interface-based bridging on 891 ISR?

obi

I'd put this on the getting started board, but it's too weird:

I'm deploying to a site that will have a single ISP-assigned address. This connection will be used by users on the LAN for standard internet access, and by two dedicated multicast sources. ISP has provided two mcast group addrs and a pimv2 RP address.

With nat-outside turned off on the WAN interface, the router appears as a pim neighbor on the upstream router, but regular internet connections don't work through the switch ports.

Turn nat-outside on, connectivity is restored, but the pim relationship is broken (neighbor disappears upstream).

I've got a cheap SOHO gateway that could easily handle NAT for the LAN connections. Would it be possible to assign an interface to only that device, and somehow bypass the need for NAT in the router?

thanks



John Blakley

I don't think putting another device in the mix should be necessary. Is the rp a public address? Can you post your nat config?

HTH,
John

*** Please rate all useful posts ***


Thanks for the fast reply! RP is hosted at the ISP. A little backstory: the only reason for the Cisco is that nothing else I could find in the price range supported pim. Otherwise it would have just been the little netgear gw.

Here's the relevant-looking chunk from the config:

interface FastEthernet8
 description ILIGHT
 ip address xx.xx.201.100 255.255.255.0
 ip pim sparse-mode
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Vlan1
 description INTERNAL NETWORK
 ip address 10.10.10.1 255.255.255.0
 ip pim sparse-mode
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Async1
 no ip address
 encapsulation slip
!
ip forward-protocol nd
!
ip pim rp-address 199.8.216.31
ip pim send-rp-announce FastEthernet8 scope 16
ip pim send-rp-discovery scope 16
ip mroute 0.0.0.0 0.0.0.0 xx.xx.201.97
ip msdp peer xx.xx.201.97
ip msdp cache-sa-state
ip nat inside source route-map MAP_ACL interface FastEthernet8 overload
ip route 0.0.0.0 0.0.0.0 xx.xx.201.97
!
ip access-list extended NAT_ACL
 permit ip 10.10.10.0 0.0.0.255 any
 deny   ip any any
!
access-list 23 permit 10.10.10.0 0.0.0.7
no cdp run
!
route-map MAP_ACL permit 10
!

Message was edited by: OBRIAN CHILDS (to mask IPs)

I labbed this up and I don't lose peering when enabling nat. Can you post the rest of your route-map being used for natting? I'm assuming that the only thing there is that you're matching on the NAT_ACL. Have you tried updating the ios on the router?

HTH,
John

*** Please rate all useful posts ***


Thanks again for chasing this, John!

Version is 12.4(22r)YB3. Also, the setup (I'm not native to cisco or routing) is a mashup of first getting pim out, then finding out there would only be one LAN address and scrambling to get commodity access up. I'm hoping I've missed something obvious.

Here's what I paste after doing a factory reset:

en
conf t
!------------------------GLOBAL
ip multicast-routing
ip pim rp-address 199.8.216.31
ip route 0.0.0.0 0.0.0.0 199.8.201.97     ! <<---------------- UNIQUE
ip mroute 0.0.0.0 0.0.0.0 199.8.201.97    ! <<---------------- UNIQUE
hostname ITHOR
ip name-server 8.8.8.8
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!------------------------WAN
interface f8
 ip address 199.8.201.100 255.255.255.0   ! <<---------------- UNIQUE
 description ILIGHT
 ip nat outside
 ip pim sparse-mode
 ip multicast-routing
!------------------------LAN
interface vlan1
 description INTERNAL NETWORK
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip pim sparse-mode
 no shutdown
!------------------------OTHER
ip access-list exten NAT_ACL
 permit ip 10.10.10.0 0.0.0.255 any
 deny ip any any
route-map MAP_ACL
ip nat inside source route-map MAP_ACL interface fa8 overload
interface range f0-7
 no shutdown
no banner exec
no banner login
end
wr

No problem! Can you post the running config in its entirety? Remove passwords, logins, and addressing information...

HTH,
John

*** Please rate all useful posts ***


In all its glory. Currently: yes to inet access, no to showing as a pim neighbor upstream.

ITHOR#sh running-conf
Building configuration...

Current configuration : 4248 bytes
! Last configuration change at 18:21:44 UTC Thu Aug 29 2013 by cisco
! NVRAM config last updated at 18:06:03 UTC Thu Aug 29 2013 by cisco
! NVRAM config last updated at 18:06:03 UTC Thu Aug 29 2013 by cisco
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ITHOR
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-63307560
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-63307560
 revocation-check none
 rsakeypair TP-self-signed-63307560
!
crypto pki certificate chain TP-self-signed-63307560
 certificate self-signed 01
  30820227 30820190 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  2F312D30 2B060355 04031324 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 36333330 37353630 301E170D 31333038 32393138 30333139
  5A170D32 30303130 31303030 3030305A 302F312D 302B0603 55040313 24494F53
  2D53656C 662D5369 676E6564 2D436572 74696669 63617465 2D363333 30373536
  3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100CCE8
  B4A6FF6D B2229931 519302F9 4A401302 D264F085 D864B35F 794DADB7 B158A1A4
  39E14911 0B972824 662C1C2E DE19EC25 B6EAB0F0 517FDCCB 773F0CF3 DB0F19D5
  7372A257 45CD3265 2840D01E 98503611 D581B824 8261AF85 8FADF6CA 7785B71D
  81F64295 76AFF090 C53890CD 6B8E33C6 E45BAFE3 DE9D38C9 C0F61AD3 BBE30203
  010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603 551D2304
  18301680 14885E66 10B89547 1E13804C E8127BA4 0FC97F83 3C301D06 03551D0E
  04160414 885E6610 B895471E 13804CE8 127BA40F C97F833C 300D0609 2A864886
  F70D0101 05050003 8181005B 3C38EF12 963A4BC9 AC9C93FE 8B2A8AF5 4627CBE0
  BCC0A071 FA0ED92E E5010F15 B212FD9D F720622D 9D41CEF5 86962DCE 5E772083
  A4AF1F7B FE03873A 46C750B1 8E899D1D 1263787B 320F7416 9DA8EAB6 F73C7A7F
  C5D29E94 BD24813F 8EEB6779 497061AC 8F54F28B C8465C35 F353360A 4F63926E
  26FCB8C2 F90EFC4B 289523
        quit
!
ip source-route
!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool ccp-pool
 import all
 network 10.10.10.0 255.255.255.248
 default-router 10.10.10.1
 lease 0 2
!
ip cef
no ip domain lookup
ip domain name yourdomain.com
ip name-server 8.8.8.8
ip multicast-routing
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid CISCO891-K9 sn FTX163886MG
!
username XX privilege 15 secret 4 XX
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 no ip address
!
interface FastEthernet5
 no ip address
!
interface FastEthernet6
 no ip address
!
interface FastEthernet7
 no ip address
!
interface FastEthernet8
 description ILIGHT
 ip address xx.xx.201.100 255.255.255.0
 ip pim sparse-mode
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Vlan1
 description INTERNAL NETWORK
 ip address 10.10.10.1 255.255.255.0
 ip pim sparse-mode
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Async1
 no ip address
 encapsulation slip
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip pim rp-address xx.xx.216.31
ip mroute 0.0.0.0 0.0.0.0 xx.xx.201.97
ip nat inside source route-map MAP_ACL interface FastEthernet8 overload
ip route 0.0.0.0 0.0.0.0 xx.xx.201.97
!
ip access-list extended NAT_ACL
 permit ip 10.10.10.0 0.0.0.255 any
 deny   ip any any
!
access-list 23 permit 10.10.10.0 0.0.0.7
no cdp run
!
route-map MAP_ACL permit 10
!
control-plane
!
mgcp profile default
!
line con 0
 login local
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
end

ITHOR#

Okay, this is where I'm confused, and it may be the cause of the issue. You have a route map matching everything, so here's what I want you to try; it may fix the issue:

ip access-list extended NAT_ACL
 permit ip 10.10.10.0 0.0.0.255 any
 deny   ip any any
!
route-map MAP_ACL permit 10
 match ip address NAT_ACL
!

See if that fixes the issue. You have an ACL to tie the internal subnets for NATting, but you don't have it applied to your route map. The router defaults to NATting everything because the route-map is permitting everything that's coming through it.

HTH,
John

*** Please rate all useful posts ***

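The accepted fix binds an ACL that was defined but never referenced: in IOS a route-map sequence with no match clause matches every packet, so the NAT policy translated all inside-to-outside traffic regardless of NAT_ACL. Below is an added example, not code posted in this thread or shipped by Cisco: a small Python lint that parses the handful of IOS statements used here, flags a permit sequence with no match clause and an ACL that no route-map references, and evaluates whether a given inside-to-outside flow would be translated under the broken and the corrected policy. The two sample configs are constructed from the poster's own lines; the 192.0.2.7 source is a made-up address chosen to fall outside NAT_ACL.

```python
"""Lint an IOS NAT policy for a route-map that silently matches everything.
Added example, not from this thread or Cisco. Only the statements on the page are
modelled: named extended ACLs, 'route-map', 'match ip address', 'ip nat inside source'.
"""
import ipaddress
import re

# Constructed sample: the poster's policy before the accepted fix. NAT_ACL is
# defined, but sequence 10 of MAP_ACL has no match clause, so it is never consulted.
BROKEN_CONFIG = """\
ip nat inside source route-map MAP_ACL interface FastEthernet8 overload
!
ip access-list extended NAT_ACL
 permit ip 10.10.10.0 0.0.0.255 any
 deny   ip any any
!
route-map MAP_ACL permit 10
!
"""

# The same policy with the match clause from the accepted answer.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "route-map MAP_ACL permit 10\n",
    "route-map MAP_ACL permit 10\n match ip address NAT_ACL\n")


def _network(tokens):
    """Consume one ACL address term ('any', 'host A.B.C.D' or 'A.B.C.D wildcard')."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    wc = int(ipaddress.IPv4Address(tokens[1]))
    if wc & (wc + 1):  # wildcard must be a contiguous run of low-order one bits
        raise ValueError("non-contiguous wildcard not modelled: " + tokens[1])
    return ipaddress.ip_network(f"{tokens[0]}/{32 - wc.bit_length()}", strict=False), tokens[2:]


def parse(config):
    """Return (acls, route_maps, nat_route_map_name) from IOS-style config text."""
    acls, route_maps, nat_rm, block = {}, {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            block = None  # '!' separates sections of an IOS config
            continue
        if m := re.match(r"ip access-list extended (\S+)$", line):
            block = ("acl", m.group(1))
            acls.setdefault(m.group(1), [])
        elif m := re.match(r"route-map (\S+)(?: (permit|deny) (\d+))?$", line):
            # a bare 'route-map NAME' defaults to 'permit 10' in IOS
            name, action, seq = m.group(1), m.group(2) or "permit", int(m.group(3) or 10)
            block = ("rm", name, seq)
            route_maps.setdefault(name, {})[seq] = {"action": action, "match": []}
        elif m := re.match(r"ip nat inside source route-map (\S+)", line):
            nat_rm = m.group(1)
        elif block and block[0] == "acl" and line.split()[0] in ("permit", "deny"):
            action, _proto, *rest = line.split()  # protocol not evaluated; only 'ip' appears here
            src, rest = _network(rest)
            dst, _ = _network(rest)
            acls[block[1]].append((action, src, dst))
        elif block and block[0] == "rm":
            if m := re.match(r"match ip address (\S+)", line):
                route_maps[block[1]][block[2]]["match"].append(m.group(1))
    return acls, route_maps, nat_rm


def _acl_permits(aces, src, dst):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, s, d in aces:
        if src in s and dst in d:
            return action == "permit"
    return False


def nat_applies(config, src, dst):
    """Would an inside-to-outside packet from src to dst be translated?"""
    acls, route_maps, nat_rm = parse(config)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _seq, entry in sorted(route_maps.get(nat_rm, {}).items()):
        if entry["match"]:
            hit = any(_acl_permits(acls.get(n, []), src, dst) for n in entry["match"])
        else:
            hit = True  # no match clause: the sequence matches every packet
        if hit:
            return entry["action"] == "permit"
    return False  # implicit deny at the end of the route-map


def audit(config):
    """Findings a config reviewer would raise about the NAT route-map binding."""
    acls, route_maps, _nat_rm = parse(config)
    referenced, findings = set(), []
    for name, entries in route_maps.items():
        for seq, entry in entries.items():
            referenced.update(entry["match"])
            if entry["action"] == "permit" and not entry["match"]:
                findings.append(f"route-map {name} seq {seq}: permit with no match clause matches all traffic")
            findings += [f"route-map {name} seq {seq}: undefined ACL {a}" for a in entry["match"] if a not in acls]
    findings += [f"ACL {name} is defined but no route-map matches on it" for name in acls if name not in referenced]
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit(cfg) or "no findings")
        for s in ("10.10.10.20", "192.0.2.7"):
            print(f"  {s} -> 8.8.8.8 translated: {nat_applies(cfg, s, '8.8.8.8')}")
```

Run against the broken policy the lint reports both the match-all sequence and the orphaned ACL, and the 192.0.2.7 flow is translated; against the fixed policy there are no findings and only the 10.10.10.0/24 source is translated. The same "ACL defined but never bound" pattern is worth grepping for in any IOS config review, since an unbound ACL looks like a control but enforces nothing.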

THAT DID IT!

Thank you so much. This thing's been kicking my ass for a week.

(and double thanks for the description of what was happening)

Never a problem...glad to help

HTH,
John

*** Please rate all useful posts ***
