cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4228
Views
0
Helpful
16
Replies

Config Cisco 892-K9

brechtmulti1
Level 1
Level 1

                   Hello, I need to config a Cisco 892 for internet access with vdsl backup. Our client took the unmanaged service, so now we have to config the cisco ourselves, but we have no experience with cisco. Can somebody please help me?

This is what they gave me from info:

To do:

- router config must be provided with a unique username and password (VDSL)

- router config should be saved

- router should be rebooted after config

Public LAN: 195.130.150.168 /29 (LAN range used forboth connections)

COAX Gateway: 213.224.20.169

WAN IP: 213.224.25.170 255.255.255.252

VDSL Gateway: 213.224.10.1

Coax is connected to GE0 and VDSL to FE8

Config that must be added to config:

interface Dialer1

  ip address negotiated

  ip mtu 1492

encapsulation ppp

ip tcp adjust-mss 1452

dialer pool 1

dialer-group 1

ppp authentication chap callin

!

Routing: Coax and vdsl use eBGP as routing protocol

BGP AS client for coax and vdsl: 64719

BGP ISP 6848

BGP neighbour ISP

VDSL:      213.224.10.1 Important: config eBGP multihop for this neighbour)

CFN:        213.224.20.169

ip route 213.224.10.1 255.255.255.255 Dialer1

Redundancy: use BGP local preference attribute to determine primary route (Coax should be primary)

this is what I have now:

hostname ciscotrius

!

boot-start-marker

boot config usbflash0:CVO-BOOT.CFG

boot-end-marker

!

!

logging buffered 51200 warnings

!

no aaa new-model

!

crypto pki trustpoint TP-self-signed-1134945738

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-1134945738

revocation-check none

rsakeypair TP-self-signed-1134945738

!

!

crypto pki certificate chain TP-self-signed-1134945738

        quit

ip cef

!

!

!

!

!

!

!

!

no ip domain lookup

ip domain name yourdomain.com

ip inspect name DEFAULT100 ftp

ip inspect name DEFAULT100 h323

ip inspect name DEFAULT100 icmp

ip inspect name DEFAULT100 netshow

ip inspect name DEFAULT100 rcmd

ip inspect name DEFAULT100 realaudio

ip inspect name DEFAULT100 rtsp

ip inspect name DEFAULT100 esmtp

ip inspect name DEFAULT100 sqlnet

ip inspect name DEFAULT100 streamworks

ip inspect name DEFAULT100 tftp

ip inspect name DEFAULT100 tcp

ip inspect name DEFAULT100 udp

ip inspect name DEFAULT100 vdolive

no ipv6 cef

!

!

!

!

!

multilink bundle-name authenticated

!

!

!

!

!

!

!

redundancy

!

!

!

!

!

!

!

!

!

!

!

!

!

!

interface BRI0

no ip address

encapsulation hdlc

shutdown

isdn termination multidrop

!

interface FastEthernet0

no ip address

spanning-tree portfast

!

interface FastEthernet1

no ip address

spanning-tree portfast

!

interface FastEthernet2

no ip address

spanning-tree portfast

!

interface FastEthernet3

no ip address

spanning-tree portfast

!

interface FastEthernet4

no ip address

spanning-tree portfast

!

interface FastEthernet5

no ip address

spanning-tree portfast

!

interface FastEthernet6

no ip address

spanning-tree portfast

!

interface FastEthernet7

no ip address

spanning-tree portfast

!

interface FastEthernet8

no ip address

duplex auto

speed auto

!

interface GigabitEthernet0

description $ES_WAN$$FW_OUTSIDE$

ip address 213.224.20.170 255.255.255.252

ip access-group 101 in

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat outside

ip inspect DEFAULT100 out

ip virtual-reassembly in

duplex auto

speed auto

pppoe enable group global

pppoe-client dial-pool-number 1

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$

ip address 195.130.150.169 255.255.255.248

ip access-group 100 in

ip nat inside

ip virtual-reassembly in

ip tcp adjust-mss 1452

!

interface Dialer1

ip address negotiated

ip mtu 1492

encapsulation ppp

ip tcp adjust-mss 1452

dialer pool 1

dialer-group 1

ppp authentication chap callin

no cdp enable

!

router bgp 64719

bgp log-neighbor-changes

neighbor 213.224.10.1 remote-as 6848

neighbor 213.224.10.1 ebgp-multihop 255

neighbor 213.224.20.169 remote-as 6848

!

ip forward-protocol nd

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

!

ip route 213.224.10.1 255.255.255.255 Dialer1

!

access-list 1 permit 10.10.10.0 0.0.0.7

access-list 23 permit 10.10.10.0 0.0.0.7

access-list 100 deny   ip host 255.255.255.255 any

access-list 100 deny   ip 127.0.0.0 0.255.255.255 any

access-list 100 permit ip any any

access-list 101 permit udp any eq bootps any eq bootpc

access-list 101 deny   ip 10.10.10.0 0.0.0.255 any

access-list 101 permit icmp any any echo-reply

access-list 101 permit icmp any any time-exceeded

access-list 101 permit icmp any any unreachable

access-list 101 deny   ip 10.0.0.0 0.255.255.255 any

access-list 101 deny   ip 172.16.0.0 0.15.255.255 any

access-list 101 deny   ip 192.168.0.0 0.0.255.255 any

access-list 101 deny   ip 127.0.0.0 0.255.255.255 any

access-list 101 deny   ip host 255.255.255.255 any

access-list 101 deny   ip any any

no cdp run

!

!

!

control-plane

!

!

!

!

mgcp profile default

!

!

!

!

!

!

line con 0

login local

line aux 0

line vty 0 4

access-class 23 in

privilege level 15

login local

transport input telnet ssh

line vty 5 15

access-class 23 in

privilege level 15

login local

transport input telnet ssh

!

!

end

I know I ask a lot but it would help me so much :-)

16 Replies 16

Hello, Brecht.

Could you provide connectivity diagram with all the IP-addresses?

Per my understanding you have 3 tasks:

  • configure PPPoE client (correct?) on Fe8;
  • configure Ethernet on G0;
  • configure BGP for public LAN.

Configuration for PPPoE on Fe8 (if it's there) should be:

int fe8

pppoe enable

pppoe-client dial-pool-number 1

interface Dialer1  // remove your interface first

ip address nego

encapsulation ppp

dialer pool 1

dialer persistent

ppp chap hostname LOGIN

ppp chap password 0 PASSWORD

ip flow ingress

no ip nat outside

ip inspect DEFAULT100 out

ip virtual-reassembly in

G0 configuration looks fine (but remove all pppoe commands).

BGP configuration needs correction:

ip as-path access-list 1 permit ^$

route-map BGP_VSDL_OUT permit 10

match as-path 1

// "just in case" strip all the transit routes

set as-path prepend 64719 64719 64719

route-map BGP_COAX_OUT permit 10

match as-path 1

// "just in case" strip all the transit routes


router bgp 64719 //add commands

network 195.130.150.168 mask 255.255.255.248

neighbor 213.224.10.1 route-map BGP_VDSL_OUT out

neighbor 213.224.20.169 route-map BGP_COAX_OUT out

neighbor 213.224.20.169 weight 100 // I would use weight instead of LP (as we have a single router)

You don't need "ip nat inside" on VLAN1, neigther "ip nat outside" on any interface.

I have no idea how will you be managing the router without ssh.

Why do you have "adjust-mss" on VL1 interface?

Hello,

You are correct. I don't have a connectivity diagram. Al I have is what I posted here.

As for the "adjust-mss" on VL1 I have no idea.I just altered the default config. Can I leave everythin out and start from 0 with only the code I need?

I have never configured a cisco before, you ar being a great help!

So my G0 but I need to remove the pppoe lines, is my Vlan1 correct?

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime

service timestamps log datetime

service password-encryption

logging mon 6

loggin con 3

ip domain name ! follow customer domain name

ip access-l ext COAX_WAN_IN

remark anti-spoofing ACL

deny   ip 195.130.150.168 0.0.0.7 any

deny   ip 10.0.0.0 0.255.255.255 any

deny   ip 172.16.0.0 0.15.255.255 any

deny   ip 192.168.0.0 0.0.255.255 any

deny   ip 127.0.0.0 0.255.255.255 any

deny   ip host 255.255.255.255 any

deny ip 224.0.0.0 15.255.255.255 any

permit icmp any any echo-reply

permit icmp any any time-exceeded

permit icmp any any unreachable

permit tcp host 213.224.20.169 host 213.224.20.170 eq 179

remark permit SSH access from Internet if needed!

