22.0 Queuing:
Cisco IOS supports the following queuing methods:
1. Weighted fair queuing (WFQ): This is an automatic prioritization
method that needs no traffic classification to be configured. WFQ
ensures that bandwidth is shared fairly between conversations (flows).
Low-volume interactive traffic such as Telnet is given priority over
high-volume traffic such as file transfers. WFQ is the default
queuing method on physical interfaces of 2.048 Mbps or less.
The following command enables weighted fair queuing on a router
interface and sets the congestive discard threshold to 64:
Router(config-if)# fair-queue 64
The congestive discard threshold is the number of packets that may be
held in each conversation's queue. With a threshold of 64, at most 64
packets of one conversation are queued; packets arriving for that
conversation beyond the limit are discarded, so a single bulk flow
cannot consume the whole interface queue. 64 is also the default value.
2. Priority queuing (PQ): Priority queuing gives you explicit control
over how different types of traffic are served. It is used when
traffic of a certain type, such as mission-critical traffic, must
always be forwarded ahead of all other traffic. Packets are sorted into
four queues (high, medium, normal and low). The higher-priority queue
is always serviced first, and a lower queue is serviced only when every
queue above it is empty. The consequence is starvation: if the high
queue is always full, the other queues are never processed.
A priority list is a set of rules that assigns packets to the
priority queues. For example, the following command assigns all IP
traffic to the medium queue of priority list 2:
R(config)# priority-list 2 protocol ip medium
You apply the priority list to an interface with the priority-group
command:
R(config-if)# priority-group 2
Note that 2 is the number of the priority list defined earlier.
3. Custom queuing (CQ): Custom queuing allocates a configured share of
the bandwidth to each type of traffic. This ensures that every class
of traffic gets its share of the bandwidth and eliminates the main
problem of priority queuing, where a higher-priority queue that is
always full starves the lower-priority queues. Each custom queue is
served in round-robin order for a configured byte count, so the ratio
of the byte counts sets the ratio of bandwidth the queues receive under
congestion.
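The three methods above in one configuration, as an added example that is not part of the original notes. The interface names, access-list number, queue limits and byte counts are assumptions chosen for illustration; each method is placed on a different interface because an interface can run only one of them at a time.

```cisco
! Added example; interface names, ACL 101, queue limits and byte counts
! are assumed values for illustration.
!
! 1. WFQ with a congestive discard threshold of 64 (the default).
interface Serial0/0
 fair-queue 64
!
! 2. Priority queuing: interactive Telnet/SSH goes to the high queue,
!    everything else defaults to the normal queue. Keep the high queue
!    narrow, or it will starve the other three.
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any any eq 22
priority-list 1 protocol ip high list 101
priority-list 1 default normal
! per-queue packet limits, in the order high medium normal low
priority-list 1 queue-limit 20 40 60 80
interface Serial0/1
 priority-group 1
!
! 3. Custom queuing: queue 1 (interactive) and queue 2 (everything else)
!    are served round-robin; the byte counts give roughly a 1:3 split of
!    the bandwidth under congestion instead of strict precedence.
queue-list 1 protocol ip 1 list 101
queue-list 1 default 2
queue-list 1 queue 1 byte-count 1500
queue-list 1 queue 2 byte-count 4500
interface Serial0/2
 custom-queue-list 1
!
! verify: show queueing fair / show queueing priority / show queueing custom
```

The same access list classifies traffic for both PQ and CQ; what differs is only the service discipline, which is the point of comparing the two.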
Some instances where queuing is recommended include:
1. Where interactive traffic suffers noticeable performance
degradation.
2. Where some traffic needs to be assigned a higher priority because
of its nature.
3. When you want to assign specific bandwidth allotments to different
traffic flows according to their importance.
If you find a link to be congested for most of the day, the capacity
of the link needs to be increased. Otherwise, prioritizing the traffic
only chooses which of your customers' legitimate traffic is denied
service. If the utilization of a WAN link is below about 70 percent,
the link may be considered OK and not overloaded, but you may still
need to plan for future expansion.
23.0 NAT:
When you configure NAT, it must be enabled on at least one inside and
one outside interface. The command for enabling NAT on the inside
interface is:
R(config-if)# ip nat inside
The command for enabling NAT on the outside interface is:
R(config-if)# ip nat outside
Remember to enter the appropriate configuration mode (interface
configuration mode for these two commands) before entering them.
Usually the inside NAT is configured on an Ethernet interface, whereas
the outside NAT is configured on a serial (WAN) interface.
The command
ip nat inside source static <local ip> <global ip>
configures address translation for static NAT: the inside local
address is always translated to the same inside global address, in
both directions, so the host is also reachable from outside at that
address.
The command
ip nat inside source list <access-list-number> pool <name>
maps the access list to the IP NAT pool during the configuration of
dynamic NAT: packets from inside hosts permitted by the access list
are translated to addresses taken from the pool.
The following two statements are true about the 'ip nat inside source'
command:
1. It translates the source address of IP packets that are traveling
from inside to outside.
2. It translates the destination address of IP packets that are
traveling from outside to inside (the return traffic).
The following two statements are true about 'ip nat outside source':
1. It translates the source address of IP packets that are traveling
from outside to inside.
2. It translates the destination address of IP packets that are
traveling from inside to outside.
It is important to note that the real addresses of the translated side
never appear in packets on the other side: with inside source NAT,
hosts on the outside see only the inside global addresses, and the
inside local addresses stay hidden from them.
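Dynamic and static inside source NAT together, as an added example configuration that is not part of the original notes. The addresses (192.168.10.0/24 inside, 203.0.113.0/24 outside), interface names and access-list numbers are assumptions; the inbound access list on the outside interface is the check a static mapping needs, because a static translation exposes the inside host on every port.

```cisco
! Added example; addresses, interface names and ACL numbers are assumed.
! Inside network 192.168.10.0/24; outside addresses from 203.0.113.0/24.
!
! Dynamic NAT: inside hosts matched by ACL 1 are translated to an address
! from the pool. Keep the ACL limited to the inside networks; 'permit any'
! is a common mistake that also matches traffic which should not be
! translated. Add 'overload' to the 'ip nat inside source' line to share
! pool addresses among more hosts than the pool holds (PAT).
access-list 1 permit 192.168.10.0 0.0.0.255
ip nat pool OUTSIDE-POOL 203.0.113.10 203.0.113.20 netmask 255.255.255.0
ip nat inside source list 1 pool OUTSIDE-POOL
!
! Static NAT: one inside server always appears as 203.0.113.5. Because
! the mapping is bidirectional, outside hosts can reach it on any port,
! so filter what is allowed in. The inbound ACL is checked before NAT on
! the outside interface, so it is written with the global addresses.
ip nat inside source static 192.168.10.50 203.0.113.5
access-list 110 permit tcp any host 203.0.113.5 eq 443
access-list 110 permit tcp any host 203.0.113.5 eq 25
access-list 110 permit tcp any 203.0.113.0 0.0.0.255 established
access-list 110 permit icmp any 203.0.113.0 0.0.0.255 echo-reply
!
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
interface Serial0/0
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
 ip access-group 110 in
!
! verify: show ip nat translations / show ip nat statistics
```

The 'established' line admits only return traffic for connections opened from inside; without it the dynamic translations would be created but the replies dropped by ACL 110.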
24.0 IP Unnumbered:
The following are true about the 'ip unnumbered' interface
configuration command:
1. It conserves IP addresses, because the interface borrows an address
that is already configured on another interface instead of needing a
subnet of its own.
2. The address of the specified interface is used as the source
address of IP packets sent out of the unnumbered interface.
3. The command can only be used on point-to-point (non-multiaccess)
interfaces.
4. A loopback interface is the ideal interface to reference. Since a
loopback is a virtual interface, it never goes down, whereas borrowing
the address of a physical interface leaves the unnumbered link without
a usable address whenever that interface is down.
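The command in use, as an added example configuration that is not part of the original notes. The loopback address, the remote network and the interface names are assumptions; the static route shows the consequence of the interface having no address of its own.

```cisco
! Added example; addresses and interface names are assumed.
! The serial link borrows the address of Loopback0, so no subnet is
! consumed for the point-to-point link.
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
interface Serial0/0
 ip unnumbered Loopback0
 encapsulation ppp
!
! The unnumbered interface has no address of its own, so the remote
! network must be reached by a route that names the interface (or by a
! routing protocol running over the link), not by a next-hop address.
ip route 10.1.2.0 255.255.255.0 Serial0/0
!
! You cannot ping the serial interface itself to check the link; test
! against the loopback address of the far end instead.
```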
25.0 Load Distribution:
TCP load distribution allows a group of inside hosts to share the load
of TCP connections arriving for a single virtual address. A set of
mail servers (or web servers) is an example where this type of load
sharing may be required. The router assigns each new TCP connection to
the virtual address to the next real host in round-robin order.
The following steps summarize the commands required to configure TCP
load distribution:
1. Define a standard IP access list that permits the virtual address
to which clients connect.
2. Define an IP NAT pool containing the real hosts, as below:
ip nat pool <pool-name> <start-ip> <end-ip> {netmask <net-mask> | prefix-length <prefix-length>} type rotary
Note the option 'type rotary'. This option enables the round-robin
load sharing between the real hosts.
3. Map the access list to the real-hosts pool using the command:
ip nat inside destination list <access-list-number> pool <pool-name>
4. Finally, enable NAT on the appropriate interfaces using the
command:
ip nat {inside | outside}
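The four steps carried through, as an added example configuration that is not part of the original notes. The virtual address 203.0.113.80, the real hosts 192.168.10.11 to 192.168.10.13, the interface names and the access-list number are assumptions.

```cisco
! Added example; addresses, interface names and ACL number are assumed.
! Clients connect to the virtual address 203.0.113.80; the router hands
! each new TCP connection to one of three real web servers in turn.
!
! 1. The access list permits the virtual address, not the real hosts.
access-list 2 permit host 203.0.113.80
!
! 2. The pool holds the real hosts; 'type rotary' selects them round-robin.
ip nat pool WEB-FARM 192.168.10.11 192.168.10.13 prefix-length 24 type rotary
!
! 3. Translate the destination of new TCP connections to the virtual
!    address into a real host address.
ip nat inside destination list 2 pool WEB-FARM
!
! 4. Mark the interfaces.
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
interface Serial0/0
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
!
! Caveats: only TCP is distributed, and the router does no health
! checking, so a real host that is down still receives its turn. Each
! connection stays with its host for its lifetime; see the entries with
! 'show ip nat translations'.
```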
26.0 AAA:
AAA stands for Authentication, Authorization, and Accounting.
Authentication: Authentication determines whether a user is allowed
access to the network at all, by verifying the identity the user
claims. Its primary purpose is to keep intruders off the network.
Authorization: Authorization determines the extent to which an
authenticated user is allowed access to network resources. It limits
network resources to authorized individuals and allows different
levels of access for different users.
Accounting: Accounting keeps track of network resource usage. The
usage statistics may include such things as number of hours of usage,
kilobits of data transferred and so on. Accounting records are also
what let you trace the activities of a user at a later date for
troubleshooting or investigative purposes.
The command that enables AAA on a router is:
Router(config)# aaa new-model
This is the first command given when configuring AAA on a router.
Note that as soon as 'aaa new-model' is entered, the default login
method list (local) applies to all lines, so have a local username
configured before you enter it or you can lock yourself out.
The syntax for AAA authentication for use on serial interfaces running
PPP (Point-to-Point Protocol) is:
R(config)# aaa authentication ppp {default | <list-name>} <method1> [method2] [method3] ...
Methods are tried in order; the next method is consulted only if the
previous one returns an error (for example, the server is unreachable),
not when it rejects the credentials. For example, to use TACACS+ first
and then no authentication if TACACS+ returns an error, use the command:
R(config)# aaa authentication ppp default tacacs+ none
This is a fail-open configuration: if the TACACS+ server is
unreachable, every PPP peer is accepted without authentication. On a
production router replace 'none' with a fallback such as 'local' (a
username configured on the router).
Alternatively, we can use a named list, say mylist, as below:
R(config)# aaa authentication ppp mylist tacacs+ none
A named list is useful when a particular interface or line needs a
different authentication policy: you apply it by calling the list name
there, while the default list applies everywhere a named list is not
referenced.
The following three protocols are supported for security verification
between the access server and the security server:
1. TACACS+
2. RADIUS
3. Kerberos V
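Authentication, authorization and accounting against a TACACS+ server with a local fallback, as an added example configuration that is not part of the original notes. The server address, shared key, user name, passwords and interface name are assumptions. On current IOS releases the TACACS+ method is written 'group tacacs+' where the notes above use the older 'tacacs+' form.

```cisco
! Added example; server address, key, user name, passwords and interface
! name are assumed placeholders to be replaced before use.
!
! Configure a local fallback user BEFORE 'aaa new-model', because that
! command immediately makes every line require a login.
username admin privilege 15 secret Loc4lFallbackOnly
!
aaa new-model
tacacs-server host 10.0.0.5 key T4cacsSharedKey
!
! Authentication: ask TACACS+ first; fall back to the local database
! only if the server cannot be reached (a rejected password does not
! fall through). 'none' here would admit everyone when the server is down.
aaa authentication login default group tacacs+ local
aaa authentication ppp default group tacacs+ local
!
! Authorization: what an authenticated user is allowed to do.
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
! Accounting: record sessions and privileged commands for later review.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Named list for one PPP link that must authenticate via TACACS+ only
! (fail closed when the server is unreachable).
aaa authentication ppp mylist group tacacs+
interface Serial0/0
 encapsulation ppp
 ppp authentication chap mylist
!
! The default list applies to the VTY lines; naming it is optional.
line vty 0 4
 login authentication default
```

Keep a session open while testing a new AAA configuration so that a mistake in the method lists does not cost you access to the router.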
27.0 Miscellaneous: