[cisco-nas] Bonded PPPoE over bridged DSL lines with multilink PPP
Joe Mays
jfmays at launchpad.win.net
Mon Mar 28 12:53:53 EDT 2011
Okay, I got this to work, for a given value of working. Adding ppp
multilink to the virtual template on the 7206 and removing the minimum
links entry on the 2600 led to the connection coming up with both ends
showing both links bundled into one MLP bundle, and I was able to ping
both directions across the bundle fine. Unfortunately, inexplicably,
the 2600, which had its default route set to "ip route 0.0.0.0 0.0.0.0
Dialer1", began ignoring the default route. It could ping the local
LAN, could ping the 7206, but given an IP address that was not
directly connected, it would respond "no route to host".

This is close to working. Can anyone offer any ideas about what might
have been causing this?

----- Original Message -----
From: "Joe Mays" <jfmays at launchpad.win.net>
To: <cisco-nas at puck.nether.net>
Sent: Saturday, March 19, 2011 2:26 AM
Subject: [cisco-nas] Bonded PPPoE over bridged DSL lines with multilink PPP

Okay. At one end is a 2620 running 12.3(15) IPBase, with a 4NME card.
At the other is a 7206. Between them are three DSL lines, all running
in bridged mode. Two are bonded together between the DSL modem and the
DSLam, so essentially, we have two long Ethernet lines, plugged into
ports ethernet1/0 and ethernet1/1 on the 2620.

          /--------C1 ~~~~\
A ~~~~~~~ B<               > D
          \========C2 ~~~~/

A (Cisco 7206, FE2/0)
B (Zhone Bitstorm)
~ (ethernet link)
- (single DSL line)
= (bonded DSL lines)
D (Cisco 2620, 4NME card, E1/0 and E1/1)

Essentially it all seems to work, turning it up with one port binds
virtual access 1 to the multilink PPP connection. But when both ports
are turned up on the 2620, it binds the second port, but then the
second port begins to go up and down and massive packet loss starts
occurring. It's not the DSL line, we tried both lines separately in
port 1, both work great. It's not the port, the same problem occurs if
we use ethernet1/2 as the second port, instead of E1/1. I was just
guessing at the config to make this work and I may have done it
completely wrongly.

Cisco 2620 config....
Current configuration : 1388 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Quickcash
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxx.
!
aaa new-model
!
!
aaa authentication login default local
aaa accounting delay-start
aaa session-id common
ip subnet-zero
ip cef
!
!
!
vpdn enable
vpdn ip udp ignore checksum
!
vpdn-group 1
request-dialin
protocol pppoe
!
!
username admin password 0 xxxxxxxx
!
!
!
interface FastEthernet0/0
ip address xxx.24.2.89 255.255.255.248
duplex auto
speed auto
!
interface Ethernet1/0
no ip address
full-duplex
pppoe enable
pppoe-client dial-pool-number 1
!
interface Ethernet1/1
no ip address
shutdown
full-duplex
pppoe enable
pppoe-client dial-pool-number 1
!
interface Ethernet1/2
no ip address
shutdown
full-duplex
pppoe enable
pppoe-client dial-pool-number 1
!
interface Ethernet1/3
no ip address
shutdown
half-duplex
!
interface Dialer1
ip address xxx.24.12.100 255.255.255.0
ip mtu 1420
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username quickcash1 password 0 xxxxxxxx
ppp multilink
ppp multilink links minimum 2
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
!
!
line con 0
line aux 0
line vty 0 4
transport preferred none
transport input telnet
!
!
end
Cisco 7206 Config....
Current configuration : 11227 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname gw1.armplc
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxx
!
aaa new-model
!
!
aaa group server radius WinAuthAcct
server xxx.24.27.48 auth-port 1812 acct-port 1813
server xxx.24.27.49 auth-port 1812 acct-port 1813
!
aaa authentication login default local
aaa authentication ppp default local group WinAuthAcct
aaa authorization exec default local none
aaa authorization network default local group WinAuthAcct if-authenticated
aaa accounting delay-start
aaa accounting update newinfo
aaa accounting network default start-stop broadcast group WinAuthAcct
aaa session-id common
ip subnet-zero
no ip source-route
!
!
ip cef
ip telnet source-interface Loopback100
ip tftp source-interface Loopback100
ip domain list win.net
ip domain name win.net
ip name-server xxx.24.27.3
ip name-server xx.235.0.25
ip name-server xxx.24.27.4
!
no ip bootp server
pppoe-forwarding
!
!
!
!
!
!
!
!
!
!
!
username admin secret 5 xxxxxxxx
username quickcash1 password 0 xxxxxxxx
!
!
controller T3 6/0
!
!
bba-group pppoe global
virtual-template 1
!
bba-group pppoe global1
virtual-template 2
!
!
interface Loopback100
description gw1.armplc.win.net loopback interface
ip address 216.24.30.16 255.255.255.255
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface FastEthernet1/0
ip address xxx.24.8.1 255.255.255.0
duplex full
!
interface FastEthernet1/0.2
encapsulation dot1Q 2
ip address xxx.24.12.193 255.255.255.192
pppoe enable group global
no snmp trap link-status
!
interface FastEthernet1/0.3
encapsulation dot1Q 3
ip tcp adjust-mss 1360
pppoe enable group global1
no snmp trap link-status
!
interface FastEthernet1/0.16
encapsulation dot1Q 16
no snmp trap link-status
!
interface FastEthernet1/0.17
encapsulation dot1Q 17
no snmp trap link-status
!
interface FastEthernet2/0
no ip address
shutdown
duplex half
!
interface Serial3/0
description Armory Place CO to Heyburn
bandwidth 44210
ip address 216.24.28.246 255.255.255.252
ip route-cache flow
dsu bandwidth 44210
framing c-bit
cablelength 50
serial restart-delay 0
no cdp enable
!
interface Serial3/1
no ip address
shutdown
dsu bandwidth 44210
framing c-bit
cablelength 10
serial restart-delay 0
!
interface Serial4/0
no ip address
shutdown
dsu bandwidth 44210
framing c-bit
cablelength 10
serial restart-delay 0
!
interface ATM5/0
no ip address
shutdown
no atm ilmi-keepalive
!
interface Virtual-Template1
ip unnumbered FastEthernet1/0.2
ip tcp adjust-mss 1360
peer default ip address pool pppoepool
ppp authentication pap chap
!
interface Virtual-Template2
mtu 1400
ip unnumbered FastEthernet1/0.3
peer default ip address pool pppoepool
ppp mtu adaptive
ppp authentication pap chap
!
router ospf 5150
log-adjacency-changes
area 0 authentication message-digest
summary-address 216.24.9.0 255.255.255.128
redistribute connected subnets route-map ospf-redistrib
redistribute static subnets route-map ospf-redistrib
passive-interface default
no passive-interface FastEthernet1/0
no passive-interface Serial3/0
no passive-interface Loopback100
network 24.235.0.0 0.0.31.255 area 0
network 216.24.0.0 0.0.63.255 area 0
!
ip local pool pppoepool 216.24.12.100 216.24.12.180
ip classless
ip route 0.0.0.0 0.0.0.0 Serial3/0
ip route 216.24.2.88 255.255.255.248 216.24.12.100
ip route 216.24.35.91 255.255.255.255 216.24.12.100
no ip http server
!
!
!
ip access-list standard allow-our-nets
permit 216.24.0.0 0.0.63.255
permit 24.235.0.0 0.0.31.255
!
ip access-list extended in-block-all-smtp-nb
deny tcp any any eq smtp log-input
deny tcp any any range 135 139 log-input
permit udp any eq netbios-ns host 216.24.27.3 eq domain
permit udp any eq netbios-ns host 216.24.27.4 eq domain
permit udp any eq netbios-ns host 199.120.154.17 eq domain
permit udp host 216.24.27.3 eq domain any eq netbios-ns
permit udp host 216.24.27.4 eq domain any eq netbios-ns
permit udp host 199.120.154.17 eq domain any eq netbios-ns
deny udp any any eq netbios-ns
deny udp any any range 135 netbios-ss log-input
deny tcp any any eq 445 log-input
deny udp any any eq 445 log-input
permit ip any any
ip access-list extended in-block-nb
remark -- Same as out-block-nb
deny tcp any any range 135 139 log-input
permit udp any eq netbios-ns host 216.24.27.3 eq domain
permit udp any eq netbios-ns host 216.24.27.4 eq domain
permit udp any eq netbios-ns host 199.120.154.17 eq domain
permit udp host 216.24.27.3 eq domain any eq netbios-ns
permit udp host 216.24.27.4 eq domain any eq netbios-ns
permit udp host 199.120.154.17 eq domain any eq netbios-ns
deny udp any any eq netbios-ns
deny udp any any range 135 netbios-ss log-input
deny tcp any any eq 445 log-input
deny udp any any eq 445 log-input
permit ip any any
ip access-list extended in-block-smtp-nb
permit tcp any 216.24.27.0 0.0.0.255 eq smtp
deny tcp any any eq smtp log-input
deny tcp any any range 135 139 log-input
permit udp any eq netbios-ns host 216.24.27.3 eq domain
permit udp any eq netbios-ns host 216.24.27.4 eq domain
permit udp any eq netbios-ns host 199.120.154.17 eq domain
permit udp host 216.24.27.3 eq domain any eq netbios-ns
permit udp host 216.24.27.4 eq domain any eq netbios-ns
permit udp host 199.120.154.17 eq domain any eq netbios-ns
deny udp any any eq netbios-ns
deny udp any any range 135 netbios-ss log-input
deny tcp any any eq 445 log-input
deny udp any any eq 445 log-input
permit ip any any
ip access-list extended in-dangerously-allow-all
permit ip any any
ip access-list extended in-permitlog-smtp
remark -- This one is used to see who we need to not apply blocksmtp to.
remark -- It is functionally identical to in-block-nb.
permit tcp any 216.24.27.0 0.0.0.255 eq smtp
permit tcp any any eq smtp syn log-input
permit tcp any any eq smtp
deny tcp any any range 135 139 log-input
permit udp any eq netbios-ns host 216.24.27.3 eq domain
permit udp any eq netbios-ns host 216.24.27.4 eq domain
permit udp any eq netbios-ns host 199.120.154.17 eq domain
permit udp host 216.24.27.3 eq domain any eq netbios-ns
permit udp host 216.24.27.4 eq domain any eq netbios-ns
permit udp host 199.120.154.17 eq domain any eq netbios-ns
deny udp any any eq netbios-ns
deny udp any any range 135 netbios-ss log-input
deny tcp any any eq 445 log-input
deny udp any any eq 445 log-input
permit ip any any
ip access-list extended out-block-all-smtp-nb
deny tcp any eq smtp any log-input
deny tcp any any range 135 139 log-input
permit udp any eq netbios-ns host 216.24.27.3 eq domain
permit udp any eq netbios-ns host 216.24.27.4 eq domain
permit udp any eq netbios-ns host 199.120.154.17 eq domain
permit udp host 216.24.27.3 eq domain any eq netbios-ns
permit udp host 216.24.27.4 eq domain any eq netbios-ns
permit udp host 199.120.154.17 eq domain any eq netbios-ns
deny udp any any eq netbios-ns
deny udp any any range 135 netbios-ss log-input
deny tcp any any eq 445 log-input
deny udp any any eq 445 log-input
permit ip any any
ip access-list extended out-block-nb
remark -- Same as in-block-nb
deny tcp any any range 135 139 log-input
permit udp any eq netbios-ns host 216.24.27.3 eq domain
permit udp any eq netbios-ns host 216.24.27.4 eq domain
permit udp any eq netbios-ns host 199.120.154.17 eq domain
permit udp host 216.24.27.3 eq domain any eq netbios-ns
permit udp host 216.24.27.4 eq domain any eq netbios-ns
permit udp host 199.120.154.17 eq domain any eq netbios-ns
deny udp any any eq netbios-ns
deny udp any any range 135 netbios-ss log-input
deny tcp any any eq 445 log-input
deny udp any any eq 445 log-input
permit ip any any
ip access-list extended out-block-smtp-nb
permit tcp 216.24.27.0 0.0.0.255 eq smtp any
deny tcp any eq smtp any log-input
deny tcp any any range 135 139 log-input
permit udp any eq netbios-ns host 216.24.27.3 eq domain
permit udp any eq netbios-ns host 216.24.27.4 eq domain
permit udp any eq netbios-ns host 199.120.154.17 eq domain
permit udp host 216.24.27.3 eq domain any eq netbios-ns
permit udp host 216.24.27.4 eq domain any eq netbios-ns
permit udp host 199.120.154.17 eq domain any eq netbios-ns
deny udp any any eq netbios-ns
deny udp any any range 135 netbios-ss log-input
deny tcp any any eq 445 log-input
deny udp any any eq 445 log-input
permit ip any any
ip access-list extended out-dangerously-allow-all
permit ip any any
ip access-list extended out-permitlog-smtp
permit tcp any 216.24.27.0 0.0.0.255 eq smtp
permit tcp any any eq smtp log-input
deny tcp any any range 135 139 log-input
permit udp any eq netbios-ns host 216.24.27.3 eq domain
permit udp any eq netbios-ns host 216.24.27.4 eq domain
permit udp any eq netbios-ns host 199.120.154.17 eq domain
permit udp host 216.24.27.3 eq domain any eq netbios-ns
permit udp host 216.24.27.4 eq domain any eq netbios-ns
permit udp host 199.120.154.17 eq domain any eq netbios-ns
deny udp any any eq netbios-ns
deny udp any any range 135 netbios-ss log-input
deny tcp any any eq 445 log-input
deny udp any any eq 445 log-input
permit ip any any
ip radius source-interface Loopback100
logging source-interface Loopback100
!
route-map ospf-redistrib permit 10
match ip address allow-our-nets
!
snmp-server trap-source Loopback100
!
radius-server attribute nas-port format c
radius-server dead-criteria tries 2
radius-server host 216.24.27.201 auth-port 1645 acct-port 1646
radius-server host 216.24.27.202 auth-port 1645 acct-port 1646
radius-server host 216.24.27.203 auth-port 1645 acct-port 1646
radius-server host 216.24.27.204 auth-port 1645 acct-port 1646
radius-server host 216.24.27.205 auth-port 1645 acct-port 1646
radius-server host 216.24.27.206 auth-port 1645 acct-port 1646
radius-server host 216.24.27.207 auth-port 1645 acct-port 1646
radius-server host 216.24.27.208 auth-port 1645 acct-port 1646
radius-server host 216.24.27.209 auth-port 1645 acct-port 1646
radius-server host 216.24.27.200 auth-port 1645 acct-port 1646
radius-server retry method reorder
radius-server transaction max-tries 3
radius-server retransmit 0
radius-server timeout 3
radius-server deadtime 2
radius-server key m00c0w6809
radius-server vsa send accounting
radius-server vsa send authentication
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
exec-timeout 60 0
logging synchronous
transport preferred none
transport input telnet
!
!
end
--
"The problem with our concept of mind is that we confuse our own kind
of self-awareness with thinking in general. Self-awareness is an
attribute of certain kinds of social animals. Why should a mind be
self-aware? It's enough it's world-aware. If it isn't socially
connected to other minds, it doesn't need social filters or
self-modeling. It's self-making, self-sufficient. It embodies and
acts. A world-aware mind is just one step closer to God than you and
I."
-- Greg Bear, "Slant"
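
The mismatch described in the follow-up (multilink and a minimum link count on the client Dialer, no multilink on the 7206 virtual templates) can be checked mechanically before bringing links up. This is an added example, not part of the original post: the two excerpts are constructed from the configs quoted above, and the function names are hypothetical.

```python
import re

# Constructed excerpts modelled on the two quoted configs (not the full configs).
CPE_2620 = """\
interface Ethernet1/0
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface Dialer1
 encapsulation ppp
 dialer pool 1
 ppp multilink
 ppp multilink links minimum 2
!
"""
LNS_7206 = """\
interface Virtual-Template1
 ip unnumbered FastEthernet1/0.2
 ppp authentication pap chap
!
interface Virtual-Template2
 mtu 1400
 ppp authentication pap chap
!
"""

def interface_stanzas(config):
    """Map interface name -> its sub-commands. A "!" line closes a stanza,
    so this also works on configs whose indentation was lost in an archive."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            current = stanzas.setdefault(m.group(1), [])
        elif line == "!":
            current = None
        elif current is not None and line:
            current.append(line)
    return stanzas

def mlp_report(config):
    """For each Dialer/Virtual-Template: is MLP enabled, and is a minimum set?"""
    report = {}
    for name, cmds in interface_stanzas(config).items():
        if name.startswith(("Dialer", "Virtual-Template")):
            minimum = next((int(c.split()[-1]) for c in cmds
                            if c.startswith("ppp multilink links minimum")), None)
            report[name] = {"multilink": "ppp multilink" in cmds,
                            "min_links": minimum}
    return report
```

Running `mlp_report` on each end and comparing the results shows the state before the fix: the Dialer requests a bundle of at least two links while neither virtual template has multilink enabled.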