Congestion Avoidance

  • Tail Drop
    • Default for all queues.
      • When queue full, new packets trying to enter the tail of queue are denied admission.
    • Tail drop treats all packets equally.
      • No classification is performed.
    • Tail drop can result in global TCP synchronization.
      • Simultaneous drops.
      • Looks like shark tooth.
      • Slow start by all senders at same time until they gradually begin going up again at same time. Then restart process.
  • Random Early Detection
    • Selectively drop flows from queue before buffer is 100% full.
    • Goal is to send individual senders into slow start, not all senders at once.
    • Result is more even traffic.
  • WRED adds weighting to Random Early Detection.
    • Higher weight means less likely to be dropped.
    • Configured as ‘random-detect’
      • Can be combined with other queueing mechanisms.

Configuration Example:

  • Create new Class-map

Create new Policy-map and add Class-map ‘SQL’ to the it.

And above we’re adding a bandwidth guarantee and then specifying ‘random-detect’ for WRED.

Note- A bandwidth command is required to enable random-detect.

Congestion Management

  • FIFO Queueing
    • Simplest and easiest to configure.
      • Only parameter is queue-depth
    • Configuration
      • Disable Previous queueing strategy
        • ‘no fair-queue’
      • Define queue depth
        • ‘hold-queue out
    • Typically used as part of other solutions.
      • CBWFQ/HQF
    • Similar to ‘best effort’ traffic.
  • Fair Queueing
    • Known as max-min scheduling.
    • Services multiple requests for a shared resource.
      • 1. Share resource equally
      • 2. Take excessive amounts
      • 3. Share excess equally among unsatisfied requests.
    • ‘Try and treat all traffic the same’.
  • Weighted Fair Queueing
    • Max-min scheduling but not equal.
      • Allocate bandwidth per flow proportional to weight metric.
    • Flow is defined dynamically.
      • Src/Dst IP + Src/Dst Port + ToS Byte
    • Weight is IP Precedence + 1.


  • ‘fair queue <CDT> <Queues>’
  • ‘hold-queue out <max buffers>’
  • CDT
    • Congestive Discard Threshold
      • Individual queue size threshold.
    • If number of flows > number of queues…
      • Flow collision occurs and queues are shared.


  • Allows defining of custom flows
    • Class definition using MQC Syntax
    • ‘bandwidth‘ keyword defines class’ ‘weight’
  • Bandwidth is shared proportionally to weight
    • Relative sharing, not absolute reservation.

NOTE – Bandwidth does not work on subinterfaces.

  • Every queue in Hierarchical QoS Framework (HQF) is FIFO
    • Includes ‘class-default’
    • Buffer-limit with ‘queue-limit’ command.
      • Global buffer limit with hold-queue out.
    • Can be turned into Fair-Queue
      • Command ‘fair-queue <FLOWS>
      • All flows are equal, no weighting.
      • Queue limit per flow is 1/4* queue-limit.
  • Reservations
    • Absolute with ‘bandwidth [Kbps]’
    • Relative with ‘bandwidth percent [%]
      • Percent of interface ‘bandwidth’ setting
    • All bandwidths must sum to interface ‘bandwidth’
  • Class-Default
    • Always guaranteed at least 1% of interface BW
      • max-reserved-bandwidth now deprecated.

Low Latency Queue (LLQ) in HQF:

  • Priority Queue
    • Only one per Hierarchical QoS Framework (HQF) configuration.
      • Designated with ‘priority [x]’
      • Always emptied
    • Optionally policed to X Kbps only in times of congestion.
      • Congestion defined as having TX-Ring full.
    • Multiple classes can have priority
      • Share single queue but could be policed differently.
  • Remaining Bandwidth
    • Commonly used with LLQ
    • Bandwidth remaining after LLQ allocations.
    • Command ‘bandwidth remaining x’
    • Calculated as Interface_BW – LLQ_BW

