Configuring routing and ACL for Cisco 891 router
far0921kmk asked:
Dear experts,
A Happy New Year to all.
I need to configure a Cisco router with a little urgency.
I however have a very poor knowledge about it so I would be grateful if someone could guide me for how to configure it.
Product: C891 (GE WAN x1 (Gi8), GE switchport x8 (Gi0 - 7))
Internet connectivity: 1Gbps internet line
Public IP: IP8 (114.22.169.80/29, Gateway address 114.22.169.81)
LAN IP: 192.168.1.0/24
<Desired configuration>
- DHCP enabled for wired and wireless clients
- NAT between a video conferencing system (LAN IP: 192.168.1.250) and one of the public IP addresses allocated to the VC (Public IP: 114.22.169.83).
- Any other communication can be statically routed to a gateway.
- Deny SSH, telnet from outside and any other basic vulnerable protocols.
What I have done so far is as per attached. As you can see, totally without routing and ACL lines :-(
Please let me know if any information is lacking for support. Thank you so much in advance for your co-operation.
Current configuration : 2395 bytes
!
! Last configuration change at 18:59:35 JST Tue Dec 27 2016
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname c891
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
enable secret 5 $1$CvAQ$oACJ9G8q3zwmUzv45n
enable password 7 121A25193C5B185C222A362D72
!
no aaa new-model
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.1.161 192.168.1.254
!
ip dhcp pool guest
network 192.168.1.0 255.255.255.0
default-router 192.168.1.254
dns-server 61.112.122.97 61.112.122.1
lease 7
!
!
!
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C891FJ-K9 sn FGL1926243F
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0
switchport access vlan 1000
no ip address
!
interface GigabitEthernet1
switchport access vlan 1000
no ip address
!
interface GigabitEthernet2
switchport access vlan 1000
no ip address
!
interface GigabitEthernet3
switchport access vlan 1000
no ip address
!
interface GigabitEthernet4
switchport access vlan 1000
no ip address
!
interface GigabitEthernet5
switchport access vlan 1000
no ip address
!
interface GigabitEthernet6
switchport access vlan 1000
no ip address
!
interface GigabitEthernet7
switchport access vlan 1000
no ip address
!
interface GigabitEthernet8
ip address 114.22.169.82 255.255.255.248
duplex auto
speed auto
!
interface Vlan1
no ip address
!
interface Vlan1000
ip address 192.168.1.254 255.255.255.0
no autostate
!
interface Async3
no ip address
encapsulation slip
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
!
!
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
exec-timeout 0 0
no modem enable
line aux 0
line 3
modem InOut
speed 115200
flowcontrol hardware
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
!
end
ASKER
Hi Garry-G,
Thank you so much for your post.
I will try the given configuration tomorrow. In the meanwhile I would like to ask you about the ip route.
Since my DHCP config is for machines to have 192.168.1.254 as a default gateway, ip route should be below?
ip route 192.168.1.254 255.255.255.0 114.22.169.82
Not quite ...
ip route 0.0.0.0 0.0.0.0 114.22.169.81
The route is defined with the destination (0.0.0.0 with 0 netmask is the default route), and the gateway, which is your upstream router, thus .81 and not your own IP.
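As an added check that is not part of the thread: a small validator for the two route statements in this exchange. It uses the router's own interface addresses from the posted config as constructed input and flags the two mistakes in the asker's proposal (a destination with host bits set, and the router's own address used as next hop), while the corrected default route passes.

```python
import ipaddress

# Constructed from the posted config: the router's own connected interfaces.
INTERFACES = {
    "GigabitEthernet8": ipaddress.ip_interface("114.22.169.82/29"),
    "Vlan1000": ipaddress.ip_interface("192.168.1.254/24"),
}

def check_static_route(line, interfaces=INTERFACES):
    """Validate one 'ip route <dest> <mask> <next-hop>' line.

    Returns a list of problems; an empty list means the route is sane.
    """
    parts = line.split()
    if len(parts) < 5 or parts[:2] != ["ip", "route"]:
        return ["not an 'ip route' statement"]
    dest, mask, nh = parts[2], parts[3], parts[4]
    problems = []
    # strict=True rejects a destination like 192.168.1.254/24: that is a
    # host address, not the network the mask describes.
    try:
        ipaddress.ip_network(f"{dest}/{mask}", strict=True)
    except ValueError:
        problems.append(f"{dest} {mask} has host bits set; not a network")
    try:
        nh_addr = ipaddress.ip_address(nh)
    except ValueError:
        return problems + [f"next hop {nh} is not an IP address"]
    # The next hop must be the upstream router (.81 here), never our own
    # address, and it must sit on a subnet we are directly connected to.
    if any(nh_addr == i.ip for i in interfaces.values()):
        problems.append(f"next hop {nh} is the router's own address")
    elif not any(nh_addr in i.network for i in interfaces.values()):
        problems.append(f"next hop {nh} is not on a connected subnet")
    return problems
```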
ASKER
Hi Gerry-G,
Ahh thank you so much. With your kind explanation I now understand a little about the default route.
I will configure this tomorrow remotely (the router is currently connected to my desktop through console) and then will try the physical setup on-site.
Thank you again.
ASKER
I meant Garry-G, sorry!
ASKER
Hi Garry-G,
I placed the C891 router - DHCP and internet connection for both wired and wireless machines work great so thank you so much!
One thing not working is the Video Conferencing system (Polycom) connection. I cannot ping or trace an external Polycom test IP.
The current config is as follows, do you see what seems to be missing or incorrect? I have modified the ACL names a little ;-)
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname c891
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
enable secret 5 $1$CvAQ$oACJ9G8q3zwmUzv45n 1o91
enable password 7 121A25193C5B185C222A362D72
!
no aaa new-model
!
!
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.1.161 192.168.1.254
!
ip dhcp pool guest
network 192.168.1.0 255.255.255.0
default-router 192.168.1.254
dns-server 61.112.122.97 61.112.122.1
lease 7
!
!
!
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C891FJ-K9 sn FGL1926243F
!
!
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0
switchport access vlan 1000
no ip address
!
interface GigabitEthernet1
switchport access vlan 1000
no ip address
!
interface GigabitEthernet2
switchport access vlan 1000
no ip address
!
interface GigabitEthernet3
switchport access vlan 1000
no ip address
!
interface GigabitEthernet4
switchport access vlan 1000
no ip address
!
interface GigabitEthernet5
switchport access vlan 1000
no ip address
!
interface GigabitEthernet6
switchport access vlan 1000
no ip address
!
interface GigabitEthernet7
switchport access vlan 1000
no ip address
!
interface GigabitEthernet8
ip address 114.22.169.82 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Vlan1
no ip address
!
interface Vlan1000
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
no autostate
!
interface Async3
no ip address
encapsulation slip
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
!
!
ip nat pool VC_OUTSIDE 114.22.169.83 114.22.169.83 netmask 255.255.255.0
ip nat inside source list LAN interface GigabitEthernet8 overload
ip nat inside source list VC pool VC_OUTSIDE overload
ip route 0.0.0.0 0.0.0.0 114.22.169.81
!
ip access-list standard LAN
deny 192.168.1.250
permit 192.168.1.0 0.0.0.255
ip access-list standard PolycomVC
permit 192.168.1.250
!
!
access-list 23 permit 192.168.1.0 0.0.0.255
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
exec-timeout 0 0
no modem enable
line aux 0
line 3
modem InOut
speed 115200
flowcontrol hardware
line vty 0 4
access-class 23 in
password 7 08226C40274911401A0A1E016B
login
transport input all
!
scheduler allocate 20000 1000
!
end
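As an added check, not code from the thread: a short linter over the NAT, ACL and management lines of the config above. It reports any `ip nat inside source list` statement whose access-list is never defined (here the NAT rule names `VC` while the ACL is named `PolycomVC`, so the Polycom's traffic is matched by nothing and never translated), and also flags the vty and http settings a reviewer would want to look at. The sample input is a constructed excerpt of the posted config with IOS-style indentation.

```python
import re

# Constructed sample: the NAT, ACL, http and vty lines from the config posted
# above, indented the way IOS prints sub-commands, so the check runs offline.
SAMPLE_CONFIG = """\
ip http server
no ip http secure-server
ip nat pool VC_OUTSIDE 114.22.169.83 114.22.169.83 netmask 255.255.255.0
ip nat inside source list LAN interface GigabitEthernet8 overload
ip nat inside source list VC pool VC_OUTSIDE overload
ip route 0.0.0.0 0.0.0.0 114.22.169.81
ip access-list standard LAN
 deny 192.168.1.250
 permit 192.168.1.0 0.0.0.255
ip access-list standard PolycomVC
 permit 192.168.1.250
access-list 23 permit 192.168.1.0 0.0.0.255
line vty 0 4
 access-class 23 in
 login
 transport input all
"""

def defined_acls(cfg):
    """Every access-list the config defines, by name or number."""
    names = set(re.findall(r"^ip access-list (?:standard|extended) (\S+)", cfg, re.M))
    names |= set(re.findall(r"^access-list (\d+) ", cfg, re.M))
    return names

def nat_list_refs(cfg):
    """ACL names used by 'ip nat inside source list <name> ...' statements."""
    return re.findall(r"^ip nat inside source list (\S+) ", cfg, re.M)

def lint(cfg):
    """Return findings as strings; an empty list means nothing to report."""
    findings = []
    acls = defined_acls(cfg)
    for ref in nat_list_refs(cfg):
        if ref not in acls:
            # A dangling reference matches no traffic, so that source is never
            # translated: this matches the symptom reported in the thread.
            findings.append(f"NAT references undefined access-list '{ref}'")
    # Management-plane checks on each 'line vty' block (sub-commands are indented).
    for m in re.finditer(r"^line vty[^\n]*\n((?: [^\n]*\n)*)", cfg, re.M):
        body = m.group(1)
        if "access-class" not in body:
            findings.append("vty line without access-class")
        if "transport input all" in body:
            findings.append("vty accepts all transports (telnet included)")
    if re.search(r"^ip http server$", cfg, re.M) and re.search(r"^no ip http secure-server$", cfg, re.M):
        findings.append("HTTP management enabled while HTTPS is disabled")
    return findings
```

Renaming the reference to the defined list (`source list PolycomVC`) clears the NAT finding; the vty finding stays until `transport input` is narrowed to ssh.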
ASKER
Hi Garry-G,
Thank you so much for your prompt reply!
I've modified that line and everything started working as wished. Allow me to run the router for whole day tomorrow before closing this question. Again, thank you very much!!!!
Do you own 114.22.169.82 255.255.255.248 range?
If so, your NAT configuration is not good.
You basically use just 2 IP addresses from the whole range, .82 and .83, and .84 - .86 will never be used.
That is correct - anyway, unless there are specific servers that need their "own" IPs, or unless there are hundreds of concurrent users, using a single IP for the general Internet access should not cause any problems. I would rather be concerned by the fact that according to the author this is a 1G line ... and an 890 series router will most likely NOT be able to fully forward that amount of traffic ... it is officially rated for about 50Mbps in total, and that is based on CEF and without additional features like VPN etc. ...
See this Document for rates: https://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf (somewhat aged, but 890 is already contained)
"using a single IP for the general Internet access should not cause any problems."
Except in the case that there are too many sessions - then there will be no possibility to switch to another address and continue "business as usual".
;)
890 series can take around 120 - 150Mb of traffic on WAN - interface itself is 1Gb. If you check Cisco testing it will show much smaller number 50Mb, but with small data packets (64bytes).
Check the question for comparison.
In the real world the router has a throughput of 60Mb; in Cisco testing, 15.36Mb, but sure it will slow down as the configuration gets complex.
For a somewhat more detailed performance comparison, see this document ... http://www.anticisco.ru/pubs/ISR_G2_Perfomance.pdf ... not too much newer, but a lot more detailed with different scenarios. So, in theory, based on the pps values, the router SHOULD deliver up to a total of 1400 Mbps (/2 for duplex), though even with just the NAT/PAT features used (which is the case here), it drops down to the 75Mbps range ...
The "too many sessions" is why I mentioned the number of users ... based on this CPE device, I would not expect the author to be using it in a large enterprise environment, but rather small to medium commercial area ... having 65k sessions active at the same time would probably be unusual, but if any problems would occur, one could always define a new pool with multiple IPs, similar to the Voice gateway, to allow for multiple external IPs to be used.
ASKER
Thank you so much, and my apologies for my reply being late, as I had to wait a few days to confirm things are working well - and it is working well. I only have fewer than 80 users, and this line is, as you can see, for the guests and users' personal devices. So the actual number of users should be around 40 or so.
Thank you again for your great support Garry-G, and next time when I need to configure the router I will keep in mind for what Jovic advised.
DHCP setup ought to be working already;
for NAT, add the appropriate entries to the interfaces and the actual NAT rule:
In order to allow routing to the outside for the rest of the machines, you need to add more NAT:
As for the ACL, without outside->inside NAT, you already have an implicit access control ... except access to the router itself, which you can fix with an access group on the VTY ...
(I hope I did not add too many typos, didn't try entering the above in an actual router ;) )