Cisco – How to Configure Cisco 877 ADSL

adslciscorouting

I'm a unix systems engineer and my network background is not so strong; I need a help to do the last touch-up to a cisco 877.

I've substituted our adsl router (a simple home router provided by the provider) with this cisco and I've a couple of question.

I done the conf after a long walking on google, and the connectivity from office to internet works fine.

Now I need to use the publics IP: we have some public IP (a /29 net) and with the old router these IPs were forwarded directly to the internal firewall for the management (routing, natting, ecc. ecc.).

The internal firewall mounts on its interfaces these IPs, so I need to forward the traffic from internet, through the router, directly there.

The second question is: what is the BVI interface?

On the router I've 4 eth interfaces, but hte internat IP is configured on the BVI interface. Why? What is it?
Can I use it like a VLAN, attaching/detaching interfaces?

Can I create a VLAN, to use on a different net some of these interfaces?

Here the conf:

xelerc001#sh run
Building configuration...

Current configuration : 3533 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xelerc001
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxx
enable password 7 xxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
!
dot11 syslog
ip source-route
!
!
!
!
ip cef
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username admin privilege 15 secret 5 ddddddddddddddddddddddddddd
! 
!
!
archive
 log config
  hidekeys
!
!
!
bridge irb
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode adsl2+ 
!
interface ATM0.1 point-to-point
 pvc 8/35 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface Dialer0
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap chap callin
 ppp chap hostname xxxuserxxx
 ppp chap password 7 XXX00PASSWORD00XX
 ppp pap sent-username xxxuserxxx password 7 XXX00PASSWORD00XX
!
interface BVI1
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source list 1 interface Dialer0 overload
!
access-list 1 permit 192.168.0.0 0.0.0.255
!
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 password 7 XXpasswordXX
 login
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end

xelerc001#

Thanks to all in advance,
Regards

Best Answer

1) Have you asked your ISP to route the /29 public net to the dialer0 address that is assigned to your router via PPP\IPCP(Internet Protocol Control Protocol)?

Once that is done then route the /29 via a static route towards your firewall it's best to have an interconnect between your internet router and firewall which has public addressing. (I've answered this based on the details you've provided so hopefully I'm not off target with my answer here)

2) BVI is 'bridged virtual interface' it is the IRB(Integrated Routing and Bridging) functionality provided by IOS to allow a VLAN to span a router when you have disconnected VLAN domains or have some special requirement to bridge vlans\routed interfaces together in your network. Have a read of >> http://www.cisco.com/c/en/us/support/docs/lan-switching/integrated-routing-bridging-irb/17054-741-10.html

3) You need an 'Advanced IP services' IOS image on the 877 series to be able to create multiple vlans and associated SVIs. Otherwise the base IOS image only allows one routed SVI which by default is Vlan 1. This is the vlan all switchports belong to by default when in L2 switchport mode.

HTH.

Related Solutions

Cisco – PPPoA ADSL Configuration with external modem on Cisco 891

Technically, you're doing PPPoEoA.

The VC Mux part will have to be set on the modem, as that's the only thing that has access to the ATM layer. If you had a dsl interface in the router, you'd do:

blue-gw#show run int atm0.1
Building configuration...

Current configuration : 131 bytes
!
interface ATM0.1 point-to-point
 bandwidth 6000
 pvc dsl 8/35 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
end

Other devices will vary.

Cisco ASA Routing Issue

Best practice wise - should I let the router or the ASA handle NAT (Overloading)?

In the most general of design best practices NAT is performed between an inside and outside network. NAT overloading is generally performed at the edge when there is limited public IP address space. You can learn more about NAT overloading, also known as Port Address Translation or PAT, in RFC 2663 (PAT is referred to as Network Address Port Translation (NAPT) in section 4.1.2).

In this particular scenario you can argue that you have two inside and outside networks and will need to perform some form of NAT on both the ASA (whether that is the NAT overloading you're using now, NAT exemption, static NAT, etc) and the Cisco Router.

I can ping the 172.16.2.2 interface but not 172.16.2.1 from a pc connected to one of the layer 2 switches (proves intervlan routing is working -- i have a 172.20.100.8 address on the PC). Why can't I ping 172.16.2.1 from a PC but I can from the Layer 3 Switch?

The ASA 172.16.2.2 is receiving the ICMP echo-request but does not have a route back to 172.20.100.0/27. The echo-reply is actually being forwarded to the Router 172.16.1.1 via the default route.

And most of all -- Why can't I get out to the Internet from the Layer 3 switch?

Currently your ASA and Cisco Router do not have routes to internal devices other than their connected routes.

Your ASA configuration:

route outside 0.0.0.0 0.0.0.0 172.16.1.1 1

This will provide a default route via the outside interface, but how will the ASA know how to reach subnets residing behind the Layer 3 Distribution Switch?

You'll need to add routes to the internal subnets via the inside interface using the Layer 3 Distribution Switch as the next-hop IP address.

ASA static routing example:

route inside 172.19.12.0 255.255.255.240 172.16.2.2
route inside 172.19.3.0 255.255.255.0 172.16.2.2
route inside 172.20.100.0 255.255.255.224 172.16.2.2

Your Cisco Router's configuration:

ip route 0.0.0.0 0.0.0.0 200.200.200.200

Additionally, how will your border router know how to reach subnets other than it's connected routes, and the catch all default route via the outside interface's next-hop address 200.200.200.200?

Router static routing example:

ip route 172.19.12.0 255.255.255.240 172.16.1.10
ip route 172.19.3.0 255.255.255.0 172.16.1.10
ip route 172.19.100.0 255.255.255.224 172.16.1.10
ip route 172.16.2.0 255.255.255.224 172.16.1.10