Cisco IOS TrafficShaping for ADSL traffic

So, I am trying to implement some QoS Traffic Shaping on my Cisco 877 to ensure certain clients on the network do not hose my bandwidth.

Have played with a couple of things but cannot get it to work.

For testing I am plugged into fe0 with my system and am trying to shape FTP traffic to have 90% bandwidth over anything else.

This is what I currently have on fe0

Code:
sinhome#show policy-map interface fastEthernet 0
 FastEthernet0

  Service-policy output: SHAPE_LAN

    Class-map: class-default (match-any)
      358 packets, 21480 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
      Traffic Shaping
           Target/Average   Byte   Sustain   Excess    Interval  Increment
             Rate           Limit  bits/int  bits/int  (ms)      (bytes)
          1680000/1680000   10500  42000     42000     25        5250

        Adapt  Queue     Packets   Bytes     Packets   Bytes     Shaping
        Active Depth                         Delayed   Delayed   Active
        -      0         358       21480     0         0         no

      Service-policy : FTPSHAPE

        Class-map: PREMIUM (match-any)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: protocol nfs
            0 packets, 0 bytes
            5 minute rate 0 bps
          Queueing
            Output Queue: Conversation 73
            Bandwidth 90 (%)
            Bandwidth 1512 (kbps) Max Threshold 64 (packets)
            (pkts matched/bytes matched) 0/0
        (depth/total drops/no-buffer drops) 0/0/0

        Class-map: class-default (match-any)
          273 packets, 16380 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any
          Queueing
            Output Queue: Conversation 74
            Bandwidth 10 (%)
            Bandwidth 168 (kbps) Max Threshold 64 (packets)
            (pkts matched/bytes matched) 0/0
        (depth/total drops/no-buffer drops) 0/0/0

And this is the relevant config:

Code:
class-map match-any PREMIUM
 match protocol ftp
!
!
policy-map FTPSHAPE
  class PREMIUM
  bandwidth percent 90
  class class-default
  bandwidth percent 10
!
policy-map SHAPE_LAN
  class class-default
  shape average 1680000
  service-policy FTPSHAPE

!
interface FastEthernet0
 description LAN
 service-policy output SHAPE_LAN

You cannot apply GTS to ATM0, Dialer1 etc., so that's why it is on fe0 with the shape average of 1680000 (I'm on 2Mbit but I have understated it to make sure I am triggering). Am I missing something?

I start an HTTP download off and it takes 100% of the bandwidth, then I trigger an FTP download which should trigger shaping, but the shaping is not happening.

Help please!
 
Ok, this works :)

Code:
class-map match-any THROTTLE
 match protocol ftp
!
!
policy-map THROTTLEDSL
  class THROTTLE
  police cir 1500000
    conform-action transmit
    exceed-action drop
    violate-action drop

Code:
interface Dialer1
 description newtel-DSL$FW_OUTSIDE$
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer idle-timeout 0
 no cdp enable
 ppp pap sent-username ********** password 7 ***************
 ppp ipcp dns request accept
 ppp ipcp route default
 ppp ipcp address accept
 service-policy input THROTTLEDSL
 
Next step, applying it to an access-group instead of protocol.

Using:

Code:
access-list 11 permit 192.168.1.1

class-map match-any THROTTLE
  match access-group 11

But it does not seem to be working. Is the Dialer1 interface only capable of matching against protocols?
 
Without seeing your whole config it's difficult to say but as you're running NAT, I'm not sure the attempt to match an internal IP on the dialer interface input will actually match anything. I can't say for sure as I've never had reason to configure NAT and policy maps together like this...

Think my efforts would be better directed at a fe port?

As for my whole config:

(cleared of QoS stuff)

Code:
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname sinhome
!
boot-start-marker
boot-end-marker
!
no logging buffered
logging console critical
enable secret 5 ********************
enable password 7 *****************
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.1.101 192.168.1.254
!
ip dhcp pool sdm-pool
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.254
   dns-server 213.133.223.11
   lease 0 2
!
!
ip tcp synwait-time 10
ip ftp username cisco
ip ftp password 7 ************************
no ip bootp server
ip domain name sin.local
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW https
!
!
crypto pki trustpoint TP-self-signed-4281229074
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4281229074
 revocation-check none
 rsakeypair TP-self-signed-4281229074
!
!
crypto pki certificate chain TP-self-signed-4281229074
 certificate self-signed 01 nvram:IOS-Self-Sig#3401.cer
username **** privilege 15 secret 5 *********************************************
!
!
!
!
!
!
interface ATM0
 description $ES_WAN$
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
 dsl enable-training-log
!
interface FastEthernet0
 description LAN
!
interface FastEthernet1
 description LAN
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 ip address 192.168.1.254 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Dialer1
 description newtel-DSL$FW_OUTSIDE$
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer idle-timeout 0
 no cdp enable
 ppp pap sent-username ****** password 7 **************
 ppp ipcp dns request accept
 ppp ipcp route default
 ppp ipcp address accept
!
ip classless
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static udp 192.168.1.1 3784 interface Dialer1 3784
ip nat inside source static tcp 192.168.1.1 5005 interface Dialer1 5005
ip nat inside source static tcp 192.168.1.1 5004 interface Dialer1 5004
ip nat inside source static tcp 192.168.1.1 5003 interface Dialer1 5003
ip nat inside source static tcp 192.168.1.1 5002 interface Dialer1 5002
ip nat inside source static tcp 192.168.1.1 5001 interface Dialer1 5001
ip nat inside source static tcp 192.168.1.1 5000 interface Dialer1 5000
ip nat inside source static tcp 192.168.1.1 113 interface Dialer1 113
ip nat inside source static udp 192.168.1.1 113 interface Dialer1 113
ip nat inside source static udp 192.168.1.1 54321 interface Dialer1 54321
ip nat inside source static tcp 192.168.1.1 54321 interface Dialer1 54321
ip nat inside source static tcp 192.168.1.1 3389 interface Dialer1 3389
ip nat inside source static tcp 192.168.1.1 3784 interface Dialer1 3784
ip nat inside source static tcp 192.168.1.1 21 interface Dialer1 21
ip nat inside source static tcp 192.168.1.1 12345 interface Dialer1 12345
ip nat inside source static tcp 192.168.1.1 5900 interface Dialer1 5900
!
logging trap debugging
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=0
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=0
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp any any eq ftp
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 permit udp any any eq 3784
access-list 101 permit tcp any any eq 3784
access-list 101 permit tcp any any eq 5900
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit tcp any any eq 12345
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq 54321
access-list 101 permit udp any any eq 54321
access-list 101 permit udp any any eq 113
access-list 101 permit tcp any any eq ident
access-list 101 permit tcp any any eq 5000
access-list 101 permit tcp any any eq 5001
access-list 101 permit tcp any any eq 5002
access-list 101 permit tcp any any eq 5003
access-list 101 permit tcp any any eq 5004
access-list 101 permit tcp any any eq 5005
access-list 101 deny   ip 192.168.1.0 0.0.0.255 any
access-list 101 deny   icmp any any echo-reply
access-list 101 deny   icmp any any time-exceeded
access-list 101 deny   icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 deny   ip any any
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
no cdp run
!
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco".

Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want to use.

For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
banner motd ^CCC
                        You are Accessing Restricted Equipment
                        All Activities are Monitored and Logged
                        Unauthorised Use Prohibited

                        By accessing you agree to have your activites Monitored and Logged
^C
!
line con 0
 password 7 71125508
 no modem enable
 transport output telnet
line aux 0
line vty 0 4
 access-class 102 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
 
As long as it works I don't mind class matching against:

Anything being downloaded to fe1.
Anything being downloaded by an internal IP address/range (which we seem to think will not work because of NATing)

I do not mind throttling fe1 as it will only be internet bound traffic so if there is a solution that way I am all ears.
 
Protocol alone? Nope.

It would work policing say HTTP traffic from clients connected via wireless on fe1 but it would also police my traffic connected directly on fe0.

Surely it must be possible as many many consumer routers support QoS for bandwidth throttling. My old Billion 7300G throttles bandwidth perfectly based on IP, protocol etc.

Could I set up fe1 through 3 to be in VLAN2, throttle that VLAN and have it access VLAN1 also? (This would not be required but would be useful.)
 
I have a second router, but I specifically came off that onto an 877 because it was unreliable and kept falling over!

Surely I can throttle on a fe port? Like I said, the clients I want to throttle will only be accessing the Dialer interface so if I can throttle the port before it even gets there that would work?

fe0 - My systems
fe1 - Wireless AP
Wireless AP - Everything else coming to net

Ideally I want to throttle fe1 input and output, even if that means limiting the 100mbit capability of the fe port, if this makes sense?

I can throttle VLAN1 with:

Code:
class-map match-any LOW
 match any

policy-map THROTTLE
  class LOW
  police 500000
    conform-action transmit
    exceed-action drop
    violate-action drop

interface vlan1
 service-policy input THROTTLE
 service-policy output THROTTLE

But applying this to fe ports does not work.

It seems the 877 out of the box comes with vlan1 configured on the 4 switch ports, but with advanced IP Services (which I have) you can have up to 4 VLANs. I am too much of a cisco noob to wrap my head around this and start configuring different VLANs!
 
How does this look?

Code:
class-map match-any LOW
 match any 
!
!
policy-map THROTTLE
  class LOW
  police cir 500000
    conform-action transmit 
    exceed-action drop 
    violate-action drop 
policy-map THROTTLEUP
  class LOW
  police cir 250000
    conform-action transmit 
    exceed-action drop 
    violate-action drop 

interface FastEthernet0
 description LAN
!
interface FastEthernet1
 description WIRELESS-AP Access
 switchport access vlan 2
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 ip address 192.168.1.254 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Vlan2
 ip address 192.168.2.254 255.255.255.0
 ip access-group 103 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
 service-policy input THROTTLE
 service-policy output THROTTLEUP

access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
 
Chief - With shaping yes.

With policing - no :)

I have got it working with another vlan and policing.

But for some reason policing the upload below 256000bps kills upload.

At 256000 it will hold and do its thing, albeit at about half of what it should upload, but anything below means a 96000-byte chunk is uploaded and then the connection drops.

Any ideas?
 
Well, I upped the burst size and it seems to allow a 96000bps police value to work.

Strange, not sure if it's the laptop or the wireless AP that is giving a burst size of 1000 bytes issues, as my friend on an identical DSL line can use 96000bps with a burst size of 1000 fine.
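To see why the 96000bps policer only behaved once the burst was raised, here is an added example (my own code, not from this thread or from Cisco) that models the single-rate three-colour token-bucket policer behind `police cir <bps> bc <bytes> be <bytes>` and pushes a constructed stream of 1492-byte TCP segments (the 1452-byte MSS from `ip tcp adjust-mss 1452` plus 40 bytes of IP/TCP headers) through it with a 1000-byte burst and with the working 12000-byte burst. The 100 Mbit line rate, the packet count and the refill-on-arrival model are assumptions.

```python
"""Model of Cisco's single-rate three-colour policer ('police cir <bps> bc <bytes> be <bytes>').

Added example, not code from this thread or from Cisco. Assumptions: tokens are
refilled on packet arrival at CIR, the Bc bucket fills first and spills into the
Be bucket, and a packet must fit entirely in one bucket to be conform/exceed.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    t: float   # arrival time in seconds
    size: int  # bytes on the wire


class SrTcmPolicer:
    """Two token buckets (Bc, Be), both fed at CIR, in the style of RFC 2697."""

    def __init__(self, cir_bps: int, bc: int, be: int):
        self.rate = cir_bps / 8.0                # CIR expressed in bytes per second
        self.bc, self.be = bc, be
        self.tc, self.te = float(bc), float(be)  # both buckets start full
        self.last = 0.0

    def _refill(self, now: float) -> None:
        tokens = (now - self.last) * self.rate
        self.last = now
        spill = max(0.0, self.tc + tokens - self.bc)  # overflow from Bc feeds Be
        self.tc = min(float(self.bc), self.tc + tokens)
        self.te = min(float(self.be), self.te + spill)

    def police(self, pkt: Packet) -> str:
        self._refill(pkt.t)
        if pkt.size <= self.tc:
            self.tc -= pkt.size
            return "conform"
        if pkt.size <= self.te:
            self.te -= pkt.size
            return "exceed"
        return "violate"


def count_actions(pkts, cir_bps, bc, be):
    """Run a packet list through a fresh policer and tally the three outcomes."""
    policer = SrTcmPolicer(cir_bps, bc, be)
    counts = {"conform": 0, "exceed": 0, "violate": 0}
    for pkt in pkts:
        counts[policer.police(pkt)] += 1
    return counts


def tcp_upload(n: int, size: int = 1492, rate_bps: float = 100e6):
    """Constructed trace: n back-to-back full-size segments sent at rate_bps.

    1492 = 1452-byte MSS (ip tcp adjust-mss 1452) + 20 IP + 20 TCP header bytes.
    """
    gap = size * 8 / rate_bps
    return [Packet(i * gap, size) for i in range(n)]


def transmitted_bytes(pkts, cir_bps, bc, be, exceed_transmits: bool) -> int:
    """Bytes that leave the interface under the thread's two exceed-actions:
    'exceed-action drop' vs 'exceed-action set-qos-transmit 4' (still forwarded)."""
    counts = count_actions(pkts, cir_bps, bc, be)
    size = pkts[0].size if pkts else 0
    kept = counts["conform"] + (counts["exceed"] if exceed_transmits else 0)
    return kept * size


if __name__ == "__main__":
    burst = tcp_upload(200)
    # Bc=Be=1000 bytes: a 1492-byte segment never fits either bucket, so every
    # full-size packet is 'violate' (dropped) no matter how the host paces itself.
    print("bc 1000 :", count_actions(burst, 96000, 1000, 1000))
    # Bc=Be=12000 bytes (the working config): 8 conform, 8 exceed, the rest violate.
    print("bc 12000:", count_actions(burst, 96000, 12000, 12000))
    # A host already sending at exactly the CIR still gets nothing through bc 1000.
    paced = tcp_upload(50, rate_bps=96000)
    print("paced, bc 1000 :", count_actions(paced, 96000, 1000, 1000))
    print("paced, bc 12000:", count_actions(paced, 96000, 12000, 12000))
```

The check this gives a practitioner: Bc must be at least one full-size packet (MTU), or the policer drops every large segment regardless of the offered rate, which matches the stalled uploads seen with the 1000-byte burst.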
 
Well, tested some VOIP with only 12kb/sec of allocated upload on the restricted vlan and it's perfect, so I'm not complaining :)

My final config looks like this:

Code:
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname sinhome
!
boot-start-marker
boot-end-marker
!
no logging buffered
logging console critical
enable secret 5 *******
enable password 7 *******
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local 
!
aaa session-id common
!
resource policy
!
ip subnet-zero
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.101 192.168.1.254
ip dhcp excluded-address 192.168.2.101 192.168.2.254
!
ip dhcp pool sdm-pool
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.254 
   dns-server 213.133.223.11 
   lease 0 2
!
ip dhcp pool pool-vlan2
   import all
   network 192.168.2.0 255.255.255.0
   domain-name sin.local
   dns-server 213.133.223.11 
   default-router 192.168.2.254 
!
!
ip tcp synwait-time 10
ip ftp username *******
ip ftp password 7 *******
no ip bootp server
ip domain name sin.local
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW https
!
!
crypto pki trustpoint TP-self-signed-4281229074
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4281229074
 revocation-check none
 rsakeypair TP-self-signed-4281229074
!
!
crypto pki certificate chain TP-self-signed-4281229074
 certificate self-signed 01
  quit
username root privilege 15 secret 5 $1$JQsP$EaVbgA7xJAHtnPxRQa.tD0
!
!
class-map match-any LOWBW
 match any 
!
!
policy-map 256000BPS
  class LOWBW
  police cir 256000
    conform-action transmit 
    exceed-action set-qos-transmit 4
    violate-action drop 
policy-map 96000BPS
  class LOWBW
  police cir 96000 bc 12000 be 12000
    conform-action transmit 
    exceed-action set-qos-transmit 4
    violate-action drop 
!
! 
!
!
!
!
interface ATM0
 description $ES_WAN$
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 0/38 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto 
 dsl enable-training-log
!
interface FastEthernet0
 description LAN
!
interface FastEthernet1
 description WIRELESS-AP Access
 switchport access vlan 2
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 ip address 192.168.1.254 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Vlan2
 description $FW_INSIDE$
 ip address 192.168.2.254 255.255.255.0
 ip access-group 103 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
 service-policy input 96000BPS
 service-policy output 256000BPS
!
interface Dialer1
 description newtel-DSL$FW_OUTSIDE$
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer idle-timeout 0
 no cdp enable
 ppp pap sent-username ******* password 7 *******
 ppp ipcp dns request accept
 ppp ipcp route default
 ppp ipcp address accept
!
ip classless
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat source static udp 192.168.1.1 6100 interface Dialer1 6100
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source list 2 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.1 12360 interface Dialer1 12360
ip nat inside source static tcp 192.168.1.1 12359 interface Dialer1 12359
ip nat inside source static tcp 192.168.1.1 12358 interface Dialer1 12358
ip nat inside source static tcp 192.168.1.1 12357 interface Dialer1 12357
ip nat inside source static tcp 192.168.1.1 12356 interface Dialer1 12356
ip nat inside source static tcp 192.168.1.1 12355 interface Dialer1 12355
ip nat inside source static tcp 192.168.1.1 12354 interface Dialer1 12354
ip nat inside source static tcp 192.168.1.1 12353 interface Dialer1 12353
ip nat inside source static tcp 192.168.1.1 12352 interface Dialer1 12352
ip nat inside source static tcp 192.168.1.1 12351 interface Dialer1 12351
ip nat inside source static tcp 192.168.1.1 12350 interface Dialer1 12350
ip nat inside source static udp 192.168.1.1 3784 interface Dialer1 3784
ip nat inside source static tcp 192.168.1.1 5005 interface Dialer1 5005
ip nat inside source static tcp 192.168.1.1 5004 interface Dialer1 5004
ip nat inside source static tcp 192.168.1.1 5003 interface Dialer1 5003
ip nat inside source static tcp 192.168.1.1 5002 interface Dialer1 5002
ip nat inside source static tcp 192.168.1.1 5001 interface Dialer1 5001
ip nat inside source static tcp 192.168.1.1 5000 interface Dialer1 5000
ip nat inside source static tcp 192.168.1.1 113 interface Dialer1 113
ip nat inside source static udp 192.168.1.1 113 interface Dialer1 113
ip nat inside source static udp 192.168.1.1 54321 interface Dialer1 54321
ip nat inside source static tcp 192.168.1.1 54321 interface Dialer1 54321
ip nat inside source static tcp 192.168.1.1 3389 interface Dialer1 3389
ip nat inside source static tcp 192.168.1.1 3784 interface Dialer1 3784
ip nat inside source static tcp 192.168.1.1 21 interface Dialer1 21
ip nat inside source static tcp 192.168.1.1 12345 interface Dialer1 12345
ip nat inside source static tcp 192.168.1.1 5900 interface Dialer1 5900
!
logging trap debugging
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.2.0 0.0.0.255
access-list 10 permit 192.168.1.1
access-list 11 permit 192.168.2.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 192.168.2.0 0.0.0.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp any any eq ftp
access-list 101 permit udp any any eq 113
access-list 101 deny   ip 192.168.2.0 0.0.0.255 any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 permit udp any any eq 3784
access-list 101 permit tcp any any eq 3784
access-list 101 permit tcp any any eq 5900
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit tcp any any eq 12345
access-list 101 permit tcp any any range 12350 12360
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq 54321
access-list 101 permit udp any any eq 54321
access-list 101 permit tcp any any eq ident
access-list 101 permit tcp any any eq 5000
access-list 101 permit tcp any any eq 5001
access-list 101 permit tcp any any eq 5002
access-list 101 permit tcp any any eq 5003
access-list 101 permit tcp any any eq 5004
access-list 101 permit tcp any any eq 5005
access-list 101 deny   ip 192.168.1.0 0.0.0.255 any
access-list 101 deny   icmp any any echo-reply
access-list 101 deny   icmp any any time-exceeded
access-list 101 deny   icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 deny   ip any any
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 103 remark Vlan2 inbound
access-list 103 remark SDM_ACL Category=1
access-list 103 deny   ip 192.168.1.0 0.0.0.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 remark 127.0.0.1
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
no cdp run
!
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device. 
This feature requires the one-time use of the username "cisco" 
with the password "cisco".

Please change these publicly known initial credentials using SDM or the IOS CLI. 
Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want to use. 

For more information about SDM please follow the instructions in the QUICK START 
GUIDE for your router or go to http://www.cisco.com/go/sdm 
-----------------------------------------------------------------------
^C
banner motd ^CCC
			You are Accessing Restricted Equipment
			All Activities are Monitored and Logged
			Unauthorised Use Prohibited

			By accessing you agree to have your activites Monitored and Logged
^C
!
line con 0
 password 7 *******
 no modem enable
 transport output telnet
line aux 0
line vty 0 4
 access-class 102 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

Input and Output on the fe2 is reversed when looking at Upload/Download on the Dialer1 interface.
 
There is some stuff I need to tidy up myself but could you point out what you think is rubbish?

As for not being elegant, it will do for now - at least until I can find out if there is a better solution on an 877.
 
Awesome stuff V-Spec, the explanations on top of the config are appreciated!

Will this work with access-groups matching against IPs or do I still have the NATing screwing that up?

I'm running the latest 12.4 IOS with Advanced IP, which I guess will support this.
 
Hopefully Option 1 is applicable as I am not shaping my traffic on service priority. Shaping it so that a host range has a set maximum.

Shall have a nose but my police hack job will work for now.

Could you perhaps post an example of tagging ALL packets on Vlan1 with a higher priority?
 