Configuring PPP over Ethernet with NAT
This chapter provides an overview of Point-to-Point Protocol over
Ethernet (PPPoE) clients and network address translation (NAT) that can be
configured on the Cisco 819, Cisco 860, Cisco 880, and Cisco 890 series
Integrated Services Routers (ISRs).
Overview
Multiple PCs can be
connected to the LAN behind the router. Before the traffic from these PCs is
sent to the PPPoE session, it can be encrypted, filtered, and so forth.
Figure 15 shows a typical deployment
scenario with a PPPoE client and NAT configured on the Cisco router.
Figure 1. PPP over Ethernet with NAT

| Callout | Description |
|---|---|
| 1 | Multiple networked devices—Desktops, laptop PCs, switches |
| 2 | Fast Ethernet LAN interface (inside interface for NAT) |
| 3 | PPPoE client—Cisco 860, Cisco 880, or Cisco 890 ISRs |
| 4 | Point at which NAT occurs |
| 5 | Fast Ethernet WAN interface (outside interface for NAT) |
| 6 | Cable modem or other server that is connected to the Internet |
| 7 | PPPoE session between the client and a PPPoE server |

PPPoE
The PPPoE client feature on the router provides PPPoE client support on
Ethernet interfaces. A dialer interface must be used for cloning virtual
access. Multiple PPPoE client sessions can be configured on an Ethernet
interface, but each session must use a separate dialer interface and a separate
dialer pool.
A PPPoE session is initiated on the client side by the Cisco 819, Cisco
860, or Cisco 880 ISRs. An established PPPoE client session can be terminated
in one of two ways:
- By entering the clear vpdn tunnel pppoe command. The PPPoE client
session is terminated, and the PPPoE client immediately tries to reestablish
the session. This also occurs if the session has a timeout.
- By entering the no pppoe-client dial-pool number command to clear the session. The PPPoE client does not attempt to reestablish the session.
NAT
NAT (represented as the dashed line at the edge of the Cisco router)
signifies two addressing domains and the inside source address. The source list
defines how the packet travels through the network.
Configuration Tasks
Perform the following tasks to configure this network scenario:
An example showing the results of these configuration tasks is shown in the Configuration Example.
Configure the Virtual Private Dialup Network Group Number
Configuring a virtual private dialup network (VPDN) enables multiple
clients to communicate through the router by way of a single IP address.
To configure a VPDN, perform the following steps, starting in global
configuration mode:
SUMMARY STEPS

1. vpdn enable
2. vpdn-group name
3. request-dialin
4. protocol {l2tp | pppoe}
5. exit
6. exit

DETAILED STEPS

| Step | Command or Action | Example | Purpose |
|---|---|---|---|
| Step 1 | vpdn enable | Router(config)# vpdn enable | Enables VPDN on the router. |
| Step 2 | vpdn-group name | Router(config)# vpdn-group 1 | Creates and associates a VPDN group with a customer or VPDN profile. |
| Step 3 | request-dialin | Router(config-vpdn)# request-dialin | Creates a request-dialin VPDN subgroup, indicating the dialing direction, and initiates the tunnel. |
| Step 4 | protocol {l2tp \| pppoe} | Router(config-vpdn-req-in)# protocol pppoe | Specifies the type of sessions the VPDN subgroup can establish. |
| Step 5 | exit | Router(config-vpdn-req-in)# exit | Exits request-dialin VPDN group configuration mode. |
| Step 6 | exit | Router(config-vpdn)# exit | Exits VPDN configuration mode and returns to global configuration mode. |

Configure Ethernet WAN Interfaces
In this scenario,
the PPPoE client (your Cisco router) communicates over a 10/100
Mbps-Ethernet interface on both the inside and the outside.
To configure the
Fast Ethernet WAN interfaces, perform these steps, starting in global
configuration mode:
SUMMARY STEPS

1. interface type number
2. pppoe-client dial-pool-number number
3. no shutdown
4. exit

DETAILED STEPS

| Step | Command or Action | Example | Purpose |
|---|---|---|---|
| Step 1 | interface type number | Router(config)# interface fastethernet 4 or Router(config)# interface gigabitethernet 4 | Enters interface configuration mode for WAN interface. |
| Step 2 | pppoe-client dial-pool-number number | Router(config-if)# pppoe-client dial-pool-number 1 | Configures the PPPoE client and specifies the dialer interface to use for cloning. |
| Step 3 | no shutdown | Router(config-if)# no shutdown | Enables the Fast Ethernet interface and the configuration changes just made to it. |
| Step 4 | exit | Router(config-if)# exit | Exits configuration mode for the Fast Ethernet interface and returns to global configuration mode. |

What to Do Next
Ethernet Operations, Administration, and Maintenance
Ethernet Operations, Administration, and Maintenance (OAM) is a protocol for installing,
monitoring, and troubleshooting Ethernet metropolitan-area networks (MANs) and
Ethernet WANs. It relies on a new, optional sublayer in the data link layer of
the Open Systems Interconnection (OSI) model. The OAM features covered by this
protocol are Discovery, Link Monitoring, Remote Fault Detection, Remote
Loopback, and Cisco Proprietary Extensions.
For setup and configuration information about Ethernet OAM, see Using Ethernet Operations, Administration, and Maintenance at: Carrier Ethernet Configuration Guide.
Configure the Dialer Interface
The dialer
interface indicates how to handle traffic from the clients, including, for
example, default routing information, the encapsulation protocol, and the
dialer pool to use. The dialer interface is also used for cloning virtual
access. Multiple PPPoE client sessions can be configured on a Fast Ethernet
interface, but each session must use a separate dialer interface and a separate
dialer pool.
To configure a
dialer interface for one of the Fast Ethernet LAN interfaces on the router,
complete the following steps, starting in global configuration mode:
SUMMARY STEPS

1. interface dialer dialer-rotary-group-number
2. ip address negotiated
3. ip mtu bytes
4. encapsulation encapsulation-type
5. ppp authentication {protocol1 [protocol2...]}
6. dialer pool number
7. dialer-group group-number
8. exit
9. dialer-list dialer-group protocol protocol-name {permit | deny | list access-list-number | access-group}
10. ip route prefix mask {interface-type interface-number}

DETAILED STEPS

| Step | Command or Action | Example | Purpose |
|---|---|---|---|
| Step 1 | interface dialer dialer-rotary-group-number | Router(config)# interface dialer 0 | Creates a dialer interface and enters interface configuration mode. |
| Step 2 | ip address negotiated | Router(config-if)# ip address negotiated | Specifies that the IP address for the interface is obtained through PPP/IPCP (IP Control Protocol) address negotiation. |
| Step 3 | ip mtu bytes | Router(config-if)# ip mtu 1492 | Sets the size of the IP maximum transmission unit (MTU). The default minimum is 128 bytes. The maximum for Ethernet is 1492 bytes. |
| Step 4 | encapsulation encapsulation-type | Router(config-if)# encapsulation ppp | Sets the encapsulation type to PPP for the data packets being transmitted and received. |
| Step 5 | ppp authentication {protocol1 [protocol2...]} | Router(config-if)# ppp authentication chap | Sets the PPP authentication method to Challenge Handshake Authentication Protocol (CHAP). For details about this command and additional parameters that can be set, see Cisco IOS Security Command Reference. |
| Step 6 | dialer pool number | Router(config-if)# dialer pool 1 | Specifies the dialer pool that is used to connect to a specific destination subnetwork. |
| Step 7 | dialer-group group-number | Router(config-if)# dialer-group 1 | Assigns the dialer interface to a dialer group. Tip: Using a dialer group controls access to your router. |
| Step 8 | exit | Router(config-if)# exit | Exits the dialer 0 interface configuration mode and returns to global configuration mode. |
| Step 9 | dialer-list dialer-group protocol protocol-name {permit \| deny \| list access-list-number \| access-group} | Router(config)# dialer-list 1 protocol ip permit | Creates a dialer list and associates a dial group with it. Packets are then forwarded through the specified interface dialer group. For details about this command and additional parameters that can be set, see Cisco IOS Dial Technologies Command Reference. |
| Step 10 | ip route prefix mask {interface-type interface-number} | Router(config)# ip route 10.10.25.2 255.255.255.255 dialer 0 | Sets the IP route for the default gateway for the dialer 0 interface. |

Configure Network Address Translation
Network Address
Translation (NAT) translates packets from addresses that match a standard
access list, using global addresses allocated by the dialer interface. Packets
that enter the router through the inside interface, packets sourced from the
router, or both are checked against the access list for possible address
translation. You can configure NAT for either static or dynamic address
translations.
To configure the
outside Fast Ethernet WAN interface with dynamic NAT, perform these steps,
beginning in global configuration mode:
SUMMARY STEPS

1. ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
2. Do one of the following:
3. interface type number
4. ip nat {inside | outside}
5. no shutdown
6. exit
7. interface type number
8. ip nat {inside | outside}
9. no shutdown
10. exit
11. access-list access-list-number {deny | permit} source [source-wildcard]

DETAILED STEPS

| Step | Command or Action | Example | Purpose |
|---|---|---|---|
| Step 1 | ip nat pool name start-ip end-ip {netmask netmask \| prefix-length prefix-length} | Router(config)# ip nat pool pool1 192.168.1.0 192.168.2.0 netmask 255.255.252.0 | Creates pool of global IP addresses for NAT. |
| Step 2 | Do one of the following: | | Enables dynamic translation of addresses on the inside interface. The first example shows the addresses permitted by the access list 1 to be translated to one of the addresses specified in the dialer interface 0. The second example shows the addresses permitted by access list acl1 to be translated to one of the addresses specified in the NAT pool pool1. |
| Step 3 | interface type number | Router(config)# interface vlan 1 | Enters configuration mode for the VLAN (on which the Fast Ethernet LAN interfaces [FE0–FE3] reside) to be the inside interface for NAT. |
| Step 4 | ip nat {inside \| outside} | Router(config-if)# ip nat inside | Identifies the specified VLAN interface as the NAT inside interface. |
| Step 5 | no shutdown | Router(config-if)# no shutdown | Enables the configuration changes just made to the Ethernet interface. |
| Step 6 | exit | Router(config-if)# exit | Exits configuration mode for the Fast Ethernet interface and returns to global configuration mode. |
| Step 7 | interface type number | Router(config)# interface fastethernet 4 | Enters configuration mode for the Fast Ethernet WAN interface (FE4) to be the outside interface for NAT. |
| Step 8 | ip nat {inside \| outside} | Router(config-if)# ip nat outside | Identifies the specified WAN interface as the NAT outside interface. |
| Step 9 | no shutdown | Router(config-if)# no shutdown | Enables the configuration changes just made to the Ethernet interface. |
| Step 10 | exit | Router(config-if)# exit | Exits configuration mode for the Fast Ethernet interface and returns to global configuration mode. |
| Step 11 | access-list access-list-number {deny \| permit} source [source-wildcard] | Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255 | Defines a standard access list indicating which addresses need translation. Note: All other addresses are implicitly denied. |

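The access list in Step 11 decides which inside addresses are translated, and every address it does not match falls to the implicit deny. The following Python sketch is an added example, not Cisco code: it evaluates constructed standard-ACL entries the way a source wildcard is applied (bits set to 1 are ignored) and flags a wildcard that is shaped like a subnet mask. The function names and sample addresses are assumptions.

```python
import ipaddress

def _u32(dotted):
    return int(ipaddress.IPv4Address(dotted))

def acl_matches(source, wildcard, addr):
    """Standard-ACL comparison: wildcard bits set to 1 are ignored, 0 bits must match."""
    care = ~_u32(wildcard) & 0xFFFFFFFF
    return (_u32(source) & care) == (_u32(addr) & care)

def looks_like_netmask(wildcard):
    """True for contiguous leading 1 bits (255.255.255.0), the inverse of a wildcard."""
    inv = ~_u32(wildcard) & 0xFFFFFFFF
    return 0 < inv < 0xFFFFFFFF and (inv & (inv + 1)) == 0

def parse_entries(config, acl_id):
    """Yield (action, source, wildcard) for 'access-list N {deny|permit} source [wildcard]'."""
    for line in config.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "access-list" and parts[1] == acl_id:
            yield parts[2], parts[3], parts[4] if len(parts) > 4 else "0.0.0.0"

def translated(config, acl_id, addr):
    """First matching entry wins; an address that matches nothing is implicitly denied."""
    for action, source, wildcard in parse_entries(config, acl_id):
        if acl_matches(source, wildcard, addr):
            return action == "permit"
    return False

def suspicious(config, acl_id):
    """Entries whose wildcard is shaped like a subnet mask."""
    return [(s, w) for _, s, w in parse_entries(config, acl_id) if looks_like_netmask(w)]

# Constructed sample entries (not taken from a real device).
INTENDED = "access-list 1 permit 192.168.1.0 0.0.0.255"
MASK_TYPED = "access-list 1 permit 192.168.1.0 255.255.255.0"

if __name__ == "__main__":
    hosts = ("192.168.1.10", "192.168.2.10", "10.9.8.0")
    for name, cfg in (("intended", INTENDED), ("mask typed as wildcard", MASK_TYPED)):
        hits = [a for a in hosts if translated(cfg, "1", a)]
        print(name, "-> translated:", hits, "suspicious:", suspicious(cfg, "1"))
```

With the mask typed in place of the wildcard, the LAN host 192.168.1.10 is no longer translated, while any source address ending in .0 is.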
What to Do Next
For complete information on the NAT commands, see the Cisco NX-OS Release 4.1 documentation set. For more general information on NAT concepts, see Appendix A, “Cisco IOS Software Basic Skills”.
Configuration Example
The following configuration example shows a portion of the
configuration file for the PPPoE scenario described in this chapter.
The VLAN interface has an IP address of 192.168.1.1 with a subnet mask
of 255.255.255.0. NAT is configured for inside and outside
Note: Commands marked by “(default)” are generated automatically when you run the show running-config command.
vpdn enable
vpdn-group 1
 request-dialin
  protocol pppoe
!
interface vlan 1
 ip address 192.168.1.1 255.255.255.0
 no ip directed-broadcast (default)
 ip nat inside
interface FastEthernet 4
 no ip address
 no ip directed-broadcast (default)
 ip nat outside
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no sh
!
interface dialer 0
 ip address negotiated
 ip mtu 1492
 encapsulation ppp
 ppp authentication chap
 dialer pool 1
 dialer-group 1
!
dialer-list 1 protocol ip permit
ip nat inside source list 1 interface dialer 0 overload
ip classless (default)
ip route 10.10.25.2 255.255.255.255 dialer 0
ip nat pool pool1 192.168.1.0 192.168.2.0 netmask 255.255.252.0
ip nat inside source list acl1 pool pool1
!
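The dialer pool, dialer group and NAT source list in this configuration are tied together only by matching numbers and names, so a single mismatch leaves the PPPoE session or the translation rule unbound. The following Python sketch is an added example, not part of the Cisco documentation: it cross-checks those references in a constructed configuration excerpt. The function name, finding texts and sample values are assumptions.

```python
import re

def audit(config):
    """Return findings for PPPoE, dialer and NAT cross-references that do not resolve."""
    iface, client_pools, dialer_pools = None, set(), {}
    groups, lists, nat_acls, acls, sides = set(), set(), set(), set(), set()
    for raw in config.splitlines():
        line = raw.strip().lower()
        if m := re.match(r"interface (.+)", line):
            iface = m.group(1).replace(" ", "")
        elif m := re.match(r"pppoe-client dial-pool-number (\d+)", line):
            client_pools.add(m.group(1))
        elif m := re.match(r"dialer pool (\d+)", line):
            dialer_pools.setdefault(m.group(1), []).append(iface)
        elif m := re.match(r"dialer-group (\d+)", line):
            groups.add(m.group(1))
        elif m := re.match(r"dialer-list (\d+) ", line):
            lists.add(m.group(1))
        elif m := re.match(r"ip nat (inside|outside)$", line):
            sides.add(m.group(1))
        elif m := re.match(r"ip nat inside source list (\S+) ", line):
            nat_acls.add(m.group(1))
        elif m := re.match(r"(?:ip access-list standard|access-list) (\S+)", line):
            acls.add(m.group(1))
    out = [f"pppoe-client pool {p} has no dialer interface"
           for p in sorted(client_pools - set(dialer_pools))]
    # Each PPPoE session needs its own dialer interface and its own dialer pool.
    out += [f"dialer pool {p} is shared by {' and '.join(i)}"
            for p, i in sorted(dialer_pools.items()) if len(i) > 1]
    out += [f"dialer-group {g} has no dialer-list" for g in sorted(groups - lists)]
    out += [f"NAT source list {a} is not defined" for a in sorted(nat_acls - acls)]
    out += [f"no interface is marked ip nat {s}" for s in ("inside", "outside") if s not in sides]
    return out

# Constructed excerpt with two deliberate faults: pool 2 vs. pool 1, and no access-list 1.
SAMPLE = """interface vlan 1
 ip nat inside
interface FastEthernet 4
 ip nat outside
 pppoe-client dial-pool-number 2
interface dialer 0
 dialer pool 1
 dialer-group 1
dialer-list 1 protocol ip permit
ip nat inside source list 1 interface dialer 0 overload
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```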
Verifying Your Configuration
Use the show ip nat statistics command in privileged EXEC mode to
verify the PPPoE with NAT configuration. You should see verification output
similar to the following example:
Router# show ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
FastEthernet4
Inside interfaces:
Vlan1
Hits: 0 Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 interface Dialer0 refcount 0
Queued Packets: 0