====== Cisco ADSL & 877 router ======

===== Background =====

{{networking:cisco877.png?200 |Cisco 877}}

My [[http://www.rainsbrook.co.uk/networking/cisco/adsl/index.html|1720]] router with the wic1-adsl card served me well. I cannot think of any outages I had which required a reboot of my router; a few were line related, but the 1720 recovered well. However, over time a few limitations became apparent: the wic1-adsl supports ADSL ver.1 only, and the 1720 cannot support a next-generation ADSL modem WIC which supports ADSL2. Also, in order to get a pure IPv6 interface, I needed to add in a 10 MB/s WIC card.

The cost of a modular router such as an 1800 series rack mount with the WIC2-ADSL2 card is prohibitive, but the 877 router combines all these in one box, and they are available from eBay at sensible cost. The drawing below shows how this fits into my network. As I have a separate firewall, NAT is not run on the 877.

{{rb:no50firewall.png?400|}}

===== IOS image =====

The IOS image loaded on the router was c870-advsecurityk9-mz.124-4.T2.bin, but this does not support IPv6. After some research, c870-advipservicesk9-mz.124-15.T5.bin seemed a good choice, and at 18Mb in size it fitted in my flash. See the [[http://www.rainsbrook.co.uk/networking/cisco/adsl/index.html|1720]] page for instructions on loading a .bin image to a Cisco router.

===== VLAN configuration =====

After several months' operation, the next steps were to experiment with some IPv6 connectivity and set up a VPN to other locations. The 877 has four Ethernet ports on the rear. One of these connects to my firewall with IPv4, one is designated for IPv6 only and another is for the local VPN address.

The usual way to assign IP addresses to physical Ethernet switch ports is to create a VLAN and add the Ethernet port to that VLAN. The VLAN interface then has the IP address assigned to it. The 877 seems to require an additional step to make this work.

During my VLAN config work, I saw the message "Access VLAN 2 does not exist. Please add it to vlan database". I thought VLANs were created when an "interface vlan2" was issued. After the config was complete, I was unable to ping from the 877 to another device. The interfaces were as follows:-

  877#sh ip interface brief
  Interface                  IP-Address      OK? Method Status                Protocol
  FastEthernet0              unassigned      YES unset  up                    up
  FastEthernet1              unassigned      YES unset  up                    down
  FastEthernet2              unassigned      YES unset  up                    up
  FastEthernet3              unassigned      YES unset  up                    up
  ATM0                       unassigned      YES NVRAM  up                    up
  Vlan1                      www.xxx.yyy.zzz YES NVRAM  up                    up
  Vlan2                      unassigned      YES NVRAM  up                    down
  Vlan3                      192.168.6.1     YES NVRAM  up                    down

The line of concern was "Vlan3 192.168.6.1 YES NVRAM up down", showing that I had a physical link but no logical connection. After a few false routes of enquiry, I found that I needed to create a VLAN database with:-

  877#vlan database
  877(vlan)#vlan 2 name ipv6
  VLAN 2 modified:
      Name: ipv6
  877(vlan)#vlan 3 name "VPN local interface"
  VLAN 3 added:
      Name: VPN local interface
  877(vlan)#apply
  APPLY completed.
  877(vlan)#exit
  APPLY completed.
  Exiting....
  877#

Please note that a name containing spaces, as above, needs to be quoted. After entering this, the line protocol was up and I could see:-

  877#show vlan-switch brief
  VLAN Name                             Status    Ports
  ---- -------------------------------- --------- -------------------------------
  1    default                          active    Fa0, Fa3
  2    ipv6                             active    Fa1
  3    VPN local interface              active    Fa2

More importantly, I could ping a connected device.

===== Running Config (no NAT) =====

  877adsl2#sh running-config
  Building configuration...
  
  Current configuration : 2399 bytes
  !
  ! No configuration change since last restart
  !
  version 12.4
  no service pad
  service timestamps debug datetime
  service timestamps log datetime
  service password-encryption
  !
  hostname 877adsl2
  !
  boot-start-marker
  boot-end-marker
  !
  logging buffered 51200 warnings
  enable secret 5 $1$V0.E$3guessme!XQT46rw71
  !
  no aaa new-model
  !
  resource policy
  !
  clock timezone GMT 0
  clock summer-time BST recurring 4 Sun Mar 1:00 4 Sun Oct 2:00
  ip cef
  !
  !
  !
  !
  ip domain list mydomain.co.uk
  ip domain name mydomain.co.uk
  ip name-server 8.8.8.8
  ip name-server 8.8.4.4
  !
  ipv6 unicast-routing
  ipv6 cef
  ipv6 multicast-routing
  !
  !
  interface ATM0
   no ip address
   no atm ilmi-keepalive
   pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
   !
   dsl operating-mode auto
   dsl enable-training-log
   hold-queue 224 in
  !
  interface FastEthernet0
   description Internet LAN to firewall
  !
  interface FastEthernet1
   description IPv6 interface
   switchport access vlan 2
  !
  interface FastEthernet2
   description VPN connection
   switchport access vlan 3
  !
  interface FastEthernet3
   description Internet access ipv4
  !
  interface Vlan1
   description Internet LAN
   ip address 81.187.218.249 255.255.255.248
  !
  interface Vlan2
   no ip address
   ipv6 enable
  !
  interface Vlan3
   description VPN local interface
   ip address 192.168.6.1 255.255.255.0
  !
  interface Dialer0
   description WAN link to AAISP
   ip address negotiated
   encapsulation ppp
   dialer pool 1
   dialer-group 1
   ipv6 enable
   ipv6 traffic-filter adsl-ipv6 in
   ppp chap hostname isp@me
   ppp chap password 7 guessmetoo!32E377B6260
  !
  ip route 0.0.0.0 0.0.0.0 Dialer0
  !
  !
  no ip http server
  no ip http secure-server
  !
  access-list 23 permit ww.xx.yy.zzz log
  access-list 23 deny any log
  dialer-list 1 protocol ip permit
  snmp-server community mystring RO 23
  snmp-server location whereami
  snmp-server contact whoami@mudomain.co.uk
  !
  !
  ipv6 route ::/0 Dialer0
  !
  !
  control-plane
  !
  banner login ^CC No Access ^C
  banner motd ^CCC WARNING: No Access ^C
  !
  line con 0
   password 7 0828TopSecret!!5D42
   login
   no modem enable
  line aux 0
  line vty 0 4
   access-class 23 in
   password 7 07NoAccessAllowed!0
   login
   transport input all
  !
  scheduler max-task-time 5000
  ntp clock-period 17175169
  ntp server 213.179.228.1
  ntp server 195.56.55.177
  ntp server 131.234.137.24
  !
  !
  end
  
  877adsl2#
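
The check described in the VLAN configuration section, as an added example that is not part of the original page: it cross-references ''switchport access vlan'' statements, ''show ip interface brief'' and ''show vlan-switch brief'' to say why a Vlan interface has its line protocol down. The function names, the abridged sample text and the "before the fix" VLAN table are constructed for illustration, and the rule that a Vlan interface needs both a database entry and a member port with line protocol up is an assumption consistent with the output shown above.

```python
import re
# Constructed samples, abridged from the outputs on this page. The VLAN table
# "before the fix" is an assumption: the page only shows it after the fix.
RUNNING_CONFIG = """\
interface FastEthernet1
 switchport access vlan 2
interface FastEthernet2
 switchport access vlan 3
"""
IP_INT_BRIEF = """\
FastEthernet1  unassigned   YES unset  up  down
FastEthernet2  unassigned   YES unset  up  up
Vlan2          unassigned   YES NVRAM  up  down
Vlan3          192.168.6.1  YES NVRAM  up  down
"""
VLAN_BRIEF_BEFORE = """\
1    default   active    Fa0, Fa3
2    VLAN0002  active    Fa1
"""

def access_vlans(config):
    """Map switch port -> access VLAN (ports with no statement default to VLAN 1)."""
    vlan_of, port = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            port = m.group(1) if m.group(1).startswith("FastEthernet") else None
            if port:
                vlan_of[port] = 1
        elif (m := re.match(r"\s+switchport access vlan (\d+)", line)) and port:
            vlan_of[port] = int(m.group(1))
    return vlan_of

def diagnose_svis(config, ip_brief, vlan_brief):
    """Return {vlan_id: reason} for each Vlan interface whose line protocol is down."""
    # Last column of 'show ip interface brief' is the line protocol state.
    proto = {f[0]: f[-1] for f in map(str.split, ip_brief.splitlines()) if len(f) >= 6}
    # VLAN ids are the leading number on each row of 'show vlan-switch brief'.
    in_database = {int(v) for v in re.findall(r"^(\d+)\s", vlan_brief, re.M)}
    vlan_of, report = access_vlans(config), {}
    for name, state in proto.items():
        m = re.fullmatch(r"Vlan(\d+)", name)
        if m and state == "down":
            vid = int(m.group(1))
            member_up = any(v == vid and proto.get(p) == "up" for p, v in vlan_of.items())
            if vid not in in_database:
                report[vid] = "VLAN missing from VLAN database"
            elif not member_up:
                report[vid] = "no member port with line protocol up"
            else:
                report[vid] = "other cause"
    return report
```

Calling ''diagnose_svis(RUNNING_CONFIG, IP_INT_BRIEF, VLAN_BRIEF_BEFORE)'' on the samples separates the two cases seen above: Vlan3 is down because VLAN 3 is not in the database, while Vlan2 is down only because FastEthernet1 has no link.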