07-06-2020 10:14 PM
If I posted this on the wrong board, please let me know. So I am working on a home system that I use to practice and develop my skills on, while being functional for my needs. I recently put in service a Cisco C3845 router as my ABR (connecting my internet modem and my LAN). I am running NAT overload, and then using ZBFW. I also want to add QoS for voice traffic, as our phones that are connected through Wi-Fi will utilize that connection before the cellular connection. I was looking at adding something like this:
! Match packets already marked DSCP EF (the voice marking)
ip access-list extended VOICE_ACL
 permit ip any any dscp ef
!
! The class-map has to exist before the policy-map references it,
! otherwise IOS rejects "class VOICE_CLASS" in the policy-map
class-map match-any VOICE_CLASS
 match access-group name VOICE_ACL
!
policy-map VOICE10Mb
 class VOICE_CLASS
  bandwidth 6000
 class class-default
  fair-queue
!
! Applied outbound on the WAN side (the WAN interface in the config below is GigabitEthernet0/1)
interface GigabitEthernet0/0/0
 service-policy output VOICE10Mb
After thinking about it though, I was wondering how it would interact with my ZBFW. Also, would there be a cleaner way to do it, or to run it through the zones? Here is my config below, be gentle lol:
! Inspect class-maps: each one matches a zone-pair ACL below
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
 match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
 match access-group name OUTSIDE-TO-INSIDE
class-map type inspect match-all INSIDE-TO-DMZ-CLASS
 match access-group name INSIDE-TO-DMZ
class-map type inspect match-all OUTSIDE-TO-DMZ-CLASS
 match access-group name OUTSIDE-TO-DMZ
!
! Inspect policy-maps: inspect = stateful, pass = stateless, everything else dropped and logged
policy-map type inspect OUTSIDE-TO-DMZ-POLICY
 class type inspect OUTSIDE-TO-DMZ-CLASS
  inspect
 class class-default
  drop log
policy-map type inspect INSIDE-TO-DMZ-POLICY
 class type inspect INSIDE-TO-DMZ-CLASS
  pass
 class class-default
  drop log
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
 class type inspect OUTSIDE-TO-INSIDE-CLASS
  pass
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone security DMZ
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
zone-pair security OUT-TO-DMZ source OUTSIDE destination DMZ
 service-policy type inspect OUTSIDE-TO-DMZ-POLICY
zone-pair security IN-TO-DMZ source INSIDE destination DMZ
 service-policy type inspect INSIDE-TO-DMZ-POLICY
!
interface GigabitEthernet0/0
 description LAN
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description WAN
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 zone-member security OUTSIDE
!
ip nat inside source list NAT interface GigabitEthernet0/1 overload
!
ip access-list extended INSIDE-TO-DMZ
 permit tcp 192.168.0.0 0.0.255.255 172.17.0.0 0.0.255.255 eq www
 permit icmp 192.168.0.0 0.0.255.255 172.17.0.0 0.0.255.255
ip access-list extended INSIDE-TO-OUTSIDE
 permit tcp 192.168.0.0 0.0.255.255 any eq www
 permit tcp 192.168.0.0 0.0.255.255 any eq pop3
 permit icmp 192.168.0.0 0.0.255.255 any
 permit ip 192.168.2.0 0.0.0.255 any
 permit tcp any any
 permit udp any any
ip access-list extended NAT
 permit ip 192.168.2.0 0.0.0.255 any
ip access-list extended OUTSIDE-TO-DMZ
 permit tcp any 172.17.0.0 0.0.255.255 eq www
ip access-list extended OUTSIDE-TO-INSIDE
 permit icmp any 192.168.0.0 0.0.255.255
 permit tcp any any eq 8766
 permit tcp any any eq 27015
 permit tcp any any eq 27016
 permit udp any any eq 27016
 permit udp any any eq 27015
 permit udp any any eq 8766
07-07-2020 12:16 AM
Hello,
just a few things: why would you want to limit the QoS for voice to 6MB? That is, in today's world, not a lot. I would just use the priority percent, so whatever voice needs, it will allocate 30 percent to the priority queue.
In the ZBF, I think you need to allow www/pop3/icmp back in as well.
So it should look like below (changes/additions marked with -->):
! VOICE_CLASS and VOICE_ACL as defined in the original post
policy-map VOICE10Mb
 class VOICE_CLASS
-->  priority percent 30
 class class-default
  fair-queue
!
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
 match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
 match access-group name OUTSIDE-TO-INSIDE
class-map type inspect match-all INSIDE-TO-DMZ-CLASS
 match access-group name INSIDE-TO-DMZ
class-map type inspect match-all OUTSIDE-TO-DMZ-CLASS
 match access-group name OUTSIDE-TO-DMZ
!
policy-map type inspect OUTSIDE-TO-DMZ-POLICY
 class type inspect OUTSIDE-TO-DMZ-CLASS
  inspect
 class class-default
  drop log
policy-map type inspect INSIDE-TO-DMZ-POLICY
 class type inspect INSIDE-TO-DMZ-CLASS
  pass
 class class-default
  drop log
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
 class type inspect OUTSIDE-TO-INSIDE-CLASS
  pass
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone security DMZ
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
zone-pair security OUT-TO-DMZ source OUTSIDE destination DMZ
 service-policy type inspect OUTSIDE-TO-DMZ-POLICY
zone-pair security IN-TO-DMZ source INSIDE destination DMZ
 service-policy type inspect INSIDE-TO-DMZ-POLICY
!
interface GigabitEthernet0/0
 description LAN
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description WAN
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 zone-member security OUTSIDE
!
! Default route learned via DHCP on the WAN interface
--> ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 dhcp
!
ip nat inside source list NAT interface GigabitEthernet0/1 overload
!
ip access-list extended INSIDE-TO-DMZ
 permit tcp 192.168.0.0 0.0.255.255 172.17.0.0 0.0.255.255 eq www
 permit icmp 192.168.0.0 0.0.255.255 172.17.0.0 0.0.255.255
ip access-list extended INSIDE-TO-OUTSIDE
 permit tcp 192.168.0.0 0.0.255.255 any eq www
 permit tcp 192.168.0.0 0.0.255.255 any eq pop3
 permit icmp 192.168.0.0 0.0.255.255 any
 permit ip 192.168.2.0 0.0.0.255 any
 permit tcp any any
 permit udp any any
ip access-list extended NAT
 permit ip 192.168.2.0 0.0.0.255 any
ip access-list extended OUTSIDE-TO-DMZ
 permit tcp any 172.17.0.0 0.0.255.255 eq www
ip access-list extended OUTSIDE-TO-INSIDE
-->  permit tcp any 192.168.0.0 0.0.255.255 eq www
-->  permit tcp any 192.168.0.0 0.0.255.255 eq pop3
-->  permit icmp any 192.168.0.0 0.0.255.255
 permit icmp any 192.168.0.0 0.0.255.255
 permit tcp any any eq 8766
 permit tcp any any eq 27015
 permit tcp any any eq 27016
 permit udp any any eq 27016
 permit udp any any eq 27015
 permit udp any any eq 8766
07-07-2020 06:12 AM - edited 07-07-2020 06:21 AM
". . . why would you want to limit the QoS for voice to 6MB ?"
(I assume the 6MB is 6 Mbps.)
BTW, the class-map's "bandwidth 6000" doesn't limit bandwidth to 6 Mbps; it sets a minimum guarantee.
"priority percent 30"
Also BTW, if the class-map believes it has 10 Mbps, the above could limit bandwidth to 3 Mbps, which, if you believe 6 Mbps isn't a lot, then 3 Mbps would be only half that (?). That noted, G.711 uses about 100 Kbps per call; compressed codecs use even less. We don't know the codec being used or the number of concurrent calls, without which it is difficult to say whether enough bandwidth is allocated. That aside, recommending PQ does help ensure minimum latencies and/or low jitter for VoIP.
07-11-2020 08:49 PM - edited 07-11-2020 08:59 PM
So what difference do I see between a min guarantee and priority percent?
If I use guarantee, does that not allow the bandwidth amount to be used by anything even if there is no call going on at the moment? Same question for priority percent.
Also, does this apply to the incoming voice packets vs. outgoing?
I am unsure what codec the world smart app, or Verizon, would be using for the VoIP.
Concurrent calls would be 3 at most, but along with video traffic of 2-3 streaming TVs possibly.
07-12-2020 06:13 AM - edited 07-12-2020 08:27 AM
Both the bandwidth and priority commands are outgoing only.
The bandwidth command allows other traffic to use unused bandwidth from the configured bandwidth class, and allows the configured bandwidth class to obtain bandwidth from other classes.
The priority command also allows other traffic to use unused bandwidth, but if the configured priority class needs to queue packets, it limits the bandwidth to what's been specified. However, if traffic is not queued in the configured priority class, it may use more bandwidth than specified.
The other difference between the commands: bandwidth obtains a proportional amount of dequeuing, whereas priority traffic is dequeued before all the bandwidth-configured classes.
For video streaming applications, a bandwidth-configured class is usually all that's needed. You just need to ensure it has sufficient bandwidth to support the class's bandwidth needs.
07-12-2020 08:17 AM
Priority command also allows other traffic to use unused bandwidth, but if the configured priority class needs to queue packets, it limits the bandwidth to what's been specified. However, if traffic is not queued in the configured priority class, it may use more bandwidth than specified. So when you say it may use more bandwidth than specified, that means if I have VoIP running and, say, a download, if VoIP starts to queue it would limit the download to 70% since I have a term of 30% set to VoIP?
The other difference between the commands, bandwidth obtains a proportional amount of dequeuing where priority traffic is dequeued before all the bandwidth configured classes. So if queuing starts happening, and VoIP needs more than the bandwidth setting, it queues just like everything else? Is that a correct understanding? And with priority, if it goes over the 30% setting, then it is still the number 1 priority for the queue?
07-12-2020 12:42 PM - edited 07-12-2020 12:46 PM
"So when you say it may use more bandwidth than specified, that means if I have VoIP running and, say, a download, if VoIP starts to queue it would limit the download to 70% since I have a term of 30% set to VoIP?"
More or less, correct. Basically, when the aggregate of all traffic exceeds 100% of capacity, the priority percentage will be enforced, leaving 100 minus that percentage for all other traffic.
"So if queuing starts happening, and VoIP needs more than the bandwidth setting, it queues just like everything else? Is that a correct understanding? And with priority, if it goes over the 30% setting, then it is still the number 1 priority for the queue?"
With LLQ (set via the priority command), when there's queuing, the priority class is dequeued first (until empty).
For a bandwidth configuration, given:
policy-map example
 class class1
  bandwidth percent 25
 class class2
  bandwidth percent 25
 class class3
  bandwidth percent 50
If the aggregate of the above doesn't exceed 100%, then the above has no effect.
If any one class is the only class with traffic, it can have 100%.
If two of the above classes want 100%: if they are classes 1 and 2, each will obtain 50% (25:25, or 1:1); if classes (1 or 2) and 3, class 1 or 2 will obtain 1/3 of the bandwidth and class 3 will obtain 2/3 (25:50, or 1:2).
If all classes want 100%, classes 1 and 2 will obtain 25% and class 3 will obtain 50% (25:25:50).
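The two posts above describe how the scheduler behaves once the link is congested: the priority class is dequeued first but capped at its percent, and the bandwidth classes split what is left by the ratio of their percents, with any share a class does not use handed to the others. The script below is an added example (it is not from the thread and not Cisco's implementation) that models exactly those rules so the 30%/70% case and the 25/25/50 ratios can be checked numerically. It assumes a steady-state offered load per class in Mbps, models class-default as a bandwidth class whose weight is whatever percent is left unconfigured, and ignores layer-2 overhead, bursts and the per-interval nature of the real LLQ policer; the function and class names are mine.

```python
"""Simplified model of the CBWFQ/LLQ behaviour described in the thread.

Assumptions (mine, not the thread's):
  * each class is a steady-state offered load in Mbps;
  * under congestion the priority class is served first but policed to its
    configured percent (the 30%/70% exchange above);
  * bandwidth classes split what is left in proportion to their percent, and a
    class that needs less than its share hands the excess to the others
    (weighted max-min fairness);
  * class-default is a bandwidth class whose weight is the unconfigured percent.
Layer-2 overhead, bursts and the per-interval LLQ policer are ignored.
"""
from dataclasses import dataclass

EPS = 1e-9


@dataclass(frozen=True)
class QosClass:
    name: str
    percent: float          # "priority percent N" or "bandwidth percent N"
    priority: bool = False  # True => LLQ class, False => CBWFQ bandwidth class


def weighted_fair_share(capacity, demands, weights):
    """Weighted max-min fair split of `capacity` (Mbps) among bandwidth classes.

    Each round offers every still-unsatisfied class a share proportional to its
    weight; classes that need no more than their share take exactly what they
    need and drop out, and the capacity they left unused goes to the rest.
    """
    alloc = {name: 0.0 for name in demands}
    active = {name for name, demand in demands.items() if demand > EPS}
    remaining = capacity
    while active and remaining > EPS:
        total_weight = sum(weights[name] for name in active)
        if total_weight <= 0:
            break
        shares = {name: remaining * weights[name] / total_weight for name in active}
        satisfied = {name for name in active
                     if demands[name] - alloc[name] <= shares[name] + EPS}
        if not satisfied:
            # everyone still wants more than its share: split by ratio and stop
            for name in active:
                alloc[name] += shares[name]
            break
        for name in satisfied:
            grant = demands[name] - alloc[name]
            alloc[name] += grant
            remaining -= grant
            active.discard(name)
    return alloc


def allocate(capacity, classes, demands):
    """Return {class name: Mbps} each class gets on a link of `capacity` Mbps."""
    demands = {c.name: float(demands.get(c.name, 0.0)) for c in classes}
    if sum(demands.values()) <= capacity + EPS:
        # nothing queues, so neither command is enforced and the priority
        # class may run above its configured percent
        return demands
    alloc = {}
    remaining = capacity
    # LLQ: dequeued first, but under congestion policed to its percent
    for c in classes:
        if c.priority:
            alloc[c.name] = min(demands[c.name], capacity * c.percent / 100.0)
            remaining -= alloc[c.name]
    # CBWFQ: bandwidth classes share the remainder by the ratio of their percents
    bandwidth_classes = [c for c in classes if not c.priority]
    alloc.update(weighted_fair_share(
        remaining,
        {c.name: demands[c.name] for c in bandwidth_classes},
        {c.name: c.percent for c in bandwidth_classes},
    ))
    return alloc


# The thread's policy: priority percent 30 for voice on the 10 Mbps upload,
# with class-default modelled as the remaining 70 percent.
VOICE_POLICY = [QosClass("VOICE_CLASS", 30, priority=True),
                QosClass("class-default", 70)]

# The three-class bandwidth example from the post above (25/25/50).
RATIO_POLICY = [QosClass("class1", 25), QosClass("class2", 25), QosClass("class3", 50)]


if __name__ == "__main__":
    # constructed loads: voice 4 Mbps + download 5 Mbps fits, voice keeps its 4
    print(allocate(10, VOICE_POLICY, {"VOICE_CLASS": 4, "class-default": 5}))
    # voice 5 + download 10 congests: voice policed to 3, download gets 7
    print(allocate(10, VOICE_POLICY, {"VOICE_CLASS": 5, "class-default": 10}))
    # classes 1 and 3 both want everything: 1/3 and 2/3
    print(allocate(100, RATIO_POLICY, {"class1": 100, "class3": 100}))
    # class 1 needs only 10, so its unused 15 is redistributed 1:2 to classes 2 and 3
    print(allocate(100, RATIO_POLICY, {"class1": 10, "class2": 100, "class3": 100}))
```

The last case is the one the thread only hints at: because class1 needs less than its 25% share, classes 2 and 3 end up with 30 and 60 rather than 25 and 50, which is what "allows other traffic to use unused bandwidth" means in numbers.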
07-12-2020 02:33 PM
That gives a very clear understanding; I am very glad you went into the ratio as well. So in your opinion, what's the better route? Bandwidth or priority?
07-13-2020 08:27 AM
07-11-2020 08:41 PM
Thank you for the response. I just have a couple questions to improve my understanding.
The priority percent would take my total voice traffic and give a percentage of it priority? Would that still cause the calls to have quality issues? For this instance I have the possibility of 3 phone calls going on, and 2-3 TVs streaming video. The phone calls are Verizon cell phones that can route calls through the Wi-Fi. One of the phones is using the world smart app, which is the one I am worried about most as it is used for work calls. My end goal is to make sure that those work calls have perfect clarity. With adding this information, would this still be the best solution?
Also, with the ZBFW, I thought it was a stateful firewall. So adding those permits to the policy regulating internet traffic to my LAN would be serving what goal? Would that be to allow EU to have access to a mail server/web server if I was to run some?
I appreciate your help and expertise. Your response made it easy to understand.
07-07-2020 06:20 AM
07-11-2020 08:57 PM
The interface is limited by my internet provider to 200 Mbps download and 10 Mbps upload.