Below is my own configuration for connecting a Cisco 897VA-B running IOS 15 to a bonded (pair bonding) VDSL line:
- Internet-only
- Requires the Advanced IP Services licence for the Zone-Based Firewall
- Basic firewall for IPv4 and IPv6
- Supports an MTU of 1508 on the VLAN (there is a bug in Cisco's implementation that also sets the MTU of the Dialer interface to 1508, see here for more info)
- Make sure you configure the Dialer interface first and only then the Ethernet 0.6 VLAN interface
Feedback/improvements always welcome! Here is the config:
ip dhcp excluded-address 192.168.178.1 192.168.178.10
!
ip dhcp pool LAN
 import all
 network 192.168.178.0 255.255.255.0
 default-router 192.168.178.1
 dns-server 185.93.175.43 185.232.98.76
 lease 0 2
!
no ip domain lookup
ip cef
no ipv6 source-route
ipv6 unicast-routing
ipv6 cef
ipv6 dhcp pool ISP_PREFIX
 dns-server 2A10:3780:2:52:185:93:175:43
 dns-server 2A10:3780:2:53:185:232:98:76
!
controller VDSL 0
 operating mode vdsl2
 line-mode bonding
 sync mode itu
 sra
!
class-map type inspect match-any ALL-TRAFFIC
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-any ALLOW-ICMP-FROM-INTERNET
 match access-group name ALLOW-ICMPv4-ACL
 match access-group name ALLOW-ICMPv6-ACL
!
policy-map type inspect I-2-O-POLICY
 class type inspect ALL-TRAFFIC
  inspect
 class class-default
  drop
policy-map type inspect O-2-I-POLICY
 class type inspect ALLOW-ICMP-FROM-INTERNET
  inspect
 class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security I2O source INSIDE destination OUTSIDE
 service-policy type inspect I-2-O-POLICY
zone-pair security O2I source OUTSIDE destination INSIDE
 service-policy type inspect O-2-I-POLICY
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface Ethernet0
 no ip address
!
interface Ethernet0.6
 encapsulation dot1Q 6
 pppoe enable group global
 pppoe-client dial-pool-number 1
 pppoe-client ppp-max-payload 1508
!
interface GigabitEthernet0
 no ip address
!
interface Vlan1
 ip address 192.168.178.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
 ip tcp adjust-mss 1452
 ipv6 address ISP_PREFIX ::1/64
 ipv6 enable
 ipv6 nd other-config-flag
 ipv6 dhcp server ISP_PREFIX rapid-commit
!
interface Dialer1
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 ip verify unicast reverse-path
 zone-member security OUTSIDE
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer-group 1
 no cdp enable
 ipv6 address autoconfig default
 ipv6 enable
 ipv6 verify unicast reverse-path
 ipv6 dhcp client pd ISP_PREFIX
 ppp authentication pap chap callin
 ppp chap hostname fake@freedom.nl
 ppp chap password 0 1234
 ppp pap sent-username fake@freedom.nl password 0 1234
 ppp ipcp dns request
!
ip nat inside source list ACL_NAT interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list standard ACL_NAT
 permit 192.168.178.0 0.0.0.255
ip access-list standard MGMT
 permit 192.168.178.0 0.0.0.255
!
ip access-list extended ALLOW-ICMPv4-ACL
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any echo
 permit icmp any any time-exceeded
 permit icmp any any timestamp-request
 permit icmp any any timestamp-reply
 deny ip any any
!
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipv6 permit
ipv6 route ::/0 Dialer1
!
ipv6 access-list ALLOW-ICMPv6-ACL
 permit icmp any any destination-unreachable
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any parameter-problem
 permit icmp any any echo-request
 permit icmp any any echo-reply
 deny ipv6 any any
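As an added example (my own script, not part of the post or of Cisco's tooling), a small audit that reads a 'show run' style config like the one above and flags the things a reviewer would check in a ZBFW setup: L3 interfaces that belong to no zone, cleartext PPP credentials (`password 0`), and ICMPv6 error types that the OUTSIDE-to-INSIDE ACL must not drop. The embedded config excerpt is constructed from the post, with a Loopback0 interface and a dropped `parameter-problem` rule planted so that findings are produced.

```python
from typing import Dict, List
# Constructed excerpt modelled on the post's config; Loopback0 and the dropped
# parameter-problem rule are planted so the audit produces findings.
SAMPLE_CONFIG = """\
interface Vlan1
 ip address 192.168.178.1 255.255.255.0
 zone-member security INSIDE
interface Dialer1
 ip address negotiated
 zone-member security OUTSIDE
 ppp chap password 0 1234
 ppp pap sent-username fake@freedom.nl password 0 1234
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
ipv6 access-list ALLOW-ICMPv6-ACL
 permit icmp any any destination-unreachable
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 deny ipv6 any any
"""
# ICMPv6 error messages a firewall must not drop (RFC 4890, section 4.3.1).
REQUIRED_ICMPV6 = ("destination-unreachable", "packet-too-big", "time-exceeded", "parameter-problem")

def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Group one-space-indented sub-commands under their parent line, as in 'show run'."""
    blocks, parent = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):
            parent = line.strip()
            blocks[parent] = []
        elif parent is not None:
            blocks[parent].append(line.strip())
    return blocks

def audit(config: str) -> List[str]:
    """Flag unzoned L3 interfaces, cleartext PPP credentials and missing ICMPv6 error types."""
    findings = []
    for parent, subs in parse_blocks(config).items():
        if parent.startswith("interface "):
            name = parent.split()[1]
            is_l3 = any(s.startswith(("ip address ", "ipv6 address ")) for s in subs)
            if is_l3 and not any(s.startswith("zone-member security") for s in subs):
                findings.append(f"{name}: L3 interface in no zone; ZBFW drops traffic between it and zoned interfaces")
            findings += [f"{name}: cleartext credential '{s}'" for s in subs if " password 0 " in s]
        elif parent.startswith("ipv6 access-list "):
            permitted = {s.split()[-1] for s in subs if s.startswith("permit icmp")}
            findings += [f"{parent.split()[-1]}: missing ICMPv6 {t} (breaks PMTUD and error signalling)"
                         for t in REQUIRED_ICMPV6 if t not in permitted]
    return findings
```

Run `audit(SAMPLE_CONFIG)` on the excerpt and you get four findings: two cleartext credentials on Dialer1, the unzoned Loopback0, and the missing parameter-problem permit; `service password-encryption` only obscures the PPP secrets, so keep the config file itself out of reach rather than relying on it.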