The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
The PPPoE Circuit-Id Tag Processing feature provides a way to extract a Circuit-Id tag from the digital subscriber line (DSL)
as an identifier for the authentication, authorization, and accounting (AAA) access request on a Fast Ethernet or Gigabit
Ethernet interface, thereby simulating ATM-based Broadband access, but using cost-effective Fast Ethernet or Gigabit Ethernet
instead. The tag is useful for troubleshooting the network, and is also used in RADIUS authentication and accounting processes.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information,
see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module,
and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature
Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for the PPPoE Circuit-Id Tag Processing Feature
It is recommended that you be familiar with RFC 2516 before configuring this feature.
Information About the PPPoE Circuit-Id Tag Processing Feature
Differences Between ATM- and Fast or Gigabit Ethernet-Based Broadband Access Networks
Broadband digital subscriber line multiplexer (DSLAM) and Broadband Remote Access Server (BRAS) vendors see a need to provide
Fast or Gigabit Ethernet-based networks as an alternative to an ATM access network, with a DSLAM bridging the ATM-DSL local
loop to the Fast or Gigabit Ethernet-based access network and allowing Fast or Gigabit Ethernet-based connectivity to the
BRAS. But in an Fast or Gigabit Ethernet access network, there is no unique mapping between the subscriber Line-Id and the
interface, as is found in an ATM-based network. In an ATM-based network, the ATM VC is associated to a subscriber line.
During the authentication phase that initiates the PPP access and AAA accounting requests, the BRAS includes a NAS-Port-Id
attribute in RADIUS authentication packets, if the feature "TAL based on the NAS-Port-Id" feature is configured. This attribute
identifies the DSL line for the subscriber. See Configuring BRAS to Include a NAS-Port-Id Attribute Example for an example.
DSL Forum 2004-71 Solution
To apply the same subscriber mapping capability to Fast or Gigabit Ethernet interfaces that is possible on ATM interfaces,
DSL Forum 2004-71 proposes a solution whereby the DSLAM sends the DSL Line-Id in the PPP over Ethernet (PPPoE) discovery phase.
This method provides a way for a PPPoE server acting as a BRAS to extract the Line-Id tag and use the Circuit-Id field of
that tag as a NAS-Port-Id attribute in AAA access and accounting requests. The PPPoE Circuit-Id Tag Processing feature makes
use of the proposed DSL Forum 2004-71 method and allows the BRAS to detect the presence of the subscriber Circuit-Id tag inserted
by the DSLAM during the PPPoE discovery phase. The BRAS will send this tag as a NAS-Port-Id attribute in PPP authentication
and AAA accounting requests. The tag is useful in troubleshooting the Ethernet network, and it is also used in RADIUS authentication
and accounting processes.
Approach for a Circuit-Id Tag in Ethernet-Based Broadband Access Networks
Traditional ATM-based DSL broadband access networks have the topology
shown in the figure below.
In terms of logical connectivity, there is a one-to-one mapping of the
DSL subscriber line to the end user and the ATM VC used to carry the PPP
session through the DSLAM and to the BRAS, where this VC information is
converted into a NAS-Port-Id for use in RADIUS packets.
The simple mapping available from an ATM-based network between the
physical line in the DSL local loop to the end user and a VC (from DSLAM to
BRAS) is not available for an Fast or Gigabit Ethernet-based network. To solve
this problem, the PPPoE Circuit-Id Tag Processing feature uses a PPPoE
intermediate agent function on the DSLAM to attach a tag to the PPPoE discovery
packets. The BRAS then receives the tagged packet, decodes the tag, and inserts
the line identifier into RADIUS packets destined for the RADIUS server.
DSLAM intercepts PPPoE discovery frames from the client and inserts a
unique line identifier (circuit-id) using the PPPoE Vendor-Specific tag
(0x0105) to PPPoE Active Discovery Initiation and Request (PADI and PADR)
packets; see the figure below. The DSLAM forwards these packets to the BRAS
after the insertion. The tag contains the circuit-id of the DSL line on which
the PADI or PADR packet was received, in the access node where the intermediate
agent resides.
