BT Infinity on Cisco Router: Read This First!

BT Infinity – BT’s implementation of Fibre-To-The-Cabinet (FTTC) is great, especially when you compare it to standard broadband. Sadly the same cannot be said for their provided router (the HomeHub) which is useless, and happens to use your bandwidth to provide a publicly accessible hotspot for any pleb to come along and use. This guide will talk you through setting up a Cisco router to take the place of the HomeHub and teach you how to avoid some of the pitfalls that may otherwise blight your installation.

First of all, you need to understand the hardware you have and what you will be replacing it with. BT will supply and install you both a modem which is a small white box that connects to the VDSL outlet of your telephone point, and the HomeHub which is your wireless router; as shown in the photos below.


It is possible to replace both the modem and the router with Cisco hardware by purchasing a Cisco HWIC-1VDSL card. However this presents two problems, first, you run the risk of them not playing nice with BT’s network and breaching BT’s ToS which seem to suggest that you may not replace their modem. Some people have however managed to do this, although the cost is prohibitive; a HWIC-1VDSL I found on eBay (See below) was about £300 for the card alone. Finally the use of this card restricts you to the Cisco x900 series routers which are massively expensive to buy, and even more so if you want the advanced feature sets.

The setup for this discussion is a Cisco 1921 router with 2 onboard Gigabit Ethernet ports and a Cisco 1252 b/g/n Aironet. The physical and topological configurations are shown in the following diagram. The VDSL line from BT’s DSLAM terminates into the DSL port of the modem. An Ethernet cable then runs from the LAN1 port of the modem to the first gigabit Ethernet port of the router. A second cable then runs from the second gigabit Ethernet port on the router to the Ethernet port of the access point.

When this is all wired into place, it should look something like this:



You’ll notice that the whole setup sits on the shelf of a small coffee table just inside the front door of the house where it is situated. The reason for this (rather than it being neatly installed in a cupboard somewhere) is that there is a problem with the Infinity system that BT fail to explain in their advertising. In a traditional ADSL setup, your drop cable from your telecoms provider terminates at the NTE5 box (The master socket) somewhere in your house – usually a living room or hallway, but from here you can then run extension cables to slave points throughout the property. With BT Infinity you can’t do this since the NTE5 faceplate is replaced by a VDSL faceplate which can’t be extended via the building wiring. The alternative, as was the case with the previous Cisco installation job (Link) is to run the connection between the modem and the router via Ethernet. If however you want to keep all your equipment in the same place, then the best thing to do would be to extend the drop cable to your comms rack and terminate it into a NTE5 there so that when BT perform the installation, everything is in place in the rack.

Now that the hardware is in place, the router and wireless access point need to be configured. The first pitfall that you may encounter is if you attempt to establish a connection using a standard Ethernet configuration on your WAN port; in this case your router will simply fail to connect since unlike the Virgin Media modem which handles the authentication, the BT modem does not, you have to do this this via PPPoE. The second pitfall is much trickier to diagnose and resolve. Once you think you have successfully configured everything, you’ll be able to get online… But only to some things – Google will work for instance, as will Skype, but most websites will not. The reason for this is that packets are being returned out of sequence and are being dropped, causing connections to fail. The solution to this problem is careful adjustments of the MTUs on the interfaces.

We’ll begin by configuring the 1921. As always, it is important to remember that this is not a full production-class configuration, rather it is a guide which will give internet connectivity and can be refined further. From the console, enter the terminal configuration mode:

First we want to encrypt the stored passwords which cannot be hashed; also, we’ll enable tcp-keepalives in order to improve the reliability of remote connections; finally we’ll set the routers hostname To do this, we want to issue the following commands:

service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out

hostname internet_router

Next we need to set up our IP address space, DHCP pool and name servers; we’ll also give the router a domain name at this stage. To do this we want to exclude the IP address of the router and the access points using the “ip dhcp excluded-address” command. The dhcp pool needs to be given a name, an address space, the default gateway and the IP addresses of the DNS servers that will be issued to clients. In this case we’ll use one of BT’s servers and the Google DNS server. The domain name is set using “ip domain name” and the routers name servers set using “ip name-server”. Name servers are not strictly necessary, but allow DNS lookups to take place from the router. The commands now look something like this:

ip dchp excluded-address 192.168.1.1 192.168.1.2

ip dhcp pool main_dhcp_pool
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 194.74.65.68 8.8.8.8
exit

ip domain name testnet
ip name-server 194.76.65.68
ip name-server 8.8.8.8

This configuration is intended to have a reasonable degree of security, so we’ll set up user accounts and SSH access at this stage. to create a administrative user account the syntax is “username [username] privilege 15 secret [password]”. Looking at the configuration as it is saved, the password component of the user account will now be stored as a MD5 hash. The command to enable SSH is “crypto key generate rsa” and then follow the on screen prompts. This article contains more information on the process of enabling SSH (Link). Finally we’ll restrict SSH to clients using version 2 only since SSH1 is considered broken, we do with “ip ssh version 2”.

