Friday, September 28, 2012

VoIP QoS on Cisco 3560 Switches with Polycom and Cisco IP Phones

Today we are going to set up network Quality of Service (QoS) for Voice over IP (VoIP) traffic generated by Polycom and Cisco IP phones. Our goal is to tag the VoIP packets so that they are placed in a priority outgoing queue: if the available bandwidth is saturated, the VoIP packets will be the last ones to be dropped by the switch. VoIP is a delay-sensitive application while bulk data transfers are not. When a switch port gets more data than it can handle, the switch will start dropping packets. If a VoIP packet is dropped, people having a conversation will hear a glitch. We don't want that, and this is why we must treat the VoIP packets differently from other data packets.

Topology


It's always easier to understand network modifications when we have a topology plan. So here it is :

Figure 1: Example Network Topology

A larger PDF version is also available.

From the topology, we can see that voice traffic follows this path :

IP phone > WS-C3560-48PS-S > WS-C3560G-24TS-S > SonicWall 2400 X4 VoIP interface > SonicWall 2400 X1 WAN interface > WS-C3560G-24TS-S > ISP

As you might imagine, the ISP connected WS-C3560G-24TS switch has three VLANs:
  • VLAN 300 is the VoIP VLAN.
  • VLAN 144 is the WAN (or ISP) VLAN.
  • VLAN 200 is the Management VLAN.
In this example, the WS-C3560-48PS switches are connected to two types of IP phones :

A Little Theory


By default, both Polycom and Cisco IP phones will add a « voice » tag to all the packets they generate. This tag can take two different forms :
The Polycom IP phones will use DSCP while the Cisco IP phones use CoS (I'm not 100 % sure on this, anyone?). The idea here is to configure each device in the packet path to « trust » the packet tag from the other device. Otherwise the packet's tag is not honored.

Configuration


We will start our configuration with the two devices the IP phones are connected to : these are the two WS-C3560-48PS. They can be reached at 172.16.1.2/24 and 172.16.1.3/24. Once both of those devices are configured, we will configure the switch found at 172.16.1.1/24. I assume that all switches already have IP addresses and that SSH is working on all of them. I also assume you have a user that can perform administrative functions.

First WS-C3560-48PS Switch


Connect to the switch and check the interfaces. In this example, also assume that interfaces Fa0/1 to Fa0/47 all start with the same configuration. In a real life scenario, make sure this is true!

ssh 172.16.1.2
switch> enable
switch# sh run int fa0/1
!
interface FastEthernet0/1
 switchport access vlan 300
 switchport mode access
 speed 100
 duplex full
 no cdp enable
end

The interface is set to 100 Mb/s full duplex. It does not send CDP packets. It is in access mode and in VLAN 300, but we don't know what that VLAN is at the moment. Let's check our VLAN Trunking Protocol (VTP) status.

switch# sh vtp status
VTP Version capable             : 1 to 3
VTP version running             : 1
VTP Domain Name                 : dmz
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Enabled
Device ID                       : 0018.19a9.2800
Configuration last modified by 172.16.1.2 at 3-8-93 23:56:45

Feature VLAN:
--------------
VTP Operating Mode                : Client
Maximum VLANs supported locally   : 1005
Number of existing VLANs          : 9
Configuration Revision            : 20
MD5 digest                        : 0x3B 0x54 0xC1 0x4F 0x88 0x4B 0x84 0xBB 
                                    0xC1 0x82 0x8C 0x07 0x5B 0x27 0x96 0x28 

Ok, so we are a VTP client. Let's check our current VLAN status then.

switch# sh vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/2, Gi0/4
19   DMZ                              active    
144  WAN ISP                          active    
200  Management                       active    Fa0/48
300  VoIP                             active    Fa0/1, Fa0/2, Fa0/3, Fa0/4, Fa0/5, Fa0/6, Fa0/7, Fa0/8, Fa0/9, Fa0/10, Fa0/11, Fa0/12, Fa0/13, Fa0/14, Fa0/15, Fa0/16, Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24, Fa0/25, Fa0/26, Fa0/27, Fa0/28, Fa0/29, Fa0/30, Fa0/31, Fa0/32, Fa0/33, Fa0/34, Fa0/35, Fa0/36, Fa0/37, Fa0/38
                                                Fa0/39, Fa0/40, Fa0/41, Fa0/42, Fa0/43, Fa0/44, Fa0/45, Fa0/46, Fa0/47
1002 fddi-default                     act/unsup 
1003 token-ring-default               act/unsup 
1004 fddinet-default                  act/unsup 
1005 trnet-default                    act/unsup 

We can see that VLAN 300 is indeed our VoIP VLAN. We also see that interface Fa0/48 is connected to the Management VLAN. According to our topology map, interface Gi0/3 is our connection to the WS-C3560G-24TS switch. If it's not listed here, it must be a trunk then. Let's check.

switch# sh int status | inc Gi0/3
Gi0/3     c3560g VoIP trunk  connected    trunk      a-full a-1000 1000BaseSX SFP

switch# sh run int gi0/3
!
interface GigabitEthernet0/3
 description c3560g VoIP trunk
 switchport trunk encapsulation dot1q
 switchport mode trunk
end

So indeed it is. Our first task is to discover which ports have which IP phone. The reason is simple : Polycom IP phones and Cisco IP phones do not have the same configuration. Cisco IP phones support a tightly integrated configuration with the Cisco switches, but the Polycom phones do not. We thus need to configure each port differently depending on which type of phone is connected to it.

Luckily for us, both types of devices support the Cisco Discovery Protocol (CDP). So let's start CDP and check its status.

switch# conf t
switch(config)# cdp run
switch(config)# end
switch# sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone, 
                  D - Remote, C - CVTA, M - Two-port Mac Relay 

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
core.company.com
                 Fas 0/48          129             R S I  WS-C4507R Fas 5/44
wan.company.com
                 Gig 0/3           130              S I   WS-C3560G Gig 0/27

Hummm, we don't see any IP phones here. That's because CDP is disabled on all interfaces except those two. Let's enable it on all the other FastEthernet interfaces.

switch# conf t
switch(config)# int range fa0/1 - 47
switch(config-if-range)# cdp enable
switch(config-if-range)# end

Now let's see if we have those phones now.

switch# sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone, 
                  D - Remote, C - CVTA, M - Two-port Mac Relay 

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
core.company.com
                 Fas 0/48          129             R S I  WS-C4507R Fas 5/44
wan.company.com
                 Gig 0/3           130              S I   WS-C3560G Gig 0/27

Weird, still no phones. I'm not quite sure why (someone knows?), but one trick to get them to talk CDP again is to shut down the interfaces and bring them back online again.

WARNING : this command will shut down all voice operations on that switch. Make sure you have authorization to do this!

switch# conf t
switch(config)# int range fa0/1 - 47
switch(config-if-range)# shutdown
switch(config-if-range)# no shutdown
switch(config-if-range)# end

Most IP phones are Power over Ethernet (PoE) devices. So by doing a shutdown on the interfaces, we also cut the power supply of all the connected IP phones. So if we looked at CDP right after that, we would not see anything new. Why? Because we need to wait for the IP phones to boot and start sending CDP packets. This takes about two or three minutes. After that delay, we check the CDP again.

switch# sh cdp nei
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone, 
                  D - Remote, C - CVTA, M - Two-port Mac Relay 

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
SEP0004f22ebe3e  Fas 0/30          144              H P   Polycom S Port 1
SEP0004f235b3f6  Fas 0/12          145              H P   Polycom S Port 1
SEP0004f22ec344  Fas 0/6           143              H P   Polycom S Port 1
SEP0004f22ebe3f  Fas 0/36          146              H P   Polycom S Port 1
SEP0004f22ec122  Fas 0/28          136              H P   Polycom S Port 1
SEP0004f22c72b3  Fas 0/33          141              H P   Polycom S Port 1
SEP0004f22ec100  Fas 0/9           136              H P   Polycom S Port 1
SEP0004f22cce0b  Fas 0/37          124              H P   Polycom S Port 1
SEP0004f235ad32  Fas 0/8           140              H P   Polycom S Port 1
SEP0004f2318999  Fas 0/34          142              H P   Polycom S Port 1
SEP0004f22ed7fa  Fas 0/14          141              H P   Polycom S Port 1
SEP0004f216a70a  Fas 0/47          142              H P   Polycom S Port 1
SEP0004f22ed0ba  Fas 0/15          141              H P   Polycom S Port 1
SEP0004f22ec3fa  Fas 0/19          138              H P   Polycom S Port 1
SEP0004f22eb0fc  Fas 0/10          140              H P   Polycom S Port 1
SEP0004f22eb037  Fas 0/13          140              H P   Polycom S Port 1
SEP0004f2318675  Fas 0/16          143              H P   Polycom S Port 1
SEP0004f22ec282  Fas 0/29          142              H P   Polycom S Port 1
SEP0004f22ed619  Fas 0/23          139              H P   Polycom S Port 1
SEP0004f22ed718  Fas 0/21          143              H P   Polycom S Port 1
SEP0004f22eb109  Fas 0/3           141              H P   Polycom S Port 1
SEP0004f22ebdb9  Fas 0/26          144              H P   Polycom S Port 1
core.company.com
                 Fas 0/48          133             R S I  WS-C4507R Fas 5/44
SEP0004f22ed758  Fas 0/46          139              H P   Polycom S Port 1
SEP0004f2358788  Fas 0/5           138              H P   Polycom S Port 1
wan.company.com
                 Gig 0/3           134              S I   WS-C3560G Gig 0/27
SIP1CDF0F4A6A5B  Fas 0/38          168              H P   IP Phone  Port 1
SEP0004f22eb17d  Fas 0/32          139              H P   Polycom S Port 1
SEP0004f22ed72b  Fas 0/35          140              H P   Polycom S Port 1
SEP0004f22ec3d7  Fas 0/24          146              H P   Polycom S Port 1
SEP0004f22eb3e7  Fas 0/31          145              H P   Polycom S Port 1
SEP0004f22ed03d  Fas 0/4           136              H P   Polycom S Port 1
SEP0004f22ec13c  Fas 0/20          140              H P   Polycom S Port 1
SEP0004f22ec05d  Fas 0/7           145              H P   Polycom S Port 1
SEP0004f2e4c11a  Fas 0/44          138              H P   Polycom S Port 1
SEP0004f22ed6a5  Fas 0/17          136              H P   Polycom S Port 1
SEP0004f22ec2e9  Fas 0/25          145              H P   Polycom S Port 1
SIP1CDF0F4A676B  Fas 0/18          164              H P   IP Phone  Port 1
SEP0004f22902f7  Fas 0/42          139              H P   Polycom S Port 1
SIP1CDF0F4A6A66  Fas 0/27          132              H P   IP Phone  Port 1

Ah ha! That's better. We now have a complete list of which type of phone is connected to which port. The ports with Cisco IP phones connected are :

switch# sh cdp nei | inc IP Phone
SIP1CDF0F4A6A5B  Fas 0/38          152              H P   IP Phone  Port 1
SIP1CDF0F4A676B  Fas 0/18          145              H P   IP Phone  Port 1
SIP1CDF0F4A6A66  Fas 0/27          172              H P   IP Phone  Port 1

While the ports with Polycom phones connected are :

switch# sh cdp nei | inc Polycom 
SEP0004f22ebe3e  Fas 0/30          123              H P   Polycom S Port 1
SEP0004f235b3f6  Fas 0/12          123              H P   Polycom S Port 1
SEP0004f22ec344  Fas 0/6           122              H P   Polycom S Port 1
SEP0004f22ebe3f  Fas 0/36          125              H P   Polycom S Port 1
SEP0004f22ec122  Fas 0/28          174              H P   Polycom S Port 1
SEP0004f22c72b3  Fas 0/33          179              H P   Polycom S Port 1
SEP0004f22ec100  Fas 0/9           175              H P   Polycom S Port 1
SEP0004f22cce0b  Fas 0/37          163              H P   Polycom S Port 1
SEP0004f235ad32  Fas 0/8           178              H P   Polycom S Port 1
SEP0004f2318999  Fas 0/34          120              H P   Polycom S Port 1
SEP0004f22ed7fa  Fas 0/14          120              H P   Polycom S Port 1
SEP0004f216a70a  Fas 0/47          120              H P   Polycom S Port 1
SEP0004f22ed0ba  Fas 0/15          179              H P   Polycom S Port 1
SEP0004f22ec3fa  Fas 0/19          177              H P   Polycom S Port 1
SEP0004f22eb0fc  Fas 0/10          178              H P   Polycom S Port 1
SEP0004f22eb037  Fas 0/13          178              H P   Polycom S Port 1
SEP0004f2318675  Fas 0/16          121              H P   Polycom S Port 1
SEP0004f22ec282  Fas 0/29          120              H P   Polycom S Port 1
SEP0004f22ed619  Fas 0/23          177              H P   Polycom S Port 1
SEP0004f22ed718  Fas 0/21          122              H P   Polycom S Port 1
SEP0004f22eb109  Fas 0/3           120              H P   Polycom S Port 1
SEP0004f22ebdb9  Fas 0/26          123              H P   Polycom S Port 1
SEP0004f22ed758  Fas 0/46          178              H P   Polycom S Port 1
SEP0004f2358788  Fas 0/5           176              H P   Polycom S Port 1
SEP0004f22eb17d  Fas 0/32          177              H P   Polycom S Port 1
SEP0004f22ed72b  Fas 0/35          178              H P   Polycom S Port 1
SEP0004f22ec3d7  Fas 0/24          124              H P   Polycom S Port 1
SEP0004f22eb3e7  Fas 0/31          123              H P   Polycom S Port 1
SEP0004f22ed03d  Fas 0/4           175              H P   Polycom S Port 1
SEP0004f22ec13c  Fas 0/20          178              H P   Polycom S Port 1
SEP0004f22ec05d  Fas 0/7           123              H P   Polycom S Port 1
SEP0004f2e4c11a  Fas 0/44          177              H P   Polycom S Port 1
SEP0004f22ed6a5  Fas 0/17          175              H P   Polycom S Port 1
SEP0004f22ec2e9  Fas 0/25          123              H P   Polycom S Port 1
SEP0004f22902f7  Fas 0/42          178              H P   Polycom S Port 1
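
Turning this output into `int range` lists by hand is easy to get wrong on a 48-port switch. The following added example (not part of the original post) parses `sh cdp nei` output, including device IDs that wrap onto their own line, and builds one range per phone type; the sample is a constructed subset of the output above and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the "sh cdp nei" lines shown above, including
# the two-line form used when the device ID is too long for its column.
SAMPLE = """\
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
SEP0004f22ebe3e  Fas 0/30          144              H P   Polycom S Port 1
SEP0004f22ec344  Fas 0/6           143              H P   Polycom S Port 1
core.company.com
                 Fas 0/48          133             R S I  WS-C4507R Fas 5/44
SEP0004f2358788  Fas 0/5           138              H P   Polycom S Port 1
SIP1CDF0F4A6A5B  Fas 0/38          168              H P   IP Phone  Port 1
SEP0004f22ed03d  Fas 0/4           136              H P   Polycom S Port 1
SEP0004f22ec05d  Fas 0/7           145              H P   Polycom S Port 1
SIP1CDF0F4A676B  Fas 0/18          164              H P   IP Phone  Port 1
SIP1CDF0F4A6A66  Fas 0/27          132              H P   IP Phone  Port 1
"""

ROW = re.compile(
    r"(?P<type>Fas|Gig) (?P<mod>\d+)/(?P<port>\d+)\s+"  # local interface
    r"(?P<hold>\d+)\s+"                                  # holdtime
    r"(?P<caps>[A-Za-z](?: [A-Za-z])*)\s{2,}"            # capability codes
    r"(?P<platform>.+?)\s+"                              # platform, may contain a space
    r"(?P<remote>(?:Port|Fas|Gig) \S+)\s*$"              # remote port ID
)
PREFIX = {"Fas": "fa", "Gig": "gi"}


def parse_cdp(text):
    """Return one dict per neighbor, joining wrapped device IDs to their row."""
    neighbors, pending = [], None
    for line in text.splitlines():
        m = ROW.search(line)
        if not m:
            # No interface columns: header text, or a long device ID whose
            # columns continue on the next line (a single token, no spaces).
            stripped = line.strip()
            pending = stripped if stripped and " " not in stripped else None
            continue
        neighbors.append({
            "device": line[:m.start()].strip() or pending,
            "type": m["type"], "mod": int(m["mod"]), "port": int(m["port"]),
            "caps": m["caps"].split(), "platform": m["platform"],
        })
        pending = None
    return neighbors


def phone_kind(n):
    """Classify the way the post does with '| inc'. CDP is unauthenticated,
    so the platform string is only what the device claims to be."""
    if "P" not in n["caps"]:
        return "other"
    if n["platform"].startswith("Polycom"):
        return "polycom"
    if n["platform"] == "IP Phone":
        return "cisco"
    return "other"


def compress(ports):
    """[4, 5, 6, 7, 30] -> [(4, 7), (30, 30)]"""
    runs = []
    for p in sorted(set(ports)):
        if runs and p == runs[-1][1] + 1:
            runs[-1][1] = p
        else:
            runs.append([p, p])
    return [tuple(r) for r in runs]


def ranges_by_kind(text):
    """Map each phone kind to an 'int range' argument string."""
    grouped = defaultdict(lambda: defaultdict(list))
    for n in parse_cdp(text):
        grouped[phone_kind(n)][(n["type"], n["mod"])].append(n["port"])
    result = {}
    for kind, slots in grouped.items():
        parts = []
        for (itype, mod), ports in sorted(slots.items()):
            for lo, hi in compress(ports):
                name = f"{PREFIX[itype]}{mod}/{lo}"
                parts.append(name if lo == hi else f"{name}-{hi}")
        result[kind] = ", ".join(parts)
    return result


if __name__ == "__main__":
    for kind, rng in ranges_by_kind(SAMPLE).items():
        print(f"{kind:8} int range {rng}")
```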

Polycom SoundPoint IP 335 Ports Configuration


Ok, now that we know all this, we can configure the telephone ports. Let's start with the Polycom ports.

switch# conf t
switch(config)# int range fa0/3-10, fa0/12-17, fa0/19-21, fa0/23-26, fa0/28-37, fa0/42, fa0/44, fa0/46-47
switch(config-if-range)# description Polycom phone port
switch(config-if-range)# mls qos trust dscp
switch(config-if-range)# auto qos trust 
switch(config-if-range)# priority-queue out 
switch(config-if-range)# spanning-tree portfast
switch(config-if-range)# end

If QoS was not enabled on this switch, then the « mls qos trust dscp » command will enable it. Now check an interface to see what has happened.

switch# sh run int fa0/42
!
interface FastEthernet0/42
 description VoIP telephone port
 switchport access vlan 300
 switchport mode access
 speed 100
 duplex full
 srr-queue bandwidth share 1 30 35 5
 priority-queue out 
 mls qos trust dscp
 auto qos trust 
 spanning-tree portfast
end

Notice how the « srr-queue bandwidth share 1 30 35 5 » configuration is now listed. This is placed automatically by the « auto qos trust » command.

Cisco SPA504G IP Phone Ports Configuration


Good, now let's configure the Cisco IP phone connected ports.

switch# conf t
switch(config)# int range fa0/18, fa0/27, fa0/38
switch(config-if-range)# description Cisco IP phone port
switch(config-if-range)# mls qos trust cos
switch(config-if-range)# mls qos trust device cisco-phone
switch(config-if-range)# auto qos voip cisco-phone 
switch(config-if-range)# priority-queue out 
switch(config-if-range)# spanning-tree portfast
switch(config-if-range)# end

Notice how it's a little different from the Polycom configuration. Let's see what happens to the interface.

switch# sh run int fa0/18
!
interface FastEthernet0/18
 description VoIP telephone port
 switchport access vlan 300
 switchport mode access
 speed 100
 duplex full
 srr-queue bandwidth share 1 30 35 5
 priority-queue out 
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone 
 spanning-tree portfast
 service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
end

Again the « srr-queue bandwidth share 1 30 35 5 » configuration was installed along with the « service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY ». 

Running Configuration


Those new interface configurations now have « mls » and « policy-map ». If we have those, then they must be defined in the configuration. Let's find out by checking the running-config. I've listed here only the relevant parts for this blog post :

switch# sh run

mls qos map policed-dscp  0 10 18 24 46 to 8
mls qos map cos-dscp 0 8 16 24 32 46 48 56
mls qos srr-queue input bandwidth 70 30
mls qos srr-queue input threshold 1 80 90
mls qos srr-queue input priority-queue 2 bandwidth 30
mls qos srr-queue input cos-map queue 1 threshold 2 3
mls qos srr-queue input cos-map queue 1 threshold 3 6 7
mls qos srr-queue input cos-map queue 2 threshold 1 4
mls qos srr-queue input dscp-map queue 1 threshold 2 24
mls qos srr-queue input dscp-map queue 1 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue input dscp-map queue 1 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue input dscp-map queue 2 threshold 3 32 33 40 41 42 43 44 45
mls qos srr-queue input dscp-map queue 2 threshold 3 46 47
mls qos srr-queue output cos-map queue 1 threshold 3 4 5
mls qos srr-queue output cos-map queue 2 threshold 1 2
mls qos srr-queue output cos-map queue 2 threshold 2 3
mls qos srr-queue output cos-map queue 2 threshold 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 0
mls qos srr-queue output cos-map queue 4 threshold 3 1
mls qos srr-queue output dscp-map queue 1 threshold 3 32 33 40 41 42 43 44 45
mls qos srr-queue output dscp-map queue 1 threshold 3 46 47
mls qos srr-queue output dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 2 threshold 1 26 27 28 29 30 31 34 35
mls qos srr-queue output dscp-map queue 2 threshold 1 36 37 38 39
mls qos srr-queue output dscp-map queue 2 threshold 2 24
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue output dscp-map queue 4 threshold 1 8 9 11 13 15
mls qos srr-queue output dscp-map queue 4 threshold 2 10 12 14
mls qos queue-set output 1 threshold 1 100 100 50 200
mls qos queue-set output 1 threshold 2 125 125 100 400
mls qos queue-set output 1 threshold 3 100 100 100 400
mls qos queue-set output 1 threshold 4 60 150 50 200
mls qos queue-set output 1 buffers 15 25 40 20
mls qos   
!         
auto qos srnd4
class-map match-all AUTOQOS_VOIP_DATA_CLASS
 match ip dscp ef 
class-map match-all AUTOQOS_DEFAULT_CLASS
 match access-group name AUTOQOS-ACL-DEFAULT
class-map match-all AUTOQOS_VOIP_SIGNAL_CLASS
 match ip dscp cs3 
!         
policy-map AUTOQOS-SRND4-CISCOPHONE-POLICY
 class AUTOQOS_VOIP_DATA_CLASS
  set dscp ef
  police 128000 8000 exceed-action policed-dscp-transmit
 class AUTOQOS_VOIP_SIGNAL_CLASS
  set dscp cs3
  police 32000 8000 exceed-action policed-dscp-transmit
 class AUTOQOS_DEFAULT_CLASS
  set dscp default
  police 10000000 8000 exceed-action policed-dscp-transmit


As you can see, there is a lot going on when we use the auto keywords to configure VoIP QoS.
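
To see where a voice packet actually ends up, the maps above can be followed mechanically. This added example (not from the original post) traces a marking through the cos-dscp, policed-dscp and output dscp-map lines copied from the running-config above; on the 3560, « priority-queue out » makes egress queue 1 the expedite queue, so whatever lands in queue 1 is served first. The function names are this example's own.

```python
# Lines copied from the running-config excerpt above (only the maps used here).
CONFIG = """\
mls qos map policed-dscp  0 10 18 24 46 to 8
mls qos map cos-dscp 0 8 16 24 32 46 48 56
mls qos srr-queue output dscp-map queue 1 threshold 3 32 33 40 41 42 43 44 45
mls qos srr-queue output dscp-map queue 1 threshold 3 46 47
mls qos srr-queue output dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 2 threshold 1 26 27 28 29 30 31 34 35
mls qos srr-queue output dscp-map queue 2 threshold 1 36 37 38 39
mls qos srr-queue output dscp-map queue 2 threshold 2 24
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue output dscp-map queue 4 threshold 1 8 9 11 13 15
mls qos srr-queue output dscp-map queue 4 threshold 2 10 12 14
"""


def parse_maps(config):
    """Return (cos_dscp list indexed by CoS, policed-dscp dict,
    dict of DSCP -> (egress queue, threshold))."""
    cos_dscp, policed, out_map = [], {}, {}
    for line in config.splitlines():
        w = line.split()
        if w[:4] == ["mls", "qos", "map", "cos-dscp"]:
            cos_dscp = [int(v) for v in w[4:]]
        elif w[:4] == ["mls", "qos", "map", "policed-dscp"]:
            to = w.index("to")
            for v in w[4:to]:
                policed[int(v)] = int(w[to + 1])
        elif w[:5] == ["mls", "qos", "srr-queue", "output", "dscp-map"]:
            # ... queue <q> threshold <t> <dscp> [<dscp> ...]
            queue, threshold = int(w[6]), int(w[8])
            for v in w[9:]:
                out_map[int(v)] = (queue, threshold)
    return cos_dscp, policed, out_map


def trace(config, dscp=None, cos=None, out_of_profile=False):
    """Follow one marking to its egress queue.

    cos:            the port trusts CoS, so the cos-dscp map picks the DSCP.
    out_of_profile: the packet exceeded a policer whose exceed-action is
                    policed-dscp-transmit, so it is re-marked first.
    Returns (final_dscp, queue, threshold); queue and threshold are None
    when the excerpt has no line for that DSCP.
    """
    cos_dscp, policed, out_map = parse_maps(config)
    if cos is not None:
        dscp = cos_dscp[cos]
    if dscp is None:
        raise ValueError("give either dscp or cos")
    if out_of_profile:
        dscp = policed.get(dscp, dscp)
    queue, threshold = out_map.get(dscp, (None, None))
    return dscp, queue, threshold


def unlisted_dscp(config):
    """DSCP values with no output dscp-map line in the excerpt; the switch
    uses its default for these, which this example does not model."""
    _, _, out_map = parse_maps(config)
    return [d for d in range(64) if d not in out_map]


if __name__ == "__main__":
    cases = [
        ("Polycom RTP, DSCP EF (46)", dict(dscp=46)),
        ("Cisco phone RTP, CoS 5", dict(cos=5)),
        ("Signalling, DSCP CS3 (24)", dict(dscp=24)),
        ("Best effort, DSCP 0", dict(dscp=0)),
        ("EF above the policer rate", dict(dscp=46, out_of_profile=True)),
    ]
    for label, kw in cases:
        print(f"{label:28} -> dscp/queue/threshold {trace(CONFIG, **kw)}")
    print("not listed in excerpt:", unlisted_dscp(CONFIG))
```

Both tagging styles converge on queue 1, while EF traffic that exceeds the 128000 b/s policer on a Cisco phone port is re-marked to DSCP 8 and drops to queue 4.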

Trunk Port Configuration


We now have all IP phone connected ports configured. But we haven't configured the trunk port yet. So do this now.


switch# conf t
switch(config)# int gi0/3
switch(config-if)# description c3560g VoIP trunk
switch(config-if)# mls qos trust dscp
switch(config-if)# auto qos trust 
switch(config-if)# priority-queue out 
switch(config-if)# end

And once we're finished, this is what the interface looks like :

switch# sh run int gi0/3
!
interface GigabitEthernet0/3
 description c3560g VoIP trunk
 switchport trunk encapsulation dot1q
 switchport mode trunk
 srr-queue bandwidth share 1 30 35 5
 priority-queue out 
 mls qos trust dscp
 auto qos trust 
end

Again, we can see the « srr-queue » config has been installed even if we did not explicitly configure it.

Save Configuration


The last task to do on this switch is to save the configuration. Very easy to do, but oh so important!

switch# write memory 
switch# copy run start
switch# copy start tftp

That's it for our first WS-C3560-48PS Switch. Let's configure the second one now.

Second WS-C3560-48PS Switch


On this switch, we simply need to do everything we did on the first one : check VLAN, VTP status, CDP and then configure phone ports and trunk port. I'll skip most of the discussion as I hope I've been clear enough on the first switch.

ssh 172.16.1.3
switch> enable
switch# sh vtp status
switch# sh vlan brief
switch# sh int status | inc Gi0/3
switch# sh run int gi0/3
switch# conf t
switch(config)# cdp run
switch(config)# end
switch# sh cdp neighbors
switch# conf t
switch(config)# int range fa0/1 - 47
switch(config-if-range)# cdp enable

WARNING : this command will shut down all voice operations on that switch. Make sure you have authorization to do this!

switch(config-if-range)# shutdown
switch(config-if-range)# no shutdown
switch(config-if-range)# end
switch#
switch# sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone, 
                  D - Remote, C - CVTA, M - Two-port Mac Relay 

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
SEP0004f22ec3ed  Fas 0/5           123              H P   Polycom S Port 1
SEP0004f22ed793  Fas 0/6           135              H P   Polycom S Port 1
SEP0004f22ec090  Fas 0/1           130              H P   Polycom S Port 1
core.company.com
                 Fas 0/48          143             R S I  WS-C4507R Fas 5/43
wan.company.com
                 Gig 0/3           136              S I   WS-C3560G Gig 0/28
SIP1CDF0F4A6A9C  Fas 0/42          166              H P   IP Phone  Port 1
SIP1CDF0F4A6AA8  Fas 0/4           169              H P   IP Phone  Port 1
SIP1CDF0F4A6AA7  Fas 0/36          164              H P   IP Phone  Port 1
SIP1CDF0F4A66EE  Fas 0/31          165              H P   IP Phone  Port 1
SIP1CDF0F4A6713  Fas 0/30          165              H P   IP Phone  Port 1
SIP1CDF0F4A6714  Fas 0/44          164              H P   IP Phone  Port 1
SIP1CDF0F4A6AA1  Fas 0/39          164              H P   IP Phone  Port 1
SIP1CDF0F4A6AC2  Fas 0/35          165              H P   IP Phone  Port 1
SEP0004f22ec05f  Fas 0/7           135              H P   Polycom S Port 1
SEP0004f22ed7f0  Fas 0/3           132              H P   Polycom S Port 1
SEP0004f22eb3e3  Fas 0/46          132              H P   Polycom S Port 1
SIP1CDF0F4A6A53  Fas 0/34          164              H P   IP Phone  Port 1
SIP1CDF0F4A6A52  Fas 0/43          165              H P   IP Phone  Port 1
SIP1CDF0F4A6A50  Fas 0/2           164              H P   IP Phone  Port 1
SIP1CDF0F4A6AAC  Fas 0/37          164              H P   IP Phone  Port 1
SIP1CDF0F4A6A57  Fas 0/38          163              H P   IP Phone  Port 1
SIP1CDF0F4A6AAB  Fas 0/40          166              H P   IP Phone  Port 1
SIP1CDF0F4A6AAA  Fas 0/33          165              H P   IP Phone  Port 1
SIP1CDF0F4A6A54  Fas 0/41          166              H P   IP Phone  Port 1

We thus need to configure ports differently because this switch also has a mix of Polycom and Cisco phones.

Polycom SoundPoint IP 335 Ports Configuration


Again, as we did on the first VoIP access switch, let's configure the Polycom ports first. In order to do that, we need to narrow our search in CDP to only the Polycom devices.

switch# sh cdp nei | inc Polycom
SEP0004f22ec3ed  Fas 0/5           125              H P   Polycom S Port 1
SEP0004f22ed793  Fas 0/6           137              H P   Polycom S Port 1
SEP0004f22ec090  Fas 0/1           131              H P   Polycom S Port 1
SEP0004f22ec05f  Fas 0/7           136              H P   Polycom S Port 1
SEP0004f22ed7f0  Fas 0/3           133              H P   Polycom S Port 1
SEP0004f22eb3e3  Fas 0/46          133              H P   Polycom S Port 1

Then configure only those ports.

switch# conf t
switch(config)# int range fa0/1, fa0/3, fa0/5-7, fa0/46
switch(config-if-range)# description Polycom phone port
switch(config-if-range)# mls qos trust dscp
switch(config-if-range)# auto qos trust 
switch(config-if-range)# priority-queue out 
switch(config-if-range)# spanning-tree portfast
switch(config-if-range)# end

Cisco SPA504G IP Phone Ports Configuration


Now let's configure the Cisco IP phone connected ports. We first list our Cisco IP Phone ports.

switch# sh cdp nei | inc IP Phone
SIP1CDF0F4A6A9C  Fas 0/42          145              H P   IP Phone  Port 1
SIP1CDF0F4A6AA8  Fas 0/4           124              H P   IP Phone  Port 1
SIP1CDF0F4A6AA7  Fas 0/36          151              H P   IP Phone  Port 1
SIP1CDF0F4A66EE  Fas 0/31          147              H P   IP Phone  Port 1
SIP1CDF0F4A6713  Fas 0/30          143              H P   IP Phone  Port 1
SIP1CDF0F4A6714  Fas 0/44          151              H P   IP Phone  Port 1
SIP1CDF0F4A6AA1  Fas 0/39          147              H P   IP Phone  Port 1
SIP1CDF0F4A6AC2  Fas 0/35          150              H P   IP Phone  Port 1
SIP1CDF0F4A6A53  Fas 0/34          150              H P   IP Phone  Port 1
SIP1CDF0F4A6A52  Fas 0/43          127              H P   IP Phone  Port 1
SIP1CDF0F4A6A50  Fas 0/2           139              H P   IP Phone  Port 1
SIP1CDF0F4A6AAC  Fas 0/37          152              H P   IP Phone  Port 1
SIP1CDF0F4A6A57  Fas 0/38          146              H P   IP Phone  Port 1
SIP1CDF0F4A6AAB  Fas 0/40          170              H P   IP Phone  Port 1
SIP1CDF0F4A6AAA  Fas 0/33          151              H P   IP Phone  Port 1
SIP1CDF0F4A6A54  Fas 0/41          159              H P   IP Phone  Port 1

Once we know our Cisco IP Phone connected ports, we can configure them.

switch# conf t
switch(config)# int range fa0/2, fa0/4, fa0/30-31, fa0/33-44
switch(config-if-range)# description Cisco IP phone port
switch(config-if-range)# mls qos trust cos
switch(config-if-range)# mls qos trust device cisco-phone
switch(config-if-range)# auto qos voip cisco-phone 
switch(config-if-range)# priority-queue out 
switch(config-if-range)# spanning-tree portfast
switch(config-if-range)# end


Trunk Port Configuration


As we did with our first access switch, we need to configure our trunk port.

switch# conf t
switch(config)# int gi0/3
switch(config-if)# description c3560g VoIP trunk
switch(config-if)# mls qos trust dscp
switch(config-if)# auto qos trust 
switch(config-if)# priority-queue out 
switch(config-if)# end

Save Configuration


And finally, save the configuration.

switch# write memory 
switch# copy run start
switch# copy start tftp

That's it for our second WS-C3560-48PS access switch. We must now move on to the WS-C3560G-24TS-S switch which is the central connection for both the VoIP and WAN VLANs, both VoIP access switches and our firewall.

Cisco WS-C3560G-24TS-S Switch Configuration


This switch connects all of our pieces together : both access switches, the firewall and our ISP uplink. So we need to configure these ports :
  • Gi0/1 which is connected to our ISP uplink.
  • Gi0/4 which is connected to the WAN interface in our firewall.
  • Gi0/17 which is connected to the VoIP interface in our firewall.
  • Gi0/27-28 which are connected to the WS-C3560-48PS access switches.
But before we configure any ports, let's check the VTP, VLAN and interface status.

ssh 172.16.1.1
switch> enable
switch# sh vtp status
VTP Version capable             : 1 to 3
VTP version running             : 1
VTP Domain Name                 : dmz
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Enabled
Device ID                       : 001a.2f98.2f00
Configuration last modified by 172.22.200.6 at 3-8-93 23:56:45
Local updater ID is 172.16.1.1 on interface Vl200 (preferred interface)
Preferred interface name is vlan200  

Feature VLAN:
--------------
VTP Operating Mode                : Server
Maximum VLANs supported locally   : 1005
Number of existing VLANs          : 9
Configuration Revision            : 20
MD5 digest                        : 0x3B 0x54 0xC1 0x4F 0x88 0x4B 0x84 0xBB 
                                    0xC1 0x82 0x8C 0x07 0x5B 0x27 0x96 0x28 

Ok, so this is the VTP server for VTP domain dmz. It means that if we ever need to change the VLANs on our three switches, we must do it on this one.

switch# sh vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/2, Gi0/5, Gi0/7, Gi0/8, Gi0/14, Gi0/15, Gi0/16, Gi0/19, Gi0/20, Gi0/21, Gi0/22, Gi0/23, Gi0/25, Gi0/26
19   DMZ                              active    Gi0/9, Gi0/10, Gi0/11, Gi0/12, Gi0/13
144  WAN                              active    Gi0/1, Gi0/3, Gi0/4, Gi0/6
200  Management                       active    Gi0/24
300  VoIP                             active    Gi0/17, Gi0/18
1002 fddi-default                     act/unsup 
1003 token-ring-default               act/unsup 
1004 fddinet-default                  act/unsup 
1005 trnet-default                    act/unsup

We have all the same VLANs as our two other switches plus a new one : VLAN 19 (DMZ). That means this switch also has some DMZ ports. This is not shown in the VoIP topology and it's not required for our purposes.

Let's see what interfaces are connected on this device.

switch# sh int status | inc connected
Gi0/1     WAN ISP            connected    144        a-full a-1000 10/100/1000BaseTX
Gi0/4     firewall X2 WAN    connected    144          full  a-100 10/100/1000BaseTX
Gi0/9     firewall X3 DMZ    connected    19           full  a-100 10/100/1000BaseTX
Gi0/10    www.company.com    connected    19           full  a-100 10/100/1000BaseTX
Gi0/12    ftp.company.com    connected    19         a-full  a-100 10/100/1000BaseTX
Gi0/17    firewall X4 VoIP   connected    300        a-half  a-100 10/100/1000BaseTX
Gi0/24    Switch mgmt port   connected    200          full  a-100 10/100/1000BaseTX
Gi0/27    VoIP 1 trunk       connected    trunk      a-full a-1000 1000BaseSX SFP
Gi0/28    VoIP 2 trunk       connected    trunk      a-full a-1000 1000BaseSX SFP

As per our topology, we can see that port Gi0/1 is our WAN port. We also see some DMZ hosts (the firewall, a web server and an FTP server). We clearly see that the firewall is connected to three interfaces on this device : Gi0/4 in VLAN 144 which connects the firewall to the WAN, Gi0/9 in VLAN 19 for the DMZ and Gi0/17 in VLAN 300 which is the VoIP VLAN. Ports Gi0/27 and Gi0/28 are the trunk ports going to the WS-C3560-48PS access switches. While we're here, let's configure them.

Gi0/27-28 Trunk Ports Configuration


switch# conf t
switch(config)# int range gi0/27-28
switch(config-if-range)# description VoIP trunk
switch(config-if-range)# switchport trunk allowed vlan 200,300
switch(config-if-range)# priority-queue out 
switch(config-if-range)# mls qos trust dscp
switch(config-if-range)# auto qos voip trust  
switch(config-if-range)# end

This configures both trunk ports. Let's see what that gives us.

switch# sh run int gi0/27
!
interface GigabitEthernet0/27
 description VoIP trunk
 switchport trunk allowed vlan 200,300
 srr-queue bandwidth share 10 10 60 20
 queue-set 2
 priority-queue out 
 mls qos trust dscp
 auto qos voip trust 
end

switch# sh run int gi0/28
!
interface GigabitEthernet0/28
 description VoIP trunk
 switchport trunk allowed vlan 200,300
 srr-queue bandwidth share 10 10 60 20
 queue-set 2
 priority-queue out 
 mls qos trust dscp
 auto qos voip trust 
end

As with the other ports, the « srr-queue bandwidth share 10 10 60 20 » and « queue-set 2 » lines were added without us having to type them.

Notice the « switchport trunk allowed vlan 200,300 » config. For security reasons, it prevents the DMZ and the WAN VLANs from reaching the VoIP access switches. Let's make sure that is the case.

switch# sh int trunk

Port        Mode             Encapsulation  Status        Native vlan
Gi0/27      auto             n-802.1q       trunking      200
Gi0/28      auto             n-802.1q       trunking      200

Port        Vlans allowed on trunk
Gi0/27      200,300
Gi0/28      200,300

Port        Vlans allowed and active in management domain
Gi0/27      200,300
Gi0/28      200,300

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/27      300
Gi0/28      300

Indeed, that is the case. These trunk ports will only allow the Management and the VoIP VLANs to reach the VoIP access switches. Which is good.
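
The check made by eye above can be scripted. The following Python is an added example, not part of the original post : it parses « sh int trunk » output and reports any trunk whose allowed list still includes the DMZ (19) or WAN (144) VLAN, and whether the trunk came up through negotiation (mode auto or desirable). The function names and the Gi0/26 sample row are hypothetical.

```python
# Constructed sample: the "sh int trunk" output shown above, plus Gi0/26 as a
# hypothetical trunk left at the default allowed list (1-4094).
SAMPLE = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/26      on               802.1q         trunking      1
Gi0/27      auto             n-802.1q       trunking      200
Gi0/28      auto             n-802.1q       trunking      200

Port        Vlans allowed on trunk
Gi0/26      1-4094
Gi0/27      200,300
Gi0/28      200,300

Port        Vlans allowed and active in management domain
Gi0/26      19,144,200,300
Gi0/27      200,300
Gi0/28      200,300
"""

FORBIDDEN = {19, 144}  # DMZ and WAN VLANs must not reach the access switches


def expand(vlan_list):
    """Expand '200,300' or '1-4094' into a set of VLAN ids ('none' is empty)."""
    vlans = set()
    for part in vlan_list.replace("none", "").split(","):
        if part:
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def audit_trunks(output, forbidden=FORBIDDEN):
    """Return {port: {"leaked": [...], "negotiated": bool}} for each trunk."""
    report, section = {}, ""
    for line in output.splitlines():
        fields = line.split()
        if line.startswith("Port"):
            section = " ".join(fields[1:])  # the column titles name the table
        elif fields and section:
            port = report.setdefault(fields[0], {"leaked": [], "negotiated": False})
            if section.startswith("Mode"):
                # "auto"/"desirable": trunking was negotiated with DTP
                port["negotiated"] = fields[1] in ("auto", "desirable")
            elif section == "Vlans allowed on trunk":
                port["leaked"] = sorted(expand(fields[1]) & forbidden)
    return report
```
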

Gi0/17 Firewall VoIP Interface Port Configuration


We continue our setup by configuring the Gi0/17 port that connects to the firewall's VoIP interface. Our goal is always the same : make sure the DSCP and CoS tags are honored and not stripped when passing through the interface. That's why we add those trust commands.

switch# conf t
switch(config)# int gi0/17
switch(config-if)# description firewall X4 VoIP interface
switch(config-if)# switchport access vlan 300
switch(config-if)# switchport mode access
switch(config-if)# priority-queue out 
switch(config-if)# mls qos trust dscp
switch(config-if)# auto qos voip trust 
switch(config-if)# no cdp enable
switch(config-if)# end

These commands create the following configuration :

switch# sh run int gi0/17
!
interface GigabitEthernet0/17
 description firewall X4 VoIP interface
 switchport access vlan 300
 switchport mode access
 srr-queue bandwidth share 10 10 60 20
 queue-set 2
 priority-queue out 
 mls qos trust dscp
 auto qos voip trust 
 no cdp enable
end

Our next step is to configure interface Gi0/4, which connects our firewall's WAN interface to the current switch.

Gi0/4 Firewall WAN Interface Port Configuration


So again, we set up trust commands on this interface.

switch# conf t
switch(config)# int gi0/4
switch(config-if)# description firewall X4 WAN interface
switch(config-if)# switchport access vlan 144
switch(config-if)# switchport mode access
switch(config-if)# priority-queue out 
switch(config-if)# mls qos trust dscp
switch(config-if)# auto qos voip trust 
switch(config-if)# no cdp enable
switch(config-if)# end

And the configuration created by these commands is this one :

switch# sh run int gi0/4 
!
interface GigabitEthernet0/4
 description firewall X4 WAN interface
 switchport access vlan 144
 switchport mode access
 srr-queue bandwidth share 10 10 60 20
 queue-set 2
 priority-queue out 
 mls qos trust dscp
 auto qos voip trust 
 no cdp enable
end

We're almost there. One more interface to configure : the WAN ISP interface.

Gi0/1 ISP Uplink Port Configuration


Our last interface to configure is Gi0/1, which connects to our ISP's switch installed in our data center.

switch# conf t
switch(config)# int gi0/1
switch(config-if)# description ISP uplink
switch(config-if)# switchport access vlan 144
switch(config-if)# switchport mode access
switch(config-if)# priority-queue out 
switch(config-if)# mls qos trust dscp
switch(config-if)# auto qos voip trust 
switch(config-if)# no cdp enable
switch(config-if)# spanning-tree portfast
switch(config-if)# end

And the resulting configuration is :

switch# sh run int gi0/1
!
interface GigabitEthernet0/1
 description ISP uplink
 switchport access vlan 144
 switchport mode access
 srr-queue bandwidth share 10 10 60 20
 queue-set 2
 priority-queue out 
 mls qos trust dscp
 auto qos voip trust 
 no cdp enable
 spanning-tree portfast
end


Save Configuration


The last task, as always, is to save the configuration.

switch# write memory 
switch# copy run start
switch# copy start tftp

Great! We now have configured our entire topology for VoIP QoS!

But how do we know it works?

Testing and Monitoring


To check if the configuration is working, one must first clear the statistics of the WAN port Gi0/1 that we just configured. To do this, connect to the switch and issue the following.

switch# clear mls qos interface gi0/1 statistics

Then, we need to generate VoIP traffic. That's quite easy : pick up the phone and call a friend ;) Place him on speaker and, while you're talking, check the statistics on the interface. The counters will read zero right after the clear command, but after a while they will start to increase. To see the statistics data, do this :

switch# sh mls qos interface gi0/1 statistics
GigabitEthernet0/1 (All statistics are in packets)

  dscp: incoming  
-------------------------------

  0 -  4 :     8648676           16      1984532            0          751  
  5 -  9 :           0           15          156         5502           64  
 10 - 14 :        4611            0           57            0            4  
 15 - 19 :           0          449            0           15            0  
 20 - 24 :          10            0            0            0       304172  
 25 - 29 :           0           25            0            1            0  
 30 - 34 :           4            0           33            0           68  
 35 - 39 :           0            0            0         1167            0  
 40 - 44 :         216            0            0            0            0  
 45 - 49 :           0      4408223            0          271            0  
 50 - 54 :           0            0            0            0            0  
 55 - 59 :        1182            0            0            0            0  
 60 - 64 :           0            0            0            0  
  dscp: outgoing 
-------------------------------

  0 -  4 :     9432900            0            0            0        11952  
  5 -  9 :           0            0            0        58829            0  
 10 - 14 :           0            0            0            0            0  
 15 - 19 :           0            0            0            0            0  
 20 - 24 :           0            0            0            0            0  
 25 - 29 :           0        28328            0            0            0  
 30 - 34 :           0            0            0            0            0  
 35 - 39 :           0            0            0            0            0  
 40 - 44 :           0            0            0            0       459249  
 45 - 49 :           0      4165178            0            0            0  
 50 - 54 :           0            0            0            0            0  
 55 - 59 :           0            0            0            0            0  
 60 - 64 :           0            0            0            0  
  cos: incoming  
-------------------------------

  0 -  4 :    15365764            0            0            0            0  
  5 -  7 :           0            0            0  
  cos: outgoing 
-------------------------------

  0 -  4 :     9444939        58829            0        28328            0  
  5 -  7 :     4624427            0            0  
  output queues enqueued: 
 queue:    threshold1   threshold2   threshold3
-----------------------------------------------
 queue 0:           0           0     4624427 
 queue 1:           0         379      124143 
 queue 2:           0           0           0 
 queue 3:       58829           0     9445149 
          
  output queues dropped: 
 queue:    threshold1   threshold2   threshold3
-----------------------------------------------
 queue 0:           0           0           0 
 queue 1:           0           0           0 
 queue 2:           0           0           0 
 queue 3:           0           0           0 

Policer: Inprofile:            0 OutofProfile:            0 

Hummm, ok, what do all these numbers mean?

Relax. Back off and look at the entire output, not at the numbers. You will find that we have both DSCP incoming and outgoing tables. We also have COS incoming and outgoing tables. And then we have both incoming and outgoing queues. So let's break this down into three subjects :
  • DSCP Statistics
  • COS Statistics
  • Queue Statistics

DSCP Statistics


DSCP stats are displayed as two tables : one for incoming packets (i.e. dscp: incoming) and another for outgoing packets (i.e. dscp: outgoing). I've highlighted these two tables in bold right here :

switch# sh mls qos interface gi0/1 statistics 
GigabitEthernet0/1 (All statistics are in packets)

  dscp: incoming  
-------------------------------

  0 -  4 :     8648676           16      1984532            0          751  
  5 -  9 :           0           15          156         5502           64  
 10 - 14 :        4611            0           57            0            4  
 15 - 19 :           0          449            0           15            0  
 20 - 24 :          10            0            0            0       304172  
 25 - 29 :           0           25            0            1            0  
 30 - 34 :           4            0           33            0           68  
 35 - 39 :           0            0            0         1167            0  
 40 - 44 :         216            0            0            0            0  
 45 - 49 :           0      4408223            0          271            0  
 50 - 54 :           0            0            0            0            0  
 55 - 59 :        1182            0            0            0            0  
 60 - 64 :           0            0            0            0  
  dscp: outgoing 
-------------------------------

  0 -  4 :     9432900            0            0            0        11952  
  5 -  9 :           0            0            0        58829            0  
 10 - 14 :           0            0            0            0            0  
 15 - 19 :           0            0            0            0            0  
 20 - 24 :           0            0            0            0            0  
 25 - 29 :           0        28328            0            0            0  
 30 - 34 :           0            0            0            0            0  
 35 - 39 :           0            0            0            0            0  
 40 - 44 :           0            0            0            0       459249  
 45 - 49 :           0      4165178            0            0            0  
 50 - 54 :           0            0            0            0            0  
 55 - 59 :           0            0            0            0            0  
 60 - 64 :           0            0            0            0  

Both tables are laid out the same way. On the X axis, or the first column of the table if you prefer, we see a list of ranges : 0 -  4 is followed by 5 -  9 all the way down to 60 - 64. These represent the various possible DSCP values which range from zero to 64.

Each line covers the possible DSCP values in the range found on the left-hand side. For example, take line 45 - 49 from the « dscp: outgoing » table. Right after the 45 - 49 : there are four columns with these values : 0, 4165178, 0 and 0. Since we're looking at the 45 - 49 line, this tells us that DSCP value 45 has 0 packets, DSCP value 46 has 4165178 packets, and DSCP values 48 and 49 don't have any packets at all, so they both show a 0. So we know that this interface (gi0/1) has sent 4165178 packets tagged as DSCP value 46.

Now I didn't choose DSCP value 46 by mistake : this is the standard VoIP DSCP packet tag! That's because DSCP 46 is the « Expedited Forwarding » DSCP value. So it has a very high priority.
Since we know that the Polycom IP phones tag all their packets with DSCP 46 and we configured all of our equipment to trust each other's QoS values, we know that a packet tagged as DSCP 46 by a Polycom telephone on either of the VoIP access switches finds its way to this switch still tagged as a DSCP 46 packet : a VoIP packet.

Now look at both the « dscp: incoming » table and the « dscp: outgoing » table. Notice how they both have a very high value in the DSCP 46 spot. That means VoIP traffic flows in both directions : incoming and outgoing. If you have a high DSCP 46 value in the « dscp: outgoing » table, but a value of 0 in the « dscp: incoming » table, you know something is wrong (or vice-versa). Simply because a telephone conversation never flows in one direction only.

COS Statistics


The COS tables are a bit smaller than the DSCP ones. Again, we have two of them : one for incoming packets and the other for outgoing packets.

  cos: incoming  
-------------------------------

  0 -  4 :    15365764            0            0            0            0  
  5 -  7 :           0            0            0  
  cos: outgoing 
-------------------------------

  0 -  4 :     9444939        58829            0        28328            0  
  5 -  7 :     4624427            0            0  

The trick to reading these two tables is the same as for the DSCP tables : each row (either 0 - 4 or 5 - 7) covers a range of COS values. These values range from 0 to 7. To find the number of incoming packets with a COS value of four, we must check the « cos: outgoing » table, select row 0 - 4 and check the fourth value (28328). Simple!

Voice traffic has a COS value of 5 by default.

From the « cos: outgoing » table, we can see that this switch has sent 4624427 packets with a COS value of 5. But unfortunately, our ISP sends everything in COS value 0. That's why we see 15365764 packets with COS value 0 in the « cos: incoming » table.

Queue Statistics


The last set of tables displayed by the « sh mls qos interface gi0/1 statistics » command are the queue tables :

  output queues enqueued: 
 queue:    threshold1   threshold2   threshold3
-----------------------------------------------
 queue 0:           0           0     4624427 
 queue 1:           0         379      124143 
 queue 2:           0           0           0 
 queue 3:       58829           0     9445149 
          
  output queues dropped: 
 queue:    threshold1   threshold2   threshold3
-----------------------------------------------
 queue 0:           0           0           0 
 queue 1:           0           0           0 
 queue 2:           0           0           0 
 queue 3:           0           0           0 

There are two tables : the « output queues enqueued » and the « output queues dropped ». Obviously, we don't want any packets to be listed in the « output queues dropped » table. That would mean that the interface is dropping packets. There are many reasons to drop packets, but a high value should indicate that you need to check this problem and fix it (new hardware? better QoS? larger bandwidth? YMMV)

There are four queues on each interface : queue 0 to queue 3. And each queue has three thresholds : threshold1, threshold2 and threshold3. These queues are the ones referenced by the « srr-queue bandwidth » commands found on all the interfaces we worked with. For example, « srr-queue bandwidth share 1 30 35 5 » assigns different weights to each queue. Queue 0 gets a weight of 1, queue 1 gets a weight of 30, queue 2 gets 35 and queue 3 gets 5. Check out Catalyst 3560 Switch Software Configuration Guide - Configuring QoS for a complete description of the queues.
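
An added example, not part of the original post : a Python parser for the statistics output discussed above. It maps every counter to its DSCP or COS value (the row's first value plus the column position, so the second counter on row 45 - 49 is DSCP 46) and applies the two checks described : DSCP 46 present in both directions, and no packets in the « output queues dropped » table. The function names are hypothetical and the sample is an abridged copy of the output above.

```python
import re

# Abridged excerpt of the "sh mls qos interface gi0/1 statistics" output above
# (rows and separator lines trimmed to keep the sample short).
SAMPLE = """\
  dscp: incoming
   0 -  4 :     8648676           16      1984532            0          751
  45 - 49 :           0      4408223            0          271            0
  dscp: outgoing
   0 -  4 :     9432900            0            0            0        11952
  45 - 49 :           0      4165178            0            0            0
  cos: incoming
   0 -  4 :    15365764            0            0            0            0
   5 -  7 :           0            0            0
  cos: outgoing
   0 -  4 :     9444939        58829            0        28328            0
   5 -  7 :     4624427            0            0
  output queues enqueued:
 queue 0:           0           0     4624427
  output queues dropped:
 queue 0:           0           0           0
 queue 3:           0           0           0
"""

ROW = re.compile(r"^\s*(\d+)\s*-\s*\d+\s*:\s*(.*)$")
QUEUE = re.compile(r"^\s*queue\s+(\d+):\s*(.*)$")


def parse_stats(output):
    """Return {table name: {marking value or queue number: packet count}}."""
    tables, current = {}, None
    for line in output.splitlines():
        title = line.strip().rstrip(":").strip()
        if title.startswith(("dscp:", "cos:", "output queues")):
            current = tables.setdefault(title, {})
        elif current is not None and (m := ROW.match(line)):
            # Row "45 - 49" holds DSCP 45, 46, 47, ...: first value + column index
            for offset, count in enumerate(m.group(2).split()):
                current[int(m.group(1)) + offset] = int(count)
        elif current is not None and (m := QUEUE.match(line)):
            current[int(m.group(1))] = sum(map(int, m.group(2).split()))
    return tables


def voice_health(tables, ef=46):
    """EF packets seen in both directions, and no egress drops."""
    ef_in = tables["dscp: incoming"].get(ef, 0)
    ef_out = tables["dscp: outgoing"].get(ef, 0)
    drops = sum(tables.get("output queues dropped", {}).values())
    return {"ef_in": ef_in, "ef_out": ef_out, "drops": drops,
            "ok": ef_in > 0 and ef_out > 0 and drops == 0}
```

In the output above, the « cos: outgoing » count for COS 5 and the packets enqueued in queue 0 are both 4624427.
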

HTH,

David

5 comments:

  1. Nice write-up! Two pieces of robot!

  2. Dude I thank you for this!!!

  3. On the main 24-port switch, why did you use "auto qos voip trust" vs "auto qos trust" as on the access layer switches? Thanks.
