I've had a Cisco 887 Router lying around gathering dust for a while and thought I'd put it to use as a VDSL Modem, replacing the existing Openreach box. In theory this will give me more visibility on line stats allowing me to do more logging and troubleshooting.
I tried it a while ago but had some MTU issues, so it was banished back into storage. My ISP, Plusnet, supports 'Baby Jumbos' of 1508 bytes, which allows for a 1500-byte frame plus 8 bytes of PPPoE overhead, so this time I configured the relevant interfaces with a 1508-byte MTU and it's working nicely.
The configuration is pretty basic, partly due to limitations of the router. Ethernet0 (the DSL port) has a subinterface for VLAN 101, which is required by the VDSL infrastructure supplied by Plusnet / BT. VLANs 1 and 101 are transparently bridged to allow PPPoE passthrough, and I've added an IP on the bridge for management, with some access lists for security.
The configuration is below. I can't make any guarantees that it will work or that it's secure, and I've redacted some of the sensitive information. Hopefully someone will find it useful or make suggestions for improvements.
! Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc1)
! NAME: "887VA", DESCR: "887VA chassis, Hw Serial#: FCZ1650C2WR, Hw Revision: 1.0"
! PID: CISCO887VA-K9 , VID: V02, SN: FCZ1650C2WR
!
!
!
!
! Last configuration change at 00:49:24 UTC Tue Jan 31 2017
! NVRAM config last updated at 00:49:29 UTC Tue Jan 31 2017
! NVRAM config last updated at 00:49:29 UTC Tue Jan 31 2017
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname [Redacted]
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 [Redacted]
!
no aaa new-model
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
!
!
no ip cef
ip domain name [Redacted]
ip name-server [Redacted]
ip name-server [Redacted]
no ipv6 cef
!
!
license [Redacted]
!
!
vtp mode transparent
username admin privilege 15 secret 4 [Redacted]
!
controller VDSL 0
 operating mode vdsl2
 modem 0
 modem ukfeature
!
vlan 101
!
ip ssh time-out 30
ip ssh authentication-retries 5
ip ssh version 2
ip ssh pubkey-chain
  username admin
   quit
!
!
!
bridge irb
!
!
!
!
interface Ethernet0
 mtu 1508
 no ip address
 ip access-group 20 in
 no ip route-cache
!
interface Ethernet0.101
 encapsulation dot1Q 101
 ip access-group 20 in
 no ip route-cache
 bridge-group 1
!
interface ATM0
 no ip address
 no ip route-cache
 shutdown
 no atm ilmi-keepalive
!
interface FastEthernet0
 mtu 1508
 no ip address
!
interface FastEthernet1
 mtu 1508
 no ip address
!
interface FastEthernet2
 mtu 1508
 no ip address
!
interface FastEthernet3
 mtu 1508
 no ip address
!
interface Vlan1
 no ip address
 bridge-group 1
!
interface BVI1
 mtu 1508
 ip address 192.168.15.1 255.255.255.252
 ip access-group 10 in
!
ip default-gateway 192.168.15.2
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 BVI1 192.168.15.2
!
access-list 10 permit 172.18.0.0 0.0.0.255
access-list 10 permit 172.19.0.0 0.0.0.255
access-list 10 permit 172.17.0.0 0.0.0.255
access-list 10 permit 10.0.97.0 0.0.0.255
access-list 10 permit 10.0.128.0 0.0.31.255
access-list 10 permit 192.168.15.0 0.0.0.3
access-list 20 deny 0.0.0.0 0.255.255.255
access-list 20 deny 10.0.0.0 0.255.255.255
access-list 20 deny 100.64.0.0 0.63.255.255
access-list 20 deny 127.0.0.0 0.255.255.255
access-list 20 deny 169.254.0.0 0.0.255.255
access-list 20 deny 172.16.0.0 0.15.255.255
access-list 20 deny 192.0.0.0 0.0.0.255
access-list 20 deny 192.0.2.0 0.0.0.255
access-list 20 deny 192.168.0.0 0.0.255.255
access-list 20 deny 198.18.0.0 0.1.255.255
access-list 20 deny 198.51.100.0 0.0.0.255
access-list 20 deny 203.0.113.0 0.0.0.255
access-list 20 deny 224.0.0.0 15.255.255.255
access-list 20 deny 240.0.0.0 15.255.255.255
!
!
!
!
snmp-server community public RO
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 login local
 transport input ssh
!
end
N.B. I formatted the above with hilite.me
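The two access lists are the security-relevant part of the configuration: ACL 10 on BVI1 restricts who can reach the management address, and ACL 20 on the DSL-facing interfaces drops packets claiming bogon or private source addresses. The script below is an added example, not code from the original post; it re-implements standard-ACL matching (first match wins, Cisco wildcard semantics where a 1 bit means "don't care", and the implicit deny at the end of every IOS ACL) and evaluates the page's own ACL entries against a few constructed sample sources. One thing it makes visible: ACL 20 contains only deny entries, so together with the implicit deny it denies every IPv4 source; whether that matters here depends on which packets a standard ACL on a bridge-group member interface actually sees (PPPoE frames are not IP), and the post does not say.

```python
import ipaddress

# Standard ACL entries copied verbatim from the router configuration above.
ACL_CONFIG = """
access-list 10 permit 172.18.0.0 0.0.0.255
access-list 10 permit 172.19.0.0 0.0.0.255
access-list 10 permit 172.17.0.0 0.0.0.255
access-list 10 permit 10.0.97.0 0.0.0.255
access-list 10 permit 10.0.128.0 0.0.31.255
access-list 10 permit 192.168.15.0 0.0.0.3
access-list 20 deny 0.0.0.0 0.255.255.255
access-list 20 deny 10.0.0.0 0.255.255.255
access-list 20 deny 100.64.0.0 0.63.255.255
access-list 20 deny 127.0.0.0 0.255.255.255
access-list 20 deny 169.254.0.0 0.0.255.255
access-list 20 deny 172.16.0.0 0.15.255.255
access-list 20 deny 192.0.0.0 0.0.0.255
access-list 20 deny 192.0.2.0 0.0.0.255
access-list 20 deny 192.168.0.0 0.0.255.255
access-list 20 deny 198.18.0.0 0.1.255.255
access-list 20 deny 198.51.100.0 0.0.0.255
access-list 20 deny 203.0.113.0 0.0.0.255
access-list 20 deny 224.0.0.0 15.255.255.255
access-list 20 deny 240.0.0.0 15.255.255.255
"""


def parse_acls(text):
    """Return {acl_number: [(action, network_int, wildcard_int), ...]} in config order."""
    acls = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "access-list":
            continue
        _, number, action, network, wildcard = parts
        entry = (action,
                 int(ipaddress.IPv4Address(network)),
                 int(ipaddress.IPv4Address(wildcard)))
        acls.setdefault(number, []).append(entry)
    return acls


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = (~wildcard) & 0xFFFFFFFF
    return (addr & care) == (network & care)


def evaluate(acl, source):
    """First matching entry wins; an IOS ACL ends with an implicit 'deny any'.

    Returns (action, 1-based entry number), or ('deny', None) when only the
    implicit deny matched.
    """
    addr = int(ipaddress.IPv4Address(source))
    for index, (action, network, wildcard) in enumerate(acl, start=1):
        if wildcard_match(addr, network, wildcard):
            return action, index
    return "deny", None


def only_denies(acl):
    """True when an ACL has no permit entry at all, i.e. it denies every source."""
    return all(action == "deny" for action, _, _ in acl)


ACLS = parse_acls(ACL_CONFIG)

if __name__ == "__main__":
    # Constructed sample sources: management-side addresses and a public one.
    for source in ("192.168.15.2", "10.0.150.7", "10.0.160.1", "8.8.8.8"):
        print("ACL 10", source, evaluate(ACLS["10"], source))
    for source in ("10.1.2.3", "203.0.113.9", "8.8.8.8"):
        print("ACL 20", source, evaluate(ACLS["20"], source))
    print("ACL 20 has no permit entry:", only_denies(ACLS["20"]))
```

The wildcard 0.0.31.255 on the 10.0.128.0 entry is the one worth checking by hand: it leaves the top three bits of the third octet significant, so 10.0.128.0 through 10.0.159.255 are permitted and 10.0.160.1 falls through to the implicit deny.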
I'm just about to do something similar, but due to a limitation on my firewall I'm keen for the Cisco to do the PPP hard work. Do you know if you can get the Cisco to do the dial-in and just hand me a public IP on the other side?
Hi, I'm afraid I don't know. I'm not much of a Cisco expert; this was just bodged together from a couple of other guides online, and I've since got rid of the router so I can't take a look.
My hunch is you wouldn't be able to do what you're trying to achieve with a single IP address, as the IP usually terminates on the device handling the PPPoE, which in your case would be the Cisco.
It looks like if your ISP gives you another subnet, you can use 'half-bridging' so one IP terminates on the PPP device, and the rest of the subnet is passed to a router behind it - https://rscc.co.uk/cisco-857-half-bridge-mode/
I hope that helps.
Thanks for your article. I was struggling with a VDSL config; I thought I was managing fine as I converted from an 1801 with the WAN on Ethernet and an old DSLAM to convert the VDSL.
I configured int eth0.101 and the Dialler added an MTU 1492 which refused to go. The key was modem ukfeature in the controller config to stop that happening.