
Using the Cisco 800 Series (for example Cisco 857) as a home router

Hello. Some time ago I struggled with connecting my home network to the Internet and solved the problem in a rather complicated but reliable way. While the information is not yet too outdated, I think it is worth sharing, because I spent a lot of time searching and analyzing data all over the Internet to reach the goal.

The problem was this. The provider offers a PPPoE connection, I bought a public IP, and I use the Internet actively, including to host my own services for so-called “pet projects”. My first Zyxel router worked for several years and then died. The one bought to replace it died even faster. Then I tried various other Chinese devices from the nearest store, the last of them a TP-Link TD-W8151N. It worked well until decent incoming traffic started coming through NAT, after which it hung and stopped responding. I got fed up and bought a Cisco 857 router, written off somewhere in America, via eBay.

The point of using a Cisco 800 is that it is still semi-industrial equipment: it is quite reliable and has a long service life. And so it turned out. The device went into service and in 3 years did not show a single problem; it just worked and did not require any intervention.

Characteristics of the Cisco 857 (specification image not reproduced here):

Specifically, my router is designed for the ADSL lines that still live on in Russia, but I think it will be relevant for Ethernet too; it is even simpler there (no need to bring up the ATM interface). There is also a version without Wi-Fi. Newer models in the 800 series support 802.11 standards newer than the miserable 802.11g, although it is enough for me.

Below is a setup log with explanations. In general, a Cisco device is a peculiar thing, and it is not as popular now as it used to be. Configuring it can confuse an unprepared user. I was lucky: in my youth I spent 3 months connecting the access network of a mobile operator, so I learned a couple of Cisco commands back then and still remembered something.

About firmware upgrade
The current IOS version for the Cisco 800 series at the time of writing is 12.4. If the router runs an older release, it is highly recommended to reflash it, as some things may not be supported or may work incorrectly. The flashing process is described in the router's manual; it requires a TFTP server on the local network and a configured LAN interface.

First you need to connect to the router. It should have been reset by the [seller] to the default settings and have no password. Connect via the console through a COM port using the supplied cable: 9600 baud, 8 data bits, 1 stop bit, no parity.

In the factory configuration the device is named Router, as seen in the command prompt:

Router> 

Switch to privileged mode using the enable command:

 Router>enable 

The prompt changes to

 Router# 

Delete the existing configuration in the flash memory:

 Router#erase startup-config 

Reboot the router:

 Router#reload 

Wait for the router to reboot, watching the boot process in the console window.

Decline the offer to run the initial configuration dialog:

 Would you like to enter the initial configuration dialog? [yes/no]: no 

Enter privileged mode:

 Router>enable 

Check the version:

 Router#show version 

Check the current configuration:

 Router#show run 

Go to configuration mode:

 Router#configure terminal 

Set the router's hostname:

 Router(config)#hostname <my_hostname> 

Enable password encryption:

 my_hostname(config)#service password-encryption 

Set a password for entering privileged mode (without this, configuration via the terminal will not work):

 my_hostname(config)#enable secret <my_password> 

Create an admin user (not strictly needed, but let it be for good order):

 my_hostname(config)#username admin privilege 15 password 0 <my_password> 

Allow access via telnet.

First, create an access list (let's call it terminal) that allows access only from the local network:

 my_hostname(config)#ip access-list standard terminal
 my_hostname(config-std-nacl)#permit 192.168.0.0 0.0.0.255
 my_hostname(config-std-nacl)#exit

Now check how many terminal lines (vty) there are:

 my_hostname(config)#line vty ? 

If it reports that 0-4 are available, then:

 my_hostname(config)#line vty 0 4
 my_hostname(config-line)#access-class terminal in
 my_hostname(config-line)#password <my_password>
 my_hostname(config-line)#login
 my_hostname(config-line)#exit
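The access list applied above decides which sources may open a telnet session at all (the same wildcard logic later governs the internet and snmp-public lists). As an added example, not part of the original post, here is a small Python model of how IOS evaluates a standard access list: wildcard bits set to 0 must match, bits set to 1 are ignored, entries are tried in order, and an unmatched source hits the implicit deny at the end. The ACL_EXAMPLE list and all source addresses are constructed for illustration.

```python
"""Standard IOS access-list evaluation with wildcard masks (added example, not from the post)."""
import ipaddress


def wildcard_matches(candidate: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is 'don't care'."""
    c = int(ipaddress.IPv4Address(candidate))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (c & care) == (n & care)


def wildcard_to_prefix(wildcard: str):
    """Prefix length for a contiguous wildcard (0.0.0.255 -> 24); None if the mask is non-contiguous."""
    w = int(ipaddress.IPv4Address(wildcard))
    netmask = ~w & 0xFFFFFFFF
    ones = bin(netmask).count("1")
    if netmask != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        return None
    return ones


def evaluate_acl(acl, source: str) -> str:
    """First matching entry wins; with no match the implicit 'deny any' applies."""
    for action, network, wildcard in acl:
        if wildcard_matches(source, network, wildcard):
            return action
    return "deny"


# The 'terminal' access list from the post: one permit for the LAN, nothing else.
ACL_TERMINAL = [("permit", "192.168.0.0", "0.0.0.255")]

# Constructed variant: block one LAN host first, then permit the rest (order matters).
ACL_EXAMPLE = [
    ("deny", "192.168.0.100", "0.0.0.0"),
    ("permit", "192.168.0.0", "0.0.0.255"),
]


if __name__ == "__main__":
    for src in ("192.168.0.42", "192.168.1.42", "203.0.113.9"):
        print(f"{src:>14}: {evaluate_acl(ACL_TERMINAL, src)}")
    print("0.0.0.255 is /%s" % wildcard_to_prefix("0.0.0.255"))
```

Running it shows a LAN host permitted and an address from any other network denied, which is exactly what the access-class on the vty lines enforces: the enable password alone is not what keeps outsiders off the management plane, the access list is.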

Also, since they are not needed, disable management of the router via SDM, as well as the CDP protocol:

 my_hostname(config)#no ip http server
 my_hostname(config)#no ip http secure-server
 my_hostname(config)#no cdp run

Enable the Eth0 port:

 my_hostname(config)#interface fastethernet 0
 my_hostname(config-if)#no shutdown
 my_hostname(config-if)#exit

Eth0 is not a full-fledged interface; it is just a switch port that belongs to vlan 1, so go into that:

 my_hostname(config)#interface vlan 1 

Give it a description:

 my_hostname(config-if)#description LAN 

Now you could simply give it an address and enable it (turning on NAT at the same time), for example:

 my_hostname(config-if)#ip address 192.168.0.1 255.255.255.0
 my_hostname(config-if)#ip nat inside
 my_hostname(config-if)#no shutdown

But that would not allow working with the network over Wi-Fi.

Therefore, if Wi-Fi is required, we do not do this; instead, a bridge must be created and the vlan placed in it.

Continue configuring the vlan:

 my_hostname(config-if)#no ip address
 my_hostname(config-if)#ip virtual-reassembly

Create a bridge (numbering starts from 1, as with vlans):

 my_hostname(config-if)#bridge-group 1
 my_hostname(config-if)#bridge-group 1 spanning-disabled

Configure the bridge, in particular, indicate straight away that NAT is needed:

 my_hostname(config-if)#interface BVI1
 my_hostname(config-if)#ip address 192.168.0.1 255.255.255.0
 my_hostname(config-if)#ip nat inside
 my_hostname(config-if)#ip virtual-reassembly

Finish configuring the LAN interface:

 my_hostname(config-if)#exit 

Save the settings and reboot:

 my_hostname(config)#exit
 my_hostname#write
 my_hostname#reload

Now the console can be disconnected. The router is available via telnet (port 21) at the specified IP from the local network plugged into the Eth0 port. The same address will be the default gateway address on the local network. Now we proceed to setting up the connection to the provider. Connect through the terminal via the LAN, enter the password <my_password>, and switch to configuration mode.

 my_hostname>enable
 my_hostname#configure terminal

Go to the ATM interface:

 my_hostname(config)#interface atm 0

Give it a description:

 my_hostname(config-if)#description ADSL line 

Set the operating parameters:

 my_hostname(config-if)#no ip address 

Find out the VPI/VCI values from your provider and specify them:

 my_hostname(config-if)#pvc 0/35 

If necessary, specify the encapsulation (the default is usually fine; check with the provider), for example:

 my_hostname(config-if-atm-vc)#encapsulation aal5snap 

Specify that the selected PVC will be used for the PPPoE connection:

 my_hostname(config-if-atm-vc)#pppoe-client dial-pool-number 1 

Complete the configuration of the selected ATM line:

 my_hostname(config-if-atm-vc)#exit 

Since the PPPoE client must be brought up, configure the dialer interface (numbering from 0), which will have the Internet access:

 my_hostname(config-if)#interface dialer 0
 my_hostname(config-if)#description Internet

Select automatic IP address assignment and enable NAT:

 my_hostname(config-if)#ip address negotiated
 my_hostname(config-if)#ip nat outside

The packet sizes (MTU and TCP MSS) must be set carefully; this is important (otherwise expect slowdowns and glitches):

 my_hostname(config-if)#ip mtu 1492
 my_hostname(config-if)#ip tcp adjust-mss 1452
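Where these two numbers come from, as an added example that is not part of the post: PPPoE on Ethernet costs 6 bytes of PPPoE header plus 2 bytes of PPP protocol field, so 1500 - 8 = 1492 is the largest IP packet the dialer can carry; subtracting a 20-byte IPv4 header and a 20-byte TCP header gives the 1452-byte MSS. The adjust-mss command rewrites the MSS option in TCP SYNs passing through the router so that hosts on the LAN, which assume a 1500-byte path, never send full-size segments that would not fit. The Python below models the derivation and the clamp; the segment sizes in the scenario are constructed.

```python
"""Derivation of 'ip mtu 1492' / 'ip tcp adjust-mss 1452' for PPPoE (added example, not from the post)."""
ETHERNET_MTU = 1500
PPPOE_HEADER = 6          # version/type, code, session id, length
PPP_PROTOCOL_FIELD = 2    # e.g. 0x0021 for IPv4
IPV4_HEADER = 20          # without options
TCP_HEADER = 20           # without options


def pppoe_ip_mtu(link_mtu: int = ETHERNET_MTU) -> int:
    """Largest IP packet that fits in one PPPoE frame on the given link."""
    return link_mtu - PPPOE_HEADER - PPP_PROTOCOL_FIELD


def mss_for_ip_mtu(ip_mtu: int) -> int:
    """Largest TCP payload per packet for that IP MTU (no IP/TCP options)."""
    return ip_mtu - IPV4_HEADER - TCP_HEADER


def clamp_mss(advertised_mss: int, ip_mtu: int) -> int:
    """What 'ip tcp adjust-mss' does to a SYN: lower the option if needed, never raise it."""
    return min(advertised_mss, mss_for_ip_mtu(ip_mtu))


def segment_fits(payload_len: int, ip_mtu: int, tcp_options_len: int = 0) -> bool:
    """Would a segment with this payload fit the link without fragmentation?"""
    return IPV4_HEADER + TCP_HEADER + tcp_options_len + payload_len <= ip_mtu


def full_size_segment_fits(advertised_mss: int, ip_mtu: int, clamped: bool) -> bool:
    """Scenario: a LAN host advertised `advertised_mss` (1460 is the usual Ethernet value).
    Without the clamp its full-size segment is a 1500-byte packet that must be fragmented
    or, with DF set, dropped on the dialer; with the clamp the peer never sends more than
    1452 bytes of payload and everything fits."""
    mss = clamp_mss(advertised_mss, ip_mtu) if clamped else advertised_mss
    return segment_fits(mss, ip_mtu)


if __name__ == "__main__":
    mtu = pppoe_ip_mtu()
    print("ip mtu", mtu, "-> ip tcp adjust-mss", mss_for_ip_mtu(mtu))
    print("1460-byte segment fits unclamped:", full_size_segment_fits(1460, mtu, False))
    print("1460-byte segment fits clamped:  ", full_size_segment_fits(1460, mtu, True))
```

The clamp only ever lowers the option, so a peer that already advertises something smaller (for example a host behind another tunnel) is left alone.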

Specify the PPP protocol and put it in the dialer pool:

 my_hostname(config-if)#encapsulation ppp
 my_hostname(config-if)#dialer pool 1

Give it the authentication mode and credentials (all of this must be obtained from the provider):

 my_hostname(config-if)#ppp authentication pap callin
 my_hostname(config-if)#ppp pap sent-username <my_ppp_login> password <my_ppp_password>

Turn on the Internet:

 my_hostname(config-if)#interface atm 0
 my_hostname(config-if)#no shutdown

After a while the DSL line indicators should light up, and a little later the PPP indicator.

Finish configuring the external interface:

 my_hostname(config-if)#exit 

Do not forget to specify the default route via interface dialer 0:

 my_hostname(config)#ip route 0.0.0.0 0.0.0.0 dialer 0 

Now configure NAT. First of all, create the access list for Internet access (call it internet):

 my_hostname(config)#ip access-list standard internet
 my_hostname(config-std-nacl)#permit 192.168.0.0 0.0.0.255
 my_hostname(config-std-nacl)#exit

Set up NAT on interface dialer 0 (the LAN was previously marked as inside, and the Internet as outside):

 my_hostname(config)#ip nat inside source list internet interface dialer 0 overload 

The Internet from the LAN should work now.
If you need to forward a port from the Internet to the LAN, it is done like this:

 my_hostname(config)#ip nat inside source static tcp 192.168.0.2 80 interface dialer 0 80 
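What the two ip nat inside source commands set up, as an added Python model that is not part of the post: overload means every LAN host shares the one negotiated dialer address and is told apart by its translated source port (port address translation), while the static entry pins outside port 80 to 192.168.0.2:80 so unsolicited connections to that port are forwarded and any other unsolicited packet from the outside is dropped for lack of a mapping. The outside address 203.0.113.7 and the LAN hosts are constructed; the model is TCP-only, ignores timeouts and ALGs, and keeps the original source port when it is free before falling back to a fresh one, as IOS does.

```python
"""Model of 'ip nat inside source list internet interface dialer 0 overload' plus a static
port forward (added example, not from the post). TCP only, no timeouts, no ALGs."""
import ipaddress

INSIDE_NET = ipaddress.ip_network("192.168.0.0/24")   # what the 'internet' access list permits
OUTSIDE_ADDR = "203.0.113.7"   # constructed stand-in for the negotiated dialer 0 address


class PatTable:
    def __init__(self, outside_addr: str, first_dynamic_port: int = 1024):
        self.outside = outside_addr
        self.next_port = first_dynamic_port
        self.outbound = {}   # (inside_ip, inside_port) -> outside_port
        self.inbound = {}    # outside_port -> (inside_ip, inside_port)

    def add_static(self, inside_ip: str, inside_port: int, outside_port: int) -> None:
        """'ip nat inside source static tcp <in_ip> <in_port> interface dialer 0 <out_port>'."""
        if outside_port in self.inbound:
            raise ValueError(f"outside port {outside_port} already mapped")
        self.inbound[outside_port] = (inside_ip, inside_port)
        self.outbound[(inside_ip, inside_port)] = outside_port

    def _allocate_port(self, preferred: int) -> int:
        # Keep the original source port when it is free; otherwise take the next free one.
        if preferred not in self.inbound:
            return preferred
        while self.next_port in self.inbound:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def translate_outbound(self, src_ip: str, src_port: int):
        """LAN -> Internet: the (outside_ip, outside_port) the packet leaves with, or None
        when the source is not in the access list and therefore is not translated."""
        if ipaddress.ip_address(src_ip) not in INSIDE_NET:
            return None
        key = (src_ip, src_port)
        if key not in self.outbound:
            port = self._allocate_port(src_port)
            self.outbound[key] = port
            self.inbound[port] = key
        return (self.outside, self.outbound[key])

    def translate_inbound(self, dst_port: int):
        """Internet -> LAN: (inside_ip, inside_port) for a known mapping, else None (dropped)."""
        return self.inbound.get(dst_port)


def build_table() -> PatTable:
    """The post's configuration: overload NAT plus TCP/80 forwarded to 192.168.0.2."""
    table = PatTable(OUTSIDE_ADDR)
    table.add_static("192.168.0.2", 80, 80)
    return table


if __name__ == "__main__":
    t = build_table()
    print("inbound :80   ->", t.translate_inbound(80))
    print("inbound :2222 ->", t.translate_inbound(2222))
    print("outbound 192.168.0.10:50000 ->", t.translate_outbound("192.168.0.10", 50000))
    print("outbound 192.168.0.11:50000 ->", t.translate_outbound("192.168.0.11", 50000))
```

The model makes the security property of overload NAT visible: only the one statically forwarded port is reachable from outside, and every dynamic mapping exists because a LAN host opened it first.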

On to Wi-Fi.

It must be enabled and a subinterface created (without this it will not work), which is placed in the previously configured vlan with the bridge:

 my_hostname(config)#interface dot11radio 0
 my_hostname(config-if)#description WLAN

Connection encryption parameters (note that the hardware is quite old and does not support newer methods):

 my_hostname(config-if)#encryption vlan 1 mode ciphers tkip 

Set your SSID and access key:

 my_hostname(config-if)#ssid <my_ssid>
 my_hostname(config-if-ssid)#authentication open
 my_hostname(config-if-ssid)#authentication key-management wpa
 my_hostname(config-if-ssid)#guest-mode
 my_hostname(config-if-ssid)#wpa-psk ascii 0 <my_key>
 my_hostname(config-if-ssid)#exit

Turn on Wi-Fi and create a subinterface that will enter the bridge:

 my_hostname(config-if)#no shutdown
 my_hostname(config-if)#interface dot11radio 0.1
 my_hostname(config-subif)#encapsulation dot1q 1 native
 my_hostname(config-subif)#no cdp enable
 my_hostname(config-subif)#bridge-group 1
 my_hostname(config-subif)#exit
 my_hostname(config-if)#exit

At this stage the WLAN interface should come up; access through it will be the same as access via the LAN.
If necessary, configure DHCP (sometimes useful if there is no dedicated server).

To begin with (if necessary), exclude the addresses reserved for other purposes.

For example, to assign addresses dynamically from the range [192.168.0.129 - 192.168.0.192], it would be like this:

 my_hostname(config)#ip dhcp excluded-address 192.168.0.1 192.168.0.128
 my_hostname(config)#ip dhcp excluded-address 192.168.0.193 192.168.0.254

Next, create a DHCP pool:

 my_hostname(config)#ip dhcp pool dhcp
 my_hostname(dhcp-config)#import all
 my_hostname(dhcp-config)#network 192.168.0.0 255.255.255.0
 my_hostname(dhcp-config)#default-router 192.168.0.1
 my_hostname(dhcp-config)#dns-server <my_dns_server>
 my_hostname(dhcp-config)#lease infinite
 my_hostname(dhcp-config)#exit
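A check that makes the exclusion arithmetic explicit, as an added Python example that is not part of the post: the effective pool is every host address of the network minus the excluded ranges, and before committing it a practitioner also wants to know that the default-router is excluded (so it is never leased to a client) and that the pool is not empty. The network, router and exclusions below are the post's own values; the misconfigured variants in the usage are constructed.

```python
"""Effective DHCP pool after 'ip dhcp excluded-address' (added example, not from the post)."""
import ipaddress


def assignable_addresses(network: str, excluded_ranges):
    """All host addresses of `network` not covered by the (inclusive) excluded ranges."""
    net = ipaddress.ip_network(network)
    excluded = set()
    for low, high in excluded_ranges:
        lo, hi = int(ipaddress.ip_address(low)), int(ipaddress.ip_address(high))
        excluded.update(range(lo, hi + 1))
    # hosts() already leaves out the network and broadcast addresses.
    return [host for host in net.hosts() if int(host) not in excluded]


def pool_summary(network: str, excluded_ranges):
    """(first, last, count) of the dynamic range, or None if nothing is left to lease."""
    addrs = assignable_addresses(network, excluded_ranges)
    if not addrs:
        return None
    return (str(addrs[0]), str(addrs[-1]), len(addrs))


def check_pool(network: str, default_router: str, excluded_ranges):
    """Problems worth flagging before the pool goes live; empty list means it looks sane."""
    problems = []
    net = ipaddress.ip_network(network)
    router = ipaddress.ip_address(default_router)
    if router not in net:
        problems.append(f"default-router {router} is outside {net}")
    addrs = assignable_addresses(network, excluded_ranges)
    if router in addrs:
        problems.append(f"default-router {router} is not excluded and could be leased out")
    if not addrs:
        problems.append("no addresses left to lease")
    return problems


# Values from the post.
POST_NETWORK = "192.168.0.0/24"
POST_ROUTER = "192.168.0.1"
POST_EXCLUDED = [("192.168.0.1", "192.168.0.128"), ("192.168.0.193", "192.168.0.254")]


if __name__ == "__main__":
    print("pool:", pool_summary(POST_NETWORK, POST_EXCLUDED))
    print("problems:", check_pool(POST_NETWORK, POST_ROUTER, POST_EXCLUDED))
    # Constructed mistake: forgetting the exclusions entirely.
    print("no exclusions:", check_pool(POST_NETWORK, POST_ROUTER, []))
```

For the post's values the pool comes out as 192.168.0.129 through 192.168.0.192, 64 addresses, with no problems; without the exclusions the router's own address would be up for lease.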

You can also enable SNMP to collect diagnostic data from the device.

First of all, as usual, an access list is needed:

 my_hostname(config)#ip access-list standard snmp-public
 my_hostname(config-std-nacl)#permit 192.168.0.0 0.0.0.255
 my_hostname(config-std-nacl)#exit

And the SNMP configuration itself (read-only community, restricted to the LAN by the access list):

 my_hostname(config)#snmp-server community public RO snmp-public 

It is useful to set a time server so that the router's clock is correct:

 my_hostname(config)#sntp server 78.140.251.2 

Finally, set up a DNS server so that you can ping by name from the router, not only by IP:

 my_hostname(config)#ip name-server 77.88.8.1 

Exit configuration mode, save the settings, and reboot:

 my_hostname(config)#exit
 my_hostname#write
 my_hostname#reload

The following metrics are available for collecting data via SNMP (screenshot not reproduced here).
For visualization, I usually use the snmpmon.exe program.

Source: https://habr.com/ru/post/434990/
