08-22-2012 08:12 AM - edited 03-04-2019 05:20 PM
Hi:
I'm pretty new to this, and I've been trying to read up on what I should do. Here's my situation: we have a new 15 Mbps internet connection coming into our building. We also have a new 891 router. We would like to devote 1.5 Mbps at the highest priority to one LAN which is just used for VOIP phones. We would like to allow one of the other tenants to use up to (but no more than) 5 Mbps for their LAN, and we'd like to be able to use up to 13.5 Mbps for ourselves if it's available, or at least 8.5 Mbps (15-1.5-5=8.5).
From searching in here and reading the various articles on policing and shaping, I'm thinking that we'd want to set up Class-based weighted fair queueing on a per-interface basis, and have one interface connected to our VOIP switch, one connected to the other tenants switch, and one connected to our firewall. Does this sound like the right way to go? And would anyone have an example of a configuration which achieves this?
Thanks in advance for any help.
Bobby
08-22-2012 09:15 AM
Actually, on further consideration, I'm not sure that Class-based is what we need - really we want to do bandwidth policing or shaping for all protocols on a per-interface basis. Does that sound correct? Thanks,
Bobby
08-23-2012 04:18 AM
Hi Robert,
you are correct in both cases. You need CBWFQ and, inside it, shaping or policing, as you prefer. My suggestion is to deploy a DHCP pool and network only for your neighbour, so as to write a quite easy policy.
sorry if there are typos !!!!
class-map match-any my_neighbour
 match access-group 101
class-map match-any me
 match access-group 100
!
policy-map Internet
 class my_neighbour
  bandwidth 3000
 class me
  bandwidth 10000
 class class-default
  fair-queue
!
! the interface facing the Internet; queueing policies apply outbound only
interface x
 service-policy output Internet
!
! my traffic
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
! my neighbour's traffic
access-list 101 permit ip 192.168.20.0 0.0.0.255 any
Read this doc and you will find all that you need. In this template I didn't care about the VOICE because yours is a very small infrastructure and I do not know if you can really have potential issues for 2 or 3 hops..... by the way, the SP would then possibly rewrite your values... You can always add a class in the policy treating VOICE!!
http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfmcli2.html#wp1021859
Take Care
Alessio
Please rate if you like it
08-23-2012 07:24 AM
Thanks Alessio - that's great, both your example and the reference look like they'll let me get this going. I appreciate it!
Bobby
08-24-2012 09:25 AM
After a bit of reading I have come up with the following. I think this should work to let all traffic (the access-list All-IP) going through FE0 (connected to our VOIP phones) to have priority up to 1.5Mbps; to let our neighbor plugged into FE1 to use up to 5Mbps; and to let my LAN connected to FE2 use at least 8.5Mbps or all available. Does this look right?
ip access-list extended All-IP
 permit ip any any
!
class-map match-all voip
 match access-group name All-IP
!
policy-map VOIP-1Mbps
 class voip
  priority 1500
!
interface FastEthernet0
 service-policy output VOIP-1Mbps
 service-policy input VOIP-1Mbps
!
class-map match-all neighbor
 match access-group name All-IP
!
policy-map Restrict-to-5Mbps
 class neighbor
  set dscp default
  ! police rate is in bits per second: 5 Mbps is 5000000, not 5000
  police 5000000 10000 exceed-action drop
!
interface FastEthernet1
 service-policy output Restrict-to-5Mbps
 service-policy input Restrict-to-5Mbps
!
class-map match-all my_lan
 match access-group name All-IP
!
policy-map My-LAN-8Mbps
 class my_lan
  bandwidth 8500
!
interface FastEthernet2
 service-policy output My-LAN-8Mbps
 service-policy input My-LAN-8Mbps
Thanks for any advice!
08-24-2012 11:41 AM
Hi Robert,
It looks fine to me. Honestly there was no need to apply a policy to each interface in both directions, but it should work.
If one day you shape the traffic rather than policing it, you will possibly see a slight improvement... Remember that a shaping policy is only applied outbound.
If you want to email me full config and topology I can tell you more
Take care
Alessio
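A small simulation, added here and not Alessio's or Cisco's code, of the difference between the two actions he mentions: the same 5 Mbps / 10000-byte token bucket as the thread's police statement is run once as a policer (excess is dropped) and once as a shaper (excess is queued). The 100 Mbps ingress rate, 1500-byte packets and the 20-packet burst are constructed inputs, and the bucket model illustrates the principle rather than the router's exact implementation.

```python
# Added illustration of policing vs shaping with the thread's parameters
# (CIR 5,000,000 bit/s, Bc 10000 bytes); not Cisco's implementation.
CIR_BPS = 5_000_000          # from `police 5000000 10000`
BC_BYTES = 10_000            # committed burst from the same statement
LINE_RATE_BPS = 100_000_000  # constructed: FastEthernet ingress speed

def burst(n_packets, size=1500, line_rate=LINE_RATE_BPS):
    """Arrival times (s) of n back-to-back packets at line rate."""
    gap = size * 8 / line_rate
    return [(i * gap, size) for i in range(n_packets)]

def police(packets, cir=CIR_BPS, bc=BC_BYTES):
    """Policer: bucket refills at cir/8 bytes/s up to bc; a packet that
    finds enough tokens is sent, otherwise dropped (exceed-action drop).
    Returns (sent, dropped)."""
    tokens, last = bc, 0.0
    sent = dropped = 0
    for t, size in packets:
        tokens = min(bc, tokens + (t - last) * cir / 8)
        last = t
        if size <= tokens:
            tokens -= size
            sent += 1
        else:
            dropped += 1
    return sent, dropped

def shape(packets, cir=CIR_BPS, bc=BC_BYTES):
    """Shaper: same bucket, but a packet short of tokens waits in a FIFO
    until enough accrue. Nothing is lost; returns worst queueing delay (s)."""
    tokens, clock = bc, 0.0   # clock: departure time of the previous packet
    worst = 0.0
    for t, size in packets:
        now = max(t, clock)                        # FIFO: wait for predecessor
        tokens = min(bc, tokens + (now - clock) * cir / 8)
        if size > tokens:                          # stall until bucket holds size
            now += (size - tokens) * 8 / cir
            tokens = size
        tokens -= size
        clock = now
        worst = max(worst, now - t)
    return worst

if __name__ == "__main__":
    pkts = burst(20)            # 30000 bytes arriving in 2.3 ms at 100 Mbps
    print("policer sent/dropped:", police(pkts))             # (7, 13)
    print("shaper worst delay (s):", round(shape(pkts), 5))  # 0.02972
```

The same 30000-byte burst loses 13 of 20 packets under the policer, while the shaper delivers all of them at the cost of up to about 30 ms of queueing, which is why the latency-sensitive VOIP class is given `priority` rather than either treatment.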
08-24-2012 11:47 AM
Thanks for looking! Yes, I figured out after I posted that the both directions thing was overkill. I'm going to try it out and see how it works.
08-24-2012 01:33 PM
I have managed to get all the commands entered I wanted, but when I hook the router up I'm not connected. Here's my setup - if I configure my laptop with one of the static IPs assigned by my ISP (say 200.150.140.5), and connect directly to the ethernet from their router, I have access. When I plug their ethernet into GigabitEthernet0 on my 891, and plug my laptop into FastEthernet0 (leaving it configured with the public IP), I have no connection.
FA0 (the VOIP phones) I would like to be protected with NAT by the 891. FA1 & FA2 will have their own firewalls and servers running on them, so I'd like to pass all traffic to them. I hoped that all traffic would pass on all three to start with, but it seems to be blocking all traffic instead.
I'm assuming that I'm missing a simple route, and I'm going to get my Cisco CCNA books from home over the weekend, but if you wouldn't mind looking at my config file and pointing out any glaring problems that would be great!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot config usbflash0:CVO-BOOT.CFG
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
!
crypto pki token default removal timeout 0
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid CISCO891-K9 sn xxxxxxxxxxx
!
username user1 secret 5 xxxxxxxxxxxxxxx.xxxxxxxx.
!
class-map match-all voip
match access-group 99
class-map match-all my-lan
match access-group 99
class-map match-all my-neighbor
match access-group 99
!
policy-map Restrict-to-5Mbps
class my-neighbor
set dscp default
! police rate is in bits per second: 5 Mbps is 5000000 (8000 bps is the minimum IOS accepts)
police 5000000 10000 conform-action transmit exceed-action drop
policy-map VOIP_1Mbps
class voip
priority 1500
policy-map My-LAN-8Mbps
class my-lan
bandwidth 8500
class class-default
fair-queue
!
interface FastEthernet0
no ip address
service-policy output VOIP_1Mbps
!
interface FastEthernet1
no ip address
service-policy input Restrict-to-5Mbps
service-policy output Restrict-to-5Mbps
!
interface FastEthernet2
no ip address
service-policy output My-LAN-8Mbps
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
no ip address
!
interface FastEthernet5
no ip address
!
interface FastEthernet6
no ip address
!
interface FastEthernet7
no ip address
!
interface FastEthernet8
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0
no ip address
duplex auto
speed auto
!
interface Vlan1
no ip address
!
interface Async1
no ip address
encapsulation slip
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
access-list 99 permit any
!
control-plane
!
mgcp profile default
!
line con 0
logging synchronous
login local
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
login local
line vty 0 4
login local
transport input all
!
end
08-27-2012 07:19 AM
One more wrinkle - we're splitting up the IP range so that we get 200.150.140.2-62 with a gateway of .1, and the neighbor gets 200.150.140.66-126 with a gateway of .65. I guess I'd make the gateway of last resort be .1?
Thanks for any advice!
08-27-2012 07:27 AM
Hi Robert,
the gateway of last resort, or the next hop for both the LANs 200.150.140.0/26 and 200.150.140.64/26, is the service provider IP address and not an IP address belonging to the LAN. You can even route everything to the layer 3 interface pointing to the ISP if you like. Just a suggestion, think about assigning so many public IP addresses... Essentially my suggestion derives from the fact that many small business companies run with /27 or even /28 routable (public) subnets !!!
Hope this helps
Rate me if it helped you and mark this thread as answered if it is
Thanks,
Alessio
08-27-2012 01:08 PM
Thanks Alessio:
It's still not working but I appreciate your help!
200.150.140.1 is the ISP next hop; there was mention of .65 being a gateway also, our ISP may have set that up. .1 certainly works when I hook my laptop up directly. But when I try to go through the router, no luck.
Thanks,
Bobby
08-27-2012 02:30 PM
Hi Robert,
there is a simple solution for that. just re-subnet your /25 subnet:
200.150.140.0/29 ! .1 is the ISP and .6 is your own router
200.150.140.8/29 ! reserved (e.g your DMZ)
200.150.140.16/28 ! your LAN with .17 as gateway
200.150.140.32/27 ! your customer LAN (31 public ip addresses!!!) with .33 as gateway
200.150.140.64/26 ! reserved for future use
on the router a simple
ip route 0.0.0.0 0.0.0.0 200.150.140.1
will route all the packets out to the ISP. In case your customer needs a crazy amount of IP addresses you can just assign the /26 to him (.65 would be the gateway) and you get for future use or for another customer the /27.
in this way it is even easier to deploy different dhcp pools.
Alessio
08-28-2012 02:48 PM
If I subnet like that, how would I deal with using NAT on one interface? I decided to just try to get the VOIP part working, and I came up with the following, which does actually work. But now I can't figure out what I should do to get the other interfaces working and routing public IPs. Do I add a VLAN 2 with an IP address in the 200.150.140.64/26 range? Will that route out through the GigabitEthernet0 interface? I haven't been able to get it to work.
Thanks for your continued attention, and I am happy to have at least something working!
ip dhcp pool voippool
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
domain-name test.com
dns-server 8.8.8.8 8.8.4.4
lease 0 2
interface FastEthernet0
no ip address
interface FastEthernet7
no ip address
!
interface FastEthernet8
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0
ip address 200.150.140.2 255.255.255.128
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Vlan1
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Async1
no ip address
encapsulation slip
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip nat pool voippool 200.150.140.2 200.150.140.2 netmask 255.255.255.128
ip nat inside source list 23 pool voippool overload
ip route 0.0.0.0 0.0.0.0 200.150.140.1
!
access-list 23 permit 10.10.10.0 0.0.0.255
08-28-2012 03:32 PM
Hi Robert,
if you subnet as I have suggested there is clearly no need to NAT anything... If you instead want to NAT then just follow a classical config in which
a) you have your outside interface (the one facing the SP)
b) you have your inside interface (the one facing your switch or the LAN anyway)
c) an access list defining the pool to NAT
Having said this, you are changing design while you should take some decisions about your infrastructure. For example, what use of public space do I want to make?
Do I want to NAT or do I just route the networks out?
Do I have to contact the SP to ask them to change the subnet mask (/25 is too big a mask for a point-to-point config)?
Please mark this thread as answered and rate me!!!
Alessio
08-29-2012 06:37 AM
Thanks for all your help!