
Cisco 2621XM QoS/ToS settings


imagefree

IS-IT--Management
May 26, 2009
Hi,

I need some help. I am the lone IT guy at a small call centre and I am having call quality issues. My attempt to segregate traffic without VLANs has been adequate but not perfect.
I have a T1 and a 6 meg ADSL at my disposal, and I've been trying to route all web traffic through the ADSL using NAT policies and firewall restrictions.

My current setup is a Cisco 2600 -> Sonicwall 2400 -> Linksys router

The Sonicwall has two WAN ports, one from the Cisco and the other from the ADSL. The Sonicwall doesn't provide VLANs, so I've been using round robin load balancing, routing most http traffic through the ADSL.
This is not ideal and I suffer from poor quality, even dropped calls.

I've been told that "bandwidth reservation for voice and TOS priority would be ideal."

The question is: how do you configure a Cisco 2600 router to reserve bandwidth for UDP traffic up to 90% and 10% for the TCP?

I would appreciate your help and time.
 
What is this

access-list 120 permit ip host 200.100.49.57 host 0.0.0.7

???

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
I was asking the same question.
Didn't get any response.

Minue directed me to enter
access-list 120 permit ip 200.100.49.57 0.0.0.7 any

Which wasn't accepted, so I entered
access-list 120 permit ip 200.100.49.57 0.0.0.7 0.0.0.0

Care to help :)
 
The public servers have two NICs, one assigned to the LAN, which is behind the firewall. The other NIC has the public IP, which is behind the Cisco router.

The ADSL is being utilised for http traffic, thanks to Minue's help. The public IPs are via T1, thus the Cisco WAN interface.
 
We are using the same ISP for the ADSL and T1 connection. The block of IPs is from the T1.

Based on the configs that I am using, without the NAT on the f0/0 the route maps do not work as they should. When ip nat inside is disabled on the f0/0 interface, http traffic input is via T1 and output is via ADSL. When it is enabled, both are via ADSL, which is great.

So based on the configs NAT is needed.
 
Your incoming traffic for 200.100.49.56/29 would be coming thru T1 no matter what you do, since your ISP has a static route for that subnet pointing to your T1 line.
When you NAT that subnet, all of the traffic looks like it's coming from the ADSL connection IP address; that is why returning traffic goes back to the ADSL connection.
You would need to get a static IP for your DSL connection and work with your ISP so the provider can configure his routers to use both the T1 and DSL line to get to your static IP block. On their side they need to put static routes for your network. Something like this:

ip route 200.100.49.56 255.255.255.248 200.110.2.174
ip route 200.100.49.56 255.255.255.248 <Your-static-DSL-IP>

or use some kind of routing protocol. You have to talk to them to make this work.

If you don't do that the only option would be getting your incoming HTTP traffic thru T1 connection.

The outgoing traffic from your LAN could be sent any way you want. In this case you should NAT your LAN traffic on your Sonicwall firewall and not on Cisco router.

t00r
 
One more thing you can do is to get a static IP for your DSL connection and do static NAT for your web servers. In this case you would be doing all NATting on the 2621. You'd need to point your DNS records to the DSL IP. The downsides of that:
1. You can have only 1 public web server on tcp port 80
2. If you lose your DSL connection, people wouldn't be able to connect to your web servers even when the T1 line is up

t00r
 
I get what you say, most of it. Can you explain how when the ip nat inside is turned on on the LAN interface of the router, all the http is going through the ADSL in and out.

The routing maps are acting as they should when the nat inside is in place.

Because of this I have ruled out asking for a static ip from my provider for the ADSL.
 
I tried to read through this whole thread, but man, is it long. I don't know if a new thread would be warranted or not. Can you post the updated config??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
:) I'm looking to break the record for longest thread.

Here is the current running config:

Current configuration : 1947 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname gateway.gss
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxx
!
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
!
ip cef
ip ips po max-events 100
no ftp-server write-enable
!
!
class-map match-any RTP
match protocol rtp audio
!
interface FastEthernet0/0
description LAN to Sonicwall
ip address 200.100.49.57 255.255.255.248
ip nat inside
ip virtual-reassembly
ip policy route-map ROUTE_VOIP
speed auto
full-duplex
!
interface Serial0/0
bandwidth 1544
ip address 200.100.32.174 255.255.255.252
ip nbar protocol-discovery
service-policy output VOICE
encapsulation ppp
load-interval 60
service-module t1 timeslots 1-24
!
interface FastEthernet0/1
description outside WAN
bandwidth 6000
ip address dhcp
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly
service-policy output VOICE
load-interval 60
duplex auto
speed auto
pppoe enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.6.1
ip route 0.0.0.0 0.0.0.0 200.100.32.173 5
ip route 192.168.6.0 255.255.255.0 FastEthernet0/1
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source route-map NO_NAT interface FastEthernet0/0 overload
!
!
access-list 1 permit 200.100.49.0 0.0.0.255
access-list 110 permit udp any any
access-list 120 deny ip host 200.100.49.60 any
access-list 120 permit ip host 200.100.49.57 0.0.0.0 0.0.0.7
!
route-map NO_NAT permit 10
match ip address 120
!
route-map ROUTE_VOIP permit 10
match ip address 110
set interface Serial0/0 FastEthernet0/1
!
control-plane
!
line con 0
line aux 0
line vty 0 4
login
!
end
 
Let's assume you have ip nat inside in the f0/0 config.
Here is what the router does when the packet is received at f0/0:
1. Checks the packet destination IP address and defines the next-hop IP and outgoing interface (192.168.6.1 and f0/1 - see the ip route 0.0.0.0 0.0.0.0 192.168.6.1 and ip route 192.168.6.0 255.255.255.0 FastEthernet0/1 lines)
2. Checks the packet against the ROUTE_VOIP route map and modifies the outgoing interface to S0/0 for udp traffic.
3. For the packets that come out of f0/1 we have a nat inside and nat outside pair of interfaces. Then the ip nat inside source list 1 interface FastEthernet0/1 overload and ip nat inside source route-map NO_NAT interface FastEthernet0/0 overload lines come into play. So the router checks the packets against ACL 1 (which permits all your public IPs and a little bit more) and route map NO_NAT (which is actually redundant because of ACL 1).
4. If the packet is permitted by the ACL, the router replaces the source IP address with the IP address of f0/1 (the interface FastEthernet0/0 part of the line - NAT), possibly replaces the source port for tcp and udp traffic (overload part - PAT), and stores the translation into the NAT table in the router (you can check that by sh ip nat trans)
5. The packet is sent from the outgoing interface.

Huh, that was a long explanation.
And now about the static IP part. Right now your servers with public IPs probably have DNS A records which link a name with one or more of your public IP addresses. If you want your incoming http connections to go through your DSL line, people should send their packets to the IP address allocated for your DSL connection. You cannot put that DSL IP address into DNS since it's dynamic and can change from time to time. That is why you need a static IP if you want to serve http requests from the Internet.

t00r
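A small simulation of the forwarding order described in the post above (route lookup, then the ROUTE_VOIP route-map, then NAT on the f0/0 -> f0/1 pair), added here as an example rather than code from the thread. The addresses and ACLs come from the posted config; the f0/1 DHCP address and the sample packets are constructed assumptions.

```python
# Added example (not from the thread): model the forwarding steps for the
# posted 2621XM config to show why tcp/80 traffic leaves and returns via the
# DSL side while udp leaves Serial0/0 untranslated.
import ipaddress
from dataclasses import dataclass, replace

F01_IP = "192.168.6.2"   # assumption: address f0/1 got from DHCP (not in the config)
NAT_TABLE = {}           # (inside src, sport) -> (outside src, sport), like "sh ip nat trans"
_next_pat_port = [1024]  # overload (PAT) hands out a fresh source port per flow

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int

def acl_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit in the wildcard means 'do not care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def forward(pkt: Packet) -> tuple[str, Packet]:
    """Packet received on f0/0; returns (egress interface, packet as sent)."""
    # Step 1: routing table. The preferred default points at 192.168.6.1 via
    # f0/1; the Serial0/0 default has distance 5, so it is only a backup.
    egress = "FastEthernet0/1"
    # Step 2: ip policy route-map ROUTE_VOIP on f0/0 matches ACL 110
    # (permit udp any any) and sets interface Serial0/0 for those packets.
    if pkt.proto == "udp":
        egress = "Serial0/0"
    # Steps 3-4: NAT only runs on the inside(f0/0) -> outside(f0/1) pair, for
    # sources permitted by ACL 1 (200.100.49.0 0.0.0.255). The source IP
    # becomes the f0/1 address and PAT picks a new source port, so the reply
    # from the Internet is addressed to the DSL side.
    if egress == "FastEthernet0/1" and acl_match(pkt.src, "200.100.49.0", "0.0.0.255"):
        key = (pkt.src, pkt.sport)
        if key not in NAT_TABLE:
            NAT_TABLE[key] = (F01_IP, _next_pat_port[0])
            _next_pat_port[0] += 1
        new_src, new_port = NAT_TABLE[key]
        pkt = replace(pkt, src=new_src, sport=new_port)
    # Step 5: the packet leaves on the chosen interface.
    return egress, pkt
```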
 
Thanks for the explanation.

I thought it would be possible to specify which addresses not to NAT on the LAN interface of the router.

So you are recommending that I request from my ISP a static line instead of the bridge I am currently getting. That way I use that ADSL WAN IP for my php webpages and ssh session(s).

Would the NAT interfere with an attempt to route the ADSL WAN IP to one of T1 WAN IPs?

 
Sure, you can specify which addresses to NAT. But for the addresses that belong to your T1 line your return traffic will always go through the T1 line.
When you NAT the traffic, then for the rest of the world all packets look like they were sent from the IP address of the interface that was specified in the ip nat inside source ... statement. That is why you are getting returning traffic through the DSL line.

If you get a static IP-address you can put static NAT config for your web server:

ip nat inside source static tcp <IP-address-of-web-server> 80 interface f0/1 80

When the router receives packet into f0/1 interface on tcp port 80 it'll forward that packet to the port 80 of your web-server. And you have to make sure that your outgoing web-traffic is sent through f0/1 interface too:

ip access-list extended TRAFFIC_TO_NAT
permit tcp host <IP-address-of-web-server> eq 80 any
ip access-list extended VOICE_TRAFFIC
permit udp any any
route-map PBR_MAP permit 10
match ip address TRAFFIC_TO_NAT
set interface f0/1
route-map PBR_MAP permit 20
match ip address VOICE_TRAFFIC
set interface s0/0
route-map PBR_MAP permit 30
set interface f0/1
interface f0/0
ip policy route-map PBR_MAP

If you have several ssh destinations you can map them to different ports:

ip nat inside source static tcp <PC1-address> 22 interface f0/1 22
ip nat inside source static tcp <PC2-address> 22 interface f0/1 2201
ip nat inside source static tcp <PC3-address> 22 interface f0/1 2202

From outside you point your ssh client for PC1 to f0/1 IP-address port 22, PC2 - port 2201, PC3 - 2202

If you want I can help you configure interface state tracking so you can automatically put your VoIP and regular traffic on the right interface in case one of them is down. But I'll need to know the exact IOS version you are using, since Cisco changed the tracking configuration in the middle of the 12.3T series.

BTW, it looks like your current DSL modem doesn't do bridging but actual routing (and possibly NATting too) according to your cisco config. Just make sure your modem doesn't do NATting when you have your static DSL IP.

Regards,

t00r
 
One more thing - if you have more than one web server you'll be able to put only one of them on the actual port 80 when NATting, just like in the ssh config.

t00r
 