
DMVPN: want to send VoIP (SIP/RTP) over the tunnel, and all other data traffic out the WAN port

chikagoh asked (Medium Priority, 2,095 Views, Last Modified: 2012-05-06)
Greetings,

I have a basic Hub-Spoke DMVPN network. I would like for all VoIP (SIP/RTP) traffic to go over the VPN tunnels, and everything else (standard Internet data) to go out the WAN port (uplink to the ISP).

Any help would be appreciated.

Commented:
DMVPN provides access to the tunnel through routing. If you want SIP/RTP traffic to go through the tunnels, make the routing for those networks or that type of traffic prefer the tunnel as the path. Are you concerned with hub-to-spoke communication or spoke-to-hub? Also, what type of routing are you doing in your DMVPN config, EIGRP or OSPF? If you can identify the networks of interest and the basic routing/tunnel configs, we can provide more specific configuration guidance.

-t

Author

Commented:
I am using EIGRP. Currently I use a route-map to send all traffic from each spoke's LAN over the VPN to the Hub and then onto the Internet (from the Hub's ISP connection). I would like to limit this to just VoIP, and have all other traffic go out the WAN.

Hub Config:

crypto keyring dmvpnspokes
  pre-shared-key address 0.0.0.0 0.0.0.0 key XXX
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
crypto isakmp profile DMVPN
   keyring dmvpnspokes
   match identity address 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile DMVPN_BRIT
 set transform-set strong
 set isakmp-profile DMVPN

interface Tunnel0
 bandwidth 1000
 ip address 11.11.11.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication XXX
 ip nhrp map multicast dynamic
 ip nhrp network-id XXX
 ip nhrp holdtime 300
 ip nhrp redirect
 no ip route-cache cef
 no ip route-cache
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 100
 no ip mroute-cache
 delay 1000
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key XXX
 tunnel protection ipsec profile DMVPN_BRIT



Spoke Config:

crypto isakmp policy 10
 encr 3des
 authentication pre-share
crypto isakmp key XXX address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile DMVPN_BRIT
 set security-association lifetime seconds 120
 set transform-set strong


interface Tunnel0
 bandwidth 1000
 ip address 11.11.11.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nat outside
 ip nhrp authentication XXX
 ip nhrp map 11.11.11.1 x.x.x.x
 ip nhrp map multicast x.x.x.x
 ip nhrp network-id XXX
 ip nhrp holdtime 300
 ip nhrp nhs 11.11.11.1
 ip nhrp shortcut
 ip nhrp redirect
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 ip tcp adjust-mss 1360
 no ip mroute-cache
 delay 200
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key XXX
 tunnel protection ipsec profile DMVPN_BRIT


interface FastEthernet0/0
 description TO-_ISP
 ip address dhcp client-id FastEthernet0/0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled


interface Vlan1
 description INSIDE
 ip address 172.16.211.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip policy route-map TOVPN

access-list 111 permit ip 172.16.211.0 0.0.0.255 any

! route-map name must match the "ip policy route-map" applied on Vlan1
route-map TOVPN permit 10
 match ip address 111
 set interface Tunnel0

Author

Commented:
Also, the remote networks of interest are nearly impossible to identify. We use a VoIP hosting provider with SBCs, AS's and thousands of media gateways. I am hoping to identify the protocol to determine the route to take (VPN or Fa0/0 NAT).

Commented:
Is this a Cisco voice solution or something else? If so, you could use the DSCP classification of the RTP and C&C streams as the classifier, if you can trust the devices with QoS.

Author

Commented:
No Cisco Call Manager. Polycom phones, Cisco 1861 routers.

Commented:
Perfect. You can classify the traffic to be routed through the tunnels based upon the source IPs and destination protocols as well as DSCP values. I would match DSCP values 3 and 5 and AF41 and send them through the tunnel. You could also do any-to-any on tcp/2000.

Let me know if you need more help setting this up.

-t

Author

Commented:
What is tcp/2000 for? I know SIP is udp/5060 and RTP is an upper range of UDP ports.

Could I also use class/policy maps (I've used these for QoS) to send SIP and RTP audio through the tunnel, or does it need to be DSCP only?

I can work a config and post it tonight to make sure it's correct.

Commented:
tcp/2000 is Skinny (SCCP), the alternative to SIP.

You could absolutely use class/policy maps like you would use for QoS for this. That is kind of what I was leading you towards, just didn't know how much you had done before.

-t

Author

Commented:
I would want to use whichever is best in regards to performance and minimal overhead. I will also want to implement QoS at some point, so whatever will work easiest with that.

Commented:
I would use a basic QoS design to identify the traffic of interest and also route that traffic through your VPN tunnels. Set it up once right and then you don't need to revisit it later.

What I typically recommend is to allocate 33% to RTP and 5-10% to C&C depending on the bandwidth available. Everything else is best effort.

Are you going to be doing video as well? That would also go into the 33%.

hope this helps,

-t
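The thread ends without a worked configuration, so here is one spoke-side IOS example that combines the two approaches discussed: the port/protocol view from the question (SIP on udp/5060, RTP on a UDP port range) and the DSCP plus class/policy-map design from the replies (33% for RTP, 5% for call control, everything else best effort). This is an added example, not configuration from any participant in the thread or from Cisco documentation. The LAN subnet 172.16.211.0/24, the hub tunnel address 11.11.11.1, and the interfaces Tunnel0, Vlan1 and FastEthernet0/0 are taken from the posted spoke config; the object names (VOIP-SIGNALING, VOIP-MEDIA, VOIP-TO-VPN, VOICE-RTP, VOICE-SIGNALING, WAN-EDGE), the RTP port range 2222-2269, the DSCP markings EF/CS3/AF31 and the 10 Mbit/s uplink figure are assumptions to be adjusted to the phones and the ISP link.

```cisco
! Spoke-side example (added; assumptions are marked inline).
!
! Step 1: identify VoIP by protocol and port. SIP signalling is udp/5060 as
! stated in the question; tcp/5060 is included in case the provider uses it.
! The RTP port range 2222-2269 is an ASSUMPTION (a common Polycom default);
! set it to the range the phones are actually provisioned with.
ip access-list extended VOIP-SIGNALING
 permit udp 172.16.211.0 0.0.0.255 any eq 5060
 permit tcp 172.16.211.0 0.0.0.255 any eq 5060
ip access-list extended VOIP-MEDIA
 permit udp 172.16.211.0 0.0.0.255 range 2222 2269 any
 permit udp 172.16.211.0 0.0.0.255 any range 2222 2269
!
! Step 2: policy-route only that traffic into the DMVPN.
! "set ip next-hop" is used rather than "set interface" because Tunnel0 is a
! multipoint GRE interface and needs a next hop that NHRP can resolve.
! There is deliberately no "permit 20" clause: anything that matches neither
! ACL falls through to the normal routing table, i.e. the default route out
! FastEthernet0/0 with NAT.
route-map VOIP-TO-VPN permit 10
 match ip address VOIP-SIGNALING VOIP-MEDIA
 set ip next-hop 11.11.11.1
!
interface Vlan1
 ip policy route-map VOIP-TO-VPN
!
! Step 3: the "set it up once" QoS design. match-any classes catch packets
! either by DSCP (ASSUMED markings: phones set EF on media, CS3/AF31 on
! signalling) or by the ACLs above, so unmarked traffic is still classified.
class-map match-any VOICE-RTP
 match dscp ef
 match access-group name VOIP-MEDIA
class-map match-any VOICE-SIGNALING
 match dscp cs3 af31
 match access-group name VOIP-SIGNALING
!
policy-map WAN-EDGE
 class VOICE-RTP
  priority percent 33
 class VOICE-SIGNALING
  bandwidth percent 5
 class class-default
  fair-queue
!
! Without qos pre-classify the output policy on FastEthernet0/0 only sees the
! GRE/IPsec outer header (DSCP is copied to it, the inner ports are not), so
! the ACL-based matches would stop working for tunnelled packets.
interface Tunnel0
 qos pre-classify
!
! priority/bandwidth percent are computed from the interface bandwidth, so set
! it to the real uplink rate (10000 kbit/s here is a PLACEHOLDER).
interface FastEthernet0/0
 bandwidth 10000
 service-policy output WAN-EDGE
```

To confirm the split is doing what you expect, place a test call and compare the counters: `show route-map VOIP-TO-VPN` reports how many packets were policy-routed, `show policy-map interface FastEthernet0/0` shows per-class packet counts on the uplink, and `show ip nhrp` confirms the hub mapping that the next hop relies on. One thing to check before relying on this: the posted spoke config has `ip nat outside` on Tunnel0 as well as on FastEthernet0/0, so whatever inside-source NAT rule the router carries will also translate the policy-routed VoIP flows as they enter the tunnel; if the hub and the voice provider should see the phones' real addresses, exclude the tunnel path from the NAT ACL.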
