
Routing on Cisco 2921

Waqas Butt
Level 1

ISP Provided a Managed Services Router 800 Series configured with Static Public IP and two IP DHCP Pool for our Fixed & Wireless LAN (10.10.10.0/32 - LAN & 10.10.11.0/32 - Wi-fi).

I have Cisco 2921/k9 to put behind this Managed Services Router 800 Series and all LAN Clients should route from 2921.

Any suggestions on the configuration? I don't have any access to the Managed Services Router (blocked by ISP).

Internet<<<<<<(Cisco 800 - ISP Managed Services Router )  << - >>  (Cisco 2921) <<< - >>> LAN Users

Accepted Solution

Hello

! One DHCP pool serving both VLANs; the secondary subnet gets its own gateway
ip dhcp pool LAN-WIFI
 network 10.10.10.0 /24
 network 10.10.11.0 /24 secondary
  override default-router 10.10.11.254
 default-router 10.10.10.254
 dns-server 8.8.8.8 8.8.4.4
 lease 0 12

! Keep the gateway addresses out of the pool
ip dhcp excluded-address 10.10.10.254
ip dhcp excluded-address 10.10.11.254

! CBAC: inspect sessions leaving the WAN so their return traffic is allowed back in
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC icmp

! Drop everything initiated from the WAN side
ip access-list extended inbound-wan-traffic
 deny ip any any

! WAN interface; y/y, x.x.x.x and y.y.y.y are placeholders for the public WAN interface, IP and mask
int y/y
 ip address x.x.x.x y.y.y.y
 no shut
 ip nat enable
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 ip access-group inbound-wan-traffic in
 ip inspect CBAC out

! LAN interface (x/x is a placeholder); the subinterfaces below carry the VLANs
int x/x
 no shut
 ip nat enable

int x/x.10
 description LAN-Users
 encapsulation dot1Q 10
 ip address 10.10.10.254 255.255.255.0
 no shut
 ip nat enable

int x/x.11
 description WLAN-Users
 encapsulation dot1Q 11
 ip address 10.10.11.254 255.255.255.0
 no shut
 ip nat enable

! Default route; x.x.x.x is the public WAN next hop
ip route 0.0.0.0 0.0.0.0 x.x.x.x

! Wildcard 0.0.1.255 covers both 10.10.10.0/24 and 10.10.11.0/24
access-list 10 permit 10.10.10.0 0.0.1.255
! y/y is the WAN interface
ip nat source list 10 interface y/y overload

res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
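
Added example (not part of the thread or of any poster's configuration): a Python check of which subnets a standard ACL entry with a given wildcard mask actually matches, useful before using that ACL as a NAT source list. The subnets come from the thread, except 10.10.12.0/24, which is a constructed control; the function names and the wildcard values compared are assumptions chosen for illustration.

```python
import ipaddress

def wildcard_matches(acl_addr, wildcard, host):
    """IOS wildcard logic: wildcard bits set to 1 are ignored,
    bits set to 0 must equal the corresponding bits of the ACL address."""
    a = int(ipaddress.IPv4Address(acl_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    h = int(ipaddress.IPv4Address(host))
    care = ~w & 0xFFFFFFFF          # bits that must match
    return (a & care) == (h & care)

def coverage(acl_addr, wildcard, subnet):
    """Return (matched, total) usable host addresses of subnet hit by the entry."""
    hosts = list(ipaddress.ip_network(subnet).hosts())
    matched = sum(wildcard_matches(acl_addr, wildcard, str(h)) for h in hosts)
    return matched, len(hosts)

def audit(acl_addr, wildcard, subnets):
    """Classify each subnet as 'full', 'partial' or 'none' for one ACL entry."""
    result = {}
    for s in subnets:
        matched, total = coverage(acl_addr, wildcard, s)
        if matched == total:
            result[s] = "full"
        elif matched == 0:
            result[s] = "none"
        else:
            result[s] = "partial"
    return result

# Subnets mentioned in the thread, plus one constructed control (10.10.12.0/24)
SUBNETS = ["10.10.10.0/24", "10.10.11.0/24", "10.10.100.0/24", "10.10.12.0/24"]

if __name__ == "__main__":
    # Constructed wildcard candidates for "access-list 10 permit 10.10.10.0 <wildcard>"
    for wc in ("0.0.0.255", "0.0.1.255", "0.0.254.255"):
        print(wc, audit("10.10.10.0", wc, SUBNETS))
```

A non-contiguous wildcard such as 0.0.254.255 matches every subnet with an even third octet and misses 10.10.11.0/24, so it both under- and over-permits compared with 0.0.1.255.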


Leo Laohoo
Hall of Fame

What is the exact model of 800 router and what is your WAN speed? 

 

Why can't you remove the 800 and use the more-powerful 2921 instead?

ISP Managed Services Router is Cisco 887 VA (ADSL) and WAN speed is 20 Mbps.

We cannot remove this Managed Services Router, however 2921 is newly purchased with CME and we like to configure this 2921 as DHCP for LAN Users and Internet services.

 

WAN speed is 20 Mbps.

887 and 20 Mbps speed?  Is this Upload & Download 20 Mbps?  Because I think your ISP has just "double crossed" you.

880 is rated at 25.6 Mbps.  The value of 25.6 Mbps is expressed in single-directional data traffic: either upload OR download.  Cisco 1941 can do 40 Mbps in both directions and with encryption.  880 can only do about 15 Mbps upload and 15 Mbps download and without encryption.

Leo, the download is 20 Mbps and 1 Mbps upload... the problem that needs to be fixed here is to configure the 2921 as gateway to my LAN... as the ISP blocked the configuration and I can only obtain an IP dynamically from the 800 in the 10.10.10.0/32 subnet.


I will implement this on 2921 and let you know guys..

Thanks for the help!

Hi guys,

A little help required, as I am already through with this issue...

I have successfully configured my own 2921 to work with the ISP router with IP NAT; Internet is working for all my LAN users. Configuration of the 2921 attached.

After connecting the VPN from outside to the managed services router, I am able to reach my 2921 (10.10.10.100) using telnet, but unable to access the internal LAN interface, which is (10.10.100.1), onwards...

ISP Managed Router (10.10.10.1)  >>>>>>>>>> (10.10.10.100) MY Router (2921) (10.10.100.1)>>>>>>>>>>DHCP Users (10.10.100.21 to 100)

Please give suggestions and advise if I need to do some more settings on the 2921.

Or what configuration should I ask the ISP to include in their managed services router? They already include the below in the access list.

access-list 10 permit 10.10.100.0 0.0.0.255

Regards,

Waqas

 

Reza Sharifi
Hall of Fame

You need a default route on the 2921 to point to the next-hop (the ip address of the 800 router). This way all traffic coming from your internal vlans use the default route to get out to Internet. You also need one interface on the 2921 that connects to your internal switch.  Since you have multiple vlans (voice and data) you need to trunk that interface to the switch with sub-interfaces and also trunk the switch side.

Question, you said

ISP Provided a Managed Services Router 800 Series configured with Static Public IP

but you are showing private IPs (10.10.10.0/32 - LAN & 10.10.11.0/32 - Wi-fi)

So did the provider give public IPs or you are using private?

What is the IP address of the interface that connects to the 800 router?

Can you provide "sh run" from your 2921 router?

HTH

 

He has one public address the way I read it.

The provider has given him two private scopes (for which he has the subnet incorrect!)

Martin