Point-to-Point Protocol

Restrictions
Prerequisites
Configuration Tasks

Configuring a PPP Virtual Template
Configuring AAA Authentication
Configuring PVCs
Verifying and Troubleshooting PPPoA

Configuring a Virtual Template for PPPoE
Configuring PPPoE on an ATM Interface
Setting the IP MTU
Verifying PPPoE
Example: PPPoE
Monitoring and Maintaining PPPoE
Troubleshooting Tips

Configuring PPP Autosense

Verifying PPP Autosense Configuration
Example: PPP Autosense
Monitoring and Maintaining PPP Autosense
Troubleshooting Tips

Configuring AAA Authentication

Using a Local Authentication Database
Configuring a RADIUS Server
Configuring a TACACS+ Server

Configuring PPPoE Session Limit

Overview
Configuration Tasks
Monitoring and Maintaining PPPoE Session Limits
Configuration Examples

Configuring PPPoE Session Count MIB

Overview
Configuration Tasks
Monitoring and Maintaining PPPoE Session Counts and SNMP Notifications
Configuration Examples

Point-to-Point Protocol

This chapter describes the Point-to-Point Protocol features supported in Cisco IOS Release 12.2(2)B.

Restrictions

PPPoE

Point-to-point protocol over Ethernet (PPPoE) is supported on ATM permanent virtual circuits (PVCs) only.
The Cisco 6400 can not initiate dial-out PPPoE sessions.
PPPoE supports Cisco Express Forwarding (CEF) only. Fastswitching on PPPoE virtual-access interfaces is not supported.

PPPoA

The PPP Autosense feature only supports point-to-point protocol over ATM (PPPoA) sessions that are Logical Link Control (LLC) encapsulated.
Do not use this feature on a router that initiates PPPoA sessions.
PPPoA does not support static IP assignments within virtual templates.

PPPoE Session Count MIB

Using the snmp-server enable traps pppoe command enables SNMP traps only and does not support inform requests.

Prerequisites

The Cisco 6400 node route processor (NRP) requires 128MB of DRAM to support up to 2800 concurrent PPPoE sessions. An NRP with 64MB DRAM can support up to 2000 concurrent PPPoE sessions.

Configuration Tasks

This section contains the following tasks:

Configuring PPPoA
Configuring PPPoE
Configuring PPP Autosense
Configuring AAA Authentication
Configuring PPPoE Session Limit
Configuring PPPoE Session Count MIB

Configuring PPPoA

Before configuring this feature see the restrictions for PPPoA.

The following tasks provide the minimum steps needed to configure PPP over ATM on the Cisco 6400 NRP. For more information about PPP over ATM, see "Configuring ATM" in the Wide-Area Networking Configuration Guide of the Cisco IOS 12.1 documentation set.

Configuring a PPP Virtual Template

The NRP uses virtual templates to assign PPP features to a PVC. As each PPP session comes online, a virtual access interface is "cloned" from the virtual template. This virtual-access interface inherits all the configuration specified in the virtual template. When the virtual template is changed, the changes are automatically propagated to all virtual-access interfaces cloned from that particular virtual template.

To configure a virtual template, perform these steps starting in global configuration mode:

	Command	Purpose
Step 1	interface virtual-template number	Associates a virtual template with a virtual template interface.
Step 2	ip unnumbered fastethernet 0/0/0	Enables IP on the interface without assigning a specific IP address.
Step 3	peer default ip address {pool [poolname] \| dhcp }	Specifies a dynamic IP address assignment method, either from an IP address pool or a DHCP server.
Step 4	ppp authentication {pap \| chap} [pap \| chap]	Selects the authentication protocol and optional secondary protocol.
Step 5	exit	Returns to global configuration mode.
Step 6	ip local pool poolname low-ip-address [high-ip-address]	(Optional) Configures a local pool of IP addresses to be used when a remote peer connects to a point-to-point interface.
Step 7	ip dhcp-server {ip-address \| name}	(Optional) Specifies which DHCP servers to use on your network.

Caution Do not use a static IP assignment within a virtual template; routing problems can occur. Always enter the ip unnumbered command when configuring a virtual template.

Examples

The following example shows a typical virtual template configuration for the Cisco 6400 NRP:

Router(config)# interface virtual-template 1

Router(config-if)# ip unnumbered fastethernet 0/0/0

router(config-if)# peer default ip address pool telecommuters

Router(config-if)# ppp authentication chap

Router(config-if)# exit

Router(config)# ip local pool telecommuters 10.36.1.1 10.36.1.254

In this configuration, it is assumed that all PPP over ATM VCs (users) cloned from virtual template 1 will use CHAP authentication and will be allocated an IP address from the pool named "telecommuters" configured on the router. In addition, the local end of the PPP over ATM connection is running without an IP address (recommended). Instead, the IP address of the FastEthernet interface is used for addressability.

To configure a different class of users on the same router, you can provision a separate virtual template interface. The following shows a DHCP server rather than a local pool and PAP authentication over CHAP:

Router(config)# interface Virtual-Template 2

Router(config-if)# ip unnumbered fastethernet 0/0/0

Router(config-if)# peer default ip address dhcp

Router(config-if)# ppp authentication pap chap

Router(config-if)# exit

Router(config)# ip dhcp-server 10.5.20.149

Up to 25 virtual templates can be configured.

Configuring AAA Authentication

A AAA authentication database, such as RADIUS or TACACS+, can be used to configure the user's virtual access interface. To configure AAA authentication for PPP over ATM, see "Configuring AAA Authentication" for configuration tasks.

Configuring PVCs

After you have configured a virtual template for PPP over ATM, you must configure the PVCs that carry traffic from the NRP to the ATM interfaces. To configure PPP over ATM on a PVC, enter the following commands starting in global configuration mode:

	Command	Purpose
Step 1	interface atm 0/0/0 [.subinterface-number {multipoint \| point-to-point} ]	Specifies the ATM interface and optional subinterface.
Step 2	pvc [name] vpi/vci	Configures a new ATM PVC by assigning a name (optional) and VPI/VCI numbers.
Step 3	encapsulation aal5mux ppp virtual-Template number	Configures the ATM adaptation layer (AAL) and encapsulation type, and configures a PVC to use a virtual-template as the default PPP interface configuration.

