Configuring PPPoE
One of the topics covered by the CCNP Implementing Secure Converged WANs exam is Point-to-Point Protocol over Ethernet, more casually known as PPPoE. Unfortunately, the exam only covers the configuration of the client side; not very handy if you intend to lab out a functioning link (highly recommended). Here we'll cover the configuration of both sides across an Ethernet link to demonstrate connection establishment.
PPPoE provides an emulated (and optionally authenticated) point-to-point link across a shared medium, typically a broadband aggregation network such as those found in DSL service providers. In fact, a very common scenario is to run a PPPoE client on the customer side (commonly on a SOHO Linksys or similar brand router), which connects to and obtains its configuration from the PPPoE server (head-end router) at the ISP side. Note that ATM is typically run between the customer's modem and the DSLAM, though it will be transparent in this lab since our PPPoE client exists on a separate device.
Server Configuration
The first task at the ISP end is to configure a Broadband Aggregation (BBA) group which will handle incoming PPPoE connection attempts. We'll name this MyGroup, and bind it to a virtual template to be created shortly.
ISP(config)# bba-group pppoe MyGroup ISP(config-bba-group)# virtual-template 1
Here we can also apply PPPoE session limits. For example, we can limit the number of sessions established per client MAC address (setting this limit to 2 allows a new session to be established immediately if the prior session was orphaned and is waiting to expire). This is an optional step.
ISP(config-bba-group)# sessions per-mac limit 2
Next we'll create the virtual template for the customer-facing interface. When a PPPoE client initiates a session with this router, the router automatically spawns a virtual interface to represent that point-to-point connection.
ISP(config)# interface virtual-template 1
At a minimum, we'll need to configure two items on our virtual template: an IP address, and a pool of IP addresses from which clients are assigned a negotiated address (similar in operation to DHCP).
ISP(config-if)# ip address 10.0.0.1 255.255.255.0 ISP(config-if)# peer default ip address pool MyPool
You may be wondering where the IP pool is defined. Well, it isn't; that's what we have to do next. Back in global configuration mode, we define a local IP pool named MyPool with the starting and ending addresses of an IP range. If you've configured DHCP on IOS before, you should find this task very familiar.
ISP(config)# ip local pool MyPool 10.0.0.2 10.0.0.254
Last, we need to enable our PPPoE group on the interface facing the customer network.
ISP(config)# interface f0/0 ISP(config-if)# no ip address ISP(config-if)# pppoe enable group MyGroup ISP(config-if)# no shutdown
Note that this interface should not have an IP address; the addressing is provided by our virtual template.
Client Configuration
Client configuration is relatively simple. We create a dialer interface to handle the PPPoE connection, and tie it to a physical interface which provides the transport.
Creating our PPPoE dialer interface:
CPE(config)# interface dialer1 CPE(config-if)# dialer pool 1 CPE(config-if)# encapsulation ppp CPE(config-if)# ip address negotiated
The line ip address negotiated instructs the client to use an IP address provided by the PPPoE server.
The PPP header adds 8 bytes of overhead to each frame. Assuming the default Ethernet MTU of 1500 bytes, we'll want to lower our MTU on the dialer interface to 1492 to avoid unnecessary fragmentation.
CPE(config-if)# mtu 1492
Lastly we assign our ISP-facing interface to our newly created PPPoE dial group:
CPE(config)# interface f0/0 CPE(config-if)# no ip address CPE(config-if)# pppoe-client dial-pool-number 1 CPE(config-if)# no shutdown
If all is well, you should see a notification indicating the PPPoE session has successfully formed:
%DIALER-6-BIND: Interface Vi1 bound to profile Di1 %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
We can verify that interface Dialer1 has negotiated an IP address from the ISP router:
CPE# show ip interface brief Interface IP-Address OK? Method Status Protocol FastEthernet0/0 unassigned YES manual up up [...] Virtual-Access1 unassigned YES unset up up Dialer1 10.0.0.2 YES IPCP up up
show pppoe session shows our PPPoE session with the ISP router terminated on Dialer0, via FastEthernet0/0:
CPE# show pppoe session
1 client session
Uniq ID PPPoE RemMAC Port Source VA State
SID LocMAC VA-st
N/A 16 ca00.4843.0008 Fa0/0 Di1 Vi1 UP
ca01.4843.0008 UP
Authentication
Of course, at this point anyone can connect via PPPoE. Generally we only want to provide service to trusted (e.g. paying) customers, so adding some low-layer authentication would be a prudent step. PPP can use PAP or CHAP to authenticate clients, with the later heavily preferred.
