Connecting a Laptop To EdgeRouter

zekebashi
Level 4

Hello,

One of our vendors is trying to perform bandwidth and traffic performance testing. They have completed their testing by attaching various end-point devices to the access-layer, dist-layer, and core layer switches in our infra. The vendor is requesting to connect their laptop directly to our edge-router.

We currently have an ASR1001 router which has one physical port with 3 sub-interfaces (1.1.1.1; 2.2.2.1; 3.3.3.1) connected directly to a trunk port (802.1q; VL1000; VL2000; VL3000) on an edge-switch and a default gateway to our ISP. Our firewall has a physical port configured with a port-channel (VL1000: 1.1.1.2; VL2000: 2.2.2.2; VL3000: 3.3.3.2) directly connected to the same edge-switch and a default gateway (0/0 to 1.1.1.1).

The question is: what is the configuration required to connect a laptop directly to a physical port on the ASR1001 router?

Much appreciated.

Best, ~zK


15 Replies

Seb Rupik
VIP Alumni

Hi there,

What is the subnet mask of V1000 ? 

If it is smaller than /29 then you should be able to accommodate the test laptop in addition to the router and firewall interfaces. Simply configure a switchport in mode access on VLAN1000 on the edge switch, assign the laptop an IP (eg 1.1.1.3) and connect it there. That should give it sufficient connectivity and placement.

cheers,

Seb.

Thanks for the input, Seb!

The requirement is to connect the Laptop directly to the edge router (ASR1001) and not to the edge-switch (this was already done).

I can connect the laptop to the edge-router and assign it a public IP address; however, I am not sure what the proper configuration on the router is.

Is there a way to create a L2 interface on the ASR1001? Ref: https://www.cisco.com/c/en/us/td/docs/wireless/asr_900/feature/guides/evc.html

Hmm, OK, looking through the documentation I have come up with this:

!
interface Gi0/0/0.1000
 service instance 1 ethernet
  encapsulation dot1q 1000
  bridge-domain 1
!
interface Gi0/0/1
 service instance 1 ethernet
  encapsulation untagged
  bridge-domain 1
!
interface BDI1
 ip address 1.1.1.1 255.255.255.x
!

Then connect the laptop to Gi0/0/1. You will need to remove the IP from Gi0/0/0.1000.

 

Hello,

Why don't you just NAT on the spare port?

interface xx
description spare router port
ip address 192.168.1.1 255.255.255.252
ip nat inside

int xx
description wan port
ip nat outside
exit

access-list 1 permit 192.168.1.0 0.0.0.3
ip nat inside source list 1 interface (wan)

laptop ip = 192.168.1.2 255.255.255.252
gateway = 192.168.1.1

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Will this method cause any impact to the ingress/egress traffic on the edge router? This is a production edge router for a major organization!

Here is the ports configuration (using bogus IP addresses) and your recommended configuration. Is this correct?

Edge-Rtr:

Gi0/0/0.4000
description Internet Out_01
ip address  1.1.1.1 255.255.254.0
!
Gi0/0/0.4003          
description Internet Out_02 
ip address  2.2.2.1  255.255.255.0
!
Gi0/0/0.4004
description Internet Out_03          
ip address  3.3.3.1  255.255.255.0
!
!
GigabitEthernet0/0/1   
description Internet Link To ISP 
ip address 100.100.100.100 255.255.255.248
! 
GigabitEthernet0/0/4 
description spare router port
ip address 1.1.1.100 255.255.255.254 
ip nat inside
!
!

access-list 1 permit 1.1.1.100 255.255.255.254 
!
ip nat inside source list 1 interface Gi0/0/0.4000
!
! 
Laptop ip = 1.1.1.101 255.255.255.254
GW = 1.1.1.1

Hello


@zekebashi wrote:

Will this method cause any impact to the ingress/egress traffic on the edge router? This is a production edge router for a major organization!


No, it won't. You are just enabling NAT on the WAN/spare interfaces; it's not intrusive. However, I would say any change on a production router would need to go through change control, so it's best for all concerned that you have a change window scheduled.

example:
interface GigabitEthernet0/0/1
ip nat outside
exit

interface GigabitEthernet0/0/4
description spare router port
ip address 192.168.1.1 255.255.255.252
ip nat inside

access-list 1 permit 192.168.1.0 0.0.0.3
ip nat inside source list 1 interface GigabitEthernet0/0/1


Kind Regards
Paul

Outstanding!

Thanks for the input, Paul!

Much appreciated.

Best, ~zK

@paul driver, Hello, Paul, your recommended solution worked perfectly. I implemented the change last Fri; it worked as expected.

Thank you for your valuable input.

Much appreciated.

Best, ~zK

@paul driver Hi Paul,

I've some concerns regarding configuring the "ip nat outside" on the port connected to our ISP/Carrier. We are currently using BGP peering with our ISP using that port. Would configuring the "ip nat outside" impact/nat the traffic traversing this port? In your example below, you give it a desc as "wan port"!

int xx
description wan port
ip nat outside
exit

Thanks in advance.

Best, ~zK


zK

There are things about your environment that we do not know and that impacts our ability to give good advice. So can you provide clarification on some points? Is there any address translation configured on any interfaces of your ASR? If there is no address translation on your ASR then where is the translation done? Is it on your firewall? Does your ISP provide the translation?

In general I would advise that if there is currently no address translation configured on your ASR then configuring address translation using ip nat outside on the interface to the ISP and ip nat inside on the interface used for the test PC, and address translation configured using an access list that identified specifically the traffic from the test PC should not have any impact on your production traffic. But if this is a production router for a major organization, I would certainly advise having someone who has better visibility into the specifics of the environment review the implications of making these changes.

HTH

Rick

Hi Richard,

No, we are not using the ASR for any address translation. We are using our Firewall to perform NAT'ng.

Yes, this is a prod router for a major org.

The specifics are as I mentioned in my original post:

- We are using ASR1001 and peering with our ISP (BGP) for Internet access
- We are using one physical interface on ASR and configured with a public IP address (G0/0/1 = 100.100.100.2/29), which is used to peer with our ISP (100.100.100.1/29) ------ This is the "Outside Interface"
- The ASR has a physical interface (G0/0/0) configured with 3 sub-interfaces (G0/0/0.1000 = 1.1.1.1/23; G0/0/0.2000 = 2.2.2.1/24; and G0/0/0.3000 = 3.3.3.1/24) --- This is the "Inside Interface" which connects to the Internet edge switch
- The ASR's G0/0/0 (Inside Interface) connects directly to a trunk port on the Internet edge switch (802.1q: VL1000; VL2000; VL3000)
- On the ASR, we have a default route to the ISP's address 0/0 --- 100.100.100.1
- We have a FW configured with a physical interface (802.1q: VL1000; VL2000; VL3000) and connected directly to same Internet edge switch as the ASR
- On the FW, we have a default route to 0/0 100.100.100.2, which is one of the sub-interfaces on the ASR: G0/0/1 = 100.100.100.2/29
- We have all the NAT'ng configured on our FW

I hope this helps.

Best, ~zK


zK

Thank you for the clarification. Based on what you have told us I would repeat what I said in my previous response: based on what we have been told it should not have an impact on the production network if you use a spare interface to connect a PC, and if you configure ip nat inside, ip nat outside, and address translation with an access list that specifically permits only that PC address to be translated.

Having said that I would also say that since this is a production network for a major organization I would proceed with caution. There is some possibility that there is some aspect that we have not considered that could cause an impact. For example is it possible that the volume of test traffic from the PC could impact production traffic? Is it possible that something in the test traffic could trigger some security policy in the provider network? Ultimately you and your management must evaluate the benefits of performing these tests against the (remote) possibility that it could impact the production traffic and decide whether to proceed with this testing.

HTH

Rick
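
Added example (not part of the thread and not code from any poster): IOS reads the second field of a standard ACL entry as a wildcard (inverse) mask, so the check below reports how many source addresses a NAT ACL entry matches and whether any fall outside the test subnet. The function names and the test subnets passed in are assumptions made for this illustration; the first and third ACL lines are quoted from the thread, the host-only line is constructed.

```python
import ipaddress
import re

# Standard numbered ACL permit entry: "access-list N permit [host] A.B.C.D [wildcard]"
ACL_RE = re.compile(r"^access-list\s+\d+\s+permit\s+(?:host\s+)?(\S+)(?:\s+(\S+))?$")
ALL_ONES = 0xFFFFFFFF

def parse_permit(line):
    """Return (address, wildcard) as integers for one permit entry."""
    m = ACL_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a standard permit entry: {line!r}")
    addr = int(ipaddress.IPv4Address(m.group(1)))
    # "host X" or a bare address is an exact match, i.e. wildcard 0.0.0.0.
    wild = int(ipaddress.IPv4Address(m.group(2))) if m.group(2) else 0
    return addr, wild

def matches(line, ip):
    """True if source address ip is permitted (wildcard 1-bits are ignored)."""
    addr, wild = parse_permit(line)
    care = ~wild & ALL_ONES
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)

def audit(line, test_subnet):
    """Count matched sources and flag entries wider than test_subnet."""
    addr, wild = parse_permit(line)
    net = ipaddress.ip_network(test_subnet)
    netmask = int(net.netmask)
    findings = []
    inverted = wild ^ ALL_ONES
    # A subnet mask is contiguous 1-bits from the top; its inverse is 2**k - 1.
    if wild not in (0, ALL_ONES) and inverted & (inverted + 1) == 0:
        findings.append("wildcard looks like a subnet mask")
    if (wild & netmask) or (addr & netmask) != int(net.network_address):
        findings.append(f"matches sources outside {test_subnet}")
    return {"matched": 2 ** bin(wild).count("1"), "findings": findings}

if __name__ == "__main__":
    # Two entries as they appear in the thread, plus a constructed host-only form.
    for entry, subnet in [
        ("access-list 1 permit 192.168.1.0 0.0.0.3", "192.168.1.0/30"),
        ("access-list 1 permit host 192.168.1.2", "192.168.1.0/30"),
        ("access-list 1 permit 1.1.1.100 255.255.255.254", "1.1.1.100/31"),
    ]:
        print(entry, "->", audit(entry, subnet))
```

Running the audit against a candidate NAT ACL before the change window shows whether translation is limited to the test PC or would also apply to other sources arriving on the inside interface.
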

@Richard Burts. Hi, Rich, I implemented the change last Fri and tested the connectivity from the laptop out to the Internet. It worked like a charm. Thanks so much for your time, input, and patience.

Much appreciated.

Best, ~zK

zK

I am glad that our responses have been helpful. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information.

HTH

Rick