08-22-2018 01:06 PM - edited 03-08-2019 03:57 PM
I may be missing something here. We have two CS3850 switches in our data center that will never have a VOIP device attached to them. They do carry VOIP traffic over a dedicated vlan. Everything I read has to do with setting up QoS per port. I would just like to setup QoS on the switches to prioritize our VOIP traffic based on the vlan.
Topology wise. In our office we have a HP Procurve switch that our phones connect to. This switch is connected to one CS3850 in our data center. The CS3850 is connected to our primary firewall. It is also connected to second CS3850 (no stack) which is connected to our secondary firewall. I have QoS configured on the HP and the firewalls. Just not sure about the CISCO switches. We are using polycom phones with hosted PBX.
I did find the following
class-map match-any VOIP_bearer
match ip dscp EF
class-map match-any VOIP_signaling
match ip dscp CS3
policy-map VOICE-Policy
class VOIP_bearer
priority percent 33
class VOIP_signaling
bandwidth percent 10
I am not completely sure if this is going to do what I want it to do.
Solved! Go to Solution.
08-23-2018 06:47 AM
So if I made the following changes (I did find an article showing this) I should be good. Also it is a catalyst CS3850 running ver 16.3.5b
class-map match-any VOIP_bearer
match ip dscp EF
class-map match-any VOIP_signaling
match ip dscp CS3
policy-map VOICE-Policy
class VOIP_bearer
priority level 1 percent 33
police cir percent 10 conform-action transmit exceed-action drop
class VOIP_signaling
bandwidth percent 10
08-22-2018 02:01 PM
Hello,
the config looks good actually, apply it to an SVI (Vlan interface) and you should be good to go...
08-23-2018 06:47 AM
So if I made the following changes (I did find an article showing this) I should be good. Also it is a catalyst CS3850 running ver 16.3.5b
class-map match-any VOIP_bearer
match ip dscp EF
class-map match-any VOIP_signaling
match ip dscp CS3
policy-map VOICE-Policy
class VOIP_bearer
priority level 1 percent 33
police cir percent 10 conform-action transmit exceed-action drop
class VOIP_signaling
bandwidth percent 10
08-23-2018 09:30 AM
Looks good to me.
If it helps, this is my QoS profile I use on Catalyst 9300s running 16.6 (basically the same as 3850/16.3), except I manually removed the CoPP stuff, and manually added some extra line breaks for readability.
As an explanation of the "set ip dscp" lines consider that when you set a DSCP, the switch automatically sets a related CoS based on a table-map (it's really poorly documented, but there's a default table-map in the configuration). If you're not worried about QoS normalization, you don't need to worry about that.
rive150-td001es01#sh run | sec ^(policy|class)-map
class-map match-any network-control-mgmt
match cos 6 7
match ip dscp cs6 cs7
!
class-map match-any voice-rtp
match cos 5
match ip dscp ef
!
class-map match-any voice-signalling
match cos 3
match ip dscp cs3
!
class-map match-any Layer3-mgmt
match cos 6
match ip dscp cs6
!
class-map match-any Layer2-mgmt
match cos 7
match ip dscp cs7
!
!
!
policy-map qos-ingress-marking
description QoS Marking on frame ingress
!
class Layer2-mgmt
set ip dscp cs7
!
class Layer3-mgmt
set ip dscp cs6
!
class voice-rtp
set ip dscp ef
!
class voice-signalling
set ip dscp cs3
!
class class-default
set dscp default
!
!
!
policy-map qos-egress-user
description QoS Egress Queue management: host interface
!
class voice-rtp
priority level 1
police cir percent 1 conform-action transmit exceed-action drop
!
class voice-signalling
bandwidth remaining percent 1
queue-buffers ratio 10
!
class network-control-mgmt
bandwidth remaining percent 1
queue-buffers ratio 10
!
class class-default
bandwidth remaining percent 98
!
!
!
policy-map qos-egress-uplink
description QoS Egress Queue management: network interface
!
class voice-rtp
priority level 1
police cir percent 10 conform-action transmit exceed-action drop
!
class voice-signalling
bandwidth remaining percent 10
queue-buffers ratio 10
!
class network-control-mgmt
bandwidth remaining percent 10
queue-buffers ratio 10
!
class class-default
bandwidth remaining percent 80
rive150-td001es01#
rive150-td001es01#sh run int t1/0/1
Building configuration...
Current configuration : 502 bytes
!
interface TenGigabitEthernet1/0/1
description rive150-b02ap01 10.18.43.40
switchport access vlan 2200
switchport mode access
switchport nonegotiate
switchport voice vlan 2400
device-tracking attach-policy DT_HOST
power inline port 2-event
power inline police action errdisable
history BPS all
udld port aggressive
no vtp
spanning-tree portfast
spanning-tree guard root
service-policy input qos-ingress-marking
service-policy output qos-egress-user
ip dhcp snooping limit rate 15
end
rive150-td001es01#
rive150-td001es01#sh run int t1/1/1
Building configuration...
