimedia (WMM)
  - Four access categories
    - Platinum (voice) - 6 or 7 802.11e
    - Gold (video) - 4 or 5 802.11e
    - Silver (BE) - 0 or 3 802.11e
    - Bronze (Background) - 1 or 2 802.11e
- WMM and 802.11e replace DCF with EDCF
Cisco Split-MAC
- Splits functions between Lightweight access points (LWAPs) and WLAN controllers (WLCs)
- LWAPs handle real-time functions
  - Beacon generation
  - Probe transmission and response
  - Power management
  - 802.11e/WMM scheduling and queuing
  - Packet buffering
  - Encryption/decryption
  - Control frame/message processing
- WLCs handle non-real-time functions
  - Association/disassociation/reassociation
  - 802.11e/WMM resource reservation
  - 802.1x EAP
  - Key management
  - Authentication
  - Fragmentation
  - Ethernet-WLAN bridging
End-to-end QoS
- Step 1: WLC copies DSCP from switch to outer DSCP and outer 802.1p and sends to LWAP over LWAPP tunnel
- Step 2: LWAP copies outer DSCP from WLC to 802.11e/WMM field and sent to client
- Step 3: LWAP copies 802.11e/WMM value from the client to outer DSCP and sends it to WLC
- Step 4: WLC copies outer DSCP from WLAP to 802.1p (CoS) fields and sends it to the switch
Web interface (do you even need to know this?)
- Controller>QoS Profiles
  - Per-User Bandwidth Contracts - set avg data rate, burst data rate, avg real-time rate, and burst real-time rate
  - Over the Air QoS
    - Maximum RF usage per AP (%)
    - Queue Depth - queue size before dropping packets
    - Wired QoS Protocol - 802.1p or None
- Controller>WLANs>Edit
  - For each WLAN ID, set the QoS value: plat, gold, silver, bronze
  - WMM Policy
    - Disabled - 802.11e/WMM QoS requests are ignored
    - Allowed - 802.11e/WMM QoS requests are sent
    - Required - 802.11e/WMM QoS requests are required

ONT Notes - AutoQoS

Wed, 10 Feb 2010 00:00:00 +0000

AutoQoS benefits
- Automates QoS for most deployments
- Protects business-critical apps to maximize availability
- Simplifies QoS deployments
- Reduces configuration errors
- Cheaper, faster, and simpler deployments
- Follows DiffServ
- Allows complete control over QoS configs
- Allows modification of auto-generated configs
AutoQoS phases of evolution
- AutoQoS VOIP - Early version that configures the basics without discovery
- AutoQoS for Enterprise - Second version that only runs on routers and uses two-step process
  - Autodiscovery using NBAR
  - Generation of class maps
AutoQoS key elements
- Application classification
- Policy generation
- Configuration
- Monitoring and reporting
- Consistency
Interfaces that you can configure AutoQoS on
- Serial ifs with PPP and HDLC
- FR point-to-point subifs (NOT multipoint)
- ATM point-to-point subifs
- FR-to-ATM links
Prerequsites
- No Qos policy already configured on if
- CEF enabled on if
- Correct bandwidth configured on if
- IP address on low-speed if
Configuring AutoQoS Enterprise on a router (NOT a switch)
- auto qos discovery - begins discovery process
- auto qos - generates and applies MQC-based policies
Configuring AutoQoS VOIP
- auto qos voip [ trust | cisco-phone ]
Verifying AutoQoS on router
- show auto discovery qos - get autodiscovery results
- show auto qos - examine configuration generated
  - Number of classes
  - Classification options
  - Marking options
  - Queuing mechanisms
  - Other QoS mechanisms
  - If, subif, PVC where policy is applied
- show policy-map interface - look at if stats
Verify AutoQoS VOIP
- show auto qos
- show policy-map interface
- show mls qos maps - shows CoS to DSCP mappings
Possible issues with AutoQoS
- Too many traffic classes - manually consolidate some
- Configuration doesn’t change - rerun AutoQoS
- Configuration may not fit your situation - fine-tune it by hand
Fine-tuning AutoQoS
- Use QPM
- CLI
- copy policy into editor, change, reapply
AutoQoS can match on characteristics besides ACLs and NBAR
- match input interface
- match cos
- match ip precedence
- match ip dscp
- match ip rtp

