1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

VLAN - QOS issue?

Discussion in 'Routing & Switching' started by jonny7_2002, Sep 27, 2011.

  1. jonny7_2002

    jonny7_2002 Byte Poster

    191
    9
    37
    I have an issue with some QOS with a VPN and local internet access.....
    I have attached the network diagram and the config of the branch router is below...
    View attachment 2497

    What i am trying to achieve is to limit the internet access on vlan 2 on the branch side so the VPN traffic (voice traffic) does not get a delay when the internet is being thrashed by the engineers on vlan 2... I know this is not the ideal solution by any means but is what i have to work with! :(

    I have applied the policy to the dialer interface but it does not seem to be taking affect....? if anyone has any ideas, it would be very much apreciated!!

    Config of the branch router....


    hostname XX_VOICE_INTERNET
    !
    ip dhcp excluded-address 172.16.1.250 172.16.1.254
    !
    ip dhcp pool INTERNET
    network 172.16.1.0 255.255.255.0
    default-router 172.16.1.254
    dns-server 8.8.8.8 8.8.4.4
    !
    !
    ip cef
    ip inspect name DIALER_OUT cuseeme
    ip inspect name DIALER_OUT ftp
    ip inspect name DIALER_OUT h323
    ip inspect name DIALER_OUT icmp
    ip inspect name DIALER_OUT netshow
    ip inspect name DIALER_OUT rcmd
    ip inspect name DIALER_OUT realaudio
    ip inspect name DIALER_OUT rtsp
    ip inspect name DIALER_OUT esmtp
    ip inspect name DIALER_OUT sqlnet
    ip inspect name DIALER_OUT streamworks
    ip inspect name DIALER_OUT tftp
    ip inspect name DIALER_OUT tcp router-traffic
    ip inspect name DIALER_OUT udp router-traffic timeout 300
    ip inspect name DIALER_OUT vdolive
    ip inspect name DIALER_OUT dns
    ip inspect name VOICE h323
    ip inspect name VOICE rtsp
    !
    !
    username admin privilege 15 password admin
    !
    !
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key password address 0.0.0.0 0.0.0.0
    crypto isakmp keepalive 10 periodic
    !
    !
    crypto ipsec transform-set T1 esp-3des esp-sha-hmac
    !
    crypto ipsec profile P1
    set transform-set T1
    !
    !
    archive
    log config
    hidekeys
    !
    !
    !
    class-map match-any VPN_VOICE
    match protocol ipsec
    match protocol rtp
    match protocol rtcp
    !
    !
    policy-map QOSPOLICY
    class VPN_VOICE
    police rate percent 65 peak-rate percent 65
    conform-action transmit
    exceed-action set-qos-transmit 4
    violate-action drop
    class class-default
    police rate percent 35 peak-rate percent 35
    conform-action transmit
    exceed-action set-qos-transmit 4
    violate-action drop
    !
    !
    !
    !
    interface Tunnel0
    description VPN_TO_XX
    ip address 192.168.10.2 255.255.255.252
    delay 100
    tunnel source Dialer1
    tunnel destination x.x.x.x
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile P1
    tunnel bandwidth transmit 448
    tunnel bandwidth receive 1952
    !
    interface ATM0
    no ip address
    no atm ilmi-keepalive
    pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    dsl operating-mode itu-dmt
    !
    interface FastEthernet0
    description YY_SUBNET
    !
    interface FastEthernet1
    description VOICELINK
    switchport access vlan 3
    !
    interface FastEthernet2
    description INTERNET
    switchport access vlan 2
    !
    interface FastEthernet3
    description INTERNET2
    switchport access vlan 2
    !
    interface Vlan1
    ip address 10.2.1.253 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    !
    interface Vlan2
    ip address 172.16.1.254 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    !
    interface Vlan3
    ip address 192.168.201.1 255.255.255.0
    ip flow ingress
    ip nat inside
    ip inspect VOICE in
    ip virtual-reassembly
    !
    interface Dialer1
    description ISP
    bandwidth 448
    ip address negotiated
    ip nbar protocol-discovery
    ip nat outside
    ip inspect DIALER_OUT out
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    ppp authentication chap pap callin
    ppp chap hostname xx@yyy
    ppp chap password 7 xxyyxx
    ppp pap sent-username xx@yyy password 7 xxyyxx
    service-policy output QOSPOLICY
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer1
    ip route 10.1.1.0 255.255.255.0 Tunnel0
    ip route 192.168.200.0 255.255.255.0 Tunnel0
    !
    no ip http server
    no ip http secure-server
    ip nat inside source list NAT interface Dialer1 overload
    !
    ip access-list standard NAT
    permit 10.0.0.0 0.255.255.255
    permit 172.16.1.0 0.0.0.255

    !
    dialer-list 1 protocol ip permit



    I have removed some stuff from the config which is not relevant. but if any one can look at the class maps/policys and let me know if i have gone wrong anywhere?

