
The Network portion provides a discussion on setting up a network for using Voice over IP (VoIP), including LANs, VLANs, WANs, traffic patterns and QoS. It starts off with an introduction to the typical home user network, progresses to a small office home office (SOHO) network and then to a business class network. Critical components and issues such as VLANs, the WAN link, network address translation (NAT) and quality of service (QoS) are examined.
This section is divided into the following pages:
Personal Home Network - A typical personal home network configuration is detailed
and the effects and issues that affect VoIP are examined. This is the level that most
experimenters start at.
SOHO Network - A small office home office network is a step above the typical home network, as the user is now concerned with voice quality and the management of data traffic. Here's how to improve the quality and consistency of the VoIP traffic.
Business Network - The business network services many VoIP users and has greater
data traffic. New issues arise and new solutions are required. Here's where they are
discussed.
VLANs - Virtual LANs provide a method of segregating traffic based on the type of traffic. It is the first step in improving the quality of service for VoIP.
Routing - the Routing section explores Network Address Translation (NAT),
the Wide Area Network (WAN) link, router on a stick, server on a stick,
layer 3 switches and more.
QoS - quality of service is a method of providing
priority to certain types of traffic such as VoIP in order to
provide a consistent reliable connection. This page discusses
mechanisms that are used to aid in giving VoIP priority over data.
Cisco QuickVPN - here's a simple way of creating a VPN into your SOHO network
using a Cisco SOHO router. In this case, we use the Cisco RV180W SOHO router
which is an extremely powerful SOHO router for a reasonable expenditure.

The next level up from a personal home network is a Small Office Home Office (SOHO) network. The requirements change from purely experimental, low VoIP usage to one where the end user expects a higher quality of service (QoS). The end user wants a reliable voice connection at all times, basically because they are running a business from home and require a professional appearance. The budget is still low, so some compromises are made.
The SOHO is an interesting situation as there are a number of choices available with
some that do not require hosting your own PBX:
Rent Phone Service - One choice is to rent a phone service from a VoIP
service provider - they will provide the IP phones, or you can configure your
own soft or hard IP phone to work with their system. They will configure and
maintain the PBX that is hosted at the service provider. The end user has
limited interaction with the PBX and pays a very competitive monthly rate.
This is ideal if you don't have the technical knowledge or time to learn and play
with a PBX. And lastly it is very quick and easy to set up.
Service Provider Hosts PBX - In this scenario, the PBX is hosted at the VoIP service provider. The user does the software configuration of the PBX while the hardware is maintained by the service provider. Usually, the PBX is virtualized on a powerful server as opposed to being a physical machine. The service provider is responsible for keeping the server up, backed up and its network connections running. The service provider will provide the connection to the PSTN.
Host the PBX - The PBX is located at the SOHO on a PC or low end server. It uses the SOHO's Internet connection and either connects to the PSTN via legacy telephony cards, an Analog Telephony Adapter (ATA) or through a VoIP service provider. The end user takes care of both the software configuration of the server and the hardware - the end user owns the PBX. This will be a steep but fun learning experience for those who like a technical challenge.
Host your own PBX - There are several off the shelf PBX offerings that can be utilized and many free open source PBX engines: Asterisk, FreeSwitch, YATE, etc. The open source PBX engine is just one component in creating a fully functional PBX. Online communities have combined the PBX engine into a distribution consisting of the software and tools that they feel are required to make a fully functional PBX. Examples are PBX in a Flash, Elastix, FreePBX, Blue.Box, etc. In choosing a distribution, the most important consideration is support and documentation, as you will be on a steep learning curve. Check out what documentation is available, what online support is available and the attitudes in the online support. Check out how friendly and helpful the forums are to new user postings.
Traffic Issues
Once you reach the SOHO level, quality becomes an issue and the configuration and design of the network become a concern. Data traffic starts to interfere with the voice traffic, causing poor audio quality, dropped calls and break-up. What can be done?
The first step is to identify the areas of the network where the bottlenecks between data and voice traffic are. The second step is to limit the traffic by separating the two as much as possible. Let's take a look at a typical SOHO network topology (drawing of the layout), which adds a separate Ethernet switch to provide more network connections than a standard wireless router.

Typical SOHO network


There are three areas of concern for VoIP traffic (which is the main focus of this
website):
1. Local Traffic - This is traffic within the local network. The Ethernet switch
will provide a circuit switched path between all devices on the network so there
is no bottleneck on the copper side. There is a bottleneck concerning the
wireless laptop when it needs to connect to the local copper LAN. Its traffic
must pass through the wireless router/Ethernet switch connection and fight for
bandwidth with Internet traffic. There is a QoS issue with wireless traffic.

2. Outgoing Traffic to the Internet - All traffic to the Internet must pass through
the Ethernet switch/Wireless Router connection. Outgoing voice traffic will be
fighting with data traffic for the port's bandwidth.
3. Incoming Traffic from the Internet - You have no control over the incoming
traffic from the Internet at the SOHO level in this typical SOHO setting. If you
have a hosted PBX then this can be an issue as voice traffic will be competing
with data traffic for bandwidth.

Congestion on the SOHO Network


Simple Solution
The simplest and least expensive solution is to purchase another inexpensive Ethernet switch and separate the voice and data traffic: one switch for voice and the other for data traffic. This moves the bottleneck to inside the wireless router, where there are usually methods to set the priority of data and voice traffic.

Separate Voice and Data Ethernet Switches


One Network
A very important point is that even though there are two Ethernet switches, there is
still only one network with one network address (ex. 192.168.1.0/24) that spans
across both switches. This means that broadcast traffic from both switches will appear
throughout the network.
Router Traffic Management

A lot of wireless routers provide traffic management and QoS through their web based
GUI. The traffic management really only deals with outbound traffic. Priority can be
given to voice protocols like SIP. The router recognizes the voice traffic and given the
choice between sending out data or voice, it will send the voice first. Each router is
different and its capabilities would need to be explored to see how it can manage
traffic.
Aftermarket Router Firmware
There are several aftermarket router firmware upgrades that are both free open source
and paid upgrades that can add more capabilities to your wireless router. The result is
that your el-cheapo router gets a hit of steroids and provides features normally seen
only on expensive enterprise class routers. One of these is DD-WRT which allows you
to set priority based on the physical Ethernet port. You could set the port connected to
the voice Ethernet switch as having priority over the data Ethernet switch's traffic.
Aftermarket router firmware upgrades require a higher level of expertise and patience
to get working correctly.
VLANs and QoS?
Instead of using two separate Ethernet switches, you can upgrade to a more expensive
switch that features VLANs (virtual LANs). The physical switch is able to divide
itself into virtual switches. These virtual switches appear as if they were separate
physical switches as discussed previously and as separate networks with unique
network addresses (ex. 192.168.1.0/24 and 192.168.2.0/24). QoS (Quality of Service)
can be controlled and configured in both the switch and the router. This is a step up in
cost and complexity and the network design is now moving closer to the Business
Network.
The business network services many VoIP users and has greater data traffic. New
issues arise and new solutions are required. Data and voice converge and are using the
same network infrastructure. Quality of Service (QoS) becomes very critical in order
to provide stable voice communications.
The critical areas of design for a Business network for traffic and congestion are:
Separating data and voice traffic
Security
Providing redundancy throughout the network
Incorporating sound QoS principles


Congestion on the WAN link
VLAN'd Network
The first step is to separate the voice and data traffic. Two separate networks could be
used but that would be expensive and a waste of resources. A better solution is
to VLAN the network. Layer 2 Ethernet switches are used to divide the physical
network into Virtual LANs (VLANs). These VLANs can span across many switches
and many floors of a building. This physically isolates the data traffic from the voice
traffic.

VLAN'd Switch
Layer 3 Switches
Instead of routers, Layer 3 switches can be used to route between VLANs. A layer 3
switch has limited routing capabilities and unlike a router, it doesn't support WAN
protocols. Layer 3 switches support VLANs by their nature.
3 Layer Hierarchical Model
As the network grows, a redundant mesh topology can be used by dividing the network into 3 distinct layers. Cisco developed the 3 Layer Hierarchical Model to address the needs of a large business network.
Core layer - This layer deals with connecting the core network services together and provides the backbone of the network. It is a high speed layer that provides the edge devices to the outside world.
Distribution layer - This layer is assigned the job of controlling the policies and routing traffic between VLANs and the core.
Access layer - This layer is connected to the end devices that use the network: PCs, servers, IP phones, network printers, etc. Its job is to assign ports to VLANs and to provide port based policy.

3 Layer Hierarchical Model


Physical security is set by access policies on the Access layer and system policies on
the Distribution layer. Which device can physically attach to the network and what
VLAN do they connect to are set on the Access layer. The Distribution layer sets how
VLANs interact together through routing tables and access control lists and which
devices have access to the Core layer. The Core layer provides the high speed
backbone and connection to the Internet.
Redundant Paths
The 3 Layer Hierarchical model provides redundancy through the network by providing a mesh network. Loops are prevented by using the Spanning Tree Protocol to automatically detect loops and block redundant paths. It is a dynamic protocol: it detects when links fail and automatically fails over to the backup paths.
Quality of Service
Network layer Quality of Service (QoS) can be implemented by assigning priority to devices through the IP header's ToS/DiffServ field. ToS stands for Type of Service and consists of 3 bits. This gives a range of priorities from 0 (default) to 7 (highest priority). Typically, data has a priority of 0 and voice traffic has a priority of 5.
DiffServ is an improved version of ToS. It stands for Differentiated Services and consists of the ToS's 3 bits plus 3 more. You either use ToS or DiffServ but not both. For this simplified explanation, DiffServ has a priority range of 0 (default) to 64, with data having a priority of 0 and voice a priority of 46.
In this manner, voice traffic will have priority over data traffic as it is transmitted
throughout the network.
Quality of Service can be implemented at the Data Link layer by using the
IEEE802.1Q (DOT1Q) VLAN frame tagging protocol. VLANs can be given priority
by using the Classification of Service (CoS) field in the DOT1Q tagged frame. The
CoS field consists of 3 bits with a priority of 0 (default) to 7. This leads directly to
MultiProtocol Label Switching (MPLS) which is a complete book in itself.
Congestion on the WAN Link
As a network administrator, you have complete control over your LAN based network. But you have limited control over the WAN link. You can control the QoS of traffic leaving your network through the sound QoS principles discussed previously. You can also give priority to voice protocols such as SIP, IAX, RTP, SCCP, H.323, etc., by incorporating an Application Layer Gateway (ALG). An ALG examines the contents of the packets leaving the network and can give priority to protocols related to the voice traffic.
You do not have control of the priority of the traffic entering your network unless you
have a Service Level Agreement (SLA) with your service provider. An SLA will
usually implement a connection to the service provider's MPLS network to control
priority.
Bandwidth

Quality of Service will give voice priority over data but the question that needs to be
asked is "How much bandwidth is needed for voice traffic?". The WAN page will aid
in determining how many voice channels are required for a trunk and how much
bandwidth is needed through the WAN link.
There are many options available for the WAN link, but be aware that some provide asymmetric bandwidth between uploads and downloads. Cable modems and ADSL are examples. Typically, the upload bandwidth is a fraction of the download bandwidth. For example, basic ADSL provides 3 Mbps download but only 500 kbps upload! A better solution is Symmetric DSL, which has equal upload and download bandwidths.
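As an added worked example (not part of the original page), the following Python computes the bandwidth one call needs in each direction and then applies it to the ADSL figures quoted above (3 Mbps down, 500 kbps up). The codec packetization, the header sizes and the G.729 entry are standard values assumed here rather than taken from the page, and the 20% of each direction held back for data in the usage call is also an assumption.

```python
"""Per-call VoIP bandwidth and how many calls fit on an asymmetric WAN link.

Added example, not from the original page. The ADSL rates (3 Mbps down,
500 kbps up) come from the text; codec and header sizes are assumed standard
values and are documented below.
"""

# Assumed codec parameters (standard values, not from the page):
#   G.711 carries 64 kbit/s of audio; at 20 ms per packet that is 160 bytes
#   of payload, 50 packets per second, in each direction.
#   G.729 carries 8 kbit/s of audio; 20 bytes per 20 ms packet.
CODECS = {
    "G.711": {"payload_bytes": 160, "packets_per_sec": 50},
    "G.729": {"payload_bytes": 20, "packets_per_sec": 50},
}

IP_UDP_RTP_HEADER_BYTES = 20 + 8 + 12  # IPv4 + UDP + RTP headers
ETHERNET_OVERHEAD_BYTES = 14 + 4       # Ethernet II header + FCS (preamble/IFG ignored)


def call_bandwidth_kbps(codec: str, include_ethernet: bool = True) -> float:
    """Bandwidth of one call in ONE direction, in kbit/s."""
    c = CODECS[codec]
    frame_bytes = c["payload_bytes"] + IP_UDP_RTP_HEADER_BYTES
    if include_ethernet:
        frame_bytes += ETHERNET_OVERHEAD_BYTES
    return frame_bytes * 8 * c["packets_per_sec"] / 1000


def concurrent_calls(codec: str, link_kbps: float, reserve_fraction: float = 0.0) -> int:
    """Whole calls that fit in link_kbps after setting reserve_fraction aside for data."""
    if not 0.0 <= reserve_fraction < 1.0:
        raise ValueError("reserve_fraction must be in [0, 1)")
    usable_kbps = link_kbps * (1.0 - reserve_fraction)
    return int(usable_kbps // call_bandwidth_kbps(codec))


def asymmetric_link_capacity(codec: str, down_kbps: float, up_kbps: float,
                             reserve_fraction: float = 0.0) -> tuple:
    """(calls the download side allows, calls the upload side allows, usable calls).

    A call sends the same stream both ways, so the slower direction (upload on
    ADSL) is the limit; the download figure only shows how much goes unused.
    """
    down = concurrent_calls(codec, down_kbps, reserve_fraction)
    up = concurrent_calls(codec, up_kbps, reserve_fraction)
    return down, up, min(down, up)


if __name__ == "__main__":
    for name in CODECS:
        print(f"{name}: {call_bandwidth_kbps(name):.1f} kbit/s per direction on Ethernet")
    # Basic ADSL from the text, keeping 20% of each direction free for data (assumption)
    print("G.711 calls on 3000/500 kbps ADSL:",
          asymmetric_link_capacity("G.711", 3000, 500, reserve_fraction=0.2))
```

With no reserve the 500 kbps upload side carries 5 G.711 calls while the 3 Mbps download side could carry 34, which is the imbalance the text warns about; a symmetric link removes it.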
A VLAN or Virtual LAN is a method of dividing a physical Ethernet switch into
separate physical and logical networks. On the physical side, instead of one Ethernet
switch, it appears as if you have multiple physical Ethernet switches. Multiple
Ethernet switches give the advantage as discussed in the SOHO network. The best
part is that VLAN'ing a switch is a software programmed process that is configured
through the switch user's interface. You decide how you want to divide your switch
into virtual switches or VLANs.

Physical VLAN'd Switch


On the logical side, each VLAN has its own network address (ex. VLAN 1 = 192.168.1.0/24, VLAN 2 = 192.168.2.0/24, etc.). This further isolates the VLAN traffic and provides better traffic management. Why is this an advantage? It isolates the "behind the scenes" traffic that is part of the network support protocols' overhead and not directly involved with transferring data. This is the traffic that is part of the "broadcast domain" - the traffic that is created by discovery services such as ARP, DHCP or routing protocols, as examples. This behind the scenes traffic can consume quite a portion of your available bandwidth - up to 35%! When the network is divided into VLANs, the broadcast domain (range of broadcast traffic) is restricted to each VLAN. This reduces the amount of broadcast per individual VLAN drastically.

Logical VLAN'd Switch


Advantages to VLAN'ing your network
There are very good reasons to VLAN your network:
Bandwidth - reduces network traffic to only what is needed on the VLAN.
Security - separate the LAN into segments based on security. Only those with the necessary security can access the VLAN.
Segment LAN - separate the LAN into segments by department or user group rather than by physical location.
QoS - separate voice traffic from data as a first step in providing QoS for VoIP. This is the big one for our purposes.
VLANs spread across many switches - In larger networks, you can spread the VLANs across many switches. You use the same physical infrastructure but now have multiple virtual networks. It makes it very flexible to set up a network exactly how you want to segment it. This is the real selling point for large networks.
VLAN Basics
When a switch with VLAN capabilities turns on for the first time, all ports belong to
the default VLAN ID 1. This is so that when you turn on a switch, all the ports work
by default. VLANs are identified by numbers and called VLAN IDs and the first
VLAN is numbered 1. Theoretically, you can have up to 256 VLAN IDs on a single
switch or more but practically the maximum used is much less at around 6 to 10 for a
small network.
Naming VLANs
Remembering which VLAN ID is assigned to which purpose is difficult and confusing. The solution is to provide names to the VLAN IDs. This way you can identify the VLAN by its name, for example, Floor10, Accounting, Voice, Data, Engineering, ServerNet, etc. Just a note: there are no rules as to the numbering of VLAN IDs and naming as long as they follow the correct syntax for your switch. You can use any VLAN ID for any name - it's up to you.
Port Assignment
The physical Ethernet ports of the switch are assigned to the VLAN IDs. The switch will have specific configuration commands through a command line interface (CLI) or web GUI. You can assign multiple ports or a single port to a VLAN. Some switch manufacturers look at it differently and say that you are assigning "VLANs to the port" instead of "ports to a VLAN". Either way, the end result is the same: there is a port to VLAN assignment.
Important Concept: Only those ports on the same VLAN can talk to each other. The
ports are isolated from all other VLANs!
Network Addresses
Each VLAN will have its own network address. VLAN 20 will belong to and have a
different network address than VLAN 30. There is a convention (not a rule but a best
practice) that the network address corresponds to the VLAN ID. For example,
VLAN 10 (Desktop) uses network address 192.168.10.0/24 and VLAN 30 (VoIP) uses
network address 192.168.30.0/24. The purpose is to make it easier to troubleshoot the
network and to easily determine which VLAN and network, a device belongs to. As
networks grow and the number of VLANs increase, following this rule of thumb will
simplify network management.

VLAN'd Network
Switch VLAN Configuration
There is no standard VLAN configuration method for Ethernet switches. Each switch
manufacturer uses their own configuration commands either through a web GUI or
command line. The config examples will use the Cisco command line just because I'm
familiar with Cisco switches. Regardless, all follow the same basic process:
1. Create the VLAN ID - In configuration mode, type "vlan 10" to create a VLAN with ID 10.
vlan 10

2. Name the VLAN - Give VLAN 10 the name Desktop, type "name Desktop".
name Desktop

3. Assign ports to the VLAN - Configure one port or a range of ports:
interface range fa0/1 - 8
switchport mode access
switchport access vlan 10

View the VLAN configuration


Again because there is no standard, we'll use Cisco. In User Exec mode (type "end" to get there), type "show vlan". It will show the new VLAN and the ports now assigned to it.
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gig1/1, Gig1/2
10   Desktop                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8

What about Unassigned Ethernet Ports?


Ports that haven't been manually assigned to a VLAN remain part of VLAN 1. Usually best practices require that unused Ethernet ports be "shut down" for physical security reasons. That way no one can accidentally or intentionally (as in hacking) access a VLAN that the Administrator does not want them to access.
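The unused-port check can be made from the "show vlan" output itself. The Python below is an added example, not from the original page: it parses the listing shown above (embedded here as a constructed sample), reports every port still sitting in VLAN 1, and produces the shutdown commands for them. The uplink names passed in as exclusions are assumptions.

```python
"""Parse Cisco 'show vlan' output and report ports still on the default VLAN 1.

Added example, not from the original page. The sample output is constructed
to match the listing shown in the text; the uplink names passed in as
exclusions are assumptions.
"""
import re

# Constructed sample: the same listing the text shows after creating VLAN 10
SHOW_VLAN_SAMPLE = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gig1/1, Gig1/2
10   Desktop                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
"""

VLAN_ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s*(.*)$")   # id, name, status, ports
PORT = re.compile(r"[A-Za-z]+\d+/\d+")                     # Fa0/1, Gig1/1, ...


def parse_show_vlan(text: str) -> dict:
    """Return {vlan_id: {"name": str, "status": str, "ports": [str, ...]}}."""
    vlans, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("VLAN", "----")):
            continue                      # header and separator rows
        m = VLAN_ROW.match(line)
        if m:                             # a new VLAN row starts with its ID
            current = int(m.group(1))
            vlans[current] = {"name": m.group(2), "status": m.group(3),
                              "ports": PORT.findall(m.group(4))}
        elif current is not None and line.startswith(" "):
            vlans[current]["ports"].extend(PORT.findall(line))   # wrapped port list
    return vlans


def ports_on_default_vlan(vlans: dict, uplinks=()) -> list:
    """Ports left on VLAN 1, minus known uplinks: candidates for 'shutdown'."""
    return [p for p in vlans.get(1, {"ports": []})["ports"] if p not in uplinks]


def shutdown_commands(ports) -> list:
    """Config lines that disable each listed port, as the text recommends."""
    cmds = []
    for p in ports:
        cmds += [f"interface {p}", " shutdown"]
    return cmds


if __name__ == "__main__":
    vlans = parse_show_vlan(SHOW_VLAN_SAMPLE)
    unused = ports_on_default_vlan(vlans, uplinks=("Gig1/1", "Gig1/2"))
    print(f"{len(unused)} ports still on VLAN 1:", ", ".join(unused))
    print("\n".join(shutdown_commands(unused[:2])))
```

Run against a real switch, the same parser can be pointed at saved "show vlan" output so that ports left on VLAN 1 show up in review before anyone plugs into them.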
How do you access between VLANs?
From the information provided so far, you can't. Each VLAN is its own network with its own network address. In order to access one VLAN from another you need to route between networks. This requires a different device: a router or a layer 3 switch. A layer 3 switch can only route between Ethernet networks. It can't route across WAN protocols and it is limited in the higher level routing protocols at this time. Routing between VLANs is further covered in the Routing webpage.
Dot1Q Trunks

Normally an Ethernet port on a switch can only be assigned to one VLAN, but there are special circumstances where a port can be configured to use more than one VLAN. The first use is an IEEE802.1Q trunk (often referred to as dot1q for short). This trunk is only used to connect switch to switch and switch to router to allow VLAN traffic to pass. IEEE802.1Q is a standard created by the IEEE to pass many VLANs between switches.

Switch to Switch Dot1Q Trunk


In the switch to switch example, you may have VLANs spanning across two or more switches. The trunk allows two or more VLANs to pass through this special port. Dot1Q trunking is covered further in Business Networks. In the switch to router example, a router is connected to a switch to provide routing services between the VLANs. An easy to remember nickname for this configuration is "Router on a Stick", which is further covered in the Routing webpage.
Multi-VLAN Ports
A second circumstance is when a VoIP phone is connected to a switch. Inside a VoIP
phone is a 3 port Ethernet switch. The LAN port is connected to the Ethernet switch
port that has two VLANs assigned to it: VLAN 30 VoIP (voice) and VLAN 10
Desktop (data). There is an internal port that is connected to the IP phone on the VoIP
VLAN and a third physical port that is used for connecting to a PC on the Desktop
VLAN. This reduces the requirement of running separate Ethernet cables for voice
and data to each user's desk.

VoIP Multi-VLAN Port

Create a Multi-VLAN Port


This is an example of creating a multi-VLAN port for a VoIP phone on a Cisco switch. There is one additional line compared to a normal VLAN configuration, which identifies the voice VLAN.
interface fa0/1
switchport mode access
switchport access vlan 10
switchport voice vlan 30

Note that the IP phone is on a different network (192.168.30.0/24) than the desktop PC (192.168.10.0/24). The IP phone's internal Ethernet switch must be configured either manually through the phone's web GUI or through the server's tftp configuration files in order to know which VLAN is the voice VLAN.
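As an added example, not part of the original page and not any switch vendor's code, the Python below builds and parses 802.1Q tagged frames and shows how a multi-VLAN port treats them: frames the phone tags with voice VLAN 30 stay on the voice VLAN with their CoS value, untagged frames from the PC fall into access VLAN 10, and a frame tagged with any other VLAN is rejected rather than forwarded. The MAC addresses and payloads are constructed; the tag layout (TPID 0x8100, 3-bit priority, 12-bit VID with usable IDs 1 to 4094) is from the IEEE 802.1Q standard.

```python
"""How a multi-VLAN switch port sorts frames: tagged voice VLAN vs untagged data.

Added example, not from the original page and not switch vendor code. VLAN 10
(Desktop) and VLAN 30 (VoIP) follow the text; MAC addresses and payloads are
constructed here. Tag layout (TPID 0x8100, 3-bit priority, 12-bit VID) is
from IEEE 802.1Q.
"""
import struct
from typing import Optional

TPID_8021Q = 0x8100
ACCESS_VLAN = 10   # untagged frames land here: switchport access vlan 10
VOICE_VLAN = 30    # tagged frames from the phone: switchport voice vlan 30

PHONE_MAC = bytes.fromhex("001122aabbcc")    # constructed
PC_MAC = bytes.fromhex("00112233dd01")       # constructed
GATEWAY_MAC = bytes.fromhex("0011220000fe")  # constructed


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None, cos: int = 0) -> bytes:
    """Ethernet II frame; an 802.1Q tag is inserted after the MACs if vlan_id is set."""
    if vlan_id is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    if not (1 <= vlan_id <= 4094 and 0 <= cos <= 7):
        raise ValueError("VID must be 1..4094 and CoS 0..7")
    tci = (cos << 13) | vlan_id           # PCP (3 bits) | DEI (1 bit, 0) | VID (12 bits)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Return MACs, VLAN (None when untagged), CoS, real EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan, cos, offset = None, 0, 14
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        cos, vlan, offset = tci >> 13, tci & 0x0FFF, 18
    return {"dst": dst, "src": src, "vlan": vlan, "cos": cos,
            "ethertype": ethertype, "payload": frame[offset:]}


def classify_on_multivlan_port(frame: bytes) -> tuple:
    """Which VLAN the switch forwards the frame into, and why."""
    info = parse_frame(frame)
    if info["vlan"] is None:
        return ACCESS_VLAN, "untagged -> access (data) VLAN"
    if info["vlan"] == VOICE_VLAN:
        return VOICE_VLAN, f"tagged voice VLAN, CoS {info['cos']}"
    # A host tagging some other VLAN must not be able to hop into it from this port
    raise ValueError(f"VLAN {info['vlan']} is not permitted on this port")


# Constructed frames: the phone's RTP (tagged, CoS 5) and the PC's web request (untagged)
VOICE_FRAME = build_frame(GATEWAY_MAC, PHONE_MAC, 0x0800, b"\x45" + b"\x00" * 59,
                          vlan_id=VOICE_VLAN, cos=5)
DATA_FRAME = build_frame(GATEWAY_MAC, PC_MAC, 0x0800, b"\x45" + b"\x00" * 59)


if __name__ == "__main__":
    for name, f in (("phone", VOICE_FRAME), ("pc", DATA_FRAME)):
        print(name, classify_on_multivlan_port(f))
```

The rejection branch is the part worth keeping in mind: on a real switch the access port drops frames tagged with a VLAN other than the voice VLAN, which is what keeps a PC behind the phone from choosing its own VLAN.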
The Routing portion provides a discussion on the different methods available and options used in routing between voice and data networks. Inter-VLAN routing is discussed, along with the advantages and disadvantages of each method.
Important Point: In order to route between two networks, the networks must be on
separate IP networks. For example, the data network can be on 192.168.1.0/24 and the
voice network can be on 192.168.2.1/24. These are two separate networks. The
networks can be on separate VLANs. In order to route data between the VLANs, a
routing device must be used - it can be a router or a layer 3 switch.
This section is divided into the following pages:
Single Port Routing - This refers to LAN side routing between voice and data
networks using a single port between the router and the switch. The router has a WAN
port and no VLANs have been assigned to the switch.
Separate VLAN Ports - On the switch, separate VLAN'd ports are configured for voice and data and the router has two LAN ports in addition to the WAN port.
Router on a Stick - This uses only one LAN port to connect to the router. The port is configured as a trunk to the switch that allows multiple VLANs and their networks to pass through. The router must be able to do multi-VLAN trunking using IEEE802.1Q.
Layer 3 Switch - this method uses the routing capabilities of a layer 3 switch to route between VLANs. It is simple and the preferred method to use for inter-VLAN routing.
NAT and PAT - Network Address Translation and Port Address Translation can be a huge problem for VoIP, especially SIP traffic. Here's what NAT is and the problems associated with it.
WAN Traffic - the WAN link is the connection to the rest of the world and the bottleneck for traffic coming into and out of your network. Here's what you can do to improve the quality of service for your VoIP traffic.
Subnetting - The classes of networks (A, B and C) do not
provide much flexibility in designing a network. Each class of
network only provides for a fixed number of networks (125, 16,382 or 2,097,150) and
a fixed number of hosts (16,777,214, 65,534 or 254). Using the class system is
referred to as having a classful network. In the real world, pretty much all networks do
not fit the class system. The solution is to divide the class network into smaller
subnetworks or subnets for short. The term for dividing networks into smaller subnets
is called subnetting.
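The VLAN-to-subnet convention used on the VLANs page (VLAN 10 on 192.168.10.0/24, VLAN 30 on 192.168.30.0/24) and the host counts quoted above for classful networks can both be worked through with Python's ipaddress module. This is an added example, not part of the original page; the extra VLAN 20 "Servers" and the blocks being subnetted are assumptions.

```python
"""VLAN-to-subnet convention and subnetting with Python's ipaddress module.

Added example, not from the original page. VLAN 10 (Desktop) and 30 (VoIP) on
192.168.<vid>.0/24 follow the text; VLAN 20 'Servers' and the blocks being
subnetted are assumptions.
"""
import ipaddress

VLANS = {10: "Desktop", 20: "Servers", 30: "VoIP"}   # 20 is an assumed extra VLAN


def vlan_network(vlan_id: int) -> ipaddress.IPv4Network:
    """The page's convention: VLAN N lives on 192.168.N.0/24."""
    if not 1 <= vlan_id <= 254:
        raise ValueError("convention needs a VLAN ID that fits in the third octet")
    return ipaddress.ip_network(f"192.168.{vlan_id}.0/24")


def vlan_for_address(addr: str, vlans=VLANS):
    """Troubleshooting helper: which VLAN and network does a host address belong to?"""
    ip = ipaddress.ip_address(addr)
    for vid, name in vlans.items():
        if ip in vlan_network(vid):
            return vid, name
    return None


def networks_disjoint(vlans=VLANS) -> bool:
    """Routing between VLANs needs distinct networks; confirm none overlap."""
    nets = [vlan_network(v) for v in vlans]
    return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def usable_hosts(network: str) -> int:
    """Host addresses minus the network and broadcast addresses."""
    return ipaddress.ip_network(network).num_addresses - 2


def subnet_plan(network: str, new_prefix: int) -> list:
    """Divide a network into equal subnets: [(subnet, usable hosts), ...]."""
    net = ipaddress.ip_network(network)
    return [(str(s), usable_hosts(str(s))) for s in net.subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    for vid, name in VLANS.items():
        print(f"VLAN {vid} {name}: {vlan_network(vid)}")
    print("192.168.30.17 is on", vlan_for_address("192.168.30.17"))
    # Classful host counts (matches the 16,777,214 / 65,534 / 254 figures in the text)
    for classful in ("10.0.0.0/8", "172.16.0.0/16", "192.168.1.0/24"):
        print(classful, "usable hosts:", usable_hosts(classful))
    print("192.168.1.0/24 split into /26:", subnet_plan("192.168.1.0/24", 26))
```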
Quality of Service (QoS) is the methodology for providing a level of service for communication. It is often thought of as giving certain types of data priority over others. It is actually more than that and embraces the complete network design.
VoIP and QoS
Problems with VoIP:
Voice traffic is real time traffic and must deliver the voice stream in real time. Voice traffic cannot be delayed, otherwise the intelligibility is lost. It makes no sense to insert a word 1 second later in a sentence! So delayed packets are dropped. Lost packets are also dropped and are not re-requested, because resending them would introduce a delay.
Fighting for Bandwidth

Voice and Data are battling for the shared bandwidth of the network. During large data transfers, Voice traffic can be delayed, lost and packets can be dropped. Audio quality suffers!
Solutions
Separate the voice traffic and data traffic into
separate physical networks. This isolates the traffic but it is not always possible to
have two separate physical networks! So do the most practical thing and VLAN the
network! You are still using the same infrastructure but have divided up the network
into virtual LANs.
Critical areas are where the data and voice traffic traverse the same link. These areas of bandwidth contention are the WAN link, Dot1Q trunks and multi-VLAN ports.

Critical QoS points in the network.


Quality of Service's Priority to the Rescue!

In these areas of bandwidth contention, we can give the voice traffic an advantage by giving it a higher priority than data traffic. We can do this at the Network layer by using the IP header's ToS/DSCP field. The ToS (Type of Service) field has 3 bits that can assign priority to an IP packet. The priority range is from 0 - 7, with the lowest priority being 0, which is the default setting.
We can assign voice traffic a priority of 5. Packets with a higher priority win the bandwidth war! This is the most common method of setting priority for VoIP end devices. IP phones can configure the voice traffic for a higher priority either by manually configuring the VLAN ID and priority value through the phone's Web GUI or by setting the VLAN ID and priority in the tftp config file.
Priority Bits on Steroids: DSCP!
The ToS/DSCP field can be expanded and used as the Differentiated Services Code Point (DSCP), most often referred to as DiffServ. It is an improved ToS mechanism and provides 6 bits for priority. It uses the same 3 bits as ToS plus 3 more! With 6 bits, the priority ranges from 0 to 64. Again the default priority is 0 and voice traffic is usually set to 46. You use either ToS or DiffServ but not both!
Apply QoS to your Network
Data traffic has the default priority of 0 and voice traffic has a priority of either ToS =
5 or DiffServ = 46. Voice will have priority on the links with bandwidth contention
mentioned earlier. Voice will not break-up during large data transfers!
VLAN Priority
VLANs can be given priority by using the IEEE802.1Q (Dot1Q) protocol tagging. The Dot1Q protocol inserts an extra field into the Ethernet frame. This field contains a special 802.1P subfield called Classification of Service (CoS). It consists of 3 bits for classification, ranging from 0 - 7 (similar to ToS). It classifies traffic from background to network critical and works at the Frame level. This leads to MultiProtocol Label Switching (MPLS). Just a note: this only applies to trunking that runs the Dot1Q protocol.
Cisco "AutoQoS" command
QoS can be very complicated and sometimes an innocent command like Cisco's "autoqos" can seem like a quick solution, but there is always a catch. You apply the autoqos command on your switch to a multi-VLAN access port for an IP phone:
interface FastEthernet0/13
switchport access vlan 20
switchport mode access
switchport voice vlan 30
auto qos voip cisco-phone

Here's what happens, you end up with extra code on the interface:
interface FastEthernet0/13
switchport access vlan 20
switchport mode access
switchport voice vlan 30
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
spanning-tree portfast

And a complete QoS implementation on your switch!


mls qos map cos-dscp 0 8 16 26 32 46 48 56
mls qos srr-queue input bandwidth 90 10
mls qos srr-queue input threshold 1 8 16
mls qos srr-queue input threshold 2 34 66
mls qos srr-queue input buffers 67 33
mls qos srr-queue input cos-map queue 1 threshold 2 1
mls qos srr-queue input cos-map queue 1 threshold 3 0
mls qos srr-queue input cos-map queue 2 threshold 1 2
mls qos srr-queue input cos-map queue 2 threshold 2 4 6 7
mls qos srr-queue input cos-map queue 2 threshold 3 3 5
mls qos srr-queue input dscp-map queue 1 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue input dscp-map queue 1 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue input dscp-map queue 1 threshold 3 32
mls qos srr-queue input dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue input dscp-map queue 2 threshold 2 33 34 35 36 37 38 39 48
mls qos srr-queue input dscp-map queue 2 threshold 2 49 50 51 52 53 54 55 56
mls qos srr-queue input dscp-map queue 2 threshold 2 57 58 59 60 61 62 63
mls qos srr-queue input dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue input dscp-map queue 2 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output cos-map queue 1 threshold 3 5
mls qos srr-queue output cos-map queue 2 threshold 3 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 2 4
mls qos srr-queue output cos-map queue 4 threshold 2 1
mls qos srr-queue output cos-map queue 4 threshold 3 0
mls qos srr-queue output dscp-map queue 1 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 3 threshold 3 32 33 34 35 36 37 38 39
mls qos srr-queue output dscp-map queue 4 threshold 1 8
mls qos srr-queue output dscp-map queue 4 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue output dscp-map queue 4 threshold 3 0 1 2 3 4 5 6 7
mls qos queue-set output 1 threshold 1 138 138 92 138
mls qos queue-set output 1 threshold 2 138 138 92 400
mls qos queue-set output 1 threshold 3 36 77 100 318
mls qos queue-set output 1 threshold 4 20 50 67 400
mls qos queue-set output 2 threshold 1 149 149 100 149
mls qos queue-set output 2 threshold 2 118 118 100 235
mls qos queue-set output 2 threshold 3 41 68 100 272
mls qos queue-set output 2 threshold 4 42 72 100 242
mls qos queue-set output 1 buffers 10 10 26 54
mls qos queue-set output 2 buffers 16 6 17 61
mls qos

Now this might be a good thing but what if it breaks something? How are you going
to fix it? What do all those numbers mean? BTW, "mls" stands for multilayer
switching. This is scary stuff so you should always test your configuration when using
commands like this to see what they do.
Control of QoS
You have complete control over QoS on the LAN, because you are the master of the
LAN and can configure and tune it. But what about the WAN connection? You can
control the traffic going out, but what about the traffic coming in? To control the
incoming traffic, you must have a QoS agreement with the Service Provider for the
WAN connection. Otherwise, you can only control the QoS on outgoing traffic, not
incoming!

The WAN link is the big problem!


WAN QoS Solutions
On some routers, the physical Ethernet ports can have priorities. You can use one port
for the voice traffic and give it priority over the data traffic port. Some companies
have two WAN connections, one dedicated specifically for voice traffic and the other
for data traffic.
Application Layer Gateways
Another option is an Application Layer Gateway (ALG). An ALG can examine the
packet for the Application layer information. It can make decisions based on the
presence of an Application layer voice protocol such as SIP, IAX, SCCP, H.323, RTP,
RTCP, etc., and give the voice protocols priority on the WAN link over the data
traffic.

Cisco QuickVPN - here's a simple way of creating a VPN into your SOHO network
using a Cisco SOHO router. In this case, we use the Cisco RV180W SOHO router
which is an extremely powerful SOHO router for a reasonable expenditure.

Virtual Private Network connects through Firewalls

Cisco RV180W SOHO WiFi router


These instructions work for any of the SOHO line of WiFi routers that Cisco provides.
It is very simple and the complete instructions are on Page 108 of the RV180W
Administrator's guide - section titled: Remote Access with Cisco QuickVPN.
1. On the router, go to VPN - IPsec - VPN users. Add a user with a password.
Make sure QuickVPN is the selected protocol.
2. To enable access via Cisco QuickVPN, you must enable remote management to
open port 443 for SSL. Go to Administration - Management Interface - Web
Access. Enable Remote Management then Save.
3. Determine the router's WAN IP address or its domain name for clients to
connect to.
4. You can download the router's certificate by going to Security - SSL Certificate
- Export for Client and saving the certificate under an appropriate name to
distribute with the Quick VPN software.
For the Clients:
1. Go to Cisco and download the free Quick VPN (QVPN) software for RV180W
Wireless-N Multifunction VPN Router (or whichever model you have)
http://www.cisco.com/c/en/us/products/routers/quick_vpn.html
2. Install the software and run it.
- Give it a profile name, enter the user name and password and server IP
address.
3. You may get a pop-up window that says the Server's certificate doesn't exist on
your local computer. Do NOT quit the connection. Install the previously saved
SSL certificate to the c:\Program Files\Cisco Small Business\QuickVPN Client\
directory. Next time you connect, you will not get the pop-up warning.
That's it, your PC can connect through a VPN to your router.
The single network refers to the connection between the router and the switch. The
Ethernet switch may be included as part of the router or they might be two separate
devices. There is only one connection defined between the router and the switch and
the complete LAN side resides on one network (e.g. 192.168.1.0/24). This means that
broadcast traffic from all devices will appear throughout the network. This is the
typical default configuration that routers right out of the box will have.

Single Routing network


Advantages
The main advantage to a single routing network is that it is a simple out of the box
configuration. Hook it up and it will work if you have a few IP phones, but as more IP
phones are added, more problems occur. More data traffic, poorer voice quality.
Disadvantages
The disadvantages to a single routing network are:
Voice and data share the same bandwidth
Realtime voice traffic fights for bandwidth with data traffic
Voice traffic will have longer delays causing echo
Voice traffic will have more lost packets causing poor audio quality
A lot of wireless routers can provide traffic management for VoIP protocols and QoS
through their web based GUI. The traffic management typically deals with outbound
traffic. Priority can be given to voice protocols like SIP. The router recognizes the
voice traffic and when given the choice between sending out data or voice, it will send
the voice first. Each router is different and its capabilities would need to be explored
to see how it can manage traffic.
Aftermarket Router Firmware
There are several aftermarket router firmware upgrades that are both free open source
and paid upgrades that can add more capabilities to your wireless router. The result is
that your el-cheapo router gets a hit of steroids and provides features normally seen
only on expensive enterprise class routers. One of these is DD-WRT which allows you
to set priority based on the physical Ethernet port. You could set the port connected to
the voice Ethernet switch as having priority over the data Ethernet switch's traffic.
Aftermarket router firmware upgrades require a higher level of expertise and patience
to get working correctly.

In the separate VLAN routing network, each VLAN has a port connected to the router.
This means that the router has multiple LAN side ports. In the simplest scenario, there
is one port/connection dedicated to the voice VLAN and another port/connection
dedicated to the data VLAN.

Separate VLAN Routing network


Switch Requirements
This means that you must have a switch with VLAN capabilities. The switch's ports
must be assigned to a voice or data VLAN. Each VLAN is assigned to a network with
a unique network address.
Router Requirements
The router must have multiple LAN ports AND each port must be configured to a
separate network. Each port is assigned a network address that becomes the Default
Gateway for that network. Also each router port should be able to act as a DHCP
server for its unique network.
Enterprise class routers have these capabilities and are provided by a host of
companies like Cisco, 3Com, Juniper, HP, etc. The catch is that they are expensive
and typically out of reach for a home network or even a SOHO's budget. They
typically require an expert level of knowledge to configure, which usually requires
training of some sort.
A lot of routers can provide traffic management for VoIP protocols and QoS through
their web based GUI or command line interface. The traffic management typically
deals with outbound traffic. Priority can be given to voice protocols like SIP or to the
voice VLAN. The router recognizes the voice traffic and when given the choice
between sending out data or voice, it will send the voice first. Each router is different
and its capabilities would need to be explored to see how it can manage traffic.
Broadband Routers
Most home broadband routers have a built-in 4 or 8 port switch that when taken "right
out of the box" will not have the capabilities to separate the LAN ports into individual
networks that would fit the requirements of the Separate VLAN Routing Network.
Aftermarket Router Firmware
There are several aftermarket router firmware upgrades that are both free open source
and paid upgrades that can add more capabilities to your router. The result is that your
el-cheapo router gets a hit of steroids and provides features normally seen only on
expensive enterprise class routers. One of these is DD-WRT which allows you to
VLAN the internal switch, assign each port to a VLAN and create individual DHCP
servers for each VLAN. Unfortunately, aftermarket router firmware upgrades require
a level of expertise and patience to get working correctly.
Advantages
The advantages to a Separate VLAN Routing Network are:
The voice and data traffic are on separate networks until they reach the router and WAN link
LAN voice traffic is not affected by data traffic - built-in quality of service
The voice network's outgoing traffic can be given priority over the data network on the WAN link
Voice traffic protocols like SIP and RTP can be given priority over data traffic on the WAN link

Disadvantages
The disadvantages to a Separate VLAN Routing Network are:
It is more complex to set up compared to other networks
For each VLAN, the router requires a separate physical Ethernet port
The number of LAN ports on the router will limit the number of VLANs
Routers can be expensive
The WAN link is the bottleneck for traffic
Overall this is a very good solution as it pushes the traffic bottleneck and QoS
problems to the router/WAN link. Enterprise class routers have built-in mechanisms to
deal with these exact problems and manage the traffic on the WAN link. As a network
grows, the number of VLANs will increase and finding a router with many LAN ports
becomes expensive and difficult. Typically an enterprise router has 1 WAN port and
maybe 2 LAN ports.
Note: Soft IP phones that run as apps on the PC, such as the Xlite softphone, still
reside on the data LAN and will have quality issues as their traffic will be fighting
with the data traffic for bandwidth.
The Router on a Stick network uses one connection between the router and the switch.
The switch must be VLAN'd and normally on a VLAN'd switch port, the port is
assigned to just one VLAN. In the Router on a Stick configuration, the port is
assigned multiple VLANs and called a trunk. There are a few standards for
configuring the trunk, the method used in these examples is IEEE802.1Q sometimes
referred to as "dot1q".

Router on a Stick network


In order to utilize the Router on a Stick network, your switch must be VLAN'd, your
switch must support a trunking method like dot1q and your router must support the
dot1q trunking method. Most consumer level broadband wireless routers do not
support dot1q routing at this time. Typically, you would be looking at an enterprise
level router and switch for these services which naturally are more expensive.
Aftermarket Router Firmware
There are several aftermarket router firmware upgrades that are both free open source
and paid upgrades that can add more capabilities to your router. The result is that your
el-cheapo router gets a hit of steroids and provides features normally seen only on
expensive enterprise class routers. One of these is DD-WRT which allows you to
VLAN the internal switch, assign each port to a VLAN and create individual DHCP
servers for each VLAN. Unfortunately, aftermarket router firmware upgrades require
a level of expertise and patience to get working correctly.
IEEE802.1Q (dot1q) Background Info
Dot1q only exists within a switch OR between switches OR between a switch and a
router as in this Router on a Stick network. Its job is to tag traffic on the trunk with
the VLAN ID so that the destination knows to which VLAN to send the Ethernet frame.
This is called tagging the Ethernet frame. The Ethernet frame is modified with
tagging information according to the IEEE802.1Q standard and again ONLY exists on
the trunk. When the frame reaches its destination (the router or the switch), the
tagging is removed.

Frame Tagging on dot1q Trunk


In the above image, the Ethernet frames belonging to VLAN 10 will be tagged with
the VLAN ID "10"; similarly VLAN 20, 30 and 40 frames will be tagged with the
VLAN IDs 20, 30 and 40 respectively. When an Ethernet frame leaves the switch and
goes to an end device like a PC or laptop, the dot1q tagging is removed. The tagging
only exists within a switch OR between switches OR between a switch and a router as
in this Router on a Stick network.
Special VLANs
There are a few special VLANs that are associated with a dot1q network:
Native VLAN - This is the default VLAN that all switches initially boot to.
When you first turn on a switch, all ports are automatically assigned to the
native VLAN which normally has the VLAN ID 1 (one). This is so that the
switch works right out of the box until you configure it for VLANs. An
important point is that any port that is not assigned by you to a specific VLAN
(like 10, 20, 30 or 40 in our example) will be automatically assigned to VLAN
1.
This opens up a security hole! So for good physical security, all unused ports
should be closed. Enterprise level switches allow you to turn off or shut down
unused ports. Another important point is that untagged traffic coming into a
switch is automatically assigned to the native VLAN. With this knowledge, you
will want to control where untagged traffic goes to by changing the native
VLAN's ID to a controlled VLAN of your choice.
Management VLAN - Good practice in a large network is to have a special
VLAN called the Management VLAN for security purposes. Its purpose is to
connect all of the network devices like switches and routers together for
administration and configuration. This is a private VLAN that only system
admins can access. Normal day to day users and guests on the network do not
have access to it and therefore cannot hack the system.
I've seen many examples of VLAN'd networks where the Management VLAN and the
native VLAN are the same VLAN. This is BAD practice!
Anyone who physically connects to the default VLAN either accidentally or
through a switch port that defaults to the native VLAN will now have access to
the Management VLAN. Untagged traffic will now be on what should be a
secure network! Always separate your native VLAN and Management VLAN.
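As an added illustration (not code from this page) of the tagging and native VLAN behaviour described above, here is a Python model of what each end of a dot1q trunk does with a frame: insert the tag on entry, read it and strip it at the far end, and drop untagged frames into the native VLAN. The native VLAN ID 99, VLAN IDs 10 and 20 and the voice CoS value 5 come from this page; the MAC addresses and payload are constructed.

```python
import struct

TPID_8021Q = 0x8100        # EtherType value that announces an IEEE 802.1Q tag
NATIVE_VLAN = 99           # the trunk's native VLAN (the page's switch example uses 99)
ETHERTYPE_IPV4 = 0x0800


def tag_frame(frame, vlan_id, pcp=0):
    """Insert an 802.1Q tag after the two MAC addresses, as the switch does when a
    frame enters the trunk. pcp is the 3-bit priority (CoS); voice normally uses 5."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)      # PCP(3) | DEI(1)=0 | VID(12)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def receive_on_trunk(frame, native_vlan=NATIVE_VLAN):
    """What the far end of the trunk does: read the tag, decide the VLAN, remove the
    tag. Returns (vlan_id, pcp, untagged_frame). A frame that arrives on the trunk
    without a tag has nothing to read, so it lands in the native VLAN."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return native_vlan, 0, frame
    if len(frame) < 18:
        raise ValueError("tagged frame truncated")
    tci = struct.unpack("!H", frame[14:16])[0]
    vid, pcp = tci & 0x0FFF, tci >> 13
    if vid == 0:                     # priority-tagged: carries CoS only, no VLAN
        vid = native_vlan
    return vid, pcp, frame[:12] + frame[16:]


def native_vlan_exposes_management(native_vlan, management_vlan):
    """The check the page argues for: when the native VLAN and the Management VLAN
    are the same, every untagged frame (and every port left in the default VLAN)
    ends up on the management network."""
    return native_vlan == management_vlan


def _sample_frame():
    # constructed frame: two locally administered MACs and a dummy IPv4 payload
    dst = bytes.fromhex("020000000001")
    src = bytes.fromhex("020000000002")
    return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + b"\x45" + b"\x00" * 19


if __name__ == "__main__":
    plain = _sample_frame()
    voice = tag_frame(plain, 10, pcp=5)      # VLAN 10 voice frame, CoS 5
    data = tag_frame(plain, 20)              # VLAN 20 data frame, CoS 0
    for f in (voice, data, plain):           # plain = untagged, falls into VLAN 99
        vid, pcp, out = receive_on_trunk(f)
        print(f"VLAN {vid:>2}  CoS {pcp}  tag stripped on exit: {out == plain}")
    print("native == management VLAN?", native_vlan_exposes_management(99, 1))
```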
Configuration Example
You must configure both ends of the trunk: the switch side and the router side. This
example is based on Cisco configuration, only because that's what I'm used to. Other
brands will be configured similarly.

Switch Configuration - On the switch, you must configure the port to the
router as a dot1q trunk.

interface fastethernet0/5                  <-- this is port 5 that is connected to the router
 switchport trunk encapsulation dot1q      <-- optional, indicates trunk protocol
 switchport mode trunk                     <-- configures port as a trunk
 switchport trunk native vlan 99           <-- sets VLAN ID 99 as the native VLAN for the trunk

Router Configuration - On the router, you do something a little different, you
create a subinterface for each VLAN on the physical Ethernet port. The
subinterface becomes the default gateway for the VLAN. This is an example
for the VLAN 10 subinterface, the other VLANs are configured similarly:

interface fa0/0                            <-- this is the physical interface
 no shutdown                               <-- in the Cisco world, this is how you turn on the interface
interface fa0/0.10                         <-- this creates the subinterface and ties it to VLAN 10
 encapsulation dot1q 10                    <-- this uses IEEE802.1Q tagging of frames
 ip address 192.168.10.1 255.255.255.0     <-- assign an IP address to the subinterface

You only need to turn on the physical interface. As a matter of fact, you must
turn on the physical interface for it to work.
This would be done for each VLAN: 20, 30 and 40. So there would be 4 subinterfaces
created.
InterVLAN Routing
The IP address assigned to the subinterface becomes the default gateway for the
VLAN. So in the above example 192.168.10.1 is the default gateway for VLAN 10.
The neat part is that the routing is automatically done between subinterfaces, no
routing rules need be configured as the router is aware of any networks directly
connected to it. In this case, it is aware of the networks connected to the subinterfaces
by the subinterface's IP address and subnet mask.
Advantages
The advantages to a Router on a Stick Network are
Voice and data traffic are on separate VLANs

The number of VLANs are not limited by the number of router LAN ports as
only one port is required
Only one LAN connection is required for multiple VLANs
Disadvantages
The disadvantages to a Router on a Stick Network are:
It is more complex to set up compared to other networks
Traffic between VLANs goes into the router and out of the router through the
same port
The trunk is a major source of congestion
I've found that the trunk becomes a major source of congestion as all interVLAN
traffic has to go in and out on the same port. So if VLAN 10 wanted to talk to VLAN
20, then traffic from VLAN 10 would go to the router via the trunk. The router would
route the traffic to VLAN 20's subinterface and then out the same trunk. I've measured
that the trunk can only carry 60% of traffic compared to having separate ports for
VLANs.
Summary
Router on a Stick networks were a 90s solution to interVLAN routing. A much better,
more modern solution is a Layer 3 switch.

Routing used to be the sole function of routers. Normally, you would use a router to
route between VLANs on a network as indicated in the Single, Separate and Router on
a Stick buttons on the top of this page. Layer 3 switches are able to route between
VLANs and to do it very fast compared to a router.

Layer 3 Switches
So what is the difference between a Layer 3 switch and a router? It used to be that
Layer 3 switches could only route between VLANs on the switch and couldn't run
routing protocols like RIP, but now Layer 3 switches can run routing protocols. At the
time of writing this, Layer 3 switches couldn't run WAN protocols like Frame Relay,
T1 lines, ISDN, PPP or ATM, but I think that is mainly because they don't have an
interface to those protocols.
It isn't hard to imagine a switch manufacturer adding plugin
module support for a WAN protocol in the near future! But then
again, there is the rising usage of carrier Ethernet which is
replacing the traditional WAN protocols. A Layer 3 switch can
make direct connection to the WAN using one of its Ethernet ports and making the
legacy WAN protocols obsolete!
VLAN'd Network
The first step is to separate the voice and data traffic. Two separate networks could be
used but that would be expensive and a waste of resources. A better solution is
to VLAN the network. Layer 3 Ethernet switches are used to divide the physical
network into Virtual LANs (VLANs). These VLANs can span across many switches
and many floors of a building. This physically isolates the data traffic from the voice
traffic.

Layer 3 Switches
Passing the Functionality
One of things that happens when you use Layer 3 Switches is the passing of
functionality of services from what was traditionally the router to the Layer 3 switch.
The routing between VLANs (called InterVLAN routing) is now the responsibility of
the Layer 3 switch. What also goes with it, is DHCP services. The switch now
provides the DHCP server for each of its VLANs. Each VLAN will have its own
subnet address and the associated DHCP pool.

A new VLAN is created specifically for routing between the router and the switch. For
lack of a better name, I've called it the WAN VLAN as that is where the traffic is going
to and coming from.
The router now has more specific functions: interfacing to the WAN using
WAN protocols, providing Network Address Translation (NAT) and
providing security by acting as a firewall. The configuration of the router
becomes much simpler.
Configuring a Layer 3 switch for routing
It is surprisingly easy to configure a Layer 3 Switch for InterVLAN routing. If you
come from the complex Router on a Stick configuration then you will find this so easy
that it won't make sense! This configuration is based on Cisco just because I'm
familiar with it. So here goes:
1. Enable Layer 3 Functionality - some switches like the Layer 2 Cisco 2960 switch
(with the latest IOS) require that you first enable Layer 3 functionality by
setting the SDM Preferences:

Switch(config)#sdm prefer lanbase-routing
Switch#reload

2. Enable Layer 3 routing - switches that are specifically designated Layer 3
switches usually just need to enable routing:

Switch(config)#ip routing

3. Create VLAN interfaces for each VLAN:

interface vlan 10
 description Desktop VLAN 10
 ip address 192.168.10.1 255.255.255.0
interface vlan 20
 description Servernet VLAN 20
 ip address 192.168.20.1 255.255.255.0
interface vlan 30
 description VoIP VLAN 30
 ip address 192.168.30.1 255.255.255.0
interface vlan 40
 description Wireless VLAN 40
 ip address 192.168.40.1 255.255.255.0
interface vlan 50
 description WAN VLAN 50
 ip address 192.168.50.1 255.255.255.0

That's it for InterVLAN routing! The switch will automatically route between
VLANs - no trunks, no native VLAN, no sub-interfaces!

4. Set the default route on the switch:
You will have to set a default route back to the router (192.168.50.1) and at the
router static routes back to the VLANs. This is the default route set on the
switch to send traffic back to the router:

ip route 0.0.0.0 0.0.0.0 192.168.50.2

5. Configure the static routes on the router
These are the static routes set on the router to send traffic to the switch's
VLANs. VLAN 50 is directly connected so a static route is not necessary:

ip route 192.168.10.0 255.255.255.0 192.168.50.1
ip route 192.168.20.0 255.255.255.0 192.168.50.1
ip route 192.168.30.0 255.255.255.0 192.168.50.1
ip route 192.168.40.0 255.255.255.0 192.168.50.1

6. Check your routing:
You can check that the routes are set and working properly by issuing the
"show ip route" command. This will show the directly connected routes, the
default routes and the static routes. Be aware that for some switches, if there is
not a physical device connected to a VLAN, the VLAN interface may not come
up! I've run into this where everything is configured properly but the routing is
broken until a device like a laptop or PC is plugged into the port assigned to the
VLAN. Very frustrating to troubleshoot!
Switch#sho ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 192.168.50.2 to network 0.0.0.0

C    192.168.10.0/24 is directly connected, Vlan10
C    192.168.20.0/24 is directly connected, Vlan20
C    192.168.30.0/24 is directly connected, Vlan30
C    192.168.40.0/24 is directly connected, Vlan40
C    192.168.50.0/24 is directly connected, Vlan50
S*   0.0.0.0/0 [1/0] via 192.168.50.2

Router#sho ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 10.197.4.11 to network 0.0.0.0

     10.0.0.0/24 is subnetted, 1 subnets
C       10.197.4.0 is directly connected, FastEthernet0/0
S    192.168.10.0/24 [1/0] via 192.168.50.1
S    192.168.20.0/24 [1/0] via 192.168.50.1
S    192.168.30.0/24 [1/0] via 192.168.50.1
S    192.168.40.0/24 [1/0] via 192.168.50.1
C    192.168.50.0/24 is directly connected, FastEthernet0/1
S*   0.0.0.0/0 [1/0] via 10.197.4.11
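To show how the switch and router tables above work together, here is an added Python example (not from the page) that transcribes both "show ip route" outputs, performs the longest-prefix-match lookup a router does, and turns the "check your routing" step into a test: every VLAN subnet the switch owns must have a return route on the router. All addresses are the page's own except the Internet destination 203.0.113.10, which is a constructed placeholder.

```python
import ipaddress

# Routing tables transcribed from the page's "show ip route" outputs:
# (prefix, next hop or None when directly connected, interface or None)
SWITCH_ROUTES = [
    ("192.168.10.0/24", None, "Vlan10"),
    ("192.168.20.0/24", None, "Vlan20"),
    ("192.168.30.0/24", None, "Vlan30"),
    ("192.168.40.0/24", None, "Vlan40"),
    ("192.168.50.0/24", None, "Vlan50"),
    ("0.0.0.0/0", "192.168.50.2", None),          # default route to the router
]
ROUTER_ROUTES = [
    ("10.197.4.0/24", None, "FastEthernet0/0"),
    ("192.168.10.0/24", "192.168.50.1", None),    # static routes back to the switch
    ("192.168.20.0/24", "192.168.50.1", None),
    ("192.168.30.0/24", "192.168.50.1", None),
    ("192.168.40.0/24", "192.168.50.1", None),
    ("192.168.50.0/24", None, "FastEthernet0/1"),
    ("0.0.0.0/0", "10.197.4.11", None),           # default route to the ISP
]
ROUTER_ON_VLAN50 = "192.168.50.2"
SWITCH_ON_VLAN50 = "192.168.50.1"


def lookup(table, dst):
    """Longest-prefix match: the most specific route containing dst wins, which is
    why the /24 entries beat 0.0.0.0/0. Returns (network, next_hop, interface)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best


def path_from_vlan(dst):
    """Hops a packet from a VLAN host takes toward dst. Each hop is (device, via),
    where via is the next-hop address or 'connected <interface>'."""
    hops = []
    _, next_hop, iface = lookup(SWITCH_ROUTES, dst)
    hops.append(("switch", next_hop or f"connected {iface}"))
    if next_hop == ROUTER_ON_VLAN50:              # only non-local traffic leaves the switch
        _, next_hop, iface = lookup(ROUTER_ROUTES, dst)
        hops.append(("router", next_hop or f"connected {iface}"))
    return hops


def missing_return_routes(switch_table, router_table, switch_ip=SWITCH_ON_VLAN50):
    """Step 6 ('check your routing') as a test: every VLAN subnet the switch owns must
    have a route on the router pointing back at the switch; otherwise replies from
    the Internet follow the router's default route and the VLAN is unreachable."""
    missing = []
    for prefix, next_hop, iface in switch_table:
        if next_hop is not None or iface == "Vlan50":
            continue                              # skip the default route and the transit VLAN
        net = ipaddress.ip_network(prefix)
        found, router_next_hop, _ = lookup(router_table, str(net[1]))
        if found != net or router_next_hop != switch_ip:
            missing.append(prefix)
    return missing


if __name__ == "__main__":
    print("VLAN 10 -> VLAN 30:", path_from_vlan("192.168.30.7"))      # stays on the switch
    print("VLAN 10 -> Internet:", path_from_vlan("203.0.113.10"))     # constructed destination
    print("Return route at router:", lookup(ROUTER_ROUTES, "192.168.10.5")[1])
    print("Missing return routes:", missing_return_routes(SWITCH_ROUTES, ROUTER_ROUTES))
    broken = [r for r in ROUTER_ROUTES if r[0] != "192.168.30.0/24"]
    print("With the VLAN 30 route deleted:", missing_return_routes(SWITCH_ROUTES, broken))
```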

Network Address Translation or NAT for short, is a method of solving the shortage of
IP addresses. The Internet Corporation for Assigned Names and Numbers (ICANN)
coordinates the Internet Protocol (IP) address allocation. You must apply to receive a
public IP network address. Unfortunately, even though there are 4,294,967,296 possible
unique addresses, there are no public IP addresses available anymore. They've all been
assigned. You must "rent" IP addresses from your local Internet Service Provider (ISP).
They usually own the rights to a block of IP addresses and will rent them out for a fee.
NAT is called by different names depending on which branch of IT you are dealing
with. With routers, it goes by NAT; with Unix and firewalls, it often goes by IP
masquerading. At one point, I believe, in the Microsoft world it was called an IP proxy.
It sometimes goes by the name Network Address and Port Translation or NAPT. We'll
just call it NAT on this page.

2012 was when there were no more public IP addresses available.


NAT to the Rescue
So, what can you do? There are no more public IP addresses available? NAT
is the solution. It allows you to hide a complete network using private IP
addresses behind a single public IP address. For each class of IP, there is a
range of private IP addresses that you can use:
Private Address Ranges
Class A 10.0.0.0 - 10.255.255.255 network mask 255.0.0.0
Class B 172.16.0.0 - 172.31.255.255 network mask 255.255.0.0
Class C 192.168.0.0 - 192.168.255.255 network mask 255.255.255.0

Network Address Translation


In the above network, there is one public IP address of 142.110.123.210 at the router
WAN port. On the LAN side, the network consists of the private address range of
192.168.1.0/24. The router is running network address translation. All LAN traffic
gets translated to the public IP address. To the rest of the world, the public port looks
like one very busy PC!
As a LAN packet passes through the router, the router replaces the LAN source IP
address with the public IP address. As many different devices live on the LAN, there
has to be a mechanism to keep track of which returning response belongs to which
LAN IP address. There is a NAT translation table that keeps track of which packet
belongs to which device.
Symmetric NAT
Symmetric NAT is used for outgoing (egress) communications. The LAN source IP
address is translated to the public IP address. The LAN source port is mapped to a
unique external port such as 21000. The NAT translation table keeps track of the
mappings. When a response from the Internet comes in to the public IP address, the
router looks up the destination port in its translation table. If it matches 21000, then it
sets the destination IP address to the LAN IP address and resets the port to the original
value. Just remember that this is a two way communication.
With Cisco routers, you can assign multiple IP addresses to the public
facing Ethernet interface. I needed to open the PBX and a tftp/ftp server
to the outside world for my lab environment. I gave the public side
Ethernet interface a primary IP address and a secondary IP address then
used one to one mapping to point to my internal servers. The public
interface is configured as the NAT outside port. For Cisco, the relevant
configuration is as follows:
interface FastEthernet0/0
description WAN port, .240 is PSTNserver, .249 is ITSP
ip address 10.163.95.249 255.255.255.0 secondary
ip address 10.163.95.240 255.255.255.0
ip nat outside
interface FastEthernet0/1
description LAN interface
ip address 192.168.202.1 255.255.255.0
ip nat inside
ip nat inside source list 120 interface FastEthernet0/0 overload
access-list 120 permit ip any any

The LAN interface is configured as NAT inside. The "ip nat inside source list 120 ..."
indicates that the LAN traffic must be translated to the FastEthernet0/0 port (WAN)
connection. The "overload" command enables Port Address Translation. The last line
is a "form of a firewall" rule called an Access Control List (ACL). The ACL is number
120 and in this example, it allows any source IP address to go to any destination IP
address. Not much security here. There are whole courses available for understanding
ACLs and the security implementations to lock down your router. ACLs are beyond
the scope of this NAT page.

Static Port Mapping
For the incoming (ingress) communications to your network, you can statically map
the external port to an internal IP address. In this case, the public IP address is mapped
directly to one internal LAN IP address. This is good if you have one or two servers
running and one is a PBX. NAT can cause big headaches for VoIP and especially the
SIP/RTP protocols - the problems will be talked about later on this page under PAT. I
used static port mapping of NAT to solve a VoIP problem.
The Cisco commands seem to be written backwards. In the following commands, the
inside address is written before the outside. Logically, I would think it would be
written that anything coming in on this outside interface would go to this local IP
address. It's written the opposite way. Here's the relevant Cisco configuration:
ip nat inside source static 192.168.203.254 10.163.95.240
ip nat inside source static 192.168.202.252 10.163.95.249

NAT Methods
Naturally, as with everything concerning the Internet, there are many other "methods"
of NAT: "one to one"/full cone, restricted cone, port restricted and symmetric NAT.
Each has its merits and functions. The two that I've mentioned will work in 90% of
the cases. I'm not going to go into detail on all of these methods; a Google search will
provide you with more information than you would care to know about NAT.
PAT - Port Address Translation
For VoIP, the bad guy in this equation of NAT is PAT (Port Address Translation).
When a packet traverses (goes through) NAT, NAT changes the TCP or UDP port to
another one so that it can track the packet in its NAT translation table. When the
packet returns, it is changed back to the original port. So in addition to changing the
IP address, the port gets changed too!
For the most part this works very well. Except that for the SIP protocol, there are two
protocols sent for voice communications: SIP (Session Initiation Protocol) and RTP
(Real Time Protocol). SIP is used for setting up the call, RTP is used for carrying the
voice conversation. Instead of tracking just one port, two ports must be translated. To
make matters worse, the SIP header contains information identifying the RTP packet's
port.
If the RTP port is translated to another port, then the SIP header will point to the wrong
RTP port! The result is a problem called "one way audio", where one party can call the
other party and only one party can hear the other. This is a typical symptom of a NAT
problem.
The problem becomes even worse if there is NAT at both ends of the call! Now, each
end is performing NAT and PAT translations! Static port mapping for your PBX is one
way to overcome this problem, but firewall rules or access control lists are absolutely
necessary. Static port mapping opens up your PBX to the Internet, which is not really a
good idea! Providing whitelists of acceptable IP addresses and VPN (Virtual Private
Network) connections to remote clients are necessary security measures.
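The following added Python example (not the page's code) models the NAT translation table described in the Symmetric NAT, Static Port Mapping and PAT sections: dynamic port translation for egress flows starting at port 21000, static port mappings for ingress, a source whitelist for those static entries, and the check that explains one-way audio by comparing the RTP address advertised in the SIP message's SDP body with what the table can actually deliver. The public address 142.110.123.210 is the one from the page's diagram; the PBX address, the far-end address and the SIP INVITE are constructed, and the last step assumes the PBX is configured to advertise the public address in its SDP.

```python
import re

PUBLIC_IP = "142.110.123.210"   # router WAN address in the page's NAT diagram
PBX_IP = "192.168.1.20"          # constructed LAN address of the PBX
ITSP_IP = "198.51.100.5"         # constructed address of the far end (the ITSP)


class NatRouter:
    """Model of the router's NAT translation table: dynamic port translation for
    egress flows and static port mappings for ingress, as described on this page."""

    def __init__(self, public_ip, first_port=21000):
        self.public_ip = public_ip
        self.next_port = first_port      # the page's example of a unique external port
        self.dynamic = {}                # public_port -> (lan_ip, lan_port)
        self.static = {}                 # public_port -> (lan_ip, lan_port)
        self.allowed_sources = set()     # the page's whitelist, applied to static entries

    def add_static(self, public_port, lan_ip, lan_port):
        self.static[public_port] = (lan_ip, lan_port)

    def allow_source(self, ip):
        self.allowed_sources.add(ip)

    def egress(self, lan_ip, lan_port):
        """Outgoing packet: the source becomes the public address and a unique port.
        An existing (static or dynamic) entry for this LAN socket is reused."""
        for table in (self.static, self.dynamic):
            for public_port, inside in table.items():
                if inside == (lan_ip, lan_port):
                    return self.public_ip, public_port
        public_port = self.next_port
        self.next_port += 1
        self.dynamic[public_port] = (lan_ip, lan_port)
        return self.public_ip, public_port

    def ingress(self, public_port, src_ip):
        """Incoming packet: returns the LAN socket it is forwarded to, or None when it
        is dropped. Static entries accept any source unless a whitelist is set."""
        if public_port in self.static:
            if self.allowed_sources and src_ip not in self.allowed_sources:
                return None
            return self.static[public_port]
        return self.dynamic.get(public_port)


SDP_CONNECTION = re.compile(r"^c=IN IP4 (\S+)", re.M)
SDP_AUDIO = re.compile(r"^m=audio (\d+) ", re.M)


def advertised_rtp(sip_message):
    """Where the SDP body of the INVITE tells the far end to send RTP: (ip, port)."""
    ip = SDP_CONNECTION.search(sip_message).group(1)
    port = int(SDP_AUDIO.search(sip_message).group(1))
    return ip, port


def rtp_will_arrive(nat, sip_message, far_end_ip=ITSP_IP):
    """True only when RTP sent to the advertised address reaches a LAN host: the
    address must be the public one and the port must have a usable mapping."""
    ip, port = advertised_rtp(sip_message)
    return ip == nat.public_ip and nat.ingress(port, far_end_ip) is not None


def invite(media_ip, media_port):
    # constructed SIP INVITE; only the SDP c= and m= lines matter for the check
    return ("INVITE sip:bob@example.net SIP/2.0\r\n"
            "Content-Type: application/sdp\r\n\r\n"
            "v=0\r\n"
            f"c=IN IP4 {media_ip}\r\n"
            f"m=audio {media_port} RTP/AVP 0\r\n")


if __name__ == "__main__":
    nat = NatRouter(PUBLIC_IP)
    print("SIP egress:", nat.egress(PBX_IP, 5060))     # translated to port 21000
    print("RTP egress:", nat.egress(PBX_IP, 10000))    # translated to port 21001
    # The SDP still names the private address and port 10000: one-way audio
    print("RTP arrives, plain PAT:", rtp_will_arrive(nat, invite(PBX_IP, 10000)))
    print("RTP arrives, public address but untranslated port:",
          rtp_will_arrive(nat, invite(PUBLIC_IP, 10000)))
    # Static port mapping plus a PBX that advertises the public address
    nat.add_static(10000, PBX_IP, 10000)
    nat.allow_source(ITSP_IP)
    print("RTP arrives, static mapping:", rtp_will_arrive(nat, invite(PUBLIC_IP, 10000)))
    print("Same packet from an unlisted source:", nat.ingress(10000, "203.0.113.9"))
```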

The Wide Area Network (WAN) link is usually the bottleneck for data and voice traffic.
On the LAN side, we have lots of bandwidth running 100 Mbps or 1 Gbps Ethernet. The
link to the outside world, the WAN link, is where the bandwidth suffers. It is usually
significantly lower than the LAN bandwidth.
There are many options available for the WAN link, but be aware that some provide
asymmetric bandwidth between uploads and downloads. Cable modems and ADSL are
examples. Typically, the upload bandwidth is a fraction of the download bandwidth.
For example, basic ADSL provides 3 Mbps download but only 500 kbps upload! A
better solution is Symmetric DSL, which has equal upload and download bandwidths.
Often the bandwidth that you purchase is not what you actually end up with. There are
a lot of reasons why the bandwidth at your receiving end is different. For ADSL, it can
be the number of line taps, or the quality and age of the cable running to your premises.
For cable modems, it can be the number of users on the cable path. The best solution is
to test your line using one of the online speed testers like SpeedTest.net to see what
your actual upload and download speed is.

How much bandwidth is needed?


You must take into account the data and voice traffic that you
are using. The simple answer to how much bandwidth is needed
is "as much as you can afford"! Still, we would like to know
what the minimum requirements are. A good process to find this out is:
1. Monitor your data traffic on the WAN to determine the peak traffic
2. Monitor your voice traffic to find out the peak number of concurrent calls
From the above information, you can determine how much bandwidth is used and
how big a WAN pipe you need. On some routers, you can allocate a
portion of the available bandwidth specifically for voice traffic.
How to Calculate Voice Bandwidth
If it is a new installation, you may not be able to monitor the voice
traffic to find out the bandwidth for the peak calls. There is a way to
calculate the number of channels using Erlang B tables. The Erlang is
a unit of telephone traffic load that is used to look up the number of
channels in an Erlang B table. The table indicates the number of channels
required for a certain percentage of blocking. The percentage of blocking refers to
how often a call will find the system busy.
The standard blocking percentages are 1%, where 1 in 100 calls will receive a busy signal
(this would be for emergency services or a company that absolutely depends on its
phone system for its revenue), and 5%, where 1 in 20 calls would report as busy, which
is sufficient for most businesses. Just a note: blocking affects not only
incoming calls but outgoing calls also. If you can afford the bandwidth, go with 1%
blocking!
1. The first step is to monitor or estimate the number of incoming and outgoing
calls during peak hours. For this example, we'll say that there are 51
calls (simultaneous calls) during an hour (51 calls/hour).
2. Next, monitor or estimate the average time per call in seconds. For this
example, the average call will last 10.5 minutes or 630 seconds.
3. Now we run these two numbers through this formula to calculate the number of
Erlangs:

In case you were wondering, the number 3600 is the number of seconds in an
hour and is used to make sure that the units hours and seconds cancel.
4. Next we need to determine the number of voice channels that are needed to
meet the required blocking. To do this we use the Erlang B table (pdf) under the
% blocking column. For our example, we select the closest value to 8.9 Erlangs
from the 5% blocking column. That would require a minimum of 13 channels.
For 1% blocking, 16 channels would be the minimum number of channels
required.

5. Now we can determine the bandwidth required. To do this we need to know the
voice codec that is going to be used. Voice codecs are selected for two reasons:
voice quality and bandwidth used. On the LAN, there is plenty of bandwidth
available, so the g.711 (alaw or ulaw) codec is used. The codec uses 64 kbps of
bandwidth just for transporting the voice communications. In addition to the
bandwidth used by the voice codec, there is the bandwidth overhead of the
voice protocols used, the WAN protocol, and the TCP/UDP and IP protocols!
The Asterisk Guru has a nice online bandwidth calculator for determining the
total bandwidth used based on the number of incoming and outgoing channels
using common codecs and VoIP protocols.

In our example, for 5% blocking we needed 15 channels using the SIP protocol
and the g.711 codec. We would need a minimum of 2,070 kbps, or roughly 2
Mbps, of our WAN link's bandwidth dedicated to voice traffic.
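The Erlang sizing in steps 1 to 5 carried through in Python, as an added example that is not the page's own code or the Asterisk Guru calculator. It computes the Erlang B blocking probability directly instead of reading the table and takes the smallest channel count whose blocking is at or below the target, which rounds up to 14 and 17 channels for 8.925 Erlangs where the nearest table entries on the page give 13 and 16; the 20 ms frame and 40-byte RTP/UDP/IP header figures are assumptions, not values from the page.

```python
"""Erlang B sizing for the page's worked example (added example, not the
page's own code). Inputs from the page: 51 calls/hour, 630 s per call, G.711."""

SECONDS_PER_HOUR = 3600


def erlangs(calls_per_hour: float, avg_call_seconds: float) -> float:
    """Offered traffic in Erlangs: call-seconds per hour divided by 3600."""
    return calls_per_hour * avg_call_seconds / SECONDS_PER_HOUR


def erlang_b(traffic: float, channels: int) -> float:
    """Blocking probability for `traffic` Erlangs offered to `channels`
    trunks, using the standard recursive form of the Erlang B formula
    (no factorials, so it stays numerically stable for large N)."""
    b = 1.0
    for n in range(1, channels + 1):
        b = traffic * b / (n + traffic * b)
    return b


def channels_needed(traffic: float, target_blocking: float) -> int:
    """Smallest channel count whose blocking does not exceed the target
    (rounds up, unlike picking the nearest table entry)."""
    n = 1
    while erlang_b(traffic, n) > target_blocking:
        n += 1
    return n


def per_call_kbps(codec_kbps: float = 64.0, frame_ms: float = 20.0,
                  header_bytes: int = 40) -> float:
    """One direction of one call at the IP layer. Assumptions (not from
    the page): 20 ms RTP frames and 40 bytes of RTP+UDP+IP headers; the
    WAN link's own framing (PPP, Ethernet) adds more on top."""
    payload_bytes = codec_kbps * 1000 * frame_ms / 1000 / 8
    packets_per_second = 1000 / frame_ms
    return (payload_bytes + header_bytes) * 8 * packets_per_second / 1000


if __name__ == "__main__":
    a = erlangs(51, 630)  # 8.925 Erlangs, the page rounds this to 8.9
    print(f"offered traffic: {a:.3f} E")
    for p in (0.05, 0.01):
        n = channels_needed(a, p)
        print(f"{p:.0%} blocking: {n} channels "
              f"(computed blocking {erlang_b(a, n):.2%})")
        print(f"  voice bandwidth: {n * per_call_kbps():.0f} kbps per direction")
```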
Control of QoS

You have complete control over Quality of Service (QoS) on the LAN, because you
are the master of the LAN and can configure and tune it. But what about the WAN
connection? You can control the traffic going out, but what about the traffic coming in?
To control the incoming traffic, you must have a QoS agreement with the Service
Provider for the WAN connection. Otherwise, you can only control QoS on
outgoing traffic, not incoming!

The WAN link is the big problem!


WAN QoS Solutions
On some routers, the physical Ethernet ports can have priorities. You can use one port
for the voice traffic and give it priority over the data traffic port. Some companies
have two WAN connections, one dedicated specifically for voice traffic and the other
for data traffic.
Application Layer Gateways

Another option is an Application Layer Gateway (ALG). An ALG can examine
the packet for the Application layer information. It can make decisions based
on the presence of an Application layer voice protocol such as SIP, IAX, SCCP,
H.323, RTP, RTCP, etc., and give the
voice protocols priority on the WAN link over the data traffic.
