
Tuesday, 11 December 2012

Be There Routed IP addressing with a Cisco 1841 Router

Be There started to change how they offer public IP addressing in 2012 and now hand out correctly subnetted IP blocks. This does mean, however, that you have to change your configuration as the end user; this is how to change the configuration on a Cisco 1841 router.

DHCP on the ATM0/0/0.1 Interface


Be There have changed how the IP address is assigned to the ATM interface: it is now assigned via DHCP, and this address is not the IP that you will use for your site. It is the address used to deliver the routed IP block to you. So now you need to use the command

ip address dhcp

Zone Based Firewall and DHCP

Now the first issue you will run into is that the Zone Based Firewall is unlikely to be set to allow DHCP on the ATM interface. The ATM interface is going to be in your outside zone, so we need to create two class maps to define the traffic as follows:

1. ATM interface makes a DHCP request
2. ATM interface receives a DHCP reply

I have created two class maps for this; both contain a match for UDP ports 67 and 68 (bootps and bootpc).

class-map type inspect match-any cmap-router-to-O2-dhcp
 match protocol bootps
 match protocol bootpc

class-map type inspect match-any cmap-O2-dhcp-to-router
 match protocol bootps
 match protocol bootpc

Policy Map

Once you have defined the class maps for DHCP you will need to allow the traffic into the router and out from the router; this involves the self zone and the outzone. DHCP is a broadcast protocol, so this traffic is sent over the PVC to the local exchange, and therefore we will not be inspecting it; instead we need to pass this traffic in the Zone Based Firewall. Below are my policy maps for Outzone to Self and Self to Outzone.

Outzone to Self

policy-map type inspect pmap-internet-to-router
 class type inspect cmap-O2-dhcp-to-router
  pass log
 class type inspect cmap-router-remote-access-protocols
  inspect

This policy map matches the DHCP traffic from Be There to the router and passes it, logging it as well so I can see the traffic in the syslog to help with troubleshooting. The next class inspects my class map that allows SSH access to the router. You must match the DHCP traffic first here, otherwise the ZBF will drop the traffic as not matching: ZBF rules are processed in order, so you need to get your DHCP rule in first.

Self to Outzone

policy-map type inspect pmap-router-to-internet
 class type inspect cmap-router-to-O2-dhcp
  pass log
 class type inspect cmap-router-to-internet
  inspect

This policy map is the reverse and allows the router to send DHCP requests to Be There.
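To tie the class maps and policy maps above together, here is the zone and zone-pair configuration they need (an added example, not the original post's config). It assumes the outside zone is named outzone and that the ATM sub-interface's PVC settings are already in place; the zone-pair names are my own.

```cisco
! Outside zone; the ATM sub-interface towards Be There lives here.
zone security outzone
 description Be There DSL circuit
!
! PVC and encapsulation settings are assumed to already be configured.
interface ATM0/0/0.1 point-to-point
 description Be There routed IP circuit
 ip address dhcp
 zone-member security outzone
!
! Outzone -> Self: DHCP replies are passed (and logged), SSH is inspected.
! Class order inside pmap-internet-to-router matters: DHCP must come first.
zone-pair security zp-internet-to-router source outzone destination self
 service-policy type inspect pmap-internet-to-router
!
! Self -> Outzone: DHCP requests are passed, everything else the router
! itself originates is inspected.
zone-pair security zp-router-to-internet source self destination outzone
 service-policy type inspect pmap-router-to-internet
!
! Verify with:
!   show policy-map type inspect zone-pair zp-internet-to-router
! which lists the per-class pass/inspect counters, and
!   show ip interface brief
! which should show the DHCP-assigned address on ATM0/0/0.1.
```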

DHCP Process


Now when we shut down the ATM0/0/0.1 interface and then re-enable it, a DHCP request takes place, and this is shown above. You can see the ZBF passing the DHCP packets in the log, and that we have been assigned an IP address on the ATM0/0/0.1 interface.

DHCP injected route


A new route is injected into the Cisco routing table for this circuit, and this is shown in the config as a static route to the gateway with an administrative distance of 254. This is a high value, so if you have another static route it will take precedence and this route will be used as the route of last resort.

Using your IP Block


Your real routed IP block can now be used. This is achieved by configuring the Cisco to PAT out of the ATM0/0/0.1 interface, which will use the first IP address in the block. For other services you can now create static NAT translations, as shown above, using one of the public IPs you have. This example is based on a dual DSL router, so these NAT translations will only function when the router has its default route pointing to our Be There circuit.

Accessing the Router


If you want to access the router via SSH, for example, you will need to know the DHCP IP address, and this will change each time the ATM interface is enabled, so it makes sense to assign one of the public IP addresses to the router. This can be done by creating a sub-interface on the Fast Ethernet interface and assigning it a new VLAN ID. This places the interface in its own VLAN, and if we assign no ZBF zone then it will be seen as the SELF zone and the rules to and from this zone will apply.

Now you will be able to SSH to this IP address and the rules you have for Outzone to Self and Self to Outzone will apply.
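Putting the NAT and management-address steps from the two sections above into configuration (an added example, not the original post's config): 203.0.113.0/29 stands in for the routed block, 192.168.1.0/24 for the LAN, FastEthernet0/0 for the LAN interface and VLAN 99 for the management sub-interface, all assumed values.

```cisco
! LAN interface: NAT inside. Its zone membership is assumed to be
! configured elsewhere.
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Management sub-interface in its own VLAN (99 is assumed), holding one
! public address from the routed block. Deliberately no zone-member,
! so, as the post describes, only the Self zone rules apply to it.
interface FastEthernet0/0.99
 description Router management address from routed block
 encapsulation dot1Q 99
 ip address 203.0.113.2 255.255.255.248
!
interface ATM0/0/0.1 point-to-point
 ip nat outside
!
! LAN hosts allowed to PAT out of the Be There circuit.
ip access-list standard ACL-NAT-INSIDE
 permit 192.168.1.0 0.0.0.255
ip nat inside source list ACL-NAT-INSIDE interface ATM0/0/0.1 overload
!
! Static NAT for one internal service on a public address from the block.
! Only functions while the default route points at ATM0/0/0.1.
ip nat inside source static tcp 192.168.1.10 443 203.0.113.3 443
!
! Management access over SSHv2 only; the Outzone <-> Self policy maps
! (cmap-router-remote-access-protocols) govern who reaches it.
ip ssh version 2
line vty 0 4
 transport input ssh
!
! Verify the translations with 'show ip nat translations'.
```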

Notification when a DSL Circuit goes down


It is pretty handy to know if one of your DSL circuits is offline. You can use the IP SLA feature for this and track a ping to an IP out of one interface only; if the ping drops you can then tell the router to clear the NAT translations and to inform you that the circuit went down. I will not go into the full IP SLA here, but for the notification you can use the Embedded Event Manager (EEM) feature in Cisco Advanced IOS.

Here you can see I have used event manager to note when my IP SLA Track 1 is down; when this occurs I can automatically clear the IP NAT translations and then send an email to our helpdesk to inform the team that the DSL circuit is offline.
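An added example of the tracking and notification just described (not the original post's config). The probe target 203.0.113.254, the mail relay 192.0.2.25 and the mail addresses are placeholders; the host route keeps the probe on the Be There circuit even when the default route has moved to the other DSL line.

```cisco
! Probe target pinned to the ATM sub-interface so the probe cannot
! fail over to the other DSL circuit and mask an outage.
ip route 203.0.113.254 255.255.255.255 ATM0/0/0.1
!
ip sla 1
 icmp-echo 203.0.113.254 source-interface ATM0/0/0.1
 frequency 10
ip sla schedule 1 life forever start-time now
!
! Track 1 follows the probe; the delays damp a single lost ping.
track 1 ip sla 1 reachability
 delay down 30 up 10
!
! Mail settings kept in EEM environment variables (placeholder values).
event manager environment _mail_server 192.0.2.25
event manager environment _mail_to helpdesk@example.com
event manager environment _mail_from router@example.com
!
! When track 1 goes down: clear the NAT table so sessions re-translate
! via the surviving circuit, log it, and email the helpdesk.
event manager applet BETHERE-DOWN
 event track 1 state down
 action 1.0 cli command "enable"
 action 1.1 cli command "clear ip nat translation *"
 action 2.0 syslog priority warnings msg "Be There DSL down (track 1); NAT translations cleared"
 action 3.0 mail server "$_mail_server" to "$_mail_to" from "$_mail_from" subject "Be There DSL circuit DOWN" body "IP SLA track 1 went down at $_event_pub_time. NAT translations cleared."
!
! Companion applet so the helpdesk also hears about recovery.
event manager applet BETHERE-UP
 event track 1 state up
 action 1.0 mail server "$_mail_server" to "$_mail_to" from "$_mail_from" subject "Be There DSL circuit UP" body "IP SLA track 1 came back up at $_event_pub_time."
```

Check the track state with 'show track 1' and the applet history with 'show event manager history events' before relying on the alerts.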
