Using the CISCO 827(IOS) Router with a Cistron Broadband ADSL connection.
** PLEASE READ THE COMPLETE DOCUMENT FIRST, AND MAKE SURE YOU UNDERSTAND WHAT
YOU ARE DOING!! **
(Parts of this set-up could cause unwanted side effects for you and/or
the ISP and the customers of this ISP - I am not responsible in any way for
faults made during the implementation of the things mentioned in this DOCUMENT.
This solution is tested and proven to be working IF implemented as mentioned in
this document!)
Just like other ISPs in Holland, Cistron is
using ADSL bridges to connect your PC to the Internet. Nothing is wrong with
this set-up... But if you want to do more (like using NAT on the box connecting
you to the Internet and/or using DHCP to configure your local clients), Cisco has
a nice solution: the Cisco 827 router (an RFC1483 compliant device).
My preferred set-up:
Be a DHCP-Client on the ADSL (ISP) interface.
Use NAT to connect MORE clients to the ADSL connection.
Make use of DHCP to configure the (local) clients connected to the Ethernet
interface.
Simple? While building this configuration I ran into some 'small' problems,
but I was able to solve these and build a working configuration!
(Problems like the DHCP server trying to configure the 'BVI' (bridge virtual
interface) not with a Cistron, but with a local IP address, or the routing/NAT
over the BRIDGE set-up.)
The actual config.
(Only the parts needed to make things work are printed; securing the set-up
and possible other things are up to you!)
(Verify all the information: the DNS server settings of the ISP were valid at the
moment I updated this document, but the ISP could have changed them after I
published this document on my homepage.)
(All text printed in ITALIC style are CISCO commands, Non ITALIC
is extra information!)
hostname Router
ip subnet-zero
no ip domain-lookup
ip dhcp pool DHCP
 network 192.168.100.0 255.255.255.0
 dns-server 195.64.68.28 195.64.65.25
 default-router 192.168.100.254
 lease 0 0 15
ip route 0.0.0.0 0.0.0.0 195.64.x.x 254
bridge irb
interface Ethernet0
 ip address 192.168.100.254 255.255.255.0
 ip nat inside
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0/35
  encapsulation aal5snap
 bundle-enable
 dsl operating-mode auto
 bridge-group 1
 bridge-group 1 spanning-disabled
interface BVI1
 mac-address 0000.bec6.bec8 (*1)
 ip address dhcp
 ip nat outside
ip nat inside source list 1 interface BVI1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 195.64.x.x 254
no ip http server
access-list 1 permit 192.168.100.0 0.0.0.255
bridge 1 protocol ieee
bridge 1 route ip
bridge 1 address 0004.27fd.63ab discard (*2)
Simple? Ok.... some explanation of this example :-)
Since we are partly bridging and also want to use the 'BVI1' interface to take care of the actual bridging in this configuration, the 'BRIDGE IRB' command is vital (without it you are not able to create the BVI interface). The things configured on the ATM0 interface are standard for the CISTRON network (these settings might differ if you use the 827 with another ISP with an RFC1483 compatible set-up!).
Putting the ATM0 interface in BRIDGE-GROUP 1 takes care of the BRIDGING part of this configuration, and the Bridge Virtual Interface (BVI) is the interface we need to configure with an IP address. The advice from CISTRON is to use DHCP for this, so we do this with the 'IP ADDRESS DHCP' command while configuring the 'BVI 1' interface. One nasty default of this interface is that it uses a RANDOM mac-address.... This random mac-address assignment is a bad idea because the ISP uses this mac-address to assign an IP address to the router. It might cause a long timeout when it changes (a reload of the router can cause this), and it will take some time on the side of the ISP to flush and relearn the NEW mac-address. (During this period you will not get another IP address assigned to you via DHCP!) So... this is why we use a MANUALLY assigned MAC-ADDRESS on the 'BVI1' interface. (Tip: make sure you assign this MAC-ADDRESS before you make the INTERFACE active, otherwise you will be waiting for a few hours for the ISP to relearn your MAC-ADDRESS!)
(*1) Because you assign this mac-address by hand, make sure the mac-address you choose is not in use with the ISP by any other router/user. This will result in a conflict situation between the 2 devices/users (at least one of the devices will not work!)… (And do NOT use the MAC-ADDRESS from this document, as other users MIGHT already have done this.)
Now to make the NAT thing work you have to assign the IN and OUTside of your NAT set-up. The BVI1 interface will be used as the 'OUTSIDE' of your NAT set-up and ETHERNET0 will be used as the 'INSIDE' (the 'ip nat inside' and 'ip nat outside' commands in the example).
The 'ip nat inside source list 1 interface BVI1 overload' command makes the actual NAT configuration work; only traffic coming from the local subnet will be allowed to travel through the outside interface... (See the 'access-list 1 permit' entry in the configuration; you must adapt it if you use another IP range for your local network. It has to be the same IP subnet as used on the Ethernet0 interface!!)
Now tell the BRIDGE to use the IEEE protocol with 'bridge 1 protocol ieee' and allow IP routing on the bridge with 'bridge 1 route ip'.
!! The default route entry 'ip route 0.0.0.0 0.0.0.0 195.64.x.x 254' will be created automatically when the IP assignment via DHCP is done on the BVI interface. So you DO NOT put this in yourself!!
At this moment you have a working configuration without a DHCP server for your local network; enabling the interfaces should be enough to make the set-up work. But using DHCP makes life on the network simpler because you do not have to configure the interfaces by hand.
A simple DHCP set-up.
ip dhcp pool DHCP
 network 192.168.100.0 255.255.255.0
 dns-server 195.64.68.28 195.64.65.25
 default-router 192.168.100.254
 lease 0 0 15
This DHCP set-up enables the assignment of addresses from the IP range
192.168.100.0 (with a netmask of 255.255.255.0). Some options, like the DNS
servers of the ISP, you can extract while you get your IP address assigned by
the ISP.
To see this info:
use the 'debug dhcp detail' command while you are in enable mode on the
console of the router.
type 'conf t'
type 'interface bvi 1'
type 'shutdown' to shut the interface and
type 'no shutdown' to enable the interface again.
While shutting down the interface, you released the DHCP assigned address...
Enabling it should refresh/renew the LEASE......
Because you are 'DEBUGGING' the dhcp process (detailed) you should see some
info flashing over your screen.....
Look for something like this:
DHCP: Scan: Subnet Address Option: 255.255.255.0
DHCP: Scan: DNS Name Server Option: 195.64.68.28, 195.64.65.25
DHCP: Scan: Domain Name: adsl.cistron.nl
And now you know what DNS servers the ISP is using for the CLIENTS.....
(You see those addresses in the 'dns-server' option of the DHCP example...)
**BUT**
By putting in and enabling this DHCP part in this config you run into a problem!!!
Since the new DHCP server on your CISCO box is now responding to the DHCP
request of the BVI interface, you will not get a connection to the Internet working.
Again, a trick to work around this is to deny ALL traffic from the LOCAL
interface in the BRIDGE-GROUP.
By putting the local MAC-ADDRESS of ETHERNET0 in a bridge discard statement, NO
traffic from the LOCAL ETHERNET interface will be able to reach the BVI located
IN the bridge group.
(*2) 'bridge 1 address 0004.27fd.63ab discard': be sure to
replace this MAC-ADDRESS with the one from your local Ethernet interface.
(Putting in any other than the local MAC-ADDRESS will make the DHCP server
respond to the BVI interface requesting an IP address!!!!! You might also annoy
some SYS-ADMINS with the ISP, and this is ONE thing you do not want to DO :-) )
DON’T forget this piece, because I already got reactions from different people
forgetting this piece in the configuration (or not putting in the correct
mac-address…..), resulting in non-working configurations! RTFM does work :o)
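The consistency rules from the explanation above (a manual BVI1 MAC that is not the one from this document, a discard entry equal to the Ethernet0 MAC, access-list 1 and the DHCP pool on the Ethernet0 subnet) can be checked before the interfaces are enabled. This Python check is an added example, not part of the original document; it assumes an indented config as 'show running-config' prints it, and the function names, the sample config and the MAC 0011.2233.4455 are constructed for illustration.

```python
import ipaddress, re

DOC_BVI_MAC = "0000.bec6.bec8"  # the example BVI1 MAC printed in the document
# Constructed sample config: both MAC addresses were copied from the document unchanged.
SAMPLE = """\
ip dhcp pool DHCP
 network 192.168.100.0 255.255.255.0
interface Ethernet0
 ip address 192.168.100.254 255.255.255.0
interface BVI1
 mac-address 0000.bec6.bec8
 ip address dhcp
access-list 1 permit 192.168.100.0 0.0.0.255
bridge 1 address 0004.27fd.63ab discard
"""

def sub(config, parent, pattern):
    """Search `pattern` in the indented sub-commands under the top-level line `parent`."""
    m = re.search(rf"^{re.escape(parent)}\n((?:[ \t]+.*\n?)*)", config, re.M)
    return re.search(pattern, m.group(1)) if m else None

def net(addr, mask):
    """Build a network from address + mask; accepts netmasks and IOS wildcard masks."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def audit(config, eth0_mac):
    """Return a list of problems. eth0_mac is the MAC of Ethernet0 (assumed known)."""
    problems = []
    eth = sub(config, "interface Ethernet0", r"ip address (\S+) (\S+)")
    if not eth:
        return ["Ethernet0 has no static IP address"]
    lan = net(*eth.groups())
    mac = sub(config, "interface BVI1", r"mac-address (\S+)")
    if not mac or mac.group(1).lower() == DOC_BVI_MAC:
        problems.append("BVI1 needs its own manual mac-address")
    discard = re.search(r"^bridge 1 address (\S+) discard", config, re.M)
    if not discard or discard.group(1).lower() != eth0_mac.lower():
        problems.append("bridge discard entry is not the Ethernet0 MAC")
    acl = re.search(r"^access-list 1 permit (\S+) (\S+)", config, re.M)
    if not acl or net(*acl.groups()) != lan:
        problems.append("access-list 1 does not match the Ethernet0 subnet")
    pool = sub(config, "ip dhcp pool DHCP", r"network (\S+) (\S+)")
    if pool and net(*pool.groups()) != lan:
        problems.append("DHCP pool network does not match the Ethernet0 subnet")
    return problems

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, "0011.2233.4455")) or "config is consistent")
```

The Ethernet0 MAC has to be supplied separately because it does not appear in the configuration itself.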
Last reminder:
Because of some bugs in the Cisco IOS I can advise using the 12.2(8)T5
release; older versions seem to break after some days of operation (box dies,
power cycle required).
When finished, you should have a bare working configuration for your CISCO-827. (Other ADSL equipped boxes (IOS driven) should also work quite similarly.)
Response is always appreciated, positive or negative…. Hints, tips or where to deliver the
apple-pie: my email is hermanb@xs4all.nl
:-)
Mind, this info is compiled from a working situation (I installed several boxes
like this and all work great!) on the Cistron network already, for the company I
work for…
Will do installs later this year using other (BBNed Powered) ISPs….