PPPoE configuration on cisco router
Hi,
I have a cisco ISR4321 router with OS 17.02.01r and a zyxel VMG3006-D70A modem.
I want to use the modem on a ADSL 16Mbit link with a fixed IPv4 address from ISP. The modem is in modem mode by default. That means, that all packets that come to the DSL port will be forwarded to port 2-4. The modem is connected to the dsl port and the status on the webinterface of the modem is "connected", I can also see the up-/download speed. Then I connected the cisco router to the modem port 4. The port on the router is port GigabitEthernet 0/0/0.
With the show pppoe commands and so on I see that it is not up and running. Even the IP-Address is not assigned automatically. (Should I see that?)
Attached you can find my router configuration, but I can't figure out what I made wrong. I had a template configuration from an old colleague who is not in our company anymore, from which I tried to configure this setup.
It would be very helpful if someone can help or assist here. If I shall provide some logs etc. pls tell me.
Thank you very much and best regards
gleixnerd
version 17.2
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
!
hostname static3tsg-rt01
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 9 XXX
!
aaa new-model
!
!
!
!
!
!
!
!
aaa session-id common
!
ip domain name XXX
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-2440242732
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2440242732
revocation-check none
rsakeypair TP-self-signed-2440242732
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
!
!
no license feature hseck9
license udi pid ISR4321/K9 sn FDO261629VN
license boot level securityk9
memory free low-watermark processor 69596
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username admin privilege 15 password 0 XXX
!
redundancy
mode none
!
!
!
!
!
!
interface GigabitEthernet0/0/0
description Internet static IP
no ip address
no ip proxy-arp
negotiation auto
no cdp enable
pppoe enable group global
pppoe-client dial-pool-number 1
ip virtual-reassembly
!
interface GigabitEthernet0/0/1
ip address 192.168.1.1 255.255.255.0
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Dialer1
ip address negotiated
no ip proxy-arp
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname XXX@t-online.de
ppp chap password 0 XXX
ppp pap sent-username XXX@t-online.de password 0 XXX
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
!
ip access-list extended 120
10 permit ip 192.168.1.0 0.0.0.255 any
20 deny ip any any
dialer-list 1 protocol ip permit
!
!
!
!
!
control-plane
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
access-class 120 in
exec-timeout 120 0
transport input telnet ssh
!
Content-ID: 3921339321
Url: https://administrator.de/contentid/3921339321
Printed on: 23.11.2024 at 12:11
9 comments
From the dialer port ppp user credentials it looks like it's a European VDSL connection. You hopefully have on the radar that nearly every EU provider used a VLAN tagged VDSL connection?! In terms of the German T-Com it's VLAN ID 7 which your port config is missing in case your external modem did NO tagging.
With an external modem you have to first clarify if your modem is providing the VLAN 7 tag or if the router must do this in case the modem cannot provide the tag.
The other 2 important issues are the missing NAT (address translation to the Internet) and the correspondent dialer list and overload command as well as the missing MTU setting on the PPPoE port.
The German T-Com (in case it's a T-Com connection?!) did not support CHAP in the PPP authorisation so you can omit that. On top of that the PPP DNS and default route requests are missing so that the PPP link will fail.
Also you can omit the IP related settings on the physical port. They all belong to the mapped Dialer interface only.
So a bunch of configuration issues which prevent the PPPoE connection from working correctly. 🤔
Assuming this is a German T-Com connection and your modem is providing the mandatory VLAN 7 tag, a correctly configured Dialer interface should look like this:
!
interface GigabitEthernet0/0/0
description Internet static IP
no ip address
negotiation auto
no cdp enable
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Dialer0
description VDSL PPPoE Internet Interface
ip address negotiated
mtu 1492
no ip redirects
no ip unreachables
no ip proxy-arp
ip verify unicast reverse-path
ip nat outside
encapsulation ppp
dialer pool 1
ppp authentication pap callin
ppp pap sent-username 001234567890123456780001@t-online.de password 1234567
ppp ipcp dns request
ppp ipcp mask request
ppp ipcp route default
!
interface GigabitEthernet0/0/1
description Local LAN
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip tcp adjust-mss 1452
!
ip nat inside source list 120 interface Dialer0 overload
!
dialer-list 1 protocol ip list 120
!
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
In case your external modem does no VLAN tagging for the PPPoE connection itself you need the router to do this. This requires some change at the physical interface to work with an 802.1q tagged VLAN subnet.
interface GigabitEthernet0/0/0
description Internet static IP
no ip address
no cdp enable
!
interface GigabitEthernet0/0/0.7
description VDSL Internet Verbindung - VLAN 7 tagged
encapsulation dot1Q 7
pppoe enable group global
pppoe-client dial-pool-number 1
!
Additional important points which should be corrected in your config!:
- With ppp ipcp route default the default route is automatically requested from the provider and the static route ip route 0.0.0.0 0.0.0.0 Dialer1 is not necessary anymore and should be deleted from the config. For PPP that is a much better option to propagate the default route. ppp ipcp dns request sets the PPPoE provided DNS server.
- The "20 deny ip any any" statement in ACL 120 is default and can be omitted.
- It is highly insecure to leave the HTTP server active on a router which is exposed to the internet. Due to the recent security breach CVE-2023-20198, which makes unpatched Cisco routers vulnerable via HTTP, the HTTP and HTTPS servers should always be disabled with no!!
- You should activate service password-encryption and should never use unencrypted passwords. Always use scrypt style passwords. See HERE for further details!
Take a look at the local Cisco router tutorial which describes all the steps in detail. Unfortunately in German, but a translator may help here.
You have to configure your dialer-group on Gi0/0/0.7
Edit: @aqui was a bit faster, the Zyxel VMG3006 usually does not provide tagging, so the router has to be configured correctly.
That is not correct! Please take a look into the modems manual. Like all other modems on the market the Zyxel VMG3006 can do the mandatory VDSL tagging too!
Under "Network setting -> Broadband -> Add/Edit new WAN Interface" it can be set without any problems if you want the modem to do the VDSL VLAN tagging:
But it is an ADSL link with 16Mbit/s download speed, not a VDSL link, in case that makes a difference?
Nope, that doesn't matter. All modems are hybrid modems and work with both ADSL and VDSL. The Cisco only "sees" the PPPoE traffic, which is plain Ethernet on its side.
For further investigations you can also activate the debugger with debug pppoe packets and debug pppoe events to watch the PPPoE control traffic with the provider DSLAM. That also shows you and verifies if the modem is working properly and passes PPPoE traffic from the router.
Keep in mind that you need to issue a term mon command in case you are connected via Telnet or SSH and not directly on the serial console. Otherwise debug or console messages will not be forwarded to Telnet or SSH connections!
Do I need NAT when I just want to make a vpn ipsec tunnel to a remote station?
No, in this case NAT is not needed of course.
And it is working.
Congrats! 👏👍
Now I will install a zone based FW and then I should be ready for the VPN implementation.
All steps for both functions you'll find in the above Cisco Tutorial including a client VPN with all onboard VPN clients (L2TP). If your VPN is a site2site VPN you'll find additional tutorials here and here.