Configuring PPPoE

By stretch | Monday, April 20, 2009 at 12:00 a.m. UTC

One of the topics covered by the CCNP Implementing Secure Converged WANs exam is Point-to-Point Protocol over Ethernet, more casually known as PPPoE. Unfortunately, the exam only covers the configuration of the client side; not very handy if you intend to lab out a functioning link (highly recommended). Here we'll cover the configuration of both sides across an Ethernet link to demonstrate connection establishment.

PPPoE provides an emulated (and optionally authenticated) point-to-point link across a shared medium, typically a broadband aggregation network such as those found in DSL service providers. In fact, a very common scenario is to run a PPPoE client on the customer side (commonly on a SOHO Linksys or similar brand router), which connects to and obtains its configuration from the PPPoE server (head-end router) at the ISP side. Note that ATM is typically run between the customer's modem and the DSLAM, though it will be transparent in this lab since our PPPoE client exists on a separate device.

Server Configuration

The first task at the ISP end is to configure a Broadband Aggregation (BBA) group which will handle incoming PPPoE connection attempts. We'll name this MyGroup, and bind it to a virtual template to be created shortly.

ISP(config)# bba-group pppoe MyGroup
ISP(config-bba-group)# virtual-template 1

Here we can also apply PPPoE session limits. For example, we can limit the number of sessions established per client MAC address (setting this limit to 2 allows a new session to be established immediately if the prior session was orphaned and is waiting to expire). This is an optional step.

ISP(config-bba-group)# sessions per-mac limit 2

Next we'll create the virtual template for the customer-facing interface. When a PPPoE client initiates a session with this router, the router automatically spawns a virtual interface to represent that point-to-point connection.

ISP(config)# interface virtual-template 1

At a minimum, we'll need to configure two items on our virtual template: an IP address, and a pool of IP addresses from which clients are assigned a negotiated address (similar in operation to DHCP).

ISP(config-if)# ip address
ISP(config-if)# peer default ip address pool MyPool

You may be wondering where the IP pool is defined. Well, it isn't; that's what we have to do next. Back in global configuration mode, we define a local IP pool named MyPool with the starting and ending addresses of an IP range. If you've configured DHCP on IOS before, you should find this task very familiar.

ISP(config)# ip local pool MyPool

Last, we need to enable our PPPoE group on the interface facing the customer network.

ISP(config)# interface f0/0
ISP(config-if)# no ip address
ISP(config-if)# pppoe enable group MyGroup
ISP(config-if)# no shutdown

Note that this interface should not have an IP address; the addressing is provided by our virtual template.

Client Configuration

Client configuration is relatively simple. We create a dialer interface to handle the PPPoE connection, and tie it to a physical interface which provides the transport.

Creating our PPPoE dialer interface:

CPE(config)# interface dialer1
CPE(config-if)# dialer pool 1
CPE(config-if)# encapsulation ppp
CPE(config-if)# ip address negotiated

The line ip address negotiated instructs the client to use an IP address provided by the PPPoE server.

The PPP header adds 8 bytes of overhead to each frame. Assuming the default Ethernet MTU of 1500 bytes, we'll want to lower our MTU on the dialer interface to 1492 to avoid unnecessary fragmentation.

CPE(config-if)# mtu 1492

Lastly we assign our ISP-facing interface to our newly created PPPoE dial group:

CPE(config)# interface f0/0
CPE(config-if)# no ip address
CPE(config-if)# pppoe-client dial-pool-number 1
CPE(config-if)# no shutdown

If all is well, you should see a notification indicating the PPPoE session has successfully formed:

%DIALER-6-BIND: Interface Vi1 bound to profile Di1
%LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed
state to up

We can verify that interface Dialer1 has negotiated an IP address from the ISP router:

CPE# show ip interface brief 
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES manual up                    up      
Virtual-Access1            unassigned      YES unset  up                    up      
Dialer1                  YES IPCP   up                    up  

show pppoe session shows our PPPoE session with the ISP router terminated on Dialer0, via FastEthernet0/0:

