×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

Split Internet Bandwidth Using 891

Answered Question

Hi:

I'm pretty new to this, and I've been trying to read up on what I should do. Here's my situation: we have a new 15mps internet connection coming into our building. We also have a new 891 router. We would like to devote 1.5mbs at the highest priority to one LAN which is just used for VOIP phones. We would like to allow one of the other tenants to use up (but no more than) to 5mps for their LAN, and we'd like to be able to use up to 13.5mps for ourselves if it's available, or at least 8.5mps (15-1.5-5=8.5).

From searching in here and reading the various articles on policing and shaping, I'm thinking that we'd want to set up Class-based weighted fair queueing on a per-interface basis, and have one interface connected to our VOIP switch, one connected to the other tenants switch, and one connected to our firewall. Does this sound like the right way to go? And would anyone have an example of a configuration which achieves this?

Thanks in advance for any help.

Bobby

Correct Answer by Alessio Andreoli about 4 years 11 months ago

hi Robert,

if you subnet as i have suggested there is clearly no need to NAT anything... If you instead want to NAT then just follow a classical config in which


a) you have your outside interface (the one facing the SP)

b) you have your inside interface (the one facing your switch or the LAN anyway)

c) an accessl list defining the pool to NAT


Having said this, you are chaniging design while you should take some decisions about your infrastructure. For example, which usage of public space do i want to do?

Do i want to NAT or do i just route the networks out?


Do i have to contact the SP to ask them to change the subnet mask (/25 is a too big mask for a poin-to-point config)?


Please mark this thread as answred and rate me!!!


Alessio

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Alessio Andreoli Thu, 08/23/2012 - 04:18
User Badges:
  • Silver, 250 points or more

Hi Robert,

you are correct in both the cases. You need CBWFQ and internally configuring shaping or policin as it is in your preferences. My suggestion is to deploy a dhcp pool and network only for your neighbour so to write a quite easy policy.


sorry if there are typos !!!!


class-map match-any my_neighbour
  match access-group 101
class-map match-any me
  match access-group 100
!
!
policy-map Internet
  class my_neighbour
   bandwidth 3000
  class me
   bandwidth 10000
  class class-default
   fair-queue


interface  x !(facing Internet)
!

sevice-policy output Internet
!


access-list 100 permit ip 192.168.10.0 0.0.0.255 any ! my traffic
access-list 101 permit ip 192.168.20.0 0.0.0.255 any ! my neighbour traffic


read this doc and you will find all what you need. In this template i didn't care about the VOICE because yours is a very small infrastructure and i do not know if you can really have potential issues for 2 or 3 hops..... by the way the SP then would rewrite possibly your values... You can always add a class in the policy treating VOICE!!


http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfmcli2.html#wp1021859


Take Care
Alessio

      

Please rate if you like it

After a bit of reading I have come up with the following. I think this should work to let all traffic (the access-list All-IP) going through FE0 (connected to our VOIP phones) to have priority up to 1.5Mbps; to let our neighbor plugged into FE1 to use up to 5Mbps; and to let my LAN connected to FE2 use at least 8.5Mbps or all available. Does this look right?


ip access-list All-IP

permit ip any any

!

class-map match-all voip

match access-group All-IP

!

policy-map VOIP-1Mbps

class voip

priority 1500

!

interface FastEthernet0

service-policy output VOIP-1Mbps

service-policy input VOIP-1Mbps

!

class-map match-all neighbor

match access-group All-IP

!

policy-map Restrict-to-5Mbps

class neighbor

set dscp default

police 5000 10000 exceed-action drop

!

interface FastEthernet1

service-policy output Restrict-to-5Mbps

service-policy input Restrict-to-5Mbps

!

class-map match-all my_lan

match access-group All-IP

!

policy-map My-LAN-8Mbps

class my_lan

bandwidth 8500

!

interface FastEthernet2

service-policy output My-LAN-8Mbps

service-policy input My-LAN-8Mbps


Thanks for any advice!

Alessio Andreoli Fri, 08/24/2012 - 11:41
User Badges:
  • Silver, 250 points or more

Hi Robert,

It looks fine to me. Honestly there was not need to apply for each interface a policy in both the directions but it should work.

If one day you will shape the traffic rather than policing it possibly you will see a slight improvement .. Remember that a shaping policy is only applied outbound


If you want to email me full config and topology I can tell you more


Take care


Alessio

I have managed to get all the commands entered I wanted, but when I hook the router up I'm not connected. Here's my setup - if I configure my laptop with one of the static ips assigned by my ISP (say 200.150.140.5), and connect directly to the ethernet from their router, I have access. When I plug their ethernet to the GiabitEthernet0 on my 891, and plug my laptop into FastEthernet0 (leaving it configured with the public IP), I have no connection.


FA0 (the VOIP phones) I would like to be protected with NAT by the 891.  FA1 & FA2 will have their own firwalls and servers running on them,  so I'd like to pass all traffic to them. I hoped that all traffic would  pass on all three to start with, but it seems to be blocking all traffic  instead.


I'm assuming that I'm missing a simple route, and I'm going to get my Cisco CCNA books from home over the weekend, but if you wouldn't mind looking at my config file and pointing out any glaring problems that would be great!


version 15.2

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname router

!

boot-start-marker

boot config usbflash0:CVO-BOOT.CFG

boot-end-marker

!

enable secret 5 xxxxxxxxxxxxxxxxxxxx

!

no aaa new-model

!

crypto pki token default removal timeout 0

!

ip cef

no ipv6 cef

!

multilink bundle-name authenticated

!

license udi pid CISCO891-K9 sn xxxxxxxxxxx

!

username user1 secret 5 xxxxxxxxxxxxxxx.xxxxxxxx.

