cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8578
Views
0
Helpful
12
Replies

Configure QoS for voice traffic over site-to-site VPN tunnel

femi.agboade
Level 1
Level 1

Hi,

I want to configure QoS for voice traffic over a site-to-site VPN tunnel.

I have a Cisco 851 router on the branch end and a Cisco 1800 router at the HQ. The setup is an Avaya Gateway located at the HQ and the idea is that the phones at the branch office are connected over the VPN tunnel to the gateway at the HQ.

I have a 1MB internet link at the HQ from a service provider and 256kbps internet link (from a different service provider) at the branch office. The branch office has just 3 users.

I would appreciate any advice or help with this please.

Regards,

Femi

12 Replies 12

Marcin Latosiewicz
Cisco Employee
Cisco Employee

Hi Femi,

Long time ;-)

Are you using crypto maps to establish VPN connectivity between the sites?

If you you need:

1) QoS pre-classify on both branch and HQ locations. You enabled those under crypto map.

crypto map MAP 10 ipsec-isakmp

set peer 10.0.0.2

set transform-set TRA

match address VPN

qos pre-classify

2) You need create a class-map and policy-map to match traffic and of course apply it to interface:

class-map match-all VOICE

match  dscp ef

policy-map POLICY

class VOICE

    priority 64

class class-default

    fair-queue

interface Ethernet0/0

ip address 10.0.0.1 255.255.255.0

crypto map MAP

service-policy output POLICY

This should be normally enough for your branch. You might need a bit more on HQ, depending on how much traffic the phones will generate (it depends on codec used, compression etc etc).

The config above is to make sure that voice calls will be sent before anything else.

HTH.

Marcin

Hi there Marcin,

Been a while indeed ...how are things?

Thank you for your valuable response as always. I had actually tried your suggestions above because I actually do have crypto maps setup for the VPN connectivity. However, the problem seems to be with the Cisco 871 (running

Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.4(15)T7)

router at the branch office on which I am unable to run "qos pre-calssify" and "match dscp ef" commands.

Being that I am not an Avaya expert, I will speak to the administrator tomorrow about the codecs and I feel it might be quite helpful.

However, my aim is to ensure that voice calls are given priority over the link before anything else at the branch office.

So, I hope you still have some magic up your sleeves.

Regards,

Femi

Joseph W. Doherty
Hall of Fame
Hall of Fame

Disclaimer

The  Author of this posting offers the information contained within this  posting without consideration and with the reader's understanding that  there's no implied or expressed suitability or fitness for any purpose.  Information provided is for informational purposes only and should not  be construed as rendering professional advice of any kind. Usage of this  posting's information is solely at reader's own risk.

Liability Disclaimer

In  no event shall Author be liable for any damages whatsoever (including,  without limitation, damages for loss of use, data or profit) arising out  of the use or inability to use the posting's information even if Author  has been advised of the possibility of such damage.

Posting

Two secrets to make this usually (NB: no guarantee across Internet) work well.

First, traffic shape your HQ side's egress to branch side 256 Kbps.  (NB: you might need to shape up to 15% slower to account for L2 overhead.)

Second, don't use these Internet connections for anything other than the VPN traffic.

Of course, you will still need to classify and prioritize VoIP payload.  You might also need to treat VoIP signaling special too.  Also minimize your physical interface hardware FIFO queues (tx-ring-limit), if you can on your routers.

Hello Joseph,

Thank you for the comments. However, the internet link at the branch office will serve both for phone connectivity and internet access for the 3 staff seated there. So to say the link shouldnt be used for anything else would be impossible.

Secondly, I am not sure I understand what you mean by shaping the HQ's egress? Could you be a bit more clear, possibly with a sample config and explanation?

Regards,

Femi

Disclaimer

The  Author of this posting offers the information contained within this  posting without consideration and with the reader's understanding that  there's no implied or expressed suitability or fitness for any purpose.  Information provided is for informational purposes only and should not  be construed as rendering professional advice of any kind. Usage of this  posting's information is solely at reader's own risk.

Liability Disclaimer

In  no event shall Author be liable for any damages whatsoever (including,  without limitation, damages for loss of use, data or profit) arising out  of the use or inability to use the posting's information even if Author  has been advised of the possibility of such damage.

Posting

"So to say the link shouldnt be used for anything else would be impossible."  Not impossible, just impractical.  The key to supporting real-time traffic like VoIP is guaranteeing its priority over other traffic.  If you share an Internet link with "raw" Internet traffic you'll be unable to provide this guarantee for VoIP.  In such situations, I recommend, if available, as 2nd inexpensive (e.g. DSL, cable) Internet link for other than VPN traffic.

