Enabling QoS

Everything related to configuring Cisco devices (and not covered by the other categories)

Moderator: Federico.Lagni

Wizard
Intergalactic subspace network admin
Posts: 3441
Joined: Fri 03 Feb, 2006 10:04 am
Location: Emilia Romagna

On the remote router I think it's OK, but are you sure about the one in the CED?
The future is made of people who have intuitions and visions ..... they are the people who make the difference...... those endowed with a THIRD EYE....
KMarco
n00b
Posts: 15
Joined: Thu 10 Jan, 2008 10:23 am

Hi,
the problem I ran into when enabling QoS on the CED router is that it would not let me apply the rules directly on the ATM0.1 interface, so I "invented" that stranger configuration for QoS
(the one with "service-policy output PARENT", to be clear!)

If I apply the rule "service-policy output QoS-Policy" directly on ATM0 and remove it from ATM0.1, should it work in your opinion?

Thanks a lot for the help and the patience! :D
Marco
Wizard
Intergalactic subspace network admin
Posts: 3441
Joined: Fri 03 Feb, 2006 10:04 am
Location: Emilia Romagna

I'd say so...
KMarco
n00b
Posts: 15
Joined: Thu 10 Jan, 2008 10:23 am

Hi,
I'm continuing this old post because for a few days now (or maybe all along) QoS has stopped working.. :cry:

Here is the output of the "show policy-map interface" command run on the CED router:

Code:

 ATM0

  Service-policy output: QoS-Policy

    queue stats for all priority classes:

      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 0/0

    Class-map: QoS-VOIP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 104
      Priority: 54 kbps, burst bytes 1500, b/w exceed drops: 0


    Class-map: class-default (match-any)
      3824 packets, 1036780 bytes
      5 minute offered rate 16000 bps, drop rate 0 bps
      Match: any

      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 0/0

and here is the one run on the router at the REMOTE site:

Code:

 Dialer0

  Service-policy output: QoS-Policy

    queue stats for all priority classes:

      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 0/0

    Class-map: QoS-VOIP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 104
      Priority: 54 kbps, burst bytes 1500, b/w exceed drops: 0


    Class-map: class-default (match-any)
      894 packets, 146000 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 0/0

For completeness I'm attaching the configurations:
CED

Code:


version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname CED
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 PASSWORD
!
no aaa new-model
clock timezone PCTime 1
!
crypto pki trustpoint TP-self-signed-498544502
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-498544502
 revocation-check none
 rsakeypair TP-self-signed-498544502
!
!
crypto pki certificate chain TP-self-signed-498544502
 certificate self-signed 01
        quit
dot11 syslog
no ip source-route
!
!
!
!
ip cef
no ip bootp server
no ip domain lookup
ip name-server 151.99.0.100
ip name-server 151.99.125.1
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username UTENTE privilege 15 secret 5 PASSWORD
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key PASSWORD_VPN address 83.211.xxx.xx4
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to 83.211.xxx.xx4
 set peer  83.211.xxx.xx4
 set transform-set ESP-3DES-SHA
 match address 102
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map match-all QoS-VOIP
 match access-group 104
!
!
policy-map QoS-Policy
 class QoS-VOIP
    priority 54
!
!
!
!
interface ATM0
 mtu 1500
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no atm ilmi-keepalive
 crypto ipsec df-bit clear
 service-policy output QoS-Policy
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 ip address 85.38.xxx.xx8 255.255.255.252
 ip access-group 101 in
 ip verify unicast reverse-path
 ip flow ingress
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 snmp trap ip verify drop-rate
 pvc 8/35
  tx-ring-limit 3
  encapsulation aal5snap
 !
 crypto map SDM_CMAP_1
 crypto ipsec df-bit clear
!
interface FastEthernet0
!
interface FastEthernet1
 shutdown
!
interface FastEthernet2
 shutdown
!
interface FastEthernet3
 shutdown
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.0.250 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
!
ip nat inside source route-map SDM_RMAP_1 interface ATM0.1 overload
ip nat inside source static tcp 192.168.0.1 3389 85.38.xxx.xx8 3389 extendable
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 85.38.xxx.xx6 0.0.0.3 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark Auto generated by SDM for NTP (123) 193.204.114.233
access-list 101 permit udp host 193.204.114.233 eq ntp host 85.38.xxx.xx8 eq ntp
access-list 101 remark Auto generated by SDM for NTP (123) 193.204.114.232
access-list 101 permit udp host 193.204.114.232 eq ntp host 85.38.xxx.xx8 eq ntp
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit udp host  83.211.xxx.xx4 host 85.38.xxx.xx8 eq non500-isakmp
access-list 101 permit udp host  83.211.xxx.xx4 host 85.38.xxx.xx8 eq isakmp
access-list 101 permit esp host  83.211.xxx.xx4 host 85.38.xxx.xx8
access-list 101 permit ahp host  83.211.xxx.xx4 host 85.38.xxx.xx8
access-list 101 permit udp host 151.99.125.1 eq domain host 85.38.xxx.xx8
access-list 101 permit udp host 151.99.0.100 eq domain host 85.38.xxx.xx8
access-list 101 permit tcp any host 85.38.xxx.xx8 eq 3389
access-list 101 deny   ip 192.168.0.0 0.0.0.255 any
access-list 101 permit icmp any host 85.38.xxx.xx8 echo
access-list 101 permit icmp any host 85.38.xxx.xx8 echo-reply
access-list 101 permit icmp any host 85.38.xxx.xx8 time-exceeded
access-list 101 permit icmp any host 85.38.xxx.xx8 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 remark SDM_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 permit ip 192.168.0.0 0.0.0.255 any
access-list 104 remark *** ACL PER QoS-VOIP***
access-list 104 permit ip host 192.168.1.210 any
access-list 104 permit ip any host 192.168.1.210
dialer-list 1 protocol ip permit
no cdp run

!
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
!
control-plane
!
banner login ^CCCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp server 193.204.114.232 prefer source ATM0.1
ntp server 193.204.114.233 source ATM0.1
end
REMOTO

Code:


version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname REMOTO
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 PASSWORD
!
no aaa new-model
clock timezone PCTime 1
!
crypto pki trustpoint TP-self-signed-3504550821
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3504550821
 revocation-check none
 rsakeypair TP-self-signed-3504550821
!
!
crypto pki certificate chain TP-self-signed-3504550821
 certificate self-signed 01
        quit
no ip source-route
!
!
!
!
ip cef
no ip bootp server
no ip domain lookup
ip name-server 151.99.0.100
ip name-server 151.99.125.1
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username UTENTE privilege 15 secret 5 PASSWORD
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key PASSWORD_VPN address 85.38.xxx.xx8
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to85.38.xxx.xx8
 set peer 85.38.xxx.xx8
 set transform-set ESP-3DES-SHA
 match address 102
!
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map match-all QoS-VOIP
 match access-group 104
!
!
policy-map QoS-Policy
 class QoS-VOIP
    priority 54
!
!
!
!
interface ATM0
 mtu 1500
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no atm ilmi-keepalive
 crypto ipsec df-bit clear
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 ip flow ingress
 pvc 8/35
  tx-ring-limit 3
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
 shutdown
!
interface FastEthernet2
 shutdown
!
interface FastEthernet3
 shutdown
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.1.250 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address 83.211.xxx.xx4 255.255.255.254
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname UTENTE_PPP
 ppp chap password 7 PASSWORD_PPP
 crypto map SDM_CMAP_1
 crypto ipsec df-bit clear
 service-policy output QoS-Policy
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
!
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 83.211.xxx.xx2 0.0.0.3 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 103 remark SDM_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 103 permit ip 192.168.1.0 0.0.0.255 any
access-list 104 remark *** ACL PER QoS-VOIP***
access-list 104 permit ip host 192.168.1.210 any
access-list 104 permit ip any host 192.168.1.210
dialer-list 1 protocol ip permit
no cdp run

!
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
!
control-plane
!
banner login ^CCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp server 193.204.114.232 prefer source Dialer0
ntp server 193.204.114.233 source Dialer0
end

To whoever manages to solve my problem, besides being deeply grateful, I'll buy a beer! :wink:

Thanks in advance for the help!

Bye
Marco
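
The check done by eye on the two "show policy-map interface" outputs above (QoS-VOIP stuck at 0 packets while class-default keeps counting), as an added Python example that is not part of the original post. The function names and the abridged sample text are constructed for illustration.

```python
import re

# Constructed sample, abridged from the two outputs quoted in the post above.
SAMPLE = """\
 ATM0
  Service-policy output: QoS-Policy
    Class-map: QoS-VOIP (match-all)
      0 packets, 0 bytes
      Match: access-group 104
    Class-map: class-default (match-any)
      3824 packets, 1036780 bytes
      (pkts output/bytes output) 0/0
      Match: any
 Dialer0
  Service-policy output: QoS-Policy
    Class-map: QoS-VOIP (match-all)
      0 packets, 0 bytes
    Class-map: class-default (match-any)
      894 packets, 146000 bytes
"""

POLICY = re.compile(r"Service-policy (input|output): (\S+)")
CLASS = re.compile(r"Class-map: (\S+) \(match-(?:all|any)\)")
COUNT = re.compile(r"(\d+) packets, (\d+) bytes")
IFACE = re.compile(r"[A-Za-z][\w./-]*")

def parse_policy_output(text):
    """Turn 'show policy-map interface' text into one dict per class."""
    rows, iface, direction, policy = [], None, None, None
    for line in text.splitlines():
        s = line.strip()
        indent = len(line) - len(line.lstrip())
        if (m := POLICY.fullmatch(s)):
            direction, policy = m.groups()
        elif (m := CLASS.fullmatch(s)):
            rows.append({"interface": iface, "direction": direction,
                         "policy": policy, "class": m.group(1),
                         "packets": 0, "bytes": 0})
        elif (m := COUNT.fullmatch(s)) and rows:
            rows[-1]["packets"], rows[-1]["bytes"] = map(int, m.groups())
        elif indent <= 1 and IFACE.fullmatch(s):
            iface = s  # a bare token at the left margin starts a new interface
    return rows

def unmatched_classes(rows):
    """Classes with zero hits while class-default on the same policy has traffic."""
    busy = {(r["interface"], r["policy"]) for r in rows
            if r["class"] == "class-default" and r["packets"] > 0}
    return [r for r in rows if r["class"] != "class-default"
            and r["packets"] == 0 and (r["interface"], r["policy"]) in busy]

if __name__ == "__main__":
    for r in unmatched_classes(parse_policy_output(SAMPLE)):
        print(f'{r["interface"]}: class {r["class"]} in {r["policy"]} matched 0 packets')
```

A class reported here is one whose match criteria (access-group 104 in the post) never hit while the interface is passing traffic, which is the condition to investigate.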