!

class-map match-all voip

match access-group 99

class-map match-all my-lan

match access-group 99

class-map match-all my-neighbor

match access-group 99

!

policy-map Restrict-to-5Mbps

class my-neighbor

  set dscp default

  police 8000 10000 conform-action transmit  exceed-action drop

policy-map VOIP_1Mbps

class voip

  priority 1500

policy-map My-LAN-8Mbps

class my-lan

  bandwidth 8500

class class-default

  fair-queue

!

interface FastEthernet0

no ip address

service-policy output VOIP_1Mbps

!

interface FastEthernet1

no ip address

service-policy input Restrict-to-5Mbps

service-policy output Restrict-to-5Mbps

!

interface FastEthernet2

no ip address

service-policy output My-LAN-8Mbps

!

interface FastEthernet3

no ip address

!

interface FastEthernet4

no ip address

!

interface FastEthernet5

no ip address

!

interface FastEthernet6

no ip address

!

interface FastEthernet7

no ip address

!

interface FastEthernet8

no ip address

duplex auto

speed auto

!

interface GigabitEthernet0

no ip address

duplex auto

speed auto

!

interface Vlan1

no ip address

!

interface Async1

no ip address

encapsulation slip

!

ip forward-protocol nd

!

no ip http server

no ip http secure-server

!

access-list 99 permit any

!

control-plane

!

mgcp profile default

!

line con 0

logging synchronous

login local

line 1

modem InOut

stopbits 1

speed 115200

flowcontrol hardware

line aux 0

login local

line vty 0 4

login local

transport input all

!

end

Alessio Andreoli Mon, 08/27/2012 - 07:27
User Badges:
  • Silver, 250 points or more

Hi Robert,

the gateway of the last resort , or the next hop for both the LAN 200.150.140.0/26 and 200.150.140.64/26 is the Service prpvider IP address and not an ip address belonging to the LAN. You can even route everything to the layer 3 interface pointing to the ISP if you like. Just a suggestion, think about assigning so many public ip addresses... Essentially my sugestion derives from the fact that many small business company run with /27or even /28 routable (public) subnets !!!


Hope this helps


Rate me if  elped you and mark as answered this thread to improve ifit is


Thanks,

Alessio

Alessio Andreoli Mon, 08/27/2012 - 14:30
User Badges:
  • Silver, 250 points or more

Hi Robert,

there is a simple solution for that. just re-subnet your /25 subnet:


200.150.140.0/29  ! .1 is the ISP and .6 is your own router

200.150.140.8/29  ! reserved (e.g your DMZ)

200.150.140.16/28 ! your LAN with .17 as gateway

200.150.140.32/27 ! your customer LAN (31 public ip addresses!!!) with .33 as gateway

200.150.140.64/26 ! reserved for future use



on the router a simple


ip route 0.0.0.0 0.0.0.0 200.150.140.1


will route all the packets out to the ISP. In case your customer needs a crazy amount of IP addresses you can just assign the /26 to him (.65 would be the gateway) and you get for future use or for another customer the /27.


in this way it is even easier to deploy different dhcp pools.



Alessio

If I subnet like that, how would I deal with using NAT on one interface? I decided to just try to get the VOIP part working, and I came up with the following which does actually work. But now I can't figure out what I should do to get the other interfaces working and routing public ips. Do I add a vlan 2 with an ip address in the 200.150.140.64/26 range? Will that route out through the gigabitethernet0 interface? I haven't been able to get it to work.

Thanks for your continued attention, and I am happy to have at least something working!



ip dhcp pool voippool

network 10.10.10.0 255.255.255.0

default-router 10.10.10.1

domain-name test.com

dns-server 8.8.8.8 8.8.4.4

lease 0 2


interface FastEthernet0

no ip address


interface FastEthernet7

no ip address

!

interface FastEthernet8

no ip address

shutdown

duplex auto

speed auto

!

interface GigabitEthernet0

ip address 200.150.140.2 255.255.255.128

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

!

interface Vlan1

ip address 10.10.10.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

!

interface Async1

no ip address

encapsulation slip

!

ip forward-protocol nd

!

no ip http server

no ip http secure-server

ip nat pool voippool 200.150.140.2 200.150.140.2 netmask 255.255.255.128

ip nat inside source list 23 pool voippool overload

ip route 0.0.0.0 0.0.0.0 200.150.140.1

!

access-list 23 permit 10.10.10.0 0.0.0.255


Correct Answer
Alessio Andreoli Tue, 08/28/2012 - 15:32
User Badges:
  • Silver, 250 points or more

hi Robert,

if you subnet as i have suggested there is clearly no need to NAT anything... If you instead want to NAT then just follow a classical config in which


a) you have your outside interface (the one facing the SP)

b) you have your inside interface (the one facing your switch or the LAN anyway)

c) an accessl list defining the pool to NAT


Having said this, you are chaniging design while you should take some decisions about your infrastructure. For example, which usage of public space do i want to do?

Do i want to NAT or do i just route the networks out?


Do i have to contact the SP to ask them to change the subnet mask (/25 is a too big mask for a poin-to-point config)?


Please mark this thread as answred and rate me!!!


Alessio

Actions

This Discussion

Related Content