05-24-2024 02:12 AM - edited 05-24-2024 02:13 AM
Hi
Hoping someone can help.
I recently purchased a NIM-VAB-A card to go in our ISR4451, with the goal of eliminating an ISP's insecure unmanaged router. I have configured this following various guides online, and it is working from a connectivity point of view, I can ping the internet from the router.
The problem I've got is that I don't understand the relationship between the Dialer interface, and the required Ethernet and subinterface with VLAN tagging.
Here are the pertinent parts of my config as it currently is:
interface Ethernet0/2/0
mtu 1508
no ip address
no negotiation auto
no mop enabled
!
interface Ethernet0/2/0.101
encapsulation dot1Q 101
no ip redirects
no ip unreachables
no ip proxy-arp
no cdp enable
pppoe enable group global
pppoe-client dial-pool-number 1
pppoe-client ppp-max-payload 1500
!
interface Dialer0
ip address negotiated
ip nbar protocol-discovery ipv4
ip nat outside
zone-member security OUTSIDE
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname VDSLHOSTNAME
ppp chap password 0 VDSLPASSWORD
ppp ipcp address required
ip virtual-reassembly
!
Here are my issues:
I am hoping someone can explain to me the relationship between these interfaces. I've tried to find out online, but the guides I've found don't really go into why commands are on one interface and not another in this scenario. I want to avoid redundant or misplaced config entries if I can, even if the config "works".
Thanks in advance!
05-24-2024 05:37 AM
Hello @DazOG ,
The logical interface Dialer0 is the only one that will get an IP address via IPCP in the PPPoE negotiation phase.
The Ethernet interface and its subinterface provide the physical layer and L2 encapsulation:
physical layer: Ethernet
L2 encapsulation is 802.1Q with VLAN ID 101. Also it invokes the PPPoE client for
1) The commands should be applied to Dialer0 only, as the other two are in lower OSI layers.
2) >> I currently have zone-member security OUTSIDE on the Dialer interface. Is this correct?
It can be correct, but with Zone Based Firewall you need to configure appropriate security policies of type inspect between zone pairs, for example between "INSIDE" and "OUTSIDE".
3) >> I have no mop enabled on the Ethernet0/2/0 interface
You can ignore this; it should be related to a protocol used in LAN segments.
4) Yes, the command is in the right place, as explained above.
Hope to help
Giuseppe
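To illustrate the inspect policy between zone pairs that point 2 refers to, here is an added example (not from any post in this thread): a minimal ZBFW configuration that lets hosts in INSIDE open sessions toward OUTSIDE on Dialer0 and allows only their return traffic back. The zone names come from the thread; the LAN VLAN interface, class-map and policy-map names are assumptions.

```cisco
! Added example, not taken from the thread. Zone names match the original
! config; Vlan10, CM-INSIDE-TO-OUTSIDE and PM-INSIDE-TO-OUTSIDE are assumed names.
zone security INSIDE
zone security OUTSIDE
!
! Traffic the firewall tracks statefully from INSIDE toward OUTSIDE
class-map type inspect match-any CM-INSIDE-TO-OUTSIDE
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop log
!
! Unidirectional pair: sessions initiated from INSIDE are inspected and their
! replies are permitted. No OUTSIDE->INSIDE pair exists, so unsolicited inbound
! traffic from the internet is dropped by default.
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
!
! The LAN SVI (name assumed) belongs to INSIDE. The WAN side stays on Dialer0,
! as in the original config, because Dialer0 is the only interface on the WAN
! path that carries an IP address; Ethernet0/2/0 and its .101 subinterface
! only provide the physical layer and the 802.1Q/PPPoE encapsulation.
interface Vlan10
 zone-member security INSIDE
!
interface Dialer0
 zone-member security OUTSIDE
```

Active sessions created by the policy can be checked with "show policy-map type inspect zone-pair INSIDE-TO-OUTSIDE sessions".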
05-24-2024 06:59 AM
Thanks.
As far as the ZBFW config goes, I already have an internal VLAN that has zone-member security INSIDE on, with associated pairings, etc. This all works ok. I've seen some configs put the zone-member security INSIDE on the Ethernet0/2/0.101 subinterface, but I don't think those configs used VLANs?
05-24-2024 07:17 AM - edited 05-24-2024 07:18 AM
Hello @DazOG ,
You have to test it. If you assign a zone to the Ethernet0/2/0.101 subinterface, I would suppose you should use zone "OUTSIDE" for it, as on the Dialer0 interface.
Hope to help
Giuseppe