
Cisco 877, 1483, IRB, Static IP, NAT, Help!!!

Phillip Pacier
Level 1

Good afternoon. I posted this regarding an 857W many months ago and was never able to get it to work; in fact, I was told it would not work due to the limitation on VLANs, so I stopped trying. I now own an 877W, and have been told this should work. I have ADSL with 8 static IP addresses (non-contiguous - go figure), served via RFC-1483 bridging. That means no username or password or anything - just a negotiation process. I have been operating for a long time in pure bridge mode, and everything does work, however, it seems a waste for this unit to sit there and just bridge the connection. I would like to actually get it to do some routing! Nothing I have tried works, and none of the tutorials on integrated bridging and routing seem to work either. Here is the scenario:

Available WAN IP addresses: 11.22.33.99, 11.22.33.166 - 11.22.33.172

Gateway: 11.22.33.1

What I would like to do is hold the 11.22.33.99 address at the 877 and use it for DHCP, WLan, IPv6 tunnel endpoint, etc. I would then want the other addresses (166-172) bridged over the FastEthernet interface to do what I want with them. I'm not sure how to make this work. For starters, here is my working configuration for pure RFC-1483 bridging and DHCP handling of the LAN:

#show run
Building configuration...

Current configuration : 1640 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname whatever
!
boot-start-marker
boot-end-marker
!
enable secret 5 whatever
!
no aaa new-model
clock timezone PST -8
clock summer-time PDT recurring
!
!
dot11 syslog
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.200
ip dhcp excluded-address 192.168.1.250 192.168.1.255
!
ip dhcp pool dhcp1
   network 192.168.1.0 255.255.255.0
   dns-server 192.168.1.100
   default-router 192.168.1.100
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
username whatever
!
!
archive
log config
  hidekeys
!
!
!
bridge irb
!
!
interface ATM0
no ip address
no ip route-cache cef
no ip route-cache
no atm ilmi-keepalive
pvc 0/35
  encapsulation aal5snap
!
dsl operating-mode auto
bridge-group 1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
no ip address
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Vlan1
no ip address
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192.168.1.1 255.255.255.0
ip virtual-reassembly
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
no modem enable
line aux 0
line vty 0 4
login
!
scheduler max-task-time 5000
end

5 Replies

Phillip Remaker
Cisco Employee

It will be a little messy to route with a non-contiguous address space.

Will you also need to NAT, or do you only use the static address space?

What is the goal of routing versus bridging?

If you want to route, you can lie to the ATM side and say you are sending bridged packets when you are really routing. This is the RBE feature, "Routed, Bridge Encapsulation" http://www.cisco.com/en/US/docs/ios/12_1t/12_1t2/feature/guide/dtatmrbe.html

Setting the "atm route-bridge ip" command on the ATM interface allows you to treat it as a routed interface, and the packets will be sent out as "bridge encapsulated" and the DSL provider will never know you are routing.

In that case, you would need something like

ip route 0.0.0.0 0.0.0.0 11.22.33.1

ip route (rolled up subnet of 11.22.33.xx) (mask) 11.22.33.1  !summary route for missing nets

ip route 11.22.33.1 255.255.255.255 ATM0

And then you would want to route the available addresses to appropriate places on your network.

It all gets a bit tricky, depending on what you want to accomplish, especially since setting up routing may end up consuming some of your addresses for the ATM interface and the Ethernet interfaces.

Hello, and thank you for taking the time to reply.  I usually have to find complicated ways of doing things, but here is the method to my madness.  I have this powerful router that I want to use!  I want to transfer the routing functions away from my Windows 2003 Server and onto the 877 (or 2620, which I now have).  I want the 877 to be my IPv6 tunnel endpoint, and handle DHCP for the internal LAN for those boxes that will not receive a public IP address.  For this to happen, the 877 will need a public IP from my pool.  There is the routing side of things.  Then, I want to pass the other 7 public IP addresses on to the FastEthernet ports and my switch for direct assignment to other boxes.  I thought IRB would be the way to go, and maybe it is but I just am not doing it correctly.  It was also suggested that I employ static NAT for the other 7 addresses, or even 802.1q trunk ports to send them directly to the NICs on the other machines.

Hopefully that helps you understand my plan.  And if this becomes easier with my 2620, let's set it up on that!  Thanks very much for your help.

-Phil

You can do a mix of routed and bridged and NAT traffic on the same box. There are really a lot of options.

You can set the BVI interface to one of your global addresses with a mask that spans your whole allocated space and then you can then add individual host static routes for the "holes" in that list back out the ATM or assume you will never need to talk to those addresses. You can add a secondary address (or another VLAN) for RFC1918 addresses. You can make the ATM its own IP address by making it in RBE mode - I think it can even be unnumbered relative to the bvi.

Static NAT is a possibility, as is 802.1q.  Lots of options, depending on your vision.  Static NAT is probably the easiest if you just want to project external addresses to internal boxes.  What kind of services will those boxes run?

And IPv6 has lots of options.  Cisco added 6rd support in 15.1(3)T, which can give you instant IPv6 if you use a provider like Comcast in the US.

OK - I have a LAN which we will call 192.168.1.0/24. Every machine in my network has an address from this pool, assigned statically, or via DHCP (for things like my wireless devices). Therefore, every machine can communicate internally using the LAN addresses. This might be important because it will not be necessary to ensure that the machines can communicate with each other via the WAN addresses. I have 8 WAN addresses. Hold one at the router, that leaves seven. Four of them are sent to my Windows 2003 Server box, which runs a multitude of server programs, web servers, FTP, ham radio applications, and the like. I am using two more on other systems that I don't want to necessarily route through my Windows server. I often have more than 8 devices running on the network, so I can't get away with just using the WAN IPs for everything.

I don't like that all of my WLAN devices, or anything that I plug in that receives a LAN IP via DHCP has to route through the Windows box. That is why I want to set up one WAN IP on the Cisco so it can route and not Windows. The Cisco would also be a much more effective firewall than the Windows box would be, so I think it is sounding more like a job for static NAT. I've been teaching myself IOS for a year, but this is still a little too complex and a bit over my head.

I'm going to be moving everything over to the 2620 router, which is slightly different, but offers the same possibilities, if not more than the 877.  I sure appreciate your help and guidance.

-Phil

The simplest thing to do would be to use all RFC1918 internally, and use static NAT to allow outside reachability and overload NAT for "outbound only" traffic.

Select one address (you can even use the address of the router itself) to be the "overload" NAPT (Network Address and Port Translation) shared address, and then map the other addresses with static NAT maps.

You can use the RFC1918 addresses for your DNS, and the router NAT will take care of doing the DNS translation.

See http://www.cisco.com/en/US/tech/tk648/tk361/technologies_q_and_a_item09186a00800e523b.shtml for some NAT basics.

You should still bridge the wireless and ethernet into the irb, but use the ATM as a routed interface by using the RBE feature.
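
One way to configure the approach described in the last reply (RBE on the ATM side, one shared overload address, static NAT maps for the rest), added here as an example and not part of the original thread. The /24 WAN mask, the ATM0.1 subinterface and the inside hosts 192.168.1.10 and 192.168.1.11 are assumptions; the public addresses, gateway, PVC and BVI address are the ones given in the first post.

```cisco
! Added example, not from the thread. Assumed values are marked.
bridge irb
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
! ATM is no longer in bridge-group 1: RBE makes it a routed interface
! that still sends RFC 1483 bridged frames to the provider.
interface ATM0.1 point-to-point
 ! mask is an assumption; use the one your provider assigned
 ip address 11.22.33.99 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 atm route-bridged ip
 pvc 0/35
  encapsulation aal5snap
!
! LAN switch ports stay bridged into the BVI, as in the original config.
interface Vlan1
 no ip address
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 11.22.33.1
!
! Outbound-only hosts share the router's own address (overload / NAPT).
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface ATM0.1 overload
!
! One static map per published server (inside addresses are assumptions).
! A one-to-one map exposes every port of the inside host, so pair it
! with inbound filtering for the services you actually publish.
ip nat inside source static 192.168.1.10 11.22.33.166
ip nat inside source static 192.168.1.11 11.22.33.167
!
bridge 1 protocol ieee
bridge 1 route ip
```

With this layout the DHCP pool's default-router would point at the BVI address (192.168.1.1) rather than the Windows server, and `show ip nat translations` lists the static and overload entries once traffic flows.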
