CoPP best practices

2018-06-21

Introduction

    Four logical groups of ip traffic (network device representation):

  • data plane packets - end-station to other end-station transit traffic;
  • control plane packets - end-station to receive, those which handled by route processor (ARP, BGP, OSPF, etc);
  • management plane packets - almost the same as control plane (Telnet, Secure Shell (SSH), TFTP, SNMP, FTP, NTP);
  • services plane packets - data plane packets that require high-touch handling (GRE encapsulation, QoS, MPLS VPNs, and SSL/IPsec encryption/decryption, etc.), also exception IP - IPv4 with IP header options, TTL expires, unreachable destinations packets and Non-IP - Layer 2 keepalives, ISIS, CDP, PPP Link Control Protocol;


    Some important features of Cisco Network Foundation Protection (NFP) for Cisco IOS and Cisco IOS XR software security:

  • interface ACL (iACL) - the most common approach to controlling all ingress/egress packets on interface;
  • receive ACL (rACL) - designed for a Cisco 7500/12000 routers, instear to apply to a specific interface, with iACL does, it applied once to the receive path of the router;
  • Control Plane Policing (CoPP) - like rACLs applied to receiving path of the route processor, but not only to receive destination IP packets also exceptions IP packets and non-IP packets. CoPP is implemented using the Modular QoS CLI (MQC) framework for policy construction (packets also can be rate-limited);
  • Local Packet Transport Services (LPTS) - automated version of CoPP for Cisco IOS XR.

CoPP description

Construction and deployment

    The class-map command defined a traffic class. If packets are not met any class criteria they are marked as default-class packets. If more than one match statements included inside class it evaluated as match-all or match-any.

    The policy-map command associate class to QoS policy(s). result a service policy created

Read Comments

Remote Site Connectivity

2018-06-15

Discussion

Layer 2 MPLS VPN

    With a Layer 2 MPLS VPN, the MPLS network allows customer edge (CE) routers at different sites to form routing protocol neighborships with one another as if they were Layer 2 adjacent. Therefore, you can think of a Layer 2 MPLS VPN as a logical Layer 2 switch.

Layer 3 MPLS VPN

    With a Layer 3 MPLS VPN, a service provider’s provider edge (PE) router (also known as an Edge Label Switch Router [ELSR] ) establishes a peering relationship with a CE router, as seen in Figure 2-2 . Routes learned from the CE router are then sent to the remote PE router in the MPLS cloud (typically using multiprotocol BGP [MP-BGP] ), where they are sent out to the remote CE router.

Dynamic Multipoint VPN (DMVPN)

    DMVPN allows a VPN tunnel to be dynamically created and torn down between two remote sites on an as-needed basis. Multipoint GRE, Next Hop Resolution Protocol (NHRP), and IPsec are required to support a DMVPN topology.

Multipoint GRE

    The scalability offered by DMVPN is made possible, in part, by multipoint GRE (mGRE) , which allows a router to support multiple GRE tunnels on a single GRE interface.

    Some of mGRE’s characteristics are as follows:

  • Like traditional GRE, mGRE can transport a wide variety of protocols (for example, IP unicast, multicast, and broadcast).
  • In a hub-and-spoke topology, a hub router can have a single mGRE interface, and multiple tunnels can use that single interface.
  • An interface configured for mGRE is able to dynamically form a GRE tunnel by using Next Hop Resolution Protocol (NHRP) to discover the IP address of the device at the far end of the tunnel
Read Comments

TS Performance

2018-05-08

Switch targets

    Cisco Catalyst switches similar components for troubleshooting:

  • ports
  • forwarding logic - a process which make a hardware based on different tables in the data plane
  • backplane - a physically tire which connect switch ports
  • control plane - a CPU and memory which responsible to run operating system and building forwarding decisions tables.

    Normally the control plane does not participate in the frame-forwarding process. But, the forwarding logic bield in the control plane. As result case of impact of packets rate can overload the control plane of the switch.

Port errors

    When troubleshooting a suspected Cisco Catalyst switch issue, a good first step is to check port statistics. For example, examining port statistics can let a troubleshooter know whether an excessive number of frames are being dropped. If a TCP application is running slowly, the reason might be that TCP flows are going into TCP slow start , which causes the window size, and therefore the bandwidth efficiency, of TCP flows to be reduced. A common reason that a TCP flow enters slow start is packet drops

Read Comments

TS and Maintain Toolkit

2018-04-20

Recovery tools

    To increase a survivability of our network globally all nodes configuration and operating systems should be backed up remote storages. A backup configuration and images storage server have to be able to run one or more services, such as TFTP, FTP, HTTP, or SCP server.

To backing up a router configuration to an FTP server:

# copy startup-config ftp://pass:login@10.0.0.1

    To avoid typing credentials each time we can specify it once to a specific service:

(config)# ip ftp username cisco
(config)# ip ftp password cisco
(config)# ip http client username cisco
(config)# ip http client password cisco

    Cisco archive feature can automate a configuration backuping. A configuration can be backed up at a certain interval and each time we use write-memory or copy running-config startup-config commands.

(config)# archive
(config)# path ftp://10.0.0
                        
Read Comments