crypto key generate rsa
… [specify key strength]
ip ssh version 2

The final non-connectivity-related stage is to configure the access parameters. We do this by configuring the access lines to the router. We have three modes of access: Console, Aux, and vty lines. For each of these we will issue the “login local” command meaning the user must log in, the “logging synchronous” command which stops console messages interrupting user input. For the vty lines we want to also issue the “transport input ssh” which means that the use can only log in remotely via SSH and not using telnet which is insecure. It is worth noting that this router has 1371 vty lines (0-1370), the router will convert these to two blocks of lines (0-4 and 5-1370) since the first block is to preserve compatability with older routers. The config will resemble the following:

line con 0
logging synchronous
login local
exit

line aux 0
logging synchronous
login local
exit

line vty 0 1370
logging synchronous
login local
transport input ssh
exit

Now we move onto the core component of the router, setting up the interfaces, access lists and routing. We’ll begin by setting up the WAN port that connects to the modem. The configuration for this is very simple, but there are two big things which can trip you up if you’re not careful. The first is that unlike with Virgin Media, the modem does not handle the network authentication, this is left to the router and is done via PPPoE. The second issue which is much less discussed and is much harder to diagnose is that if the MTU (Packet size) values are not adjusted then the connection will be virtually unusable. Beginning with the basics, the interface requires no IP address, automatic speed and duplex settings and a packet size of 1452. Finally, we need to enable PPPoE using the global group and Dialer Pool 1; this is all done with the following commands:

int gi0/0
no ip address
speed auto
duplex auto

ip tcp adjust-mss 1452

pppoe enable group global
pppoe-client dial-pool-number 1
exit

We also need to configure the LAN interface which requires a fixed IP, NAT and a modified packet size; we’ll also enable virtual-reassembly inbound with the following commands:

int gi0/1
ip address 192.168.1.1 255.255.255.0

ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1350

duplex auto
speed auto
exit

While the router can now talk to upstream and downstream devices, it will be unable to authenticate, get a WAN IP address or do any of the other things needed to establish a connection. Therefore what we need to do is set up a psuedo-interface called Dialer1 which handles setting up a WAN connection. We want the connection to negotiate an IP address, be on the outside of the NAT and use an inbound ACL. We also need to adjust the MTU to 1492 and provide authentication details. For the authentication we will supply details for both CHAP and PAP, although you may be able to avoid using PAP. The commands are as follows:

interface dialer1
ip address negotiated

ip access-group 101 in

no ip unreachables
ip mtu 1492
ip nat outside
ip virtual-reassembly in
no cdp enable

encapsulation ppp
dialer pool 1

ppp chap hostname bthomehub@btbroadband.com
ppp chap password 0 bthomehub@btbroadband.com
ppp pap sent-username bthomehub@btbroadband.com password 0 bthomehub@btbroadband.com

exit

This is everything the router needs to make a connection to the internet. All that is now left to do is allow traffic to flow and make the various interfaces talk to each other. Let’s start with NAT, which needs both a command to enable it, and an access list to control what goes where. We want to tell the router to NAT traffic to the inside interface from the Dialer interface according to ACL #1. The overload parameter at the end of the NAT command is important since this allows multiple LAN connections to share the internet. Forget this and you won’t be able to use the internet. This is done with the following commands:

ip nat inside source list 1 interface Dialer1 overload
access-list 1 remark INTERNET-ACCESS
access-list 1 permit 192.168.1.0 0.0.0.255

