Solved

How to configure a Cisco 1921 router with two ADSL2+ WICs

Posted on 2013-05-19
Last Modified: 2016-02-25
Hello all,

we are purchasing a Cisco router 1921 with 2 x ADSL2+ WIC cards.

This router has two gigabit ports, and we would like to link 1 port to 1 card. We plan to bridge this router with a Sophos UTM to do the authentication part.

So how do we present each card on a separate interface?
Question by:WorkingItOut
Expert Comment

by:Craig Beck
You can't bridge the ADSL cards/circuits to a GigabitEthernet port if you want the Sophos UTM to do the PPP authentication.  The ADSL port on the router must do that via a Dialer interface.
 
Expert Comment

by:Jody Lemoine
One way to do it would be to link each of the DSL interfaces to a separate Virtual Routing and Forwarding (VRF) instance so that each would have its own default route to the DSL link. The previous expert is correct in that having the Sophos UTM do the PPPoE authentication would be problematic at best though. In similar circumstances, I have configured the Cisco to handle the PPPoE authentication and the NAT. The UTM can still be used on the internal network, but would simply bridge or route its traffic to the Cisco without handling authentication or NAT.
 
Expert Comment

by:Craig Beck
That's usually the way I'd do it too.  There are so many problems with bridging the ADSL via a router due to the things you have to do to get it to work that it's just not reliable most of the time.  As jodylemoine said, using VRF might be one option and would completely separate the two circuits, although it will require the ADSL ports to do the PPP termination and it will also mean you can't do anything like policy routing in the future if you want to use the ADSL lines as failovers for each other.

Having said that, if you really want to bridge the PPP to the UTM you 'might' be able to do something like the example below, but it depends on how the ADSL is presented to your router.  If the ADSL encapsulation type is aal5mux, this doc might help...

http://www.cisco.com/en/US/docs/ios/bbdsl/configuration/guide/bba_pppoeoa_aal5mux.html

If the encapsulation is aal5snap, you could try something like this...

conf t
! Pure transparent bridging: IP routing is switched off and the ATM PVC and
! the LAN port are placed in one bridge group, so the PPPoE frames from the
! UTM pass straight through to the ISP and the UTM does the PPP authentication.
! Interface names follow the 1921 slot layout (ATM0/0/0 and GigabitEthernet0/0
! for the first WIC and the first LAN port).
no ip routing
!
interface ATM0/0/0
 no ip address
 no ip directed-broadcast
 no atm ilmi-keepalive
 no shut
 ! VPI/VCI 8/35; change this to suit the PVC settings specified by the ISP
 pvc 8/35
  encapsulation aal5snap
 !
 bridge-group 1
!
interface GigabitEthernet0/0
 no ip address
 no ip directed-broadcast
 bridge-group 1
 no shut
!
bridge 1 protocol ieee
!
end

 

Author Comment

by:WorkingItOut
Ok, thank you very much for your help everyone. The reason why I want the UTM in bridge is so that the web IP address is presented to each interface of the UTM.

The recommended config for the UTM is to have the UTM doing the NAT translations and routing etc.

Could I still configure the cisco router to do the authentication and then forward the address to the UTM interface?
 
Expert Comment

by:Craig Beck
Absolutely.  That's pretty much what we've both said.  That makes the ADSL so much easier to deal with.

You can do a 1-1 NAT on each ADSL interface to make the UTM interfaces visible to the outside world via the 1921.
 

Author Comment

by:WorkingItOut
Excellent. Have you got an example config for me that I could use? The confusing part is the two ADSL2 WICs and how to link them; that's my struggle, as most guides only show how to configure one WIC to a single port.
 
Expert Comment

by:Craig Beck
What encapsulation type is your ADSL?

Author Comment

by:WorkingItOut
Encapsulation:
- PPPoA VC-MUX (PPPoA with AAL5MUX)
- PPPoE/LLC
NOTE: We recommend using PPPoA/VC Mux as it tends to be (theoretically) a little faster for customers, though both should work fine.

Authentication method: CHAP
ADSL1: G.DMT (this modulation will only allow speeds up to 8 Mb/s)
ADSL2+: select ADSL2+ or Auto

VPI (Virtual path identifier): 8
VCI (Virtual channel identifier): 35
 
Expert Comment

by:Craig Beck
Ok if you 'can' use PPPoE (even though it might be slightly slower) you could try this...

conf t
! Transparent bridging of PPPoE, one bridge group per circuit: each ATM PVC is
! bridged to its own LAN port, so the UTM's PPPoE session on that port goes
! straight to the ISP. The ISP lists PPPoE as "PPPoE/LLC", i.e. LLC/SNAP
! framing, so the bridged PVCs use aal5snap (aal5mux is the PPPoA VC-mux
! encapsulation and expects a PPP target). Interface names follow the 1921
! slot layout: first WIC ATM0/0/0 with GigabitEthernet0/0, second WIC
! ATM0/1/0 with GigabitEthernet0/1.
no ip routing
!
interface ATM0/0/0
 no ip address
 no ip directed-broadcast
 no atm ilmi-keepalive
 no shut
 pvc 8/35
  encapsulation aal5snap
 !
 bridge-group 1
!
interface GigabitEthernet0/0
 no ip address
 no ip directed-broadcast
 bridge-group 1
 no shut
!
interface ATM0/1/0
 no ip address
 no ip directed-broadcast
 no atm ilmi-keepalive
 no shut
 pvc 8/35
  encapsulation aal5snap
 !
 bridge-group 2
!
interface GigabitEthernet0/1
 no ip address
 no ip directed-broadcast
 bridge-group 2
 no shut
!
bridge 1 protocol ieee
bridge 2 protocol ieee
!
end

 

Author Comment

by:WorkingItOut
Ok, I don't see any dialer for the username or passwords? Didn't you say it's better to have the router do the username and password and do 1-to-1 NAT or something?

Thank you for your help greatly appreciate it
 
Expert Comment

by:Craig Beck
Apologies, I went on a bit of a tangent there and gave you something to try which might help bridge the PPPoE to the UTM.

However, I've just re-read the thread and this bit makes your idea a bit tricky...

Ok thank you very much for your help everyone, The reason why I want the UTM in bridge is so that the WEB ip address is present to each interface of the UTM.
I don't know why I didn't pick up on that before, but that's quite a challenge as you'll have 2 gateways to the internet, however the UTM will only use one default gateway at a time.

For example, if you have your UTM configured as follows...
UTM Port 1 - IP 35.98.192.2 with gateway 35.98.192.1
UTM Port 2 - IP 184.67.5.20 with gateway 184.67.5.16

...clients on the internet trying to get to 35.98.192.2 can see the page if the default route on the UTM is 35.98.192.1, but they won't be able to see the UTM on 184.67.5.20.  This is because the return traffic to the client from the UTM will only ever go out of port 1 if 35.98.192.1 is the default route (unless you use static routes or BGP).

So, I can give you a config which will let you NAT the ADSL to the UTM, but it will only help for one ADSL link at a time and not both.

Make sense?
 

Author Comment

by:WorkingItOut
Yes, it makes sense what you're saying. However, the UTM will be doing "uplink balancing".

This will balance outgoing traffic across the two ADSL links, in turn downloading on the line it balanced out from. Of course there are some sites/applications which need a static connection, so the UTM has options to create static rules, and also automatically.

I still think your idea of letting the Cisco router establish the connection would be good. That way if the UTM is restarted or whatever, the links stay on-line.

If you can show the config for the recommended way that you mentioned above, this will be helpful and I'll test both ways to see which way works best :)
 

Accepted Solution

by:WorkingItOut
Router#show startup-config
Using 3931 out of 262136 bytes
!
! Last configuration change at 16:31:55 EST Wed May 29 2013 by cisco
version 15.2
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname CISCO-ROUTER
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
! Type 4 secrets are a single unsalted SHA-256 pass; Cisco deprecated them as
! weaker than type 5 (type 8/9 on later releases are the current choice).
enable secret 4 PASSWORD
!
no aaa new-model
clock timezone EST 10 0
!
ip cef
!
! One VRF per ADSL circuit, so each circuit has its own routing table and its
! own default route. The rd/route-target values only matter for MPLS; here
! they simply keep the two tables apart.
ip vrf UTM1
 rd 29:100
 route-target export 29:100
 route-target import 29:100
!
ip vrf UTM2
 rd 29:101
 route-target export 29:101
 route-target import 29:101
!
ip dhcp excluded-address 10.10.10.1
!
no ip domain lookup
ip domain name yourdomain.com
no ipv6 cef
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-326077609
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-326077609
 revocation-check none
 rsakeypair TP-self-signed-326077609
!
crypto pki certificate chain TP-self-signed-326077609
 certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
license udi pid CISCO1921/K9 sn abc123
!
redundancy
!
! The two ADSL WICs register as controllers in slots 0/0 and 0/1; their ATM
! interfaces are ATM0/0/0 and ATM0/1/0 below.
controller VDSL 0/0/0
!
controller VDSL 0/1/0
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
! LAN port 1 -> UTM WAN 1, placed in VRF UTM1 so it can only reach Dialer1.
interface GigabitEthernet0/0
 description Connected to UTM WAN 1
 ip vrf forwarding UTM1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
! LAN port 2 -> UTM WAN 2, placed in VRF UTM2.
interface GigabitEthernet0/1
 ip vrf forwarding UTM2
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface ATM0/0/0
 no ip address
 no atm ilmi-keepalive
!
! PPPoA on VC-mux (aal5mux ppp), as the ISP recommends. The PVC hands its PPP
! session to the Dialer interface in dialer pool 1.
interface ATM0/0/0.1 point-to-point
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Ethernet0/0/0
 no ip address
 shutdown
!
interface ATM0/1/0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0/1/0.1 point-to-point
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 2
 !
!
interface Ethernet0/1/0
 no ip address
 shutdown
!
! Dialer1 terminates PPP for circuit 1 inside VRF UTM1 and is that VRF's NAT
! outside interface. Dialer1 lists pap as well as chap; the ISP's stated
! method is CHAP (Dialer2 is consistent with that).
! The CHAP password is stored as type 7, which is reversible: anyone who can
! read this config recovers the ISP credential, so treat copies of the config
! as secret.
interface Dialer1
 ip vrf forwarding UTM1
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname username@internet.com
 ppp chap password 7 1111111111
 no cdp enable
!
interface Dialer2
 ip vrf forwarding UTM2
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 2
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname username@internet.com
 ppp chap password 7 1111111111
 no cdp enable
!
ip forward-protocol nd
!
! Web management is enabled over plain HTTP as well as HTTPS. access-list 23
! limits the sources; see the note on that list further down.
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
! Per-VRF PAT: each LAN subnet is overloaded onto its Dialer's negotiated
! address. This is many-to-one, not the 1-to-1 NAT discussed earlier; a
! static translation would be needed to expose a UTM address directly.
ip nat inside source list NAT1 interface Dialer1 vrf UTM1 overload
ip nat inside source list NAT2 interface Dialer2 vrf UTM2 overload
! Each VRF gets its own default route, so the two circuits never share a
! routing decision.
ip route vrf UTM1 0.0.0.0 0.0.0.0 Dialer1
ip route vrf UTM2 0.0.0.0 0.0.0.0 Dialer2
!
ip access-list extended NAT1
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended NAT2
 permit ip 192.168.2.0 0.0.0.255 any
!
! 10.10.10.0/29 is not configured on any interface in this config, and the
! other two entries are public /24s reachable over the ADSL links; review
! this list before reusing the config.
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 27.122.117.0 0.0.0.255
access-list 23 permit 203.161.135.0 0.0.0.255
dialer-list 1 protocol ip permit
!
control-plane
!
line con 0
 login local
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
! No access-class on the vty lines: Telnet and SSH are reachable on both
! public Dialer addresses from the Internet ("ip nat outside" does not drop
! packets addressed to the router itself). "access-class 23 in vrf-also" and
! "transport input ssh" would close that.
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

Router#

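The accepted config above stores the ISP CHAP password as a type 7 string, enables plain HTTP management, and leaves Telnet open on vty lines that have no access-class, which matters once two public Dialer addresses can reach them. The Python script below is an added example written for this thread, not code from the original posts, from Cisco or from Sophos. It decodes type 7 strings (the fixed-key XOR that IOS applies under `service password-encryption`), then audits a config excerpt for those exposures and checks that each VRF's default route exits a Dialer in the same VRF. `SAMPLE_CONFIG`, `HARDENED_CONFIG` and `ISP_PASSWORD` are constructed for the example and only modelled on the accepted solution; the `access-class 23 in vrf-also` and `transport input ssh` lines in the hardened variant are the editor's suggested changes, not something the thread itself recommends. The audit is general: it works on any IOS config in the same text form, not just this router's.

```python
"""Audit an IOS config excerpt for management-plane exposure and reversible
type 7 secrets. Added example for this thread, not code from the original
posts or from Cisco; SAMPLE_CONFIG / HARDENED_CONFIG are constructed excerpts
modelled on the accepted solution and ISP_PASSWORD is a placeholder."""
import re

# Cisco type 7 is a fixed-key XOR offset by the two-digit decimal seed that
# prefixes the string; it is reversible by design.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded: str) -> str:
    seed, body = int(encoded[:2]), bytes.fromhex(encoded[2:])
    return bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]
                 for i, b in enumerate(body)).decode()


def type7_encode(plain: str, seed: int = 0) -> str:
    enc = bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]
                for i, b in enumerate(plain.encode()))
    return f"{seed:02d}{enc.hex().upper()}"


ISP_PASSWORD = "S3cretPPP"  # placeholder credential, constructed for the example

SAMPLE_CONFIG = f"""\
enable secret 4 PASSWORD
interface Dialer1
 ip vrf forwarding UTM1
 ppp chap hostname username@internet.com
 ppp chap password 7 {type7_encode(ISP_PASSWORD, 11)}
interface Dialer2
 ip vrf forwarding UTM2
 ppp chap hostname username@internet.com
 ppp chap password 7 {type7_encode(ISP_PASSWORD, 3)}
ip http server
ip http secure-server
ip route vrf UTM1 0.0.0.0 0.0.0.0 Dialer1
ip route vrf UTM2 0.0.0.0 0.0.0.0 Dialer2
line vty 0 4
 transport input telnet ssh
"""

# The same excerpt with the management plane tightened (editor's suggestion):
# type 5 secret (placeholder hash), HTTPS only, SSH only, plus an access-class
# that also applies to sessions arriving inside the VRFs. The CHAP password
# must stay type 7 because PPP CHAP needs the cleartext on the router.
HARDENED_CONFIG = SAMPLE_CONFIG.replace(
    "enable secret 4 PASSWORD", "enable secret 5 $1$placeholder$hash"
).replace("ip http server\n", "").replace(
    " transport input telnet ssh", " access-class 23 in vrf-also\n transport input ssh")


def parse_sections(config: str) -> dict:
    """Map each top-level line to its indented sub-commands (empty list if none)."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections[current] = []
    return sections


def audit(config: str) -> list:
    """Return (severity, message) findings for the exposures discussed in the thread."""
    findings, sections = [], parse_sections(config)
    for m in re.finditer(r"^\s*(\S.*?password)\s+7\s+([0-9A-Fa-f]+)\s*$", config, re.M):
        findings.append(("high", f"'{m.group(1)} 7' is reversible; decodes to "
                                 f"{type7_decode(m.group(2))!r}"))
    if any(h.startswith("enable secret 4 ") for h in sections):
        findings.append(("medium", "enable secret uses the deprecated type 4 hash"))
    if "ip http server" in sections:
        findings.append(("medium", "plaintext HTTP management (ip http server) enabled"))
    for header, subs in sections.items():
        if not header.startswith("line vty"):
            continue
        if any(s.startswith("transport input") and ("telnet" in s or s.endswith(" all"))
               for s in subs):
            findings.append(("high", f"{header}: telnet accepted"))
        if not any(s.startswith("access-class") for s in subs):
            # Reachable on both public Dialer addresses: NAT does not drop packets to the router.
            findings.append(("high", f"{header}: no access-class, open to any source"))
    # Each VRF's default route must exit a Dialer that sits in that same VRF.
    dialer_vrf = {h.split()[1]: next((s.split()[-1] for s in subs
                                      if s.startswith("ip vrf forwarding")), None)
                  for h, subs in sections.items() if h.startswith("interface Dialer")}
    for h in sections:
        m = re.match(r"ip route vrf (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", h)
        if m and dialer_vrf.get(m.group(2)) != m.group(1):
            findings.append(("high", f"VRF {m.group(1)} default route exits {m.group(2)} "
                                     f"(VRF {dialer_vrf.get(m.group(2))})"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("as posted", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==", *(f"[{sev}] {msg}" for sev, msg in audit(cfg)), sep="\n")
```

Run it directly to print the findings for both variants. The CHAP password remains a finding even in the hardened config: PPP CHAP needs the cleartext on the router, so IOS can only store it reversibly, and the mitigation is treating the config file itself as a secret (and scrubbing real credentials before posting a config to a forum, as the thread's placeholder `1111111111` does).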
 

Author Closing Comment

by:WorkingItOut
Used a third party to create the config.