Cisco 887VA Fail Over

DOUGLAS DRURY
Level 1

Hi,

I have a Cisco 887VA router; the problem is I'm trying to figure out how I can have a failover between two ADSL lines if the main one goes off.

The router has one ADSL/VDSL port and 4 LAN ports.  I have some ADSL modems but I'm not sure what technology to use.

Does anyone have a suggestion?

Thanks

Doug

1 Accepted Solution

Accepted Solutions

Hi Doug,

You are right - the Dialer interfaces are always up and even if they do not have an IP address currently assigned, they nonetheless may participate in the routing table as egress interfaces for static routes. We'll need to modify our configuration somewhat.

Please paste the following lines into your configuration:

no ip route 0.0.0.0 0.0.0.0 Dialer0
no ip route 0.0.0.0 0.0.0.0 Dialer1
!
track 1 interface Dialer0 ip routing
track 2 interface Dialer1 ip routing
!
ip route 0.0.0.0 0.0.0.0 Dialer0 2 track 1
ip route 0.0.0.0 0.0.0.0 Dialer1 track 2

What I am doing here is first removing the existing two default routes and then introducing two so-called track objects - objects that verify a specific property of a certain router or IOS component or mechanism, and then report Up or Down status based on this property. The track object 1 checks whether the Dialer0 has an IP address assigned and is thus fully capable of participating in routing. The track object 2 does the same for Dialer1 interface. Afterwards, the static default routes are configured again, but this time, they are subjected to the states of the tracking object. The default route through Dialer1 will only be considered to be installed into the routing table if the track object 2 says it is Up, meaning that Dialer1 has its IP address assigned. Similarly, the default route through Dialer0 will only be considered to be installed into the routing table if the track object 1 says it is Up, meaning that Dialer0 has its IP address assigned. If both track objects are up then it is up to administrative distances to decide which one of these two goes into the routing table, with the path through Dialer1 being preferred. If only one of the track objects is up, there is no tie between the default routes, as the one with its tracking object being Down is prohibited from entering the routing table anyway.

Would you please mind testing this out?

Best regards,
Peter
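To make the difference between the AD-only pair of default routes from the earlier post and the tracked pair above concrete, here is an added Python model of how IOS picks the candidate that lands in the routing table; it is not code from the thread. Interface names, track numbers and distances are Peter's; the modem-outage scenario is constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# track 1 watches Dialer0, track 2 watches Dialer1 (accepted solution)
TRACKS = {1: "Dialer0", 2: "Dialer1"}

@dataclass
class StaticRoute:
    egress: str
    distance: int = 1            # IOS default administrative distance
    track: Optional[int] = None  # track object the route depends on

def track_up(track_id: int, has_ip: Dict[str, bool]) -> bool:
    """'track N interface DialerX ip routing': Up only while the Dialer
    holds a negotiated address, i.e. can actually route."""
    return has_ip[TRACKS[track_id]]

def installed_default(routes: List[StaticRoute],
                      has_ip: Dict[str, bool]) -> Optional[str]:
    """Egress of the default route that lands in the routing table,
    or None when no candidate is eligible."""
    eligible = []
    for r in routes:
        # A Dialer interface is always up/up, so an untracked static
        # route is always a candidate; a tracked route additionally
        # needs its track object to report Up.
        if r.track is not None and not track_up(r.track, has_ip):
            continue
        eligible.append(r)
    if not eligible:
        return None
    return min(eligible, key=lambda r: r.distance).egress  # lower AD wins

# Route sets from the thread: the AD-only attempt and the tracked fix.
AD_ONLY = [StaticRoute("Dialer1"), StaticRoute("Dialer0", distance=2)]
TRACKED = [StaticRoute("Dialer1", track=2),
           StaticRoute("Dialer0", distance=2, track=1)]

def failover(vdsl_has_ip: bool, adsl_has_ip: bool = True):
    """Constructed scenario: the VDSL modem loses power, so Dialer1 stays
    up/up but drops its address. Returns (AD-only egress, tracked egress)."""
    has_ip = {"Dialer0": adsl_has_ip, "Dialer1": vdsl_has_ip}
    return (installed_default(AD_ONLY, has_ip),
            installed_default(TRACKED, has_ip))

if __name__ == "__main__":
    print(failover(vdsl_has_ip=True))   # ('Dialer1', 'Dialer1')
    print(failover(vdsl_has_ip=False))  # ('Dialer1', 'Dialer0'): AD-only black-holes
```

Note that an `ip routing` track only goes Down when the Dialer loses its negotiated address; an upstream outage that leaves the PPP session up is not detected, which is what `ip sla` probes combined with `track N ip sla N reachability` are for.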



Peter Paluch
Cisco Employee

Hi Doug,

So if I understand you correctly, you have exactly one Cisco 887VA router with a built-in ADSL/VDSL interface, and another set of standalone ADSL modems (truly modems or modems+routers?), and you want to configure the 887 so that if the primary ADSL link goes down, another one will take over. Is that correct?

What you could do is to reserve one of the LAN ports as an additional "WAN" port to which the extra ADSL modem would be connected. You would run PPPoE over this additional "WAN" port through the ADSL modem to your ISP, and you would have two default routes configured on the 887, one pointing to the primary link, and if that one goes down, a second default route pointing through the added ADSL modem.

This setup assumes a series of requirements:

  • Your ISP must support PPPoE because that is what you would be running over the added ADSL modem. PPPoA would not be usable here because it requires direct encapsulation into ATM with no intermediary Ethernet anywhere in between.
  • You either need to make sure that your ISP allows you to login twice using the same login/password, or - if not - have two distinct user accounts, or even two distinct ISPs.
  • You obviously need to have multiple ADSL lines brought into your premises.
  • The ADSL modems must truly operate just as modems in bridged (RFC1483/2684) mode. If they operate as routers plus ADSL modems, the setup will be slightly different.

Would this be feasible for you?

Best regards,
Peter

HI Peter,

Yes, you understood me correctly.  Your assumptions are correct.  I've got a selection of modem-only units and modems with routing.  The ISPs are different and support PPPoA and PPPoE.

Thanks,

Doug

Hi Doug,

Okay, perfect :)

Would it be possible for you to post your current configuration of the 887 router after removing all sensitive information? It would help me very much to suggest the needed changes to the configuration. I can do it without seeing your config but that would require me to do it in a very general way, not tailored for your current addressing etc.

Best regards,
Peter

Thanks Peter,

Just a few notes about the config.  I've set up Dialer1 ready for VDSL as the new line being installed is VDSL.  The telco is supplying a new VDSL modem only; this could probably be plugged into one of the LAN ports and be set as the primary link. Is that possible?


SE-RT-01#sh run
Building configuration...

Current configuration : 5413 bytes
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SE-RT-01
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 ****
!
aaa new-model
!
!
aaa authentication login VPNUSERSAUTH local
aaa authorization network VPNUSERS local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-3340949772
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3340949772
 revocation-check none
 rsakeypair TP-self-signed-3340949772
!
!

!
ip domain name ****
ip name-server 192.168.20.201
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO887VA-SEC-K9 sn ****
!
!
username **** privilege 15 secret 5 ****
!
!
!
!
!
controller VDSL 0
!
!
!
crypto isakmp policy 7
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPNUSERS
 key ****
 dns 192.168.20.201
 domain ****
 pool VPN-POOL
 acl VPNSPLIT
!
!
crypto ipsec transform-set **** esp-3des esp-md5-hmac
 mode tunnel
!
!
!
crypto dynamic-map ****
 reverse-route
!
!
crypto map MAP-OUTSIDE client authentication list VPNUSERSAUTH
crypto map MAP-OUTSIDE isakmp authorization list VPNUSERS
crypto map MAP-OUTSIDE client configuration address respond
crypto map MAP-OUTSIDE 1 ipsec-isakmp dynamic VPNDYNMAP
!
!
!
!
!
interface Ethernet0
 no ip address
 shutdown
!
interface Ethernet0.101
 encapsulation dot1Q 101
 shutdown
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 switchport access vlan 20
 no ip address
!
interface FastEthernet3
 switchport access vlan 20
 no ip address
!
interface Vlan1
 description TEMP_INTERFACE
 no ip address
 ip nat inside
 ip virtual-reassembly in
 shutdown
!
interface Vlan20
 description Coporate_LAN
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Dialer0
 description BT ADSL
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname username@isp.com
 ppp chap password 0 Password
 crypto map MAP-OUTSIDE
!
interface Dialer1
 description BT VDSL
 mtu 1492
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 shutdown
 dialer pool 1
 ppp authentication pap chap ms-chap callin
 ppp ipcp address accept
 no cdp enable
 crypto map MAP-OUTSIDE
!
ip local pool VPN-POOL 10.1.74.5 10.1.74.250
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source list NAT interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended NAT
 deny   ip 192.168.20.0 0.0.0.255 10.1.74.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 any
ip access-list extended VPNSPLIT
 permit ip 192.168.20.0 0.0.0.255 10.1.74.0 0.0.0.255
!
!
!
!
!
control-plane
!
!
banner login ^C
***************************************************************************

This Router is the property of ****

Unauthorized access to this router is prohibited


This router is managed and supported by ****

If you are not authorized you are obligated to disconnect now!

***************************************************************************
^C
!
line con 0
 logging synchronous
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 transport input telnet ssh
 transport output telnet ssh
!
!
end

SE-RT-01#

 

Hi Peter,

Hope you are well.  Just wondering if you have managed to have a look at my config?

Thanks,

Doug

Hi Doug,

Sorry for the delay - this week turned out to be busier than I anticipated.

Okay, the configuration looks good for the most part. There are two main issues:

  1. Both the old DSL and the new VDSL connections are configured for dialer pool 1. This is not correct because this makes them indistinguishable to the Dialer interfaces. You want Dialer0 to be tied to the old DSL only and Dialer1 to be tied to the VDSL only. To accomplish this, rewrite the Ethernet0.101 configuration as follows:

    interface Ethernet0.101
     encapsulation dot1q 101
     pppoe-client dial-pool-number 2


    Specifically, remove and do not put back the pppoe enable group global command - this one starts a PPPoE server feature while you are only a client, not a server.

    In addition, on Dialer 1, remove the dialer pool 1 command and replace it with dialer pool 2.
     
  2. The Ethernet0 is probably just a 10Mbps interface, and you would want higher speeds with VDSL. In order to move the configuration to one of the FastEthernet interfaces, you would delete the entire Ethernet0.101 subinterface and then proceed as follows:

    vlan 101
     name BT_VDSL
     exit
    !
    no spanning-tree vlan 101 ! May not be supported
    !
    interface FastEthernet0
     switchport mode trunk
     switchport trunk allowed vlan 101
    !
    interface Vlan101
     pppoe-client dial-pool-number 2
     no shutdown


    The requirement to change the dialer pool command on Dialer1 to 2 still holds.

After this is accomplished, further modification of the configuration would basically deal with making the VDSL the primary link, and with performing NAT correctly based on which link is currently being used:

no ip nat inside source list NAT interface Dialer0 overload
no ip route 0.0.0.0 0.0.0.0 Dialer0
!
route-map NAT_Old_DSL permit 10
 match ip address NAT
 match interface Dialer0
!
route-map NAT_VDSL permit 10
 match ip address NAT
 match interface Dialer1
!
ip nat inside source route-map NAT_Old_DSL interface Dialer0 overload
ip nat inside source route-map NAT_VDSL interface Dialer1 overload
!
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 0.0.0.0 0.0.0.0 Dialer0 2

 

Please be sure to backup your current configuration before making these changes. Let me know if they worked!

Best regards,
Peter

Thanks Peter!

My current NAT rule is called NAT. I take it all I need to do is delete it and make two new ones like the ones below?

ip access-list extended NAT_VDSL
 deny   ip 192.168.20.0 0.0.0.255 10.1.74.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 any

ip access-list extended NAT_Old_DSL
 deny   ip 192.168.20.0 0.0.0.255 10.1.74.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 any

Remote access VPN would stay unmodified?

ip access-list extended VPNSPLIT
 permit ip 192.168.20.0 0.0.0.255 10.1.74.0 0.0.0.255

 

In this command, ip route 0.0.0.0 0.0.0.0 Dialer0 2, does the "2" dictate that it's used when the VDSL is down?

Hi Doug,

My current NAT rule is called NAT. I take it all I need to do is delete it and make two new ones like the ones below?

No, that would not be correct. Follow my configuration from the previous post precisely and exactly. Your suggestion would just create two ACLs with identical contents. The point of my configuration is to create two route-maps that further tighten down the NAT operation, making the NAT pay attention not only to the ACL (which stays unmodified) but also to the output interface, and select the proper IP address for address translation based on what interface the packets go out.

The configuration snippet I have posted is tailored to be copy-and-pasted into your current configuration.

Remote access VPN would stay unmodified?

Yes.

In this command, ip route 0.0.0.0 0.0.0.0 Dialer0 2, does the "2" dictate that it's used when the VDSL is down?

The number "2" is called an administrative distance, and it defines the preference of the static route. If not specified, it equals 1, and lower is better. So with my suggested configuration change, the path through Dialer1 will be preferred, and only if Dialer1 is entirely down will the default route through Dialer0 take over.

Best regards,
Peter

Excellent, thanks for clearing that up for me.  Much appreciated, Peter. I'll be sure to let you know how it goes on Saturday.

Hi Peter,

Small problem I've got: when I try to run the command switchport trunk allowed vlan 101 I get this error:

SE-RT-01(config-if)#switchport trunk allowed vlan 101
Command rejected: Bad VLAN allowed list. You have to include all default vlans, e.g. 1-2,1002-1005.

Any suggestions?

 

Thanks,

Doug

 

Hi Doug,

Your IOS or the switch built into the router is apparently one of the older types that requires the list of built-in VLANs to be always allowed on every trunk.

Therefore, replace the offending command

switchport trunk allowed vlan 101

with

switchport trunk allowed vlan 1,101,1002-1005

The remaining part of the configuration remains unchanged.

Best regards,
Peter

Thanks,

 

I added in that command; however, Dialer1 isn't connecting anymore.  I added my VLAN 20, which is used for all data, as we don't use VLAN 1 on the network.  I tried it with and without 20:

 

switchport trunk allowed vlan 1,101,1002-1005

 

Thanks

Doug

Doug,

You will of course need to move the cable from the Ethernet0 to the FastEthernet0 port because now the PPPoE client for Dialer1 is bound to send its frames out through VLAN 101, and the only port in VLAN 101 is the FastEthernet0.

Please do not add any other VLANs to the list of VLANs I have defined before. Specifically, remove the VLAN 20 you have added there. You have to keep in mind that you do not want your VLANs to leak directly into your ISPs network which is exactly what you do if you allow that VLAN on the FastEthernet0 interface. Your VLANs must stay contained inside your internal network, and only the packets from these VLANs will be routed across (not switched). The sequence is: From internal VLANs out to Dialer1, which in turn uses PPPoE client running on interface Vlan101, which in turn sends out its frames through ports in VLAN101, which is only the FastEthernet0.

Best regards,
Peter

Thanks Peter,

I took VLAN 20 out of the command; however, it didn't work.  I set the native VLAN on FastEthernet0 to 101 and it's now working.

The other problem is that the failover isn't working. Currently we are on the VDSL line :) but when I simulate an outage, such as power to the modem being lost, the PCs get errors when they try to access web pages.