DiffServ and QOS for VOIP

[kenmiecomputer]

I am trying to implement QOS for VOIP but can't seem to get any of the packets to go into the priority queue. This is an Avaya phone system that is tagging the packets with DSCP of 46 and 34 and COS of 5. I have 2950 switches and 1760 routers. Below are the configurations that I have in place. There is onle one VLAN (long story). What am I missing?

If I do a "show policy-map int s0/0" I see the below output but as you can see there are no matches:


Serial0/0

Service-policy output: voipQoS

Class-map: VoIP (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: ip dscp ef
0 packets, 0 bytes
5 minute rate 0 bps
Match: ip dscp af41
0 packets, 0 bytes
5 minute rate 0 bps
Queueing
Strict Priority
Output Queue: Conversation 264
Bandwidth 768 (kbps) Burst 19200 (Bytes)
(pkts matched/bytes matched) 0/0
(total drops/bytes drops) 0/0

Class-map: class-default (match-any)
6818395 packets, 1036550438 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
Queueing
Flow Based Fair Queueing
Maximum Number of Hashed Queues 256
(total queued/total drops/no-buffer drops) 0/58/0
exponential weight: 9

dscp Transmitted Random drop Tail drop Minimum Maximum Mark
pkts/bytes pkts/bytes pkts/bytes thresh thresh prob
af11 0/0 0/0 0/0 32 40 1/10
af12 0/0 0/0 0/0 28 40 1/10
af13 0/0 0/0 0/0 24 40 1/10
af21 0/0 0/0 0/0 32 40 1/10
af22 0/0 0/0 0/0 28 40 1/10
af23 0/0 0/0 0/0 24 40 1/10
af31 0/0 0/0 0/0 32 40 1/10
af32 0/0 0/0 0/0 28 40 1/10
af33 0/0 0/0 0/0 24 40 1/10
af41 0/0 0/0 0/0 32 40 1/10
af42 0/0 0/0 0/0 28 40 1/10
af43 0/0 0/0 0/0 24 40 1/10
cs1 0/0 0/0 0/0 22 40 1/10
cs2 0/0 0/0 0/0 24 40 1/10
cs3 0/0 0/0 0/0 26 40 1/10
cs4 0/0 0/0 0/0 28 40 1/10
cs5 0/0 0/0 0/0 30 40 1/10
cs6 1593/122843 0/0 0/0 32 40 1/10
cs7 0/0 0/0 0/0 34 40 1/10
ef 0/0 0/0 0/0 36 40 1/10
rsvp 0/0 0/0 0/0 36 40 1/10
default 6816750/1036381477 21/17228 37/31356 20 40 1/10

___________________
Router Config:

!
class-map match-any VoIP
match ip dscp ef
match ip dscp af41
!
policy-map voipQoS
class VoIP
priority 768
class class-default
fair-queue
random-detect dscp-based
!
interface FastEthernet0/0
no ip address
speed auto
!
interface FastEthernet0/0.1
encapsulation dot1Q 1 native
ip address x.x.x.x x.x.x.x
!
interface Serial0/0
bandwidth 1544
no ip address
service-policy output voipQoS
encapsulation frame-relay
no ip mroute-cache
service-module t1 timeslots 1-24
frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
ip address x.x.x.x x.x.x.x
frame-relay interface-dlci 100 IETF
!

Switch Config:

interface FastEthernet0/1
switchport mode trunk
switchport priority extend trust
no ip address
duplex full
speed 100
spanning-tree portfast
!

 

[ADB100]

The switch config should just be set to trust either DSCP or CoS, otherwise it will strip the tags off:

interface fastethernet0/1
mls qos trust dscp

Enter the following to see the trust state of the interfaces:

show mls qos interface

Additionally the 2950 can only understand certain DSCP values (0,8,10,16,18,24,26,32,34,40,46,48 & 56) so make sure your equipment sets one it can understand.

