Baby jumbo frames on VDSL by XS4ALL

Last week I acquired a new modem because the old one supplied by the provider was acting strange and I wanted it. The new modem is a Cisco 887VA router equipped with a VDSL2/ADSL2+ interface so that it could replace the previous Fritz!box. A day after I had finished the setup I noticed some unusual things which eventually led to the conclusion that packet fragmentation was occurring. In my search for an answer I learned that the Point-to-Point protocol (PPP) needs 8 bits which need to be subtracted from the default MTU of 1500. So configuring an MTU size of 1492 for the Dialer0 interface and altering the max segment size ‘ip tcp adjust-mss 1452’ on the internal VLAN interface did the trick.

But then I stumbled upon a service page of my provider stating (translated from Dutch):

RFC4638 is supported on our network. This means that as a customer you can use an MTU of 1500 if your router supports RFC4638.

So it’s possible to use an MTU size of 1500 if the router is able to do so. In the past I have played with an MTU size of 9000 (called Jumbo frames), so 1512 is a baby.

It took some time to figure out how, but I eventually came up with the following:

interface Ethernet0
 mtu 1512
 no ip address
interface Ethernet0.6
 encapsulation dot1Q 6
 pppoe enable group global
 pppoe-client dial-pool-number 1
 pppoe-client ppp-max-payload 1500
interface Dialer0
 no mtu 1492
interface Vlan2
 no ip tcp adjust-mss 1452

To follow the PPP negotiation process, execute the following (in enable mode):

debug ppp negotiation
clear ppp all
show logging

Time to test!

$ ping -c 3 -s 1472
PING ( 1472(1500) bytes of data.
1480 bytes from ( icmp_seq=1 ttl=61 time=6.18 ms
1480 bytes from ( icmp_seq=2 ttl=61 time=6.23 ms
1480 bytes from ( icmp_seq=3 ttl=61 time=5.96 ms

--- ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 5.966/6.128/6.234/0.116 ms
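The numbers used above (1492, 1452, 1500, 1512) all follow from the PPP-Max-Payload tag that RFC 4638 adds to PPPoE discovery. The following Python sketch is an added example, not part of the original post or of any Cisco tooling: it is a simplified model of the tag exchange, the packets are constructed samples, the function names are hypothetical, and it assumes the interface MTU of 1512 counts the 4-byte 802.1Q tag of Ethernet0.6.

```python
import struct

PPPOE_OVERHEAD = 8            # 6-byte PPPoE header + 2-byte PPP protocol ID
DEFAULT_PAYLOAD = 1500 - PPPOE_OVERHEAD   # 1492, the classic PPPoE limit
TAG_PPP_MAX_PAYLOAD = 0x0120  # tag type defined by RFC 4638

def build_discovery(code, tags):
    """Build a PPPoE discovery payload (the bytes after the Ethernet header)."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", 0x11, code, 0, len(body)) + body

def parse_tags(packet):
    """Return {tag_type: value} from a discovery payload, with bounds checks."""
    if len(packet) < 6:
        raise ValueError("truncated PPPoE header")
    ver_type, _code, _session, length = struct.unpack("!BBHH", packet[:6])
    if ver_type != 0x11:
        raise ValueError("not PPPoE version 1, type 1")
    if len(packet) - 6 < length:
        raise ValueError("length field exceeds captured data")
    body, tags, off = packet[6:6 + length], {}, 0
    while off + 4 <= len(body):
        tag, tlen = struct.unpack("!HH", body[off:off + 4])
        if tag == 0x0000:     # End-Of-List tag
            break
        if off + 4 + tlen > len(body):
            raise ValueError("tag 0x%04x overruns packet" % tag)
        tags[tag] = body[off + 4:off + 4 + tlen]
        off += 4 + tlen
    return tags

def max_payload(client_pkt, server_pkt):
    """Largest PPP payload both ends agreed to; 1492 unless both sent the tag."""
    values = []
    for pkt in (client_pkt, server_pkt):
        raw = parse_tags(pkt).get(TAG_PPP_MAX_PAYLOAD)
        if raw is None or len(raw) != 2:
            return DEFAULT_PAYLOAD
        values.append(struct.unpack("!H", raw)[0])
    return max(DEFAULT_PAYLOAD, min(values))

def sizes(payload, vlan_tags=1):
    """TCP MSS (minus IPv4 + TCP headers) and Ethernet MTU needed for `payload`.
    Assumption: the interface MTU counts each 4-byte 802.1Q tag."""
    return {"tcp_mss": payload - 40, "eth_mtu": payload + PPPOE_OVERHEAD + 4 * vlan_tags}

# Constructed sample packets: PADR (0x19) from the client, PADS (0x65) from the ISP.
WANT_1500 = (TAG_PPP_MAX_PAYLOAD, struct.pack("!H", 1500))
PADR = build_discovery(0x19, [(0x0101, b""), WANT_1500])
PADS = build_discovery(0x65, [(0x0101, b""), WANT_1500])
PADS_LEGACY = build_discovery(0x65, [(0x0101, b"")])  # access concentrator without RFC 4638
```

If the provider does not echo the tag, the session stays at 1492 and the `mtu 1492` / `ip tcp adjust-mss 1452` settings are still the right ones.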

Upgrade Cisco IOS on the 877W

Yesterday it struck me I was using a less secure wireless setup while the more secure was just a simple configuration change away. While adjusting the configuration I noticed the software version was pretty dated because my last IOS update (12.4.24T1) was from May 2009. To stay current I decided to upgrade my home router.

12.4.24T8 is the latest IOS in the 12.4T series. This version was released on 19 September 2012. I don’t have enough flash capacity to store the new 15.1.4 release, so I will stick with the 12.4.24 release. So I downloaded c870-advipservicesk9-mz.124-24.T8.bin from Cisco.

I have described the steps below so it will be a walk in the park next time.


Improve wireless security on the 877W

I just discovered my three-year-old Cisco wireless router was configured to do WPA encryption instead of the more secure WPA2 version, which is the standard nowadays. WPA uses TKIP (Temporal Key Integrity Protocol) while WPA2 is capable of using TKIP or the more advanced AES algorithm. Doing a search on Google, it appears it’s just an IOS configuration option.

Before:

interface Dot11Radio0
 no ip address
 encryption vlan 2 mode ciphers tkip

After:

interface Dot11Radio0
 no ip address
 encryption vlan 2 mode ciphers aes-ccm

If the option is not there, your IOS version does not support it. I’m currently using: C870 Software, Version 12.4(24)T1 (c870-advipservicesk9-mz.124-24.T1.bin).