Cisco QoS Configuration

I'm currently tidying our Cisco 2811 config as the QoS doesn't appear to be controlling our voice traffic very well. It appears that our phone system (Axxess Inter-Tel, now Mitel) isn't using RTP (I might be wrong) for the voice traffic over the WAN. So, I've set the ToS value to 184 to try and capture the traffic better. Also, the NBAR shows a lot of .H323 and Skinny traffic and I can only presume it's the phone system.

We have a 10MB WAN link, Point-to-Point, connected from the 2811 to another 2811 in the remote site. Site 1 WAN port is and Site 2 WAN port is Site 1 telephone system is and Site to is

The QoS is also managing Citrix and is set to 5MB of bandwidth. The Voice is set to 2MB. Both of these values need to be guaranteed at all times, and all other traffic needs best effort.

On a side note, NBAR shows a LOT of traffic using the Skype protocol, although I know for a fact Skype isn't in use. Could this be related?

I've got the (attached) config and need somebody to confirm if this is set up right, or if it could be better, or it may be totally wrong! I think I might have duplicated some things unnecessarily, but I'm sure somebody will tell me so!

Thanks in advance....
class-map match-all CITRIX
 match protocol citrix
class-map match-any VOICE
 match protocol rtp
 match dscp ef
 match access-group 101
 match access-group 102
policy-map QOS-POLICY
 class VOICE
    priority 2048
    set dscp ef
 class CITRIX
    bandwidth 5120
interface FastEthernet0/1/0
 no ip address
 ip nbar protocol-discovery
 speed 10
 service-policy output QOS-POLICY
interface FastEthernet0/1/0.4094
 description *** LINK TO WAN ***
 encapsulation dot1Q 4094
 ip address
!For Skinny, H.323, MGCP:
!Signaling traffic
access-list 101 permit tcp any any range 2000 2002
access-list 101 permit tcp any any eq 1720
access-list 101 permit tcp any any range 11000 11999
access-list 101 permit udp any any eq 2427
access-list 101 permit udp any any eq 4569
access-list 101 permit udp any any eq 5036
access-list 101 permit udp any any eq 5060
!Phone System Host
access-list 101 permit ip host any
access-list 101 permit ip host any dscp ef
!RTP traffic
access-list 102 permit udp any any range 32767
access-list 102 permit udp any any range 16384 32767
priority-list 1 protocol ip high list 101

Open in new window

LVL 15
Lee OsborneAsked:
Who is Participating?
ged125Connect With a Mentor Commented:
For starters, move the "service-policy output QOS-POLICY" to the "interface FastEthernet0/1/0.4094" section of the config.   You want to prioritze traffic going out to the WAN, not out to your LAN segment.

What version of IOS are you running?
Lee OsborneAuthor Commented:
Thanks, ged125.

We're running v12.4(24)T2, boot file - c2801-ipbasek9-mz.124-24.T .

I think you will find that moving the service policy will result in the outcome you are looking for.  This is of course assuming that the voice traffic is being marked as EF, is RTP or matches one of your access lists.  Does Mitel have any documentation re: QoS markings?
Protect Your Employees from Wi-Fi Threats

As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!

Lee OsborneAuthor Commented:
Thanks, that's good to know. I'll update this and start monitoring it on Monday when I'm back in the office.

The traffic currently appears to be picked up as EF and I've manually set the ToS to 184 too. As for Mitel's documentation, I haven't come across any yet. I may give the maintenance provider a call and ask them if they know. I'm hoping that by specifying RTP, DSCP EF, the host IP's, and the port numbers, one of them will pick it up!

Do you have any idea why NBAR would be reporting so much Skype traffic? Is it likely that some other traffic is being incorrectly identified as Skype?

I presume that on the 2811 in the other office, the relevant IP's need to be changed to suit the subnet there and that's pretty much it, it'll basically be the same config?

atrevidoConnect With a Mentor Commented:
Are you sure Skype is not installed on anyone's machines?  It is a P2P software so just one user will cause this.

