
Config Cisco 892-K9

brechtmulti1
Level 1

Hello, I need to configure a Cisco 892 for internet access with VDSL backup. Our client took the unmanaged service, so now we have to configure the Cisco ourselves, but we have no experience with Cisco. Can somebody please help me?

This is the info they gave me:

To do:

- router config must be provided with a unique username and password (VDSL)

- router config should be saved

- router should be rebooted after config

Public LAN: 195.130.150.168 /29 (LAN range used for both connections)

COAX Gateway: 213.224.20.169

WAN IP: 213.224.25.170 255.255.255.252

VDSL Gateway: 213.224.10.1

Coax is connected to GE0 and VDSL to FE8

Config that must be added to config:

interface Dialer1
 ip address negotiated
 ip mtu 1492
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
!

Routing: Coax and vdsl use eBGP as routing protocol

BGP AS client for coax and vdsl: 64719

BGP ISP 6848

BGP neighbour ISP

VDSL:      213.224.10.1 (Important: config eBGP multihop for this neighbour)

CFN:        213.224.20.169

ip route 213.224.10.1 255.255.255.255 Dialer1

Redundancy: use BGP local preference attribute to determine primary route (Coax should be primary)

This is what I have now:

hostname ciscotrius
!
boot-start-marker
boot config usbflash0:CVO-BOOT.CFG
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-1134945738
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1134945738
 revocation-check none
 rsakeypair TP-self-signed-1134945738
!
crypto pki certificate chain TP-self-signed-1134945738
        quit
ip cef
!
no ip domain lookup
ip domain name yourdomain.com
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface FastEthernet0
 no ip address
 spanning-tree portfast
!
interface FastEthernet1
 no ip address
 spanning-tree portfast
!
interface FastEthernet2
 no ip address
 spanning-tree portfast
!
interface FastEthernet3
 no ip address
 spanning-tree portfast
!
interface FastEthernet4
 no ip address
 spanning-tree portfast
!
interface FastEthernet5
 no ip address
 spanning-tree portfast
!
interface FastEthernet6
 no ip address
 spanning-tree portfast
!
interface FastEthernet7
 no ip address
 spanning-tree portfast
!
interface FastEthernet8
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0
 description $ES_WAN$$FW_OUTSIDE$
 ip address 213.224.20.170 255.255.255.252
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly in
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 195.130.150.169 255.255.255.248
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 no cdp enable
!
router bgp 64719
 bgp log-neighbor-changes
 neighbor 213.224.10.1 remote-as 6848
 neighbor 213.224.10.1 ebgp-multihop 255
 neighbor 213.224.20.169 remote-as 6848
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 213.224.10.1 255.255.255.255 Dialer1
!
access-list 1 permit 10.10.10.0 0.0.0.7
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny   ip 10.10.10.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip any any
no cdp run
!
control-plane
!
mgcp profile default
!
line con 0
 login local
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
end

I know I ask a lot but it would help me so much :-)

16 Replies

Remove command "ip nat inside source list 1 interface GigabitEthernet0 overload" - we were discussing that you don't need NAT.

And check the content of ACL 100.

Per my understanding you need to remove

 pppoe enable group global
 pppoe-client dial-pool-number 1

from G0/0 interface.

Check output of "sh ip cache flow" for your 5060 ports (and known IP-addresses).

Check the log (sh logg) for any abnormal events.

Check "sh ip int vl1" for any dropped packets (by RPF).

Problem with firewall, replaced the device and now everything works
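As an added example (not part of the original thread and not Cisco tooling), the Python script below checks an excerpt of the posted configuration against the ISP brief and the advice in the replies: the PPPoE client left on the statically addressed GigabitEthernet0, BGP neighbors with no inbound route-map to carry the required local preference, and the management ACL whose source matches no interface subnet. The function names and finding texts are assumptions, and it assumes local preference would be set with a per-neighbor inbound route-map.

```python
import ipaddress
import re

# Constructed excerpt: lines taken from the configuration posted above.
SAMPLE = """\
interface GigabitEthernet0
 ip address 213.224.20.170 255.255.255.252
 pppoe-client dial-pool-number 1
interface Vlan1
 ip address 195.130.150.169 255.255.255.248
router bgp 64719
 neighbor 213.224.10.1 remote-as 6848
 neighbor 213.224.20.169 remote-as 6848
access-list 23 permit 10.10.10.0 0.0.0.7
line vty 0 4
 access-class 23 in
"""

def sections(text):
    """Map each top-level IOS command to its indented sub-commands."""
    out, cur = {}, None
    for line in text.splitlines():
        if line.strip() in ("", "!"):
            continue
        if not line.startswith(" "):
            cur = out.setdefault(line.strip(), [])
        elif cur is not None:
            cur.append(line.strip())
    return out

def audit(text):
    """Return findings where the config disagrees with the brief or the replies."""
    sec, nets, findings = sections(text), [], []
    for head, body in sec.items():
        addr = re.search(r"^ip address (\d\S+) (\d\S+)$", "\n".join(body), re.M)
        if head.startswith("interface ") and addr:
            nets.append(ipaddress.ip_network(f"{addr[1]}/{addr[2]}", strict=False))
            if any(b.startswith("pppoe-client") for b in body):
                findings.append(f"{head}: PPPoE client on a statically addressed interface")
        if head.startswith("router bgp "):
            peers = {b.split()[1] for b in body if " remote-as " in b}
            mapped = {b.split()[1] for b in body if re.search(r" route-map \S+ in$", b)}
            findings += [f"neighbor {p}: no inbound route-map to set local preference"
                         for p in sorted(peers - mapped)]
    for head in sec:  # standard ACL sources are written as address + wildcard mask
        m = re.match(r"access-list (\d+) permit (\d\S+) (\d\S+)$", head)
        if m and not any(ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False).overlaps(n) for n in nets):
            findings.append(f"access-list {m[1]}: source {m[2]} matches no interface subnet")
    return findings
```

Calling `audit(SAMPLE)` returns four findings; because ACL 23 guards the vty lines and the HTTP server, its 10.10.10.0 source means no host on the 195.130.150.168/29 LAN can reach the management plane.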
