Cisco 877 and creating additional VLANs

Answered Question

Hi All

It appears from reading the blurb on the 877 model that the ability to create extra VLANs (other than VLAN1) depends on the IOS ordered.

It appears that only 1 VLAN is supported unless you have the Advanced IP Services/Advanced Enterprise IOS.

(see http://www.cisco.com/en/US/prod/collateral/routers/ps380/ps6200/prod_qas0900aecd8028a982.html)

Is the ability to create extra VLANs required to be able to connect an 877 to the internet via ADSL and have it provide DHCP addresses to my inside hosts, or can I use VLAN1 as my interface for my inside IP addresses (assigned via DHCP) while Dialer1 has my public IP address (statically/dynamically assigned)?

I ask because in a configuration provided by my ISP (see snippet), they suggest assigning the public IP address to interface VLAN1 and then tying this to the Dialer1 interface with the "ip unnumbered Vlan1" statement.

+++++ Configuration snippet +++++
!
interface Vlan1
 ! PUBLIC ADDRESS FOR LINE
 ip address XXXXXX 255.255.255.252
 ip tcp adjust-mss 1400
!
interface Dialer1
 ip unnumbered Vlan1
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1400
+++++ End of snippet +++++

So my proposed amended configuration would look like this,

+++++ My Proposed configuration +++++
ip dhcp pool Vlan1
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server <IP of ISP DNS Server>
!
ip dhcp excluded-address 192.168.1.1
!
interface Vlan1
 ip nat inside
 ip address 192.168.1.1 255.255.255.0
!
interface Dialer1
 ip nat outside
 ! PUBLIC ADDRESS FOR LINE
 ip address XXXXXX 255.255.255.252
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1400
 dialer pool 1
 dialer remote-name redback
 dialer-group 1
 ppp authentication pap chap callin
 ppp chap hostname eircom
 ppp chap password 7 xxxxxxxxxxxxxxxxx
!
! Translation rule: without it, "ip nat inside/outside" alone translates nothing
ip nat inside source list 1 interface Dialer1 overload
access-list 1 permit 192.168.1.0 0.0.0.255
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
+++++ End of my proposed Configuration +++++

Best Regards & TIA,

Michael


Hi Edison

Yet again thank you for the response and link.

The ADSL line connects to a physical port labeled "ADSL" which I assume is ATM0 in the routers configuration.

This is the first time I have ever looked into manually configuring ADSL, and I found the fact that, in the configuration provided by the ISP, they assigned the public IP address to VLAN1 and then tied that to the Dialer1 interface confusing. Especially after reading that the 877 only supports a single VLAN unless you have the Advanced IP Services or Advanced Enterprise IOS, as I don't see how I could then configure the router to provide IP addresses to my inside hosts via DHCP.

I think I have it straight in my head now the configuration I need.

Again thanks a million for your time and patience.

Best Regards,

Michael

Edison Ortiz Sat, 02/16/2008 - 20:52

Post back with the outcome, I'll be interested to hear how it went.

Good luck.

Hi Edison

Cheers for all your help. I don't have my 877w yet, but I do have an old 837 ADSL router at home. So I had a go at setting this up and I have managed to get it up on the internet and providing my laptop with private (rfc 1918) addresses via DHCP.

Once I connect to the 837 using a patch lead I can surf the net. I am writing this message while connected to the 837 :)

The links you provided were of great help with getting this up and running.

Best Regards & again Many Thanks,

Michael

Edison Ortiz Sun, 02/17/2008 - 14:41

Excellent news Michael, hopefully your work on this setup helps other lurkers :)

__

Edison.

Hi Edison

Cheers. It felt good when I loaded my first web page via the 837 :)

Can I just ask if it would be advised to apply an inbound "deny IP any any" ACL to the dialer1 interface to prevent access to the router from the Internet?

Also, for any lurkers who are curious about the configuration that I ended up with, here it is. I have added a few comments and "x"ed out the passwords and public IP addresses, but you will receive this information from your own ISP. This worked on a Cisco 837 with IOS 12.2.

======= Start of Config ============
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname keeleym
!
logging queue-limit 100
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxx
!
username all
ip subnet-zero
!ISP DNS Server
ip name-server xxx.xxx.xxx.xxx
!
!Exclude from DHCP the IP address assigned to the E0 interface
ip dhcp excluded-address 192.168.1.254
!
!I am serving the subnet 192.168.1.0/24 to my inside hosts
ip dhcp pool inside-net
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.254
 !ISP DNS Server
 dns-server xxx.xxx.xxx.xxx
!
ip audit notify log
ip audit po max-events 100
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pppoe
!
no ftp-server write-enable
!
interface Ethernet0
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5snap
  pppoe-client dial-pool-number 1
 !
 dsl operating-mode auto
!
interface Dialer1
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap chap callin
 !CHAP Hostname is provided by your ISP
 ppp chap hostname xxxxxxxxxxxxxxxxxxx
 !CHAP Password is provided by your ISP
 ppp chap password 7 xxxxxxxxxxxxxxxxxxxxx
!
!Configure NAT for your inside subnet IP addresses
ip nat inside source list 1 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
! Permit all addresses on your inside subnet
!This access list is used to configure NAT
access-list 1 permit 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
!
line con 0
 exec-timeout 0 0
 password 7 xxxxxxxxxxxxxxxxxxxx
 logging synchronous
 login
 no modem enable
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 5 0
 password 7 xxxxxxxxxxxxxxxxxxxxxx
 login
 length 0
!
scheduler max-task-time 5000
!
end
======== End of Config ==============

Best Regards,

Michael

Correct Answer
Edison Ortiz Sun, 02/17/2008 - 16:42

> Can I just ask if it would be advised to apply an inbound "deny IP any any" ACL

> to the dialer1 interface to prevent access to the router from the Internet?

A deny ip any any will block all return traffic from the internet hence breaking the connection.

For security, I recommend placing an access-class under the vty lines and only allow your internal subnet to telnet to this router.

For instance:

access-list 5 permit 192.168.1.0 0.0.0.255
!
line vty 0 15
 access-class 5 in

Another suggestion is blocking icmp requests from the internet, for instance:

access-list 100 deny icmp any any echo
access-list 100 permit ip any any
!
interface dialer1
 ip access-group 100 in

Hi Edison

Once again, thank you for your advice. Much appreciated.

I thought that once a connection was established from within my internal subnet towards the internet all return traffic would come over this connection. Is this not the case?

My aim was to stop anybody on the Internet who happens upon my IP address, sending any type of traffic to the router.

Best Regards & again many thanks,

Michael

Correct Answer
Edison Ortiz Mon, 02/18/2008 - 07:12

> I thought that once a connection was established from within my internal subnet towards the internet

> all return traffic would come over this connection. Is this not the case?

Yes, they will return over that connection, but the packet will be inspected by any ACL on that interface (dialer1). If you have a deny ip any any, all connections will be dropped.

You can configure Reflexive ACLs if you want external connections to be allowed only when requested from the inside.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part15/schreflx.htm

HTH,

__

Edison.
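Putting Edison's two suggestions together, here is an added example (my own, not from the thread or from Cisco's documentation) of a reflexive ACL on Dialer1 plus the vty access-class, written against Michael's 192.168.1.0/24 design. The list names (OUTBOUND-REFLECT, INBOUND-FILTER, RETURN-*) and the idle timeouts are my assumptions.

```ios
! Outbound on Dialer1: everything the inside initiates is permitted and a
! mirror-image (reflexive) entry is recorded so its return traffic gets in.
ip access-list extended OUTBOUND-REFLECT
 permit tcp any any reflect RETURN-TCP timeout 300
 permit udp any any reflect RETURN-UDP timeout 60
 permit icmp any any reflect RETURN-ICMP timeout 30
 permit ip any any
!
! Inbound on Dialer1: unsolicited echo requests are dropped first (Edison's
! ICMP suggestion), then only traffic matching a reflexive entry is allowed.
! Everything else, i.e. connections started from the Internet, is denied
! and logged instead of the blanket "deny ip any any" that broke replies.
ip access-list extended INBOUND-FILTER
 deny   icmp any any echo
 evaluate RETURN-TCP
 evaluate RETURN-UDP
 evaluate RETURN-ICMP
 deny   ip any any log
!
interface Dialer1
 ip access-group OUTBOUND-REFLECT out
 ip access-group INBOUND-FILTER in
!
! Management plane: only the inside subnet may open a vty session.
access-list 5 permit 192.168.1.0 0.0.0.255
access-list 5 deny   any log
line vty 0 4
 access-class 5 in
```

Reflexive entries are built after outbound NAT, so they hold the public addresses that inbound packets carry when the ACL inspects them, before un-translation. The feature needs an IOS feature set that includes reflexive ACLs, and it cannot follow protocols such as active FTP that open a second connection from the outside.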
