Configuring PPP over Ethernet with NAT
This chapter provides an overview of Point-to-Point Protocol over Ethernet (PPPoE) clients and network address translation (NAT) that can be configured on the Cisco 900 series Integrated Services Routers (ISRs).
Multiple PCs can be connected to the LAN behind the router. Before the traffic from these PCs is sent to the PPPoE session, it can be encrypted, filtered, and so forth. Figure 5-1 shows a typical deployment scenario with a PPPoE client and NAT configured on the Cisco router.
Figure 5-1 PPP over Ethernet with NAT
- Multiple networked devices—Desktops, laptop PCs, switches
- Fast Ethernet LAN interface (inside interface for NAT)
- PPPoE client—Cisco 900 ISRs
- Point at which NAT occurs
- Fast Ethernet WAN interface (outside interface for NAT)
- Cable modem or other server that is connected to the Internet
- PPPoE session between the client and a PPPoE server
PPPoE
The PPPoE client feature on the router provides PPPoE client support on Ethernet interfaces. A dialer interface must be used for cloning virtual access. Multiple PPPoE client sessions can be configured on an Ethernet interface, but each session must use a separate dialer interface and a separate dialer pool.
A PPPoE session is initiated on the client side by the Cisco 860 or Cisco 880 ISRs. An established PPPoE client session can be terminated in one of two ways:
- By entering the clear vpdn tunnel pppoe command. The PPPoE client session is terminated, and the PPPoE client immediately tries to reestablish the session. This also occurs if the session has a timeout.
- By entering the no pppoe-client dial-pool number command to clear the session. The PPPoE client does not attempt to reestablish the session.
NAT
NAT (represented as the dashed line at the edge of the Cisco router) signifies two addressing domains and the inside source address. The source list defines how the packet travels through the network.
Configuration Tasks
Perform the following tasks to configure this network scenario:
An example showing the results of these configuration tasks is shown in the “Configuration Example” section.
Configuring the Virtual Private Dialup Network Group Number
Configuring a virtual private dialup network (VPDN) enables multiple clients to communicate through the router by way of a single IP address.
This example shows how to configure a VPDN:
Router(config)# vpdn enable
Router(config)# vpdn-group 1
Router(config-vpdn)# request-dialin
Router(config-vpdn-req-in)# protocol pppoe
Router(config-vpdn-req-in)# exit
Router(config-vpdn)# exit
Configuring Ethernet WAN Interfaces
In this scenario, the PPPoE client (your Cisco router) communicates over a 10/100/1000 Mbps-Ethernet interface on both the inside and the outside.
This example shows how to configure the Fast Ethernet WAN interfaces:
Router(config)# interface gigabitethernet 4
Router(config-if)# pppoe-client dial-pool-number 1
Router(config-if)# no shutdown
Router(config-if)# exit
Ethernet Operations, Administration, and Maintenance
Ethernet Operations, Administration, and Maintenance (OAM) is a protocol for installing, monitoring, and troubleshooting Ethernet metropolitan-area networks (MANs) and Ethernet WANs. It relies on a new, optional sublayer in the data link layer of the Open Systems Interconnection (OSI) model. The OAM features covered by this protocol are Discovery, Link Monitoring, Remote Fault Detection, Remote Loopback, and Cisco Proprietary Extensions.
For setup and configuration information about Ethernet OAM, see Using Ethernet Operations, Administration, and Maintenance at:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/cether/configuration/15-mt/ce-15-mt-book/ce-oam.html
Configuring the Dialer Interface
The dialer interface indicates how to handle traffic from the clients, including, for example, default routing information, the encapsulation protocol, and the dialer pool to use. The dialer interface is also used for cloning virtual access. Multiple PPPoE client sessions can be configured on a Fast Ethernet interface, but each session must use a separate dialer interface and a separate dialer pool.
This example shows how to configure a dialer interface for one of the Gigabit Ethernet LAN interfaces on the router:
Router(config)# interface dialer 0
Router(config-if)# ip address negotiated
Router(config-if)# ip mtu 1492
Router(config-if)# encapsulation ppp
Router(config-if)# ppp authentication chap
Router(config-if)# dialer pool 1
Router(config-if)# dialer-group 1
Router(config)# dialer-list 1 protocol ip permit
Router(config)# ip route 10.10.25.2 255.255.255.255 dialer 0
Configuring Network Address Translation
Network Address Translation (NAT) translates packets from addresses that match a standard access list, using global addresses allocated by the dialer interface. Packets that enter the router through the inside interface, packets sourced from the router, or both are checked against the access list for possible address translation. You can configure NAT for either static or dynamic address translations.
This example shows how to configure the outside Gigabit Ethernet WAN interface with dynamic NAT:
Router(config)# ip nat pool pool1 192.168.1.0 192.168.2.0 netmask 255.255.252.0
Router(config)# ip nat inside source list 1 interface dialer 0 overload
Router(config)# interface vlan 1
Router(config-if)# ip nat inside
Router(config-if)# no shutdown
Router(config)# interface gigabitethernet1
Router(config-if)# ip nat outside
Router(config-if)# no shutdown
Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
Note
To use NAT with a virtual-template interface, you must configure a loopback interface. See “Basic Router Configuration,” for information on configuring a loopback interface.
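NAT only translates sources that the standard access list permits, and a standard access list compares the source against a base address using a wildcard (inverse) mask rather than a subnet mask. The following Python sketch is an added example, not part of the Cisco documentation; the function names and the host list are constructed for illustration. It shows which inside hosts a given `access-list` line would select and flags a mask that looks like a subnet mask.

```python
import ipaddress

def _u32(addr):
    return int(ipaddress.IPv4Address(addr))

def acl_permits(src, base, wildcard):
    """Standard-ACL match: wildcard bits set to 1 are ignored, 0 bits must equal base."""
    care = ~_u32(wildcard) & 0xFFFFFFFF
    return (_u32(src) & care) == (_u32(base) & care)

def looks_like_netmask(mask):
    """True for contiguous leading ones (e.g. 255.255.255.0): a subnet mask,
    not the inverse mask a standard ACL expects."""
    m = _u32(mask)
    inverted = ~m & 0xFFFFFFFF
    return m not in (0, 0xFFFFFFFF) and (inverted & (inverted + 1)) == 0

def nat_sources(hosts, acl_line):
    """Return (hosts the ACL selects for translation, warning or None)."""
    parts = acl_line.split()          # access-list <n> permit <base> <mask>
    base, mask = parts[3], parts[4]
    warning = None
    if looks_like_netmask(mask):
        inverse = ipaddress.IPv4Address(~_u32(mask) & 0xFFFFFFFF)
        warning = f"{mask} looks like a subnet mask; inverse form is {inverse}"
    return [h for h in hosts if acl_permits(h, base, mask)], warning

# Constructed hosts: two on the VLAN 1 LAN, two that should not be translated.
HOSTS = ["192.168.1.10", "192.168.1.200", "192.168.2.10", "10.20.30.0"]

if __name__ == "__main__":
    for line in ("access-list 1 permit 192.168.1.0 0.0.0.255",
                 "access-list 1 permit 192.168.1.0 255.255.255.0"):
        print(line, "->", nat_sources(HOSTS, line))
```

With the inverse mask the LAN hosts are selected; with a subnet-mask-style value only addresses whose last octet is 0 match, so LAN traffic would leave untranslated.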
Configuration Example
The following configuration example shows a portion of the configuration file for the PPPoE scenario described in this chapter.
The VLAN interface has an IP address of 192.168.1.1 with a subnet mask of 255.255.255.0. NAT is configured for inside and outside.
Note
Commands marked by “(default)” are generated automatically when you run the show running-config command.
vpdn enable
vpdn-group 1
 request-dialin
  protocol pppoe
!
interface vlan 1
 ip address 192.168.1.1 255.255.255.0
 no ip directed-broadcast (default)
 ip nat inside
interface gigabitethernet 4
 no ip address
 no ip directed-broadcast (default)
 ip nat outside
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no sh
!
interface dialer 0
 ip address negotiated
 ip mtu 1492
 encapsulation ppp
 ppp authentication chap
 dialer pool 1
 dialer-group 1
!
dialer-list 1 protocol ip permit
ip nat inside source list 1 interface dialer 0 overload
ip classless (default)
ip route 10.10.25.2 255.255.255.255 dialer 0
ip nat pool pool1 192.168.1.0 192.168.2.0 netmask 255.255.252.0
ip nat inside source list acl1 pool pool1
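The scenario depends on several cross-references: each `pppoe-client dial-pool-number` needs a dialer interface with the matching `dialer pool`, each session needs its own pool, and every `ip nat inside source list` must name an access list that exists. The Python audit below is an added example, not Cisco tooling; `audit` and both sample configurations are constructed for illustration.

```python
import re

def audit(config):
    """Return findings for PPPoE dialer-pool and NAT access-list cross-references."""
    iface, eth_pools, dialer_pools, acls, nat_lists = None, {}, {}, set(), []
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (.+)", line):
            iface = m.group(1).lower()
        elif m := re.match(r"pppoe-client dial-pool-number (\d+)", line):
            eth_pools.setdefault(m.group(1), []).append(iface)
        elif m := re.match(r"dialer pool (\d+)", line):
            dialer_pools.setdefault(m.group(1), []).append(iface)
        elif m := re.match(r"(?:ip )?access-list (?:standard |extended )?(\S+)", line):
            acls.add(m.group(1))
        elif m := re.match(r"ip nat inside source list (\S+)", line):
            nat_lists.append(m.group(1))
    findings = []
    for pool, ifs in eth_pools.items():
        if pool not in dialer_pools:      # Ethernet side points at a missing pool
            findings.append(f"pool {pool} on {ifs[0]} has no dialer interface")
    for pool, ifs in dialer_pools.items():
        if len(ifs) > 1:                  # each session needs its own pool
            findings.append(f"pool {pool} shared by {', '.join(ifs)}")
    for name in nat_lists:
        if name not in acls:              # NAT rule selects nothing without its ACL
            findings.append(f"NAT references undefined access list {name}")
    return findings

# Constructed sample configurations (not taken from a real device).
GOOD = """\
interface gigabitethernet 4
 pppoe-client dial-pool-number 1
interface dialer 0
 dialer pool 1
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface dialer 0 overload
"""
BAD = """\
interface gigabitethernet 4
 pppoe-client dial-pool-number 2
interface dialer 0
 dialer pool 1
interface dialer 1
 dialer pool 1
ip nat inside source list acl1 pool pool1
"""
```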
Verifying Your Configuration
Use the show ip nat statistics command in privileged EXEC mode to verify the PPPoE with NAT configuration. You should see verification output similar to the following example:
Router# show ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
CEF Translated packets: 0, CEF Punted packets: 0
[Id: 1] access-list 1 interface Dialer0 refcount 0