But they didn’t teach me that in WOBC! – Comments in configs

There are a few things in WIN-T that are not explained in school. You either find yourself figuring it out or being told by another Warrant. This article focuses specifically on PM-provided configurations and using QoS.

How many of you have noticed that there are configurations available for all your equipment in TXT format? How many of you use them to blow in configurations when replacing gear from your spares? How many of you have read all the comments?

I spent a few years as a Team Lead for the FORSCOM Mission Command Assessment Team and had the privilege of serving as a Guest OC/T at both NTC and JRTC. During my encounters with my fellow Warrants, I spent time going over configurations of the routers, switches and ASAs of both enclaves and discovered that many did not know how to configure QoS, how our system policy routes, how the PEP functions, and what OSPF cost to use when switching between transmission mediums.

Here are some comments (i.e. not blown in from a copy/paste operation) from a JNN NT2R configuration document:

! AAA authentication and authorization must be configured for SCP to work
! tacacs-server host <ip address>
! crypto key generate rsa -- use 1024 and not default of 512
!Apply service policy input to Management Vlan 322 and Vlan 333
!Apply service policy input to Voice Vlan 358
! Apply NIPRSerial service policy output to all serial links
! Adjust the above line for the link type--LOS=100--TRC170=200--TRC85/93=400--FDMA=1000--Smart-t=1025--TDMA=1050
! Adjust the above line to the actual link bandwidth in kbs

You can see what information is given here. Some of the comments tell you how to connect to the hub TACACS server (or, if you're lucky, your own). One you're all familiar with covers generating crypto keys. The others tell you which interface to apply a QoS policy to, and my favorite, the last, tells you to set the actual bandwidth on the serial interface (FDMA modem bandwidth, HCLOS bandwidth, etc.) as well as, as mentioned in a previous article, what OSPF cost to use on the link.

More examples are found in the ST2R configuration but my favorite is the access lists:

!WAN Side access list used to identify TCP traffic destined for local LAN
ip access-list extended wan_side_ACCEL
 remark vlan 322
 remark permit tcp any <VLAN 322_Network_Address_and_Inverse_Subnet_Mask>
 permit tcp any 22.XXX.19.128 0.0.0.63
 remark vlan 324
 remark permit tcp any <VLAN 324_Network_Address_and_Inverse_Subnet_Mask>
 permit tcp any 22.XXX.19.120 0.0.0.7
 remark vlan 333
 remark permit tcp any <VLAN 333_Network_Address_and_Inverse_Subnet_Mask>
 permit tcp any 22.XXX.19.96 0.0.0.15
 remark vlan 358
 remark permit tcp any <VLAN 358_Network_Address_and_Inverse_Subnet_Mask>
 permit tcp any 22.XXX.17.0 0.0.0.127
 remark vlan 59
 remark permit tcp any <VLAN 59_Network_Address_and_Inverse_Subnet_Mask>
 permit tcp any 22.XXX.16.0 0.0.0.255
 remark permit tcp any <DCGS_Network_Address_and_Inverse_Subnet_Mask>
 permit tcp any 22.XXX.19.64 0.0.0.31
 remark permit tcp any <BCCS_Network_Address_and_Inverse_Subnet_Mask>
 permit tcp any 22.XXX.20.64 0.0.0.63
 remark vlan 70
 remark permit tcp any <VLAN 70_Network_Address_and_Inverse_Subnet_Mask>
 remark vlan 71
 remark permit tcp any <VLAN 71_Network_Address_and_Inverse_Subnet_Mask>
 remark vlan 73
 remark permit tcp any <VLAN 73_Network_Address_and_Inverse_Subnet_Mask>

You notice that there is nothing entered for VLANs 70, 71, and 73. That is for the Net Tech to do. There's more in the access lists for QoS, and there are more ways to skin a cat.

In the TXT document for the QoS categories, they instruct you to configure by IP of the host or network; know that this is all blank from the get-go! You have to fill this in for it to work at all:

ip access-list extended CPOFData
 remark This access list allows CPOF hosts to have I Low Latency Data precedence
 remark permit ip any host <Host IP addr>
 remark permit ip host <Host IP addr> any
 remark permit ip <server range><inverse mask> any
 remark permit ip any <server range><inverse mask>
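The wan_side_ACCEL and CPOFData lists above share the same trap: the template is mostly remarks, and an ACL with no active entries matches nothing, so any class map built on it silently does nothing. As an added illustration (not from the PM configs or this article), here is a small Python check that walks a PM-style TXT config and reports, per named ACL, the remark lines still carrying <...> placeholders, lists with no active entries, and repeated entries. The config text is a constructed sample modelled on the snippets above.

```python
import re
from typing import Dict

# Constructed sample in the style of a PM-provided TXT config (not a real unit's config).
SAMPLE_CONFIG = """\
!Apply service policy input to Voice Vlan 358
ip access-list extended wan_side_ACCEL
 remark vlan 322
 remark permit tcp any <VLAN 322_Network_Address_and_Inverse_Subnet_Mask>
 permit tcp any 22.XXX.19.128 0.0.0.63
 remark vlan 70
 remark permit tcp any <VLAN 70_Network_Address_and_Inverse_Subnet_Mask>
ip access-list extended CPOFData
 remark permit ip any host <Host IP addr>
 remark permit ip host <Host IP addr> any
ip access-list extended Streaming-FO
 permit tcp any any eq 3784
 permit udp any any eq 3784
 permit udp any any eq 3784
"""

PLACEHOLDER = re.compile(r"<[^>]+>")   # angle-bracket fields the PM left for the Net Tech


def audit_acls(config: str) -> Dict[str, dict]:
    """Report, per named ACL: active entries, placeholder remarks, duplicates, emptiness."""
    report: Dict[str, dict] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue                                  # '!' lines are comments, not config
        m = re.match(r"ip access-list (?:extended|standard) (\S+)", line)
        if m:
            current = m.group(1)
            report[current] = {"entries": 0, "placeholders": [], "duplicates": [], "seen": set()}
            continue
        if current is None:
            continue                                  # not inside an ACL block
        acl = report[current]
        if line.startswith("remark"):
            if PLACEHOLDER.search(line):
                acl["placeholders"].append(line)      # template line still to be filled in
            continue
        if line in acl["seen"]:
            acl["duplicates"].append(line)            # repeated ACE adds nothing; usually a typo
            continue
        acl["seen"].add(line)
        acl["entries"] += 1
    for acl in report.values():
        acl["empty"] = acl["entries"] == 0            # matches nothing: the QoS class is a no-op
        del acl["seen"]
    return report
```

Run it over the real TXT before blowing it in: any ACL flagged empty or with placeholders is one the PM expects you to finish.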

You can get more granular, since you know that one box can be using several protocols that require different treatment. CPoF co-motion ports, mIRC, web browsing and Ventrilo are great examples, and besides, you may be running Ventrilo on several machines and want to be able to add it to any box without changing the QoS configuration in the router each time...

When you get the itch to tweak your QoS so you don't have to turn off NIPR during a CUB (my personal pet peeve), try this instead of using IPs:

ip access-list extended CPOFData
 permit tcp any any eq 2261
 permit tcp any any eq 2262
 permit udp any any eq 2261
 permit udp any any eq 2262

! For Ventrilo
ip access-list extended Streaming-FO
 remark This access list allows certain hosts to have FO Streaming precedence
 permit tcp any any eq 3784
 permit udp any any eq 3784

Figure out what ports and protocols your systems are using, and ask your local FSR for a copy of the current WIN-T QoS configuration guide for your lot of WIN-T. Here's a hint: go into the contexts of your ASA and print out the configurations. They show all the allowed ports.

The only router I found that did not need configurations was the AES router in the STT unless we needed to adjust the bandwidth statement on the tunnel interface due to a smaller TDMA mesh (less than 5 Msps), but I can write more about QoS, shaping and NetFlow in another submission to the Signal Chief.

Thanks to CW3 James Hilyard for the default router configuration examples. What I had was a few years old.
