Cisco DHCP server & VRF

I ran into a couple of issues while configuring VRFs on a Cisco router that also acts as DHCP server. First of all, the router was not creating any bindings for the DHCP requests it received. The DHCP server configuration is shown below.

ip dhcp pool guest
vrf vrf-guest

The pool configuration itself is straightforward; the only unusual part is the vrf statement that ties the pool to a VRF. With just this configuration the DHCP server does not work: no IP addresses are bound to clients, because by default the server selects a pool from the global address space and ignores the VRF of the interface the request arrived on, so the VRF pool is never chosen.

The command that makes it work is ip dhcp use vrf connected, which tells the DHCP server to use the VRF of the receiving interface when selecting a pool. Cisco's IOS DHCP command reference documents the command in more detail.

The second issue concerns excluding some IP addresses from the configured pool. For a VRF pool this is done with ip dhcp excluded-address vrf <vrf-name> <first ip-address> <last ip-address>; the form without the vrf keyword only applies to the global address space. Depending on the IOS version, the vrf form of this command is not available in the CLI. I had this problem on the Cisco 2811 I was using, so I tried the ip dhcp class command instead and added the following to the DHCP server configuration.

ip dhcp class dhcp_class_unsecure
remark limit IP addresses
ip dhcp pool unsecure
vrf unsecure
class dhcp_class_unsecure
address range <first ip-address> <last ip-address>

This isn't exactly the same as configuring address exclusions: ip dhcp class normally groups clients by characteristics such as the vendor class (DHCP option 60) or relay agent information, and clients that match a class are assigned an address from the range configured for that class. A class with no match criteria at all, as above, matches every client, so in effect it restricts the pool to the configured address range. In my situation the use of the ip dhcp class command fixed the problem.
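Below is an added example of the complete VRF-aware DHCP server setup described above; it is not the configuration from the original post. The VRF name, route distinguisher, interface and all addresses are assumed for illustration. It shows both ways of limiting the addresses handed out: the per-VRF excluded-address command where the IOS release supports it, and the DHCP class workaround where it does not.

```cisco
! Added example (not the post's configuration). VRF, interface and
! addresses are assumed.
ip vrf vrf-guest
 rd 65000:10
!
interface FastEthernet0/1
 ip vrf forwarding vrf-guest
 ip address 10.10.10.1 255.255.255.0
!
! Select the pool by the VRF of the interface the request arrived on.
! Without this line the pool below is never used and clients get no lease.
ip dhcp use vrf connected
!
! Option 1: per-VRF exclusions (only on IOS releases that accept the
! "vrf" keyword; the form without it applies to the global address space).
ip dhcp excluded-address vrf vrf-guest 10.10.10.1 10.10.10.20
!
ip dhcp pool guest
 vrf vrf-guest
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
!
! Option 2: when "ip dhcp excluded-address vrf" is not available.
! A DHCP class without any match criteria matches every client, so the
! address range inside the class bounds what the pool hands out.
ip dhcp class guest-range
 remark limit addresses handed out in the guest VRF
ip dhcp pool guest
 class guest-range
  address range 10.10.10.21 10.10.10.250
!
! Verify with "show ip dhcp pool guest" and "show ip dhcp binding" after
! a client in the guest VRF has requested an address.
```

Use one of the two options, not both: with option 1 the class block is unnecessary, and with option 2 the addresses outside the class range are simply never offered.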

CB-WFQ Bandwidth Allocation

When configuring Quality of Service with CB-WFQ I always have to puzzle over getting the class allocations right. It is important to remember that the router does not allow the class queues to reserve more than 75% of the total interface bandwidth. The remaining 25% is left for the default class and for control traffic such as routing protocol updates and Layer 2 overhead. (This applies to the legacy CB-WFQ CLI; IOS releases that use the Hierarchical Queueing Framework (HQF) no longer enforce this limit and do not use max-reserved-bandwidth.)

A quick example shows the problem. I have a router with a 10 Mbps Ethernet interface. I will add a service-policy to this interface and create a priority queue for voice traffic of 8 Mbps.

First I created the class-map and the policy-map:

class-map match-all VOIP
match ip dscp ef
policy-map policy-cbwfq
class VOIP
priority 8192

Next I try to apply the policy-map to the interface, but I receive an error message as shown below:

Router(config)#int fa 0/0
Router(config-if)#service-policy output policy-cbwfq
I/f FastEthernet0/0 class VOIP requested bandwidth 8192 (kbps), available only 7500 (kbps)

The error message clearly tells me that only 75% of the bandwidth can be reserved for class queues: 7500 kbps of the 10,000 kbps interface, while the VOIP class asks for 8192 kbps. The service-policy is rejected, and the router automatically adds a fair-queue configuration to the interface as a fallback.

fair-queue 64 256 256

You can raise the amount of bandwidth that class queues may reserve with the interface command max-reserved-bandwidth, here to 90% (9000 kbps of the 10 Mbps interface). I removed the fair-queue statement first, raised the limit and applied the policy again:

Router(config-if)#no fair-queue
Router(config-if)#max-reserved-bandwidth 90
Router(config-if)#service-policy output policy-cbwfq

The service-policy is now accepted by the router.

Router#sh policy-map interface fa0/0 output

Service-policy output: policy-cbwfq

Class-map: VOIP (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: ip dscp ef (46)
Strict Priority
Output Queue: Conversation 264
Bandwidth 8192 (kbps) Burst 204800 (Bytes)
(pkts matched/bytes matched) 0/0
(total drops/bytes drops) 0/0

Class-map: class-default (match-any)
23 packets, 2252 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any

Note the burst value shown for the priority class: 204800 bytes is the default of 200 ms at the configured rate (8192 kbit/s × 0.2 s ÷ 8 = 204800 bytes). Cisco's documentation on the bandwidth command explains the difference between bandwidth percent and bandwidth remaining percent in more detail.
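The following added example (not configuration from the post) shows how the reservation limit interacts with the three ways of allocating bandwidth to a class: absolute kbps, bandwidth percent, and bandwidth remaining percent. It assumes the same 10 Mbps FastEthernet0/0 with max-reserved-bandwidth 90; the DATA and WEB class-maps, their DSCP markings and the rates are assumptions for illustration.

```cisco
! Added example, not the post's configuration. Class names, markings and
! rates are assumed. VOIP is the class-map from the post.
class-map match-any DATA
 match ip dscp af31
class-map match-any WEB
 match ip dscp af21
!
! Variant A: absolute rates. priority + bandwidth = 8192 + 800 = 8992 kbps,
! which fits under the 9000 kbps limit (90% of 10000 kbps). "bandwidth 900"
! for DATA would make 9092 kbps and the service-policy would be rejected,
! exactly like the 8192-vs-7500 error in the post.
policy-map cbwfq-absolute
 class VOIP
  priority 8192
 class DATA
  bandwidth 800
!
! Variant B: "bandwidth percent" and "priority percent" are shares of the
! interface bandwidth (the interface "bandwidth" value, 10000 kbps here),
! so the same limit applies: 82% + 8% = 90% = 9000 kbps.
policy-map cbwfq-percent
 class VOIP
  priority percent 82
 class DATA
  bandwidth percent 8
!
! Variant C: "bandwidth remaining percent" divides what is left after the
! priority class has taken its share, so the percentages only have to add
! up to at most 100 and the policy does not have to be re-tuned when the
! interface bandwidth changes. Absolute "bandwidth" and "bandwidth remaining
! percent" cannot be mixed in one policy map; "priority" can be combined
! with "bandwidth remaining percent".
policy-map cbwfq-remaining
 class VOIP
  priority percent 80
 class DATA
  bandwidth remaining percent 60
 class WEB
  bandwidth remaining percent 30
!
interface FastEthernet0/0
 bandwidth 10000
 max-reserved-bandwidth 90
 service-policy output cbwfq-remaining
```

Apply only one of the three policy-maps to the interface; they are alternatives. Check the result with show policy-map interface fa0/0 output, as in the post.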

Cisco ASA: DNS reply filtering

Today I was asked to block access to several websites, and the only device capable of doing this was the firewall, a Cisco ASA. The ASA supports basic URL filtering, but the customer wanted to block both HTTP and HTTPS websites, and HTTPS is encrypted with SSL/TLS end-to-end between the client and the server, so the firewall cannot inspect the URL inside the session. Instead of URL inspection I therefore configured DNS inspection.

The ASA inspects the DNS traffic from the internal DNS server or end device to the external DNS server, and I use regular expressions to match the FQDN of a website. Below is an example configuration that blocks access to a website (and to applications that rely on a DNS entry under that domain).

regex <regex-name> "\.logmein\.com"
class-map type regex match-any DomainBlockList
description Blocked Domains
match regex <regex-name>
policy-map type inspect dns PM-DNS-inspect
parameters
message-length maximum 512
match domain-name regex class DomainBlockList
drop-connection log
policy-map global_policy
class inspection_default
inspect dns PM-DNS-inspect
service-policy global_policy global

A problem with this approach can be the cache of the internal DNS server: if the domain name was queried before the inspection was configured, the cached answer keeps the domain reachable until the entry expires. In urgent situations you can clear the DNS cache yourself. Two further caveats: the filter only sees DNS traffic that actually passes through the ASA, so hosts that resolve names over another path or connect to the server's IP address directly are not affected; and the regex above is unanchored, so it matches any name that merely contains .logmein.com while not matching the bare name logmein.com.

When a DNS message matches, the ASA drops it and generates a syslog message like the one below; in this case the query from the internal DNS server to the upstream resolver was dropped.

08-28-2009 15:33:31 Local4.Warning %ASA-4-410003: DNS Classification: Dropped DNS request (id 22251) from inside:DNS-SERVER/59256 to outside:UPSTREAM-DNS/53; matched Class 23: match domain-name regex class DomainBlockList
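As an added example (not part of the original post), the session below shows how to verify a domain regex with the ASA's test regex command before relying on it, and how to write an anchored pattern that matches the domain and its subdomains but not unrelated names that happen to contain the string. The regex name DOMAIN-LOGMEIN is an assumption; the class-map and policy-map names are the ones from the post.

```cisco
! Added example, not the post's configuration. DOMAIN-LOGMEIN is an
! assumed name; the other names are taken from the post.
!
! The unanchored pattern matches subdomains, misses the bare domain and
! also matches names that merely contain the string:
ciscoasa# test regex www.logmein.com "\.logmein\.com"
INFO: Regular expression match succeeded.
ciscoasa# test regex logmein.com "\.logmein\.com"
INFO: Regular expression match failed.
ciscoasa# test regex www.logmein.com.example.net "\.logmein\.com"
INFO: Regular expression match succeeded.
!
! Anchored pattern: the bare domain or any subdomain, nothing after it.
ciscoasa# test regex logmein.com "(^|\.)logmein\.com$"
INFO: Regular expression match succeeded.
ciscoasa# test regex www.logmein.com "(^|\.)logmein\.com$"
INFO: Regular expression match succeeded.
ciscoasa# test regex www.logmein.com.example.net "(^|\.)logmein\.com$"
INFO: Regular expression match failed.
!
! The same inspection policy as in the post, with the anchored regex.
ciscoasa(config)# regex DOMAIN-LOGMEIN "(^|\.)logmein\.com$"
ciscoasa(config)# class-map type regex match-any DomainBlockList
ciscoasa(config-cmap)#  description Blocked Domains
ciscoasa(config-cmap)#  match regex DOMAIN-LOGMEIN
ciscoasa(config)# policy-map type inspect dns PM-DNS-inspect
ciscoasa(config-pmap)#  parameters
ciscoasa(config-pmap-p)#   message-length maximum 512
ciscoasa(config-pmap)#  match domain-name regex class DomainBlockList
ciscoasa(config-pmap-c)#   drop-connection log
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)#  class inspection_default
ciscoasa(config-pmap-c)#   inspect dns PM-DNS-inspect
ciscoasa(config)# service-policy global_policy global
```

Add one regex per domain to the class-map (match-any) rather than one long alternation; ASA regular expressions are limited in length, and separate entries are easier to read in the %ASA-4-410003 messages.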