Jim Barber
asked on
qos on a 2621XM with a NM 16 ESW
I have an issue with a 2621XM with a NM 16 ESW. No matter how I slice it I cannot get QoS to work properly. If I pass any data whatsoever the voice streams get choppy and break up. It does not seem to me to be marking or honoring the voice tags. Will you please look this over and give me a hand?
Here is my sanitized config
!
version 12.4
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 2621XM
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
enable secret 5 (Removed)
enable password 7 (Removed)
!
no aaa new-model
memory-size iomem 20
wrr-queue bandwidth 1 16 64 255
no network-clock-participate slot 1
no network-clock-participate wic 0
no ip source-route
no ip gratuitous-arps
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address XXX.28.1.1
ip dhcp excluded-address XXX.28.2.1
ip dhcp excluded-address XXX.28.2.10
ip dhcp excluded-address XXX.28.2.11
ip dhcp excluded-address XXX.28.2.254
ip dhcp excluded-address XXX.28.3.1
ip dhcp excluded-address XXX.28.3.254
!
ip dhcp pool vlan10
network XXX.28.1.0 255.255.255.0
dns-server XXX.20.0.2 XXX.20.0.14 YYY.142.136.85 YYY.142.182.250 4.2.2.2
default-router XXX.28.1.1
!
ip dhcp pool vlan20
network XXX.28.2.0 255.255.255.0
default-router XXX.28.2.1
dns-server XXX.20.0.2 XXX.20.0.14
option 5 ip XXX.20.0.2 XXX.20.0.14
domain-name krpcomm.com
option 160 ascii "http://XXX.23.0.7:8088"
option 66 ascii "http://XXX.23.0.7:8088"
!
ip dhcp pool vlan30
network XXX.28.3.0 255.255.255.0
default-router XXX.28.3.1
dns-server XXX.20.0.2 XXX.20.0.14 4.2.2.2 4.2.2.1
option 160 ascii "http://XXX.28.3.254:8088"
option 66 ascii "http://XXX.28.3.254:8088"
!
!
no ip domain lookup
ip domain name krpcomm.com
ip name-server 4.2.2.2
ip name-server 4.2.2.1
ip name-server YYY.142.136.85
ip name-server YYY.142.182.250
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip sla monitor 100
type echo protocol ipIcmpEcho 4.2.2.1 source-interface FastEthernet0/0
timeout 2000
threshold 2000
frequency 3
ip sla monitor schedule 100 life forever start-time now
ip sla monitor 200
type echo protocol ipIcmpEcho 4.2.2.2 source-interface FastEthernet0/1
timeout 2000
threshold 2000
frequency 3
ip sla monitor schedule 200 life forever start-time now
!
!
!
mls qos map cos-dscp 0 8 16 24 34 46 48 56
!
password encryption aes
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TRUSTPOINT-SELF-SIGNED
enrollment selfsigned
serial-number
subject-name cn=TRUSTPOINT-SELF-SIGNED
revocation-check none
rsakeypair TRUSTPOINT-SELF-SIGNED
!
!
crypto pki certificate chain TRUSTPOINT-SELF-SIGNED
certificate self-signed 01 nvram:(Removed).cer
username jim privilege 15 password 7 (Removed)
!
!
!
track 100 rtr 100 reachability
delay down 6 up 18
!
track 200 rtr 200 reachability
delay down 6 up 18
!
class-map match-any AutoQoS-VoIP-RTP-Trust
match ip dscp ef
class-map match-any AutoQoS-VoIP-Control-Trust
match ip dscp cs3
match ip dscp af31
!
!
policy-map AutoQoS-Policy-Trust
class AutoQoS-VoIP-RTP-Trust
priority percent 70
class AutoQoS-VoIP-Control-Trust
bandwidth percent 5
class class-default
fair-queue
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key (Removed) address YYY.90.165.60 no-xauth
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-md5-hmac
!
crypto map KRP_CRYPTO_MAP 10 ipsec-isakmp
set peer YYY.90.165.60
set security-association lifetime seconds 28800
set transform-set ESP-3DES-SHA
match address 150
qos pre-classify
!
!
!
!
interface Loopback0
no ip address
!
interface FastEthernet0/0
description Internet Connection to ComCast
ip address VVV.10.106.41 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
auto qos voip trust
no cdp enable
no mop enabled
crypto map KRP_CRYPTO_MAP
service-policy output AutoQoS-Policy-Trust
!
interface Serial0/0
no ip address
shutdown
!
interface FastEthernet0/1
description Internet Connection Century-Tel
ip address TTT.118.19.206 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
auto qos voip trust
no cdp enable
no mop enabled
crypto map KRP_CRYPTO_MAP
service-policy output AutoQoS-Policy-Trust
!
interface FastEthernet1/0
switchport access vlan 10
switchport voice vlan 20
duplex full
speed 100
mls qos trust dscp
auto discovery qos
spanning-tree portfast
!
interface FastEthernet1/1
switchport access vlan 10
switchport voice vlan 20
duplex full
speed 100
mls qos trust dscp
spanning-tree portfast
!
interface FastEthernet1/2
switchport access vlan 10
switchport voice vlan 20
duplex full
speed 100
mls qos trust dscp
spanning-tree portfast
!
interface FastEthernet1/3
switchport access vlan 10
switchport voice vlan 20
duplex full
speed 100
mls qos trust dscp
spanning-tree portfast
!
interface FastEthernet1/4
switchport access vlan 10
switchport voice vlan 20
duplex full
speed 100
mls qos trust dscp
spanning-tree portfast
!
interface FastEthernet1/5
switchport access vlan 10
switchport voice vlan 20
duplex full
speed 100
mls qos trust dscp
spanning-tree portfast
!
interface FastEthernet1/6
switchport access vlan 10
switchport voice vlan 20
duplex full
speed 100
mls qos trust dscp
spanning-tree portfast
!
interface FastEthernet1/7
switchport access vlan 10
switchport voice vlan 20
duplex full
speed 100
mls qos trust dscp
auto discovery qos
spanning-tree portfast
!
interface FastEthernet1/8
switchport access vlan 10
switchport voice vlan 20
duplex full
speed 100
mls qos trust dscp
spanning-tree portfast
!
interface FastEthernet1/9
switchport access vlan 10
switchport voice vlan 20
duplex full
speed 100
mls qos trust dscp
spanning-tree portfast
!
interface FastEthernet1/10
switchport access vlan 10
switchport voice vlan 20
duplex full
speed 100
mls qos trust dscp
spanning-tree portfast
!
interface FastEthernet1/11
switchport access vlan 10
switchport voice vlan 20
duplex full
speed 100
mls qos trust dscp
spanning-tree portfast
!
interface FastEthernet1/12
switchport access vlan 20
switchport voice vlan 20
duplex full
speed 100
mls qos trust dscp
spanning-tree portfast
!
interface FastEthernet1/13
switchport trunk native vlan 10
switchport mode trunk
switchport voice vlan 20
switchport priority extend cos 0
switchport priority override
duplex full
speed 100
mls qos cos override
spanning-tree portfast
!
interface FastEthernet1/14
switchport access vlan 20
duplex full
speed 100
mls qos trust dscp
spanning-tree portfast
!
interface FastEthernet1/15
switchport access vlan 10
switchport voice vlan 20
duplex full
speed 100
mls qos trust dscp
spanning-tree portfast
!
interface Vlan1
description default lan do not use
ip address KKK.1.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
auto discovery qos
!
interface Vlan2
no ip address
!
interface Vlan10
description DATA VLAN
ip address XXX.28.1.1 255.255.255.0
ip nat inside
ip nat enable
ip virtual-reassembly
!
interface Vlan20
ip dhcp relay information trusted
ip address XXX.28.2.1 255.255.255.0
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly
auto qos voip trust
service-policy output AutoQoS-Policy-Trust
!
interface Vlan30
ip address XXX.28.3.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
router eigrp 100
auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 TTT.10.106.46 10 track 100
ip route 0.0.0.0 0.0.0.0 VVV.118.19.205 11 track 200
ip route 4.2.2.1 255.255.255.255 TTT.10.106.46
ip route 4.2.2.2 255.255.255.255 VVV.118.19.205
ip route XXX.20.0.0 255.255.255.0 XXX.20.0.1
!
!
no ip http server
no ip http secure-server
ip nat pool comcast_ip_addresses TTT.10.106.42 TTT.10.106.45 netmask 255.255.255.248
ip nat inside source route-map CenturyTel interface FastEthernet0/1 overload
ip nat inside source route-map ComCast interface FastEthernet0/0 overload
ip nat inside source static tcp XXX.28.3.254 34341 173.10.106.41 34341 extendable
!
access-list 100 remark These are inclusive wildcard masks
access-list 100 deny ip XXX.28.0.0 0.0.3.255 XXX.20.0.0 0.3.255.255
access-list 100 deny ip XXX.28.0.0 0.0.3.255 XXX.24.0.0 0.3.255.255
access-list 100 permit ip XXX.28.0.0 0.0.3.255 any
access-list 150 remark These are inclusive wildcard masks
access-list 150 permit ip XXX.28.0.0 0.0.3.255 XXX.20.0.0 0.3.255.255
access-list 150 permit ip XXX.28.0.0 0.0.3.255 XXX.24.0.0 0.3.255.255
!
route-map CenturyTel permit 20
match ip address 100
match interface FastEthernet0/1
!
route-map ComCast permit 10
match ip address 100
match interface FastEthernet0/0
!
!
!
control-plane
!
rmon event 33333 log trap AutoQoS description "AutoQoS SNMP traps for Voice Drops" owner AutoQoS
rmon alarm 33334 cbQosCMDropBitRate.1587.1589 30 absolute rising-threshold 1 33333 falling-threshold 0 owner AutoQoS
rmon alarm 33335 cbQosCMDropBitRate.1623.1625 30 absolute rising-threshold 1 33333 falling-threshold 0 owner AutoQoS
rmon alarm 33336 cbQosCMDropBitRate.1659.1661 30 absolute rising-threshold 1 33333 falling-threshold 0 owner AutoQoS
!
!
!
!
!
!
!
!
banner motd T
WARNING: This device belongs to Company Nmae.
To protect the system from unauthorized use and to ensure that the system is functioning properly, activities on this system are monitored and recorded and subject to audit. Use of this system is expressed consent to such monitoring and recording.
Any unauthorized access or use of this System is prohibited and is subject to criminal and civil penalties.
!
line con 0
privilege level 15
speed 115200
line aux 0
line vty 0 4
privilege level 15
password 7 (Removed)
login local
length 0
transport input telnet ssh
line vty 5 15
privilege level 15
password 7 (Removed)
login
!
!
end
ASKER
I understand the rate limiting, but how do you nest it with a policy?
I can add something like the following on an interface
rate-limit input access-group 101 5000000 5000 5000 conform-action transmit exceed-action drop
rate-limit output access-group 101 2000000 5000 5000 conform-action transmit exceed-action drop
The nested policy will look like this; you'll have to apply it in the outgoing direction on your WAN interface:
policy-map polWAN-OUT
 class class-default
  shape average <Your WAN-!!!!UPSTREAM!!!-bandwidth in bps>
  service-policy AutoQoS-Policy-Trust
int fa0/0
 service-policy output polWAN-OUT
Since your AutoQoS policy uses percents, it will adopt the defined bandwidth in the parent statement regarding shaping average.
BTW, I can't see that no traffic is classified as default:
Class-map: class-default (match-any)
153647 packets, 21395393 bytes
As you can obviously see, there are some matched packets...
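The parent/child relationship described in this answer can be checked offline against a saved configuration. The following Python script is an added example, not code from the thread or from Cisco: it parses IOS-style text, finds each `service-policy output` attachment, and reports the per-class rates the child policy's percentages resolve to under the parent shaper. The sample text is constructed, and the 2 Mbps `shape average` value is an assumption standing in for the real upstream rate.

```python
import re
# Constructed sample: the page's policy names, with an assumed 2 Mbps upstream.
SAMPLE = """\
policy-map AutoQoS-Policy-Trust
 class AutoQoS-VoIP-RTP-Trust
  priority percent 70
 class AutoQoS-VoIP-Control-Trust
  bandwidth percent 5
policy-map polWAN-OUT
 class class-default
  shape average 2000000
  service-policy AutoQoS-Policy-Trust
interface FastEthernet0/0
 service-policy output polWAN-OUT
interface FastEthernet0/1
 service-policy output AutoQoS-Policy-Trust
"""

def parse(config):
    """Return ({policy: {shape, child, percent}}, {interface: output policy})."""
    policies, attach, pol, cls, intf = {}, {}, None, None, None
    for line in map(str.strip, config.splitlines()):  # indentation is ignored
        if m := re.match(r"policy-map (\S+)$", line):
            pol, intf = m.group(1), None
            policies[pol] = {"shape": None, "child": None, "percent": {}}
        elif m := re.match(r"interface (\S+)$", line):
            intf, pol = m.group(1), None
        elif pol and (m := re.match(r"class (\S+)$", line)):
            cls = m.group(1)
        elif pol and (m := re.match(r"shape average (\d+)$", line)):
            policies[pol]["shape"] = int(m.group(1))
        elif pol and (m := re.match(r"service-policy (\S+)$", line)):
            policies[pol]["child"] = m.group(1)
        elif pol and (m := re.match(r"(?:priority|bandwidth) percent (\d+)$", line)):
            policies[pol]["percent"][cls] = int(m.group(1))
        elif intf and (m := re.match(r"service-policy output (\S+)$", line)):
            attach[intf] = m.group(1)
    return policies, attach

def audit(config):
    """Per interface: {class: bps} under a parent shaper; None means no shaper,
    so the percentages follow the interface bandwidth instead."""
    policies, attach = parse(config)
    report = {}
    for intf, name in attach.items():
        parent = policies.get(name, {})
        child = policies.get(parent.get("child"))
        report[intf] = ({c: parent["shape"] * p // 100 for c, p in child["percent"].items()}
                        if parent.get("shape") and child else None)
    return report
```

Calling `audit(SAMPLE)` shows FastEthernet0/0 with 1,400,000 bps reserved for RTP and 100,000 bps for control, while FastEthernet0/1, which still has the queuing policy attached directly, comes back as `None`.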
ASKER
What about the inbound?
Since you can't influence how fast and how many pps hit your external IF, this would not make much sense. To do this you'll have to configure the other side. Apply an output policy on the opposing router's IF.
You don't have big chances to do this, because it's an internet connection towards the provider? OK, apply an output policy on the SVI of your router.
These are your choices.
You can for sure apply policies to limit incoming traffic on your WAN IF in the inbound direction, but this won't free bandwidth, because the packets are already on the wire, on the way to your router.