3l3mn8r
Contributor

SIP and DATA traffic on separate ports

We have had a 7100 using SIP for over two years now and the ISP has now indicated that we need to change our configuration.  Currently all traffic SIP and DATA go out Ethernet 0/0 on a single 10Mbps circuit.  They need us to use a separate port (eth 0/1) to send all data traffic.  The ISP has a Cisco Calyx router that has port 1 for the SIP connection and port 2 for the DATA connection.  I assume that PBR would be the way to do it but I am not sure how that configuration should be done.  Here is an example of the current configuration.  The section in red is of concern for the ip routes or PBR.  Any help is greatly appreciated.

interface eth 0/0
  description SIP Ethernet
  speed 10
  ip address  70.XX.XXX.XXX  255.255.255.252
  access-policy Public
  crypto map VPN
  media-gateway ip primary
  no shutdown
  no lldp send-and-receive
!
ip access-list standard NAT
  remark Internet Connection Sharing
  permit any
!
ip access-list extended InterVLAN
  remark Voice / Data VLAN Traffic
  permit ip 10.10.10.0 0.0.0.255  10.10.20.0 0.0.0.255
  permit ip 10.10.20.0 0.0.0.255  10.10.10.0 0.0.0.255
!
ip access-list extended self
  remark Traffic to Netvanta
  permit ip any  any     log
!
ip access-list extended web-acl-11
  remark SIP Service Provider Traffic
  permit udp 216.XX.XXX.0 0.0.1.255  any eq 5060    log
  permit udp 216.XX.XXY.0 0.0.1.255  any eq 5060    log
!
ip policy-class Private
  allow list VPN-20-vpn-selectors stateless
  allow list self self
  allow list InterVLAN stateless
  allow list NAT policy Tunnel
  nat source list NAT interface eth 0/0 overload
!
ip policy-class Public
  allow reverse list VPN-20-vpn-selectors stateless
  nat destination list web-acl-13 address 10.10.10.8
  allow list web-acl-11 self
  allow list Admin self
  nat destination list web-acl-9 address 10.10.10.10
  nat destination list web-acl-6 address 10.10.10.8 port 21
!



Accepted Solutions
Anonymous
Not applicable

Re: SIP and DATA traffic on separate ports

You shouldn't need to use PBR in this case. You will need to leave eth 0/0 for one of the connections (whichever IP address isn't changing). For the "new" connection, set up a VLAN interface and assign one of the switchports to this VLAN. The default route will need to traverse the "data" connection. Assuming your SIP provider can give you the IP addresses/subnets of their SIP and media servers, you can create static routes to go to those hosts through the "voice" connection.

I would recommend separate policy-classes for the voice and data VLANs. They would look similar to this:

ip access-list standard voip_subnet
  match 10.10.20.0 0.0.0.255
ip access-list standard data_subnet
  match 10.10.10.0 0.0.0.255

ip policy-class Data
  allow list data_subnet self
  allow list InterVLAN (the ACL created in the default config)
  nat source list data_subnet address [address of the interface connected to "data"] overload

ip policy-class Voice
  allow list voip_subnet self
  allow list InterVLAN (the ACL created in the default config)
  nat source list voip_subnet address [address of the interface connected to "voice"] overload

Each policy-class would be assigned to the corresponding VLAN interface.

Please remember that Policy-Based Routing is not supported in the NetVanta 7100.

jayh
Honored Contributor

Re: SIP and DATA traffic on separate ports

Do they really want SIP separated from other VoIP such as RTP, or is one connection for VoIP and the other for data?  I suspect the latter.

This should get you close.  Assuming 10.10.10.0/24 is data, 10.10.20.0 is phones, swap if otherwise...

interface eth 0/0
  description Ethernet-VoIP
  speed 10 ! - can be dangerous and break auto-negotiation - check duplex
  ip address  70.XX.XXX.XXX  255.255.255.252
  access-policy Public
  media-gateway ip primary
  no shutdown
  no lldp send-and-receive

interface eth 0/1
  description Ethernet-DATA
  speed 10 ! - can be dangerous and break auto-negotiation - check duplex
  ip address  YY.YY.YY.YY 255.255.255.252
  access-policy Public
  crypto map VPN
  no shutdown
  no lldp send-and-receive
!
ip policy-class Private-Data
  allow list self self
  allow list InterVLAN stateless
  nat source list NAT interface eth 0/1 overload

ip policy-class Private-Voip
  allow list self self
  allow list InterVLAN stateless
  nat source list NAT interface eth 0/0 overload

route-map voip-map permit 10
  match ip address voip-map-list
  set ip next-hop 70.XX.XX.XY  ! <--- Gateway for VoIP
  set interface eth 0/0

ip access-list extended voip-map-list
  deny ip any 10.0.0.0 0.255.255.255
  permit ip any any

interface [interface for data LAN] - add
  ip access-policy Private-Data

interface [interface for voice LAN] - add
  ip policy route-map voip-map
  ip access-policy Private-Voip

If you are doing SIP proxy or have local phones you may also need ip local policy route-map voip-map

Change the default route to the new data WAN gateway. 

3l3mn8r
Contributor

Re: SIP and DATA traffic on separate ports

Thanks for the info Jay.

Yes, one connection for Voip and one for Data.

Yes, 7100 default subnets in use for voice and data vlans.

A couple questions.

If you are doing SIP proxy or have local phones you may also need ip local policy route-map voip-map

  This is a typical 7100 with 12 Adtran 712 phones, do you consider those local phones?

Change the default route to the new data WAN gateway

  What if the new Data WAN gateway is the same as the Voip gateway, ISP has given us same gateway and subnet with ip range of x.x.x.106 (SIP) through x.x.x.110 (Data) will that make a difference? Wait a minute 5 addresses for a /30 doesn't sound right or does it, need to get the subnet calc out again.

interface [interface for data or voip LAN] - add

  What are we looking for here. Not sure what you mean.

thanks for your help

jayh
Honored Contributor

Re: SIP and DATA traffic on separate ports

3l3mn8r wrote:



If you are doing SIP proxy or have local phones you may also need ip local policy route-map voip-map


  This is a typical 7100 with 12 Adtran 712 phones, do you consider those local phones?


The ip local policy route-map voip-map causes traffic sourced from the Adtran itself to follow the route-map for VoIP, that is to use the VoIP WAN interface and gateway.  So, you will want this.  In fact, if the SIP phones don't NAT out to the Internet and do all of their signaling to the 7100 this makes things easier, and you might be able to avoid the route-map and NAT on the phone subnet entirely.  "show IP policy-sessions" during a phone call will give some clues.  If the RTP UDP is all between the phones and self and between self and the outside media gateway then you may not need to NAT the phones at all, or only to get to an outside configuration server, NTP server, etc.



  What if the new Data WAN gateway is the same as the Voip gateway, ISP has given us same gateway and subnet with ip range of x.x.x.106 (SIP) through x.x.x.110 (Data) will that make a difference? Wait a minute 5 addresses for a /30 doesn't sound right or does it, need to get the subnet calc out again.


2 usables on a /30.  The .106 address is part of x.x.x.104/30.  The other side will be .105 .  Likewise .110 is part of x.x.x.108/30, the other side will be .109 .


interface [interface for data or voip LAN] - add


  What are we looking for here. Not sure what you mean.



thanks for your help


You will have an interface for each of your LANs, voice and data.  Most likely a VLAN interface, I'm not that familiar with the 7100. The statements below for policy and route-map should be applied to that interface's configuration.  Whatever interfaces have your IP address configuration for the data and voice inside subnets need this configuration. Substitute the interface name such as VLAN nn for the placeholder in the brackets.

The config I suggested is on-the-fly and may not be right or need some tweaking.  It's guaranteed to be worth what you paid for it...

3l3mn8r
Contributor

Re: SIP and DATA traffic on separate ports

So would I then remove the ip policy-class Private and move all other lines to the corresponding Data or Voice policy classes?

e.g.

interface vlan 1
  ip address  10.10.10.1  255.255.255.0
  access-policy Data
  media-gateway ip primary
  no shutdown
!
interface vlan 2
  ip address  10.10.20.1  255.255.255.0
  access-policy Voice
  media-gateway ip primary
  no shutdown

Ip policy-class Data
  allow list VPN-20-vpn-selectors stateless
  allow list data_subnet self
  allow list InterVLAN stateless
  allow list NAT policy Tunnel
  nat source list data_subnet interface eth 0/1 overload or address  70.xxx.xxx.xxy overload

Anonymous
Not applicable

Re: SIP and DATA traffic on separate ports

That is correct.

3l3mn8r
Contributor

Re: SIP and DATA traffic on separate ports

ip access-list standard voip_subnet
  match 10.10.20.0 0.0.0.255
ip access-list standard data_subnet
  match 10.10.10.0 0.0.0.255

"Match" is not a command option for ip access-list data_subnet

Anonymous
Not applicable

Re: SIP and DATA traffic on separate ports

My apologies. That should be 'permit'. I got crossed up with the Policy-class statements.

3l3mn8r
Contributor

Re: SIP and DATA traffic on separate ports

One last thing.  When I attempt to add the routes for the sip provider traffic I get an invalid destination mask.

Let's say, for example, the SIP servers are these below.  I just made them up; they did not give me exact IP addresses, just the ranges similar to below.

ip access-list extended web-acl-11
  remark SIP Service Provider Traffic
  permit udp 216.10.112.0 0.0.1.255  any eq 5060    log  Not sure why the ISP told me to use this destination mask 0.0.1.255
  permit udp 216.11.111.0 0.0.1.255  any eq 5060    log

Then I would create the routes to send this traffic out the voice interface eth 0/0

216.10.112.0 0.0.0.255 70.xxx.xxx.xxx  or should it be 255.0.0.0 for the dest mask?  Not

Anonymous
Not applicable

Re: SIP and DATA traffic on separate ports


ACLs use wildcard masks. Route statements use subnet masks. 0.0.0.255 converts to 255.255.255.0

3l3mn8r
Contributor

Re: SIP and DATA traffic on separate ports

Right, so if my permit for the ACL has 0.0.1.255, should I then use 255.1.0.0 or should it just be 255.0.0.0?

Anonymous
Not applicable

Re: SIP and DATA traffic on separate ports


That would be 255.254.0.0. Here is a formula:

Subnet mask = 255.255.255.255 - Wildcard mask
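
The conversion formula above and the /30 arithmetic from earlier in the thread, worked through in Python as an added example (not code from any poster or from ADTRAN). The 216.x ACL entries are the made-up ones posted in the thread; the 192.0.2.x addresses are constructed stand-ins for the elided x.x.x.106 and x.x.x.110.

```python
import ipaddress

def wildcard_to_netmask(wildcard):
    """Subnet mask = 255.255.255.255 - wildcard mask, i.e. bitwise inversion."""
    wc = int(ipaddress.IPv4Address(wildcard))
    # A route needs a contiguous mask, so the wildcard must be 2**k - 1.
    # ACL wildcards may be non-contiguous; those have no route equivalent.
    if wc & (wc + 1):
        raise ValueError(f"{wildcard} is non-contiguous; no subnet mask exists")
    return str(ipaddress.IPv4Address(0xFFFFFFFF - wc))

def acl_to_route(address, wildcard):
    """Return (network, netmask) for a static route covering one ACL entry."""
    mask = wildcard_to_netmask(wildcard)
    # strict=False clears host bits, so an unaligned ACL address is
    # normalised to the network boundary the wildcard really matches.
    net = ipaddress.IPv4Network(f"{address}/{mask}", strict=False)
    return str(net.network_address), str(net.netmask)

def p2p_peer(address, netmask="255.255.255.252"):
    """Return (subnet, far-end address) for one side of a /30 WAN link."""
    iface = ipaddress.IPv4Interface(f"{address}/{netmask}")
    far_end = [h for h in iface.network.hosts() if h != iface.ip]
    return str(iface.network), str(far_end[0])

if __name__ == "__main__":
    # ACL entries as posted in the thread (made up by the poster)
    for addr, wc in [("216.10.112.0", "0.0.1.255"), ("216.11.111.0", "0.0.1.255")]:
        net, mask = acl_to_route(addr, wc)
        print(f"ACL {addr} {wc} -> route {net} {mask}")
    # Constructed addresses standing in for x.x.x.106 and x.x.x.110
    for addr in ("192.0.2.106", "192.0.2.110"):
        subnet, gw = p2p_peer(addr)
        print(f"{addr} is in {subnet}, far end {gw}")
```

The second ACL entry shows why the route network can differ from the ACL address: 216.11.111.0 with wildcard 0.0.1.255 matches 216.11.110.0 through 216.11.111.255, so the route is written against 216.11.110.0.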