12-19-2013 06:49 PM - edited 03-04-2019 09:54 PM
I have a Cisco 871 router with Advanced Security and have set up QoS. Since I can't match DSCP, I have used an ACL with my phone network (attached to this router is a Cisco SF300 running as a Layer 3 switch handling the VLANs).
class-map match-any voice-traffic
 match access-group name voice-traffic
!
!
policy-map voice-policy
 class voice-traffic
  priority 1000
 class class-default
  fair-queue
policy-map shaper
 class class-default
  shape average 3000000 30000 0
  service-policy voice-policy
ip access-list extended voice-traffic
 permit ip 10.10.51.0 0.0.0.255 any
interface FastEthernet4
 ip address 111.111.111.111 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map ipsec
 service-policy output shaper
Here's the sh policy-map interface
FastEthernet4
 Service-policy output: shaper
  Class-map: class-default (match-any)
   1750843 packets, 335256512 bytes
   5 minute offered rate 20000 bps, drop rate 0 bps
   Match: any
   Traffic Shaping
     Target/Average   Byte   Sustain   Excess    Interval  Increment
       Rate           Limit  bits/int  bits/int  (ms)      (bytes)
     3000000/3000000  3750   30000     0         10        3750
     Adapt   Queue  Packets  Bytes      Packets  Bytes     Shaping
     Active  Depth                      Delayed  Delayed   Active
     -       0      1750769  335180439  99458    90434169  no
   Service-policy : voice-policy
    Class-map: voice-traffic (match-any)
     2 packets, 124 bytes
     5 minute offered rate 0 bps, drop rate 0 bps
     Match: access-group name voice-traffic
      2 packets, 124 bytes
      5 minute rate 0 bps
     Queueing
      Strict Priority
      Output Queue: Conversation 136
      Bandwidth 1000 (kbps) Burst 25000 (Bytes)
      (pkts matched/bytes matched) 0/0
      (total drops/bytes drops) 0/0
    Class-map: class-default (match-any)
     1750842 packets, 335256442 bytes
     5 minute offered rate 20000 bps, drop rate 0 bps
     Match: any
     Queueing
      Flow Based Fair Queueing
      Maximum Number of Hashed Queues 128
      (total queued/total drops/no-buffer drops) 0/59/0
There should be WAY more packets than 2
12-19-2013 08:10 PM
Hi Christie,
I see you are using a crypto map on your Fa4 interface. Did you configure the qos pre-classify in the crypto map? If not, the service-policy can only see the packets after being IPsec-encapsulated, not recognizing the private IP addresses anymore.
Best regards,
Peter
12-19-2013 08:29 PM
Not sure if it matters but the phone traffic is not going over the VPN tunnel.
I checked anyways and I do not have the feature to add qos pre-classify to my crypto map. I am on version 12.4(15)
12-19-2013 09:30 PM
Hi Christie,
Oh, I see. Okay.
The second thing to check is the NAT - again, I see that the Fa4 is a NAT-outside interface. According to the following document:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
the queueing is done as the very last step in the inside-to-outside direction, meaning that the service-policy will again see packets after they have been NATted - so again, the ACL in the corresponding class-map does not apply.
Solution here can get more complicated because you may be performing N:1 NAT (i.e. PAT) and so the global address is not indicative of the VoIP traffic anymore.
I wonder - what IOS feature set are you running? Can you post the output that shows when you enter a class-map and enter the match ? and set ? commands and question marks? I would like to see what other choices we have on your IOS.
Best regards,
Peter
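The ordering described in the reply above, modelled as an added example that is not part of the original thread: the output service-policy classifies a packet only after inside-to-outside translation, so an ACL written against the inside subnet no longer matches, while a DSCP value carried in the IP header would still be visible. The phone address, destination and the EF (46) marking are constructed assumptions; the subnet, wildcard and global address are the ones posted in the thread.

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dscp: int  # DiffServ code point set by the sender (46 = EF, assumed for the phone)

def acl_permits(src, network, wildcard):
    """IOS-style wildcard match: bits set in the wildcard mask are ignored."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(src)) & care) == \
           (int(ipaddress.IPv4Address(network)) & care)

def pat_outside(pkt, global_ip):
    """Inside-to-outside PAT: the source address is rewritten, DSCP is untouched."""
    return replace(pkt, src=global_ip)

def classify_by_acl(pkt):
    # Mirrors: permit ip 10.10.51.0 0.0.0.255 any
    hit = acl_permits(pkt.src, "10.10.51.0", "0.0.0.255")
    return "voice-traffic" if hit else "class-default"

def classify_by_dscp(pkt, dscp=46):
    return "voice-traffic" if pkt.dscp == dscp else "class-default"

def egress_classes(pkt, global_ip="111.111.111.111"):
    """Return (ACL class before NAT, ACL class seen by the output policy,
    DSCP class seen by the output policy)."""
    translated = pat_outside(pkt, global_ip)
    return (classify_by_acl(pkt),
            classify_by_acl(translated),
            classify_by_dscp(translated))

# Constructed sample packets (addresses outside 10.10.51.0/24 are made up)
PHONE = Packet("10.10.51.20", "198.51.100.10", 46)
PC = Packet("10.10.10.5", "198.51.100.10", 0)

if __name__ == "__main__":
    for p in (PHONE, PC):
        print(p.src, egress_classes(p))
```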
12-20-2013 05:05 AM
Advanced Security -
c870-advsecurityk9-mz.124-15.T7.bin
Here's the match?
  access-group         Access group
  any                  Any packets
  class-map            Class map
  cos                  IEEE 802.1Q/ISL class of service/user priority values
  destination-address  Destination address
  discard-class        Discard behavior identifier
  flow                 Flow based QoS parameters
  fr-de                Match on Frame-relay DE bit
  fr-dlci              Match on fr-dlci
  input-interface      Select an input interface to match
  ip                   IP specific values
  mpls                 Multi Protocol Label Switching specific values
  not                  Negate this match result
  packet               Layer 3 Packet length
  precedence           Match Precedence in IP(v4) and IPv6 packets
  protocol             Protocol
  qos-group            Qos-group
  source-address       Source address
  vlan                 VLANs to match
Set is not recognized under class-map.
Thanks
12-20-2013 02:28 PM
Hi Christie,
Of course, set is in the policy-map... Aaargh, how could I have missed that?
Anyway, in your first post, you indicated you can not match DSCP. Why? Do you believe your IP phone is not generating DSCP-marked packets? That would be the easiest thing here, as the DSCP marking is easily recognizable.
Best regards,
Peter
12-20-2013 03:08 PM
I don't have the option for set under the policy-map
I can't match DSCP on the router, it's not an option in advanced security, only advanced IP.
12-20-2013 03:14 PM
Christie,
The set option is available in a class section of a policy-map. Try entering a policy-map and enter either an existing class or enter the class-default class and try the set command there.
But is the Advanced Security IOS really so limited? The DSCP should be available in a class-map using match ip dscp command. Is it truly unavailable?
Best regards,
Peter
12-20-2013 03:18 PM
It appears that way, I believe the feature information says the advanced IP has more QoS options.
Here is what I see under class under policy-map when I do a ?
  bandwidth        Bandwidth
  compression      Activate Compression
  drop             Drop all packets
  exit             Exit from class action configuration mode
  log              Log IPv4 and ARP packets
  netflow-sampler  NetFlow action
  no               Negate or set default values of a command
  police           Police
  priority         Strict Scheduling Priority for this Class
  queue-limit      Queue Max Threshold for Tail Drop
  service-policy   Configure Flow Next
  set              Set QoS values
  shape            Traffic Shaping
and this is set ?
  atm-clp        Set ATM CLP bit to 1
  cos            Set IEEE 802.1Q/ISL class of service/user priority
  discard-class  Discard behavior identifier
  fr-de          Set FR DE bit to 1
  ip             Set IP specific values
  mpls           Set MPLS specific values
  precedence     Set precedence in IP(v4) and IPv6 packets
  qos-group      Set QoS Group
12-21-2013 12:12 AM
Christie,
I apologize for being so insistent, but can you perhaps enter a class-map again and try the match ip ? command? At my router, it produces this (though admittedly, I do not run AdvSec):
R1(config-cmap)# match ip ?
  dscp        Match IP DSCP (DiffServ CodePoints)
  precedence  Match IP precedence
  rtp         Match RTP port nos
Best regards,
Peter