Chainring Circus

The five elements of a Cisco wireless network read like an add right of some glossy, it’s here because there might be a question on the test:
Client devices — laptops, phones and
Mobility platform — Composed of lightweight access points (LWAP), wireless lan controller (WLC) and the wireless control system (WCS)
Network unification — WLCs allow for integration into the wired network
Network management — WCS for control and monitoring
Unified advanced services — Catch-all for marketing

There are two types of Cisco wireless implementations, Autonomous and Lightweight. As a networker who has worked on both, LWAP is the way to go. Management is much easier, mobility groups are your friend and because LWAPP is tunnels wireless interactions across the network to the WCS/WLC it makes it much easier to deploy in a split layer environment, L2 and L3 around campus depending upon location and need.

Autonomous APs — Each AP has its own configuration and operates independently. Configuration can be controlled through CiscoWorks WLSE.

LWAPs — Configuration, monitoring and security is centrally controlled through the WLC/WCS. This is the more scalable solution.

Wireless Lan Solution Engine (WLSE)

Provides basic management of autonomous APs:
• Configuration
• Fault and policy monitoring
• Reporting
• Firmware upgrades
• Radio management

Wireless Control System (WCS)

Provides advanced management of LWAPs:
• Location services
• “Self healing” — If you have a WCS you know what this means.
• Failover between WLCs
• Monitoring
• Configuration
• Firmware upgrades

Wired Equivalent Privacy (WEP)
Wired Equivalent Privacy (WEP) was the first implementation of wireless encryption, it has several weaknesses and should not be used. Weaknesses include:
• Weak encryption that has been broken
• Vulnerable to dictionary attacks
• Client trusts AP allowing for a rogue access point
• Keys must be manually distributed

802.1x Extensible Authentication Protocols (EAP)
EAP was originally developed for wired port access control and was adopted for wireless access control. The pieces for an EAP implementation require a client wireless card and supplicant, authentication server and access point that are all EAP capable. A wireless client can only transmit EAP traffic until it is authenticated, the RADIUS server authenticates the client and the client authenticates the server in a challenge and response. EAP was originally defined in RFC 2284, which was made obsolete by RFC 3748 and defined for wireless LANs in RFC 4017.

EAP Features:
• RADIUS authentication server
• Can use multiple encryption algorithms
• Dynamic WEP keys
• Encrypted passwords
• Centralized control

Cisco Lightweight Extensible Authentication Protocol (LEAP)
• Fast and secure roaming
• Single sign-on with various backends, AD, LDAP
• Widely supported; MS, MAC and Linux clients

Extensible Authentication Protocol – Flexible Authentication via Secure Tunneling (EAP-FAST)
• EAP-FAST is nonproprietary, defined in RFC 4851
• Mutual authentication of server and client by using the TLS handshake protocol
• Immune to man in the middle attacks
• Ability to use multiple password authentication backends
• Computationally efficient
• Does not require certificates

EAP-FAST consists of three phases:
1. Phase 0 — Client is dynamically provisioned with a Protected Access Credential (PAC) which can also be installed manually, so this phase is considered optional.
2. Phase 1 — Server and client use PAC to authenticate each other and establish a secure tunnel.
3. Phase 2 — Client sends credentials through tunnel for authentication.

Exensible Authentication Protocol – Transport Layer Security (EAP-TLS)
EAP-TLS was originally defined in RFC 2716 but was redefined by RFC 5216 in March of 2008, TLS enhancements were defined in RFC 4507. Uses public key infrastructure (PKI) meaning that both client and server need a certificate for authentication and the certificates must be issued by a certification authority (CA). Client is the supplicant, authenticator is the AP and the authentication server is the RADIUS server.

EAP-TLS Authentication Process:
1. Client associates to AP which restricts traffic to only EAP traffic.
2. AP requests identity which it then passes to the RADIUS server.
3. Client validates certificate and responds with EAP with it’s own certificate which starts cryptographic negotiations.
4. After the RADIUS server validates the client certificate it responds with the cryptographic specifications for the session.

Protected EAP (PEAP)
PEAP only requires the authentication server to have a certificate.

