I decided to finally go ahead and get some Cisco gear!
To start off nice and easy, I elected to get some devices that would prove useful at home. To that end, I decided to get two Cisco 870 Series Integrated Services Routers. These would allow for me to experiment more with IOS out of college as well as providing some more security related services for Dad. Namely, a site-to-site VPN linking home with the office.
Researching the correct type of router is essential. The Eircom 12meg business broadband package we're on uses the Annex-M specification so after a bit of searching and reading I found the Cisco 877 ISR. It comes in 3 flavours: Annex-M, Wireless and Standard. I went for the Annex-M capable device. Model Number: CISCO877-M-K9
I'll be detailing more of the configuration in future posts but for now I'll deal with some DSL and basic configuration.
ATM Interface:
Nothing mad really here on ATM0. No IP address is configured. I did disable the redirects & unreachables as recommended by various Cisco Support Community forums posts I'd read. Doing so protects the control plane from WAN DOS attacks. Disabling proxy-arp as sometimes it can be used to impersonate another host and intercept traffic.
IP Flow Ingress is a command associated with Cisco's NetFlow. NetFlow seems to primarily concerned with collecting data about IP traffic which can be then sent to a NetFlow server. I'll be staying away from that for the time being, so for now I'll just configure the port as an ingress port.
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
ATM Point-to-Point Subinterface:
We configure a subinterface on ATM0 that acts as the connection point to Eircom's BRAS. It's here that we configure some of our Eircom specific settings. Namely, our PVC values. Since this is a DSL connection we're making we also need to configure some settings for our dialer which we'll be configuring next!
interface ATM0.1 point-to-point
description Link to Eircom DSL
ip flow ingress
pvc 8/35
pppoe-client dial-pool-number 1
Dialer Interface:
Now! Time for the fun stuff! Here we configure a virtual Dialer interface. This will be the interface which will be treated as the external facing WAN interface. You can configure your IP address statically, however for my testing purposes I left it to be negotiated dynamically. Some similar commands here as compared to the ones above. Some new ones too though!
ip inspect <CBAC_Policy_Name> out
This is a command associated with the Context Based Access Control firewall in the IOS Advanced Security image. These operate somewhat similarly to reflexive ACLs but with even more packet analysis (stateful firewall). CBAC allows for dynamic editing of the firewall ACLs so that traffic returning to a host on the network can get back in. In this command we associate a CBAC policy with the traffic flow on a specific interface. In this case, we apply CBAC to the outgoing traffic on Dialer0.
ip nat outside
Since I'm using NAT-Overload (Port Address Translation) I configured the port as an outside interface for my NAT rules.
Last but not least we move onto the PPP settings setting the encapsulation along the way! We then associate the interface with a dialer-group and a dialer-pool of '1'. This finished the dialer config that we set in ATM0.1 above.
Finally we set the PPP Authentication method and settings. Eircom uses CHAP authentication with a generic username/password combo of "eircom" and "broadband1".
interface Dialer0description OUTSIDE_INTERFACEip address negotiatedip access-group DENY_ALL inno ip redirectsno ip unreachablesno ip proxy-arpip flow ingressip inspect <CBAC_Policy_Name> outip nat outsideipip virtual-reassemblyencapsulation pppdialer pool 1dialer-group 1ppp authentication chap callinppp chap hostname eircomppp chap password broadband1
I also applied an access-group of DENY_ALL on incoming traffic to Dialer0. This stops all the bad bad peoplez from getting in!
ip access-list extended DENY_ALL
deny ip any any
NAT-Overload (Port Address Translation):
I may as well continue on to setting the PAT settings. Nothing fancy going on here really. We configure NAT-Overload on Dialer0 with an ACL of 1. I've also gone and configured a static port map. This maps the WAN IP Address on port 22 to an internal IP of your choosing to port 22 on that machine. The extendable command is added due to the fact that I'll have a few static maps going to the same local address. For more info on the extendable parameter, click here. It may be overkill! I could be misinterpreting the documentation. It seems to work though! :-D
Finally I'll stick in a basic ACL configuration. This allows the subnet 192.168.1.0 to PAT off Dialer0.
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp <AN_IP_ADDRESS> 22 Dialer0 22 extendable
!
access-list 1 permit 192.168.1.0 0.0.0.255
Default Route:
I'm probably skipping a bit but I'm guessing people can configure their own VLAN interfaces! We need to dump in a default route so that our traffic goes out to Di0.
Standard default route configuration. Nothing to see here!
ip route 0.0.0.0 0.0.0.0 Dialer0
Miscellaneous Stuff!!
I figured I'd add in some extra stuff I set up that I reckon is essential/handy.
DNS Server:
We can't route traffic to the internetz without some DNS! Configure DNS Server on the router and add in Eircom's DNS primary and secondary DNS servers. You can change these if you like.
ip dns server
ip name-server 213.94.190.194
ip name-server 213.94.190.236
DHCP Server:
DHCP is handy too! Created an example pool called INTERNAL_MACHINES on 192.168.1.0/24. You can push out default router and DNS settings on here too. If you have multiple pools, the router will push out the DHCP settings that suit the IP address on the VLAN you're on. Since the 877 acts more like a L3 switch, you need to configure VLAN interfaces rather than apply IP addresses to the port.
ip dhcp pool INTERNAL_MACHINES
network 192.168.1.0 255.255.255.0
default-router 192.168.1.254
dns-server 192.168.1.254
NTP:
NTP is something I figured I'd need when I start messing with my VPNs. I set it up to preferably sync with Apple's European time servers but you can sync it up with any other NTP or SNTP server of your choosing.
clock timezone GMT 0
ntp source Dialer0
ntp master
ntp server time.euro.apple.com prefer
ntp server europe.pool.ntp.org source Dialer0
Exeunt:
I've left a few bits out! I'm hoping to read a bit more about CBAC and maybe give that a post all of it's own. I'm pretty sure that copying this configuration as it's pasted here now won't get you a properly functional router so you'll have to figure a bit out yourself! The DSL stuff will work as is. You wouldn't be able to use it though! :-D
More to follow! Do point out any mistakes if you see em! This blog post turned out to be WAY longer than expected!