QoS and DSL modem

Status
Not open for further replies.

lockcole (Technical User)
Sep 2, 2008
Hi all,

I have a fairly simple question about QoS.

I have a Cisco 877. This has an ATM WIC and 4 switchports. This kit has been configured like a standard DSL modem except I have made 2 VLANs so I can separate 2 different ethernet cables' broadcasts. The ATM is a PPPoE connection, not a 1483 connection. VLAN2 is for an AP which my flatmates use for their internet and I'm on VLAN3 for my client. Most of the config is standard. I'm using PAT for the translation as it passes from the inside to the outside. I have a firewall-style ACL built on the outside and just simple ACLs restricting access control. The VLANs have ACLs to stop tunnels being created from the clients.

Now,

On the dialer (PPPoE), as traffic leaves the egress queue it's being marked as EF with a priority of 55 (I'm with Virgin and I don't think they are remarking the traffic as it passes into the subinterface on their LNSs).

I want to mark specific traffic (namely give VLAN3 queues a better priority than VLAN2) as it comes into my modem/router. How could I go about this?

My flatmates are torrenting the shit out of the ingress queue as it comes into the dialer. I know QoS is only possible after route processing occurs. This is where the 'pickle' is. I can't mark it as it enters the ingress queue on the dialer as that's not possible (besides, NAT/PAT hasn't occurred yet).

I have a PIX 506e and a Cisco 2550 sitting around if that helps, though I would like to keep this to one bit of kit if possible.

Initial thoughts to me would indicate I would need to hook up a second router in a stub style, then send the traffic towards that router. This would provide me with an egress queue after NAT/PAT has taken place and allow me to remark the traffic based on destination IP. Am I on the right track? Is it possible to remark traffic after NAT/PAT has taken place, before it enters the VLANs? If so, how would I go about it on IOS 12.x?

All thoughts are welcome; if you guys need any info please let me know.
 
Here is the current config; there are mistakes, I know.

My flatmates are on 192.168.2.3. Find an example from the informational console about their torrenting below.

Gate(config)#do sh run
Building configuration...

Current configuration : 7016 bytes
!
! Last configuration change at 20:31:04 GMT Tue Sep 2 2008
! NVRAM config last updated at 20:31:06 GMT Tue Sep 2 2008
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname Gate
!
boot-start-marker
boot-end-marker
!
logging count
logging userinfo
logging buffered 196608 informational
no logging rate-limit
logging console informational
logging monitor informational
enable secret 5 ***************************
!
no aaa new-model
!
resource policy
!
clock timezone GMT 0
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
!
ip dhcp pool 192.168.2.128/25
network 192.168.2.0 255.255.255.0
default-router 192.168.2.150
dns-server 194.168.4.100 194.168.8.100
lease infinite
!
!
no ip domain lookup
ip multicast-routing
!
!
!
!
!
class-map match-all QOS-Map
match access-group name QOS-Traffic
!
!
policy-map QOS-Policy
class QOS-Map
set dscp ef
priority 55
!
!
no crypto isakmp enable
!
!
!
!
interface Loopback0
no ip address
!
interface ATM0
description ATM WIC
no ip address
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
service-policy output QOS-Policy
!
interface FastEthernet0
switchport access vlan 3
spanning-tree portfast
!
interface FastEthernet1
switchport access vlan 2
spanning-tree portfast
!
interface FastEthernet2
switchport access vlan 2
spanning-tree portfast
!
interface FastEthernet3
switchport access vlan 2
spanning-tree portfast
!
interface Vlan1
no ip address
!
interface Vlan2
description Inside
ip address 192.168.2.150 255.255.255.0
ip access-group LAN in
ip pim sparse-mode
ip nat inside
ip virtual-reassembly
ip igmp immediate-leave group-list 1
!
interface Vlan3
ip address 172.16.3.150 255.255.0.0
ip access-group LAN in
ip pim sparse-mode
ip nat inside
ip virtual-reassembly
ip igmp immediate-leave group-list 1
!
interface Dialer0
description Outside
ip address negotiated
ip access-group WAN-IN in
ip access-group WAN-OUT out
ip pim sparse-dense-mode
ip nat outside
ip virtual-reassembly
encapsulation ppp
loopback
dialer pool 1
dialer-group 1
no snmp ifindex persist
no cdp enable
ppp chap hostname VIRGIN INTERNET
ppp chap password 7 ******************
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
no ip http server
no ip http secure-server
ip pim bidir-enable
ip pim rp-address 172.16.3.150
ip pim rp-candidate Vlan3
ip nat inside source list 100 interface Dialer0 overload
!
ip access-list extended LAN
deny ipinip any any log
deny nos any any log
deny gre any any log
deny tcp any any eq 843 log
permit icmp 172.16.0.0 0.0.255.255 any log
permit ip 172.16.0.0 0.0.255.255 any log
permit icmp 192.168.2.0 0.0.0.255 any log
permit ip 192.168.2.0 0.0.0.255 any log
permit ip any host 255.255.255.255 log
permit ip 224.0.0.0 15.255.255.255 224.0.0.0 15.255.255.255 log
deny ip any any log
deny icmp any any log
ip access-list extended LAN-Virus
deny icmp any any log
deny ipinip any any log
deny nos any any log
deny gre any any log
deny ip host 192.168.2.3 any log
deny tcp any any eq 843 log
permit icmp 172.16.0.0 0.0.255.255 any log
permit ip 172.16.0.0 0.0.255.255 any log
permit icmp 192.168.2.0 0.0.0.255 any log
permit ip 192.168.2.0 0.0.0.255 any log
permit ip any host 255.255.255.255 log
permit ip 224.0.0.0 15.255.255.255 224.0.0.0 15.255.255.255 log
deny ip any any log
ip access-list extended QOS-Traffic
permit tcp any any
permit udp any any
ip access-list extended Upstairs
permit ip any any
ip access-list extended WAN-IN
permit tcp any any established log
deny ipinip any any log
deny gre any any log
deny eigrp any any log
deny nos any any log
deny tcp any any eq ftp
permit udp any eq domain any log
permit icmp any any unreachable log
permit icmp any any echo-reply log
permit icmp any any source-quench log
permit icmp any any packet-too-big log
permit icmp any any timestamp-reply log
permit icmp any any ttl-exceeded log
permit icmp any any reassembly-timeout log
permit icmp any any mask-reply log
permit icmp any any information-reply log
permit icmp any any administratively-prohibited log
permit icmp any any conversion-error log
permit icmp any any dod-host-prohibited log
permit icmp any any dod-net-prohibited log
permit icmp any any general-parameter-problem log
permit icmp any any host-unknown log
permit icmp any any option-missing log
permit icmp any any network-unknown log
permit icmp any any parameter-problem log
permit icmp any any time-exceeded log
permit icmp any any source-route-failed log
permit icmp any any redirect log
permit udp any any eq 27960 log
permit udp any any eq 23837 log
permit udp host 193.142.245.226 eq ntp any eq ntp log
deny ip any any log
deny icmp any any log
ip access-list extended WAN-OUT
deny ipinip any any log
deny gre any any log
deny eigrp any any log
deny nos any any log
deny ip 192.168.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.0.255.255 any
deny ip 10.0.0.0 0.0.0.255 any
deny tcp any eq 134 135 136 137 138 139 any log
deny udp any eq 134 135 136 netbios-ns netbios-dgm netbios-ss any log
deny tcp any any eq 134 135 136 137 138 139 log
deny udp any any eq 134 135 136 netbios-ns netbios-dgm netbios-ss log
deny tcp any any eq 1024 1025 1026 1027 1028 1029 1030 log
deny udp any any eq 1024 1025 1026 1027 1028 1029 1030 log
deny tcp any eq 1024 1025 1026 1027 1028 1029 1030 any log
deny udp any eq 1024 1025 1026 1027 1028 1029 1030 any log
deny tcp any eq finger any
deny udp any eq snmp any
deny udp any eq tftp any
deny tcp any eq 69 any
deny tcp any eq 8080 any
deny tcp any any eq 3389
deny tcp any any eq 445
deny tcp any eq 445 any
deny udp any eq syslog any
deny udp any eq isakmp any
deny tcp any eq 500 any
deny udp any eq snmp any log
permit icmp any any echo
permit icmp any any traceroute log
permit icmp any any information-request
permit icmp any any mask-request
permit icmp any any timestamp-request
deny icmp any any log
permit ip any any log
!
logging origin-id ip
logging 192.168.2.50
access-list 1 permit any
access-list 2 permit 192.168.2.0 0.0.0.255
access-list 2 permit 172.16.0.0 0.0.255.255
access-list 3 permit any
access-list 100 permit ip 172.16.0.0 0.0.255.255 any log
access-list 100 permit ip 192.168.2.0 0.0.0.255 any log
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
stopbits 1
line vty 0 4
access-class 2 in
exec-timeout 0 0
password 7 1443400703117E7D76
login
!
scheduler max-task-time 5000
ntp clock-period 17175177
ntp source Dialer0
ntp peer 193.142.245.226
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end


Sep 2 20:35:12: %SEC-6-IPACCESSLOGP: list WAN-IN permitted tcp 83.21.52.58(6348) -> 86.0.103.32(55456), 1 packet
Sep 2 20:35:14: %SEC-6-IPACCESSLOGP: list WAN-IN permitted tcp 96.229.188.45(27256) -> 86.0.103.32(55477), 1 packet
Sep 2 20:35:16: %SEC-6-IPACCESSLOGP: list WAN-IN permitted tcp 99.164.86.22(6346) -> 86.0.103.32(55379), 1 packet
Sep 2 20:35:17: %SEC-6-IPACCESSLOGP: list WAN-IN permitted tcp 83.21.52.58(6348) -> 86.0.103.32(55456), 1 packet
Sep 2 20:35:18: %SEC-6-IPACCESSLOGP: list LAN permitted tcp 172.16.3.50(1568) -> 192.168.2.150(23), 1 packet
Sep 2 20:35:19: %SEC-6-IPACCESSLOGP: list LAN permitted tcp 192.168.2.3(55432) -> 91.138.13.97(16389), 1 packet
Sep 2 20:35:20: %SEC-6-IPACCESSLOGP: list LAN permitted tcp 192.168.2.3(55379) -> 99.164.86.22(6346), 1 packet
Sep 2 20:35:21: %SEC-6-IPACCESSLOGP: list LAN permitted tcp 192.168.2.3(55379) -> 99.164.86.22(6346), 1 packet
Sep 2 20:35:23: %SEC-6-IPACCESSLOGP: list WAN-IN permitted tcp 96.229.188.45(27256) -> 86.0.103.32(55477), 1 packet
Sep 2 20:35:25: %SEC-6-IPACCESSLOGP: list LAN permitted tcp 172.16.3.50(1568) -> 192.168.2.150(23), 1 packet
Sep 2 20:35:26: %SEC-6-IPACCESSLOGP: list WAN-IN permitted tcp 58.8.77.175(10538) -> 86.0.103.32(55430), 1 packet
Sep 2 20:35:27: %SEC-6-IPACCESSLOGP: list LAN permitted tcp 192.168.2.3(55536) -> 83.20.217.121(6348), 1 packet
Sep 2 20:35:28: %SEC-6-IPACCESSLOGP: list LAN permitted tcp 192.168.2.3(55537) -> 81.190.165.186(6346), 1 packet
Sep 2 20:35:30: %SEC-6-IPACCESSLOGP: list WAN-IN permitted tcp 78.8.80.7(6348) -> 86.0.103.32(55376), 1 packet
Sep 2 20:35:31: %SEC-6-IPACCESSLOGP: list WAN-IN permitted tcp 99.164.86.22(6346) -> 86.0.103.32(55379), 1 packet
Sep 2 20:35:33: %SEC-6-IPACCESSLOGP: list LAN permitted tcp 192.168.2.3(55450) -> 93.105.82.213(6346), 1 packet
Sep 2 20:35:34: %SEC-6-IPACCESSLOGP: list WAN-IN permitted tcp 99.164.86.22(6346) -> 86.0.103.32(55379), 1 packet
Sep 2 20:35:35: %SEC-6-IPACCESSLOGP: list LAN permitted tcp 192.168.2.3(55543) -> 79.185.116.150(6348), 1 packet
Sep 2 20:35:36: %SEC-6-IPACCESSLOGP: list WAN-IN permitted tcp 93.105.82.213(6346) -> 86.0.103.32(55450), 1 packet
Sep 2 20:35:37: %SEC-6-IPACCESSLOGP: list LAN permitted tcp 192.168.2.3(55427) -> 66.183.153.255(6346), 1 packet
Sep 2 20:35:38: %SEC-6-IPACCESSLOGP: list LAN permitted tcp 192.168.2.3(55545) -> 83.22.105.247(6348), 1 packet
Sep 2 20:35:39: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 8319 packets
Sep 2 20:35:39: %SEC-6-IPACCESSLOGP: list LAN permitted tcp 192.168.2.3(55551) -> 89.191.168.25(6346), 1 packet
Sep 2 20:35:40: %SEC-6-IPACCESSLOGP: list WAN-IN permitted tcp 84.10.192.9(6346) -> 86.0.103.32(55555), 1 packet
Sep 2 20:35:41: %SEC-6-IPACCESSLOGP: list LAN permitted tcp 192.168.2.3(55557) -> 85.181.95.229(6348), 1 packet
Sep 2 20:35:42: %SEC-6-IPACCESSLOGP: list LAN permitted tcp 192.168.2.3(55427) -> 66.183.153.255(6346), 1 packet
 
Lol, just noticed I forgot to shut down vlan 1 :p that's now done
 
Anyway, on the WAN-IN list should I allow multicasting to complete the dense-mode? As a guess I'm going to say yes.

Ty for reading :)
 
lockcole (Technical User)
2 Sep 08 16:44
 
FYI, ACL LAN-Virus is what I use to stop my flatmates torrenting while I watch streaming content, if you guys are worried about that :) Old skool: if you can't figure it out, knock it off the network :p
 
Lol, sorry, haven't looked at this config in ages; I'm using PPPoA, not PPPoE :p
 
But the LLC header is not going to make a bar of diff when it comes to QoS or Multicasting.

And I think I haven't defined the line.....

ip igmp immediate-leave group-list 1

In a drunk haze I must have assumed it was linked to ACL 1, but looking at it again that can't be right; looks like I need to figure out what a group-list is and where to define it in global config.

 
I would just use policy maps to limit their bandwidth. It's the easiest solution.

Burt
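As an added example (not part of the thread, and not the poster's config), here is one way to do on a single 877 what the question asks for and what Burt suggests: classify and mark on the inside VLAN interfaces, where the packet has not been translated yet and the source subnet still says which VLAN it came from, then queue on the ATM egress by the DSCP mark (PAT rewrites addresses but leaves DSCP alone), and police the downstream rate handed to VLAN2 on its output side, which sees the translated 192.168.2.x destination because outside-to-inside NAT runs before routing. The ACL, class-map and policy-map names, the AF41 mark, the 80/20 split and the 2 Mbps downstream cap are all assumptions chosen for illustration; the existing QOS-Traffic ACL matches every TCP and UDP packet, so the original QOS-Policy puts all traffic into the EF priority queue and differentiates nothing, which is why the ATM0 policy is replaced rather than extended. It also assumes IOS 12.4 MQC with CEF (already enabled in the posted config) and that this platform accepts input and output service policies on the Vlan SVIs; confirm with "show policy-map interface" after applying.

```cisco
! Added example configuration, not from the original post. Assumed names and rates.
!
! 1. Classify inside, pre-NAT: each SVI only ever sees its own subnet as source.
ip access-list extended VLAN3-SRC
 permit ip 172.16.0.0 0.0.255.255 any
ip access-list extended VLAN2-SRC
 permit ip 192.168.2.0 0.0.0.255 any
!
class-map match-all VLAN3-IN
 match access-group name VLAN3-SRC
class-map match-all VLAN2-IN
 match access-group name VLAN2-SRC
!
! My VLAN is marked AF41; the flatmates' VLAN is forced back to default (DSCP 0)
! so nothing they set on their hosts can jump the queue.
policy-map MARK-INSIDE
 class VLAN3-IN
  set dscp af41
 class VLAN2-IN
  set dscp default
!
interface Vlan3
 service-policy input MARK-INSIDE
!
interface Vlan2
 service-policy input MARK-INSIDE
!
! 2. Upstream: at ATM0 the source address is already the public one, so match the
!    DSCP mark instead of an address. "bandwidth remaining percent" shares what is
!    left after any priority class, so it avoids the 75% reservation limit.
class-map match-all VLAN3-MARKED
 match ip dscp af41
!
policy-map UPSTREAM-QOS
 class VLAN3-MARKED
  bandwidth remaining percent 80
 class class-default
  bandwidth remaining percent 20
!
interface ATM0
 no service-policy output QOS-Policy
 service-policy output UPSTREAM-QOS
!
! 3. Downstream: the ISP delivers at line rate regardless, so the lever is to police
!    what is forwarded onto VLAN2. Assumed cap: 2 Mbps (2000000 bps); size it below
!    the sync rate from "show dsl interface atm0" so the drop happens here, not at
!    the exchange.
policy-map VLAN2-DOWNSTREAM
 class class-default
  police cir 2000000 conform-action transmit exceed-action drop
!
interface Vlan2
 service-policy output VLAN2-DOWNSTREAM
```

Two things worth checking once this is in. First, "show policy-map interface atm0" should show packets landing in VLAN3-MARKED only when you are active; if everything falls into class-default, the input mark is not being applied (an SVI that rejected the input policy, or the AF41 being overwritten elsewhere). Second, the police on Vlan2 output drops rather than queues, so torrent downloads back off through TCP loss while the upload direction, which is usually the one that starves a DSL line, is handled by the ATM0 policy; both pieces stay on the one box, with no stub router needed.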
 