IEOC - INE's Online Community

Good Evening all

I shall soon be attemting to connect to the voice lab via a wireless dsl connection, over which I have no adminstrative control. Nat occurs at the wireless dsl router, and assigns addresses in the 192.168.1.0/24 network.

I am intending to connect to the lab, as detailed in the voice rack rental guide appendix a, using a c2811 router, connecting the f0/0 interface into a transparent wireless bridge, so that the f0/0 interface will be assigned a dhcp address in the previously mentioned 192.168.1.0/24 range

My question is - will the easyvpn connection work through a connection which is translated, or will the connection only work if the f0/0 interface has an externally routable address.

Regards

NM

Hi NorthernMonkey,

How far north are you?

Nat is not a problem at all for EzVPN. The only thing that would prevent you is if you ISP blocked UDP 500 or UDP 4500. Other than that, you should be fine.

Thanks,

I'm about 55 degrees North.

After getting annoyed by whiring fans, I've replaced the c2811 with an 877, and the switch with a 3560-8, to give a totally silent lab.

Connection to the test VPN from my PC is sucessful, and I can now study til late without annoying the better half :)

Hopefully I'll be able to connect to the lab tomorrow.

Thanks

NM

That's fairly far north. Farthest I've been is Anchorage - so maybe 63 degrees? I digress.

I don't think the 877 router will allow you full VPN capabilities. Allow me to explain.

We use 2 VPNs on top of one another. EzVPN is IPSec based, and allows for the first tunnel. Then (and this is optional but REALLY nice) we run L2TPv3 over top of the EzVPN. This is what we call our L2VPN, and it allows for your phones to appear (via CDP and every other method) as if they were directly connected to your various rack site's switches. It is outlined in Section 4 and Appendix A of our Voice Rack Rental Access Guide.

Anyhow, I don't believe the 8xx series allows specifically the "dot1q tunneling ethertype 0x9100" command on the inside tunneled interface. Check, maybe that 877 does. I know the 831 doesn't. Having your phones look exactly as they do when you sit for Cisco's exam (they use this exact method at all testing facilities) makes the whining fans worth listening to. Or at least worth buying a can of WD40 or else getting a few fan replacements. They are cheap, actually.

MTC,

I've found the 87x series of routers significantly more functional than the 83x series.

It is possible to traffic shape on a tunnel interface on an 877, which I have been able to use in the past to allow Ip phones to operate sucessfully on the end of lower bandwidth DSL links, functionality which doesnt exist on the 837.

The config seems to have been sucessfully applied, however, I've yet to test.

interface Vlan3
 no ip address
 dot1q tunneling ethertype 0x9100
 xconnect 177.177.177.2 123 pw-class QinQ-XCONNECT
end

Cheers

NM

Great!

LMK how you get on with the testing.

The 877 does not accept the command mtu 1508 on the FE interfaces, only allowing a max of 1500, while running 12.4 Adv IP serv, however I also had the same error on an 1841, until I upgraded to 15.1T. I dont have an 870 15.1T advipserv ios to hand, but it is possible that this may be available on a new SW version

NM