You can also configure PVCs by using VC classes and PVC discovery, as shown in the Cisco 6400 Software Configuration Guide and Command Reference, "Configuring the NRP" chapter, "Working with Permanent Virtual Circuits" section.

Example

The following example shows a typical configuration for PPP over ATM, using a RADIUS authentication server:

Router(config)# interface virtual-template 1

Router(config-if)# ip unnumbered fastethernet 0/0/0

Router(config-if)# peer default ip address pool telecommuters

Router(config-if)# ppp authentication chap

Router(config-if)# exit

Router(config)# ip local pool telecommuters 10.36.1.1 10.36.1.254

 
Router(config)# aaa new-model

Router(config)# aaa authentication ppp default radius

Router(config)# radius-server host 172.31.5.96

Router(config)# radius-server key foo

Router(config)# radius-server attribute nas-port format d

 
Router(config)# interface atm 0/0/0.40 multipoint

Router(config-subif)# pvc 0/50

Router(config-if-atm-vc)# encapsulation aal5mux ppp virtual-template 1

Router(config-if-atm-vc)# exit

Router(config-subif)# pvc 0/51

Router(config-if-atm-vc)# encapsulation aal5mux ppp virtual-template 1

Router(config-if-atm-vc)# exit

Verifying and Troubleshooting PPPoA

The global configuration command show atm pvc ppp shows the PPP over ATM characteristics of all PVCs on the ATM interface:

Router# show atm pvc ppp

                 VCD /
ATM Int.         Name         VPI   VCI  Type   VCSt  VA   VASt IP Addr
0/0/0            1              0    33   PVC     UP   1   DOWN 10.123.1.1
0/0/0            foo            0    34   PVC     UP   2   DOWN 10.123.1.1

The "VA" column shows the virtual-access interface used for this particular PPP over ATM session. A subsequent show interface virtual-access command gives the PPP specific characteristics of the session:

Router# show interface virtual-access 2

Virtual-Access2 is up, line protocol is up
  Hardware is Virtual Access interface
  Internet address is 10.123.1.1/24
  MTU 1500 bytes, BW 100000 Kbit, DLY 100000 usec, rely 255/255, load 1/255
  Encapsulation PPP, loopback not set, keepalive not set
  DTR is pulsed for 5 seconds on reset
  LCP Open



  
  Open: IPCP



  
  Bound to ATM0/0/0 VCD: 2, VPI: 0, VCI: 34



  
    Cloned from virtual-template: 1
  Last input 01:04:26, output never, output hang never
  Last clearing of "show interface" counters 5d02h
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     782 packets input, 30414 bytes, 0 no buffer
     Received 3 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     395 packets output, 5540 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions

The lines highlighted in this example show the layer 3 protocols enabled on this interface, the VPI and VCI numbers, and the master virtual template from which this virtual access interface was cloned.

Configuring PPPoE

Before configuring this feature see the restrictions for PPPoE and the Prerequisites section.

Perform the following tasks to configure PPP over Ethernet on ATM:

Configuring a Virtual Template for PPPoE
Configuring PPPoE on an ATM Interface
Setting the IP MTU

Configuring a Virtual Template for PPPoE

To configure PPPoE on a virtual-access interface, enter the following commands starting in global configuration mode.

	Command	Purpose
Step 1	Router(config)#vpdn enable	Enables virtual private dial-up networking.
Step 2	Router(config)#vpdn-group number	Selects VPDN-group configuration mode.
Step 3	Router(config-vpdn)#accept dialin pppoe virtual-template number	Configures the router to accept dial-in PPPoE calls.
Step 4	Router(config-vpdn)#pppoe limit per-mac number	(Optional) Limits the number of PPPoE sessions that originate from one MAC address. Default is 100.
Step 5	Router(config-vpdn)#pppoe limit per-vc number	(Optional) Limits the number of PPPoE sessions that can be established on a virtual circuit. Default is 100.
Step 6	Router(config-vpdn)#exit	Returns to global configuration mode.
Step 7	Router(config)#virtual-template template-number pre-clone number	(Optional) Creates "pre-cloned" virtual-access interfaces equal to the expected maximum number of concurrent PPPoE sessions.¹

¹Instead of creating virtual-access interfaces on demand, a number of pre-cloned virtual-access interfaces may be created and saved to a private PPPoE list. This cloning procedure reduces the CPU workload while PPPoE sessions are established.

Configuring PPPoE on an ATM Interface

To configure PPPoE on an ATM interface, enter the following commands starting in global configuration mode.

	Command	Purpose
Step 1	Router(config)#interface atm slot/0.subinterface-number multipoint	Specifies an ATM multipoint subinterface.
Step 2	Router(config-if)#pvc[name] VPI/VCI	Configures the PVC.
Step 3	Router(config-if)#encapsulation aal5snap	Configures SNAP encapsulation.
Step 4	Router(config-if)#protocol pppoe	Selects PPPoE as the protocol for the PVC.
Step 5	Router(config)#exit	Returns to global configuration mode.

Setting the IP MTU

To allow PPPoE to operate over the virtual-access interface, the IP maximum transmission unit (MTU) must be set to 1492. Enter the following commands, starting in global configuration mode, to set the IP MTU.

	Command	Purpose
Step 1	Router(config)#interface virtual-template number	Selects the virtual-access interface to be configured.
Step 2	Router(config-if)#ip mtu 1492	Sets the IP MTU to 1492.
Step 3	Router(config)#exit	Returns to global configuration mode.

Verifying PPPoE

Step 1 Enter the show vpdn command from interface configuration mode. This output shows PPPoE session information. Confirm that the virtual-access interface status (VASt) is up.

