PPPoE Connection Throttling
Repeated requests to initiate PPP over Ethernet (PPPoE) sessions can adversely affect the performance of a router and RADIUS server. The PPPoE Connection Throttling feature limits PPPoE connection requests to help prevent intentional denial-of-service attacks as well as unintentional PPP authentication loops. This feature implements session throttling on the PPPoE server to limit the number of PPPoE session requests that can be initiated from a MAC address or VC (virtual circuit) during a specified period of time.
Feature Specifications for PPPoE Connection Throttling
Release        Modification
12.2(15)T      This feature was introduced.
12.2(27)SBA    This feature was integrated into Cisco IOS Release 12.2(27)SBA.
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
•Restrictions for PPPoE Connection Throttling
•How to Configure PPPoE Connection Throttling
•Configuration Examples for PPPoE Connection Throttling
Restrictions for PPPoE Connection Throttling
PPPoE connection throttling must be configured in a PPPoE profile.
How to Configure PPPoE Connection Throttling
To configure PPPoE connection throttling, perform the following tasks:
•Configuring PPPoE Connection Throttling (required)
•Monitoring and Maintaining PPPoE Connection Throttling (optional)
Configuring PPPoE Connection Throttling
Perform the following task to configure PPPoE connection throttling in a PPPoE profile.
SUMMARY STEPS
1. enable
2. configure terminal
3. bba-group pppoe {group-name | global}
4. virtual-template template-number
5. sessions {per-mac | per-vc} throttle session-requests session-request-period blocking-period
6. end
DETAILED STEPS
What to Do Next
Once a PPPoE profile has been defined, it can be assigned to a PPPoE port (Ethernet interface, VLAN, or PVC), a VC class, or an ATM PVC range. For more information about how to configure PPPoE profiles, refer to the Cisco IOS Release 12.2(15)T feature module "PPPoE Profiles."
Monitoring and Maintaining PPPoE Connection Throttling
Perform this task to monitor and maintain PPPoE connection throttling.
SUMMARY STEPS
1. enable
2. show pppoe session [all | packets]
3. clear pppoe {interface type number [vc {[vpi/]vci | vc-name}] | rmac mac-addr [sid session-id] | all}
4. debug pppoe {data | errors | events | packets} [rmac remote-mac-address | interface type number [vc {[vpi/]vci | vc-name}]]
DETAILED STEPS
Configuration Examples for PPPoE Connection Throttling
•PPPoE Connection Throttling Example
PPPoE Connection Throttling Example
The following example shows PPPoE connection throttling configured in the PPPoE profile "group1":
bba-group pppoe group1
 virtual-template 1
 sessions per-mac throttle 10 60 300
 sessions per-vc throttle 100 30 300
!
interface ATM2/0.1 multipoint
 pvc 2/100
  encapsulation aal5snap
  protocol pppoe group group1
!
interface virtual-template1
 ip address negotiated
 no peer default ip address
 ppp authentication chap
Additional References
The following sections provide additional information related to PPPoE connection throttling.
Related Documents
Technical Assistance
Command Reference
This section documents new and modified commands.
debug pppoe
To display debugging information for PPP over Ethernet (PPPoE) sessions, use the debug pppoe command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug pppoe {data | errors | events | packets} [rmac remote-mac-address | interface type number [vc {[vpi/]vci | vc-name}] [vlan vlan-id]]
no debug pppoe {data | errors | events | packets} [rmac remote-mac-address | interface type number [vc {[vpi/]vci | vc-name}] [vlan vlan-id]]
Syntax Description
Command Modes
Privileged EXEC
Command History
Examples
The following examples show sample output from the debug pppoe command:
Router# debug pppoe events interface atm1/0.10 vc 101
PPPoE protocol events debugging is on
Router#
00:41:55:PPPoE 0:I PADI R:00b0.c2e9.c470 L:ffff.ffff.ffff 0/101 ATM1/0.10
00:41:55:PPPoE 0:O PADO, R:00b0.c2e9.c470 L:0001.c9f0.0c1c 0/101 ATM1/0.10
00:41:55:PPPoE 0:I PADR R:00b0.c2e9.c470 L:0001.c9f0.0c1c 0/101 ATM1/0.10
00:41:55:PPPoE :encap string prepared
00:41:55:[3]PPPoE 3:Access IE handle allocated
00:41:55:[3]PPPoE 3:pppoe SSS switch updated
00:41:55:[3]PPPoE 3:AAA unique ID allocated
00:41:55:[3]PPPoE 3:No AAA accounting method list
00:41:55:[3]PPPoE 3:Service request sent to SSS
00:41:55:[3]PPPoE 3:Created R:0001.c9f0.0c1c L:00b0.c2e9.c470 0/101 ATM1/0.10
00:41:55:[3]PPPoE 3:State REQ_NASPORT Event MORE_KEYS
00:41:55:[3]PPPoE 3:O PADS R:00b0.c2e9.c470 L:0001.c9f0.0c1c 0/101 ATM1/0.10
00:41:55:[3]PPPoE 3:State START_PPP Event DYN_BIND
00:41:55:[3]PPPoE 3:data path set to PPP
00:41:57:[3]PPPoE 3:State LCP_NEGO Event PPP_LOCAL
00:41:57:PPPoE 3/SB:Sent vtemplate request on base Vi2
00:41:57:[3]PPPoE 3:State CREATE_VA Event VA_RESP
00:41:57:[3]PPPoE 3:Vi2.1 interface obtained
00:41:57:[3]PPPoE 3:State PTA_BIND Event STAT_BIND
00:41:57:[3]PPPoE 3:data path set to Virtual Acess
00:41:57:[3]PPPoE 3:Connected PTA
Router# debug pppoe errors interface atm1/0.10
PPPoE protocol errors debugging is on
Router#
00:44:30:PPPoE 0:Max session count(1) on mac(00b0.c2e9.c470) reached.
00:44:30:PPPoE 0:Over limit or Resource low. R:00b0.c2e9.c470 L:ffff.ffff.ffff 0/101 ATM1/0.10
Table 1 describes significant fields shown in the displays.
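Added example, not part of the Cisco documentation: a Python script that reads debug pppoe events and errors output in the format shown above and reports, per remote MAC and VC, the peak number of inbound PADI and PADR packets in any 60-second span, plus how often the limit error was logged per MAC. The sample log is constructed from the lines above, and counting both PADI and PADR as requests is an assumption.

```python
import re
from collections import Counter, defaultdict

# Inbound discovery packet, e.g.
# "00:41:55:PPPoE 0:I PADI R:<mac> L:<mac> 0/101 ATM1/0.10"
INBOUND = re.compile(
    r"^(\d+):(\d\d):(\d\d):(?:\[\d+\])?PPPoE \d+:I (PADI|PADR),? "
    r"R:([0-9a-f.]+) L:\S+ (\S+) (\S+)")
# Error line logged when a request is refused.
LIMIT = re.compile(r"Over limit or Resource low\. R:([0-9a-f.]+)")

# Constructed sample in the format of the debug output shown above.
SAMPLE = """\
00:41:55:PPPoE 0:I PADI R:00b0.c2e9.c470 L:ffff.ffff.ffff 0/101 ATM1/0.10
00:41:55:PPPoE 0:O PADO, R:00b0.c2e9.c470 L:0001.c9f0.0c1c 0/101 ATM1/0.10
00:41:55:PPPoE 0:I PADR R:00b0.c2e9.c470 L:0001.c9f0.0c1c 0/101 ATM1/0.10
00:42:10:PPPoE 0:I PADI R:00b0.c2e9.c470 L:ffff.ffff.ffff 0/101 ATM1/0.10
00:43:20:PPPoE 0:I PADI R:00b0.c2e9.c470 L:ffff.ffff.ffff 0/101 ATM1/0.10
00:44:30:PPPoE 0:Max session count(1) on mac(00b0.c2e9.c470) reached.
00:44:30:PPPoE 0:Over limit or Resource low. R:00b0.c2e9.c470 L:ffff.ffff.ffff 0/101 ATM1/0.10
"""


def peak_requests(log, period=60):
    """Return {(mac, vc): most inbound PADI/PADR seen in any `period` seconds}."""
    times = defaultdict(list)
    for line in log.splitlines():
        m = INBOUND.match(line.strip())
        if m:
            h, mi, s, _kind, mac, vc, _intf = m.groups()
            times[(mac, vc)].append(int(h) * 3600 + int(mi) * 60 + int(s))
    peaks = {}
    for key, ts in times.items():
        ts.sort()
        lo = best = 0
        for hi, t in enumerate(ts):
            while t - ts[lo] >= period:      # slide the window start forward
                lo += 1
            best = max(best, hi - lo + 1)
        peaks[key] = best
    return peaks


def limit_hits(log):
    """Count 'Over limit or Resource low' errors per remote MAC."""
    return Counter(m.group(1) for m in LIMIT.finditer(log))


if __name__ == "__main__":
    print(peak_requests(SAMPLE), dict(limit_hits(SAMPLE)))
```

Peaks that sit close to a planned session-requests value for ordinary clients suggest the limit is too tight for that MAC or VC.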
Related Commands
sessions throttle
To configure PPP over Ethernet (PPPoE) connection throttling, which limits the number of PPPoE session requests that can be made from a virtual circuit (VC) or a MAC address within a specified period of time, use the sessions throttle command in BBA group configuration mode. To remove this limit, use the no version of this command.
sessions {per-mac | per-vc} throttle session-requests session-request-period blocking-period
no sessions {per-mac | per-vc} throttle session-requests session-request-period blocking-period
Syntax Description
Defaults
The number of PPPoE session requests that can be made within a specific period of time is not limited.
There are no default values for the session-requests, session-request-period, and blocking-period arguments.
Command Modes
BBA group configuration
Command History
Release        Modification
12.2(15)T      This command was introduced.
12.2(27)SBA    This command was integrated into Cisco IOS Release 12.2(27)SBA.
Usage Guidelines
Continuous repeated requests to initiate PPPoE sessions can seriously affect the performance of a router and RADIUS server. Use the sessions throttle command to configure the PPPoE server to limit the number of requests for PPPoE sessions that can be made from a MAC address or VC during a configured period of time.
If a client exceeds the configured number of allowable session requests (session-requests) within the configured time limit (session-request-period), the PPPoE server accepts only the allowable number of session requests and blocks the MAC address or VC from making any more requests for a configured period of time (blocking-period).
After the blocking-period expires, the PPPoE server will again accept the configured number of session requests from the MAC address or VC within the configured session-request-period.
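Added example, not Cisco's implementation: a Python model of the throttle behavior described above, replayed with the values from sessions per-mac throttle 10 60 300 against a constructed request timeline. It assumes a fixed window that opens at a key's first request and a block that starts at the first excess request; the MAC addresses and timelines are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Throttle:
    session_requests: int      # requests accepted per window
    request_period: int        # session-request-period, seconds
    blocking_period: int       # blocking-period, seconds
    # key (MAC or VC) -> (window_start, count, blocked_until or None)
    state: dict = field(default_factory=dict)

    def allow(self, key, now):
        start, count, blocked_until = self.state.get(key, (now, 0, None))
        if blocked_until is not None and now < blocked_until:
            return False                       # still inside blocking-period
        # Assumption: a new window opens when the old one has run out
        # or when a block has just expired.
        if blocked_until is not None or now - start >= self.request_period:
            start, count, blocked_until = now, 0, None
        count += 1
        if count > self.session_requests:      # first excess request blocks
            blocked_until = now + self.blocking_period
        self.state[key] = (start, count, blocked_until)
        return blocked_until is None


def replay(throttle, events):
    """events: iterable of (seconds, key). Returns {key: [accepted, rejected]}."""
    totals = {}
    for now, key in sorted(events):
        slot = totals.setdefault(key, [0, 0])
        slot[0 if throttle.allow(key, now) else 1] += 1
    return totals


# Constructed timelines over 15 minutes (documentation-range MAC addresses).
FLOOD = [(t, "0000.5e00.5301") for t in range(900)]          # 1 request/second
NORMAL = [(t, "0000.5e00.5302") for t in range(0, 900, 30)]  # 1 request/30 s

if __name__ == "__main__":
    # Values from "sessions per-mac throttle 10 60 300"
    for mac, (ok, dropped) in replay(Throttle(10, 60, 300), FLOOD + NORMAL).items():
        print(f"{mac}: accepted={ok} rejected={dropped}")
```

Under these assumptions the MAC sending one request per second gets 30 of its 900 requests accepted, while the client that retries every 30 seconds is never blocked.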
Examples
The following example shows the configuration of per-VC and per-MAC PPPoE connection throttling in PPPoE profile "grp1":
bba-group pppoe grp1
 virtual-template 1
 sessions per-mac throttle 10 60 300
 sessions per-vc throttle 100 30 300
interface ATM2/0.1 multipoint
 pvc 2/100
  encapsulation aal5snap
  protocol pppoe group grp1
interface virtual-template1
 ip address negotiated
 no peer default ip address
 ppp authentication chap
Related Commands
Copyright © 2003-2005 Cisco Systems, Inc. All rights reserved.