Cisco 877 (800 serie) config CityConnect

[gregorybe]

Beste,

Onlangs zijn we hier bij ons geswitcht naar CityConnect, ik krijg echter onze cisco maar niet ingesteld,

Hieronder een deel van mijn config.
(niet gerelateerde dingen werden weggelaten)

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service password-encryption
service sequence-numbers
!
no aaa new-model
!
resource policy
!
ip subnet-zero
no ip source-route
ip cef
no ip dhcp use vrf connected
!
ip tcp synwait-time 10
no ip bootp server
bridge irb
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
ip address dhcp hostname beankens
pvc 8/35
encapsulation aal5snap
ip nat outside
!
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
!
ip classless
!
ip http server
ip http authentication local
ip dns server
!
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
end


Indien iemand de fout kan aanduiden of indien iemand die beschikt over een cisco i.c.m. CityConnect zijn/haar config kan posten, zou dat zeer handig zijn.

Alvast bedankt.
M.v.g.

[Sasuke]

Cityconnect verwacht/vereist een bridged protocol voor de connectie, probeer eens met onderstaande code te implementeren in jouw config (niet zomaar overnemen he).

Code: Selecteer alles

bridge irb
!
!
interface ATM0
 description --- Dommel CityConnect ---
 no ip address
 ip virtual-reassembly
 no ip route-cache
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 0/35
  encapsulation aal5snap
  protocol ip inarp
 !
 dsl operating-mode auto
 bridge-group 1
 hold-queue 224 in
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 !
 encryption mode ciphers tkip
 !
 broadcast-key change 60
 !
 !
 ssid <whatever>
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description --- Internal LAN ---
 no ip address
 bridge-group 1
 hold-queue 100 out
!
interface BVI1
 description --- Bridging Interface ---
 no ip address
!
bridge 1 protocol ieee
bridge 1 route ip

Success ...

[gregorybe]

Een vraagje, is het niet
pvc 8/35 ipv 0/35?

(ik probeer het morgen)
Alvast bedankt.
m.v.g.

[dupondje]

Zoiezo is het inderdaad 8/35

[Sasuke]

Oeps, was inderdaad 8/35 ( config is een uittreksel van eentje met een ISDN adsl modem), maar blijkbaar is het opgelost ? Je hebt de bridged config overgenomen een aangepast ? Misschien interessant om de volledige config te posten voor andere mensen met cisco routers in de toekomst.

Grtz,
Sasuke

[gregorybe]

Hieronder een basic werkende config voor Dommel CityConnect (BE) en Telfort (NL):

(ik heb wel niet gewerkt met een extra BVI interface, zoals Sasuke voorstelde,
je kan dus eventueel een extra BVI interface aanmaken als je een draadloze Cisco zou hebben, om dan LAN en WLAN aan elkaar te koppelen (bridgen is hier niet het juiste woord).)

Code: Selecteer alles

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco
!
boot-start-marker
boot-end-marker
!
enable secret <enable-wachtwoord-hier>
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.9
ip dhcp excluded-address 10.10.10.241 10.10.10.254
!
ip dhcp pool sdm-pool1
   import all
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1 
   dns-server 10.10.10.1 
!
!
no ip bootp server
ip name-server 193.109.184.72
ip name-server 193.109.184.75
ip ssh time-out 60
ip ssh authentication-retries 4
!
!
crypto pki trustpoint TP-self-signed-4008809079
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4008809079
 revocation-check none
 rsakeypair TP-self-signed-4008809079
!
crypto pki certificate chain TP-self-signed-4008809079
 certificate self-signed 01
 <key weggelaten>
  quit
!
username admin privilege 15 secret <admin-wachtwoord>
!
! 
!
bridge irb
!
!
interface ATM0
  description Fysieke ADSL (ATM) Interface
  no ip address
  no atm ilmi-keepalive
  dsl operating-mode auto 
!
interface ATM0.1 point-to-point
  description ATM Routed Bridge Encapsulation (RBE) Subinterface t.b.v. Internet
  ip address dhcp
  ip access-group 101 in
  ip nat outside
  ip virtual-reassembly
  no snmp trap link-status
  atm route-bridged ip
  pvc 8/35 
   encapsulation aal5snap
   protocol ip inarp
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 no ip virtual-reassembly
!
ip classless
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface ATM0.1 overload
ip dns server
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 101 permit tcp any any established
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any unreachable
access-list 101 remark DNS In and Out
access-list 101 permit udp any eq domain any eq domain
access-list 101 permit udp any eq domain any gt 1023
access-list 101 remark DHCP client requests
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny   ip any any log
!
control-plane
!
line con 0
  login local
  no modem enable
  transport output telnet
line aux 0
  login local
  transport output telnet
line vty 0 4
  privilege level 15
  login local
  transport input telnet ssh
!
end

Ik post later mijn volledige config die ik gebruik, deze is beter beveiligd en heeft wat extra opties.

Bedankt voor de snelle reactie.
Met vriendelijke groet,
Gregory B.

[algey]

Hieronder een basic werkende config voor Dommel CityConnect (BE) en Telfort (NL):

Ik post later mijn volledige config die ik gebruik, deze is beter beveiligd en heeft wat extra opties.

Hi Gregory,

Ik zie geen ip route statement in je configuratie, zoals

Code: Selecteer alles

ip route 0.0.0.0 0.0.0.0 <next hop>

Wil je svp voor de duidelijkheid je hele config posten?

Thanks, Alge

[gregorybe]

Excuses, ik heb nog geen tijd gehad om mijn config te vervolledigen/op te kuisen.
zodra dit gebeurd is post ik hem hier, hieronder de config die ik eerst gebruikte en werkt, ip route komt er niet in voor.

Code: Selecteer alles

!* cisco.domainnaam.be.CiscoConfig
!* IP Address : 10.10.10.1
!* Community  : privatestring
!* Downloaded 22/12/2009 21:51:05 by SolarWinds Config Transfer Engine Version 5.5.0

!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$x/XR$fIxJz0em8/UelFkb255tQ0
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
ip subnet-zero
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.9
ip dhcp excluded-address 10.10.10.241 10.10.10.254
!
ip dhcp pool sdm-pool1
   import all
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1 
   dns-server 10.10.10.1 
!
!
no ip bootp server
ip domain name domainnaam.be
ip name-server 193.109.184.72
ip name-server 193.109.184.75
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-4008809079
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4008809079
 revocation-check none
 rsakeypair TP-self-signed-4008809079
!
!
crypto pki certificate chain TP-self-signed-4008809079
 certificate self-signed 01
  <key weggelaten>
  quit
username admin privilege 15 secret <ww>
!
! 
!
bridge irb
!
!
interface ATM0
 description Fysieke ADSL (ATM) Interface
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto 
!
interface ATM0.1 point-to-point
 description ATM Routed Bridge Encapsulation (RBE) Subinterface t.b.v. Internet
 ip address dhcp
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly
 no snmp trap link-status
 atm route-bridged ip
 pvc 8/35 
  encapsulation aal5snap
  protocol ip inarp
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 no ip virtual-reassembly
!
ip classless
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface ATM0.1 overload
ip dns server
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 101 permit tcp any any established
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any unreachable
access-list 101 remark DNS In and Out
access-list 101 permit udp any eq domain any eq domain
access-list 101 permit udp any eq domain any gt 1023
access-list 101 remark DHCP client requests
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny   ip any any log
snmp-server community privatestring RW
!
control-plane
!
banner login Authorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp server 194.78.18.221 prefer
end

[Tomsworld]

Excuses, ik heb nog geen tijd gehad om mijn config te vervolledigen/op te kuisen.
zodra dit gebeurd is post ik hem hier, hieronder de config die ik eerst gebruikte en werkt, ip route komt er niet in voor.

Ip route is niet nodig je zal zien dat je de default route krijgt door de dhcp aanvraag/antwoord.

Je kan ze er wel zetten.

[algey]

Ip route is niet nodig je zal zien dat je de default route krijgt door de dhcp aanvraag/antwoord.

Je kan ze er wel zetten.

Hi!

Bedankt voor jullie antwoorden.
Ja, ik was er intussen al achtergekomen dat het niet nodig was als je via dhcp je ip-nummer krijgt.
Ik heb nu een soortgelijke config in mijn 877w als Gregory (met een ATM0.1 sub-interface die naar VLan1 routeert) en hij draait als een zonnetje. Vervolgens wil ik nog even CBAC uitproberen.