Router#show vpdn

 
PPPOE Tunnel and Session
 
Session count: 1
 
PPPoE Session Information
SID	        RemMAC	          LocMAC	       Intf    	VASt    	OIntf	   VC
1	       0010.54db.bc38  	0050.7327.5dc3  	Vi1	     UP      	AT0/0/0	 0/40

SID	Session ID for the PPPoE session.
RemMAC	MAC address of the host.
LocMAC	MAC address of the ATM interface.
Intf	Virtual-access interface associated with the PPP session.
VASt	State of the virtual-access interface.
OIntf	Outgoing interface.
VC	Virtual circuit on which PPP session flows.

The session information fields from the show vpdn display are detailed below:

Step 2 Enter the show atm pvc command from interface configuration mode. The last line of the output, "PPPOE enabled," confirms that PPPoE is enabled on this VC.

Router#show atm pvc 40

ATM0/0/0.2: VCD: 1, VPI: 0, VCI: 40
UBR, PeakRate: 155000
AAL5-LLC/SNAP, etype:0x0, Flags: 0xC20, VCmode: 0x0
OAM frequency: 0 second(s), OAM retry frequency: 1 second(s), OAM retry
frequency: 1 second(s)
OAM up retry count: 3, OAM down retry count: 5
OAM Loopback status: OAM Disabled
OAM VC state: Not Managed
ILMI VC state: Not Managed
InARP frequency: 15 minutes(s)
InPkts: 100, OutPkts: 51, InBytes: 4692, OutBytes: 2294
InPRoc: 48, OutPRoc: 51, Broadcasts: 0
InFast: 0, OutFast: 0, InAS: 52, OutAS: 0
OAM cells received: 0
F5 InEndloop: 0, F5 InSegloop: 0, F5 InAIS: 0, F5 InRDI: 0
F4 InEndloop: 0, F4 InSegloop: 0, F4 InAIS: 0, F4 InRDI: 0
OAM cells sent: 0
F5 OutEndloop: 0, F5 OutSegloop: 0, F5 OutRDI: 0
F4 OutEndloop: 0, F4 OutSegloop: 0, F4 OutRDI: 0
OAM cell drops: 0
Status: UP
PPPOE enabled.

Example: PPPoE

This section provides the following configuration examples:

PPPoE Configuration on a PVC
PPPoE Configuration Using VC Class
Concurrent PPPoE and Bridging

PPPoE Configuration on a PVC

In the following example, PPPoE is enabled directly on a PVC:

Router(config)#vpdn enable

Router(config)#vpdn-group 1

Router(config-vpdn)#accept dialin pppoe virtual-template 1

Router(config-vpdn)#exit

Router(config)#virtual-template 1 pre-clone 500

 
Router(config)#interface atm 2/0.1 multipoint

Router(config-if)#pvc 0/60

Router(config-if-atm-vc)#encapsulation aal5snap

Router(config-if-atm-vc)#protocol pppoe

Router(config-if-atm-vc)#exit

Router(config-if)#exit

 
Router(config)#ip cef

Router(config)#interface virtual-template 1

Router(config-if)#ip address 10.0.1.2 255.255.255.0

Router(config-if)#ip mtu 1492

Router(config-if)#ip route-cache cef

Router(config-if)#exit

PPPoE Configuration Using VC Class

In the following example, PPPoE is configured on a VC class called users. This VC class is then applied to a particular PVC:

Router(config)#vpdn enable

Router(config)#vpdn-group 1

Router(config-vpdn)#accept dialin pppoe virtual-template 1

Router(config-vpdn)#exit

Router(config)#virtual-template 1 pre-clone 500

 
Router(config)#interface atm 2/0.1 multipoint

Router(config-if)#pvc 0/60

Router(config-if-atm-vc)#class users

Router(config-if-atm-vc)#exit

Router(config-if)#exit

 
Router(config)#vc-class atm users

Router(config-vc-class)#encapsulation aal5snap

Router(config-vc-class)#protocol pppoe

Router(config-vc-class)#exit

 
Router(config)#ip cef

Router(config)#interface virtual-template 1

Router(config-if)#ip address 10.0.1.2 255.255.255.0

Router(config-if)#ip mtu 1492

Router(config-if)#ip route-cache cef

Router(config-if)#exit

Concurrent PPPoE and Bridging

In the following example, both PPPoE and bridging are configured to operate concurrently on the same DSL link:

Router(config)#vpdn enable

Router(config)#vpdn-group 1

Router(config)#accept dialin pppoe virtual-template 1

Router(config-vpdn)#exit

Router(config)#virtual-template 1 pre-clone 500

Router(config)#bridge 1 protocol ieee

Router(config)#bridge 1 route ip

 
Router(config)#interface atm 2/0.1 multipoint

Router(config-if)#bridge-group 1

Router(config-if)#pvc 0/60

Router(config-if-atm-vc)#encapsulation aal5snap

Router(config-if-atm-vc)#protocol pppoe

Router(config-if-atm-vc)#exit

Router(config-if)#exit

 
Router(config)#ip cef

Router(config)#interface virtual-template 1

Router(config-if)#ip address 10.0.1.2 255.255.255.0

Router(config-if)#ip mtu 1492

Router(config-if)#ip route-cache cef

Router(config-if)#exit

Monitoring and Maintaining PPPoE

Table 5-1 describes the commands that help you monitor and maintain PPoE.

Table 5-1: PPPoE Monitoring and Maintaining Commands

Command	Purpose

show atm pvc	Displays ATM PVC and traffic information, including PPPoE status.
show vpdn	Displays PPPoE session information, including MAC addresses and virtual-access interfaces.
show vpdn session packet	Displays PPPoE session statistics.
show vpdn session all	Displays PPPoE session information for each session ID.
show vpdn tunnel	Displays PPPoE session count for the tunnel.