PEAP has two phases:
• Phase 1 – The client authenticates the server using the CA to verify its certificate and an encrypted TLS tunnel is created with the client.
• Phase 2 – Client is authenticated using industry supported authentication.

PEAP has two authentication implementations:
• Generic Token Card (GTC) (PEAP-GTC ) for client authentication using Novell or LDAP.
• Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) version 2 (PEAP-MSCHAPv2) for MS single sign-on.

WPA
WPA with TKIP can now be broken in a minute. It is not recommended for use, however it is still on the test. WPA with TKIP encryption was developed as an interim standard, created to maintain backward compatibility with hardware that had supported WEP. WPA performs authentication using either 802.1x/EAP or with preshared keys prior to the key management phase. WPA uses Temporal Key Integrity Protocol (TKIP) and Message Integrity Check (MIC) and per-packet keying (PPK) in an attempt to make it more secure.

802.11i or WPA2
802.11i is known more commonly as WPA2 and refers to the approved implementation of members of the Wi-Fi Alliance. It provides stronger encryption, AES rather than the weaker RC4 used by WEP and WPA. As a result it commonly required a hardware upgrade.

Keys WPA2 facts from the ONT book:
• Uses 802.1x for authentication
• Uses similar method of key distribution and renewal as WPA
• Supports Proactive Key Caching (PKC)
• Has Intrusion Detection System (IDS)

WPA/WPA2 provide two modes of operation:
• Personal mode — Authentication is performed using PSK
• Enterprise mode — 802.1x/EAP and AAA/Radius server is used for authentication

I will end with this quote, I wish I could find the reference but it is probably from the ONT book:

Some people mistakenly think that if the AP is configured not to broadcast its SSID, they have a secure wireless LAN; that is not true. When a legitimate wireless client with the correct SSID attempts to associate with its AP, the SSID is exchanged over the air unencrypted; that means that an illegitimate user can easily capture and use the SSID.

Additional resources:
NetCraftsmen Examining 802.1x and EAP
IEEE 802.1x Standard Document
TLS Deployment Guide
EAP, RFC 2284, RFC 3748
EAP Wireless, RFC 4017
EAP-FAST, RFC 4851
EAP-TLS, RFC 2716, RFC 5216
TLS Enhancements, RFC 4507

Note
Where to begin? For each chapter from the ONT book I read that chapter, read the same topics in the QoS Exam Certification Guide, begin to take notes and then decide what feels lacking in my understanding. From that gut feeling I begin to branch out, starting with Cisco documentation, then trustworthy sources on the net.

WLAN QoS has morphed on me. ONT covers split-mac, WMM and implementation with coverage of 802.11e nearly non-existent. Not only that, but the portions of 802.11 covered in the book are narrow. For instance 802.11 defines two channel access mechanisms, distributed coordination function (DCF) which is covered, but point coordination function (PCF) is not even mentioned. As a result, I’m just going to fill in what makes sense to me as I believe having a basic understanding of WLAN QoS and wireless in general is the purpose of the wireless section anyway.

Definitions:
• 802.11e — QoS extensions for WLANs.
• Wi-Fi Multimedia (WMM) — A subset of 802.11e with four access categories; voice, video, best effort and background. The WCS breaks them out as platinum, gold, silver and bronze.
• Contention Window — CWmin and CWmax — Define the the range of the contention window, the back off timer in CSMA/CA. A client with a voice CWmin waits less time to send than a client in the best effort access category that has a larger CWmin.
• Arbitrary Inter-Frame Space Number (AIFSN) — Controls the idle time, after which a client may transmit.
• Transmission Opportunity (TXOP) — The time interval, start and maximum duration, a client holds the channel and is able to send data.

802.11 Basics
Wired clients use carrier sense multiple access with collision detection (CSMA/CD) to determine whether they can transmit, however, one of its cousins is token ring which is rarely used today. In the same manner wireless access has two channel access mechanisms, distributed coordination function (DCF) and point coordination function (PCF). Like token ring, PCF is rarely used. DCF uses carriers sense multiple access with collision avoidance (CSMA/CA) which on it’s own provides best effort delivery.

