871 w/ ADV Security & QoS not matching

I have a Cisco 871 router with Advanced Security and have set up QoS. Since I can't match DSCP, I have used an ACL with my phone network (attached to this router is a Cisco SF300 running as a Layer 3 switch handling the VLANs).

class-map match-any voice-traffic
 match access-group name voice-traffic
!
policy-map voice-policy
 class voice-traffic
  priority 1000
 class class-default
  fair-queue
!
policy-map shaper
 class class-default
  shape average 3000000 30000 0
  service-policy voice-policy
!
ip access-list extended voice-traffic
 permit ip 10.10.51.0 0.0.0.255 any
!
interface FastEthernet4
 ip address 111.111.111.111 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map ipsec
 service-policy output shaper

Here's the sh policy-map interface output:

FastEthernet4

  Service-policy output: shaper

    Class-map: class-default (match-any)
      1750843 packets, 335256512 bytes
      5 minute offered rate 20000 bps, drop rate 0 bps
      Match: any
      Traffic Shaping
           Target/Average   Byte   Sustain   Excess    Interval  Increment
             Rate           Limit  bits/int  bits/int  (ms)      (bytes)
          3000000/3000000   3750   30000     0         10        3750

        Adapt  Queue     Packets   Bytes     Packets   Bytes     Shaping
        Active Depth                         Delayed   Delayed   Active
        -      0         1750769   335180439 99458     90434169  no

      Service-policy : voice-policy

        Class-map: voice-traffic (match-any)
          2 packets, 124 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: access-group name voice-traffic
            2 packets, 124 bytes
            5 minute rate 0 bps
          Queueing
            Strict Priority
            Output Queue: Conversation 136
            Bandwidth 1000 (kbps) Burst 25000 (Bytes)
            (pkts matched/bytes matched) 0/0
            (total drops/bytes drops) 0/0

        Class-map: class-default (match-any)
          1750842 packets, 335256442 bytes
          5 minute offered rate 20000 bps, drop rate 0 bps
          Match: any
          Queueing
            Flow Based Fair Queueing
            Maximum Number of Hashed Queues 128
        (total queued/total drops/no-buffer drops) 0/59/0

There should be WAY more packets than 2.

9 Replies

Peter Paluch
Cisco Employee

Hi Christie,

I see you are using a crypto map on your Fa4 interface. Did you configure the qos pre-classify in the crypto map? If not, the service-policy can only see the packets after being IPsec-encapsulated, not recognizing the private IP addresses anymore.

Best regards,

Peter

Not sure if it matters, but the phone traffic is not going over the VPN tunnel.

I checked anyway, and I do not have the feature to add qos pre-classify to my crypto map. I am on version 12.4(15).

Hi Christie,

Oh, I see. Okay.

The second thing to check is the NAT - again, I see that the Fa4 is a NAT-outside interface. According to the following document:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

the queueing is done as the very last step in the inside-to-outside direction, meaning that the service-policy will again see packets after they have been NATted - so again, the ACL in the corresponding class-map does not apply.

Solution here can get more complicated because you may be performing N:1 NAT (i.e. PAT) and so the global address is not indicative of the VoIP traffic anymore.

I wonder - what IOS feature set are you running? Can you post the output that shows when you enter a class-map and enter the match ? and set ? commands and question marks? I would like to see what other choices we have on your IOS.

Best regards,

Peter

Advanced Security -

c870-advsecurityk9-mz.124-15.T7.bin

Here's the match ? output:

  access-group         Access group
  any                  Any packets
  class-map            Class map
  cos                  IEEE 802.1Q/ISL class of service/user priority values
  destination-address  Destination address
  discard-class        Discard behavior identifier
  flow                 Flow based QoS parameters
  fr-de                Match on Frame-relay DE bit
  fr-dlci              Match on fr-dlci
  input-interface      Select an input interface to match
  ip                   IP specific values
  mpls                 Multi Protocol Label Switching specific values
  not                  Negate this match result
  packet               Layer 3 Packet length
  precedence           Match Precedence in IP(v4) and IPv6 packets
  protocol             Protocol
  qos-group            Qos-group
  source-address       Source address
  vlan                 VLANs to match

Set is not recognized under class-map.

Thanks

Hi Christie,

Of course, set is in the policy-map... Aaargh, how could I have missed that?

Anyway, in your first post, you indicated you can not match DSCP. Why? Do you believe your IP phone is not generating DSCP-marked packets? That would be the easiest thing here, as the DSCP marking is easily recognizable.

Best regards,

Peter

I don't have the option for set under the policy-map.

I can't match DSCP on the router, it's not an option in advanced security, only advanced IP.

Christie,

The set option is available in a class section of a policy-map. Try entering a policy-map and enter either an existing class or enter the class-default class and try the set command there.

But is the Advanced Security IOS really so limited? The DSCP should be available in a class-map using the match ip dscp command. Is it truly unavailable?

Best regards,

Peter

It appears that way; I believe the feature information says the Advanced IP image has more QoS options.

Here is what I see under class under policy-map when I do a ?:

  bandwidth        Bandwidth
  compression      Activate Compression
  drop             Drop all packets
  exit             Exit from class action configuration mode
  log              Log IPv4 and ARP packets
  netflow-sampler  NetFlow action
  no               Negate or set default values of a command
  police           Police
  priority         Strict Scheduling Priority for this Class
  queue-limit      Queue Max Threshold for Tail Drop
  service-policy   Configure Flow Next
  set              Set QoS values
  shape            Traffic Shaping

and this is set ?:

  atm-clp        Set ATM CLP bit to 1
  cos            Set IEEE 802.1Q/ISL class of service/user priority
  discard-class  Discard behavior identifier
  fr-de          Set FR DE bit to 1
  ip             Set IP specific values
  mpls           Set MPLS specific values
  precedence     Set precedence in IP(v4) and IPv6 packets
  qos-group      Set QoS Group
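Putting Peter's NAT order-of-operations point together with the options Christie's output shows (set qos-group in the policy-map, match qos-group in the class-map): the added configuration below is an example written for this thread, not Christie's running config or anything Peter posted. It classifies the phone subnet on the inside interface, before NAT and before the crypto map see the packet, tags it with a router-internal qos-group, and then matches that tag on the FastEthernet4 egress policy instead of the private source addresses that NAT has already rewritten. The inside interface name Vlan1 and the qos-group number 5 are assumptions; the phone subnet, shaper values and priority bandwidth are taken from the original post.

```cisco
! Added example for this thread (not the poster's or Cisco's own config).
! Assumptions: the LAN-facing interface toward the SF300 is Vlan1 (hypothetical
! name) and qos-group 5 is a free, locally chosen tag value.
!
! Step 1: classify on INGRESS of the inside interface, where the private
! 10.10.51.0/24 source addresses are still untouched by NAT, and mark the
! packets with an internal qos-group tag.
ip access-list extended voice-traffic
 permit ip 10.10.51.0 0.0.0.255 any
!
class-map match-any voice-traffic-inside
 match access-group name voice-traffic
!
policy-map mark-voice
 class voice-traffic-inside
  set qos-group 5
!
interface Vlan1
 service-policy input mark-voice
!
! Step 2: on the NAT-outside interface, match the qos-group tag rather than
! the (now translated) addresses. qos-group never leaves the router, so the
! crypto map and NAT stages cannot change it.
class-map match-any voice-traffic
 match qos-group 5
!
policy-map voice-policy
 class voice-traffic
  priority 1000
 class class-default
  fair-queue
!
policy-map shaper
 class class-default
  shape average 3000000 30000 0
  service-policy voice-policy
!
interface FastEthernet4
 service-policy output shaper
```

To check that it works, place a call and re-run show policy-map interface FastEthernet4: the voice-traffic class under voice-policy should now show packet and byte counters climbing rather than the 2 packets in the original output. The ACL remains the only selector, so anything sourced from 10.10.51.0/24 gets the priority queue; if the phone VLAN carries other hosts, tighten the ACL to the phones' addresses or ports before trusting the counters.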

Christie,

I apologize for being so insistent, but can you perhaps enter a class-map again and try the match ip ? command? At my router, it produces this (though admittedly, I do not run AdvSec):

R1(config-cmap)# match ip ?
   dscp        Match IP DSCP (DiffServ CodePoints)
   precedence  Match IP precedence
   rtp         Match RTP port nos

Best regards,

Peter