Ik loop eigenlijk nog met 1 vraag rond: kan je Dot11Radio0 sub-interface zodanig aktiveren dat hij IP-nummers uit hetzelfde netwerk als Vlan 1 uitdeelt?

Groet, Alge

[gregorybe]

Mijn uiteindelijke config (met firewall regels, NTP, OpenDNS, en SSH toegang vanaf buitanaf op poort 822)

(Verbeteringen zijn uiteraard welkom)


* WAN IP: DHCP (ATM0.1 point-to-point)
* LAN Router IP: 10.10.10.1
* DHCP Range: 10.10.10.10 10.10.10.240
* DNS Server forwarding requests to OpenDNS
* NTP Server forwarding requests to 81.246.92.140 and 212.68.213.7 (be.pool.ntp.org ip's)
* Timezone Paris
* Incoming ACL: 101
* Outgoing ACL: 100
* SSH via WAN on port 822
* SNMP Private string: privateString
* SNMP Public string: publiekeString
* Logging previous 300 console commands

Code: Selecteer alles

!* cisco-axelius.axelius.be.CiscoConfig
!* IP Address : 10.10.10.1
!* Community : privateString
!* Downloaded 21/03/2010 19:07:58 by SolarWinds Config Transfer Engine Version 5.5.0
!
! Last configuration change at 19:06:47 Paris Sun Mar 21 2010 by admin
! NVRAM config last updated at 19:06:53 Paris Sun Mar 21 2010 by admin
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco-axelius
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 ...
!
no aaa new-model
!
resource policy
!
clock timezone Paris 1
clock summer-time Paris date Mar 30 2003 2:00 Oct 26 2003 3:00
ip subnet-zero
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.9
ip dhcp excluded-address 10.10.10.241 10.10.10.254
!
ip dhcp pool sdm-pool1
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 10.10.10.1
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name axelius.be
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip ssh time-out 60
ip ssh authentication-retries 5
!
!
crypto pki trustpoint TP-self-signed-4008809079
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4008809079
revocation-check none
rsakeypair TP-self-signed-4008809079
!
!
crypto pki certificate chain TP-self-signed-4008809079
certificate self-signed 01
30820250 ...
quit
username admin privilege 15 secret 5
archive
log config
logging enable
logging size 300
hidekeys
!
!
!
bridge irb
!
!
interface ATM0
description Fysieke ADSL (ATM) Interface
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description ATM Routed Bridge Encapsulation (RBE) Subinterface t.b.v. Internet
ip address dhcp
ip access-group 101 in
ip nat outside
ip virtual-reassembly
no snmp trap link-status
atm route-bridged ip
pvc 8/35
encapsulation aal5snap
protocol ip inarp
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
ip access-group 100 in
ip nat inside
no ip virtual-reassembly
!
interface Dialer0
no ip address
!
ip classless
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface ATM0.1 overload
ip nat inside source static tcp 10.10.10.1 22 interface Dialer0 822
ip dns server
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 remark CCP_ACL Category=17
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 permit tcp any any established
access-list 101 permit udp host 212.68.213.7 eq ntp any eq ntp
access-list 101 permit udp host 81.246.92.140 eq ntp any eq ntp
access-list 101 permit udp host 208.67.220.220 eq domain any
access-list 101 permit udp host 208.67.222.222 eq domain any
access-list 101 permit tcp any any eq 822
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any unreachable
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny ip any any
snmp-server community privateString RW
snmp-server community publiekeString RO
snmp-server location Hasselt
snmp-server contact GregoryBE
!
control-plane
!
banner login Authorized access only!
Gretech Configured router. Unauthorized access will be logged.
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17179862
ntp master
ntp server 81.246.92.140 prefer
ntp server 212.68.213.7
end

http://gretech.be/blog/index.php/2010/0 ... hcp-adsl2/

[algey]

Hallo Gregory,

Code: Selecteer alles

ip nat inside source static tcp 10.10.10.1 22 interface Dialer0 822

Ik snap deze regel niet helemaal: interface Dialer0 in een route-bridged ip configuratie..?

Gr, Algey