Here are some excerpts from the Mitel 3300 Engineering guidelines regarding QoS and DSCP

LAN QoS policiesStarting in Release 8.0, the 3300 can apply different LAN QoS policies to voice packets,
signaling packets and other packets. Prior to Release 8.0 the 3300 applied the same LAN QoS
policies to all packets. The LAN Policy form in ESM is used for setting the LAN QoS policy values.
In a Cisco based environment the recommended settings are:
• Voice Packets: DSCP: 46, 802.1p:5
• Signaling Packets: DSCP: 26, 802.1p:3
• Other Packets: DSCP:0 802.1p:0

The DSCP value is programmed using DHCP server option (see “DHCP Option
Reclassification” on page 211). This is picked up by the IP phones. The Mitel values for DSCP
was previously fixed at 44 to allow backward compatibility with older TOS based routers.
However, today 46 is the expected value to be used. A DSCP value of 44 will still be directed
to a high priority queue, but 46 is handled in a more “Expedited” manner. It is recommended
that to provide for product at different levels routers (default gateways) map DSCP44 to
DSCP46. The alternative is to map DSCP44 to the EF queue, but then this needs to be
programmed in all routers. Note that the DSCP value can still be programmed to 44 to maintain
backward compatibility or left blank and the IP phones will use their default DSCP value. 53XX
series IP phones use a default DSCP value of 46, while the older IP sets use a default DSCP
value of 44. An example of programming needed for a router is given in the appendix (see
page 270 and page 273).

ANd here is page 270
Router1(config)# class-map match-all
Router1(config-cmap)# match ip dscp ef [Matches the DSCP value of 46]
Router1(config)# policy-map
Router1(config-pmap)# class
[Matches the class map looking for DSCP 46]
Router1(config-pmap-c)# set cos 6 [set the 802.1p bit to 6 if DSCP = 46]

No "priority" statement has been set in this Policy Map. This is because the Fast Ethernet
outbound queue is assumed not to be congested due to the ingress traffic coming from theserial interface being much lower than 100Mbps of the Fast Ethernet interface. If the Fast
Ethernet is congested for other traffic reasons then a "priority" statement will be required on
the Fast Ethernet sub-interface Policy Map as well.

Hope that helps
Lee OsborneAuthor Commented:
Thanks @atrevido, that looks like some good information. I'm happy that it includes notes about DSCP46 too.

Yep, I'm definitely sure Skype isn't running. Our users don't have permission to install software, and all machines are built from the same image. The amount of traffic that is being reported by NBAR is like a user spending all day on a video call, which would also be very much noticed by managers in the office!

The only (remote) possibility is that someone has their own laptop or something that they have plugged in. But the amount of traffic is still too much for it to not be noticed that they weren't actually working. Do you know of anything that would make the router think it's Skype traffic when it actually isn't?

Well, couple things,
First, I think it would be good if you upgraded your router to the latest IOS as NBAR gets smarter and has more of a database with each release.

And I was thinnking how does NBAR really know that is Skype.  I'm not a Skype expert but my understanding is that it pretty much uses any port it can get out on and quite often uses 443, 80.  These are the NBAR supported IOS for Skype
Skype 3.0
Skype 3.5
Skype 4.0
 Not supported

I also read this:
Windows Media Player uses port 7007 to connect an encoder app to a remote server. Default port 7007 facilitates the data traffic between an encoder file and the server during file conversion.Port 7007 is also the default port used by Skype Session Manager to allow a Skype user to initiate a chat or call session after the handshake on port 7007. The port is always bound to an IP address on the client computer for recognition from the server.Port 7007 is bound to the URL When an individual accesses the Web-based games on the URL, the browser automatically binds port 7007 for secure login process.Port 7007 is commonly used by the W32.Spybot.Gen3 malware infection. This Trojan/worm looks for an Internet connection on the infected machine and proceeds to connect to the server "" via port 7007.
Lee OsborneAuthor Commented:
I think the latest IOS for our router is currently v15 (they skipped 13 and 14!), so I may have to consider that.

You're correct about Skype, it uses a dynamic port each time it loads and uses uPNP. But, if it can't connect using it's dynamic port, it falls back to 443 and/or 80. I think our proxy server would see this traffic as it should use the proxy server settings from IE. Also, our firewall would probably be unhappy about something going out of a dynamic port. I'll have to check those out later today when I can see the active 'Skype' NBAR figures. I'll also see if there is anything on the firewall about a client on port 7007 too. As you mention though, how does it know it's Skype?! I can only imagine it would know this if the traffic was tagged by Skype somehow, but I can't really see that happening. I may have a look to see if Skype recommend any kind of QoS configs in case it does.

It's a bit of a mystery really, I could do with knowing what this traffic is!

Thanks for your help so far...

What about the original question regarding QoS?  Did my suggestion help??
Lee OsborneAuthor Commented:
@ged125 - I'm quite sure that this will help, I'm just waiting for a maintenance window whereby I can upload new configs to the router.

I'll be sure to let you know once this is applied!

Thanks - Lee.
Lee OsborneAuthor Commented:
Thanks @ged125, the QoS suggestion seems to have helped.

Thanks @atrevido, the extra information helped regarding Skype and NBAR, but I'm still seeing the Skype NBAR traffic. I think it's something I'll have to go a lot further into.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.