PPPoE Connection Throttling

Available Languages

Download Options

PDF (264.1 KB)
View with Adobe Reader on a variety of devices

Updated:April 17, 2005

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

PPPoE Connection Throttling

Table Of Contents

PPPoE Connection Throttling

Contents

Restrictions for PPPoE Connection Throttling

How to Configure PPPoE Connection Throttling

Configuring PPPoE Connection Throttling

What to Do Next

Monitoring and Maintaining PPPoE Connection Throttling

Configuration Examples for PPPoE Connection Throttling

PPPoE Connection Throttling Example

Additional References

Related Documents

Technical Assistance

Command Reference

debug pppoe

sessions throttle

PPPoE Connection Throttling

Repeated requests to initiate PPP over Ethernet (PPPoE) sessions can adversely affect the performance of a router and RADIUS server. The PPPoE Connection Throttling feature limits PPPoE connection requests to help prevent intentional denial-of-service attacks as well as unintentional PPP authentication loops. This feature implements session throttling on the PPPoE server to limit the number of PPPoE session requests that can be initiated from a MAC address or VC (virtual circuit) during a specified period of time.

Feature Specifications for PPPoE Connection Throttling

Release

Modification

12.2(15)T

This feature was introduced.

12.2(27)SBA

This feature was integrated into Cisco IOS Release 12.2(27)SBA.

Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Contents

•Restrictions for PPPoE Connection Throttling

•How to Configure PPPoE Connection Throttling

•Configuration Examples for PPPoE Connection Throttling

•Additional References

•Command Reference

Restrictions for PPPoE Connection Throttling

PPPoE connection throttling must be configured in a PPPoE profile.

How to Configure PPPoE Connection Throttling

To configure PPPoE connection throttling, perform the following tasks:

•Configuring PPPoE Connection Throttling (required)

•Monitoring and Maintaining PPPoE Connection Throttling (optional)

Configuring PPPoE Connection Throttling

Perform the following task to configure PPPoE connection throttling in a PPPoE profile.

SUMMARY STEPS

1. enable

2. configure terminal

3. bba-group pppoe {group-name | global}

4. virtual-template template-number

5. sessions {per-mac | per-vc} throttle session-requests session-request-period blocking-period

6. end

DETAILED STEPS

Command or Action

Purpose

Step 1

enable

Example:

Router> enable

Enables privileged EXEC mode.

•Enter your password if prompted.

Step 2

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3

bba-group pppoe {group-name | global}

Example:

Router(config)# bba-group pppoe global

Defines a PPPoE profile and enters BBA group configuration mode.

•The global keyword creates a profile that will serve as the default profile for any PPPoE port that is not assigned a specific profile.

Step 4

virtual-template template-number

Example:

Router(config-bba-group)# virtual-template 1

Specifies which virtual template will be used to clone virtual access interfaces for all PPPoE ports that use this PPPoE profile.

Step 5

sessions {per-mac | per-vc} throttle session-requests session-request-period blocking-period

Example:

Router(config-bba-group)# sessions per-vc throttle 100 30 300

Configures PPPoE connection throttling, which limits the number of PPPoE session requests that can be made from a VC or a MAC address within a specified period of time.

Step 6

end

Example:

Router(config-bba-group)# end

(Optional) Exits the configuration mode and returns to privileged EXEC mode.

What to Do Next

Once a PPPoE profile has been defined, it can be assigned to a PPPoE port (Ethernet interface, VLAN, or PVC), a VC class, or an ATM PVC range. For more information about how to configure PPPoE profiles, refer to the Cisco IOS Release 12.2(15)T feature module "PPPoE Profiles."

Monitoring and Maintaining PPPoE Connection Throttling

Perform this task to monitor and maintain PPPoE connection throttling.

SUMMARY STEPS

1. enable

2. show pppoe session [all | packets]

3. clear pppoe {interface type number [vc {[vpi/]vci | vc-name}] | rmac mac-addr [sid session-id ] | all}

4. debug pppoe {data | errors | events | packets} [rmac remote-mac-address | interface type number [vc {[vpi/]vci | vc-name}]]

DETAILED STEPS

Command or Action

Purpose

Step 1

enable

Example:

Router> enable

Enables privileged EXEC mode.

•Enter your password if prompted.

