
ATM interface vs Dialer interface: where to set "ip inspect..." , nat and ACL?

David Johnson
Level 1

Given a dialer is associated with a physical interface, say ATM0, is there any functional difference in where I put the "ip inspect..." entry? The same question goes for the ACLs, and the "ip nat outside" configurations.


If there is no functional difference, then can I assume the correct placement of the firewall configuration only depends on how I want to keep things flexible for future changes? For example, If the dialer is always going to be on the public facing interface, but that physical interface may change, then I would want these settings on the dialer. However, if my public facing physical interface is fixed, but the dialer may change, then I may want these on the physical interface??


what if these configurations appear on both the dialer, and associated physical interface?

3 Replies

Peter Paluch
Cisco Employee

Hi David,

As a general rule, almost every interface command that starts with the ip keyword is effective only on an interface that is itself IP-enabled - and for an interface to be IP-enabled, it must have an IP address assigned. The exceptions, obviously, are the ip address and ip unnumbered commands that enable IP on an interface by assigning an IP address to it.

With a Dialer interface that refers to an underlying physical ATM interface, it is the Dialer interface that holds the entire IP configuration. Therefore, the ip inspect and other IP features should also be configured on the Dialer interface. I am not sure if the ATM interface would accept that command, but even if it did, the ip inspect would have absolutely no effect because, as far as the ATM interface is concerned, it is not an interface that itself runs IP.

Therefore, ip inspect, ip nat, ip access-group, ip mtu, ip virtual-reassembly, ip tcp adjust-mss, etc. - all these commands only make sense on the Dialer, and would have no effect on the underlying ATM interface if that interface does not have an IP address on its own - which, in PPPoE or PPPoA, it does not.

This is, by the way, the same issue as with subinterfaces when a router uses a set of VLAN subinterfaces under a physical interface, with the physical interface not being configured for an IP address on its own (in other words, the native VLAN is not used). Enabling NAT, IP Inspect, etc. on the physical interface has no effect, because the physical interface is not IP-enabled - and even if it was, the configuration would apply only to the IP network on the physical interface itself, not to the subinterfaces. All these features have to be configured on the IP-enabled subinterfaces.

Feel welcome to ask further!

Best regards,
Peter

Peter,


Thanks. So would you consider the "Configuration Example" at https://www.cisco.com/c/en/us/td/docs/routers/access/800/software/configuration/guide/SCG800Guide/SCG800Guide_chapter_010110.html incorrect, since there are two "ip..." commands in the ATM0 part of the configuration?


Dave

Hi Dave,

You are welcome.

So would you consider the "Configuration Example" at

https://www.cisco.com/c/en/us/td/docs/routers/access/800/software/configuration/guide/SCG800Guide/SCG800Guide_chapter_010110.html

incorrect, since there are two "ip..." commands in the ATM0 part of the configuration?

Yes, the configuration example is indeed wrong. The ip nat outside and ip virtual-reassembly commands should have been put on the Dialer0 interface instead. Their placement on the ATM0 interface is wrong and useless. The configuration as shown would not successfully enable NAT.

I will try to raise an internal request to have the documentation corrected.

Best regards,
Peter
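A small configuration check for the misplacement Peter describes in his first reply and confirms above, added here as an example that is not part of the original thread and not a Cisco tool: it splits an IOS running-config into interface stanzas, treats an interface as IP-enabled only if it carries ip address or ip unnumbered, and reports IP feature commands (ip nat, ip inspect, ip access-group, ip virtual-reassembly, ...) found on interfaces that are not. SAMPLE_CONFIG is constructed to mirror the discussed mistake (NAT and reassembly on ATM0), not copied from the Cisco guide.

```python
import re

# IP-layer feature commands that only take effect on an IP-enabled interface
IP_FEATURES = ("ip inspect ", "ip nat ", "ip access-group ", "ip virtual-reassembly",
               "ip mtu ", "ip tcp adjust-mss ")
# The two commands that make an interface IP-enabled in the first place
IP_ENABLERS = ("ip address ", "ip unnumbered ")
# Constructed sample (not the Cisco guide's text): NAT and reassembly sit on ATM0
SAMPLE_CONFIG = """\
interface ATM0
 no ip address
 ip nat outside
 ip virtual-reassembly
 pvc 0/35
  encapsulation aal5mux ppp dialer
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip inspect FW out
 ip access-group 101 in
 dialer pool 1
!
ip nat inside source list 1 interface Dialer0 overload
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented sub-commands (stripped)."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if not line.startswith(" "):          # top-level command ends any stanza
            m = re.match(r"interface (\S+)", line)
            current = m.group(1) if m else None
            if current:
                interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line.strip())
    return interfaces

def misplaced_ip_features(config):
    """(interface, command) pairs where an IP feature sits on a non-IP interface."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        if any(c.startswith(IP_ENABLERS) for c in cmds):
            continue                          # IP-enabled: features belong here
        findings.extend((name, c) for c in cmds if c.startswith(IP_FEATURES))
    return findings
```

Running misplaced_ip_features(SAMPLE_CONFIG) reports the two ATM0 commands and nothing on Dialer0, which carries the IP address; the same check applies to VLAN subinterfaces under a physical interface that has no address of its own.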
