VLAN - QOS issue?

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

I have an issue with some QOS with a VPN and local internet access.....
I have attached the network diagram and the config of the branch router is below...
View attachment 2497

What i am trying to achieve is to limit the internet access on vlan 2 on the branch side so the VPN traffic (voice traffic) does not get a delay when the internet is being thrashed by the engineers on vlan 2... I know this is not the ideal solution by any means but is what i have to work with!

I have applied the policy to the dialer interface but it does not seem to be taking affect....? if anyone has any ideas, it would be very much apreciated!!

Config of the branch router....


hostname XX_VOICE_INTERNET
!
ip dhcp excluded-address 172.16.1.250 172.16.1.254
!
ip dhcp pool INTERNET
network 172.16.1.0 255.255.255.0
default-router 172.16.1.254
dns-server 8.8.8.8 8.8.4.4
!
!
ip cef
ip inspect name DIALER_OUT cuseeme
ip inspect name DIALER_OUT ftp
ip inspect name DIALER_OUT h323
ip inspect name DIALER_OUT icmp
ip inspect name DIALER_OUT netshow
ip inspect name DIALER_OUT rcmd
ip inspect name DIALER_OUT realaudio
ip inspect name DIALER_OUT rtsp
ip inspect name DIALER_OUT esmtp
ip inspect name DIALER_OUT sqlnet
ip inspect name DIALER_OUT streamworks
ip inspect name DIALER_OUT tftp
ip inspect name DIALER_OUT tcp router-traffic
ip inspect name DIALER_OUT udp router-traffic timeout 300
ip inspect name DIALER_OUT vdolive
ip inspect name DIALER_OUT dns
ip inspect name VOICE h323
ip inspect name VOICE rtsp
!
!
username admin privilege 15 password admin
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key password address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set T1 esp-3des esp-sha-hmac
!
crypto ipsec profile P1
set transform-set T1
!
!
archive
log config
hidekeys
!
!
!
class-map match-any VPN_VOICE
match protocol ipsec
match protocol rtp
match protocol rtcp
!
!
policy-map QOSPOLICY
class VPN_VOICE
police rate percent 65 peak-rate percent 65
conform-action transmit
exceed-action set-qos-transmit 4
violate-action drop
class class-default
police rate percent 35 peak-rate percent 35
conform-action transmit
exceed-action set-qos-transmit 4
violate-action drop!
!
!
!
interface Tunnel0
description VPN_TO_XX
ip address 192.168.10.2 255.255.255.252
delay 100
tunnel source Dialer1
tunnel destination x.x.x.x
tunnel mode ipsec ipv4
tunnel protection ipsec profile P1
tunnel bandwidth transmit 448
tunnel bandwidth receive 1952
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode itu-dmt
!
interface FastEthernet0
description YY_SUBNET
!
interface FastEthernet1
description VOICELINK
switchport access vlan 3
!
interface FastEthernet2
description INTERNET
switchport access vlan 2
!
interface FastEthernet3
description INTERNET2
switchport access vlan 2
!
interface Vlan1
ip address 10.2.1.253 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan2
ip address 172.16.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan3
ip address 192.168.201.1 255.255.255.0
ip flow ingress
ip nat inside
ip inspect VOICE in
ip virtual-reassembly
!
interface Dialer1
description ISP
bandwidth 448
ip address negotiated
ip nbar protocol-discovery
ip nat outside
ip inspect DIALER_OUT out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xx@yyy
ppp chap password 7 xxyyxx
ppp pap sent-username xx@yyy password 7 xxyyxx
service-policy output QOSPOLICY
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.1.1.0 255.255.255.0 Tunnel0
ip route 192.168.200.0 255.255.255.0 Tunnel0
!
no ip http server
no ip http secure-server
ip nat inside source list NAT interface Dialer1 overload
!
ip access-list standard NAT
permit 10.0.0.0 0.255.255.255
permit 172.16.1.0 0.0.0.255

!
dialer-list 1 protocol ip permit


I have removed some stuff from the config which is not relevant. but if any one can look at the class maps/policys and let me know if i have gone wrong anywhere?

Cheers
Jon

 

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

What are you seeing/not seeing? is it matching where you expect or not matchin the protocols you expect?

show policy map int dialer1

 

I'm possibly well off, but wouldn't this do for your policy:

class-map match-any VPNVOICE
match protocol ipsec

policy-map QoS_Policy
class VPNVOICE
priority percent 65
class class-default
fair-queue


then apply to the dialer interface. You should only need to match ipsec protocol since all voice traffic will be encrypted. Then this is offered 65% of available bandwidth, with everything else falling into the default queue and being dropped if there isn't sufficient bandwidth.