Now we want to secure the connection so that people can’t just waltz into the network from the internet and start snooping around. This is what the inbound ACL is designed to prevent. First of all we’ll deny the reserved private-address spaces and two hosts which will never be seen in the wild 0.0.0.0 and 255.255.255.255. We also want to block the UDP port range 33400 to 34400 in order to stop traceroute working beyond the network edge. Next, we want to permit some ICMP packets in that allow us to understand what is happening with the traffic, but not enough to allow attackers to exploit the network. We want to enable the ICMP services net-unreachable, host-unreachable, port-unreachable, packet-too-big, administratively-prohibited, source-quench, ttl-exceeded, and echo-reply. Finally we want to allow established TCP and UDP communications, leaving everything else not specifically allowed in the denied state. The ACL therefore looks like this:

access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 255.0.0.0 0.255.255.255 any
access-list 101 deny ip 224.0.0.0 7.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny udp any any range 33400 34400
access-list 101 permit icmp any any net-unreachable
access-list 101 permit icmp any any host-unreachable
access-list 101 permit icmp any any port-unreachable
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any ttl-exceeded access-list 101 permit icmp any any echo-reply
access-list 101 permit tcp any any established
access-list 101 permit udp any any

The very last step is to set a couple of static routes to make the Router Route! Since the network is so simple, there is little point in applying a routing protocol, so two static routes, one for each interface is fine:

ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.1.0 255.255.255.0 gi0/1

As for the configuration of the wireless access point, this is a topic for another day. As such what is included below is a config that works, although I make no guarantees as to how secure, reliable or efficient it is:

no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption

hostname xxxxxxxxxxxxxxxx

no logging console
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxx

no aaa new-model
ip domain name xxxxxxxx

ip ssh version 2
login block-for 600 attempts 5 within 60
login delay 1
login on-failure log every 10
login on-success log

dot11 ssid xxxxxxxxxxx
authentication open
authentication key-management wpa version 2
guest-mode
wpa-psk ascii 7 xxxxxxxxxxxxxxxxx
!
dot11 ssid xxxxxxxxxxx
authentication open
authentication key-management wpa version 2
guest-mode
wpa-psk ascii 7 xxxxxxxxxxxxxxxxx

power inline negotiation prestandard source

crypto pki trustpoint TP-self-signed-68175988
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-68175988
revocation-check none
rsakeypair TP-self-signed-68175988

crypto pki certificate chain TP-self-signed-68175988
certificate self-signed 01
xxxxxxxxxxxxxxxxxxxxxxx
quit

username xxxxxxxxxxx privilege 15 secret 5 xxxxxxxxxx

bridge irb

interface Dot11Radio0
no ip address
no ip route-cache

encryption mode ciphers aes-ccm

ssid xxxxxxxxxxxx

speed basic-1.0 basic-2.0 basic-5.5 basic-11.0 basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
channel width 40-above
channel 2437
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled

interface Dot11Radio1
no ip address
no ip route-cache

encryption mode ciphers aes-ccm

ssid xxxxxxxxxxx

no dfs band block
speed basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
channel width 40-above
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled

interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled

interface BVI1
ip address 192.168.1.2 255.255.255.0
ip mtu 1350
no ip route-cache

no ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag

bridge 1 route ip

line con 0
logging synchronous
login local
transport output ssh

line vty 0 4
logging synchronous
login local
transport input ssh
transport output ssh

line vty 5 15
logging synchronous
login local
transport input ssh
transport output ssh

Share

39 Comments

  1. Frankie

    You should be able to do this without any MTU/MSS adjustment and leaving defaults (MTU1500) as the BT modem supports ‘baby jumbos’ as does your 1921. That’s how I have it working.

    Reply
  2. Sparky

    I’d just like to say thank you ever so much!

    You’ve helped me along the way getting my Cisco 1912 setup with my EE fiber line. Been playing around with it for the last few days but this has been a gem of a guide!

    Just wanted to say thanks.

    Reply
  3. Callam McMillan (Post author)

    Frankie,

    Without an MTU/MSS adjustment, internet access was patchy to non-existent. Skype connected fine, as did the Google homepage. If you tried using Google or accessing any other website however, the browser would simply sit there trying to load the page – without success.

    Once the MTU/MSS values were adjusted per the guide above, full connectivity was restored.

    Reply
  4. james

    Thanks for the article. I’m considering a similar set-up. I wondered what speeds you are achieving with this configuration? Do you reach the Infinity line speed?

    Reply
  5. Callam McMillan (Post author)

    Yes, this setup allows you to reach your maximum line speeds. I am running a Cisco 3845 at home on a fibre package offering 72/19 and I regularly get this.

