Hi,

We are a small ISP and have a setup in place with the local cable company for terminating their users via L2TP for Internet access. However, they have just announced to us that they are moving to a DOCSIS 3.0 compliant setup, and this standard no longer supports PPPoE via L2TP, and can now only offer PPTP for terminating with us.

We have already begun replacing our Cisco 7206VXR LNS devices with Cisco ASR 1Ks, and as you will be aware, the older 7206 can do both L2TP and PPTP, whereas the ASR1k can do only L2TP.

I do not have any experience in the cable arena, but from what I have read in the DOCSIS standards, each version has maintained backwards compatibility, therefore I am very surprised our CableCo has claimed they cannot do PPPoE/L2TP anymore. The CMTS they are currently using is a Cisco, and now they are moving to a new ARRIS CMTS. I have not been able to find any information on this device and what it can or cannot do.

With the ASR1K marked as the natural upgrade path for LNS functions, I cannot believe that it is not fully compatible with DOCSIS 3.0. From what I can tell, the only way to accommodate the new CMTS PPTP connections will be to terminate them on the legacy 7206VXR, which at the end of the day is a backwards step.

I would greatly appreciate it if anyone can give me any pointers and/or suggestions on this matter, so I can understand it and move it forward.

FYI: The driver for the CMTS upgrades is to offer higher bandwidth access speeds, 15mb-20mb.

Thank you.
On Mon, 30 Jul 2012 08:33:51 -0400, iptech <iptech@northrock.bm> wrote:
As I recall from my reading of "the standard", there's nothing in there to prevent any tunneling on top of the DOCSIS bridged ethernet. I suspect this is not a "standard" problem but an ISP problem... their new hardware doesn't support PPPoE/L2TP, it's an additional license, or they don't know how (or unwilling) to configure it. (I'm assuming the PPPoE is between you and the customer, and L2TP is between your network and the cable network. i.e. L2TP is how your customers are brought to you from the cable network.) I have no documentation on ARRIS either, so I don't know what they can/cannot do.
Hey Ricky,

Yes, that is the exact setup: the cableco brings the customer to us via L2TP, and now wants to do PPTP only. I will keep digging on the ARRIS, which I have been told is a C4 system, although their website doesn't show many tech specs. They are pushing for the L3 option since their CMTS will now be a hop in the path between the customer and us, instead of L2 transparent.

Suggestions?

Thanks,

On 7/31/2012 5:19 PM, Ricky Beam wrote:
To elaborate on Valdis' reply: stick a fork in PPTP, it is done. https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/

On Tue, Jul 31, 2012 at 3:13 PM, iptech <iptech@northrock.bm> wrote:
-- 
Kyle Creyts
Information Assurance Professional
BSidesDetroit Organizer
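Kyle's point has an operational side for the LNS operator: before the PPTP path can be retired, you need to know where PPTP is actually in use. The following added example (mine, not from Kyle's post or any vendor tool) classifies constructed flow records by tunnel type, tying GRE data flows to a TCP/1723 control session between the same two hosts and listing the PPTP servers seen. The addresses, the CSV layout and the protocol-to-label mapping are assumptions made up for the example; only the port and protocol numbers come from the RFCs cited in the comments.

```python
from collections import Counter

# Constructed sample flow records (made-up addresses from the documentation
# ranges): src_ip,src_port,dst_ip,dst_port,ip_proto
SAMPLE_FLOWS = """\
198.51.100.10,51234,203.0.113.5,1723,6
198.51.100.10,0,203.0.113.5,0,47
198.51.100.11,40001,203.0.113.6,1701,17
198.51.100.12,40002,203.0.113.7,443,6
198.51.100.13,0,203.0.113.5,0,47
"""

PPTP_CONTROL_PORT = 1723   # TCP, RFC 2637
L2TP_PORT = 1701           # UDP, RFC 2661
PROTO_TCP, PROTO_UDP, PROTO_GRE = 6, 17, 47


def parse_flows(text):
    """Turn the CSV-style lines into (src, sport, dst, dport, proto) tuples."""
    rows = []
    for line in text.strip().splitlines():
        src, sp, dst, dp, proto = line.split(",")
        rows.append((src, int(sp), dst, int(dp), int(proto)))
    return rows


def inventory(text):
    """Classify flows and return per-type counts plus the PPTP servers seen.

    GRE is only labelled PPTP data when the same two hosts also have a
    TCP/1723 control connection; any other GRE is reported separately so
    it is not mistaken for PPTP."""
    rows = parse_flows(text)
    # First pass: host pairs that have a PPTP control channel.
    pptp_pairs, pptp_servers = set(), set()
    for src, sp, dst, dp, proto in rows:
        if proto == PROTO_TCP and PPTP_CONTROL_PORT in (sp, dp):
            pptp_pairs.add(frozenset((src, dst)))
            pptp_servers.add(dst if dp == PPTP_CONTROL_PORT else src)
    # Second pass: label every flow.
    counts = Counter()
    for src, sp, dst, dp, proto in rows:
        if proto == PROTO_TCP and PPTP_CONTROL_PORT in (sp, dp):
            kind = "pptp-control"
        elif proto == PROTO_GRE:
            kind = "pptp-data" if frozenset((src, dst)) in pptp_pairs else "gre-other"
        elif proto == PROTO_UDP and L2TP_PORT in (sp, dp):
            kind = "l2tp"
        else:
            kind = "other"
        counts[kind] += 1
    return {"counts": dict(counts), "pptp_servers": sorted(pptp_servers)}


if __name__ == "__main__":
    print(inventory(SAMPLE_FLOWS))
```

Run against an export from the LNS or a flow collector, the `pptp_servers` list is the set of terminating endpoints that still accept MS-CHAPv2-authenticated sessions and therefore the migration scope; the `gre-other` bucket catches GRE that has no matching control channel and should be investigated rather than assumed to be PPTP.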
Hi iptech

As others have said, early Cisco CMTS could do full bridging and/or PPPoE termination, but newer gear is typically L3 style only.

For wholesale, the cableco could do one of these:

* L2 solution: Change your customers to be configured as DOCSIS BSoD L2VPN, and deliver you one dot1q VLAN per customer. You can continue to use PPPoE with this config (sessions landing directly on your LNS). Gotcha: don't know about Arris, but Cisco caps you at 4K VLANs per chassis, which means this solution doesn't scale all that well.

* L2 solution: Change your customers to be set up as DOCSIS BSoD L2VPN, and deliver you one MPLS pseudowire per customer. You can continue to use PPPoE with this config (sessions landing directly on your LNS). Gotcha: don't know about Arris, but Cisco caps you at 16K pw per chassis, which means this solution only provides moderate scaling. Also you have to somehow terminate all these pw (which are "xconnect"s in Cisco-speak).

* L3 solution: Change your customers to land on a dedicated bundle and VRF. Apply policy based routing to force-forward all the CPE traffic up a VLAN to you. If you want to be able to authenticate/count/shape then you probably need to terminate this traffic as IPoE (use a dedicated BNG, or maybe you could try Cisco ISG). Cableco would provide the DHCP for the CM, you would provide the DHCP for the CPE. CMTS would insert CM MAC as option 82 so you know which CPE belongs to which CM/customer.

* L3 solution: Last option is to do what they proposed. I would probably still implement this with a dedicated bundle and VRF. But rather than having to land the sessions as IPoE, you can now have them come in as PPTP. This allows you to authenticate/count/shape via your LNS.

Hope that helps,
Michael.
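As an added example (not Michael's code or anything vendor-supplied) of the option 82 step in the IPoE option: the Python below builds a constructed DHCPDISCOVER the way a relaying CMTS might hand it to the ISP's DHCP server, with the CM MAC carried in the option 82 Remote ID sub-option, parses it back out, and binds the CPE request to a subscriber record, refusing a lease when the relay information is missing or the CM is unknown. Which sub-option a given CMTS uses for the CM MAC (Remote ID is assumed here), the circuit-id text, the MAC addresses and the subscriber table are all assumptions for the example and need checking against the cableco's actual relay configuration.

```python
import struct
from typing import Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE, OPT_RELAY_AGENT = 53, 82          # RFC 2132, RFC 3046
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2      # RFC 3046 sub-options


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_tlvs(blob: bytes) -> dict:
    """Parse DHCP code/len/value options into {code: value}.
    Also used for the sub-options inside option 82; their codes 0 and 255
    are reserved by RFC 3046, so the PAD/END handling does no harm there."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        opts[code] = value
        i += 2 + length
    return opts


def relay_info(packet: bytes) -> dict:
    """Return the CPE MAC (chaddr) and, if the CMTS inserted option 82, the
    CM MAC from the Remote ID sub-option (assumed placement) plus the raw
    Circuit ID bytes."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    hlen = packet[2]
    info = {"cpe_mac": mac_str(packet[28:28 + hlen]), "cm_mac": None, "circuit_id": None}
    opts = parse_tlvs(packet[240:])
    if OPT_RELAY_AGENT in opts:
        sub = parse_tlvs(opts[OPT_RELAY_AGENT])
        if SUBOPT_REMOTE_ID in sub and len(sub[SUBOPT_REMOTE_ID]) == 6:
            info["cm_mac"] = mac_str(sub[SUBOPT_REMOTE_ID])
        info["circuit_id"] = sub.get(SUBOPT_CIRCUIT_ID)
    return info


def build_discover(cpe_mac: bytes, cm_mac: Optional[bytes],
                   circuit_id: bytes = b"cable-mac 1") -> bytes:
    """Constructed DHCPDISCOVER with a CMTS-style option 82 (test input only).
    hops=1 and the circuit-id text are made-up values."""
    header = struct.pack("!BBBB4sHH4s4s4s4s16s64s128s",
                         1, 1, 6, 1, b"\x12\x34\x56\x78", 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         cpe_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = bytes([OPT_MSG_TYPE, 1, 1])              # DHCPDISCOVER
    if cm_mac is not None:
        sub = bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
        sub += bytes([SUBOPT_REMOTE_ID, len(cm_mac)]) + cm_mac
        options += bytes([OPT_RELAY_AGENT, len(sub)]) + sub
    return header + MAGIC_COOKIE + options + bytes([OPT_END])


# Constructed subscriber table: CM MAC -> account. Real data would come from
# the cableco's provisioning feed.
SUBSCRIBERS = {"00:1c:f0:aa:bb:cc": "acct-1001"}


def lookup_subscriber(packet: bytes, table: dict = SUBSCRIBERS) -> Optional[str]:
    """Bind the CPE request to a subscriber via the CM MAC. A request with no
    option 82 (not relayed by the CMTS) or with an unknown CM gets no lease,
    so a CPE cannot obtain service on the strength of its own MAC alone."""
    info = relay_info(packet)
    if info["cm_mac"] is None:
        return None
    return table.get(info["cm_mac"])


if __name__ == "__main__":
    pkt = build_discover(bytes.fromhex("0011223344aa"), bytes.fromhex("001cf0aabbcc"))
    print(relay_info(pkt), lookup_subscriber(pkt))
```

The design point is that the CPE MAC in `chaddr` is client-supplied and says nothing about which customer is behind it; the CM MAC inserted by the CMTS is the only field the ISP can trust for accounting and shaping, which is why `lookup_subscriber` keys on it and treats its absence as a hard failure rather than falling back to `chaddr`.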
Hey Michael,

Thanks for the feedback. From the scenarios below, I think that option 3 would be more feasible, i.e. BSoD L2VPN via pw. Our max expected number of sessions would not exceed 10k, so probably not a hw limiting issue for us. For option 4, we cannot accommodate this, as we are moving to ASR1K, which does not support PPTP, only L2TP. I am reading through the DOCSIS L2VPN specification to understand the model better.

Thanks,

On 7/31/2012 9:03 PM, Michael Bowe wrote:
On Mon, 30 Jul 2012 09:33:51 -0300, iptech said:
"Hi ISP, meet Moxie Marlinspike. Moxie, meet ISP. I think you two have something to discuss..."
participants (5): iptech, Kyle Creyts, Michael Bowe, Ricky Beam, valdis.kletnieks@vt.edu