I recently decided to look for a replacement for the crappy white OpenReach modem that was installed as part of my Sky Fibre Unlimited Pro FTTC connection. The problem was that I didn’t want to fork out for an expensive VDSL2 modem to find I couldn’t get it working with the silly MER authentication used by Sky to try and prevent you from using your own router.
Luckily, a Cisco 887VA became available to test with before I took the plunge and bought one. I started googling and couldn’t find one success case of using this router with Sky’s service. Undeterred, I started to tinker and eventually got it working.
Before you begin you will need your MAC address, user-id and password. I won’t cover how to obtain these in this post as I provided steps (steps 1 to 7) to obtain them in an earlier post.
Once you have your MAC, username and password, you will need to use them to create three bits of information.
MAC: <0000.0000.0000> (remove the :’s and place a . after every four characters)
Hostname: <username>|<password>
Client-ID: <hexadecimal string of Hostname> (A converter is available here.)
I won’t go into any other configuration in this post, just the interface configuration.
First of all you want to disable the ATM interface as it shares a physical interface with the VDSL controller.
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
The VDSL modem should automatically connect to the DSLAM. You can check its progress by using “show controller vdsl 0”.
When the VDSL modem connects it brings interface Ethernet0 up. Eth0 is a virtual port but is used as your outside interface. OpenReach encapsulates traffic for different ISPs in VLANs. In the case of Sky it is VLAN 101, so you need to use a sub-interface of Eth0.
interface Ethernet0
 mac-address <mac>
 no ip address
!
interface Ethernet0.101
 encapsulation dot1Q 101
 ip dhcp client request classless-static-route
 ip dhcp client client-id hex <client-id in hex>
 ip dhcp client hostname <username>|<password>
 ip address dhcp
 no ip redirects
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat outside
 no ip virtual-reassembly in
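The three values described earlier, plus a consistency check for the Ethernet0.101 stanza, as an added example that is not code from the original post; the function names, the sample MAC and the sample credentials are constructed for illustration. The client-id is only a hex encoding of username|password, so a config shared with the hostname masked but the client-id left in still discloses the credentials.

```python
import re

VLAN_ID = "101"  # Sky's VLAN on the OpenReach handoff, as stated in the post


def cisco_mac(mac):
    """Convert aa:bb:cc:dd:ee:ff (or - / . separated) to IOS aabb.ccdd.eeff form."""
    digits = re.sub(r"[:.\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError("MAC must contain exactly 12 hex digits")
    digits = digits.lower()
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


def dhcp_hostname(username, password):
    """Build username|password; whitespace anywhere in either part is rejected."""
    for label, value in (("username", username), ("password", password)):
        if not value or re.search(r"\s", value):
            raise ValueError(f"{label} is empty or contains whitespace")
    return f"{username}|{password}"


def client_id_hex(hostname):
    """Hex-encode the hostname string for 'ip dhcp client client-id hex'."""
    return hostname.encode("ascii").hex().upper()


def check_stanza(stanza):
    """Return a list of problems found in an Ethernet0.101 stanza (empty if none)."""
    problems = []
    vlan = re.search(r"^\s*encapsulation dot1Q (\d+)\s*$", stanza, re.M)
    if not vlan or vlan.group(1) != VLAN_ID:
        problems.append("sub-interface is not tagged with VLAN 101")
    host = re.search(r"^\s*ip dhcp client hostname (.+?)\s*$", stanza, re.M)
    cid = re.search(r"^\s*ip dhcp client client-id hex (\S+)\s*$", stanza, re.M)
    if not host:
        problems.append("no 'ip dhcp client hostname' line")
    elif "|" not in host.group(1):
        problems.append("hostname has no '|' separator")
    elif re.search(r"\s", host.group(1)):
        problems.append("hostname contains whitespace")
    if not cid:
        problems.append("no 'ip dhcp client client-id hex' line")
    else:
        try:
            decoded = bytes.fromhex(cid.group(1)).decode("ascii", "replace")
        except ValueError:
            problems.append("client-id is not valid hex")
        else:
            # The post defines the client-id as the hex form of the hostname.
            if host and decoded != host.group(1):
                problems.append("client-id does not decode to the hostname string")
    return problems


# Constructed sample values; not real credentials.
USERNAME = "0123456789ab@skydsl"
PASSWORD = "examplepw"
HOSTNAME = dhcp_hostname(USERNAME, PASSWORD)

GOOD_STANZA = f"""interface Ethernet0.101
 encapsulation dot1Q 101
 ip dhcp client request classless-static-route
 ip dhcp client client-id hex {client_id_hex(HOSTNAME)}
 ip dhcp client hostname {HOSTNAME}
 ip address dhcp
"""

# Constructed faulty stanza: the client-id was generated from a different string.
BAD_STANZA = GOOD_STANZA.replace(client_id_hex(HOSTNAME),
                                 client_id_hex("Example_Rtr"))

if __name__ == "__main__":
    print("mac-address", cisco_mac("00:1A:2B:3C:4D:5E"))  # constructed MAC
    print(GOOD_STANZA)
    print("good stanza problems:", check_stanza(GOOD_STANZA))
    print("bad stanza problems: ", check_stanza(BAD_STANZA))
```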
That’s it. I’ll post my full config below which includes some basic NAT. It doesn’t include any security though. And no, you don’t need a dialer interface!
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
!
!
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO887VA-K9 sn FCZ1633C05Z
license boot module c880-data level advipservices
!
!
!
!
!
!
controller VDSL 0
!
!
!
!
!
!
!
!
interface Ethernet0
 mac-address <mac>
 no ip address
!
interface Ethernet0.101
 encapsulation dot1Q 101
 ip dhcp client request classless-static-route
 ip dhcp client client-id hex <client-id>
 ip dhcp client hostname <username>|<password>
 ip address dhcp
 no ip redirects
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat outside
 no ip virtual-reassembly in
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface FastEthernet0
 switchport access vlan 1
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list NATACL interface Ethernet0.101 overload
!
ip access-list standard NATACL
 permit 192.168.1.0 0.0.0.255
!
logging esm config
access-list 1 permit 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
!
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 login
 transport input all
!
end
I can’t get this to work. Please see a debug from VDSL below:
Router#
Apr 4 19:01:44.603: ipc VDSL 0: vdsl_mbx_interrupt_handler, Interrupt: KEEP_ALIVE
Apr 4 19:01:54.603: ipc VDSL 0: vdsl_mbx_interrupt_handler, Interrupt: KEEP_ALIVE
Apr 4 19:01:59.335: mbx VDSL 0: vdsl_msg_rcv_isr, Desc@ 5FA : hdr= E004, total len= 28, msg len= 28, @618
Apr 4 19:01:59.335: mbx VDSL 0: vdsl_msg_rcv_isr, Notification msg type 4, len= 28
Apr 4 19:01:59.335: mbx VDSL 0: vdsl_process_msg_rcv, First message (1) : addr= 0x618, dest= 0x0xEE1AF00, len= 28 00x 04x 11x 02x 00x 00x 00x 00x 00x 00x 00x 00x 00x 00x 00x 00x 42x
Apr 4 19:01:59.335: 4294967242x 55x 16x 127x 4294967272x 4294967212x 4294967288x 00x 00x 00x 00x
Apr 4 19:01:59.335: mbx VDSL 0: vdsl_process_msg_rcv, Last message (2) : addr= 0x618, dest= 0xEE1AF1C, len= 28
Apr 4 19:01:59.335: mbx VDSL 0: vdsl_msg_rcv_complete, call msg 4 rx handler, err= 0, len= 28, 0xEE1AF00
Apr 4 19:02:04.635: ipc VDSL 0: vdsl_mbx_interrupt_handler, Interrupt: KEEP_ALIVE
Apr 4 19:02:14.635: ipc VDSL 0: vdsl_mbx_interrupt_handler, Interrupt: KEEP_ALIVE
Apr 4 19:02:24.635: ipc VDSL 0: vdsl_mbx_interrupt_handler, Interrupt: KEEP_ALIVE
Apr 4 19:02:29.375: mbx VDSL 0: vdsl_msg_rcv_isr, Desc@ 604 : hdr= E004, total len= 28, msg len= 28, @618
Apr 4 19:02:29.375: mbx VDSL 0: vdsl_msg_rcv_isr, Notification msg type 4, len= 28
Apr 4 19:02:29.375: mbx VDSL 0: vdsl_process_msg_rcv, First message (1) : addr= 0x618, dest= 0x0xEE1AF00, len= 28 00x 04x 11x 02x 00x 00x 00x 00x 00x 00x 00x 00x 00x 00x 00x 00x 42x
Apr 4 19:02:29.375: 4294967242x 55x 16x 127x 4294967272x 4294967212x 4294967288x 00x 00x 00x 00x
Apr 4 19:02:29.375: mbx VDSL 0: vdsl_process_msg_rcv, Last message (2) : addr= 0x618, dest= 0xEE1AF1C, len= 28
Apr 4 19:02:29.375: mbx VDSL 0: vdsl_msg_rcv_complete, call msg 4 rx handler, err= 0, len= 28, 0xEE1AF00
Apr 4 19:02:34.663: ipc VDSL 0: vdsl_mbx_interrupt_handler, Interrupt: KEEP_ALIVE
Apr 4 19:02:44.663: ipc VDSL 0: vdsl_mbx_interrupt_handler, Interrupt: KEEP_ALIVE
Apr 4 19:02:54.663: ipc VDSL 0: vdsl_mbx_interrupt_handler, Interrupt: KEEP_ALIVE
Apr 4 19:02:59.415: mbx VDSL 0: vdsl_msg_rcv_isr, Desc@ 60E : hdr= E004, total len= 28, msg len= 28, @618
Apr 4 19:02:59.415: mbx VDSL 0: vdsl_msg_rcv_isr, Notification msg type 4, len= 28
Apr 4 19:02:59.415: mbx VDSL 0: vdsl_process_msg_rcv, First message (1) : addr= 0x618, dest= 0x0xEE1AF00, len= 28 00x 04x 11x 02x 00x 00x 00x 00x 00x 00x 00x 00x 00x 00x 00x 00x 42x
Apr 4 19:02:59.415: 4294967242x 55x 16x 127x 4294967272x 4294967212x 4294967288x 00x 00x 00x 00x
Apr 4 19:02:59.415: mbx VDSL 0: vdsl_process_msg_rcv, Last message (2) : addr= 0x618, dest= 0xEE1AF1C, len= 28
Apr 4 19:02:59.415: mbx VDSL 0: vdsl_msg_rcv_complete, call msg 4 rx handler, err= 0, len= 28, 0xEE1AF00
Apr 4 19:03:04.695: ipc VDSL 0: vdsl_mbx_interrupt_handler, Interrupt: KEEP_ALIVE
Apr 4 19:03:14.691: ipc VDSL 0: vdsl_mbx_interrupt_handler, Interrupt: KEEP_ALIVE
Apr 4 19:03:24.691: ipc VDSL 0: vdsl_mbx_interrupt_handler, Interrupt: KEEP_ALIVE
Any help would be appreciated.
LikeLike
Can you post the output of “show controller vdsl 0” please?
LikeLike
Hi,
I have followed your guide to the letter, extracted the Sky username and password using wireshark and cannot get internet access from the 887.
I originally had the 887 running as an adsl modem, but the client had the line upgraded to fibre over copper.
Below is my config with relevant bits removed!
Would appreciate some guidance please!!!
controller VDSL 0
!
!
!
!
!
!
!
!
!
!
interface Ethernet0
mac-address xxxx.xxxx.d116
no ip address
ip tcp adjust-mss 1452
!
interface Ethernet0.101
encapsulation dot1Q 101
ip dhcp client request classless-static-route
ip dhcp client client-id hex 53616D70736F6E5F527472
ip dhcp client hostname xxxxxxxxxx@skydsl|c56c3e46
ip address dhcp
no ip redirects
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat outside
no ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface ATM0
description SKYBB-ADSL-LLU
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
shutdown
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
description Link_to_24Port
switchport mode trunk
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
description Client_VLan
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan5
ip address 192.168.15.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan15
no ip address
!
interface Dialer1
description OUTSIDE$FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname xxxxxxxxxxx@skydsl
ppp chap password 0 xxxxxxxxx
no cdp enable
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source list NATACL interface Ethernet0.101 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list standard NATACL
permit 192.168.0.0 0.0.255.255
!
dialer-list 1 protocol ip permit
LikeLike
Are you getting a solid “CD” light on the router?
I’d probably start by deleting the ATM0.1 interface and Dialer1. I’m not sure how the controller in this router will react to having the dialer on there even though the ATM interfaces are shutdown.
LikeLike
I have got one of these from an old shop we have taken over. I would love to replace my Sky ADSL SR102 with this, it looks great. It is an 887VAGW+7-E-K9 but I haven’t got a clue on programming it. If anyone has a step by step guide I’d really appreciate it. I have got my user name and password off Sky.
LikeLike
I have an issue with my router not syncing, not sure what’s the issue. The router works fine on my girlfriend’s ADSL connection (well syncs anyway). I’ve tried a blank config and it still won’t sync. What firmware version are you using?
LikeLike
Hi,
I’m running Version 15.1(3)T2 with controller firmware version 140729_1209-4.02L.03.A2pv6C039m.d24h.
I did have a few issues with sync when I tried to upgrade IOS to a newer version. I’m waiting to get my hands on a second 887va to test with before upgrading my main one.
Let me know if you need a copy of the firmware I’m running.
Dan
LikeLike
Hi Dan, Thanks for replying. Just downgraded to that IOS and confirmed I was running the same modem firmware, still getting no sync… I’m lost! Ran debug vdsl 0 daemon all and debug vdsl 0 mailbox error:
Jan 25 22:33:33.487: VDSL 0: vdsl line state : fullinit
Jan 25 22:33:40.499: VDSL 0: SM_LINE_DOWN boolean event
Jan 25 22:33:42.507: VDSL 0: vdsl line state : discovery
Jan 25 22:33:42.507: VDSL 0: SM_LINE_TRAIN boolean event
Jan 25 22:33:42.507: vdsl_daemon_sm VDSL 0: during state training, got event 17(line_training)
Jan 25 22:33:42.507: @@@ vdsl_daemon_sm VDSL 0: training -> training
Jan 25 22:33:51.519: VDSL 0: SM_LINE_DOWN boolean event 00x 04x 11x 02x 00x 00x 00x 00x 00x 00x 00x 00x 00x 00x 00x 00x 42x
Jan 25 22:33:58.195: 4294967242x 55x 16x 127x 4294967268x 4294967180x 4294967288x 00x 00x 00x 00x
Jan 25 22:34:24.527: VDSL 0: vdsl line state : discovery
Jan 25 22:34:24.527: VDSL 0: SM_LINE_TRAIN boolean event
Jan 25 22:34:24.527: vdsl_daemon_sm VDSL 0: during state training, got event 17(line_training)
Jan 25 22:34:24.527: @@@ vdsl_daemon_sm VDSL 0: training -> training 00x 04x 11x 02x 00x 00x 00x 00x 00x 00x 00x 00x 00x 00x 00x 00x 42x
Jan 25 22:34:28.195: 4294967242x 55x 16x 127x 4294967268x 4294967180x 4294967288x 00x 00x 00x 00x
Jan 25 22:34:35.535: VDSL 0: vdsl line state : fullinit
Jan 25 22:34:43.547: VDSL 0: SM_LINE_DOWN boolean event
Jan 25 22:34:44.555: VDSL 0: vdsl line state : discovery
Jan 25 22:34:44.555: VDSL 0: SM_LINE_TRAIN boolean event
Jan 25 22:34:44.555: vdsl_daemon_sm VDSL 0: during state training, got event 17(line_training)
Jan 25 22:34:44.555: @@@ vdsl_daemon_sm VDSL 0: training -> training
Ignore the firmware version here, I forgot to take a grab of the one you mentioned:
Router#sh controllers vdSL 0
Controller VDSL 0 is DOWN
Daemon Status: Establishing Link
XTU-R (DS) XTU-C (US)
Chip Vendor ID: ‘BDCM’ ‘BDCM’
Chip Vendor Specific: 0x0000 0xA41B
Chip Vendor Country: 0xB500 0xB500
Modem Vendor ID: ‘CSCO’ ‘ ‘
Modem Vendor Specific: 0x4602 0x0000
Modem Vendor Country: 0xB500 0x0000
Serial Number Near: FCZ16069492 887VA-K9 15.1(3)T
Serial Number Far:
Modem Version Near: 15.1(3)T
Modem Version Far: 0xa41b
Modem Status: Unknown
DSL Config Mode: AUTO
Trained Mode:
TC Mode: UNKNOWN
Selftest Result: 0x00
DELT configuration: disabled
DELT state: not running
Trellis: OFF OFF
Full inits: 0
Failed full inits: 13
Short inits: 0
Failed short inits: 1
Firmware Source File Name (version)
——– —— ——————-
VDSL user config flash:vdsl.bin (10)
Modem FW Version: 110802_1752-4.02L.03.A2pv6C035d.d23j
Modem PHY Version: A2pv6C035d.d23j
Training Log : Stopped
Training Log Filename : flash:vdsllog.bin
LikeLike
Have you shut the ATM interface down? If it is getting a sync on an ADSL line but not VDSL line then I would assume the ADSL modem is taking priority over the VDSL controller. I believe the 887VA has an onboard ADSL modem and the VDSL controller is a daughterboard, but they share the same physical port.
LikeLike
The ATM interface was shutdown, it was very odd. I plugged a Draytek VDSL router into my connection earlier to test it and that came up fine, then plugged in the 887 and it worked first time (don’t remember changing anything…). Updated the IOS to Version 15.2(4)M7 (latest I can go to with my DRAM) and all is working fine…very strange!
Thanks for your help on this, your config was also very handy!
LikeLike
Hi, mind giving me a hand? Struggling to get mine to connect.
version 15.1
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname internet_router
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 ###########
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.30
!
ip dhcp pool home
network 192.168.1.0 255.255.255.0
default-router 192.168.1.254
dns-server 90.207.238.97 8.8.8.8
!
!
no ip domain lookup
ip domain name home
ip name-server 90.207.238.97
ip name-server 8.8.8.8
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO1921/K9 sn FCZ163591RB
license boot module c1900 technology-package datak9
!
!
!
redundancy
!
!
controller VDSL 0/0/0
!
ip ssh version 2
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1350
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
shutdown
no atm ilmi-keepalive
!
interface Ethernet0/0/0
mac-address ####.####.####
no ip address
!
interface Ethernet0/0/0.101
encapsulation dot1Q 101
ip dhcp client request classless-static-route
ip dhcp client client-id hex ##################
ip dhcp client hostname ##################
ip address dhcp
no ip redirects
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat outside
no ip virtual-reassembly in
!
interface Dialer1
no ip address
shutdown
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list INTERNET_ACCESS interface Ethernet0/0/0.101 overload
ip route 0.0.0.0 0.0.0.0 Ethernet0/0/0.101
ip route 192.168.1.0 255.255.255.0 GigabitEthernet0/1
!
access-list 1 remark INTERNET-ACCESS
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 255.0.0.0 0.255.255.255 any
access-list 101 deny ip 224.0.0.0 7.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny udp any any range 33400 34400
access-list 101 permit icmp any any net-unreachable
access-list 101 permit icmp any any host-unreachable
access-list 101 permit icmp any any port-unreachable
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any source-quench
access-list 101 permit tcp any any established
access-list 101 permit udp any any
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
end
LikeLike
Hello,
Which version of IOS and modem firmware do you have? I have tested a few versions and had issues with some of them. You can find them out with “show version” and “show controller vdsl 0”.
Cheers.
LikeLike
I tried the guide out. For some reason I can’t get my router to work. The VDSL connection worked as I get a solid light under CD and can see information about the line speed and connection. The problem is that the router can’t get an IP from the ISP. The login details I retrieved from Wireshark worked on a different router. I can’t work out why my Cisco router can’t get an IP address. Please could you try helping me? Below is my config:
Using 3202 out of 262136 bytes
!
! Last configuration change at 20:00:19 UTC Tue Aug 18 2015 by richard21
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname richard1
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authentication login default local
!
!
!
!
!
aaa session-id common
ethernet lmi ce
bsd-client server url https://cloudsso.cisco.com/as/token.oauth2
service-module wlan-ap 0 bootimage autonomous
!
!
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.4
!
ip dhcp pool NET.POOL
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8 8.8.4.4
!
!
!
ip domain name richardrouter
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
cts logging verbose
!
!
!
!
!
!
!
controller VDSL 0
!
ip ssh version 2
!
!
!
!
!
!
!
!
!
!
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface Ethernet0
mac-address
no ip address
!
interface Ethernet0.101
encapsulation dot1Q 101
ip dhcp client request classless-static-route
ip dhcp client client-id hex <I used the user name and password in hex? 4B6B724851357A335758
ip dhcp client hostname user@skydsl|pass
ip address dhcp
no ip redirects
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat outside
no ip virtual-reassembly in
!
interface FastEthernet0
no ip address
shutdown
!
interface FastEthernet1
no ip address
speed 100
no cdp enable
spanning-tree portfast
!
interface FastEthernet2
no ip address
shutdown
!
interface FastEthernet3
no ip address
shutdown
!
interface Wlan-GigabitEthernet0
switchport mode trunk
no ip address
!
interface wlan-ap0
ip unnumbered Vlan1
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1412
no autostate
!
interface Vlan4
no ip address
ip tcp adjust-mss 1412
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source list NATACL interface Ethernet0.101 overload
ip nat inside source list nat-list interface Dialer2 overload
ip route 192.168.1.0 255.255.255.0 Vlan1
!
ip access-list standard NATACL
permit 192.168.1.0 0.0.0.255
!
dialer-list 1 protocol ip permit
!
snmp-server community public RO
access-list 1 permit 192.168.1.0 0.0.0.255
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
line con 0
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line vty 0 4
privilege level 15
password
transport input ssh
!
scheduler allocate 20000 1000
!
end
This is how e0.101 appears after a complete boot:
Ethernet0.101 is up, line protocol is up
Hardware is VDSL_ETHERNET, address is <removed?
Internet address will be negotiated using DHCP
MTU 1500 bytes, BW 5998 Kbit/sec, DLY 1600 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation 802.1Q Virtual LAN, Vlan ID 101.
ARP type: ARPA, ARP Timeout 04:00:00
Keepalive set (10 sec)
Last clearing of "show interface" counters never
I'm running ios c800-universalk9-mz.SPA.155-2.T. Maybe I'm doing something wrong.
LikeLike
Hi,
Did you try the online username/password generator I linked to? I know some people have had varying results from the wireshark method.
Cheers.
LikeLike
Hi there
Bit late to the party here but I utilised your excellent pfsense tutorial and have been using that method for over a year and its worked great but now I want to get rid of the openreach modem as well.
I have a 887V-K9 (IOS 15.1) which has successfully brought up the VDSL connection, the issue I am having is the same as the poster above – DHCP, the router cannot assign an ip from the DHCP server.
I used the exact same details I used for the pfsense box for the following:
client-id –> This is the Hostname in hex (directly copied from the string in pfsense, so this would therefore contain all of the hex chars up to the first “@” symbol but not including the @)
client hostname –> This I just again copied the string I used on my pfsense box, so everything AFTER the @ sign and all in ascii, not hex with the “pipe” symbol included, is this correct?
I looked at the above posters config and he has the entire string hostname@user|pass in the “ip dhcp client hostname” entry but you do not. I’m assuming his is wrong?
Anyway, any ideas? I would have thought the values from my pfsense WAN port config would carry over and work fine with no additional conversion needed. Am I wrong?
Cheers
LikeLike
Hey,
It’s been a while since I used the 887VA to obtain a DHCP address from Sky and handle routing. As I remember, the hostname should be | and the client ID should be the hex equivalent of |, or at least that’s what I was using.
I can give it a go tomorrow and let you know how I did it. I currently only use the 887VA to bridge between the VDSL and an Apple Airport Extreme so the 887 doesn’t actually get an IP from Sky at the minute. I posted something about that setup too here.
Let me know if you manage to get this working.
LikeLike
Hello Dan, Many thanks for your tutorial. Is this the only way Sky will work with a Cisco router? My Cisco 867 was working fine with ADSL until the switchover to fibre. I thought we still need to use the same settings as for the ADSL, but just shut down the atm0 interface?
regards
LikeLike
I can’t really comment on Sky’s ADSL offering as I have never used it. I no longer use their VDSL product either. The last time I did though I had to mimic the MAC and hostname of the supplied Sky router. The username and password might be harder to obtain now that the Sky router has a built in VDSL modem.
Sorry I couldn’t be more help.
LikeLike
Well, that barrier has been overcome. I have the username et al which I was using for a long long time. The SKY box is still the same.
LikeLike
The MAC?: Are you using the MAC of the LAN port or the DSL port of the original Sky router? thanks
LikeLike
I did this with a Sky SR102 router a few years ago. You need to plug one of the LAN ports of the SR102 into the openreach fibre modem and then the interface of the Sky router shows the WAN MAC. I don’t know how this would work on newer Sky routers to be honest as I’ve now switched to EE.
LikeLike
Hi Dan, thanks for your guide. I used it successfully to get connectivity with my 867VAE. Not really being a Cisco person the thing I would like assistance with is securing my WAN connection. Obviously I want outbound connectivity but I want to block any attempts to connect to the router from outside but not stop the connection from establishing. Is there a simple guide to do this using named ACL.
LikeLike
Sorry Cliff,
I don’t check my comments frequently enough, apparently. I hope you got this sorted.
This is a pretty tricky question to answer with a generic answer. As far as I remember, ACLs are checked before NAT outside-inside translation so an ACL to block all traffic will block the legitimate client traffic too. It’s pretty rare I deal with NAT in IOS to be honest.
I would recommend you follow this post on basic router security: https://community.cisco.com/t5/security-documents/basic-router-security/ta-p/3149516. It’s a pretty good starter for ten.
Dan
LikeLike
Hi Dan, funny I was only taking a look here myself again recently! I went back to using the Sky router for a while as I wasn’t using the home lab so didn’t need the segregated LAN config. Well I started a new job and I needed to get the home lab running again. Rather than use the Cisco again I got a Draytek Vigor 2862. Turns out that isn’t currently compatible with the Sky IP v6 implementation. Draytek support asked for traces the other week which I provided, so fingers crossed they get it sorted. Thanks again Cliff
LikeLike
I am also trying to get ipv6 working on the WAN side, and I am certain that it should be a dead easy config.
No luck yet, as there is obviously no direct translation of ipv4 to ipv6 commands.
LikeLike
I don’t know how Sky handle their v6 address allocation. If they use prefix delegation you could try something like:
ipv6 unicast-routing
!
Interface Ethernet0.101
ipv6 address dhcp rapid-commit
ipv6 dhcp client pd V6-FROM-SKY
ipv6 address V6-FROM-SKY ::1:0:0:0:1/64
ipv6 enable
!
interface vlan200
ipv6 address V6-FROM-SKY ::2:0:0:0:1/64
ipv6 nd other-config-flag
ipv6 nd router-preference High
ipv6 dhcp server IPV6DHCP
ipv6 virtual-reassembly in
ipv6 enable
!
ipv6 dhcp pool IPV6DHCP
dns-server 2001:4860:4860::8888
dns-server 2001:4860:4860::8844
I don’t have a clue if that will work and I can’t test since I’m not with Sky. I’d look into some filtering or firewall rules before you implement this as well. Let me know if you get anywhere.
LikeLike
If you block inbound ping to WAN interface, connection may not establish in first place. At least for me!
I use zone based inbuilt firewall for free!:
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
description Allowed_Protocol_From_INSIDE_to_OUTSIDE
match protocol https
match protocol dns
match protocol udp
match protocol tcp
match protocol pop3
match protocol smtp
match protocol icmp
match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
match access-group name OUTSIDE-TO-INSIDE
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect INSIDE-TO-OUTSIDE-CLASS
inspect
class class-default
drop
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
class type inspect OUTSIDE-TO-INSIDE-CLASS
pass
class class-default
drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
!
interface Ethernet0.101
description * SSBB vlan*
encapsulation dot1Q 101
ip dhcp client request classless-static-route
ip dhcp client client-id hex jhhhjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj
ip dhcp client hostname duck
ip address dhcp
no ip redirects
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
zone-member security OUTSIDE
no cdp enable
!
interface Vlan200
ip address 192.168.111.1 255.255.255.0
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
ip access-list extended INSIDE-TO-OUTSIDE
permit tcp 192.168.1.0 0.0.0.255 any eq www
permit tcp 192.168.1.0 0.0.0.255 any eq pop3
permit icmp 192.168.1.0 0.0.0.255 any
ip access-list extended OUTSIDE-TO-INSIDE
permit icmp any 192.168.1.0 0.0.0.255
LikeLiked by 1 person
Nice config. Thanks for sharing. Hopefully this will help Cliff if he hasn’t sorted something by now.
LikeLike
Hi Himanshu, many thanks for your input, I’m tempted to dig out the Cisco again and give it a try.
LikeLike
Thank you for this, have my 887va now running well.
LikeLiked by 1 person
Dear All,
1: Any ideas on how to use this router 887/867VAE in pure bridge mode, so that the Cisco modem is totally transparent. The purpose is to use a firewall after the Cisco modem, else there would be double NATTING problem.
2: Is the configuration for getting the public address as an ipv6 address different?
Please share the config or thoughts.
thanks
LikeLike
Hey Himanshu. I actually have a post on bridging at the following link: https://danjmcintyre.com/2014/03/09/cisco-887va-vdsl-ethernet-bridge-on-sky-fibre-unlimited-pro/
I’m not sure on the IPv6 config. I haven’t been a Sky customer for four years now and they didn’t support IPv6 properly back then. I assume it’s a moot point if you are looking to bridge to a firewall though.
LikeLike
Cheers Dan
SKY is ipv6 only since late 2016 for the customers using their own modems. I was just trying to keep up with times and move to ipv6 myself if I can..
LikeLike
Hello Dan
I am pretty new in Networking, so please go easy with me? I have an old Cisco 867VAE K 9 router, and want to implement this with my Sonicwall Firewall to the LAN. I do not want the problem of double-natting, so please advise on following:
1: Ensuring that the Cisco 867 works invisible, in essence like a modem. How do I do that?
2: How would I connect the firewall to the Cisco 867?
Ta
Mel
LikeLike
Hi Mel.
Assuming the 867 is similar to the 887, I wrote a post about bridging between the sky fibre connection and an Ethernet port, which is where you would connect your firewall to the router. This setup essentially makes the router transparent to the firewall. Just search for Sky Fibre on this site and you should find the post.
Cheers,
Dan
LikeLike
Hello Dan
Thank you
Would the WAN interface of my firewall also need to have .101 vlan set? Or do I just leave everything on dynamic?
I can see following options for ip add:
DHCP
PPoE
PPTP
Static
L2TP
Forgive me, as I am a newbie
LikeLike
No, you shouldn’t need a vlan tag on your firewall.
It used to be DHCP. You can check out the post I wrote on using pfSense with Sky, which details how I had it working with the Cisco 887 configured to bridge and a firewall to do everything else.
Honestly though, that was five years ago, and it’s been three years since I’ve used Sky broadband so something might have changed.
Good luck.
LikeLike
Thanks Dan,
question here?:
“ipv6 dhcp client pd V6-FROM-SKY”
The pd V6 from SKY part, is this an actual config or a fairly accurate recommendation?
2: I have forgotten by now, why I wanted ipv6 on WAN side in first place since my home network is still all ipv4. Any point then?
best
Himanshu
LikeLike
I’m going from memory Himanshu. It might not even be supported on the 887, I haven’t checked. Pd is for prefix delegation, which is Sky delegating a v6 Network to your router to give out to clients on its inside interface.
There’s no reason not to run v6 alongside v4 if you can get it working. V6 does away with NAT which is cool. You will need to maintain v6 and v4 firewall rules though.
Dan
LikeLike
Trying to configure 867VAE in Bridge mode.
Hmmm
doesn’t make sense!
VDSL Controller down? Tried both vdsl and auto mode
HS-ROUTER#sh controllers vdsl 0
Controller VDSL 0 is ADMINDOWN
Daemon Status: NA
XTU-R (DS) XTU-C (US)
Chip Vendor ID: ‘BDCM’ ‘ ‘
Chip Vendor Specific: 0x0000 0x0000
Chip Vendor Country: 0xB500 0x0000
Modem Vendor ID: ‘CSCO’ ‘ ‘
Modem Vendor Specific: 0x4602 0x0000
Modem Vendor Country: 0xB500 0x0000
Serial Number Near: dwjdjwdjwjd
Serial Number Far:
Modem Version Near: 15.5(1)
Modem Version Far:
Modem Status: Idle
DSL Config Mode: AUTO
Trained Mode:
LikeLike
Have you tried a no shutdown on controller vdsl 0?
LikeLike
Just posted a parallel reply DAN
LikeLike
Hey Dan,
Found this after a bit of Google searching. Just wanted to say a massive thank you as your config worked a treat and I got it right the very first time.
I had a Cisco 887VA knocking around spare and when I had my Sky ADSL upgraded to FTTC/VDSL the other day I suddenly realised that my Draytek 2830n was no longer going to help.
I applied your config and boom show IP CEF shows me a Sky IP as a next hop! I can now ping out.
You might want to edit the bit where you have to input the user and password or at least emphasise that there are no spaces between the separator and the strings:
user|password
I got it wrong the first time on the converter and on the config by doing this:
user | password (there is a space on either side of the separator). This way is wrong and won’t work.
Thanks again for your hard work here.
LikeLike