QoS Tagging SG220-26P Small Business Switch

Martijn de Loos
Level 1

Hi,

I have been struggling with an issue for the past 2 days and can't figure out what is going on.

We are using VoIP phones with an on-premise PBX. Our core switch connected to our Cisco ASA firewall is a Cisco Small Business SG220-26P switch. We have three VLANs: 210, 212 and 216. 216 is our Voice VLAN. In the GUI of the switch VLAN 216 has been configured as voice vlan with CoS 5 and DSCP 46. Outbound packets receive their appropriate tagging when we do a sniff with Wireshark.

However, inbound VoIP traffic coming from the internet, through the ASA, going back to the PBX is not tagged. All we see is CoS 0 or Best Effort. The ASA itself is, if I remember correctly, not capable of QoS tagging. So what I did on the ASA is create a policy map that gives priority to all traffic over ports TCP/5060, TCP/5061 and UDP/10000-20000, which are all used for SIP phone traffic.

I then created an ACL/ACE on the SG220 switch for those same SIP ports, bound it to a policy map and applied that policy map against the trunk switchport connected to the ASA. On the switch, the action for matching traffic is "Set Queue to value 4". When I look at the QoS>>Queue to CoS and QoS>>Queue to DSCP, Queue value 4 translates to CoS 5 and DSCP 46. However, inbound matching traffic coming from the ASA is still not tagged by the switch and I have no clue why. I need some guidance on this. Here's my full switch config.
FYI: switchport 22 is connected to the PBX and it is being mirrored to switchport 13 so we can sniff the packets with Wireshark.

Switch
v1.1.2.1
CLI v1.0
@
!
!
!
hostname "CoreSW"
management vlan ip-address 192.168.210.254 mask 255.255.255.0
no management vlan ip dhcp client
ip default-gateway 192.168.210.1
ip domain name aboutstaffing.local
clock timezone DFL -7 minutes 0
username ***
username ***
!
!

vlan 210
name "DataLAN"
vlan 212
name "TenantsLAN"
vlan 216
name "VOIP"
voice vlan id 216
voice vlan oui-table add 00:E0:BB 3COM
voice vlan oui-table add 00:03:6B Cisco
voice vlan oui-table add 00:E0:75 Veritel
voice vlan oui-table add 00:D0:1E Pingtel
voice vlan oui-table add 00:01:E3 Siemens
voice vlan oui-table add 00:60:B9 NEC/Philips
voice vlan oui-table add 00:0F:E2 H3C
voice vlan oui-table add 00:09:6E Avaya
management-vlan vlan 210
!
!
!
!
spanning-tree mst configuration
name "B0:7D:47:32:3C:2D"
!
!
!
!
!
!
snmp-server location "Office"
snmp-server contact "Admin"
!
!
!
ip ssh server
ip access-list extended "VOIP"
sequence 1 permit tcp any any any 5060
sequence 2 permit udp any any any 5060
sequence 3 permit udp any any any 10000-20000
sequence 4 permit tcp any any any 5061
sequence 5 permit udp any any any 5061
qos advanced
priority-queue out num-of-queues 6
qos map cos-queue 0 to 1
qos map cos-queue 2 to 2
qos map cos-queue 3 4 to 3
qos map cos-queue 6 7 to 4
qos map dscp-queue 8 9 10 11 12 13 14 15 to 1
qos map dscp-queue 16 17 18 19 20 21 22 23 to 2
qos map dscp-queue 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 to 3
qos map dscp-queue 40 41 42 43 44 45 47 to 4
qos map queue-dscp 4 to 46
class-map "VOIP" match-any
match access-group "VOIP"
policy-map "VOIP Policy"
class "VOIP"
set queue 4
!
!
!
!
management access-list SSH
sequence 1 permit service ssh
management access-list Telnet
sequence 2 permit service telnet
!
interface gi1
switchport trunk native vlan 212
switchport trunk allowed vlan add 216
!
interface gi2
switchport trunk native vlan 212
switchport trunk allowed vlan add 216
!
interface gi3
switchport trunk native vlan 212
switchport trunk allowed vlan add 216
!
interface gi4
switchport trunk native vlan 212
switchport trunk allowed vlan add 216
!
interface gi5
switchport trunk native vlan 210
switchport trunk allowed vlan add 216
!
interface gi6
switchport trunk native vlan 210
switchport trunk allowed vlan add 216
!
interface gi7
switchport trunk native vlan 210
switchport trunk allowed vlan add 216
!
interface gi8
switchport trunk native vlan 210
switchport trunk allowed vlan add 216
!
interface gi9
switchport trunk native vlan 210
switchport trunk allowed vlan add 216
!
interface gi10
switchport trunk native vlan 210
switchport trunk allowed vlan add 216
!
interface gi11
switchport trunk native vlan 210
switchport trunk allowed vlan add 216
!
interface gi12
switchport trunk native vlan 210
switchport trunk allowed vlan add 216
!
interface gi13
switchport trunk native vlan 210
switchport trunk allowed vlan add 216
!
interface gi14
switchport trunk native vlan 210
switchport trunk allowed vlan add 216
!
interface gi15
switchport trunk native vlan 210
switchport trunk allowed vlan add 216
!
interface gi16
switchport trunk native vlan 210
switchport trunk allowed vlan add 216
!
interface gi17
switchport trunk native vlan 210
switchport trunk allowed vlan add 216
!
interface gi18
switchport trunk native vlan 210
switchport trunk allowed vlan add 216
!
interface gi19
switchport trunk native vlan 210
switchport trunk allowed vlan add 216
!
interface gi20
switchport trunk native vlan 210
switchport trunk allowed vlan add 216
!
interface gi21
switchport trunk native vlan 210
switchport trunk allowed vlan add 216
!
interface gi22
switchport mode access
switchport access vlan 216
!
interface gi23
switchport trunk native vlan 210
switchport trunk allowed vlan add 212,216
!
interface gi24
service-policy input VOIP Policy
switchport trunk allowed vlan add 210,212,216
!
interface gi25
!
interface gi26
!
monitor session 1 source interfaces gi22 rx
monitor session 1 source interfaces gi22 tx
monitor session 1 destination interface gi13
!
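
A way to check the markings described above directly from raw captured frames, added here as an example and not part of the original post: it reads the 802.1Q priority (CoS) and the IPv4 DSCP field and reports deviations from CoS 5 / DSCP 46. The sample frames, MAC addresses and 192.168.216.x addresses are constructed; VLAN 216, CoS 5 and DSCP 46 are the values from the post.

```python
import struct

def qos_markings(frame: bytes) -> dict:
    """Extract VLAN ID, 802.1p CoS (PCP) and DSCP from one Ethernet/IPv4 frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset, vlan, cos = 14, None, None
    if ethertype == 0x8100:                      # 802.1Q tag present
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        cos, vlan, offset = tci >> 13, tci & 0x0FFF, 18   # PCP = top 3 bits of TCI
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    if len(frame) < offset + 20:
        raise ValueError("truncated IPv4 header")
    tos = frame[offset + 1]                      # DSCP = top 6 bits, ECN = low 2
    return {"vlan": vlan, "cos": cos, "dscp": tos >> 2, "ecn": tos & 0x03}

def marking_problems(frame: bytes, want_cos: int = 5, want_dscp: int = 46) -> list:
    """List every way a frame deviates from the expected voice markings."""
    m, problems = qos_markings(frame), []
    if m["cos"] is None:
        problems.append("untagged frame: no 802.1Q header, so no CoS field exists")
    elif m["cos"] != want_cos:
        problems.append(f"CoS is {m['cos']}, expected {want_cos}")
    if m["dscp"] != want_dscp:
        problems.append(f"DSCP is {m['dscp']}, expected {want_dscp}")
    return problems

def build_frame(dscp: int, vlan=None, cos: int = 0) -> bytes:
    """Constructed sample: Ethernet + IPv4 + UDP headers with made-up addresses."""
    macs = bytes.fromhex("02000000000102000000000a")
    tag = b"" if vlan is None else struct.pack("!HH", 0x8100, (cos << 13) | vlan)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 28, 0, 0, 64, 17, 0,
                     bytes([192, 168, 216, 10]), bytes([192, 168, 216, 20]))
    udp = struct.pack("!HHHH", 10000, 10002, 8, 0)
    return macs + tag + struct.pack("!H", 0x0800) + ip + udp

SAMPLES = {  # constructed frames, not taken from the poster's capture
    "tagged, CoS 5 / DSCP 46": build_frame(46, vlan=216, cos=5),
    "tagged, best effort": build_frame(0, vlan=216, cos=0),
    "untagged, DSCP 46": build_frame(46),
}

if __name__ == "__main__":
    for label, frame in SAMPLES.items():
        print(label, qos_markings(frame), marking_problems(frame) or "ok")
```

A frame that leaves an access port carries no 802.1Q tag, so only its DSCP can be inspected there; capture adapters may also strip the tag before the capture tool sees it.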

4 Replies

Dennis Mink
VIP Alumni

Martijn,

Why do you require a LAN policy map on these SIP and RTP ports? You mention there are no relevant CoS settings on inbound voice related traffic coming from the internet; setting that straight on your ASA and switch seems somewhat trivial.

Thanks

Please remember to rate useful posts, by clicking on the stars below.

Hi Dennis,

VoIP is not really my thing and I am still somewhat new to it.
The issue is that the office has only a 10MBit up and down link and it happened often in the past that one of the users was downloading a large file and phone users were experiencing garbled phone calls. So I have been given the task to solve that. If you say that what I am doing is trivial, could you then advise me on how to do this differently? How can I apply QoS on inbound traffic especially for the VoIP VLAN?
Would the ACL policy on the ASA be enough? That policy is giving priority to all SIP traffic from any source to any destination.

Thanks.

Martijn, 

So the thing you have to remember is that you have a 10Mbit voice link. I am assuming your LAN has Fast Ethernet at least end to end, so the 10Mbit link that you have connected to your ASA will always be the bottleneck or at least will show contention first.

Depending on if you use video calls across your link, reserve around .5mbps per video enabled call and 80kbps for a voice only call using G.711, so if you allow 10 calls simultaneously, reserve 800kbps priority traffic.

So if I were you, only worry about what leaves your ASA and onto the WAN, police that, so mark your traffic from the LAN into the ASA and police on the egress ASA if.

Please rate if helpful

What would be the best way to do this?