Sky Fibre Unlimited Pro on a Cisco 887VA

I recently decided to look for a replacement for the crappy white OpenReach modem that was installed as part of my Sky Fibre Unlimited Pro FTTC connection. The problem was that I didn’t want to fork out for an expensive VDSL2 modem to find I couldn’t get it working with the silly MER authentication used by Sky to try and prevent you from using your own router.

Luckily, a Cisco 887v a became available to test with before I took the plunge and bought one. I started googling and couldn’t find one success case of using this router with Sky’s service. Undeterred, I started to tinker and eventually got it working….

Before you begin you will need your mac address,  user-id and password. I won’t cover how to obtain these in this post as I provided steps (steps 1 to 7) to obtain them in an earlier post.

Once you have your mac, username and password, you will need to use them to create three bits of information.

MAC:             <0000.0000.0000> (remove the :’s and place a . after every four characters)
Hostname:    <username>|<password>
Client-ID:      <hexadecimal string of Hostname> (A converter is available here.)

I won’t go into any other configuration in this post, just the interface configuration.

First of all you want to disable the ATM interface as it shared a physical interface with the VDSL controller.

interface ATM0
no ip address
shutdown
no atm ilmi-keepalive

The VDSL modem should automatically connect to the DSLAM. You can check it’s progress by using “show controller vdsl 0”.

When the VDSL modem connects it brings interface Ethernet0 up. Eth0 is a virtual port but is used as your outside interface. OpenReach encapsulate traffic for different ISPs in Vlans. In the case of Sky it is Vlan 101 so you need to use a sub interface of Eth0.

interface Ethernet0
mac-address <mac>
no ip address
!
interface Ethernet0.101
encapsulation dot1Q 101
ip dhcp client request classless-static-route
ip dhcp client client-id hex <client-id in hex>
ip dhcp client hostname <username>|<password>
ip address dhcp
no ip redirects
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat outside
no ip virtual-reassembly in

Thats it. I’ll post my full config below which includes some basic NAT. It doesn’t include any security though. And no, you don’t need a dialer interface!

version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
!
!
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO887VA-K9 sn FCZ1633C05Z
license boot module c880-data level advipservices
!
!
!
!
!
!
controller VDSL 0
!
!
!
!
!
!
!
!
interface Ethernet0
mac-address <mac>
no ip address
!
interface Ethernet0.101
encapsulation dot1Q 101
ip dhcp client request classless-static-route
ip dhcp client client-id hex <client-id>
ip dhcp client hostname <username>|<password>
ip address dhcp
no ip redirects
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat outside
no ip virtual-reassembly in
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
switchport access vlan 1
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list NATACL interface Ethernet0.101 overload
!
ip access-list standard NATACL
permit 192.168.1.0 0.0.0.255
!
logging esm config
access-list 1 permit 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
login
transport input all
!
end

 

42 thoughts on “Sky Fibre Unlimited Pro on a Cisco 887VA”

