Cisco 2621XM QoS/ToS settings


imagefree (IS-IT--Management)
May 26, 2009
Hi,

I need some help. I am the lone IT guy at a small call centre and I am having call quality issues. My attempt to segregate traffic without VLANs has been adequate but not perfect.
I have a T1 and a 6 Mbit/s ADSL at my disposal; I've been trying to route all web traffic through the ADSL using NAT policies and firewall restrictions.

My current set-up is a Cisco 2600 -> Sonicwall 2400 -> Linksys router

The Sonicwall has two WAN ports, one from the Cisco and the other from the ADSL. The Sonicwall doesn't provide VLANs, so I've been using round-robin load balancing, routing most HTTP traffic through the ADSL.
This is not ideal and I suffer from poor quality, even dropped calls.

I've been told that "bandwidth reservation for voice and ToS priority would be ideal."

The question is: how do you configure a Cisco 2600 router to reserve bandwidth for UDP traffic up to 90% and 10% for TCP?

I would appreciate your help and time.
 
Here is the output from the ip nbar command.

router#show ip nbar protocol-discovery stats bit-rate top-n 10

Serial0/0
Protocol       Input 5min Bit Rate (bps)   Output 5min Bit Rate (bps)
rtp            67000                       111000
sip            8000                        6000
rtcp           2000                        3000
http           3000                        0
icmp           0                           0
dns            0                           0
pop3           0                           0
secure-http    0                           0
ntp            0                           0
h323           0                           0
unknown        120000                      0
Total          200000                      120000
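One way to do the "bandwidth reservation for voice and ToS priority" the post above asks about, written here as an added example rather than configuration taken from this thread: an LLQ/CBWFQ policy on the T1 that classifies voice with the same NBAR engine that is already running protocol-discovery. It assumes the 2621XM runs an IOS with NBAR RTP sub-classification (12.3 or later), that Serial0/0 is the T1 (as the NBAR output shows), and that nothing upstream marks DSCP yet; the class names and the percentages are assumptions to tune, not values from the thread. Reserving "90% for UDP" wholesale is deliberately avoided: the priority queue is policed to its configured rate, so any UDP that is not voice (DNS, NTP, a flood) put into that queue competes with, and can drop, the calls.

```cisco
! Added example (not from the thread): LLQ for voice on the T1.
! Assumes NBAR is available (protocol-discovery already runs on this box)
! and that Serial0/0 is the T1. Percentages are assumptions; size them
! for the real number of concurrent calls.
!
! Classify the voice bearer (RTP audio) and the signalling (SIP) with NBAR,
! and also honour DSCP marks in case a device upstream sets them later.
class-map match-any VOICE-BEARER
 match protocol rtp audio
 match ip dscp ef
class-map match-any VOICE-SIGNALING
 match protocol sip
 match ip dscp cs3
!
! LLQ: the priority class is serviced strictly first but is policed to its
! rate under congestion, so it must fit the calls it carries (a G.711 call
! is roughly 80-90 kbps on the wire; about 10 calls fit in 60% of a T1).
! Signalling gets a small guaranteed share; everything else (the HTTP that
! leaks onto the serial, downloads) shares what is left, fair-queued.
! 60% + 5% stays under the default 75% reservable limit of the interface.
policy-map WAN-T1-QOS
 class VOICE-BEARER
  priority percent 60
  set ip dscp ef
 class VOICE-SIGNALING
  bandwidth percent 5
  set ip dscp cs3
 class class-default
  fair-queue
!
! Queueing only acts on traffic leaving this interface; "bandwidth" tells
! the percent calculations what the link rate is.
interface Serial0/0
 bandwidth 1544
 service-policy output WAN-T1-QOS
```

Check it with `show policy-map interface Serial0/0`: each class reports offered rate and drops, and drops in the VOICE-BEARER class mean the priority percentage is too small for the call volume. The caveat a practitioner would want: this shapes only the direction the router controls (LAN to T1). Voice arriving from the ISP is queued on the ISP's side of the T1, so inbound quality, and the 2-3 second delay mentioned later in the thread, cannot be fixed by egress queueing on the 2600.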
 
Hello
Is the new route-map working? Also wanted to let you know that the router is load balancing with the 2 equal default routes. Try testing the administrative again, with metric 5 on the serial:

ip route 0.0.0.0 0.0.0.0 192.168.6.1
ip route 0.0.0.0 0.0.0.0 200.110.2.173 5

Regards

P.S. How was the voice traffic in the last few days?
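The two default routes above, as an added example that is not part of Minue's post, with the check and the caveat that go with them. Two statics with the same administrative distance make IOS load-share per destination, which is what produces traffic leaving one interface and returning on the other. Giving the serial route a higher distance (the "5") turns it into a floating static, but a floating static is withdrawn only when its primary's interface goes down, and an Ethernet link to an ADSL modem stays up even when the DSL sync is lost. The example therefore tracks reachability through the modem. It assumes, from the thread, that FastEthernet0/1 faces the ADSL modem at 192.168.6.1 and that 200.110.2.173 is the T1 next hop; `<ISP-DNS-IP>` is a placeholder (same convention as the thread's IP_OF_PHP_SERVER) for an ISP address that is reachable via the ADSL. The syntax assumed is IOS 12.4(20)T or later; older releases spell these `ip sla monitor` and `track 1 rtr 1 reachability`.

```cisco
! Added example (not from the thread). Assumes Fa0/1 -> ADSL modem at
! 192.168.6.1 and Serial0/0 -> T1 next hop 200.110.2.173, both from the
! thread. <ISP-DNS-IP> is a placeholder for an ISP address beyond the modem.
!
! Probe something past the modem, not the modem itself: the modem answers
! pings even when the DSL line is down.
ip sla 1
 icmp-echo <ISP-DNS-IP> source-interface FastEthernet0/1
 frequency 10
ip sla schedule 1 life forever start-time now
!
! Pin the probe target to the ADSL path. Without this host route the probe
! would succeed via the T1 after a failover and re-install the primary
! route, flapping between the two.
ip route <ISP-DNS-IP> 255.255.255.255 192.168.6.1
!
track 1 ip sla 1 reachability
!
! Primary default via the ADSL, present only while the probe succeeds.
! Backup via the T1 with administrative distance 5 (the value used in the
! thread). The trailing number is a distance, not a metric: IOS installs
! the backup only while the primary is absent from the routing table, so
! the two are never used together and the load-sharing stops.
ip route 0.0.0.0 0.0.0.0 192.168.6.1 track 1
ip route 0.0.0.0 0.0.0.0 200.110.2.173 5
```

Verify with `show track 1` (state Up/Down and the number of changes) and `show ip route 0.0.0.0`, which should list exactly one default route at a time. Voice that is policy-routed to the T1, as this thread's ROUTE_VOIP route-map does, is unaffected by these defaults; they only govern where the unmatched (web) traffic goes.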
 
I turned off the route-map; not sure if it was working. I'm about to try it again.

I will try the new administrative commands.
I am now having latency issues; there is a delay of 2-3 seconds on the calls going through the router with the current config.
 
Yes, the new one works, but I was having problems this morning before implementing it. The bandwidth priority wasn't effective. The percentage rate gives better call quality.

Need to separate the RTP packets. We are using SIP, that should get preference.
 
The administrative command below works.
ip route 0.0.0.0 0.0.0.0 192.168.6.1
ip route 0.0.0.0 0.0.0.0 200.110.2.173 5

The ADSL is still the primary route.
The administrative command hasn't caused a clash. I can ping from each interface and when both are connected.
I can make calls from the ADSL when the T1 is down, so it is working as a fallback.

I will do some more testing in the morning.
The call quality wasn't all that hot on Monday and Tuesday (before I got latency issues; looking into it with my ISP). I will post another protocol-discovery.

Thanks again, Minue, for sticking with this.
 
Hey Minue,

There is one issue with the setup.
I cannot connect to my WAN IP addresses from home when the ADSL interface is connected/up. Which means that my downloads are going through the ADSL exclusively, since it is set as the default route.

Any idea how I can resolve this? It is essential that I can connect to my WAN interface/IPs from outside the LAN.
 
Hello
For the telnet issue, was it possible to connect before the new implementation? Which WAN address are you using to telnet? Can you ping it? Also, what error is it giving you?

"Need to separate the RTP packets. We are using SIP, that should get preference."

Please note that SIP is the management protocol, but really it's RTP that is carrying the voice packets. In any case I will try to work on something more specific to divide the VoIP traffic. In the meantime please send me another NBAR output, so that I can verify that the router is not load-balancing and the kind of traffic that is passing.

Regards
 
Yes, it was possible to connect before the ADSL was placed on the router. I have a block of IP addresses, and yes I can ping them; I just cannot connect to the PHP page or SSH to them.

Here is a more recent NBAR post; I added the ADSL to the NBAR to get an idea of what both interfaces are doing.

Serial0/0
Protocol       Input 5min Bit Rate (bps)   Output 5min Bit Rate (bps)
rtp            238000                      281000
http           102000                      0
sip            8000                        4000
rtcp           2000                        2000
dns            0                           0
icmp           0                           0
ftp            0                           0
secure-http    0                           0
h323           0                           0
netbios        0                           0
unknown        299000                      2000
Total          649000                      289000

FastEthernet0/1
Protocol       Input 5min Bit Rate (bps)   Output 5min Bit Rate (bps)
http           536000                      123000
pop3           4000                        0
h323           3000                        0
icmp           0                           1000
rtp            0                           0
sip            0                           0
secure-http    0                           0
dns            0                           0
smtp           0                           0
netbios        0                           0
unknown        5000                        3000
Total          548000                      127000
 
So are you trying to SSH directly to the LAN subnet or the WAN? What's the error you are getting? There's really nothing strange in the configuration that should stop you from remotely accessing the router. You could try taking out the "ip nat inside" on the LAN interface to test it. Also do a tracert to the IP address you're trying to SSH to, to see if it's trying to pass through the ADSL interface. Do you have the same ISP for the T1 and ADSL circuits?
As for NBAR, we still have HTTP traffic leaking in on the serial interface from the Internet; this seems like asymmetric routing. This should be looked into, but I don't think it's causing a big harm.
Regards
 
I am having difficulty logging into a PHP webpage or the SSH of an IP address on my WAN subnet.

I'll try taking off the "ip nat inside," and the tracert (that was my speculation, that it hits the ADSL IP first).
Yes, it's the same ISP.

It is causing some harm. Voice quality could be better. How do we stop the leak?
 
Taking off the inside NAT did the trick.
What about this line of code?
ip nat inside source list 1 interface FastEthernet0/1 overload
 
Did you mean that the PHP webpage is on the LAN or WAN? Your WAN is a point-to-point subnet, so you just have one IP address. If you have web servers on the LAN, we can't NAT. We will have to build a route-map, or make the router bridge the ADSL modem, so that it gets the WAN IP address of the modem. With this method we can get rid of the NAT. Can you access the modem, or is it ISP property?

What about this line of code?
ip nat inside source list 1 interface FastEthernet0/1 overload

The above code tells the router to NAT (change) all addresses in access-list 1 to the IP address of FastEthernet0/1.

Regards

 
I have six WAN IPs: 200.100.49.57-62 255.255.255.248

This line was the problem.
ip nat inside source list 1 interface FastEthernet0/1 overload

FastEthernet0/0 is assigned 200.100.49.57
The config for access-list 1 is: 10 permit 208.163.49.0, wildcard bits 0.0.0.255

By your explanation, if the above code changes all the addresses in access-list 1 to the IP address of FastEthernet0/1, it will change any request or external attempt to reach that subnet.

It's working now with 'ip nat inside' removed.
 
Here is a protocol-discovery from today with the NAT removed.

router#sho ip nbar protocol-discovery stats bit-rate top-n 10

Serial0/0
Protocol       Input 5min Bit Rate (bps)   Output 5min Bit Rate (bps)
rtp            273000                      427000
http           80000                       0
sip            6000                        5000
rtcp           2000                        3000
ssh            1000                        0
secure-http    0                           0
h323           0                           0
pop3           0                           0
icmp           0                           0
unknown        468000                      0
Total          830000                      435000

FastEthernet0/1
Protocol       Input 5min Bit Rate (bps)   Output 5min Bit Rate (bps)
ssh            0                           7000
http           0                           4000
icmp           0                           1000
rtp            0                           0
secure-http    0                           0
sip            0                           0
rtsp           0                           0
h323           0                           0
pop3           0                           0
dns            0                           0
unknown        0                           0
Total          0                           12000

Not good...
 
Hello
We need NAT to make the config work, or we need to give interface FastEthernet0/1 the public address of the modem by bridging the modem.

"I have six WAN IPs: 200.100.49.57-62 255.255.255.248"

In reality these would be called LAN addresses even though they are public addresses, because they reside on the internal (LAN) interface. The way your network is designed, with public addresses on the LAN with servers, we can't use this kind of NAT. We can solve these problems but I would need more information and time. Unfortunately I am leaving for holiday tomorrow for two weeks. So I don't know if the best choice is to roll back to your old setup or continue using NAT. When I get back we can finally beat these problems. Please advise.
Regards


 
Hello
Don't despair!! I think I have found a workaround to keep the present config. Replace the "ip nat inside" and then apply the route-map below. This should exclude the PHP server from being NATed. I would advise using the WAN point-to-point for SSH instead of one on the internal subnet. If you choose to continue using the normal address, please put in an access list for it.

route-map NO_NAT permit 10
 match ip address 120

ip nat inside source route-map NO_NAT interface FastEthernet0 overload

access-list 120 deny ip host IP_OF_PHP_SERVER any
access-list 120 deny ip host "IP_OF_SSH_if needed" any
access-list 120 permit ip 200.100.49.57 0.0.0.7 any

If the above solution doesn't work, we would have to look into the asymmetric routing problem that you have. It looks like your ISP is sending your return traffic to a different interface than the exit, maybe because of a routing issue. If you look at NBAR you will see that you have some output on one interface and its input on another. Also change the interface refresh rate to have better stats.

interface FastEthernet0/1
 load-interval 60

interface serial0/0
 load-interval 60

Regards

 
Hey Minue,

I tried the commands above briefly but they didn't work. I will try them again the next opportunity I get.

I don't understand this command; why 0.0.0.7 any?
access-list 120 permit ip 200.100.49.57 0.0.0.7 any

And yes, I am still having that asymmetric routing issue.
HTTP input is via T1, output is via ADSL.
 
Hey Minue,

I found some time to look into the last configs you sent.

Had to enter:
access-list 120 permit ip 200.100.49.57 0.0.0.7 0.0.0.0
instead of:
access-list 120 permit ip 200.100.49.57 0.0.0.7 any

With the ip nat inside on, the traffic is routing as intended.

Serial0/0
Protocol       Input 1min Bit Rate (bps)   Output 1min Bit Rate (bps)
rtp            615000                      364000
sip            10000                       7000
rtcp           3000                        0
http           0                           0
h323           0                           0
secure-http    0                           0
pop3           0                           0
ftp            0                           0
ssh            0                           0
dns            0                           0
unknown        4000                        0

FastEthernet0/1
Protocol       Input 1min Bit Rate (bps)   Output 1min Bit Rate (bps)
http           44000                       3000
icmp           0                           1000
ftp            0                           0
ssh            0                           0
h323           0                           0
secure-http    0                           0
smtp           0                           0
pop3           0                           0
rtp            0                           0
sip            0                           0
unknown        0                           0
Total          44000                       4000

But the route-map isn't working; still can't access the PHP from outside the local net. No packets hitting the route-map.

route-map NO_NAT, permit, sequence 10
  Match clauses:
    ip address (access-lists): 120
  Set clauses:
    interface FastEthernet0/0
  Policy routing matches: 0 packets, 0 bytes
route-map ROUTE_VOIP, permit, sequence 10
  Match clauses:
    ip address (access-lists): 110
  Set clauses:
    interface Serial0/0 FastEthernet0/1
  Policy routing matches: 79414049 packets, 3106599382 bytes

The overloads are configured:
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source route-map NO_NAT interface FastEthernet0/0 overload

Here are my access-lists:
access-list 1 permit 200.100.49.0 0.0.0.255
access-list 110 permit udp any any
access-list 120 deny ip host 200.100.49.59 any
access-list 120 deny ip host 200.100.49.60 any
access-list 120 deny ip host 200.100.49.61 any
access-list 120 deny ip host 200.100.49.62 any
access-list 120 permit ip host 200.100.49.57 host 0.0.0.7

Seems if I solve this IP NAT problem I solve my asymmetric problem. Either that or I will be forced to set up my VPN access.


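An added example, not Minue's route-map from earlier in the thread and not the poster's running configuration, covering the two things both of those posts circle around: what the `0.0.0.7` wildcard means, and how to NAT toward the ADSL without translating the servers. It assumes, from the thread, that FastEthernet0/0 is the inside interface carrying the public /29 (200.100.49.57 on the router, .59-.62 on the servers), that Serial0/0 is the T1 on which the ISP routes that /29, that FastEthernet0/1 faces the ADSL modem and must overload-NAT to its private address, and that ROUTE_VOIP is the policy route-map already applied on FastEthernet0/0 (the thread shows its contents but not where it is applied). Two facts the configuration rests on: a wildcard of 0.0.0.7 is the inverse of 255.255.255.248, so `200.100.49.57 0.0.0.7` matches .56 through .63 and IOS stores it as `200.100.49.56 0.0.0.7`; and the entry the poster's router actually shows, `permit ip host 200.100.49.57 host 0.0.0.7`, matches only packets whose destination is literally 0.0.0.7, which is why the route-map counted zero matches.

```cisco
! Added example (not Minue's or the poster's configuration). Assumes:
!   Fa0/0  = inside, public /29 200.100.49.56/29 (.57 router, .59-.62 servers)
!   Se0/0  = T1, the ISP routes the /29 here
!   Fa0/1  = ADSL modem, private address, needs overload NAT
!   ROUTE_VOIP = the policy route-map already on Fa0/0 (from the thread)
!
! 1. Servers keep their real addresses: deny them first, then permit the
!    rest of the /29. 0.0.0.7 = inverse of 255.255.255.248 (.56 - .63).
!    Never write the mask after "host": "host 0.0.0.7" is a destination.
access-list 120 deny   ip host 200.100.49.59 any
access-list 120 deny   ip host 200.100.49.60 any
access-list 120 deny   ip host 200.100.49.61 any
access-list 120 deny   ip host 200.100.49.62 any
access-list 120 permit ip 200.100.49.56 0.0.0.7 any
!
! 2. Translate only what leaves via the ADSL. Traffic leaving the T1
!    already carries a routable public source and must not be touched,
!    hence the "match interface" in the NAT route-map.
route-map NAT-ADSL permit 10
 match ip address 120
 match interface FastEthernet0/1
!
ip nat inside source route-map NAT-ADSL interface FastEthernet0/1 overload
! The blanket rule from the thread must go, or it still translates the
! servers (list 1 permits the whole 200.100.49.0/24):
no ip nat inside source list 1 interface FastEthernet0/1 overload
!
interface FastEthernet0/0
 ip nat inside
interface FastEthernet0/1
 ip nat outside
!
! 3. Untranslated servers must also exit via the T1. If their replies
!    leave via the ADSL, inbound SSH/HTTP that arrives on the T1 is
!    answered out the other link, which is the "input on one interface,
!    output on the other" pattern in the NBAR counters. Only one
!    "ip policy route-map" fits per interface, so add a sequence in front
!    of the existing UDP rule in ROUTE_VOIP rather than a second map.
access-list 130 permit ip host 200.100.49.59 any
access-list 130 permit ip host 200.100.49.60 any
access-list 130 permit ip host 200.100.49.61 any
access-list 130 permit ip host 200.100.49.62 any
route-map ROUTE_VOIP permit 5
 match ip address 130
 set interface Serial0/0
interface FastEthernet0/0
 ip policy route-map ROUTE_VOIP
```

Checks: `show access-lists 120` must display the last entry as `permit ip 200.100.49.56 0.0.0.7 any`, not `host ... host`; `show ip nat translations` should list entries only for the workstation addresses, never for .59-.62; and from outside, a trace to a server address should enter and leave on the T1 both ways. Since the servers are now reachable on their real addresses from the Internet, the access list Minue mentioned for SSH is not optional: restrict inbound SSH/HTTP to the servers on the Serial0/0 side to the source addresses that actually need it.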
 
Yes, you are spot on.

And no, I haven't gotten the NAT to work; it works but I need to be able to SSH and hit the PHPs. Where the thread ends is where I am. I am currently trying to get the Sonicwall's VPN client to work.

I can connect to the LAN but I still can't SSH or get to the PHPs. I get an IP address from the Sonicwall, I can ping the Sonicwall's LAN IP, I can ping my PC, but that's it. Can't accomplish what I am looking to do:
log in remotely as if I am at the office and administer changes to my servers and web clients.
 