Cisco 3825 Router and NME-16ES-1G-P - WAN connection

bruce
Level 1

I am having a problem similar to that discussed in this post: https://supportforums.cisco.com/discussion/12145641/cisco-3825-router-and-nme-16es-1g-p

Here is what I wanted to do:

Have the two native gig ports, plus the one that is on the NME-16ES-1G-P, act as connections to 3 ports of our internal infrastructure, i.e. one to the wireless AP, one to switch in office part one, one to switch in office part 2.

Then, I thought I could use one of the Fa ports on the card to function as the WAN connection.  Per the article above, it seems it's a LOT more complicated than I thought, as it seems I couldn't have the same LAN pool of IPs spread across all 3 ports.

My original main problem was that while I've configured "normal" routers before, I've never before dealt with one that had a separate cpu and routing engine in the card.  I don't understand how to address those ports from the router's os.

If anyone could provide some clarity for me that would be great.  CAN I do what I want to?  If so, how?

Thanks in advance!


Hello,

the GigabitEthernet port on the ES module is used for the (layer 3) connection between the router and the switch module.

Can you draw up what you want your physical setup to look like?

Have a look at the document below for reference:

https://www.cisco.com/c/en/us/support/docs/interfaces-modules/network-modules/82288-es-mod-config.html

Here's the diagram you asked for.  And yes, I gathered as much about the gig link to the switch module.  What I didn't understand is how to manage the traffic through there.  And is it possible to have a DHCP server hand out internal IPs across all the ports, 100 and 1000, that are not the WAN port?

Hello,

since you want to have the same address space across all three interfaces, the only way I can think of is using a bridge group. The thing I am not sure about is if you can have the GigabitEthernet port on the ES module as part of a bridge group on the router...

Either way, the config should look something like below. 

Router Module

bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
interface GigabitEthernet0/0
description Link to Wireless AP
bridge-group 1
!
interface GigabitEthernet0/1
description Link to Switch 1
bridge-group 1
!
interface GigabitEthernet1/0
description Internal Link to Switch Module
ip address 192.168.30.1 255.255.255.252
!
interface BVI 1
ip address 10.10.10.1 255.255.255.0
!
interface vlan 10
bridge-group 1
!

Switch Module

interface gigabitethernet 1/0/1
description Link to Switch 2
switchport access vlan 10
!
interface gigabitethernet 1/0/2
description Internal Link to Router
no switchport
ip address 192.168.30.2 255.255.255.252

Hello,

have you tried the BVI? At the very least, you can bridge both the GigabitEthernet 0/0 and 0/1 interfaces. DHCP works fine with a BVI (that means you can specify the IP address of the BVI as the default router in your DHCP pool).

If you connect the switches (switch 1 and 2) to both ports, make sure the connecting ports on the switch are not trunk ports, but access ports.

So the configuration would look like this:

ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool VLAN10
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
lease 30
!
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
interface GigabitEthernet0/0
description Link to Switch 1
bridge-group 1
!
interface GigabitEthernet0/1
description Link to Switch 2
bridge-group 1
!
interface GigabitEthernet1/0
description Internal Link to Switch Module
ip address 192.168.30.1 255.255.255.252
!
interface BVI 1
ip address 10.10.10.1 255.255.255.0

Switch 1

interface GigabitEthernet0/0
description Uplink to Router Module
switchport mode access
switchport access vlan 10

Switch 2

interface GigabitEthernet0/0
description Uplink to Router Module
switchport mode access
switchport access vlan 10

Sam Smiley
Level 3

The NME-16ES-1G-P is essentially the same thing as the 3825 + a stand alone 3750. Given this scenario it would be best for you to connect your 3 LAN ports to the NME-16ES-1G-P, create VLANs within the NME-16ES-1G-P as needed.

When you insert the NME-16ES-1G-P into the router you will notice that it adds a third gigabit interface, GigabitEthernet1/0. For all practical purposes this is a virtual interface that connects the router to the NME-16ES-1G-P. You will also notice in the NME-16ES-1G-P that it too has a second gigabit interface, GigabitEthernet1/0/2. This is again a virtual interface that is designed to connect to the router virtual interface.

This configuration is no different than having the 3825 with a stand alone 3750 connected by an Ethernet cable. The configuration is the same. Given this you can create the VLANs you need to separate your AP, Switch 1 & Switch 2 as needed. If you haven't worked with the Cisco modules before it can be an odd thing to work with. I have attached the manual for the NME-16ES-1G-P, this should give you some more insight.

Regards,
Sam

Hi Sam,

The thing is, it's not an ESW, it's an ES card, which means it actually has a physical 1gig port on it in addition to the 16 T100 ports.

The 3825 only has 2 native ports, which are gig.  So you can see maybe why I'm a bit confused as to how to make it all work together.  In addition to the card ports being managed separately.

This sounds more like an ESW card than it does the ES, the ESW did come with a gigabit Ethernet port in some models. If it is an ES card a show run should show the interfaces like Georg posted:

interface GigabitEthernet0/0 <-- physical interface
description Link to Wireless AP
bridge-group 1
!
interface GigabitEthernet0/1 <-- physical interface
description Link to Switch 1
bridge-group 1
!
interface GigabitEthernet1/0 <-- virtual interface
description Internal Link to Switch Module
ip address 192.168.30.1 255.255.255.252

You will not see the 16 fast Ethernet interfaces in the config of the 3825, since it is an ES card, you will only see the two physical interfaces and GigabitEthernet1/0. If you have an ESW you would be all set, you can turn the ESW ports into routed ports. Please share the show ver & show run from your 3825.

Regards,
Sam

Here it is, in all its glory.  I've edited out some of the long stretches of "!" for brevity's sake.

Router1>show ver
Cisco IOS Software, 3800 Software (C3825-SPSERVICESK9-M), Version 12.4(18a), RELEASE SOFTWARE (fc3)
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Mon 24-Mar-08 20:32 by prod_rel_team
ROM: System Bootstrap, Version 12.4(13r)T10, RELEASE SOFTWARE (fc1)
AzzimovRouter1 uptime is 5 days, 17 hours, 56 minutes
System returned to ROM by power-on
System image file is "flash:c3825-spservicesk9-mz.124-18a.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
If you require further assistance please contact us by sending email to
Cisco 3825 (revision 1.2) with 221184K/40960K bytes of memory.
Processor board ID FHK1234F1L0
3 Gigabit Ethernet interfaces
1 terminal line
DRAM configuration is 64 bits wide with parity enabled.
479K bytes of NVRAM.
62720K bytes of ATA System CompactFlash (Read/Write)
Configuration register is 0x2142
Router1>
------------------------
Router1#show run
Building configuration...
Current configuration : 1611 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
enable secret ##
enable password ##
!
no aaa new-model
no ip routing
no ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.1.1
ip dhcp excluded-address 10.0.1.1 10.0.1.2
!
ip dhcp pool DHCP
   network 10.0.1.0 255.255.255.0
   default-router 10.0.1.1
   dns-server 8.8.4.4
!
!
no ip domain lookup
voice-card 0
 no dspfarm
!
!
!
interface GigabitEthernet0/0
 description LAN
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
 no ip route-cache
 duplex auto
 speed auto
 media-type rj45
 no mop enabled
!
interface GigabitEthernet0/1
 description WAN
 ip address IP
 ip nat outside
 no ip route-cache
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet1/0
 ip address 10.0.1.2 255.255.255.0
 no ip route-cache
!
ip default-gateway 208.85.113.169
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source list LAN-Addresses interface GigabitEthernet0/1 overload
!
ip access-list standard LAN-Addresses
 permit 10.0.0.0 0.255.255.255
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line 66
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
 password ###
 login
!
scheduler allocate 20000 1000
!
end

OK that does help a lot. You do have three gigabit Ethernet interfaces in the router; gi0/0, gi0/1 & gi1/0. I believe that you are of the perception that gi1/0 is the gigabit interface on the network module...it is not. Interface gi0/0 and gi1/0 cannot be on the same network. The three interfaces in the router are routed ports, the simple meaning of this is that each must be a member of separate networks. The gigabit Ethernet interface on the ES is managed through the console of the ES module. To get to this console you issue the following command.

service-module gigabitEthernet 1/0 session

This will get you into the ES module where you can issue standard IOS commands. Once in the ES module you will notice GigabitEthernet 1/0/1, this is the gigabit connection on the ES module. GigabitEthernet 1/0/2 must be in the same LAN as GigabitEthernet1/0 in the 3825. If you issue a show cdp neighbor command you will see a similar output to this indicating that gi0/1 on the router is connected to gi1/0/2 on the switch:

Router1#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID   Local Intrfce   Holdtme   Capability   Platform      Port ID
Lab-2811    Gi 1/0          157       R            NME-16ES-1G   Gi 1/0/2

To make what you want work you will need a minimum of 4 networks:

Network one: 3825 gi0/0 (WAN)
Network two: 3825 gi0/1 (WAN)
Network three: 3825 gi1/0 & NM-ES gi1/0/1
Network four: VLAN assigned to all 16 FastEthernet ports on the NM-ES. (LAN)

Once you create these networks you can attach up to 16 devices to the NM-ES, you can segment the network further if you need to through VLANs.

The ES module is not designed for what you want to do outside of the original recommendation I made of connecting the two switches and AP to the ES module, creating VLANs and routing through the ES module. You cannot look at the 3825 and NM-ES as one device, they are in fact two devices on the network even though they may be in one chassis.

I have attached configs of a 2821 with a NM-16ES in hopes that you will better understand the relationship of the NM with the router. It simply has to be treated as two devices.

Regards,
Sam

Thanks for posting the config. I would point out two things that I notice (which are not directly related to your original question but are things that you should address).

- the config register is set to 0x2142. The result is that when the router reboots it will NOT use the startup config and you will be starting from scratch. The normal value for the config register for this router would be 0x2102.

- you have configured no ip routing. This is typically done when you want to use bridge groups on the router. The use of IRB as suggested by Georg is a better way to get bridge groups working. With no ip routing it will be quite challenging to have an effective WAN connection.

Perhaps if you post the output of show inventory it would give us a better insight into what we are working with.

HTH

Rick

While I was making my response Sam posted his response which gives a good explanation of the hardware situation and makes my suggestion of show inventory not needed. I agree that his suggestion of connecting the AP and the switches on the ES card makes a lot of sense.

My comments about config register and ip routing still stand.

HTH

Rick

First Rick:  Yes, I had to put it into that mode to do password recovery.  It's a second-hand unit.  Now that I've set my own passwords and saved the config, I should be able to run the same command that set it this way, but with the number you supplied, and all will be ok, yes?  

IP Routing is the same thing.  There was stuff left over from previous owner etc.  I hadn't started on that because I was uncertain of how to set up the rest of it yet.

Sam:  So at the base of this, the simple answer is that the two native ports cannot be used to hand out LAN IPs because they are essentially ONLY WAN ports (routable).  I've googled, but am still not sure, is there any sort of card I can add to this thing to give me GIG LAN ports that can be connected to switches and APs? At this point I don't think the ES card is useful at all, as far as I can tell.

Knowing that it was previously owned equipment does help explain the config register and the ip routing. 0x2142 is typically the result of doing password recovery. There is a simple command in global config mode to set the correct value of 0x2102 (a frequent issue is that sometimes people forget the 0x part of the value and just set it to 2102).

I do not want to be overly picky about terminology, but we need to be careful when we talk about "LAN ports" on the router. The native Ethernet ports can certainly hand out LAN IPs. Or can hand out WAN IPs.  There is not anything on the router native Ethernet that is essentially LAN or WAN. They can do either depending on how you configure them. The important thing is that both of the native Ethernet interfaces are routed ports by default and one of the things that means is that you can not have IP addresses in the same subnet on the interfaces.

HTH

Rick
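
Added example, not part of Rick's posts and not Cisco tooling: a small Python check for the two points he raises in his replies above (config register 0x2142 versus 0x2102, and `no ip routing` on a router that is expected to do NAT toward the WAN). The function names and the trimmed sample strings are constructed for illustration; the bit meanings are the standard IOS configuration-register layout.

```python
import re

# Standard IOS configuration-register bits relevant to 0x2142 vs 0x2102.
FLAGS = {
    0x0040: "ignore startup-config in NVRAM at boot",
    0x0100: "Break key disabled after boot",
    0x2000: "boot ROM software if network boot fails",
}
CONFREG = re.compile(r"Configuration register is (0x[0-9A-Fa-f]+)"
                     r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?")

def decode_confreg(value):
    """Return (boot_field, [descriptions of the flag bits that are set])."""
    return value & 0x000F, [text for bit, text in FLAGS.items() if value & bit]

def audit(show_version, running_config):
    """Flag the two issues raised in the thread (hypothetical helper)."""
    findings = []
    m = CONFREG.search(show_version)
    if m:
        next_boot = m.group(2) or m.group(1)  # pending value wins if present
        if int(next_boot, 16) & 0x0040:
            findings.append(f"{next_boot}: startup-config ignored on next reload")
    lines = [line.strip() for line in running_config.splitlines()]
    if "no ip routing" in lines and any(l.startswith("ip nat ") for l in lines):
        findings.append("no ip routing is set although NAT is configured")
    return findings

# Constructed samples, trimmed from the output posted earlier in the thread.
SHOW_VER = "479K bytes of NVRAM.\nConfiguration register is 0x2142\n"
SHOW_RUN = """no ip routing
interface GigabitEthernet0/0
 ip nat inside
interface GigabitEthernet0/1
 ip nat outside
"""

if __name__ == "__main__":
    for reg in (0x2142, 0x2102):
        print(hex(reg), decode_confreg(reg))
    for finding in audit(SHOW_VER, SHOW_RUN):
        print("FINDING:", finding)
```

The only difference between the two register values is bit 6 (0x0040), which is why a router left at 0x2142 after password recovery comes up without its saved passwords and access controls on the next reload.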

Richard answered the question about the WAN/LAN ports, as any physical port on the router can be used for either. The ES won't do what you want, however the ESW may very well do it. With the ESW all of the interfaces can be used as switchports or routed ports through the IOS of the router. It doesn't act as two devices with the ESW. The only thing I do not know for sure is whether you can use the Gigabit port on the ESW the same as you can the FastEthernet ports. My ESW does not have the gigabit port. This should satisfy your need for a single gigabit port, any more than that I would suggest adding a gigabit switch to the mix.

There are few options for gigabit ports on the ISRG1 devices, I've attached the big book of modules that will work with these routers.

Regards,
Sam
