12 Replies Latest reply on Aug 2, 2013 12:02 PM by james_ucs

    SIP and DATA traffic on separate ports

    3l3mn8r New Member

      We have had a 7100 using SIP for over two years now and the ISP has now indicated that we need to change our configuration.  Currently all traffic, SIP and DATA, goes out Ethernet 0/0 on a single 10Mbps circuit.  They need us to use a separate port (eth 0/1) to send all data traffic.  The ISP has a Cisco Calyx router that has port 1 for the SIP connection and port 2 for the DATA connection.  I assume that PBR would be the way to do it, but I am not sure how that configuration should be done.  Here is an example of the current configuration.  The section in red is of concern for the ip routes or PBR.  Any help is greatly appreciated.

      interface eth 0/0
        description SIP Ethernet
        speed 10
        ip address 70.XX.XXX.XXX 255.255.255.252
        access-policy Public
        crypto map VPN
        media-gateway ip primary
        no shutdown
        no lldp send-and-receive
      !
      ip access-list standard NAT
        remark Internet Connection Sharing
        permit any
      !
      ip access-list extended InterVLAN
        remark Voice / Data VLAN Traffic
        permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
        permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
      !
      ip access-list extended self
        remark Traffic to Netvanta
        permit ip any any log
      !
      ip access-list extended web-acl-11
        remark SIP Service Provider Traffic
        permit udp 216.XX.XXX.0 0.0.1.255 any eq 5060 log
        permit udp 216.XX.XXY.0 0.0.1.255 any eq 5060 log
      !
      ip policy-class Private
        allow list VPN-20-vpn-selectors stateless
        allow list self self
        allow list InterVLAN stateless
        allow list NAT policy Tunnel
        nat source list NAT interface eth 0/0 overload
      !
      ip policy-class Public
        allow reverse list VPN-20-vpn-selectors stateless
        nat destination list web-acl-13 address 10.10.10.8
        allow list web-acl-11 self
        allow list Admin self
        nat destination list web-acl-9 address 10.10.10.10
        nat destination list web-acl-6 address 10.10.10.8 port 21
      !


        • Re: SIP and DATA traffic on separate ports
          jayh Hall_of_Fame

          Do they really want SIP separated from other VoIP such as RTP, or is one connection for VoIP and the other for data?  I suspect the latter.

          This should get you close.  Assuming 10.10.10.0/24 is data and 10.10.20.0 is phones; swap if otherwise...

          interface eth 0/0
            description Ethernet-VoIP
            speed 10 ! - can be dangerous and break auto-negotiation - check duplex
            ip address 70.XX.XXX.XXX 255.255.255.252
            access-policy Public
            media-gateway ip primary
            no shutdown
            no lldp send-and-receive
          !
          interface eth 0/1
            description Ethernet-DATA
            speed 10 ! - can be dangerous and break auto-negotiation - check duplex
            ip address YY.YY.YY.YY 255.255.255.252
            access-policy Public
            crypto map VPN
            no shutdown
            no lldp send-and-receive
          !
          ip policy-class Private-Data
            allow list self self
            allow list InterVLAN stateless
            nat source list NAT interface eth 0/1 overload
          !
          ip policy-class Private-Voip
            allow list self self
            allow list InterVLAN stateless
            nat source list NAT interface eth 0/0 overload
          !
          route-map voip-map permit 10
            match ip address voip-map-list
            set ip next-hop 70.XX.XX.XY  ! <--- Gateway for VoIP
            set interface eth 0/0
          !
          ip access-list extended voip-map-list
            deny ip any 10.0.0.0 0.255.255.255
            permit ip any any
          !
          interface [interface for data LAN] - add
            access-policy Private-Data
          !
          interface [interface for voice LAN] - add
            ip policy route-map voip-map
            access-policy Private-Voip

          If you are doing SIP proxy or have local phones, you may also need ip local policy route-map voip-map

          Change the default route to the new data WAN gateway.

            • Re: SIP and DATA traffic on separate ports
              3l3mn8r New Member

              Thanks for the info, Jay.

              Yes, one connection for VoIP and one for Data.

              Yes, 7100 default subnets in use for the voice and data VLANs.

              A couple of questions.

              If you are doing SIP proxy or have local phones you may also need ip local policy route-map voip-map
                This is a typical 7100 with 12 Adtran 712 phones; do you consider those local phones?

              Change the default route to the new data WAN gateway
                What if the new Data WAN gateway is the same as the VoIP gateway? The ISP has given us the same gateway and subnet, with an IP range of x.x.x.106 (SIP) through x.x.x.110 (Data); will that make a difference? Wait a minute, 5 addresses for a /30 doesn't sound right, or does it? I need to get the subnet calc out again.

              interface [interface for data or voip LAN] - add
                What are we looking for here? Not sure what you mean.

              Thanks for your help.

                • Re: SIP and DATA traffic on separate ports
                  jayh Hall_of_Fame

                  3l3mn8r wrote:

                  If you are doing SIP proxy or have local phones you may also need ip local policy route-map voip-map
                    This is a typical 7100 with 12 Adtran 712 phones; do you consider those local phones?

                  The ip local policy route-map voip-map causes traffic sourced from the Adtran itself to follow the route-map for VoIP, that is, to use the VoIP WAN interface and gateway.  So, you will want this.  In fact, if the SIP phones don't NAT out to the Internet and do all of their signaling to the 7100, this makes things easier, and you might be able to avoid the route-map and NAT on the phone subnet entirely.  "show ip policy-sessions" during a phone call will give some clues.  If the RTP UDP is all between the phones and self and between self and the outside media gateway, then you may not need to NAT the phones at all, or only to get to an outside configuration server, NTP server, etc.

                    What if the new Data WAN gateway is the same as the VoIP gateway? The ISP has given us the same gateway and subnet, with an IP range of x.x.x.106 (SIP) through x.x.x.110 (Data); will that make a difference? Wait a minute, 5 addresses for a /30 doesn't sound right, or does it? I need to get the subnet calc out again.

                  2 usable addresses on a /30.  The .106 address is part of x.x.x.104/30; the other side will be .105.  Likewise, .110 is part of x.x.x.108/30; the other side will be .109.

                  interface [interface for data or voip LAN] - add
                    What are we looking for here? Not sure what you mean.

                  Thanks for your help.

                  You will have an interface for each of your LANs, voice and data.  Most likely a VLAN interface; I'm not that familiar with the 7100.  The statements below for policy and route-map should be applied to that interface's configuration.  Whatever interfaces have your IP address configuration for the data and voice inside subnets need this configuration.  Substitute the interface name, such as VLAN nn, for the placeholder in the brackets.

                  The config I suggested is on-the-fly and may not be right or may need some tweaking.  It's guaranteed to be worth what you paid for it...

              • Re: SIP and DATA traffic on separate ports
                james_ucs Employee

                3l3mn8r wrote:

                We have had a 7100 using SIP for over two years now and the ISP has now indicated that we need to change our configuration.  Currently all traffic, SIP and DATA, goes out Ethernet 0/0 on a single 10Mbps circuit.  They need us to use a separate port (eth 0/1) to send all data traffic.  The ISP has a Cisco Calyx router that has port 1 for the SIP connection and port 2 for the DATA connection.  I assume that PBR would be the way to do it, but I am not sure how that configuration should be done.  Here is an example of the current configuration.  The section in red is of concern for the ip routes or PBR.  Any help is greatly appreciated.

                You shouldn't need to use PBR in this case. You will need to leave eth 0/0 for one of the connections (whichever IP address isn't changing). For the "new" connection, set up a VLAN interface and assign one of the switchports to this VLAN. The default route will need to traverse the "data" connection. Assuming your SIP provider can give you the IP addresses/subnets of their SIP and media servers, you can create static routes to go to those hosts through the "voice" connection.

                I would recommend separate policy-classes for the voice and data VLANs. They would look similar to this:

                ip access-list standard voip_subnet
                  permit 10.10.20.0 0.0.0.255
                !
                ip access-list standard data_subnet
                  permit 10.10.10.0 0.0.0.255
                !
                ip policy-class Data
                  allow list data_subnet self
                  allow list InterVLAN   (the ACL created in the default config)
                  nat source list data_subnet address [address of the interface connected to "data"] overload
                !
                ip policy-class Voice
                  allow list voip_subnet self
                  allow list InterVLAN   (the ACL created in the default config)
                  nat source list voip_subnet address [address of the interface connected to "voice"] overload

                Each policy-class would be assigned to the corresponding VLAN interface.

                Please remember that Policy-Based Routing is not supported in the NetVanta 7100.
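As an added example, not code from this thread or from ADTRAN, the Python below models two points made above: the /30 point-to-point arithmetic from jayh's reply (which address is the ISP side) and the no-PBR design james_ucs describes, a default route out the data link plus static routes that pin only the SIP provider's subnets to the voice link. The WAN /30s, provider subnets and interface labels are constructed placeholders standing in for the masked addresses in the thread.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed placeholders (not the real addresses from the thread): each WAN
# link is a /30 and the SIP provider is assumed to have given us two /23s.
VOICE_WAN = "203.0.113.106/30"      # existing eth 0/0, VoIP side
DATA_WAN = "203.0.113.110/30"       # new VLAN interface, data side
SIP_PROVIDER_NETS = ["198.51.100.0/23", "198.51.102.0/23"]


def p2p_peer(host_with_prefix: str) -> Tuple[str, str, str]:
    """For a /30 link return (network, our address, the other usable address).
    A /30 holds four addresses: network, two usable hosts, broadcast."""
    iface = ipaddress.ip_interface(host_with_prefix)
    net = iface.network
    if net.prefixlen != 30:
        raise ValueError("expected a /30 point-to-point link")
    usable = list(net.hosts())                 # exactly two hosts on a /30
    peer = usable[1] if iface.ip == usable[0] else usable[0]
    return str(net), str(iface.ip), str(peer)


Route = Tuple[ipaddress.IPv4Network, str, str]  # (prefix, next hop, egress)


def build_routes() -> List[Route]:
    """Default route via the data gateway; only the SIP provider's subnets are
    pinned to the voice gateway. Plain destination routing, so it needs no PBR."""
    _, _, voice_gw = p2p_peer(VOICE_WAN)
    _, _, data_gw = p2p_peer(DATA_WAN)
    routes: List[Route] = [(ipaddress.ip_network("0.0.0.0/0"), data_gw, "data-wan")]
    for net in SIP_PROVIDER_NETS:
        routes.append((ipaddress.ip_network(net), voice_gw, "voice-wan"))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, the way the router chooses an egress for a destination."""
    d = ipaddress.ip_address(dst)
    matches = [r for r in routes if d in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def egress_for(dst: str) -> str:
    r = lookup(build_routes(), dst)
    return r[2] if r else "unreachable"


if __name__ == "__main__":
    print(p2p_peer(VOICE_WAN))   # ISP side of the voice /30 is .105
    for d in ("198.51.100.25", "8.8.8.8"):
        print(d, "->", egress_for(d))
```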

                  • Re: SIP and DATA traffic on separate ports
                    3l3mn8r New Member

                    So would I then remove the ip policy-class Private and move all other lines to the corresponding Data or Voice policy classes?

                    e.g.

                    interface vlan 1
                      ip address 10.10.10.1 255.255.255.0
                      access-policy Data
                      media-gateway ip primary
                      no shutdown
                    !
                    interface vlan 2
                      ip address 10.10.20.1 255.255.255.0
                      access-policy Voice
                      media-gateway ip primary
                      no shutdown
                    !
                    ip policy-class Data
                      allow list VPN-20-vpn-selectors stateless
                      allow list data_subnet self
                      allow list InterVLAN stateless
                      allow list NAT policy Tunnel
                      nat source list data_subnet interface eth 0/1 overload   (or: nat source list data_subnet address 70.xxx.xxx.xxy overload)

                      • Re: SIP and DATA traffic on separate ports
                        james_ucs Employee

                        3l3mn8r wrote:

                        So would I then remove the ip policy-class Private and move all other lines to the corresponding Data or Voice policy classes?

                        That is correct.