frazer.network

Tag: VDSL

  • Cisco 1000 series VDSL (FTTC) basic configuration guide

    Please follow the below guide to securely terminate a VDSL (FTTC) broadband service on a Cisco C1117-4P router.

    This configuration will handle DHCP on the LAN, outbound NAT (dynamic PAT), and statefully inspect packets to ensure connections are only ever built outbound.

    The router will be unreachable from the outside world and can only be managed internally from the LAN via SSH, or locally via console.

    This guide assumes a basic working knowledge of configuring Cisco equipment with a console cable.

    Cisco C1117-4P router

    Prerequisites

    Please populate the below, ready to merge into the main config.

    Enable password = #ENABLE_PASSWORD#

    Login username = #USERNAME#

    Login password = #PASSWORD#

    Console and VTY fallback password = #FALLBACKPASSWORD#

    Broadband username = #BROADBAND_USERNAME#

    Broadband password = #BROADBAND_PASSWORD#

    Configuration Steps

    1 – Ensure any existing config on the router has been wiped and you are starting from a blank device (write erase, then reload).

    An enable secret is required following the first boot. Enter your enable password below.

    [screenshot: cisco-enable-secret-1]

    The following will now be displayed:

    [screenshot: cisco-enable-secret-2]

    As we don’t want to save anything at this stage, I would enter 0 when prompted. This should allow us to start with a blank config.


    Finally, if prompted to enter the initial config, type ‘no’.

    2 – Enter global configuration mode and apply general ‘best practice’ fixups

    service sequence-numbers
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service tcp-keepalives-in
    service tcp-keepalives-out
    service password-encryption
    logging buffered 10240000
    login on-success log
    login on-failure log
    clock timezone GMT 0 0
    clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 1:00
    no ip http server
    no ip http secure-server
    no ip http authentication local
    ntp server 134.226.81.3
    hostname R1

    3 – Define login credentials and secure remote access

    ! Login credentials
    enable secret 0 #ENABLE_PASSWORD#
    username #USERNAME# privilege 15 secret 0 #PASSWORD#
    ip domain name cisco.router
    crypto key generate rsa general-keys modulus 4096


    ! Secure console and VTY lines
    ip access-list standard SECURE_VTY
    10 permit 192.168.1.0 0.0.0.255
    exit


    line con 0
    password #FALLBACKPASSWORD#
    login local
    session-timeout 15
    exit


    line vty 0 15
    password #FALLBACKPASSWORD#
    login local
    transport input ssh
    access-class SECURE_VTY in
    session-timeout 15
    exit

    4 – Configure Zones and ACLs to support stateful packet inspection

    ! Configure Zones
    zone security OUTSIDE
    zone security INSIDE
    exit

    ! Configure ACLs to match traffic.
    ip access-list extended ACL_ZBFW_INSIDE_TO_OUTSIDE
    10 permit ip any any
    exit
    ip access-list extended ACL_ZBFW_ROUTER_TO_OUTSIDE
    10 permit ip any any
    exit

    ! Configure class-maps to match ACLs.
    class-map type inspect match-any CM_ZBFW_INSIDE_TO_OUTSIDE
    match access-group name ACL_ZBFW_INSIDE_TO_OUTSIDE
    exit
    class-map type inspect match-any CM_ZBFW_ROUTER_TO_OUTSIDE
    match access-group name ACL_ZBFW_ROUTER_TO_OUTSIDE
    exit

    ! Configure policy maps to reference class maps.
    policy-map type inspect PM_ZBFW_ROUTER_TO_OUTSIDE
    class type inspect CM_ZBFW_ROUTER_TO_OUTSIDE
    inspect
    class class-default
    exit
    exit

    policy-map type inspect PM_ZBFW_INSIDE_TO_OUTSIDE
    class type inspect CM_ZBFW_INSIDE_TO_OUTSIDE
    inspect
    class class-default
    exit
    exit

    ! Configure Zone pairs to reference policy-maps.
    zone-pair security INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
    service-policy type inspect PM_ZBFW_INSIDE_TO_OUTSIDE
    zone-pair security ROUTER_TO_OUTSIDE source self destination OUTSIDE
    service-policy type inspect PM_ZBFW_ROUTER_TO_OUTSIDE

    5 – Configure LAN interface and enable DHCP

    ! Configure VLAN 1 interface and DHCP
    interface Vlan1
    description ### LAN DEFAULT GATEWAY ###
    ip address 192.168.1.254 255.255.255.0
    ip nat inside
    zone-member security INSIDE
    no shutdown
    exit


    ip dhcp excluded-address 192.168.1.0 192.168.1.10
    ip dhcp excluded-address 192.168.1.240 192.168.1.254
    ip dhcp pool VLAN_1
    network 192.168.1.0 255.255.255.0
    default-router 192.168.1.254
    dns-server 1.1.1.1 8.8.8.8
    exit


    ! Configure built-in switchports
    interface range gi0/1/0-3
    description ### ACCESS PORT ###
    switchport
    switchport mode access
    switchport access vlan 1
    spanning-tree portfast
    no shutdown
    exit

    6 – Configure PPPoE interface and sub-interface

    interface Ethernet0/2/0
    description ### VDSL CONTROLLER ###
    no ip address
    no negotiation auto
    no shutdown

    interface Ethernet0/2/0.101
    encapsulation dot1Q 101
    pppoe enable group global
    pppoe-client dial-pool-number 1
    no shutdown

    7 – Configure Dialer interface and default route

    ! Dialer interface
    interface Dialer1
    description ### OUTSIDE INTERFACE ###
    mtu 1492
    ip address negotiated
    no ip redirects
    no ip unreachables
    ip nat outside
    zone-member security OUTSIDE
    encapsulation ppp
    ip tcp adjust-mss 1452
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication chap callin
    ppp chap hostname #BROADBAND_USERNAME#
    ppp chap password 0 #BROADBAND_PASSWORD#
    ppp ipcp route default
    ppp ipcp address accept
    no shutdown
    exit

    ! Default route
    ip route 0.0.0.0 0.0.0.0 dialer1 name DEFAULT_VIA_VDSL

    8 – Configure outbound NAT (Dynamic PAT)

    ! NAT ACL
    ip access-list extended NAT
    permit ip 192.168.1.0 0.0.0.255 any
    exit


    ! NAT Rule
    ip nat inside source list NAT interface dialer1 overload
    end

    9 – Verify the configuration works

    ! Confirm phone line has synced with modem. (You want to see a modem status of TC Sync and downstream/upstream channels as below).
    show controllers vdsl 0/2/0

    ! Confirm ISP has assigned an IP address to the router.

    show ip int brief

    ! Test a ping to Google

    ping 8.8.8.8

    10 – Verify and save the configuration

    ! Verify running-config and ensure all of the above commands have been applied.

    show run

    ! Save running-config to NVRAM

    copy running-config startup-config

    – or

    wr

    11 – Conclusion

    You should now have a working broadband connection with a router that has been secured for local management.

    At this point it should be possible to connect your laptop to the router switchports and open an SSH session to 192.168.1.254, logging in with the username and password configured earlier.

    (The fallback password will only ever be used in the event the local username is removed in error).

    The ZBFW configuration is very basic. If you intend to configure site-to-site VPNs, you will likely need to add an OUTSIDE -> self zone-pair with bespoke rules to permit inbound connectivity from the remote peer. A policy-map can be configured to either ‘inspect’ or ‘pass’ packets; I have found ‘pass’ for protocols such as IKE/ESP can prevent common problems.

    For convenience, please find a copy of the running-config below:

  • Cisco 887 VDSL (FTTC) basic configuration guide

    Please follow the below guide to securely terminate a VDSL (FTTC) broadband service on a Cisco 887 router.

    This configuration will handle DHCP on the LAN, outbound NAT (dynamic PAT), and statefully inspect packets to ensure connections are only ever built outbound.

    The router will be unreachable from the outside world and can only be managed internally from the LAN via SSH, or locally via console.

    This guide assumes a basic working knowledge of configuring Cisco equipment with a console cable.

    [image: cisco-887-router]

    Prerequisites

    Please populate the below, ready to merge into the main config.

    Enable password = #ENABLE_PASSWORD#

    Login username = #USERNAME#

    Login password = #PASSWORD#

    Console and VTY fallback password = #FALLBACKPASSWORD#

    Broadband username = #BROADBAND_USERNAME#

    Broadband password = #BROADBAND_PASSWORD#

    Configuration Steps

    1 – Ensure any existing config on the router has been wiped and you are starting from a blank device (write erase, then reload).

    If prompted to enter the initial config, type ‘no’.

    2 – Enter global configuration mode and apply general ‘best practice’ fixups

    service sequence-numbers
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service tcp-keepalives-in
    service tcp-keepalives-out
    service password-encryption
    logging buffered 1024000
    login on-success log
    login on-failure log
    clock timezone GMT 0 0
    clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 1:00
    no ip http server
    no ip http secure-server
    ntp server 134.226.81.3
    hostname R1

    3 – Define login credentials and secure remote access

    ! Login credentials
    enable secret 0 #ENABLE_PASSWORD#
    username #USERNAME# privilege 15 secret 0 #PASSWORD#
    ip domain-name cisco.router
    crypto key generate rsa general-keys modulus 4096

    ! Secure console and VTY lines
    ip access-list standard SECURE_VTY
    10 permit 192.168.1.0 0.0.0.255
    exit

    line con 0
    password #FALLBACKPASSWORD#
    login local
    session-timeout 15
    exit

    line vty 0 15
    password #FALLBACKPASSWORD#
    login local
    transport input ssh
    access-class SECURE_VTY in
    session-timeout 15
    exit

    4 – Configure LAN interface and enable DHCP

    ! Configure VLAN 1 interface and DHCP
    interface Vlan1
    description ### LAN DEFAULT GATEWAY ###
    ip address 192.168.1.254 255.255.255.0
    ip nat inside
    no shutdown
    exit

    ip dhcp excluded-address 192.168.1.0 192.168.1.10
    ip dhcp excluded-address 192.168.1.240 192.168.1.254
    ip dhcp pool VLAN_1
    network 192.168.1.0 255.255.255.0
    default-router 192.168.1.254
    dns-server 1.1.1.1 8.8.8.8
    exit

    ! Configure built-in switchports
    interface range fa0-3
    description ### ACCESS PORT ###
    switchport mode access
    switchport access vlan 1
    spanning-tree portfast
    exit

    5 – Configure outside ACL, stateful packet inspection and PPPoE interfaces

    ! Configure dialer interface ACL
    ip access-list extended FIREWALL_IN
    permit icmp any any echo-reply
    permit icmp any any time-exceeded
    permit icmp any any unreachable
    permit udp host 134.226.81.3 eq 123 any
    deny ip any any
    exit

    ! Configure CBAC
    ip inspect name CBAC tcp
    ip inspect name CBAC udp
    ip inspect name CBAC icmp

    ! Configure PPPoE interface and bind to dialer.

    interface Ethernet0
    no ip address
    no shutdown
    exit

    interface Ethernet0.101
    encapsulation dot1Q 101
    pppoe enable group global
    pppoe-client dial-pool-number 1
    no shutdown
    exit

    6 – Configure Dialer interface and default route

    ! Dialer interface

    interface Dialer1
    description ### OUTSIDE INTERFACE ###
    mtu 1492
    ip address negotiated
    ip access-group FIREWALL_IN in
    no ip redirects
    no ip unreachables
    ip nat outside
    ip inspect CBAC out
    ip virtual-reassembly in
    encapsulation ppp
    ip tcp adjust-mss 1452
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication chap callin
    ppp chap hostname #BROADBAND_USERNAME#
    ppp chap password 0 #BROADBAND_PASSWORD#
    ppp ipcp route default
    ppp ipcp address accept
    no shutdown
    exit

    ! Default route

    ip route 0.0.0.0 0.0.0.0 dialer1 name DEFAULT_VIA_VDSL

    7 – Configure outbound NAT (Dynamic PAT)

    ! NAT ACL
    ip access-list extended NAT
    permit ip 192.168.1.0 0.0.0.255 any
    exit

    ! NAT Rule
    ip nat inside source list NAT interface dialer1 overload
    end

    8 – Verify the configuration works

    ! Confirm phone line has synced with modem. (You want to see a modem status of TC Sync and downstream/upstream channels as below).

    show controllers vdsl 0

    ! Confirm ISP has assigned an IP address to the router.

    show ip int brief

    ! Test a ping to Google

    ping 8.8.8.8

    9 – Verify and save the configuration

    ! Verify running-config and ensure all of the above commands have been applied.

    show run

    ! Save running-config to NVRAM

    copy running-config startup-config

    – or

    wr

    10 – Conclusion

    You should now have a working broadband connection with a router that has been secured for local management.

    At this point it should be possible to connect your laptop to the router switchports and open an SSH session to 192.168.1.254, logging in with the username and password configured earlier.

    (The fallback password will only ever be used in the event the local username is removed in error).
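As an added example (not code from either post), the script below audits a saved running-config for the management hardening both guides apply: SSH-only VTY lines behind an inbound access-class such as SECURE_VTY with local login, the HTTP servers explicitly disabled, and the Dialer interface protected either by a ZBFW zone (C1117 guide) or by an inbound ACL such as FIREWALL_IN plus CBAC inspection (887 guide). The block parser and the two sample configs are my own construction and assume standard running-config indentation.

```python
"""Audit an IOS running-config for the remote-management hardening used in both guides (added example; samples are constructed)."""

def parse_blocks(config: str) -> dict:
    """Group indented sub-commands under their parent command (running-config layout)."""
    blocks, parent = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # skip blank lines and IOS comments
        if raw[0] != " ":
            parent = raw.strip()
            blocks.setdefault(parent, [])
        elif parent is not None:
            blocks[parent].append(raw.strip())
    return blocks

def audit(config: str) -> list:
    """Return human-readable findings; an empty list means every check passed."""
    blocks, findings = parse_blocks(config), []
    for parent, subs in blocks.items():
        if parent.startswith("line vty"):
            if "transport input ssh" not in subs:
                findings.append(f"{parent}: transport input is not restricted to SSH")
            if not any(s.startswith("access-class") and s.endswith(" in") for s in subs):
                findings.append(f"{parent}: no inbound access-class limiting management sources")
            if "login local" not in subs:
                findings.append(f"{parent}: not authenticating against local usernames")
        elif parent.startswith("interface Dialer"):
            # Outside interface: ZBFW zone (C1117 guide) or inbound ACL + CBAC (887 guide)
            zbfw = any(s.startswith("zone-member security") for s in subs)
            cbac = (any(s.startswith("ip access-group") and s.endswith(" in") for s in subs)
                    and any(s.startswith("ip inspect") and s.endswith(" out") for s in subs))
            if not (zbfw or cbac):
                findings.append(f"{parent}: no security zone and no inbound ACL with inspection")
    for svc in ("ip http server", "ip http secure-server"):
        if f"no {svc}" not in blocks:  # running-config shows disabled services as 'no ...'
            findings.append(f"{svc} is not explicitly disabled")
    return findings

# Constructed samples: GOOD mirrors the guides; WEAK opens the VTYs to all transports and drops the ACL.
GOOD_CONFIG = """\
no ip http server
no ip http secure-server
interface Dialer1
 zone-member security OUTSIDE
line vty 0 15
 login local
 transport input ssh
 access-class SECURE_VTY in
"""
WEAK_CONFIG = GOOD_CONFIG.replace(" transport input ssh", " transport input all").replace(" access-class SECURE_VTY in\n", "")
```

ZBFW permits traffic to and from the router's own self zone by default in any direction that no zone-pair covers, and the first guide defines no OUTSIDE -> self pair, so the VTY access-class and `transport input ssh` are what actually keep management closed from the outside; that is why the audit treats them as mandatory rather than optional.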

    For convenience, please find a copy of the running-config below: