[cisco-voip] Configure Cisco 871 Branch Office VoIP

Lead Solution lead.solution at gmail.com
Mon Nov 20 22:37:49 EST 2006


Hi Matthew,
Thank you for your reply.
I have a 2MB ADSL connection at the branch office where the 871 is located.
Regarding the IOS firewall, as this is still not in production I will configure
it once I get all other issues sorted out. QoS was automatically generated as
part of the auto qos voip trust command on the interface, and I have added the
parts below:
policy-map Shape-2MB
 class class-default
  shape average 2000000
  service-policy AutoQoS-Policy-Trust

Which changes do you recommend to keep my Priority Queue / LLQ < 35% of
total bandwidth?
Thanks again everyone, I would greatly appreciate your comments when you
have time.

Manoj


On 11/21/06, Linsemier, Matthew <MLinsemier at apcapital.com> wrote:
>
>  Manoj,
>
>
>
> Can you provide a few more details?
>
>
>
>    - Is this a public or private circuit?
>    - Is this a symmetrical 2mb link?
>
>
>
> Some things to look at:
>
>
>
>    - No IOS firewall has been enabled (if this is a public link, you
>    will want to do this)
>    - As a best practice Cisco states that you should keep your Priority
>    Queue / LLQ < 35% of total bandwidth
>    - As a security best practice you may want to disable telnet and
>    http and stick with ssh and https
>    - If you want to track MoS and other IP voice related statistics,
>    you may want to implement IP SLA
>
>
>
> Matt
>
>
>
>
>  ------------------------------
>
> *From:* cisco-voip-bounces at puck.nether.net [mailto:
> cisco-voip-bounces at puck.nether.net] *On Behalf Of *Lead Solution
> *Sent:* Monday, November 20, 2006 10:39 AM
> *To:* cisco-voip at puck.nether.net
> *Subject:* [cisco-voip] Configure Cisco 871 Branch Office VoIP
>
>
>
> Hi All,
>
> Below is the configuration of one of our branch office VoIP routers. I
> would like to share it with you guys and see whether someone can suggest
> a better VLAN, QoS configuration. Also, I have policy map 2MB applied for
> FastEthernet 4 and Tunnel. Is this right?
>
> I would greatly appreciate your comments.
>
>
>
> Best regards,
>
> Manoj
>
>
>
> Building configuration...
>
> Current configuration : 7520 bytes
> !
> version 12.4
> no service pad
> service timestamps debug datetime msec
> service timestamps log datetime msec
> no service password-encryption
> !
> hostname XXXXX_871
> !
> boot-start-marker
> boot-end-marker
> !
> logging buffered 51200 warnings
> enable password xxxxxxxx
> !
> aaa new-model
> !
> !
> !
> aaa session-id common
> !
> resource policy
> !
> ip cef
> !
> !
> no ip dhcp use vrf connected
> ip dhcp excluded-address 192.168.5.1 192.168.5.99
> ip dhcp excluded-address 192.168.5.151 192.168.5.254
> ip dhcp excluded-address 172.198.10.1 172.198.10.99
> ip dhcp excluded-address 172.198.10.151 172.198.10.254
> !
> ip dhcp pool VLAN10
>    network 172.198.10.0 255.255.255.0
>    default-router 172.198.10.1
>    domain-name xxxx.com
>    dns-server 211.129.14.134
>    lease 7
> !
> ip dhcp pool VLAN20
>    network 192.168.5.0 255.255.255.0
>    default-router 192.168.5.1
>    domain-name xxxx.com
>    dns-server 211.129.14.134
>    option 150 ip 172.16.0.10
>    lease 7
> !
> !
> no ip domain lookup
> ip domain name xxxx.com
> !
> !
> crypto pki trustpoint TP-self-signed-1440134037
>  enrollment selfsigned
>  subject-name cn=IOS-Self-Signed-Certificate-1440134037
>  revocation-check none
>  rsakeypair TP-self-signed-1440134037
> !
> !
> crypto pki certificate chain TP-self-signed-1440134037
>  certificate self-signed 01
>   3082024A 308201B3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
>   quit
> username pbxl privilege 15 secret 5 $1$Ce8g$9S4kDri6Yyg2gBCVSS1LI0
> !
> !
> class-map match-any AutoQoS-VoIP-RTP-Trust
>  match ip dscp ef
> class-map match-any AutoQoS-VoIP-Control-Trust
>  match ip dscp cs3
>  match ip dscp af31
> !
> !
> policy-map AutoQoS-Policy-Trust
>  class AutoQoS-VoIP-RTP-Trust
>   priority percent 70
>  class AutoQoS-VoIP-Control-Trust
>   bandwidth percent 5
>  class class-default
>   fair-queue
> policy-map Shape-2MB
>  class class-default
>   shape average 2000000
>   service-policy AutoQoS-Policy-Trust
> !
> !
> !
> crypto isakmp policy 10
>  encr 3des
>  hash md5
>  authentication pre-share
>  group 2
> crypto isakmp key 6 xxxxxx address 210.181.112.194 no-xauth
> !
> !
> crypto ipsec transform-set XXXLKAMIYA esp-3des esp-md5-hmac
> !
> crypto ipsec profile GREPRO
>  set transform-set XXXLKAMIYA
> !
> !
> !
> !
> !
> interface Tunnel0
>  bandwidth 2000
>  ip address 10.0.20.2 255.255.255.0
>  tunnel source Dialer0
>  tunnel destination 210.181.112.194
>  tunnel mode ipsec ipv4
>  tunnel protection ipsec profile GREPRO
>  service-policy output Shape-2MB
> !
> interface FastEthernet0
>  description ********** PC/VoIP **********
>  switchport trunk native vlan 10
>  switchport mode trunk
>  switchport voice vlan 20
>  auto qos voip trust
>  spanning-tree portfast
>  service-policy output AutoQoS-Policy-Trust
> !
> interface FastEthernet1
>  description ********** PC/VoIP **********
>  switchport trunk native vlan 10
>  switchport mode trunk
>  switchport voice vlan 20
>  auto qos voip trust
>  spanning-tree portfast
>  service-policy output AutoQoS-Policy-Trust
> !
> interface FastEthernet2
>  description ********** PC/VoIP **********
>  switchport trunk native vlan 10
>  switchport mode trunk
>  switchport voice vlan 20
>  auto qos voip trust
>  spanning-tree portfast
>  service-policy output AutoQoS-Policy-Trust
> !
> interface FastEthernet3
>  description ********** PC/VoIP **********
>  switchport trunk native vlan 10
>  switchport mode trunk
>  switchport voice vlan 20
>  auto qos voip trust
>  spanning-tree portfast
>  service-policy output AutoQoS-Policy-Trust
> !
> interface FastEthernet4
>  bandwidth 2000
>  no ip address
>  ip nat outside
>  ip virtual-reassembly
>  ip tcp adjust-mss 1452
>  duplex auto
>  speed auto
>  pppoe enable
>  pppoe-client dial-pool-number 1
>  service-policy output Shape-2MB
> !
> interface Vlan1
>  description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
>  ip address 172.198.1.1 255.255.255.0
> !
> interface Vlan10
>  description Data Vlan 1
>  ip address 172.198.10.1 255.255.255.0
>  ip nat inside
>  ip virtual-reassembly
>  ip tcp adjust-mss 1452
> !
> interface Vlan20
>  description Voice Vlan 1
>  ip address 192.168.5.1 255.255.255.0
>  ip nat inside
>  ip virtual-reassembly
>  ip tcp adjust-mss 1452
> !
> interface Dialer0
>  bandwidth 2000
>  ip address negotiated
>  ip mtu 1452
>  ip nat outside
>  ip virtual-reassembly
>  encapsulation ppp
>  dialer pool 1
>  dialer-group 1
>  no cdp enable
>  ppp authentication chap pap callin
>  ppp chap hostname xxxxxx8 at ffa.xxx.xxx.com
>  ppp chap password 0 xxxx93
>  ppp pap sent-username xxxxxx8 at ffa.xxx.xxx.com password 0 cyum93
> !
> ip route 0.0.0.0 0.0.0.0 Dialer0
> ip route 172.16.0.0 255.255.0.0 Tunnel0
> !
> !
> ip http server
> ip http access-class 23
> ip http authentication local
> ip http secure-server
> ip http timeout-policy idle 60 life 86400 requests 10000
> ip nat inside source list 1 interface Dialer0 overload
> !
> access-list 1 permit 192.168.5.0 0.0.0.255
> access-list 1 permit 172.198.10.0 0.0.0.255
> dialer-list 1 protocol ip permit
> no cdp run
> !
> !
> !
> !
> control-plane
> !
> rmon event 33333 log trap AutoQoS description "AutoQoS SNMP traps for
> Voice Drops" owner AutoQoS
> rmon alarm 33333 cbQosCMDropBitRate.18.3164929 30 absolute
> rising-threshold 1 33333 falling-threshold 0 owner AutoQoS
> rmon alarm 33334 cbQosCMDropBitRate.34.5364641 30 absolute
> rising-threshold 1 33333 falling-threshold 0 owner AutoQoS
> rmon alarm 33335 cbQosCMDropBitRate.50.14618161 30 absolute
> rising-threshold 1 33333 falling-threshold 0 owner AutoQoS
> rmon alarm 33336 cbQosCMDropBitRate.66.2065329 30 absolute
> rising-threshold 1 33333 falling-threshold 0 owner AutoQoS
> banner login ^C
> -----------------------------------------------------------------------
> Cisco Router and Security Device Manager (SDM) is installed on this
> device.
> This feature requires the one-time use of the username "cisco"
> with the password "cisco". The default username and password have a
> privilege level of 15.
>
> Please change these publicly known initial credentials using SDM or the
> IOS CLI.
> Here are the Cisco IOS commands.
>
> username <myuser>  privilege 15 secret 0 <mypassword>
> no username cisco
>
> Replace <myuser> and <mypassword> with the username and password you want
> to use.
>
> For more information about SDM please follow the instructions in the QUICK
> START
> GUIDE for your router or go to http://www.cisco.com/go/sdm
> -----------------------------------------------------------------------
> ^C
> !
> line con 0
>  no modem enable
> line aux 0
> line vty 0 4
>  length 0
>  transport input telnet ssh
> !
> scheduler max-task-time 5000
> end
>
>
>
>
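
An added example, not part of either poster's message: a small Python check that scans a running-config for the review points raised in the reply (LLQ above 35%, telnet on the vty lines, plaintext HTTP server, no IOS firewall inspection rules). The function name `audit`, the finding keys and the `ip inspect` test for the firewall are assumptions of this example; `SAMPLE` is constructed from lines of the configuration quoted above.

```python
import re

LLQ_LIMIT = 35  # percent, the guideline quoted in the thread

# Constructed sample: lines copied from the running-config quoted above.
SAMPLE = """\
policy-map AutoQoS-Policy-Trust
 class AutoQoS-VoIP-RTP-Trust
  priority percent 70
policy-map Shape-2MB
 class class-default
  shape average 2000000
  service-policy AutoQoS-Policy-Trust
ip http server
ip http secure-server
line vty 0 4
 transport input telnet ssh
"""

def audit(config, llq_limit=LLQ_LIMIT):
    """Return {check: detail} for the review points found in an IOS config."""
    found, section, policy = {}, "", None
    shape, child, prio = {}, {}, {}  # per policy-map: shape bps, child name, LLQ %
    for raw in config.splitlines():
        line = raw.strip()
        if raw and not raw.startswith(" "):      # unindented line opens a section
            section = line
            m = re.match(r"policy-map (\S+)", line)
            policy = m.group(1) if m else None
            if line == "ip http server":
                found["http"] = "plaintext HTTP server enabled"
        elif policy and (m := re.match(r"priority percent (\d+)", line)):
            prio[policy] = int(m.group(1))
        elif policy and (m := re.match(r"shape average (\d+)", line)):
            shape[policy] = int(m.group(1))
        elif policy and (m := re.match(r"service-policy (\S+)", line)):
            child[policy] = m.group(1)
        elif section.startswith("line vty") and line.startswith("transport input"):
            if {"telnet", "all"} & set(line.split()):
                found["telnet"] = "telnet accepted on " + section
    if not re.search(r"^\s*ip inspect ", config, re.M):
        found["firewall"] = "no 'ip inspect' (IOS firewall) rules present"
    for name, pct in prio.items():
        if pct > llq_limit:
            # A child policy's percent is taken from the parent's shaped rate.
            rate = next((shape[p] for p, c in child.items() if c == name and p in shape), None)
            kbps = f", {rate * pct // 100000} of {rate // 1000} kbit/s shaped" if rate else ""
            found["llq"] = f"{name}: priority {pct}% > {llq_limit}%{kbps}"
    return found

if __name__ == "__main__":
    for check, detail in audit(SAMPLE).items():
        print(f"{check}: {detail}")
```

The sample is passed without the `> ` quote prefix; strip that prefix first when checking a config copied out of a mail reply.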