Bridge with 878 behind dualwan router

Unanswered Question

Hello,

I am trying to configure one 878 Cisco router as a transparent router behind a dualwan Linksys router.

I've added these in the configuration of the 878 :

no ip routing

!

interface Vlan1

no ip address

no ip directed-broadcast

bridge-group 1

!

interface ATM0.1

no ip address

no ip directed-broadcast

pvc 8/35

encapsulation aal5snap

!

bridge-group 1

!

ip classless

!

bridge 1 protocol ieee

In the dualwan router, I've set the interface to auto-ip. But this interface never gets the SDSL public ip address.

What is going wrong?

Thanks in advance for help,

Kind regards,

Guy

Paolo Bevilacqua Sat, 05/12/2007 - 06:20

Hi,

change the atm like this:

int atm0.1

no pvc 8/35

no bridge-group 1

int atm 0/1.1 point-to-point

pvc 8/35

bridge-group 1

encapsulation aal5snap

You can also give the router an IP address if you configure "ip routing", "bridge irb", and "interface bvi1".

Can I ask why you need the Linksys router at all? The 878 has many ports and can probably do everything the Linksys does.

Thanks for your help.

The command int atm 0/1.1 point-to-point was refused at char /. I replaced it with int atm 0.1 point-to-point. Is that right? The encapsulation aal5snap then also gives an error. What is going wrong?

Answer to your 2nd question : We intend to install a dualwan configuration, with use of a specific interface for specific port (ex. SMTP always to interface 1) Our ISP (easynet.be) promised to help us configure this router, but they now drop us.

Guy

mohammedmahmoud Sat, 05/12/2007 - 23:30

Hi,

As Paolo said, but I think that the bridge group should be under the interface:

interface atm 0.1 point-to-point

bridge-group 1

pvc 8/35

encapsulation aal5snap

Make sure that you are entering the "encapsulation aal5snap" under the PVC.

HTH,

Mohammed Mahmoud.

Under the PVC the command succeeds. But the bridge still refuses to work. I've reloaded the default config from my ISP and added these commands:

no ip routing

!

interface Vlan1

no ip address

no ip directed-broadcast

bridge-group 1

!

interface atm 0.1 point-to-point

no ip address

no ip directed-broadcast

bridge-group 1

!

interface atm 0.1 point-to-point

pvc 8/35

encapsulation aal5snap

!

ip classless

!

bridge 1 protocol ieee

but it is still down.

Any solution ?

Guy

mohammedmahmoud Sun, 05/13/2007 - 00:18

Hi,

I've tested it and it worked fine:

interface atm 0.1 point-to-point

bridge-group 1

bridge-group 1 spanning-disabled

pvc 8/35

encapsulation aal5snap

Please make sure that it is done as above.

HTH,

Mohammed Mahmoud.

How is it possible to verify that the bridge is OK?

Could it be that the ISP checks the MAC address? Do I have to clone the MAC address in the dualwan router?

Here is the full config. Perhaps something else conflicting ?

version 12.3

no service pad

service timestamps debug datetime localtime show-timezone

service timestamps log datetime localtime show-timezone

service password-encryption

service linenumber

service sequence-numbers

!

hostname ineo-21029

!

boot-start-marker

boot-end-marker

!

no logging buffered

enable secret 5 ...

!

username ...

username ...

username ...

aaa new-model

!

!

aaa authentication login default local

aaa authorization exec default local

aaa session-id common

ip subnet-zero

no ip routing

no ip cef

no ip dhcp use class

!

!

ip name-server 212.x.x.51

ip name-server 212.x.x.52

ip port-map ms-sql port 1433

no ftp-server write-enable

isdn switch-type basic-net3

!

!

!

!

controller DSL 0

mode atm

line-term cpe

line-mode 2-wire line-zero

dsl-mode shdsl symmetric annex B

line-rate auto

!

!

!

!

interface BRI0

no ip address

no ip route-cache

shutdown

isdn switch-type basic-net3

!

interface ATM0

description === to PE/Router ====

no ip address

ip accounting output-packets

no ip route-cache

load-interval 30

no atm ilmi-keepalive

!

interface ATM0.1 point-to-point

description $ES_WAN$

no ip route-cache

pvc 8/35

oam-pvc manage 5

oam-pvc manage cc end direction both

oam retry 3 3 1

oam retry cc end 3 3 30

encapsulation aal5snap

!

bridge-group 1

bridge-group 1 spanning-disabled

!

interface FastEthernet0

no ip address

!

interface FastEthernet1

no ip address

!

interface FastEthernet2

no ip address

!

interface FastEthernet3

no ip address

!

interface Vlan1

description $FW_INSIDE$

no ip address

ip nat inside

ip virtual-reassembly

no ip route-cache

bridge-group 1

!

interface Dialer1

description $FW_OUTSIDE$

ip address negotiated

ip nat outside

ip virtual-reassembly

encapsulation ppp

no ip route-cache

dialer pool 1

dialer-group 1

no cdp enable

ppp chap hostname [email protected]

ppp chap password xxx

ppp pap sent-username [email protected] password 7 ....

!

ip classless

!

ip http server

no ip http secure-server

!

access-list 113 remark ... VTY access restriction ...

access-list 113 remark SDM_ACL Category=17

access-list 113 permit ip 212.x.x.0 0.0.0.255 any

access-list 113 permit ip host 207.162.193.254 any

access-list 113 permit ip host 212.100.160.37 any

access-list 113 permit ip 192.168.2.0 0.0.0.255 any

access-list 113 deny ip any any

dialer-list 1 protocol ip permit

!

control-plane

!

bridge 1 protocol ieee

banner login ^CINEO SDSL router.

Any intrusion will be prosecuted.^C

!

line con 0

exec-timeout 120 0

no modem enable

transport preferred all

transport output all

stopbits 1

line aux 0

transport preferred all

transport output all

line vty 0 4

access-class 113 in

exec-timeout 0 0

transport preferred all

transport input all

transport output all

!

scheduler max-task-time 5000

end

Paolo Bevilacqua Sun, 05/13/2007 - 03:42

Hi,

the configuration seems right. You can do "show interfaces", "show bridge-group 1" to check the router is passing packets. There is no need for MAC cloning, as the router in this case is passing them unchanged already. Also do "show controllers" and "show atm pvc" to check on these things.

It seems like the ISP does PPPoE, why don't you terminate that on the 877 with NAT? Then you can more or less do what you wanted, with static NAT configuration.

The original config of the ISP was

interface ATM0

description === to PE/Router ====

no ip address

ip accounting output-packets

load-interval 30

no atm ilmi-keepalive

!

interface ATM0.1 point-to-point

description $ES_WAN$

pvc 8/35

oam-pvc manage 5

oam-pvc manage cc end direction both

oam retry 3 3 1

oam retry cc end 3 3 30

encapsulation aal5mux ppp dialer

dialer pool-member 1

I think it says the ISP does PPPoA and not PPPoE. Is that right?

In the bridge config, should I use "encapsulation aal5snap" or "encapsulation aal5mux ppp dialer"?

Guy

Paolo Bevilacqua Sun, 05/13/2007 - 04:38

Hi,

Yes, from the configuration above it appears that the ISP is using PPPoA and not PPPoE. Does this configuration work?

The thing is that you cannot bridge PPPoA to the ethernet, it must be terminated in the router, as the configuration you were given indicates.

You can probably have things working terminating the PPP in the 877 and doing NAT there as I was saying before, else ask the ISP to change encapsulation to rfc1481, if you want to bridge to the LAN (I would not recommend this as you would need another router anyway).

Paolo Bevilacqua Sun, 05/13/2007 - 06:09

How many subnets did the provider give you? If you have one separated for LAN, you do not even need NAT.

Dual-nat may even work, but you will need to configure some static mapping on the 877 just like you do port forwarding on the linksys.

However, the best would be that you do NAT/FW and everything on the 877, and connect your systems directly there. Again you would need static mappings per above. But you will also be able to configure QoS for the upload direction, and many more advanced things that only a Cisco router does.

Our provider gives us only one public IP. That's all.

Before trying to configure the 878 as a bridge, we tried dual nat : port forwarding from the public ip to the internal interface of the 878. Then, port forwarding from the wan interface of the Linksys to the private network. But this does not work.

That's why we try to transform the 878 into a transparent router. Everything on the WAN should be forwarded to the inside interface, and vice versa.

Any suggestion is welcome,

Guy

Paolo Bevilacqua Sun, 05/13/2007 - 07:22

Hi,

The problem is that PPPoA does not carry ethernet addresses, necessary to be bridged. So you must terminate it in the 877.

For dual-nat to work correctly, you must forward to the address of linksys, not to router internal interface. First of course verify that you can navigate from behind linksys as well.

Still not clear to me what prevents you from connecting directly to the 877 and not using the linksys.
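An added illustration of the point made in the replies above about bridging and PPPoA (not part of the thread and not Cisco code): what arrives on the PVC under each encapsulation. The header layouts follow RFC 2684 (LLC/SNAP, which "encapsulation aal5snap" uses) and RFC 2364 (PPP over AAL5, which "encapsulation aal5mux ppp" uses); the function names and sample payloads are constructed for the example. Only the bridged form contains the MAC addresses a bridge-group needs to forward a frame.

```python
# Added illustration, not from the thread. Header layouts per RFC 2684
# (multiprotocol over AAL5) and RFC 2364 (PPP over AAL5).
LLC_SNAP = bytes.fromhex("aaaa03")
OUI_BRIDGED = bytes.fromhex("0080c2")    # 802.1 OUI: a bridged MAC frame follows
OUI_ROUTED = bytes.fromhex("000000")     # an EtherType and routed PDU follow
LLC_PPP = bytes.fromhex("fefe03cf")      # LLC-encapsulated PPP
PPP_PROTOCOLS = {0xC021: "LCP", 0xC023: "PAP", 0xC223: "CHAP",
                 0x8021: "IPCP", 0x0021: "IPv4"}


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def classify(payload):
    """Describe what the start of an AAL5 payload carries."""
    if payload[:3] == LLC_SNAP and payload[3:6] == OUI_BRIDGED:
        pid = int.from_bytes(payload[6:8], "big")
        if pid in (0x0001, 0x0007):       # Ethernet with / without FCS
            frame = payload[10:]          # skip the 2-byte pad
            return {"kind": "bridged-ethernet", "bridgeable": True,
                    "dst_mac": mac(frame[:6]), "src_mac": mac(frame[6:12])}
    if payload[:3] == LLC_SNAP and payload[3:6] == OUI_ROUTED:
        return {"kind": "routed-snap", "bridgeable": False}
    if payload[:4] == LLC_PPP:
        proto = int.from_bytes(payload[4:6], "big")
        return {"kind": "ppp-llc", "bridgeable": False,
                "ppp": PPP_PROTOCOLS.get(proto, hex(proto))}
    # VC-mux PPP has no header at all: the PPP protocol field comes first.
    # Matching it against known protocol numbers is a heuristic.
    proto = int.from_bytes(payload[:2], "big")
    if proto in PPP_PROTOCOLS:
        return {"kind": "ppp-vcmux", "bridgeable": False,
                "ppp": PPP_PROTOCOLS[proto]}
    return {"kind": "unknown", "bridgeable": False}


# Constructed samples: a broadcast Ethernet frame in LLC/SNAP bridged form,
# and an LCP Configure-Request as sent on a VC-mux PPPoA circuit.
BRIDGED_SAMPLE = bytes.fromhex(
    "aaaa03" "0080c2" "0007" "0000"
    "ffffffffffff" "020000000001" "0800")
PPPOA_SAMPLE = bytes.fromhex("c021" "01010004")

if __name__ == "__main__":
    for name, sample in (("bridged", BRIDGED_SAMPLE), ("pppoa", PPPOA_SAMPLE)):
        print(name, classify(sample))
```
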

When I tried dualnat, the NAT in the 877 was correctly set up from the WAN interface to the wan1 interface of the Linksys. But unfortunately, it never works.

Why do we want to use 2 routers?

- we want to use 3 routers in order to implement a backup line.

- the 878 is "too difficult" for us. Our ISP does not help us anymore. The idea is to manage the Linksys but not the 878 once it is configured as transparent.

Paolo Bevilacqua Sun, 05/13/2007 - 08:38

Hi,

On Cisco with NAT, you can do debugs to find out why things don't work. It is a professional router, designed to do exactly the kind of things you want, dual-line, forward to ports, etc. If you want to use it as a bridge, ask the ISP to change encapsulation and you should be able to.

It is not "difficult" to use, but reasonably the job must be given to a person that at least has an idea of what he's doing. Most partners/resellers are like that.

Paolo Bevilacqua Tue, 05/15/2007 - 08:37

You need an "advanced ip services" image to configure up to 4 vlans on the 87x LAN ports. To access such image, at minimum software download access to CCO is required with a support contract, and features upgrade license.

Your cisco reseller should be able to provide you with both.
