SIP QOS on CIsco 887VA Help

DOUGLAS DRURY · ‎11-09-2017

Hi All.

I’m looking for some help with SIP/VOIP prioritization on my Cisco 887va. We have a remotely hosted SIP phone system. The problem is when we are working on PC’s for clients and they start to download updates for Windows 10 we are getting choppy audio on calls. I’m trying to fix this with some QOS/priority towards SIP traffic. However, in my testing and development I need a bit of help.

Below is my configuration that I’m adapted from examples. We are on an FTTC/VDSL line 70Mb download and 20Mb Upload speeds.

ip access-list extended VOIP

permit tcp any any range 6000 6049

permit tcp any any eq 5060

class-map match-any VoIP

match access-group name VOIP

policy-map VOIPQOS

class VoIP

priority percent 50

set dscp ef

class class-default

fair-queue

When I try to apply this to the dialer interface I get the below error

RT (config-if)#service-policy output VOIPQOS

Flow Fair Queueing feature is not supported in default class of parent level policy of

Georg Pauwen · ‎11-10-2017

Hello,

I think it has to do with the IOS version you are running...which one do you have ?

Try and apply the service policy to the physical (ATM) interface, that should get rid of the error message....

DOUGLAS DRURY · ‎11-10-2017

Thanks for the reply.

I'm using IOS: System image file is "flash:c880data-universalk9-mz.153-3.M9.bin"

When I tried to apply the command to the interface I go the below. I'm on a VDSL line so I use Ethernet0.101

RT(config)#inter ethernet 0.101
RT(config-subif)#service-policy output VOIPQOS
CBWFQ : Not supported on subinterfaces
RT(config-subif)#exit
RT(config)#inter ethernet 0
RT(config-if)#
RT(config-if)#service-policy output VOIPQOS
Service_policy with queueing features on this interface is not allowed
if dialer based queuing policy is already installed.

RT(config-if)#

Georg Pauwen · ‎11-10-2017

Hello,

have you removed the service policy from the dialer interface before applying it to the physical interface ?

DOUGLAS DRURY · ‎11-10-2017

Hi,

I couldn't apply it to the dialer interface anyway because the router rejected the command with the error: Flow Fair Queueing feature is not supported in default class of parent level policy of.

Thanks

Georg Pauwen · ‎11-10-2017

Hello,

try to configure a child policy as below, then apply the parent policy to the interface:

policy-map VOIPQOS_CHILD
class VoIP
priority percent 50
set dscp ef
class class-default
fair-queue

policy-map VOIPQOS_PARENT
class class-default
service-policy VOIPQOS_CHILD

DOUGLAS DRURY · ‎11-10-2017

Hi,

I tried your suggestion and got the below for each of the interfaces. It hasn't applied to any of the interfaces

RT(config-if)#service-policy output VOIPQOS_PARENT
Cannot attach queuing-based child policy to a non-queuing based class
RTconfig-if)#
RT(config-subif)#service-policy output VOIPQOS_PARENT
Cannot attach queuing-based child policy to a non-queuing based class
RT(config)#
RT(config)#interface ether 0
RT(config-if)#service-policy output VOIPQOS_PARENT
Service_policy with queueing features on this interface is not allowed
if dialer based queuing policy is already installed.
RT(config)#

Georg Pauwen · ‎11-10-2017

Hello,

post the full current configuration of your router if possible...

Georg Pauwen · ‎11-10-2017

Hello,

the problem might be that you have to configure something under the default class in the parent policy. Try and add the below (in bold):

policy-map VOIPQOS_CHILD
class VoIP
priority percent 50
set dscp ef
class class-default
fair-queue

policy-map VOIPQOS_PARENT
class class-default
shape average 20000000
service-policy VOIPQOS_CHILD

DOUGLAS DRURY · ‎11-10-2017

Hi,

Thanks for your help so far.

I tried to add shape average 20000000 in the parent policy but the router rejected it with % Invalid input detected at '^' marker. The marker was at shape

Below is my configuration.

RT#sh run br
Building configuration...

Current configuration : 5419 bytes
!
! Last configuration change at 08:18:00 UTC Fri Nov 10 2017 by doug
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RT
!
boot-start-marker
boot system flash:c880data-universalk9-mz.153-3.M9.bin
boot system flash:c880data-universalk9-mz.153-3.M.bin
boot-end-marker
!
!
enable secret 4 sii94NGY12oyst/3n4bnmySHfE/PcvkoNt83rjGoB8I
!
aaa new-model
!
!
aaa authentication login VPNUSERSAUTH local
aaa authorization network VPNUSERS local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-1949736083
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1949736083
revocation-check none
rsakeypair TP-self-signed-1949736083
!
!
crypto pki certificate chain TP-self-signed-1949736083
certificate self-signed 01
!
!
!
!

