over IP (VoIP) including LANs, VLANs, WANs, traffic patterns and QoS. It starts off
with an introduction into the typical home user network, progresses to a small office
home office (SOHO) network and then into a business class network. Critical
components and issues such as VLANs, the WAN link, network address translation
(NAT) and quality of service (QoS) are examined.
This section is divided into the following pages:
Personal Home Network - A typical personal home network configuration is detailed
and the effects and issues that affect VoIP are examined. This is the level that most
experimenters start at.
SOHO Network - A small office home office network is a step above the
typical home network: the user is now concerned with voice quality and with
managing the data traffic. Here's how to improve the quality and consistency
of the VoIP traffic.
Business Network - The business network services many VoIP users and has greater
data traffic. New issues arise and new solutions are required. Here's where they are
discussed.
VLANs - Virtual LANs provide a method of segregating traffic
based on the type of traffic. It is the first step in improving the
quality of service for VoIP.
Routing - the Routing section explores Network Address Translation (NAT),
the Wide Area Network (WAN) link, router on a stick, server on a stick,
layer 3 switches and more.
QoS - quality of service is a method of providing
priority to certain types of traffic such as VoIP in order to
provide a consistent reliable connection. This page discusses
mechanisms that are used to aid in giving VoIP priority over data.
Cisco QuickVPN - here's a simple way of creating a VPN into your SOHO network
using a Cisco SOHO router. In this case, we use the Cisco RV180W SOHO router
which is an extremely powerful SOHO router for a reasonable expenditure.
2. Outgoing Traffic to the Internet - All traffic to the Internet must pass through
the Ethernet switch/Wireless Router connection. Outgoing voice traffic will be
fighting with data traffic for the port's bandwidth.
3. Incoming Traffic from the Internet - In this typical SOHO setting you have no
control over the traffic arriving from the Internet. If you have a hosted PBX
this can be an issue, as incoming voice traffic will be competing with data
traffic for the download bandwidth.
A lot of wireless routers provide traffic management and QoS through their web based
GUI. The traffic management really only deals with outbound traffic. Priority can be
given to voice protocols like SIP. The router recognizes the voice traffic and given the
choice between sending out data or voice, it will send the voice first. Each router is
different and its capabilities would need to be explored to see how it can manage
traffic.
Aftermarket Router Firmware
There are several aftermarket router firmware upgrades that are both free open source
and paid upgrades that can add more capabilities to your wireless router. The result is
that your el-cheapo router gets a hit of steroids and provides features normally seen
only on expensive enterprise class routers. One of these is DD-WRT which allows you
to set priority based on the physical Ethernet port. You could set the port connected to
the voice Ethernet switch as having priority over the data Ethernet switch's traffic.
Aftermarket router firmware upgrades require a higher level of expertise and patience
to get working correctly.
VLANs and QoS?
Instead of using two separate Ethernet switches, you can upgrade to a more expensive
switch that features VLANs (virtual LANs). The physical switch is able to divide
itself into virtual switches. These virtual switches appear as if they were separate
physical switches as discussed previously and as separate networks with unique
network addresses (ex. 192.168.1.0/24 and 192.168.2.0/24). QoS (Quality of Service)
can be controlled and configured in both the switch and the router. This is a step up in
cost and complexity and the network design is now moving closer to the Business
Network.
The business network services many VoIP users and has greater data traffic. New
issues arise and new solutions are required. Data and voice converge and are using the
same network infrastructure. Quality of Service (QoS) becomes very critical in order
to provide stable voice communications.
The critical areas of design for a Business network for traffic and
congestion are:
Separating data and voice traffic
Security
Providing redundancy throughout the network
VLAN'd Switch
Layer 3 Switches
Instead of routers, Layer 3 switches can be used to route between VLANs. A layer 3
switch has limited routing capabilities and unlike a router, it doesn't support WAN
protocols. Layer 3 switches support VLANs by their nature.
3 Layer Hierarchical Model
As the network grows, a redundant mesh topology can be used by dividing the
network into 3 distinct layers. Cisco developed the 3 Layer Hierarchical Model to
address the needs of a large business network.
Core layer - This layer connects the core network services together and
provides the backbone of the network. It is a high speed layer and provides
the edge devices to the outside world.
Distribution layer - This layer is assigned the job of controlling the policies
and routing traffic between VLANs and the core.
Access layer - This layer is connected to the end devices that use the network:
PCs, servers, IP phones, network printers, etc. Its job is to assign ports to
VLANs and to provide port based policy.
to automatically detect loops and block redundant paths. It is a dynamic protocol:
it detects when links fail and fails over automatically to the backup paths.
Quality of Service
Network layer Quality of Service (QoS) can be implemented by marking packets in
the IP header's ToS/DiffServ byte. The original ToS (Type of Service) definition
uses the top 3 bits of that byte, the IP Precedence, which gives a range of
priorities from 0 (default) to 7 (highest priority). Typically, data is left at a
priority of 0 and voice traffic is marked with a priority of 5.
DiffServ is an improved version of ToS. It stands for Differentiated Services and
redefines the same byte: the 6-bit DiffServ Code Point (DSCP) consists of the ToS's
3 bits plus 3 more, so the priority range is 0 (default) to 63. Data is left at
0 and voice is marked 46 (Expedited Forwarding, EF). A device interprets the byte
either as ToS or as DiffServ, not both; because the 3 ToS bits are the top 3 bits
of the DSCP, a packet marked DSCP 46 (101110 in binary) reads as precedence 5 to a
ToS-only device, so the two markings agree.
In this manner, voice traffic will have priority over data traffic as it is
transmitted throughout the network, provided every switch and router along the
path is configured to trust and act on the marking; a device that ignores or
rewrites it breaks the chain.
Quality of Service can also be implemented at the Data Link layer by using the
IEEE802.1Q (DOT1Q) VLAN frame tagging protocol. Frames can be given priority
through the Class of Service (CoS) field in the DOT1Q tag, the 3-bit 802.1p
priority, with values from 0 (default) to 7. Since the CoS lives in the VLAN tag
it only exists on tagged links such as trunks and is stripped with the tag at an
access port, which is why DSCP is the marking that survives end to end. Carrying
priority in a label rather than in the packet is the same idea MultiProtocol Label
Switching (MPLS) builds on, and MPLS is a complete book in itself.
Congestion on the WAN Link
As a network administrator, you have complete control over your LAN based
network. But you have limited control over the WAN link. You can control the QoS of
traffic leaving your network through sound QoS principles discussed previously. You
can also give priority to voice protocols such as SIP, IAX, RTP, SCCP, H.323, etc. by
incorporating an Application Layer Gateway (ALG). An ALG examines the contents of
the packets leaving the network and can give priority to protocols related to the voice
traffic. Be aware that the SIP ALG on consumer and SOHO routers also rewrites SIP
headers to help with NAT, and that rewriting is a frequent cause of one-way audio and
failed registrations; if calls misbehave, disabling the SIP ALG is the first thing to try.
You do not have control of the priority of the traffic entering your network unless you
have a Service Level Agreement (SLA) with your service provider. An SLA will
usually implement a connection to the service provider's MPLS network to control
priority.
Bandwidth
Quality of Service will give voice priority over data but the question that needs to be
asked is "How much bandwidth is needed for voice traffic?". The WAN page will aid
in determining how many voice channels are required for a trunk and how much
bandwidth is needed through the WAN link.
There are many options available for the WAN link but be aware
that some provide asymmetric bandwidth between uploads and
downloads. Cable modems and ADSL are examples. Typically, the
upload bandwidth is a fraction of the download bandwidth. For
example, basic ADSL provides 3 Mbps download but only 500 kbps upload! A call
needs the same bandwidth in both directions, so the upload side is what limits the
number of calls. A better solution is Symmetric DSL (SDSL), which has equal upload
and download bandwidths.
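To put numbers on "how much bandwidth is needed for voice traffic", here is an added example (not code from the original page) that works out the per-call bandwidth of G.711 and G.729 from the standard IP/UDP/RTP and Ethernet overheads and then counts how many calls fit the asymmetric ADSL link quoted above. The codec figures and header sizes are standard values; the 25% reserve kept for SIP signalling and data traffic is this example's own assumption.

```python
"""Per-call VoIP bandwidth and how many calls a WAN link can carry.

Added example, not code from the original page. Codec bit rates and the
IP/UDP/RTP and Ethernet overheads are the standard values; the 25 %
reserve for signalling and data traffic is an assumption you can change.
"""
from dataclasses import dataclass

IP_UDP_RTP_OVERHEAD = 40   # 20 B IPv4 + 8 B UDP + 12 B RTP on every packet
ETHERNET_OVERHEAD = 18     # 14 B header + 4 B FCS (preamble/gap ignored)
DOT1Q_TAG = 4              # extra when the frame crosses an 802.1Q trunk


@dataclass(frozen=True)
class Codec:
    name: str
    bitrate_kbps: int      # raw codec rate
    ptime_ms: int          # audio per RTP packet (packetization interval)


CODECS = {
    "G.711": Codec("G.711", 64, 20),
    "G.729": Codec("G.729", 8, 20),
}


def payload_bytes(codec: Codec) -> int:
    """Audio bytes per packet: 64 kbit/s over 20 ms is 160 bytes for G.711."""
    return codec.bitrate_kbps * codec.ptime_ms // 8


def packets_per_second(codec: Codec) -> int:
    return 1000 // codec.ptime_ms


def call_bandwidth_kbps(codec: Codec, layer2: bool = True, tagged: bool = False) -> float:
    """Bandwidth of one call in ONE direction. RTP audio is symmetric, so the
    same amount is needed on the upload and the download side of the link."""
    size = payload_bytes(codec) + IP_UDP_RTP_OVERHEAD
    if layer2:
        size += ETHERNET_OVERHEAD + (DOT1Q_TAG if tagged else 0)
    return size * 8 * packets_per_second(codec) / 1000


def calls_that_fit(link_kbps: float, codec: Codec, reserve: float = 0.25, **kw) -> int:
    """Calls that fit after keeping `reserve` of the link for SIP signalling,
    the data VLAN and the bursts QoS cannot smooth out (assumed 25 %)."""
    return int(link_kbps * (1 - reserve) // call_bandwidth_kbps(codec, **kw))


def calls_on_asymmetric_link(down_kbps: float, up_kbps: float, codec: Codec, **kw) -> int:
    """A call needs room in both directions, so the slower direction (upload,
    on ADSL or cable) is the one that limits the trunk."""
    return min(calls_that_fit(down_kbps, codec, **kw), calls_that_fit(up_kbps, codec, **kw))


if __name__ == "__main__":
    # The page's "basic ADSL" figures: 3 Mbps down, 500 kbps up.
    for name, codec in CODECS.items():
        print(f"{name}: {call_bandwidth_kbps(codec):.1f} kbit/s per call per direction, "
              f"{calls_on_asymmetric_link(3000, 500, codec)} calls on 3000/500 ADSL")
```

G.711 costs about 87 kbit/s per direction once Ethernet framing is counted, so the 500 kbps upload of the ADSL example carries only four calls with the reserve, regardless of the 3 Mbps download; G.729 triples that. Use the upload figure of whatever link you are sizing, not the headline download rate.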
A VLAN or Virtual LAN is a method of dividing a physical Ethernet switch into
separate logical networks. On the physical side, instead of one Ethernet
switch, it appears as if you have multiple physical Ethernet switches. Multiple
Ethernet switches give the advantages discussed in the SOHO network. The best
part is that VLAN'ing a switch is a software configured process, done
through the switch's user interface. You decide how you want to divide your switch
into virtual switches or VLANs.
the "behind the scenes" traffic that is part of the network support protocols' overhead
and is not directly involved with transferring data. This is the traffic that stays within
the "broadcast domain" - the traffic created by discovery services such as ARP,
DHCP or routing protocols, as examples. This behind the scenes traffic can consume
quite a portion of your available bandwidth - up to 35%! When the network is divided
into VLANs, the broadcast domain (the reach of broadcast traffic) is restricted to each
VLAN. This drastically reduces the amount of broadcast traffic within each VLAN.
port" instead of "ports to a VLAN". Either way, the end result is the same, there is a
port to VLAN assignment.
Important Concept: Only those ports on the same VLAN can talk to each other. The
ports are isolated from all other VLANs!
Network Addresses
Each VLAN will have its own network address. VLAN 20 will belong to and have a
different network address than VLAN 30. There is a convention (not a rule but a best
practice) that the network address corresponds to the VLAN ID. For example,
VLAN 10 (Desktop) uses network address 192.168.10.0/24 and VLAN 30 (VoIP) uses
network address 192.168.30.0/24. The purpose is to make it easier to troubleshoot the
network and to easily determine which VLAN and network, a device belongs to. As
networks grow and the number of VLANs increase, following this rule of thumb will
simplify network management.
VLAN'd Network
Switch VLAN Configuration
There is no standard VLAN configuration method for Ethernet switches. Each switch
manufacturer uses their own configuration commands either through a web GUI or
command line. The config examples will use the Cisco command line just because I'm
familiar with Cisco switches. Regardless, all follow the same basic process:
1. Create the VLAN ID - In configuration mode, type "vlan 10" to create a VLAN
with ID 10.
    vlan 10
2. Name the VLAN - Give VLAN 10 the name Desktop, type "name Desktop".
    name Desktop
Normally an Ethernet port on a switch can only be assigned to one VLAN but there
are special circumstances where a port can be configured to use more than one VLAN.
The first use is a IEEE802.1Q trunk (often referred to as dot1q for short). This trunk is
only used to connect switch to switch and switch to router to allow VLAN traffic to
pass. IEEE802.1Q is a standard created by the IEEE to pass many VLANs between
switches.
Note that the IP phone is on a different network (192.168.30.0/24) than the desktop
PC (192.168.10.0/24). The IP phone's internal Ethernet switch must be told which
VLAN is the voice VLAN, either manually through the phone's web GUI or through the
server's TFTP configuration files.
The Routing portion provides a discussion on the different methods available and
options used in routing between voice and data networks. InterVLAN routing is
discussed, with the advantages and disadvantages of each method.
Important Point: In order to route between two networks, they must be
separate IP networks. For example, the data network can be on 192.168.1.0/24 and the
voice network can be on 192.168.2.0/24. These are two separate networks. The
networks can be on separate VLANs. In order to route data between the VLANs, a
routing device must be used - it can be a router or a layer 3 switch.
This section is divided into the following pages:
Single Port Routing - This refers to LAN side routing between voice and data
networks using a single port between the router and the switch. The router has a WAN
port and no VLANs have been assigned to the switch.
Separate VLAN Ports - On the switch separate VLAN'd ports are
configured for voice and data and the router has two LAN ports in addition
to the WAN port
Router on a Stick - This uses only one LAN port to connect to the router. The port
is configured as a trunk to the switch that allows multiple VLANs and their networks
to pass through. The router must be able to do multiVLAN trunking using
IEEE802.1Q.
In these areas of bandwidth contention, we can give the voice traffic an advantage by
giving it a higher priority than data traffic. We can do this at the Network layer by
using the IP header's ToS/DSCP byte. The original ToS (Type of Service) definition
uses the top 3 bits of that byte (the IP Precedence) to assign priority to an IP
packet. The priority range is from 0 - 7, with 0 the lowest priority and the default
setting.
We can assign voice traffic a priority of 5. Packets with a higher priority win the
bandwidth war! This is the most common method of setting priority for VoIP end
devices. IP phones can mark their voice traffic with a higher priority either by
manually configuring the VLAN ID and priority value through the phone's Web GUI
or by setting the VLAN ID and priority in the TFTP config file.
Priority Bits on Steroids: DSCP!
The same ToS/DSCP byte can be read as a Differentiated Services Code Point (DSCP),
most often referred to as DiffServ. It is an improved ToS mechanism and provides
6 bits for priority: the same 3 bits as ToS plus 3 more! With 6 bits, the priority
ranges from 0 to 63. Again the default priority is 0 and voice traffic is usually
set to 46 (Expedited Forwarding, EF). A device interprets the byte either as ToS or
as DiffServ, not both, but because the 3 ToS bits are the top 3 bits of the DSCP,
DSCP 46 (101110 in binary) is seen as priority 5 by a ToS-only device, so the two
markings agree.
Apply QoS to your Network
Data traffic has the default priority of 0 and voice traffic has a priority of either ToS =
5 or DiffServ = 46. Voice will have priority on the links with bandwidth contention
mentioned earlier, as long as every device on the path is configured to trust and act
on the marking. Voice should then no longer break up during large data transfers!
VLAN Priority
VLANs can be given priority by using IEEE802.1Q (Dot1Q) protocol tagging.
The Dot1Q protocol inserts an extra 4-byte field into the Ethernet frame. This field
contains a special 802.1p subfield, the Priority Code Point, usually called Class of
Service (CoS). It consists of 3 bits for classification, ranging from 0 - 7 (similar to
ToS), and classifies traffic from background to network critical at the Frame level.
Carrying priority in a label rather than in the packet is the idea MultiProtocol
Label Switching (MPLS) builds on. Just a note: this only applies to links that carry
the Dot1Q tag, i.e. trunks. The tag and its CoS are stripped when the frame is
delivered to an access port, which is why switches copy CoS into DSCP (or trust
DSCP) to carry the priority end to end.
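The ToS/DSCP and CoS bit layouts described here, and in the Quality of Service part of the Business Network section earlier, are easy to get wrong by one bit position. The following added example (not code from the original page) builds an 802.1Q-tagged frame for the voice VLAN carrying an IPv4 packet marked DSCP 46, then decodes it again, showing that DSCP 46 is precedence 5 and that an untagged frame has no CoS at all. The MAC addresses are arbitrary; VLAN 30 and the 192.168.30.0/24 hosts are the page's own illustrative values.

```python
"""Where the voice priority bits live: the IPv4 DS byte (ToS / IP precedence /
DSCP) and the 3-bit CoS (802.1p PCP) field of an 802.1Q tag.

Added example, not code from the original page. Builds a tagged voice frame
and decodes it again; the MAC addresses are arbitrary, VLAN 30 and the
192.168.30.0/24 hosts are the page's own illustrative values.
"""
import struct

EF = 46            # DSCP Expedited Forwarding: the usual voice marking (101110b)
VOICE_COS = 5      # 802.1p priority the page assigns to voice
VOICE_VLAN = 30


def dscp_to_precedence(dscp: int) -> int:
    """The 3 legacy ToS/IP-precedence bits are the top 3 of the 6 DSCP bits,
    so DSCP 46 reads as precedence 5 to a device that only knows ToS."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    return dscp >> 3


def ds_byte(dscp: int, ecn: int = 0) -> int:
    """DSCP occupies the high 6 bits of the byte, ECN the low 2."""
    return (dscp << 2) | (ecn & 0x3)


def ip_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement sum over the 20-byte header; 0 when a header verifies."""
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, dscp: int, payload_len: int, proto: int = 17) -> bytes:
    """Minimal IPv4 header (UDP by default) with the DS byte set."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, ds_byte(dscp), 20 + payload_len,
                      0, 0, 64, proto, 0, ip_bytes(src), ip_bytes(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def dot1q_frame(dst_mac: bytes, src_mac: bytes, vlan_id: int, cos: int, payload: bytes) -> bytes:
    """Ethernet II frame with an 802.1Q tag: TPID 0x8100, TCI = PCP(3) DEI(1)
    VID(12), then the original EtherType 0x0800 for IPv4."""
    if not 1 <= vlan_id <= 4094 or not 0 <= cos <= 7:
        raise ValueError("VLAN ID is 12 bits (1-4094), CoS is 3 bits")
    tci = (cos << 13) | vlan_id
    return dst_mac + src_mac + struct.pack("!HHH", 0x8100, tci, 0x0800) + payload


def parse_frame(frame: bytes) -> dict:
    """Recover VLAN, CoS, DSCP and precedence. An untagged frame has no CoS at
    all (vlan/cos None): on a trunk it lands in the native VLAN; its DSCP
    still travels with the packet, which is why DSCP is marked end to end."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x8100:
        tci = struct.unpack("!H", frame[14:16])[0]
        vlan, cos, ip = tci & 0x0FFF, tci >> 13, frame[18:]
    else:
        vlan, cos, ip = None, None, frame[14:]
    dscp = ip[1] >> 2
    return {"vlan": vlan, "cos": cos, "dscp": dscp, "precedence": dscp_to_precedence(dscp)}


def voice_frame() -> bytes:
    """One G.711 RTP packet (160 B audio + 12 B RTP + 8 B UDP) from an IP
    phone, tagged for the voice VLAN with CoS 5 and marked DSCP EF."""
    ip = ipv4_header("192.168.30.10", "192.168.30.1", EF, payload_len=180)
    return dot1q_frame(b"\x00\x11\x22\x33\x44\x55", b"\x00\x66\x77\x88\x99\xaa",
                       VOICE_VLAN, VOICE_COS, ip)


if __name__ == "__main__":
    print(parse_frame(voice_frame()))   # {'vlan': 30, 'cos': 5, 'dscp': 46, 'precedence': 5}
```

Feed `parse_frame` a capture of your own phone's traffic (the 18 or 14 bytes of Ethernet header plus the IP header is all it reads) to confirm the markings actually leave the phone and survive each hop; a hop that returns DSCP 0 is the one rewriting or not trusting the marking.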
Cisco "AutoQoS" command
QoS can be very complicated and sometimes an innocent command like
Cisco's "auto qos" can seem like a quick solution but there is always a
catch. You apply the auto qos command on your switch to an access port that also
carries a voice VLAN for an IP phone:
    interface FastEthernet0/13
     switchport access vlan 20
     switchport mode access
     switchport voice vlan 30
     auto qos voip cisco-phone
Here's what happens: the interface picks up extra commands, and a long block of
global "mls qos" commands is added to the running config as well:
    interface FastEthernet0/13
     switchport access vlan 20
     switchport mode access
     switchport voice vlan 30
     srr-queue bandwidth share 10 10 60 20
     srr-queue bandwidth shape 10 0 0 0
     mls qos trust device cisco-phone
     mls qos trust cos
     auto qos voip cisco-phone
     spanning-tree portfast

    mls qos map cos-dscp 0 8 16 26 32 46 48 56
    mls qos srr-queue input bandwidth 90 10
    mls qos srr-queue input threshold 1 8 16
    mls qos srr-queue input threshold 2 34 66
    mls qos srr-queue input buffers 67 33
    mls qos srr-queue input cos-map queue 1 threshold 2 1
    mls qos srr-queue input cos-map queue 1 threshold 3 0
    mls qos srr-queue input cos-map queue 2 threshold 1 2
    mls qos srr-queue input cos-map queue 2 threshold 2 4 6 7
    mls qos srr-queue input cos-map queue 2 threshold 3 3 5
    mls qos srr-queue input dscp-map queue 1 threshold 2 9 10 11 12 13 14 15
    mls qos srr-queue input dscp-map queue 1 threshold 3 0 1 2 3 4 5 6 7
    mls qos srr-queue input dscp-map queue 1 threshold 3 32
    mls qos srr-queue input dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
    mls qos srr-queue input dscp-map queue 2 threshold 2 33 34 35 36 37 38 39 48
    mls qos srr-queue input dscp-map queue 2 threshold 2 49 50 51 52 53 54 55 56
    mls qos srr-queue input dscp-map queue 2 threshold 2 57 58 59 60 61 62 63
    mls qos srr-queue input dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
    mls qos srr-queue input dscp-map queue 2 threshold 3 40 41 42 43 44 45 46 47
    mls qos srr-queue output cos-map queue 1 threshold 3 5
    mls qos srr-queue output cos-map queue 2 threshold 3 3 6 7
    mls qos srr-queue output cos-map queue 3 threshold 3 2 4
    mls qos srr-queue output cos-map queue 4 threshold 2 1
    mls qos srr-queue output cos-map queue 4 threshold 3 0
    mls qos srr-queue output dscp-map queue 1 threshold 3 40 41 42 43 44 45 46 47
    mls qos srr-queue output dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
    mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
    mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
    mls qos srr-queue output dscp-map queue 3 threshold 3 16 17 18 19 20 21 22 23
    mls qos srr-queue output dscp-map queue 3 threshold 3 32 33 34 35 36 37 38 39
    (a further 13 "mls qos srr-queue output ..." and "mls qos queue-set output ..."
    lines, whose values did not survive extraction, followed by the global "mls qos")
Now this might be a good thing but what if it breaks something? How are you going
to fix it? What do all those numbers mean? BTW, "mls" stands for multilayer
switching. This is scary stuff so you should always test your configuration when using
commands like this to see what they do.
Control of QoS
You have complete control over QoS on the LAN, because you are the
master of the LAN and can configure and tune it. But what about the WAN
connection? You can control the traffic going out but what about the traffic coming in?
To control the incoming traffic, you must have a QoS agreement with Service
Provider for the WAN connection. Otherwise, you can only control the QoS on
outgoing but not incoming!
Cisco QuickVPN - here's a simple way of creating a VPN into your SOHO network
using a Cisco SOHO router. In this case, we use the Cisco RV180W SOHO router
which is an extremely powerful SOHO router for a reasonable expenditure.
4. You can download the router's certificate by going to Security - SSL Certificate
- Export for Client and saving the certificate under an appropriate name to
distribute with the Quick VPN software.
For the Clients:
1. Go to Cisco and download the free Quick VPN (QVPN) software for RV180W
Wireless-N Multifunction VPN Router (or whichever model you have)
http://www.cisco.com/c/en/us/products/routers/quick_vpn.html
2. Install the software and run it.
- Give it a profile name, enter the user name and password and server IP
address.
3. You may get a pop-up window that says the server's certificate doesn't exist on
your local computer. Do NOT quit the connection. Copy the SSL certificate you
exported from the router (step 4 above) into the c:\Program Files\Cisco Small
Business\QuickVPN Client\ directory. The client uses that file to check that it is
talking to your router and not to something impersonating it, so distribute the
exported certificate yourself rather than accepting one presented over the
connection. Next time you connect, you will not get the pop-up warning.
That's it, your PC can connect through a VPN to your router.
The single network refers to the connection between the router and the switch. The
Ethernet switch may be included as part of the router or they might be two separate
devices. There is only one connection defined between the router and the switch and
the complete LAN side resides on one network. (ex. 192.168.1.0/24). This means that
broadcast traffic from all devices will appear throughout the network. This is the
typical default configuration that routers have right out of the box.
In the separate VLAN routing network, each VLAN has a port
connected to the router. This means that the router has multiple LAN side ports. In the
simplest scenario, there is one port/connection dedicated to the voice VLAN and
another port/connection dedicated to the data VLAN.
and typically out of reach for a home network or even a SOHO's budget. They
typically require an expert level of knowledge to configure that usually requires
training of some sort.
A lot of routers can provide traffic management for VoIP protocols and QoS through
their web based GUI or command line interface. The traffic management typically
deals with outbound traffic. Priority can be given to voice protocols like SIP or to the
voice VLAN. The router recognizes the voice traffic and when given the choice
between sending out data or voice, it will send the voice first. Each router is different
and its capabilities would need to be explored to see how it can manage traffic.
Broadband Routers
Most home broadband routers have a built-in 4 or 8 port switch that when taken "right
out of the box" will not have the capabilities to separate the LAN ports into individual
networks that would fit the requirements of the Separate VLAN Routing Network.
Aftermarket Router Firmware
There are several aftermarket router firmware upgrades that are both free open source
and paid upgrades that can add more capabilities to your router. The result is that your
el-cheapo router gets a hit of steroids and provides features normally seen only on
expensive enterprise class routers. One of these is DD-WRT which allows you to
VLAN the internal switch, assign each port to a VLAN and create individual DHCP
servers for each VLAN. Unfortunately, aftermarket router firmware upgrades require
a level of expertise and patience to get working correctly.
Advantages
The advantages to a Separate VLAN Routing Network are
The voice and data traffic are on separate networks until it reaches the router
and WAN link
LAN Voice traffic is not affected by data traffic - built-in quality of service
The voice network's outgoing traffic can be given priority over the data
network on the WAN link
Voice traffic protocols like SIP and RTP can be given priority over data traffic
on the WAN link
Disadvantages
The disadvantages to a Separate VLAN Routing Network are:
It is more complex to set up compared to other networks
For each VLAN, the router requires a separate physical Ethernet port
The number of LAN ports on the router will limit the number of VLANs
Routers can be expensive
The WAN link is the bottleneck for traffic
Overall this is a very good solution as it pushes the traffic bottleneck and QoS
problems to the router/WAN link. Enterprise class routers have built-in mechanisms to
deal with these exact problems and manage the traffic on the WAN link. As a network
grows, the number of VLANs will increase and finding a router with many LAN ports
becomes expensive and difficult. Typically an enterprise router has 1 WAN port and
maybe 2 LAN ports.
Note: Soft IP phones that run as apps on the PC, such as the Xlite softphone, still
reside on the data LAN and will have quality issues as their traffic will be fighting
with the data traffic for bandwidth.
The Router on a Stick network uses one connection between the router and the switch.
The switch must be VLAN'd and normally on a VLAN'd switch port, the port is
assigned to just one VLAN. In the Router on a Stick configuration, the port is
assigned multiple VLANs and called a trunk. There are a few standards for
configuring the trunk, the method used in these examples is IEEE802.1Q sometimes
referred to as "dot1q".
IEEE802.1Q (dot1q) Background Info
Dot1q only exists within a switch OR between switches OR between a switch and a
router as in this Router on a Stick network. It's job is to tag traffic on the trunk with
the VLAN ID so that the destination knows which VLAN to send the Ethernet frame.
This is called tagging the Ethernet frame. The Ethernet frame is modified with
tagging information according to the IEEE802.1Q standard and again ONLY exists on
the trunk. When the frame reaches its destination (the router or the switch), the
tagging is removed.
goes to an end device like a PC or Laptop, the dot1q tagging is removed. The tagging
only exists within a switch OR between switches OR between a switch and a router as
in this Router on a Stick network
Special VLANs
There are a few special VLANs that are associated with a dot1q network:
Native VLAN - Out of the box, every port on a switch is in the default VLAN,
which on most switches has the VLAN ID 1 (one), so that the switch works
right out of the box until you configure it for VLANs. VLAN 1 is also the
default native VLAN of an 802.1Q trunk: the VLAN whose frames cross the
trunk without a tag. An important point is that any port that you do not
assign to a specific VLAN (like 10, 20, 30 or 40 in our example) stays in
VLAN 1.
This opens up a security hole! So for good physical security, all unused ports
should be closed. Enterprise level switches allow you to shut down unused
ports, and it is good practice to also move them into an unused, dead-end
VLAN. Another important point is that untagged traffic arriving on a trunk is
placed in the trunk's native VLAN. With this knowledge, you will want to
control where untagged traffic goes by changing the native VLAN to a
controlled, otherwise unused VLAN of your choice (VLAN 99 in the
configuration example).
Management VLAN - Good practice in a large network is to have a special
VLAN called the Management VLAN for security purposes. Its purpose is to
connect all of the network devices like switches and routers together for
administration and configuration. This is a private VLAN that only system
admins can access. Normal day to day users and guests on the network do not
have access to it and therefore cannot reach the management interfaces of the
switches and routers.
I've seen many examples of VLAN'd networks where the Management
VLAN and the native VLAN are the same VLAN. This is BAD practice!
Anyone who physically connects to the default VLAN, either accidentally or
through a switch port that defaults to the native VLAN, will now have access to
the Management VLAN, and untagged traffic on every trunk will land on what
should be a secure network! Always separate your native VLAN and Management
VLAN.
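The three mistakes above (a trunk whose native VLAN is the management VLAN, a trunk left on native VLAN 1, and a live port nobody assigned to a VLAN) are easy to catch mechanically. The following added example (not code from the original page) audits a Cisco IOS-style configuration for them. SAMPLE_CONFIG is constructed sample text, not output from a real device, and the rule "an SVI with an IP address marks a management VLAN" is this example's own assumption.

```python
"""Audit a switch configuration for native VLAN and management VLAN mistakes.

Added example, not code from the original page. SAMPLE_CONFIG is constructed
text in Cisco IOS style, not output from a real device, and the rule "an SVI
with an IP address marks a management VLAN" is this example's assumption.
"""
import re

SAMPLE_CONFIG = """\
!
interface Vlan99
 ip address 192.168.99.2 255.255.255.0
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 30
!
interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/3
 switchport access vlan 10
 switchport mode access
 shutdown
!
interface FastEthernet0/5
 switchport mode trunk
!
interface FastEthernet0/6
 switchport mode trunk
 switchport trunk native vlan 99
!
"""

ACCESS_RE = re.compile(r"switchport access vlan (\d+)")
NATIVE_RE = re.compile(r"switchport trunk native vlan (\d+)")


def parse_interfaces(config: str) -> dict:
    """Map each 'interface X' stanza to its indented command lines."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None          # '!' or a top-level command ends the stanza
    return stanzas


def management_vlans(stanzas: dict) -> set:
    """VLANs with an SVI that has an IP address, i.e. where the switch itself
    can be reached (assumption: that is the management VLAN)."""
    found = set()
    for name, lines in stanzas.items():
        m = re.fullmatch(r"Vlan(\d+)", name)
        if m and any(l.startswith("ip address ") for l in lines):
            found.add(int(m.group(1)))
    return found


def audit(config: str) -> list:
    """Return (interface, finding) pairs. Defaults follow IOS: an access port
    with no 'switchport access vlan' is in VLAN 1, and a trunk with no
    'switchport trunk native vlan' uses native VLAN 1."""
    stanzas = parse_interfaces(config)
    mgmt = management_vlans(stanzas)
    findings = []
    for name, lines in stanzas.items():
        if name.startswith("Vlan"):
            continue
        is_trunk = "switchport mode trunk" in lines
        shut = "shutdown" in lines
        access = native = 1
        for l in lines:
            if m := ACCESS_RE.fullmatch(l):
                access = int(m.group(1))
            if m := NATIVE_RE.fullmatch(l):
                native = int(m.group(1))
        if is_trunk and native in mgmt:
            findings.append((name, f"trunk native VLAN {native} is a management VLAN: "
                                   "untagged frames land on the management network"))
        elif is_trunk and native == 1:
            findings.append((name, "trunk uses default native VLAN 1; move it to an unused VLAN"))
        if not is_trunk and not shut and access == 1:
            findings.append((name, "live access port still in VLAN 1: shut it or assign a dead-end VLAN"))
        if not is_trunk and not shut and access in mgmt:
            findings.append((name, f"live access port in management VLAN {access}"))
    return findings


if __name__ == "__main__":
    for intf, finding in audit(SAMPLE_CONFIG):
        print(f"{intf}: {finding}")
```

Run it against the output of `show running-config` instead of SAMPLE_CONFIG; the parser only relies on the stanza indentation IOS uses, so other vendors' configs need their own line patterns.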
Configuration Example
You must configure both ends of the trunk: the switch side and the router side. This
example is based on Cisco configuration, only because that's what I'm used to. Other
brands will be configured similarly.
Switch Configuration - On the switch, you must configure the port to the
router as a dot1q trunk:
    interface fastethernet0/5               <-- port 5, which is connected to the router
    switchport trunk encapsulation dot1q    <-- selects the trunk protocol; required on switches
                                                that also support ISL (e.g. the 3560) and not
                                                accepted on 802.1Q-only models such as the 2960
    switchport mode trunk                   <-- configures the port as a trunk
    switchport trunk native vlan 99         <-- sets VLAN ID 99 as the native VLAN for the trunk
Router Configuration - On the router, turn on the physical interface and
create one dot1q subinterface per VLAN:
    interface fa0/0                         <-- the physical interface
    no shutdown                             <-- in the Cisco world, this is how you turn on the interface
    interface fa0/0.10                      <-- creates the subinterface and ties it to VLAN 10
    encapsulation dot1q 10                  <-- IEEE802.1Q tagging of frames for VLAN 10
    ip address 192.168.10.1 255.255.255.0   <-- assigns an IP address to the subinterface
You only need to turn on the physical interface; the subinterfaces come up with it.
As a matter of fact, you must turn on the physical interface for anything to work.
This would be done for each VLAN: 20, 30 and 40, so there would be 4 subinterfaces
created. The native VLAN 99 needs no subinterface: it is there to catch untagged
frames, not to be routed.
InterVLAN Routing
The IP address assigned to the subinterface becomes the default gateway for the
VLAN. So in the above example 192.168.10.1 is the default gateway for VLAN 10.
The neat part is that the routing is automatically done between subinterfaces, no
routing rules need be configured as the router is aware of any networks directly
connected to it. In this case, it is aware of the networks connected to the subinterfaces
by the subinterface's IP address and subnet mask.
Advantages
The advantages to a Router on a Stick Network are
Voice and data traffic are on separate VLANs
The number of VLANs are not limited by the number of router LAN ports as
only one port is required
Only one LAN connection is required for multiple VLANs
Disadvantages
The disadvantages to a Router on a Stick Network are:
It is more complex to set up compared to other networks
Traffic between VLANs goes into the router and out of the router through the
same port
The trunk is a major source of congestion
I've found that the trunk becomes a major source of congestion as all interVLAN
traffic has to go in and out on the same port. So if VLAN 10 wanted to talk to VLAN
20, then traffic from VLAN 10 would go to the router via the trunk. The router would
route the traffic to VLAN 20's subinterface and then out the same trunk. I've measured
that the trunk can only carry 60% of traffic compared to having separate ports for
VLANs.
Summary
Router on a Stick networks were a 90s solution to interVLAN routing. A much better
solution is to use a more modern solution: Layer 3 switch.
Layer 3 Switches
So what is the difference between a Layer 3 switch and a router? It used to be that
Layer 3 switches could only route between VLANs on the switch and couldn't run
routing protocols like RIP, but now Layer 3 switches can run routing protocols. At the
time of writing this, Layer 3 switches couldn't run WAN protocols like Frame Relay,
T1 lines, ISDN, PPP or ATM but I think that is mainly because they don't have an
interface to those protocols.
It isn't hard to imagine a switch manufacturer adding plugin
module support for a WAN protocol in the near future! But then
again, there is the rising usage of carrier Ethernet which is
replacing the traditional WAN protocols. A Layer 3 switch can
make direct connection to the WAN using one of its Ethernet ports and making the
legacy WAN protocols obsolete!
VLAN'd Network
The first step is to separate the voice and data traffic. Two separate networks could be
used but that would be expensive and a waste of resources. A better solution is
to VLAN the network. Layer 3 Ethernet switches are used to divide the physical
network into Virtual LANs (VLANs). These VLANs can span across many switches
and many floors of a building. This logically isolates the data traffic from the voice
traffic, even though both share the same cables and switches.
Layer 3 Switches
Passing the Functionality
One of things that happens when you use Layer 3 Switches is the passing of
functionality of services from what was traditionally the router to the Layer 3 switch.
The routing between VLANs (called InterVLAN routing) is now the responsibility of
the Layer 3 switch. What also goes with it, is DHCP services. The switch now
provides the DHCP server for each of its VLANs. Each VLAN will have its own
subnet address and the associated DHCP pool.
A new VLAN is created specifically for routing between the router and the switch. For
lack of a better name, I've called the WAN VLAN as that is where the traffic is going
to and coming from.
The router now has more specific functions: interfacing to the WAN using
WAN protocols, providing Network Address Translation (NAT) and
providing security by acting as a firewall. The configuration of the router
becomes much simpler.
Configuring a Layer 3 switch for routing
It is surprisingly easy to configure a Layer 3 Switch for InterVLAN routing. If you
come from the complex Router on a Stick configuration then you will find this so easy
that it won't make sense! This configuration is based on Cisco just because I'm
familiar with it. So here goes:
1. Enable Layer 3 functionality - some switches, such as the Cisco 2960 (a Layer 2
switch that gains limited static routing with recent IOS releases), first need the
SDM template changed to lanbase-routing ("sdm prefer lanbase-routing", followed by
a reload) before routing can be turned on. Then enable IP routing:
Switch(config)#ip routing
That's it for InterVLAN routing! Each VLAN interface has its own IP address and the
switch routes between them automatically - no trunk to the router, no native VLAN,
no sub-interfaces!
2. Set the default route on the switch and the static routes on the router. The
switch needs a default route pointing at the router's address on the WAN VLAN, and
the router needs a static route for each VLAN subnet pointing back at the switch's
address on the WAN VLAN; without those return routes the router would send replies
for the VLANs out its own default route toward the Internet. In this example the
switch is 192.168.50.1 and the router is 192.168.50.2 on the WAN VLAN. On the
switch:
ip route 0.0.0.0 0.0.0.0 192.168.50.2
On the router:
ip route 192.168.10.0 255.255.255.0 192.168.50.1
ip route 192.168.20.0 255.255.255.0 192.168.50.1
ip route 192.168.30.0 255.255.255.0 192.168.50.1
ip route 192.168.40.0 255.255.255.0 192.168.50.1
Router#sho ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 10.197.4.11 to network 0.0.0.0
[route entries not preserved in this copy: two connected networks (C), the four
static routes to the VLAN subnets (S) and the candidate default (S*) via 10.197.4.11]
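To see why the default route on the switch and the static routes on the router both matter, here is a small longest-prefix-match model of the two routing tables. It is an example added for this page, not the page's own configuration or any vendor code. It assumes the WAN VLAN between the devices is VLAN 50 with the switch at 192.168.50.1 and the router at 192.168.50.2 (the addresses the route commands above use), takes the ISP next hop 10.197.4.11 from the gateway-of-last-resort line, and ignores NAT so that only the routed path is followed. The `router_table(missing_vlan=40)` case shows what a forgotten static route does: the reply for that VLAN follows the router's default route toward the ISP instead of back to the switch.

```python
"""Longest-prefix-match model of the Layer 3 switch plus router design.

Added example for this page, not the page's own configuration or any vendor code.
Assumptions: the WAN VLAN between switch and router is VLAN 50, the switch is
192.168.50.1 and the router 192.168.50.2 on it, the ISP next hop is 10.197.4.11,
and NAT is ignored (the routed path alone is followed).
"""
import ipaddress

VLAN_SUBNETS = {10: "192.168.10.0/24", 20: "192.168.20.0/24",
                30: "192.168.30.0/24", 40: "192.168.40.0/24"}
SWITCH_WAN_VLAN_IP = "192.168.50.1"   # next hop used by the router's static routes
ROUTER_WAN_VLAN_IP = "192.168.50.2"   # next hop used by the switch's default route
ISP_NEXT_HOP = "10.197.4.11"          # the router's gateway of last resort
# Which device a next-hop address belongs to, so a trace can move between tables.
DEVICE_AT = {ROUTER_WAN_VLAN_IP: "router", SWITCH_WAN_VLAN_IP: "switch",
             ISP_NEXT_HOP: "internet"}


def route_table(entries):
    """Build a table from (prefix, next_hop, interface); next_hop None means connected."""
    return [(ipaddress.ip_network(prefix), nh, ifc) for prefix, nh, ifc in entries]


def lookup(table, dst):
    """Forwarding decision: the matching entry with the longest prefix, or None."""
    addr = ipaddress.ip_address(dst)
    matches = [entry for entry in table if addr in entry[0]]
    return max(matches, key=lambda entry: entry[0].prefixlen, default=None)


def switch_table():
    """Connected VLAN interfaces plus the default route to the router."""
    connected = [(subnet, None, f"Vlan{vlan}") for vlan, subnet in VLAN_SUBNETS.items()]
    connected.append(("192.168.50.0/24", None, "Vlan50"))
    return route_table(connected + [("0.0.0.0/0", ROUTER_WAN_VLAN_IP, "Vlan50")])


def router_table(missing_vlan=None):
    """Static routes back to the VLANs (optionally leaving one out), the connected
    WAN VLAN and WAN interface, and the default route to the ISP."""
    statics = [(subnet, SWITCH_WAN_VLAN_IP, "Fa0/1")
               for vlan, subnet in VLAN_SUBNETS.items() if vlan != missing_vlan]
    return route_table(statics + [("192.168.50.0/24", None, "Fa0/1"),
                                  ("10.197.4.0/24", None, "Fa0/0"),
                                  ("0.0.0.0/0", ISP_NEXT_HOP, "Fa0/0")])


def trace(tables, start, dst):
    """Follow a packet to dst starting at device `start`. Returns the hop list, ending
    in 'delivered:<interface>', 'internet', 'no route' or 'loop'."""
    path, device = [], start
    while device not in path:
        path.append(device)
        if device == "internet":
            return path
        entry = lookup(tables[device], dst)
        if entry is None:
            return path + ["no route"]
        _prefix, next_hop, interface = entry
        if next_hop is None:                       # directly connected: deliver here
            return path + [f"delivered:{interface}"]
        device = DEVICE_AT[next_hop]
    return path + ["loop"]


if __name__ == "__main__":
    good = {"switch": switch_table(), "router": router_table()}
    print("VLAN 10 host -> Internet:", trace(good, "switch", "8.8.8.8"))
    print("Internet reply -> VLAN 10:", trace(good, "router", "192.168.10.5"))
    print("VLAN 10 -> VLAN 20 (switch only):", trace(good, "switch", "192.168.20.7"))
    broken = {"switch": switch_table(), "router": router_table(missing_vlan=40)}
    print("Reply -> VLAN 40 with its static route missing:",
          trace(broken, "router", "192.168.40.5"))
```

The inter-VLAN case never touches the router, which is the whole point of moving routing to the switch; the broken case is the classic symptom of a missing return route, where outbound works and the reply silently disappears toward the provider.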
LAN IP address. There is a NAT translation table that keeps track of which packet
belongs to which device.
Symmetric NAT
Symmetric NAT is used for outgoing (egress) communications. The LAN source IP
address is translated to the public IP address and the LAN source port is mapped to a
unique external port, such as 21000, with the NAT translation table recording the
mapping. When a response from the Internet arrives at the public IP address, the
router looks up the destination port in the translation table; if it finds 21000, it
rewrites the destination IP address to the LAN IP address and restores the original
port. Remember that this is two-way communication: the mapping is created by the
outgoing packet, and only incoming traffic that matches an existing entry is
forwarded inside. (In the STUN classification, "symmetric" specifically means that the
router allocates a new external port for every destination, the variant that gives VoIP
the most trouble; what is described here is the ordinary port address translation that
every variant performs.)
With Cisco routers, you can assign multiple IP addresses to the public-facing
Ethernet interface. I needed to expose the PBX and a tftp/ftp server to the outside
world for my lab environment, so I gave the public-side Ethernet interface a primary
IP address and a secondary IP address and used one-to-one (static NAT) mappings to
point each of them at an internal server. The public interface is configured as the
NAT outside interface. For Cisco, the relevant configuration is as follows (the
static one-to-one mappings themselves are not shown):
interface FastEthernet0/0
description WAN port, .240 is PSTNserver, .249 is ITSP
ip address 10.163.95.249 255.255.255.0 secondary
ip address 10.163.95.240 255.255.255.0
ip nat outside
interface FastEthernet0/1
description LAN interface
ip address 192.168.202.1 255.255.255.0
ip nat inside
ip nat inside source list 120 interface FastEthernet0/0 overload
access-list 120 permit ip any any
The LAN interface is configured as NAT inside. The "ip nat inside source list 120 ..."
line says that traffic from inside addresses matched by access list 120 is translated
to the address of FastEthernet0/0 (the WAN interface). The "overload" keyword enables
Port Address Translation, so many inside hosts share the one outside address. The last
line defines Access Control List (ACL) 120. In this context the ACL is not a firewall
rule: it only selects which inside source addresses are eligible for translation, and
"permit ip any any" makes every inside address eligible. A tighter list would match
just the LAN subnet, 192.168.202.0/24. Filtering what is allowed in or out is a
separate job, done with ACLs applied to the interfaces or with the router's firewall
feature set, and there are whole courses on locking a router down that way. Interface
ACLs are beyond the scope of this NAT page.
NAT Methods
Naturally, as with everything concerning the Internet, there are other "methods" of
NAT: "one to one"/full cone, restricted cone, port restricted and symmetric NAT.
These are the STUN classifications, and they describe how strictly the router decides
which outside hosts may send to a mapped port. Each has its merits and functions. The
two that I've mentioned will work in 90% of the cases. I'm not going to go into detail
on all of these methods; a Google search will provide you with more information than
you would care to know about NAT.
PAT - Port Address Translation
For VoIP, the bad guy in this equation is PAT (Port Address Translation). When a
packet traverses (goes through) the NAT, the TCP or UDP source port is changed to
another one so that the router can track the flow in its translation table. When the
reply returns, the port is changed back to the original. So in addition to changing
the IP address, the port gets changed too!
For the most part this works very well. The exception is VoIP, where two protocols are
used for a call: SIP (Session Initiation Protocol) sets up the call and RTP (Real-time
Transport Protocol) carries the voice conversation. Instead of one flow, two must be
translated. To make matters worse, the SDP body carried inside the SIP message tells
the other party which IP address and port to send RTP to, and the router rewrites only
the IP and UDP headers, not that payload. The far end therefore sends its RTP to the
phone's private address and port, which is unroutable from the Internet (or, if the
address is fixed up but the port is not, to a port on the public address that the
translation table has never seen, so the router drops it). The result is a problem
called "one way audio": one party can call the other and the call connects, but only
one party can hear the other. This is the typical symptom of a NAT problem.
The problem becomes even worse if there is NAT at both ends of the call! Now each end
is performing NAT and PAT translations. Static port mapping (port forwarding) of the
SIP port and the RTP port range to your PBX is one way around this, but it exposes the
PBX's signalling to everyone who scans the Internet for SIP, which is not a good idea.
If you do it, firewall rules or access control lists are absolutely necessary:
whitelist the IP addresses of your ITSP and any other legitimate peers, and give
remote clients a VPN (Virtual Private Network) connection instead of an open port.
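The one-way-audio mechanism described above, modelled in code as an added example (not code from this page or from any router vendor). The public address 203.0.113.10, the phone at 192.168.202.50 on the page's LAN, the RTP port 10000 and the SIP INVITE are all constructed. `Pat` is a minimal port-address-translation table; `sip_alg` stands in for what a SIP ALG on the router (or the PBX's own external-address settings) would do to the SDP, namely put the public address and the mapped port into it. Run without the fix, the far end is told to send RTP to a private address and the phone's side of the call is silent; with it, both directions map back.

```python
"""What PAT does to a SIP call when the NAT router has no SIP awareness.

Added example for this page, not code from the page or from any vendor. The public
address, the phone's address and ports, and the SIP INVITE are all constructed; the
LAN is the page's 192.168.202.0/24. 'sip_alg' stands in for a SIP ALG or the PBX's
own NAT settings rewriting the SDP.
"""
import ipaddress
import re
from itertools import count

PUBLIC_IP = "203.0.113.10"    # assumed public address of the NAT router
PHONE_IP = "192.168.202.50"   # assumed inside phone on the page's LAN
PHONE_RTP_PORT = 10000        # assumed RTP port the phone advertises in its SDP
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed INVITE: only the headers and SDP lines this example needs.
INVITE = (
    "INVITE sip:bob@itsp.example.net SIP/2.0\r\n"
    f"Via: SIP/2.0/UDP {PHONE_IP}:5060;branch=z9hG4bK776\r\n"
    f"Contact: <sip:alice@{PHONE_IP}:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    f"o=alice 1 1 IN IP4 {PHONE_IP}\r\n"
    "s=call\r\n"
    f"c=IN IP4 {PHONE_IP}\r\n"
    "t=0 0\r\n"
    f"m=audio {PHONE_RTP_PORT} RTP/AVP 0\r\n"
)


class Pat:
    """Port Address Translation: one public IP, one translation table, ports from 21000 up."""

    def __init__(self, public_ip, first_port=21000):
        self.public_ip = public_ip
        self._ports = count(first_port)
        self.table = {}    # (inside_ip, inside_port) -> outside_port
        self.reverse = {}  # outside_port -> (inside_ip, inside_port)

    def outbound(self, src_ip, src_port):
        """Egress: translate the source, allocating a mapping the first time a flow is seen."""
        key = (src_ip, src_port)
        if key not in self.table:
            port = next(self._ports)
            self.table[key] = port
            self.reverse[port] = key
        return self.public_ip, self.table[key]

    def inbound(self, dst_port):
        """Ingress: the inside (ip, port) for dst_port, or None when there is no mapping (dropped)."""
        return self.reverse.get(dst_port)


def sdp_media_target(sip_msg):
    """Where the far end will send RTP: the SDP c= address and m=audio port, not the IP header."""
    ip = re.search(r"^c=IN IP4 (\S+)", sip_msg, re.M).group(1)
    port = int(re.search(r"^m=audio (\d+) ", sip_msg, re.M).group(1))
    return ip, port


def sip_alg(nat, sip_msg, inside_ip):
    """Rewrite the SDP the way a SIP ALG would: public address and the mapped RTP port,
    creating the RTP mapping in advance so the far end's first packet gets through."""
    _ip, port = sdp_media_target(sip_msg)
    pub_ip, pub_port = nat.outbound(inside_ip, port)
    msg = re.sub(r"^c=IN IP4 \S+", f"c=IN IP4 {pub_ip}", sip_msg, flags=re.M)
    return re.sub(r"^m=audio \d+ ", f"m=audio {pub_port} ", msg, flags=re.M)


def is_rfc1918(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


def place_call(alg):
    """Run one call through a fresh PAT, with or without SDP rewriting, and report who hears whom."""
    nat = Pat(PUBLIC_IP)
    msg = sip_alg(nat, INVITE, PHONE_IP) if alg else INVITE
    signalling_src = nat.outbound(PHONE_IP, 5060)    # IP/UDP headers are always translated
    rtp_target = sdp_media_target(msg)               # the far end trusts the SDP, not the header
    # Phone -> far end: the phone's own RTP creates (or reuses) a mapping, so it always works.
    phone_heard = nat.outbound(PHONE_IP, PHONE_RTP_PORT)[0] == PUBLIC_IP
    # Far end -> phone: works only if the SDP pointed at the public IP and that port maps back.
    target_ip, target_port = rtp_target
    far_end_heard = (target_ip == PUBLIC_IP
                     and nat.inbound(target_port) == (PHONE_IP, PHONE_RTP_PORT))
    return {
        "signalling_seen_from": signalling_src,
        "far_end_sends_rtp_to": rtp_target,
        "rtp_target_is_private": is_rfc1918(target_ip),
        "phone_to_far_end_audio": phone_heard,
        "far_end_to_phone_audio": far_end_heard,
        "one_way_audio": phone_heard and not far_end_heard,
    }


if __name__ == "__main__":
    for alg in (False, True):
        print(f"SIP ALG {'on ' if alg else 'off'}:", place_call(alg))
```

Note what the fix does not do: it still relies on a mapping existing before the far end's first RTP packet arrives, which is why the ALG allocates it while rewriting the SDP. A port forward achieves the same reachability by making the mapping permanent, which is exactly why it needs the whitelist discussed above.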
In case you were wondering, the number 3600 is the number of seconds in an
hour and is used to make sure that the units hours and seconds cancel.
4. Next we need to determine the number of voice channels that are needed to
meet the required blocking. To do this we use the Erlang B table (pdf) under the
% blocking column. For our example, we select the closest value to 8.9 Erlangs from
the 5% blocking column, which gives a minimum of 13 channels. For 1% blocking, 16
channels would be the minimum number of channels required. Note that a table lookup
rounds: 13 channels carry slightly less than 8.9 Erlangs at exactly 5% blocking, so if
the blocking target is a hard limit, round up to the next channel rather than to the
closest entry.
5. Now we can determine the bandwidth required. To do this we need to know the
voice codec that is going to be used. Voice codecs are selected for two reasons:
voice quality and bandwidth used. On the LAN there is plenty of bandwidth
available, so the G.711 (alaw or ulaw) codec is used. The codec itself uses 64 kbps
in each direction just for the encoded voice. On top of that comes the overhead of
the RTP, UDP and IP headers on every voice packet, the WAN protocol's framing, and
the SIP signalling. The Asterisk Guru has a nice online bandwidth calculator for
determining the total bandwidth used based on the number of incoming and outgoing
channels using common codecs and VoIP protocols.
In our example, using 15 channels with the SIP protocol and the G.711 codec, the
calculator gives a minimum of 2,070 kbps, or roughly 2 Mbps, of our WAN link's
bandwidth to be dedicated to voice traffic. That is about 138 kbps per channel, so the
13 channels of the 5% design in step 4 need about 1,800 kbps and the 16 channels of
the 1% design about 2,200 kbps; size the link for the blocking target you actually
chose.
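Steps 4 and 5 carried through in code, as an added example that is neither the page's Erlang table nor the Asterisk Guru calculator. It assumes the page's 8.9 Erlangs, G.711 at 64 kbps with 20 ms packets, 12+8+20 bytes of RTP/UDP/IP header and 18 bytes of Ethernet framing per packet, and counts one direction of each call without WAN framing or SIP signalling, so its totals come out lower than the calculator's. It also makes the rounding point explicit: at 8.9 Erlangs, 13 channels give about 5.2% blocking and 16 about 1.02%, so a strict at-or-below target needs 14 and 17 channels respectively.

```python
"""Erlang B trunk sizing and G.711 bandwidth, carried through in code.

Added example for this page; it is not the page's Erlang table or the Asterisk Guru
calculator. Assumed inputs: 8.9 Erlangs of offered traffic (the page's figure), G.711
at 64 kbps with 20 ms packets, RTP/UDP/IP headers of 12+8+20 bytes, and 18 bytes of
Ethernet framing per packet. WAN-link framing and SIP signalling are not included.
"""


def erlang_b(traffic, channels):
    """Blocking probability for `traffic` Erlangs offered to `channels` trunks.
    Uses the recursion B(n) = A*B(n-1) / (n + A*B(n-1)), B(0) = 1, which equals
    (A**n/n!) / sum(A**k/k!) but does not overflow for large n."""
    blocking = 1.0
    for n in range(1, channels + 1):
        blocking = traffic * blocking / (n + traffic * blocking)
    return blocking


def channels_for(traffic, max_blocking):
    """Smallest channel count whose blocking is at or below the target (a strict
    round-up, unlike picking the closest table entry)."""
    n = 1
    while erlang_b(traffic, n) > max_blocking:
        n += 1
    return n


def voip_channel_kbps(codec_kbps=64, packet_ms=20, l2_overhead_bytes=18):
    """Bandwidth of one direction of one call at the IP layer and on Ethernet."""
    payload_bytes = codec_kbps * 1000 / 8 * packet_ms / 1000   # 160 bytes for G.711 @ 20 ms
    packets_per_second = 1000 / packet_ms                       # 50 pps
    ip_bytes = payload_bytes + 12 + 8 + 20                      # RTP + UDP + IP headers
    return {
        "ip_kbps": ip_bytes * 8 * packets_per_second / 1000,
        "ethernet_kbps": (ip_bytes + l2_overhead_bytes) * 8 * packets_per_second / 1000,
    }


def size_trunk(traffic, max_blocking, **codec):
    """Channels needed for the blocking target and the voice bandwidth they consume
    (per direction; a symmetric link needs this much each way)."""
    n = channels_for(traffic, max_blocking)
    per_channel = voip_channel_kbps(**codec)
    return {
        "channels": n,
        "blocking": erlang_b(traffic, n),
        "ip_kbps": n * per_channel["ip_kbps"],
        "ethernet_kbps": n * per_channel["ethernet_kbps"],
    }


if __name__ == "__main__":
    for target in (0.05, 0.01):
        print(f"{target:.0%} blocking:", size_trunk(8.9, target))
    # The page's table lookup picked 13 and 16 channels; their exact blocking is:
    print(f"13 channels: {erlang_b(8.9, 13):.2%}   16 channels: {erlang_b(8.9, 16):.2%}")
```

The header overhead is the reason G.711 costs 80 kbps at the IP layer and 87.2 kbps on Ethernet rather than 64: with 20 ms packets a quarter of every packet is headers, and a compressed codec such as G.729 changes the payload but not that 40-byte header cost, so the savings on a WAN link are smaller than the codec rates alone suggest.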
Control of QoS
You have complete control over Quality of Service (QoS) on the LAN, because you own
the LAN and can configure and tune every switch and router in it. The WAN connection
is different. Your router can prioritise and shape the traffic it sends out, but it can
do nothing about the order in which packets arrive from the provider's side of the
link, and that is where inbound voice competes with inbound data. To control the
incoming traffic you must have a QoS agreement with the service provider for the WAN
connection, under which the provider honours your markings or applies its own
priority to voice. Otherwise you control QoS on outgoing traffic only, not incoming!