Distributed Coordination Function (DCF) is composed of two main components:
1. Interframe spaces — SIFS, PIFS and DIFS control access to the channel.
2. Contention window — The random backoff timer.

Interframe spacing is a portion of the time a client or AP waits before sending frames on the channel. It is independent of the backoff time or contention window.
• Short Interframe Space (SIFS) — 802.11 management frames and those not expecting contention because they are port of a sequence of frames.
• Point Coordination Function Interframe Space (PIFS) — Used by an AP to decide when to send, shorter than DIFS giving the AP priority over data, but longer than SIFS giving flows priority. SIFS < PIFS < DIFS
• Distributed Coordination Function Interframe Space (DIFS) — When a client begins to send new data it waits DIFS, checking for a clear channel before sending.

WLAN QoS
802.11e and Wi-Fi multimedia (WMM) provide QoS for wireless networks. WMM was implemented by the Wif-Fi Alliance before 802.11e was ratified. I think of it as wireless QoS light as it implements a subset of 802.11e. 802.11e and WMM use Enhanced DCF (EDCF) to provide proportional back-off window sizes for each class.

802.11e

802.11e defines enhancements to 802.11 Medium Access Control (MAC) to provide QoS features by using features from both PCF and DCF in what is called Hybrid Coordination Function (HCF).
• 802.11e provides eight priority levels, 0 through 7.
• Different acknowledgement rules provide greater efficiency in being able to send data.
• Piggybacking allows data to be sent with poll requests and ACKs improving network performance.
• Allows for contention free bursts, clients and APs are able to send several frames without contention.

HCF has two modes of operation:
• Enhanced Distribution Coordinate Access (EDCA)
• HCF Controlled Channel Access (HCCA)

Enhanced Distribution Coordinate Access (EDCA) is an extension to DCF that uses contention based access while providing prioritized access to the channel.
EDCA has four key components:
• CWmin with higher priority assigned a shorter CWmin.
• CWmax
• TXOP limit specifies the maximum duration a client can transmit, makes channel access more efficient.
• Arbitration Inter-Frame Space (AIFS) specifies additional time between when a channel goes idle and the client starts to send. Each access class is assigned a different AIFS to further differentiate QoS.

HCF Controlled Channel Access (HCCA) is polling based and is uses a coordinator to centrally manage access.
• HCCA can poll clients during the contention period.
• Supports scheduling of packets based on traffic flow requirements.
• The coordinator has the highest priority access.

Wi-Fi Multimedia
802.11e priorities can be mapped to WMM access categories for backward compatibility:

The image below is my recreation of a figure out of the Wi-Fi Alliance documentation below. It explains the interaction between AIFSN, CWmin/CWmax and it’s affect on WMM. In essence a voice client waits less time before trying to retransmit than a lower access category and will therefore have a better chance at sending data, it is not a strict priority system. Click here for a better view of the image.

Split MAC Architecture
Centralizes wireless LAN configuration and control onto the wireless lan controller (WLC). Access points are lightweight and cannot act independently of a controller. The wireless LAN controller manages the access point configurations and firmware. The access points handle only real-time MAC functionality, leaving all the non-real-time MAC functionality to be processed by the wireless LAN controller.

WLC manages:
• Channel assignment
• Association, disassociation and reassociation
• 802.11e and WMM resource reservation
• Transmit power optimization
• Self-healing wireless coverage
• Dynamic client load balancing

LWAP manages:
• Transmission of beacon frames
• Probe transmission and response
• 802.11e and WMM scheduling and queuing
• Buffering frames for clients
• Monitoring each radio channel for noise and interference

Light weight access point protocol (LWAPP)
Light weight access point protocol (LWAPP) is used to communicate between the WLC and the APs. Wireless LAN client data packets are encapsulated in LWAPP between the access point and the wireless LAN controller. When a wireless LAN client sends a packet, it is received by the access point, decrypted if necessary, encapsulated with an LWAPP header and forwarded to the controller. At the controller, the LWAPP header is removed and the frame switched from the controller onto a vitrual LAN (VLAN) in the switching infrastructure.

