Geekzone: technology news, blogs, forums
Topic # 95610 9-Jan-2012 13:57

Hi All,
I've got a Cisco 857 in use at home - currently doing NAT and working fine.

I am keen to try out a half-bridge setup to my firewall box to muck around. I understand that it's a waste of an awesome device etc.. just want to have a play.

I have done a bunch of reading and I can't find a definitive guide. I understand I need to use half bridge (with the 857 handling the PPPoA auth), but I can't find an example config (unless you count examples using isdn/serial interfaces/pppoe etc)

Do you just need to bridge Dialer0 and vlan1?
How does the firewall get the IP passed on? DHCP?

Keen for anyone with experience to post their experiences and a possible config.

(Just to be clear I'm fine with networking concepts and using the cli, just need some help with this particular situation).

Thanks! 

  Reply # 566605 9-Jan-2012 19:17

Be aware that in Cisco world half bridging refers to bridging ethernet frames and nothing like what it is commonly understood to mean here on Geekzone.  "ppp bridge ip" will not get you anywhere.

That said, I expect you probably can make this work as Cisco make a pretty flexible routing platform.  The only caveat I'd say is you'll likely need a static IP.

Off the top of my head I'd try the following

1. Set your dialler interface to be unnumbered.
2. Add a static default via the dialler interface
3. Create a small subnet around your static IP.  You might get away with a /31 eventually but start out with a /24 to keep things simple.
4. Pick another IP in that subnet and assign it to the ethernet interface of your 857
5. On the firewall configure the static IP as the external interface IP and the IP of the router as your default gateway.
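
The five steps above written out as an 857 configuration, as an added example (editor's addition, not the poster's config and untested on the poster's hardware). It assumes the ISP has issued the static address 203.0.113.10 and routes it down the PPP session whatever address the router offers in IPCP, uses 203.0.113.0/24 as the "small subnet" of step 3 with 203.0.113.1 as the router's own address, PVC 0/100 with VC-MUX PPPoA as described later in this thread, and placeholder CHAP credentials. All addresses and secrets are placeholders from the documentation range.

```cisco
! Added example, not from the thread. Placeholders: 203.0.113.0/24,
! 203.0.113.10 = the ISP-issued static IP that the firewall will own,
! 203.0.113.1 = the 857's own LAN-side address, PVC 0/100 VC-MUX PPPoA,
! CHAP credentials. Assumption to confirm with the provider: the static IP
! is routed down the session regardless of the address the router proposes.
!
no ip source-route
username admin privilege 15 secret REPLACE_ADMIN_SECRET
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 pvc 0/100
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
! Step 1: the dialer borrows Vlan1's address instead of negotiating one,
!         so the ISP-issued static IP stays free for the firewall.
interface Dialer0
 ip unnumbered Vlan1
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname REPLACE_USER@isp.example
 ppp chap password 0 REPLACE_PPP_SECRET
!
! Steps 3 and 4: the /24 around the static IP lives on the switch-port VLAN,
!                and the router takes a different address inside it.
interface Vlan1
 ip address 203.0.113.1 255.255.255.0
!
! Step 2: static default out the dialer. Packets for 203.0.113.10 arrive
!         over PPP, match the connected /24, and are ARPed out Vlan1 to the
!         firewall. There is no NAT anywhere on this box.
ip route 0.0.0.0 0.0.0.0 Dialer0
!
! 203.0.113.1 is now a routable public address, so keep management off the
! WAN side: SSH only, and only from the firewall's address.
ip access-list standard MGMT
 permit host 203.0.113.10
line vty 0 4
 access-class MGMT in
 transport input ssh
 login local
!
! Step 5 is on the firewall, not on the 857:
!   outside interface 203.0.113.10/24, default gateway 203.0.113.1
```

Because the router answers ARP for 203.0.113.1 on the LAN and forwards for the rest of the /24, anything plugged into the switch ports sits on public address space; the vty access-class is the minimum you would want before trying this.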



  Reply # 566620 9-Jan-2012 19:55

thanks now those documents make a lot more sense - doesn't really help the situation though!
 


  Reply # 566674 9-Jan-2012 22:03

Try setting it up as a full bridge, then you can enter PPPoE details in your firewall and hope the Cisco converts that to PPPoA. Full bridge means your firewall always knows what its public IP is if it's dynamic, because it doesn't have to wait for a DHCP lease to expire. I have an ancient modem set up for bridge and it's been far more reliable than in its original use as a NAT router.




  Reply # 2112600 23-Oct-2018 09:48

wasabi2k: [quotes the original post in full]


@wasabi2k - did you ever manage to sort this out?  I've found myself in the exact same situation and I've got an 800 series Cisco ADSL modem/router that I would like to do a PPPoA to PPPoE bridge with, like the Draytek Vigor modems can do. The reason I don't use a Draytek is the chipset is not very compatible with the Broadcom chipset in my DSLAM so I get really slow sync speeds.  The Cisco is Broadcom so I get a full 2mbps better sync speed.  Any tips would be most appreciated!


  Reply # 2113887 25-Oct-2018 15:37

Thanks - that is helpful, but that link looks like it was for an ADSL connection for a non-NZ telco so I'm a little bit stumped on trying to adapt that configuration for the network here.

Namely, I think the PVC setting is 0/100 and I believe the encapsulation is VC MUX, and I'm not quite sure how to set the encapsulation correctly as aal5mux requires extra variables set than aal5snap.

Would I use something like

encapsulation aal5mux pppoe group global

Do I need to create other settings in the config to accommodate the aal5mux settings?  Remember, I don't want this Cisco to do anything other than handle the modem duties and I want my device behind it to handle the authentication over PPPoE.



  Reply # 2113954 25-Oct-2018 16:47

This is my ATM config on my 837 (not configured to bridge though).


interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode ansi-dmt
!
interface ATM0.1 point-to-point
pvc 0/100
encapsulation aal5mux ppp dialer
dialer pool-member 1
ip addr inarp
!
!


  Reply # 2116228 29-Oct-2018 14:15

Well...I'm still stuck.  Can't seem to get it to work. I can't use your suggestions above because I'm looking to bridge through to my cisco Meraki device which needs to do the PPP dialing.

 

I have the config below, but I keep getting this error whenever my Meraki starts trying to dial PPPoE:

Oct 29 00:04:59.783: %TBRIDGE-4-NOVCFLOOD: No VC's configured for bridging on ATM0.1

Building configuration...

Current configuration : 1548 bytes
!
! Last configuration change at 00:04:31 UTC Mon Oct 29 2018
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
ip cef
!
!
!
!
!
!
!
!
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid C897VA-K9 sn FGL182923FZ
!
!
vtp mode transparent
!
!
!
!
!
controller VDSL 0
!
vlan 11
!
!
!
!
!
!
!
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
bridge-group 11
pvc 0/100
encapsulation aal5mux pppoe group global
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface Ethernet0
no ip address
shutdown
!
interface GigabitEthernet0
switchport access vlan 11
no ip address
!
interface GigabitEthernet1
no ip address
!
interface GigabitEthernet2
no ip address
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
no ip address
!
interface GigabitEthernet5
no ip address
!
interface GigabitEthernet6
no ip address
!
interface GigabitEthernet7
no ip address
!
interface GigabitEthernet8
no ip address
shutdown
duplex auto
speed auto
!
interface Vlan1
no ip address
!
interface Vlan11
no ip address
bridge-group 11
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
!
!
control-plane
!
bridge 11 protocol ieee
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
!
end
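
For reference on the error in the post above: %TBRIDGE-4-NOVCFLOOD means the bridge group has no VC it can flood frames onto. `encapsulation aal5mux pppoe` sets the PVC up for the router to terminate PPPoE itself, not for transparent bridging, which in IOS uses RFC 1483 bridged (aal5snap) encapsulation on the PVC. The fragment below is an added example of the bridged form of the posted config, not a tested configuration from the thread. It rests on one assumption the poster would need to confirm with the provider: that the BRAS accepts PPPoE inside bridged frames on PVC 0/100 rather than only VC-MUX PPPoA as described earlier in the thread. Nothing in this thread identifies an IOS feature that converts PPPoA to PPPoE the way the Draytek does, so a bridged PVC only helps where the provider speaks PPPoE.

```cisco
! Added example, not the poster's running config. Assumes PVC 0/100 and that
! the provider accepts PPPoE in RFC 1483 bridged (aal5snap) frames on it; the
! Meraki on GigabitEthernet0 runs the PPPoE client and holds the public IP.
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 ! RFC 1483 bridged encapsulation. "aal5mux pppoe group global" is the form
 ! for the router terminating PPPoE itself, which is why the bridge group
 ! had no VC to flood onto.
 pvc 0/100
  encapsulation aal5snap
 bridge-group 11
!
interface GigabitEthernet0
 switchport access vlan 11
!
interface Vlan11
 no ip address
 bridge-group 11
!
! Same transparent bridge group as the posted config.
bridge 11 protocol ieee
!
! The box carries no IP address at all in this role, so it is console-only;
! close the vty lines that the posted config left on "transport input all".
line vty 0 4
 transport input none
```

Once the PVC is bridged, the check is `show bridge 11` after the Meraki starts dialling: the Meraki's MAC should appear on Vlan11 and the BRAS's MAC on ATM0.1. If only the LAN side ever shows up, the far end is not answering PPPoE discovery and the PPPoA-only assumption is the likely reason.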


  Reply # 2121229 7-Nov-2018 07:08

Spyware: [quotes the ATM0 config posted above]

@spyware well, I've given up on the bridge setup as everything I have tried has failed and can't get an answer on the cisco forums either.  Having some issues still just configuring this thing in standard PPPOA with NAT for ADSL, though. Would you mind sharing your full config with me (without your passwords, of course!).  Feel free to PM it to me if you prefer?


Thanks!



  Reply # 2121248 7-Nov-2018 08:36

887VA-K9 running on Spark ADSL since 2011.


Building configuration...

Current configuration : 4854 bytes
!
! Last configuration change at 10:14:55 UTC Sat Jul 9 2011 by administrator
! NVRAM config last updated at 10:14:56 UTC Sat Jul 9 2011 by administrator
!
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 887VAK9
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
enable secret 5 $1$dxxxxqZKPu3RxxxxKezbtqUQG0
!
no aaa new-model
memory-size iomem 10
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1359307773
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1359307773
revocation-check none
!
!
crypto pki certificate chain TP-self-signed-1359307773
certificate self-signed 01
3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
D291F04A BF340D57 36232772 71AD3BB8 E7225AFA 6B4889C5 DE03E9F9 F6C03613
DD367AA8 EFA2928F 184BA1BF 1F5BDC
quit
ip source-route
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.120
ip dhcp excluded-address 192.168.1.135 192.168.1.254
!
ip dhcp pool LAN_addresses
import all
network 192.168.1.0 255.255.255.0
dns-server 202.27.158.40
default-router 192.168.1.254
!
!
ip cef
ip domain name rosslab.com
ip name-server 202.27.158.40
no ipv6 cef
!
!
license udi pid CISCO887VA-K9 sn FGL152425RK
!
!
username administrator privilege 15 password 0 xxxxxx4321
!
!
!
!
controller VDSL 0
operating mode adsl2+
!
!
!
crypto isakmp policy 50
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxxxxxxx address 203.xxx.yyy.zzz no-xauth
!
!
crypto ipsec transform-set WORKVPN esp-3des esp-sha-hmac
!
crypto map VPN_MAP 10 ipsec-isakmp
set peer 203.xxx.yyy.zzz
set transform-set WORKVPN
match address INT_TRAFFIC
!
!
!
!
!
interface Ethernet0
no ip address
ip virtual-reassembly in
no fair-queue
hold-queue 100 out
!
interface ATM0
no ip address
ip flow ingress
ip nat outside
ip virtual-reassembly in
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
ip flow ingress
pvc 0/100
encapsulation aal5mux ppp dialer
dialer pool-member 1
ip addr inarp
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
ip address 192.168.1.254 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly in
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
ppp authentication pap callin
ppp pap sent-username xxxxxx.xadsl@xtra.co.nz password 0 1234abcd
crypto map VPN_MAP
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip flow-cache timeout active 5
ip flow-export source ATM0
ip flow-export version 9
ip flow-export destination 192.168.1.65 9996
ip flow-top-talkers
top 1
sort-by packets
!
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended INT_TRAFFIC
permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
ip access-list extended NAT_ADDRESSES
remark CCP_ACL Category=16
deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
!
logging esm config
!
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address NAT_ADDRESSES
!
snmp-server community public RO
snmp-server ifindex persist
!
control-plane
!
banner motd ^C
My new router
^C
!
line con 0
exec-timeout 30 0
password xxxxxx
logging synchronous
no modem enable
line aux 0
line vty 0 4
password xxxxxx
logging synchronous
login local
transport input ssh
!
sntp server 117.18.82.8
end
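
As an added note on the config just posted (editor's addition, not something the poster wrote): a handful of its lines are the ones a security reviewer would change before putting it on a public ADSL link. Credentials are stored in clear (`no service password-encryption`, `username ... password 0`), the SNMP community is the default `public` with no access list, `ip source-route` is on, the HTTP server is enabled, the console and vty lines use cleartext line passwords, and the IKE policy is 3DES, SHA-1 and DH group 2. The fragment below is a hypothetical delta against the posted config with placeholder secrets; it assumes the running IOS 15.x image supports AES and SHA-256 in `crypto isakmp policy` and `crypto ipsec transform-set` (check with `hash ?` and `crypto ipsec transform-set ?`), and the work-side VPN peer must be changed to match.

```cisco
! Added hardening delta for the posted 887VA config. Not the poster's config;
! REPLACE_* are placeholders. Assumes an IOS 15.x image with AES / SHA-256
! support in IKEv1 and IPsec.
!
! Credentials: keep the existing type-5 enable secret, stop storing the admin
! user in clear. "no username" first, since IOS refuses a secret on a user
! that already has a password.
service password-encryption
no username administrator
username administrator privilege 15 secret REPLACE_ADMIN_SECRET
!
! Management plane: SSH v2 only, from the LAN only, no HTTP, no default SNMP.
ip ssh version 2
no ip http server
no ip http secure-server
no snmp-server community public RO
ip access-list standard MGMT_IN
 permit 192.168.1.0 0.0.0.255
 deny   any log
line vty 0 4
 access-class MGMT_IN in
 exec-timeout 10 0
 login local
 transport input ssh
!
! Read-only SNMP only if the NetFlow/monitoring host really needs it, and
! only from the LAN.
snmp-server community REPLACE_RO_COMMUNITY RO MGMT_IN
!
! Source routing is not needed on a home NAT router.
no ip source-route
!
! IKE/IPsec: off 3DES, SHA-1 and DH group 2. The peer at 203.xxx.yyy.zzz
! must be updated to the same proposal.
crypto isakmp policy 50
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto ipsec transform-set WORKVPN esp-aes 256 esp-sha256-hmac
!
! Keep local logs; the posted config turned the buffer off.
logging buffered 32768 informational
```

After applying it, `show running-config | include password|community` should show no `password 0` lines and no `public`, and `show crypto isakmp sa` after the tunnel re-keys confirms the peer accepted the new proposal.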

 

 

