acls & qos for dummies

Posted on 2008-10-20
Last Modified: 2013-12-27
Hi experts, I need to set up QoS from zero for our VoIP & wireless SIP phones.
In short, we tried to place our PBX and all IP phones on a separate VLAN, but unfortunately, due to different versions of IP phone firmware, we have 50% of phones that can work only on vlan1. We'll upgrade the firmware, but there are more than 60 IP phones, so at the moment I'm thinking about a workaround. I added 10.72.182.0/24 as a secondary IP class on vlan1, reserved only for VoIP; our DHCP server assigns addresses in this class only to VoIP phone MAC addresses, so I'm sure that only VoIP devices are in this class (I'm thinking ahead to when we'll upgrade the firmware: I'll need to reassign the IP class to the VoIP VLAN, and in one shot I'll place all VoIP in a separate VLAN).
THE ACTUAL SITUATION: we have all VoIP equipment on a dedicated LAN, which at the moment is a secondary class on vlan1 (10.72.182.0/24). I would like to try to activate QoS for this IP class; is it possible? If it's possible, what do I need to do? I mean, do I have to use the mls command? Do I need to build ACLs? If yes... well... how can I do it?
Our PBX address is 10.72.182.1 and the SIP interface is 10.72.182.2, so I need to prioritize the traffic of the VoIP clients to 10.72.182.1, and of the SIP clients to 10.72.182.2. Our Catalyst 6513 gateway is 10.72.182.254; concerning the SIP wireless phones, I have a pool of reserved IPs. What do I need to know about our IP phones? I mean, for SIP I can choose the TOS id, but for the wired IP phones I know nothing. I understand that it's a poor condition... but if you can give me some suggestions I'll try to collect more info.
That's all for the moment. Thanks in advance.
Question by:u-boot96
LVL 10

Accepted Solution

by:
kyleb84 earned 500 total points
ID: 22763160
- What brand/model IP phones are they?
- What brand/model PABX is it?

---------------------------

For starters, the easiest way to provide QoS where you are now is to allocate a pool for your IP phones and just match that by ACL - class it, then prioritise:

!
! Catch all IP traffic originating from the 10.72.182.0/24 network AND
! destined for the same network.
access-list 110 permit ip 10.72.182.0 0.0.0.255 10.72.182.0 0.0.0.255
!
! Match the rest
access-list 120 deny ip 10.72.182.0 0.0.0.192 10.72.182.0 0.0.0.192
access-list 120 permit ip any any
!
! Mark them as VoIP packets
class-map voip
 match access-group 110
!
! Catch the rest
class-map data
 match access-group 120
!
! Create a policy map, setting DSCP values depending
! on class.
policy-map qos-policy
 class voip
   set ip dscp 48
 class data
   set ip dscp 16
!
! Set all your ports to obey policy rules depending on VLAN membership
interface range Fa0 - 24
 mls qos vlan-based
!
! Set Vlan1 to apply this policy upon ingress, the 
! DSCP value will then take over for egress QoS.
interface vlan 1
 service-policy input qos-policy
!


Author Comment

by:u-boot96
ID: 22765247
First of all thank you very much.
The PBX is an "Aastra MATRA NeXspan L, rj, M7425 Express, R4.2", the IP phones are Aastra Matra i740 and the wireless SIP phones are
"Aastra Phone 312".
Now I'll try to set up the access list as you suggested; I'll give you feedback on whether I'll be fired or not =)

Author Closing Comment

by:u-boot96
ID: 31507836
Thank you very much. It seems that our VoIP now works much, much better than before ;) Thank you very much.

Author Comment

by:u-boot96
ID: 22774533
Hi Kyleb84, I just need a little clarification on ACL 120:
 "Match the rest
access-list 120 deny ip 10.72.182.0 0.0.0.192 10.72.182.0 0.0.0.192
access-list 120 permit ip any any"
 
I have reserved the whole 10.72.182.0/24 subnet for the VoIP traffic, and I don't understand why you subnetted it with 0.0.0.192 = 255.255.255.63... forgive me, but I don't understand it.
Please, can you explain this ACL to me? Thank you.
LVL 10

Expert Comment

by:kyleb84
ID: 22782783
Sorry, my bad, that line should be:

Match the rest
access-list 120 deny ip 10.72.182.0 0.0.0.255 10.72.182.0 0.0.0.255
access-list 120 permit ip any any

Those wildcard masks are the inverse of subnet masks: /24 = (network mask) 255.255.255.0 = (ACL mask) 0.0.0.255
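As an added example that is not from this thread, Cisco or Aastra: a small Python model of Cisco wildcard matching and first-match ACL evaluation, run over the two versions of ACL 120 posted above. It shows what the 0.0.0.192 wildcard really covers (only .0, .64, .128 and .192 of the /24) and why the mistake did not hurt the posted policy: class voip is evaluated first, so any packet between two 10.72.182.0/24 hosts is marked DSCP 48 before ACL 120 is consulted at all. The ACL text and addresses are taken from the thread; the POLICY table is a constructed transcription of the posted policy-map.

```python
import ipaddress

# Constructed from the ACLs posted in this thread: ACL 120 as
# first posted (0.0.0.192 wildcard) and as corrected (0.0.0.255).
ACL_AS_POSTED = """
access-list 110 permit ip 10.72.182.0 0.0.0.255 10.72.182.0 0.0.0.255
access-list 120 deny ip 10.72.182.0 0.0.0.192 10.72.182.0 0.0.0.192
access-list 120 permit ip any any
"""
ACL_CORRECTED = ACL_AS_POSTED.replace("0.0.0.192", "0.0.0.255")
# policy-map qos-policy as posted: (class, access-group, dscp), first match wins
POLICY = [("voip", "110", 48), ("data", "120", 16)]

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr, base, wildcard):
    # Cisco semantics: wildcard bit 1 = don't care, 0 = must equal base bit
    return ((_ip(addr) ^ _ip(base)) & ~_ip(wildcard) & 0xFFFFFFFF) == 0

def parse_acls(text):
    # 'access-list N permit|deny ip SRC SWC DST DWC' -> {N: [(permit, src, dst)]}
    acls = {}
    for line in text.splitlines():
        t = line.replace("any", "0.0.0.0 255.255.255.255").split()
        if len(t) != 8 or t[0] != "access-list" or t[3] != "ip":
            continue
        acls.setdefault(t[1], []).append((t[2] == "permit", (t[4], t[5]), (t[6], t[7])))
    return acls

def acl_permits(entries, src, dst):
    # first matching entry decides; no match at all is the implicit deny
    for permit, (sb, sw), (db, dw) in entries:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return permit
    return False

def dscp_for(acl_text, src, dst):
    # DSCP the policy-map sets on a src->dst packet; None if no class matches
    acls = parse_acls(acl_text)
    for _name, number, dscp in POLICY:
        if acl_permits(acls.get(number, []), src, dst):
            return dscp
    return None

def hosts_matched(base, wildcard):
    # how many of the 256 addresses in base's /24 the wildcard really covers
    net = ipaddress.IPv4Network(base + "/24", strict=False)
    return sum(wildcard_match(str(h), base, wildcard) for h in net)
```

Evaluated on its own, the posted ACL 120 would still permit 10.72.182.65 -> 10.72.182.1 (the deny only catches four hosts), whereas the corrected one denies it; through the policy-map both versions give that packet DSCP 48 because ACL 110 matches first.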

Author Comment

by:u-boot96
ID: 22783721
NP =) thanks for the clarification.

Author Comment

by:u-boot96
ID: 22784751

Just another doubt... if the PBX and all VoIP devices are in the same network (10.72.182.0/24) and the 6513 vlan1 secondary address (that is the default gateway in this network) is 10.72.182.254, phones and PBX can communicate without using the gateway (where we enabled mls qos vlan-based). Are the access lists really considered and working or not? Another thing that I didn't explain to you is our LAN environment, which is composed of 27 Cisco devices (2590, 2960, 3750); the Catalyst 6513 is our core device, and all the other switches reach the 6513 via fiber optic. The 6513 is equipped with 2 SFM 16-port GBIC modules for the switch connections and a 48-port 10/100/1000 module where our servers are connected. We also have 6 networks, actually all in vlan1, and their default gateways are the primary and secondary IPs on the vlan1 interface of our Cat 6513; for instance, for the network 10.72.128.0/24 the DGW is the vlan1 primary IP of the 6513 (10.72.128.254), for the network 10.72.158.0/24 it is the vlan1 secondary IP of the 6513, 10.72.158.258, and so on for all our networks. Now I need to use VLANs to try to segment our network traffic; the first step should have been the VoIP VLAN experiments... but unfortunately, due to the VoIP phone firmware problem, we cannot start with this test, but now we are "dancing" with this topic and I would like to solve it. I'm telling you this because I would like you to know that our VoIP phones are not directly connected to the 6513 but are distributed across many Cisco devices. All fiber ports are in trunk mode, so VLANs are not a problem, and inter-VLAN switching is already working; I know perfectly where each phone is connected, the ports are already in trunk mode and the allowed VLANs are only vlan1 and vlan150 (which I'll use for the VoIP VLAN).
So I changed your suggested configuration for the interface range in the 6513 from "interface range Fa0 - 24" to "interface range gigabitEthernet 3/1-16" and "interface range gigabitEthernet 4/1-16", which are our 6513 modules connected to the rest of the Cisco switches. The Aastra PBX Ethernet interface is not directly connected to the 6513 but to another Cisco switch (which reaches the 6513 via fiber optic in trunk mode). Now, considering all that I tried to explain... are the access lists working or not? In the Cat 6513, with sho access-list and mls I had these results:

centrostella#sho access-lists
Extended IP access list 110
    permit ip 10.72.182.0 0.0.0.255 10.72.182.0 0.0.0.255 (5917 matches)
Extended IP access list 120
    deny ip 10.72.182.0 0.0.0.255 10.72.182.0 0.0.0.255
    permit ip any any (2053189 matches)
Extended IP access list 125
    permit ip any any

centrostella#show mls qos
  QoS is enabled globally
  Microflow policing is enabled globally
  QoS is vlan-based on the following interfaces:
    Gi3/1 Gi3/2 Gi3/3 Gi3/4 Gi3/5 Gi3/6 Gi3/7 Gi3/8 Gi3/9 Gi3/10
    Gi3/11 Gi3/12 Gi3/13 Gi3/14 Gi3/15 Gi3/16 Gi4/1 Gi4/2 Gi4/3 Gi4/4
    Gi4/5 Gi4/6 Gi4/7 Gi4/8 Gi4/9 Gi4/10 Gi4/11 Gi4/12 Gi4/13 Gi4/14
    Gi4/15 Gi4/16
Vlan or Portchannel(Multi-Earl) policies supported: Yes
 ----- Module [1] -----
  QoS global counters:
    Total packets: 3342320
    IP shortcut packets: 0
    Packets dropped by policing: 0
    IP packets with TOS changed by policing: 52166
    IP packets with COS changed by policing: 132
    Non-IP packets with COS changed by policing: 0
 
Thank you very much...