Category: Quality of Service (QoS)
Prioritizing specific IP packets inside an IPSec tunnel
The following example shows how to prioritize specific IP packets inside an IPSec tunnel. The example uses IPSec version 7.1.12p1.
Scenario:

The two sites each have their own Internet access and are connected to each other through an IPSec tunnel.
1. IPSec configuration on the branch office router (VPN Access 25):
The configuration requires a virtual IPSec interface. The advantage is that this interface is then available when configuring Quality of Service (QoS).
VPN Access 25 Setup Tool BinTec Access Networks GmbH
[IPSEC][PEERS][EDIT]: Configure Peer vpn25
_______________________________________________________________________________
Description: Zentrale
Admin Status: up Oper Status: up
Peer Address: 62.63.64.65
Peer IDs: 62.63.64.65
Pre Shared Key: *
IPSec Callback >
Peer specific Settings >
Virtual Interface: yes
Interface IP Settings >
SAVE CANCEL
_______________________________________________________________________________
The routing for the IPSec connection is set up in the "Interface IP Settings" menu.
VPN Access 25 Setup Tool BinTec Access Networks GmbH
[IPSEC][PEERS][EDIT][IP][BASIC]: IP-Settings (Zentrale) vpn25
_______________________________________________________________________________
IP Transit Network no
Local IP Address 192.168.150.1
Default Route no
Remote IP Address 192.168.44.0
Remote Netmask 255.255.255.0
SAVE CANCEL
_______________________________________________________________________________
2. VoIP configuration on the branch office router:
The Proxy and Gatekeeper services must both be started (running).
VPN Access 25 Setup Tool BinTec Access Networks GmbH
[VOIP][GK][GLOBAL]: VoIP Gatekeeper Global Configuration vpn25
_______________________________________________________________________________
Gatekeeper ID vpn25
Interface with limited Bandwidth none
Max. Bandwidth (KBits/s) 5
Bandwidth per Call (KBits/s) 5
Type of Call Routing dynamic
Type of Registration unrestricted
Location Policy relaxed
Time to Live (sec) 120
IRRfrequency (sec) 60
Max. # of Entries in Call History 25
H.323 Gateway
Alternate Gatekeeper (Priority 0) 62.63.64.65
Alternate Gatekeeper (Priority 1)
Alternate Gatekeeper (Priority 2)
SAVE CANCEL
_______________________________________________________________________________
The IP address of the central-site router is entered as the "Alternate Gatekeeper", because that router also has to be configured as a VoIP gateway.
The H.323 users are configured in the "Gatekeeper User Table" menu.
VPN Access 25 Setup Tool BinTec Access Networks GmbH
[VOIP][GK][USER TABLE]: Configure Gatekeeper User Table vpn25
_______________________________________________________________________________
Username Alias E.164 # IP Address
Herbert Herbert 4711 192.168.44.100
ip200 ip200 4712 192.168.150.100
ADD DELETE EXIT
_______________________________________________________________________________
3. QoS configuration on the branch office router:
1) IP Filter
The filter must be configured unambiguously so that classification, and with it prioritization, works inside the IPSec tunnel.
In this example the TOS field is taken over from the IP phone (IP200). By default the value is set to 1C (hexadecimal). On the router this value must be configured in binary (00011100).
VPN Access 25 Setup Tool BinTec Access Networks GmbH
[QOS][FILTER][USER TABLE][EDIT] vpn25
_______________________________________________________________________________
Description VoIP
Index 1
Protocol any
Source Address
Source Mask
Destination Address
Destination Mask
Type of Service (TOS) 00011100 TOS Mask 11111111
SAVE CANCEL
_______________________________________________________________________________
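The following Python sketch is an added example, not part of the original page or of the router's software. It decodes the TOS value 1C and models the filter above, assuming the usual semantics (masked comparison of the TOS octet, empty address field matches any sender); the host 192.168.150.50 and the PHONE_ONLY filter are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class TosFilter:
    tos: str                      # 8 binary digits, as typed into the filter
    mask: str                     # 8 binary digits
    source: Optional[str] = None  # None models an empty Source Address field

    def matches(self, src_ip: str, packet_tos: int) -> bool:
        """Assumed semantics: masked TOS compare, empty address = any."""
        if self.source is not None:
            net = ipaddress.ip_network(self.source)
            if ipaddress.ip_address(src_ip) not in net:
                return False
        value, mask = int(self.tos, 2), int(self.mask, 2)
        return (packet_tos & mask) == (value & mask)


def decode_tos(tos: int) -> dict:
    """Split the TOS octet both ways it is commonly read."""
    return {
        "precedence": tos >> 5,                # RFC 791, three leading bits
        "low_delay": bool(tos & 0x10),         # D bit
        "high_throughput": bool(tos & 0x08),   # T bit
        "high_reliability": bool(tos & 0x04),  # R bit
        "dscp": tos >> 2,                      # RFC 2474 view of the same octet
        "ecn": tos & 0x03,
    }


# The filter exactly as configured on this page.
PAGE_FILTER = TosFilter(tos="00011100", mask="11111111")
# Hypothetical tighter variant: same TOS, but only from the phone's address.
PHONE_ONLY = TosFilter(tos="00011100", mask="11111111",
                       source="192.168.150.100/32")

if __name__ == "__main__":
    print(decode_tos(0x1C))
    for src, tos in [("192.168.150.100", 0x1C),  # the IP200
                     ("192.168.150.100", 0x1D),  # same phone, one low bit set
                     ("192.168.150.50", 0x1C)]:  # constructed other LAN host
        print(src, hex(tos), PAGE_FILTER.matches(src, tos),
              PHONE_ONLY.matches(src, tos))
```

With the address fields left empty and Protocol set to any, the filter on this page classifies on the TOS value alone, so the marking chosen by any host on en0-1 decides the queue; the full mask also means a packet that differs in a single TOS bit is not classified.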
2) IP Classification and Signalling
These packets are classified here in the incoming direction.
VPN Access 25 Setup Tool BinTec Access Networks GmbH
[QOS][CLASS][EDIT] vpn25
_______________________________________________________________________________
Index 1
Filter VoIP (1)
Direction incoming
Action classify (keep TOS) M
Classification >
Signalling (TOS) >
Next Rule none
SAVE CANCEL
_______________________________________________________________________________
These packets are to be classified as "high priority".
VPN Access 25 Setup Tool BinTec Access Networks GmbH
[QOS][CLASS][EDIT][CLASS]: Configure IP QoS Classification vpn25
_______________________________________________________________________________
Class Type high priority
OK CANCEL
_______________________________________________________________________________
3) Interfaces and Policies
VPN Access 25 Setup Tool BinTec Access Networks GmbH
[QOS][INTERFACES]: Enable IP QoS Classification and Policies vpn25
_______________________________________________________________________________
Interface First Rule First Filter Scheduler TxRate Limit
T-DSL no IP QoS classification
Zentrale no IP QoS classification PQ
en0-1 1 1 (VoIP)
en0-1-snap no IP QoS classification
en0-2 no IP QoS classification
en0-2-snap no IP QoS classification
en0-3 no IP QoS classification
en0-3-snap no IP QoS classification
EXIT
_______________________________________________________________________________
The packets are classified on the Ethernet interface en0-1.
VPN Access 25 Setup Tool BinTec Access Networks GmbH
[QOS][INTERFACES][EDIT] vpn25
_______________________________________________________________________________
Interface en0-1
IP QoS Classification via RI 1 FI 1 (VoIP)
QoS Scheduling and Shaping >
Class-Based QoS Policies >
SAVE CANCEL
_______________________________________________________________________________
The classified packets are prioritized on the virtual IPSec interface "Zentrale".
VPN Access 25 Setup Tool BinTec Access Networks GmbH
[QOS][INTERFACES][EDIT] vpn25
_______________________________________________________________________________
Interface Zentrale
IP QoS Classification via none
QoS Scheduling and Shaping >
Class-Based QoS Policies >
SAVE CANCEL
_______________________________________________________________________________
The packets are prioritized using the "priority queueing" algorithm.
VPN Access 25 Setup Tool BinTec Access Networks GmbH
[QOS][INTERFACES][EDIT][SCHEDULER]: Configure QoS Scheduling and Shaping vpn25
_______________________________________________________________________________
Queueing and Scheduling Algorithm priority queueing (PQ)
Specify Traffic Shaping no
OK CANCEL
_______________________________________________________________________________
The "high priority" queue must be included in the policy list so that it is taken into account.
VPN Access 25 Setup Tool BinTec Access Networks GmbH
[QOS][INTERFACES][EDIT][POLICY]: Configure QoS Policies vpn25
_______________________________________________________________________________
Configure QoS Policies
Type ID Tx Rate Limitation
high priority 0 bounded
default 0 not bounded
ADD DELETE EXIT
_______________________________________________________________________________
4. Test:
VPN Access 25 Setup Tool BinTec Access Networks GmbH
[VOIP][MONITORING][REGISTERED USERS]: Show Gatekeeper Registered Users vpn25
_______________________________________________________________________________
Username Alias E.164 # IP Address
ip200 4712 192.168.150.100
vpn100@Bintec-Sup 62.63.64.65
Herbert 4711 192.168.44.100
EXIT
_______________________________________________________________________________
The H.323 user in the branch office (ip200) calls an H.323 user at the central site (Herbert).
VPN Access 25 Setup Tool BinTec Access Networks GmbH
[VOIP]..[ACTIVE CALLS]: Show Gatekeeper/Proxy routed active calls vpn25
_______________________________________________________________________________
Calling Party E.164 # Called Party E.164 # Time
Herbert 4711 3:23:20
EXIT
_______________________________________________________________________________
5. Verification:
At present the QoS statistics can only be checked through the MIB tables.
Starting with image 7.2.1 the SETUP tool also offers a way to check them.
vpn25:> qospolicystattable
inx IfIndex(*ro) Type(ro) ClassId(ro)
OutPkts(ro) OutOctets(ro) PktsQueued(ro)
OctetsQueued(ro) PktsDropped(ro) OctetsDropped(ro)
State(rw)
00 100001 high_priority 0
8199 739478 0
0 0 0
running
01 100001 default 0
13732 848300 0
0 0 0
running
vpn25:>
The "qospolicystattable" table shows the statistics for the two queues "high priority" and "default".
The values in the "high priority" queue rise rapidly as soon as an H.323 call is in progress.
The value 100001 (IfIndex) stands for the virtual IPSec interface.
vpn25:> ifstat
Index Descr Type Mtu Speed St Ipkts Ies Opkts Oes PhyAddr/ChgTime
…
000100 en0-1 eth 1500 100M up 27104 0 23084 0 00:a0:f9:06:5b:6b
…
010001 T-DSL ppp 1492 128K up 26821 0 26892 0 0 00:00:11
100001 Zentrale tunn 1418 10M up 16049 0 22345 5 0 00:00:14
total: 18
vpn25:>
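The check described above (counters of the "high priority" queue on IfIndex 100001 rising during a call) can be automated by comparing two dumps of the table. The Python below is an added example, not part of the original page: the first snapshot is the output shown on this page, the second is constructed with invented counter values, and the function names are hypothetical.

```python
import re

# Output of "qospolicystattable" as shown on this page.
SNAPSHOT_PAGE = """\
inx IfIndex(*ro) Type(ro) ClassId(ro)
OutPkts(ro) OutOctets(ro) PktsQueued(ro)
OctetsQueued(ro) PktsDropped(ro) OctetsDropped(ro)
State(rw)
00 100001 high_priority 0
8199 739478 0
0 0 0
running
01 100001 default 0
13732 848300 0
0 0 0
running
"""
# Constructed second snapshot (values invented for the example): the same
# table a little later, while a call is in progress.
SNAPSHOT_LATER = (SNAPSHOT_PAGE.replace("8199 739478", "9699 874478")
                  .replace("13732 848300", "13740 848900"))
COUNTERS = ("OutPkts", "OutOctets", "PktsDropped", "OctetsDropped")


def parse_stat_table(text):
    """Turn the wrapped MIB table dump into one dict per row."""
    tokens = [t for line in text.splitlines() if ":>" not in line
              for t in line.split()]
    # Header names run up to the first purely numeric token (inx of row 0).
    width = next(i for i, t in enumerate(tokens) if t.isdigit())
    names = [re.sub(r"\(.*\)$", "", t) for t in tokens[:width]]
    body = tokens[width:]
    if len(body) % width:
        raise ValueError("table is truncated")
    return [{k: int(v) if v.isdigit() else v
             for k, v in zip(names, body[i:i + width])}
            for i in range(0, len(body), width)]


def queue_deltas(before, after, if_index):
    """Counter increase per queue type on one interface between two dumps."""
    old = {r["Type"]: r for r in parse_stat_table(before)
           if r["IfIndex"] == if_index}
    return {r["Type"]: {c: r[c] - old[r["Type"]][c] for c in COUNTERS}
            for r in parse_stat_table(after)
            if r["IfIndex"] == if_index and r["Type"] in old}


if __name__ == "__main__":
    deltas = queue_deltas(SNAPSHOT_PAGE, SNAPSHOT_LATER, 100001)
    for queue, delta in deltas.items():
        print(queue, delta)
```

A "high_priority" delta that stays at zero during a call means the packets are not being classified; nonzero PktsDropped on that queue means the queue itself is overrunning.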