Editors: skj, Covenant, aryoba, Phraxos
Last modified on 2012-05-23 13:04:53

50.7 QoS and Voice over IP

»[Info] VOIP - Cisco Call manager Question
»Cisco Unified Communications
»What switch to use for voice?
»What Licensing do I need to use a Cisco IP Phone
»[Info] 1861 max phones ?
»Cisco Interconnect
»[HELP] router for voip
»router for voice
»[HELP] TDMOIP
»TDM - VOIP - TDM With NM-HDV?
»Prestandard POE
»[HELP] VoIP Redundacy


by aryoba
last modified: 2011-12-29 09:37:16

»Phone System
»SIP long distance plan for enterprise IP-PBX
»General Q's about Cisco VoIP
»[HELP] Cisco CallManager Setup
»[Other] Cisco Call Manager
»[voice] sip broker with cucme?
»[Config] 7941G
»Can make outgoing calls on IP Phone but can't get incoming
»Cisco 7960 not working with trixbox right
»[HELP] Can't Call Forward to Toll Free Numbers on UC560


by aryoba
last modified: 2011-03-15 09:37:28

Sample Configurations

Enable VoIP (SIP, MGCP, H323, SCCP) Services ASA/PIX Firewall Passthrough

Some discussions

»Pix501 and Vonage
»Help with ACL for Magicjack
»[Config] Cisco 877W with NAT and SIP phones
»[Config] Cisco ACL help for VOIP
»[Config] URGENT - Configuring SIP to FXS
»[Config] Cisco 2821 Router - Firewall Mysteriously Dropped Packe
»[Config] Problem passing SIP through Cisco 2821
»Cisco 871 drops Vonage
»[Config] CBAC/Zone Based Firewall and SIP (Astersisk)
»nbar missing some RTP traffic?
»Router ACL question
»Port Forwarding Issue
»CISCO 871w Blocking Possibly Freepbx Protocols


by aryoba
last modified: 2011-06-26 07:39:30

Introduction To QoS

»QoS on WAN

Cisco Implementation

How to implement QoS network using Cisco

Discussions and Sample Configurations

»seting up an ISP for my builing
»851 for QoS/VoIP?
»[Config] QOS Questions
»differences in policy maps and qos from router to switch
»Traffic shaping question
»[Config] Traffic Shaping on ATM interface
»How do I limit the bandwidth on a Cisco 3550 switch?
»[Config] Rate Limiting

QoS Implementation

»[Config] QoS help


by aryoba
last modified: 2011-09-08 10:46:28

Note:
The following templates come from Cisco documentation and follow Cisco's recommendations. However, you may have to tweak or adjust certain settings to meet your specific needs.

LAN Quality of Service Templates

Overview

The purpose of this document is to outline the local area network (LAN) quality of service templates that will be implemented by your Unified Communications engineers. This document contains basic configuration details that should be followed during any UC deployment. The configurations contained within this document are based on Cisco’s Quality of Service SRND and Unified Communications Manager SRND. For a comprehensive list of configuration details, reference the Cisco Quality of Service SRND and Cisco Unified Communications Manager SRND.

The configurations in this document should be considered the baseline for any implementation and should be included in any implementation as part of the standard delivery process. LAN traps should be conducted after implementing the QoS to ensure that proper markings are being set and maintained throughout the enterprise.

The following devices are covered in this FAQ:
• Catalyst 3550 Switches
• Catalyst 2960/2970/3560/3750 Switches
• Catalyst 4500 Switches with Native IOS up to Supervisor Engine 7E
• Catalyst 6500 Switches with Native IOS

Markings

The following markings are used to designate traffic, per the Cisco SRND. These are the markings that you will account for in the base professional services implementation pricing.

        Voice Bearer    Control     Video
DSCP    46 (EF)         24 (CS3)    34 (AF41)
COS     5               3           4

Soft Clients

When IP Phones are deployed in conjunction with other soft clients, such as CIPC, CUVA, or CUPC, then it is important to ensure the proper marking of soft client UC traffic. This is accomplished through the use of access lists and service policies.

The voice component of a call can be classified in one of two ways, depending on the type of call in progress. A voice-only (or normal) telephone call would have the media classified as CoS 5 (IP Precedence 5 or PHB EF), while the audio channel of a video conference would have the media classified as CoS 4 (IP Precedence 4 or PHB AF41). All the Cisco IP Video Telephony products adhere to the Cisco Corporate QoS Baseline standard, which requires that the audio and video channels of a video call both be marked as CoS 4 (IP Precedence 4 or PHB AF41). The reasons for this recommendation include, but are not limited to, the following:
• To preserve lip-sync between the audio and video channels
• To provide separate classes for audio-only calls and video calls

Cisco Unified Personal Communicator and Cisco IP Communicator with Cisco Unified Video Advantage are both voice and video capable, which presents two challenges when using the ACL and policy map for packet classification and DSCP re-marking. First, Cisco Unified Personal Communicator uses the same IP address and UDP port range to source voice and video streams. The ACL that is based on IP address and port number is not granular enough to differentiate a voice call from a video call in order to apply appropriate DSCP re-marking. Second, Cisco IP Communicator uses the same IP address and UDP port range to source its voice packets. Similarly, the ACL is not granular enough to differentiate the voice stream of an audio-only call from the voice stream of a video call. Therefore, using the ACL and policy-map for packet classification and DSCP re-marking is not a feasible QoS solution for software-based endpoints.

Because both Cisco Unified Personal Communicator and Cisco IP Communicator with Cisco Unified Video Advantage mark their signaling and media packets correctly as they ingress the network, Cisco recommends configuring the policy map to trust the DSCP marking of incoming traffic and apply traffic policing and rate limiting.


1. Catalyst 3550

The Catalyst 3550 switch model is generally found in the access layer of the LAN. This model supports a 1P3Q1T queuing model.

Global Commands

These commands are entered on a global level and are necessary in all QoS implementations. They are used to properly map COS and DSCP values as well as to associate these markings with the appropriate interface queue and threshold.
Switch(config)#mls qos
Switch(config)#mls qos map cos-dscp 0 8 16 24 34 46 48 56

Trunk Port Commands

Trunk ports, which could include connections to other switches, as well as Dot1Q connections to routers, should be configured to trust the DSCP markings from the neighboring device.
Switch(config)#int fx/y
Switch(config-if)#wrr-queue bandwidth 5 25 75 1
Switch(config-if)#wrr-queue cos-map 1 1
Switch(config-if)#wrr-queue cos-map 2 0
Switch(config-if)#wrr-queue cos-map 3 2 3 4 6 7
Switch(config-if)#wrr-queue cos-map 4 5
Switch(config-if)#priority-queue out
Switch(config-if)#mls qos trust dscp

Voice Servers, WAN Routers, Gateways

Generally speaking, devices such as voice servers, WAN routers, and voice gateways can be trusted, similar to trunk ports.
Switch(config)#int fx/y
Switch(config-if)#wrr-queue bandwidth 5 25 70 1
Switch(config-if)#wrr-queue cos-map 1 1
Switch(config-if)#wrr-queue cos-map 2 0
Switch(config-if)#wrr-queue cos-map 3 2 3 4 6 7
Switch(config-if)#wrr-queue cos-map 4 5
Switch(config-if)#priority-queue out
Switch(config-if)#mls qos trust dscp

IP Phones without Soft Clients

When IP Phones are deployed in an environment without other soft clients such as CIPC, CUVA, or CUPC, then the configuration for these access ports can be to simply trust the COS of the IP Phones. If a client will have any soft clients in the enterprise, it is recommended that you follow the configuration template for “IP Phones with Soft clients” as it is not feasible to know exactly which ports may or may not have soft clients active.
Switch(config)#int fx/y
Switch(config-if)#wrr-queue bandwidth 5 25 70 1
Switch(config-if)#wrr-queue cos-map 1 1
Switch(config-if)#wrr-queue cos-map 2 0
Switch(config-if)#wrr-queue cos-map 3 2 3 4 6 7
Switch(config-if)#wrr-queue cos-map 4 5
Switch(config-if)#priority-queue out
Switch(config-if)#mls qos trust device cisco-phone
Switch(config-if)#mls qos trust cos

IP Phones with Soft Clients

Because both Cisco Unified Personal Communicator and Cisco IP Communicator with Cisco Unified Video Advantage mark their signaling and media packets correctly as they ingress the network, Cisco recommends configuring the policy map to trust the DSCP marking of incoming traffic and apply traffic policing and rate limiting. It should be noted that this document includes IP Phone control traffic for SCCP, Secure SCCP, and SIP implementations.

The client can elect to add additional classes for other applications that fall into the Bulk, Transactional, or Interactive classes such as Oracle, FTP, etc by configuring additional ACLs and class-maps. You will be creating classes for voice and video. All other traffic not included in these classes will be policed at 5Mbps. This helps protect the environment from DoS attacks, and will not affect legitimate traffic.

Policers

Since we are going to be marking traffic from PCs to higher classes within the QoS policies, we need to ensure that we do not open the infrastructure up to a DoS attack from these PCs by allowing them to transmit more data than necessary in each class. This is done with policers. By policing unexpected packets to DSCP 8 (scavenger), we have made excessive packets with policed markings a lower priority than 0.
Switch(config)#mls qos map policed-dscp 0 24 26 34 to 8

Access Lists

Access lists (ACLs) are used to properly identify traffic that will need to be marked at the point of ingress. These ACLs will deviate from LAN segment to LAN segment, as both the voice VLAN and data VLAN may differ from location to location within a deployment.
ip access-list extended VVLAN-VOICE
permit udp any any range 16384 32767
ip access-list extended VVLAN-SIGNALING
remark SCCP
permit tcp any any range 2000 2002
ip access-list extended MULTIMEDIA-CONFERENCING
remark RTP
permit udp any any range 16384 32767
ip access-list extended SIGNALING
remark SIP
permit tcp any any range 5060 5061
permit udp any any range 5060 5061
ip access-list extended TRANSACTIONAL-DATA
remark HTTPS
permit tcp any any eq 443
remark ORACLE-SQL*NET
permit tcp any any eq 1521
permit udp any any eq 1521
remark ORACLE
permit tcp any any eq 1526
permit udp any any eq 1526
permit tcp any any eq 1575
permit udp any any eq 1575
permit tcp any any eq 1630
permit udp any any eq 1630
ip access-list extended BULK-DATA
remark FTP
permit tcp any any eq ftp
permit tcp any any eq ftp-data
remark SSH/SFTP
permit tcp any any eq 22
remark SMTP/SECURE SMTP
permit tcp any any eq smtp
permit tcp any any eq 465
remark IMAP/SECURE IMAP
permit tcp any any eq 143
permit tcp any any eq 993
remark POP3/SECURE POP3
permit tcp any any eq pop3
permit tcp any any eq 995
remark CONNECTED PC BACKUP
permit tcp any eq 1914 any
ip access-list extended SCAVENGER
remark KAZAA
permit tcp any any eq 1214
permit udp any any eq 1214
remark MICROSOFT DIRECT X GAMING
permit tcp any any range 2300 2400
permit udp any any range 2300 2400
remark APPLE ITUNES MUSIC SHARING
permit tcp any any eq 3689
permit udp any any eq 3689
remark BITTORRENT
permit tcp any any range 6881 6999
remark YAHOO GAMES
permit tcp any any eq 11999
remark MSN GAMING ZONE
permit tcp any any range 28800 29100
ip access-list extended DEFAULT
remark EXPLICIT CLASS-DEFAULT
permit ip any any

Class-Maps

Class-Maps are created to place the traffic identified by the access lists into the appropriate QoS classes. The 3550 switch can classify based on VLAN ID, so hierarchy classes are utilized for this switch. In the following example, “VV” refers to the Voice VLAN ID.
class-map match-all VVLAN-VOIP
match access-group name VVLAN-VOICE
class-map match-all VVLAN-SIGNALING
match access-group name VVLAN-SIGNALING
class-map match-all MULTIMEDIA-CONFERENCING
match access-group name MULTIMEDIA-CONFERENCING
class-map match-all SIGNALING
match access-group name SIGNALING
class-map match-all TRANSACTIONAL-DATA
match access-group name TRANSACTIONAL-DATA
class-map match-all BULK-DATA
match access-group name BULK-DATA
class-map match-all SCAVENGER
match access-group name SCAVENGER
class-map match-all DEFAULT
match access-group name DEFAULT

Policy-Maps

Policy-Maps are created in order to take action on traffic within a class. In these examples, the policers assume that the voice only calls will use G.711 and that video calls will not exceed 384k. If a voice codec with a higher bandwidth was used, such as G.722, the policer for the voice class would need to be altered to 320k, instead of 128k.
policy-map PER-PORT-POLICING
class VVLAN-VOIP
set dscp ef
police 128k 8000 exceed-action drop

class VVLAN-SIGNALING
set dscp cs3
police 32k 8000 exceed-action drop

class MULTIMEDIA-CONFERENCING
set dscp af41
police 5m 8000 exceed-action drop

class SIGNALING
set dscp cs3
police 32k 8000 exceed-action drop

class TRANSACTIONAL-DATA
set dscp af21
police 10m 8000 exceed-action policed-dscp-transmit

class BULK-DATA
set dscp af11
police 10m 8000 exceed-action policed-dscp-transmit

class SCAVENGER
set dscp cs1
police 10m 8000 exceed-action drop

class DEFAULT
set dscp default
police 10m 8000 exceed-action policed-dscp-transmit
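
The templates above chain ACL, class-map and policy-map class by name and rely on the policed-DSCP map for the markdown action, so a mistyped name, a duplicated ACL or an unmapped DSCP can leave a policer with nothing to act on. The following Python lint is an added example, not Cisco's or the FAQ author's code; the function names and the sample configuration (including its misspelled SIGNALLING reference) are constructed for illustration.

```python
import re

# Constructed sample modelled on the templates above (not captured from a device).
# The SIGNALLING misspelling is deliberate, to show a dangling reference.
SAMPLE_CONFIG = """\
mls qos map policed-dscp 0 24 26 34 to 8
ip access-list extended VVLAN-VOICE
 permit udp any any range 16384 32767
ip access-list extended MULTIMEDIA-CONFERENCING
 permit udp any any range 16384 32767
ip access-list extended SIGNALING
 permit tcp any any range 5060 5061
ip access-list extended TRANSACTIONAL-DATA
 permit tcp any any eq 443
ip access-list extended DEFAULT
 permit ip any any
class-map match-all VVLAN-VOIP
 match access-group name VVLAN-VOICE
class-map match-all MULTIMEDIA-CONFERENCING
 match access-group name MULTIMEDIA-CONFERENCING
class-map match-all SIGNALING
 match access-group name SIGNALLING
class-map match-all TRANSACTIONAL-DATA
 match access-group name TRANSACTIONAL-DATA
class-map match-all DEFAULT
 match access-group name DEFAULT
policy-map PER-PORT-POLICING
 class VVLAN-VOIP
  set dscp ef
  police 128k 8000 exceed-action drop
 class MULTIMEDIA-CONFERENCING
  set dscp af41
  police 5m 8000 exceed-action drop
 class SIGNALING
  set dscp cs3
  police 32k 8000 exceed-action drop
 class TRANSACTIONAL-DATA
  set dscp af21
  police 10m 8000 exceed-action policed-dscp-transmit
 class DEFAULT
  set dscp default
  police 10m 8000 exceed-action policed-dscp-transmit
"""

DSCP = {"default": 0, "cs1": 8, "af11": 10, "af21": 18, "cs3": 24, "af41": 34, "ef": 46}
# Both spellings of the policed-DSCP map command used on this page.
POLICED = re.compile(r"(?:mls qos map policed-dscp|qos map dscp policed) ([\d ]+) to (\d+)$")

def parse(config):
    """Collect ACL entries, class-map ACL references, policy classes and the policed-DSCP map."""
    acls, cmaps, policy, policed, section, name = {}, {}, [], {}, None, None
    for line in (raw.strip() for raw in config.splitlines()):
        words = line.split()
        if not words or words[0] == "remark":
            continue
        m = POLICED.match(line)
        if m:
            policed.update({int(d): int(m.group(2)) for d in m.group(1).split()})
        elif line.startswith(("ip access-list extended ", "class-map ")):
            section, name = words[0], words[-1]
            (acls if section == "ip" else cmaps)[name] = []
        elif words[0] == "policy-map":
            section = "policy"
        elif section == "ip":
            acls[name].append(line)
        elif section == "class-map" and line.startswith("match access-group name "):
            cmaps[name].append(words[-1])
        elif section == "policy" and words[0] == "class":
            policy.append({"class": words[1], "dscp": None, "exceed": None})
        elif section == "policy" and words[:2] == ["set", "dscp"]:
            policy[-1]["dscp"] = DSCP.get(words[2], int(words[2]) if words[2].isdigit() else None)
        elif section == "policy" and words[0] == "police":
            policy[-1]["exceed"] = words[-1]
    return acls, cmaps, policy, policed

def lint(config):
    """Return (kind, detail) findings, in policy-map order."""
    acls, cmaps, policy, policed = parse(config)
    findings, first_owner = [], {}
    for entry in policy:
        cls, dscp = entry["class"], entry["dscp"]
        missing = [a for a in cmaps.get(cls, []) if a not in acls]
        if cls not in cmaps:
            findings.append(("undefined-class", cls))
        findings += [("undefined-acl", f"{cls} -> {a}") for a in missing]
        if cls not in cmaps or missing:
            continue
        # Classes are evaluated in order and the first match wins, so a class whose
        # ACL entries equal an earlier class's never sees traffic. Only exact
        # duplicates are detected here; partial overlap is out of scope.
        aces = frozenset(ace for a in cmaps[cls] for ace in acls[a])
        if aces in first_owner:
            findings.append(("shadowed-class", f"{cls} by {first_owner[aces]}"))
        first_owner.setdefault(aces, cls)
        # policed-dscp-transmit re-marks through the policed-DSCP map; a DSCP absent
        # from the map keeps its value, so excess traffic is forwarded unchanged.
        if (entry["exceed"] == "policed-dscp-transmit" and dscp is not None
                and policed.get(dscp, dscp) == dscp):
            findings.append(("no-markdown", f"{cls} dscp {dscp}"))
    return findings
```

The shadowed-class finding is the configuration-level form of the soft-client limitation described earlier: voice and video share one UDP port range, so a port-based ACL cannot separate them.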

IP Phone & PC Ports

In order to enforce the classifications and policies, the policy-map must be applied to the ingress of all IP Phone and PC ports.
Switch(config)#int fx/y
Switch(config-if)#wrr-queue bandwidth 5 25 70 1
Switch(config-if)#wrr-queue cos-map 1 1
Switch(config-if)#wrr-queue cos-map 2 0
Switch(config-if)#wrr-queue cos-map 3 2 3 4 6 7
Switch(config-if)#wrr-queue cos-map 4 5
Switch(config-if)#priority-queue out
Switch(config-if)#mls qos trust device cisco-phone
Switch(config-if)#service-policy input PER-PORT-POLICING


2. Catalyst 2960/2970/3560/3750

These Catalyst switch models are generally found in the access layer of the LAN, although in some deployments, the 3750 is used in the distribution level. These models support a 1P3Q3T queuing model.

Global Commands

These commands are entered on a global level and are necessary in all QoS implementations. They are used to properly map COS and DSCP values as well as to associate these markings with the appropriate interface queue and threshold.
Switch(config)#mls qos
Switch(config)#mls qos map cos-dscp 0 8 16 24 34 46 48 56
Switch(config)#mls qos srr-queue output cos-map queue 1 threshold 3 5
Switch(config)#mls qos srr-queue output cos-map queue 2 threshold 1 2 4
Switch(config)#mls qos srr-queue output cos-map queue 2 threshold 2 3
Switch(config)#mls qos srr-queue output cos-map queue 2 threshold 3 6 7
Switch(config)#mls qos srr-queue output cos-map queue 3 threshold 3 0
Switch(config)#mls qos srr-queue output cos-map queue 4 threshold 3 1
Switch(config)#mls qos srr-queue output dscp-map queue 1 threshold 3 46
Switch(config)#mls qos srr-queue output dscp-map queue 2 threshold 1 16
Switch(config)#mls qos srr-queue output dscp-map queue 2 threshold 1 18 20 22
Switch(config)#mls qos srr-queue output dscp-map queue 2 threshold 1 25
Switch(config)#mls qos srr-queue output dscp-map queue 2 threshold 1 32
Switch(config)#mls qos srr-queue output dscp-map queue 2 threshold 1 34 36 38
Switch(config)#mls qos srr-queue output dscp-map queue 2 threshold 2 24 26
Switch(config)#mls qos srr-queue output dscp-map queue 2 threshold 3 48 56
Switch(config)#mls qos srr-queue output dscp-map queue 3 threshold 3 0
Switch(config)#mls qos srr-queue output dscp-map queue 4 threshold 1 8
Switch(config)#mls qos srr-queue output dscp-map queue 4 threshold 3 10 12 14
Switch(config)#mls qos queue-set output 1 threshold 2 70 80 100 100
Switch(config)#mls qos queue-set output 1 threshold 4 40 100 100 100

Trunk Port Commands

Trunk ports, which could include connections to other switches, as well as Dot1Q connections to routers, should be configured to trust the DSCP markings from the neighboring device.
Switch(config)#int gx/y
Switch(config-if)#queue-set 1
Switch(config-if)#srr-queue bandwidth share 1 70 25 5
Switch(config-if)#srr-queue bandwidth shape 30 0 0 0
Switch(config-if)#priority-queue out
Switch(config-if)#mls qos trust dscp

Voice Servers, WAN Routers, Gateways

Generally speaking, devices such as voice servers, WAN routers, and voice gateways can be trusted, similar to trunk ports.
Switch(config)#int gx/y
Switch(config-if)#queue-set 1
Switch(config-if)#srr-queue bandwidth share 1 70 25 5
Switch(config-if)#srr-queue bandwidth shape 30 0 0 0
Switch(config-if)#priority-queue out
Switch(config-if)#mls qos trust dscp

IP Phones without Soft Clients

When IP Phones are deployed in an environment without other soft clients such as CIPC, CUVA, or CUPC, then the configuration for these access ports can be to simply trust the COS of the IP Phones. If a client will have any soft clients in the enterprise, it is recommended that you follow the configuration template for “IP Phones with Soft clients” as it is not feasible to know exactly which ports may or may not have soft clients active.
Switch(config)#int gx/y
Switch(config-if)#queue-set 1
Switch(config-if)#srr-queue bandwidth share 1 70 25 5
Switch(config-if)#srr-queue bandwidth shape 30 0 0 0
Switch(config-if)#priority-queue out
Switch(config-if)#mls qos trust device cisco-phone
Switch(config-if)#mls qos trust cos

IP Phones with Soft Clients

Because both Cisco Unified Personal Communicator and Cisco IP Communicator with Cisco Unified Video Advantage mark their signaling and media packets correctly as they ingress the network, Cisco recommends configuring the policy map to trust the DSCP marking of incoming traffic and apply traffic policing and rate limiting. It should be noted that this document includes IP Phone control traffic for SCCP, Secure SCCP, and SIP implementations.

The client can elect to add additional classes for other applications that fall into the Bulk, Transactional, or Interactive classes such as Oracle, FTP, etc by configuring additional ACLs and class-maps. You will be creating classes for voice and video. All other traffic not included in these classes will be policed at 5Mbps. This helps protect the environment from DoS attacks, and will not affect legitimate traffic.

Policers

Since we are going to be marking traffic from PCs to higher classes within the QoS policies, we need to ensure that we do not open the infrastructure up to a DoS attack from these PCs by allowing them to transmit more data than necessary in each class. This is done with policers. By policing unexpected packets to DSCP 8 (scavenger), we have made excessive packets with policed markings a lower priority than 0.
Switch(config)#mls qos map policed-dscp 0 24 26 34 to 8

Access Lists

Access lists (ACLs) are used to properly identify traffic that will need to be marked at the point of ingress. These ACLs will deviate from LAN segment to LAN segment, as both the voice VLAN and data VLAN may differ from location to location within a deployment.
ip access-list extended VVLAN-VOICE
permit udp any any range 16384 32767
ip access-list extended VVLAN-SIGNALING
remark SCCP
permit tcp any any range 2000 2002
ip access-list extended MULTIMEDIA-CONFERENCING
remark RTP
permit udp any any range 16384 32767
ip access-list extended SIGNALING
remark SIP
permit tcp any any range 5060 5061
permit udp any any range 5060 5061
ip access-list extended TRANSACTIONAL-DATA
remark HTTPS
permit tcp any any eq 443
remark ORACLE-SQL*NET
permit tcp any any eq 1521
permit udp any any eq 1521
remark ORACLE
permit tcp any any eq 1526
permit udp any any eq 1526
permit tcp any any eq 1575
permit udp any any eq 1575
permit tcp any any eq 1630
permit udp any any eq 1630
ip access-list extended BULK-DATA
remark FTP
permit tcp any any eq ftp
permit tcp any any eq ftp-data
remark SSH/SFTP
permit tcp any any eq 22
remark SMTP/SECURE SMTP
permit tcp any any eq smtp
permit tcp any any eq 465
remark IMAP/SECURE IMAP
permit tcp any any eq 143
permit tcp any any eq 993
remark POP3/SECURE POP3
permit tcp any any eq pop3
permit tcp any any eq 995
remark CONNECTED PC BACKUP
permit tcp any eq 1914 any
ip access-list extended SCAVENGER
remark KAZAA
permit tcp any any eq 1214
permit udp any any eq 1214
remark MICROSOFT DIRECT X GAMING
permit tcp any any range 2300 2400
permit udp any any range 2300 2400
remark APPLE ITUNES MUSIC SHARING
permit tcp any any eq 3689
permit udp any any eq 3689
remark BITTORRENT
permit tcp any any range 6881 6999
remark YAHOO GAMES
permit tcp any any eq 11999
remark MSN GAMING ZONE
permit tcp any any range 28800 29100
ip access-list extended DEFAULT
remark EXPLICIT CLASS-DEFAULT
permit ip any any

Class-Maps

Class-Maps are created to place the traffic identified by the access lists into the appropriate QoS classes. A class-map is created for each traffic type for which an ACL was created.
class-map match-all VVLAN-VOIP
match access-group name VVLAN-VOICE
class-map match-all VVLAN-SIGNALING
match access-group name VVLAN-SIGNALING
class-map match-all MULTIMEDIA-CONFERENCING
match access-group name MULTIMEDIA-CONFERENCING
class-map match-all SIGNALING
match access-group name SIGNALING
class-map match-all TRANSACTIONAL-DATA
match access-group name TRANSACTIONAL-DATA
class-map match-all BULK-DATA
match access-group name BULK-DATA
class-map match-all SCAVENGER
match access-group name SCAVENGER
class-map match-all DEFAULT
match access-group name DEFAULT

Policy-Maps

Policy-Maps are created in order to take action on traffic within a class. In these examples, the policers assume that the voice only calls will use G.711 and that video calls will not exceed 384k. If a voice codec with a higher bandwidth was used, such as G.722, the policer for the voice class would need to be altered to 320k, instead of 128k.
policy-map PER-PORT-POLICING
class VVLAN-VOIP
set dscp ef
police 128k 8000 exceed-action drop

class VVLAN-SIGNALING
set dscp cs3
police 32k 8000 exceed-action drop

class MULTIMEDIA-CONFERENCING
set dscp af41
police 5m 8000 exceed-action drop

class SIGNALING
set dscp cs3
police 32k 8000 exceed-action drop

class TRANSACTIONAL-DATA
set dscp af21
police 10m 8000 exceed-action policed-dscp-transmit

class BULK-DATA
set dscp af11
police 10m 8000 exceed-action policed-dscp-transmit

class SCAVENGER
set dscp cs1
police 10m 8000 exceed-action drop

class DEFAULT
set dscp default
police 10m 8000 exceed-action policed-dscp-transmit
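
How the `police 128k 8000 exceed-action drop` and `policed-dscp-transmit` actions above treat a normal G.711 stream versus a PC flooding the same class, as an added Python simulation (not Cisco's or the FAQ author's code). It assumes an idealized single-rate token bucket that counts IP bytes and 200-byte packets at 50 pps for G.711; the function names are hypothetical.

```python
def police(arrivals, rate_bps, burst_bytes, set_dscp, exceed_action, policed_map=None):
    """Single-rate, two-colour token bucket.

    arrivals: (time_seconds, size_bytes) tuples in time order.
    Returns one value per packet: the DSCP it leaves with, or None if dropped.
    """
    policed_map = policed_map or {}
    tokens, last, out = float(burst_bytes), 0.0, []
    for t, size in arrivals:
        # Refill at the committed rate, never beyond the burst size.
        tokens = min(burst_bytes, tokens + (t - last) * rate_bps / 8)
        last = t
        if tokens >= size:                      # conforming: mark and forward
            tokens -= size
            out.append(set_dscp)
        elif exceed_action == "drop":           # exceeding: discard
            out.append(None)
        else:                                   # policed-dscp-transmit: re-mark via the map
            out.append(policed_map.get(set_dscp, set_dscp))
    return out


def stream(pps, size_bytes, seconds):
    """Constant-rate packet arrivals (constructed traffic, not a capture)."""
    return [(i / pps, size_bytes) for i in range(int(pps * seconds))]


def demo():
    # mls qos map policed-dscp 0 24 26 34 to 8
    policed_map = {0: 8, 24: 8, 26: 8, 34: 8}

    # One G.711 call: 160 B payload + 40 B RTP/UDP/IP, every 20 ms (80 kbps).
    g711 = police(stream(50, 200, 10), 128_000, 8000, 46, "drop")

    # A PC sending 10 Mbps into the voice port range: capped near 128 kbps.
    flood = police(stream(1250, 1000, 10), 128_000, 8000, 46, "drop")

    # 20 Mbps of unclassified traffic against the 10m DEFAULT policer:
    # nothing is dropped, but the excess leaves as DSCP 8 (scavenger).
    default = police(stream(2500, 1000, 10), 10_000_000, 8000, 0,
                     "policed-dscp-transmit", policed_map)

    return {
        "g711_forwarded": sum(d == 46 for d in g711),
        "flood_forwarded": sum(d == 46 for d in flood),
        "flood_offered": len(flood),
        "default_dropped": sum(d is None for d in default),
        "default_remarked": sum(d == 8 for d in default),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```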

IP Phone & PC Ports

In order to enforce the classifications and policies, the policy-map must be applied to the ingress of all IP Phone and PC ports.
Switch(config)#int gx/y
Switch(config-if)#queue-set 1
Switch(config-if)#srr-queue bandwidth share 1 70 25 5
Switch(config-if)#srr-queue bandwidth shape 30 0 0 0
Switch(config-if)#priority-queue out
Switch(config-if)#mls qos trust device cisco-phone
Switch(config-if)#service-policy input PER-PORT-POLICING


3. Catalyst 4500 – Sup II & Sup IV

These Catalyst switch models can be found in the access, distribution, or core layers of the LAN. These models support a 1P3Q1T queuing model.

Global Commands

These commands are entered on a global level and are necessary in all QoS implementations. They are used to properly map COS and DSCP values as well as to associate these markings with the appropriate interface queue and threshold.
Switch(config)#qos
Switch(config)#qos map cos 0 to dscp 0
Switch(config)#qos map cos 1 to dscp 8
Switch(config)#qos map cos 2 to dscp 16
Switch(config)#qos map cos 3 to dscp 24
Switch(config)#qos map cos 4 to dscp 34
Switch(config)#qos map cos 5 to dscp 46
Switch(config)#qos map cos 6 to dscp 48
Switch(config)#qos map cos 7 to dscp 56
Switch(config)#qos dbl
Switch(config)#qos dbl exceed-action ecn
Switch(config)#qos map dscp 0 to tx-queue 2
Switch(config)#qos map dscp 8 10 12 14 to tx-queue 1
Switch(config)#qos map dscp 16 18 20 22 to tx-queue 4
Switch(config)#qos map dscp 24 25 26 to tx-queue 4
Switch(config)#qos map dscp 32 34 36 38 to tx-queue 4
Switch(config)#qos map dscp 46 to tx-queue 3
Switch(config)#qos map dscp 48 56 to tx-queue 4
Switch(config)#policy-map DBL
Switch(config-pmap)#class class-default
Switch(config-pmap-c)#dbl

Trunk Port Commands

Trunk ports, which could include connections to other switches, as well as Dot1Q connections to routers, should be configured to trust the DSCP markings from the neighboring device.
Fast Ethernet
Switch(config)#int fx/y
Switch(config-if)#qos trust dscp
Switch(config-if)#service-policy output DBL
Switch(config-if)#tx-queue 3
Switch(config-if-tx-queue)#priority high
Switch(config-if-tx-queue)#shape percent 30

Gigabit Ethernet
Switch(config)#int gx/y
Switch(config-if)#qos trust dscp
Switch(config-if)#service-policy output DBL
Switch(config-if)#tx-queue 1
Switch(config-if-tx-queue)#bandwidth percent 5
Switch(config-if-tx-queue)#tx-queue 2
Switch(config-if-tx-queue)#bandwidth percent 25
Switch(config-if-tx-queue)#tx-queue 3
Switch(config-if-tx-queue)#priority high
Switch(config-if-tx-queue)#bandwidth percent 30
Switch(config-if-tx-queue)#shape percent 30
Switch(config-if-tx-queue)#tx-queue 4
Switch(config-if-tx-queue)#bandwidth percent 40

Voice Servers, WAN Routers, Gateways

Generally speaking, devices such as voice servers, WAN routers, and voice gateways can be trusted, similar to trunk ports.
Fast Ethernet
Switch(config)#int fx/y
Switch(config-if)#qos trust dscp
Switch(config-if)#service-policy output DBL
Switch(config-if)#tx-queue 3
Switch(config-if-tx-queue)#priority high
Switch(config-if-tx-queue)#shape percent 30

Gigabit Ethernet
Switch(config)#int gx/y
Switch(config-if)#qos trust dscp
Switch(config-if)#service-policy output DBL
Switch(config-if)#tx-queue 1
Switch(config-if-tx-queue)#bandwidth percent 5
Switch(config-if-tx-queue)#tx-queue 2
Switch(config-if-tx-queue)#bandwidth percent 25
Switch(config-if-tx-queue)#tx-queue 3
Switch(config-if-tx-queue)#priority high
Switch(config-if-tx-queue)#bandwidth percent 30
Switch(config-if-tx-queue)#shape percent 30
Switch(config-if-tx-queue)#tx-queue 4
Switch(config-if-tx-queue)#bandwidth percent 40

IP Phones without Soft Clients

When IP Phones are deployed in an environment without other soft clients such as CIPC, CUVA, or CUPC, then the configuration for these access ports can be to simply trust the COS of the IP Phones. If you will have any soft clients in the enterprise, it is recommended that you follow the configuration template for “IP Phones with Soft clients” as it is not feasible to know exactly which ports may or may not have soft clients active.
Fast Ethernet
Switch(config)#int fx/y
Switch(config-if)#qos trust device cisco-phone
Switch(config-if)#qos trust cos
Switch(config-if)#service-policy output DBL
Switch(config-if)#tx-queue 3
Switch(config-if-tx-queue)#priority high
Switch(config-if-tx-queue)#shape percent 30

Gigabit Ethernet
Switch(config)#int gx/y
Switch(config-if)#qos trust device cisco-phone
Switch(config-if)#qos trust cos
Switch(config-if)#service-policy output DBL
Switch(config-if)#tx-queue 1
Switch(config-if-tx-queue)#bandwidth percent 5
Switch(config-if-tx-queue)#tx-queue 2
Switch(config-if-tx-queue)#bandwidth percent 25
Switch(config-if-tx-queue)#tx-queue 3
Switch(config-if-tx-queue)#priority high
Switch(config-if-tx-queue)#bandwidth percent 30
Switch(config-if-tx-queue)#shape percent 30
Switch(config-if-tx-queue)#tx-queue 4
Switch(config-if-tx-queue)#bandwidth percent 40

IP Phones with Soft Clients

Because both Cisco Unified Personal Communicator and Cisco IP Communicator with Cisco Unified Video Advantage mark their signaling and media packets correctly as they ingress the network, Cisco recommends configuring the policy map to trust the DSCP marking of incoming traffic and apply traffic policing and rate limiting. It should be noted that this document includes IP Phone control traffic for SCCP, Secure SCCP, and SIP implementations.

You can elect to add additional classes for other applications that fall into the Bulk, Transactional, or Interactive classes such as Oracle, FTP, etc by configuring additional ACLs and class-maps. You will be creating classes for voice and video. All other traffic not included in these classes will be policed at 5Mbps. This helps protect the environment from DoS attacks, and will not affect legitimate traffic.

Policers

Since we are going to be marking traffic from PCs to higher classes within the QoS policies, we need to ensure that we do not open the infrastructure up to a DoS attack from these PCs by allowing them to transmit more data than necessary in each class. This is done with policers. By policing unexpected packets to DSCP 8 (scavenger), we have made excessive packets with policed markings a lower priority than 0.
Switch(config)#qos map dscp policed 0 24 26 34 to 8

Access Lists

Access lists (ACLs) are used to properly identify traffic that will need to be marked at the point of ingress. These ACLs will deviate from LAN segment to LAN segment, as both the voice VLAN and data VLAN may differ from location to location within a deployment.
ip access-list extended VVLAN-VOICE
permit udp any any range 16384 32767
ip access-list extended VVLAN-SIGNALING
remark SCCP
permit tcp any any range 2000 2002
ip access-list extended MULTIMEDIA-CONFERENCING
remark RTP
permit udp any any range 16384 32767
ip access-list extended SIGNALING
remark SIP
permit tcp any any range 5060 5061
permit udp any any range 5060 5061
ip access-list extended TRANSACTIONAL-DATA
remark HTTPS
permit tcp any any eq 443
remark ORACLE-SQL*NET
permit tcp any any eq 1521
permit udp any any eq 1521
remark ORACLE
permit tcp any any eq 1526
permit udp any any eq 1526
permit tcp any any eq 1575
permit udp any any eq 1575
permit tcp any any eq 1630
permit udp any any eq 1630
ip access-list extended BULK-DATA
remark FTP
permit tcp any any eq ftp
permit tcp any any eq ftp-data
remark SSH/SFTP
permit tcp any any eq 22
remark SMTP/SECURE SMTP
permit tcp any any eq smtp
permit tcp any any eq 465
remark IMAP/SECURE IMAP
permit tcp any any eq 143
permit tcp any any eq 993
remark POP3/SECURE POP3
permit tcp any any eq pop3
permit tcp any any eq 995
remark CONNECTED PC BACKUP
permit tcp any eq 1914 any
ip access-list extended SCAVENGER
remark KAZAA
permit tcp any any eq 1214
permit udp any any eq 1214
remark MICROSOFT DIRECT X GAMING
permit tcp any any range 2300 2400
permit udp any any range 2300 2400
remark APPLE ITUNES MUSIC SHARING
permit tcp any any eq 3689
permit udp any any eq 3689
remark BITTORRENT
permit tcp any any range 6881 6999
remark YAHOO GAMES
permit tcp any any eq 11999
remark MSN GAMING ZONE
permit tcp any any range 28800 29100
ip access-list extended DEFAULT
remark EXPLICIT CLASS-DEFAULT
permit ip any any

Class-Maps

Class-Maps are created to place the traffic identified by the access lists into the appropriate QoS classes. A class-map is created for each traffic type for which an ACL was created.
class-map match-all VVLAN-VOIP
match access-group name VVLAN-VOICE
class-map match-all VVLAN-SIGNALING
match access-group name VVLAN-SIGNALING
class-map match-all MULTIMEDIA-CONFERENCING
match access-group name MULTIMEDIA-CONFERENCING
class-map match-all SIGNALING
match access-group name SIGNALING
class-map match-all TRANSACTIONAL-DATA
match access-group name TRANSACTIONAL-DATA
class-map match-all BULK-DATA
match access-group name BULK-DATA
class-map match-all SCAVENGER
match access-group name SCAVENGER
class-map match-all DEFAULT
match access-group name DEFAULT

Policy-Maps

Policy-Maps are created in order to take action on traffic within a class. In these examples, the policers assume that the voice only calls will use G.711 and that video calls will not exceed 384k. If a voice codec with a higher bandwidth was used, such as G.722, the policer for the voice class would need to be altered to 320k, instead of 128k.
policy-map PER-PORT-POLICING
class VVLAN-VOIP
set dscp ef
police 128k 8000 exceed-action drop

class VVLAN-SIGNALING
set dscp cs3
police 32k 8000 exceed-action drop

class MULTIMEDIA-CONFERENCING
set dscp af41
police 5m 8000 exceed-action drop

class SIGNALING
set dscp cs3
police 32k 8000 exceed-action drop

class TRANSACTIONAL-DATA
set dscp af21
police 10m 8000 exceed-action policed-dscp-transmit

class BULK-DATA
set dscp af11
police 10m 8000 exceed-action policed-dscp-transmit

class SCAVENGER
set dscp cs1
police 10m 8000 exceed-action drop

class DEFAULT
set dscp default
police 10m 8000 exceed-action policed-dscp-transmit

class class-default
set dscp default
police 10m 8000 exceed-action policed-dscp-transmit

FastEthernet IP Phone & PC Ports

In order to enforce the classifications and policies, the policy-map must be applied to the ingress of all IP Phone and PC ports.
Switch(config)#int fx/y
Switch(config-if)#qos trust device cisco-phone
Switch(config-if)#service-policy output DBL
Switch(config-if)#service-policy input PER-PORT-POLICING
Switch(config-if)#tx-queue 3
Switch(config-if-tx-queue)#priority high
Switch(config-if-tx-queue)#shape percent 30

Gigabit Ethernet IP Phone & PC Ports

Switch(config)#int gx/y
Switch(config-if)#qos trust device cisco-phone
Switch(config-if)#service-policy output DBL
Switch(config-if)#service-policy input PER-PORT-POLICING
Switch(config-if)#tx-queue 1
Switch(config-if-tx-queue)#bandwidth percent 5
Switch(config-if-tx-queue)#tx-queue 2
Switch(config-if-tx-queue)#bandwidth percent 25
Switch(config-if-tx-queue)#tx-queue 3
Switch(config-if-tx-queue)#priority high
Switch(config-if-tx-queue)#bandwidth percent 30
Switch(config-if-tx-queue)#shape percent 30
Switch(config-if-tx-queue)#tx-queue 4
Switch(config-if-tx-queue)#bandwidth percent 40


4. Catalyst 4500 – Sup VI-E

These Catalyst switch models can be found in the access, distribution, or core layers of the LAN. These models support a 1P3Q1T queuing model.

Global Commands

These commands are entered on a global level and are necessary in all QoS implementations. They are used to properly map COS and DSCP values as well as to associate these markings with the appropriate interface queue and threshold.
Table Map
table-map COS-2-DSCP
map from 0 to 0
map from 1 to 8
map from 2 to 16
map from 3 to 24
map from 4 to 34
map from 5 to 46
map from 6 to 48
map from 7 to 56
default copy
!

Access Lists

Access lists (ACLs) are used to properly identify traffic that will need to be marked at the point of ingress. These ACLs will deviate from LAN segment to LAN segment, as both the voice VLAN and data VLAN may differ from location to location within a deployment.
ip access-list extended VVLAN-VOIP
permit udp any any range 16384 32767
ip access-list extended VVLAN-SIGNALING
remark SCCP
permit tcp any any range 2000 2002
ip access-list extended MULTIMEDIA-CONFERENCING
remark RTP
permit udp any any range 16384 32767
ip access-list extended SIGNALING
remark SIP
permit tcp any any range 5060 5061
permit udp any any range 5060 5061
ip access-list extended TRANSACTIONAL-DATA
remark HTTPS
permit tcp any any eq 443
remark ORACLE-SQL*NET
permit tcp any any eq 1521
permit udp any any eq 1521
remark ORACLE
permit tcp any any eq 1526
permit udp any any eq 1526
permit tcp any any eq 1575
permit udp any any eq 1575
permit tcp any any eq 1630
permit udp any any eq 1630
ip access-list extended BULK-DATA
remark FTP
permit tcp any any eq ftp
permit tcp any any eq ftp-data
remark SSH/SFTP
permit tcp any any eq 22
remark SMTP/SECURE SMTP
permit tcp any any eq smtp
permit tcp any any eq 465
remark IMAP/SECURE IMAP
permit tcp any any eq 143
permit tcp any any eq 993
remark POP3/SECURE POP3
permit tcp any any eq pop3
permit tcp any any eq 995
remark CONNECTED PC BACKUP
permit tcp any eq 1914 any
ip access-list extended SCAVENGER
remark KAZAA
permit tcp any any eq 1214
permit udp any any eq 1214
remark MICROSOFT DIRECT X GAMING
permit tcp any any range 2300 2400
permit udp any any range 2300 2400
remark APPLE ITUNES MUSIC SHARING
permit tcp any any eq 3689
permit udp any any eq 3689
remark BITTORRENT
permit tcp any any range 6881 6999
remark YAHOO GAMES
permit tcp any any eq 11999
remark MSN GAMING ZONE
permit tcp any any range 28800 29100
ip access-list extended DEFAULT
remark EXPLICIT CLASS-DEFAULT
permit ip any any

Class Maps
class-map match-all VVLAN-VOIP
match access-group name VVLAN-VOIP
class-map match-all VVLAN-SIGNALING
match access-group name VVLAN-SIGNALING
class-map match-all MULTIMEDIA-CONFERENCING
match access-group name MULTIMEDIA-CONFERENCING
class-map match-all SIGNALING
match access-group name SIGNALING
class-map match-all TRANSACTIONAL-DATA
match access-group name TRANSACTIONAL-DATA
class-map match-all BULK-DATA
match access-group name BULK-DATA
class-map match-all SCAVENGER
match access-group name SCAVENGER
class-map match-all DEFAULT
match access-group name DEFAULT

Policy Maps
policy-map DBL
class class-default
dbl
set dscp cos table COS-2-DSCP

policy-map PER-PORT-POLICING
class VVLAN-VOIP
set dscp ef
police 128k bc 8000
conform-action transmit
exceed-action drop

class VVLAN-SIGNALING
set dscp cs3
police 32k bc 8000
conform-action transmit
exceed-action drop

class MULTIMEDIA-CONFERENCING
set dscp af41
police 5m bc 8000
conform-action transmit
exceed-action drop

class SIGNALING
set dscp cs3
police 32k bc 8000
conform-action transmit
exceed-action drop

class TRANSACTIONAL-DATA
set dscp af21
police 10m bc 8000
conform-action transmit
exceed-action set-dscp-transmit cs1

class BULK-DATA
set dscp af11
police 10m bc 8000
conform-action transmit
exceed-action set-dscp-transmit cs1

class SCAVENGER
set dscp cs1
police 10m bc 8000
conform-action transmit
exceed-action drop

class class-default
set dscp default
police 10m bc 8000
conform-action transmit
exceed-action set-dscp-transmit cs1

Access Ports
interface x/x
qos trust device cisco-phone
service-policy input PER-PORT-POLICING
service-policy output DBL

Trunk Ports
interface x/x
service-policy output DBL
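
The Access Lists, Class Maps and Policy Maps above form a chain of name references: a class-map that names an ACL which was never defined does not classify the traffic its author intended, and because a policy-map assigns a packet to the first class it matches, a later class whose ACEs are already matched by an earlier one never sees traffic. The following Python check is an added example, not part of the original FAQ or of any Cisco tool; the sample configuration is constructed, with three mistakes planted on purpose, and the comparison of ACEs is purely textual.

```python
import re

# Constructed excerpt in the style of the configurations on this page.
# Planted mistakes: ACL "SIGNALLING" is misspelled, class SCAVENGER has no
# class-map, and two ACLs carry the same permit entry.
SAMPLE_CONFIG = """\
ip access-list extended VVLAN-VOIP
permit udp any any range 16384 32767
ip access-list extended MULTIMEDIA-CONFERENCING
remark RTP
permit udp any any range 16384 32767
ip access-list extended SIGNALLING
remark SIP
permit tcp any any range 5060 5061
class-map match-all VVLAN-VOIP
match access-group name VVLAN-VOIP
class-map match-all MULTIMEDIA-CONFERENCING
match access-group name MULTIMEDIA-CONFERENCING
class-map match-all SIGNALING
match access-group name SIGNALING
policy-map PER-PORT-POLICING
class VVLAN-VOIP
set dscp ef
class MULTIMEDIA-CONFERENCING
set dscp af41
class SIGNALING
set dscp cs3
class SCAVENGER
set dscp cs1
class class-default
set dscp default
"""

PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")   # strips "Switch(config-if)#"
HEADERS = (
    ("acl", re.compile(r"ip access-list extended (\S+)$")),
    ("cmap", re.compile(r"class-map (?:match-(?:all|any) )?(\S+)$")),
    ("pmap", re.compile(r"policy-map (\S+)$")),
)
BODY = {
    "acl": re.compile(r"((?:permit|deny) .+)$"),
    "cmap": re.compile(r"match access-group name (\S+)$"),
    "pmap": re.compile(r"class (\S+)$"),
}


def parse(config):
    """Return {'acl': {name: [ACEs]}, 'cmap': {name: [ACLs]}, 'pmap': {name: [classes]}}."""
    tables = {"acl": {}, "cmap": {}, "pmap": {}}
    kind, body = None, None
    for raw in config.splitlines():
        line = " ".join(PROMPT.sub("", raw.strip()).split())
        for k, rx in HEADERS:
            m = rx.match(line)
            if m:                          # a new ACL, class-map or policy-map starts
                kind, body = k, tables[k].setdefault(m.group(1), [])
                break
        else:                              # otherwise the line belongs to the open block
            m = BODY[kind].match(line) if kind else None
            if m:
                body.append(m.group(1))
    return tables


def audit(config):
    """Return findings as (kind, where, name) tuples."""
    t = parse(config)
    findings = []
    for cmap, acl_names in t["cmap"].items():
        for acl in acl_names:
            if acl not in t["acl"]:
                findings.append(("undefined-acl", cmap, acl))
    for pmap, classes in t["pmap"].items():
        claimed = {}                       # permit ACE -> first class that matches it
        for cls in classes:
            if cls == "class-default":     # built-in class, needs no class-map
                continue
            if cls not in t["cmap"]:
                findings.append(("undefined-class", pmap, cls))
                continue
            aces = [a for acl in t["cmap"][cls] for a in t["acl"].get(acl, [])
                    if a.startswith("permit ")]
            # Every permit entry already belongs to an earlier class: never reached.
            if aces and all(a in claimed for a in aces):
                findings.append(("shadowed-class", cls, claimed[aces[0]]))
            for a in aces:
                claimed.setdefault(a, cls)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

A shadowed-class finding is the usual sign that the voice VLAN and data VLAN ACLs still use `any any` instead of the per-segment subnets the Access Lists paragraph calls for.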



5. Catalyst 4500 – Sup 7-E

The per-port/per-VLAN policing model is essentially the same for the Catalyst 4500-E Supervisor 6-E, except that it does not require a global policed-DSCP map, so the policing commands are slightly different. No trust-DSCP statement is required on the interface(s) either.

policy-map VVLAN-POLICERS
class VVLAN-VOIP
set dscp ef
police 128k bc 8000
conform-action transmit
exceed-action drop

class VVLAN-SIGNALING
set dscp cs3
police 32k bc 8000
conform-action transmit
exceed-action drop

class class-default
set dscp default
police 32k bc 8000
conform-action transmit
exceed-action drop

policy-map DVLAN-POLICERS
class MULTIMEDIA-CONFERENCING
set dscp af41
police 5m bc 8000
conform-action transmit
exceed-action drop

class SIGNALING
set dscp cs3
police 32k bc 8000
conform-action transmit
exceed-action drop

class TRANSACTIONAL-DATA
set dscp af21
police 10m bc 8000
conform-action transmit
exceed-action set-dscp-transmit cs1

class BULK-DATA
set dscp af11
police 10m bc 8000
conform-action transmit
exceed-action set-dscp-transmit cs1

class SCAVENGER
set dscp cs1
police 10m bc 8000
conform-action transmit
exceed-action drop

class class-default
set dscp default
police 10m bc 8000
conform-action transmit
exceed-action set-dscp-transmit cs1

interface range GigabitEthernet 2/1-48
switchport access vlan x
switchport voice vlan y
spanning-tree portfast
qos trust device cisco-phone

Data Vlan Interfaces

vlan x
service-policy input DVLAN-POLICERS

Voice Vlan Interfaces

vlan y
service-policy input VVLAN-POLICERS



6. Catalyst 4500: Supervisor V-10GE

6.1. Per-Port User-Based Rate Limiting

UBRL adopts microflow policing capability to dynamically learn traffic flows and rate limit each unique flow to an individual rate and, as such, is a highly effective and efficient policing tool, particularly at the distribution layer in a medianet campus network.

UBRL is available on Supervisor Engine V-10GE with NetFlow support. UBRL can be applied to ingress traffic on routed interfaces and is typically used in environments where a per-user, granular rate limiting mechanism is required, such as at the distribution layer, to provide a second line of policing defense in the campus. Like other policers, UBRL can be used to drop or remark exceeding flows.

A flow is defined by a five-tuple (IP source address, IP destination address, IP protocol field, and Layer 4 source and destination ports) that is the same for each packet in the flow. Flow-based policers apply a single policy to discrete flows without having to specify the virtually infinite tuple combinations. UBRL can also be applied with source or destination flow masks; these masks apply an aggregate microflow policing policy to multiple flows sharing the same source or destination IP address.

In the per-port UBRL Model, a class map matches on a microflow basis and aggregates these by source addresses. Then a policer applies an aggregate limit to all microflows sharing a common source IP address, remarking traffic in excess of the policing rate.

Remarking is performed by configuring a policed-DSCP map with the global configuration command qos map dscp policed, which specifies which DSCP values are subject to remarking (if out-of-profile) and what these values should be remarked to (in the case of scavenger class QoS policies, the remarking value is CS1/DSCP 8).

UBRL is supported on Layer 3 interfaces and can be applied on either a per-port or per-port/per-VLAN basis.

Per-Port UBRL Configuration Example on a Catalyst 4500 Supervisor V-10GE
qos map dscp policed 0 10 18 24 34 46 to dscp 8

class-map match-all ENDPOINTS
match flow ip source-address

policy-map UBRL
class ENDPOINTS
police 50m 8000 byte conform-action transmit exceed-action policed-dscp-transmit

interface range TenGigabitEthernet1/1-2
description L3-Dwnlnk to Access-Layer
no switchport
qos trust dscp
service-policy input UBRL
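
The per-port UBRL policy above can be modelled as a token-bucket policer with one bucket per source address. The Python sketch below is an added example, not Cisco code or part of the original FAQ: it replays constructed traffic through that model to show why the source flow mask matters, since a host that spreads its load over many five-tuple flows still shares one bucket. The host addresses, packet sizes and timings are constructed, and the model assumes a bucket that starts full and refills continuously.

```python
from collections import Counter

# qos map dscp policed 0 10 18 24 34 46 to dscp 8 (unlisted values map to themselves)
POLICED_DSCP = {d: 8 for d in (0, 10, 18, 24, 34, 46)}


class FlowPolicer:
    """Single-rate token-bucket policer keeping one bucket per flow-mask key."""

    def __init__(self, rate_bps, burst_bytes, mask="source"):
        self.rate = rate_bps / 8 / 1_000_000    # bytes credited per microsecond
        self.burst = burst_bytes
        self.mask = mask                        # "source" or "full" (five-tuple)
        self.buckets = {}                       # key -> [tokens, last_seen_us]

    def _key(self, pkt):
        if self.mask == "source":               # match flow ip source-address
            return pkt["src"]
        return (pkt["src"], pkt["dst"], pkt["proto"], pkt["sport"], pkt["dport"])

    def police(self, pkt):
        """Return (verdict, outgoing DSCP) for one packet."""
        bucket = self.buckets.setdefault(self._key(pkt), [self.burst, pkt["t_us"]])
        elapsed = pkt["t_us"] - bucket[1]
        bucket[0] = min(self.burst, bucket[0] + elapsed * self.rate)
        bucket[1] = pkt["t_us"]
        if pkt["size"] <= bucket[0]:
            bucket[0] -= pkt["size"]
            return "conform", pkt["dscp"]                       # conform-action transmit
        # exceed-action policed-dscp-transmit: remark through the policed-DSCP map
        return "exceed", POLICED_DSCP.get(pkt["dscp"], pkt["dscp"])


def constructed_traffic():
    """Two constructed hosts; times are in microseconds."""
    pkts = []
    # Host A: 1500-byte packets every 100 us (120 Mbps), each to a new destination.
    for i in range(100):
        pkts.append(dict(t_us=i * 100, src="10.1.10.20", dst=f"10.2.0.{i + 1}",
                         proto=17, sport=40000, dport=5000 + i, size=1500, dscp=0))
    # Host B: 1500-byte packets every 1000 us (12 Mbps) to a single server.
    for i in range(10):
        pkts.append(dict(t_us=i * 1000, src="10.1.10.21", dst="10.2.0.200",
                         proto=6, sport=50000, dport=443, size=1500, dscp=0))
    return sorted(pkts, key=lambda p: p["t_us"])


def summarize(mask):
    """Police the constructed traffic at 50 Mbps / 8000 bytes and count outcomes."""
    policer = FlowPolicer(50_000_000, 8000, mask)
    per_source = {}
    for pkt in constructed_traffic():
        outcome = policer.police(pkt)
        per_source.setdefault(pkt["src"], Counter())[outcome] += 1
    return {src: dict(counts) for src, counts in per_source.items()}


if __name__ == "__main__":
    for mask in ("source", "full"):
        print(mask, summarize(mask))
```

With the source mask, host A has 54 of its 100 packets remarked to DSCP 8 while host B is untouched; with a full five-tuple key every one of host A's packets lands in a fresh bucket and conforms.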

6.2. Per-Port/Per-VLAN User-Based Rate Limiting

In contrast with the previous example, if the campus distribution block is using a Layer 2/Layer 3 design, and as such has Layer 2 trunked interfaces (TenGigabitEthernet 1/1 and 1/2) connecting it to the access layer switches, then UBRL can be applied on a per-port/per-VLAN basis. In this case, separate UBRL policies can be applied to each VLAN traversing the trunked interfaces via per-port/per-VLAN UBRL policies as each VLAN is routed through the switch.

To highlight policy flexibility, additional levels of classification are included in this second UBRL example (which incidentally can also be applied to the per-port UBRL model). Instead of applying a blanket UBRL policy to all endpoints, separate UBRL policies can be applied to different types of endpoints or application-and-endpoint combinations. For example, VoIP from Cisco IP phones in the VVLAN can be rate limited to 128 Kbps, while signaling traffic from these endpoints can be limited to 32 kbps. Similarly, TelePresence endpoints in the VVLAN (which mark their media flows to CS4) can be limited to 25 Mbps. All other endpoint-generated traffic in the VVLAN can be limited to 32 kbps per endpoint.

Similar policy granularity can be applied to the DVLAN policer, if desired. However, in this example, a simplified DVLAN policer is applied to all flows to ensure that any DVLAN endpoint transmitting at more than 5% capacity (an example value) of the access edge 10/100/1000 switch ports is subject to data plane policing/scavenger class QoS.

Static DSCP-trust is configured on the physical ports, and the per-port/per-VLAN UBRL policers are applied to their respective VLANs within the trunked interface.

Per-Port/Per-VLAN UBRL Configuration Example on a Catalyst 4500 Supervisor V-10GE

qos map dscp policed 0 10 18 34 to dscp 8

class-map match-all VOIP-ENDPOINTS
match ip dscp ef
match flow ip source-address

class-map match-all TELEPRESENCE-ENDPOINTS
match ip dscp cs4
match flow ip source-address

class-map match-all SIGNALING-ENDPOINTS
match ip dscp cs3
match flow ip source-address

class-map match-all ENDPOINTS
match flow ip source-address

policy-map VVLAN-UBRL
class VOIP-ENDPOINTS
police 128k 8000 byte conform-action transmit exceed-action drop

class TELEPRESENCE-ENDPOINTS
police 25m 256000 byte conform-action transmit exceed-action drop

class SIGNALING-ENDPOINTS
police 32k 8000 byte conform-action transmit exceed-action drop

class ENDPOINTS
police 32k 8000 byte conform-action transmit exceed-action drop

policy-map DVLAN-UBRL
class ENDPOINTS
police 50m 8000 byte conform-action transmit exceed-action policed-dscp-transmit

interface range TenGigabitEthernet1/1-2
description L2-Dwnlnk to Access-Layer
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,110
switchport mode trunk
qos trust dscp

int vlan 10
service-policy input DVLAN-UBRL

int vlan 110
service-policy input VVLAN-UBRL



7. Catalyst 6500 – Native IOS

These Catalyst switch models can be found in the distribution or core layers of the LAN. The queuing method is directly dependent upon the line cards. Consult the Cisco QoS SRND or the line card datasheet on the Cisco website to ensure that the proper queuing method is configured on the switch.

Global Commands

These commands are entered on a global level and are necessary in all QoS implementations. They are used to properly map COS and DSCP values as well as to associate these markings with the appropriate interface queue and threshold.
Switch(config)#mls qos
Switch(config)#mls qos map cos-dscp 0 8 16 24 34 46 48 56

Trunk Port Commands

Trunk ports, which could include connections to other switches, as well as Dot1Q connections to routers, should be configured to trust the DSCP markings from the neighboring device. Additionally, with Native IOS, the queue configurations are also made on the actual interfaces and are dependent upon the transmit queue support of the line cards.

2Q2T Tx Line Cards
Switch(config)#int fx/y
Switch(config-if)#wrr-queue queue-limit 30 70
Switch(config-if)#wrr-queue bandwidth 30 70
Switch(config-if)#wrr-queue threshold 1 40 100
Switch(config-if)#wrr-queue threshold 2 80 100
Switch(config-if)#wrr-queue cos-map 1 1 1
Switch(config-if)#wrr-queue cos-map 1 2 0
Switch(config-if)#wrr-queue cos-map 2 1 2 3 4 6 7
Switch(config-if)#wrr-queue cos-map 2 2 5
Switch(config-if)#mls qos trust dscp

1P2Q1T Tx Line Cards
Switch(config)#int fx/y
Switch(config-if)#wrr-queue queue-limit 30 40
Switch(config-if)#wrr-queue bandwidth 30 70
Switch(config-if)#wrr-queue random-detect min-threshold 1 80
Switch(config-if)#wrr-queue random-detect max-threshold 1 100
Switch(config-if)#wrr-queue random-detect min-threshold 2 80
Switch(config-if)#wrr-queue random-detect max-threshold 2 100
Switch(config-if)#wrr-queue cos-map 1 1 1 0
Switch(config-if)#wrr-queue cos-map 2 1 2 3 4 6 7
Switch(config-if)#priority-queue cos-map 1 5
Switch(config-if)#mls qos trust dscp

1P2Q2T Tx Line Cards
Switch(config)#int fx/y
Switch(config-if)#wrr-queue queue-limit 40 30
Switch(config-if)#wrr-queue bandwidth 30 70
Switch(config-if)#wrr-queue random-detect min-threshold 1 40 80
Switch(config-if)#wrr-queue random-detect max-threshold 1 80 100
Switch(config-if)#wrr-queue random-detect min-threshold 2 70 80
Switch(config-if)#wrr-queue random-detect max-threshold 2 80 100
Switch(config-if)#wrr-queue cos-map 1 1 1
Switch(config-if)#wrr-queue cos-map 1 2 0
Switch(config-if)#wrr-queue cos-map 2 1 2 3 4
Switch(config-if)#wrr-queue cos-map 2 2 6 7
Switch(config-if)#priority-queue cos-map 1 5
Switch(config-if)#mls qos trust dscp

1P3Q1T Tx Line Cards
Switch(config)#int fx/y
Switch(config-if)#wrr-queue bandwidth 5 25 70
Switch(config-if)#wrr-queue random-detect 1
Switch(config-if)#wrr-queue random-detect 2
Switch(config-if)#wrr-queue random-detect 3
Switch(config-if)#wrr-queue random-detect min-threshold 1 80
Switch(config-if)#wrr-queue random-detect max-threshold 1 100
Switch(config-if)#wrr-queue random-detect min-threshold 2 80
Switch(config-if)#wrr-queue random-detect max-threshold 2 100
Switch(config-if)#wrr-queue random-detect min-threshold 3 80
Switch(config-if)#wrr-queue random-detect max-threshold 3 100
Switch(config-if)#wrr-queue cos-map 1 1 1
Switch(config-if)#wrr-queue cos-map 2 1 0
Switch(config-if)#wrr-queue cos-map 3 1 2 3 4 6 7
Switch(config-if)#priority-queue cos-map 1 5
Switch(config-if)#mls qos trust dscp

1P3Q4T Tx Line Cards
Switch(config)#int fx/y
Switch(config-if)#wrr-queue queue-limit 5 25 40
Switch(config-if)#wrr-queue bandwidth 5 25 70
Switch(config-if)#wrr-queue random-detect 1
Switch(config-if)#wrr-queue random-detect 2
Switch(config-if)#wrr-queue random-detect 3
Switch(config-if)#wrr-queue random-detect min-threshold 1 80 100 100 100
Switch(config-if)#wrr-queue random-detect max-threshold 1 100 100 100 100
Switch(config-if)#wrr-queue random-detect min-threshold 2 80 100 100 100
Switch(config-if)#wrr-queue random-detect max-threshold 2 100 100 100 100
Switch(config-if)#wrr-queue random-detect min-threshold 3 80 100 100 100
Switch(config-if)#wrr-queue random-detect max-threshold 3 100 100 100 100
Switch(config-if)#wrr-queue cos-map 1 1 1
Switch(config-if)#wrr-queue cos-map 2 1 0
Switch(config-if)#wrr-queue cos-map 3 1 4
Switch(config-if)#wrr-queue cos-map 3 2 2
Switch(config-if)#wrr-queue cos-map 3 3 3
Switch(config-if)#wrr-queue cos-map 3 4 6 7
Switch(config-if)#priority-queue cos-map 1 5
Switch(config-if)#mls qos trust dscp

1P3Q8T Tx Line Cards
Switch(config)#int fx/y
Switch(config-if)#wrr-queue queue-limit 5 25 40
Switch(config-if)#wrr-queue bandwidth 5 25 70
Switch(config-if)#wrr-queue random-detect 1
Switch(config-if)#wrr-queue random-detect 2
Switch(config-if)#wrr-queue random-detect 3
Switch(config-if)#wrr-queue random-detect min-threshold 1 80 100 100 100 100 100 100 100
Switch(config-if)#wrr-queue random-detect max-threshold 1 100 100 100 100 100 100 100 100
Switch(config-if)#wrr-queue random-detect min-threshold 2 80 100 100 100 100 100 100 100
Switch(config-if)#wrr-queue random-detect max-threshold 2 100 100 100 100 100 100 100 100
Switch(config-if)#wrr-queue random-detect min-threshold 3 50 60 70 80 90 100 100 100
Switch(config-if)#wrr-queue random-detect max-threshold 3 60 70 80 90 100 100 100 100
Switch(config-if)#wrr-queue cos-map 1 1 1
Switch(config-if)#wrr-queue cos-map 2 1 0
Switch(config-if)#wrr-queue cos-map 3 1 4
Switch(config-if)#wrr-queue cos-map 3 2 2
Switch(config-if)#wrr-queue cos-map 3 3 3
Switch(config-if)#wrr-queue cos-map 3 4 6
Switch(config-if)#wrr-queue cos-map 3 5 7
Switch(config-if)#priority-queue cos-map 1 5
Switch(config-if)#mls qos trust dscp

1P7Q4T Tx Line Cards
Switch(config)#int fx/y
Switch(config-if)#wrr-queue bandwidth 5 25 20 20 20 5 5
Switch(config-if)#wrr-queue queue-limit 5 25 10 10 10 5 5
Switch(config-if)#wrr-queue random-detect min-threshold 3 80 100 100 100
Switch(config-if)#wrr-queue random-detect min-threshold 4 80 100 100 100
Switch(config-if)#wrr-queue random-detect min-threshold 5 80 100 100 100
Switch(config-if)#wrr-queue random-detect min-threshold 6 80 100 100 100
Switch(config-if)#wrr-queue random-detect min-threshold 7 80 100 100 100
Switch(config-if)#wrr-queue random-detect max-threshold 1 100 100 100 100
Switch(config-if)#wrr-queue random-detect max-threshold 2 100 100 100 100
Switch(config-if)#wrr-queue random-detect 1
Switch(config-if)#wrr-queue random-detect 2
Switch(config-if)#wrr-queue random-detect 3
Switch(config-if)#wrr-queue random-detect 4
Switch(config-if)#wrr-queue random-detect 5
Switch(config-if)#wrr-queue random-detect 6
Switch(config-if)#wrr-queue random-detect 7
Switch(config-if)#wrr-queue cos-map 1 1 1
Switch(config-if)#wrr-queue cos-map 2 1 0
Switch(config-if)#wrr-queue cos-map 3 1 4
Switch(config-if)#wrr-queue cos-map 4 1 2
Switch(config-if)#wrr-queue cos-map 5 1 3
Switch(config-if)#wrr-queue cos-map 6 1 6
Switch(config-if)#wrr-queue cos-map 7 1 7
Switch(config-if)#mls qos trust dscp

1P7Q8T Tx Line Cards
Switch(config)#int fx/y
Switch(config-if)#wrr-queue queue-limit 5 25 10 10 10 5 5
Switch(config-if)#wrr-queue bandwidth 5 25 20 20 20 5 5
Switch(config-if)#wrr-queue random-detect 1
Switch(config-if)#wrr-queue random-detect 2
Switch(config-if)#wrr-queue random-detect 3
Switch(config-if)#wrr-queue random-detect 4
Switch(config-if)#wrr-queue random-detect 5
Switch(config-if)#wrr-queue random-detect 6
Switch(config-if)#wrr-queue random-detect 7
Switch(config-if)#wrr-queue random-detect min-threshold 1 80 100 100 100 100 100 100 100
Switch(config-if)#wrr-queue random-detect max-threshold 1 100 100 100 100 100 100 100 100
Switch(config-if)#wrr-queue random-detect min-threshold 2 80 100 100 100 100 100 100 100
Switch(config-if)#wrr-queue random-detect max-threshold 2 100 100 100 100 100 100 100 100
Switch(config-if)#wrr-queue random-detect min-threshold 3 80 100 100 100 100 100 100 100
Switch(config-if)#wrr-queue random-detect max-threshold 3 100 100 100 100 100 100 100 100
Switch(config-if)#wrr-queue random-detect min-threshold 4 80 100 100 100 100 100 100 100
Switch(config-if)#wrr-queue random-detect max-threshold 4 100 100 100 100 100 100 100 100
Switch(config-if)#wrr-queue random-detect min-threshold 5 80 100 100 100 100 100 100 100
Switch(config-if)#wrr-queue random-detect max-threshold 5 100 100 100 100 100 100 100 100
Switch(config-if)#wrr-queue random-detect min-threshold 6 80 100 100 100 100 100 100 100
Switch(config-if)#wrr-queue random-detect max-threshold 6 100 100 100 100 100 100 100 100
Switch(config-if)#wrr-queue random-detect min-threshold 7 80 100 100 100 100 100 100 100
Switch(config-if)#wrr-queue random-detect max-threshold 7 100 100 100 100 100 100 100 100
Switch(config-if)#wrr-queue cos-map 1 1 1
Switch(config-if)#wrr-queue cos-map 2 1 0
Switch(config-if)#wrr-queue cos-map 3 1 4
Switch(config-if)#wrr-queue cos-map 4 1 2
Switch(config-if)#wrr-queue cos-map 5 1 3
Switch(config-if)#wrr-queue cos-map 6 1 6
Switch(config-if)#wrr-queue cos-map 7 1 7
Switch(config-if)#priority-queue cos-map 1 5
Switch(config-if)#mls qos trust dscp

Voice Servers, WAN Routers, Gateways

Generally speaking, devices such as voice servers, WAN routers, and voice gateways can be trusted, similar to trunk ports.

2Q2T Tx Line Cards
Switch(config)#int fx/y
Switch(config-if)#wrr-queue queue-limit 30 70
Switch(config-if)#wrr-queue bandwidth 30 70
Switch(config-if)#wrr-queue threshold 1 40 100
Switch(config-if)#wrr-queue threshold 2 80 100
Switch(config-if)#wrr-queue cos-map 1 1 1
Switch(config-if)#wrr-queue cos-map 1 2 0
Switch(config-if)#wrr-queue cos-map 2 1 2 3 4 6 7
Switch(config-if)#wrr-queue cos-map 2 2 5
Switch(config-if)#mls qos trust dscp

1P2Q1T Tx Line Cards
Switch(config)#int fx/y
Switch(config-if)#wrr-queue queue-limit 30 40
Switch(config-if)#wrr-queue bandwidth 30 70
Switch(config-if)#wrr-queue random-detect min-threshold 1 80
Switch(config-if)#wrr-queue random-detect max-threshold 1 100
Switch(config-if)#wrr-queue random-detect min-threshold 2 80
Switch(config-if)#wrr-queue random-detect max-threshold 2 100
Switch(config-if)#wrr-queue cos-map 1 1 1 0
Switch(config-if)#wrr-queue cos-map 2 1 2 3 4 6 7
Switch(config-if)#priority-queue cos-map 1 5
Switch(config-if)#mls qos trust dscp

1P2Q2T Tx Line Cards
Switch(config)#int fx/y
Switch(config-if)#wrr-queue queue-limit 40 30
Switch(config-if)#wrr-queue bandwidth 30 70
Switch(config-if)#wrr-queue random-detect min-threshold 1 40 80
Switch(config-if)#wrr-queue random-detect max-threshold 1 80 100
Switch(config-if)#wrr-queue random-detect min-threshold 2 70 80
Switch(config-if)#wrr-queue random-detect max-threshold 2 80 100
Switch(config-if)#wrr-queue cos-map 1 1 1
Switch(config-if)#wrr-queue cos-map 1 2 0
Switch(config-if)#wrr-queue cos-map 2 1 2 3 4
Switch(config-if)#wrr-queue cos-map 2 2 6 7
Switch(config-if)#priority-queue cos-map 1 5
Switch(config-if)#mls qos trust dscp

1P3Q1T Tx Line Cards
Switch(config)#int fx/y
Switch(config-if)#wrr-queue bandwidth 5 25 70
Switch(config-if)#wrr-queue random-detect 1
Switch(config-if)#wrr-queue random-detect 2
Switch(config-if)#wrr-queue random-detect 3
Switch(config-if)#wrr-queue random-detect min-threshold 1 80
Switch(config-if)#wrr-queue random-detect max-threshold 1 100
Switch(config-if)#wrr-queue random-detect min-threshold 2 80
Switch(config-if)#wrr-queue random-detect max-threshold 2 100
Switch(config-if)#wrr-queue random-detect min-threshold 3 80
Switch(config-if)#wrr-queue random-detect max-threshold 3 100
Switch(config-if)#wrr-queue cos-map 1 1 1
Switch(config-if)#wrr-queue cos-map 2 1 0
Switch(config-if)#wrr-queue cos-map 3 1 2 3 4 6 7
Switch(config-if)#priority-queue cos-map 1 5
Switch(config-if)#mls qos trust dscp

1P3Q8T Tx Line Cards
Switch(config)#int fx/y
Switch(config-if)#wrr-queue queue-limit 5 25 40
Switch(config-if)#wrr-queue bandwidth 5 25 70
Switch(config-if)#wrr-queue random-detect 1
Switch(config-if)#wrr-queue random-detect 2
Switch(config-if)#wrr-queue random-detect 3
Switch(config-if)#wrr-queue random-detect min-threshold 1 80 100 100 100 100 100 100 100
Switch(config-if)#wrr-queue random-detect max-threshold 1 100 100 100 100 100 100 100 100
Switch(config-if)#wrr-queue random-detect min-threshold 2 80 100 100 100 100 100 100 100
Switch(config-if)#wrr-queue random-detect max-threshold 2 100 100 100 100 100 100 100 100
Switch(config-if)#wrr-queue random-detect min-threshold 3 50 60 70 80 90 100 100 100
Switch(config-if)#wrr-queue random-detect max-threshold 3 60 70 80 90 100 100 100 100
Switch(config-if)#wrr-queue cos-map 1 1 1
Switch(config-if)#wrr-queue cos-map 2 1 0
Switch(config-if)#wrr-queue cos-map 3 1 4
Switch(config-if)#wrr-queue cos-map 3 2 2
Switch(config-if)#wrr-queue cos-map 3 3 3
Switch(config-if)#wrr-queue cos-map 3 4 6
Switch(config-if)#wrr-queue cos-map 3 5 7
Switch(config-if)#priority-queue cos-map 1 5
Switch(config-if)#mls qos trust dscp

1P7Q8T Tx Line Cards
Switch(config)#int fx/y
Switch(config-if)#wrr-queue queue-limit 5 25 10 10 10 5 5
Switch(config-if)#wrr-queue bandwidth 5 25 20 20 20 5 5
Switch(config-if)#wrr-queue random-detect 1
Switch(config-if)#wrr-queue random-detect 2
Switch(config-if)#wrr-queue random-detect 3
Switch(config-if)#wrr-queue random-detect 4
Switch(config-if)#wrr-queue random-detect 5
Switch(config-if)#wrr-queue random-detect 6
Switch(config-if)#wrr-queue random-detect 7
Switch(config-if)#wrr-queue random-detect min-threshold 1 80 100 100 100 100 100 100 100
Switch(config-if)#wrr-queue random-detect max-threshold 1 100 100 100 100 100 100 100 100
Switch(config-if)#wrr-queue random-detect min-threshold 2 80 100 100 100 100 100 100 100
Switch(config-if)#wrr-queue random-detect max-threshold 2 100 100 100 100 100 100 100 100
Switch(config-if)#wrr-queue random-detect min-threshold 3 80 100 100 100 100 100 100 100
Switch(config-if)#wrr-queue random-detect max-threshold 3 100 100 100 100 100 100 100 100
Switch(config-if)#wrr-queue random-detect min-threshold 4 80 100 100 100 100 100 100 100
Switch(config-if)#wrr-queue random-detect max-threshold 4 100 100 100 100 100 100 100 100
Switch(config-if)#wrr-queue random-detect min-threshold 5 80 100 100 100 100 100 100 100
Switch(config-if)#wrr-queue random-detect max-threshold 5 100 100 100 100 100 100 100 100
Switch(config-if)#wrr-queue random-detect min-threshold 6 80 100 100 100 100 100 100 100
Switch(config-if)#wrr-queue random-detect max-threshold 6 100 100 100 100 100 100 100 100
Switch(config-if)#wrr-queue random-detect min-threshold 7 80 100 100 100 100 100 100 100
Switch(config-if)#wrr-queue random-detect max-threshold 7 100 100 100 100 100 100 100 100
Switch(config-if)#wrr-queue cos-map 1 1 1
Switch(config-if)#wrr-queue cos-map 2 1 0
Switch(config-if)#wrr-queue cos-map 3 1 4
Switch(config-if)#wrr-queue cos-map 4 1 2
Switch(config-if)#wrr-queue cos-map 5 1 3
Switch(config-if)#wrr-queue cos-map 6 1 6
Switch(config-if)#wrr-queue cos-map 7 1 7
Switch(config-if)#priority-queue cos-map 1 5
Switch(config-if)#mls qos trust dscp

Access Lists

Access lists (ACLs) are used to properly identify traffic that will need to be marked at the point of ingress. These ACLs will deviate from LAN segment to LAN segment, as both the voice VLAN and data VLAN may differ from location to location within a deployment.
ip access-list extended MULTIMEDIA-CONFERENCING
remark RTP
permit udp any any range 16384 32767
ip access-list extended SIGNALING
remark SCCP
permit tcp any any range 2000 2002
remark SIP
permit tcp any any range 5060 5061
permit udp any any range 5060 5061
ip access-list extended TRANSACTIONAL-DATA
remark HTTPS
permit tcp any any eq 443
remark ORACLE-SQL*NET
permit tcp any any eq 1521
permit udp any any eq 1521
remark ORACLE
permit tcp any any eq 1526
permit udp any any eq 1526
permit tcp any any eq 1575
permit udp any any eq 1575
permit tcp any any eq 1630
permit udp any any eq 1630
ip access-list extended BULK-DATA
remark FTP
permit tcp any any eq ftp
permit tcp any any eq ftp-data
remark SSH/SFTP
permit tcp any any eq 22
remark SMTP/SECURE SMTP
permit tcp any any eq smtp
permit tcp any any eq 465
remark IMAP/SECURE IMAP
permit tcp any any eq 143
permit tcp any any eq 993
remark POP3/SECURE POP3
permit tcp any any eq pop3
permit tcp any any eq 995
remark CONNECTED PC BACKUP
permit tcp any eq 1914 any
ip access-list extended SCAVENGER
remark KAZAA
permit tcp any any eq 1214
permit udp any any eq 1214
remark MICROSOFT DIRECT X GAMING
permit tcp any any range 2300 2400
permit udp any any range 2300 2400
remark APPLE ITUNES MUSIC SHARING
permit tcp any any eq 3689
permit udp any any eq 3689
remark BITTORRENT
permit tcp any any range 6881 6999
remark YAHOO GAMES
permit tcp any any eq 11999
remark MSN GAMING ZONE
permit tcp any any range 28800 29100

Class Maps
class-map match-all VVLAN-VOIP
match dscp ef
class-map match-all VVLAN-SIGNALING
match dscp cs3
class-map match-all MULTIMEDIA-CONFERENCING
match access-group name MULTIMEDIA-CONFERENCING
class-map match-all SIGNALING
match access-group name SIGNALING
class-map match-all TRANSACTIONAL-DATA
match access-group name TRANSACTIONAL-DATA
class-map match-all BULK-DATA
match access-group name BULK-DATA
class-map match-all SCAVENGER
match access-group name SCAVENGER

Policy Maps
policy-map PER-PORT-POLICING
class VVLAN-VOIP
police 128k 8000
conform-action set-dscp-transmit ef
exceed-action drop

class VVLAN-SIGNALING
police 32k 8000
conform-action set-dscp-transmit cs3
exceed-action drop

class MULTIMEDIA-CONFERENCING
police 5m 8000
conform-action set-dscp-transmit af41
exceed-action drop

class SIGNALING
police 32k 8000
conform-action set-dscp-transmit cs3
exceed-action drop

class TRANSACTIONAL-DATA
police 10m 8000
conform-action set-dscp-transmit af21
exceed-action policed-dscp-transmit

class BULK-DATA
police 10m 8000
conform-action set-dscp-transmit af11
exceed-action policed-dscp-transmit

class SCAVENGER
police 10m 8000
conform-action set-dscp-transmit cs1
exceed-action drop

class class-default
police 10m 8000
conform-action set-dscp-transmit default
exceed-action policed-dscp-transmit

Gigabit Ethernet IP Phone & PC Ports

In order to enforce the classifications and policies, the policy-map must be applied to the ingress of all IP

2Q2T Tx Line Cards
Switch(config)#int fx/y
Switch(config-if)#wrr-queue queue-limit 30 70
Switch(config-if)#wrr-queue bandwidth 30 70
Switch(config-if)#wrr-queue cos-map 1 1 1
Switch(config-if)#wrr-queue cos-map 1 2 0
Switch(config-if)#wrr-queue cos-map 2 1 2 3 4 6 7
Switch(config-if)#wrr-queue cos-map 2 2 5
Switch(config-if)#service-policy input PER-PORT-POLICING

1P2Q1T Tx Line Cards
Switch(config)#int fx/y
Switch(config-if)#wrr-queue queue-limit 30 40
Switch(config-if)#wrr-queue bandwidth 30 70
Switch(config-if)#wrr-queue cos-map 1 1 1 0
Switch(config-if)#wrr-queue cos-map 2 1 2 3 4 6 7
Switch(config-if)#priority-queue cos-map 1 5
Switch(config-if)#service-policy input PER-PORT-POLICING

1P2Q2T Tx Line Cards
Switch(config)#int fx/y
Switch(config-if)#wrr-queue queue-limit 40 30
Switch(config-if)#wrr-queue bandwidth 30 70
Switch(config-if)#wrr-queue cos-map 1 1 1
Switch(config-if)#wrr-queue cos-map 1 2 0
Switch(config-if)#wrr-queue cos-map 2 1 2 3 4
Switch(config-if)#wrr-queue cos-map 2 2 6 7
Switch(config-if)#priority-queue cos-map 1 5
Switch(config-if)#service-policy input PER-PORT-POLICING

1P3Q1T Tx Line Cards
Switch(config)#int fx/y
Switch(config-if)#wrr-queue bandwidth 5 25 70
Switch(config-if)#wrr-queue cos-map 1 1 1
Switch(config-if)#wrr-queue cos-map 2 1 0
Switch(config-if)#wrr-queue cos-map 3 1 2 3 4 6 7
Switch(config-if)#priority-queue cos-map 1 5
Switch(config-if)#service-policy input PER-PORT-POLICING

1P3Q4T Tx Line Cards
Switch(config)#int fx/y
Switch(config-if)#wrr-queue queue-limit 5 25 40
Switch(config-if)#wrr-queue bandwidth 5 25 70
Switch(config-if)#wrr-queue cos-map 1 1 1
Switch(config-if)#wrr-queue cos-map 2 1 0
Switch(config-if)#wrr-queue cos-map 3 1 4
Switch(config-if)#wrr-queue cos-map 3 2 2
Switch(config-if)#wrr-queue cos-map 3 3 3
Switch(config-if)#wrr-queue cos-map 3 4 6 7
Switch(config-if)#priority-queue cos-map 1 5
Switch(config-if)#service-policy input PER-PORT-POLICING

1P3Q8T Tx Line Cards
Switch(config)#int fx/y
Switch(config-if)#wrr-queue queue-limit 5 25 40
Switch(config-if)#wrr-queue bandwidth 5 25 70
Switch(config-if)#wrr-queue cos-map 1 1 1
Switch(config-if)#wrr-queue cos-map 2 1 0
Switch(config-if)#wrr-queue cos-map 3 1 4
Switch(config-if)#wrr-queue cos-map 3 2 2
Switch(config-if)#wrr-queue cos-map 3 3 3
Switch(config-if)#wrr-queue cos-map 3 4 6
Switch(config-if)#wrr-queue cos-map 3 5 7
Switch(config-if)#priority-queue cos-map 1 5
Switch(config-if)#service-policy input PER-PORT-POLICING

1P7Q4T Tx Line Cards
Switch(config)#int fx/y
Switch(config-if)#wrr-queue bandwidth 5 25 20 20 20 5 5
Switch(config-if)#wrr-queue queue-limit 5 25 10 10 10 5 5
Switch(config-if)#wrr-queue cos-map 1 1 1
Switch(config-if)#wrr-queue cos-map 2 1 0
Switch(config-if)#wrr-queue cos-map 3 1 4
Switch(config-if)#wrr-queue cos-map 4 1 2
Switch(config-if)#wrr-queue cos-map 5 1 3
Switch(config-if)#wrr-queue cos-map 6 1 6
Switch(config-if)#wrr-queue cos-map 7 1 7
Switch(config-if)#service-policy input PER-PORT-POLICING

1P7Q8T Tx Line Cards
Switch(config)#int fx/y
Switch(config-if)#wrr-queue queue-limit 5 25 10 10 10 5 5
Switch(config-if)#wrr-queue bandwidth 5 25 20 20 20 5 5
Switch(config-if)#wrr-queue cos-map 1 1 1
Switch(config-if)#wrr-queue cos-map 2 1 0
Switch(config-if)#wrr-queue cos-map 3 1 4
Switch(config-if)#wrr-queue cos-map 4 1 2
Switch(config-if)#wrr-queue cos-map 5 1 3
Switch(config-if)#wrr-queue cos-map 6 1 6
Switch(config-if)#wrr-queue cos-map 7 1 7
Switch(config-if)#priority-queue cos-map 1 5
Switch(config-if)#service-policy input PER-PORT-POLICING

Per-Port Microflow Policing Model

Microflow policing dynamically learns traffic flows and rate limits each unique flow to an individual rate and as such, is a highly effective and efficient policing tool—particularly at the distribution layer in a medianet campus network.

Microflow policing can be applied to ingress traffic on routed interfaces and is typically used in environments where a per-user, granular rate limiting mechanism is required—such as at the distribution layer—to provide a second-line of policing defense in the campus. Like other policers, microflow policing can be used to drop or remark exceeding flows.

Microflow policers are enabled with the police flow policy-map class-action command. A flow is defined by a five-tuple (IP source address, IP destination address, IP protocol field, and Layer 4 source and destination ports), which is the same for each packet in the flow. Microflow policers apply a single policy to discrete traffic flows, without having to specify the virtually infinite tuple combinations. Microflow policing can also be applied with source or destination flow masks (with the mask src-only and mask dest-only optional keywords, respectively); these masks apply an aggregate microflow policing policy to multiple flows sharing the same source or destination IP address.

In the per-port microflow policing model, a flow-based policer is applied with a mask src-only option and applies an aggregate limit to all microflows sharing a common source IP address, remarking traffic in excess of the policing rate.

Remarking is performed by configuring policed-DSCP maps with the global configuration commands mls qos map policed-dscp normal-burst (which specifies the exceeding remarking action) and mls qos map policed-dscp max-burst (which specifies the violating remarking action, in the case of a dual rate policer). These commands specify which DSCP values are subject to remarking when out-of-profile and what value they are remarked to (for data plane policing/scavenger class QoS policies, this value is CS1/DSCP 8).

Even if single rate policers are used, it is recommended to configure the mls qos map policed-dscp max-burst markdown map, because the maximum_burst_bytes parameter for the policer is set equal to the normal_burst_bytes parameter unless explicitly specified otherwise. In other words, the PIR is set equal to the CIR unless explicitly specified otherwise, and thus the exceed-action policed-dscp-transmit keywords cause PFC QoS to mark traffic down to the DSCP values defined by the policed-dscp max-burst markdown map (and not the policed-dscp normal-burst markdown map).

Per-Port Microflow Policing Configuration Example on a Catalyst 6500

mls qos map policed-dscp normal-burst 0 10 18 24 34 46 to 8

mls qos map policed-dscp max-burst 0 10 18 24 34 46 to 8

policy-map MICROFLOW-POLICING
class class-default
police flow mask src-only 50m 8000 conform-action transmit exceed-action policed-dscp-transmit

interface range TenGigabitEthernet 3/1-2
description L3-Dwnlnk to Access-Layer
no switchport
ip flow ingress
service-policy input MICROFLOW-POLICING
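
The per-source aggregation described above, simulated as an added example (not Cisco's implementation and not code from the original FAQ): a token-bucket policer keyed by the flow mask, using the 50m/8000 policer and the policed-DSCP map from the configuration above. The host addresses, the traffic mix and the "five-tuple" mask name are constructed for the illustration.

```python
"""Source-masked microflow policing, simulated (added illustration, not Cisco code)."""
from collections import Counter

CS1 = 8
# Mirrors: mls qos map policed-dscp normal-burst 0 10 18 24 34 46 to 8
# A DSCP that is not listed keeps its marking even when out of profile.
POLICED_DSCP = {dscp: CS1 for dscp in (0, 10, 18, 24, 34, 46)}
SCALE = 1_000_000  # tokens are held in micro-bits so the integer math is exact


class MicroflowPolicer:
    """One single-rate token bucket per flow key; excess packets are marked down."""

    def __init__(self, rate_bps, burst_bytes, mask="src-only"):
        self.rate_bps = rate_bps
        self.burst = burst_bytes * 8 * SCALE
        self.mask = mask
        self.buckets = {}       # flow key -> [tokens, last update in microseconds]
        self.stats = Counter()  # (source, "conform" | "exceed") -> packets

    def _key(self, flow):
        src, dst, _proto, _sport, _dport = flow
        if self.mask == "src-only":
            return src          # all flows from one host share a bucket
        if self.mask == "dest-only":
            return dst
        return flow             # "five-tuple": every discrete flow has its own bucket

    def police(self, now_us, flow, dscp, length):
        """Return the DSCP the packet is transmitted with."""
        bucket = self.buckets.setdefault(self._key(flow), [self.burst, now_us])
        # elapsed microseconds * bits per second = micro-bits earned since last packet
        bucket[0] = min(self.burst, bucket[0] + (now_us - bucket[1]) * self.rate_bps)
        bucket[1] = now_us
        cost = length * 8 * SCALE
        if cost <= bucket[0]:
            bucket[0] -= cost
            self.stats[(flow[0], "conform")] += 1
            return dscp                          # conform-action transmit
        self.stats[(flow[0], "exceed")] += 1
        return POLICED_DSCP.get(dscp, dscp)      # exceed-action policed-dscp-transmit


HOST_A, HOST_B = "10.1.1.10", "10.1.1.20"  # constructed addresses


def constructed_traffic(duration_ms=1000):
    """Constructed sample. Each millisecond host A sends a 1000-byte packet on each
    of ten flows (80 Mbps in total, 8 Mbps per flow) and host B sends one packet."""
    for ms in range(duration_ms):
        for n in range(10):
            dscp = 18 if n % 2 == 0 else 26   # AF21 is in the map, AF31 is not
            yield ms * 1000, (HOST_A, f"10.2.0.{n + 1}", 17, 40000 + n, 5000), dscp, 1000
        yield ms * 1000, (HOST_B, "10.2.0.1", 6, 50000, 443), 0, 1000


def run(mask):
    """Police the sample with 'police flow mask <mask> 50m 8000' semantics."""
    policer = MicroflowPolicer(rate_bps=50_000_000, burst_bytes=8000, mask=mask)
    egress = Counter()  # (source, egress DSCP) -> packets
    for now_us, flow, dscp, length in constructed_traffic():
        egress[(flow[0], policer.police(now_us, flow, dscp, length))] += 1
    return policer.stats, egress


if __name__ == "__main__":
    for mask in ("src-only", "five-tuple"):
        stats, egress = run(mask)
        print(mask, dict(stats), dict(egress))
```

With the src-only mask, host A's ten 8 Mbps flows are held to an aggregate of about 50 Mbps and its out-of-profile AF21 packets leave as CS1, while its out-of-profile AF31 packets keep their marking because DSCP 26 is not in the markdown map. With one bucket per five-tuple, no single flow exceeds the rate and nothing is remarked.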

Per-VLAN Microflow Policing Model

In contrast with the previous example, if the campus distribution block is using a Layer 2/Layer 3 design, and as such has Layer 2 trunked interfaces (TenGigabitEthernet 3/1 and 3/2) connecting it to the access layer switches, then microflow policing can be applied on a per-VLAN basis. In this case, separate microflow policing policies can be applied to each VLAN.

To highlight policy flexibility, additional levels of classification are included in this second microflow policing example (which incidentally can also be applied to the per-port microflow policing model). Instead of applying a blanket microflow policer to all endpoints, separate microflow policers can be applied to different types of endpoints or application-and-endpoint-combinations. For example, VoIP from Cisco IP phones in the VVLAN can be policed to 128 Kbps, while signaling traffic from these endpoints can be policed to 32 kbps. Similarly, TelePresence endpoints in the VVLAN (which mark their media flows to CS4) can be policed to 25 Mbps. All other endpoint-generated traffic in the VVLAN can be policed to 32 kbps per endpoint.

Similar policy granularity can be applied to the DVLAN policer, if desired. However, in this example, a simplified DVLAN policer is applied to all flows to ensure that any DVLAN endpoint transmitting at more than 5% capacity (an example value) of the access edge 10/100/1000 switch ports is subject to data plane policing/scavenger class QoS.

Per-VLAN Microflow Policing Configuration Example on a Catalyst 6500

mls qos map policed-dscp normal-burst 0 10 18 34 to 8
mls qos map policed-dscp max-burst 0 10 18 34 to 8

class-map match-all VOIP-ENDPOINTS
match dscp ef

class-map match-all TELEPRESENCE-ENDPOINTS
match dscp cs4

class-map match-all SIGNALING-ENDPOINTS
match dscp cs3

policy-map VVLAN-MICROFLOW-POLICING
class VOIP-ENDPOINTS
police flow mask src-only 128k 8000 conform-action transmit exceed-action drop

class TELEPRESENCE-ENDPOINTS
police flow mask src-only 25m 256000 conform-action transmit exceed-action drop

class SIGNALING-ENDPOINTS
police flow mask src-only 32k 8000 conform-action transmit exceed-action drop

class class-default
police flow mask src-only 32k 8000 conform-action transmit exceed-action drop

policy-map DVLAN-MICROFLOW-POLICING
class class-default
police flow mask src-only 50m 8000 conform-action transmit exceed-action policed-dscp-transmit

interface vlan x
description VVLAN
ip flow ingress
service-policy input VVLAN-MICROFLOW-POLICING

interface vlan y
description DVLAN
ip flow ingress
service-policy input DVLAN-MICROFLOW-POLICING

interface range TenGigabitEthernet3/1-2
description L2-Dwnlnk to Access-Layer
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan x,y
switchport mode trunk
mls qos vlan-based

Voice Gateways

In order to ensure true end to end QoS throughout the environment, the voice gateways must be configured to properly mark control and bearer traffic sourced from their processes, including MGCP, H.323, and SIP.

MGCP Gateways

By default, MGCP gateways mark bearer traffic with DSCP EF and control traffic with AF31. This is not consistent with current standards. The following modifications should be made to all deployed MGCP gateways.
Router(config)#mgcp ip qos dscp cs3 signaling
Router(config)#mgcp ip qos dscp ef media

H.323/SIP Gateways

By default, H.323 and SIP dial-peers mark bearer traffic with DSCP EF and control traffic with AF31. This is not consistent with current standards. The following modifications should be made to VOIP dial-peers on all deployed H.323 and SIP gateways.
Router(config)#dial-peer voice x voip
Router(config-dial-peer)#ip qos dscp cs3 signaling
Router(config-dial-peer)#ip qos dscp ef media

WAN Quality of Service

To guarantee traffic service over long-distance WAN circuits such as point-to-point, MPLS, and Metro Ethernet, QoS must be implemented on the WAN gateway at every end of your locations. In addition, your WAN QoS implementation must match the QoS specification your service provider uses, in order to maintain end-to-end QoS.

As an illustration, let's say you have a point-to-point 1 Gbps Metro Ethernet circuit from your service provider to interconnect two of your locations. The service provider specifies that 5 Mbps is guaranteed for Class of Service (CoS) Priority 5 (EF) traffic and 5 Mbps is guaranteed for CoS Priority 2, while the remaining bandwidth is freely usable by CoS default traffic.

Let's assume you have IP phones that use DSCP EF 5 or CoS 5 on UDP port range 16384 - 32767 for voice traffic, and DSCP AF 41 (CS 3) or CoS 3 on SIP (UDP and TCP port range 5060 - 5061) and SCCP (TCP port range 2000 - 2002) for signalling traffic. Within the LAN, you typically leave these specifications at their defaults while setting all LAN switch access and trunk ports to acknowledge this traffic. Once the traffic heads to the point-to-point circuit, you have to modify the traffic specification to match the service provider specification.

Assume you would like to use the service provider CoS 5 for the voice traffic, CoS 2 for the signalling, and the remaining bandwidth for other traffic such as email, web, and file sharing. Therefore, as the traffic is about to leave one location over the point-to-point circuit to reach your other location, you need to map your existing CoS 5 traffic to the service provider CoS 5, map your existing CoS 3 traffic to the service provider CoS 2, and map the remaining traffic to the service provider CoS default traffic.

Once the traffic has crossed the point-to-point circuit from one location and arrives at the other location, you need to set it back to its original specification. Therefore, as the traffic arrives at the other location, you need to map the service provider CoS 5 traffic to the original CoS 5 traffic, map the service provider CoS 2 to the original CoS 3, and map the remaining traffic as default traffic.

Note that this WAN QoS mapping occurs on your WAN gateway, while LAN QoS mapping occurs on your LAN. Following is one solution showing what the WAN QoS mapping and configuration look like. The assumption here is that your WAN gateway is a router using the GigabitEthernet 0/0/0 port to connect to the WAN circuit.

!
!!!!!!!!! Catching incoming traffic from IP Phones
!
!
!!!!! Voice traffic
!
class-map match-any VOICE
match dscp ef
match cos 5
!
!
!!!!! Signalling traffic
!
class-map match-any priority
match dscp cs3
match dscp af41
match cos 3
!
!
!!!!!!!!! Map your traffic specification to service provider traffic specification
!
policy-map qospm
class VOICE
set cos 5
priority 5000
class priority
set cos 2
police cir 5000000 bc 11750 pir 7500000 be 29375
conform-action transmit
exceed-action transmit
violate-action drop
class class-default
shape average 990000000
set cos 0
!
!
!!!!!!!! Catching traffic coming through the WAN circuit
!
ip access-list extended SIGNALING
remark SIP
permit tcp any any range 5060 5061
permit udp any any range 5060 5061
remark SCCP
permit tcp any any range 2000 2002
!
ip access-list extended VVLAN-VOIP
permit udp any any range 16384 32767
!
class-map match-all SIGNALING
match access-group name SIGNALING
class-map match-all VOIP
match access-group name VVLAN-VOIP
!
!
!!!!!!!!! Map service provider traffic specification back to the original traffic specification
!
policy-map WAN_COS_to_DSCP
class VOIP
set dscp ef
class SIGNALING
set dscp cs3
!
!
!!!!!!!!! Implement QoS into your router interface
!
interface GigabitEthernet0/0/0
service-policy output qospm
service-policy input WAN_COS_to_DSCP

For more info regarding these QoS commands, check out the following Cisco link.
Configuring the Modular Quality of Service

Example Network Design and Implementation

The information posted here is a summarized version of the Cisco AVVID QoS Design Guide. The person who posted this is not liable for any network problems or any damage caused by configuring their router to the following specification. If in doubt, open up a Cisco TAC case where a Cisco engineer will get in touch to help you implement your design or troubleshoot your issue. You may also ask the Cisco forum community for advice, but the community accepts no liability for any recommendations made which are then implemented.

The example below uses a Cisco 79xx IP Phone, a 2924 Switch (12.0(5)XU EN), and a 2600 Router (12.2(11)T IP/FW/IDS PLUS IPSEC 56). Make sure the versions of IOS that you're running support the commands used before implementing in a production environment. It also assumes that you are using separate VLANs for data and voice (VLAN 100 for data, and 101 for voice).

This example assumes the following network setup:
PC--->79xx---->2924---->2600---->Internet



Configuring the 2924 Switch:
!
interface FastEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 100 !this is the data vlan
switchport mode trunk
switchport voice vlan 101 !the vlan for voice
spanning-tree portfast
switchport priority extend cos 0
speed auto
!

The above port configuration allows for both voice and data traffic from separate VLANs. Cisco IP Phones automatically support 802.1q trunking and 802.1p COS tagging, which will tag all outgoing voice traffic with an L2 COS of 5, and an L3 IP Precedence of 5. The 'switchport priority extend cos 0' ensures that all data traffic has its L2 COS tag re-classified as 0. This will ensure a PC connected to the phone is not also classifying its traffic.

Additionally, if your switch supports inline power, add the following to the above configuration: 'power inline auto'

NOTE: The 'speed auto' command is extremely important. Cisco IP phones default to auto-negotiation for speed and duplex. If the switch port is set to 100baseT full-duplex, the IP phone automatically sets its port to 100baseT half-duplex, causing a duplex mismatch.

Configuring the 2600 router:

The first thing we need to do is define access-lists to match our voice traffic. We will create 2 extended ACLs, one for the voice RTP traffic, and one for the voice signaling traffic.

For Skinny, H.323, MGCP:
!signaling traffic
access-list 101 permit tcp any any range 2000 2002
access-list 101 permit tcp any any eq 1720
access-list 101 permit tcp any any range 11000 11999
access-list 101 permit udp any any eq 2427
!
!RTP traffic
access-list 102 permit udp any any range 16384 32767

For SIP/IAX/IAX2:
!signaling traffic
access-list 101 permit udp any any eq 4569
access-list 101 permit udp any any eq 5036
access-list 101 permit udp any any eq 5060
!
!RTP traffic
access-list 102 permit udp any any range 16384 32767

NOTE: You may also use a 'permit ip 1.1.1.0 0.0.0.255 any' command on the signaling access-list to match all hosts in a particular subnet, assuming all IP phones are on the same subnet and their own vlan.

Next, we create class maps for each type of traffic:
!
class-map match-all voice-traffic
match access-group 102
!
class-map match-all voice-signaling
match access-group 101
!

Then create a policy map for the classes:
!
policy-map qos-voice
class voice-traffic
priority 240
class voice-signaling
bandwidth 16
class class-default
fair-queue
!

The policy-map on the router places all voice traffic into the Priority Queue, which is given 240kbps of bandwidth. All signaling traffic is in a class-based queue with 16kbps of bandwidth. And all other traffic is queued using Weighted Fair Queuing.

To determine how much bandwidth to give to voice traffic:
Number of simultaneous calls X 80 (for g711u)
Number of simultaneous calls X 11 (for g729)

Finally, apply the policy to the interface:
!
interface FastEthernet0/0
service-policy output qos-voice
!

NOTE: If you are using sub-interfaces, applying the policy to the fa0/0 interface will also apply it to all sub-interfaces (i.e. fa0/0.1, fa0/0.2 etc.) To apply a QoS service-policy to a specific sub-interface refer to this Cisco link.
Applying QoS Features to Ethernet Sub-interfaces

As QoS is generally configured on outgoing traffic, it will help if you have control over both sides of the link. You can also apply rate limiting to inbound traffic if you so choose; however, it will only work with TCP traffic.
!
interface Serial0/0
rate-limit input 1408000 8000 8000 conform-action transmit exceed-action drop

This will allow no more than 1408kbps through; any excess will be dropped. Again, this only works for TCP traffic, since dropped packets will cause the sender to back off and try again slower.

-b

Some Discussions

»[HELP] VOIP and data traffic with qos and vlan



got feedback?
Excellent example really clear to understand.

2009-03-09 03:31:39


by nozero, edited by aryoba
last modified: 2011-07-01 14:48:18

Thanks to mplex for the submission.

said by mplex:
Since I have done a lot of QoS at work lately, I wanted to post a good solution that home users can use to improve the performance of their high speed connection when your outbound traffic rate is congested. It could be congested due to P2P traffic, a home server or anything. Regardless, if your upstream traffic is congested (and that is likely with the pathetic upload speeds on most home connections), latency will increase and everything will be sluggish. Hopefully, this will help.

Below are two QoS queuing strategies for home users with slow uplinks on cable and DSL Internet. The first one is simple to implement and generally performs well (fair queuing). Fair queuing is complicated to explain but easy to understand. It divides traffic into flows and throttles heavy flows to allow room for smaller ones. In general, this will keep pings, ssh/telnet, VPN traffic etc. responsive while cutting back P2P traffic and other aggressive traffic to make room.

For all of this to work, you have to tell the router how much upstream bandwidth you have, otherwise it will think you have a 10mbit or 100mbit link rather than a 256k WAN link. The best way to achieve this that I have found is Hierarchical Class Based Weighted Fair Queuing (CBWFQ). It's a mouthful for sure, but in reality it is a simple, flexible system for implementing QoS.

The first solution does no classification at all, rather it implements the fair queueing strategy in hopes that it can differentiate between different traffic and give everything a fair share.

!! This policy sets up your general queuing strategy for your WAN interface, which is only fair-queue in this case

policy-map fair-queue-child
class class-default
fair-queue 128 !! 128 allows more active flows than default

!! This policy queues the above policy at a specified rate of 200k

policy-map fair-queue-parent
class class-default
shape average 200000
service-policy fair-queue-child

!! Apply the policy to the physical outbound interface on your router
interface Fa0
service-policy output fair-queue-parent

If you need to change the shape average rate to a lower number, you have to first remove and reapply the policy on the interface for it to take effect.

Note: The command shape average 200000 is extremely important. This is the rate at which outbound traffic will leave your router. This only takes into account IP packets, and none of the Ethernet/DOCSIS/PPP overhead that is included in that number your ISP quotes as your upload speed. You may also find that the amount of upstream bandwidth you can reliably get may vary depending on time of day. This is just your ISP cheating you and the downside of shared bandwidth. Regardless, you will need to tweak your speed to a rate you are happy with. I usually load up a P2P program, then start pinging a reliable router upstream. When it's all said and done, with my 384k connection, the above number of 200k is the only reliable amount of bandwidth I get in the area I live now, so don't be surprised to find out your ISP is no good. Here are the results I get without the fair-queue-parent policy applied:

60 packets transmitted, 60 received, 0% packet loss, time 59030ms
rtt min/avg/max/mdev = 371.506/989.091/1625.488/328.546 ms, pipe 2

As you can see, no packet loss, but performance was horrible.

Now here are the results with the policy applied:

60 packets transmitted, 60 received, 0% packet loss, time 59080ms
rtt min/avg/max/mdev = 41.084/150.854/614.971/123.688 ms

Here's the applied policy output: sh policy-map int fa0

FastEthernet0

Service-policy output: fair-queue-parent

Class-map: class-default (match-any)
2888 packets, 1763229 bytes
30 second offered rate 185000 bps, drop rate 2000 bps
Match: any
Traffic Shaping
Target/Average Byte Sustain Excess Interval Increment
Rate Limit bits/int bits/int (ms) (bytes)
200000/200000 2000 8000 8000 40 1000

Adapt Queue Packets Bytes Packets Bytes Shaping
Active Depth Delayed Delayed Active
- 63 2780 1638576 2768 1635385 yes

Service-policy : fair-queue-child

Class-map: class-default (match-any)
2888 packets, 1763229 bytes
30 second offered rate 185000 bps, drop rate 2000 bps
Match: any
Queuing
Flow Based Fair Queuing
Maximum Number of Hashed Queues 128
(total queued/total drops/no-buffer drops) 63/43/0

The average pings dropped to 150ms; that would be voice quality if it wasn't for the jitter. Still, most people will see a marked improvement implementing fair queuing. If you are a hardcore gamer or remote shell user, you won't be happy until performance is a consistent sub 100ms. For that, it gets a little more complicated.

You could do something like this:

!! Make an access list to match your game/shell traffic etc (This isn't enough to do it)
access-list 101 permit icmp any any
access-list 101 permit udp any any

!! Make a class for that traffic to match your ACLs
class-map match-any important
match access-group 101

!! Edit your existing policy to add the new class
policy-map fair-queue-child
class important
priority [or bandwidth] percent 50

Then remove and re-add the policy to the interface. See it working with the sh policy-map interface fa0 command.

That will set up a strict priority queue for that traffic and always service it first. The downside to using priority is that during times of congestion, priority acts as a policer and caps the traffic class to 50% of the total bandwidth under the parent policy. One way to get around this is setting priority at something like 80%. All the unused bandwidth will be shared proportionally among other classes including the default class. One thing to remember is that you can only have one priority queue. You need to use the bandwidth command under all other classes (otherwise, everything using priority will share the same queue). The bandwidth command uses a round robin mechanism to service the queues proportional to the percentage of bandwidth they have. The default class always gets what's left.

In the real world, the difference between priority and bandwidth is small and some routers don't support it. The policing action is enough to scare me away from using it for anything but udp traffic and small tcp traffic if at all. I also would not use it for large TCP packets since it will share space with your low latency traffic like game traffic and slow it down if it gets ahead of it in the queue.

Using a similar but more complicated strategy (it still queues low latency for icmp), I get these results with a fully congested link:

60 packets transmitted, 60 received, 0% packet loss, time 59075ms
rtt min/avg/max/mdev = 30.732/60.634/107.809/17.917 ms

So I cut my ping rates by more than half. The average ping rate with no traffic is about 40ms to that location, so there is roughly 20ms of overhead on a congested link. Those delays are more likely to be from the DOCSIS timings rather than my router, so this is likely the best performance I would think you could get. I can get a little better if I police my P2P traffic at a lower rate as seen below.

The policy below is the one I use. To be honest, it's a mess. Some of the descriptions are wrong and some traffic is probably in the wrong place, but that's because I've edited it so many times for my setup. I would only base your own policy loosely on this one and make your own classes. Just remember to have a maximum of 4 or so classes. Any more will have strange results. You have to think of how your traffic will compete for different classes at different times and whether you want that.

access-list 110 remark Management
access-list 110 permit icmp any any echo
access-list 110 permit icmp any any echo-reply
access-list 110 permit tcp any any range 22 telnet
access-list 110 permit tcp any range 22 telnet any
access-list 110 permit tcp any any eq 3389
access-list 110 permit tcp any eq 3389 any
access-list 110 deny udp any eq 10000 any !! I want VPN in a separate class
access-list 110 deny udp any any eq 10000
access-list 110 permit udp any any
!
access-list 120 remark VPN
access-list 120 permit udp any any eq 10000
!
access-list 130 remark Web
access-list 130 permit tcp any any eq www
access-list 130 permit tcp any eq www any
!
access-list 140 remark File Sharing (FS)
access-list 140 permit tcp any any range 6881 6886
access-list 140 permit tcp any range 6881 6886 any
access-list 140 permit tcp any any eq 2234
access-list 140 permit tcp any eq 2234 any
access-list 140 permit tcp any range 4661 4662 any
access-list 140 permit tcp any any range 4661 4662
access-list 140 permit tcp any any eq 1214
access-list 140 permit tcp any any eq 6880
access-list 140 permit tcp any eq 6880 any

class-map match-any nbar-fs
match protocol bittorrent
match protocol kazaa2
match protocol gnutella
match protocol fasttrack
match protocol edonkey
match access-group 140

class-map match-all class2
description [VPN/UDP]
match access-group 120

class-map match-all class3
description [web traffic/other tcp]
match access-group 130

class-map match-all class1
description [SSH/ICMP/RDP]
match access-group 110

policy-map shaped
class nbar-fs
bandwidth percent 5
police cir 140000 bc 1500
conform-action transmit
exceed-action drop
violate-action drop
class class1
priority percent 30
class class2
bandwidth percent 30
queue-limit 16
class class3
bandwidth percent 25
queue-limit 32
class class-default
fair-queue

policy-map shaper
class class-default
shape average 220000
service-policy shaped

interface FastEthernet0
description [WAN-Comcast]
service-policy output shaper



Sample Configuration
»Cisco Forum FAQ »Router runs VoIP, Bit Torrent, Online Gaming; DynDNS - QoS Sample Configuration

Discussion
»1760s+T1 QoS not working?


got feedback?
Please… Please… Please… tell me what router you are using because I need to apply this to my church network ASAP but most of the routers I have used either do not allow me to apply a queuing policy-map into a policing policy-map or they do not allow me to apply the nested policy-map to a FastEthernet interface. My email is rauli75@hotmail.com, awaiting for your reply.

2010-06-15 02:50:39


by aryoba
last modified: 2010-05-19 13:19:37

Suggested prerequisite reading
»Cisco Forum FAQ »How do I configure QoS for VoIP?
»Cisco Forum FAQ »Improving Performance of Cable/DSL Internet using QoS

The biggest challenge in running a BitTorrent application is that it is very bandwidth-hungry. If your Internet router is doing NAT/PAT, you can also see how extensively BitTorrent applications use the NAT/PAT process and fill up the NAT/PAT table very quickly. In the end, your router might not be able to keep up and then fail to work.

Since BitTorrent is so bandwidth-hungry, the key to a manageable network connection is to apply Quality of Service (QoS). QoS is especially significant when you run high-priority applications such as Voice over IP (VoIP) and public servers providing (as an example) web and mail services.

Following is a sample configuration using CBWFQ (Class-Based Weighted Fair Queueing) QoS showing how to keep a network connection manageable when the network runs BitTorrent, VoIP, and other applications such as online gaming. The sample configuration should work on any Cisco router platform that meets the following prerequisites. This configuration has been applied to a cheap 827 router and works fine.

Pre-requisites:
* The router runs an IOS image supporting CBWFQ QoS
* The router supports named ACLs
* The router has a 12.4 IOS (not sure about other versions, feel free to try and let me know)

The configuration assumes you assign the IP range 192.168.254.0/24 to the LAN:
* 192.168.254.129 to 192.168.254.191 are assigned by DHCP to machines without static IPs
* 192.168.254.11 is assigned to the VoIP ATA (in the example below, a Wengo ATA called Wenbox)
* 192.168.254.1 is my server for DNS, WINS, NTP and TFTP. Replace with the correct IPs (local LAN or your ISP addresses)

Notes on Outbound Policy Shaping Implementation:
* Ethernet0 is the LAN-side physical interface that receives the traffic
* ATM0 is the WAN-side physical interface that sends the traffic out to the ISP
* Dialer1 is the WAN-side logical interface that controls the Layer-2/3 (PPP and IP) management of the ATM0 interface
* You need to implement outbound policy shaping on the physical interface to actually execute the queueing/shaping/policing functions. In this sample configuration, outbound policy shaping is on the ATM0 interface
* Since the physical interface has a specific PVC setting, the outbound policy shaping configuration is available under the PVC configuration
* Should your router have the PVC configuration under a sub-interface, then you have to configure the outbound policy shaping on that sub-interface
* In some IOS versions, you need to specify the cbr value to make the outbound policy shaping configuration visible, as noted in this sample configuration
* Implementing outbound policy shaping on the Dialer1 interface (or any logical WAN interface) won't make a difference. The issue is that once the data has been encapsulated into PPPoX (PPPoA or PPPoE), there is no proper identification as the traffic goes out the Dialer interface. Tagging the packets with a unique precedence or DSCP value as they come into the inside interface, prior to encapsulation, should provide the ability for proper decision making as the packets exit the outside interface.

Sample Configuration

service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname XXXXXXX
!
logging buffered 64000 debugging
no logging console
enable secret ENABLESECRET
enable password ENABLEPASSWORD
!
clock timezone CET 1
clock summer-time CEDT recurring 1 Sun Apr 3:00 last Sun Oct 3:00
!
no ip source-route
no ip dhcp use vrf connected
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.254.1 192.168.254.128
ip dhcp excluded-address 192.168.254.192 192.168.254.254
!
ip dhcp pool Local-LAN
network 192.168.254.0 255.255.255.0
! Assign 192.168.254.1 as DNS Server
dns-server 192.168.254.1
! Assign 192.168.254.1 as WINS Server
netbios-name-server 192.168.254.1
default-router 192.168.254.254
domain-name chezmoi.com
netbios-node-type h-node
! Assign 192.168.254.1 as NTP Server
option 42 ip 192.168.254.1
! Assign 192.168.254.1 as Boot/TFTP Server
option 66 ascii "192.168.254.1"
!
ip dhcp pool Wengo-ATA
host 192.168.254.11 255.255.255.0
! Replace by Wengo 01+ATA Mac Address
client-identifier 0100.0cc3.3221.17
! WARNING SOME ATAs request the DHCP address with their MAC directly.
! In that case use line below and replace by your ATA MAC address
hardware-address 000c.c332.2117
! Replace second and 3rd by your ISP DNS server address
dns-server 192.168.254.1 212.94.174.85 212.94.174.86
!
ip cef
!
ip domain name chezmoi.com
ip name-server 192.168.254.1
no ip bootp server
ip ftp source-interface Ethernet0
!
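ip ddns update method DynDNS-Eric
HTTP
! When typing this URL at the CLI, press Ctrl-V before the "?" so IOS does not treat it as a help request
add http://dyndnslogin:dyndnspassword@<s>/nic/update?system=dyndns&hostname=<h>&myip=<a>
interval maximum 28 0 0 0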
!
vpdn enable
!
ip access-list extended BitTorrent
remark --- BitTorrent default ports
permit tcp any range 6881 6889 any
permit udp any range 6881 6889 any
permit tcp any any range 6881 6889
permit udp any any range 6881 6889
!
ip access-list extended CityOfHeroes
permit ip 192.168.254.0 0.0.0.255 216.107.254.0 0.0.0.255
permit ip 192.168.254.0 0.0.0.255 216.107.240.0 0.0.15.255
!
ip access-list extended FTP
remark --- FTP traffic from LAN to FTP servers
permit tcp 192.168.254.0 0.0.0.255 any range ftp-data ftp
!
ip access-list extended ICMP
remark --- ICMP from LAN
permit icmp 192.168.254.0 0.0.0.255 any
!
ip access-list extended LAN-IPsec
remark --- IPSec traffic from LAN
permit udp 192.168.254.0 0.0.0.255 any eq 10001
permit udp 192.168.254.0 0.0.0.255 any eq isakmp
!
ip access-list extended Local-LANs
remark --- permit DHCP
permit udp any eq bootpc any
permit udp any any eq bootps
remark --- permit local LAN
permit ip 192.168.254.0 0.0.0.255 any
remark --- deny the rest and log
deny ip any any log
!
ip access-list extended Outbound-DNS
remark --- outbound DNS queries
permit udp 192.168.254.0 0.0.0.255 any eq domain
!
ip access-list extended Skype
remark --- Skype traffic
permit udp any eq 44330 any
!
ip access-list extended Telnet-Traffic
remark --- any telnet traffic
permit tcp any any eq telnet
permit tcp any eq telnet any
!
ip access-list extended WWW-and-SSL
remark --- deny eMule traffic
deny udp any eq 4672 any
deny tcp any eq 4662 any
remark --- deny BitTorrent traffic
deny tcp any range 6881 6889 any
deny udp any range 6881 6889 any
remark --- permit http and https traffic
permit tcp any any eq www
permit tcp any any eq 443
!
ip access-list extended Wengo-ATA
remark --- traffic from Wengo's ATA box
permit ip host 192.168.254.11 any
!
ip access-list extended eMule
remark --- eMule default ports
permit udp any eq 4672 any
permit tcp any eq 4662 any
permit udp any any eq 4672
permit tcp any any eq 4662
!
ip access-list extended to-SIP-servers
remark --- traffic to any SIP server
permit udp 192.168.254.0 0.0.0.255 any eq 5060
!
class-map match-any VoIP-Class-Inbound
match access-group name Wengo-ATA
match access-group name Skype
match access-group name to-SIP-servers
!
class-map match-any Hi-Class-Inbound
match access-group name Outbound-DNS
match access-group name Telnet-Traffic
match access-group name CityOfHeroes
!
class-map match-any Med-Class-Inbound
match access-group name WWW-and-SSL
match access-group name ICMP
match access-group name FTP
!
class-map match-any Lo-Class-Inbound
match access-group name eMule
match access-group name BitTorrent
!
policy-map Packet-Tagging
class VoIP-Class-Inbound
set precedence 5
class Hi-Class-Inbound
set precedence 4
class Med-Class-Inbound
set precedence 3
class Lo-Class-Inbound
police 10000 2000 2000 conform-action set-prec-transmit 2 exceed-action set-prec-transmit 1
class class-default
set ip precedence 1
!
interface Ethernet0
description --- Internal LAN
ip address 192.168.254.254 255.255.255.0
ip access-group Local-LANs in
no ip redirects
ip nat inside
ip virtual-reassembly
load-interval 30
fair-queue
service-policy input Packet-Tagging
hold-queue 100 out
!
class-map match-any VoIP-Class-Outbound
match ip precedence 5
!
class-map match-any Hi-Class-Outbound
match ip precedence 4
!
class-map match-any Med-Class-Outbound
match ip precedence 3
!
class-map match-any Lo-Class-Outbound
match ip precedence 2
match ip precedence 1
!
policy-map Packet-Queueing
class VoIP-Class-Outbound
priority 64
class Hi-Class-Outbound
bandwidth remaining percent 50
random-detect
random-detect exponential-weighting-constant 8
random-detect precedence 4 20 60 20
class Med-Class-Outbound
bandwidth remaining percent 25
random-detect
random-detect exponential-weighting-constant 8
random-detect precedence 3 15 30 15
class Lo-Class-Outbound
bandwidth remaining percent 25
random-detect
random-detect exponential-weighting-constant 3
random-detect precedence 1 1 15 3
random-detect precedence 2 10 20 10
!
interface ATM0
no ip address
load-interval 30
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
pvc Cegetel 8/35
cbr 160
encapsulation aal5mux ppp dialer
dialer pool-member 1
service-policy output Packet-Queueing
!
!
interface Dialer1
bandwidth 160
ip ddns update hostname YouDynDNSHostName
ip ddns update DynDNS-Eric host members.dyndns.org
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
ppp authentication chap callin
ppp chap hostname YourPPPoA_Username
ppp chap password YourPPPoA_password
max-reserved-bandwidth 100
!
ip local policy route-map Local-Tagging
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
!
ip nat translation port-timeout udp 40080 60
ip nat translation port-timeout udp 4672 180
ip nat translation port-timeout tcp 4662 180
ip nat inside source list Networks_2B_NATed interface Dialer1 overload
ip nat inside source static udp 192.168.254.11 5070 interface Dialer1 5070
ip nat inside source static udp 192.168.254.11 10000 interface Dialer1 10000
ip nat inside source static udp 192.168.254.11 10001 interface Dialer1 10001
!
ip access-list standard Allowed-Telnet-Clients
permit 192.168.254.0 0.0.0.255
deny any log
ip access-list standard DenyAll
deny any log
ip access-list standard Networks_2B_NATed
permit 192.168.254.0 0.0.0.255
!
snmp-server community public RO DenyAll
snmp-server enable traps tty
!
route-map Local-Tagging permit 20
description --- Telnet traffic goes in High Class
match ip address Telnet-Traffic
set ip precedence 4
!
route-map Local-Tagging permit 40
description --- The rest goes in Medium class
set ip precedence 3
!
alias exec voipnat sh ip nat tra | inc 192.168.254.11
!
line con 0
access-class DenyAll in
access-class DenyAll out
password LinePassword
login
transport output none
stopbits 1
speed 115200
line vty 0 4
access-class Allowed-Telnet-Clients in
access-class DenyAll out
password LinePassword
login
transport input telnet
transport output none
!
sntp server 192.168.254.1
 

The following is the relevant sample configuration for routers with WAN sub-interfaces; the rest of the configuration is the same as above.

interface ATM0
no ip address
load-interval 30
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
!
interface ATM0.35 point-to-point
pvc Cegetel 8/35
cbr 384
dialer pool-member 1
service-policy output Packet-Queueing
 

Note:
Peer-to-Peer (P2P) protocols such as BitTorrent and eMule/eDonkey can use any TCP/UDP port numbers, not only ports 6881 to 6889 for BitTorrent or ports 4662/4672 for eMule/eDonkey. You may therefore need to implement NBAR (Network Based Application Recognition) to control P2P traffic more reliably. Check out the following FAQ for more info.

»Cisco Forum FAQ »Restrict Traffic Flow including P2P (Peer to Peer) using NBAR: An Overview
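
The limit of port-based matching described in this note can be checked offline. The following Python code is an added example, not part of the original FAQ: it replays the class order of policy-map Packet-Tagging and the ACLs of the sample configuration over constructed flows. The 203.0.113.x and 198.51.100.x peers and the non-default port numbers are made-up sample values.

```python
import ipaddress

net = ipaddress.ip_network
ANY, LAN, ALL = net("0.0.0.0/0"), net("192.168.254.0/24"), (0, 65535)

def ace(action, proto, src=ANY, sport=ALL, dst=ANY, dport=ALL):
    """One ACL entry; port ranges are inclusive, so 'eq N' is (N, N)."""
    return (action, proto, src, sport, dst, dport)

def both_ways(proto, ports):
    """The 'any <ports> any' plus 'any any <ports>' permit pair used by several ACLs."""
    return [ace("permit", proto, sport=ports), ace("permit", proto, dport=ports)]

# ACLs transcribed from the sample configuration (all-permit ACLs are order-insensitive).
ACLS = {
    "Wengo-ATA": [ace("permit", "ip", src=net("192.168.254.11/32"))],
    "Skype": [ace("permit", "udp", sport=(44330, 44330))],
    "to-SIP-servers": [ace("permit", "udp", src=LAN, dport=(5060, 5060))],
    "Outbound-DNS": [ace("permit", "udp", src=LAN, dport=(53, 53))],
    "Telnet-Traffic": both_ways("tcp", (23, 23)),
    "CityOfHeroes": [ace("permit", "ip", src=LAN, dst=net("216.107.254.0/24")),
                     ace("permit", "ip", src=LAN, dst=net("216.107.240.0/20"))],
    "WWW-and-SSL": [ace("deny", "udp", sport=(4672, 4672)), ace("deny", "tcp", sport=(4662, 4662)),
                    ace("deny", "tcp", sport=(6881, 6889)), ace("deny", "udp", sport=(6881, 6889)),
                    ace("permit", "tcp", dport=(80, 80)), ace("permit", "tcp", dport=(443, 443))],
    "ICMP": [ace("permit", "icmp", src=LAN)],
    "FTP": [ace("permit", "tcp", src=LAN, dport=(20, 21))],
    "eMule": both_ways("udp", (4672, 4672)) + both_ways("tcp", (4662, 4662)),
    "BitTorrent": both_ways("tcp", (6881, 6889)) + both_ways("udp", (6881, 6889)),
}

# Classes of policy-map Packet-Tagging in configured order, with the precedence they set.
POLICY = [
    ("VoIP-Class-Inbound", ["Wengo-ATA", "Skype", "to-SIP-servers"], 5),
    ("Hi-Class-Inbound", ["Outbound-DNS", "Telnet-Traffic", "CityOfHeroes"], 4),
    ("Med-Class-Inbound", ["WWW-and-SSL", "ICMP", "FTP"], 3),
    ("Lo-Class-Inbound", ["eMule", "BitTorrent"], 2),  # 2 while conforming, 1 when exceeding
]

def acl_permits(name, flow):
    """First matching entry decides; no match at all is the implicit deny."""
    proto, src, sport, dst, dport = flow
    for action, p, snet, sp, dnet, dp in ACLS[name]:
        ip_ok = ipaddress.ip_address(src) in snet and ipaddress.ip_address(dst) in dnet
        port_ok = p not in ("tcp", "udp") or (sp[0] <= sport <= sp[1] and dp[0] <= dport <= dp[1])
        if p in ("ip", proto) and ip_ok and port_ok:
            return action == "permit"
    return False

def classify(flow):
    """Return (class, precedence) for a flow entering Ethernet0; first matching class wins."""
    for cls, acls, prec in POLICY:
        if any(acl_permits(a, flow) for a in acls):
            return cls, prec
    return "class-default", 1

# Constructed flows: (protocol, source IP, source port, destination IP, destination port).
FLOWS = {
    "ATA RTP": ("udp", "192.168.254.11", 10000, "203.0.113.10", 16384),
    "ATA DNS query": ("udp", "192.168.254.11", 40000, "212.94.174.85", 53),
    "BitTorrent, default port": ("tcp", "192.168.254.130", 6881, "198.51.100.7", 51413),
    "BitTorrent, peer on 443": ("tcp", "192.168.254.130", 51413, "198.51.100.7", 443),
    "BitTorrent, random ports": ("tcp", "192.168.254.130", 51413, "198.51.100.7", 50001),
}

if __name__ == "__main__":
    for label, flow in FLOWS.items():
        print(f"{label:26} -> {classify(flow)}")
```

The flow to a peer on port 443 is tagged precedence 3 by WWW-and-SSL and the flow on random ports falls to class-default, so neither reaches the Lo-Class-Inbound policer. Every packet from the ATA, DNS included, is tagged precedence 5 because Wengo-ATA is matched first.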

More sample configurations and discussions

»[Config] Question about Cisco 1812 optimization
»[HELP] Cisco 877 VOIP QoS & ASA5505
»[Config] Question about QoS Priority and Policing
»Priority Queue - Threshold other traffic denied service..
»[Config] Setting up QOS/prioritisation on an 877
»[Config] QoS+VoIP on a Cisco - sample config
»VoIP issues with my Cisco 831. (torrents & pulsing voice)
»Can you configure LLQ on 871 with Web Interface
»Getting an Internet 10Meg Ethernet from ATT
»[PBX] Finally!!! (Good Incoming/Outgoing Calls w/o Dropouts)


by LilYoda, edited by aryoba
last modified: 2012-04-04 12:37:08

LLQ (Shaping) Sample Configuration
»www.cisco.com/en/US/tech/tk1077/···1b.shtml
»www.cisco.com/en/US/tech/tk39/tk···e5.shtml

Between Traffic Shaping and Policing
»www.cisco.com/en/US/tech/tk543/t···25.shtml

Enterprise QOS Solution Reference, Network Design Guide (pdf)
»www.cisco.com/application/pdf/en···b062.pdf


by aryoba
last modified: 2007-06-04 15:29:16

Discussion

»Getting output drops on full T1 with ATT

Official Cisco website link

Troubleshooting Input Queue Drops and Output Queue Drops

Note:
Maximizing the hold-queue on a router interface may or may not be applicable to a specific situation, as mentioned in the official Cisco link above. Proper QoS (Quality of Service) configuration, in addition to maximizing the hold-queue buffer size, is therefore suggested to avoid problems.


by aryoba
last modified: 2011-02-02 08:18:52

Auto QoS
»Unexpected side effect of turning QOS on

QoS and WIC-1ADSL module
»Low Latency Queueing Problem With PPPOE(OA?)

by aryoba
last modified: 2009-10-09 12:06:06

Contribution of Covenant

To work with SIP phones, SCCP phones and a GSM gateway to use a SIP trunk from an ITSP

1.) Allow H.323 to H.323, SIP to SIP and between each other, and set the domain for the ITSP. A translation rule to discard the "9" is also set up below:

voice service voip 
 ! Allows the placement of calls between disparate call signalling protocols.
 allow-connections h323 to h323
 allow-connections h323 to sip
 allow-connections sip to h323
 allow-connections sip to sip
 redirect ip2ip
 sip
  ! Packets used in the SIP protocol to be sourced off this interface.
  bind control source-interface FastEthernet0/0.1
  bind media source-interface FastEthernet0/0.1
  registrar server expires max 300 min 60
  ! Changes the local host to match the domain of the ITSP otherwise authentication 
  ! failures are seen.
  localhost dns:voipcheap.com 
!
! Remove the 9 from the beginning of the dial string
voice translation-rule 1
 rule 1 /\(^9\)/ //
!
!
! Translate called numbers, therefore destination numbers
voice translation-profile DiscardDigit9
 translate called 1
 

2.) Setup SIP user agent configuration parameters.

sip-ua
 ! Username and password for SIP ITSP's service as well as domain (realm). 
 credentials username cccc password cccc realm voipcheap.com
 authentication username cccc password cccc realm voipcheap.com
 nat symmetric role passive
 nat symmetric check-media-src
 srv version 1
 retry options 0
 ! Primary registrar service mentions the actual domain for the ITSP and not the SIP
 ! server.
 registrar dns:voipcheap.com expires 3600
 

4.) A dial-peer is created as a SIP trunk to the SIP server within voipcheap.com's domain and also to the GSM-VoIP gateway.

dial-peer voice 100 voip
 description SIP trunk to sip.voipcheap.com 
 translation-profile outgoing DiscardDigit9
 destination-pattern 9T
 ! Set dial-peer to use SIP as call signalling.
 session protocol sipv2
 ! Host to send SIP messages to is sip.voipcheap.com.
 session target dns:sip.voipcheap.com
 dtmf-relay rtp-nte sip-notify
 ! Use G.711u exclusively.
 codec g711ulaw
 ! Disable VAD.
 no vad
 

Contribution of ladino

1) Configure Voice mail via your Provider

!
telephony-service
 voicemail *123
!
! Assuming *123 is the # to reach voice mail
!
dial-peer voice 2 voip
 description Voicemail
 destination-pattern *123
 session protocol sipv2
 session target dns:chiv1.voipstreet.com
 dtmf-relay rtp-nte
 codec g711ulaw
 no vad
 

2) Configure Outbound CLID

!
voice translation-rule 8
 rule 1 /302/ /xxxyyyzzz/
!
!xxxyyyzzz  The clid you would like to present
!
voice translation-profile Local-CLID
 translate calling 8
!
!
dial-peer voice 1 voip
 translation-profile outgoing Local-CLID
 

3) CFNA - Voice Mail
Inbound calls still just ring and ring until going to a busy signal since there's no voicemail with CME

!
ephone-dn  2  dual-line  
  number 301
  call-forward noan *123 timeout 18
!
ephone-dn  3  dual-line  
  number 302
  call-forward noan *123 timeout 18
!  
 

4) B-ACD
Create a Ring Group & Basic Auto Attendant
When you call the number you can enter the extension directly or hold on the line for an operator (ring all phones)

Cisco CME Basic Automatic Call Distribution and Cisco Unity Express Auto Attendant Interoperation Configuration Example

5) Paging group

!
ephone-dn  6
 description Paging
 number 111
 paging ip 239.0.1.20 port 2000
!
ephone  1  
  paging-dn 6  
!    
!  
ephone  2 
  paging-dn 6  
!  
!  
ephone  3  
  paging-dn 6
!
 

More Sample Configurations

»[Config] CallManager Express / IOS Telephony config
»[Info] 2800 as a resedential gateway?

Discussions
»Cisco 2621XM
»[voice] unknown number when dialing
»[HELP] Callmanager Express can not call or be called after regis
»[HELP] cisco cme over vpn


by aryoba
last modified: 2009-08-16 07:30:55

sep(mac-address).cnf.xml for 7960 running 8.8 SIP

# SIP Configuration Generic File (start)  
 
# Proxy Server  
proxy1_address: "0.0.0.0"  
proxy2_address: "0.0.0.0"  
proxy3_address: "0.0.0.0"  
#proxy4_address: "0.0.0.0"  
#proxy5_address: "0.0.0.0"  
#proxy6_address: "0.0.0.0"  
    
# Line 1 Settings  
line1_name: ""                     ; Line 1 Extension\User ID  
line1_displayname: ""           ; Line 1 Display Name  
line1_shortname: ""  
line1_authname: "UNPROVISIONED"         ; Line 1 Registration Authentication  
line1_password: "UNPROVISIONED"        ; Line 1 Registration Password  
    
# Line 2 Settings  
line2_name: ""                          ; Line 2 Extension\User ID  
line2_displayname: ""                   ; Line 2 Display Name  
line2_shortname: ""  
line2_authname: "UNPROVISIONED"         ; Line 2 Registration Authentication  
line2_password: "UNPROVISIONED"         ; Line 2 Registration Password  
    
# Line 3 Settings  
line3_name: ""                          ; Line 3 Extension\User ID  
line3_displayname: ""                   ; Line 3 Display Name  
line3_shortname: ""  
line3_authname: "UNPROVISIONED"        ; Line 3 Registration Authentication  
line3_password: "UNPROVISIONED"         ; Line 3 Registration Password  
    
# Line 4 Settings  
line4_name: ""                          ; Line 4 Extension\User ID  
line4_displayname: ""                   ; Line 4 Display Name  
line4_shortname: ""  
line4_authname: "UNPROVISIONED"        ; Line 4 Registration Authentication  
line4_password: "UNPROVISIONED"         ; Line 4 Registration Password  
    
# Line 5 Settings  
line5_name: ""                          ; Line 5 Extension\User ID  
line5_displayname: ""                   ; Line 5 Display Name  
line5_authname: "UNPROVISIONED"         ; Line 5 Registration Authentication  
line5_password: "UNPROVISIONED"         ; Line 5 Registration Password  
    
# Line 6 Settings  
line6_name: ""                          ; Line 6 Extension\User ID  
line6_displayname: ""                   ; Line 6 Display Name  
line6_authname: "UNPROVISIONED"         ; Line 6 Registration Authentication  
line6_password: "UNPROVISIONED"         ; Line 6 Registration Password  
    
# Emergency Proxy info  
proxy_emergency: ""  
proxy_emergency_port: "5060"  
    
# Backup Proxy info  
proxy_backup: ""  
proxy_backup_port: "5060"  
    
# Outbound Proxy info  
outbound_proxy: ""  
outbound_proxy_port: "5060"  
    
# NAT/Firewall Traversal  
nat_enable: "0"  
nat_address: ""  
voip_control_port: "5060"  
start_media_port: "21000"  
end_media_port:  "32766"  
nat_received_processing: "0"  
    
# Phone Label (Text desired to be displayed in upper right corner)  
phone_label: "Phone Label"            ; Has no effect on SIP messaging  
    
# Time Zone phone will reside in  
time_zone: CST  
    
# Telnet Level (enable or disable the ability to telnet into this phone)
telnet_level: "2"      ; 0-Disabled (default), 1-Enabled, 2-Privileged  
    
# Phone prompt/password for telnet/console session  
#phone_prompt: "Go Away"                              ; Telnet/Console Prompt  
#phone_password: "moo"                          ; Telnet/Console Password  
    
# Enable_VAD (1-enabled, 0-disabled)  
enable_vad: "0"  
    
# Network Media Type (auto, full100, full10, half100, half10)  
network_media_type: "auto"  
user_info: phone  
    
# URL for external Directory location  
logo_url: "http://path/to/image.bmp"                    ; URL for branding logo to be used on phone display  
    
# SIP Configuration Generic File (stop)
 

<device>  
<Default>   
<callManagerGroup>   
<members>   
<member priority="0">   
<callManager>   
<ports>   
<ethernetPhonePort>2000</ethernetPhonePort>   
<sipPort>5060</sipPort>  
<securedSipPort>5061</securedSipPort>  
</ports>   
<processNodeName>!!!!! SIP SERVER !!!!!</processNodeName>   
</callManager>   
</member>   
</members>   
</callManagerGroup>  
<loadInformation434 model="Cisco 7942"></loadInformation434>  
</Default>   
<deviceProtocol>SIP</deviceProtocol>  
<sshUserId>admin</sshUserId>  
<sshPassword>admin</sshPassword>  
<devicePool>  
<dateTimeSetting>  
<dateTemplate>D/M/Y</dateTemplate> <!-- adding "a" after the Y shows time in 12-hour mode, i.e. D/M/Ya -->
<timeZone>!!!!! TIME ZONE !!!!!</timeZone>  
<ntps>   
<ntp>   
<name>!!!!! NTP SERVER !!!!!</name>   
<ntpMode>Unicast</ntpMode>   
</ntp>   
</ntps>   
</dateTimeSetting>  
<callManagerGroup>  
<members>  
<member priority="0">  
<callManager>  
<ports>  
<ethernetPhonePort>2000</ethernetPhonePort>  
<sipPort>5060</sipPort>  
<securedSipPort>5061</securedSipPort>  
</ports>  
<processNodeName>!!!!! SIP SERVER !!!!!</processNodeName>  
</callManager>  
</member>  
</members>  
</callManagerGroup>  
</devicePool>  
<sipProfile>  
<sipProxies>  
<backupProxy></backupProxy>   
<backupProxyPort></backupProxyPort>   
<emergencyProxy></emergencyProxy>   
<emergencyProxyPort></emergencyProxyPort>   
<outboundProxy></outboundProxy>   
<outboundProxyPort></outboundProxyPort>   
<registerWithProxy>true</registerWithProxy>   
</sipProxies>  
<enableVad>false</enableVad>  
<preferredCodec>g729a</preferredCodec>  
<natEnabled>!!!!! TRUE/FALSE !!!!!</natEnabled>   
<natAddress></natAddress>   
<phoneLabel>!!!!! LINE LABEL !!!!!</phoneLabel>  
<sipLines>  
<line button="1">
<featureID></featureID>  
<featureLabel></featureLabel>  
<proxy>!!!!! SIP SERVER !!!!!</proxy>  
<port>5060</port>  
<name>09518096</name>  
<displayName>V-Spec</displayName>  
<autoAnswer>  
<autoAnswerEnabled>2</autoAnswerEnabled>  
</autoAnswer>  
<callWaiting>3</callWaiting>  
<authName>!!!!! USERNAME !!!!!</authName>  
<authPassword>!!!!! PASSWORD !!!!!</authPassword>  
<sharedLine>false</sharedLine>  
<messageWaitingLampPolicy>3</messageWaitingLampPolicy>  
<messagesNumber>!!!!! SIP PHONE NUMBER!!!!!</messagesNumber>  
<ringSettingIdle>4</ringSettingIdle>  
<ringSettingActive>5</ringSettingActive>  
<contact>!!!!! SIP PHONE NUMBER !!!!!</contact>  
<forwardCallInfoDisplay>  
<callerName>true</callerName>  
<callerNumber>false</callerNumber>  
<redirectedNumber>false</redirectedNumber>  
<dialedNumber>true</dialedNumber>  
</forwardCallInfoDisplay>  
</line>  
</sipLines>  
<voipControlPort>5060</voipControlPort>   
<dscpForAudio>184</dscpForAudio>   
<ringSettingBusyStationPolicy>0</ringSettingBusyStationPolicy>   
</sipProfile>  
<loadInformation>SIP42.8-5-2S</loadInformation>  
<directoryURL></directoryURL>  
<messagesURL>!!!!! SIP SERVER !!!!!</messagesURL>  
<servicesURL></servicesURL>  
<networkLocale>!!!!! LOCALE !!!!!</networkLocale>   
<networkLocaleInfo>   
<name>!!!!! LOCALE !!!!!</name>   
</networkLocaleInfo>   
</device> 
 


by aryoba
last modified: 2010-06-09 11:32:04

»CRS scripting

by aryoba

Sample Configurations

Dial Peer Configuration Examples

Discussions

»Help with 5 router Frame Relay Config
»Accept Local call and Restrict long distance all
»[voice] unknown number when dialing


by aryoba
last modified: 2010-08-08 07:26:07

Discussion

»MGCP gateway registration issues
»[Config] MGCP / CCM-MANAGER Source Address

by aryoba
last modified: 2011-02-02 08:26:30

