Cisco IOS Software Releases 12.2 Special and Early Deployments

PPPoE Session Limit Per NAS Port


PPPoE Session Limit per NAS Port


First Published: March 17, 2003
Last Updated: February 28, 2006

The PPPoE Session Limit per NAS Port feature enables you to limit the number of PPP over Ethernet (PPPoE) sessions on a specific permanent virtual circuit (PVC) or VLAN configured on an L2TP access concentrator (LAC). The network access server (NAS) port is either an ATM PVC or a configured VLAN ID. PPPoE per-NAS-port session limits are maintained in a RADIUS server customer profile database and are downloaded during Subscriber Service Switch (SSS) preauthorization.

History for the PPPoE Session Limit per NAS Port Feature

Release       Modification
12.2(15)B     This feature was introduced on the Cisco 7200 series and Cisco 7401ASR routers.
12.3(4)T      This feature was integrated into Cisco IOS Release 12.3(4)T.
12.2(28)SB    This feature was integrated into Cisco IOS Release 12.2(28)SB.

Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Contents

Prerequisites for PPPoE Session Limit per NAS Port

Restrictions for PPPoE Session Limit per NAS Port

Information About PPPoE Session Limit per NAS Port

How to Configure PPPoE Session Limits per NAS Port

Configuration Examples for PPPoE Session Limit per NAS Port

Additional References

Command Reference

Prerequisites for PPPoE Session Limit per NAS Port

Both the LAC and the L2TP Network Server (LNS) must be running a Cisco IOS image that supports the PPPoE Session Limit Per NAS Port feature.

Restrictions for PPPoE Session Limit per NAS Port

Do not configure the PPPoE per-NAS-port session limit to zero.

PPPoE Session Limit per NAS Port does not support TACACS+.

PPPoE Session Limit per NAS Port applies only to PVCs and VLANs.

Information About PPPoE Session Limit per NAS Port

To configure per-NAS-port session limits for PPPoE, you should understand the following concepts:

How PPPoE per-NAS-Port Session Limits Work

Relationship Between the per-NAS-Port Session Limit and Other Types of Session Limits

Benefits of PPPoE Session Limits per NAS Port

How PPPoE per-NAS-Port Session Limits Work

The PPPoE Session Limit per NAS Port feature limits the number of PPPoE sessions on a specific PVC or VLAN configured on an LAC. The NAS port is either an ATM PVC or a configured VLAN ID.

The PPPoE per-NAS-port session limit is maintained in a RADIUS server customer profile database. This customer profile database is connected to a LAC and is separate from the RADIUS server that the LAC and LNS use for the authentication and authorization of incoming users. See Figure 1 for a sample network topology. When the customer profile database receives a preauthorization request from the LAC, it sends the PPPoE per-NAS-port session limit to the LAC.

The LAC sends a preauthorization request to the customer profile database when the LAC is configured for SSS preauthorization. When the LAC receives the PPPoE per-NAS-port session limit from the customer profile database, the LAC compares that limit with the number of sessions currently on the NAS port. The LAC then accepts or rejects the current call, depending on the downloaded PPPoE per-NAS-port session limit and the number of calls currently on the NAS port.

Figure 1 PPPoE Session Limit per NAS Port Sample Topology

The customer profile database consists of user profiles for each user that is connected to the LAC. Each user profile contains the NAS-IP-Address (attribute 4) and the NAS-Port-ID (attribute 5). When the LAC is configured for SSS preauthorization, it queries the customer profile database using the username. When a match is found, the customer profile database returns the PPPoE per-NAS-port session limit carried in the user profile. The PPPoE per-NAS-port session limit is defined in the user profile as a Cisco AV-pair.

Relationship Between the per-NAS-Port Session Limit and Other Types of Session Limits

You can configure other types of session limits on the LAC, including session limits per VC, per VLAN, and per MAC address, and a global session limit for the LAC. When PPPoE Session Limit per NAS Port is enabled (that is, when you have enabled SSS preauthorization on the LAC), the locally configured session limits per VC and per VLAN are overridden by the PPPoE per-NAS-port session limit downloaded from the customer profile database. The configured per-VC and per-VLAN session limits serve only as backups if the download of the PPPoE per-NAS-port session limit fails. Global session limits and per-MAC session limits, if configured on the router, still take effect as additional means of limiting PPPoE sessions.
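The admission decision described in the two sections above, modelled as an added example (not Cisco code): it builds the NAS-port User-Name in the format Table 1 below specifies, extracts the pppoe:session-limit AV-pair from a constructed RADIUS reply, and applies the precedence rules between the downloaded limit, the local per-VC/per-VLAN backups, and the per-MAC and global limits. LacLimits, nas_port_username, parse_session_limit and admit_session are invented names; the session limit of 2 and the local limits are made-up sample values.

```python
# Added illustration of the LAC-side admission decision described above; it is
# not Cisco code. LacLimits, nas_port_username, parse_session_limit and
# admit_session are invented names, and the RADIUS reply is a constructed list
# of AV-pair strings rather than a real Access-Accept.
from dataclasses import dataclass
from typing import Optional

@dataclass
class LacLimits:
    """Session limits configured locally on the LAC; None means not configured."""
    per_vc: Optional[int] = None
    per_vlan: Optional[int] = None
    per_mac: Optional[int] = None
    global_limit: Optional[int] = None

def nas_port_username(lac_ip: str, port: str, vpi_vci: Optional[str] = None,
                      vlan_id: Optional[int] = None) -> str:
    """User-Name the LAC presents during SSS preauthorization (Table 1 format):
    nas-port:<ip>:<slot/subslot/port>/<vpi.vci> for PPPoE over ATM,
    nas-port:<ip>:<slot/module/port>/<vlan-id> for PPPoE over VLAN."""
    if (vpi_vci is None) == (vlan_id is None):
        raise ValueError("give exactly one of vpi_vci or vlan_id")
    return f"nas-port:{lac_ip}:{port}/{vpi_vci if vpi_vci is not None else vlan_id}"

def parse_session_limit(avpairs: list) -> Optional[int]:
    """Pull pppoe:session-limit=N out of the reply's Cisco AV-pairs.
    Absent, malformed or zero (unsupported) is returned as None, which the
    caller treats exactly like a failed download."""
    for av in avpairs:
        key, sep, value = av.partition("=")
        if sep and key.strip() == "pppoe:session-limit":
            value = value.strip()
            return int(value) if value.isdigit() and int(value) > 0 else None
    return None

def admit_session(port_sessions: int, mac_sessions: int, total_sessions: int,
                  local: LacLimits, is_vlan: bool,
                  downloaded: Optional[int]) -> tuple:
    """Accept or reject a new PPPoE call on one NAS port.
    The downloaded per-NAS-port limit overrides the local per-VC/per-VLAN
    limit, which is only a backup when the download failed; the per-MAC and
    global limits apply on their own in either case."""
    port_limit, source = downloaded, "per-NAS-port limit from RADIUS"
    if port_limit is None:
        port_limit = local.per_vlan if is_vlan else local.per_vc
        source = "local per-vlan limit" if is_vlan else "local per-vc limit"
    if port_limit is not None and port_sessions >= port_limit:
        return False, f"{source} ({port_limit}) reached"
    if local.per_mac is not None and mac_sessions >= local.per_mac:
        return False, f"per-mac limit ({local.per_mac}) reached"
    if local.global_limit is not None and total_sessions >= local.global_limit:
        return False, f"global limit ({local.global_limit}) reached"
    return True, "accepted"

# Constructed sample: PVC 1/100 on ATM 4/0/0 of a LAC at 10.10.10.10 (the
# page's profile example); the limit of 2 and the local limits are made up.
SAMPLE_USERNAME = nas_port_username("10.10.10.10", "4/0/0", vpi_vci="1.100")
SAMPLE_AVPAIRS = ["pppoe:session-limit=2"]
LOCAL = LacLimits(per_vc=10, per_vlan=10, per_mac=10, global_limit=100)
```

Calling admit_session with downloaded=None reproduces the backup behaviour: the third call on the sample PVC is accepted under the local per-vc limit of 10 even though the RADIUS limit would have been 2.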

Benefits of PPPoE Session Limits per NAS Port

The PPPoE Session Limit Per NAS Port feature provides flexibility and simplifies router configuration by allowing you to download the per-VC and per-VLAN session limits from a RADIUS server in addition to being able to configure them on the router.

How to Configure PPPoE Session Limits per NAS Port

This section contains the following procedures:

Enabling Subscriber Service Switch Preauthorization

Configuring the RADIUS User Profile for PPPoE Session Limit per NAS Port

Verifying PPPoE Session Limit per NAS Port

Enabling Subscriber Service Switch Preauthorization

When Subscriber Service Switch preauthorization is enabled on a LAC, local configurations for session limit per VC and per VLAN are overwritten by the per-NAS-port session limit downloaded from the server. To enable this preauthorization, perform the following steps:

SUMMARY STEPS

1. enable

2. configure terminal

3. subscriber access pppoe pre-authorize nas-port-id [aaa-method-list]

4. exit

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables higher privilege levels, such as privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

subscriber access pppoe pre-authorize nas-port-id [aaa-method-list]

Example:

Router(config)# subscriber access pppoe pre-authorize nas-port-id mlist_llid

Enables Subscriber Service Switch preauthorization.

aaa-method-list—Name of an AAA authorization method list configured on the LAC.

Note During SSS preauthorization, per-NAS-port session limits are downloaded to the LAC.


Step 4 

exit

Example:

Router(config)# exit

Exits global configuration mode.


Configuring the RADIUS User Profile for PPPoE Session Limit per NAS Port

Table 1 lists the attributes that enable per-NAS-port PPPoE session limits in a RADIUS user profile for the customer profile database. Refer to the Cisco IOS Security Configuration Guide for information about creating a RADIUS user profile.

Table 1 Attributes for the RADIUS User Profile for Per-NAS-Port PPPoE Session Limits

RADIUS Entry: User-Name = nas-port:ip-address:slot/subslot/port/vpi.vci
Purpose: Configures the NAS port username for a PPPoE over ATM NAS port user.
  ip-address—IP address of the LAC interface that connects to the customer profile database.
  slot/subslot/port—ATM interface.
  vpi.vci—Virtual path identifier (VPI) and virtual channel identifier (VCI) values for the PVC.

RADIUS Entry: User-Name = nas-port:ip-address:slot/module/port/vlan-id
Purpose: Configures the NAS port username for a PPPoE over VLAN NAS port user.
  ip-address—IP address of the LAC interface that connects to the customer profile database.
  slot/module/port—Ethernet interface on which the VLAN is configured.
  vlan-id—VLAN identifier.

RADIUS Entry: Password = "cisco"
Purpose: Sets the fixed password.

RADIUS Entry: cisco-avpair = "pppoe:session-limit=session limit per NAS-port"
Purpose: Adds the PPPoE Session Limit per NAS Port Cisco AV-pair to the user profile.
  session limit per NAS-port—per-NAS-port PPPoE session limit.


Verifying PPPoE Session Limit per NAS Port

Perform this task to verify that the per-NAS-port session limit is downloaded during preauthorization and applied to new sessions.

SUMMARY STEPS

1. enable

2. debug aaa authorization

3. debug radius [brief | hex]

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

debug aaa authorization

Example:

Router# debug aaa authorization

Displays information on AAA authorization.

Step 3 

debug radius [brief | hex]

Example:

Router# debug radius

Displays information about RADIUS.

Configuration Examples for PPPoE Session Limit per NAS Port

Configuring the LAC for per-NAS-Port Session Limits for PPPoE over ATM: Example

Configuring the LAC for per-NAS-Port Session Limits for PPPoE over VLAN: Example

Configuring the User Profile for PPPoE Session Limit per NAS Port: Example

Configuring the LAC for per-NAS-Port Session Limits for PPPoE over ATM: Example

The following example shows how to configure per-NAS-port session limits for PPPoE over ATM on the LAC:

!
username lac password 0 lab
username lns password 0 lab
aaa new-model
!
aaa authentication ppp default group radius local
aaa authentication ppp mlist_nasport group radius
aaa authorization network mlist_nasport group radius 
aaa session-id common
ip subnet-zero
!
no ip domain lookup
ip host abrick 192.168.2.0
!
ip cef
subscriber access pppoe pre-authorize nas-port-id mlist_nasport
vpdn enable
!
vpdn-group l2tp_initiator
 request-dialin
  protocol l2tp
  domain domain1.com
 initiate-to ip 10.1.1.2 
 local name lac
!
vpdn-group pppoe_terminate
 accept-dialin
  protocol pppoe
  virtual-template 1
 pppoe limit per-mac 10
 pppoe limit per-vc 10
 pppoe limit per-vlan 10
!
vc-class atm pppoe
  protocol pppoe
  ubr 155000
  encapsulation aal5snap
!
interface ATM2/0
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
!
interface ATM2/0.1 point-to-point
 class-int pppoe
 pvc 1/100 
  encapsulation aal5snap
 !
!
interface FastEthernet4/0
 ip address 10.1.1.1 255.255.255.0
 no ip mroute-cache
 duplex full
!
interface FastEthernet6/0
 ip address 192.168.1.1 255.255.255.0
 no ip mroute-cache
 duplex full
!
interface Virtual-Template1
 ip unnumbered Loopback0
 no peer default ip address
 ppp authentication chap mlist_nasport
!
ip default-gateway 10.3.0.1
ip classless
ip route 10.0.0.0 255.0.0.0 10.3.0.1
!
!
ip radius source-interface FastEthernet6/0 
!
radius-server host 192.168.1.2 auth-port 1645 acct-port 1646
radius-server key cisco
radius-server authorization permit missing Service-Type
!

Configuring the LAC for per-NAS-Port Session Limits for PPPoE over VLAN: Example

The following example shows how to configure per-NAS-port session limits for PPPoE over VLAN on the LAC:

!
username lac password 0 lab
username lns password 0 lab
aaa new-model
!
!
aaa authentication ppp default group radius local
aaa authentication ppp mlist_nasport group radius
aaa authorization network mlist_nasport group radius 
aaa session-id common
ip subnet-zero
!
!
no ip domain lookup
ip host abrick 192.168.2.223
!
ip cef
subscriber access pppoe pre-authorize nas-port-id mlist_nasport
vpdn enable
!
vpdn-group l2tp_initiator
 request-dialin
  protocol l2tp
  domain nasport.com
 initiate-to ip 10.1.1.2 
 local name lac
!
vpdn-group pppoe_terminate
 accept-dialin
  protocol pppoe
  virtual-template 1
 pppoe limit per-mac 10
 pppoe limit per-vc 10
 pppoe limit per-vlan 10
!
vc-class atm pppoe
  protocol pppoe
  ubr 155000
  encapsulation aal5snap
!
interface ATM2/0
 no ip address
 no ip mroute-cache
 shutdown
 no atm ilmi-keepalive
!
interface FastEthernet4/0
 ip address 10.1.1.1 255.255.255.0
 no ip mroute-cache
 duplex full
!
interface FastEthernet6/0
 ip address 192.168.20.3 255.255.255.0
 no ip mroute-cache
 duplex full
!
interface Virtual-Template1
 ip unnumbered Loopback0
 no peer default ip address
 ppp authentication chap mlist_nasport
!
ip default-gateway 10.3.0.1
ip classless
ip route 10.0.0.0 255.0.0.0 10.3.0.1
!
!
ip radius source-interface FastEthernet6/0 
!
!
!
radius-server host 10.1.1.2 auth-port 1645 acct-port 1646
radius-server key cisco
radius-server authorization permit missing Service-Type
!

Configuring the User Profile for PPPoE Session Limit per NAS Port: Example

The following example shows how to configure the user profile for PPPoE Session Limit per NAS port. In this example, the user has a PVC with a VPI of 1 and a VCI of 100 on ATM interface 4/0/0 of the LAC with an IP address of 10.10.10.10:

User-Name = nas-port:10.10.10.10:4/0/0/1.100
Password = "password1"
cisco-avpair = "pppoe:session-limit=<session limit per NAS-port>"

Additional References

The following sections provide references related to the PPPoE Session Limit per NAS Port feature.

Related Documents

Related Topic                                   Document Title
ATM PVC configuration                           "ATM" chapter in the Cisco IOS Wide-Area Networking Configuration Guide
PPPoE and PPPoE over 802.1Q VLAN configuration  "Broadband Access: PPP and Routed Bridge Encapsulation" chapter in the Cisco IOS Wide-Area Networking Configuration Guide, Release 12.2
ATM and PPPoE configuration commands            Cisco IOS Wide-Area Networking Command Reference, Cisco IOS Release 12.3(4)T


Standards

Standards    Title
None         —


MIBs

MIBs    MIBs Link
None    To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs


RFCs

RFCs    Title
None    —


Technical Assistance

Description: The Cisco Technical Support & Documentation website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.

Link: http://www.cisco.com/techsupport


Command Reference

This section documents a modified command only.

subscriber access

subscriber access

To configure a network access server (NAS) to enable Subscriber Service Switch (SSS) to preauthorize the NAS port identifier (NAS-Port-ID) string before authorizing the domain name, use the subscriber access command in global configuration mode. To disable SSS preauthorization, use the no form of this command.

subscriber access {pppoe | pppoa} pre-authorize nas-port-id [default | list-name] [send username]

no subscriber access {pppoe | pppoa} pre-authorize nas-port-id

Syntax Description

pppoe                      Specifies PPP over Ethernet (PPPoE).
pppoa                      Specifies PPP over ATM (PPPoA).
pre-authorize nas-port-id  Signals SSS to preauthorize the NAS-Port-ID string before authorizing the domain name.
default                    (Optional) Uses the default method list instead of the named list-name argument.
list-name                  (Optional) Name of the authentication, authorization, and accounting (AAA) authorization method list configured on the LAC.
send username              (Optional) Sends the authentication username of the session in the Connect-Info attribute (attribute 77).

Defaults

Preauthorization is disabled.

Command Modes

Global configuration

Command History

Release        Modification
12.2(8)B       This command was introduced on the Cisco 6400 series, the Cisco 7200 series, and the Cisco 7401 Application Specific Router (ASR).
12.2(13)T      This command was integrated into Cisco IOS Release 12.2(13)T, and the pppoe and pppoa keywords were added.
12.4(2)T       The send username keyword was added.
12.3(14)YM2    This command was integrated into Cisco IOS Release 12.3(14)YM2 and implemented on the Cisco 7301, Cisco 7204VXR, and Cisco 7206VXR routers.
12.2(28)SB     This command was integrated into Cisco IOS Release 12.2(28)SB.

Usage Guidelines

The NAS-Port-ID string is used to locate the first service record, which may contain one of three attributes, as follows:

A restricted set of values for the domain substring of the unauthenticated PPP name.

This filtered service key then locates the final service. See the vpdn authorize domain command for more information.

PPPoE session limit.

The logical line ID (LLID).

Once NAS port authorization has taken place, normal authorization, which is usually the domain authorization, continues.

Logical Line ID

The LLID is an alphanumeric string of 1 to 253 characters that serves as the logical identification of a subscriber line. The LLID is maintained in a RADIUS server customer profile database and enables service providers to track their customers on the basis of the physical lines on which customer calls originate. Downloading the LLID is also referred to as "preauthorization" because it occurs before normal virtual private dialup network (VPDN) authorization downloads the Layer 2 Tunneling Protocol (L2TP) information.

This command enables LLID and SSS querying only for PPP over Ethernet over ATM (PPPoEoATM) and PPP over Ethernet over VLAN (PPPoEoVLAN or Dot1Q) calls; all other calls, such as ISDN, are not supported.

Per-NAS-Port Session Limits for PPPoE

Use this command to configure SSS preauthorization on the L2TP Access Concentrator (LAC) so that the PPPoE per-NAS-port session limit can be downloaded from the customer profile database. To use PPPoE per-NAS-port session limits, you must also configure the PPPoE Session-Limit per NAS-Port Cisco attribute-value pair in the user profile.

Examples

The following example signals SSS to preauthorize the NAS-Port-ID string before authorizing the domain name. This policy applies only to sessions that have a PPPoE access type.

aaa new-model
aaa group server radius sg-llid
 server 172.20.164.106 auth-port 1645 acct-port 1646
aaa group server radius sg-group
 server 172.20.164.106 auth-port 1645 acct-port 1646
aaa authentication ppp default group radius 
aaa authorization config-commands
aaa authorization network default group sg-group
aaa authorization network mlist-llid group sg-llid
aaa session-id common
!
username s7200_2 password 0 lab
username s5300 password 0 lab
username sg-group password 0 lab
vpdn enable
!
vpdn-group 2
 request-dialin
  protocol l2tp
  domain group.com
 initiate-to ip 10.1.1.1
 local name s7200-2
!
vpdn-group 3
 accept-dialin
  protocol pppoe
  virtual-template 1
!
! Signals Subscriber Service Switch to preauthorize the NAS-Port-ID string before
! authorizing the domain name.
subscriber access pppoe pre-authorize nas-port-id mlist-llid
!
interface Loopback0
 ip address 10.1.1.2 255.255.255.0
!
interface Loopback1
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet1/0
 ip address 10.2.2.2 255.255.255.0 secondary
 ip address 10.0.58.111 255.255.255.0
 no cdp enable
!
interface ATM4/0
 no ip address
 no atm ilmi-keepalive
!
interface ATM4/0.1 point-to-point
 pvc 1/100
  encapsulation aal5snap
  protocol pppoe
!
interface Virtual-Template1
 ip unnumbered Loopback0
 no peer default ip address
 ppp authentication chap
!
radius-server host 172.20.164.120 auth-port 1645 acct-port 1646 key rad123
radius-server host 172.20.164.106 auth-port 1645 acct-port 1646 key rad123
ip radius source-interface Loopback1

The following example is identical to the previous example except that it also adds support for sending the PPP authenticating username with the preauthorization in the Connect-Info attribute. This example also includes calling line ID (CLID) suppression on the LLID if the username that is used to authenticate has a domain that includes #184.

aaa new-model
aaa group server radius sg-llid
 server 172.31.164.106 auth-port 1645 acct-port 1646
aaa group server radius sg-group
 server 172.31.164.106 auth-port 1645 acct-port 1646
aaa authentication ppp default group radius 
aaa authorization config-commands
aaa authorization network default group sg-group
aaa authorization network mlist-llid group sg-llid
aaa session-id common
!
username s7200-2 password 0 lab
username s5300 password 0 lab
username sg-group password 0 lab
vpdn enable
!
vpdn-group 2
 request-dialin
  protocol l2tp
  domain domain1.com
  domain domain1.com#184
 initiate-to ip 10.1.1.1
 local name s7200-2
 l2tp attribute clid mask-method right * 255 match #184
!
vpdn-group 3
 accept-dialin
  protocol pppoe
  virtual-template 1
!
subscriber access pppoe pre-authorize nas-port-id mlist-llid send username
!

Related Commands

Command                                Description
ip radius source-interface             Forces RADIUS to use the IP address of a specified interface for all outgoing RADIUS packets.
l2tp attribute clid mask-method        Configures a NAS to provide L2TP calling line ID suppression for calls belonging to a VPDN group.
subscriber authorization enable        Enables SSS type authorization.
vpdn authorize domain                  Enables domain preauthorization on a NAS.
vpdn l2tp attribute clid mask-method   Configures a NAS to provide L2TP calling line ID suppression globally on the router.