Cisco: Mark voice packets at the network edge

You know how Cisco always advise to mark the packet as close to the your network edge as you can? Even more you can find a lot of example where Cisco show how to trust the packets directly on the access switch, but not all the time you can do this.

First because not everybody has devices that mark correct packets (like Cisco IP Phones) but we still have to deal somehow with packet marking as maybe your provider treat packets different on their backbone based on their marking.

In this idea what I’m taking care the most are the voice packets as usually this has to be prioritized on the network. Let’s face it, if you have a TCP connection and some FTP packet are retransmitted you don’t notice this too much, but if you have delay on your phone conversation with your boss, that it’s not so good.

Please have a look at the topology below:

In this scenario we have a Voice server and some IP Phones (I know they look like Cisco IP phone, but pretend they are not) connected to the access switch. Let’s assume that  we cannot trust marking on this packets as they arrive from this devices.

Here we run into one of the two issues. First if we trust the marking on the access port, than we don’t know what we are stuck with. If we don’t trust them, then the packets header DiffServ (TOS) bits are rewrite with a value of zero making no difference between voice packets and regular ones.

My solution is the following. I’m not saying that’s the only solution or the best, but it’s working:

On the access switch:

1. enable globally:

mls qos

2. configure and access-list that match the voice packet; this is a very general list:

access-list 101 permit udp any any range 16384 32767
access-list 101 permit udp any range 16384 32767 any
access-list 101 permit udp any any range 5060 5061
access-list 101 permit udp any range 5060 5061 any

3. match the access-list in a class-map

class-map match-all VOIP
match access-group 101

4.configure a policy-map with the class-map above and set the DSCP value to EF (decimal 46) or COS or whatever you need

policy-map ASTERISK
class VOIP
set dscp ef

5.on the access port configure the service-policy direction inbound

int x/y
service-policy input ASTERISK

6.on all trunks from your access switch to your first Layer 3 device trust this DSCP  value (or what you have set, as now we are sure what values we set) with:

mls qos trust dscp

Let me know if it’s working!

Cisco tips: Track down communication issues – Part 2

In the 1st Part of this series, I’ve described the most common steps that you should follow to troubleshoot a total lack of communication between a Layer 2 device (Cisco switch) and an end user connected device. As I promised here is the second part, in which I’ll try to show you what you can check when you have no problem with connection, but still you encounter a degradation in service. By this degraded service, I understand a scenario when you have packet loss for example, or intermitent connection which will affect communication and more than sure will make user users not very happy.

We will stick with the same scenario when a end user device is connected to a Cisco switch. Remember that until now, we just troubleshoot at the Layer 1 and Layer 2. Today we will stick in the same area, so nothing directly related to IP, routing protocols or complex networking environment.

Scenario 2: You have an end device connected to a switch and you have degraded communication

a) Check for errors on the interface:

In this example there is no errors, but if you find something there, you may want to keep an eye on this port. Try to issue the above command couple of times to see if the errors are increasing in real time, as this is the worst case possible and you should take action immediately. Error on the interface can be caused by faulty interface on the switch or on the other end, ethernet cable issue or wrong configuration

b) Check the interface queue and drop packets

Interface queue is very important and you should check it during your troubleshooting process. With the above command you can see how many packets are in the input / output queue, which is the transmit and receive rate and very important if you have packets dropped from input and output queue. Usually this happens when there is a lot of load on the switch and it cannot process as quick as it’s needed all the packets. This lead us to the next step.

c) Check the CPU load on the switch

The command output is longer but most interesting for this example are the first 2 rows which show load in 60 seconds and in 60 minutes. If you have there peaks up to 100, then it’s bad and the device is having some issues that need to be fixed.

d) Identify what process is keeping the CPU busy

Most of the time, this is easy to read and to see what process is taking all your CPU power. When you see there Fifo Error Detection with 100% than you have to think that maybe there is something wrong with the queue on one of the interfaces and try to find which one is having problem. This is not straighforward and you have to check a lot of things, but can be helpful. To be honest, I see a lot of engineers just reloading the device and then problem is solved (if it was due to a hardware issue and not a configuration mistake).

e) Check for memory issue on the switch

Again, if you run out of memory, bad things can happend to your device and as well to the communication with device connected to the switch. Reloading of the device solved about 90% of this kind of problems. I don’t recommend just unplug the power cable as soon as you see a memory problem. First have a look, maybe there is something you can fix without reloading the device.

f) Check for problems with storm-control implementation

In one of previous posts I have explained how you can use storm-control to limit the available bandwidth on a Cisco switch interface. In the example above I set this bandwidth to 1 % from the available one gigabit (I know is stupid, but imagine a typo mistake). Imagine what effect will this have on the traffic. Everything above 1 % is keeped in the queue until this is full and then silent discarded.

e) As a general rule, have a look into the logs (maybe this should be first step!)