  1. I can’t get this to work. Please see a debug from VDSL below:

    Router#
    Apr 4 19:01:44.603: ipc VDSL 0: vdsl_mbx_interrupt_handler, Interrupt: KEEP_ALIVE
    Apr 4 19:01:54.603: ipc VDSL 0: vdsl_mbx_interrupt_handler, Interrupt: KEEP_ALIVE
    Apr 4 19:01:59.335: mbx VDSL 0: vdsl_msg_rcv_isr, Desc@ 5FA : hdr= E004, total len= 28, msg len= 28, @618
    Apr 4 19:01:59.335: mbx VDSL 0: vdsl_msg_rcv_isr, Notification msg type 4, len= 28
    Apr 4 19:01:59.335: mbx VDSL 0: vdsl_process_msg_rcv, First message (1) : addr= 0x618, dest= 0x0xEE1AF00, len= 28 00x 04x 11x 02x 00x 00x 00x 00x 00x 00x 00x 00x 00x 00x 00x 00x 42x
    Apr 4 19:01:59.335: 4294967242x 55x 16x 127x 4294967272x 4294967212x 4294967288x 00x 00x 00x 00x
    Apr 4 19:01:59.335: mbx VDSL 0: vdsl_process_msg_rcv, Last message (2) : addr= 0x618, dest= 0xEE1AF1C, len= 28
    Apr 4 19:01:59.335: mbx VDSL 0: vdsl_msg_rcv_complete, call msg 4 rx handler, err= 0, len= 28, 0xEE1AF00
    Apr 4 19:02:04.635: ipc VDSL 0: vdsl_mbx_interrupt_handler, Interrupt: KEEP_ALIVE
    Apr 4 19:02:14.635: ipc VDSL 0: vdsl_mbx_interrupt_handler, Interrupt: KEEP_ALIVE
    Apr 4 19:02:24.635: ipc VDSL 0: vdsl_mbx_interrupt_handler, Interrupt: KEEP_ALIVE
    Apr 4 19:02:29.375: mbx VDSL 0: vdsl_msg_rcv_isr, Desc@ 604 : hdr= E004, total len= 28, msg len= 28, @618
    Apr 4 19:02:29.375: mbx VDSL 0: vdsl_msg_rcv_isr, Notification msg type 4, len= 28
    Apr 4 19:02:29.375: mbx VDSL 0: vdsl_process_msg_rcv, First message (1) : addr= 0x618, dest= 0x0xEE1AF00, len= 28 00x 04x 11x 02x 00x 00x 00x 00x 00x 00x 00x 00x 00x 00x 00x 00x 42x
    Apr 4 19:02:29.375: 4294967242x 55x 16x 127x 4294967272x 4294967212x 4294967288x 00x 00x 00x 00x
    Apr 4 19:02:29.375: mbx VDSL 0: vdsl_process_msg_rcv, Last message (2) : addr= 0x618, dest= 0xEE1AF1C, len= 28
    Apr 4 19:02:29.375: mbx VDSL 0: vdsl_msg_rcv_complete, call msg 4 rx handler, err= 0, len= 28, 0xEE1AF00
    Apr 4 19:02:34.663: ipc VDSL 0: vdsl_mbx_interrupt_handler, Interrupt: KEEP_ALIVE
    Apr 4 19:02:44.663: ipc VDSL 0: vdsl_mbx_interrupt_handler, Interrupt: KEEP_ALIVE
    Apr 4 19:02:54.663: ipc VDSL 0: vdsl_mbx_interrupt_handler, Interrupt: KEEP_ALIVE
    Apr 4 19:02:59.415: mbx VDSL 0: vdsl_msg_rcv_isr, Desc@ 60E : hdr= E004, total len= 28, msg len= 28, @618
    Apr 4 19:02:59.415: mbx VDSL 0: vdsl_msg_rcv_isr, Notification msg type 4, len= 28
    Apr 4 19:02:59.415: mbx VDSL 0: vdsl_process_msg_rcv, First message (1) : addr= 0x618, dest= 0x0xEE1AF00, len= 28 00x 04x 11x 02x 00x 00x 00x 00x 00x 00x 00x 00x 00x 00x 00x 00x 42x
    Apr 4 19:02:59.415: 4294967242x 55x 16x 127x 4294967272x 4294967212x 4294967288x 00x 00x 00x 00x
    Apr 4 19:02:59.415: mbx VDSL 0: vdsl_process_msg_rcv, Last message (2) : addr= 0x618, dest= 0xEE1AF1C, len= 28
    Apr 4 19:02:59.415: mbx VDSL 0: vdsl_msg_rcv_complete, call msg 4 rx handler, err= 0, len= 28, 0xEE1AF00
    Apr 4 19:03:04.695: ipc VDSL 0: vdsl_mbx_interrupt_handler, Interrupt: KEEP_ALIVE
    Apr 4 19:03:14.691: ipc VDSL 0: vdsl_mbx_interrupt_handler, Interrupt: KEEP_ALIVE
    Apr 4 19:03:24.691: ipc VDSL 0: vdsl_mbx_interrupt_handler, Interrupt: KEEP_ALIVE

    Any help would be appreciated.

    Like

  2. Hi,

    I have followed your guide to the letter, extract the Sky username and password using wireshark and cannot get internet access from the 887.

    I originally had the 887 running as an adsl modem, but the clien had the line upgraded to fibre over copper.

    Below is my config with relevant bits removed!

