12-04-2014 11:58 AM - edited 03-05-2019 06:54 AM
Cisco 877W router and external ADSL modem
In order to support ADSL2+ on a pre-ADSL2+ router, and in preparation for a later migration to BT Infinity, I am trying to configure the router appropriately using an external ADSL2+ modem.
The original configuration had 3 ports configured as one (internal LAN) VLAN and bridge group together with one wireless sub-interface, and the remaining port configured as a second VLAN and bridge group with a second wireless sub-interface. The Dialer was a member of the second bridge group. This way the second wireless interface and its associated bridge group provided a kind of DMZ for outbound access.
The configuration I am attempting is similar: the LAN ports remain the same, but port 0 is a member of the VLAN and bridge group (now a PPPoE client) associated with one of the wireless sub-interfaces as per above. The ATM interface is downed. This nearly works, except that if the wireless sub-interface on this bridge group is configured the dialer no longer dials, giving a 'no dialer string' error. If I do not configure that wireless sub-interface all works well.
If anyone is interested in looking I would appreciate any comments. I enclose a sanitised config in which you will note the 'commented out' wireless sub-interface (in red).
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname xxxxxxxxxxxxxxxxxxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 warnings
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa group server radius sdm-vpn-server-group-2
!
aaa group server radius rad_eap
server 192.168.253.1 auth-port 1812 acct-port 1813
server 192.168.253.1 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_2 group sdm-vpn-server-group-2
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa authorization ipmobile default group rad_pmip
aaa authorization network sdm_vpn_group_ml_2 local
aaa accounting network acct_methods start-stop group rad_acct
!
!
aaa session-id common
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-2834265337
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2834265337
revocation-check none
rsakeypair TP-self-signed-2834265337
!
!
crypto pki certificate chain TP-self-signed-2834265337
certificate self-signed 01 nvram:IOS-Self-Sig#2F.cer
dot11 syslog
!
dot11 ssid GuestAP
vlan 101
authentication open
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii 7 113B162712001F4A2D2B25
!
dot11 ssid LanAP
vlan 100
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa
mbssid guest-mode
!
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.252.1 192.168.252.8
ip dhcp excluded-address 192.168.252.15 192.168.252.254
!
ip dhcp pool sdm-pool1
import all
network 192.168.252.0 255.255.255.0
domain-name XXX.Local
dns-server xxx.xxx.xxx.xxx
default-router 192.168.252.254
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip bootp server
no ip domain lookup
ip domain name XXX.Local
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
ip reflexive-list timeout 120
!
vpdn enable
!
vpdn-group 1
request-dialin
protocol pppoe
!
!
!
username administrator privilege 15 secret 5 £££££££££££££££££££££
!
!
class-map type inspect match-any IN_to_OUT_CLASS
match protocol tcp
match protocol udp
match protocol icmp
class-map type inspect match-any OUT_to_IN_CLASS
match protocol https
match protocol smtp extended
class-map type inspect match-any DMZ_to_IN_CLASS
match protocol http
match protocol https
match protocol smtp extended
!
!
policy-map type inspect DMZ_to_IN_POL
class type inspect DMZ_to_IN_CLASS
inspect
class class-default
drop log
policy-map type inspect IN_to_OUT_POL
class type inspect IN_to_OUT_CLASS
inspect
class class-default
drop log
policy-map type inspect OUT_to_IN_POL
class type inspect OUT_to_IN_CLASS
inspect
class class-default
drop log
!
zone security INSIDE
zone security OUTSIDE
zone security DMZ
zone-pair security OUT_TO_IN source OUTSIDE destination INSIDE
service-policy type inspect OUT_to_IN_POL
zone-pair security IN_TO_OUT source INSIDE destination OUTSIDE
service-policy type inspect IN_to_OUT_POL
zone-pair security DMZ_TO_OUT source DMZ destination OUTSIDE
service-policy type inspect IN_to_OUT_POL
zone-pair security DMZ_TO_IN source DMZ destination INSIDE
service-policy type inspect DMZ_to_IN_POL
!
bridge irb
!
!
interface Loopback0
no ip address
!
interface Null0
no ip unreachables
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
interface FastEthernet0
description Outside Interface (PPPoE)
!
interface FastEthernet1
description Inside Interface
switchport access vlan 10
!
interface FastEthernet2
description Inside Interface
switchport access vlan 10
spanning-tree portfast
!
interface FastEthernet3
description Inside Interface
switchport access vlan 10
spanning-tree portfast
!
interface Dot11Radio0
no ip address
no ip route-cache cef
no ip route-cache
!
encryption vlan 100 mode ciphers aes-ccm tkip
!
encryption vlan 101 mode ciphers aes-ccm tkip
!
ssid GuestAP
!
ssid LanAP
!
mbssid
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2437
station-role root
!
interface Dot11Radio0.100
description LanAP
encapsulation dot1Q 100
no ip route-cache
no cdp enable
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
!
!interface Dot11Radio0.101
! description GuestAP
! encapsulation dot1Q 101
! no ip route-cache
! no cdp enable
! bridge-group 1
! bridge-group 1 subscriber-loop-control
! bridge-group 1 spanning-disabled
! bridge-group 1 block-unknown-source
! no bridge-group 1 source-learning
! no bridge-group 1 unicast-flooding
!
interface Vlan1
description $ES_LAN$
no ip address
ip virtual-reassembly
pppoe enable group global
pppoe-client dial-pool-number 1
bridge-group 1
!
interface Vlan10
no ip address
ip virtual-reassembly
bridge-group 10
!
interface Dialer1
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip nat outside
ip virtual-reassembly
zone-member security OUTSIDE
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname XXXXXXX
ppp chap password 7 xxxxxxxxxxxxxxxxxxx
ppp pap sent-username xxxxxxxxxxxxxxxxxx password 7 xxxxxxxxxxxxxxxxxxxxx
ppp ipcp dns request
ppp ipcp wins request
hold-queue 224 in
!
interface Dialer0
no ip address
!
interface BVI10
description Inside Interface
ip address 192.168.253.254 255.255.255.0
ip access-group 101 in
ip helper-address 192.168.253.1
ip nat inside
ip virtual-reassembly
zone-member security INSIDE
!
interface BVI1
description DMZ Interface
ip address 192.168.252.254 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security DMZ
!
ip local pool SDM_POOL_1 192.168.20.9 192.168.20.14
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list Inside_Clients_NAT interface Dialer1 overload
ip nat inside source static 192.168.253.10 xxx.xxx.xxx.xxx
!
ip access-list extended DMZ_to_IN_POL
remark SDM_ACL Category=128
permit ip any any
ip access-list extended Inside_Clients_NAT
remark SDM_ACL Category=2
permit ip 192.168.253.0 0.0.0.255 any
!
logging 192.168.253.10
access-list 1 remark Auto generated by SDM Management Access feature
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 192.168.253.0 0.0.0.255
access-list 100 remark VTY Access-class list
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip 192.168.253.0 0.0.0.255 any
access-list 100 deny ip any any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark SDM_ACL Category=1
access-list 101 remark Auto generated by SDM for NTP (123) xxx.xxx.xxx.xxx
access-list 101 permit udp host xxx.xxx.xxx.xxx eq ntp host 192.168.253.254 eq ntp
access-list 101 permit tcp 192.168.253.0 0.0.0.255 host 192.168.253.254 eq telnet
access-list 101 permit tcp 192.168.253.0 0.0.0.255 host 192.168.253.254 eq 22
access-list 101 permit tcp 192.168.253.0 0.0.0.255 host 192.168.253.254 eq www
access-list 101 permit tcp 192.168.253.0 0.0.0.255 host 192.168.253.254 eq 443
access-list 101 permit tcp 192.168.253.0 0.0.0.255 host 192.168.253.254 eq cmd
access-list 101 deny tcp any host 192.168.253.254 eq telnet
access-list 101 deny tcp any host 192.168.253.254 eq 22
access-list 101 deny tcp any host 192.168.253.254 eq www
access-list 101 deny tcp any host 192.168.253.254 eq 443
access-list 101 deny tcp any host 192.168.253.254 eq cmd
access-list 101 deny udp any host 192.168.253.254 eq snmp
access-list 101 permit ip any any
access-list 199 permit ip any host 10.1.1.1
dialer-list 1 protocol ip permit
no cdp run
!
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.253.1 auth-port 1812 acct-port 1813 key 7 XXXXXXXXXXXXXXXXXX
radius-server host 192.168.253.1 auth-port 1645 acct-port 1646 key 7 XXXXXXXXXXXXXXXXXX
radius-server vsa send accounting
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 10 protocol ieee
bridge 10 route ip
banner login C Border Router
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
access-class 100 in
privilege level 15
length 0
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler interval 500
ntp server xxx.xxx.xxx.xxx source Dialer0 prefer
ntp server xxx.xxx.xxx.xxx source Dialer0 prefer
sntp server xxx.xxx.xxx.xxx
end
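Before taking a sanitised config like the one above at face value, it is worth running a quick lint over the management and secret-handling settings it contains. The script below is an added example, not part of the original thread or of any Cisco tool; SAMPLE_CONFIG and HARDENED_CONFIG are constructed, indented excerpts modelled on the poster's config (real `show running-config` output indents child lines, which the parser relies on). The checks are generic IOS facts: `transport input telnet` on a vty line allows cleartext management, `ip http server` is the plain-HTTP management interface, and type-7 secrets (`key 7`, `password 7`, `wpa-psk ascii 7`) are reversible obfuscation rather than hashes, so `service password-encryption` alone does not protect them.

```python
"""Lint a Cisco IOS running-config for cleartext management and weak secrets.

Added example for this thread; the sample configs below are constructed
excerpts, not the poster's full configuration.
"""
import re
from typing import List, Tuple

# Constructed, indented excerpt with the settings the thread's config shows.
SAMPLE_CONFIG = """\
service password-encryption
!
enable secret 5 $1$placeholder
!
dot11 ssid GuestAP
 vlan 101
 wpa-psk ascii 7 113B162712001F4A2D2B25
!
ip http server
ip http secure-server
!
radius-server host 192.168.253.1 auth-port 1812 acct-port 1813 key 7 0123456789ABCDEF
!
line con 0
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 access-class 100 in
 transport input telnet ssh
line vty 5 15
 transport input ssh
!
end
"""

# Constructed excerpt with the same sections corrected.
HARDENED_CONFIG = """\
service password-encryption
!
enable secret 5 $1$placeholder
!
no ip http server
ip http secure-server
!
line vty 0 4
 access-class 100 in
 transport input ssh
!
end
"""

Block = Tuple[str, List[str]]  # (section header, indented child lines)

# Matches the reversible type-7 forms: "password 7 X", "key 7 X", "wpa-psk ascii 7 X".
TYPE7_RE = re.compile(r"\b(?:password|key|wpa-psk ascii)\s+7\s+\S+")


def parse_sections(config: str) -> List[Block]:
    """Split an indented IOS config into (header, children) blocks.

    A line without leading whitespace starts a new block; indented lines belong
    to the most recent header. Separator/comment lines starting with '!' are skipped.
    """
    blocks: List[Block] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def lint(config: str) -> List[str]:
    """Return one human-readable finding per weak setting found."""
    findings: List[str] = []
    blocks = parse_sections(config)
    top_level = {header for header, _ in blocks}

    if "ip http server" in top_level:
        findings.append("ip http server: plain-HTTP management enabled; "
                        "use 'no ip http server' and keep only ip http secure-server")

    for header, children in blocks:
        if header.startswith("line vty"):
            transports = [c for c in children if c.startswith("transport input")]
            if any("telnet" in t.split() for t in transports):
                findings.append(f"{header}: transport input permits telnet (cleartext); restrict to ssh")
            if not any(c.startswith("access-class") for c in children):
                findings.append(f"{header}: no access-class; management is reachable from any source")
        for line in [header, *children]:
            if TYPE7_RE.search(line):
                findings.append(f"{header}: '{line.split()[0]}' uses a type-7 secret, "
                                "which is reversible obfuscation rather than a hash")
    return findings


if __name__ == "__main__":
    for f in lint(SAMPLE_CONFIG):
        print("WARN", f)
    print("hardened findings:", lint(HARDENED_CONFIG))
```

On the sample excerpt the linter reports five findings (plain HTTP, the telnet vty transport, the vty range without an access-class, and the two type-7 secrets); the hardened excerpt produces none. Extend `lint()` with further block-level checks in the same shape as the `line vty` one.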
12-04-2014 04:45 PM
As a note, the 877W is fully ADSL2+ capable. You just have to make sure that the latest DSL modem firmware is installed in the flash. I have a number of them in a DMVPN configuration that I support and they work just fine.
That said, combining a bridge group with a PPPoE configuration on an interface may not work. If you really need to do this, you could try putting the PPPoE client on the BVI interface instead, but I'm not sure how well that will work.
Can you clarify what you're trying to accomplish by this? Are you trying to allow wireless clients to engage their own PPPoE sessions with the ISP?
12-05-2014 05:17 AM
Hi Jody, thanks for your reply.
Firstly, regarding the 877 ADSL2+ capability: I understand that earlier models (such as mine) do not fully support this standard (Annex M?) even using the latest firmware. By using an external ADSL2+ capable modem I have doubled the maximum connect speeds.
What I am trying to achieve are two WAPs, one with just outbound access (Guests), the other with full LAN access.
The rather annoying thing is that at one point I had this working, even, I think, over a router restart or two! But I can't seem to get back to that point!
Regards,
12-05-2014 04:12 PM
If you've got annex M, that's a different story and requires a different model. It isn't really newer or older, just different. In any case, now I get why you're using an external device.
What happened when you tried applying the PPPoE client to the BVI instead of the physical interface?
12-06-2014 04:11 AM
Jody, thanks again,
Sorry, I meant to mention that in my previous reply. It is not possible to add the PPPoE client to the BVI; it's not an available command in that context.
What really gets me is that this was working for some time, even over reload. It all went haywire when I was fiddling around with the SMTP extended filtering, and then when I reverted to an older config that didn't work either. I know that this doesn't make much sense, but somehow/somewhere something has changed.
Regards,
12-07-2014 06:55 AM
It's hard to say what went wrong without having the working configuration to work from. That said, what if we give it what it's asking for and provide a dummy dial string?
12-10-2014 08:55 AM
Hi Jody,
Apologies for the delay in replying. I have done the following:
Made two of the FE ports VLAN 1/BVI1 (for LAN traffic).
Left one port as VLAN 10 as the PPPoE client connected to the external modem.
Made the last port VLAN 10 as well and gave it an IP address as for a DMZ client.
I have DHCP configured to serve the DMZ addresses.
This all works for LAN clients and also works for a client attached to that physical DMZ port.
When I added a dot11radio sub-interface into VLAN 10 the wireless client did not get an IP lease. Everything else continued to work.
I had never thought about this before, but if a dot11radio interface is on the same VLAN (but not part of a bridge group), why are DHCP broadcasts not propagating to all the VLAN members as I would have expected? I recognise that this is a limit in my understanding.
If I then made VLAN 10 a member of a new bridge group, I lost WAN connectivity as per the original posting.
I cannot add another VLAN due to the 2-VLAN limit in this image.
Finally, regarding your comment about giving it what it wants, what exactly did you have in mind? The dialer already has dial string parameters configured.
I think I am about to give up on this.
Regards,
01-30-2015 06:20 AM
I have had another go at this. On the assumption that I had lost touch with reality concerning the original config, I have reworked this now. I have configured one wireless sub-interface on a bridge group with the inside network VLAN and configured the other wireless sub-interface as a routed interface. In this way I can use the 2nd available VLAN on the 877 for the PPPoE connection. If anyone is interested in this, please post a reply to that effect.
07-31-2019 02:08 AM
This is really great to see that you are explaining this code properly. The solution you are providing is good. I also solved Netgear router password issues from your solution. All credit goes to you and it's really well-explained code. But here I have modified some of the things which are not available for my router.