If there are a lot of Spanning-tree reconfiguration, interface flapping or anything else that looks suspicious, be sure to check on this as you can find there the root cause for your problems.

Do you have any other tips in regard to this topic? Anything else you check and can be added here? Be sure to comment below and your suggestion will be taken into consideration.

Cisco tips: Track down communication issues – Part 1

You know how sometimes you plug in everything, configure device / ports and then the un-expected result is “not working”. Then you start to troubleshoot, which is a good point, but very important is where are you looking for the root cause of your issue.

A lot of people who have communication issue start by issuing a ping from one end to the other one. This is a good approach when somebody is reporting service issue (e.g. my webserver doesn’t work) as with the ping you can see immediately if is a communication issue or a server one. This scenario ussualy occurs when you already have a working environment and after a while somebody encounter a service issue.

Instead when you just deployed a new connection and you are having issue with it, ping is not the best approach. In the following article I will try to show you some good steps proven to be effective when you start troubleshooting. For today I will take as example a faulty communication between a Cisco switch and an end device (server or user device). This involes in the first step basic Layer 2 troubleshooting.

Scenario 1: You have an end device connected to a switch and you have no communication

a) Check the interface connection status:

OK – port is connected and protocol shows up status

Not OK – check the faulty port as it is in shutdown state

Not OK – port is not connected, protocol shows down status
You can check for cable error (damage, faulty plug, unplugged) or ask the owner of the remote device to check it.

If you found any error in the above step, try to fix them now. If the interface is connected, but still not working, follow on to the next steps.

b) Check speed and duplex settings
-if you have auto-negotiation here and it fails, you will end with an interface in down status
-again if you have static settings here, check to be the same on both sides.
-for more pro and cons regarding auto-negotiation vs static, please see Greg Ferro’s article

c) Check the interface switchport configuration:

There is no right and wrong configuration here, but I can point you to check the following:
– very important, check if the access VLAN is the right one
– if you have switchport auto-negotiation enabled, check to see that this is correctly achieved
– if you have switchport static configuration, check to have the correct settings for your needs
– if you need trunking (to an end device), check to allow the necessary VLANs on that trunk
– if you use private VLANs, pay attention to the configuration of primary and secondary vlan and right association

d) Check security on the Access port (BPDU guard, port-security, mac-address access-list…):

– port is in shutdown state due to Security Violation (1); The mac-address that you see there is the one coming to the port from the other end, but also you can see that there is a Configured Mac Address (1) on the port; Most probably the one configured on the port does not match the one from the network.

-if the result is like above one, you may want to check if that mac-address access-list allow communication from end device mac-address

– if your interface status is like this, you might have an issue with spanning-tree BPDUguard being enabled on the interface; I know I said that this is end device connected, but what if the user needed an extra port, and he connected there a switch? You always have to assume what’s the worst and check for possible issue.

f) Check the Spanning-tree protocol on the switch port

– your output might look different than the above one, but be sure to have there FWD (Forwarding) status if the port is connected to an end device.
– again it is very rare not to be in FWD status, but if the device has some strange bridging capabilities or user added another device in the middle, like a switch than you can identify a problem with Spanning-tree.

This are the basic stuff that I checked in regard to Layer 2 topology when I have no communication to the end host. In the next part, I will do a short presentation of the scenario when you have communication to end device, but the connection encounter traffic deprecation.

Check the 2nd Part of this series which deals with communication deprecation at Layer 2.

Do you have any other tips in regard to this topic? Anything else you check and can be added here? Be sure to comment below and your suggestion will be taken into consideration.

Cisco: Frame-Relay back-to-back routers in simple steps

In one of my earlier posts I have presented how to connect 3 routers in a Hub and Spoke Frame-Relay topology. Now I want to show you how to connect 2 routers back to back, in a Frame Relay topology. With a back to back connection and without any FR switch, things are a little bit different than in the Hub and Spooke topology.

