02-16-2008 08:50 AM - edited 03-07-2019 12:27 AM
Hi All
It appears from reading the blurb on the 877 model that the ability to create extra VLANs (other than VLAN1) depends on the IOS ordered.
It appears that only 1 VLAN is supported unless you have the Advanced IP services/Advanced IP Enterprise IOS.
(see http://www.cisco.com/en/US/prod/collateral/routers/ps380/ps6200/prod_qas0900aecd8028a982.html)
Is the ability to create extra VLANs required to be able to connect an 877 to the internet via ADSL and have it provide DHCP addresses to my inside hosts, or can I use VLAN1 as my interface for my inside IP addresses (assigned via DHCP) while Dialer1 has my public IP address (statically/dynamically assigned)?
I ask because in a configuration provided by my ISP (see snippet), they suggest assigning the public IP address to interface VLAN1 and then tying this to the Dialer1 interface with the "ip unnumbered Vlan1" statement.
+++++ Configuration snippet +++++
!
interface Vlan1
! PUBLIC ADDRESS FOR LINE
ip address XXXXXX 255.255.255.252
ip tcp adjust-mss 1400
!
interface Dialer1
ip unnumbered Vlan1
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1400
+++++ End of snippet +++++
So my proposed amended configuration would look like this,
+++++ My Proposed configuration +++++
ip dhcp pool Vlan1
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server <IP of ISP DNS Server>
!
ip dhcp excluded-address 192.168.1.1
!
interface Vlan1
ip nat inside
ip address 192.168.1.1 255.255.255.0
!
interface Dialer1
ip nat outside
! PUBLIC ADDRESS FOR LINE
ip address XXXXXX 255.255.255.252
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1400
dialer pool 1
dialer remote-name redback
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname eircom
ppp chap password 7 xxxxxxxxxxxxxxxxx
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
+++++ End of my proposed Configuration +++++
Best Regards & TIA,
Michael
02-16-2008 04:15 PM
What physical port are you using to connect to the DSL line on the router?
You can certainly enter the static IP under the dialer1. Dialer1 is a logical interface derived from a physical interface which is usually ATM.
Here is a PPPoE configuration with Static IP.
http://www.cisco.com/en/US/tech/tk175/tk15/technologies_configuration_example09186a008071a799.shtml
HTH,
___
Edison.
02-16-2008 04:52 PM
Hi Edison
Yet again thank you for the response and link.
The ADSL line connects to a physical port labeled "ADSL" which I assume is ATM0 in the router's configuration.
This is the first time I have ever looked into manually configuring ADSL, and I found it odd that in the configuration provided by the ISP they assigned the public IP address to VLAN1 and then tied that to the Dialer1 interface, especially after reading that the 877 only supports a single VLAN unless you have the Advanced IP Services or Advanced Enterprise IOS, as I don't see how I could then configure the router to provide IP addresses to my inside hosts via DHCP.
I think I have it straight in my head now the configuration I need.
Again thanks a million for your time and patience.
Best Regards,
Michael
02-16-2008 08:52 PM
Post back with the outcome, I'll be interested to hear how it went.
Good luck.
02-17-2008 02:10 PM
Hi Edison
Cheers for all your help. I don't have my 877w yet, but I do have an old 837 ADSL router at home. So I had a go at setting this up and I have managed to get it up on the internet and providing my laptop with private (RFC 1918) addresses via DHCP.
Once I connect to the 837 using a patch lead I can surf the net. I am writing this message while connected to the 837 :)
The links you provided were of great help with getting this up and running.
Best Regards & again Many Thanks,
Michael
02-17-2008 02:41 PM
Excellent news Michael, hopefully your work on this setup helps other lurkers :)
__
Edison.
02-17-2008 03:11 PM
Hi Edison
Cheers. It felt good when I loaded my first web page via the 837 :)
Can I just ask if it would be advised to apply an inbound "deny IP any any" ACL to the dialer1 interface to prevent access to the router from the Internet?
Also, for any lurkers who are curious about the configuration that I ended up with, here it is. I have added a few comments and x-ed out the passwords and public IP addresses, but you will receive this information from your own ISP. This worked on a Cisco 837 with IOS 12.2.
======= Start of Config ============
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname keeleym
!
logging queue-limit 100
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxx
!
username all
ip subnet-zero
!ISP DNS Server
ip name-server xxx.xxx.xxx.xxx
!
!Exclude from DHCP the IP address assigned to the E0 interface
ip dhcp excluded-address 192.168.1.254
!
!I am serving the subnet 192.168.1.0/24 to my inside hosts
ip dhcp pool inside-net
network 192.168.1.0 255.255.255.0
default-router 192.168.1.254
!ISP DNS Server
dns-server xxx.xxx.xxx.xxx
!
ip audit notify log
ip audit po max-events 100
vpdn enable
!
vpdn-group 1
request-dialin
protocol pppoe
!
no ftp-server write-enable
!
interface Ethernet0
ip address 192.168.1.254 255.255.255.0
ip nat inside
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5snap
pppoe-client dial-pool-number 1
dsl operating-mode auto
!
!
interface Dialer1
ip address negotiated
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
!
!CHAP Hostname is provided by your ISP
ppp chap hostname xxxxxxxxxxxxxxxxxxx
!
!CHAP Password is provided by your ISP
ppp chap password 7 xxxxxxxxxxxxxxxxxxxxx
!
!Configure NAT for your inside subnet IP addresses
ip nat inside source list 1 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
! Permit all addresses on your inside subnet
!This access list is used to configure NAT
access-list 1 permit 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
!
line con 0
exec-timeout 0 0
password 7 xxxxxxxxxxxxxxxxxxxx
logging synchronous
login
no modem enable
stopbits 1
line aux 0
stopbits 1
line vty 0 4
exec-timeout 5 0
password 7 xxxxxxxxxxxxxxxxxxxxxx
login
length 0
!
scheduler max-task-time 5000
!
end
======== End of Config ==============
Best Regards,
Michael
02-17-2008 04:42 PM
> Can I just ask if it would be advised to apply an inbound "deny IP any any" ACL
> to the dialer1 interface to prevent access to the router from the Internet?
A deny ip any any will block all return traffic from the internet hence breaking the connection.
For security, I recommend placing an access-class under the vty lines and only allow your internal subnet to telnet to this router.
For instance
access-list 5 permit 192.168.1.0 0.0.0.255
!
line vty 0 15
access-class 5 in
Another suggestion is blocking icmp requests from the internet, for instance:
access-list 100 deny icmp any any echo
access-list 100 permit ip any any
interface dialer1
ip access-group 100 in
02-18-2008 12:31 AM
Hi Edison
Once again, thank you for your advice. Much appreciated.
I thought that once a connection was established from within my internal subnet towards the internet all return traffic would come over this connection. Is this not the case?
My aim was to stop anybody on the Internet who happens upon my IP address, sending any type of traffic to the router.
Best Regards & again many thanks,
Michael
02-18-2008 07:12 AM
> I thought that once a connection was established from within my internal subnet towards the internet
> all return traffic would come over this connection. Is this not the case?
Yes, they will return over that connection, but the packet will be inspected by any ACL on that interface (dialer1). If you have a deny ip any any, all connections will be dropped.
You can configure Reflexive ACLs if you want external connections to be allowed only when requested from the inside.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part15/schreflx.htm
HTH,
__
Edison.
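As an added example (this is not code from the thread, and not Edison's or Michael's configuration), here is how the two suggestions above fit together on the 837/877 setup Michael posted: the vty access-class keeps the management plane reachable only from the LAN, and a reflexive ACL on Dialer1 admits return traffic only for sessions that were opened from the inside, which is what the "deny ip any any" idea was trying to achieve without breaking the connection. It assumes Michael's layout (inside subnet 192.168.1.0/24 on Ethernet0, Dialer1 as the PPPoE uplink); the ACL names, the timeout values and the decision to log denied packets are my choices, and the image must include the reflexive access list feature.

```cisco
! Added example, not from the thread. Assumes 192.168.1.0/24 behind
! Ethernet0 and Dialer1 as the ADSL/PPPoE uplink. ACL names, timeouts
! and logging are the editor's choices, not the ISP's or Cisco's defaults.
!
! 1. Management plane: only inside hosts may open a vty session.
access-list 5 permit 192.168.1.0 0.0.0.255
line vty 0 4
 access-class 5 in
!
! 2. Outbound: every session leaving through Dialer1 creates a temporary
!    mirror entry in RETURN-TRAFFIC (addresses and ports swapped). This
!    ACL is checked after NAT, so the entries carry the public address
!    and match the replies as they arrive from the internet.
ip access-list extended OUTBOUND
 permit tcp any any reflect RETURN-TRAFFIC timeout 300
 permit udp any any reflect RETURN-TRAFFIC timeout 60
 permit icmp any any reflect RETURN-TRAFFIC timeout 30
!
! 3. Inbound: admit only packets matching a live mirror entry, then drop
!    everything else, including pings and anything aimed at the router
!    itself. "log" shows what is being knocked back (show logging).
ip access-list extended INBOUND
 evaluate RETURN-TRAFFIC
 deny icmp any any echo
 deny ip any any log
!
! 4. Bind both lists to the uplink.
interface Dialer1
 ip access-group OUTBOUND out
 ip access-group INBOUND in
```

Two caveats a practitioner should know before copying this. Traffic the router originates itself (its own DNS lookups via ip name-server, for example) never passes through the outbound ACL, so it creates no mirror entry and its replies are dropped by INBOUND; if you need those, add an explicit permit for the ISP's DNS server above the evaluate line. Reflexive lists also cannot follow protocols that negotiate a second data channel (active-mode FTP is the usual victim); for those the stateful inspection feature (ip inspect, CBAC) is the next step up from this approach.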