    Would appareciate so guidance please!!!

    controller VDSL 0
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    interface Ethernet0
    mac-address xxxx.xxxx.d116
    no ip address
    ip tcp adjust-mss 1452
    !
    interface Ethernet0.101
    encapsulation dot1Q 101
    ip dhcp client request classless-static-route
    ip dhcp client client-id hex 53616D70736F6E5F527472
    ip dhcp client hostname xxxxxxxxxx@skydsl|c56c3e46
    ip address dhcp
    no ip redirects
    no ip proxy-arp
    ip flow ingress
    ip flow egress
    ip nat outside
    no ip virtual-reassembly in
    ip tcp adjust-mss 1452
    !
    interface ATM0
    description SKYBB-ADSL-LLU
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat outside
    ip virtual-reassembly in
    shutdown
    no atm ilmi-keepalive
    !
    interface ATM0.1 point-to-point
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    shutdown
    pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    !
    interface FastEthernet0
    description Link_to_24Port
    switchport mode trunk
    no ip address
    !
    interface FastEthernet1
    no ip address
    !
    interface FastEthernet2
    no ip address
    !
    interface FastEthernet3
    no ip address
    !
    interface Vlan1
    description Client_VLan
    ip address 192.168.1.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly in
    ip tcp adjust-mss 1452
    !
    interface Vlan5
    ip address 192.168.15.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly in
    ip tcp adjust-mss 1452
    !
    interface Vlan15
    no ip address
    !
    interface Dialer1
    description OUTSIDE$FW_OUTSIDE$
    ip address negotiated
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat outside
    ip virtual-reassembly in
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    ppp authentication chap callin
    ppp chap hostname xxxxxxxxxxx@skydsl
    ppp chap password 0 xxxxxxxxx
    no cdp enable
    !
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    !
    ip dns server
    ip nat inside source list NATACL interface Ethernet0.101 overload
    ip route 0.0.0.0 0.0.0.0 Dialer1
    !
    ip access-list standard NATACL
    permit 192.168.0.0 0.0.255.255
    !
    dialer-list 1 protocol ip permit

    Like

  3. Are you getting a sold “CD” light on the router?

    I’d probably start by deleting the ATM0.1 interface and Dialer1. I’m not sure how the controller in this router will react to having the dialer on there even though the ATM interfaces are shutdown.

    Like

  4. I have got one of these from an old shop we have taken over, I would love to replace my Sky ADSL SR102 with this it looks great, it is an 887VAGW+7-E-K9 but I havn’t got a clue on programming it, if anyone has a step by step guide I’d really appreciate it, I have got my user name and password off Sky.

    Like

  5. I have an issue with my router not syncing, not sure what’s the issue. The router works fine on my girlfriends ADSL connection (well syncs anyway). I’ve tried a blank config and it still won’t sync. What firmware version are you using?

    Like

    1. Hi,

      I’m running Version 15.1(3)T2 with controller firmware version 140729_1209-4.02L.03.A2pv6C039m.d24h.

      I did have a few issues with sync when I tried to upgrade IOS to a newer version. I’m waiting to get my hands on a second 887va to test with before upgrading my main one.

      Let me know if you need a copy of the firmware I’m running.

      Dan

      Like

  6. Hi Dan, Thanks for replying. Just downgraded to that IOS and confirmed I was running the same modem firmware, still getting no sync…Im lost! Ran debug vdsl 0 daemon all and debug vdsl 0 mailbox error:

    Jan 25 22:33:33.487: VDSL 0: vdsl line state : fullinit
    Jan 25 22:33:40.499: VDSL 0: SM_LINE_DOWN boolean event
    Jan 25 22:33:42.507: VDSL 0: vdsl line state : discovery
    Jan 25 22:33:42.507: VDSL 0: SM_LINE_TRAIN boolean event
    Jan 25 22:33:42.507:     vdsl_daemon_sm VDSL 0: during state training, got event 17(line_training)
    Jan 25 22:33:42.507: @@@ vdsl_daemon_sm VDSL 0: training -> training
    Jan 25 22:33:51.519: VDSL 0: SM_LINE_DOWN boolean event 00x 04x 11x 02x 00x 00x 00x 00x 00x 00x 00x 00x 00x 00x 00x 00x 42x
    Jan 25 22:33:58.195:  4294967242x 55x 16x 127x 4294967268x 4294967180x 4294967288x 00x 00x 00x 00x
    Jan 25 22:34:24.527: VDSL 0: vdsl line state : discovery
    Jan 25 22:34:24.527: VDSL 0: SM_LINE_TRAIN boolean event
    Jan 25 22:34:24.527:     vdsl_daemon_sm VDSL 0: during state training, got event 17(line_training)
    Jan 25 22:34:24.527: @@@ vdsl_daemon_sm VDSL 0: training -> training 00x 04x 11x 02x 00x 00x 00x 00x 00x 00x 00x 00x 00x 00x 00x 00x 42x
    Jan 25 22:34:28.195:  4294967242x 55x 16x 127x 4294967268x 4294967180x 4294967288x 00x 00x 00x 00x
    Jan 25 22:34:35.535: VDSL 0: vdsl line state : fullinit
    Jan 25 22:34:43.547: VDSL 0: SM_LINE_DOWN boolean event
    Jan 25 22:34:44.555: VDSL 0: vdsl line state : discovery
    Jan 25 22:34:44.555: VDSL 0: SM_LINE_TRAIN boolean event
    Jan 25 22:34:44.555:     vdsl_daemon_sm VDSL 0: during state training, got event 17(line_training)
    Jan 25 22:34:44.555: @@@ vdsl_daemon_sm VDSL 0: training -> training

