Solved

Cisco QoS Configuration

Posted on 2011-02-11
11
4,982 Views
Last Modified: 2012-05-11
I'm currently tidying our Cisco 2811 config as the QoS doesn't appear to be controlling our voice traffic very well. It appears that our phone system (Axxess Inter-Tel, now Mitel) isn't using RTP (I might be wrong) for the voice traffic over the WAN. So, I've set the ToS value to 184 to try and capture the traffic better. Also, the NBAR shows a lot of .H323 and Skinny traffic and I can only presume it's the phone system.

We have a 10MB WAN link, Point-to-Point, connected from the 2811 to another 2811 in the remote site. Site 1 WAN port is 10.0.0.1/24 and Site 2 WAN port is 10.0.0.2/24. Site 1 telephone system is 192.168.101.2/24 and Site to is 192.168.103.2/24.

The QoS is also managing Citrix and is set to 5MB of bandwidth. The Voice is set to 2MB. Both of these values need to be guaranteed at all times, and all other traffic needs best effort.

On a side note, NBAR shows a LOT of traffic using the Skype protocol, although I know for a fact Skype isn't in use. Could this be related?

I've got the (attached) config and need somebody to confirm if this is set up right, or if it could be better, or it may be totally wrong! I think I might have duplicated some things unnecessarily, but I'm sure somebody will tell me so!

Thanks in advance....
class-map match-all CITRIX
 match protocol citrix
!
class-map match-any VOICE
 match protocol rtp
 match dscp ef
 match access-group 101
 match access-group 102
!
!
policy-map QOS-POLICY
 class VOICE
    priority 2048
    set dscp ef
 class CITRIX
    bandwidth 5120
!
!
!
interface FastEthernet0/1/0
 no ip address
 ip nbar protocol-discovery
 speed 10
 full-duplex
 service-policy output QOS-POLICY
!
!
interface FastEthernet0/1/0.4094
 description *** LINK TO WAN ***
 encapsulation dot1Q 4094
 ip address 10.0.0.1 255.255.255.0
!
!
!
!For Skinny, H.323, MGCP:
!Signaling traffic
access-list 101 permit tcp any any range 2000 2002
access-list 101 permit tcp any any eq 1720
access-list 101 permit tcp any any range 11000 11999
access-list 101 permit udp any any eq 2427
access-list 101 permit udp any any eq 4569
access-list 101 permit udp any any eq 5036
access-list 101 permit udp any any eq 5060
!
!Phone System Host
access-list 101 permit ip host 192.168.101.2 any
access-list 101 permit ip host 192.168.101.2 any dscp ef
!
!RTP traffic
access-list 102 permit udp any any range 32767
access-list 102 permit udp any any range 16384 32767
!
!
priority-list 1 protocol ip high list 101
!

Open in new window

0
Comment
Question by:Lee Osborne
  • 6
  • 3
  • 2
11 Comments
 
LVL 6

Accepted Solution

by:
ged125 earned 350 total points
Comment Utility
For starters, move the "service-policy output QOS-POLICY" to the "interface FastEthernet0/1/0.4094" section of the config.   You want to prioritze traffic going out to the WAN, not out to your LAN segment.

What version of IOS are you running?
0
 
LVL 15

Author Comment

by:Lee Osborne
Comment Utility
Thanks, ged125.

We're running v12.4(24)T2, boot file - c2801-ipbasek9-mz.124-24.T .

Thanks,
Lee
0
 
LVL 6

Expert Comment

by:ged125
Comment Utility
I think you will find that moving the service policy will result in the outcome you are looking for.  This is of course assuming that the voice traffic is being marked as EF, is RTP or matches one of your access lists.  Does Mitel have any documentation re: QoS markings?
0
 
LVL 15

Author Comment

by:Lee Osborne
Comment Utility
Thanks, that's good to know. I'll update this and start monitoring it on Monday when I'm back in the office.

The traffic currently appears to be picked up as EF and I've manually set the ToS to 184 too. As for Mitel's documentation, I haven't come across any yet. I may give the maintenance provider a call and ask them if they know. I'm hoping that by specifying RTP, DSCP EF, the host IP's, and the port numbers, one of them will pick it up!

Do you have any idea why NBAR would be reporting so much Skype traffic? Is it likely that some other traffic is being incorrectly identified as Skype?

I presume that on the 2811 in the other office, the relevant IP's need to be changed to suit the subnet there and that's pretty much it, it'll basically be the same config?

Lee
0
 
LVL 12

Assisted Solution

by:atrevido
atrevido earned 150 total points
Comment Utility
Are you sure Skype is not installed on anyone's machines?  It is a P2P software so just one user will cause this.

Here are some excerpts from the Mitel 3300 Engineering guidelines regarding QoS and DSCP

LAN QoS policiesStarting in Release 8.0, the 3300 can apply different LAN QoS policies to voice packets,
signaling packets and other packets. Prior to Release 8.0 the 3300 applied the same LAN QoS
policies to all packets. The LAN Policy form in ESM is used for setting the LAN QoS policy values.
In a Cisco based environment the recommended settings are:
• Voice Packets: DSCP: 46, 802.1p:5
• Signaling Packets: DSCP: 26, 802.1p:3
• Other Packets: DSCP:0 802.1p:0

The DSCP value is programmed using DHCP server option (see “DHCP Option
Reclassification” on page 211). This is picked up by the IP phones. The Mitel values for DSCP
was previously fixed at 44 to allow backward compatibility with older TOS based routers.
However, today 46 is the expected value to be used. A DSCP value of 44 will still be directed
to a high priority queue, but 46 is handled in a more “Expedited” manner. It is recommended
that to provide for product at different levels routers (default gateways) map DSCP44 to
DSCP46. The alternative is to map DSCP44 to the EF queue, but then this needs to be
programmed in all routers. Note that the DSCP value can still be programmed to 44 to maintain
backward compatibility or left blank and the IP phones will use their default DSCP value. 53XX
series IP phones use a default DSCP value of 46, while the older IP sets use a default DSCP
value of 44. An example of programming needed for a router is given in the appendix (see
page 270 and page 273).

