Refer to the "Supported Features" chapter for additional documentation on L2TP features.
Restrictions
PPPoE
PPPoE is supported on ATM PVCs only.
The Cisco 6400 cannot initiate dial-out PPPoE sessions.
PPPoE supports Cisco Express Forwarding (CEF) only. Fastswitching on PPPoE virtual-access interfaces is not supported.
PPPoA
PPPoA does not support static IP assignments within virtual templates.
PPPoA/PPPoE Autosense on ATM VC with SNAP Encapsulation
Do not use this feature on a router that initiates PPPoA sessions.
This feature supports ATM PVCs. Switched virtual circuits (SVCs) are not supported.
This feature supports only PPPoA sessions that use SNAP or Logical Link Control (LLC) encapsulation. This feature does not support MUX-encapsulated PVCs.
PPPoE Session Count MIB
The snmp-server enable traps pppoe command enables SNMP traps only. It does not support inform requests.
Prerequisites
PPP Scalability
See the Cisco 6400 Release Notes for memory recommendations.
In order to gain maximum packet-switching performance, enable Cisco Express Forwarding (CEF) on the virtual-access interface. For information about enabling Cisco Express Forwarding, see the "Configuring Cisco Express Forwarding" chapter in the "Cisco IOS Switching Paths" part of the Cisco IOS Switching Services Configuration Guide .
The NRP uses virtual templates to assign PPP features to a PVC. As each PPP session comes online, a virtual access interface is "cloned" from the virtual template. This virtual-access interface inherits the configuration specified in the virtual template. When the virtual template is changed, the changes are automatically propagated to all virtual-access interfaces cloned from that particular virtual template.
After you configure a virtual template for PPPoE, you must configure the PVCs that carry traffic from the NRP to the ATM interfaces. Finally, to allow PPPoE to operate over the virtual-access interface, set the IP maximum transmission unit (MTU) to 1492.
Basic PPPoE configuration consists of the following tasks:
(Optional) Creates "pre-cloned" virtual-access interfaces equal to the expected maximum number of concurrent PPPoE sessions.1
1 Instead of creating virtual-access interfaces on demand, the system can be configured to create and save a number of pre-cloned virtual-access interfaces to a private PPPoE list. This cloning procedure reduces the CPU workload while PPPoE sessions are established.
Task 2: Configuring PPPoE on the ATM Interface
To configure PPPoE on the ATM interface, complete the following steps beginning in global configuration mode:
Specifies the ATM interface and optional subinterface.
Step 2
Router(config-if)# pvc[name]vpi/vci
Configures the PVC.
Step 3
Router(config-atm-vc)# encapsulation aal5snap
Configures SNAP encapsulation.
Step 4
Router(config-atm-vc)# protocol pppoe
Selects PPPoE as the protocol for the PVC.
You can also configure PPPoE in a VC class and apply this VC class to an ATM VC, subinterface, or interface. For information about configuring a VC classes, see the "Permanent Virtual Circuits" section in the "Basic NRP Configuration" chapter of the Cisco 6400 Software Setup Guide . Also see the "Example: PPPoE Configuration Using a VC Class" section.
Task 3: Setting the MTU
To allow PPPoE to operate over the virtual-access interface, set the maximum transmission unit (MTU) to 1492. To set the MTU, complete the following steps beginning in global configuration mode:
Command
Purpose
Step 1
Router(config)# interface virtual-templatenumber
Selects the virtual-access interface to be configured.
Step 2
Router(config-if)# mtu 1492
Sets the MTU to 1492.
Verifying PPPoE
Step 1 Enter the show vpdn EXEC command. The output shows PPPoE session information (see Table 4-1). Confirm that the virtual-access interface status (VASt) is up.
Router# show vpdn
PPPOE Tunnel and Session
Session count: 1
PPPoE Session Information
SID RemMAC LocMAC Intf VASt OIntf VC
1 0010.54db.bc38 0050.7327.5dc3 Vi1 UP AT0/0/0 0/40
Table 4-1 show vpdn Field descriptions
Field
Description
SID
Session ID for the PPPoE session
RemMAC
MAC address of the host
LocMAC
MAC address of the ATM interface
Intf
Virtual-access interface associated with the PPP session
VASt
State of the virtual-access interface
OIntf
Outgoing interface
VC
Virtual circuit on which PPP session flows
Step 2 Enter the show atm pvc privileged EXEC command. The last line of the output, "PPPOE enabled," confirms that PPPoE is enabled on this VC.
