03-09-2022 12:25 AM
Hello,
I have 2 routers, one using the Dialer interface as the uplink to DSL and another using cellular 0/2/0 (LTE Router C1126). The one with the dialer interface works perfectly, but the one with cellular 0/2/0 does not (unless I twitch the ip route, which I would like to avoid, because once the router is set up at the customer's premises and they have to restart it, then it definitely won't come up again).
Cellular0/2/0 x.x.x.x YES IPCP up up
Cellular0/2/1 unassigned YES unset administratively down down
ATM0/3/0 unassigned YES unset down down
Ethernet0/3/0 unassigned YES unset down down
Loopback0 x.x.x.x YES manual up up
Tunnel100 x.x.x.x YES manual up down
Tunnel200 x.x.x.x YES manual up down
Since the cellular interface is getting an IP address, what could be the reason the tunnels are not coming up?
R1#sh int tunnel100
Tunnel100 is up, line protocol is down
Hardware is Tunnel
Description: TUNNEL-TO-DMVPN-HUB-MUC13
Internet address is x.x.x.x/24
MTU 9972 bytes, BW 100 Kbit/sec, DLY 10000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel linestate evaluation down - linestate mode reg down
Tunnel source x.x.x.x (Cellular0/2/0)
Tunnel Subblocks:
src-track:
Tunnel100 source tracking subblock associated with Cellular0/2/0
Set of tunnels with source Cellular0/2/0, 2 members (includes iterators), on interface <OK>
Tunnel protocol/transport multi-GRE/IP
Key 0x64, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255, Fast tunneling enabled
Tunnel transport MTU 1472 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "DMVPN-PROFILE-1")
Last input never, output 00:00:46, output hang never
Last clearing of "show interface" counters 00:19:46
Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
78 packets output, 10600 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
I understand that when I configure an interface with the vrf command, the IPv4/IPv6 addresses will be removed to prevent duplicate addresses. However, after that, how do I get an IP address again without configuring a static IP?
For more context, this is the dialer interface that is working:
interface Dialer1
bandwidth 1000
bandwidth receive 18000
vrf forwarding INTERNET
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
encapsulation ppp
dialer pool 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname xxx
ppp chap password 7 xxx
ppp pap sent-username xxx
service-policy output WAN-EDGE-4-CLASS
And the cellular interface is as below:
Router#sh run int cell0/2/0
Building configuration...
Current configuration : 67 bytes
!
interface Cellular0/2/0
ip address negotiated
ipv6 enable
end
Thanks.
Regards,
Joy
03-09-2022 12:33 AM
Hello,
--> The one with the dialer interface works perfectly but the one with a cellular 0/2/0 does not (unless I twitch the ip route which I would like to avoid because once the router is set at the customer's premises and they have to restart it, then it definitely won't come up again)
It is unclear what your topology looks like. You have two routers: at the same site, or at different sites? Post a diagram of your topology showing how the devices are connected, and what works and what does not...
03-09-2022 12:49 AM
Hello @Georg Pauwen Thanks for the prompt response.
Currently what is on the customer's site is an ISR that uses a dialer interface. So, I would like to replace this in future with an ISR that uses a cellular interface as its DSL connection. But until now, I have not been able to get the LTE router (for testing) to work properly.
03-09-2022 01:01 AM
Hello,
It is difficult to figure out what your topology looks like. Do you have a diagram? I see a DMVPN tunnel? The LTE router is a C1126? Post at the very least the full running configuration of the LTE router...
03-09-2022 01:27 AM
Attached is the topology. The ISR that I am testing with is a C1126 LTE router. Below is the running config:
no service pad
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
service password-encryption
service unsupported-transceiver
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
vrf definition INTERNET
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!!
aaa new-model
!
!
aaa group server tacacs+ TACACS-ISE
server name SUS-ISE-01-LP
server name SUS-ISE-02-LP
!
aaa group server radius RADIUS-ISE
server name SUS-ISE-01-LP
server name SUS-ISE-02-LP
!
!
!
!
aaa server radius dynamic-author
client xxx server-key 7 xxx
client xxx server-key 7 xxx
!
aaa session-id common
clock timezone CET 1 0
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
!
no ip domain lookup
ip domain name stadtulm.lan
!
ip dhcp pool webuidhcp
!
!
!
login on-failure log
login on-success log
ipv6 unicast-routing
!
!
!
!
!
subscriber templating
!
!
!
!
vtp domain DMVPN-SPOKE
vtp mode transparent
!
!
multilink bundle-name authenticated
!
access-session mac-move deny
!
diagnostic bootup level minimal
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree logging
spanning-tree portfast bpduguard default
spanning-tree extend system-id
spanning-tree pathcost method long
spanning-tree vlan 1-4094 priority 4096
!
service-template webauth-global-inactive
inactivity-timer 3600
service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
linksec policy must-secure
service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
linksec policy should-secure
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
voice vlan
!
dot1x system-auth-control
errdisable recovery cause all
errdisable recovery interval 360
!
!
!
redundancy
mode none
!
!
!
controller Cellular 0/2/0
lte modem link-recovery rssi onset-threshold -110
lte modem link-recovery monitor-timer 20
lte modem link-recovery wait-timer 10
lte modem link-recovery debounce-count 6
!
!
!
!
!
vlan internal allocation policy ascending
!
vlan 100
name SU-INTRANET
!
vlan 251
name SU-VOICE
!
vlan 300
name SU-WLAN
!
vlan 804
name SU-GLT
!
vlan 805
name SU-MGMT
!
vlan 806
name SU-AP-MGMT
!
!
!
!---------------------------------------!
! QoS !
!---------------------------------------!
!
class-map match-any REALTIME
match dscp ef
match dscp cs5
match dscp cs4
!
class-map match-any CRITICAL-DATA
match dscp af41 af42 af43
match dscp af31 af32 af33
match dscp af21 af22 af23
match dscp af11 af12 af13
!
class-map match-any CONTROL
match dscp cs6
match dscp cs3
match dscp cs2
!
policy-map WAN-EDGE-4-CLASS
class REALTIME
priority level 1 percent 10
class CONTROL
bandwidth 100
class CRITICAL-DATA
bandwidth 100
!
!
!-----------------------------------------------!
! Identity Based Networking Services (802.1x) !
!-----------------------------------------------!
!
class-map type control subscriber match-any AAA-DOWN
match result-type aaa-timeout
!
class-map type control subscriber match-all DOT1X-FAILED
match method dot1x
match result-type method dot1x authoritative
!
policy-map type control subscriber DOT1X-DEFAULT
event session-started match-all
10 class always do-all
10 authenticate using dot1x priority 10
20 authenticate using mab priority 20
event violation match-all
10 class always do-all
10 restrict
event agent-found match-all
10 class always do-all
10 authenticate using dot1x
event authentication-failure match-all
10 class AAA-DOWN do-all
10 authorize
20 activate service-template CRITICAL
30 terminate dot1x
40 terminate mab
20 class DOT1X-FAILED do-all
10 authenticate using mab
!
!---------------------------------------!
! Zone Based Firewall Config !
!---------------------------------------!
!
ip access-list extended KITA-NETWORKS
remark Kita Netze fuer Zone Based Firewall
permit ip any xxx
permit ip any xxx
!
class-map type inspect match-all KITA
match access-group name KITA-NETWORKS
!
policy-map type inspect TRAFFIC-POLICY
class type inspect KITA
drop
class class-default
pass
!
zone security DMVPN
zone security INTRANET
zone security GLT
zone security MGMT
!
zone-pair security DMVPN->GLT source DMVPN destination GLT
service-policy type inspect TRAFFIC-POLICY
zone-pair security DMVPN->INTRANET source DMVPN destination INTRANET
service-policy type inspect TRAFFIC-POLICY
zone-pair security DMVPN->MGMT source DMVPN destination MGMT
service-policy type inspect TRAFFIC-POLICY
zone-pair security GLT->DMVPN source GLT destination DMVPN
service-policy type inspect TRAFFIC-POLICY
zone-pair security INTRANET->DMVPN source INTRANET destination DMVPN
service-policy type inspect TRAFFIC-POLICY
zone-pair security MGMT->DMVPN source MGMT destination DMVPN
service-policy type inspect TRAFFIC-POLICY
!
!
!
!
!---------------------------------------!
! DMVPN Config !
!---------------------------------------!
!
crypto ikev2 keyring DMVPN-KEYRING-1
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key -3$q.,:3L#8L7zjm"NxSQ64K"1Cp638t75:zg$S#KzA52/rp8f9E)zQ.8.LNP")
!
crypto ikev2 keyring DMVPN-KEYRING-2
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key EiVbw/2#7$4$ibClS:WVRmGn4wGE3deXZ:teBjUL\J,uZU-,l&dV6gUU6\4u8f
!
crypto ikev2 profile FVRF-IKEv2-IWAN-TRANSPORT-1
match fvrf INTERNET
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local DMVPN-KEYRING-1
identity local address xxx
dpd 40 5 on-demand
!
crypto ikev2 profile FVRF-IKEv2-IWAN-TRANSPORT-2
match fvrf INTERNET
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local DMVPN-KEYRING-2
identity local address xxx
dpd 40 5 on-demand
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha256-hmac
mode transport
!
crypto ipsec profile DMVPN-PROFILE-1
set transform-set AES256/SHA/TRANSPORT
set ikev2-profile FVRF-IKEv2-IWAN-TRANSPORT-1
!
crypto ipsec profile DMVPN-PROFILE-2
set transform-set AES256/SHA/TRANSPORT
set ikev2-profile FVRF-IKEv2-IWAN-TRANSPORT-2
!
!
!
!-------------------------------------------------------!
! Management Loopback !
!-------------------------------------------------------!
!
interface Loopback0
description ROUTER-MGMT
ip address xxx
!
!
ip route vrf INTERNET 0.0.0.0 0.0.0.0 Cellular 0/2/0
interface Tunnel100
ip address xxx
no ip redirects
ip mtu 1400
ip nhrp authentication DMVPN-I1
ip nhrp network-id 100
ip nhrp nhs xxx nbma xxx multicast
ip nhrp registration timeout 60
ip nhrp redirect
zone-member security DMVPN
ip tcp adjust-mss 1360
delay 1000
cdp enable
if-state nhrp
tunnel source Cellular 0/2/0
tunnel mode gre multipoint
tunnel key 100
tunnel vrf INTERNET
tunnel protection ipsec profile DMVPN-PROFILE-1
no shutdown
!
!
! DMVPN tunnel interface towards HUB Rathaus
interface Tunnel200
description TUNNEL-TO-DMVPN-HUB-RTH
ip address xxx
no ip redirects
ip mtu 1400
ip nhrp authentication DMVPN-I2
ip nhrp network-id 200
ip nhrp nhs xxx nbma xxx multicast
ip nhrp registration timeout 60
ip nhrp redirect
zone-member security DMVPN
ip tcp adjust-mss 1360
delay 1000
cdp enable
if-state nhrp
tunnel source Cellular 0/2/0
tunnel mode gre multipoint
tunnel key 200
tunnel vrf INTERNET
tunnel protection ipsec profile DMVPN-PROFILE-2
no shutdown
!
interface range GigabitEthernet0/1/0-2
description Dose <DOSEN-ID>
switchport access vlan 100
switchport mode access
switchport voice vlan 251
authentication periodic
authentication timer reauthenticate server
access-session control-direction in
no access-session closed
access-session port-control auto
mab
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber DOT1X-DEFAULT
no shutdown
!
!
!
interface GigabitEthernet0/1/3
description UPLINK-ACCESSPOINT
switchport trunk native vlan 806
switchport trunk allowed vlan 300,806
switchport mode trunk
spanning-tree portfast trunk
no shutdown
!
interface Wlan-GigabitEthernet0/1/4
shutdown
interface Vlan1
no ip address
shutdown
!
interface Vlan100
ip address xxx
ip helper-address xxx
ip helper-address xxx
no ip redirects
no ip proxy-arp
zone-member security INTRANET
no autostate
no shutdown
!
interface Vlan251
ip address xxx
no ip redirects
no ip proxy-arp
zone-member security INTRANET
no autostate
no shutdown
!
interface Vlan300
ip address xxx
no ip redirects
no ip proxy-arp
zone-member security INTRANET
no autostate
!
interface Vlan804
ip address xxx
no ip redirects
no ip proxy-arp
zone-member security GLT
no autostate
no shutdown
!
interface Vlan805
ip address xxx
no ip redirects
no ip proxy-arp
zone-member security MGMT
no autostate
no shutdown
!
interface Vlan806
ip address xxxx
ip helper-address xxx
no ip redirects
no ip proxy-arp
zone-member security MGMT
no autostate
no shutdown
!
!
!
!
router bgp 65500
bgp router-id xxx
bgp log-neighbor-changes
neighbor MUC-HUB peer-group
neighbor MUC-HUB remote-as 65500
neighbor MUC-HUB timers 20 60
neighbor RTH-HUB peer-group
neighbor RTH-HUB remote-as 65500
neighbor RTH-HUB timers 20 60
neighbor xxx peer-group RTH-HUB
neighbor xxx peer-group MUC-HUB
!
address-family ipv4
bgp redistribute-internal
redistribute connected route-map RM-REDIST-CONNECTED-TO-BGP
neighbor MUC-HUB send-community
neighbor MUC-HUB next-hop-self all
neighbor MUC-HUB weight 50000
neighbor MUC-HUB soft-reconfiguration inbound
neighbor RTH-HUB send-community
neighbor RTH-HUB next-hop-self all
neighbor RTH-HUB weight 50000
neighbor RTH-HUB soft-reconfiguration inbound
neighbor xxx activate
neighbor xxx activate
distance bgp 201 19 250
exit-address-family
!
!
ip access-list standard SNMP-MGMT
remark Erlaube SNMP Zugriff aus MGMT Zone
permit xxx 5
!
ip access-list extended SSH-MGMT
remark Erlaube SSH Zugriff aus MGMT Zone
permit tcp xxx any eq 22
!
ip radius source-interface Loopback0
logging source-interface Loopback0
logging host 172.30.3.21
logging host 172.30.3.22
logging buffered 50000
03-09-2022 03:01 AM
Hello,
Something isn't right, or I might be missing something: where is the Cellular interface?
03-09-2022 03:16 AM
Oh, sorry, here you go:
!
interface Cellular0/2/0
vrf forwarding INTERNET
ip address negotiated
ip nat outside
dialer in-band
dialer idle-timeout 0
dialer-group 1
pulse-time 1
!
03-09-2022 03:37 AM - edited 03-09-2022 03:40 AM
Hello,
There is no 'ip nat inside'? The entire NAT configuration is missing? There is no dialer-list either? The Cellular interface has no ZBF zone?
It looks like a lot of basic stuff is missing from your configuration...
03-09-2022 04:19 AM
You have got multiple layers of functions where errors could be occurring. I'd suggest you start simple and check that your WAN link is working within the VRF: "show ip route vrf INTERNET" and make sure that looks correct, then "ping vrf INTERNET 8.8.8.8" and ensure you get a response. If you are routing everything over the protected GRE tunnel, then you won't need the NAT outside statement on the Cellular interface, so get rid of that before you start testing.
If the cellular connectivity looks OK above, then for the GRE interface state you'll need to check whether IPsec is actually trying to connect to the other side: "debug crypto" for both ikev2 and ipsec.
03-09-2022 07:54 AM - edited 03-09-2022 07:59 AM
Hello @Georg Pauwen and @JimWicks,
I had deleted a few lines from the running configs because I thought the issue was only in the cellular interface. Here is the actual config:
!
version 16.10
no service pad
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
service password-encryption
service call-home
service unsupported-transceiver
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
vrf definition INTERNET
description Front Door VRF fuer Internet Interface
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging buffered 50000
enable secret 5 x
!
aaa new-model
!
!
aaa group server tacacs+ TACACS-ISE
server name SUS-ISE-01-LP
server name SUS-ISE-02-LP
!
aaa group server radius RADIUS-ISE
server name SUS-ISE-01-LP
server name SUS-ISE-02-LP
!
aaa authentication login VTY group TACACS-ISE local
aaa authentication login CONSOLE group TACACS-ISE local
aaa authentication enable default group TACACS-ISE none
aaa authentication dot1x default group RADIUS-ISE
aaa authorization console
aaa authorization config-commands
aaa authorization exec VTY group TACACS-ISE local if-authenticated
aaa authorization exec CONSOLE group TACACS-ISE local
aaa authorization commands 15 VTY group TACACS-ISE local if-authenticated
aaa authorization commands 15 CONSOLE group TACACS-ISE local
aaa authorization network default group RADIUS-ISE
aaa accounting update periodic 15
aaa accounting identity default start-stop group RADIUS-ISE
!
!
!
!
!
aaa server radius dynamic-author
client x server-key 7 x
client x server-key 7 x
!
aaa session-id common
clock timezone CET 1 0
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
no destination transport-method email
!
!
!
!
!
!
!
no ip domain lookup
ip domain name stadtulm.lan
!
ip dhcp pool webuidhcp
!
!
!
login on-failure log
login on-success log
ipv6 unicast-routing
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
vtp domain DMVPN-SPOKE
vtp mode transparent
!
!
multilink bundle-name authenticated
!
!
access-session mac-move deny
!
!
crypto pki trustpoint TP-self-signed-x
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-x
revocation-check none
rsakeypair TP-self-signed-x
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
!
*truncated*
!
license boot level appxk9
license boot level securityk9
!
diagnostic bootup level minimal
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree logging
spanning-tree portfast bpduguard default
spanning-tree extend system-id
spanning-tree pathcost method long
spanning-tree vlan 1-4094 priority 4096
service-template webauth-global-inactive
inactivity-timer 3600
service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
linksec policy must-secure
service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
linksec policy should-secure
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
voice vlan
service-template DEFAULT_CRITICAL_DATA_TEMPLATE
dot1x system-auth-control
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause port-mode-failure
errdisable recovery cause pppoe-ia-rate-limit
errdisable recovery cause oam-remote-failure
errdisable recovery cause psp
errdisable recovery interval 360
!
!
!
redundancy
mode none
!
!
!
crypto ikev2 keyring DMVPN-KEYRING-1
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key -x
!
!
crypto ikev2 keyring DMVPN-KEYRING-2
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key EiVbw/2#7$4$ibClS:WVRmGn4wGE3deXZ:teBjUL\J,uZU-,l&dV6gUU6\4u8f
!
!
!
crypto ikev2 profile FVRF-IKEv2-IWAN-TRANSPORT-1
match fvrf INTERNET
match identity remote address 0.0.0.0
identity local address x
authentication remote pre-share
authentication local pre-share
keyring local DMVPN-KEYRING-1
dpd 40 5 on-demand
!
crypto ikev2 profile FVRF-IKEv2-IWAN-TRANSPORT-2
match fvrf INTERNET
match identity remote address 0.0.0.0
identity local address x
authentication remote pre-share
authentication local pre-share
keyring local DMVPN-KEYRING-2
dpd 40 5 on-demand
!
!
controller Cellular 0/2/0
lte modem link-recovery rssi onset-threshold -110
lte modem link-recovery monitor-timer 20
lte modem link-recovery wait-timer 10
lte modem link-recovery debounce-count 6
!
controller VDSL 0/3/0
!
!
vlan internal allocation policy ascending
!
vlan 100
name SU-INTRANET
!
vlan 251
name SU-VOICE
!
vlan 300
name SU-WLAN
!
vlan 804
name SU-GLT
!
vlan 805
name SU-MGMT
!
vlan 806
name SU-AP-MGMT
!
track 1 ip sla 1 reachability
delay down 5
!
class-map type control subscriber match-any AAA-DOWN
match result-type aaa-timeout
!
class-map type control subscriber match-all DOT1X-FAILED
match method dot1x
match result-type method dot1x authoritative
!
!
class-map match-any REALTIME
match dscp ef
match dscp cs5
match dscp cs4
class-map type inspect match-all KITA
match access-group name KITA-NETWORKS
class-map match-any CRITICAL-DATA
match dscp af41 af42 af43
match dscp af31 af32 af33
match dscp af21 af22 af23
match dscp af11 af12 af13
class-map match-any CONTROL
match dscp cs6
match dscp cs3
match dscp cs2
!
policy-map type control subscriber DOT1X-DEFAULT
event session-started match-all
10 class always do-all
10 authenticate using dot1x priority 10
20 authenticate using mab priority 20
event violation match-all
10 class always do-all
10 restrict
event agent-found match-all
10 class always do-all
10 authenticate using dot1x
event authentication-failure match-all
10 class AAA-DOWN do-all
10 authorize
20 activate service-template CRITICAL
30 terminate dot1x
40 terminate mab
20 class DOT1X-FAILED do-all
10 authenticate using mab
!
policy-map type inspect TRAFFIC-POLICY
class type inspect KITA
drop
class class-default
pass
policy-map WAN-EDGE-4-CLASS
class REALTIME
priority level 1 percent 10
class CONTROL
bandwidth 100
class CRITICAL-DATA
bandwidth 100
!
!
zone security DMVPN
zone security INTRANET
zone security GLT
zone security MGMT
zone-pair security DMVPN->GLT source DMVPN destination GLT
service-policy type inspect TRAFFIC-POLICY
zone-pair security DMVPN->INTRANET source DMVPN destination INTRANET
service-policy type inspect TRAFFIC-POLICY
zone-pair security DMVPN->MGMT source DMVPN destination MGMT
service-policy type inspect TRAFFIC-POLICY
zone-pair security GLT->DMVPN source GLT destination DMVPN
service-policy type inspect TRAFFIC-POLICY
zone-pair security INTRANET->DMVPN source INTRANET destination DMVPN
service-policy type inspect TRAFFIC-POLICY
zone-pair security MGMT->DMVPN source MGMT destination DMVPN
service-policy type inspect TRAFFIC-POLICY
!
!
!
!
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha256-hmac
mode transport
!
crypto ipsec profile DMVPN-PROFILE-1
set transform-set AES256/SHA/TRANSPORT
set ikev2-profile FVRF-IKEv2-IWAN-TRANSPORT-1
!
crypto ipsec profile DMVPN-PROFILE-2
set transform-set AES256/SHA/TRANSPORT
set ikev2-profile FVRF-IKEv2-IWAN-TRANSPORT-2
!
!
!
!
!
!
!
!
!
!
interface Loopback0
description ROUTER-MGMT
ip address x
!
interface Tunnel100
ip address x
no ip redirects
ip mtu 1400
ip nhrp authentication DMVPN-I1
ip nhrp network-id 100
ip nhrp nhs x nbma x multicast
ip nhrp registration timeout 60
ip nhrp redirect
zone-member security DMVPN
ip tcp adjust-mss 1360
delay 1000
cdp enable
if-state nhrp
tunnel source Cellular0/2/0
tunnel mode gre multipoint
tunnel key 100
tunnel vrf INTERNET
tunnel protection ipsec profile DMVPN-PROFILE-1
!
interface Tunnel200
ip address x
no ip redirects
ip mtu 1400
ip nhrp authentication DMVPN-I2
ip nhrp network-id 200
ip nhrp nhs x nbma x multicast
ip nhrp registration timeout 60
ip nhrp redirect
zone-member security DMVPN
ip tcp adjust-mss 1360
delay 1000
cdp enable
if-state nhrp
tunnel source Cellular0/2/0
tunnel mode gre multipoint
tunnel key 200
tunnel vrf INTERNET
tunnel protection ipsec profile DMVPN-PROFILE-2
!
interface GigabitEthernet0/0/0
ip address 192.168.1.1 255.255.255.0
negotiation auto
!
interface GigabitEthernet0/1/0
description Dose <DOSEN-ID>
switchport access vlan 100
switchport mode access
switchport voice vlan 251
authentication periodic
authentication timer reauthenticate server
access-session control-direction in
access-session port-control auto
mab
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber DOT1X-DEFAULT
service-policy output WAN-EDGE-4-CLASS
!
interface GigabitEthernet0/1/1
description UPLINK-ACCESSPOINT
switchport trunk native vlan 806
switchport trunk allowed vlan 100,251,300,804-806
switchport mode trunk
spanning-tree portfast trunk
service-policy output WAN-EDGE-4-CLASS
!
interface GigabitEthernet0/1/2
description Dose <DOSEN-ID>
switchport access vlan 100
switchport mode access
switchport voice vlan 251
authentication periodic
authentication timer reauthenticate server
access-session control-direction in
access-session port-control auto
mab
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber DOT1X-DEFAULT
!
interface GigabitEthernet0/1/3
switchport access vlan 100
switchport mode access
switchport voice vlan 251
authentication periodic
authentication timer reauthenticate server
access-session control-direction in
access-session port-control auto
mab
dot1x timeout tx-period 10
spanning-tree portfast
service-policy output WAN-EDGE-4-CLASS
!
interface Wlan-GigabitEthernet0/1/4
shutdown
!
interface Cellular0/2/0
description INTERNET-UPLINK-VIA-LTE
bandwidth 1000
bandwidth receive 18000
vrf forwarding INTERNET
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
dialer in-band
dialer idle-timeout 0
dialer-group 1
pulse-time 1
!
interface Cellular0/2/1
no ip address
shutdown
!
interface ATM0/3/0
no ip address
atm oversubscribe factor 2
no atm enable-ilmi-trap
!
interface Ethernet0/3/0
no ip address
no negotiation auto
!
interface Vlan1
no ip address
shutdown
!
interface Vlan100
ip address x
ip helper-address x
ip helper-address x
no ip redirects
no ip proxy-arp
zone-member security INTRANET
no autostate
!
interface Vlan251
ip address x
ip helper-address x
no ip redirects
no ip proxy-arp
zone-member security INTRANET
no autostate
!
interface Vlan300
description SU-WLAN
ip address x
ip helper-address x
ip helper-address x
no ip redirects
no ip proxy-arp
zone-member security INTRANET
no autostate
!
interface Vlan804
ip address x
no ip redirects
no ip proxy-arp
zone-member security GLT
no autostate
!
interface Vlan805
ip address x
no ip redirects
no ip proxy-arp
zone-member security MGMT
no autostate
!
interface Vlan806
ip address x
ip helper-address x
no ip redirects
no ip proxy-arp
zone-member security MGMT
no autostate
!
router bgp 65500
bgp router-id x
bgp log-neighbor-changes
neighbor MUC-HUB peer-group
neighbor MUC-HUB remote-as 65500
neighbor MUC-HUB timers 20 60
neighbor RTH-HUB peer-group
neighbor RTH-HUB remote-as 65500
neighbor RTH-HUB timers 20 60
neighbor x peer-group RTH-HUB
neighbor x peer-group MUC-HUB
!
address-family ipv4
bgp redistribute-internal
redistribute connected route-map RM-REDIST-CONNECTED-TO-BGP
neighbor MUC-HUB send-community
neighbor MUC-HUB weight 50000
neighbor MUC-HUB next-hop-self all
neighbor MUC-HUB soft-reconfiguration inbound
neighbor RTH-HUB send-community
neighbor RTH-HUB weight 50000
neighbor RTH-HUB next-hop-self all
neighbor RTH-HUB soft-reconfiguration inbound
neighbor x activate
neighbor x weight 50000
neighbor x activate
neighbor x weight 50000
distance bgp 201 19 250
exit-address-family
!
ip forward-protocol nd
ip ftp source-interface Loopback0
ip ftp username x
ip ftp password 7 x
no ip http server
ip http authentication local
no ip http secure-server
ip nat inside source list 1 interface Cellular0/2/0 overload
ip route vrf INTERNET 0.0.0.0 0.0.0.0 Cellular0/2/0
ip tacacs source-interface Loopback0
!
!
ip access-list standard SNMP-MGMT
remark Erlaube SNMP Zugriff aus MGMT Zone
permit x 0.0.255.255
!
ip access-list extended KITA-NETWORKS
remark Kita Netze fuer Zone Based Firewall
permit ip any x 0.0.0.255
permit ip any x 0.0.0.255
ip access-list extended SSH-MGMT
remark Erlaube SSH Zugriff aus MGMT Zone
permit tcp x 0.0.255.255 any eq 22
!
ip radius source-interface Loopback0
ip sla 1
icmp-echo x source-interface Tunnel100
ip sla schedule 1 life forever start-time now
kron occurrence DailyClearIntDialer1 at 3:00 recurring
policy-list clearIntDi1
!
kron occurrence DailyClearCryptoSession at 3:03 recurring
policy-list clearcrypto
!
kron policy-list clearIntDi1
cli clear interface Dialer 1
!
kron policy-list clearcrypto
cli clear crypto session
!
logging source-interface Loopback0
logging host x
logging host x
dialer-list 1 protocol ip permit
!
!
route-map RM-REDIST-CONNECTED-TO-BGP permit 10
description Redistributiere dedizierte Interfaces in den BGP Prozess
match interface Loopback0 Vlan100 Vlan251 Vlan300 Vlan804 Vlan805 Vlan806
!
snmp-server group GROUP-RO v3 priv read V3READ-ALL
snmp-server group GROUP-RW v3 priv read V3READ-ALL write V3WRITE-ALL
snmp-server group ArpGuardUser v3 priv
snmp-server group ArpGuardGroup v3 priv write ArpGuardView
snmp-server group ArpGuardGroup v3 priv context vlan- match prefix write ArpGuardView
snmp-server view V3READ-ALL iso included
snmp-server view V3WRITE-ALL iso included
snmp-server view ArpGuardView iso included
snmp-server trap-source Loopback0
snmp-server source-interface informs Loopback0
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps stpx root-inconsistency loop-inconsistency
snmp-server host x version 3 priv ArpGuardUser
snmp-server host x version 3 priv ArpGuardUser
snmp-server host x version 3 priv ArpGuardUser
snmp-server host x MUC-IPL
snmp-server host x RTH-IPL
snmp ifmib ifindex persist
!
tacacs server SUS-ISE-01-LP
address ipv4 x
key 7 x
tacacs server SUS-ISE-02-LP
address ipv4 x
key 7 x
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3
radius-server deadtime 15
!
radius server SUS-ISE-02-LP
address ipv4 x auth-port x acct-port x
key 7 x
!
radius server SUS-ISE-01-LP
address ipv4 x auth-port x acct-port x
key 7 x
!
!
control-plane
!
line con 0
exec-timeout 0 0
login authentication CONSOLE
transport input none
stopbits 1
line vty 0 4
access-class SSH-MGMT in vrf-also
exec-timeout 30 0
authorization commands 15 VTY
authorization exec VTY
login authentication VTY
length 0
transport input ssh
!
ntp source Loopback0
ntp server x
!
!
!
!
event manager applet Neustart-5s-Pingverlust
event track 1 state down
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "interface Dialer1"
action 4.0 cli command "shutdown"
action 5.0 cli command "no shutdown"
action 6.0 cli command "exit"
!
end
Thanks,
Joy
03-09-2022 08:54 AM
Hello,
You have NAT (outside) configured on the cellular interface, but no NAT inside anywhere, and your NAT statement points to a non-existing access list (1). What are you trying to accomplish?
In any case, the cellular interface needs to be part of the same zone (zone-member security DMVPN). Do you get an IP address on the cellular interface at all?
03-09-2022 10:47 AM
Hello @Georg Pauwen. I had changed the NAT statement to:
ip nat inside source list SNMP-MGMT interface Cellular0/2/0 overload
but the cellular interface doesn't automatically come up or even get an IP address.
What I want to accomplish is that when I turn off the router and turn it back on, the Cellular0/2/0 interface should automatically come up. But as it is, with the current configs, the cellular interface only gets an IP address when I twitch the ip route (purely on a trial and error basis), and then the tunnels are in up/up state:
ip route vrf INTERNET 0.0.0.0 0.0.0.0 Cellular0/2/0
ip route 0.0.0.0 0.0.0.0 Cellular0/2/0
no ip route 0.0.0.0 0.0.0.0 Cellular0/2/0
I will try to put the interface in the same zone when I have access to the router in the morning.
03-09-2022 12:25 PM
Hello,
Before anything else, your cellular interface needs to get an IP address; that has to happen before anything else can. Possibly you need some sort of authentication, which means you will need to bind a dialer interface to the cellular interface. Can you check whether the cell provider requires any credentials?
03-10-2022 12:20 AM
Hi @Georg Pauwen. Do you mean that the cellular interface should have an IP address before starting the configuration? When the router has no configuration, the cellular interface gets an IP address and is in up/up state until I configure it with vrf forwarding INTERNET; then it loses its IP address, after which it doesn't get an IP address again. Here is the cellular interface before the config:
GigabitEthernet0/1/7 unassigned YES unset down down
Cellular0/2/0 10.163.77.124 YES IPCP up up
Cellular0/2/1 unassigned YES unset administratively down down
ATM0/3/0 unassigned YES unset administratively down down
Ethernet0/3/0 unassigned YES unset administratively down down
Vlan1 192.168.1.1 YES TFTP up down
Also, when I add the cellular interface into the same zone, it still doesn't come up.
Regards,
Joy
03-10-2022 12:41 AM
Hello,
I see. That explains it better...
You already have an IP SLA. Basically, you need something to generate traffic. Try to add the IP SLA below to your configuration:
ip sla 2
icmp-echo 8.8.8.8
vrf INTERNET
threshold 500
timeout 1000
frequency 4
!
ip sla schedule 2 life forever start-time now
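As an added example (not part of the thread or of anyone's posted config), this shows how the probe suggested above can be tied to a track object and an EEM applet on the LTE router, so that the interesting traffic is generated in the front-door VRF and a lost probe acts on the cellular interface rather than on Dialer1, which the posted LTE config references in its kron and EEM entries but never defines. The interface and VRF names come from the thread; the track number, applet name, timers and syslog text are assumptions.

```cisco
! Probe that generates "interesting" traffic inside the front-door VRF so the
! in-band dialer on Cellular0/2/0 has a reason to bring the link up and keep it up.
ip sla 2
 icmp-echo 8.8.8.8 source-interface Cellular0/2/0
  vrf INTERNET
  threshold 500
  timeout 1000
  frequency 4
ip sla schedule 2 life forever start-time now
!
! Assumed track object following the probe; the down delay avoids bouncing the
! cellular link on a single lost echo (the thread's own track 1 uses 5 seconds).
track 2 ip sla 2 reachability
 delay down 30 up 10
!
! Assumed EEM applet: acts on Cellular0/2/0 instead of Dialer1 and logs the
! event so the bounce is visible on the configured syslog hosts.
event manager applet CELL-RECOVER-ON-PROBE-LOSS
 event track 2 state down
 action 1.0 syslog msg "track 2 down: bouncing Cellular0/2/0"
 action 2.0 cli command "enable"
 action 3.0 cli command "configure terminal"
 action 4.0 cli command "interface Cellular0/2/0"
 action 5.0 cli command "shutdown"
 action 6.0 cli command "no shutdown"
 action 7.0 cli command "end"
```

Verify with "show ip sla statistics 2" and "show track 2" that the probe is actually succeeding through the VRF before relying on the applet, since a probe that can never succeed would bounce the interface every 30 seconds.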