QOS service-policy: what is the correct interface to apply it to?

bwilks
Level 1

Hi,

I have three Cisco 887 routers (adsl) connected to the Internet and connected to each other via site-to-site tunnels.

We run voice SIP and RDP (Remote Desktop Protocol), and we want to stop Internet and site-to-site downloads interfering with voice and RDP.

My question: What is the correct interface to apply the QOS service-policy to?

We had someone set this up for us; originally the service-policy was applied to both interface ATM0.1 and dialer0.

Does this config (from one of the routers) look correct?

version 12.4
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname XXXX
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
!
no aaa new-model
clock timezone XXX 10
!
dot11 syslog
!
dot11 ssid XXX
vlan 1
authentication open
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii 7 XXXX
!
ip source-route
!
!
ip cef
ip domain name XXXX
ip name-server XXXX
ip inspect name CCP_LOW cuseeme
ip inspect name CCP_LOW dns
ip inspect name CCP_LOW ftp
ip inspect name CCP_LOW h323
ip inspect name CCP_LOW sip
ip inspect name CCP_LOW https
ip inspect name CCP_LOW icmp
ip inspect name CCP_LOW imap
ip inspect name CCP_LOW pop3
ip inspect name CCP_LOW netshow
ip inspect name CCP_LOW rcmd
ip inspect name CCP_LOW realaudio
ip inspect name CCP_LOW rtsp
ip inspect name CCP_LOW esmtp
ip inspect name CCP_LOW sqlnet
ip inspect name CCP_LOW streamworks
ip inspect name CCP_LOW tftp
ip inspect name CCP_LOW tcp
ip inspect name CCP_LOW udp
ip inspect name CCP_LOW vdolive
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username XXXX privilege 15 password XXXX
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
lifetime 28800
crypto isakmp key XXXX address XXX.228.57.63 no-xauth
crypto isakmp key XXXX address XXX.151.83.99 no-xauth
!
!
crypto ipsec transform-set IPSECVPN esp-3des esp-sha-hmac
!
crypto map IPSECVPN 10 ipsec-isakmp
description L2L VPN to XXX XXX.228.57.63
set peer XXX.228.57.63
set transform-set IPSECVPN
set pfs group2
match address 120
qos pre-classify
crypto map IPSECVPN 11 ipsec-isakmp
description L2L VPN to XXX.151.83.99 XXX
set peer XXX.151.83.99
set transform-set IPSECVPN
set pfs group2
match address 121
qos pre-classify
!
archive
log config
  hidekeys
!
!
!
class-map match-any VOICE
match  dscp ef
match  dscp cs3
match  dscp af41
match access-group name VOICE-CONTROL
match access-group name VOICE
match access-group name IPPHONE
class-map match-all RemoteSupport
match access-group name RDP
!        
!        
policy-map VOICEWAN
class VOICE
    priority 300
class class-default
    fair-queue
!
!
bridge irb
!
!
interface ATM0
bandwidth 771
bandwidth inherit
bandwidth receive 3718
no ip address
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
pvc 8/35
  vbr-nrt 700 700
  tx-ring-limit 2
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
  service-policy output VOICEWAN
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
no ip address
!
encryption vlan 1 mode ciphers tkip
!
broadcast-key vlan 1 change 30
!
!
ssid pcg
!
mbssid
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!        
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!        
interface Vlan1
no ip address
bridge-group 1
!        
interface Dialer0
description $FW_OUTSIDE$
bandwidth 771
bandwidth inherit
bandwidth receive 3718
ip address XXX.228.155.114 255.255.255.0
ip access-group 104 in
ip mtu 952
ip nat outside
ip inspect CCP_LOW out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname XXX
ppp chap password 7 XXX
ppp multilink
ppp multilink interleave
crypto map IPSECVPN
!        
interface BVI1
description $FW_INSIDE$
ip address 192.168.41.252 255.255.255.0
ip access-group 102 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 912
!        
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source static tcp 192.168.41.23 22222 interface Dialer0 22222
ip nat inside source route-map nonat interface Dialer0 overload
!
ip access-list extended RDP
permit tcp any any eq 3389
permit tcp any eq 3389 any
ip access-list extended VOICE
permit udp any any range 16384 32767
ip access-list extended VOICE-CONTROL
remark Match VoIP Control Traffic
remark SIP
permit tcp any any range 5060 5061
permit udp any any range 5060 5061
remark SCCP
permit tcp any any range 2000 2002
remark H323 Fast Start
permit tcp any any eq 1720
remark H323 Slow Start
permit tcp any any range 11000 11999
remark MGCP
permit udp any any eq 2427
!
access-list 1 remark http allowed access from
access-list 1 remark CCP_ACL Category=1
access-list 1 permit 192.168.41.0 0.0.0.255
access-list 101 remark ssh telnet access from
access-list 101 remark CCP_ACL Category=1
access-list 101 permit ip 192.168.41.0 0.0.0.255 any
access-list 101 permit ip 192.168.5.0 0.0.0.255 any
access-list 101 permit ip XXX.167.210.0 0.0.0.255 any
access-list 101 permit ip XXX.49.253.0 0.0.0.255 any
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 remark auto generated by CCP firewall configuration
access-list 102 remark CCP_ACL Category=1
access-list 102 remark Auto generated by CCP for NTP (123) 192.168.41.10
access-list 102 permit udp host 192.168.41.10 eq ntp host 192.168.41.252 eq ntp
access-list 102 deny   ip XXX.228.155.0 0.0.0.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 104 remark auto generated by CCP firewall configuration
access-list 104 remark CCP_ACL Category=1
access-list 104 permit udp host XXX.130.4.4 eq domain host XXX.228.155.114
access-list 104 permit tcp host XXX.49.253.212 host XXX.228.155.114 eq 22222
access-list 104 permit gre any host XXX.228.155.114
access-list 104 permit tcp host XXX.49.253.212 host XXX.228.155.114 eq 22
access-list 104 permit tcp host XXX.167.210.119 host XXX.228.155.114 eq 22
access-list 104 permit icmp host XXX.151.83.99 host XXX.228.155.114
access-list 104 permit icmp host XXX.228.57.63 host XXX.228.155.114
access-list 104 permit icmp host XXX.49.253.212 host XXX.228.155.114
access-list 104 permit esp any any
access-list 104 permit udp host XXX.228.57.63 host XXX.228.155.114 eq isakmp
access-list 104 permit udp host XXX.151.83.99 host XXX.228.155.114 eq isakmp
access-list 104 deny   ip 192.168.41.0 0.0.0.255 any
access-list 104 deny   ip 10.0.0.0 0.255.255.255 any
access-list 104 deny   ip 172.16.0.0 0.15.255.255 any
access-list 104 deny   ip 192.168.0.0 0.0.255.255 any
access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
access-list 104 deny   ip host 255.255.255.255 any
access-list 104 deny   ip host 0.0.0.0 any
access-list 104 deny   ip any any log
access-list 105 deny   ip 192.168.41.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 105 deny   ip 192.168.41.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 105 deny   ip 192.168.41.0 0.0.0.255 192.168.42.0 0.0.0.255
access-list 105 deny   ip 192.168.41.0 0.0.0.255 192.168.43.0 0.0.0.255
access-list 105 deny   ip 192.168.41.0 0.0.0.255 192.168.255.0 0.0.0.255
access-list 105 permit ip 192.168.41.0 0.0.0.255 any
access-list 120 permit ip 192.168.41.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 120 permit ip 192.168.41.0 0.0.0.255 192.168.255.0 0.0.0.255
access-list 121 permit ip 192.168.41.0 0.0.0.255 192.168.5.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run

!
!
!
!
route-map nonat permit 1
match ip address 105
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
access-class 101 in
exec-timeout 0 0
privilege level 15
login local
transport input telnet ssh
transport output telnet ssh
!
scheduler max-task-time 5000
ntp server 192.168.41.10 prefer
end

thanks

2 Replies

Calin C.
Level 5

Hello

Apply it to the L3 interface (in your case Dialer0) direction OUT.

Cheers,

Calin

Thanks Calin,

The reason I ask this question is that I see different answers: some apply it to the sub interface atm0.1 and say this because the pvc is here.

Can you tell me why I should apply it to the dialer interface? Or how should I confirm it's working?
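
An added example, not part of the thread and not Cisco tooling: a small Python audit that reads an IOS config whose indentation has been lost (as in the post) and reports which interface and PVC each service-policy is attached to, which interface carries the crypto map, and which crypto map entries lack `qos pre-classify`. The sample config is constructed, and the `expected` placement is a parameter that defaults to the Dialer0 suggestion from the reply above.

```python
# Constructed excerpt mirroring the posted config's structure (indentation lost).
# Entry 11 deliberately omits "qos pre-classify" to exercise that check.
SAMPLE = """\
crypto map IPSECVPN 10 ipsec-isakmp
match address 120
qos pre-classify
crypto map IPSECVPN 11 ipsec-isakmp
match address 121
interface ATM0.1 point-to-point
pvc 8/35
service-policy output VOICEWAN
!
interface Dialer0
crypto map IPSECVPN
"""

# Top-level commands that end an interface or crypto map context.
SECTIONS = ("class-map ", "policy-map ", "line ", "ip access-list ", "route-map ")

def audit(text, expected="Dialer0"):
    """Return (policies, crypto_ifaces, findings) for a flattened IOS config."""
    iface = pvc = entry = None
    policies, crypto_ifaces, preclassify = [], [], {}
    for line in (raw.strip() for raw in text.splitlines()):
        tok = line.split()
        if line.startswith("interface "):
            iface, pvc, entry = tok[1], None, None
        elif line.startswith("crypto map ") and len(tok) >= 4 and tok[3].isdigit():
            iface, entry = None, (tok[2], tok[3])   # global crypto map entry
            preclassify[entry] = False
        elif line.startswith("crypto map ") and iface:
            crypto_ifaces.append(iface)             # map bound to an interface
        elif line.startswith(SECTIONS):
            iface = pvc = entry = None
        elif line.startswith("pvc ") and iface:
            pvc = tok[1]
        elif len(tok) == 3 and tok[0] == "service-policy" and iface \
                and tok[1] in ("input", "output"):
            policies.append((iface, pvc, tok[1], tok[2]))
        elif line == "qos pre-classify" and entry:
            preclassify[entry] = True
    findings = [f"{name} ({direction}) is on {i}, not {expected}"
                for i, _, direction, name in policies if i != expected]
    if not any(p[0] == expected for p in policies):
        findings.append(f"no service-policy on {expected}")
    findings += [f"crypto map {n} {seq} lacks qos pre-classify"
                 for (n, seq), ok in preclassify.items() if not ok]
    return policies, crypto_ifaces, findings
```

On the router itself, `show policy-map interface` prints per-class packet and drop counters for each attached policy, which shows whether traffic is actually matching the VOICE class.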