First let’s have a look to the topology:

We have 2 routers, connected back to back. The interface status on both routers:

sh run int s0/0
interface Serial0/0
no ip address

First let set up the encapsulation to Frame-Relay and to bring the interfaces UP:

conf t
interface S0/0
encapsulation frame-relay
no shutdown

Everything should be fine now, but it’s not, as if you check your interfaces you will see that they are in a Up/Down status on both routers:

sh int s0/0
Serial0/0 is up, line protocol is down

Even this is messing up a little bit with our brains, the Up/Down status is normal in this phase. Why? Remember that we do not have a FR switch, both interface consider themselved DTE side and LMI is not working. You can check if LMI like this:

R1#sh frame-relay lmi

LMI Statistics for interface Serial0/0 (Frame Relay DTE) LMI TYPE = CISCO
Invalid Unnumbered info 0             Invalid Prot Disc 0
Invalid dummy Call Ref 0              Invalid Msg Type 0
Invalid Status Message 0              Invalid Lock Shift 0
Invalid Information ID 0              Invalid Report IE Len 0
Invalid Report Request 0              Invalid Keep IE Len 0
Num Status Enq. Sent 6                Num Status msgs Rcvd 0
Num Update Status Rcvd 0              Num Status Timeouts 5
Last Full Status Req 00:00:04         Last Full Status Rcvd never

You will see Sent packages on both routers, but nothing received as there is no FR switch. In this conditions we have to disable LMI and to assign DLCIs manually. To disable LMI, issue the following command under Frame-Relay interface:

interface S0/0
no keepalive

Now interfaces should be in a Up/Up status:

sh int s0/0
Serial0/0 is up, line protocol is up

As in this moment everything looks fine, let’s start to configure the Frame-Relay back to back connections. Obvious, at least for me, when you have a back to back connection, first things that comes into your mind is a point-to-point interface. Let’s start with this configuration (we will use from diagram the black line connection with subnet /24) . I will show only the configuration on the primary router, but it’s the same on the secondary one, just with a different IP address in the 4th octet.

interface S0/0.100 point-to-point
ip address
frame-relay interface-dlci 100

Remember DLCIs are only local significant so you can define whatever number you want there, but of course the same DLCI number on both sides. Let’s check if everything is fine:

R1#show frame-relay map
Serial0/0.100 (up): point-to-point dlci, dlci 100(0x64,0x1840), broadcast

R1#show frame-relay pvc | i STATUS

We can see a point-to-point dlci in frame-relay map, and a static defined PVC. If you ping from R1 to R2 and viceversa it should work.

This was the straight forward solution, but going a little bit more into details, you can be required in some situations that you have to use a multipoint Frame-Relay interface. Actually what is a multipoint interface more than multiple point-to-point interfaces. Let’s take the sencond line (red one, with subnet /24 in the topology) and configure this back to back connection using multipoint interfaces:

interface s0/0.110 multipoint
ip address
frame-relay map ip 110 broadcast
frame-relay map ip 110

As you see the configuration is different from the point-to-point interface. Actually under multipoint interface you can issue the frame-relay interface-dlci 110 command, but this will not help too much. Remember that we have disable LMI in the first steps because we do not have a FR switch. No FR switch means no automatic L3 to L2 mapping. In other words even if you specify the interface-dlci, the interface being a multipoint will not know where to forward packets. Why this didn’t happen in the point-to-point scenario, you may ask. Well, because there the keyword is interface sx/x point-to-point, so by it’s nature the interface knows that there is only one destination possible, meaning the other end (or point if you want).

In this scenario we had to manually map L3 to L2 with the command frame-relay map. Actually you only need the first frame-relay map, pointing to the other router IP address, but I add the last command just in case you want to ping your own interface.

Now maybe you ask which is the third scenario (blue line). Well, this is not very common in the real environment, but maybe you have to deal with it in a special condition like lab environment, Cisco exam and so on. Let’s say that you have a request that you need to have 3 virtual PVC connections, but only 2 subinterface. Now, you already have 2 subinterface configured, so how can you achieve the third PVC connection. The answer is that you configure the main interface with the same configuration like in multipoint subinterface scenario. By it’s nature and interface is described point to multipoint, so in a Frame Relay scenario like this you have to manually map L3 to L2:

interface Serial0/0
ip address
encapsulation frame-relay
no keepalive
frame-relay map ip 120
frame-relay map ip 120 broadcast

If you followed this tutorial, at the end you should have reachability over the 3 subnets.