New Client, New Setup Help

Chris Mickle
Level 1
Level 1

Hello All,

I have a new client that has grown beyond what their current network can provide and wanted to run what I was thinking of implementing by everyone here for some feedback and questions.

What they have now is about 20 users in two offices down the hall from each other and separate cable internet service using the ISP's cable modem as their router and an off the shelf unmanaged switch in each office. They have ringcentral cloud hosted VoIP desk phones and soft clients. The computers are connected through the phones. They would like to have a guest wifi network.

Here's what I'm thinking for your consideration...

First and foremost, connect the two separate offices via an ethernet drop and get rid of one of the cable internet connections. Second, install an ASA and two L2 or L3 switches (3750G maybe) one in each office to connect the endpoints. Third, install access points in each office and have an internal and guest wifi network on different VLANs.

That's all pretty straightforward as I have several clients with this exact configuration, but what I'm not sure about is dealing with the VoIP phones. They currently have no issues with the phones and I don't want to introduce any with my proposed solution. I'm not sure whether I should set up a voice VLAN and bother with QoS for this environment or not.

Any insight would be much appreciated.

25 Replies

It probably doesn't sound right because I stupidly thought that I needed to configure the switch port connected to the ASA's inside interface with the outside vlan at first. I realized the mistake after the fact and now have just g1/0/23 and 1/0/24 as access ports on the outside vlan 5.

Here is the running config though...

version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname SW1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
clock timezone EST -5
clock summer-time EDT recurring
switch 1 provision ws-c3750g-24t
system mtu routing 1500
vtp mode transparent
!
!
mls qos map cos-dscp 0 8 16 24 32 46 48 56
mls qos srr-queue input bandwidth 90 10
mls qos srr-queue input threshold 1 8 16
mls qos srr-queue input threshold 2 34 66
mls qos srr-queue input buffers 67 33
mls qos srr-queue input cos-map queue 1 threshold 2 1
mls qos srr-queue input cos-map queue 1 threshold 3 0
mls qos srr-queue input cos-map queue 2 threshold 1 2
mls qos srr-queue input cos-map queue 2 threshold 2 4 6 7
mls qos srr-queue input cos-map queue 2 threshold 3 3 5
mls qos srr-queue input dscp-map queue 1 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue input dscp-map queue 1 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue input dscp-map queue 1 threshold 3 32
mls qos srr-queue input dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue input dscp-map queue 2 threshold 2 33 34 35 36 37 38 39 48
mls qos srr-queue input dscp-map queue 2 threshold 2 49 50 51 52 53 54 55 56
mls qos srr-queue input dscp-map queue 2 threshold 2 57 58 59 60 61 62 63
mls qos srr-queue input dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue input dscp-map queue 2 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output cos-map queue 1 threshold 3 5
mls qos srr-queue output cos-map queue 2 threshold 3 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 2 4
mls qos srr-queue output cos-map queue 4 threshold 2 1
mls qos srr-queue output cos-map queue 4 threshold 3 0
mls qos srr-queue output dscp-map queue 1 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 3 threshold 3 32 33 34 35 36 37 38 39
mls qos srr-queue output dscp-map queue 4 threshold 1 8
mls qos srr-queue output dscp-map queue 4 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue output dscp-map queue 4 threshold 3 0 1 2 3 4 5 6 7
mls qos queue-set output 1 threshold 1 138 138 92 138
mls qos queue-set output 1 threshold 2 138 138 92 400
mls qos queue-set output 1 threshold 3 36 77 100 318
mls qos queue-set output 1 threshold 4 20 50 67 400
mls qos queue-set output 2 threshold 1 149 149 100 149
mls qos queue-set output 2 threshold 2 118 118 100 235
mls qos queue-set output 2 threshold 3 41 68 100 272
mls qos queue-set output 2 threshold 4 42 72 100 242
mls qos queue-set output 1 buffers 10 10 26 54
mls qos queue-set output 2 buffers 16 6 17 61
mls qos
!
!
spanning-tree mode pvst
spanning-tree portfast default
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 5
 name outside
!
vlan 10
 name domain
!
vlan 20
 name guest
!
vlan 30
 name ftp
!
vlan 40
 name voice
!
vlan 99
 name blackhole
lldp run
!
!
!
!
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30,40
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 switchport access vlan 10
!
interface GigabitEthernet1/0/3
 switchport access vlan 10
!
interface GigabitEthernet1/0/4
 switchport access vlan 10
!
interface GigabitEthernet1/0/5
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 40
 srr-queue bandwidth share 10 10 60 20
 queue-set 2
 priority-queue out
 mls qos trust cos
 auto qos voip trust
 spanning-tree portfast
!
interface GigabitEthernet1/0/6
 switchport access vlan 10
!
interface GigabitEthernet1/0/7
 switchport access vlan 99
!
interface GigabitEthernet1/0/8
 switchport access vlan 99
!
interface GigabitEthernet1/0/9
 switchport access vlan 99
!
interface GigabitEthernet1/0/10
 switchport access vlan 10
!
interface GigabitEthernet1/0/11
 switchport access vlan 99
!
interface GigabitEthernet1/0/12
 switchport access vlan 99
!
interface GigabitEthernet1/0/13
 switchport access vlan 99
!
interface GigabitEthernet1/0/14
 switchport access vlan 99
!
interface GigabitEthernet1/0/15
 switchport access vlan 99
!
interface GigabitEthernet1/0/16
 switchport access vlan 99
!
interface GigabitEthernet1/0/17
 switchport access vlan 99
!
interface GigabitEthernet1/0/18
 switchport access vlan 99
!
interface GigabitEthernet1/0/19
 switchport access vlan 99
!
interface GigabitEthernet1/0/20
 switchport access vlan 99
!
interface GigabitEthernet1/0/21
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20
 switchport mode trunk
!
interface GigabitEthernet1/0/22
 switchport access vlan 30
!
interface GigabitEthernet1/0/23
 switchport access vlan 5
!
interface GigabitEthernet1/0/24
 switchport access vlan 5
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 ip address 192.168.0.8 255.255.255.0
!
ip default-gateway 192.168.0.1
ip classless
ip http server
ip http secure-server
!
!
no cdp run
no cdp tlv location
no cdp tlv app
!
!
!
line con 0
line vty 0 4
 login local
 length 0
 transport input telnet ssh
line vty 5 15
 login
!
ntp clock-period 36028833
ntp server 97.107.129.217
end

Evening Chris,
See below for the QoS config on the switch connected to the ISP router (check I've got the right ISP switchport).
You will also need to determine the public IP of your VOIP provider and update the VOICE_TRAFFIC ACL as required.
We are only interested in picking up the incoming VOIP traffic; everything else will be caught in the 'class-default' class map.

!
int gi1/0/23
desc ISP_LINK
service-policy input VOIP_MARK
!
ip access-list extended VOICE_TRAFFIC
permit ip host <your_VOIP_provider_public_ip> any
!
class-map CM_VOIP
match access-group name VOICE_TRAFFIC
exit
!
policy-map VOIP_MARK
class CM_VOIP
set dscp ef
exit
!


Also make sure you have the following configured on every trunk port (at both ends of the link) between your switches:

!
int gi1/0/x
  srr-queue bandwidth share 10 10 60 20
  mls qos trust dscp
!

...and lastly, please mark helpful posts ;)

cheers,
Seb.

Thanks for all your help on this so far.

So it seems that we're using the L3 switch as a router to handle QoS and leaving the ASA blissfully ignorant of the whole thing. Is that about the size of it?

I do have one follow-up question on the access list. I'm not sure of the VoIP provider's IP address that I need to include in the ACL. The closest thing I can find on that is a networking document they put together, but it doesn't have any specific IPs. Under section 7, RingCentral supernets, it lists the supernets they use for communications, but that's it. Do I need to add them all to the ACL and if so, what is the syntax to add an entire subnet?

https://success.ringcentral.com/articles/en_US/RC_Knowledge_Article/9233#4.6

The ASA is aware of the markings and can prioritise the traffic as you desire (check the link in a previous post), it just can't adjust the markings. 

Just keep in mind that unless you are experiencing congestion on your links, the QoS controls have no effect.

OK, we have two options. Either mark all traffic from your provider's public subnet as EF:

!
ip access-list extended VOICE_TRAFFIC
  permit ip <public_VOIP_subnet_id> <netmask> any
!

...or we specifically mark traffic on known VOIP ports specified as used by the deskphone in your link:

!
ip access-list extended VOICE_TRAFFIC
  permit udp any any range 20000 39999
  permit udp any any range 40000 49999
  permit udp any any eq 5090
  permit tcp any any eq 5090
  permit tcp any any eq 5096
!

...but depending on the features you are using, the tables in the linked webpage go on and on!

I would suggest you monitor the connection table (sh conn) on the ASA and determine what IPs and ports the phones are using, and tweak the VOICE_TRAFFIC ACL to suit.

cheers,
Seb.

Sorry, missed the supernet bit. Here's the ACL:

!
ip access-list extended VOICE_TRAFFIC
  permit ip 80.81.128.0 255.255.240.0 any
  permit ip 103.44.68.0 255.255.252.0 any
  permit ip 104.245.56.0 255.255.248.0 any
  permit ip 185.23.248.0 255.255.252.0 any
  permit ip 192.209.24.0 255.255.248.0 any
  permit ip 199.68.212.0 255.255.252.0 any
  permit ip 199.255.120.0 255.255.252.0 any
  permit ip 208.87.40.0 255.255.252.0 any
!

...I'd use that.

cheers,

Seb.

I had just finished typing in all those before I saw your reply. But after I entered those, this is the output from the sh run...

ip access-list extended voice_traffic
 permit ip 0.0.0.0 255.255.240.0 any
 permit ip 0.0.0.0 255.255.252.0 any
 permit ip 0.0.0.0 255.255.248.0 any

What gives?

ugh, sorry, wine. We're on a switch. Use wildcard masks:

!
ip access-list extended VOICE_TRAFFIC
  permit ip 80.81.128.0 0.0.15.255 any
  permit ip 103.44.68.0 0.0.3.255 any
  permit ip 104.245.56.0 0.0.7.255 any
  permit ip 185.23.248.0 0.0.3.255 any
  permit ip 192.209.24.0 0.0.7.255 any
  permit ip 199.68.212.0 0.0.3.255 any
  permit ip 199.255.120.0 0.0.3.255 any
  permit ip 208.87.40.0 0.0.3.255 any
!

cheers,

Seb.
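The wildcard-mask correction in Seb's last two posts, and the `0.0.0.0 255.255.240.0` lines Chris saw in `sh run`, are worth seeing mechanically. The following Python is an added example (not code from the thread, Cisco, or RingCentral): it converts the supernets from netmask to wildcard form, reproduces what IOS stores when a netmask is typed in the wildcard field (every network bit the mask marks "don't care" is cleared, which is why the entries collapsed to 0.0.0.0), and looks up which permit entry a source address hits under wildcard semantics. The supernet list is copied from the thread; the test addresses 104.245.58.17 (inside the 104.245.56.0/21 supernet) and 8.8.0.0 are constructed.

```python
import ipaddress

# Constructed test data: the RingCentral supernets from Seb's posts, in the
# netmask form that was first typed on the switch. Each pair is the two fields
# that follow "permit ip" in an IOS extended ACL.
NETMASK_FORM = [
    ("80.81.128.0", "255.255.240.0"),
    ("103.44.68.0", "255.255.252.0"),
    ("104.245.56.0", "255.255.248.0"),
    ("185.23.248.0", "255.255.252.0"),
    ("192.209.24.0", "255.255.248.0"),
    ("199.68.212.0", "255.255.252.0"),
    ("199.255.120.0", "255.255.252.0"),
    ("208.87.40.0", "255.255.252.0"),
]


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def int_ip(value: int) -> str:
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def netmask_to_wildcard(netmask: str) -> str:
    """IOS router/switch ACLs take a wildcard mask: the bitwise inverse of the subnet mask."""
    return int_ip(~ip_int(netmask))


def ios_stores(network: str, wildcard: str) -> str:
    """What 'sh run' shows for an entry: IOS clears every network bit the wildcard
    marks as 'don't care'. A netmask typed in the wildcard field therefore
    collapses the network to 0.0.0.0, exactly as seen in the thread."""
    return int_ip(ip_int(network) & ~ip_int(wildcard))


def entry_matches(network: str, wildcard: str, src: str) -> bool:
    """Wildcard semantics: a 1 bit means 'ignore this bit', a 0 bit must be equal."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(src) & care) == (ip_int(network) & care)


def first_match(acl, src: str):
    """Index of the first permit entry a source hits, or None for the implicit deny."""
    for index, (network, wildcard) in enumerate(acl):
        if entry_matches(network, wildcard, src):
            return index
    return None


# The same list converted to the wildcard form Seb posted second.
WILDCARD_FORM = [(net, netmask_to_wildcard(mask)) for net, mask in NETMASK_FORM]


def render_acl(name: str, acl) -> str:
    """Emit the ACL in IOS syntax so it can be pasted into the switch."""
    lines = [f"ip access-list extended {name}"]
    lines += [f" permit ip {net} {wc} any" for net, wc in acl]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_acl("VOICE_TRAFFIC", WILDCARD_FORM))
    print()
    # Constructed addresses: one inside 104.245.56.0/21, one unrelated.
    for src in ("104.245.58.17", "8.8.0.0"):
        print(src, "netmask-as-wildcard ->", first_match(NETMASK_FORM, src),
              "| wildcard ->", first_match(WILDCARD_FORM, src))
```

Running it prints the wildcard-form ACL ready to paste, then the lookup results. With the netmask typed as a wildcard, the provider address hits nothing (implicit deny, so it is never marked EF) while an unrelated address whose low bits happen to be zero hits the first line; with the proper wildcard form, the provider address hits entry 2 and the unrelated address hits nothing.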

Ah, there we go. I'm still learning, but it seems to me that on router and switch ACLs you use wildcard masks and on the ASA it's regular subnet masks.

I decided it would be best to go the IP route rather than ports because you were right about there being a ton of them. I did do a sh conn on the ASA and saw the SIP phone using an IP on 104.245.56.0/21 but thought it best to add them all. That seems like it would cover all traffic if the phone decided to switch servers and would be a shorter ACL than all those ports.

I reposted the new switch config in whole for your approval :-)

That document I linked also says something about the NAT translation timeout being set to greater than 5 minutes. I haven't had any issues yet. The following is from my ASA config. Does any of this have to do with that and should anything be modified?

timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00

Here's an unrelated question about NAT on the ASA. I have a /29 public address and I'm currently NATting the VoIP subnet to the same WAN IP as another subnet.

object network domain_internet
 nat (domain,outside) dynamic interface

object network voice_internet
 nat (voice,outside) dynamic interface

I have the other two subnets NATted to different public IPs.

The only thing I can think of that would cause a problem with NATting multiple inside VLANs to the same outside address would be if you had to do static NAT on the same TCP/UDP port for two different inside hosts. Example: two web servers that need TCP 80, one on each VLAN; there would be no way to do the static NAT.

Are there other concerns, like security, besides the above mentioned, or is that it?

New switch config...

version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SW1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
clock timezone EST -5
clock summer-time EDT recurring
switch 1 provision ws-c3750g-24t
system mtu routing 1500
vtp mode transparent
!
mls qos map cos-dscp 0 8 16 24 32 46 48 56
mls qos srr-queue input bandwidth 90 10
mls qos srr-queue input threshold 1 8 16
mls qos srr-queue input threshold 2 34 66
mls qos srr-queue input buffers 67 33
mls qos srr-queue input cos-map queue 1 threshold 2 1
mls qos srr-queue input cos-map queue 1 threshold 3 0
mls qos srr-queue input cos-map queue 2 threshold 1 2
mls qos srr-queue input cos-map queue 2 threshold 2 4 6 7
mls qos srr-queue input cos-map queue 2 threshold 3 3 5
mls qos srr-queue input dscp-map queue 1 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue input dscp-map queue 1 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue input dscp-map queue 1 threshold 3 32
mls qos srr-queue input dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue input dscp-map queue 2 threshold 2 33 34 35 36 37 38 39 48
mls qos srr-queue input dscp-map queue 2 threshold 2 49 50 51 52 53 54 55 56
mls qos srr-queue input dscp-map queue 2 threshold 2 57 58 59 60 61 62 63
mls qos srr-queue input dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue input dscp-map queue 2 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output cos-map queue 1 threshold 3 5
mls qos srr-queue output cos-map queue 2 threshold 3 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 2 4
mls qos srr-queue output cos-map queue 4 threshold 2 1
mls qos srr-queue output cos-map queue 4 threshold 3 0
mls qos srr-queue output dscp-map queue 1 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 3 threshold 3 32 33 34 35 36 37 38 39
mls qos srr-queue output dscp-map queue 4 threshold 1 8
mls qos srr-queue output dscp-map queue 4 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue output dscp-map queue 4 threshold 3 0 1 2 3 4 5 6 7
mls qos queue-set output 1 threshold 1 138 138 92 138
mls qos queue-set output 1 threshold 2 138 138 92 400
mls qos queue-set output 1 threshold 3 36 77 100 318
mls qos queue-set output 1 threshold 4 20 50 67 400
mls qos queue-set output 2 threshold 1 149 149 100 149
mls qos queue-set output 2 threshold 2 118 118 100 235
mls qos queue-set output 2 threshold 3 41 68 100 272
mls qos queue-set output 2 threshold 4 42 72 100 242
mls qos queue-set output 1 buffers 10 10 26 54
mls qos queue-set output 2 buffers 16 6 17 61
mls qos
!
spanning-tree mode pvst
spanning-tree portfast default
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 5
 name outside
!
vlan 10
 name domain
!
vlan 20
 name guest
!
vlan 30
 name ftp
!
vlan 40
 name voice
!
vlan 99
 name blackhole
lldp run
!
!
class-map match-all cm_voip
 match access-group name voice_traffic
!
!
policy-map voip_mark
 class cm_voip
  set dscp ef
!
!
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30,40
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 switchport access vlan 10
!
interface GigabitEthernet1/0/3
 switchport access vlan 10
!
interface GigabitEthernet1/0/4
 switchport access vlan 10
!
interface GigabitEthernet1/0/5
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 40
 srr-queue bandwidth share 10 10 60 20
 queue-set 2
 priority-queue out
 mls qos trust cos
 auto qos voip trust
 spanning-tree portfast
!
interface GigabitEthernet1/0/6
 switchport access vlan 10
!
interface GigabitEthernet1/0/7
 switchport access vlan 99
!
interface GigabitEthernet1/0/8
 switchport access vlan 99
!
interface GigabitEthernet1/0/9
 switchport access vlan 99
!
interface GigabitEthernet1/0/10
 switchport access vlan 10
!
interface GigabitEthernet1/0/11
 switchport access vlan 99
!
interface GigabitEthernet1/0/12
 switchport access vlan 99
!
interface GigabitEthernet1/0/13
 switchport access vlan 99
!
interface GigabitEthernet1/0/14
 switchport access vlan 99
!
interface GigabitEthernet1/0/15
 switchport access vlan 99
!
interface GigabitEthernet1/0/16
 switchport access vlan 99
!
interface GigabitEthernet1/0/17
 switchport access vlan 99
!
interface GigabitEthernet1/0/18
 switchport access vlan 99
!
interface GigabitEthernet1/0/19
 switchport access vlan 99
!
interface GigabitEthernet1/0/20
 switchport access vlan 99
!
interface GigabitEthernet1/0/21
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20
 switchport mode trunk
!
interface GigabitEthernet1/0/22
 switchport access vlan 30
!
interface GigabitEthernet1/0/23
 switchport access vlan 5
!
interface GigabitEthernet1/0/24
 description isp_link
 switchport access vlan 5
 service-policy input voip_mark
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 ip address 192.168.0.8 255.255.255.0
!
ip default-gateway 192.168.0.1
ip classless
ip http server
ip http secure-server
!
!
ip access-list extended voice_traffic
 permit ip 80.81.128.0 0.0.15.255 any
 permit ip 103.44.68.0 0.0.3.255 any
 permit ip 104.245.56.0 0.0.7.255 any
 permit ip 185.23.248.0 0.0.3.255 any
 permit ip 192.209.24.0 0.0.7.255 any
 permit ip 199.68.212.0 0.0.3.255 any
 permit ip 199.255.120.0 0.0.3.255 any
 permit ip 208.87.40.0 0.0.3.255 any
!
no cdp run
no cdp tlv location
no cdp tlv app
!
!
!
line con 0
line vty 0 4
 login local
 length 0
 transport input telnet ssh
line vty 5 15
 login
!
ntp clock-period 36028782
ntp server 97.107.129.217

OK, you may be NAT'ing to a public /29 but your nat statements are overloading only the IP assigned to the 'outside' interface. The scenario regarding multiple inside hosts needing TCP/80 on the outside is an operational issue. You have another four addresses available to configure static NAT on...but if you need more than five hosts requiring TCP/80 access you are out of options.

Your switch config looks good.

cheers,
Seb.

OK, very good. I think I'm all set except for one final question...

How does the switch QoS policy handle the VoIP traffic? Is it just giving the VoIP traffic priority over other traffic as defined by the class and the ACL we configured or is it reserving bandwidth? I only ask because I haven't configured the internet bandwidth value anywhere on the ASA so if it is reserving bandwidth (policing I think it's called) how does it know how much to reserve?

I have those two NAT statements overload the interface IP, but I have two other subnets on different IPs. I don't need that many hosts on the same port, it was just a what if to see if there were any problems with doing that other than the one I mentioned with static NAT.
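The thread ends without an answer to the queueing question. As an added example (not from the thread or from Cisco), this Python parses two of the global `mls qos` tables from the switch config Chris posted, the `cos-dscp` map and the egress `dscp-map`, and reports how a packet marked by `policy-map voip_mark` is scheduled. `set dscp ef` writes DSCP 46, and the posted map places DSCP 40 through 47 in output queue 1; on a port configured with `priority-queue out` (Gi1/0/5 in the config) that queue is the expedite queue and is drained before queues 2 to 4 are serviced by their `srr-queue bandwidth share` weights. None of this is policing or a reservation: the policy-map only classifies and re-marks, and the scheduling is per-port egress on the switch, which is why no internet bandwidth figure is needed for it. The config lines inside the block are copied from the thread; the `share_weights` default is the `10 10 60 20` used on the posted ports.

```python
import re

# Copied from the Catalyst 3750 config posted in the thread: the global CoS-to-DSCP
# map and the egress DSCP-to-queue map. These are switch-wide; per-port commands
# (srr-queue bandwidth share, priority-queue out) decide how the queues are serviced.
SWITCH_QOS_CONFIG = """
mls qos map cos-dscp 0 8 16 24 32 46 48 56
mls qos srr-queue output dscp-map queue 1 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 3 threshold 3 32 33 34 35 36 37 38 39
mls qos srr-queue output dscp-map queue 4 threshold 1 8
mls qos srr-queue output dscp-map queue 4 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue output dscp-map queue 4 threshold 3 0 1 2 3 4 5 6 7
"""

DSCP_EF = 46  # the value "set dscp ef" in policy-map voip_mark writes

DSCP_MAP_RE = re.compile(
    r"^mls qos srr-queue output dscp-map queue (\d) threshold (\d) ((?:\d+\s*)+)$"
)
COS_DSCP_RE = re.compile(r"^mls qos map cos-dscp ((?:\d+\s*)+)$")


def parse_output_dscp_map(config: str) -> dict:
    """Return {dscp: (queue, threshold)} built from every output dscp-map line."""
    table = {}
    for line in config.splitlines():
        m = DSCP_MAP_RE.match(line.strip())
        if m:
            queue, threshold = int(m.group(1)), int(m.group(2))
            for dscp in m.group(3).split():
                table[int(dscp)] = (queue, threshold)
    return table


def parse_cos_dscp_map(config: str) -> list:
    """Return a list indexed by CoS 0-7 giving the DSCP an 'mls qos trust cos' port writes."""
    for line in config.splitlines():
        m = COS_DSCP_RE.match(line.strip())
        if m:
            values = [int(v) for v in m.group(1).split()]
            if len(values) != 8:
                raise ValueError("cos-dscp map must list eight DSCP values")
            return values
    raise ValueError("no cos-dscp map in config")


def egress_treatment(dscp: int, table: dict, share_weights=(10, 10, 60, 20),
                     priority_queue_out: bool = True) -> dict:
    """Describe how a port schedules a packet carrying this DSCP.

    With 'priority-queue out', queue 1 is the expedite queue: it is drained before
    the other queues are serviced and its SRR weight is not used. Everything else
    shares the remaining bandwidth in proportion to 'srr-queue bandwidth share'.
    """
    queue, threshold = table[dscp]
    if priority_queue_out and queue == 1:
        service = "strict priority (expedite queue, serviced before queues 2-4)"
    else:
        service = f"shared round robin, weight {share_weights[queue - 1]}"
    return {"dscp": dscp, "queue": queue, "threshold": threshold, "service": service}


if __name__ == "__main__":
    dscp_table = parse_output_dscp_map(SWITCH_QOS_CONFIG)
    cos_table = parse_cos_dscp_map(SWITCH_QOS_CONFIG)
    print("phone frame with CoS 5 on a 'trust cos' port becomes DSCP", cos_table[5])
    for label, dscp in (("EF voice", DSCP_EF), ("best effort", 0), ("CS3", 24)):
        print(label, egress_treatment(dscp, dscp_table))
```

The same parser can be pointed at any `show running-config` from the 3750 to confirm that EF still lands in the expedite queue after someone edits the maps; the thing to check on the trunk and ISP ports is that they carry `mls qos trust dscp`, since without trust the switch rewrites inbound marks to 0 and the map puts the traffic in queue 4 with everything else.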
