Adding QoS for video phone to existing policy

Unanswered Question
Feb 25th, 2009

I have an existing qos policy for our branches and main site. We are implementing video phones in our branches and I have a few questions on how to best implement the qos

The branch config is as follows; currently the voice and data are in the same class of voice:

class-map match-all DATA-Priority
 match access-group 111
class-map match-all VOICE
 match access-group 110

policy-map P-QoS
 class VOICE
  priority percent 21
  set dscp ef
 class DATA
  bandwidth percent 5
  set dscp af31
 class class-default
  set dscp default



The phones for our company are matched on access-list 110.

Access-list 111 is actually an application that the remote branches use that connects to a host in the main site.

Going by the Cisco 8 class design model, dscp af31 is actually classed for voice control traffic.

My questions are these:

Would it be beneficial to change the policy so that the data priority queue dscp af31 is used for voice signaling?

There does not seem to be any poor quality calling at the moment, but we are not using the video phones yet.

The 8 class model is a little more detailed than I need, I am thinking I could do something like the following:

class-map match-all Voice
 match ip dscp ef
class-map match-all Interactive Video
 match ip dscp af41 af42
class-map match-any Call Signaling
 match ip dscp cs3
 match ip dscp af31
class-map match-all Critical Data
 match ip dscp af21 af22
class-map match-all Bulk Data

policy-map WAN-EDGE
 class Voice
  priority percent 18
 class Interactive Video
  priority percent 15
 class Call Signaling
  bandwidth percent 5
 class Critical Data
  bandwidth percent 27
  random-detect dscp-based
 class Bulk Data
  bandwidth percent 4

Could someone provide some input?

Also, how do the classes in the Cisco model match the traffic if they are not using access-lists?

Nicholas Matthews Wed, 02/25/2009 - 18:21

I don't think there would be any benefit to adding the voice signaling to your data priority queue. If you find that your signaling queue is dropping packets, you will want to increase the percentage allocated for signaling. If you lump it with the data, it will be much harder to determine this value.

In this case 'class-map match-all Bulk Data' will not be working correctly. I believe that since there are no match statements, this class will be ignored. You can try it and use 'show policy-map interface' to see what happens. The default action of access lists that are referenced but do not exist is to permit everything. I'm not sure about class maps that don't have any statements. I'm on the side that they won't match anything and thus be ignored.

You can match with NBAR with CEF enabled on protocol such as 'match protocol http' and the likes without ACLs, but that doesn't appear to be what you're asking about.



wilson_1234_2 Wed, 02/25/2009 - 19:05

Thanks for the reply,

Some follow up questions if you don't mind:

1. Why don't you think it would benefit to add the voice signaling AS a data priority queue?

2. The fact that the Data-Priority in my existing set-up is referencing "dscp af31": is there anything special (specific ports or anything else) that this class is tied to that makes it voice signaling?

I don't understand why they used that class for an application when it is specifically a voice signaling class.

3. Ok, on your response about access-lists, I wondered about that because they were not there.

Are you saying that per these classes, each "match" statement is referencing an access-list?

class-map match-all Voice
 match ip dscp ef
class-map match-all Interactive Video
 match ip dscp af41 af42
class-map match-any Call Signaling
 match ip dscp cs3
 match ip dscp af31
class-map match-all Critical Data
 match ip dscp af21 af22
class-map match-all Bulk Data

For example, there should be an access list called

Interactive Video
Call Signaling
Critical Data
Bulk Data

Is that correct?

Also, what is the significance of the "any" and "all" difference?

Nicholas Matthews Wed, 02/25/2009 - 19:20

1) In this case you will want your voice signaling traffic to only have voice signaling. This will allow for easier management and troubleshooting, as well as prevent other data applications from over-utilizing the queue.

You should note that the policy map is order-specific. If you have a class matching dscp af31 above another class matching dscp af31, the class lower in the policy map would not ever match on that.

2. By matching dscp af31, you are matching on 6 bits of the IP header only. This is referred to as the Type of Service (TOS) header of the IP packet. To match on ports or protocol, it would require NBAR or access lists. This matches strictly on the IP header.

This DSCP value was arbitrarily used for voice signaling. There is most likely a reference to this in the DiffServ RFC. There aren't any restrictions from other applications from utilizing this value. This is why it's important to understand and utilize DSCP/COS trusting and marking at your network edges.

3. None of the listed classes are matching access lists, only the previously mentioned DSCP values.

The format of the command is "class-map [ match-all | match-any ] ". Those five names are just the names of the classes, which are then referenced in the policy map. It is possible to add multiple match statements to each class. If you have multiple statements, the match-any is a logical OR statement on the statements, and the match-all is a logical AND between the statements.
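As an added example (not code from the thread, and not Cisco's implementation), here is a small Python model of the class-map and policy-map semantics described in the replies above: match-all as a logical AND, match-any as a logical OR, first-match order inside the policy-map, and a class-map with no match statements matching nothing. Class and DSCP names mirror the ones in the thread; the packets, the ACL-number stand-in, and the trailing "Shadowed-af31" class are constructed for the example.

```python
# Added example (not from the thread or from Cisco): a small Python model of how
# MQC evaluates the class-maps of a policy-map in order.  Class and DSCP names
# mirror the ones discussed above; the packets are constructed for the example.
from dataclasses import dataclass, field
from typing import FrozenSet, List, Tuple

# Decimal values of the 6-bit DSCP code points used in the thread.
DSCP = {"default": 0, "af21": 18, "af22": 20, "cs3": 24, "af31": 26,
        "af41": 34, "af42": 36, "ef": 46}


@dataclass(frozen=True)
class Packet:
    dscp: int
    # Numbers of the access lists that would permit this packet.  This stands
    # in for ACL evaluation, which is outside the scope of the model.
    acl_groups: FrozenSet[int] = frozenset()


@dataclass
class ClassMap:
    name: str
    mode: str                      # "match-all" (AND) or "match-any" (OR)
    # ("dscp", {values}) models 'match ip dscp a b c' (any listed value),
    # ("access-group", n) models 'match access-group n'.
    matches: List[Tuple] = field(default_factory=list)

    def _eval(self, stmt: Tuple, pkt: Packet) -> bool:
        kind, arg = stmt
        if kind == "dscp":
            return pkt.dscp in arg
        if kind == "access-group":
            return arg in pkt.acl_groups
        raise ValueError(f"unknown match type {kind}")

    def matches_packet(self, pkt: Packet) -> bool:
        results = [self._eval(s, pkt) for s in self.matches]
        if not results:
            # A class-map with no match statements matches nothing.
            return False
        return all(results) if self.mode == "match-all" else any(results)


def classify(policy: List[ClassMap], pkt: Packet) -> str:
    """Return the name of the first class in policy-map order that matches,
    or 'class-default' when none does.  Because evaluation stops at the first
    hit, a later class matching the same DSCP is never reached."""
    for cm in policy:
        if cm.matches_packet(pkt):
            return cm.name
    return "class-default"


def wan_edge_policy() -> List[ClassMap]:
    """The class-maps from the thread, in policy-map order, plus a constructed
    trailing class that also matches af31 to show that it is shadowed."""
    return [
        ClassMap("Voice", "match-all", [("dscp", {DSCP["ef"]})]),
        ClassMap("Interactive Video", "match-all",
                 [("dscp", {DSCP["af41"], DSCP["af42"]})]),
        ClassMap("Call Signaling", "match-any",
                 [("dscp", {DSCP["cs3"]}), ("dscp", {DSCP["af31"]})]),
        ClassMap("Critical Data", "match-all",
                 [("dscp", {DSCP["af21"], DSCP["af22"]})]),
        ClassMap("Bulk Data", "match-all", []),          # no match statements
        ClassMap("Shadowed-af31", "match-all", [("dscp", {DSCP["af31"]})]),
    ]


def hit_counts(policy: List[ClassMap], packets: List[Packet]) -> dict:
    """Count how many packets land in each class, in the spirit of the
    per-class counters shown by 'show policy-map interface'."""
    counts = {cm.name: 0 for cm in policy}
    counts["class-default"] = 0
    for pkt in packets:
        counts[classify(policy, pkt)] += 1
    return counts


if __name__ == "__main__":
    sample = [Packet(46), Packet(26), Packet(24), Packet(34), Packet(10), Packet(0)]
    for name, n in hit_counts(wan_edge_policy(), sample).items():
        print(f"{name:20s} {n}")
```

Running it shows "Bulk Data" and "Shadowed-af31" with zero hits: the first because it has no match statements, the second because "Call Signaling" already claimed every af31 packet earlier in the policy-map.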


wilson_1234_2 Wed, 02/25/2009 - 20:09

Thanks for the excellent replies nick,

One last question, you may have answered this and I didn't get it:

If I am matching each class to an access-list and the desktops will each have a Cisco IP phone with an IP address, and the desktop has a video camera, am I matching the phone IP address to voice and the desktop ip address to video, or are they both matched to the phone?

In which case,

I have to match both classes to the same IP Address, how do I do that?

Nicholas Matthews Thu, 02/26/2009 - 07:59

If the video is coming from the PC it will have a different IP address than the phones, so this should be an issue.

You should be able to match voice and video with two separate access lists without a problem.


wilson_1234_2 Thu, 02/26/2009 - 14:44

Thanks nic,

Just so I understand correctly,

You are saying above that the classes do not necessarily have to reference an access list,

That the policy in my original post is a valid policy and by not referencing an access-list, any traffic matching the TOS header will be prioritized per the policy?

is this correct?

Also in my earlier post, when I mentioned "they" I was referring to the person that originally designed the policy in my router, I don't understand why they used the af31 class for priority data, when it is a voice signaling class.

Would that part of the policy even prioritise the traffic matching the access-list when there are no TOS headers for voice signaling present in the packets (it is basically a host/client application on port 23)?

Nicholas Matthews Thu, 02/26/2009 - 15:08

It's all valid except for this class:

class-map match-all Bulk Data

It doesn't have any match statements at all.

af31 is the default for many types of signaling, so it's why 'they' used that particular value.

The TOS is a mandatory part of the IP header and every IP packet has a value. Most are 0 by default, except when some application or router has specifically changed it. This is why switchports going to PCs are generally in the untrusted state, and mark everything to 0. It's not specific to voice. The only thing that is specific to voice is that value 46 or EF is used for voice.

It all depends on how you use your class maps. If you match on ACLs, then you can match on any field an ACL can match on. If you want to match on the TOS byte, you can do that as well.



wilson_1234_2 Thu, 02/26/2009 - 15:59

Thanks nick,

"The only thing that is specific to voice is that value 46 or EF is used for voice."

Which is how you can prioritise via tos markings with an access-list, correct?

Also the reason as you mentioned to make sure the switch is configured correctly to make sure the tos is not changed in any way?

I appreciate your excellent answers.

Nicholas Matthews Thu, 02/26/2009 - 18:30

There are many ways to classify voice.

If you know what your voice subnet is, you can do something like this:

access-list 101 permit udp any range 16384 32768
access-list 101 permit udp range 16384 32768
class-map match-any voice-acl
 match ip access-group 101

class-map match-any voice-rtp-nbar
 match protocol rtp audio

class-map match-any voice-dscp
 match dscp ef

access-list 102 permit udp any any dscp ef
class-map match-any voice-acl-dscp
 match ip access-group 102

access-list 103 permit udp any any precedence 5
class-map match-any voice-acl-precedence
 match ip access-group 103

class-map match-any voice-precedence
 match precedence 5

class-map match-any voice-ip-rtp
 match ip rtp 16384 16383

These are all different ways to classify voice. It really depends on what you prefer and how it's configured.

These access-lists are nearly identical in how they match:




The difference is that NBAR is going to require more CPU utilization because NBAR requires for the CPU to read the packets, instead of being fast-switched with CEF in hardware (or close to it). RTP also only uses the even ports, and I believe NBAR for audio only matches the even ports - but this is something that I have not tested. The odd ports are for RTCP which doesn't really matter.

These classes are also almost identical:





The difference is the DSCP is 6 bits. If you only look at the first 3 bits of this, you have the precedence. (The first 3 bits of 46 equals 5). This means if you have DSCP values 40-47, it will match on precedence 5.

You could combine the two, and it would look something like this:

access-list 111 permit udp any range 16384 32768 dscp ef
access-list 111 permit udp range 16384 32768 dscp ef
class-map match-any voice-acl-rtp-dscp
 match ip access-group 111

This matches only udp packets within ports 16384-32768 that are marked with a DSCP value of EF in either direction.

You should also note that the UDP range of 16384 to 32768 is actually only what Cisco uses as their standard, and is not a RFC or ITU standard. If you have a SIP/H323 trunk to another vendor, it is very likely you will use UDP ports outside this range. It may be better to use NBAR in this case because it will actually do a deep protocol inspection on the packets.

Hope this answers your question :)
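Added example, not from the thread: the bit arithmetic behind "match dscp ef" versus "match precedence 5" (and the equivalent "access-list ... precedence 5"), in Python. The DSCP is the high 6 bits of the IP TOS byte and precedence is the top 3 bits of the DSCP, which is why DSCP 40 through 47 all match precedence 5. The DSCP names and values are the standard code points; the af_of_dscp decoder (AFxy = 8x + 2y) goes a little beyond the post by showing why af31 and cs3, the two signaling markings mentioned above, share precedence 3.

```python
# Added example (not from the thread or from Cisco): the bit arithmetic behind
# 'match dscp ef' versus 'match precedence 5'.  The DSCP is the high 6 bits of
# the IP TOS byte (the low 2 bits are ECN) and IP precedence is the top 3 bits
# of the DSCP, so every DSCP from 40 to 47 has precedence 5.
from typing import List, Optional, Tuple

# Standard DSCP code point names and their decimal values.
DSCP_NAMES = {
    "default": 0, "cs1": 8, "af11": 10, "af12": 12, "af13": 14,
    "cs2": 16, "af21": 18, "af22": 20, "af23": 22,
    "cs3": 24, "af31": 26, "af32": 28, "af33": 30,
    "cs4": 32, "af41": 34, "af42": 36, "af43": 38,
    "cs5": 40, "ef": 46, "cs6": 48, "cs7": 56,
}


def tos_byte(dscp: int, ecn: int = 0) -> int:
    """Build the TOS/DiffServ byte as it appears in the IP header."""
    if not 0 <= dscp < 64 or not 0 <= ecn < 4:
        raise ValueError("dscp must be 0..63 and ecn 0..3")
    return (dscp << 2) | ecn


def dscp_of_tos(tos: int) -> int:
    """Extract the 6-bit DSCP from a TOS byte."""
    return (tos >> 2) & 0x3F


def precedence_of_dscp(dscp: int) -> int:
    """IP precedence is the top 3 bits of the DSCP."""
    return dscp >> 3


def af_of_dscp(dscp: int) -> Optional[Tuple[int, int]]:
    """Decode an Assured Forwarding point AFxy (value 8x + 2y) into
    (class x, drop precedence y); None for values that are not AF points."""
    cls, drop, low = dscp >> 3, (dscp >> 1) & 3, dscp & 1
    if low == 0 and 1 <= cls <= 4 and 1 <= drop <= 3:
        return cls, drop
    return None


def dscps_matching_precedence(prec: int) -> List[int]:
    """All DSCP values a 'match precedence <prec>' statement would accept."""
    return [d for d in range(64) if precedence_of_dscp(d) == prec]


def names_matching_precedence(prec: int) -> List[str]:
    """Named code points that a precedence match would sweep up."""
    return sorted(n for n, v in DSCP_NAMES.items() if precedence_of_dscp(v) == prec)


def match_statement(kind: str, value: int, tos: int) -> bool:
    """Evaluate 'match dscp <value>' or 'match precedence <value>' against a
    packet's TOS byte."""
    if kind == "dscp":
        return dscp_of_tos(tos) == value
    if kind == "precedence":
        return precedence_of_dscp(dscp_of_tos(tos)) == value
    raise ValueError(f"unknown match type {kind}")


if __name__ == "__main__":
    print("EF on the wire:", hex(tos_byte(DSCP_NAMES["ef"])))
    print("precedence 5 catches DSCP", dscps_matching_precedence(5),
          "i.e.", names_matching_precedence(5))
    print("precedence 3 catches", names_matching_precedence(3))
```

The practical consequence for the thread: "match precedence 5" would also classify cs5-marked traffic into the voice queue, while "match dscp ef" only takes EF, so the DSCP match is the tighter choice when the edge is trusted to mark correctly.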


wilson_1234_2 Thu, 02/26/2009 - 19:03

I am sorry nick, I promise this will be the last question on this, but you are helping me get a really good understanding:

If I were going to use the access-list 101 in your example (which is how ours is), does the voice signaling class use the same acl as the voice priority class?


My previous posts were comments on your answers to see if I was understanding what you were getting across, thanks for the help, it is greatly appreciated.

Nicholas Matthews Thu, 02/26/2009 - 19:20

Hi Wilson,

Your voice signaling will use a different access list. RTP traffic flows from endpoint to endpoint. Endpoints include phones and gateways primarily, but there can also be mid-points such as transcoders, conference bridges, and media termination points.

Because of this, you can have your UDP traffic flow from one endpoint to a number of other IP addresses.

Your call signaling however, is much more centralized. Generally devices only signal to a certain set of specified devices with a certain set of protocols.

It's harder to give an exact ACL for signaling other than the previously mentioned commonly used signaling DSCP values of af31 and cs3.

Here are some examples depending on your protocol:

(We'll assume these are all outbound QoS policies and that your signaling is going to a device)


access-list 120 permit tcp any host eq 2427
access-list 120 permit tcp any host eq 2727
access-list 120 permit tcp any host eq 2428
access-list 120 permit udp any host eq 2727
access-list 120 permit udp any host eq 2427

access-list 121 permit tcp any host range 1718 1720
access-list 121 permit tcp any host range 11000 11999

access-list 122 permit udp any host range 5060 5061
access-list 122 permit tcp any host range 5060 5061

access-list 123 permit tcp any host range 2000 2002

For reference, I used 'show ip nbar port-map ' for most of these. 99% of MGCP will be on TCP 2427, SCCP TCP 2000, H323 TCP 1720, and SIP UDP 5060. There are some other variants like RAS and the secure versions that use other ports that are worth defining.

I don't mind answering - maybe someone else out there will get some use out of this :)



wilson_1234_2 Mon, 03/02/2009 - 19:19


I have a couple more questions on this, sorry,

The policy I was going to apply above is going on our MPLS connected Main site and branches.

We have gold CAR purchased from the provider.

According to the provider the Gold CAR is only for class "ef".

If they are only prioritizing ef, what happens to the rest of my policy I have configured end to end?

Does it get ignored?

For example in my policy I have a priority queue that matches what Verizon will prioritize for voice, but Verizon is not prioritizing the other classes, will they get prioritized by my policy?

If not, then I don't need them.

If they do, then I don't need the Gold CAR, correct?

policy-map P-QoS
 class VOICE
  priority percent 21
  set dscp ef
 class DATA
  bandwidth percent 5
  set dscp af31
 class class-default
  set dscp default



You mentioned above that I can trigger the match on the map-classes in different ways.

If I trigger the priority on access-list, does the tos header get ignored?


I can have several different priority queues correct?

Nicholas Matthews Mon, 03/02/2009 - 19:45

So when the provider says you have a CAR class of EF, it basically means they're going to give you a fixed level of bandwidth and police you if you go over this.

This can be dangerous because if your voice goes over their value, they will start dropping packets even if there is available bandwidth on your link. You should be mindful of your network edge to make sure that only your voice is coming in as EF. You may want to match your voice based on protocol, and unmark everything else.

To prevent this, it is suggested to find out exactly what that value is and configure a class that matches voice and has a strict priority value.

Such as:

class-map match-any VOICE-TRAFFIC
 match protocol rtp audio
policy-map voice-qos

  set dscp EF

 class class-default
  set dscp 0


Even if your provider is only providing QoS through their network for EF, it is still valuable for you to have QoS on your side.

If you have a typical topology like this:

Device--LAN1--WAN Router1---[Provider Cloud]---WAN Router2---LAN2--Device2

You can lose packets in:

- LAN1/2 (very unlikely as long as you don't have very large switched networks / policers)
- At the outgoing interface of WAN Router1
- Somewhere in the provider cloud

You shouldn't lose packets in your LAN, which really only leaves your WAN router and the cloud. By configuring QoS outbound on your WAN router you can very significantly lower the chances of dropping your traffic.

However, once it leaves your router the marking will be ignored if it is not EF in this case.

The way the priority queue works is that it will send any priority packet before any other packet. It does this up until the kbps limit you have configured (or burst value if it's configured as well), and if the link is NOT under congestion it will continue sending the rest. This is fairly basic.

If you have multiple priority queues, each class will be limited to the bandwidth value given. The example commonly used for this is video. Say you want to prioritize voice and video, but since video will often dynamically use as much bandwidth as is available, you create two priority queues to prevent this.


policy-map voice-and-video
 class voice
  priority 300
 class video
  priority 400

This would limit voice to 300 kbps under congestion and video to 400 kbps under congestion.

"If I trigger the priority on access-list, does the tos header get ignored?"

Each class will only match based upon what you tell it to. If your class map or access list does not reference the DSCP/precedence value, it will not be used.

You can still do this:

class-map match-all voice-acl-and-dscp
 match ip access-group 101
 match dscp EF

This matches on both the access list and DSCP. If you removed the EF statement, that particular class will ignore EF.
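Added example, not from the thread: a simplified Python model of the two behaviours described in this reply. schedule() models the priority (LLQ) queue: priority classes are served first and, only while the link is congested, each is policed to its configured rate, so the voice/video figures above (300 and 400 kbps) cap those classes under congestion but not on an idle link. provider_car() models the provider's CAR class from earlier in the reply: EF above the purchased rate is dropped regardless of free link capacity. All rates are kbps and the loads are constructed; the proportional sharing among non-priority classes is a simplification, not the real WFQ scheduler.

```python
# Added example (not from the thread or from Cisco): a simplified model of the
# two scheduling behaviours described above.  schedule() is the priority (LLQ)
# queue: priority classes go first and, only while the link is congested, each
# is policed to its configured rate.  provider_car() is the provider's CAR
# class: EF above the purchased rate is dropped even when the link is idle.
# All rates are kbps and the figures are constructed for the example.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ClassLoad:
    name: str
    offered_kbps: int
    priority_kbps: Optional[int] = None   # None = ordinary bandwidth class


def schedule(link_kbps: int, classes: List[ClassLoad]) -> Dict[str, int]:
    """Return kbps sent per class over one interval."""
    congested = sum(c.offered_kbps for c in classes) > link_kbps
    sent: Dict[str, int] = {}
    remaining = link_kbps
    # Priority classes are served first.  Under congestion each is capped at
    # its 'priority' rate; when the link is not congested they keep sending.
    for c in classes:
        if c.priority_kbps is None:
            continue
        cap = c.priority_kbps if congested else c.offered_kbps
        sent[c.name] = min(c.offered_kbps, cap, remaining)
        remaining -= sent[c.name]
    # What is left is shared among the non-priority classes in proportion to
    # their load (a simplification of the bandwidth/WFQ scheduler).
    others = [c for c in classes if c.priority_kbps is None]
    total = sum(c.offered_kbps for c in others)
    for c in others:
        share = remaining * c.offered_kbps // total if total else 0
        sent[c.name] = min(c.offered_kbps, share)
    return sent


def dropped(link_kbps: int, classes: List[ClassLoad]) -> Dict[str, int]:
    """Kbps dropped per class: offered minus what the scheduler sent."""
    sent = schedule(link_kbps, classes)
    return {c.name: c.offered_kbps - sent[c.name] for c in classes}


def provider_car(offered_ef_kbps: int, car_kbps: int) -> Tuple[int, int]:
    """Provider-side policer for the EF class: (conforming, dropped) kbps.
    The policer looks only at the EF rate, never at free link capacity."""
    conform = min(offered_ef_kbps, car_kbps)
    return conform, offered_ef_kbps - conform


if __name__ == "__main__":
    # Constructed loads: a T1 with voice and video in separate priority queues.
    loads = [ClassLoad("voice", 250, 300), ClassLoad("video", 900, 400),
             ClassLoad("data", 600)]
    print("congested:", schedule(1544, loads), "dropped:", dropped(1544, loads))
    loads[2].offered_kbps = 200
    print("uncongested:", schedule(1544, loads))
    print("EF over a 1544 kbps CAR:", provider_car(2000, 1544))
```

In the congested run video is held to its 400 kbps priority rate and loses 500 kbps even though it is a priority class; in the uncongested run the same 900 kbps of video goes through untouched, which is the difference the reply describes.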



wilson_1234_2 Tue, 03/03/2009 - 05:50


Thanks for the excellent reply and explanations nic.

It is greatly appreciated and I am getting a much better understanding thanks to you.


We have much more of the Gold CAR than we need,

For example our five branches have at the most 25 users.

Each site has X2 T1s with 1544 Gold CAR at the branches.

The Main Site has 15M and I am not sure how much, but for this example say we have &.5 of Gold CAR.

There is no way for us to utilize all of the gold CAR for voice alone and your example of video is the reason for me asking all of these questions (we are implementing video communication).

Verizon sold us the GOLD CAR because our managers worked with them on the video project.

Are we saying now that the only traffic that Verizon is prioritizing is our voice traffic from branch to branch?

Which is g729, which would be about 30K per call?

Can we create the policy so it will prioritize our video traffic with the ef class?

Nicholas Matthews Tue, 03/03/2009 - 06:22

You may want to try understanding what the provider is doing.

They have a policy that more or less equates to this:

class-map match-any CLASS-EF
 match dscp ef
policy-map GOLD-POLICY
 class CLASS-EF
  priority 1544
 class class-default

All they are matching is EF. Here, any packet can be marked EF, and they'll (theoretically anyway) prioritize it.

If you wanted your web traffic to not be dropped, you could do this:

class-map match-any web-traffic
 match protocol http
policy-map do-not-drop-web-traffic
 class web-traffic
  set dscp ef

You should note that most video traffic is going to be marked AF41 or CS4 by default.

If you have a 1.544 Mb link, and they're giving you 1.544 Mb of Gold CAR, then you would want to mark everything as DSCP EF so none of your traffic gets marked. Basically - you would want to maximize it by using as much of the available CAR as possible without going over.



wilson_1234_2 Tue, 03/03/2009 - 07:47

Sorry nic, I thought I did understand what they were doing.

I didn't understand how to manipulate our policy to best utilize how they had theirs set up.

Maybe you mentioned this earlier, but I didn't "see" what you were saying until just now, which is why I ask all these questions.

Even though it may be frustrating for you, it really does help alot, and is greatly appreciated.

So, I can call voice video and voice signaling all as ef, match by access list and it all should get prioritized.

Thanks for all of your time and assistance in this.

wilson_1234_2 Tue, 03/03/2009 - 08:47

Per your post above:

"You should note that the policy map is order-specific. If you have a class matching dscp af31 above another class matching dscp af31, the class lower in the policy map would not ever match on that."

Won't this prevent me from doing what I had suggested?:

class-map match-all DATA-Priority
 match access-group 111
class-map match-all VOICE
 match access-group 110
class-map match-all VIDEO
 match access-group 109

policy-map PEFCU-QoS
 class VOICE
  priority percent 13
  set dscp ef
 class VIDEO
  priority percent 29
  set dscp ef
 class DATA-Priority
  bandwidth 128
  set dscp ef
 class class-default
  set dscp default



wilson_1234_2 Tue, 03/03/2009 - 08:58


I hope this has not been a bad experience for you and you will not steer clear from any other question I may have in the future.

so that comment is only if the match is made by default TOS marking and not when you define the marking and match access-lists?

Is that correct?

