Cisco IOS Software Releases 12.2 T

PPPoE Connection Throttling

First Published: 12.2(15)T
Last Updated: February 28, 2006

Continuous repeated requests to initiate PPPoE sessions can adversely affect the performance of a router and RADIUS server. The PPPoE Connection Throttling feature throttles PPP over Ethernet (PPPoE) connection requests to help prevent intentional denial-of-service attacks as well as unintentional PPP authentication loops. This feature implements session throttling on the PPPoE server to limit the number of PPPoE session requests that can be initiated from a MAC address or virtual circuit (VC) during a specified period of time.

History for the PPPoE Connection Throttling Feature

Release        Modification
12.2(15)T      This feature was introduced.
12.2(28)SB     This feature was integrated into Cisco IOS Release 12.2(28)SB.


Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Contents

Restrictions for PPPoE Connection Throttling

How to Configure PPPoE Connection Throttling

Configuration Examples for PPPoE Connection Throttling

Additional References

Command Reference

Restrictions for PPPoE Connection Throttling

PPPoE connection throttling must be configured in a PPPoE profile.

How to Configure PPPoE Connection Throttling

To configure PPPoE connection throttling, perform the following tasks:

Configuring PPPoE Connection Throttling (required)

Monitoring and Maintaining PPPoE Connection Throttling (optional)

Configuring PPPoE Connection Throttling

Perform the following task to configure PPPoE connection throttling in a PPPoE profile.

SUMMARY STEPS

1. enable

2. configure terminal

3. bba-group pppoe {group-name | global}

4. virtual-template template-number

5. sessions {per-mac | per-vc} throttle session-requests session-request-period blocking-period

6. end

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

bba-group pppoe {group-name | global}

Example:

Router(config)# bba-group pppoe global

Defines a PPPoE profile, and enters BBA group configuration mode.

The global keyword will create a profile that will serve as the default profile for any PPPoE port that is not assigned a specific profile.

Step 4 

virtual-template template-number

Example:

Router(config-bba-group)# virtual-template 1

Specifies which virtual template will be used to clone virtual access interfaces for all PPPoE ports that use this PPPoE profile.

Step 5 

sessions {per-mac | per-vc} throttle session-requests session-request-period blocking-period

Example:

Router(config-bba-group)# sessions per-vc throttle 100 30 300

Configures PPPoE connection throttling, which limits the number of PPPoE session requests that can be made from a VC or a MAC address within a specified period of time.

Step 6 

end

Example:

Router(config-bba-group)# end

(Optional) Exits the configuration mode and returns to privileged EXEC mode.

What to Do Next

Once a PPPoE profile has been defined, it can be assigned to a PPPoE port (Ethernet interface, VLAN, or PVC), a VC class, or an ATM PVC range. For more information about how to configure PPPoE profiles, refer to the Cisco IOS Release 12.2(15)T feature module, "PPPoE Profiles".

Monitoring and Maintaining PPPoE Connection Throttling

Perform this task to monitor and maintain PPPoE connection throttling.

SUMMARY STEPS

1. enable

2. show pppoe session [all | packets]

3. clear pppoe {interface type number [vc {[vpi/]vci | vc-name}] | rmac mac-addr [sid session-id] | all}

4. debug pppoe {data | errors | events | packets} [rmac remote-mac-address | interface type number [vc {[vpi/]vci | vc-name}]]

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

show pppoe session [all | packets]

Example:

Router# show pppoe session all

Displays information about active PPPoE sessions.

Step 3 

clear pppoe {interface type number [vc {[vpi/]vci | vc-name}] | rmac mac-addr [sid session-id] | all}

Example:

Router# clear pppoe interface atm0/1.0

Terminates PPPoE sessions.

Step 4 

debug pppoe {data | errors | events | packets} [rmac remote-mac-address | interface type number [vc {[vpi/]vci | vc-name}]]

Example:

Router# debug pppoe events

Displays debugging information for PPPoE sessions.

Configuration Examples for PPPoE Connection Throttling

PPPoE Connection Throttling Example

The following example shows PPPoE connection throttling configured in the PPPoE profile "group1":

bba-group pppoe group1
 virtual-template 1
 sessions per-mac throttle 10 60 300
 sessions per-vc throttle 100 30 300
!
interface ATM2/0.1 multipoint
 pvc 2/100
  encapsulation aal5snap
  protocol pppoe group group1
!
interface virtual-template1
 ip address negotiated
 no peer default ip address
 ppp authentication chap

Additional References

For additional information related to PPPoE Connection Throttling, refer to the following references:

Related Documents

Related Topic
Document Title

PPPoE profile configuration tasks and commands

PPPoE Profiles, Cisco IOS Release 12.2(15)T feature module

PPPoE configuration tasks

Cisco IOS Wide-Area Networking Configuration Guide, Release 12.2

PPPoE commands

Cisco IOS Wide-Area Networking Command Reference, Release 12.2


Standards

Standard
Title

None


MIBs

MIB
MIBs Link

None

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs


RFCs

RFC
Title

None


Technical Assistance

Description
Link

Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.

http://www.cisco.com/public/support/tac/home.shtml


Command Reference

This section documents modified commands.

debug pppoe

sessions throttle

debug pppoe

To display debugging information for PPP over Ethernet (PPPoE) sessions, use the debug pppoe command in privileged EXEC mode. To disable debugging output, use the no form of this command.

debug pppoe {data | errors | events | packets} [rmac remote-mac-address | interface type number [vc {[vpi/]vci | vc-name}] [vlan vlan-id]]

no debug pppoe {data | errors | events | packets} [rmac remote-mac-address | interface type number [vc {[vpi/]vci | vc-name}] [vlan vlan-id]]

Syntax Description

data

Displays data packets of PPPoE sessions.

errors

Displays PPPoE protocol errors that prevent a session from being established, or displays errors that cause an established session to be closed.

events

Displays PPPoE protocol messages about events that are part of normal session establishment or shutdown.

packets

Displays each PPPoE protocol packet that is exchanged.

rmac remote-mac-address

(Optional) Remote MAC address. Debugging information for PPPoE sessions sourced from this address will be displayed.

interface type number

(Optional) Interface for which PPPoE session debugging information will be displayed.

vc

(Optional) Displays debugging information for PPPoE sessions for a specific permanent virtual circuit (PVC).

vpi/

(Optional) ATM network virtual path identifier (VPI) for the PVC. In the absence of the slash (/) and a vpi value, the vpi value defaults to 0.

vci

(Optional) ATM network virtual channel identifier (VCI) for the PVC.

vc-name

(Optional) Name of the PVC.

vlan vlan-id

(Optional) IEEE 802.1Q VLAN identifier.


Command Modes

Privileged EXEC

Command History

Release        Modification
12.2(13)T      This command was introduced. This command replaces the debug vpdn pppoe-data, debug vpdn pppoe-error, debug vpdn pppoe-events, and debug vpdn pppoe-packet commands available in previous Cisco IOS releases.
12.2(15)T      This command was modified to display debugging information on a per-MAC address, per-interface, and per-VC basis.
12.3(2)T       The vlan vlan-id keyword and argument were added.
12.3(7)XI3     This command was integrated into Cisco IOS Release 12.3(7)XI3.
12.2(28)SB     This command was integrated into Cisco IOS Release 12.2(28)SB.


Examples

The following examples show sample output from the debug pppoe command:

Router# debug pppoe events interface atm1/0.10 vc 101 

PPPoE protocol events debugging is on 
Router# 
00:41:55:PPPoE 0:I PADI  R:00b0.c2e9.c470 L:ffff.ffff.ffff 0/101 ATM1/0.10 
00:41:55:PPPoE 0:O PADO, R:00b0.c2e9.c470 L:0001.c9f0.0c1c 0/101 ATM1/0.10 
00:41:55:PPPoE 0:I PADR  R:00b0.c2e9.c470 L:0001.c9f0.0c1c 0/101 ATM1/0.10 
00:41:55:PPPoE :encap string prepared 
00:41:55:[3]PPPoE 3:Access IE handle allocated 
00:41:55:[3]PPPoE 3:pppoe SSS switch updated 
00:41:55:[3]PPPoE 3:AAA unique ID allocated 
00:41:55:[3]PPPoE 3:No AAA accounting method list 
00:41:55:[3]PPPoE 3:Service request sent to SSS 
00:41:55:[3]PPPoE 3:Created  R:0001.c9f0.0c1c L:00b0.c2e9.c470 0/101 ATM1/0.10 
00:41:55:[3]PPPoE 3:State REQ_NASPORT    Event MORE_KEYS 
00:41:55:[3]PPPoE 3:O PADS  R:00b0.c2e9.c470 L:0001.c9f0.0c1c 0/101 ATM1/0.10 
00:41:55:[3]PPPoE 3:State START_PPP    Event DYN_BIND 
00:41:55:[3]PPPoE 3:data path set to PPP 
00:41:57:[3]PPPoE 3:State LCP_NEGO    Event PPP_LOCAL 
00:41:57:PPPoE 3/SB:Sent vtemplate request on base Vi2 
00:41:57:[3]PPPoE 3:State CREATE_VA    Event VA_RESP 
00:41:57:[3]PPPoE 3:Vi2.1 interface obtained 
00:41:57:[3]PPPoE 3:State PTA_BIND    Event STAT_BIND 
00:41:57:[3]PPPoE 3:data path set to Virtual Acess 
00:41:57:[3]PPPoE 3:Connected PTA 

Router# debug pppoe errors interface atm1/0.10

PPPoE protocol errors debugging is on 
Router# 
00:44:30:PPPoE 0:Max session count(1) on mac(00b0.c2e9.c470) reached. 
00:44:30:PPPoE 0:Over limit or Resource low. R:00b0.c2e9.c470 L:ffff.ffff.ffff 0/101 ATM1/0.10 

Table 1 describes the significant fields shown in the displays.

Table 1 debug pppoe Field Descriptions 

Field
Description

PPPoE

PPPoE debug message header.

0:

PPPoE session ID.

I PADI

Incoming PPPoE Active Discovery Initiation packet.

R:

Remote MAC address.

L:

Local MAC address.

0/101

Virtual path identifier (VPI)/virtual channel identifier (VCI) of the PVC.

ATM1/0.10

Interface type and number.

O PADO

Outgoing PPPoE Active Discovery Offer packet.

I PADR

Incoming PPPoE Active Discovery Request packet.

[3]

Unique user session ID. The same ID is used for identifying sessions across different applications such as PPPoE, PPP, Layer 2 Tunneling Protocol (L2TP), and Subscriber Service Switch (SSS). The same session ID appears in the output for the show pppoe session, show sss session, and show vpdn session commands.

PPPoE 3

PPPoE session ID.

Created

PPPoE session is created.

O PADS

Outgoing PPPoE Active Discovery Session-confirmation packet.

Connected PTA

PPPoE session is established.

Max session count(1) on mac(00b0.c2e9.c470) reached

PPPoE session is rejected because of per-MAC session limit.
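
The fields in Table 1 are enough to tally session requests per remote MAC address and per VC from captured debug pppoe output, which shows which throttle scope (per-mac or per-vc) a noisy client would hit. The following is an added example, not part of the Cisco documentation: the function names and the threshold are assumptions, SAMPLE is copied from the output above, and CONSTRUCTED holds made-up lines in the same format.

```python
import re
from collections import Counter

# Lines copied from the sample debug pppoe output on this page.
SAMPLE = """\
00:41:55:PPPoE 0:I PADI  R:00b0.c2e9.c470 L:ffff.ffff.ffff 0/101 ATM1/0.10
00:41:55:PPPoE 0:O PADO, R:00b0.c2e9.c470 L:0001.c9f0.0c1c 0/101 ATM1/0.10
00:41:55:PPPoE 0:I PADR  R:00b0.c2e9.c470 L:0001.c9f0.0c1c 0/101 ATM1/0.10
00:41:55:[3]PPPoE 3:O PADS  R:00b0.c2e9.c470 L:0001.c9f0.0c1c 0/101 ATM1/0.10
00:44:30:PPPoE 0:Max session count(1) on mac(00b0.c2e9.c470) reached.
"""
# Constructed lines (not from the page): one MAC repeating PADI on another VC.
CONSTRUCTED = "".join(
    f"00:50:{s:02d}:PPPoE 0:I PADI  R:0000.5e00.5301 L:ffff.ffff.ffff 0/102 ATM1/0.10\n"
    for s in range(6))

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
PACKET = re.compile(rf"^\d+:\d+:\d+:(?:\[\d+\])?PPPoE \d+:([IO]) (PAD[IORST]),?\s+"
                    rf"R:({MAC}) L:({MAC}) (\S+) (\S+)")
LIMIT = re.compile(rf"Max session count\((\d+)\) on mac\(({MAC})\) reached")

def summarize(text):
    """Tally incoming discovery packets per remote MAC and per VC, plus
    per-MAC session-limit rejections, from debug pppoe output."""
    per_mac, per_vc, rejected = Counter(), Counter(), Counter()
    for line in text.splitlines():
        pkt = PACKET.match(line.strip())
        if pkt and pkt.group(1) == "I":          # ignore the router's own O packets
            kind, rmac, vc, intf = pkt.group(2, 3, 5, 6)
            per_mac[(rmac, kind)] += 1
            per_vc[(intf, vc, kind)] += 1
        limit = LIMIT.search(line)
        if limit:
            rejected[limit.group(2)] += 1
    return per_mac, per_vc, rejected

def padi_over(counter, threshold):
    """Keys (MAC or interface/VC) with at least `threshold` incoming PADIs."""
    return sorted(key[:-1] for key, n in counter.items()
                  if key[-1] == "PADI" and n >= threshold)
```

The counts cover the whole capture; to compare them with a configured session-request-period, feed in only the lines whose timestamps fall inside one period.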


Related Commands

Command
Description

encapsulation aal5autoppp virtual-template

Enables PPPoA/PPPoE autosense.

pppoe enable

Enables PPPoE sessions on an Ethernet interface or subinterface.

protocol pppoe (ATM VC)

Enables PPPoE sessions to be established on PVCs.

show pppoe session

Displays information about active PPPoE sessions.

show sss session

Displays Subscriber Service Switch session status.

show vpdn session

Displays session information about L2TP, L2F protocol, and PPPoE tunnels in a VPDN.


sessions throttle

To configure PPP over Ethernet (PPPoE) connection throttling, which limits the number of PPPoE session requests that can be made from a virtual circuit (VC) or a MAC address within a specified period of time, use the sessions throttle command in BBA group configuration mode. To remove this limit, use the no form of this command.

sessions {per-mac | per-vc} throttle session-requests session-request-period blocking-period

no sessions {per-mac | per-vc} throttle session-requests session-request-period blocking-period

Syntax Description

per-mac

Limits the number of PPPoE session requests that can be made from a single MAC address.

per-vc

Limits the number of PPPoE session requests that can be made from a single VC.

session-requests

Number of PPPoE session requests that will be allowed within a specified period of time. Range is from 1 to 100000.

session-request-period

Period of time, in seconds, during which a specified number of PPPoE session requests will be allowed. Range is from 1 to 3600.

blocking-period

Period of time, in seconds, during which PPPoE session requests will be blocked. This period begins when the number of PPPoE session requests from a VC or MAC address exceeds the configured session-requests value within the configured session-request-period. Range is from 0 to 3600.


Defaults

The number of PPPoE session requests that can be made within a specific period of time is not limited. There are no default values for the session-requests, session-request-period, and blocking-period arguments.

Command Modes

BBA group configuration

Command History

Release        Modification
12.2(15)T      This command was introduced.
12.2(28)SB     This command was integrated into Cisco IOS Release 12.2(28)SB.


Usage Guidelines

Continuous repeated requests to initiate PPPoE sessions can seriously affect the performance of a router and RADIUS server. Use the sessions throttle command to configure the PPPoE server to limit the number of requests for PPPoE sessions that can be made from a MAC address or VC during a configured period of time.

If a client exceeds the configured number of allowable session requests (session-requests) within the configured time limit (session-request-period), the PPPoE server accepts only the allowable number of session requests and blocks the MAC address or VC from making any more requests for a configured period of time (blocking-period).

After the blocking-period expires, the PPPoE server will again accept the configured number of session requests from the MAC address or VC within the configured session-request-period.
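
To see how the three arguments interact before choosing values, the behaviour described above can be modelled offline. The following is an added example, not Cisco code: it validates a sessions throttle line against the documented ranges and replays constructed request timestamps through a model that assumes a fixed request window opened by the first request from a MAC address or VC (the page does not say how IOS tracks the window). All names and the two MAC addresses are constructed.

```python
import re

# Documented argument ranges for "sessions {per-mac | per-vc} throttle".
RANGES = {"requests": (1, 100000), "period": (1, 3600), "block": (0, 3600)}
LINE = re.compile(r"^\s*sessions (per-mac|per-vc) throttle (\d+) (\d+) (\d+)\s*$")

def parse_throttle(line):
    """Return (scope, requests, period, block) or raise ValueError."""
    m = LINE.match(line)
    if not m:
        raise ValueError(f"not a sessions throttle line: {line!r}")
    values = [int(v) for v in m.groups()[1:]]
    for (name, (lo, hi)), v in zip(RANGES.items(), values):
        if not lo <= v <= hi:
            raise ValueError(f"{name}={v} outside documented range {lo}-{hi}")
    return (m.group(1), *values)

class Throttle:
    """Model of the documented behaviour, keyed by MAC address or VC.

    Assumption: the request period is a fixed window opened by the first
    request from a key; the page does not say how IOS tracks the window.
    """
    def __init__(self, requests, period, block):
        self.requests, self.period, self.block = requests, period, block
        self.state = {}  # key -> [window_start, count, blocked_until]

    def allow(self, key, now):
        st = self.state.setdefault(key, [now, 0, None])
        if st[2] is not None and now < st[2]:
            return False                      # inside blocking-period
        if st[2] is not None or now - st[0] >= self.period:
            st[:] = [now, 0, None]            # block or window over: start fresh
        st[1] += 1
        if st[1] > self.requests:             # limit exceeded: begin blocking
            st[2] = now + self.block
            return False
        return True

def simulate(line, events):
    """events: (time_seconds, key) pairs in time order -> accepted per key."""
    _, requests, period, block = parse_throttle(line)
    throttle, accepted = Throttle(requests, period, block), {}
    for now, key in events:
        accepted[key] = accepted.get(key, 0) + throttle.allow(key, now)
    return accepted

# Constructed input: one MAC retrying every second, one every 30 seconds.
FLOOD = [(t, "0000.5e00.5301") for t in range(400)]
SLOW = [(t, "0000.5e00.5302") for t in range(0, 400, 30)]
```

With `sessions per-mac throttle 10 60 300`, the model accepts 20 of the 400 requests from the client retrying every second and all 14 from the client retrying every 30 seconds.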

Examples

The following example shows the configuration of per-VC and per-MAC PPPoE connection throttling in PPPoE profile "grp1":

bba-group pppoe grp1
 virtual-template 1
 sessions per-mac throttle 10 60 300
 sessions per-vc throttle 100 30 300

interface ATM2/0.1 multipoint
 pvc 2/100
  encapsulation aal5snap
  protocol pppoe group grp1

interface virtual-template1
 ip address negotiated
 no peer default ip address
 ppp authentication chap

Related Commands

Command
Description

bba-group pppoe

Creates a PPPoE profile.

sessions per-mac limit

Sets the maximum number of PPPoE sessions allowed per MAC address in a PPPoE profile.

sessions per-vc limit

Sets the maximum number of PPPoE sessions to be established over a VC in a PPPoE profile and sets the PPPoE session-count threshold.