Dropping Packets and Congestion Avoidance

Imagine a queue that holds packets as they approach a network bottleneck. These packets carry data for many different applications to many different destinations. If the rate of traffic arrival is less than the available bandwidth in the bottleneck, then the queue just holds the packets long enough to transmit them downstream. Queues become much more important if there is not enough bandwidth in the pipe to carry all of the incoming traffic.

If the excess is a short burst, the queue will attempt to smooth the flow rate, delivering the first packets as they are received and delaying the later ones briefly before transmitting them. However, if the burst is longer, or if it is really more like a continuous stream, the queue will have to stop accepting new packets while it deals with the backlog. The queue simply discards the overflowing incoming packets. This is called a tail drop.

Some applications and some protocols deal with dropped packets more gracefully than others. For example, if an application doesn't have the ability to re-send the lost information, then a dropped packet could be devastating. On the other hand, some real-time applications don't want their packets delayed. For these applications, it is better to drop the data than to delay it.

From the network's point of view, some protocols are better behaved than others. Applications that use TCP are able to adapt to dropping an occasional packet by backing off and sending data at a slower rate. However, many UDP-based protocols will simply send as many packets as they can fit into the network. These applications will keep sending packets even if the network can't carry them.

Even if all applications were TCP-based, however, there would still be some applications that take more than their fair share of network resources. If the only way to tell them to back off and send data more slowly is to wait until the queue fills up and starts to tail drop new packets, then it is quite likely that the wrong traffic flows will be instructed to slow down. However, an even worse problem, called global synchronization, can occur in an all-TCP network with a lot of tail drops.

Global synchronization happens when several different TCP flows all suffer packet drops simultaneously. Because the applications all use the same TCP mechanisms to control their flow rate, they will all back off in unison. TCP then starts to automatically increase the data rate until it suffers from more packet drops. Since all of the applications use the same algorithm for this process, they will all increase in unison until the tail drops start again. This whole wave-like pattern of traffic rates will repeat as long as there is congestion.

Random Early Detection (RED) and its cousin, Weighted Random Early Detection (WRED), are two mechanisms that help avoid this type of problem, while at the same time keeping one flow from dominating. These algorithms assume that all of the traffic is TCP-based. This is important because UDP applications get absolutely no benefit from RED or WRED.

RED and WRED try to prevent tail drops by preemptively dropping packets before the queue is full. If the link is not congested, then the queue is always more or less empty, so these algorithms don't do anything. However, when the queue depth reaches a minimum threshold, RED and WRED start to drop packets at random. The idea is to take advantage of the fact that TCP applications will back off their sending rate if they drop a packet. By randomly thinning out the queue before it becomes completely full, RED and WRED keep the TCP applications from overwhelming the queue and causing tail drops.

The packets to be dropped are selected at random. This has a couple of important advantages. First, the busiest flow is likely to be the one with the most packets in the queue, and therefore the most likely to suffer packet drops and be forced to back off. Second, by dropping packets at random, the algorithm effectively eliminates the global synchronization problems discussed earlier.

The probability of dropping a packet rises linearly with the queue depth, starting from some specified minimum threshold up to a maximum value. A simple example should help to explain how this works. Suppose the minimum threshold happens when there are 5 packets in the queue, and the maximum when there are 15 packets. If there are fewer than 5 packets in the queue, RED will not drop anything. When the queue depth reaches the maximum threshold, RED will drop one packet in 10. If there are 10 packets in the queue, then it is exactly halfway between the minimum and maximum thresholds. So, at this depth, RED will drop half as many packets as it will at the maximum threshold: one packet in 20. Similarly, if there are 7 packets in the queue, that is 20 percent of the range between the minimum and maximum thresholds, so the drop probability will be 20 percent of the maximum: one packet in 50.

If the queue fills up despite the random drops, then the router has no choice but to resort to tail drops, the same as if there were no sophisticated congestion avoidance. So RED and WRED have a particularly effective way of telling the difference between a momentary burst and longer term heavy traffic volume, because they need to be much more aggressive with persistent congestion problems.

Instead of using a constant queue depth threshold value, these algorithms base the decision to drop packets on an exponential moving time-averaged queue depth. If the queue fills because of a momentary burst of packets, RED will not start to drop packets immediately. However, if the queue continues to be busy for a longer period of time, the algorithm will be more aggressive about dropping packets. In this way, the algorithm doesn't disturb short bursts, but it will have a strong effect on applications that consistently overuse the network resources.

The WRED algorithm is similar to RED, except that it selectively prefers to drop packets that have lower IP Precedence values. Cisco routers accomplish this by simply having a lower minimum threshold for lower precedence traffic. So, as the congestion increases, the router will tend to preferentially drop packets with lower precedence values. This tends to protect the important traffic at the expense of less important applications. However, it is also important to bear in mind that this works best when the amount of high precedence traffic is relatively small.

If there is a lot of high precedence traffic in the queue, it will not tend to benefit much from the efficiency improvements normally offered by WRED. In this case, you will likely see only a slight improvement over the characteristics of normal tail drops. This is yet another reason for being careful in your traffic categorization, and not being too generous with the high precedence values.

Flow-based WRED is an interesting variation on WRED. In this case, the router makes an effort to separate out the individual flows in the router and penalize only the ones that are using more than their share of the bandwidth. The router does this by maintaining a separate drop probability for each flow based on their individual moving averages. The heaviest flows with the lowest precedence values tend to have the most dropped packets. However, it is important to note that the queue is filled by all the traffic, not just the heaviest flows. So the lighter flows will also have a finite drop probability in this situation. But the fact that the heavy flow will have more packets in the queue, combined with the higher drop probability for these flows, means that you should expect them to contribute most of the dropped packets.
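The linear drop curve from the worked example above (thresholds 5 and 15, one packet in 10 at the maximum), the moving-average queue depth, and the per-precedence minimum thresholds of WRED, as an added Python simulation that is not part of the original text or of Cisco's implementation. The EWMA weight of 0.2 and the precedence 5 profile are constructed values, not Cisco defaults.

```python
import random

# Per-precedence WRED profiles: (min_threshold, max_threshold, max_drop_prob).
# Precedence 0 uses the worked example from the text (5, 15, 1 in 10); the
# precedence 5 profile is constructed so that its drops start later.
WRED_PROFILES = {
    0: (5, 15, 1 / 10),
    5: (9, 15, 1 / 10),
}


def drop_probability(avg_depth, min_th, max_th, max_p):
    """Linear RED drop probability for an (average) queue depth.

    Below min_th nothing is dropped; at max_th the probability is max_p.
    Past max_th the queue is treated as full and the router falls back to
    tail drop, so every arriving packet is dropped.
    """
    if avg_depth < min_th:
        return 0.0
    if avg_depth > max_th:
        return 1.0
    return max_p * (avg_depth - min_th) / (max_th - min_th)


class WREDQueue:
    """Queue whose drop decisions use an exponential moving average depth."""

    def __init__(self, weight=0.2, seed=1):
        self.weight = weight       # EWMA weight; smaller = more burst-tolerant
        self.avg = 0.0             # moving average of the queue depth
        self.packets = []          # stored packets (their precedence values)
        self.rng = random.Random(seed)
        self.dropped = 0

    def enqueue(self, precedence):
        """Offer a packet; True if queued, False if dropped early."""
        # Update the average with the depth seen on arrival, then decide.
        self.avg = (1 - self.weight) * self.avg + self.weight * len(self.packets)
        min_th, max_th, max_p = WRED_PROFILES[precedence]
        p = drop_probability(self.avg, min_th, max_th, max_p)
        if p > 0 and self.rng.random() < p:
            self.dropped += 1
            return False
        self.packets.append(precedence)
        return True

    def dequeue(self):
        return self.packets.pop(0) if self.packets else None


def burst_then_sustained(burst=9, depth=14, steps=60):
    """Return (avg after burst, drops after burst, avg after sustained load).

    A burst of `burst` arrivals into an empty queue leaves the moving
    average under the minimum threshold even though the instantaneous depth
    is above it, so nothing is dropped. Holding the queue at about `depth`
    for `steps` more arrivals drives the average up and random drops begin.
    """
    q = WREDQueue()
    for _ in range(burst):
        q.enqueue(0)
    avg_after_burst, drops_after_burst = q.avg, q.dropped
    for _ in range(steps):
        if len(q.packets) >= depth:
            q.dequeue()            # the link drains one packet per arrival
        q.enqueue(0)
    return avg_after_burst, drops_after_burst, q.avg


if __name__ == "__main__":
    a, d, s = burst_then_sustained()
    print(f"after burst: avg depth {a:.2f}, drops {d}")
    print(f"after sustained load: avg depth {s:.2f}, "
          f"drop probability now {drop_probability(s, *WRED_PROFILES[0]):.3f}")
```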

Custom Queueing

Custom Queueing (CQ) is one of Cisco's most popular queueing strategies. CQ was originally implemented to address the obvious shortcomings of PQ. It lets you configure how many queues are to be used, what applications will use which queues, and how the queues will be serviced. Where PQ has only four queues, CQ allows you to use up to 16. And, perhaps most importantly, it includes a separate system queue so that user application data cannot starve critical network control traffic.

CQ is implemented as a round-robin queueing algorithm. The router takes a certain predetermined amount of data from each queue on each pass. You configure this as a number of bytes. This allows you to specify roughly how much of the bandwidth each queue will receive. For example, if you have four queues, all set to the same number of bytes per pass, you will expect to send roughly equal amounts of data for all of these applications. Since the queues are only used when the network link is congested, this means that each of the four applications will have roughly one quarter of the available bandwidth.

However, it is important to remember that the router will always take data one packet at a time. So if, for example, you have a series of 1500 byte packets sitting in a particular queue, and you have configured the router to take 100 bytes from this queue on each pass, it will actually transmit one whole packet each time, and not one every 15 times. This is important because it can mean that your calculations of the relative amounts of bandwidth allocated to each queue might be different from what the router actually sends.

This discrepancy tends to disappear as you increase the number of bytes taken each time the queues are serviced. But you don't want to let the number get too large, or you will cause unnecessary latency and jitter problems for your applications. For example, if the byte count for each of your four queues is 10,000 bytes, and all of the queues are full, the router will send 10,000 bytes from the first queue, then 10,000 bytes from the second queue, and so on. From the time it finished servicing the first queue until the time that it returns to service it again, it will have sent 30,000 bytes. It takes roughly 160 ms to send this much data through a T1 link. But the gap between the previous two packets in this queue was effectively zero. Variations in latency like this are called jitter, and they can cause serious problems for many real-time applications.
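The two effects described above, a byte count that is smaller than the packet size skewing the bandwidth split and a large byte count creating long gaps, as an added Python simulation that is not part of the original text or of Cisco's CQ code. It assumes every queue is permanently backlogged with packets of one fixed size; the queue names and packet sizes are constructed.

```python
T1_BPS = 1_544_000  # T1 line rate in bits per second


def service_pass(packet_size, byte_count):
    """Bytes one permanently backlogged queue sends in a single pass.

    Whole packets are removed until at least byte_count bytes have gone,
    so a 1500-byte packet goes out in full even with a 100-byte count.
    """
    sent = 0
    while sent < byte_count:
        sent += packet_size
    return sent


def bytes_per_pass(packet_sizes, byte_counts):
    """Bytes each queue transmits in one round-robin pass."""
    return {q: service_pass(packet_sizes[q], byte_counts[q]) for q in packet_sizes}


def bandwidth_shares(packet_sizes, byte_counts):
    """Fraction of the congested link each queue really receives."""
    per_pass = bytes_per_pass(packet_sizes, byte_counts)
    total = sum(per_pass.values())
    return {q: b / total for q, b in per_pass.items()}


def max_gap_ms(packet_sizes, byte_counts, queue, line_rate_bps=T1_BPS):
    """Longest silence one queue sees: everything the other queues send
    between its last packet in one pass and its first in the next."""
    per_pass = bytes_per_pass(packet_sizes, byte_counts)
    others = sum(b for q, b in per_pass.items() if q != queue)
    return others * 8 * 1000 / line_rate_bps


# Constructed scenario: queue q1 holds 1500-byte packets, the other three
# hold 100-byte packets, and all four queues get the same byte count.
SIZES = {"q1": 1500, "q2": 100, "q3": 100, "q4": 100}
SMALL = dict.fromkeys(SIZES, 100)       # 100-byte count: split is skewed
LARGE = dict.fromkeys(SIZES, 10_000)    # 10,000-byte count: fair but jittery

if __name__ == "__main__":
    for label, counts in (("byte count 100", SMALL), ("byte count 10000", LARGE)):
        shares = bandwidth_shares(SIZES, counts)
        print(label, {q: f"{s:.1%}" for q, s in shares.items()},
              f"longest gap for q1 = {max_gap_ms(SIZES, counts, 'q1'):.1f} ms")
```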

So, as with all of the other queueing algorithms we have discussed, Custom Queueing has some important advantages and disadvantages. Chapter 11 contains recipes to implement all of the queueing varieties we have discussed. You need to select the one that matches your network requirements best. None of them is perfect in all situations.

Priority Queueing

Priority Queueing (PQ) is an older queueing algorithm that handles traffic with different priority levels much more pragmatically. The Cisco implementation of Priority Queueing uses four distinct queues called "high priority," "medium priority," "normal priority," and "low priority." The PQ algorithm maintains an extremely strict concept of priority. If there are any packets in a higher priority queue, they must be sent first before any packets in the lower priority queues are sent.

Some types of critical real-time applications that absolutely cannot wait for low priority traffic work well with PQ. However, there is an obvious problem with this strategy as well. If the volume of traffic in the higher priority queues is greater than the link capacity, then no traffic from the lower priority queues will be forwarded. PQ starves low-priority applications in these cases.

So a pure PQ implementation requires that you have an extremely good understanding of your traffic patterns. The critical traffic must represent a small fraction of the total, with the lowest priorities having the largest net volume. Further, you must have enough link capacity that the PQ algorithm is only used during peak bursts. If there is general link congestion, PQ will give extremely poor overall performance.

However, Cisco has recently implemented a new hybrid queue type, called Low Latency Queueing (LLQ), which you can use with CBWFQ to give the best features of PQ while avoiding the queue starvation problem. The idea is simply to use CBWFQ for all of the traffic except for a small number of sub-queues that are reserved strictly for relatively low-volume real-time applications. The router services the real-time queues using a strict priority scheme, and the others using CBWFQ. So, if there is a packet in one of the real-time queues, the router will transmit it before looking in one of the other queues. However, when there is nothing in the priority queues, the router will use normal CBWFQ for everything else.

LLQ also includes the provision that, if the volume of high priority traffic exceeds a specified rate, the router will stop giving it absolute priority. This guarantees that LLQ will never starve the low priority queues.

This model is best suited to applications like voice or video in which the real-time data comes in a fairly continuous, but low-bandwidth, stream of small packets, as opposed to more bursty applications such as file transfers.

Table B-4. Relative share of bandwidth in WFQ by IP precedence

Precedence name        Value   Relative share of bandwidth
Routine                0       1
Priority               1       2
Immediate              2       3
Flash                  3       4
Flash Override         4       5
Critical               5       6
Internetwork Control   6       7
Network Control        7       8

These fair queueing algorithms tend to do three things. First, they prevent individual flows from interfering with one another. Second, they tend to reduce queueing latency for applications with smaller packets. And third, they ensure that all of the packets from a given flow are delivered in the same order that they were sent.

In practice, of course, a router has limited memory resources, so there is a limit to how many flows it can handle. If the number of flows is too large or if the volume of traffic is too high, the router will start to have trouble with the computation. So these algorithms tend to be best on low-speed interfaces. WFQ is enabled by default on all interfaces with bandwidth of E1 (roughly two Mbps) or less. The only exceptions are interfaces that use SDLC or LAPB link layer protocols, which require FIFO queueing.

Cisco provides several mechanisms to improve the bandwidth scaling of queueing algorithms. The first is Distributed Weighted Fair Queueing (DWFQ), which is only available in routers that have Versatile Interface Processor (VIP) cards, such as 7500 series routers, or the older 7000 series with RSP7000 processors. DWFQ is essentially the same as WFQ, except that the router is able to distribute the queueing calculations to the various VIP modules. But there is another important difference. DWFQ uses a different sorting algorithm called Calendar Queueing, which uses much more memory, but operates much faster. This tradeoff means that you can use DWFQ on a VIP2-50 card containing Port Adapter Modules (PAM) with an aggregate line speed of up to OC-3. In fact, if the aggregate line speed is greater than a DS-3 (45 Mbps), we don't recommend using DWFQ on anything slower than a VIP2-50. Cisco claims that DWFQ can operate at up to OC-3 speeds. However, if you need to support several interfaces that aggregate to OC-3 speeds on one VIP module, you may want to consider a different queueing strategy, particularly CBWFQ.

The next popular queueing strategy on Cisco routers, particularly for higher speed interfaces, is Class-Based Weighted Fair Queueing (CBWFQ). CBWFQ is similar to WFQ, except that it doesn't group traffic by flows. Instead, it groups by traffic classes. A class is simply some logical grouping of traffic. It could be based on IP Precedence values, or source addresses, input interface, or a variety of other locally useful rules that you can specify on the router.

The principal advantage to CBWFQ is that it allows you to expand the functionality of WFQ to higher speeds by eliminating the need to keep track of a large number of flows. But there is another important advantage to CBWFQ. The most common and sensible way to use CBWFQ is to assign the classes according to precedence or DSCP values. You can then manually adjust the weighting factors for the different classes. As you can see in Table B-4, the standard WFQ weighting factors give traffic with an IP Precedence value of 1 twice as much bandwidth as Precedence 0 traffic. However, Precedence 7 traffic gets just under 17 percent more bandwidth than Precedence 6 traffic. For many applications, these arbitrary weighting factors are not appropriate. So the ability to adjust these weighting factors can come in handy if you need to give your highest priority traffic a larger share of the bandwidth.

Queueing Algorithms

You can implement several different queueing algorithms on Cisco routers. The most common type is Weighted Fair Queueing (WFQ), which is enabled by default on low-speed interfaces. There is also a class-based version of WFQ called Class-based Weighted Fair Queueing (CBWFQ). These algorithms have the advantage of being fast, reliable, and easy to implement. However, in some cases you might want to consider some of the other queueing systems available on Cisco routers.

Priority Queueing lets you specify absolute prioritization in your network so that more important packets always precede less important ones. This can be useful, but it is often dangerous in practice.

The other important queueing algorithm on Cisco routers is Custom Queueing, which allows you direct control over many of the queueing parameters.

RSVP

The Resource Reservation Protocol (RSVP) is a signaling protocol that allows applications to request and reserve network resources, usually bandwidth. The core protocol is defined in RFC 2205. It is important to remember that RSVP is used only for requesting and managing network resources. RSVP does not carry user application data. Once the network has allocated the required resources, the application marks the packets for special treatment by setting the DSCP field to the Expedited Forwarding (EF) value, 101110.

The process starts when an end device sends an RSVP PATH request into the network. The destination address of this request is the far end device that it wants to communicate with. The request packet includes information about the application's source and destination addresses, protocol, and port numbers, as well as its quality of service requirements. It could specify a minimum required bandwidth, and perhaps also delay parameters. Each router along the path picks up this packet and figures out the best path to the destination.

Each router receiving an RSVP PATH request replaces the source address in the packet with its own, and forwards the packet to the next router along the path. So the QoS parameters are requested separately on each router-to-router hop. If a router is able to accommodate the request, it sends back an RSVP RESV message to the requester. For all but the first router on the path, the requester is the previous router. If a router receives one of these RESV packets, it knows that everything upstream from it is able to comply with the request. If it also has the resources to accommodate the requested QoS parameters, it sets aside the resources and sends an RESV packet to its upstream neighbor. And it sends an RSVP CONFIRM message afterward to confirm that the request will be honored. The routers pass PATH, RESV, and CONFIRM packets to one another periodically to ensure that the resources remain available.

If a router is not able to set aside the requested resources for whatever reason, it rejects the reservation. This may result in the entire path being rejected, but it can also just mean that the network will reserve the resources everywhere except on this one router-to-router link.

Clearly it would be counterproductive if every device on the network could request as much bandwidth as they wanted, whenever they wanted. This would leave few network resources for normal applications. So usually when you configure a router for RSVP, you just set aside a relatively small fraction of the total bandwidth on a link for reservation. Further, you will often want to restrict which source addresses are allowed to make RSVP requests.
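The hop-by-hop PATH/RESV exchange described above, including the previous-hop rewriting, the per-link admission check against a small reservable fraction, and the restriction on which sources may request, as an added Python simulation. It is not an RSVP implementation and not Cisco's code: messages are plain dicts, the router names, link rates, 10 percent reservable share and 10.0.0.x addresses are constructed, and a rejecting hop leaves the other hops' reservations in place, which is the second of the two outcomes the text describes.

```python
RESERVABLE_FRACTION = 0.10   # constructed: at most 10% of each link for RSVP


class Router:
    def __init__(self, name, link_kbps, allowed_sources=None):
        self.name = name
        self.link_kbps = link_kbps          # link toward the next hop
        self.reserved_kbps = 0.0
        self.prev_hop = None                # upstream neighbour learned from PATH
        self.allowed_sources = allowed_sources  # None means no restriction

    def handle_path(self, path):
        """Process a PATH message; False if this router refuses the request."""
        if self.allowed_sources is not None and path["src"] not in self.allowed_sources:
            return False
        self.prev_hop = path["prev_hop"]    # where RESV must be sent later
        path["prev_hop"] = self.name        # replace the address with our own
        return True

    def handle_resv(self, resv):
        """Admission check for this router's downstream link."""
        limit = self.link_kbps * RESERVABLE_FRACTION
        if self.reserved_kbps + resv["kbps"] > limit:
            return False                    # not enough reservable bandwidth
        self.reserved_kbps += resv["kbps"]
        return True


def reserve(sender, routers, kbps):
    """Run one PATH/RESV exchange along `routers` (sender side first).

    PATH travels toward the receiver; the receiver answers with RESV to the
    last router, and each router forwards RESV to the previous hop it
    recorded from PATH. Returns which hops accepted or rejected the RESV.
    """
    by_name = {r.name: r for r in routers}
    path = {"src": sender, "prev_hop": sender, "kbps": kbps}
    for r in routers:
        if not r.handle_path(path):
            return {"path_refused_at": r.name, "accepted": [], "rejected": []}
    resv = {"kbps": kbps}
    accepted, rejected = [], []
    hop = routers[-1]
    while hop is not None:
        (accepted if hop.handle_resv(resv) else rejected).append(hop.name)
        hop = by_name.get(hop.prev_hop)     # None once prev_hop is the sender
    return {"path_refused_at": None, "accepted": accepted, "rejected": rejected}


def demo():
    """Three constructed requests across a three-router path."""
    routers = [Router("R1", 1000, allowed_sources={"10.0.0.5"}),
               Router("R2", 1000),
               Router("R3", 200)]             # R3 can reserve only 20 kbps
    too_big = reserve("10.0.0.5", routers, 64)   # rejected on R3's link only
    bad_src = reserve("10.0.0.9", routers, 8)    # PATH refused at R1
    fits = reserve("10.0.0.5", routers, 16)      # admitted on every hop
    return too_big, bad_src, fits


if __name__ == "__main__":
    for result in demo():
        print(result)
```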

Because RSVP makes its reservation requests separately on each link, it can easily accommodate multicast flows. In this case, you have to be careful that the periodic updates happen sufficiently quickly that any new multicast group members won't have to wait long before they start to receive data. Please refer to Chapter 23 for more detailed discussion of multicast services.

RSVP is an extremely useful technique for reserving network resources for real-time applications such as Voice over IP (VoIP). However, because it forces the routers to keep detailed information on individual data flows, it doesn't scale well in large networks. RSVP is most useful at the edges of a large network, where you can reserve bandwidth entering the core. However, you probably don't want it through the core of your network.

In large networks, it is common to use RSVP only at the edges of the network, with more general DSCP-based methods controlling QoS requirements in the core.

Combining TOS and IP Precedence to Mimic DSCP

You can also get the equivalent of DSCP, even on older routers that support only TOS and Precedence, by combining the TOS and Precedence values. All Assured Forwarding DSCP Class 1 values are equivalent to an IP Precedence value of 1, Priority. All Class 2 values correspond to IP Precedence 2, Immediate; Class 3 values to IP Precedence 3, Flash; and Class 4 corresponds to an IP Precedence value of 4, Flash Override. The higher IP Precedence values are not used for Assured Forwarding.

You can then select the appropriate Drop Precedence value from the TOS values. However, you have to be a little bit careful, since there are 4 TOS bits. Combining this with the 3 bits from IP Precedence gives you 7 bits to work with, while DSCP only uses the first 6. For example, looking at the bit values that correspond to AF11 in Table B-3, you can see that the last three bits are 010. So the equivalent TOS value would be 0100, which is 4 in decimal, or maximum throughput.

In Table B-3, you can see that a TOS value of 4, maximum throughput, always gives the lowest Assured Forwarding Drop Precedence. Selecting a TOS value of 8, minimum delay, gives Medium Drop Precedence in all classes. And you can get the highest Assured Forwarding Drop Precedence value by setting a TOS value of 12, which doesn't have a standard name in the TOS terminology.

There is reasonably good interoperability between the Assured Forwarding DSCP values and the combination of IP Precedence and TOS, which is good because it is impossible for a router to tell the difference in general. Only the three top priorities of IP Precedence are not represented, and that is simply because these DSCP values are used for guaranteed delivery services.

The biggest difference between the TOS and Assured Forwarding models is that where the Assured Forwarding model is used to define a type of queueing, the TOS model is used to select a particular path. TOS was designed to work with a routing protocol, such as OSPF, in selecting the most appropriate path for a particular packet based on its TOS value. That is, when there are multiple paths available, a TOS-based OSPF (such as the version specified in RFC 2676) would attempt to make a reasonable TOS assignment to each of them. Then, if the router needed to forward a packet that was marked with a particular TOS value, it would attempt to find a route with the same TOS value. Note that Cisco never built this type of functionality into its OSPF implementation, however. So, if TOS is going to have an effect on how packets are forwarded, you have to configure it manually by means of Policy-based routing.

This was the original intent for TOS, but in practice most engineers found that it was easier to just use the TOS field to affect queueing behavior rather than path selection. So the IETF developed the more advanced and useful DSCP formalism.

Assured Forwarding introduces the concept of Per-Hop Behavior (PHB). Each DSCP value has a corresponding defined PHB that the router uses not to select a path, but to define how it will forward the packet. The router will forward a packet marked AF13 along the same network path as a packet marked AF41 if they both have the same destination address. However, it will be more likely to drop the AF13 packet if there is congestion, and it will forward the AF41 packet first if there are several packets in the queue.

From this, it should be clear why it is easier to implement Assured Forwarding than TOS-based routing on a network.

Table B-3. Assured Forwarding DSCP values

Drop Precedence          Class 1           Class 2           Class 3           Class 4
                         Value        Name Value        Name Value        Name Value        Name
Lowest Drop Precedence   001010 (10)  AF11 010010 (18)  AF21 011010 (26)  AF31 100010 (34)  AF41
Medium Drop Precedence   001100 (12)  AF12 010100 (20)  AF22 011100 (28)  AF32 100100 (36)  AF42
Highest Drop Precedence  001110 (14)  AF13 010110 (22)  AF23 011110 (30)  AF33 100110 (38)  AF43

For Expedited Forwarding there is only one value. It has a binary value of 101110, or 46 in decimal, and it is usually simply called EF. Note that this continues to follow the same pattern. The first three bits correspond to a decimal value of 5, which was the highest application IP Precedence value. You could think of the remaining three bits as specifying the highest drop precedence, but really this isn't meaningful because there is only one EF value. However, there is still significant room for defining additional EF types, if it becomes necessary in the future.

The remaining two unused bits in the TOS byte have been the subject of some very interesting discussions lately. RFC 3168 suggests that they might be used for congestion notifications, similar to the Frame Relay Forward Explicit Congestion Notification (FECN) and Backward Explicit Congestion Notification (BECN) flags. This would seem to be a natural place to make this designation, since there is no congestion notification field anywhere else in the IPv4 or IPv6 headers. If packets carried this sort of information, routers could use adaptive processes to optimize forwarding behavior. If a link started to become congested, all upstream routers would automatically sense the problem and start to back off the rate that they are sending traffic before any application suffered from queue drops. This would be similar to the adaptive Frame Relay traffic shaping system that we discussed in Recipe 11.11. We look forward to seeing Cisco implement this feature in the future.

Table B-2. Standard IP TOS values

IP TOS                  Decimal value   Bit pattern
Normal                  0               0000
Minimum monetary cost   1               0001
Maximum reliability     2               0010
Maximum throughput      4               0100
Minimum delay           8               1000

Note that there is some disagreement in the literature about the last bit, which sometimes signifies "minimum monetary cost" and sometimes is not used at all. Some references state that the TOS byte has one unused bit, and others say that there are two unused bits. In any case, this entire scheme is now considered obsolete, and has been replaced by the DSCP model. However, many common applications, including TELNET and FTP, still set TOS field values by default. So it is important that the network be able to handle these settings gracefully.

In the new DSCP formalism, defined in RFC 2474, the TOS byte is divided into a 6-bit DSCP field, followed by two unused bits. As we will discuss in the next section, the DSCP formalism was designed to give good backward compatibility with the older formalism. In particular, the first three bits of the DSCP field map perfectly onto the older IP Precedence definitions.

The first three bits of the DSCP field identify the forwarding class. If the value in the first three bits is four or less, the packet uses Assured Forwarding (AF). If the value is five, which corresponds to the highest allowed application IP Precedence value, then the packet uses Expedited Forwarding (EF). These names are slightly confusing because, in general, Assured Forwarding is merely expedient, while Expedited Forwarding is more likely to assure delivery.

Table B-3 shows the Assured Forwarding DSCP values. As we have already mentioned, the first three bits specify the forwarding class. A higher value in this sub-field results in a higher forwarding precedence through the network. The remaining three bits specify Drop Precedence. The higher the drop precedence, the more likely the packet will be dropped if it encounters congestion.
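The bit layout just described (3 precedence bits, 4 TOS bits, DSCP as the top 6 bits of the same byte) and the "mimic DSCP with Precedence plus TOS" mapping from the earlier section, as an added Python example that is not part of the original text. It checks the Table B-3 code points, reproduces the TOS 4/8/12 mapping to drop precedence, and flags the 7-versus-6-bit caveat: an odd TOS value (such as 1, minimum monetary cost) puts a bit outside the DSCP field.

```python
EF = 0b101110          # Expedited Forwarding, decimal 46
TOS_NAMES = {0: "normal", 1: "minimum monetary cost", 2: "maximum reliability",
             4: "maximum throughput", 8: "minimum delay"}   # Table B-2


def tos_byte(precedence, tos_field_value, unused=0):
    """Build the RFC 1349 TOS byte: PPP TTTT U (3 precedence, 4 TOS, 1 unused)."""
    if not (0 <= precedence <= 7 and 0 <= tos_field_value <= 15 and unused in (0, 1)):
        raise ValueError("field out of range")
    return (precedence << 5) | (tos_field_value << 1) | unused


def dscp(tos_byte_value):
    """DSCP (RFC 2474) is the top six bits of the same byte."""
    return tos_byte_value >> 2


def tos_field(dscp_value):
    """The 4-bit TOS field as an old router reads it from a DSCP-marked byte.

    Its low bit lies outside the DSCP field (it is one of the two unused,
    now ECN, bits), so it is always 0 for a byte written by DSCP.
    """
    return (dscp_value << 1) & 0xF


def dscp_name(dscp_value):
    """Name an AF or EF code point; None for anything else."""
    if dscp_value == EF:
        return "EF"
    cls, low = dscp_value >> 3, dscp_value & 0b111
    drop = low >> 1                      # AF drop precedence: 010, 100, 110
    if 1 <= cls <= 4 and low & 1 == 0 and 1 <= drop <= 3:
        return f"AF{cls}{drop}"
    return None


def af_table():
    """Rebuild Table B-3: name -> (six-bit pattern, decimal value)."""
    return {f"AF{c}{d}": (format(c * 8 + d * 2, "06b"), c * 8 + d * 2)
            for c in range(1, 5) for d in range(1, 4)}


def mimic_dscp(precedence, tos_field_value):
    """What a DSCP-aware router reads from a Precedence+TOS marking.

    Returns the byte, the DSCP, its AF/EF name (None if it is not one), and
    whether the TOS value used the bit that falls past the DSCP field.
    """
    byte = tos_byte(precedence, tos_field_value)
    code = dscp(byte)
    return {"tos_byte": byte, "dscp": code, "name": dscp_name(code),
            "bit_outside_dscp": bool(tos_field_value & 1)}


if __name__ == "__main__":
    for prec, tos in ((1, 4), (2, 8), (4, 12), (5, 12), (1, 1)):
        label = TOS_NAMES.get(tos, "no standard name")
        print(f"precedence {prec}, TOS {tos:2} ({label}): {mimic_dscp(prec, tos)}")
```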

Table B-1. Standard IP Precedence values

IP Precedence          Decimal value   Bit pattern
Routine                0               000
Priority               1               001
Immediate              2               010
Flash                  3               011
Flash Override         4               100
Critical               5               101
Internetwork Control   6               110
Network Control        7               111

Table B-2 shows the standard IP TOS values, as defined in RFC 1349. The idea was that an application could use these bits to request the appropriate forwarding behavior. Because the values are specified in different bits, the standard originally allowed applications to specify more than one option. This turned out to be unmanageable in practice because it wasn't clear which bit should have precedence in cases where two bits were set, and each would result in selecting different paths. So the standard was changed in RFC 1349 to prevent combinations of TOS bits.

IP Precedence, TOS, and DSCP Classifications

Every IP packet (including both IPv4 and IPv6) includes a TOS byte. This byte is broken up into fields that the network uses to help provide the appropriate QoS commitments. In the older TOS model defined in RFC 1349, the first three bits contain the IP Precedence value, and the next four bits contain the TOS value.

We note in passing that it is easy to get confused between the different uses of "TOS". Sometimes it refers to the whole byte, and sometimes to just the 4 bits that describe forwarding behavior. To help reduce the confusion, we will call the 4-bit field the TOS field, and the whole byte the TOS byte.

Table B-1 shows the standard IP Precedence values. It is important to note that normal application traffic is not allowed to use IP Precedence values 6 or 7. These are strictly reserved for network purposes like keepalive packets and routing protocols. The network must always give these packets higher precedence than any application packets. This is because no application will work if the network loses its topology information.

Authentication Proxy

Problem

You want the router to authenticate and authorize individual users only as they access restricted resources.

Solution

To enable an IOS-based authentication proxy, use the following commands:

Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#aaa new-model
Router1(config)#aaa authorization auth-proxy default local
Router1(config)#ip auth-proxy auth-proxy-banner http
Router1(config)#ip auth-proxy name HTTPPROXY http
Router1(config)#ip admission auth-proxy-banner http
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip auth-proxy HTTPPROXY
Router1(config-if)#ip http server
Router1(config)#ip http authentication local
Router1(config)#end
Router1#

Discussion

Cisco authentication proxy is an intercepting proxy that requires users to authenticate before being allowed to access resources behind the proxy. Because it operates as an intercepting proxy, the placement of the router is vital, since it can only authenticate sessions that traverse the router. Generally, this means that the proxy must be placed at a network choke point, such as the link to the Internet.

Since Cisco authentication proxy is designed to act as an intercepting proxy, there is no need for end users to configure their browsers to point to the proxy server. The router will automatically intercept all sessions and force the end users to authenticate before they can access resources behind the proxy. The first time a user attempts to access a web site, the router will present them with an authentication screen. After the user submits his correct username and password, he is free to browse as normal.

General uses for authentication proxies are Internet cafes, public wireless access providers, and organizations that wish to control access to the Internet. In all instances, users will be forced to authenticate before they'll be allowed to browse beyond the proxy. This allows an organization to securely control network access. In addition, authentication proxies can be used to secure Intranet servers that don't have the capability to perform authentication themselves.

To view the current proxy cache, use the following show command:

Router1#show ip auth-proxy cache
Authentication Proxy Cache
Client Name ijbrown, Client IP 172.25.1.52, Port 4224, timeout 60, Time Remaining 53, state ESTAB
Router1#

In this example, we can see that one user, ijbrown, has been authenticated successfully and is currently active. We can also see that the default inactivity timeout is set to 60 minutes, and that our user currently has 53 minutes remaining until he'll be forced to authenticate again.

To manually force all users to authenticate again, use the following clear command:

Router1#clear ip auth-proxy cache *
Router1#

You can view the authentication proxy's configuration by using the following show command:

Router1#show ip auth-proxy configuration
Authentication global cache time is 60 minutes
Authentication global absolute time is 0 minutes
Authentication Proxy Watch-list is disabled
Authentication Proxy Rule Configuration
Auth-proxy name HTTPPROXY
http list not defined inactivity-timer 60 minutes
Router1#

For our example, we used local authentication, which is suitable for a small company or installation; however, for larger organizations you can also configure the authentication proxy to use either RADIUS or TACACS to authenticate users.

To configure an authentication proxy with TACACS support, use the following set of commands:

Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#aaa new-model
Router1(config)#aaa authorization auth-proxy default group tacacs+
Router1(config)#tacacs-server host 172.25.5.5
Router1(config)#tacacs-server key cisco
Router1(config)#ip http server
Router1(config)#ip http authentication aaa
Router1(config)#ip auth-proxy name TESTPROXY http
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip auth-proxy TESTPROXY
Router1(config-if)#end
Router1#

In this example, authentication will be performed by the TACACS server. Please see Chapter 4 for more information on TACACS.

Login Password Retry Lockout

Problem

You want to prevent hackers from using brute force login attacks on your routers.

Solution

To enable local user account locking, use the following set of commands:

Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#username kwiley password test123
Router1(config)#aaa new-model
Router1(config)#aaa authentication login local_auth local
Router1(config)#aaa local authentication attempts max-fail 6
Router1(config)#line vty 0 4
Router1(config-line)#login authentication local_auth
Router1(config-line)#end
Router1#

This command can lead to a denial of service situation if a hacker is able to lock out all configured usernames.

Discussion

By default, the router will allow an unlimited number of login attempts for routers configured with local authentication. It will drop the login session after three failed attempts, but you can attempt to log in again immediately by starting a new session. With this in mind, a hacker can use a brute force attack to determine your passwords.

Beginning with IOS Version 12.3(14)T, Cisco introduced a feature that limits the number of failed login attempts for routers configured to use local authentication. Once the number of failed attempts is exceeded, the user ID is locked until an administrator unlocks it. Once an account is locked, the router will silently ignore further attempts to gain access with the locked user ID, so there is no distinction between a locked account and a failed attempt.
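To make the lockout behaviour described above concrete, here is an added Python model of the max-fail counter; it is an example written for this page, not IOS code or the book's own. It follows the text on three points: locked and unknown accounts fail silently, so a client cannot tell a locked account from a wrong password; the lock engages on the max_fail-th consecutive failure (an assumption, since the page only says the configured number must be exceeded); and only an administrator with a higher privilege level than the locked user can clear it. The LocalUser class, its privilege field, and the sample usernames and passwords are constructed for the example.

```python
# Added example (not from the Cisco IOS Cookbook): a model of
# 'aaa local authentication attempts max-fail N' and the related clear commands.
from dataclasses import dataclass, field


@dataclass
class LocalUser:
    password: str        # constructed sample credentials, not real ones
    privilege: int = 1   # IOS privilege level 1..15


@dataclass
class LocalAuthLockout:
    max_fail: int
    users: dict                                   # username -> LocalUser
    fail_attempts: dict = field(default_factory=dict)
    locked: dict = field(default_factory=dict)    # username -> lock time
    syslog: list = field(default_factory=list)

    def login(self, username, password, now="10:41:28 EDT Thu Sep 14 2006"):
        """One login attempt; returns True only on success."""
        user = self.users.get(username)
        # A locked account and an unknown account both fail silently, so the
        # reply does not reveal which usernames exist or are locked.
        if user is None or username in self.locked:
            return False
        if user.password == password:
            self.fail_attempts[username] = 0
            return True
        self.fail_attempts[username] = self.fail_attempts.get(username, 0) + 1
        # Assumption: the lock engages on the max_fail-th consecutive failure.
        if self.fail_attempts[username] >= self.max_fail:
            self.locked[username] = now
            self.syslog.append(
                f"%AAA-5-USER_LOCKED: User {username} locked out on authentication failure")
        return False

    def show_lockout(self):
        """Equivalent of 'show aaa local user lockout': (username, lock time) pairs."""
        return list(self.locked.items())

    def clear_lockout(self, admin_privilege, username=None):
        """Equivalent of 'clear aaa local user lockout {username X | all}'.
        Only an administrator above the locked user's privilege level may unlock."""
        targets = [username] if username else list(self.locked)
        cleared = []
        for name in targets:
            if name in self.locked and admin_privilege > self.users[name].privilege:
                del self.locked[name]
                self.fail_attempts[name] = 0
                cleared.append(name)
        return cleared

    def clear_fail_attempts(self, username):
        """Equivalent of 'clear aaa local user fail-attempts' for one user."""
        self.fail_attempts[username] = 0
        return self.fail_attempts[username]


if __name__ == "__main__":
    policy = LocalAuthLockout(max_fail=6, users={"kwiley": LocalUser("test123")})
    for _ in range(6):
        policy.login("kwiley", "wrong-guess")
    print(policy.show_lockout(), policy.syslog)
```

The denial-of-service caveat from the Solution falls out of the model directly: because the counter is keyed on the username alone, any client that knows a username can drive it to the lock, which is why the unlock path must stay reachable through a separately authenticated administrator.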

Once you exceed the configured number of failed login attempts, the router locks your user ID and sends a system log message:

Sep 14 10:41:28.319 EDT: %AAA-5-USER_LOCKED: User kwiley locked out on authentication failure

Here, the router locked out user ID kwiley because the number of failed login attempts was exceeded. You can view all currently locked user IDs with the following command:

Router1#show aaa local user lockout
Local-user Lock time
kwiley 10:41:28 EDT Thu Sep 14 2006
Router1#

Once locked out, only an administrator with a higher privilege level than the locked user ID can unlock you. In the following example we unlock user ID kwiley:

Router1#clear aaa local user lockout username kwiley

You can also unlock all currently locked users by using the keyword all:

Router1#clear aaa local user lockout all

Finally, you can clear the current number of failed login attempts for a user by using the following command:

Router1#clear aaa local user fail-attempts user ijbrown

Intrusion Detection and Prevention

Problem

You want to use the built-in Intrusion Detection software on the router to deal with deliberate attacks on your network.

Solution

There are two versions to this feature. Prior to IOS Version 12.3(8)T, it was called IDS and implemented using the ip audit set of commands:

Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 21 deny 192.168.100.205
Router1(config)#access-list 21 permit any
Router1(config)#ip audit notify log
Router1(config)#ip audit info action alarm drop reset
Router1(config)#ip audit attack action alarm drop reset
Router1(config)#ip audit smtp spam 10
Router1(config)#ip audit signature 1107 disable
Router1(config)#ip audit signature 2004 disable
Router1(config)#ip audit name COOKBOOK info list 21 action alarm drop reset
Router1(config)#ip audit name COOKBOOK attack list 21 action alarm drop reset
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip audit COOKBOOK in
Router1(config-if)#exit
Router1(config)#end
Router1#

In IOS Version 12.3(8)T and later, Cisco significantly updated the feature and changed its name to IPS. It is now implemented by using the ip ips set of commands:

Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 21 deny 192.168.100.205
Router1(config)#access-list 21 permit any
Router1(config)#ip ips name EDITION2 list 21
Router1(config)#ip ips signature 4050 disable
Router1(config)#ip ips fail closed
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip ips EDITION2 in
Router1(config-if)#exit
Router1(config)#end
Router1#

Discussion

Cisco's Intrusion Detection System (IDS) was significantly enhanced from IOS Version 12.3 to 12.4, leading to a name change to Intrusion Prevention System (IPS). Both features are similar in that they work based on a set of pre-built "signatures," which describe different kinds of known deliberate intrusion attempts. As we indicated in the Introduction to this chapter, Cisco divides these signatures into several different categories. In terms of the signature implementation, Atomic signatures describe single-packet attacks, while Compound signatures cover several packets. And functionally, Cisco divides the signatures into Info signatures related to attempts to gather information about your network, while Attack signatures identify attempts to either gain access or to deny service to your network.

Both the IDS and IPS versions of this feature center around the ip audit set of commands. And both offer three possible actions in response to a detected threat:


Alarm

Sends a notification to your network management system. There are a few different options available for doing this. Alarms can be sent by Syslog. Alternatively, prior to IOS Version 12.3(14)T, you could send alarms using Post Office Protocol (POP). However, this option has since been deprecated and we do not recommend using it, even if you are still running an IOS version that supports it.


Drop

Instructs the router to simply drop any offending packets. This response is only appropriate for certain types of attacks, particularly those that use nonsession-based protocols such as UDP.


Reset

When you configure the router to reset a session in response to matching a particular signature, it forwards the packet on to the destination, but with the TCP RST flag set to force the end device to immediately drop the session.

It is important to note that you can (and probably should) apply all three of these options to most rules. This way you will always receive notification that the system has detected a problem, and the router will always attempt to deal with the problem in the most effective way: resetting the session if possible, and dropping the packet if there is no session to reset.

Intrusion detection

The first example shows how to enable IDS in an older router. You can apply the ip audit command either inbound or outbound to an interface. In general, it is best to apply it inbound to the first interface at the edge of the network, because this is where you expect to receive attacks from. Applying a rule outbound to an interface is useful, however, in situations when it is possible that the hacker is coordinating the attack via two or more points of entry.

First you need to define your IDS rules with the ip audit name command. The minimal version of this command just creates a named rule and assigns it to either info or attack type signatures:

Router1(config)#ip audit name COOKBOOK info 

You can then assign this rule to an interface as follows:

Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip audit COOKBOOK in

The example in the Solution section is somewhat more complicated, however. When we created the audit rule in the example, we did three important things:

Router1(config)#access-list 21 deny 192.168.100.205
Router1(config)#access-list 21 permit any
Router1(config)#ip audit name COOKBOOK info list 21 action alarm drop reset
Router1(config)#ip audit name COOKBOOK attack list 21 action alarm drop reset

First, this rule includes both info and attack type signatures. This is because we want to give this router the best possible protection that we can. Second, we have set the action for both types of signatures as a combination of all three possible actions, as we recommended earlier. Third, we have created an access-list that exempts one device from being included in any IDS tests. This option always uses a Standard ACL. Any addresses that are permitted by such an access-list are subjected to the audit rule. Packets with a source address that is denied by the access-list are excluded from all of the IDS tests.

We have specified that the notification method send alarms to the Syslog server using the ip audit notify command:

Router1(config)#ip audit notify log

Note that the Syslog server that will actually receive these messages is defined using the logging command. Please refer to Chapter 18 for more information about configuring Syslog.

Next we modified the default behavior for both info and attack signatures using the action keyword:

Router1(config)#ip audit info action alarm drop reset
Router1(config)#ip audit attack action alarm drop reset

In both cases, the default is to simply send an alarm when a packet or set of packets matches a signature. Recall that we also specified all three of these options on the ip audit name command, so they aren't technically required here as well. However, it is useful to redefine the default behavior in case you have several different rules that you want to apply to different interfaces.

The ip audit smtp spam command is actually not very useful, but we've set it anyway:

Router1(config)#ip audit smtp spam 10

The IDS feature includes a very primitive anti-spam feature. This particular command sets a parameter for this feature, defining the maximum allowed number of recipients for a single email message. The default value is 250. We have set a more reasonable maximum of 10. However, this is not a very meaningful way of categorizing spam in the first place. A more thorough spam filtering system is available with the CSC-SSM module on the ASA5500 series devices.

And, finally, we have disabled two of the rules, because they interfered with the functioning of the network:

Router1(config)#ip audit signature 1107 disable
Router1(config)#ip audit signature 2004 disable

Before we disabled the first of these rules we were getting the following messages:

Nov 12 00:06:16.193: %IDS-4-IP_RFC_1918_SIG: Sig:1107:IP RFC 1918 Address Seen -
from 192.168.100.1 to 224.0.0.10

The observant reader will note that the multicast address listed here, 224.0.0.10, is the standard EIGRP multicast address. Because we are using an RFC 1918 address on this interface, this rule is rejecting EIGRP packets from the neighboring routers. Clearly this is not the desired behavior, so we disabled the rule specified in the log message.

This allowed EIGRP to work properly, but then we started to commonly see a different log message:

Nov 12 00:08:53.932: %IDS-4-ICMP_ECHO_SIG: Sig:2004:ICMP Echo Request - from 192.168.100.1 to 192.168.99.1

This message says that a device has been prevented from sending ICMP Echo Request packets across the interface. These are, of course, normal PING packets, which we require for network management reasons. This is why we have disabled this rule as well.

You should carefully examine your logs after implementing this feature, disabling any rules that are not relevant to your particular network. But you should carefully consider each message. For example, we also found this message in our router's IDS log:

Nov 12 00:14:19.310: %IDS-4-UDP_TFTP_PASSWD_SIG: Sig:4100:Tftp Passwd File - from 192.168.100.205 to 192.168.99.1

This indicates that somebody has attempted to use the TFTP protocol to download a Unix-style password file from the host at 192.168.99.1. This is not an acceptable thing to do, so we should pay a visit to the device with address 192.168.100.205 as soon as possible.
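Reviewing these logs by hand does not scale once a rule fires thousands of times, so here is an added Python example (written for this page, not code from the book or from Cisco) that parses both the %IDS-4 and the %IPS-4-SIGNATURE message formats shown in this recipe and summarizes hits per signature and source, with the signatures already tuned out (1107 and 2004 in the text) excluded. The sample log is constructed from the message formats and addresses on the page; the function names and the triage ordering are the example's own.

```python
# Added example (not from the Cisco IOS Cookbook): parse IOS IDS/IPS syslog
# lines and summarize remaining hits per (signature, source) after tuning.
import re
from collections import Counter

# Constructed sample log, modelled on the formats quoted in this recipe.
SAMPLE_LOG = """\
Nov 12 00:06:16.193: %IDS-4-IP_RFC_1918_SIG: Sig:1107:IP RFC 1918 Address Seen - from 192.168.100.1 to 224.0.0.10
Nov 12 00:08:53.932: %IDS-4-ICMP_ECHO_SIG: Sig:2004:ICMP Echo Request - from 192.168.100.1 to 192.168.99.1
Nov 12 00:14:19.310: %IDS-4-UDP_TFTP_PASSWD_SIG: Sig:4100:Tftp Passwd File - from 192.168.100.205 to 192.168.99.1
Nov 12 00:14:22.101: %IDS-4-UDP_TFTP_PASSWD_SIG: Sig:4100:Tftp Passwd File - from 192.168.100.205 to 192.168.99.1
000147: Sep 12 21:01:11.906 EDT: %IPS-4-SIGNATURE: Sig:4050 Subsig:0 Sev:3 UDP Bomb [172.25.1.1:123 -> 10.1.1.3:123]
"""

# Older 'ip audit' format: description, then "from <src> to <dst>".
IDS_RE = re.compile(
    r"%IDS-\d-(?P<mnemonic>\w+): Sig:(?P<sig>\d+):(?P<desc>.*?) - from (?P<src>\S+) to (?P<dst>\S+)"
)
# Newer 'ip ips' format: subsignature, severity and ports in brackets.
IPS_RE = re.compile(
    r"%IPS-\d-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"(?P<desc>.*?) \[(?P<src>[^:\]]+):(?P<sport>\d+) -> (?P<dst>[^:\]]+):(?P<dport>\d+)\]"
)


def parse_line(line):
    """Return a dict describing the event, or None for lines that are not IDS/IPS hits."""
    m = IDS_RE.search(line)
    if m:
        return {"family": "IDS", "sig": int(m["sig"]), "subsig": 0,
                "desc": m["desc"], "src": m["src"], "dst": m["dst"]}
    m = IPS_RE.search(line)
    if m:
        return {"family": "IPS", "sig": int(m["sig"]), "subsig": int(m["subsig"]),
                "sev": int(m["sev"]), "desc": m["desc"], "src": m["src"],
                "dst": m["dst"], "sport": int(m["sport"]), "dport": int(m["dport"])}
    return None


def triage(lines, tuned_out=frozenset()):
    """Count hits per (signature, source), skipping signatures already tuned out.
    Busiest pairs first, so the hosts worth a visit are at the top."""
    counts = Counter()
    for line in lines:
        event = parse_line(line)
        if event is None or event["sig"] in tuned_out:
            continue
        counts[(event["sig"], event["src"])] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for (sig, src), n in triage(SAMPLE_LOG.splitlines(), tuned_out={1107, 2004}):
        print(f"sig {sig} from {src}: {n} hit(s)")
```

Run against the sample, the EIGRP and PING noise disappears and the TFTP password-file attempts from 192.168.100.205 rise to the top of the list, which is the outcome the paragraph above asks a reader to reach by inspection.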

Intrusion prevention

The second example in the Solution section of this recipe shows how to configure the Intrusion Prevention feature in a router running IOS Version 12.3(8)T or higher. This new version of the feature works in a very similar way to the old one. First you must create a named rule:

Router1(config)#access-list 21 deny 192.168.100.205
Router1(config)#access-list 21 permit any
Router1(config)#ip ips name EDITION2 list 21

Here we have created a new rule called EDITION2 and applied the same access-list to it as we discussed earlier, so that any packets from the IP address 192.168.100.205 are excluded from consideration in any IPS rules.

You apply this rule to an interface in the same way also:

Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip ips EDITION2 in

When we applied this rule, we started seeing the following message in the log:

000147: Sep 12 21:01:11.906 EDT: %IPS-4-SIGNATURE: Sig:4050 Subsig:0 Sev:3 UDP Bomb [172.25.1.1:123 -> 10.1.1.3:123]
000148: Sep 12 21:01:12.178 EDT: %IPS-4-SIGNATURE: Sig:4050 Subsig:0 Sev:3 UDP Bomb [172.25.1.1:123 -> 172.25.1.101:123]

On closer investigation, it was determined that this message was a false alarm, so we have disabled the rule:

Router1(config)#ip ips signature 4050 disable

Up until here, the configuration of the IPS feature looks exactly the same as that for the older IDS feature. However, the ip ips signature command includes some other extremely useful options. For example, we may not have wanted to disable this rule entirely, but rather exclude certain IP addresses from consideration by this one rule only:

Router1(config)#access-list 22 deny 172.25.1.1
Router1(config)#access-list 22 permit any
Router1(config)#ip ips signature 4050 list 22

We then continued to see this message, which shows that the rule is still working:

000265: Sep 12 21:41:35.630 EDT: %IPS-4-SIGNATURE: Sig:4050 Subsig:0 Sev:3 UDP Bomb [172.25.1.53:138 -> 172.25.1.255:138]

This is a much more flexible approach to the problem of false alarms.

Another great improvement in the new feature is the ability to specify what happens if the IPS engine is unable to process a packet. By default, the router will simply pass the packets normally. If you prefer, though, you can specify that the router should reject all packets if IPS stops working for any reason:

Router1(config)#ip ips fail closed

This is particularly relevant if the processing is done by a separate hardware module, such as the NM-CIDS modules, which are designed for use with 2600, 2800, 3600, 3700, and 3800 series routers. If this module suffers a failure of some kind, the default behavior is to simply pass all packets normally. In a high-security environment, however, you may prefer to disable all traffic when this happens. This is a tradeoff, of course, as losing all connectivity may be worse than losing the IPS feature.

You can see a useful summary of the current IPS configuration with the show ip ips configuration command:

Router1#show ip ips configuration
Configured SDF Locations: none
Builtin signatures are enabled and loaded
Last successful SDF load time: 20:54:51 EDT Sep 12 2006
IPS fail closed is enabled
Fastpath ips is enabled
Quick run mode is enabled
Event notification through syslog is enabled
Event notification through SDEE is disabled
Total Active Signatures: 132
Total Inactive Signatures: 0
Signature 4050:0 list 22
Signature 1107:0 disable
IPS Rule Configuration
IPS name EDITION2
acl list 21
Interface Configuration
Interface FastEthernet0/0
Inbound IPS rule is EDITION2
acl list 21
Outgoing IPS rule is not set
Router1#

Another useful command is show ip ips statistics, which shows information on the IPS feature:

Router1#show ip ips statistics
Signature statistics [process switch:fast switch]
signature 4050:0 packets checked: [0:85]
Interfaces configured for ips 1
Session creations since subsystem startup or last reset 0
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [0:0:0]
Last session created never
Last statistic reset never

Router1#

This output shows, for example, that Signature number 4050, sub-rule 0 has checked 85 packets by using fast switching, and none using process switching. This indicates that this rule is not only being used, but is using the most efficient packet switching method.

Inspecting Applications on Different Port Numbers

Problem

You want to use Application Layer inspection rules for an application running on a nonstandard port.

Solution

To enable Port to Application Mapping (PAM), use the ip port-map command:

Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ip port-map http port tcp 8000
Router1(config)#end
Router1#

Discussion

When configuring CBAC-supported applications, it is sometimes useful to be able to map nonstandard ports to the applications themselves. For example, CBAC supports the inspection of HTTP packets; however, by default the router will assume that all HTTP servers use TCP port 80. In the next example, we've configured CBAC to inspect HTTP sessions:

Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ip inspect name HTTPACCESS http
Router1(config)#end
Router1#

What happens if someone decides to run their HTTP server on a nonstandard port such as 8000? The answer is that CBAC will not recognize the session as an HTTP session and will not inspect the session. By using Port-to-Application Mapping (PAM) you can map port 8000 to an HTTP application, and CBAC will then handle it accordingly.

In the Solution section, we mapped port 8000 to application HTTP using PAM. If we show the PAM configuration afterwards, we'll see that port 8000 is now mapped accordingly:

Router1#show ip port-map http
Default mapping: http tcp port 80 system defined
Default mapping: http tcp port 8000 user defined

Router1#

The problem with performing a generic port mapping like this one is that CBAC will now handle all traffic destined for TCP port 8000 as HTTP traffic. This might not be the most appropriate way to handle applications running on nonstandard ports. PAM also allows you to define the scope of the application mapping by the use of a simple ACL. By using an ACL to define scope, you can specifically define which servers are using which nonstandard ports.

In our next example, we configure PAM to use port 8080 for HTTP traffic, but only on server 10.1.2.14. This allows CBAC to inspect only packets destined for port 8080 on server 10.1.2.14 using its HTTP rules:

Router1#configure terminal  
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 22 permit host 10.1.2.14
Router1(config)#ip port-map http port 8080 list 22
Router1(config)#end
Router1#

So now when we view the PAM configuration, we see that ports 80 and 8000 are mapped to HTTP, as well as the host(s) in ACL 22 using port 8080:

Router1#show ip port-map http
Default mapping: http tcp port 80 system defined
Default mapping: http tcp port 8000 user defined
Host specific: http tcp port 8080 in list 22 user defined

Router1#
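The lookup that PAM performs is easy to get wrong in one's head (which entry wins when a port has both a generic and a host-specific mapping?), so here is an added Python model of it, written for this page and not taken from IOS or the book. It seeds the table with a few of the Cisco-defined defaults from Table 27-4 (the transport protocol is this example's assumption: TCP for all of them except tftp on UDP), lets you add the two user-defined mappings from the recipe, and answers "which application inspects this destination?" for a packet. A network prefix stands in for the standard ACL; the class and method names are the example's own.

```python
# Added example (not from the Cisco IOS Cookbook): a model of Port-to-Application
# Mapping (PAM) lookups with default and host-specific entries.
import ipaddress

# Subset of Table 27-4. Protocol per entry is an assumption of this example.
SYSTEM_DEFAULTS = {
    ("tcp", 21): "ftp", ("tcp", 25): "smtp", ("tcp", 80): "http",
    ("tcp", 111): "sunrpc", ("tcp", 135): "msrpc", ("tcp", 1521): "sql-net",
    ("tcp", 1720): "h323", ("tcp", 2000): "sccp", ("udp", 69): "tftp",
}


class PortApplicationMap:
    def __init__(self):
        # Each entry: (application, protocol, port, network-or-None, origin)
        self.entries = [(app, proto, port, None, "system defined")
                        for (proto, port), app in SYSTEM_DEFAULTS.items()]

    def port_map(self, app, port, proto="tcp", network=None):
        """'ip port-map <app> port [tcp|udp] <port> [list <acl>]'.
        A network prefix plays the role of the standard ACL."""
        net = ipaddress.ip_network(network) if network else None
        self.entries.append((app, proto, port, net, "user defined"))

    def application_for(self, proto, port, dst_ip):
        """Application CBAC would inspect for a packet to dst_ip:port.
        Host-specific entries are consulted before the generic defaults."""
        ip = ipaddress.ip_address(dst_ip)
        for app, p, prt, net, _ in self.entries:
            if net is not None and p == proto and prt == port and ip in net:
                return app
        for app, p, prt, net, _ in self.entries:
            if net is None and p == proto and prt == port:
                return app
        return None   # not a known application; no application-layer inspection

    def show(self, app):
        """Lines in the style of 'show ip port-map <app>'."""
        lines = []
        for a, p, prt, net, origin in self.entries:
            if a != app:
                continue
            if net is None:
                lines.append(f"Default mapping: {a} {p} port {prt} {origin}")
            else:
                lines.append(f"Host specific: {a} {p} port {prt} in {net} {origin}")
        return lines


if __name__ == "__main__":
    pam = PortApplicationMap()
    pam.port_map("http", 8000)                          # generic: every host
    pam.port_map("http", 8080, network="10.1.2.14/32")  # scoped to one server
    print("\n".join(pam.show("http")))
    print(pam.application_for("tcp", 8080, "10.1.2.15"))  # None: out of scope
```

The last lookup is the point of the Discussion above: the generic port 8000 mapping turns every TCP/8000 session through the router into HTTP inspection, while the scoped 8080 mapping applies only to the one server in the ACL and leaves port 8080 elsewhere uninspected.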

Table 27-4 shows some of the common CBAC-supported protocols that are eligible for use with PAM.

Table 27-4. Cisco-defined port mapping

Application name   Well-known port   Description
cuseeme            7648              CU-SeeMe Protocol
exec               512               Remote process execution
ftp                21                File Transfer Protocol
h323               1720              H.323 Protocol
http               80                Hypertext Transfer Protocol
login              513               Remote login
msrpc              135               Microsoft's Remote Procedure Call
netshow            1755              Microsoft's NetShow
real-audio-video   7070              RealAudio and RealVideo
sccp               2000              Skinny Client Control Protocol
smtp               25                Simple Mail Transfer Protocol
sql-net            1521              SQL-NET
streamworks        1558              StreamWorks Protocol
sunrpc             111               Sun Remote Procedure Call
tftp               69                Trivial File Transfer Protocol
vdolive            7000              VDOLive Protocol


For a complete and up-to-date list of applications supported by PAM, use the following command. Keep in mind that Cisco continually adds newly supported applications:

Router1(config)#ip port-map ?
802-11-iapp IEEE 802.11 WLANs WG IAPP
WORD User defined application name. Use prefix 'user-'
ace-svr ACE Server/Propagation
aol America-Online
appleqtc Apple QuickTime
bgp Border Gateway Protocol
bliff Bliff mail notification
bootpc Bootstrap Protocol Client
bootps Bootstrap Protocol Server
cddbp CD Database Protocol
cifs CIFS
cisco-fna Cisco FNATIVE
cisco-net-mgmt cisco-net-mgmt
cisco-svcs cisco license/perf/GDP/X.25/ident svcs
cisco-sys Cisco SYSMAINT
cisco-tdp Cisco TDP
cisco-tna Cisco TNATIVE
citrix Citrix IMA/ADMIN/RTMP
citriximaclient Citrix IMA Client
clp Cisco Line Protocol
creativepartnr Creative Partnr
creativeserver Creative Server
cuseeme CUSeeMe Protocol
daytime Daytime (RFC 867)
dbase dBASE Unix
dbcontrol_agent Oracle dbControl Agent po
ddns-v3 Dynamic DNS Version 3
dhcp-failover DHCP Failover
discard Discard port
dns Domain Name Server
dnsix DNSIX Securit Attribute Token Map
echo Echo port
entrust-svc-handler Entrust KM/Admin Service Handler
entrust-svcs Entrust sps/aaas/aams
exec Remote Process Execution
fcip-port FCIP
finger Finger
ftp File Transfer Protocol
ftps FTP over TLS/SSL
gdoi GDOI
giop Oracle GIOP/SSL
gopher Gopher
gtpv0 GPRS Tunneling Protocol Version 0
gtpv1 GPRS Tunneling Protocol Version 1
h323 H.323 Protocol (e.g., MS NetMeeting, Inte
h323callsigalt h323 Call Signal Alternate
h323gatestat h323gatestat
hp-alarm-mgr HP Performance data alarm manager
hp-collector HP Performance data collector
hp-managed-node HP Performance data managed node
hsrp Hot Standby Router Protocol
http Hypertext Transfer Protocol
https Secure Hypertext Transfer Protocol
ica ica (Citrix)
icabrowser icabrowser (Citrix)
ident Authentication Service
igmpv3lite IGMP over UDP for SSM
imap Internet Message Access Protocol
imap3 Interactive Mail Access Protocol 3
imaps IMAP over TLS/SSL
ipass IPASS
ipsec-msft Microsoft IPsec NAT-T
ipx IPX
irc Internet Relay Chat Protocol
irc-serv IRC-SERV
ircs IRC over TLS/SSL
ircu IRCU
isakmp ISAKMP
iscsi iSCSI
iscsi-target iSCSI port
kazaa KAZAA
kerberos Kerberos
kermit kermit
l2tp L2TP/L2F
ldap Lightweight Directory Access Protocol
ldap-admin LDAP admin server port
ldaps LDAP over TLS/SSL
login Remote login
lotusmtap Lotus Mail Tracking Agent Protocol
lotusnote Lotus Note
mgcp Media Gateway Control Protocol
microsoft-ds Microsoft-DS
ms-cluster-net MS Cluster Net
ms-dotnetster Microsoft .NETster Port
ms-sna Microsoft SNA Server/Base
ms-sql Microsoft SQL
ms-sql-m Microsoft SQL Monitor
msexch-routing Microsoft Exchange Routing
msrpc Microsoft Remote Procedure Call
mysql MySQL
n2h2server N2H2 Filter Service Port
ncp-tcp NCP (Novell)
net8-cman Oracle Net8 Cman/Admin
netbios-dgm NETBIOS Datagram Service
netbios-ns NETBIOS Name Service
netbios-ssn NETBIOS Session Service
netshow Microsoft NetShow
netstat Variant of systat
nfs Network File System
nntp Network News Transport Protocol
ntp Network Time Protocol
oem-agent OEM Agent (Oracle)
oracle Oracle
oracle-em-vp Oracle EM/VP
oraclenames Oracle Names
orasrv Oracle SQL*Net v1/v2
pcanywheredata pcANYWHEREdata
pcanywherestat pcANYWHEREstat
pop3 Post Office Protocol - Version 3
pop3s POP3 over TLS/SSL
pptp PPTP
pwdgen Password Generator Protocol
qmtp-tcp Quick Mail Transfer Protocol
r-winsock remote-winsock
radius RADIUS & Accounting
rdb-dbs-disp Oracle RDB
realmedia RealNetwork's Realmedia Protocol
realsecure ISS Real Secure Console Service Port
router Local Routing Process
rsvd-tcp RSVD
rsvp-encap RSVP ENCAPSULATION-1/2
rsvp_tunnel RSVP Tunnel
rtc-pm-port Oracle RTC-PM port
rtelnet Remote Telnet Service
rtsp Real Time Streaming Protocol
send-tcp SEND
shell Remote command
sip Session Initiation Protocol
sip-tls SIP-TLS
skinny Skinny Client Control Protocol
sms SMS RCINFO/XFER/CHAT
smtp Simple Mail Transfer Protocol
snmp Simple Network Management Protocol
snmptrap SNMP Trap
socks Socks
sql-net SQL-NET
sqlserv SQL Services
sqlsrv SQL Service
ssh SSH Remote Login Protocol
sshell SSLshell
ssp State Sync Protocol
streamworks StreamWorks Protocol
stun cisco STUN
sunrpc SUN Remote Procedure Call
syslog SysLog Service
syslog-conn Reliable Syslog Service
tacacs Login Host Protocol (TACACS)
tacacs-ds TACACS-Database Service
tarantella Tarantella
telnet Telnet
telnets Telnet over TLS/SSL
tftp Trivial File Transfer Protocol
time Time
timed Time server
tr-rsrb cisco RSRB
ttc Oracle TTC/SSL
uucp UUCPD/UUCP-RLOGIN
vdolive VDOLive Protocol
vqp VQP
webster Network Disctionary
who Who's service
wins Microsoft WINS
x11 X Window System
xdmcp XDM Control Protocol

Router1(config)#

Stopping Denial of Service Attacks

Problem

You want to mitigate Denial of Service attacks by throttling half-open TCP connections.

Solution

You can configure a router to protect your servers against TCP SYN attacks by enabling the ip tcp intercept command:

Router1#configure terminal
Router1(config)#access-list 109 permit ip any host 192.168.99.2
Router1(config)#ip tcp intercept list 109
Router1(config)#ip tcp intercept max-incomplete high 10
Router1(config)#ip tcp intercept one-minute high 15
Router1(config)#ip tcp intercept max-incomplete low 5
Router1(config)#ip tcp intercept one-minute low 10
Router1(config)#end
Router1#

Discussion

This feature allows the router to take an active role in managing the TCP session initiation between a client and server. In the normal TCP call setup procedure, a client device sends a TCP SYN packet to start the session. The server then responds with a SYN-ACK, and the client's next packet simply has the ACK flag set. Then the Layer 7 application information can start to flow. A relatively common denial of service attack involves sending large numbers of SYN packets, but never actually starting the session. This can fill up the server's connection table with these so-called "half-open" TCP sessions, and eventually prevents any legitimate sessions from starting.

However, when you enable the TCP Intercept feature, the router doesn't forward the initial SYN packet to the server. Instead, it responds directly to the client with a SYN-ACK packet, as if it were the server. If the client is legitimate and begins the TCP session, then the router quickly opens a session to the server, knits the two ends of the connection together, and steps into its more usual role of simply forwarding packets.

If the number of half-open sessions exceeds certain configurable thresholds, the router can protect the server by going into aggressive mode. In this mode, the router does three things:

  • It reduces the retransmission timeout from one second to 0.5 seconds, so that the TCP SYN-ACK packets are sent more frequently. This ensures that any legitimately half-open sessions are given an opportunity to respond.

  • It reduces the maximum time that it will maintain a half-open session from the default 30 seconds to 15 seconds. Again, there are many reasons why a client might be legitimately slow to respond, but if the server is under attack, then reducing these timers can help to clear out the sessions that aren't legitimate.

  • And, most importantly, with each new connection attempt, the router will delete one half-open session from its table. By default, it will delete the oldest session, but you can instead configure it to drop a random entry from the table.
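To show how the half-open table, the thresholds and the three aggressive-mode changes interact, here is an added Python simulation of the TCP Intercept behaviour described above; it is an example written for this page, not Cisco code or the book's own. It uses the page's timer values (retransmission 1 s to 0.5 s, half-open lifetime 30 s to 15 s, drop the oldest entry per new attempt) and the recipe's thresholds. Two details are this example's assumptions: aggressive mode is entered when either count reaches its high value (matching the "count (10/10)" log line) and left when both counts are at or below their low values, and connection attempts are counted over a sliding 60-second window.

```python
# Added example (not from the Cisco IOS Cookbook): a simulation of the IOS
# TCP Intercept half-open table and its aggressive mode.
import random
from collections import OrderedDict, deque


class TcpIntercept:
    def __init__(self, max_incomplete_high=1100, max_incomplete_low=900,
                 one_minute_high=1100, one_minute_low=900, drop_random=False):
        self.high, self.low = max_incomplete_high, max_incomplete_low
        self.min_high, self.min_low = one_minute_high, one_minute_low
        self.drop_random = drop_random          # 'ip tcp intercept drop-mode random'
        self.half_open = OrderedDict()          # (client, port) -> SYN arrival time
        self.attempts = deque()                 # timestamps of connection attempts
        self.aggressive = False
        self.events = []                        # (message, half-open count, one-minute count)

    # Timers that aggressive mode tightens, with the values given in the text.
    def retransmit_timeout(self):
        return 0.5 if self.aggressive else 1.0

    def watch_timeout(self):
        return 15.0 if self.aggressive else 30.0

    def half_open_count(self):
        return len(self.half_open)

    def tick(self, now):
        """Age out attempts older than one minute and half-open entries past the
        watch timeout, then re-evaluate the mode. 'now' must not go backwards."""
        while self.attempts and now - self.attempts[0] >= 60.0:
            self.attempts.popleft()
        limit = self.watch_timeout()
        for key in [k for k, t in self.half_open.items() if now - t > limit]:
            del self.half_open[key]
        self._update_mode()

    def syn(self, client, port, now):
        """Client SYN: the router answers SYN-ACK itself and records a half-open entry.
        In aggressive mode each new attempt first evicts one existing entry."""
        self.tick(now)
        self.attempts.append(now)
        if self.aggressive and self.half_open:
            self._drop_one()
        self.half_open[(client, port)] = now
        self._update_mode()

    def ack(self, client, port, now):
        """Client completed the handshake; the router now opens the server side
        and the entry leaves the half-open table. Returns False for unknown ACKs."""
        self.tick(now)
        return self.half_open.pop((client, port), None) is not None

    def _drop_one(self):
        keys = list(self.half_open)
        key = random.choice(keys) if self.drop_random else keys[0]   # keys[0] is oldest
        del self.half_open[key]

    def _update_mode(self):
        n, per_min = len(self.half_open), len(self.attempts)
        # Assumption: enter on either high threshold, leave when both are at/below low.
        if not self.aggressive and (n >= self.high or per_min >= self.min_high):
            self.aggressive = True
            self.events.append(("getting aggressive", n, per_min))
        elif self.aggressive and n <= self.low and per_min <= self.min_low:
            self.aggressive = False
            self.events.append(("calming down", n, per_min))


if __name__ == "__main__":
    ti = TcpIntercept(10, 5, 15, 10)      # thresholds from the Solution section
    for i in range(11):                   # eleven SYNs that are never completed
        ti.syn(f"10.0.0.{i + 1}", 40000 + i, now=float(i))
    print(ti.aggressive, ti.half_open_count(), ti.events)
```

A legitimate but slow client is the cost of this protection: once the router is aggressive, its SYN-ACK is retransmitted after 0.5 s and its entry is discarded after 15 s or whenever it happens to be the oldest when another SYN arrives, which is why the thresholds should be set well above the server's normal connection rate.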

In the configuration example, the first two lines enable the TCP Intercept feature:

Router1(config)#access-list 109 permit ip any host 192.168.99.2
Router1(config)#ip tcp intercept list 109

Here we have defined an ACL that specifies that we are only interested in packets with a destination IP address of 192.168.99.2, which is the server that we intend to protect. You could just as easily create an ACL that would protect a range of addresses. For example, if we wanted to protect all of the devices on the 192.168.99.0/24 subnet, we could have used the following access-list:

Router1(config)#access-list 109 permit ip any 192.168.99.0 0.0.0.255

We don't recommend using a permit ip any any type access-list here because that would force the router to intercept all TCP sessions passing through it, regardless of source or destination. This could cause performance problems on your network.

Then the command ip tcp intercept list enables the TCP intercept feature for the addresses specified in the access-list. Note that this is a global configuration command. It is not specific to an interface. This is useful because one common way to launch this type of attack is to send TCP SYN packets simultaneously from compromised computers throughout the network. If you have several interfaces on your router, you won't in principle know where to expect the packets to originate. It also means that you can protect servers on several different segments with a single command.

The remaining commands in the example simply configure the thresholds for aggressive mode. By default, the router allows 1,100 half-open sessions before going into aggressive mode. Configure this value using the ip tcp intercept max-incomplete high command. In the example, we have set a very low value for demonstration purposes:

Router1(config)#ip tcp intercept max-incomplete high 10

When we deliberately initiate a series of half-open sessions, we see this log message:

Nov 15 13:56:38.944: %TCP-6-INTERCEPT: getting aggressive, count (10/10) 1 min 0

A short time later, the attack ended, and the router went back into its normal mode:

Nov 15 13:58:14.367: %TCP-6-INTERCEPT: calming down, count (0/5) 1 min 11

We will explain the conditions for returning to normal mode in a moment.

In addition to the total number of half-open sessions, you can also set thresholds on the number of TCP sessions initiated per minute:

Router1(config)#ip tcp intercept one-minute high 15

In this case, we have set the rather low threshold value of 15 for demonstration purposes. In practice, you would almost certainly want to use much higher numbers than these because these thresholds define the total number of connection attempts, whether successful or not. So setting this value too low will mean that your server will not be able to accept very many legitimate sessions.

The conditions for returning to normal mode are defined by these two commands:

Router1(config)#ip tcp intercept max-incomplete low 5
Router1(config)#ip tcp intercept one-minute low 10

The first command sets the low-water mark for the total number of half-open sessions, while the second command sets the low-water mark for the number of session-initiation attempts per minute. The router will not return to normal mode until both of these conditions are true. The default value for both of these thresholds is 900.

In production networks, we recommend initially leaving the thresholds at their default values and establishing a baseline for what is normal. Setting your thresholds too high could be of minimal benefit, while consuming large amounts of router memory. And using thresholds that are too low could be functionally the same as the denial of service attack you are trying to defend against.


The TCP Intercept feature also allows you to monitor for inactivity on the TCP sessions that it helped to initiate. By default, the router will allow a TCP session to be inactive for 24 hours (86,400 seconds). However, you can change this using the ip tcp intercept connection-timeout command, which accepts an argument in seconds. Here we set a maximum value of one hour:

Router1(config)#ip tcp intercept connection-timeout 3600

When this time is exceeded, the router will force a disconnection on this session.

As we mentioned earlier, by default the aggressive mode of the TCP Intercept feature will drop the oldest half-open connection each time it receives a new connection attempt. However, you can instead configure it to drop a randomly selected connection out of the table:

Router1(config)#ip tcp intercept drop-mode random

The theory behind this is that the attack might be very short lived. In this case, the oldest entries in the table are probably the only ones that are not associated with the attack, so you might prefer to drop a random session instead.

You can configure how long the router will watch a session, waiting for it to complete the TCP session initiation. By default, it waits 30 seconds, but you can change this value with the following command, which specifies this timeout value in seconds:

Router1(config)#ip tcp intercept watch-timeout 15

And one final option allows you to set whether the router actively intercepts and responds to TCP SYN packets, or instead allows these packets to pass through normally, but watches the session to ensure that it connects properly. By default the router will completely protect the server by taking over all responsibility for setting up the session. You can configure it to let the server handle the call, and only step in if there is a problem by configuring watch mode:

Router1(config)#ip tcp intercept mode watch

This is useful in situations when your router is watching a large number of servers or the server is configured to safely handle large numbers of half-open sessions. In such situations, you can save resources on your router by using watch mode.
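To make the interaction between the high- and low-water marks, aggressive mode, the drop mode and the watch timeout concrete, here is a small model of the half-open table. It is an added example written for this discussion, not Cisco code and not part of the recipe; it uses the demonstration thresholds configured above and assumes the high-water marks fire when the count reaches them, which is what the "(10/10)" in the log message above suggests.

```python
import random
from collections import OrderedDict

# Hypothetical model of TCP Intercept's half-open table (not Cisco code).
# Threshold values are the ones used in this recipe's demonstration config.
MAX_INCOMPLETE_HIGH = 10    # ip tcp intercept max-incomplete high 10
MAX_INCOMPLETE_LOW = 5      # ip tcp intercept max-incomplete low 5
ONE_MINUTE_HIGH = 15        # ip tcp intercept one-minute high 15
ONE_MINUTE_LOW = 10         # ip tcp intercept one-minute low 10
WATCH_TIMEOUT = 30.0        # ip tcp intercept watch-timeout default; halved in aggressive mode


class InterceptTable:
    """Tracks half-open sessions and switches between normal and aggressive mode.

    Assumption: a high-water mark triggers when the count reaches it, and the
    router calms down only when both counts are at or below their low-water marks.
    """

    def __init__(self, drop_mode="oldest", rng=None):
        # Insertion order doubles as age: the first key is the oldest entry.
        self.half_open = OrderedDict()      # (client, server) -> creation time
        self.attempts = []                  # timestamps of SYNs seen in the last minute
        self.aggressive = False
        self.drop_mode = drop_mode          # "oldest" or "random" (ip tcp intercept drop-mode)
        self.rng = rng or random.Random(0)  # seeded so random drops are reproducible
        self.dropped = []                   # entries evicted by aggressive mode

    def _attempts_last_minute(self, now):
        self.attempts = [t for t in self.attempts if now - t < 60.0]
        return len(self.attempts)

    def _expire(self, now):
        # Entries that never completed the handshake age out after the watch timeout.
        timeout = WATCH_TIMEOUT / 2 if self.aggressive else WATCH_TIMEOUT
        for key, created in list(self.half_open.items()):
            if now - created >= timeout:
                del self.half_open[key]

    def _update_mode(self, now):
        per_minute = self._attempts_last_minute(now)
        count = len(self.half_open)
        if not self.aggressive:
            if count >= MAX_INCOMPLETE_HIGH or per_minute >= ONE_MINUTE_HIGH:
                self.aggressive = True     # "%TCP-6-INTERCEPT: getting aggressive"
        elif count <= MAX_INCOMPLETE_LOW and per_minute <= ONE_MINUTE_LOW:
            self.aggressive = False        # "%TCP-6-INTERCEPT: calming down"

    def tick(self, now):
        """Housekeeping with no new packet: expire old entries, re-evaluate the mode."""
        self._expire(now)
        self._update_mode(now)

    def syn(self, client, server, now):
        """A new SYN arrives. Returns the half-open entry evicted to make room, if any."""
        self._expire(now)
        self.attempts.append(now)
        evicted = None
        if self.aggressive and self.half_open:
            # In aggressive mode every new attempt costs one existing half-open entry.
            if self.drop_mode == "random":
                evicted = self.rng.choice(list(self.half_open))
            else:
                evicted = next(iter(self.half_open))
            del self.half_open[evicted]
            self.dropped.append(evicted)
        self.half_open[(client, server)] = now
        self._update_mode(now)
        return evicted

    def ack(self, client, server, now):
        """The client finished the handshake, so its entry leaves the half-open table."""
        self.half_open.pop((client, server), None)
        self._update_mode(now)


if __name__ == "__main__":
    table = InterceptTable()
    # Constructed burst: one client sends SYNs without ever completing the handshake.
    for i in range(12):
        table.syn(f"192.168.100.201:{3297 + i}", "192.168.99.2:23", float(i))
    print("aggressive:", table.aggressive, "half-open:", len(table.half_open),
          "dropped:", table.dropped)
    table.tick(120.0)
    print("aggressive after the burst expires:", table.aggressive)
```

Running the script shows the two thresholds behaving independently: a burst of SYNs that never complete trips the max-incomplete mark, while a run of sessions that do complete but arrive faster than the one-minute mark also trips aggressive mode even though the half-open table stays empty. That second case is exactly why the text above warns against setting the one-minute thresholds too low.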

There are two commands for monitoring the TCP Intercept feature. The first looks at the entire connection table:

Router1#show tcp intercept connections
Incomplete:
Client Server State Create Timeout Mode
192.168.100.201:3304 192.168.99.2:23 SYNRCVD 00:00:11 00:00:07 I
192.168.100.201:3305 192.168.99.2:23 SYNRCVD 00:00:08 00:00:02 I
192.168.100.201:3300 192.168.99.2:23 SYNRCVD 00:00:18 00:00:04 I
192.168.100.201:3301 192.168.99.2:23 SYNRCVD 00:00:16 00:00:06 I
192.168.100.201:3302 192.168.99.2:23 SYNRCVD 00:00:15 00:00:07 I
192.168.100.201:3303 192.168.99.2:23 SYNRCVD 00:00:13 00:00:01 I
192.168.100.201:3297 192.168.99.2:23 SYNRCVD 00:00:23 00:00:07 I
192.168.100.201:3298 192.168.99.2:23 SYNRCVD 00:00:21 00:00:09 I
192.168.100.201:3299 192.168.99.2:23 SYNRCVD 00:00:20 00:00:10 I

Established:
Client Server State Create Timeout Mode
192.168.100.1:26643 192.168.99.2:23 ESTAB 00:00:04 23:59:56 I
Router1#

You will notice that there are usually very few sessions listed as Established at the end of this display. This is because the router only includes those sessions that have been established but for which it has not yet completely stepped out of the picture. This command output is useful for looking at who is attacking your servers. In this case, it looks like there is somebody attacking our server from the IP address 192.168.100.201. However, if you are using higher thresholds, this output is awkward to use.

Another command that is particularly useful with higher threshold values looks at the gross statistics:

Router1#show tcp intercept statistics
Intercepting new connections using access-list 109
9 incomplete, 1 established connections (total 10)
8 connection requests per minute
Router1#

In this case, you can see that there are nine incomplete sessions and one established. This output also shows the number of connection attempts per minute.
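When the thresholds are high enough for the connection table to run to hundreds of lines, a quick way to answer "who is holding all these half-open sessions?" is to parse the show tcp intercept connections output and count SYNRCVD entries per client address. The script below is an added example, not part of the recipe; its sample text is constructed in the format shown above, with one extra client row added so the per-client summary has more than one entry.

```python
import re
from collections import Counter

# Constructed sample in the format of 'show tcp intercept connections' from this
# recipe, with one extra client added so the per-client summary has two rows.
SAMPLE_OUTPUT = """\
Incomplete:
Client Server State Create Timeout Mode
192.168.100.201:3304 192.168.99.2:23 SYNRCVD 00:00:11 00:00:07 I
192.168.100.201:3305 192.168.99.2:23 SYNRCVD 00:00:08 00:00:02 I
192.168.100.201:3300 192.168.99.2:23 SYNRCVD 00:00:18 00:00:04 I
192.168.100.201:3301 192.168.99.2:23 SYNRCVD 00:00:16 00:00:06 I
192.168.100.201:3302 192.168.99.2:23 SYNRCVD 00:00:15 00:00:07 I
192.168.100.201:3303 192.168.99.2:23 SYNRCVD 00:00:13 00:00:01 I
192.168.100.201:3297 192.168.99.2:23 SYNRCVD 00:00:23 00:00:07 I
192.168.100.201:3298 192.168.99.2:23 SYNRCVD 00:00:21 00:00:09 I
192.168.100.201:3299 192.168.99.2:23 SYNRCVD 00:00:20 00:00:10 I
192.168.100.77:4001 192.168.99.2:23 SYNRCVD 00:00:02 00:00:28 I

Established:
Client Server State Create Timeout Mode
192.168.100.1:26643 192.168.99.2:23 ESTAB 00:00:04 23:59:56 I
"""

# One connection row: client:port server:port state create timeout mode
ROW_RE = re.compile(
    r"^(?P<client>[\d.]+):(?P<cport>\d+)\s+(?P<server>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<state>\S+)\s+(?P<create>\d\d:\d\d:\d\d)\s+(?P<timeout>\d\d:\d\d:\d\d)\s+(?P<mode>\S+)$"
)


def _hms_to_seconds(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_connections(text):
    """Parse the command output into a list of dicts, one per connection row."""
    rows = []
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(":") and " " not in line:   # "Incomplete:" / "Established:"
            section = line[:-1].lower()
            continue
        m = ROW_RE.match(line)
        if not m:
            continue                                  # column header, blank or prompt
        row = m.groupdict()
        row["cport"] = int(row["cport"])
        row["sport"] = int(row["sport"])
        row["age"] = _hms_to_seconds(row["create"])        # seconds since the SYN
        row["remaining"] = _hms_to_seconds(row["timeout"])  # seconds until it is dropped
        row["section"] = section
        rows.append(row)
    return rows


def half_open_by_client(rows, min_count=1):
    """Count SYNRCVD entries per client IP, most prolific first."""
    counts = Counter(r["client"] for r in rows if r["state"] == "SYNRCVD")
    return [(ip, n) for ip, n in counts.most_common() if n >= min_count]


def summarize(text, min_count=5):
    """Headline numbers plus the clients holding at least min_count half-open sessions."""
    rows = parse_connections(text)
    incomplete = [r for r in rows if r["section"] == "incomplete"]
    return {
        "incomplete": len(incomplete),
        "established": sum(1 for r in rows if r["section"] == "established"),
        "oldest_half_open_age": max((r["age"] for r in incomplete), default=0),
        "suspects": half_open_by_client(rows, min_count),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_OUTPUT))
```

The min_count argument is the point of the exercise: a handful of half-open sessions from one client is normal (slow links, NAT gateways serving many users), so the threshold for calling an address a suspect should be set from the same baseline you use for the intercept thresholds themselves.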

Using Context-Based Access-Lists

Problem

You want to use your router as a Firewall to perform advanced filtering functionality.

Solution

The following example shows how to configure the router to perform stateful inspection of TCP or UDP packets:

Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 166 deny ip any any
Router1(config)#access-list 167 permit tcp any any eq telnet
Router1(config)#ip inspect name Telnet tcp
Router1(config)#interface Serial0/1
Router1(config-if)#ip access-group 166 in
Router1(config-if)#ip access-group 167 out
Router1(config-if)#ip inspect Telnet out
Router1(config-if)#exit
Router1(config)#end
Router1#

Cisco's Firewall IOS feature set must be installed on a router before you can configure Context-Based Access-Lists.


Discussion

Context-Based Access Control (CBAC) has been available as part of the IOS Firewall feature set since 11.2(P). CBAC does a stateful inspection of TCP and UDP packets to manage sessions as they pass through the router. It uses this state information to dynamically modify existing extended ACLs to control the active sessions. CBAC can also monitor and manage sessions based on application type and can identify, terminate, or log suspicious activity.

CBAC provides much greater security than a regular filtering ACL because it uses features similar to those found in dedicated Firewalls. In fact, the IOS Firewall feature set, including CBAC, makes an excellent firewall for small or cost-conscious organizations. Although it is not suitable for every application, CBAC's stateful inspection does provide better security than simple packet filtering firewalls.

CBAC works by inspecting active sessions and dynamically creating temporary ACL entries to allow the return traffic through. In our example, we configured the router with an inbound ACL that denies all IP packets, which would normally prevent the router from accepting any inbound IP traffic on this interface. However, when somebody on the inside of the network initiates an outbound connection through this port, CBAC creates a temporary ACL that allows the device on the outside to respond.

We can demonstrate this by initiating an outbound Telnet session through this interface and then viewing the inbound ACL:

Router1#show ip access-list 166
Extended IP access list 166
permit tcp host 10.2.2.2 eq telnet host 172.25.1.1 eq 1379 (22 matches)
deny ip any any (456 matches)
Router1#

Notice that the original ACL now contains a new entry to allow the return data of the Telnet session that we originated. Notice also that this temporary ACL entry includes the exact source and destination IP addresses and port numbers. This ensures that our Telnet session works normally, but it prevents all other possible IP addresses from connecting to the client device's source port. In fact, CBAC even prevents the external server from connecting to the internal device's source port by using a new session because it maintains specific session information such as source and destination port numbers and TCP sequence numbers. This temporary ACL entry will terminate when the session ends, leaving only the static deny all entry that we originally configured in ACL number 166.
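The following model shows the mechanism the paragraph above describes: an outbound SYN creates a session entry keyed on the full address and port tuple, only return traffic matching that exact tuple is permitted, and the entry disappears when the session's timer runs out. It is an added example for this recipe, not IOS code; the state names follow those of show ip inspect sessions, the timers use the recommended values from Table 27-3, and the toy Packet type and the Inspector class are assumptions of the example.

```python
from dataclasses import dataclass

# Timer values from Table 27-3's "Recommended" column (ip inspect ... commands).
TCP_SYNWAIT_TIME = 15     # seconds to wait for the handshake to complete
TCP_IDLE_TIME = 1800      # seconds an established session may stay idle
TCP_FINWAIT_TIME = 1      # seconds a session lingers after FIN


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False


class Inspector:
    """Hypothetical model (not IOS code) of CBAC's temporary return-path entries.

    Sessions are keyed on the full inside/outside address and port tuple, so a
    reply is accepted only if it matches a session the inside host started.
    """

    def __init__(self):
        self.sessions = {}   # (inside, iport, outside, oport) -> {"state":..., "last":...}

    def _limit(self, state):
        return {"SIS_OPENING": TCP_SYNWAIT_TIME, "SIS_OPEN": TCP_IDLE_TIME,
                "SIS_CLOSING": TCP_FINWAIT_TIME}[state]

    def expire(self, now):
        """Remove entries whose timer (synwait, idle or finwait) has run out."""
        for key, s in list(self.sessions.items()):
            if now - s["last"] >= self._limit(s["state"]):
                del self.sessions[key]

    def outbound(self, pkt, now):
        """Inside -> outside packet: create or refresh the session it belongs to."""
        self.expire(now)
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        s = self.sessions.get(key)
        if s is None:
            if pkt.syn and not pkt.ack:
                self.sessions[key] = {"state": "SIS_OPENING", "last": now}
            return
        s["last"] = now
        if pkt.fin:
            s["state"] = "SIS_CLOSING"

    def inbound(self, pkt, now):
        """Outside -> inside packet. True if a temporary entry permits it; False
        means it falls through to the static 'deny ip any any' of ACL 166."""
        self.expire(now)
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        s = self.sessions.get(key)
        if s is None:
            return False
        if s["state"] == "SIS_OPENING" and pkt.syn and pkt.ack:
            s["state"] = "SIS_OPEN"
        s["last"] = now
        if pkt.fin:
            s["state"] = "SIS_CLOSING"
        return True

    def dynamic_acl(self):
        """The temporary entries as 'show ip access-list' would render them."""
        return [f"permit tcp host {o} eq {op} host {i} eq {ip}"
                for (i, ip, o, op) in self.sessions]


if __name__ == "__main__":
    insp = Inspector()
    insp.outbound(Packet("172.25.1.1", 1379, "10.2.2.2", 23, syn=True), 0.0)
    insp.inbound(Packet("10.2.2.2", 23, "172.25.1.1", 1379, syn=True, ack=True), 0.1)
    print(insp.dynamic_acl())
    # An unsolicited probe from another host matches no entry and is denied.
    print(insp.inbound(Packet("10.9.9.9", 4444, "172.25.1.1", 23, syn=True), 0.2))
```

The model deliberately omits the TCP sequence-number tracking the text mentions, so it is weaker than real CBAC in exactly the way the hijack discussion below describes; what it does show is why a port scan against this interface gets no response, and how the three timers in Table 27-3 bound the lifetime of each dynamic entry.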

This configuration will block all inbound connection attempts. A common and very simple technique used by hackers as a prelude to attacking an Internet site is to perform a port scan. This essentially means systematically trying to start an inbound session on each port in a large range. If there is any response at all, the attacker knows that there is something listening, which presents a useful starting point for breaking in. However, because this CBAC configuration blocks all unsolicited connection attempts, regardless of the port, this scanning technique reveals nothing useful. This is usually enough to deter all but the most sophisticated hackers.

In fact, the only effective way to get a packet past the ACL configuration shown in this recipe is to send a packet with the right source and destination addresses and port numbers, as well as the right TCP sequence number. This technique is called a hijack attack, and it is almost impossible to prevent. Attackers using this technique generally are able to get a single packet past the firewall. In some cases, an attacker can use this single packet to cause mischief. Fortunately for us, hijack attacks are extremely difficult to execute. But it is important to be aware of the limitations of any security measure.

The show ip inspect sessions command lets you view information about all of the sessions that CBAC is currently watching:

Router1#show ip inspect sessions
Established Sessions
Session 821061C0 (172.25.1.1:1379)=>(10.2.2.2:23) tcp SIS_OPEN
Router1#

The example shows how to inspect generic TCP sessions. However, one of CBAC's greatest strengths is its ability to identify application specific behavior and adjust its ACL entries accordingly. Table 27-2 displays the various applications that CBAC is able to monitor.

Table 27-2. CBAC Application support keywords
Keyword Application protocol
cuseeme CU-SeeMe Protocol
fragment IP Fragmented packets
ftp File Transfer Protocol
h323 H.323 Protocol
http HTTP (Java blocking)
netshow Microsoft's NetShow
rcmd Unix R-commands
realaudio RealAudio
rpc Sun RPC
rtsp Microsoft's RPC
smtp Simple Mail Transfer Protocol
sqlnet SQL*Net
streamworks StreamWorks
tcp Generic TCP
tftp Trivial File Transfer Protocol
udp Generic UDP
vdolive VDOLive


Just because an application is not listed in this table doesn't mean that CBAC will not manage its sessions. In fact, the Telnet example in this recipe used generic TCP inspection. Unless your application does something unusual in its session setup and negotiation sequences, the generic inspection should work well. For example, standard HTTP also uses standard TCP session rules. The only reason why there is a special HTTP option for CBAC is to handle Java.

Let's take a look at an application that doesn't use standard TCP ports to build connections, passive FTP. As we indicated in Recipe 19.12, passive FTP is difficult to secure because the server can choose to use a large number of ports for its data session. The result is that both the source and destination ports are determined dynamically when the session is established. Recipe 19.12 showed a way to filter this traffic statically, but with the unfortunate side effect of leaving open some 64,000 other ports. With CBAC this is not necessary since the router can watch the FTP control session and determine the server's data port. This allows it to open only the required port:

Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 155 permit tcp any any eq ftp
Router1(config)#access-list 155 deny ip any any
Router1(config)#ip inspect name TEST ftp
Router1(config)#interface Serial0/0
Router1(config-subif)#ip access-group 155 in
Router1(config-subif)#ip inspect TEST in
Router1(config-subif)#exit
Router1(config)#end
Router1#

In this example, the ftp keyword invokes FTP inspection instead of the generic TCP inspection that we showed in the previous example. Also, notice that the first line of our ACL includes the ftp keyword, which permits only the FTP control session. This is necessary so that CBAC will permit the control part of the application to pass.

Now we can connect to the FTP server using a web browser. Looking at the ACL shows the new entries that CBAC has created for us:

Router1#show ip access-list 155
Extended IP access list 155
permit tcp host 172.20.1.2 eq 11252 host 172.25.1.3 eq 49155 (1415 matches)
permit tcp any any eq ftp (151 matches)
deny ip any any (3829 matches)
Router1#

As you can see, CBAC monitored the FTP control session and opened the specific FTP data ports for the passive FTP data connection. You can tell that this is a passive FTP session from the high port numbers.

CBAC inspection can also handle normal FTP. CBAC FTP inspection blocks third-party connections, allowing only "safe" FTP data ports (1024-65535). CBAC monitors the FTP control session, and will not open a data port if the client authentication fails.
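To see where the data-port entry in the ACL output above comes from, it helps to work through the FTP control messages that application inspection reads. In passive mode the server answers PASV with "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)", and the data port is p1*256+p2; in normal (active) mode the client sends "PORT h1,h2,h3,h4,p1,p2" and the server connects back from port 20. The code below is an added example, not IOS code and not part of the recipe; it reproduces the three checks the paragraph above attributes to CBAC (safe port range, no third-party addresses, no data port before authentication) and uses the recipe's addresses, with the PASV reply itself constructed so that it decodes to the port 11252 shown in the ACL.

```python
import re

# Data ports CBAC regards as safe for FTP data connections (from this recipe).
SAFE_DATA_PORTS = range(1024, 65536)

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" from the server,
# "PORT h1,h2,h3,h4,p1,p2" from the client; port = p1*256 + p2.
_HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PASV_RE = re.compile(r"^227 .*?\(" + _HOSTPORT + r"\)")
PORT_RE = re.compile(r"^PORT\s+" + _HOSTPORT + r"\s*$")


def _decode(match):
    a, b, c, d, p1, p2 = (int(x) for x in match.groups())
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


def parse_pasv(reply):
    """(host, port) announced in a 227 reply, or None if the line is not one."""
    m = PASV_RE.match(reply.strip())
    return _decode(m) if m else None


def parse_port(command):
    """(host, port) announced in a PORT command, or None if the line is not one."""
    m = PORT_RE.match(command.strip())
    return _decode(m) if m else None


def passive_pinhole(server_ip, client_ip, client_port, reply, authenticated=True):
    """Return (acl_entry, reason); acl_entry is None when inspection refuses to open."""
    if not authenticated:
        return None, "client not authenticated on the control session"
    parsed = parse_pasv(reply)
    if parsed is None:
        return None, "not a PASV reply"
    host, port = parsed
    if host != server_ip:
        return None, "data address differs from the control-session server (third-party)"
    if port not in SAFE_DATA_PORTS:
        return None, f"data port {port} outside safe range"
    # Return traffic for the data connection the client opens to the server's port.
    return f"permit tcp host {host} eq {port} host {client_ip} eq {client_port}", "ok"


def active_pinhole(server_ip, client_ip, command, authenticated=True):
    """Normal (active) FTP: the server connects from port 20 to the port the client named."""
    if not authenticated:
        return None, "client not authenticated on the control session"
    parsed = parse_port(command)
    if parsed is None:
        return None, "not a PORT command"
    host, port = parsed
    if host != client_ip:
        return None, "PORT address differs from the control-session client (third-party)"
    if port not in SAFE_DATA_PORTS:
        return None, f"data port {port} outside safe range"
    return f"permit tcp host {server_ip} eq 20 host {client_ip} eq {port}", "ok"


if __name__ == "__main__":
    # Constructed reply: 43*256 + 244 = 11252, the data port seen in the recipe's ACL.
    print(passive_pinhole("172.20.1.2", "172.25.1.3", 49155,
                          "227 Entering Passive Mode (172,20,1,2,43,244)"))
    print(passive_pinhole("172.20.1.2", "172.25.1.3", 49155,
                          "227 Entering Passive Mode (10,0,0,9,43,244)"))
```

The third-party check is what the text means by blocking third-party connections: a data address that differs from the endpoint of the control session is refused rather than opened, so a server reply (or a PORT command from a client) cannot be used to have the router open a pinhole toward some other host.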

Although we haven't shown an example for UDP, CBAC can also handle UDP-based applications in a similar fashion to TCP. When you send a UDP packet out through the interface, CBAC knows to expect an appropriate response. UDP is difficult to handle because it is not session oriented. But CBAC handles UDP traffic well, offering application support for TFTP in particular that is rarely seen in commercial Firewalls.

The TFTP server uses the well-known UDP port 69. The client sends an initial packet to the server on this well-known port. But then the server opens a new arbitrary port greater than 1023 for the duration of the TFTP session. A standard packet filter would have to permit all UDP ports above 1023 to let TFTP work. CBAC gets around this problem by monitoring the TFTP session to determine which UDP port to open.

CBAC has several settings you can adjust to improve the overall performance and security of the router. We include some of the most important options in Table 27-3.

Table 27-3. Recommended CBAC settings
Setting Description Default Recommended
TCP idle-time Length of time CBAC will continue to permit an idle TCP session. 1 hour 30 minutes
UDP idle-time Length of time CBAC will continue to permit an idle UDP "session." 30 seconds 20 seconds
Finwait-time Length of time CBAC will continue to permit a TCP session after the exchange of FIN packets. 5 seconds 1 second
Synwait-time Length of time that CBAC will wait after receiving a SYN packet without completing the session establishment. 30 seconds 15 seconds


The following set of commands configures the timer settings of CBAC shown in Table 27-3:

Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ip inspect tcp idle-time 1800
Router1(config)#ip inspect udp idle-time 20
Router1(config)#ip inspect tcp finwait-time 1
Router1(config)#ip inspect tcp synwait-time 15
Router1(config)#end
Router1#

You can view the CBAC configuration settings with the show ip inspect config command:

Router1#show ip inspect config
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 15 sec -- tcp finwait-time is 1 sec
tcp idle-time is 1800 sec -- udp idle-time is 20 sec
dns-timeout is 5 sec
Inspection Rule Configuration
Inspection name Telnet
tcp alert is on audit-trail is off timeout 1800

Router1#

CBAC also provides a method of logging managed sessions, by enabling audit trails. You can enable an audit trail on a particular CBAC inspection command with the audit-trail keyword:

Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ip inspect name Telnet tcp audit-trail on
Router1(config)#end
Router1#

When you enable CBAC audit trails, the router will create a log entry after each session terminates. This log entry includes detailed information about the connection. Here is a sample audit trail log that the router recorded after we terminated a Telnet session:

Feb  8 14:37:24: %FW-6-SESS_AUDIT_TRAIL: tcp session initiator (172.25.1.1:1402) sent 59 bytes -- responder (10.2.2.2:23) sent 1299
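Because every terminated session produces one of these lines, the audit trail is most useful once it is parsed and aggregated rather than read by eye. The script below is an added example, not part of the recipe or of IOS; it extracts the initiator, responder and byte counts from %FW-6-SESS_AUDIT_TRAIL messages, totals bytes per inside host, and flags sessions whose initiator sent more than a chosen amount. Only the first log line of the sample is from the recipe; the others are constructed in the same format.

```python
import re
from collections import defaultdict

# One audit-trail message, as logged after a session closes.
AUDIT_RE = re.compile(
    r"%FW-6-SESS_AUDIT_TRAIL: (?P<proto>\w+) session initiator "
    r"\((?P<iip>[\d.]+):(?P<iport>\d+)\) sent (?P<ibytes>\d+) bytes -- "
    r"responder \((?P<rip>[\d.]+):(?P<rport>\d+)\) sent (?P<rbytes>\d+)"
)

# Constructed sample: the first line is the recipe's, the rest follow its format.
SAMPLE_LOG = """\
Feb  8 14:37:24: %FW-6-SESS_AUDIT_TRAIL: tcp session initiator (172.25.1.1:1402) sent 59 bytes -- responder (10.2.2.2:23) sent 1299
Feb  8 14:40:02: %FW-6-SESS_AUDIT_TRAIL: tcp session initiator (172.25.1.1:1410) sent 2048000 bytes -- responder (10.2.2.2:23) sent 300
Feb  8 14:41:15: %FW-6-SESS_AUDIT_TRAIL: udp session initiator (172.25.1.5:3001) sent 512 bytes -- responder (10.2.2.9:69) sent 0
Feb  8 14:41:20: %SYS-5-CONFIG_I: Configured from console by console
"""


def parse_audit_trail(text):
    """Return one dict per audit-trail line; other syslog lines are skipped."""
    records = []
    for line in text.splitlines():
        m = AUDIT_RE.search(line)
        if not m:
            continue
        records.append({
            "timestamp": line.split("%", 1)[0].strip().rstrip(":"),
            "proto": m.group("proto"),
            "initiator": f"{m.group('iip')}:{m.group('iport')}",
            "responder": f"{m.group('rip')}:{m.group('rport')}",
            "sent": int(m.group("ibytes")),        # bytes the initiator sent
            "received": int(m.group("rbytes")),    # bytes the responder sent back
        })
    return records


def bytes_by_initiator(records):
    """Totals per inside host: {ip: (bytes_sent, bytes_received)}."""
    totals = defaultdict(lambda: [0, 0])
    for r in records:
        ip = r["initiator"].rsplit(":", 1)[0]
        totals[ip][0] += r["sent"]
        totals[ip][1] += r["received"]
    return {ip: tuple(v) for ip, v in totals.items()}


def flag_large_uploads(records, max_sent):
    """Sessions where the inside host sent more than max_sent bytes outbound."""
    return [(r["initiator"], r["responder"], r["sent"])
            for r in records if r["sent"] > max_sent]


if __name__ == "__main__":
    recs = parse_audit_trail(SAMPLE_LOG)
    print(bytes_by_initiator(recs))
    print(flag_large_uploads(recs, 1_000_000))
```

A Telnet session in which the initiator sent two megabytes to port 23 is worth a second look, which is the kind of question the byte counts in the audit trail let you ask without any additional instrumentation; the same records feed the logging setup described in Chapter 18.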

For more information on logging, please see Chapter 18.

See Also