    I hope this helps

    Reply
  6. SGS

    With the correct IOS image on the 2921 you can use the following commands for mini jumbos, allowing you to pass full size packets (I use this config successfully with c1900-universalk9-mz.SPA.153-2.T1):

    int gi0/0
    no ip tcp adjust-mss 1452
    mtu 1508
    pppoe-client ppp-max-payload 1500

    int gi0/1
    no ip tcp adjust-mss 1350
    mtu 1500

    Reply
  7. Callam McMillan (Post author)

    Thanks for that SGS. I will try it next time I rebuild my configuration. I’m not sure if a few extra bytes per packet will make a huge amount of difference to my connection speed, but it seems a shame to waste bandwidth.

    Reply
  8. james

    I’ve gone ahead and bought a 1941 to set up something similar to this, so thanks for the guide and the reassurance about the speeds. I’m just planning my deployment now, but one thing is confusing me. What is the best way to, for example, allow access to a host from the outside. I can statically map the port, I believe, but do I also have to add an entry to the inbound ACL (101 in your example)?

    Reply
  9. james

    I’ve gone ahead and bought a 1941 to set up something similar to this, so thanks for the guide and the reassurance about the speeds. I’m just planning my deployment now, but one thing is confusing me. What is the best way to, for example, allow access to a webserver from the outside. I can statically map the port, I believe, but what to do about the inbound ACL (101 in your example)?

    Reply
  10. Callam McMillan (Post author)

    Hi James, I’m glad you’ve found this useful. In answer to your question, if you’re happy with the port forwarding then all you need to do is punch a hole in your ACL from the Internet to your web server on the desired port. Assuming your web server is at 10.20.30.40 and responds on port 80 then the command you want is:

    permit tcp any host 10.20.30.40 eq 80

    This will allow traffic through to your router so it can forward it to your web server. Hope this helps.

    Reply
  11. james

    Hi Callam, this post, and your answers, have been a great help. Your suggested configuration

    permit tcp any host 10.20.30.40 eq 80

    is what I imagined also. However, I’m having trouble understanding how this works.

    IP 10.20.30.40 is in the local LAN behind the NAT. I’m wondering if the packet from the Internet that the ACL receives will reference this address, or if it will be addressed to the public IP instead. I’ve a suspicion that the ACL will be checked first, that is before the static NAT is applied, and so this rule won’t match?

    Reply
  12. Callam McMillan (Post author)

    James, you are quite correct to be confused because I have just spotted my mistake! The above example only works when the address of the web server is known such as on a WAN. On the Internet you will have at least one public IP address that you wish your web server to respond to. You then need to permit traffic directed at that address.

    Your rule would therefore be:
    permit TCP any host [public IP] eq 80

    Working through the process step by step we have:
    1. Traffic arrives at Port 80 of your public IP.
    2. As it matches the rule, it is allowed into the router.
    3. A NAT rule changes the packets destination to the local address of your web server.
    4. Your routing rules then send the packet where it needs to go.

    Again, I hope this helps and please reply if you want any more help.

    Reply
  13. James

    Callam, it is a relief that I wasn’t going completely mad. It is quite an involved configuration as I’m just starting out with Cisco kit. Thanks for the clear explanation.

    I did a bunch of research on this yesterday – the problem I have with your suggested rule is that my public IP is dynamic, since BT won’t give residential customers static IPs. So, I would have to change the ACLs every time my IP changes, which isn’t desirable. The advice I found is to simply use an any/any rule ( see comment from Rolande in http://www.dslreports.com/forum/r8421366-access-list-for-interface-with-dynamic-IP- ):

    permit TCP any any eq 80

    This seems to be “less secure” than specifying the public IP, but as there is only one public IP, and as there then follows a NAT, I believe it should be OK.

    It would be interesting to hear your thoughts.

    Reply
  14. Callam McMillan (Post author)

    James, that’s an interesting conundrum. Yes, using an any any rule would would work. While technically it would be less secure it shouldn’t actually matter for all practical intents and purposes.

    If you are looking for absolute stability then I would consider the above to be good enough. If you like to experiment though, perhaps you should take a look at the following: https://supportforums.cisco.com/document/66011/asa-using-hostnames-dns-access-lists-configuration-steps-caveats-and-troubleshooting – It was intended for the ASA devices, and I don’t know if it will work on IOS.

    If you set this up, then you can get yourself a dynamic DNS domain name from someone such as no-ip.org (This isn’t production class, but neither are non-static addresses.) Then you can use your domain name in the ACL.

    Of course, a third way, if it possibly applies to you is to look at an alternate ISP. I am using Plusnet’s version of BT infinity which is as fast as BTs, cheaper than BTs, and I got a static IP for them for a one off fee of five pounds. It also allows me to map a domain name back to my private IP.

    Reply
  15. James Bowler

    Great guide!

    I have a 2811 Cisco router that I would like to use and I cant get it to work. I dont think its the configuration you have supplied but the setting on the TalkTalk Router.
    So I type in my TalkTalk router address, 192.168.1.1 and I hit the login screen then, the Summary screen and I selet advanced and hit ok. Then I select Basic, then WAN, now there are three WAN Connection names in a small table:
    Name Connection Type Connection Status IP Address Enable
    nas_0_38 PPPoA Connected 79.XX.XX.XX 1
    nas_0_65 Bridge Connected 1
    ttyUSB0. PPP Pending Disconnect 1

    Each one has a setting that can be adjusted, please could you provide instructions for this bit.
    Thanks

    Reply
  16. Callam McMillan (Post author)

    Hi James,

    I’ve just read your problem and I’m a bit confused. From the sounds of it, you’re trying to connect your Cisco router through a TalkTalk ADSL router? If that’s the case, then this config isn’t going to work.

    Drop me an email at callam@callammcmillan.com and I’ll try and give you a hand if you’re interested.

    C

    Reply
  17. James

    Hello, I did email you just after I posted the last message and I got message sent failure back about 10 minutes later. Ill try again, please email me, I know email can be funny sometimes.

    Thanks

    James

    Reply
  18. Callam McMillan (Post author)

    James,

    I’ve replied to your email. We’ll continue this conversation in private.

    Callam

    Reply
  19. Gordon

    another option rather than a load of acl’s is to run a zone based firewall if your ios version supports it

    Reply
  20. Callam McMillan (Post author)

    Gordon, you’re absolutely right, and if you’ve done CCNA Security and know what you’re doing, then I would fully encourage you to do that.

    Sadly, I haven’t done any Cisco certs, and this is the only way I know how to do it (as I am sure applies to 90%+ of people that read this article.) Every time I have tried building a zone based firewall, I always find stuff like asynchronous Javascript stops working.

    Reply
    1. Tormod Macleod

      found this blog REALLY useful. so i thought i’d chip in
      and offer my ZBF config for anyone wanting to have a go

      i have three zones. Inside, Outside and the Self zone
      first we define an acl for traffic from-to each combination as below

      ip access-list extended Inside-Outside-Inspect-ACL
      remark permit LAN clients to the internet
      permit ip 172.30.10.0 0.0.0.255 any
      ip access-list extended Inside-Self-Inspect-ACL
      remark LAN clients administering the router through ssh
      permit tcp 172.30.10.0 0.0.0.255 host 172.30.10.1 eq 22
      ip access-list extended Inside-Self-Pass-ACL
      remark stateless DHCP requests from LAN clients
      permit udp any any eq bootps
      ip access-list extended Outside-Inside-Inspect-ACL
      remark remote access VPN clients to matthew ssh
      permit tcp 172.30.11.0 0.0.0.255 host 172.30.10.10 eq 22
      remark remote access VPN clients to matthew rdp
      permit tcp 172.30.11.0 0.0.0.255 host 172.30.10.10 eq 3389
      remark remote access VPN clients to matthew vnc
      permit tcp 172.30.11.0 0.0.0.255 host 172.30.10.10 eq 5900
      ip access-list extended Outside-Self-Inspect-ACL
      remark remote access VPN clients phase one traffic
      permit udp any any eq isakmp
      remark remote access VPN clients phase two traffic (NAT-T)
      permit udp any any eq non500-isakmp
      remark remote access VPN clients phase two traffic
      permit esp any any
      remark remote access VPN clients administering the router through ssh
      permit tcp 172.30.11.0 0.0.0.255 host 172.30.10.1 eq 22
      ip access-list extended Self-Inside-Inspect-ACL
      remark allow ICMP from router to LAN clients for DHCP check
      permit icmp host 172.30.10.1 172.30.10.0 0.0.0.255 echo
      ip access-list extended Self-Inside-Pass-ACL
      remark stateless DHCP responses to LAN clients
      permit udp any eq bootps any
      ip access-list extended Self-Outside-Inspect-ACL
      remark NTP requests to configured server
      permit udp any host 82.219.4.30 eq ntp
      remark NTP requests to configured server
      permit udp any host 178.79.160.57 eq ntp
      remark NTP requests to configured server
      permit udp any host 193.62.22.74 eq ntp
      remark NTP requests to configured server
      permit udp any host 193.62.22.82 eq ntp
      remark NTP requests to configured server
      permit udp any host 193.62.22.90 eq ntp
      remark NTP requests to configured server
      permit udp any host 193.62.22.98 eq ntp
      remark remote access VPN clients phase one traffic
      permit udp any eq isakmp any
      remark remote access VPN clients phase two traffic (NAT-T)
      permit udp any eq non500-isakmp any
      remark remote access VPN clients phase two traffic
      permit esp any any