    Ignore the firmware version here, I forgot to take a grab of the one you mentioned:

    Router#sh controllers vdSL 0
    Controller VDSL 0 is DOWN

    Daemon Status:           Establishing Link 

                            XTU-R (DS)              XTU-C (US)
    Chip Vendor ID:         ‘BDCM’                   ‘BDCM’
    Chip Vendor Specific:   0x0000                   0xA41B
    Chip Vendor Country:    0xB500                   0xB500
    Modem Vendor ID:        ‘CSCO’                   ‘    ‘
    Modem Vendor Specific:  0x4602                   0x0000
    Modem Vendor Country:   0xB500                   0x0000
    Serial Number Near:    FCZ16069492 887VA-K9 15.1(3)T  
    Serial Number Far:     
    Modem Version Near:    15.1(3)T
    Modem Version Far:     0xa41b

    Modem Status:            Unknown 
    DSL Config Mode:         AUTO 
    Trained Mode:             
    TC Mode:                 UNKNOWN 
    Selftest Result:         0x00 
    DELT configuration:      disabled 
    DELT state:              not running 
    Trellis:                 OFF                      OFF

    Full inits:             0
    Failed full inits:      13
    Short inits:            0
    Failed short inits:     1

    Firmware        Source          File Name (version)
    ——–        ——          ——————-
    VDSL            user config     flash:vdsl.bin (10)

    Modem FW  Version:      110802_1752-4.02L.03.A2pv6C035d.d23j
    Modem PHY Version:      A2pv6C035d.d23j

    Training Log :  Stopped
    Training Log Filename : flash:vdsllog.bin

    Like

    1. Have you shut the atm interace down? If it is getting a sync on an adsl line but not VDSL line then i would assume the ADSL modem is taking priority over the VDSL controller. I beleive the 887Va has an onboard ADSL modem and the VDSL comtroller is a daughterboard, but they share the same physical port.

      Like

  7. The ATM interface was shutdown, it was very odd. I plugged a Draytek VDSL router into my connection earlier to test it and that came up fine, then plugged in the 887 and it worked first time (don’t remember changing anything…). Updated the IOS to Version 15.2(4)M7 (latest I can go to with my DRAM) and all is working fine…very strange!
    Thanks for your help on this, your config was also very handy!

