
Help with relationship wrt Ethernet & Dialer interfaces in VDSL config

DazOG
Level 1

Hi

Hoping someone can help.

I recently purchased a NIM-VAB-A card to go in our ISR4451, with the goal of eliminating an ISP's insecure unmanaged router. I have configured this following various guides online, and it is working from a connectivity point of view; I can ping the internet from the router.

The problem I've got is that I don't understand the relationship between the Dialer interface, and the required Ethernet and subinterface with VLAN tagging.

Here are the pertinent parts of my config as it currently is:

interface Ethernet0/2/0
 mtu 1508
 no ip address
 no negotiation auto
 no mop enabled
!
interface Ethernet0/2/0.101
 encapsulation dot1Q 101
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
 pppoe enable group global
 pppoe-client dial-pool-number 1
 pppoe-client ppp-max-payload 1500
!
interface Dialer0
 ip address negotiated
 ip nbar protocol-discovery ipv4
 ip nat outside
 zone-member security OUTSIDE
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname VDSLHOSTNAME
 ppp chap password 0 VDSLPASSWORD
 ppp ipcp address required
 ip virtual-reassembly
!

Here are my issues:

  • I don't know which of the interfaces I should have the no ip redirects, no ip unreachables and no ip proxy-arp.  Both Dialer and Ethernet interfaces, including the subinterface, accept the commands.  I don't know where these commands would be redundant.
  • I currently have zone-member security OUTSIDE on the Dialer interface.  Is this correct?  Should it be on the Ethernet0/2/0.101 subinterface instead, or Ethernet0/2/0, or both?  All three?  I haven't tested internal hosts connectivity yet, I have only verified the router can ping the Internet, which isn't affected by this (not "self").
  • I have no mop enabled on the Ethernet0/2/0 interface, but I don't know if this is correct, or whether it should be on the Dialer interface instead (or as well as).  The command is not accepted on the Ethernet subinterface.
  • Is ip nbar protocol-discovery ipv4 in the right place, on the Dialer interface?

I am hoping someone can explain to me the relationship between these interfaces.  I've tried to find out online, but the guides I've found don't really go into why commands are on one interface and not another, in this scenario.  I want to avoid redundant or misplaced config entries if I can avoid it, even if the config "works".

Thanks in advance!

3 Replies

Giuseppe Larosa
Hall of Fame

Hello @DazOG ,

The logical interface Dialer0 is the only one that will get an IP address via IPCP in the PPPoE negotiation phase.

The Ethernet interface and its subinterface provide the physical layer and L2 encapsulation:

Physical layer: Ethernet

L2 encapsulation is 802.1Q with VLAN ID 101. Also it invokes the PPPoE client for

1) The commands should be applied to Dialer0 only, as the other two are in lower OSI layers.

2) >> I currently have zone-member security OUTSIDE on the Dialer interface.  Is this correct? 

It can be correct, but with Zone Based Firewall you need to configure appropriate security policies of type inspect between zone pairs, for example between "INSIDE" and "OUTSIDE".

3) >> I have no mop enabled on the Ethernet0/2/0 interface

You can ignore this; it should be related to a protocol used in LAN segments.

4) Yes, the command is in the right place, as explained above.

Hope to help

Giuseppe
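
A placement check for points 1 and 4 of the reply above, as an added example that is not part of the thread and not a Cisco tool: it parses IOS-style interface stanzas and reports IP-layer commands that sit on the PPPoE carrier interface instead of on the Dialer bound to the same pool. The function names, the command list and the sample configuration are constructed for illustration.

```python
import re

# Assumption: the IP-layer commands covered by points 1 and 4 of the reply.
L3_COMMANDS = ("no ip redirects", "no ip unreachables", "no ip proxy-arp",
               "ip nbar ")

# Constructed sample, modelled on the configuration posted in the question.
SAMPLE_CONFIG = """\
interface Ethernet0/2/0.101
 encapsulation dot1Q 101
 no ip redirects
 no ip proxy-arp
 pppoe-client dial-pool-number 1
!
interface Dialer0
 ip address negotiated
 zone-member security OUTSIDE
 dialer pool 1
"""

def parse_interfaces(config):
    """Return {interface name: [commands]} from IOS-style configuration text."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        header = re.match(r"interface\s+(\S+)$", line)
        if header:
            current = interfaces.setdefault(header.group(1), [])
        elif line in ("", "!"):
            current = None          # "!" or a blank line ends the stanza
        elif current is not None:
            current.append(line)
    return interfaces

def pool_number(commands, pattern):
    """Return the pool number captured by pattern in any command, else None."""
    hits = [m.group(1) for m in (re.match(pattern, c) for c in commands) if m]
    return hits[0] if hits else None

def misplaced_l3_commands(config):
    """Return (carrier, command, owning Dialer) for L3 commands on a PPPoE carrier."""
    interfaces = parse_interfaces(config)
    dialers = {pool_number(c, r"dialer pool (\d+)$"): n for n, c in interfaces.items()}
    findings = []
    for name, cmds in interfaces.items():
        pool = pool_number(cmds, r"pppoe-client dial-pool-number (\d+)$")
        if pool is not None:        # this interface only carries PPPoE frames
            findings += [(name, c, dialers.get(pool)) for c in cmds
                         if c.startswith(L3_COMMANDS)]
    return findings
```

Calling misplaced_l3_commands(SAMPLE_CONFIG) returns one tuple per command to move, naming the subinterface it was found on and the Dialer that should carry it.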

 

 

 

DazOG
Level 1

Thanks.

As far as the ZBFW config goes, I already have an internal VLAN that has zone-member security INSIDE on, with associated pairings, etc.  This all works ok.  I've seen some configs put the zone-member security INSIDE on the Ethernet0/2/0.101 subinterface, but I don't think those configs used VLANs?

Hello @DazOG ,

You have to test it. If you assign a zone to the eth0/2/0.101 subif, I would suppose to use zone "OUTSIDE" for it, as on the Dialer0 interface.

 

Hope to help

Giuseppe

 