In the following example, PPPoE is enabled directly on a PVC:
!
vpdn enable
!
vpdn-group 1
accept dialin pppoe virtual-template 1
!
virtual-template 1 pre-clone 500
!
interface atm 2/0.1 multipoint
pvc 0/60
encapsulation aal5snap
protocol pppoe
!
ip cef
!
interface virtual-template 1
ip address 10.0.1.2 255.255.255.0
mtu 1492
ip route-cache cef
!
Example: PPPoE Configuration Using a VC Class
In the following example, PPPoE is configured on a VC class called "users." This VC class is then applied to a particular PVC:
!
vpdn enable
!
vpdn-group 1
accept dialin pppoe virtual-template 1
!
virtual-template 1 pre-clone 500
!
interface atm 2/0.1 multipoint
pvc 0/60
class users
!
vc-class atm users
encapsulation aal5snap
protocol pppoe
!
ip cef
!
interface virtual-template 1
ip address 10.0.1.2 255.255.255.0
mtu 1492
ip route-cache cef
!
Example: Concurrent PPPoE and Bridging
PPPoE can operate concurrently with bridging on an ATM interface. This allows PPPoE to operate on one or more specific traffic protocols, leaving other protocols to be bridged.
In the following example, both PPPoE and bridging are configured to operate concurrently on the same DSL link:
!
vpdn enable
!
vpdn-group 1
accept dialin pppoe virtual-template 1
!
virtual-template 1 pre-clone 500
!
bridge 1 protocol ieee
bridge 1 route ip
!
interface atm 2/0.1 multipoint
bridge-group 1
pvc 0/60
encapsulation aal5snap
protocol pppoe
!
ip cef
!
interface virtual-template 1
ip address 10.0.1.2 255.255.255.0
mtu 1492
ip route-cache cef
!
Monitoring and Maintaining PPPoE
Use the following commands to monitor and maintain PPPoE:
Command
Purpose
show atm pvc
Displays ATM PVC and traffic information, including PPPoE status.
show vpdn
Displays PPPoE session information, including MAC addresses and virtual-access interfaces.
show vpdn session packet
Displays PPPoE session statistics.
show vpdn session all
Displays PPPoE session information for each session ID.
The NRP uses virtual templates to assign PPP features to a PVC. As each PPP session comes online, a virtual access interface is "cloned" from the virtual template. This virtual-access interface inherits the configuration specified in the virtual template. When the virtual template is changed, the changes are automatically propagated to all virtual-access interfaces cloned from that particular virtual template.
After you configure a virtual template for PPPoA, you must configure the PVCs that carry traffic from the NRP to the ATM interfaces.
While you can use a local username database for authentication, large-scale deployment of PPP user services requires the use of a central database, such as TACACS+ or RADIUS to ease the configuration burden. RADIUS or TACACS+ servers, collectively known as authentication, authorization, and accounting (AAA) servers for PPPoA (and other media), contain the per-user configuration database, including password authentication and authorization information. For more information about AAA, see the "Authentication, Authorization, and Accounting (AAA)" chapter in the Cisco IOS Security Configuration Guide.
Basic PPPoA configuration consists of the following tasks:
Selects the authentication protocol and optional secondary protocol.
Step 5
Router(config-if)# exit
Returns to global configuration mode.
Step 6
Router(config)# ip local poolpoolnamelow-ip-address [high-ip-address]
(Optional) Configures a local pool of IP addresses to be used when a remote peer connects to a point-to-point interface.
Step 7
Router(config)# ip dhcp-server
{ip-address | name}
(Optional) Specifies which DHCP server to use on your network.
CautionDo not use a static IP assignment within a virtual template; routing problems can occur. Always enter the ip unnumbered command when configuring a virtual template.
To configure a different class of users on the same router, provision a separate virtual template interface. You can configure up to 25 virtual templates.
