12-15-2006 08:06 AM - edited 03-14-2019 07:15 PM
I am piloting a site with IP Phones over an IPSEC tunnel. Because of the Internet, I know my tagging is lost once it leaves the LAN, but want the QOS to be optimized at the very least.
Should the policy map be applied to the gig interface or the tunnel interface?
12-15-2006 08:11 AM
Check out http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns109/networking_solutions_white_paper09186a008018913f.shtml I think this is what you're looking for (with config examples).
Good luck!
-Mark
12-15-2006 04:04 PM
The issue with the approach explained in the WP is that essentially you are limiting bandwidth to tunnels to whatever you believe the Internet performance to be. Traffic in excess is dropped (TCP senders will benefit, however) and a quasi-LLQ is given to voice traffic. If you have no issue with that, then it works fine. But you will never get full circuit capacity, or at least it will need fine tuning.
12-15-2006 11:33 PM
We have been running 10 IP phones over an IPsec tunnel with QoS, with a centralized CCM deployment, for over a year. We do see occasional voice quality issues, primarily when we see an increase in round-trip times. Some of the things which you should consider in this deployment are:
1. Use LLQ in your QoS policy to prioritize voice traffic.
2. Provide guaranteed bandwidth for signalling traffic to avoid unregistrations of IP phones.
3. Use an ISP which can provide an SLA on latency and packet drops.
4. Use hardware encryption and decryption as much as possible.
Hope this helps
Thanks
Aman
12-16-2006 03:14 AM
Hi Chris,
I think the URL provided by Mark is a good link,
but the topic discussed in there will work only for a static address, a criterion that you know in advance. So what if you don't know the address, or you want to classify your traffic based on other characteristics of the packets, such as port numbers, which in this situation will be encrypted, which means you cannot access them?
The solution for such a case is the use of the (QOS pre-classify) command under the tunnel or the crypto map; that command will keep a copy of the packet before it hits the tunnel.
But if you want to classify your traffic by the marking done before by the IP phone or others, here the IOS will automatically copy the TOS field of the original packet to the TOS field of the encapsulating IPSEC packet, so it works without difficulties!
HTH
please do rate if it does clarify
12-16-2006 06:37 AM
Indeed, the clean approach is like kamal said: if you directly map between DSCP for packets inside and outside, even if these arrive out of sequence because of queuing in the ISP cloud, IPSEC is smart enough to deal with the cypherstream details and no problem should occur.
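
One way the points raised in this thread (LLQ for voice, guaranteed bandwidth for signalling, `qos pre-classify`, shaping to the expected Internet rate) can fit together in an IOS configuration. This is an added example, not a configuration posted by any participant; all names, addresses, ACL numbers and rates, and the choice of SCCP on TCP 2000 as the signalling protocol, are assumptions.

```cisco
! Constructed example: names, addresses, ACL numbers and rates are placeholders.
! Voice bearer is matched on DSCP; the ToS byte is copied to the outer IPsec
! header, so this match still works after encryption.
class-map match-all VOICE
 match ip dscp ef
!
! Signalling is matched on ports (assumed SCCP, TCP 2000). Ports are hidden
! once the packet is encrypted, so this class depends on qos pre-classify.
access-list 110 permit tcp any any eq 2000
access-list 110 permit tcp any eq 2000 any
class-map match-all VOICE-SIGNALLING
 match access-group 110
!
policy-map VPN-QUEUE
 class VOICE
  ! LLQ: strict-priority queue, policed to 256 kbit/s under congestion
  priority 256
 class VOICE-SIGNALLING
  ! guaranteed minimum of 32 kbit/s for call control
  bandwidth 32
 class class-default
  fair-queue
!
! Parent shaper set to the assumed usable Internet rate (placeholder: 2 Mbit/s),
! so that queueing happens on this router rather than in the ISP cloud.
policy-map VPN-SHAPE
 class class-default
  shape average 2000000
  service-policy VPN-QUEUE
!
! Interesting traffic for the tunnel (placeholder subnets)
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Transform set VPN-TS and the ISAKMP policy are assumed to be defined elsewhere.
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set VPN-TS
 match address 101
 ! classify on a copy of the cleartext headers before encryption
 qos pre-classify
!
interface GigabitEthernet0/0
 crypto map VPN-MAP
 service-policy output VPN-SHAPE
```

`show policy-map interface GigabitEthernet0/0` shows per-class match and drop counters, which confirms whether signalling packets are landing in their class or falling through to `class-default`.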