Cisco 877W comms problem

athol
Level 1

Hi, I have been struggling with a configuration problem for some time, and I am sure that I am missing something simple, but at the moment it is beyond me. The issue is this. I have been given a Cisco 877W ADSL wireless router to use at home. I have the ADSL stuff working and I have the wireless half working. The position of the router is that it is sitting between the internet and a Linux firewall/webserver, and an L2 managed switch (Intel 460), a 24-port switch which has 2 VLANs on it, one the default and the other running dot1q back to F2 on the router. What I am attempting to do is have my son's friends connect via the wireless interface and have the data travel back through the VLAN to the firewall, where I am running SNMP and traffic shaping. From the inside of the network I can ping everything; this includes the wireless-attached laptops. My problem is that using the laptop connected to the wireless interface I can ping itself, the DHCP gateway and the IP of the dialer0 interface, but I am not able to ping anything else. dot1q is enabled and the VLAN is linked back to the dotradio 0.2 sub-interface. I am currently using trunking on the router, although I have also tried bridging the interface as well. I can ping directly from the router through to the switch, and I have also unplugged the cable upon which vlan2 travels. This action causes ping to fail, so I believe that the VLAN is OK; however, I have not had any success at all up to this point. Can anyone out there help me please?

Thank you

Athol Reid

27 Replies

Hello Athol,

have a look at this configuration (changed somewhat from the previous one). Basically, what I did was bridge the wireless DOT interface to a BVI, and also add the command ´switchport mode trunk´ to the FastEthernet interface on the router that your switch is connected to.

(You might want to make a backup of the current configuration first before putting this one in...)

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

hostname ADSLW-ROUTER

boot-start-marker

boot-end-marker

logging buffered 52000 debugging

!

no aaa new-model

!

--> bridge irb

!

resource policy

!

clock timezone PCTime 12

ip subnet-zero

no ip source-route

ip cef

no ip dhcp use vrf connected

ip dhcp excluded-address 10.10.10.1 10.10.10.49

ip dhcp excluded-address 10.10.10.100 10.10.10.254

!

ip dhcp pool wireless-1

import all

network 10.10.10.0 255.255.255.0

domain-name reid.co.nz

dns-server 203.109.252.42 203.109.252.42

default-router 10.10.10.1

!

!

no ip bootp server

no ip domain lookup

ip domain name reid.co.nz

ip name-server 203.109.252.43

ip name-server 203.109.252.42

ip ssh time-out 60

ip ssh authentication-retries 2

ip ddns update method sdm_ddns1

DDNS both

no spanning-tree vlan 1

no spanning-tree vlan 2

!

--> This is the interface where your switch is connected to

-->interface FastEthernet3

--> switchport mode trunk

-->no ip address

!

interface ATM0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

no atm ilmi-keepalive

dsl operating-mode auto

!

interface ATM0.2 point-to-point

pvc 0/100

encapsulation aal5mux ppp dialer

dialer pool-member 1

interface FastEthernet2

switchport mode trunk

!

interface Dot11Radio0

no ip address

ssid ADSLW-1

vlan 2

authentication open

guest-mode

!

-->interface Dot11Radio0.2

-->encapsulation dot1Q 2

-->bridge-group 2

-->bridge-group 2 subscriber-loop-control

-->bridge-group 2 spanning-disabled

-->bridge-group 2 block-unknown-source

-->no bridge-group 2 source-learning

-->no bridge-group 2 unicast-flooding

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_OUTSIDE$

ip address 192.168.100.254 255.255.255.0

ip verify unicast reverse-path

ip nat inside

ip virtual-reassembly

!

interface Vlan2

description $FW_INSIDE$

ip address 172.16.11.14 255.255.255.0

ip nat inside

ip virtual-reassembly

fair-queue 2 256 0

!

interface Dialer0

ip ddns update sdm_ddns1

ip address negotiated

ip nat outside

ip virtual-reassembly

encapsulation ppp

dialer pool 1

dialer-group 1

no cdp enable

ppp authentication chap pap callin

ppp chap hostname USERID

ppp chap password 7 PASSWORD

ppp pap sent-username USERID password

!

interface BVI2

-->ip address 10.10.10.1 255.255.255.0

-->ip policy route-map dotradio0.2

!

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer0

!

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 5 life 86400 requests 10000

ip nat inside source list 1 interface Dialer0 overload

!

access-list 1 permit 10.10.10.0 0.0.0.255

access-list 2 remark SDM_ACL Category=2

access-list 2 remark From Vlan1 to outside

access-list 2 permit any

dialer-list 1 protocol ip permit

snmp-server community public RO

no cdp run

route-map dotradio0.2 permit 10

match ip address 1

set ip next-hop 172.16.100.4

!

-->bridge 2 route ip

!

control-plane

!

end

Let me know if this somehow works better...

Regards,

GP
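
Added example, not part of the original thread or of either poster's configuration: a Python check over an excerpt of the configuration above that reports whether each policy route-map `set ip next-hop` address falls inside a subnet configured on one of the router's interfaces. IOS expects that next hop to be an adjacent (directly connected) router; the function names are hypothetical and the excerpt keeps only the lines the check reads.

```python
import ipaddress
import re

# Excerpt of the configuration posted in this thread (only the lines the check reads).
SAMPLE_CONFIG = """\
interface Vlan1
 ip address 192.168.100.254 255.255.255.0
interface Vlan2
 ip address 172.16.11.14 255.255.255.0
interface Dialer0
 ip address negotiated
interface BVI2
 ip address 10.10.10.1 255.255.255.0
 ip policy route-map dotradio0.2
route-map dotradio0.2 permit 10
 match ip address 1
 set ip next-hop 172.16.100.4
"""

def connected_networks(config):
    """Map interface name -> IPv4 network, from static 'ip address A M' lines."""
    nets, iface = {}, None
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"interface (\S+)", line):
            iface = m.group(1)
        elif line.startswith("route-map "):
            iface = None  # left interface context
        elif iface and (m := re.match(r"ip address ([\d.]+) ([\d.]+)$", line)):
            nets[iface] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
    return nets

def check_next_hops(config):
    """Return (route_map, next_hop, interface or None) per 'set ip next-hop' line."""
    nets = connected_networks(config)
    results, rmap = [], None
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"route-map (\S+)", line):
            rmap = m.group(1)
        elif rmap and (m := re.match(r"set ip next-hop ([\d.]+)", line)):
            hop = ipaddress.ip_address(m.group(1))
            via = next((i for i, n in nets.items() if hop in n), None)
            results.append((rmap, str(hop), via))
    return results

if __name__ == "__main__":
    for rmap, hop, via in check_next_hops(SAMPLE_CONFIG):
        print(f"{rmap}: next-hop {hop} ->", via or "NOT in any connected subnet")
```

Run against the excerpt, the check reports that 172.16.100.4 lies outside 192.168.100.0/24, 172.16.11.0/24 and 10.10.10.0/24.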

Hi Georg

Thanks for the conf. I include the new one below:

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

hostname ADSLW-ROUTER

boot-start-marker

boot-end-marker

logging buffered 52000 debugging

no aaa new-model

resource policy

clock timezone PCTime 12

ip subnet-zero

no ip source-route

ip cef

no ip dhcp use vrf connected

ip dhcp excluded-address 10.10.10.1 10.10.10.49

ip dhcp excluded-address 10.10.10.100 10.10.10.254

!

ip dhcp pool wireless-1

import all

network 10.10.10.0 255.255.255.0

domain-name reid.co.nz

dns-server 203.109.252.42 203.109.252.42

default-router 10.10.10.1

!

no ip bootp server

no ip domain lookup

ip domain name reid.co.nz

ip name-server 203.109.252.43

ip name-server 203.109.252.42

ip ssh time-out 60

ip ssh authentication-retries 2

ip ddns update method sdm_ddns1

DDNS both

!

no spanning-tree vlan 1

no spanning-tree vlan 2

!

bridge irb

!

interface ATM0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

no atm ilmi-keepalive

dsl operating-mode auto

!

interface ATM0.2 point-to-point

pvc 0/100

encapsulation aal5mux ppp dialer

dialer pool-member 1

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

switchport mode trunk

!

interface FastEthernet3

!

interface Dot11Radio0

no ip address

ssid ADSLW-1

vlan 2

authentication open

guest-mode

!

world-mode dot11d country NZ both

speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0

channel 2462

station-role root

!

interface Dot11Radio0.2

encapsulation dot1Q 2

no snmp trap link-status

no cdp enable

bridge-group 2

bridge-group 2 subscriber-loop-control

bridge-group 2 spanning-disabled

bridge-group 2 block-unknown-source

no bridge-group 2 source-learning

no bridge-group 2 unicast-flooding

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_OUTSIDE$

ip address 192.168.100.254 255.255.255.0

ip verify unicast reverse-path

ip nat inside

ip virtual-reassembly

!

interface Vlan2

description $FW_INSIDE$

ip address 172.16.11.14 255.255.255.0

ip nat inside

ip virtual-reassembly

fair-queue 2 256 0

!

interface Dialer0

ip ddns update sdm_ddns1

ip address negotiated

ip nat outside

ip virtual-reassembly

encapsulation ppp

dialer pool 1

dialer-group 1

no cdp enable

ppp authentication chap pap callin

!

interface BVI2

ip address 10.10.10.1 255.255.255.0

ip nat inside

ip virtual-reassembly

ip policy route-map dotradio0.2

!

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer0

!

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 5 life 86400 requests 10000

ip nat inside source list 1 interface Dialer0 overload

ip nat inside source list 101 interface Dialer0 overload

ip nat inside source static tcp 192.168.100.252 222 interface Dialer0 222

ip nat inside source static tcp 192.168.100.252 4899 interface Dialer0 4899

ip nat inside source static tcp 192.168.100.252 443 interface Dialer0 443

!

access-list 1 remark From Wireless to dialer 0

access-list 1 remark SDM_ACL Category=18

access-list 1 permit 10.10.10.0 0.0.0.255

access-list 101 remark From vlan 1 to outside

access-list 101 remark SDM_ACL Category=2

access-list 101 permit ip 192.168.100.0 0.0.0.255 any

dialer-list 1 protocol ip permit

snmp-server community public RO

no cdp run

route-map dotradio0.2 permit 10

match ip address 1

set ip next-hop 172.16.100.4

!

control-plane

!

bridge 2 route ip

OK, what happened was that once the conf was in there was no comms between 10.10.10.1 and anything, and no translation on the dialer 0. Once this was done I am back to where I was prior to any changes. Can't think of anything else at this point.

Kind Regards

Athol Reid

Hello Athol,

not good...

I´ll check again, and let you know.

Regards,

GP

Hello Athol,

did you actually have the ´switchport mode trunk´ command configured on your FastEthernet 2 interface already, that is, before I sent you the last configuration ? I am thinking that you might need to add ´switchport trunk encapsulation dot1q´, since you are connecting to a non-Cisco switch, and since the default trunking mode on Cisco is ISL (which is Cisco-proprietary)...

Regards,

GP

Hi Georg

Yes, you are right, I shall reload and advise.

Kind Regards

Athol Reid

Hi Georg

Ok I removed all trunking commands and started again. Still no joy.

Kind Regards

Athol Reid

Hello Athol,

sorry for the misunderstanding, what I meant to say was: make sure that the trunking is configured:

interface FastEthernet2

switchport trunk encapsulation dot1

switchport mode trunk

Regards,

GP

Hi Georg

Sorry, it was the way I worded my reply to you. Your instructions were fine. I removed then reinserted the commands to make sure I started at the beginning again. I note that the command is "switchport trunk encapsulation dot1" rather than "dot1q"; can you confirm this is correct please? In the meantime I shall input the commands given. I have now done this, and when I run the "sh run int fast 2" command all I get back is:

interface FastEthernet2

switchport mode trunk

There is no indication that encapsulation has been accepted. Do you know if this is correct?

At the moment I can ping the 10.10.10.0 network, translation is working on the dialer 0 interface and I can ping the 192.168.100.254 interface.

I am wondering, is there any way to tell if encapsulation is actually working?

For info only: I have been given a Cisco Catalyst 500 Express switch to use for fault finding, but I do not want to introduce any new problems at this point, so I shall not be using this unless you indicate that it will be OK.

Kind Regards

Athol Reid

Hello Athol,

ok...

Can you put the configuration back to what it was when you had connectivity except for the VLAN 2 clients, then add one of the VLAN 2 clients directly to one of the FastEthernet ports on your router (and put that port in VLAN 2 with the ´switchport access vlan 2´ command) ? Does that client then have connectivity ?

Regards,

GP

Hi Georg

I changed the config back and, after testing connectivity, I then got my wife's PC (I'm in trouble), changed the IP address to 172.16.11.25, put it directly off FastEthernet 3, and put in the command "switchport access vlan 2" under interface FastEthernet 3.

I am sorry to report that it has not worked. I have included the relevant parts of the conf below:

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

switchport mode trunk

!

interface FastEthernet3

switchport access vlan 2

!

interface Dot11Radio0

no ip address

!

ssid ADSLW-1

vlan 2

authentication open

guest-mode

!

world-mode dot11d country NZ both

speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0

channel 2462

station-role root

!

interface Dot11Radio0.2

encapsulation dot1Q 2

ip address 10.10.10.1 255.255.255.0

ip nat inside

ip virtual-reassembly

ip policy route-map dotradio0.2

no snmp trap link-status

no cdp enable

bridge-group 2

bridge-group 2 subscriber-loop-control

bridge-group 2 spanning-disabled

bridge-group 2 block-unknown-source

no bridge-group 2 source-learning

no bridge-group 2 unicast-flooding

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_OUTSIDE$

ip address 192.168.100.254 255.255.255.0

ip verify unicast reverse-path

ip nat inside

ip virtual-reassembly

!

interface Vlan2

description $FW_INSIDE$

ip address 172.16.11.14 255.255.255.0

ip nat inside

ip virtual-reassembly

fair-queue 2 256 0

bridge-group 2

bridge-group 2 spanning-disabled

Kind Regards

Athol Reid

Hello Athol,

can you try and take the bridge-group commands off interface Vlan 2 ?

interface Vlan2

description $FW_INSIDE$

ip address 172.16.11.14 255.255.255.0

ip nat inside

ip virtual-reassembly

fair-queue 2 256 0

-->no bridge-group 2

-->no bridge-group 2 spanning-disabled

Basically, what I am trying to do is isolate the problem to one piece of equipment, which in your case I think might be the switch. If we can prove that a PC connected directly to the router on Vlan 2 works, the only piece of equipment that is left is the switch...

Regards,

GP

Hi Georg

I removed all reference to bridging, put FastEthernet 3 into vlan 2 and connected a workstation directly to the FastEthernet 3 port, and was able to ping that computer from the 10.10.10.0 network.

Kind Regards

Athol

Hello Athol,

I have a feeling we are getting stuck...

Can you contact me offline? If you have Skype, my ID is 'solutionfindershelpdesk'; if you have MSN, my ID is 'helpdesk@solutionfinders.nl'. Otherwise, my email address is helpdesk@soltuionfinders.nl...

Regards,

GP