There are two types of LWAPP traffic, control messages and client data.

LWAPP control messages:
• Used to configure the LAP and manage its operation.
• Authenticated and encrypted, the LAP is securely controlled by only the WLC.
• Classified automatically with a DSCP of CS6.
• Identified by UDP port 12223

LWAPP data:
• Packets to and from wireless clients associated with the LAP.
• The data is encapsulated within LWAPP but is not encrypted.
• The default classification for WLAN data traffic is best-effort.
• Identified by UPD port 12222

Additional Sources:
WMM from Wi-Fi.org
WLAN Tuning
Cisco Mobility Design Guide
LWAPP Traffic Study
WLC Deployment Guide
Intel QoS Paper
European Wireless Conference Paper

Click here for a better image.

You can download the initial configuration files here.

The only difference between this lab and CBWFQ is making it LLQ. I would not do these one after the other, intersperse another lab, or do CBWFQ and then change it to LLQ.

To prepare for this lab only turn on one 800K link between R1 and R2, and the link between R4 and R1 for traffic generation. If you want traffic to make it around the lab then configure to your hearts content.

On R1:

• Create access lists web, control and print.
• Create class maps web, control and print.
• Put http, ftp, pop3 and smtp in the web class map.
• Put ntp, ssh, telnet and x11 in control.
• Put 9100 in print..
• Create the policy map cbwfq and give these bandwidth percentages; web: 30%, control: 20%, print: 10%.
• Make the control group the priority queue.
• Apply the configuration to S0/0.
• Confirm the configuration and debug it.

Here are the protocols for which traffic is generated from our traffic generation configuration file:

Answer is below:

R1 Configuration for CBWFQ:

Confirm the configuration:

Debug the configuration:

Click here for a better image.

You can download the initial configuration files here.

To prepare for this lab only turn on one 800K link between R1 and R2, and the link between R4 and R1 for traffic generation. If you want traffic to make it around the lab then configure to your hearts content.

On R1:

• Create access lists web, control and print.
• Create class maps web, control and print.
• Put http, ftp, pop3 and smtp in the web class map.
• Put ntp, ssh, telnet and x11 in control.
• Put 9100 in print..
• Create the policy map cbwfq and give these bandwidth percentages; web: 30%, control: 20%, print: 10%.
• Apply the configuration to S0/0.
• Confirm the configuration and debug it.

Here are the protocols for which traffic is generated from our traffic generation configuration file:

Answer is below:

R1 Configuration for CBWFQ:

Confirm the configuration:

Debug the configuration:

http://www.cisco.com/en/US/docs/ios/12_0t/12_0t5/feature/guide/cbwfq.html

Click here for a better image.

You can download the initial configuration files here.

To prepare for this lab only turn on one 800K link between R1 and R2, and the link between R4 and R1 for traffic generation. If you want traffic to make it around the lab then configure to your hearts content.

On R1:

• Use priority list number 4.
• Set smtp and pop3 with a high priority.
• Set ssh and X11 with medium priority.
• Set http, ftp and ntp as low priority.
• Set telnet as normal priority.
• Set the default priority as low.
• Apply the configuration to S0/0.
• Confirm the configuration and debug it.

Here are the protocols for which traffic is generated from our traffic generation configuration file:

Answer is below:

R1 Configuration for PQ:

Confirm the configuration:

Debug the configuration:

Auto QoS has two versions AutoQoS VOIP for switches and routers which was developed first to deploy QoS without the need for QoS experience. The second is AutoQoS Enterprise, is for routers only and requires a two step deployment process.

There are five key elements of QoS design and deployment.

1. Application Classification
2. Policy Generation
3. Configuration
4. Monitoring
5. Consistency

AutoQos VOIP
Oriented to make VOIP traffic work well (duh).
Follows Cisco best practices for QoS tools for VOIP.

AutoQoS requirements:
Requires CEF be enabled first.
Cannot be used on an interface with a previous service policy command configured.
Bandwidth command should be configured with the correct bandwidth, AutoQoS VOIP relies upon this setting.
Supports only point-to-point subinterfaces on Frame Relay interfaces.

