1 ISP + Public IPs + Bandwidth Distribution + VLANs

Kuldeep singh (Level 1)

Hi Experts,

This is the existing network diagram; the attached file contains the configuration of the Router and the L3 Switch:

[Attachment: Nattt.JPG]

The ISP provided a 6 Mbps internet access link with Ethernet handoff, which is terminated on a Cisco 1841.

The ISP also provided a pool of 30 public IPs, 125.63.74.33/27, range from 125.63.74.34 to 125.63.74.62.

In my current setup, all inside-to-outside traffic goes out through the 125.63.74.34 public IP, because this public IP is NAT-overloaded on the router's F0/1 interface.

1) I want to divide the 6 Mbps link physically into three parts, 2 Mbps, 2 Mbps and 2 Mbps, for three VLANs.

2) I also want to configure each VLAN's IN/OUT traffic with a different public IP. Is it possible or not?

Vlan2 = 172.25.162.0/24 => inside-to-outside / outside-to-inside traffic through 125.63.74.40

Vlan3 = 172.25.163.0/24 => inside-to-outside / outside-to-inside traffic through 125.63.74.41

Vlan4 = 172.25.164.0/24 => inside-to-outside / outside-to-inside traffic through 125.63.74.42

How can I configure the above desired setup with CBWFQ? Please send me a sample configuration.

Accepted Solution

Hello Kuldeep,

1) The .34 is associated with the WAN interface of the router, but with a /27, not a /30; I suppose a /27 subnet mask.

2)  You need to use NAT pools as described here

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml#topic5

Example:

ip nat pool VLAN2-POOL 125.63.74.42 125.63.74.42 prefix-length 27
access-list 12 permit 172.25.162.0 0.0.0.255
ip nat inside source list 12 pool VLAN2-POOL overload

Do the same for the other VLANs.

Note: delete the previous NAT statement with interface overload and add it back as the last one, for all those VLANs that you don't want to distinguish.

3)

! shape average takes bps (6000000 = 6 Mbps); bandwidth takes kbps (2000 = 2 Mbps)
policy-map PARENT-SHAPE-6Mbps
 class class-default
  shape average 6000000
  service-policy SCHEDULER
!
policy-map SCHEDULER
 class VLAN2
  bandwidth 2000
 class VLAN3
  bandwidth 2000
 class class-default
!
! WAN stands for the internet-facing interface (F0/1 in this setup)
interface WAN
 service-policy output PARENT-SHAPE-6Mbps

The parent shaper builds a logical pipe of 6 Mbps. Queueing is used as the child policy to ensure at least the stated bandwidth to each traffic class. The mechanism is elastic and allows a class to use unused bandwidth left by another traffic class.

The key point is how to define the traffic classes VLAN2 and VLAN3.

a) Making the assumption that NAT has already taken place, we can discriminate based on the source public IP address:

access-list 72 permit host 125.63.74.42
access-list 73 permit host 125.63.74.43
!
class-map VLAN2
 match access-group 72
class-map VLAN3
 match access-group 73

b) Marking inbound to specific values of IP precedence and then matching on IP precedence outbound; this would mean marking packets as received on the internal LAN of the C1841.

I would suggest you test method a) first.

Edit:

Modified the configuration of the class-maps, introducing the correct match command, match access-group, instead of match address.

Hope to help

Giuseppe


23 Replies

skarthic (Cisco Employee)

1) So you are not using any IP other than .34 and .40-.42?

2) You can overload each VLAN to a particular set of IP addresses in order to get NATting to work.

3) You can shape the traffic corresponding to each of the VLANs to 2 Mbps with a parent shaper of 6 Mbps.

One such variant of the config is here:

http://www.cisco.com/en/US/docs/ios/12_1t/12_1t2/feature/guide/clsbsshp.html#wp1025800

1) Currently I am using only two IPs from the public IP pool.

     Router IP = 125.63.74.34

     Mail server = 125.63.74.50 (static NAT with local IP 172.25.162.100)

2) How do I overload specific VLAN traffic with a specific IP, not with a set of IP addresses (please do not consider dynamic NAT)? Please explain with the necessary commands.

3) A very good URL for understanding, but I am unable to see a "class-map match-all or any xyz" command in the URL you sent.

Anyone else who can help and clarify?


Hi Giuseppe,

As always, your answers are appreciated.

2) You have configured the NAT pool with standard access list 12; can I configure the same with extended access list 101?

3) Where will I configure QoS CBWFQ => the Router 1841 OR the Cisco 3560 switch?

Hello Kuldeep,

2) Only standard ACLs can be invoked directly in an ip nat source statement; see

http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr/command/ipaddr-i4.html#GUID-50AB3423-9AB0-4706-BEF8-2772F1C8C662

An extended ACL can be referenced only within a route-map; the route-map is then used in the ip nat source statement.

Be aware that you need a different ACL for each NAT pool / IP subnet, so the use of a standard ACL is appropriate.

ip nat pool VLAN2-POOL 125.63.74.40 125.63.74.40 prefix-length 27
access-list 12 permit 172.25.162.0 0.0.0.255
ip nat inside source list 12 pool VLAN2-POOL overload
!
ip nat pool VLAN3-POOL 125.63.74.41 125.63.74.41 prefix-length 27
access-list 13 permit 172.25.163.0 0.0.0.255
ip nat inside source list 13 pool VLAN3-POOL overload
!
ip nat pool VLAN4-POOL 125.63.74.42 125.63.74.42 prefix-length 27
access-list 14 permit 172.25.164.0 0.0.0.255
ip nat inside source list 14 pool VLAN4-POOL overload

If you use an extended ACL for all other NAT translations, you need to deny the subnets that have a specific NAT pool. So your access-list 101 may become:

access-list 101 deny ip 172.25.162.0 0.0.0.255 any
access-list 101 deny ip 172.25.163.0 0.0.0.255 any
access-list 101 deny ip 172.25.164.0 0.0.0.255 any
access-list 101 permit ip 172.25.160.0 0.0.31.255 any
!
route-map NAT-OTHER permit 10
 match ip address 101
!
! WAN stands for the internet-facing interface (F0/1 in this setup)
ip nat inside source route-map NAT-OTHER interface WAN overload

3) The nested policy (shaper + CBWFQ) is applied on the internet-facing interface of the Cisco 1841.

Edit:

Modified the last line of ACL 101 with the correct wildcard mask.

Hope to help

Giuseppe

Hi Giuseppe,

I have the following basic queries:

1) I have one confusion with the NAT pool suggested by you: I want to know in which direction this pool works =>

   inside to outside

       OR

   outside to inside

       OR

   both

For example, if we talk about VLAN2, then inside-to-outside and outside-to-inside traffic should go through the 125.63.74.40 public IP. Will that happen or not?

2) Can I configure specific public-IP traffic for a specific VLAN with the method at the URL given below:

http://www.anythingoverip.co.za/tutorials/course-content/ccna/configuring-pat-on-cisco-routers-nat-overload/

Please check this link, see OPTION 2 of that thread, and advise me.

3) I want to ask a general question: if I access the internet from my LAN PC, then what do I call it: traffic coming to the inside OR traffic going to the outside?

Hello Kuldeep,

1) Inside-to-outside NAT translations are triggered when a packet has to go from the inside to the outside; this means that internet access will work well. If there is a server that should be accessed from outside, a different configuration is needed (static NAT using one public IP address).

2) In theory it is not supported; see the comment on the same web page. The command reference does not list this possibility; however, the use of NAT pools is not so difficult to understand and it works for sure. Also NAT pools have names that can help in understanding the configuration.

3) The whole question is who starts the session and in which direction: when you access the internet from your PC you are opening TCP sessions from inside to outside, which is the same direction in which NAT overload works.

Hope to help

Giuseppe

Hi Giuseppe,

Actually this problem is related to the mail server (Lotus Domino) and I am unable to control spam. I want to secure the mail server at the router or switch end. If it is not possible through them, then afterwards I will purchase McAfee Gateway security software for the mail server.

If you have any solution then suggest it to me, so that I do not have to buy any software.

Network description of the existing setup, as I already discussed with you:

Router IP    =  125.63.74.34

Mail server  =  125.63.74.50  ( @xyz.com)

ip nat inside source static 172.25.162.100 125.63.74.50

I configured one of the VLAN2 IPs, i.e. 172.25.162.100, for the mail server and mapped it to a public IP at the router end.

1) I want to know, when any outside domain user sends mail to our mail server, which public IP that request hits first to enter inside:

     125.63.74.34    OR     125.63.74.50

Hello Kuldeep,

The mail server will be contacted on 125.63.74.50, as the static NAT is more specific.

Also, the static NAT allows for communications started from outside to inside. NAT overload works only for sessions started from inside to outside.

For more safety it would be wise to deny the internal host in the ACL used for NAT overload, to avoid competition.

>> I am unable to control spam. I want to secure the mail server at the router or switch end. If it is not possible through them, then afterwards I will purchase McAfee Gateway security software for the mail server.

No, the router cannot inspect the mail contents to discard spam; you need a software-based product running on the mail server, like the one you have mentioned.

Hope to help

Giuseppe
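As an added illustration (not part of the thread or of any poster's configuration), here is a small Python model of how the NAT statements discussed above select a translation for an inside host, plus a check for the "competition" Giuseppe warns about: a statically NATed host that is still matched by an overload ACL. The subnets, pool addresses and the mail server's static NAT are the ones from the thread; the assumption that dynamic rules are tried in the listed order is a simplification, and only the source half of ACL 101 is modelled.

```python
import ipaddress

# Constructed from the thread's final NAT layout: one standard ACL per VLAN
# pool, the mail server's static NAT, and ACL 101 (via route-map NAT-OTHER)
# overloaded on the WAN address. Only the source half of ACL 101 is modelled.
ACLS = {
    12: [("permit", "172.25.162.0", "0.0.0.255")],
    13: [("permit", "172.25.163.0", "0.0.0.255")],
    14: [("permit", "172.25.164.0", "0.0.0.255")],
    101: [("deny", "172.25.162.0", "0.0.0.255"),
          ("deny", "172.25.163.0", "0.0.0.255"),
          ("deny", "172.25.164.0", "0.0.0.255"),
          ("permit", "172.25.160.0", "0.0.31.255")],
}
STATIC_NAT = {"172.25.162.100": "125.63.74.50"}  # mail server
# (ACL number, public address) of each 'ip nat inside source ... overload'
# rule; the interface overload for "all other" traffic is listed last.
OVERLOAD_RULES = [(12, "125.63.74.40"), (13, "125.63.74.41"),
                  (14, "125.63.74.42"), (101, "125.63.74.34")]

def acl_permits(acl, src):
    """First-match IOS ACL check for a source IPv4 address: a wildcard bit of 1
    is 'don't care', so compare address and network under NOT wildcard. Implicit deny."""
    a = int(ipaddress.IPv4Address(src))
    for action, net, wild in acl:
        n, w = int(ipaddress.IPv4Address(net)), int(ipaddress.IPv4Address(wild))
        if (a & ~w) == (n & ~w):
            return action == "permit"
    return False

def translate(src, acls=ACLS):
    """Public address an inside host uses for an inside-to-outside session, or
    None. Static entries are the most specific and win; the dynamic rules are
    assumed (simplification) to be tried in the order listed."""
    if src in STATIC_NAT:
        return STATIC_NAT[src]
    for acl_no, public in OVERLOAD_RULES:
        if acl_permits(acls[acl_no], src):
            return public
    return None

def overload_acls_covering(host, acls=ACLS):
    """Overload ACLs that still match a statically NATed host; per the advice
    above this should be empty, otherwise the host competes for a dynamic entry."""
    return [n for n, _ in OVERLOAD_RULES if acl_permits(acls[n], host)]

# Hardened ACL 12: deny the mail server host before the subnet permit.
HARDENED = {**ACLS, 12: [("deny", "172.25.162.100", "0.0.0.0")] + ACLS[12]}
```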

Hey G Larosa, I have a few questions for you if you don't mind.

policy-map PARENT-SHAPE-6Mbps
 class class-default
  shape average 6000000
  service-policy SCHEDULER
!
policy-map SCHEDULER
 class VLAN2
  bandwidth 2000
 class VLAN3
  bandwidth 2000
 class class-default
!
interface WAN
 service-policy output PARENT-SHAPE-6Mbps

I understand the first policy map, but I didn't see you apply the SCHEDULER policy map anywhere.

Also, what is the difference between bandwidth and shape average? I'm assuming shape only allows 6000000, and bandwidth allows only 2000000 but can use additional bandwidth if it is not being used by the other classes?

Hello John,

The SCHEDULER policy is invoked within the parent policy:

policy-map PARENT-SHAPE-6Mbps

.....

>> service-policy SCHEDULER

This is an example of hierarchical modular QoS. The parent policy is a shaper that shapes all traffic to 6 Mbps.

This creates a logical pipe of 6 Mbps speed.

The child policy is a form of CBWFQ that is triggered when shaping is in action. It provides at least 2 Mbps to each traffic class when traffic is shaped (CBWFQ is always on in newer IOS images running the new HQF).

CBWFQ is elastic and allows a class to use more than the stated rate if there is bandwidth available.

Hope to help

Giuseppe

Hi Giuseppe,

I have some questions:

1) You have already checked this link, in which the syntax of the commands was not correct.

http://www.anythingoverip.co.za/tutorials/course-content/ccna/configuring-pat-on-cisco-routers-nat-overload/

ip nat inside source list 2 192.168.1.2 overload

ip nat inside source list 3 192.168.1.3 overload

ip nat inside source list 4 192.168.1.4 overload

2) This is another URL for the same, published by a CCIE professional; please check it once. I think the command given below is incorrect. Am I right?

    http://blog.sazza.de/?p=75

    ip nat inside source list 1 interface 192.168.1.1 overload


3) I have a pool of 30 public IPs, and presently I am using only 6 public IPs with static NAT; the remaining 24 public IPs are not usable. So I want to create a VLAN with the remaining public IPs, after which I will use this public-IP VLAN in the LAN, where I can put a public IP directly on any computer. How can I do this? Please explain with configuration.

                                   OR

   Please suggest the same method at the router end if I buy one FastEthernet port HWIC card for the router (because the 1841 has 2 FE ports). Through this extra FE port on the router I can use the remaining public IPs. In this scenario, I will connect a simple hub to the router's new FE port and then connect some computers to the hub, where I will put public IPs on those computers directly. Here the concept is something like a DMZ. ??


Hello Kuldeep,

1) 2) I strongly recommend referring to Cisco documentation instead of looking at somebody else's study notes found on the internet.

Command syntax errors can be easily verified: it is enough to try to enter the command in the router, and if an error is present the CLI will tell you "error at ^" and the command is not accepted. That's all.

Also, the command as proposed in 2) looks wrong. But you can easily test it as explained above.

3)

My understanding of your current scenario is the following:

ISP has given you a /27 public IP subnet with .34 address assigned to the internet facing interface of your C1841.

You cannot subnet this space without an agreement with the ISP.

To further subnet this space you need to work with the ISP so that you convert the /27 into two /28s, dividing the address space in two parts.

Without this operation, you cannot assign overlapping IP addresses in the router; IOS does not allow this.

So a change with impact on service would be needed on your side and on ISP side to be done during a maintenance window.

You can consider the following alternative:

Just use static NAT translations, but with a dedicated internal subnet for servers.

I would not add hardware to your router; all you need is to use static NAT translations for those servers you would like to be accessed from outside, like you did for the mail server.

It is a good idea to put these servers in their own internal IP subnet, which you can call your DMZ, so creating a new VLAN (on the Cisco 3560 switch) and a new VLAN-based subinterface on the C1841 is a good idea.

Putting all servers accessed from the internet in a separate subnet is good for security.

Hope to help

Giuseppe