    Like

  8. Hi, mind giving me a hand? Struggeling to get mine to connect.

    version 15.1
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname internet_router
    !
    boot-start-marker
    boot-end-marker
    !
    !
    enable secret 4 ###########
    !
    no aaa new-model
    !
    no ipv6 cef
    ip source-route
    ip cef
    !
    !
    !
    ip dhcp excluded-address 192.168.1.1 192.168.1.30
    !
    ip dhcp pool home
    network 192.168.1.0 255.255.255.0
    default-router 192.168.1.254
    dns-server 90.207.238.97 8.8.8.8
    !
    !
    no ip domain lookup
    ip domain name home
    ip name-server 90.207.238.97
    ip name-server 8.8.8.8
    multilink bundle-name authenticated
    !
    crypto pki token default removal timeout 0
    !
    !
    license udi pid CISCO1921/K9 sn FCZ163591RB
    license boot module c1900 technology-package datak9
    !
    !
    !
    redundancy
    !
    !
    controller VDSL 0/0/0
    !
    ip ssh version 2
    !
    !
    !
    !
    !
    interface Embedded-Service-Engine0/0
    no ip address
    shutdown
    !
    interface GigabitEthernet0/0
    no ip address
    duplex auto
    speed auto
    !
    interface GigabitEthernet0/1
    ip address 192.168.1.254 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    ip tcp adjust-mss 1350
    duplex auto
    speed auto
    !
    interface ATM0/0/0
    no ip address
    shutdown
    no atm ilmi-keepalive
    !
    interface Ethernet0/0/0
    mac-address ####.####.####
    no ip address
    !
    interface Ethernet0/0/0.101
    encapsulation dot1Q 101
    ip dhcp client request classless-static-route
    ip dhcp client client-id hex ##################
    ip dhcp client hostname ##################
    ip address dhcp
    no ip redirects
    no ip proxy-arp
    ip flow ingress
    ip flow egress
    ip nat outside
    no ip virtual-reassembly in
    !
    interface Dialer1
    no ip address
    shutdown
    !
    ip forward-protocol nd
    !
    no ip http server
    no ip http secure-server
    !
    ip nat inside source list INTERNET_ACCESS interface Ethernet0/0/0.101 overload
    ip route 0.0.0.0 0.0.0.0 Ethernet0/0/0.101
    ip route 192.168.1.0 255.255.255.0 GigabitEthernet0/1
    !
    access-list 1 remark INTERNET-ACCESS
    access-list 1 permit 192.168.1.0 0.0.0.255
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny ip 255.0.0.0 0.255.255.255 any
    access-list 101 deny ip 224.0.0.0 7.255.255.255 any
    access-list 101 deny ip host 0.0.0.0 any
    access-list 101 deny ip host 255.255.255.255 any
    access-list 101 deny udp any any range 33400 34400
    access-list 101 permit icmp any any net-unreachable
    access-list 101 permit icmp any any host-unreachable
    access-list 101 permit icmp any any port-unreachable
    access-list 101 permit icmp any any packet-too-big
    access-list 101 permit icmp any any administratively-prohibited
    access-list 101 permit icmp any any source-quench
    access-list 101 permit tcp any any established
    access-list 101 permit udp any any
    control-plane
    !
    !
    !
    line con 0
    line aux 0
    line 2
    no activation-character
    no exec
    transport preferred none
    transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
    stopbits 1
    line vty 0 4
    login
    transport input all
    !
    scheduler allocate 20000 1000
    end

    Like

    1. Hello,

      Which version of IOS and modem firmware do you have? I have tested a few versions and had issues with some of them. You can find them out with “show version” and “show controller vddl 0”

      Cheers.

      Like

  9. I tried the guide out. For some reason I can’t get my router to work The vdsl connection worked as a get a solid light under cd and can see information about the line sppeed and connection. The problem is that the router can’t get an IP from the ISP. The login details I retrived from wireshark worked on a different router. I can’t work out why my cisco router can’t IP address. Please could you try helping me? Below is my config:

    Using 3202 out of 262136 bytes
    !
    ! Last configuration change at 20:00:19 UTC Tue Aug 18 2015 by richard21
    !
    version 15.5
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname richard1
    !
    boot-start-marker
    boot-end-marker
    !
    !

    !
    aaa new-model
    !
    !
    aaa authentication login default local
    !
    !
    !
    !
    !
    aaa session-id common
    ethernet lmi ce
    bsd-client server url https://cloudsso.cisco.com/as/token.oauth2
    service-module wlan-ap 0 bootimage autonomous
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !

    !
    ip dhcp excluded-address 192.168.1.1 192.168.1.4
    !
    ip dhcp pool NET.POOL
    network 192.168.1.0 255.255.255.0
    default-router 192.168.1.1
    dns-server 8.8.8.8 8.8.4.4
    !
    !
    !
    ip domain name richardrouter
    ip cef
    no ipv6 cef
    !
    !
    !
    !
    !
    multilink bundle-name authenticated
    !
    !
    !
    !
    !
    !
    !
    cts logging verbose

    !
    !