On our ISP router, we'll create a local user account name CPE and the password MyPassword. (In real practice, account creation is typically performed on a back-end server and referenced via RADIUS or TACACS+ rather than being stored locally.)
ISP(config)# username CPE password MyPassword
Next we enforce CHAP authentication on our virtual template:
ISP(config)# interface virtual-template 1 ISP(config-if)# ppp authentication chap callin
This will terminate our client session, as we can see from the logs on CPE:
%DIALER-6-UNBIND: Interface Vi1 unbound from profile Di1 %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
To reestablish the connection from CPE, we'll need to enter the proper credentials:
CPE(config)# interface dialer 1 CPE(config-if)# ppp chap password MyPassword
We should see the PPPoE session come back up a few seconds later after successfully authenticating. debug ppp authentication can be used on the ISP router to monitor the CHAP exchange:
ppp50 PPP: Using vpn set call direction ppp50 PPP: Treating connection as a callin ppp50 PPP: Session handle[E800003A] Session id[50] ppp50 PPP: Authorization required ppp50 CHAP: O CHALLENGE id 1 len 24 from "ISP" ppp50 CHAP: I RESPONSE id 1 len 24 from "CPE" ppp50 PPP: Sent CHAP LOGIN Request ppp50 PPP: Received LOGIN Response PASS Vi1.1 PPP: Sent LCP AUTHOR Request Vi1.1 PPP: Sent IPCP AUTHOR Request Vi1.1 LCP: Received AAA AUTHOR Response PASS Vi1.1 IPCP: Received AAA AUTHOR Response PASS Vi1.1 CHAP: O SUCCESS id 1 len 4
The final configuration of both routers are attached below.
About the Author
Jeremy Stretch is a networking engineer and the maintainer of PacketLife.net. He currently lives in the Raleigh-Durham area of North Carolina. Although employed full-time out of necessity, his true passion lies in improving the field of network engineering around the world. You can contact him by email or follow him on Twitter.
Comments
Fantastic article. Thanks stretch!
One thing i did notice (although its probably me being a complete novice) is that its only the password that is referenced in the client config and not the username in addition to this.
Is this correct?
Now I just use the client router's name as the user. Can I use other as the user name of PPPoE authentication?
Jeremy, it's a recommended tactic on the isp router to use "ip unnumbered" under the vtemplate and use another interface (i.e. loopback) for the ip address. I don't know if this has been fixed in later IOS, but there was a limit of max 6 interfaces using the same ip address, unless "ip unnumbered" was used. That means you probably won't be able to have more than 5 users online.
Is there a benefit to the bba-group pppoe commands over the vpdn-group\accept-dialin\protocol pppoe\virtual-template 1 command? They can both be used to setup a PPPoE server. Thanks
David: that's because the router's hostname is being used as username. The PPPoE client router is called CPE, which is the username configured on the server.
Enchanter: you can tell the client to send another username as the hostname by configuring the Dialer1 interface: ppp chap hostname whatever .
You can send the default route to the client by configuring the Virtual-Template 1 interface: ppp ipcp route default .
Ron: I think vpdn-groundaccept-dialinprotocol pppoe is deprecated, that's why he's using bba-ground instead.
Hi Stretch,
Just wanted to say thanks very much, i just passed BCMSN and about to get into ISCW so perfect timing.
Hi, Jeremy. I tried to configure the mutual authentication with no luck. Could you, please, add this option to your example?
great article..getting ready to take my bcmsn and this will help on my upcoming exams!
how is the new job going?
Why do you have to use ppp authentication chap callin on server side?
ppp authentication chap is still ok.