Classification and Marking

  • Layer 2 Markings
    • Frame-Relay DE bit (1 bit)
    • MPLS EXP bits (3 bits)
    • 802.1Q CoS bits (3 bits)
  • IPv4 and IPv6 ToS Byte
    • IP precedence (3 bits)
    • DSCP (6 bits)
  • IP Precedence
    • 7 – Network
    • 6 – Internet
    • 5 – Critical
    • 4 – Flash-Override
    • 3 – Flash
    • 2 – Immediate
    • 1 – Priority
    • 0 – Routine
  • DSCP
    • Default
      • Best Effort
      • DSCP value 0
    • Expedited Forwarding (EF)
      • Priority
      • DSCP Value 46
    • Assured Forwarding (AF)
      • Bandwidth Guaranteed
      • Four Classes
        • AFxy where x = 1-4
        • Higher is more preferred
      • Three drop precedences
        • AFxy where y = 1-3
        • Higher means higher drop precedence
      • DSCP value (xxxyy0)
    • Class Selectors
      • Backwards compatible with IP Precedence
    • Seven classes
      • CSx where x = 1-7
      • Higher is more preferred.
  • Configuring Classification
    • MQC Classification Options
      • Match any vs. match all
      • Access-lists
      • DSCP/IP Precedence
      • NBAR
      • Source Interface
      • Source/Destination MAC address
    • Can combine multiple matches in one class.
  • Configuring Marking
    • Marking can be configured both input and output.
    • Specifically implemented with:
      • MQC/HQF policy
      • Legacy rate-limit (policer)
      • PBR

Hierarchical Queueing Framework

  • Hierarchical Queueing Framework (HQF)
  • Queueing
    • Occurs when packets are delayed by router.
    • Simplified in Ethernet Switches
      • Hardware Queues only
    • Could be hierarchical
      • PVC-Queue (Frame-Relay)
        • Interface Queue (software queue)
          • Hareware queue (TX-Ring)
    • Fancy queueing methods apply to software queue.
      • How traffic is processed when waiting for TxR
  • Modular Quality of Service Command line reference
    • Allows multiple QoS methods per interface per direction.
      • Old QoS methods did not do this.
    • Previously CBWFQ
    • Now HQF
      • Hierarchical queueing framework
        • 12.4 and higher.


  • Define traffic classes
    • ‘class map’
    • Define traffic match criteria
  • Define traffic policy
    • ‘policy-map’
    • Define actions
  • Apply Policy
    • ‘service-policy [in/out]on interface.
  • MQC Verification
    • ‘show class-map’
    • ‘show run class-map’
    • ‘show policy-map’
    • ‘show run policy-map’
    • ‘show policy-map interface’

Define Traffic Classes w/ Class Map:

Class Map with a match statement

Policy Map:

The first statement we’re creating a policy map that will reference the class map we created.

Then the question mark shows all the options we have here for QoS mechanisms. Bandwidth is used for reserving a certain minimum amount of bandwidth for this type of flow. The flow can use more than what is set but if there’s high contention, then the flow will always have at least this minimum set.

In this scenario we will set a policer.

The Policer is set to 8000 bps. The conform action, ie. what to do when under 8000 bps, is set to transmit. The exceed-action, ie. what to do when over 8000 bps, is set to drop.

The last step is applying to an interface with the service-policy input command. Input or output means apply inbound or outbound on the interface.

Now on a neighboring router we’re going to send pings to this interface with a high repeat count. On the console of the neighboring router it shows that traffic is being stopped after a certain amount hits.

On R1 a ‘show policy-map interface’ shows the conformed and exceeded packets.

QoS Overview

  • Provide different priority to different applications.
    • Different service levels for different types or ‘classes’ of traffic flows.
  • Cause:
    • Resource contention
      • Multiple flows using same link.
      • Same or multiple applications
      • Each app has its own requirements.
    • Contention results in queuing.
      • Packets may be delayed or dropped.
      • Effective flow throughput decreases.
      • Delay or Jitter may exceed threshold.
  • Best Solution
    • Don’t over provision
  • Next Best
    • QoS
      • Congestion is controlled.
      • Delay/Loss/Jitter/Throughput are controlled.
      • Only alleviates temporary congestion.
  • QoS Models
    • Integrated Services
      • RFC 1633
      • Connection-oriented model.
      • Every flow has an explicit reservation end-to-end.
      • Does not scale well because network must maintain too much state.
      • Best use case is MPLS TE
    • Differentiated Services
      • RFC 2475
      • Connectionless model
      • Traffic is grouped into classes.
      • QoS behavior is defined by traffic’s class.
      • Called Per-Hop-Behavior (PHB)
      • Focus for CCIE


