886VA as a classical router (ethernet)

ondrej.gorcik1
Level 1

Hello,

we have been using an 886VA router for a few years connected to a VDSL link. Now we are changing to a symmetric line and it is terminated as Ethernet (fixed IP). Is there any chance to use WAN Ethernet on this ADSL router? It would not be a VDSL line anymore. And if yes, could somebody help me with the configuration? I am not very strong in IOS.

Thank you guys

Ondrej


9 Replies

Peter Paluch
Cisco Employee

Hi Ondrej,

If I understand you correctly, your new internet connection is provided over a simple Ethernet handoff, is that correct?

I believe that it should be possible to make your router to work as a common router, routing between Ethernet segments, assuming the following items are true:

  • You have at least one free port in the 4-port built-in switch
  • You can create VLANs on the router and assign the switchports into independent VLANs

Do you believe it would be possible for you to post the existing sanitized configuration of the router?

Thanks!

Best regards,
Peter

Hi Peter,

that is correct. And the items you mentioned are true (one free port, create vlan). Here is the existing configuration: 

Current configuration : 3825 bytes
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$hrZB$QBuiJ19v0xvzckx9czDsy1
enable password ----------------
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpn_xauth_ml_1 local
aaa authentication login sslvpn local
aaa authorization network vpn_group_ml_1 local 
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
!
!
!
!
ip dhcp excluded-address 10.0.0.138
ip dhcp excluded-address 10.0.0.23 10.0.0.24
ip dhcp excluded-address 10.0.0.200
ip dhcp excluded-address 10.0.0.25
!
ip dhcp pool DHCP_SERVER
 network 10.0.0.0 255.255.255.0
 default-router 10.0.0.138 
 dns-server 93.153.117.1 
 lease 7
!
ip dhcp pool DHC_SERVER
 dns-server 8.8.8.8 
!
!
!
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
!
license udi pid CISCO886VA-K9 sn FCZ1721C1MV
!
!
username vpntendra secret 4 cWYxPQmiK2DFs.v7Bt18Dfs3s0p5xo/xsS7q5iktz96
username admin secret 4 cWYxPQmiK2DFs.v7Bt18Dfs3s0p5xo/xsS7q5iktz96
!
!
!
!
!
controller VDSL 0
!

!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group CCLIENT-VPN
 key ------------
 dns 10.0.0.138
 pool VPN-pool
 acl 120
 max-users 10
crypto isakmp profile vpn-ike-profile-1
   match identity group CCLIENT-VPN
   client authentication list vpn_xauth_ml_1
   isakmp authorization list vpn_group_ml_1
   client configuration address respond
   virtual-template 2
!
!
crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac 
 mode tunnel
!
crypto ipsec profile VPN-Profile-1
!
!
!
!
!
!
!
interface Ethernet0
 no ip address
!
interface Ethernet0.4
!
interface Ethernet0.848
 encapsulation dot1Q 848
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface FastEthernet0
 switchport access vlan 7
 no ip address
!
interface FastEthernet1
 switchport access vlan 7
 no ip address
!
interface FastEthernet2
 no ip address
 shutdown
!
interface FastEthernet3
 no ip address
 shutdown
!
interface Virtual-Template2 type tunnel
 ip unnumbered Vlan7
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-Profile-1
!
interface Vlan1
 no ip address
 ip nat inside
 ip nat enable
 ip virtual-reassembly in
!
interface Vlan7
 ip address 10.0.0.138 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Dialer1
 bandwidth 30000
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname TO2
 ppp chap password 0 TO2
 ppp ipcp dns request
 ppp ipcp mask request
 ppp ipcp route default
 no cdp enable
!
ip local pool VPN-pool 10.0.0.181 10.0.0.186
ip forward-protocol nd
no ip http server
no ip http secure-server
!
no ip nat service sip udp port 5060
ip nat inside source list 10 interface Dialer1 overload
ip default-network 10.0.0.0
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 10 permit any
access-list 120 remark == CISCO VPN USERS ==
access-list 120 permit ip any host 10.0.0.181
access-list 120 permit ip any host 10.0.0.182
access-list 120 permit ip any host 10.0.0.183
access-list 120 permit ip any host 10.0.0.184
access-list 120 permit ip any host 10.0.0.185
access-list 120 permit ip any host 10.0.0.186
dialer-list 1 protocol ip permit
!
snmp-server community public RO
!
!
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 password ----------------
 transport input all
!
!
end

 

Thank you very much for your interest.

 

Ondrej

Hello Ondrej,

Thanks for the configuration.

Okay, let me suggest a change to your configuration with the following assumptions:

  • We will need a separate switchport to connect to the new Ethernet WAN connection. The FastEthernet3 seems to be unused - let's use that one.
  • We will need a separate VLAN on the switch to represent the new Ethernet WAN connection and to put the Fa3 interface into. Any VLAN number unused on the switch will do. I suggest using VLAN3.
  • I do not know whether you will assign a static IP address for the new Ethernet WAN connection, or if you are going to receive it via DHCP. For now, I am assuming it is going to be done via DHCP. I do not suppose you are going to run PPPoE on the new Ethernet WAN connection. If so, the configuration will need to be changed. I am assuming a plain IP-over-Ethernet for now.
  • The modifications to the configuration will keep your existing DSL connectivity intact, and will only add the configuration necessary for the new Ethernet WAN to become active but not used yet. The existing default route will not be changed and the internet will continue to be accessed over the DSL only. This way, you can gradually migrate to the new connection once it is there.

The lines you can directly paste into the configuration that would do the necessary modifications and corrections are as follows:

!!! Step 1
vlan 3
 name WAN-Internet
 exit

!!! Step 2
interface FastEthernet3
 switchport access vlan 3
 switchport mode access
 spanning-tree portfast ! This command may not be supported
 no shutdown
 exit

!!! Step 3
interface Vlan3
 ip address dhcp
 ip nat outside
 no shutdown
 exit

!!! Step 4 - You will be prompted to answer 'yes' after the next command
no ip nat inside source list 10 interface Dialer1 overload

!!! Step 5
no access-list 10

!!! Step 6
access-list 10 permit 10.0.0.0 0.255.255.255

!!! Step 7
route-map NAT-Dialer1 permit 10
 match interface Dialer1
 match ip address 10
 exit
route-map NAT-Vlan3 permit 10
 match interface Vlan3
 match ip address 10
 exit

!!! Step 8
ip nat inside source route-map NAT-Dialer1 interface Dialer1 overload
ip nat inside source route-map NAT-Vlan3 interface Vlan3 overload

!!! Step 9
no ip default-network 10.0.0.0
no interface Ethernet0.4

 

To explain what is done in steps:

  1. VLAN 3 is created and assigned a name
  2. Interface Fa3 is made an access port (a member of a single VLAN) in VLAN 3, activated and asked to become forwarding immediately in STP, saving 30 seconds
  3. Interface Vlan3 is created, representing the new Ethernet WAN connection reachable over VLAN 3. The interface is told to get its IP address via DHCP and to act as a NAT outside interface. Note that the DHCP will also assign a default route to your router but because DHCP-derived default routes have an administrative distance of 254, they will be less preferred and therefore not installed into your routing table if a better default route is available - and it truly is, the one already configured over the Dialer1 interface, having its default administrative distance of 1.
  4. We need to remove the old NAT configuration because with two uplinks, the NAT has to pay attention not just to the source IP address but also to the outgoing interface, and do the translation depending on what WAN interface the packet is going to be forwarded. Therefore, the existing NAT configuration must be removed and replaced. Removing the existing ip nat inside source... command will most probably cause the router to inform you that there are NAT translations already in place, and if you remove that command, they will be deleted. Make sure to answer 'yes' when prompted.
  5. Your existing ACL 10 is bad. Using a "permit any" style of ACL for NAT purposes is officially unsupported, and could lead to problems. I am therefore deleting the old ACL.
  6. ACL 10 is recreated correctly, permitting all inside stations from the 10.0.0.0/8 space to be NATted. I assume that the public IP addresses you are going to get from your ISP are not from the same space. If they are, we will need to correct the ACL again.
  7. Two route-maps are created. A route-map is a complex matching construction that allows IOS to make choices based not only on IP addressing but also on other criteria. In this case, I am going to use it to match both on the sender IP address (the match ip address criterion) and the egress interface the packet is going to be routed out (the match interface criterion).
  8. NAT is activated again, this time using the route-maps from the previous step as the selection criteria to know when and how to translate packets. If a packet is from 10.0.0.0/8 and is going to be routed out the Dialer1 interface, rewrite the sender to the IP address of the Di1 interface. If a packet is from 10.0.0.0/8 and is going to be routed out the Vlan3 interface, rewrite the sender to the IP address of the Vlan3 interface.
  9. Useless commands from your configuration are removed. The ip default-network is a fossil from very, very old IOS versions and the less you know about it, the better ;) The Ethernet0.4 subinterface was obviously created but not finalized, and you do not appear to be using it so I am removing it to reduce the clutter.

Please save your existing configuration before changing it.

Any questions and feedback are welcome. Please keep us posted about how this worked for you.

Best regards,
Peter
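To make steps 3 through 8 of the solution above concrete, here is a small Python model of what the router does with a packet once both uplinks exist. It is an added example, not code from the thread or from IOS: it installs one route per prefix by administrative distance (the DHCP-learned default on Vlan3 at AD 254 loses to the static Dialer1 default at AD 1), picks the egress interface by longest prefix, and then applies the two route-map NAT rules, which fire only when the packet is both sourced from the ACL 10 network and leaving on the interface named in the route-map. The interface names, the 10.0.0.0/8 inside network and the administrative distances come from the thread; the Dialer1 address 203.0.113.7 (a documentation-range address), the Vlan3 address 192.168.0.150 and the sample packets are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    egress: str            # interface the packet leaves on
    admin_distance: int    # 0 connected, 1 static, 254 DHCP-learned default


class Router:
    def __init__(self, candidates, iface_addrs, nat_rules):
        self.candidates = candidates    # every route offered to the routing table
        self.iface_addrs = iface_addrs  # interface name -> the interface's own IPv4 address
        self.nat_rules = nat_rules      # (route-map name, egress interface, inside network)

    def rib(self):
        """One installed route per prefix: the lowest administrative distance wins.
        This is why the DHCP default on Vlan3 (AD 254) stays out of the table while
        the static default over Dialer1 (AD 1) is present."""
        best = {}
        for r in self.candidates:
            cur = best.get(r.prefix)
            if cur is None or r.admin_distance < cur.admin_distance:
                best[r.prefix] = r
        return list(best.values())

    def lookup(self, dst):
        """Longest-prefix match of dst against the installed routes."""
        dst = ipaddress.ip_address(dst)
        hits = [r for r in self.rib() if dst in r.prefix]
        return max(hits, key=lambda r: r.prefix.prefixlen, default=None)

    def translate(self, src, dst):
        """Apply 'ip nat inside source route-map X interface Y overload'.
        A route-map clause matches only when BOTH of its criteria hold:
          match interface <egress>  -> the packet is routed out that WAN interface
          match ip address 10       -> the source is inside the ACL 10 network
        Returns (egress interface, source address after NAT)."""
        route = self.lookup(dst)
        if route is None:
            return None, None              # no route at all: dropped, never translated
        src = ipaddress.ip_address(src)
        for _name, iface, inside in self.nat_rules:
            if route.egress == iface and src in inside:
                return route.egress, self.iface_addrs[iface]
        return route.egress, str(src)      # forwarded untranslated


def build_router(dsl_up=True):
    """Routes and NAT rules as in the thread's step 3-8 configuration."""
    inside = ipaddress.ip_network("10.0.0.0/8")  # access-list 10 permit 10.0.0.0 0.255.255.255
    candidates = [
        Route(ipaddress.ip_network("10.0.0.0/24"), "Vlan7", 0),   # connected LAN (interface Vlan7)
        Route(ipaddress.ip_network("0.0.0.0/0"), "Vlan3", 254),   # default learned by DHCP on Vlan3
    ]
    if dsl_up:
        # ip route 0.0.0.0 0.0.0.0 Dialer1
        candidates.append(Route(ipaddress.ip_network("0.0.0.0/0"), "Dialer1", 1))
    iface_addrs = {
        "Dialer1": "203.0.113.7",    # assumed PPP-negotiated address (documentation range)
        "Vlan3": "192.168.0.150",    # assumed DHCP-assigned address
    }
    nat_rules = [
        ("NAT-Dialer1", "Dialer1", inside),  # route-map NAT-Dialer1 permit 10
        ("NAT-Vlan3", "Vlan3", inside),      # route-map NAT-Vlan3 permit 10
    ]
    return Router(candidates, iface_addrs, nat_rules)


if __name__ == "__main__":
    r = build_router()
    print(r.translate("10.0.0.50", "8.8.8.8"))                            # ('Dialer1', '203.0.113.7')
    print(build_router(dsl_up=False).translate("10.0.0.50", "8.8.8.8"))  # ('Vlan3', '192.168.0.150')
    print(r.translate("10.0.0.50", "10.0.0.138"))                         # ('Vlan7', '10.0.0.50')
```

Removing the Dialer1 default route (dsl_up=False) is the moment of migration: the DHCP default becomes the best route, the same LAN packet now leaves on Vlan3, and the second route-map translates it to the Vlan3 address. LAN-to-LAN traffic and sources outside 10.0.0.0/8 are never translated, which is the point of replacing the old "permit any" ACL.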

Hello Peter,
today I will try to configure the router and I will try to connect through the Ethernet line (the new one). Could there be any problem with VPN? Or any other problem?

Thank you very much

With regards

 

Ondrej

Peter, I received some information from the new provider. Now I have the IP address, mask, GW and DNS servers. So the address is fixed. This information I will put on interface Vlan3, is that right? And how will I change the VPN to communicate with this interface?

Thank you very much, Peter.

With regards

Ondrej

Hello Peter,

I am a little bit confused by the router (or in fact by myself). The whole weekend I have been trying to set it up and nothing works. I saved the configuration I sent to you last time and reset the router to defaults. I will not use VDSL anymore so I got rid of all that stuff. Here is the current configuration. Is there anything wrong? Do you have any idea why it is not connecting to the internet?

 

Current configuration : 1759 bytes
!
! Last configuration change at 10:13:42 UTC Sun Mar 15 2015
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 cWYxPQmiK2DFs.v7Bt18Dfs3s0p5xo/xsS7q5iktz96
!
no aaa new-model
memory-size iomem 10
!
!
!
!
!
ip dhcp excluded-address 10.0.0.138
ip dhcp excluded-address 10.0.0.1 10.0.0.50
ip dhcp excluded-address 10.0.0.150
!
ip dhcp pool DHCP
 import all
 network 10.0.0.0 255.255.255.0
 dns-server 10.0.0.138 
 default-router 10.0.0.138 
 lease 7
!
!
!
ip cef
no ipv6 cef
!
!
license udi pid CISCO886VA-K9 sn FCZ1721C1MV
!
!
!
!
!
!
!
controller VDSL 0
!

!
!
!
!
!
!
!
!
interface Ethernet0
 no ip address
 shutdown
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface FastEthernet0
 switchport access vlan 7
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 switchport access vlan 3
 no ip address
 spanning-tree portfast
!
interface Vlan1
 no ip address
!
interface Vlan3
 description WAN-Internet
 ip address 192.168.0.150 255.255.255.0
 ip nat outside
 no ip virtual-reassembly in
!
interface Vlan7
 ip address 10.0.0.138 255.255.255.0
 ip nat inside
 no ip virtual-reassembly in
!
ip default-gateway 192.168.0.1
ip forward-protocol nd
ip http server
no ip http secure-server
!
ip nat inside source list 10 interface Vlan3 overload
ip route 0.0.0.0 0.0.0.0 Vlan3
!
access-list 10 permit 10.0.0.0 0.255.255.255
!
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 login
 transport input all
!
!
end

 

Thank you, Peter.

With regards

 

Ondrej

Hi Ondrej,

I am sorry for replying late.

The primary problem I see with your configuration is the way you have configured your default route. You have basically pointed out the Vlan3 interface, without telling the router who the next hop is. This way of configuring default routes (or any static route in general) works fine only with point-to-point interfaces, such as PPP links or similar connections. However, it may not work properly with multi-access interfaces such as Ethernet where there can be multiple routers reachable over that interface.

The router now assumes that the entire internet is directly connected to your Vlan3 interface (just have a look at your show ip route output - it will tell you that the 0.0.0.0/0 is directly connected), and acts accordingly: It simply tries to ARP for every packet's destination, just the way it would do with any destination in a directly connected network. Obviously, the entire internet is not directly connected to your Vlan3 interface, so the destinations do not hear your router's ARP requests, and that is why the internet connection may fail.

Sometimes it may work because the upstream router at the ISP may have its Proxy ARP function turned on - the Proxy ARP function allows a router to answer ARP queries looking for any address to which the router knows a route. However, it is a best practice to have Proxy ARP deactivated, and it seems that your provider has done just that. Even if the Proxy ARP was active at your ISP's router, relying on it would create huge ARP traffic, sloppy performance, excessively large ARP tables and in worst cases, memory exhaustion on your router and intermittent reloads.

To sum it up shortly: Whenever defining a static route out an Ethernet or any other multi-access interface, always use the next hop IP address if possible, and avoid creating static routes defined using egress interfaces only.

This issue has been discussed many times on this forum but it keeps popping again and again so that's why I am so outspoken about this :)

This is the set of commands I recommend pasting into your configuration that will correct the configuration:

no ip default-gateway
no ip route 0.0.0.0 0.0.0.0 Vlan3
ip route 0.0.0.0 0.0.0.0 192.168.0.1

I see you have used the ip default-gateway command. This command can be quite confusing. The fact is that this command has an effect only if the device has IP routing deactivated - in other words, if the device does not operate as an IP router and does not have a routing table. On routers, this command is practically useless because you want your routers to do IP routing so you almost never turn off the IP routing function on them. So while you have configured it, your router ignores it because its routing is still active and it uses its routing table to direct packets. That is why I am removing this command along with the incorrect static default route, and I am replacing it with an explicit default route directed to 192.168.0.1. Please try out these commands.

Just to complete the thought, the ip default-gateway would be used on switches that do not perform routing - for these, this is the only way of defining a default gateway, as they do not have a routing table.

If these modifications do not work then I will need further diagnostic output from your router - the full outputs of the following commands:

show ip route
show ip interface brief
ping 192.168.0.150
ping 192.168.0.1

 

Thanks!

Best regards,
Peter
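The difference between an interface-only default route and a next-hop default route, modelled in a few lines of Python. This is an added example, not code from the thread: it works out which address the router has to resolve with ARP before it can send a packet, with the provider's router answering only for its own address unless Proxy ARP is enabled, and it counts the ARP cache entries each form of the route produces. The interface names, the 192.168.0.0/24 handoff and the gateway 192.168.0.1 come from the thread; the destination hosts (198.51.100.x and 203.0.113.5, documentation ranges) and the ISP router's behaviour are constructed for the example.

```python
import ipaddress

# Interfaces as in the thread. Dialer1 (PPP) is point-to-point and needs no ARP;
# Vlan3 and Vlan7 are Ethernet (multi-access) and do.
POINT_TO_POINT = {"Dialer1"}
CONNECTED = {
    "Vlan3": ipaddress.ip_network("192.168.0.0/24"),   # WAN handoff, router is .150
    "Vlan7": ipaddress.ip_network("10.0.0.0/24"),      # LAN, router is .138
}


def arp_target(dst, route_iface, route_next_hop=None):
    """Address the router must resolve via ARP to forward dst over the given route.
    None means no ARP is needed at all (point-to-point link)."""
    if route_iface in POINT_TO_POINT:
        return None
    dst_addr = ipaddress.ip_address(dst)
    if dst_addr in CONNECTED[route_iface]:
        return str(dst_addr)          # genuinely on the segment: ARP for the host itself
    # Interface-only route ("ip route 0.0.0.0 0.0.0.0 Vlan3"): the destination is treated
    # as directly connected and the router ARPs for the destination address itself.
    # Next-hop route ("ip route 0.0.0.0 0.0.0.0 192.168.0.1"): the router ARPs for the gateway.
    return route_next_hop or str(dst_addr)


def isp_router_replies(target, isp_addr="192.168.0.1", proxy_arp=False):
    """Constructed model of the provider's router on the handoff segment: it answers ARP
    for its own address, and for foreign addresses only when Proxy ARP is enabled."""
    if target == isp_addr:
        return True
    return proxy_arp


def can_forward(dst, route_iface, route_next_hop=None, proxy_arp=False):
    """True when the router can actually put the packet for dst on the wire."""
    target = arp_target(dst, route_iface, route_next_hop)
    if target is None:
        return True
    return isp_router_replies(target, proxy_arp=proxy_arp)


def arp_entries_needed(destinations, route_iface, route_next_hop=None):
    """Distinct ARP cache entries the router builds to reach all destinations.
    With an interface-only default route every internet host gets its own entry."""
    targets = {arp_target(d, route_iface, route_next_hop) for d in destinations}
    targets.discard(None)
    return len(targets)


if __name__ == "__main__":
    # Constructed sample: three public hosts from the documentation address ranges.
    hosts = ["198.51.100.10", "198.51.100.11", "203.0.113.5"]
    print(can_forward(hosts[0], "Vlan3"))                    # False: ARP for 198.51.100.10 goes unanswered
    print(can_forward(hosts[0], "Vlan3", proxy_arp=True))    # True, but only thanks to Proxy ARP
    print(can_forward(hosts[0], "Vlan3", "192.168.0.1"))     # True: ARP for the gateway
    print(arp_entries_needed(hosts, "Vlan3"),
          arp_entries_needed(hosts, "Vlan3", "192.168.0.1"))  # 3 1
```

The last line is the scaling problem in miniature: with the interface-only route the ARP cache grows with the number of distinct internet destinations, while with a next-hop route it holds a single entry for 192.168.0.1 regardless of how many hosts are contacted.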

Hello Peter,

it works perfectly, thank you. And thanks also for the explanation of the whole topic. One thing I don't understand: why, in the access list for the original mask 255.255.255.0, is the wildcard mask 0.255.255.255? Shouldn't the right mask be 0.0.0.255?

Peter, thank you very much for all your help, now I won't forget it any time ;)

With regards

 

Ondrej

Hi Ondrej,

You're welcome - and I am very glad it works!

One thing I don't understand: why, in the access list for the original mask 255.255.255.0, is the wildcard mask 0.255.255.255? Shouldn't the right mask be 0.0.0.255?

You are correct that for a subnet mask of 255.255.255.0, the correct wildcard mask is 0.0.0.255. I have originally made an assumption that you may be using any IP subnets from the 10.0.0.0/8 private address space. You are currently using 10.0.0.0/24 but soon, depending on your needs, you may be using 10.0.1.0/24 or others, so I just went and created an ACL for the entire 10.0.0.0/8 address space right away.

Best regards,
Peter
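How a wildcard mask is actually evaluated, as an added Python example (not from the thread or from IOS). A wildcard bit of 1 means "do not care", so the mask is the bitwise inverse of the subnet mask, and a standard ACL entry matches when every bit the wildcard marks as significant is equal between the packet's source and the ACL address. The addresses 10.0.0.0, 10.0.1.0/24 and 192.168.0.150 come from the thread; the odd-hosts entry at the end is an assumption added to show that wildcard bits need not be contiguous, which is where the "inverse netmask" shortcut stops being the whole story.

```python
import ipaddress


def wildcard_from_prefixlen(prefixlen):
    """0.0.0.255 for /24, 0.255.255.255 for /8: the bitwise inverse of the netmask."""
    netmask = int(ipaddress.ip_network(f"0.0.0.0/{prefixlen}").netmask)
    return str(ipaddress.ip_address(netmask ^ 0xFFFFFFFF))


def acl_matches(addr, acl_addr, wildcard):
    """One standard ACL entry: bits where the wildcard is 0 must be equal,
    bits where the wildcard is 1 are ignored."""
    a = int(ipaddress.ip_address(addr))
    b = int(ipaddress.ip_address(acl_addr))
    w = int(ipaddress.ip_address(wildcard))
    return ((a ^ b) & ~w) == 0


def acl_permits(addr, entries):
    """Evaluate a numbered standard ACL top-down with the implicit deny at the end.
    entries: list of (action, address, wildcard); ("permit", "any", None) is allowed."""
    for action, acl_addr, wildcard in entries:
        if acl_addr == "any" or acl_matches(addr, acl_addr, wildcard):
            return action == "permit"
    return False


# The thread's two candidate ACLs for NAT.
ACL10_SLASH8 = [("permit", "10.0.0.0", "0.255.255.255")]   # access-list 10 permit 10.0.0.0 0.255.255.255
ACL10_SLASH24 = [("permit", "10.0.0.0", "0.0.0.255")]      # what the /24 LAN alone would need
ACL10_ANY = [("permit", "any", None)]                       # the original access-list 10 permit any

if __name__ == "__main__":
    print(wildcard_from_prefixlen(24), wildcard_from_prefixlen(8))   # 0.0.0.255 0.255.255.255
    print(acl_permits("10.0.1.5", ACL10_SLASH24))   # False: a future 10.0.1.0/24 would not be NATted
    print(acl_permits("10.0.1.5", ACL10_SLASH8))    # True
    print(acl_permits("192.168.0.150", ACL10_SLASH8), acl_permits("192.168.0.150", ACL10_ANY))  # False True
    # Assumed extra entry: wildcard 0.0.0.254 keeps only the last bit significant, so it
    # matches exactly the odd host addresses in 10.0.0.0/24.
    print(acl_matches("10.0.0.7", "10.0.0.1", "0.0.0.254"), acl_matches("10.0.0.8", "10.0.0.1", "0.0.0.254"))  # True False
```

The 192.168.0.150 case shows why the /8 entry is preferable to "permit any" for NAT on this router: the WAN interface's own address falls outside the ACL, so only LAN-sourced traffic is ever a candidate for translation.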
