needsy

Problem with Cisco IP SLA ICMP traffic and policing?

Hi All,
 
I have a customer router (1801) on which I am running a 2meg Ethernet LL to the web connected to fa0 and also an ADSL for backup on ATM0 Dialer1. I am planning to use IP SLA in conjunction with floating static routes to provide ADSL failover. This all works perfectly in my lab. However, I have found that when the Fa0 leased line becomes congested the IP SLA ICMPs are being dropped (my customer uses FTP a lot). This causes the router to think the leased line is down and fail over to ADSL. I have tried raising the tracker delay, which helps a bit. What I really need to do is use policing and LLQ to prioritise the ICMP and some SIP trunks the customer is also using.
 
 
The following addresses are the customer's SIP provider.
 
88.215.60.0/24
88.215.61.0/24
88.215.62.0/24
88.215.63.0/24
88.215.64.0/24
 
The customer's PABX is behind NAT on 172.16.16.200 connected to a L3 switch.
 
Below is an overview of what I am doing, FYI. I have deleted a few parts of the config for security/clarity purposes. For some reason the IP SLA ICMP traffic is not being marked as DSCP EF? When I issue a "show policy-map interface fastEthernet0" I don't see any marked traffic from the SLA? Also, will the policers work correctly, as I still seem to get poor quality voice even though I am allowing bandwidth for SIP over the 2meg LL?
 
Thanks very much for any help!
 
Matt
 
 
!
track 1 ip sla 1 reachability
!
track 2 ip sla 2 reachability
!
!
track 123 list threshold percentage
object 1
object 2
threshold percentage up 50
delay down 122
!
!
ip sla 1
icmp-echo 8.8.8.8 source-interface FastEthernet0
tos 184
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 81.17.72.70 source-interface FastEthernet0
tos 184
!
!
class-map match-any datadevices
match access-group 198
class-map match-any voice
match access-group 110
match protocol sip
match protocol icmp
match  dscp ef
!
!
policy-map limit-WWW-not-icmp-or-SIP
class datadevices
   police cir 1500000
     conform-action transmit
     exceed-action drop
policy-map priority-voip-and-icmp
class voice
    priority 256
class datadevices
   police cir 1500000
     conform-action transmit
     exceed-action drop
class class-default
    fair-queue
!
!
!
interface Vlan1
ip address 192.168.1.253 255.255.255.0
ip nbar protocol-discovery
ip nat inside
ip inspect firewall out
ip virtual-reassembly
!
!
!
interface FastEthernet0
bandwidth 2000
ip address X.X.X.X 255.255.255.252
ip nbar protocol-discovery
ip nat outside
ip inspect sip in
ip inspect firewall out
ip virtual-reassembly
duplex auto
speed auto
service-policy input limit-WWW-not-icmp-or-SIP
service-policy output priority-voip-and-icmp
!
!
!
!
ip nat inside source route-map ISP1-map interface FastEthernet0 overload
ip nat inside source static 172.16.16.200 X.X.X.X route-map NAT1 reversible
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0 track 123
ip route 0.0.0.0 0.0.0.0 dialer1 200
 
ip route 8.8.8.8 255.255.255.255 X.X.X.Y
ip route 81.17.72.70 255.255.255.255 X.X.X.Y
ip route 172.16.16.0 255.255.255.0 192.168.1.254
 
!
ip access-list extended ACL-A
permit udp any host X.X.X.X eq 5060
!
access-list 110 permit ip any any dscp ef
access-list 110 permit ip any any precedence critical
access-list 110 permit ip host 172.16.16.200 any
!
access-list 198 deny   icmp any any
access-list 198 deny   ip 88.215.61.0 0.0.0.255 any
access-list 198 deny   ip 88.215.62.0 0.0.0.255 any
access-list 198 deny   ip 88.215.63.0 0.0.0.255 any
access-list 198 deny   ip 88.215.64.0 0.0.0.255 any
access-list 198 deny   ip 88.215.60.0 0.0.0.255 any
access-list 198 deny   ip any 88.215.60.0 0.0.0.255
access-list 198 deny   ip any 88.215.64.0 0.0.0.255
access-list 198 deny   ip any 88.215.63.0 0.0.0.255
access-list 198 deny   ip any 88.215.62.0 0.0.0.255
access-list 198 deny   ip any 88.215.61.0 0.0.0.255
access-list 198 permit ip any any
access-list 198 permit esp any any
access-list 198 permit gre any any
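
How IOS reads ACL 198 from the question, as an added example that is not part of the original post: a first-match evaluator run over constructed sample packets, plus a check for entries that an earlier line fully covers. It assumes contiguous wildcard masks and ignores ports and DSCP keywords; the function names and the sample addresses are hypothetical.

```python
import ipaddress
# ACL 198 exactly as posted in the question (used by class-map "datadevices").
ACL_198 = """\
access-list 198 deny   icmp any any
access-list 198 deny   ip 88.215.61.0 0.0.0.255 any
access-list 198 deny   ip 88.215.62.0 0.0.0.255 any
access-list 198 deny   ip 88.215.63.0 0.0.0.255 any
access-list 198 deny   ip 88.215.64.0 0.0.0.255 any
access-list 198 deny   ip 88.215.60.0 0.0.0.255 any
access-list 198 deny   ip any 88.215.60.0 0.0.0.255
access-list 198 deny   ip any 88.215.64.0 0.0.0.255
access-list 198 deny   ip any 88.215.63.0 0.0.0.255
access-list 198 deny   ip any 88.215.62.0 0.0.0.255
access-list 198 deny   ip any 88.215.61.0 0.0.0.255
access-list 198 permit ip any any
access-list 198 permit esp any any
access-list 198 permit gre any any
"""
ANY = ipaddress.ip_network("0.0.0.0/0")

def _net(tok):
    # Consume one address spec: "any" or "A.B.C.D wildcard" (contiguous only).
    first = tok.pop(0)
    return ANY if first == "any" else ipaddress.ip_network(first + "/" + tok.pop(0))

def parse(text):
    rules = []
    for line in text.splitlines():
        tok = line.split()[2:]                      # drop "access-list 198"
        rules.append((tok.pop(0), tok.pop(0), _net(tok), _net(tok), line))
    return rules

def first_match(rules, proto, src, dst):
    # Top-down, stop at first hit. In a class-map, "deny" means "not this class".
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, (action, p, snet, dnet, _) in enumerate(rules, 1):
        if p in ("ip", proto) and s in snet and d in dnet:
            return n, action
    return None, "deny"                             # implicit deny

def shadowed(rules):
    # Entries fully covered by an earlier entry can never be reached.
    return [line for i, (_, p, s, d, line) in enumerate(rules)
            if any(ep in ("ip", p) and s.subnet_of(es) and d.subnet_of(ed)
                   for _, ep, es, ed, _ in rules[:i])]

RULES = parse(ACL_198)
if __name__ == "__main__":
    print(first_match(RULES, "icmp", "192.0.2.10", "8.8.8.8"), shadowed(RULES))
```

Run against the posted ACL, ICMP and traffic to or from the SIP ranges hit a deny and so fall outside datadevices and its policer, while the esp and gre lines sit behind permit ip any any and are never evaluated.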
 
gmooney7

You might just use traffic shaping on your fa/0 interface, and create an access list specifying ftp, www, and other services that clog the pipe. This will keep your queues from filling up as much, since ftp and www will eat every bit of bandwidth you give them.

http://www.cisco.com/en/US/docs/ios/12_0/qos/configuration/guide/qcgts.html#wp5530

I use traffic shaping on my cisco at home for gaming, and it works like a charm for latency sensitive applications.  Very simple to configure.  This way you also don't need to worry about your traffic being marked and recognized properly by other devices.

Look at the section detailing generic traffic shaping. Good luck.
needsy

ASKER

Hi gmooney7,

Thanks for your input.

I spent some time last night thinking about this issue. I came up with the following after some extra reading. I guess I could use shaping on fa0 egress? Do you know if there is a big advantage with shaping over LLQ and fair-queue as a class default?

I also need to rate-limit on fa0 ingress to stop SIP users being swamped.
 
class-map match-any Voice-ICMP
match access-group 198
match protocol icmp
!
!
policy-map WAN-OUT
class Voice-ICMP
  set dscp ef
  priority 320
class class-default
  fair-queue
!
policy-map WAN-IN
class Voice-ICMP
  set dscp ef
class class-default
   police 1536000 288000 576000 conform-action transmit exceed-action drop
!
interface Fastethernet0
bandwidth 2000
service-policy input WAN-IN
service-policy output WAN-OUT
!
access-list 198 permit icmp any any
access-list 198 permit ip 88.215.61.0 0.0.0.255 any
access-list 198 permit ip 88.215.62.0 0.0.0.255 any
access-list 198 permit ip 88.215.63.0 0.0.0.255 any
access-list 198 permit ip 88.215.64.0 0.0.0.255 any
access-list 198 permit ip 88.215.60.0 0.0.0.255 any
access-list 198 permit ip any 88.215.60.0 0.0.0.255
access-list 198 permit ip any 88.215.64.0 0.0.0.255
access-list 198 permit ip any 88.215.63.0 0.0.0.255
access-list 198 permit ip any 88.215.62.0 0.0.0.255
access-list 198 permit ip any 88.215.61.0 0.0.0.255

Thanks

Matt
needsy

ASKER

Also, on another note, I still don't understand why my SLA ICMPs aren't being seen by QoS MQC? Maybe a bug or something? Anyone got any ideas?

Thanks
ASKER CERTIFIED SOLUTION
gmooney7

Here is a good article on traffic shaping as well.  I was wrong about traffic shaping "not" dropping packets...it will if the bit bucket gets too full and can't keep up.

http://www.informit.com/library/content.aspx?b=CCIE_Practical_Studies_II&seqNum=65&rll=1
needsy

ASKER

Great, thanks for your help with this. A nice link.

Matt