Trying to set-up a priority queue for Voice and Video traffic, below is the current ASA config. The WAN link is 6mb, trying to limit the Internet traffic to 4mb and save 2mb for the PQ, config belowTraffic just isn't hitting the PQ
priority-queue outside
queue-limit 512
tx-ring-limit 200
!
class-map Video
description Video
match dscp af31
[code]....
i have a 3560 connecting to a sp with limited bandwidth. i have one interface on the switch whose traffic i do not want to drop. i want this traffic to go into the high priority queue. i am not sure how this should be configured, but here is my best guess and my current qos configuration on the switch:
qos map cos-dscp 0 8 16 26 32 46 48 56
mls qos srr-queue output cos-map queue 1 threshold 3 5
mls qos srr-queue output cos-map queue 2 threshold 1 4 6 7
mls qos srr-queue output cos-map queue 2 threshold 2 3(code)
since cos 5 is mapped to dscp 46 then this traffic would go into the priority queue. is this correct ?
We're testing the reference system shown in the figure below. System Description Four 2960 switches are used for transport;Equipment 1 and Equipment 2 exchange packets for synchronization;To reach synchronization Equipment 1 and 2 must exchange data with a very low jitter. 2960 Configuration details Four our test puprose, we're using 100Mbit/s ports (22 and 23) as trunk.In order to obtain minimum jitter We performed these configurations:We Enabled QoS;We Marked Synchronization packets with CoS 7 and DSCP 63;We marked other kind of traffic inserted in different ports) with CoS 0;We set "trust DSCP" on trunk ports;On the trunk ports we mapped traffic with CoS 7/DSCP 63 (and only this) on output queue 1;We enabled the expedite queue (priority-queue out). QuestionWith these settings we aim at forcing our synchronization packtes to precede other kind of traffic and go from Equipment 1 to Equipment 2 with minimum jitter.Unfortunately we experienced high jitter when both synchronization packets and other traffic are sent through the systems.
View 9 Replies View RelatedI need to trust and prioritize voip traffic on my 6509 core
at the moment I have mls qos trust dscp on the interface
Is this enough? or do I need to enable the priority queue? how do i do this ? as it doesnt accept the priority queue out command like a normal switch
After opening up Solarwinds NPM, I noticed that a few of my interfaces had lots of discards (who knows how long it's been sets the counters were reset)
interface GigabitEthernet1/0/25description Etherchannel to MamaCassswitchport trunk encapsulation dot1qswitchport mode trunkswitchport nonegotiatepriority-queue outchannel-group 4 mode on
interface GigabitEthernet2/0/25description Etherchannel to MamaCassswitchport trunk encapsulation dot1qswitchport mode trunkswitchport nonegotiatepriority-queue outchannel-group 4 mode on
interface Port-channel4switchport trunk encapsulation dot1qswitchport mode trunkswitchport nonegotiate,It looks as if priority-queue was configured outbound on these interfaces, could this be the cause of the transmit discards which are now up to 79,835, I just reset the counters on the interfaces a little while ago.
I'm not the best in the world when it comes to QoS, we do have some VoIP phones, but they are only a specific network, and do not travel outside, since there are used mainly for VoIP training. I do know both interfaces are running the default of FIFO.
I have a Cisco Catalyst 2960 with IOS Release12.2(53)SE (because of a contract I can not update it) -> the release notes for this version describe the following:
When auto-QoS is enabled on the switch, priority queuing is not enabled. Instead, the switch uses shaped round robin (SRR) as the queuing mechanism. The auto-QoS feature is designed on each platform based on the feature set and hardware limitations, and the queuing mechanism supported on each platform might be different. There is no workaround. (CSCee22591)
My config is as follows:
interface FastEthernet0/1 switchport access vlan 200 switchport mode access srr-queue bandwidth share 10 10 60 20 priority-queue out mls qos trust dscp auto qos voip trust no cdp enable network-policy 1 spanning-tree portfastMy question now is:When the priority queue is not enabled with auto-qos because of the software bug is it nevertheless enabled with the additional priority-queue out command?
I am trying to implement priority queuing (LLQ) on a pair of 10GE links between a 4507 with Sup6E and a 4948 which are configured as an etherchannel. I am unable to configure a priority queue on the 4507. I am running into the following issues:
I want to have a priority queue for voice traffic and specify minimum bandwidth for a critical application. If I configure a class with the priority command it will not let me use the bandwidth command on another class unless the priority class is policed. If I try it without the police command I get the message "bandwidth kbps/percent command cannot co-exist with strict priority in the same policy-map ". If I add a police statement to the priority class then I don't get this error.
