nosx, reply to tubbynet:
Re: Cisco router on stick + cable modem. Yes, but my post included a picture. ;P LessThan3 tubby.
reply to chgo_man99:
To echo what Doc and Tubby are after, here's my config for DHCP Comcast on a stick.
Make sure CEF is on for the sub-interfaces. For some reason, when I initially created them, they had "no ip route-cache" on them. I found that this basically disables CEF on that interface and they process-switch. It cut my throughput to about 6.5 Mbps on just a download speed test...
Interfaces
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.5
description INSIDE VLAN-5
encapsulation dot1Q 5
ip address 192.168.5.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no cdp enable
!
interface FastEthernet0/0.10
description OUTSIDE
bandwidth 2000
bandwidth receive 12000
encapsulation dot1Q 10
ip address dhcp
ip access-group FW_IN in
ip nat outside
ip virtual-reassembly
no cdp enable
service-policy output OUT_WAN
!
NAT ACL
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 1 remark NAT_ACL
NAT
ip nat inside source list 1 interface FastEthernet0/0.10 overload
Current show ip interface brief
Interface            IP-Address        OK? Method Status   Protocol
FastEthernet0/0      unassigned        YES NVRAM  up       up
FastEthernet0/0.5    192.168.5.1       YES NVRAM  up       up
FastEthernet0/0.10   67.170.###.###    YES DHCP   up       up
Full Running-Config
Building configuration...
Current configuration : 3115 bytes
!
version 12.4
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 ################
!
no aaa new-model
clock timezone PST -8
clock summer-time PDT recurring
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
ip domain name ################
!
!
username ################
!
!
class-map match-any QoS_Iron
match access-group name QoS_Iron
class-map match-any QoS_Gold
match access-group name QoS_Gold
class-map match-any QoS_Silv
match access-group name QoS_Silv
class-map match-any QoS_Plat
match access-group name QoS_Plat
!
!
policy-map OUT_WAN
class QoS_Plat
shape average 64000
class QoS_Gold
shape average 128000
class QoS_Silv
shape average 768000
class QoS_Iron
shape average 768000
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.5
description INSIDE VLAN-5
encapsulation dot1Q 5
ip address 192.168.5.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no cdp enable
!
interface FastEthernet0/0.10
description OUTSIDE
bandwidth 2000
bandwidth receive 12000
encapsulation dot1Q 10
ip address dhcp
ip access-group FW_IN in
ip nat outside
ip virtual-reassembly
no cdp enable
service-policy output OUT_WAN
!
interface FastEthernet0/0.11
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/0.10 overload
ip nat inside source static tcp 192.168.5.10 39472 interface FastEthernet0/0.10 39472
!
ip access-list extended FW_IN
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.0.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 255.0.0.0 0.255.255.255 any log
permit tcp any eq domain any
permit udp any eq domain any
permit udp any eq bootps any log
permit tcp any eq www any
permit tcp any any eq 39472
permit udp any any eq 39472
permit tcp any any established
deny ip any any log
ip access-list extended QoS_Bron
ip access-list extended QoS_Gold
permit tcp any any eq 1119
permit tcp any any eq 3724
permit tcp any any eq 4000
permit tcp any any range 6112 6114
ip access-list extended QoS_Iron
permit tcp any eq 39472 any
permit udp any eq 39472 any
permit tcp any range 39500 39550 any
ip access-list extended QoS_Plat
permit tcp any any eq domain
permit udp any any eq domain
ip access-list extended QoS_Silv
permit tcp any any eq www
permit tcp any any eq 443
!
logging 192.168.5.10
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 1 remark NAT_ACL
snmp-server view mib2 mib-2 included
snmp-server community public RO
!
!
line con 0
line aux 0
line vty 0 4
login local
transport input ssh
!
ntp clock-period 17208084
ntp server 66.220.1.205
!
end
Anyway, hopefully you've already got this working. Regardless, this can be for the next guy trying to be gucci with their Cisco gear at home.
- Andrew
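A practitioner reading the FW_IN list above will want to know exactly what it lets through. Three of its permits key only on the source port (permit tcp any eq domain any, permit udp any eq domain any, permit tcp any eq www any), so any Internet host that sources a connection from port 53 or 80 reaches every port on the WAN address, including the router's own SSH listener on the vty lines, and "established" matches any TCP segment with ACK or RST set, not a tracked session. The script below is an added example, not part of the original post and not Cisco code: it re-implements IOS first-match extended-ACL semantics (wildcard masks, eq/range ports, established) in Python and runs the posted FW_IN text against constructed packets. The WAN address 67.170.0.1 and the TEST-NET source addresses are stand-ins.

```python
"""IOS first-match extended-ACL evaluator (added example, not from the post).
FW_IN is copied from the post above; WAN_IP, source addresses and packets are constructed."""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"domain": 53, "www": 80, "bootps": 67, "bootpc": 68}

FW_IN = """
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.0.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 255.0.0.0 0.255.255.255 any log
permit tcp any eq domain any
permit udp any eq domain any
permit udp any eq bootps any log
permit tcp any eq www any
permit tcp any any eq 39472
permit udp any any eq 39472
permit tcp any any established
deny ip any any log
"""

@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False   # ACK or RST set: the only thing "established" tests

def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)

def _parse_addr(t, i):
    """'any' | 'host A' | 'A WILDCARD' -> ((net, wildcard), next index)."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (int(ipaddress.IPv4Address(t[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(t[i])), int(ipaddress.IPv4Address(t[i + 1]))), i + 2

def _parse_port(t, i):
    """Optional 'eq P' | 'range A B' -> ((lo, hi) or None, next index)."""
    if i < len(t) and t[i] == "eq":
        return (_port(t[i + 1]), _port(t[i + 1])), i + 2
    if i < len(t) and t[i] == "range":
        return (_port(t[i + 1]), _port(t[i + 2])), i + 3
    return None, i

def parse_acl(text):
    entries = []
    for line in text.strip().splitlines():
        t = line.split()                      # action proto src [port] dst [port] [flags]
        src, i = _parse_addr(t, 2)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        entries.append((t[0], t[1], src, sport, dst, dport, "established" in t[i:], line))
    return entries

def _addr_match(spec, ip):
    net, wild = spec
    care = ~wild & 0xFFFFFFFF                 # wildcard 1-bits are "don't care"
    return (int(ipaddress.IPv4Address(ip)) & care) == (net & care)

def _port_match(spec, port):
    return spec is None or spec[0] <= port <= spec[1]

def evaluate(entries, pkt):
    """(action, matching entry text); first match wins, then the implicit deny."""
    for action, proto, src, sport, dst, dport, est, text in entries:
        if proto != "ip" and proto != pkt.proto:
            continue
        if not (_addr_match(src, pkt.src) and _addr_match(dst, pkt.dst)):
            continue
        if not (_port_match(sport, pkt.sport) and _port_match(dport, pkt.dport)):
            continue
        if est and not (pkt.proto == "tcp" and pkt.ack):
            continue
        return action, text
    return "deny", "implicit deny"

ACL = parse_acl(FW_IN)
WAN_IP = "67.170.0.1"   # constructed stand-in for the router's DHCP address

SAMPLES = {
    "ssh_from_sport53": Packet("tcp", "203.0.113.5", WAN_IP, sport=53, dport=22),    # source-port trick
    "ssh_syn_normal":   Packet("tcp", "203.0.113.5", WAN_IP, sport=40000, dport=22),
    "torrent_udp":      Packet("udp", "203.0.113.5", WAN_IP, sport=1234, dport=39472),
    "https_reply":      Packet("tcp", "198.51.100.7", WAN_IP, sport=443, dport=50000, ack=True),
    "spoofed_rfc1918":  Packet("tcp", "10.1.2.3", WAN_IP, sport=53, dport=22),
}

def verdicts():
    return {name: evaluate(ACL, p)[0] for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, p in SAMPLES.items():
        print(f"{name:17} -> {evaluate(ACL, p)}")
```

Running it shows the SYN to port 22 from a normal ephemeral source port falling through to the final deny, while the same SYN sourced from port 53 is accepted by the DNS permit. The usual fix for this class of list is to write the reply permits with the destination port range restricted (or use CBAC/zone-based inspection so replies are admitted by state rather than by source port); the script lets you test such a rewrite offline before applying it to the outside sub-interface.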
flq06, reply to chgo_man99:
I haven't read the last post on the thread, but just to clarify the definition of router on a stick:
Router on a stick means multiple subinterfaces (VLANs) on one physical interface, so even if you have a dedicated WAN interface and are using multiple VLANs on the LAN, it is still a router on a stick.
Pass your CCNP certification and you will agree.
(Source: BSCI & BCMSN certification guides)
reply to chgo_man99:
I tried the suggested configuration above and it works!
Thanks for your support, guys!
I configured my Xbox with a static IP so I could open NAT to it with an ip inside static configuration.
My running-config on C1721:
Current configuration : 3689 bytes
!
! Last configuration change at 12:20:53 UTC Wed Aug 13 2008
! NVRAM config last updated at 12:17:24 UTC Wed Aug 13 2008
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname c1700
!
enable secret 5 $1$7Ktw$kQilIdOAz9RNzmoz5KCCq.
!
username tbabula privilege 15 password 0 sidewander9
ip subnet-zero
!
!
ip dhcp excluded-address 192.168.2.1 192.168.2.5
ip dhcp excluded-address 192.168.2.254
!
ip dhcp pool IP-Pool
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 75.75.75.75 75.75.76.76
domain-name comcast.net
lease 5
!
ip cef
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
class-map match-any QoS_Iron
match access-group name QoS_Iron
class-map match-any QoS_Gold
match access-group name QoS_Gold
class-map match-any QoS_Silv
match access-group name QoS_Silv
class-map match-any QoS_Plat
match access-group name QoS_Plat
class-map match-any QoS-Gold
match access-group name Qos_Gold
class-map match-any QoS-Silv
match access-group name Qos_Silv
class-map match-any QoS-Plat
match access-group name Qos_Plat
class-map match-any QoS-Iron
match access-group name Qos_Iron
!
!
policy-map OUT_WAN
class QoS_Plat
shape average 64000
class QoS_Gold
shape average 128000
class QoS_Silv
shape average 768000
class QoS_Iron
shape average 768000
!
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
speed auto
full-duplex
no cdp enable
!
interface FastEthernet0.1
description inside vlan 2
encapsulation dot1Q 1 native
ip address 192.168.2.1 255.255.255.0
ip nat inside
no cdp enable
!
interface FastEthernet0.2
description OUTSIDE
encapsulation dot1Q 2
ip address dhcp
ip access-group FW_IN in
ip nat outside
no cdp enable
!
interface Virtual-Template1
ip unnumbered FastEthernet0.2
peer default ip address pool IP-Pool
no keepalive
ppp encrypt mppe auto
ppp authentication pap chap ms-chap
!
ip nat translation timeout 900
ip nat translation tcp-timeout 600
ip nat translation udp-timeout 400
ip nat translation dns-timeout 300
ip nat translation icmp-timeout 120
ip nat translation max-entries 4000
ip nat inside source list 1 interface FastEthernet0.2 overload
ip nat inside source static 192.168.2.3 interface FastEthernet0.2
no ip classless
no ip http server
no ip http secure-server
!
!
!
ip access-list extended FW_IN
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.0.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 255.0.0.0 0.255.255.255 any log
permit tcp any eq domain any
permit udp any eq domain any
permit udp any eq bootps any log
permit tcp any eq www any
permit tcp any any eq 39472
permit udp any any eq 39472
permit tcp any any established
deny ip any any log
ip access-list extended QoS_Gold
permit tcp any any eq 1119
permit tcp any any eq 3724
permit tcp any any eq 4000
permit tcp any any range 6112 6114
ip access-list extended QoS_Iron
permit tcp any eq 39472 any
permit udp any eq 39472 any
permit tcp any range 39500 39550 any
permit tcp any range 29550 39500 any
permit tcp any any eq 3074
permit udp any any eq 3074
permit udp any any eq 88
ip access-list extended QoS_Plat
permit tcp any any eq domain
permit udp any any eq domain
ip access-list extended QoS_Silv
permit tcp any any eq www
permit tcp any any eq 443
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 remark NAT_ACL
no cdp run
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
password cisco
login
transport input telnet ssh
!
!
end
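Two things in the running-config above are worth a mechanical check rather than an eyeball pass. IOS accepts an ip access-group or match access-group name statement that names an ACL which does not exist, and an interface with a nonexistent ACL applied filters nothing, so a one-character typo in the name silently removes the firewall; ACL names are also compared case-sensitively, so Qos_Gold and QoS_Gold are different lists. The script below is an added example, not from the thread or from Cisco: it cross-checks every ACL reference in a config against the definitions and flags the management settings a reviewer would question on an Internet-facing router (telnet on the vty lines, type-0 passwords, the default SNMP community). SAMPLE is constructed from fragments of the c1721 config above with a made-up username and password; lint() returns the findings as strings and can be fed a saved "show running-config" directly.

```python
"""Lint an IOS running-config for dangling ACL references and weak management
settings (added example, not from the thread). SAMPLE is constructed from
fragments of the c1721 config above, with a made-up user and password."""
import re

SAMPLE = """\
no service password-encryption
username admin privilege 15 password 0 Example123
snmp-server community public RO
class-map match-any QoS-Gold
 match access-group name Qos_Gold
class-map match-any QoS_Gold
 match access-group name QoS_Gold
interface FastEthernet0.2
 ip address dhcp
 ip access-group FW-IN in
 ip nat outside
ip nat inside source list 1 interface FastEthernet0.2 overload
ip access-list extended FW_IN
 deny ip 10.0.0.0 0.255.255.255 any log
 permit tcp any any established
 deny ip any any log
ip access-list extended QoS_Gold
 permit tcp any any eq 3724
access-list 1 permit 192.168.2.0 0.0.0.255
line vty 0 4
 password cisco
 login
 transport input telnet ssh
"""

# Where ACLs are defined (named lists and numbered lists) ...
DEFINES = [
    re.compile(r"^ip access-list (?:standard|extended) (\S+)$"),
    re.compile(r"^access-list (\d+) "),
]
# ... and where they are referenced by name or number.
REFERENCES = [
    re.compile(r"^ip access-group (\S+) (?:in|out)$"),
    re.compile(r"^match access-group name (\S+)$"),
    re.compile(r"^ip nat inside source list (\S+) "),
]
# Management settings a reviewer would flag on an Internet-facing router.
WEAK = [
    (re.compile(r"^no service password-encryption$"), "passwords stored in cleartext in the config"),
    (re.compile(r"\bpassword 0 \S+$"), "type-0 (cleartext) user password"),
    (re.compile(r"^password \S+$"), "line password with no type, i.e. cleartext"),
    (re.compile(r"^transport input .*\btelnet\b"), "telnet accepted on a vty line"),
    (re.compile(r"^snmp-server community (?:public|private) "), "default SNMP community string"),
    (re.compile(r"^ip http server$"), "HTTP management server enabled"),
]

def _norm(name):
    """Loose form used only to suggest the list the author probably meant."""
    return name.lower().replace("-", "_")

def lint(config):
    defined, refs, findings = set(), [], []
    for raw in config.splitlines():
        ln = raw.strip()
        if not ln or ln.startswith("!"):
            continue
        for rx in DEFINES:
            if m := rx.match(ln):
                defined.add(m.group(1))
        for rx in REFERENCES:
            if m := rx.match(ln):
                refs.append((m.group(1), ln))
        for rx, why in WEAK:
            if rx.search(ln):
                findings.append(f"weak: {why}: '{ln}'")
    for name, ln in refs:
        if name in defined:          # exact match only: IOS ACL names are case-sensitive
            continue
        near = [d for d in defined if _norm(d) == _norm(name)]
        hint = f" (did you mean '{near[0]}'?)" if near else ""
        findings.append(f"dangling: ACL '{name}' referenced in '{ln}' is not defined{hint}")
    return findings

if __name__ == "__main__":
    for f in lint(SAMPLE):
        print(f)
```

On the constructed sample the linter reports two dangling references (FW-IN on the outside sub-interface, Qos_Gold in the duplicate class-map) and the cleartext/telnet/SNMP findings; a config whose references all resolve and whose management plane is SSH-only with type-5 or stronger secrets produces an empty list.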
blguy07 - glad to see you're up and running. You really don't need that entire config, though. There's a lot of QoS crap in there. All the policy-map, class-map, and associated ACLs are for my outbound QoS.
It's an interesting subject, though, if you want to read up on it.
reply to chgo_man99:
I copied your ACL to filter traffic from the Internet. The firewall test websites report my ports as being in stealth mode.
I also wanted to implement some sort of QoS to optimize traffic, but I was not sure if your QoS list is very customized to your needs or broad enough that anybody could use it. Nevertheless, I implemented it.
I had a problem opening NAT to the Xbox, even after adding port 3074, so I DMZ'd it with a static IP and static rules.
reply to chgo_man99:
said by chgo_man99: "I also wanted to implement some sort of QoS to optimize traffic, but I was not sure if your QoS list is very customized to your needs or broad enough that anybody could use it. Nevertheless, I implemented it."
What kind of traffic did you want to prioritize? You should be able to keep the bare skeleton of what hairynavel has and adapt it to your own needs.
Regards
said by HELLFIRE: "What kind of traffic did you want to prioritize? You should be able to keep the bare skeleton of what hairynavel has and adapt it to your own needs. Regards"
Thanks, but I already simplified it. I kept only the FW_IN ACL rules.
reply to chgo_man99:
Basically, what I'm trying to give here is four levels of QoS. The different ACLs are there to match traffic, which is then shaped by the policy-map. Here's what they each do:
QoS_Plat matches any outbound DNS requests, and I give it 64kbps. So no matter what I'm doing on any other machine, I'll always be able to get DNS requests out.
permit tcp any any eq domain
permit udp any any eq domain
QoS_Gold is for World of Warcraft. WoW doesn't use very much in/out, so it works fine with 128kbps. Again, I can BitTorrent till the cows come home, but I'll also be able to play WoW with a decent ping.
permit tcp any any eq 1119
permit tcp any any eq 3724
permit tcp any any eq 4000
permit tcp any any range 6112 6114
QoS_Silv is for internet browsing, 768kbps.
permit tcp any any eq www
permit tcp any any eq 443
QoS_Iron is for BitTorrent, 768kbps.
permit tcp any eq 39472 any
permit udp any eq 39472 any
permit tcp any range 39500 39550 any
So 64+128+768+768 = 1728kbps, with my Comcast upload being 2,000kbps. My ACLs match pretty much all the types of traffic that leave my router outbound. This gives everything its fair cut of outgoing bandwidth. So that's what it's all for.