      then create a class-map which references each acl
      make them all inspect type

      class-map type inspect match-any Inside-Self-Inspect-Class
      match access-group name Inside-Self-Inspect-ACL
      class-map type inspect match-any Self-Inside-Inspect-Class
      match access-group name Self-Inside-Inspect-ACL
      class-map type inspect match-any Inside-Self-Pass-Class
      match access-group name Inside-Self-Pass-ACL
      class-map type inspect match-any Self-Inside-Pass-Class
      match access-group name Self-Inside-Pass-ACL
      class-map type inspect match-any Inside-Outside-Inspect-Class
      match access-group name Inside-Outside-Inspect-ACL
      class-map type inspect match-any Outside-Inside-Inspect-Class
      match access-group name Outside-Inside-Inspect-ACL
      class-map type inspect match-any Self-Outside-Inspect-Class
      match access-group name Self-Outside-Inspect-ACL
      class-map type inspect match-any Outside-Self-Inspect-Class
      match access-group name Outside-Self-Inspect-ACL

      then create a poicymap for each zone combination and reference the class-maps
      just be careful when configuring the pass class-maps as dhcp won’t work if you get this wrong
      apply the pass classes first in each applicable policy and set the section to pass
      followed by inspect classes and default drop

      policy-map type inspect Inside-Outside-PolicyMap
      class type inspect Inside-Outside-Inspect-Class
      inspect
      class class-default
      drop log
      policy-map type inspect Outside-Inside-PolicyMap
      class type inspect Outside-Inside-Inspect-Class
      inspect
      class class-default
      drop log
      policy-map type inspect Self-Outside-PolicyMap
      class type inspect Self-Outside-Inspect-Class
      inspect
      class class-default
      drop log
      policy-map type inspect Outside-Self-PolicyMap
      class type inspect Outside-Self-Inspect-Class
      inspect
      class class-default
      drop log
      policy-map type inspect Inside-Self-PolicyMap
      class type inspect Inside-Self-Pass-Class
      pass
      class type inspect Inside-Self-Inspect-Class
      inspect
      class class-default
      drop log
      policy-map type inspect Self-Inside-PolicyMap
      class type inspect Self-Inside-Pass-Class
      pass
      class type inspect Self-Inside-Inspect-Class
      inspect
      class class-default
      drop log

      declare your zones
      you don’t have to declare self as it’s built in

      zone security Outside
      zone security Inside

      then define which policy-map is dealing with each zone combination

      zone-pair security Inside-Outside source Inside destination Outside
      service-policy type inspect Inside-Outside-PolicyMap
      zone-pair security Outside-Inside source Outside destination Inside
      service-policy type inspect Outside-Inside-PolicyMap
      zone-pair security Outside-Self source Outside destination self
      service-policy type inspect Outside-Self-PolicyMap
      zone-pair security Self-Outside source self destination Outside
      service-policy type inspect Self-Outside-PolicyMap
      zone-pair security Inside-Self source Inside destination self
      service-policy type inspect Inside-Self-PolicyMap
      zone-pair security Self-Inside source self destination Inside
      service-policy type inspect Self-Inside-PolicyMap

      finally, declare which interfaces are in which zone
      i’m using an 871w so i added the dialer to the Outside zone
      and the BVI to the Inside zone

      interface Dialer1
      ip address negotiated
      no ip unreachables
      ip mtu 1492
      ip nat outside
      ip virtual-reassembly in
      zone-member security Outside
      encapsulation ppp
      dialer pool 1
      ppp authentication chap callin
      ppp chap hostname *************
      ppp chap password 7 *************
      crypto map VPN
      !
      interface BVI1
      ip address 172.30.10.1 255.255.255.0
      ip nat inside
      ip virtual-reassembly in
      zone-member security Inside
      ip tcp adjust-mss 1350

      hope this helps

      Reply
  21. Ash

    Hi,

    Did you have any luck on getting this to work with TalkTalk?

