11/28/2016

Cisco 877, How To enable SDM

This is more a landing page for more notes to follow(?) [and for Security Nerds, yes it's an old "toxic Smurf stew" of moldy old software stirred together to support this, but packaged up in a nice virtual machine and used purely for management (not surfing the high seas of Ransomware Pirates) it's an acceptable use case.. chill..]

A few things I really like about a "real router": modular upgradability (RAM and Flash) as hardware costs come down and needs increase; a true dedicated IOS focused on WAN/LAN routing functions on "best in class" hardware, designed from the start with proper thermal footprint and cooling considerations; proven designs that are tested over a long time, with on-going development and support for baseline features, without going off the deep end into product feature creep or over-promising on poorly delivered features; an ancient, structured configuration methodology over serial, telnet and ssh consoles (all available); true industry standard Syslog and SNMP v2 capability; a supported GUI; and a long.. long.. line of available production quality, tested firmware images for the router and the peripheral WAN cards. And.. most important.. not "prophylactically" locked down for "your safety!"

I bought a nearly out of support (Dec 20, 2016) Cisco 877 router, retrofitted it to max out its RAM and Flash memory, and worked out how to enable one of the many "next generation" user interfaces Cisco was promoting last decade.


They're long gone now, nearly buried and "all but" abandoned, but like ancient cities or temples hidden away and forgotten.. I'm hoping the 800 series ADSL routers can perform the task of a WAN to LAN router with a reasonable NAT firewall much better than something orders of magnitude cheaper and plain too weak for the purpose of providing stable DSL service. I'm not totally ignorant of iptables, ipchains or IOS access-lists, but a simple GUI to help cut through the memory fog will be a welcome respite.


fwiw - Firefox 3.5.7, IE8, java 1.4.12-20 [ all available online for resurrection in a google search engine near you ] will run the SDM properly on XP, here in 11/2016 - but IOS evolved beyond SDM support when it was replaced with Cisco-CP, and any IOS image after c870-advipservicesk9-mz.124-20.T.bin lost the ability to let the SDM GUI write the changes held in its own memory space back to the running config on the 877 (and possibly other routers).

[Note:] Windows 7 and later, or "modern" Firefox or Internet Explorer, even Chrome, simply cannot be reconfigured sufficiently to support running SDM. I did get fairly far with an experiment in doing this, however the overlapping layers of security and intrusion prevention circuitry inside these software products "hide" or otherwise disable so many of the SDM Java applets that it just wasn't practical to use Win7 and any "modern" browser to run SDM. -- for one thing the "Additional Tasks" panel under Configuration was totally unresponsive and disabled.. this forms the "core" of the purpose of SDM, which is the tool used to manage the overall running configuration for the router.


It makes sense this "would happen" since SDM was retired by that time. SDM's virtue, however, is that it will work with the Cisco 1700 series routers, whereas Cisco-CP began its life supporting the "newer" Cisco 1800 series routers.


The [Reset] switch at the back of the 800 series routers will [not only] wipe the startup and running configs of the 800 routers, but also [restore + re-configure] the default VLAN and LAN/WAN ports, with a static IP address (10.10.10.1), and pre-configure a "one time use" Level 15 enabled username and password.. so you can hook up a LAN cable to the "Reset/Pre-configured" router, statically configure your laptop/PC ethernet port to 10.10.10.2 and immediately log in (using telnet or ssh) without needing a serial cable (or you "can" add a logical IP to the existing interface of your laptop and stay connected "simultaneously" to both your previous local LAN subnet and the router's pseudo-temporary subnet).

This is "important" because the LAN switch ports on the back of the 877, and presumably all of the 800 series, are by default VLAN capable and enabled, so rather "unintuitively" you can't just assign IP addresses directly to those interfaces (frustrating to say the least for any hack half-way experienced with Cisco IOS products); rather you have to "know" you must create or manage the VLAN interfaces to which the FastEthernet interfaces are granted "switchport access", and assign the IP addresses to the pseudo-VLAN interfaces which represent their domains...sigh.. facepalm.. what were they thinking in a consumer grade product.. {anyway get over it..} .. just know, it's easier to start out with a ready-made template and default security context with a running-config by "using the Reset button.. Luke!" and you don't even need a usb-to-serial converter cable.
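The VLAN-interface model from the two paragraphs above, as an added example that is not from the original post: a minimal configuration for a freshly reset 800-series router that replaces the factory one-time-use account, keeps the switch ports in the default VLAN, puts the LAN address on the VLAN interface, and turns on the HTTPS and SSH access SDM needs. The hostname, the 192.168.50.0/24 subnet and the account names are constructed placeholders; only the 10.10.10.1 factory address comes from the post.

```cisco
! Added example, not from the original post. Enter in global configuration
! mode on a router that was just reset with the rear button. Hostname,
! 192.168.50.0/24 and the account names are constructed placeholders.
!
! 1. Replace the factory one-time-use level 15 account before anything else.
hostname lab-877
username admin privilege 15 secret <choose-a-strong-secret>
no username <the-factory-one-time-username>
!
! 2. The switch ports cannot carry an IP address themselves; they only join
!    a VLAN. Keep them in the default VLAN 1 as access ports (repeat for
!    FastEthernet2 and FastEthernet3).
interface FastEthernet0
 switchport access vlan 1
interface FastEthernet1
 switchport access vlan 1
!
! 3. The layer-3 address lives on the VLAN interface. Moving it off the
!    factory 10.10.10.1 drops the telnet/ssh session opened to that address,
!    so reconnect to the new address afterwards.
interface Vlan1
 description LAN
 ip address 192.168.50.1 255.255.255.0
 no shutdown
!
! 4. Restrict management to the LAN subnet with a numbered ACL.
access-list 10 permit 192.168.50.0 0.0.0.255
!
! 5. What SDM needs to talk to the router: the HTTPS server authenticated
!    against the local user database, limited to the management ACL.
ip http secure-server
ip http authentication local
ip http access-class 10
!
! 6. SSH only on the vty lines, same ACL, same local account; the domain
!    name must exist before the RSA key can be generated.
ip domain-name lab.example
crypto key generate rsa modulus 2048
ip ssh version 2
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
```

Save with `write memory` once you have reconnected on the new address and confirmed the SSH login works, otherwise the next reload returns the router to whatever was in startup-config.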

[Note:] Know this, the documentation and some of the SDM dialog text refer to the Cisco 877 as having the SDM applets "already" onboard the flash drive of the router. This is not always so, especially for a refurbished or "somewhat used/abused" router (not "fresh" from the box) that has had its flash mangled or maligned by CLI users.. often they throw things away to make space, or in the case of a flash upgrade it doesn't even have an IOS image until one is tftp loaded using the bootstrap monitor.

Manually loading the SDM applets onto the router using tftp isn't documented or supported as far as I could see.. so your best option is to download the full SDM from Cisco for free and use its Windows installer to perform a Local PC install (only) of the SDM. Then use the Local PC SDM to "bootstrap" connecting to a "Reset to factory default Preconfigured" router, to change the one-time-use password. Then you can re-run the Windows installer for SDM and perform an "Install to Router (only)" install in order to get the SDM applets re-loaded on to the router's flash drive.

"Trust your nose": if your router doesn't have that "New Car Smell" and smells a little bit more like a roaming Gnome.. expect to have to bootstrap your router with the PC "two-step" dance.

If you have installed SDM on the PC it can connect to the static router IP and walk you through changing the one-time-use username and password to something more secure. 



Uploading SDM to the router works with the older (but still "compatible" with SDM) image 870-advipservicesk9-mz.124-20.T.bin but does not work with later IOS images..

The router just spins saying "Connecting" and then "fails to connect" and never allows the SDM installer from the PC to finish the task of uploading the SDM Express "mini Java applets" to the router's flash drive.. the older image does allow the SDM installer to connect, then presents choices for what components to upload and completes this mission.