An example config (NB: syntax likely incorrect and incomplete)

class-map match-all VoIP

match protocol ???

class-map match-all Branch1

match ACL

class-map match-all Branch2

match ACL

policy-map parent

class Branch1

shape 256

service-policy child

class Branch2

service-policy child

policy-map child

class VoIP

priority 30 percent

class-default

fair-queue

Depending on you VPN configuration, you might apply the parent policy on the physical interface or tunnel interface.  If applied on the physical interface, you'll likely need to use the qos pre-classify.

Hello,

I have tried what you suggested above but still unable to make any headway. For your information, the VPN was purely setup for the voice traffic and nothing else. Hence I can dedicate the entire bandwidth of the tunnel to voice traffic.

I'm beginning to tear my head out as all I have tried so far hasnt worked.

Another observation i noticed was that when i did a 'sh int tun0' command, the tunnel bandwidth is capped at 9kbps, please see below:

ROUTER#sh int tun0

Tunnel0 is up, line protocol is up

  Hardware is Tunnel

  Description: Tunnel to HQ

  Internet address is 192.168.200.2/30

  MTU 1514 bytes, BW 9 Kbit/sec, DLY 500000 usec,

     reliability 255/255, txload 1/255, rxload 1/255

  Encapsulation TUNNEL, loopback not set

  Keepalive not set

  Tunnel source 1.1.1.1, destination 2.2.2.2

  Tunnel protocol/transport IP/IP

  Tunnel TTL 255

  Fast tunneling enabled

  Tunnel transmit bandwidth 8000 (kbps)

  Tunnel receive bandwidth 8000 (kbps)

  Last input 00:45:29, output 00:45:31, output hang never

  Last clearing of "show interface" counters never

  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 1220

  Queueing strategy: fifo

  Output queue: 0/0 (size/max)

  5 minute input rate 0 bits/sec, 0 packets/sec

  5 minute output rate 0 bits/sec, 0 packets/sec

     1719 packets input, 227853 bytes, 0 no buffer

     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles

     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

     3116 packets output, 479098 bytes, 0 underruns

     0 output errors, 0 collisions, 0 interface resets

     0 output buffer failures, 0 output buffers swapped out

ROUTER#

In the light of this, any suggestions you can give please? Anyone?

Regards,

Femi

Disclaimer

The   Author of this posting offers the information contained within this   posting without consideration and with the reader's understanding that   there's no implied or expressed suitability or fitness for any purpose.   Information provided is for informational purposes only and should not   be construed as rendering professional advice of any kind. Usage of  this  posting's information is solely at reader's own risk.

Liability Disclaimer

In   no event shall Author be liable for any damages whatsoever (including,   without limitation, damages for loss of use, data or profit) arising  out  of the use or inability to use the posting's information even if  Author  has been advised of the possibility of such damage.

Posting

Tunnel is bandwidth is a logical setting, doesn't impact bandwidth actually available.

So neither side, HQ or Branch, used Internet for other traffic, at all, then your VPN traffic?

Could you post "show interface" and "show service-policy ouput" for both HQ and Branch while running test.

Hi,

The internet at both sites would be used for internet traffic at the respective sites, however, the VPN is setup only to allow the phones at the BO (branch office) to communicate seamlessly with the gateway and phones at the HO.

Please see the attached config files of both routers.

Below is the sh int commands at both sites:

BO

BO#sh int

FastEthernet0 is up, line protocol is up

  Hardware is Fast Ethernet, address is 0023.04b4.c9b2 (bia 0023.04b4.c9b2)

  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,

     reliability 255/255, txload 1/255, rxload 1/255

  Encapsulation ARPA, loopback not set

  Keepalive set (10 sec)

  Full-duplex, 100Mb/s

  ARP type: ARPA, ARP Timeout 04:00:00

  Last input 00:00:24, output never, output hang never

  Last clearing of "show interface" counters never

  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

  Queueing strategy: fifo

  Output queue: 0/40 (size/max)

  5 minute input rate 0 bits/sec, 0 packets/sec

  5 minute output rate 0 bits/sec, 0 packets/sec

     5514865 packets input, 628355208 bytes, 0 no buffer

     Received 27102 broadcasts, 0 runts, 0 giants, 0 throttles

     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

     0 input packets with dribble condition detected

     9252374 packets output, 2416457743 bytes, 0 underruns

     0 output errors, 0 collisions, 2 interface resets

     0 babbles, 0 late collision, 0 deferred

     0 lost carrier, 0 no carrier

     0 output buffer failures, 0 output buffers swapped out

!

