C1111-8p bridge or nat problem

Nestore
Level 1

Hello everyone.

I have a problem configuring the router in question. I am new to using these new C1100 routers and IOS-XE, but I have performed many similar configurations to this with IOS on Cisco 800 and 1900 routers in the past.
In my company we have a detachment that does not require a switch: we currently have 5 clients and 1 server, so for now I need to use a C1111-8P, which will have WAN access via fiber and the LAN side directly on the router's Ethernet ports without additional switches; the rest of the traffic is wireless.

I researched and realized that on IOS-XE the old BVI is not used, but BDI is used instead. I made a configuration that gives me this strange problem: wireless clients surf the internet without problems. Instead, the clients connected to the Ethernet ports are able to contact only the search engines and some internet sites, but not all.

I checked by trying some variants of the settings for the bridge, and also for the NAT, then for the ACLs, but it continues to behave the same.
If I try to ping a hostname from the clients connected to the Ethernet ports, I get a reply, resolving the address without problems. But if I try to browse with the browser, the search engine (e.g. Google) is very fast; other sites like Cisco and Facebook work without problems, while others time out. It doesn't matter whether it is HTTP or HTTPS traffic.
SMTP and POP3 traffic don't work either.

I paste the affected parts of my setup:

version 16.10
service timestamps debug datetime msec
service timestamps log datetime msec
service internal
service call-home
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname xxxx
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
call-home

profile "CiscoTAC-1"
active
destination transport-method http
no destination transport-method email
!
!
!
ip name-server 208.67.222.222 208.67.220.220
ip domain name xxxx
!
ip dhcp pool Ethernet
import all
network 192.168.123.0 255.255.255.0
default-router 192.168.123.253
dns-server 208.67.222.222 208.67.220.220
lease infinite
!

login on-success log
!
subscriber templating
!
multilink bundle-name authenticated
!
no license feature hseck9
!
license boot level securityk9
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username xxxx
!
redundancy
mode none
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/0/0
no ip address
speed 1000
no negotiation auto
spanning-tree portfast disable
!
interface GigabitEthernet0/0/0.835
encapsulation dot1Q 835
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/0/1
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
!
interface Wlan-GigabitEthernet0/1/8
!
interface Vlan1
no ip address
service instance 10 ethernet
encapsulation untagged
bridge-domain 10
!
!
interface Dialer1
ip address negotiated
ip nat outside
ip access-group 101 in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username xxxxx password 0 xxxxx
!
interface BDI10
ip address 192.168.123.253 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
no ip http server
ip http access-class ipv4 23
ip http authentication local
ip http secure-server
ip nat inside source route-map vpnmap interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
access-list 23 permit 192.168.123.0 0.0.0.255
access-list 100 permit tcp any any
access-list 100 permit udp any any
access-list 100 permit icmp any any
access-list 101 permit tcp any any
access-list 101 permit udp any any
access-list 101 permit icmp any any
dialer-list 1 protocol ip permit
!
!
route-map vpnmap permit 1
match ip address 100
!
!
!
control-plane
!
!
line con 0
transport input none
stopbits 1
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
end

Hope someone can help me.

Tks.

Accepted Solution

Hello,

the fact that your wired clients can access some, but not all, sites could suggest that there is something wrong with the MTU settings on the dialer interface. Try the settings below:

interface Dialer1
ip address negotiated
ip nat outside
--> ip mtu 1492
--> ip tcp adjust-mss 1452

or

interface Dialer1
ip address negotiated
ip nat outside
--> ip mtu 1400
--> ip tcp adjust-mss 1360

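Added example, not from the thread or any of its posters: a small Python model of the arithmetic behind the accepted answer (1500 - 8 bytes of PPPoE/PPP overhead = 1492 IP MTU, minus 40 bytes of IP+TCP headers = 1452 MSS, and likewise 1400/1360) and of the symptom it explains, where small responses get through but full-size segments of a large transfer are dropped unless the MSS is clamped or path MTU discovery works. The constants and the transfer() model are assumptions for illustration, not behaviour measured on the C1111.

```python
# Added example (not from the thread): the arithmetic behind the accepted answer's
# "ip mtu 1492" / "ip tcp adjust-mss 1452" pair, plus a small model of the
# symptom (some sites load, large transfers time out) with and without MSS clamping.
ETH_MTU = 1500            # Ethernet payload size on the wired LAN clients (assumed)
PPPOE_OVERHEAD = 6 + 2    # PPPoE header (6 bytes) + PPP protocol field (2 bytes)
IP_HDR, TCP_HDR = 20, 20  # headers without options

def pppoe_ip_mtu(link_mtu=ETH_MTU):
    """IP MTU usable inside a PPPoE session: 1500 - 8 = 1492."""
    return link_mtu - PPPOE_OVERHEAD

def mss_for(ip_mtu):
    """Largest TCP payload that fits one IP packet on that MTU: 1492 - 40 = 1452."""
    return ip_mtu - IP_HDR - TCP_HDR

def clamp_mss(advertised_mss, adjust_mss=None):
    """Model of 'ip tcp adjust-mss N': rewrite the SYN's MSS option down to N."""
    return advertised_mss if adjust_mss is None else min(advertised_mss, adjust_mss)

def transfer(response_bytes, client_mtu=ETH_MTU, server_mss=1460, path_mtu=1492,
             adjust_mss=None, df=True, icmp_too_big_delivered=False):
    """Model one server-to-client transfer. Returns 'ok' or 'black hole'.
    The client advertises MSS = client_mtu - 40 in its SYN; the router may clamp it;
    the server then sends segments no larger than min(its MSS, the clamped MSS).
    A segment whose IP packet exceeds the PPPoE path MTU with DF set is dropped; unless
    the ICMP 'fragmentation needed' reaches the server (PMTUD), the transfer stalls."""
    client_mss = clamp_mss(client_mtu - IP_HDR - TCP_HDR, adjust_mss)
    segment = min(server_mss, client_mss, response_bytes)
    packet = segment + IP_HDR + TCP_HDR
    if packet <= path_mtu or not df or icmp_too_big_delivered:
        return "ok"
    return "black hole"

def demo():
    """Small response (a search page) works either way; a large page only with clamping."""
    return {
        "small, no clamp": transfer(600),
        "large, no clamp": transfer(200_000),
        "large, adjust-mss 1452": transfer(200_000, adjust_mss=mss_for(pppoe_ip_mtu())),
        "large, pmtud working": transfer(200_000, icmp_too_big_delivered=True),
    }

if __name__ == "__main__":
    print(pppoe_ip_mtu(), mss_for(pppoe_ip_mtu()), mss_for(1400))  # 1492 1452 1360
    print(demo())
```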
6 Replies

balaji.bandi
Hall of Fame

High level for testing before we suggest anything - make a simple config to test.

interface Dialer1
ip address negotiated
ip nat outside
no ip access-group 101 in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username xxxxx password 0 xxxxx
!
interface BDI10
ip address 192.168.123.253 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
no ip http server
ip http access-class ipv4 23
ip http authentication local
ip http secure-server
no ip nat inside source route-map vpnmap interface Dialer1 overload
ip nat inside source list 5 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
access-list 5 permit 192.168.123.0 0.0.0.255  ( or reuse ACL 23)
access-list 23 permit 192.168.123.0 0.0.0.255
access-list 100 permit tcp any any
access-list 100 permit udp any any
access-list 100 permit icmp any any
access-list 101 permit tcp any any
access-list 101 permit udp any any
access-list 101 permit icmp any any
dialer-list 1 protocol ip permit
!
!
route-map vpnmap permit 1
match ip address 100

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

balaji.bandi
Hall of Fame

@Georg Pauwen - I suspected MTU also in the first instance, thought of trying simple before we fiddle with MTU, but good you suggested it, cheers.

BB

Hello
As noted by @balaji.bandi, you need to use a NAT ACL with no "any any", as NAT doesn't like it; specify what subnet you wish to NAT on.
Also, as noted by @Georg Pauwen, adjusting the MTU on the xDSL router when using NAT is recommended, and lastly, as you want to use a public DNS server (Cisco Umbrella) via PPP, try the following:

route-map vpnmap permit 1
no match ip address 100
match ip address 23

ip dhcp pool Ethernet

no dns-server 208.67.222.222 208.67.220.220
dns-server 192.168.123.253
exit
ip dns server

int dialer1
mtu 1492
ppp ipcp dns request

interface GigabitEthernet0/0/0
ip tcp adjust-mss 1452

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Thanks @Georg Pauwen, your solution is OK! In fact I had already used adjust-mss by copying example configurations without understanding why... Now I have understood it well, also through this document: https://www.cisco.com/en/US/docs/ios-xml/ios/ipapp/command/ip_tcp_adjust-mss_through_ip_wccp_web-cache_accelerated.html

@balaji.bandi the ACLs posted above are not the ones I use. My setup also includes VPN clients and has extended ACLs. I just tried to open everything to better understand where the problem could be...

Thanks also to @paul driver for the configuration of DNS via IPCP... I did not know it. Works fine!

Sorry for my English.

balaji.bandi
Hall of Fame

Thank you. Good to know MTU fixes your issue, glad to hear.

BB