Cisco ISR 897 arp issue (I guess)

RokasK
Level 1

Hello,

I have Virgin Media fiber coming to a Virgin Hub 3 (in modem mode), and from the hub connected to the 897 ISR "GE WAN" port, which comes up as Gi8. The problem is that any website takes about 5 seconds to start loading and I have a very weird ARP table. I tried to implement no ip proxy-arp on Gi8 but no difference.

Please find configuration and ARP table.

2 Accepted Solutions
7 Replies

Hello,

make the changes marked in bold:

Current configuration : 5809 bytes
!
! Last configuration change at 19:33:17 UTC Tue Apr 6 2021 by noname
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco_isr
!
boot-start-marker
boot config usbflash0:CVO-BOOT.CFG
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 5 $1$wyMt$1Di1CSiiQTzThkCvExLLl0
!
no aaa new-model
ethernet lmi ce
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.10.5
ip dhcp excluded-address 10.10.10.3
ip dhcp excluded-address 10.10.10.7
ip dhcp excluded-address 10.10.10.15
ip dhcp excluded-address 10.10.10.16
ip dhcp excluded-address 10.10.10.17
ip dhcp excluded-address 10.10.10.18
ip dhcp excluded-address 10.10.10.19
ip dhcp excluded-address 10.10.10.20
ip dhcp excluded-address 10.10.10.21
ip dhcp excluded-address 10.10.10.22
ip dhcp excluded-address 10.10.10.23
ip dhcp excluded-address 10.10.10.24
ip dhcp excluded-address 10.10.10.25
ip dhcp excluded-address 10.10.10.4
!
ip dhcp pool cvo-pool
--> no import all
network 10.10.10.0 255.255.255.224
default-router 10.10.10.1
--> dns-server 8.8.8.8 4.2.2.2
lease 0 2
!
ip domain name yourdomain.com
ip name-server 8.8.8.8
ip name-server 1.1.1.1
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
chat-script lte "" "AT!CALL" TIMEOUT 20 "OK"
!
license udi pid C897VAG-LTE-GA-K9 sn FCZ194393LQ
!
vtp mode transparent
username noname privilege 15 secret 5 $1$/gNb$r3Rs2Dhf0v6U1JpfAENv20
!
controller VDSL 0
!
controller Cellular 0
lte modem link-recovery rssi onset-threshold -110
lte modem link-recovery monitor-timer 20
lte modem link-recovery wait-timer 10
lte modem link-recovery debounce-count 6
no cdp run
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface Cellular0
no ip address
encapsulation slip
shutdown
dialer in-band
dialer string lte
!
interface Cellular1
no ip address
encapsulation slip
!
interface Ethernet0
no ip address
!
interface GigabitEthernet0
no ip address
spanning-tree portfast
!
interface GigabitEthernet1
no ip address
spanning-tree portfast
!
interface GigabitEthernet2
no ip address
spanning-tree portfast
!
interface GigabitEthernet3
no ip address
duplex full
speed 1000
!
interface GigabitEthernet4
no ip address
spanning-tree portfast
!
interface GigabitEthernet5
no ip address
spanning-tree portfast
!
interface GigabitEthernet6
no ip address
spanning-tree portfast
!
interface GigabitEthernet7
no ip address
spanning-tree portfast
!
interface GigabitEthernet8
description $ES_WAN$$FW_OUTSIDE$
no ip dhcp client request tftp-server-address
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip inspect DEFAULT100 out
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.10.10.1 255.255.255.224
--> no ip access-group 100 in
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface GigabitEthernet8 overload
--> no ip route 0.0.0.0 0.0.0.0 GigabitEthernet8
ip route 0.0.0.0 0.0.0.0 GigabitEthernet8 dhcp
!
--> no access-list 1 permit 10.10.10.0 0.0.0.7
access-list 1 permit 10.10.10.0 0.0.0.31
--> no access-list 1 permit 10.0.0.0 0.255.255.255
access-list 23 permit 10.10.10.0 0.0.0.7
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
login local
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line 3
script dialer lte
no exec
line 8
no exec
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

Doesn’t work at all now

I do not know an answer about why it takes 5 seconds for web sites to start loading. And as long as the web sites do load I believe that this is a non-problem. I do know why you have such a weird arp table. This is due to your static default route

ip route 0.0.0.0 0.0.0.0 GigabitEthernet8

When a static route just points to the outbound interface then IOS assumes that all destinations reached by this route are locally connected. When the outbound interface is Ethernet then the result is that the router will arp for EVERY remote destination. So every remote destination for which your router has forwarded traffic is now in your arp table. (and perhaps the very large arp table might have something to do with slow loading of web pages ???)


The typical solution for this issue is to also specify a next hop address in addition to specifying the outbound interface. I believe the suggestion from Georg about specifying dhcp in addition to the outbound interface would be good in your situation (since with dhcp the next hop address may not be obvious).


I am not sure why it did not work at all after making the changes that Georg suggests, but my guess is that it has to do with this suggestion

--> no access-list 1 permit 10.10.10.0 0.0.0.7
access-list 1 permit 10.10.10.0 0.0.0.31
--> no access-list 1 permit 10.0.0.0 0.255.255.255

My experience with IOS is that if you try that last command the result is that the complete access list 1 is removed. If that is what happened then nat on the router stops working - and Internet does not work. You might check the output of show run (or perhaps of show access-list) and see if access list 1 exists in the config. I appreciate his attempt to clean up the access list. But in terms of getting things to work it is not necessary.

HTH

Rick
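Rick's point can be checked on the router's own ARP output. The script below is an added example, not code from the thread: it parses constructed "show ip arp" lines and counts entries on the WAN interface whose address lies outside the interface's own prefix, which is exactly what an interface-only default route produces. The WAN interface name, the prefix and the sample addresses are assumptions (RFC 5737 test ranges); the interpretation that many off-subnet entries sharing one MAC means the upstream device is proxy-ARPing for them is a general ARP fact, not something the thread states.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of IOS "show ip arp" output (addresses are RFC 5737 test ranges).
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.10.1              -   0011.2233.4455  ARPA   Vlan1
Internet  10.10.10.5              3   0011.2233.4466  ARPA   Vlan1
Internet  203.0.113.1             5   aabb.ccdd.eeff  ARPA   GigabitEthernet8
Internet  203.0.113.77            0   aabb.ccdd.eeff  ARPA   GigabitEthernet8
Internet  198.51.100.9           12   aabb.ccdd.eeff  ARPA   GigabitEthernet8
Internet  192.0.2.40              1   aabb.ccdd.eeff  ARPA   GigabitEthernet8
"""

# Hypothetical: the WAN interface and the prefix DHCP assigned to it.
WAN_IFACE = "GigabitEthernet8"
WAN_PREFIX = ipaddress.ip_network("203.0.113.0/24")

ARP_LINE = re.compile(
    r"^Internet\s+(\S+)\s+\S+\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA\s+(\S+)"
)

def parse_arp(text):
    """Return (ip, mac, interface) tuples from 'show ip arp' output."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            entries.append((ipaddress.ip_address(m.group(1)), m.group(2), m.group(3)))
    return entries

def off_subnet_entries(entries, iface, prefix):
    """Entries learned on iface whose address lies outside iface's own prefix.
    A router only ARPs for such addresses when a route treats them as directly
    connected, e.g. 'ip route 0.0.0.0 0.0.0.0 GigabitEthernet8' with no next hop."""
    return [(ip, mac) for ip, mac, i in entries if i == iface and ip not in prefix]

def diagnose(text, iface, prefix):
    """Count off-subnet WAN entries and how many MACs they resolve to.
    Many off-subnet entries sharing one MAC means the upstream device is
    answering (proxy-ARP) for every remote host the router asked about."""
    bad = off_subnet_entries(parse_arp(text), iface, prefix)
    return {"off_subnet": len(bad), "distinct_macs": len(Counter(mac for _, mac in bad))}

if __name__ == "__main__":
    print(diagnose(SAMPLE_ARP, WAN_IFACE, WAN_PREFIX))
```

A healthy WAN interface reports zero off-subnet entries; a non-zero count after adding the dhcp next hop to the default route means the old route is still present.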

I edited my answer because I understand now that the next hop is DHCP and the mask for internal dhcp was the problem

Thanks for the update. Does this indicate that now it is working?

HTH

Rick

Hello
Try making the rtr itself a DNS server for client requests; it will then forward to the ISP DNS for resolution. Also I see you have CBAC enabled for specific service ports, but you also have default tcp/udp/icmp enabled for inspection, so I suggest you trim the inspection list down.

no ip name-server 8.8.8.8
no ip name-server 1.1.1.1

no access-list 1
no ip route 0.0.0.0 0.0.0.0 GigabitEthernet8

no ip inspect name DEFAULT100 ftp
no ip inspect name DEFAULT100 h323
no ip inspect name DEFAULT100 netshow
no ip inspect name DEFAULT100 rcmd
no ip inspect name DEFAULT100 realaudio
no ip inspect name DEFAULT100 rtsp
no ip inspect name DEFAULT100 esmtp
no ip inspect name DEFAULT100 sqlnet
no ip inspect name DEFAULT100 streamworks
no ip inspect name DEFAULT100 tftp
no ip inspect name DEFAULT100 vdolive


access-list 1 permit 10.10.10.0 0.0.0.31
ip route 0.0.0.0 0.0.0.0 GigabitEthernet8 dhcp
ip dns server

ip dhcp pool cvo-pool
default-router 10.10.10.1
dns-server 10.10.10.1


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello
Can you please remove my suggestion as an accepted solution if it did not resolve your issue?

Kind Regards
Paul