Configure Cisco ASA 5505 for XS4all (FTTH)

Hello, and welcome to my new blog on the new site https://www.microcloud.nl

This BLOG is about configuring a Cisco ASA 5505 device for a Fiber To The Home connection in The Netherlands. Last week I migrated from OnsBrabantNet to XS4all. Despite the patching issues in the POP, after 4 days it finally works.

XS4all provides a FRITZBOX “modem” to connect the home network to the Fiber connection. The FRITZBOX does the PPPoE authentication, wireless, DHCP etc. Despite the fact that this “modem” works pretty well, I want to replace it with my Cisco ASA as soon as possible. The FRITZBOX doesn’t provide VLAN support or Access Lists. My former ISP (OnsBrabantNet) delivered a UTP connection on the “Packetfront”. I just configured the Outside Interface on the Cisco ASA with my static PUBLIC IP and everything worked well.

Unfortunately, XS4all doesn’t do that. We need to use PPPoE to make it work. And although XS4all provides a static IP, it will be provided by DHCP.

On the website of XS4all I found some hints on how to get this to work.

  • Internet: dot1q VLAN 6. Use PPPoE for IPv4 and IPv6. (My Cisco ASA doesn’t support PPPoE for IPv6 using Prefix Delegation; that needs ASA Software 9.6 or higher, and the ASA 5505 doesn’t go higher than 9.2.x.)
  • For IPTV use dot1q VLAN4 and bridge this to network ports.

Source page XS4all: https://www.xs4all.nl/service/diensten/internet/installeren/modem-instellen/hoe-kan-ik-een-ander-modem-dan-fritzbox-instellen.htm

Used equipment:

  • Cisco ASA 5505 (ASA version 9.2(4)28 and ASDM version 7.6(2))
  • DLINK DSG-1100-16 (16 port managed Gbit switch, running firmware: 1.10.005)
  • XS4all Fiber To The Home fiber-to-UTP connection, a.k.a. the “NT”
  • XS4all provided Set Top Box for television. It needs power, network and HDMI or SCART cable to connect to the TV.

My subscription is 80Mbit/80Mbit. The ports of the ASA max out at 100Mbit, so this shouldn’t be a problem.

At first, I connected the UTP cable from the NT directly to Eth0/0 of the Cisco ASA and configured the ASA. Unfortunately, this resulted in a slow download speed of around 50Mbit, instead of around 80Mbit. The NT does support a 100Mbit connection but seems to punish me for the lower NIC speed of the Cisco ASA.

So, I connected the NT directly to my DLINK switch and TAGGED the VLAN6 there.

It is now possible to connect the IPTV STB to the managed switch using an untagged VLAN4 port, or to TRUNK the VLAN4 to the Cisco ASA and use an untagged VLAN4 port over there. Personally, I connect the IPTV only to the managed switch, for two reasons:

  • The connection from the Switch is 100Mbit, of which 80Mbit can be used for Internet breakout. The IPTV bandwidth comes on top of the Internet speed. If you trunk both to the 100Mbit port, only 20Mbit is spare for the TV; if the TV uses more than 20Mbit, the maximum speed of the Internet will go down.
  • It is more likely that I need to reboot the Cisco ASA for a new configuration than my DLINK switch, and when the IPTV STBs are connected to the Cisco ASA during a reboot, the IPTV will go offline for a few minutes. The VLAN4 bridging does not have to be performed by the Cisco ASA and can be done perfectly well by my DLINK Switch.

In this BLOG I used the terminology TAGGED and UNTAGGED. For Cisco switches or Cisco settings on the Cisco ASA it translates like this:

UNTAGGED -> Native VLAN
TAGGED -> TRUNK with one or more VLANs, and one Native VLAN (Untagged)

In Cisco land there can be only one Native VLAN per port; some other brands call this UNTAGGED, and there can be only one UNTAGGED VLAN per port. In the same way, there can be multiple VLANs in a Cisco TRUNK, and multiple VLANs TAGGED per port.

In the Cisco ASDM the configuration looks like this:


Standalone Cisco ASA with IPTV ports on Eth0/4 and Eth0/5

Cisco ASA with Managed switch IPTV ports on Eth0/4 and Eth0/5, trunk from switch on port Eth0/1

Shows the Interfaces when the PPPoE is connected.
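
The CLI equivalent for the Internet side of this setup (VLAN 6 TAGGED on the trunk from the switch on Eth0/1, PPPoE on the VLAN 6 interface), added here as an example and not taken from the original post. Assumptions: a Security Plus license (required for trunk ports on the ASA 5505), PAP authentication, the group name XS4ALL, and the PPPOE_USERNAME / PPPOE_PASSWORD placeholders; IPTV VLAN 4 stays on the managed switch.

```cisco
! Added example, not from the original post.
! XS4ALL (group name), PPPOE_USERNAME and PPPOE_PASSWORD are placeholders.
! PAP as the authentication method is an assumption.
!
! PPPoE dial-out group used by the outside interface.
vpdn group XS4ALL request dialout pppoe
vpdn group XS4ALL localname PPPOE_USERNAME
vpdn group XS4ALL ppp authentication pap
vpdn username PPPOE_USERNAME password PPPOE_PASSWORD
!
! VLAN 6 is the outside interface. The IP address and the default
! route (setroute) are taken from the PPPoE session.
interface Vlan6
 nameif outside
 security-level 0
 pppoe client vpdn group XS4ALL
 ip address pppoe setroute
!
! Trunk from the managed switch: only the Internet VLAN is allowed,
! and it arrives TAGGED.
interface Ethernet0/1
 switchport trunk allowed vlan 6
 switchport mode trunk
 no shutdown
!
! PPPoE adds 8 bytes of overhead to every frame.
mtu outside 1492
!
! Check the session afterwards with:
!   show vpdn session pppoe state
!   show ip address outside pppoe
```

With security-level 0 on the outside interface, connections initiated from the Internet towards higher-security interfaces are dropped unless an access list explicitly permits them.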