Jim Barber asked:

qos on a 2621XM with a NM 16 ESW

I have an issue with a 2621XM with a NM 16 ESW. No matter how I slice it I cannot get QoS to work properly. If I pass any data whatsoever the voice streams get choppy and break up. It does not seem to me to be marking or honoring the voice tags. Will you please look this over and give me a hand?

Here is my sanitized config
!
version 12.4
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 2621XM
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
enable secret 5 (Removed)
enable password 7 (Removed)
!
no aaa new-model
memory-size iomem 20
wrr-queue bandwidth 1 16 64 255
no network-clock-participate slot 1 
no network-clock-participate wic 0 
no ip source-route
no ip gratuitous-arps
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address XXX.28.1.1
ip dhcp excluded-address XXX.28.2.1
ip dhcp excluded-address XXX.28.2.10
ip dhcp excluded-address XXX.28.2.11
ip dhcp excluded-address XXX.28.2.254
ip dhcp excluded-address XXX.28.3.1
ip dhcp excluded-address XXX.28.3.254
!
ip dhcp pool vlan10
   network XXX.28.1.0 255.255.255.0
   dns-server XXX.20.0.2 XXX.20.0.14 YYY.142.136.85 YYY.142.182.250 4.2.2.2 
   default-router XXX.28.1.1 
!
ip dhcp pool vlan20
   network XXX.28.2.0 255.255.255.0
   default-router XXX.28.2.1 
   dns-server XXX.20.0.2 XXX.20.0.14 
   option 5 ip XXX.20.0.2 XXX.20.0.14 
   domain-name krpcomm.com
   option 160 ascii "http://XXX.23.0.7:8088"
   option 66 ascii "http://XXX.23.0.7:8088"
!
ip dhcp pool vlan30
   network XXX.28.3.0 255.255.255.0
   default-router XXX.28.3.1 
   dns-server XXX.20.0.2 XXX.20.0.14 4.2.2.2 4.2.2.1 
   option 160 ascii "http://XXX.28.3.254:8088"
   option 66 ascii "http://XXX.28.3.254:8088"
!
!
no ip domain lookup
ip domain name krpcomm.com
ip name-server 4.2.2.2
ip name-server 4.2.2.1
ip name-server YYY.142.136.85
ip name-server YYY.142.182.250
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip sla monitor 100
 type echo protocol ipIcmpEcho 4.2.2.1 source-interface FastEthernet0/0
 timeout 2000
 threshold 2000
 frequency 3
ip sla monitor schedule 100 life forever start-time now
ip sla monitor 200
 type echo protocol ipIcmpEcho 4.2.2.2 source-interface FastEthernet0/1
 timeout 2000
 threshold 2000
 frequency 3
ip sla monitor schedule 200 life forever start-time now
!
!
!
mls qos map cos-dscp 0 8 16 24 34 46 48 56
!
password encryption aes
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TRUSTPOINT-SELF-SIGNED
 enrollment selfsigned
 serial-number
 subject-name cn=TRUSTPOINT-SELF-SIGNED
 revocation-check none
 rsakeypair TRUSTPOINT-SELF-SIGNED
!
!
crypto pki certificate chain TRUSTPOINT-SELF-SIGNED
 certificate self-signed 01 nvram:(Removed).cer
username jim privilege 15 password 7 (Removed)
!
!
!
track 100 rtr 100 reachability
 delay down 6 up 18
!
track 200 rtr 200 reachability
 delay down 6 up 18
!
class-map match-any AutoQoS-VoIP-RTP-Trust
 match ip dscp ef 
class-map match-any AutoQoS-VoIP-Control-Trust
 match ip dscp cs3 
 match ip dscp af31 
!
!
policy-map AutoQoS-Policy-Trust
 class AutoQoS-VoIP-RTP-Trust
  priority percent 70
 class AutoQoS-VoIP-Control-Trust
  bandwidth percent 5
 class class-default
  fair-queue
!
! 
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key (Removed) address YYY.90.165.60 no-xauth
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-md5-hmac 
!
crypto map KRP_CRYPTO_MAP 10 ipsec-isakmp 
 set peer YYY.90.165.60
 set security-association lifetime seconds 28800
 set transform-set ESP-3DES-SHA 
 match address 150
 qos pre-classify
!
!
!
!
interface Loopback0
 no ip address
!
interface FastEthernet0/0
 description Internet Connection to ComCast
 ip address VVV.10.106.41 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
 auto qos voip trust 
 no cdp enable
 no mop enabled
 crypto map KRP_CRYPTO_MAP
 service-policy output AutoQoS-Policy-Trust
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 description Internet Connection Century-Tel
 ip address TTT.118.19.206 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
 auto qos voip trust 
 no cdp enable
 no mop enabled
 crypto map KRP_CRYPTO_MAP
 service-policy output AutoQoS-Policy-Trust
!
interface FastEthernet1/0
 switchport access vlan 10
 switchport voice vlan 20
 duplex full
 speed 100
 mls qos trust dscp
 auto discovery qos 
 spanning-tree portfast
!
interface FastEthernet1/1
 switchport access vlan 10
 switchport voice vlan 20
 duplex full
 speed 100
 mls qos trust dscp
 spanning-tree portfast
!
interface FastEthernet1/2
 switchport access vlan 10
 switchport voice vlan 20
 duplex full
 speed 100
 mls qos trust dscp
 spanning-tree portfast
!
interface FastEthernet1/3
 switchport access vlan 10
 switchport voice vlan 20
 duplex full
 speed 100
 mls qos trust dscp
 spanning-tree portfast
!
interface FastEthernet1/4
 switchport access vlan 10
 switchport voice vlan 20
 duplex full
 speed 100
 mls qos trust dscp
 spanning-tree portfast
!
interface FastEthernet1/5
 switchport access vlan 10
 switchport voice vlan 20
 duplex full
 speed 100
 mls qos trust dscp
 spanning-tree portfast
!
interface FastEthernet1/6
 switchport access vlan 10
 switchport voice vlan 20
 duplex full
 speed 100
 mls qos trust dscp
 spanning-tree portfast
!
interface FastEthernet1/7
 switchport access vlan 10
 switchport voice vlan 20
 duplex full
 speed 100
 mls qos trust dscp
 auto discovery qos 
 spanning-tree portfast
!
interface FastEthernet1/8
 switchport access vlan 10
 switchport voice vlan 20
 duplex full
 speed 100
 mls qos trust dscp
 spanning-tree portfast
!
interface FastEthernet1/9
 switchport access vlan 10
 switchport voice vlan 20
 duplex full
 speed 100
 mls qos trust dscp
 spanning-tree portfast
!
interface FastEthernet1/10
 switchport access vlan 10
 switchport voice vlan 20
 duplex full
 speed 100
 mls qos trust dscp
 spanning-tree portfast
!
interface FastEthernet1/11
 switchport access vlan 10
 switchport voice vlan 20
 duplex full
 speed 100
 mls qos trust dscp
 spanning-tree portfast
!
interface FastEthernet1/12
 switchport access vlan 20
 switchport voice vlan 20
 duplex full
 speed 100
 mls qos trust dscp
 spanning-tree portfast
!
interface FastEthernet1/13
 switchport trunk native vlan 10
 switchport mode trunk
 switchport voice vlan 20
 switchport priority extend cos 0
 switchport priority override
 duplex full
 speed 100
 mls qos cos override
 spanning-tree portfast
!
interface FastEthernet1/14
 switchport access vlan 20
 duplex full
 speed 100
 mls qos trust dscp
 spanning-tree portfast
!
interface FastEthernet1/15
 switchport access vlan 10
 switchport voice vlan 20
 duplex full
 speed 100
 mls qos trust dscp
 spanning-tree portfast
!
interface Vlan1
 description default lan do not use
 ip address KKK.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 auto discovery qos 
!
interface Vlan2
 no ip address
!
interface Vlan10
 description DATA VLAN
 ip address XXX.28.1.1 255.255.255.0
 ip nat inside
 ip nat enable
 ip virtual-reassembly
!
interface Vlan20
 ip dhcp relay information trusted
 ip address XXX.28.2.1 255.255.255.0
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly
 auto qos voip trust 
 service-policy output AutoQoS-Policy-Trust
!
interface Vlan30
 ip address XXX.28.3.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
router eigrp 100
 auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 TTT.10.106.46 10 track 100
ip route 0.0.0.0 0.0.0.0 VVV.118.19.205 11 track 200
ip route 4.2.2.1 255.255.255.255 TTT.10.106.46
ip route 4.2.2.2 255.255.255.255 VVV.118.19.205
ip route XXX.20.0.0 255.255.255.0 XXX.20.0.1
!
!
no ip http server
no ip http secure-server
ip nat pool comcast_ip_addresses TTT.10.106.42 TTT.10.106.45 netmask 255.255.255.248
ip nat inside source route-map CenturyTel interface FastEthernet0/1 overload
ip nat inside source route-map ComCast interface FastEthernet0/0 overload
ip nat inside source static tcp XXX.28.3.254 34341 173.10.106.41 34341 extendable
!
access-list 100 remark These are inclusive wildcard masks
access-list 100 deny   ip XXX.28.0.0 0.0.3.255 XXX.20.0.0 0.3.255.255
access-list 100 deny   ip XXX.28.0.0 0.0.3.255 XXX.24.0.0 0.3.255.255
access-list 100 permit ip XXX.28.0.0 0.0.3.255 any
access-list 150 remark These are inclusive wildcard masks
access-list 150 permit ip XXX.28.0.0 0.0.3.255 XXX.20.0.0 0.3.255.255
access-list 150 permit ip XXX.28.0.0 0.0.3.255 XXX.24.0.0 0.3.255.255
!
route-map CenturyTel permit 20
 match ip address 100
 match interface FastEthernet0/1
!
route-map ComCast permit 10
 match ip address 100
 match interface FastEthernet0/0
!
!
!
control-plane
!
rmon event 33333 log trap AutoQoS description "AutoQoS SNMP traps for Voice Drops" owner AutoQoS
rmon alarm 33334 cbQosCMDropBitRate.1587.1589 30 absolute rising-threshold 1 33333 falling-threshold 0 owner AutoQoS
rmon alarm 33335 cbQosCMDropBitRate.1623.1625 30 absolute rising-threshold 1 33333 falling-threshold 0 owner AutoQoS
rmon alarm 33336 cbQosCMDropBitRate.1659.1661 30 absolute rising-threshold 1 33333 falling-threshold 0 owner AutoQoS
!
!
!
!
!
!
!
!
banner motd T
WARNING: This device belongs to Company Nmae.

To protect the system from unauthorized use and to ensure that the system is functioning properly, activities on this system are monitored and recorded and subject to audit. Use of this system is expressed consent to such monitoring and recording. 

Any unauthorized access or use of this System is prohibited and is subject to criminal and civil penalties. 

!
line con 0
 privilege level 15
 speed 115200
line aux 0
line vty 0 4
 privilege level 15
 password 7 (Removed)
 login local
 length 0
 transport input telnet ssh
line vty 5 15
 privilege level 15
 password 7 (Removed)
 login
!
!
end


ASKER CERTIFIED SOLUTION
jasonr0025

This solution is only available to members.

Jim Barber (ASKER)

So issuing the "show policy-map interface fastethernet 0/0" command shows that no traffic is being labeled as default. It appears to me that it is all being marked as EF or CS3.


  Service-policy output: AutoQoS-Policy-Trust

    Class-map: AutoQoS-VoIP-RTP-Trust (match-any)
      8597 packets, 1084734 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: ip dscp ef (46)
        8597 packets, 1084734 bytes
        5 minute rate 0 bps
      Queueing
        Strict Priority
        Output Queue: Conversation 264
        Bandwidth 70 (%)
        Bandwidth 70000 (kbps) Burst 1750000 (Bytes)
        (pkts matched/bytes matched) 8597/1084734
        (total drops/bytes drops) 0/0

    Class-map: AutoQoS-VoIP-Control-Trust (match-any)
      725 packets, 305568 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: ip dscp cs3 (24)
        724 packets, 304904 bytes
        5 minute rate 0 bps
      Match: ip dscp af31 (26)
        1 packets, 664 bytes
        5 minute rate 0 bps
      Queueing
        Output Queue: Conversation 265
        Bandwidth 5 (%)
        Bandwidth 5000 (kbps)Max Threshold 64 (packets)
        (pkts matched/bytes matched) 725/305568
        (depth/total drops/no-buffer drops) 0/0/0

    Class-map: class-default (match-any)
      153647 packets, 21395393 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
      Queueing
        Flow Based Fair Queueing
        Maximum Number of Hashed Queues 256
        (total queued/total drops/no-buffer drops) 0/0/0


I understand the rate limiting, but how do you nest it with a policy?

I can add something like the following on an interface

rate-limit input access-group 101 5000000 5000 5000 conform-action transmit exceed-action drop
rate-limit output access-group 101 2000000 5000 5000 conform-action transmit exceed-action drop

The nested policy will look like that; you'll have to apply it in the outgoing direction on your WAN interface:

policy-map polWAN-OUT
 class class-default
  shape average <Your WAN-!!!!UPSTREAM!!!-bandwidth in bps>
  service-policy AutoQoS-Policy-Trust

int fa0/0
 service-policy output polWAN-OUT

Since your AutoQoS policy uses percentages, it will adopt the bandwidth defined in the parent statement by the shape average.

BTW, I can't see that no traffic is classified as default:

    Class-map: class-default (match-any)
      153647 packets, 21395393 bytes

As you can obviously see, there are some matched packets...

What about the inbound?

Since you can't influence how fast and how many pps hit your external IF, this would not make much sense. To do this you'll have to configure the other side. Apply an output policy on the opposing router's IF.

You don't have much chance to do this, because it's an Internet connection towards the provider? OK, apply an output policy on the SVI of your router.

These are your choices.
You can for sure apply policies to limit incoming traffic on your WAN IF in the inbound direction, but this won't free bandwidth, because the packets are already on the wire, on the way to your router.
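
Added example (not part of the original thread and not any poster's code): a small Python check that reads the "show policy-map interface" output quoted above, works out which rate the class percentages are currently taken from, and shows what each class would be given once the policy is nested under a parent shaper as described. The upstream_kbps value of 2000 is an assumed rate for illustration only.

```python
import re

# Trimmed excerpt of the "show policy-map interface" output quoted in the thread.
SHOW_OUTPUT = """\
  Service-policy output: AutoQoS-Policy-Trust
    Class-map: AutoQoS-VoIP-RTP-Trust (match-any)
        Strict Priority
        Bandwidth 70 (%)
        Bandwidth 70000 (kbps) Burst 1750000 (Bytes)
    Class-map: AutoQoS-VoIP-Control-Trust (match-any)
        Bandwidth 5 (%)
        Bandwidth 5000 (kbps)Max Threshold 64 (packets)
    Class-map: class-default (match-any)
        Flow Based Fair Queueing
"""

def parse_classes(text):
    """Return {class_name: {"percent": int, "kbps": int}} for classes with Bandwidth lines."""
    classes, current = {}, None
    for line in text.splitlines():
        m = re.search(r"Class-map:\s+(\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.search(r"Bandwidth\s+(\d+)\s+\((%|kbps)\)", line)
        if m and current:
            key = "percent" if m.group(2) == "%" else "kbps"
            classes.setdefault(current, {})[key] = int(m.group(1))
    return classes

def audit(text, upstream_kbps):
    """Compare each class's current allocation with what a shaped parent would give it."""
    report = {}
    for name, c in parse_classes(text).items():
        if "percent" not in c or "kbps" not in c:
            continue
        reference = c["kbps"] * 100 // c["percent"]  # rate the percentage is taken from
        report[name] = {
            "reference_kbps": reference,
            "current_kbps": c["kbps"],
            "shaped_kbps": upstream_kbps * c["percent"] // 100,
            "exceeds_upstream": c["kbps"] > upstream_kbps,
        }
    return report

if __name__ == "__main__":
    # 2000 kbps is a hypothetical upstream rate, not a value confirmed in the thread.
    for name, row in audit(SHOW_OUTPUT, upstream_kbps=2000).items():
        print(name, row)
```

In the quoted output both classes resolve to a 100000 kbps reference, so a priority allocation of 70000 kbps is larger than the assumed upstream and the router's queues never fill before the provider link does.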