Thanks
I beleive that the ppp authentication chap callin is in here because the ISP is the server and is going to authenticate any connection that comes in, but ppp authentication chap would still do the same. However, if you had the ISP and the Client doing mutual authentication, the callin feature states that the client must first authenticate before the ISP will send it's credentials.
HTH
This is so fantastic..... one exam left and done CCNP. This site is very very informative and usefull.
Seriously, I think you could create a book with your networking posts. I'd purchase it.
Jeremy, you always come through for me when I need you the most. Here in the past few days I was trying to work with some pppoe configs in GNS3 and was having hard time but now that I have your article it will be much easier to understand. While back I was working with CBAC stuff and next thing I know you post a CBAC article. Great Job and Keep it up!
Great, great, great article. This was exactly what I was looking for to continue with my CCNP study. Thanks a lot for your great job
I would like to ask if there is a computer attached to an interface of the client router then what will be the ip address of the local LAN of the computer and what will be the ip address of the interface ( to which PC is attached) to the client.. And when the PC dials in to the router and gets connected what will be the ip address assigned to the PC ?
Thanks
Great article! It helped me a lot !
Thanks
Hey, I am able to implement this in my GNS3 lab, however, can any one tell me, how to forward all aggregated traffic from BRAS to Internet backbone...I have simulated other router, which is able to negotiate real IP from my DSL broadband. I am able to run internet through that router alone...but when I attach that router to BRAS; my CPE is failing to ping my real DSL IP, so that to get out to the outside world. I am only able to ping till the outside interface of BRAS, but not beyond that. I am using a static route. What extra configuration, I need?
Hello guys, I have one 1751-V with WIC-1ADSL and I'm try configuring a like pppoe client. But for hours I donĀ“t have successfully "/ I read too many documents but not solved for Me. Any can Help Me? below some info:
http://pastebin.com/m25e2d72b
I from brazil, my pvc is 0/33 and I use the ISP with 1024K of downstream.
other word, using fast0/0 I have success, but is not good for me.
I like: LAN <--> SW <--> 1751 WIC-1ADSL <--[POTS]--> ISP
thank so mutch.
Dear, GRRRRRRRR8 job. For last 48 hours I was struck up building this topology in my simulator. Thanks a lot for writing this article, its wonderful. Please, guide me that I want to setup two ISP connections on my router and practese load balancing. Can this be done if I add another ISP to other interface of my router (CPE). Moreover, what is the best technique for load balancing internet links without BGP. Could you pleae refer me some comprehensive document on this topic.
Thanks a lot.
Thanks jeremy!!!!!
This article and configuration ,, I can't tell you how much he help me !!!!
Keep posting !
Thanks!!!
Very useful indeed.
A question: Does this mean that I could use a Cisco router (say 3750 interfaced to a DSL modem in a bridged configuration) to login to my ADSL line?
Thanks.
thx for this useful post, i've been looking this object for my exam lab :)
I just have to say thank you very much, I've been working with Cisco equipment for close to 20 years and have never found a problem more elusive than this particular one! I was horribly stuck on VPDN-GROUP and getting the error: %only one vpdn-group can be created at a time! I was just about to give up when I found this page and the fact that the vpdn-group command is now under bba-group! as soon as I made the change the virtual-access interface came right up! TY TY TY!!!
tks u so much, this' great article
Lately I was tasked to configure a PPPoE Client and Server but not with BBA-GROUP but VPDN-GROUP and what I found interesting is that it won't work if you assign an IP address to Virtual-Template interface under VPDN-GROUP configuration (it only works when ip unnumbered is used for Template), but of course it works in BBA-GROUP. Cheers mate and keep up the good work :)
Hi, just wondering how I could specify a network mask on the client side, the default mask that the ip pool hands out is /32 from the looks of things?
Can anyone help me with getting pppoe packets from the adsl line... I mean from the telephone cable that is connected to the adsl modem/router.
Thanks a bunch!
The case we have here is of just one ip local pool. So hence we say ........peer default ip address pool MyPool ...because theres one one pool, what if there were multiple pools, and we have more than one Dialer?
Great article, Thanks for writing it.