[c-nsp] NAT randomly stops after a few hours 1721/3550 vlan arrangement
Andrew Gristina
agristina+cisco-nsp at gmail.com
Fri Jun 6 23:47:25 EDT 2008
Check "show proc cpu hist" after it happens. A 1721 should not be
doing router on a stick for a 100Mb network. It can barely forward
12Mb/s CEF switched, much less NAT, ACL, QoS, DHCP and whatever else
it is doing. Make the 3550 a L3 switch; if you have to keep DHCP on
the 1721, use a DHCP forwarder, and use a choke network.
They can't forward stuff on their LAN because of the router on a stick config.
And open a TAC case.
On Fri, Jun 6, 2008 at 6:37 PM, Sean Shepard
<sean.shepard at ewavepartners.com> wrote:
> SCENARIO:
>
> Customer was blaming us (service provider) for their IP phones (Linksys 942
> models) resetting, sometimes in the middle of a call dropping both the call
> and their "back of the phone" connected PC. Customer's IT support/VAR was
> not aggressive in resolving the issue (we suspected some kind of LAN issue)
> and so, to prove it wasn't us, we stepped a little bit beyond what we
> normally do ourselves at the customer location. We dropped in a 3550 SMI
> switch, set up VLANs and trunked to their 1721 where all DHCP activity is
> now happening via two DHCP pools.
>
> Devices appear to be showing up in the correct VLAN and are pulling DHCP
> from the right pools. Could not get the Linksys phones to talk through the
> VLAN/NAT combination (Polycom worked ok it seemed) so we temporarily dropped
> them onto a public IP scheme which is working fine - we will fix this once
> everything else is stable.
>
> What is happening is that DNS resolution through NAT (and possibly other NAT
> translations) fails after several hours (or has twice). This is only
> affecting hosts/Windows server on VLAN 1. Their Windows 2003 server acts as
> the DNS for their data network (it refers outside requests to ours). When
> this happens, customer's IT consultant can still remote terminal into their
> server (via static port mapping) but can't ping out of their network from
> it. Reloading the router restores service.
>
> Customer is also complaining that data transfer speeds are much slower
> between devices on their LAN (they pass around a lot of CAD files). I'm
> certain this must not be set up properly or we're missing something. Any
> guidance is appreciated.
>
> RTP isn't breaking up so we didn't bother with priority queue settings on
> the switch. Error counts, drops and resets are ZERO on every single "show
> int" counters. I'd prefer not to go back to them and recommend the brute
> force fix of just physically separating the networks.
>
> ROUTER "SHOW VER" RELEVANT OUTPUT:
>
> (note: I've been thinking about downgrading to a stable 12.3 release we like
> - 12.4(1a) can't be good ?????)
>
> Router#show ver
> Cisco IOS Software, C1700 Software (C1700-IPBASE-M), Version 12.4(1a),
> RELEASE SOFTWARE (fc2)
> ROM: System Bootstrap, Version 12.2(7r)XM2, RELEASE SOFTWARE (fc1)
>
> Router uptime is 5 hours, 34 minutes
> System returned to ROM by reload at 17:29:46 UTC Fri Jun 6 2008
> System restarted at 17:32:00 UTC Fri Jun 6 2008
> System image file is "flash:c1700-ipbase-mz.124-1a.bin"
>
> Cisco 1721 (MPC860P) processor (revision 0x500) with 58405K/7131K bytes of
> memory.
> Processor board ID FOC09246Q0T (879918233), with hardware revision 0000
> MPC860P processor: part number 5, mask 2
> 1 Ethernet interface
> 1 FastEthernet interface
> 32K bytes of NVRAM.
> 32768K bytes of processor board System flash (Read/Write)
>
> ROUTER CONFIGURATION:
>
> version 12.4
> !
> resource policy
> !
> mmi polling-interval 60
> no mmi auto-configure
> no mmi pvc
> mmi snmp-timeout 180
> ip subnet-zero
> ip cef
> !
> no ip dhcp use vrf connected
> no ip dhcp conflict logging
> ip dhcp excluded-address 10.0.0.254
> ip dhcp excluded-address xx.xx.xx.97
> ip dhcp excluded-address xx.xx.xx.98
> ip dhcp excluded-address 10.0.0.1 10.0.0.10
> ip dhcp excluded-address 10.0.0.100 10.0.0.110
> !
> ip dhcp pool phones
>    network xx.xx.xx.96 255.255.255.224
>    default-router xx.xx.xx.97
>    dns-server xx.xx.xx.xx xx.xx.xx.xx
>    option 66 ascii "xxxx.xxxxxxxxx.com"
>    lease 30
> !
> ip dhcp pool data
>    network 10.0.0.0 255.255.255.0
>    default-router 10.0.0.1
>    dns-server 10.0.0.100 [cust. Windows server]
>    lease 30
> !
> ip name-server xx.xx.xx.xx
> ip name-server xx.xx.xx.xx
> !
> class-map match-all smtp-filter
>  match access-group 102
> class-map match-all voip-sip
>  match access-group 101
> class-map match-all voip-rtp
>  match access-group 100
> !
> policy-map voip
>  class voip-rtp
>   priority 960
>  class voip-sip
>   bandwidth 56
>  class class-default
>   fair-queue
> policy-map inbound
>  class smtp-filter
> !
> interface Ethernet0
>  ip address xx.xx.xx.238 255.255.255.252
>  ip nat outside
>  load-interval 60
>  full-duplex
>  no cdp enable
>  service-policy input inbound
>  service-policy output voip
> !
> interface FastEthernet0
>  no ip address
>  speed 100
>  full-duplex
> !
> interface FastEthernet0.1
>  encapsulation dot1Q 1 native
>  ip address 10.0.0.1 255.255.255.0
>  ip nat inside
>  no snmp trap link-status
> !
> interface FastEthernet0.2
>  encapsulation dot1Q 2
>  ip address xx.xx.xx.97 255.255.255.224
>  no snmp trap link-status
> !
> ip classless
> ip route 0.0.0.0 0.0.0.0 xx.xx.xx.237
> !
> no ip http server
> ip nat inside source list 10 interface Ethernet0 overload
> ip nat inside source static tcp 10.0.0.100 25 interface Ethernet0 25
> ip nat inside source static tcp 10.0.0.100 3389 interface Ethernet0 3389
> ip nat inside source static tcp 10.0.0.100 443 interface Ethernet0 443
> ip nat inside source static tcp 10.0.0.100 80 interface Ethernet0 80
> !
> access-list 10 permit 10.0.0.0 0.0.0.255
> access-list 100 permit ip any any dscp ef
> access-list 101 permit ip any any dscp af31
> access-list 102 permit tcp xx.xx.0.0 0.0.255.255 any eq smtp
> access-list 102 deny tcp any any eq smtp
> access-list 102 permit ip any any
> !
> control-plane
> !
> end
>
> CISCO 3550 SWITCH INFORMATION:
>
> SWITCH#show ver
> Cisco IOS Software, C3550 Software (C3550-IPBASE-M), Version 12.2(25)SEB4,
> RELEASE SOFTWARE (fc1)
> Copyright (c) 1986-2005 by Cisco Systems, Inc.
> Compiled Tue 30-Aug-05 13:14 by yenanh
> ROM: Bootstrap program is C3550 boot loader
>
> SWITCH uptime is 3 days, 1 hour, 33 minutes
> System returned to ROM by power-on
> System image file is
> "flash:c3550-ipbase-mz.122-25.SEB4/c3550-ipbase-mz.122-25.SEB4.bin"
>
> Cisco WS-C3550-24 (PowerPC) processor (revision R0) with 65526K/8192K bytes
> of memory.
> Processor board ID CAT0946N39P
> Last reset from warm-reset
> Running Layer2/3 Switching Image
> 384K bytes of flash-simulated NVRAM.
>
> CISCO 3550 SWITCH CONFIGURATION:
>
> version 12.2
> mls qos
> ip subnet-zero
> ip name-server xx.xx.xx.xx
> ip name-server xx.xx.xx.xx
> !
> no file verify auto
> spanning-tree mode pvst
> spanning-tree extend system-id
> !
> vlan internal allocation policy ascending
> !
> interface FastEthernet0/1
>  switchport mode access
>  switchport voice vlan 2
>  mls qos trust dscp
>  spanning-tree portfast
> !
> ! [ports 1-11 configured identically]
> !
> interface FastEthernet0/12
>  description WINDOWS 2003 SERVER
>  switchport mode access
>  mls qos trust dscp
>  spanning-tree portfast
> !
> interface FastEthernet0/13
>  switchport mode access
>  switchport voice vlan 2
>  mls qos trust dscp
>  spanning-tree portfast
> !
> ! [ports 13-23 configured identically]
> !
> interface FastEthernet0/24
>  description UPLINK TO 1721 ROUTER
>  switchport trunk encapsulation dot1q
>  switchport mode trunk
>  duplex full
>  speed 100
> !
> interface Vlan1
>  ip address 10.0.0.254 255.255.255.0
> !
> interface Vlan2
>  ip address xx.xx.xx.98 255.255.255.224
> !
> ip classless
> !
> control-plane
> !
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
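The layout the reply recommends (3550 as the L3 switch, DHCP relayed to the 1721, a "choke" network between the two), written out as an added example. This is not config from either poster and has not been run on this hardware; the 10.0.1.0/30 link addressing, the choice of a routed port for Fa0/24 and the check commands at the end are my assumptions, everything else reuses the addresses already in the posted configs. The 3550's SMI (IP Base) image supports static routing, which is all this needs.

```ios
! ===== 3550: route between its own VLANs, relay DHCP, one routed uplink =====
ip routing
!
interface Vlan1
 ip address 10.0.0.254 255.255.255.0
 ! relay broadcasts to the 1721; giaddr 10.0.0.254 makes it pick pool "data"
 ip helper-address 10.0.1.1
!
interface Vlan2
 ip address xx.xx.xx.98 255.255.255.224
 ! giaddr xx.xx.xx.98 makes the 1721 pick pool "phones"
 ip helper-address 10.0.1.1
!
! the trunk becomes a routed /30 (10.0.1.0/30 is an assumed address)
interface FastEthernet0/24
 description ROUTED LINK TO 1721
 no switchport
 ip address 10.0.1.2 255.255.255.252
 duplex full
 speed 100
!
ip route 0.0.0.0 0.0.0.0 10.0.1.1
!
! ===== 1721: one routed interface, no subinterfaces, NAT and DHCP stay here =====
interface FastEthernet0
 ip address 10.0.1.1 255.255.255.252
 ip nat inside
 speed 100
 full-duplex
!
! the customer subnets now sit behind the 3550
ip route 10.0.0.0 255.255.255.0 10.0.1.2
ip route xx.xx.xx.96 255.255.255.224 10.0.1.2
!
! the 1721 no longer owns 10.0.0.1 / xx.xx.xx.97, so the pools must hand out the SVI addresses
ip dhcp pool data
 default-router 10.0.0.254
ip dhcp pool phones
 default-router xx.xx.xx.98
!
! NAT ACL unchanged: only the data VLAN is translated, the phones keep their public /27
access-list 10 permit 10.0.0.0 0.0.0.255
!
! Checks while the fault is present (1721 unless noted):
!   show processes cpu history            sustained high CPU is the reply's first suspect
!   show ip nat statistics                total/active translations, hits and misses
!   show ip nat translations | include 10.0.0.100
!   clear ip nat translation *            drops every active session; if this alone
!                                         restores service the table, not the box, is at fault
!   show ip dhcp binding                  confirm relayed leases land in the right pool
!   show ip route                         3550: default via 10.0.1.1; 1721: both subnets via 10.0.1.2
```

Two things worth knowing about the posted router config before cutting over. The `policy-map inbound` applied to Ethernet0 has a `class smtp-filter` with no action under it, so despite access-list 102 it drops nothing; if inbound SMTP is meant to be restricted to the provider's range, an `ip access-group` on Ethernet0 is the place to do it. The static mappings publish TCP 25, 80, 443 and 3389 of 10.0.0.100 on the outside address, and with the inbound policy-map inert nothing in this config limits who can reach them.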