
Simple Cisco QOS needed

mfoc

MIS
Feb 10, 2004
37
US
Site B:
Checkpoint VPN1-Edge providing QOS and VPN connection to Site A (VPN to Site A Checkpoint). Public network: 1.2.3.4/24

Site A:
Cisco 2800 edge with Checkpoint behind it. T1 Multilink (2 x T1) Internet connection.

I need a simple QOS policy to put in place that will boost performance for ALL traffic going to and from the Site B network. It doesn't necessarily have to be VOIP specific. I've searched the forums and every solution seems to be different.
 
As you don't need to give priority to any particular traffic stream, you don't really need a QoS configuration - you just need to perhaps tinker with and implement typical link efficiency mechanisms. Such mechanisms include:

1. Link fragmentation and interleaving.

2. You mention voice so if you are running VOIP on this link, you want to introduce some RTP header compression.

The following link explains more about each of these (follow the additional links for pointers about configuring them):


3. You could also perform standard WAN compression which can take multiple forms. The one you choose may depend on the kind of traffic that is passing over the link. The following URL explains more about the compression algorithms available:

 
Thanks for the response.

Does it matter that the interface at Site A is functioning as that office's entire Internet connection? If I apply your aforementioned mechanisms, won't it affect more than just the Site A to Site B traffic?
 
Oh ok that's a bit clearer. You may need QoS after all. Can you tell me what IP subnets are in use at Site B and I will draft a QoS policy for you. Also can you provide a current running configuration ("show running") output from the 2800 router at Site A.
 
I clenched my teeth and used the SDM QoS Wizard. Here's what it gave me (some items obviously removed for security purposes):

Current configuration : 9512 bytes
!
version 12.4
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname XXXX
!
boot-start-marker
boot-end-marker
!
card type t1 0 1
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 52000 debugging
logging console critical
enable secret 5 XXXX
!
no aaa new-model
!
resource policy
!
no network-clock-participate wic 1
ip subnet-zero
!
!
ip cef
no ip dhcp use vrf connected
!
!
no ip ips deny-action ips-interface
ip name-server xxx.xx.x.x
!
!
!
!
!
username XXXX privilege 15 secret 5 XXXX.
username XXXX privilege 15 secret 5 XXXX.
!
!
controller T1 0/1/0
framing esf
linecode b8zs
channel-group 0 timeslots 1-24
!
controller T1 0/1/1
framing esf
linecode b8zs
channel-group 0 timeslots 1-24
!
class-map match-any SDMSVideo-Multilink1
match protocol cuseeme
match protocol netshow
match protocol rtsp
match protocol streamwork
match protocol vdolive
class-map match-any SDMIVideo-Multilink1
match protocol rtp video
class-map match-any SDMManage-Multilink1
match protocol dhcp
match protocol dns
match protocol imap
match protocol kerberos
match protocol ldap
match protocol secure-imap
match protocol secure-ldap
match protocol snmp
match protocol socks
match protocol syslog
class-map match-any SDMSignal-Multilink1
match protocol h323
match protocol rtcp
class-map match-any SDMRout-Multilink1
match protocol bgp
match protocol egp
match protocol eigrp
match protocol ospf
match protocol rip
match protocol rsvp
class-map match-any SDMBulk-Multilink1
match protocol exchange
match protocol ftp
match protocol irc
match protocol nntp
match protocol pop3
match protocol printer
match protocol secure-ftp
match protocol secure-irc
match protocol secure-nntp
match protocol secure-pop3
match protocol smtp
match protocol tftp
class-map match-any SDMScave-Multilink1
match protocol napster
match protocol fasttrack
match protocol gnutella
class-map match-any SDMTrans-Multilink1
match protocol citrix
match protocol finger
match protocol notes
match protocol novadigm
match protocol pcanywhere
match protocol secure-telnet
match protocol sqlnet
match protocol sqlserver
match protocol ssh
match protocol telnet
match protocol xwindows
class-map match-any SDMVoice-Multilink1
match protocol rtp audio
!
!
policy-map SDM-Pol-Multilink1
class SDMVoice-Multilink1
priority percent 70
set dscp ef
class SDMManage-Multilink1
bandwidth remaining percent 3
set dscp cs2
class SDMRout-Multilink1
bandwidth remaining percent 3
set dscp cs6
class SDMTrans-Multilink1
bandwidth remaining percent 33
set dscp af21
class SDMSignal-Multilink1
bandwidth remaining percent 40
set dscp cs3
!
!
!
!
!
!
!
interface Null0
no ip unreachables
!
interface Multilink1
description ****** Qwest CID: XXXX ******
bandwidth 3072
ip address xxx.xx.x.x 255.255.255.252
ip nbar protocol-discovery
ntp disable
ppp multilink
ppp multilink fragment disable
ppp multilink group 1
service-policy output SDM-Pol-Multilink1
!
interface FastEthernet0/0
description Connected to CPCORP$ETH-LAN$$FW_INSIDE$
ip address xxx.xx.x.x 255.255.255.128
ip access-group 100 in
no ip unreachables
ip route-cache flow
duplex auto
speed auto
!
interface FastEthernet0/1
description $FW_INSIDE$$ETH-LAN$
ip address xxx.xx.x.x 255.255.252.0
ip access-group 104 in
no ip unreachables
duplex auto
speed auto
!
interface Serial0/0/0
description ****** Qwest CID: XXXX ******$FW_OUTSIDE$
ip address xxx.xx.x.x 255.255.255.252
no ip unreachables
ip policy route-map cisco
ntp disable
!
interface Serial0/1/0:0
description ****** Qwest CID: XXXX ******
no ip address
encapsulation ppp
ppp multilink
ppp multilink group 1
!
interface Serial0/1/1:0
description ****** Qwest CID: XXXX ******
no ip address
encapsulation ppp
ppp multilink
ppp multilink group 1
!
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.xx.x.x
ip route xxx.xx.x.x 255.255.252.0 xxx.xx.x.x
ip route xxx.xx.x.x 255.255.255.0 xxx.xx.x.x
ip route xxx.xx.x.x 255.255.255.0 xxx.xx.x.x
ip route xxx.xx.x.x 255.255.255.0 xxx.xx.x.x
!
no ip http server
ip http access-class 1
ip http secure-server
!
logging trap debugging
logging facility local1
logging xxx.xx.x.x
access-list 1 remark HTTP Access-class list
access-list 1 remark SDM_ACL Category=1
access-list 1 permit xxx.xx.x.x
access-list 1 permit xxx.xx.x.x 0.0.0.3
access-list 1 permit xxx.xx.x.x 0.0.3.255
access-list 1 permit xxx.xx.x.x 0.0.0.127
access-list 1 deny any
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark SDM_ACL Category=1
access-list 100 permit tcp host xxx.xx.x.x host xxx.xx.x.x eq 22
access-list 100 permit tcp host xxx.xx.x.x host xxx.xx.x.x eq 443
access-list 100 permit tcp host xxx.xx.x.x host xxx.xx.x.x eq cmd
access-list 100 deny tcp any host xxx.xx.x.x eq telnet
access-list 100 deny tcp any host xxx.xx.x.x eq 22
access-list 100 deny tcp any host xxx.xx.x.x eq www
access-list 100 deny tcp any host xxx.xx.x.x eq 443
access-list 100 deny tcp any host xxx.xx.x.x eq cmd
access-list 100 deny udp any host xxx.xx.x.x eq snmp
access-list 100 permit ip any any
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny pim any any
access-list 101 permit ip any any
access-list 101 permit gre any host xxx.xx.x.x
access-list 101 permit tcp any host xxx.xx.x.x eq 1723
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip host xxx.xx.x.x any
access-list 103 remark Auto generated by SDM Management Access feature
access-list 103 remark SDM_ACL Category=1
access-list 103 permit ip host xxx.xx.x.x any
access-list 104 remark Auto generated by SDM Management Access feature
access-list 104 remark SDM_ACL Category=1
access-list 104 permit tcp host xxx.xx.x.x host xxx.xx.x.x eq 22
access-list 104 permit tcp host xxx.xx.x.x host xxx.xx.x.x eq 443
access-list 104 permit tcp host xxx.xx.x.x host xxx.xx.x.x eq cmd
access-list 104 deny tcp any host xxx.xx.x.x eq telnet
access-list 104 deny tcp any host xxx.xx.x.x eq 22
access-list 104 deny tcp any host xxx.xx.x.x eq www
access-list 104 deny tcp any host xxx.xx.x.x eq 443
access-list 104 deny tcp any host xxx.xx.x.x eq cmd
access-list 104 deny udp any host xxx.xx.x.x eq snmp
access-list 104 permit ip any any
access-list 130 permit ip xxx.xx.x.x 0.0.255.255 any
route-map cisco permit 10
match ip address 130
set default interface FastEthernet0/1
!
!
!
control-plane
!
!
banner login ^CAuthorized access only
This system is the property of My Company, LLC.
Disconnect IMMEDIATELY as you are not an authorized user!
Contact email address 555-555-5555.
^C
!
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
access-class 102 in
privilege level 15
login local
transport input ssh
line vty 5 15
access-class 103 in
privilege level 15
login local
transport input ssh
!
scheduler allocate 20000 1000
ntp clock-period 17180204
ntp server xxx.xx.x.xx
!
end
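
Added example, not part of the thread and not the poster's own tooling: a short Python check over the QoS section of the configuration posted above, listing the class-maps that the policy-map never references and the match criteria the classes use. The function name audit and the shortened CONFIG excerpt are assumptions made for illustration.

```python
# QoS section of the posted config, match lists shortened to one entry per class.
CONFIG = """\
class-map match-any SDMSVideo-Multilink1
match protocol rtsp
class-map match-any SDMIVideo-Multilink1
match protocol rtp video
class-map match-any SDMManage-Multilink1
match protocol dns
class-map match-any SDMSignal-Multilink1
match protocol h323
class-map match-any SDMRout-Multilink1
match protocol bgp
class-map match-any SDMBulk-Multilink1
match protocol ftp
class-map match-any SDMScave-Multilink1
match protocol gnutella
class-map match-any SDMTrans-Multilink1
match protocol citrix
class-map match-any SDMVoice-Multilink1
match protocol rtp audio
policy-map SDM-Pol-Multilink1
class SDMVoice-Multilink1
priority percent 70
class SDMManage-Multilink1
bandwidth remaining percent 3
class SDMRout-Multilink1
bandwidth remaining percent 3
class SDMTrans-Multilink1
bandwidth remaining percent 33
class SDMSignal-Multilink1
bandwidth remaining percent 40
"""

def audit(config):
    """Return (class-maps no policy references, match criteria in use)."""
    matches, used, current = {}, set(), None
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["class-map"]:
            current = matches.setdefault(words[-1], [])
        elif words[:1] == ["match"] and current is not None:
            current.append(words[1])      # criterion keyword: protocol, access-group, ...
        else:
            current = None                # any other line ends the class-map body
            if words[:1] == ["class"]:
                used.add(words[1])        # class referenced inside a policy-map
    unused = sorted(set(matches) - used)
    return unused, sorted({kw for kws in matches.values() for kw in kws})
```

On the posted policy the bulk, scavenger and both video classes are defined but never given a queue, and every class matches on protocol only, so nothing in it distinguishes Site B traffic from the rest of the Internet traffic leaving Multilink1.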

 
Hi

Just a reminder to let me know what IP subnet(s) are in use at your site B
 