VOIP QoS VPN examples

bdedek
Level 1

Hi,

Could someone please post a location for some good examples on how to configure a site-to-site vpn using IOS routers, that provides for QoS / prioritization for Voice traffic. I have seen some in the past, but I am curious if new enhancements have been made in this area. We have 15-20 remote sites that I would like to look at deploying voice over my vpns. We have been running our vpn network for 2 to 3 years now and it works very well. We have deployed IPSEC protected GRE tunnels with EIGRP dynamic routing with ISDN failover. I am not sure what type of QoS I need to look at. Shaping vs Queueing etc? I know there has to be many companies that are deploying voice over vpns, and would like to get some feedback/pitfalls that people have experienced. Thank you.

6 Replies

spremkumar
Level 9

Hi,

From my personal experience, voice traffic has to be taken care of with the utmost priority, followed by other business-oriented applications like SAP, Oracle, JDE etc.; then comes your mail and FTP traffic between your locations.

And then your internet browsing traffic, which might come to the central site and go out to the outside world if it's a hub-and-spoke kind of setup.

If you take the following traffic pattern as an example for your network, I would suggest taking a look at it, as it can give you some clarity on how to go about the QoS configs.

1. VoIP: place your voice in LLQ (strict priority).

2. SAP, Oracle or JDE can be put in CBWFQ with guaranteed bandwidth. Allocate the bandwidth accordingly, based on the bandwidth available on your links.

3. For mail and FTP you can again give some minimum level of bandwidth guarantee; you can again put them in CBWFQ.

4. For internet you can still put it under CBWFQ, or else you can classify it as the default class, which will use the remaining bandwidth on your links (meaning the bandwidth remaining on your link after allocation to the active classes).

Again, for configuring QoS with GRE or IPsec you should make sure that your boxes support the following command, without which your configs won't take effect.

CLI : qos pre-classify

This has to be keyed in under the interface tunnel config and also under the crypto map.

I don't think that you can check out the same policy on the ISDN backups too, because the available bandwidth will be less in the case of ISDN.

Also check what kind of VoIP equipment you are using out there?

What kind of L2 switches, and also the type of routers, to get your nodes connected...

Shaping basically uses the buffer and avoids unnecessary dropping of traffic.

It stores packets in buffers when the link is heavily choked or used up to its capacity, and passes or transmits them once it's free to pass them on.

Again, in queueing you have both software and hardware queues; you can configure the software queues, and it is not desirable to change the hardware queues.

In queueing again you can configure different queue sizes and different kinds of priorities.

Based on the traffic pattern available and the design plan, you can make use of different queues.

Regards

tommalley
Level 1

We are using the Dynamic Multipoint VPN solution that Cisco offers. Here is a sample config from one of our Cisco 831 routers with the pre-classify qos command.

!
class-map match-all VOICE
 match ip dscp ef
class-map match-any CALL-SETUP
 match ip dscp af31
 match ip dscp cs3
!
!
policy-map 11q-branch
 class CALL-SETUP
  bandwidth percent 2
 class VOICE
  priority 128
 class class-default
  fair-queue
  random-detect
policy-map shaper
 class class-default
  shape average 512000
  service-policy 11q-branch
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key ******** address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set vpnremote-transform-set esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile vpnremote-profile
 set transform-set vpnremote-transform-set
!
!
!
!
interface Tunnel0
 bandwidth 1000
 ip address 192.168.101.2 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip nhrp authentication *******
 ip nhrp map multicast dynamic
 ip nhrp map 192.168.101.253 66.234.234.234
 ip nhrp map multicast 64.234.234.234
 ip nhrp network-id 100000
 ip nhrp holdtime 300
 ip nhrp nhs 192.168.101.253
 ip nhrp registration no-unique
 no ip route-cache cef
 ip route-cache flow
 no ip mroute-cache
 delay 1000
 qos pre-classify
 tunnel source Ethernet1
 tunnel mode gre multipoint
 tunnel key ********
 tunnel protection ipsec profile vpnremote-profile
interface Ethernet0
 description Inside Remote Office Interface
 ip address 192.168.10.17 255.255.255.240
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 542
 no cdp enable
 hold-queue 100 out
!
interface Ethernet1
 description Public Remote Office Interface
 ip address dhcp client-id Ethernet1
 ip access-group 105 in
 no ip proxy-arp
 ip nat outside
 ip inspect remote-cbac out
 ip virtual-reassembly
 service-policy output shaper
 no ip route-cache cef
 ip route-cache flow
 ip tcp adjust-mss 542
 duplex auto
 no cdp enable
!
router eigrp 100
 network 192.168.10.16 0.0.0.15
 network 192.168.101.0
 no auto-summary

Hi,

From your configs I see that you're nesting policies, and I did refer to some of the links related to QoS with DMVPN, which prove to be good enough to be deployed.

Have you gone through this link earlier? If not, do go through it.

http://www.cisco.com/warp/public/707/dmvpn-qos.html

Also revert whether you have had any issues with this config on your boxes?

Regards

Yes, I followed the links regarding dmvpn and qos. But we found that the nested QoS works better as a template for most of our broadband users. We are coming across one issue with the config regarding download speed. PCs behind the 831 are seeing a drop in download speed (- 500k) versus running the PC directly into the broadband modem.

"ip tcp adjust-mss 542" is the culprit of your speed issues.

I ran into this same issue almost 6 months ago. The whole issue that I have is that there are multiple documents on Cisco's site that all give examples of how to deploy Teleworkers differently. Networkers 2004 QoS / Teleworker documentation states that setting the ip tcp adjust-mss 542 is mandatory for good voice quality. Newer DMVPN documentation shows configs without these. I have also seen a config floating around that was supposed to be from Cisco employee deployed routers that have completely different configs. There is no consistency.

I myself have been fighting the Teleworker battle for about 1 1/2 years now. What I would pay for consistent documentation from Cisco on this matter.

Matt
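
The size arithmetic behind the adjust-mss 542 discussion, as an added example that is not from any poster or from Cisco: it computes the encrypted size of a packet for the transform set in the 831 config earlier in the thread (esp-3des esp-sha-hmac, transport mode, GRE with a tunnel key) and the time that packet occupies the 512 kbps shaper. Assumptions: no NAT-T encapsulation, no TCP options, layer-2 overhead ignored, the policy on Ethernet1 counting post-encryption IP bytes, and the G.729/G.711 payload sizes, which the thread does not mention.

```python
# Added example: per-packet overhead for the 831 DMVPN config in this thread.
# Header sizes below are for esp-3des esp-sha-hmac in transport mode over
# GRE with a tunnel key. Assumed: no NAT-T, no TCP options, no layer-2 bytes.
OUTER_IP = 20     # outer IPv4 header (transport mode reuses the GRE one)
ESP_HDR = 8       # SPI + sequence number
ESP_IV = 8        # 3DES-CBC initialisation vector
ESP_BLOCK = 8     # 3DES block size; encrypted data is padded to a multiple
ESP_TRAILER = 2   # pad-length and next-header bytes
ESP_ICV = 12      # HMAC-SHA1-96 integrity check value
GRE_HDR = 8       # 4-byte GRE header + 4-byte key ("tunnel key")
TCP_IP_HDR = 40   # inner IPv4 + TCP headers
RTP_IP_HDR = 40   # inner IPv4 + UDP + RTP headers


def encrypted_size(inner_ip_len):
    """IP-layer size of an inner packet after GRE and ESP encapsulation."""
    clear = GRE_HDR + inner_ip_len + ESP_TRAILER
    padded = -(-clear // ESP_BLOCK) * ESP_BLOCK  # round up to block size
    return OUTER_IP + ESP_HDR + ESP_IV + padded + ESP_ICV


def tcp_profile(mss, shape_bps):
    """Size, payload efficiency and serialization time of a full segment."""
    wire = encrypted_size(mss + TCP_IP_HDR)
    return {
        "wire_bytes": wire,
        "efficiency": round(mss / wire, 4),
        "serialization_ms": wire * 8 * 1000 / shape_bps,
    }


def calls_in_priority(rtp_payload, pps, priority_kbps):
    """Whole calls that fit in the LLQ, one direction, post-encryption."""
    per_call_bps = encrypted_size(rtp_payload + RTP_IP_HDR) * 8 * pps
    return priority_kbps * 1000 // per_call_bps


if __name__ == "__main__":
    shape = 512000                        # "shape average 512000"
    for mss in (542, 1416 - TCP_IP_HDR):  # adjust-mss 542 vs. ip mtu 1416
        print(mss, tcp_profile(mss, shape))
    # Codec payloads are assumptions (20 ms packets, 50 packets/s).
    print("G.729 calls in 'priority 128':", calls_in_priority(20, 50, 128))
    print("G.711 calls in 'priority 128':", calls_in_priority(160, 50, 128))
```

Under these assumptions a full segment at MSS 542 is 640 bytes on the wire and holds the shaped link for 10 ms, while a segment at the 1376-byte MSS that ip mtu 1416 would allow is 1480 bytes and 23.125 ms, with payload efficiency rising from about 85% to about 93%.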

More likely the cause of speed issue is the "IP INSPECT HTTP" command. Remove it and your download problems will vanish!
