Cisco 837 as ADSL2+ router

damiankwest
Level 1

Hey guys, I hope someone can answer a few questions I have and see about fixing a configuration I'm having issues with!

I have a situation where I have ADSL2+ with a couple of additional IP Addresses, unfortunately my current router doesn't support NAT Translation properly, nor does it support additional IP's on the same interface .. so my solution was to bridge the current router (Netgear DGN2000) and push it into a Cisco 837 which I have laying around for no apparent reason.

My idea was to bring up the Ethernet0 interface as a LAN interface and the Ethernet2 as a WAN interface and route traffic between them, however I'm having issues getting the WAN to authenticate properly - I have never done PPPoE authentication on a Cisco before, let alone when I'm not using the ATM0/Dialer0 interfaces to do so!

My configuration is attached as it is, I wasn't sure if I needed to configure my real-world IP Address in the Ethernet2 interface, or the Dialer0 interface would take care of that for me? I used the configuration tips in (http://www.cisco.com/en/US/docs/routers/access/800/819/software/configuration/Guide/9ppp_e_nat.html) to configure what I have now but wasn't sure if it would work on a different device.

The last thing is, I read somewhere that the Ethernet interfaces on the 837 were 10Mbit only - would this mean that if I push my ADSL2+ link through it, I wouldn't be able to get faster than that? Or would it disregard this as I'm physically connecting through a FastEthernet port?

Thanks for any assistance you can give me on this.


damiankwest
Level 1

Alright, so silly me posted a WORKING configuration thinking that it wasn't working, it's been a long day.

So I have the PPPoE interface up, however I can't get connection out to the internet at all, I'm wondering what I'm missing in this regard?

If I do a ping, then configure to go from dialer1 to 8.8.8.8 it times out without success.

If I do a ping to 10.0.0.15 (another machine on my network) it works fine.

I'm new to the routing side of things, not sure exactly what I need to do in order to make things route out to the internet after the internet connection is up and running - or even if I have to route to interface Dialer1 (or) Ethernet2

Any help with this would be greatly appreciated

Hi Damian,

Your configuration has the following problems:

  1. The routing is deactivated (I wonder how it happened) so the router is not a router at all. Correct this by adding the ip routing and ip cef to your global configuration.
  2. The VPDN is activated unnecessarily. Remove the VPDN configuration altogether by entering the no vpdn-group TPG and no vpdn enable in your global configuration.
  3. Remove the NAT configuration from the Ethernet2 interface - as this interface is not IP-enabled, configuring IP NAT is useless. Enter the no ip nat outside in the Ethernet2 configuration.
  4. On the Ethernet2 interface, try removing the pppoe enable command. This command activates the PPPoE server functionality which is useless, as you are a client. The only necessary command with respect to PPPoE is the client configuration you already have present thanks to the pppoe-client dial-pool-number 1 command - that command should stay on Ethernet2.
  5. On Dialer1 interface, add the ip tcp adjust-mss 1452 command to make sure TCP sessions do not create oversized segments requiring fragmentation. Also add the ip nat outside command, as it is the Dialer1 interface that is the IP-enabled interface facing the outside world.
  6. On Dialer1 interface, the dialer-group and ppp authentication commands are unnecessary and should not be present. The first command defines a list of "interesting traffic" that can cause a dialer to dial a number but this is relevant only for dialed technologies such as analog modems or ISDN, not in PPPoE. The second command actually causes you to require your ISP to authenticate to you in certain cases, and this is wrong. Therefore, issue the following commands in Dialer1 configuration:
    1. no dialer-group 1
    2. no ppp authentication chap pap callin
  7. Remove the ip route 10.0.0.0 255.0.0.0 Dialer1 static route, and replace it with ip route 0.0.0.0 0.0.0.0 Dialer1 - I assume that you want all internet connectivity to go through the Dialer interface.
  8. Remove the ip nat inside source list Internal interface Ethernet2 overload and replace it with ip nat inside source list Internal interface Dialer1 overload - it is the Dialer1's IP address you are hiding your internal network behind.

Try making these changes and test your connectivity again. If it still fails please post your then-current config.

Best regards,

Peter

You are a legend Peter! I understood all of what you said too, amazing. A couple of notes:

  1. The guide I went through said to put in vpdn - but you were right, once I deleted it, the connection dropped and then came straight back up.
  2. After doing the no pppoe enable, I had to re-do the pppoe-client command as it had removed itself.
  3. Thanks with the routing tips, this is what I was missing, I wasn't sure about the Dialer1 vs. Ethernet2 parts, or the correct ip ranges to route - it all makes a lot more sense now!

I just did a full reboot of everything to ensure it comes back up and it has! Success!

Unfortunately I've tested the internet connection and I am only getting 10mbit which is a bit sucky as my ADSL2+ modem actually connects at 20mbit! I thought this might be the case as the eth0/eth2 interfaces are only 10mbit, but I was hoping it would bypass this as it's physically using the fe1/fe4 ports.

Anyway, there's one more slight error that's coming up constantly - and was before the changes were made as well:

- Vi1 PPP: Outbound cdp packet dropped

I read somewhere that this had to do with the MTU packet size, which I think is what you correct with the ip tcp adjust-mss 1452 command?

Thanks for your help with this, I really appreciate it!

Hi Damian,

It's so good to know you got it running!

> The guide I went through said to put in vpdn - but you were right, once I deleted it, the connection dropped and then came straight back up.

I am surprised at the guide. The VPDN does not seem to be relevant at all to this configuration. Perhaps it was relevant in some ancient IOS versions but with your IOS version and newer, it most certainly is not required - just as you've seen for yourself. A pure and clean PPPoE client is what you need - and what you get by the single pppoe-client command.

> After doing the no pppoe enable, I had to re-do the pppoe-client command as it had removed itself.

Okay. Then it's IOS-enforced behavior.

> Unfortunately I've tested the internet connection and I am only getting 10mbit which is a bit sucky as my ADSL2+ modem actually connects at 20mbit! I thought this might be the case as the eth0/eth2 interfaces are only 10mbit, but I was hoping it would bypass this as it's physically using the fe1/fe4 ports.

Hmmm. This may be difficult to solve - this depends on whether the connection between the 100Mbps 4-port switch in the router and the CPU itself is running on 10 or 100 Mbps. This router is quite old; it may have lots of bottlenecks.

Are you able to download a newer IOS for your router? The latest IOS version for 837 router is c837-k9o3sy6-mz.124-15.T14.bin - this version should theoretically allow us to access individual ports of the FastEthernet switch in configuration, possibly putting them into different VLANs. I would like to see if we could get an improvement if we did the configuration on interface Vlan instead of physical interfaces in your configuration (though, to be honest, I strongly doubt there will be any difference - the bottleneck is not caused by the name of the interface in the configuration but rather by physical construction of the router).

> Anyway, there's one more slight error that's coming up constantly - and was before the changes were made as well:
>
> - Vi1 PPP: Outbound cdp packet dropped

This is absolutely normal. The PPP protocol negotiates with the other party which protocols are allowed over the PPP link. Check out the show interface output for interfaces Dialer1 and Vi1 - look for something like:

  Encapsulation PPP, LCP Open
  Listen: CDPCP
  Open: IPCP, loopback not set

This output tells you that the IP protocol has been negotiated on the link by both parties (IPCP stands for IP Control Protocol which is the negotiation protocol for enabling the use of IP over a PPP link). However, the CDP Control Protocol, or CDPCP, is only in the Listen state, saying that your router has suggested that CDP is also carried over the PPP link but the other endpoint has not agreed to that. This means that CDP is not allowed to be carried over this link, and that is the reason why you see CDP packets being dropped - because CDP has not been negotiated by both endpoints of this PPP session. This is quite common for CDP: PPPoE access concentrators at your ISP are configured not to send CDP packets to individual customers, or they are from a different manufacturer than Cisco and do not speak CDP at all.

> I read somewhere that this had to do with the MTU packet size

Not in this case, I believe - CDP packets are not big enough to exceed the MTU of 1492 bytes. They are dropped because CDP has not been negotiated for use of the link - see the explanation above.

> which I think is what you correct with the ip tcp adjust-mss 1452 command?

Well, this command applies only to TCP sessions passing through the Dialer1 interface, and it causes both endpoints of a TCP session to send TCP segments of no more than 1452 bytes in the segment body. It does not apply to other types of traffic - UDP, ICMP, IP, all these are unaffected by this command.

Best regards,

Peter

Thanks again for that Peter! Explanations are fantastic for future reference. I have tried to update the firmware in the device, however when I do it comes up 'not enough space on device'. The firmware is about 12.6MB and it seems the flash size is only 12.3MB!

I took a quick look at the other filesystems on the device and the flash is the biggest one. I guess it just wasn't meant to be in the case, lol. But not to worry, I really wanted to see if I could make this work but I might just see if I can find another router I can play with. I definitely learnt a lot trying to give this one a go, as well as your insightful notes on each part I was doing wrong.

If you have any suggestions on how I can update the firmware, fantastic, if not don't worry too much, it'll be more just for testing purposes anyway

Thanks again Peter!

Hi Damian,

Perhaps you could try the c837-k9o3y6-mz.124-15.T14.bin or c837-k9o3sy6-mz.124-25d.bin images and see if they fit into your FLASH. Both should be feature-rich enough for your needs.

Best regards,

Peter

Hey Peter,

I hope you don't mind that I piggy-back on this post. I ended up giving the 837 the flick just due to the speed - From what I read it was the hardware holding the speed back, so I didn't bother updating anything more.

I have now got myself an 857W which I am 99% through configuring, however I'm having a couple of issues with routing (again, not my strong suit). ADSL2+ connects, LAN connects, from the Cisco I can ping both the internal network and the external network, from outside of the network my NAT rules work, however from inside the network I can't get to the internet.

I have double checked the configuration with a few other configurations and I can't seem to find any reason why it would be doing what it's doing, I was hoping you (or someone else) would be able to give me what I'm sure is a simple command I'm missing!

I have tried with / without an access list on the Vlan1 but I can't get my head around it :\

Below is my Cisco 857W configuration, thanks

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname NIC-GW01
!
boot-start-marker
boot-end-marker
!
enable secret 5 ..
!
no aaa new-model
!
resource policy
!
!
!
ip cef
!
!
!
username admin privilege 15 secret 5 ..
!
!
!
!
!
interface ATM0
 description Interface to the external network
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 ip mtu 1492
 no snmp trap link-status
 pvc 8/35
  oam-pvc 0
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
 shutdown
!
interface FastEthernet2
 shutdown
!
interface FastEthernet3
 shutdown
!
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Vlan1
 description Connection to Internal network
 ip address 10.0.0.1 255.0.0.0
 ip nat inside
 ip virtual-reassembly
 hold-queue 100 out
!
interface Dialer0
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 ppp chap hostname damiankwest
 ppp chap password 0 ..
 ppp pap sent-username damiankwest password 0 ..
!
interface Dialer1
 no ip address
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
no ip http secure-server
ip nat inside source list Internal interface Dialer1 overload
ip nat inside source static tcp 10.0.0.16 25 x.x.x.x 25 extendable
ip nat inside source static tcp 10.0.0.20 80 x.x.x.x 80 extendable
ip nat inside source static tcp 10.0.0.16 443 x.x.x.x 443 extendable
ip nat inside source static tcp 10.0.0.17 3389 x.x.x.x 3389 extendable
ip nat inside source static tcp 10.0.0.16 3389 x.x.x.x 3390 extendable
!
ip access-list extended Internal
 permit ip 10.0.0.0 0.255.255.255 any
!
dialer-list 1 protocol ip permit
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 login local
!
scheduler max-task-time 5000
end

damiankwest
Level 1

Wait, I figured it out. lol

I was using Dialer0 as the dialer, but referencing Dialer1 in my NAT rules

Thanks for the help!
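The mismatch described in the post above (the overload NAT rule naming an interface other than the one that actually carries the default route) can be caught mechanically before a config is deployed. The following is an added example, not part of the original thread: a small Python audit whose function names (`parse_interfaces`, `audit_nat_overload`) are hypothetical, run over a constructed excerpt of the 857W configuration.

```python
import re

# Constructed excerpt of the 857W configuration posted above (secrets, LAN and static NAT lines omitted).
SAMPLE = """\
interface Dialer0
 ip address negotiated
 ip nat outside
!
interface Dialer1
 no ip address
!
ip route 0.0.0.0 0.0.0.0 Dialer0
ip nat inside source list Internal interface Dialer1 overload
"""

def parse_interfaces(config):
    """Map each interface name to the list of sub-commands in its block."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif current and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return blocks

def audit_nat_overload(config):
    """Return findings for overload (PAT) rules whose interface cannot translate traffic."""
    blocks = parse_interfaces(config)
    # Only default routes that name an exit interface (not a next-hop IP) are compared.
    exits = set(re.findall(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 ([A-Za-z]\S*)", config, re.M))
    findings = []
    for iface in re.findall(r"^ip nat inside source list \S+ interface (\S+) overload", config, re.M):
        cmds = blocks.get(iface)
        if cmds is None:
            findings.append(f"{iface}: NAT rule references an undefined interface")
            continue
        if "ip nat outside" not in cmds:
            findings.append(f"{iface}: missing 'ip nat outside'")
        if not any(c.startswith("ip address ") for c in cmds):
            findings.append(f"{iface}: no IP address to translate to")
        if exits and iface not in exits:
            findings.append(f"{iface}: default route exits via {', '.join(sorted(exits))}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_nat_overload(SAMPLE)))
```

Pointing the overload rule at Dialer0 in the sample clears all three findings.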

Damian,

Congratulations - you got it working perfectly!

Best regards,

Peter
