
Chapter 4

"Do I Know This Already" Quiz

Classification and Marking Concepts Questions

1.

Which of the following tools can be used to classify packets generated on behalf of an application that uses static well-known TCP port numbers?

  1. CB Marking

  2. ECN

  3. NBAR

  4. Pre-classify

Answer:

A, C

CB Marking can match well-known port numbers easily, using an IP ACL. NBAR can match well-known ports directly.

2.

Which of the following tools can be used to classify packets generated on behalf of an application that dynamically allocates the TCP ports numbers used by the application?

  1. CB Marking

  2. ECN

  3. NBAR

  4. Pre-classify

Answer:

C

NBAR can look at the application layer messages, noting which TCP and UDP port numbers the application dynamically assigns in each case.

3.

Which of the following header fields are part of the IEEE 802.1Q header?

  1. DE

  2. User Priority

  3. QoS

  4. DSCP

  5. ToS

Answer:

B

4.

Imagine a PC, connected to an IP phone via an Ethernet cable, with the IP phone connected to a 2950 switch. The switch is cabled to an access router, which in turn has Frame Relay connectivity to the central site. Assuming trunking is used between the IP phone and the switch, where is the recommended trust boundary for data coming from the PC towards the central site?

  1. PC

  2. Phone

  3. Switch

  4. Access router

  5. Frame Relay cloud

Answer:

B

Classification and Marking Tools Questions

5.

Imagine a router configuration with several class-map commands, with a policy map referring to the service classes defined in the class-map commands. The policy map has been enabled for incoming packets on interface Fa0/1. What command would you look for in order to tell if Class Based Marking was in use, as opposed to some other MQC command?

  1. match

  2. match-all

  3. priority

  4. mark

  5. set

Answer:

E

6.

Examine the following example of commands typed in configuration mode in order to create a class map. Assuming that the class fred command was used inside a policy map, and the policy map was enabled on an interface, which of the following would be true in regards to packets classified by the class map?

          Router(config)#class-map fred
          Router(config-cmap)#match ip dscp ef
          Router(config-cmap)#match ip dscp af31

  1. Matches packets with both DSCP EF or AF31

  2. Matches packets with either DSCP EF or AF31

  3. Matches all packets that are neither EF nor AF31

  4. Matches no packets

  5. Matches packets with precedence values of 3 and 5

Answer:

D

Each class-map has an optional parameter of match-all (default) or match-any. With the default of match-all, both match commands in the class-map must match, and a packet can't have both DSCP EF and AF31.

7.

Examine the following configuration snippet, and assume that all commands related to the class-map and all interface commands are shown. Which of the following answers best explains why the show command shows that class barney is not matching any packets?

          class-map dino
           match protocol rtp audio
          !
          policy-map barney
           class dino
            set ip dscp ef
          !
          interface fastethernet0/0
           ip address 1.1.1.1 255.255.255.0
           service-policy input barney

  1. There is no RTP audio traffic currently in the network

  2. You cannot enable CB Marking as an input function

  3. The show command only works when the mls enable counters interface subcommand is used

  4. The ip cef global command is required.

  5. The show policy-map interface fa0/0 command lists configuration information, but not packet counters

Answer:

D

The match protocol command means that NBAR is used to match the packets. In order to use NBAR, CEF must be enabled globally.

8.

Assume that a router is configured correctly so that voice payload packets are marked with DSCP value EF. Which of the following commands could have been used inside the policy-map to cause CB Marking to set that value?

  1. set ip dscp ef

  2. set ip dscp 46

  3. set dscp ef

  4. set dscp 46

  5. All of the above

  6. None of the above

Answer:

E

The keyword ef can be used inside the set command, or the decimal value can be used; in this case, decimal 46. Also, the ip keyword is optional as of IOS 12.2T, so the first four answers are all syntactically correct and also mark the packet with DSCP EF.

Classification Issues when Using VPNs Questions

9.

Router A is the endpoint of an IPSEC VPN tunnel. Packets entering router A before being encrypted into the tunnel have been marked with meaningful DSCP values. What causes router A to copy the ToS byte from the original packet into the new VPN IP header?

  1. It works automatically, without any commands required

  2. The ip cef global command is needed

  3. The mls qos global command is needed

  4. The qos pre-classify global command is needed

  5. The qos pre-classify command is needed on the IPSEC crypto map

Answer:

A

10.

Router A is the endpoint of an IPSEC VPN tunnel. Packets entering router A on interface fa 0/0 will be encrypted and then forwarded to a central site out interface S0/0. You want to enable CB Marking on egress packets on the serial0/0 interface, but you want to look at the fields in the IP, TCP, and UDP headers of the original packet, before encryption. What must be done to allow your policy map to work?

  1. It works automatically, without any commands required

  2. The ip cef global command is needed

  3. The mls qos global command is needed

  4. The qos pre-classify global command is needed

  5. The qos pre-classify command is needed on the IPSEC crypto map

Answer:

E

Q&A

1.

Describe the difference between classification and marking.

Answer:

Classification processes packet headers, or possibly other information, to differentiate between multiple packets. Marking changes a field inside the frame or packet header.

2.

Describe, in general, how a queuing feature could take advantage of the work performed by a classification and marking feature.

Answer:

Queuing features can perform their own classification function to place different packets into different queues. After a classification and marking tool has marked a packet, the queuing feature can look for the marked value when classifying packets.

3.

Characterize what must be true before the CoS field may be useful for marking packets.

Answer:

CoS only exists in 802.1P/Q headers and ISL headers. In turn, these headers are used only on Ethernet links that use trunking. Therefore, the CoS field can only be marked or reacted to for Ethernet frames that cross an 802.1Q or ISL trunk.

4.

Most other QoS tools, besides classification and marking tools, also have a classification feature. Describe the advantage of classification, in terms of overall QoS design and policies, and explain why classification and marking is useful, in spite of the fact that other tools also classify the traffic.

Answer:

Classification and marking, near the ingress edge of a network, can reduce the amount of work required for classification by other QoS tools. In particular, many QoS tools can classify based on marked fields without using an ACL, which reduces overhead for each QoS tool. By marking packets near the ingress edge, QoS policies can be more consistently applied. In addition, configurations for most other QoS tools become simpler, which can reduce configuration errors in the network.

5.

Which of the following classification and marking tools can classify based on the contents of an HTTP URL: class-based marking (CB Marking), QoS Pre-classification, network-based application recognition (NBAR), or cos-to-dscp maps?

Answer:

NBAR actually performs the classification based on HTTP header contents. CB Marking is the only tool that marks based on NBAR's match of the URL string.

6.

Describe the differences between IP extended ACLs as compared with NBAR for matching TCP and UDP port numbers.

Answer:

You can use both tools to match packets based on well-known port numbers. However, some higher-layer protocols allocate dynamic port numbers, making the use of extended ACLs difficult at best. NBAR can look further into the packet contents to identify what dynamic ports are currently in use by certain protocols, and match packets using those dynamic ports.

7.

Which of the following QoS marking fields are carried inside an 802.1Q header: QoS, CoS, DE, ToS byte, User Priority, ToS bits, CLP, Precedence, QoS Group, DSCP, MPLS Experimental, or DS?

Answer:

CoS and User Priority. CoS is the more general name, with User Priority specifically referring to the 3-bit field in the 802.1P header.

8.

Which of the following QoS marking fields are carried inside an IP header: QoS, CoS, DE, ToS byte, User Priority, ToS bits, CLP, Precedence, QoS Group, DSCP, or MPLS Experimental?

Answer:

ToS byte, ToS bits, Precedence, DSCP.

9.

Which of the following QoS marking fields are never marked inside a frame that exits a router: QoS, CoS, DE, ToS byte, User Priority, ToS bits, CLP, Precedence, QoS Group, DSCP, MPLS Experimental, or DS?

Answer:

QoS Group is only used for internal purposes in GSR and 7500 series routers.

10.

Describe the goal of marking near the edge of a network in light of the meaning of the term "trust boundary."

Answer:

Good QoS design calls for classification and marking, based on well-defined QoS policies, as near to the ingress edge of the network as possible. However, packets marked in devices near the edge of the network may be re-marked by devices whose administrators cannot be trusted. A packet can be marked by the end-user PC, for instance, but the end user can configure the value to be marked. An IP Phone, however, can mark packets, and the marked values cannot be overridden by the user of the phone. Therefore, the goal of marking near the edge must be tempered against the fact that some devices can be reconfigured for QoS by those outside the group responsible for QoS.

11.

What configuration command lists the classification details when configuring CB Marking? What configuration mode must you use to configure the command? What commands must you issue to place the configuration mode user into that mode?

Answer:

The match command defines the details of what must be matched to classify a packet. The command is a subcommand under the class-map global configuration command.

12.

What configuration command lists the marking details when configuring CB Marking? What configuration mode must you use to configure the command? What commands must you issue to place the configuration mode user into that mode?

Answer:

The set command defines what value to mark in the frame or packet header once a packet is classified. The command is a subcommand under the class command, which is a subcommand under the policy-map global configuration command.

13.

What configuration command enables CB Marking? What configuration mode must you use to configure the command? What commands must you issue to place the configuration mode user into that mode?

Answer:

The service-policy command enables CB Marking for either input or output packets on an interface. The command refers to the policy map, which in turn refers to the class maps. The command is a subcommand under the interface global configuration command.

14.

Describe how you can mark multiple DSCP values with a single class map. How many can you match with a single command?

Answer:

The match ip dscp command allows for up to 8 DSCP values to be listed, so a single command can match 8 values. If you want to match more in a single class map, you could use multiple match ip dscp commands, with the match-any option configured on the class-map command.
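The match-all/match-any behaviour behind question 6 and the 8-value limit of match ip dscp from question 14, as an added Python model that is not part of the book and not IOS code; the statement and class-map helpers are constructed here to mirror the MQC commands named in the answers.

```python
# Added example (not from the book): a small model of how an MQC class-map
# evaluates its match statements. Shows why the match-all class in Q6 matches
# nothing, and how Q14's 8-value limit on "match ip dscp" works.
from typing import Iterable

DSCP = {"ef": 46, "af31": 26, "af41": 34, "cs3": 24, "default": 0}

def match_ip_dscp(*values):
    """One 'match ip dscp' statement: the book states it accepts at most 8 values, ORed."""
    if not 1 <= len(values) <= 8:
        raise ValueError("match ip dscp takes 1 to 8 values")
    wanted = {DSCP[v] if isinstance(v, str) else v for v in values}
    return lambda pkt: pkt["dscp"] in wanted

def match_not(statement):
    """'match not ...': invert a statement (the idea behind Q20's 'match not access-group')."""
    return lambda pkt: not statement(pkt)

class ClassMap:
    """match-all (the default) ANDs the statements; match-any ORs them."""
    def __init__(self, name, *statements, match_any=False):
        self.name, self.statements, self.match_any = name, statements, match_any

    def matches(self, pkt):
        combine = any if self.match_any else all
        return combine(s(pkt) for s in self.statements)

def classify(cmap, dscps: Iterable[int]):
    """Return the DSCP values from dscps that the class map would classify."""
    return [d for d in dscps if cmap.matches({"dscp": d})]

# Q6 as written: two statements under the default match-all -> matches nothing,
# because no packet carries DSCP EF and DSCP AF31 at the same time.
fred = ClassMap("fred-match-all", match_ip_dscp("ef"), match_ip_dscp("af31"))
# The same intent expressed correctly: one statement listing both values...
fred_one_line = ClassMap("fred-one-statement", match_ip_dscp("ef", "af31"))
# ...or several statements under match-any (Q14, for more than 8 values).
fred_any = ClassMap("fred-match-any", match_ip_dscp("ef"), match_ip_dscp("af31"),
                    match_any=True)

if __name__ == "__main__":
    sample = [46, 26, 0, 34]  # constructed sample of DSCP values on arriving packets
    for c in (fred, fred_one_line, fred_any):
        print(c.name, classify(c, sample))
```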

15.

What configuration command lets you match RTP audio without also matching RTP video traffic?

Answer:

The match protocol rtp audio command.

16.

Describe the process by which NBAR can be updated to support new protocols, without upgrading IOS.

Answer:

Cisco builds Packet Descriptor Language Modules (PDLMs). These PDLMs define new protocols to NBAR. After downloading a PDLM from Cisco, placing it in Flash memory, and reloading the router, NBAR can identify the new protocols without requiring an updated IOS image.

17.

What CB Marking command implies that a policy map requires NBAR in order to match packets?

Answer:

The match protocol command means that the policy map will use NBAR for matching the packets.

18.

What command enables NBAR on an interface for incoming packets? For outgoing packets?

Answer:

The ip nbar protocol-discovery command enables NBAR for packets in each direction.

19.

Describe the reason why you might see multiple set commands inside a single service class in a policy map, and give one example.

Answer:

Multiple set commands mean that the CB Marking policy is marking more than one header field. That may be useful when later devices might look at different marked fields. For example, a router fastethernet interface might have a policy-map that marks DSCP EF in the IP header, while marking CoS 5 in the Ethernet 802.1p header.

20.

Imagine you are supposed to update a router configuration. The current configuration includes a class-map that refers to ACL 101, which has 23 ACL clauses (separate access-list commands). How could you easily create a new class map that matches the traffic denied by the ACL?

Answer:

You could create a class map, with a match not access-group 101 command in it. This command matches all packets not permitted by ACL 101; in other words, packets denied by the ACL.

21.

A router is configured to create a VPN tunnel. Explain the required steps you must take to cause a router to copy the ToS byte of the original packet into the ToS byte of the new IP header used to encapsulate the packet.

Answer:

No additional overt action is required; Cisco IOS automatically copies the ToS byte into the newly-created IP header.

22.

A router is configured to create a VPN tunnel, with unencrypted packets entering interface Fa0/0, and the encrypted packets going over a link to the Internet (S0/0). Assuming as many defaults as possible were taken, could a policy map for packets entering the router's Fa0/0 interface examine the packet headers as originally created by the end user device? Why?

Answer:

The packet will not have been processed by the VPN feature of the router yet, so all the original packet headers will be available for matching.

23.

A router is configured to create a VPN tunnel, with unencrypted packets entering interface Fa0/0, and the encrypted packets going over a link to the Internet (S0/0). Assuming as many defaults as possible were taken, could a policy map for packets exiting the router's S0/0 interface examine the packet headers as originally created by the end user device? Why or why not?

Answer:

The original packet headers will not be available for matching, because the router will have already encapsulated, and probably encrypted, those headers.

24.

A router is configured to create a VPN tunnel, with unencrypted packets entering interface Fa0/0, and the encrypted packets going over a link to the Internet (S0/0). Assuming the qos pre-classify command was configured correctly, could a policy map for packets entering the router's Fa0/0 interface examine the packet headers as originally created by the end user device? Why or why not?

Answer:

The packet headers will be available for matching, because the qos pre-classify command tells the router to keep a copy of the headers available for the purpose of performing QoS features.
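The behaviour described in questions 21 through 24, as an added Python model that is not part of the book and not Cisco code: a toy tunnel-mode encapsulation that copies the ToS byte into the new outer header, and a classifier that sees only that outer header at egress unless a retained copy of the original headers (the qos pre-classify idea) is handed to it. Addresses, ports and the stand-in ESP body are constructed sample data.

```python
# Added example (not from the book): a toy model of Q21-Q24. The VPN router wraps
# the original packet in a new IP header, copying the ToS byte; a policy map on the
# egress interface only sees that outer header unless pre-classification keeps the
# original headers available for matching.
import struct

TCP, ESP = 6, 50

def ipv4_header(tos, proto, src, dst, payload_len):
    """Build a minimal 20-byte IPv4 header (constructed; checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0, 0, 64,
                       proto, 0, bytes(src), bytes(dst))

def parse_ipv4(pkt):
    """Return the fields a classifier cares about: DSCP, protocol, TCP ports."""
    ver_ihl, tos, _, _, _, _, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    fields = {"dscp": tos >> 2, "proto": proto, "sport": None, "dport": None}
    if proto == TCP:  # TCP header follows the IP header; ports are its first 4 bytes
        fields["sport"], fields["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return fields

def tunnel_encapsulate(inner, tunnel_src, tunnel_dst):
    """Tunnel-mode encapsulation: new outer header with the ToS byte copied from the
    original packet (the automatic behaviour of Q9/Q21). The ESP body is a zeroed
    stand-in for ciphertext, so the inner headers are no longer readable."""
    tos = inner[1]
    esp_body = bytes(len(inner))  # placeholder for the encrypted inner packet
    return ipv4_header(tos, ESP, tunnel_src, tunnel_dst, len(esp_body)) + esp_body

def egress_classify(outer, pre_classified=None):
    """What a policy map on S0/0 can match: the outer header only, or the retained
    copy of the original headers when qos pre-classify is configured (Q24)."""
    return parse_ipv4(pre_classified if pre_classified is not None else outer)

def demo():
    tcp_hdr = struct.pack("!HH", 49152, 443) + bytes(16)  # constructed TCP header
    orig = ipv4_header(46 << 2, TCP, [10, 1, 1, 10], [10, 2, 2, 20], len(tcp_hdr)) + tcp_hdr
    outer = tunnel_encapsulate(orig, [192, 0, 2, 1], [198, 51, 100, 1])
    ingress = parse_ipv4(orig)                 # Q22: Fa0/0 input sees every header
    egress = egress_classify(outer)            # Q23: S0/0 output sees ESP + copied ToS
    egress_pre = egress_classify(outer, orig)  # Q24: with qos pre-classify
    return ingress, egress, egress_pre

if __name__ == "__main__":
    for label, fields in zip(("ingress", "egress", "egress+pre-classify"), demo()):
        print(label, fields)
```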

25.

Name the three configuration areas in which you might use the qos pre-classify command in order to enable pre-classification.

Answer:

Under a tunnel interface, under a crypto map, and under a virtual-template interface.
