[c-nsp] NAT randomly stops after a few hours 1721/3550 vlan arrangement

Sean Shepard sean.shepard at ewavepartners.com
Fri Jun 6 21:37:28 EDT 2008


SCENARIO:

Customer was blaming us (service provider) for their IP phones (Linksys 942
models) resetting, sometimes in the middle of a call, dropping both the call
and their "back of the phone" connected PC.  Customer's IT support/VAR was
not aggressive in resolving the issue (we suspected some kind of LAN issue)
and so, to prove it wasn't us, we stepped a little bit beyond what we
normally do ourselves at the customer location.  We dropped in a 3550 SMI
switch, set up VLANs and trunked to their 1721, where all DHCP activity is
now happening via two DHCP pools.

Devices appear to be showing up in the correct VLAN and are pulling DHCP
from the right pools.  Could not get the Linksys phones to talk through the
VLAN/NAT combination (Polycom worked ok it seemed), so we temporarily dropped
them onto a public IP scheme, which is working fine - we will fix this once
everything else is stable.

What is happening is that DNS resolution through NAT (and possibly other NAT
translations) fails after several hours (or has, twice so far).  This is only
affecting hosts/Windows server on VLAN 1.  Their Windows 2003 server acts as
the DNS for their data network (it refers outside requests to ours).  When
this happens, customer's IT consultant can still remote terminal into their
server (via static port mapping) but can't ping out of their network from
it.  Reloading the router restores service.

Customer is also complaining that data transfer speeds are much slower
between devices on their LAN (they pass around a lot of CAD files).  I'm
certain this must not be set up properly or we're missing something.  Any
guidance is appreciated.

RTP isn't breaking up, so we didn't bother with priority queue settings on
the switch.  Error counts, drops and resets are ZERO on every single "show
int" counter.  I'd prefer not to go back to them and recommend the brute
force fix of just physically separating the networks.

ROUTER "SHOW VER" RELEVANT OUTPUT:

(note: I've been thinking about downgrading to a stable 12.3 release we like
- 12.4(1a) can't be good ?????)

Router#show ver
Cisco IOS Software, C1700 Software (C1700-IPBASE-M), Version 12.4(1a),
RELEASE SOFTWARE (fc2)

ROM: System Bootstrap, Version 12.2(7r)XM2, RELEASE SOFTWARE (fc1)

Router uptime is 5 hours, 34 minutes
System returned to ROM by reload at 17:29:46 UTC Fri Jun 6 2008
System restarted at 17:32:00 UTC Fri Jun 6 2008
System image file is "flash:c1700-ipbase-mz.124-1a.bin"

Cisco 1721 (MPC860P) processor (revision 0x500) with 58405K/7131K bytes of
memory.
Processor board ID FOC09246Q0T (879918233), with hardware revision 0000
MPC860P processor: part number 5, mask 2
1 Ethernet interface
1 FastEthernet interface
32K bytes of NVRAM.
32768K bytes of processor board System flash (Read/Write)


ROUTER CONFIGURATION:

version 12.4
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
no ip dhcp use vrf connected
no ip dhcp conflict logging
ip dhcp excluded-address 10.0.0.254
ip dhcp excluded-address xx.xx.xx.97
ip dhcp excluded-address xx.xx.xx.98
ip dhcp excluded-address 10.0.0.1 10.0.0.10
ip dhcp excluded-address 10.0.0.100 10.0.0.110
!
ip dhcp pool phones
   network xx.xx.xx.96 255.255.255.224
   default-router xx.xx.xx.97
   dns-server xx.xx.xx.xx xx.xx.xx.xx
   option 66 ascii "xxxx.xxxxxxxxx.com"
   lease 30
!
ip dhcp pool data
   network 10.0.0.0 255.255.255.0
   default-router 10.0.0.1
   dns-server 10.0.0.100   [cust. Windows server]
   lease 30
!
ip name-server xx.xx.xx.xx
ip name-server xx.xx.xx.xx
!
class-map match-all smtp-filter
 match access-group 102
class-map match-all voip-sip
 match access-group 101
class-map match-all voip-rtp
 match access-group 100
!
!
policy-map voip
 class voip-rtp
  priority 960
 class voip-sip
  bandwidth 56
 class class-default
  fair-queue
policy-map inbound
 class smtp-filter
!
interface Ethernet0
 ip address xx.xx.xx.238 255.255.255.252
 ip nat outside
 load-interval 60
 full-duplex
 no cdp enable
 service-policy input inbound
 service-policy output voip
!
interface FastEthernet0
 no ip address
 speed 100
 full-duplex
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 no snmp trap link-status
!
interface FastEthernet0.2
 encapsulation dot1Q 2
 ip address xx.xx.xx.97 255.255.255.224
 no snmp trap link-status
!
ip classless
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.237
!
no ip http server
ip nat inside source list 10 interface Ethernet0 overload
ip nat inside source static tcp 10.0.0.100 25 interface Ethernet0 25
ip nat inside source static tcp 10.0.0.100 3389 interface Ethernet0 3389
ip nat inside source static tcp 10.0.0.100 443 interface Ethernet0 443
ip nat inside source static tcp 10.0.0.100 80 interface Ethernet0 80
!
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 100 permit ip any any dscp ef
access-list 101 permit ip any any dscp af31
access-list 102 permit tcp xx.xx.0.0 0.0.255.255 any eq smtp
access-list 102 deny   tcp any any eq smtp
access-list 102 permit ip any any
!
control-plane
!
end


CISCO 3550 SWITCH INFORMATION:

SWITCH#show ver
Cisco IOS Software, C3550 Software (C3550-IPBASE-M), Version 12.2(25)SEB4,
RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Tue 30-Aug-05 13:14 by yenanh

ROM: Bootstrap program is C3550 boot loader

SWITCH uptime is 3 days, 1 hour, 33 minutes
System returned to ROM by power-on
System image file is
"flash:c3550-ipbase-mz.122-25.SEB4/c3550-ipbase-mz.122-25.SEB4.bin"

Cisco WS-C3550-24 (PowerPC) processor (revision R0) with 65526K/8192K bytes
of memory.
Processor board ID CAT0946N39P
Last reset from warm-reset
Running Layer2/3 Switching Image

384K bytes of flash-simulated NVRAM.


CISCO 3550 SWITCH CONFIGURATION:

version 12.2
mls qos
ip subnet-zero
ip name-server xx.xx.xx.xx
ip name-server xx.xx.xx.xx
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
 switchport mode access
 switchport voice vlan 2
 mls qos trust dscp
 spanning-tree portfast
!
! [ports 1-11 configured identically]
!
interface FastEthernet0/12
 description WINDOWS 2003 SERVER
 switchport mode access
 mls qos trust dscp
 spanning-tree portfast
!
interface FastEthernet0/13
 switchport mode access
 switchport voice vlan 2
 mls qos trust dscp
 spanning-tree portfast
!
! [ports 13-23 configured identically]
!
interface FastEthernet0/24
 description UPLINK TO 1721 ROUTER
 switchport trunk encapsulation dot1q
 switchport mode trunk
 duplex full
 speed 100
!
interface Vlan1
 ip address 10.0.0.254 255.255.255.0
!
interface Vlan2
 ip address xx.xx.xx.98 255.255.255.224
!
ip classless
!
control-plane
!
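Added diagnostic, not part of the original post: before the next reload, the state worth capturing on the 1721 is the NAT table itself ("show ip nat translations"), since the post only shows the configuration. The script below parses that output in the column layout IOS prints and summarizes how many entries are static port mappings versus dynamic overload entries, and how many UDP/53 translations each inside host holds, so the 10.0.0.100 server's outbound DNS can be checked directly rather than inferred from a failed ping. The sample table is constructed (RFC 5737 addresses stand in for the masked public ones); the function names are the author's own.

```python
import re
from collections import Counter

# Constructed sample of "show ip nat translations" output in the IOS column
# format.  Not from the original post: 203.0.113.238 stands in for the masked
# Ethernet0 address and 198.51.100.x for the upstream DNS/web hosts.
SAMPLE_NAT_TABLE = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.238:3389 10.0.0.100:3389    ---                ---
tcp 203.0.113.238:25   10.0.0.100:25      ---                ---
udp 203.0.113.238:1024 10.0.0.100:1024    198.51.100.10:53   198.51.100.10:53
udp 203.0.113.238:1025 10.0.0.100:1025    198.51.100.10:53   198.51.100.10:53
udp 203.0.113.238:1026 10.0.0.100:1026    198.51.100.11:53   198.51.100.11:53
tcp 203.0.113.238:1100 10.0.0.23:1100     198.51.100.80:80   198.51.100.80:80
icmp 203.0.113.238:512 10.0.0.23:512      198.51.100.1:512   198.51.100.1:512
"""

# One translation per line: protocol plus four address:port columns.
# Static entries without a current session show "---" in the outside columns.
ROW = re.compile(r"^(\w+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_translations(text):
    """Return one dict per translation row; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m or m.group(1) == "Pro":
            continue
        proto, ig, il, ol, og = m.groups()
        rows.append({"proto": proto, "inside_global": ig, "inside_local": il,
                     "outside_local": ol, "outside_global": og})
    return rows


def summarize(rows):
    """Counts to compare between a working and a failed state: static mappings
    (the 10.0.0.100 port forwards), dynamic overload entries, and how many
    UDP/53 translations each inside host currently holds."""
    static = [r for r in rows if r["outside_global"] == "---"]
    dynamic = [r for r in rows if r["outside_global"] != "---"]
    dns_by_host = Counter(
        r["inside_local"].rsplit(":", 1)[0]
        for r in dynamic
        if r["proto"] == "udp" and r["outside_global"].endswith(":53"))
    return {"total": len(rows), "static": len(static),
            "dynamic": len(dynamic), "dns_by_host": dict(dns_by_host)}


if __name__ == "__main__":
    print(summarize(parse_translations(SAMPLE_NAT_TABLE)))
```

A capture taken while DNS is failing that shows the static entries present but no UDP/53 entries for 10.0.0.100 points at the dynamic overload translations rather than the port mappings, which matches the symptom of RDP still working while outbound lookups do not.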
