Upgrade VDSL modem firmware on a Cisco 880 Series Router

Firstly transfer the new firmware to your router’s flash memory using tftp. Next enter config mode and type:

router(config)# controller vdsl 0

Then type the following command at the prompt, where YOUR_FIRMWARE is the name of the firmware file that you transferred to flash e.g. vdsl.bin-A2pv6C035d_d23j which is the recommended firmware for BT ADSL in the UK.

router(config-controller)# firmware filename flash:YOUR_FIRMWARE

Refs:

Cisco BT xDSL Product Bulletin

A2pv6C035d_d23j Firmware Release Notes

 

Upgrade flash memory in a Cisco 877 Router

Undo the 2 screws on the back on the router as shown:

Opening the case of a Cisco 877 Router

 

Then undo the 3 screws securing the protective metal case beneath:

Accessing the flash and RAM slots in a Cisco 877 router

 

Swap the flash memory for the new larger bit:

Swapping the flash memory

 

Replace the case, plug in the power, connect the router to your computer using a console cable, and then power it on.

Fire up hyperterm or some similar program and connect to the router. It may complain about an inconsistent sector list in flashfs on boot up, and will also tell you that there is no bootable IOS image file in the flash memory. Once you are at the ROMMON prompt issue the following command:

format flash:

click ‘y’ and press enter to confirm the format operation

Once the format is complete, connect a LAN patch lead from you computer to the router. Assign an IP address to the LAN adapter of your computer such as 192.168.1.1/24. Fire up a bit of TFTP server software on your computer, such as Cisco TFTP server, or Solarwinds TFTP server

At the rommon prompt type the following,  making sure you assign an IP address to the router that is in the same subnet as the IP that you assigned your computer, e.g.

IP_ADDRESS=192.168.1.254

then assign a subnet mask:

IP_SUBNET_MASK=255.255.255.0

then a default gateway:

DEFAULT_GATEWAY=192.168.1.254

then a TFTP server (i.e. the IP address you assigned your computer’s LAN adapter):

TFTP_SERVER=192.168.1.1

and finally the filename of the IOS image that you want to transfer back on to your router

TFTP_FILE=c870-advsecurityk9-mz.124-15.T12.bin

If you want to review the variables that you have set above any time just type:

set

Next issue the tftpdnld command to copy the IOS image to the flash memory of your router using tftp:

tftpdnld

Click ‘y’ to continue. This will take a few minutes. After that reboot the router and you’re done:

reset

 

 

 

Allow telnet, SSH, or HTTPS remote management on a Cisco 800 series using a Zone Based Firewall

I have recently installed some Cisco 877 routers at some of our branch offices, and wanted to allow remote management of these devices from the LAN at our central location over the VPN. With the Zone based firewall enabled there is no access allowed to the ‘Self’ zone from remote locations by default, as you would expect. This process is pretty straightforward when you are using Cisco PIX or ASA firewalls as you can use the management-access inside command, and then easily define which subnets you want to be able to access which remote management tools. There is no equivalent command when using an IOS router, so you need to configure the appropriate access list, class map, and policy map

In this example the site to site VPN is already configured as is the zone based firewall which was configured by SDM. The following subnets are defined for the LANs at each location:

192.168.1.0/24 – This is the head office LAN subnet which I want to allow access to the remote router over the VPN tunnel

192.168.2.0/24 – This is the branch office LAN subnet which is attached to the Cisco 877

The ip address of the 877 router at the branch office is:

192.168.2.254

Firstly, create an access list to define which services you want to allow access to, from the head office subnet:

router(config)# ip access-list extended remote-manage

router(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.254 eq 22

This allows SSH access from the 192.168.1.0/24 subnet to the router

router(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.254 eq telnet

This allows telnet access from the 192.168.1.0/24 subnet to the router

router(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.254 eq 443

This allows HTTPS access from the 192.168.1.0/24 subnet to the router

Next, create the following class maps:

router(config)# class-map type inspect match-any remote-manage

router(config-cmap)# match access-group name remote-manage

router(config)# class-map type inspect match-any router-access

router(config-cmap)# match class-map remote-manage

Finally, add this policy map

router(config)# policy-map type inspect sdm-permit

router(config-pmap)#class type inspect router-access

router(config-pmap-c)# inspect

You should now be able to telnet, SSH and use SDM to access the router from the head office subnet. If you need to allow any other subnets or hosts to access the router remotely simply add them to the access-list you created earlier. It could be that you want to allow SSH access to the external Internet facing IP of the router which you could do by adding the following (where X.X.X.X is the external IP of the router):

router(config)# ip access-list extended remote-manage

router(config-ext-nacl)# permit tcp any host X.X.X.X eq 22

This would allow any Internet host to access the external IP of the router using SSH, although it would be preferable to lock this down to specific IP addresses or subnets that you already own.

Upgrading the adsl modem firmware on Cisco 877W router

In order to ensure compatibility and stability with your ISPs equipment in the exchange, it is at times necessary to upgrade the adsl modem firmware on your Cisco router. Download the appropriate firmware for your router (in this case a Cisco 877W). It is essential you get the correct version so take care to make sure you have the correct one. Some older updates can be found here:

ftp://ftp.cisco.com/pub/access/800/

You will need a Cisco Smartnet subscription to get the latest firmware.

Once you have downloaded the firmware (in this case adsl_alc_20190_4.0.018.bin), you need to rename the file to adsl_alc_20190.bin

Telnet into your router and check the current firmware version by running the command:

show dsl interface

From the output of the command you can see under the ‘Operation FW’ section it shows the current firmware file and version, and also that under the ‘FW Source’ it shows the location as embedded.

Next we need to copy the new firmware file to the flash memory on the router using tftp. You can use the Cisco tftp server software to do this. or alternatively download Solarwinds free tftp server software.

Place the firmware file you renamed earlier into the tftp servers root directory and then issue the following command on your router:

copy tftp flash 

fill in the ip address for your tftp server and the source and destination filename adsl_alc_20190.bin

issue the reload command to restart your router:

reload

Once your router is back up telnet into it again and run the following command again to see the result:

show dsl interface

As you can see the ‘Operation FW’ now shows the new firmware version, and the ‘FW Source’ as external. If for any reason you have a problem with the updated firmware, you can easily roll back to the embedded version by deleting the adsl_alc_20190.bin from the routers flash memory.

This can be done by issuing the following command:

delete adsl_alc_20190.bin

When asked to confirm the file deletion just press ‘Enter’