    !
    !
    !
    !
    !
    controller VDSL 0
    !
    ip ssh version 2
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    interface ATM0
    no ip address
    shutdown
    no atm ilmi-keepalive
    !
    interface Ethernet0
    mac-address
    no ip address
    !
    interface Ethernet0.101
    encapsulation dot1Q 101
    ip dhcp client request classless-static-route
    ip dhcp client client-id hex <I used the user name and password in hex? 4B6B724851357A335758
    ip dhcp client hostname user@skydsl|pass
    ip address dhcp
    no ip redirects
    no ip proxy-arp
    ip flow ingress
    ip flow egress
    ip nat outside
    no ip virtual-reassembly in
    !
    interface FastEthernet0
    no ip address
    shutdown
    !
    interface FastEthernet1
    no ip address
    speed 100
    no cdp enable
    spanning-tree portfast
    !
    interface FastEthernet2
    no ip address
    shutdown
    !
    interface FastEthernet3
    no ip address
    shutdown
    !
    interface Wlan-GigabitEthernet0
    switchport mode trunk
    no ip address
    !
    interface wlan-ap0
    ip unnumbered Vlan1
    !
    interface Vlan1
    ip address 192.168.1.1 255.255.255.0
    ip flow ingress
    ip flow egress
    ip nat inside
    ip virtual-reassembly in
    ip tcp adjust-mss 1412
    no autostate
    !
    interface Vlan4
    no ip address
    ip tcp adjust-mss 1412
    !
    ip forward-protocol nd
    ip http server
    no ip http secure-server
    !
    !
    ip nat inside source list 1 interface Dialer1 overload
    ip nat inside source list NATACL interface Ethernet0.101 overload
    ip nat inside source list nat-list interface Dialer2 overload
    ip route 192.168.1.0 255.255.255.0 Vlan1
    !
    ip access-list standard NATACL
    permit 192.168.1.0 0.0.0.255
    !
    dialer-list 1 protocol ip permit
    !
    snmp-server community public RO
    access-list 1 permit 192.168.1.0 0.0.0.255
    !
    !
    !
    control-plane
    !
    !
    !
    mgcp behavior rsip-range tgcp-only
    mgcp behavior comedia-role none
    mgcp behavior comedia-check-media-src disable
    mgcp behavior comedia-sdp-force disable
    !
    mgcp profile default
    !
    !
    !
    !
    !
    !
    !
    line con 0
    no modem enable
    line aux 0
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    stopbits 1
    line vty 0 4
    privilege level 15
    password
    transport input ssh
    !
    scheduler allocate 20000 1000
    !
    end

    This is how e0.101 appears after a complete boot:

    Ethernet0.101 is up, line protocol is up
    Hardware is VDSL_ETHERNET, address is <removed?
    Internet address will be negotiated using DHCP
    MTU 1500 bytes, BW 5998 Kbit/sec, DLY 1600 usec,
    reliability 255/255, txload 1/255, rxload 1/255
    Encapsulation 802.1Q Virtual LAN, Vlan ID 101.
    ARP type: ARPA, ARP Timeout 04:00:00
    Keepalive set (10 sec)
    Last clearing of "show interface" counters never

    I'm running ios c800-universalk9-mz.SPA.155-2.T. Maybe I'm doing something wong.

    Like

    1. Hi,

      Did you try the online username/password generator I linked to? I know some people have had varying results from the wireshark method.

      Cheers.

      Like

  10. Hi there

    Bit late to the party here but I utilised your excellent pfsense tutorial and have been using that method for over a year and its worked great but now I want to get rid of the openreach modem as well.

    I have a 887V-K9 (IOS 15.1) which has successfully brought up the VDSL connection, the issue I am having is the same as the poster above – DHCP, the router cannot assign an ip from the DHCP server.

    I used the exact same details I used for the pfsense box for the following:

    client-id –> This is the Hostname in hex (directly copied from the string in pfsense, so this would therefore contain all of the hex chars up to the first “@” symbol but not including the @)

    client hostname –> This I just again copied the string I used on my pfsense box, so everything AFTER the @ sign and all in ascii, not hex with the “pipe” symbol included, is this correct?

    I looked at the above posters config and he has the entire string hostname@user|pass in the “ip dhcp client hostname” entry but you do not. I’m assuming his is wrong?

    Anyway, any ideas? I would have thought the values from my pfsense WAN port config would carry over and work fine with no additional conversion needed. Am I wrong?

    Cheers

    Like

    1. Hey,

      It’s been a while since I used the 887VA to obtain a DHCP address from Sky and handle routing. As I remember, the hostname should be | and the client ID should be the hex equivalent of |, or at least that’s what I was using.

      I can give it a go tomorrow and let you know how I did it. I current only use the 887VA to bridge between the VDSL and an Apple Airport Extreme so the 887 doesn’t actually get an IP from Sky at the minute. I posted something about that setup too
      here.

      Let me know if you manage to get this working.

