01-17-2014 07:56 AM - edited 03-04-2019 10:06 PM
Hello, I need to configure a Cisco 892 for internet access with VDSL backup. Our client took the unmanaged service, so now we have to configure the Cisco ourselves, but we have no experience with Cisco. Can somebody please help me?
This is the info they gave me:
To do:
- router config must be provided with a unique username and password (VDSL)
- router config should be saved
- router should be rebooted after config
Public LAN: 195.130.150.168 /29 (LAN range used for both connections)
COAX Gateway: 213.224.20.169
WAN IP: 213.224.25.170 255.255.255.252
VDSL Gateway: 213.224.10.1
Coax is connected to GE0 and VDSL to FE8
Config that must be added:
interface Dialer1
ip address negotiated
ip mtu 1492
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap callin
!
Routing: Coax and VDSL use eBGP as routing protocol
BGP AS client for coax and vdsl: 64719
BGP ISP 6848
BGP neighbour ISP
VDSL: 213.224.10.1 (Important: configure eBGP multihop for this neighbour)
CFN: 213.224.20.169
ip route 213.224.10.1 255.255.255.255 Dialer1
Redundancy: use BGP local preference attribute to determine primary route (Coax should be primary)
This is what I have now:
hostname ciscotrius
!
boot-start-marker
boot config usbflash0:CVO-BOOT.CFG
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-1134945738
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1134945738
revocation-check none
rsakeypair TP-self-signed-1134945738
!
!
crypto pki certificate chain TP-self-signed-1134945738
quit
ip cef
!
no ip domain lookup
ip domain name yourdomain.com
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
no ip address
spanning-tree portfast
!
interface FastEthernet1
no ip address
spanning-tree portfast
!
interface FastEthernet2
no ip address
spanning-tree portfast
!
interface FastEthernet3
no ip address
spanning-tree portfast
!
interface FastEthernet4
no ip address
spanning-tree portfast
!
interface FastEthernet5
no ip address
spanning-tree portfast
!
interface FastEthernet6
no ip address
spanning-tree portfast
!
interface FastEthernet7
no ip address
spanning-tree portfast
!
interface FastEthernet8
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0
description $ES_WAN$$FW_OUTSIDE$
ip address 213.224.20.170 255.255.255.252
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip inspect DEFAULT100 out
ip virtual-reassembly in
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 195.130.150.169 255.255.255.248
ip access-group 100 in
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Dialer1
ip address negotiated
ip mtu 1492
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap callin
no cdp enable
!
router bgp 64719
bgp log-neighbor-changes
neighbor 213.224.10.1 remote-as 6848
neighbor 213.224.10.1 ebgp-multihop 255
neighbor 213.224.20.169 remote-as 6848
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip route 213.224.10.1 255.255.255.255 Dialer1
!
access-list 1 permit 10.10.10.0 0.0.0.7
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny ip 10.10.10.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip any any
no cdp run
!
control-plane
!
mgcp profile default
!
line con 0
login local
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
end
I know I'm asking a lot, but it would help me so much :-)
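An added example, not the poster's config and not anything the ISP supplied: the delta I would apply to the config above to meet the brief (PPPoE/CHAP on FE8 instead of GE0, both eBGP neighbours with COAX preferred via local preference, only the customer /29 announced) together with the management hardening a reviewer would expect: SSH only, HTTP off, the vty ACL pointing at the real LAN instead of 10.10.10.0/29, and inbound WAN filters that actually let the BGP sessions through (the posted ACL 101 ends in "deny ip any any" with no BGP permit, so the COAX session could never come up behind it). The placeholders <VDSL-USER>, <VDSL-PASS> and <ADMIN-PASS>, and the ACL and route-map names, are mine. It keeps the posted GE0 address 213.224.20.170, which fits the gateway 213.224.20.169 in a /30, rather than the brief's 213.224.25.170; that discrepancy should be confirmed with the ISP. It also assumes the ISP announces a default route (or more) over both sessions, that the VDSL BGP speaker accepts the session from the negotiated PPP address, and that no BGP MD5 key was issued (if one is, add `neighbor ... password`).

```cisco
! Added example (not the poster's or the ISP's config): the delta that
! implements the brief. <...> values and the ACL/route-map names are mine.
service password-encryption
enable secret <ADMIN-PASS>
username admin privilege 15 secret <ADMIN-PASS>
ip ssh version 2
! interesting traffic for dialer-group 1 (missing from the posted config)
dialer-list 1 protocol ip permit
!
! COAX (primary) on GE0. Gateway 213.224.20.169 implies a local address of
! 213.224.20.170/30 (as posted), not the brief's 213.224.25.170; confirm with
! the ISP. PPPoE does not belong on this port.
interface GigabitEthernet0
 ip address 213.224.20.170 255.255.255.252
 ip access-group WAN-COAX-IN in
 no pppoe enable group global
 no pppoe-client dial-pool-number 1
!
! VDSL (backup): FE8 carries the PPPoE session for dialer pool 1
interface FastEthernet8
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 1
interface Dialer1
 ip address negotiated
 ip mtu 1492
 encapsulation ppp
 ip tcp adjust-mss 1452
 ip access-group WAN-VDSL-IN in
 ip inspect DEFAULT100 out
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname <VDSL-USER>
 ppp chap password 0 <VDSL-PASS>
!
! 213.224.10.1 is not the PPP peer itself: host route + multihop (lower 255
! to the real hop count once known; a tight TTL narrows who can spoof it)
ip route 213.224.10.1 255.255.255.255 Dialer1
router bgp 64719
 bgp log-neighbor-changes
 network 195.130.150.168 mask 255.255.255.248
 neighbor 213.224.20.169 remote-as 6848
 neighbor 213.224.20.169 route-map COAX-IN in
 neighbor 213.224.20.169 route-map LAN-OUT out
 neighbor 213.224.10.1 remote-as 6848
 neighbor 213.224.10.1 ebgp-multihop 255
 neighbor 213.224.10.1 update-source Dialer1
 neighbor 213.224.10.1 route-map VDSL-IN in
 neighbor 213.224.10.1 route-map VDSL-OUT out
!
! announce only the /29; prefer COAX outbound (local-pref) and inbound
! (AS-path prepend on the VDSL announcement)
ip prefix-list LAN-PREFIX seq 5 permit 195.130.150.168/29
route-map COAX-IN permit 10
 set local-preference 200
route-map VDSL-IN permit 10
 set local-preference 50
route-map LAN-OUT permit 10
 match ip address prefix-list LAN-PREFIX
route-map VDSL-OUT permit 10
 match ip address prefix-list LAN-PREFIX
 set as-path prepend 64719 64719
!
! WAN ingress: permit the BGP sessions and the ICMP the inspector cannot
! match, drop spoofed private/loopback sources, log the rest
ip access-list extended WAN-COAX-IN
 permit tcp host 213.224.20.169 host 213.224.20.170 eq bgp
 permit tcp host 213.224.20.169 eq bgp host 213.224.20.170
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip any any log
ip access-list extended WAN-VDSL-IN
 permit tcp host 213.224.10.1 any eq bgp
 permit tcp host 213.224.10.1 eq bgp any
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 deny ip any any log
!
! LAN ingress: only the customer /29 may source traffic (no NAT in use)
ip access-list extended LAN-IN
 permit ip 195.130.150.168 0.0.0.7 any
 deny ip any any log
interface Vlan1
 ip access-group LAN-IN in
 no ip nat inside
!
! management: ACL 23 must match the real LAN (not 10.10.10.0/29); SSH only
no access-list 23
access-list 23 permit 195.130.150.168 0.0.0.7
no ip http server
line vty 0 15
 access-class 23 in
 login local
 transport input ssh
```

SSH needs an RSA key before `transport input ssh` will let anyone in: run `crypto key generate rsa modulus 2048` in configuration mode first (the posted config already sets `ip domain name`, which that command requires). Then save and reboot as the brief asks (`copy running-config startup-config`, then `reload`), confirm with `show ip bgp summary` that both sessions reach Established, and check in `show ip bgp` that the paths learned from 213.224.20.169 carry local preference 200 and are marked best; unplugging the COAX link should then flip the routing table to the Dialer1 paths.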
01-22-2014 01:57 AM
Remove the command "ip nat inside source list 1 interface GigabitEthernet0 overload"; we were discussing that you don't need NAT.
And check the content of ACL 100.
Per my understanding you need to remove
pppoe enable group global
pppoe-client dial-pool-number 1
from the G0/0 interface.
Check the output of "sh ip cache flow" for your 5060 ports (and known IP addresses).
Check the log (sh logg) for any abnormal events.
Check "sh ip int vl1" for any dropped packets (by RPF).
01-22-2014 05:29 AM
Problem with the firewall; replaced the device and now everything works.