Several examples of configuring PPPoE on an Ethernet interface on various Cisco 8xx-series routers.
First variant of a working example, for 12.4:
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pppoe
bba-group pppoe global
interface Ethernet1
 no ip address
 duplex auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
interface Dialer0
 mtu 1492
 ip address negotiated
 no ip proxy-arp
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname pik
 ppp chap password 0 password
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
dialer-list 1 protocol ip permit
bba-group pppoe global is created automatically (when protocol pppoe is configured); PPPoE-specific settings are configured in it.
There is no point in putting «ip address dhcp» on the Ethernet interface, because the IP address is assigned as follows:
At the IPCP stage (negotiation, or NCP), the PPPoE server sends the IP address in a CONFACK packet; it takes the address either from the NAS or from its local settings.
The IP address is assigned to the Dialer interface, from which the Virtual-Access interfaces are cloned.
The Ethernet interface selects Dialers from the dial-pool specified in the configuration.
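A model of the IPCP exchange behind `ip address negotiated`, as an added example that is not part of the original page: following RFC 1332, the client requests 0.0.0.0, the server answers with a Configure-Nak carrying the assigned address, and the Configure-Ack confirms that address once the client requests it. The address 203.0.113.10 and all function names are constructed for illustration.

```python
import ipaddress
import struct

# IPCP uses the LCP packet layout (RFC 1332 / RFC 1661):
# Code (1 byte), Identifier (1), Length (2), then type-length-value options.
CONF_REQ, CONF_ACK, CONF_NAK = 1, 2, 3
OPT_IP_ADDRESS = 3  # IP-Address option, always 6 bytes long
SAMPLE_ASSIGNED = "203.0.113.10"  # constructed address (documentation range)

def build(code, ident, ip):
    """Encode an IPCP packet carrying a single IP-Address option."""
    opt = struct.pack("!BB4s", OPT_IP_ADDRESS, 6, ipaddress.IPv4Address(ip).packed)
    return struct.pack("!BBH", code, ident, 4 + len(opt)) + opt

def parse(pkt):
    """Decode an IPCP packet; returns (code, identifier, address or None)."""
    if len(pkt) < 4:
        raise ValueError("truncated IPCP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad IPCP length field")
    opts, ip = pkt[4:length], None
    while opts:
        if len(opts) < 2 or opts[1] < 2 or opts[1] > len(opts):
            raise ValueError("malformed option")
        if opts[0] == OPT_IP_ADDRESS and opts[1] == 6:
            ip = str(ipaddress.IPv4Address(opts[2:6]))
        opts = opts[opts[1]:]
    return code, ident, ip

def server_reply(request, assigned):
    """Server side: Nak with the assigned address until the client asks for it."""
    code, ident, wanted = parse(request)
    if code != CONF_REQ:
        raise ValueError("expected Configure-Request")
    return build(CONF_ACK if wanted == assigned else CONF_NAK, ident, assigned)

def negotiate(assigned=SAMPLE_ASSIGNED, max_rounds=3):
    """Client side of 'ip address negotiated': returns (address, codes seen)."""
    wanted, seen = "0.0.0.0", []
    for ident in range(1, max_rounds + 1):
        code, rid, offered = parse(server_reply(build(CONF_REQ, ident, wanted), assigned))
        if rid != ident:
            raise ValueError("identifier mismatch")
        seen.append(code)
        if code == CONF_ACK:
            return offered, seen
        wanted = offered  # take the address from the Nak and request it
    raise RuntimeError("IPCP did not converge")
```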
Another variant:
c871.pav.ru#sh run
Building configuration...

Current configuration : 2087 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname c871
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 $1$N7No$0kcQbJdzAdPDsyJLm9Nlv/
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
!
!
vpdn enable
!
vpdn-group 1
!
!
!
!
username artem secret 5 $1$Rhi5$tOD3VzqcQewDkJMZ85Ymi.
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key izm_pav address 213.33.х.х no-xauth
!
!
crypto ipsec transform-set new-set esp-3des esp-md5-hmac
!
crypto map VPNtunnel 10 ipsec-isakmp
 set peer 213.33.x.x
 set transform-set new-set
 set pfs group2
 match address 101
!
!
bba-group pppoe global
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 no ip address
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Vlan1
 ip address 192.168.0.100 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer0
 mtu 1492
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname host
 ppp chap password 0 pass
 crypto map VPNtunnel
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
ip nat inside source list ACL_NAT interface Dialer0 overload
!
ip access-list extended ACL_NAT
 deny ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 any
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
dialer-list 1 protocol ip permit
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 password vty_pass
 login
 transport input telnet ssh
!
scheduler max-task-time 5000
end
A third working configuration, from a Cisco 881. It works for me, but without any vpdn configuration.
c88115#sh run
Building configuration...

Current configuration : 6637 bytes
!
! Last configuration change at 13:05:40 MSK Fri Dec 16 2011 by ...
! NVRAM config last updated at 13:09:23 MSK Fri Dec 16 2011 by ...
!
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname c88115
!
boot-start-marker
boot system flash c880data-universalk9-mz.151-3.T.bin
boot-end-marker
!
!
!
no aaa new-model
!
memory-size iomem 10
clock timezone MSK 4 0
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-pulse-20111205
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-pulse-20111205
 revocation-check none
 rsakeypair TP-self-signed-pulse-20111205
!
!
crypto pki certificate chain TP-self-signed-pulse-20111205
 certificate self-signed 01
  30820241 308201EB A0030201 02020101 300D0609 2A864886 F70D0101 04050030
!........................................................................
  quit
ip source-route
!
!
!
!
ip dhcp pool 10
 network 10.52.15.0 255.255.255.128
 default-router 10.52.15.126
 dns-server 10.50.10.1 10.50.10.2 208.67.222.222 208.67.220.220 8.8.8.8 8.8.4.4
!
ip dhcp pool 20
 network 10.52.15.128 255.255.255.128
 default-router 10.52.15.254
 dns-server 10.50.10.1 10.50.10.2 208.67.222.222 208.67.220.220 8.8.8.8 8.8.4.4
 option 242 ascii "MCIPADD=10.50.20.1,MCPORT=1719,HTTPSRVR=10.50.10.160"
!
!
ip cef
no ip domain lookup
ip domain name domain.org
ip inspect name inout tcp timeout 43200
ip inspect name inout udp timeout 43200
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881-K9 sn FCZ1523CXXX
license boot module c880-data level advipservices
!
!
archive
 log config
  hidekeys
!
!username ....
!
!
!
!
ip ssh version 2
!
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key xxxxxxxxxx address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set TrSet esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile VPN_Profile
 set transform-set TrSet
!
!
!
!
!
!
interface Loopback1
 ip address 192.168.221.15 255.255.255.255
!
interface Loopback2
 ip address 192.168.222.15 255.255.255.255
!
interface Tunnel1
 ip address 192.168.201.15 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication NPF_101
 ip nhrp map multicast 123.45.67.89
 ip nhrp map 192.168.201.1 123.45.67.89
 ip nhrp network-id 100001
 ip nhrp holdtime 300
 ip nhrp nhs 192.168.201.1
 ip ospf network broadcast
 ip ospf priority 0
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel key 100001
 tunnel protection ipsec profile VPN_Profile
!
interface Tunnel2
 ip address 192.168.202.15 255.255.255.0
 ip mtu 1400
 ip nhrp authentication NPF_102
 ip nhrp map 192.168.202.1 123.45.67.89
 ip nhrp network-id 100002
 ip nhrp holdtime 300
 ip nhrp nhs 192.168.202.1
 ip ospf network broadcast
 ip ospf priority 0
 tunnel source Dialer1
 tunnel destination 123.45.67.89
 tunnel key 100002
!
interface FastEthernet0
 shutdown
!
interface FastEthernet1
 switchport access vlan 10
!
interface FastEthernet2
 switchport access vlan 20
!
interface FastEthernet3
 shutdown
!
interface FastEthernet4
 no ip address
 ip virtual-reassembly in
 duplex auto
 speed auto
 pppoe-client dial-pool-number 1
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 ip address 10.52.15.126 255.255.255.128
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan20
 ip address 10.52.15.254 255.255.255.128
!
interface Dialer1
 ip address negotiated
 ip access-group FromInet in
 ip mtu 1492
 ip nat outside
 ip inspect inout out
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname xxxxxxxxxxx
 ppp chap password 7 xxxxxxxxxxxxxxxxxxxxxxx
 no cdp enable
!
router ospf 1
 network 10.52.15.0 0.0.0.127 area 1
 network 192.168.201.0 0.0.0.255 area 1
!
router ospf 2
 network 10.52.15.128 0.0.0.127 area 2
 network 192.168.202.0 0.0.0.255 area 2
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source route-map nonat interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended FromInet
 permit icmp any any
 permit tcp any any eq 22
 permit esp host 123.45.67.89 any
 permit gre host 123.45.67.89 any
 permit udp host 123.45.67.89 any
 permit ip host 123.45.67.89 any
ip access-list extended nonat-toHQ
 deny ip 10.52.15.0 0.0.0.127 10.50.0.0 0.0.255.255
 deny ip 10.52.15.0 0.0.0.127 10.52.0.0 0.0.255.255
 permit ip 10.52.15.0 0.0.0.127 any
!
logging esm config
access-list 1 permit 10.52.15.0 0.0.0.127
no cdp run
!
!
!
!
route-map nonat permit 10
 match ip address nonat-toHQ
!
snmp-server community pulse-snmp RO
snmp-server host 10.50.10.190 version 2c pulse-snmp
!
control-plane
!
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 60 0
 login local
 transport input ssh
!
scheduler max-task-time 5000
ntp update-calendar
ntp peer 192.168.201.1
end

KhantyMansiysk-c881-15#
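The configurations above contain several settings that a hardening review would flag: cleartext `ppp chap password 0`, Telnet on the VTY lines, 3DES/MD5 in the ISAKMP and IPsec settings, a pre-shared key bound to `address 0.0.0.0 0.0.0.0`, `ip source-route`, and an SNMP community with no ACL. The check below is an added example, not part of the original page; the rule list, the `audit` function and the sample excerpt are constructed for illustration and are not exhaustive.

```python
import re

# Rules: (section-header regex or None for any section, line regex, finding).
RULES = [
    (None, r"^no service password-encryption$", "secrets are not even type 7 encoded"),
    (None, r"^ip source-route$", "IP source routing is enabled"),
    (None, r"\bpassword 0 \S+", "cleartext (type 0) password"),
    (None, r"\bpassword 7 \S+", "type 7 is a reversible encoding, not a hash"),
    (r"^line vty", r"^transport input .*\btelnet\b", "Telnet allowed on VTY lines"),
    (r"^crypto isakmp policy", r"^hash md5$", "ISAKMP policy uses MD5"),
    (r"^crypto isakmp policy", r"^encr (des|3des)$", "ISAKMP policy uses DES/3DES"),
    (None, r"^crypto isakmp key \S+ address 0\.0\.0\.0 0\.0\.0\.0", "pre-shared key valid for any peer"),
    (None, r"^crypto ipsec transform-set .*\b(esp-3des|esp-md5-hmac)\b", "legacy IPsec transform"),
    (None, r"^snmp-server community \S+ (RO|RW)$", "SNMP community without an ACL"),
]

# Constructed excerpt modelled on the settings above; all secrets are placeholders.
SAMPLE = """\
no service password-encryption
ip source-route
crypto isakmp policy 1
 encr 3des
 hash md5
crypto isakmp key EXAMPLE-KEY address 0.0.0.0 0.0.0.0
interface Dialer0
 ppp chap password 0 EXAMPLE-PASS
line vty 0 4
 transport input telnet ssh
snmp-server community EXAMPLE-RO RO
"""


def audit(config):
    """Return (line number, section, finding) tuples for an IOS-style config."""
    findings, section = [], ""
    for no, raw in enumerate(config.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # skip blank lines and '!' separators/comments
        if not raw.startswith(" "):
            section = raw.strip()  # unindented line opens a new section
        line = raw.strip()
        for sect_re, line_re, msg in RULES:
            if sect_re and not re.search(sect_re, section):
                continue
            if re.search(line_re, line):
                findings.append((no, section, msg))
    return findings
```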