QoS Policy to protect VoIP

Wayne Ficklin · ‎09-26-2013

I work at a university where we allow (practically) anything on the network as long as it plays nicely and doesn't interfere with other people's access to the network. With that in mind, I've been tasked with setting up a QoS policy that protects VoIP and Video ...while doing as little to interfere with other people's ability to flood the network with traffic as possible. I've done a little legwork but I'm hitting some roadblocks so I'm coming here to help me rethink things. Below you'll find what I've got so far.

ip access-list ext voip-traffic

remark rtp

permit udp <voice vlan> any range 16384 32767

ip access-list ext voip-signaling

remark SCCP

permit tcp <voice vlan> any range 2000 2002

remark SIP

permit tcp <voice vlan>

any range 5060 5061

permit udp <voice vlan> any range 5060 5061

remark MGCP

permit udp <voice vlan> any eq 2427

permit tcp <voice vlan> any eq 2428

#remark h.323

permit tcp any any eq 1720

permit udp any any eq 1719

permit tcp any any range 11000 11999

ip access-list ext ip-routing

permit eigrp any any

permit ospf any any

ip access-list ext ssh

permit tcp <network of netserv engineers> any eq ssh

class-map match-any VoIP

match ip dscp ef

match access-group name voip-traffic

class-map match-any VoIP-Signaling

match access-group name voip-signaling

match ip dscp cs3

match ip dscp af31

class-map Routing

match access-group name ip-routing

class-map ssh

match access-group name ssh

policy-map QoS-Markings

class VoIP

set dscp ef

class VoIP-Signaling

set dscp cs3

class Routing

set dscp cs6

class ssh

set dscp af21conf

int ra g0/1 - 48

service-policy input QoS-Markings

interface GigabitEthernet0/44

description Where I'm making calls from (cisco 7945)

switchport access vlan 304

switchport mode access

switchport voice vlan 800

switchport port-security maximum 3

switchport port-security

switchport port-security aging time 10

switchport port-security violation protect

switchport port-security aging type inactivity

ip arp inspection limit rate 30 burst interval 5

speed auto 10 100 1000

srr-queue bandwidth share 10 10 60 20

srr-queue bandwidth shape 10 0 0 0

queue-set 2

priority-queue out

mls qos trust device cisco-phone

mls qos trust dscp

snmp trap mac-notification change added

snmp trap mac-notification change removed

no mdix auto

storm-control broadcast level 5.00

spanning-tree portfast

service-policy input QoS-Markings

ip verify source

end

When I show int g0/44 I see that queueing is set to fifo. Show policy-map int g0/44 gives 0 packets/0 bytes for all classes when I place a call.

Anyone care to take a stab at helping me understand why those to things are the case and what I need to do? (Also, ask and I'll be happy to clarify whatever doesn't make sense.)

mikemu · ‎09-26-2013

Wayne can you list what platform you are working on with this config ? You could also engage TAC ..

Wayne Ficklin · ‎09-27-2013

This particular config is on a 3560g at the edge/access. It connects to a 3750E @ the distribution layer, and a 6500 in the core. We've also recently(?) begun deploying 3560x and 3750x.

mikemu · ‎09-27-2013

http://blog.ipexpert.com/2010/05/26/introduction-to-catalyst-3560-qos/

This is a great article from the Ipexpert guys..

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_55_se/configuration/guide/swqos.html

Link to the 3560 guide

The policy looks good to me you may try a TAC case to have them lab\really dig into this

Wayne Ficklin · ‎09-27-2013

Do I need to have a separate "service-policy output " on my uplinks (and upstream switches?)