Examples: Configuring a Virtual Template for PPPoA
In the following example, all PPPoA VCs (users) cloned from virtual template 1 will use CHAP authentication and will be allocated an IP address from the pool named "telecommuters" configured on the router. In addition, the local end of the PPPoA connection is running without an IP address (recommended). Instead, the IP address of the FastEthernet interface is used for addressability:
!
interface virtual-template 1
ip unnumbered fastethernet 0/0/0
peer default ip address pool telecommuters
ppp authentication chap
!
local pool telecommuters 10.36.1.1 10.36.1.254
!
In the following example, all PPPoA VCs cloned from Virtual-Template 2 use PAP authentication over CHAP and are allocated an IP address from a DHCP server:
!
interface Virtual-Template 2
ip unnumbered fastethernet 0/0/0
peer default ip address dhcp
ppp authentication pap chap
!
ip dhcp-server 10.5.20.149
!
Task 2: Configuring PPPoA on a PVC
To configure PPPoA on a PVC, complete the following steps beginning in global configuration mode:
Configures the ATM adaptation layer (AAL) and encapsulation type, and configures a PVC to use a virtual-template as the default PPP interface configuration.
You can also configure PVCs by using VC classes and PVC discovery. For more information, see the "Permanent Virtual Circuits" section in the "Basic NRP Configuration" chapter of the Cisco 6400 Software Setup Guide .
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
The lines highlighted in the previous example show the layer 3 protocols enabled on this interface, the VPI and VCI numbers, and the master virtual template from which this virtual access interface was cloned.
PPP Authentication
Large-scale deployment of PPP user services requires the use of a central database, such as TACACS+ or RADIUS to ease the configuration burden. RADIUS or TACACS+ servers, collectively known as authentication, authorization, and accounting (AAA) servers for PPP over ATM (and other media), contain the per-user configuration database, including password authentication and authorization information. For more information about AAA, see the "Authentication, Authorization, and Accounting (AAA)" chapter in the Cisco IOS Security Configuration Guide .
PPP authentication configuration consists of the following tasks:
Specifies one or more authentication methods for use on interfaces running PPP.
The list-name option refers to the name of this particular method list (or default, if it is the default list). The authentication method options are local, RADIUS, or TACACS+.
Example: Selecting the TACACS+ and RADIUS PPP Authentication Methods
In the following example, virtual template 3 is configured to use TACACS+ before RADIUS, and virtual template 4 is configured to use RADIUS before local authentication:
!
aaa new-model
aaa authentication ppp list1 tacacs+ radius
aaa authentication ppp list2 radius local
!
interface virtual-template 3
ip unnumbered fastethernet 0/0/0
ppp authentication chap list1
!
interface virtual-template 4
ip unnumbered fastethernet 0/0/0
ppp authentication chap list2
!
Example: Selecting the Local PPP Authentication Method
In the following example, only the local username database is used for authentication:
!
aaa new-model
aaa authentication ppp default local
!
Task 2 (Option 1): Configuring Communication with a RADIUS Server
Note This task is required if you configured the RADIUS authentication method.
To configure the NRP to communicate properly with a RADIUS server, complete the following steps in global configuration mode:
PPPoA/PPPoE autosense enables the network access server (NAS) to distinguish between incoming PPPoA and PPPoE sessions, and to allocate resources on demand for both PPP types. You can configure PPPoA/PPPoE autosense on a single PVC or on a VC class that can be applied to all PVCs on an ATM interface.
PPPoA/PPPoE autosense provides resource allocation on demand. For each PVC configured for both PPPoA and PPPoE, certain resources (including one virtual-access interface) are allocated upon configuration, regardless of the existence of a PPPoA or PPPoE session on that PVC. With PPPoA/PPPoE autosense, resources are allocated for PPPoA and PPPoE sessions only when a client initiates a session, reducing overhead on the network access server (NAS).
Note Whenever possible, configure PPPoA and PPPoE to use the same virtual template. Using separate virtual
templates leads to the inefficient use of virtual access because the maximum number of virtual-access
interfaces will have to be precloned twice: once for PPPoE and once for PPPoA. If PPPoA and PPPoE
use the same virtual template, the maximum number of virtual-access interfaces can be precloned once
and used for PPPoA and PPPoE as needed.
Option 1: Configuring PPPoA/PPPoE Autosense on a PVC
To configure PPPoA/PPPoE autosense on a PVC, complete the following steps beginning in global configuration mode:
Specifies the ATM interface and optional subinterface.
