bigsy | reply to john51
Re: [Config] Cisco 1921 and HWIC-1VDSL
Good to hear.
Would you post the output of 'sh contr vd 0/0/0' as I'd like to see what's reported?
Here you go:

Controller VDSL 0/0/0 is UP
Daemon Status: Up

                        XTU-R (DS)          XTU-C (US)
Chip Vendor ID:         'BDCM'              'BDCM'
Chip Vendor Specific:   0x0000              0xA1B7
Chip Vendor Country:    0xB500              0xB500
Modem Vendor ID:        'CSCO'              'BDCM'
Modem Vendor Specific:  0x4602              0xA1B7
Modem Vendor Country:   0xB500              0xB500
Serial Number Near:     FOC151311CY 1921/K9 15.0(1)M
Serial Number Far:
Modem Version Near:     15.0(1)M
Modem Version Far:      0xa1b7

Modem Status:           TC Sync (Showtime!)
DSL Config Mode:        AUTO
Trained Mode:           G.993.2 (VDSL2)
TC Mode:                PTM
DELT configuration:     disabled
DELT state:             not running
Trellis:                ON                  ON
Line Attenuation:       0.0 dB              0.0 dB
Signal Attenuation:     0.0 dB              0.0 dB
Noise Margin:           23.3 dB             23.4 dB
Attainable Rate:        109436 kbits/s      32426 kbits/s
Actual Power:           12.3 dBm            -12.6 dBm
Per Band Status:        D1    D2    D3    U0    U1    U2    U3
Line Attenuation(dB):   1.9   4.8   12.2  0.1   5.2   7.4   N/A
Signal Attenuation(dB): 1.9   4.8   12.2  0.0   N/A   6.3   N/A
Noise Margin(dB):       23.4  23.3  23.3  23.3  N/A   23.4  N/A
Total FECS:             0                   0
Total ES:               0                   0
Total SES:              0                   0
Total LOSS:             0                   0
Total UAS:              0                   0
Total LPRS:             0                   0
Total LOFS:             0                   0
Total LOLS:             0                   0

Full inits:             0
Failed full inits:      0
Short inits:            0
Failed short inits:     0

Firmware        Source          File Name (version)
--------        ------          -------------------
VDSL            embedded        VDSL_LINUX_DEV_01212008 (1)

Modem FW Version:       090929_1033-4.02L.01.AvC011b.d21j1
Modem PHY Version:      AvC011b.d21j1

                        DS Channel1     DS Channel0     US Channel1     US Channel0
Speed (kbps):                0              39998               0           10000
Reed-Solomon EC:             0                  0               0               0
CRC Errors:                  0                  0               0               0
Header Errors:               0                  0               0               0
Interleave (ms):             0                  0               0               0
Actual INP:                  0                  0               0               0

Training Log :          Stopped
Training Log Filename : flash:vdsllog.bin
Cisco1#

Thanks to all for the help thus far!
Just had a problem logging onto Internet banking and ip's webpage... added a line ip tcp adjust-mss 1350 to g0/0 (lan facing)
I saw this on another config, by the way.
Now faster than old provider's hardware 31.5 up, 6.3 down.
reply to john51
Faster's always good, how fast were you getting with the ISP supplied gear, and how stable is the connection? Nothing like running multiple streams of traffic for several hours on end and seeing if anything chokes or not.
Regards
I spoke too soon!!!  I have now got an apparent dns resolution problem, i.e. https are fine, but domain names won't open in I.E 8 with Bitdefender AV, enabled or no..
I have read up a little on adjust-mss, and ip mtu and tried various settings, including increasing mtu on the lan nic, to no avail.
Is it possible that I need a vlan both sides of the router?
Do I possibly need a static route to lan facing g0/0?
regards
reply to john51
said by john51:
    I have now got an apparent dns resolution problem, i.e. https are fine, but domain names won't open in I.E 8 with Bitdefender AV, enabled or no..
Can you clarify this problem further? Is it certain webpages (both http and https) intermittently not displaying, or no http pages at all?
Intermittent webpage problems + a DSL connection usually is an MTU problem. For chuckles, from your PC ping a website address with the "-l 1500" and "-f" options. Adjust the -l size up and down as needed to rule this out.
Regards
I'll reply fully soon re the mtu, but also a problem is that a Netgear WG302 is not working properly with the cisco setup (via Netgear Gig switch). It receives an address via dhcp, but is not reachable by wireless devices for data, although it can be logged onto. I think I need to try it with a fixed ip when I get a minute. I will try to explain the browser problem again. It appears to be only with Google.uk. The anti-virus programme (bitdefender) annotates sites as safe, but suggested sites from a google search will not open if selected from ordinary text, but if selected from the ticked area, ie http, or https addresses they will open. This does not apply to Amazon ads regardless of how they appear, or suggested sites via Yahoo search engine which also work. As you can see, I have large gaps in my knowledge!
No rush, guys, I've got a lot to do on my site.
Happy New Year everyone!!
TomS_ | reply to john51
I should imagine you can use an MSS of 1452. With PPPoE you typically end up with a useable MTU of 1492, as 8 additional bytes are required for PPPoE headers. Then, adjusting for 40 bytes of IP headers, you should be able to run 1452 bytes of payload through.
The lower you drop your MSS, the more packets your data has to be broken up into, which could have performance "implications".
reply to john51
Add the following global command: ip tcp path-mtu-discovery
Remove the MTU & all the mss statements & the 'ip unreachables' on the Dialer. Then find your MTU with the ping -f command. Put the new MTU on your Dialer interface. Add the MSS statement after subtracting 48 from the MTU you found.
Why does the WAN interface have a .101 sub-interface?
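The MTU/MSS arithmetic and the "ping -f" hunt from the two replies above, worked through as an added example (not code from anyone in this thread). It assumes the usual header sizes (IPv4 20, ICMP 8, TCP 20, PPPoE 8) and uses a constructed probe in place of a real ping, so it runs offline:

```python
# Added example, not code from the thread: reproduce the "ping -f -l <size>"
# MTU hunt suggested above and derive the MSS to clamp from its result.
# Assumed sizes: IPv4 header 20, ICMP header 8, TCP header 20, PPPoE header 8
# inside a 1500-byte Ethernet frame.
IP_HDR, ICMP_HDR, TCP_HDR = 20, 8, 20
PPPOE_OVERHEAD, ETHERNET_MTU = 8, 1500

def pppoe_path_mtu(ethernet_mtu=ETHERNET_MTU):
    """Usable IP MTU on a PPPoE link: Ethernet MTU minus the PPPoE header (1492)."""
    return ethernet_mtu - PPPOE_OVERHEAD

def mss_for_mtu(mtu):
    """Value for 'ip tcp adjust-mss': the MTU minus IP and TCP headers."""
    return mtu - IP_HDR - TCP_HDR

def mtu_from_ping_payload(payload):
    """'ping -l' sets the ICMP payload; the IP packet on the wire is 28 bytes larger."""
    return payload + IP_HDR + ICMP_HDR

def largest_df_payload(probe, lo=0, hi=ETHERNET_MTU):
    """Binary-search the largest size for which probe(size) succeeds.
    probe(size) -> bool stands in for one 'ping -f -l size' (DF bit set) and
    must be monotonic: if a size passes, every smaller size passes too."""
    best = lo
    while lo <= hi:
        mid = (lo + hi) // 2
        if probe(mid):
            best, lo = mid, mid + 1
        else:
            hi = mid - 1
    return best

def simulated_pppoe_probe(size, path_mtu=pppoe_path_mtu()):
    """Constructed stand-in for a real ping: DF packets above the path MTU are dropped."""
    return mtu_from_ping_payload(size) <= path_mtu

def derive_mss(probe=simulated_pppoe_probe):
    """Return (largest passing payload, path MTU, MSS to configure)."""
    payload = largest_df_payload(probe)
    mtu = mtu_from_ping_payload(payload)
    return payload, mtu, mss_for_mtu(mtu)

if __name__ == "__main__":
    print(derive_mss())  # (1464, 1492, 1452) on a plain PPPoE link
```

Swapping `simulated_pppoe_probe` for a function that runs the real ping command against a host turns this into the manual up/down search HELLFIRE describes.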
cramer
Read the entire thread... a VLAN tag is required on the VDSL interface.
I'll be able to report a bit more soon, and I have tried to date all that has been suggested, but it's still only Google searches that are affected. I see no mention of Google in the commands that appeared after the security audit, but plenty of Yahoo which works as a search engine. Maybe I should strip out all the security lock-down and try it again?
reply to john51
Not that it's overly useful but:
Remove your default route and put this under your dialer:
ppp ipcp route default
FWIW, I'm using the same router with VDSL2 as well, but I'm not using an HWIC (supplied modem).
I have two VLAN's setup, a few IPsec tunnels....etc, so my config is a bit more complex than yours.
Hi, I finally got there, but had to use the classic firewall. But: I tried all combinations of MTU/MSS settings to start with, and tried all the suggestions on those from you folks, but still google search result links refused to open, no other search engines were affected.
I have managed 37 up and 8.5 down bandwidth, but speedtest isn't working well at the moment (might be the firewall!!)
I could probably edit the zone firewall if I knew what I was doing!
Here's the bones of the current config:
interface Null0
 no ip unreachables
!
interface GigabitEthernet0/0
 description $ETH-LAN$$FW_INSIDE$
 ip address 192.168.1.254 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
 no mop enabled
!
!
interface GigabitEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip virtual-reassembly
 ip tcp adjust-mss 1412
 duplex auto
 speed auto
 no mop enabled
!
no routing dynamic
!
interface Ethernet0/0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no mop enabled
!
!
interface Ethernet0/0/0.101
 encapsulation dot1Q 101
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip virtual-reassembly
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Dialer1
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip flow ingress
 ip nat outside
 ip inspect CCP_MEDIUM out
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname bthomehub@btbroadband.com
 ppp chap password 7 00161C13105E
 ppp pap sent-username bthomehub@btbroadband.com password 7 010109114F0E
 ppp ipcp dns request accept
 ppp ipcp route default
 ppp ipcp address accept
 no cdp enable
!
 service-policy input sdmappfwp2p_CCP_MEDIUM
 service-policy output sdmappfwp2p_CCP_MEDIUM
!
ip forward-protocol nd
!
ip http server
ip http access-class 2
no ip http secure-server
!
ip nat inside source list 1 interface Dialer1 overload
!
logging trap debugging
access-list 1 permit any
access-list 2 remark HTTP Access-class list
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 deny any
access-list 100 remark auto generated by CCP firewall configuration
access-list 100 remark CCP_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by CCP firewall configuration
access-list 101 remark CCP_ACL Category=1
access-list 101 permit udp host 194.72.9.38 eq domain any
access-list 101 permit udp host 62.6.40.178 eq domain any
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
!
no cdp run
!
!
!
!
!
control-plane
!
!
!
line con 0
 login authentication local_authen
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 password 7 03035A090A0A70
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler allocate 20000 1000
end
Thanks all, for your help.
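A small config audit for the MSS question raised earlier in the thread, added here as an example (not part of the posted config or anyone's reply): it parses IOS-style interface stanzas and checks each `ip tcp adjust-mss` against the WAN interface's `ip mtu` minus 40 bytes. The sample config is a constructed excerpt modelled on the one above, and 1500 is assumed where an interface has no `ip mtu` line.

```python
import re

# Added example, not part of the posted config: audit every 'ip tcp adjust-mss'
# against the WAN interface's 'ip mtu' minus 40 bytes (20 IPv4 + 20 TCP, assumed).
IP_TCP_HDRS = 40
DEFAULT_IP_MTU = 1500  # assumed for interfaces without an 'ip mtu' line
# Constructed excerpt modelled on the config above (not a verbatim copy).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip tcp adjust-mss 1452
!
interface GigabitEthernet0/1
 ip tcp adjust-mss 1412
!
interface Dialer1
 ip mtu 1492
 ip tcp adjust-mss 1452
!
"""

def parse_interfaces(config):
    """Map each interface stanza to its 'ip mtu' and 'ip tcp adjust-mss' values."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("!"):  # '!' closes the current stanza
            current = None
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = {"mtu": None, "mss": None}
        if m or current is None:
            continue
        for key, pattern in (("mtu", r"\s+ip mtu (\d+)$"), ("mss", r"\s+ip tcp adjust-mss (\d+)$")):
            m = re.match(pattern, line)
            if m:
                interfaces[current][key] = int(m.group(1))
    return interfaces

def check_mss(config, wan="Dialer1"):
    """Return (expected MSS, findings); findings lists clamps that differ from it."""
    interfaces = parse_interfaces(config)
    wan_mtu = interfaces[wan]["mtu"] or DEFAULT_IP_MTU
    expected = wan_mtu - IP_TCP_HDRS
    findings = []
    for name, attrs in interfaces.items():
        if attrs["mss"] is not None and attrs["mss"] != expected:
            findings.append(f"{name}: adjust-mss {attrs['mss']}, expected {expected}")
    return expected, findings
```

On the sample this reports only GigabitEthernet0/1, whose 1412 clamp is lower than the 1452 the Dialer's 1492-byte MTU allows.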
reply to john51
Can you share the lines of config that have "ip inspect" in them. I can take a quick boo at it. For ZBFW, I'd check the FAQ, or some of the more experienced members of the board may be able to help.
Regards
said by HELLFIRE:
    Can you share the lines of config that have "ip inspect" in them. I can take a quick boo at it. For ZBFW, I'd check the FAQ, or some of the more experienced members of the board may be able to help.
    Regards
Here you go:

no ip dhcp conflict logging
ip dhcp excluded-address 192.168.1.254
!
ip dhcp pool 0
 import all
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.254
 dns-server 62.6.40.178 194.72.9.38
!
!
no ip bootp server
ip name-server 62.6.40.178
ip name-server 194.72.9.38
ip inspect log drop-pkt
ip inspect name CCP_MEDIUM appfw CCP_MEDIUM
ip inspect name CCP_MEDIUM cuseeme
ip inspect name CCP_MEDIUM dns
ip inspect name CCP_MEDIUM h323
ip inspect name CCP_MEDIUM sip
ip inspect name CCP_MEDIUM https
ip inspect name CCP_MEDIUM icmp
ip inspect name CCP_MEDIUM imap reset
ip inspect name CCP_MEDIUM netshow
ip inspect name CCP_MEDIUM rcmd
ip inspect name CCP_MEDIUM realaudio
ip inspect name CCP_MEDIUM rtsp
ip inspect name CCP_MEDIUM esmtp
ip inspect name CCP_MEDIUM sqlnet
ip inspect name CCP_MEDIUM streamworks
ip inspect name CCP_MEDIUM tftp
ip inspect name CCP_MEDIUM tcp
ip inspect name CCP_MEDIUM udp
ip inspect name CCP_MEDIUM vdolive
ip inspect name CCP_MEDIUM pop3 secure-login
ip inspect name CCP_MEDIUM ftps
ip inspect name CCP_MEDIUM kermit
ip inspect name CCP_MEDIUM uucp
ip inspect name CCP_MEDIUM nfs
!

Thanks for your interest. Can anybody think of any reason why email attachments (mediaplayer) from a camera of about 30 megs would not send? I don't think they were a problem before.
Regards.
reply to john51
I'd probably use this config as a guide for classic firewall config.
I've also customized my config options as follows
ip inspect log drop-pkt
ip inspect udp idle-time 15
ip inspect hashtable-size 8192
ip inspect dns-timeout 2
ip inspect tcp idle-time 1800
ip inspect tcp finwait-time 1
ip inspect tcp synwait-time 15
ip inspect tcp block-non-session
ip inspect tcp max-incomplete host 25 block-time 120
ip inspect tcp reassembly timeout 2
ip inspect tcp reassembly alarm on
Regards
Thanks! I've copied the pdf version as well as yours. Ignore the bit about the videos and email, I think they are just too big.
Regards,
TomS_ | reply to john51
I would try removing the firewall config and ACL from your dialer and LAN interfaces and see what happens - first step when troubleshooting these kinds of issues. And you don't really need them, it's just adding complexity where it isn't necessary.
Once you remove them, do your connectivity and speed tests again, and compare the results. Then enable one, and re-do your tests and compare. Lather, rinse, repeat, until you work out which one is causing the issues. Then work on working out why and how to fix it.
skj (Moderator Action, topic move) | [Config] Cisco 1921 and HWIC-1VDSL
The post that was here (and all 1 followups to it) has been moved to a new topic: [Config] Setup Cisco 877 to work with Bt Infinity