Troubleshooting Tips

Concurrent Bridging and PPPoE

PPPoE can operate concurrently with bridging on an ATM interface. This allows PPPoE to operate on one or more specific traffic protocols, leaving other protocols to be bridged.

VC Classes

You can also configure PPP over Ethernet in a VC class and apply this VC class to an ATM VC, subinterface, or interface. For information about configuring a VC class, refer to the section "Configure VC Classes" in the chapter "Configuring ATM" of the Wide-Area Networking Configuration Guide for Cisco IOS Release 12.1.

Cisco Express Forwarding

In order to gain maximum packet switching performance, Cisco Express Forwarding (CEF) should be enabled on the virtual-access interface. For information about enabling Cisco Express Forwarding, refer to the section "Configuring Cisco Express Forwarding" in the chapter "Cisco Express Forwarding" of the Cisco IOS Switching Services Configuration Guide for IOS Release 12.1.

Configuring PPP Autosense

PPP Autosense can be configured on a single PVC, or on a VC class that can be applied to all PVCs on an ATM interface.

To configure PPP Autosense on a PVC, enter the following commands beginning in global configuration mode:

	Command	Purpose
Step 1	Router(config)#interface atm 0/0/0[.subinterface-number] {multipoint \| point-to-point \| tag-switching}	Specifies the ATM interface and optional subinterface.
Step 2	Router(config-subif)#pvc [name] vpi/vci	Configures a PVC on the ATM interface or subinterface.
Step 3	Router(config-if-atm-vc)#encapsulation aal5autoppp Virtual-Template number	Configures PPP Autosense on the PVC. Also specifies the virtual template interface to use to clone the new virtual access interfaces for PPPoA sessions on this PVC.

To configure PPP Autosense on a VC-class, enter the following commands beginning in global configuration mode:

	Command	Purpose
Step 1	Router(config)#vc-class atm vc-class-name	Creates and names a map class.
Step 2	Router(config-vc-class)#encapsulation aal5autoppp Virtual-Template number	Configures PPP Autosense on the VC class. Also specifies the virtual template interface to use to clone the new virtual access interfaces for PPPoA sessions on this PVC.
Step 3	Router(config-vc-class)#exit	Returns to global configuration mode.
Step 4	Router(config)#interface atm 0/0/0[.subinterface-number] {multipoint \| point-to-point \| tag-switching}	Specifies the ATM interface and optional subinterface.
Step 5	Router(config-subif)#class-int vc-class-name	Applies the VC class to all VCs on the ATM interface or subinterface.

Note Virtual access interfaces for PPPoE sessions are cloned from the virtual template interface specified in the VPDN group.

Verifying PPP Autosense Configuration

To verify that you successfully configured PPP Autosense, enter the show running-config EXEC command.

Example: PPP Autosense

This section provides the following configuration examples:

PPP Autosense on a PVC
PPP Autosense on a VC Class
PPP Autosense on Multiple VC Classes and Virtual Templates

PPP Autosense on a PVC

In the following example, the NAS is configured with PPP Autosense on PVC 30/33.

!
! Configure PPP Autosense 
!
interface ATM 0/0/0.33 multipoint
  pvc 30/33 
     encapsulation aal5autoppp Virtual-Template1
!
! Configure PPPoE
!
vpdn enable
vpdn-group 1
  accept dialin pppoe virtual-template 1
!
ip cef
interface virtual-template 1
  ip unnumbered fastethernet 0/0/0
  ip mtu 1492
  ip route-cache cef
!
! Enable precloning for virtual-template 1
!
virtual-template 1 pre-clone 2000 
!

PPP Autosense on a VC Class

In the following example, the NAS is configured with PPP Autosense on the VC class called "MyClass." MyClass applies the PPP Autosense feature to all PVCs on the ATM 0/0/0.99 interface.

!
! Configure PPP Autosense
!
vc-class ATM MyClass
  encapsulation aal5autoppp Virtual-Template1
!
interface ATM 0/0/0.99 multipoint
  class-int MyClass
  no ip directed-broadcast
  pvc 20/40
  pvc 30/33 
!
! Configure PPPoE
!
vpdn enable
vpdn-group 1
  accept dialin pppoe virtual-template 1
!
ip cef
interface virtual-template 1
  ip unnumbered fastethernet 0/0/0
  ip mtu 1492
  ip route-cache cef
!
! Enable precloning for virtual-template 1
!
virtual-template 1 pre-clone 2000
!

PPP Autosense on Multiple VC Classes and Virtual Templates

In the following example, PPPoA and PPPoE sessions are handled separately by two VC classes and two virtual templates.

ip cef
vpdn enable
!
vpdn-group 1
 accept-dialin
  protocol pppoe
  virtual-template 1
pppoe limit per-mac 1
pppoe limit per-vc 1
!
virtual-template 1 pre-clone 1500
!
interface ATM0/0/0.1 multipoint
no ip directed-broadcast
class-int pppoe
!
interface ATM0/0/0.3 multipoint
no ip directed-broadcast
class-int pppoa
!
interface ATM0/0/0.9 multipoint
ip address 10.16.40.1 255.255.0.0
no ip directed-broadcast
!
interface Virtual-Template1
ip unnumbered ATM0/0/0.9
ip route-cache cef
no ip directed-broadcast
peer default ip address pool pool-1
ppp authentication pap
!
interface Virtual-Template2
ip unnumbered ATM0/0/0.9
ip route-cache cef
no ip directed-broadcast
peer default ip address pool pool-2
ppp authentication chap
!
vc-class atm pppoe
 encapsulation aal5autoppp Virtual-Template1
!
vc-class atm pppoa
 encapsulation aal5autoppp Virtual-Template2
!

Monitoring and Maintaining PPP Autosense

Table 5-2 describes the commands that help you monitor and maintain PPoA.

