12-19-2013 06:49 PM - edited 03-04-2019 09:54 PM
I have a Cisco 871 router with Advanced Security and have set up QoS. Since I can't match DSCP, I have used an ACL with my phone network (attached to this router is a Cisco SF300 running as a Layer 3 switch handling the VLANs).
class-map match-any voice-traffic
 match access-group name voice-traffic
!
!
policy-map voice-policy
 class voice-traffic
  priority 1000
 class class-default
  fair-queue
policy-map shaper
 class class-default
  shape average 3000000 30000 0
  service-policy voice-policy
ip access-list extended voice-traffic
 permit ip 10.10.51.0 0.0.0.255 any
interface FastEthernet4
 ip address 111.111.111.111 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map ipsec
 service-policy output shaper
Here's the sh policy-map interface
FastEthernet4
  Service-policy output: shaper
    Class-map: class-default (match-any)
      1750843 packets, 335256512 bytes
      5 minute offered rate 20000 bps, drop rate 0 bps
      Match: any
      Traffic Shaping
        Target/Average   Byte   Sustain   Excess    Interval  Increment
        Rate             Limit  bits/int  bits/int  (ms)      (bytes)
        3000000/3000000  3750   30000     0         10        3750

        Adapt   Queue  Packets  Bytes      Packets  Bytes     Shaping
        Active  Depth                      Delayed  Delayed   Active
        -       0      1750769  335180439  99458    90434169  no

      Service-policy : voice-policy
        Class-map: voice-traffic (match-any)
          2 packets, 124 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: access-group name voice-traffic
            2 packets, 124 bytes
            5 minute rate 0 bps
          Queueing
            Strict Priority
            Output Queue: Conversation 136
            Bandwidth 1000 (kbps) Burst 25000 (Bytes)
            (pkts matched/bytes matched) 0/0
            (total drops/bytes drops) 0/0
        Class-map: class-default (match-any)
          1750842 packets, 335256442 bytes
          5 minute offered rate 20000 bps, drop rate 0 bps
          Match: any
          Queueing
            Flow Based Fair Queueing
            Maximum Number of Hashed Queues 128
            (total queued/total drops/no-buffer drops) 0/59/0
There should be WAY more packets than 2
12-19-2013 08:10 PM
Hi Christie,
I see you are using a crypto map on your Fa4 interface. Did you configure the qos pre-classify in the crypto map? If not, the service-policy can only see the packets after being IPsec-encapsulated, not recognizing the private IP addresses anymore.
Best regards,
Peter
12-19-2013 08:29 PM
Not sure if it matters but the phone traffic is not going over the VPN tunnel.
I checked anyways and I do not have the feature to add qos pre-classify to my crypto map. I am on version 12.4(15)
12-19-2013 09:30 PM
Hi Christie,
Oh, I see. Okay.
The second thing to check is the NAT - again, I see that the Fa4 is a NAT-outside interface. According to the following document:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
the queueing is done as the very last step in the inside-to-outside direction, meaning that the service-policy will again see packets after they have been NATted - so again, the ACL in the corresponding class-map does not apply.
Solution here can get more complicated because you may be performing N:1 NAT (i.e. PAT) and so the global address is not indicative of the VoIP traffic anymore.
I wonder - what IOS feature set are you running? Can you post the output that shows when you enter a class-map and enter the match ? and set ? commands and question marks? I would like to see what other choices we have on your IOS.
Best regards,
Peter
12-20-2013 05:05 AM
Advanced Security -
c870-advsecurityk9-mz.124-15.T7.bin
Here's the match?
  access-group         Access group
  any                  Any packets
  class-map            Class map
  cos                  IEEE 802.1Q/ISL class of service/user priority values
  destination-address  Destination address
  discard-class        Discard behavior identifier
  flow                 Flow based QoS parameters
  fr-de                Match on Frame-relay DE bit
  fr-dlci              Match on fr-dlci
  input-interface      Select an input interface to match
  ip                   IP specific values
  mpls                 Multi Protocol Label Switching specific values
  not                  Negate this match result
  packet               Layer 3 Packet length
  precedence           Match Precedence in IP(v4) and IPv6 packets
  protocol             Protocol
  qos-group            Qos-group
  source-address       Source address
  vlan                 VLANs to match
Set is not recognized under class-map.
Thanks
12-20-2013 02:28 PM
Hi Christie,
Of course, set is in the policy-map... Aaargh, how could I have missed that?
Anyway, in your first post, you indicated you can not match DSCP. Why? Do you believe your IP phone is not generating DSCP-marked packets? That would be the easiest thing here, as the DSCP marking is easily recognizable.
Best regards,
Peter
12-20-2013 03:08 PM
I don't have the option for set under the policy-map
I can't match DSCP on the router, it's not an option in advanced security, only advanced IP.
12-20-2013 03:14 PM
Christie,
The set option is available in a class section of a policy-map. Try entering a policy-map and enter either an existing class or enter the class-default class and try the set command there.
But is the Advanced Security IOS really so limited? The DSCP should be available in a class-map using match ip dscp command. Is it truly unavailable?
Best regards,
Peter
12-20-2013 03:18 PM
It appears that way, I believe the feature information says the advanced IP has more QoS options.
Here is what I see under class under policy-map when I do a ?
  bandwidth        Bandwidth
  compression      Activate Compression
  drop             Drop all packets
  exit             Exit from class action configuration mode
  log              Log IPv4 and ARP packets
  netflow-sampler  NetFlow action
  no               Negate or set default values of a command
  police           Police
  priority         Strict Scheduling Priority for this Class
  queue-limit      Queue Max Threshold for Tail Drop
  service-policy   Configure Flow Next
  set              Set QoS values
  shape            Traffic Shaping
and this is set ?
  atm-clp        Set ATM CLP bit to 1
  cos            Set IEEE 802.1Q/ISL class of service/user priority
  discard-class  Discard behavior identifier
  fr-de          Set FR DE bit to 1
  ip             Set IP specific values
  mpls           Set MPLS specific values
  precedence     Set precedence in IP(v4) and IPv6 packets
  qos-group      Set QoS Group
12-21-2013 12:12 AM
Christie,
I apologize for being so insistent, but can you perhaps enter a class-map again and try the match ip ? command? At my router, it produces this (though admittedly, I do not run AdvSec):
R1(config-cmap)# match ip ?
  dscp        Match IP DSCP (DiffServ CodePoints)
  precedence  Match IP precedence
  rtp         Match RTP port nos
Best regards,
Peter
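
An added example, not posted by anyone in this thread: because the output policy on FastEthernet4 sees packets after NAT, one common approach is to classify on the inside interface, where the 10.10.51.0/24 source is still visible, and carry the result to egress as a qos-group, using the match qos-group and set qos-group options listed in the help output above. The interface name Vlan1, the names voice-ingress and mark-voice, and group number 1 are assumptions, as is support for an input service-policy on that interface in this feature set.

```cisco
! Added example, not from the thread.
! Vlan1 is a placeholder for the router's inside (ip nat inside) interface
! facing the SF300; substitute the real interface name.

! Ingress: source addresses are still pre-NAT here, so the posted ACL matches.
class-map match-any voice-ingress
 match access-group name voice-traffic
!
policy-map mark-voice
 class voice-ingress
  ! qos-group is a router-internal label; it is not changed by NAT.
  set qos-group 1
!
interface Vlan1
 service-policy input mark-voice
!
! Egress: match the internal label instead of the translated source address.
class-map match-any voice-traffic
 no match access-group name voice-traffic
 match qos-group 1
!
! policy-map voice-policy and policy-map shaper stay as posted, and
! FastEthernet4 keeps "service-policy output shaper".
```

If this is accepted by the platform, the voice-traffic class counters in sh policy-map interface FastEthernet4 should start increasing with phone traffic.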