FastEthernet4 is up, line protocol is up

  Hardware is PQUICC_FEC, address is 0023.04b4.c9bc (bia 0023.04b4.c9bc)

  Description: WAN_FW_OUTSIDE$ETH-WAN$

  Internet address is 2.2.2.2

  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,

     reliability 255/255, txload 1/255, rxload 1/255

  Encapsulation ARPA, loopback not set

  Keepalive set (10 sec)

  Full-duplex, 100Mb/s, 100BaseTX/FX

  ARP type: ARPA, ARP Timeout 04:00:00

  Last input 00:00:00, output 00:00:00, output hang never

  Last clearing of "show interface" counters never

  Input queue: 0/75/1849/0 (size/max/drops/flushes); Total output drops: 7911

  Queueing strategy: fifo

  Output queue: 0/40 (size/max)

  5 minute input rate 0 bits/sec, 0 packets/sec

  5 minute output rate 0 bits/sec, 0 packets/sec

     9370828 packets input, 2433613948 bytes

     Received 0 broadcasts, 0 runts, 0 giants, 1722 throttles

     4 input errors, 4 CRC, 0 frame, 0 overrun, 0 ignored

     0 watchdog

     0 input packets with dribble condition detected

     5995792 packets output, 621464716 bytes, 0 underruns

     0 output errors, 0 collisions, 2 interface resets

     0 babbles, 0 late collision, 0 deferred

     0 lost carrier, 0 no carrier

     0 output buffer failures, 0 output buffers swapped out

!

Tunnel0 is up, line protocol is up

  Hardware is Tunnel

  Description: Tunnel to HO

  Internet address is 192.168.200.2/30

  MTU 1514 bytes, BW 9 Kbit/sec, DLY 500000 usec,

     reliability 255/255, txload 1/255, rxload 1/255

  Encapsulation TUNNEL, loopback not set

  Keepalive not set

  Tunnel source 2.2.2.2, destination 1.1.1.1

  Tunnel protocol/transport IP/IP

  Tunnel TTL 255

  Fast tunneling enabled

  Tunnel transmit bandwidth 8000 (kbps)

  Tunnel receive bandwidth 8000 (kbps)

  Last input 09:42:55, output 09:42:55, output hang never

  Last clearing of "show interface" counters never

  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 1432

  Queueing strategy: fifo

  Output queue: 0/0 (size/max)

  5 minute input rate 0 bits/sec, 0 packets/sec

  5 minute output rate 0 bits/sec, 0 packets/sec

     2569 packets input, 311090 bytes, 0 no buffer

     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles

     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

     8973 packets output, 2125874 bytes, 0 underruns

     0 output errors, 0 collisions, 0 interface resets

     0 output buffer failures, 0 output buffers swapped out

NVI0 is up, line protocol is up

  Hardware is NVI

  Interface is unnumbered. Using address of FastEthernet4 (2.2.2.2)

  MTU 1514 bytes, BW 10000000 Kbit/sec, DLY 0 usec,

     reliability 255/255, txload 1/255, rxload 1/255

  Encapsulation UNKNOWN, loopback not set

  Last input never, output never, output hang never

  Last clearing of "show interface" counters never

  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

  5 minute input rate 0 bits/sec, 0 packets/sec

  5 minute output rate 0 bits/sec, 0 packets/sec

     0 packets input, 0 bytes, 0 no buffer

     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles

     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

     0 packets output, 0 bytes, 0 underruns

     0 output errors, 0 collisions, 0 interface resets

     0 output buffer failures, 0 output buffers swapped out

Vlan101 is up, line protocol is up

  Hardware is EtherSVI, address is 0023.04b4.c9b2 (bia 0023.04b4.c9b2)

  Description: LAN_FW_INSIDE

  Internet address is 192.168.1.254/24

  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,

     reliability 255/255, txload 1/255, rxload 1/255

  Encapsulation ARPA, loopback not set

  ARP type: ARPA, ARP Timeout 04:00:00

  Last input 00:00:01, output never, output hang never

  Last clearing of "show interface" counters never

  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

  Queueing strategy: fifo

  Output queue: 0/40 (size/max)