When I try to apply the resulting service-policy to the physical interface it says "% A service-policy with non-queuing actions should be attached to the port-channel associated with this physical port" and does not add the command to the config.
If I try to associate the same policy-map to the port-channel rather than the physical interface it says "% A service-policy with queuing actions can be attached in output direction only on physical ports" and does not add the command to the config.
All of the other interfaces on the 4500 are working OK. The trunks have auto qos voip trust configured and access ports are marking the critical application traffic.
The 4507 is running 12.2(44)SG1 EnterpriseK9. I don't have the luxury to upgrade blindly to fix the problem unless I can identify a specific bug that is causing the problem.
I am trying to setup a network using Cisco 2960 switches with vlans configured. One vlan will handle video coming from four cameras that are connected to another 2960.
We have four cameras feeeding one port each on a 2960, that 2960 in turn feeds one port on the main 2960 which is the video vlan for that site. From the site it goes back to a Cisco 3750 to be sent over to a Sonicwall firewall. If we connect to the 2960 that the camera are connected to we can see the video, but not on the main site 2960.
anyway to implement priority marking on the voice packets on the IP communcicator which installed in a laptop (running Data VLAN in the switch)?
View 1 Replies View RelatedWe have some point-to-point sites linked with our HO with 10-30mbps speed. We have provided DID telephone lines to these sites as well.
We want to limit the bandwidth with 1mb bandwidth only and also make sure that the voice traffic (DID telephone lines) gets the priority over all other traffic even if they are utilitizing the 1mb link completely. We have some Cisco 1841 routers that we are planning to configure on the main uplink on each of these sites. how to give the priority to the voice traffic yet limiting the bandwidth to 1mb.
I'm trying to configure QoS on my 877 router to give priority to voice packets. However, when I do a show policy-map for WAN interface, all the classes show 0 bps. When I do a show int for the WAN interface, I get the correct bandwidth util.
This 877 is meant for a home network. I'm running a Cisco 7970 phone using phone-proxy back to my HQ. I'm also shaping the traffic.
Here is my config
Class Map match-any EF (id 1)
Match ip precedence 5
Class Map match-any class-default (id 0)
Match any
I am about to buy a NMP (WD Live Hub) to put my local video/music/pic content on and drive many TVs in my house. These NMP also have services like Hulu, NetFlix, etc. I plan to sign-up for NetFlix and do the unlimited streaming thing via the WD Hub. I have a 5Mbps broadband pipe which is right at the suggested level for HD streams.....but I think the DIR-655 can prioritize streams/video ?
plan to put the Hub on Static (Reserved) IP address on my network....however, I've never messed with a Router and prioritization. I assume it is something to do with the port(s) used, etc. I have no idea the ports that will be used by the Hub for NetFlix, how/where in the DIR-655 I can accomplish this how to ID the ports used would be great....eg. some variant of Netstat command, etc ?
I need to prioritize voice traffic through the ASA
priority-queue outside
tx-ring-limit 200
queue-limit 2000
Do the above values look correct? and why is the priority queue applied to the outside interface and not the inside? (or both). Also is this the part that ensures that the regular traffic does not choke the voice traffic?
class-map voip-class
match dscp ef
policy-map outsidemap
class voip-class
priority
service-policy outsidemap interface outside
Will the global policy remain which this interface policy taking priority?
I have a question regarding firewall configurations. Is it possible to have two interfaces ( for two internet service providers) one for voice and one for data. Can I have two Outside Interfaces that one will apply to a pppoe client group and the other will apply to a static IP? Is this possible and if so What would be the steps on applying this connection? Also to note I have a point to point connection already established for the pppoe. I also have another point to point connection for data, but however I do not know how to apply this to the firewall.
View 3 Replies View RelatedI have a setup using an ASA 5510 8.2(2). In the DMZ (192.168.12.x) there is a server, switch and multiple cameras for surveillance of the site. In the Inside (140.152.25.x) are the pcs that can run the client software to view the video feed, or it can pull from the server in the DMZ.
On the server in the DMZ, you can see the feed, along with any pc you connect to that network. On any machine on the Inside, or through VPN, you cannot either with the client software or pulling from the surveillance server.
I am watching the connection through ASDM and don’t see any particular port being blocked, but I do see TCP connections being terminated by inspection. So far I’ve taken out inspections for http and rstp. I don’t really see anything else that would drop video. I've attached the error I keep seeing.
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
[Code].....
There are two Polycom devices behind ASA (Terminal HDX7000 and MCU RMX1000), ASA is connected to Cisco 1900 router which is connected to ISP.
