Cisco routers with German VDSL2

Submitted by davidc on Thu, 05/12/2013 - 16:55

Customers wishing to use their own router with VDSL2 (FTTC) services in Germany are hampered by the CPE not supporting PPPoE passthrough, as Telekom limits the line to 1 PPPoE session. The CPE therefore needs to be replaced entirely. This article describes how to extract the login information from an O2 Homebox and then configure a Cisco router as a replacement CPE.

German VDSL2 Providers

I selected O2 for my new VDSL2 line, based partly on price and partly on previous good experience with Alice ADSL (now owned by O2 Telefonica). In actual fact, the underlying line in most cases terminates in a Telekom street-side DSLAM and is handed over (maybe using L2TP) to O2 in Frankfurt, as evidenced by the traceroute. This would be quite annoying if it wasn't for the fact that most of my traffic is heading west anyway.

As Telekom own most of the VDSL2 infrastructure, much the following information probably applies to all VDSL2 providers in Germany.

O2 Homebox

The O2 Homebox is a dreadful beast. There are a number of models of rebadged Arcadyan devices, with custom O2 firmware. Successive firmware updates have gradually removed more and more capabilities. These updates are delivered over the wire and are not optional.

On the plus side, O2's idea of removing a feature is simply to remove the menu option. The HTML pages usually still exist. Nowadays, when you visit the router's webpage, you can do nothing but view the status - but some options such as port forwarding are still available if you know the relevant URL (/port_forwarding.htm in this case). PPPoE pass-through was disabled in the same way - you can still access the page, but due to aforementioned Telekom session limit, it still won't work.

Nevertheless, the Homebox is atrocious, and its lack of SIP ALG alone necessitated its replacement.

PPPoE Login Details

O2 will not tell you your PPPoE login details. However, the same O2 technician who informed me of the Telekom PPPoE session limit also told me - unofficially - that it would be possible to use my own router if I could extract the PPPoE login using information on the Internet.

The Arcadyan IAD Decrypter by hph allows you to decrypt the Homebox's config file, and provides information on how to do so.

A recent firmware update has led to the PPPoE details being removed from the configuration file - apparently even though O2 are aware they provide a terrible (and overpriced) router, they still want to force a bad customer experience by preventing you from replacing it. You can still get the details by extracting them using a TTL-level serial cable, but fortunately in my case I had a backup of the config prior to this latest update.

Other routers and other VDSL2 providers will have other CPE that will require other methods; fortunately there is a good deal of relevant information on the Internet.

Compatible VDSL2 Modems

It is important to note that VDSL2 in Germany is over ISDN - namely it uses a frequency plan that allows it to coexist with ISDN. I couldn't find a diagram for VDSL2, but this diagram shows the equivalent difference in the available frequencies for ADSL Annex A (over POTS) and Annex B (over ISDN).

Actually, the ISDN frequencies aren't even used with O2, because the telephone ports on the router are provided using VoIP instead. However, they still use the "over ISDN" frequency plan, and this important difference means that you need a different modem for VDSL2-over-ISDN than for VDSL2-over-POTS, so for example my 887VAMG from the UK would not sync.

I ended up using a 1921 for expandability, with a EHWIC-VA-DSL-B VDSL2-over-ISDN interface card. Any modular ISR G2 router (1900/2900/3900) supporting EHWICs will do, but the 1800/2800/3800 series do not support EHWICs.

An 866V-series or 886V-series would also work fine (note that 866/886 are over ISDN, 867/887 are over POTS).

On the 800-series the interface and controller are Ethernet0 and VDSL 0 respectively. On a modular router, the interface and controller will depend on the slot, and the numbers will correspond with each other. In my examples below, they are Ethernet0/1/0 and VDSL 0/1/0 respectively.