When the
vendor-tag circuit-id service command is configured in BBA (broadband
access) group configuration mode, the BRAS processes the received PPPoE
Vendor-Specific tag in the PADR packet and extracts the Circuit-Id field, which
is sent to the remote AAA server as the NAS-Port-Id attribute (RADIUS attribute
87) in RADIUS access and accounting requests. When the
radius-server attribute nas-port format d global configuration command is also configured on
the BRAS, the Acct-Session-Id attribute will contain the information about the
incoming access interface, where discovery frames are received, and about the
session being established.
Outgoing PAD Offer and Session-confirmation (PADO and PADS) packets
from the BRAS will have the DSLAM-inserted Circuit-Id tag. DSLAM should strip
the tag out of PADO and PADS packets. If the DSLAM cannot strip off the tag,
the BRAS should remove it before sending the packets out, and this is
accomplished using the
vendor-tag circuit-id strip BBA group configuration mode command.
Benefits of the PPPoE Circuit-Id Tag Processing Feature
The shift towards Fast or Gigabit Ethernet-based DSLAMs offers the following benefits:
Ability to use simpler and lower cost provisioning options for DSL subscribers over an Fast or Gigabit Ethernet-based backhaul
network rather than on an ATM-based network.
Ability to use higher bandwidth connectivity options available from Fast or Gigabit Ethernet not possible on ATM.
Ability to upgrade to next-generation DSLAMs with quality of service (QoS), and support for higher bandwidth, asymmetric dual
latency modems such as the ADSL2.
Ability to inject high-bandwidth content such as video in an Ethernet network.
How to Configure the PPPoE Circuit-Id Tag Processing Feature
Configuring the PPPoE Circuit-Id Tag Processing Feature
This section describes how to configure an Fast or Gigabit Ethernet-based access network on a Cisco BRAS. The extracted Circuit-Id
tag (see Information About the PPPoE Circuit-Id Tag Processing Feature) is sent in the following RADIUS syntax, as recommended by the DSL Forum:
"Access-Node-Identifier eth slot/ port
[: vlan-tag
]"
The Access-Node-Identifier is a unique subscriber identifier or telephone number text string entered without spaces. Per DSL-Forum
2004-71, the maximum length supported for the tag is 48 bytes. The BRAS copies the entire tag into the NAS-Port-Id and sends
it to the AAA server.
SUMMARY STEPS
enable
configure terminal
radius-server attribute nas-port format d
bba-group pppoe group-name
vendor-tag circuit-id service
DETAILED STEPS
Command or Action
Purpose
Step 1
enable
Example:
Router> enable
Enables privileged EXEC mode.
Enter your password if prompted.
Step 2
configure terminal
Example:
Router# configure terminal
Enters global configuration mode.
Step 3
radius-server attribute nas-port format d
Example:
Router(config)# radius-server attribute nas-port format d
(Optional) Selects the PPPoE extended NAS-Port format used for RADIUS access and accounting.
Configure this command so that the Acct-Session-Id attribute, as displayed in the debug radius command, will contain the information about the incoming access interface, where discovery frames are received, and about
the session being established. See the Displaying the Session Activity Log and Configuring PPPoE Circuit-Id Tag Processing Example sections for more information.
Router(config-bba-group)# vendor-tag circuit-id service
Enables processing of the received PPPoE Vendor-Specific tag in the PADR packet, which extracts the Circuit-Id part of the
tag and sends it to the AAA server as the NAS-Port-Id attribute in RADIUS access and accounting requests.
Removing the PPPoE Circuit-Id Tag
Outgoing PADO and PADS packets will have the DSLAM-inserted Vendor-Specific Line-Id tag, and DSLAM must strip the Circuit-Id
tag from the packets. If the DSLAM cannot strip the tag, the BRAS must remove it before sending out the packets. This task
is accomplished through configuration of the vendor-tag circuit-id strip command in BBA group configuration mode.
SUMMARY STEPS
enable
configure terminal
bba-group pppoe group-name
vendor-tag strip
DETAILED STEPS
Command or Action
Purpose
Step 1
enable
Example:
Router> enable
Enables privileged EXEC mode.