  • Classification and Marking
    • In order for DiffServ to work, traffic must be placed into correct classes.
      • ‘classifications’
    • Traffic classification normally occurs at network ingress edge.
      • Typically a manual process we must enforce.
    • Classification can be encoded inside packet itself.
      • Known as packet’s ‘marking’.
  • Classification Types:
    • Classification and marking can happen at multiple places.
    • Layer 2 Class of Service (CoS)
      • 802.1q Ethernet Header
    • Layer 3 IP Type of Service (ToS)
      • IP Precedence and Differentiated Services Code Point (DSCP)
    • Layer 4
      • TCP and UDP Ports
    • Upper Layers
      • Network Based Application Recognition (NBAR)
      • Deep Packet Inspection (DPI)
  • QoS Tools:
    • Used to implement QoS Models
      • Many tools rely on correct QoS classification and marking
    • Different Tools for
      • Network Edge
      • Network Core
    • Tools fall into three main categories.
      • Admission Control
      • Congestion Management
      • Congestion Avoidance
  • Admission Control
    • Used to enforce traffic marking or traffic rate
    • 2 main types:
      • Traffic Policing
      • Traffic Shaping
  • Traffic Policing
    • Used to limit inbound and outbound traffic flows
      • Traffic that exceeds the rate can be dropped, marked, or re-marked.
      • Typically applied on ingress edge.
    • Example use case
      • PE connects to CE with GigE port
      • Circuit is provisioned at 250Mbps
      • PE applies inbound policer at port level
        • If traffic <=250Mbps, transmit
        • If traffic > 250Mbps, drop
  • Traffic Shaping
    • Used to normalize outbound traffic flows
      • Smooth out traffic bursts
      • Prepares traffic for ingress policing
      • Delay and Queue exceeding traffic
    • Example use case
      • PE connects to CE with GigE port
      • Circuit is provisioned at 250Mbps
      • CE applies outbound shaper at port level
        • If traffic <= 250Mbps, transmit
        • If traffic >250Mbps, queue for later transmission
  • Congestion Management Techniques
    • Used to deal with congestion once it occurs
      • ie. Queueing
    • Queueing Types
      • First in First out (FIFO)
      • Weighted Fair Queueing (WFQ)
      • Priority Queueing (PQ)/Low Latency Queueing (LLQ)
    • Example use case
      • CE to PE link is experiencing packet loss
      • Apply LLQ to give VoIP low delay
      • Apply WFQ to guarantee 50% BW for SQL
      • All other traffic gets best effort FIFO.
  • Congestion Avoidance Techniques
    • Stop congestion before it occurs
      • Packet drop strategy
    • Drop strategy types
      • Weighted Random Early Detection (WRED)
      • Tail Drop
    • Example Use Case
      • CE to PE link is experiencing packet loss
      • Apply WRED to selectively drop low priority flows.
      • Senders go into slow start
      • Congestion management is offloaded to end host TCP stack.

IPv6 First Hop Security

  • First hop
    • Segment between end host and default gateway.
  • Security
    • Prevent against internal threats at access layer
  • Both IPv4/6 have vulnerable control plane at access-layer.
    • IPv4
      • ARP
      • DHCP
    • IPv6
      • Neighbor Discovery (icmpv6)
      • Duplicate Address Detection (DAD)
      • SLAAC
      • DHCPv6
  • ICMPv6 ND
    • Replaces ARP in v4
    • ICMPv6 ND uses 4 messages instead of 2 (like arp request/reply)
      • NS – Neighbor Solicitation
        • ask for neighbor info
      • NA – Neighbor Advertisement
        • Advertise yourself to other neighbors
      • RS – Router solicitation
        • Ask info about local routers
      • RA – Router Advertisement
        • Advertise yourself as an active router
  • Router Advertisement Guard
    • Hosts dynamically discover default gateway based on NDP RA messages.
      • Prevents router spoofing on segment.
      • Prevents prefix spoofing on segment
      • Policy can be applied at VLAN or port level.
      • Says on interface level what’s on the other end
        • ie. Proper router or host.
  • DHCPv6 Guard
    • DHCPv6 does not assign default-router like IPv4.
      • Default router is learned through SLAAC from RA.
    • Similar in scope to DHCP Snooping.
    • Prevents DHCPv6 server spoofing.
    • Policy can be applied at VLAN or port level.
  • IPv6 Snooping:
    • IPv6 to MAC resolution achieved through Neighbor Discovery NS/NA messages.
      • Similar to dynamic arp inspection.
    • Inspects DHCPv6 and NDP messages.
      • Performs binding table through v6 neighbor tracking.
      • Prevents host spoofing on segment.
      • Optionally enables basic RA Guard and DHCPv6 Guard
      • Optionally can inspect data packets to perform neighbor binding.
    • Manual bindings can be completed.
    • Policy can be applied at VLAN or port level.
  • IPv6 Source-Guard
    • Similar in scope to IPv4 Source Guard
      • Relies on v6 snooping to create v6 neighbor binding table.
      • Creates automatic v6 PACL to filter sources based on neighbor binding table.

