Cisco 1941w sharing VDSL

karlosthehat
Level 1

Hi everyone, newb here.

I picked up a cheap 1941w, but know very little about them and as such this is a very steep learning curve. This particular one has a VDSL2 module and 1x 8 port POE gigabit module. I have a VLAN that covers 8x POE gigabit ports which is my main network, a separate admin VLAN and then share the VDSL to both of these.

So far all is good, I am connected to the internet (my ISP has assigned a static IP and it displays correctly) but I can't figure out how to share it to my VLANs or the router itself. I found some other threads on the topic but they are all related to FTTP etc. and I can't get it to work with VDSL2. If I try to test the WAN connection or ping something, it doesn't work despite being connected to the internet. My ISP tool says I am synced but I can't ping the router.

Any help appreciated!

config:

Using 5380 out of 262136 bytes
!
! Last configuration change at 22:38:06 UTC Wed Nov 17 2021 by thepoint
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname thepoint
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 xxxxx
enable password xxxxx
!
no aaa new-model
memory-size iomem 5
service-module wlan-ap 0 bootimage autonomous
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool admin
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
!
ip dhcp pool LAN
import all
network 192.168.1.0 255.255.255.0
dns-server 8.8.8.8
default-router 192.168.1.1
!
!
!
ip cef
no ipv6 cef
!
!
flow record nbar-appmon
match ipv4 source address
match ipv4 destination address
match application name
collect interface output
collect counter bytes
collect counter packets
collect timestamp absolute first
collect timestamp absolute last
!
!
flow monitor application-mon
cache timeout active 60
record nbar-appmon
!
parameter-map type inspect global
max-incomplete low 18000
max-incomplete high 20000
nbar-classify
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1941W-N/K9 sn FGL163823NB
hw-module ism 0
!
!
!
object-group service INTERNAL_UTM_SERVICE
!
object-group network Others_dst_net
any
!
object-group network Others_src_net
any
!
object-group service Others_svc
ip
!
object-group network Web_dst_net
any
!
object-group network Web_src_net
any
!
object-group service Web_svc
ip
!
object-group network local_cws_net
!
object-group network local_lan_subnets
192.168.1.0 255.255.255.0
!
object-group network vpn_remote_subnets
any
!
username thepoint privilege 15 secret 5 xxxxx
!
redundancy
!
!
!
!
!
controller VDSL 0/0/0
operating mode vdsl2
!
!
class-map type inspect match-any INTERNAL_DOMAIN_FILTER
match protocol msnmsgr
match protocol ymsgr
class-map type inspect match-any Others_app
match protocol https
match protocol smtp
match protocol pop3
match protocol imap
match protocol sip
match protocol ftp
match protocol dns
match protocol icmp
class-map type inspect match-any Web_app
match protocol http
class-map type inspect match-all Others
match class-map Others_app
match access-group name Others_acl
class-map type inspect match-all Web
match class-map Web_app
match access-group name Web_acl
!
policy-map type inspect LAN-WAN-POLICY
class type inspect Web
inspect
class type inspect Others
inspect
class class-default
drop log
!
zone security LAN
zone security WAN
zone security VPN
zone security DMZ
zone-pair security LAN-WAN source LAN destination WAN
service-policy type inspect LAN-WAN-POLICY
!
!
crypto isakmp policy 1
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1412
duplex auto
speed auto
no mop enabled
!
interface wlan-ap0
no ip address
arp timeout 0
no mop enabled
no mop sysid
!
interface GigabitEthernet0/1
no ip address
ip tcp adjust-mss 1412
shutdown
duplex auto
speed auto
!
interface Wlan-GigabitEthernet0/0
switchport mode trunk
no ip address
!
interface ATM0/0/0
no ip address
shutdown
no atm ilmi-keepalive
cdp enable
!
interface Ethernet0/0/0
description PrimaryWANDesc_
ip address dhcp
ip nat outside
ip virtual-reassembly in
!
interface GigabitEthernet0/1/0
no ip address
!
interface GigabitEthernet0/1/1
no ip address
!
interface GigabitEthernet0/1/2
no ip address
!
interface GigabitEthernet0/1/3
no ip address
!
interface GigabitEthernet0/1/4
no ip address
!
interface GigabitEthernet0/1/5
no ip address
!
interface GigabitEthernet0/1/6
no ip address
!
interface GigabitEthernet0/1/7
switchport mode trunk
no ip address
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nbar protocol-discovery
ip flow monitor application-mon input
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
zone-member security LAN
ip tcp adjust-mss 1412
load-interval 30
!
ip forward-protocol nd
!
ip http server
ip http authentication local
no ip http secure-server
!
ip nat inside source list 1 interface Ethernet0/0/0 overload
ip nat inside source list nat-list interface Ethernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 Ethernet0/0/0
!
ip access-list extended Others_acl
permit object-group Others_svc object-group Others_src_net object-group Others_dst_net
ip access-list extended Web_acl
permit object-group Web_svc object-group Web_src_net object-group Web_dst_net
ip access-list extended nat-list
permit ip object-group local_lan_subnets any
deny ip any any
!
!
!
snmp-server community thepoint RO
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 0.0.0.1 255.255.255.0
!
control-plane
!
!
vstack
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 67
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
password xxxxxx
login
transport input none
!
scheduler allocate 20000 1000
!
end

1 Accepted Solution

Hello,

make the changes marked in bold:

Using 5380 out of 262136 bytes
!
! Last configuration change at 22:38:06 UTC Wed Nov 17 2021 by thepoint
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname thepoint
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 xxxxx
enable password xxxxx
!
no aaa new-model
memory-size iomem 5
service-module wlan-ap 0 bootimage autonomous
!
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool admin
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
!
ip dhcp pool LAN
import all
network 192.168.1.0 255.255.255.0
dns-server 8.8.8.8
default-router 192.168.1.1
!
!
!
ip cef
no ipv6 cef
!
flow record nbar-appmon
match ipv4 source address
match ipv4 destination address
match application name
collect interface output
collect counter bytes
collect counter packets
collect timestamp absolute first
collect timestamp absolute last
!
flow monitor application-mon
cache timeout active 60
record nbar-appmon
!
parameter-map type inspect global
max-incomplete low 18000
max-incomplete high 20000
nbar-classify
multilink bundle-name authenticated
!
license udi pid CISCO1941W-N/K9 sn FGL163823NB
hw-module ism 0
!
!
!
object-group service INTERNAL_UTM_SERVICE
!
object-group network Others_dst_net
any
!
object-group network Others_src_net
any
!
object-group service Others_svc
ip
!
object-group network Web_dst_net
any
!
object-group network Web_src_net
any
!
object-group service Web_svc
ip
!
object-group network local_cws_net
!
object-group network local_lan_subnets
192.168.1.0 255.255.255.0
!
object-group network vpn_remote_subnets
any
!
username thepoint privilege 15 secret 5 xxxxx
!
redundancy
!
controller VDSL 0/0/0
operating mode vdsl2
!
class-map type inspect match-any INTERNAL_DOMAIN_FILTER
match protocol msnmsgr
match protocol ymsgr
class-map type inspect match-any Others_app
match protocol https
match protocol smtp
match protocol pop3
match protocol imap
match protocol sip
match protocol ftp
match protocol dns
match protocol icmp
class-map type inspect match-any Web_app
match protocol http
class-map type inspect match-all Others
match class-map Others_app
match access-group name Others_acl
class-map type inspect match-all Web
match class-map Web_app
match access-group name Web_acl
!
policy-map type inspect LAN-WAN-POLICY
class type inspect Web
inspect
class type inspect Others
inspect
class class-default
drop log
!
zone security LAN
zone security WAN
zone security VPN
zone security DMZ
zone-pair security LAN-WAN source LAN destination WAN
service-policy type inspect LAN-WAN-POLICY
!
crypto isakmp policy 1
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1412
duplex auto
speed auto
no mop enabled
!
interface wlan-ap0
no ip address
arp timeout 0
no mop enabled
no mop sysid
!
interface GigabitEthernet0/1
no ip address
ip tcp adjust-mss 1412
shutdown
duplex auto
speed auto
!
interface Wlan-GigabitEthernet0/0
switchport mode trunk
no ip address
!
interface ATM0/0/0
no ip address
shutdown
no atm ilmi-keepalive
cdp enable
!
interface Ethernet0/0/0
description PrimaryWANDesc_
ip address dhcp
ip nat outside
ip virtual-reassembly in
--> zone-member security WAN
!
interface GigabitEthernet0/1/0
no ip address
!
interface GigabitEthernet0/1/1
no ip address
!
interface GigabitEthernet0/1/2
no ip address
!
interface GigabitEthernet0/1/3
no ip address
!
interface GigabitEthernet0/1/4
no ip address
!
interface GigabitEthernet0/1/5
no ip address
!
interface GigabitEthernet0/1/6
no ip address
!
interface GigabitEthernet0/1/7
switchport mode trunk
no ip address
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nbar protocol-discovery
ip flow monitor application-mon input
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
zone-member security LAN
ip tcp adjust-mss 1412
load-interval 30
!
ip forward-protocol nd
!
ip http server
ip http authentication local
no ip http secure-server
!
ip nat inside source list 1 interface Ethernet0/0/0 overload
--> no ip nat inside source list nat-list interface Ethernet0/0/0 overload
--> ip route 0.0.0.0 0.0.0.0 Ethernet0/0/0 dhcp
!
ip access-list extended Others_acl
permit object-group Others_svc object-group Others_src_net object-group Others_dst_net
ip access-list extended Web_acl
permit object-group Web_svc object-group Web_src_net object-group Web_dst_net
--> no ip access-list extended nat-list
permit ip object-group local_lan_subnets any
deny ip any any
!
snmp-server community thepoint RO
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.0.0 0.0.0.255
--> no access-list 1 permit 0.0.0.1 255.255.255.0
!
control-plane
!
vstack
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 67
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
password xxxxxx
login
transport input none
!
scheduler allocate 20000 1000
!
end

4 Replies

pieterh
VIP

Do I overlook an "ip routing" statement?


karlosthehat
Level 1

Hi there,

Thanks for the replies! You are correct that there was no ip route, but I have made all of the suggested changes with no luck.

WAN shows connected, VDSL has synced and I have an IP address but none of my VLANs can access the internet. I can ping remote servers successfully from Ethernet0/0/0 and 192.168.1.1, so this is definitely a routing issue.

I have tidied up the config and will post below.

Any more ideas? Thanks!

Using 3457 out of 262136 bytes
!
! Last configuration change at 22:00:53 UTC Thu Nov 18 2021 by thepoint
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname thepoint
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 xxxxxxxxxxx
enable password xxxxxxxxxxxxx
!
no aaa new-model
memory-size iomem 5
service-module wlan-ap 0 bootimage autonomous
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.0.1
!
ip dhcp pool admin
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
!
ip dhcp pool LAN
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
!
!
!
ip domain name thepoint.com
ip cef
no ipv6 cef
!
!
flow record nbar-appmon
match ipv4 source address
match ipv4 destination address
match application name
collect interface output
collect counter bytes
collect counter packets
collect timestamp absolute first
collect timestamp absolute last
!
!
flow monitor application-mon
cache timeout active 60
record nbar-appmon
!
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1941W-N/K9 sn FGL163823NB
hw-module ism 0
!
!
!
object-group network local_cws_net
!
object-group network local_lan_subnets
any
!
object-group network vpn_remote_subnets
any
!
username thepoint privilege 15 secret 5 xxxxxxxxxxxxxxxx
!
redundancy
!
!
!
!
!
controller VDSL 0/0/0
operating mode vdsl2
!
zone security LAN
zone security WAN
zone security VPN
zone security DMZ
!
!
crypto isakmp policy 1
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
!
interface wlan-ap0
no ip address
arp timeout 0
no mop enabled
no mop sysid
!
interface GigabitEthernet0/1
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
interface Wlan-GigabitEthernet0/0
switchport mode trunk
no ip address
shutdown
!
interface ATM0/0/0
no ip address
shutdown
no atm ilmi-keepalive
cdp enable
!
interface Ethernet0/0/0
description PrimaryWANDesc_
ip address dhcp
ip nat outside
ip virtual-reassembly in
zone-member security WAN
!
interface GigabitEthernet0/1/0
no ip address
!
interface GigabitEthernet0/1/1
no ip address
!
interface GigabitEthernet0/1/2
no ip address
!
interface GigabitEthernet0/1/3
no ip address
!
interface GigabitEthernet0/1/4
no ip address
!
interface GigabitEthernet0/1/5
no ip address
!
interface GigabitEthernet0/1/6
no ip address
!
interface GigabitEthernet0/1/7
no ip address
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 Ethernet0/0/0 dhcp
!
!
!
snmp-server community thepoint RO
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
!
control-plane
!
!
vstack
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 67
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
password xxxxxxxxx
login local
transport input ssh
!
scheduler allocate 20000 1000
!
end

karlosthehat
Level 1

Success! It turns out I hadn't configured any firewall policies yet (d'oh!). So the routing was all good, just being blocked by the firewall. Here are the changes I made:

ip nat inside source list 1 interface Ethernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 Ethernet0/0/0 dhcp
!
ip access-list extended Others_acl
permit object-group Others_svc object-group Others_src_net object-group Others_dst_net
ip access-list extended Web_acl
permit object-group Web_svc object-group Web_src_net object-group Web_dst_net
ip access-list extended nat-list
permit ip object-group local_lan_subnets any
deny ip any any
!
!
!
snmp-server community thepoint RO
access-list 1 permit 192.168.1.0 0.0.0.255

 

Thanks again for your help, much appreciated.
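
Added example (not from the thread's participants or from Cisco): a small Python audit of the two conditions this thread turned on, zone-based firewall membership between the NAT inside and outside interfaces, and whether an overload NAT ACL covers each inside subnet. The sample configs are constructed excerpts of lines posted above; the `LAN` zone membership on the inside interfaces in `FIXED` and the names `parse` and `audit` are assumptions.

```python
import ipaddress
import re

def parse(config):
    """Collect interface zone/NAT/subnet, zone-pairs, PAT rules and standard ACLs."""
    ifaces, pairs, pat, acls, cur = {}, set(), [], {}, None
    for line in (l.strip() for l in config.splitlines()):
        if line == "!":
            cur = None  # "!" ends an interface block in these flattened dumps
        elif m := re.fullmatch(r"interface (\S+)", line):
            cur = ifaces.setdefault(m[1], {"zone": None, "nat": None, "net": None})
        elif cur is not None and (m := re.fullmatch(r"(zone-member security|ip nat) (\S+)", line)):
            cur["zone" if m[1].startswith("zone") else "nat"] = m[2]
        elif cur is not None and (m := re.fullmatch(r"ip address ([\d.]+) ([\d.]+)", line)):
            cur["net"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif m := re.fullmatch(r"zone-pair security \S+ source (\S+) destination (\S+)", line):
            pairs.add((m[1], m[2]))
        elif m := re.fullmatch(r"ip nat inside source list (\S+) interface (\S+) overload", line):
            pat.append((m[1], m[2]))
        elif m := re.fullmatch(r"access-list (\d+) permit ([\d.]+) ([\d.]+)", line):
            wild = int(ipaddress.IPv4Address(m[3]))
            if (wild & (wild + 1)) == 0:  # contiguous wildcard masks only
                net = ipaddress.ip_network(f"{m[2]}/{32 - wild.bit_length()}", strict=False)
                acls.setdefault(m[1], []).append(net)
    return ifaces, pairs, pat, acls

def audit(config):
    """List reasons inside hosts cannot reach the NAT outside interface."""
    ifaces, pairs, pat, acls = parse(config)
    findings = []
    inside = [(n, i) for n, i in ifaces.items() if i["nat"] == "inside"]
    for oname, out in ((n, i) for n, i in ifaces.items() if i["nat"] == "outside"):
        nets = [n for acl, ifname in pat if ifname == oname for n in acls.get(acl, [])]
        for iname, inn in inside:
            zi, zo = inn["zone"], out["zone"]
            if bool(zi) != bool(zo):  # zone member <-> non-member traffic is dropped
                findings.append(f"{iname}->{oname}: only one side is a zone member")
            elif zi and zi != zo and (zi, zo) not in pairs:
                findings.append(f"{iname}->{oname}: no zone-pair {zi}->{zo}")
            if inn["net"] and not any(inn["net"].subnet_of(n) for n in nets):
                findings.append(f"{iname}: {inn['net']} matches no NAT overload ACL for {oname}")
    return findings

# Constructed excerpts of the thread's lines; LAN zone membership in FIXED is assumed.
TIDIED = """\
interface GigabitEthernet0/1
ip address 192.168.0.1 255.255.255.0
ip nat inside
!
interface Ethernet0/0/0
ip nat outside
zone-member security WAN
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
"""
FIXED = TIDIED.replace("ip nat inside\n", "ip nat inside\nzone-member security LAN\n") + """\
zone-pair security LAN-WAN source LAN destination WAN
ip nat inside source list 1 interface Ethernet0/0/0 overload
access-list 1 permit 192.168.1.0 0.0.0.255
"""
```

`audit(TIDIED)` reports both inside interfaces as dropped by the firewall and untranslated, while `audit(FIXED)` still flags 192.168.0.0/24 because access-list 1 permits only 192.168.1.0/24. The check stops at zone-pair existence and does not evaluate the attached inspect policy.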
