frazer.network


  • Cisco 1000 series full fiber (FTTP) basic configuration guide

    Please follow the guide below to securely terminate a fiber (FTTP) broadband service on a Cisco C1117-4P router.

    This configuration will handle DHCP on the LAN, outbound NAT (dynamic PAT), and statefully inspect packets so that connections are only ever built outbound.

    The router’s management plane will be unreachable from the outside world; it can only be managed internally from the LAN via SSH, or locally via the console.

    This guide assumes a basic working knowledge of configuring Cisco equipment with a console cable.

    Cisco 1000 series router (FTTP)

    Prerequisites

    Populate the values below, ready to merge into the main config.

    Enable password = #ENABLE_PASSWORD#

    Login username = #USERNAME#

    Login password = #PASSWORD#

    Console and VTY fallback password = #FALLBACKPASSWORD#

    Broadband username = #BROADBAND_USERNAME#

    Broadband password = #BROADBAND_PASSWORD#

    Configuration Steps

    1 – Ensure any existing config on the router has been wiped and you are starting fresh (write erase, then reload).

    An enable secret is required following the first boot. Enter your enable password at the prompt.

    [screenshot: enable secret prompt]

    The setup options will then be displayed:

    [screenshot: setup options]

    As we don’t want to save anything at this stage, enter 0 when prompted. This should allow us to start with a blank config.


    Finally, if prompted to enter the initial config, type ‘no’.

    2 – Enter global configuration mode and apply general ‘best practice’ fixups

    configure terminal
    service sequence-numbers
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service tcp-keepalives-in
    service tcp-keepalives-out
    ! Only obscures line and PPP passwords with reversible type 7 encoding; treat saved configs as sensitive
    service password-encryption
    logging buffered 10240000
    login on-success log
    login on-failure log
    clock timezone GMT 0 0
    clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 1:00
    ! Disable the HTTP/HTTPS management server entirely
    no ip http server
    no ip http secure-server
    no ip http authentication local
    ntp server 134.226.81.3
    ! The hostname must be set before the SSH RSA key is generated in the next step
    hostname R1

    3 – Define login credentials and secure remote access

    ! Login credentials (the '0' means the secret is typed in clear text; IOS stores only a hash of it)
    enable secret 0 #ENABLE_PASSWORD#
    ! Where supported, 'enable algorithm-type scrypt secret ...' stores a type 9 (scrypt) hash instead of MD5
    username #USERNAME# privilege 15 secret 0 #PASSWORD#
    ! A domain name (together with the hostname) is required before RSA key generation
    ip domain name cisco.router
    crypto key generate rsa general-keys modulus 4096


    ! Secure console and VTY lines
    ! Only accept SSH version 2
    ip ssh version 2
    ip access-list standard SECURE_VTY
    10 permit 192.168.1.0 0.0.0.255
    exit


    line con 0
    password #FALLBACKPASSWORD#
    login local
    ! exec-timeout logs out an idle login; session-timeout only covers sessions opened from this line
    exec-timeout 15 0
    session-timeout 15
    exit


    line vty 0 15
    password #FALLBACKPASSWORD#
    login local
    transport input ssh
    access-class SECURE_VTY in
    exec-timeout 15 0
    session-timeout 15
    exit

    4 – Configure Zones and ACLs to support stateful packet inspection

    ! Configure Zones
    zone security OUTSIDE
    zone security INSIDE
    exit

    ! Configure ACLs to match traffic.
    ip access-list extended ACL_ZBFW_INSIDE_TO_OUTSIDE
    10 permit ip any any
    exit
    ip access-list extended ACL_ZBFW_ROUTER_TO_OUTSIDE
    10 permit ip any any
    exit

    ! Configure class-maps to match ACLs.
    class-map type inspect match-any CM_ZBFW_INSIDE_TO_OUTSIDE
    match access-group name ACL_ZBFW_INSIDE_TO_OUTSIDE
    exit
    class-map type inspect match-any CM_ZBFW_ROUTER_TO_OUTSIDE
    match access-group name ACL_ZBFW_ROUTER_TO_OUTSIDE
    exit

    ! Configure policy maps to reference class maps.
    ! class-default carries no action, so anything not matched by the inspect class is dropped.
    policy-map type inspect PM_ZBFW_ROUTER_TO_OUTSIDE
    class type inspect CM_ZBFW_ROUTER_TO_OUTSIDE
    inspect
    class class-default
    exit
    exit

    policy-map type inspect PM_ZBFW_INSIDE_TO_OUTSIDE
    class type inspect CM_ZBFW_INSIDE_TO_OUTSIDE
    inspect
    class class-default
    exit
    exit

    ! Configure Zone pairs to reference policy-maps.
    ! No OUTSIDE -> INSIDE pair is defined, so unsolicited traffic towards the LAN is dropped;
    ! only return traffic for inspected outbound sessions is allowed back in.
    zone-pair security INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
    service-policy type inspect PM_ZBFW_INSIDE_TO_OUTSIDE
    exit
    zone-pair security ROUTER_TO_OUTSIDE source self destination OUTSIDE
    service-policy type inspect PM_ZBFW_ROUTER_TO_OUTSIDE
    exit
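    One caveat the guide does not cover: the self zone is the exception to ZBFW’s default deny. Traffic to and from the router’s own addresses is permitted whenever no zone-pair covers that direction, so with only a self -> OUTSIDE pair defined, unsolicited packets arriving at the Dialer address (pings, SSH attempts, NTP probes) still reach the router’s control plane and rely on each service’s own protection (the SSH access-class, the disabled HTTP server). The fragment below is added here as an example and is not part of the original guide; it closes that gap with an explicit OUTSIDE -> self pair whose class-default drops and logs. The policy and zone-pair names follow the guide’s naming convention but are my own choice.

```cisco
! Added example, not from the original guide: explicit OUTSIDE -> self policy.
! Without this zone-pair, traffic destined to the router itself is passed by default.
policy-map type inspect PM_ZBFW_OUTSIDE_TO_ROUTER
! (a class with a 'pass' action for a VPN peer's IKE/ESP would go here, above class-default)
class class-default
drop log
exit
exit

zone-pair security OUTSIDE_TO_ROUTER source OUTSIDE destination self
service-policy type inspect PM_ZBFW_OUTSIDE_TO_ROUTER
exit
```

    Return traffic for sessions the router itself opens (NTP, pings from the CLI) is still allowed, because the existing ROUTER_TO_OUTSIDE pair inspects them and permits the replies. For the site-to-site VPN case mentioned in the conclusion, a class matching the peer’s IKE (UDP 500/4500) and ESP traffic with a ‘pass’ action belongs above class-default in this policy; ‘pass’ is stateless and one-directional, so a matching class is needed in PM_ZBFW_ROUTER_TO_OUTSIDE as well.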

    5 – Configure LAN interface and enable DHCP

    ! Configure VLAN 1 interface and DHCP
    interface Vlan1
    description ### LAN DEFAULT GATEWAY ###
    ip address 192.168.1.254 255.255.255.0
    ip nat inside
    zone-member security INSIDE
    no shutdown
    exit


    ip dhcp excluded-address 192.168.1.0 192.168.1.10
    ip dhcp excluded-address 192.168.1.240 192.168.1.254
    ip dhcp pool VLAN_1
    network 192.168.1.0 255.255.255.0
    default-router 192.168.1.254
    dns-server 1.1.1.1 8.8.8.8
    exit


    ! Configure built-in switchports
    interface range gi0/1/0-3
    description ### ACCESS PORT ###
    switchport
    switchport mode access
    switchport access vlan 1
    spanning-tree portfast
    no shutdown
    exit

    6 – Configure PPPoE interface

    interface GigabitEthernet0/0/0
    description ### PPPoE INTERFACE – TO ISP FIBER MODEM ###
    no ip address
    negotiation auto
    pppoe enable
    pppoe-client dial-pool-number 1
    no cdp enable
    no shutdown
    exit

    7 – Configure Dialer interface and default route

    ! Dialer interface
    interface Dialer1
    description ### OUTSIDE INTERFACE ###
    ! PPPoE adds 8 bytes of overhead: MTU 1492, and TCP MSS clamped to 1452 (1492 - 40)
    mtu 1492
    ip address negotiated
    no ip redirects
    no ip unreachables
    ip nat outside
    zone-member security OUTSIDE
    encapsulation ppp
    ip tcp adjust-mss 1452
    dialer pool 1
    dialer-group 1
    no cdp enable
    ! 'callin': respond to the ISP's CHAP challenge but do not challenge the ISP
    ppp authentication chap callin
    ppp chap hostname #BROADBAND_USERNAME#
    ! Stored with reversible type 7 encoding once service password-encryption is on
    ppp chap password 0 #BROADBAND_PASSWORD#
    ppp ipcp route default
    ppp ipcp address accept
    no shutdown
    exit

    ! Default route (ppp ipcp route default above also installs one while the PPP session is up)
    ip route 0.0.0.0 0.0.0.0 Dialer1 name DEFAULT_VIA_FTTP

    8 – Configure outbound NAT (Dynamic PAT)

    ! NAT ACL
    ip access-list extended NAT
    permit ip 192.168.1.0 0.0.0.255 any
    exit


    ! NAT Rule
    ip nat inside source list NAT interface dialer1 overload
    end

    9 – Verify the configuration works

    ! Confirm the ISP has assigned an IP address to the router (Dialer1 should show a negotiated address, status up/up).

    show ip int brief

    ! Test a ping to Google’s public DNS by address.

    ping 8.8.8.8

    ! Pinging by name (e.g. google.com) only works if the router itself has a resolver configured with ip name-server. This guide hands DNS servers to LAN clients via DHCP but configures none for the router, so test name resolution from a LAN host instead.
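    A fuller checklist, added here as an example rather than taken from the original guide, that confirms each piece of the configuration individually instead of only end-to-end reachability (all are standard IOS show commands; the expected values in the comments follow from the addressing used in this guide):

```cisco
! Added verification checklist, not part of the original guide.
! PPPoE: session state should be UP with a non-zero session ID and the ISP's MAC address
show pppoe session
! PPP/IPCP: Dialer1 should list the negotiated public address, status up/up
show ip interface brief | include Dialer
! Routing: the default route should point out of Dialer1
show ip route 0.0.0.0
! DHCP: LAN clients should hold leases from 192.168.1.11 to 192.168.1.239 (the unexcluded range)
show ip dhcp binding
! NAT: after a LAN host browses, PAT entries translating 192.168.1.x to the Dialer1 address
show ip nat translations
! ZBFW: zone-pairs and their inspected sessions; unsolicited inbound should create no sessions
show zone-pair security
show policy-map type inspect zone-pair sessions
! Management plane: SSH version 2 enabled, VTYs restricted by the SECURE_VTY access-class
show ip ssh
show running-config | section line vty
```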

    10 – Verify and save the configuration

    ! Verify running-config and ensure all of the above commands have been applied.

    show run

    ! Save running-config to NVRAM

    copy running-config startup-config

    – or

    wr

    11 – Conclusion

    You should now have a working broadband connection with a router that has been secured for local management.

    At this point it should be possible to connect your laptop to the router switchports and open an SSH session to 192.168.1.254, logging in with the username and password configured earlier.

    (The fallback password will only ever be used in the event the local username is removed in error).

    The ZBFW configuration is very basic. If you intend to configure site-to-site VPNs you will likely need to add an OUTSIDE -> self zone-pair with bespoke rules to permit inbound connectivity from the remote peer. A policy-map can be configured to either ‘inspect’ or ‘pass’ packets; I have found ‘pass’ for protocols such as IKE/ESP can prevent common problems.

    For convenience, please find a copy of the running-config below: