01-17-2014 07:56 AM - edited 03-04-2019 10:06 PM
Hello, I need to config a Cisco 892 for internet access with vdsl backup. Our client took the unmanaged service, so now we have to config the cisco ourselves, but we have no experience with cisco. Can somebody please help me?
This is the info they gave me:
To do:
- router config must be provided with a unique username and password (VDSL)
- router config should be saved
- router should be rebooted after config
Public LAN: 195.130.150.168 /29 (LAN range used for both connections)
COAX Gateway: 213.224.20.169
WAN IP: 213.224.25.170 255.255.255.252
VDSL Gateway: 213.224.10.1
Coax is connected to GE0 and VDSL to FE8
Config that must be added to config:
interface Dialer1
ip address negotiated
ip mtu 1492
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap callin
!
Routing: Coax and vdsl use eBGP as routing protocol
BGP AS client for coax and vdsl: 64719
BGP ISP 6848
BGP neighbour ISP
VDSL: 213.224.10.1 (Important: config eBGP multihop for this neighbour)
CFN: 213.224.20.169
ip route 213.224.10.1 255.255.255.255 Dialer1
Redundancy: use BGP local preference attribute to determine primary route (Coax should be primary)
This is what I have now:
hostname ciscotrius
!
boot-start-marker
boot config usbflash0:CVO-BOOT.CFG
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-1134945738
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1134945738
revocation-check none
rsakeypair TP-self-signed-1134945738
!
!
crypto pki certificate chain TP-self-signed-1134945738
quit
ip cef
!
!
!
!
!
!
!
!
no ip domain lookup
ip domain name yourdomain.com
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
no ip address
spanning-tree portfast
!
interface FastEthernet1
no ip address
spanning-tree portfast
!
interface FastEthernet2
no ip address
spanning-tree portfast
!
interface FastEthernet3
no ip address
spanning-tree portfast
!
interface FastEthernet4
no ip address
spanning-tree portfast
!
interface FastEthernet5
no ip address
spanning-tree portfast
!
interface FastEthernet6
no ip address
spanning-tree portfast
!
interface FastEthernet7
no ip address
spanning-tree portfast
!
interface FastEthernet8
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0
description $ES_WAN$$FW_OUTSIDE$
ip address 213.224.20.170 255.255.255.252
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip inspect DEFAULT100 out
ip virtual-reassembly in
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 195.130.150.169 255.255.255.248
ip access-group 100 in
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Dialer1
ip address negotiated
ip mtu 1492
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap callin
no cdp enable
!
router bgp 64719
bgp log-neighbor-changes
neighbor 213.224.10.1 remote-as 6848
neighbor 213.224.10.1 ebgp-multihop 255
neighbor 213.224.20.169 remote-as 6848
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip route 213.224.10.1 255.255.255.255 Dialer1
!
access-list 1 permit 10.10.10.0 0.0.0.7
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny ip 10.10.10.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip any any
no cdp run
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
!
line con 0
login local
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
!
end
I know I ask a lot but it would help me so much :-)
01-18-2014 04:22 AM
Hello, Brecht.
Could you provide a connectivity diagram with all the IP addresses?
Per my understanding you have 3 tasks:
Configuration for PPPoE on Fe8 (if it's there) should be:
int fe8
pppoe enable
pppoe-client dial-pool-number 1
interface Dialer1 // remove your interface first
ip address nego
encapsulation ppp
dialer pool 1
dialer persistent
ppp chap hostname LOGIN
ppp chap password 0 PASSWORD
ip flow ingress
no ip nat outside
ip inspect DEFAULT100 out
ip virtual-reassembly in
G0 configuration looks fine (but remove all pppoe commands).
BGP configuration needs correction:
ip as-path access-list 1 permit ^$
route-map BGP_VDSL_OUT permit 10
match as-path 1
// "just in case" strip all the transit routes
set as-path prepend 64719 64719 64719
route-map BGP_COAX_OUT permit 10
match as-path 1
// "just in case" strip all the transit routes
router bgp 64719 //add commands
network 195.130.150.168 mask 255.255.255.248
neighbor 213.224.10.1 route-map BGP_VDSL_OUT out
neighbor 213.224.20.169 route-map BGP_COAX_OUT out
neighbor 213.224.20.169 weight 100 // I would use weight instead of LP (as we have a single router)
You don't need "ip nat inside" on VLAN1, nor "ip nat outside" on any interface.
I have no idea how you will be managing the router without ssh.
Why do you have "adjust-mss" on VL1 interface?
01-18-2014 09:24 AM
Hello,
You are correct. I don't have a connectivity diagram. All I have is what I posted here.
As for the "adjust-mss" on VL1 I have no idea. I just altered the default config. Can I leave everything out and start from 0 with only the code I need?
I have never configured a Cisco before, you are being a great help!
So my G0 is fine except that I need to remove the pppoe lines; is my Vlan1 correct?
01-19-2014 12:04 AM
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime
service timestamps log datetime
service password-encryption
logging mon 6
loggin con 3
ip domain name ! follow customer domain name
ip access-l ext COAX_WAN_IN
remark anti-spoofing ACL
deny ip 195.130.150.168 0.0.0.7 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 255.255.255.255 any
deny ip 224.0.0.0 15.255.255.255 any
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
permit tcp host 213.224.20.169 host 213.224.20.170 eq 179
remark permit SSH access from Internet if needed!
permit tcp any host 213.224.20.170 eq 22
deny ip any any
interface GigabitEthernet0
description COAX connection
ip address 213.224.20.170 255.255.255.252
ip access-group COAX_WAN_IN in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip inspect DEFAULT100 out
ip virtual-reassembly in
duplex auto
speed auto
interface VLAN1
description Customer routable LAN
ip address 195.130.150.169 255.255.255.248
ip access-group 100 in
ip virtual-reassembly in
ip verify unicast source rea rx ! this will block private address leak
no ip proxy-arp
no ip redir
ip unreach
ip tcp adjust-mss 1452
no ip http server ! this will stop http access to the device
crypto key gen rsa modu 2048
ip ssh ver 2
ip access-list sta QUIET_MODE
permit 195.130.150.168 0.0.0.7
login delay 3
login quiet-mode access-class QUIET_MODE
login block-for 180 attempts 3 within 180
username admin priv 15 password use_strong_password_here
line vty 0 15
login local
transport input ssh
no access-class 23 in
---
PS: I would also rate-limit ICMP and SSH traffic destined to the router (CoPP). And configure NTP.
PS2: I would recommend the customer use private addresses for VL1 and assign public addresses per host - this would allow them to use all 8 addresses instead of 5 (currently available).
PS3: the customer will also need to allow some inbound connections like SMTP, WWW, etc. In this case I would replace CBAC with ZBFW as it's more flexible and would allow building a DMZ-like solution. If this kind of security is not needed, then why do we use CBAC?
01-19-2014 02:59 AM
Thank you again! So if I add the two configs, I should have a full working config, am I correct?
The customer only needs 1 public address.
Is there a way to open all ports in and out so that all the management happens on the firewall?
01-19-2014 08:55 AM
To open all the ports:
ip access-l ext COAX_WAN_IN
no deny ip any any
permit ip any any
PS: if they are doing everything on the firewall, I would recommend using a private subnet as the transit between the firewall and the router. In this case the firewall will be able to do all the NAT and public IP address assignment.
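Added example, not the helper's or Cisco's own code: a small Python model of how IOS evaluates the COAX_WAN_IN extended ACL above (top-down first match, wildcard masks applied bitwise, implicit deny at the end), so the effect of the later "open all ports" change can be checked on constructed packets before it is pushed to the router. The function names and the sample packets are mine; the addresses come from the thread.

```python
import ipaddress

# Added example, not from the thread: evaluates Cisco IOS extended-ACL semantics
# (first match wins, implicit deny at the end, wildcard masks applied bitwise)
# against the COAX_WAN_IN rules proposed above; packets below are constructed.
COAX_WAN_IN = """
deny ip 195.130.150.168 0.0.0.7 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 224.0.0.0 15.255.255.255 any
permit icmp any any echo-reply
permit tcp host 213.224.20.169 host 213.224.20.170 eq bgp
permit tcp any host 213.224.20.170 eq 22
"""
# The later "open all ports" advice appends a permit-all after the denies.
COAX_WAN_IN_OPEN = COAX_WAN_IN + "permit ip any any\n"


def _addr(tok):
    """Consume one IOS address spec ('any' | 'host A' | 'A WILDCARD') -> (net, wildcard)."""
    t = tok.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return int(ipaddress.IPv4Address(tok.pop(0))), 0
    return int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tok.pop(0)))


def parse_acl(text):
    """Return rules as (action, proto, src, dst, dport, icmp_type) tuples."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] == "remark":
            continue
        action, proto, rest = tok[0], tok[1], tok[2:]
        src, dst = _addr(rest), _addr(rest)  # left-to-right: src is consumed first
        dport = icmp_type = None
        if rest and rest[0] == "eq":  # named or numeric TCP/UDP destination port
            dport = {"bgp": 179, "ssh": 22}.get(rest[1]) or int(rest[1])
        elif rest and proto == "icmp":
            icmp_type = rest[0]
        rules.append((action, proto, src, dst, dport, icmp_type))
    return rules


def wildcard_match(addr, net, wildcard):
    """IOS compares only the bits that are 0 in the wildcard; 1 bits are don't-care."""
    keep = ~wildcard & 0xFFFFFFFF
    return (addr & keep) == (net & keep)


def evaluate(rules, proto, src, dst, dport=None, icmp_type=None):
    """Walk the ACL top-down; the first matching entry decides the verdict."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for action, rproto, (sn, sw), (dn, dw), rport, ricmp in rules:
        proto_ok = rproto in ("ip", proto)
        addr_ok = wildcard_match(s, sn, sw) and wildcard_match(d, dn, dw)
        opts_ok = rport in (None, dport) and ricmp in (None, icmp_type)
        if proto_ok and addr_ok and opts_ok:
            return action
    return "deny"  # every IOS ACL ends with an implicit "deny ip any any"
```

Because the anti-spoofing denies sit above the appended permit-all, a packet sourced from the customer's own /29 or from RFC 1918 space is still dropped after the ACL is opened, while SIP 5060 from the Internet is now allowed through. The same wildcard_match also shows the non-contiguous wildcard trap: "195.130.157.0 0.0.0.248" matches only addresses whose low three bits are zero (.168 but not .169), and a standard ACL accepts that line without complaint.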
01-21-2014 01:50 AM
Hello,
The coax works, but when I pull out the coax the VDSL doesn't take over. Also this morning I had to reload my config.
Our ISP says that the PPPoE session is live, but it won't take over.
When I reloaded the config I had these messages on the console:
ciscotrius#
*Jan 21 09:41:31: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
*Jan 21 09:41:53: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Jan 21 09:41:56: %BGP-3-NOTIFICATION: sent to neighbor 213.224.12.1 passive 6/0 (CEASE: unknown subcode) 0 bytes
*Jan 21 09:43:00: %BGP-3-NOTIFICATION: sent to neighbor 213.224.25.169 4/0 (hold time expired) 0 bytes
This is my current config:
!
! Last configuration change at 13:50:56 UTC Mon Jan 20 2014 by cisco
version 15.2
service tcp-keepalives-out
service timestamps debug datetime
service timestamps log datetime
service password-encryption
!
hostname ciscotrius
!
boot-start-marker
boot config usbflash0:CVO-BOOT.CFG
boot-end-marker
!
!
logging buffered 51200 warnings
logging console errors
logging monitor informational
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-1134945738
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1134945738
revocation-check none
rsakeypair TP-self-signed-1134945738
!
!
crypto pki certificate chain TP-self-signed-1134945738
certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
ip cef
!
!
!
!
!
!
!
!
no ip domain lookup
ip domain name yourdomain.com
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
license udi pid CISCO892-K9 sn FCZ175291D4
!
!
username cisco privilege 15 password 7 0822455D0A16
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
no ip address
spanning-tree portfast
!
interface FastEthernet1
no ip address
spanning-tree portfast
!
interface FastEthernet2
no ip address
spanning-tree portfast
!
interface FastEthernet3
no ip address
spanning-tree portfast
!
interface FastEthernet4
no ip address
spanning-tree portfast
!
interface FastEthernet5
no ip address
spanning-tree portfast
!
interface FastEthernet6
no ip address
spanning-tree portfast
!
interface FastEthernet7
no ip address
spanning-tree portfast
!
interface FastEthernet8
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface GigabitEthernet0
description COAX connection
ip address 213.224.25.170 255.255.255.252
ip access-group COAX_WAN_IN in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip inspect DEFAULT100 out
ip virtual-reassembly in
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Vlan1
description Customer routable LAN
ip address 195.130.157.169 255.255.255.248
ip access-group 100 in
no ip redirects
no ip proxy-arp
ip verify unicast source reachable-via rx
ip tcp adjust-mss 1452
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip flow ingress
ip inspect DEFAULT100 out
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer idle-timeout 0
dialer persistent
dialer-group 1
ppp authentication chap callin
ppp chap hostname WBA1575824
ppp chap password 7 03530E53550C714D1A0B4A5242135A0F54
no cdp enable
!
router bgp 64719
bgp log-neighbor-changes
network 195.130.157.168 mask 255.255.255.248
neighbor 213.224.12.1 remote-as 6848
neighbor 213.224.12.1 ebgp-multihop 255
neighbor 213.224.12.1 route-map BGP_VDSL_OUT out
neighbor 213.224.25.169 remote-as 6848
neighbor 213.224.25.169 weight 100
neighbor 213.224.25.169 route-map BGP_COAX_OUT out
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip as-path access-list 1 permit ^$
!
ip nat log translations syslog
ip nat inside source list 1 interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 213.224.25.169
ip route 213.224.12.1 255.255.255.255 Dialer1
!
ip access-list standard QUIET_MODE
permit 195.130.157.168 0.0.0.7
!
ip access-list extended COAX_WAN_IN
remark anti-spoofing ACL
deny ip 195.130.157.168 0.0.0.7 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 255.255.255.255 any
deny ip 224.0.0.0 15.255.255.255 any
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
permit tcp host 213.224.25.169 host 213.224.25.170 eq bgp
!
access-list 1 permit 195.130.157.0 0.0.0.248
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny ip 10.10.10.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip any any
access-list 101 permit ip 195.130.157.0 0.0.0.248 any
no cdp run
!
route-map BGP_COAX_OUT permit 10
match as-path 1
!
route-map BGP_VSDL_OUT permit 10
match as-path 1
set as-path prepend 64719 64719 64719
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
!
line con 0
login local
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
!
end
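Added example, not from the thread: a Python parser for the %BGP-3-NOTIFICATION console lines quoted above that decodes the code/subcode pair with the NOTIFICATION error codes of RFC 4271, the kind of thing a log pipeline does when these messages are shipped off the router. SAMPLE_LOG is constructed from the posted console output; the function names and the hint text are mine.

```python
import re

# Added example, not from the thread: parses IOS "%BGP-3-NOTIFICATION" syslog
# lines like the two quoted above and decodes the code/subcode pair using the
# NOTIFICATION error codes of RFC 4271 section 4.5. SAMPLE_LOG is constructed
# from the console output in the post.

NOTIFICATION_RE = re.compile(
    r"%BGP-(?P<sev>\d)-NOTIFICATION: (?P<dir>sent to|received from) neighbor "
    r"(?P<peer>\d+(?:\.\d+){3})(?: (?P<mode>passive|active))? "
    r"(?P<code>\d+)/(?P<subcode>\d+) \((?P<text>[^)]*)\)"
)

ERROR_CODES = {  # RFC 4271, section 4.5
    1: "Message Header Error",
    2: "OPEN Message Error",
    3: "UPDATE Message Error",
    4: "Hold Timer Expired",
    5: "Finite State Machine Error",
    6: "Cease",
}


def parse_bgp_notification(line):
    """Return a dict for a BGP NOTIFICATION log line, or None for any other line."""
    m = NOTIFICATION_RE.search(line)
    if not m:
        return None
    code = int(m.group("code"))
    sent = m.group("dir") == "sent to"
    if code == 4 and sent:
        # We sent Hold Timer Expired: nothing arrived from the peer within the
        # negotiated hold time, so look at reachability to the peer, not at policy.
        hint = "no KEEPALIVE/UPDATE received from peer within hold time"
    elif code == 6:
        hint = "session closed by Cease (reset, clear, or a colliding connection)"
    else:
        hint = "protocol error; compare the code/subcode on both routers"
    return {
        "peer": m.group("peer"),
        "sent_by_us": sent,
        "passive": m.group("mode") == "passive",
        "code": code,
        "subcode": int(m.group("subcode")),
        "error": ERROR_CODES.get(code, "Unknown"),
        "ios_text": m.group("text"),
        "hint": hint,
    }


def notifications(log_text):
    """Extract every BGP NOTIFICATION from a block of syslog text, in order."""
    return [n for n in map(parse_bgp_notification, log_text.splitlines()) if n]


SAMPLE_LOG = """\
*Jan 21 09:41:53: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Jan 21 09:41:56: %BGP-3-NOTIFICATION: sent to neighbor 213.224.12.1 passive 6/0 (CEASE: unknown subcode) 0 bytes
*Jan 21 09:43:00: %BGP-3-NOTIFICATION: sent to neighbor 213.224.25.169 4/0 (hold time expired) 0 bytes
"""
```

The "sent to" direction matters for triage: a Hold Timer Expired that this router sent means it stopped hearing from the peer, which points at the path to the neighbour rather than at route policy.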
01-21-2014 02:36 AM
I would suggest making sure that VDSL works fine.
Check if the interface gets an IP address - "sh ip int br" + "sh int di1"
Remove "ip inspect DEFAULT100 out" and "dialer-group 1" from the Di1 interface.
You don't need the command "ppp authentication chap callin" - it could be an issue.
If Di1 is up and has an IP address, then try to ping/trace to the BGP peer.
To troubleshoot BGP you need "sh ip bgp summ" to see the status of the BGP peers and "sh ip bgp" to check which announcements were accepted from the peers.
If Di1 is up and the ping is successful but BGP is down, try adding "neighbor 213.224.12.1 update-source Di1"
PS: you need to remove "access-class 23 in" from "line vty 0 15".
PS2: you don't need "ip route 0.0.0.0 0.0.0.0 213.224.25.169" as routes should be learnt via BGP!
PS3: I would suggest you ask the provider for a password change (for PPPoE) as it appeared in your posted config.
PS4: remove the command "ip nat inside source list 1 interface GigabitEthernet0 overload" - we were discussing that you don't need NAT.
01-21-2014 11:48 PM
Hello, I still need to do the troubleshooting of BGP, but now I can't open ports 5060 and 5090? I thought everything was open? On the firewall the port forwarding is OK, as it works for other ports. Also the ISP blocks no ports.
01-21-2014 11:56 PM
Not clear what you mean by "port forwarding is OK", as you have no NAT nor security solutions.
Please post the output of the following commands:
"sh runn int di1"
"sh runn int G0/0"
"sh runn int vl1"
"sh ip nat stat"
01-22-2014 12:23 AM
I mean portforwarding on the firewall. I also opened ports 9000-9049 and they give no problem, only 5060 and 590
01-22-2014 01:14 AM
Hello.
5060 belongs to SIP.
You might be facing an issue with the SIP protocol and not the firewall.
01-22-2014 01:19 AM
I know, it's for our pbx. But the cisco isn't the problem here I guess?
01-22-2014 01:31 AM
To check the 892 for the issue, show us:
"sh runn int di1"
"sh runn int G0/0"
"sh runn int vl1"
"sh ip nat stat"
I would suggest configuring cache-flow and checking if the traffic is in the cache.
01-22-2014 01:39 AM
ciscotrius#sh runn int Dialer1
Building configuration...
Current configuration : 305 bytes
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip flow ingress
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer idle-timeout 0
dialer persistent
ppp chap hostname WBA1575824
ppp chap password 7 03530E53550C714D1A0B4A5242135A0F54
no cdp enable
end
ciscotrius#sh runn int GigabitEthernet0
Building configuration...
Current configuration : 320 bytes
!
interface GigabitEthernet0
description COAX connection
ip address 213.224.25.170 255.255.255.252
ip access-group COAX_WAN_IN in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip virtual-reassembly in
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
end
ciscotrius#sh runn int Vlan1
Building configuration...
Current configuration : 227 bytes
!
interface Vlan1
description Customer routable LAN
ip address 195.130.157.169 255.255.255.248
ip access-group 100 in
no ip redirects
no ip proxy-arp
ip verify unicast source reachable-via rx
ip tcp adjust-mss 1452
end
ciscotrius#sh ip nat stat
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Peak translations: 0
Outside interfaces:
Inside interfaces:
Hits: 0 Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 interface GigabitEthernet0 refcount 0
Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0
ciscotrius#