
Configure QoS for VoIP on Catalyst 3550

The purpose of this document is to outline the local area network (LAN) quality of service templates that will be implemented by your Unified Communications engineers. This document contains basic configuration details that should be followed during any UC deployment. The configurations contained within this document are based on Cisco's Quality of Service SRND and Unified Communications Manager SRND. For a comprehensive list of configuration details, reference the Cisco Quality of Service SRND and Cisco Unified Communications Manager SRND.

The configurations in this document should be considered the baseline for any implementation and should be included in any implementation as part of the standard delivery process. LAN traps should be conducted after implementing the QoS to ensure that proper markings are being set and maintained throughout the enterprise.

The following devices are covered in this FAQ:
* Catalyst 3550 Switches
* Catalyst 2960/2970/3560/3750 Switches
* Catalyst 4500 Switches with Native IOS up to Supervisor Engine 7E
* Catalyst 6500 Switches with Native IOS

Markings

The following markings are used to designate traffic, per the Cisco SRND. These are the markings that you will account for in the base professional services implementation pricing.

        Voice Bearer    Control     Video
DSCP    46 (EF)         24 (CS3)    34 (AF41)
COS     5               3           4


Soft Clients

When IP Phones are deployed in conjunction with other soft clients, such as CIPC, CUVA, or CUPC, then it is important to ensure the proper marking of soft client UC traffic. This is accomplished through the use of access lists and service policies.

The voice component of a call can be classified in one of two ways, depending on the type of call in progress. A voice-only (or normal) telephone call would have the media classified as CoS 5 (IP Precedence 5 or PHB EF), while the audio channel of a video conference would have the media classified as CoS 4 (IP Precedence 4 or PHB AF41). All the Cisco IP Video Telephony products adhere to the Cisco Corporate QoS Baseline standard, which requires that the audio and video channels of a video call both be marked as CoS 4 (IP Precedence 4 or PHB AF41). The reasons for this recommendation include, but are not limited to, the following:
* To preserve lip-sync between the audio and video channels
* To provide separate classes for audio-only calls and video calls

Cisco Unified Personal Communicator and Cisco IP Communicator with Cisco Unified Video Advantage are both voice and video capable, which presents two challenges when using the ACL and policy map for packet classification and DSCP re-marking. First, Cisco Unified Personal Communicator uses the same IP address and UDP port range to source voice and video streams. The ACL that is based on IP address and port number is not granular enough to differentiate a voice call from a video call in order to apply appropriate DSCP re-marking. Second, Cisco IP Communicator uses the same IP address and UDP port range to source its voice packets. Similarly, the ACL is not granular enough to differentiate the voice stream of an audio-only call from the voice stream of a video call. Therefore, using the ACL and policy-map for packet classification and DSCP re-marking is not a feasible QoS solution for software-based endpoints.

Because both Cisco Unified Personal Communicator and Cisco IP Communicator with Cisco Unified Video Advantage mark their signaling and media packets correctly as they ingress the network, Cisco recommends configuring the policy map to trust the DSCP marking of incoming traffic and apply traffic policing and rate limiting.

1. Catalyst 3550

The Catalyst 3550 switch model is generally found in the access layer of the LAN. This model supports a 1P3Q1T queuing model.

Global Commands

These commands are entered on a global level and are necessary in all QoS implementations. They are used to properly map COS and DSCP values as well as to associate these markings with the appropriate interface queue and threshold.

Switch(config)#mls qos
Switch(config)#mls qos map cos-dscp 0 8 16 24 34 46 48 56

Trunk Port Commands

Trunk ports, which could include connections to other switches, as well as Dot1Q connections to routers, should be configured to trust the DSCP markings from the neighboring device.

Switch(config)#int fx/y
Switch(config-if)#wrr-queue bandwidth 5 25 75 1
Switch(config-if)#wrr-queue cos-map 1 1
Switch(config-if)#wrr-queue cos-map 2 0
Switch(config-if)#wrr-queue cos-map 3 2 3 4 6 7
Switch(config-if)#wrr-queue cos-map 4 5
Switch(config-if)#priority-queue out
Switch(config-if)#mls qos trust dscp

Voice Servers, WAN Routers, Gateways

Generally speaking, devices such as voice servers, WAN routers, and voice gateways can be trusted, similar to trunk ports.

Switch(config)#int fx/y
Switch(config-if)#wrr-queue bandwidth 5 25 70 1
Switch(config-if)#wrr-queue cos-map 1 1
Switch(config-if)#wrr-queue cos-map 2 0
Switch(config-if)#wrr-queue cos-map 3 2 3 4 6 7
Switch(config-if)#wrr-queue cos-map 4 5
Switch(config-if)#priority-queue out
Switch(config-if)#mls qos trust dscp

IP Phones without Soft Clients

When IP Phones are deployed in an environment without other soft clients such as CIPC, CUVA, or CUPC, then the configuration for these access ports can be to simply trust the COS of the IP Phones. If a client will have any soft clients in the enterprise, it is recommended that you follow the configuration template for IP Phones with Soft Clients, as it is not feasible to know exactly which ports may or may not have soft clients active.

Switch(config)#int fx/y
Switch(config-if)#wrr-queue bandwidth 5 25 70 1
Switch(config-if)#wrr-queue cos-map 1 1
Switch(config-if)#wrr-queue cos-map 2 0
Switch(config-if)#wrr-queue cos-map 3 2 3 4 6 7
Switch(config-if)#wrr-queue cos-map 4 5
Switch(config-if)#priority-queue out
Switch(config-if)#mls qos trust device cisco-phone
Switch(config-if)#mls qos trust cos

IP Phones with Soft Clients

Because both Cisco Unified Personal Communicator and Cisco IP Communicator with Cisco Unified Video Advantage mark their signaling and media packets correctly as they ingress the network, Cisco recommends configuring the policy map to trust the DSCP marking of incoming traffic and apply traffic policing and rate limiting. It should be noted that this document includes IP Phone control traffic for SCCP, Secure SCCP, and SIP implementations.

The client can elect to add additional classes for other applications that fall into the Bulk, Transactional, or Interactive classes, such as Oracle, FTP, etc., by configuring additional ACLs and class-maps. You will be creating classes for voice and video. All other traffic not included in these classes will be policed at 5Mbps. This helps protect the environment from DoS attacks, and will not affect legitimate traffic.

Policers

Since we are going to be marking traffic from PCs to higher classes within the QoS policies, we need to ensure that we do not open the infrastructure up to a DoS attack from these PCs by allowing them to transmit more data than necessary in each class. This is done with policers. By policing unexpected packets down to DSCP 8 (scavenger), excess packets that carry the policed markings are given a lower priority than DSCP 0.

Switch(config)#mls qos map policed-dscp 0 24 26 34 to 8

Access Lists

Access lists (ACLs) are used to properly identify traffic that will need to be marked at the point of ingress. These ACLs will vary from LAN segment to LAN segment, as both the voice VLAN and data VLAN may differ from location to location within a deployment.

ip access-list extended VVLAN-VOICE
 permit udp any any range 16384 32767
ip access-list extended VVLAN-SIGNALING
 remark SCCP
 permit tcp any any range 2000 2002
ip access-list extended MULTIMEDIA-CONFERENCING
 remark RTP
 permit udp any any range 16384 32767
ip access-list extended SIGNALING
 remark SIP
 permit tcp any any range 5060 5061
 permit udp any any range 5060 5061
ip access-list extended TRANSACTIONAL-DATA
 remark HTTPS
 permit tcp any any eq 443
 remark ORACLE-SQL*NET
 permit tcp any any eq 1521
 permit udp any any eq 1521
 remark ORACLE
 permit tcp any any eq 1526
 permit udp any any eq 1526
 permit tcp any any eq 1575
 permit udp any any eq 1575
 permit tcp any any eq 1630
 permit udp any any eq 1630
ip access-list extended BULK-DATA
 remark FTP
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data
 remark SSH/SFTP
 permit tcp any any eq 22
 remark SMTP/SECURE SMTP
 permit tcp any any eq smtp
 permit tcp any any eq 465
 remark IMAP/SECURE IMAP
 permit tcp any any eq 143
 permit tcp any any eq 993
 remark POP3/SECURE POP3
 permit tcp any any eq pop3
 permit tcp any any eq 995
 remark CONNECTED PC BACKUP
 permit tcp any eq 1914 any
ip access-list extended SCAVENGER
 remark KAZAA
 permit tcp any any eq 1214
 permit udp any any eq 1214
 remark MICROSOFT DIRECT X GAMING
 permit tcp any any range 2300 2400
 permit udp any any range 2300 2400
 remark APPLE ITUNES MUSIC SHARING
 permit tcp any any eq 3689
 permit udp any any eq 3689
 remark BITTORRENT
 permit tcp any any range 6881 6999
 remark YAHOO GAMES
 permit tcp any any eq 11999
 remark MSN GAMING ZONE
 permit tcp any any range 28800 29100
ip access-list extended DEFAULT
 remark EXPLICIT CLASS-DEFAULT
 permit ip any any

Class-Maps

Class-Maps are created to place the traffic identified by the access lists into the appropriate QoS classes. The 3550 switch can classify based on VLAN ID, so hierarchical classes are utilized for this switch. In the following example, VV refers to the Voice VLAN ID.

class-map match-all VVLAN-VOICE
 match access-group name VVLAN-VOICE
class-map match-all VVLAN-SIGNALING
 match access-group name VVLAN-SIGNALING
class-map match-all MULTIMEDIA-CONFERENCING
 match access-group name MULTIMEDIA-CONFERENCING
class-map match-all SIGNALING
 match access-group name SIGNALING
class-map match-all TRANSACTIONAL-DATA
 match access-group name TRANSACTIONAL-DATA
class-map match-all BULK-DATA
 match access-group name BULK-DATA
class-map match-all SCAVENGER
 match access-group name SCAVENGER
class-map match-all DEFAULT
 match access-group name DEFAULT
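
With the access lists as listed on this page, VVLAN-VOICE and MULTIMEDIA-CONFERENCING permit the identical UDP range, so the class a packet lands in depends on evaluation order. The following check is an added example, not part of the original page or of Cisco's SRND; it assumes classes are evaluated in the order shown and that the first matching class wins, and the names `parse_acls`, `covers` and `shadowed` are illustrative.

```python
# ACLs copied from the page for four of its classes (remark lines omitted).
ACLS = """\
ip access-list extended VVLAN-VOICE
 permit udp any any range 16384 32767
ip access-list extended MULTIMEDIA-CONFERENCING
 permit udp any any range 16384 32767
ip access-list extended SIGNALING
 permit tcp any any range 5060 5061
 permit udp any any range 5060 5061
ip access-list extended DEFAULT
 permit ip any any
"""
# Relative class order in the page's policy-map (assumed: first match wins).
ORDER = ["VVLAN-VOICE", "MULTIMEDIA-CONFERENCING", "SIGNALING", "DEFAULT"]

def parse_acls(text):
    """Return {acl: [(proto, lo_port, hi_port), ...]} for numeric-port permits."""
    acls, current = {}, None
    for tok in (raw.split() for raw in text.splitlines()):
        if tok[:3] == ["ip", "access-list", "extended"]:
            current = acls.setdefault(tok[3], [])
        elif tok[:1] == ["permit"] and current is not None:
            lo, hi = 0, 65535                  # no port qualifier: all ports
            if "range" in tok:
                i = tok.index("range")
                lo, hi = int(tok[i + 1]), int(tok[i + 2])
            elif "eq" in tok:
                lo = hi = int(tok[tok.index("eq") + 1])
            current.append((tok[1], lo, hi))
    return acls

def covers(a, b):
    """True when entry a matches every packet that entry b matches."""
    return a[0] in ("ip", b[0]) and a[1] <= b[1] and b[2] <= a[2]

def shadowed(acls, order):
    """Map each class that can never match to the earlier class hiding it."""
    hidden = {}
    for i, name in enumerate(order):
        for earlier in order[:i]:
            if all(any(covers(a, b) for a in acls[earlier]) for b in acls[name]):
                hidden[name] = earlier
                break
    return hidden

if __name__ == "__main__":
    for name, earlier in shadowed(parse_acls(ACLS), ORDER).items():
        print(f"{name}: never matches, every entry is covered by {earlier}")
```

A class reported here never receives traffic, so its marking and policer have no effect until its match criteria are made distinct from the earlier class, for example by the voice VLAN ID that the text above mentions.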

 

Policy-Maps

Policy-Maps are created in order to take action on traffic within a class. In these examples, the policers assume that the voice-only calls will use G.711 and that video calls will not exceed 384k. If a voice codec with a higher bandwidth were used, such as G.722, the policer for the voice class would need to be altered to 320k, instead of 128k.

policy-map PER-PORT-POLICING
 class VVLAN-VOICE
  set dscp ef
  police 128k 8000 exceed-action drop
 class VVLAN-SIGNALING
  set dscp cs3
  police 32k 8000 exceed-action drop
 class MULTIMEDIA-CONFERENCING
  set dscp af41
  police 5m 8000 exceed-action drop
 class SIGNALING
  set dscp cs3
  police 32k 8000 exceed-action drop
 class TRANSACTIONAL-DATA
  set dscp af21
  police 10m 8000 exceed-action policed-dscp-transmit
 class BULK-DATA
  set dscp af11
  police 10m 8000 exceed-action policed-dscp-transmit
 class SCAVENGER
  set dscp cs1
  police 10m 8000 exceed-action drop
 class DEFAULT
  set dscp default
  police 10m 8000 exceed-action policed-dscp-transmit
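
The policed-dscp map only marks down the DSCP values it lists, so a class that uses exceed-action policed-dscp-transmit needs its own DSCP in that map. The following audit is an added example, not part of the original page; it assumes the markdown is applied to the DSCP the class sets and that values missing from the map pass through unchanged (the switch default), and the function names are illustrative.

```python
# Standard DSCP code points for the names used in the policy-map.
DSCP = {"default": 0, "cs1": 8, "af11": 10, "af21": 18,
        "cs3": 24, "af41": 34, "ef": 46}
POLICED_MAP = "mls qos map policed-dscp 0 24 26 34 to 8"   # line from the page
# Five of the page's classes, covering both exceed-actions it uses.
POLICY = """\
policy-map PER-PORT-POLICING
 class VVLAN-VOICE
  set dscp ef
  police 128k 8000 exceed-action drop
 class SIGNALING
  set dscp cs3
  police 32k 8000 exceed-action drop
 class TRANSACTIONAL-DATA
  set dscp af21
  police 10m 8000 exceed-action policed-dscp-transmit
 class BULK-DATA
  set dscp af11
  police 10m 8000 exceed-action policed-dscp-transmit
 class DEFAULT
  set dscp default
  police 10m 8000 exceed-action policed-dscp-transmit
"""

def parse_policed_map(line):
    """Return {source_dscp: marked_down_dscp} from the map command."""
    tok = line.split()
    to = tok.index("to")
    return {int(src): int(tok[to + 1]) for src in tok[4:to]}

def parse_policy(text):
    """Return [(class_name, set_dscp, exceed_action), ...] in policy order."""
    classes, name, dscp = [], None, None
    for tok in (raw.split() for raw in text.splitlines()):
        if tok[:1] == ["class"]:
            name = tok[1]
        elif tok[:2] == ["set", "dscp"]:
            dscp = DSCP[tok[2]]
        elif tok[:1] == ["police"]:
            classes.append((name, dscp, tok[-1]))
    return classes

def markdown_gaps(classes, policed):
    """Classes whose excess traffic is transmitted with its DSCP unchanged."""
    return [(name, dscp) for name, dscp, action in classes
            if action == "policed-dscp-transmit" and policed.get(dscp, dscp) == dscp]

if __name__ == "__main__":
    for name, dscp in markdown_gaps(parse_policy(POLICY), parse_policed_map(POLICED_MAP)):
        print(f"{name}: excess traffic keeps DSCP {dscp}, not marked down")
```

Under those assumptions, out-of-profile TRANSACTIONAL-DATA and BULK-DATA traffic keeps AF21 and AF11 instead of dropping to scavenger, while DEFAULT is marked down to DSCP 8 as the Policers section intends.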

 

IP Phone and PC Ports

In order to enforce the classifications and policies, the policy-map must be applied to the ingress of all IP Phone and PC ports.

Switch(config)#int fx/y
Switch(config-if)#wrr-queue bandwidth 5 25 70 1
Switch(config-if)#wrr-queue cos-map 1 1
Switch(config-if)#wrr-queue cos-map 2 0
Switch(config-if)#wrr-queue cos-map 3 2 3 4 6 7
Switch(config-if)#wrr-queue cos-map 4 5
Switch(config-if)#priority-queue out
Switch(config-if)#mls qos trust device cisco-phone
Switch(config-if)#service-policy input PER-PORT-POLICING


Mohammed Anwarul Islam