CPE# show pppoe session 
 1 client session

Uniq ID  PPPoE  RemMAC          Port                  Source   VA         State
       SID  LocMAC                                         VA-st
N/A     16  ca00.4843.0008  Fa0/0                 Di1      Vi1        UP      
            ca01.4843.0008                                 UP         


Of course, at this point anyone can connect via PPPoE. Generally we only want to provide service to trusted (e.g. paying) customers, so adding some low-layer authentication would be a prudent step. PPP can use PAP or CHAP to authenticate clients, with the later heavily preferred.

On our ISP router, we'll create a local user account name CPE and the password MyPassword. (In real practice, account creation is typically performed on a back-end server and referenced via RADIUS or TACACS+ rather than being stored locally.)

ISP(config)# username CPE password MyPassword

Next we enforce CHAP authentication on our virtual template:

ISP(config)# interface virtual-template 1
ISP(config-if)# ppp authentication chap callin

This will terminate our client session, as we can see from the logs on CPE:

%DIALER-6-UNBIND: Interface Vi1 unbound from profile Di1
%LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down

To reestablish the connection from CPE, we'll need to enter the proper credentials:

CPE(config)# interface dialer 1
CPE(config-if)# ppp chap password MyPassword

We should see the PPPoE session come back up a few seconds later after successfully authenticating. debug ppp authentication can be used on the ISP router to monitor the CHAP exchange:

ppp50 PPP: Using vpn set call direction
ppp50 PPP: Treating connection as a callin
ppp50 PPP: Session handle[E800003A] Session id[50]
ppp50 PPP: Authorization required
ppp50 CHAP: O CHALLENGE id 1 len 24 from "ISP"
ppp50 CHAP: I RESPONSE id 1 len 24 from "CPE"
ppp50 PPP: Sent CHAP LOGIN Request
ppp50 PPP: Received LOGIN Response PASS
Vi1.1 PPP: Sent LCP AUTHOR Request
Vi1.1 PPP: Sent IPCP AUTHOR Request
Vi1.1 LCP: Received AAA AUTHOR Response PASS
Vi1.1 IPCP: Received AAA AUTHOR Response PASS
Vi1.1 CHAP: O SUCCESS id 1 len 4

The final configuration of both routers are attached below.

About the Author

Jeremy Stretch is a network engineer living in the Raleigh-Durham, North Carolina area. He is known for his blog and cheat sheets here at Packet Life. You can reach him by email or follow him on Twitter.

Posted in Remote Access


william H (guest)
April 20, 2009 at 1:45 a.m. UTC

Great article, Thanks for writing it.

David Prince (guest)
April 20, 2009 at 9:14 a.m. UTC

Fantastic article. Thanks stretch!

One thing i did notice (although its probably me being a complete novice) is that its only the password that is referenced in the client config and not the username in addition to this.

Is this correct?

Enchanter (guest)
April 20, 2009 at 9:57 a.m. UTC

Now I just use the client router's name as the user. Can I use other as the user name of PPPoE authentication?

Tassos (guest)
April 20, 2009 at 11:42 a.m. UTC

Jeremy, it's a recommended tactic on the isp router to use "ip unnumbered" under the vtemplate and use another interface (i.e. loopback) for the ip address. I don't know if this has been fixed in later IOS, but there was a limit of max 6 interfaces using the same ip address, unless "ip unnumbered" was used. That means you probably won't be able to have more than 5 users online.

Ron (guest)
April 20, 2009 at 5:35 p.m. UTC

Is there a benefit to the bba-group pppoe commands over the vpdn-group\accept-dialin\protocol pppoe\virtual-template 1 command? They can both be used to setup a PPPoE server. Thanks

Diosbejgli (guest)
April 20, 2009 at 8:31 p.m. UTC

David: that's because the router's hostname is being used as username. The PPPoE client router is called CPE, which is the username configured on the server.

