wxmanmichael
Premium
join:2014-05-15
Minneapolis, MN
Reviews:
·VISI.com

[Config] Configuration 867VAE-K9 PPPoA CenturyLink

Another tale of woe! I live in suburban Minneapolis and I've had CenturyLink (Qwest, NW Bell) DSL since it was put in (1995?). I've had DSL "Modems" and routers up to this point but when the last one crashed (and after a series of dismal retail experiences) I bought a Cisco 867VAE-K9. I'm familiar with the various protocols and technologies but IOS is organized poorly on Cisco's site, so there doesn't appear to be a standard reference for IOS M vs. 15.2 T.

So, I need someone's assistance. I am a meteorologist and operate a consulting business from home. Behind the ATU-R and the router are two subnets: one a standard private one (192.168.x.x) and a block of public ones (208.42.x.x) leased from Visi, a local ISP. The CenturyLink service is PPPoA and consists of 5 numbers plus the gateway number towards the ISP.

I've done my searching through duckduckgo and on this site but I'm still missing a few unknown pieces. I also have an edge machine behind the ATU-R/router running iptables with SNAT and DNAT and DNSmasq. Does anyone have further suggestions or a configuration that I could modify?

My current router configuration:

Building configuration...

Current configuration : 4137 bytes
!
! Last configuration change at 16:59:51 GMT Thu May 15 2014 by wxmanmichael
version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service sequence-numbers
!
hostname mrciscorouter
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
wan mode dsl
clock timezone GMT 0 0
!
!
!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool ccp-pool
import all
network 10.10.10.0 255.255.255.248
default-router 10.10.10.1
lease 0 2
!
!
!
no ip domain lookup
ip domain name induswx.com
ip cef
no ipv6 cef
!
!
!
!
crypto pki trustpoint TP-self-signed-3714588134
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3714588134
revocation-check none
rsakeypair TP-self-signed-3714588134
!
!
crypto pki certificate chain TP-self-signed-3714588134
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33373134 35383831 3334301E 170D3134 30343233 32303135
31345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 37313435
38383133 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B6FF 844E434A 9D17AB81 6E5AA344 F19377A4 2D78153E 6FC434CF 54BC1AB6
AFC046D8 24457124 A207D864 742D421C 95F56A0B B4633701 C557F789 4CE883EE
4ED41425 BD6C0F07 72538F0D 7144C9BB 44CE2E36 8F8C7FBD 453F72F3 65837C54
A3A7D29D C735B433 21EFEF81 F60121DC CEB37FFA 9BC259A0 51773464 15B44243
3CFF0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 148DC983 BB650D8C 011388F0 E96AA909 B0E87576 31301D06
03551D0E 04160414 8DC983BB 650D8C01 1388F0E9 6AA909B0 E8757631 300D0609
2A864886 F70D0101 05050003 818100AC AA223B61 00C4C6A3 4365EE2A 768BB8CB
08B7552F 9EA90281 492B2D4A 235A822E 92F491D8 49327DB7 6830E721 6AC684A7
89793941 03A7B6BB B172183D 4B8B75EC 3F97955D 1EE1C836 55848699 4A3C8A17
BC8467CA D9F2D88D B051433F 7404C6C1 8A2B629E DA23901C B8201312 672C1990
C3479C97 36106868 3D075B5D B4746D
quit
!
!
username wxmanmichael privilege 15 secret 5 $1$tarA$ctEAOCCA8.JG1itr/EE0S/
!
!
controller VDSL 0
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
no ip address
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 0/32
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface ATM0.1 point-to-point
ip address 208.42.38.45 255.255.255.248
!
interface Ethernet0
no ip address
shutdown
!
interface FastEthernet0
switchport access vlan 2
no ip address
!
interface FastEthernet1
switchport access vlan 3
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface GigabitEthernet0
no ip address
!
interface GigabitEthernet1
no ip address
shutdown
duplex auto
speed auto
!
interface Vlan1
description $ETH_LAN$
ip address 10.10.10.1 255.255.255.248
ip tcp adjust-mss 1452
!
interface Dialer1
description ADSL dialer to Visi
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer-group 2
ppp authentication pap callin
ppp pap sent-username Rgt3rx3 password 0 t083xu8q
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
no cdp enable
!
ip forward-protocol nd
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list standard mikesmessfilter
permit any
!
access-list 23 permit 10.10.10.0 0.0.0.7
mac-address-table aging-time 16
no cdp run
!
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 60000 1000
!
end

Thanks very much.

Michael Allen

aryoba
Premium,MVM
join:2002-08-22
kudos:4
Certain things I noticed

* Why do you put your block of IP under the ATM point-to-point interface? From your configuration, it seems that you need this block to be the NAT/PAT-ed IP address
* I only see partial NAT/PAT configuration. Is there a reason why?
* Your configuration seems to use PPP Dialer Group 2 but none is found
* Some TCP MSS adjustment seems to be needed
* You don't need the default route statement since your ppp ipcp route default takes care of it
* You may need to pass down the DNS info to local machines through the LAN DHCP process
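As an added illustration of the items in the list above (not configuration from the thread, from aryoba, or from Cisco, and not tested against this particular router), the IOS 15.2 fragments below show what completing each item would look like. Addresses are the ones already in the posted config; the access-list name NAT-INSIDE is hypothetical. Item 3 shows both directions the thread discusses: completing NAT on the 867, or removing the half-configured NAT so that the edge Linux box keeps doing SNAT/DNAT and the router only routes.

```cisco
! Added example, not from the thread. Fragments addressing each point in
! aryoba's list; NAT-INSIDE is a hypothetical name.
!
! 1. The public /29 sits on ATM0.1, but the PPPoA PVC lives on ATM0 and
!    feeds Dialer1, which negotiates its own address. An addressed
!    subinterface with no PVC carries nothing; if the /29 is meant for
!    the LAN side or as a NAT pool, it does not belong here.
interface ATM0.1 point-to-point
 no ip address
!
! 2. Dialer1 references dialer-group 2, but no dialer-list 2 exists, so
!    the dialer has no "interesting traffic" definition.
dialer-list 2 protocol ip permit
!
! 3a. If the router is to NAT/PAT at all, "ip nat outside" on Dialer1
!     alone does nothing: it also needs an inside interface and a rule.
!     192.168.0.0/16 is the private range mentioned in the thread.
ip access-list standard NAT-INSIDE
 permit 192.168.0.0 0.0.255.255
interface Vlan1
 ip nat inside
ip nat inside source list NAT-INSIDE interface Dialer1 overload
!
! 3b. ...or, if the edge machine keeps doing SNAT/DNAT and the 867 only
!     routes, remove the partial NAT instead of completing it.
interface Dialer1
 no ip nat outside
!
! 4. MSS clamping on the LAN-facing SVI keeps TCP segments within the
!    PPP-reduced MTU (1492) so large packets are not fragmented or
!    blackholed; 1452 is the value the posted config already uses.
interface Vlan1
 ip tcp adjust-mss 1452
!
! 5. The static default route duplicates "ppp ipcp route default", which
!    already installs a default route toward the negotiated peer.
no ip route 0.0.0.0 0.0.0.0 Dialer1
!
! 6. Pass the IPCP-learned DNS servers down to LAN clients: "ppp ipcp dns
!    request accept" on the dialer learns them, and "import all" in the
!    DHCP pool hands them to DHCP clients. Both lines exist in the posted
!    config; they are repeated here only to make the dependency explicit.
interface Dialer1
 ppp ipcp dns request accept
ip dhcp pool ccp-pool
 import all
!
! 7. Not in the list, but visible in the posted config and worth fixing
!    before posting a config anywhere: the PAP password is stored in
!    cleartext ("password 0 ..." with "no service password-encryption")
!    and the vty lines accept telnet. Obfuscate stored passwords and
!    allow SSH only.
service password-encryption
line vty 0 4
 transport input ssh
```

Note that `service password-encryption` only applies type-7 obfuscation, which is trivially reversible; the PAP credential shown in the original post should be treated as disclosed and changed with the ISP regardless.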

wxmanmichael
Premium
join:2014-05-15
Minneapolis, MN
Reviews:
·VISI.com
Thanks aryoba. The most brief answer is "Because my inexperience with Cisco IOS leaves me lost." For example, in answer to your first question re: NAT IP addresses, using the router to perform NAT seems to be a duplication of effort since I have already configured SNAT/DNAT on the edge machine. I don't understand why NAT IP addresses are necessary on the router in addition to the iptables SNAT/DNAT.

But that's an assumption on my part. Does the router pass packets through it if I choose NAT any? If I begin to configure a NAT list it appears to add a layer of complication.

Your last suggestion is probably well-taken, too. The local networks (here) only use DNS organization. The function of dnsmasq is to route those static local IP addresses. The PPPoA results in a block of assigned 5 IP addresses, which are static (as I understand it).

If I stubbed my foot on my own ignorance, is there a general reference I can consult for clarification? Using duckduckgo or Google seems to turn up little I can use.

Thanks for your help so far.

Michael

wxmanmichael
Premium
join:2014-05-15
Minneapolis, MN
Oops. That's "if I choose NAT only," not "NAT any." My mistake.

wxmanmichael
Premium
join:2014-05-15
Minneapolis, MN
Oops again. The "NAT any" was a reference to part of the IOS command appearing to pass all packets. My mistake again.

wxmanmichael
Premium
join:2014-05-15
Minneapolis, MN
Reviews:
·VISI.com
To follow up after aryoba's e-mail, I cleared the old configuration (with the assumption that some of the parameters I entered would intrude in my configuration) and I will research aryoba's comments by searching here as well as through duckduckgo. If there is some hidden benefactor with a PPPoA CenturyLink configuration that could be modified, I would appreciate it.

Thanks for the help so far.

wxmanmichael
Premium
join:2014-05-15
Minneapolis, MN
Reviews:
·VISI.com
After reading aryoba's initial comment and question, another question comes to mind. The ATU-R/router has at least 8 interfaces, possibly more. Because the ATU-R uses an RJ-11 POTS port, I wonder which interface refers to that RJ-11.

If that is the ATM0 interface, and the service is PPPoA PAP, then is that the interface labeled with the "gateway" IP address from the ISP?

Sorry, but I could really use a reference that is better organized. If Cisco has one or there's a book out there, please let me know.

HELLFIRE
Premium
join:2009-11-25
kudos:19
reply to wxmanmichael
First off, welcome to the forum, and welcome to Cisco, so...

said by wxmanmichael:

so there doesn't appear to be a standard reference for IOS M vs. 15.2 T.

I find Cisco's site pretty well organized, it's just knowing what you're after. Are you looking for details
between M and T code, or are you looking for the command reference? If the latter, try here

said by wxmanmichael:

So, I need someone's assistance.

said by wxmanmichael:

Does anyone have further suggestions or a configuration that I could modify?

...so begs the question, "what are you trying to do with the 867, exactly?" Based on the supplied config,
it's set up for an internal DHCP server for the 10.10.10.x network and DG 10.10.10.1. There's an outside
interface that's requesting a public IP via PPPoA, but as aryoba notes, you've got an incomplete
NAT configuration, and another 208.42.x.x address configured as well.

I'll repeat again... "what are you trying to do with the 867, exactly?" Do you want it to route / NAT,
or do you just need it to be a xDSL modem, while your SNAT / DNAT device does the NAT / firewall duties?

There's the forum FAQ here you can peruse for configs to crib. There's also this useful xDSL config guide
from Cisco; not sure if that's what you're after.

My 00000010bits

Regards

aryoba
Premium,MVM
join:2002-08-22
kudos:4
reply to wxmanmichael
From your description, it sounds like you have an edge machine configured as an SNAT/DNAT box, which sits between the 867 router and your local machines (i.e. PC, servers, printers). You may post your network diagram to clarify.

In regard to NAT, I assume you want to keep the edge machine as the SNAT/DNAT box while the 867 router will just route (no NAT/PAT on the router). Am I correct so far?

wxmanmichael
Premium
join:2014-05-15
Minneapolis, MN
Reviews:
·VISI.com
reply to HELLFIRE
Thanks for the reply. No, DHCP is not on the horizon, nor anywhere else. The private network side configures a cluster computer with a number of Linux (Scientific Linux) boxes as well as servers and associated hardware related to the weather forecasting activity.

The public side of the network maintains a WiFi router, several laptops, cell phones, and another server.

So, what I need to do is to furnish xDSL to the public and the private sides of the network, simply put.

In the meantime I'll check out the references you've given me.

By the way, I like the Cisco equipment very much; in fact, I don't know why it's taken me this long to buy some of it. But the site would be better served if it offered a tree-like approach. The 12.2, 12.3, 15.x have references scattered across the various equipment offerings, and although the various devices offer data sheets and very good instructions for initial installation, what is daunting about the site(s) is finding references helping to pull equipment and software into coherent wholes. On the other hand, the days of paper manuals are long gone, so I'm more than happy to use the flexibility and power that is part of Cisco boxes and software. Thanks again and hopefully I've provided enough info to give you a few handles.

wxmanmichael
Premium
join:2014-05-15
Minneapolis, MN
Reviews:
·VISI.com
reply to HELLFIRE
I just started to pick through the text, hellfire, and found some useful hints in the text. The reference to "10.10.10.x network and DG 10.10.10.1" obviously led you and aryoba in the wrong direction. That's my fault since neither of those networks is used or will be used here. The "incomplete NAT configuration" is also my fault and it results from not knowing how to avoid using NAT on the router. As I noted to aryoba, an edge machine behind the router uses iptables with DNAT/SNAT and dnsmasq, so using NAT on the router is another layer I don't need.

However, the 208.42.x.x addresses are the block of 5 static usable addresses from the ISP and CenturyLink. Private addresses are routed from them.

On the other hand, not only is the "Command References" URL helpful, so is the "useful xDSL config guide." Perhaps this is confusing since up to this point I've used retail Actiontec ATU-R/gateways (as well as about 5 or 6 others). The NICs on the Linux boxes and the Windows boxes use the same network theory but how engineers choose to design the interfaces differs.

Thanks again. I'll stay with it if you will.

wxmanmichael
Premium
join:2014-05-15
Minneapolis, MN
Reviews:
·VISI.com
reply to aryoba
Yes, aryoba, that's about the gist of it.

I have one xDSL line using POTS carrying ATM that plugs into the POTS port on the ATU-R side of the Cisco 867. That is part of the block of 5 208.42.x.x public addresses leased from the ISP and CenturyLink. That is assigned using PPPoA. The LAN side of the router, then, has two subnetworks: one of them is the private 192.168.0.0 network for the cluster computer and several servers. That is used for numerical weather forecasting, among other things. That private subnetwork is on the back of the edge machine running iptables, dnsmasq, and SNAT/DNAT.

The public network IP addresses remaining should go (at least I hope they can go...) through a different ethernet port on the 867 and then supply a WiFi router, several laptops, cell phones, and other "stuff."

So, in view of that, I'm attempting to configure two networks. The router is essential since I need it as a gateway device between those two subnetworks. Hopefully I'm being clear enough to provide you with essential information. There are undoubtedly different ways to configure the networks, and I'm open to suggestions. Hopefully the work required for the iptables, SNAT/DNAT, dnsmasq will be useful. That's why I wanted to avoid the use of NAT/PAT on the 867.

I'll keep reading. Your suggestion re: TCP MSS was a good one. I'll address that tomorrow and I'll keep reading. One final, simple question: the POTS RJ-11 interface must be the one Cisco knows as "ATM0." Am I right or have I misunderstood something?

Thanks again.

aryoba
Premium,MVM
join:2002-08-22
kudos:4
reply to wxmanmichael
If the 10.10.10.x subnet is not used anywhere in the private network (and never will be), then let's remove it from the picture (at least for now).

aryoba
Premium,MVM
join:2002-08-22
kudos:4
reply to wxmanmichael
The 192.168.0.0 private network; will it need access to the Internet or will it need to communicate with IP-based machines over the Internet? If yes, then this private network has to use the 208.42.x.x Public address once the traffic leaves your network out to the Internet via NAT/PAT.

aryoba
Premium,MVM
join:2002-08-22
kudos:4
reply to wxmanmichael
The Public network and the Private network: are they currently communicating with each other? Do you wish these two networks not to communicate with or see each other? If so, then setting up the Public network as a DMZ, totally separate from the Private network, is needed.

aryoba
Premium,MVM
join:2002-08-22
kudos:4
reply to wxmanmichael
You mentioned that an edge device currently does SNAT/DNAT. Does it mean the device translates the 192.168.0.0 private network into 208.42.x.x or a different address? You may need to clarify your network assignment.

aryoba
Premium,MVM
join:2002-08-22
kudos:4
reply to wxmanmichael
As a side note, I must say that you, being a meteorologist, are pretty savvy with network stuff. I'm sure you have gone through a lot of pain to be at your skill level, which has been a great job. Hats off to you

In regard to router configuration, I'd say it is about 70 to 80% complete. Fortunately there are a handful of seasoned network professionals hanging here who will help you to set the router up. Once all of the network design and requirements are clarified, I'm sure it will be smooth sailing moving forward

HELLFIRE
Premium
join:2009-11-25
kudos:19
reply to wxmanmichael
said by wxmanmichael:

So, what I need to do is to furnish xDSL to the public and the private sides of the network

said by wxmanmichael:

The public network IP addresses remaining should go (at least I hope they can go...) through a different ethernet port

on the 867 and then supply a WiFi router, several laptops, cell phones, and other "stuff."

said by wxmanmichael:

That's why I wanted to avoid the use of NAT/PAT on the 867.

Okay that clarifies, but not by much. I can say that as you've found out, the ATM interface can take an IP address
assignment. Also the 867VAE should have two routed GE ports (they can have an IP address assigned to them) and
4 FE ports, which as far as I know are switched interfaces (the VLAN SVI can have an IP address assigned, but not
the actual interface).

said by wxmanmichael:

what is daunting about the site(s) is finding references helping to pull equipment and software into coherent wholes.

Once you know the actual class or piece of equipment you'll be working on, going under that and searching for
"configuration examples" usually is where you want to be.

Best thing right now, a) as aryoba mentioned, an actual diagram with the layout of your equipment and (proposed)
addressing would help us visualize things, b) back up your existing config, issue an "erase start" then a "reload" to the
867 and start fresh, just so you don't have unneeded config bits lying around.

After that we can go from there.

Regards

wxmanmichael
Premium
join:2014-05-15
Minneapolis, MN
Reviews:
·VISI.com
reply to aryoba
Wow! So much help. Thanks aryoba. The 192.168.0.0 private network, because it includes the cluster machines communicating with each other while the numerical models are running, needs to communicate with IP-based machines over the Internet. The caveat with these is their need to download (lots of) raw data during the processing cycle (for each of the models). The raw data comes from servers on the East Coast (primarily in Maryland) and sometimes in Europe. After download the data is parsed then runs in the model.

Your point, then, is that NAT/PAT is essential for the packets to leave/enter (or enter/leave) using the 208.42.x.x. public network. iptables was a pain to configure but at least it's similar to NAT/PAT. I guess I'll learn another scripting language!

I'll keep following. Thanks again.

wxmanmichael
Premium
join:2014-05-15
Minneapolis, MN
Reviews:
·VISI.com
reply to aryoba
Yeah, I was guessing that was the case. Looking at a graphic copy of the network as it stands now strongly suggests the DMZ layout. The edge machine should be the DMZ, etc. That's reasonable, even for an IP network neophyte like me. And it's the only protection for the entire network since the DMZ acts as its own router.

At least, the DMZ as its own router seems reasonable. If I've got it wrong, let me know.

wxmanmichael
Premium
join:2014-05-15
Minneapolis, MN
Reviews:
·VISI.com
reply to aryoba
If I could only have you here in Minneapolis! BTW, I read some of your comments on various fora (or is that now "forums"?). It's very impressive.

That's correct. That is, the edge device doing SNAT/DNAT translates the 192.168.0.0 onto the 208.42.x.x network. Essentially it does three functions: it acts as a router between the two subnetworks; it provides local DNS using dnsmasq; and iptables acts as a firewall.

And by "clarifying my network assignment" you mean for you, the reader, or for myself, the neophyte? Or, of course, for both of us, particularly me!

HELLFIRE
Premium
join:2009-11-25
kudos:19
reply to wxmanmichael
said by wxmanmichael:

And by "clarifying my network assignment" you mean for you, the reader, or for myself, the neophyte? Or, of course, for both of us, particularly me!

For everyone... let's just say the whole spiel about right hand and left hand applies, ESPECIALLY in IT.

Put another way, if no one understands what you want, no one can help you out.

Regards

aryoba
Premium,MVM
join:2002-08-22
kudos:4
reply to wxmanmichael
The cluster machines within 192.168.0.0 Private network; how are they communicating with IP-based machines over the Internet? Do they need some GRE tunnel, IPSec tunnel, or a simple clear text (no tunnel and no encryption)?

If some tunnel is needed, then I'm sure the other end (the IP-based machines the clusters communicate to) needs to verify the 208.42.x.x network represents your network over the Internet; in addition to some specific encryption or tunnel setup.

aryoba
Premium,MVM
join:2002-08-22
kudos:4
reply to wxmanmichael
said by wxmanmichael:

Yeah, I was guessing that was the case. Looking at a graphic copy of the network as it stands now strongly suggests the DMZ layout. The edge machine should be the DMZ, etc. That's reasonable, even for an IP network neophyte like me. And it's the only protection for the entire network since the DMZ acts as its own router.

At least, the DMZ as its own router seems reasonable. If I've got it wrong, let me know.

DMZ design is highly suggested since you don't want to mix up Private and Public networks. However, it is a somewhat challenging setup when you have the DMZ on the 867 router while the edge machine already does SNAT/DNAT to the same 208.42.x.x network.

Should you keep the edge machine doing the SNAT/DNAT, both the DMZ and the Private network then sit behind the machine. You will then need an additional firewall or router to separate the DMZ and the Private network; that firewall also sits behind the edge machine.

Note that you may not need such a firewall if the edge machine has a firewall feature that can set up a DMZ. When this is the case, the Public network can sit in the DMZ while the Private network stays as it is.

If you consider having the 867 router do the NAT/PAT, then you can terminate the DMZ on the router with a complicated setup. The edge machine will stop doing SNAT/DNAT but can keep doing other things as the existing setup allows. The Private network can also stay behind the edge machine as it is now.

aryoba
Premium,MVM
join:2002-08-22
kudos:4
reply to wxmanmichael
said by wxmanmichael:

If I could only have you here in Minneapolis!

I'm nowhere near Minneapolis, however some folks here I'm sure live close by

wxmanmichael
Premium
join:2014-05-15
Minneapolis, MN
Reviews:
·VISI.com
reply to HELLFIRE
I drew the layout and left the links out but included the IP addressing scheme. That helps me think through the issues and it will help you visualize the equipment here. The DMZ is a great idea. I've considered a two-box DMZ layout and sketched one. I'll draw it using software and attach it in several versions. Do you have a preference for the graphics format? I will post it tomorrow, probably afternoon. (Saturday)

aryoba
Premium,MVM
join:2002-08-22
kudos:4
If you have a network diagram, then simply post it directly (no attachment, no links to open or to download). A simple JPG format will do.

wxmanmichael
Premium
join:2014-05-15
Minneapolis, MN
Reviews:
·VISI.com
and here's the diagram, at least the prospective one:

/root/emailproject/Network2.jpg or, maybe,

/root/emailproject/Network2.jpg

Nope, that only produces the link, too. All my graphics software is on a Linux system and although it's saved as a .jpg file, every time it arrives like this. That means I'll need to research one more poorly documented piece of software to paste it here.

This is what drives me crazy: a Web-dominated slapdash documentation process.

Excuse the rant.

wxmanmichael
Premium
join:2014-05-15
Minneapolis, MN
Reviews:
·VISI.com
reply to aryoba
[attached image: Network diagram]
Looks like an attachment is the best I can do.

aryoba
Premium,MVM
join:2002-08-22
kudos:4
Looking at the diagram, it seems that you wish to terminate the Public network at the router while keeping the edge machine doing SNAT/DNAT. Since the router also has to do DNAT (PAT) for the Public network to be able to go out to the Internet, the router configuration (and perhaps the edge machine's configuration as well) will be a little bit complicated.

The complicated parts are the following:

* Breaking up the 208.42.x.x. ISP-assigned network into smaller sizes; Sizes 1, 2, 3 (and perhaps 4)
* Size 1 is for the Private (prospective) network, Size 2 is for DMZ, Size 3 is for Public network
* Depending on the edge machine's setup, there might be a need for Size 4 just for the machine interface towards the router
* The router will handle the Size 3 208.42.x.x network as part of its PAT mechanism
* The edge machine handles the Sizes 1, 2 (and 4) 208.42.x.x network as part of its SNAT/DNAT mechanism
* There will be specific router configuration part to omit the SNAT/DNAT of sizes outside Size 3