May 10, 2014

How to configure QoS on Switch

Typically, networks operate on a best-effort delivery basis, which means that all traffic has equal priority and an equal chance of being delivered in a timely manner. When congestion occurs, all traffic has an equal chance of being dropped. Implementing quality of service (QoS) enables you to control bandwidth allocation to different services available in your network by classifying, policing, marking, and queuing packets. Before implementing QoS, it is crucial that you understand what traffic you are looking at and see how it flows through the network, end to end. Important on the wired side (switch):

■ Do not forget to enable QoS globally: mls qos
■ On trunks, trust Layer 2 QoS: mls qos trust cos
■ On nontrunks, trust Layer 3 QoS: mls qos trust dscp
■ Tune default CoS-to-DSCP or DSCP-to-CoS mappings where necessary: mls qos map cos-dscp or mls qos map dscp-cos

■ Configure a QoS policy (optional).
■ Classify traffic into classes (class-map)
■ Configure the policy for each class (policy-map)
■ Attach the policy to the interface(s).
 
 
! Configure QoS on Switch !
--------------------------------------------------------------------
mls qos
! CoS-to-DSCP: only CoS 5 changes from the default (40) to 46 (EF)
mls qos map cos-dscp 0 8 16 24 32 46 48 56
mls qos map dscp-cos 24 to 3
mls qos map dscp-cos 46 to 5

do sh mls qos map
   Cos-dscp map:
        cos:   0  1  2  3  4  5  6  7
     --------------------------------
       dscp:   0  8 16 24 32 46 48 56

--------------------------------------------------------------------
 
 
 
Important for voice implementations:
  • Create a QoS policy giving priority to voice (RTP) and call control (SCCP) traffic, and apply that profile to the desired interfaces.
  • Be sure that RTP packets have the proper QoS markings and that other protocols are not using the same QoS markings.
  • Enable Differentiated Services Code Point (DSCP) preservation on the Cisco IOS switch and/or use a QoS policy to set DSCP to EF for RTP traffic (UDP port range 16384–32767) on the Cisco IOS router.
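The four steps above (class-map, policy-map, attach, trust) carried through for the voice case, as an added example that is not part of the original post. It targets a Catalyst 3560/3750 access switch running 12.2(55)SE-style syntax; the interface numbers, VLAN numbers and the ACL, class and policy names are assumed for illustration. One caveat on the mapping block earlier on this page: the DSCP-to-CoS entries for 24 and 46 are already the defaults (CoS = DSCP / 8), so the only non-default mapping the post actually changes is CoS 5 to DSCP 46.

```cisco
! Added example, not from the original post: complete voice QoS policy on a
! Catalyst 3560/3750 access switch. Interface numbers, VLAN numbers and the
! ACL/class/policy names below are assumed for illustration.
mls qos
!
! Step 1 - identify the traffic. RTP uses the UDP port range 16384-32767;
! SCCP (Skinny) call control uses TCP port 2000 in either direction.
ip access-list extended VOICE-RTP
 permit udp any any range 16384 32767
ip access-list extended VOICE-SCCP
 permit tcp any any eq 2000
 permit tcp any eq 2000 any
!
! Step 2 - classify into classes (class-map)
class-map match-all VOICE-BEARER
 match access-group name VOICE-RTP
class-map match-all VOICE-SIGNALING
 match access-group name VOICE-SCCP
!
! Step 3 - mark each class (policy-map). Everything that is not voice is
! re-marked to DSCP 0, so a host cannot obtain EF treatment by pre-marking
! its own packets (the "other protocols must not use the same markings" rule).
policy-map VOICE-EDGE-IN
 class VOICE-BEARER
  set dscp ef
 class VOICE-SIGNALING
  set dscp cs3
 class class-default
  set dscp 0
!
! Step 4 - attach the policy inbound on the access port; the uplink trunk
! trusts the CoS that the access layer has already set.
interface GigabitEthernet1/0/5
 description IP phone / PC access port (assumed)
 switchport access vlan 10
 switchport voice vlan 110
 service-policy input VOICE-EDGE-IN
!
interface GigabitEthernet1/0/24
 description uplink trunk (assumed)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 mls qos trust cos
!
! Verification
show mls qos interface GigabitEthernet1/0/5
show mls qos maps cos-dscp
show policy-map VOICE-EDGE-IN
```

The input policy on the access port overrides any trust setting for the traffic it classifies, which is the point: the marking decision is made by the switch, not by the endpoint.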
 

How to configure NTP in the Wireless Lab

In the CCIE Wireless Lab, we need to synchronize time with NTP on the switch, the WLC, and the autonomous AP.
A lightweight AP (LAP) cannot join the WLC if the time is not current.


What is NTP?

Network Time Protocol (NTP) is a protocol designed to synchronize time between network devices. NTP runs over UDP port 123. Proper time synchronization is crucial when setting up a Unified Wireless Network. In addition, proper time synchronization helps you correlate log files.

NTP uses the concept of a “stratum” to describe how many NTP “hops” away a machine is from an authoritative time source. A “stratum 1” time server typically has a radio or atomic clock directly attached, a “stratum 2” time server receives its time through NTP from a “stratum 1” time server, and so on. A machine running NTP will automatically choose as its time source the machine with the lowest stratum number that it is configured to communicate with through NTP.

The communications between machines running NTP (known as associations) are usually statically configured; each machine is given the IP address of all machines with which it should form associations.

Simple Network Time Protocol (SNTP) is a simplified, client-only version of NTP that is used on autonomous access points. SNTP can only receive the time from NTP servers; it cannot be used to provide time services to other systems. SNTP typically provides time within 100 milliseconds of the accurate time, but it does not provide the complex filtering and statistical mechanisms of NTP.


Example for Basic NTP Commands
-------------------------------------------------------------------
! Configure NTP on the Switch !
Switch(config)# clock timezone UTC 0
Switch(config)# ntp server 192.168.129.13

! Configure NTP on the WLC !
(WLC) > config time ntp server 1 192.168.129.13
! Polling interval in seconds (3600 = one hour)
(WLC) > config time ntp interval 3600

! Configure SNTP on the Autonomous AP !
AP(config)# sntp server 192.168.129.13

! show commands on Switch !
show clock
show ntp status

! show commands on WLC !
show time
-------------------------------------------------------------------
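Because the LAP join depends on the controller's clock being correct, an unauthenticated NTP association is a weak point: any host that can answer on UDP 123 can move the clock. The same setup with NTP authentication, as an added example that is not part of the original post. The key string is a placeholder; key index 1 and WLC server index 1 are assumed, and the WLC key-auth commands are assumed to be available on the controller release in use.

```cisco
! Added example, not from the original post: authenticated NTP so that only
! replies signed with the shared key can set the clock. Key string is a
! placeholder; key index 1 and WLC server index 1 are assumed.

! Switch (Cisco IOS)
Switch(config)# clock timezone UTC 0
Switch(config)# ntp authenticate
Switch(config)# ntp authentication-key 1 md5 REPLACE-WITH-SHARED-KEY
Switch(config)# ntp trusted-key 1
Switch(config)# ntp server 192.168.129.13 key 1 prefer

! WLC (key-auth commands assumed available on this controller release)
(WLC) > config time ntp server 1 192.168.129.13
(WLC) > config time ntp key-auth add 1 md5 ascii REPLACE-WITH-SHARED-KEY
(WLC) > config time ntp auth enable 1 1
(WLC) > config time ntp interval 3600

! Verification on the switch: "show ntp status" should report
! "Clock is synchronized", and the server line in
! "show ntp associations detail" should include "authenticated".
Switch# show ntp status
Switch# show ntp associations detail
Switch# show clock detail
```

If the association never reaches the synchronized state after enabling authentication, the usual cause is a key or key-index mismatch between the server and the client, not a network problem.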


Unified, Managing the System Date and Time: www.cisco.com/en/US/docs/wireless/controller/7.0MR1/configuration/guide/cg_gettingstarted.html#wp1144340

Autonomous, Configuring SNTP: www.cisco.com/en/US/partner/docs/wireless/access_point/12.4.25d.JA/Configuration/guide/scg12.4.25d.JA-chap5-admin.html#wp1036274

How to configure and remove EtherChannel

What is EtherChannel?

An EtherChannel provides a fault-tolerant, high-speed link between switches, routers, and servers. You can use an EtherChannel to increase the bandwidth and provide fault tolerance anywhere in the network where bottlenecks are likely to occur. EtherChannels provide automatic recovery for the loss of a link by redistributing the load across the remaining links. All links that are part of the channel share the same Layer 2 (MAC) address and Layer 3 (IP) address, and as such, individual link status changes are transparent to the network applications and its users.


How many types of EtherChannel are there?

There are two types of EtherChannel: Layer 2 EtherChannel and Layer 3 EtherChannel.

For Layer 2 EtherChannels:
  • Assign all ports in the EtherChannel to the same VLAN, or configure them as trunks. Ports with different native VLANs cannot form an EtherChannel.
  • If you configure an EtherChannel from trunk ports, verify that the trunking mode (ISL or 802.1Q) is the same on all the trunks. Inconsistent trunk modes on EtherChannel ports can have unexpected results.
  • An EtherChannel supports the same allowed range of VLANs on all the ports in a trunking Layer 2 EtherChannel. If the allowed range of VLANs is not the same, the ports do not form an EtherChannel even when Port Aggregation Protocol (PAgP) is set to the auto or desirable mode.
  • Ports with different spanning-tree path costs can form an EtherChannel if they are otherwise compatibly configured. Setting different spanning-tree path costs does not, by itself, make ports incompatible for the formation of an EtherChannel.
For Layer 3 EtherChannels, assign the Layer 3 address to the port-channel logical interface, not to the physical ports in the channel. 

In CCIE Wireless Lab, we need Layer 2 EtherChannel.


How to configure, remove, and show EtherChannel

Step 1: Creating a Port Channel

  switch# configure terminal
  switch(config)# interface port-channel 1

  To remove the port channel (channel-number is the channel number, 1 in this example):
  switch(config)# no interface port-channel channel-number


Step 2: Adding a Port to a Port Channel

  switch# configure terminal
  switch(config)# interface ethernet 1/4
  switch(config-if)# switchport trunk encapsulation dot1q
  switch(config-if)# switchport mode trunk
  switch(config-if)# channel-group 1 mode on

  To remove the port from the channel group (in interface configuration mode of the member port):
  switch(config-if)# no channel-group

Step 3: Show

  switch# show etherchannel summary
  switch# show etherchannel load-balance
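The three steps above as one complete two-port Layer 2 EtherChannel, added here as an example that is not part of the original post. The interface numbers, VLAN list and native VLAN are assumed. It uses LACP (channel-group mode active) rather than the post's mode on: with mode on there is no negotiation, so if the far end is not bundled the same way one side forwards on a bundle while the other sees independent links, which spanning tree does not always catch; LACP only bundles after both sides agree. The same configuration is applied on both switches.

```cisco
! Added example, not from the original post: two-port Layer 2 LACP EtherChannel
! on a Catalyst switch. Interface numbers, VLAN list and native VLAN are assumed.
! Every member port must match the port-channel's encapsulation, native VLAN and
! allowed-VLAN list, otherwise the switch suspends that port from the bundle.
interface range GigabitEthernet1/0/1 - 2
 shutdown
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,110
 switchport mode trunk
 channel-group 1 mode active
!
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,110
 switchport mode trunk
!
! Bring the members up only after both ends are configured
interface range GigabitEthernet1/0/1 - 2
 no shutdown
!
! Hash on source and destination IP so a single flow stays on one link
port-channel load-balance src-dst-ip
!
! Verification: members should show flag (P) bundled and the channel (U) in use
show etherchannel 1 summary
show etherchannel 1 port-channel
show interfaces port-channel 1 trunk
```

Keeping the member ports shut down while the channel is configured avoids the transient loop that can occur when one side bundles before the other.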



http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swethchl.html
 
Catalyst 3560-E Switch Software Configuration Guide, 12.2(55)SE: www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_55_se/configuration/guide/swethchl.html

 

May 9, 2014

How to use wIPS to protect against DoS attacks, such as Association Flood and Authentication Flood, in WLC/AP

The solution for this issue is quite simple: set the AP submode to "wips".

If you use the CLI, the command looks like this (choose local or h-reap as the AP mode; L1262-1 is the AP name):

config ap mode local/h-reap submode wips L1262-1


For further information about wIPS between the WLC and WCS, you can check this link:
http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/113027-wips-00.html