  LilYoda Feline with squirel personality disorder Premium join:2004-09-02 Mountains
edit: January 18th, @09:13PM
[Config] QoS+VoIP on a Cisco - sample config
Well, took me a while, so I figured I'd post my config, if it can help out others
I will break it down in 7 sections:
1) base: what I think every router should have
2) LAN & DHCP: the local LAN config and DHCP server
3) cable: the specific part of connection I used to connect to Charter High Speed Internet service
4) marking: the coloring of inbound packets
5) local marking: the coloring of locally generated packets
6) lingo specific: cause I have lingo, and it was a b*tch to setup, so here it is
7) queueing: the fun in the post, how to make QoS work
More detail in each section; feel free to comment, and I'll try to keep the post updated if you find obvious errors.
  LilYoda Feline with squirel personality disorder Premium join:2004-09-02 Mountains
edit: January 18th, @11:29PM
[Config] QoS+VoIP on a Cisco - base
Here are the basics.
Out of the below, you may want to adjust the timezone settings, and remove the config for the aux port if your router doesn't have one...
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
no service tcp-small-servers
no service udp-small-servers
!
! Come on, let your imagination go wild and name your router
!
hostname XXXXXXXX
!
logging buffered 16000 debugging
no logging console
!
! the enable password is not used, but must
! be different from the enable secret
enable secret XXXXXXXX
enable password XXXXXXXX
!
! Modify the 2 following lines to match your timezone, or remove if you
! want the router to display GMT time
clock timezone EST -5
clock summer-time EDT recurring 1 Sun Apr 3:00 last Sun Oct 3:00
!
ip subnet-zero
no ip source-route
no cdp run
no ip bootp server
no ip http server
no ip finger
ip classless
!
! You can change the below to your own badass disclaimer/banner
!
banner motd #
NOTICE: This is a private network device. All activities on this system are monitored and recorded. Actual or attempted use, access, examination, or configuration change by an unauthorized person will result in criminal and civil prosecution to the full extent of the law.
Enter password
#
!
! Doesn't have to be the same PWD on Console, Aux and VTY ports
!
line con 0
 password XXXXXXXX
 login
 transport output none
line aux 0
 password XXXXXXXX
 login
 transport input none
 transport output none
line vty 0 4
 password XXXXXXXX
 login
 transport input telnet
 transport output none
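Added example (not the poster's configuration or tooling): a small audit script that reads a saved IOS configuration and reports which of the hardening commands from the base post are missing, whether an enable secret is set, and whether any terminal line accepts cleartext telnet for inbound management (the vty line above does). The sample config is constructed from the post with placeholder secrets; when you run this against a real box's "show running-config", remember that IOS omits default settings from that output, so a default that happens to match a required line will be reported as missing.

```python
"""Audit an IOS config for the hardening lines in the base post and flag cleartext management."""

# Constructed sample, mirroring the base post with placeholder secrets
SAMPLE_CONFIG = """\
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
no service tcp-small-servers
no service udp-small-servers
!
hostname router-placeholder
!
enable secret SECRET-PLACEHOLDER
enable password PASSWORD-PLACEHOLDER
!
no ip source-route
no cdp run
no ip bootp server
no ip http server
no ip finger
!
line con 0
 password PASSWORD-PLACEHOLDER
 login
 transport output none
line aux 0
 password PASSWORD-PLACEHOLDER
 login
 transport input none
 transport output none
line vty 0 4
 password PASSWORD-PLACEHOLDER
 login
 transport input telnet
 transport output none
"""

# Global commands the base post sets; all are expected verbatim at top level
REQUIRED_GLOBAL = (
    "service password-encryption",
    "no service tcp-small-servers",
    "no service udp-small-servers",
    "no ip source-route",
    "no cdp run",
    "no ip bootp server",
    "no ip http server",
    "no ip finger",
)


def line_blocks(config):
    """Group the indented commands under each 'line ...' stanza; any top-level command ends the stanza."""
    blocks, name = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            name = raw[5:].strip()
            blocks[name] = []
        elif name is not None and raw.startswith(" "):
            blocks[name].append(raw.strip())
        else:
            name = None
    return blocks


def audit(config):
    """Return a list of findings (strings); an empty list means every check passed."""
    findings = []
    top_level = {raw.strip() for raw in config.splitlines() if not raw.startswith(" ")}
    for cmd in REQUIRED_GLOBAL:
        if cmd not in top_level:
            findings.append(f"missing global command: {cmd}")
    if not any(cmd.startswith("enable secret ") for cmd in top_level):
        findings.append("no enable secret configured")
    for name, cmds in line_blocks(config).items():
        if not any(c == "login" or c.startswith("login ") for c in cmds):
            findings.append(f"line {name}: no login required")
        elif "login" in cmds and not any(c.startswith("password ") for c in cmds):
            # plain 'login' needs a line password; 'login local' uses local user accounts instead
            findings.append(f"line {name}: login set but no password")
        if any(c.startswith("transport input") and ({"telnet", "all"} & set(c.split())) for c in cmds):
            findings.append(f"line {name}: cleartext telnet accepted for inbound management")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the sample above the only finding is the telnet one on vty 0 4; drop `service password-encryption` or the vty `login` line and the corresponding findings appear.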
  LilYoda Feline with squirel personality disorder Premium join:2004-09-02 Mountains
edit: January 18th, @09:12PM
reply to LilYoda
[Config] QoS+VoIP on a Cisco - LAN & DHCP
Starting here, all the below relies on a LAN segment of 192.168.254.0/24 (mask of 255.255.255.0)
The below config assumes that 192.168.254.1 is your DNS, NTP server and WINS server. This is my case, cause I have set up those features on my Linux server. If you use another DNS/NTP/WINS, change the corresponding options below. If you don't have a WINS or NTP server, remove the lines related to it. If you don't have a private DNS server, replace the "dns-server 192.168.254.1" with the IP address of your ISP's DNS.
DHCP addresses will be given in the 192.168.254.128 -> 192.168.254.192 range
!
service dhcp
!
ip domain-name XXX.com
ip name-server 192.168.254.1
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.254.1 192.168.254.128
ip dhcp excluded-address 192.168.254.192 192.168.254.254
!
ip dhcp pool Local-LAN
 network 192.168.254.0 255.255.255.0
 default-router 192.168.254.253
 domain-name XXX.com
 netbios-node-type h-node
 ! DNS server
 dns-server 192.168.254.1
 ! WINS server
 netbios-name-server 192.168.254.1
 ! NTP server
 option 42 ip 192.168.254.1
!
interface Ethernet1
 description --- Internal LAN
 ip address 192.168.254.253 255.255.255.0
 no ip redirects
 fair-queue
!
! Sync the router clock using the NTP server IP
ntp server 192.168.254.1
  LilYoda Feline with squirel personality disorder Premium join:2004-09-02 Mountains
edit: January 18th, @09:12PM
reply to LilYoda
[Config] QoS+VoIP on a Cisco - Charter HSI
Just for info, if you have Charter HSI, here's what the connection to it would look like:
! The below assumes you want to make your router 192.168.254.253
! (replace ethernet0 and ethernet1 by your outside and inside interfaces)
!
service dhcp
!
interface Ethernet0
 description --- Connected to broadband
 ip address dhcp
 ip nat outside
 arp timeout 300
!
interface Ethernet1
 ip nat inside
!
ip access-list standard Networks_2B_NATed
 permit 192.168.254.0 0.0.0.255
!
ip nat inside source list Networks_2B_NATed interface Ethernet0 overload

In case you want to host servers, here are 2 sample commands for port forwarding (making a service on your LAN available to the Internet):

! Line below is for making the TeamSpeak server (192.168.254.1)
! reachable from the outside world (this is an example of port forwarding)
ip nat inside source static udp 192.168.254.1 8767 interface Ethernet0 8767
!
! Line below is for making the Squid proxy (192.168.254.1)
! reachable from the outside world (this is an example of port forwarding)
ip nat inside source static tcp 192.168.254.1 8080 interface Ethernet0 8080
  LilYoda Feline with squirel personality disorder Premium join:2004-09-02 Mountains
edit: January 18th, @09:12PM
reply to LilYoda
[Config] QoS+VoIP on a Cisco - Lingo
This is in case you have a Lingo ATA on your LAN. The below assumes you want your ATA to be 192.168.254.11, if that ain't the case, replace by the IP you wanna give it in all posts from here.
ip dhcp pool Lingo-ATA
 ! REPLACE THE IP BELOW IF YOU WANT TO GIVE ANOTHER ADDRESS TO YOUR LINGO ATA
 host 192.168.254.11 255.255.255.0
 ! REPLACE THE MAC BELOW BY YOUR LINGO ATA MAC ADDRESS
 hardware-address 00c3.8c56.ef57

If your outside interface isn't Ethernet0 (Dialer1 in case of a DSL connection, for ex.), replace Ethernet0 by the appropriate interface.

ip nat inside source static udp 192.168.254.11 69 interface Ethernet0 69
ip nat inside source static udp 192.168.254.11 5060 interface Ethernet0 5060
ip nat inside source static udp 192.168.254.11 13456 interface Ethernet0 13456

In the line below, after your ISP has given you a public IP address, replace the XXX.XXX.XXX.XXX by your public IP. This line isn't mandatory, so try it only if the service isn't reliable without it. It is a major pain, as you would have to update this line every time your ISP gives you a new address, so I recommend using this as a last resort and for troubleshooting ONLY!

ip nat inside source static 192.168.254.11 XXX.XXX.XXX.XXX no-alias
  LilYoda Feline with squirel personality disorder Premium join:2004-09-02 Mountains
edit: January 18th, @11:26PM
reply to LilYoda
[Config] QoS+VoIP on a Cisco - coloring
OK, let's get into the funny stuff...
I like to have 4 types of traffic: the VoIP traffic, the high importance data, the medium importance data, and the low importance one (aka the cr@p).
All the below are examples; you need to either write your access-lists to match what goes where, or use the NBAR service, which I haven't tested yet.
! mandatory (I think)
ip cef

Traffic that will go in the VoIP class:

ip access-list extended Lingo-ATA
 remark --- traffic from Lingo's ATA box
 permit ip host 192.168.254.11 any
ip access-list extended Skype
 remark --- Skype traffic
 permit udp any eq 44330 any
ip access-list extended TS-server
 remark --- TeamSpeak Server traffic
 permit udp host 192.168.254.1 eq 8767 any

Traffic that will go in the High class:

ip access-list extended Outbound-DNS
 remark --- outbound DNS queries
 permit udp 192.168.254.0 0.0.0.255 any eq domain
ip access-list extended Telnet-Traffic
 remark --- any telnet traffic
 permit tcp any any eq telnet
 permit tcp any eq telnet any
ip access-list extended WWW-and-SSL
 remark --- make sure you deny eMule traffic
 deny udp any eq 4672 any
 deny tcp any eq 4662 any
 remark --- make sure you deny BitTorrent traffic
 deny tcp any range 6881 6889 any
 deny udp any range 6881 6889 any
 remark --- make sure you deny any other P2P app traffic
 deny udp any range XXXX XXXX any
 remark --- permit http and https traffic
 permit tcp any any eq www
 permit tcp any any eq 443

Traffic that will go in the Medium class:

ip access-list extended ICMP
 remark --- ICMP from LAN
 permit icmp 192.168.254.0 0.0.0.255 any
ip access-list extended FTP
 remark --- FTP traffic from LAN to FTP servers
 permit tcp 192.168.254.0 0.0.0.255 any eq ftp
 permit tcp 192.168.254.0 0.0.0.255 any eq ftp-data

Traffic that will go in the Low class:

ip access-list extended eMule
 remark --- eMule default ports
 permit udp any eq 4672 any
 permit tcp any eq 4662 any
 permit udp any any eq 4672
 permit tcp any any eq 4662
ip access-list extended BitTorrent
 remark --- BitTorrent default ports
 permit tcp any range 6881 6889 any
 permit udp any range 6881 6889 any
 permit tcp any any range 6881 6889
 permit udp any any range 6881 6889
ip access-list extended Squid
 permit tcp host 192.168.254.1 eq 8080 any

Making your classes
If you want a specific traffic to go in a class, make a new ACL like the ones above, and add a "match" statement in the correct class below.

class-map match-any VoIP-Class-Inbound
 match access-group name Lingo-ATA
 match access-group name Skype
 match access-group name TS-server
 ! DSCP value EF is commonly allocated to voice traffic so
 ! in case you have a voice application already coloring the
 ! traffic to EF, you're all set, no need for a new ACL
 match ip dscp ef
class-map match-any Hi-Class-Inbound
 match access-group name Outbound-DNS
 match access-group name Telnet-Traffic
 match access-group name WWW-and-SSL
class-map match-any Med-Class-Inbound
 match access-group name ICMP
 match access-group name FTP
class-map match-any Lo-Class-Inbound
 match access-group name eMule
 match access-group name BitTorrent
 match access-group name Squid

Policy-map coloring the traffic:
VoIP class colored as Precedence 7
High class colored as Precedence 6 when below 85000 bps and Precedence 5 when above
Medium class colored as Precedence 4 when below 43000 bps and Precedence 3 when above
Low class colored as Precedence 2 when below 43000 bps and Precedence 1 when above
Rest of traffic colored as Precedence 1
policy-map Packet-Tagging
 class VoIP-Class-Inbound
  police 72000 9000 9000 conform-action set-prec-transmit 7 exceed-action set-prec-transmit 7
 class Hi-Class-Inbound
  ! the exceed action must set precedence 5 (not DSCP 5, which is precedence 0),
  ! so the outbound Hi class, matching precedence 6 and 5, still catches it
  police 85000 10000 10000 conform-action set-prec-transmit 6 exceed-action set-prec-transmit 5
 class Med-Class-Inbound
  police 43000 5000 5000 conform-action set-prec-transmit 4 exceed-action set-prec-transmit 3
 class Lo-Class-Inbound
  police 43000 5000 5000 conform-action set-prec-transmit 2 exceed-action set-prec-transmit 1
 class class-default
  set ip precedence 1

Apply policy to your inbound interface (replace ethernet1 by your inside interface):

interface Ethernet1
 service-policy input Packet-Tagging

EDIT: made a simpler version using Precedence instead of DSCP
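Added example (not the poster's configuration or tooling): a small evaluator for the named extended ACLs and match-any class-maps above, so you can check which inbound class a given packet lands in before applying the service-policy. It implements the IOS rules that matter here: first matching entry in an ACL wins, an ACL with no match denies (implicit deny), a match-any class matches when any of its ACLs permits, and classes are evaluated in the order the policy-map lists them. The config text is a constructed subset of the coloring post; the sample packets and the 203.0.113.5 remote address are made up. It also demonstrates why the deny entries in WWW-and-SSL matter: a BitTorrent flow that happens to use port 80 on the far side still ends up in the Low class.

```python
"""Evaluate IOS named extended ACLs and match-any class-maps for a sample packet."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed from the coloring post (a subset of its ACLs and class-maps)
CONFIG = """
ip access-list extended Lingo-ATA
 remark --- traffic from Lingo's ATA box
 permit ip host 192.168.254.11 any
ip access-list extended Skype
 permit udp any eq 44330 any
ip access-list extended WWW-and-SSL
 deny tcp any range 6881 6889 any
 deny udp any range 6881 6889 any
 permit tcp any any eq www
 permit tcp any any eq 443
ip access-list extended BitTorrent
 permit tcp any range 6881 6889 any
 permit udp any range 6881 6889 any
 permit tcp any any range 6881 6889
 permit udp any any range 6881 6889
class-map match-any VoIP-Class-Inbound
 match access-group name Lingo-ATA
 match access-group name Skype
class-map match-any Hi-Class-Inbound
 match access-group name WWW-and-SSL
class-map match-any Lo-Class-Inbound
 match access-group name BitTorrent
"""

# IOS port keywords used in the thread's ACLs
NAMED_PORTS = {"www": 80, "domain": 53, "telnet": 23, "ftp": 21, "ftp-data": 20}

@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sports: Optional[Tuple[int, int]]
    dst: ipaddress.IPv4Network
    dports: Optional[Tuple[int, int]]

@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def _port(tok):
    return NAMED_PORTS.get(tok) or int(tok)

def _addr(t, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1]), i + 2
    # an IOS wildcard mask is a host mask, which ipaddress accepts in place of a prefix length
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def _ports(t, i):
    """Parse an optional 'eq P' or 'range A B' at t[i]; return ((lo, hi) or None, next index)."""
    if i < len(t) and t[i] == "eq":
        return (_port(t[i + 1]), _port(t[i + 1])), i + 2
    if i < len(t) and t[i] == "range":
        return (_port(t[i + 1]), _port(t[i + 2])), i + 3
    return None, i

def parse_config(text):
    """Return ({acl: [Ace, ...]}, {class: [acl, ...]}); classes keep their definition order."""
    acls, classes, section = {}, {}, None
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] in ("!", "remark"):
            continue
        if t[:3] == ["ip", "access-list", "extended"]:
            section = ("acl", t[3])
            acls[t[3]] = []
        elif t[:2] == ["class-map", "match-any"]:
            section = ("class", t[2])
            classes[t[2]] = []
        elif t[0] in ("permit", "deny") and section and section[0] == "acl":
            src, i = _addr(t, 2)
            sports, i = _ports(t, i)
            dst, i = _addr(t, i)
            dports, _ = _ports(t, i)
            acls[section[1]].append(Ace(t[0], t[1], src, sports, dst, dports))
        elif t[:3] == ["match", "access-group", "name"] and section and section[0] == "class":
            classes[section[1]].append(t[3])
    return acls, classes

def acl_permits(aces, pkt):
    """First matching entry decides; no match means the implicit deny at the end of every ACL."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for a in aces:
        if a.proto not in ("ip", pkt.proto) or src not in a.src or dst not in a.dst:
            continue
        if a.sports and not a.sports[0] <= pkt.sport <= a.sports[1]:
            continue
        if a.dports and not a.dports[0] <= pkt.dport <= a.dports[1]:
            continue
        return a.action == "permit"
    return False

def classify(pkt, acls, classes):
    """Walk the classes in policy-map order (definition order here); unmatched traffic is class-default."""
    for name, groups in classes.items():
        if any(acl_permits(acls[g], pkt) for g in groups):
            return name
    return "class-default"
```

For instance, `classify(Packet("tcp", "192.168.254.20", 6881, "203.0.113.5", 80), *parse_config(CONFIG))` returns "Lo-Class-Inbound" because the deny entry in WWW-and-SSL matches before the http permit, while the same flow from an ephemeral source port lands in "Hi-Class-Inbound".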
  LilYoda Feline with squirel personality disorder Premium join:2004-09-02 Mountains
edit: January 19th, @12:22AM
reply to LilYoda
[Config] QoS+VoIP on a Cisco - local marking
Why is that? Well, because when you telnet to your router from the internet (bad bad you, this isn't secure you know? :p ) your packets aren't going inbound on Ethernet1, so they aren't colored, so the queueing engine won't know what to do with those...
route-map Local-Tagging permit 20
 description --- Telnet traffic goes in High Class
 match ip address Telnet-Traffic
 set ip precedence 6
!
route-map Local-Tagging permit 40
 description --- The rest goes in Medium class
 set ip precedence 4
!
ip local policy route-map Local-Tagging

EDIT: made a simpler version using precedence instead of DSCP
  LilYoda Feline with squirel personality disorder Premium join:2004-09-02 Mountains
edit: January 18th, @11:24PM
reply to LilYoda
[Config] QoS+VoIP on a Cisco - queuing
And here's the beauty, the queuing engine. Took me a while to figure it out.

class-map match-any VoIP-Class-Outbound
 match ip precedence 7
class-map match-any Hi-Class-Outbound
 match ip precedence 6
 match ip precedence 5
class-map match-any Med-Class-Outbound
 match ip precedence 4
 match ip precedence 3
class-map match-any Lo-Class-Outbound
 match ip precedence 2
 match ip precedence 1

Queueing for data only. Parameters unsure for the random-detect, although they work fine for me... The current settings make the low class really hammered when there is traffic in the high & medium classes; make the exponential-weighting-constant the same as the others if you want them to be more equal.
But in my experience, you have to be really aggressive to slow down eMule and Bittorent traffic.
policy-map Data-Only-Queueing
 class Hi-Class-Outbound
  bandwidth percent 50
  random-detect prec-based
  random-detect exponential-weighting-constant 8
  random-detect precedence 6 20 60 20
  random-detect precedence 5 6 15 6
 class Med-Class-Outbound
  bandwidth percent 25
  random-detect prec-based
  random-detect exponential-weighting-constant 8
  random-detect precedence 4 15 30 15
  random-detect precedence 3 1 15 3
 class Lo-Class-Outbound
  bandwidth percent 25
  random-detect prec-based
  random-detect exponential-weighting-constant 3
  random-detect precedence 2 15 30 15
  random-detect precedence 1 1 15 3

Class for all traffic. Uses LLQ with 72Kbps assigned to the Voice class, and 171Kbps assigned to data, using the queuing defined above:

policy-map Packet-Queueing
 class VoIP-Class-Outbound
  priority 72
 class class-default
  shape average 171000
  bandwidth 171
  service-policy Data-Only-Queueing

Apply policy to your outbound interface (replace ethernet0 by your outside interface). max-reserved-bandwidth 95 leaves 14Kbps (in my case) for anything that wasn't foreseen (routing updates, uncolored traffic, etc...)

interface Ethernet0
 bandwidth 256
 max-reserved-bandwidth 95
 service-policy output Packet-Queueing
 tx-ring-limit 2
 tx-queue-limit 2

EDIT: made a simpler version using precedence instead of DSCP
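Added example (not the poster's tooling): a consistency check between the inbound marking policy from the coloring post and the outbound class-maps above. The queuing only works if every precedence value the policer can write is matched by some outbound class; anything else silently falls into class-default and loses its place in the LLQ. The script parses both fragments (constructed from the thread), converts any DSCP action to the precedence it implies (the top three bits of the DSCP), and lists markings no outbound class catches. A second variant, with the Hi-Class exceed action written as a DSCP action, shows the failure mode: DSCP 5 is precedence 0, which none of the outbound classes match. A small budget helper also checks the interface arithmetic for the 256 kbps / 95% case: 243.2 kbps is reservable, the 72 + 171 kbps allocation leaves 0.2 kbps inside that, and 12.8 kbps stays unreserved for control traffic.

```python
"""Cross-check inbound precedence marking against outbound class-maps, and the LLQ budget."""
import re

# Constructed from the coloring post's policy-map
TAGGING = """
policy-map Packet-Tagging
 class VoIP-Class-Inbound
  police 72000 9000 9000 conform-action set-prec-transmit 7 exceed-action set-prec-transmit 7
 class Hi-Class-Inbound
  police 85000 10000 10000 conform-action set-prec-transmit 6 exceed-action set-prec-transmit 5
 class Med-Class-Inbound
  police 43000 5000 5000 conform-action set-prec-transmit 4 exceed-action set-prec-transmit 3
 class Lo-Class-Inbound
  police 43000 5000 5000 conform-action set-prec-transmit 2 exceed-action set-prec-transmit 1
 class class-default
  set ip precedence 1
"""

# Same policy, but the Hi-Class exceed action sets DSCP 5 instead of precedence 5
TAGGING_DSCP_MIXUP = TAGGING.replace(
    "exceed-action set-prec-transmit 5", "exceed-action set-dscp-transmit 5")

# Constructed from the queuing post's class-maps
OUTBOUND = """
class-map match-any VoIP-Class-Outbound
 match ip precedence 7
class-map match-any Hi-Class-Outbound
 match ip precedence 6
 match ip precedence 5
class-map match-any Med-Class-Outbound
 match ip precedence 4
 match ip precedence 3
class-map match-any Lo-Class-Outbound
 match ip precedence 2
 match ip precedence 1
"""

# IOS accepts abbreviated keywords, so match set-prec-trans... and set-dscp-tran...
ACTION_RE = re.compile(r"(set-prec-trans\w*|set-dscp-tran\w*)\s+(\d+)")


def marking_outcomes(policy_text):
    """Map each class of the tagging policy to the set of IP precedence values its packets can leave with."""
    outcomes, cls = {}, None
    for line in policy_text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "class":
            cls = t[1]
            outcomes[cls] = set()
        elif t[0] == "police":
            for action, value in ACTION_RE.findall(line):
                v = int(value)
                # precedence is the top three bits of the six-bit DSCP field
                outcomes[cls].add(v if action.startswith("set-prec") else v >> 3)
        elif t[:3] == ["set", "ip", "precedence"]:
            outcomes[cls].add(int(t[3]))
    return outcomes


def outbound_precedences(class_text):
    """Map each outbound class-map to the precedence values it matches."""
    classes, cls = {}, None
    for line in class_text.splitlines():
        t = line.split()
        if t[:2] == ["class-map", "match-any"]:
            cls = t[2]
            classes[cls] = set()
        elif t[:3] == ["match", "ip", "precedence"]:
            classes[cls].update(int(v) for v in t[3:])
    return classes


def unqueued_markings(policy_text, class_text):
    """(inbound class, precedence) pairs that no outbound class matches, i.e. traffic that would fall into class-default."""
    matched = set().union(*outbound_precedences(class_text).values())
    return sorted((c, p) for c, precs in marking_outcomes(policy_text).items()
                  for p in precs if p not in matched)


def llq_budget(interface_kbps, max_reserved_pct, priority_kbps, bandwidth_kbps):
    """Reservable capacity, headroom left inside it after priority + bandwidth, and the unreserved share."""
    reservable = interface_kbps * max_reserved_pct / 100
    return {
        "reservable_kbps": round(reservable, 1),
        "headroom_kbps": round(reservable - priority_kbps - bandwidth_kbps, 1),
        "unreserved_kbps": round(interface_kbps - reservable, 1),
    }


if __name__ == "__main__":
    print("precedence-only policy:", unqueued_markings(TAGGING, OUTBOUND))
    print("DSCP mix-up:", unqueued_markings(TAGGING_DSCP_MIXUP, OUTBOUND))
    print(llq_budget(256, 95, 72, 171))
```

A negative headroom value means IOS would refuse the `service-policy output` because priority plus bandwidth exceeds what max-reserved-bandwidth allows on that interface.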
  vonsen Just Because Premium join:2005-01-06
reply to LilYoda
Re: [Config] QoS+VoIP on a Cisco - sample config
I thank you. My cisco thanks you.
  LilYoda Feline with squirel personality disorder Premium join:2004-09-02 Mountains
edit: January 18th, @11:38PM
reply to LilYoda
[Config] QoS+VoIP on a Cisco - Add-ons
life savers:
The 2 aliases below show you all stats of your upload traffic, and all stats of the queuing (how many packets dropped by the queuing engine, etc...)
alias exec out show policy-map interface Ethernet0 | exclude 0/0 0/0 0/0
alias exec in show policy-map interface Ethernet1

Now from the console just type "out" or "in" to get your stats. If there is a lazy way to do things, it is my duty to find it :D
EDIT: watch out for the line break in the example above, the "alias exec out" line ends after the last "0/0" and there is no "*" in the final line. It should be "alias exec out show policy-map interface Ethernet0 | exclude 0/0 0/0 0/0"
 hlygrail
join:2002-09-08
reply to LilYoda
Re: [Config] QoS+VoIP on a Cisco - queuing
God Bless You!!
I was getting ready to post a question looking for a way to assign priority queueing to my 1720, having tried and failed (now I see why!).
Thank you for doing -- and DOCUMENTING -- the legwork for all to benefit.
 paarlberg
join:2000-07-28 Lilburn, GA
Here is what I used on my 2621 to add QoS for H.323 and 3Com NBX pbx and phones. The "match ip dscp 46" was for the 3Com NBX portion.

**********************************************
ip cef
class-map match-any VOICE
 match protocol rtp
 match ip dscp 46
 exit
policy-map QOS-RTP
 class VOICE
  priority percent 50
 exit
**********************************************

Then you must apply to each interface that you want it to use..

**********************************************
interface
 service-policy output QOS-RTP
**********************************************

You can also set priority by max bandwidth instead of percent (128k in the example below). Would recommend percent on ADSL and bandwidth for ethernet or high-speed serial. If you use both, create a new policy-map for that.. QOS-RTP-DSL and QOS-RTP-ETH, or something like that..

**********************************************
 ! priority takes the rate in kbps directly (no "bandwidth" keyword)
 priority 128
**********************************************
  rolande Certifiable Premium,Mod join:2002-05-24 Powell, OH clubs:
Host: Linksys AT&T Midwest
reply to LilYoda
Re: [Config] QoS+VoIP on a Cisco - sample config
How did your ADT alarm like using VoIP to call out, or did it even work at all? Most VoIP gateways and Cisco IOS have the ability to disable modems and faxes from working. Not to mention, a VoIP line is more likely to get squirrely and easily hose up modem negotiation. Just curious to hear your experience with it.
LilYoda Feline with squirel personality disorder Premium join:2004-09-02 Mountains
reply to LilYoda
Got lazy, haven't done the wiring yet
 BigBlockChev
join:2004-09-18
What version / level of IOS do you need to support these neat QoS features? (I'm a Cisco dinosaur, the last version I used was 11.2 on a 4500M). I'm interested in getting a used 2621 for home office use though.
  LilYoda Feline with squirel personality disorder Premium join:2004-09-02 Mountains
reply to LilYoda
It runs on almost any platform, except the 800 series. I think the 800 a) doesn't support named access-lists (which isn't a blocking point, just very annoying to troubleshoot all those ACLs if they only have numbers) b) doesn't support policy nesting... Can't call a policy map from within another policy map. There may be a workaround (like including all in 1 policy), but I haven't tried it, cause I don't have an 800 handy.
I am using 12.2.24 on a 4700, but I think it runs on 12.1 IOSes. You just need an IP Plus version, no need for enterprise IOS.
 ugalosh
join:2002-12-07 Baltimore, MD
The posts above all contain: "EDIT: made a simpler version using precedence instead of DSCP"
Is that the version posted? Kinda new at this and trying to comprehend it all. Working to try to find a version of IOS for my 2600 that has the 'police' command in policy-map, with very little success.
Thanks, Uga.
  rolande Certifiable Premium,Mod join:2002-05-24 Powell, OH clubs:
Host: Linksys AT&T Midwest
I believe that the police command under policy-maps was included in a later 12.2T train code or 12.3.
Otherwise you can use cascaded rate-limit commands to do the same thing. When you set a rate-limit and an exceed-action of drop, anything beyond the threshold gets policed automatically.
Innuendo Premium join:2002-12-20
reply to LilYoda
LilYoda,
Thanks for sharing your hard work here for all to benefit.
This, IMHO, should be submitted as a FAQ so your hard work can benefit people in the future without danger of it getting buried in the sands of time.
 smp606
join:2002-01-16 PA
reply to LilYoda
Very nice write-up!