IOS Device Security

  • Standard Access-lists
    • Matches on source IP address only
  • Extended Access-lists
    • match on ip protocol #
    • Source and destination address
    • protocol options
      • tcp/udp ports
      • icmp type code
      • tcp state (established keyword)
    • Packet markings
      • DSCP/IPP
    • Non-initial fragments (fragments keyword)
  • Access-list Logging
    • Log can be generated on match.
      • Log vs. log-input
      • generated as syslog level ‘informational’
      • Causes packets to be process switched.
    • Logging rate-limiting
      • ‘ip access-list logging interval
      • ‘ip access-list log-update threshold’
      • ‘logging rate-limit’
    • ACL Syslog Correlation Tags
      • ‘log [cookie]’
      • ‘ip access-list logging hash-generation’
  • Applying IPv4 ACL
    • Traffic Filtering
      • ‘ip access-group’
    • Traffic Classification
      • ‘match access-group’
    • Route Filtering
      • ‘distribute-list or route-map’
    • VTY line/username access-control
      • ‘access-class in/out’

Topology Subnets:


Access-list Examples:

  • On R1 we’ll permit who is allowed to telnet/SSH to the box.
Access-list for host SW2

We’re creating an access list and associating it to the VTY lines with ‘access-class’. Can connect successfully from R2, but when trying from R3 I get the following message:

  • Now we can get more specific with an extended ACL:

The above will be applied to the interface instead of the VTY lines denying only port 23 from anybody.

A ‘show access-list’ will confirm the matches of the ACL.

Time Based ACL:

  • Used to activate ACL entry based on clock
  • Defined as time-range <name>
    • Absolute
      • one specific time
    • Periodic
      • One or more recurring times.
  • Potential Applications:
    • Time based traffic filter
    • Time based QoS
  • Above is an example of a time based ACL. If the IOS device clock shows between 09:00 and 17:00, then telnet will not be available inbound on the Gig0/0 interface of R1.

Unicast Reverse Path Forwarding:

  • Used to simplify Bogon/martian filters
    • Addresses that are invalid on the internet.
  • Ingress traffic has source checked against CEF table.
  • Packets without correct reverse route are dropped.
  • Can be both Strict and Loose
    • Strict means reverse route must be via ingress interface.
    • Loose means reverse route can be via any interface.

URPF can be turned on under the interface. At the end you can specify an ACL that is an exception to the RPF rule.

Private VLANs

  • Allows for layer 2 isolation between ports within same VLAN.
    • Expansion of protected port feature.
    • Allows isolation across multiple switches.
  • Allows for additional granular control within same VLAN.
    • requires ‘sub-vlan’ within ‘main’ vlan.
  • Main VLAN
    • Known as primary vlan
  • Sub-VLAN
    • Known as secondary vlans
    • 2 types
      • Community
      • Isolated
  • Ports
    • Promiscuous ports
      • Connect to router.
    • Host ports
      • Connect to end hosts
      • Either isolated or community ports
  • Primary VLAN
    • Carries traffic from promiscuous to host ports.
  • Isolated VLAN
    • Carries traffic from host ports to promiscuous ports.
  • Community VLAN
    • Carries traffic between community host ports and to the promiscuous port
  • VTP 1 and 2
    • Cannot advertise extended VLANs
      • Private VLANs are extended VLANs
      • Implies that Private VLAN config must be manually synced.
  • VTP 3
    • Private and extended can be advertised.

In the topology above we’re running a primary VLAN of 500, a community private VLAN of 501, and an isolated VLAN 502. H1-2 are in 501 and 502 is in H3. R1 will be connected to our promiscuous port acting as a gateway.

R1 –
H1 –
H2 –
H3 –

All configurations will occur on SW1.

Community VLAN Creation:

Isolated VLAN Creation:

Primary VLAN Creation:

Note mapping Sub-VLANs to Primary VLAN

Host port & VLAN Association:

Mode Private VLAN Host and Primary to Secondary mapping (Community)
Mode Private VLAN Host and Primary to Secondary mapping (Isolated)

Assign Promiscuous:

After these configurations are in place, the two hosts in community VLAN 501 will be able to communicate with each other and the gateway at Pings will fail going from H1 or H2 to the isolated VLAN member H3. H3 will only be able to communicate with the gateway.


