Cisco 870 dual PVC for Eutelia

Everything to do with configuring Cisco devices (and that does not fit the other categories)

Moderator: Federico.Lagni

pakepa
n00b
Posts: 13
Joined: Sat 25 Jun 2016, 6:50 am

Hello,

I have a customer whose router I had to reset, since it had been configured years ago by others and it was not possible to retrieve the password in order to back it up. My customer has a Eutelia ADSL line with an Asterisk PBX behind it, which I cannot get working again. Connectivity works with the following script:

----------------------------------------------------------------------
ip dhcp pool inside
import all
network 10.0.0.0 255.0.0.0
default-router 10.10.52.1
dns-server 8.8.8.8
lease 0 2
!
interface ATM0
no ip address
no ip mroute-cache
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description WAN via ADSL
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
switchport access vlan 75
!
interface FastEthernet1
switchport access vlan 75
!
interface FastEthernet2
switchport access vlan 75
!
interface FastEthernet3
switchport access vlan 75
!
interface Vlan1
no ip address
shutdown
!
interface Dialer0
description ADSL
bandwidth 1024
bandwidth receive 7168
ip address negotiated
no ip redirects
no ip proxy-arp
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname [email protected]
ppp chap password 0 xxxxxxx
ppp pap sent-username [email protected] password 0 xxxxxxx
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0

ip access-list extended nat
permit ip 10.0.0.0 0.255.255.255 any
permit icmp 10.0.0.0 0.255.255.255 any
!
access-list 23 permit 10.0.0.0 0.255.255.255
----------------------------------------------------------------------------------

The operator, which does not provide support for Cisco routers, tells me to simply create a second PVC 9/35 with a static IP set directly on the router, while still providing an authentication login. Then it asks me to forward all ports of the static IP to the PBX IP 10.10.52.51.

I proceeded as follows, but I had to stop because the router started making browsing stutter. Can you help me? Thanks.

!
interface ATM0.2 point-to-point
description WAN via ADSL
pvc 9/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Dialer1
description VOIP
bandwidth 1024
bandwidth receive 7168
ip address 62.94.X.X 255.255.255.0
no ip redirects
no ip proxy-arp
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname xxxxxxx@voipnet
ppp chap password 0 xxxxxxx
ppp pap sent-username xxxxxxx@voipmet password 0 xxxxxxx
!
ip route 10.10.52.51 255.0.0.0 Dialer1

ip access-list extended Voce
permit udp 10.10.11.0 0.0.0.255 range 5060 5080 any
permit udp 10.10.11.0 0.0.0.255 range 10000 20000 any
permit ip 10.10.11.0 0.0.0.255 62.94.0.0 0.0.0.255

------------------------------------------------------------------------------------

I don't know where to bang my head; I hope someone has already faced and solved this problem.

Thanks.
paolomat75
Messianic Network master
Posts: 2965
Joined: Fri 29 Jan 2010, 10:25 am
Location: Prov di GE

Hi.
I'll only give you a few pointers because I'm in a hurry.
You have to remove the route ip route 10.10.52.51 255.0.0.0 Dialer1 and do a PBR for the IP that has to go out on Dialer1.
You also need a static NAT between that IP and the public IP of that PVC.

If you don't solve it, let me know and I'll give you a hand this evening.

Paolo
No leaf falls that the unconscious does not will (S.B.)
pakepa
n00b
Posts: 13
Joined: Sat 25 Jun 2016, 6:50 am

Thanks, I'll try this.

I'll let you know.
pakepa
n00b
Posts: 13
Joined: Sat 25 Jun 2016, 6:50 am

Hi, I can't get out of this. This is the configuration I tried, but browsing slowly grinds to a halt and Dialer 1 seems to be ignored (it carries no traffic). The strange thing is that, when browsing hangs, pings to the outside world keep going.

IP of the ASTERISK PBX: 10.10.52.51

PVC 8/35 for browsing (it works in DHCP as it should), PVC 9/35 for VoIP
The IP to set on the second PVC: 62.94.208.46/16

Eutelia won't help me, since they don't recognize this type of configuration (even though previously, before the router reset, everything worked correctly). I had to reset the router because we didn't have the passwords to back up the configuration, as it was configured in 2012 by "someone" who can no longer be reached.

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ARMONIA-PONTEDERA
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 $1$BKc7$1xF98MH.GTB0FIiNJXog/0
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-2044645840
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2044645840
revocation-check none
rsakeypair TP-self-signed-2044645840
!
!
ip source-route
!
!
ip dhcp excluded-address 10.10.52.1 10.10.52.100
!
ip dhcp pool inside
import all
network 10.0.0.0 255.0.0.0
default-router 10.10.52.1
dns-server 8.8.8.8
lease 0 2
!
ip dhcp pool ccp-pool
!
!
ip cef
!
no ipv6 cef
multilink bundle-name authenticated
!
!
username cisco privilege 15 secret 5 $1$6kFv$10QhecWn/OWckK8B039Bf/
!
!
!
archive
log config
hidekeys
!
!
!
class-map type inspect match-any SDM-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-all sdm-protocol-http
match protocol http
!
!
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-cls-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
drop log
class type inspect sdm-cls-insp-traffic
inspect
class type inspect sdm-protocol-http
inspect
class type inspect SDM-Voice-permit
pass
class class-default
pass
policy-map type inspect sdm-inspect-voip-in
class type inspect SDM-Voice-permit
pass
class class-default
drop
policy-map type inspect sdm-permit
class class-default
drop
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
zone-pair security sdm-zp-out-in source out-zone destination in-zone
service-policy type inspect sdm-inspect-voip-in
!
!
!
interface ATM0
no ip address
no ip mroute-cache
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description WAN via ADSL
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface ATM0.2 point-to-point
description WAN via ADSL
pvc 9/35
encapsulation aal5mux ppp dialer
dialer pool-member 2
!
!
interface FastEthernet0
switchport access vlan 75
!
interface FastEthernet1
switchport access vlan 75
!
interface FastEthernet2
switchport access vlan 75
!
interface FastEthernet3
switchport access vlan 75
!
interface Vlan75
description $FW_INSIDE$
ip address 10.10.52.1 255.0.0.0
ip nat inside
ip virtual-reassembly
ip policy route-map PBR
!
interface Dialer0
description $FW_OUTSIDE$
bandwidth 1024
bandwidth receive 7168
ip address negotiated
no ip redirects
no ip proxy-arp
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname [email protected]
ppp chap password 0 xxxxxx
ppp pap sent-username [email protected] password 0 xxxxxx
!
interface Dialer1
description Eutelia ADSL - Voce
bandwidth 1024
bandwidth receive 7168
ip address 62.94.208.46 255.255.0.0
no ip redirects
no ip proxy-arp
ip mtu 1492
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
load-interval 30
dialer pool 2
dialer-group 2
no cdp enable
ppp chap hostname xxxx@voipnet1
ppp chap password 0 xxxxxx
ppp pap refuse
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat translation timeout 420
ip nat translation tcp-timeout 120
ip nat translation pptp-timeout 420
ip nat translation icmp-timeout 1
ip nat translation max-entries 100
ip nat inside source list Voce interface Dialer1 overload
ip nat inside source list nat interface Dialer0 overload
!
ip access-list extended Voce
permit udp 10.0.0.0 0.255.255.255 range 5060 5080 any
permit udp 10.0.0.0 0.255.255.255 range 10000 20000 any
permit ip 10.0.0.0 0.255.255.255 62.94.0.0 0.0.255.255
ip access-list extended nat
permit ip 10.0.0.0 0.255.255.255 any
permit icmp 10.0.0.0 0.255.255.255 any
!
access-list 23 permit 10.0.0.0 0.255.255.255
!
!
!
!
!
route-map PBR permit 10
match ip address Voce
set interface Dialer1
!
!
control-plane
!
banner login ^CSR520 Base Config - MFG 1.0 ^C
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end
paolomat75
Messianic Network master
Posts: 2965
Joined: Fri 29 Jan 2010, 10:25 am
Location: Prov di GE

Hi.
I'm at work now and can't dedicate time to you. If nobody helps you by this evening, maybe we can talk via Skype etc.

Paolo
No leaf falls that the unconscious does not will (S.B.)
paolomat75
Messianic Network master
Posts: 2965
Joined: Fri 29 Jan 2010, 10:25 am
Location: Prov di GE

Did you solve it?
No leaf falls that the unconscious does not will (S.B.)
pakepa
n00b
Posts: 13
Joined: Sat 25 Jun 2016, 6:50 am

Unfortunately not, but now a problem with Eutelia itself has come up: PPPoA doesn't work and they have to fix that first. At that point I'll get back to the VoIP. Thanks, I'll let you know as soon as basic connectivity is working again.
pakepa
n00b
Posts: 13
Joined: Sat 25 Jun 2016, 6:50 am

Hi, the PVC part is solved. Now I need to make all traffic to and from the PBX IP go through the second PVC (Dialer1). Could this configuration be right? I'm not sure it's correct; the phone call doesn't work.

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ARMONIA-PONTEDERA
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 $1$BKc7$1xF98MH.GTB0FIiNJXog/0
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-2044645840
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2044645840
revocation-check none
rsakeypair TP-self-signed-2044645840
!
!
ip source-route
!
!
ip dhcp excluded-address 10.10.52.1 10.10.52.100
!
ip dhcp pool inside
import all
network 10.0.0.0 255.0.0.0
default-router 10.10.52.1
dns-server 8.8.8.8
lease 0 2
!
ip dhcp pool ccp-pool
!
!
ip cef
!
no ipv6 cef
multilink bundle-name authenticated
!
!
username cisco privilege 15 secret 5 $1$6kFv$10QhecWn/OWckK8B039Bf/
!
!
!
archive
log config
hidekeys
!
!
!
class-map type inspect match-any SDM-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-all sdm-protocol-http
match protocol http
!
!
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-cls-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
drop log
class type inspect sdm-cls-insp-traffic
inspect
class type inspect sdm-protocol-http
inspect
class type inspect SDM-Voice-permit
pass
class class-default
pass
policy-map type inspect sdm-inspect-voip-in
class type inspect SDM-Voice-permit
pass
class class-default
drop
policy-map type inspect sdm-permit
class class-default
drop
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
zone-pair security sdm-zp-out-in source out-zone destination in-zone
service-policy type inspect sdm-inspect-voip-in
!
!
!
interface ATM0
no ip address
no ip mroute-cache
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description WAN via ADSL
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface ATM0.2 point-to-point
description WAN via ADSL
pvc 9/35
encapsulation aal5mux ppp dialer
dialer pool-member 2
!
!
interface FastEthernet0
switchport access vlan 75
!
interface FastEthernet1
switchport access vlan 75
!
interface FastEthernet2
switchport access vlan 75
!
interface FastEthernet3
switchport access vlan 75
!
interface Vlan75
description $FW_INSIDE$
ip address 10.10.52.1 255.0.0.0
ip nat inside
ip virtual-reassembly
ip policy route-map PBR
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname [email protected]
ppp chap password 0 XXXXX
!
interface Dialer1
description Eutelia ADSL - Voce
ip address negotiated
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
load-interval 30
dialer pool 2
dialer-group 2
no cdp enable
ppp chap hostname xxxxxxx@voipnet1
ppp chap password 0 xxxxxx
ppp pap refuse
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.10.52.51 255.0.0.0 Dialer1
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat translation timeout 420
ip nat translation tcp-timeout 120
ip nat translation pptp-timeout 420
ip nat translation icmp-timeout 1
ip nat translation max-entries 100
ip nat inside source list Voce interface Dialer1 overload
ip nat inside source list nat interface Dialer0 overload

ip access-list extended Voce
permit udp 10.0.0.0 0.255.255.255 range 5060 5080 any
permit udp 10.0.0.0 0.255.255.255 range 10000 20000 any
permit ip 10.0.0.0 0.255.255.255 62.94.0.0 0.0.255.255
ip access-list extended nat
permit ip 10.0.0.0 0.255.255.255 any
permit icmp 10.0.0.0 0.255.255.255 any
!
access-list 23 permit 10.0.0.0 0.255.255.255
!
!
!
!
!
route-map PBR permit 10
match ip address Voce
set interface Dialer1
!
!
control-plane
!
banner login ^CSR520 Base Config - MFG 1.0 ^C
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end
paolomat75
Messianic Network master
Posts: 2965
Joined: Fri 29 Jan 2010, 10:25 am
Location: Prov di GE

Hi.
You didn't make the changes I wrote you.

Paolo
No leaf falls that the unconscious does not will (S.B.)
pakepa
n00b
Posts: 13
Joined: Sat 25 Jun 2016, 6:50 am

Hi, I redid the configuration; this is the current one. If I leave the route on Dialer 0 only the phone works, otherwise only the Internet works. So either the whole subnet browses except the PBX, or only the PBX and not the subnet. Both take the right path though: VoIP goes to dialer0 and the subnet goes to dialer1.

I would like the INTERNET ACL to go out through Dialer 1 and the PBX (VOIP ACL) through dialer 0, at the same time. That's what I can't manage. I found various examples of VRF, PBR and stack, but none gives me the result I hope for.


!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ARMONIA-PONTEDERA
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 <removed>
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-2044645840
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2044645840
revocation-check none
rsakeypair TP-self-signed-2044645840
!
!
crypto pki certificate chain TP-self-signed-2044645840
certificate self-signed 01
quit
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 10.10.52.1
ip dhcp excluded-address 10.10.52.51
!
ip dhcp pool inside
import all
network 10.0.0.0 255.0.0.0
default-router 10.10.52.1
dns-server 8.8.8.8 8.8.4.4
lease 0 2
!
!
ip cef
!
no ipv6 cef
multilink bundle-name authenticated
!
!
username cisco privilege 15 secret 5 <removed>
!
!
!
archive
log config
hidekeys
!
!
!
class-map type inspect match-any SDM-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-all sdm-protocol-http
match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-cls-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
drop log
class type inspect sdm-cls-insp-traffic
inspect
class type inspect sdm-protocol-http
inspect
class type inspect SDM-Voice-permit
pass
class class-default
pass
policy-map type inspect sdm-inspect-voip-in
class type inspect SDM-Voice-permit
pass
class class-default
drop
policy-map type inspect sdm-permit
class class-default
drop
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
zone-pair security sdm-zp-out-in source out-zone destination in-zone
service-policy type inspect sdm-inspect-voip-in
!
!
!
interface ATM0
no ip address
no ip mroute-cache
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description VOIP
pvc 9/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface ATM0.2 point-to-point
description ADSL
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 2
!
!
interface FastEthernet0
switchport access vlan 75
!
interface FastEthernet1
switchport access vlan 75
!
interface FastEthernet2
switchport access vlan 75
!
interface FastEthernet3
switchport access vlan 75
!
interface Vlan1
no ip address
shutdown
!
interface Vlan75
description $FW_INSIDE$
ip address 10.10.52.1 255.0.0.0
ip nat inside
ip virtual-reassembly
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
no cdp enable
ppp chap hostname xxxxxx@voipnet1
ppp chap password 0 xxxxxx
ppp pap refuse
!
interface Dialer1
description ADSL
ip address negotiated
no ip redirects
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 2
dialer-group 2
no cdp enable
ppp chap hostname [email protected]
ppp chap password 0 xxxxxx
ppp pap refuse
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list INTERNET interface Dialer1 overload
ip nat inside source list VOIP interface Dialer0 overload
!
ip access-list extended INTERNET
permit ip 10.0.0.0 0.255.255.255 any
permit icmp 10.0.0.0 0.255.255.255 any
!
ip access-list extended VOIP
permit ip 10.10.52.51 0.255.255.255 any
permit icmp 10.10.52.51 255.255.255 any
!
!
!
!
!
!
control-plane
!
banner login ^CSR520 Base Config - MFG 1.0 ^C
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end
paolomat75
Messianic Network master
Posts: 2965
Joined: Fri 29 Jan 2010, 10:25 am
Location: Prov di GE

You don't need VRF or QoS (since there is a dedicated PVC). You only need ONE default route for Internet traffic and PBR for the VoIP (to steer the traffic onto the correct PVC).

Paolo
No leaf falls that the unconscious does not will (S.B.)
pakepa
n00b
Posts: 13
Joined: Sat 25 Jun 2016, 6:50 am

I would have added this:

ip policy route-map PBR (inside Vlan 75)

route-map PBR permit 10
match ip address VOCE
match interface Dialer0
!

and removed: ip route 0.0.0.0 0.0.0.0 Dialer0

But it doesn't work this way, the phone doesn't work. Where am I going wrong?
pakepa
n00b
Posts: 13
Joined: Sat 25 Jun 2016, 6:50 am

Sorry, correction:

route-map PBR permit 10
match ip address VOIP
match interface Dialer0
!
paolomat75
Messianic Network master
Posts: 2965
Joined: Fri 29 Jan 2010, 10:25 am
Location: Prov di GE

Replace

match interface

with

set ip next-hop IP_NEXT_HOP

Of course the ACL must include all voice traffic.

Paolo
No leaf falls that the unconscious does not will (S.B.)
paolomat75
Messianic Network master
Posts: 2965
Joined: Fri 29 Jan 2010, 10:25 am
Location: Prov di GE

You can also use

set interface

No leaf falls that the unconscious does not will (S.B.)
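Putting Paolo's three points together (one default route, PBR for the PBX host only, NAT tied to the egress interface), here is an added worked IOS configuration; it is not from the thread or from the router's own config. It uses the thread's addresses (PBX 10.10.52.51, LAN 10.0.0.0/8, Dialer0 = Internet PVC 8/35, Dialer1 = voice PVC 9/35 as in the earlier configs); the ACL and route-map names PBX-OUT, LAN-ANY, NAT-VOICE, NAT-INET and the SIP port 5060 are assumptions.

```cisco
! Added example, not from the thread. Names PBX-OUT, LAN-ANY, NAT-VOICE,
! NAT-INET and port 5060 are assumed.
!
! 1) One default route only, on the Internet PVC. The /8 host route that
!    pointed the PBX at Dialer1 must go (remove it if still present).
no ip route 10.10.52.51 255.0.0.0 Dialer1
ip route 0.0.0.0 0.0.0.0 Dialer0
!
! 2) PBR: only PBX traffic bound for the outside is steered to Dialer1.
!    The deny keeps PBX <-> LAN traffic (phones talking to the PBX) on the
!    LAN, since PBR with "set interface" is applied regardless of the
!    routing table.
ip access-list extended PBX-OUT
 deny   ip host 10.10.52.51 10.0.0.0 0.255.255.255
 permit ip host 10.10.52.51 any
!
route-map PBR permit 10
 match ip address PBX-OUT
 set interface Dialer1
!
interface Vlan75
 ip policy route-map PBR
!
! 3) NAT: both dialers are NAT outside. Each translation rule is bound to
!    its egress interface with "match interface" inside a NAT route-map
!    (this is where "match interface" belongs, not in the PBR route-map),
!    so the PBX is translated to the voice PVC address and the rest of the
!    LAN to the Dialer0 address.
interface Dialer1
 ip nat outside
!
ip access-list extended LAN-ANY
 permit ip 10.0.0.0 0.255.255.255 any
!
route-map NAT-VOICE permit 10
 match ip address PBX-OUT
 match interface Dialer1
!
route-map NAT-INET permit 10
 match ip address LAN-ANY
 match interface Dialer0
!
no ip nat inside source list Voce interface Dialer1 overload
no ip nat inside source list nat interface Dialer0 overload
ip nat inside source route-map NAT-VOICE interface Dialer1 overload
ip nat inside source route-map NAT-INET interface Dialer0 overload
!
! 4) Inbound from the VoIP provider to the PBX: SIP signalling on the voice
!    PVC address is forwarded to the PBX (port 5060 assumed; add any other
!    ports the provider requires in the same form).
ip nat inside source static udp 10.10.52.51 5060 interface Dialer1 5060
ip nat inside source static tcp 10.10.52.51 5060 interface Dialer1 5060
```

Verify with `show route-map PBR` (per-clause packet counters show whether PBX traffic is actually being policy-routed) and `show ip nat translations` (the PBX entries should carry the Dialer1 address, everything else the Dialer0 address).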