In this example we want to apply a policer to each individual phone at a branch office so that each phone can only produce enough bandwidth for 1 g711/g722 audio call. Non-conforming voice traffic (RTP packets above the 93Kbps used for that single g711/g722 audio call) will be dropped. The idea here is there must be something sinister going on if a phone is producing more than 1 calls worth of traffic and we want to protect our network by dropping this sinister traffic at the source. The other requirements are that video traffic from each individual phone is policed to 1Mbps and signaling is policed to 24kbps. In both of these cases we won’t drop the non-conforming traffic but instead mark down the layer 3 DSCP Per Hop Behavior to a lower priority (CS1 or DSCP 8).
Now to the interesting part. Whereas we can apply a service-policy to a port on the 3750/3560 we are using at HQ-SW, we want to achieve the policing requirement on the gateways that are using an Etherswitch module. Here it is not possible to apply a service-policy to the port. We must apply the policy to the SVI but still maintain the per device policer.
Here are some of the restrictions and considerations we have to bear in mind.
– You cannot put a service-policy on the switchports on a EHWIC-4ESG-P.
– You can put a service-policy on the SVI.
– You must police in a child policy-map.
We are going to have to use a hierarchical policy-map in order to achieve our objective of policing. In other words a policy-map called from within another policy-map.
On our branch gateway R3:
There is no way to enable “mls qos” on the branch routers.
Our class-maps define how we match traffic coming in from the phones. The phone sends traffic with appropriate markings by default (can be customized in UCM Enterprise and Service Parameters on UCM and voice register / telephony-service on CME). The switch can classify traffic in a service-policy before anything happens to those markings. So we don’t need an ACL to search on appropriate port numbers.
class-map match-all VIDEO match ip dscp af41 class-map match-all VOICE match ip dscp ef class-map match-all SIG match ip dscp cs3
We need the policer to be applied to each phone- we must not police a collection of phones but each individual phone. So create the following class-maps:
class-map match-all sitec-p1 match source-address mac 0011.2222.3333 class-map match-all sitec-p2 match source-address mac 0011.4444.5555
Now we must add a policy-map to police each individual class. Remember- the policer must be in a child policy so these policers have to be invoked from a “parent” policy-map.
policy-map POLICE-SIG class sitec-p1 police 24000 8000 conform-action transmit exceed-action set-dscp-transmit cs1 class sitec-p2 police 24000 8000 conform-action transmit exceed-action set-dscp-transmit cs1 ! policy-map POLICE-VIDEO class sitec-p1 police 1000000 8000 conform-action transmit exceed-action set-dscp-transmit cs1 class sitec-p2 police 1000000 8000 conform-action transmit exceed-action set-dscp-transmit cs1 ! policy-map POLICE-VOICE class sitec-p1 police 93000 8000 conform-action transmit exceed-action set-dscp-transmit cs1 class sitec-p2 police 93000 8000 conform-action transmit exceed-action set-dscp-transmit cs1
Now let’s add our parent policy-map. For each VOICE, VIDEO and SIGNALING we are going to set the dscp (to avoid the implicit “set dscp 0”) and because we have to perform some kind of action. Then once the setting of DSCP has been performed we shall invoke the “per-phone” policer.
The default class which catches “other traffic” doesn’t have a policer- we are just marking to DSCP 0 or best effort.
policy-map PARENT class VOICE set dscp ef service-policy POLICE-VOICE class VIDEO set dscp af41 service-policy POLICE-VIDEO class SIG set dscp cs3 service-policy POLICE-SIG class class-default set dscp default
We should apply this service-policy on the Voice SVI on R2.
int vlan 502 service-p in PARENT
Verification
Call from Site C Phone 2 to 2001. You will see packets in the class for Site C Phone 2 and no packets in the class for Site C Phone 1.
A nice trick is to bring policed rate for voice traffic (for the specific device) down to a low rate and then you will be able to see the policer in action (dropping packets). We will bring the rate down t 10kbps.
policy-map POLICE-VOICE class sitec-p1 police 10000 8000 conform-action transmit exceed-action drop
Now make a call from this specific device and check the policer.
Remember to put your policed rate back to the original value! And there you have it, a policer for each individual device on an Etherswitch module.
Vik Malhi, CCIE#13890
Facebook: https://www.facebook.com/VikMalhi
Twitter: @vikmalhi
With this configuration, SiteC voice traffic intera-site calls won’t be policed because it does not transit the SVI??
@cciecollab2k14 – with the EHWIC the service-policy on the SVI is always processed . So calls between two devices locally connected , a call from a device in/out of the ISDN PRI and obviously calls over the WAN to HQ and Site B will all be subject to the marking and policing configured in the policy within the SVI.
I had the same thought btw- and had to test and prove before making such bold statements!
I am not trying to make bold statements and have no reason to do so. I made to comments because I found your article interesting and would like to understand more.
I meant intra-site calls (between SiteC Phone 1 and SiteC Phone 2) and traffic is not transiting the SVI.
Your configuration will work for the following:
– Voice call between SiteC and HQ/SiteB but what if codec is iLBC or G729. the policy will allow more than 3x calls.
– Voice calls from SiteC to PSTN
– Video call between SiteC/HQ
But what about:
– Signaling between SiteC phones and CME??
– voice traffic between SiteC phones
– Data traffic between switched locally on the EHWIC.
correction: the policy will allow more than 1x calls if other codec than g711 is negotiated (between sitec and SB/HQ). so when 93k (max 1 G711 call) will come into play?
This is not a CAC function, whilst it is w.r.t. QOS so the important thing is the total rate used by the phone instantly.
93 kbps is obviously more than 1 call when low bit rate codecs are used. You have to take the worst case. As Shady says- it is not CAC so # of calls is not something that makes sense. Rather the total value.
@ cciecollab2k14
– signaling between SC and CME – the policy-map within the SVI is invoked and hence the policer is active.
– voice traffic between 2 x SC phones- the policy-map within the SVI is invoked and hence the policer is active.
– For data traffic we would need a policy-map/policer on the data SVI.
hello Vlk,
thanks for sharing this solutions. Please tell me how You count 93Kbps for g711/g722 call?
best regards
P.
You can find some discussion around the value in this post + comment.
https://www.collabcert.com/blog/qos/how-much-bandwidth-does-1-call-consume/
Hi Vik,
awesome post, just one question, instead of matching phones per mac’s could we use ports ?
class-map phone-ports
match input-interface Gig 0/0/0 – 0/0/1
I know this would work on 3750
Thanks,
What is your opinion guys of applying service-policy for output RTP streams as well?
Something like that:
!
int vlan 502
service-p in PARENT
service-p out PARENT1
!
where PARENT1 is another service-policy which control outgoing RTPs from switch card
As I see in provided solution only incoming RTP streams from IP phones are influenced by service policy PARENT.
you don’t really want to police packets going to the phone (destination) – only at the source (from phones). policing at the destination is a little pointless as that would mean you are dropping a packet that has traversed your network and reached its destination only to be dropped at the very end.