Enchanter: you can tell the client to send another username as the hostname by configuring the Dialer1 interface: ppp chap hostname whatever .

You can send the default route to the client by configuring the Virtual-Template 1 interface: ppp ipcp route default .

fadet (guest)
April 21, 2009 at 7:40 a.m. UTC

Ron: I think vpdn-groundaccept-dialinprotocol pppoe is deprecated, that's why he's using bba-ground instead.

sirsamon (guest)
April 21, 2009 at 10:33 a.m. UTC

Hi Stretch,

Just wanted to say thanks very much, i just passed BCMSN and about to get into ISCW so perfect timing.

diriger (guest)
April 22, 2009 at 8:00 a.m. UTC

Hi, Jeremy. I tried to configure the mutual authentication with no luck. Could you, please, add this option to your example?

spencer (guest)
April 22, 2009 at 2:16 p.m. UTC

great article..getting ready to take my bcmsn and this will help on my upcoming exams!

how is the new job going?

hat (guest)
April 23, 2009 at 6:41 p.m. UTC

Why do you have to use ppp authentication chap callin on server side?
ppp authentication chap is still ok.


Null_0 (guest)
April 25, 2009 at 5:29 a.m. UTC

I beleive that the ppp authentication chap callin is in here because the ISP is the server and is going to authenticate any connection that comes in, but ppp authentication chap would still do the same. However, if you had the ISP and the Client doing mutual authentication, the callin feature states that the client must first authenticate before the ISP will send it's credentials.


Ching (guest)
April 26, 2009 at 8:20 a.m. UTC

This is so fantastic..... one exam left and done CCNP. This site is very very informative and usefull.

Rodrigo (guest)
April 26, 2009 at 2:23 p.m. UTC

Seriously, I think you could create a book with your networking posts. I'd purchase it.

wildrussian (guest)
April 28, 2009 at 2:19 a.m. UTC

Jeremy, you always come through for me when I need you the most. Here in the past few days I was trying to work with some pppoe configs in GNS3 and was having hard time but now that I have your article it will be much easier to understand. While back I was working with CBAC stuff and next thing I know you post a CBAC article. Great Job and Keep it up!

Booguman (guest)
June 21, 2009 at 8:55 p.m. UTC

Great, great, great article. This was exactly what I was looking for to continue with my CCNP study. Thanks a lot for your great job

Usman (guest)
July 2, 2009 at 12:59 p.m. UTC

I would like to ask if there is a computer attached to an interface of the client router then what will be the ip address of the local LAN of the computer and what will be the ip address of the interface ( to which PC is attached) to the client.. And when the PC dials in to the router and gets connected what will be the ip address assigned to the PC ?


Victor (guest)
August 18, 2009 at 4:07 p.m. UTC

Great article! It helped me a lot !

Sid (guest)
August 22, 2009 at 12:51 p.m. UTC

Hey, I am able to implement this in my GNS3 lab, however, can any one tell me, how to forward all aggregated traffic from BRAS to Internet backbone...I have simulated other router, which is able to negotiate real IP from my DSL broadband. I am able to run internet through that router alone...but when I attach that router to BRAS; my CPE is failing to ping my real DSL IP, so that to get out to the outside world. I am only able to ping till the outside interface of BRAS, but not beyond that. I am using a static route. What extra configuration, I need?

bi0os (guest)
October 25, 2009 at 5:30 p.m. UTC

Hello guys, I have one 1751-V with WIC-1ADSL and I'm try configuring a like pppoe client. But for hours I donĀ“t have successfully "/ I read too many documents but not solved for Me. Any can Help Me? below some info:

I from brazil, my pvc is 0/33 and I use the ISP with 1024K of downstream.

other word, using fast0/0 I have success, but is not good for me.

I like: LAN <--> SW <--> 1751 WIC-1ADSL <--[POTS]--> ISP

thank so mutch.

