02-25-2009 04:58 PM - edited 03-17-2019 09:39 PM
I have an existing QoS policy for our branches and main site. We are implementing video phones in our branches and I have a few questions on how best to implement the QoS.
The branch config is as follows; currently the voice and data are in the same class of voice:
class-map match-all DATA-Priority
match access-group 111
class-map match-all VOICE
match access-group 110
!
!
policy-map P-QoS
class VOICE
priority percent 21
set dscp ef
class DATA
bandwidth percent 5
set dscp af31
class class-default
set dscp default
fair-queue
random-detect
The phones for our company are matched on access-list 110.
Access-list 111 is actually an application that the remote branches use that connects to a host in the main site.
Going by the Cisco 8 class design model, dscp af31 is actually classed for voice control traffic.
My questions are these:
Would it be beneficial to change the policy so that the data priority queue dscp af31 is used for voice signaling?
There does not seem to be any poor quality calling at the moment, but we are not using the video phones yet.
The 8 class model is a little more detailed than I need, I am thinking I could do something like the following:
class-map match-all Voice
match ip dscp ef
class-map match-all Interactive Video
match ip dscp af41 af42
class-map match-any Call Signaling
match ip dscp cs3
match ip dscp af31
class-map match-all Critical Data
match ip dscp af21 af22
class-map match-all Bulk Data
!
policy-map WAN-EDGE
class Voice
priority percent 18
class Interactive Video
priority percent 15
class Call Signaling
bandwidth percent 5
class Critical Data
bandwidth percent 27
random-detect dscp-based
class Bulk Data
bandwidth percent 4
Could someone provide some input?
Also, how do the classes in the Cisco model match the traffic if they are not using access-lists?
02-25-2009 06:21 PM
I don't think there would be any benefit to adding the voice signaling to your data priority queue. If you find that your signaling queue is dropping packets, you will want to increase the percentage allocated for signaling. If you lump it with the data, it will be much harder to determine this value.
In this case 'class-map match-all Bulk Data' will not be working correctly. I believe that since there are no match statements, this class will be ignored. You can try it and use 'show policy-map interface' to see what happens. The default action of access lists that are referenced but do not exist is to permit everything. I'm not sure about class maps that don't have any statements. I'm on the side that they won't match anything and thus be ignored.
You can match with NBAR with CEF enabled on protocol such as 'match protocol http' and the likes without ACLs, but that doesn't appear to be what you're asking about.
hth,
nick
02-25-2009 07:05 PM
Thanks for the reply,
Some follow up questions if you don't mind:
1. Why don't you think it would be beneficial to add the voice signaling AS a data priority queue?
2. The fact that the Data-Priority in my existing set-up is referencing "dscp af31": is there anything special (specific ports or anything else) that this class is tied to that makes it voice signaling?
I don't understand why they used that class for an application when it is specifically a voice signaling class.
3. Ok, on your response about access-lists, I wondered about that because they were not there.
Are you saying that per these classes, each "match" statement is referencing an access-list?
class-map match-all Voice
match ip dscp ef
class-map match-all Interactive Video
match ip dscp af41 af42
class-map match-any Call Signaling
match ip dscp cs3
match ip dscp af31
class-map match-all Critical Data
match ip dscp af21 af22
class-map match-all Bulk Data
For example, there should be an access list called
Voice
Interactive Video
Call Signaling
Critical Data
Bulk Data
Is that correct?
Also, what is the significance of the "any" and "all" difference?
02-25-2009 07:20 PM
1) In this case you will want your voice signaling traffic to only have voice signaling. This will allow for easier management and troubleshooting, as well as prevent other data applications from over-utilizing the queue.
You should note that the policy map is order-specific. If you have a class matching dscp af31 above another class matching dscp af31, the class lower in the policy map would not ever match on that.
2. By matching dscp af31, you are matching on 6 bits of the IP header only. This is referred to as the Type of Service (TOS) header of the IP packet. To match on ports or protocol, it would require NBAR or access lists. This matches strictly on the IP header.
This DSCP value was arbitrarily used for voice signaling. There is most likely a reference to this in the DiffServ RFC. There aren't any restrictions from other applications from utilizing this value. This is why it's important to understand and utilize DSCP/COS trusting and marking at your network edges.
3. None of the listed classes are matching access lists, only the previously mentioned DSCP values.
The format of the command is "class-map [ match-all | match-any ]
-nick
02-25-2009 08:09 PM
Thanks for the excellent replies nick,
One last question, you may have answered this and I didn't get it:
If I am matching each class to an access-list and the desktops will each have a Cisco IP phone with an IP address, and the desktop has a video camera, am I matching the phone IP address to voice and the desktop ip address to video, or are they both matched to the phone?
In which case,
I have to match both classes to the same IP Address, how do I do that?
02-26-2009 07:59 AM
If the video is coming from the PC it will have a different IP address than the phones, so this shouldn't be an issue.
You should be able to match voice and video with two separate access lists without a problem.
-nick
02-26-2009 02:44 PM
Thanks nic,
Just so I understand correctly,
You are saying above that the classes do not necessarily have to reference an access list,
That the policy in my original post is a valid policy and by not referencing an access-list, any traffic matching the TOS header will be prioritized per the policy?
is this correct?
Also in my earlier post, when I mentioned "they" I was referring to the person that originally designed the policy in my router. I don't understand why they used the af31 class for priority data, when it is a voice signaling class.
Would that part of the policy even prioritise the traffic matching the access-list when there are no TOS headers for voice signaling present in the packets (it is basically a host/client application on port 23)?
02-26-2009 03:08 PM
It's all valid except for this class:
class-map match-all Bulk Data
It doesn't have any match statements at all.
af31 is the default for many types of signaling, so it's why 'they' used that particular value.
The TOS is a mandatory part of the IP header and every IP packet has a value. Most are 0 by default, except when some application or router has specifically changed it. This is why switchports going to PCs are generally in the untrusted state, and mark everything to 0. It's not specific to voice. The only thing that is specific to voice is that value 46 or EF is used for voice.
It all depends on how you use your class maps. If you match on ACLs, then you can match on any field an ACL can match on. If you want to match on the TOS byte, you can do that as well.
hth,
nick
02-26-2009 03:59 PM
Thanks nick,
"The only thing that is specific to voice is that value 46 or EF is used for voice."
Which is how you can prioritise via tos markings with an access-list, correct?
Also the reason as you mentioned to make sure the switch is configured correctly to make sure the tos is not changed in any way?
I appreciate your excellent answers.
02-26-2009 06:30 PM
There are many ways to classify voice.
If you know that your voice subnet is 10.10.10.0/24, you can do something like this:
access-list 101 permit udp any 10.10.10.0 0.0.0.255 range 16384 32768
access-list 101 permit udp 10.10.10.0 0.0.0.255 range 16384 32768 any
class-map match-any voice-acl
match ip access-group 101
or
class-map match-any voice-rtp-nbar
match protocol rtp audio
or
class-map match-any voice-dscp
match dscp ef
or
access-list 102 permit udp any any dscp ef
class-map match-any voice-acl-dscp
match ip access-group 102
or
access-list 103 permit udp any any precedence 5
class-map match-any voice-acl-precedence
match ip access-group 103
or
class-map match-any voice-precedence
match precedence 5
or
class-map match-any voice-ip-rtp
match ip rtp 16384 16383
These are all different ways to classify voice. It really depends on what you prefer and how it's configured.
These access-lists are nearly identical in how they match:
voice-ip-rtp
voice-acl
voice-rtp-nbar
The difference is that NBAR is going to require more CPU utilization because NBAR requires for the CPU to read the packets, instead of being fast-switched with CEF in hardware (or close to it). RTP also only uses the even ports, and I believe NBAR for audio only matches the even ports - but this is something that I have not tested. The odd ports are for RTCP which doesn't really matter.
These classes are also almost identical:
voice-dscp
voice-precedence
voice-acl-dscp
voice-acl-precedence
The difference is the DSCP is 6 bits. If you only look at the first 3 bits of this, you have the precedence. (The first 3 bits of 46 equals 5). This means if you have DSCP values 40-47, it will match on precedence 5.
You could combine the two, and it would look something like this:
access-list 111 permit udp any 10.10.10.0 0.0.0.255 range 16384 32768 dscp ef
access-list 111 permit udp 10.10.10.0 0.0.0.255 range 16384 32768 any dscp ef
class-map match-any voice-acl-rtp-dscp
match ip access-group 111
This matches only UDP packets within ports 16384-32768 that are marked with a DSCP value of EF in either direction.
You should also note that the UDP range of 16384 to 32768 is actually only what Cisco uses as their standard, and is not an RFC or ITU standard. If you have a SIP/H323 trunk to another vendor, it is very likely you will use UDP ports outside this range. It may be better to use NBAR in this case because it will actually do a deep protocol inspection on the packets.
Hope this answers your question :)
-nick
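To make the "nearly identical" classifiers in the reply above concrete, here is an added Python model (not from the thread or from Cisco) that evaluates ACL 101, the DSCP/precedence class-maps and the combined ACL 111 against a few constructed packets. The NBAR class is a deliberately simplified stand-in (UDP, RTP range, even port); real NBAR inspects the RTP header.

```python
import ipaddress

VOICE_NET = ipaddress.ip_network("10.10.10.0/24")  # voice subnet from the post
RTP_PORTS = range(16384, 32768 + 1)                # "range 16384 32768" as written
EF = 46

def precedence_of(dscp: int) -> int:
    """IP precedence is the top 3 of the 6 DSCP bits, so 40..47 -> 5 and 46 (EF) -> 5."""
    return dscp >> 3

def acl_101(p: dict) -> bool:
    """access-list 101: UDP to the voice subnet (dest port in range) or from it (source port in range)."""
    if p["proto"] != "udp":
        return False
    src, dst = ipaddress.ip_address(p["src"]), ipaddress.ip_address(p["dst"])
    return (dst in VOICE_NET and p["dport"] in RTP_PORTS) or (src in VOICE_NET and p["sport"] in RTP_PORTS)

def voice_dscp(p: dict) -> bool:          # class-map voice-dscp: match dscp ef
    return p["dscp"] == EF

def voice_precedence(p: dict) -> bool:    # class-map voice-precedence: match precedence 5
    return precedence_of(p["dscp"]) == 5

def voice_rtp_nbar(p: dict) -> bool:
    # Simplified stand-in for 'match protocol rtp audio': UDP, RTP range, even port (RTP, not RTCP).
    # Real NBAR inspects the RTP header; this only mirrors the even/odd split the post describes.
    return p["proto"] == "udp" and p["dport"] in RTP_PORTS and p["dport"] % 2 == 0

def voice_acl_rtp_dscp(p: dict) -> bool:  # access-list 111: ACL 101 conditions plus 'dscp ef'
    return acl_101(p) and voice_dscp(p)

CLASSIFIERS = {"voice-acl": acl_101, "voice-rtp-nbar": voice_rtp_nbar, "voice-dscp": voice_dscp,
               "voice-precedence": voice_precedence, "voice-acl-rtp-dscp": voice_acl_rtp_dscp}

def classify(p: dict) -> list:
    """Names of every voice class-map the packet would hit (each evaluated independently)."""
    return [name for name, fn in CLASSIFIERS.items() if fn(p)]

def pkt(proto, src, dst, sport, dport, dscp) -> dict:
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport, "dscp": dscp}

# Constructed sample packets (not captured traffic).
SAMPLES = {
    "rtp to phone, ef":       pkt("udp", "10.20.0.5", "10.10.10.7", 20000, 16384, EF),
    "rtcp from phone, ef":    pkt("udp", "10.10.10.7", "10.20.0.5", 16385, 20001, EF),
    "tcp marked cs5 (40)":    pkt("tcp", "10.20.0.5", "10.30.0.1", 4000, 443, 40),
    "rtp to phone, unmarked": pkt("udp", "10.20.0.5", "10.10.10.7", 20000, 16384, 0),
}

if __name__ == "__main__":
    for label, p in SAMPLES.items():
        print(f"{label:24} precedence={precedence_of(p['dscp'])} -> {classify(p)}")
```

The CS5-marked TCP packet hits only voice-precedence, which is the 40-47 overlap the reply describes; the unmarked RTP packet hits the ACL and NBAR classes but none of the marking-based ones.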
02-26-2009 07:03 PM
I am sorry nick, I promise this will be the last question on this, but you are helping me get a really good understanding:
If I were going to use the access-list 101 in your example (which is how ours is), does the voice signaling class use the same ACL as the voice priority class?
PS
My previous posts were comments on your answers to see if I was understanding what you were getting across. Thanks for the help, it is greatly appreciated.
02-26-2009 07:20 PM
Hi Wilson,
Your voice signaling will use a different access list. RTP traffic flows from endpoint to endpoint. Endpoints include phones and gateways primarily, but there can also be mid-points such as transcoders, conference bridges, and media termination points.
Because of this, you can have your UDP traffic flow from one endpoint to a number of other IP addresses.
Your call signaling however, is much more centralized. Generally devices only signal to a certain set of specified devices with a certain set of protocols.
It's harder to give an exact ACL for signaling other than the previously mentioned commonly used signaling DSCP values of af31 and cs3.
Here are some examples depending on your protocol:
(We'll assume these are all outbound QoS policies and that your signaling is going to a 1.1.1.1 device)
MGCP:
access-list 120 permit tcp any host 1.1.1.1 eq 2427
access-list 120 permit tcp any host 1.1.1.1 eq 2727
access-list 120 permit tcp any host 1.1.1.1 eq 2428
access-list 120 permit udp any host 1.1.1.1 eq 2727
access-list 120 permit udp any host 1.1.1.1 eq 2427
H323:
access-list 121 permit tcp any host 1.1.1.1 range 1718 1720
access-list 121 permit tcp any host 1.1.1.1 range 11000 11999
SIP:
access-list 122 permit udp any host 1.1.1.1 range 5060 5061
access-list 122 permit tcp any host 1.1.1.1 range 5060 5061
SCCP:
access-list 123 permit tcp any host 1.1.1.1 range 2000 2002
For reference, I used 'show ip nbar port-map'.
I don't mind answering - maybe someone else out there will get some use out of this :)
hth,
nick
03-02-2009 07:19 PM
nic,
I have a couple more questions on this, sorry,
The policy I was going to apply above is going on our MPLS connected Main site and branches.
We have gold CAR purchased from the provider.
According to the provider the Gold CAR is only for class "ef".
If they are only prioritizing ef, what happens to the rest of my policy I have configured end to end?
Does it get ignored?
For example in my policy I have a priority queue that matches what Verizon will prioritize for voice, but Verizon is not prioritizing the other classes, will they get prioritized by my policy?
If not, then I don't need them.
If they do, then I don't need the Gold CAR, correct?
policy-map P-QoS
class VOICE
priority percent 21
set dscp ef
class DATA
bandwidth percent 5
set dscp af31
class class-default
set dscp default
fair-queue
random-detect
You mentioned above that I can trigger the match on the class-maps in different ways.
If I trigger the priority on access-list, does the tos header get ignored?
also,
I can have several different priority queues correct?
03-02-2009 07:45 PM
So when the provider says you have a CAR class of EF, it basically means they're going to give you a fixed level of bandwidth and police you if you go over this.
This can be dangerous because if your voice goes over their value, they will start dropping packets even if there is available bandwidth on your link. You should be mindful of your network edge to make sure that only your voice is coming in as EF. You may want to match your voice based on protocol, and unmark everything else.
To prevent this, it is suggested to find out exactly what that value is and configure a class that matches voice and has a strict priority value.
Such as:
class-map match-any VOICE-TRAFFIC
match protocol rtp audio
policy-map voice-qos
class VOICE-TRAFFIC
priority
set dscp EF
....
class class-default
set dscp 0
random-detect
Even if your provider is only providing QoS through their network for EF, it is still valuable for you to have QoS on your side.
If you have a typical topology like this:
Device--LAN1--WAN Router1---[Provider Cloud]---WAN Router2---LAN2--Device2
You can lose packets in:
- LAN1/2 (very unlikely as long as you don't have very large switched networks / policers)
- the outgoing interface of WAN Router1
- somewhere in the provider cloud
You shouldn't lose packets in your LAN, which really only leaves your WAN router and the cloud. By configuring QoS outbound on your WAN router you can very significantly lower the chances of dropping your traffic.
However, once it leaves your router the marking will be ignored if it is not EF in this case.
The way the priority queue works is that it will send any priority packet before any other packet. It does this up until the kbps limit you have configured (or burst value if it's configured as well), and if the link is NOT under congestion it will continue sending the rest. This is fairly basic.
If you have multiple priority queues, each class will be limited to the bandwidth value given. The example commonly used for this is video. Say you want to prioritize voice and video, but since video will often dynamically use as much bandwidth as is available, you create two priority queues to prevent this.
Example:
policy-map voice-and-video
class voice
priority 300
class video
priority 400
This would limit voice to 300 kbps under congestion and video to 400 kbps under congestion.
"If I trigger the priority on access-list, does the tos header get ignored?"
Each class will only match based upon what you tell it to. If your class map or access do not reference the DSCP/precedence value, it will not be used.
You can still do this:
class-map match-all voice-acl-and-dscp
match ip access-group 101
match dscp EF
This matches on both the access list and DSCP. If you removed the EF statement, that particular class will ignore EF.
hth,
nick
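The two points nick makes about class-map evaluation (earlier: the policy-map is order-specific, and match-all versus match-any; here: voice-acl-and-dscp requires both the ACL and EF) can be checked with this added Python model, which is not from the thread or from Cisco. It evaluates a policy-map top to bottom with first match wins; 'match ip access-group 101' is a simplified stand-in (UDP with the voice subnet as source or destination), and an empty class-map is assumed to match nothing, as the reply expects.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Pred = Callable[[dict], bool]
AF21, CS3, AF31, EF = 18, 24, 26, 46   # DSCP code points used below

@dataclass
class ClassMap:
    name: str
    mode: str                           # "match-all" (AND) or "match-any" (OR)
    matches: List[Pred] = field(default_factory=list)

    def hit(self, p: dict) -> bool:
        results = [m(p) for m in self.matches]
        if not results:                 # no match statements at all ('class-map match-all Bulk Data')
            return False                # assumption: such a class matches nothing
        return all(results) if self.mode == "match-all" else any(results)

def dscp(*values):                      # 'match ip dscp af41 af42': any listed value matches
    return lambda p: p["dscp"] in values

def acl_101(p: dict) -> bool:           # simplified stand-in for 'match ip access-group 101'
    return p["proto"] == "udp" and (p["src"].startswith("10.10.10.") or p["dst"].startswith("10.10.10."))

def first_match(policy: List[ClassMap], p: dict) -> str:
    """policy-map evaluation: classes are tried top to bottom, first hit wins."""
    for cm in policy:
        if cm.hit(p):
            return cm.name
    return "class-default"

def class_counters(policy: List[ClassMap], packets: List[dict]) -> Dict[str, int]:
    """Per-class packet counts, the view 'show policy-map interface' gives."""
    counts = {cm.name: 0 for cm in policy}
    counts["class-default"] = 0
    for p in packets:
        counts[first_match(policy, p)] += 1
    return counts

# A policy with the ordering problem the reply warns about: DATA sits above Call-Signaling
# and both match af31, so Call-Signaling can only ever catch cs3.
POLICY = [
    ClassMap("DATA", "match-all", [dscp(AF31)]),
    ClassMap("Call-Signaling", "match-any", [dscp(CS3), dscp(AF31)]),
    ClassMap("voice-acl-and-dscp", "match-all", [acl_101, dscp(EF)]),
    ClassMap("Bulk-Data", "match-all", []),
]

def pkt(proto, src, dst, dscp_value) -> dict:
    return {"proto": proto, "src": src, "dst": dst, "dscp": dscp_value}

SAMPLES = [                                     # constructed packets, not captured traffic
    pkt("tcp", "10.30.0.9", "10.1.1.1", AF31),   # signaling marked af31 -> lands in DATA
    pkt("tcp", "10.30.0.9", "10.1.1.1", CS3),    # cs3 still reaches Call-Signaling
    pkt("udp", "10.10.10.7", "10.20.0.5", EF),   # ACL and EF both true -> voice-acl-and-dscp
    pkt("tcp", "10.10.10.7", "10.20.0.5", EF),   # EF but not UDP: match-all fails -> class-default
    pkt("udp", "10.10.10.7", "10.20.0.5", AF21), # ACL true, EF false -> class-default
]
```

Running class_counters(POLICY, SAMPLES) shows Bulk-Data at zero and the af31 packet counted under DATA, never under Call-Signaling; swapping the first two classes moves it.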
03-03-2009 05:50 AM
Wow,
Thanks for the excellent reply and explanations nic.
It is greatly appreciated and I am getting a much better understanding thanks to you.
Now,
We have much more of the Gold CAR than we need,
For example our five branches have at the most 25 users.
Each site has X2 T1s with 1544 Gold CAR at the branches.
The Main Site has 15M and I am not sure how much, but for this example say we have &.5 of Gold CAR.
There is no way for us to utilize all of the gold CAR for voice alone and your example of video is the reason for me asking all of these questions (we are implementing video communication).
Verizon sold us the GOLD CAR because our managers worked with them on the video project.
Are we saying now that the only traffic that Verizon is prioritizing is our voice traffic from branch to branch?
Which is g729, which would be about 30K per call?
Can we create the policy so it will prioritize our video traffic with the ef class?