FTTC with a Cisco VDSL router

[Note] I’ve recently started a network consultancy business, head over to Optimus Networks to get in touch.

I recently learned that the Cisco 887VA packs a dual-technology modem that supports not only ADSL2+ but also VDSL2, the technology behind FTTC (Fibre To The Cabinet), more commonly known as BT Infinity.

Excited at the prospect of removing the Openreach modem from my overheating cupboard / home comms room, I set about building the config and was surprised to find FTTC to be very similar in delivery to an Etherflow Etherway. The similarity is that the circuit is delivered with a VLAN tag, in this case 101. Authentication is CHAP over PPPoE; see my previous posts on how to get an Ethernet connection established from an Ethernet port on a router or an ASA.

There is no ATM configuration as there is for ADSL: the VDSL modem is presented as the Ethernet0 interface, and that interface must be bound to a dialer carrying the PPPoE configuration. Because the service arrives tagged, the PPPoE client goes on an Ethernet0.101 sub-interface with dot1Q encapsulation, and it is the sub-interface that is bound to the dialer.

Here is the config:

controller VDSL 0 !## THE VDSL CONTROLLER. THE DEFAULT OPERATING MODE IS AUTO; PIN IT TO VDSL2 IF THE LINE EVER TRAINS IN ADSL MODE
 operating mode vdsl2
!
interface Ethernet0 !## THE VDSL MODEM IS PRESENTED AS ETHERNET0. NO IP HERE, SEE THE DIALER
 no ip address
!
interface Ethernet0.101 !## EVERYTHING IS TAGGED IN VLAN 101, SO WE MUST USE A SUB-INTERFACE
 encapsulation dot1Q 101
 pppoe-client dial-pool-number 1
!
interface ATM0 !## NO NEED FOR THIS, ATM IS ADSL ONLY
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface Dialer0
 ip address negotiated !## PUBLIC ADDRESS ASSIGNED BY BT VIA IPCP
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname YOUR_LOGIN
 ppp chap password 0 YOUR_PASSWORD !## 0 = STORED IN CLEAR TEXT IN THE RUNNING CONFIG, SO BE CAREFUL WHO YOU SHOW IT TO
 ppp ipcp dns request
 ppp ipcp route default !## GRAB YOUR 0.0.0.0/0 ROUTE FROM PPPOE

In case of issues or slow performance, I believe the FTTC MSAN equipment will fall back to ADSL2+ mode if required, so check that you have specified VDSL mode as per the first line of the config if you have any trouble. Not that I’ve had any issues.

Also, in case you are wondering what speed your line is capable of (BT recently announced 80Mbps downstream for new or renewing customers), the VDSL stats show a good amount of detail, including a headline attainable-rate reading for your line. I was pleasantly surprised.

Router#sh controllers VDSL 0
Attainable Rate: 102056 kbits/s 33192 kbits/s

According to these numbers I’ve lost a whole 2Mbps downstream; a previous reading showed 104Mbps. I wonder if the nice weather we’ve had this week had an effect on the cable? Damn you physics! 😉

FTTC – Cisco PPPoE router config

A sample Fibre To The Cabinet Cisco router config for PPPoE, assuming you have the standard BT Openreach modem in front of the router. Generated from an 1800-series router.

interface FastEthernet0
description FTTC
no ip address
ip virtual-reassembly
pppoe enable group global
pppoe-client dial-pool-number 1

interface Dialer0
ip address negotiated
ip virtual-reassembly
encapsulation ppp
load-interval 30
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname [USERNAME]
ppp chap password 0 [PASSWORD]
ppp ipcp dns request
ppp ipcp route default

Cisco ASA / BT Fibre To The Cabinet (FTTC) PPPoE config

I’m lucky enough to be in one of the few UK areas to have BT’s latest broadband offering, Fibre To The Cabinet or FTTC.

When the BT Openreach engineer decides to turn up, he will install a Huawei modem which hands off your public IP address (or subnet if you so choose) via PPPoE to your router of preference. Being a networking geek I chose a Cisco ASA 5505 firewall.

Below is a basic command-line config; I’ll get working on some ASDM screenshots soon for those who prefer the GUI (not my thing). Note the MTU size: PPPoE adds a 6-byte PPPoE header and a 2-byte PPP protocol field inside every Ethernet frame, so we trim those 8 bytes off the 1500-byte Ethernet standard, leaving 1492. Also bear in mind that on a 5505 the outside interface is a switched VLAN interface, so the physical port facing the Openreach modem must be a member of VLAN 10.

interface Vlan10
 nameif outside
 security-level 0
 pppoe client vpdn group BTFTTC
 ip address pppoe setroute
!
! setroute installs the default route the BT PPPoE server hands out; without it you need a static "route outside 0 0 <next hop>"
!
mtu outside 1492
!
vpdn group BTFTTC request dialout pppoe
vpdn group BTFTTC localname [email protected]
vpdn group BTFTTC ppp authentication chap
vpdn username [email protected] password *ppp password*
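To make the 8-byte figure concrete, here is an added example (written for this edit, not code from the original post) that builds and parses the PPPoE session-stage framing from RFC 2516 and derives the 1492-byte MTU and the matching TCP MSS from it. The frames, payloads and session id it uses are constructed test data, not captures from a BT line.

```python
"""Where the ASA's 'mtu outside 1492' comes from: a PPPoE session frame spends
6 bytes on the PPPoE header and 2 bytes on the PPP protocol field before the IP
packet starts. Added example; frames built here are constructed test data."""
import struct

ETHERNET_MTU = 1500            # payload an untagged Ethernet frame can carry
PPPOE_HEADER_LEN = 6           # ver/type(1) code(1) session_id(2) length(2), RFC 2516
PPP_PROTOCOL_LEN = 2           # PPP protocol id that follows the PPPoE header
PPPOE_VER_TYPE = 0x11          # version 1, type 1
PPPOE_CODE_SESSION = 0x00      # code 0 = session-stage data
PPP_PROTO_IPV4 = 0x0021
IPV4_TCP_HEADERS = 40          # 20-byte IPv4 header + 20-byte TCP header, no options


def pppoe_overhead():
    """Bytes PPPoE encapsulation takes from every frame."""
    return PPPOE_HEADER_LEN + PPP_PROTOCOL_LEN            # 8


def pppoe_mtu(link_mtu=ETHERNET_MTU):
    """Largest IP packet that still fits: the value to configure on the PPPoE interface."""
    return link_mtu - pppoe_overhead()                      # 1492


def tcp_mss(mtu):
    """TCP MSS to clamp to so no segment needs fragmenting on the PPPoE link."""
    return mtu - IPV4_TCP_HEADERS                           # 1452 for a 1492 MTU


def encode_session_frame(session_id, ppp_protocol, packet):
    """Build the Ethernet payload of a PPPoE session frame around one IP packet."""
    length = PPP_PROTOCOL_LEN + len(packet)                 # PPPoE LENGTH counts the PPP protocol id too
    if length > 0xFFFF:
        raise ValueError("payload too large for the 16-bit PPPoE length field")
    header = struct.pack("!BBHH", PPPOE_VER_TYPE, PPPOE_CODE_SESSION, session_id, length)
    return header + struct.pack("!H", ppp_protocol) + packet


def decode_session_frame(frame):
    """Parse a session frame, rejecting anything whose LENGTH disagrees with the bytes present."""
    if len(frame) < PPPOE_HEADER_LEN + PPP_PROTOCOL_LEN:
        raise ValueError("frame shorter than PPPoE header plus PPP protocol id")
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[:PPPOE_HEADER_LEN])
    if ver_type != PPPOE_VER_TYPE or code != PPPOE_CODE_SESSION:
        raise ValueError("not a PPPoE session-stage frame")
    if length != len(frame) - PPPOE_HEADER_LEN:
        raise ValueError("PPPoE length field disagrees with frame size")
    start = PPPOE_HEADER_LEN
    (ppp_protocol,) = struct.unpack("!H", frame[start:start + PPP_PROTOCOL_LEN])
    return {"session_id": session_id, "ppp_protocol": ppp_protocol,
            "packet": frame[start + PPP_PROTOCOL_LEN:]}


def fits_on_link(packet_len, link_mtu=ETHERNET_MTU):
    """Would an IP packet of this size survive PPPoE encapsulation without exceeding the link MTU?"""
    return packet_len + pppoe_overhead() <= link_mtu


if __name__ == "__main__":
    print("PPPoE MTU:", pppoe_mtu(), "TCP MSS:", tcp_mss(pppoe_mtu()))
    print("1500-byte packet fits:", fits_on_link(1500), "1492-byte packet fits:", fits_on_link(1492))
```

The same arithmetic applies to the IOS configs above: the dialer carries 1492-byte packets, and `ip tcp adjust-mss 1452` on the LAN-facing interface clamps TCP so hosts never send a segment that would need fragmenting; on the ASA the default `sysopt connection tcpmss 1380` is already below 1452.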

IPSEC – Site to site VPN

Phase 1 (ISAKMP) policy; the two peers must share at least one matching policy:

crypto isakmp policy <N>             * N = priority, lower preferred
 authentication pre-share
 encryption <3DES/AES/DES>           * AES preferred; DES and 3DES are legacy and should not be used for new tunnels
 group <1/2/5>                       * Diffie-Hellman group; 1 and 2 are too small, use the strongest both ends support (14 or higher where the IOS image offers it)
 hash <MD5/SHA>                      * SHA preferred
 lifetime <T>                        * in seconds

crypto isakmp key <0/6> <KEY> address <REMOTE ADDR>   * 0 = key typed in clear, 6 = stored type-6 encrypted; use a long random pre-shared key

Phase 2 (IPsec) proposal:

crypto ipsec transform-set <TRANS NAME> esp-aes esp-sha-hmac
 mode <TUNNEL/TRANSPORT>             * tunnel for site to site

crypto ipsec security-association lifetime seconds <T>

Interesting traffic; must be the mirror image of the ACL on the far end:

access-list 123 permit ip <SOURCE NET> <SOURCE WILDCARD> <DEST NET> <DEST WILDCARD>

Crypto map tying it together, applied to the outside interface:

crypto map <MAP NAME> <SEQ> ipsec-isakmp
 match address 123
 set peer <REMOTE ADDR>
 set transform-set <TRANS NAME>

interface Dialer0                    * or whatever your <OUTSIDE IF> is
 crypto map <MAP NAME>

Notes :

States shown by 'show crypto isakmp sa':

QM_IDLE = Good! Phase 1 is up and quick mode has run.

MM_NO_STATE = Phase 1 (IKE) problem: the ISAKMP SA was created locally but the peer never answered. Check reachability and the public-facing inbound ACLs.

MM_KEY_EXCH = The Diffie-Hellman exchange completed but the peers failed to authenticate: bad peer address or a pre-shared key mismatch.

On public-facing inbound ACLs allow:

ESP – IP protocol 50

AH – IP protocol 51 (only needed if an AH transform is in use)

IKE – UDP port 500

NAT-T – UDP port 4500 (if either peer is behind NAT, ESP is carried inside UDP 4500)
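An added example, not from the original post, that turns the notes above into a check: it classifies the rows of `show crypto isakmp sa` and, for any SA stuck in MM_NO_STATE, reads an IOS extended ACL and reports which of the flows listed above are not permitted to the router's outside address. The command output, the ACL and the address 203.0.113.10 are constructed samples; the ACL parser understands `any`, `host` and contiguous wildcard masks with optional `eq` port matches, which covers the lines a PPPoE edge router typically has.

```python
"""Triage for IOS site-to-site tunnels: classify 'show crypto isakmp sa' rows and,
for a peer stuck in MM_NO_STATE, check the inbound ACL permits IKE/NAT-T/ESP/AH.
Added example; the command output and ACL below are constructed samples."""
import ipaddress
import re

STATE_HINTS = {
    "QM_IDLE": "phase 1 up and quick mode idle: healthy",
    "MM_NO_STATE": "ISAKMP SA created locally but the peer never answered: check reachability and inbound ACLs",
    "MM_KEY_EXCH": "DH exchange done but not authenticated: pre-shared key mismatch or wrong peer address",
}

# Flows the outside-facing inbound ACL must permit towards our public address.
REQUIRED_FLOWS = {
    "IKE (UDP 500)": ("udp", 500),
    "NAT-T (UDP 4500)": ("udp", 4500),
    "ESP (IP protocol 50)": ("esp", None),
    "AH (IP protocol 51)": ("ahp", None),
}
PROTO_ALIASES = {"50": "esp", "51": "ahp", "17": "udp"}     # numeric forms IOS also accepts
PORT_ALIASES = {"isakmp": 500, "non500-isakmp": 4500}      # IOS keywords for the two IKE ports

SA_ROW = re.compile(r"^(\S+)\s+(\S+)\s+((?:MM|QM|AG)_\w+)\s+(\d+)\s+(\w+)")


def parse_isakmp_sa(text):
    """Rows of 'show crypto isakmp sa': dst, src, state, conn-id, status."""
    rows = []
    for line in text.splitlines():
        m = SA_ROW.match(line.strip())
        if m:
            dst, src, state, conn_id, status = m.groups()
            rows.append({"dst": dst, "src": src, "state": state, "conn_id": int(conn_id), "status": status})
    return rows


def _take_address(tokens):
    """Consume one IOS address spec: any | host A.B.C.D | A.B.C.D WILDCARD (contiguous wildcards only)."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ wildcard)     # a wildcard is the inverted subnet mask
    return ipaddress.ip_network(f"{first}/{netmask}", strict=False)


def parse_acl(text):
    """Numbered or named extended ACL lines -> (action, protocol, src, dst, dst_port_or_None)."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.split()
        if tokens and tokens[0] == "access-list":
            tokens = tokens[2:]                      # drop 'access-list <number>'
        if tokens and tokens[0].isdigit():
            tokens = tokens[1:]                      # drop a named-ACL sequence number
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue                                 # headers, remarks, blank lines
        action, proto = tokens[0], PROTO_ALIASES.get(tokens[1], tokens[1])
        rest = tokens[2:]
        src = _take_address(rest)
        if rest and rest[0] == "eq":
            del rest[:2]                             # a source-port match is irrelevant here
        dst = _take_address(rest)
        port = None
        if rest and rest[0] == "eq":
            port = PORT_ALIASES.get(rest[1]) or int(rest[1])
        entries.append((action, proto, src, dst, port))
    return entries


def missing_permits(acl_entries, outside_ip):
    """Required flows the ACL does not permit to outside_ip, with IOS first-match
    semantics and the implicit deny at the end."""
    addr = ipaddress.ip_address(outside_ip)
    missing = []
    for name, (proto, port) in REQUIRED_FLOWS.items():
        verdict = "deny"
        for action, p, _src, dst, dport in acl_entries:
            proto_match = p == "ip" or (p == proto and (port is None or dport in (None, port)))
            if proto_match and addr in dst:
                verdict = action
                break
        if verdict != "permit":
            missing.append(name)
    return missing


def triage(sa_text, acl_text, outside_ip):
    """One finding per SA row; MM_NO_STATE rows also carry the ACL gaps."""
    entries = parse_acl(acl_text)
    findings = []
    for row in parse_isakmp_sa(sa_text):
        finding = dict(row, hint=STATE_HINTS.get(row["state"], "see 'debug crypto isakmp'"))
        if row["state"] == "MM_NO_STATE":
            finding["acl_missing"] = missing_permits(entries, outside_ip)
        findings.append(finding)
    return findings


# Constructed samples: our outside address is 203.0.113.10 and the ACL forgot NAT-T and AH.
SAMPLE_ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.10    198.51.100.7    MM_NO_STATE       1001 ACTIVE
203.0.113.10    198.51.100.9    QM_IDLE           1002 ACTIVE
"""
SAMPLE_ACL = """\
access-list 110 permit udp any host 203.0.113.10 eq isakmp
access-list 110 permit esp any host 203.0.113.10
access-list 110 deny ip any any log
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_ISAKMP_SA, SAMPLE_ACL, "203.0.113.10"):
        print(f["src"], f["state"], f["hint"], f.get("acl_missing", ""))
```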

Tacacs+

Enable AAA (beware: this replaces the current line and enable authentication with AAA method lists, so have a local user and console access ready before you commit):

aaa new-model

Define the TACACS+ server. The key must match the one configured on the server, and it should be long and random rather than something like the sample below, because it is all that protects the packet bodies on the wire:

tacacs-server host 1.2.3.4
tacacs-server key 0null0

Define an AAA authentication method list named ‘VTY’. TACACS+ is tried first; the local database is used only if the server cannot be reached, which stops you locking yourself out when it is down:

aaa authentication login VTY group tacacs+ local

Apply to the VTY (Telnet/SSH) lines, covering every VTY line the platform has rather than just the first few:

line vty 0 5
 login authentication VTY
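To show what the `tacacs-server key` actually does, here is an added example (written for this edit, not code from the original post) implementing the TACACS+ body obfuscation from RFC 8907 section 4.5: the key only seeds a chained-MD5 XOR pad, so anyone who captures a packet with a predictable body, such as an authentication START, can test candidate keys offline. The packet, user and addresses are constructed; the key `0null0` is the sample value from the config above, and the candidate list is a made-up wordlist.

```python
"""TACACS+ body obfuscation (RFC 8907 section 4.5) and offline key guessing against it.
Added example; the packet below is constructed and '0null0' is the sample key from the post."""
import hashlib
import struct

VERSION = 0xC0                     # major version 0xC, minor version 0
TYPE_AUTHEN = 0x01                 # authentication packet
FLAG_UNENCRYPTED = 0x01            # body sent in clear when set; never enable this on a real device
HEADER_FMT = "!BBBBII"             # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 12


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5_1 = MD5(session_id || key || version || seq_no); MD5_n = MD5(same || MD5_{n-1});
    the pad is the concatenation truncated to the body length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body, session_id, key, version, seq_no):
    """Obfuscate or de-obfuscate a body; XOR with the pad is its own inverse."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user, port, rem_addr, data=b"", action=1, priv_lvl=1, authen_type=1, service=1):
    """Authentication START body: 8 fixed bytes then user, port, rem_addr and data (RFC 8907 section 5.1)."""
    fields = [user.encode(), port.encode(), rem_addr.encode(), data]
    fixed = struct.pack("!8B", action, priv_lvl, authen_type, service, *(len(f) for f in fields))
    return fixed + b"".join(fields)


def build_packet(session_id, seq_no, body, key):
    """Header travels in clear; only the body is XORed under the shared key."""
    header = struct.pack(HEADER_FMT, VERSION, TYPE_AUTHEN, seq_no, 0, session_id, len(body))
    return header + xor_body(body, session_id, key, VERSION, seq_no)


def parse_header(packet):
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "length": length}


def looks_like_authen_start(body):
    """Plausibility test an attacker applies to a trial de-obfuscation: fixed fields inside
    their defined ranges and the four length bytes adding up to the body size."""
    if len(body) < 8:
        return False
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = body[:8]
    return (action in (1, 2, 4) and priv_lvl <= 15 and 1 <= authen_type <= 6
            and service <= 9 and 8 + ulen + plen + rlen + dlen == len(body))


def guess_key(packet, candidates):
    """Offline key recovery: the first candidate whose pad turns the body into a well-formed START."""
    hdr = parse_header(packet)
    body = packet[HEADER_LEN:HEADER_LEN + hdr["length"]]
    if hdr["flags"] & FLAG_UNENCRYPTED:
        return b""                         # nothing to guess, the body is already cleartext
    for cand in candidates:
        trial = xor_body(body, hdr["session_id"], cand, hdr["version"], hdr["seq_no"])
        if looks_like_authen_start(trial):
            return cand
    return None


if __name__ == "__main__":
    pkt = build_packet(0x1A2B3C4D, 1, authen_start_body("admin", "tty1", "192.0.2.10"), b"0null0")
    print("recovered key:", guess_key(pkt, [b"cisco", b"tacacs", b"0null0"]))
```

Because the pad is fixed by (session id, key, version, sequence number), every packet in a session uses a fresh pad, but none of this is encryption in the cryptographic sense and the RFC says as much: a strong key only raises the cost of guessing. Keep the TACACS+ traffic on a management network the AAA clients and server share, or tunnel it, rather than relying on the key alone.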