09-26-2013 11:39 AM
I work at a university where we allow (practically) anything on the network as long as it plays nicely and doesn't interfere with other people's access to the network. With that in mind, I've been tasked with setting up a QoS policy that protects VoIP and Video ...while doing as little to interfere with other people's ability to flood the network with traffic as possible. I've done a little legwork but I'm hitting some roadblocks so I'm coming here to help me rethink things. Below you'll find what I've got so far.
ip access-list ext voip-traffic
 remark rtp
 permit udp <voice vlan> any range 16384 32767
ip access-list ext voip-signaling
 remark SCCP
 permit tcp <voice vlan> any range 2000 2002
 remark SIP
 permit tcp <voice vlan> any range 5060 5061
 permit udp <voice vlan> any range 5060 5061
 remark MGCP
 permit udp <voice vlan> any eq 2427
 permit tcp <voice vlan> any eq 2428
 remark h.323
 permit tcp any any eq 1720
 permit udp any any eq 1719
 permit tcp any any range 11000 11999
ip access-list ext ip-routing
 permit eigrp any any
 permit ospf any any
ip access-list ext ssh
 permit tcp <network of netserv engineers> any eq ssh
!
class-map match-any VoIP
 match ip dscp ef
 match access-group name voip-traffic
class-map match-any VoIP-Signaling
 match access-group name voip-signaling
 match ip dscp cs3
 match ip dscp af31
class-map Routing
 match access-group name ip-routing
class-map ssh
 match access-group name ssh
!
policy-map QoS-Markings
 class VoIP
  set dscp ef
 class VoIP-Signaling
  set dscp cs3
 class Routing
  set dscp cs6
 class ssh
  set dscp af21
!
int ra g0/1 - 48
 service-policy input QoS-Markings
!
interface GigabitEthernet0/44
 description Where I'm making calls from (cisco 7945)
 switchport access vlan 304
 switchport mode access
 switchport voice vlan 800
 switchport port-security maximum 3
 switchport port-security
 switchport port-security aging time 10
 switchport port-security violation protect
 switchport port-security aging type inactivity
 ip arp inspection limit rate 30 burst interval 5
 speed auto 10 100 1000
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 queue-set 2
 priority-queue out
 mls qos trust device cisco-phone
 mls qos trust dscp
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 no mdix auto
 storm-control broadcast level 5.00
 spanning-tree portfast
 service-policy input QoS-Markings
 ip verify source
end
When I show int g0/44 I see that queueing is set to fifo. Show policy-map int g0/44 gives 0 packets/0 bytes for all classes when I place a call.
Anyone care to take a stab at helping me understand why those two things are the case and what I need to do? (Also, ask and I'll be happy to clarify whatever doesn't make sense.)
09-26-2013 09:13 PM
Wayne, can you list what platform you are working on with this config? You could also engage TAC.
09-27-2013 05:10 AM
This particular config is on a 3560g at the edge/access. It connects to a 3750E @ the distribution layer, and a 6500 in the core. We've also recently(?) begun deploying 3560x and 3750x.
09-27-2013 05:56 AM
http://blog.ipexpert.com/2010/05/26/introduction-to-catalyst-3560-qos/
This is a great article from the Ipexpert guys.
Link to the 3560 guide
The policy looks good to me; you may try a TAC case to have them lab/really dig into this.
09-27-2013 07:45 AM
Do I need to have a separate "service-policy output