We're trying to PQ (Priority Queue) packets on a Cisco using ACLs. What we're trying to avoid is hardcoding the IP address in the ACL. We were trying to match by TOS set by Asterisk; however, it seems we've run into a snag where the packet TOS tends to get reset somewhere on our network. Has anyone had this issue? We're running Cisco everywhere in between (even the switches). Is there an alternative way to match these? We've thought of by port, but that's kind of ad hoc IMHO.

Asterisk1 --> 3560 --> 2600 -- (T1) --> 7500 --> 2900 --> 3550 --> Asterisk2

Sniff: (note the dumps between the 2 machines are at different times; however, they show the same occurrence)

Asterisk1: 1.1.1.1
09:09:10.019191 IP (tos 0x10, ttl 64, id 58, offset 0, flags [DF], proto 17, length: 60) 1.1.1.1.12056 > 1.1.1.2.19726: [no cksum] UDP, length 32
09:09:10.030146 IP (tos 0x0, ttl 62, id 63, offset 0, flags [DF], proto 17, length: 60) 1.1.1.2.19726 > 1.1.1.1.12056: [no cksum] UDP, length 32

Asterisk2: Dump on 206.80.70.55
09:34:34.418386 IP (tos 0x0, ttl 62, id 261, offset 0, flags [DF], proto 17, length: 60) 1.1.1.1.14796 > 1.1.1.2.18996: [no cksum] UDP, length 32
09:34:34.422974 IP (tos 0x10, ttl 64, id 273, offset 0, flags [DF], proto 17, length: 60) 1.1.1.2.18996 > 1.1.1.1.14796: [no cksum] UDP, length 32
On Mon, 2005-01-03 at 13:53 -0600, Matt Schulte wrote:
> We're trying to PQ (Priority Queue) packets on a Cisco using ACLs. What
> we're trying to avoid is hardcoding the IP address in the ACL. We were
> trying to match by TOS set by Asterisk; however, it seems we've run into a
> snag where the packet TOS tends to get reset somewhere on our network.
> Has anyone had this issue? We're running Cisco everywhere in between
> (even the switches). Is there an alternative way to match these? We've
> thought of by port, but that's kind of ad hoc IMHO.

If the TOS is getting reset somewhere out there, you need to go through all of your switches and make sure that none of them are messing with the TOS. Unfortunately, doing QOS on Cisco switches is a black art, as the necessary commands depend on the hardware and the IOS version (or CatOS version if you are unlucky). Check the documentation for your switches for the "mls qos trust" command. Cisco routers, on the other hand, don't mess with IP TOS/DSCP labels unless you specifically ask them to.

Jeff
Matt Schulte wrote:
> We're trying to PQ (Priority Queue) packets on a Cisco using ACLs. What
> we're trying to avoid is hardcoding the IP address in the ACL. We were
> trying to match by TOS set by Asterisk; however, it seems we've run into a
> snag where the packet TOS tends to get reset somewhere on our network.
> Has anyone had this issue? We're running Cisco everywhere in between
> (even the switches). Is there an alternative way to match these? We've
> thought of by port, but that's kind of ad hoc IMHO.

I know some LAN switching devices, in a default "QoS" configuration, would treat ports as "diffserv" untrusted ports, or access ports, meaning the DSCP (a reuse of the TOS also) in packets inbound at that port is not to be trusted. Have you looked at your switches' documentation?

> Asterisk1 --> 3560 --> 2600 -- (T1) --> 7500 --> 2900 --> 3550 --> Asterisk2
>
> Sniff: (note the dumps between the 2 machines are at different times; however,
> they show the same occurrence)
>
> Asterisk1: 1.1.1.1
> 09:09:10.019191 IP (tos 0x10, ttl 64, id 58, offset 0, flags [DF], proto 17, length: 60) 1.1.1.1.12056 > 1.1.1.2.19726: [no cksum] UDP, length 32
> 09:09:10.030146 IP (tos 0x0, ttl 62, id 63, offset 0, flags [DF], proto 17, length: 60) 1.1.1.2.19726 > 1.1.1.1.12056: [no cksum] UDP, length 32
>
> Asterisk2: Dump on 206.80.70.55
> 09:34:34.418386 IP (tos 0x0, ttl 62, id 261, offset 0, flags [DF], proto 17, length: 60) 1.1.1.1.14796 > 1.1.1.2.18996: [no cksum] UDP, length 32
> 09:34:34.422974 IP (tos 0x10, ttl 64, id 273, offset 0, flags [DF], proto 17, length: 60) 1.1.1.2.18996 > 1.1.1.1.14796: [no cksum] UDP, length 32
Yes yes, you're right. I forget these switches are smart!!! ;-)

-----Original Message-----
From: Julio Arruda [mailto:jarruda-asterisk@jarruda.com]
Sent: Monday, January 03, 2005 4:41 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [Asterisk-Users] QOS / Cisco / Asterisk

Matt Schulte wrote:
> We're trying to PQ (Priority Queue) packets on a Cisco using ACLs.
> What we're trying to avoid is hardcoding the IP address in the ACL. We
> were trying to match by TOS set by Asterisk; however, it seems we've run
> into a snag where the packet TOS tends to get reset somewhere on our
> network. Has anyone had this issue? We're running Cisco everywhere
> in between (even the switches). Is there an alternative way to match
> these? We've thought of by port, but that's kind of ad hoc IMHO.

I know some LAN switching devices, in a default "QoS" configuration, would treat ports as "diffserv" untrusted ports, or access ports, meaning the DSCP (a reuse of the TOS also) in packets inbound at that port is not to be trusted.

Have you looked at your switches' documentation?

> Asterisk1 --> 3560 --> 2600 -- (T1) --> 7500 --> 2900 --> 3550 --> Asterisk2
>
> Sniff: (note the dumps between the 2 machines are at different times; however,
> they show the same occurrence)
>
> Asterisk1: 1.1.1.1
> 09:09:10.019191 IP (tos 0x10, ttl 64, id 58, offset 0, flags [DF], proto 17, length: 60) 1.1.1.1.12056 > 1.1.1.2.19726: [no cksum] UDP, length 32
> 09:09:10.030146 IP (tos 0x0, ttl 62, id 63, offset 0, flags [DF], proto 17, length: 60) 1.1.1.2.19726 > 1.1.1.1.12056: [no cksum] UDP, length 32
>
> Asterisk2: Dump on 206.80.70.55
> 09:34:34.418386 IP (tos 0x0, ttl 62, id 261, offset 0, flags [DF], proto 17, length: 60) 1.1.1.1.14796 > 1.1.1.2.18996: [no cksum] UDP, length 32
> 09:34:34.422974 IP (tos 0x10, ttl 64, id 273, offset 0, flags [DF], proto 17, length: 60) 1.1.1.2.18996 > 1.1.1.1.14796: [no cksum] UDP, length 32
> What's wrong with doing it by port?

We're actually using SIP to terminate calls; going by rtp.conf, the ports could range over several thousand ports. What we're going for is only honoring TOS for that particular customer; luckily these are T1 customers hosted on our routers. They understand that their firewalls cannot pass TOS; if they do (i.e. we packet sniff and see this), then they're on their own. In a nutshell, we wanted to avoid using hardcoded ports: what if, say, a game server was in that port range (and used UDP, lol)? You would be rather screwed.

> same TOS flags as Asterisk, by prioritizing port 4569 (IAX2 protocol) you know for sure that the
> only packets in that queue are VoIP traffic. Also, what about your incoming traffic? Are the TOS
> flags correct there? I'm not saying that TOS is bad, just that as you've seen, it can get changed
> along the way. I'm using port number to separate traffic and it is working great.
>
> -Ron
We're trying to PQ (Priority Queue) packets on a Cisco using ACLs.
-------------------------------

You do not want to use PQ for voice QOS. You will still receive far too much jitter. Instead, configure LLQ, which was specifically designed for voice scheduling on an interface. Aside from being designed for voice, LLQ also allows you to create lower-priority queues for other traffic without running into queue starvation problems.

For a complete description of designing and configuring Cisco networks for voice QOS see:
http://www.cisco.com/application/pdf/en/us/guest/netsol/ns17/c649/ccmigration_09186a00800d67ed.pdf
Yes yes, we've been through all that actually :-) We did find out it was one of the 3550's resetting the TOS.

-----Original Message-----
From: rsenykoff@harrislogic.com [mailto:rsenykoff@harrislogic.com]
Sent: Tuesday, January 04, 2005 2:40 PM
To: asterisk-users@lists.digium.com
Subject: RE: [Asterisk-Users] QOS / Cisco / Asterisk

<snip>
> What's wrong with doing it by port?

We're actually using SIP to terminate calls; going by rtp.conf, the ports could range over several thousand ports. What we're going for is only honoring TOS for that particular customer; luckily these are T1 customers hosted on our routers. They understand that their firewalls cannot pass TOS; if they do (i.e. we packet sniff and see this), then they're on their own. In a nutshell, we wanted to avoid using hardcoded ports: what if, say, a game server was in that port range (and used UDP, lol)? You would be rather screwed.
</snip>

Ahh OK. Well, how about configuring a laptop with Ethereal (http://www.ethereal.com/) and capturing the packets you have in mind? It even runs on Windows. :p It's pretty easy to specify a particular destination or so, for limiting which traffic you sniff. You could use an old hub and start plugging the laptop in between routers using the hub so it can capture the packets. Should be fairly quick to isolate which router is modifying the TOS value. Just an idea... of course you have to have physical access to the network...

HTH,
-Ron
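The comparison Jeff and Ron describe (capture at both ends, or between hops, and see where the TOS octet changes) can be automated. This is an added example, not code from the thread: it parses the `tcpdump -v` lines posted above, keyed by direction rather than by port because RTP ports differ per call, and reports each direction whose TOS differs between the capture nearer the sender (higher TTL) and the far capture. The constant and function names are my own; the sample input is the two captures from the thread.

```python
import re

# Constructed sample input: the two captures posted in this thread, one packet per line
CAPTURE_AT_ASTERISK1 = """\
09:09:10.019191 IP (tos 0x10, ttl 64, id 58, offset 0, flags [DF], proto 17, length: 60) 1.1.1.1.12056 > 1.1.1.2.19726: [no cksum] UDP, length 32
09:09:10.030146 IP (tos 0x0, ttl 62, id 63, offset 0, flags [DF], proto 17, length: 60) 1.1.1.2.19726 > 1.1.1.1.12056: [no cksum] UDP, length 32
"""
CAPTURE_AT_ASTERISK2 = """\
09:34:34.418386 IP (tos 0x0, ttl 62, id 261, offset 0, flags [DF], proto 17, length: 60) 1.1.1.1.14796 > 1.1.1.2.18996: [no cksum] UDP, length 32
09:34:34.422974 IP (tos 0x10, ttl 64, id 273, offset 0, flags [DF], proto 17, length: 60) 1.1.1.2.18996 > 1.1.1.1.14796: [no cksum] UDP, length 32
"""

# Pulls TOS, TTL and the source/destination addresses out of a "tcpdump -v" IP header line
PKT_RE = re.compile(
    r"IP \(tos 0x(?P<tos>[0-9a-fA-F]+), ttl (?P<ttl>\d+),[^)]*\) "
    r"(?P<src>\d+(?:\.\d+){3})\.\d+ > (?P<dst>\d+(?:\.\d+){3})\.\d+:"
)

def parse_capture(text):
    """Map each direction (src, dst) to the (tos, ttl) seen at this capture point.
    RTP ports change per call, so the direction, not the 5-tuple, is the key."""
    seen = {}
    for line in text.splitlines():
        m = PKT_RE.search(line)
        if m:
            seen[(m["src"], m["dst"])] = (int(m["tos"], 16), int(m["ttl"]))
    return seen

def tos_rewrites(cap_a, cap_b):
    """For every direction seen at both capture points, compare the TOS nearer the
    sender (the capture with the higher TTL) against the TOS at the far capture.
    Returns a sorted list of (src, dst, tos_sent, tos_arrived, router_hops)."""
    findings = []
    for direction in sorted(set(cap_a) & set(cap_b)):
        a, b = cap_a[direction], cap_b[direction]
        near, far = (a, b) if a[1] >= b[1] else (b, a)  # higher TTL = nearer the sender
        if near[0] != far[0]:
            findings.append(direction + (near[0], far[0], near[1] - far[1]))
    return findings

def report(findings):
    """Human-readable lines; DSCP is the top six bits of the TOS octet."""
    return [
        f"{src} -> {dst}: sent tos 0x{sent:02x} (dscp {sent >> 2}), "
        f"arrived tos 0x{got:02x} (dscp {got >> 2}) after {hops} router hop(s)"
        for src, dst, sent, got, hops in findings
    ]

if __name__ == "__main__":
    print("\n".join(report(tos_rewrites(parse_capture(CAPTURE_AT_ASTERISK1), parse_capture(CAPTURE_AT_ASTERISK2)))))
```

Moving the far-end capture one hop at a time along the path (as Ron suggests with a hub and a laptop) narrows the rewrite down to the device where the TOS first changes.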