
VoIP over VPN Config

Hello,

I am, for the first time, trying to implement QoS on an 871 teleworker's router for VoIP. I have an IPSec VPN to a PIX 6.3. I have used the auto qos command on the external interface, but am not sure what results I will get with this, and what the best way to go is.

Here is the config on the 871...

class-map match-all voice-sig
class-map match-any AutoQoS-VoIP-Remark
 match ip dscp ef
 match ip dscp cs3
 match ip dscp af31
class-map match-any AutoQoS-VoIP-Control-UnTrust
 match access-group name AutoQoS-VoIP-Control
class-map match-any AutoQoS-VoIP-RTP-UnTrust
 match protocol rtp audio
 match access-group name AutoQoS-VoIP-RTCP
!
!
policy-map AutoQoS-Policy-UnTrust
 class AutoQoS-VoIP-RTP-UnTrust
  priority percent 70
  set dscp ef
 class AutoQoS-VoIP-Control-UnTrust
  bandwidth percent 5
  set dscp af31
 class AutoQoS-VoIP-Remark
  set dscp default
 class class-default
  fair-queue
policy-map Policy_Voip
!
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxx address xxx
!
crypto ipsec security-association lifetime seconds 900
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto map cinvpn 10 ipsec-isakmp
 set peer trtxxx
 set transform-set strong
 match address 100
!
!
!
interface FastEthernet0
 switchport access vlan 800
 switchport voice vlan 3
 switchport priority extend trust
 no cdp enable
!
interface FastEthernet1
 switchport access vlan 800
 switchport voice vlan 3
 switchport priority extend trust
 no cdp enable
!
interface FastEthernet2
 switchport access vlan 800
 switchport voice vlan 3
 switchport priority extend trust
 no cdp enable
!
interface FastEthernet3
 switchport access vlan 800
 switchport voice vlan 3
 switchport priority extend trust
 no cdp enable
!
interface FastEthernet4
 ip address 172.28.1.212 255.255.0.0
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 auto qos voip
 no cdp enable
 service-policy output AutoQoS-Policy-UnTrust
!
interface Vlan3
 ip address 192.168.35.1 255.255.255.0
!
interface Vlan800
 ip address 192.168.34.1 255.255.255.0
!
ip classless
!
ip flow-export destination 172.28.1.211 2055
!
ip http server
no ip http secure-server
!
ip access-list extended AutoQoS-VoIP-Control
 permit tcp any any eq 1720
 permit tcp any any range 11000 11999
 permit udp any any eq 2427
 permit tcp any any eq 2428
 permit tcp any any range 2000 2002
 permit udp any any eq 1719
 permit udp any any eq 5060
ip access-list extended AutoQoS-VoIP-RTCP
 permit udp any any range 16384 32767
!
access-list 100 remark Tag traffic to be encrypted
access-list 100 permit ip 192.168.34.0 0.0.0.255 172.28.0.0 0.0.255.255
access-list 100 permit ip 192.168.34.0 0.0.0.255 172.23.0.0 0.0.255.255
access-list 100 permit ip 192.168.34.0 0.0.0.255 172.21.0.0 0.0.255.255
access-list 100 permit ip 192.168.34.0 0.0.0.255 172.20.0.0 0.0.255.255
access-list 100 permit ip 192.168.34.0 0.0.0.255 172.22.0.0 0.0.255.255
access-list 100 permit ip 192.168.34.0 0.0.0.255 172.24.0.0 0.0.255.255
access-list 100 permit ip 192.168.34.0 0.0.0.255 172.29.0.0 0.0.255.255
access-list 100 permit ip 192.168.34.0 0.0.0.255 10.28.0.0 0.0.255.255
access-list 100 permit ip 192.168.34.0 0.0.0.255 10.254.0.0 0.0.255.255

Thanks.

Accepted Solution

mheusinger (Level 10)

Hello,

there is one thing missing. On the outgoing interface you have already encrypted traffic, which will not be recognized as voip.

I would add "qos pre-classify" to the crypto-map to solve this issue.

crypto map cinvpn 10 ipsec-isakmp
 set peer trtxxx
 set transform-set strong
 match address 100
 qos pre-classify

Have a look at "Configuring QoS for Virtual Private Networks" for further details.

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800c75d3.html

Hope this helps! Please rate all posts.

Regards, Martin

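To make the accepted answer concrete, here is an added example (not code from the original post or from Cisco) that models, in pure Python, what the output service-policy on FastEthernet4 can actually read from a packet once the crypto map has wrapped it in ESP. The AutoQoS "UnTrust" classes above match the RTP stream on UDP port numbers (ACL AutoQoS-VoIP-RTCP, 16384-32767) or NBAR, and both of those need the inner UDP header, which is inside the ciphertext; the only thing that survives encryption is the DSCP, because IOS copies the ToS byte from the inner to the outer IP header by default. The model shows the port-based class falling through to class-default without pre-classification, matching correctly when the classifier is given the clear-text headers (what "qos pre-classify" does on the router), and a DSCP-based class still matching on the ESP packet. Assumptions not taken from the page: a toy SHA-256 keystream stands in for esp-3des, the addresses, ports and packet bytes are constructed sample data, and all function names are mine. One side point visible in the posted config that is worth checking separately: crypto ACL 100 only lists 192.168.34.0/24, while the voice VLAN (Vlan3) is 192.168.35.0/24, so confirm that phone traffic enters the tunnel at all before tuning its QoS.

```python
"""Model of why 'qos pre-classify' is needed for VoIP inside IPsec.

Added example, not from the original post. A toy keystream replaces 3DES and
every address/port/payload below is constructed sample data.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional

ESP_PROTO = 50
UDP_PROTO = 17
DSCP_EF = 46  # Expedited Forwarding, the marking a phone puts on RTP


def ipv4_header(src, dst, proto, payload_len, dscp=0):
    """Minimal IPv4 header, no options; checksum left at zero for the model."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + payload_len,
                       0, 0, 64, proto, 0, src, dst)


def rtp_packet(src, dst, sport, dport, dscp=DSCP_EF):
    """Clear-text RTP/UDP/IPv4 packet as the phone hands it to the router."""
    rtp = bytes.fromhex("8000 0001 000000a0 deadbeef") + b"\x00" * 20  # constructed
    udp = struct.pack("!HHHH", sport, dport, 8 + len(rtp), 0) + rtp
    return ipv4_header(src, dst, UDP_PROTO, len(udp), dscp) + udp


def keystream(key, n):
    """Toy SHA-256 counter keystream. Stand-in for esp-3des, NOT real crypto."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
    return out[:n]


def esp_encapsulate(inner, outer_src, outer_dst, spi, seq, key):
    """Tunnel-mode ESP: new outer IP header (proto 50), SPI, sequence number,
    then the whole inner packet encrypted. The inner DSCP is copied to the
    outer header, which is what IOS does by default."""
    inner_dscp = inner[1] >> 2
    ct = bytes(a ^ b for a, b in zip(inner, keystream(key, len(inner))))
    esp = struct.pack("!II", spi, seq) + ct
    return ipv4_header(outer_src, outer_dst, ESP_PROTO, len(esp), inner_dscp) + esp


@dataclass
class Headers:
    proto: int
    dscp: int
    sport: Optional[int]
    dport: Optional[int]


def parse(pkt):
    """Fields a classifier on the physical interface can read from a packet."""
    ihl = (pkt[0] & 0x0F) * 4
    dscp, proto = pkt[1] >> 2, pkt[9]
    if proto == UDP_PROTO:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        return Headers(proto, dscp, sport, dport)
    return Headers(proto, dscp, None, None)  # ESP: the ports are ciphertext


def classify(h, trust_dscp=False):
    """Mirrors AutoQoS-Policy-UnTrust: the RTP class is matched on the UDP port
    range 16384-32767, not on DSCP. trust_dscp=True models a class that
    would use 'match ip dscp ef' instead (hypothetical, not in the post)."""
    if h.proto == UDP_PROTO and h.dport is not None and 16384 <= h.dport <= 32767:
        return "AutoQoS-VoIP-RTP-UnTrust"  # priority percent 70
    if trust_dscp and h.dscp == DSCP_EF:
        return "voice-by-dscp"
    return "class-default"  # fair-queue only: voice gets no priority


def egress_class(clear, encrypted, pre_classify):
    """Decision the output policy makes for one packet. With 'qos pre-classify'
    the router classifies on the clear-text headers captured before encryption;
    without it, only the ESP packet is there to look at."""
    return classify(parse(clear if pre_classify else encrypted))


def demo():
    phone, callmgr = bytes([192, 168, 35, 10]), bytes([172, 28, 1, 50])
    clear = rtp_packet(phone, callmgr, 16384, 20000)
    enc = esp_encapsulate(clear, bytes([172, 28, 1, 212]), bytes([172, 28, 1, 1]),
                          spi=0x1000, seq=1, key=b"example-only")
    return {
        "without_pre_classify": egress_class(clear, enc, pre_classify=False),
        "with_pre_classify": egress_class(clear, enc, pre_classify=True),
        "dscp_match_on_esp": classify(parse(enc), trust_dscp=True),
    }


if __name__ == "__main__":
    for name, cls in demo().items():
        print(f"{name}: {cls}")
```

Running it shows the three outcomes side by side: class-default for the ESP packet under the port-based policy, the RTP priority class once the clear-text headers are available, and a DSCP match that works even on the encrypted packet. The third case is why an "UnTrust" AutoQoS policy (which deliberately ignores incoming DSCP) is the one that breaks without pre-classify, and a "Trust" variant that only matches on DSCP would not.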

9 Replies


Thanks Martin.

What throws me is that I have not worked with virtual tunnels before, and almost all of the documentation points to using them. What advantage is there to creating and using a virtual tunnel rather than not using one?

Hello,

Well, I am a little confused. The original question was about QoS and VPNs, and I think I answered it. In case you need further information about this subject, let me know. You can rate the post to give me a hint whether it helped or not.

The answer should not imply that you have to do anything else than what you wanted to do with respect to IPSec. Was that your new question?

Or are you interested in knowing different options to setup IPSec between two sites?

Regards, Martin

Hello,

Cisco has started using tunnel interfaces for vpns on routers giving them more flexibility for routing. The crypto maps aren't being used in the same way as before and this is the direction I've seen Cisco pushing vpn configurations.

Patrick

Your info helped us out with a similar problem; we didn't know about applying "qos pre-classify" to the crypto map.

This seems to disqualify being able to use the 871 as an EZVPN client and still being able to QoS voice through it. Is that correct?

fopravil (Level 1)

Hi, my question it to the switchport configuration.

The ports should have CDP enabled so that the phones can get their voice VLAN number, shouldn't they?

I attempted to connect IP phones to an 871 recently, but I was not able to get the "switchport voice vlan" command working properly. I had to configure the switchport as access, and configure the voice VLAN as the access VLAN, to get the IP phone to work.

Yes, CDP must be enabled for the phone to enter the voice VLAN.

You'll need to set the switchport mode to trunk, and also set the native VLAN on the port if you are not using VLAN 1 for your access VLAN.

Post back your config if you still have problems.

Hi, I'll try to briefly explain my problem with Cisco871 VLAN's on switchports.

I am using "c870-advsecurityk9-mz.124-6.T2.bin" image

I attempted to connect an IP phone to the router switchport and connect a PC to the phone; the result is that I am able to connect only an IP phone without a PC.

I have a non-typical configuration: the 871 is configured as a bridge using the "bridge irb" command.

Uplink port:
-------------
interface FastEthernet4
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet4.124
 description management
 encapsulation dot1Q 124 native
 ip address 10.10.24.32 255.255.255.0
 no ip route-cache
 no snmp trap link-status
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface FastEthernet4.125
 encapsulation dot1Q 125
 no ip route-cache
 no snmp trap link-status
 bridge-group 125
 bridge-group 125 spanning-disabled
!
interface FastEthernet4.127
 encapsulation dot1Q 127
 no ip route-cache
 no snmp trap link-status
 bridge-group 127
 bridge-group 127 spanning-disabled
!
interface FastEthernet4.301
 description voice
 encapsulation dot1Q 301
 no ip route-cache
 no snmp trap link-status
 bridge-group 31
 bridge-group 31 spanning-disabled

VLAN interfaces:
----------------
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 no ip address
 no ip route-cache
 ip tcp adjust-mss 1452
 bridge-group 125
!
interface Vlan301
 no ip address
 no ip route-cache
 bridge-group 31
 bridge-group 31 spanning-disabled
!

Bridge virtual interfaces:
--------------------------
interface BVI31
 no ip address
!
interface BVI127
 no ip address
!
interface BVI125
 no ip address
!
bridge 31 protocol ieee
bridge 125 protocol ieee
bridge 127 protocol ieee

Switchport with IP phone working
--------------------------------
interface FastEthernet3
 switchport access vlan 301
 spanning-tree portfast

switchport testcfg1 - IP phone not working
-------------------------------------
interface FastEthernet0
 switchport voice vlan 301
 spanning-tree portfast

switchport testcfg2 - IP phone not working
------------------------------------------
interface FastEthernet3
 switchport access vlan 301
 switchport trunk allowed vlan 1,301,1002-1005
 switchport mode trunk
 switchport voice vlan 301
 spanning-tree portfast

So my question is: is there any way to connect an IP phone and a PC to the Cisco 871 switchport?

Yes. You will need to upgrade from advanced security to advanced IP services. If memory serves, you cannot have more than one VLAN on adv security. You'll just need to change ios, add the vlans, and FA3 should work.