permit tcp any host 213.224.20.170 eq 22

deny   ip any any

interface GigabitEthernet0

description COAX connection

ip address 213.224.20.170 255.255.255.252

ip access-group COAX_WAN_IN in

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip inspect DEFAULT100 out

ip virtual-reassembly in

duplex auto

speed auto

interface VLAN1

description Customer routable LAN

ip address 195.130.150.169 255.255.255.248

ip access-group 100 in

ip virtual-reassembly in

ip verify unicast source rea rx ! this will block private address leak

no ip proxy-arp

no ip redir

ip unreach

ip tcp adjust-mss 1452

no ip http server ! this will stop http access to the device

crypto key gen rsa modu 2048

ip ssh ver 2

ip access-list sta QUIET_MODE

permit 195.130.150.168 0.0.0.7

login delay 3

login quiet-mode access-class QUIET_MODE

login block-for 180 attempts 3 within 180

username admin priv 15 password use_strong_password_here

line vty 0 15

login local

transport ssh

no access-class 23 in

---

PS: I would also rate-limit ICMP and SSH traffic destined to the router (CoPP). And configure NTP.

PS2: I would recommend customer to use private addresses for VL1, and assign public addresses per host - this would allow them to use all 8 addresses instead of 5 (currently available).

PS3: customer will also need to allow some inbound connections like SMTP, WWW and etc. in this case I would replace CBAC with ZBFW as it's more flexible and would allow to build DMZ-like solution. If this kind of security is not needed, then why do we use CBAC?

Thank you again! So if I add the two configs, I should have a full working config, am I correct?

The customeronly needs 1 public address.

Is there a way to open all ports in and out so that al the management happens on the firewall?

To open all the ports:

  • remove "ip inspect DEFAULT100 out" from G0 and Dialer interfaces;
  • tune ACL

ip access-l ext COAX_WAN_IN

no deny ip any any

permit ip any any

PS: if they are doing everything on the firewall, I would recommend to use private subnet as a transit between firewall and router. In this case firewall will be able to do all the NAT and public IP-address assignment.

Hello,

The coax works but when I pull out the coax,the VDSL doesn't take over. Also this morning I had to reload my config.

Our ISP says that the PPPoE session is live,but it won't take over.

When I reloaded the config I had these messages on the console:

ciscotrius#

*Jan 21 09:41:31: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to do wn

*Jan 21 09:41:53: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up

*Jan 21 09:41:56: %BGP-3-NOTIFICATION: sent to neighbor 213.224.12.1 passive 6/0 (CEASE: unknown subcode) 0 bytes

*Jan 21 09:43:00: %BGP-3-NOTIFICATION: sent to neighbor 213.224.25.169 4/0 (hold time expired) 0 bytes

This is my current config:

!

! Last configuration change at 13:50:56 UTC Mon Jan 20 2014 by cisco

version 15.2

service tcp-keepalives-out

service timestamps debug datetime

service timestamps log datetime

service password-encryption

!

hostname ciscotrius

!

boot-start-marker

boot config usbflash0:CVO-BOOT.CFG

boot-end-marker

!

!

logging buffered 51200 warnings

logging console errors

logging monitor informational

!

no aaa new-model

!

crypto pki trustpoint TP-self-signed-1134945738

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-1134945738

revocation-check none

rsakeypair TP-self-signed-1134945738

!

!

crypto pki certificate chain TP-self-signed-1134945738

certificate self-signed 01 nvram:IOS-Self-Sig#1.cer

ip cef

!

!

!

!

 

!

!

!

!

no ip domain lookup

ip domain name yourdomain.com

ip inspect name DEFAULT100 ftp

ip inspect name DEFAULT100 h323

ip inspect name DEFAULT100 icmp

ip inspect name DEFAULT100 netshow

ip inspect name DEFAULT100 rcmd

ip inspect name DEFAULT100 realaudio

ip inspect name DEFAULT100 rtsp

ip inspect name DEFAULT100 esmtp

ip inspect name DEFAULT100 sqlnet

ip inspect name DEFAULT100 streamworks

ip inspect name DEFAULT100 tftp

ip inspect name DEFAULT100 tcp

ip inspect name DEFAULT100 udp

ip inspect name DEFAULT100 vdolive

no ipv6 cef

!

