Solved: Re: Cisco 877 router - Allow PING/SSH to BVI interface via DSL link

xianglind · ‎09-26-2017

Hi There,

I am trying to configure a cisco 877 router, with DSL bridge mode. I want to create an IP interface on the router that allows user to ping or ssh to it over the internet via DSL interface.

I have the following config: I can ssh to BVI interface via local FE port, however, users on the other end of the network (over ADSL network) is not able to ping the BVI IP address.

Could you please help me check if the config is correct?

no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname CardaxTest
boot-start-marker
boot-end-marker
enable secret 0 cisco
no aaa new-model
resource policy
ip cef
ip domain name cardax.com
crypto key generate
1024
ip ssh version 2
username cisco privilege 15 secret 0 cisco

bridge irb

interface ATM0
no ip address
no atm ilmi-keepalive
pvc 0/109
encapsulation aal5snap
!

dsl operating-mode auto
bridge-group 1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!

interface Vlan1
no ip address
bridge-group 1
!

interface BVI1
ip address <<IP_address Mask>>
ip virtual-reassembly
!

ip route 0.0.0.0 0.0.0.0 ATM0
ip route <<Network_address Mask>> BVI1
!
no ip http server
no ip http secure-server
!

control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
password cisco
login
no modem enable
line aux 0
line vty 0 4
login local
transport input ssh
!
scheduler max-task-time 5000

Georg Pauwen · ‎09-26-2017

Hello,

the BVI IP address needs to be the default gateway for all your clients. The below config should allow your server and LAN clients to ping the BVI:

no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname CardaxTest
boot-start-marker
boot-end-marker
enable secret 0 cisco
no aaa new-model
resource policy
ip cef
ip domain name cardax.com
crypto key generate
1024
ip ssh version 2
username cisco privilege 15 secret 0 cisco
!
bridge irb
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 0/109
encapsulation aal5snap
pppoe-client dial-pool-number 1
!
dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
no ip address
bridge-group 1
!
interface BVI1
ip address 10.11.146.240 255.255.254.0
ip virtual-reassembly
!
interface Dialer0
description --- Internet ADSL ---
ip address negotiated
ip mtu 1460
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1420
dialer pool 1
dialer-group 1
ppp chap hostname
ppp chap password
!
ip nat inside source list 1 interface Dialer0 overload
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 1 permit 10.0.0.0

no ip http server
no ip http secure-server
!

control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
password cisco
login
no modem enable
line aux 0
line vty 0 4
login local
transport input ssh
!
scheduler max-task-time 5000

View solution in original post

Georg Pauwen · ‎09-26-2017

Hello,

with your current configuration, your router is not set up for Internet access at all. What do you want to accomplish, to have the BVI get the public IP address ?

Below is a configuration that should at least give you Internet access. Try to establish that first...

no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname CardaxTest
boot-start-marker
boot-end-marker
enable secret 0 cisco
no aaa new-model
resource policy
ip cef
ip domain name cardax.com
crypto key generate
1024
ip ssh version 2
username cisco privilege 15 secret 0 cisco
!
bridge irb
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 0/109
encapsulation aal5snap
pppoe-client dial-pool-number 1
!
dsl operating-mode auto
bridge-group 1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
no ip address
bridge-group 1
!
interface BVI1
ip address <<IP_address Mask>>
ip nat inside
ip virtual-reassembly
!
interface Dialer0
description --- Internet ADSL ---
ip address negotiated
ip mtu 1460
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1420
dialer pool 1
dialer-group 1
ppp chap hostname
ppp chap password
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.1 22 interface Dialer0 22
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 1 permit 192.168.1.0

no ip http server
no ip http secure-server
!

control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
password cisco
login
no modem enable
line aux 0
line vty 0 4
login local
transport input ssh
!
scheduler max-task-time 5000

xianglind · ‎09-26-2017

Thank you for your reply. the purpose is to use this modem to carry some traffic from LAN interface to a server in the network. I don't need internet access, at least not to the public internet.

So I have some devices connects to FE port on the 877, and 877 connects to a DSLAM, then the DSLAM connects to a server.

I just want to configure a simple bridge, and asign an IP address to the 877 for troubleshooting purpose. So ppl at server end can ssh or ping the 877.

At the moment, the end device talks to the server OK. Server can ping end devices behind the 877, but cannot ping 877's IP addresss.

Georg Pauwen · ‎09-26-2017

Hello,

understood. So basically, the BVI is your layer 3 interface. What is the IP address you have assigned to the BVI ? Is that in the same address space as the server and the LAN devices ?

xianglind · ‎09-26-2017

IP address on BVI is 10.11.146.240/23 and server and LAN device IP are within the same subnet.

Georg Pauwen · ‎09-26-2017

Hello,

the BVI IP address needs to be the default gateway for all your clients. The below config should allow your server and LAN clients to ping the BVI:

no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname CardaxTest
boot-start-marker
boot-end-marker
enable secret 0 cisco
no aaa new-model
resource policy
ip cef
ip domain name cardax.com
crypto key generate
1024
ip ssh version 2
username cisco privilege 15 secret 0 cisco
!
bridge irb
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 0/109
encapsulation aal5snap
pppoe-client dial-pool-number 1
!
dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
no ip address
bridge-group 1
!
interface BVI1
ip address 10.11.146.240 255.255.254.0
ip virtual-reassembly
!
interface Dialer0
description --- Internet ADSL ---
ip address negotiated
ip mtu 1460
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1420
dialer pool 1
dialer-group 1
ppp chap hostname
ppp chap password
!
ip nat inside source list 1 interface Dialer0 overload
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 1 permit 10.0.0.0

no ip http server
no ip http secure-server
!

control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
password cisco
login
no modem enable
line aux 0
line vty 0 4
login local
transport input ssh
!
scheduler max-task-time 5000

xianglind · ‎09-26-2017

Hi Georg,

I have tested my config in lab, and it seems to be working. i am able to ping the BVI interface from DSLAM side.

But in real network, we have some firewalls and routers in place between server. Probably it's once of those devices blocking the traffic. :)

Thanks a lot for your help,

Xianglin