Commands to implement AutoQoS VOIP:
(config)#int s1/0
(config-if)#auto qos voip

Command to remove AutoQoS VOIP:
(config)# no auto qos voip
Unless you have made local changes, then you will have to remove it manually.

Confirmation commands for AutoQoS VOIP:
(config)# show auto qos
Shows configuration generated by autoqos voip, will not show changes made to the QoS configuration.
(config)# show auto qos int s1/0
Shows the policy map on the interface
(config)# show run
Shows config as it is, with local changes to the policy.

When connecting to a trusted switch or router, use the command:
(config-if)# auto qos voip trust
This router implicitly trusts the DSCP marking sent on this interface.

When the possibility exists to connect to a phone:
(config-if)# auto qos voip cisco-phone
The switch will then use CDPv2 to check if it is a Cisco phone on the other end the trust boundary is extended.

AutoQoS Enterprise
Designed to expand the use of QoS from voice to include video, and data without an in-depth knowledge of QoS, PPP, frame relay, ATM and LFI. AutoQoS Enterprise uses a two step deployment process, the first being auto-discovery or data collection, the second step is AutoQoS template generation and installation.

AutoQoS Enterprise addresses five key elements of QoS design and deployment.

1. Application Classification — Uses NBAR and CDPv2 to classify traffic.
2. Policy Generation — AutoQoS Enterprise generates
3. Configuration — Easily configured.
4. Monitoring
5. Consistency

Auto-Discovery
Started with the command:
(config-if)# auto discovery qos [trust]

In trust mode auto-discovery trusts the DSCP values in the IP header and uses it to classify packets, collect bandwidth statistics, calculate traffic average and traffic peak rate, then passes the data to the template module.

In untrust mode auto-discovery uses NBAR to detect application on the network to collect data and perform statistical analysis.

To show the data that has been collected:
# show auto discovery qos [interface [interface type]]

AutoQoS template generation and installation
The second stage uses the discovery results to generate class and policy map templates.

The class-map templates generated are used to classify applications and map them to classes for DiffServ PHB. AutoQoS Enterprise can define as many as 10 classes, which are designed to accommodate various enterprise applications.

Below is the table of classes and their PHB from the Cisco document “AutoQoS for the Enterprise.”

The policy-map templates define interface queuing and minimum bandwidth. The templates created depend on the type of interface and bandwidth configured on the interface, which is why it is so important to define bandwidth correctly. Networkers can tune the policy-map if needed.

To show the auto qos class and policy maps:
# show auto qos [interface [interface type]]
# show policy-map interface [interface type]

AutoQoS Issues:
AutoQoS may not work well for corner cases.
Creates too many traffic classes.
Does not adapt to changes in the network.

Diagnosing AutoQoS:
show auto qos
Class map match and set commands show how the traffic is marked.
Policy map priority and bandwidth show queue type and bandwidth guarantee.

Some common statements:
! Where does the traffic originate.
match input interface int
! Layer 2 CoS values.
match cos cos-value
! Layer 3 IP precedence
match ip precedence ip-prec-value
! Layer 3 IP DSCP
match ip dscp ip-dscp-value
! RTP port value
match ip rtp port-number port-range

References used besides ONT and the QoS Exam Certification Guide:

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t11/feature/guide/ft_aqose.html#wp1050762

http://www.cisco.com/en/US/technologies/tk543/tk879/technologies_white_paper0900aecd800a8561.html

https://www.cisco.com/en/US/technologies/tk543/tk879/technologies_white_paper0900aecd800a8561_ps6613_Products_White_Paper.html

Qos Pre-Classify
The point of the qos pre-classify command is to be able to read and manipulate the IP header of a packet going through a VPN. The problem is that when a packet enters a VPN it is encrypted, header and all. After this command is applied, the router makes a copy of the original IP header so that you can perform QoS manipulation at egress on an interface.

Actually if the ToS byte (DSCP, ECN or IP Precedence) is the only portion of the header that needs manipulation you don’t need qos pre-qualify, however, if you need access to source or destination ip address or port numbers then you need the qos pre-qualify command.