You should also tailor your service-policy to accurately reflect the amount of bandwidth you will need; the RTP traffic should be placed into the strict priority queue (LLQ) and the signalling should be placed into its own queue. There is a tool on CCO for calculating what is required based on link types, codecs etc (Voice Codec Bandwidth Calculator).

Andy



Andy

 

[BuckWeet]

on the 2950's make sure you use 'mls trust qos dscp pass-through cos'


BuckWeet

 

[kenmiecomputer]

OK, I put the "mls qos trust dscp" on the port of one of the phones, on the port going to the router and on the port going to the phone system...

I now see this

FastEthernet0/1
trust state: trust dscp
trust mode: trust dscp
COS override: dis
default COS: 0
pass-through: none
trust device: none

the "mls trust qos dscp pass-through cos" is not a valid command but I do see there must be a way to configure pass-through as it's shown in the mls qos display...

when I view the policy map I still don't see any packets in the priority queue... any ideas?

 

[kenmiecomputer]

Additional info that may help too...

The router is on port 24 of switch #1
The phone is on port 10 of switch #1
The phone system is on port 19 of switch #2
Switch #1 Gig/01 is connected to Switch #2 Gig/02

 

[kenmiecomputer]

this command works "mls qos trust cos pass-through dscp"

Now I see the below when I do a "show mls qos int fa0/10"

FastEthernet0/10
trust state: not trusted
trust mode: not trusted
COS override: dis
default COS: 0
pass-through: dscp
trust device: none

sorry to bombard you with so much, will try this and brb,

 

[kenmiecomputer]

OK, still no go... I did find this "On interfaces configured as Layer 2 802.1Q trunks, all traffic is in 802.1Q frames except for traffic in the native VLAN" Since I only have 1 VLAN I'm thinking this may be my problem? If so, how can I do QOS without implementing VLANs?

 

[ADB100]

If your devices are correctly setting the DSCP values then you can use these for QoS, much more granular than CoS or IP Precedence (64 states as opposed to 8).

You should also enable expedite queueing on the 2950 to correctly handle the voice traffic. I have the following configured:

wrr-queue bandwidth 10 20 70 0

This sets queue 4 as the expedite queue and allocates weights for the other 3 queues (Q1 10%, Q2 20% & Q3 70%).

mls qos map cos-dscp 0 8 16 24 34 46 48 56

This sets the CoS-to-DSCP Mappings (CoS 0 to DSCP 0, CoS 1 to DSCP 8, CoS 2 to DSCP 16 etc).

Set your interfaces to trust DSCP and then check out the counters for WAN router service-policy.

Andy

 

[ADB100]

Also remap the CoS to Queue maps as follows:

wrr-queue cos-map 1 0 1
wrr-queue cos-map 2 2 3
wrr-queue cos-map 3 4 6 7
wrr-queue cos-map 4 5

This allows CoS 5 (which will be DSCP 46 & 40) to use the egress expedite queue. It also sets the voice signalling and router traffic to queue 3. DSCP 34 for signalling is unusual, Cisco use either 24 or 26 (CS3 or AF31) depending on the code. Latest recommendations are CS3 (DSCP 24) for signalling.

Andy

 

[kenmiecomputer]

I changed back to trusting DSCP, implemented the wrr-queue and mls qos mappings but I still see nothing in the queue on the router.

I confirmed with Avaya last week and they are doing DSCP 46 for audio and DSCP 34 for signaling.

Everybody has gone home from the remote sites so I can't make a call across to WAN now so I'm not sure if I can even test this? I'm assuming even with no calls some signaling traffic will still be going on?

Here are the latest configurations, I'm hoping you can see something that I've obviously done wrong...