 

Dialer1

Service-policy output: QOSPOLICY

Class-map: VPN_VOICE (match-any)
1067970 packets, 124620706 bytes
5 minute offered rate 4000 bps, drop rate 0 bps
Match: protocol ipsec
1063523 packets, 124339432 bytes
5 minute rate 4000 bps
Match: protocol rtp
4427 packets, 279418 bytes
5 minute rate 0 bps
Match: protocol rtcp
21 packets, 1856 bytes
5 minute rate 0 bps
police:
rate 65 %
rate 291000 bps, burst 9093 bytes
peak-rate 65 %
peak-rate 291000 bps, peak-burst 9093 bytes
conformed 986936 packets, 116920976 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
set-qos-transmit 4
violated 0 packets, 0 bytes; actions:
drop
conformed 0 bps, exceed 0 bps, violate 0 bps

Class-map: class-default (match-any)
578241 packets, 97834588 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
police:
rate 35 %
rate 156500 bps, burst 4890 bytes
peak-rate 35 %
peak-rate 156500 bps, peak-burst 4890 bytes
conformed 464163 packets, 27489281 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
set-qos-transmit 4
violated 757 packets, 773601 bytes; actions:
drop
conformed 0 bps, exceed 0 bps, violate 0 bps



It does show the policy as working but the problem is that when the engineers download large files etc it will thrash the link and the voice quality drops out....? this is why i set it to police as i thought this would limit the amount they could use rather than QOS it when there is a bottleneck!?

Thoughts?

 

Yes this would work, to be fair i need to tidy up the config a little as some of the class map entries are remnants of my previous attempts to sort this out.

I thought I read somewhere ages ago that applying it to the dialer interface doesnt work correctly and every example i look at on the web seems to show an ATM sub interface configured for the DSL access rather than using dialers.

 

Is voice quality poor in both directions? As you can see there have only been 757 packets dropped from the defaul queue and nothing dropped from the voice queue...

If voice quality is still poor i would expect it only to be on the recieve side, where there isn't any QoS.

 

This is a QoS policy we deployed for RDP traffic on an 877

ip access-list extended RDPTraffic remark ##### QoS For Site To Site RDP #####
permit tcp any any eq 3389

class-map RDP
match access-group RDPTraffic

policy-map RDPPriority
class RDP
priority percent 50

interface Dialer0
service-policy output RDPPriority

crypto map headoffice 10
qos pre-classify

 

Sorry, i meant the voice quality is poor in the way that you get delay and jitter rather than missing packets so i presumed (maybe incorrectly?) that the bottleneck on the branch router was the problem especialy as when the engineers thrash the connection i can see the dialer interface reach 200+ load on the interface counters...

The other side has plenty of bandwidth and is dedicated for this link, it has no other hosts using its internet connection.

i know that ultimately this is going over an ADSL connection which is silly but generally it is pretty stable unless the engineers download a huge amount!

 

What i mean is that policy map only shows you there are no drops in the output queue. Which end of the call is reporing the clal to be poor quality? One side? or Both? If the branch end is saturating it's downstream bandwidth (the engineers downloads), it doesn't matter how much bandwidth you have at the main site as it's the local ADSL which is saturated.

This is why it is key to know the direction of the poor quality. I'd say with your current QoS policy, transmitted voice should be fine. But recieve will still be contending with the engineers downloads.

 

Craigie thanks for that, the more examples i see the more stuff falls in place!

i presume that the QOS pre classify marks the packets before encapsulation..... DIDNT KNOW THAT! Thanks!

 

This is correct, they can hear us but we have problems with the quality coming to us at the branch..

 

The QoS pre-classify is not applicable in this scenario as you are not queueing using DSCP markings, also they won't be honoured by the upstream routers as it goes over the internet.

You'll need to figure out how to limit the download speed of the engineering guys, while not limiting the voice traffic. Currently you have the policy map applied outbound.....does IOS allow you to add a separete policy inbound? If not there will be another way to do it for sure.

 

CLICK!!!!!

It has just clicked.... the QOS is applied outbound which obviously does not apply to the inbound traffic, as the configuaration "service policy outbound" suggests... lol!

How daft am i being!!! Daniel you are a star in just pointing out what a numpty i am being! i have been looking at the wrong direction! lol

I will take a look at the inbound, i know you cannot apply a service policy inbound on a dialer interace (you can do it but i dont belive it works!!)

I will post back when i have a fully fledged, over complicated discontiguous plan in place!

Thanks again D08 (and Craigie)
Jon

 

Haha glad it has now clicked

Maybe look at applying a policy to the ethernet interface which connects the engineering dept - OUTBOUND. This may end up being a bit inefficient as there wouldn't be a way to control dynamically allowing them to use all available bandwidth when there are no voice calls, and throttlign back when there are. There's plenty different methods you could use here i think, just about picking which one fits best.

Good Luck