This is better stated on page 231 of the QoS Exam Certification Guide:
Packets entering a router interface, not yet in a VPN tunnel, can be processed with ingress QoS features on that interface just like always.

Packets exiting a router interface, after encapsulation and encryption by that router into a VPN tunnel, cannot be processed with egress QoS features on that interface just like always. The Egress QoS features can only examine the post-encapsulation IP header.

That is why qos pre-classify makes a copy of the original IP header. The command qos pre-classify turns on pre-classification and is restricted to tunnel interfaces, virtual templates, and crypto maps, it is not available on any other interface type.

Applying a QoS policy to a physical interface causes that policy to affect all tunnel interfaces on that physical interface. Applying a service policy to a tunnel interface affects that particular tunnel only and does not affect other tunnel interfaces on the same physical interface.

The configuration below only applies qos pre-classify to the tunnel interface:

From page 195 of the ONT book:

• To classify packets based on the pre-tunnel header, apply the QoS policy to the tunnel interface without QoS pre-classify.
• To classify packets based on the post-tunnel header, apply the QoS policy to the physical interface without QoS pre-classify.
• To classify packets based on the pre-tunnel header, apply the QoS policy to the physical interface and enable QoS pre-classify.

Generic Routing Encapsulation (GRE)
Generic Routing Encapsulation (GRE) is a tunneling protocol developed by Cisco that can encapsulate a wide variety of protocol packet types inside IP tunnels, including routing protocols, multicast packets and non-IP traffic. GRE tunnels create a virtual point-to-point link between Cisco routers at remote points over an IP internetwork. GRE itself does not provide data confidentiality using encryption.

IPSec Authentication Header (IPSec AH)
IPSec Authentication Header (IPSec AH) is a security protocol that provides authentication and optional replay-detection services. Transport mode is applicable only to host implementations and provides protection for upper layer protocols, in addition to selected IP header fields. AH can be used either by itself or with Encryption Service Payload (ESP).

Tunnel mode AH may be employed in either hosts or security gateways. When AH is implemented in a security gateway to protect transit traffic tunnel mode must be used.

IPSec AH is documented in RFC 2402.

Click here for a better image.

IPSec Encapsulating Security Payload (ESP)
IPSec Encapsulating Security Payload (ESP) is documented in RFC 2406.

The ESP header is inserted after the IP header and before the upper layer protocol header for transport mode or before an encapsulated IP header in tunnel mode.

Click here for a better image.

Tunnel mode in both IPSec ESP and IPSec AH the original packet header ToS byte is copied to the encapsulating IP packet header ToS byte and is available for QoS purposes. In transport mode, the entire original IP header is available for QoS processing in both.

End-to-End QoS
This may sound rudimentary, but in order to reap the benefits of QoS, it must be deployed consistently throughout an AS. At the access layer trust must be set appropriately, the correct queues on created on switch ports with priority queuing for VOIP. At the distribution layer you should employ layer 3 policing and marking, have the correct queues created, priority queuing for VOIP and use WRED in data queues. At the AS edge you should employ classification and marking, WRED, LLQ and LFI.

Now that service providers offer layer 3 hand-off it is more important to coordinate QoS setting with you provider. Layer 3 allows them more flexibility in in how they handle traffic. Typical service provider SLAs include up to five traffic classes, ranging from real-time to best effort.

These are the guidelines for implementing QoS in an AS taken from page 189 of ONT book:

• Classify and mark as close to the source as possible.
• Police traffic as close to the source as possible.
• Establish proper trust boundaries.
• Classify and mark real-time voice and video as high-priority traffic.
• Use multiple queues on transmit interfaces.
• Try to perform hardware-based rather software-based QoS.

Control Plane Policing
The control plane of a Cisco router includes the data plane, management plane and service plane. Control plane policing allows you to build QoS filters to protect the router against DoS attacks.

