Lee Osborne (United Kingdom) asked:

Cisco QoS Configuration

I'm currently tidying our Cisco 2811 config as the QoS doesn't appear to be controlling our voice traffic very well. It appears that our phone system (Axxess Inter-Tel, now Mitel) isn't using RTP (I might be wrong) for the voice traffic over the WAN. So, I've set the ToS value to 184 to try and capture the traffic better. Also, the NBAR shows a lot of .H323 and Skinny traffic and I can only presume it's the phone system.

We have a 10MB WAN link, Point-to-Point, connected from the 2811 to another 2811 in the remote site. Site 1 WAN port is 10.0.0.1/24 and Site 2 WAN port is 10.0.0.2/24. Site 1 telephone system is 192.168.101.2/24 and Site 2 is 192.168.103.2/24.

The QoS is also managing Citrix and is set to 5MB of bandwidth. The Voice is set to 2MB. Both of these values need to be guaranteed at all times, and all other traffic needs best effort.

On a side note, NBAR shows a LOT of traffic using the Skype protocol, although I know for a fact Skype isn't in use. Could this be related?

I've got the (attached) config and need somebody to confirm if this is set up right, or if it could be better, or it may be totally wrong! I think I might have duplicated some things unnecessarily, but I'm sure somebody will tell me so!

Thanks in advance....
class-map match-all CITRIX
 match protocol citrix
!
class-map match-any VOICE
 match protocol rtp
 match dscp ef
 match access-group 101
 match access-group 102
!
!
policy-map QOS-POLICY
 class VOICE
    priority 2048
    set dscp ef
 class CITRIX
    bandwidth 5120
!
!
!
interface FastEthernet0/1/0
 no ip address
 ip nbar protocol-discovery
 speed 10
 full-duplex
 service-policy output QOS-POLICY
!
!
interface FastEthernet0/1/0.4094
 description *** LINK TO WAN ***
 encapsulation dot1Q 4094
 ip address 10.0.0.1 255.255.255.0
!
!
!
!For Skinny, H.323, MGCP:
!Signaling traffic
access-list 101 permit tcp any any range 2000 2002
access-list 101 permit tcp any any eq 1720
access-list 101 permit tcp any any range 11000 11999
access-list 101 permit udp any any eq 2427
access-list 101 permit udp any any eq 4569
access-list 101 permit udp any any eq 5036
access-list 101 permit udp any any eq 5060
!
!Phone System Host
access-list 101 permit ip host 192.168.101.2 any
access-list 101 permit ip host 192.168.101.2 any dscp ef
!
!RTP traffic (UDP 16384-32767; the malformed single-port "range 32767" line is dropped, it is covered by this range)
access-list 102 permit udp any any range 16384 32767
!
!
priority-list 1 protocol ip high list 101
!

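As an added illustration (not part of the question or of any answer on this page), a small Python lint for the kind of config posted above: it converts the ToS value 184 to its DSCP, sums the priority and bandwidth reservations against the link rate, and flags access-list "range" entries that do not carry two port numbers. The config snippet is constructed from the posted lines, and the 75% reservable share is the classic max-reserved-bandwidth default, kept as an assumed, adjustable parameter.

```python
import re

# Constructed sample: a few of the lines from the 2811 config in the question,
# including the malformed "range 32767" ACL entry exactly as it was posted.
SAMPLE_CONFIG = """\
policy-map QOS-POLICY
 class VOICE
    priority 2048
    set dscp ef
 class CITRIX
    bandwidth 5120
access-list 101 permit tcp any any range 2000 2002
access-list 101 permit udp any any eq 5060
access-list 102 permit udp any any range 32767
access-list 102 permit udp any any range 16384 32767
"""

def tos_to_dscp(tos):
    """ToS byte -> DSCP (top six bits). 184 (0xB8) -> 46, which is EF."""
    return tos >> 2

def parse_policy(config):
    """Return {class: (keyword, kbps)} for priority/bandwidth lines of a policy-map."""
    classes, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^ class (\S+)", line)
        if m:
            current = m.group(1)
        m = re.match(r"^\s+(priority|bandwidth) (\d+)", line)
        if m and current:
            classes[current] = (m.group(1), int(m.group(2)))
    return classes

def check_budget(classes, link_kbps, max_reservable=0.75):
    """Priority + bandwidth reservations must fit the reservable share (assumed 75%)."""
    reserved = sum(kbps for _, kbps in classes.values())
    return reserved, reserved <= link_kbps * max_reservable

def lint_acls(config):
    """Flag access-list 'range' entries that do not name exactly two numeric ports."""
    problems = []
    for line in config.splitlines():
        if line.startswith("access-list") and " range " in line:
            ports = line.split(" range ", 1)[1].split()
            if len(ports) != 2 or not all(p.isdigit() for p in ports):
                problems.append(line)
    return problems

if __name__ == "__main__":
    print("ToS 184 -> DSCP", tos_to_dscp(184))
    print("reserved kbps, fits 10 Mb link:", check_budget(parse_policy(SAMPLE_CONFIG), 10000))
    print("bad ACL lines:", lint_acls(SAMPLE_CONFIG))
```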
ASKER CERTIFIED SOLUTION by ged125 (United States): only available to Experts Exchange members.
Lee Osborne (ASKER):

Thanks, ged125.

We're running v12.4(24)T2, boot file c2801-ipbasek9-mz.124-24.T.

Thanks,
Lee
I think you will find that moving the service policy will result in the outcome you are looking for. This is of course assuming that the voice traffic is being marked as EF, is RTP, or matches one of your access lists. Does Mitel have any documentation re: QoS markings?
Thanks, that's good to know. I'll update this and start monitoring it on Monday when I'm back in the office.

The traffic currently appears to be picked up as EF and I've manually set the ToS to 184 too. As for Mitel's documentation, I haven't come across any yet. I may give the maintenance provider a call and ask them if they know. I'm hoping that by specifying RTP, DSCP EF, the host IPs, and the port numbers, one of them will pick it up!

Do you have any idea why NBAR would be reporting so much Skype traffic? Is it likely that some other traffic is being incorrectly identified as Skype?

I presume that on the 2811 in the other office, the relevant IPs need to be changed to suit the subnet there and that's pretty much it; it'll basically be the same config?

Lee
SOLUTION: only available to Experts Exchange members.
Thanks @atrevido, that looks like some good information. I'm happy that it includes notes about DSCP46 too.

Yep, I'm definitely sure Skype isn't running. Our users don't have permission to install software, and all machines are built from the same image. The amount of traffic that is being reported by NBAR is like a user spending all day on a video call, which would also be very much noticed by managers in the office!

The only (remote) possibility is that someone has their own laptop or something that they have plugged in. But the amount of traffic is still too much for it to not be noticed that they weren't actually working. Do you know of anything that would make the router think it's Skype traffic when it actually isn't?

Lee
Well, a couple of things.
First, I think it would be good if you upgraded your router to the latest IOS, as NBAR gets smarter and has more of a database with each release.

And I was thinking: how does NBAR really know that it is Skype? I'm not a Skype expert, but my understanding is that it pretty much uses any port it can get out on and quite often uses 443 and 80. These are the NBAR-supported IOS versions for Skype:

Skype 3.0   12.4(25)T   2.5
Skype 3.5   12.4(25)T   2.5
Skype 4.0   12.4(25)T   Not supported

I also read this:
Windows Media Player uses port 7007 to connect an encoder app to a remote server. Default port 7007 facilitates the data traffic between an encoder file and the server during file conversion.

Port 7007 is also the default port used by Skype Session Manager to allow a Skype user to initiate a chat or call session after the handshake on port 7007. The port is always bound to an IP address on the client computer for recognition from the server.

Port 7007 is bound to the URL xmenmovieverse.com. When an individual accesses the Web-based games on the URL, the browser automatically binds port 7007 for the secure login process.

Port 7007 is commonly used by the W32.Spybot.Gen3 malware infection. This Trojan/worm looks for an Internet connection on the infected machine and proceeds to connect to the server "irc.nkclan.net" via port 7007.
I think the latest IOS for our router is currently v15 (they skipped 13 and 14!), so I may have to consider that.

You're correct about Skype, it uses a dynamic port each time it loads and uses UPnP. But if it can't connect using its dynamic port, it falls back to 443 and/or 80. I think our proxy server would see this traffic as it should use the proxy server settings from IE. Also, our firewall would probably be unhappy about something going out of a dynamic port. I'll have to check those out later today when I can see the active 'Skype' NBAR figures. I'll also see if there is anything on the firewall about a client on port 7007 too. As you mention though, how does it know it's Skype?! I can only imagine it would know this if the traffic was tagged by Skype somehow, but I can't really see that happening. I may have a look to see if Skype recommends any kind of QoS configs in case it does.

It's a bit of a mystery really, I could do with knowing what this traffic is!

Thanks for your help so far...

Lee
What about the original question regarding QoS? Did my suggestion help?
@ged125 - I'm quite sure that this will help, I'm just waiting for a maintenance window whereby I can upload new configs to the router.

I'll be sure to let you know once this is applied!

Thanks - Lee.
Thanks @ged125, the QoS suggestion seems to have helped.

Thanks @atrevido, the extra information helped regarding Skype and NBAR, but I'm still seeing the Skype NBAR traffic. I think it's something I'll have to go a lot further into.

Lee