03-23-2018 08:36 AM - edited 03-05-2019 10:09 AM
Hi,
We have a branch office in Cologne, which is WAN-connected by a Cisco 1841 (IOS 12.4).
Sometimes people experience quality problems during a conversation.
There are only VoIP phones and thin clients for RDP traffic to the main office, using a 50 Mb line.
This config has been running for a few years now; it was made by somebody who left the company, but I have heard from the users that there have always been VoIP quality problems.
I am posting the config file and hope you can give me some insights into whether I can improve the setup, which in general must be very basic: it should just act as a branch router for RDP clients and VoIP data.
Hope to hear some do's and don'ts and of course the no-go's in this config.
Building configuration...
Current configuration : 16396 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
service password-encryption
service sequence-numbers
!
hostname SVCologne
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
enable secret 5 $1$9EnF$K.OVA6mEfBbhj5bnqDr.c/
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
aaa session-id common
clock timezone CET 1
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
no ip source-route
ip cef
!
!
ip inspect audit-trail
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW microsoft-ds
ip inspect name SDM_LOW ms-cluster-net
ip inspect name SDM_LOW ms-dotnetster
ip inspect name SDM_LOW ms-sna
ip inspect name SDM_LOW ms-sql
ip inspect name SDM_LOW ms-sql-m
ip inspect name SDM_LOW msexch-routing
ip inspect name SDM_LOW netbios-dgm
ip inspect name SDM_LOW netbios-ssn
ip inspect name SDM_LOW r-winsock
ip inspect name SDM_LOW clp
ip inspect name SDM_LOW cisco-net-mgmt
ip inspect name SDM_LOW cisco-sys
ip inspect name SDM_LOW cisco-tna
ip inspect name SDM_LOW cisco-fna
ip inspect name SDM_LOW cisco-tdp
ip inspect name SDM_LOW cisco-svcs
ip inspect name SDM_LOW stun
ip inspect name SDM_LOW tr-rsrb
ip inspect name SDM_LOW ftps
ip inspect name SDM_LOW kermit
ip inspect name SDM_LOW uucp
ip inspect name SDM_LOW nfs
ip inspect name SDM_LOW exec
ip inspect name SDM_LOW telnet
ip inspect name SDM_LOW telnets
ip inspect name SDM_LOW rtelnet
ip inspect name SDM_LOW login
ip inspect name SDM_LOW ssh
ip inspect name SDM_LOW shell
ip inspect name SDM_LOW sshell
ip inspect name SDM_LOW pcanywheredata
ip inspect name SDM_LOW pcanywherestat
ip inspect name SDM_LOW x11
ip inspect name SDM_LOW xdmcp
ip inspect name SDM_LOW entrust-svcs
ip inspect name SDM_LOW n2h2server
ip inspect name SDM_LOW realsecure
ip inspect name SDM_LOW creativeserver
ip inspect name SDM_LOW creativepartnr
ip inspect name SDM_LOW cifs
ip inspect name SDM_LOW fcip-port
ip inspect name SDM_LOW hp-alarm-mgr
ip inspect name SDM_LOW hp-collector
ip inspect name SDM_LOW hp-managed-node
ip inspect name SDM_LOW irc
ip inspect name SDM_LOW irc-serv
ip inspect name SDM_LOW ircs
ip inspect name SDM_LOW ircu
ip inspect name SDM_LOW ipass
ip inspect name SDM_LOW netstat
ip inspect name SDM_LOW nntp
ip inspect name SDM_LOW tarantella
ip inspect name SDM_LOW iscsi-target
ip inspect name SDM_LOW iscsi
ip inspect name SDM_LOW sms
ip inspect name SDM_LOW webster
ip inspect name SDM_LOW who
ip inspect name SDM_LOW ntp
ip inspect name SDM_LOW time
no ip dhcp use vrf connected
ip dhcp excluded-address 172.22.4.255 172.22.7.254
ip dhcp excluded-address 172.22.0.1 172.22.3.255
!
ip dhcp pool SVCologne
import all
network 172.22.0.0 255.255.248.0
default-router 172.22.1.1
domain-name SVCologne
dns-server 194.8.194.60 208.67.220.220
!
!
ip flow-cache timeout active 1
no ip bootp server
ip domain name svcologne.local
ip name-server 194.8.194.60
ip name-server 213.168.112.60
ip name-server 208.67.222.222
ip name-server 208.67.220.220
!
!
crypto pki trustpoint TP-self-signed-1993234793
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1993234793
revocation-check none
rsakeypair TP-self-signed-1993234793
!
!
crypto pki certificate chain TP-self-signed-1993234793
certificate self-signed 01
30820251 308201BA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
55937D5B C2B3C359 6B55F0A8 3A2F20F8 8934DAA3 75CE8647 B708F565 6B315998
A750A0B7 BB7A541D FE5FB82D 3E261A97 8669720E D7B351AA A4D02766 1FD239BD
41276F27 F0C84727 AAC8BB0B 61ACB7F8 6E41EEDA CF
quit
username administrator privilege 15 view root secret 5 $1$/RvC$f987692uehbriwdy9wqdowsahfdoesafd/
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map match-any SDMScave-FastEthernet0/1
match protocol fasttrack
match protocol gnutella
class-map match-any SDMScave-FastEthernet0/0
match protocol fasttrack
match protocol gnutella
class-map match-any SDMTrans-FastEthernet0/1
match protocol telnet
match protocol sip
class-map match-any SDMTrans-FastEthernet0/0
match protocol telnet
match protocol sip
class-map match-any SDMVoice-FastEthernet0/1
match protocol rtp audio
class-map match-any SDMVoice-FastEthernet0/0
match protocol rtp audio
class-map match-any SDMSVideo-FastEthernet0/1
match protocol cuseeme
match protocol netshow
match protocol rtsp
match protocol streamwork
match protocol vdolive
class-map match-any SDMSVideo-FastEthernet0/0
match protocol cuseeme
match protocol netshow
match protocol rtsp
match protocol streamwork
match protocol vdolive
class-map match-any SDMIVideo-FastEthernet0/1
match protocol rtp video
class-map match-any SDMIVideo-FastEthernet0/0
match protocol rtp video
class-map match-any SDMManage-FastEthernet0/0
match protocol dhcp
match protocol dns
match protocol imap
match protocol kerberos
match protocol ldap
match protocol secure-imap
match protocol secure-ldap
match protocol snmp
match protocol socks
match protocol syslog
class-map match-any SDMManage-FastEthernet0/1
match protocol dhcp
match protocol dns
match protocol imap
match protocol kerberos
match protocol ldap
match protocol secure-imap
match protocol secure-ldap
match protocol snmp
match protocol socks
match protocol syslog
class-map match-any SDMRout-FastEthernet0/1
match protocol bgp
match protocol egp
match protocol eigrp
match protocol ospf
match protocol rip
match protocol rsvp
class-map match-any SDMRout-FastEthernet0/0
match protocol bgp
match protocol egp
match protocol eigrp
match protocol ospf
match protocol rip
match protocol rsvp
class-map match-any SDMSignal-FastEthernet0/1
match protocol h323
match protocol rtcp
class-map match-any SDMSignal-FastEthernet0/0
match protocol h323
match protocol rtcp
class-map match-any SDMBulk-FastEthernet0/1
match protocol exchange
match protocol ftp
match protocol irc
match protocol nntp
match protocol pop3
match protocol printer
match protocol secure-ftp
match protocol secure-irc
match protocol secure-nntp
match protocol secure-pop3
match protocol smtp
match protocol tftp
class-map match-any SDMBulk-FastEthernet0/0
match protocol exchange
match protocol ftp
match protocol irc
match protocol nntp
match protocol pop3
match protocol printer
match protocol secure-ftp
match protocol secure-irc
match protocol secure-nntp
match protocol secure-pop3
match protocol smtp
match protocol tftp
!
!
policy-map SDM-Pol-FastEthernet0/1
class SDMManage-FastEthernet0/1
set dscp cs2
priority percent 5
class SDMVoice-FastEthernet0/1
set dscp ef
priority percent 40
class SDMTrans-FastEthernet0/1
set dscp cs3
priority percent 30
policy-map SDM-Pol-FastEthernet0/0
class SDMManage-FastEthernet0/0
set dscp cs2
priority percent 5
class SDMVoice-FastEthernet0/0
set dscp ef
priority percent 40
class SDMTrans-FastEthernet0/0
set dscp cs3
priority percent 30
!
!
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
description $ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$$ETH-LAN$
ip address 172.22.1.1 255.255.248.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip inspect SDM_LOW in
ip inspect SDM_LOW out
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ip route-cache flow
speed 100
full-duplex
traffic-shape group 150 7000000 50000 50000 1000
no mop enabled
service-policy output SDM-Pol-FastEthernet0/0
!
interface FastEthernet0/1
description $FW_OUTSIDE$$ETH-LAN$
ip address 194.8.219.218 255.255.255.248
ip access-group 101 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip inspect SDM_LOW out
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
speed 100
full-duplex
no mop enabled
service-policy output SDM-Pol-FastEthernet0/1
!
ip route 0.0.0.0 0.0.0.0 194.8.219.217 permanent
ip route 194.8.219.218 255.255.255.255 FastEthernet0/0 2 permanent
ip route 194.8.219.219 255.255.255.255 172.22.2.1 3
ip flow-export source FastEthernet0/0
ip flow-export version 9
ip flow-export destination 172.22.2.1 2055
ip flow-top-talkers
top 100
sort-by bytes
cache-timeout 60000
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip nat translation timeout 1800
ip nat pool NetCologne 194.8.219.216 194.8.219.222 netmask 255.255.255.248
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 172.22.2.1 3768 194.8.219.219 3768 extendable
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 172.22.0.0 0.0.7.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 172.22.0.0 0.0.7.255
access-list 2 deny any
access-list 3 remark HTTP Access-class list
access-list 3 remark SDM_ACL Category=1
access-list 3 permit 172.22.0.0 0.0.7.255
access-list 3 deny any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 194.8.219.216 0.0.0.7 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 remark SMTP Block
access-list 100 deny tcp 172.22.0.0 0.0.255.255 any eq smtp log
access-list 100 permit ip any any
access-list 100 remark VOIP Inside UDP
access-list 100 permit udp any eq 5060 any eq 5060 log
access-list 100 remark UDP:SIP signalling and RTP data
access-list 100 permit udp any any log
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark Auto generated by SDM for NTP (123) 213.235.200.208
access-list 101 permit udp host 213.235.200.208 eq ntp host 194.8.219.218 eq ntp
access-list 101 remark OpenDNS
access-list 101 permit udp host 208.67.222.222 eq domain any
access-list 101 remark OpenDNS
access-list 101 permit udp host 208.67.220.220 eq domain any
access-list 101 permit udp host 213.168.112.60 eq domain any
access-list 101 permit udp host 194.8.194.60 eq domain any
access-list 101 remark NetCologne DNS1
access-list 101 permit udp host 213.168.112.60 eq domain host 194.8.219.218
access-list 101 remark NetCologne DNS2
access-list 101 permit udp host 194.8.194.60 eq domain host 194.8.219.218
access-list 101 remark VOIP SomeCity
access-list 101 permit udp host 87.203.25.20 any log
access-list 101 remark Send Scanner
access-list 101 permit ip host 87.203.25.20 any log
access-list 101 deny ip 172.22.0.0 0.0.7.255 any
access-list 101 permit icmp any host 194.8.219.218 echo-reply
access-list 101 permit icmp any host 194.8.219.218 time-exceeded
access-list 101 permit icmp any host 194.8.219.218 unreachable
access-list 101 remark Ping Test
access-list 101 permit ip any host 194.8.219.219 log
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 101 remark UDP:SIP signalling and RTP data
access-list 101 permit udp any any log
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 172.22.0.0 0.0.7.255 any
access-list 102 deny ip any any
access-list 150 permit ip 172.22.4.0 0.0.0.255 any
access-list 150 permit ip any 172.22.4.0 0.0.0.255
snmp-server community SVDESNMP RW
snmp-server community public RO
snmp-server ifindex persist
snmp-server location Cologne
snmp-server contact
no cdp run
!
!
control-plane
!
banner exec ^CCC
*******************************************************
* *
* You have logged on to the Cisco 1841 *
* Unauthorized access to this *
* System/network is prohibited !!!!! *
* *
*******************************************************
^C
banner login ^CCC
*************************************************************************
* *
* NOTICE TO USERS *
* *
* *
*************************************************************************
^C
!
line con 0
login authentication local_authen
transport output telnet
line aux 0
login authentication local_authen
transport output telnet
line vty 0 4
access-class 102 in
authorization exec local_author
login authentication local_authen
transport input telnet ssh
line vty 5 15
access-class 102 in
authorization exec local_author
login authentication local_authen
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp clock-period 17178446
ntp update-calendar
ntp server 213.235.200.208 source FastEthernet0/1 prefer
end
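As an added example (not part of the thread, and not code from the poster or from Cisco), the following Python script runs a few defender-side audit checks over an excerpt of the configuration above. It flags numbered extended ACL entries that sit after a catch-all `ip any any` entry in the same list and can therefore never match (for instance the `log`-tagged VoIP permits that follow `access-list 100 permit ip any any`, and the `permit udp any any log` that follows `access-list 101 deny ip any any log`), clear-text management services (`transport input telnet` on vty lines, `ip http server`), and SNMP communities that use well-known names or grant write access. The embedded config lines are copied from the post; the regex-based parsing is an assumption that is sufficient for this numbered-ACL style of config and is not a general IOS parser.

```python
"""Heuristic audit of a Cisco IOS running-config (added example, not from the thread)."""
import re

# Excerpt of the posted configuration (lines copied from the post above).
CONFIG = """\
ip http server
ip http secure-server
access-list 100 deny tcp 172.22.0.0 0.0.255.255 any eq smtp log
access-list 100 permit ip any any
access-list 100 remark VOIP Inside UDP
access-list 100 permit udp any eq 5060 any eq 5060 log
access-list 100 permit udp any any log
access-list 101 permit udp host 87.203.25.20 any log
access-list 101 deny ip any any log
access-list 101 remark UDP:SIP signalling and RTP data
access-list 101 permit udp any any log
snmp-server community SVDESNMP RW
snmp-server community public RO
line vty 0 4
 access-class 102 in
 transport input telnet ssh
"""

# Numbered extended ACL entry: number, action, protocol, remainder.
# "remark" lines deliberately do not match.
ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(\S+)\s+(.*)$")


def shadowed_acl_entries(config):
    """Return (acl_number, entry) for entries that follow a catch-all
    'permit/deny ip any any' entry of the same ACL and so never match."""
    catch_all_seen = set()
    shadowed = []
    for raw in config.splitlines():
        m = ACL_RE.match(raw.strip())
        if not m:
            continue
        acl, _action, proto, rest = m.groups()
        if acl in catch_all_seen:
            shadowed.append((acl, raw.strip()))
        elif proto == "ip" and rest in ("any any", "any any log"):
            # Everything after this entry in the same list is dead.
            catch_all_seen.add(acl)
    return shadowed


def cleartext_management(config):
    """Report telnet accepted on vty lines and plain HTTP management."""
    findings = []
    current_vty = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("line vty"):
            current_vty = line
        elif line.startswith("line "):
            current_vty = None  # con/aux sections: no transport-input check here
        elif current_vty and line.startswith("transport input") and "telnet" in line.split():
            findings.append(f"{current_vty}: telnet accepted ({line})")
        elif line == "ip http server":
            findings.append("ip http server: clear-text HTTP management enabled")
    return findings


def snmp_community_findings(config):
    """Report SNMP communities with well-known names or write access."""
    findings = []
    for raw in config.splitlines():
        m = re.match(r"^snmp-server community (\S+)\s+(RO|RW)\b", raw.strip())
        if not m:
            continue
        name, mode = m.groups()
        if name.lower() in ("public", "private"):
            findings.append(f"snmp community '{name}' uses a well-known name ({mode})")
        if mode == "RW":
            findings.append(f"snmp community '{name}' grants write access (RW)")
    return findings


def audit(config=CONFIG):
    """Run all checks and return the findings grouped by category."""
    return {
        "shadowed_acl": shadowed_acl_entries(config),
        "management": cleartext_management(config),
        "snmp": snmp_community_findings(config),
    }


if __name__ == "__main__":
    for section, items in audit().items():
        print(section)
        for item in items:
            print("  ", item)
```

Running the script against the full `show running-config` output instead of the excerpt works the same way, since every check only looks at the line prefixes it understands and ignores the rest. A shadowed entry in an interface ACL is worth fixing even when the catch-all above it already permits the traffic, because the `log` keyword on the dead entry never fires and the syslog evidence one expects for SIP and RTP flows is simply absent.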
03-23-2018 10:15 AM
03-23-2018 10:25 AM
Hi,
Can you share the output from
show policy-map int f0/0 out
and
show policy-map int f0/1 out
We would like to see if you have any VoIP matches.
03-26-2018 05:27 AM
Hi Alex,
Used your commands but I get 0 output! So no match at all?
Rgrds, John