11-08-2012 06:16 AM - edited 03-04-2019 06:04 PM
Hi All,
It's good to be here again, and I especially want to thank all contributors to this forum.
Below is a sample configuration of my router. I am trying to do QoS on the IPsec VPN tunnel so that voice traffic can be given priority over other traffic (I am using non-Cisco IP phones).
I want to know if this config is OK and working, because I have not noticed any improvement in voice quality. If it is not OK, please can someone give me a better suggestion? (I used SDM for the QoS configuration.) Below the show run is the sho policy-map output.
Building configuration...
Current configuration : 4867 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
!
boot-start-marker
boot-end-marker
!
no aaa new-model
clock timezone utc 1
!
crypto pki trustpoint TP-self-signed-3885639516
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3885639516
revocation-check none
rsakeypair TP-self-signed-3885639516
!
!
ip cef
!
!
ip domain name masters
ip name-server 4.2.2.2
!
multilink bundle-name authenticated
password encryption aes
!
!
crypto isakmp policy 1
encr aes 256
hash md5
authentication pre-share
group 2
crypto isakmp key 6 B^ address 4.7.8.74
!
!
crypto ipsec transform-set ME-VPN esp-aes 256 esp-md5-hmac
!
crypto map VPN-TO-PH 10 ipsec-isakmp
description SET PEER TO PH IP ADDRESS
set peer 4.7.8.74
set transform-set ME-VPN
match address VPN-TRAFFIC
!
archive
log config
hidekeys
!
!
!
class-map match-any SDM-Transactional-1
match dscp af21
match dscp af22
match dscp af23
class-map match-any P2P
match protocol bittorrent
class-map match-any SDM-Signaling-1
match dscp cs3
match dscp af31
class-map match-any SDM-Routing-1
match dscp cs6
class-map match-any SDM-Voice-1
match dscp ef
class-map match-any SDM-Management-1
match dscp cs2
!
!
policy-map SDM-QoS-Policy-1
class SDM-Voice-1
priority percent 33
class SDM-Signaling-1
bandwidth percent 5
class SDM-Routing-1
bandwidth percent 5
class SDM-Management-1
bandwidth percent 5
class SDM-Transactional-1
bandwidth percent 5
class class-default
fair-queue
random-detect
policy-map P2P
class P2P
drop
!
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet0
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
service-policy input P2P
!
interface FastEthernet1
ip address 4.7.8.130 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPN-TO-PH
service-policy output SDM-QoS-Policy-1
interface Vlan1
no ip address
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 4.7.8.129
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map LAT interface FastEthernet1 overload
!
ip access-list extended VPN-TRAFFIC
permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
access-list 100 remark EXCLUDED FROM NAT
access-list 100 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 remark
!
!
!
route-map LAT permit 1
match ip address 100
end
Lagos#sho policy-map int f1
FastEthernet1
Service-policy output: SDM-QoS-Policy-1
Class-map: SDM-Voice-1 (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: dscp ef (46)
0 packets, 0 bytes
5 minute rate 0 bps
Queueing
Strict Priority
Output Queue: Conversation 264
Bandwidth 33 (%)
Bandwidth 33000 (kbps) Burst 825000 (Bytes)
(pkts matched/bytes matched) 0/0
(total drops/bytes drops) 0/0
Class-map: SDM-Signaling-1 (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: dscp cs3 (24)
0 packets, 0 bytes
5 minute rate 0 bps
Match: dscp af31 (26)
0 packets, 0 bytes
5 minute rate 0 bps
Queueing
Output Queue: Conversation 265
Bandwidth 5 (%)
Bandwidth 5000 (kbps)Max Threshold 64 (packets)
(pkts matched/bytes matched) 0/0
(depth/total drops/no-buffer drops) 0/0/0
Class-map: SDM-Routing-1 (match-any)
442 packets, 37367 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: dscp cs6 (48)
442 packets, 37367 bytes
5 minute rate 0 bps
Queueing
Output Queue: Conversation 266
Bandwidth 5 (%)
Bandwidth 5000 (kbps)Max Threshold 64 (packets)
(pkts matched/bytes matched) 411/31965
(depth/total drops/no-buffer drops) 0/0/0
Class-map: SDM-Management-1 (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: dscp cs2 (16)
0 packets, 0 bytes
5 minute rate 0 bps
Queueing
Output Queue: Conversation 267
Bandwidth 5 (%)
Bandwidth 5000 (kbps)Max Threshold 64 (packets)
(pkts matched/bytes matched) 0/0
(depth/total drops/no-buffer drops) 0/0/0
Class-map: SDM-Transactional-1 (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: dscp af21 (18)
0 packets, 0 bytes
5 minute rate 0 bps
Match: dscp af22 (20)
0 packets, 0 bytes
5 minute rate 0 bps
Match: dscp af23 (22)
0 packets, 0 bytes
5 minute rate 0 bps
Queueing
Output Queue: Conversation 268
Bandwidth 5 (%)
Bandwidth 5000 (kbps)Max Threshold 64 (packets)
(pkts matched/bytes matched) 0/0
(depth/total drops/no-buffer drops) 0/0/0
Class-map: class-default (match-any)
2820661 packets, 548265388 bytes
5 minute offered rate 185000 bps, drop rate 0 bps
Match: any
Queueing
Flow Based Fair Queueing
Maximum Number of Hashed Queues 256
(total queued/total drops/no-buffer drops) 0/0/0
exponential weight: 9
class Transmitted Random drop Tail drop Minimum Maximum Mark
pkts/bytes pkts/bytes pkts/bytes thresh thresh prob
0 2820573/548172293 0/0 0/0 20 40 1/10
1 6/360 0/0 0/0 22 40 1/10
2 0/0 0/0 0/0 24 40 1/10
3 0/0 0/0 0/0 26 40 1/10
4 0/0 0/0 0/0 28 40 1/10
5 0/0 0/0 0/0 30 40 1/10
6 0/0 0/0 0/0 32 40 1/10
7 0/0 0/0 0/0 34 40 1/10
rsvp 0/0 0/0 0/0 36 40 1/10
Thanks.
Tom
11-08-2012 06:24 AM
Tom,
Under the crypto map, try adding "qos pre-classify" and see if that helps.
HTH,
John
11-08-2012 06:50 AM
Hi John,
I added "qos pre-classify" as you suggested but haven't noticed any change (improvement).
Here is the sho policy-map int f1 output. As you can see, I still have 0 packets/0 bytes under SDM-QoS-Policy-1 (I don't know how to interpret this anyway, but my point is that I haven't noticed any improvement in voice traffic).
Lagos#sho policy-map int f1
FastEthernet1
Service-policy output: SDM-QoS-Policy-1
Class-map: SDM-Voice-1 (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: dscp ef (46)
0 packets, 0 bytes
5 minute rate 0 bps
Queueing
Strict Priority
Output Queue: Conversation 264
Bandwidth 33 (%)
Bandwidth 33000 (kbps) Burst 825000 (Bytes)
(pkts matched/bytes matched) 0/0
(total drops/bytes drops) 0/0
Thanks for your contribution.
Tom
11-08-2012 07:56 AM
What type of switch do you have your router connected to, and are you trusting your markings? They could be getting overwritten. Do you have a specific subnet associated to your phone traffic? If so, you could match on an acl instead of the dscp marking. Suppose you have 192.168.10.0/24 associated to all phones. You could do something like:
access-list 10 permit 192.168.10.0 0.0.0.255
class-map match-any SDM-Voice-1
match access-group 10
Then keep the config for your policy map the way that it is. This would reclassify the traffic for you by subnet instead of doing it by markings.
You'll want to remove the "match dscp ef" line from the current class-map if you're going to use the acl instead. You have it matching any right now, so in theory it will still work, but it just makes it cleaner.
HTH,
John
11-08-2012 09:52 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
Have you confirmed your input stream has correct ToS markings? Reason I ask, you're only matching on CS6 and default.
Re: other suggestions, unless end-to-end corresponds with port bandwidth, you might need to shape your tunnel traffic.
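Added example, not part of the original post: a small Python parser for the `show policy-map interface` output pasted earlier in the thread, listing the classes that never matched a packet and how much traffic fell through to class-default. The sample text is a constructed, trimmed copy of that output, and the function names are hypothetical.

```python
import re

# Constructed sample: trimmed copy of the "sho policy-map int f1" output in the thread.
SAMPLE = """\
FastEthernet1
Service-policy output: SDM-QoS-Policy-1
Class-map: SDM-Voice-1 (match-any)
0 packets, 0 bytes
Match: dscp ef (46)
0 packets, 0 bytes
Class-map: SDM-Routing-1 (match-any)
442 packets, 37367 bytes
Match: dscp cs6 (48)
442 packets, 37367 bytes
Class-map: class-default (match-any)
2820661 packets, 548265388 bytes
Match: any
"""

CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)")
MATCH_RE = re.compile(r"^\s*Match:\s+(.+?)\s*$")
PKTS_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes")

def parse_policy_map(text):
    """Return {class_name: {"packets": int, "bytes": int, "matches": [str]}}."""
    classes, current = {}, None
    for line in text.splitlines():
        if m := CLASS_RE.match(line):
            current = classes.setdefault(m.group(1), {"packets": None, "bytes": 0, "matches": []})
        elif current is None:
            continue
        elif m := MATCH_RE.match(line):
            current["matches"].append(m.group(1))
        elif (m := PKTS_RE.match(line)) and current["packets"] is None:
            # First counter line after "Class-map:" is the class total; later ones are per-match.
            current["packets"], current["bytes"] = int(m.group(1)), int(m.group(2))
    return classes

def unmatched_classes(classes):
    """Names of configured classes (other than class-default) that saw no packets."""
    return [n for n, c in classes.items() if n != "class-default" and not c["packets"]]

def default_share(classes):
    """Fraction of all counted packets that fell through to class-default."""
    total = sum(c["packets"] or 0 for c in classes.values())
    return (classes.get("class-default", {}).get("packets") or 0) / total if total else 0.0

if __name__ == "__main__":
    parsed = parse_policy_map(SAMPLE)
    print(unmatched_classes(parsed), f"{default_share(parsed):.4%}")
```

A voice class at zero hits alongside a class-default share near 100% points at classification (markings missing or rewritten upstream) rather than at queueing.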
11-09-2012 05:43 AM
I believe QoS pre-classify needs to be on the interface the crypto map is applied to.
11-09-2012 05:46 AM
Jeff,
You can actually do it under either one:
http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfvpn.html#wp1005317
Tunnel interfaces use it under the interface (GRE), but IPSec tunnels use the crypto map.
John
11-09-2012 10:13 AM
Pre-classify is normally only needed if you want to examine IP header info against the tunneled packets. As ToS is generally copied to the tunneled packet, pre-classify shouldn't be needed if you're only examining the ToS value.