584 Views, 0 Helpful, 5 Replies

QoS over VPN

knevynnnn
Level 1

Hope this is the correct forum. I've seen lots of posts on this subject, but I'm still uncertain which way to go.

We've lost our Cisco Admin.

I need to apply QoS for VoIP traffic.

What I know about our typical setup as follows.

QoS maps for DSCP

Rate limit on internet port to match cable provider UP/Down

(in this case 8Mb down 756K up)

The traffic needing QoS is marked with DSCP 46 and DSCP 26

We've allotted 50% to DSCP 46 and 5% of remaining to DSCP 26.

Is this enough to offer guidance?

Routers are 891W ISR.

Internet is connected to FA 1

Config begins ------------------------------------------------- Config edited-Required by company ---- hopefully not over edited.

hostname Cisco891W
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
logging buffered 51200 warnings
!
aaa new-model
!
aaa authentication login default local
aaa authorization console
aaa authorization exec default local
!
aaa session-id common
!
clock timezone EST -5
clock summer-time summer recurring
service-module wlan-ap 0 bootimage autonomous
!
crypto pki trustpoint
 enrollment selfsigned
 subject-name
 revocation-check none
 rsakeypair
!
ip source-route
no ip gratuitous-arps
!
no ip bootp server
no ip domain lookup
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name in2out cuseeme timeout 3600
ip inspect name in2out ftp timeout 3600
ip inspect name in2out rcmd timeout 3600
ip inspect name in2out realaudio timeout 3600
ip inspect name in2out tftp timeout 30
ip inspect name in2out udp timeout 15
ip inspect name in2out tcp timeout 3600
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
crypto isakmp policy 5
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set RTP-TRANSFORM esp-3des esp-sha-hmac
crypto ipsec transform-set medium esp-des esp-md5-hmac
!
crypto map RTPCLIENT 5 ipsec-isakmp
 set peer x.x.10.30
 set transform-set RTP-TRANSFORM
 match address host
crypto map RTPCLIENT 10 ipsec-isakmp
 set peer x.x.20.30
 set transform-set RTP-TRANSFORM
 match address Host
crypto map RTPCLIENT 98 ipsec-isakmp
 set peer x.x.30.30
 set transform-set medium
 set pfs group2
 match address Host
crypto map RTPCLIENT 100 ipsec-isakmp
 set peer x.x.40.30
 set transform-set RTP-TRANSFORM
 match address Host
!
interface Loopback1
 no ip address
!
interface Tunnel1
 ip address 10.9.113.2 255.255.255.252
 ip mtu 1440
 no ip route-cache cef
 ip tcp adjust-mss 1360
 tunnel source 10.10.10.230
 tunnel destination x.x.10.30
 crypto map RTPCLIENT
!
interface Tunnel2
 ip address 10.5.113.2 255.255.255.252
 ip mtu 1440
 ip tcp adjust-mss 1360
 tunnel source 10.10.10.230
 tunnel destination x.x.20.30
 crypto map RTPCLIENT
!
interface Tunnel100
 ip address 10.10.113.30 255.255.255.252
 ip mtu 1006
 no ip route-cache cef
 tunnel source 10.10.10.230
 tunnel destination x.x.40.30
 crypto map RTPCLIENT
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
 description to Internet
 ip address 10.10.10.230 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
 crypto map RTPCLIENT
 no shutdown
!
interface GigabitEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface wlan-ap0
 ip unnumbered Vlan1
 arp timeout 0
!
interface Wlan-GigabitEthernet0
!
interface Vlan1
 description to local LAN
 ip address 172.22.113.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 ip tcp adjust-mss 1452
!
interface Async1
 no ip address
 encapsulation slip
!
router eigrp 100
 network 10.1.113.0 0.0.0.3
 network 10.5.113.0 0.0.0.3
 network 10.9.113.0 0.0.0.3
 network 172.22.113.0 0.0.0.255
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
ip nat inside source route-map NAT interface FastEthernet8 overload
ip route 0.0.0.0 0.0.0.0
end

5 Replies

knevynnnn
Level 1

Internet is on FA 8

Edison Ortiz
Hall of Fame

I only recommend shaping outbound to conform to your provider's CIR.

The following should take care of this:

policy-map QOS_VPN
 class class-default
  shape average 7600000 30400
interface FastEthernet8
 service-policy output QOS_VPN

The inbound CIR should be handled by your provider. Policing inbound provides no benefit, as the packets have already arrived at the router from the internet. I highly doubt the provider will allow for excess bandwidth anyway.

As far as QoS for VoIP, don't waste your time on internet bound traffic. As soon as the packet leaves your router, it is best effort until it reaches the remote office where more than likely there isn't any congestion. If you mark the packets at the source (ingress switchport), the markings will be preserved end-to-end.

Regards,

Edison

Note: values used above were reflected on 8Mbps (ingress traffic). Please use Joseph's value for the shape average on 756Kbps egress traffic.

Joseph W. Doherty
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

QoS maps for DSCP

Rate limit on internet port to match cable provider UP/Down

(in this case 8Mb down 756K up)

The traffic needing QoS is marked with DSCP 46 and DSCP 26

We've alloted 50% to DSCP 46 and 5% of remaining to DSCP 26.

Is this enough to offer guidance?

Enough guidance?  Maybe.

If you're using your Internet bandwidth for anything beyond your tunnels, then QoS may be ineffective.

As you show three tunnels, if their aggregate can exceed the receiver's bandwidth, you need to configure QoS for that too.

First what you want to do is shape for your uplink bandwidth.  Assuming your 756K is for L2, you may need to shape 5 to 15% slower when shaping L3.

Although Edison mentions the Internet doesn't support QoS, what your principle bottleneck is likely to be is your uplink bandwidth.  So, not only do we want to shape for it, but to support VoIP, we should prioritize VoIP traffic that's shaped.

Perhaps something like:

class-map match-any LLQ
 match dscp 46
class-map match-any Signalling
 match dscp 26
policy-map SampleQoS
 class LLQ
  priority percent 50
 class Signalling
  bandwidth remaining percent 5
 class class-default
  fair-queue
policy-map ShapeFor756K
 class class-default
  shape average 650000
  service-policy SampleQoS
int tunnel #
 qos pre-classify
int fa 8
 service-policy output ShapeFor756K

Note: BTW, signaling might be okay in class-default's FQ. As its bandwidth needs are light, I've sometimes just dropped it into LLQ too.
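The two replies above make the same two-part recommendation: shape the uplink to what the provider actually delivers, then give DSCP 46 strict priority inside that shaped rate. The Python below is an added example, not code from this thread or from Cisco. It computes the L3 shape rate that the "5 to 15% slower" remark refers to, the Bc value in the "shape average 7600000 30400" command (Bc = CIR x Tc with Tc = 4 ms), and then runs one G.711 call, light signalling and a LAN-speed file copy through a 650 kbit/s link with a plain FIFO and with LLQ. The traffic, the 38-byte per-frame Ethernet overhead, the 64-packet queue limit and the 200 ms priority burst are constructed assumptions; IOS polices the priority class only under congestion, while this model polices it always.

```python
"""Toy model of 'shape to the uplink, then LLQ for DSCP 46'.  Added example;
all traffic and overhead figures below are constructed assumptions."""
from collections import deque

EF, AF31, BE = 46, 26, 0          # DSCP values from the thread; 0 = everything else


def l3_shape_rate(l2_cir_bps, avg_pkt_bytes, l2_overhead_bytes=38):
    """Rate for 'shape average' so that L3 bytes plus per-frame L2 overhead fit
    the provider's L2 rate.  38 B = Ethernet header+FCS+preamble+IFG (assumption;
    cable/DOCSIS framing differs, hence the thread's '5 to 15%' rule of thumb)."""
    return int(l2_cir_bps * avg_pkt_bytes / (avg_pkt_bytes + l2_overhead_bytes))


def shape_bc(cir_bps, tc_seconds=0.004):
    """Committed burst in bits for shaper interval Tc: Bc = CIR * Tc."""
    return round(cir_bps * tc_seconds)


def make_traffic(duration=2.0):
    """Constructed arrivals as (time_s, size_bytes, dscp), sorted by time."""
    pk = []
    t = 0.0
    while t < duration:               # one G.711 call: 200 B every 20 ms, DSCP 46
        pk.append((t, 200, EF))
        t += 0.020
    t = 0.1
    while t < duration:               # signalling: 300 B every 250 ms, DSCP 26
        pk.append((t, 300, AF31))
        t += 0.250
    t, step = 0.5, 1500 * 8 / 100e6   # file copy at LAN speed from 0.5 s to 1.5 s
    while t < 1.5:
        pk.append((t, 1500, BE))
        t += step
    return sorted(pk)


def simulate(packets, rate_bps, llq, queue_limit=64, priority_pct=50):
    """Serve packets over a link of rate_bps.  llq=False: one FIFO.  llq=True:
    strict priority for EF (policed to priority_pct of the rate), then AF31,
    then class-default.  Every queue tail-drops at queue_limit packets.
    Returns {dscp: (max_queueing_delay_s, drops)}."""
    order = [EF, AF31, BE] if llq else [BE]
    queues = {c: deque() for c in order}
    max_delay = {c: 0.0 for c in (EF, AF31, BE)}
    drops = {c: 0 for c in (EF, AF31, BE)}
    tok_rate = rate_bps * priority_pct / 100 / 8     # LLQ policer, bytes per second
    tok_cap = tok_rate * 0.2                          # 200 ms burst allowance
    tokens, tok_t, link_free, i = tok_cap, 0.0, 0.0, 0
    while i < len(packets) or any(queues.values()):
        if not any(queues.values()):                  # idle link: jump to next arrival
            link_free = max(link_free, packets[i][0])
        while i < len(packets) and packets[i][0] <= link_free:
            t, size, dscp = packets[i]
            i += 1
            if llq and dscp == EF:                    # 'priority percent' policer
                tokens = min(tok_cap, tokens + (t - tok_t) * tok_rate)
                tok_t = t
                if tokens < size:
                    drops[EF] += 1
                    continue
                tokens -= size
            q = queues[dscp] if llq else queues[BE]
            if len(q) >= queue_limit:                 # tail drop
                drops[dscp] += 1
                continue
            q.append((t, size, dscp))
        for c in order:                               # strict priority: first non-empty
            if queues[c]:
                t, size, dscp = queues[c].popleft()
                max_delay[dscp] = max(max_delay[dscp], link_free - t)
                link_free += size * 8 / rate_bps      # serialisation time
                break
    return {c: (round(max_delay[c], 4), drops[c]) for c in (EF, AF31, BE)}


def compare(rate_bps=650000):
    """Same offered traffic through a FIFO and through the LLQ policy."""
    pk = make_traffic()
    return {"fifo": simulate(pk, rate_bps, llq=False),
            "llq": simulate(pk, rate_bps, llq=True)}


if __name__ == "__main__":
    print("L3 shape rate for 756k L2:", l3_shape_rate(756000, 300))
    print("Bc for 7.6M / 650k:", shape_bc(7600000), shape_bc(650000))
    for name, res in compare().items():
        print(name, res)
```

With the FIFO the file copy keeps the 64-packet queue full, so voice packets are mostly tail-dropped and the few that get in wait over a second behind 1500-byte frames. With LLQ no voice packet is lost and the worst queueing delay is one MTU serialisation at 650 kbit/s, about 18 ms. That bound only holds if the shaper, not the cable modem, is the bottleneck, which is why the shape rate has to sit below the measured uplink rate rather than at the advertised one.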

I'm close to your suggestions.

I used the command bandwidth instead of shape.

The ISP states the upload is 1.5Mb. Bandwidth tests are much lower, average 750k.

'Sh policy-map Voice fa 8' shows packet matches. Does that mean it's applying or just matching?

And yes we're trying QoS because we want the router to prioritize the Voice traffic and drop other traffic instead of the ISP deciding what to drop.

Bandwidth utilized as:

These are cable modem networks, so fa8 handles all traffic: VPN, tunnels and Internet browsing. This is a media/advertising business, so they like to copy files across the VPNs. Files are a few 100k and can be as large as 20MB.

Observed behavior: calls have static, but don't drop.

With the current QoS in place, ping tests are a little better, about 1/3 the dropped pings compared to when QoS is not applied. However, no difference in voice is noted whether QoS is applied or not.


Posting

Bandwidth command doesn't limit bandwidth.  You need shape if your physical interface has more bandwidth than what's available downstream.

Packet matches, alone, just mean the packets matched the class criteria. What you need is to prioritize your VoIP when more than your uplink bandwidth is offered (again, why you need to shape).
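The question in the previous post, whether "packet matches" means the policy is applying or only classifying, is answered from the counters of `show policy-map interface FastEthernet8`, the IOS command that prints per-class packets, drops, shaper and priority state. The Python below is an added example, not from this thread or from Cisco: it parses that output into one record per class (child policies included) and reports whether anything is actually being queued. The two captures are constructed to mirror the two configurations discussed, the parent shaper with nested LLQ and a policy that uses bandwidth/priority with no shaper; the field layout is recalled from IOS 12.4/15 output and may vary by release, so the regexes are an assumption to check against a real capture.

```python
"""Parse 'show policy-map interface' counters and say whether a policy is
queueing/shaping or only classifying.  Added example; captures are constructed."""
import re

SHAPED = """\
FastEthernet8
  Service-policy output: ShapeFor756K
    Class-map: class-default (match-any)
      913422 packets, 812077513 bytes
      5 minute offered rate 1712000 bps, drop rate 1060000 bps
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 64/351210/0
      shape (average) cir 650000, bc 2600, be 2600
      Service-policy : SampleQoS
        Class-map: LLQ (match-any)
          48210 packets, 9642000 bytes
          5 minute offered rate 80000 bps, drop rate 0 bps
          Priority: 50% (325 kbps), burst bytes 8100, b/w exceed drops: 0
        Class-map: Signalling (match-any)
          1200 packets, 360000 bytes
          5 minute offered rate 2000 bps, drop rate 0 bps
          Queueing
          (queue depth/total drops/no-buffer drops) 0/0/0
          bandwidth remaining 5% (16 kbps)
        Class-map: class-default (match-any)
          864012 packets, 802075513 bytes
          5 minute offered rate 1630000 bps, drop rate 1060000 bps
          Queueing
          (queue depth/total drops/no-buffer drops) 64/351210/0
          Fair-queue: per-flow queue limit 16 packets
"""

BANDWIDTH_ONLY = """\
FastEthernet8
  Service-policy output: Voice
    Class-map: LLQ (match-any)
      48210 packets, 9642000 bytes
      5 minute offered rate 80000 bps, drop rate 0 bps
      Priority: 50% (50000 kbps), burst bytes 1250000, b/w exceed drops: 0
    Class-map: class-default (match-any)
      864012 packets, 802075513 bytes
      5 minute offered rate 1630000 bps, drop rate 0 bps
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
"""

FIELDS = [  # key, regex over the stripped line (group 1 is the value), default
    ("packets", r"^(\d+) packets,", 0),
    ("queueing", r"^(Queueing)$", False),
    ("total_drops", r"total drops/no-buffer drops\) \d+/(\d+)/", 0),
    ("shape_cir", r"shape \(average\) cir (\d+)", None),
    ("priority_pct", r"Priority: (\d+)%", None),
    ("exceed_drops", r"b/w exceed drops: (\d+)", 0),
]


def parse_policy_map(text):
    """One dict per class, in print order, tagged with its service-policy name."""
    classes, policy, cur = [], None, None
    for raw in text.splitlines():
        s = raw.strip()
        m = re.match(r"Service-policy\s*(?:output|input)?\s*:\s*(\S+)", s)
        if m:
            policy = m.group(1)       # a child policy is printed under its parent class
            continue
        m = re.match(r"Class-map: (\S+) \(match-", s)
        if m:
            cur = {"policy": policy, "class": m.group(1), **{k: d for k, _, d in FIELDS}}
            classes.append(cur)
            continue
        for key, pat, _ in FIELDS:
            m = re.search(pat, s)
            if m and cur is not None:
                v = m.group(1)
                cur[key] = int(v) if v.isdigit() else True
    return classes


def assess(classes):
    """Turn the counters into the practical reading: matching is not queueing."""
    out = []
    shaped = [c for c in classes if c["shape_cir"]]
    if not shaped:
        out.append("no shaper: bandwidth/priority only act when the interface itself is "
                   "congested, and a 100 Mb/s port feeding a 756 kb/s uplink never is")
    for c in classes:
        tag = f"{c['policy']}/{c['class']}"
        if c["packets"] and not c["queueing"] and c["priority_pct"] is None:
            out.append(f"{tag}: counts matches but has no queueing action")
        if c["total_drops"] or c["exceed_drops"]:
            out.append(f"{tag}: {c['total_drops'] + c['exceed_drops']} drops, so this "
                       "class really is queued and congested here")
    llq = [c for c in classes if c["priority_pct"] is not None and c["packets"]]
    if shaped and llq and not any(c["exceed_drops"] for c in llq) \
            and any(c["total_drops"] for c in shaped):
        out.append("priority class lost nothing while the shaper dropped other "
                   "traffic: LLQ is working")
    return out


if __name__ == "__main__":
    for name, cap in (("shaped", SHAPED), ("bandwidth-only", BANDWIDTH_ONLY)):
        print(name, assess(parse_policy_map(cap)), sep="\n  ")
```

The useful signal is drops on the parent shaper's class-default alongside zero exceed drops on the priority class: that combination means congestion is being absorbed in the router, where the voice class is protected. A capture in which every class shows matches but no class shows drops while the call still has static means the drops are happening downstream in the modem or the provider's network, which is exactly what a shaper set below the real uplink rate is meant to prevent.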