    I was previously on BT Infinity and my 887VA worked fine, TalkTalk doesn’t seem to want to play 🙁

    Reply
  22. Franchesca Nixon

    Hi there,
    i found your post very interesting and having a 2811 handy i’m thinking of giving this a go, what would be an acceptable ios to use on the 2811 for security and compatibility with connecting to the BT modem, at the moment it has 12.4.24.

    I too are with plus-net and i’m finding their router to be a pain and often thought of hooking up a cisco to do the job properly..

    regards fran

    Reply
  23. Callam McMillan (Post author)

    Hi Fran,

    12.4.24 should be an acceptable operating system for getting online. It’s a bit dated now, but if that’s all you have access to, then go for it.

    From there, and depending on your prior experience, start small and build up what you ask of the router over time.

    Feel free to ask for more help here, and let us know how you got on.

    Cheers,
    Callam

    Reply
  24. Alan

    Callum

    We are trying to get an ASA 5505 working connected to an ECI BT VDSL modem. The ASA is doing the PPPoE authentication but the speeds are lower than expected – only 5-8Mbits up/dn.

    I think it is to do with duplex MTU and MSS settings but as we can’t access the ECI modem we can’t check and the ISP is relucctant to ask BT!?

    I have tried different duplex and MTU sizes but the MSS has always been 1380. The MTU is currently 1490. These seemed to give the best performance as much as possible. We know the line is capable of going as high at 40Mbit dn.

    Advice appreciated

    Alan

    Reply
  25. Rohit

    Hi Callum,

    Thanks for uploading such a gr8 guide for configuring the router with BT infinity connection.

    Question:
    we got the BT connection with 8 static ip addresses. With the above configurations i am able to connect and access internet and also able to connect with other sites using DMVPN. But i am not able to utilize the static ip addresses – i have created the NAT rules and assigned public ip to internal ips and also created respective ACL for outside too, but i am unable to connect to any of them from outside.

    Can you please put some light on it in case we need to perform few more things in case we want to use the ip range assigned to us.

    best wishes.

    Reply
  26. router to router configuration in cisco packet tracer

    Hey there great blog! Does running a blog like this require a large amount of work?
    I’ve very little knowledge of programming however I had been hoping to start
    my own blog soon. Anyway, if you have any suggestions or tips for new blog owners please share.

    I know this is off subject however I simply needed to ask.
    Kudos!

    Reply
  27. bit.ly

    You might demand a new modem and buy a hub that is new.
    I highly recommend the Netgear WNDR4300 – excellent range/velocity and most significantly may have DD-WRT installed.
    Research ddwrt, in case you do wind up getting any
    new router/device. It is a far more flexible (and lets me handle me and my 4 room mates links manner better than default option applications).

    Reply
    1. Callam McMillan (Post author)

      Interesting. I’ve always been aware of the DD-WRT suite, but have never actually used it. At the moment I’m playing with the pfSense software, which turns ordinary x86/x64 hardware into a high power router. My concern with things such as DD-WRT are that while the software may be good, you have to flash it to mediocre hardware. Plus, if you buy it new, you’re likely to void your warranty.

      Reply
  28. Rob

    Great post, helped a lot to sort out my 867, a bit more complicated because I had to configure a VLAN for the internal network and not a dedicated adapter but this post got me on the right path.

    Just for info, I’ve been having all sorts of fun with MTUs on my PlusNet PPPoE broadband. I had the “ip tcp adjust-mss” commands you’ve listed above on my VLAN and the Gigabyte adapter that was bound to the dialar and this would cause sound clipping on YouTube videos. If I removed “ip tcp adjust-mss” from all but the dialer interface then YouTube would work but I’d have issues with other services. The compromise I got to work was just have the “ip tcp adjust-mss” command on the VLAN and that works perfectly. It been a very long time since I used Cisco (think dial-up and 64k leased lines).

