Cisco C1101 with Watchguard cluster

RikSpijkers · ‎03-13-2023

Dear community,

I have a WG M270 cluster and would like to connect to the outside world via a Cisco C1101-4P.
The WG cluster (active/passive mode) has network w.x.y.130 assigned to the ports that go to the Cisco.
Our network is w.x.y.129/28 (so we have 16 addresses available). At this moment, I have internet access from the
Cisco router (I am able to ping to 8.8.8.8) but with my current configuration I don't have internet available through the
WG cluster. Does anyone have an idea how to get w.x.y.130 on both GigabitEthernet0/1/0 and GigabitEthernet0/1/1 ports
(so in case of failover one or the other port is used by the Watchguard)?

Thanks!

My config is as follows;

version 16.10
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service call-home
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname VB-RTR-01
!
boot-start-marker
boot-end-marker
!
!
enable password 7 132D20343315552B78161217347B392D3D0406584B
!
no aaa new-model
!
!
ip dhcp pool ipv4-dhcp-pool
import all
origin ipcp
lease 3
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
vtp mode transparent
multilink bundle-name authenticated
!
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
spanning-tree vlan 1 priority 61440
!
!
!
redundancy
mode none
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface GigabitEthernet0/0/0
description Fiber
no ip address
ip mtu 1492
ip nat outside
ip tcp adjust-mss 1412
negotiation auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface Vlan1
description To Customer LAN
ip address dhcp
no ip proxy-arp
ip nat inside
ip verify unicast source reachable-via rx allow-self-ping
ip route-cache same-interface
load-interval 30
!
interface Dialer1
ip address negotiated
ip nat outside
encapsulation ppp
ip tcp adjust-mss 1412
dialer pool 1
dialer idle-timeout 0
dialer persistent
dialer-group 1
ppp mtu adaptive
ppp authentication pap callin
ppp pap sent-username REMOVED FOR PRIVACY PURPOSES
ppp ipcp dns request
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 121 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
access-list 121 permit ip any any
dialer-list 1 protocol ip permit
!
!
snmp-server community CiscoRTR RO
!
!
control-plane
!
banner login ^CCAccess for authorized users only. Please enter your username and password. Unauthorized access will be reported!^C
!
line con 0
transport input none
stopbits 1
line vty 0 4
login
!
!
!
!
!
!
end

mlund · ‎03-16-2023

I have no experience with C1101, but a few things to try. First your network is not w.x.y.129/28 it is w.x.y.128/28. So your available addresses are 129-142. I suggest to configure the inside interface with a fix address, for example w.x.y.129/28, this address is then used as default-gateway for your inside computers. Then you change your nat source list from access-list 121 to a number between 1-99, for example access-list 21 permit w.x.y.128/28. Because many reports that there are problems with nat and access-list using any any.

For the backup interface, I'm not sure what C1101 supports, so I give two example. First, if you wan't to use vlan 1, then you have to make the g0/1/0 and g0/1/1 a switchport, I think it's a routed port by default. This is done with the command "switchport" followed by "switchport mode access" under respective interface. If this is not supported, you can try to remove interface vlan1, and configure a "interface BVI 1" instead. Complete configuration is explained here by @peter.paluch

https://community.cisco.com/t5/switching/bvi-what-is-it-and-what-are-its-uses/td-p/2373489

RikSpijkers · ‎03-16-2023

Hi mlund,
Thanks for your reply. I am just out of the server room and found the solution myself The configuration is as follows:

ip dhcp pool ipv4-dhcp-pool
import all
origin ipcp
dns-server 195.121.1.34 195.168.1.66
lease 3
!
spanning-tree extend system-id
spanning-tree vlan 1 priority 61440
!
interface GigabitEthernet0/0/0
description Fiber
no ip address
ip mtu 1492
ip nat outside
ip tcp adjust-mss 1412
load-interval 30
negotiation auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface Vlan1
description To Customer LAN
ip address pool ipv4-dhcp-pool
no ip proxy-arp
ip nat inside
ip verify unicast source reachable-via rx allow-self-ping
ip access-group 99 out
ip route-cache same-interface
load-interval 30
!
interface Dialer1
ip unnumbered Vlan1
encapsulation ppp
ip tcp adjust-mss 1412
dialer pool 1
dialer idle-timeout 0
dialer persistent
dialer-group 1
ppp mtu adaptive
ppp authentication pap callin
ppp pap sent-username xxxxxxxx password xxxxxxx
ppp ipcp dns request
ppp ipcp mask request
ppp ipcp address accept
!
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip nat inside source list 121 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!