QoS configuration on CE router

Dipesh Patel
Level 2

Dear Experts,

We have an MPLS cloud and all the locations are connected via MPLS links. Recently we have configured QoS at all CE routers as well as PE routers.

The configuration for a CE router is mentioned here:

ip access-list extended VOICE-APP
remark "RTP"
permit udp any any range 16384 32767
remark "SCCP"
permit tcp any any range 2000 2002
remark "SIP"
permit tcp any any range 5060 5061
permit udp any any range 5060 5061
remark "H.323"
permit udp any any eq 1719 
permit tcp any any eq 1720


ip access-list extended VIDEO-APP
remark "Video"
permit udp any any eq 1718 
permit tcp any any eq 1731 
remark "Polycom-View-Station"
permit udp any any range 3230 3235
permit tcp any any range 3230 3231


ip access-list extended BUSINESS-APP
remark "SAP and DB Traffic"
permit tcp any any range 3200 3299
permit tcp any any range 3600 3699
permit tcp any any range 3300 3399
permit tcp any any range 4800 4899
permit tcp any any range 50000 59916
remark "ORACLE -SQL *NET"
permit tcp any any eq 1521
permit udp any any eq 1521
remark "Oracle"
permit tcp any any eq 1526
permit udp any any eq 1526
permit tcp any any eq 1575
permit udp any any eq 1575
permit tcp any any eq 1630
permit udp any any eq 1630

************************************************

class-map match-any CM-VOICE-EF
 match ip dscp ef
 match ip dscp cs3
 match ip dscp af31
 match access-group name VOICE-APP

class-map match-any CM-VIDEO-AF41
 match ip dscp cs4
 match ip dscp af41
 match ip dscp af42
 match access-group name VIDEO-APP

class-map match-any CM-BUSINESS-AF31
 match access-group name BUSINESS-APP

policy-map PM-SP1-DSCP-IN
 class CM-VOICE-EF
  set ip dscp ef
 class CM-VIDEO-AF41
  set ip dscp af41
 class CM-BUSINESS-AF31
  set ip dscp af31

***********************************************
***********************************************

class-map match-any CM-VOIP-OUT
match ip dscp ef
class-map match-any CM-VIDEO-OUT
match ip dscp af41
class-map match-any CM-BUSINESS-OUT
match ip dscp af31

policy-map SP-CE-OUT
class CM-VOIP-OUT
    priority percent 5
class CM-VIDEO-OUT
    bandwidth percent 10
class CM-BUSINESS-OUT
    bandwidth percent 25
class class-default
    bandwidth percent 60


policy-map PM-SP1-DSCP-OUT
class class-default
shape average XXXX000
service-policy SP-CE-OUT

*********************************************
***********************************************

interface FastEthernet0/0
 description "LAN interface"
 load-interval 30
 service-policy input PM-SP1-DSCP-IN

interface FastEthernet0/1
 bandwidth XXXX
 load-interval 30
 service-policy output PM-SP1-DSCP-OUT

After 2-3 days of monitoring we have found that the traffic selected by the ACLs is going into the respective classes and being serviced accordingly, but in addition to this traffic there is other traffic, marked by some of the applications themselves, that is also entering the specified classes.

e.g. in the VoIP class, we want traffic from IP phones only, but in addition to this we have found other traffic marked with EF from different servers as well as PCs.

In the Business Critical class we have found lots of traffic marked AF31 (Citrix), as Citrix traffic by default comes marked AF31.

So how can we reset these unwanted traffic markings and remark as per our requirement? We want to keep the marking from IP phones and VCs as it is. We need to reset the marking coming from servers / PCs.

Can anybody give a suggestion or any change to the existing configuration?

Note: we have not configured anything on the LAN for QoS. If it is required from the LAN side, then how should we proceed?

Please suggest.

Regards

4 Replies

sean_evershed
Level 7

Hi,

If too much traffic is being captured then you need to consider where your QoS boundary should be located.

See below an excellent QoS design guide.

http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND_40/QoSCampus_40.html

As stated in this document the QoS trust boundary needs to be established as close to the endpoints as possible, i.e. your access layer switch. This means resetting the QoS markings of untrusted devices, for example PCs, and honoring the markings of trusted devices, e.g. Cisco IP phones.

There are templates associated with this design guide for several different types of switches. See, for example, the one below for 3750s.

http://www.cisco.com/en/US/docs/solutions/Enterprise/Video/qoscampuscat3xxxaag.html

As shown in Figure 2-13 you also need to ensure that the uplinks between your access switch and distribution layer are configured to honour your DSCP markings.

Don't forget to rate all posts that are helpful.
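The access-layer trust boundary described above, as an added example that is not from the original thread or the linked design guide. It is written for a Catalyst 3750-style switch and assumes a data VLAN 10, a voice VLAN 50, phone-facing ports Fa1/0/1-24 and an uplink Gi1/0/1; all of those values are assumptions, not taken from the question. Once `mls qos` is enabled, ports are untrusted by default and incoming DSCP is rewritten to 0, which is exactly the reset the question asks for; trust is then re-granted only where a Cisco IP phone is detected, and on the uplink inside the boundary.

```cisco
! Added example, not from the original post. Assumed: VLAN 10 = data,
! VLAN 50 = voice, Fa1/0/1-24 = PC-behind-phone ports, Gi1/0/1 = uplink.
!
! Enabling QoS globally makes every port untrusted: DSCP is rewritten to 0
! unless the port is explicitly trusted. This is what resets PC/server marks.
mls qos
!
! Default CoS-to-DSCP map sends CoS 5 to DSCP 40 (CS5), not 46 (EF).
! Remap CoS 5 -> EF so trusted phone RTP keeps the EF the WAN policy expects.
mls qos map cos-dscp 0 8 16 24 32 46 48 56
!
interface range FastEthernet1/0/1 - 24
 description Access port: PC behind Cisco IP phone (assumed)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 50
 ! Trust CoS only while a Cisco IP phone is detected via CDP; if the phone
 ! is unplugged the port silently falls back to untrusted (CoS/DSCP -> 0).
 mls qos trust cos
 mls qos trust device cisco-phone
 ! Have the phone overwrite whatever 802.1p CoS the PC sets to 0.
 switchport priority extend cos 0
!
interface GigabitEthernet1/0/1
 description Uplink to distribution: inside the trust boundary (assumed)
 mls qos trust dscp
```

Verify on a phone port with `show mls qos interface FastEthernet1/0/1`, which reports "trust state: trust cos" and "trust device: cisco-phone" together with whether a phone is currently detected; on a port with only a PC the trust state shows as "not trusted". Servers on access ports get no trust statement at all and so have their EF/AF31 reset before the packet ever reaches the CE router. If you do this, the CE router ingress policy only has to recognise the markings that survive the boundary; the trust of CoS rather than DSCP on phone ports is a design choice for 3750s, and the cos-dscp map line matters only because of it.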

Joseph W. Doherty
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

With what you already have, you could modify your ingress policy class-maps to stop blindly trusting DSCP markings. Instead you examine the traffic and mark it correctly.

Dear JosephDoherty,

Could you please suggest what to change in my configuration mentioned here?

Regards,

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

Config depends on how strict you want to be.

Now you have:

class-map match-any CM-VIDEO-AF41
 match ip dscp cs4
 match ip dscp af41
 match ip dscp af42
 match access-group name VIDEO-APP

which accepts any of the listed DSCP markings or (any) your ACL, but if you did:

class-map match-any CM-VIDEO-AF41
 match access-group name VIDEO-APP

it would only accept packets that match your ACL, however you could match the ACL and (all) those markings like:

class-map match-any CM-VIDEO-AF41-DSCP
 match ip dscp cs4
 match ip dscp af41
 match ip dscp af42

class-map match-all CM-VIDEO-AF41
 match class-map CM-VIDEO-AF41-DSCP
 match access-group name VIDEO-APP

PS:

BTW, later versions of QoS CBWFQ can match different protocols using NBAR, e.g. match protocol rtp (or h323).

This feature can sometimes save you the need to define ACLs. Depending on the version of NBAR and the protocol, it's either just a "pretty face" on port matches, or it can dig deeper into the packet and might also be stateful.
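The match-all approach above carried through to a complete replacement for the question's PM-SP1-DSCP-IN policy, as an added example that is not from the original post or from any of the replies. It keeps the question's own ACLs (VOICE-APP, VIDEO-APP, BUSINESS-APP) and adds two source ACLs for the trusted endpoints; the subnets 10.10.50.0/24 (IP phones) and 10.10.60.0/24 (video units) are assumptions and must be replaced with the real voice and video subnets. A packet keeps a voice or video marking only if its DSCP, its ports and its source all agree; business traffic is classified by ACL alone, so the AF31 that Citrix sets on its own is ignored; everything else is reset to DSCP 0 in class-default, which is the part the original policy was missing.

```cisco
! Added example, not from the original post.
! Assumed endpoint subnets; replace with the real voice/video VLAN ranges.
ip access-list extended TRUSTED-VOICE-SRC
 remark "IP phones (assumed voice VLAN)"
 permit ip 10.10.50.0 0.0.0.255 any
ip access-list extended TRUSTED-VIDEO-SRC
 remark "Video conferencing units (assumed subnet)"
 permit ip 10.10.60.0 0.0.0.255 any
!
! DSCP-only child class-maps; each is referenced by a match-all parent.
class-map match-any CM-VOICE-DSCP
 match ip dscp ef
class-map match-any CM-SIGNALING-DSCP
 match ip dscp cs3
 match ip dscp af31
class-map match-any CM-VIDEO-DSCP
 match ip dscp cs4
 match ip dscp af41
 match ip dscp af42
!
! match-all: the packet must carry an expected DSCP AND hit the port ACL AND
! come from a trusted source. EF from a server or PC fails the source test
! and drops through to class-default, where it is reset.
class-map match-all CM-VOICE-TRUSTED
 match class-map CM-VOICE-DSCP
 match access-group name VOICE-APP
 match access-group name TRUSTED-VOICE-SRC
class-map match-all CM-SIGNALING-TRUSTED
 match class-map CM-SIGNALING-DSCP
 match access-group name VOICE-APP
 match access-group name TRUSTED-VOICE-SRC
class-map match-all CM-VIDEO-TRUSTED
 match class-map CM-VIDEO-DSCP
 match access-group name VIDEO-APP
 match access-group name TRUSTED-VIDEO-SRC
! Business traffic is recognised by ports only; incoming AF31 is not a match criterion.
class-map match-all CM-BUSINESS-ACL
 match access-group name BUSINESS-APP
!
policy-map PM-SP1-DSCP-IN
 class CM-VOICE-TRUSTED
  set ip dscp ef
 class CM-SIGNALING-TRUSTED
  set ip dscp cs3
 class CM-VIDEO-TRUSTED
  set ip dscp af41
 class CM-BUSINESS-ACL
  set ip dscp af31
 class class-default
  set ip dscp default
!
interface FastEthernet0/0
 service-policy input PM-SP1-DSCP-IN
```

Two things to check after applying it. First, `show policy-map interface FastEthernet0/0 input` shows per-class packet counters; the Citrix and PC/server traffic that used to inflate CM-VOICE-EF and CM-BUSINESS-AF31 should now be counted under class-default instead. Second, the example keeps call-control signaling at CS3 rather than promoting it to EF as the original CM-VOICE-EF class did (which placed signaling into the 5% priority queue on egress); since the question's SP-CE-OUT policy has no CS3 class, either add one (`class-map match-any CM-SIGNALING-OUT` with `match ip dscp cs3` and a small `bandwidth percent`) or, if you would rather keep the original behaviour, change the CM-SIGNALING-TRUSTED action back to `set ip dscp ef`.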