!

!

!

!

multilink bundle-name authenticated

!

!

!

!

!

!

license udi pid CISCO892-K9 sn FCZ175291D4

!

!

username cisco privilege 15 password 7 0822455D0A16

!

redundancy

!

!

!

!

!

!

!

!

!

!

!

!

!

!

interface BRI0

no ip address

encapsulation hdlc

shutdown

isdn termination multidrop

!

interface FastEthernet0

no ip address

spanning-tree portfast

!

interface FastEthernet1

no ip address

spanning-tree portfast

!

interface FastEthernet2

no ip address

spanning-tree portfast

!

interface FastEthernet3

no ip address

spanning-tree portfast

!

interface FastEthernet4

no ip address

spanning-tree portfast

!

interface FastEthernet5

no ip address

spanning-tree portfast

!

interface FastEthernet6

no ip address

spanning-tree portfast

!

interface FastEthernet7

no ip address

spanning-tree portfast

!

interface FastEthernet8

no ip address

duplex auto

speed auto

pppoe enable group global

pppoe-client dial-pool-number 1

!

interface GigabitEthernet0

description COAX connection

ip address 213.224.25.170 255.255.255.252

ip access-group COAX_WAN_IN in

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip inspect DEFAULT100 out

ip virtual-reassembly in

duplex auto

speed auto

pppoe enable group global

pppoe-client dial-pool-number 1

!

interface Vlan1

description Customer routable LAN

ip address 195.130.157.169 255.255.255.248

ip access-group 100 in

no ip redirects

no ip proxy-arp

ip verify unicast source reachable-via rx

ip tcp adjust-mss 1452

!

interface Dialer1

ip address negotiated

ip mtu 1492

ip flow ingress

ip inspect DEFAULT100 out

ip virtual-reassembly in

encapsulation ppp

ip tcp adjust-mss 1452

dialer pool 1

dialer idle-timeout 0

dialer persistent

dialer-group 1

ppp authentication chap callin

ppp chap hostname WBA1575824

ppp chap password 7 03530E53550C714D1A0B4A5242135A0F54

no cdp enable

!

router bgp 64719

bgp log-neighbor-changes

network 195.130.157.168 mask 255.255.255.248

neighbor 213.224.12.1 remote-as 6848

neighbor 213.224.12.1 ebgp-multihop 255

neighbor 213.224.12.1 route-map BGP_VDSL_OUT out

neighbor 213.224.25.169 remote-as 6848

neighbor 213.224.25.169 weight 100

neighbor 213.224.25.169 route-map BGP_COAX_OUT out

!

ip forward-protocol nd

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip as-path access-list 1 permit ^$

!

ip nat log translations syslog

ip nat inside source list 1 interface GigabitEthernet0 overload

ip route 0.0.0.0 0.0.0.0 213.224.25.169

ip route 213.224.12.1 255.255.255.255 Dialer1

!

ip access-list standard QUIET_MODE

permit 195.130.157.168 0.0.0.7

!

ip access-list extended COAX_WAN_IN

remark anti-spoofing ACL

deny ip 195.130.157.168 0.0.0.7 any

deny ip 10.0.0.0 0.255.255.255 any

deny ip 172.16.0.0 0.15.255.255 any

deny ip 192.168.0.0 0.0.255.255 any

deny ip 127.0.0.0 0.255.255.255 any

deny ip host 255.255.255.255 any

deny ip 224.0.0.0 15.255.255.255 any

permit icmp any any echo-reply

permit icmp any any time-exceeded

permit icmp any any unreachable

permit tcp host 213.224.25.169 host 213.224.25.170 eq bgp

!

access-list 1 permit 195.130.157.0 0.0.0.248

access-list 23 permit 10.10.10.0 0.0.0.7

access-list 100 deny ip host 255.255.255.255 any

access-list 100 deny ip 127.0.0.0 0.255.255.255 any

access-list 100 permit ip any any

access-list 100 permit icmp any any echo-reply

access-list 100 permit icmp any any time-exceeded

access-list 100 permit icmp any any unreachable

access-list 101 permit udp any eq bootps any eq bootpc

access-list 101 deny ip 10.10.10.0 0.0.0.255 any

access-list 101 permit icmp any any echo-reply

access-list 101 permit icmp any any time-exceeded

access-list 101 permit icmp any any unreachable

access-list 101 deny ip 10.0.0.0 0.255.255.255 any

access-list 101 deny ip 172.16.0.0 0.15.255.255 any

access-list 101 deny ip 192.168.0.0 0.0.255.255 any

access-list 101 deny ip 127.0.0.0 0.255.255.255 any

access-list 101 deny ip host 255.255.255.255 any

access-list 101 deny ip any any

access-list 101 permit ip 195.130.157.0 0.0.0.248 any

no cdp run

!