Router:

Current configuration : 1661 bytes
!
version 12.2
{DELETED}
!
class-map match-any VoIP
match ip dscp ef
match ip dscp af41
!
policy-map voipQoS
class VoIP
priority 768
class class-default
fair-queue
random-detect dscp-based
!
interface FastEthernet0/0
no ip address
speed auto
!
interface FastEthernet0/0.1
encapsulation dot1Q 1 native
ip address x.x.x.x x.x.x.x
!
interface Serial0/0
bandwidth 1544
no ip address
service-policy output voipQoS
encapsulation frame-relay
no ip mroute-cache
service-module t1 timeslots 1-24
frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
description Verizon Internet Services
ip address x.x.x.x x.x.x.x
frame-relay interface-dlci 100 IETF
!
{DELETED}
end
_______________________

Switch #1:

Current configuration : 4527 bytes
!
version 12.1
!
{DELETED}
!
wrr-queue bandwidth 10 20 70 0
wrr-queue cos-map 1 0 1
wrr-queue cos-map 2 2 3
wrr-queue cos-map 3 4 6 7
wrr-queue cos-map 4 5
mls qos map cos-dscp 0 8 16 24 34 46 48 56
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
{DELETED}
!
interface FastEthernet0/10
description PHONE TEST PORT
switchport mode trunk
switchport priority extend trust
no ip address
duplex full
speed 100
mls qos trust dscp
spanning-tree portfast
!
{DELETED}
!
interface FastEthernet0/24
description ROUTER PORT
switchport mode trunk
switchport priority extend trust
no ip address
duplex full
speed 100
mls qos trust dscp
spanning-tree portfast
!
interface GigabitEthernet0/1
description LINK TO SWITCH 2
switchport mode trunk
switchport priority extend trust
no ip address
speed 1000
mls qos trust dscp
!
{DELETED}
!
interface Vlan1
ip address x.x.x.x x.x.x.x
no ip route-cache
!
end
_______________

Switch #2:

Current configuration : 4527 bytes
!
version 12.1
!
{DELETED}
!
wrr-queue bandwidth 10 20 70 0
wrr-queue cos-map 1 0 1
wrr-queue cos-map 2 2 3
wrr-queue cos-map 3 4 6 7
wrr-queue cos-map 4 5
mls qos map cos-dscp 0 8 16 24 34 46 48 56
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
{DELETED}
!
interface FastEthernet0/19
description AVAYA PHONE SYSTEM
switchport mode trunk
switchport priority extend trust
no ip address
duplex full
speed 100
mls qos trust dscp
spanning-tree portfast
!
{DELETED}
!
interface GigabitEthernet0/2
description LINK TO SWITCH 1
switchport mode trunk
switchport priority extend trust
no ip address
speed 1000
mls qos trust dscp
!
interface Vlan1
ip address x.x.x.x x.x.x.x
no ip route-cache
!
{DELETED}
end

 

[ADB100]

The trunking seems overkill if you are just running a single VLAN IMO. I also don't know why you have the 'switchport priority extend trust' configured, as this conflicts with the 'mls qos trust' commands, I would remove it and just have 'mls qos trust dscp'. the link to the router is also configured as a trunk without any tagged VLAN's - again this is just overkill IMO.

Since the LLQ is effectively a FIFO queue allocating anything more than 33% of the total link bandwidth to it is not recommended, you have allocated 768k out of 1544k which is almost half.

To verify if the PABX is setting the correct DSCP values you could SPAN a port and put a sniffer on.

You could also try an extended ping from the 2950 and set the TOS byte to 184 (equivilent of DSCP 46), this should trigger the counters in the policy.


Andy

 

[kenmiecomputer]

I removed the trunking (didn't think I needed it either since we didn't have VLAN's but the vendor that installed this system is useless for help so all I have had is their "recommended Cisco settings") anyway that is another story...

I also removed the "switchport priority extend trust", that was my attempt to get the switch to accept the tagging.

I adjusted the 768k to 512k, again the 768k was in the vendors documenation as to what to set it to...

The switch ports now look like:

interface FastEthernet0/1
no ip address
duplex full
speed 100
mls qos trust dscp
spanning-tree portfast

I also removed the subinterface on the Router, thereby removing the dot1q encapsulation and just put the IP back on the int fa0/0.