  5 minute input rate 0 bits/sec, 0 packets/sec

  5 minute output rate 0 bits/sec, 0 packets/sec

     5483705 packets input, 603199135 bytes, 0 no buffer

     Received 42752 broadcasts, 0 runts, 0 giants, 0 throttles

     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

     9178879 packets output, 2373500083 bytes, 0 underruns

     0 output errors, 1 interface resets

     0 output buffer failures, 0 output buffers swapped out

HO

LINETRALE_GW#sh int

FastEthernet0 is up, line protocol is up

  Hardware is PQ3_TSEC, address is 001d.70c6.c8de (bia 001d.70c6.c8de)

  Description: $ES_WAN$$FW_OUTSIDE$

  Internet address is 1.1.1.1

  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,

     reliability 255/255, txload 1/255, rxload 1/255

  Encapsulation ARPA, loopback not set

  Keepalive set (10 sec)

  Full-duplex, 100Mb/s, 100BaseTX/FX

  ARP type: ARPA, ARP Timeout 04:00:00

  Last input 00:00:00, output 00:00:00, output hang never

  Last clearing of "show interface" counters never

  Input queue: 0/75/1/0 (size/max/drops/flushes); Total output drops: 0

  Queueing strategy: fifo

  Output queue: 0/40 (size/max)

  5 minute input rate 12000 bits/sec, 5 packets/sec

  5 minute output rate 2000 bits/sec, 3 packets/sec

     12138005 packets input, 3378735889 bytes

     Received 1359087 broadcasts, 0 runts, 0 giants, 0 throttles

     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

     0 watchdog

     0 input packets with dribble condition detected

     9057314 packets output, 984709135 bytes, 0 underruns

     0 output errors, 0 collisions, 6 interface resets

     0 babbles, 0 late collision, 0 deferred

     0 lost carrier, 0 no carrier

     0 output buffer failures, 0 output buffers swapped out

!

FastEthernet2 is up, line protocol is up

  Hardware is FastEthernet, address is 001d.70c6.c8e0 (bia 001d.70c6.c8e0)

  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,

     reliability 255/255, txload 1/255, rxload 1/255

  Encapsulation ARPA, loopback not set

  Keepalive set (10 sec)

  Full-duplex, 100Mb/s

  ARP type: ARPA, ARP Timeout 04:00:00

  Last input 00:00:06, output never, output hang never

  Last clearing of "show interface" counters never

  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

  Queueing strategy: fifo

  Output queue: 0/40 (size/max)

  5 minute input rate 1000 bits/sec, 2 packets/sec

  5 minute output rate 10000 bits/sec, 1 packets/sec

     9258792 packets input, 1061924560 bytes, 0 no buffer

     Received 363301 broadcasts, 0 runts, 0 giants, 0 throttles

     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

     0 input packets with dribble condition detected

     10734065 packets output, 3322573063 bytes, 0 underruns

     0 output errors, 0 collisions, 2 interface resets

     0 babbles, 0 late collision, 0 deferred

     0 lost carrier, 0 no carrier

     0 output buffer failures, 0 output buffers swapped out

!

Tunnel1 is up, line protocol is up

  Hardware is Tunnel

  Description: Tunnel to BO

  Internet address is 192.168.200.1/30

  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,

     reliability 255/255, txload 1/255, rxload 1/255

  Encapsulation TUNNEL, loopback not set

  Keepalive not set

  Tunnel source 1.1.1.1, destination 2.2.2.2

  Tunnel protocol/transport IP/IP

  Tunnel TTL 255

  Fast tunneling enabled

  Tunnel transmit bandwidth 8000 (kbps)

  Tunnel receive bandwidth 8000 (kbps)

  Last input 14:41:35, output 2d10h, output hang never

  Last clearing of "show interface" counters never

  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 118

  Queueing strategy: fifo

  Output queue: 0/0 (size/max)

  5 minute input rate 0 bits/sec, 0 packets/sec

  5 minute output rate 0 bits/sec, 0 packets/sec

     8781 packets input, 1234171 bytes, 0 no buffer

     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles

     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

     7089 packets output, 840502 bytes, 0 underruns

     0 output errors, 0 collisions, 0 interface resets

     0 output buffer failures, 0 output buffers swapped out

NVI0 is up, line protocol is up

  Hardware is NVI

  Interface is unnumbered. Using address of NVI0 (0.0.0.0)

