Cisco 876 pppoe with bridged modem

Hello sirs,

I'm new to this, so please forgive my ignorance. I have a Cisco 876 router running the advipservicesk9-mz.124-15.T17 IOS. My ADSL2+ line is PSTN, so I figured I could use this router with a Zyxel modem in bridged mode. After much frustration and searching the web, I finally got it to work. I also used Cisco CCP to apply a zone firewall in low mode, since I know very little about firewalls. I'm posting my configuration below and I would appreciate any feedback as to whether it is correct or not. Also, is there a way to create a second VLAN so that the Zyxel modem would be accessed through a different network than that of my primary VLAN?

Thanks in advance

Building configuration...

Current configuration : 9546 bytes

!

version 12.4

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname Kerberos

!

boot-start-marker

boot system flash:c870-advipservicesk9-mz.124-15.T17.bin

boot-end-marker

!

security authentication failure rate 3 log

security passwords min-length 6

no logging buffered

logging console critical

enable secret 5 $1$26AC$XdfeeI/jEufq7z71fGib..

!

aaa new-model

!

!

aaa authentication login default local enable

aaa authentication login clientauth local

aaa authentication login local_authen local

aaa authorization exec local_author local

aaa authorization network groupauthor local

!

!

aaa session-id common

clock timezone Athens 2

!

crypto pki trustpoint TP-self-signed-2038751039

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-2038751039

revocation-check none

rsakeypair TP-self-signed-2038751039

!

!

crypto pki certificate chain TP-self-signed-2038751039

certificate self-signed 01


      quit

dot11 syslog

no ip source-route

ip cef

!

!

!

!

no ip bootp server

ip domain name chaos.com

!

multilink bundle-name authenticated

!

!

username babz privilege 15 password 7 110D000B16011F15

!

!

archive

log config

  hidekeys

!

!

ip tcp synwait-time 10

ip ssh time-out 60

ip ssh authentication-retries 2

!

class-map type inspect match-any ccp-skinny-inspect

match protocol skinny

class-map type inspect match-any ccp-cls-insp-traffic

match protocol cuseeme

match protocol dns

match protocol ftp

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

match protocol netshow

match protocol shell

match protocol realmedia

match protocol rtsp

match protocol smtp extended

match protocol sql-net

match protocol streamworks

match protocol tftp

match protocol vdolive

match protocol tcp

match protocol udp

class-map type inspect match-all ccp-insp-traffic

match class-map ccp-cls-insp-traffic

class-map type inspect match-any ccp-cls-icmp-access

match protocol icmp

match protocol tcp

match protocol udp

class-map type inspect match-any ccp-h225ras-inspect

match protocol h225ras

class-map type inspect match-any ccp-h323-inspect

match protocol h323

class-map type inspect match-all ccp-invalid-src

match access-group 100

class-map type inspect match-all ccp-icmp-access

match class-map ccp-cls-icmp-access

class-map type inspect match-any ccp-sip-inspect

match protocol sip

class-map type inspect match-all ccp-protocol-http

match protocol http

!

!

policy-map type inspect ccp-permit-icmpreply

class type inspect ccp-icmp-access

  inspect

class class-default

  pass

policy-map type inspect ccp-inspect

class type inspect ccp-invalid-src

  drop log

class type inspect ccp-protocol-http

  inspect

class type inspect ccp-insp-traffic

  inspect

class type inspect ccp-h323-inspect

  inspect

class type inspect ccp-h225ras-inspect

  inspect

class class-default

policy-map type inspect ccp-permit

class class-default

!

zone security in-zone

zone security out-zone

zone-pair security ccp-zp-out-self source out-zone destination self

service-policy type inspect ccp-permit

zone-pair security ccp-zp-in-out source in-zone destination out-zone

service-policy type inspect ccp-inspect

zone-pair security ccp-zp-self-out source self destination out-zone

service-policy type inspect ccp-permit-icmpreply

!

!

!

interface Null0

no ip unreachables

!

interface BRI0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

encapsulation hdlc

ip route-cache flow

shutdown

!

interface ATM0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip route-cache flow

shutdown

no atm ilmi-keepalive

dsl operating-mode auto

!

interface FastEthernet0

description ADSL WAN Interface

pppoe enable group global

pppoe-client dial-pool-number 1

no cdp enable

!

interface FastEthernet1

no cdp enable

!

interface FastEthernet2

no cdp enable

!

interface FastEthernet3

no cdp enable

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$

ip address 192.168.1.200 255.255.255.0

ip access-group 101 in

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

ip virtual-reassembly

zone-member security in-zone

ip route-cache flow

pppoe enable group global

!

interface Dialer1

description ADSL WAN Dialer$FW_OUTSIDE$

ip address negotiated

no ip redirects

no ip unreachables

no ip proxy-arp

ip mtu 1452

ip nat outside

ip virtual-reassembly

zone-member security out-zone

encapsulation ppp

ip route-cache flow

no ip mroute-cache

dialer pool 1

dialer-group 1

no cdp enable

ppp chap hostname *****************************

ppp chap password 7 *********************

ppp ipcp dns request

ppp ipcp route default

!

ip forward-protocol nd

!

!

ip http server

ip http access-class 7

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip nat translation finrst-timeout 120

ip nat inside source list 1 interface Dialer1 overload

!

no logging trap

access-list 1 remark CCP_ACL Category=2

access-list 1 permit 192.168.1.0 0.0.0.255

access-list 7 remark HTTP Access-class list

access-list 7 remark CCP_ACL Category=1

access-list 7 permit 192.168.1.230

access-list 7 permit 192.168.1.0 0.0.0.255

access-list 7 deny   any

access-list 8 remark CCP_ACL Category=2

access-list 8 permit 192.168.1.0 0.0.0.255

access-list 9 remark CCP_ACL Category=2

access-list 9 permit 192.168.1.0 0.0.0.255

access-list 100 remark CCP_ACL Category=128

access-list 100 permit ip host 255.255.255.255 any

access-list 100 permit ip 127.0.0.0 0.255.255.255 any

access-list 101 remark Auto generated by SDM Management Access feature

access-list 101 remark CCP_ACL Category=1

access-list 101 permit tcp host 192.168.1.230 host 192.168.1.200 eq telnet

access-list 101 permit tcp host 192.168.1.230 host 192.168.1.200 eq 22

access-list 101 permit tcp host 192.168.1.230 host 192.168.1.200 eq www

access-list 101 permit tcp host 192.168.1.230 host 192.168.1.200 eq 443

access-list 101 permit tcp host 192.168.1.230 host 192.168.1.200 eq cmd

access-list 101 deny   tcp any host 192.168.1.200 eq telnet

access-list 101 deny   tcp any host 192.168.1.200 eq 22

access-list 101 deny   tcp any host 192.168.1.200 eq www

access-list 101 deny   tcp any host 192.168.1.200 eq 443

access-list 101 deny   tcp any host 192.168.1.200 eq cmd

access-list 101 deny   udp any host 192.168.1.200 eq snmp

access-list 101 permit ip any any

access-list 102 remark Auto generated by SDM Management Access feature

access-list 102 remark CCP_ACL Category=1

access-list 102 permit ip host 192.168.1.230 any

no cdp run

!

!

!

!

control-plane

!

banner login ^CC

+-------------------------------------------------------+

|                                                       |

|                     CHAOS                             |

|                                                       |

|                                                       |

|                                                       |

+-------------------------------------------------------+

| UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE AND        |

| ATTACHED NETWORKS IS STRICTLY PROHIBITED.             |

| You must have explicit permission to access or        |

| configure this device. All activities performed on    |

| this device may be logged or monitored without further|

| notice, and the resulting logs may be used as evidence|

| in court.                                             |

| Any unauthorized use of the system is unlawful, and   |

| may be subject to civil and/or criminal penalties.    |

+-------------------------------------------------------+

^C

!

line con 0

login authentication local_authen

no modem enable

transport output telnet

line aux 0

login authentication local_authen

transport output telnet

line vty 0 4

access-class 102 in

authorization exec local_author

login authentication local_authen

transport input telnet ssh

!

scheduler max-task-time 5000

scheduler allocate 4000 1000

scheduler interval 500

end
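Added example (not part of the original post and not Cisco tooling): a short Python check over management-plane settings that appear in the configuration above, run against an excerpt of it and against a corrected counterpart. The rule names, the placeholder secrets and the `HARDENED_CONFIG` text are assumptions of this example.

```python
import ipaddress
import re

# Excerpt of the configuration posted above; secrets replaced by placeholders.
WEAK_CONFIG = """\
no logging buffered
username babz privilege 15 password 7 <type7-string>
ip http server
ip http secure-server
access-list 7 permit 192.168.1.230
access-list 7 permit 192.168.1.0 0.0.0.255
access-list 7 deny   any
access-list 101 permit tcp host 192.168.1.230 host 192.168.1.200 eq telnet
line vty 0 4
 access-class 102 in
 transport input telnet ssh
"""

# Constructed counterpart with the flagged settings corrected (assumption:
# management stays limited to the single host 192.168.1.230).
HARDENED_CONFIG = """\
logging buffered 16384
username babz privilege 15 secret 5 <md5-crypt-hash>
no ip http server
ip http secure-server
access-list 7 permit 192.168.1.230
access-list 7 deny   any
line vty 0 4
 access-class 102 in
 transport input ssh
"""

STD_PERMIT = re.compile(
    r"access-list (\d+) permit (\d+\.\d+\.\d+\.\d+)(?: (\d+\.\d+\.\d+\.\d+))?$")


def _network(addr, wildcard):
    """Turn an IOS address/wildcard pair into an ipaddress network."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _subsumed_permits(lines):
    """Find standard-ACL permits that a later, broader permit also covers."""
    acls = {}
    for line in lines:
        m = STD_PERMIT.match(line)
        if m and 1 <= int(m.group(1)) <= 99:
            try:
                net = _network(m.group(2), m.group(3) or "0.0.0.0")
            except ValueError:      # non-contiguous wildcard: not modelled here
                continue
            acls.setdefault(m.group(1), []).append(net)
    hits = []
    for number, nets in acls.items():
        for i, narrow in enumerate(nets):
            for broad in nets[i + 1:]:
                if narrow != broad and narrow.subnet_of(broad):
                    hits.append(f"access-list {number}: {narrow} also covered by {broad}")
    return hits


def audit(config):
    """Return (rule, detail) findings; rule names are this example's own."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings, in_vty = [], False
    for line in lines:
        if line.startswith("line "):
            in_vty = line.startswith("line vty")
        elif line == "!":
            in_vty = False
        m = re.match(r"username (\S+) .*\bpassword 7 ", line)
        if m:   # type 7 is reversible obfuscation, unlike a hashed "secret"
            findings.append(("TYPE7_USER_PASSWORD", m.group(1)))
        if line == "ip http server":        # plaintext HTTP management
            findings.append(("PLAINTEXT_HTTP_MGMT", line))
        if line == "no logging buffered":   # no local log history kept
            findings.append(("NO_LOCAL_LOG_BUFFER", line))
        if in_vty and line.startswith("transport input") and "telnet" in line.split():
            findings.append(("TELNET_ON_VTY", line))
    findings += [("ACL_ENTRY_SUBSUMED", d) for d in _subsumed_permits(lines)]
    return findings


if __name__ == "__main__":
    for rule, detail in audit(WEAK_CONFIG):
        print(f"{rule:22} {detail}")
```

In the posted configuration, access-list 101 on Vlan1 still limits the management ports on 192.168.1.200 to host 192.168.1.230, so the access-list 7 finding is about that list on its own.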

Accepted Solutions
Purple

Cisco 876 pppoe with bridged modem

Hi,

You can't make it an L3 routed port, so if you have IOS 15 you can do an intra-zone policy with ZBF, or you can maybe put an L2 access list if it is possible on this platform, but I'm not sure it is.

Regards

Alain

Don't forget to rate helpful posts.

27 REPLIES

Cisco 876 pppoe with bridged modem

Anyone??

Purple

Cisco 876 pppoe with bridged modem

Hi,

For the second VLAN:

- On the interface where a device in this VLAN is connected:

  int f1/x
  switchport access vlan x

- Create the SVI:

  int vlan 2
  ip address 192.168.2.254 255.255.255.0

- Make this interface part of the inside zone:

  int vlan 2
  zone-member security in-zone

Regards

Alain

Don't forget to rate helpful posts.


Cisco 876 pppoe with bridged modem

Hello Alain, I tried your example

int vlan 2

ip address 10.10.10.2 255.255.255.0

interface fae0

switchport access vlan 2

but then PPPoE drops. I tried restarting the dialer interface, but it gets no IP from the ISP.

Purple

Cisco 876 pppoe with bridged modem

Hi,

I forgot to edit ACL for NAT:

access-list 1 permit 10.10.10.0 0.0.0.255

This should have no impact on dialer interface getting an IP as you only changed the LAN.

Regards

Alain

Don't forget to rate helpful posts.


Cisco 876 pppoe with bridged modem

Hi again,

Yet the same thing happens: as soon as I enter switchport access vlan2 on ethernet0 (that's the interface that the dialer uses for PPPoE), the connection drops :S

Purple

Cisco 876 pppoe with bridged modem

Hi,

Of course this is on another interface, not the one connected to the bridged modem.

I hadn't noticed you had done this before.

Regards

Alain

Don't forget to rate helpful posts.


Re: Cisco 876 pppoe with bridged modem

So what you are saying is that this interface Fae0 that's on the bridged modem cannot change VLAN? It must always be on 192.168.1.200?

I've done this because my modem (Zyxel) is a single-port one and I'm trying to maintain access to it but have it on a different network than my LAN.

Purple

Cisco 876 pppoe with bridged modem

You're running PPPoE on this interface, so this is the dialer interface which gets an IP from PPP, and this is your outside interface.

Your VLAN interface is for L3 access for clients connected to L2 ports in the corresponding VLAN; these are the inside interfaces.

Oh, and I realize I still forgot one thing: you have to enable NAT with ip nat inside on the corresponding interface vlan,

otherwise traffic won't get NATted. I forgot lots of basic stuff when replying in this thread (I'm a little bit tired these days and I reply too fast without making my brain work).

Regards

Alain

Don't forget to rate helpful posts.


Cisco 876 pppoe with bridged modem

Thank you very much for your input. What you mention makes absolute sense. What I cannot understand is why, if I leave the config as it is, I have access to the bridged modem through Fae0 (dialer interface).

Purple

Cisco 876 pppoe with bridged modem

Hi,

Which config, the one you had before?

What don't you understand?

Regards

Alain

Don't forget to rate helpful posts.


Cisco 876 pppoe with bridged modem

Yes, the one I posted above. With that configuration I'm able to access the Zyxel through fae0, the same port that Dialer1 uses; it is the port that's connected to the Zyxel. I'm sorry if my questions seem stupid, but I'm trying to learn and have no previous experience with Cisco routers.

Purple

Cisco 876 pppoe with bridged modem

I don't understand exactly what you want to know.

Could you clarify, please?

Regards

Alain

Don't forget to rate helpful posts.


Cisco 876 pppoe with bridged modem

Hello and thanks again for spending time to help out.

Look:

c876(192.168.1.200)ethernet0---------->zyxel(192.168.100) in bridged mode, that's how it's connected. What I don't understand is why I can still access the Zyxel web interface. ethernet0 on the 876 is supposed to be the dialer's interface and it works that way just fine, but it also works as a LAN interface..

Purple

Cisco 876 pppoe with bridged modem

Hi,

OK, so all 4 Ethernet ports on the 876 are switch ports, so are you sure your Zyxel is indeed bridging? Because the dialer interface should be linked to an L3 port as far as I know.

Can you provide following output:

-sh ip int br

-sh ip route

Regards

Alain

Don't forget to rate helpful posts.


Re: Cisco 876 pppoe with bridged modem

Yes, of course I'm sure, it's in bridge mode and I have internet. Here's the output..

Kerberos#sh ip int

Kerberos#sh ip interface brie

Interface                  IP-Address      OK? Method Status                Protocol

ATM0                       unassigned      YES NVRAM  administratively down down              

BRI0                       unassigned      YES NVRAM  administratively down down              

BRI0:1                     unassigned      YES unset  administratively down down              

BRI0:2                     unassigned      YES unset  administratively down down              

Dialer1                    62.1.59.176     YES IPCP   up                    up                

FastEthernet0              unassigned      YES unset  up                    up                

FastEthernet1              unassigned      YES unset  administratively down down              

FastEthernet2              unassigned      YES unset  administratively down down              

FastEthernet3              unassigned      YES unset  up                    up                

NVI0                       unassigned      YES unset  administratively down down              

Virtual-Access1            unassigned      YES unset  up                    up                

Vlan1                      192.168.1.200   YES NVRAM  up                    up                

Kerberos#sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route

Gateway of last resort is 213.16.246.30 to network 0.0.0.0

     213.16.246.0/32 is subnetted, 1 subnets

C       213.16.246.30 is directly connected, Dialer1

C    192.168.1.0/24 is directly connected, Vlan1

     62.0.0.0/32 is subnetted, 1 subnets

C       62.1.59.176 is directly connected, Dialer1

S*   0.0.0.0/0 [1/0] via 213.16.246.30

My PC is connected to ethernet3 on the c876, eth2 and eth1 are shut down, and eth0 is connected to the Zyxel, and I can access the Zyxel (192.168.1.100).

Purple

Cisco 876 pppoe with bridged modem

Hi,

OK, so it seems correct, but you said that you could communicate with the Zyxel from the 876?

Can you show me that by pinging it after doing this:

enable

conf t

access-list 199 permit icmp any any

service timestamp debug uptime

logging buffer 7

do clear log

do debug ip pack deta 199

Then do your ping to the Zyxel and issue the following command: do sh log

Hit enter to get all of it and post the output.

Regards

Alain

Don't forget to rate helpful posts.


Cisco 876 pppoe with bridged modem

Kerberos#sh log
Syslog logging: enabled (1 messages dropped, 0 messages rate-limited,
                0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

No Inactive Message Discriminator.


    Console logging: level critical, 0 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging:  level debugging, 99 messages logged, xml disabled,
                     filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
    Persistent logging: disabled

No active filter modules.

ESM: 0 messages dropped

    Trap logging: disabled

Log Buffer (4096 bytes):
.92.36.124 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB
000364: 14:45:08: IP: s=84.92.36.124 (Dialer1), d=192.168.1.250 (Vlan1), len 123, dropped by inspect
000365: 14:45:08:     ICMP type=3, code=3
000366: 14:45:12: IP: tableid=0, s=79.160.77.241 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB
000367: 14:45:12: IP: s=79.160.77.241 (Dialer1), d=192.168.1.250 (Vlan1), len 123, dropped by inspect
000368: 14:45:12:     ICMP type=3, code=3

000420: 14:45:54:     ICMP type=11, code=0
000421: 14:45:56: IP: tableid=0, s=112.198.111.142 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB
000422: 14:45:56: IP: s=112.198.111.142 (Dialer1), d=192.168.1.250 (Vlan1), len 123, dropped by inspect
000423: 14:45:56:     ICMP type=3, code=0
000424: 14:46:00: IP: tableid=0, s=79.161.66.79 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB
000425: 14:46:00: IP: s=79.161.66.79 (Dialer1), d=192.168.1.250 (Vlan1), len 56, dropped by inspect
000426: 14:46:00:     ICMP type=3, code=13
000427: 14:46:01: IP: tableid=0, s=180.234.250.77 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB
000428: 14:46:01: IP: s=180.234.250.77 (Dialer1), d=192.168.1.250 (Vlan1), len 123, dropped by inspect
000429: 14:46:01:     ICMP type=3, code=3
000430: 14:46:01: IP: tableid=0, s=68.43.230.66 (Dialer1), d=62.1.59.176 (Dialer1), routed via RIB
000431: 14:46:01: IP: s=68.43.230.66 (Dialer1), d=62.1.59.176 (Dialer1), len 123, rcvd 3
000432: 14:46:01:     ICMP type=3, code=1
000433: 14:46:01: IP: s=68.43.230.66 (Dialer1), d=62.1.59.176, len 123, dropped by local inspect
000434: 14:46:01:     ICMP type=3, code=1
000435: 14:46:02: IP: tableid=0, s=60.50.113.139 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB
000436: 14:46:02: IP: s=60.50.113.139 (Dialer1), d=192.168.1.250 (Vlan1), len 123, dropped by inspect
000437: 14:46:02:     ICMP type=3, code=3
000438: 14:46:03: IP: tableid=0, s=41.87.108.2 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB
000439: 14:46:03: IP: s=41.87.108.2 (Dialer1), d=192.168.1.250 (Vlan1), len 123, dropped by inspect
000440: 14:46:03:     ICMP type=3, code=1
000441: 14:46:06: IP: tableid=0, s=95.150.180.104 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB
000442: 14:46:06: IP: s=95.150.180.104 (Dialer1), d=192.168.1.250 (Vlan1), len 123, dropped by inspect
000443: 14:46:06:     ICMP type=3, code=1
000444: *Feb 12 22:55:24.016 Athens: %IP_VFR-4-FRAG_TABLE_OVERFLOW: Virtual-Access1: the fragment table has reached its maximum threshold 1695: 14:45:21:     ICMP type=8, code=0
.248.160.35 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB
000446: 14:46:10: IP: s=66.248.160.35 (Dialer1), d=192.168.1.250 (Vlan1), len 56, dropped by inspect
000447: 14:46:10:     ICMP type=3, code=3   ICMP type=0, code=0
000399: 14:45:22: IP: tableid=0, s=60.241.169.192 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB
000400: 14:45:22: IP: s=60.241.169.192 (Dialer1), d=192.168.1.250 (Vlan1), len 123, dropped by inspect
000401: 14:45:22:     ICMP type=3, code=1
000402: 14:45:23: IP: tableid=0, s=109.228.87.167 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB
000403: 14:45:23: IP: s=109.228.87.167 (Dialer1), d=192.168.1.250 (Vlan1), len 123, dropped by inspect
000404: 14:45:23:     ICMP type=3, code=3
000405: 14:45:23: IP: tableid=0, s=91.119.71.28 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB
000406: 14:45:23: IP: s=91.119.71.28 (Dialer1), d=192.168.1.250 (Vlan1), len 56, dropped by inspect
000407: 14:45:23:     ICMP type=3, code=13
000408: *Feb 12 22:54:47.256 Athens: %IP_VFR-4-FRAG_TABLE_OVERFLOW: Virtual-Access1: the fragment table has reached its maximum threshold 16
000409: 14:45:45: IP: tableid=0, s=86.163.47.171 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB
000410: 14:45:45: IP: s=86.163.47.171 (Dialer1), d=192.168.1.250 (Vlan1), len 123, dropped by inspect
000411: 14:45:45:     ICMP type=3, code=1
000412: 14:45:49: IP: tableid=0, s=94.113.247.45 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB
000413: 14:45:49: IP: s=94.113.247.45 (Dialer1), d=192.168.1.250 (Vlan1), len 123, dropped by inspect
000414: 14:45:49:     ICMP type=3, code=3

Is that correct?

Cisco 876 pppoe with bridged modem

I'm sorry, here it is again....

Kerberos#ping 192.168.1.100

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.100, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 4/12/24 ms

Kerberos#sh log

Syslog logging: enabled (1 messages dropped, 0 messages rate-limited,

                0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

No Inactive Message Discriminator.

    Console logging: level critical, 0 messages logged, xml disabled,

                     filtering disabled

    Monitor logging: level debugging, 0 messages logged, xml disabled,

                     filtering disabled

    Buffer logging:  level debugging, 376 messages logged, xml disabled,

                     filtering disabled

    Logging Exception size (4096 bytes)

    Count and timestamp logging messages: disabled

    Persistent logging: disabled

No active filter modules.

ESM: 0 messages dropped

    Trap logging: disabled

Log Buffer (4096 bytes):

0, s=71.29.83.191 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB

000528: 14:47:47: IP: s=71.29.83.191 (Dialer1), d=192.168.1.250 (Vlan1), len 80, dropped by inspect

000529: 14:47:47:     ICMP type=3, code=1

000530: 14:47:50: IP: tableid=0, s=71.29.83.191 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB

000531: 14:47:50: IP: s=71.29.83.191 (Dialer1), d=192.168.1.250 (Vlan1), len 80, dropped by inspect

000532: 14:47:50:     ICMP type=3, code=1

000533: *Feb 12 22:57:08.852 Athens: %IP_VFR-4-FRAG_TABLE_OVERFLOW: Virtual-Access1: the fragment table has reached its maximum threshold 16

000534: 14:47:53: IP: tableid=0, s=192.168.1.250 (Vlan1), d=194.219.227.2 (Dialer1), routed via FIB

000535: 14:47:53: IP: s=62.1.59.176 (Vlan1), d=194.219.227.2 (Dialer1), g=213.16.246.30, len 201, forward

000536: 14:47:53:     ICMP type=3, code=3

000537: 14:47:54: IP: tableid=0, s=46.33.213.218 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB

000538: 14:47:54: IP: s=46.33.213.218 (Dialer1), d=192.168.1.250 (Vlan1), len 123, dropped by inspect

000539: 14:47:54:     ICMP type=3, code=3

000540: 14:47:55: IP: tableid=0, s=24.199.188.2 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB

000541: 14:47:55: IP: s=24.199.188.2 (Dialer1), d=192.168.1.250 (Vlan1), len 123, dropped by inspect

000542: 14:47:55:     ICMP type=3, code=3

000543: 14:47:55: IP: tableid=0, s=192.168.1.200 (local), d=192.168.1.100 (Vlan1), routed via FIB

000544: 14:47:55: IP: s=192.168.1.200 (local), d=192.168.1.100 (Vlan1), len 100, sending

000545: 14:47:55:     ICMP type=8, code=0

000546: 14:47:55: IP: tableid=0, s=192.168.1.100 (Vlan1), d=192.168.1.200 (Vlan1), routed via RIB

000547: 14:47:55: IP: s=192.168.1.100 (Vlan1), d=192.168.1.200 (Vlan1), len 100, rcvd 3

000548: 14:47:55:     ICMP type=0, code=0

000549: 14:47:55: IP: tableid=0, s=192.168.1.200 (local), d=192.168.1.100 (Vlan1), routed via FIB

000550: 14:47:55: IP: s=192.168.1.200 (local), d=192.168.1.100 (Vlan1), len 100, sending

000551: 14:47:55:     ICMP type=8, code=0

000552: 14:47:55: IP: tableid=0, s=192.168.1.100 (Vlan1), d=192.168.1.200 (Vlan1), routed via RIB

000553: 14:47:55: IP: s=192.168.1.100 (Vlan1), d=192.168.1.200 (Vlan1), len 100, rcvd 3

000554: 14:47:55:     ICMP type=0, code=0

000555: 14:47:55: IP: tableid=0, s=192.168.1.200 (local), d=192.168.1.100 (Vlan1), routed via FIB

000556: 14:47:55: IP: s=192.168.1.200 (local), d=192.168.1.100 (Vlan1), len 100, sending

000557: 14:47:55:     ICMP type=8, code=0

000558: 14:47:55: IP: tableid=0, s=192.168.1.100 (Vlan1), d=192.168.1.200 (Vlan1), routed via RIB

000559: 14:47:55: IP: s=192.168.1.100 (Vlan1), d=192.168.1.200 (Vlan1), len 100, rcvd 3

000560: 14:47:55:     ICMP type=0, code=0

000561: 14:47:55: IP: tableid=0, s=192.168.1.200 (local), d=192.168.1.100 (Vlan1), routed via FIB

000562: 14:47:55: IP: s=192.168.1.200 (local), d=192.168.1.100 (Vlan1), len 100, sending

000563: 14:47:55:     ICMP type=8, code=0

000564: 14:47:55: IP: tableid=0, s=192.168.1.100 (Vlan1), d=192.168.1.200 (Vlan1), routed via RIB

000565: 14:47:55: IP: s=192.168.1.100 (Vlan1), d=192.168.1.200 (Vlan1), len 100, rcvd 3

000566: 14:47:55:     ICMP type=0, code=0

000567: 14:47:55: IP: tableid=0, s=192.168.1.200 (local), d=192.168.1.100 (Vlan1), routed via FIB

000568: 14:47:55: IP: s=192.168.1.200 (local), d=192.168.1.100 (Vlan1), len 100, sending

000569: 14:47:55:     ICMP type=8, code=0

000570: 14:47:55: IP: tableid=0, s=192.168.1.100 (Vlan1), d=192.168.1.200 (Vlan1), routed via RIB

000571: 14:47:55: IP: s=192.168.1.100 (Vlan1), d=192.168.1.200 (Vlan1), len 100, rcvd 3

000572: 14:47:55:     ICMP type=0, code=0

000573: 14:47:56: IP: tableid=0, s=71.29.83.191 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB

000574: 14:47:56: IP: s=71.29.83.191 (Dialer1), d=192.168.1.250 (Vlan1), len 76, dropped by inspect

000575: 14:47:56:     ICMP type=3, code=1

000576: 14:47:58: IP: tableid=0, s=71.20.125.203 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB

000577: 14:47:58: IP: s=71.20.125.203 (Dialer1), d=192.168.1.250 (Vlan1), len 123, dropped by inspect

000578: 14:47:58:     ICMP type=3, code=3
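Added example (not part of the thread): a small Python parser for `debug ip packet detail` output in the format posted above. It pairs each packet line with the ICMP line that follows it, counts what the zone firewall dropped on the WAN side, and reports which interface the echo requests to the modem leave by and the replies arrive on. The sample lines are constructed in the thread's format, with public addresses replaced by documentation ranges; the function names and the `wan_if` default are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample in the format of the output posted above. 203.0.113.x and
# 198.51.100.x stand in for Internet hosts, 192.0.2.10 for the router's WAN
# address and 192.0.2.1 for the ISP gateway (RFC 5737 documentation ranges).
SAMPLE_LOG = """\
000101: 14:47:54: IP: tableid=0, s=203.0.113.7 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB
000102: 14:47:54: IP: s=203.0.113.7 (Dialer1), d=192.168.1.250 (Vlan1), len 123, dropped by inspect
000103: 14:47:54:     ICMP type=3, code=3
000104: 14:47:54: IP: s=198.51.100.9 (Dialer1), d=192.168.1.250 (Vlan1), len 96, dropped by inspect
000105: 14:47:54:     ICMP type=11, code=0
000106: *Feb 12 22:57:08.852 Athens: %IP_VFR-4-FRAG_TABLE_OVERFLOW: Virtual-Access1: the fragment table has reached its maximum threshold 16
000107: 14:47:55: IP: s=198.51.100.20 (Dialer1), d=192.0.2.10, len 123, dropped by local inspect
000108: 14:47:55:     ICMP type=3, code=1
000109: 14:47:55: IP: s=192.0.2.10 (Vlan1), d=203.0.113.50 (Dialer1), g=192.0.2.1, len 201, forward
000110: 14:47:55:     ICMP type=3, code=3
000111: 14:47:55: IP: tableid=0, s=192.168.1.200 (local), d=192.168.1.100 (Vlan1), routed via FIB
000112: 14:47:55: IP: s=192.168.1.200 (local), d=192.168.1.100 (Vlan1), len 100, sending
000113: 14:47:55:     ICMP type=8, code=0
000114: 14:47:55: IP: tableid=0, s=192.168.1.100 (Vlan1), d=192.168.1.200 (Vlan1), routed via RIB
000115: 14:47:55: IP: s=192.168.1.100 (Vlan1), d=192.168.1.200 (Vlan1), len 100, rcvd 3
000116: 14:47:55:     ICMP type=0, code=0
"""

ICMP_NAMES = {0: "echo-reply", 3: "dest-unreachable",
              8: "echo-request", 11: "time-exceeded"}

# The per-packet line that carries the verdict ("tableid=" lookup lines are skipped).
PACKET = re.compile(
    r"IP: s=([\d.]+) \(([\w-]+)\), d=([\d.]+)(?: \(([\w-]+)\))?,"
    r"(?: g=[\d.]+,)? len (\d+), (.+)$")
ICMP = re.compile(r"ICMP type=(\d+), code=(\d+)")


def parse(log):
    """Pair each verdict line with the ICMP detail line that follows it."""
    records, pending = [], None
    for line in log.splitlines():
        m = PACKET.search(line)
        if m:
            src, in_if, dst, out_if, length, action = m.groups()
            pending = {"src": src, "in_if": in_if, "dst": dst,
                       "out_if": out_if or "-", "len": int(length),
                       "action": action.strip()}
            continue
        m = ICMP.search(line)
        if m and pending:
            icmp_type = int(m.group(1))
            pending["icmp"] = ICMP_NAMES.get(icmp_type, f"type-{icmp_type}")
            pending["code"] = int(m.group(2))
            records.append(pending)
            pending = None
    return records


def dropped_inbound(records, wan_if="Dialer1"):
    """Count firewall drops of packets that arrived on the WAN interface."""
    counts = Counter()
    for r in records:
        if r["in_if"] == wan_if and r["action"].startswith("dropped by"):
            counts[(r["action"], r["icmp"])] += 1
    return counts


def echo_path(records, target):
    """Return (egress interfaces of echo requests, ingress interfaces of replies)."""
    out_ifs = {r["out_if"] for r in records
               if r["dst"] == target and r["icmp"] == "echo-request"}
    in_ifs = {r["in_if"] for r in records
              if r["src"] == target and r["icmp"] == "echo-reply"}
    return out_ifs, in_ifs


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    for key, n in dropped_inbound(recs).items():
        print(n, *key)
    print("path to modem:", echo_path(recs, "192.168.1.100"))
```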

Purple

Cisco 876 pppoe with bridged modem

Hi,

The firewall is dropping it. Now let's do another test:

enable

clear log

ping x.x.x.x so Vlan1 (where x.x.x.x is the Zyxel IP)

sh log

Regards

Alain

Don't forget to rate helpful posts.


Cisco 876 pppoe with bridged modem

Kerberos#clear log

Kerberos#clear logging

Clear logging buffer [confirm]

Kerberos#ping 192.168.1.100

Kerberos#ping 192.168.1.100 so

Kerberos#ping 192.168.1.100 source vla

Kerberos#ping 192.168.1.100 source vlan 1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.100, timeout is 2 seconds:

Packet sent with a source address of 192.168.1.200

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 4/8/12 ms

Kerberos#sh log

Syslog logging: enabled (1 messages dropped, 0 messages rate-limited,

                0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

No Inactive Message Discriminator.

    Console logging: level critical, 0 messages logged, xml disabled,

                     filtering disabled

    Monitor logging: level debugging, 0 messages logged, xml disabled,

                     filtering disabled

    Buffer logging:  level debugging, 7537 messages logged, xml disabled,

                     filtering disabled

    Logging Exception size (4096 bytes)

    Count and timestamp logging messages: disabled

    Persistent logging: disabled

No active filter modules.

ESM: 0 messages dropped

    Trap logging: disabled

Log Buffer (4096 bytes):

n1), routed via FIB

004861: 15:09:14: IP: s=192.168.1.200 (local), d=192.168.1.100 (Vlan1), len 100, sending

004862: 15:09:14:     ICMP type=8, code=0

004863: 15:09:14: IP: tableid=0, s=192.168.1.100 (Vlan1), d=192.168.1.200 (Vlan1), routed via RIB

004864: 15:09:14: IP: s=192.168.1.100 (Vlan1), d=192.168.1.200 (Vlan1), len 100, rcvd 3

004865: 15:09:14:     ICMP type=0, code=0

004866: 15:09:14: IP: tableid=0, s=114.229.202.185 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB

004867: 15:09:14: IP: s=114.229.202.185 (Dialer1), d=192.168.1.250 (Vlan1), len 159, dropped by inspect

004868: 15:09:14:     ICMP type=3, code=3

004869: 15:09:15: IP: tableid=0, s=188.51.127.15 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB

004870: 15:09:15: IP: s=188.51.127.15 (Dialer1), d=192.168.1.250 (Vlan1), len 68, dropped by inspect

004871: 15:09:15:     ICMP type=3, code=1

004872: 15:09:15: IP: tableid=0, s=1.196.229.203 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB

004873: 15:09:15: IP: s=1.196.229.203 (Dialer1), d=192.168.1.250 (Vlan1), len 56, dropped by inspect

004874: 15:09:15:     ICMP type=3, code=3

004875: 15:09:16: IP: tableid=0, s=83.180.172.220 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB

004876: 15:09:16: IP: s=83.180.172.220 (Dialer1), d=192.168.1.250 (Vlan1), len 159, dropped by inspect

004877: 15:09:16:     ICMP type=3, code=3

004878: 15:09:16: IP: tableid=0, s=41.57.98.223 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB

004879: 15:09:16: IP: s=41.57.98.223 (Dialer1), d=192.168.1.250 (Vlan1), len 86, dropped by inspect

004880: 15:09:16:     ICMP type=3, code=3

004881: 15:09:17: IP: tableid=0, s=62.233.182.240 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB

004882: 15:09:17: IP: s=62.233.182.240 (Dialer1), d=192.168.1.250 (Vlan1), len 123, dropped by inspect

004883: 15:09:17:     ICMP type=3, code=3

004884: 15:09:17: IP: tableid=0, s=66.176.201.210 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB

004885: 15:09:17: IP: s=66.176.201.210 (Dialer1), d=192.168.1.250 (Vlan1), len 68, dropped by inspect

004886: 15:09:17:     ICMP type=3, code=1

004887: *Feb 12 23:18:35.383 Athens: %IP_VFR-4-FRAG_TABLE_OVERFLOW: Virtual-Access1: the fragment table has reached its maximum threshold 16

004888: 15:09:19: IP: tableid=0, s=147.30.16.8 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB

004889: 15:09:19: IP: s=147.30.16.8 (Dialer1), d=192.168.1.250 (Vlan1), len 123, dropped by inspect

004890: 15:09:19:     ICMP type=3, code=3

004891: 15:09:20: IP: tableid=0, s=69.157.103.90 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB

004892: 15:09:20: IP: s=69.157.103.90 (Dialer1), d=192.168.1.250 (Vlan1), len 159, dropped by inspect

004893: 15:09:20:     ICMP type=3, code=1

004894: 15:09:20: IP: tableid=0, s=83.53.230.8 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB

004895: 15:09:20: IP: s=83.53.230.8 (Dialer1), d=192.168.1.250 (Vlan1), len 123, dropped by inspect

004896: 15:09:20:     ICMP type=3, code=3

004897: 15:09:20: IP: tableid=0, s=38.107.218.2 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB

004898: 15:09:20: IP: s=38.107.218.2 (Dialer1), d=192.168.1.250 (Vlan1), len 123, dropped by inspect

004899: 15:09:20:     ICMP type=3, code=3

004900: 15:09:20: IP: tableid=0, s=122.2.135.105 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB

004901: 15:09:20: IP: s=122.2.135.105 (Dialer1), d=192.168.1.250 (Vlan1), len 96, dropped by inspect

004902: 15:09:20:     ICMP type=11, code=0

004903: 15:09:21: IP: tableid=0, s=2.71.126.85 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB

004904: 15:09:21: IP: s=2.71.126.85 (Dialer1), d=192.168.1.250 (Vlan1), len 123, dropped by inspect

004905: 15:09:21:     ICMP type=3, code=3

004906: 15:09:21: IP: tableid=0, s=118.160.44.163 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB

004907: 15:09:21: IP: s=118.160.44.163 (Dialer1), d=192.168.1.250 (Vlan1), len 159, dropped by inspect

004908: 15:09:21:     ICMP type=3, code=3

004909: 15:09:21: IP: tableid=0, s=89.132.6.46 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB

004910: 15:09:21: IP: s=89.132.6.46 (Dialer1), d=192.168.1.250 (Vlan1)

Cisco 876 pppoe with bridged modem

Hi,

Can you connect a laptop to f3, for example, give it 192.168.1.199 mask 255.255.255.0, default gw = 192.168.1.100 (vlan 1), and try to ping the zyxel from it?

As they are in the same subnet, the PC shouldn't use the vlan interface and the packets will just be L2 switched.

We shouldn't see any debug if we do this now:

enable

conf t

ip access-list extended 199

no 10

10 permit icmp 192.168.1.0 0.0.0.255 host 192.168.1.200 echo

do clear log

Do the test and issue the command: do sh log

Then if it works, it means that indeed we can have a dialer linked to an L2 interface, but that is not good practice for me.

Can you try to change this port to L3 like this:

int f0

no switchport

I'm not sure it can be done on this platform though

Regards

Alain

Don't forget to rate helpful posts.
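
Added example, not part of Alain's post or of the thread: a Python sketch that reads `debug ip packet` output in the format posted above and checks the two things the test is about, namely whether any echo request to the modem address was handled by the router's IP path (none should be if the laptop and the zyxel are L2 switched) and what the firewall is dropping. The log lines are constructed and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the format of the debug output posted in this thread.
# Addresses from 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
000101: 15:09:14: IP: tableid=0, s=203.0.113.7 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB
000102: 15:09:14: IP: s=203.0.113.7 (Dialer1), d=192.168.1.250 (Vlan1), len 159, dropped by inspect
000103: 15:09:14:     ICMP type=3, code=3
000104: 15:09:15: IP: s=198.51.100.9 (Dialer1), d=192.168.1.250 (Vlan1), len 68, dropped by inspect
000105: 15:09:15:     ICMP type=3, code=1
000106: 15:09:16: IP: s=192.168.1.199 (Vlan1), d=192.168.1.200 (Vlan1), len 100, rcvd 3
000107: 15:09:16:     ICMP type=8, code=0
000108: 15:09:17: IP: s=203.0.113.7 (Dialer1), d=192.168.1.250 (Vlan1), len 123, dropped by inspect
000109: 15:09:17:     ICMP type=3, code=3
000110: 15:09:18: IP: s=198.51.100.20 (Dialer1), d=192.168.1.250 (Vlan1)
"""

PKT = re.compile(r"IP: s=(?P<src>[\d.]+) \((?P<sif>[^)]+)\), "
                 r"d=(?P<dst>[\d.]+)(?: \((?P<dif>[^)]+)\))?, "
                 r"len (?P<len>\d+), (?P<action>.+)$")
ICMP = re.compile(r"ICMP type=(\d+), code=(\d+)")

def parse(log):
    """One dict per packet line, with the ICMP detail line that follows merged in."""
    records, last = [], None
    for line in log.splitlines():
        m = PKT.search(line)
        if m:
            last = dict(m.groupdict(), icmp=None)
            last["len"] = int(last["len"])
            records.append(last)
            continue
        m = ICMP.search(line)
        if m and last is not None:
            last["icmp"] = (int(m.group(1)), int(m.group(2)))
        last = None  # never attach detail across a lookup or truncated line
    return records

def inspect_drops(records):
    """Packets the zone firewall dropped, counted by (ICMP type, code)."""
    return Counter(r["icmp"] for r in records if r["action"] == "dropped by inspect")

def routed_echoes(records, target):
    """Echo requests (type 8) to `target` that the router's IP path handled."""
    return [r for r in records if r["dst"] == target and r["icmp"] and r["icmp"][0] == 8]

if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("drops by ICMP (type, code):", dict(inspect_drops(recs)))
    print("echoes seen at L3:", [(r["src"], r["dst"]) for r in routed_echoes(recs, "192.168.1.200")])
```

An empty list from `routed_echoes` after the ping test is the result that L2 switching predicts; the constructed sample contains one hit so the non-empty case is visible.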

Re: Cisco 876 pppoe with bridged modem

Yes indeed, I can ping the zyxel from a laptop like you described. I don't like it either to be honest, it confuses me a lot.

I'm trying to give the command on Fast ethernet0 ... and it asks for

Kerberos(config-if)#no switchport acc
Kerberos(config-if)#no switchport access ?
  vlan  Set VLAN when interface is in access mode

I issued

#no switchport access vlan 1 on interface fae0 but it had no effect, I can still access the zyxel

Cisco 876 pppoe with bridged modem

Hi,

Can't you simply do no switchport? What does "no switchport ?" tell you?

Regards

Alain

Don't forget to rate helpful posts.

Cisco 876 pppoe with bridged modem

Kerberos#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

Kerberos(config)#int

Kerberos(config)#interface fa

Kerberos(config)#interface fastEthernet 0

Kerberos(config-if)#no sw

Kerberos(config-if)#no switchport

% Incomplete command.

If I put ? it asks

Kerberos(config-if)#no switchport ?

  access    Set access mode characteristics of the interface

  mode      Set trunking mode of the interface

  priority  Set 802.1p priorities

  trunk     Set trunking characteristics of the interface

  voice     Voice appliance attributes

Kerberos(config-if)#no switchport

Cisco 876 pppoe with bridged modem

Well, it works, it's OK. I just wanted to see if there was a way to isolate port Eth0 from the rest of the LAN interfaces.

Cisco 876 pppoe with bridged modem

Hi,

You can't make it an L3 routed port, so if you have IOS 15 you can do an intra-zone policy with ZBF, or you can maybe put an L2 access-list if it is possible on this platform, but I'm not sure it is.

Regards

Alain

Don't forget to rate helpful posts.

Cisco 876 pppoe with bridged modem

Well, I will try what you mentioned above and will post any results in the future.

Thanks a lot for spending your time to help.

Cheers!!
