# ADSL, ADSL 2, ADSL 2+ and Broadband Hardware > Cisco ADSL modems and routers > Cisco 877 RFC1483 Bridge

## Kapnos

Hello,

I have a Cisco 877 and a Mikrotik RB2011UAS. I want to put the 877 into 1483 Bridge mode and shut off all the services such as the firewall etc., so that it is used only as a modem, and have the Mikrotik take over all management of the connection.

----------


## SfH

It's not difficult. You enable IRB, create a bridge-group and make the vlan and the atm pvc members of it. It's a good idea for that to be separate from the vlan you'll use for management/other purposes, so that broadcast/unknown unicast doesn't leak towards the provider's BRAS. If you need help with a specific step, just ask :Smile:

----------


## Kapnos

In general I don't know much about Cisco; I set this one up a few years ago via SDM, so if you could help a bit more. :Smile:
Firewall, NAT etc., how do I turn them off? Or is that not needed once I do the procedure above?

----------


## arisgr

A chance for SfH to enlighten us, since I don't know much on the subject either :Smile:
Why do we need IRB?
Aren't the following enough?

```
int atm0.1
bridge-group 1
int vlan 1
bridge-group 1
exit
no ip routing
bridge 1 protocol ieee
```

We won't have any IPs; everything will be done on the Mikrotik

----------


## SfH

NAT won't do anything with the old configuration. As for the firewall, depending on how you had it set up, you may need to turn it off.

> Why do we need IRB?
> Aren't the following enough?

They're enough if you're willing to turn off ip routing for good.

----------


## Kapnos

So, I have the following config


```
Using 6428 out of 131072 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco_syntax
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 ********
!
no aaa new-model
clock timezone PCTime 2
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 4:00
!
crypto pki trustpoint TP-self-signed-160210503
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-160210503
 revocation-check none
 rsakeypair TP-self-signed-160210503
!
!
crypto pki certificate chain TP-self-signed-160210503
 certificate self-signed 01 nvram:IOS-Self-Sig#6.cer
dot11 syslog
no ip source-route
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip bootp server
ip domain name domain.local
ip name-server 208.67.222.222
ip name-server 8.8.8.8
!
!
!
username admin privilege 15 secret 5 **********
!
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-protocol-http
 match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  inspect
 class type inspect sdm-insp-traffic
  inspect
 class type inspect sdm-protocol-http
  inspect
 class type inspect SDM-Voice-permit
  inspect
 class class-default
  pass
policy-map type inspect sdm-permit
 class class-default
  pass
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
!
!
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $FW_OUTSIDE$$ES_WAN$
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0  54.0
 station-role root
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.2.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname user@otenet.gr
 ppp chap password 7 *********
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.3.0 255.255.255.0 192.168.2.201
ip route 192.168.4.0 255.255.255.0 192.168.2.201
ip route 192.168.6.0 255.255.255.0 192.168.2.201
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.2.240 8888 interface Dialer0 8888
!
!
logging trap debugging
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
dialer-list 1 protocol ip permit
no cdp run
!
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Router and Security Device Manager (SDM) is installed on this device and
it provides the default username "cisco" for  one-time use. If you have already
used the username "cisco" to login to the router and your IOS image supports the
"one-time" user option, then this username has already expired. You will not be
able to login to the router with this username after you exit this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you want to
use.

-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
```

I want to change the IP to 192.168.102.100, disable NAT, the firewall and whatever else isn't needed, put the Cisco into RFC1483 Bridge mode so that I connect to the internet through the Mikrotik via PPPoE, disable the wireless and finally, if it's easy, enable a DHCP server on 192.168.102.0/24 with the range 192.168.102.60-70 so that I can quickly and easily plug a PC into it to manage it.

----------


## nkladakis

OK, I think this will do the job for you:

```
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
interface ATM0.1 point-to-point
 description PC6, RFC1483 Bridging
 no ip directed-broadcast
 pvc 8/35
  encapsulation aal5snap
 !
 bridge-group 1
!
interface BVI 1
 ip address 192.168.102.100 255.255.255.0
!
interface Vlan1
 description $HWIC 4ESW$
 bridge-group 1
 no ip address
!
interface Dialer0
 shutdown
!
interface Dot11Radio0
 bridge-group 1
```

----------


## Kapnos

Where do I put these? In Configuration Professional, in the configuration editor, and then merge with running config?

----------


## Kapnos

OK, I've figured it out, it works fine. I wanted to ask, from the config below, what don't I need, so that I can throw it out? Things like NAT, firewall, ACLs etc.?


```
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco_preprint
!
boot-start-marker
boot system flash:/c870-advipservicesk9-mz.124-24.T8.bin
boot-end-marker
!
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 ***
!
no aaa new-model
clock timezone PCTime 2
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 4:00
!
crypto pki trustpoint TP-self-signed-1336459282
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1336459282
 revocation-check none
 rsakeypair TP-self-signed-1336459282
!
!
crypto pki certificate chain TP-self-signed-1336459282
 certificate self-signed 01
  30820255 308201BE A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 31333336 34353932 3832301E 170D3032 30333031 30303038 
  31315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 33333634 
  35393238 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 
  81008AA5 72B0DCF2 BCF56D98 2F30D9F9 D89B1389 9CB71B21 5ADEECD1 2E44EB5E 
  EF8F2C52 3425DF93 E076F291 DC77D6BD DE506062 6DF1B2B6 D8947C7C 6A1B6CFC 
  71317503 C844B34E 37CA6248 4C894128 AACFD733 3DFCBEA0 36DB1F84 3B7394BE 
  95F6977D D0841B3F 34F491F1 E38AB430 E1BB0D86 DE970435 241517F7 8FCC5E4D 
  B57F0203 010001A3 7D307B30 0F060355 1D130101 FF040530 030101FF 30280603 
  551D1104 21301F82 1D636973 636F5F70 72657072 696E742E 652D7468 65737361 
  6C69612E 6772301F 0603551D 23041830 168014D4 9A491AAA 03246331 6240CFD3 
  5AF3232F 2B15C930 1D060355 1D0E0416 0414D49A 491AAA03 24633162 40CFD35A 
  F3232F2B 15C9300D 06092A86 4886F70D 01010405 00038181 0007291B 3816CB56 
  A571DF96 BDF9FE8C A224B40E 95D2E7C4 C0048BD5 64EF64D9 A7596154 4328163D 
  44AE3EC2 958FE4A5 3EEA9128 B8D2FE23 FD688015 D37C032B 90EBA5A7 0005B5EE 
  B9652885 2FB4B034 35AA73CE C3AC0217 90619920 2ACBF160 996FFEB1 5B43E150 
  A60EEFB4 B9B1E19A 8F096E03 FEACC092 46E69ABB AB9208D6 99
  	quit
dot11 syslog
dot11 vlan-name WiFi vlan 2
no ip source-route
!
!
ip dhcp excluded-address 192.168.101.1 192.168.101.59
ip dhcp excluded-address 192.168.101.71 192.168.101.254
!
ip dhcp pool 101x
   import all
   network 192.168.101.0 255.255.255.0
!
!
ip cef
no ip bootp server
ip domain name ***
ip name-server 192.168.101.100
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username admin privilege 15 secret 5 ***
! 
!
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
no ip ftp passive
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-protocol-http
 match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect 
 class class-default
  pass
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  inspect 
 class type inspect sdm-insp-traffic
  inspect 
 class type inspect sdm-protocol-http
  inspect 
 class type inspect SDM-Voice-permit
  inspect 
 class class-default
  pass
policy-map type inspect sdm-permit
 class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
!
bridge irb
!
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 description PC6, RFC1483 Bridging
 pvc 8/35 
  encapsulation aal5snap
 !
 bridge-group 1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Vlan1
 description $HWIC 4ESW$
 no ip address
 bridge-group 1
!
interface Dialer0
 no ip address
 shutdown
 bridge-group 1
!
interface BVI1
 ip address 192.168.101.1 255.255.255.0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 1 interface Dialer0 overload
!
logging trap debugging
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.180.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.180.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run

!
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner exec ^CC
% Password expiration warning.
-----------------------------------------------------------------------
 
Cisco Router and Security Device Manager (SDM) is installed on this device and 
it provides the default username "cisco" for  one-time use. If you have already 
used the username "cisco" to login to the router and your IOS image supports the 
"one-time" user option, then this username has already expired. You will not be 
able to login to the router with this username after you exit this session.
 
It is strongly suggested that you create a new username with a privilege level 
of 15 using the following command.
 
username <myuser> privilege 15 secret 0 <mypassword>
 
Replace <myuser> and <mypassword> with the username and password you want to 
use.
 
-----------------------------------------------------------------------
^C
banner login ^CCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
```

----------


## arisgr

Remove only the obvious:
ZBF and NAT
I wouldn't touch anything else, you don't gain anything.

----------


## Kapnos

ZBF? Where is that?

----------


## arisgr

It's the following:

> class-map type inspect match-any sdm-cls-insp-traffic
>  match protocol cuseeme
>  match protocol dns
>  match protocol ftp
>  match protocol h323
>  match protocol https
>  match protocol icmp
>  match protocol imap
>  match protocol pop3
> ...
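Added example, not code from this thread or from anyone posting in it: a small Python audit script that does what arisgr describes, picking the SDM zone-based firewall (ZBF) and NAT objects out of an IOS config and emitting the `no` commands in an order IOS accepts (interface zone-membership and NAT roles first, then zone-pairs before the zones and policy-maps they reference, policy-maps before class-maps, a class-map before the class-map it matches, then the global NAT rule, and last only those ACLs that nothing else still references). The config inside is a constructed, heavily trimmed sample modelled on the two SDM configs posted above, not a real device dump; the function names and the ordering rules are mine. `ip http access-class 23` is included on purpose: ACL 23 is referenced by something unrelated to the firewall, so it must not be deleted along with ACLs 1 and 100.

```python
"""Audit a Cisco IOS config for SDM ZBF/NAT leftovers and plan their removal."""
import re

# Constructed sample modelled on the SDM configs posted in this thread
# (heavily trimmed, no banner or certificate blob). Not a real device dump.
SAMPLE_CONFIG = """\
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol dns
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-all sdm-invalid-src
 match access-group 100
!
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  inspect
 class type inspect sdm-insp-traffic
  inspect
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
interface Vlan1
 ip nat inside
 zone-member security in-zone
interface Dialer0
 ip nat outside
 zone-member security out-zone
ip http access-class 23
ip nat inside source list 1 interface Dialer0 overload
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
dialer-list 1 protocol ip permit
"""

# Places an ACL number is referenced. `dialer-list 1` is deliberately not
# matched: dialer-lists are not ACLs.
ACL_REF = re.compile(r"(?:match access-group|ip nat inside source list|"
                     r"ip http access-class|access-class|ip access-group)\s+(\d+)\b")


def parse_stanzas(config):
    """[(header, [body lines])]: headers are unindented; '!' and blanks dropped."""
    stanzas = []
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line[0] in " \t" and stanzas:
            stanzas[-1][1].append(line.strip())
        else:
            stanzas.append((line.rstrip(), []))
    return stanzas


def acl_references(stanzas):
    """Map ACL number -> set of stanza headers that reference it."""
    refs = {}
    for header, body in stanzas:
        for line in [header, *body]:
            for m in ACL_REF.finditer(line):
                refs.setdefault(m.group(1), set()).add(header)
    return refs


def removal_plan(config):
    stanzas = parse_stanzas(config)
    plan, removed = [], set()          # removed: headers the plan deletes

    def drop(prefix):
        for header, _ in stanzas:
            if header.startswith(prefix):
                plan.append("no " + header)
                removed.add(header)

    # 1. Interfaces first: zone membership and NAT roles must be cleared
    #    before the zones and NAT rules themselves can be deleted.
    for header, body in stanzas:
        if header.startswith("interface "):
            subs = [ln for ln in body if ln.startswith("zone-member security ")
                    or ln in ("ip nat inside", "ip nat outside")]
            if subs:
                plan += [header, *(f" no {ln}" for ln in subs), " exit"]
    drop("zone-pair security ")        # 2. reference zones and policy-maps
    drop("zone security ")             # 3.
    drop("policy-map type inspect ")   # 4. reference class-maps
    # 5. A class-map named in `match class-map X` must outlive its referrers,
    #    so peel off the currently unreferenced ones round by round.
    remaining = {h.split()[-1]: (h, b) for h, b in stanzas
                 if h.startswith("class-map type inspect ")}
    while remaining:
        referenced = {ln.split()[-1] for _, b in remaining.values()
                      for ln in b if ln.startswith("match class-map ")}
        ready = [n for n in remaining if n not in referenced]
        if not ready:
            raise ValueError("circular class-map references")
        for name in ready:
            header, _ = remaining.pop(name)
            plan.append("no " + header)
            removed.add(header)
    drop("ip nat ")                    # 6. global NAT rules
    # 7. ACLs used only by what was removed above; an ACL still used elsewhere
    #    (here `ip http access-class 23`) is kept. Whole-list removal is used
    #    because on numbered ACLs any `no access-list N ...` deletes the list.
    refs = acl_references(stanzas)
    acl_numbers = list(dict.fromkeys(h.split()[1] for h, _ in stanzas
                                     if h.startswith("access-list ")))
    for num in acl_numbers:
        users = refs.get(num, set())
        if users and users <= removed:
            plan.append(f"no access-list {num}")
    return plan
```

Run `removal_plan()` over a saved `show running-config` and review the output line by line before pasting it into configuration mode; the script only reasons about the dependency order of the SDM objects, it does not know what else the device is used for.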
