Point-to-point protocol over Ethernet intermediate agent (PPPoE IA) is placed between a subscriber and a broadband remote access server (BRAS). PPPoE IA helps the service provider BRAS to distinguish between end hosts connected over Ethernet and an access device. The topology of a typical PPPoE implementation is shown in the figure below.
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Toolkit and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
On the access switch, PPPoE IA enables subscriber line identification by appropriately tagging the Ethernet frames of different users. The tag contains specific information, such as which subscriber is connected to the switch and the Ethernet flow point (EFP).
PPPoE IA acts as a mini security firewall between the host and the BRAS by intercepting all PPPoE Active Discovery (PAD) messages on a per-port, per-EFP basis. It provides specific security features, such as verifying intercepted PAD messages from untrusted ports, performing per-port PAD message rate limiting, and inserting VSA tags into and removing them from PAD messages.
Interface and per-bridge-domain (per-BD) PPPoE IA configurations take effect only when the PPPoE IA feature is enabled globally. Discovery packets are switched or bridged if PPPoE IA is disabled globally.
The PPPoE IA feature supports global, per-port, and per-BD format configuration for generating the circuit-id and remote-id. Choose the appropriate option to meet the requirements.
To configure a large number of intermediate agent devices for PPPoE IA, use the pppoe intermediate-agent command so that the feature automatically generates the subscriber-line information in the VSA tag.
Enable PPPoE IA globally, per interface, and per BD.
PPPoE IA is not supported on routed interfaces.
PPPoE IA is not supported on Port-Channel.
You can enable either PPPoE IA or PPPoE client on the device. You cannot have PPPoE IA and PPPoE client on the same device.
More than 6000 PPPoE sessions are not supported in the device acting as an intermediate agent.
PPPoE IA is only supported on physical interfaces and bridge domains.
BRAS-connected ports are configured as trusted and host-connected ports as untrusted.
When PPPoE IA is enabled globally on the device, discovery packets received on an interface that has PPPoE IA disabled are dropped.
The following tasks describe how to configure PPPoE IA on a device:
To enable or disable PPPoE IA globally on the device, complete the following steps:
enable
configure terminal
pppoe intermediate-agent
end
Note | If you do not specify the access node identifier of the switch, the value is automatically set as 0.0.0.0. |
enable
configure terminal
pppoe intermediate-agent format-type access-node-id string switch123
end
Note | PPPoE IA sends a generic error message only on specific error condition. If you do not specify string {message}, the error message is not added. |
enable
configure terminal
pppoe intermediate-agent format-type generic-error-message string
end
The pppoe intermediate-agent format-type identifier-string string circuit1 option command has the following options
enable
configure terminal
pppoe intermediate-agent format-type identifier-string string circuit1 option spv delimiter :
end
Note | This setting applies to all frames passing through this interface, regardless of the EFP to which they belong. By default the PPPoE IA feature is disabled on all interfaces. You need to run this command on every interface that requires this feature. |
You must enable PPPoE IA on the device in the global configuration mode.
enable
configure terminal
interface GigabitEthernet 0/0/1
 pppoe intermediate-agent
end
PPPoE IA can be configured to add specific information as part of subscriber identification. This can be configured on a per-port and per-port-per-bridge-domain basis, the latter when specific packets received on a particular bridge domain need to be differentiated from other packets received on that interface.
To enable or disable PPPoE IA on BD, complete the following steps:
You must enable PPPoE IA on the device in the global configuration mode.
enable
configure terminal
interface GigabitEthernet 0/1/1
 pppoe intermediate-agent bridge-domain 40
end
You can configure the circuit-id at the interface level. The PADI, PADR and PADT packets (PPPoE discovery packets) received on this physical interface are IA-tagged with the circuit-id configured by the pppoe intermediate-agent format-type circuit-id string word command, irrespective of the bridge domain (BD). This command overrides the global-level circuit-id configuration or the automatic generation of the circuit-id by the switch.
This parameter is not set by default.
Note | If BD is enabled with PPPoE IA, BD level circuit-id configuration overwrites all other circuit-id configuration, for the packets that are received on that particular BD. |
To configure the circuit-ID on an interface, complete the following steps:
enable
configure terminal
interface GigabitEthernet 0/0/1
 pppoe intermediate-agent format-type circuit-id string root
end
This configuration overrides the circuit-id configuration specified at the interface or global level. The packets received on the specified bridge domain get the PPPoE IA tag with the configured circuit-id. By default, the pppoe intermediate-agent bridge-domain <bridge-domain_num> circuit-id {string {WORD}} command is not configured.
You must enable PPPoE IA globally and on particular BD.
To configure the circuit-ID on BD, complete the following steps:
enable
configure terminal
interface GigabitEthernet 0/0/1
 pppoe intermediate-agent bridge-domain 50 circuit-id ct1
end
You can configure the remote-id at the interface level. The PADI, PADR and PADT packets (PPPoE discovery packets) received on this physical interface are IA-tagged with the remote-id configured by the pppoe intermediate-agent format-type remote-id string word command, irrespective of the BD. This command overrides the global-level remote-id configuration or the automatic generation of the remote-id by the device.
This parameter is not set by default.
Note | If BD is enabled with PPPoE IA, BD level remote-id configuration overwrites all other remote-id configuration, for the packets that are received on that particular BD. |
enable
configure terminal
interface GigabitEthernet 0/0/1
 pppoe intermediate-agent format-type remote-id string granite
end
This configuration overrides the remote-id configuration specified at the interface or global level. The packets received on the specified bridge domain get the PPPoE IA tag with the configured remote-id. By default, the pppoe intermediate-agent bridge-domain <bridge-domain_num> remote-id {string {WORD}} command is not configured.
Note | The default value of remote-id is the router MAC address (for all bridge-domains). |
You must enable PPPoE IA globally and on particular BD.
To configure the remote-ID on BD, complete the following steps:
enable
configure terminal
interface GigabitEthernet 0/1/1
 pppoe intermediate-agent bridge-domain 50 remote-id RD1
end
You can limit the rate (packets per second) at which PPPoE discovery packets (PADI, PADO, PADR, PADS, and PADT) are received on an interface. When the incoming packet rate reaches or exceeds the configured limit, the port enters an error-disabled state and shuts down.
Note | This limit applies to the physical interface to counter misbehaving hosts. Even if a single EFP misbehaves on an interface in trunk mode, the entire interface is shut down (error-disabled), bringing down other EFP traffic on the interface. |
If you set the limit on the interface that connects the access switch to the BRAS, use a higher value, since the BRAS aggregates all the PPPoE traffic to the access switch through this interface.
enable
configure terminal
interface GigabitEthernet 0/1/1
 pppoe intermediate-agent limit rate 30
end
Interfaces that connect the device to the PPPoE server are configured as trusted. Interfaces that connect the device to users (PPPoE clients) are untrusted.
This setting is disabled by default.
enable
configure terminal
interface GigabitEthernet 0/0/1
 pppoe intermediate-agent
 pppoe intermediate-agent trust
end
Vendor-specific tags (VSAs) carry subscriber and line identification information in the packets.
Vendor-tag stripping involves removing the VSAs from PADO, PADS, and PADT packets that are received on an interface before forwarding them to the user.
You can configure vendor-tag stripping on interfaces connected to the PPPoE server.
This setting is disabled by default.
Note | BRAS automatically strips the vendor-specific tag off of the PPPoE discovery packets before sending them downstream to the access switch. To operate with an older BRAS that does not possess this capability, use the pppoe intermediate-agent vendor-tag strip command on the interface connecting the access switch to the BRAS. |
To enable stripping on an interface, complete the following steps:
enable
configure terminal
interface GigabitEthernet 0/0/1
 pppoe intermediate-agent vendor-tag strip
end
Verifying PPPoE IA Configuration
Use the following command to clear packet counters for all PPPoE discovery packets (PADI, PADO, PADR, PADS, PADT) on all interfaces (per-port and per-port-per-EFP):
Router# clear pppoe intermediate-agent statistics
Use the following command to clear packet counters on a selected interface:
Router# clear pppoe intermediate-agent statistics interface type slot/subslot/port
Example:
Router# clear pppoe intermediate-agent statistics interface gigabitEthernet 0/0/3
Use the following command to view the statistics of all the interfaces on which PPPoE IA is enabled:
Router# show pppoe intermediate-agent statistics
PPPOE IA Per-Port Statistics
---- -----------------
Interface : GigabitEthernet0/0/24
Packets received
 All = 53
 PADI = 17 PADO = 0
 PADR = 17 PADS = 0
 PADT = 19
Packets dropped:
 Rate-limit exceeded = 0
 Server responses from untrusted ports = 0
 Client requests towards untrusted ports = 0
 Malformed PPPoE Discovery packets = 0
BD 40: Packets received PADI = 8 PADO = 0 PADR = 8 PADS = 0 PADT = 9
BD 50: Packets received PADI = 9 PADO = 0 PADR = 9 PADS = 0 PADT = 10
Interface : GigabitEthernet0/0/24
Packets received
 All = 59
 PADI = 0 PADO = 19
 PADR = 0 PADS = 26
 PADT = 14
Packets dropped:
 Rate-limit exceeded = 0
 Server responses from untrusted ports = 0
 Client requests towards untrusted ports = 0
 Malformed PPPoE Discovery packets = 0
BD 40: Packets received PADI = 0 PADO = 12 PADR = 0 PADS = 15 PADT = 7
BD 50: Packets received PADI = 0 PADO = 7 PADR = 0 PADS = 11 PADT = 7
Use the following command to view the packet details on an interface:
Router# show pppoe intermediate-agent statistics interface type slot/subslot/port
Example:
Router# show pppoe intermediate-agent statistics interface gigabitEthernet 0/0/3
Interface : Gi 0/0/3
Packets received
 All = 0
 PADI = 0 PADO = 0
 PADR = 0 PADS = 0
 PADT = 0
Packets dropped:
 Rate-limit exceeded = 0
 Server responses from untrusted ports = 0
 Client requests towards untrusted ports = 0
 Malformed PPPoE Discovery packets = 0
BD 40: Packets received PADI = 0 PADO = 0 PADR = 0 PADS = 0 PADT = 0
BD 50: Packets received PADI = 0 PADO = 0 PADR = 0 PADS = 0 PADT = 0
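
The drop counters in this output are the ones worth monitoring across many access devices. The following is an added example, not Cisco code: it parses show pppoe intermediate-agent statistics output in the layout shown above and lists every non-zero drop counter per interface. The sample text, its interface names and its values are constructed.

```python
import re

# Counters printed under "Packets dropped:" in the output shown on this page.
DROP_COUNTERS = (
    "Rate-limit exceeded",
    "Server responses from untrusted ports",
    "Client requests towards untrusted ports",
    "Malformed PPPoE Discovery packets",
)

# Constructed sample in the same layout; interface names and values are invented.
SAMPLE = """\
PPPOE IA Per-Port Statistics
Interface : GigabitEthernet0/0/3
Packets received
 PADI = 400 PADO = 6 PADR = 3 PADS = 0 PADT = 3
Packets dropped:
 Rate-limit exceeded = 0
 Server responses from untrusted ports = 6
 Client requests towards untrusted ports = 0
 Malformed PPPoE Discovery packets = 2
Interface : Gi 0/0/24
Packets received
 PADI = 0 PADO = 19 PADR = 0 PADS = 26 PADT = 14
Packets dropped:
 Rate-limit exceeded = 0
 Server responses from untrusted ports = 0
 Client requests towards untrusted ports = 0
 Malformed PPPoE Discovery packets = 0
"""

def parse_drops(text):
    """Return [(interface, {counter: value})], one entry per interface block."""
    parsed = []
    # Only labels are matched, never line breaks, so output that was pasted
    # or logged as one long line parses the same way.
    for block in re.split(r"Interface\s*:\s*", text)[1:]:
        name = re.split(r"\s+Packets received", block, maxsplit=1)[0].strip()
        counters = {}
        for label in DROP_COUNTERS:
            m = re.search(re.escape(label) + r"\s*=\s*(\d+)", block)
            counters[label] = int(m.group(1)) if m else 0
        parsed.append((name, counters))
    return parsed

def findings(text):
    """Return (interface, counter, value) for every non-zero drop counter."""
    return [(name, label, value) for name, counters in parse_drops(text)
            for label, value in counters.items() if value]
```

A non-zero "Server responses from untrusted ports" value on a host-facing port means a device on that port answered as a PPPoE server and the agent dropped the reply.
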
show pppoe intermediate-agent info
PPPoE Intermediate-Agent is enabled
Global access-node-id is default
Global generic error msg is not set
Global identifier-string and delimiter are not set
PPPoE Intermediate-Agent trust/rate is configured on the following Interfaces:
Interface               IA       Trusted Vsa Strip Rate limit (pps)
----------------------- -------- ------- --------- ----------------
GigabitEthernet0/0/10   yes      no      no        unlimited
PPPoE Intermediate-Agent is configured on following bridge domains:
40,50
show pppoe intermediate-agent info interface GigabitEthernet 0/0/10
Interface               IA       Trusted Vsa Strip Rate limit (pps)
----------------------- -------- ------- --------- ----------------
Gi 0/0/10               yes      no      no        unlimited
PPPoE Intermediate-Agent is configured on following bridge domains:
40,50
debug pppoe intermediate-agent packet—Displays the contents of a packet received in the software: source and destination MAC address of Ethernet frame, code, version and type of PPPoE Discovery packet and a list of TAGs present.
debug radius—Generates a report that includes information about the incoming access interface, where discovery frames are received, and about the session being established in PPPoE extended NAS-Port format (format d).
Configuration Examples
enable
configure terminal
interface GigabitEthernet0/0/1
 no ip address
 media-type rj45
 negotiation auto
 pppoe intermediate-agent format-type circuit-id string cktid10
 pppoe intermediate-agent format-type remote-id string rmtid10
 pppoe intermediate-agent
 service instance 1 ethernet
  encapsulation dot1q 10
  rewrite ingress tag pop 1 symmetric
  bridge-domain 40
 !
end

enable
configure terminal
interface GigabitEthernet0/0/1
 no ip address
 media-type rj45
 negotiation auto
 pppoe intermediate-agent bridge-domain 40 circuit-id string cktid-20
 pppoe intermediate-agent bridge-domain 40 remote-id string rmtid-20
 pppoe intermediate-agent bridge-domain 40
 service instance 1 ethernet
  encapsulation dot1q 10
  rewrite ingress tag pop 1 symmetric
  bridge-domain 40
 !
end

enable
configure terminal
interface GigabitEthernet0/0/1
 no ip address
 media-type rj45
 negotiation auto
 pppoe intermediate-agent bridge-domain 40 circuit-id string cktid-20
 pppoe intermediate-agent bridge-domain 40 remote-id string rmtid-20
 pppoe intermediate-agent format-type circuit-id string cktid10
 pppoe intermediate-agent format-type remote-id string rmtid10
 pppoe intermediate-agent bridge-domain 40
 pppoe intermediate-agent
 service instance 1 ethernet
  encapsulation dot1q 20
  rewrite ingress tag pop 1 symmetric
  bridge-domain 40
 !
 service instance 2 ethernet
  encapsulation dot1q 10
  rewrite ingress tag pop 1 symmetric
  bridge-domain 30
 !
end
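
When bridge-domain and interface settings are mixed, as in the last example, the circuit-id and remote-id actually tagged depend on the override order described earlier on this page. The following is an added example, not Cisco code, that resolves the effective values for a given bridge domain from an interface stanza; it assumes PPPoE IA is enabled globally, and the function name and the global-ID dictionary are hypothetical.

```python
import re

# Interface stanza from the last configuration example on this page, trimmed to
# the lines that matter here. Global IDs are an assumption: None means the
# device generates the value itself.
GLOBAL_IDS = {"circuit-id": None, "remote-id": None}
STANZA = """\
interface GigabitEthernet0/0/1
 pppoe intermediate-agent bridge-domain 40 circuit-id string cktid-20
 pppoe intermediate-agent bridge-domain 40 remote-id string rmtid-20
 pppoe intermediate-agent format-type circuit-id string cktid10
 pppoe intermediate-agent format-type remote-id string rmtid10
 pppoe intermediate-agent bridge-domain 40
 pppoe intermediate-agent
 service instance 1 ethernet
  bridge-domain 40
 service instance 2 ethernet
  bridge-domain 30
"""
IA = r"pppoe intermediate-agent "
BD_ID = re.compile(IA + r"bridge-domain (\d+) (circuit-id|remote-id) (?:string )?(\S+)$")
IF_ID = re.compile(IA + r"format-type (circuit-id|remote-id) string (\S+)$")
BD_ON = re.compile(IA + r"bridge-domain (\d+)$")

def effective_ids(stanza, bd, global_ids=GLOBAL_IDS):
    """Return {kind: (value, source)} for discovery packets received on `bd`.

    Precedence described on this page: bridge-domain level (only if IA is
    enabled on that BD) > interface level > global level > device-generated.
    """
    bd_ids, if_ids, bd_enabled = {}, {}, set()
    for line in (raw.strip() for raw in stanza.splitlines()):
        if m := BD_ID.match(line):
            bd_ids[(int(m[1]), m[2])] = m[3]
        elif m := IF_ID.match(line):
            if_ids[m[1]] = m[2]
        elif m := BD_ON.match(line):
            bd_enabled.add(int(m[1]))
    resolved = {}
    for kind in ("circuit-id", "remote-id"):
        value = global_ids.get(kind)
        source = "global" if value is not None else "device-generated"
        if kind in if_ids:
            value, source = if_ids[kind], "interface"
        if bd in bd_enabled and (bd, kind) in bd_ids:
            value, source = bd_ids[(bd, kind)], "bridge-domain"
        resolved[kind] = (value, source)
    return resolved
```

For the stanza above, bridge domain 40 resolves to cktid-20 and rmtid-20, while bridge domain 30 falls back to the interface-level cktid10 and rmtid10.
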
The following sections provide references related to the PPPoE IA feature.
MIB | MIBs link |
---|---|
None. | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: |

RFC | Title |
---|---|
No new or modified RFCs are supported, and support for existing RFCs has not been modified. | — |