Configuring PPP over Ethernet with NAT
The Cisco 1811 and Cisco 1812 integrated services fixed-configuration routers support Point-to-Point Protocol over Ethernet (PPPoE) clients and network address translation (NAT).
Multiple PCs can be connected to the LAN behind the router. Before the traffic from these PCs is sent to the PPPoE session, it can be encrypted, filtered, and so forth. Figure 3-1 shows a typical deployment scenario with a PPPoE client and NAT configured on the Cisco router.
Figure 3-1 PPP over Ethernet with NAT
• Multiple networked devices—desktops, laptop PCs, switches
• Fast Ethernet LAN interface (inside interface for NAT)
• PPPoE client—Cisco 1811 or Cisco 1812 integrated services router
• Point at which NAT occurs
• Fast Ethernet WAN interface (outside interface for NAT)
• Cable modem or other server (for example, a Cisco 6400 server) that is connected to the Internet
• PPPoE session between the client and a PPPoE server
PPPoE
The PPPoE Client feature on the router provides PPPoE client support on Ethernet interfaces. A dialer interface must be used for cloning virtual access. Multiple PPPoE client sessions can be configured on an Ethernet interface, but each session must use a separate dialer interface and a separate dialer pool.
A PPPoE session is initiated on the client side by the Cisco 1800 series router. An established PPPoE client session can be terminated in one of two ways:
• By entering the clear vpdn tunnel pppoe command. The PPPoE client session terminates, and the PPPoE client immediately tries to reestablish the session. This also occurs if the session has a timeout.
• By entering the no pppoe-client dial-pool number command to clear the session. The PPPoE client does not attempt to reestablish the session.
NAT
NAT (represented as the dashed line at the edge of the Cisco router) signifies two addressing domains and the inside source address. The source list defines how the packet travels through the network.
Configuration Tasks
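Perform the following tasks to configure this network scenario:
• Configure the Virtual Private Dialup Network Group Number
• Configure the Fast Ethernet WAN Interfaces
• Configure the Dialer Interface
• Configure Network Address Translation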
An example showing the results of these configuration tasks is shown in the section “Configuration Example.”
Configure the Virtual Private Dialup Network Group Number
Configuring a virtual private dialup network (VPDN) enables multiple clients to communicate through the router by way of a single IP address.
Complete the following steps to configure a VPDN, starting from the global configuration mode. See the “Configure Global Parameters” section for details about entering this mode.
Step 1
    vpdn enable
    Example: Router(config)# vpdn enable
    Enables VPDN on the router.

Step 2
    vpdn-group name
    Example: Router(config-vpdn)# vpdn-group 1
    Creates and associates a VPDN group with a customer or VPDN profile.

Step 3
    request-dialin
    Example: Router(config-vpdn-grp)# request-dialin
    Creates a request-dialin VPDN subgroup, indicating the dialing direction, and initiates the tunnel.

Step 4
    initiate-to ip ip-address
    Example: Router(config-vpdn-grp)# initiate-to ip 192.168.1.1
    Specifies the address to which requests are tunneled.
    For details about this command and additional parameters that can be set, see the Cisco IOS Dial Technologies Command Reference.

Step 5
    protocol {l2f | l2tp | pppoe | any}
    Example: Router(config-vpdn-grp)# protocol pppoe
    Specifies the type of sessions the VPDN subgroup can establish.

Step 6
    exit
    Example: Router(config-vpdn-grp)# exit
    Exits VPDN group configuration.

Step 7
    exit
    Example: Router(config-vpdn)# exit
    Exits VPDN configuration, returning to global configuration mode.
Configure the Fast Ethernet WAN Interfaces
In this scenario, the PPPoE client (your Cisco router) communicates over a 10/100-Mbps Ethernet interface on both the inside and the outside.
Note The Cisco 1800 series integrated services fixed-configuration routers have a hardware limitation on the Fast Ethernet ports FE0 and FE1. In half-duplex mode, when traffic reaches or exceeds 100% capacity (equal to or greater than 5 Mbps in each direction), the interface experiences excessive collisions and resets every second. To avoid this problem, you must limit the traffic capacity to less than 100%.
Perform these steps to configure the Fast Ethernet WAN interfaces, starting in global configuration mode:
Step 1
    interface type number
    Example: Router(config)# interface fastethernet 0
    Enters interface configuration mode for a Fast Ethernet WAN interface.
    The Cisco 1800 integrated services routers have two Fast Ethernet WAN interfaces. You can use these steps to configure one or both of them.

Step 2
    pppoe-client dial-pool-number number
    Example: Router(config-if)# pppoe-client dial-pool-number 1
    Configures the PPPoE client and specifies the dialer interface to use for cloning.

Step 3
    no shutdown
    Example: Router(config-if)# no shutdown
    Enables the Fast Ethernet interface and the configuration changes just made to it.

Step 4
    exit
    Exits configuration mode for the Fast Ethernet interface and returns to global configuration mode.
Configure the Dialer Interface
The dialer interface indicates how to handle traffic from the clients, including, for example, default routing information, the encapsulation protocol, and the dialer pool to use. The dialer interface is also used for cloning virtual access. Multiple PPPoE client sessions can be configured on a Fast Ethernet interface, but each session must use a separate dialer interface and a separate dialer pool.
Complete the following steps to configure a dialer interface for one of the Fast Ethernet LAN interfaces on the router, starting in global configuration mode.
Step 1
    interface dialer dialer-rotary-group-number
    Example: Router(config)# interface dialer 0
    Creates a dialer interface (numbered 0–255), and enters interface configuration mode.

Step 2
    ip address negotiated
    Example: Router(config-if)# ip address negotiated
    Specifies that the IP address for the interface is obtained through PPP/IPCP (IP Control Protocol) address negotiation.

Step 3
    ip mtu bytes
    Example: Router(config-if)# ip mtu 1492
    Sets the size of the IP maximum transmission unit (MTU). The default minimum is 128 bytes. The maximum for Ethernet is 1492 bytes.

Step 4
    encapsulation encapsulation-type
    Example: Router(config-if)# encapsulation ppp
    Sets the encapsulation type to PPP for the data packets being transmitted and received.

Step 5
    ppp authentication {protocol1 [protocol2...]}
    Example: Router(config-if)# ppp authentication chap
    Sets the PPP authentication method to Challenge Handshake Authentication Protocol (CHAP).
    For details about this command and additional parameters that can be set, see the Cisco IOS Security Command Reference.

Step 6
    dialer pool number
    Example: Router(config-if)# dialer pool 1
    Specifies the dialer pool to use to connect to a specific destination subnetwork.

Step 7
    dialer-group group-number
    Example: Router(config-if)# dialer-group 1
    Assigns the dialer interface to a dialer group (1–10).
    Tip Using a dialer group controls access to your router.

Step 8
    exit
    Exits the dialer 0 interface configuration.

Step 9
    dialer-list dialer-group protocol protocol-name {permit | deny | list access-list-number | access-group}
    Example: Router(config)# dialer-list 1 protocol ip permit
    Creates a dialer list and associates a dial group with it. Packets are then forwarded through the specified interface dialer group.
    For details about this command and additional parameters that can be set, see the Cisco IOS Dial Technologies Command Reference.

Step 10
    ip route prefix mask {interface-type interface-number}
    Example: Router(config)# ip route 10.10.25.2 0.255.255.255 dialer 0
    Sets the IP route for the default gateway for the dialer 0 interface.
    For details about this command and additional parameters that can be set, see the Cisco IOS IP Command Reference, Volume 2; Routing Protocols.
Configure Network Address Translation
Network Address Translation (NAT) translates packets from addresses that match a standard access list, using global addresses allocated by the dialer interface. Packets that enter the router through the inside interface, packets sourced from the router, or both are checked against the access list for possible address translation. You can configure NAT for either static or dynamic address translations.
Perform these steps to configure the outside Fast Ethernet WAN interface with dynamic NAT, beginning in global configuration mode:
Step 1
    ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
    Example: Router(config)# ip nat pool pool1 192.168.1.0 192.168.2.0 netmask 0.0.0.255
    Creates pool of global IP addresses for NAT.

Step 2
    ip nat inside source {list access-list-number} {interface type number | pool name} [overload]
    Example 1: Router(config)# ip nat inside source list 1 interface dialer 0 overload
    or
    Example 2: Router(config)# ip nat inside source list acl1 pool pool1
    Enables dynamic translation of addresses on the inside interface.
    The first example shows the addresses permitted by the access list 1 to be translated to one of the addresses specified in the dialer interface 0.
    The second example shows the addresses permitted by access list acl1 to be translated to one of the addresses specified in the NAT pool pool1.
    For details about this command and additional parameters that can be set, as well as information about enabling static translation, see the Cisco IOS IP Command Reference, Volume 1 of 4: Addressing and Services.

Step 3
    interface type number
    Example: Router(config)# interface vlan 1
    Enters configuration mode for the VLAN (on which the Fast Ethernet LAN interfaces reside) to be the inside interface for NAT.

Step 4
    ip nat {inside | outside}
    Example: Router(config-if)# ip nat inside
    Identifies the specified VLAN interface as the NAT inside interface.
    For details about this command and additional parameters that can be set, as well as information about enabling static translation, see the Cisco IOS IP Command Reference, Volume 1 of 4: Addressing and Services.

Step 5
    no shutdown
    Example: Router(config-if)# no shutdown
    Enables the configuration changes just made to the Ethernet interface.

Step 6
    exit
    Exits configuration mode for the Fast Ethernet interface.

Step 7
    interface type number
    Example: Router(config)# interface fastethernet 0
    Enters configuration mode for the Fast Ethernet WAN interface (FE0 or FE1) to be the outside interface for NAT.

Step 8
    ip nat {inside | outside}
    Example: Router(config-if)# ip nat outside
    Identifies the specified WAN interface as the NAT outside interface.
    For details about this command and additional parameters that can be set, as well as information about enabling static translation, see the Cisco IOS IP Command Reference, Volume 1 of 4: Addressing and Services.

Step 9
    no shutdown
    Example: Router(config-if)# no shutdown
    Enables the configuration changes just made to the Ethernet interface.

Step 10
    exit
    Exits configuration mode for the Fast Ethernet interface.

Step 11
    access-list access-list-number {deny | permit} source [source-wildcard]
    Example: Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
    Defines a standard access list indicating which addresses need translation.
    Note All other addresses are implicitly denied.
Note If you want to use NAT with a virtual-template interface, you must configure a loopback interface. See “Basic Router Configuration,” for information on configuring a loopback interface.
For complete information on the NAT commands, see the Cisco IOS Release 12.3 documentation set. For more general information on NAT concepts, see Appendix B, “Concepts.”
Configuration Example
The following configuration example shows a portion of the configuration file for the PPPoE scenario described in this chapter.
The VLAN interface has an IP address of 192.168.1.1 with a subnet mask of 255.255.255.0. NAT is configured for inside and outside.
Note Since the VLAN interface is on the LAN, we have used a private IP address.
Note Commands marked by “(default)” are generated automatically when you run the show running-config command.
ip address 192.168.1.1 255.255.255.0
no ip directed-broadcast (default)
ip address 192.1.12.2 255.255.255.0
no ip directed-broadcast (default)
dialer-list 1 protocol ip permit
ip nat inside source list 1 interface dialer 1 overload
ip route 10.10.25.2 0.255.255.255 dialer 1
Verifying Your Configuration
Use the show ip nat statistics command in privileged EXEC mode to verify NAT configuration. You should see verification output similar to the following example:
Router# show ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
CEF Translated packets: 0, CEF Punted packets: 0
[Id: 1] access-list 1 interface Dialer0 refcount 0
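An offline complement to the show command, added here as an example (it is not Cisco's code): it checks that the cross-references created by the configuration tasks in this chapter line up in a saved running-config, namely dial pool to dialer interface, dialer group to dialer list, NAT source list to access list, the NAT overload interface, and the NAT inside/outside markers. The sample configuration, the function names and the finding texts are assumptions constructed for illustration.

```python
import re

# Constructed running-config for this page's scenario (not from a real device).
SAMPLE = """\
interface FastEthernet0
 pppoe-client dial-pool-number 1
 ip nat outside
interface Vlan1
 ip nat inside
interface Dialer0
 dialer pool 1
 dialer-group 1
ip nat inside source list 1 interface Dialer0 overload
access-list 1 permit 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
"""

def split_config(text):
    """Split IOS-style text into global commands and indented interface sub-commands."""
    global_cmds, sub_cmds = [], []
    for raw in text.splitlines():
        if raw.strip() not in ("", "!"):
            (sub_cmds if raw.startswith(" ") else global_cmds).append(raw.strip())
    return global_cmds, sub_cmds

def ids(pattern, lines):
    """Collect the first capture group from every line that fully matches pattern."""
    return {m.group(1) for line in lines if (m := re.fullmatch(pattern, line))}

def audit(text):
    """Return findings for broken cross-references; an empty list means consistent."""
    glob, sub = split_config(text)
    findings = []
    for n in sorted(ids(r"pppoe-client dial-pool-number (\d+)", sub) - ids(r"dialer pool (\d+)", sub)):
        findings.append(f"dial pool {n}: no dialer interface uses it")
    for n in sorted(ids(r"dialer-group (\d+)", sub) - ids(r"dialer-list (\d+) .*", glob)):
        findings.append(f"dialer-group {n}: no matching dialer-list")
    acls = ids(r"(?:ip )?access-list (?:standard |extended )?(\S+).*", glob)
    for n in sorted(ids(r"ip nat inside source list (\S+) .*", glob) - acls):
        findings.append(f"NAT source list {n}: access list not defined")
    for name in sorted(ids(r"ip nat inside source .* interface (\S+).*", glob) - ids(r"interface (\S+)", glob)):
        findings.append(f"NAT overload interface {name}: not configured")
    for side in ("inside", "outside"):
        if f"ip nat {side}" not in sub:
            findings.append(f"no interface is marked ip nat {side}")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE) or "cross-references are consistent")
```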