Documentation referenced in this post:
CCNP ONT Official Exam Certification Guide
Cisco QoS Exam Certification Guide, Second Edition

Quality of Service Options on GRE Tunnel Interfaces, Document ID: 10106
RFC 2402
RFC 2406

For both of those people who read my blog regularly, hi mom, I want to say that I have not really been slacking. I have been typing up flashcards for the iPhone. I downloaded a number of flashcard apps for the iPhone to figure out which one I liked and decided on Flashcards Deluxe. It has the most intuitive user interface and it allowed me to easily download my own flashcards without having to join some portal. Unfortunately it is not cheap, but I am willing to pay for a quality application.

This actually plays toward my longterm goal of trying for my CCIE. Greg Ferro over at Etherealmind had a post about how he uses Mental Case for his flash cards, but Mental Case did not fit my work flow. I made paper 3×5 cards for BSCI and BCMSN but wanted something that would work long term, and quite frankly 1,000 paper flashcards just doesn’t seem reasonable down the stretch. So this is my attempt to not have to redo flashcards in the future.

I have been reticent about posting these flashcards because they are taken straight from the book. I decided to share them because there is only six months left to take these tests and no one will care except those who have purchased the books and are getting ready for this version of the CCNP. If anyone from Cisco Press has a problem please contact me and I will remove them.

To add these flashcards to your phone, in Flashcards Deluxe choose to add a private deck, choose Deck Code and point it to http://chainringcircus.org/files/ont-chx-description.csv then you can download the cards and study. If you prefer to try before you buy, Flashcards Deluxe Light is free but only allows four flashcards, in that case download test.csv.

I have not used all of the cards yet so there may be some formatting changes. I will post another entry any time I add new sets or make changes to the current sets.

Hope this helps and good luck studying.

There are three main quality of service concepts: congestion avoidance, traffic shaping and policing, and link efficiency mechanisms.

Congestion Avoidance:

Tail Drop
Tail drop causes problems with the network because it is not “smart” in how it deals with dropping traffic. Once the hardware and software queues become full it just starts dropping packets regardless of application, destination or need.

Global synchronization and TCP starvation are the result of tail drop.

• TCP Global Synchronization — When tail drop occurs all TCP based applications go into slow start, bandwidth use drops and queues clear. Once the queues clear flows increase their TCP send window until they start to receive dropped packets again. It results in waves peak utilization coupled with sudden drops in utilization, resulting in waves of traffic.
• TCP Starvation — TCP tries to work well in the network by backing off on bandwidth when packets are dropped, called slow start, but UDP does not. As a result when TCP traffic slows to deal with dropped traffic, UDP traffic does not slow, resulting in queues being filled by UDP packets, starving TCP of bandwidth.

Random Early Detection (RED)
Statistically RED drops more packets from aggressive flows than from slower flows and only flows who have packets dropped slow down, avoiding global synchronization.

RED measures the average queue depth to decide whether or not to drop packets because the average queue depth changes more slowly than the actual depth.

RED has three configuration parameters: minimum threshold, maximum threshold, and mark probability denominator (MPD).

Once the depth reaches the minimum threshold packets begin to be dropped and once it exceeds the maximum threshold there is effectively tail drop. Everything in between is governed by the mark probability denominator.

The mark probability denominator sets the maximum percentage of packets discarded by RED. IOS calculates the maximum percentage using the formula 1/MPD. For instance, an MPD of 10 yields a calculated value of 1/10, meaning the maximum discard rate is 10 percent.

The following table is from page 425 of the QoS Exam Certification Guide and shows how the minimum threshold, maximum threshold and queue depth all interact.

Weighted Random Early Detection
WRED behaves the same as RED, except that WRED differentiates between IP precedence or DSCP value. The ONT book and the QoS Exam book both cover the same example of WRED, just in different levels of detail. Personally if you understand the concepts from the chart above with the min and max thresholds, the following charts will explain everything. When an interface starts to become congested, WRED discards lower priority traffic with a higher probability. By default in IOS lower precedence flows have smaller minimum thresholds and will therefore begin dropping packets before higher precedence flows. As the queue passes a threshold, for instance 22 packets for packets with a precedence of 1, then packets with precedence 0 and 1 will be dropped.

The tables below are taken from pages 430 and 431 of the QoS Exam Certification Guide.

This table is for IP Precedence based WRED defaults.

