reply to LilYoda [Config] QoS+VoIP on a Cisco - coloring
OK, let's get into the funny stuff...
I like to have 4 types of traffic: the VoIP traffic, the high importance data, the medium importance data, and the low importance one (aka the cr@p).
All the below are examples; you need to either write your access-lists to match what goes where, or use the NBAR service, which I haven't tested yet.
! mandatory (I think)
ip cef

Matching traffic that will go in the VoIP class

ip access-list extended Lingo-ATA
 remark --- traffic from Lingo's ATA box
 permit ip host 192.168.254.11 any
ip access-list extended Skype
 remark --- Skype traffic
 permit udp any eq 44330 any
ip access-list extended TS-server
 remark --- TeamSpeak Server traffic
 permit udp host 192.168.254.1 eq 8767 any

Matching traffic that will go in the High class

ip access-list extended Outbound-DNS
 remark --- outbound DNS queries
 permit udp 192.168.254.0 0.0.0.255 any eq domain
ip access-list extended Telnet-Traffic
 remark --- any telnet traffic
 permit tcp any any eq telnet
 permit tcp any eq telnet any
ip access-list extended WWW-and-SSL
 remark --- make sure you deny eMule traffic
 deny udp any eq 4672 any
 deny tcp any eq 4662 any
 remark --- make sure you deny BitTorrent traffic
 deny tcp any range 6881 6889 any
 deny udp any range 6881 6889 any
 remark --- make sure you deny any other P2P app traffic
 deny udp any range XXXX XXXX any
 remark --- permit http and https traffic
 permit tcp any any eq www
 permit tcp any any eq 443

Matching traffic that will go in the Medium class

ip access-list extended ICMP
 remark --- ICMP from LAN
 permit icmp 192.168.254.0 0.0.0.255 any
ip access-list extended FTP
 remark --- FTP traffic from LAN to FTP servers
 permit tcp 192.168.254.0 0.0.0.255 any eq ftp
 permit tcp 192.168.254.0 0.0.0.255 any eq ftp-data

Matching traffic that will go in the Low class

ip access-list extended eMule
 remark --- eMule default ports
 permit udp any eq 4672 any
 permit tcp any eq 4662 any
 permit udp any any eq 4672
 permit tcp any any eq 4662
ip access-list extended BitTorrent
 remark --- BitTorrent default ports
 permit tcp any range 6881 6889 any
 permit udp any range 6881 6889 any
 permit tcp any any range 6881 6889
 permit udp any any range 6881 6889
ip access-list extended Squid
 permit tcp host 192.168.254.1 eq 8080 any

Making your classes

If you want a specific traffic to go in a class, make a new ACL like the ones above, and add a "match" statement in the correct class below.

class-map match-any VoIP-Class-Inbound
 match access-group name Lingo-ATA
 match access-group name Skype
 match access-group name TS-server
 ! DSCP value EF is commonly allocated to voice traffic so
 ! in case you have a voice application already coloring the
 ! traffic to EF, you're all set, no need for a new ACL
 match ip dscp ef
class-map match-any Hi-Class-Inbound
 match access-group name Outbound-DNS
 match access-group name Telnet-Traffic
 match access-group name WWW-and-SSL
class-map match-any Med-Class-Inbound
 match access-group name ICMP
 match access-group name FTP
class-map match-any Lo-Class-Inbound
 match access-group name eMule
 match access-group name BitTorrent
 match access-group name Squid

Policy-map coloring the traffic

VoIP class colored as Precedence 7
High class colored as Precedence 6 when below 85000 bps and Precedence 5 when above
Medium class colored as Precedence 4 when below 43000 bps and Precedence 3 when above
Low class colored as Precedence 2 when below 43000 bps and Precedence 1 when above
Rest of traffic colored as Precedence 1
policy-map Packet-Tagging
 class VoIP-Class-Inbound
  police 72000 9000 9000 conform-action set-prec-transmit 7 exceed-action set-prec-transmit 7
 class Hi-Class-Inbound
  police 85000 10000 10000 conform-action set-prec-transmit 6 exceed-action set-prec-transmit 5
 class Med-Class-Inbound
  police 43000 5000 5000 conform-action set-prec-transmit 4 exceed-action set-prec-transmit 3
 class Lo-Class-Inbound
  police 43000 5000 5000 conform-action set-prec-transmit 2 exceed-action set-prec-transmit 1
 class class-default
  set ip precedence 1

Apply the policy to your inbound interface (replace Ethernet1 by your inside interface)

interface Ethernet1
 service-policy input Packet-Tagging

EDIT: made a simpler version using Precedence instead of DSCP
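A policy like the one above is easy to break quietly: a class-map that matches an ACL which was never defined matches nothing, a policy-map class with no class-map behind it never fires, and a class whose conform action sets precedence while its exceed action sets DSCP (a leftover from a DSCP version of the policy) marks the two halves of the same flow on different scales. The following Python script is an added example, not part of LilYoda's post and not a Cisco tool; it reads IOS-style config text, rebuilds the ACL / class-map / policy-map references, and reports those three inconsistencies. The sample config embedded in it is constructed (a trimmed copy of the post's policy with three problems planted in it), and the function names are the example's own.

```python
"""Consistency lint for a Cisco IOS QoS marking config (ACLs, class-maps, policy-map).

Finds: a class-map matching an undefined ACL, a policy-map class with no
class-map, and a class mixing precedence and DSCP marking actions.
"""
import re

# Constructed sample (not a real device config): a trimmed copy of the post's
# policy with three deliberate problems for the linter to find.
SAMPLE_CONFIG = """\
ip access-list extended Lingo-ATA
 permit ip host 192.168.254.11 any
ip access-list extended Skype
 permit udp any eq 44330 any
ip access-list extended Outbound-DNS
 permit udp 192.168.254.0 0.0.0.255 any eq domain
class-map match-any VoIP-Class-Inbound
 match access-group name Lingo-ATA
 match access-group name Skype
 match ip dscp ef
class-map match-any Hi-Class-Inbound
 match access-group name Outbound-DNS
 match access-group name WWW-and-SSL
policy-map Packet-Tagging
 class VoIP-Class-Inbound
  police 72000 9000 9000 conform-action set-prec-transmit 7 exceed-action set-prec-transmit 7
 class Hi-Class-Inbound
  police 85000 10000 10000 conform-action set-prec-transmit 6 exceed-action set-dscp-transmit 5
 class Med-Class-Inbound
  police 43000 5000 5000 conform-action set-prec-transmit 4 exceed-action set-prec-transmit 3
 class class-default
  set ip precedence 1
"""

# Pulls the action keyword that follows conform-/exceed-/violate-action in a police line.
ACTION_RE = re.compile(r"(?:conform|exceed|violate)-action (\S+)")


def parse_config(text):
    """Return (acl_names, class_maps, policy) from IOS-style config text.

    class_maps: class-map name -> list of ACL names it matches on.
    policy: policy-map class name -> list of its action lines (police / set).
    """
    acls, class_maps, policy = set(), {}, {}
    mode, name = None, None          # which config block we are currently inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue                 # blank line or IOS comment
        if m := re.match(r"ip access-list extended (\S+)", line):
            acls.add(m.group(1)); mode = None
        elif m := re.match(r"class-map match-(?:any|all) (\S+)", line):
            mode, name = "cm", m.group(1); class_maps[name] = []
        elif re.match(r"policy-map \S+", line):
            mode, name = "pm", None
        elif mode == "cm" and (m := re.match(r"match access-group name (\S+)", line)):
            class_maps[name].append(m.group(1))
        elif mode == "pm" and (m := re.match(r"class (\S+)", line)):
            name = m.group(1); policy[name] = []
        elif mode == "pm" and name:
            policy[name].append(line)
    return acls, class_maps, policy


def marking_types(lines):
    """Return the marking families ('precedence' / 'dscp') used by a class's action lines."""
    found = set()
    for line in lines:
        actions = ACTION_RE.findall(line)
        if line.startswith("set ip precedence"):
            actions.append("set-prec-transmit")
        elif line.startswith(("set ip dscp", "set dscp")):
            actions.append("set-dscp-transmit")
        for action in actions:
            if action.startswith("set-prec"):
                found.add("precedence")
            elif action.startswith("set-dscp"):
                found.add("dscp")
    return found


def lint(text):
    """Return a list of human-readable findings; an empty list means the config is consistent."""
    acls, class_maps, policy = parse_config(text)
    findings = []
    for cm, refs in class_maps.items():
        for acl in refs:
            if acl not in acls:
                findings.append(f"class-map {cm} matches undefined ACL {acl}")
    for cls, lines in policy.items():
        if cls != "class-default" and cls not in class_maps:
            findings.append(f"policy-map class {cls} has no class-map")
        kinds = marking_types(lines)
        if len(kinds) > 1:
            findings.append(f"class {cls} mixes marking types: {sorted(kinds)}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run it against the text of `show running-config` (or the config file you are about to paste into the router) and fix every finding before applying the service-policy; a clean run on the post's full config is what you want to see, since each class in it should end up marked on one scale only, with every class-map and ACL it names actually defined.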