02-08-2016 12:59 PM - edited 03-05-2019 03:17 AM
Hi, using a C1921 with ehwic-4esg as internet router. Using pppoe connection across built-in gigabit port to ISP and svi vlan1 to route traffic to firewalls. pppoe connection works fine (can ping the internet, etc.) but svi is not routing any traffic. See below config.
Interface vlan1 is using "IP unnumbered dialer 1". Also tried "ip address pool IAS" but didn't make any difference.
IOS version 15.4(3)M3.
Any help will be appreciated...
Thanks,
Rico.
====================================
!
hostname rtr01
!
ip dhcp pool IAS
 import all
 origin ipcp
 dns-server 194.151.228.18 194.151.228.34
!
ip cef
multilink bundle-name authenticated
!
cts logging verbose
!
redundancy
!
no cdp run
!
policy-map custom-shaper-30Mbps
 class class-default
  shape average 28800000
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description ISP CPE
 no ip address
 load-interval 30
 duplex full
 speed 100
 pppoe enable group global
 pppoe-client dial-pool-number 1
 service-policy output custom-shaper-30Mbps
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/0/0
 no ip address
!
interface GigabitEthernet0/0/1
 no ip address
!
interface GigabitEthernet0/0/2
 no ip address
!
interface GigabitEthernet0/0/3
 no ip address
!
interface Vlan1
 ip unnumbered Dialer1
 ip verify unicast reverse-path
 ip tcp adjust-mss 1452
 load-interval 30
!
interface Dialer1
 description Customer Traffic PPPoE Connection
 ip address negotiated
 ip verify unicast reverse-path
 encapsulation ppp
 mtu 1492
 dialer pool 1
 dialer-group 1
 ppp pap sent-username <removed> password <removed>
 ppp ipcp mask request
 ppp ipcp address accept
!
ip forward-protocol nd
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
dialer-list 1 protocol ip permit
!
=========================================================================
rtr01#sh vlan-switch
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/0/0, Gi0/0/1, Gi0/0/2, Gi0/0/3
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        1002   1003
1002 fddi  101002     1500  -      -      -        -    -        1      1003
1003 tr    101003     1500  1005   0      -        -    srb      1      1002
1004 fdnet 101004     1500  -      -      1        ibm  -        0      0
1005 trnet 101005     1500  -      -      1        ibm  -        0      0
==========================================================================
rtr01#sh int status
Port      Name   Status       Vlan   Duplex  Speed   Type
Gi0/0/0          connected    1      a-full  a-1000  10/100BaseTX/1000BaseT
Gi0/0/1          connected    1      a-full  a-1000  10/100BaseTX/1000BaseT
Gi0/0/2          connected    1      a-full  a-100   10/100BaseTX/1000BaseT
Gi0/0/3          notconnect   1      auto    auto    10/100BaseTX/1000BaseT
02-08-2016 01:17 PM
Hi,
What does show ip int brief verify as ip addresses?
Regards
Alex
02-08-2016 02:02 PM
Hi Alex,
See below. This is from the logs I collected, we did a rollback to the original 871 router. I've slightly modified the output and set the first 3 digits of the IP address to x.x.x. Btw, this output is with the IP unnumbered config. The 871 router is using the "ip address pool IAS" on the svi interface but this didn't work on the 1921...
Thanks, Rico.
rtr01#sh ip int brief
Interface                   IP-Address  OK?  Method  Status                 Protocol
Embedded-Service-Engine0/0  unassigned  YES  NVRAM   administratively down  down
GigabitEthernet0/0          unassigned  YES  NVRAM   up                     up
GigabitEthernet0/1          unassigned  YES  NVRAM   administratively down  down
GigabitEthernet0/0/0        unassigned  YES  unset   up                     up
GigabitEthernet0/0/1        unassigned  YES  unset   up                     up
GigabitEthernet0/0/2        unassigned  YES  unset   up                     up
GigabitEthernet0/0/3        unassigned  YES  unset   down                   down
Dialer1                     x.x.x.65    YES  IPCP    up                     up
Virtual-Access1             unassigned  YES  unset   up                     up
Virtual-Access2             unassigned  YES  unset   up                     up
Vlan1                       x.x.x.65    YES  unset   up                     up
02-21-2016 04:34 AM
Why don't you assign a different static IP to SVI Interface VLAN1, NAT inside, remove IP unnumbered and have it on the same subnet as the firewall's interface.
Set the default route on the firewall to point to the SVI's IP.
Also set an ACL for all subnets or hosts that need to be NATted on the router. That way you only NAT at the router. Also NAT outside on Dialer1.
Thanks
John
07-12-2016 08:13 AM
It turned out to be a netmask issue. The pppoe connection negotiated a /32 IP address which is not really useful when using it as a routed interface. So used a dhcp pool to assign the ip address to the vlan1 interface which was basically the original configuration of the 871 router. The second issue was that this only worked after saving the new config and rebooting the 1921 router. It didn't work when only shutting down the interface and re-enabling it...
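Added example, not part of the original thread: a small longest-prefix-match model of the netmask issue described in the last post, together with the strict uRPF check that `ip verify unicast reverse-path` performs on Vlan1. The addresses (RFC 5737 documentation range), the firewall at .66 and the /29 pool subnet are constructed assumptions; the thread does not give the real mask.

```python
import ipaddress

# Constructed values: the thread masks the real addresses as x.x.x.65.
FIREWALL = "203.0.113.66"          # assumed firewall address behind Vlan1
POOL_SUBNET = "203.0.113.64/29"    # assumed subnet handed to Vlan1 by the DHCP pool

def build_table(vlan1_connected=None):
    """Return routes as (network, egress interface).

    With 'ip unnumbered Dialer1' the SVI borrows a /32 and installs no
    connected subnet, so only the static default route is present.
    """
    table = [(ipaddress.ip_network("0.0.0.0/0"), "Dialer1")]
    if vlan1_connected:
        table.append((ipaddress.ip_network(vlan1_connected), "Vlan1"))
    return table

def lookup(table, addr):
    """Longest-prefix match: pick the most specific route containing addr."""
    ip = ipaddress.ip_address(addr)
    matches = [(net, ifc) for net, ifc in table if ip in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def urpf_strict_ok(table, src, in_if):
    """Strict uRPF: accept only if the best route back to src uses in_if."""
    return lookup(table, src) == in_if

if __name__ == "__main__":
    for label, table in (("unnumbered /32", build_table()),
                         ("pool subnet", build_table(POOL_SUBNET))):
        print(label,
              "| to firewall via", lookup(table, FIREWALL),
              "| uRPF accepts firewall on Vlan1:",
              urpf_strict_ok(table, FIREWALL, "Vlan1"))
```

In the unnumbered case the firewall's address only matches the default route, so return traffic is sent back out Dialer1 and packets arriving from the firewall on Vlan1 fail the reverse-path check; with a connected subnet on Vlan1 both lookups resolve to the SVI.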