Step 2

show pppoe session [all | packets]

Example:

Router# show pppoe session all

Displays information about active PPPoE sessions.

Step 3

clear pppoe {interface type number [vc {[vpi/]vci | vc-name}] | rmac mac-addr [sid session-id ] | all}

Example:

Router# clear pppoe interface atm0/1.0

Terminates PPPoE sessions.

Step 4

debug pppoe {data | errors | events | packets} [rmac remote-mac-address | interface type number [vc {[vpi/]vci | vc-name}]]

Example:

Router# debug pppoe events

Displays debugging information for PPPoE sessions.

Configuration Examples for PPPoE Connection Throttling

•PPPoE Connection Throttling Example

PPPoE Connection Throttling Example

The following example shows PPPoE connection throttling configured in the PPPoE profile "group1":
bba-group pppoe group1
 virtual-template 1
 sessions per-mac throttle 10 60 300
 sessions per-vc throttle 100 30 300
!
interface ATM2/0.1 multipoint
 pvc 2/100
  encapsulation aal5snap
  protocol pppoe group group1
!
interface virtual-template1
 ip address negotiated
 no peer default ip address
 ppp authentication chap
Additional References

The following sections provide additional information related to PPPoE connection throttling.

Related Documents

Related Topic

Document Title

PPPoE profile configuration tasks and commands

PPPoE Profiles, Cisco IOS Release 12.2(15)T feature module

PPPoE configuration tasks

Cisco IOS Wide-Area Networking Configuration Guide, Release 12.2

PPPoE commands

Cisco IOS Wide-Area Networking Command Reference, Release 12.2

Technical Assistance

Description

Link

Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.

http://www.cisco.com/public/support/tac/home.shtml

Command Reference

This section documents new and modified commands.

•debug pppoe

•sessions throttle

debug pppoe

To display debugging information for PPP over Ethernet (PPPoE) sessions, use the debug pppoe command in privileged EXEC mode. To disable debugging output, use the no form of this command.

debug pppoe {data | errors | events | packets} [rmac remote-mac-address | interface type number [vc {[vpi/]vci | vc-name}] [vlan vlan-id]]

no debug pppoe {data | errors | events | packets} [rmac remote-mac-address | interface type number [vc {[vpi/]vci | vc-name}] [vlan vlan-id]]

Syntax Description

data

Displays data packets of PPPoE sessions.

errors

Displays PPPoE protocol errors that prevent a session from being established, or displays errors that cause an established session to be closed.

events

Displays PPPoE protocol messages about events that are part of normal session establishment or shutdown.

packets

Displays each PPPoE protocol packet that is exchanged.

rmac remote-mac-address

(Optional) Remote MAC address. Debugging information for PPPoE sessions sourced from this address will be displayed.

interface type number

(Optional) Interface for which PPPoE session debugging information will be displayed.

vc

(Optional) Displays debugging information for PPPoE sessions for a specific permanent virtual circuit (PVC).

vpi/

(Optional) ATM network virtual path identifier (VPI) for the PVC. In the absence of the slash (/) and a vpi value, the vpi value defaults to 0.

vci

(Optional) ATM network virtual channel identifier (VCI) for the PVC.

vc-name

(Optional) Name of the PVC.

vlan vlan-id

(Optional) IEEE 802.1Q VLAN identifier.

Command Modes

Privileged EXEC

Command History

Release

Modification

12.2(13)T

This command was introduced.

12.2(15)T

This command was modified to display debugging information on a per-MAC address, per-interface, and per-VC basis.

12.3(2)T

The vlan vlan-id keyword and argument were added.

12.2(27)SBA

This command was integrated into Cisco IOS Release 12.2(27)SBA.