Table 5-2: PPPoA Monitoring and Maintaining Commands

Command	Purpose

Router#show atm pvc ppp	After the client at the other end of the PPP Autosense PVC initiates a PPPoA session, enter this command to check that the PVC contains the PPPoA session.
Router#show caller	Enter this command to: View individual users and consumed resources on the NAS. Inspect active call statistics for large pools of connections. (The debug commands produce too much output and tax the CPU too heavily.) Display the absolute and idle times for each user. The current values for both of these settings are displayed on the TTY line and the asynchronous interface. Users that have been idle for unacceptably long periods of time can be easily identified. By using this information, you can define timeout policies and multiple grades of services for different users.
Router#show interface virtual access number	Displays information about the virtual access interface, LCP, protocol states, and interface statistics. The status of the virtual access interface should read: Virtual-Access3 is up, line protocol is up

Troubleshooting Tips

To troubleshoot PPP sessions establishment, enter the following commands:

debug ppp negotiation
debug ppp authentication

To troubleshoot the establishment of PPP sessions that are authenticated by a RADIUS or TACACS server, enter the following commands:

debug aaa authentication
debug aaa authorization

Note Use debug commands with extreme caution because they are CPU-intensive and can seriously impact your network.

Configuring AAA Authentication

Large-scale deployment of PPP user services requires the use of a central database, such as TACACS+ or RADIUS to ease the configuration burden. RADIUS or TACACS+ servers, collectively known as authentication, authorization, and accounting (AAA) servers for PPP over ATM (and other media), contain the per-user configuration database, including password authentication and authorization information. For more information about AAA, see the chapter "Authentication, Authorization, and Accounting (AAA)" in the Cisco IOS Security Configuration Guide.

To configure the router to use AAA for PPP authentication only, enter the following configuration commands:

	Command	Description
Step 1	aaa new-model	Enables the AAA access control model.
Step 2	aaa authentication ppp {default \| list-name} method1 [method2...]	Specifies one or more AAA authentication methods for use on interfaces running PPP.

The list-name option refers to the name of this particular method list (or default, if it is the default list), and the method option is a list of methods. For example, to configure virtual template 3 to use TACACS+ before RADIUS, and virtual template 4 to use RADIUS before local authentication, enter the following configuration commands:

Router(config)# aaa new-model

Router(config)# aaa authentication ppp list1 tacacs+ radius

Router(config)# aaa authentication ppp list2 radius local

 
Router(config)# interface virtual-template 3

Router(config-if)# ip unnumbered fastethernet 0/0/0

Router(config-if)# ppp authentication chap list1

Router(config-if)# exit

 
Router(config)# interface virtual-template 4

Router(config-if)# ip unnumbered fastethernet 0/0/0

Router(config-if)# ppp authentication chap list2

Router(config-if)# ^z

Using a Local Authentication Database

Enter the aaa authentication ppp command with the method keyword local to specify that the Cisco router or access server will use the local username database for authentication. The following example shows how to configure authentication by using the local username database:

Router(config)# aaa new-model

Router(config)# aaa authentication ppp default local

Configuring a RADIUS Server

To configure the NRP to use a RADIUS server, enter the following commands starting in global configuration mode:

	Command	Purpose
Step 1	radius-server host {hostname \| ip-address} [auth-port port-number] [acct-port port-number]	Specifies a RADIUS server host.
Step 2	radius-server key key	Sets the encryption key to match that used on the RADIUS server.
Step 3	radius-server attribute nas-port format d	Selects the ATM VC extended format (d) for the NAS port field.

In the following example, a RADIUS server is enabled and identified, and the NAS port field is set to ATM VC extended format:

Router(config)# aaa new-model

Router(config)# aaa authentication ppp default radius

 
Router(config)# radius-server host 172.31.5.96 auth-port 1645 acct-port 1646

Router(config)# radius-server key foo

Router(config)# radius-server attribute nas-port format d

The authentication and accounting port need not be specified, because they default to 1645 and 1646, respectively.

Configuring a TACACS+ Server

To configure the NRP to use a TACACS+ server, enter the following commands starting in global configuration mode:

	Command	Purpose
Step 1	tacacs-server host {hostname \| ip-address} [single-connection] [port integer] [timeout integer] [key string]	Specifies a TACACS+ server host.
Step 2	tacacs-server key key	Sets the encryption key to match that used on the TACACS+ daemon.

In the following example, a TACACS+ server is enabled and identified:

Router(config)# aaa new-model

Router(config)# aaa authentication ppp default tacacs+

 
Router(config)# tacacs-server host 172.31.5.96

Router(config)# tacacs-server key foo

Configuring PPPoE Session Limit

Overview

The PPPoE Session Limit feature enables you to limit the number of PPP over Ethernet (PPPoE) sessions that can be created on a router or on an ATM permanent virtual circuit (PVC), PVC range, or virtual circuit (VC) class.

Before the introduction of this feature, there was no way to limit the number of PPPoE sessions that could be created on a router. Not having a limit was potentially a problem because it was possible that the router could create so many PPPoE sessions that it would run out of memory.

To prevent the router from using too much memory for virtual access, the PPPoE Session Limit feature introduces a new command and a modification to an existing command that enable you to specify the maximum number of PPPoE sessions that can be created. Using the new pppoe limit max-sessions command limits the number of PPPoE sessions that can be created on the router. Using the modified pppoe max-sessions command limits the number of PPPoE sessions that can be created on an ATM PVC, PVC range, VC class, or Ethernet subinterface.

PPPoE Session Limit Types

There are three basic types of limits that can be applied to PPPoE sessions. These session limit types work independently of each other. The following statements describe these limits:

PPPoE session limits on the router.

The pppoe limit max-sessions command limits the total number of PPPoE sessions on the router, regardless of the type of medium the sessions are using.

PPPoE session limits based on a MAC address.

The pppoe limit per-mac command limits the number of PPPoE sessions that can be sourced from a single MAC address. This limit applies to all PPPoE sessions on the router.

PPPoE session limits on a physical port.

This type of limit applies to PVCs or VLANs and can be applied globally or to specific PVCs or VLANs.