Enter your password if prompted.
Step 2
configure terminal
Example:
Router# configure terminal
Enters global configuration mode.
Step 3
bba-group pppoe group-name
Example:
Router(config)# bba-group pppoe pppoe-group
Defines a PPPoE profile and enters BBA group configuration mode.
Step 4
vendor-tag strip
Example:
Router(config-bba-group)# vendor-tag strip
Enables the BRAS to strip off incoming Vendor-Specific Circuit-Id tags from outgoing PADO and PADS packets.
Displaying the Session Activity Log
When the radius-server attribute nas-port format d global configuration command is added to the PPPoE Circuit-Id Tag Processing feature configuration on the BRAS (see the Configuring PPPoE Circuit-Id Tag Processing Example for an example), the report from the debug radius privileged EXEC command will include information about the incoming access interface, where discovery frames are received,
and about the session being established in PPPoE extended NAS-Port format (format d).
Enable the debug radius command to display a report of session activity. In the example shown in this section:
The acct_session_id is 79 or 4F in hexadecimal format.
In the message "Acct-session-id pre-pended with Nas Port = 0/0/0/200," the interface on which the PPPoE discovery frames arrived
is FastEthernet0/0.200. The 0/0/0 is Cisco format for slot/subslot/port.
The Acct-Session-Id vendor-specific attribute 44 contains the string "0/0/0/200_0000004F," which is a combination of the ingress
interface and the session identifier.
Note
Strings of interest in thedebug radius output log are presented in bold text for example purposes only.
Router# debug radius
02:10:49: RADIUS(0000003F): Config NAS IP: 0.0.0.0
02:10:49: RADIUS/ENCODE(0000003F): acct_session_id: 79
02:10:49: RADIUS(0000003F): sending
02:10:49: RADIUS/ENCODE: Best Local IP-Address 10.0.58.141 for Radius-Server 172.20.164.143
02:10:49: RADIUS(0000003F): Send Access-Request to 172.20.164.143:1645 id 1645/65, len 98
02:10:49: RADIUS: authenticator 1C 9E B0 A2 82 51 C1 79 - FE 24 F4 D1 2F 84 F5 79
02:10:49: RADIUS: Framed-Protocol [7] 6 PPP [1]
02:10:49: RADIUS: User-Name [1] 7 "peer1"
02:10:49: RADIUS: CHAP-Password [3] 19 *
02:10:49: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
02:10:49: RADIUS: NAS-Port [5] 6 200
02:10:49: RADIUS: NAS-Port-Id [87] 22 "FastEthernet6/0.200:"
02:10:49: RADIUS: Service-Type [6] 6 Framed [2]
02:10:49: RADIUS: NAS-IP-Address [4] 6 10.0.58.141
02:10:49: RADIUS: Received from id 1645/65 172.20.164.143:1645, Access-Accept, len 32 02:10:49: RADIUS: authenticator 06 45 84 1B 27 1F A5 C3 - C3 C9 69 6E B9 C0 6F 94
02:10:49: RADIUS: Service-Type [6] 6 Framed [2]
02:10:49: RADIUS: Framed-Protocol [7] 6 PPP [1]
02:10:49: RADIUS(0000003F): Received from id 1645/65
02:10:49: [62]PPPoE 65: State LCP_NEGOTIATION Event PPP_LOCAL
02:10:49: PPPoE 65/SB: Sent vtemplate request on base Vi2
02:10:49: [62]PPPoE 65: State VACCESS_REQUESTED Event VA_RESP
02:10:49: [62]PPPoE 65: Vi2.1 interface obtained
02:10:49: [62]PPPoE 65: State PTA_BINDING Event STAT_BIND
02:10:49: [62]PPPoE 65: data path set to Virtual Acess
02:10:49: [62]PPPoE 65: Connected PTA
02:10:49: [62]PPPoE 65: AAA get dynamic attrs
02:10:49: [62]PPPoE 65: AAA get dynamic attrs
02:10:49: RADIUS/ENCODE(0000003F):Orig. component type = PPoE
02:10:49: RADIUS/ENCODE(0000003F): Acct-session-id pre-pended with Nas Port = 0/0/0/200
02:10:49: RADIUS(0000003F): Config NAS IP: 0.0.0.0
02:10:49: RADIUS(0000003F): sending
02:10:49: RADIUS/ENCODE: Best Local IP-Address 10.0.58.141 for Radius-Server 172.20.164.143
