
wxmanmichael
Premium Member
join:2014-05-15
Minneapolis, MN

wxmanmichael

Premium Member

[Config] Me again. New router, no DSL link. A simple question this time.

I can't believe this. It's easier to earn a Ph.D than it is to gather the info and configure this thing.

I've been through nearly everything, believe me. (In case you want a history, there are two previous Cisco forum threads still here). Cisco TAC has been great. The engineer asked me to identify the DSLAM in the CO late Monday night. But so far, CenturyLink has only told me that it is, "chassis type: Cisco 6160 (8 PT 6160 ADC A)." I suspect that means the DSLAM chassis is a 6160, capacity is 8 lines, annex A (or ADC frame A). But it doesn't tell me the brand and the model number of the line card. Yes, I asked. Who knows how long it might take for CenturyLink to tell me. It must be a state secret...

So, one solution is to connect the Actiontec 701D to the Cisco 867VAE-K9 and use the Actiontec as the ATU-R (since I know it connects).

If I connect the Actiontec to the Cisco router can someone at Cisco then telnet (or something) into the router to help with the configuration? That might be a first step.

Thanks.
aryoba
MVM
join:2002-08-22

aryoba

MVM

If you have OOB set up, the Cisco TAC engineer can access it remotely to help you further.

wxmanmichael
Premium Member
join:2014-05-15
Minneapolis, MN

wxmanmichael

Premium Member

And what is OOB? (Unless it's a joke for a sound like "oooooobb")
wxmanmichael

wxmanmichael

Premium Member

OK, so "ooooobb" is OOB is "out of bounds," and it's already configured on the router. BUT it requires a land line so that I could use it to make a voice call. But the only thing available on the POTS line is ADSL. Like most people, I use a cell phone for voice calls (although I hate cell phone service: sounds very bad, loses calls, lots more).

So, aside from re-provisioning my voice service (and waiting for CenturyLink to turn up service), any other options? We've really made a mess of telecommunications (unless you want to use "aps" to play games and send baby pictures...)
HELLFIRE
MVM
join:2009-11-25

HELLFIRE to wxmanmichael

MVM

to wxmanmichael
Here's Cisco's datasheet on the 6160 if you're interested.

So basically you want to have the Actiontec do the DSL modem, and the 867 to route-only? Config-wise, it's not impossible to do, even for a Cisco n00b... there are quite a lot of examples to crib from.

Regards
aryoba
MVM
join:2002-08-22

aryoba to wxmanmichael

MVM

to wxmanmichael
said by wxmanmichael:

OK, so "ooooobb" is OOB is "out of bounds,"

Actually it is Out Of Band, since it is used just for network management and not for passing actual data.
markysharkey
Premium Member
join:2012-12-20
united kingd

markysharkey to wxmanmichael

Premium Member

to wxmanmichael
I recall the two recent threads but I'm having trouble figuring out exactly what you want to do. Can we (I) have an executive summary and maybe some ASCII art diagrams so we (I) can understand what EXACTLY you want to achieve?

Option 1
LAN >>> 867 >>> ActionTec >>> Internet
 

Or...

Option 2
LAN >>> 867 >>> Internet
 

wxmanmichael
Premium Member
join:2014-05-15
Minneapolis, MN

wxmanmichael to aryoba

Premium Member

to aryoba
Yeah, I was just kidding!!
wxmanmichael

wxmanmichael to markysharkey

Premium Member

to markysharkey
Thanks, Markysharkey. This has been a months-long issue. The first router (an 867VAE-K9) burned up the first day. (Let all the white smoke out...). The second one required about a month of conversation and experiments with Hellfire and aryoba along with the TAC to discover that it, too, didn't seem to be passing packets.

This one (the third) isn't cooperating either, but it's time to consider that I simply don't have the skills or experience to configure it. As I noted, the engineer at Cisco suggested discovering the brand name of the DSLAM but although it's a Cisco 6160, the chipset requires knowledge of the line card(s) in the chassis. Barring that, my best solution is probably using the integrated ATU-R in the 867VAE-K9 and using the Actiontec 701D that remains the CPE to CenturyLink's DSLAM.

I'll send a copy of my potential network diagram within an hour and that may help.

Thanks.
wxmanmichael

wxmanmichael to HELLFIRE

Premium Member

to HELLFIRE
I'll admit, Hellfire, it's not my best solution but right now my tires are flinging mud and I'm not moving anywhere. If I "bypass" the integral ATU-R in the 867VAE-K9 I can still use IOS to do all the operations needed (and then some). But then I can also move ahead with other network configuration tasks. Otherwise, the Cisco is a nice-looking metal box with a solid power-on light and a flashing "DSL link" light and no link to that goofy DSLAM.

If I thought it would help, I'd stand on my head, sacrifice a small animal, and sing "In-A-Gadda-Da-Vida" backwards.
markysharkey
Premium Member
join:2012-12-20
united kingd

markysharkey to wxmanmichael

Premium Member

to wxmanmichael
Why use the ATU-R at all if the ActionTec is in there?
In fact, let me go further. DON'T use the ADSL/VDSL port on the 867 if the ActionTec is in there. Here's what to do.
Connect the ActionTec router to port 0 of the 867
Connect Port 1 of the 867 to your internal LAN (I assume you have a managed switch in there).
On the 867, do this:
Router(config)#int vlan 1
Router(config-if)#ip address dhcp (this will come from the ActionTec router)
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#int fa 0
Router(config-if)#switchport mode access
Router(config-if)#switchport access vlan 1 (not actually required, but for the sake of completeness.)
Router(config-if)#exit
Router(config)#vlan 10
Router(config-vlan)#exit
Router(config)#int fa 1
Router(config-if)#switchport mode access
Router(config-if)#switchport access vlan 10
Router(config-if)#exit
Router(config)#int vlan 10
Router(config-if)#ip add 192.168.10.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#ip access-list extended NAT
Router(config-ext-nacl)#permit ip any any (yes this is lazy!)
Router(config-ext-nacl)#exit
Router(config)#ip nat inside source list NAT int vlan 1 overload
Router(config)#ip route 0.0.0.0 0.0.0.0 x.x.x.x (where x.x.x.x is the private IP address of the ActionTec router.)
Router(config)#end
Router#copy run start
 

On your switch, whatever ports you want to have internet access, put them in to VLAN 10, INCLUDING the port that connects to the router. You could also put any port from fa2 and above in to VLAN 10 on the 867 and they will work too.
If you need a DHCP server for VLAN 10, here's how:

Router(config)#ip dhcp pool Internet (Internet is just a name. You can call it anything you want)
Router(dhcp-config)#network 192.168.10.0 255.255.255.0
Router(dhcp-config)#lease 7 (1 day is the default)
Router(dhcp-config)#dns-server 8.8.8.8 4.2.2.1 (or whatever DNS servers you want)
Router(dhcp-config)#default-router 192.168.10.1
Router(dhcp-config)#import all
Router(dhcp-config)#exit
Router(config)#ip dhcp excluded-address 192.168.10.1 (this stops the router's own IP address being given out.)
Router(config)#end
Router#copy run start
 

I did this today but using an 887 to route 5 VLAN's off to the internet via a cheapo ISP supplied router, and it's also what I do at home for my lab.
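
Added example, not part of markysharkey's post: the NAT match list in the config above is `permit ip any any`, which the post itself calls lazy. A tighter list, sketched here against the same names and addresses the post uses (ACL `NAT`, inside subnet 192.168.10.0/24, outside interface Vlan1), translates only the VLAN 10 hosts.

```cisco
! Added example, not from the original post.
!
! As posted, the match list lets the router translate traffic from ANY
! source address that reaches the inside interface:
!   ip access-list extended NAT
!    permit ip any any
!
! Tighter match list: only sources in the VLAN 10 subnet defined in the
! post (192.168.10.0/24) are eligible for translation. Anything else hits
! the implicit deny at the end of the list and is not NATed.
configure terminal
 ip access-list extended NAT
  ! Remove the catch-all entry first, then add the specific one.
  no permit ip any any
  permit ip 192.168.10.0 0.0.0.255 any
 exit
 ! The NAT rule from the post is unchanged; it still refers to the
 ! list by name, so no change is needed here.
 ip nat inside source list NAT interface Vlan1 overload
end
!
! Checks after the change:
!  - the ACL shows a single permit entry for 192.168.10.0/24
!  - every "Inside local" address in the translation table is in
!    192.168.10.0/24
show ip access-lists NAT
show ip nat translations
show ip nat statistics
!
! Save only once the checks look right.
copy running-config startup-config
```

If more inside VLANs are added later, each subnet needs its own `permit` line in the `NAT` list; with the catch-all entry removed, a new subnet will not be translated until it is listed.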

wxmanmichael
Premium Member
join:2014-05-15
Minneapolis, MN

wxmanmichael

Premium Member

Thanks Markysharkey! I'll give this a try within the next few hours! This is probably the easiest solution and bypasses all the issues revolving around that DSLAM. When and if CenturyLink ever tells me which line card is in that DSLAM, maybe I can use the integral ATU-R.

And by the way, I know the identity of the line card is in their OSS database because I used to analyze OSS software. But someone at CenturyLink would have to LOOK to find it!
markysharkey
Premium Member
join:2012-12-20
united kingd

markysharkey

Premium Member

But it's been a month! OK, great that you know about the DSLAM but I am yet to come across any ISP that a Cisco ATU won't connect to. This should be a 20 minute job. Good luck charging a client a months config work for an internet connection!!!
Get this done, get it working. Then we can move on to multiple VLAN configs on the same hardware. Then you can introduce policy based routing or CBAC or ZBFW or VoIP or anything you want. You can even do Cisco VPN's but you'll need a DynDNS on the ActionTec for that.
HELLFIRE
MVM
join:2009-11-25

HELLFIRE to wxmanmichael

MVM

to wxmanmichael
Best of luck with things, wxmanmichael.

Now that I think about it and the whole white smoke with the last 867, we should've just tried making it a router and skipped the DSL portion of things...

....oh well, the path not taken...

To add my 00000010bits to things, I'd go with what markysharkey suggested, but if the Actiontec is getting the public IP address, don't set NAT'ing on the 867VAE -- double NAT is a performance drain and I know some apps are VERY sensitive to NAT as it is.

Regards
markysharkey
Premium Member
join:2012-12-20
united kingd

markysharkey

Premium Member

I'm going to disagree (in the best possible way) with Hellfire on this. YES, NAT is a drain, but on a bog standard DSL circuit where less than 16Mb/s is common, it won't matter. BUT, throw in some ZBFW or PBR and you may well start to see performance drops.
And so far I have not come across anything sensitive to the double NAT config, and I get busy with some pretty flaky apps in my line of work. BUT, that doesn't mean they aren't out there...
markysharkey

markysharkey to wxmanmichael

Premium Member

to wxmanmichael
And I got bored, so here's a picture...
HELLFIRE
MVM
join:2009-11-25

HELLFIRE

MVM

said by markysharkey:

I'm going to disagree (in the best possible way) with Hellfire on this.

So long as you're disagreeing with me for the right / legitimate reasons, I'm cool with it.

As tubbynet would say, I like to troll this place for fun and games, but I do not nor do I claim to know everything.

Regards

wxmanmichael
Premium Member
join:2014-05-15
Minneapolis, MN

wxmanmichael to markysharkey

Premium Member

to markysharkey
network4.jpg
network3.jpg
OK, guys. Each of you knows more than I know! Here are two drawings, Markysharkey, that I drew some time ago for aryoba and Hellfire when they discussed network design with me. (You can see both threads still up in the Cisco forum. I think they will agree this has been bloody...).

The network3.jpg drawing is where I started while the network4.jpg is the potential drawing.

To provide a little bit of background: I am a meteorologist running a SOHO and nearly all my work is consulting. I run several numerical weather forecasting models on those Linux boxes on the private subnetwork. The other stuff is public IP addresses. I connect to my ISP (a local one: Visi here in Minneapolis) and they provide the 208.42.28.40/29 block. The private subnet are all static numbers and flow through the SNAT/DNAT/dnsmasq/iptables machine labeled as "Edge Machine".
The telecom is CenturyLink (before that it was Qwest, etc.) using PPPoA, AAL5MUX, PAP (only a hunch based on the ISP), VPI/VCI 0/32, etc.

I've been using ADSL here in this CO since it was first offered and I've burned up more "modems" than I can tell you.

Hopefully, this will be helpful, not confusing. And I really don't know the reason why the Cisco 867VAE-K9 won't link to that #$$^&*() DSLAM after all that time!

If you want it, I'll send the current configuration and the latest diagnostics. In fact, I've never configured the LAN side of the router!
markysharkey
Premium Member
join:2012-12-20
united kingd

markysharkey

Premium Member

OK, so if you've never configured the LAN side then my configs will work, save for the fact you need to create VLAN 10 in your LAN and put all your interfaces in to VLAN 10.
If the ActionTec router is working and giving you internet access then you don't need to touch that either, so there's no chance of breaking it.
Also you need to back off the tech side. You've been massively over thinking it and following advice that, whilst good, is inappropriate for what you want to do.
Get this going first then we can look at DMZ's and wireless and whatever else you need on drawing 4.

wxmanmichael
Premium Member
join:2014-05-15
Minneapolis, MN

wxmanmichael

Premium Member

cisco_config···2014.zip
2,953 bytes
Config and Diagnostics July 10 pm
Good advice. Nothing too technical, just part of the stuff in my head. Believe me, if you ask something about the "Federalist Papers" or ancient Persian history, I probably have the answer. If you ask me where I left my keys, I probably don't know!

I'll add the current running-configuration screens along with a few diagnostic screens as well.

Thanks guys. I still don't understand why the DSLAM is so close but still so far away!
wxmanmichael

wxmanmichael to markysharkey

Premium Member

to markysharkey
Let me clarify things: the LAN side, right now, is configured using iptables and Netfilter along with the Actiontec. But the LAN side is configured on the 867VAE-K9.
wxmanmichael

wxmanmichael to markysharkey

Premium Member

to markysharkey
I just read that PPP must be enabled on both interfaces (i.e., ATU-R and ATU-C) and the Layer 3 protocols, e.g., IP are negotiated. Does this mean the ATU-R needs a switchport command? Or is the Dialer, ATM0, POTS port on the 867VAE-K9 already configured for Layer 3?
wxmanmichael

wxmanmichael to HELLFIRE

Premium Member

to HELLFIRE
BTW, Hellfire, I agree that double NATting is less than a good idea, at least theoretically. This is the CenturyLink 1860's (as in, "When Lincoln was President...") ADSL. At least in this CO there's nothing else available. (What a way to run a telecom).

So, we're gonna be careful and avoid something fancy right now. Besides, "they're" re-writing Netfilter so it will be much more flexible. By putting that together with EEM I could have a very flexible network. And I thought learning C, C++, and C# was a waste of time...
markysharkey
Premium Member
join:2012-12-20
united kingd

markysharkey to wxmanmichael

Premium Member

to wxmanmichael
said by wxmanmichael:

I just read that PPP must be enabled on both interfaces (i.e., ATU-R and ATU-C) and the Layer 3 protocols, e.g., IP are negotiated. Does this mean the ATU-R needs a switchport command? Or is the Dialer, ATM0, POTS port on the 867VAE-K9 already configured for Layer 3?

How many ADSL cables with RJ11's do you have?
If it's just 1, plug it in to the ActionTec router and forget EVERYTHING you just said...
said by wxmanmichaeltheoverthinker! :

I agree that double NATting is less than a good idea, at least theoretically.

Theory be damned. I have at least 5 medium to high use networks deployed in the last 6 months using "double NAT" as the ISP will not allow "foreign" equipment to connect to their networks (and even spoofing MAC addresses has failed on at least two of these) so my experience and empirical data says unless you're VERY unlucky, it's a non-issue.

wxmanmichael
Premium Member
join:2014-05-15
Minneapolis, MN

wxmanmichael

Premium Member

It's always a very good idea to retain a tight grip on theory since without it you're flying blind without insight. Without insight no one can be creative since creativity depends on knowledge accumulated over time.

Anyway, I have a few questions you can clarify for me. You put "ip address dhcp (this will come from the ActionTec router)" into your script. I guess I could research it, but since I'm not using DHCP anywhere in my network, since all the addresses are IP statically-assigned, and since the ISP provides me with a block of IP addresses (x.x.x.41 through x.x.x.45), my only hunch is that the DHCP is required for the initial negotiation with the DSLAM. Am I right?

Then if the initial negotiation is done between the Actiontec and the DSLAM, the 867VAE-K9 wouldn't be a part of the DHCP. Am I right? After all, the 867VAE-K9 follows the Actiontec.

Third question, The list of interfaces includes a "Vlan1," but no vlan 10. Do you mean "vlan 10" as "vlan 1"? If not, what's the difference between them?

Last group of questions: You include this in the script: "On your switch, whatever ports you want to have internet access, put them in to VLAN 10, INCLUDING the port that connects to the router. You could also put any port from fa2 and above in to VLAN 10 on the 867 and they will work too."
Which of the physical ports is Vlan10? Is it simply one assigned from the physical ports FastEthernet0 through FastEthernet3?

Finally, currently there is an UNmanaged switch on the opposite side of the so-called "edge machine" that runs Netfilter, iptables, SNAT, DNAT, and dnsmasq. So the current order is "Actiontec, edge machine, unmanaged switch." Does that make any difference?

Believe me, I would not, "...charge a client a months config work for an internet connection!!!" It's not my line of work. But there are some important pieces of knowledge missing from this router-DSLAM configuration. I can't find them and this must be unique enough so that TAC, aryoba, and Hellfire couldn't find them either. Under those conditions, I'm not about to hire myself out to solve anyone's problems other than meteorological ones.

Thanks.
HELLFIRE
MVM
join:2009-11-25

HELLFIRE to wxmanmichael

MVM

to wxmanmichael
said by wxmanmichael:

You put "ip address dhcp (this will come from the ActionTec router)" into your script...my only hunch is that the DHCP is required for the initial negotiation with the DSLAM.

said by wxmanmichael:

Then if the initial negotiation is done between the Actiontec and the DSLAM, the 867VAE-K9 wouldn't be a part of the DHCP. Am I right? After all, the 867VAE-K9 follows the Actiontec.

Router(config)#int vlan 1
Router(config-if)#ip address dhcp (this will come from the ActionTec router)
 

This has NOTHING to do with the DSLAM. This is simply the 867VAE's interface VLAN1 saying to the world "hey, I need an IP address, gimme one." As markysharkey indicated, the Actiontec's internal DHCP server should supply an address to the 867VAE then.
said by wxmanmichael:

Third question, The list of interfaces includes a "Vlan1," but no vlan 10. Do you mean "vlan 10" as "vlan 1"? If not, what's the difference between them?

VLAN1 is default on pretty much any IOS router... you can add more VLANs according to needs, which is what markysharkey's proposal was. Make sense?
said by wxmanmichael:

You include this in the script: "On your switch, whatever ports you want to have internet access, put them in to VLAN 10, INCLUDING the port that connects to the router. You could also put any port from fa2 and above in to VLAN 10 on the 867 and they will work too."
Which of the physical ports is Vlan10? Is it simply one assigned from the physical ports FastEthernet0 through FastEthernet3?

VLANs are a LOGICAL construct, the FE0 to FE3 interfaces on the 867VAE are the PHYSICAL ones, and can be assigned to a vlan like so

router#config t
interface FastEthernet0
switchport mode access
switchport access vlan [vlan#]
 
said by wxmanmichael:

Finally, currently there is an UNmanaged switch on the opposite side of the so-called "edge machine" that runs Netfilter, iptables, SNAT, DNAT, and dnsmasq. So the current order is "Actiontec, edge machine, unmanaged switch." Does that make any difference?

I'd have to dredge up your original thread, but I'd almost swear we went thru this about the 867VAE being a DSL modem and the "edge machine" being the iptables / NAT box. If you keep the edge machine there and have it still do NAT and add the 867VAE in you could potentially have a triple NAT situation -- ie. the Actiontec, "edge machine" AND the 867VAE all do NAT.

Think we said it before, design the network to YOUR needs. _IF_ all you want is a config where the Actiontec is the DSL modem and the 867VAE routes / NATs, that's what markysharkey gave ya.

Hope that helps out somewhat.

Regards

wxmanmichael
Premium Member
join:2014-05-15
Minneapolis, MN

wxmanmichael

Premium Member

Thanks, Hellfire. It's what I suspected with every question. Usually I ask questions with an answer in mind (theory, but essential). I needed to fill in the blanks so that I don't start simply following instructions blindly. It's a personality fault on my part, but it's proven to be helpful over the years.

I'll have to check the negotiation process, but apparently the DSLAM must be assigning an IP address on its own (and that's available in the Actiontec as a "Gateway" address along with another "IP address," neither of which is part of the x.x.x.40/29 block). The Actiontec identifies 208.42.0.20 as the "gateway" and 208.42.61.91 as "IP address." Unless the second one is an edge device at the ISP, they must be in the DNS server here in the region somewhere.

You can see why I might be confused by this. I have a block assigned to me. Then there are two IP addresses coming from somewhere I can't identify. The Actiontec is configured a dhcp server. (In fact, dhcp doesn't appear anywhere along the route.)

Yes, I see the "triple NAT" threat and I want complete control over the NAT anywhere in my network. Too many NAT options only makes packet paths exceedingly difficult and unnecessarily complex. I also understand that a vlan is a logical construction, but the only way I know that is from my exposure to vlan theory. How one assigns vlan numbers on the 867VAE-K9 has been missing to this point.

That's also the reason for specifying FE0 through FE3 as physical interfaces. Knowing I can configure vlans of any number is also not specified in the Cisco materials.

Finally, the whole approach regarding using the Actiontec in any way is only because I can't seem to get the 867VAE-K9 to link to the DSLAM and I am no closer to knowing why that fails. I doubt that Cisco's equipment is at fault. There is a missing piece (or pieces) that allow the cheapo Actiontec to link but that need to be configured manually in the 867VAE-K9. I'm not trying to be difficult. Using the Actiontec is a fall-back option in the face of missing information.
markysharkey
Premium Member
join:2012-12-20
united kingd

markysharkey

Premium Member

said by wxmanmichael:

Usually I ask questions with an answer in mind (theory, but essential).

Ask questions with an open mind. Having an answer in mind WILL lead you down the sort of blind alley you find yourself in, and HAS caused you to massively over think what is a simple, tried and 100% empirically proved working solution.

wxmanmichael
Premium Member
join:2014-05-15
Minneapolis, MN

wxmanmichael

Premium Member

Aah, although your method is simple and straightforward provisioning the router through PPPoA and Dialer interface, i.e., using the ATU-R internal to the router, is still missing something. I'm not questioning your method, Markysharkey, but the configuration through POTS and the internal "modem" is missing something vital.

Although using the Actiontec may be the only working solution it still bypasses the 867VAE-K9's internals. The router's reliability is what attracted me in the first place. So, understanding which device provides two IP addresses would solve the issue. Using the Actiontec by itself I can see those two addresses in the configuration screens. One is noted as the "gateway" (obviously it isn't mine here, that's 208.42.28.46). The first "mystery" IP address is 208.42.0.20. The other "mystery address" is: 208.42.61.91. Both of them, using whois, are owned by the ISP (Visi). The second one, 208.42.61.91 is probably their edge router and most likely is responsible for issuing my block of addresses.

In other words, one termination point is here (my gateway) and the other termination point is at Visi. So, negotiating involves a RADIUS server (AAA) at Visi and passes through the DSLAM in my CO but tunnels from Visi to my location, probably using L2TP.

In other words, if I change my preconceptions things begin to make more sense. That "expecting an answer," is the critical point since the theory influences how I see the path from there to here. If the Cisco examples are built with the idea that CenturyLink is both SP and ISP, then CenturyLink's equipment generates the IP addresses. If not, then I'm getting my IP addresses from Visi. Negotiating with the DSLAM may not get me anywhere to an AAA that can validate my account.
HELLFIRE
MVM
join:2009-11-25

HELLFIRE to wxmanmichael

MVM

to wxmanmichael
said by wxmanmichael:

So, understanding which device provides two IP addresses would solve the issue. Using the Actiontec by itself I can see those two addresses in the configuration screens. One is noted as the "gateway" (obviously it isn't mine here, that's 208.42.28.46). The first "mystery" IP address is 208.42.0.20. The other "mystery address" is: 208.42.61.91. Both of them, using whois, are owned by the ISP (Visi). The second one, 208.42.61.91 is probably their edge router and most likely is responsible for issuing my block of addresses.

Question, what's the subnet masks on those IP addresses?

ARIN reports those ranges as owned by VISI, which may or may not have something to do with CenturyLink.

So question now is what you want to do, and where you want to go from here? I suspect that when
you plug something into the Actiontec's LAN interfaces, it'll get a 10.0.0.0/8, 172.16.0.0/12 or
192.168.0.0/16 address, am I right?

Regards