• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1393

Problem with Cisco IP SLA ICMP traffic and policing?

Hi All,
 
I have a customer router (1801) on which I am running a 2 Meg Ethernet LL to the web connected to Fa0, and also an ADSL for backup on ATM0 Dialer1. I am planning to use IP SLA in conjunction with floating static routes to provide ADSL failover. This all works perfectly in my lab. However, I have found that when the Fa0 leased line becomes congested the IP SLA ICMPs are being dropped (my customer uses FTP a lot). This causes the router to think the leased line is down and fail over to ADSL. I have tried raising the tracker delay, which helps a bit. What I really need to do is use policing and LLQ to prioritise the ICMP and some SIP trunks the customer is also using.
 
 
The following addresses are the customer's SIP provider.
 
88.215.60.0/24
88.215.61.0/24
88.215.62.0/24
88.215.63.0/24
88.215.64.0/24
 
The customer's PABX is behind NAT on 172.16.16.200, connected to a L3 switch.
 
Below is an overview of what I am doing, FYI. I have deleted a few parts of the config for security/clarity purposes. For some reason the IP SLA ICMP traffic is not being marked as DSCP EF? When I issue a "show policy-map interface fastEthernet0" I don't see any marked traffic from the SLA. Also, will the policers work correctly, as I still seem to get poor quality voice even though I am allowing bandwidth for SIP over the 2 Meg LL?
 
Thanks very much for any help!
 
Matt
 
 
!
track 1 ip sla 1 reachability
!
track 2 ip sla 2 reachability
!
!
track 123 list threshold percentage
object 1
object 2
threshold percentage up 50
delay down 122
!
!
ip sla 1
icmp-echo 8.8.8.8 source-interface FastEthernet0
tos 184
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 81.17.72.70 source-interface FastEthernet0
tos 184
!
!
class-map match-any datadevices
match access-group 198
class-map match-any voice
match access-group 110
match protocol sip
match protocol icmp
match  dscp ef
!
!
policy-map limit-WWW-not-icmp-or-SIP
class datadevices
   police cir 1500000
     conform-action transmit
     exceed-action drop
policy-map priority-voip-and-icmp
class voice
    priority 256
class datadevices
   police cir 1500000
     conform-action transmit
     exceed-action drop
class class-default
    fair-queue
!
!
!
interface Vlan1
ip address 192.168.1.253 255.255.255.0
ip nbar protocol-discovery
ip nat inside
ip inspect firewall out
ip virtual-reassembly
!
!
!
interface FastEthernet0
bandwidth 2000
ip address X.X.X.X 255.255.255.252
ip nbar protocol-discovery
ip nat outside
ip inspect sip in
ip inspect firewall out
ip virtual-reassembly
duplex auto
speed auto
service-policy input limit-WWW-not-icmp-or-SIP
service-policy output priority-voip-and-icmp
!
!
!
!
ip nat inside source route-map ISP1-map interface FastEthernet0 overload
ip nat inside source static 172.16.16.200 X.X.X.X route-map NAT1 reversible
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0 track 123
ip route 0.0.0.0 0.0.0.0 dialer1 200
 
ip route 8.8.8.8 255.255.255.255 X.X.X.Y
ip route 81.17.72.70 255.255.255.255 X.X.X.Y
ip route 172.16.16.0 255.255.255.0 192.168.1.254
 
!
ip access-list extended ACL-A
permit udp any host X.X.X.X eq 5060
!
access-list 110 permit ip any any dscp ef
access-list 110 permit ip any any precedence critical
access-list 110 permit ip host 172.16.16.200 any
!
access-list 198 deny   icmp any any
access-list 198 deny   ip 88.215.61.0 0.0.0.255 any
access-list 198 deny   ip 88.215.62.0 0.0.0.255 any
access-list 198 deny   ip 88.215.63.0 0.0.0.255 any
access-list 198 deny   ip 88.215.64.0 0.0.0.255 any
access-list 198 deny   ip 88.215.60.0 0.0.0.255 any
access-list 198 deny   ip any 88.215.60.0 0.0.0.255
access-list 198 deny   ip any 88.215.64.0 0.0.0.255
access-list 198 deny   ip any 88.215.63.0 0.0.0.255
access-list 198 deny   ip any 88.215.62.0 0.0.0.255
access-list 198 deny   ip any 88.215.61.0 0.0.0.255
access-list 198 permit ip any any
access-list 198 permit esp any any
access-list 198 permit gre any any
 
Asked: needsy
1 Solution
 
gmooney7 commented:
You might just use traffic shaping on your fa/0 interface, create an access list specifying ftp, www, and other services that clog the pipe.  This will keep your queues from filling up as much, since ftp and www will eat every bit of bandwidth you give it.

http://www.cisco.com/en/US/docs/ios/12_0/qos/configuration/guide/qcgts.html#wp5530

I use traffic shaping on my cisco at home for gaming, and it works like a charm for latency sensitive applications.  Very simple to configure.  This way you also don't need to worry about your traffic being marked and recognized properly by other devices.

Look at the section detailing generic traffic shaping. Good luck.
 
needsy (Author) commented:
Hi gmooney7,

Thanks for your input.

I spent some time last night thinking about this issue. I came up with the following after some extra reading. I guess I could use shaping on Fa0 egress? Do you know if there is a big advantage with shaping over LLQ and fair-queue as a class default?

I also need to rate-limit on fa0 ingress to stop SIP users being swamped.
 
class-map match-any Voice-ICMP
match access-group 198
match protocol icmp
!
!
policy-map WAN-OUT
class Voice-ICMP
  set dscp ef
  priority 320
class class-default
  fair-queue
!
policy-map WAN-IN
class Voice-ICMP
  set dscp ef
class class-default
   police 1536000 288000 576000 conform-action transmit exceed-action drop
!
interface Fastethernet0
bandwidth 2000
service-policy input WAN-IN
service-policy output WAN-OUT
!
access-list 198 permit icmp any any
access-list 198 permit ip 88.215.61.0 0.0.0.255 any
access-list 198 permit ip 88.215.62.0 0.0.0.255 any
access-list 198 permit ip 88.215.63.0 0.0.0.255 any
access-list 198 permit ip 88.215.64.0 0.0.0.255 any
access-list 198 permit ip 88.215.60.0 0.0.0.255 any
access-list 198 permit ip any 88.215.60.0 0.0.0.255
access-list 198 permit ip any 88.215.64.0 0.0.0.255
access-list 198 permit ip any 88.215.63.0 0.0.0.255
access-list 198 permit ip any 88.215.62.0 0.0.0.255
access-list 198 permit ip any 88.215.61.0 0.0.0.255

Thanks

Matt
 
needsy (Author) commented:
Also, on another note: I still don't understand why my SLA ICMPs aren't being seen by QoS MQC? Maybe a bug or something? Anyone got any ideas?

Thanks
 
gmooney7 commented:
The thing with shaping is that it delays packets, instead of dropping them. Queuing drops packets, and tcp traffic will respond better to delays than packet drops.

Shaping also applies to outbound traffic, so you need to apply the traffic shape to both your inside and outside interfaces to control traffic.  Here is an example acl for port 80 traffic

access-list 150 permit tcp any eq 80 any
access-list 150 permit tcp any any eq 80

int fa 0/0
traffic-shape group 150 1000000

int ser 0/0/0
traffic-shape group 150 1000000

You can set your burst rate, etc after specifying bw in bps, but you can take the defaults.

So, this will limit www traffic to 1 Mb down and 1 Mb up. You would include additional lines in your ACL for more protocols, i.e. ftp, https, etc.

All other traffic can use the full bandwidth of the interfaces.   This will maintain low latency for your real time traffic when they decide to download/upload loads through ftp, http, etc.
 
gmooney7 commented:
Here is a good article on traffic shaping as well.  I was wrong about traffic shaping "not" dropping packets...it will if the bit bucket gets too full and can't keep up.

http://www.informit.com/library/content.aspx?b=CCIE_Practical_Studies_II&seqNum=65&rll=1
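The two comments above describe the difference between a policer (excess is dropped) and a shaper (excess is queued and delayed, and only tail-dropped once the queue fills). The following simulation is an added example, not code from the thread or from Cisco; it models both mechanisms as the same token bucket, using the CIR (1536000 bps) and Bc (288000 bytes) from needsy's proposed `police 1536000 288000 576000` line. The packet sizes, the 10 Mbps arrival rate of the burst and the 64-packet queue limit are constructed assumptions, chosen only to make the contrast visible.

```python
"""Token-bucket policer vs. shaper on a constructed burst.

Added example (not from the original thread): models the two mechanisms
discussed above with the CIR and Bc values from the thread's proposed
`police 1536000 288000 576000` line.  Packet sizes, arrival times and
the queue limit are constructed assumptions.
"""
from collections import deque

CIR_BPS = 1_536_000   # committed information rate, bits/s (from the thread)
BC_BYTES = 288_000    # committed burst size, bytes (from the thread)


def burst(n=500, size=1500, rate_bps=10_000_000):
    """Constructed input: n back-to-back packets arriving at rate_bps,
    i.e. an FTP transfer arriving faster than the 2 Meg line can carry."""
    gap = size * 8 / rate_bps
    return [(i * gap, size) for i in range(n)]


def police(packets, cir_bps=CIR_BPS, bc_bytes=BC_BYTES):
    """Single-rate two-colour policer (conform-action transmit, exceed-action drop).

    Tokens refill continuously at CIR and are capped at Bc; a packet that
    finds fewer tokens than its size is dropped, never delayed.
    """
    tokens, last = float(bc_bytes), 0.0
    sent = dropped = 0
    for t, size in packets:
        tokens = min(bc_bytes, tokens + (t - last) * cir_bps / 8)
        last = t
        if size <= tokens:
            tokens -= size
            sent += 1
        else:
            dropped += 1
    return {"transmitted": sent, "dropped": dropped}


def shape(packets, cir_bps=CIR_BPS, bc_bytes=BC_BYTES, queue_limit=None):
    """Shaper with the same bucket: a packet short of tokens waits in a FIFO
    until enough accrue, so it is delayed rather than dropped.  With a finite
    queue_limit, packets arriving while the FIFO is full are tail-dropped,
    which is the case the follow-up comment above corrects itself on.
    """
    tokens, clock = float(bc_bytes), 0.0   # tokens valid at time `clock`
    pending = deque()                       # send times of packets still queued
    sent = dropped = 0
    max_delay = 0.0
    for t, size in packets:
        while pending and pending[0] <= t:  # packets already put on the wire
            pending.popleft()
        if queue_limit is not None and len(pending) >= queue_limit:
            dropped += 1                    # queue full: tail drop
            continue
        start = max(t, clock)               # FIFO: cannot overtake earlier packets
        tokens = min(bc_bytes, tokens + (start - clock) * cir_bps / 8)
        if size <= tokens:
            send_at = start
            tokens -= size
        else:                               # wait until the bucket holds `size`
            send_at = start + (size - tokens) * 8 / cir_bps
            tokens = 0.0
        clock = send_at
        pending.append(send_at)
        sent += 1
        max_delay = max(max_delay, send_at - t)
    return {"transmitted": sent, "dropped": dropped, "max_delay_s": max_delay}


if __name__ == "__main__":
    pkts = burst()
    print("policer        :", police(pkts))
    print("shaper (no cap):", shape(pkts))
    print("shaper (cap 64):", shape(pkts, queue_limit=64))
```

Running it shows the policer discarding roughly half of the burst outright, the uncapped shaper delivering every packet but stretching the tail of the burst out by well over a second, and the capped shaper landing in between: fewer drops than the policer, bounded delay. That bounded delay is why a delay-tolerant flow such as FTP behaves better behind a shaper, and also why a latency-sensitive flow such as the SLA probes or SIP still needs its own priority class rather than sharing the shaped queue.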
 
needsy (Author) commented:
Great, thanks for your help with this. A nice link.

Matt