Step 2
Router(config-subif)# pvc [name]vpi/vci
Configures a PVC on the ATM interface or subinterface.
Step 3
Router(config-if-atm-vc)#
encapsulation aal5autoppp
Virtual-Template number
Configures PPPoA/PPPoE autosense on the PVC. Also specifies the virtual template interface to clone the new virtual access interfaces for PPPoA sessions on this PVC.
Example: Configuring PPPoA/PPPoE Autosense on a PVC
In the following example, the NAS is configured with PPPoA/PPPoE autosense on PVC 30/33.
!
! Configure PPPoA/PPPoE autosense
!
interface ATM 0/0/0.33 multipoint
pvc 30/33
encapsulation aal5autoppp Virtual-Template1
!
! Configure PPPoE
!
vpdn enable
vpdn-group 1
accept dialin pppoe virtual-template 1
!
ip cef
interface virtual-template 1
ip unnumbered fastethernet 0/0/0
mtu 1492
ip route-cache cef
!
! Enable precloning for virtual-template 1
!
virtual-template 1 pre-clone 2000
!
Option 2: Configuring PPPoA/PPPoE Autosense on a VC Class
Note Virtual access interfaces for PPPoE sessions are cloned from the virtual template interface specified in
the VPDN group.
To configure PPPoA/PPPoE autosense on a VC class, complete the following steps beginning in global configuration mode:
Command
Purpose
Step 1
Router(config)# vc-class atm vc-class-name
Creates and names a map class.
Step 2
Router(config-vc-class)# encapsulatio
n aal5autoppp
Virtual-Template number
Configures PPPoA/PPPoE autosense on the VC class. Also specifies the virtual template interface to use to clone the new virtual access interfaces for PPPoA sessions on this PVC.
Specifies the ATM interface and optional subinterface.
Step 5
Router(config-subif)#class-int
vc-class-name
Applies the VC class to all VCs on the ATM interface or subinterface.
Example: Configuring PPPoA/PPPoE Autosense on a VC Class
In the following example, the NAS is configured with PPPoA/PPPoE autosense on the VC class called "MyClass." MyClass applies the PPPoA/PPPoE autosense feature to all PVCs on the ATM 0/0/0.99 interface:
!
! Configure PPPoA/PPPoE autosense
!
vc-class ATM MyClass
encapsulation aal5autoppp Virtual-Template1
!
interface ATM 0/0/0.99 multipoint
class-int MyClass
no ip directed-broadcast
pvc 20/40
pvc 30/33
!
! Configure PPPoE
!
vpdn enable
vpdn-group 1
accept dialin pppoe virtual-template 1
!
ip cef
interface virtual-template 1
ip unnumbered fastethernet 0/0/0
mtu 1492
ip route-cache cef
!
! Enable precloning for virtual-template 1
!
virtual-template 1 pre-clone 2000
!
Example: Configuring PPPoA/PPPoE Autosense on Multiple VC Classes and Virtual Templates
In the following example, PPPoA and PPPoE sessions are handled separately by two VC classes and two virtual templates:
ip cef
vpdn enable
!
vpdn-group 1
accept-dialin
protocol pppoe
virtual-template 1
pppoe limit per-mac 1
pppoe limit per-vc 1
!
virtual-template 1 pre-clone 1500
!
interface ATM0/0/0.1 multipoint
no ip directed-broadcast
class-int pppoe
!
interface ATM0/0/0.3 multipoint
no ip directed-broadcast
class-int pppoa
!
interface ATM0/0/0.9 multipoint
ip address 10.16.40.1 255.255.0.0
no ip directed-broadcast
!
interface Virtual-Template1
ip unnumbered ATM0/0/0.9
ip route-cache cef
no ip directed-broadcast
peer default ip address pool pool-1
ppp authentication pap
!
interface Virtual-Template2
ip unnumbered ATM0/0/0.9
ip route-cache cef
no ip directed-broadcast
peer default ip address pool pool-2
ppp authentication chap
!
vc-class atm pppoe
encapsulation aal5autoppp Virtual-Template1
!
vc-class atm pppoa
encapsulation aal5autoppp Virtual-Template2
!
Verifying PPP Autosense Configuration
To verify that you successfully configured PPPoA/PPPoE autosense, enter the show running-config EXEC command.
