05-28-2013 03:24 PM - edited 03-04-2019 08:02 PM
Hope this is the correct forum. I've seen lots of posts on this subject, but I'm still uncertain which way to go.
We've lost our Cisco Admin.
I need to apply QoS for VoIP traffic.
What I know about our typical setup is as follows.
QoS maps for DSCP
Rate limit on internet port to match cable provider UP/Down
(in this case 8Mb down 756K up)
The traffic needing QoS is marked with DSCP 46 and DSCP 26
We've allotted 50% to DSCP 46 and 5% of remaining to DSCP 26.
Is this enough to offer guidance?
Routers are 891W ISR.
Internet is connected to FA 1
Config begins (edited as required by company; hopefully not over-edited):
hostname Cisco891W
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization console
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone EST -5
clock summer-time summer recurring
service-module wlan-ap 0 bootimage autonomous
!
crypto pki trustpoint
enrollment selfsigned
subject-name
revocation-check none
rsakeypair
!
ip source-route
no ip gratuitous-arps
!
!
no ip bootp server
no ip domain lookup
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name in2out cuseeme timeout 3600
ip inspect name in2out ftp timeout 3600
ip inspect name in2out rcmd timeout 3600
ip inspect name in2out realaudio timeout 3600
ip inspect name in2out tftp timeout 30
ip inspect name in2out udp timeout 15
ip inspect name in2out tcp timeout 3600
!
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto isakmp policy 5
hash md5
authentication pre-share
group 2
crypto ipsec transform-set RTP-TRANSFORM esp-3des esp-sha-hmac
crypto ipsec transform-set medium esp-des esp-md5-hmac
!
crypto map RTPCLIENT 5 ipsec-isakmp
set peer x.x.10.30
set transform-set RTP-TRANSFORM
match address host
crypto map RTPCLIENT 10 ipsec-isakmp
set peer x.x.20.30
set transform-set RTP-TRANSFORM
match address Host
crypto map RTPCLIENT 98 ipsec-isakmp
set peer x.x.30.30
set transform-set medium
set pfs group2
match address Host
crypto map RTPCLIENT 100 ipsec-isakmp
set peer x.x.40.30
set transform-set RTP-TRANSFORM
match address Host
!
interface Loopback1
no ip address
!
!
interface Tunnel1
ip address 10.9.113.2 255.255.255.252
ip mtu 1440
no ip route-cache cef
ip tcp adjust-mss 1360
tunnel source 10.10.10.230
tunnel destination x.x.10.30
crypto map RTPCLIENT
!
!
interface Tunnel2
ip address 10.5.113.2 255.255.255.252
ip mtu 1440
ip tcp adjust-mss 1360
tunnel source 10.10.10.230
tunnel destination x.x.20.30
crypto map RTPCLIENT
!
!
interface Tunnel100
ip address 10.10.113.30 255.255.255.252
ip mtu 1006
no ip route-cache cef
tunnel source 10.10.10.230
tunnel destination x.x.40.30
crypto map RTPCLIENT
!
!
interface FastEthernet0
!
!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
!
!
interface FastEthernet5
!
!
interface FastEthernet6
!
!
interface FastEthernet7
!
!
interface FastEthernet8
description to Internet
ip address 10.10.10.230 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
crypto map RTPCLIENT
no shutdown
!
!
interface GigabitEthernet0
no ip address
shutdown
duplex auto
speed auto
!
!
interface wlan-ap0
ip unnumbered Vlan1
arp timeout 0
!
!
interface Wlan-GigabitEthernet0
!
!
interface Vlan1
description to local LAN
ip address 172.22.113.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
ip tcp adjust-mss 1452
!
!
interface Async1
no ip address
encapsulation slip
!
router eigrp 100
network 10.1.113.0 0.0.0.3
network 10.5.113.0 0.0.0.3
network 10.9.113.0 0.0.0.3
network 172.22.113.0 0.0.0.255
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
ip nat inside source route-map NAT interface FastEthernet8 overload
ip route 0.0.0.0 0.0.0.0
end
05-28-2013 03:26 PM
Internet is on FA 8
05-29-2013 07:59 AM
I only recommend shaping outbound to conform your provider CIR.
The following should take care of this:
policy-map QOS_VPN
 class class-default
  shape average 7600000 30400
interface FA8
 service-policy output QOS_VPN
The inbound CIR should be handled by your provider. Policing inbound provides no benefit as packets have already arrived to the router from the internet. I highly doubt the provider will allow for excess bandwidth anyways.
As far as QoS for VoIP, don't waste your time on internet bound traffic. As soon as the packet leaves your router, it is best effort until it reaches the remote office where more than likely there isn't any congestion. If you mark the packets at the source (ingress switchport), the markings will be preserved end-to-end.
Regards,
Edison
Note: values used above were reflected on 8Mbps (ingress traffic). Please use Joseph's value for the shape average on 756Kbps egress traffic.
05-29-2013 10:30 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
QoS maps for DSCP
Rate limit on internet port to match cable provider UP/Down
(in this case 8Mb down 756K up)
The traffic needing QoS is marked with DSCP 46 and DSCP 26
We've allotted 50% to DSCP 46 and 5% of remaining to DSCP 26.
Is this enough to offer guidance?
Enough guidance? Maybe.
If you're using your Internet bandwidth for anything beyond your tunnels, then QoS may be ineffective.
As you show three tunnels, if their aggregate can exceed the receiver's bandwidth, you need to configure QoS for that too.
First what you want to do is shape for your uplink bandwidth. Assuming your 756K is for L2, you may need to shape 5 to 15% slower when shaping L3.
Although Edison mentions the Internet doesn't support QoS, what your principal bottleneck is likely to be is your uplink bandwidth. So, not only do we want to shape for it, but to support VoIP, we should prioritize VoIP traffic that's shaped.
Perhaps something like:
class-map match-any LLQ
 match dscp 46
class-map match-any Signalling
 match dscp 26
!
! Child policy: queuing applied inside the shaped rate
policy-map SampleQoS
 class LLQ
  priority percent 50
 class Signalling
  bandwidth remaining percent 5
 class class-default
  fair-queue
!
! Parent policy: shape below the uplink rate, then hand off to the child
policy-map ShapeFor756K
 class class-default
  shape average 650000
  service-policy SampleQoS
!
int tunnel #
 qos pre-classify
int fa 8
 service-policy output ShapeFor756K
Note: BTW, signalling might be okay in class-default's FQ. As its bandwidth needs are light, I've sometimes just dropped it into LLQ too.
05-30-2013 10:30 AM
I'm close to your suggestions.
I used the command bandwidth instead of shape.
The ISP states the upload is 1.5Mb. Bandwidth tests are much lower, average 750k.
'Sh policy-map Voice fa 8' shows packet matches. Does that mean it's applying or just matching?
And yes we're trying QoS because we want the router to prioritize the Voice traffic and drop other traffic instead of the ISP deciding what to drop.
Bandwidth utilized as:
These are cable modem networks, so fa8 handles all traffic: VPN, tunnels and Internet browsing. This is a media/advertising business, so they like to copy files across the VPNs. Files are a few 100k and can be as large as 20MB.
Observed behavior. Calls are static, but don't drop.
With the current QoS in place, ping tests are a little better, about 1/3 the dropped pings as when QoS is not applied. However, no difference in voice is noted if QoS is applied or not.
05-30-2013 03:49 PM
Bandwidth command doesn't limit bandwidth. You need shape if your physical interface has more bandwidth than what's available downstream.
Packet matches, alone, just mean the packets match the class criteria. What you need is to prioritize your VoIP when more than your uplink bandwidth is offered (again, why you need to shape).
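The point of the last reply, as an added example that is not part of the thread: a small Python model of a router feeding a cable modem, comparing traffic sent unshaped into the modem with traffic shaped on the router with a priority queue for voice. The 20-packet buffers, packet sizes and traffic rates are constructed assumptions; 650 and 750 kbit/s stand in for the shape rate and measured uplink discussed above.

```python
from collections import deque

class Link:
    """Rate-limited queue; prio=True adds a strict-priority voice queue (LLQ-like)."""
    def __init__(self, kbps, limit, prio=False):
        self.rate = kbps / 8.0            # kbit/s -> bytes per millisecond
        self.limit, self.prio, self.credit = limit, prio, 0.0
        self.voice, self.data = deque(), deque()

    def enqueue(self, pkt):
        q = self.voice if self.prio and pkt[0] == "voice" else self.data
        if q is self.data and len(q) >= self.limit:
            return False                  # tail drop, blind to DSCP
        q.append(pkt)
        return True

    def tick(self):                       # advance 1 ms, return packets sent
        out = []
        if not (self.voice or self.data):
            self.credit = 0.0             # idle link carries no credit over
            return out
        self.credit += self.rate
        while True:
            q = self.voice or self.data   # voice first when present
            if not q or q[0][1] > self.credit:
                return out
            self.credit -= q[0][1]
            out.append(q.popleft())

def run(shaped, total_ms=10_000):
    # Constructed values: 20-packet modem FIFO, 80 kbit/s voice, 2.4 Mbit/s bulk copy.
    router, modem = Link(650, 20, prio=True), Link(750, 20)
    lost = worst = 0
    for ms in range(total_ms):
        pkts = [("voice", 200, ms)] if ms % 20 == 0 else []
        if ms % 5 == 0:
            pkts.append(("data", 1500, ms))
        if shaped:                        # queue and schedule on the router
            for p in pkts:
                router.enqueue(p)
            pkts = router.tick()
        for p in pkts:                    # unshaped: straight into the modem
            if not modem.enqueue(p) and p[0] == "voice":
                lost += 1
        for p in modem.tick():
            if p[0] == "voice":
                worst = max(worst, ms - p[2])
    return {"voice_lost": lost, "worst_voice_delay_ms": worst}

print("unshaped:", run(False), "shaped:", run(True))
```

Without the shaper the FastEthernet port never congests, so the only queue that builds is the modem's FIFO, which drops and delays voice along with the file copies; with the shaper the backlog forms on the router, where the priority class can act on it.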