WorkingItOut

asked on
How to configure Cisco Router 1921 with two ADSL2+ Wic

Hello all,

we are purchasing a Cisco router 1921 with 2 x ADSL2+ WIC cards.

This router has two gigabit ports, and we would like to link 1 port to 1 card. We plan to bridge this router with a Sophos UTM to do the authentication part.

So how do we present each card on a separate interface?
Craig Beck

You can't bridge the ADSL cards/circuits to a GigabitEthernet port if you want the Sophos UTM to do the PPP authentication.  The ADSL port on the router must do that via a Dialer interface.

jodylemoine

One way to do it would be to link each of the DSL interfaces to a separate Virtual Routing and Forwarding (VRF) instance so that each would have its own default route to the DSL link. The previous expert is correct in that having the Sophos UTM do the PPPoE authentication would be problematic at best though. In similar circumstances, I have configured the Cisco to handle the PPPoE authentication and the NAT. The UTM can still be used on the internal network, but would simply bridge or route its traffic to the Cisco without handling authentication or NAT.

Craig Beck

That's usually the way I'd do it too.  There are so many problems with bridging the ADSL via a router due to the things you have to do to get it to work that it's just not reliable most of the time.  As jodylemoine said, using VRF might be one option and would completely separate the two circuits, although it will require the ADSL ports to do the PPP termination and it will also mean you can't do anything like policy routing in the future if you want to use the ADSL lines as failovers for each other.

Having said that, if you really want to bridge the PPP to the UTM you 'might' be able to do something like the example below, but it depends on how the ADSL is presented to your router.  If the ADSL encapsulation type is aal5mux, this doc might help...

http://www.cisco.com/en/US/docs/ios/bbdsl/configuration/guide/bba_pppoeoa_aal5mux.html

If the encapsulation is aal5snap, you could try something like this...

conf t
no ip routing
!
interface atm0
 no ip address
 no ip directed-broadcast
 no atm ilmi-keepalive
 no shut
 pvc 8/35
  ! change 8/35 to suit the PVC settings specified by the ISP
  encapsulation aal5snap
 !
 bridge-group 1
!
interface GigabitEthernet0
 no ip address
 no ip directed-broadcast
 bridge-group 1
 no shut
!
bridge 1 protocol ieee
!
end


WorkingItOut

ASKER

Ok, thank you very much for your help everyone. The reason why I want the UTM in bridge is so that the WEB IP address is present to each interface of the UTM.

The recommended config for the UTM is to have the UTM doing the NAT translations and routing etc.

Could I still configure the Cisco router to do the authentication and then forward the address to the UTM interface?

Absolutely.  That's pretty much what we've both said.  That makes the ADSL so much easier to deal with.

You can do a 1-1 NAT on each ADSL interface to make the UTM interfaces visible to the outside world via the 1921.

Excellent - have you got an example config for me that I could use? The confusing part is the two ADSL2 WICs and how to link them; that's my struggle, as most guides only show how to configure one WIC to a single port.

What encapsulation type is your ADSL?

Encapsulation
- PPPoA VCMUX (pppoa with aaL5MUX)
- PPPOE/LLC
NOTE: We recommend using PPPoA/VC Mux as it tends to be (theoretically) a little faster for customers though both should work fine
 
 Authentication method: CHAP
ADSL1:   G.DMT (This modulation will only allow speeds up to 8Mb/s)
ADSL2+:  Select ADSL2+ or Auto
 
VPI (Virtual path identifier)
8
 
VCI (Virtual channel identifier)
35

Ok if you 'can' use PPPoE (even though it might be slightly slower) you could try this...

conf t
no ip routing
!
interface atm0
 no ip address
 no ip directed-broadcast
 no atm ilmi-keepalive
 no shut
 pvc 8/35
  encapsulation aal5mux
 !
 bridge-group 1
!
interface GigabitEthernet0
 no ip address
 no ip directed-broadcast
 bridge-group 1
 no shut
!
interface atm1
 no ip address
 no ip directed-broadcast
 no atm ilmi-keepalive
 no shut
 pvc 8/35
  encapsulation aal5mux
 !
 bridge-group 2
!
interface GigabitEthernet1
 no ip address
 no ip directed-broadcast
 bridge-group 2
 no shut
!
bridge 1 protocol ieee
bridge 2 protocol ieee
!
end


Ok - I don't see any dialer for the username or passwords? Didn't you say it's better to have the router do the username and password and do 1-to-1 NAT or something?

Thank you for your help, greatly appreciated.

Apologies, I went on a bit of a tangent there and gave you something to try which might help bridge the PPPoE to the UTM.

However, I've just re-read the thread and this bit makes your idea a bit tricky...

Ok, thank you very much for your help everyone. The reason why I want the UTM in bridge is so that the WEB IP address is present to each interface of the UTM.
I don't know why I didn't pick-up on that before, but that's quite a challenge as you'll have 2 gateways to the internet, however the UTM will only use one default gateway at a time.

For example, if you have your UTM configured as follows...
UTM Port 1 - IP 35.98.192.2 with gateway 35.98.192.1
UTM Port 2 - IP 184.67.5.20 with gateway 184.67.5.16

...clients on the internet trying to get to 35.98.192.2 can see the page if the default route on the UTM is 35.98.192.1, but they won't be able to see the UTM on 184.67.5.20.  This is because the return traffic to the client from the UTM will only ever go out of port 1 if 35.98.192.1 is the default route (unless you use static routes or BGP).

So, I can give you a config which will let you NAT the ADSL to the UTM, but it will only help for one ADSL link at a time and not both.

Make sense?

Yes, it makes sense what you're saying. However, the UTM will be doing "uplink balancing".

Which will balance outgoing traffic across the two ADSL links, in turn downloading on the line it balanced out from. Of course there are some sites/applications which need a static connection, so the UTM has options to create static rules, and also automatically.

I still think your idea of letting the Cisco router establish the connection would be good. That way if the UTM is restarted or whatever the links stay on-line.

If you can show the config for the recommended way that you mentioned above, this will be helpful and I'll test both ways to see which way works best :)
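The arrangement the experts recommend in this thread (the 1921 terminating PPPoA/CHAP on each ADSL line itself, each line in its own VRF so that it keeps its own default route, and a 1:1 static NAT presenting each UTM WAN interface to the internet) was never posted in full. The configuration below is an added example, not Craig Beck's or jodylemoine's config and not anything from Cisco or Sophos. It assumes the two WICs appear as ATM0/0/0 and ATM0/1/0, that each ISP routes one fixed public address to its line (203.0.113.10 and 198.51.100.10 are RFC 5737 documentation addresses standing in for the real ones), private /30 links 10.0.1.0/30 and 10.0.2.0/30 between the 1921 and the UTM, and CHAP credentials shown as placeholders; the VRF names and descriptions are also assumptions. The VPI/VCI 8/35 and CHAP come from the ISP details pasted above.

```cisco
! Added example (not from the thread): two ADSL2+ WICs terminated on the 1921,
! one VRF per line, 1:1 NAT to the UTM's two WAN interfaces.
! Interface names, VRF names, addresses and CHAP credentials are assumptions.
!
ip vrf ISP1
 rd 65000:1
ip vrf ISP2
 rd 65000:2
!
! ADSL line 1: PPPoA, VPI/VCI 8/35 as stated by the ISP in the thread
interface ATM0/0/0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 no shutdown
!
! ADSL line 2: same settings on the second WIC
interface ATM0/1/0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 2
 !
 no shutdown
!
! PPP/CHAP is terminated here, not on the UTM; each dialer lives in its own VRF
interface Dialer1
 description PPPoA to ISP line 1
 ip vrf forwarding ISP1
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp chap hostname CHAP-USER-LINE1
 ppp chap password 0 CHAP-PASSWORD-LINE1
!
interface Dialer2
 description PPPoA to ISP line 2
 ip vrf forwarding ISP2
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 2
 dialer-group 1
 ppp chap hostname CHAP-USER-LINE2
 ppp chap password 0 CHAP-PASSWORD-LINE2
!
! One Gigabit port per line, each facing one UTM WAN interface
interface GigabitEthernet0/0
 description To UTM WAN1 (UTM side is 10.0.1.2)
 ip vrf forwarding ISP1
 ip address 10.0.1.1 255.255.255.252
 ip nat inside
 no shutdown
!
interface GigabitEthernet0/1
 description To UTM WAN2 (UTM side is 10.0.2.2)
 ip vrf forwarding ISP2
 ip address 10.0.2.1 255.255.255.252
 ip nat inside
 no shutdown
!
dialer-list 1 protocol ip permit
!
! Each VRF has its own default route, so return traffic for a given public
! address always leaves by the line it arrived on; this is what avoids the
! single-default-gateway problem described earlier in the thread.
ip route vrf ISP1 0.0.0.0 0.0.0.0 Dialer1
ip route vrf ISP2 0.0.0.0 0.0.0.0 Dialer2
!
! 1:1 NAT: the whole UTM WAN interface is reachable as that line's public address.
! match-in-vrf keeps the translation inside the VRF that holds both interfaces.
ip nat inside source static 10.0.1.2 203.0.113.10 vrf ISP1 match-in-vrf
ip nat inside source static 10.0.2.2 198.51.100.10 vrf ISP2 match-in-vrf
```

With this in place the UTM's uplink balancing uses 10.0.1.1 and 10.0.2.1 as its two uplink gateways and never sees PPP at all, so the lines stay up across UTM restarts as the asker wanted. Because the NAT is a full 1:1 mapping rather than port forwards, every service the UTM exposes on WAN1 is reachable on 203.0.113.10 and every one on WAN2 on 198.51.100.10; `show ip route vrf ISP1` and `show ip nat translations vrf ISP1` confirm the per-line default route and the translations for the first line (substitute ISP2 for the second).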
ASKER CERTIFIED SOLUTION
WorkingItOut

Used third party to create config