VOIP switchport config best practices

jeremy.garman
Level 1

Hi there. I've got a Cisco infrastructure, but a non-Cisco VOIP platform (Mitel 3300). I've been experiencing some call quality issues lately, so I was reviewing port configs on the access switches at three of my corporate sites. These switchport configs were set up before I joined the company, and seem to have been set up by different people at different times and with different intentions (i.e. wildly varying config).

The access switches at each site tend to be Catalyst 3750 POE, but the switchport config can vary:

e.g. Site A:

interface FastEthernet1/0/10
 description typical VOIP switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 111
 switchport mode trunk
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape  10  0  0  0
 mls qos trust cos
 auto qos voip trust
 spanning-tree portfast trunk
end

e.g. Site B:

interface FastEthernet3/0/10
 description typical VOIP switchport
 switchport access vlan 122
 switchport mode access
 switchport voice vlan 120
 spanning-tree portfast
end

e.g. Site C:

interface GigabitEthernet1/0/10
 description typical VOIP switchport
 switchport mode access
 switchport port-security maximum 5
 switchport port-security
 switchport port-security violation restrict
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 mls qos trust cos
 macro description USERS
 auto qos trust
 storm-control broadcast level 70.00
 spanning-tree portfast
end

Most of the end user work areas have a single LAN drop, and we connect the Mitel VOIP phone to that, and connect the user's PC/laptop to the phone's PC port.  Also, between all corporate sites, there is a 50 Mbps TLS service, provided by our ISP/telco, and we have a separate Mitel 330 VOIP switch at each site.

What is the best config, given my requirements and above, for my Cat 3750 POE switchports in order to best concurrently support data and VOIP traffic?  Are any of the above examples good enough?

Thanks so much in advance,

- Jeremy

Accepted Solutions

Collin Clark
VIP Alumni

Hi Jeremy,

Site A config is set up to trunk and has QoS configured. Site B config is set up as access ports, but no QoS. Site C is set up as access ports, has QoS enabled and has port security configured. Site C also uses a macro for the port config. The macro helps with config consistency (locally only). Here is what I would suggest:

 description DATA/VOICE/WIFI
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 111
 switchport mode trunk
 mls qos trust cos
 auto qos voip trust
 spanning-tree portfast trunk

If you would like more security on your ports you can add the following commands:

 description DATA/VOICE/WIFI
 switchport trunk allowed vlan [data and voice vlan numbers]
 switchport port-security maximum 2
 switchport port-security aging time 1
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 storm-control broadcast level pps 1k
 storm-control multicast level pps 2k
 storm-control action trap
 ip dhcp snooping limit rate 15

Note that when you run the auto qos command, it will add additional commands to each port's config. Here's an example of some that might be added.

 load-interval 30
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape  10  0  0  0
 queue-set 2
 priority-queue out

Hope it helps
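
An added example (not part of the original post, and not Cisco's tooling): a small Python audit that parses interface stanzas from a saved running-config and flags ports missing the controls discussed in this thread. It also flags port-security sub-options that appear without the bare `switchport port-security` line seen in Site C, because IOS does not enforce the limits until that line is present; the `FastEthernet9/0/9` stanza and its allowed-VLAN values are constructed for illustration.

```python
# Stanzas abbreviated from the thread's Site A/B/C examples. FastEthernet9/0/9 is a
# constructed port using the suggested hardening lines (VLANs 111,120 are assumed).
SAMPLE = """\
interface FastEthernet1/0/10
 switchport mode trunk
 mls qos trust cos
interface FastEthernet3/0/10
 switchport voice vlan 120
interface GigabitEthernet1/0/10
 switchport port-security maximum 5
 switchport port-security
 mls qos trust cos
 storm-control broadcast level 70.00
interface FastEthernet9/0/9
 switchport mode trunk
 switchport trunk allowed vlan 111,120
 switchport port-security maximum 2
 mls qos trust cos
 storm-control broadcast level pps 1k
"""

def parse_interfaces(text):
    ports, current = {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = ports.setdefault(line.split()[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())  # indented line = sub-command of the stanza
        else:
            current = None  # any other top-level line ends the stanza
    return ports

def audit(cmds):
    """Return the gaps found in one port's sub-commands."""
    has = lambda prefix: any(c.startswith(prefix) for c in cmds)
    checks = [
        ("trunk allows all VLANs",
         "switchport mode trunk" in cmds and not has("switchport trunk allowed vlan")),
        ("no port-security", not has("switchport port-security")),
        ("port-security set but not enabled",  # sub-options without the bare line
         has("switchport port-security ") and "switchport port-security" not in cmds),
        ("no storm-control", not has("storm-control")),
        ("no QoS trust", not has("mls qos trust")),
    ]
    return [msg for msg, failed in checks if failed]

def audit_config(text):
    return {name: audit(cmds) for name, cmds in parse_interfaces(text).items()}

print(*(f"{p} -> {g or 'ok'}" for p, g in audit_config(SAMPLE).items()), sep="\n")
```

Running it over the same export from each site gives a per-port list of gaps that can be compared across the three locations.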


That's great Collin, thanks so much for your recommendations.  I will try to implement that port config across all VOIP ports to ensure consistency throughout.  Thanks again!!

Hi Collin, I found your note helpful. However, I was wondering why you configured the storm-control level pps = 1k and 2k respectively. Is that a best practice from Cisco?

thanks

Joseph W. Doherty
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

A common issue with 3750s, they don't provide a lot of egress buffers, and so when QoS is enabled on them, performance might actually worsen without careful tuning of QoS parameters.  I.e., what you might first try is disabling QoS on all your 3750s.

The 3750X is documented as "... 3750-X has 2MB for each set of 24 downlink ports and 2MB for uplinks."  Unknown if similar for earlier 3750 series, but if you're seeing egress drops on a non-uplink port, you might try moving the link to an "uplink" port.

Assuming your LAN links are either FE or gig, your 50 Mbps inter-site links would appear to be a potential (early) bottleneck.  I would first ensure you're not losing packets across it (especially if the physical hand-offs are more than the "allowed" rate) or if there's congestion, prioritize the treatment for VoIP.

If you were going to do QoS, considering how different your three examples are, you'll want to define and implement a consistent QoS policy.

jeremy.garman
Level 1

Thanks Joseph!  I had no idea the 3750 had this potential limitation!  I'll certainly bear that in mind.  Given the nature of the symptoms that I've been seeing, I totally agree that the WAN link is likely the first place to start to regulate QoS.  Thanks so much for your help!