12-20-2021 04:27 AM
Hello there-I've had a provider switch from dedicated /29 with static upstream routing to PPPoE with the insistence that we don't now have a next hop. There's a huge language barrier between me and the provider so I need to go through an intermediary so I'm trying to get all my ducks in a row before going back to them. I'm presuming I should be getting a next hop via the PPPoE link, and I *believe* I've established it, but I can't sort out where the IP should be applied and how to configure the routing/nat rules.
sh caller ip
  Line         User               IP Address      Local Number    Remote Number   <->
  Vi2          e14yhnaka-sseu000400 \
                                  -               -               <unknown phone in
!!!
sh caller
                                                  Active   Idle
  Line         User               Service  Time     Time
  vty 10       xxx                VTY      00:53:22 00:00:00
  Vi2          e14xxxxxx-sseu000400 \
                                  PPPoE    00:16:05 00:00:05
!!!
interface GigabitEthernet8
 description Internet
 ip address x.x.x.x 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly in
 zone-member security OUTSIDE
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
 pppoe enable group global
 pppoe-client dial-pool-number 1
!!!
interface Dialer1
 ip address negotiated
 ip mtu 1472
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname xxxxxXXX@xxx.xx
 ppp chap password 7 xxxXXXxxx
 ppp ipcp route default
 ppp ipcp address accept
That caller is definitely connected and packets are passing, leading me to believe the PPPoE connection is established, but I'm not getting anything in the show caller ip section, am not seeing any routes to pppoe and don't know what else I should be looking for to confirm/connect myself upstream at this point...
The provider says I should have that entire /29 to myself, and I've assigned myself the first IP therein, but I'm not used to not having a peer IP to point traffic at, and am wondering if I'm missing some sort of PPPoE peer. I've tried to assign the public IP to the Dialer1 interface instead, but that didn't give me any success.
02-10-2022 06:19 AM
Ok, in the end it turned out I needed to configure the PPPoE config on Dialer1 and then call it out as an 'unnumbered' interface, with the IP/subnet living on the physical external interface, Gi8:
interface Dialer1
 mtu 1492
 ip unnumbered GigabitEthernet8
 ip mtu 1472
 ip nat outside
 ip virtual-reassembly in
 zone-member security OUTSIDE
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname xxxx@xxx.xxx
 ppp chap password 7 xxxxxxx
 ppp ipcp route default
 ppp ipcp address accept
!
interface GigabitEthernet8
 ip address x.x.x.x 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 zone-member security OUTSIDE
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
 pppoe enable group global
 pppoe-client dial-pool-number 1
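The difference between the first attempt and the working config above comes down to a handful of interface-level invariants: the dialer's pool number must match a physical port running the PPPoE client, an unnumbered dialer must borrow from a port that actually holds the static address, and NAT and the ZBF zone must be applied on the dialer because that is where the PPP-encapsulated traffic leaves the box. The script below is an added example, not code from the thread or from Cisco; it parses the two config shapes (both constructed here, with a documentation /29 in place of the sanitized addresses) and reports which of those invariants each one breaks. The checks themselves are my own reading of what a sane PPPoE dialer config needs, not something the thread states as a rule.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: shape of the thread's first attempt. Static /29 on Gi8,
# PPPoE client on Gi8, Dialer1 with a negotiated address, default route via Dialer1.
CONFIG_BEFORE = """\
interface Dialer1
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin
 ppp ipcp route default
!
interface GigabitEthernet8
 ip address 203.0.113.1 255.255.255.248
 ip nat outside
 zone-member security OUTSIDE
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
ip route 0.0.0.0 0.0.0.0 Dialer1
"""

# Constructed sample: shape of the working config. Dialer1 is unnumbered to Gi8
# and carries NAT and the OUTSIDE zone; IPCP installs the default route.
CONFIG_AFTER = """\
interface Dialer1
 ip unnumbered GigabitEthernet8
 ip nat outside
 zone-member security OUTSIDE
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin
 ppp ipcp route default
!
interface GigabitEthernet8
 ip address 203.0.113.1 255.255.255.248
 ip nat outside
 zone-member security OUTSIDE
 pppoe enable group global
 pppoe-client dial-pool-number 1
"""


def parse_ios(config: str) -> Dict[str, List[str]]:
    """Split an IOS config into {header: [sub-commands]}. Interface headers sit
    at column 0 and their sub-commands are indented one space; top-level lines
    that belong to no interface are collected under the "" key."""
    sections: Dict[str, List[str]] = {"": []}
    current = ""
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = ""            # "!" terminates the current section
            continue
        if raw.startswith(" "):
            sections.setdefault(current, []).append(line)
        elif line.startswith("interface "):
            current = line
            sections.setdefault(current, [])
        else:
            current = ""
            sections[""].append(line)
    return sections


def _first(body: List[str], pattern: str) -> Optional[str]:
    """Return group(1) of the first sub-command matching pattern, else None."""
    for cmd in body:
        m = re.match(pattern, cmd)
        if m:
            return m.group(1)
    return None


def check_pppoe(config: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means all checks passed."""
    s = parse_ios(config)
    findings: List[str] = []
    dialers = {h: b for h, b in s.items() if h.startswith("interface Dialer")}
    # pool number -> physical interface names running the PPPoE client
    pools: Dict[str, List[str]] = {}
    for h, body in s.items():
        if h.startswith("interface ") and h not in dialers:
            pool = _first(body, r"pppoe-client dial-pool-number (\d+)")
            if pool:
                pools.setdefault(pool, []).append(h.split(" ", 1)[1])
    for h, body in dialers.items():
        name = h.split(" ", 1)[1]
        pool = _first(body, r"dialer pool (\d+)")
        if pool is None or pool not in pools:
            findings.append(f"{name}: 'dialer pool {pool}' has no physical interface with a matching pppoe-client")
        src = _first(body, r"ip unnumbered (\S+)")
        if src:
            src_body = s.get(f"interface {src}", [])
            if not any(c.startswith("ip address ") and c != "ip address negotiated" for c in src_body):
                findings.append(f"{name}: unnumbered to {src}, but {src} holds no static ip address")
        elif not any(c.startswith("ip address") for c in body):
            findings.append(f"{name}: no 'ip address', 'ip address negotiated' or 'ip unnumbered'")
        if "ip nat outside" not in body:
            findings.append(f"{name}: missing 'ip nat outside' (translated traffic leaves through the dialer)")
        if not any(c.startswith("zone-member security") for c in body):
            findings.append(f"{name}: no 'zone-member security'; ZBF will not see traffic on the dialer")
    routes = [l for l in s[""] if l.startswith("ip route 0.0.0.0 0.0.0.0 ")]
    phys_pppoe = {p for lst in pools.values() for p in lst}
    for r in routes:
        if r.split()[4] in phys_pppoe:
            findings.append(f"'{r}' points at the PPPoE physical port; route via the Dialer instead")
    if not routes and not any("ppp ipcp route default" in b for b in dialers.values()):
        findings.append("no static default route and no 'ppp ipcp route default' on any dialer")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, check_pppoe(cfg) or "OK")
```

Run against the "before" shape it reports the two things the working config added to Dialer1 (`ip nat outside` and the OUTSIDE zone membership) and nothing else; the "after" shape passes clean. Feeding it a real `show running-config` works as long as the interface sub-commands keep IOS's one-space indentation.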
12-20-2021 06:08 AM - last edited on 02-10-2022 05:44 PM by Translator
Hello,
the config doesn't look right. Do you have a zone-based firewall (or not)? Either way, post the full output of
sh run
...
12-20-2021 07:22 AM
Indeed, I am running a ZBF, with DMVPN for access back to the rest of our network. No VRFs, and DMVPN running on Tunnel100. Rough config here:
interface Tunnel100
 tunnel source GigabitEthernet8
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface GigabitEthernet8
 ip address x.x.x.x 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 zone-member security OUTSIDE
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
!
policy-map type inspect PM_INSIDE_TO_self
 class class-default
  pass
policy-map type inspect PM_self_TO_INSIDE
 class class-default
  pass
policy-map type inspect PM_self_TO_OUTSIDE
 class type inspect CM_CRYPTO
  pass
 class type inspect CM_DHCP
  pass
 class type inspect CM_self_TO_OUTSIDE
  inspect
 class class-default
  drop
policy-map type inspect PM_INSIDE_TO_OUTSIDE
 class type inspect CM_INSIDE_OUTSIDE_INSPECT
  inspect
 class type inspect CM_PROTOCOL_GRE
  pass
 class class-default
  drop log
!
zone security OUTSIDE
zone security INSIDE
zone security GUEST
zone-pair security INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM_INSIDE_TO_OUTSIDE
zone-pair security GUEST_TO_OUTSIDE source GUEST destination OUTSIDE
 service-policy type inspect PM_GUEST_TO_OUTSIDE
zone-pair security OUTSIDE_TO_self source OUTSIDE destination self
 service-policy type inspect PM_OUTSIDE_TO_self
zone-pair security INSIDE_TO_self source INSIDE destination self
 service-policy type inspect PM_INSIDE_TO_self
zone-pair security self_TO_INSIDE source self destination INSIDE
 service-policy type inspect PM_self_TO_INSIDE
zone-pair security self_TO_OUTSIDE source self destination OUTSIDE
 service-policy type inspect PM_self_TO_OUTSIDE
!
ip nat inside source list NAT_RANGE interface GigabitEthernet8 overload
!
ip access-list standard NAT_RANGE
 permit 172.x.x.x 0.0.0.15
 permit 172.x.x.x 0.0.0.255
 permit 192.168.x.0 0.0.0.255
!
ip route 0.0.0.0 0.0.0.0 Dialer1
12-20-2021 09:49 AM - last edited on 02-10-2022 05:45 PM by Translator
Hello,
what is the inside of the ZBF, the tunnel? Post the full running config
(sh run)
...
Is any part of your config already working?
12-23-2021 07:58 AM
Yes, the config was working perfectly (DMVPN, external ssh access, NAT, tunnels, ZBF, etc.) until the provider changed their circuit delivery. Again, in the past we had a /29 with a gateway defined; now they've given us a PPPoE config with no gateway nor peer address to connect to, and I'm trying to shoehorn this into the existing config. Uplink is via Gi8, with Tunnel100 being our DMVPN connection (again, working prior to the provider changes). I am attaching a sanitized config, but the ZBF and DMVPN config was fine; I'm just trying to get the PPPoE config set up properly now...
12-23-2021 08:31 AM - last edited on 02-10-2022 05:49 PM by Translator
Hello,
I am not really sure I fully understand what you are running into. If you don't have a default gateway, you just specify the outgoing interface in your default route.
Try the config below (important parts marked with -->):
config-register 0x2102
!
version 15.7
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec show-timezone
service timestamps log datetime msec show-timezone
service password-encryption
service sequence-numbers
!
hostname YOKVPN01
!
boot-start-marker
boot system flash:c800-universalk9-mz.SPA.157-3.M7.bin
boot system flash:c800-universalk9-mz.SPA.156-3.M6a.bin
warm-reboot
boot-end-marker
!
no shell processing
aqm-register-fnf
!
security authentication failure rate 10 log
logging buffered 4096
logging rate-limit 5 except critical
no logging console
no logging monitor
!
aaa new-model
!
aaa authentication password-prompt LOCAL_Password:
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa session-id common
process cpu threshold type total rising 40 interval 300
service-module wlan-ap 0 bootimage autonomous
!
no ip source-route
no ip gratuitous-arps
ip options drop
!
ip nbar protocol-pack flash:/pp-adv-isrg2-154-3.M2-20-15.0.0.pack
!
no ip bootp server
ip domain timeout 1
ip cef
no ipv6 cef
!
parameter-map type ooo global
tcp reassembly queue length 512
tcp reassembly memory limit 8192
tcp reassembly alarm off
!
multilink bundle-name authenticated
!
cts logging verbose
license feature MEM-8XX-512U1GB
license udi pid C897VAM-W-E-K9 sn FCZ181892MJ
license accept end user agreement
!
archive
log config
logging enable
!
redundancy
!
controller VDSL 0
lldp run
!
class-map type inspect match-any CM_GUEST_OUTSIDE_INSPECT
match protocol dns
match protocol http
match protocol https
match protocol ftp
match protocol tcp
match protocol udp
class-map type inspect match-any CM_self_TO_OUTSIDE
match protocol tcp
match protocol udp
match protocol icmp
class-map type inspect match-any CM_OUTSIDE_TO_self
match access-group name MGMT_ACCESS_EXTERNAL
class-map match-any CM_QOS_QUEUE_CRITICAL_DATA
match dscp af11 af12 af13 cs2 af21 af22 af23
class-map match-any CM_QOS_QUEUE_INTERACTIVE_VIDEO
match dscp cs4 af41 af42 af43
class-map match-any TROJAN
match protocol attribute category trojan
class-map match-any CM_QOS_QUEUE_SCAVENGER
match dscp cs1
class-map match-any CM_QOS_QUEUE_VOICE
match dscp ef
class-map match-any CM_QOS_QUEUE_STREAMING_VIDEO
match dscp af31 af32 af33 cs5
class-map match-any P2P
match protocol attribute sub-category p2p-file-transfer
match protocol attribute sub-category p2p-networking
class-map match-any CM_QOS_QUEUE_NET_CTRL
match dscp cs6
class-map type inspect match-any CM_PROTOCOL_GRE
description Permit GRE traffic via ACL
match access-group name GRE
class-map type inspect match-any CM_DHCP
match protocol bootpc
match protocol bootps
class-map type inspect match-any CM_INSIDE_OUTSIDE_INSPECT
match protocol http
match protocol https
match protocol ftp
match protocol dns
match protocol h323
match protocol smtp
match protocol skinny
match protocol sip
match protocol sip-tls
match protocol l2tp
match protocol pptp
match protocol tcp
match protocol udp
match protocol icmp
class-map match-any CM_QOS_QUEUE_CALL_SIGNALING
match dscp cs3
class-map type inspect match-any CM_CRYPTO
match access-group name CRYPTO_ACCESS
!
policy-map type inspect PM_INSIDE_TO_self
class class-default
pass
policy-map type inspect PM_self_TO_INSIDE
class class-default
pass
policy-map type inspect PM_self_TO_OUTSIDE
class type inspect CM_CRYPTO
pass
class type inspect CM_DHCP
pass
class type inspect CM_self_TO_OUTSIDE
inspect
class class-default
drop
policy-map type inspect PM_OUTSIDE_TO_self
class type inspect CM_CRYPTO
pass
class type inspect CM_DHCP
pass
class type inspect CM_OUTSIDE_TO_self
inspect
class class-default
drop
policy-map PM_QOS_WAN_QUEUE
class CM_QOS_QUEUE_INTERACTIVE_VIDEO
bandwidth remaining percent 30
random-detect dscp-based
class CM_QOS_QUEUE_STREAMING_VIDEO
bandwidth remaining percent 10
random-detect dscp-based
class CM_QOS_QUEUE_NET_CTRL
bandwidth remaining percent 5
class CM_QOS_QUEUE_CALL_SIGNALING
bandwidth remaining percent 4
class CM_QOS_QUEUE_CRITICAL_DATA
bandwidth remaining percent 25
random-detect dscp-based
class CM_QOS_QUEUE_SCAVENGER
bandwidth remaining percent 1
class CM_QOS_QUEUE_VOICE
priority level 1
police cir percent 10
class class-default
bandwidth remaining percent 25
random-detect
policy-map type inspect PM_INSIDE_TO_OUTSIDE
class type inspect CM_INSIDE_OUTSIDE_INSPECT
inspect
class type inspect CM_PROTOCOL_GRE
pass
class class-default
drop log
policy-map LAN_POLICY
class P2P
drop
class TROJAN
drop
policy-map type inspect PM_GUEST_TO_OUTSIDE
class type inspect CM_GUEST_OUTSIDE_INSPECT
inspect
class class-default
drop log
policy-map POLICY_TRANSPORT_1
class class-default
shape average 50000000
service-policy PM_QOS_WAN_QUEUE
!
zone security OUTSIDE
description Internet facing Interface
zone security INSIDE
description inside user data network
zone security GUEST
description Inside Guest data network without access to PQ
zone-pair security INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect PM_INSIDE_TO_OUTSIDE
zone-pair security GUEST_TO_OUTSIDE source GUEST destination OUTSIDE
service-policy type inspect PM_GUEST_TO_OUTSIDE
zone-pair security OUTSIDE_TO_self source OUTSIDE destination self
service-policy type inspect PM_OUTSIDE_TO_self
zone-pair security INSIDE_TO_self source INSIDE destination self
service-policy type inspect PM_INSIDE_TO_self
zone-pair security self_TO_INSIDE source self destination INSIDE
service-policy type inspect PM_self_TO_INSIDE
zone-pair security self_TO_OUTSIDE source self destination OUTSIDE
service-policy type inspect PM_self_TO_OUTSIDE
!
interface Loopback0
ip address x.x.x.x 255.255.255.255
!
interface Tunnel100
bandwidth 50000
ip address 192.168.x.x 255.255.254.0
no ip redirects
ip mtu 1440
ip nbar protocol-discovery
ip nhrp authentication earphone
ip nhrp network-id 100
ip nhrp nhs dynamic nbma x.x.x.x
ip nhrp nhs dynamic nbma x.x.x.x
ip nhrp nhs dynamic nbma x.x.x.x
ip nhrp nhs dynamic nbma x.x.x.x
zone-member security INSIDE
ip tcp adjust-mss 1360
nhrp group RS_GROUP_50MBPS
tunnel source GigabitEthernet8
tunnel mode gre multipoint
tunnel key 100
tunnel protection ipsec profile DMVPN_IKEV2_IPSEC_PROFILE
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface Ethernet0
no ip address
shutdown
!
--> no interface Dialer1
mtu 1492
ip address negotiated
ip mtu 1472
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer persistent
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname xxxx@xxx.xxx
ppp chap password 7 xxxxxx
ppp ipcp route default
ppp ipcp address accept
!
interface GigabitEthernet0
switchport access vlan 10
switchport voice vlan 15
no ip address
spanning-tree portfast
!
interface GigabitEthernet1
switchport access vlan 60
switchport trunk native vlan 60
switchport trunk allowed vlan 1,2,60,70,90,1002-1005
switchport mode trunk
no ip address
power inline never
!
interface GigabitEthernet8
ip address x.x.x.x 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly in
zone-member security OUTSIDE
duplex auto
speed auto
media-type rj45
no cdp enable
service-policy output POLICY_TRANSPORT_1
--> no pppoe enable group global
--> no pppoe-client dial-pool-number 1
!
interface Wlan-GigabitEthernet8
switchport trunk native vlan 10
switchport mode trunk
no ip address
!
router bgp 6xxxx
bgp log-neighbor-changes
timers bgp 10 30 30
neighbor DMVPN_US peer-group
neighbor DMVPN_US remote-as 1xxx
neighbor DMVPN_US local-as 6xxxx no-prepend replace-as
neighbor DMVPN_UK peer-group
neighbor DMVPN_UK remote-as 2xxxx
neighbor DMVPN_UK local-as 6xxxx no-prepend replace-as
neighbor x.x.x.x peer-group DMVPN_US
neighbor x.x.x.x peer-group DMVPN_US
neighbor x.x.x.x peer-group DMVPN_UK
neighbor x.x.x.x peer-group DMVPN_UK
!
address-family ipv4
network x.x.x.x mask 255.255.255.255
network x.x.x.x mask 255.255.254.0
neighbor DMVPN_US soft-reconfiguration inbound
neighbor DMVPN_US prefix-list DENY_DEFAULT_ROUTE in
neighbor DMVPN_US route-map DMVPN_SPOKE_IN in
neighbor DMVPN_UK soft-reconfiguration inbound
neighbor DMVPN_UK prefix-list DENY_DEFAULT_ROUTE in
neighbor DMVPN_UK route-map DMVPN_SPOKE_IN in
neighbor x.x.x.x activate
neighbor x.x.x.x activate
neighbor x.x.x.x activate
neighbor x.x.x.x activate
exit-address-family
!
address-family ipv4 multicast
exit-address-family
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip bgp-community new-format
ip community-list standard US_ROUTES permit 1xxx:100
ip community-list standard UK_ROUTES permit 2xxxx:100
ip community-list standard UK_PREF_ROUTES permit 2xxxx:200
ip community-list standard UK_DEFAULT_ROUTE permit 2xxxx:999
ip community-list standard US_DEFAULT_ROUTE permit 1xxx:999
ip community-list standard UK_ONLY_ROUTES permit 2xxxx:300
ip as-path access-list 100 permit ^17493$
sort-by bytes
!
ip dns view default
domain timeout 1
ip nat inside source list NAT_RANGE interface GigabitEthernet8 overload
--> ip route 0.0.0.0 0.0.0.0 GigabitEthernet8
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
ip access-list standard NAT_RANGE
permit
ip access-list standard SNMP_RO
permit
deny any
ip access-list standard SNMP_RO
permit
deny any
!
ip access-list extended ADMIN_ACCESS
permit tcp host x.x.x.x any eq 22
!
ip access-list extended CRYPTO_ACCESS
permit esp any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
ip access-list extended GRE
remark Allow GRE (used by PPTP)
permit gre any any
ip access-list extended MGMT_ACCESS_EXTERNAL
permit icmp any any echo-reply
permit icmp x.x.0.0 0.0.255.255 any echo
permit icmp any any packet-too-big
permit icmp any any traceroute
permit icmp any any unreachable
permit icmp any any host-unreachable
permit icmp any any time-exceeded
permit tcp x.x.0.0 0.0.255.255 any eq 22
deny ip any any
!
ip prefix-list DENY_DEFAULT_ROUTE permit 0.0.0.0/0 ge 1
logging trap warnings
logging origin-id hostname
logging source-interface Loopback0
ipv6 ioam timestamp
!
route-map DMVPN_SPOKE_IN permit 10
match community US_DEFAULT_ROUTE
set local-preference 200
!
route-map DMVPN_SPOKE_IN permit 15
match community UK_DEFAULT_ROUTE
set local-preference 200
!
route-map DMVPN_SPOKE_IN permit 20
match community UK_PREF_ROUTES
set local-preference 200
!
route-map DMVPN_SPOKE_IN permit 30
description By default use US hubs
match community US_ROUTES
!
route-map DMVPN_SPOKE_IN permit 40
match community UK_ROUTES
set local-preference 50
!
snmp-server ifindex persist
snmp-server trap-source Loopback0
snmp-server location location
snmp-server contact Network Engineering & Operations - network@proquest.com
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps eigrp
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps license
snmp-server enable traps envmon
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps bfd
snmp-server enable traps bgp
snmp-server enable traps entity
snmp-server enable traps fru-ctrl
snmp-server enable traps hsrp
snmp-server enable traps cpu threshold
access-list 100 remark Permit DHCP Traffic through packet spoof filter
access-list 100 permit udp any eq bootps any eq bootpc
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
logging synchronous
no modem enable
transport preferred none
line aux 0
logging synchronous
transport preferred none
line vty 0 4
logging synchronous
transport preferred none
transport input ssh
transport output telnet ssh
line vty 5 15
logging synchronous
transport preferred none
transport input ssh
transport output telnet ssh
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
!
scheduler allocate 20000 1000
ntp update-calendar
!
end
12-29-2021 07:33 AM - last edited on 02-10-2022 05:49 PM by Translator
I'm not clear if I'm missing something from the provider, but I have the following:
-PPPoE username/password
-/29 for me to assign as my WAN IP
Removing Dialer1 and the PPPoE config will fail to have this connect and, as I don't have a next hop, I won't have anywhere to go. My thought was to configure Dialer1 with the PPPoE config and then set Dialer1 as my next hop, but I'm unclear about two things:
-where to put the WAN IP: on Dialer1 or Gi8
-why when I configured things as above and got an initial PPPoE connection I never got a proper connection or any upstream traffic when setting Dialer1 as my next hop.
From what I understand I don't need an IP for the PPPoE peer in order to establish the connection, but shouldn't I expect to get one once it establishes, so my router knows where to send traffic? As I am getting a /29 for my WAN IP range, I suppose I don't need to configure my interfaces to get their IP from DHCP, but I'm still not clear on what the correct config should be for this type of setup. Additionally, unfortunately, I am not on-site and therefore I need to gather plans before I am able to test them.