Faisal (guest)
August 18, 2010 at 9:59 p.m. UTC

Dear, GRRRRRRRR8 job. For last 48 hours I was struck up building this topology in my simulator. Thanks a lot for writing this article, its wonderful. Please, guide me that I want to setup two ISP connections on my router and practese load balancing. Can this be done if I add another ISP to other interface of my router (CPE). Moreover, what is the best technique for load balancing internet links without BGP. Could you pleae refer me some comprehensive document on this topic.

Thanks a lot.

November 22, 2010 at 10:34 p.m. UTC

Thanks jeremy!!!!!

This article and configuration ,, I can't tell you how much he help me !!!!

Keep posting !


February 21, 2011 at 3:52 p.m. UTC

Very useful indeed.

A question: Does this mean that I could use a Cisco router (say 3750 interfaced to a DSL modem in a bridged configuration) to login to my ADSL line?


Ronnie (guest)
May 25, 2011 at 6:51 a.m. UTC

thx for this useful post, i've been looking this object for my exam lab :)

ixholla (guest)
September 9, 2011 at 8:28 p.m. UTC

I just have to say thank you very much, I've been working with Cisco equipment for close to 20 years and have never found a problem more elusive than this particular one! I was horribly stuck on VPDN-GROUP and getting the error: %only one vpdn-group can be created at a time! I was just about to give up when I found this page and the fact that the vpdn-group command is now under bba-group! as soon as I made the change the virtual-access interface came right up! TY TY TY!!!

namtm (guest)
December 24, 2011 at 10:11 a.m. UTC

tks u so much, this' great article

July 22, 2012 at 3:10 p.m. UTC

Lately I was tasked to configure a PPPoE Client and Server but not with BBA-GROUP but VPDN-GROUP and what I found interesting is that it won't work if you assign an IP address to Virtual-Template interface under VPDN-GROUP configuration (it only works when ip unnumbered is used for Template), but of course it works in BBA-GROUP. Cheers mate and keep up the good work :)

ciscopig (guest)
September 12, 2012 at 3:36 p.m. UTC

Hi, just wondering how I could specify a network mask on the client side, the default mask that the ip pool hands out is /32 from the looks of things?

djusko (guest)
November 18, 2012 at 11:46 p.m. UTC

Can anyone help me with getting pppoe packets from the adsl line... I mean from the telephone cable that is connected to the adsl modem/router.

Thanks a bunch!

novice (guest)
March 30, 2013 at 8:40 p.m. UTC

The case we have here is of just one ip local pool. So hence we say ........peer default ip address pool MyPool ...because theres one one pool, what if there were multiple pools, and we have more than one Dialer?

Custu (guest)
September 3, 2013 at 5:59 a.m. UTC

Very nice article.
Thank you very much

Mohammed Aftab Memon (guest)
March 2, 2014 at 3:57 p.m. UTC

Perfect Article as always!!!!

Tang Bo Hu (guest)
May 18, 2015 at 3:45 a.m. UTC

I have a question about who authenticates whom. Because ISP has configured "ppp authentication chap callin", I tend to think that CPE challenges ISP. In other words, CPE asks ISP to show ISP's username and password (credentials).

I base my reasoning on the following link.

JP (guest)
October 20, 2015 at 5:07 a.m. UTC

Thanks Jeremy!! very good article for understanding the basics of PPoE. Regards,

Syed Javed (guest)
March 24, 2016 at 1:02 p.m. UTC

This was a wonderful article on PPPoE Client and Server side configuration. Other articles are really messed up and not much clear and precise as this one is... keep up bro.

chan (guest)
May 27, 2016 at 9:59 a.m. UTC

very simple. No mix up. 1st : You clearly specific the cfg for PPPoE without authentication. 2nd: You added the authentication part. Most website mix up PPPoE and PPP authentication part.

Comments have closed for this article due to its age.