Configuration

A lot of the documentation on the Internet and on Cisco's website refers to configuring VPDN to use the PPPoE client. However this is no longer necessary as of IOS 12.4T and the relevant commands do not work. My configuration below is from IOS 12.4T; if you are using an earlier version then you can refer to Cisco's PPPoE client documentation for the differences.

First, enable the controller and interface which probably defaulted to shutdown. Note that, unusually, a space is required before the number after "controller VDSL". You can also shutdown the ATM interface if it isn't already, as this is only used for ADSL.

controller VDSL 0/1/0
 no shutdown
interface Ethernet0/1/0
 no shutdown
interface ATM0/1/0
 shutdown

The "Ethernet" interface is a virtual interface on top of the VDSL controller (no, it doesn't really operate at 10Mbps, but if you are running a routing protocol, you will need to manually specify a bandwidth command to get the right metric).

It does support dot1q trunking, and Telekom-based services are actually on VLAN 7, so you need to create a subinterface, enable PPPoE and assign it to a dialer pool:

interface Ethernet0/1/0.7
 encapsulation dot1Q 7
 pppoe enable group global
 pppoe-client dial-pool-number 1

Next, simply create a dialer interface and configure it with PPP as normal. Telekom uses CHAP, and you have to make authentication of the remote end optional as they do not authenticate.

interface Dialer1
 ip address negotiated
 dialer pool 1
 dialer-group 1
 encapsulation ppp
 ppp authentication chap optional
 ppp chap hostname yourusername@yourlogindomain
 ppp chap password yourpassword
 no cdp enable
 mtu 1492
 ip tcp adjust-mss 1452

Note that I have reduced the MTU to 1492 to account for the additional 8 bytes of PPPoE header. I am also having the router amend the MSS in TCP SYN packets accordingly, rather than relying on the hosts to do pMTUd.

Finally, you will want a default route:

ip route 0.0.0.0 0.0.0.0 Dialer1

As of 12.3(11)T and 12.4T, you can instead choose to have IOS install a default route once IPCP negotiation has completed. The advantage of this is that the route tracks the actual state of the PPPoE connection, rather than the spoofed dialer interface state:

interface Dialer1
 ppp ipcp route default

Testing

With any luck, Dialer1 will come up and receive an IP address (sh ip int Dialer1) and you will be able to ping from the router just fine.

First troubleshooting step is to ensure there is actually DSL sync, using show controllers VDSL 0/1/0. In this case you can see that the line is synced at 81Mbps/23Mbps (don't get too excited - this is capped at the head-end).

w23-gw#sh controllers vdsl 0/1/0
Controller VDSL 0/1/0 is UP
 
Daemon Status:           <b>Up</b>
 
[snip]
 
Modem Status:            <b>TC Sync (Showtime!)</b>
DSL Config Mode:         AUTO
Trained Mode:            G.993.2 (VDSL2) Profile 17a
 
[snip]
 
Line Attenuation:         0.0 dB                  0.0 dB
Signal Attenuation:       0.0 dB                  0.0 dB
Noise Margin:            11.5 dB                 12.9 dB
Attainable Rate:        81688 kbits/s            23293 kbits/s
Actual Power:            13.6 dBm                - 4.9 dBm
 
[snip]

Debug DSL sync issues using debug vdsl 0/1/0 ....

If you have sync, the next step is to debug PPPoE authentication using debug pppoe .... Note that if you are not seeing any PPPoE response at all from the other side, then you are probably not using the right dot1q tag.

Other notes

Using the same method as above, you can extract the VoIP login details if you wish to use your own SIP device. This also reveals that O2's NTP server is time.sip.alice-voip.de, so you can use this on your router as follows, assuming you have DNS configured or are receiving it via IPCP:

ntp update-calendar
ntp server time.sip.alice-voip.de

The O2 Homebox is a dreadful beast. There are a number of models of rebadged Arcadyan devices, with custom O2 firmware. Successive firmware updates have gradually removed more and more capabilities. These updates are delivered over the wire and are not optional.