[cisco-voip] Configure Cisco 871 Branch Office VoIP
Linsemier, Matthew
MLinsemier at apcapital.com
Tue Nov 21 14:08:19 EST 2006
Manoj,
The real question is how many calls do you envision traversing this link
and what codec will you be using.
You can adjust your policy as follows to adjust to the recommended <35%
LLQ.
policy-map AutoQoS-Policy-Trust
 class AutoQoS-VoIP-RTP-Trust
  priority percent 35
This will give you around 700k prioritized for voice traffic. Using
20ms packets at 50pps you can fit roughly 6-8 calls at g.711 (80kbps -
106kbps per call) or 16-25 calls at g.729 (28kbps - 43kbps).
I don't remember the exact reasoning on why Cisco recommends keeping the
priority queue < 35%. If anyone can refresh my memory I would appreciate
it.
Matt
________________________________
From: Lead Solution [mailto:lead.solution at gmail.com]
Sent: Monday, November 20, 2006 10:38 PM
To: Linsemier, Matthew
Cc: cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] Configure Cisco 871 Branch Office VoIP
Hi Matthew,
Thank you for your reply.
I have a 2MB ADSL connection at the branch office where the 871 is located.
Regarding the IOS firewall, as this is still not in production I will
configure it once I get all the other issues sorted out. The QoS was
automatically generated as part of the auto qos voip trust command on the
interface, and I have added the parts below:
policy-map Shape-2MB
 class class-default
  shape average 2000000
  service-policy AutoQoS-Policy-Trust
Which changes do you recommend to keep my Priority Queue / LLQ < 35% of
total bandwidth?
Thanks again everyone, I would greatly appreciate your comments when you
have time.
Manoj
On 11/21/06, Linsemier, Matthew <MLinsemier at apcapital.com> wrote:
Manoj,
Can you provide a few more details?
* Is this a public or private circuit?
* Is this a symmetrical 2mb link?
Some things to look at:
* No IOS firewall has been enabled (if this is a public link, you
will want to do this)
* As a best practice Cisco states that you should keep your
Priority Queue / LLQ < 35% of total bandwidth
* As a security best practice you may want to disable telnet and
http and stick with ssh and https
* If you want to track MoS and other IP voice related statistics,
you may want to implement IP SLA
Matt
________________________________
From: cisco-voip-bounces at puck.nether.net
[mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Lead Solution
Sent: Monday, November 20, 2006 10:39 AM
To: cisco-voip at puck.nether.net
Subject: [cisco-voip] Configure Cisco 871 Branch Office VoIP
Hi All,
Below is the configuration of one of our branch office VoIP routers.
I would like to share it with you guys and see whether someone can
suggest a better VLAN and QoS configuration. Also, I have policy map 2MB
applied to FastEthernet 4 and the Tunnel. Is this right?
I would greatly appreciate your comments.
Best regards,
Manoj
Building configuration...
Current configuration : 7520 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname XXXXX_871
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable password xxxxxxxx
!
aaa new-model
!
!
!
aaa session-id common
!
resource policy
!
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.5.1 192.168.5.99
ip dhcp excluded-address 192.168.5.151 192.168.5.254
ip dhcp excluded-address 172.198.10.1 172.198.10.99
ip dhcp excluded-address 172.198.10.151 172.198.10.254
!
ip dhcp pool VLAN10
network 172.198.10.0 255.255.255.0
default-router 172.198.10.1
domain-name xxxx.com
dns-server 211.129.14.134
lease 7
!
ip dhcp pool VLAN20
network 192.168.5.0 255.255.255.0
default-router 192.168.5.1
domain-name xxxx.com
dns-server 211.129.14.134
option 150 ip 172.16.0.10
lease 7
!
!
no ip domain lookup
ip domain name xxxx.com
!
!
crypto pki trustpoint TP-self-signed-1440134037
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1440134037
revocation-check none
rsakeypair TP-self-signed-1440134037
!
!
crypto pki certificate chain TP-self-signed-1440134037
certificate self-signed 01
3082024A 308201B3 A0030201 02020101 300D0609 2A864886 F70D0101
04050030
quit
username pbxl privilege 15 secret 5 $1$Ce8g$9S4kDri6Yyg2gBCVSS1LI0
!
!
class-map match-any AutoQoS-VoIP-RTP-Trust
match ip dscp ef
class-map match-any AutoQoS-VoIP-Control-Trust
match ip dscp cs3
match ip dscp af31
!
!
policy-map AutoQoS-Policy-Trust
class AutoQoS-VoIP-RTP-Trust
priority percent 70
class AutoQoS-VoIP-Control-Trust
bandwidth percent 5
class class-default
fair-queue
policy-map Shape-2MB
class class-default
shape average 2000000
service-policy AutoQoS-Policy-Trust
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 6 xxxxxx address 210.181.112.194 no-xauth
!
!
crypto ipsec transform-set XXXLKAMIYA esp-3des esp-md5-hmac
!
crypto ipsec profile GREPRO
set transform-set XXXLKAMIYA
!
!
!
!
!
interface Tunnel0
bandwidth 2000
ip address 10.0.20.2 255.255.255.0
tunnel source Dialer0
tunnel destination 210.181.112.194
tunnel mode ipsec ipv4
tunnel protection ipsec profile GREPRO
service-policy output Shape-2MB
!
interface FastEthernet0
description ********** PC/VoIP **********
switchport trunk native vlan 10
switchport mode trunk
switchport voice vlan 20
auto qos voip trust
spanning-tree portfast
service-policy output AutoQoS-Policy-Trust
!
interface FastEthernet1
description ********** PC/VoIP **********
switchport trunk native vlan 10
switchport mode trunk
switchport voice vlan 20
auto qos voip trust
spanning-tree portfast
service-policy output AutoQoS-Policy-Trust
!
interface FastEthernet2
description ********** PC/VoIP **********
switchport trunk native vlan 10
switchport mode trunk
switchport voice vlan 20
auto qos voip trust
spanning-tree portfast
service-policy output AutoQoS-Policy-Trust
!
interface FastEthernet3
description ********** PC/VoIP **********
switchport trunk native vlan 10
switchport mode trunk
switchport voice vlan 20
auto qos voip trust
spanning-tree portfast
service-policy output AutoQoS-Policy-Trust
!
interface FastEthernet4
bandwidth 2000
no ip address
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1452
duplex auto
speed auto
pppoe enable
pppoe-client dial-pool-number 1
service-policy output Shape-2MB
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 172.198.1.1 255.255.255.0
!
interface Vlan10
description Data Vlan 1
ip address 172.198.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Vlan20
description Voice Vlan 1
ip address 192.168.5.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Dialer0
bandwidth 2000
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname xxxxxx8 at ffa.xxx.xxx.com
ppp chap password 0 xxxx93
ppp pap sent-username xxxxxx8 at ffa.xxx.xxx.com password 0 cyum93
!
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 172.16.0.0 255.255.0.0 Tunnel0
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
!
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 1 permit 172.198.10.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
control-plane
!
rmon event 33333 log trap AutoQoS description "AutoQoS SNMP traps for Voice Drops" owner AutoQoS
rmon alarm 33333 cbQosCMDropBitRate.18.3164929 30 absolute rising-threshold 1 33333 falling-threshold 0 owner AutoQoS
rmon alarm 33334 cbQosCMDropBitRate.34.5364641 30 absolute rising-threshold 1 33333 falling-threshold 0 owner AutoQoS
rmon alarm 33335 cbQosCMDropBitRate.50.14618161 30 absolute rising-threshold 1 33333 falling-threshold 0 owner AutoQoS
rmon alarm 33336 cbQosCMDropBitRate.66.2065329 30 absolute rising-threshold 1 33333 falling-threshold 0 owner AutoQoS
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this
device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a
privilege level of 15.
Please change these publicly known initial credentials using SDM or the
IOS CLI.
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you
want to use.
For more information about SDM please follow the instructions in the
QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
no modem enable
line aux 0
line vty 0 4
length 0
transport input telnet ssh
!
scheduler max-task-time 5000
end
________________________________
CONFIDENTIALITY STATEMENT
This communication and any attachments are CONFIDENTIAL and may be
protected by one or more legal privileges. It is intended solely for the
use of the addressee identified above. If you are not the intended
recipient, any use, disclosure, copying or distribution of this
communication is UNAUTHORIZED. Neither this information block, the typed
name of the sender, nor anything else in this message is intended to
constitute an electronic signature unless a specific statement to the
contrary is included in this message. If you have received this
communication in error, please immediately contact me and delete this
communication from your computer. Thank you.
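Added example, not part of the original thread or anyone's posted code: a Python sketch that derives the priority-queue bandwidth from the nested Shape-2MB / AutoQoS-Policy-Trust policy, estimates call capacity from the per-call figures quoted in the reply, and flags the review points raised (LLQ share, telnet, HTTP). The function names, the constructed sample and the choice to flag only values above 35 are assumptions made for this illustration.

```python
import re

# Constructed sample: lines copied from the configuration posted in the thread.
SAMPLE_CONFIG = """\
policy-map AutoQoS-Policy-Trust
class AutoQoS-VoIP-RTP-Trust
priority percent 70
class AutoQoS-VoIP-Control-Trust
bandwidth percent 5
policy-map Shape-2MB
class class-default
shape average 2000000
service-policy AutoQoS-Policy-Trust
ip http server
ip http secure-server
line vty 0 4
transport input telnet ssh
"""

# Per-call kbps ranges as quoted in the reply (20 ms packets at 50 pps).
CODEC_KBPS = {"g711": (80, 106), "g729": (28, 43)}
LLQ_LIMIT_PERCENT = 35  # guideline cited in the thread (assumed: flag only above it)

def llq_kbps(config, percent=None):
    """Return (priority percent, shaped kbps, LLQ kbps) for the shaped parent policy."""
    shape = int(re.search(r"^\s*shape average (\d+)", config, re.M).group(1))
    if percent is None:
        percent = int(re.search(r"^\s*priority percent (\d+)", config, re.M).group(1))
    return percent, shape // 1000, shape * percent // 100 // 1000

def call_capacity(kbps):
    """Calls fitting in the priority queue per codec: (worst case, best case)."""
    return {c: (kbps // hi, kbps // lo) for c, (lo, hi) in CODEC_KBPS.items()}

def audit(config):
    """List findings that correspond to the review points raised in the thread."""
    findings = []
    percent, _, _ = llq_kbps(config)
    if percent > LLQ_LIMIT_PERCENT:
        findings.append(f"priority percent {percent} exceeds {LLQ_LIMIT_PERCENT}")
    if re.search(r"^\s*ip http server\s*$", config, re.M):
        findings.append("plain HTTP management server enabled")
    if re.search(r"^\s*transport input .*\btelnet\b", config, re.M):
        findings.append("telnet allowed on vty lines")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
    print(call_capacity(llq_kbps(SAMPLE_CONFIG, percent=35)[2]))
```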