[cisco-voip] DMVPN and QOS implementation

Linsemier, Matthew MLinsemier at apcapital.com
Fri Sep 29 12:19:51 EDT 2006


Manoj,

Here is our head-end configuration that we use.  We have a 6MB Internet
link at this time which is also shared among browsing.  We are using a
PacketShaper to prioritize the IPSec traffic above others in the pipe
and using QoS in the routers to prioritize what's in the tunnel.  If
anyone has suggestions for my configuration as well, please advise.

class-map match-any Voice
 match ip dscp ef 
class-map match-any Control
 match ip dscp cs3 
 match ip dscp af31

policy-map DMVPN_QoS
 class Voice
  priority percent 70
 class Control
  bandwidth percent 5
 class class-default
  fair-queue
  random-detect
policy-map Shape-6M
 class class-default
  shape average 6144000
  service-policy DMVPN_QoS

interface GigabitEthernet0/1
 bandwidth 6144
 ip address X.X.X.X X.X.X.X
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect IOS_FW in
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
 service-policy output Shape-6M

Matt


-----Original Message-----
From: cisco-voip-bounces at puck.nether.net
[mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Manoj Kalpage
Sent: Friday, September 29, 2006 11:32 AM
To: cisco-voip at puck.nether.net
Subject: [cisco-voip] DMVPN and QOS implementation

Hi all,
We have a hosted PBX system which is located in a data centre and we have
a dedicated 1MB internet connection. At present we only have four remote
sites and all of them have high speed ADSL connections for both their
data and voice. Each site has 4 to 5 phones. We used to use PIX 515 at
Data centre and PIX 501 at remote sites. As we were experiencing voice
quality issues we moved to Cisco 2821 at Data centre and 800 series at
remote sites. I have configured DMVPN using GRE over IPSec for our VPN
network. All the tunnels are up and seem to be working fine so far, but
I am just wondering whether I have the right QoS configuration at the
HeadEnd Router. As I am a newbie to QoS, I have referred to various Cisco
documentation to configure the DMVPN and QoS below for our head end
router. Since we don't have data transactions at the HeadEnd site I think
I can use 75% of the bandwidth for voice itself.  Can someone help me
figure out the QoS requirements for my network environment?

Thank you in advance,

Best regards
Manoj

---------------------------------------------------------------------------
Building configuration...

Current configuration : 5063 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PBXLGATE01
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
ip cef

!
ip domain name yourdomain.com
!
!
crypto pki trustpoint TP-self-signed-2723000426
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2723000426
 revocation-check none
 rsakeypair TP-self-signed-2723000426
!
!
crypto pki certificate chain TP-self-signed-2723000426
 certificate self-signed 01
  30820251 308201BA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  quit
username xxxx privilege 15 secret 5 @#@#@@@GlPb96SyZxV6Q0
!
!
class-map match-all VOICE
 match ip dscp ef
class-map match-all SCAVENGER
 match ip dscp cs1
class-map match-any INTERNETWORK-CONTROL
 match ip dscp cs6
 match access-group name IKE
class-map match-any CALL-SIGNALING
 match ip dscp cs3
 match ip dscp af31
!
!
policy-map V3PN-EDGE
 class VOICE
  priority percent 55
 class CALL-SIGNALING
  bandwidth percent 5
 class INTERNETWORK-CONTROL
  bandwidth percent 5
 class SCAVENGER
  bandwidth percent 1
  queue-limit 1
 class class-default
  bandwidth percent 9
  queue-limit 16
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key 6 G0G0G0G0 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set PBXL esp-3des esp-md5-hmac
!
crypto ipsec profile PBXL
 set security-association lifetime seconds 120
 set transform-set PBXL
!
!
interface Tunnel0
 ip address 10.10.1.1 255.255.255.0
 no ip redirects
 ip mtu 1440
 ip nhrp authentication xxxxxxxx
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip tcp adjust-mss 1360
 qos pre-classify
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile PBXL
!

interface FastEthernet0/0
 description Connect to Verizon Network
 bandwidth 1000
 ip address 222.222.222.222 255.255.255.192
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 service-policy output V3PN-EDGE
!
interface FastEthernet0/1
 ip address 192.168.4.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
router eigrp 90
 network 10.0.0.0
 network 172.16.0.0 0.0.0.255
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 222.222.222.222
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 1000
ip nat inside source list 1 interface FastEthernet0/0 overload
!
ip access-list extended IKE
 permit udp any eq isakmp any eq isakmp
!
access-list 1 permit 192.168.4.0 0.0.0.255
!
!
control-plane
!
!
line con 0
 login local
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input ssh
!
scheduler allocate 20000 1000
end

PBXLGATE01# 
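
Added example, not part of either poster's message or of any Cisco tool: a short Python check that reads the policy-map and service-policy lines of both configurations in this thread and reports, per interface, whether the attached policy sits under a parent shaper and how much bandwidth its classes reserve. The function name, the report keys and the 75 percent limit (taken here as the default max-reserved-bandwidth) are assumptions of the example; the sample text is condensed from the configs above.

```python
from collections import defaultdict

# Constructed sample: policy-map and interface lines condensed from the two configs above.
SAMPLE = """\
policy-map DMVPN_QoS
 class Voice
  priority percent 70
 class Control
  bandwidth percent 5
policy-map Shape-6M
 class class-default
  shape average 6144000
  service-policy DMVPN_QoS
policy-map V3PN-EDGE
 class VOICE
  priority percent 55
 class CALL-SIGNALING
  bandwidth percent 5
 class INTERNETWORK-CONTROL
  bandwidth percent 5
 class SCAVENGER
  bandwidth percent 1
 class class-default
  bandwidth percent 9
interface GigabitEthernet0/1
 service-policy output Shape-6M
interface FastEthernet0/0
 service-policy output V3PN-EDGE
"""

def audit(cfg, max_reserved=75):  # 75: assumed default max-reserved-bandwidth
    pols = defaultdict(lambda: {"pct": 0, "shape": None, "child": None})
    attached, kind, name = {}, None, None
    for line in filter(str.strip, cfg.splitlines()):
        w = line.split()
        if not line[0].isspace():                 # top-level command: new context
            kind, name = w[0], w[-1]
        elif kind == "policy-map" and w[:2] in (["priority", "percent"], ["bandwidth", "percent"]):
            pols[name]["pct"] += int(w[2])        # sum every class reservation
        elif kind == "policy-map" and w[:2] == ["shape", "average"]:
            pols[name]["shape"] = int(w[2])       # parent shape rate in bit/s
        elif kind == "policy-map" and w[0] == "service-policy":
            pols[name]["child"] = w[1]            # nested queueing policy
        elif kind == "interface" and w[:2] == ["service-policy", "output"]:
            attached[name] = w[2]
    pct = lambda t: pols[pols[t]["child"] or t]["pct"]  # classes live in the child when nested
    return {i: {"shaped_bps": pols[t]["shape"], "reserved_pct": pct(t),
                "over_limit": pct(t) > max_reserved} for i, t in attached.items()}
```

For the sample, FastEthernet0/0 reports `shaped_bps` as `None`: V3PN-EDGE is attached directly, so its percentages are taken from the interface `bandwidth` statement, while DMVPN_QoS takes them from the 6144000 bit/s shape rate of its Shape-6M parent.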