route-map BGP_COAX_OUT permit 10

match as-path 1

!

route-map BGP_VSDL_OUT permit 10

match as-path 1

set as-path prepend 64719 64719 64719

!

!

!

control-plane

!

!

!

!

mgcp profile default

!

!

!

!

!

!

line con 0

login local

line aux 0

line vty 0 4

access-class 23 in

privilege level 15

login local

transport input telnet ssh

line vty 5 15

access-class 23 in

privilege level 15

login local

transport input telnet ssh

!

!

end

I would suggest to make sure that VDSL works fine.

Check if interface gets IP-address - "sh ip int br" + "sh int di1"

Remove "ip inspect DEFAULT100 out" and "dialer-group 1" from Di1 interface.

You don't need the command "ppp authentication chap callin" - it could be an issue.

If Di1 is up and has IP-address, then try to ping/trace to BGP peer.

To troubleshoot BGP you need "sh ip bgp summ" to see status of bgp peers and "sh ip bgp" to check what announces was accepted from peers.

IF Di1 is up, ping successful, but BGP is down - try to add "neighbor 213.224.12.1 update-source Di1"

PS: you need to remove "access-class 23 in" from "line vty 0 15".

PS2: you don't need "ip route 0.0.0.0 0.0.0.0 213.224.25.169" as routes should be learnt via BGP!

PS3: I would suggest you to ask provider for password change (for PPPoE) as it was presented in your config.

PS4: remove command "ip nat inside source list 1 interface GigabitEthernet0 overload" - we were discussing that you don't need NAT.

Hello, i still need to do the troubleshooting of BGP but now I can't open port 5060 and 5090? I thought everything was open? On the firewall the portforwarding is ok as it works for other ports. Also the ISP blocks no ports

Please post output of the following commands:

  • sh ip int br
  • sh int di1
  • sh ip route
  • sh ip bgp summ
  • sh ip bgp
  • sh ip bgp nei 213.224.12.1
  • sh ip bgp 213.224.25.169
  • sh access-l

Not clear what do you mean" portforwarding is ok", as far as you have no NAT nor security solutons.

"sh runn int di1"

"sh runn int G0/0"

"sh runn int vl1"

" sh ip nat stat"

I mean portforwarding on the firewall. I also opened ports 9000-9049 and they give no problem, only 5060 and 590

Hello.

5060 belongs to SIP.

You might have faced an issue with SIP protocol and not firewall.

I know, it's for our pbx. But the cisco isn't the problem here I guess?

To check 892 for the issue show us:

"sh runn int di1"

"sh runn int G0/0"

"sh runn int vl1"

" sh ip nat stat"

I would suggest to configure cahce-flow and check if the traffic is in cache.


ciscotrius#sh runn int Dialer1
Building configuration...

Current configuration : 305 bytes
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip flow ingress
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer idle-timeout 0
dialer persistent
ppp chap hostname WBA1575824
ppp chap password 7 03530E53550C714D1A0B4A5242135A0F54
no cdp enable
end

ciscotrius#sh runn int GigabitEthernet0
Building configuration...

Current configuration : 320 bytes
!
interface GigabitEthernet0
description COAX connection
ip address 213.224.25.170 255.255.255.252
ip access-group COAX_WAN_IN in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip virtual-reassembly in
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
end

ciscotrius#sh runn int Vlan1
Building configuration...

Current configuration : 227 bytes
!
interface Vlan1
description Customer routable LAN
ip address 195.130.157.169 255.255.255.248
ip access-group 100 in
no ip redirects
no ip proxy-arp
ip verify unicast source reachable-via rx
ip tcp adjust-mss 1452
end

ciscotrius#sh ip nat stat
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Peak translations: 0
Outside interfaces:
Inside interfaces:
Hits: 0  Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 interface GigabitEthernet0 refcount 0

Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0
ciscotrius#

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco