09-02-2017 01:30 PM - edited 03-05-2019 09:04 AM
I am introducing an 891FW router into my network in order to build a subnet "behind" it. "Up stream" from it is an ARRIS TG1682 router provided to me by my cable provider. It is an integrated router providing service for internet connectivity, set-top box function and 2.4/5.0 wifi. It connects by RG60 cable to street service and has a fixed public IP address and gateway address to the ISP. It has 4 gigabit interfaces. It is my desire to keep this in place for all the personal household stuff.
The 891FW is also an integrated router. It has 3 WAN gateway interface options (FE, ISDN and GE). It has a pod of ethernet LAN gigabit interfaces (G0-G7).
I connected WAN G8 to one of the interface ports on the ARRIS. I connected LAN G7 on the 891FW to my unmanaged, simple, netgear gigabit switch on my network. On my network I have a domain controller (Windows 2012 R2) that is DHCP enabled.
I have enabled DHCP on ARRIS router. Its IP address 10.0.0.1 subnet mask of 255.0.0.0.
I have enabled DHCP on Windows 2012 R2 server. It's address 10.0.1.2 mask of 255.255.255.0
I have disabled DHCP on 891FW router. Its IP address (on WAN G8) 10.0.1.1, mask 255.255.255.0.
I have spent days on this and here are my conclusions:
From 891FW, I can ping 10.0.0.1, I canNOT ping anything in the subnet of 10.0.1.0
From my domain controller, 10.0.1.2 I canNOT ping 10.0.1.1 and I canNOT ping 10.0.0.1
I can see some activity on LAN G7 when I sho ip int G7.
It seems like any PING attempts from my 10.0.1.0 subnet to 10.0.1.1 or 10.0.0.1 can't pass LAN G7 to WAN G8 on the 891FW. I am sure the WAN G8 to ARRIS LAN connection is working. Naturally, I have tried to put an IP address on G7 however 891FW prohibits this as G7 is a level 2 interface. Because I cannot affix an IP address to the LAN interfaces (G7 for example) I can't configure this router in the classical IOS/CLI fashion. I would assume that addressing the WAN G8 interface would be sufficient. Seemingly, it is not.
How should I proceed from here?
09-03-2017 05:39 AM
Hello,
Gigabit8 is connected to your Arris, so it needs an IP address from the same address space as your Arris.
On your 891, you have a default VLAN interface, VLAN 1. That has to have an IP address in the same address space as your Windows machine (10.0.1.0/24).
If your Arris has network 10.0.0.0/8, you need to disable DHCP and manually assign an IP address.
Here is what it could look like:
Arris (LAN 10.0.2.1/24) --> 891 (G8 10.0.2.2/24) (VLAN 1 10.0.1.1/24)
Post the configuration of your 891, we can then fill in the bits and pieces...
09-05-2017 07:42 AM
Interesting. I had initially started with this idea and later ditched it. Don't remember why. Arris is presently 10.0.0.1/8. I would assign the Cisco 891FW 10.0.0.2 static address. Was thinking about changing Arris to 10.0.0.1/24 to narrow that subnet. I know 10.x.x.x is a class A address and offers /8 but I think it should be /24 since this subnet only uses 10.0.1.0.
Connect WAN G8 from Cisco to Arris LAN port and assign 10.0.0.2/24 address to that interface. Then config VLAN1 to have its own address of 10.0.1.1/24. That will be the gateway for subnet 10.0.1.0. My domain controller on that subnet is 10.0.1.2/24, so that works good. I'm curious to see how you "assign" one of the 891FW LAN physical, L2 interfaces, to the VLAN1. This is obviously the way to get an IP address on what would otherwise be an interface (L2) that is refusing an IP address.
Below is the current config (thank you):
Current configuration : 2392 bytes
!
! Last configuration change at 14:29:04 UTC Tue Sep 5 2017
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no service dhcp
!
hostname FL-RTR-2
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
!
no aaa new-model
service-module wlan-ap 0 bootimage autonomous
!
!
!
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
license udi pid C891FW-A-K9 sn FTX184783U9
!
!
username admin privilege 15 secret 5 $1$bjQF$hMgjich.e.Ie9PdF4Z.4//
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0
no ip address
!
interface GigabitEthernet1
no ip address
!
interface GigabitEthernet2
no ip address
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
description Link to Subnet SW1
no ip address
!
interface GigabitEthernet5
no ip address
!
interface GigabitEthernet6
no ip address
!
interface GigabitEthernet7
no ip address
!
interface GigabitEthernet8
description WAN to ARRISGW
ip address 10.0.1.1 255.255.255.0
ip access-group 10 in
ip access-group 10 out
ip helper-address 10.0.0.1
ip nat outside
ip nat enable
ip virtual-reassembly in
duplex auto
speed auto
!
interface Wlan-GigabitEthernet8
no ip address
!
interface wlan-ap0
description Embedded Service module interface to manage the embedded AP
no ip address
!
interface Vlan1
no ip address
!
interface Async3
no ip address
encapsulation slip
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
!
!
ip default-network 10.0.1.1
ip route 0.0.0.0 0.0.0.0 GigabitEthernet8
ip route 10.0.0.0 255.0.0.0 GigabitEthernet8 10.0.0.1 name fl-rtr-1
ip route 10.0.1.0 255.255.255.0 10.0.0.1
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line 3
modem InOut
speed 115200
flowcontrol hardware
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
!
end
09-05-2017 08:43 AM
Hello,
assuming that your ARRIS has IP address 10.0.0.1/24, here is what the configuration should look like. You don't need any NAT on the Cisco, since the ARRIS will take care of that (make sure it NATs all the address spaces configured on your Cisco). I have added a DHCP pool to the configuration, so the devices connected to GigabitEthernet0 thru 7 will get an IP address in the 10.0.1.0/24 address range. Interface VLAN 1 will function as the default gateway for the subnet; all GigabitEthernet interfaces (0 thru 7) by default belong to VLAN 1:
Current configuration : 2392 bytes
!
! Last configuration change at 14:29:04 UTC Tue Sep 5 2017
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no service dhcp
!
hostname FL-RTR-2
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
no aaa new-model
service-module wlan-ap 0 bootimage autonomous
!
ip cef
no ipv6 cef
!
ip dhcp excluded-address 10.0.1.1 10.0.1.2
!
ip dhcp pool LAN
network 10.0.1.0 255.255.255.0
default-router 10.0.1.1
dns-server 8.8.8.8 8.8.4.4
lease infinite
!
multilink bundle-name authenticated
!
license udi pid C891FW-A-K9 sn FTX184783U9
!
username admin privilege 15 secret 5 $1$bjQF$hMgjich.e.Ie9PdF4Z.4//
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0
no ip address
!
interface GigabitEthernet1
no ip address
!
interface GigabitEthernet2
no ip address
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
description Link to Subnet SW1
no ip address
!
interface GigabitEthernet5
no ip address
!
interface GigabitEthernet6
no ip address
!
interface GigabitEthernet7
no ip address
!
interface GigabitEthernet8
description WAN to ARRISGW
ip address 10.0.0.2 255.255.255.0
ip virtual-reassembly in
duplex auto
speed auto
!
interface Wlan-GigabitEthernet8
no ip address
!
interface wlan-ap0
description Embedded Service module interface to manage the embedded AP
no ip address
!
interface Vlan1
ip address 10.0.1.1 255.255.255.0
!
interface Async3
no ip address
encapsulation slip
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line 3
modem InOut
speed 115200
flowcontrol hardware
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
!
end
09-05-2017 12:53 PM
Cool. I was unaware that G0-G7 by default belong to VLAN1. That's important. And, I WAS able to assign the IP address to VLAN1 after first having to clean up the ip routes I had put out there (I deleted those and used only the one you gave me). I was getting a conflict error with one of the static routes otherwise. I also took the liberty of cleaning up the config a little. Not sure how much farther I can go. At 10.0.1.2, I have a domain controller (Windows Server 2012 R2) for 10.0.1.0 subnet and dhcp IS enabled there. I need DHCP on the Server for my Active Directory, etc work/experiments. There will be only one connection at G0-G7 (to connect to my interior switch on 10.0.1.0 subnet). So, I would like to disable DHCP on the router. As far as Arris is concerned, I want to keep DHCP enabled there for the 10.0.0.1/24 network (that will be the personal network). I will create a few static addresses to really lockdown MAC addresses. I will of course establish a static address for the CISCO router at 10.0.1.1.
Below is the config as it stands now:
Current configuration : 2300 bytes
!
! Last configuration change at 19:23:46 UTC Tue Sep 5 2017
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no service dhcp
!
hostname FL-RTR-2
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
!
no aaa new-model
service-module wlan-ap 0 bootimage autonomous
!
!
ip dhcp excluded-address 10.0.1.1 10.0.1.2
!
ip dhcp pool lan
network 10.0.1.0 255.255.255.0
default-router 10.0.1.1
dns-server 8.8.8.8 8.8.4.4
lease infinite
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid C891FW-A-K9 sn FTX184783U9
!
username admin privilege 15 secret 5 $1$bjQF$hMgjich.e.Ie9PdF4Z.4//
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0
no ip address
!
interface GigabitEthernet1
no ip address
!
interface GigabitEthernet2
no ip address
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
description Link to Subnet SW1
no ip address
!
interface GigabitEthernet5
no ip address
!
interface GigabitEthernet6
no ip address
!
interface GigabitEthernet7
no ip address
!
interface GigabitEthernet8
description WAN to ARRISGW
ip address 10.0.0.2 255.255.255.0
duplex auto
speed auto
!
interface Wlan-GigabitEthernet8
no ip address
!
interface wlan-ap0
description Embedded Service module interface to manage the embedded AP
no ip address
!
interface Vlan1
ip address 10.0.1.1 255.255.255.0
!
interface Async3
no ip address
encapsulation slip
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line 3
modem InOut
speed 115200
flowcontrol hardware
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
!
end
I've attached the output of the sho ip route command (see attached file). I have not reconnected the router into the network yet. Not sure how/if that will affect the output of this command. Should I have a gateway of last resort? And, if so, should it be 10.0.1.1 or 10.0.0.1? My guess is 10.0.1.1 (the router).
09-05-2017 01:22 PM
Hello,
config looks good. If you don't need the DHCP on the Cisco, simply delete the DHCP pool with:
Router(config)#no ip dhcp pool lan
The gateway of last resort actually IS the 0.0.0.0 0.0.0.0 10.0.0.1 route, it means all traffic coming from the Cisco will be sent to the ARRIS.
09-08-2017 06:19 PM
Georg, my apologies for this late response. I live in Tampa and am preparing for hurricane Irma AND trying to get my corporate taxes (on extension) done before 9/15. I hope to turn my attentions to the router very soon. I am excited to try all your ideas.
I will respond again as soon as possible.
GT
09-09-2017 12:13 AM
Hello,
adding a Cisco router to your network is probably the least of your concerns now. Stay safe over there. I happen to know Tampa very well, I have friends in the Forest Hills area, off W. Busch. I went to school in Gainesville, and I am also a Bucs fan...
Either way, I am just thinking: do you need the ARRIS at all ? And is it an option to connect the Cisco directly to your ISP ?
09-13-2017 07:31 PM
Hey George. Almost there but still have a problem:
Arris is 10.0.0.1 255.255.255.0
Arris has a reservation of 10.0.0.2 255.255.255.0 for the Cisco router and it shows "online"
Below is the config for the Cisco router
From my 10.0.1.2 server and from my 10.0.1.43 PC I can ping:
10.0.1.2
10.0.1.1 (VLAN1)
10.0.0.2 (G8)
But I cannot ping 10.0.0.1 (or 8.8.8.8 for that matter) and therefore have no i/net access from 10.0.1.0 subnet. Everything looks right. Do you see anything?
Current configuration : 2119 bytes
!
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no service dhcp
!
hostname FL-RTR-2
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
!
no aaa new-model
service-module wlan-ap 0 bootimage autonomous
!
ip dhcp excluded-address 10.0.1.1 10.0.1.2
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid C891FW-A-K9 sn FTX184783U9
!
!
username admin privilege 15 secret 5 $1$bjQF$hMgjich.e.Ie9PdF4Z.4//
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0
no ip address
!
interface GigabitEthernet1
no ip address
!
interface GigabitEthernet2
no ip address
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
description Link to Subnet SW1
no ip address
!
interface GigabitEthernet5
no ip address
!
interface GigabitEthernet6
no ip address
!
interface GigabitEthernet7
no ip address
!
interface GigabitEthernet8
description WAN to ARRISGW
ip address 10.0.0.2 255.255.255.0
duplex auto
speed auto
!
interface Wlan-GigabitEthernet8
no ip address
!
interface wlan-ap0
description Embedded Service module interface to manage the embedded AP
no ip address
!
interface Vlan1
ip address 10.0.1.1 255.255.255.0
!
interface Async3
no ip address
encapsulation slip
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line 3
modem InOut
speed 115200
flowcontrol hardware
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
!
end
--------------------------------------------
FL-RTR-2#sho ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is 10.0.0.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.0.0.1
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.0.0.0/24 is directly connected, GigabitEthernet8
L 10.0.0.2/32 is directly connected, GigabitEthernet8
C 10.0.1.0/24 is directly connected, Vlan1
L 10.0.1.1/32 is directly connected, Vlan1
FL-RTR-2#
-------------------------------------------
FL-RTR-2#sho arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.0.0.1 6 5ce3.0ec6.5cf9 ARPA GigabitEthernet8
Internet 10.0.0.2 - f07f.06b2.1413 ARPA GigabitEthernet8
Internet 10.0.0.38 8 5aef.6890.b20c ARPA GigabitEthernet8
Internet 10.0.0.39 8 a4d1.d283.1674 ARPA GigabitEthernet8
Internet 10.0.1.1 - f07f.06b2.1400 ARPA Vlan1
Internet 10.0.1.2 1 842b.2b79.502b ARPA Vlan1
Internet 10.0.1.43 0 0025.64e8.1ecc ARPA Vlan1
Internet 10.0.1.46 205 f07f.06b2.1414 ARPA Vlan1
Internet 10.0.1.49 2 0004.f296.a0fa ARPA Vlan1
Internet 10.0.1.100 175 0025.64e8.1ecc ARPA Vlan1
FL-RTR-2#
09-14-2017 06:09 AM
PS comments:
- the Arris address of 10.0.0.1 has a mask of 255.255.255.0. Is that preventing traffic from 10.0.1.0 subnet?
- the Arris is set "routing with NAT addressing". Are there NAT commands we've overlooked?
- any routing commands required on the Cisco router?
By the way, to answer your question, I'd like to keep the Arris for the "primary" network for a few reasons. It drives the house net (set top boxes, family and tv wireless,etc), local catv provider supports it, it isolates my subnet, and I like the exercise as far as my sandbox is concerned.
09-14-2017 11:13 AM
Hello,
first of all I hope you didn't get too wet, and that you did not suffer property damage...
Either way, the problem now is likely with the ARRIS. Does the ARRIS have an option to add networks (to be NATted) and static routes ? If so, you need to add a static route from the ARRIS for network 10.0.1.0/24 pointing to the Cisco (10.0.0.2), and also make sure that the network on the Cisco (10.0.1.0/24) is NATted.
I have found the attached user manual, and here is what I think needs to be done:
Go to LAN Setup (page 55) and add the new subnet 10.0.1.0/24 to the 'LAN Segment' section. Once you have added the network, and since you have 'Routed Subnet NAT Enabled' checked off, the new segment should be NATted, too...
09-14-2017 03:12 PM
Can't do it George. Very good idea and thanks for the incredible work but that software is not the same as mine. Close but not exact. No LAN segment. No way to add a LAN segment or even update the guy to a newer version.
what about the port forwarding or DMZ features?
09-14-2017 03:44 PM
Standby George. Think I got it. Wait till you see this. Want to test something first. Looks good.
09-14-2017 04:00 PM
It's working! I changed nothing on the Arris. There was no LAN-segment option as I said. I tried a virtual server/port-forwarding option but it didn't do anything.
So I focused on the NAT angle you mentioned and went back to ICND1 (CCNA course) and the section on NAT and PAT where I found some really cool commands and an exercise that was specifically this problem.
First, configured static NAT on VLAN1: ip nat inside
Second, configured static NAT on G8: ip nat outside
Then, access-list 10 permit 10.0.1.0 0.0.0.255
Then, ip nat inside source list 10 interface g8 overload
It works, I can access the inside address on VLAN1 10.0.1.1 and the outside address on G8 10.0.0.2 (as before) and beyond. I can ping 10.0.0.1 (Arris) and 8.8.8.8 and get internet etc.
What do you think? Is this solved? You ok with PAT? I think having only the one address 10.0.0.2 (qualified by port number) might be keeping Arris happy??? That might be a stretch.
Open to comments.
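An added example, not part of the original thread: a small Python check that reads IOS running-config text and reports why inside hosts would not be translated by the PAT setup in the post above. The two sample configs are constructed from the thread's addressing and its four NAT commands, with `g8` written as `GigabitEthernet8` as a running-config would show it; `parse` and `audit_pat` are hypothetical helper names.

```python
import ipaddress
import re

# Constructed sample: the thread's final addressing plus the four NAT/PAT
# commands from the post above, in running-config order.
FIXED_CONFIG = """\
interface GigabitEthernet8
 description WAN to ARRISGW
 ip address 10.0.0.2 255.255.255.0
 ip nat outside
!
interface Vlan1
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 10 interface GigabitEthernet8 overload
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
access-list 10 permit 10.0.1.0 0.0.0.255
"""

# Constructed sample: the same config before the fix (routing only, no NAT).
BROKEN_CONFIG = "\n".join(
    line for line in FIXED_CONFIG.splitlines()
    if "nat" not in line and not line.startswith("access-list")
)


def parse(config):
    """Return (interfaces, acls, pat_rules) parsed from running-config text."""
    interfaces, acls, pat_rules, current = {}, {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)", line):
            current = interfaces.setdefault(m[1], {"net": None, "nat": None})
        elif (m := re.match(r"ip address (\S+) (\S+)$", line)) and current is not None:
            current["net"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif (m := re.match(r"ip nat (inside|outside)$", line)) and current is not None:
            current["nat"] = m[1]
        elif m := re.match(r"access-list (\d+) permit (\S+) (\S+)$", line):
            # Standard ACLs carry a wildcard (inverted) mask such as 0.0.0.255.
            mask = ipaddress.ip_address(int(ipaddress.ip_address(m[3])) ^ 0xFFFFFFFF)
            acls.setdefault(m[1], []).append(
                ipaddress.ip_network(f"{m[2]}/{mask}", strict=False))
        elif m := re.match(r"ip nat inside source list (\d+) interface (\S+) overload", line):
            pat_rules.append((m[1], m[2]))
    return interfaces, acls, pat_rules


def audit_pat(config):
    """List reasons inside hosts would not be translated; empty list means OK."""
    interfaces, acls, pat_rules = parse(config)
    inside = {n: i for n, i in interfaces.items() if i["nat"] == "inside"}
    findings = []
    if not inside:
        findings.append("no interface is marked 'ip nat inside'")
    if not pat_rules:
        findings.append("no 'ip nat inside source list ... overload' rule")
    for acl, out_if in pat_rules:
        if interfaces.get(out_if, {}).get("nat") != "outside":
            findings.append(f"{out_if} is not marked 'ip nat outside'")
        for name, intf in inside.items():
            net = intf["net"]
            if net is None or not any(net.subnet_of(p) for p in acls.get(acl, [])):
                findings.append(f"access-list {acl} does not cover {name} ({net})")
    return findings
```

On the router itself, `show ip nat translations` lists the active inside-local to inside-global mappings once traffic is flowing.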
09-16-2017 12:15 AM
Hello,
actually, your solution is great ! What you are doing is double NAT, you are basically translating the new 10.0.1.0/24 network into the network the ARRIS already NATs.
By the way, is that a Comcast provided device by any chance ? I am just asking because I think Comcast updates the software on the ARRIS modems, which kind of dumbs them down and severely limits the configuration options. The idea is that this should make it easier for their customer service to troubleshoot...
Either way, these scenarios come up quite frequently here in this forum, I'll keep your solution in mind !