09-26-2005 11:21 AM - edited 02-21-2020 12:25 AM
Hi,
Could someone please post a location for some good examples on how to configure a site-to-site vpn using IOS routers, that provides for QoS / prioritization for Voice traffic. I have seen some in the past, but I am curious if new enhancements have been made in this area. We have 15-20 remote sites that I would like to look at deploying voice over my vpns. We have been running our vpn network for 2 to 3 years now and it works very well. We have deployed IPSEC protected GRE tunnels with EIGRP dynamic routing with ISDN failover. I am not sure what type of QoS I need to look at. Shaping vs Queueing etc? I know there has to be many companies that are deploying voice over vpns, and would like to get some feedback/pitfalls that people have experienced. Thank you.
09-26-2005 11:02 PM
Hi,
From my personal exp, voice traffic has to be taken care of with utmost priority, followed by other business-oriented applications like SAP, Oracle, JDE etc., then comes your mailing, FTP traffic between your locations.
And again your internet browsing traffic, which might come to the central site and go to the outside world if it's a hub-and-spoke kind of setup.
If you take an example of the following traffic pattern in your network, I would suggest taking a look, which can give you some clarity on how to go about the QoS configs.
1. VOIP: place your voice in LLQ (strict priority).
2. SAP or Oracle or JDE can be put in CBWFQ with guaranteed B/W. Allocate the b/w accordingly based on the b/w available in your links.
3. For mailing and FTP you can again give some minimum level of b/w guarantee; you can again put them in CBWFQ.
4. For internet you can still put them under CBWFQ, or else you can classify them as the default class, which will use the remaining b/w in your links (meaning the remaining available b/w in your link after being allotted to the active classes).
Again, for configuring QoS with GRE or IPSEC you should make sure that your boxes support the following command, without which your configs won't take effect.
CLI : qos pre-classify
This has to be keyed in under the interface tunnel config and also under the crypto map.
I don't think that you can check out the same policy in the ISDN backups too, because the available b/w will be less in the case of the ISDN.
Also check what kind of VoIP equipment you are using out there?
What kind of L2 switches and also the type of routers to get your nodes connected...
Shaping basically uses the buffer and avoids unnecessary dropping of the traffic.
It stores them up in buffers when the link is heavily choked or used up to its capacity and passes or transmits them once it's free to pass them on.
Again, in queueing you have got to have both s/w and h/w queues, in which you can configure the s/w queues; it is not desirable to change the h/w queues.
In queueing again you can configure different queue sizes and different kinds of priorities.
Based on the traffic pattern available and the design plan you can make use of different queues.
regds
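As an added example (not from any post in this thread), this is what the four-class plan above looks like as an IOS configuration for the original poster's design: a GRE tunnel protected by a crypto map on the physical WAN interface, with qos pre-classify under both the tunnel and the crypto map. Matching on DSCP ef would still work on the outer ESP header because IPsec copies the ToS byte, but pre-classify is what lets the access-list and NBAR classes see the inner headers after encryption. The interface names, the 1544 kbit/s link, the 203.0.113.x endpoints, the percentages and the SAP/Oracle port numbers are assumptions to adjust to your own network.

```ios
! Added example, not from any post in this thread.
! Assumed: Serial0/0 is the 1544 kbit/s WAN link, 203.0.113.x are the
! tunnel endpoints, and the SAP/Oracle ports are the usual defaults.
class-map match-all VOICE
 match ip dscp ef
class-map match-any BUSINESS-APPS
 match access-group name BUSINESS-APPS-ACL
class-map match-any MAIL-FTP
 match protocol smtp
 match protocol ftp
!
ip access-list extended BUSINESS-APPS-ACL
 remark assumed application ports: SAP dialog 3200-3299, Oracle 1521
 permit tcp any any range 3200 3299
 permit tcp any any eq 1521
!
! 1: voice in the strict-priority LLQ, 2 and 3: CBWFQ guarantees,
! 4: everything else shares what is left in class-default
policy-map WAN-QOS
 class VOICE
  priority percent 25
 class BUSINESS-APPS
  bandwidth percent 30
 class MAIL-FTP
  bandwidth percent 15
 class class-default
  fair-queue
!
! isakmp policy and pre-shared key omitted (see the sample config later in the thread)
crypto ipsec transform-set TS esp-3des esp-sha-hmac
 mode transport
ip access-list extended GRE-TO-HUB
 permit gre host 203.0.113.2 host 203.0.113.1
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address GRE-TO-HUB
 qos pre-classify
!
interface Tunnel0
 ip address 192.168.100.2 255.255.255.252
 qos pre-classify
 tunnel source Serial0/0
 tunnel destination 203.0.113.1
!
interface Serial0/0
 bandwidth 1544
 ip address 203.0.113.2 255.255.255.252
 crypto map VPN
 service-policy output WAN-QOS
```

Verify the classification with show policy-map interface Serial0/0 while test traffic runs: if only class-default counts packets, pre-classify is missing on one of the two places.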
11-08-2005 05:14 AM
We are using the Dynamic Multipoint VPN solution that Cisco offers. Here is a sample config from one of our Cisco 831 routers with the pre-classify qos command.
!
class-map match-all VOICE
match ip dscp ef
class-map match-any CALL-SETUP
match ip dscp af31
match ip dscp cs3
!
!
policy-map 11q-branch
class CALL-SETUP
bandwidth percent 2
class VOICE
priority 128
class class-default
fair-queue
random-detect
policy-map shaper
class class-default
shape average 512000
service-policy 11q-branch
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
crypto isakmp key ******** address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set vpnremote-transform-set esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile vpnremote-profile
set transform-set vpnremote-transform-set
!
!
!
!
interface Tunnel0
bandwidth 1000
ip address 192.168.101.2 255.255.255.0
no ip redirects
ip mtu 1416
ip nhrp authentication *******
ip nhrp map multicast dynamic
ip nhrp map 192.168.101.253 66.234.234.234
ip nhrp map multicast 64.234.234.234
ip nhrp network-id 100000
ip nhrp holdtime 300
ip nhrp nhs 192.168.101.253
ip nhrp registration no-unique
no ip route-cache cef
ip route-cache flow
no ip mroute-cache
delay 1000
qos pre-classify
tunnel source Ethernet1
tunnel mode gre multipoint
tunnel key ********
tunnel protection ipsec profile vpnremote-profile
interface Ethernet0
description Inside Remote Office Interface
ip address 192.168.10.17 255.255.255.240
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 542
no cdp enable
hold-queue 100 out
!
interface Ethernet1
description Public Remote Office Interface
ip address dhcp client-id Ethernet1
ip access-group 105 in
no ip proxy-arp
ip nat outside
ip inspect remote-cbac out
ip virtual-reassembly
service-policy output shaper
no ip route-cache cef
ip route-cache flow
ip tcp adjust-mss 542
duplex auto
no cdp enable
!
router eigrp 100
network 192.168.10.16 0.0.0.15
network 192.168.101.0
no auto-summary
11-10-2005 07:52 AM
Hi,
From your configs I see that you're doing nesting of policies, and I did refer to some of the links related to QoS with DMVPN, which prove to be good enough to be deployed.
Have you gone through this link earlier? If not, do go through the same:
http://www.cisco.com/warp/public/707/dmvpn-qos.html
Also revert whether you have got any issues with this config in your boxes?
regds
11-22-2005 06:17 AM
Yes, I followed the links regarding dmvpn and qos. But we found that the nested QoS works better as a template for most of our broadband users. We are coming across one issue with the config regarding download speed. PCs behind the 831 are seeing a drop in download speed (- 500k) versus running the PC directly into the broadband modem.
11-30-2005 09:14 AM
"ip tcp adjust-mss 542" is the culprit of your speed issues.
I ran into this same issue almost 6 months ago. The whole issue that I have is that there are multiple documents on Cisco's site that all give examples of how to deploy Teleworkers differently. Networkers 2004 QoS / Teleworker documentation states that setting the ip tcp adjust-mss 542 is mandatory for good voice quality. Newer DMVPN documentation shows configs without these. I have also seen a config floating around that was supposed to be from Cisco employee deployed routers that have completely different configs. There is no consistency.
I myself have been fighting the Teleworker battle now for about 1 1/2 years. What I would pay for consistent documentation from Cisco on this matter.
Matt
03-03-2006 03:00 PM
More likely the cause of speed issue is the "IP INSPECT