10-12-2012 07:34 AM - edited 03-04-2019 05:50 PM
Good Day: Customer has three 881 routers. FE0 connects to their WAN, FE4 connects to their LANs. Two VLANs are configured on FE4. Class-maps and Policy-map created to detect voice traffic:
===================
class-map match-any VoIP-RTP-Trust
 match ip dscp ef
class-map match-any VoIP-Control-Trust
 match ip dscp cs5
 match ip dscp af31
!
!
policy-map VoIP-Trust
 class VoIP-RTP-Trust
  priority percent 70
 class VoIP-Control-Trust
  bandwidth percent 5
 class class-default
  fair-queue
===================
Policy map applied to FE0 and FE4:
===================
interface FastEthernet0
 description ** WAN
 switchport access vlan 20
 duplex full
 speed 10
 service-policy output VoIP-Trust
interface FastEthernet4
 description ** To LAN
 no ip address
 duplex auto
 speed auto
 service-policy output VoIP-Trust
!
interface FastEthernet4.10
 description ** DATA
 encapsulation dot1Q 10
 ip address x.x.x.x y.y.y.y
 ip helper-address x.x.x.x
!
interface FastEthernet4.100
 description ** VOICE
 encapsulation dot1Q 100
 ip address x.x.x.x y.y.y.y
!
===================
Policy map not working on FE0 (only shows traffic in class-default), but working fine on FE4 (detecting voice packets):
===================
rtr-key#sh policy-map int
FastEthernet0
Service-policy output: VoIP-Trust
queue stats for all priority classes:
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
Class-map: VoIP-RTP-Trust (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: ip dscp ef (46)
0 packets, 0 bytes
5 minute rate 0 bps
Priority: 70% (7000 kbps), burst bytes 175000, b/w exceed drops: 0
Class-map: VoIP-Control-Trust (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: ip dscp cs5 (40)
0 packets, 0 bytes
5 minute rate 0 bps
Match: ip dscp af31 (26)
0 packets, 0 bytes
5 minute rate 0 bps
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
bandwidth 5% (500 kbps)
Class-map: class-default (match-any)
15744801 packets, 1038173964 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops/flowdrops) 0/0/0/0
(pkts output/bytes output) 15744801/1038173964
Fair-queue: per-flow queue limit 16
FastEthernet4
Service-policy output: VoIP-Trust
queue stats for all priority classes:
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 3006/655308
Class-map: VoIP-RTP-Trust (match-any)
3006 packets, 655308 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: ip dscp ef (46)
3006 packets, 655308 bytes
5 minute rate 0 bps
Priority: 70% (70000 kbps), burst bytes 1750000, b/w exceed drops: 0
Class-map: VoIP-Control-Trust (match-any)
2984 packets, 1068438 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: ip dscp cs5 (40)
4 packets, 408 bytes
5 minute rate 0 bps
Match: ip dscp af31 (26)
2980 packets, 1068030 bytes
5 minute rate 0 bps
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 2984/1068438
bandwidth 5% (5000 kbps)
Class-map: class-default (match-any)
779609832 packets, 304290447160 bytes
5 minute offered rate 549000 bps, drop rate 0 bps
Match: any
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops/flowdrops) 0/0/0/0
(pkts output/bytes output) 779546599/304956945492
Fair-queue: per-flow queue limit 16
========================
Attempted to apply policy-map to int vlan 20, but received error "Configuration failed!"
Is there a way to apply this policy to FE0 and have it work? I know that ports FE0-FE3 are, so-to-speak, "special", and perhaps that's one of the limitations of those ports.
Thank you.
10-12-2012 08:08 AM
Hi Dear,
You should need an L3 port to configure the service policy over the WAN, but if there is no L3 port available, as you said, then I think you should use the L3 interface to do that.
10-12-2012 08:09 AM
My first thought is that the switch that these phones are connected to isn't trusting the marking that the phone is doing (they do mark their own?)
A test that you could do is create another policy specifying traffic from the voice subnet. Then set the tag that you want:
ip access-list ext InVoice
 permit ip
class-map match-all InVoice
 match access-group name InVoice
policy-map InVoice
 class InVoice
  set dscp ef
interface FastEthernet4.100
 service-policy input InVoice
You should start seeing matches on your outbound policy map...hopefully...
HTH,
John
10-13-2012 06:10 AM
There's no reason to apply the policy to fe4. I'm sure your LAN can handle whatever this router is able to forward.
10-14-2012 02:05 AM
You can also use an access list so you can match the traffic.
For example:
ip access-list extended 101
 permit ip any any dscp ef
 permit ip any any dscp af41
 permit ip any any dscp af31
 permit ip any any dscp cs5
And put it under the LAN interface as out:
 ip access-group 101 out
and check the hits of the traffic.
Regards,
Amit Kumar
10-15-2012 07:42 AM
I thank everyone for their input. Here is where I am now:
I agree with Jeff that a policy-map is not needed for the LAN side of the router, so I removed it.
I created an access list as John and Amit suggested:
===========================================
ip access-list extended TestVoice
 permit ip any any dscp ef
 permit ip any any
===========================================
When I applied the ACL to outbound traffic on interface VLAN20 (which is tied to FE0, the port used for WAN):
===========================================
interface FastEthernet0
 description ** Metro-E connection (WIN)
 switchport access vlan 20
 service-policy output VoIP-Trust
interface Vlan20
 description ** WAN
 ip address x.x.x.x y.y.y.y
 ip access-group TestVoice out
===========================================
No voice packets were being matched:
===========================================
Extended IP access list TestVoice
10 permit ip any any dscp ef
20 permit ip any any (131901 matches)
===========================================
After that I inspected the config of the Ethernet switch at that site, and discovered that the ports were not configured to trust the DSCP markings of the traffic. After I configured the switchports to trust the DSCP markings, I saw voice packet matches in the ACL:
===========================================
Extended IP access list TestVoice
10 permit ip any any dscp ef (160156 matches)
20 permit ip any any (262996 matches)
===========================================
However, I still saw no matches for voice traffic on the policy map:
===================
FastEthernet0
Service-policy output: VoIP-Trust
queue stats for all priority classes:
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
Class-map: VoIP-RTP-Trust (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: ip dscp ef (46)
0 packets, 0 bytes
5 minute rate 0 bps
Priority: 70% (70000 kbps), burst bytes 1750000, b/w exceed drops: 0
Class-map: VoIP-Control-Trust (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: ip dscp cs5 (40)
0 packets, 0 bytes
5 minute rate 0 bps
Match: ip dscp af31 (26)
0 packets, 0 bytes
5 minute rate 0 bps
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
bandwidth 5% (5000 kbps)
Class-map: class-default (match-any)
137091 packets, 9689142 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops/flowdrops) 0/0/0/0
(pkts output/bytes output) 137091/9689142
Fair-queue: per-flow queue limit 16
===================
Perhaps policy-maps only work on routed interfaces? If that's the case, I may be able to change the router config so that routed port FE4 faces the WAN, configure one non-routed port to carry the voice traffic from the switch, and configure another non-routed port to carry data traffic from the switch.
Any other ideas?
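Added example, not part of any post in this thread and not Cisco tooling: a small Python check that parses `show policy-map interface` output of the shape pasted above and lists interfaces where every named class shows zero packets while class-default carries traffic, which is the symptom reported on FastEthernet0. The sample text is abridged and constructed from the counters in the thread; the function names are illustrative.

```python
import re

# Constructed sample: abridged output built from the counters quoted in this thread.
SAMPLE = """\
FastEthernet0
Service-policy output: VoIP-Trust
Class-map: VoIP-RTP-Trust (match-any)
0 packets, 0 bytes
Class-map: VoIP-Control-Trust (match-any)
0 packets, 0 bytes
Class-map: class-default (match-any)
137091 packets, 9689142 bytes
FastEthernet4
Service-policy output: VoIP-Trust
Class-map: VoIP-RTP-Trust (match-any)
3006 packets, 655308 bytes
Class-map: VoIP-Control-Trust (match-any)
2984 packets, 1068438 bytes
Match: ip dscp cs5 (40)
4 packets, 408 bytes
Class-map: class-default (match-any)
779609832 packets, 304290447160 bytes
"""

IFACE = re.compile(r"^([A-Za-z][A-Za-z-]*\d[\d/.:]*)$")   # e.g. FastEthernet0, FastEthernet4.100
CLASS = re.compile(r"^Class-map: (\S+)")
PKTS = re.compile(r"^(\d+) packets, \d+ bytes")

def class_counters(text):
    """Return {interface: {class: packets}} from the first counter line after each Class-map."""
    result, iface, cls = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := IFACE.match(line):
            iface, cls = m.group(1), None
            result[iface] = {}
        elif m := CLASS.match(line):
            cls = m.group(1)
        elif (m := PKTS.match(line)) and iface and cls:
            result[iface][cls] = int(m.group(1))
            cls = None  # skip the per-Match counters that follow the class total
    return result

def unclassified(counters):
    """Interfaces where class-default has traffic but no named class matched anything."""
    return [i for i, c in counters.items() if len(c) > 1 and c.get("class-default", 0) > 0
            and not any(n for k, n in c.items() if k != "class-default")]

print(unclassified(class_counters(SAMPLE)))
```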