The pppoe limit per-vc and pppoe limit per-vlan commands limit the number of PPPoE sessions on all PVCs or VLANs on the router.
The pppoe max-sessions command limits the number of PPPoE sessions on a specific PVC or VLAN. Limits created for a specific PVC or VLAN using the pppoe max-session command take precedence over the global limits created with the pppoe limit per-vc and pppoe limit per-vlan commands.

Benefits

The PPPoE Session Limit feature prevents the router from using too much memory for virtual access by enabling you to limit the number of PPPoE sessions that can be created on a router or on an PVC, ATM PVC range, or VC class.

Configuration Tasks

To configure PPPoE sessions limits, complete one or more of the following tasks:

Limiting the Number of PPPoE Sessions on the Router (optional)
Limiting the Number of PPPoE Sessions on a PVC (optional)
Limiting the Number of PPPoE Sessions in a VC Class (optional)
Limiting the Number of PPPoE Sessions in an ATM PVC Range (optional)
Limiting the Number of PPPoE Sessions on an Individual PVC Within a PVC Range (optional)

To verify PPPoE sessions limits, complete the following task:

Verifying PPPoE Session Limits (optional)

Limiting the Number of PPPoE Sessions on the Router

To specify the maximum number of PPPoE sessions that can be created on a router, use the following command in VPDN group configuration mode:

Command	Purpose
Router(config-vpdn)# pppoe limit max-sessions number-of-sessions	Specifies the maximum number of PPPoE sessions that are permitted on the router.

PPPoE session limits configured by using the pppoe limit max-session command take precedence over limits configured using the pppoe limit per-vlan and pppoe limit per-mac commands.

Limiting the Number of PPPoE Sessions on a PVC

To specify the maximum number of PPPoE sessions that can be created on a PVC, use the following command in interface-ATM-VC configuration mode:

Command	Purpose
Router(config-if-atm-vc)#pppoe max-sessionsnumber-of-sessions	Specifies the maximum number of PPPoE sessions that are permitted on the PVC.

PPPoE session limits created on a PVC by using the pppoe max-sessions command take precedence over the limits created with the pppoe limit per-vc command.

PPPoE session limits created on a PVC take precedence over limits created in a VC class or ATM PVC range.

Limiting the Number of PPPoE Sessions in a VC Class

To specify the maximum number of PPPoE sessions that can be created in a VC class, use the following command in VC-class configuration mode:

Command	Purpose
Router(config-vc-class)#pppoe max-sessions number-of-sessions	Specifies the maximum number of PPPoE sessions that are permitted in the VC class.

PPPoE session limits created in a VC class by using the pppoe max-sessions command take precedence over the limits created with the pppoe limit per-vc command.

PPPoE session limits created on a PVC and ATM PVC range take precedence over limits created in a VC class.

Limiting the Number of PPPoE Sessions in an ATM PVC Range

To specify the maximum number of PPPoE sessions that can be created in an ATM PVC range, use the following command in ATM PVC range configuration mode:

Command	Purpose
Router(config-if-atm-range)#pppoe max-sessions number-of-sessions	Specifies the maximum number of PPPoE sessions that are permitted in the range.

PPPoE session limits created in an ATM PVC range by using the pppoe max-sessions command take precedence over the limits created with the pppoe limit per-vc command.

PPPoE session limits created in an ATM PVC range take precedence over limits created in a VC class.

Limiting the Number of PPPoE Sessions on an Individual PVC Within a PVC Range

To specify the maximum number of PPPoE sessions that can be created on an individual PVC within a PVC range, use the following command in ATM PVC-in-range configuration mode:

Command	Purpose
Router(cfg-if-atm-range-pvc)#pppoe max-sessions number-of-sessions	Specifies the maximum number of PPPoE sessions that are permitted on the PVC.

PPPoE session limits created on an individual PVC within a range by using the pppoe max-sessions command take precedence over the limits created with the pppoe limit per-vc command.

PPPoE session limits created on an individual PVC within a range take precedence over limits created in a VC class or ATM PVC range.

Verifying PPPoE Session Limits

To verify that PPPoE session limits are configured correctly, use the following command in privileged EXEC mode:

Command	Purpose
Router#more system:running-config	Displays the running configuration.

Monitoring and Maintaining PPPoE Session Limits

To monitor PPPoE sessions limits, use the following command in EXEC mode:

Command	Purpose
Router#debug vpdn pppoe-errors	Displays PPPoE protocol errors that prevent a session from being established or errors that cause an established session to be closed.

Configuration Examples

This section provides the following configuration examples:

Limiting the Number of PPPoE Sessions on the Router Example
Limiting the Number of PPPoE Sessions on an ATM PVC Example
Limiting the Number of PPPoE Sessions in an ATM VC Class Example
Limiting the Number of PPPoE Sessions in an ATM PVC Range Example
Limiting the Number of PPPoE Sessions on an Individual PVC Within a PVC Range Example

Limiting the Number of PPPoE Sessions on the Router Example

The following example shows a limit of 100 PPPoE sessions configured for the router:

vpdn enable
 
vpdn-group 1
 accept dialin
  protocol pppoe
  virtual-template 1
 pppoe limit max-sessions 100

Limiting the Number of PPPoE Sessions on an ATM PVC Example

The following example shows a limit of 10 PPPoE sessions configured for the PVC:

interface ATM1/0.102 multipoint
 pvc 3/304
  encapsulation aal5snap
  protocol pppoe
  pppoe max-sessions 10

Limiting the Number of PPPoE Sessions in an ATM VC Class Example

The following example shows a limit of 20 PPPoE sessions configured for the VC class called "main":

vc-class atm main
 pppoe max-sessions 20

Limiting the Number of PPPoE Sessions in an ATM PVC Range Example

The following example shows a limit of 30 PPPoE sessions configured for the ATM PVC range called "range-1":

interface atm 6/0.110 multipoint
 range range-1 pvc 100 4/199
  encapsulation aal5snap
  protocol ppp virtual-template 2
  pppoe max-sessions 30

Limiting the Number of PPPoE Sessions on an Individual PVC Within a PVC Range Example

The following example shows a limit of 10 PPPoE sessions configured for "pvc1", which is part of the ATM PVC range called "range1":

interface atm 6/0.110 multipoint
 range range1 pvc 100 4/199
  pvc-in-range pvc1 3/104
   pppoe max-sessions 10

Configuring PPPoE Session Count MIB

Note The snmp-server enable traps pppoe command enables SNMP traps only. It does not support inform requests.

