Hi Georg,

if I already know the voice subnets, can I create an ACL to match on them instead of matching on DSCP EF and CS3?

what are the ACL that matches DSCP EF and CS3?

thanks,

Haitham Jneid

Hello,

the below access list provide the matches (x.x.x.x y.y.y.y would be your voice subnet):

access-list 101 permit ip x.x.x.x y.y.y.y any dscp ef
access-list 102 permit ip x.x.x.x y.y.y.y any dscp cs3
access-list 102 permit ip x.x.x.x y.y.y.y any dscp af31

class-map match-all Voice
 match ip address 101
class-map match-any Signaling
 match ip address102

policy-map WAN-EDGE
 class Voice
  priority percent 33
 class Signaling
  bandwidth percent 5
 class class-default
  fair-queue
  random-detect dscp-based

Dear All,

Appreciate your valuable answers and feedback.

I need someone to answer my questions please.

1. ASR920 will receive the voice and signaling packets marked with DSCP by default? eventhough am not doing any classification/marking on the access layer where my iphones are connected?. if yes, I will use the ACLs mentioned earlier to match on EF, CS3 and af31.

2. if I have 1g WAN Link, how much bandwidth/percent should I assign for voice class and for signaling class. also I have corporate subnets, + one guest subnet.

3. do I have to apply the policy on the wan link in both direction? IN and OUT.?

thanks,

Haitham Jneid

#1 By default, routers will accept packets with ToS markings and often just ignore them.  Whether your traffic will have ToS markings depends on both the source sending the packets and the in between network devices.  (NB: VoIP equipment will often set ToS.)

#2 Depends on how much VoIP traffic you have.  Also depends what VoIP codecs are being used.  (Some codecs are CBR others VBR, the latter needs additional bandwidth beyond it's average consumption.  Different codecs also use different amounts of bandwidth to support a VoIP call.)  You want to insure enough bandwidth that VoIP packets aren't dropped and that VoIP bearer packets are not delayed.  (NB: Cisco recommends not to assign more than 1/3 of your bandwidth to LLQ, i.e. if that's insufficient for your LLQ bandwidth needs, you may need more physical bandwidth.)

#3 Depends on what you're trying to accomplish.  Ingress and egress policies often serve different purposes. You can manage egress queues.  Also keep in mind, one side's egress is often another side's ingress.

Hi Joseph,

I really appreciate your support.

so if for whatever reason the router is receiving voice and signaling packets without DSCP value, how can I create ACLs that matches on them? what are the port numbers used by EF, CS3 and AF31? of if you can paste the ACL here.

you said that cisco recommend that no more than 1/3 of your BW should be assigned to LLQ. so if I assigned 1/3 for LLQ and voice traffic face disruption then I have to rollback and tell them to increase physical bandwidth????

I just need to prioritize voice traffic because my WAN link is 1G and LAN side speed is 20G. I don't want some users doing download to saturate the link BW. so is it enough to apply the policy on the WAN interface in egress direction??

thanks,

Haitham Jneid

so if for whatever reason the router is receiving voice and signaling packets without DSCP value, how can I create ACLs that matches on them? what are the port numbers used by EF, CS3 and AF31? of if you can paste the ACL here.

Could be your VoIP devices need to be configured to generate ToS markings.

As to port numbers, that depends on your VoIP devices.

you said that cisco recommend that no more than 1/3 of your BW should be assigned to LLQ. so if I assigned 1/3 for LLQ and voice traffic face disruption then I have to rollback and tell them to increase physical bandwidth????

In my experience, up to half appears to work okay, so if you hit a limit at 1/3, you can bump it up some, but you should then to look for acquiring more bandwidth (or use a codec that uses less bandwidth).

I just need to prioritize voice traffic because my WAN link is 1G and LAN side speed is 20G. I don't want some users doing download to saturate the link BW. so is it enough to apply the policy on the WAN interface in egress direction??

If users are doing downloads that can saturate your bandwidth, you want to manage that too, but totally effective ingress bandwidth management is practically impossible to achieve.

Hi Joseph,

Cisco IPhones by default assign TOS marking for voice and signaling packets rights??

let say I have the following configuration to be applied on my WAN link (1G) in outside direction.

may you please instruct me what bandwidth to assign to the classes which I marked with exclamation mark?? also should I use the priority level command or the priority percent?

the below access list provide the matches (x.x.x.x y.y.y.y would be your voice subnet):

access-list 101 permit ip x.x.x.x y.y.y.y any dscp ef
access-list 102 permit ip x.x.x.x y.y.y.y any dscp cs3
access-list 102 permit ip x.x.x.x y.y.y.y any dscp af31
access-list 103 permit ip a.a.a.a b.b.b.b any !!!!corporate subnet!!!!
access-list 104 permit ip c.c.c.c d.d.d.d any !!!!Guest subnet!!!!

class-map match-all Voice
 match ip address 101
class-map match-any Signaling
 match ip address102
class-map match-all Corporate
 match ip address 103
class-map match-all Guest
 match ip address 104

policy-map WAN-EDGE
 class Voice
  priority percent 33
 class Signaling
  bandwidth percent 5
 class Corporate
 ????
 class Guest
 ????
 class class-default
 ????

Appreciate your valuable support.

thanks,

Haitham Jneid

Cisco IPhones by default assign TOS marking for voice and signaling packets rights??

Laugh, I don't know.  The companies I work with, that have VoIP, have telecom teams that configure the phones.

If your prime consideration is protecting VoIP, I would eliminate the Corporate and Guest classes and just let such traffic join the other traffic in class-default using FQ.

I'm unfamiliar with priority-level, I think it allows two levels for LLQ.  Priority percent should do the job.

if I already know the voice subnets, can I create an ACL to match on them instead of matching on DSCP EF and CS3?

Well, yes and no.  You can match just the VoIP subnets, but then if you don't also include DSCP markings (like in Georg's post), or other attribute testing, you would not be able to distinguish between VoIP bearer traffic and VoIP signalling traffic.  (BTW, you could allow the two traffic types in the same LLQ class.)

what are the ACL that matches DSCP EF and CS3?

They would be similar to what Georg posted, i.e. something like:

permit IP any any dscp EF

If you had multiple subnets, you could use ACEs like Georg's or something like:

ip access-list extended VoIP_subnets
 permit IP any <subnet1 IP> <subnet1 mask>
 permit IP any <subnet2 IP> <subnet2 mask>
 .
 .
 permit IP any <subnetN IP> <subnetN mask>

class-map match-all Voice
 match ip dscp ef
 match access-group name VoIP_subnets
class-map match-all Signaling
 match ip dscp cs3 af31
 match access-group name VoIP_subnets

I generally recommend WRED not be used unless you're a QoS expert.  I especially recommend it not be mixed with FQ unless you're using the FRED variant.

I would also recommend bandwidth be defined for the class-default class.

For 20g to gig, you may need to increase queue limits.