      Like

  11. Hello Dan, Many thanks for your tutorial. Is this the only way Sky will work with a Cisco router. My cisco 867 was working fine with ADSL until the switchover to fibre. I thought we still need to use the same settings as for the adsl, but just shut down the atm0 interface?

    regards

    Like

    1. I can’t really comment on Sky’s ADSL offering as I have never used it. I no longer use their VDSL product either. The last time I did though I had to mimic the MAC and hostname if the supplied Sky router. The username and password might be harder to obtain now that the Sky router has a built in VDSL modem.

      Sorry I couldn’t be more help.

      Like

      1. Well, that barrier has been overcome. I have the username et al which I was using for a long long time. the SKY box is still the same.

        Like

    1. I did this with a Sky SR102 router a few years ago. You need to plug one of the LAN ports of the SR102 into the openreach fibre modem and then the interface of the Sky router shows the WAN MAC. I don’t know how this would work on newer Sky routers to be honest as I’ve now switched to EE.

      Like

  12. Hi Dan, thanks for your guide. I used it successfully to get connectivity with my 867VAE. Not really being a Cisco person the thing I would like assistance with is securing my WAN connection. Obviously I want outbound connectivity but I want to block any attempts to connect to the router from outside but not stop the connection from establishing. Is there a simple guide to do this using named ACL.

    Like

    1. Sorry Cliff,

      I don’t check my comments frequently enough, apparently. I hope you got this sorted.

      This is a pretty tricky question to answer with a generic answer. As far as I remeber, ACL’s are checked before nat outside-inside translation so an ACL to block all traffic will block the legitimate client traffic too. It’s pretty rare I deal with NAT in IOS to be honest.

      I would recommend you follow this post on basic router security: https://community.cisco.com/t5/security-documents/basic-router-security/ta-p/3149516. It’s a pretty good starter for ten.

      Dan

      Like

      1. Hi Dan, funny I was only taking a look here myself again recently! I went back to using the Sky router for a while as I wasn’t using the home lab so didn’t need the segregated LAN config. Well I started a new job and I needed to get the home lab running again. Rather than use the Cisco again I got a Draytek Vigor 2862. Turn out that isn’t currently compatible with the Sky IP v6 implementation. Draytek support asked for traces the other week which I provided, so fingers crossed they get it sorted. Thanks again Cliff

        Like

      2. I am also trying to get ipv6 working on the WAN side, and I am certain that it should be a dead easy config.

        No luck yet, as there is obviously no direct translation of ipv4 to ipv6 commands.

        Like

      3. I don’t know how Sky handle their v6 address allocation. If they use prefix delegation you could try something like:

        ipv6 unicast-routing
        !
        Interface Ethernet0.101
        ipv6 address dhcp rapid-commit
        ipv6 dhcp client pd V6-FROM-SKY
        ipv6 address V6-FROM-SKY ::1:0:0:0:1/64
        ipv6 enable
        !
        interface vlan200
        ipv6 address V6-FROM-SKY ::2:0:0:0:1/64
        ipv6 nd other-config-flag
        ipv6 nd router-preference High
        ipv6 dhcp server IPV6DHCP
        ipv6 virtual-reassembly in
        ipv6 enable
        !
        ipv6 dhcp pool IPV6DHCP
        dns-server 2001:4860:4860::8888
        dns-server 2001:4860:4860::8844

        I don’t have a clue if that will work and I can’t test since I’m not with Sky. I’d look into some filtering or firewall rules before you implement this as well. Let me know if you get anywhere.

        Like

    2. If you block inbound ping to WAN interface, connection may not establish in first place. Atleast for me!

      I use zone based inbuilt firewall for free!:

      class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
      description Allowed_Protocol_From_INSIDE_to_OUTSIDE
      match protocol https
      match protocol dns
      match protocol udp
      match protocol tcp
      match protocol pop3
      match protocol smtp
      match protocol icmp
      match access-group name INSIDE-TO-OUTSIDE
      class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
      match access-group name OUTSIDE-TO-INSIDE
      !
      policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
      class type inspect INSIDE-TO-OUTSIDE-CLASS
      inspect
      class class-default
      drop
      policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
      class type inspect OUTSIDE-TO-INSIDE-CLASS
      pass
      class class-default
      drop log
      !
      zone security INSIDE
      zone security OUTSIDE

      zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
      service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
      zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
      service-policy type inspect OUTSIDE-TO-INSIDE-POLICY