I tried pinging the remote sites from the 2950 with a TOS of 184 and the router still did not prioritize the packets.

I do see that the counters are increasing for the dscp of cs6 as well as the "default" dscp, if that helps you any.

I hate to say it but now what?

 

[kenmiecomputer]

I don't suppose the cs6 packets I'm seeing when I do a show policy map would be the packets I'm looking for would they? Are the DSCP markings getting translated into a COS of 6 and I'm looking for the wrong thing? ie DSCP of 46 instead of COS of 6

 

[kenmiecomputer]

well now it gets more interesting. I went to program the remote switches/routers with what we had so far and ran into problems...

There are two switches at the main location they are WS-C2950-T running enhanced, there are two remote locations with a single WS-C2950 which are only running the standard image... standard image does not allow "mls qos trust dscp", it only allows cos... they also will not allow me to do "mls qos map cos-dscp 0 8 16 24 34 46 48 56

 

[ADB100]

Standard image does not support trusting DSCP. The CS6 packets are packets sourced by the router usually (routing updates, keepalives etc).

I just tried an extended ping with TOS 184 to my PC from a 2950-T running 12.1(22)EA2 (enhanced image) and captured it with Ethereal and I can see the DSCP 46 being set so you should see the same. Why not try this to make sure DSCP is being set.

Just to elimate the switches can you not connect the PABX directly to the router with a cross-over cable and see if the counters increase?


Andy

 

[kenmiecomputer]

So I'll need to upgrade the remote switches with a new IOS?

I got ethereal and here is what was captured from the ping. Does it look correct?

0000 00 0b cd 9e b2 7b 00 0d 29 8f ee 80 08 00 45 b8 .....{..).....E.
0010 00 64 00 87 00 00 ff 01 a2 74 0a 01 01 e6 0a 01 .d.......t......
0020 01 fe 08 00 c9 46 1c db 05 5b 00 00 00 01 e2 53 .....F...[.....S
0030 b0 78 ab cd ab cd ab cd ab cd ab cd ab cd ab cd .x..............
0040 ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd ................
0050 ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd ................
0060 ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd ................
0070 ab cd ..

 

[kenmiecomputer]

I realize now that DSCP 46 should be a hex value of 2E so it looks like the DSCP is not being sent, back to the drawing board...

 

[ADB100]

Enhanced Image is platform dependant - There is a single IOS image for both SI & EI but the enhanced features are only available on certain 2950 switches - I think all the ones with Gigabit Ethernet ports? I assume the remote 2950's don't have any Gig uplink ports?

In your trace the TOS Byte is set to 0xB8 (184 decimal) which is DSCP 46 - binary 10111000, the last 2 bits are not used and are set to 0 101110 is Decimal 46; EF.

It is directly after the Header length field, in this case '0x45' - 20. Destination MAC '000bcdb27b00' Source MAC '0d298fee80' Ethertype '0800' header length 45 and TOS Field 'b8'.

Whether trust DSCP is enabled or disabled the DSCP field remains the same. I have also connected 2 2950's together with a cross-over cable; 1 running SI the other EI and ran ping between 2 hosts (setting TOS to 184) and I see the DSCP set every time.

Andy

 

[kenmiecomputer]

You are correct, the remotes do not have the gig uplinks.

If DSCP is working correctly on my switches and the router is not seeing it could it be an issue with the firewall (SonicWALL TZ170) between the switch and router or do I have a router configuration issue still?

 

[ADB100]

Ahh, a piece of info you forgot to mention........

I don't know much about the SonicWALL Firewall so can't really help you there, sorry.

I had a quick search on Google but I can't see anything specific. If you have the documentation for the SonicWALL then I suggest you have a look for QoS and DSCP etc.

One thing I noticed with the 2950 is if you trust CoS on a trunk port the DSCP values are re-written unless you enable DSCP pass-through as well:

mls qos trust cos pass-through dscp

Andy