01-18-2018 08:18 AM - edited 03-05-2019 09:47 AM
Given a dialer is associated with a physical interface, say ATM0, is there any functional difference in where I put the "ip inspect..." entry? The same question goes for the ACLs, and the "ip nat outside" configurations.
If there is no functional difference, then can I assume the correct placement of the firewall configuration only depends on how I want to keep things flexible for future changes? For example, if the dialer is always going to be on the public-facing interface, but that physical interface may change, then I would want these settings on the dialer. However, if my public-facing physical interface is fixed, but the dialer may change, then I may want these on the physical interface?
What if these configurations appear on both the dialer and the associated physical interface?
01-18-2018 08:27 AM - edited 01-18-2018 08:29 AM
Hi David,
As a general rule, almost every interface command that starts with the ip keyword is effective only on an interface that is itself IP-enabled - and for an interface to be IP-enabled, it must have an IP address assigned. The exceptions, obviously, are the ip address and ip unnumbered commands that enable IP on an interface by assigning an IP address to it.
With a Dialer interface that refers to an underlying physical ATM interface, it is the Dialer interface that holds the entire IP configuration. Therefore, the ip inspect and other IP features should also be configured on the Dialer interface. I am not sure if the ATM interface would accept that command, but even if it did, the ip inspect would have absolutely no effect because, as far as the ATM interface is concerned, it is not an interface that itself runs IP.
Therefore, ip inspect, ip nat, ip access-group, ip mtu, ip virtual-reassembly, ip tcp adjust-mss, etc. - all these commands only make sense on the Dialer, and would have no effect on the underlying ATM interface if that interface does not have an IP address on its own - which, in PPPoE or PPPoA, it does not.
This is, by the way, the same issue as with subinterfaces when a router uses a set of VLAN subinterfaces under a physical interface, with the physical interface not being configured for an IP address on its own (in other words, the native VLAN is not used). Enabling NAT, IP Inspect, etc. on the physical interface has no effect, because the physical interface is not IP-enabled - and even if it was, the configuration would apply only to the IP network on the physical interface itself, not to the subinterfaces. All these features have to be configured on the IP-enabled subinterfaces.
Feel welcome to ask further!
Best regards,
Peter
01-18-2018 01:24 PM
Peter,
Thanks. So would you consider the "Configuration Example" at: https://www.cisco.com/c/en/us/td/docs/routers/access/800/software/configuration/guide/SCG800Guide/SCG800Guide_chapter_010110.html
incorrect, since there are two "ip..." commands in the ATM0 part of the configuration?
Dave
01-18-2018 02:06 PM
Hi Dave,
You are welcome.
So would you consider the "Configuration Example" at
incorrect, since there are two "ip..." commands in the ATM0 part of the configuration?
Yes, the configuration example is indeed wrong. The ip nat outside and ip virtual-reassembly commands should have been put on the Dialer0 interface instead. Their placement on the ATM0 interface is wrong and useless. The configuration as shown would not successfully enable NAT.
I will try to raise an internal request to have the documentation corrected.
Best regards,
Peter
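The placement rule Peter states in both replies (IP features such as ip nat, ip inspect, ip access-group and ip virtual-reassembly only act on an interface that carries an ip address or ip unnumbered, so they belong on Dialer0 rather than ATM0, and on VLAN subinterfaces rather than their physical parent) can be turned into a mechanical check against a saved running-config. The script below is an added example written for this page, not code from the thread or from Cisco; the two configurations it embeds are constructed to resemble the situation discussed and are not the documentation example Dave linked. It covers both the Dialer case from the posts and the subinterface case from the first reply: for each interface with no IP enabled it reports any IP feature command found there and, where it can tell, which interface should hold the command instead (the Dialer that owns the matching dialer pool, or the IP-enabled subinterfaces of that parent).

```python
"""Lint a Cisco IOS configuration for IP feature commands placed on
interfaces that are not IP-enabled (no `ip address` / `ip unnumbered`).

Added example, not from the thread. The sample configs below are
constructed for illustration, not the Cisco documentation example.
"""
import re
from collections import OrderedDict

# Interface-level commands that only take effect on an IP-enabled interface.
IP_FEATURE_PREFIXES = (
    "ip inspect", "ip nat", "ip access-group", "ip mtu",
    "ip virtual-reassembly", "ip tcp adjust-mss",
)
# Commands that make an interface IP-enabled in the first place.
IP_ENABLING_PREFIXES = ("ip address", "ip unnumbered")


def parse_interfaces(config):
    """Return an ordered mapping: interface name -> list of its indented lines."""
    interfaces = OrderedDict()
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            # Sub-mode lines (e.g. under `pvc 0/35`) are kept with the interface.
            interfaces[current].append(line.strip())
        else:
            current = None  # back in global configuration mode
    return interfaces


def is_ip_enabled(lines):
    return any(l.startswith(IP_ENABLING_PREFIXES) for l in lines)


def _suggested_target(name, lines, interfaces, pool_to_dialer):
    """Where the misplaced command should live, if the config tells us."""
    for l in lines:
        m = re.match(r"(?:dialer pool-member|pppoe-client dial-pool-number) (\d+)", l)
        if m and m.group(1) in pool_to_dialer:
            return pool_to_dialer[m.group(1)]
    subifs = [n for n in interfaces
              if n.startswith(name + ".") and is_ip_enabled(interfaces[n])]
    if subifs:
        return ", ".join(subifs)
    return "an IP-enabled interface"


def lint(config):
    """Return (interface, command, suggested_interface) for each misplaced command."""
    interfaces = parse_interfaces(config)
    pool_to_dialer = {}  # dialer pool number -> Dialer interface owning it
    for name, lines in interfaces.items():
        for l in lines:
            m = re.match(r"dialer pool (\d+)$", l)
            if m:
                pool_to_dialer[m.group(1)] = name
    findings = []
    for name, lines in interfaces.items():
        if is_ip_enabled(lines):
            continue
        target = _suggested_target(name, lines, interfaces, pool_to_dialer)
        for l in lines:
            if l.startswith(IP_FEATURE_PREFIXES):
                findings.append((name, l, target))
    return findings


# Constructed sample: NAT and virtual-reassembly on the non-IP ATM0 (wrong),
# plus an ACL on a physical parent whose IP lives on a VLAN subinterface.
WRONG_CONFIG = """\
interface ATM0
 no ip address
 ip nat outside
 ip virtual-reassembly
 pvc 0/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface Dialer0
 ip address negotiated
 encapsulation ppp
 dialer pool 1
!
interface FastEthernet0
 no ip address
 ip access-group 100 in
!
interface FastEthernet0.10
 encapsulation dot1Q 10
 ip address 192.0.2.1 255.255.255.0
 ip nat inside
"""

# Same constructed network with the commands moved where they take effect.
FIXED_CONFIG = WRONG_CONFIG.replace(
    " ip nat outside\n ip virtual-reassembly\n", "").replace(
    " dialer pool 1\n", " dialer pool 1\n ip nat outside\n ip virtual-reassembly\n").replace(
    " ip access-group 100 in\n", "").replace(
    " ip nat inside\n", " ip nat inside\n ip access-group 100 in\n")

if __name__ == "__main__":
    for iface, cmd, target in lint(WRONG_CONFIG):
        print(f"{iface}: '{cmd}' has no effect here (no IP on interface); move it to {target}")
    print("fixed config findings:", lint(FIXED_CONFIG))
```

Run it against `show running-config` output saved to a file by replacing `WRONG_CONFIG` with the file contents; an empty result from `lint()` means every ip nat / ip inspect / ip access-group / ip virtual-reassembly line sits on an interface that actually carries IP. The check is deliberately conservative: an interface that has its own address but also hosts subinterfaces is not flagged, even though, as the first reply notes, features on the parent still do not apply to the subinterfaces.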