01-17-2006 12:47 PM - edited 02-21-2020 12:39 AM
Hello,
I am, for the first time, trying to implement qos on a 871 teleworker's router for voip. I have an IPSec VPN to a PIX 6.3. I have used the auto qos command on the external interface, but am not sure what results I will get with this, and what the best way to go is.
Here is the config on the 871...
class-map match-all voice-sig
class-map match-any AutoQoS-VoIP-Remark
match ip dscp ef
match ip dscp cs3
match ip dscp af31
class-map match-any AutoQoS-VoIP-Control-UnTrust
match access-group name AutoQoS-VoIP-Control
class-map match-any AutoQoS-VoIP-RTP-UnTrust
match protocol rtp audio
match access-group name AutoQoS-VoIP-RTCP
!
!
policy-map AutoQoS-Policy-UnTrust
class AutoQoS-VoIP-RTP-UnTrust
priority percent 70
set dscp ef
class AutoQoS-VoIP-Control-UnTrust
bandwidth percent 5
set dscp af31
class AutoQoS-VoIP-Remark
set dscp default
class class-default
fair-queue
policy-map Policy_Voip
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key xxx address xxx
!
crypto ipsec security-association lifetime seconds 900
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto map cinvpn 10 ipsec-isakmp
set peer trtxxx
set transform-set strong
match address 100
!
!
!
interface FastEthernet0
switchport access vlan 800
switchport voice vlan 3
switchport priority extend trust
no cdp enable
!
interface FastEthernet1
switchport access vlan 800
switchport voice vlan 3
switchport priority extend trust
no cdp enable
!
interface FastEthernet2
switchport access vlan 800
switchport voice vlan 3
switchport priority extend trust
no cdp enable
!
interface FastEthernet3
switchport access vlan 800
switchport voice vlan 3
switchport priority extend trust
no cdp enable
!
interface FastEthernet4
ip address 172.28.1.212 255.255.0.0
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
auto qos voip
no cdp enable
service-policy output AutoQoS-Policy-UnTrust
!
interface Vlan3
ip address 192.168.35.1 255.255.255.0
!
interface Vlan800
ip address 192.168.34.1 255.255.255.0
!
ip classless
!
ip flow-export destination 172.28.1.211 2055
!
ip http server
no ip http secure-server
!
ip access-list extended AutoQoS-VoIP-Control
permit tcp any any eq 1720
permit tcp any any range 11000 11999
permit udp any any eq 2427
permit tcp any any eq 2428
permit tcp any any range 2000 2002
permit udp any any eq 1719
permit udp any any eq 5060
ip access-list extended AutoQoS-VoIP-RTCP
permit udp any any range 16384 32767
!
access-list 100 remark Tag traffic to be encrypted
access-list 100 permit ip 192.168.34.0 0.0.0.255 172.28.0.0 0.0.255.255
access-list 100 permit ip 192.168.34.0 0.0.0.255 172.23.0.0 0.0.255.255
access-list 100 permit ip 192.168.34.0 0.0.0.255 172.21.0.0 0.0.255.255
access-list 100 permit ip 192.168.34.0 0.0.0.255 172.20.0.0 0.0.255.255
access-list 100 permit ip 192.168.34.0 0.0.0.255 172.22.0.0 0.0.255.255
access-list 100 permit ip 192.168.34.0 0.0.0.255 172.24.0.0 0.0.255.255
access-list 100 permit ip 192.168.34.0 0.0.0.255 172.29.0.0 0.0.255.255
access-list 100 permit ip 192.168.34.0 0.0.0.255 10.28.0.0 0.0.255.255
access-list 100 permit ip 192.168.34.0 0.0.0.255 10.254.0.0 0.0.255.255
Thanks.
01-17-2006 01:37 PM
Hello,
there is one thing missing. On the outgoing interface you have already encrypted traffic, which will not be recognized as voip.
I would add "qos pre-classify" to the crypto-map to solve this issue.
crypto map cinvpn 10 ipsec-isakmp
set peer trtxxx
set transform-set strong
match address 100
qos pre-classify
Have a look at "Configuring QoS for Virtual Private Networks" for further details.
Hope this helps! Please rate all posts.
Regards, Martin
01-18-2006 06:23 AM
Thanks Martin.
What throws me is that I have not worked with virtual tunnels before, and almost all of the documentation points to using them. What advantage is there to creating and using a virtual tunnel rather than not using one?
01-18-2006 09:12 AM
Hello,
well, I am a little confused. The original question was about QoS and VPNs, and I think I answered it. In case you need further information about this subject, let me know. You can rate the post to give me a hint whether it helped or not.
The answer should not imply that you have to do anything else than what you wanted to do with respect to IPSec. Was that your new question?
Or are you interested in knowing different options to setup IPSec between two sites?
Regards, Martin
02-07-2006 12:11 PM
Hello,
Cisco has started using tunnel interfaces for vpns on routers giving them more flexibility for routing. The crypto maps aren't being used in the same way as before and this is the direction I've seen Cisco pushing vpn configurations.
Patrick
11-16-2006 09:53 AM
Your info helped us out with a similar problem - we didn't know about applying "qos pre-classify" to the crypto map.
This seems to disqualify being able to use the 871 as an EZVPN client and still being able to QOS voice through it. Is that correct?
06-08-2006 01:42 AM
Hi, my question is about the switchport configuration.
The ports should have CDP enabled so that the phones can get their voice VLAN number, shouldn't they?
I attempted to connect IP phones to an 871 recently, but I was not able to get the command "switchport voice vlan" working properly. I had to configure the switchport as access, and configure the voice VLAN as the access VLAN, to get the IP phone working.
06-08-2006 04:42 AM
Yes, CDP must be enabled for the phone to enter the voice VLAN.
You'll need to set the switchport mode to trunk, and also set the native VLAN on the port if you are not using VLAN 1 for your access VLAN.
Post back your config if you still have problems.
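Two of the pitfalls in this thread are easy to miss in a long running-config: a crypto map that feeds an outbound service-policy without "qos pre-classify" (IPsec copies the DSCP to the outer header by default, so DSCP-only matching survives, but the NBAR "match protocol rtp audio" and port-based ACL classes in the AutoQoS policy cannot see inside ESP), and a switchport with a voice VLAN but CDP disabled, so the phone never learns which VLAN to use. The script below is an added example, not code from the thread or from Cisco; it parses the indented "show running-config" format, and the sample config embedded in it is constructed for the demonstration (the peer addresses and the unused map are made up).

```python
"""Audit an IOS running-config for two pitfalls discussed in this thread:
   1. a crypto map feeding an outbound QoS policy without 'qos pre-classify'
   2. a switchport with a voice VLAN but CDP disabled
   Also reports crypto maps that are defined but never applied to an interface."""
import re
from collections import defaultdict

# Constructed sample (not the poster's config), in the indented form 'show running-config' prints.
SAMPLE_CONFIG = """\
crypto map cinvpn 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set strong
 match address 100
crypto map cinvpn 20 ipsec-isakmp
 set peer 203.0.113.11
 set transform-set strong
 match address 101
 qos pre-classify
!
crypto map unused 10 ipsec-isakmp
 set peer 203.0.113.12
 match address 102
!
interface FastEthernet0
 switchport access vlan 800
 switchport voice vlan 3
 no cdp enable
!
interface FastEthernet1
 switchport access vlan 800
 switchport voice vlan 3
!
interface FastEthernet4
 ip address 172.28.1.212 255.255.0.0
 crypto map cinvpn
 service-policy output AutoQoS-Policy-UnTrust
!
"""

CRYPTO_MAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp$")


def parse_blocks(config):
    """Group config lines into (header, [child lines]) using IOS indentation; '!' separators are skipped."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" "):
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def crypto_map_entries(blocks):
    """Return {map_name: {sequence_number: has_qos_pre_classify}}."""
    maps = defaultdict(dict)
    for header, children in blocks:
        m = CRYPTO_MAP_RE.match(header)
        if m:
            maps[m.group(1)][int(m.group(2))] = "qos pre-classify" in children
    return maps


def interface_settings(blocks):
    """Return per-interface settings relevant to the two checks."""
    ifaces = {}
    for header, children in blocks:
        if not header.startswith("interface "):
            continue
        entry = {"crypto_map": None, "service_policy_out": None,
                 "voice_vlan": None, "cdp_disabled": False}
        for line in children:
            parts = line.split()
            if parts[:2] == ["crypto", "map"] and len(parts) == 3:
                entry["crypto_map"] = parts[2]
            elif parts[:2] == ["service-policy", "output"] and len(parts) == 3:
                entry["service_policy_out"] = parts[2]
            elif parts[:3] == ["switchport", "voice", "vlan"] and len(parts) == 4:
                entry["voice_vlan"] = parts[3]
            elif line == "no cdp enable":
                entry["cdp_disabled"] = True
        ifaces[header.split(" ", 1)[1]] = entry
    return ifaces


def audit(config):
    """Return a list of human-readable findings, in interface order, then unused crypto maps."""
    blocks = parse_blocks(config)
    maps = crypto_map_entries(blocks)
    ifaces = interface_settings(blocks)
    findings, applied = [], set()
    for ifname, s in ifaces.items():
        if s["crypto_map"]:
            applied.add(s["crypto_map"])
        if s["voice_vlan"] and s["cdp_disabled"]:
            findings.append(f"{ifname}: voice vlan {s['voice_vlan']} configured but CDP is disabled, "
                            "so a phone cannot learn the voice VLAN")
        if s["crypto_map"] and s["service_policy_out"]:
            # Every sequence of the applied map must classify before encryption.
            for seq, pre in sorted(maps.get(s["crypto_map"], {}).items()):
                if not pre:
                    findings.append(f"{ifname}: crypto map {s['crypto_map']} seq {seq} lacks 'qos pre-classify' "
                                    f"but policy {s['service_policy_out']} is applied outbound")
    for name in sorted(maps):
        if name not in applied:
            findings.append(f"crypto map {name} is defined but not applied to any interface")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against a saved "show running-config" by reading the file into audit(); on the sample it reports FastEthernet0 (voice VLAN with CDP off), FastEthernet4 (map sequence 10 missing the pre-classify) and the never-applied map "unused". Note that the crypto map in the original post is not shown applied to FastEthernet4 at all, which this last check would also surface.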
06-09-2006 01:00 AM
Hi, I'll try to briefly explain my problem with Cisco871 VLAN's on switchports.
I am using "c870-advsecurityk9-mz.124-6.T2.bin" image
I attempted to connect an IP phone to the router switchport and connect a PC to the phone;
the result is that I am able to connect only an IP phone without a PC.
I have non-typical configuration - the 871 is configured as a bridge using
"bridge irb" command
Uplink port:
-------------
interface FastEthernet4
no ip address
no ip route-cache
duplex auto
speed auto
!
interface FastEthernet4.124
description management
encapsulation dot1Q 124 native
ip address 10.10.24.32 255.255.255.0
no ip route-cache
no snmp trap link-status
bridge-group 1
bridge-group 1 spanning-disabled
!
interface FastEthernet4.125
encapsulation dot1Q 125
no ip route-cache
no snmp trap link-status
bridge-group 125
bridge-group 125 spanning-disabled
!
interface FastEthernet4.127
encapsulation dot1Q 127
no ip route-cache
no snmp trap link-status
bridge-group 127
bridge-group 127 spanning-disabled
!
interface FastEthernet4.301
description voice
encapsulation dot1Q 301
no ip route-cache
no snmp trap link-status
bridge-group 31
bridge-group 31 spanning-disabled
VLAN interfaces:
----------------
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
no ip address
no ip route-cache
ip tcp adjust-mss 1452
bridge-group 125
!
interface Vlan301
no ip address
no ip route-cache
bridge-group 31
bridge-group 31 spanning-disabled
!
Bridge virtual interfaces:
--------------------------
interface BVI31
no ip address
!
interface BVI127
no ip address
!
interface BVI125
no ip address
!
bridge 31 protocol ieee
bridge 125 protocol ieee
bridge 127 protocol ieee
Switchport with IP phone working
--------------------------------
interface FastEthernet3
switchport access vlan 301
spanning-tree portfast
switchport testcfg1 - IP phone not working
-------------------------------------
interface FastEthernet0
switchport voice vlan 301
spanning-tree portfast
switchport testcfg2 - IP phone not working
------------------------------------------
interface FastEthernet3
switchport access vlan 301
switchport trunk allowed vlan 1,301,1002-1005
switchport mode trunk
switchport voice vlan 301
spanning-tree portfast
So my question is: is there any way to connect an IP phone and a PC to the Cisco 871 switchport?
06-09-2006 03:36 AM
Yes. You will need to upgrade from advanced security to advanced IP services. If memory serves, you cannot have more than one VLAN on adv security. You'll just need to change ios, add the vlans, and FA3 should work.