Polycom devices are NATed (unique global address per device) on router and h323 inspection is done on ASA. The issue is that when trying to connect from outside to conference on MCU I don't receive any video (but MCU shows me like a connected participant). The same is true when MCU try to call outside terminals, they are shown as connected participants, but there is just a black screen. On ASA all ports are opened (both in and out) and there are no ACLs on router. And what means NAT configuration on Polycom devices, why it is needed when NATing is done on router (such configuration option I've seen also on Tandberg and another vendor's devices)?
I am using ASA 5510 and I have a specific problem with Http Connection to receive a video Flow ( RSTP protocol ) in the LAN. Some Pc users (192.168.1.133,in the log) with ASA Lan Interface as gateway can ping the Camera but don't receveive the video flow.Some Pc users (192.168.1.116,in the log) using another gateway can ping and receive the video flow. I used Whireshark to capture traffic between camera and Pc using the 2 gateway. I joined Logs with this message.It seems to be a problem of TCP segments on the ASA, I try to changed some TCP options but it's still the same:- Disable Force Maximum Segment Size- Enable Force TCP Connection to Linger in TIME_WAIT State for at Least 15 Second.
View 7 Replies View RelatedWe have just acquired a cisco profile 42 video conferencing equipment and am required to open ports for SIP and H232, any pointers on hw that can be acquired i have a cisco ASA 5510, Some one told me to open port 16384 but i need pointers on how to do it becuase I already set an access list to any.
the config
Internet -> ASA 5510 -> Switch -> Profile 42 and other devices
I have a customer with a Cisco ASA 5510 firewall, an inside network containing a Genetec video recording server, and cameras installed on broadband modems throughout the area (each with a public IP). They've recently purchased Axis Q6034-E cameras that use H.264 to stream back to the video recording server. The camera has a view mode where you can watch it through H.264 or Motion JPEG. The view with M-JPEG works, but when I switch to H.264 the video stream is denied. We have allowed RTSP, RTP, and HTTP (it's setup with only http, not 443)traffic from the camera address on the cable company public network but are still being denied the video stream. The recording software requires that the feed come from the H.264 feed, so the motion jpeg does not fix the underlying issue of being able to record.
We know it's the firewall because if we install the camera on the inside network, the video feed in H.264 works to the recorder.
How to enable something special on the firewall to allow traffic through from the device?
how many users supports the 2600 series ap air voice, video, and data average any document or link
View 3 Replies View RelatedI have two goals on my Cisco 3750E -
* Limit bandwidth to match carrier provided bandwidth (10M ethernet port, but only 6M provisioned)
* Prioritize some traffic over others through the use of a priority queue.
I have come up with this design:
access-list 100 remark priority traffic
access-list 100 permit ip 10.1.1.0 0.0.3.255 any
access-list 100 permit ip any 10.1.1.0 0.0.3.255
[Code]....
How do I know? Is there a show command to show priority packets?
Am I right in assigning dscp 46 to this interesting traffic? That way it goes to queue 2?
Am I right in applying the priority-queue out command to the interface?
We also have voice traffic. But I think i can trust it to queue up into the router with trusted dscp
In QoS, voice traffic is usually marked EF and placed in a priority queue. But interactive video traffic, like VTC, should also receive priority treatment. Can I put both classes in their own priority queues in the same policy map? I thought there could only be one LLQ, but I'm not sure about it. An example of the config I'm thinking of is below. Voice would be marked EF, VTC would be marked AF41.
View 6 Replies View RelatedWe tested a QoS in a Cisco 3750E, IOS: 12.2(58)SE2.Voice traffice in the correct Q without any problem, but all the others traffic the Defualt Q (0), tried to capture the traffic and tcp/udp port are correct.Any thing wrong with my ACL or DSCP - CoS?? ( that ACL works fin on 4500 and 6500) [code]
View 3 Replies View RelatedIs there any way I can tell if an network priority is setup on the router? The last week or so the internet has been unusually slow sometimes, and not slow at all other. I don't have a good relationship with my roommate (network administrator) and I feel she may have put a network priority on the router for her and or her boyfriends computer/s. Is there any way to tell? Is there a particular way in which the internet behaves when a priority is set? I just don't want to pay for the internet if it is not going to work most of the time.
View 6 Replies View RelatedWe have 3 sets of applications. The first does not require much bandwidth but is very critical, the other two is more bandwidth consuming but less critical. I would like to know if it's possible to reflect this priorities on the router configuration. Is it possible to set the ports 10000, 10001 and 10002 of the external IP have higher priority to be handled, for example? Also, is it possible to limit the bandwidth that goes through a set of ports?