    Cheers
    Jon
     
    Certifications: CCNA R&S, CCNP R&S, CCDA, CCNA Voice, CCNA Wireless & CCNA Security
    WIP: CCIE V5 (when its out)
  2. danielno8

    danielno8 Gigabyte Poster

    1,305
    48
    92
    What are you seeing/not seeing? is it matching where you expect or not matchin the protocols you expect?

    show policy map int dialer1
     
    Certifications: CCENT, CCNA
    WIP: CCNP
  3. danielno8

    danielno8 Gigabyte Poster

    1,305
    48
    92
    I'm possibly well off, but wouldn't this do for your policy:

    class-map match-any VPNVOICE
    match protocol ipsec

    policy-map QoS_Policy
    class VPNVOICE
    priority percent 65
    class class-default
    fair-queue


    then apply to the dialer interface. You should only need to match ipsec protocol since all voice traffic will be encrypted. Then this is offered 65% of available bandwidth, with everything else falling into the default queue and being dropped if there isn't sufficient bandwidth.
     
    Certifications: CCENT, CCNA
    WIP: CCNP
  4. jonny7_2002

    jonny7_2002 Byte Poster

    191
    9
    37
    Dialer1

    Service-policy output: QOSPOLICY

    Class-map: VPN_VOICE (match-any)
    1067970 packets, 124620706 bytes
    5 minute offered rate 4000 bps, drop rate 0 bps
    Match: protocol ipsec
    1063523 packets, 124339432 bytes
    5 minute rate 4000 bps
    Match: protocol rtp
    4427 packets, 279418 bytes
    5 minute rate 0 bps
    Match: protocol rtcp
    21 packets, 1856 bytes
    5 minute rate 0 bps
    police:
    rate 65 %
    rate 291000 bps, burst 9093 bytes
    peak-rate 65 %
    peak-rate 291000 bps, peak-burst 9093 bytes
    conformed 986936 packets, 116920976 bytes; actions:
    transmit
    exceeded 0 packets, 0 bytes; actions:
    set-qos-transmit 4
    violated 0 packets, 0 bytes; actions:
    drop
    conformed 0 bps, exceed 0 bps, violate 0 bps

    Class-map: class-default (match-any)
    578241 packets, 97834588 bytes
    5 minute offered rate 0 bps, drop rate 0 bps
    Match: any
    police:
    rate 35 %
    rate 156500 bps, burst 4890 bytes
    peak-rate 35 %
    peak-rate 156500 bps, peak-burst 4890 bytes
    conformed 464163 packets, 27489281 bytes; actions:
    transmit
    exceeded 0 packets, 0 bytes; actions:
    set-qos-transmit 4
    violated 757 packets, 773601 bytes; actions:
    drop

    conformed 0 bps, exceed 0 bps, violate 0 bps



    It does show the policy as working but the problem is that when the engineers download large files etc it will thrash the link and the voice quality drops out....? this is why i set it to police as i thought this would limit the amount they could use rather than QOS it when there is a bottleneck!?

    Thoughts?
     
    Certifications: CCNA R&S, CCNP R&S, CCDA, CCNA Voice, CCNA Wireless & CCNA Security
    WIP: CCIE V5 (when its out)
  5. jonny7_2002

    jonny7_2002 Byte Poster

    191
    9
    37
    Yes this would work, to be fair i need to tidy up the config a little as some of the class map entries are remnants of my previous attempts to sort this out.

    I thought I read somewhere ages ago that applying it to the dialer interface doesnt work correctly and every example i look at on the web seems to show an ATM sub interface configured for the DSL access rather than using dialers.
     
    Certifications: CCNA R&S, CCNP R&S, CCDA, CCNA Voice, CCNA Wireless & CCNA Security
    WIP: CCIE V5 (when its out)
  6. danielno8

    danielno8 Gigabyte Poster

    1,305
    48
    92
    Is voice quality poor in both directions? As you can see there have only been 757 packets dropped from the defaul queue and nothing dropped from the voice queue...

    If voice quality is still poor i would expect it only to be on the recieve side, where there isn't any QoS.
     
