Routing using ZBFW combined with QoS DSCP 46 EF

If I posted this on the wrong board please let me know. So I am working on a home system that I use to practice and develop my skills on, while being functional for my needs. I recently put in service a Cisco C3845 router as my ABR (connecting my internet modem and my LAN). I am running NAT overload, and then using ZBFW. I also want to add QoS for voice traffic, as our phones that are connected through Wi-Fi will utilize that connection before the cellular connection. I was looking at adding something like this:

ip access-list extended VOICE_ACL
 permit ip any any dscp ef

! The class-map has to exist before the policy-map references it,
! so it is placed ahead of the policy-map here
class-map match-any VOICE_CLASS
 match access-group name VOICE_ACL

policy-map VOICE10Mb
 class VOICE_CLASS
  bandwidth 6000
 class class-default
  fair-queue

! Note: the WAN interface in the running config below is GigabitEthernet0/1
interface GigabitEthernet0/0/0
 service-policy output VOICE10Mb

 

After thinking about it though I was wondering how it would interact with my ZBFW. Also, would there be a cleaner way to do it, or to run it through the zones? Here is my config below, be gentle lol:

class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
 match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
 match access-group name OUTSIDE-TO-INSIDE
class-map type inspect match-all INSIDE-TO-DMZ-CLASS
 match access-group name INSIDE-TO-DMZ
class-map type inspect match-all OUTSIDE-TO-DMZ-CLASS
 match access-group name OUTSIDE-TO-DMZ
!
policy-map type inspect OUTSIDE-TO-DMZ-POLICY
 class type inspect OUTSIDE-TO-DMZ-CLASS
  inspect
 class class-default
  drop log
policy-map type inspect INSIDE-TO-DMZ-POLICY
 class type inspect INSIDE-TO-DMZ-CLASS
  pass
 class class-default
  drop log
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
 class type inspect OUTSIDE-TO-INSIDE-CLASS
  pass
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone security DMZ
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
zone-pair security OUT-TO-DMZ source OUTSIDE destination DMZ
 service-policy type inspect OUTSIDE-TO-DMZ-POLICY
zone-pair security IN-TO-DMZ source INSIDE destination DMZ
 service-policy type inspect INSIDE-TO-DMZ-POLICY
!
interface GigabitEthernet0/0
 description LAN
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description WAN
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 zone-member security OUTSIDE
!
ip nat inside source list NAT interface GigabitEthernet0/1 overload
!
ip access-list extended INSIDE-TO-DMZ
 permit tcp 192.168.0.0 0.0.255.255 172.17.0.0 0.0.255.255 eq www
 permit icmp 192.168.0.0 0.0.255.255 172.17.0.0 0.0.255.255
ip access-list extended INSIDE-TO-OUTSIDE
 permit tcp 192.168.0.0 0.0.255.255 any eq www
 permit tcp 192.168.0.0 0.0.255.255 any eq pop3
 permit icmp 192.168.0.0 0.0.255.255 any
 permit ip 192.168.2.0 0.0.0.255 any
 permit tcp any any
 permit udp any any
ip access-list extended NAT
 permit ip 192.168.2.0 0.0.0.255 any
ip access-list extended OUTSIDE-TO-DMZ
 permit tcp any 172.17.0.0 0.0.255.255 eq www
ip access-list extended OUTSIDE-TO-INSIDE
 permit icmp any 192.168.0.0 0.0.255.255
 permit tcp any any eq 8766
 permit tcp any any eq 27015
 permit tcp any any eq 27016
 permit udp any any eq 27016
 permit udp any any eq 27015
 permit udp any any eq 8766

11 Replies

Hello,

 

just a few things: why would you want to limit the QoS for voice to 6MB? That is, in today's world, not a lot. I would just use the priority percent, so whatever voice needs, it will allocate 30 percent to the priority queue.

 

In the ZBF, I think you need to allow www/pop3/icmp back in as well. 

 

So it should look like below (changes/additions marked with -->):

policy-map VOICE10Mb
 class VOICE_CLASS
-->  priority percent 30
 class class-default
  fair-queue
!
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
 match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
 match access-group name OUTSIDE-TO-INSIDE
class-map type inspect match-all INSIDE-TO-DMZ-CLASS
 match access-group name INSIDE-TO-DMZ
class-map type inspect match-all OUTSIDE-TO-DMZ-CLASS
 match access-group name OUTSIDE-TO-DMZ
!
policy-map type inspect OUTSIDE-TO-DMZ-POLICY
 class type inspect OUTSIDE-TO-DMZ-CLASS
  inspect
 class class-default
  drop log
policy-map type inspect INSIDE-TO-DMZ-POLICY
 class type inspect INSIDE-TO-DMZ-CLASS
  pass
 class class-default
  drop log
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
 class type inspect OUTSIDE-TO-INSIDE-CLASS
  pass
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone security DMZ
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
zone-pair security OUT-TO-DMZ source OUTSIDE destination DMZ
 service-policy type inspect OUTSIDE-TO-DMZ-POLICY
zone-pair security IN-TO-DMZ source INSIDE destination DMZ
 service-policy type inspect INSIDE-TO-DMZ-POLICY
!
interface GigabitEthernet0/0
 description LAN
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description WAN
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 zone-member security OUTSIDE
!
--> ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 dhcp
!
ip nat inside source list NAT interface GigabitEthernet0/1 overload
!
ip access-list extended INSIDE-TO-DMZ
 permit tcp 192.168.0.0 0.0.255.255 172.17.0.0 0.0.255.255 eq www
 permit icmp 192.168.0.0 0.0.255.255 172.17.0.0 0.0.255.255
ip access-list extended INSIDE-TO-OUTSIDE
 permit tcp 192.168.0.0 0.0.255.255 any eq www
 permit tcp 192.168.0.0 0.0.255.255 any eq pop3
 permit icmp 192.168.0.0 0.0.255.255 any
 permit ip 192.168.2.0 0.0.0.255 any
 permit tcp any any
 permit udp any any
ip access-list extended NAT
 permit ip 192.168.2.0 0.0.0.255 any
ip access-list extended OUTSIDE-TO-DMZ
 permit tcp any 172.17.0.0 0.0.255.255 eq www
ip access-list extended OUTSIDE-TO-INSIDE
--> permit tcp any 192.168.0.0 0.0.255.255 eq www
--> permit tcp any 192.168.0.0 0.0.255.255 eq pop3
--> permit icmp any 192.168.0.0 0.0.255.255
 permit icmp any 192.168.0.0 0.0.255.255
 permit tcp any any eq 8766
 permit tcp any any eq 27015
 permit tcp any any eq 27016
 permit udp any any eq 27016
 permit udp any any eq 27015
 permit udp any any eq 8766

 

". . . why would you want to limit the QoS for voice to 6MB?"

(I assume the 6MB is 6 Mbps.)

BTW, the class-map's "bandwidth 6000" doesn't limit bandwidth to 6 Mbps, it sets a minimum guarantee.

"priority percent 30"

Also BTW, if the class-map believes it has 10 Mbps, the above could limit bandwidth to 3 Mbps, which, if you believe 6 Mbps isn't a lot, then 3 Mbps would be only half that. (?) That noted, G.711 uses about 100 kbps per call; compressed codecs use even less. We don't know the codec being used or the number of concurrent calls, without which it is difficult to say whether enough bandwidth has been allocated. That aside, recommending PQ does help ensure minimum latencies and/or low jitter for VoIP.

So what difference do I see between a minimum guarantee and priority percent?

If I use guarantee, does that not allow the bandwidth amount to be used by anything else, even if there is no call going on at the moment? Same question for priority percent.

Also, does this apply to the incoming voice packets vs outgoing?

I am unsure what codec the World Smart app, or Verizon, would be using for the VoIP.

Concurrent calls would be 3 at most, but along with video traffic of 2-3 streaming TVs possibly.

 

Both bandwidth and priority commands are outgoing only.

The bandwidth command allows other traffic to use unused bandwidth from the configured bandwidth class, and allows the configured bandwidth class to obtain bandwidth from other classes.

The priority command also allows other traffic to use unused bandwidth, but if the configured priority class needs to queue packets, it limits the bandwidth to what's been specified. However, if traffic is not queued in the configured priority class, it may use more bandwidth than specified.

The other difference between the commands: bandwidth obtains a proportional amount of dequeuing, whereas priority traffic is dequeued before all the bandwidth-configured classes.

For video streaming applications, a bandwidth-configured class usually is all that's needed. You just need to ensure it has sufficient bandwidth to support the class's bandwidth needs.

"Priority command also allows other traffic to use unused bandwidth, but if the configured priority class needs to queue packets, it limits the bandwidth to what's been specified. However, if traffic is not queued in the configured priority class, it may use more bandwidth than specified."

So when you say it may use more bandwidth than specified, that means if I have VoIP running and, say, a download: if VoIP starts to queue, it would limit the download to 70% since I have a term of 30% set to VoIP?

"The other difference between the commands: bandwidth obtains a proportional amount of dequeuing, whereas priority traffic is dequeued before all the bandwidth-configured classes."

So if queuing starts happening, and VoIP needs more than the bandwidth setting, it queues just like everything else? Is that a correct understanding? And with priority, if it goes over the 30% setting, then it is still the number 1 priority for the queue?

 

"So when you say it may use more bandwidth than specified, that means if I have VoIP running and, say, a download: if VoIP starts to queue, it would limit the download to 70% since I have a term of 30% set to VoIP?"

More or less, correct. Basically, when the aggregate of all traffic exceeds 100% of capacity, the priority percentage will be enforced, leaving 100 minus that percentage for all other traffic.

"So if queuing starts happening, and VoIP needs more than the bandwidth setting, it queues just like everything else? Is that a correct understanding? And with priority, if it goes over the 30% setting, then it is still the number 1 priority for the queue?"

With LLQ (set via the priority command), when there's queuing, the priority class is dequeued first (until empty).

For a bandwidth configuration, given:

policy-map example
 class class1
  bandwidth percent 25
 class class2
  bandwidth percent 25
 class class3
  bandwidth percent 50

If aggregate of the above doesn't exceed 100%, then the above has no effect.

If any one class is the only class with traffic, it can have 100%.

If two of the above classes want 100%, if they are classes 1 and 2, each will obtain 50% (25:25, or 1:1), if classes (1 or 2) and 3, class 1 or 2 will obtain 1/3 the bandwidth, and class 3 will obtain 2/3 (25:50, or 1:2).

If all classes want 100%, classes 1 and 2 will obtain 25% and class 3 will obtain 50% (25:25:50).
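As an added illustration (not code from this thread, and not anything IOS runs), the following Python model reproduces the sharing rules described in the two replies above: bandwidth classes split the link in proportion to their percentages, with any share a class does not need re-divided among the others by the same ratios, while a priority class is dequeued first and policed to its percentage only when the aggregate offered load exceeds capacity. The 10 Mbps link, the class names and the per-class demands are constructed values chosen to match the 25/25/50 example and the VOICE_CLASS "priority percent 30" discussion.

```python
"""Model of how CBWFQ 'bandwidth percent' and LLQ 'priority percent' classes
share an output interface under congestion. Added illustration only; all
class names, demands and capacities below are constructed, not from a router."""
from dataclasses import dataclass
from typing import Dict, List, Optional

EPS = 1e-9


@dataclass
class QosClass:
    name: str
    demand: float                         # offered load in Mbps
    bandwidth_pct: float = 0.0            # CBWFQ weight ('bandwidth percent')
    priority_pct: Optional[float] = None  # LLQ cap ('priority percent'), None if not LLQ


def weighted_share(capacity: float, classes: List[QosClass]) -> Dict[str, float]:
    """Divide `capacity` among bandwidth classes in proportion to their
    percentages (weighted max-min fairness). A class that needs less than its
    share takes only what it needs; the leftover is re-divided among the
    remaining classes by the same ratios."""
    alloc = {c.name: 0.0 for c in classes}
    active = [c for c in classes if c.demand > EPS and c.bandwidth_pct > 0]
    remaining = capacity
    while active and remaining > EPS:
        total_w = sum(c.bandwidth_pct for c in active)
        share = {c.name: remaining * c.bandwidth_pct / total_w for c in active}
        # classes whose unmet demand fits inside this round's share are satisfied
        done = [c for c in active if c.demand - alloc[c.name] <= share[c.name] + EPS]
        if not done:
            for c in active:              # all oversubscribed: pure ratio split
                alloc[c.name] += share[c.name]
            break
        for c in done:
            give = c.demand - alloc[c.name]
            alloc[c.name] += give
            remaining -= give
            active.remove(c)
    return alloc


def allocate(capacity: float, classes: List[QosClass]) -> Dict[str, float]:
    """Whole policy-map: LLQ classes are served first and policed to their
    percentage only when the aggregate offered load exceeds capacity; the
    rest of the link goes to the bandwidth classes via weighted_share()."""
    congested = sum(c.demand for c in classes) > capacity + EPS
    alloc: Dict[str, float] = {}
    used = 0.0
    for c in classes:
        if c.priority_pct is None:
            continue
        cap = capacity * c.priority_pct / 100.0
        alloc[c.name] = min(c.demand, cap) if congested else c.demand
        used += alloc[c.name]
    others = [c for c in classes if c.priority_pct is None]
    alloc.update(weighted_share(capacity - used, others))
    return alloc


def ratio_example(demands) -> Dict[str, float]:
    """The 25/25/50 'policy-map example' from the thread on a 10 Mbps link."""
    classes = [QosClass("class1", demands[0], 25),
               QosClass("class2", demands[1], 25),
               QosClass("class3", demands[2], 50)]
    return weighted_share(10.0, classes)


def voice_example(voice_mbps: float, bulk_mbps: float) -> Dict[str, float]:
    """VOICE_CLASS at priority percent 30 plus class-default on a 10 Mbps uplink."""
    classes = [QosClass("VOICE_CLASS", voice_mbps, priority_pct=30),
               QosClass("class-default", bulk_mbps, bandwidth_pct=100)]
    return allocate(10.0, classes)


if __name__ == "__main__":
    for d in ([100, 100, 0], [100, 0, 100], [100, 100, 100], [100, 0, 0], [1, 100, 100]):
        print(d, {k: round(v, 2) for k, v in ratio_example(d).items()})
    print(voice_example(0.3, 20.0))   # three ~100 kbps calls while bulk saturates the uplink
    print(voice_example(5.0, 20.0))   # voice offered above its 30% cap while congested
    print(voice_example(5.0, 1.0))    # no congestion: voice exceeds 30% without being policed
```

The last three calls show the point made about "priority percent": the voice class is only cut back to 3 Mbps of the 10 Mbps uplink when the total offered load exceeds the link, and it never takes more than it actually offers.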

That gives a very clear understanding; I am very glad you went into the ratio as well. So in your opinion, what's the better route? Bandwidth or priority?

 

For DSCP 46, EF, traffic, generally (when it's available) you use some form of priority queuing. This is to ensure minimum latency and jitter.

VoIP, at least the bearer traffic, normally should be treated as such. Video real-time traffic, like video conferencing, should ideally be treated as such too. However, video is much more bandwidth hungry than VoIP, it's also always a variable bandwidth demand, and if mixed with VoIP, it might disrupt it. So, sometimes you'll see real-time video within a bandwidth class, but then the video itself might be more prone to quality issues.

If the video is not real-time, e.g. video streaming, that generally works very well in a bandwidth class, although you need to ensure it obtains the bandwidth it needs and/or the buffers it needs, to avoid packet drops.

To recap:
video bearer: generally always some form of PQ
non-real-time video: almost always a bandwidth class, often one dedicated to it to ensure both the bandwidth it needs and the buffers it needs
real-time video: might be PQ or a bandwidth class; also, some video codecs allow you to treat the audio flow differently from the video flow

Thank you for the response. I just have a couple questions to improve my understanding.

The priority percent would take my total voice traffic and give a percentage of it priority? Would that still cause the calls to have quality issues? For this instance I have the possibility of 3 phone calls going on, and 2-3 TVs streaming video. The phone calls are Verizon cell phones that can route calls through the Wi-Fi. One of the phones is using the World Smart app, which is the one I am worried about most, as it is used for work calls. My end goal is to make sure that those work calls have perfect clarity. With this added information, would this still be the best solution?

Also, with the ZBFW, I thought it was a stateful firewall. So adding those permits to the policy regulating internet traffic to my LAN would be serving what goal? Would that be to allow EU to have access to a mail server/web server if I was to run some?

I appreciate your help and expertise. Your response made it easy to understand. 

Joseph W. Doherty (Hall of Fame)
ip access-list extended VOICE_ACL
 permit ip any any dscp ef

policy-map VOICE10Mb
 class VOICE_CLASS
  bandwidth 6000
 class class-default
  fair-queue

class-map match-any VOICE_CLASS
 match access-group name VOICE_ACL

The above might be shortened to:

! The DSCP match belongs in the class-map, which must precede the policy-map
class-map match-any VOICE_CLASS
 match ip dscp ef !unsure I have the syntax correct, it also varies between IOS versions

policy-map VOICE10Mb
 class VOICE_CLASS
  priority percent 30 !Georg's recommendation is fine, Cisco recommends up to about one third
 class class-default
  bandwidth remaining percent 100
  fair-queue

interface GigabitEthernet0/0/0
 service-policy output VOICE10Mb !is interface physically running at 10 Mbps?

The interface is limited by my internet provider to 200 Mbps download and 10 Mbps upload.
