Solved

acls & qos for dummies

Posted on 2008-10-20
7
1,876 Views
Last Modified: 2013-12-27
Hi experts, I need to set up QoS from zero for our VoIP & wireless SIP phones.
In short, we tried to place our PBX and all IP phones on a separate VLAN, but unfortunately, due to different versions of IP phone firmware, we have 50% of phones that can work only on vlan1. We'll upgrade the firmware, but there are more than 60 IP phones, so at the moment I'm thinking about a workaround. I added 10.72.182.0/24 as a secondary IP class on vlan1, reserved only for VoIP; our DHCP server assigns addresses in this class only to VoIP phone MAC addresses, so I'm sure that only VoIP equipment is in this class (I'm thinking that when we upgrade the firmware, I'll need to reassign the IP class to the VoIP VLAN and in one shot I'll place all VoIP in a separate VLAN).
THE ACTUAL SITUATION: we have all VoIP equipment on a dedicated LAN, which at the moment is a secondary class on vlan1 (10.72.182.0/24). I would like to try to activate QoS for this IP class; is it possible? If it's possible, what do I need to do? I mean, do I have to use the mls command? Do I need to build ACLs? If yes... well... how can I do it?
Our PBX address is 10.72.182.1, the SIP interface is 10.72.182.2, so I need to prioritize the traffic of the VoIP clients to 10.72.182.1, and of the SIP clients to 10.72.182.2; our Catalyst 6513 gateway is 10.72.182.254. Concerning SIP wireless phones, I have a pool of reserved IPs. What should I know about our IP phones? I mean, for SIP I can choose the TOS id, but for the wired IP phones I know nothing. I understand that it's a poor condition... but if you can give me some suggestions I'll try to collect more info.
That's all for the moment. Thanks in advance.
Question by:u-boot96
7 Comments
 
LVL 10

Accepted Solution

by:
kyleb84 earned 500 total points
- What brand/model IP phones are they?
- What brand/model PABX is it?

---------------------------

For starters the easiest way to provide QoS where you are now is to allocate a pool for your IP phones and just match that by ACL - class it, then prioritise:

!
! Catch all IP traffic originating from the 10.72.182.0/24 network AND
! destined for the same network.
access-list 110 permit ip 10.72.182.0 0.0.0.255 10.72.182.0 0.0.0.255
!
! Match the rest
access-list 120 deny ip 10.72.182.0 0.0.0.192 10.72.182.0 0.0.0.192
access-list 120 permit ip any any
!
! Mark them as VoIP packets
class-map voip
 match access-group 110
!
! Catch the rest
class-map data
 match access-group 120
!
! Create a policy map, setting DSCP values depending
! on class.
policy-map qos-policy
 class voip
   set ip dscp 48
 class data
   set ip dscp 16
!
! Set all your ports to obey policy rules depending on VLAN membership
interface range Fa0 - 24
 mls qos vlan-based
!
! Set Vlan1 to apply this policy upon ingress, the
! DSCP value will then take over for egress QoS.
interface vlan 1
 service-policy input qos-policy
!

0
 

Author Comment

by:u-boot96
First of all, thank you very much.
The PBX is an "Aastra MATRA NeXspan L, rj, M7425 Express, R4.2", the IP phones are Aastra Matra i740 and the wireless SIP phones are "Aastra Phone 312".
Now I'll try to set up the access list as you suggested; I'll give you feedback on whether I get fired or not =)
 
0
 

Author Closing Comment

by:u-boot96
Thank you very much. It seems that our VoIP now works much, much better than before ;) thank you very much.
0
 

Author Comment

by:u-boot96
Hi Kyleb84, I just need a little clarification on ACL 120:
 "Match the rest
access-list 120 deny ip 10.72.182.0 0.0.0.192 10.72.182.0 0.0.0.192
access-list 120 permit ip any any"
 
I have reserved the whole 10.72.182.0/24 subnet for the VoIP traffic, and I don't understand why you subnetted it with 0.0.0.192 = 255.255.255.63... forgive me, but I don't understand it.
Please, can you explain this ACL to me? Thank you.
0
 
LVL 10

Expert Comment

by:kyleb84
Sorry, my bad, that line should be:

Match the rest
access-list 120 deny ip 10.72.182.0 0.0.0.255 10.72.182.0 0.0.0.255
access-list 120 permit ip any any

Those wildcard masks are the inverse of subnet masks: /24 = (Network Mask) 255.255.255.0 = (ACL MASK) 0.0.0.255
0
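Added example, not part of the thread: a small Python simulator of the wildcard-mask rule kyleb84 gives and of the first-match ACL and policy-map classification used in the accepted solution, so you can check which packets the original 0.0.0.192 line actually matched before the correction. The function names are mine; it assumes standard Cisco semantics (first matching entry wins, implicit deny at the end of an ACL, first permitting class wins in the policy-map).

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF

def wildcard_from_prefix(prefix_len):
    """Cisco ACL wildcard for a /prefix_len network: the bit-inverse of the subnet mask."""
    subnet_mask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    return str(ipaddress.IPv4Address(~subnet_mask & ALL_ONES))

def _parse_addr(tokens):
    """Consume one address spec (any | host A.B.C.D | A.B.C.D W.X.Y.Z); return (base, wildcard, rest)."""
    if tokens[0] == "any":
        return 0, ALL_ONES, tokens[1:]
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0, tokens[2:]
    return int(ipaddress.IPv4Address(tokens[0])), int(ipaddress.IPv4Address(tokens[1])), tokens[2:]

def _matches(addr, base, wildcard):
    """A wildcard bit of 1 means 'don't care'; every other bit must equal the base address."""
    care = ~wildcard & ALL_ONES
    return (addr & care) == (base & care)

def acl_lookup(acl, src, dst):
    """First-match evaluation of an extended IP ACL given as 'permit|deny ip SRC DST' lines.
    A packet matching no entry hits the implicit deny at the end of the list."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for line in acl:
        action, _proto, *rest = line.split()
        sb, sw, rest = _parse_addr(rest)
        db, dw, rest = _parse_addr(rest)
        if _matches(s, sb, sw) and _matches(d, db, dw):
            return action
    return "deny"

def classify(policy, src, dst):
    """policy-map semantics: classes are tried in order; the first whose ACL permits the packet wins."""
    for class_name, acl, dscp in policy:
        if acl_lookup(acl, src, dst) == "permit":
            return class_name, dscp
    return "class-default", None

# The ACLs from the thread, constructed here as sample input for the simulation.
ACL_110 = ["permit ip 10.72.182.0 0.0.0.255 10.72.182.0 0.0.0.255"]
ACL_120_TYPO = ["deny ip 10.72.182.0 0.0.0.192 10.72.182.0 0.0.0.192", "permit ip any any"]
ACL_120_FIXED = ["deny ip 10.72.182.0 0.0.0.255 10.72.182.0 0.0.0.255", "permit ip any any"]
QOS_POLICY = [("voip", ACL_110, 48), ("data", ACL_120_FIXED, 16)]
```

With the 0.0.0.192 wildcard only the last-octet bits 6 and 7 are ignored, so a PBX-to-SIP-interface packet (.1 to .2) is not caught by the deny and falls through to permit any any; with 0.0.0.255 the whole /24 is excluded from the data class as intended.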
 

Author Comment

by:u-boot96
NP =) thanks for the clarification.
0
 

Author Comment

by:u-boot96

Just another doubt... if the PBX and all VoIP devices are in the same network (10.72.182.0/24) and the 6513 vlan1 secondary address (which is the default gateway in this network) is 10.72.182.254, phones and PBX can communicate without using the gateway (where we enabled mls qos vlan-based); are the access lists really considered and working or not? Another thing that I didn't explain to you is our LAN environment, which is composed of 27 Cisco devices (2590, 2960, 3750); the Catalyst 6513 is our core device, and all the other switches reach the 6513 via fiber optic. The 6513 is equipped with 2 SFM 16-port GBIC modules for the switch connections and a 48-port 10/100/1000 module where our servers are connected. We also have 6 networks, currently all in vlan1, and their default gateways are primary and secondary IPs on the vlan1 interface of our Cat 6513; for instance, for the network 10.72.128.0/24 the DGW is the vlan1 primary IP of the 6513 (10.72.128.254), for the network 10.72.158.0/24 it is the vlan1 secondary IP of the 6513, 10.72.158.258, and so on for all our networks. Now I need to use VLANs to try to segment our network traffic; the first step should have been the VoIP VLAN experiments... but unfortunately, due to the VoIP phone firmware problem, we cannot start with this test, but now we are "dancing" with this topic and I would like to solve it. I'm telling you this because I would like you to know that our VoIP phones are not directly connected to the 6513 but are distributed across many Cisco devices. All fiber ports are in trunk mode, so VLANs are not a problem, and inter-VLAN switching is already working; I know perfectly where each phone is connected, the ports are already in trunk mode and the allowed VLANs are only vlan1 and vlan150 (which I'll use for the VoIP VLAN).
So I changed your suggested configuration for the interface range in the 6513 from "interface range Fa0 - 24" to "interface range gigabitEthernet 3/1-16" and "interface range gigabitEthernet 4/1-16", which are our 6513 modules connected to the rest of the Cisco switches. The Aastra PBX Ethernet interface is not directly connected to the 6513 but to another Cisco switch (which reaches the 6513 via fiber optic in trunk mode). Now, considering all that I tried to explain... are the access lists working or not? In the Cat 6513, with "sho access-list" and "show mls qos" I got these results:

"centrostella#sho access-lists
Extended IP access list 110
    permit ip 10.72.182.0 0.0.0.255 10.72.182.0 0.0.0.255 (5917 matches)
Extended IP access list 120
    deny ip 10.72.182.0 0.0.0.255 10.72.182.0 0.0.0.255
    permit ip any any (2053189 matches)
Extended IP access list 125
    permit ip any any"

centrostella#show mls qos
  QoS is enabled globally
  Microflow policing is enabled globally
  QoS is vlan-based on the following interfaces:
    Gi3/1 Gi3/2 Gi3/3 Gi3/4 Gi3/5 Gi3/6 Gi3/7 Gi3/8 Gi3/9 Gi3/10
    Gi3/11 Gi3/12 Gi3/13 Gi3/14 Gi3/15 Gi3/16 Gi4/1 Gi4/2 Gi4/3 Gi4/4
    Gi4/5 Gi4/6 Gi4/7 Gi4/8 Gi4/9 Gi4/10 Gi4/11 Gi4/12 Gi4/13 Gi4/14
    Gi4/15 Gi4/16
Vlan or Portchannel(Multi-Earl) policies supported: Yes
 ----- Module [1] -----
  QoS global counters:
    Total packets: 3342320
    IP shortcut packets: 0
    Packets dropped by policing: 0
    IP packets with TOS changed by policing: 52166
    IP packets with COS changed by policing: 132
    Non-IP packets with COS changed by policing: 0
 
Thank you very much...
0