This table is for IOS DSCP-Based WRED defaults.

Class-Based Weighted Random Early Detection (CBWRED)
CBWRED is configured by applying WRED to CBWFQ. Remember, by default CBWFQ performs tail drop by default. By default WRED is based on IP precedence as seen in the chart above, it has eight profiles pre-defined. To me it is a joy to be able to look at the following configuration and understand it’s meaning. This is how to configure CBWRED from page 159 in the ONT book. Notice that they are just configuring the defaults from IOS as seen in the chart above. By tying it all together the configuration makes more sense.

And the same configuration using DSCP.

To verify configuration use the show policy-map interface command.

Traffic Policing and Shaping

Providers commonly police traffic while subscribers commonly shape traffic.

Policing restricts the amount of bandwidth into or out of an interface. Traffic policing discards or re-marks excess packets so that the overall rate defined is not exceeded. Whenever the physical clock rate exceeds the traffic contract, policing may be needed, called subrate access. Policing protects a network from being overrun by traffic.

• Limit the rate of traffic to less than what an interface can support, subrate access.
• Rate limit traffic classes.
• Re-mark traffic to a lower class.

Traffic shaping applies only to outbound traffic. Traffic shaping buffers excess packets in a queue that are then sent at the shaping rate, introducing variable delay and jitter.

• Shape traffic to match provider policing rate.
• Slow traffic to a congested destination.
• Send separate traffic classes at different rates.

Shaping Terminology from page 346 of the QoS Exam Certification Guide.

• Tc — Committed time interval, measured in milliseconds over which the committed burst (Bc) can be sent.
  Tc = Bc/CIR or Tc = Bc/Shaped Rate
• Bc — Committed burst size, measured in bits. The amount of traffic that can be sent over time Tc. Commonly defined in the traffic contract.
  Bc = Tc * CIR or Bc = Tc * Shaped Rate
• CIR — Committed information rate, in bits per second, defined in the traffic contract.
• Shaped Rate — The rate in bits per second configured. This can be equal to or greater than the CIR.
• Be — Excess burst size, in bits. The number of bits greater than Bc that can be sent after a period of inactivity.

CIR (bits per second) = Bc (bits) / Tc (second)

Link Efficiency Mechanisms

The bandwidth gained by compression must be more important than the delay added by compression processing or you should not use compression.

Layer 2 Payload Compression

• Performed on a link by link basis.
• Compresses the entire layer 2 payload.
• Increases processing delay due to computation.
• Decreases serialization delay because packets are smaller.
• Increases available bandwidth because packets are smaller.
• Can be performed in both hardware and software, software compression is not recommended.

Header Compression
Generally headers of the packets in a single flow are identical, therefore instead of sending the same header over and over, an index that refers to that entire header is sent instead. On the receiving end, the index is referenced and the real header is married back with the packet to be forwarded.

• Performed on a link by link basis.
• Header compression is not CPU intensive.
• The payload is not compressed, only the headers.
• Can be used with TCP or RTP.
• Best when dealing with small packets because proportionally the header takes up a larger percentage of the packet.
• RTP header compression is good for voice because voice uses smaller packets.

Header Compression Configuration
To configure header compression, the interface command ip tcp header-compression must be configured on both ends of a link.

Confirm that header compression is active:

Link Fragmentation and Interleaving (LFI)
LFI tries to lower delay by attacking the problem of serialization delay.
Serialization delay is the time required to send a frame over a physical link. This is not trivial on slower clocked physical interfaces such as 56k links.

LFI reduces serialization delay by making sure large packets do not delay smaller packets. It fragments large packets and interleaves smaller packets between the fragments of the large packets being sent.

The following process for how LFI works is taken from page 477 of the QoS Exam Certification Guide, please note the differentiation between the use of the word packet and frame because it makes a difference in this description.

• The router fragments the packet into smaller pieces.
• The router adds the appropriate data-link headers and trailers, including any headers specifically needed for fragmentation support.
• The length of the resulting frames (including data-link headers/trailers) does not exceed the fragmentation size configured.
• The router adds these frames to the appropriate queue.