    Certifications: CCENT, CCNA
    WIP: CCNP
  7. craigie

    craigie Terabyte Poster

    3,020
    173
    155
    This is a QoS policy we deployed for RDP traffic on an 877

    ip access-list extended RDPTraffic remark ##### QoS For Site To Site RDP #####
    permit tcp any any eq 3389

    class-map RDP
    match access-group RDPTraffic

    policy-map RDPPriority
    class RDP
    priority percent 50

    interface Dialer0
    service-policy output RDPPriority

    crypto map headoffice 10
    qos pre-classify
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  8. jonny7_2002

    jonny7_2002 Byte Poster

    191
    9
    37
    Sorry, i meant the voice quality is poor in the way that you get delay and jitter rather than missing packets so i presumed (maybe incorrectly?) that the bottleneck on the branch router was the problem especialy as when the engineers thrash the connection i can see the dialer interface reach 200+ load on the interface counters...

    The other side has plenty of bandwidth and is dedicated for this link, it has no other hosts using its internet connection.

    i know that ultimately this is going over an ADSL connection which is silly but generally it is pretty stable unless the engineers download a huge amount! :cry:
     
    Certifications: CCNA R&S, CCNP R&S, CCDA, CCNA Voice, CCNA Wireless & CCNA Security
    WIP: CCIE V5 (when its out)
  9. danielno8

    danielno8 Gigabyte Poster

    1,305
    48
    92
    What i mean is that policy map only shows you there are no drops in the output queue. Which end of the call is reporing the clal to be poor quality? One side? or Both? If the branch end is saturating it's downstream bandwidth (the engineers downloads), it doesn't matter how much bandwidth you have at the main site as it's the local ADSL which is saturated.

    This is why it is key to know the direction of the poor quality. I'd say with your current QoS policy, transmitted voice should be fine. But recieve will still be contending with the engineers downloads.
     
    Certifications: CCENT, CCNA
    WIP: CCNP
  10. jonny7_2002

    jonny7_2002 Byte Poster

    191
    9
    37
    Craigie thanks for that, the more examples i see the more stuff falls in place! :biggrin

    i presume that the QOS pre classify marks the packets before encapsulation..... DIDNT KNOW THAT! Thanks!
     
    Certifications: CCNA R&S, CCNP R&S, CCDA, CCNA Voice, CCNA Wireless & CCNA Security
    WIP: CCIE V5 (when its out)
  11. jonny7_2002

    jonny7_2002 Byte Poster

    191
    9
    37
    This is correct, they can hear us but we have problems with the quality coming to us at the branch..
     
    Certifications: CCNA R&S, CCNP R&S, CCDA, CCNA Voice, CCNA Wireless & CCNA Security
    WIP: CCIE V5 (when its out)
  12. danielno8

    danielno8 Gigabyte Poster

    1,305
    48
    92
    The QoS pre-classify is not applicable in this scenario as you are not queueing using DSCP markings, also they won't be honoured by the upstream routers as it goes over the internet.

    You'll need to figure out how to limit the download speed of the engineering guys, while not limiting the voice traffic. Currently you have the policy map applied outbound.....does IOS allow you to add a separete policy inbound? If not there will be another way to do it for sure.
     
    Certifications: CCENT, CCNA
    WIP: CCNP
  13. jonny7_2002

    jonny7_2002 Byte Poster

    191
    9
    37
    CLICK!!!!!

    It has just clicked.... the QOS is applied outbound which obviously does not apply to the inbound traffic, as the configuaration "service policy outbound" suggests... lol! :oops:

    How daft am i being!!! Daniel you are a star in just pointing out what a numpty i am being! i have been looking at the wrong direction! lol :biggrin

    I will take a look at the inbound, i know you cannot apply a service policy inbound on a dialer interace (you can do it but i dont belive it works!!)

    I will post back when i have a fully fledged, over complicated discontiguous plan in place! :lol:

    Thanks again D08 (and Craigie)
    Jon
     
    Certifications: CCNA R&S, CCNP R&S, CCDA, CCNA Voice, CCNA Wireless & CCNA Security
    WIP: CCIE V5 (when its out)
  14. danielno8

    danielno8 Gigabyte Poster

    1,305
    48
    92
    Haha glad it has now clicked :)

    Maybe look at applying a policy to the ethernet interface which connects the engineering dept - OUTBOUND. This may end up being a bit inefficient as there wouldn't be a way to control dynamically allowing them to use all available bandwidth when there are no voice calls, and throttlign back when there are. There's plenty different methods you could use here i think, just about picking which one fits best.

    Good Luck :)
     
    Certifications: CCENT, CCNA
    WIP: CCNP

Share This Page

Loading...