 guardy
join:2006-03-19 New Zealand
| [Config] Setting up QOS/prioritisation on an 877
Hi all,
First post and it's an appeal for some help ... 
First of all, what I have: Cisco 877 router with 128 MB RAM/28 MB flash running IP Adv IOS 12.4(6)T. This is on a PPPoA ADSL connection with 2 Mb down and 128 kb up.
The problem is mainly when using Bittorrent (the client I use is uTorrent 1.5). Whenever this is running, everything else slows down - web, ftp, latency for gaming goes through the roof. This appears to be also when it is transferring very little. As soon as uTorrent is closed, things speed up. I've read a number of other threads that suggest that the upload is causing problems with the ACKs not getting through or perhaps the NAT table is filling up.
When I check the memory usage it doesn't seem to be excessive. Would the CPU/memory usage be affected with the NAT table filling? I'm guessing the memory usage may increase but the CPU wouldn't increase?
So what are my options for getting around this? I was hoping there would be a way of adding QOS to the config that basically put the priority for any p2p or bittorrent usage at the bottom of the list and everything else above (or something like that - if I can get it working, I may fine-tune it further) ...
The other option I considered trying was having another machine using DMZ and having that download. I believe that would solve the NAT issue? Or am I not correct in that assumption?
Are there any other options I have?
If you've read this far, I appreciate you taking the time ...  Any info or suggestions will be gratefully received ...
Cheers, Steve |
|
  TomS_ debugger it Premium,MVM join:2002-07-19 Australia
| said by guardy: "So what are my options for getting around this?"
Don't use P2P and you'll be fine (in more ways than one..)
Of course, you could always close your P2P program when you want to do something like game, or download something off the net.
Just bear in mind though, that you can't really do much in the way of controlling what comes over your link to you. That needs to be done from your ISP's end of the link. You can really only control what goes out of your link, so you might not get the best result.
You can give HTTP/email/etc requests top priority leaving your network, but if you have 2-3 people sending you a constant stream in bit torrent you will have issues where browsing etc might still be slow.
For best results the same QOS policy needs to be implemented at both ends.
I don't have any info on hand at the moment, but if you search Cisco's website you are bound to find something there which might help you. |
|
 guardy
join:2006-03-19 New Zealand
| Well, I don't tend to run BT 24/7 but I just find it frustrating that when I do wish to use it, I have to make sure no-one else is doing anything online. (Normally that would just be my wife wishing to do some gaming, but that's enough reason to not just go ahead and start a BT transfer ... )
I can understand that there is little control over what is sent, however isn't TCP/IP a two way transfer - as in the data can be throttled, either from the BT client or from a program such as ... Netlimiter? (haven't used it before, but the name rings a bell) or even as a function of TCP/IP?
In any case, the problems occur even when the upstream and/or downstream aren't saturated. For example if I'm transferring a file via ftp and turn on BT the ftp transfer will become very erratic speed-wise and the overall speeds for both transfers will drop (and cause browsing, etc to slow). Hence I was thinking it *may* be something related to NAT, though I was kinda hoping that an 877 would be okay with this (being new and the "latest and greatest" in terms of a home router from Cisco). Or perhaps it is and I'm missing something in the config, hence the thought of prioritising traffic from the router. If it's not saturating the link, then surely other traffic being given the priority would help?
Anyway, I hope my rambling makes some sense.
Thanks again ...  Steve |
|
  TomS_ debugger it Premium,MVM join:2002-07-19 Australia
| reply to guardy Can you post your config minus passwords and anything else that would make you identifiable.
Cheers |
|
 guardy
join:2006-03-19 New Zealand
| I'm sure there are a number of things that could be improved in the config, but I don't think it's *critically* bad ... 
Having said that, I'll take any advice that is forthcoming - once again, it'll be hugely appreciated ...
Thanks, Steve
Mercury877#sh run
Building configuration...

Current configuration : 7119 bytes
!
! Last configuration change at 15:21:11 NZST Sun Mar 19 2006 by Steve
! NVRAM config last updated at 21:58:45 NZDT Tue Mar 14 2006
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
service password-encryption
service sequence-numbers
no service dhcp
!
hostname Mercury877
!
boot-start-marker
boot-end-marker
!
logging buffered 10240 debugging
logging console critical
enable secret xxxxx
!
no aaa new-model
!
resource policy
!
clock timezone NZST 12
clock summer-time NZDT recurring 1 Sun Oct 2:00 3 Sun Mar 3:00
no ip source-route
ip cef
!
no ip bootp server
no ip domain lookup
ip domain name local
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall cuseeme
ip inspect name firewall h323
ip inspect name firewall rcmd
ip inspect name firewall realaudio
ip inspect name firewall streamworks
ip inspect name firewall vdolive
ip inspect name firewall sqlnet
ip inspect name firewall tftp
ip inspect name firewall ftp
ip inspect name firewall icmp
ip inspect name firewall sip
ip inspect name firewall esmtp max-data 52428800
ip inspect name firewall fragment maximum 256 timeout 1
ip inspect name firewall netshow
ip inspect name firewall pptp
ip inspect name firewall rtsp
ip inspect name firewall skinny
ip ips notify SDEE
ip ips name intrusion
!
username xxxxx privilege 15 secret xxxxx
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 no snmp trap link-status
 pvc 0/100
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 192.168.1.254 255.255.255.0
 ip access-group 102 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Dialer0
 bandwidth 2000
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 ip mtu 1492
 ip nat outside
 ip inspect firewall out
 ip ips intrusion in
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp pap sent-username xxxxx password xxxxx
 ppp ipcp dns request
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.1 4711 interface Dialer0 4711
ip nat inside source static udp 192.168.1.1 4672 interface Dialer0 4672
ip nat inside source static tcp 192.168.1.1 4662 interface Dialer0 4662
ip nat inside source static udp 192.168.1.1 50101 interface Dialer0 50101
ip nat inside source static tcp 192.168.1.1 50101 interface Dialer0 50101
ip nat inside source static tcp 192.168.1.1 8080 interface Dialer0 8080
ip nat inside source static tcp 192.168.1.250 80 interface Dialer0 80
ip nat inside source static tcp 192.168.1.1 3489 interface Dialer0 3489
ip nat inside source static tcp 192.168.1.250 21 interface Dialer0 21
ip nat inside source static tcp 192.168.1.250 3389 interface Dialer0 3389
!
access-list 1 remark The local LAN.
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark Where management can be done from.
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 deny ip 0.0.0.0 0.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 198.18.0.0 0.1.255.255 any
access-list 101 deny ip 224.0.0.0 0.15.255.255 any
access-list 101 permit udp host 128.250.36.2 eq ntp any eq ntp
access-list 101 permit udp host 130.88.200.98 eq ntp any eq ntp
access-list 101 permit udp host 139.80.64.114 eq ntp any eq ntp
access-list 101 permit udp host 203.109.252.7 eq ntp any eq ntp
access-list 101 deny ip any host 255.255.255.255
access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any time-exceeded
access-list 101 deny icmp any any log
access-list 101 deny icmp any any echo
access-list 101 permit udp host 202.180.64.9 eq domain any gt 1023
access-list 101 permit udp host 202.180.64.2 eq domain any gt 1023
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq 3489
access-list 101 permit tcp any any eq 50101
access-list 101 permit udp any any eq 50101
access-list 101 permit tcp any any eq 4662
access-list 101 permit udp any any eq 4672
access-list 101 permit tcp any any eq 4711
access-list 101 deny ip any any log
access-list 102 remark Traffic allowed to enter the router from the Ethernet
access-list 102 permit ip any host 192.168.1.254
access-list 102 permit ip any host 192.168.1.1
access-list 102 deny ip any host 192.168.1.255
access-list 102 deny udp any any eq tftp log
access-list 102 deny ip any 0.0.0.0 0.255.255.255 log
access-list 102 deny ip any 10.0.0.0 0.255.255.255 log
access-list 102 deny ip any 127.0.0.0 0.255.255.255 log
access-list 102 deny ip any 169.254.0.0 0.0.255.255 log
access-list 102 deny ip any 172.16.0.0 0.15.255.255 log
access-list 102 deny ip any 192.0.2.0 0.0.0.255 log
access-list 102 deny ip any 192.168.0.0 0.0.255.255 log
access-list 102 deny ip any 198.18.0.0 0.1.255.255 log
access-list 102 deny udp any any eq 135 log
access-list 102 deny tcp any any eq 135 log
access-list 102 deny udp any any eq netbios-ns log
access-list 102 deny udp any any eq netbios-dgm log
access-list 102 deny tcp any any eq 445 log
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip any host 255.255.255.255
access-list 102 deny ip any any log
dialer-list 1 protocol ip permit
!
control-plane
!
banner motd ^C
You require authorisation to connect to this device. If you are not authorised to connect to this device please disconnect now. If you fail to disconnect you may be prosecuted under the Crimes Amendment Act 2003 section 252 under New Zealand law.
^C
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class 2 in
 login
!
scheduler max-task-time 5000
ntp clock-period 17174980
ntp server 128.250.36.2 prefer
ntp server 130.88.200.98
ntp server 139.80.64.114
ntp server 203.109.252.7
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end |
|
  TomS_ debugger it Premium,MVM join:2002-07-19 Australia
| reply to guardy You could try removing the ACLs from your dialer and vlan interface and see if that makes any difference.
Remember that every packet that enters the dialer or vlan interface will be checked against that interface's respective ACL. Lots of tiny packets means the processor spends more time matching packets against ACLs, and less time actually routing data.
This would be my first point of call.
For a simple home network, neither of those ACLs (101 and 102) should really even be necessary. Basically the only traffic that is going to enter your network is going to be either:
a. responses to requests translated through NAT
b. traffic that comes in on a port you have forwarded
Anything else will hit the router, and unless the router can actually do anything with it (e.g. telnet connect request), it will be dropped.
Let us know how you go  |
|
 guardy
join:2006-03-19 New Zealand
| Right, well, I tried the following (which I think removed all the ACLs) ... and promptly found I couldn't browse (though people in the house playing WoW seemed to still be okay - at least initially) ... any ideas why this didn't work? ... and is this the kind of thing you suggest? Are there any other things to tidy up in this config that I missed? (I'm sure there are) Or perhaps are there things I should add that aren't there?
In the meantime, I've put things all back how they were ... my wife was getting grumpy when she eventually did disconnect - oops!
Thanks again ...  Steve
Mercury877#sh run
Building configuration...

Current configuration : 3956 bytes
!
! Last configuration change at 22:53:22 NZST Mon Mar 20 2006
! NVRAM config last updated at 22:53:24 NZST Mon Mar 20 2006
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
service password-encryption
service sequence-numbers
no service dhcp
!
hostname Mercury877
!
boot-start-marker
boot-end-marker
!
logging buffered 10240 debugging
logging console critical
enable secret xxxxx
!
no aaa new-model
!
resource policy
!
clock timezone NZST 12
clock summer-time NZDT recurring 1 Sun Oct 2:00 3 Sun Mar 3:00
no ip source-route
ip cef
!
no ip bootp server
no ip domain lookup
ip domain name local
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall cuseeme
ip inspect name firewall h323
ip inspect name firewall rcmd
ip inspect name firewall realaudio
ip inspect name firewall streamworks
ip inspect name firewall vdolive
ip inspect name firewall sqlnet
ip inspect name firewall tftp
ip inspect name firewall ftp
ip inspect name firewall icmp
ip inspect name firewall sip
ip inspect name firewall esmtp max-data 52428800
ip inspect name firewall fragment maximum 256 timeout 1
ip inspect name firewall netshow
ip inspect name firewall pptp
ip inspect name firewall rtsp
ip inspect name firewall skinny
ip ips notify SDEE
ip ips name intrusion
!
username xxxxx privilege 15 secret xxxxx
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 no snmp trap link-status
 pvc 0/100
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Dialer0
 bandwidth 2000
 ip address negotiated
 no ip redirects
 no ip unreachables
 ip mtu 1492
 ip nat outside
 ip inspect firewall out
 ip ips intrusion in
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp pap sent-username xxxxx password xxxxx
 ppp ipcp dns request
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.1 4711 interface Dialer0 4711
ip nat inside source static udp 192.168.1.1 4672 interface Dialer0 4672
ip nat inside source static tcp 192.168.1.1 4662 interface Dialer0 4662
ip nat inside source static udp 192.168.1.1 50101 interface Dialer0 50101
ip nat inside source static tcp 192.168.1.1 50101 interface Dialer0 50101
ip nat inside source static tcp 192.168.1.1 8080 interface Dialer0 8080
ip nat inside source static tcp 192.168.1.250 80 interface Dialer0 80
ip nat inside source static tcp 192.168.1.1 3489 interface Dialer0 3489
ip nat inside source static tcp 192.168.1.250 21 interface Dialer0 21
ip nat inside source static tcp 192.168.1.250 3389 interface Dialer0 3389
!
dialer-list 1 protocol ip permit
!
control-plane
!
banner motd ^C
You require authorisation to connect to this device. If you are not authorised to connect to this device please disconnect now. If you fail to disconnect you may be prosecuted under the Crimes Amendment Act 2003 section 252 under New Zealand law.
^C
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class 2 in
 login
!
scheduler max-task-time 5000
ntp clock-period 17174966
ntp server 128.250.36.2 prefer
ntp server 130.88.200.98
ntp server 139.80.64.114
ntp server 203.109.252.7
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end |
|
 pstewart Premium,VIP join:2005-10-12 Peterborough, ON
| reply to guardy The ACL's probably aren't causing the problem compared to running IPS. Try de-applying it from your interface and see what happens.
If you have CCO access, there are a number of bugs on certain platforms and certain releases that affect throughput dramatically.... -- Nexicom 5 Meg DSL - 540/79KB/s |
|
 guardy
join:2006-03-19 New Zealand
| Thanks - after looking around I've heard various things about IPS - a lot of it not overly positive. So okay, I'll have a go at removing that and see how I get on. Might just wait till a time when the connection isn't being used though - just in case I manage to kill the connection again ... 
Thanks for the suggestion ...
Steve |
|
 mplex
join:2004-04-15 Charleston, SC
| reply to guardy guardy, I use this setup and it works great. I do a lot of ssh and console work, and with this setup, I can max out bandwidth and everything works great and I can't even tell p2p is running:
access-list 110 permit icmp any any echo
access-list 110 permit icmp any any echo-reply
access-list 110 permit tcp any any eq 22
access-list 110 permit tcp any eq 22 any
access-list 110 permit tcp any any eq telnet
access-list 110 permit tcp any eq telnet any
access-list 110 permit tcp any any eq 3389
access-list 110 permit tcp any eq 3389 any
access-list 110 deny udp any eq 10000 any
access-list 110 deny udp any any eq 10000
access-list 110 permit udp any any
access-list 120 permit udp any any eq 10000
access-list 130 permit tcp any any eq www
access-list 130 permit tcp any eq www any
access-list 140 permit tcp any any eq 6881
access-list 140 permit tcp any any eq 6882
access-list 140 permit tcp any any eq 6883
access-list 140 permit tcp any any eq 6884
access-list 140 permit tcp any any eq 6885
access-list 140 permit tcp any any eq 6886
access-list 140 permit tcp any eq 6881 any
access-list 140 permit tcp any eq 6882 any
access-list 140 permit tcp any eq 6883 any
access-list 140 permit tcp any eq 6884 any
access-list 140 permit tcp any eq 6885 any
access-list 140 permit tcp any eq 6886 any
access-list 140 permit tcp any any eq 2234
access-list 140 permit tcp any eq 2234 any
access-list 140 permit tcp any eq 4661 any
access-list 140 permit tcp any eq 4662 any
access-list 140 permit tcp any any eq 4661
access-list 140 permit tcp any any eq 4662
access-list 140 permit tcp any any eq 1214
access-list 140 permit tcp any any eq 6880
access-list 140 permit tcp any eq 6880 any
!! You don't really need the match protocol statements if your router won't support it, just rely on ACL 140
class-map match-any nbar-fs
 match protocol bittorrent
 match protocol kazaa2
 match protocol gnutella
 match protocol fasttrack
 match protocol edonkey
 match access-group 140
class-map match-all class2
 description [VPN/UDP]
 match access-group 120
class-map match-all class3
 description [web traffic/other tcp]
 match access-group 130
class-map match-all class1
 description [SSH/ICMP/RDP]
 match access-group 110
policy-map shaped
 class nbar-fs
  bandwidth percent 5
  !! Not necessary but I like to throttle p2p even more
  police 140000 30000 60000 conform-action transmit exceed-action drop violate-action drop
 class class1
  bandwidth percent 30
 class class2
  bandwidth percent 30
 class class3
  bandwidth percent 25
 class class-default
  bandwidth percent 10
policy-map shaper
 class class-default
  shape average 240000
  !! adjust this for your outgoing BW
  !! mine is 384k, but 240k is all I
  !! reliably get in my area before pings go up
  service-policy shaped
int fa0
 !! WAN Link
 service-policy output shaper
end
sh policy-map int fa0
P2P will find a way around the class nbar-fs classification and some traffic will fall back to the default class. The trick to this setup is to make sure you protect the protocols that need protecting. For me, that is ssh, http, and all udp traffic. Works like a charm. You can remove the policy and everything goes to crap, 200ms pings. As soon as you reapply, pings drop back to 30ms.
Good luck. |
|
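The point Phraxos makes later in the thread (the ACLs only sort traffic into classes, the policy-map then decides the bandwidth each class gets) can be checked offline before a policy goes onto the router. The following is an added example, not code from mplex, from any other poster or from Cisco: a small Python evaluator that replays IOS first-match ACL semantics over ACLs 110 to 140 from the post above (ACL 140 abridged), walks the classes of policy-map "shaped" in configured order, and reports which class each of a handful of constructed sample flows lands in. NBAR "match protocol" lines are not simulated; the flow and address values are made up.

```python
"""Replay the class-map / ACL classification from the QoS post above.

Hypothetical example code (not from any poster and not a Cisco tool). It
applies IOS access-list first-match semantics to constructed sample flows and
walks the classes of policy-map "shaped" in order, so you can see which class
a packet lands in before committing the policy to a router.
"""
import ipaddress
from collections import namedtuple

# Constructed copy of ACLs 110-140 from the post (140 abridged). Used as
# class-map matches these ACLs only sort traffic; a "deny" drops nothing.
ACL_TEXT = """
access-list 110 permit icmp any any echo
access-list 110 permit icmp any any echo-reply
access-list 110 permit tcp any any eq 22
access-list 110 permit tcp any eq 22 any
access-list 110 deny udp any eq 10000 any
access-list 110 deny udp any any eq 10000
access-list 110 permit udp any any
access-list 120 permit udp any any eq 10000
access-list 130 permit tcp any any eq www
access-list 130 permit tcp any eq www any
access-list 140 permit tcp any any eq 6881
access-list 140 permit tcp any eq 6881 any
access-list 140 permit tcp any any eq 4662
access-list 140 permit tcp any eq 4662 any
"""

# Classes of policy-map "shaped" in configured order with their bandwidth
# percent; IOS evaluates them top-down and the first match wins.
POLICY = [("nbar-fs", 140, 5), ("class1", 110, 30), ("class2", 120, 30),
          ("class3", 130, 25), ("class-default", None, 10)]
PORT_NAMES = {"telnet": 23, "www": 80, "domain": 53, "smtp": 25, "ftp": 21}

Flow = namedtuple("Flow", "proto src sport dst dport")   # proto: tcp/udp/icmp
Ace = namedtuple("Ace", "action proto src sport dst dport")


def _address(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD' [eq PORT]; return (net, port, rest)."""
    if tokens[0] == "any":
        net, rest = ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    elif tokens[0] == "host":
        net, rest = ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    else:  # an IOS wildcard mask is the inverse of a netmask
        mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(tokens[1])))
        net, rest = ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]
    port = None
    if rest and rest[0] == "eq":
        port, rest = PORT_NAMES.get(rest[1]) or int(rest[1]), rest[2:]
    return net, port, rest


def parse_acls(text):
    """Group numbered ACL entries by ACL number, keeping their order."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        src, sport, rest = _address(t[4:])
        dst, dport, _ = _address(rest)   # trailing ICMP type keywords are ignored
        acls.setdefault(int(t[1]), []).append(Ace(t[2], t[3], src, sport, dst, dport))
    return acls


def ace_matches(ace, flow):
    return (ace.proto in ("ip", flow.proto)
            and ipaddress.ip_address(flow.src) in ace.src
            and ipaddress.ip_address(flow.dst) in ace.dst
            and ace.sport in (None, flow.sport)
            and ace.dport in (None, flow.dport))


def acl_permits(aces, flow):
    """First matching entry decides; implicit deny when nothing matches."""
    for ace in aces:
        if ace_matches(ace, flow):
            return ace.action == "permit"
    return False


def classify(flow, acls=None, policy=POLICY):
    """Return the first class in the policy whose ACL permits the flow."""
    acls = parse_acls(ACL_TEXT) if acls is None else acls
    for name, acl_number, _ in policy:
        if acl_number is None or acl_permits(acls.get(acl_number, []), flow):
            return name
    return "class-default"


def total_bandwidth_percent(policy=POLICY):
    """Sum of the bandwidth percents; more than 100 cannot be honoured."""
    return sum(percent for _, _, percent in policy)


# Constructed sample flows (RFC 5737 test addresses). The client on a random
# high port shows the fall-through to class-default the post warns about.
SAMPLE_FLOWS = {
    "ssh": Flow("tcp", "192.168.1.10", 50000, "203.0.113.5", 22),
    "bittorrent-6881": Flow("tcp", "192.168.1.10", 6881, "198.51.100.7", 41234),
    "vpn-udp-10000": Flow("udp", "192.168.1.10", 4500, "203.0.113.9", 10000),
    "http": Flow("tcp", "192.168.1.10", 50001, "203.0.113.5", 80),
    "dns": Flow("udp", "192.168.1.10", 50002, "203.0.113.53", 53),
    "p2p-random-port": Flow("tcp", "192.168.1.10", 51413, "198.51.100.8", 51414),
}

if __name__ == "__main__":
    for label, flow in SAMPLE_FLOWS.items():
        print(f"{label:16} -> {classify(flow)}")
    print("bandwidth percent total:", total_bandwidth_percent())
```

Note how the UDP 10000 flow reaches class2 only because ACL 110 denies it first: in a class-map a deny entry means "not this class", not "drop".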
 guardy
join:2006-03-19 New Zealand
| Thanks for the tips on setting the config up. Due to work and RL it'll be a couple of days before I can test this out properly ... but I'll post back as soon as I have ...
This could well be exactly what I was looking for ... 
Thanks! Steve |
|
 guardy
join:2006-03-19 New Zealand
| Okay, just in the process of setting this up. I think it all makes sense to me (well, vaguely ).
The only thing I'm stumbling on at the moment is which interface I apply this to.
I would have thought it would have to be Dialer 0 (being the outgoing interface) but it says: "GTS : Not supported on this interface"
Any ideas on this?
Thanks, Steve |
|
 guardy
join:2006-03-19 New Zealand
| Does anyone have any idea on which interface I might set this up on? Or is something like this not possible on a DSL router? Any help/suggestions would be most appreciated ... 
Thanks, Steve |
|
 Phraxos Premium join:2004-06-12 UK
| This is a complete guess, guardy, but as no one has jumped in after a few days... have you tried applying it to the DSL interface?
Also I can't see any reason not to apply the policy to the LAN interface instead. If you shape that interface you are in effect shaping what goes out on the WAN interface.
As I said though, I have very little experience with QOS - just trying to give you some ideas  |
|
 usr
join:2005-06-30 germany
| reply to guardy mplex, thanks for your QoS example. You use 4 ACLs. Could I use your example, only using my existing 2 ACLs (1 for Dialer1, 1 for FastEthernet0)? |
|
 Phraxos Premium join:2004-06-12 UK
| Usr, the ACLs are nothing to do with the interfaces.
They identify which traffic goes into which group (class) for QOS matching. You can split it up into as many or as few groups as you wish to (within reason). Once split into groups you then say what priority/bandwidth you want to give to each group (class). |
|
 usr
join:2005-06-30 germany
| reply to guardy Phraxos, ah, I understand. So, the ACLs are only used for classifying the classes. So, I'll leave my current ACLs, define more ACLs for my QoS setup and define the bandwidth. Thanks for your help  |
|
 usr
join:2005-06-30 germany
| reply to guardy guardy, I got the same error. I applied the rules on my physical DSL interface. I'm testing if it's working... |
|
 guardy
join:2006-03-19 New Zealand
| I thought I'd tried applying this to the dsl interface also (ATM0 ?) ... perhaps not ...
I'd be interested in any feedback you have on this ... I'm going to (hopefully) be able to sit down tonight and do a little more testing also ...
I'll post back my findings ...
 Thanks, Steve |
|
 usr
join:2005-06-30 germany
| Ok, I applied the rules to my config, but the pings are still rising, when bittorrent is running. Here's my config:
!
! No configuration change since last restart
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
service sequence-numbers
no service dhcp
!
hostname cisco
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096 informational
logging console warnings
enable secret 5 xxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
!
resource policy
!
memory-size iomem 20
clock timezone MET 1
clock summer-time MEST recurring last Sun Mar 2:00 last Sun Oct 3:00
no ip source-route
no ip gratuitous-arps
!
ip nbar pdlm flash://bittorrent.pdlm
!
ip tcp selective-ack
ip tcp synwait-time 10
ip tcp path-mtu-discovery
ip cef
no ip domain lookup
ip domain name xxxxxxx.local
no ip bootp server
ip inspect udp idle-time 15
ip inspect tcp idle-time 1800
ip inspect tcp finwait-time 1
ip inspect tcp synwait-time 15
ip inspect name firewall tftp timeout 30
ip inspect name firewall udp timeout 15
ip inspect name firewall tcp timeout 3600
ip inspect name firewall icmp
ip inspect name firewall fragment maximum 256 timeout 1
ip inspect name firewall pop3
ip inspect name firewall imap
ip inspect name firewall https
ip inspect name firewall http
ip inspect name firewall dns
ip inspect name firewall ntp
ip inspect name firewall ident
ip inspect name firewall telnet
ip inspect name firewall ssh
ip inspect name firewall ircu
ip inspect name firewall cuseeme
ip inspect name firewall realaudio
ip inspect name firewall streamworks
ip inspect name firewall rtsp
ip inspect name firewall appleqtc
ip inspect name firewall isakmp
ip inspect name firewall ipsec-msft
ip inspect name firewall esmtp
ip inspect name firewall ftp
!
vpdn enable
!
class-map match-all smtp
 description SMTP class
 match access-group 105
class-map match-all browsing
 description HTTP/DNS/ICMP class
 match access-group 104
class-map match-any nbar-fs
 description p2p class
 match protocol bittorrent
 match protocol kazaa2
 match protocol gnutella
 match protocol fasttrack
 match protocol edonkey
 match access-group 102
class-map match-all owa
 description owa class
 match access-group 103
!
policy-map shaped
 class nbar-fs
  bandwidth percent 20
 class smtp
  bandwidth percent 15
 class browsing
  bandwidth percent 20
 class owa
  bandwidth percent 20
 class class-default
  bandwidth percent 25
policy-map shaper
 class class-default
  shape average 530000
  service-policy shaped
!
interface Ethernet0
 description T-DSL physical WAN interface
 no ip address
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip mroute-cache
 half-duplex
 pppoe enable
 pppoe-client dial-pool-number 1
 no cdp enable
 service-policy output shaper
!
interface FastEthernet0
 description LAN interface
 ip address 192.168.0.2 255.255.255.0
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 no ip mroute-cache
 speed auto
 no cdp enable
!
interface Dialer1
 description T-DSL virtual WAN interface
 mtu 1492
 ip address negotiated
 ip access-group 100 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect firewall in
 ip inspect firewall out
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 ntp disable
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname ispusername
 ppp pap sent-username dsl/xxxxxxx@xxxxxx.xx password 7 xxxxxxxxx
!
no ip forward-protocol udp bootps
no ip forward-protocol udp tftp
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http access-class 1
no ip http secure-server
!
ip nat translation tcp-timeout 1800
ip nat translation udp-timeout 240
ip nat translation dns-timeout 45
ip nat inside source list 101 interface Dialer1 overload
ip nat inside source static tcp 192.168.0.1 443 interface Dialer1 443
ip nat inside source static tcp 192.168.0.30 6881 interface Dialer1 6881
ip nat inside source static tcp 192.168.0.30 6889 interface Dialer1 6889
ip nat inside source static tcp 192.168.0.30 4662 interface Dialer1 4662
ip nat inside source static udp 192.168.0.30 4672 interface Dialer1 4672
!
logging trap debugging
logging facility local6
logging 192.168.0.1
access-list 1 remark Telnet and HTTP access from inside network only
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark Inbound ACL on dialer1
access-list 100 remark Deny private ips and log
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log-input
access-list 100 deny ip 172.16.0.0 0.15.255.255 any log-input
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log-input
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log-input
access-list 100 deny ip 255.0.0.0 0.255.255.255 any log-input
access-list 100 deny ip 224.0.0.0 31.255.255.255 any log-input
access-list 100 remark Deny fragmented icmp and log
access-list 100 deny icmp any any log-input fragments
access-list 100 remark Allow certain icmp types
access-list 100 permit icmp any any net-unreachable
access-list 100 permit icmp any any host-unreachable
access-list 100 permit icmp any any port-unreachable
access-list 100 permit icmp any any packet-too-big
access-list 100 permit icmp any any administratively-prohibited
access-list 100 permit icmp any any source-quench
access-list 100 permit icmp any any ttl-exceeded
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any echo
access-list 100 remark Permit VPN traffic
access-list 100 permit udp any any eq isakmp
access-list 100 permit esp any any
access-list 100 permit udp any any eq non500-isakmp
access-list 100 permit udp any any eq 10000
access-list 100 permit udp any any eq ntp
access-list 100 remark Permit traffic to OWA
access-list 100 permit tcp any any eq 443
access-list 100 remark Permit bittorrent traffic to 192.168.0.30
access-list 100 permit tcp any any eq 6881
access-list 100 permit tcp any any eq 6889
access-list 100 remark Permit emule traffic to 192.168.0.30
access-list 100 permit tcp any any eq 4662
access-list 100 permit udp any any eq 4762
access-list 101 remark Inbound ACL on FastEthernet0
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any parameter-problem
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any source-quench
access-list 101 remark Permit DNS lookups from 192.168.0.1
access-list 101 permit udp host 192.168.0.1 any eq domain
access-list 101 remark Permit tcp/udp from host 192.168.0.30 port greater than 1024
access-list 101 permit tcp host 192.168.0.30 any gt 1024
access-list 101 permit udp host 192.168.0.30 any gt 1024
access-list 101 remark Standard ACL for 192.168.0.0/24 network
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any eq ftp
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any eq ftp-data
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any eq 22
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any eq smtp
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any eq www
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any eq 81
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any eq 88
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any eq pop3
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any eq ident
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any eq 143
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any eq 443
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any eq 554
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any eq 1755
access-list 101 permit udp 192.168.0.0 0.0.0.255 any eq 1755
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any eq 1863
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any eq 3128
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any eq 4040
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any eq 5190
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any range 6600 6669
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any eq 7070
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any eq 7071
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any eq 8000
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any eq 8001
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any eq 8080
access-list 101 remark Permit Cisco VPN Client
access-list 101 permit udp 192.168.0.0 0.0.0.255 any eq isakmp
access-list 101 permit esp 192.168.0.0 0.0.0.255 any
access-list 101 permit udp 192.168.0.0 0.0.0.255 any eq non500-isakmp
access-list 101 permit udp 192.168.0.0 0.0.0.255 any eq 10000
access-list 101 permit udp 192.168.0.0 0.0.0.255 any eq ntp
access-list 101 remark Permit telnet from inside network to router
access-list 101 permit tcp any host 192.168.0.2 eq telnet
access-list 102 remark ACL for p2p qos
access-list 102 permit tcp any any eq 6881
access-list 102 permit tcp any any eq 6889
access-list 102 permit tcp any any eq 4662
access-list 102 permit udp any any eq 4672
access-list 102 permit tcp any eq 6881 any
access-list 102 permit tcp any eq 6889 any
access-list 102 permit tcp any eq 4662 any
access-list 102 permit udp any eq 4672 any
access-list 103 remark ACL for OWA
access-list 103 permit tcp any any eq 443
access-list 103 permit tcp any eq 443 any
access-list 104 remark browsing and icmp
access-list 104 permit tcp any any eq www
access-list 104 permit tcp any eq www any
access-list 104 permit udp any any eq domain
access-list 104 permit udp any eq domain any
access-list 104 permit icmp any any echo
access-list 104 permit icmp any any echo-reply
access-list 105 remark ACL for SMTP
access-list 105 permit tcp any any eq smtp
access-list 105 permit tcp any eq smtp any
access-list dynamic-extended
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
banner exec xxxxxxxxxxxxxxx xxxxxxxxxx
!
line con 0
 exec-timeout 0 0
 password 7 xxxxxxxx
line aux 0
 exec-timeout 0 1
 no exec
line vty 0 4
 access-class 1 in
 exec-timeout 0 0
 password 7 xxxxxxxxxxxx
 login
 transport input telnet
!
scheduler allocate 4000 1000
scheduler interval 500
sntp server 192.168.0.1
ntp source FastEthernet0
end
I couldn't apply the rule to my PPPoE interface Dialer1, so I chose the physical interface Ethernet0. |
|