Examples

The following examples show sample output from the debug pppoe command:
Router# debug pppoe events interface atm1/0.10 vc 101 
PPPoE protocol events debugging is on 
Router# 
00:41:55:PPPoE 0:I PADI  R:00b0.c2e9.c470 L:ffff.ffff.ffff 0/101 ATM1/0.10 
00:41:55:PPPoE 0:O PADO, R:00b0.c2e9.c470 L:0001.c9f0.0c1c 0/101 ATM1/0.10 
00:41:55:PPPoE 0:I PADR  R:00b0.c2e9.c470 L:0001.c9f0.0c1c 0/101 ATM1/0.10 
00:41:55:PPPoE :encap string prepared 
00:41:55:[3]PPPoE 3:Access IE handle allocated 
00:41:55:[3]PPPoE 3:pppoe SSS switch updated 
00:41:55:[3]PPPoE 3:AAA unique ID allocated 
00:41:55:[3]PPPoE 3:No AAA accounting method list 
00:41:55:[3]PPPoE 3:Service request sent to SSS 
00:41:55:[3]PPPoE 3:Created  R:0001.c9f0.0c1c L:00b0.c2e9.c470 0/101 ATM1/0.10 
00:41:55:[3]PPPoE 3:State REQ_NASPORT    Event MORE_KEYS 
00:41:55:[3]PPPoE 3:O PADS  R:00b0.c2e9.c470 L:0001.c9f0.0c1c 0/101 ATM1/0.10 
00:41:55:[3]PPPoE 3:State START_PPP    Event DYN_BIND 
00:41:55:[3]PPPoE 3:data path set to PPP 
00:41:57:[3]PPPoE 3:State LCP_NEGO    Event PPP_LOCAL 
00:41:57:PPPoE 3/SB:Sent vtemplate request on base Vi2 
00:41:57:[3]PPPoE 3:State CREATE_VA    Event VA_RESP 
00:41:57:[3]PPPoE 3:Vi2.1 interface obtained 
00:41:57:[3]PPPoE 3:State PTA_BIND    Event STAT_BIND 
00:41:57:[3]PPPoE 3:data path set to Virtual Acess 
00:41:57:[3]PPPoE 3:Connected PTA 
Router# debug pppoe errors interface atm1/0.10
PPPoE protocol errors debugging is on 
Router# 
00:44:30:PPPoE 0:Max session count(1) on mac(00b0.c2e9.c470) reached. 
00:44:30:PPPoE 0:Over limit or Resource low. R:00b0.c2e9.c470 L:ffff.ffff.ffff 0/101 
ATM1/0.10 
Table 1 describes significant fields shown in the displays.

Table 1 debug pppoe Field Descriptions

Field

Description

PPPoE

PPPoE debug message header.

0:

PPPoE session ID.

I PADI

Incoming PPPoE Active Discovery Initiation packet.

R:

Remote MAC address.

L:

Local MAC address.

0/101

Virtual path identifier (VPI)/virtual channel identifier (VCI) of the PVC.

ATM1/0.10

Interface type and number.

O PADO

Outgoing PPPoE Active Discovery Offer packet.

I PADR

Incoming PPPoE Active Discovery Request packet.

[3]

Unique user session ID. The same ID is used for identifying sessions across different applications such as PPPoE, PPP, Layer 2 Tunneling Protocol (L2TP), and Subscriber Service Switch (SSS). The same session ID appears in the output for the show pppoe session, show sss session, and show vpdn session commands.

PPPoE 3

PPPoE session ID.

Created

PPPoE session is created.

O PADS

Outgoing PPPoE Active Discovery Session-confirmation packet.

Connected PTA

PPPoE session is established.

Max session count(1) on mac(00b0.c2e9.c470) reached

PPPoE session is rejected because of per-MAC session limit.

Related Commands

Command

Description

encapsulation aal5autoppp virtual-template

Enables PPPoA/PPPoE autosense.

pppoe enable

Enables PPPoE sessions on an Ethernet interface or subinterface.

protocol pppoe (ATM VC)

Enables PPPoE sessions to be established on PVCs.

show pppoe session

Displays information about active PPPoE sessions.

show sss session

Displays Subscriber Service Switch session status.

show vpdn session

Displays session information about L2TP, L2F protocol, and PPPoE tunnels in a VPDN.

sessions throttle

To configure PPP over Ethernet (PPPoE) connection throttling, which limits the number of PPPoE session requests that can be made from a virtual circuit (VC) or a MAC address within a specified period of time, use the sessions throttle command in BBA group configuration mode. To remove this limit, use the no version of this command.

sessions {per-mac | per-vc} throttle session-requests session-request-period blocking-period

no sessions {per-mac | per-vc} throttle session-requests session-request-period blocking-period

Syntax Description

per-mac

Limits the number of PPPoE session requests that can be made from a single MAC address.

per-vc

Limits the number of PPPoE session requests that can be made from a single VC.

session-requests

Number of PPPoE session requests that will be allowed within a specified period of time. Range is from 1 to 100000.

session-request-period

Period of time, in seconds, during which a specified number of PPPoE session requests will be allowed. Range is from 1 to 3600.

blocking-period

Period of time, in seconds, during which PPPoE session requests will be blocked. This period begins when the number of PPPoE session requests from a VC or MAC address exceeds the configured session-requests value within the configured session-request-period. Range is from 0 to 3600.