  MTU 1514 bytes, BW 10000000 Kbit, DLY 0 usec,

     reliability 255/255, txload 1/255, rxload 1/255

  Encapsulation UNKNOWN, loopback not set

  Last input never, output never, output hang never

  Last clearing of "show interface" counters never

  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

  5 minute input rate 0 bits/sec, 0 packets/sec

  5 minute output rate 0 bits/sec, 0 packets/sec

     0 packets input, 0 bytes, 0 no buffer

     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles

     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

     0 packets output, 0 bytes, 0 underruns

     0 output errors, 0 collisions, 0 interface resets

     0 output buffer failures, 0 output buffers swapped out

Vlan101 is up, line protocol is up

  Hardware is EtherSVI, address is 001d.70c6.c8de (bia 001d.70c6.c8de)

  Description: $ES_LAN$$FW_INSIDE$

  Internet address is 192.168.0.254/24

  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,

     reliability 255/255, txload 1/255, rxload 1/255

  Encapsulation ARPA, loopback not set

  ARP type: ARPA, ARP Timeout 04:00:00

  Last input 00:00:00, output never, output hang never

  Last clearing of "show interface" counters never

  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 2

  Queueing strategy: fifo

  Output queue: 0/40 (size/max)

  5 minute input rate 2000 bits/sec, 3 packets/sec

  5 minute output rate 11000 bits/sec, 2 packets/sec

     9188943 packets input, 1018191942 bytes, 0 no buffer

     Received 509724 broadcasts, 0 runts, 0 giants, 0 throttles

     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

     10555051 packets output, 3262932066 bytes, 0 underruns

     0 output errors, 1 interface resets

     0 output buffer failures, 0 output buffers swapped out

Looking forward to your comments.

Thanks a lot for the help so far.

Regards,

Femi

Disclaimer

The  Author of this posting offers the information contained within this  posting without consideration and with the reader's understanding that  there's no implied or expressed suitability or fitness for any purpose.  Information provided is for informational purposes only and should not  be construed as rendering professional advice of any kind. Usage of this  posting's information is solely at reader's own risk.

Liability Disclaimer

In  no event shall Author be liable for any damages whatsoever (including,  without limitation, damages for loss of use, data or profit) arising out  of the use or inability to use the posting's information even if Author  has been advised of the possibility of such damage.

Posting

Again, if you use the Internet links for anything other than your VPN traffic, you can not guarantee any level of performance!

During any congestion event, VoIP generally require precedence over other traffic and allowing Internet traffic outside of your QoS precludes guaranteeing that precedence.

Although you're shaping, you're only using GTS when I described shaping using CBWFQ with LLQ for VoIP packets.  However, if the only traffic to be passed across the tunnel is VoIP, then no shaping should be necessary.  (This assumes no other traffic on the links but VoIP.)

When dealing with VoIP, looking at even 30 second loads on interfaces can be misleading, the default of 5 minute interface load averages compounds this.  I.e., reduce the load interval to the minimum, 30 seconds, to provide a slightly better picture of real-time interface load.

Do I understand correctly, that VoIP works but works poorly?  Further, this was true at the time these stats were taken?

Hello Joseph,

Thanks a lot for taking the time to help, really appreciate it.

I understand the risk of using the internet links for anything other than VPN traffic.

As regards traffic through the tunnel, yes only the VoIP traffic will be permitted at this time.

What is obtainable right now is that the phones at the BO get registered with the gateway, but I dont get signalling, that is no dial tone and when I place a call from the HO to the phones at the BO, I get a ring back tone from the HO phone, but the phone never actually rings out at the BO.

And yes, this is the situation as at the time I took the readings.

What are your thoughts?

Regards,

Femi

Disclaimer

The   Author of this posting offers the information contained within this   posting without consideration and with the reader's understanding that   there's no implied or expressed suitability or fitness for any purpose.   Information provided is for informational purposes only and should not   be construed as rendering professional advice of any kind. Usage of  this  posting's information is solely at reader's own risk.

Liability Disclaimer

In   no event shall Author be liable for any damages whatsoever (including,   without limitation, damages for loss of use, data or profit) arising  out  of the use or inability to use the posting's information even if  Author  has been advised of the possibility of such damage.

Posting

My thoughts?  At this time you likely don't have a QoS issue, but more likely have a fundamental VoIP issue.  I suspect some of your VoIP traffic isn't making it, at all, end-to-end.  That's what I would suggest you investigate next.

There is a VoIP forum where you might post for help, although, of course, more Cisco centric than Avaya.

Hi,

Thanks for the comments. I will consider your suggestions and make a new post in the VoIP forum.

Thanks.

Femi