Solved

Problem with Cisco IP SLA ICMP traffic and policing?

Posted on 2011-02-14
Last Modified: 2012-05-11
Hi All,
 
I have a customer router (1801) on which I am running a 2meg Ethernet LL to the web connected to fa0 and also an ADSL for backup on ATM0 Dialer1. I am planning to use IP SLA in conjunction with floating static routes to provide ADSL failover. This all works perfectly in my lab. However I have found that when the Fa0 leased line becomes congested the IP SLA ICMPs are being dropped (my customer uses FTP a lot). This causes the router to think the leased line is down and fails over to ADSL. I have tried raising the tracker delay which helps a bit. What I really need to do is use policing and LLQ to prioritise the ICMP and some SIP trunks the customer is also using.
 
 
The following addresses are the customer's SIP provider.
 
88.215.60.0/24
88.215.61.0/24
88.215.62.0/24
88.215.63.0/24
88.215.64.0/24
 
The customer's PABX is behind NAT on 172.16.16.200 connected to a L3 switch.
 
Below is an overview of what I am doing FYI. I have deleted a few parts of the config for security/clarity purposes. For some reason the IP SLA ICMP traffic is not being marked as DSCP EF? When I issue a "show policy-map interface fastEthernet0" I don't see any marked traffic from the SLA? Also, will the policers work correctly as I still seem to get poor quality voice even though I am allowing bandwidth for SIP over the 2meg LL?
 
Thanks very much for any help!
 
Matt
 
 
!
track 1 ip sla 1 reachability
!
track 2 ip sla 2 reachability
!
!
track 123 list threshold percentage
object 1
object 2
threshold percentage up 50
delay down 122
!
!
ip sla 1
icmp-echo 8.8.8.8 source-interface FastEthernet0
tos 184
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 81.17.72.70 source-interface FastEthernet0
tos 184
!
!
class-map match-any datadevices
match access-group 198
class-map match-any voice
match access-group 110
match protocol sip
match protocol icmp
match dscp ef
!
!
policy-map limit-WWW-not-icmp-or-SIP
class datadevices
   police cir 1500000
     conform-action transmit
     exceed-action drop
policy-map priority-voip-and-icmp
class voice
    priority 256
class datadevices
   police cir 1500000
     conform-action transmit
     exceed-action drop
class class-default
    fair-queue
!
!
!
interface Vlan1
ip address 192.168.1.253 255.255.255.0
ip nbar protocol-discovery
ip nat inside
ip inspect firewall out
ip virtual-reassembly
!
!
!
interface FastEthernet0
bandwidth 2000
ip address X.X.X.X 255.255.255.252
ip nbar protocol-discovery
ip nat outside
ip inspect sip in
ip inspect firewall out
ip virtual-reassembly
duplex auto
speed auto
service-policy input limit-WWW-not-icmp-or-SIP
service-policy output priority-voip-and-icmp
!
!
!
!
ip nat inside source route-map ISP1-map interface FastEthernet0 overload
ip nat inside source static 172.16.16.200 X.X.X.X route-map NAT1 reversible
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0 track 123
ip route 0.0.0.0 0.0.0.0 dialer1 200
 
ip route 8.8.8.8 255.255.255.255 X.X.X.Y
ip route 81.17.72.70 255.255.255.255 X.X.X.Y
ip route 172.16.16.0 255.255.255.0 192.168.1.254
 
!
ip access-list extended ACL-A
permit udp any host X.X.X.X eq 5060
!                                
access-list 110 permit ip any any dscp ef
access-list 110 permit ip any any precedence critical
access-list 110 permit ip host 172.16.16.200 any
!
access-list 198 deny   icmp any any
access-list 198 deny   ip 88.215.61.0 0.0.0.255 any
access-list 198 deny   ip 88.215.62.0 0.0.0.255 any
access-list 198 deny   ip 88.215.63.0 0.0.0.255 any
access-list 198 deny   ip 88.215.64.0 0.0.0.255 any
access-list 198 deny   ip 88.215.60.0 0.0.0.255 any
access-list 198 deny   ip any 88.215.60.0 0.0.0.255
access-list 198 deny   ip any 88.215.64.0 0.0.0.255
access-list 198 deny   ip any 88.215.63.0 0.0.0.255
access-list 198 deny   ip any 88.215.62.0 0.0.0.255
access-list 198 deny   ip any 88.215.61.0 0.0.0.255
access-list 198 permit ip any any
access-list 198 permit esp any any
access-list 198 permit gre any any
 
Question by: needsy
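To make the failover behaviour in the question concrete, here is an added simulation (not IOS code, and not from the original post) of the "track 123 list threshold percentage" object with its two IP SLA reachability members, "threshold percentage up 50" and "delay down 122". It models one tick as one second with one probe result per object; the real IP SLA frequency and timeout, and the list's down threshold (assumed to be just below the up threshold), are assumptions of the model, as are the constructed outage scenarios. It shows why a short congestion spike flaps the default route without damping, why "delay down 122" rides it out, and why losing only one of the two targets never brings the list down.

```python
"""Model of a Cisco-style 'track list threshold percentage' with 'delay down'.

Added example, not IOS code: a constructed simulation of how the track list in
the question (two IP SLA reachability objects, 'threshold percentage up 50',
'delay down 122') reacts when congestion drops the ICMP probes. One tick is
one second and one probe result per object; the real IP SLA frequency,
timeout and the list's down threshold are assumptions noted below.
"""
from typing import List, Optional, Tuple


class TrackList:
    """Percentage-threshold track list with a damped down transition."""

    def __init__(self, up_threshold: int = 50, down_threshold: int = 49,
                 delay_down: int = 0) -> None:
        self.up_threshold = up_threshold      # 'threshold percentage up 50'
        self.down_threshold = down_threshold  # assumption: list is down at or below this
        self.delay_down = delay_down          # 'delay down 122' (seconds)
        self.state_up = True
        self.pending_down_since: Optional[int] = None
        self.transitions: List[Tuple[int, str]] = []

    def tick(self, t: int, objects: List[bool]) -> bool:
        """Feed one probe cycle (True = echo answered); return the damped state."""
        pct_up = 100 * sum(objects) // len(objects)
        if pct_up >= self.up_threshold:
            # Enough objects answered: cancel any pending down transition and,
            # if the list was down, bring it back up immediately (no delay up).
            self.pending_down_since = None
            if not self.state_up:
                self.state_up = True
                self.transitions.append((t, "up"))
        elif pct_up <= self.down_threshold and self.state_up:
            # Below threshold: start (or continue) the 'delay down' timer and
            # only withdraw the route once it has run uninterrupted.
            if self.pending_down_since is None:
                self.pending_down_since = t
            if t - self.pending_down_since >= self.delay_down:
                self.state_up = False
                self.pending_down_since = None
                self.transitions.append((t, "down"))
        return self.state_up


def simulate_outage(outage_seconds: int, delay_down: int,
                    lost_objects: int = 2, start: int = 10,
                    total: int = 300) -> List[Tuple[int, str]]:
    """Constructed scenario: probes to `lost_objects` of the two targets are
    lost for `outage_seconds` starting at `start`; everything else answers.
    Returns the (time, state) transitions, i.e. when the floating static
    route would take over and when the primary route would come back."""
    tl = TrackList(delay_down=delay_down)
    for t in range(total):
        congested = start <= t < start + outage_seconds
        objects = [not (congested and i < lost_objects) for i in range(2)]
        tl.tick(t, objects)
    return tl.transitions


if __name__ == "__main__":
    # 60 s of lost probes: no damping fails over at once, 'delay down 122' does not.
    print(simulate_outage(60, delay_down=0))     # [(10, 'down'), (70, 'up')]
    print(simulate_outage(60, delay_down=122))   # []
    # A 150 s loss still fails over, 122 s after the probes started failing.
    print(simulate_outage(150, delay_down=122))  # [(132, 'down'), (160, 'up')]
    # Losing only one of the two targets keeps the list at 50 %, i.e. up.
    print(simulate_outage(150, delay_down=0, lost_objects=1))  # []
```

The damping only buys time: a congestion episode longer than the delay still withdraws the route, which is why the thread moves on to giving the probe traffic (and SIP) priority rather than just waiting longer.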
 
Expert Comment by: gmooney7 (LVL 4), ID: 34890816
You might just use traffic shaping on your fa/0 interface, create an access list specifying ftp, www, and other services that clog the pipe.  This will keep your queues from filling up as much, since ftp and www will eat every bit of bandwidth you give it.

http://www.cisco.com/en/US/docs/ios/12_0/qos/configuration/guide/qcgts.html#wp5530

I use traffic shaping on my cisco at home for gaming, and it works like a charm for latency sensitive applications.  Very simple to configure.  This way you also don't need to worry about your traffic being marked and recognized properly by other devices.

Look at the section detailing generic traffic shaping.  good luck.
 
Author Comment by: needsy (LVL 1), ID: 34895512
Hi gmooney7,

Thanks for your input.

I spent some time last night thinking about this issue. I came up with the following after some extra reading. I guess I could use shaping on fa0 egress? Do you know if there is a big advantage with shaping over LLQ and fair-queue as a class default?

I also need to rate-limit on fa0 ingress to stop SIP users being swamped.
 
class-map match-any Voice-ICMP
match access-group 198
match protocol icmp
!
!
policy-map WAN-OUT
class Voice-ICMP
  set dscp ef
  priority 320
class class-default
  fair-queue
!
policy-map WAN-IN
class Voice-ICMP
  set dscp ef
class class-default
   police 1536000 288000 576000 conform-action transmit exceed-action drop
!
interface Fastethernet0
bandwidth 2000
service-policy input WAN-IN
service-policy output WAN-OUT
!
access-list 198 permit icmp any any
access-list 198 permit ip 88.215.61.0 0.0.0.255 any
access-list 198 permit ip 88.215.62.0 0.0.0.255 any
access-list 198 permit ip 88.215.63.0 0.0.0.255 any
access-list 198 permit ip 88.215.64.0 0.0.0.255 any
access-list 198 permit ip 88.215.60.0 0.0.0.255 any
access-list 198 permit ip any 88.215.60.0 0.0.0.255
access-list 198 permit ip any 88.215.64.0 0.0.0.255
access-list 198 permit ip any 88.215.63.0 0.0.0.255
access-list 198 permit ip any 88.215.62.0 0.0.0.255
access-list 198 permit ip any 88.215.61.0 0.0.0.255

Thanks

Matt
 
Author Comment by: needsy (LVL 1), ID: 34895528
Also on another note. I still don't understand why my SLA ICMPs aren't being seen by QoS MQC? Maybe a bug or something? Anyone got any ideas?

Thanks
 
Accepted Solution by: gmooney7 (LVL 4), earned 500 total points, ID: 34896840
The thing with shaping is that it delays packets, instead of dropping them. Queuing drops packets, and tcp traffic will respond better to delays than packet drops.

Shaping also applies to outbound traffic, so you need to apply the traffic shape to both your inside and outside interfaces to control traffic.  Here is an example acl for port 80 traffic

access-list 150 permit tcp any eq 80 any
access-list 150 permit tcp any any eq 80

int fa 0/0
traffic-shape group 150 1000000

int ser 0/0/0
traffic-shape group 150 1000000

You can set your burst rate, etc after specifying bw in bps, but you can take the defaults.

So, this will limit www traffic to 1mb down and 1mb up. You would include additional lines in your acl for more protocols, i.e. ftp, https, etc.

All other traffic can use the full bandwidth of the interfaces.   This will maintain low latency for your real time traffic when they decide to download/upload loads through ftp, http, etc.
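The difference between policing and shaping that the accepted solution describes (and the correction in the next comment, that a shaper also drops once its queue is full) is easiest to see on one burst of traffic. The following is an added simulation, not Cisco code and not from any participant in the thread: a single-rate, two-colour token bucket run once as a policer and once as a shaper. The rate and normal burst come from the "police 1536000 288000 576000" line in Matt's WAN-IN policy; the 300-packet FTP-style burst, the floored per-event refill, the two-colour (no Be) bucket and the shaper's packet-count queue limit are modelling assumptions.

```python
"""Token-bucket policer versus shaper on the same constructed traffic burst.

Added example, not Cisco code: a simplified model of the two mechanisms
discussed in the thread. Rate and normal burst are taken from the post's
'police 1536000 288000 ...' line; the burst itself, the single two-colour
bucket, the per-event floored refill and the shaper's packet-count queue
limit are modelling assumptions. Times are microseconds, tokens are bytes.
"""
from collections import deque
from typing import List, Tuple

Packet = Tuple[int, int]  # (arrival time in us, size in bytes)

CIR_BPS = 1_536_000   # 'police 1536000 ...' from the thread
BC_BYTES = 288_000    # normal burst from the same line
PACKET = 1500


def burst(count: int = 300, size: int = PACKET, gap_us: int = 1200) -> List[Packet]:
    """Constructed FTP-style burst: back-to-back 1500-byte packets arriving at
    10 Mbit/s (one every 1.2 ms), far above the 1.5 Mbit/s contract."""
    return [(i * gap_us, size) for i in range(count)]


def refill(elapsed_us: int, cir_bps: int) -> int:
    """Bytes of credit earned in elapsed_us at cir_bps (floored per event)."""
    return elapsed_us * cir_bps // 8_000_000


def police(packets: List[Packet], cir_bps: int = CIR_BPS,
           bc_bytes: int = BC_BYTES) -> Tuple[int, int]:
    """Single-rate two-colour policer: conform-action transmit, exceed-action
    drop. Returns (transmitted, dropped)."""
    tokens, t_last = bc_bytes, 0
    sent = dropped = 0
    for arr, size in packets:
        tokens = min(bc_bytes, tokens + refill(arr - t_last, cir_bps))
        t_last = arr
        if size <= tokens:
            tokens -= size
            sent += 1
        else:
            dropped += 1          # no queue: excess is simply discarded
    return sent, dropped


def shape(packets: List[Packet], cir_bps: int = CIR_BPS,
          bc_bytes: int = BC_BYTES, max_queue: int = 1000) -> Tuple[int, int, int]:
    """Token-bucket shaper: excess packets wait in a FIFO for credit instead
    of being dropped, but the FIFO holds at most max_queue packets.
    Returns (transmitted, dropped, worst-case queuing delay in us)."""
    tokens, t_last = bc_bytes, 0      # t_last = time of the previous release
    pending: deque = deque()          # release times of packets still queued
    sent = dropped = worst_delay = 0
    for arr, size in packets:
        while pending and pending[0] <= arr:   # already left the queue
            pending.popleft()
        if len(pending) >= max_queue:
            dropped += 1              # queue full: shaping drops too
            continue
        t = max(arr, t_last)          # FIFO: cannot leave before the previous packet
        tokens = min(bc_bytes, tokens + refill(t - t_last, cir_bps))
        if tokens < size:
            wait = -(-(size - tokens) * 8_000_000 // cir_bps)   # ceil division
            tokens = min(bc_bytes, tokens + refill(wait, cir_bps))
            t += wait
        tokens -= size
        t_last = t
        pending.append(t)
        sent += 1
        worst_delay = max(worst_delay, t - arr)
    return sent, dropped, worst_delay


if __name__ == "__main__":
    pkts = burst()
    print("policer  :", police(pkts))               # (237, 63)
    print("shaper   :", shape(pkts))                # (300, 0, 485458)
    print("shaper/32:", shape(pkts, max_queue=32))  # drops once the FIFO fills
```

On this burst the policer forwards 237 packets and discards 63, which is what makes TCP back off hard; the shaper with a deep queue delivers all 300 but the last one waits about 485 ms, and with a 32-packet queue it starts dropping as well. That queuing delay is also why latency-sensitive traffic such as the SLA probes and SIP needs its own priority class rather than sharing the shaped queue with the bulk transfers.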
 
Expert Comment by: gmooney7 (LVL 4), ID: 34897298
Here is a good article on traffic shaping as well.  I was wrong about traffic shaping "not" dropping packets...it will if the bit bucket gets too full and can't keep up.

http://www.informit.com/library/content.aspx?b=CCIE_Practical_Studies_II&seqNum=65&rll=1
 
Author Comment by: needsy (LVL 1), ID: 34907035
Great, thanks for your help with this. A nice link.

Matt