Defaults

The number of PPPoE session requests that can be made within a specific period of time is not limited.

There are no default values for the session-requests, session-request-period, and blocking-period arguments.

Command Modes

BBA group configuration

Command History

Release

Modification

12.2(15)T

This command was introduced.

12.2(27)SBA

This command was integrated into Cisco IOS Release 12.2(27)SBA.

Usage Guidelines

Continuous repeated requests to initiate PPPoE sessions can seriously affect the performance of a router and RADIUS server. Use the sessions throttle command to configure the PPPoE server to limit the number of requests for PPPoE sessions that can be made from a MAC address or VC during a configured period of time.

If a client exceeds the configured number of allowable session requests (session-requests) within the configured time limit (session-request-period), the PPPoE server accepts only the allowable number of session requests and blocks the MAC address or VC from making any more requests for a configured period of time (blocking-period).

After the blocking-period expires, the PPPoE server will again accept the configured number of session requests from the MAC address or VC within the configured session-request-period.

Examples

The following example shows the configuration of per-VC and per-MAC PPPoE connection throttling in PPPoE profile "grp1":
bba-group pppoe grp1
 virtual-template 1
 sessions per-mac throttle 10 60 300
 sessions per-vc throttle 100 30 300
interface ATM2/0.1 multipoint
 pvc 2/100
  encapsulation aal5snap
  protocol pppoe group grp1
interface virtual-template1
 ip address negotiated
 no peer default ip address
 ppp authentication chap
Related Commands

Command

Description

bba-group pppoe

Creates a PPPoE profile.

sessions per-mac limit

Sets the maximum number of PPPoE sessions allowed per MAC address in a PPPoE profile.

sessions per-vc limit

Sets the maximum number of PPPoE sessions to be established over a VC in a PPPoE profile and sets the PPPoE session-count threshold.

Copyright © 2003-2005 Cisco Systems, Inc. All rights reserved.

Release	Modification
12.2(15)T	This feature was introduced.
12.2(27)SBA	This feature was integrated into Cisco IOS Release 12.2(27)SBA.

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	configure terminal Example: Router# configure terminal	Enters global configuration mode.
Step 3	bba-group pppoe {group-name \| global} Example: Router(config)# bba-group pppoe global	Defines a PPPoE profile and enters BBA group configuration mode. •The global keyword creates a profile that will serve as the default profile for any PPPoE port that is not assigned a specific profile.
Step 4	virtual-template template-number Example: Router(config-bba-group)# virtual-template 1	Specifies which virtual template will be used to clone virtual access interfaces for all PPPoE ports that use this PPPoE profile.
Step 5	sessions {per-mac \| per-vc} throttle session-requests session-request-period blocking-period Example: Router(config-bba-group)# sessions per-vc throttle 100 30 300	Configures PPPoE connection throttling, which limits the number of PPPoE session requests that can be made from a VC or a MAC address within a specified period of time.
Step 6	end Example: Router(config-bba-group)# end	(Optional) Exits the configuration mode and returns to privileged EXEC mode.

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	show pppoe session [all \| packets] Example: Router# show pppoe session all	Displays information about active PPPoE sessions.
Step 3	clear pppoe {interface type number [vc {[vpi/]vci \| vc-name}] \| rmac mac-addr [sid session-id ] \| all} Example: Router# clear pppoe interface atm0/1.0	Terminates PPPoE sessions.
Step 4	debug pppoe {data \| errors \| events \| packets} [rmac remote-mac-address \| interface type number [vc {[vpi/]vci \| vc-name}]] Example: Router# debug pppoe events	Displays debugging information for PPPoE sessions.