Current configuration : 434 bytes
!
interface TenGigabitEthernet1/1/1
description rive150-dist-gw01 (128.197.254.43) te6/2
switchport trunk native vlan 2800
switchport trunk allowed vlan 2000,2200,2400,2600,2800,3000,3200
switchport mode trunk
switchport nonegotiate
device-tracking attach-policy DT_NETWORK
history BPS all
udld port aggressive
no vtp
service-policy input qos-ingress-marking
service-policy output qos-egress-uplink
ip dhcp snooping trust
end
rive150-td001es01#
08-23-2018 10:58 AM
08-23-2018 11:11 AM
In terms of "it's just a switch," they're pretty solid platforms. The 3560X made out with the fixed-form main switches and the modular network ports, the 3850s and 9300s are continuing in that and it's working really good. The UADP2 controller on the 9300 is basically the same (is the same?) as the 3850, so that's nice; on 16.6, the only difference *at all* is that the 3850 can configure 97 VTYs and the 9300 can configure 98, to-date that's literally the only command difference we've found in the models.
I've started using PRIME Infrastructure for automation, some of the things that can't be automated in IOS XE I fire up and do in TCLSH, the 16.6 codebase has the GuestShell that I can access if I really need something like that (though I'd like to avoid going that route if I can...).
Basically though we've started considering a Campus Fabric aka SD-A paradigm similar to what you're alluding, which is why we shifted to the 9300s. We have a few thousand 3850s so it's gonna be a while, but at least the 3850 supports the first few iterations of SD-A.
We already using ISE for wireless authentication, and we just got DNA-C for wireless experience analytics processing/reporting, so we're starting to get the needed pieces positioned to be able to do it.
The bigger problem for us is that we have a lot of cleanup to do before we can truly go that route (70,000 ports but only DHCP on 25% of those; no 802.1x anywhere on the wired side; etc), so we have to go through the pain of addressing the shortcomings and then maybe 5yr from now we can actually implement SD-A. By then hopefully they'll have a solid validated design with the bugs worked out :-)
08-23-2018 11:15 AM
08-23-2018 11:29 AM
You too. Glad you got the issue resolved.
08-22-2018 02:42 PM - edited 08-23-2018 02:42 AM
I'm not sure specifically what you mean by a "CS3850". I'm going to assume you mean Catalyst 3850. It also depends what version of code you're using; different versions have slightly different syntax and operation.
So, how are you using these switches?
However, if you're looking to shift to a VLAN-based QoS paradigm, you need to be careful:
At first glance, this appears to be what you're asking for:
"allows the user to perform QoS treatment at the VLAN level (classification and QoS actions) using the incoming frame’s VLAN information."
But note, its not quite what you're hoping for. That's only for an incoming frame. Policing is almost always done on egress frame. So can egress policing be done on the VLAN interface?
"Although the policy map is applied to the VLAN interface, any policing (rate-limiting) action can only be performed on a per-port basis. You cannot configure the policer to take account of the sum of traffic from a number of physical ports. Each port needs to have a separate policer governing the traffic coming into that port."
And there lies the kicker. The VLAN interface on a Catalyst 3850 has no policing capability. So although you can punt some QoS aspect to the VLAN interface, if you're looking to use a policer you still need to apply a QoS policy to the physical interface because that's the only place the Cat3850 has the capability of doing policing.
Then there's additional caveats about doing VLAN-based QoS. Let's say you have ingress traffic on one port, and egress another port within the same VLAN (these are still switches at heart, after all). In that case, if it's a trunk port, how do you handle that? Which VLAN QoS traffic marking policy to you apply on the interface? Or does it change dynamically to switch to the correct VLAN? Or do you still need to apply a QoS policy to the physical interface anyway, if the QoS mechanism only kicks-in if the Ethernet frame's destination MAC address is the VLAN interface's MAC address?
Ultimately, applying a QoS policy on the interface becomes the easiest and most straight-forward approach.
weylin
08-22-2018 02:55 PM
And lest I forget - if you just want to define a QoS policy based on the VLAN, I'll suggest that's not enough. What you really want to do is set head-of-the-line priviledges for the RTP traffic (that's the traffic that actually carries the audio), and police it so that noone takes advantage of the QoS, either maliciously or because of an errant process.
You could setup the class-map to match against the VLAN ID. And that would work. But, that catches everything in the VLAN. Spanning-tree; ARP; and other traffic is still running on the VLAN. RTCP is a companior protocol to RTP, and runs in the same subnet/VLAN. I'm not sure what VoIP management protocol you're using, but whether H.323, SCCP, Skinny, or SIP, they also all run in the same VLAN. But you only want to specifically match the RTP traffic, and only give *those* packets head-of-line queuing. having fluctuations in RTP delivery times, such as the tiny RTP packets sitting behind several really fat email packets on another VLAN, are noticeable to the users (variation in one-way delivery time is referred to as "jitter").
You can match on DSCP if you want, it certainly can't hurt. But typically, DSCP and CoS are strictly aligned (there's lots of sites that give the industry de facto CoS values, unfortunately not a lot of sites that say it simply); and typically, that alignment is enforced on ingress. Assuming that alignment is enforced, then you only need match CoS, since each of these traffic classifications is (typically) set to different CoS values. Then, you can quickly identify the RTP packets, and put them in the priority queue, with everything else going in the standard queue(s); and, police the priority queue so that it at-most only consumes some nominal amount of capacity (usually 10%).
weylin
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide