10-12-2012 07:34 AM - edited 03-04-2019 05:50 PM
Good Day: Customer has three 881 routers. FE0 connects to their WAN, FE4 connects to their LANs. Two VLANs are configured on FE4. Class-maps and Policy-map created to detect voice traffic:
===================
class-map match-any VoIP-RTP-Trust
 match ip dscp ef
class-map match-any VoIP-Control-Trust
 match ip dscp cs5
 match ip dscp af31
!
!
policy-map VoIP-Trust
 class VoIP-RTP-Trust
  priority percent 70
 class VoIP-Control-Trust
  bandwidth percent 5
 class class-default
  fair-queue
===================
Policy map applied to FE0 and FE4:
===================
interface FastEthernet0
 description ** WAN
 switchport access vlan 20
 duplex full
 speed 10
 service-policy output VoIP-Trust
!
interface FastEthernet4
 description ** To LAN
 no ip address
 duplex auto
 speed auto
 service-policy output VoIP-Trust
!
interface FastEthernet4.10
 description ** DATA
 encapsulation dot1Q 10
 ip address x.x.x.x y.y.y.y
 ip helper-address x.x.x.x
!
interface FastEthernet4.100
 description ** VOICE
 encapsulation dot1Q 100
 ip address x.x.x.x y.y.y.y
!
===================
Policy map not working on FE0 (only shows traffic in class-default), but working fine on FE4 (detecting voice packets):
===================
rtr-key#sh policy-map int
FastEthernet0
Service-policy output: VoIP-Trust
queue stats for all priority classes:
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
Class-map: VoIP-RTP-Trust (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: ip dscp ef (46)
0 packets, 0 bytes
5 minute rate 0 bps
Priority: 70% (7000 kbps), burst bytes 175000, b/w exceed drops: 0
Class-map: VoIP-Control-Trust (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: ip dscp cs5 (40)
0 packets, 0 bytes
5 minute rate 0 bps
Match: ip dscp af31 (26)
0 packets, 0 bytes
5 minute rate 0 bps
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
bandwidth 5% (500 kbps)
Class-map: class-default (match-any)
15744801 packets, 1038173964 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops/flowdrops) 0/0/0/0
(pkts output/bytes output) 15744801/1038173964
Fair-queue: per-flow queue limit 16
FastEthernet4
Service-policy output: VoIP-Trust
queue stats for all priority classes:
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 3006/655308
Class-map: VoIP-RTP-Trust (match-any)
3006 packets, 655308 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: ip dscp ef (46)
3006 packets, 655308 bytes
5 minute rate 0 bps
Priority: 70% (70000 kbps), burst bytes 1750000, b/w exceed drops: 0
Class-map: VoIP-Control-Trust (match-any)
2984 packets, 1068438 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: ip dscp cs5 (40)
4 packets, 408 bytes
5 minute rate 0 bps
Match: ip dscp af31 (26)
2980 packets, 1068030 bytes
5 minute rate 0 bps
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 2984/1068438
bandwidth 5% (5000 kbps)
Class-map: class-default (match-any)
779609832 packets, 304290447160 bytes
5 minute offered rate 549000 bps, drop rate 0 bps
Match: any
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops/flowdrops) 0/0/0/0
(pkts output/bytes output) 779546599/304956945492
Fair-queue: per-flow queue limit 16
========================
Attempted to apply policy-map to int vlan 20, but received error "Configuration failed!"
Is there a way to apply this policy to FE0 and have it work? I know that ports FE0-FE3 are, so-to-speak, "special", and perhaps that's one of the limitations of those ports.
Thank you.
10-12-2012 08:08 AM
Hi Dear,
You need an L3 port to configure the service policy over the WAN... but if there is no L3 port available, as you said, then I think you should use the L3 interface to do that.
10-12-2012 08:09 AM
My first thought is that the switch that these phones are connected to isn't trusting the marking that the phone is doing (they do mark their own?)
A test that you could do is create another policy specifying traffic from the voice subnet. Then set the tag that you want:
ip access-list ext InVoice
 permit ip
class-map match-all InVoice
 match access-group name InVoice
policy-map InVoice
 class InVoice
  set dscp ef
interface FastEthernet4.100
 service-policy input InVoice
You should start seeing matches on your outbound policy map...hopefully...
HTH,
John
*** Please rate useful posts ****
10-13-2012 06:10 AM
There's no reason to apply the policy to fe4. I'm sure your LAN can handle whatever this router is able to forward.
Sent from Cisco Technical Support iPad App
10-14-2012 02:05 AM
You can also use the access-list so you can match the traffic.
For example:
ip access-list extended 101
 permit ip any any dscp ef
 permit ip any any dscp af41
 permit ip any any dscp af31
 permit ip any any dscp cs5
And put it under the LAN interface as out:
ip access-group 101 out
...and check the hits of the traffic.
Regards,
Amit Kumar
******Please rate helpful posts********
10-15-2012 07:42 AM
I thank everyone for their input. Here is where I am now:
I agree with Jeff that a policy-map is not needed for the LAN side of the router, so I removed it.
I created an access list as John and Amit suggested:
===========================================
ip access-list extended TestVoice
permit ip any any dscp ef
permit ip any any
===========================================
When I applied the ACL to outbound traffic on interface VLAN20 (which is tied to FE0, the port used for WAN):
===========================================
interface FastEthernet0
description ** Metro-E connection (WIN)
switchport access vlan 20
service-policy output VoIP-Trust
interface Vlan20
description ** WAN
ip address x.x.x.x y.y.y.y
ip access-group TestVoice out
===========================================
No voice packets were being matched:
===========================================
Extended IP access list TestVoice
10 permit ip any any dscp ef
20 permit ip any any (131901 matches)
===========================================
After that I inspected the config of the Ethernet switch at that site, and discovered that the ports were not configured to trust the DSCP markings of the traffic. After I configured the switchports to trust the DSCP markings, I saw voice packet matches in the ACL:
===========================================
Extended IP access list TestVoice
10 permit ip any any dscp ef (160156 matches)
20 permit ip any any (262996 matches)
===========================================
However, I still saw no matches for voice traffic on the policy map:
===================
FastEthernet0
Service-policy output: VoIP-Trust
queue stats for all priority classes:
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
Class-map: VoIP-RTP-Trust (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: ip dscp ef (46)
0 packets, 0 bytes
5 minute rate 0 bps
Priority: 70% (70000 kbps), burst bytes 1750000, b/w exceed drops: 0
Class-map: VoIP-Control-Trust (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: ip dscp cs5 (40)
0 packets, 0 bytes
5 minute rate 0 bps
Match: ip dscp af31 (26)
0 packets, 0 bytes
5 minute rate 0 bps
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
bandwidth 5% (5000 kbps)
Class-map: class-default (match-any)
137091 packets, 9689142 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops/flowdrops) 0/0/0/0
(pkts output/bytes output) 137091/9689142
Fair-queue: per-flow queue limit 16
===================
Perhaps policy-maps only work on routed interfaces? If that's the case, I may be able to change the router config so that routed port FE4 faces the WAN, configure one non-routed port to carry the voice traffic from the switch, and configure another non-routed port to carry data traffic from the switch.
Any other ideas?