10-01-2010 03:46 PM - edited 03-04-2019 09:58 AM
I recently got pulled into supporting some remote networks that are using satellite as their WAN connection. They use this WAN connection to provide VOIP, CompanyTraffic and Guest Traffic. I need to set up QoS on a new router to prioritize the traffic. Since the satellite connection has such limited bandwidth, we are seeing very choppy voice when too much traffic is being used.
I thought I had things set up properly, but I don't seem to be matching any traffic. All VOIP traffic will be coming from a Cisco ATA with the IP 10.10.100.9. All CompanyTraffic will be on the network 192.168.220.0/24 and all Guest traffic will be the rest of the 10.10.100.0/24 subnet.
Here are the relevant parts of my config:
ip access-list extended CompanyTraffic
 permit tcp 192.168.220.0 0.0.0.255 any
 permit udp 192.168.220.0 0.0.0.255 any
 permit icmp 192.168.220.0 0.0.0.255 any
 permit tcp any 192.168.220.0 0.0.0.255
 permit udp any 192.168.220.0 0.0.0.255
 permit icmp any 192.168.220.0 0.0.0.255
ip access-list extended VoIP
 permit udp host 10.10.100.9 any
 permit tcp host 10.10.100.9 any
 permit icmp host 10.10.100.9 any
class-map match-all CompanyTraffic
 description CompanyTraffic Traffic
 match access-group name CompanyTraffic
class-map match-all VoIP
 description VoIP Traffic
 match access-group name VoIP
!
!
policy-map QoS
 class VoIP
  priority percent 20
 class CompanyTraffic
  bandwidth remaining percent 80
 class class-default
  fair-queue
policy-map shaper
 class class-default
  shape average 200000 2000 0
  service-policy QoS
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 bandwidth 768
 ip address x.x.x.x 255.255.255.252
 ip access-group 104 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect ROCK out
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 crypto map VPN_TO_Company
 service-policy output shaper
The problem is that when I do a "show policy-map interface FastEthernet4" I don't get any matches on the class-map VoIP or CompanyTraffic, see below:
Service-policy output: shaper

    Class-map: class-default (match-any)
      48633 packets, 11506561 bytes
      5 minute offered rate 13000 bps, drop rate 0 bps
      Match: any
      Traffic Shaping
           Target/Average   Byte   Sustain   Excess    Interval  Increment
             Rate           Limit  bits/int  bits/int  (ms)      (bytes)
           200000/200000    250    2000      0         10        250

           Adapt  Queue     Packets   Bytes     Packets   Bytes     Shaping
           Active Depth               Delayed   Delayed   Active
           -      0         48624     11507529  11109     4224047   no

      Service-policy : QoS

        Class-map: VoIP (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: access-group name VoIP
          Queueing
            Strict Priority
            Output Queue: Conversation 40
            Bandwidth 20 (%)
            Bandwidth 40 (kbps) Burst 1000 (Bytes)
            (pkts matched/bytes matched) 0/0
            (total drops/bytes drops) 0/0

        Class-map: CompanyTraffic (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: access-group name CompanyTraffic
          Queueing
            Output Queue: Conversation 41
            Bandwidth remaining 80 (%)Max Threshold 64 (packets)
            (pkts matched/bytes matched) 0/0
            (depth/total drops/no-buffer drops) 0/0/0

        Class-map: class-default (match-any)
          48633 packets, 11506561 bytes
          5 minute offered rate 13000 bps, drop rate 0 bps
          Match: any
          Queueing
            Flow Based Fair Queueing
            Maximum Number of Hashed Queues 32
            (total queued/total drops/no-buffer drops) 0/0/0
Any ideas where my problem lies? I suspect a problem with my ACL and will probably slap my forehead when I find it, but right now it has me stumped.
Thanks in advance.
10-01-2010 08:45 PM
Try adding qos pre-classify under your crypto map.
10-02-2010 11:15 AM
I don't seem to have that option under either the crypto map or under the interface.
If it helps, only the CompanyTraffic is going over the VPN; VOIP and Guest traffic go straight out.
Also, the version is 12.3(8r)YI4.
Any help is very much appreciated!
10-04-2010 08:03 AM
Bump. Any help out there?
10-04-2010 08:33 AM
Hello Sphughes,
I had a similar problem on a 877 and I solved it by using an IOS image in 12.4T.
I would suggest you move to a 12.4T image.
Hope to help
Giuseppe
10-04-2010 09:16 AM
Thanks. This unit is remote, so that is a little problematic, but not totally impossible. Were you seeing the same thing with no matches on the policy-map?
10-04-2010 02:05 PM
Hello Sphughes,
Yes, but I would also suggest a divide-and-conquer approach:
because tunneling protocols like IPSec and GRE copy the carried packet's TOS/DSCP byte onto the external header, I would mark traffic on the internal LAN using the class-maps that invoke the ACLs, and then use a policy map on the external interface whose class maps match on the TOS value, for example.
In this way you can also verify that, given N packets in the marking class inbound, you see N packets in the outbound class, and you have a method to check what the router is doing.
This approach should work with the correct image.
In my case, even with the approach described above (internal marking of TOS on the internal LAN + matching on TOS on the WAN link), I could see no matches on the class maps, so I decided to move to 12.4T because I had a different router in another branch that was working with 12.4T.
For me the change of IOS worked well.
Hope to help
Giuseppe
10-05-2010 01:47 PM
Yes, this worked. After some struggle, of course. I ended up creating a class and policy that simply set precedence on the traffic and attached it to the input of the LAN interface and then created a second class and policy that prioritized the traffic.
Thanks a lot to all that helped!
10-04-2010 05:25 PM
Here is the problem. You are matching on ACLs in your egress policy-map, but you also have a VPN crypto map applied. This means that you will classify based on the post-encrypted packet, not the pre-encrypted one. The fix for this is to configure qos pre-classify. In your case, it is apparently not supported for whatever reason, so you could mark on ingress then match those markings on egress.
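One way to implement the mark-on-ingress, match-on-egress approach described in the two replies above, written as an added example rather than any poster's actual configuration: it reuses the ACL names from the original post, and assumes the LAN-facing interface is Vlan1 and that DSCP EF and AF31 are acceptable markings (set ip precedence would work the same way).

```cisco
! Added example, not the thread's own config. Assumes the LAN interface
! is Vlan1; ACL names VoIP and CompanyTraffic are from the original post.
!
! Step 1: classify and mark on LAN ingress. Here the router still sees
! the original IP headers: before NAT rewrites the source address on
! FastEthernet4 and before the crypto map encrypts the company traffic.
class-map match-all MARK-VOIP
 match access-group name VoIP
class-map match-all MARK-COMPANY
 match access-group name CompanyTraffic
!
policy-map LAN-IN-MARK
 class MARK-VOIP
  set ip dscp ef
 class MARK-COMPANY
  set ip dscp af31
 class class-default
  set ip dscp default
!
interface Vlan1
 description LAN side (assumed interface name)
 service-policy input LAN-IN-MARK
!
! Step 2: on the WAN side, classify on the marking only. IPsec tunnel
! mode copies the inner TOS/DSCP byte to the outer header, so the mark
! survives encryption even though the inner addresses (and therefore
! the ACLs) are no longer visible to the output policy.
class-map match-all WAN-VOIP
 match ip dscp ef
class-map match-all WAN-COMPANY
 match ip dscp af31
!
policy-map QoS-DSCP
 class WAN-VOIP
  priority percent 20
 class WAN-COMPANY
  bandwidth remaining percent 80
 class class-default
  fair-queue
!
! Re-point the existing shaper (still attached to FastEthernet4) at the
! DSCP-based child policy; nothing else on the WAN interface changes.
policy-map shaper
 class class-default
  shape average 200000 2000 0
  service-policy QoS-DSCP
!
! Verification (Giuseppe's N in = N out check): the packet counters on
! MARK-VOIP / MARK-COMPANY should track those on WAN-VOIP / WAN-COMPANY.
!  show policy-map interface Vlan1 input
!  show policy-map interface FastEthernet4 output
```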