Cisco CPE on the NBN with Internode
There is a myriad of Customer Premises Equipment (CPE) deployed on the NBN from
various vendors such as Cisco. Though
somewhat dated, Internode has an online
ADSL configuration guide for
Cisco routers.
This article outlines a modern generic Cisco
IOS configuration for Internode NBN
services. This configuration includes dual stack IPv4/IPv6 autoconfiguration, firewall, local caching
DNS, time synchronisation and IPv4 network address translation (NAT) functionality.
In the configurations below, the GigabitEthernet0/0 interface is
connected to the local area network (LAN). Replace
FDFF:FFFF:FFFF::/48 with your own locally unique prefix as per RFC4193. Also ensure that you
replace all usernames, passwords and RSA key fingerprints in the configurations
below with your own values.
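The locally unique prefix that replaces FDFF:FFFF:FFFF::/48 should be generated, not picked by hand, so that it does not collide with another site's prefix when networks are joined over a VPN. As an added example (not part of Internode's guide or of this article's original configuration), the following Python script implements the RFC4193 section 3.2.2 algorithm: the Global ID is the low 40 bits of SHA-1 over a 64-bit NTP timestamp and an EUI-64, placed under fd00::/8. The fixed timestamp and MAC address used at the bottom are constructed values so the output is reproducible.

```python
"""Generate an RFC 4193 Unique Local IPv6 Address prefix (a /48 under fd00::/8).

Added example, not part of the original article. Follows RFC 4193 section
3.2.2: Global ID = low 40 bits of SHA-1(64-bit NTP time || EUI-64). The sample
timestamp and MAC address used under __main__ are constructed values.
"""
import hashlib
import ipaddress
import os
import time
from typing import Optional

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)


def ntp_timestamp_64(now: Optional[float] = None) -> bytes:
    """Time of day in 64-bit NTP format: 32-bit seconds since 1900 + 32-bit fraction."""
    if now is None:
        now = time.time()
    whole = int(now)
    seconds = (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    fraction = int((now - whole) * (1 << 32)) & 0xFFFFFFFF
    return seconds.to_bytes(4, "big") + fraction.to_bytes(4, "big")


def eui64_from_mac(mac: bytes) -> bytes:
    """Modified EUI-64 from a 48-bit MAC (RFC 4291 appendix A): insert FF:FE, flip the U/L bit."""
    if len(mac) != 6:
        raise ValueError("MAC address must be 6 bytes")
    eui = bytearray(mac[:3] + b"\xff\xfe" + mac[3:])
    eui[0] ^= 0x02
    return bytes(eui)


def global_id(ntp_time: bytes, eui64: bytes) -> int:
    """RFC 4193 Global ID: the least significant 40 bits of SHA-1(time || EUI-64)."""
    digest = hashlib.sha1(ntp_time + eui64).digest()
    return int.from_bytes(digest[-5:], "big")


def ula_prefix(ntp_time: bytes, eui64: bytes) -> ipaddress.IPv6Network:
    """Prefix = fc00::/7 with the L bit set (0xfd) followed by the 40-bit Global ID."""
    gid = global_id(ntp_time, eui64)
    prefix_int = (0xFD << 120) | (gid << 80)
    return ipaddress.IPv6Network((prefix_int, 48))


def fresh_ula_prefix(mac: Optional[bytes] = None) -> ipaddress.IPv6Network:
    """Generate a prefix from the current time and a supplied or random MAC address."""
    if mac is None:
        mac = os.urandom(6)
    return ula_prefix(ntp_timestamp_64(), eui64_from_mac(mac))


if __name__ == "__main__":
    # Constructed inputs: a fixed timestamp and a made-up MAC, so the output is reproducible.
    sample_time = ntp_timestamp_64(1_700_000_000.0)
    sample_eui64 = eui64_from_mac(bytes.fromhex("001122334455"))
    print("reproducible:", ula_prefix(sample_time, sample_eui64))
    print("fresh:       ", fresh_ula_prefix())
```

The /48 printed by fresh_ula_prefix() is the value to substitute for FDFF:FFFF:FFFF::/48 everywhere in the configuration; the first /64 under it (…:1::/64) then goes on the LAN interface and …::1 on Loopback0.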
If you are configuring the router for the first time, connect a serial cable
to the router's console port. The default settings for the console port are 9600
baud, 8 data bits, no parity, 1 stop bit and no flow control. Use a terminal
emulator like cu(1):
cu -l /dev/tty.usbmodem1a21 -s 9600
or screen(1):
screen /dev/ttyACM0 9600
Connecting via Ethernet
NBN services delivered to end users via FTTP or HFC require the CPE router to
connect via Ethernet. The wide area network (WAN) interface is
GigabitEthernet0/1.
The complete config file can be downloaded from here.
1 !
2 version 15.8
3 no service pad
4 service tcp-keepalives-in
5 service tcp-keepalives-out
6 service timestamps debug datetime msec localtime show-timezone
7 service timestamps log datetime msec localtime show-timezone
8 service password-encryption
9 service sequence-numbers
10 !
11 hostname router
12 !
13 security authentication failure rate 3 log
14 no logging console
15 enable secret cisco
- Line 11: Give your router a name.
- Line 13: Log after three consecutive failed login attempts and enforce a 15
second quiet period before further attempts are accepted.
- Line 14: Disable writing log messages to the console. Flooding the console
with logs may make your router unusable.
- Line 15: Set an enable password for elevated privileges. Replace
"cisco" with your password. On IOS releases that support it, "enable
algorithm-type scrypt secret" stores the hash with scrypt (type 9) rather than
the default salted MD5 (type 5).
16 !
17 aaa new-model
18 !
19 aaa authentication login default local-case
20 aaa authorization exec default local
21 !
22 aaa session-id common
- Lines 17-20: Use the credentials stored locally on the router for
authentication and authorization. "local-case" makes usernames case sensitive.
23 clock timezone ACST 9 30
24 clock summer-time ACDT recurring 1 Sun Oct 2:00 1 Sun Apr 3:00
- Lines 23-24: Set timezone and summer-time.
25 !
26 no ip source-route
27 !
28 !
- Line 26: Disable IPv4 source routing.
29 !
30 ip dhcp pool vlan1
31 network 192.168.1.0 255.255.255.0
32 domain-name local
33 dns-server 192.168.1.1
34 default-router 192.168.1.1
35 !
36 no ip bootp server
37 ip host router.local 192.168.1.1 FDFF:FFFF:FFFF::1
- Lines 30-34: Enable DHCP and set IPv4 network parameters that will be
provided to clients. This router is the local DNS server.
- Line 36: Do not respond to BOOTP requests.
- Line 37: Add name to address mapping for this router.
38 ip cef
39 ipv6 flowset
40 ipv6 unicast-routing
41 ipv6 dhcp pool vlan1
42 dns-server FDFF:FFFF:FFFF::1
43 domain-name local
44 !
45 ipv6 cef
46 !
- Lines 38 & 45: Enable Cisco Express Forwarding for IPv4 and IPv6.
- Line 39: Set flow label for IPv6 traffic originating from this router.
- Line 40: Enable IPv6 routing.
- Lines 41-43: Enable DHCPv6 and set IPv6 parameters that will be provided to
clients. This router is the local DNS server.
47 parameter-map type ooo global
48 tcp reassembly queue length 1024
49 tcp reassembly memory limit 2048
50 !
- Lines 47-49: Set the maximum queue length and memory limit for buffering
out-of-order (ooo) TCP segments. The firewall holds such segments until the
missing ones arrive so that it can inspect the stream in order rather than
dropping the session.
51 username cisco privilege 15 secret cisco
52 !
53 redundancy
54 !
55 !
- Line 51: Create credentials for accessing this router. Replace "username
cisco" with your desired username and "secret cisco" with your
password. If "privilege 15" is omitted then the enable password
from line 15 will be required for full privileges.
56 !
57 ip tcp ecn
58 ip tcp selective-ack
59 ip tcp path-mtu-discovery
60 !
- Lines 57-59: Enable explicit congestion notification, selective acknowledgement
and path MTU discovery for TCP sessions originating from this router.
61 policy-map type inspect in-out
62 class class-default
63 inspect
64 !
65 zone security inside
66 zone security outside
67 zone-pair security in-out source inside destination outside
68 service-policy type inspect in-out
69 !
70 !
- Line 61: Create a firewall policy labeled in-out.
- Lines 62-63: This policy will inspect all traffic and allow return traffic.
- Lines 65-66: Create the security zones.
- Lines 67-68: Specify that traffic from the inside zone to the
outside zone will be inspected by the in-out policy defined in
line 61. Traffic between zones for which no policy exists, such as
outside to inside, will be dropped. Traffic to and from the router
itself belongs to the implicit self zone and is permitted by default. To fine
tune the firewall consult the Cisco Security
Configuration Guide.
71 !
72 !
73 interface Loopback0
74 no ip address
75 ipv6 address NODE-PD ::1/128
76 ipv6 address FDFF:FFFF:FFFF::1/128
77 !
- Line 75: Assign an IPv6 address derived from the Internode assigned IPv6 prefix to the router's internal Loopback interface.
- Line 76: Assign a locally unique IPv6 address to the router's internal Loopback interface.
This will allow connectivity prior to receiving a prefix from Internode.
78 interface GigabitEthernet0/0
79 ip address 192.168.1.1 255.255.255.0
80 ip dns view-group internal
81 ip nat inside
82 ip virtual-reassembly in
83 zone-member security inside
84 duplex auto
85 speed auto
86 ipv6 address NODE-PD 0:0:0:1::/64 eui-64
87 ipv6 address FDFF:FFFF:FFFF:1::/64 eui-64
88 ipv6 nd other-config-flag
89 ipv6 nd router-preference High
90 ipv6 nd ra dns server FDFF:FFFF:FFFF::1
91 ipv6 dhcp server vlan1 rapid-commit
92 ipv6 virtual-reassembly in
93 !
- Line 79 & 87: Assign IPv4 and IPv6 local addresses to the LAN interface.
- Line 86: Assign a globally unique IPv6 address derived from the Internode
assigned prefix.
- Line 80: DNS queries arriving on this interface will be evaluated by the
internal view-list.
- Line 81: Perform Network Address Translation (NAT) on IPv4 traffic from this
interface to the outside.
- Line 82 & 92: Reassemble packet fragments prior to forwarding.
- Line 83: This interface is connected to the inside security zone.
- Line 88: Indicate in router advertisements that DHCPv6 is available for other IPv6 network
parameters. These parameters are configured in lines 41-43 and are required for
clients that do not learn DNS servers from router advertisements as per RFC5006 (now RFC8106).
- Line 89: Indicate in router advertisements that this router is the highest
priority default route.
- Line 90: Indicate in router advertisements that this router is the DNS
server for this network as per RFC5006.
- Line 91: Enable the DHCPv6 server on this interface.
94 interface GigabitEthernet0/1
95 description --- Ethernet to NBN ---
96 no ip address
97 duplex auto
98 speed auto
99 pppoe enable
100 pppoe-client dial-pool-number 1
101 no cdp enable
102 !
- Line 94: This is the WAN link to Internode.
- Lines 99-100: Enable PPPoE on this interface and assign it to pool
1.
- Line 101: Disable Cisco
Discovery Protocol on this interface.
103 interface Dialer1
104 mtu 1492
105 ip address negotiated
106 no ip proxy-arp
107 ip nat outside
108 ip virtual-reassembly in
109 zone-member security outside
110 encapsulation ppp
111 ip tcp adjust-mss 1452
112 dialer pool 1
113 no cdp enable
114 ipv6 address autoconfig default
115 ipv6 nd ra suppress all
116 ipv6 tcp adjust-mss 1432
117 ipv6 dhcp client pd NODE-PD rapid-commit
118 ipv6 virtual-reassembly in
119 ppp chap hostname username@internode.on.net
120 ppp chap password password
121 ppp ipcp dns request
122 ppp ipcp route default
123 !
- Line 103: Create a virtual Dialer interface.
- Line 110 & 112: Enable PPP encapsulation and put the interface in pool
1. Lines 112 and 100 link the physical and virtual interfaces.
- Line 104: Set the MTU to ethernet MTU minus PPPoE header size.
- Line 105 & 114: Set the IPv4 & IPv6 address on this interface via IPCP and IPv6CP.
- Line 106: Disable
proxy
arp on this interface.
- Line 107: This is the outside NAT interface.
- Line 108 & 118: Reassemble packet fragments prior to forwarding.
- Line 109: This interface is connected to the outside security
zone.
- Lines 111 & 116: Reduce the TCP Maximum Segment Size (MSS) for connections traversing this
interface due to the lower MTU: 1492 less a 20 byte IPv4 or 40 byte IPv6 header and a
20 byte TCP header. This is more efficient than fragmentation and path MTU discovery, but
only works for TCP.
- Line 115: Disable all router advertisements including in response to
solicitations.
- Line 117: Obtain an IPv6 prefix from Internode using the router's DHCPv6 client and label it
NODE-PD.
- Lines 119-120: Authenticate your PPP session using the credentials supplied
by Internode.
- Lines 121-122: Obtain upstream DNS server addresses and the IPv4 default route via IPCP.
The IPv6 default route comes from the router advertisement accepted on line 114.
124 no ip http server
125 ip http access-class 2
126 ip http authentication aaa
127 no ip http secure-server
128 ip http timeout-policy idle 60 life 86400 requests 10000
129 !
- Lines 124 & 127: Disable the HTTP and HTTPS management servers. Lines 125, 126
and 128 only take effect if one of them is re-enabled.
130 ip dns view none
131 no domain lookup
132 no dns forwarding
133 ip dns view default
134 domain name local
135 ip dns view-list internal
136 view default 10
137 ip dns view-list external
138 view none 10
139 ip dns server view-group external
140 ip dns server
141 ip dns primary local soa ns.local hostmaster.example.com
- Lines 130-138: Configure two DNS views. The none view will be
presented to external queries and the default view to
internal queries. In the none view, the DNS server will
respond with SERVFAIL to all queries.
- Line 139: The default view-list is external. This prevents your
router being an open recursive resolver.
- Line 140: Enable the DNS server.
- Line 141: Configure a local zone for which this router is
authoritative. Queries in this zone will not be forwarded to other name servers.
Replace hostmaster.example.com with your email address substituting
"." in place of the "@". The example hostmaster.example.com
corresponds to the email address hostmaster@example.com.
142 ip nat inside source route-map dsl interface Dialer1 overload
- Line 142: Enable NAT on IPv4 traffic between the inside and
outside interfaces that matches route-map dsl on line 152.
143 ip ssh version 2
144 ip ssh pubkey-chain
145 username cisco
146 key-hash ssh-rsa FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
147 ip ssh server algorithm mac hmac-sha2-256
148 ip ssh server algorithm encryption aes256-ctr
149 ip ssh server algorithm authentication publickey
150 ip ssh client algorithm encryption aes256-ctr
151 !
- Line 143: Only accept SSH protocol version 2.
- Lines 144-146: Store the SSH public key the user may log in with. The key-hash
is the MD5 digest of the public key; the key can also be pasted under
"key-string" and IOS will store it in this form. Replace the FFFF... placeholder
with the hash of your own key.
- Lines 147-149: Restrict the SSH server to HMAC-SHA2-256, AES-256-CTR and public
key authentication, so no password can be guessed over SSH.
- Line 150: Restrict the router's own SSH client to AES-256-CTR.
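The value on line 146 has to be derived from the key you actually use. As an added example (not code from the article), the following Python script computes it from an OpenSSH public key line and renders the pubkey-chain stanza. It assumes, as the annotations above do, that the IOS key-hash is the MD5 digest of the raw ssh-rsa key blob (the fingerprint "ssh-keygen -l -E md5" prints, without the colons). The sample key is a constructed toy with a 64-bit modulus, not a usable key.

```python
"""Compute the value IOS stores under "ip ssh pubkey-chain" as "key-hash ssh-rsa <hash>".

Added example, not part of the original article. Assumption: the key-hash is
the MD5 digest of the raw ssh-rsa public key blob, i.e. the fingerprint that
"ssh-keygen -l -E md5" prints, with the colons removed. The sample key below is
a constructed toy (64-bit modulus) for illustration only.
"""
import base64
import hashlib


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string (RFC 4251): 4-byte big-endian length then the bytes."""
    return len(data).to_bytes(4, "big") + data


def ssh_mpint(value: int) -> bytes:
    """SSH mpint for a non-negative integer: big-endian, with a leading 0x00 if the top bit is set."""
    if value < 0:
        raise ValueError("only non-negative integers appear in public keys")
    raw = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return ssh_string(raw)


def rsa_public_blob(e: int, n: int) -> bytes:
    """ssh-rsa public key blob (RFC 4253 s6.6): string "ssh-rsa", mpint e, mpint n."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def key_hash_from_blob(blob: bytes) -> str:
    """32 uppercase hex characters, the way IOS prints key-hash values in the running-config."""
    return hashlib.md5(blob).hexdigest().upper()


def ios_key_hash(openssh_line: str) -> str:
    """Key hash for an OpenSSH public key line of the form "ssh-rsa AAAA... comment"."""
    fields = openssh_line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("expected an OpenSSH ssh-rsa public key line")
    blob = base64.b64decode(fields[1], validate=True)
    # The blob itself starts with its key type; make sure it agrees with the line.
    type_len = int.from_bytes(blob[:4], "big")
    if blob[4:4 + type_len] != b"ssh-rsa":
        raise ValueError("key blob does not start with the ssh-rsa type string")
    return key_hash_from_blob(blob)


def pubkey_chain_stanza(username: str, openssh_line: str) -> str:
    """Render the IOS lines equivalent to lines 144-146 for this user and key."""
    return "\n".join([
        "ip ssh pubkey-chain",
        f" username {username}",
        f"  key-hash ssh-rsa {ios_key_hash(openssh_line)}",
    ])


# Constructed sample: a toy 64-bit RSA public key, never usable as a real key.
SAMPLE_E = 65537
SAMPLE_N = 0xC3A5F1E9B7D2A4C5
SAMPLE_LINE = (
    "ssh-rsa "
    + base64.b64encode(rsa_public_blob(SAMPLE_E, SAMPLE_N)).decode()
    + " user@example.com"
)

if __name__ == "__main__":
    print(pubkey_chain_stanza("cisco", SAMPLE_LINE))
```

Run it against the contents of your own id_rsa.pub instead of SAMPLE_LINE; because line 149 allows public key authentication only, a wrong hash here locks you out of SSH, so verify the stanza over the console before disconnecting.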
152 route-map dsl
153 match interface Dialer1
154 !
- Lines 152-153: Match all traffic on the Dialer1 interface. This is
used to identify IPv4 traffic to NAT on line 142.
155 access-list 1 remark VTY Access-class list
156 access-list 1 permit 192.168.1.0 0.0.0.255
157 access-list 2 remark HTTP Access-class list
158 access-list 2 permit 192.168.1.0 0.0.0.255
159 !
- Lines 156 & 158: Specify IPv4 addresses from which users will be able to log into
the router over SSH (list 1) and, should it ever be enabled, HTTP (list 2).
160 !
161 !
162 ipv6 access-list vty
163 permit ipv6 FE80::/10 any
164 permit ipv6 FDFF:FFFF:FFFF::/48 any
165 permit ipv6 2001:DB8:A:B00::/56 any
- Lines 162-165: Specify IPv6 addresses from which users will be able to log into
the router: link-local, your locally unique prefix and the prefix delegated by Internode.
Replace 2001:DB8:A:B00::/56 with the prefix actually delegated to you on line 117.
166 !
167 control-plane
168 !
169 line con 0
170 transport preferred none
171 line aux 0
172 line vty 0 4
173 access-class 1 in
174 ipv6 access-class vty in
175 transport preferred none
176 transport input ssh
177 !
- Line 170 & 175: Do not use any "preferred" transport to establish
outgoing connections. This prevents annoying DNS lookups for mistyped commands.
- Lines 173-174: Allow remote connections from addresses specified in access-list
1 on line 156 and access-list vty on line 162.
- Line 176: Only allow remote login using SSH.
178 no ntp allow mode control
179 ntp update-calendar
180 ntp server ntp.internode.on.net
181 ntp server ipv6 ntp.internode.on.net
182 !
183 end
- Line 178: Do not answer NTP mode 6 control queries, which leak information
about the router and can be abused for amplification.
- Line 179: Periodically update the router hardware clock with the time
obtained from NTP.
- Lines 180-181: Set an NTP server that this router will sync to. Only one of
these lines is required.
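Several of the points annotated above (every forwarding interface in a security zone, VTYs restricted to SSH behind an access-class, HTTP servers off, source routing off) are easy to lose when a configuration is edited by hand. As an added example, not from the article, the following Python script parses an IOS configuration into sections and checks those points. SAMPLE_CONFIG is a constructed, trimmed copy of the configuration above with two weaknesses introduced on purpose: Dialer1 is in no zone and the VTYs accept telnet. The Loopback exemption is deliberate, since traffic to the router's own addresses belongs to the self zone.

```python
"""Audit an IOS config for the hardening points set by the configuration above.

Added example, not part of the original article. SAMPLE_CONFIG is a
constructed, trimmed variant of the article's config with two deliberate
weaknesses: Dialer1 is in no security zone and the VTYs accept telnet.
"""
from typing import List, Tuple

Section = Tuple[str, List[str]]  # (top-level command, indented sub-commands)

# Global commands the article's configuration relies on for hardening.
GLOBAL_REQUIRED = [
    "service password-encryption",
    "no ip source-route",
    "no ip http server",
    "no ip http secure-server",
    "ip ssh version 2",
]

SAMPLE_CONFIG = """\
version 15.8
service password-encryption
no ip source-route
ip ssh version 2
no ip http server
no ip http secure-server
!
interface Loopback0
 no ip address
 ipv6 address FDFF:FFFF:FFFF::1/128
!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 zone-member security inside
!
interface GigabitEthernet0/1
 no ip address
 pppoe enable
!
interface Dialer1
 ip address negotiated
 encapsulation ppp
!
line vty 0 4
 access-class 1 in
 transport input telnet ssh
!
end
"""


def parse_sections(config: str) -> List[Section]:
    """Group an IOS config into sections using IOS's leading-space indentation."""
    sections: List[Section] = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue  # blank lines and "!" separators carry no configuration
        if line.startswith(" ") and sections:
            sections[-1][1].append(line.strip())
        else:
            sections.append((line.strip(), []))
    return sections


def audit(config: str) -> List[str]:
    """Return findings as strings; an empty list means every check passed."""
    sections = parse_sections(config)
    top_level = {header for header, _ in sections}
    findings: List[str] = []

    for command in GLOBAL_REQUIRED:
        if command not in top_level:
            findings.append(f"missing global command: {command}")

    for header, children in sections:
        if header.startswith("interface "):
            name = header.split(" ", 1)[1]
            # Traffic to the router's own addresses is self-zone traffic, so a
            # Loopback needs no zone membership; forwarding interfaces do.
            if name.lower().startswith("loopback"):
                continue
            addressed = any(c.startswith(("ip address", "ipv6 address")) for c in children)
            in_zone = any(c.startswith("zone-member security") for c in children)
            if addressed and not in_zone:
                findings.append(f"{header} carries an address but is in no security zone")
        elif header.startswith("line vty"):
            transports = [c for c in children if c.startswith("transport input")]
            if not transports or any(c.split()[2:] != ["ssh"] for c in transports):
                findings.append(f"{header}: transport input is not restricted to ssh")
            if not any(c.startswith(("access-class", "ipv6 access-class")) for c in children):
                findings.append(f"{header}: no access-class limits management sources")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Feed it the output of "show running-config" to check a live router; the parser only relies on IOS's one-space indentation of sub-commands, so it copes with the full configuration above as well as the trimmed sample.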
Connecting via DSL
NBN Fibre-to-the-Node (FTTN) connections are provisioned using VDSL2 technology.
Cisco routers can terminate a FTTN connection if they are equipped with a
EHWIC-VA-DSL-M
or NIM-VAB-M
module.
The module is configured through the statements below, which replace
the statements under the GigabitEthernet0/1 interface on lines 94-101
above. Cisco IOS 15.6(3)M or later is required for FTTN compatibility.
The FTTN WAN interface is Ethernet0/0/0, which corresponds to the
physical port on the VDSL module labeled VDSLoPOTS.
The complete configuration file can be downloaded from here.
1 !
2 controller VDSL 0/0/0
3 sra
4 !
5 interface ATM0/0/0
6 no ip address
7 shutdown
8 !
9 interface Ethernet0/0/0
10 description --- VDSL to NBN ---
11 no ip address
12 pppoe enable
13 pppoe-client dial-pool-number 1
14 !
- Lines 2-3: Enable Seamless Rate Adaptation (SRA).
- Lines 5-7: Disable ADSL1/2/2+ mode.
- Line 9: This is the VDSL2 WAN link to Internode.
- Lines 12-13: Enable PPPoE on this interface and assign it to pool
1 which will link this physical interface to the virtual
Dialer1 PPP interface on lines 103-122 above.
Useful IOS Commands
- enable: Change the privilege level.
- show logging: Show router logs.
- show interfaces gigabitEthernet 0/0: Show interface information.
- show controller vdsl 0/0/0: Show VDSL line status and statistics.
- show pppoe session all: Show PPPoE session status and statistics.
- show ipv6 neighbors detail: Show NDP information.
- show policy-firewall session: Show current firewall sessions.
- show ntp status: Show NTP synchronisation information.
- show ip dns statistics: Show IOS DNS server information.
- show hosts: Show local DNS cache entries.
- show ip nat translations: Show IPv4 NAT translations.
- show processes cpu history: Show router CPU utilisation.
- show license: Show license information.