02:10:49: RADIUS(0000003F): Send Accounting-Request to 172.20.164.143:1646 id 1 646/42, len 117
02:10:49: RADIUS: authenticator 57 24 38 1A A3 09 62 42 - 55 2F 41 71 38 E1 CC 24
02:10:49: RADIUS: Acct-Session-Id [44] 20 "0/0/0/200_0000004F"
02:10:49: RADIUS: Framed-Protocol [7] 6 PPP [1]
02:10:49: RADIUS: User-Name [1] 7 "peer1"
02:10:49: RADIUS: Acct-Authentic [45] 6 RADIUS [1]
02:10:49: RADIUS: Acct-Status-Type [40] 6 Start [1]
02:10:49: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
02:10:49: RADIUS: NAS-Port [5] 6 200
02:10:49: RADIUS: NAS-Port-Id [87] 22 "FastEthernet6/0.200:"
02:10:49: RADIUS: Service-Type [6] 6 Framed [2]
02:10:49: RADIUS: NAS-IP-Address [4] 6 10.0.58.141
02:10:49: RADIUS: Acct-Delay-Time [41] 6 0
02:10:49: RADIUS: Received from id 1646/42 172.20.164.143:1646, Accounting-resp onse, len 20
02:10:49: RADIUS: authenticator 34 84 7E B2 F4 40 B2 7C - C5 B2 4E 98 78 03 8B C0
Configuration Examples for the PPPoE Circuit-Id Tag Processing Feature
Configuring PPPoE Circuit-Id Tag Processing Example
In the following example, outgoing PADO and PADS packets will retain the incoming Vendor-Specific Circuit-Id tag:
radius-server attribute nas-port format d
!
bba-group pppoe pppoe-group
sessions per-mac limit 50
vendor-tag circuit-id service
!
interface FastEthernet0/0.1
encapsulation dot1Q 120
pppoe enable group pppoe-group
Configuring BRAS to Include a NAS-Port-Id Attribute Example
In the following example, the feature TAL based on the NAS-Port-Id is configured. This configuration ensures that a NAS-Port-Id
attribute is included in RADIUS authentication packets during the authentication phase to initiate PPP access and AAA accounting
requests.
radius-server attribute nas-port
policy-map type control test
class type control always event session-start
1 authorize identifier nas-port
Removing the PPPoE Circuit-Id Tag Example
In the following example, the BRAS will strip off incoming Vendor-Specific Circuit-Id tags from outgoing PADO and PADS packets:
To locate and download MIBs for selected platforms, Cisco IOS XE software releases, and feature sets, use Cisco MIB Locator
found at the following URL:
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and
resolving technical issues with Cisco products and technologies.
To receive security and technical information about your products, you can subscribe to various services, such as the Product
Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.
http://www.cisco.com/techsupport
Feature Information for PPPoE Circuit-Id Tag Processing
The following table provides release information about the feature or features described in this module. This table lists
only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise,
subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco
Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 1. Feature Information for PPPoE Circuit-Id Tag Processing
Feature Name
Releases
Feature Information
PPPoE Circuit-Id Tag Processing
Cisco IOS XE Release 2.1.
The PPPoE Circuit-Id Tag Processing feature provides a way to extract a Circuit-Id tag from the DSL as an identifier for
the AAA access request on an Ethernet interface, thereby simulating ATM-based broadband access, but using cost-effective Ethernet
instead. The tag is useful for troubleshooting the network, and is also used in RADIUS authentication and accounting processes.
This feature was introduced on Cisco ASR 1000 Series Aggregation Services Routers.
This feature was integrated into Cisco IOS XE Release 2.3.1.
The following commands were introduced or modified:
vendor-tag circuit-id service ,
vendor-tag strip .