Friday, 25 November 2011

Applying QoS to VoIP Packets in a VPN Tunnel

For remote sites that use VoIP and are linked to the central site via an IPsec site to site VPN you can't match the outbound VoIP packets based on port ranges, IP addresses, etc. as it has been encapsulated in the tunnel. However when a packet is encapsulated its DSCP marking is copied to the new packet header. Therefore if the VoIP traffic is correctly identified inbound to the router, you can match packets for QoS on the outbound interface via the DSCP markings.
Below is a simple configuration to match inbound RTP packets based on the port range and assign it to the outbound priority queue:

class-map match-all VOIP_OUT
 match ip dscp ef
class-map match-all RTP
 match access-group name VOICE_PAYLOAD
!
policy-map MARK_RTP
 class RTP
  set ip dscp ef
policy-map VOIP_OUT
 class VOIP_OUT
  priority 384
 class class-default
  fair-queue
!
ip access-list extended VOICE_PAYLOAD
 permit udp any any range 16384 32767
!
interface GigabitEthernet0/0
 description LAN
 service-policy input MARK_RTP
!
interface GigabitEthernet0/1
 description WAN
 service-policy output VOIP_OUT
!


Alternatively if your IP phones are already marking the RTP packets the correct DSCP value, you can do away with the inbound service-policy. For this to work you must prevent the switch from overriding the DSCP markings on packets received from the IP phone by using the mls qos trust device cisco-phone command on the interfaces phones are attached to.

You can monitor the number of packets being matched by the policy-maps using the show policy-map interface command:

GigabitEthernet0/1

  Service-policy output: VOIP_OUT

    queue stats for all priority classes:
     
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 26176/7067520

    Class-map: VOIP_OUT (match-all)
      26176 packets, 7067520 bytes
      5 minute offered rate 122000 bps, drop rate 0 bps
      Match: ip dscp ef (46)
      Priority: 384 kbps, burst bytes 9600, b/w exceed drops: 0
     

    Class-map: class-default (match-any)
      51651 packets, 8147526 bytes
      5 minute offered rate 38000 bps, drop rate 0 bps
      Match: any
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops/flowdrops) 0/0/0/0
      (pkts output/bytes output) 51651/7939473
      Fair-queue: per-flow queue limit 16

1 comment:

  1. This comment has been removed by a blog administrator.

    ReplyDelete