LilYoda Feline with squirel personality disorder Premium join:2004-09-02 Mountains
reply to ugalosh, Re: [Config] QoS+VoIP on a Cisco - sample config
said by ugalosh: The posts above all contain: "EDIT: made a simpler version using precedence instead of DSCP". Is that the version posted? Kinda new at this and trying to comprehend it all. Working to try to find a version of IOS for my 2600 that has the 'police' command in policy-map, with very little success.
Yes, I was using DSCP in the past, but found out precedence works just as well, and precedence numbers are easier to follow than DSCP ones.
police statements work on any 2600/3600/3700/4500 with a 12.2.24 IOS (IP PLUS versions, the ones with "-is-" in the name). I think you also have to turn "ip cef" on before you can access the police statement.
I think it works on 1720s too, but almost sure that policy nesting doesn't work on 800 chassis.
LilYoda Feline with squirel personality disorder Premium join:2004-09-02 Mountains
reply to rolande
said by rolande: I believe that the police command under policy-maps was included in a later 12.2T train code or 12.3. Otherwise you can use cascaded rate-limit commands to do the same thing. When you set a rate-limit and an exceed-action of drop, anything beyond the threshold gets policed automatically.
True... However, there are 2 differences between police and rate-limit on an interface:
1) rate-limit on an interface needs an ACL. In my case, I have 1 ACL per type of traffic, then I bundled all the ACLs in a class-map. It makes it a LOT easier to move one type of traffic between classes, or to add a new type of traffic to a class.
2) the police statements are not here to drop the traffic, but to recolor it. Then the queueing engine (WRED) treats traffic that's exceeding its bandwidth more aggressively. If you dropped anything above a specific bandwidth, then you'd waste the bandwidth assigned to classes not in use.
In my case, I wanted to reserve 72 Kbps to VoIP, but the remaining 171 Kbps to be shared between 3 classes of data traffic. That means that if I am not sending anything that gets colored as HI or MED class, the LO class uses all the 171 Kbps bandwidth. But most of its traffic is colored with precedence 1 instead of precedence 2 (only 43 Kbps get colored with precedence 2).
So the WRED queueing engine is more aggressive towards precedence 1 than precedence 2 (cause I configured it like that). Then if I start sending say some MED traffic, it gets colored as Prec. 4 up to 43 Kbps and Prec. 3 above...
So in the end, the WRED sends packets out in the order of precedence 4, 2, then 3, then 1... Meaning it's very likely the exceeding prec. 1 traffic will be dropped by WRED, and some of the Prec. 3 as well.
I'm not sure I'm making this very clear. I know it's a weird concept... Let me know if more info is needed, or if I'm the only one to understand my post
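Added example (not LilYoda's posted config, and not from anyone in this thread) of the recolor-then-WRED idea described above: one ACL per traffic type bundled into class-maps, a police statement that marks rather than drops above 43 Kbps, and an outbound queue with 72 Kbps priority for VoIP and lower WRED thresholds for the "exceeding" precedence of each class. ACL contents, class and interface names, and burst sizes are assumptions.

```cisco
! Constructed example, not LilYoda's posted config; ACL contents, class
! names, interface names and burst sizes are assumptions.
ip cef
ip access-list extended VoIP-Traffic
 permit udp any any range 16384 32767
ip access-list extended Med-Traffic
 permit tcp any any eq 443
ip access-list extended Lo-Traffic
 permit tcp any any eq 80
! One ACL per traffic type, bundled into a class-map: moving a traffic
! type between classes only means pointing a different class at its ACL.
class-map match-any Med-Class
 match access-group name Med-Traffic
class-map match-any Lo-Class
 match access-group name Lo-Traffic
! Inbound from the LAN: the policer never drops. The first 43 Kbps of
! each class keeps its "good" precedence; the excess is sent one lower.
policy-map Color-Inbound
 class Med-Class
  police 43000 8000 8000 conform-action set-prec-transmit 4 exceed-action set-prec-transmit 3
 class Lo-Class
  police 43000 8000 8000 conform-action set-prec-transmit 2 exceed-action set-prec-transmit 1
class-map match-any VoIP-Class-Outbound
 match access-group name VoIP-Traffic
class-map match-any Med-Class-Outbound
 match ip precedence 3 4
class-map match-any Lo-Class-Outbound
 match ip precedence 1 2
! Outbound on the WAN link: 72 Kbps strict priority for VoIP, the rest
! shared. WRED thresholds are lower for precedence 3 and 1, so the
! "exceeding" packets of each class are dropped first under congestion.
policy-map Packet-Queueing
 class VoIP-Class-Outbound
  priority 72
 class Med-Class-Outbound
  bandwidth remaining percent 50
  random-detect prec-based
  random-detect precedence 4 15 30 15
  random-detect precedence 3 1 15 3
 class Lo-Class-Outbound
  bandwidth remaining percent 50
  random-detect prec-based
  random-detect precedence 2 15 30 15
  random-detect precedence 1 1 15 3
interface FastEthernet0/0
 service-policy input Color-Inbound
interface Serial0/0
 service-policy output Packet-Queueing
```

Because the policer only remarks, an idle class's share of the 171 Kbps stays usable by the others; WRED, not the policer, decides what gets dropped when the link fills.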
ultatryon join:2002-04-10 Waterford, CT
reply to LilYoda
I just made a derivative configuration based on this information on a 1720 w/ a WIC-1ENET running 12.2(4)YA6 (Feature Set K9O3SY7).
So, I can definitely vouch that it runs on a 1720.
Oh, and to bump this back to the top
LilYoda Feline with squirel personality disorder Premium join:2004-09-02 Mountains
reply to LilYoda
w0000t
plm2005 join:2005-03-25 Bulgaria
reply to LilYoda
Hi LilYoda, I have some questions on how to customize your brilliant QoS config file. At what email can I contact you? I have a Cisco 1712 and a VPN site-to-site. It is configured directly on the WAN interface and I am wondering how to give priority to the IPsec traffic. I also want to give priority to Skype and tried something with UDP port, but not quite sure if it works. I am using NBAR and this is not working as expected. Your configuration seems much better.
LilYoda Feline with squirel personality disorder Premium join:2004-09-02 Mountains
I wanted to use NBAR, but it isn't supported on my 4700.
For the Skype and IPSec traffic, I already have the ACLs built, however I locked myself out of my router yesterday, in a daring attempt to improve my tacacs config *sigh*
So you'll have to wait till I get back home and can break into the router through the console port, which should be some time next week.
rolande Certifiable Premium,Mod join:2002-05-24 Powell, OH
What TACACS server do you use? I am contemplating setting one up on my Linux server for my terminal server on my lab rack. Got any good suggestions? Thanks!
-- Ignorance is temporary...stupidity lasts forever!
LilYoda Feline with squirel personality disorder Premium join:2004-09-02 Mountains
reply to LilYoda
Linux Debian + tac_plus, works like a charm (except when you're a numb nuts like me and mess up the key on the router)
I got the latest version of tac_plus recently for my work lab, so that I could give different rights based on the source IP. I'll post the version here when I get back to work on Monday.
plm2005 join:2005-03-25 Bulgaria
reply to LilYoda
NBAR was a real disaster. My router crashed two times after I configured something with NBAR. I just got 2 memory crashes so I removed this shit. I will wait for the ACLs. I hope I will manage it. I have some problems with Microsoft FRS now, so it took my time during the weekend.
rolande Certifiable Premium,Mod join:2002-05-24 Powell, OH
Did you globally enable 'ip cef' before enabling NBAR protocol matching? Depending on what you were using NBAR for, a 1712 is kind of a small router if you were doing too much with it. You could easily kill the memory or CPU.
Did you get log msgs or traceback msgs on console? Did the router crash or just log malloc messages?
-- Ignorance is temporary...stupidity lasts forever!
plm2005 join:2005-03-25 Bulgaria
Yes, I have ip cef, but NBAR is not for me. I had big crash files. It happened in the past, because of memory bugs, but the new IOS has other much worse bugs so I will stay with the current IOS for now.
Brandonv7 join:2000-09-14 Minneapolis, MN
reply to LilYoda
You don't have to have an ACL to use the basic Rate-Limit command, do you? I read it as you only use an ACL if you want to rate limit just some of the traffic through that interface?
-- "Rose Tints My World To Keep Me Safe From My Trouble And Pain" Take a trip down the River Roads!!
LilYoda Feline with squirel personality disorder Premium join:2004-09-02 Mountains
I believe this is correct. But you can also attach an access-list, and use it to color inbound traffic by using set-prec-transmit as your conform and exceed actions.
rolande Certifiable Premium,Mod join:2002-05-24 Powell, OH
reply to Brandonv7
That is correct. If you want to use rate-limit to color traffic with different precedence values it would be pointless without ACLs.
-- Ignorance is temporary...stupidity lasts forever!
Brandonv7 join:2000-09-14 Minneapolis, MN
But that would only be if you want to prioritize different kinds of traffic as it does in this VoIP config. The rate limit command itself doesn't require an ACL though. That is what I was trying to clarify for a problem I am working on..
-- "Rose Tints My World To Keep Me Safe From My Trouble And Pain" Take a trip down the River Roads!!
rolande Certifiable Premium,Mod join:2002-05-24 Powell, OH
Yes. Again, my first statement was that you were correct in your assumption. Without an ACL, the rate-limit command applies to all traffic going in and/or out of an interface depending on the direction it is applied or if it is applied in both directions.
-- Ignorance is temporary...stupidity lasts forever!
harlen
reply to LilYoda
LilYoda writes: but I haven't tried it, cause I don't have a 800 handy
Want access to play with one?
I'll be trying out your config examples on the weekend on my 827. Running c820-k9osy6-mz.123-9.bin
LilYoda Feline with squirel personality disorder Premium join:2004-09-02 Mountains
I'm working on a house renovation this week-end, so I won't be able to help.
As far as I remember, the 800 series does not allow for one policy-map to call another policy map (aka policy nesting).
I am not sure either if it supports named ACLs now. If it still doesn't, the config might be a LOT nastier to troubleshoot :)
So you could probably still get away with it by using one single policy map like
    policy-map Packet-Queueing
     class VoIP-Class-Outbound
      priority 72
     class Hi-Class-Outbound
      bandwidth remaining percent 50
      random-detect prec-based
      random-detect exponential-weighting-constant 8
      random-detect precedence 6 20 60 20
      random-detect precedence 5 6 15 6
     class Med-Class-Outbound
      bandwidth remaining percent 25
      random-detect prec-based
      random-detect exponential-weighting-constant 8
      random-detect precedence 4 15 30 15
      random-detect precedence 3 1 15 3
     class Lo-Class-Outbound
      bandwidth remaining percent 25
      random-detect prec-based
      random-detect exponential-weighting-constant 3
      random-detect precedence 2 15 30 15
      random-detect precedence 1 1 15 3
If it doesn't work, I could look into it and work with you some time next week :)