!
ip dhcp excluded-address 192.168.20.20 192.168.20.50
ip dhcp excluded-address 192.168.1.1 192.168.1.20
ip dhcp excluded-address 192.168.1.200 192.168.1.254
!
!
!
ip domain name REMOVED.local
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO887VA-SEC-K9 sn FCZ181070DN
!
!
username REMOVED privilege 15 secret 4 REMOVED
!
!
!
!
!
controller VDSL 0
firmware filename flash:VA_A_39m_B_38h3_24h.bin
!
!
class-map match-any VoIP
match access-group name VOIP
!
policy-map VOIPQOS_CHILD
class VoIP
priority percent 50
set dscp ef
class class-default
fair-queue
policy-map VOIPQOS_PARENT
class class-default
service-policy VOIPQOS_CHILD
!
!
!
crypto isakmp policy 7
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key REMOVED address REMOVED no-xauth
!
crypto isakmp client configuration group VPNUSERS
key REMOVED
dns 192.168.1.201
domain REMOVED.local
pool VPN-POOL
acl VPNSPLIT
!
!
crypto ipsec transform-set REMOVED esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto dynamic-map VPNDYNMAP 1
set transform-set REMOVED
reverse-route
!
!
crypto map MAP-OUTSIDE client authentication list VPNUSERSAUTH
crypto map MAP-OUTSIDE isakmp authorization list VPNUSERS
crypto map MAP-OUTSIDE client configuration address respond
crypto map MAP-OUTSIDE 10 ipsec-isakmp
set peer REMOVED
set transform-set REMOVED
match address S2S
crypto map MAP-OUTSIDE 65000 ipsec-isakmp dynamic VPNDYNMAP
!
!
!
!
!
interface Ethernet0
no ip address
!
interface Ethernet0.101
encapsulation dot1Q 101
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
switchport mode trunk
no ip address
!
interface FastEthernet1
switchport access vlan 20
no ip address
!
interface FastEthernet2
switchport access vlan 90
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan15
ip address 192.168.15.3 255.255.255.0
!
interface Vlan20
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan90
ip address 10.1.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Dialer1
description BT VDSL
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
ppp authentication pap chap ms-chap callin
ppp chap hostname REMOVED
ppp chap password 0 REMOVED
ppp ipcp address accept
no cdp enable
crypto map MAP-OUTSIDE
!
!
router eigrp 10
network 192.168.1.0
network 192.168.20.0
!
ip local pool VPN-POOL 10.1.74.5 10.1.74.250
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
no ip nat service sip udp port 5060
ip nat inside source list NAT interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.15.0 255.255.255.0 Vlan1
ip route 192.168.30.0 255.255.255.0 192.168.20.203
!
ip access-list extended NAT
deny ip 192.168.15.0 0.0.0.255 192.168.40.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 192.168.40.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 10.1.74.0 0.0.0.255
deny ip 192.168.20.0 0.0.0.255 10.1.74.0 0.0.0.255
deny ip 10.1.1.0 0.0.0.255 10.1.74.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.20.0 0.0.0.255 any
permit ip 10.1.1.0 0.0.0.255 any
ip access-list extended S2S
permit ip 192.168.15.0 0.0.0.255 192.168.40.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
ip access-list extended VOIP
permit tcp any any range 6000 6049
permit tcp any any eq 5060
ip access-list extended VPNSPLIT
permit ip 192.168.1.0 0.0.0.255 10.1.74.0 0.0.0.255
permit ip 192.168.20.0 0.0.0.255 10.1.74.0 0.0.0.255
permit ip 192.168.15.0 0.0.0.255 10.1.74.0 0.0.0.255
!
!
!
!
!
control-plane
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
transport output telnet ssh
!
!
end
RT#

Georg Pauwen · ‎11-10-2017

Hello,

try and disable NBAR protocol discovery on the dialer interface:

--> no ip nbar protocol-discovery

What are your options in the default class ('shape' is giving an error, what else is there) ?

Joseph W. Doherty · ‎11-10-2017

Are you also doing general Internet access using the same link?

If so, to effectively manage VoIP traffic, you have to preclude general Internet access on the same link. This because, you can not generally well manage ingress bandwidth, so Internet traffic will generally disrupt VoIP traffic regardless of what you do.