Monitoring and Maintaining PPPoA/PPPoE Autosense
Use the following commands to monitor and maintain PPPoA/PPPoE autosense:
Command
Purpose
Router# show atm pvc
[ppp]
After the client at the other end of the PVC has initiated a PPPoA session, use this command to check that the PVC contains the PPPoA session.
Router# show caller
Enter this command to:
View individual users and consumed resources on the NAS.
Inspect active call statistics for large pools of connections. (The debug commands produce too much output and tax the CPU too heavily.)
Display the absolute and idle times for each user. The current values for both of these settings are displayed on the TTY line and the asynchronous interface. Users who have been idle for unacceptably long periods of time can be easily identified. By using this information, you can define timeout policies and multiple grades of services for different users.
Router# show interface
virtual accessnumber
Displays information about the virtual access interface, LCP, protocol states, and interface statistics. The status of the virtual access interface should read:
Virtual-Access3 is up, line protocol is up
Troubleshooting PPPoA/PPPoE Autosense
To troubleshoot PPP sessions establishment, use the following commands:
debug ppp negotiation
debug ppp authentication
To troubleshoot the establishment of PPP sessions that are authenticated by a RADIUS or TACACS server, use the following commands:
debug aaa authentication
debug aaa authorization
Caution Use debug commands with extreme caution because they are CPU-intensive and can seriously impact your network.
The PPPoE Session-Count MIB provides the ability to use Simple Network Management Protocol (SNMP) to monitor in real time the number of PPPoE sessions configured on PVCs and on a router.
The PPPoE Session-Count MIB also introduces two SNMP traps that generate notification messages when a PPPoE session-count threshold is reached on any PVC or on the router. You can configure the PPPoE session-count thresholds by using the pppoe limit max-sessions and pppoe max-sessions commands.
Table 4-2 describes the objects and tables supported by the PPPoE Session-Count MIB. For a complete description of the MIB, see the PPPoE Sessions Management MIB file CISCO-PPPOE-MIB.my, available through Cisco.com at the following URL:
Table 4-2 PPPoE Session Count MIB Objects and Tables
Object
Description
cPppoeSystemCurrSessions
Number of PPPoE sessions active on the router.
cPppoeSystemHighWaterSessions
Total number of PPPoE sessions configured on the router since the system was initialized.
cPppoeSystemMaxAllowedSessions
Number of PPPoE sessions configurable on the router.
cPppoeSystemThresholdSessions
Threshold value of PPPoE sessions configurable on the router.
cPppoeSystemExceededSessionErrors
Accumulated number of errors on the router that have occurred because the cPppoeSystemCurrSessions value exceeded the cPppoeSystemMaxAllowedSessions value.
cPppoeVcCfgTable
PPPoE protocol-related configuration information about the virtual channel links (VCLs).
cPppoeVcSessionsTable
Configuration information and statistics about the number of PPPoE sessions on the VCLs.
cPppoeSystemSessionThresholdTrap
Generates a notification message when the number of PPPoE sessions on the router reaches the configured threshold value.
cPppoeVcSessionThresholdTrap
Generates a notification message when the number of PPPoE sessions on the PVC reaches the configured threshold value.
The PPPoE Session Count MIB provides the following benefits:
Allows the monitoring of PPPoE session counts using SNMP.
Helps to manage the number of PPPoE sessions configured on a router or PVC by sending notification messages when the PPPoE session threshold has been reached.
Provides a way to track PPPoE session information over time.
See the following sections for configuration tasks for the PPPoE Session Limit MIB feature. Each task in the list is identified as optional or required.
To enable SNMP traps that send notification messages when PPPoE session thresholds have been reached, use the following command in global configuration mode:
Sets the maximum number of PPPoE sessions that are permitted on a router, and sets the PPPoE session-count threshold at which an SNMP trap is generated.
Example: Configuring the PPPoE Session-Count Threshold for the Router
The following example shows a limit of 4000 PPPoE sessions configured for the router. The PPPoE session-count threshold is set at 3000 sessions, so when the number of PPPoE sessions on the router reaches 3000, an SNMP trap is generated.
Sets the maximum number of PPPoE sessions that will be permitted on an ATM PVC, PVC range, virtual circuit (VC) class, or VLAN, and sets the PPPoE session-count threshold at which an SNMP trap will be generated.