ONT Notes - Pre-classify and End-to-end QoS

Thu, 04 Feb 2010 00:00:00 +0000

VPNs (Didn’t ISCW cover this?)
- Provide
  - Confidentiality
  - Integrity
  - Authentication
- Types
  - Remote-access
    - Client-initiated
    - NAS-initiated
  - Site-to-site
    - LAN-to-LAN
    - Extranet
L3 Tunneling protocols
- GRE
- IPSec
Pre-classify allows traffic to be classified before being sent across a tunnel or crypto-ed.
- qos pre-classify
- Provides a view into the original IP headers
- To classify on pre-tunnel header, apply the policy to the tunnel interface WITHOUT pre-classify.
- To classify on post-tunnel header, apply the policy to the physical interface WITHOUT pre-classify.
- To classify on pre-tunnel header, apply the policy to the physical interface WITH pre-classify.
SLA - agreement with provider to guarantee QoS mechanisms across their network based on your markings.
- Assures availability, loss, throughput, delay, and jitter.
End-to-end QoS
- To be effective, each hop in the path must have QoS configured similarly.
- Necessary in three locations
  - Campus - within the customer network
  - The edges - customer facing the provider, provider facing customer
  - On the provider network
QoS tasks
- Campus access switches
  - Speed/duplex settings
  - Classification
  - Trust
  - Phone/access switch configs
  - Multiple queues on switch ports, including priority for VOIP
- Campus distribution
  - L3 policing and marking
  - Multiple queues on switch ports, including priority for VOIP
  - WRED
- WAN edge
  - SLA definitions
  - LLQ
  - LFI
  - WRED
  - Shaping
- Provider cloud
  - Capacity planning
  - PHB
  - LLQ
  - WRED
Enterprise campus QoS implementation
- Implement multiple queues to avoid congestion
- Assign VOIP and video to highest priority queue
- Esablish trust boundaries
- Use policing to rate-limit excess traffic
- Use hardware QoS when possible
Control Plane Policing (CoPP)
- Applies QoS policy to traffic destined for the router
  - Routing protocols
  - Management protocols
- Can be used to avoid DOS attacks
- Applied to control-plane in global config

ONT Notes - Congestion Avoidance, Policing, Shaping, and Link Efficiency

Wed, 03 Feb 2010 00:00:00 +0000

Tail drop drawbacks
- TCP synchronization - Dropping TCP packets from different flows can cause them all to window down and back up again at the same time in cycles.
- TCP starvation - Non-TCP or aggressive flows can starve everyone else out when TCP throttles back.
- No differentiated drop - Tail drop doesn’t care who you are, so you get dropped if the queue is full.
RED - Random Early Detection
- Avoids tail drop by randomly dropping packets from the queue before it gets full
- Only dropped TCP flows slow down instead of everyone who has sent a packet since the queue filled
- Queues are smaller.
- Link utilization is more efficient
- Configured with
  - Minimum threshold - start dropping when the queue is this size
  - Maximum threshold - if the queue is this big, start tail dropping
  - Mark probability denominator (MPD) - 1/MPD is the ratio of packets to drop when between the thresholds
WRED - Weighted RED
- Based on IP precedence or DSCP values
- Less-important packets are dropped more aggressively than important packets
- Applied to an interface, VC or a class within a policy map
CBWRED - Class based WRED
- Configured with CBWFQ
Policing
- Limits subrate bandwidth (give you 100kbps on a T1)
- Limits traffic of certain applications
- Any traffic that exceeds police is dropped or re-classified; it’s a hard limit
- Inbound or outbound
Shaping
- Sets a limit but buffers any in excess
- Requires memory to store the buffer
- Buffers = delay and/or jitter
- Outbound only
- Can respond to network signals like BECNs and FECNs
Token and bucket
- The queue is a bucket; if a byte of data needs to be sent, it needs a token.
- If there are enough tokens, the traffic is considered conforming.
- If there aren’t enough tokens, the traffic is considered exceeding, which triggers the drop (policing), re-classify (policing), or buffer (shaping).
Frame relay traffic shaping (FRTS)
- Only controls frame relay traffic
- Applied on subif or DLCI
- Support fragmentation and interleaving
- Reacts to FECNs and BECNs
Compression
- Removed redundancy and patterns in data
- Less data = less latency
- Hardware compression or hardware-assisted compression does not involve the main CPU
- Software compression does
- Payload compression
- Header compression
Link fragmentation and interleaving
- Small data might be waiting for larger data pieces to finish sending
- Chunks data into smaller fragments so they don’t have to wait
- Interleaving shuffles flows in the Tx queue

