This chapter describes the Point-to-Point Protocol features supported in Cisco IOS Release 12.1(5)DB/DC.
The Cisco 6400 node route processor (NRP) requires 128MB of DRAM to support up to 2800 concurrent PPPoE sessions. An NRP with 64MB DRAM can support up to 2000 concurrent PPPoE sessions.
This section contains the following tasks:
Before configuring this feature, see the restrictions for PPPoA.
The following tasks provide the minimum steps needed to configure PPP over ATM on the Cisco 6400 NRP. For more information about PPP over ATM, see "Configuring ATM" in the Wide-Area Networking Configuration Guide of the Cisco IOS 12.1 documentation set.
To configure a virtual template, perform these steps starting in global configuration mode:
Step | Command | Purpose |
---|---|---|
Step 1 | interface virtual-template number | Associates a virtual template with a virtual template interface. |
Step 2 | ip unnumbered fastethernet 0/0/0 | Enables IP on the interface without assigning a specific IP address. |
Step 3 | peer default ip address {pool [poolname] \| dhcp} | Specifies a dynamic IP address assignment method, either from an IP address pool or a DHCP server. |
Step 4 | ppp authentication {pap \| chap} [pap \| chap] | Selects the authentication protocol and optional secondary protocol. |
Step 5 | exit | Returns to global configuration mode. |
Step 6 | ip local pool poolname low-ip-address | (Optional) Configures a local pool of IP addresses to be used when a remote peer connects to a point-to-point interface. |
Step 7 | ip dhcp-server {ip-address \| name} | (Optional) Specifies which DHCP servers to use on your network. |
Caution Do not use a static IP assignment within a virtual template; routing problems can occur. Always enter the ip unnumbered command when configuring a virtual template.
Examples
The following example shows a typical virtual template configuration for the Cisco 6400 NRP:
Router(config)# interface virtual-template 1
Router(config-if)# ip unnumbered fastethernet 0/0/0
Router(config-if)# peer default ip address pool telecommuters
Router(config-if)# ppp authentication chap
Router(config-if)# exit
Router(config)# ip local pool telecommuters 10.36.1.1 10.36.1.254
In this configuration, it is assumed that all PPP over ATM VCs (users) cloned from virtual template 1 will use CHAP authentication and will be allocated an IP address from the pool named "telecommuters" configured on the router. In addition, the local end of the PPP over ATM connection is running without an IP address (recommended). Instead, the IP address of the FastEthernet interface is used for addressability.
To configure a different class of users on the same router, you can provision a separate virtual template interface. The following example uses a DHCP server rather than a local pool, and prefers PAP authentication over CHAP:
Router(config)# interface Virtual-Template 2
Router(config-if)# ip unnumbered fastethernet 0/0/0
Router(config-if)# peer default ip address dhcp
Router(config-if)# ppp authentication pap chap
Router(config-if)# exit
Router(config)# ip dhcp-server 10.5.20.149
Up to 25 virtual templates can be configured.
An AAA authentication database, such as RADIUS or TACACS+, can be used to configure the user's virtual access interface. To configure AAA authentication for PPP over ATM, see "Configuring AAA Authentication" for configuration tasks.
After you have configured a virtual template for PPP over ATM, you must configure the PVCs that carry traffic from the NRP to the ATM interfaces. To configure PPP over ATM on a PVC, enter the following commands starting in global configuration mode:
Step | Command | Purpose |
---|---|---|
Step 1 | interface atm 0/0/0[.subinterface-number] | Specifies the ATM interface and optional subinterface. |
Step 2 | pvc [name] vpi/vci | Configures a new ATM PVC by assigning a name (optional) and VPI/VCI numbers. |
Step 3 | encapsulation aal5mux ppp virtual-Template number | Configures the ATM adaptation layer (AAL) and encapsulation type, and configures a PVC to use a virtual-template as the default PPP interface configuration. |
You can also configure PVCs by using VC classes and PVC discovery, as shown in the Cisco 6400 Software Configuration Guide and Command Reference, "Configuring the NRP" chapter, "Working with Permanent Virtual Circuits" section.
The following example shows a typical configuration for PPP over ATM, using a RADIUS authentication server:
Router(config)# interface virtual-template 1
Router(config-if)# ip unnumbered fastethernet 0/0/0
Router(config-if)# peer default ip address pool telecommuters
Router(config-if)# ppp authentication chap
Router(config-if)# exit
Router(config)# ip local pool telecommuters 10.36.1.1 10.36.1.254
Router(config)# aaa new-model
Router(config)# aaa authentication ppp default radius
Router(config)# radius-server host 172.31.5.96
Router(config)# radius-server key foo
Router(config)# radius-server attribute nas-port format d
Router(config)# interface atm 0/0/0.40 multipoint
Router(config-subif)# pvc 0/50
Router(config-if-atm-vc)# encapsulation aal5mux ppp virtual-template 1
Router(config-if-atm-vc)# exit
Router(config-subif)# pvc 0/51
Router(config-if-atm-vc)# encapsulation aal5mux ppp virtual-template 1
Router(config-if-atm-vc)# exit
The global configuration command show atm pvc ppp shows the PPP over ATM characteristics of all PVCs on the ATM interface:
Router# show atm pvc ppp
VCD /
ATM Int. Name VPI VCI Type VCSt VA VASt IP Addr
0/0/0 1 0 33 PVC UP 1 DOWN 10.123.1.1
0/0/0 foo 0 34 PVC UP 2 DOWN 10.123.1.1
The "VA" column shows the virtual-access interface used for this particular PPP over ATM session. A subsequent show interface virtual-access command gives the PPP-specific characteristics of the session:
Router# show interface virtual-access 2
Virtual-Access2 is up, line protocol is up
Hardware is Virtual Access interface
Internet address is 10.123.1.1/24
MTU 1500 bytes, BW 100000 Kbit, DLY 100000 usec, rely 255/255, load 1/255
Encapsulation PPP, loopback not set, keepalive not set
DTR is pulsed for 5 seconds on reset
LCP Open
Open: IPCP
Bound to ATM0/0/0 VCD: 2, VPI: 0, VCI: 34
Cloned from virtual-template: 1
Last input 01:04:26, output never, output hang never
Last clearing of "show interface" counters 5d02h
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
782 packets input, 30414 bytes, 0 no buffer
Received 3 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
395 packets output, 5540 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
The lines highlighted in this example show the layer 3 protocols enabled on this interface, the VPI and VCI numbers, and the master virtual template from which this virtual access interface was cloned.
Before configuring this feature, see the restrictions for PPPoE and the Prerequisites section.
Perform the following tasks to configure PPP over Ethernet on ATM:
To configure PPPoE on a virtual-access interface, enter the following commands starting in global configuration mode.
Step | Command | Purpose |
---|---|---|
Step 1 | Router(config)#vpdn enable | Enables virtual private dial-up networking. |
Step 2 | Router(config)#vpdn-group number | Selects VPDN-group configuration mode. |
Step 3 | Router(config-vpdn)#accept dialin pppoe | Configures the router to accept dial-in PPPoE calls. |
Step 4 | Router(config-vpdn)#pppoe limit per-mac number | (Optional) Limits the number of PPPoE sessions that originate from one MAC address. Default is 100. |
Step 5 | Router(config-vpdn)#pppoe limit per-vc number | (Optional) Limits the number of PPPoE sessions that can be established on a virtual circuit. Default is 100. |
Step 6 | Router(config-vpdn)#exit | Returns to global configuration mode. |
Step 7 | Router(config)#virtual-template template-number | (Optional) Creates "pre-cloned" virtual-access interfaces equal to the expected maximum number of concurrent PPPoE sessions. |
To configure PPPoE on an ATM interface, enter the following commands starting in global configuration mode.
Step | Command | Purpose |
---|---|---|
Step 1 | Router(config)#interface atm | Specifies an ATM multipoint subinterface. |
Step 2 | Router(config-if)#pvc | Configures the PVC. |
Step 3 | Router(config-if)#encapsulation aal5snap | Configures SNAP encapsulation. |
Step 4 | Router(config-if)#protocol pppoe | Selects PPPoE as the protocol for the PVC. |
Step 5 | Router(config)#exit | Returns to global configuration mode. |
To allow PPPoE to operate over the virtual-access interface, the IP maximum transmission unit (MTU) must be set to 1492. Enter the following commands, starting in global configuration mode, to set the IP MTU.
Step | Command | Purpose |
---|---|---|
Step 1 | Router(config)#interface virtual-template number | Selects the virtual-access interface to be configured. |
Step 2 | Router(config-if)#ip mtu 1492 | Sets the IP MTU to 1492. |
Step 3 | Router(config)#exit | Returns to global configuration mode. |
Router#show vpdn
PPPOE Tunnel and Session
Session count: 1
PPPoE Session Information
SID RemMAC LocMAC Intf VASt OIntf VC
1 0010.54db.bc38 0050.7327.5dc3 Vi1 UP AT0/0/0 0/40
Field | Description |
---|---|
SID | Session ID for the PPPoE session. |
RemMAC | MAC address of the host. |
LocMAC | MAC address of the ATM interface. |
Intf | Virtual-access interface associated with the PPP session. |
VASt | State of the virtual-access interface. |
OIntf | Outgoing interface. |
VC | Virtual circuit on which PPP session flows. |
Step 2 Enter the show atm pvc command from interface configuration mode. The last line of the output, "PPPOE enabled," confirms that PPPoE is enabled on this VC.
Router#show atm pvc 40
ATM0/0/0.2: VCD: 1, VPI: 0, VCI: 40
UBR, PeakRate: 155000
AAL5-LLC/SNAP, etype:0x0, Flags: 0xC20, VCmode: 0x0
OAM frequency: 0 second(s), OAM retry frequency: 1 second(s), OAM retry
frequency: 1 second(s)
OAM up retry count: 3, OAM down retry count: 5
OAM Loopback status: OAM Disabled
OAM VC state: Not Managed
ILMI VC state: Not Managed
InARP frequency: 15 minutes(s)
InPkts: 100, OutPkts: 51, InBytes: 4692, OutBytes: 2294
InPRoc: 48, OutPRoc: 51, Broadcasts: 0
InFast: 0, OutFast: 0, InAS: 52, OutAS: 0
OAM cells received: 0
F5 InEndloop: 0, F5 InSegloop: 0, F5 InAIS: 0, F5 InRDI: 0
F4 InEndloop: 0, F4 InSegloop: 0, F4 InAIS: 0, F4 InRDI: 0
OAM cells sent: 0
F5 OutEndloop: 0, F5 OutSegloop: 0, F5 OutRDI: 0
F4 OutEndloop: 0, F4 OutSegloop: 0, F4 OutRDI: 0
OAM cell drops: 0
Status: UP
PPPOE enabled.
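The show vpdn session table described above can be tallied per remote MAC address and per VC to see how close a subscriber or circuit is to the pppoe limit per-mac and pppoe limit per-vc values. The following is an added example, not part of the original Cisco documentation; the function names, the warning thresholds and the sample rows are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed `show vpdn` capture in the layout shown above (MACs are made up).
SAMPLE_SHOW_VPDN = """\
PPPOE Tunnel and Session
Session count: 5
PPPoE Session Information
SID     RemMAC          LocMAC          Intf    VASt    OIntf   VC
1       0010.54db.bc38  0050.7327.5dc3  Vi1     UP      AT0/0/0 0/40
2       0010.54db.bc38  0050.7327.5dc3  Vi2     UP      AT0/0/0 0/40
3       0010.54db.bc38  0050.7327.5dc3  Vi3     UP      AT0/0/0 0/41
4       0002.aaaa.0001  0050.7327.5dc3  Vi4     DOWN    AT0/0/0 0/41
5       0002.aaaa.0002  0050.7327.5dc3  Vi5     UP      AT0/0/0 0/42
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
ROW = re.compile(
    rf"^\s*(\d+)\s+({MAC})\s+({MAC})\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+/\d+)\s*$",
    re.I)

def parse_sessions(output):
    """Return one dict per session row; header and banner lines are skipped."""
    sessions = []
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            sid, rem, _loc, intf, vast, ointf, vc = m.groups()
            sessions.append({"sid": int(sid), "rem_mac": rem.lower(),
                             "intf": intf, "vast": vast.upper(),
                             "vc": f"{ointf} {vc}"})
    return sessions

def review(output, mac_warn, vc_warn):
    """Flag MACs and VCs at or above the operator-chosen warning thresholds."""
    sessions = parse_sessions(output)
    per_mac = Counter(s["rem_mac"] for s in sessions)
    per_vc = Counter(s["vc"] for s in sessions)
    declared = re.search(r"Session count:\s*(\d+)", output)
    return {
        "busy_macs": {m: n for m, n in per_mac.items() if n >= mac_warn},
        "busy_vcs": {v: n for v, n in per_vc.items() if n >= vc_warn},
        # Sessions whose virtual-access interface is not UP.
        "not_up": [s["sid"] for s in sessions if s["vast"] != "UP"],
        # True when the capture is truncated or a row failed to parse.
        "count_mismatch": declared is not None
                          and int(declared.group(1)) != len(sessions),
    }

if __name__ == "__main__":
    for key, value in review(SAMPLE_SHOW_VPDN, mac_warn=3, vc_warn=2).items():
        print(f"{key}: {value}")
```

Set the thresholds at or below the limits configured in the VPDN group so that a MAC address or VC approaching its limit is reported before new sessions are refused.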
This section provides the following configuration examples:
In the following example, PPPoE is enabled directly on a PVC:
Router(config)#vpdn enable
Router(config)#vpdn-group 1
Router(config-vpdn)#accept dialin pppoe virtual-template 1
Router(config-vpdn)#exit
Router(config)#virtual-template 1 pre-clone 500
Router(config)#interface atm 2/0.1 multipoint
Router(config-if)#pvc 0/60
Router(config-if-atm-vc)#encapsulation aal5snap
Router(config-if-atm-vc)#protocol pppoe
Router(config-if-atm-vc)#exit
Router(config-if)#exit
Router(config)#ip cef
Router(config)#interface virtual-template 1
Router(config-if)#ip address 10.0.1.2 255.255.255.0
Router(config-if)#ip mtu 1492
Router(config-if)#ip route-cache cef
Router(config-if)#exit
In the following example, PPPoE is configured on a VC class called users. This VC class is then applied to a particular PVC:
Router(config)#vpdn enable
Router(config)#vpdn-group 1
Router(config-vpdn)#accept dialin pppoe virtual-template 1
Router(config-vpdn)#exit
Router(config)#virtual-template 1 pre-clone 500
Router(config)#interface atm 2/0.1 multipoint
Router(config-if)#pvc 0/60
Router(config-if-atm-vc)#class users
Router(config-if-atm-vc)#exit
Router(config-if)#exit
Router(config)#vc-class atm users
Router(config-vc-class)#encapsulation aal5snap
Router(config-vc-class)#protocol pppoe
Router(config-vc-class)#exit
Router(config)#ip cef
Router(config)#interface virtual-template 1
Router(config-if)#ip address 10.0.1.2 255.255.255.0
Router(config-if)#ip mtu 1492
Router(config-if)#ip route-cache cef
Router(config-if)#exit
In the following example, both PPPoE and bridging are configured to operate concurrently on the same DSL link:
Router(config)#vpdn enable
Router(config)#vpdn-group 1
Router(config-vpdn)#accept dialin pppoe virtual-template 1
Router(config-vpdn)#exit
Router(config)#virtual-template 1 pre-clone 500
Router(config)#bridge 1 protocol ieee
Router(config)#bridge 1 route ip
Router(config)#interface atm 2/0.1 multipoint
Router(config-if)#bridge-group 1
Router(config-if)#pvc 0/60
Router(config-if-atm-vc)#encapsulation aal5snap
Router(config-if-atm-vc)#protocol pppoe
Router(config-if-atm-vc)#exit
Router(config-if)#exit
Router(config)#ip cef
Router(config)#interface virtual-template 1
Router(config-if)#ip address 10.0.1.2 255.255.255.0
Router(config-if)#ip mtu 1492
Router(config-if)#ip route-cache cef
Router(config-if)#exit
Table 5-1 describes the commands that help you monitor and maintain PPPoE.
Command | Purpose |
---|---|
show atm pvc | Displays ATM PVC and traffic information, including PPPoE status. |
show vpdn | Displays PPPoE session information, including MAC addresses and virtual-access interfaces. |
show vpdn session packet | Displays PPPoE session statistics. |
show vpdn session all | Displays PPPoE session information for each session ID. |
show vpdn tunnel | Displays PPPoE session count for the tunnel. |
Concurrent Bridging and PPPoE
PPPoE can operate concurrently with bridging on an ATM interface. This allows PPPoE to operate on one or more specific traffic protocols, leaving other protocols to be bridged.
VC Classes
You can also configure PPP over Ethernet in a VC class and apply this VC class to an ATM VC, subinterface, or interface. For information about configuring a VC class, refer to the section "Configure VC Classes" in the chapter "Configuring ATM" of the Wide-Area Networking Configuration Guide for Cisco IOS Release 12.1.
Cisco Express Forwarding
In order to gain maximum packet switching performance, Cisco Express Forwarding (CEF) should be enabled on the virtual-access interface. For information about enabling Cisco Express Forwarding, refer to the section "Configuring Cisco Express Forwarding" in the chapter "Cisco Express Forwarding" of the Cisco IOS Switching Services Configuration Guide for IOS Release 12.1.
PPP Autosense can be configured on a single PVC, or on a VC class that can be applied to all PVCs on an ATM interface.
To configure PPP Autosense on a PVC, enter the following commands beginning in global configuration mode:
Step | Command | Purpose |
---|---|---|
Step 1 | Router(config)#interface atm 0/0/0[.subinterface-number] | Specifies the ATM interface and optional subinterface. |
Step 2 | Router(config-subif)# | Configures a PVC on the ATM interface or subinterface. |
Step 3 | Router(config-if-atm-vc)# | Configures PPP Autosense on the PVC. Also specifies the virtual template interface to use to clone the new virtual access interfaces for PPPoA sessions on this PVC. |
To configure PPP Autosense on a VC-class, enter the following commands beginning in global configuration mode:
Step | Command | Purpose |
---|---|---|
Step 1 | Router(config)#vc-class atm vc-class-name | Creates and names a map class. |
Step 2 | Router(config-vc-class)#encapsulation aal5autoppp | Configures PPP Autosense on the VC class. Also specifies the virtual template interface to use to clone the new virtual access interfaces for PPPoA sessions on this PVC. |
Step 3 | Router(config-vc-class)#exit | Returns to global configuration mode. |
Step 4 | Router(config)#interface atm 0/0/0[.subinterface-number] | Specifies the ATM interface and optional subinterface. |
Step 5 | Router(config-subif)# | Applies the VC class to all VCs on the ATM interface or subinterface. |
Note Virtual access interfaces for PPPoE sessions are cloned from the virtual template interface specified in the VPDN group.
To verify that you successfully configured PPP Autosense, enter the show running-config EXEC command.
This section provides the following configuration examples:
In the following example, the NAS is configured with PPP Autosense on PVC 30/33.
!
! Configure PPP Autosense
!
interface ATM 0/0/0.33 multipoint
pvc 30/33
encapsulation aal5autoppp Virtual-Template1
!
! Configure PPPoE
!
vpdn enable
vpdn-group 1
accept dialin pppoe virtual-template 1
!
ip cef
interface virtual-template 1
ip unnumbered fastethernet 0/0/0
ip mtu 1492
ip route-cache cef
!
! Enable precloning for virtual-template 1
!
virtual-template 1 pre-clone 2000
!
In the following example, the NAS is configured with PPP Autosense on the VC class called "MyClass." MyClass applies the PPP Autosense feature to all PVCs on the ATM 0/0/0.99 interface.
!
! Configure PPP Autosense
!
vc-class ATM MyClass
encapsulation aal5autoppp Virtual-Template1
!
interface ATM 0/0/0.99 multipoint
class-int MyClass
no ip directed-broadcast
pvc 20/40
pvc 30/33
!
! Configure PPPoE
!
vpdn enable
vpdn-group 1
accept dialin pppoe virtual-template 1
!
ip cef
interface virtual-template 1
ip unnumbered fastethernet 0/0/0
ip mtu 1492
ip route-cache cef
!
! Enable precloning for virtual-template 1
!
virtual-template 1 pre-clone 2000
!
In the following example, PPPoA and PPPoE sessions are handled separately by two VC classes and two virtual templates.
ip cef
vpdn enable
!
vpdn-group 1
accept-dialin
protocol pppoe
virtual-template 1
pppoe limit per-mac 1
pppoe limit per-vc 1
!
virtual-template 1 pre-clone 1500
!
interface ATM0/0/0.1 multipoint
no ip directed-broadcast
class-int pppoe
!
interface ATM0/0/0.3 multipoint
no ip directed-broadcast
class-int pppoa
!
interface ATM0/0/0.9 multipoint
ip address 10.16.40.1 255.255.0.0
no ip directed-broadcast
!
interface Virtual-Template1
ip unnumbered ATM0/0/0.9
ip route-cache cef
no ip directed-broadcast
peer default ip address pool pool-1
ppp authentication pap
!
interface Virtual-Template2
ip unnumbered ATM0/0/0.9
ip route-cache cef
no ip directed-broadcast
peer default ip address pool pool-2
ppp authentication chap
!
vc-class atm pppoe
encapsulation aal5autoppp Virtual-Template1
!
vc-class atm pppoa
encapsulation aal5autoppp Virtual-Template2
!
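The settings this chapter introduces can be checked against a saved running configuration before deployment: the Caution against static addresses in a virtual template, the choice of PAP or CHAP, the 1492-byte IP MTU for PPPoE, and the PPPoE session limits that otherwise default to 100. The following audit is an added example, not Cisco code; the function names, finding labels and sample configuration are assumptions, and it expects sub-commands to be indented as IOS prints them.

```python
import re

# Constructed running-config (sample values), indented as IOS prints it.
SAMPLE_CONFIG = """\
vpdn-group 1
 accept-dialin
  protocol pppoe
  virtual-template 1
 pppoe limit per-mac 1
!
interface Virtual-Template1
 ip address 10.0.1.2 255.255.255.0
 ppp authentication pap chap
!
interface Virtual-Template2
 ip unnumbered FastEthernet0/0/0
 ppp authentication chap
!
interface Virtual-Template3
 ip unnumbered FastEthernet0/0/0
"""

def parse_sections(text):
    """Map each top-level command to the indented sub-commands under it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip().lower()
        if not line or line == "!":
            continue
        if not raw[0].isspace():
            current = line
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def audit(text):
    """Return (section, finding) pairs; the finding labels are this example's own."""
    sections, findings, pppoe_templates = parse_sections(text), [], set()
    for header, subs in sections.items():
        body = " ".join(subs)
        if header.startswith("vpdn-group") and re.search(
                r"accept[- ]dialin pppoe|protocol pppoe", body):
            pppoe_templates.update(re.findall(r"virtual-template (\d+)", body))
            # Without an explicit limit the default of 100 sessions applies.
            for scope in ("per-mac", "per-vc"):
                if f"pppoe limit {scope}" not in body:
                    findings.append((header, f"{scope}-limit-default"))
    for header, subs in sections.items():
        m = re.match(r"interface virtual-template\s*(\d+)$", header)
        if not m:
            continue
        name = f"virtual-template {m.group(1)}"
        # The chapter's Caution: no static address in a virtual template.
        if any(s.startswith("ip address ") for s in subs):
            findings.append((name, "static-ip"))
        auth = [s.split()[2:] for s in subs if s.startswith("ppp authentication")]
        if not auth:
            findings.append((name, "no-ppp-auth"))  # peers are not authenticated
        elif "pap" in auth[0]:
            findings.append((name, "pap-allowed"))  # PAP sends the password in cleartext
        # PPPoE needs ip mtu 1492 on the template its sessions are cloned from.
        if m.group(1) in pppoe_templates and "ip mtu 1492" not in subs:
            findings.append((name, "mtu-not-1492"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```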
Table 5-2 describes the commands that help you monitor and maintain PPPoA.
Command | Purpose |
---|---|
Router#show atm pvc ppp | After the client at the other end of the PPP Autosense PVC initiates a PPPoA session, enter this command to check that the PVC contains the PPPoA session. |
Router#show caller | Enter this command to: |
Router#show interface virtual-access number | Displays information about the virtual access interface, LCP, protocol states, and interface statistics. The status of the virtual access interface should read: Virtual-Access3 is up, line protocol is up |
To troubleshoot PPP session establishment, enter the following commands:
To troubleshoot the establishment of PPP sessions that are authenticated by a RADIUS or TACACS server, enter the following commands:
Note Use debug commands with extreme caution because they are CPU-intensive and can seriously impact your network.
Large-scale deployment of PPP user services requires the use of a central database, such as TACACS+ or RADIUS to ease the configuration burden. RADIUS or TACACS+ servers, collectively known as authentication, authorization, and accounting (AAA) servers for PPP over ATM (and other media), contain the per-user configuration database, including password authentication and authorization information. For more information about AAA, see the chapter "Authentication, Authorization, and Accounting (AAA)" in the Cisco IOS Security Configuration Guide.
To configure the router to use AAA for PPP authentication only, enter the following configuration commands:
Step | Command | Description |
---|---|---|
Step 1 | aaa new-model | Enables the AAA access control model. |
Step 2 | aaa authentication ppp {default \| list-name} method1 | Specifies one or more AAA authentication methods for use on interfaces running PPP. |
The list-name option refers to the name of this particular method list (or default, if it is the default list), and the method option is a list of methods. For example, to configure virtual template 3 to use TACACS+ before RADIUS, and virtual template 4 to use RADIUS before local authentication, enter the following configuration commands:
Router(config)# aaa new-model
Router(config)# aaa authentication ppp list1 tacacs+ radius
Router(config)# aaa authentication ppp list2 radius local
Router(config)# interface virtual-template 3
Router(config-if)# ip unnumbered fastethernet 0/0/0
Router(config-if)# ppp authentication chap list1
Router(config-if)# exit
Router(config)# interface virtual-template 4
Router(config-if)# ip unnumbered fastethernet 0/0/0
Router(config-if)# ppp authentication chap list2
Router(config-if)# ^z
Enter the aaa authentication ppp command with the method keyword local to specify that the Cisco router or access server will use the local username database for authentication. The following example shows how to configure authentication by using the local username database:
Router(config)# aaa new-model
Router(config)# aaa authentication ppp default local
To configure the NRP to use a RADIUS server, enter the following commands starting in global configuration mode:
Step | Command | Purpose |
---|---|---|
Step 1 | radius-server host {hostname \| ip-address} | Specifies a RADIUS server host. |
Step 2 | radius-server key key | Sets the encryption key to match that used on the RADIUS server. |
Step 3 | radius-server attribute nas-port format d | Selects the ATM VC extended format (d) for the NAS port field. |
In the following example, a RADIUS server is enabled and identified, and the NAS port field is set to ATM VC extended format:
Router(config)# aaa new-model
Router(config)# aaa authentication ppp default radius
Router(config)# radius-server host 172.31.5.96 auth-port 1645 acct-port 1646
Router(config)# radius-server key foo
Router(config)# radius-server attribute nas-port format d
The authentication and accounting port need not be specified, because they default to 1645 and 1646, respectively.
To configure the NRP to use a TACACS+ server, enter the following commands starting in global configuration mode:
Step | Command | Purpose |
---|---|---|
Step 1 | tacacs-server host {hostname \| ip-address} | Specifies a TACACS+ server host. |
Step 2 | tacacs-server key key | Sets the encryption key to match that used on the TACACS+ daemon. |
In the following example, a TACACS+ server is enabled and identified:
Router(config)# aaa new-model
Router(config)# aaa authentication ppp default tacacs+
Router(config)# tacacs-server host 172.31.5.96
Router(config)# tacacs-server key foo
Posted: Tue Feb 26 15:34:36 PST 2002
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.