[c-nsp] NAT randomly stops after a few hours 1721/3550 vlan arrangement

Sean Shepard sean.shepard at ewavepartners.com
Sat Jun 7 00:05:55 EDT 2008


CPU utilization is not averaging very high.  We're not routing between the
VLANs, so "router on a stick" doesn't really apply, does it?

It's only 1-2 Mbps in on the 10 Mbps Ethernet interface for their IP access
and then parsed out to the appropriate VLAN via the FastEthernet
sub-interfaces.  Intra-(V)LAN traffic should stay on the 3550 unless headed
out the gateway, yes?

I see what you're saying about putting the 3550 in full L3 operation and
using (I presume) "ip helper-address", which looks like it can be configured
on each VLAN.
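As an added illustration (it is not configuration from either poster), here is the layout Andrew describes below: the 3550 becomes the layer-3 hop for both VLANs, relays DHCP to the pools that stay on the 1721, and reaches the 1721 over a routed /30 "choke" network. The choke addresses 192.168.255.0/30 are assumed; every other address comes from the posted configs. The 1721's DHCP server picks a pool by the relay agent address (giaddr) of the forwarded request, so the existing pools keep working once their default-router points at the SVIs.

```cisco
!==== 3550: make it the layer-3 hop for both VLANs ====
ip routing
!
! Only relay DHCP. With a helper address configured, IOS also forwards
! TFTP, DNS, time, NetBIOS and TACACS broadcasts by default; turn those off.
no ip forward-protocol udp tftp
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
!
interface Vlan1
 ip address 10.0.0.254 255.255.255.0
 ip helper-address 192.168.255.1
!
interface Vlan2
 ip address xx.xx.xx.98 255.255.255.224
 ip helper-address 192.168.255.1
!
interface FastEthernet0/24
 description CHOKE NETWORK TO 1721 ROUTER (assumed 192.168.255.0/30)
 no switchport
 ip address 192.168.255.2 255.255.255.252
 duplex full
 speed 100
!
ip route 0.0.0.0 0.0.0.0 192.168.255.1
!
!==== 1721: routed link to the 3550 replaces the dot1Q sub-interfaces ====
no interface FastEthernet0.1
no interface FastEthernet0.2
!
interface FastEthernet0
 description CHOKE NETWORK TO 3550 (assumed 192.168.255.0/30)
 ip address 192.168.255.1 255.255.255.252
 ip nat inside
 speed 100
 full-duplex
!
! Both customer subnets now sit behind the 3550. ACL 10 still limits the
! overload NAT to 10.0.0.0/24, so the public phone subnet is routed untranslated.
ip route 10.0.0.0 255.255.255.0 192.168.255.2
ip route xx.xx.xx.96 255.255.255.224 192.168.255.2
!
! Hosts' gateway is now the SVI; both SVI addresses are already in the
! excluded-address list of the posted config.
ip dhcp pool data
 default-router 10.0.0.254
ip dhcp pool phones
 default-router xx.xx.xx.98
```

With this in place, traffic between the phone and data VLANs (and the CAD transfers within VLAN 1) is switched on the 3550 and never crosses the 1721's 100 Mb trunk; only traffic to or from the provider uses the choke link. The IPBASE (SMI) 3550 image supports static routes, which is all this needs. The static port maps to 10.0.0.100 keep working because the 1721 now reaches that host through the static route rather than a connected sub-interface.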

-----Original Message-----
From: agristina at gmail.com [mailto:agristina at gmail.com] On Behalf Of Andrew
Gristina
Sent: Friday, June 06, 2008 11:47 PM
To: Sean Shepard
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] NAT randomly stops after a few hours 1721/3550 vlan
arrangement

Check "show proc cpu hist" after it happens.  A 1721 should not be doing
router on a stick for a 100Mb network.  It can barely forward 12Mb/s CEF
switched, much less NAT, ACL, QoS, DHCP and whatever else it is doing.
Make the 3550 an L3 switch; if you have to keep DHCP on the 1721 use DHCP
forwarder, use a choke network.

They can't forward stuff on their LAN because of the router on a stick
config.

And open a TAC case.

On Fri, Jun 6, 2008 at 6:37 PM, Sean Shepard
<sean.shepard at ewavepartners.com> wrote:
> SCENARIO:
>
> Customer was blaming us (service provider) for their IP phones (Linksys 942
> models) resetting, sometimes in the middle of a call dropping both the
> call and their "back of the phone" connected PC.  Customer's IT
> support/VAR was not aggressive in resolving the issue (we suspected
> some kind of LAN issue) and so, to prove it wasn't us, we stepped a
> little bit beyond what we normally do ourselves at the customer
> location.  We dropped in a 3550 SMI switch, set up VLANs and trunked
> to their 1721 where all DHCP activity is now happening via two DHCP pools.
>
> Devices appear to be showing up in the correct VLAN and are pulling
> DHCP from the right pools.  Could not get the Linksys phones to talk
> through the VLAN/NAT combination (Polycom worked ok it seemed) so we
> temporarily dropped them onto a public IP scheme which is working fine
> - we will fix this once everything else is stable.
>
> What is happening is that DNS resolution through NAT (and possibly other NAT
> translations) fails after several hours (or has twice).  This is only
> affecting hosts/windows server on VLAN 1.  Their Windows 2003 server
> acts as the DNS for their data network (it refers outside requests to
> ours).  When this happens, customer's IT consultant can still remote
> terminal into their server (via static port mapping) but can't ping
> out of their network from it.  Reloading the router restores service.
>
> Customer is also complaining that data transfer speeds are much slower
> between devices on their LAN (they pass around a lot of CAD files).  I'm
> certain this must not be set up properly or we're missing something.
> Any guidance is appreciated.
>
> RTP isn't breaking up so we didn't bother with priority queue settings
> on the switch.  Error counts, drops and resets are ZERO on every
> single "show int" counter.  I'd prefer not to go back to them and
> recommend the brute force fix of just physically separating the networks.
>
> ROUTER "SHOW VER" RELEVANT OUTPUT:
>
> (note: I've been thinking about downgrading to a stable 12.3 release we like
> - 12.4(1a) can't be good ?????)
>
>
>
> Router#show ver
>
> Cisco IOS Software, C1700 Software (C1700-IPBASE-M), Version 12.4(1a),
> RELEASE SOFTWARE (fc2)
> ROM: System Bootstrap, Version 12.2(7r)XM2, RELEASE SOFTWARE (fc1)
>
> Router uptime is 5 hours, 34 minutes
> System returned to ROM by reload at 17:29:46 UTC Fri Jun 6 2008
> System restarted at 17:32:00 UTC Fri Jun 6 2008
> System image file is "flash:c1700-ipbase-mz.124-1a.bin"
>
> Cisco 1721 (MPC860P) processor (revision 0x500) with 58405K/7131K
> bytes of memory.
> Processor board ID FOC09246Q0T (879918233), with hardware revision 0000
> MPC860P processor: part number 5, mask 2
> 1 Ethernet interface
> 1 FastEthernet interface
> 32K bytes of NVRAM.
> 32768K bytes of processor board System flash (Read/Write)
>
>
>
>
>
> ROUTER CONFIGURATION:
>
> version 12.4
> !
> resource policy
> !
> mmi polling-interval 60
> no mmi auto-configure
> no mmi pvc
> mmi snmp-timeout 180
> ip subnet-zero
> ip cef
> !
> no ip dhcp use vrf connected
> no ip dhcp conflict logging
> ip dhcp excluded-address 10.0.0.254
> ip dhcp excluded-address xx.xx.xx.97
> ip dhcp excluded-address xx.xx.xx.98
> ip dhcp excluded-address 10.0.0.1 10.0.0.10
> ip dhcp excluded-address 10.0.0.100 10.0.0.110
> !
> ip dhcp pool phones
>    network xx.xx.xx.96 255.255.255.224
>    default-router xx.xx.xx.97
>    dns-server xx.xx.xx.xx xx.xx.xx.xx
>    option 66 ascii "xxxx.xxxxxxxxx.com"
>    lease 30
> !
> ip dhcp pool data
>    network 10.0.0.0 255.255.255.0
>    default-router 10.0.0.1
>    dns-server 10.0.0.100   [cust. Windows server]
>    lease 30
> !
> ip name-server xx.xx.xx.xx
> ip name-server xx.xx.xx.xx
> !
> class-map match-all smtp-filter
>  match access-group 102
> class-map match-all voip-sip
>  match access-group 101
> class-map match-all voip-rtp
>  match access-group 100
> !
> !
> policy-map voip
>  class voip-rtp
>   priority 960
>  class voip-sip
>   bandwidth 56
>  class class-default
>   fair-queue
> policy-map inbound
>  class smtp-filter
> !
> interface Ethernet0
>  ip address xx.xx.xx.238 255.255.255.252
>  ip nat outside
>  load-interval 60
>  full-duplex
>  no cdp enable
>  service-policy input inbound
>  service-policy output voip
> !
> interface FastEthernet0
>  no ip address
>  speed 100
>  full-duplex
> !
> interface FastEthernet0.1
>  encapsulation dot1Q 1 native
>  ip address 10.0.0.1 255.255.255.0
>  ip nat inside
>  no snmp trap link-status
> !
> interface FastEthernet0.2
>  encapsulation dot1Q 2
>  ip address xx.xx.xx.97 255.255.255.224
>  no snmp trap link-status
> !
> ip classless
> ip route 0.0.0.0 0.0.0.0 xx.xx.xx.237
> !
> no ip http server
> ip nat inside source list 10 interface Ethernet0 overload
> ip nat inside source static tcp 10.0.0.100 25 interface Ethernet0 25
> ip nat inside source static tcp 10.0.0.100 3389 interface Ethernet0 3389
> ip nat inside source static tcp 10.0.0.100 443 interface Ethernet0 443
> ip nat inside source static tcp 10.0.0.100 80 interface Ethernet0 80
> !
> access-list 10 permit 10.0.0.0 0.0.0.255
> access-list 100 permit ip any any dscp ef
> access-list 101 permit ip any any dscp af31
> access-list 102 permit tcp xx.xx.0.0 0.0.255.255 any eq smtp
> access-list 102 deny   tcp any any eq smtp
> access-list 102 permit ip any any
> !
> control-plane
> !
> end
>
>
>
>
>
>
>
> CISCO 3550 SWITCH INFORMATION:
>
> SWITCH#show ver
>
> Cisco IOS Software, C3550 Software (C3550-IPBASE-M), Version
> 12.2(25)SEB4, RELEASE SOFTWARE (fc1)
> Copyright (c) 1986-2005 by Cisco Systems, Inc.
> Compiled Tue 30-Aug-05 13:14 by yenanh
>
> ROM: Bootstrap program is C3550 boot loader
>
> SWITCH uptime is 3 days, 1 hour, 33 minutes
> System returned to ROM by power-on
> System image file is
> "flash:c3550-ipbase-mz.122-25.SEB4/c3550-ipbase-mz.122-25.SEB4.bin"
>
> Cisco WS-C3550-24 (PowerPC) processor (revision R0) with 65526K/8192K
> bytes of memory.
> Processor board ID CAT0946N39P
> Last reset from warm-reset
> Running Layer2/3 Switching Image
>
> 384K bytes of flash-simulated NVRAM.
>
>
>
>
>
> CISCO 3550 SWITCH CONFIGURATION:
>
> version 12.2
> mls qos
> ip subnet-zero
> ip name-server xx.xx.xx.xx
> ip name-server xx.xx.xx.xx
> !
> !
> no file verify auto
> spanning-tree mode pvst
> spanning-tree extend system-id
> !
> vlan internal allocation policy ascending
> !
> interface FastEthernet0/1
>  switchport mode access
>  switchport voice vlan 2
>  mls qos trust dscp
>  spanning-tree portfast
> !
> ! [ports 1-11 configured identically]
> !
> interface FastEthernet0/12
>  description WINDOWS 2003 SERVER
>  switchport mode access
>  mls qos trust dscp
>  spanning-tree portfast
> !
> interface FastEthernet0/13
>  switchport mode access
>  switchport voice vlan 2
>  mls qos trust dscp
>  spanning-tree portfast
> !
> ! [ports 13-23 configured identically]
> !
> interface FastEthernet0/24
>  description UPLINK TO 1721 ROUTER
>  switchport trunk encapsulation dot1q
>  switchport mode trunk
>  duplex full
>  speed 100
> !
> interface Vlan1
>  ip address 10.0.0.254 255.255.255.0
> !
> interface Vlan2
>  ip address xx.xx.xx.98 255.255.255.224
> !
> ip classless
> !
> control-plane
> !
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net 
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
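An added example, not code from anyone in the thread: a small checker that parses the NAT-relevant parts of an IOS configuration and reports what the static port maps expose on the NAT outside interface and whether that interface applies an inbound access-list. The sample configuration embedded below is constructed to mirror the posted 1721 config (the masked public addresses are replaced with 203.0.113.x documentation addresses); the port list in `ADMIN_PORTS` and the function names are this example's own choices.

```python
"""Checker for the NAT exposure of a Cisco IOS config (added example)."""

import re

# Constructed sample: mirrors the NAT-relevant lines of the posted 1721 config.
SAMPLE_CONFIG = """\
interface Ethernet0
 ip address 203.0.113.238 255.255.255.252
 ip nat outside
 service-policy input inbound
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 10 interface Ethernet0 overload
ip nat inside source static tcp 10.0.0.100 25 interface Ethernet0 25
ip nat inside source static tcp 10.0.0.100 3389 interface Ethernet0 3389
ip nat inside source static tcp 10.0.0.100 443 interface Ethernet0 443
ip nat inside source static tcp 10.0.0.100 80 interface Ethernet0 80
!
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 102 permit ip any any
"""

# Management services that should not face the internet through a bare static map
# (assumed list for this example).
ADMIN_PORTS = {22: "ssh", 23: "telnet", 135: "msrpc", 445: "smb", 3389: "rdp"}

STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$")
DYNAMIC_RE = re.compile(r"^ip nat inside source list (\S+) interface (\S+) overload$")
ACL_RE = re.compile(r"^access-list (\S+) ")


def parse_config(text):
    """Return (interfaces, static_maps, dynamic_maps, acl_names).

    interfaces maps name -> {"nat": "inside"|"outside"|None, "acl_in": name|None}.
    Interface blocks are the indented lines following an 'interface' line.
    """
    interfaces, static_maps, dynamic_maps, acls = {}, [], [], set()
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):            # global-mode command
            current = None
            if line.startswith("interface "):
                current = line.split(None, 1)[1]
                interfaces[current] = {"nat": None, "acl_in": None}
                continue
            m = STATIC_RE.match(line)
            if m:
                proto, in_ip, in_port, out_if, out_port = m.groups()
                static_maps.append((proto, in_ip, int(in_port), out_if, int(out_port)))
                continue
            m = DYNAMIC_RE.match(line)
            if m:
                dynamic_maps.append((m.group(1), m.group(2)))
                continue
            m = ACL_RE.match(line)
            if m:
                acls.add(m.group(1))
            continue
        if current is None:                     # indented line outside any interface
            continue
        cmd = line.strip()
        if cmd == "ip nat outside":
            interfaces[current]["nat"] = "outside"
        elif cmd == "ip nat inside":
            interfaces[current]["nat"] = "inside"
        elif cmd.startswith("ip access-group ") and cmd.endswith(" in"):
            interfaces[current]["acl_in"] = cmd.split()[2]
    return interfaces, static_maps, dynamic_maps, acls


def audit(text):
    """Return a sorted list of findings (strings) for the configuration."""
    interfaces, static_maps, dynamic_maps, acls = parse_config(text)
    findings = []
    outside = {n for n, i in interfaces.items() if i["nat"] == "outside"}
    if not outside:
        findings.append("no interface is marked 'ip nat outside'")
    if not any(i["nat"] == "inside" for i in interfaces.values()):
        findings.append("no interface is marked 'ip nat inside'")
    for acl, ifname in dynamic_maps:
        if acl not in acls:
            findings.append(f"overload NAT references missing access-list {acl}")
        if ifname not in outside:
            findings.append(f"overload NAT uses {ifname}, which is not 'ip nat outside'")
    for proto, in_ip, in_port, ifname, out_port in static_maps:
        iface = interfaces.get(ifname, {"acl_in": None})
        if out_port in ADMIN_PORTS and iface["acl_in"] is None:
            findings.append(f"{ADMIN_PORTS[out_port]} ({proto}/{out_port}) on {ifname} "
                            f"is mapped to {in_ip}:{in_port} with no inbound access-list")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the sample, the only finding is the RDP map: tcp/3389 on Ethernet0 is forwarded to 10.0.0.100 and the interface carries no `ip access-group ... in`. The `service-policy input inbound` on that interface does not change this: in the posted config the `policy-map inbound` has no action under `class smtp-filter`, and access-list 102 ends in `permit ip any any`, so the policy only classifies traffic. An inbound ACL limiting tcp/3389 to the consultant's source addresses is the check this script looks for.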