      !
      interface Ethernet0.101
      description * SSBB vlan*
      encapsulation dot1Q 101
      ip dhcp client request classless-static-route
      ip dhcp client client-id hex jhhhjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj
      ip dhcp client hostname duck
      ip address dhcp
      no ip redirects
      no ip proxy-arp
      ip nat outside
      ip virtual-reassembly in
      zone-member security OUTSIDE
      no cdp enable
      !

      interface Vlan200
      ip address 192.168.111.1 255.255.255.0
      no ip proxy-arp
      ip nat inside
      ip virtual-reassembly in
      zone-member security INSIDE

      ip access-list extended INSIDE-TO-OUTSIDE
      permit tcp 192.168.1.0 0.0.0.255 any eq www
      permit tcp 192.168.1.0 0.0.0.255 any eq pop3
      permit icmp 192.168.1.0 0.0.0.255 any
      ip access-list extended OUTSIDE-TO-INSIDE
      permit icmp any 192.168.1.0 0.0.0.255

      Liked by 1 person

  13. Dear All,

    1: Any ideas on how to use this router 887/867VAE in pure bridge mode, so that the Cisco modem is totally transparent. The purpose is to use a firewall after the Cisco modem, else there would be double NATTING problem.

    2: Is the configuration for getting the public address as an ipv6 address different?
    Please share the config or thoughts.

    thanks

    Like

      1. Cheers Dan

        SKY is ipv6 only since late 2016 for the customers using their own modems. I was just trying to keep up with times and move to ipv6 myself if I can..

        Like

  14. Hello Dan

    I am pretty new in Networking, so please go easy with me? I have an old Cisco 867VAE K 9 router, and want to implement this with my Sonicwall Firewall to the LAN. I do not want the problem of double-natting, so please advice on following:

    1: Ensuring that the Cisco 867 works invisible, in essence like a modem. How do I do that?

    2: How would I connect the firewall to the Cisco 867?

    Ta

    Mel

    Like

    1. Hi Mel.

      Assuming the 867 is similar to the 887, I wrote a post about bridging between the sky fibre connection and an Ethernet port, which is where you would connect your firewall to the router. This setup essentially makes the router transparent to the firewall. Just search for Sky Fibre on this site and you should find the post.

      Cheers,

      Dan

      Like

      1. Hello Dan

        Thank you

        Would the WAN interface of my firewall also need to have .101 vlan set? Or do I just leave everything on dynamic?

        I can see following options for ip add:

        DHCP
        PPoE
        PPTP
        Static
        L2TP

        Forgive me, as I am a newbie

        Like

      2. No, you shouldn’t need a vlan tag on your firewall.

        It used to be DHCP. You can check out the post I wrote on using pfSense with Sky, which details how I had it working with the Cisco 887 configured to bridge and a firewall to do everything else.

        Honestly though, that was five years ago, and it’s been three years since I’ve used Sky broadband so something might have changed.

        Good luck.

        Like

  15. Thanks Dan,

    question here?:

    “ipv6 dhcp client pd V6-FROM-SKY”

    The pd V6 from SKY part, is this an actual config or a fairly accurate recommendation?

    2: I have forgotten by now, why I wanted ipv6 on WAN side in first place since my home network is still all ipv4. Any point then?

    best

    Himanshu

    Like

    1. I’m going from memory Himanshu. It might not even be supported on the 887, I haven’t checked. Pd is for prefix delegation, which is Sky delegating a v6 Network to your router to give out to clients on its inside interface.

      There’s no reason not to run v6 alongside v4 if you can get it working. V6 does away with NAT which is cool. You will need to maintain v6 and v4 firewall rules though.

      Dan

      Like

  16. Trying to configure 867VAE in Bridge mode.

    Hmmm

    doesnt make sense!

    VDSL COntroller down? Tried both vdsl and auto mode

    HS-ROUTER#sh controllers vdsl 0
    Controller VDSL 0 is ADMINDOWN

    Daemon Status: NA

    XTU-R (DS) XTU-C (US)
    Chip Vendor ID: ‘BDCM’ ‘ ‘
    Chip Vendor Specific: 0x0000 0x0000
    Chip Vendor Country: 0xB500 0x0000
    Modem Vendor ID: ‘CSCO’ ‘ ‘
    Modem Vendor Specific: 0x4602 0x0000
    Modem Vendor Country: 0xB500 0x0000
    Serial Number Near: dwjdjwdjwjd
    Serial Number Far:
    Modem Version Near: 15.5(1)
    Modem Version Far:

    Modem Status: Idle

    DSL Config Mode: AUTO
    Trained Mode:

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.