DHCP pull to sub-interface instead of FE 0/0

commandlinekid
Level 1

I currently have a 2621 with ethernet plugged into FE0/0. It all works fine with FE 0/0 pulling a DHCP (fake address) and sub interfaces (for instance) fe 0/1.4 where I have a /28 assigned.
But I need to now Pull (from a new ISP because they won't route it to the WAN address) the first IP in my /28. But to make this work on my router, so I can keep all my sub-interfaces working (that then go to my Cisco switch).....I would need to pull dhcp "through" FE 0/0 to ..... FE 0/1.4. See I want 0/1.4 to still be the "first IP address on the /28 subnet" Even though.... I need to now "pull that first address."
Is this possible? Thanks.

Joe
commandlinekid
Level 1

I'll answer my own question. 
To recap: I have a real /28 assigned to my router through a bridged cable modem (no authentication) with a new cable provider. BUT they won't route the subnet to me. Instead they have the first IP of the subnet "hanging off their router" and not routing the /28 to me. So what I need to do is make my FE0/0 a bridge, then make my virtual interface FE0/1.4 (you can use FE0/1 or whatever if you're not using a VLAN switch) also into a bridge and let the devices hanging off THAT VLAN (or port or whatever you're doing)... see the FIRST IP in the subnet OVER AT the CABLE ISP....and NOT in my router. Meaning I am not "holding the /28 subnet" but I am making two ports on my 2621 router into bridges and forwarding those packets only. FYI: NAT works fine assigning one of my new /28 IPs (real IP) to a "BVI" interface I created below, and also my cryptomap assigned to that, but I haven't tested it yet. Overall...seems good I think.
1.) This works.

2.) Seems fine so far.

3.) I know it's "a bandaid" and not proper routing. It upsets me to have to do this but I'm thankful the solution exists.
Note: Before I had a "Dialer" interface that was attached to FE 0/0. Now, with this new setup and no need for authentication with the new ISP, essentially everything I had on Dialer is now on BVI32. That means now NAT outside, cryptomap, rate stuff, etc. Put it all on BVI32. SO if you don't have a Dialer but have a bunch of stuff on FE 0/0 (your most outward facing WAN port), you might want to put it on the new BVI32 you're going to create.
Here are the instructions:

https://www.akadia.com/services/bridged_cisco_router.html
TEXT BACKUP FOR POSTERITY:
IN CASE that link above goes away, here is the "final config" they show in the html itself, so you can get everything you need from it. Don't forget to turn on "bridge irb" if it doesn't set right away. Turn on no ip redirects, and bridge 32 route ip....but it's all in the text below. You just may need to do some of it manually if it barfs because you did something before the other thing...
Complete Configuration File

Here is the complete configuration file:

!
version 12.1
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname c2621
!
logging buffered 4096 debugging
no logging console
enable secret 5 $1$elmZ$4.EfdgcLJz7MNUffP4HHA0
enable password 7 045C05030632
!
ip subnet-zero
no ip finger
no ip domain-lookup
!
ip inspect max-incomplete high 1100
ip inspect max-incomplete low 900
ip inspect one-minute high 1100
ip inspect one-minute low 900
ip inspect name Ethernet_HSZ ftp timeout 3600
ip inspect name Ethernet_HSZ tcp timeout 3600
ip inspect name Ethernet_HSZ http java-list 51 timeout 3600
ip inspect name Ethernet_HSZ smtp timeout 3600
ip inspect name Ethernet_HSZ udp timeout 15
ip inspect name Ethernet_HSZ cuseeme timeout 3600
ip inspect name Ethernet_HSZ h323 timeout 3600
ip inspect name Ethernet_HSZ rcmd timeout 3600
ip inspect name Ethernet_HSZ realaudio timeout 3600
ip inspect name Ethernet_HSZ streamworks timeout 3600
ip inspect name Ethernet_HSZ vdolive timeout 3600
ip inspect name Ethernet_HSZ sqlnet timeout 3600
ip inspect name Ethernet_HSZ tftp timeout 30
ip inspect name Ethernet_BVI smtp timeout 3600
ip inspect name Ethernet_BVI tcp timeout 3600
ip inspect name Ethernet_BVI udp timeout 15
ip audit notify log
ip audit po max-events 100
bridge irb
!
interface FastEthernet0/0
 description DMZ
 no ip address
 duplex auto
 speed auto
 bridge-group 32
!
interface FastEthernet0/1
 description HSZ
 ip address 192.168.138.1 255.255.255.0
 ip access-group 102 in
 ip access-group 103 out
 ip nat inside
 ip inspect Ethernet_HSZ in
 duplex auto
 speed auto
!
interface Ethernet1/0
 description Internet
 no ip address
 bridge-group 32
!
interface BVI32
 ip address 194.246.125.195 255.255.255.240
 ip access-group 150 in
 no ip redirects
 ip nat outside
 ip inspect Ethernet_BVI in
!
ip nat inside source list 101 interface BVI32 overload
ip classless
ip route 0.0.0.0 0.0.0.0 194.246.125.193
no ip http server
!
logging trap debugging
logging facility user
logging 192.168.138.21
!
! Disabling NAT between HSZ and DMZ for some hosts
!
access-list 101 deny   tcp host 192.168.138.28 194.246.125.192 0.0.0.15
access-list 101 deny   tcp host 192.168.138.21 194.246.125.192 0.0.0.15
access-list 101 deny   tcp host 192.168.138.15 194.246.125.192 0.0.0.15
access-list 101 deny   udp host 192.168.138.28 194.246.125.192 0.0.0.15
access-list 101 deny   udp host 192.168.138.21 194.246.125.192 0.0.0.15
access-list 101 deny   udp host 192.168.138.15 194.246.125.192 0.0.0.15
access-list 101 permit ip 192.168.138.0 0.0.0.255 any
!
! Extended Access-Lists
!
access-list 102 permit ip 192.168.138.0 0.0.0.255 any
access-list 102 deny   ip any any log
access-list 103 permit tcp 194.246.125.192 0.0.0.15 host 192.168.138.28 eq domain
access-list 103 permit tcp 194.246.125.192 0.0.0.15 host 192.168.138.15 eq domain
access-list 103 permit udp 194.246.125.192 0.0.0.15 host 192.168.138.28 eq domain
access-list 103 permit udp 194.246.125.192 0.0.0.15 host 192.168.138.15 eq domain
access-list 103 permit tcp 194.246.125.192 0.0.0.15 host 192.168.138.28 eq smtp
access-list 103 permit tcp 194.246.125.192 0.0.0.15 host 192.168.138.15 eq smtp
access-list 103 permit tcp host 194.246.125.196 host 192.168.138.21 eq 22
access-list 103 permit tcp host 194.246.125.196 host 192.168.138.28 eq 143
access-list 103 permit tcp host 194.246.125.196 host 192.168.138.15 eq www
access-list 103 deny   icmp any any log
access-list 103 deny   ip any any log
access-list 150 permit udp any any eq domain
access-list 150 permit udp any eq domain any range 1000 65000
access-list 150 permit tcp any any eq domain
access-list 150 permit tcp any eq domain any range 1000 65000
access-list 150 permit tcp 194.246.125.192 0.0.0.15 eq www any
access-list 150 permit tcp 194.246.125.192 0.0.0.15 eq smtp any
access-list 150 permit tcp 194.246.125.192 0.0.0.15 range 1000 65000 any eq smtp
access-list 150 permit tcp any 194.246.125.192 0.0.0.15 eq smtp
access-list 150 permit udp 194.246.125.192 0.0.0.15 range 1000 65000 any eq ntp
access-list 150 permit udp any 194.246.125.192 0.0.0.15 eq ntp
access-list 150 permit tcp host 194.246.125.196 eq 22 any
access-list 150 permit tcp host 194.246.125.196 host 192.168.138.21 eq 22
access-list 150 permit tcp host 194.246.125.196 host 192.168.138.28 eq 143
access-list 150 permit tcp host 194.246.125.196 host 192.168.138.15 eq www
access-list 150 permit tcp host 194.246.125.196 eq 443 any
access-list 150 permit tcp host 194.246.125.196 eq 3970 any
access-list 150 permit tcp host 194.246.125.196 eq 7777 any
access-list 150 permit tcp host 194.246.125.196 eq 7778 any
access-list 150 deny   icmp any any log
access-list 150 deny   ip any any log
bridge 32 protocol ieee
bridge 32 route ip
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password 7 030F5A070D
 login
!
end
keywords: RCN, Spectrum, Time Warner, Arris, cable modem, ip address, bridge, subnet, routing
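The working layout the post ends up with depends on a handful of things being true at once: bridge irb enabled globally, bridge N route ip present for the group, the two physical members of the bridge group carrying no IP address, and the single BVI for that group carrying the public address plus an inbound access-list that ends in an explicit deny. Below is an added example (not code from this thread or from akadia.com) that parses an IOS-style config and checks exactly those properties, so a change to the config can be linted before it is pasted into the router. The sample config it runs over is a constructed excerpt modelled on the one above, and the check is written for any bridge-group number, not just 32.

```python
"""Lint an IOS-style IRB/BVI bridging config for the properties the post relies on.

Added example, not code from the forum post or from akadia.com. It checks:
  * 'bridge irb' and 'bridge N route ip' are present for every bridge group in use
  * every interface placed in bridge-group N carries no IP address
  * interface BVI<N> exists, has an IP address and an inbound access-group
  * each access-list applied inbound on a BVI ends with an explicit 'deny ip any any'
"""
import re
from collections import defaultdict

# Constructed excerpt, modelled on (not copied verbatim from) the thread's config.
SAMPLE_CONFIG = """\
!
bridge irb
!
interface FastEthernet0/0
 description DMZ
 no ip address
 bridge-group 32
!
interface Ethernet1/0
 description Internet
 no ip address
 bridge-group 32
!
interface BVI32
 ip address 194.246.125.195 255.255.255.240
 ip access-group 150 in
 no ip redirects
 ip nat outside
!
access-list 150 permit udp any any eq domain
access-list 150 deny   icmp any any log
access-list 150 deny   ip any any log
bridge 32 protocol ieee
bridge 32 route ip
!
end
"""


def parse_config(text):
    """Split an IOS config into global lines and a dict of interface -> sub-lines."""
    interfaces = {}
    global_lines = []
    current = None
    for raw in text.splitlines():
        if raw.startswith("!") or not raw.strip():
            current = None          # a bang or blank line ends the current block
            continue
        if raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
            continue
        current = None
        line = raw.strip()
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        else:
            global_lines.append(line)
    return global_lines, interfaces


def lint_irb(text):
    """Return a list of findings; an empty list means the bridging layout is consistent."""
    findings = []
    global_lines, interfaces = parse_config(text)
    if "bridge irb" not in global_lines:
        findings.append("global: 'bridge irb' missing, BVI interfaces will not route")

    # Collect bridge-group members and make sure none of them also holds an IP.
    members = defaultdict(list)
    for name, lines in interfaces.items():
        for line in lines:
            m = re.match(r"bridge-group (\d+)$", line)
            if m:
                members[m.group(1)].append(name)
                if any(x.startswith("ip address ") for x in lines):
                    findings.append(f"{name}: bridge-group member must not carry an IP address")

    # Index access-list entries by number, preserving order.
    acls = defaultdict(list)
    for line in global_lines:
        m = re.match(r"access-list (\d+) (.*)", line)
        if m:
            acls[m.group(1)].append(m.group(2))

    for group in members:
        if f"bridge {group} route ip" not in global_lines:
            findings.append(f"bridge {group}: 'bridge {group} route ip' missing")
        bvi = interfaces.get(f"BVI{group}")
        if bvi is None:
            findings.append(f"bridge {group}: no interface BVI{group} defined")
            continue
        if not any(x.startswith("ip address ") for x in bvi):
            findings.append(f"BVI{group}: no ip address configured")
        inbound = [m.group(1) for m in (re.match(r"ip access-group (\S+) in$", x) for x in bvi) if m]
        if not inbound:
            findings.append(f"BVI{group}: no inbound access-group on the WAN-facing BVI")
        for acl in inbound:
            entries = acls.get(acl, [])
            if not entries:
                findings.append(f"BVI{group}: access-list {acl} referenced but not defined")
            elif not re.match(r"deny\s+ip any any", entries[-1]):
                findings.append(f"access-list {acl}: does not end with an explicit 'deny ip any any'")
    return findings


if __name__ == "__main__":
    for finding in lint_irb(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against a copy of your own running-config (show running-config output pasted into a file) and fix anything it reports before cutting over; the two commands the post says people forget, bridge irb and bridge 32 route ip, are the first two checks.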

Hello

That was quite a confusing query - can you elaborate a bit more please?

res

Paul


I think I found the answer and posted it in line.

If I'm wrong though please let me know. Thanks.