Solved

QoS and ACLs

Posted on 2010-11-15
Last Modified: 2012-06-21
I am trying to see if we are doing QoS to best practices. We use Avaya phones, which tag the traffic themselves. On our Cisco switches, I have trust dscp on every switchport. Is this correct? (I used the auto voip command as well.)

The router is matching on dscp ef and dscp af, but I don't think we need to match on af according to Cisco. Can someone look at the code and let me know if we should be doing something different?

Thank you

P.S.: All our voice traffic is on the 172.16.11.0 subnet. That's why the ACL is matching on it.


class-map match-all CM4-Priority-Apps
 description ***** Priority-Applications Class Map *****
 match access-group 100
class-map match-all CM5-VoIP-RTP
 description *******  Avaya VoIP RTP Class Map  ********
 match access-group 100
class-map match-any VOICE
 match ip precedence 5
 match ip dscp ef
class-map match-any VOICE_SIGNALING
 match ip precedence 3
 match ip dscp af31
class-map match-all CM3-VoIP-Control
 description ********  VoIP Control Class Map  *********
 match access-group 100
!
!
policy-map VOIP_WAN
 class VOICE
  priority percent 40
 class VOICE_SIGNALING
  bandwidth percent 5
 class class-default
  fair-queue
  random-detect
policy-map QoS-Policy
 description ***** Ensured Marking *****
 class CM5-VoIP-RTP
  set ip dscp ef


access-list 100 permit ip 172.16.11.0 0.0.0.255 any


access switch


interface GigabitEthernet1/0/2
 switchport trunk native vlan 10
 switchport mode trunk
 srr-queue bandwidth share 10 10 60 20
 queue-set 2
 priority-queue out
 mls qos trust dscp
 auto qos voip trust


core switch (router connects to this guy)


interface GigabitEthernet4/24
 description **** SL MPLS ROUTER ****
 switchport mode access
 switchport nonegotiate
 service-policy output autoqos-voip-policy
 speed 1000
 duplex full
 qos trust dscp
 auto qos voip trust
 tx-queue 3
   bandwidth percent 33
   priority high
   shape percent 33
 spanning-tree portfast
 spanning-tree bpduguard enable
end


Question by:orus
 
LVL 11

Expert Comment

by:DIPRAJ
ID: 34142997
http://www.cisco.com/application/pdf/paws/46523/2950qosfaq.pdf

Everything related to QoS and CoS is given there. Please read the document.
0
 
LVL 9

Expert Comment

by:Alex Bahar
ID: 34145192
Which service policy are you using on your router? VOIP_WAN and QoS-Policy are not attached to the interface.

You can use an ACL to classify RTP traffic. However, if Avaya is already marking it, then you do not need the ACL to re-identify the RTP stream and re-mark it.
0
 
LVL 9

Expert Comment

by:Alex Bahar
ID: 34145199
Can you let us know how Avaya is marking the Call Signalling and RTP traffic?
0

 

Author Comment

by:orus
ID: 34146006
The Avaya should be marking dscp ef from the phones, same for signalling.

The service policy is VOIP_WAN, applied outbound on the outside interface of the router.
QoS-Policy is applied inbound on the LAN interface of the router.
0
 

Author Comment

by:orus
ID: 34146102
So let me verify if this is the correct way to do this:

On the router (first code posted), we are marking traffic coming in the LAN and marking traffic exiting into the WAN with dscp ef.

On the switch ports, we are not tagging or remarking, we are simply trusting and queuing the traffic appropriately?
0
 
LVL 9

Expert Comment

by:Alex Bahar
ID: 34150103
If Avaya is already marking with EF, then there is no need for QoS-Policy which marks the Avaya traffic again as EF.
0
 
LVL 9

Expert Comment

by:Alex Bahar
ID: 34150155
The settings applied to interface GigabitEthernet4/24 indicate that your actual physical WAN connection is a Gigabit link on your edge router to the ISP. You're allocating 33%, 330 Mbps priority traffic towards your WAN interface. You need to make sure that the priority traffic will not consume ALL of the bandwidth on your WAN link. If this happens, you will be cut off from the network, as network control traffic like BGP packets will be dropped when priority traffic takes over the whole WAN bandwidth.
0
 

Author Comment

by:orus
ID: 34150202
4/24 is actually a switchport on our 4507. It is connected to the Ethernet interface of our router. Our router has a multilink (4 T1s) to the SP.
0
 

Author Comment

by:orus
ID: 34152226
The reason for QoS-Policy is for traffic coming from other locations. We want to ensure marking remains when going from router to LAN. Is this not needed if the phone at the remote site marks?
0
 
LVL 9

Expert Comment

by:Alex Bahar
ID: 34154273
>> The reason for QoS-Policy is for traffic coming from other locations. We want to ensure marking remains when going from router to LAN. Is this not needed if the phone at the remote site marks?

No, you do not need that. The TOS/DSCP marking is carried over the WAN untouched (unless your WAN SP deliberately overwrites it to void your QoS). You should just trust the received DSCP/TOS value coming from the WAN to your router.


Can you post the output of "show policy-map interface <your WAN interface>" during busy hour? It will tell us if your voice traffic is matched and queued properly.
0
 

Author Comment

by:orus
ID: 34154746
I have attached the requested output. Looks like lots of things are being matched on ip precedence 5. What is this and how does it relate to dscp ef?

thanks
c3845-MPLS#sh policy-map int multilink1
 Multilink1

  Service-policy output: VOIP_WAN

    Class-map: VOICE (match-any)
      14826 packets, 1033595 bytes
      5 minute offered rate 83000 bps, drop rate 0 bps
      Match: ip precedence 5
        14826 packets, 1033595 bytes
        5 minute rate 83000 bps
      Match: ip dscp ef (46)
        0 packets, 0 bytes
        5 minute rate 0 bps
      Queueing
        Strict Priority
        Output Queue: Conversation 264
        Bandwidth 40 (%)
        Bandwidth 2304 (kbps) Burst 57600 (Bytes)
        (pkts matched/bytes matched) 14531/1012187
        (total drops/bytes drops) 0/0

    Class-map: VOICE_SIGNALING (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: ip precedence 3
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: ip dscp af31 (26)
        0 packets, 0 bytes
        5 minute rate 0 bps
      Queueing
        Output Queue: Conversation 265
        Bandwidth 5 (%)
        Bandwidth 288 (kbps)Max Threshold 64 (packets)
        (pkts matched/bytes matched) 0/0
        (depth/total drops/no-buffer drops) 0/0/0

    Class-map: class-default (match-any)
      71405 packets, 76937191 bytes
      5 minute offered rate 3598000 bps, drop rate 0 bps
      Match: any
      Queueing
        Flow Based Fair Queueing
        Maximum Number of Hashed Queues 256
        (total queued/total drops/no-buffer drops) 35/19/0
         exponential weight: 9

  class    Transmitted      Random drop      Tail drop    Minimum Maximum  Mark
           pkts/bytes       pkts/bytes       pkts/bytes    thresh  thresh  prob
      0   71364/76911090       19/24738          0/0           20      40  1/10
      1       0/0               0/0              0/0           22      40  1/10
      2       0/0               0/0              0/0           24      40  1/10
      3       0/0               0/0              0/0           26      40  1/10
      4       0/0               0/0              0/0           28      40  1/10
      5       0/0               0/0              0/0           30      40  1/10
      6      22/1363            0/0              0/0           32      40  1/10
      7       0/0               0/0              0/0           34      40  1/10
   rsvp       0/0               0/0              0/0           36      40  1/10

c3845-MPLS#


0
 

Author Comment

by:orus
ID: 34154759
And here is the config from that same router for the QoS. I was told we don't need af31 in there anymore, since Avaya uses dscp ef for signaling and voice?
class-map match-all CM4-Priority-Apps
 description ***** Priority-Applications Class Map *****
 match access-group 100
class-map match-all CM5-VoIP-RTP
 description *******  Avaya VoIP RTP Class Map  ********
 match access-group 100
class-map match-any VOICE
 match ip precedence 5
 match ip dscp ef
class-map match-any VOICE_SIGNALING
 match ip precedence 3
 match ip dscp af31
class-map match-all CM3-VoIP-Control
 description ********  VoIP Control Class Map  *********
 match access-group 100
!
!
policy-map VOIP_WAN
 class VOICE
  priority percent 40
 class VOICE_SIGNALING
  bandwidth percent 5
 class class-default
  fair-queue
  random-detect
policy-map QoS-Policy
 description ***** Ensured Marking *****
 class CM5-VoIP-RTP
  set ip dscp ef


0
 

Author Comment

by:orus
ID: 34159061
So before I close this:

If the IP phones mark the traffic themselves, all I need to do is trust it in my switches and routers. I don't need to remark it going out to service provider?

The same is true for return traffic. As long as it is marked at the remote end, it should cross the SP, go through my CE router and into my LAN, as long as I am trusting dscp ef?
0
 
LVL 9

Accepted Solution

by:
Alex Bahar earned 500 total points
ID: 34161187
That is correct. Currently all (well-known) VoIP and video endpoints are capable of marking their RTP streams in the IP header (DSCP).
0
 
LVL 9

Expert Comment

by:Alex Bahar
ID: 34161197
However, just to be safe, I recommend you check your vendor's documents to see whether they are marking DSCP EF or TOS 5. There might be some vendors out there still marking with TOS 5 (CS 5) instead of DSCP EF. In your config, you are matching both IP Prec 5 and DSCP EF; it is a good approach that covers all.
0
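
Added example (not part of the thread or of any poster's configuration): the ToS byte of a DSCP EF packet also reads as IP precedence 5, which is why a match-any class that lists "match ip precedence 5" first can show every hit on that line and none on "match ip dscp ef". The Python sketch below assumes the per-statement counters credit the first statement that matches; the function names and the sample ToS bytes are constructed for illustration.

```python
# Added illustration: how one ToS byte reads as both IP precedence and DSCP,
# and which "match" line a match-any class credits. Names are hypothetical.

def decode_tos(tos):
    """Split the IPv4 ToS/DS byte into precedence, DSCP and ECN fields."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS is a single byte")
    return {"precedence": tos >> 5,   # top 3 bits (legacy ToS reading)
            "dscp": tos >> 2,         # top 6 bits (DiffServ reading)
            "ecn": tos & 0x3}         # low 2 bits, not part of DSCP

# Class-maps from the posted router config, statements in configured order.
POSTED = [("VOICE", [("precedence", 5), ("dscp", 46)]),
          ("VOICE_SIGNALING", [("precedence", 3), ("dscp", 26)])]
# Same classes with the DSCP statement first (a diagnostic variant).
DSCP_FIRST = [("VOICE", [("dscp", 46), ("precedence", 5)]),
              ("VOICE_SIGNALING", [("dscp", 26), ("precedence", 3)])]

def classify(tos, class_maps):
    """Return (class, statement index); assumption: first match is credited."""
    fields = decode_tos(tos)
    for name, statements in class_maps:
        for idx, (field, value) in enumerate(statements):
            if fields[field] == value:
                return name, idx
    return "class-default", 0

def count_hits(tos_bytes, class_maps):
    """Per-statement counters, shaped like 'show policy-map interface'."""
    counters = {name: [0] * len(stmts) for name, stmts in class_maps}
    counters["class-default"] = [0]
    for tos in tos_bytes:
        name, idx = classify(tos, class_maps)
        counters[name][idx] += 1
    return counters

# Constructed sample: 3x EF (0xB8), 1x CS5 (0xA0), 1x AF31 (0x68), 2x best effort.
SAMPLE = [0xB8, 0xB8, 0xB8, 0xA0, 0x68, 0x00, 0x00]

if __name__ == "__main__":
    print(decode_tos(0xB8))
    print("posted order:", count_hits(SAMPLE, POSTED))
    print("dscp first:  ", count_hits(SAMPLE, DSCP_FIRST))
```

With the DSCP statement listed first, true EF packets and CS5 packets land on separate counters, which shows which marking the endpoints actually send.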