I must prevent the 2 sets of less critical applications to strugle the critical ones. What router can provide this capabilities? Is the 1921 able to do this job?
I have a classical "inside + DMZ + outside" configuration.I also have a mail server in DMZ which have to be allowed to reach any destination on the outside (internet) at least on the SMTP port, of course.If I make an access rule that allows traffic from that server to "any", everything works fine, but doing so the server is allowed to reach any destination, including what is behind the inside interface (internal network).I didn't find any other option to tell the ASA machine to allow any destination, but on the outside interface only.I do believe is possibile to have the ASA to allow any kind of traffic from a host on the DMZ to the outside interface only, but I didn't figure out how.
P.S.: I'm using a 5510 machine running version 8.2
Just wondering if there are any methods or commands, natively, in the asa5510 for determining all traffic in to and from a certain server passing through the asa. This would be without a syslog server or something similar.
View 3 Replies View RelatedCore Internal Network -> Cisco ASA 5510 -> DMZ Switch.If i send a ping reguest from internal network to servers in DMZ Switch over the ASA 5510, i can see a delay in response, some times this delay can be more than 80ms, this is a problem for the web applications in http traffic.How i can find what's happening on my ASA? I disable the inspect traffic over the IPS, disable the policy maps below, reload the two boxes, but doesn't works, the problem still persists. [code]
View 2 Replies View RelatedI'm currently using ASA 5510 with software 8.4.1 and I have an issue with nat configuration. I used the following config line:nat (inside, dmz) source dynamic LAN Pat1 destination Server1 Server1
The traffic is not flowing and when I use Packet Tracer, packets are dropped at the NAT rule with the following error: Drop-reason: (acl-drop) Flow is denied by configured rule.The only ACE I have is permit ip any any.
I have an ASA with an outside ACL that is configured to allow 208.84.248.95 SIP/5060 to 1x.x.x.46. I show no hits. I added an ACL to do a packet capture, it sees the packet coming into the ASA but not going to the Serv Prov interface. I see hits on the vuong ACL but not the production acl_out ACL.. What is up?
NOTE:ACL_out is the ACL we use to allow outside traffic to enter our network.
FW1(config)# sh access-list | i 1.x.x.46
access-list acl_out line 1 extended permit ip host 63.x.x.140 host 1x.x.x.46 (hitcnt=0) 0xc09a9387 (*NO HITS)
access-list acl_out line 658 extended permit udp host 208.84.248.95 host 1x.x.x.46 eq sip (hitcnt=0) 0x0f327179 (NO HITS)
[code]...
It was tested and verified from the inside network to make sure the server is listening on that port. Below we created an ACL to allow all IP from another test PC to the Server IP 1x.x.x.46. We did a telnet to port 5060 and it showed hits but not on the acl_out ACL.
ccess-list vuong line 1 extended permit ip host 63.x.x.140 host 1x.x.x.46 (hitcnt=0) 0x2759fa92
FW1(config)# q
FW1# capture capture1 access-list vuong interface outside
[code]...
Below we applied the same ACL to the ServProv interface to see if traffic was going where it was supposed to . By trying to telnet to the 1x.x.x46 IP from 63.x.x.140 IP. Looking below, no traffic appeared on the capture2.
FW1# capture capture2 access-list vuong interface ServProv
FW1# sh capture capture2
0 packet captured
0 packet shown
[code]...
Capture 1 above shows the last 3 incoming messages initiated from 63.x.x.140 to the 1x.x.x.46! Vuong ACL belows shows 3 more hits.....nothing on the acl_out ACL???
FW1# sh access-list vuong
access-list vuong; 1 elements; name hash: 0x29df3e90
access-list vuong line 1 extended permit ip host 63.x.x.140 host 1x.x.x.46 (hitcnt=6) 0x2759fa92
[code]...
I have manually configured the Firewall ASA 5510 from existing PIX to match the configuration, however when I connect the firewall to the Network, no traffic is flowing in either direction. I have the Inside network on the 172.29.0.0 subnet and the outside network on 20.2.0.0 subnet. I am attaching the cofiguration file.
View 4 Replies View RelatedOne Host on inside network needs to access customized application hosted on Internet. Its a customized application run on port 80, 443, 5000-to-50020
How do I allow this host access for this specific application. I got ASA 5510 and host is in the inside network, we also got an ACL on inside interface to have control.
-Host IP on inside network - 172.16.30.15
-Application to access - 74.219.x.x
-Inside ACL name - inside-acl
Im having problems with google saying we generate to much traffic to [URL]
I need to know which machines on the inside are talking so much with google. Can this be done via ASA 5510? do i need a third party program for this?