  • If there were another member of the isolated VLAN, it would still not be able to communicate with H3.
  • Troubleshooting commands:
    • show interface gig0/0 switchport’
    • ‘show vlan private-vlan’
    • show vlan private-vlan type’

IPv4 First Hop Security

  • DHCP Snooping
    • Prevents DHCP server spoofing and exhaustion attack.
    • Enforces DHCP server role on ports.
      • Only trusted ports may respond to DHCP Discovers.
        • ie. Trusted ports are connected to DHCP server.
    • Maintains IP, MAC, and port binding.
      • Could be used for security enforcement.
    • Three main commands
      • ‘ip dhcp snooping’
      • ‘ip dhcp snooping VLAN x’
      • ‘ip dhcp snooping trust <interface>’
  • Caveats
    • Don’t forget to trust port to server.
      • Trust trunks as well as access port to DHCP.
    • DHCP snooping inserts information option
      • Adds empty giaddr field which IOS rejects.
    • Information option insertion could be disabled.
      • ‘no ip dhcp snooping information-option’
      • Alternative is configure server to trust empty giaddr.

In the image above we have a host, switch and DHCP server. DHCP server is handing out addresses in the network for VLAN 10, which our host is sitting in acting as a DHCP client. With DHCP snooping on, the configuration for our switch is as follows:

In global config we’re enabling DHCP snooping in vlan 10 and removing option 82 from the scenario. In addition we’re setting Gig0/1 as our trusted port that can receive DHCP requests.

When I shut/no shut the host interface, the host tries to get another IP address from our server and on the switch we see it’s checking it’s snoop binding entries to make sure this is okay.

Dynamic ARP Inspection (DAI)

  • Prevents ARP poisoning attack.
  • Inspects ARP requests/responses
    • ‘ip arp inspection VLAN X’
    • ‘ip arp inspection trust (port command)’
  • Enforces IP to MAC bindings based on DHCP snooping database

In global config we add arp inspection for VLAN 10 and allow our DHCP Server connecting interface to be trusted. Then we go into our host and manually change the MAC address of our interface and try pinging from our host to the DHCP server. In the switch we’ll see messages similar to this:

And of course the ping fails.

  • IP Source Guard
    • Prevents IP address spoofing
    • Uses DHCP snooping database to filter IPs on the port dynamically.
      • ‘ip verify source’ – interface command
    • MAC address filtering could be enforced as well.
      • Requires port-security enabled on interface.
      • Additional parameter ip verify source port-security.
    • Static IP to MAC mapping on a VLAN.
      • ‘ip source binding’ – global config command.

Notice it’s an interface level command on our untrusted port.

Dynamic ARP inspection WITHOUT DHCP:

  • If DHCP is not used static ARP mappings can be configured.
    • Takes precedence over dynamic ARP entries.
    • Configured using ARP inspection ACL.
      • ‘arp access-list x’
      • ‘permit ip host <ip> mac host <mac-address>
    • Applied to a VLAN
      • ‘ip arp inspection filter <NAME> VLAN y
arp access list
arp inspection filter referencing arp access-list

Port Traffic Control

  • Port-Security
    • Used to limit access based on MAC address
    • Violation modes
      • Shutdown (default)
        • Send port to err-disabled
      • Protect
        • Violators cannot send traffic in
      • Restrict
        • Violators cannot send traffic in
        • Switch sends syslog/snmp trap
    • Can be applied to trunk and access, not dynamic.
    • Secure MAC addresses
      • can only belong to one port
      • Static
      • Learned (dynamic)
      • Sticky
    • Trunk Ports
      • Support per-vlan limits (default unlimited)
      • Port limit is aggregate across all VLANs.
    • Keep in mind FHRP when using port-security
    • Avoid using ‘protected’ mode on trunks.
      • Disables MAC learning once limit is reached for any VLAN.
    • Consider multiple MACs for IP phones.
  • Port Protection
    • Protected ports cannot exchange L2 frames.
    • Used to prevent devices on same VLAN from communicating at layer 3.
      • Switchport protected
      • Limited to one switch.
    • Ex. prevent compromised web server from launching DoS at other hosts within same VLAN.
    • Unknown unicast and multicast packets are allowed.
      • Could be disabled explicitly.
  • Static CAM Entries
    • Points to a fixed port.
    • Can be used for null routing.
  • Storm Control
    • Limits amount of Broadcast/Multicast/Unicast traffic allowed in port.
      • Ingress rate limiting only
    • ‘storm-control <xcast> level
      • Level is percent of interface speed, not bandwidth.