Voice over IP is, as you know for sure, very time-sensitive traffic. That is why VoIP signaling and payload traffic should receive enough bandwidth and as less jitter and delay as possible.
QoS is an important tool to assign VoIP traffic more preference over “normal” traffic. Important for QoS tools to function correctly is placing different kinds of traffic in different queues. To place traffic in different queues, traffic should be classified. All VoIP traffic should be classified and placed in the same queue or given the same priority. I usually use the following ACL’s to match VoIP signaling and payload traffic.
ip access-list extended VOIP-SIGNALING
permit tcp any any eq 1720
permit tcp any any range 11000 11999
permit udp any any eq 2427
permit tcp any any eq 2428
permit tcp any any range 2000 2002
permit udp any any eq 1719
permit udp any any eq 5060
ip access-list extended VOIP-PAYLOAD
permit udp any any range 16384 32767
The following table gives some basic explanations for the different permit statements:
|H.323 / H.225
|H.323 / H.245
|Media Gateway Control Protocol (MGCP)
||UDP/2427 and TCP/2428
|Skinny Client Control Protocol (SCCP)
|Simple Gateway Control Protocol (SGCP)
|H.323 / H.225 RAS
|Session Initiation Protocol
|Real-Time Transport Protocol (RTP)
||UDP/16384-32767, even ports only
|Real-Time Control Protocol (RTCP)
||UDP/16384-32767, odd ports only
A decent management server is very important in a network, at least that is my opinion. The most important aspect of a management server is its user friendliness. Our customers are most of the time busy with their own problems and the problems of end users, which include all kind of (silly) problems. So the most of them don’t have a lot of time to spend on configuring a management server.
That is why I like Cacti and especially CactiEZ. CactiEZ is a software appliance, which is up and running in half an hour. After that you just add some devices and you can generate some nice bandwidth statistics with the help of RRDTool. I have also seen a lot of other management servers, like Nagios, HP OpenView and Cisco Works, but the most of them are hard to configure and end up as mp3 player…..
When I configure a management server only for network components like switches, routers and/or firewalls, I always use CactiEZ. It is easy to install and gives me all the things I need. The most important options of Cacti for me are: bandwidth statistics, syslog messages, flow view, mac tracking, reporting and so one. Especially if you combine Cacti(EZ) with SwitchMap, you have a nice, easy to use and robust management server for your network.
I have had different discussions with different customers about the load-balancing algorithms between a Cisco switch, configured with a port-channel and a VMware ESX server using multiple NICs. Our VMware consultants always choose Route based on IP hashes as load-balancing algorithm. This means that load-balancing happens on layer 3 of the OSI model (source-destination-IP).
In my opinion, the switch should be configured the same way. Depending on the model switch, you can have different default load-balancing algoritmhs. For example, the Cisco Catalyst 3750 uses src-mac load-balancing and the Cisco Catalyst 6500 use src-dst-ip load-balancing. You can check the configured load-balancing algorithm with the following command:
show etherchannel load-balancing
If you would like you change the load-balancing algorithm you can use the global configuration command:
port-channel load-balancing <option>
Be aware that this is a global configuration command, so it affects all the configured port-channels on the switch.
To check the load-balancing between the different NICs, you should have a tool to look at real-time bandwidth statistics. I normally use the tool SNMP Traffic Grapher to monitor the different switch ports. On the ESX console you can check the load-balancing with the commands:
- esxtop [enter]
- s2 (schedule interval of 2 seconds) [enter]
- n [network]
The load should be spread fairly even across the different switch ports en vmnics.
I have a customer running a Barracuda SPAM firewall 300. The customer has the specific request that only the administrator can look at Quarantine messages and users shouldn’t get their own Quarantine inbox. To accomplish this I have configured the Quarantine Type: Global.
I see that all Quarantine messages are delivered in the globally configured mailbox. But sometimes the Barracadu still automatically creates an Account Address under the Users tab. The user from that Account has than the ability to look at their own quarantine messages. I thought it would help to configure the option New User Quarantine State to No, but this has no affect.
Does somebody know who to disable the function to automatically create User Accounts on the Barracuda SPAM firewall 300…??
Since the day before yesterday, some of our customers complained having problems with receiving e-mail. The senders from the e-mail noticed that their mail had been blocked by relays.ordb.org. This RBL is offline, according to this article, at least everybody thought. Seems to me, the RBL came online yesterday and blocked everything. I have heard some rumours about the RBL coming online and blocking everything, so postmaster become aware of false configuration of the RBL lists in the mail components. Our customers were using Microsoft Exchange servers and were still using relays.ordb.org in their Connection Filtering rules. After deleting the URL the mail began to flows like nothing happend.