Overview

The PPPoE Session Count MIB provides the ability to use Simple Network Management Protocol (SNMP) to monitor in real time the number of PPPoE sessions on permanent virtual circuits (PVCs) and on the router.

This new MIB also introduces two SNMP traps that generate notification messages when a PPPoE session count threshold is reached on any PVC or on the router. The PPPoE session count thresholds can be configured by using the pppoe limit max-sessions and pppoe max-sessions commands.

Table 5-3 describes the objects and tables supported by the PPPoE Session Count MIB. For a complete description of the MIB, see the PPPoE Sessions Managment MIB file CISCO-PPPOE-MIB.my, available through Cisco.com at the following URL: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml .

Table 5-3: PPPoE Session Count MIB Objects and Tables.

Object	Description

cPppoeSystemCurrSessions	Number of active PPPoE sessions on the router.
cPppoeSystemHighWaterSessions	Total number of PPPoE sessions configured on the router since the system was initialized.
cPppoeSystemMaxAllowedSessions	Number of PPPoE sessions configurable on the router.
cPppoeSystemThresholdSessions	Threshold value of PPPoE sessions configurable on the router.
cPppoeSystemExceededSessionErrors	Accumulated number of errors on the router that have occurred because the cPppoeSystemCurrSessions value exceeded the cPppoeSystemMaxAllowedSessions value.
cPppoeVcCfgTable	PPPoE protocol related configuration information about the virtual channel links (VCLs).
cPppoeVcSessionsTable	Configuration information and statistics about the number of PPPoE sessions on the VCLs.
cPppoeSystemSessionThresholdTrap	Generates a notification message when the number of PPPoE sessions on the router exceeds the configured threshold value.
cPppoeVcSessionThresholdTrap	Generates a notification message when the number of PPPoE sessions on the PVC exceeds the configured threshold value.

Benefits

The PPPoE Session Count MIB provides the following benefits:

Allows the monitoring of PPPoE session counts using SNMP.
Helps manage the number of PPPoE sessions on a router or PVC by sending notification messages when the PPPoE session threshold has been exceeded.
Provides a way to track PPPoE session information and utilization trends over time.

Configuration Tasks

See the following sections for configuration tasks for the PPPoE Session Limit MIB feature. Each task in the list is identified as optional or required.

Enabling PPPoE Session Count SNMP Traps (required)
Configuring the PPPoE Session Count Threshold for the Router (optional)
Configuring the PPPoE Session Count Threshold for a PVC (optional)
Configuring the PPPoE Session Count Threshold for a VC Class (optional)
Configuring the PPPoE Session Count Threshold for an ATM PVC Range (optional)
Configuring the PPPoE Session Count Threshold for an Individual PVC Within a Range (optional)
Verifying PPPoE Session Count Thresholds (optional)

Enabling PPPoE Session Count SNMP Traps

To enable SNMP traps that send notification messages when PPPoE session thresholds have been exceeded, use the following command in global configuration mode:

Command	Purpose
Router(config)#snmp-server enable traps pppoe	Enables PPPoE session count Simple Network Management Protocol (SNMP) notifications.

Configuring the PPPoE Session Count Threshold for the Router

To configure the PPPoE session count threshold for the router, use the following commands beginning in global configuration mode:

	Command	Purpose
Step 1	Router(config)#vpdn group name	Associates a virtual private dialup network (VPDN) group to a customer or VPDN profile.
Step 2	Router(config-vpdn)#accept dialin	Creates an accept dial-in VPDN group.
Step 3	Router(config-vpdn-acc-in)#protocol pppoe	Configures the Layer 2 Tunneling Protocol (L2TP) that the virtual private dialup network (VPDN) subgroup will use.
Step 4	Router(config-vpdn-acc-in)#virtual-template template-number	Specifies which virtual template will be used to clone virtual access interfaces.
Step 5	Router(config-vpdn)#pppoe limit max-sessions number-of-sessions [threshold-sessions number-of-sessions]	Sets the maximum number of PPPoE sessions that will be permitted on a router, and sets the PPPoE session count threshold at which an SNMP trap will be generated.

Configuring the PPPoE Session Count Threshold for a PVC

To configure the PPPoE session count threshold for a PVC, use the following commands beginning in global configuration mode:

	Command	Purpose
Step 1	Router(config)#interface atm number [point-to-point \| multipoint]	Configures an ATM interface. To determine the correct form of the interface atm command, refer to your ATM network module, port adapter, or router documentation.
Step 2	Router(config-if)#pvc [name] vpi/vci	Configures the PVC.
Step 3	Router(config-if-atm-vc)#pppoe max-session number-of-sessions [threshold-sessions number-of-sessions]	Sets the maximum number of PPPoE sessions that are permitted on an ATM PVC, PVC range, VC class, or VLAN, and sets the PPPoE session count threshold at which an SNMP trap is generated.

Configuring the PPPoE Session Count Threshold for a VC Class

To configure the PPPoE session count threshold for a VC class, use the following commands beginning in global configuration mode:

	Command	Purpose
Step 1	Router(config)#vc-ckass atm name	Creates a VC class for an ATM PVC, SVC, or ATM interface.
Step 2	Router(config-vc-class)#pppoe max-session number-of-sessions [threshold-sessions number-of-sessions]	Sets the maximum number of PPPoE sessions that are permitted on an ATM PVC, PVC range, VC class, or VLAN, and sets the PPPoE session count threshold at which an SNMP trap is generated.

