10-09-2012 04:04 AM - edited 03-07-2019 09:21 AM
Hi Experts,
This is the existing network diagram; please find the attached file for the configuration of the router and L3 switch:
The ISP provided a 6 Mbps internet access link with Ethernet handoff, which is terminated on a Cisco 1841.
The ISP also provided a pool of 30 public IPs, 125.63.74.33/27, ranging from 125.63.74.34 to 125.63.74.62.
In my current setup, all inside-to-outside traffic goes out through the 125.63.74.34 public IP,
because this public IP is NAT overloaded on the router's F0/1 interface.
1) I want to divide the 6 Mbps link physically into three parts, 2 Mbps, 2 Mbps and 2 Mbps, for three VLANs.
2) I also want to configure each VLAN's IN/OUT traffic with a different public IP. Is this possible or not?
Vlan2 = 172.25.162.0/24 => inside to outside / outside to inside traffic through 125.63.74.40
Vlan3 = 172.25.163.0/24 => inside to outside / outside to inside traffic through 125.63.74.41
Vlan4 = 172.25.164.0/24 => inside to outside / outside to inside traffic through 125.63.74.42
How can I configure the above desired setup with CBWFQ? Please send me a sample configuration.
10-10-2012 01:58 AM
Hello Kuldeep,
1) The .34 is associated with the WAN interface of the router, but with a /27 (not a /30) subnet mask, I suppose.
2) You need to use NAT pools as described here
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml#topic5
Example:
ip nat pool VLAN2-POOL 125.63.74.42 125.63.74.42 prefix-length 27
access-list 12 permit 172.25.162.0 0.0.0.255
ip nat inside source list 12 pool VLAN2-POOL overload
Do in a similar way for the other vlans
note: delete previous nat statement with interface overload and add it as the last one for all those vlans that you don't want to distinguish.
3)
! shape average takes bits per second; bandwidth inside a policy-map takes kbps, so 2 Mbps is "bandwidth 2000"
policy-map PARENT-SHAPE-6Mbps
 class class-default
  shape average 6000000
  service-policy SCHEDULER
!
policy-map SCHEDULER
 class VLAN2
  bandwidth 2000
 class VLAN3
  bandwidth 2000
 class class-default
!
interface WAN
 service-policy output PARENT-SHAPE-6Mbps
The parent shaper builds a logical pipe of 6 Mbps. Queueing is used as the child policy to ensure at least the stated bandwidth to each traffic class. The mechanism is elastic and allows the use of unused bandwidth left by another traffic class.
The key point is how to define the traffic classes VLAN2 and VLAN3.
a) Making the assumption that NAT has already taken place, we can discriminate based on the source public IP address:
access-list 72 permit host 125.63.74.42
access-list 73 permit host 125.63.74.43
class-map VLAN2
 match access-group 72
class-map VLAN3
 match access-group 73
b) Marking inbound to specific values of IP precedence and then matching on IP precedence outbound;
this would mean marking packets as received on the internal LAN of the C1841.
I would suggest you test method a) first.
Edit:
modified configuration of class-maps introducing the correct match command match access-group instead of match address
Hope to help
Giuseppe
10-09-2012 03:55 PM
1) So you are not using any IP other than .34,.40-42?
2) You can overload each vlan to a particular set of IP addresses in order to get NATting to work
3) You can shape the traffic corresponding to each of the vlans to 2 Mbps with a parent shaper of 6 Mbps
One such variant of the config is here
http://www.cisco.com/en/US/docs/ios/12_1t/12_1t2/feature/guide/clsbsshp.html#wp1025800
10-09-2012 09:04 PM
1) Currently I am using only two IPs from the public IP pool.
Router ip = 125.63.74.34
Mail server = 125.63.74.50 (static NAT with local IP 172.25.162.100)
2) How do I overload specific VLAN traffic with a specific IP, not with a set of IP addresses
(please do not consider dynamic NAT)? Please explain with the necessary commands.
3) Very good URL for understanding, but I am unable to see the "class-map match-all or any xyz" command
in the URL which you sent.
10-10-2012 01:27 AM
Anyone else who can help and clarify?
10-10-2012 02:29 AM
Hi Giuseppe,
As always, your answers are appreciated.
2) You have configured the NAT pool with standard access list 12. Can I configure
the same with extended access list 101?
3) Where will I configure QoS CBWFQ: Router 1841 or Cisco 3560 switch?
10-10-2012 02:59 AM
Hello Kuldeep,
2) Only standard ACLs can be invoked directly in an ip nat inside source statement.
see
An extended ACL can be referenced only within a route-map; the route-map is then used in the ip nat inside source statement.
Be aware that you need a different ACL for each NAT pool / IP subnet so the use of a standard ACL is appropriate.
ip nat pool VLAN2-POOL 125.63.74.40 125.63.74.40 prefix-length 27
access-list 12 permit 172.25.162.0 0.0.0.255
ip nat inside source list 12 pool VLAN2-POOL overload
!
ip nat pool VLAN3-POOL 125.63.74.41 125.63.74.41 prefix-length 27
access-list 13 permit 172.25.163.0 0.0.0.255
ip nat inside source list 13 pool VLAN3-POOL overload
!
ip nat pool VLAN4-POOL 125.63.74.42 125.63.74.42 prefix-length 27
access-list 14 permit 172.25.164.0 0.0.0.255
ip nat inside source list 14 pool VLAN4-POOL overload
If you use an extended ACL for all other NAT translations, you need to deny the subnets that have a specific NAT pool.
So your access-list 101 may become:
access-list 101 deny ip 172.25.162.0 0.0.0.255 any
access-list 101 deny ip 172.25.163.0 0.0.0.255 any
access-list 101 deny ip 172.25.164.0 0.0.0.255 any
access-list 101 permit ip 172.25.160.0 0.0.31.255 any
!
route-map NAT-OTHER permit 10
 match ip address 101
!
ip nat inside source route-map NAT-OTHER interface WAN overload
3)
Nested policy Shaper + CBWFQ is applied on internet facing interface of Cisco 1841
Edit:
modified last line of acl 101 with correct wildcard mask
Hope to help
Giuseppe
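To check which public address each inside host would end up behind under the pools and the route-map rule shown above, here is a small model of the NAT selection (added example, not Giuseppe's or Cisco's code). It assumes first-match evaluation of the dynamic rules in configuration order and consults the static mail-server translation from earlier in the thread first; the function names are my own.

```python
import ipaddress

# Constructed model of the NAT rules in the post above; first-match in configuration
# order is an assumption of this model, not a statement about IOS internals.
# Standard ACL entries as (action, network, wildcard). ACL 101 uses the corrected
# 0.0.31.255 wildcard for 172.25.160.0/19.
ACLS = {
    12: [("permit", "172.25.162.0", "0.0.0.255")],
    13: [("permit", "172.25.163.0", "0.0.0.255")],
    14: [("permit", "172.25.164.0", "0.0.0.255")],
    101: [("deny", "172.25.162.0", "0.0.0.255"),
          ("deny", "172.25.163.0", "0.0.0.255"),
          ("deny", "172.25.164.0", "0.0.0.255"),
          ("permit", "172.25.160.0", "0.0.31.255")],
}
# Static translation for the mail server (inside local -> inside global); it is
# more specific than any dynamic rule, so it is consulted first.
STATIC_NAT = {"172.25.162.100": "125.63.74.50"}
# Dynamic 'ip nat inside source' statements as (ACL, inside global address);
# ACL 101 stands for the route-map NAT-OTHER rule overloading the .34 WAN address.
DYNAMIC_NAT = [(12, "125.63.74.40"), (13, "125.63.74.41"),
               (14, "125.63.74.42"), (101, "125.63.74.34")]
# A naive catch-all for comparison: the same /19 permit without the deny lines.
NAIVE_ACL_101 = [("permit", "172.25.160.0", "0.0.31.255")]


def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(network)) & care)


def acl_permits(entries, addr):
    for action, network, wildcard in entries:
        if wildcard_match(addr, network, wildcard):
            return action == "permit"
    return False  # implicit deny at the end of every IOS ACL


def inside_global_for(addr, rules=DYNAMIC_NAT, acls=ACLS):
    """Public address an inside host's outbound sessions are translated to, or None."""
    if addr in STATIC_NAT:
        return STATIC_NAT[addr]
    for acl_id, global_addr in rules:
        if acl_permits(acls[acl_id], addr):
            return global_addr
    return None  # no translation rule applies to this source


def catch_all_first_breaks_vlan_pools():
    """Why the generic overload rule must come last and deny the pooled subnets."""
    acls = {**ACLS, 101: NAIVE_ACL_101}
    rules = [(101, "125.63.74.34")] + DYNAMIC_NAT[:3]
    return inside_global_for("172.25.163.10", rules, acls)  # .34 instead of the VLAN3 pool
```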
10-10-2012 03:16 AM
Hi Giuseppe,
I have the following basic queries:
1. I have one confusion with the NAT pool suggested by you. I want to know in which direction this pool works:
Inside to outside
OR
Outside to inside
OR
Both
For example, if we talk about VLAN2, then inside-to-outside and outside-to-inside traffic
should go through the 125.63.74.40 public IP. Will that happen or not?
2) Can I configure specific public-IP traffic for a specific VLAN through the method in the URL given below?
Please check this link and see OPTION 2 of this thread and suggest.
3) I want to ask a general question: if I access the internet from my LAN PC,
then what will I call it:
Traffic coming to inside OR traffic going to outside?
10-10-2012 04:25 AM
Hello Kuldeep,
1) Inside-to-outside NAT translations are triggered when a packet has to go from the inside to the outside.
This means that internet access will work well. If there is a server that should be accessed from outside, a different configuration is needed (static NAT using one public IP address).
2)
In theory it is not supported; see the comment on the same web page. The command reference does not list this possibility. However, the use of NAT pools is not so difficult to understand and it works for sure. Also, NAT pools have names that can help to understand the configuration.
3)
The whole question is who starts the session and in which direction: when you access the internet from your PC you are opening TCP sessions from inside to outside, which is the same direction that NAT overload works.
Hope to help
Giuseppe
10-10-2012 06:01 AM
Hi Giuseppe,
Actually this problem is related to the mail server (Lotus Domino) and
I am unable to control spam. I want to secure the mail server at the
router or switch end. If it is not possible through that, then
I will purchase McAfee Gateway security software for the mail server.
If you have any solution then suggest it to me, so that I do not have to buy any software.
Network description of the existing setup, as I already discussed with you:
Router ip = 125.63.74.34
Mail server = 125.63.74.50 ( @xyz.com)
ip nat inside source static 172.25.162.100 125.63.74.50
I configured one of the VLAN2 IPs, i.e. 172.25.162.100, for the mail server and mapped it to the public IP at the router end.
1) I want to know, when any outside domain user sends mail to our mail server,
which public IP that request hits first to enter inside:
125.63.74.34 OR 125.63.74.50
10-10-2012 06:37 AM
Hello Kuldeep,
The mail server will be contacted on 125.63.74.50, as the static NAT is more specific.
Also, the static NAT allows for communications started from outside to inside. NAT overload is only for sessions started from inside to outside.
For more safety it would be wise to deny the internal host in the ACL used for NAT overload, to avoid competition.
>> I am unable to control spam. I want to secure the mail server at the
router or switch end. If it is not possible through that, then
I will purchase McAfee Gateway security software for the mail server
No, the router cannot inspect the mail contents to discard spam; you need a software-based product running on the mail server, like the one you have mentioned.
Hope to help
Giuseppe
10-10-2012 07:27 AM
Hey G Larosa, I have a few questions for you if you don't mind.
policy-map PARENT-SHAPE-6Mbps
 class class-default
  shape average 6000000
  service-policy SCHEDULER
!
policy-map SCHEDULER
 class VLAN2
  bandwidth 2000000
 class VLAN3
  bandwidth 2000000
 class class-default
!
interface WAN
 service-policy output PARENT-SHAPE-6Mbps
I understand the first policy map, but I didn't see you apply the SCHEDULER policy map anywhere.
Also, what is the difference between bandwidth and shape average? I assume shape only allows
6000000 and bandwidth allows only 2000000, but can use additional bandwidth if it is not being used by the
other classes?
10-10-2012 11:17 AM
Hello John,
The SCHEDULER policy is invoked within the parent policy:
policy-map PARENT-SHAPE-6Mbps
.....
>> service-policy SCHEDULER
This is an example of hierarchical modular QoS. The parent policy is a shaper that shapes all traffic to 6 Mbps.
This creates a logical pipe of 6 Mbps speed.
The child policy is a form of CBWFQ that is triggered when shaping is in action. It provides at least 2 Mbps to each traffic class when traffic is shaped (CBWFQ is always on with newer IOS images running the new HQF).
CBWFQ is elastic and allows a class to use more than the stated rate if there is bandwidth available.
Hope to help
Giuseppe
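A small checker for the parent-shaper / child-CBWFQ pair discussed in the two posts above (added example, not code from the thread or from Cisco). It parses the policy-map text, confirms the child is referenced from the parent, and catches the unit trap that bites this exact configuration: shape average is in bits per second while bandwidth is in kbps. The config text is constructed here and the function names are my own.

```python
# Constructed IOS text reproducing the nested shaper + CBWFQ from the posts above;
# 'shape average' takes bps and 'bandwidth' takes kbps, so 2 Mbps is 'bandwidth 2000'.
GOOD_CONFIG = """
policy-map PARENT-SHAPE-6Mbps
 class class-default
  shape average 6000000
  service-policy SCHEDULER
policy-map SCHEDULER
 class VLAN2
  bandwidth 2000
 class VLAN3
  bandwidth 2000
 class class-default
"""
# Same policy with the unit mistake (2000000 kbps = 2 Gbps per class).
BAD_CONFIG = GOOD_CONFIG.replace("bandwidth 2000", "bandwidth 2000000")


def parse_policy_maps(text):
    """Return {name: {"shape_bps": int|None, "child": str|None, "bandwidth_kbps": {class: kbps}}}."""
    maps, current, cls = {}, None, None
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "policy-map":
            current = maps.setdefault(words[1], {"shape_bps": None, "child": None, "bandwidth_kbps": {}})
        elif words[0] == "class":
            cls = words[1]
        elif words[:2] == ["shape", "average"]:
            current["shape_bps"] = int(words[2])
        elif words[0] == "service-policy":
            current["child"] = words[1]
        elif words[0] == "bandwidth":
            current["bandwidth_kbps"][cls] = int(words[1])
    return maps


def check_hierarchy(maps, parent):
    """List the problems a reviewer would flag in a parent shaper / child CBWFQ pair."""
    problems, p = [], maps[parent]
    if p["shape_bps"] is None:
        problems.append(f"{parent}: no shape average; CBWFQ only engages when the shaper creates congestion")
    child = p["child"]
    if child not in maps:
        problems.append(f"{parent}: child policy {child!r} is not defined")
        return problems
    total_kbps = sum(maps[child]["bandwidth_kbps"].values())
    if p["shape_bps"] is not None and total_kbps * 1000 > p["shape_bps"]:
        problems.append(f"{child}: class bandwidths sum to {total_kbps} kbps, more than the {p['shape_bps']} bps shaper")
    return problems
```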
10-11-2012 12:56 AM
Hi Giuseppe,
I have some questions:
1) You have already checked this link, under which the syntax of the command was not correct.
ip nat inside source list 2 192.168.1.2 overload
ip nat inside source list 3 192.168.1.3 overload
ip nat inside source list 4 192.168.1.4 overload
2) This is another URL for the same thing, which is published by a CCIE
professional. Please check it once. I think the command given below is
incorrect. Am I right?
ip nat inside source list 1 interface 192.168.1.1 overload
3) I have a pool of 30 public IPs and presently I am using only 6 public IPs
with static NAT, and the remaining 24 public IPs are not usable.
So I want to create a VLAN with the remaining public IPs; after that
I will use this public-IP VLAN in the LAN, where I can put a direct public
IP on any computer. How can I do this? Please explain with configuration.
OR
Please suggest the same method at the router end if I buy one FastEthernet
port HWIC card for the router (because the 1841 has 2 FE ports). Through this
extra FE port on the router, I can use the remaining public IPs. In this
scenario, I will connect a simple hub to the router's new FE port and
then connect some computers to the hub, where I will put public IPs
on those computers directly. Here the concept is something like a DMZ. ??
10-11-2012 01:41 AM
Hello Kuldeep,
1) 2) I strongly recommend referring to Cisco documentation instead of looking for somebody else's study notes found on the internet.
Command syntax errors can be easily verified: it is enough to try to enter the command in the router, and if an error is present the CLI will tell you "error at ^" and the command is not accepted. That's all.
Also, the command as proposed in 2) looks wrong. But you can easily test it as explained above.
3)
My understanding of your current scenario is the following:
The ISP has given you a /27 public IP subnet with the .34 address assigned to the internet-facing interface of your C1841.
You cannot subnet this space without making agreements with the ISP.
To further subnet this space you need to work with the ISP so that you convert the /27 into two /28s, dividing the address space in two parts.
Without this operation, you cannot assign overlapping IP addresses in the router; IOS does not allow this.
So a change with impact on service would be needed on your side and on the ISP side, to be done during a maintenance window.
You can consider the following alternative:
just use static NAT translations, but with a dedicated internal subnet for servers.
I would not add hardware to your router; all you need is to use static NAT translations for those servers you would like to be accessed from outside, like you did for the mail server.
It is a good idea to put these servers in their own internal IP subnet, which you can call your DMZ, so creating a new VLAN (on the Cisco 3560 switch) and a new VLAN-based subinterface on the C1841 is a good idea.
Putting all servers accessed from the internet in a separate subnet is good for security.
Hope to help
Giuseppe