Real Life Cisco 877 ADSL, VPN & Wireless Configurations

Discussion in 'General Cisco Certifications' started by craigie, Jul 24, 2010.

  1. craigie

    I have been really busy work wise recently and have seen that more and more people have been taking their ICND1 and ICND2 exams recently.

    One of the things I found hardest when transitioning my knowledge of the CCNA to the practical implementation was the following:

    - ADSL setup
    - Wireless Configuration
    - VPN Configuration
    - Access Lists

    Therefore, I have taken a bit of time out to put together a couple of real world configurations that I have installed recently. There is a step by step explanation of the most poignant parts, with my notes being in red.

    Cisco 877 ADSL Wireless Router

    This is installed in a Branch Office, the customer uses a Hosted Mail Service, but the same configuration would apply if you use a Smart Host in an Exchange environment.

    I separate out the LAN and Wireless LAN and create VLANs for the traffic so if needed in the future, I can apply more granular control.

    Current configuration : 7020 bytes
    !
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname <Cisco 877 Wireless>
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200 warnings
    no logging console
    enable secret 5 $1$.Nun$TtKIksU7V2hyGOhLAPfEI0
    !
    aaa new-model
    !
    !
    !
    !
    aaa session-id common
    !
    crypto pki trustpoint TP-self-signed-561390702
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-561390702
    revocation-check none
    rsakeypair TP-self-signed-561390702
    !
    !
    crypto pki certificate chain TP-self-signed-561390702
    certificate self-signed 01
    quit
    dot11 syslog
    dot11 vlan-name WLAN vlan 2
    !

    Assign SSID, specify the VLAN for the SSID to work on. Authentication open means we are allowing any device to connect (not applying any MAC address filtering), guest mode means that the SSID is being broadcast.

    dot11 ssid <SSID Name>
    vlan 2
    authentication open
    authentication key-management wpa
    guest-mode
    wpa-psk ascii 7 <Pre Shared Key>
    !
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.1.1 192.168.1.2
    ip dhcp excluded-address 192.168.1.121 192.168.1.254
    ip dhcp excluded-address 192.168.0.1 192.168.0.2
    ip dhcp excluded-address 192.168.0.121 192.168.0.254
    !

    Separated out the LAN and Wireless LAN’s DHCP Scope

    ip dhcp pool lan_dhcp
    network 192.168.0.0 255.255.255.0
    dns-server 208.67.222.222 208.67.220.220
    default-router 192.168.0.1
    !
    ip dhcp pool wlan_dhcp
    network 192.168.1.0 255.255.255.0
    dns-server 208.67.222.222 208.67.222.222
    default-router 192.168.1.1
    !
    !
    no ip domain lookup
    ip domain name <Domain Name>
    ip name-server 208.67.222.222
    ip name-server 208.67.220.220
    !
    !
    !
    username admin privilege 15 secret 5 $1$sZ7F$CfLyee9odpCviBecKFBcw.
    !
    !
    archive
    log config
    hidekeys
    !
    !
    !
    !
    !

    ADSL Settings

    interface ATM0
    no ip address
    atm vc-per-vp 64
    no atm ilmi-keepalive
    pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    dsl operating-mode auto
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !

    Using WPA Wireless Encryption method, specifying which VLAN it is for.

    interface Dot11Radio0
    no ip address
    !
    encryption vlan 2 mode ciphers tkip
    !
    ssid <SSID Name>
    !
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    station-role root
    !

    Sub Wireless Interface, with Access List LANTraffic being applied and this is also the inside for NAT

    interface Dot11Radio0.2
    description WLAN
    encapsulation dot1Q 2
    ip address 192.168.1.1 255.255.255.0
    ip access-group LANTraffic in
    ip nat inside

    ip virtual-reassembly
    no cdp enable
    !

    Ethernet Interfaces, with Access List LANTraffic being applied and this is also the inside for NAT

    interface Vlan1
    description LAN
    ip address 192.168.0.1 255.255.255.0
    ip access-group LANTraffic in
    ip nat inside

    ip virtual-reassembly
    ip tcp adjust-mss 1452
    !

    External Interface, with Access List outside-in being applied, also the outside for NAT and this is where you can specify a fixed public IP address.

    interface Dialer1
    ip address negotiated
    ip access-group outside-in in
    ip nat outside

    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    dialer idle-timeout 0
    dialer persistent
    dialer-group 1
    no cdp enable
    ppp authentication pap chap callin
    ppp chap hostname <Broadband User Name>
    ppp chap password 7 <Broadband Password>
    !
    ip forward-protocol nd

    Sends all traffic out the External Interface

    ip route 0.0.0.0 0.0.0.0 Dialer1
    !

    I turn off the GUI interfaces (come on, this is Cisco!)

    no ip http server
    no ip http secure-server

    Access List NAT is being overloaded on the Dialer 1 (external IP Address) to allow one to many connections from the internal LAN to the internet.

    ip nat inside source list NAT interface Dialer1 overload

    The client only has one Public IP Address; due to this we have to specify the individual Port Numbers as well, as we are NATing to more than one internal IP Address. If I can, I always create a one to one NAT rule then apply an Access List to the Outside Interface to control traffic flow.

    ip nat inside source static tcp 192.168.0.13 5633 <Public IP Address> 5633 extendable
    ip nat inside source static udp 192.168.0.13 5633 <Public IP Address> 5633 extendable
    ip nat inside source static tcp 192.168.0.13 5634 <Public IP Address> 5634 extendable
    ip nat inside source static udp 192.168.0.13 5634 <Public IP Address> 5634 extendable
    ip nat inside source static tcp 192.168.0.115 5800 <Public IP Address> 5800 extendable
    ip nat inside source static tcp 192.168.0.115 5900 <Public IP Address> 5900 extendable
    !

    This Access List controls what LAN traffic is allowed out externally. SMTP, POP3 and IMAP4 are locked down to specific Public IP Address, this is so that if a PC on the internal network gets a malware/virus infection the Public IP Address won’t get blacklisted and the customer’s mail flow won’t be affected. Normally I would only allow the Exchange Server IP Address(s) out, but this is a Hosted Mail Solution so the whole W/LAN needs access.

    ip access-list extended LANTraffic
    permit tcp 192.168.0.0 0.0.0.255 host <Public IP Address> eq smtp
    permit tcp 192.168.1.0 0.0.0.255 host <Public IP Address> eq smtp
    permit tcp 192.168.0.0 0.0.0.255 host <Public IP Address> eq smtp
    permit tcp 192.168.1.0 0.0.0.255 host <Public IP Address> eq smtp
    permit tcp 192.168.0.0 0.0.0.255 host <Public IP Address> eq smtp
    permit tcp 192.168.1.0 0.0.0.255 host <Public IP Address> eq smtp
    permit tcp 192.168.0.0 0.0.0.255 host <Public IP Address> eq pop3
    permit tcp 192.168.1.0 0.0.0.255 host <Public IP Address> eq pop3
    permit tcp 192.168.0.0 0.0.0.255 host <Public IP Address> eq pop3
    permit tcp 192.168.1.0 0.0.0.255 host <Public IP Address> eq pop3
    permit tcp 192.168.0.0 0.0.0.255 host <Public IP Address> eq pop3
    permit tcp 192.168.1.0 0.0.0.255 host <Public IP Address> eq pop3
    permit tcp 192.168.0.0 0.0.0.255 host <Public IP Address> eq 143
    permit tcp 192.168.1.0 0.0.0.255 host <Public IP Address> eq 143
    permit tcp 192.168.0.0 0.0.0.255 host <Public IP Address> eq 143
    permit tcp 192.168.1.0 0.0.0.255 host <Public IP Address> eq 143
    permit tcp 192.168.0.0 0.0.0.255 host <Public IP Address> eq 143
    permit tcp 192.168.1.0 0.0.0.255 host <Public IP Address> eq 143
    deny tcp any any eq smtp
    deny tcp any any eq pop3
    deny tcp any any eq 143

    This part of the Access List states that only traffic generated from the internal LAN may be allowed back in again, which helps prevent rogue access and spoofing.

    permit ip 192.168.0.0 0.0.0.255 any reflect tcptraffic
    permit ip 192.168.1.0 0.0.0.255 any reflect tcptraffic
    evaluate tcptraffic

    This Access List is stating which LAN IP Addresses are allowed to be NAT’d

    ip access-list extended NAT
    permit ip 192.168.0.0 0.0.0.255 any
    permit ip 192.168.1.0 0.0.0.255 any

    This Access List tells traffic coming in from the internet where to go for certain ports.

    ip access-list extended outside-in
    permit icmp any any
    permit tcp any eq 5633 host 192.168.0.13 eq 5633
    permit udp any eq 5633 host 192.168.0.13 eq 5633
    permit tcp any eq 5634 host 192.168.0.13 eq 5634
    permit udp any eq 5634 host 192.168.0.13 eq 5634
    permit tcp any eq 5800 host 192.168.0.115 eq 5800
    permit tcp any eq 5900 host 192.168.0.115 eq 5900
    permit ip any any
    !
    no cdp run
    !
    !
    !
    control-plane
    !
    banner motd ^C##### No Unauthorised Access #####^C
    !
    line con 0
    no modem enable
    line aux 0
    line vty 0 4
    privilege level 15
    password 7 <Password>
    transport input ssh
    !
    scheduler max-task-time 5000
    end
     
    Last edited: Jul 24, 2010
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  2. craigie

    Cisco 877 ADSL Router Site To Site VPN

    This is installed in a Branch Office, the customer has a Site to Site VPN configured to the two external Public IP Addresses (different circuits) so that if Head Office have a failure, this router will automatically failover and use the alternate Public IP Address for the Site to Site VPN.

    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname <Cisco 877>
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200 warnings
    enable secret 5 $1$aJSt$TX8X459MR/fl60d9aQi1N1
    !
    aaa new-model
    !
    !
    !
    !
    aaa session-id common
    !
    crypto pki trustpoint TP-self-signed-2197863876
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-2197863876
    revocation-check none
    rsakeypair TP-self-signed-2197863876
    !
    !
    crypto pki certificate chain TP-self-signed-2197863876
    certificate self-signed 01
    quit
    dot11 syslog
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 10.29.8.1 10.29.8.99
    ip dhcp excluded-address 10.29.8.10
    !
    ip dhcp pool dhcppool
    import all
    network 10.29.8.0 255.255.255.0
    default-router 10.29.8.10
    dns-server 10.29.0.3 10.29.0.201
    update arp
    !
    !
    no ip domain lookup
    ip domain name <Domain Name>
    !
    !
    !
    username admin privilege 15 secret 5 $1$SGdn$ptsJdg2BBECP1zKN1ZGlD1
    !
    !

    This is where we specify the Transform Set (ISAKMP Policy), specifying Phase 1 (which is DES, as they have a poor internet connection and we need to reduce payload for the VPN) and Phase 2 (which is MD5), that we are using a Pre Shared Key and what the Public IP Addresses are that we are connecting to.

    crypto isakmp policy 10
    hash md5
    authentication pre-share
    group 2
    crypto isakmp key <Pre Shared Key> address <Public IP Address> no-xauth
    crypto isakmp key <Pre Shared Key> address <Public IP Address> no-xauth
    !
    !
    crypto ipsec transform-set <Transform Set Name> esp-des esp-md5-hmac
    !
    crypto map <Map Name> 10 ipsec-isakmp
    set peer <Public IP Address>
    set peer <Public IP Address>
    set transform-set <Transform Set Name>

    This tells the Crypto Map which Access List to use when sending traffic over the VPN

    match address newcastlevpn
    !
    archive
    log config
    hidekeys
    !
    !
    !
    !
    !

    ADSL Settings

    interface ATM0
    no ip address
    no ip mroute-cache
    no atm ilmi-keepalive
    pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    dsl operating-mode auto
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !

    Ethernet Interfaces, with Access List LANTraffic being applied and this is also the inside for NAT

    interface Vlan1
    ip address 10.29.8.10 255.255.255.0
    ip access-group lantraffic in
    ip nat inside

    ip virtual-reassembly
    ip tcp adjust-mss 1452
    hold-queue 100 out
    !

    External Interface, with Access List outside-in being applied, also the outside for NAT and this is where I have a fixed public IP address.

    You need to specify the Crypto Map name so that External Interface knows that it can accept VPN connections.

    interface Dialer0
    ip address <Public IP Address> 255.255.255.252
    ip access-group outside-in in
    ip nat outside

    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    dialer idle-timeout 0
    dialer persistent
    dialer-group 1
    no cdp enable
    ppp authentication chap callin
    ppp chap hostname <Broadband User Name>
    ppp chap password 7 <Broadband Password>
    crypto map <Map Name>
    !
    ip forward-protocol nd

    Sends all traffic out the External Interface

    ip route 0.0.0.0 0.0.0.0 Dialer0
    !

    I turn off the GUI interfaces (come on, this is Cisco!)

    no ip http server
    no ip http secure-server


    Access List NAT is being overloaded on the Dialer 1 (external IP Address) to allow one to many connections from the internal LAN to the internet.

    Also this is where we tell the Access List NAT not to NAT any traffic from our LAN to the external LAN.


    ip nat inside source list NAT interface Dialer0 overload
    !
    ip access-list extended NAT
    deny ip 10.29.8.0 0.0.0.255 10.29.0.0 0.0.0.255
    permit ip 10.29.8.0 0.0.0.255 any

    This part of the Access List states that only traffic generated from the internal LAN may be allowed back in again, which helps prevent rogue access and spoofing.

    ip access-list extended lantraffic
    permit ip 10.29.8.0 0.0.0.255 any reflect tcptraffic
    evaluate tcptraffic

    This Access List tells the Crypto Map which traffic to pass over the Site to Site VPN Tunnel

    ip access-list extended newcastlevpn
    permit ip 10.29.8.0 0.0.0.255 10.29.0.0 0.0.0.255

    This Access List specifies which traffic is allowed in the External Interface.

    ip access-list extended outside-in
    permit icmp any any
    permit ip 10.29.0.0 0.0.0.255 10.29.8.0 0.0.0.255
    permit ip 10.29.8.0 0.0.0.255 any
    permit ip any any
    !
    no cdp run
    !
    !
    !
    control-plane
    !
    !
    line con 0
    no modem enable
    line aux 0
    line vty 0 4
    privilege level 15
    password 7 <Password>
    transport input ssh
    !
    scheduler max-task-time 5000
    end
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
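
An added example, not part of craigie's posts or configs: a small Python auditor for named extended ACLs like the ones in both configurations above. It applies IOS first-match evaluation to show which `outside-in` entry decides an inbound packet, and checks that every crypto-ACL permit (`newcastlevpn`) is denied in the `NAT` ACL before any entry that would translate it. The sample mixes ACL lines from the two configs, the test addresses are constructed stand-ins, and the NAT check compares addresses only.

```python
import ipaddress
from collections import namedtuple

# Constructed sample: ACL lines copied from the two configs in this thread.
SAMPLE = """\
ip access-list extended NAT
 deny ip 10.29.8.0 0.0.0.255 10.29.0.0 0.0.0.255
 permit ip 10.29.8.0 0.0.0.255 any
ip access-list extended newcastlevpn
 permit ip 10.29.8.0 0.0.0.255 10.29.0.0 0.0.0.255
ip access-list extended outside-in
 permit icmp any any
 permit tcp any eq 5900 host 192.168.0.115 eq 5900
 permit ip any any
!
"""

Ace = namedtuple("Ace", "text action proto src sport dst dport")

def ip2int(addr):
    return int(ipaddress.IPv4Address(addr))

def _addr(tok):
    """Consume one address spec; return (base, wildcard) as integers."""
    t = tok.pop(0)
    if t == "any":
        return (0, 0xFFFFFFFF)
    if t == "host":
        return (ip2int(tok.pop(0)), 0)
    return (ip2int(t), ip2int(tok.pop(0)))

def _port(tok):
    """Consume an optional 'eq <number>' qualifier (numeric ports only)."""
    if tok[:1] == ["eq"]:
        del tok[0]
        return int(tok.pop(0))
    return None

def parse_acls(config):
    """Return {name: [Ace, ...]} for every named extended ACL in the text."""
    acls, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        tok = line.split()
        if line.startswith("ip access-list extended "):
            current = acls.setdefault(tok[3], [])
        elif current is not None and tok and tok[0] in ("permit", "deny"):
            action, proto = tok.pop(0), tok.pop(0)
            src, sport = _addr(tok), _port(tok)
            dst, dport = _addr(tok), _port(tok)
            current.append(Ace(line, action, proto, src, sport, dst, dport))
        elif tok and tok[0] != "evaluate":
            current = None          # any other command ends the ACL block
    return acls

def _hit(spec, addr):
    """True if addr matches a (base, wildcard) spec."""
    return (ip2int(addr) | spec[1]) == (spec[0] | spec[1])

def first_match(acl, proto, src, dst, sport=None, dport=None):
    """Return the first entry matching the packet, or None (implicit deny)."""
    for ace in acl:
        if (ace.proto in ("ip", proto)
                and _hit(ace.src, src) and _hit(ace.dst, dst)
                and ace.sport in (None, sport) and ace.dport in (None, dport)):
            return ace
    return None

def _covers(a, b):      # spec a matches every address that spec b matches
    return (b[1] & ~a[1]) == 0 and (a[0] | a[1]) == (b[0] | a[1])

def _overlaps(a, b):    # specs a and b share at least one address
    return ((a[0] ^ b[0]) & ~(a[1] | b[1])) == 0

def nat_exemption_gaps(nat_acl, crypto_acl):
    """Crypto-ACL permits that the NAT ACL would translate (addresses only)."""
    gaps = []
    for c in (e for e in crypto_acl if e.action == "permit"):
        for n in nat_acl:
            if _overlaps(n.src, c.src) and _overlaps(n.dst, c.dst):
                exempt = (n.action == "deny"
                          and _covers(n.src, c.src) and _covers(n.dst, c.dst))
                if not exempt:
                    gaps.append(c.text)
                break                  # first overlapping NAT entry decides
    return gaps

if __name__ == "__main__":
    acls = parse_acls(SAMPLE)
    # The inbound ACL runs before NAT, so dst is the public address (stand-in).
    for dport in (5900, 8080):
        hit = first_match(acls["outside-in"], "tcp", "203.0.113.50",
                          "198.51.100.10", sport=49152, dport=dport)
        print(dport, "->", hit.text if hit else "implicit deny")
    print("NAT gaps:", nat_exemption_gaps(acls["NAT"], acls["newcastlevpn"]))
```
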
  3. BrizoH

    Thanks Craigie, great guide - a while back I attempted to replace one of our 837's with an 877 but for the life of me I couldn't get the VPN tunnel working.

    I'll compare with your config next week and hopefully find out where I was going wrong
     
    Certifications: CCNA, CCNA Security
    WIP: CCNP
  4. craigie

    How did you get on mate?
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  5. BrizoH

    Sorry bud I still haven't managed to get round to it due to a few other problems taking priority - if not tomorrow I'll try early next week and let you know how I get on.

    Cheers
     
    Certifications: CCNA, CCNA Security
    WIP: CCNP
  6. cyberdog

    Hi Craigie,

    Do you have a basic config for an 877W that will just get me connected to my service provider (B.T.Broadband) and the internet? Just to get me started. I can then look into other possibilities with this router.:oops::oops:
     
  7. m1979

    It really pisses me off in CCNA, that they teach you 'real world' things, but forget, that CCNA in 99% will work with 800 series routers...

    Configuration of these devices is a part of CCNP. So stupid! Is it really more important to know how to configure frame relay? don't think so...

    Take a look here
    http://certforums.com/forums/showthread.php?t=19952

    or use google...
     
  8. BosonMichael
    Uh... what? Not sure what is the point you're trying to make here...

    Umm... yes, it IS important... particularly so if you are working with Frame Relay in your real-world job. :rolleyes: Just because YOU have never worked with it doesn't mean that others do not.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  9. danielno8

    I think the point he is trying to make is that he thinks more CCNA students will come across configuring an 800 series router than configuring Frame Relay.
     
    Certifications: CCENT, CCNA
    WIP: CCNP
  10. BosonMichael
    Ooookay... so configure an 800-series router. I don't understand why that would be a problem... they work pretty much the same as every other router Cisco has. :blink
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  11. m1979


    Ahahahahaa... come on... Have you seen at least one 8xx Cisco router? This is a layer2+layer3 device, usually with a wireless built-in. It requires much more configuration and is applied in a different way than they teach in CCNA...

    My point is: I understand, that Frame Relay is important. The same is with going through all details of OSI model... great... but after that you arrive on site as a CCNA, they give you 800 series router (as it is a device for SMALL companies, so should not require a lot of configuration and knowledge) and.... CCNA guy has no idea how to configure it to make it work! On CCNA they do not even mention (!!!!!!!!!!!!!) about xDSL interfaces and how to configure 800 series devices...

    In my opinion it's stupid
     
  12. BosonMichael
    Yes, in fact, I have... and it's really not that much different. Not if you've worked with Cisco devices.

    If you want to learn how to configure wireless, that's what the CCNA Wireless is for.

    So you scoff at old technologies like Frame Relay, and yet you bring up xDSL? :biggrin ahahahahahhahah!

    I stand behind my previous point: configuring an 800-series router is not that much different.

    You say "they give you 800 series router". Okay... YOU might have gotten an 800-series router... but you cannot assume that EVERYONE uses them. They don't... most companies use what they have.

    Then don't certify. Cisco obviously feels that it's not that important to teach the specifics of THAT particular router model.
     
    Last edited: Aug 23, 2010
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  13. Sparky
    Well why not learn how to configure a 800 series router? Don't see what the big fuss is here. :blink
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  14. jonny7_2002

    From what I have seen along my Cisco studies, Cisco don't want to put their eggs all in one basket......
    If they put all of the "popular" topics in the CCNA and missed out some of the fundamentals then the market would get flooded with "paper" CCNAs and it would take the value of the qualification away as they would not know half as much as a CCNA does with the current topics and not many people would go on to do the CCNP either!!

    Although I found it frustrating that some topics were not covered in the CCNA (DSL, Full VPN Config etc) I got on with my studies and BEFORE I got to site, when they sent me to install an 877, I read up on it and played around with the config in my spare time which then enabled me to configure it properly and NOT look like a "CCNA who doesn't know what he's doing"! :D

    The 8xx routers are really not that much different to the ones mentioned in the CCNA!!

    I am now studying the route exam for my CCNP which is keeping me busy and most importantly... Interested! Unlike lower level Microsoft qualifications, the Cisco qualifications actually feel like they have a bit of substance behind them and if they were any different I think it would be a crying shame!!!! :cry:

    Thanks for listening to my early morning Rant! 8)
    Jon
     
    Last edited: Aug 24, 2010
    Certifications: CCNA R&S, CCNP R&S, CCDA, CCNA Voice, CCNA Wireless & CCNA Security
    WIP: CCIE V5 (when its out)
  15. m1979

    Ok... will not argue..

    Too late, I am CCNA already ;-)

    But my point is that Cisco created 800 series routers for small/medium size companies and does not prepare to configure them! Do you have to get CCNP to learn it? I will still say, that 8xx routers are very popular and if Cisco decided to introduce these topics into CCNA, it would be very good!

    I know that CCNA prepares very well for general networking, but... well... you know a lot about everything, but you are not able to configure a SMALL OFFICE router??? And pls don't tell me that after CCNA you can do it... you can, but will spend a lot of time inside Cisco docs and online trying to figure out what the hell ATM interface is.

    I prefer MS way: if you are MCSA you know to configure a server for SMALL office, MCSE - big office.

    After CCNA - you know a little about everything, but the truth is that NO ONE will allow u to configure FR or OSPF if u are CCNA only, so I would prefer to get some xDSL knowledge instead of details of DR & BDR of OSPF... which I will never ever have a chance to use in a real life as CCNA
     
    Last edited: Aug 25, 2010
  16. ThomasMc

    I can't help but lol at this thread.
     
    Certifications: MCDST|FtOCC
    WIP: MCSA(70-270|70-290|70-291)
  17. BosonMichael
    How so? Do you not learn how to configure an interface with an IP address? Do you not learn how to configure static routing? RIP? OSPF? EIGRP? Do you not learn how to ping, trace, telnet, SSH? Do you not learn about how to configure ACLs, NAT, DNS, and DHCP? Of course you do.

    But, for the record, Cisco says that the CCNA is for people who work in medium-sized networks... not little-bitty networks. Per their site:

    Cisco Certified Network Associate (CCNA®) validates the ability to install, configure, operate, and troubleshoot medium-size route and switched networks, including implementation and verification of connections to remote sites in a WAN.

    No... the CCNP deals with larger networks, not smaller.

    To learn how to configure an 800-series router, you have pretty much everything you need - and then some! - with the CCNA. Those things that they don't teach you, you can learn on your own, or get them in another course. For example, if you want to learn how to configure wireless, perhaps the CCNA Wireless exam would be helpful.

    But... they already do. :blink It's quite obvious you're on a rant and not listening to what we're saying...

    Absolutely you can do it! Or, at least, you should be able to do it. If you are not, you need to revisit your study methods.

    If you don't know what an ATM interface is, you didn't study hard enough... it's on pages 525-527 of the CCENT/ICND1 book by Cisco Press... right next to all the DSL (pp. 519-523) stuff you're whining about. :rolleyes:

    Umm... that's not "MS way". If you have a small office, you don't really need the MCSA. The MCSA is designed for people with 6 months of experience in a multi-server, multi-site, 250+ user environment. That's not "small".

    Someone has filled your head with a lot of misinformation, and that's unfortunate.

    I disagree. Few companies will allow you to configure FR or OSPF if you are CCNA with no experience whatsoever... but if you have the CCNA and experience, they'll certainly allow you to do so. I was allowed to, and I'm sure others on here were as well.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  18. m1979

    Ok I think this is the problem... Cisco advertises all certificates to be 'real world', so I would expect to put FULL small business router in CCNA!!!

    Well... take a better look at CCNP and you will see, that they teach you in CCNP track how to configure xDSL routers... not in CCNA !

    You were very lucky... 99% would not allow to do it


    And remember: we are talking about a CCNA person, not like you with 100 other certs, you have already forgotten how it is to be a fresh CCNA??? I remember and I saw that they had not prepared me to work in a real world ;-)
     
    Last edited: Aug 25, 2010
  19. Sparky
    Nothing prepares you, hence why most members here always promote real world experience as well as IT certification.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  20. BosonMichael
    ^^ This. Nothing truly prepares you for "real world" but the "real world".

    That said... the CCNA contains more than enough for you to configure the 800-series router... assuming you're not just using the GUI-based configuration tool... which, if you're using that, you're already starting out the wrong way.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