ANd here is page 270
Router1(config)# class-map match-all
MitelClassMapP-Bit
Router1(config-cmap)# match ip dscp ef [Matches the DSCP value of 46]
Router1(config)# policy-map
MitelPolicyMapP-Bit
Router1(config-pmap)# class
MitelClassMapP-Bit
[Matches the class map looking for DSCP 46]
Router1(config-pmap-c)# set cos 6 [set the 802.1p bit to 6 if DSCP = 46]

No "priority" statement has been set in this Policy Map. This is because the Fast Ethernet
outbound queue is assumed not to be congested due to the ingress traffic coming from theserial interface being much lower than 100Mbps of the Fast Ethernet interface. If the Fast
Ethernet is congested for other traffic reasons then a "priority" statement will be required on
the Fast Ethernet sub-interface Policy Map as well.

Hope that helps
0
Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

 
LVL 15

Author Comment

by:Lee Osborne
Comment Utility
Thanks @atrevido, that looks like some good information. I'm happy that it includes notes about DSCP46 too.

Yep, I'm definitely sure Skype isn't running. Our users don't have permission to install software, and all machines are built from the same image. The amount of traffic that is being reported by NBAR is like a user spending all day on a video call, which would also be very much noticed by managers in the office!

The only (remote) possibility is that someone has their own laptop or something that they have plugged in. But the amount of traffic is still too much for it to not be noticed that they weren't actually working. Do you know of anything that would make the router think it's Skype traffic when it actually isn't?

Lee
0
 
LVL 12

Expert Comment

by:atrevido
Comment Utility
Well, couple things,
First, I think it would be good if you upgraded your router to the latest IOS as NBAR gets smarter and has more of a database with each release.

And I was thinnking how does NBAR really know that is Skype.  I'm not a Skype expert but my understanding is that it pretty much uses any port it can get out on and quite often uses 443, 80.  These are the NBAR supported IOS for Skype
 
Skype 3.0
 12.4(25)T
 2.5
 
Skype 3.5
 12.4(25)T
 2.5
 
Skype 4.0
 12.4(25)T
 Not supported
 

I also read this:
Windows Media Player uses port 7007 to connect an encoder app to a remote server. Default port 7007 facilitates the data traffic between an encoder file and the server during file conversion.Port 7007 is also the default port used by Skype Session Manager to allow a Skype user to initiate a chat or call session after the handshake on port 7007. The port is always bound to an IP address on the client computer for recognition from the server.Port 7007 is bound to the URL xmenmovieverse.com. When an individual accesses the Web-based games on the URL, the browser automatically binds port 7007 for secure login process.Port 7007 is commonly used by the W32.Spybot.Gen3 malware infection. This Trojan/worm looks for an Internet connection on the infected machine and proceeds to connect to the server "irc.nkclan.net" via port 7007.
0
 
LVL 15

Author Comment

by:Lee Osborne
Comment Utility
I think the latest IOS for our router is currently v15 (they skipped 13 and 14!), so I may have to consider that.

You're correct about Skype, it uses a dynamic port each time it loads and uses uPNP. But, if it can't connect using it's dynamic port, it falls back to 443 and/or 80. I think our proxy server would see this traffic as it should use the proxy server settings from IE. Also, our firewall would probably be unhappy about something going out of a dynamic port. I'll have to check those out later today when I can see the active 'Skype' NBAR figures. I'll also see if there is anything on the firewall about a client on port 7007 too. As you mention though, how does it know it's Skype?! I can only imagine it would know this if the traffic was tagged by Skype somehow, but I can't really see that happening. I may have a look to see if Skype recommend any kind of QoS configs in case it does.

It's a bit of a mystery really, I could do with knowing what this traffic is!

Thanks for your help so far...

Lee
0
 
LVL 6

Expert Comment

by:ged125
Comment Utility
What about the original question regarding QoS?  Did my suggestion help??
0
 
LVL 15

Author Comment

by:Lee Osborne
Comment Utility
@ged125 - I'm quite sure that this will help, I'm just waiting for a maintenance window whereby I can upload new configs to the router.

I'll be sure to let you know once this is applied!

Thanks - Lee.
0
 
LVL 15

Author Closing Comment

by:Lee Osborne
Comment Utility
Thanks @ged125, the QoS suggestion seems to have helped.

Thanks @atrevido, the extra information helped regarding Skype and NBAR, but I'm still seeing the Skype NBAR traffic. I think it's something I'll have to go a lot further into.

Lee
0

Featured Post

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

Join & Write a Comment

Managing 24/7 IT Operations is a hands-on job and indeed a difficult one. Over the years I have found some simple tips and techniques to increase the efficiency of the overall operations. The core concept has always been on continuous improvement; a…
PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now