1 To determine the correct form of the interface atm command, consult your ATM network module, port adapter, or router documentation.
Example: Configuring the PPPoE Session-Count Threshold for a PVC
The following example shows a limit of 5 PPPoE sessions configured for the PVC. The PPPoE session-count threshold is set at 3 sessions, so when the number of PPPoE sessions on the PVC reaches 3, an SNMP trap is generated.
interface ATM0/0/0
ip address 10.0.0.1 255.255.255.0
no atm ilmi-keepalive
pvc 5/120
protocol ip 10.0.0.2 broadcast
pppoe max-sessions 5 threshold-sessions 3
protocol pppoe
Configuring the PPPoE Session Count Threshold for a VC Class
To configure the PPPoE session-count threshold for a VC class, use the following commands beginning in global configuration mode:
Command
Purpose
Step 1
Router(config)# vc-class atm name
Creates a VC class for an ATM PVC, SVC, or ATM interface.
Sets the maximum number of PPPoE sessions that are permitted on an ATM PVC, PVC range, VC class, or VLAN, and sets the PPPoE session-count threshold at which an SNMP trap is generated.
Example: Configuring the PPPoE Session Count Threshold for a VC Class
The following example shows a limit of 7 PPPoE sessions configured for a VC class called "main". The PPPoE session-count threshold is set at 3 sessions, so when the number of PPPoE sessions for the VC class reaches 3, an SNMP trap is generated.
vc-class atm main
pppoe max-sessions 7 threshold-sessions 3
Configuring the PPPoE Session-Count Threshold for an ATM PVC Range
To configure the PPPoE session- count threshold for an ATM PVC range, use the following commands beginning in global configuration mode:
Sets the maximum number of PPPoE sessions that are permitted on an ATM PVC, PVC range, VC class, or VLAN, and sets the PPPoE session-count threshold at which an SNMP trap is generated.
1 To determine the correct form of the interface atm command, consult your ATM network module, port adapter, or router documentation.
Example: Configuring the PPPoE Session-Count Threshold for an ATM PVC Range
The following example shows a limit of 20 PPPoE sessions configured for the PVC range. The PPPoE session-count threshold is also be 20 sessions because when the session-count threshold has not been explicitly configured, it defaults to the PPPoE session limit. An SNMP trap is generated when the number of PPPoE sessions for the range reaches 20.
interface ATM0/0/0.3 point-to-point
range pvc 3/100 3/105
pppoe max-sessions 20
protocol pppoe
Configuring the PPPoE Session-Count Threshold for an Individual PVC Within a Range
To configure the PPPoE session-count threshold for an individual PVC within an ATM PVC range, use the following commands beginning in global configuration mode:
Sets the maximum number of PPPoE sessions that are permitted on an ATM PVC, PVC range, VC class, or VLAN, and sets the PPPoE session-count threshold at which an SNMP trap is generated.
1 To determine the correct form of the interface atm command, consult your ATM network module, port adapter, or router documentation.
Example: Configuring the PPPoE Session-Count Threshold for an Individual PVC Within a Range
The following example shows a limit of 10 PPPoE sessions configured for "pvc1". The PPPoE session-count threshold is set at 3 sessions, so when the number of PPPoE sessions for the PVC reaches 3, an SNMP trap is generated.
interface atm 6/0.110 multipoint
range range1 pvc 100 4/199
pvc-in-range pvc1 3/104
pppoe max-sessions 10 threshold-sessions 3
Verifying PPPoE Session Count Thresholds
To verify the configuration of PPPoE session-count thresholds, use the following command in EXEC mode:
Command
Purpose
Router# more system:running-config
Displays the running configuration.
Monitoring and Maintaining PPPoE Session Counts and SNMP Notifications
To monitor PPPoE session counts and SNMP notifications, use the following commands in EXEC mode:
Command
Purpose
Router# debug snmp packets
Displays information about every SNMP packet sent or received by the router.
Router# debug vpdn pppoe-errors
Displays PPPoE protocol errors that prevent a session from being established or errors that cause an established session to be closed.
Router# debug vpdn pppoe-packets
Displays each PPPoE protocol packet exchanged.
Router# show vpdn [session][packets][tunnel][all]
Displays information about active tunnel and message identifiers in a VPDN.