Sunfish

Cisco 88xVA – A home router on steroids


Intro – There has to be a reason…

 

…for writing this. And yes, there are even a few of them.

 

The main motivation is the fact that most of the books and documentation out there only deal with isolated scenarios. Documentation just describes single features but not how to put all those pieces together.

 

What do I mean by this? Let's say you want to set up a VPN between your Cisco home router and your iPhone so that you can connect to your internal network from any place, any time. Setting up a VPN when dial-up connections with NAT and dynamic IP addresses come into play is a completely different story compared to the clean lab scenarios described in the books and documentation.

 

Hence the target is to configure all those features on a single router so that they work together turning this poor little device into an all-in-one Swiss army knife - a router on steroids.

 

As a funny side note, one of our most respected TEs wrote some time ago that the 800 series routers were not suitable for CCNA/CCNP studies. He was probably referring to the older models, but the newer 88x and 89x ISR routers are pretty amazing and contain almost everything you need. Many companies use them nowadays for smaller branch offices or home workers that require secure access to company resources.

 

When I moved from good old ADSL (running on an 1841 router) to VDSL with IPTV, I noticed that I had really got a bit rusty on R&S and security. During the last 2 years or so I focused on nothing but enterprise-class VoIP (read: large CUCM clusters and the like), so setting up my new 88xVA router gave me a quick refresher on many other things, and I wanted to use this chance to share the results of this process.

 

Some of you might remember that I wanted to go for the CCNA/CCNP Voice track as part of my shifted job focus. However, I gave up all certification plans for the time being. Simply no one cares whether or not I'm certified as long as I can do the job...

 

Finally, this is not a single post but the starting point for a series of posts. Each post will deal with a certain aspect or add some specific feature to the step-by-step growing configuration. At least some posts might appear in other sections of this forum as they specifically relate to security or R&S, for example.

 

This thread will serve as the anchor point for this project with links to the upcoming posts and it will be updated accordingly from time to time.

 

 

The protagonist: A Cisco 88xVA router

 

The 88xVA routers not only provide VDSL connectivity but also include an internal 4-port switch module. Two of these ports can be upgraded to PoE.

 

The bad news about these routers is the fact that they require activation keys for some of the advanced functionalities.

 

You can buy these routers with either an Advanced Security or an Advanced IP Services license. The latter is required, e.g., for IPTV via multicast. The purpose of other licenses like SSLVPN or Content Filtering is pretty obvious.

 

This project is based on the following hard- and software:

  • Cisco 88xVA router
  • Advanced IP Services license
  • SSLVPN license
  • IPS service license
  • Content-filtering license
  • IOS: c880data-universalk9-mz.152-1.T1.bin

Before you ask: Yes, I bought the necessary licenses and service contracts and no, I will not share the IOS files or IPS signatures as I expect everyone to respect the copyrights.

 

 

The task list

 

The configuration of my home router keeps growing, so I am breaking it into smaller parts, each focusing on a specific task or feature. Most of them are up and running already, but some are still pending, i.e. on my to-do list until I have some time to implement them.

 

This task list does not necessarily reflect the order of appearance and might be subject to change.

  • Part 1: Base configuration
    the starting point to get the router up and running - DONE
  • Part 2: VDSL base configuration
    we need access to the internet, don't we? - DONE
  • Part 3: Management tasks
    there is always something to update or monitor - DONE
  • Part 4: DSL advanced configuration – Dyndns and kron jobs
    getting a new IP address every 24 hours requires us to take some action - DONE
  • Part 5: VDSL advanced configuration – IPTV via multicast
    probably somewhat specific to my ISP but definitely interesting - DONE
  • Part 6: IP inspection and access-lists
    improving the security beyond NAT/PAT - coming up next...
  • AAA base configuration
    setting the foundation for the VPN features
  • Easy VPN Server
    it's cool to access my network from anywhere, anytime, even from my iPhone
  • SSL-VPN Server
    some customers' networks do not allow standard VPN, so we need a second option
  • Gateway redundancy with HSRP
    didn't I tell you that I have 2 of these babies...?
  • Routing with EIGRP
    ...and some other routers and lab networks behind those?
  • IPS configuration
    not yet implemented
  • Content Filtering
    not yet implemented
  • AAA with RADIUS integration
    not yet implemented
  • VPN with certificate based authentication
    not yet implemented

There are also some other features like ZBF that I may or may not implement at some point, depending on my mood and time...

 

 

Call for action

 

This forum is all about sharing knowledge! I am pretty sure that there is room for optimization and integrating other features into this configuration.

 

So let us know what you think, what features you are interested in, your experience, etc.

 

Of course, the current task list is based on my personal preferences but I am always interested in testing and labbing new stuff!

 

 

Disclaimer

 

The information and configuration is provided on an "as is" basis and you use it totally at your own risk.

All rights reserved. If you want to copy parts of it, I expect you at least to mention the source, setting a link back to this original post.

Edited by Sunfish

The combined configuration we have covered so far in the first 5 parts without any comments:

 

88xVA#
!
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
!
service password-encryption
!
hostname 88xVA
!
boot-start-marker
boot system flash:c880data-universalk9-mz.152-1.T1.bin
boot system flash:c880data-universalk9-mz.151-4.M1.bin
boot-end-marker
!
logging buffered 100000 informational
no logging console
enable secret Sadikhov!2011
!
clock timezone CET 1 0
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
!
ip dhcp excluded-address 192.168.10.1 192.168.10.49
ip dhcp excluded-address 192.168.10.70 192.168.10.254
!
ip dhcp pool LocalPool
 import all
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.254
 dns-server 192.168.10.254 192.168.10.10 4.2.2.2 4.2.2.3
 domain-name sadikhov.local
!
ip domain lookup source-interface Dialer0
ip domain name sadikhov.local
ip name-server 4.2.2.2
ip name-server 4.2.2.3
ip multicast-routing
ip ddns update method MyDDNSMethod
 HTTP
  add http://MyUserName:MyPassword@<s>/nic/update?system=dyndns&hostname=<h>&myip=<a>
 interval minimum 0 1 0 0
!
username Sunfish privilege 15 secret Router-on-steroids
!
controller VDSL 0
 firmware filename flash:vdsl.bin-A2pv6C035d_d23j
!
ip ssh rsa keypair-name SSHKEY
ip ssh version 2
!
interface Ethernet0
 no ip address
 no ip route-cache
 no shutdown
!
interface Ethernet0.7
 description VDSL Internet Connection - VLAN 7
 encapsulation dot1Q 7
 no ip route-cache
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface Ethernet0.8
 description VDSL IPTV-Subinterface - VLAN 8
 encapsulation dot1Q 8
 ip dhcp client broadcast-flag clear
 ip address dhcp
 ip mtu 1400
 ip pim sparse-mode
 no ip route-cache
 ip igmp version 3
 ip igmp query-interval 15
 ip igmp proxy-service
!
interface ATM0
 no ip address
 shutdown
!
interface FastEthernet0
 no ip address
 spanning-tree portfast
!
interface FastEthernet1
 no ip address
 spanning-tree portfast
!
interface FastEthernet2
 no ip address
 spanning-tree portfast
!
interface FastEthernet3
 description Connection to the IPTV media receiver
 no ip address
 spanning-tree portfast
!
interface Vlan1
 description Internal LAN
 ip address 192.168.10.254 255.255.255.0
 ip pim sparse-mode
 ip nat inside
 ip igmp helper-address 172.31.127.254
 ip igmp version 3
 ip igmp explicit-tracking
 ip igmp query-interval 15
 ip igmp proxy-service
 no shutdown
!
interface Dialer0
 description VDSL Internet Dial-Up Connection
 bandwidth 10048
 bandwidth receive 51390
 ip ddns update hostname MyHost.dyndns.org
 ip ddns update MyDDNSMethod host members.dyndns.org
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip pim sparse-mode
 ip nat outside
 encapsulation ppp
 ip tcp adjust-mss 1452
 ip igmp version 3
 ip igmp query-interval 15
 ip igmp proxy-service
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname YourUsername@YourISP.com
 ppp chap password YourPassword
 ppp ipcp dns request
 ppp ipcp mask request
 no cdp enable
!
no ip http server
ip http authentication local
no ip http secure-server
!
ip dns server
ip pim rp-address 172.31.127.254
ip nat inside source list EXTNAT interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended EXTNAT
 permit ip any any
!
kron policy-list ClearDialer0
 cli clear interface Dialer 0
!
kron occurrence DisconnectISP at 4:30 recurring
 policy-list ClearDialer0
!
logging host 192.168.10.10 session-id hostname
dialer-list 1 protocol ip permit
!
snmp-server community sadikhov RW
snmp-server community sadikhovro RO
snmp-server trap-source Vlan1
snmp-server host 192.168.10.10 version 2c sadikhov
!
line con 0
 exec-timeout 0 0
 password cisco123
 login
 logging synchronous
line aux 0
line vty 0 4
 exec-timeout 20 0
 password cisco123
 login local
 logging synchronous
 transport input ssh
!
ntp logging
ntp master 5
ntp update-calendar
ntp server 192.168.10.10 source Vlan1 iburst
!
end

88xVA#

Remember that the SSH keys were generated with the command "crypto key generate rsa usage-keys modulus 1024 label SSHKEY" in this example.

This post gets updated whenever I finish a new part of the configuration.

Details, comments and explanations can be found in the threads that cover the configuration of the individual features.

Edited by Sunfish
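A reviewer's pass over a running-config like the one posted above, as an added example that is not part of the original thread and not the author's or Cisco's code. The Python script below splits a `show running-config` dump into top-level commands and their indented sub-commands, then reports the settings a security engineer would want addressed before the router faces the Internet: line passwords (which `service password-encryption` only obfuscates as reversible type 7 strings), VTY lines without an `access-class`, read-write or unfiltered SNMP communities, a NAT source list that matches any address, web management left on, and missing `enable secret` or SSHv2. The embedded `POSTED_EXCERPT` is a condensed excerpt of the configuration above; `HARDENED_EXCERPT` is the same set of lines with each finding addressed, constructed for this example. The rule names, the message wording and the `MGMT` access-list are this example's own, and the parser assumes the one-space indentation IOS uses in its own config output.

```python
"""Audit a Cisco IOS running-config for common exposure points.

Added example for this thread, not the author's or Cisco's code.  The parser
assumes the one-space indentation IOS uses in `show running-config` output;
rule ids and messages are this script's own.
"""
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (rule id, where it was found, message)

# Condensed excerpt of the configuration posted above (constructed test input).
POSTED_EXCERPT = """\
service password-encryption
enable secret Sadikhov!2011
ip ssh version 2
ip nat inside source list EXTNAT interface Dialer0 overload
ip access-list extended EXTNAT
 permit ip any any
no ip http server
no ip http secure-server
snmp-server community sadikhov RW
snmp-server community sadikhovro RO
line con 0
 exec-timeout 0 0
 password cisco123
 login
line vty 0 4
 exec-timeout 20 0
 password cisco123
 login local
 transport input ssh
"""

# The same lines with each finding addressed; the MGMT ACL is invented here.
HARDENED_EXCERPT = """\
service password-encryption
enable secret Sadikhov!2011
username Sunfish privilege 15 secret Router-on-steroids
ip ssh version 2
ip access-list standard MGMT
 permit 192.168.10.0 0.0.0.255
ip access-list extended EXTNAT
 permit ip 192.168.10.0 0.0.0.255 any
ip nat inside source list EXTNAT interface Dialer0 overload
no ip http server
no ip http secure-server
snmp-server community sadikhovro RO MGMT
line con 0
 exec-timeout 15 0
 login local
line vty 0 4
 access-class MGMT in
 exec-timeout 20 0
 login local
 transport input ssh
"""


def parse_config(text: str) -> List[Tuple[str, List[str]]]:
    """Return [(top-level command, [sub-commands])], skipping '!' comment lines."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and blocks:      # indented => belongs to the last block
            blocks[-1][1].append(raw.strip())
        elif not raw.startswith(" "):
            blocks.append((raw.strip(), []))
    return blocks


def audit(blocks: List[Tuple[str, List[str]]]) -> List[Finding]:
    findings: List[Finding] = []
    top = [cmd for cmd, _ in blocks]
    nat_acls: List[str] = []
    acl_bodies: Dict[str, List[str]] = {}

    for cmd, subs in blocks:
        if cmd.startswith("line "):
            if any(s.startswith("password ") for s in subs):
                findings.append(("line-password", cmd,
                                 "line password is a reversible type 7 string even with "
                                 "service password-encryption; use login local + username secret"))
            if "exec-timeout 0 0" in subs:
                findings.append(("no-exec-timeout", cmd, "idle sessions never time out"))
            if cmd.startswith("line vty"):
                if not any(s.startswith("access-class ") for s in subs):
                    findings.append(("vty-no-access-class", cmd,
                                     "no access-class limits which hosts may open a VTY session"))
                for s in subs:
                    if s.startswith("transport input") and s not in ("transport input ssh",
                                                                     "transport input none"):
                        findings.append(("vty-cleartext-transport", cmd,
                                         f"'{s}' permits cleartext management"))
        elif cmd.startswith("snmp-server community "):
            parts = cmd.split()   # snmp-server community <string> [view V] RO|RW [acl]
            if "RW" in parts:
                findings.append(("snmp-rw", cmd, "read-write community gives full control of the config"))
            if parts[-1] in ("RO", "RW"):
                findings.append(("snmp-no-acl", cmd, "community is not restricted by an access-list"))
        elif cmd.startswith("ip nat inside source list "):
            nat_acls.append(cmd.split()[5])
        elif cmd.startswith("ip access-list "):
            acl_bodies[cmd.split()[-1]] = subs
        elif cmd in ("ip http server", "ip http secure-server"):
            findings.append(("http-mgmt", cmd, "web management is enabled"))

    for acl in nat_acls:   # checked after the pass so ACL/NAT statement order does not matter
        if "permit ip any any" in acl_bodies.get(acl, []):
            findings.append(("nat-acl-any", f"ip access-list {acl}",
                             "NAT source list matches any address; scope it to the inside prefix"))
    if "ip ssh version 2" not in top:
        findings.append(("ssh-not-v2", "global", "SSH version 2 is not enforced"))
    if not any(c.startswith("enable secret") for c in top):
        findings.append(("no-enable-secret", "global", "no hashed enable secret configured"))
    return findings


def rule_ids(text: str) -> List[str]:
    """Sorted, de-duplicated rule ids triggered by a config text."""
    return sorted({rid for rid, _, _ in audit(parse_config(text))})


if __name__ == "__main__":
    for name, text in (("posted", POSTED_EXCERPT), ("hardened", HARDENED_EXCERPT)):
        found = audit(parse_config(text))
        print(f"== {name}: {len(found)} finding(s)")
        for rid, where, msg in found:
            print(f"  [{rid}] {where}: {msg}")
```

Run against the posted excerpt the script lists eight findings (two per line section, three for SNMP, one for the NAT list) and none against the hardened variant. The NAT check is worth a word: `permit ip any any` in the NAT source list is not an exposure on its own, but once more interfaces or a VPN pool are marked `ip nat inside`, anything arriving on them gets translated, so scoping it to the LAN prefix now avoids surprises later.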

...updated to combined configuration with the snippets from Part 4.


No specific reason except for the fact that Cisco has a tendency to ask "did you try our latest and greatest version already?" whenever I run into any problems. As mentioned in the previous part I had to upgrade to the latest firmware to get rid of some stability problems and Cisco recommended not to run it with older IOS versions.

 

The configuration should work with any 15.x version without problems, probably with 12.4(24)T as well. I won't recommend older versions due to the SSLVPN part. I started playing with SSLVPN pretty much from the very beginning, i.e. 12.4(9)T if I remember correctly. A nightmare...

The Cisco ISR G2 series routers like the 88xVA routers use DTLS by default since 15.1(2)T which greatly improves the performance of SSLVPN connections, while DTLS is disabled on older routers.

 

So if you want to use the SSLVPN feature on the newer routers, I recommend to use 15.1T or newer. If not, then there is no need to worry and you can easily stay with 12.4T if you like.


Yup, I figured the SSLVPN part. I just wasn't sure about 15.2T. I'm still with 15.1M wherever I can.

Thanks


...updated to combined configuration with the snippets from Part 5.

