»Cisco Forum FAQ »How do I configure QoS for VoIP?
»Cisco Forum FAQ »Improving Performance of Cable/DSL Internet using QoS
The biggest challenge with running a BitTorrent application is that it is very bandwidth-hungry. If your Internet router is doing NAT/PAT, you can also see how heavily BitTorrent uses the NAT/PAT process and how quickly it fills up the NAT/PAT table. In the end, your router might not be able to keep up and then stops working.
Since BitTorrent is so bandwidth-hungry, the key to keeping the network connection manageable is to apply Quality of Service (QoS). QoS is especially significant when you also run high-priority applications such as Voice over IP (VoIP) or public servers providing (for example) web and mail services.
The following is a sample configuration using CBWFQ (Class-Based Weighted Fair Queueing) QoS that keeps the network connection manageable when the network carries BitTorrent, VoIP, and other applications such as online gaming. The sample configuration should work on any Cisco router platform with the following prerequisites. This configuration has been applied to a cheap 827 router and works fine.
* The router runs IOS image supporting CBWFQ QoS
* The router supports named ACLs
* The router runs a 12.4 IOS (not sure about other versions, feel free to try and let me know)
The configuration assumes you assign the IP range 192.168.254.0/24 to the LAN:
* 192.168.254.129 to 192.168.254.191 are assigned by DHCP to machines without a static IP
* 192.168.254.11 is assigned to the VoIP ATA (in the example below, a Wengo ATA called Wengobox)
* 192.168.254.1 is my server for DNS, WINS, NTP and TFTP. Replace it with the correct IPs (local LAN or your ISP's addresses)
Notes on Outbound Policy Shaping Implementation:
* Ethernet0 is the physical LAN-side interface that receives the traffic
* ATM0 is the physical WAN-side interface that sends the traffic out to the ISP
* Dialer1 is the logical WAN-side interface that controls the Layer-2/3 (PPP and IP) management of the ATM0 interface
* You need to implement outbound policy shaping on the physical interface to actually execute the queueing/shaping/policing functions. In this sample configuration, outbound policy shaping is on the ATM0 interface
* Since the physical interface has a specific PVC setting, the outbound policy shaping configuration is available under the PVC configuration
* Should your router have the PVC configuration under a sub-interface, then you have to configure the outbound policy shaping on that sub-interface
* In some IOS versions, you need to specify the cbr value to make the outbound policy shaping configuration visible, as noted in this sample configuration
* Implementing outbound policy shaping on the Dialer1 interface (or any logical WAN interface) won't make a difference. The issue is that once the data has been encapsulated into PPPoX (PPPoA or PPPoE), there is no proper identification as the traffic goes out the Dialer interface. By tagging the packets with a unique precedence or DSCP value as they come into the inside interface, prior to encapsulation, the router has what it needs to make proper queueing decisions as the packets exit the outside interface.
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname XXXXXXX
!
logging buffered 64000 debugging
no logging console
enable secret ENABLESECRET
enable password ENABLEPASSWORD
!
clock timezone CET 1
clock summer-time CEDT recurring 1 Sun Apr 3:00 last Sun Oct 3:00
!
no ip source-route
no ip dhcp use vrf connected
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.254.1 192.168.254.128
ip dhcp excluded-address 192.168.254.192 192.168.254.254
!
ip dhcp pool Local-LAN
   network 192.168.254.0 255.255.255.0
   ! Assign 192.168.254.1 as DNS Server
   dns-server 192.168.254.1
   ! Assign 192.168.254.1 as WINS Server
   netbios-name-server 192.168.254.1
   default-router 192.168.254.254
   domain-name chezmoi.com
   netbios-node-type h-node
   ! Assign 192.168.254.1 as NTP Server
   option 42 ip 192.168.254.1
   ! Assign 192.168.254.1 as Boot/TFTP Server
   option 66 ascii "192.168.254.1"
!
ip dhcp pool Wengo-ATA
   host 192.168.254.11 255.255.255.0
   ! Replace by Wengo 01+ATA MAC Address
   client-identifier 0100.0cc3.3221.17
   ! WARNING: SOME ATAs request the DHCP address with their MAC directly.
   ! In that case use the line below and replace by your ATA MAC address
   hardware-address 000c.c332.2117
   ! Replace second and 3rd by your ISP DNS server addresses
   dns-server 192.168.254.1 184.108.40.206 220.127.116.11
!
ip cef
!
ip domain name chezmoi.com
ip name-server 192.168.254.1
no ip bootp server
ip ftp source-interface Ethernet0
!
ip ddns update method DynDNS-Eric
 HTTP
  ! Type the "?" as Ctrl-V followed by ? so IOS does not treat it as a help request
  add http://dyndnslogin:dyndnspassword@<s>/nic/update?system=dyndns&hostname=<h>&myip=<a>
 interval maximum 28 0 0 0
!
vpdn enable
!
ip access-list extended BitTorrent
 remark --- BitTorrent default ports
 permit tcp any range 6881 6889 any
 permit udp any range 6881 6889 any
 permit tcp any any range 6881 6889
 permit udp any any range 6881 6889
!
ip access-list extended CityOfHeroes
 permit ip 192.168.254.0 0.0.0.255 18.104.22.168 0.0.0.255
 permit ip 192.168.254.0 0.0.0.255 22.214.171.124 0.0.15.255
!
ip access-list extended FTP
 remark --- FTP traffic from LAN to FTP servers
 permit tcp 192.168.254.0 0.0.0.255 any range ftp-data ftp
!
ip access-list extended ICMP
 remark --- ICMP from LAN
 permit icmp 192.168.254.0 0.0.0.255 any
!
ip access-list extended LAN-IPsec
 remark --- IPSec traffic from LAN
 permit udp 192.168.254.0 0.0.0.255 any eq 10001
 permit udp 192.168.254.0 0.0.0.255 any eq isakmp
!
ip access-list extended Local-LANs
 remark --- permit DHCP
 permit udp any eq bootpc any
 permit udp any any eq bootps
 remark --- permit local LAN
 permit ip 192.168.254.0 0.0.0.255 any
 remark --- deny the rest and log
 deny ip any any log
!
ip access-list extended Outbound-DNS
 remark --- outbound DNS queries
 permit udp 192.168.254.0 0.0.0.255 any eq domain
!
ip access-list extended Skype
 remark --- Skype traffic
 permit udp any eq 44330 any
!
ip access-list extended Telnet-Traffic
 remark --- any telnet traffic
 permit tcp any any eq telnet
 permit tcp any eq telnet any
!
ip access-list extended WWW-and-SSL
 remark --- deny eMule traffic
 deny udp any eq 4672 any
 deny tcp any eq 4662 any
 remark --- deny BitTorrent traffic
 deny tcp any range 6881 6889 any
 deny udp any range 6881 6889 any
 remark --- permit http and https traffic
 permit tcp any any eq www
 permit tcp any any eq 443
!
ip access-list extended Wengo-ATA
 remark --- traffic from Wengo's ATA box
 permit ip host 192.168.254.11 any
!
ip access-list extended eMule
 remark --- eMule default ports
 permit udp any eq 4672 any
 permit tcp any eq 4662 any
 permit udp any any eq 4672
 permit tcp any any eq 4662
!
ip access-list extended to-SIP-servers
 remark --- traffic to any SIP server
 permit udp 192.168.254.0 0.0.0.255 any eq 5060
!
class-map match-any VoIP-Class-Inbound
 match access-group name Wengo-ATA
 match access-group name Skype
 match access-group name to-SIP-servers
!
class-map match-any Hi-Class-Inbound
 match access-group name Outbound-DNS
 match access-group name Telnet-Traffic
 match access-group name CityOfHeroes
!
class-map match-any Med-Class-Inbound
 match access-group name WWW-and-SSL
 match access-group name ICMP
 match access-group name FTP
!
class-map match-any Lo-Class-Inbound
 match access-group name eMule
 match access-group name BitTorrent
!
policy-map Packet-Tagging
 class VoIP-Class-Inbound
  set precedence 5
 class Hi-Class-Inbound
  set precedence 4
 class Med-Class-Inbound
  set precedence 3
 class Lo-Class-Inbound
  police 10000 2000 2000 conform-action set-prec-transmit 2 exceed-action set-prec-transmit 1
 class class-default
  set ip precedence 1
!
interface Ethernet0
 description --- Internal LAN
 ip address 192.168.254.254 255.255.255.0
 ip access-group Local-LANs in
 no ip redirects
 ip nat inside
 ip virtual-reassembly
 load-interval 30
 fair-queue
 service-policy input Packet-Tagging
 hold-queue 100 out
!
class-map match-any VoIP-Class-Outbound
 match ip precedence 5
!
class-map match-any Hi-Class-Outbound
 match ip precedence 4
!
class-map match-any Med-Class-Outbound
 match ip precedence 3
!
class-map match-any Lo-Class-Outbound
 match ip precedence 2
 match ip precedence 1
!
policy-map Packet-Queueing
 class VoIP-Class-Outbound
  priority 64
 class Hi-Class-Outbound
  bandwidth remaining percent 50
  random-detect
  random-detect exponential-weighting-constant 8
  random-detect precedence 4 20 60 20
 class Med-Class-Outbound
  bandwidth remaining percent 25
  random-detect
  random-detect exponential-weighting-constant 8
  random-detect precedence 3 15 30 15
 class Lo-Class-Outbound
  bandwidth remaining percent 25
  random-detect
  random-detect exponential-weighting-constant 3
  random-detect precedence 1 1 15 3
  random-detect precedence 2 10 20 10
!
interface ATM0
 no ip address
 load-interval 30
 no atm ilmi-keepalive
 bundle-enable
 dsl operating-mode auto
 pvc Cegetel 8/35
  cbr 160
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
  service-policy output Packet-Queueing
!
!
interface Dialer1
 bandwidth 160
 ip ddns update hostname YouDynDNSHostName
 ip ddns update DynDNS-Eric host members.dyndns.org
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname YourPPPoA_Username
 ppp chap password YourPPPoA_password
 max-reserved-bandwidth 100
!
ip local policy route-map Local-Tagging
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
!
ip nat translation port-timeout udp 40080 60
ip nat translation port-timeout udp 4672 180
ip nat translation port-timeout tcp 4662 180
ip nat inside source list Networks_2B_NATed interface Dialer1 overload
ip nat inside source static udp 192.168.254.11 5070 interface Dialer1 5070
ip nat inside source static udp 192.168.254.11 10000 interface Dialer1 10000
ip nat inside source static udp 192.168.254.11 10001 interface Dialer1 10001
!
ip access-list standard Allowed-Telnet-Clients
 permit 192.168.254.0 0.0.0.255
 deny   any log
ip access-list standard DenyAll
 deny   any log
ip access-list standard Networks_2B_NATed
 permit 192.168.254.0 0.0.0.255
!
snmp-server community public RO DenyAll
snmp-server enable traps tty
!
route-map Local-Tagging permit 20
 description --- Telnet traffic goes in High Class
 match ip address Telnet-Traffic
 set ip precedence 4
!
route-map Local-Tagging permit 40
 description --- The rest goes in Medium class
 set ip precedence 3
!
alias exec voipnat sh ip nat tra | inc 192.168.254.11
!
line con 0
 access-class DenyAll in
 access-class DenyAll out
 password LinePassword
 login
 transport output none
 stopbits 1
 speed 115200
line vty 0 4
 access-class Allowed-Telnet-Clients in
 access-class DenyAll out
 password LinePassword
 login
 transport input telnet
 transport output none
!
sntp server 192.168.254.1
The following is the relevant part of a sample configuration for routers with WAN sub-interfaces; the rest of the configuration is the same as above.
interface ATM0
 no ip address
 load-interval 30
 no atm ilmi-keepalive
 bundle-enable
 dsl operating-mode auto
!
interface ATM0.35 point-to-point
 pvc Cegetel 8/35
  cbr 384
  dialer pool-member 1
  service-policy output Packet-Queueing
Peer-to-Peer (P2P) protocols such as BitTorrent and eMule/eDonkey can use any TCP/UDP port numbers, not only ports 6881 to 6889 for BitTorrent or ports 4662/4672 for eMule/eDonkey. Therefore you might need to implement NBAR (Network Based Application Recognition) for a better approach to controlling P2P traffic. Check out the following FAQ for more info.
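To see how the inbound tagging above actually decides a packet's precedence, and where the port-based approach runs out, here is a small Python model of the Packet-Tagging policy. It is an added example, not part of the FAQ and not Cisco code: it reproduces the IOS evaluation order (each ACL is first-match with an implicit deny, a match-any class-map matches when any of its ACLs permits the packet, and the policy-map hands the packet to the first matching class) for the ACLs in the sample configuration. The CityOfHeroes ACL and the Lo-class policer are left out as assumptions of the model (Lo-class packets are reported with the conform precedence 2), and the sample packets and their Internet addresses are constructed for the demonstration.

```python
# Added example (not from the FAQ): model of the inbound "Packet-Tagging"
# policy from the sample configuration. Each ACL is first-match with an
# implicit deny; a match-any class-map matches when any of its ACLs permits
# the packet; the policy-map picks the first matching class.
# Assumptions: CityOfHeroes and the Lo-class policer are omitted, and the
# Lo class is reported with its conform precedence (2).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.254.0/24")
ATA = ip_address("192.168.254.11")          # Wengo ATA from the config


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def in_lan(p):
    return ip_address(p.src) in LAN


def bt_default_ports(p):
    return p.proto in ("tcp", "udp") and (6881 <= p.sport <= 6889 or 6881 <= p.dport <= 6889)


def emule_default_ports(p):
    return (p.proto == "udp" and 4672 in (p.sport, p.dport)) or \
           (p.proto == "tcp" and 4662 in (p.sport, p.dport))


# Each ACL is an ordered list of (action, predicate). As in the config, the
# deny lines of WWW-and-SSL look only at the *source* port.
ACLS = {
    "Wengo-ATA": [("permit", lambda p: ip_address(p.src) == ATA)],
    "Skype": [("permit", lambda p: p.proto == "udp" and p.sport == 44330)],
    "to-SIP-servers": [("permit", lambda p: p.proto == "udp" and in_lan(p) and p.dport == 5060)],
    "Outbound-DNS": [("permit", lambda p: p.proto == "udp" and in_lan(p) and p.dport == 53)],
    "Telnet-Traffic": [("permit", lambda p: p.proto == "tcp" and 23 in (p.sport, p.dport))],
    "WWW-and-SSL": [
        ("deny", lambda p: p.proto == "udp" and p.sport == 4672),
        ("deny", lambda p: p.proto == "tcp" and p.sport == 4662),
        ("deny", lambda p: p.proto in ("tcp", "udp") and 6881 <= p.sport <= 6889),
        ("permit", lambda p: p.proto == "tcp" and p.dport in (80, 443)),
    ],
    "ICMP": [("permit", lambda p: p.proto == "icmp" and in_lan(p))],
    "FTP": [("permit", lambda p: p.proto == "tcp" and in_lan(p) and p.dport in (20, 21))],
    "eMule": [("permit", emule_default_ports)],
    "BitTorrent": [("permit", bt_default_ports)],
}

# class-map match-any: the class matches if any listed ACL permits the packet.
CLASS_MAPS = {
    "VoIP-Class-Inbound": ["Wengo-ATA", "Skype", "to-SIP-servers"],
    "Hi-Class-Inbound": ["Outbound-DNS", "Telnet-Traffic"],
    "Med-Class-Inbound": ["WWW-and-SSL", "ICMP", "FTP"],
    "Lo-Class-Inbound": ["eMule", "BitTorrent"],
}

# policy-map Packet-Tagging in configured order; class-default is the fallback.
POLICY = [("VoIP-Class-Inbound", 5), ("Hi-Class-Inbound", 4),
          ("Med-Class-Inbound", 3), ("Lo-Class-Inbound", 2)]
DEFAULT_PRECEDENCE = 1


def acl_permits(name, pkt):
    """First matching entry decides; nothing matching means implicit deny."""
    for action, pred in ACLS[name]:
        if pred(pkt):
            return action == "permit"
    return False


def class_matches(class_name, pkt):
    return any(acl_permits(acl, pkt) for acl in CLASS_MAPS[class_name])


def tag(pkt):
    """Return (class name, IP precedence) the inbound policy assigns to pkt."""
    for class_name, precedence in POLICY:
        if class_matches(class_name, pkt):
            return class_name, precedence
    return "class-default", DEFAULT_PRECEDENCE


# Constructed sample packets; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for Internet hosts.
SAMPLES = [
    ("ATA to SIP server", Packet("udp", "192.168.254.11", "203.0.113.5", 5070, 5060)),
    ("DNS query", Packet("udp", "192.168.254.130", "203.0.113.53", 40000, 53)),
    ("web browsing", Packet("tcp", "192.168.254.130", "203.0.113.10", 51000, 80)),
    ("BitTorrent on default ports", Packet("tcp", "192.168.254.130", "198.51.100.7", 6881, 6881)),
    ("BitTorrent from 6881 to a peer on 80", Packet("tcp", "192.168.254.130", "198.51.100.7", 6881, 80)),
    ("BitTorrent from random port to peer on 80", Packet("tcp", "192.168.254.130", "198.51.100.7", 51413, 80)),
    ("BitTorrent on random ports", Packet("tcp", "192.168.254.130", "198.51.100.7", 51413, 51413)),
]


def classify_samples():
    return [(label, *tag(pkt)) for label, pkt in SAMPLES]


if __name__ == "__main__":
    for label, class_name, precedence in classify_samples():
        print(f"{label:45} -> {class_name:20} precedence {precedence}")
```

The last three sample rows make the point of the paragraph above concrete: a peer sourcing from 6881 toward a remote port 80 is denied by WWW-and-SSL (which is why those deny lines come before the permit) and lands in the low class, but the same peer on an unregistered source port is tagged as web traffic, and on arbitrary ports it falls into class-default. Port-based ACLs cannot close that gap, which is what NBAR is for.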
»Cisco Forum FAQ »Restrict Traffic Flow including P2P (Peer to Peer) using NBAR: An Overview
More sample configurations and discussions
»[Config] Question about Cisco 1812 optimization
»[HELP] Cisco 877 VOIP QoS & ASA5505
»[Config] Question about QoS Priority and Policing
»Priority Queue - Threshold other traffic denied service..
»[Config] Setting up QOS/prioritisation on an 877
»[Config] QoS+VoIP on a Cisco - sample config
»VoIP issues with my Cisco 831. (torrents & pulsing voice)
»Can you configure LLQ on 871 with Web Interface
»Getting an Internet 10Meg Ethernet from ATT
»[PBX] Finally!!! (Good Incoming/Outgoing Calls w/o Dropouts)