03-10-2015 01:10 AM - edited 03-05-2019 12:59 AM
Hello,
we have been using an 886VA router for a few years, connected to a VDSL link. Now we are changing to a symmetric line, and it is terminated as Ethernet (fixed IP). Is there any chance to use WAN Ethernet on this ADSL router? It would not be a VDSL line anymore. And if yes, could somebody help me with the configuration? I am not very strong in IOS.
Thank you guys
Ondrej
03-10-2015 05:36 AM
Hi Ondrej,
If I understand you correctly, your new internet connection is provided over a simple Ethernet handoff, is that correct?
I believe that it should be possible to make your router work as a common router, routing between Ethernet segments, assuming the following items are true:
Do you believe it would be possible for you to post the existing sanitized configuration of the router?
Thanks!
Best regards,
Peter
03-11-2015 02:13 AM
Hi Peter,
that is correct. And the items you mentioned are true (one free port, create vlan). Here is the existing configuration:
Current configuration : 3825 bytes
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$hrZB$QBuiJ19v0xvzckx9czDsy1
enable password ----------------
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpn_xauth_ml_1 local
aaa authentication login sslvpn local
aaa authorization network vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
!
!
!
!
ip dhcp excluded-address 10.0.0.138
ip dhcp excluded-address 10.0.0.23 10.0.0.24
ip dhcp excluded-address 10.0.0.200
ip dhcp excluded-address 10.0.0.25
!
ip dhcp pool DHCP_SERVER
network 10.0.0.0 255.255.255.0
default-router 10.0.0.138
dns-server 93.153.117.1
lease 7
!
ip dhcp pool DHC_SERVER
dns-server 8.8.8.8
!
!
!
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
!
license udi pid CISCO886VA-K9 sn FCZ1721C1MV
!
!
username vpntendra secret 4 cWYxPQmiK2DFs.v7Bt18Dfs3s0p5xo/xsS7q5iktz96
username admin secret 4 cWYxPQmiK2DFs.v7Bt18Dfs3s0p5xo/xsS7q5iktz96
!
!
!
!
!
controller VDSL 0
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group CCLIENT-VPN
key ------------
dns 10.0.0.138
pool VPN-pool
acl 120
max-users 10
crypto isakmp profile vpn-ike-profile-1
match identity group CCLIENT-VPN
client authentication list vpn_xauth_ml_1
isakmp authorization list vpn_group_ml_1
client configuration address respond
virtual-template 2
!
!
crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile VPN-Profile-1
!
!
!
!
!
!
!
interface Ethernet0
no ip address
!
interface Ethernet0.4
!
interface Ethernet0.848
encapsulation dot1Q 848
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
switchport access vlan 7
no ip address
!
interface FastEthernet1
switchport access vlan 7
no ip address
!
interface FastEthernet2
no ip address
shutdown
!
interface FastEthernet3
no ip address
shutdown
!
interface Virtual-Template2 type tunnel
ip unnumbered Vlan7
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN-Profile-1
!
interface Vlan1
no ip address
ip nat inside
ip nat enable
ip virtual-reassembly in
!
interface Vlan7
ip address 10.0.0.138 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Dialer1
bandwidth 30000
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname TO2
ppp chap password 0 TO2
ppp ipcp dns request
ppp ipcp mask request
ppp ipcp route default
no cdp enable
!
ip local pool VPN-pool 10.0.0.181 10.0.0.186
ip forward-protocol nd
no ip http server
no ip http secure-server
!
no ip nat service sip udp port 5060
ip nat inside source list 10 interface Dialer1 overload
ip default-network 10.0.0.0
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 10 permit any
access-list 120 remark == CISCO VPN USERS ==
access-list 120 permit ip any host 10.0.0.181
access-list 120 permit ip any host 10.0.0.182
access-list 120 permit ip any host 10.0.0.183
access-list 120 permit ip any host 10.0.0.184
access-list 120 permit ip any host 10.0.0.185
access-list 120 permit ip any host 10.0.0.186
dialer-list 1 protocol ip permit
!
snmp-server community public RO
!
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password ----------------
transport input all
!
!
end
Thank you very much for your interest.
Ondrej
03-11-2015 03:00 AM
Hello Ondrej,
Thanks for the configuration.
Okay, let me suggest a change to your configuration with the following assumptions:
The lines you can directly paste into the configuration that would do the necessary modifications and corrections are as follows:
!!! Step 1
vlan 3
 name WAN-Internet
 exit
!!! Step 2
interface FastEthernet3
 switchport access vlan 3
 switchport mode access
 ! This command may not be supported
 spanning-tree portfast
 no shutdown
 exit
!!! Step 3
interface Vlan3
 ip address dhcp
 ip nat outside
 no shutdown
 exit
!!! Step 4 - You will be prompted to answer 'yes' after the next command
no ip nat inside source list 10 interface Dialer1 overload
!!! Step 5
no access-list 10
!!! Step 6
access-list 10 permit 10.0.0.0 0.255.255.255
!!! Step 7
route-map NAT-Dialer1 permit 10
 match interface Dialer1
 match ip address 10
 exit
route-map NAT-Vlan3 permit 10
 match interface Vlan3
 match ip address 10
 exit
!!! Step 8
ip nat inside source route-map NAT-Dialer1 interface Dialer1 overload
ip nat inside source route-map NAT-Vlan3 interface Vlan3 overload
!!! Step 9
no ip default-network 10.0.0.0
no interface Ethernet0.4
To explain what is done in steps:
Please save your existing configuration before changing it.
Any questions and feedback are welcome. Please keep us posted about how this worked for you.
Best regards,
Peter
03-13-2015 12:55 AM
Hello Peter,
today I will try to configure the router and connect through the Ethernet line (the new one). Could there be any problem with the VPN? Or any other problem?
Thank you very much
With regards
Ondrej
03-13-2015 02:52 AM
Peter, I received some information from the new provider. Now I have an IP address, mask, GW and DNS servers. So the address is fixed. Is it right that I put this information on interface Vlan3? And how do I change the VPN to communicate with this interface?
Thank you very much, Peter.
With regards
Ondrej
03-15-2015 03:54 AM
Hello Peter,
I am a little bit confused by the router (or in fact by myself). The whole weekend I have been trying to set it up and nothing works. I saved the configuration I sent you last time and reset the router to defaults. I will not use VDSL anymore, so I got rid of all that stuff. Here is the current configuration. Is there anything wrong? Do you have any idea why it is not connecting to the internet?
Current configuration : 1759 bytes
!
! Last configuration change at 10:13:42 UTC Sun Mar 15 2015
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 cWYxPQmiK2DFs.v7Bt18Dfs3s0p5xo/xsS7q5iktz96
!
no aaa new-model
memory-size iomem 10
!
!
!
!
!
ip dhcp excluded-address 10.0.0.138
ip dhcp excluded-address 10.0.0.1 10.0.0.50
ip dhcp excluded-address 10.0.0.150
!
ip dhcp pool DHCP
import all
network 10.0.0.0 255.255.255.0
dns-server 10.0.0.138
default-router 10.0.0.138
lease 7
!
!
!
ip cef
no ipv6 cef
!
!
license udi pid CISCO886VA-K9 sn FCZ1721C1MV
!
!
!
!
!
!
!
controller VDSL 0
!
!
!
!
!
!
!
!
!
!
interface Ethernet0
no ip address
shutdown
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
switchport access vlan 7
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
switchport access vlan 3
no ip address
spanning-tree portfast
!
interface Vlan1
no ip address
!
interface Vlan3
description WAN-Internet
ip address 192.168.0.150 255.255.255.0
ip nat outside
no ip virtual-reassembly in
!
interface Vlan7
ip address 10.0.0.138 255.255.255.0
ip nat inside
no ip virtual-reassembly in
!
ip default-gateway 192.168.0.1
ip forward-protocol nd
ip http server
no ip http secure-server
!
ip nat inside source list 10 interface Vlan3 overload
ip route 0.0.0.0 0.0.0.0 Vlan3
!
access-list 10 permit 10.0.0.0 0.255.255.255
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
login
transport input all
!
!
end
Thank you, Peter.
With regards
Ondrej
03-15-2015 04:55 AM
Hi Ondrej,
I am sorry for replying late.
The primary problem I see with your configuration is the way you have configured your default route. You have basically pointed out the Vlan3 interface, without telling the router who the next hop is. This way of configuring default routes (or any static route in general) works fine only with point-to-point interfaces, such as PPP links or similar connections. However, it may not work properly with multi-access interfaces such as Ethernet where there can be multiple routers reachable over that interface. The router now assumes that the entire internet is directly connected to your Vlan3 interface (just have a look at your show ip route output - it will tell you that the 0.0.0.0/0 is directly connected), and acts accordingly: It simply tries to ARP for every packet's destination, just the way it would do with any destination in a directly connected network.

Obviously, the entire internet is not directly connected to your Vlan3 interface, so the destinations do not hear your router's ARP requests, and that is why the internet connection may fail. Sometimes it may work because the upstream router at the ISP may have its Proxy ARP function turned on - the Proxy ARP function allows a router to answer ARP queries looking for any address to which the router knows a route. However, it is a best practice to have Proxy ARP deactivated, and it seems that your provider has done just that.

Even if the Proxy ARP was active at your ISP's router, relying on it would create huge ARP traffic, sloppy performance, excessively large ARP tables and in worst cases, memory exhaustion on your router and intermittent reloads.
To sum it up shortly: Whenever defining a static route out an Ethernet or any other multi-access interface, always use the next hop IP address if possible, and avoid creating static routes defined using egress interfaces only.
This issue has been discussed many times on this forum but it keeps popping again and again so that's why I am so outspoken about this :)
This is the set of commands I recommend pasting into your configuration that will correct the configuration:
no ip default-gateway
no ip route 0.0.0.0 0.0.0.0 Vlan3
ip route 0.0.0.0 0.0.0.0 192.168.0.1
I see you have used the ip default-gateway command. This command can be quite confusing. The fact is that this command has an effect only if the device has IP routing deactivated - in other words, if the device does not operate as an IP router and does not have a routing table. On routers, this command is practically useless because you want your routers to do IP routing so you almost never turn off the IP routing function on them. So while you have configured it, your router ignores it because its routing is still active and it uses its routing table to direct packets. That is why I am removing this command along with the incorrect static default route, and I am replacing it with an explicit default route directed to 192.168.0.1. Please try out these commands.
Just to complete the thought, the ip default-gateway would be used on switches that do not perform routing - for these, this is the only way of defining a default gateway, as they do not have a routing table.
If these modifications do not work then I will need further diagnostic output from your router - the full outputs of the following commands:
show ip route
show ip interface brief
ping 192.168.0.150
ping 192.168.0.1
Thanks!
Best regards,
Peter
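The pitfalls Peter describes above (a static route that names a multi-access interface instead of a next hop, and an ip default-gateway that a routing-enabled router ignores) are easy to catch before pasting a config. The following is an added example, not code from this thread or from Cisco: a small linter over an IOS running-config that flags both, plus the overly broad NAT ACL (permit any) that Peter replaced in his step list. The sample configuration it runs on is constructed from fragments of the configs posted above; the interface-name prefixes it treats as multi-access are an assumption of the example.

```python
"""Added example: lint a Cisco IOS running-config for the routing and NAT
pitfalls discussed in this thread. Not code from the thread or from Cisco."""
import re

# Assumption of this example: interfaces with these name prefixes are
# multi-access (Ethernet-like). A static route pointing at one of them by
# name only makes the router ARP for every destination. Point-to-point
# interfaces (Dialer, Serial, Tunnel) are fine as route egress interfaces.
MULTI_ACCESS_PREFIXES = ("Vlan", "FastEthernet", "GigabitEthernet", "Ethernet", "BVI")

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def lint_ios_config(config: str) -> list:
    """Return a list of human-readable findings for the given config text."""
    findings = []
    lines = [ln.strip() for ln in config.splitlines()]
    ip_routing_disabled = "no ip routing" in lines

    # 1. Static routes whose only "next hop" is a multi-access interface name.
    for ln in lines:
        m = re.match(r"^ip route (\S+) (\S+) (\S+)(?: (\S+))?", ln)
        if not m:
            continue
        dest, mask, nh, extra = m.groups()
        if IPV4_RE.match(nh):
            continue  # next hop given as an address: fine
        if extra and IPV4_RE.match(extra):
            continue  # "ip route ... Vlan3 192.168.0.1": interface plus next hop, fine
        if nh.startswith(MULTI_ACCESS_PREFIXES):
            findings.append(
                f"static route {dest} {mask} points at multi-access interface {nh} "
                "without a next-hop address (router will ARP for every destination)")

    # 2. ip default-gateway has no effect while IP routing is enabled.
    for ln in lines:
        if ln.startswith("ip default-gateway") and not ip_routing_disabled:
            findings.append(
                f"'{ln}' is ignored because IP routing is enabled; "
                "use 'ip route 0.0.0.0 0.0.0.0 <next-hop>' instead")

    # 3. NAT inside-source ACLs that permit any source address.
    nat_acls = set()
    for ln in lines:
        m = re.match(r"^ip nat inside source list (\S+) ", ln)
        if m:
            nat_acls.add(m.group(1))
    for ln in lines:
        m = re.match(r"^access-list (\S+) permit any$", ln)
        if m and m.group(1) in nat_acls:
            findings.append(
                f"NAT ACL {m.group(1)} permits any source; restrict it to the inside subnets")
    return findings


# Constructed sample, assembled from fragments of the configs posted in this thread.
SAMPLE_CONFIG = """\
interface Vlan3
 ip address 192.168.0.150 255.255.255.0
 ip nat outside
interface Vlan7
 ip address 10.0.0.138 255.255.255.0
 ip nat inside
ip default-gateway 192.168.0.1
ip nat inside source list 10 interface Vlan3 overload
ip route 0.0.0.0 0.0.0.0 Vlan3
ip route 0.0.0.0 0.0.0.0 Dialer1
access-list 10 permit any
"""

# The same config with the corrections from the thread applied.
FIXED_CONFIG = (
    SAMPLE_CONFIG
    .replace("ip default-gateway 192.168.0.1\n", "")
    .replace("ip route 0.0.0.0 0.0.0.0 Vlan3", "ip route 0.0.0.0 0.0.0.0 192.168.0.1")
    .replace("access-list 10 permit any", "access-list 10 permit 10.0.0.0 0.0.0.255")
)

if __name__ == "__main__":
    for name, cfg in (("before", SAMPLE_CONFIG), ("after", FIXED_CONFIG)):
        print(name, lint_ios_config(cfg) or ["no findings"])
```

The Dialer1 route in the sample is deliberately left unflagged: a PPP dialer is point-to-point, so an interface-only route there is the normal form, which is exactly the distinction Peter draws.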
03-16-2015 12:32 AM
Hello Peter,
it works perfectly, thank you. And thanks also for the explanation of the whole topic. One thing I don't understand - why in the access list for the original mask 255.255.255.0 is the wildcard mask 0.255.255.255? Shouldn't the right mask be 0.0.0.255?
Peter, thank you very much for all your help, now I won´t forget anytime ;)
With regards
Ondrej
03-16-2015 01:06 AM
Hi Ondrej,
You're welcome - and I am very glad it works!
One thing I don't understand - why in the access list for the original mask 255.255.255.0 is the wildcard mask 0.255.255.255? Shouldn't the right mask be 0.0.0.255?
You are correct that for a subnet mask of 255.255.255.0, the correct wildcard mask is 0.0.0.255. I have originally made an assumption that you may be using any IP subnets from the 10.0.0.0/8 private address space. You are currently using 10.0.0.0/24 but soon, depending on your needs, you may be using 10.0.1.0/24 or others, so I just went and created an ACL for the entire 10.0.0.0/8 address space right away.
Best regards,
Peter
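To make the wildcard-mask exchange above concrete, here is an added example (not code from this thread or from Cisco) that evaluates a Cisco standard access list the way the router does: a wildcard bit of 1 means "don't care", the first matching entry wins, and an unmatched address hits the implicit deny at the end. It shows why 10.0.0.0 0.0.0.255 matches only the /24 Ondrej uses today while 10.0.0.0 0.255.255.255 also covers the future 10.0.1.0/24 Peter mentions. The ACL lines it parses are constructed from the ones posted in the thread; the parser handles only standard (source-only) entries and is not a full IOS ACL implementation.

```python
"""Added example: evaluate a Cisco standard ACL with wildcard masks.
Not code from the thread or from Cisco."""
import ipaddress


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_from_netmask(netmask: str) -> str:
    """Invert a dotted subnet mask: 255.255.255.0 -> 0.0.0.255."""
    return str(ipaddress.IPv4Address(_to_int(netmask) ^ 0xFFFFFFFF))


def matches(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: bits set to 1 in the wildcard are ignored,
    so compare only the bits that are 0 in the wildcard."""
    keep = _to_int(wildcard) ^ 0xFFFFFFFF
    return (_to_int(addr) & keep) == (_to_int(network) & keep)


def parse_standard_acl(lines):
    """Parse 'access-list N permit|deny <source>' lines into
    (action, network, wildcard) tuples, in order. Remarks are skipped."""
    entries = []
    for ln in lines:
        parts = ln.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        action = parts[2]
        if action not in ("permit", "deny"):
            continue  # e.g. "access-list 120 remark ..."
        src = parts[3]
        if src == "any":
            entries.append((action, "0.0.0.0", "255.255.255.255"))
        elif src == "host":
            entries.append((action, parts[4], "0.0.0.0"))
        elif len(parts) == 4:
            entries.append((action, src, "0.0.0.0"))  # bare address means host
        else:
            entries.append((action, src, parts[4]))
    return entries


def evaluate(entries, addr: str) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, network, wildcard in entries:
        if matches(addr, network, wildcard):
            return action
    return "deny"


# Constructed ACLs: the /24-only form Ondrej asked about, and Peter's /8 form.
ACL_24 = parse_standard_acl(["access-list 10 permit 10.0.0.0 0.0.0.255"])
ACL_8 = parse_standard_acl(["access-list 10 permit 10.0.0.0 0.255.255.255"])


def demo() -> dict:
    return {
        "wildcard for 255.255.255.0": wildcard_from_netmask("255.255.255.0"),
        "wildcard for 255.0.0.0": wildcard_from_netmask("255.0.0.0"),
        "10.0.0.5 against /24 ACL": evaluate(ACL_24, "10.0.0.5"),
        "10.0.1.5 against /24 ACL": evaluate(ACL_24, "10.0.1.5"),
        "10.0.1.5 against /8 ACL": evaluate(ACL_8, "10.0.1.5"),
        "192.168.0.150 against /8 ACL": evaluate(ACL_8, "192.168.0.150"),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

Note that the /8 entry still excludes the WAN address 192.168.0.150, so NAT is never applied to traffic sourced from the outside interface itself, which is the real point of replacing "permit any".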