gleixnerd

PPPoE configuration on Cisco router

Hi,

I have a Cisco ISR4321 router with OS 17.02.01r and a Zyxel VMG3006-D70A modem.

I want to use the modem on an ADSL 16 Mbit link with a fixed IPv4 address from the ISP. The modem is in modem mode by default, which means that all packets arriving on the DSL port are forwarded to ports 2-4. The modem is connected to the DSL port and the status on the modem's web interface is "connected"; I can also see the up-/download speed. Then I connected the Cisco router to modem port 4. The port on the router is GigabitEthernet 0/0/0.
With the show pppoe commands and so on I see that it is not up and running. Even the IP address is not assigned automatically. (Should I see that?)

Attached you can find my router configuration, but I can't figure out what I did wrong. I had a template configuration from a former colleague who is no longer with our company, from which I tried to configure this setup.

It would be very helpful if someone could help or assist here. If I should provide some logs etc., please tell me.

Thank you very much and best regards

gleixnerd


version 17.2
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
!
hostname static3tsg-rt01
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret 9 XXX
!
aaa new-model
!
!
!
!
!
!
!
!
aaa session-id common
!
ip domain name XXX
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
! 
! 
! 
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-2440242732
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2440242732
 revocation-check none
 rsakeypair TP-self-signed-2440242732
!
crypto pki trustpoint SLA-TrustPoint
 enrollment pkcs12
 revocation-check crl
!
!
!
no license feature hseck9
license udi pid ISR4321/K9 sn FDO261629VN
license boot level securityk9
memory free low-watermark processor 69596
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username admin privilege 15 password 0 XXX
!
redundancy
 mode none
!
!
!
!
!
!
interface GigabitEthernet0/0/0
 description Internet static IP
 no ip address
 no ip proxy-arp
 negotiation auto
 no cdp enable
 pppoe enable group global
 pppoe-client dial-pool-number 1
 ip virtual-reassembly
!
interface GigabitEthernet0/0/1
 ip address 192.168.1.1 255.255.255.0
 negotiation auto
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
interface Dialer1
 ip address negotiated
 no ip proxy-arp
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname XXX@t-online.de
 ppp chap password 0 XXX
 ppp pap sent-username XXX@t-online.de password 0 XXX
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
!
ip access-list extended 120
 10 permit ip 192.168.1.0 0.0.0.255 any
 20 deny   ip any any
dialer-list 1 protocol ip permit
!
!
!
!
!
control-plane
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class 120 in
 exec-timeout 120 0
 transport input telnet ssh
!

Content-ID: 3921339321

URL: https://administrator.de/contentid/3921339321

Printed on: 23.11.2024 at 12:11

aqui (Solution) 03.04.2024, updated at 21:54:16
From the dialer port PPP user credentials it looks like a European VDSL connection. You hopefully have on the radar that nearly every EU provider uses a VLAN-tagged VDSL connection?! For the German T-Com it's VLAN ID 7, which your port config is missing in case your external modem does NO tagging.
With an external modem you first have to clarify whether your modem provides the VLAN 7 tag or whether the router must do this in case the modem cannot provide the tag.

The other 2 important issues are the missing NAT (address translation to the Internet) with the corresponding dialer list and overload command, as well as the missing MTU setting on the PPPoE port.
The German T-Com (in case it's a T-Com connection?!) does not support CHAP in the PPP authentication, so you can omit that. On top of that the PPP DNS and default route requests are missing, so the PPP link will fail.
Also you can omit the IP-related settings on the physical port. They all belong to the mapped Dialer interface only.
So a bunch of configuration issues which prevent the PPPoE connection from working correctly. 🤔

Assuming this is a German T-Com connection and your modem provides the mandatory VLAN 7 tag, a correctly configured Dialer interface should look like this:
!
interface GigabitEthernet0/0/0
 description Internet static IP
 no ip address
 negotiation auto
 no cdp enable
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Dialer0
 description VDSL PPPoE Internet Interface
 ip address negotiated
 mtu 1492
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip verify unicast reverse-path
 ip nat outside
 encapsulation ppp
 dialer pool 1
 ppp authentication pap callin
 ppp pap sent-username 001234567890123456780001@t-online.de password 1234567
 ppp ipcp dns request
 ppp ipcp mask request
 ppp ipcp route default 
!
interface GigabitEthernet0/0/1
 description Local LAN 
 ip address 192.168.1.254 255.255.255.0
 ip nat inside 
 ip tcp adjust-mss 1452 
!
ip nat inside source list 120 interface Dialer0 overload
!
dialer-list 1 protocol ip list 120
!
access-list 120 permit ip 192.168.1.0 0.0.0.255 any 

In case your external modem does no VLAN tagging for the PPPoE connection itself, you need the router to do this. This requires some changes at the physical interface to work with an 802.1Q tagged VLAN subinterface.
interface GigabitEthernet0/0/0
 description Internet static IP
 no ip address
 no cdp enable
!
interface GigabitEthernet0/0/0.7
 description VDSL Internet Verbindung - VLAN 7 tagged
 encapsulation dot1Q 7
 pppoe enable group global
 pppoe-client dial-pool-number 1
! 

Additional important points which should be corrected in your config!:
  • With ppp ipcp route default the default route is automatically requested from the provider, and the static route ip route 0.0.0.0 0.0.0.0 Dialer1 is not necessary anymore and should be deleted from the config. For PPP that is a much better option to propagate the default route. ppp ipcp dns request sets the PPPoE-provided DNS server.
  • The "20 deny ip any any" statement in ACL 120 is the default and can be omitted.
  • It is highly insecure to leave the HTTP server active on a router which is exposed to the Internet. Due to the recent security breach CVE-2023-20198, which makes unpatched Cisco routers vulnerable via HTTP, the HTTP and HTTPS servers should always be disabled with the no form of the command!!
  • You should activate service password-encryption and should never use unencrypted passwords. Always use scrypt-style passwords. See HERE for further details!

Take a look at the local Cisco router tutorial which describes all the steps in detail. Unfortunately in German, but a translator may help here.
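As an added example (not part of aqui's post or the poster's config), here are the hardening points from the bullet list above written out in IOS XE configuration syntax. It assumes the Dialer0 / GigabitEthernet0/0/0 naming, ACL 120 and the 192.168.1.0/24 LAN from this thread; the secrets in angle brackets are placeholders.

```cisco
! Added example: the hardening steps from the bullets above, not the poster's or aqui's config.
! Assumptions: Dialer0 / ACL 120 / 192.168.1.0/24 as in the thread; <...> are placeholders.
!
! 1. Drop the static default route; PPP installs it via "ppp ipcp route default" on Dialer0.
no ip route 0.0.0.0 0.0.0.0 Dialer1
!
! 2. Management ACL: the implicit deny at the end makes "20 deny ip any any" unnecessary.
ip access-list extended 120
 10 permit ip 192.168.1.0 0.0.0.255 any
!
! 3. Disable the web UI on an Internet-facing box (CVE-2023-20198 hit the IOS XE web UI).
no ip http server
no ip http secure-server
!
! 4. No cleartext credentials: scrypt (type 9) secrets for enable and local users,
!    service password-encryption for everything that can only be stored as type 7.
service password-encryption
enable algorithm-type scrypt secret <enable-secret>
username admin privilege 15 algorithm-type scrypt secret <admin-secret>
!
! 5. Management access via SSHv2 only (no telnet), restricted to the LAN by ACL 120.
ip ssh version 2
line vty 0 4
 access-class 120 in
 exec-timeout 10 0
 transport input ssh
```

Two caveats worth knowing before calling this done. SSH needs an RSA key pair; if `show crypto key mypubkey rsa` is empty, generate one with `crypto key generate rsa modulus 2048` first. And `service password-encryption` only turns the PAP sent-password into a reversible type 7 string (it cannot be hashed, because the router must send it in the clear to the ISP), so treat the running-config as sensitive regardless; the scrypt secrets are the part that is actually irreversible. Check the result with `show running-config | include secret|password|http` and `show ip http server status`.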
shadynet 03.04.2024, updated at 21:14:43
You have to configure your dialer-group on Gi0/0/0.7

Edit: @aqui was a bit faster; the Zyxel VMG3006 usually does not provide tagging, so the router has to be configured correctly.
aqui 03.04.2024, updated at 21:33:25
That is not correct! Please take a look into the modem's manual. Like all other modems on the market, the Zyxel VMG3006 can do the mandatory VDSL tagging too!
Under Network Setting -> Broadband -> Add/Edit New WAN Interface it can be set without any problems if you want the modem to do the VDSL VLAN tagging:
[screenshot: zyxvlan]
gleixnerd 04.04.2024 at 09:08:34
Hi everyone,

at first thank you all for your help.

It is true that I have a German Telekom link. I just wrote in English to get more answers. But it is an ADSL link with 16 Mbit/s download speed, not a VDSL link, in case that makes a difference?

I saw on the Zyxel web interface that I can tag the traffic, so I will try that.

I will try out your recommended configuration changes and give a report.

Best regards
gleixnerd
aqui 04.04.2024, updated at 10:18:20
But it is an ADSL link with 16 Mbit/s download speed, not a VDSL link, in case that makes a difference?
Nope, that doesn't matter. All modems are hybrid modems and work with both ADSL and VDSL.
The Cisco only "sees" the PPPoE traffic, which is plain Ethernet on its side.

For further investigation you can also activate the debugger with debug pppoe packets and debug pppoe events to watch the PPPoE control traffic with the provider's DSLAM. That also shows you and verifies whether the modem is working properly and passes PPPoE traffic from the router.
Keep in mind that you need to issue a term mon command in case you are connected via Telnet or SSH and not directly on the serial console. Otherwise debug or console messages will not be forwarded to Telnet or SSH sessions!
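As an added example (not from aqui's post), the debug approach above as a complete verification session on the router. It assumes the Dialer0 / GigabitEthernet0/0/0.7 naming from the earlier answer; the output fragments quoted in the comments are constructed to show what to look for, not captured from the poster's router.

```cisco
! Added example, not from the original thread. Assumes Dialer0 and Gi0/0/0.7 from aqui's answer.
! Privileged EXEC over SSH: "terminal monitor" is needed to see debug output in a remote session.
terminal monitor
debug pppoe events
debug pppoe packets
!
! Bounce the tagged subinterface to force a fresh PPPoE discovery and watch for the
! PADI -> PADO -> PADR -> PADS exchange, followed by LCP, PAP and IPCP negotiation.
configure terminal
 interface GigabitEthernet0/0/0.7
  shutdown
  no shutdown
 end
!
! How to read it (constructed fragments, not real output):
!   repeated "Sending PADI" with no PADO received  -> the DSLAM never sees the request:
!       wrong or missing VLAN 7 tag, modem not forwarding to port 4, or no DSL sync
!   PADS received but PAP fails / IPCP never reaches Open -> credentials or PAP/CHAP mismatch
!   IPCP Open -> Dialer0 receives its negotiated address and the PPP default route
!
! Turn debugging off as soon as you have what you need; it is CPU heavy on a live router.
undebug all
!
! State checks that work without any debugging:
show pppoe session
show interfaces Dialer0
show ip interface brief | include Dialer
show ip route 0.0.0.0
show interfaces GigabitEthernet0/0/0.7
```

`show pppoe session` is the quickest yes/no: a session in state UP with a non-zero session ID means the modem is passing the tagged PPPoE frames and the provider has answered; an empty table while PADIs keep going out points at the VLAN tag or the modem, not at the PPP credentials.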
gleixnerd 04.04.2024 at 12:39:17
Okay good to know thanks.

Do I need NAT when I just want to make an IPsec VPN tunnel to a remote station?

Best regards
gleixnerd
gleixnerd 04.04.2024 at 16:32:52
UPDATE:

I changed the configuration according to your example configuration and it is working. Now I will install a zone-based FW and then I should be ready for the VPN implementation.

Again thank you very much for your help

Best regards
gleixnerd
aqui 04.04.2024 at 18:49:58
Do I need NAT when I just want to make an IPsec VPN tunnel to a remote station?
No, in this case NAT is not needed of course.
and it is working.
Congrats! 👏👍
Now I will install a zone-based FW and then I should be ready for the VPN implementation.
All steps for both functions you'll find in the above Cisco tutorial, including a client VPN with all on-board VPN clients (L2TP).
If your VPN is a site-to-site VPN you'll find additional tutorials here and here.
gleixnerd 05.04.2024 at 09:29:34
Perfect, I already read through your Cisco tutorial and it helped me a lot to get some basic knowledge.
Thank you

Best regards
gleixnerd