
CCIE Security V4 Technology Labs Section 1: System Hardening and Availability


Congestion Management
Last updated: May 3, 2013

Task
Load the starting configuration files for task 1.17.
On R3, create a QoS policy to match ICMP traffic coming from VLAN 23 and mark it with a DSCP of AF12.
On R3, also create a policy that matches ICMP traffic coming from the Test PC on VLAN 11 and marks it with a DSCP of AF23.
ICMP traffic leaving the F0/0 interface should have the following policy applied:
  AF12 traffic should be given 25% of the interface bandwidth.
  AF23 traffic should be given 15% of the interface bandwidth.
  If any voice traffic is seen with a DSCP of EF, it should be priority queued and given 35% bandwidth.
  Remaining traffic should be fair-queued.

Explanation and Verification


Congestion management can take the form of policing or shaping data so that it conforms to the
policy set forth in the network. A CCIE candidate should be able to do this, as well as configure
basic QoS policies. This task does not require any policing, although other tasks have. It simply
tests your know-how of basic QoS configurations.

Start by configuring the policy on R3 to match ICMP traffic from vlan 23.
R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#access-list 101 permit icmp any any
R3(config)#class-map match-icmp
R3(config-cmap)#match access-g 101
R3(config-cmap)#policy-map mark-traffic
R3(config-pmap)#class match-icmp
R3(config-pmap-c)#set dscp af12
R3(config-pmap-c)#int f0/0.23
R3(config-subif)#service-policy input mark-traffic
R3(config-subif)#

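Now configure the policy to mark traffic coming in on VLAN 11 from the Test PC. The class below reuses ACL 101 (permit icmp any any), so it matches all ICMP arriving on f0/0.11 rather than only the Test PC's address.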

R3(config-subif)#exit
R3(config)#class-map match-test-pc
R3(config-cmap)#match access-group 101
R3(config-cmap)#policy-map mark-testpc
R3(config-pmap)#class match-test-pc
R3(config-pmap-c)#set dscp AF23
R3(config-pmap-c)#int f0/0.11
R3(config-subif)#service-policy input mark-testpc
R3(config-subif)#exit
R3(config)#

Create the queueing policy and apply it to the f0/0 interface. Understand that the policy cannot be
applied to a sub-interface.
R3(config)#class-map match-vlan23
R3(config-cmap)#match dscp AF12
R3(config-cmap)#exit
R3(config)#class-map match-vlan11
R3(config-cmap)#match dscp AF23
R3(config-cmap)#exit
R3(config)#class-map match-voice
R3(config-cmap)#match dscp ef
R3(config-cmap)#exit
R3(config)#policy-map QUEUE-OUT
R3(config-pmap)#class match-voice
R3(config-pmap-c)# priority percent 35
R3(config-pmap-c)#class match-vlan23
R3(config-pmap-c)#bandwidth percent 25
R3(config-pmap-c)#class match-vlan11
R3(config-pmap-c)#bandwidth percent 15
R3(config-pmap-c)#class class-default
R3(config-pmap-c)#fair-queue
R3(config-pmap-c)#interface f0/0
R3(config-if)#service-policy output QUEUE-OUT
R3(config-if)#

Verify the policy on each interface. You'll need to generate traffic from each respective vlan so that
the counters increment.

First we verify f0/0.23.

R3#show policy-map int f0/0.23

 FastEthernet0/0.23

  Service-policy input: mark-traffic

    Class-map: match-icmp (match-all)
      5 packets, 590 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 101
      QoS Set
        dscp af12
          Packets marked 5

    Class-map: class-default (match-any)
      110 packets, 12100 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

Next, verify f0/0.11.

R3#show policy-map int f0/0.11

 FastEthernet0/0.11

  Service-policy input: mark-testpc

    Class-map: match-test-pc (match-all)
      4 packets, 312 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 101
      QoS Set
        dscp af23
          Packets marked 4

    Class-map: class-default (match-any)
      362 packets, 26728 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

Now look at the queueing policy to ensure that each type of traffic gets its allocated bandwidth.

R3#show policy-map int f0/0

 FastEthernet0/0

  Service-policy output: QUEUE-OUT

    queue stats for all priority classes:
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 0/0

    Class-map: match-voice (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: dscp ef (46)
      Priority: 35% (35000 kbps), burst bytes 875000, b/w exceed drops: 0

    Class-map: match-vlan23 (match-all)
      10 packets, 1180 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: dscp af12 (12)
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 10/1180
      bandwidth 25% (25000 kbps)

    Class-map: match-vlan11 (match-all)
      8 packets, 624 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: dscp af23 (22)
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 8/624
      bandwidth 15% (15000 kbps)

    Class-map: class-default (match-any)
      207 packets, 22259 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops/flowdrops) 0/0/0/0
      (pkts output/bytes output) 207/23519
      Fair-queue: per-flow queue limit 16
R3#

Also note that the class-default is being fair-queued.
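
The verification above can also be scripted. The following is an added example, not part of the original lab: it parses the "show policy-map int f0/0" output and compares each class with the percentages and DSCP values the task asks for. The function names and the trimmed sample are this example's own.

```python
import re
# Egress policy the task asks for: class -> (DSCP name, action, percent).
EXPECTED = {"match-voice": ("ef", "priority", 35),
            "match-vlan23": ("af12", "bandwidth", 25),
            "match-vlan11": ("af23", "bandwidth", 15)}
# Trimmed copy of the "show policy-map int f0/0" output on this page.
SAMPLE = """\
Class-map: match-voice (match-all)
  0 packets, 0 bytes
  Match: dscp ef (46)
  Priority: 35% (35000 kbps), burst bytes 875000, b/w exceed drops: 0
Class-map: match-vlan23 (match-all)
  10 packets, 1180 bytes
  Match: dscp af12 (12)
  bandwidth 25% (25000 kbps)
Class-map: match-vlan11 (match-all)
  8 packets, 624 bytes
  Match: dscp af23 (22)
  bandwidth 15% (15000 kbps)
"""

def dscp_value(name):  # 'ef' is 46; 'afXY' is 8*X + 2*Y
    return 46 if name == "ef" else 8 * int(name[2]) + 2 * int(name[3])

def parse_policy(text):
    """Map each class name to its DSCP match, queueing action and counter."""
    classes, cur = {}, {}
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"Class-map: (\S+)", line):
            cur = classes.setdefault(m.group(1), {})
        elif m := re.match(r"(\d+) packets,", line):
            cur["packets"] = int(m.group(1))
        elif m := re.match(r"Match: dscp (\S+) \((\d+)\)", line):
            cur["dscp"] = (m.group(1), int(m.group(2)))
        elif m := re.match(r"(priority|bandwidth):? (\d+)%", line, re.I):
            cur["queue"] = (m.group(1).lower(), int(m.group(2)))
    return classes

def audit(text):
    """Return findings; an empty list means the output matches the task."""
    got, out = parse_policy(text), []
    for cls, (dscp, action, pct) in EXPECTED.items():
        c = got.get(cls, {})
        want = {"dscp": (dscp, dscp_value(dscp)), "queue": (action, pct)}
        out += [f"{cls}: {k} is {c.get(k)}, expected {v}"
                for k, v in want.items() if c.get(k) != v]
        if not c.get("packets"):
            out.append(f"{cls}: no packets matched yet")
    return out
```

Run against the output on this page, audit() reports only that match-voice has matched no packets, which agrees with the zero counters shown for the EF class.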