Related Topic	Document Title
PPPoE profile configuration tasks and commands	PPPoE Profiles, Cisco IOS Release 12.2(15)T feature module
PPPoE configuration tasks	Cisco IOS Wide-Area Networking Configuration Guide, Release 12.2
PPPoE commands	Cisco IOS Wide-Area Networking Command Reference, Release 12.2

Description	Link
Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.	http://www.cisco.com/public/support/tac/home.shtml

data	Displays data packets of PPPoE sessions.
errors	Displays PPPoE protocol errors that prevent a session from being established, or displays errors that cause an established session to be closed.
events	Displays PPPoE protocol messages about events that are part of normal session establishment or shutdown.
packets	Displays each PPPoE protocol packet that is exchanged.
rmac remote-mac-address	(Optional) Remote MAC address. Debugging information for PPPoE sessions sourced from this address will be displayed.
interface type number	(Optional) Interface for which PPPoE session debugging information will be displayed.
vc	(Optional) Displays debugging information for PPPoE sessions for a specific permanent virtual circuit (PVC).
vpi/	(Optional) ATM network virtual path identifier (VPI) for the PVC. In the absence of the slash (/) and a vpi value, the vpi value defaults to 0.
vci	(Optional) ATM network virtual channel identifier (VCI) for the PVC.
vc-name	(Optional) Name of the PVC.
vlan vlan-id	(Optional) IEEE 802.1Q VLAN identifier.

Release	Modification
12.2(13)T	This command was introduced.
12.2(15)T	This command was modified to display debugging information on a per-MAC address, per-interface, and per-VC basis.
12.3(2)T	The vlan vlan-id keyword and argument were added.
12.2(27)SBA	This command was integrated into Cisco IOS Release 12.2(27)SBA.

Table 1 debug pppoe Field Descriptions
Field	Description
PPPoE	PPPoE debug message header.
0:	PPPoE session ID.
I PADI	Incoming PPPoE Active Discovery Initiation packet.
R:	Remote MAC address.
L:	Local MAC address.
0/101	Virtual path identifier (VPI)/virtual channel identifier (VCI) of the PVC.
ATM1/0.10	Interface type and number.
O PADO	Outgoing PPPoE Active Discovery Offer packet.
I PADR	Incoming PPPoE Active Discovery Request packet.
[3]	Unique user session ID. The same ID is used for identifying sessions across different applications such as PPPoE, PPP, Layer 2 Tunneling Protocol (L2TP), and Subscriber Service Switch (SSS). The same session ID appears in the output for the show pppoe session, show sss session, and show vpdn session commands.
PPPoE 3	PPPoE session ID.
Created	PPPoE session is created.
O PADS	Outgoing PPPoE Active Discovery Session-confirmation packet.
Connected PTA	PPPoE session is established.
Max session count(1) on mac(00b0.c2e9.c470) reached	PPPoE session is rejected because of per-MAC session limit.

Command	Description
encapsulation aal5autoppp virtual-template	Enables PPPoA/PPPoE autosense.
pppoe enable	Enables PPPoE sessions on an Ethernet interface or subinterface.
protocol pppoe (ATM VC)	Enables PPPoE sessions to be established on PVCs.
show pppoe session	Displays information about active PPPoE sessions.
show sss session	Displays Subscriber Service Switch session status.
show vpdn session	Displays session information about L2TP, L2F protocol, and PPPoE tunnels in a VPDN.

per-mac	Limits the number of PPPoE session requests that can be made from a single MAC address.
per-vc	Limits the number of PPPoE session requests that can be made from a single VC.
session-requests	Number of PPPoE session requests that will be allowed within a specified period of time. Range is from 1 to 100000.
session-request-period	Period of time, in seconds, during which a specified number of PPPoE session requests will be allowed. Range is from 1 to 3600.
blocking-period	Period of time, in seconds, during which PPPoE session requests will be blocked. This period begins when the number of PPPoE session requests from a VC or MAC address exceeds the configured session-requests value within the configured session-request-period. Range is from 0 to 3600.

Release	Modification
12.2(15)T	This command was introduced.
12.2(27)SBA	This command was integrated into Cisco IOS Release 12.2(27)SBA.

Command	Description
bba-group pppoe	Creates a PPPoE profile.
sessions per-mac limit	Sets the maximum number of PPPoE sessions allowed per MAC address in a PPPoE profile.
sessions per-vc limit	Sets the maximum number of PPPoE sessions to be established over a VC in a PPPoE profile and sets the PPPoE session-count threshold.

Was this Document Helpful?

Feedback

Contact Cisco

Open a Support Case
(Requires a Cisco Service Contract)