Configuring PPP over Ethernet with NAT

This chapter provides an overview of Point-to-Point Protocol over Ethernet (PPPoE) clients and network address translation (NAT) that can be configured on the Cisco 819, Cisco 860, Cisco 880, and Cisco 890 series Integrated Services Routers (ISRs).

Overview

Multiple PCs can be connected to the LAN behind the router. Before the traffic from these PCs is sent to the PPPoE session, it can be encrypted, filtered, and so forth. Figure 15 shows a typical deployment scenario with a PPPoE client and NAT configured on the Cisco router.

Figure 1. PPP over Ethernet with NAT

1. Multiple networked devices: desktops, laptop PCs, switches
2. Fast Ethernet LAN interface (inside interface for NAT)
3. PPPoE client: Cisco 860, Cisco 880, or Cisco 890 ISRs
4. Point at which NAT occurs
5. Fast Ethernet WAN interface (outside interface for NAT)
6. Cable modem or other server that is connected to the Internet
7. PPPoE session between the client and a PPPoE server

PPPoE

The PPPoE client feature on the router provides PPPoE client support on Ethernet interfaces. A dialer interface must be used for cloning virtual access. Multiple PPPoE client sessions can be configured on an Ethernet interface, but each session must use a separate dialer interface and a separate dialer pool.

A PPPoE session is initiated on the client side by the Cisco 819, Cisco 860, or Cisco 880 ISRs. An established PPPoE client session can be terminated in one of two ways:

  • By entering the clear vpdn tunnel pppoe command. The PPPoE client session is terminated, and the PPPoE client immediately tries to reestablish the session. This also occurs if the session times out.
  • By entering the no pppoe-client dial-pool-number number command to clear the session. The PPPoE client does not attempt to reestablish the session.

NAT

NAT (represented as the dashed line at the edge of the Cisco router) signifies two addressing domains and the inside source address. The source list defines how the packet travels through the network.

Configuration Tasks

Perform the following tasks to configure this network scenario:

An example showing the results of these configuration tasks is shown in the Configuration Example.

Configure the Virtual Private Dialup Network Group Number

Configuring a virtual private dialup network (VPDN) enables multiple clients to communicate through the router by way of a single IP address.

To configure a VPDN, perform the following steps, starting in global configuration mode:

SUMMARY STEPS

1. vpdn enable
2. vpdn-group name
3. request-dialin
4. protocol {l2tp | pppoe}
5. exit
6. exit

DETAILED STEPS

Step 1. vpdn enable
  Example: Router(config)# vpdn enable
  Purpose: Enables VPDN on the router.

Step 2. vpdn-group name
  Example: Router(config)# vpdn-group 1
  Purpose: Creates and associates a VPDN group with a customer or VPDN profile.

Step 3. request-dialin
  Example: Router(config-vpdn)# request-dialin
  Purpose: Creates a request-dialin VPDN subgroup, indicating the dialing direction, and initiates the tunnel.

Step 4. protocol {l2tp | pppoe}
  Example: Router(config-vpdn-req-in)# protocol pppoe
  Purpose: Specifies the type of sessions the VPDN subgroup can establish.

Step 5. exit
  Example: Router(config-vpdn-req-in)# exit
  Purpose: Exits request-dialin VPDN group configuration mode.

Step 6. exit
  Example: Router(config-vpdn)# exit
  Purpose: Exits VPDN configuration mode and returns to global configuration mode.

Configure Ethernet WAN Interfaces

In this scenario, the PPPoE client (your Cisco router) communicates over a 10/100 Mbps-Ethernet interface on both the inside and the outside.

To configure the Fast Ethernet WAN interfaces, perform these steps, starting in global configuration mode:

SUMMARY STEPS

1. interface type number
2. pppoe-client dial-pool-number number
3. no shutdown
4. exit

DETAILED STEPS

Step 1. interface type number
  Example: Router(config)# interface fastethernet 4
  or
  Example: Router(config)# interface gigabitethernet 4
  Purpose: Enters interface configuration mode for the WAN interface.

Step 2. pppoe-client dial-pool-number number
  Example: Router(config-if)# pppoe-client dial-pool-number 1
  Purpose: Configures the PPPoE client and specifies the dialer interface to use for cloning.

Step 3. no shutdown
  Example: Router(config-if)# no shutdown
  Purpose: Enables the Fast Ethernet interface and the configuration changes just made to it.

Step 4. exit
  Example: Router(config-if)# exit
  Purpose: Exits configuration mode for the Fast Ethernet interface and returns to global configuration mode.

What to Do Next

Ethernet Operations, Administration, and Maintenance

Ethernet Operations, Administration, and Maintenance (OAM) is a protocol for installing, monitoring, and troubleshooting Ethernet metropolitan-area networks (MANs) and Ethernet WANs. It relies on a new, optional sublayer in the data link layer of the Open Systems Interconnection (OSI) model. The OAM features covered by this protocol are Discovery, Link Monitoring, Remote Fault Detection, Remote Loopback, and Cisco Proprietary Extensions.

For setup and configuration information about Ethernet OAM, see Using Ethernet Operations, Administration, and Maintenance in the Carrier Ethernet Configuration Guide.

Configure the Dialer Interface

The dialer interface indicates how to handle traffic from the clients, including, for example, default routing information, the encapsulation protocol, and the dialer pool to use. The dialer interface is also used for cloning virtual access. Multiple PPPoE client sessions can be configured on a Fast Ethernet interface, but each session must use a separate dialer interface and a separate dialer pool.

To configure a dialer interface for one of the Fast Ethernet LAN interfaces on the router, complete the following steps, starting in global configuration mode:

SUMMARY STEPS

1. interface dialer dialer-rotary-group-number
2. ip address negotiated
3. ip mtu bytes
4. encapsulation encapsulation-type
5. ppp authentication {protocol1 [protocol2...]}
6. dialer pool number
7. dialer-group group-number
8. exit
9. dialer-list dialer-group protocol protocol-name {permit | deny | list access-list-number | access-group}
10. ip route prefix mask {interface-type interface-number}

DETAILED STEPS

Step 1. interface dialer dialer-rotary-group-number
  Example: Router(config)# interface dialer 0
  Purpose: Creates a dialer interface and enters interface configuration mode.
  • Range is from 0 to 255.

Step 2. ip address negotiated
  Example: Router(config-if)# ip address negotiated
  Purpose: Specifies that the IP address for the interface is obtained through PPP/IPCP (IP Control Protocol) address negotiation.

Step 3. ip mtu bytes
  Example: Router(config-if)# ip mtu 1492
  Purpose: Sets the size of the IP maximum transmission unit (MTU).
  • The default minimum is 128 bytes. The maximum for Ethernet is 1492 bytes.

Step 4. encapsulation encapsulation-type
  Example: Router(config-if)# encapsulation ppp
  Purpose: Sets the encapsulation type to PPP for the data packets being transmitted and received.

Step 5. ppp authentication {protocol1 [protocol2...]}
  Example: Router(config-if)# ppp authentication chap
  Purpose: Sets the PPP authentication method to Challenge Handshake Authentication Protocol (CHAP).
  For details about this command and additional parameters that can be set, see Cisco IOS Security Command Reference.

Step 6. dialer pool number
  Example: Router(config-if)# dialer pool 1
  Purpose: Specifies the dialer pool that is used to connect to a specific destination subnetwork.

Step 7. dialer-group group-number
  Example: Router(config-if)# dialer-group 1
  Purpose: Assigns the dialer interface to a dialer group.
  • Range is from 1 to 10.
  Tip: Using a dialer group controls access to your router.

Step 8. exit
  Example: Router(config-if)# exit
  Purpose: Exits the dialer 0 interface configuration mode and returns to global configuration mode.

Step 9. dialer-list dialer-group protocol protocol-name {permit | deny | list access-list-number | access-group}
  Example: Router(config)# dialer-list 1 protocol ip permit
  Purpose: Creates a dialer list and associates a dial group with it. Packets are then forwarded through the specified interface dialer group.
  For details about this command and additional parameters that can be set, see Cisco IOS Dial Technologies Command Reference.

Step 10. ip route prefix mask {interface-type interface-number}
  Example: Router(config)# ip route 10.10.25.2 255.255.255.255 dialer 0
  Purpose: Sets the IP route for the default gateway for the dialer 0 interface.

Configure Network Address Translation

Network Address Translation (NAT) translates packets from addresses that match a standard access list, using global addresses allocated by the dialer interface. Packets that enter the router through the inside interface, packets sourced from the router, or both are checked against the access list for possible address translation. You can configure NAT for either static or dynamic address translations.

To configure the outside Fast Ethernet WAN interface with dynamic NAT, perform these steps, beginning in global configuration mode:

SUMMARY STEPS

1. ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
2. Do one of the following:
  • ip nat inside source {list access-list-number} {interface type number | pool name} [overload]
  • Router(config)# ip nat inside source list 1 interface dialer 0 overload
  • Router(config)# ip nat inside source list acl1 pool pool1
3. interface type number
4. ip nat {inside | outside}
5. no shutdown
6. exit
7. interface type number
8. ip nat {inside | outside}
9. no shutdown
10. exit
11. access-list access-list-number {deny | permit} source [source-wildcard]

DETAILED STEPS

Step 1. ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
  Example: Router(config)# ip nat pool pool1 192.168.1.0 192.168.2.0 netmask 255.255.252.0
  Purpose: Creates a pool of global IP addresses for NAT.

Step 2. Do one of the following:
  • ip nat inside source {list access-list-number} {interface type number | pool name} [overload]
  • Router(config)# ip nat inside source list 1 interface dialer 0 overload
  • Router(config)# ip nat inside source list acl1 pool pool1
  Purpose: Enables dynamic translation of addresses on the inside interface.
  The first example shows the addresses permitted by access list 1 to be translated to one of the addresses specified in dialer interface 0.
  The second example shows the addresses permitted by access list acl1 to be translated to one of the addresses specified in the NAT pool pool1.

Step 3. interface type number
  Example: Router(config)# interface vlan 1
  Purpose: Enters configuration mode for the VLAN (on which the Fast Ethernet LAN interfaces [FE0–FE3] reside) to be the inside interface for NAT.

Step 4. ip nat {inside | outside}
  Example: Router(config-if)# ip nat inside
  Purpose: Identifies the specified VLAN interface as the NAT inside interface.

Step 5. no shutdown
  Example: Router(config-if)# no shutdown
  Purpose: Enables the configuration changes just made to the Ethernet interface.

Step 6. exit
  Example: Router(config-if)# exit
  Purpose: Exits configuration mode for the Fast Ethernet interface and returns to global configuration mode.

Step 7. interface type number
  Example: Router(config)# interface fastethernet 4
  Purpose: Enters configuration mode for the Fast Ethernet WAN interface (FE4) to be the outside interface for NAT.

Step 8. ip nat {inside | outside}
  Example: Router(config-if)# ip nat outside
  Purpose: Identifies the specified WAN interface as the NAT outside interface.

Step 9. no shutdown
  Example: Router(config-if)# no shutdown
  Purpose: Enables the configuration changes just made to the Ethernet interface.

Step 10. exit
  Example: Router(config-if)# exit
  Purpose: Exits configuration mode for the Fast Ethernet interface and returns to global configuration mode.

Step 11. access-list access-list-number {deny | permit} source [source-wildcard]
  Example: Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
  Purpose: Defines a standard access list indicating which addresses need translation. The second address is a wildcard mask in which 0 bits must match, so 0.0.0.255 selects the 192.168.1.0/24 inside network.
  Note: All other addresses are implicitly denied.

What to Do Next

Note: To use NAT with a virtual-template interface, you must configure a loopback interface. See Chapter 3, “Basic Router Configuration,” for information on configuring a loopback interface.

For complete information on the NAT commands, see the Cisco NX-OS Release 4.1 documentation set. For more general information on NAT concepts, see Appendix A, “Cisco IOS Software Basic Skills”.

Configuration Example

The following configuration example shows a portion of the configuration file for the PPPoE scenario described in this chapter.

The VLAN interface has an IP address of 192.168.1.1 with a subnet mask of 255.255.255.0. NAT is configured for inside and outside.

Note: Commands marked by “(default)” are generated automatically when you run the show running-config command.

vpdn enable
vpdn-group 1
 request-dialin
  protocol pppoe
!
interface vlan 1
 ip address 192.168.1.1 255.255.255.0
 no ip directed-broadcast (default)
 ip nat inside
interface FastEthernet 4
 no ip address
 no ip directed-broadcast (default)
 ip nat outside
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no shutdown
!
interface dialer 0
 ip address negotiated
 ip mtu 1492
 encapsulation ppp
 ppp authentication chap
 dialer pool 1
 dialer-group 1
!
dialer-list 1 protocol ip permit
ip nat inside source list 1 interface dialer 0 overload
ip classless (default)
ip route 10.10.25.2 255.255.255.255 dialer 0
ip nat pool pool1 192.168.1.0 192.168.2.0 netmask 255.255.252.0
ip nat inside source list acl1 pool pool1
!

Verifying Your Configuration

Use the show ip nat statistics command in privileged EXEC mode to verify the PPPoE with NAT configuration. You should see verification output similar to the following example:

Router# show ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
  FastEthernet4
Inside interfaces:
  Vlan1
Hits: 0  Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 interface Dialer0 refcount 0
Queued Packets: 0
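
The offline check below is an added example, not part of the original chapter and not Cisco tooling. It audits a saved configuration for three cross-references this chapter's steps depend on: a dialer pool for every pppoe-client pool, a defined access list for every NAT source list, and a wildcard (not subnet) mask on numbered standard access lists. The sample configuration and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample built from this chapter's commands; not a real device config.
SAMPLE_CONFIG = """\
interface FastEthernet 4
 pppoe-client dial-pool-number 1
interface FastEthernet 3
 pppoe-client dial-pool-number 2
interface dialer 0
 dialer pool 1
ip nat inside source list 1 interface dialer 0 overload
ip nat inside source list acl1 pool pool1
access-list 1 permit 192.168.1.0 255.255.255.0
"""

def looks_like_netmask(mask):
    """True for a contiguous subnet mask such as 255.255.255.0 (not a wildcard)."""
    value = int(ipaddress.IPv4Address(mask))
    inverted = value ^ 0xFFFFFFFF
    # 0.0.0.0 (host) and 255.255.255.255 (any) are valid wildcards, so skip them.
    return value not in (0, 0xFFFFFFFF) and (inverted & (inverted + 1)) == 0

def audit(config):
    """Return findings for the cross-references the configuration steps rely on."""
    findings = []
    # Each pppoe-client pool needs a dialer interface bound to the same pool.
    dialer_pools = set(re.findall(r"^ *dialer pool (\d+)", config, re.M))
    for pool in re.findall(r"^ *pppoe-client dial-pool-number (\d+)", config, re.M):
        if pool not in dialer_pools:
            findings.append(f"dial-pool-number {pool}: no 'dialer pool {pool}' found")
    # Every access list named by a NAT rule must be defined somewhere.
    defined = set(re.findall(r"^access-list (\S+) ", config, re.M))
    defined |= set(re.findall(r"^ip access-list \S+ (\S+)", config, re.M))
    for acl in re.findall(r"^ip nat inside source list (\S+)", config, re.M):
        if acl not in defined:
            findings.append(f"NAT source list {acl}: access list not defined")
    # Numbered standard ACLs (1-99) take a wildcard mask, not a subnet mask.
    pattern = r"^access-list (\d{1,2}) (?:permit|deny) \S+ (\d+\.\d+\.\d+\.\d+)"
    for number, mask in re.findall(pattern, config, re.M):
        if looks_like_netmask(mask):
            wildcard = ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF)
            findings.append(f"access-list {number}: {mask} is a subnet mask, use {wildcard}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

An empty result means only that these three references are consistent; translation itself is still confirmed on the router with show ip nat statistics.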