Cisco 897 tinkering

Introduction

Usually these blog posts are about me solving a problem, and this one is no exception. However, I'm afraid I'm going to throw a bit of opinion in here as well this time.

So, what's this all about? This beauty right here:

(Images found on eBay)

These boxes are exceptional home routers, supporting 8x 1gbps LAN switch ports (4 of which are PoE capable with the correct daughter board and power supply), fiber or copper WAN (Ethernet), and V/ADSL connections, which are excellent for standard broadband connections. Note: The V/ADSL options are part of the 897VA model.

Here is a short list of the pros and cons which I've observed:

Pros:

  • Compact
  • Low power (maximum is 60W; typically they use <15W)
  • Silent (fanless)
  • 8x LAN 1G switchports
  • PoE Capable
  • Wide variety of WAN connectivity options
  • Easy peasy 12v power connection - not some horrible 19v thing
  • Supports SSL VPN
  • Supports DMVPN

Cons:

  • You'll probably have to "modify" a computer power supply connector to power it (I can never find the PSUs)
  • Throughput hits an approximate 500mbps bottleneck with NAT overload (see below)
  • No integrated wireless (available in the 897VA-W models, but I don't have one)
  • Gets fairly warm

Speedtest result - more on this later.

Problem #1

Heat. I've got mine in a cupboard with another router, an access point and a server. If someone ever does a survey of my building it's going to look like I'm growing "herbs".

Granted, the contribution of the 897 is not a great deal in comparison to something like the server, however if I can get it a bit cooler and ease power consumption in a single step then why not!

My home internet connection uses a 1G copper connection. I have an RJ-45 faceplate right in the cupboard that the Gig8 routed port connects directly into. I have no need for the V/ADSL connection.

One of my observations was that the CD (carrier detection) light for the VDSL controller remained blinking and attempting to establish a connection. The surface on the router where the port is located was also noticeably warm.

Solution #1

So, what does any engineer do in such a situation? They take it apart of course! My knowledge of other Cisco products taught me that such a module (the VDSL controller) exists for the ISR G2 series of routers in the form of an EHWIC (EHWIC-VA-DSL-A):

These are removable, so, perhaps the card inside the router is removable too? Sure enough, it is!

The VDSL controller is a daughter board mounted on the main board of the router. The board is held in place by 3 screws and has a reasonably large protruding heatsink which has a thermal pad in direct contact with the outer casing.

That's mine...right after I pulled it out.

Turns out that the router doesn't seem to miss the board at all. After removing the board, it fired straight up and began functioning normally. Now the router runs much cooler, and I have a new ornament on my desk.

If you're using the router for its ADSL / VDSL capabilities, don't pull it out; you might find that you actually needed it.

Problem #2

Now, you may not agree with me so much on this one because I'm being greedy. But, I like to get what I pay for.

I pay for a 1gbps symmetric internet connection, i.e. in theory I can get 1gbps download and upload. Greedy? Absolutely.

Now here's the actual problem - the router is the bottleneck of this connection. Ironically, the router provided by the ISP is actually capable of delivering the full 1gbps speed (or around 800-900mbps when I tested it). The problem with the 897 is that the CPU is just not powerful enough to forward traffic at the rates that I want. It'll handle about 500mbps before it hits 100% utilisation. (See speedtest picture above)

So, why don't I just use the ISP's router (hereafter referred to as "plastic junk")? Well, I like the feature set provided by the 897, and I use the SSL VPN and DMVPN extensively. Now, while I could attach the 897 to the side of my network as a sort of "services" platform, there are a number of difficulties:

  • I don't like using a crappy plastic web managed piece of junk
  • Port forwarding for GRE, ESP, IPSec is problematic because of support (they're not all L4 ports but you get my point)
  • Reverse routing - The plastic junky thing has to be able to be programmed with routes back towards the services router so that clients using the plastic junk as their default gateway can reach it. Of course, with this particular model, that's not supported.

Solution #2

Well... there isn't one.

I've yet to find something which can replace the 897 in this case and I'll have to live with the ~500mbps that the 897 can provide.

My best possible consideration was to use the Cisco CSR1000v virtual router. But, the problem with this is I do not trust my ESXi server implicitly. I do not like to rely on it for my internet connection.

In an attempt to combine these two, I considered using HSRP towards my LAN and WAN, altering the HSRP priorities so that the CSR1000v acts as the primary router and the 897 as a fallback should the ESXi server experience difficulties. The problem with this approach is that it requires an additional IP address (at least one additional) from the ISP, who were unwilling to provide this. I even thought of trying to use NAT46 if they supported IPv6, but alas, they did not.

So, in conclusion, I've stuck with the 897. It is a fantastic platform and I can actually live with the 500mbps it can provide (very little actually reaches this anyway; most of the time the uploading server is not capable of keeping up - Steam services are however an exception).

I'm still looking for something to solve this problem and provide the functionality of the 897, but short of an ASR1000 series router I don't think I'm going to find something. Considering that the cupboard in question is actually in my bedroom, an ASR1000 would cook and deafen me within a couple of days. I think I'll pass, not to mention I don't fancy spending a few thousand pounds on a router!