    For info this was my final configuration.

    interface GigabitEthernet1
    description INTERNET
    no ip address
    ip access-group 101 in
    duplex auto
    speed auto
    pppoe-client dial-pool-number 1
    !
    interface Vlan100
    ip address 192.168.254.254 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    ip tcp adjust-mss 1452
    !
    interface Dialer1
    ip address negotiated
    no ip unreachables
    ip mtu 1492
    ip nat outside
    ip virtual-reassembly in
    encapsulation ppp
    dialer pool 1
    ppp chap hostname user@name.com
    ppp chap password 7 password
    ppp pap sent-username user@name.com
    no cdp enable

    Hopefully this’ll help someone else in the future.

    Thanks again
    Rob

    Reply
  29. Lee P

    A great read – I posted something very similar on the BT Community care forums a few years ago where I worked with Cisco TAC to address the throughput and DNS / loading issues (and where the MSS came up).

    I’ve just moved onto FTTP with a 1941 router and getting disappointing results.
    Throughput on the BT Hub 6 (cabled) is in the region of 204mb/sec which is fantastic.

    When using a combination of this and the minijumbo frames (1500/1508 byte) config, I’m peaking out at approx 96mb/sec…!

    Any ideas?

    interface Gig0/0
    description DATA-LAN
    ip address xx.xx.xx.xx 255.255.255.0
    ip accounting output-packets
    mtu 1500
    ip flow ingress
    ip nat inside
    duplex auto
    speed auto
    !
    interface Gig0/1
    description ONT FTTP
    ip address dhcp
    ip accounting output-packets
    ip flow egress
    ip nat outside
    no ip virtual-reassembly
    mtu 1508
    duplex auto
    speed auto
    pppoe enable group global
    pppoe-client ppp-max-payload 1500
    pppoe-client dial-pool-number 1
    no routing dynamic
    !
    interface Dialer1
    description WAN-Dialer
    ip address negotiated
    ip flow ingress
    ip nat outside
    no ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    no cdp enable
    ppp chap hostname bthomehub@btbroadband.com
    ppp chap password 0 bthomehub@btbroadband.com
    ppp pap sent-username bthomehub@btbroadband.com password 0 bthomehub@btbroadband.com
    !
    ip route 0.0.0.0 0.0.0.0 Dialer1
    !
    ip nat inside source list 199 interface Dialer1 overload

    access-list 199 permit ip xx.xx.xx.xx 0.0.0.255 an

    Interfaces coming up at Gig/Full and showing the correct MTU. I can ping out with large sized packets (non fragmented). Very odd!

    All other infrastructure remains in place (3750X switches, AP’s and controllers) to discount those from being the issue with the BT Hub 6.

    Reply
    1. Callam McMillan (Post author)

      Hi Lee,

      I’m afraid this is a little beyond my capability to diagnose, but hopefully one of the readers may be able to share a solution with you.

      Callam

      Reply
    2. Adrian England

      Flat out, the 1941 will do approx 150Mbps, without any processing according to Cisco. Your running NAT, NBAR will impact on that. HTH

      Reply
      1. Callam McMillan (Post author)

        Adrian,

        That’s a useful reply, thank you. Is there any chance you can share the link to the routing speeds of the newer routers? My one is a few years out of date now.

        Callam

        Reply
  30. Lewis

    Just wanted to say a big “Thanks”!

    I used this guide in conjunction with your ADSL over POTS config to get a 881W-K9 router working with an open reach modem (with modded firmware to accept the ADSL line instead of VDSL)

    I’m studying for my CCENT/CCNA and this was a great project to practice what I’d learned.

    Reply
  31. Charles

    Hi Callam,
    Firstly, thanks for taking the time to write this up. I have a cisco 887 with built in VDSL modem and was abole to use some of this config to get me running.

    I have a question regarding access list 101. Why do yo block all private IP addresses? I haven’t got much of an access list on my setup and am curious as to whether this is an entry point for an attack? I didn’t think you would be able to receive any traffic from private IP’s. Also, I’ve always been under the illusion that NAT gives a degree of protection as any random packets would be dropped unless the port is specifically forwarded.

    I am not a Cisco expert, just studying for my CCNA. So these may be daft questions, but I’m interested to hear your thoughts.

    Reply
  32. Xpertdevs

    I’d just like to say thank you ever so much!

    You’ve helped me along the way getting my Cisco 1912 setup with my EE fiber line. Been playing around with it for the last few days but this has been a gem of a guide!

    Just wanted to say thanks.

    Reply
  33. rardlaria

    i am from Italy hello. Can you help me translate? /rardor

    Reply
  34. Nba2K20

    I couldn’t refrain from commenting. Well written!

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *