09-07-2022 02:11 AM - edited 09-13-2022 11:40 AM
I'm upgrading from my crappy old TP-Link, which didn't support SOS or ROC. Anyway I got my hands on a second hand Cisco C1117-4P for a good price so I've decided to use that. They were often sold to Telstra Business customers in Australia and I'm getting the feeling the reason we're seeing secondhand ones now is because those sites probably have FTTP now. Sadly for my area that's not going to happen for some time.
I started by upgrading it to the latest recommended version of IOS-XE Bengaluru-17.6.3a and I upgraded the VDSL interface firmware which now sits on A2pv6F039x8.d26d.
In the past when I had a Cisco 877 (back in the days of ADSL2+) which ran IOS 12.4, I had that configured in bridge mode with BVI.
!
bridge irb
!
!
interface ATM0
 no ip address
 no ip route-cache
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5snap
 !
 bridge-group 1
!
!
interface BVI1
 ip address 192.168.0.1 255.255.255.252
 no ip route-cache
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
Since then I've got myself an OPNsense DEC3840 Rack Security Appliance which I have all my LAN side networking set up on. I wanted it to do all my routing with the OPNsense appliance and just use the ATM VDSL link on my Cisco C1117 ISR. I also do some VLAN routing there with a privacy VPN like this.
Apparently the C1117 only supports BDI and bridging the WAN isn't possible, that is if I understand that correctly. I looked about and can't find much.
What options do I have?
I really don't need the ISR to do the routing, in fact the main reason I got it was to have a dedicated management interface that doesn't require NAT rules, i.e. can have a static route to a specific IP, and so that I can expose synchronization statistics via SNMP for monitoring. In the past on the Cisco 877 I had Cacti templates; that was quite useful when a line fault appeared, I would have evidence of when that occurred to show my retail service provider.
The plan is to have a management link from GigabitEthernet0/0/0 into my switch and a link from GigabitEthernet0/1/0 to my OPNsense box. My config so far is:
!
! Last configuration change at 18:18:54 UTC Tue Sep 13 2022 by admin
!
version 17.6
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 50000
!
hostname cisco.rt2
!
boot-start-marker
boot system bootflash:c1100-universalk9.17.06.03a.SPA.bin
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
!
!
!
!
!
aaa session-id common
ip options drop
!
!
!
!
!
!
!
ip name-server {{ censored }}
ip domain name home.arpa
ip dhcp excluded-address 192.168.1.0 192.168.1.4
!
ip dhcp pool dhcp-1
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.1.1
!
ip dhcp pool opnsense
host 192.168.1.2 255.255.255.0
hardware-address {{ censored }}
dns-server {{ censored }}
default-router 192.168.1.1
!
!
!
login on-success log
ipv6 icmp error-interval 50 20
ipv6 unicast-routing
!
!
!
!
!
!
!
subscriber templating
multilink bundle-name authenticated
!
!
!
license udi pid C1117-4P sn {{ censored }}
memory free low-watermark processor 70173
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username admin privilege 15 secret 9 {{ censored }}
!
redundancy
mode none
!
controller VDSL 0/2/0
operating mode vdsl2
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface GigabitEthernet0/0/0
description Management port
ip address 192.168.2.1 255.255.255.0
negotiation auto
no cdp enable
!
interface GigabitEthernet0/1/0
no cdp enable
!
interface GigabitEthernet0/1/1
no cdp enable
!
interface GigabitEthernet0/1/2
no cdp enable
!
interface GigabitEthernet0/1/3
no cdp enable
!
interface ATM0/2/0
no ip address
atm oversubscribe factor 2
!
interface ATM0/2/0.1 point-to-point
!
interface Ethernet0/2/0
description Internet Interface
ip dhcp client request classless-static-route
ip address dhcp
no ip redirects
no ip proxy-arp
ip nat outside
ip access-group WAN4_IN in
no negotiation auto
ipv6 address dhcp
ipv6 address pd-ipv6 ::1/64
ipv6 address autoconfig default
ipv6 enable
ipv6 dhcp client pd pd-ipv6
ipv6 traffic-filter WAN6_IN in
!
interface Vlan1
description Local Area Network
ip address 192.168.1.1 255.255.255.0
ip nat inside
ipv6 address pd-ipv6 ::1:0:0:0:1/64
ipv6 enable
ip virtual-reassembly
!
no ip http server
no ip http secure-server
ip forward-protocol nd
ip nat inside source list NATACL interface Ethernet0/2/0 overload
ip route 192.168.2.0 255.255.255.0 192.168.2.2
ip route 192.168.30.0 255.255.255.0 192.168.2.2 2
ip route 192.168.31.0 255.255.255.0 192.168.2.2 2
ip ssh version 2
ip scp server enable
!
!
ip access-list standard NATACL
10 permit 192.168.1.0 0.0.0.255
ip access-list standard SNMPACL
10 permit 192.168.50.253
20 permit 192.168.50.252
30 deny any
ip access-list standard WAN4_IN
!
ip access-list extended SSH_ACL
10 permit tcp 192.168.30.0 0.0.0.255 any eq 22
20 permit tcp 192.168.31.0 0.0.0.255 any eq 22
30 permit tcp 192.168.2.0 0.0.0.255 any eq 22
40 deny tcp any any eq 22
!
!
snmp-server community public RO SNMPACL
!
!
!
!
control-plane
!
!
line con 0
transport input none
stopbits 1
line vty 0 4
access-class SSH_ACL in
privilege level 15
transport input ssh
line vty 5 14
access-class SSH_ACL in
privilege level 15
transport input ssh
!
!
!
!
!
!
end
Any tips to get this working would be appreciated.
The other problem I had was that call-home keeps turning on because of smart licensing. This guide says it's as easy as no license smart enable however that seems to be reversed when I reboot. I'm pretty sure the base license should be enough.
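Added example, not from the original post: a hardened management-plane fragment for the SNMP part of the plan above. Two things stand out in the posted config from a monitoring-security angle. First, `snmp-server community public RO SNMPACL` uses SNMPv2c with the well-known community name "public", so anything that can reach the router and spoof one of the two SNMPACL addresses can read the whole MIB. Second, the WAN interface applies `WAN4_IN`, which is defined with no entries, and `WAN6_IN`, which does not appear in the posted config at all; on IOS/IOS-XE an ACL with no entries (or one that has not been created yet) permits all traffic, so neither filter currently blocks anything. The fragment below replaces the community string with an SNMPv3 user restricted to a read-only view and to the two poller addresses already in SNMPACL. The group, user and view names, and the two passphrase placeholders, are assumptions; the ACL name and poller addresses are the ones from the post.

```cisco
! Remove the v2c community; after this only v3 polls are accepted.
no snmp-server community public
!
! Read-only view limited to system info and the interface table, which is
! what a Cacti-style sync/throughput graph needs. Add the VDSL line MIB
! subtree once "show snmp mib" on this image confirms which objects it
! exposes; do not hand out the whole tree (iso) to the poller.
snmp-server view MON-VIEW system included
snmp-server view MON-VIEW interfaces included
!
! v3 group: authentication AND encryption required ("priv"),
! read access limited to the view above, and source-restricted by the
! same SNMPACL the post already defines (192.168.50.253 and .252).
snmp-server group MON-GROUP v3 priv read MON-VIEW access SNMPACL
!
! v3 user: SHA for authentication, AES-128 for privacy. Both passphrase
! values are placeholders (assumed); use separate, long, random strings.
snmp-server user cacti-poller MON-GROUP v3 auth sha {{ AUTH-PASSPHRASE }} priv aes 128 {{ PRIV-PASSPHRASE }} access SNMPACL
!
! Keep the trap/inform source on the management port so replies come
! from 192.168.2.1, not the DHCP-assigned WAN address.
snmp-server source-interface informs GigabitEthernet0/0/0
snmp-server trap-source GigabitEthernet0/0/0
!
! Deny entries on a standard ACL can be logged to see who is probing
! the agent from an unexpected source.
ip access-list standard SNMPACL
 no 30
 30 deny any log
```

Verify with `show snmp user` (the user is listed with its auth and priv protocols but the passphrases are never shown) and `show snmp group`. For the WAN filters, either give `WAN4_IN` and `WAN6_IN` explicit entries that end in a deny, or move the filtering to the OPNsense box and remove the `ip access-group` / `ipv6 traffic-filter` lines so the config does not suggest a filter that is not there; an IPv6 ACL with an explicit final `deny ipv6 any any` also drops the neighbour-discovery traffic the implicit permits would otherwise allow, so `permit icmp any any nd-ns` and `permit icmp any any nd-na` have to be added before it.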