ONT Notes - Queuing

Sun, 24 Jan 2010 00:00:00 +0000

Here are some more notes from my studies. Of course, no one cares about them but me, but it’s my blog. I’m sure someone will find it useful. Please help to correct dumbass mistakes.

Congestion
- Speed mismatch - traffic leaves a lower-bandwidth interface than the one it came in on
- Aggregation problem - lots of links with one egress of equal bandwidth
- Confluence problem - a bunch of traffic needs to egress out of the same interface
Queuing

ONT Notes – Classification, Marking, and NBAR

Fri, 22 Jan 2010 00:00:00 +0000

Here’s another set of notes from my ONT studies. I’m sure someone will find it useful. Please help to correct dumbass mistakes.

Classification is done with traffic desriptors
- Ingress interface
- CoS value on ISL or 802.1P frames
- Source/destination IP address
- IP Precedence or DSCP value
- MPLS EXP
- Application type
Layer 3 QoS
- Type of Service (ToS) is 8-bit field.
- First 3 bits of ToS are the IP precedence.
- First 6 bits of ToS are the DSCP value.
- Last 2 bits of ToS are explicit congestion notification (ECN).
Layer 2 QoS

ONT Notes - Intro to QoS

Thu, 21 Jan 2010 00:00:00 +0000

I’ll try to keep it a little shorter this time.

Major issues for converged enterprise networks

Available bandwidth: competition among applications
- Fixes
  - Increase bandwidth: More power!
  - Properly queue based on classification and marking: QoS
  - Compress: cRTP, TCP header compression, etc.
Delay: Lead time to get a packet to the destination
- Types of delay
  - Processing delay: routing, switch delay
  - Queuing delay: how long a frame stays in an output queue
  - Serialization delay: how long to put the frame on the wire
  - Propagation delay: the time to cross the physical medium
Jitter (delay variation): Variation is the delay
- Different delays mean different arrival times
- De-jitter buffers save up packets to reduce jitter (like the old CD writers)
- Fixes
  - More bandwidth
  - Prioritize sensitive data and forward first
  - Remark (reclassify) packets based on sensitivity
  - Enable L2 payload compression: make sure compression delay isn’t worse than the jitter
  - Use header compression
Packet loss: Packets are lost in the network somewhere
- Fixes
  - More bandwidth
  - Increase buffers space: more room for the queue on the interface
  - Provide guaranteed bandwidth: Queuing and QoS
  - Congestion avoidance
    - Random Early Detection (RED) and weighted RED (WRED) drop packets before the queue is full
    - Selective dropping is better than FIFO or LIFO dropping

QoS History

ONT Notes - VOIP Networks

Sun, 10 Jan 2010 00:00:00 +0000

Here are some of the notes I’ve been taking while reading over the ONT book. I hope it benefits somebody. Feel free to correct any stupid mistakes as a paraphrase to avoid a lawsuit.

There’s way too much info here. I’ll refine the process a little better for the next topics.

Benefits of Packet Telephony Networks

More efficient use of bandwidth and equipment - Packet telephony networks don’t dedicate channels or a static bandwidth to a call; it’s just another network application.
Consolidate network expense - The common infrastructure (IP-based networks) keeps you from having to support another distinct network for voice like in traditional PBX implementations.
Improved employee productivity - The phone can be used for more than just phone calls by utilizing the XML interface to run applications or provide content from the network.
Access to new communications devices - IP phones can communicate with computers, network gear, PDAs, etc., and not just the PBX.

Packet Telephony Components