Configuring the PPPoE Session Count Threshold for an ATM PVC Range

To configure the PPPoE session count threshold for an ATM PVC range, use the following commands beginning in global configuration mode:

	Command	Purpose
Step 1	Router(config)#interface atm number [point-to-point \| multipoint]	Configures an ATM interface.¹
Step 2	Router(config-if)#range [range-name] pvc start-vpi/start-vci end-vpi/end-vci	Defines a range of ATM PVCs.
Step 3	Router(cfg-if-atm-range)#pppoe max-session number-of-sessions [threshold-sessions number-of-sessions]	Sets the maximum number of PPPoE sessions that will be permitted on an ATM PVC, PVC range, VC class, or VLAN, and sets the PPPoE session count threshold at which an SNMP trap will be generated.

¹To determine the correct form of the interface atm command, refer to your ATM network module, port adapter, or router documentation.

Configuring the PPPoE Session Count Threshold for an Individual PVC Within a Range

To configure the PPPoE session count threshold for an individual PVC within an ATM PVC range, use the following commands beginning in global configuration mode:

	Command	Purpose
Step 1	Router(config)#interface atm number [point-to-point \| multipoint]	Configures an ATM interface.¹
Step 2	Router(config-if)#range [range-name] pvc start-vpi/start-vci end-vpi/end-vci	Defines a range of ATM PVCs.
Step 3	Router(cfg-if-atm-range)#pvc-in-range [pvc-name] [vpi/vci]	Configures an individual PVC within a PVC range.
Step 4	Router(cfg-if-atm-range-pvc)#pppoe max-session number-of-sessions [threshold-sessions number-of-sessions]	Sets the maximum number of PPPoE sessions that will be permitted on an ATM PVC, PVC range, VC class, or VLAN, and sets the PPPoE session count threshold at which an SNMP trap will be generated.

¹To determine the correct form of the interface atm command, consult your ATM network module, port adapter, or router documentation.

Verifying PPPoE Session Count Thresholds

To verify the configuration of PPPoE session count thresholds, use the following command in EXEC mode:

Command	Purpose
Router#more system:running-config	Displays the running configuration.

Monitoring and Maintaining PPPoE Session Counts and SNMP Notifications

To monitor PPPoE session counts and SNMP notifications, use the following commands in EXEC mode:

Command	Purpose
Router#debug snmp packets	Displays information about every SNMP packet sent or received by the router.
Router#debug vpdn pppoe-errors	Displays PPPoE protocol errors that prevent a session from being established or errors that cause an established session to be closed.
Router#debug vpdn pppoe-packets	Displays each PPPoE protocol packet exchanged.
Router#show vpdn [session][packets][tunnel][all]	Displays information about active Level 2 Forwarding (L2F) Protocol tunnel and message identifiers in a VPDN.

Configuration Examples

This section provides the following configuration examples:

Configuring PPPoE Session Count SNMP Traps Example
PPPoE Session Count Threshold for the Router Example
PPPoE Session Count Threshold for a PVC Example
PPPoE Session Count Threshold for a VC Class Example
PPPoE Session Count Threshold for a PVC Range Example
PPPoE Session Count Threshold for an Individual PVC Within a PVC Range Example

Configuring PPPoE Session Count SNMP Traps Example

The following example enables the router to send PPPoE session count SNMP notifications to the host at the address 10.64.131.20:

snmp-server community public RW
snmp-server enable traps pppoe
snmp-server host 10.64.131.20 version 2c public udp-port 1717

PPPoE Session Count Threshold for the Router Example

The following example shows a limit of 4000 PPPoE sessions configured for the router. The PPPoE session count threshold is set at 3000 sessions, so when the number of PPPoE sessions on the router exceeds 3000, an SNMP trap is generated.

vpdn enable
no vpdn logging
!
vpdn-group 1
 accept-dialin
  protocol pppoe
  virtual-template 1
 pppoe limit max-sessions 4000 threshold-sessions 3000

PPPoE Session Count Threshold for a PVC Example

The following example shows a limit of 5 PPPoE sessions configured for the PVC. The PPPoE session count threshold is set at 3 sessions, so when the number of PPPoE sessions on the PVC exceeds 3, an SNMP trap is generated.

interface ATM0/0/0
 ip address 10.0.0.1 255.255.255.0
 no atm ilmi-keepalive
 pvc 5/120
  protocol ip 10.0.0.2 broadcast
  pppoe max-sessions 5 threshold-sessions 3
  protocol pppoe

PPPoE Session Count Threshold for a VC Class Example

The following example shows a limit of 7 PPPoE sessions configured for a VC class called "main". The PPPoE session count threshold is set at 3 sessions, so when the number of PPPoE sessions for the VC class exceeds 3, an SNMP trap is generated.

vc-class atm main
 pppoe max-sessions 7 threshold-sessions 3

PPPoE Session Count Threshold for a PVC Range Example

The following example shows a limit of 20 PPPoE sessions configured for the PVC range. The PPPoE session count threshold is also 20 sessions because, when it has not been explicitly configured, the session count threshold defaults to the PPPoE session limit. An SNMP trap is generated when the number of PPPoE sessions for the range exceeds 20.

interface ATM0/0/0.3 point-to-point
 range pvc 3/100 3/105
  pppoe max-sessions 20 
  protocol pppoe

PPPoE Session Count Threshold for an Individual PVC Within a PVC Range Example

The following example shows a limit of 10 PPPoE sessions configured for "pvc1". The PPPoE session count threshold is set at 3 sessions, so when the number of PPPoE sessions for the PVC exceeds 3, an SNMP trap is generated.

interface atm 6/0.110 multipoint
 range range1 pvc 100 4/199
  pvc-in-range pvc1 3/104
   pppoe max-sessions 10 threshold-sessions 3

Table of Contents