Restrictions for PPPoE Intermediate Agent
PPPoE Intermediate Agent is not supported on routed interfaces.
PPPoE Intermediate Agent (PPPoE IA) is placed between a subscriber and BRAS to help the service provider BRAS distinguish between end hosts connected over Ethernet to an access switch. On the access switch, PPPoE IA enables Subscriber Line Identification by appropriately tagging Ethernet frames of different users. (The tag contains specific information such as which subscriber is connected to the switch and VLAN.) PPPoE IA acts as a mini security firewall between host and BRAS by intercepting all PPPoE Active Discovery (PAD) messages on a per-port per-VLAN basis. It provides specific security features such as verifying the intercepted PAD messages from untrusted ports, performing per-port PAD message rate limiting, and inserting and removing VSA tags into and from PAD messages, respectively.
DSL Forum TR-101 [1] offers a means by which the PPPoE Discovery packets are tagged at the service provider's access switch with subscriber line specific information. The mechanism specifies using the VSA of the PPPoE Discovery packets to add the line specific information at the switch. Even though you can perform Subscriber Line Identification (SLI) in another way (recreating virtual paths and circuits using stacked VLAN tags), DSL Forum 2004-071 [4] recommends the PPPoE Intermediate Agent mechanism. It cites lower provisioning costs and simpler coordination between OSS systems in charge of access switch and BRAS. PPPoE Intermediate Agent helps the service provider BRAS distinguish between end hosts connected over Ethernet to an access switch.
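The tag insertion and removal described above, as an added Python example (not Cisco's code). It works on the PPPoE part of a discovery frame only, and assumes the TR-101 encoding (Vendor-Specific tag 0x0105, vendor ID 0x00000DE9, sub-options 0x01 circuit ID and 0x02 remote ID) and a policy of discarding any line-ID tag the client already supplied; all function names are hypothetical.

```python
import struct

TAG_VENDOR_SPECIFIC = 0x0105      # PPPoE Vendor-Specific tag type (RFC 2516)
DSL_FORUM_VENDOR_ID = 0x00000DE9  # IANA enterprise number 3561 (ADSL/DSL Forum)
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 0x01, 0x02  # TR-101 sub-option codes
PADI = 0x09                       # PPPoE Active Discovery Initiation code

def parse_tags(payload):
    """Split a PAD payload into (type, value) pairs; reject malformed TLVs."""
    tags, off = [], 0
    while off < len(payload):
        if off + 4 > len(payload):
            raise ValueError("truncated tag header")
        tag_type, length = struct.unpack_from("!HH", payload, off)
        off += 4
        if off + length > len(payload):
            raise ValueError("tag length overruns payload")
        tags.append((tag_type, payload[off:off + length]))
        off += length
    return tags

def split_pad(pad):
    """Parse the 6-byte PPPoE header (ver/type, code, session, length) and tags."""
    if len(pad) < 6:
        raise ValueError("short PPPoE header")
    ver_type, code, session_id, length = struct.unpack_from("!BBHH", pad)
    if ver_type != 0x11 or 6 + length > len(pad):
        raise ValueError("malformed PPPoE Discovery packet")
    return code, session_id, parse_tags(pad[6:6 + length])

def build_pad(code, session_id, tags):
    """Serialize a PAD message from its code, session ID and (type, value) tags."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", 0x11, code, session_id, len(payload)) + payload

def is_line_id_tag(tag_type, value):
    return (tag_type == TAG_VENDOR_SPECIFIC
            and value[:4] == struct.pack("!I", DSL_FORUM_VENDOR_ID))

def make_vsa(circuit_id, remote_id):
    """Build the line-ID tag: vendor ID followed by the two sub-option TLVs."""
    body = struct.pack("!I", DSL_FORUM_VENDOR_ID)
    for sub, val in ((SUB_CIRCUIT_ID, circuit_id), (SUB_REMOTE_ID, remote_id)):
        body += struct.pack("!BB", sub, len(val)) + val
    return TAG_VENDOR_SPECIFIC, body

def strip_vsa(pad):
    """Remove the line-ID tag, as vendor-tag stripping does on a trusted port."""
    code, sid, tags = split_pad(pad)
    return build_pad(code, sid, [(t, v) for t, v in tags if not is_line_id_tag(t, v)])

def tag_upstream(pad, circuit_id, remote_id):
    """Untrusted port: discard any client-supplied line-ID tag (assumed policy),
    then append the tag built from the switch's own circuit ID and remote ID."""
    code, sid, tags = split_pad(strip_vsa(pad))
    return build_pad(code, sid, tags + [make_vsa(circuit_id, remote_id)])

# Constructed sample: a PADI carrying an empty Service-Name tag (0x0101) and a
# Host-Uniq tag (0x0103); "root" and "granite" are the IDs used on this page.
SAMPLE_PADI = build_pad(PADI, 0, [(0x0101, b""), (0x0103, b"\x01\x02")])

if __name__ == "__main__":
    tagged = tag_upstream(SAMPLE_PADI, b"root", b"granite")
    for tag_type, value in split_pad(tagged)[2]:
        print(hex(tag_type), value.hex())
```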
How to Configure PPPoE IA
Note | By default, PPPoE IA is disabled globally. |

Step | Command or Action | Purpose |
---|---|---|
Step 1 | enable | Enables privileged EXEC mode. Enter your password if prompted. |
Step 2 | configure terminal | Enters the global configuration mode. |
Step 3 | pppoe intermediate-agent | Enables PPPoE IA globally on the switch. |
Note | By default, access-node-id is not set. |

Step | Command or Action | Purpose |
---|---|---|
Step 1 | enable | Enables privileged EXEC mode. Enter your password if prompted. |
Step 2 | configure terminal | Enters the global configuration mode. |
Step 3 | pppoe intermediate-agent format-type access-node-id string word | |
This functionality overrides the default automatic generation of circuit-id by the system.
The options available are sp, sv, pv and spv denoting slot:port, slot-vlan, port-vlan, and slot-port-vlan combinations, respectively. Valid delimiters are # . , ; / space.
The no form of this command without WORD, options, and delimiters, reverts to the default automatic generation of circuit-id.
This command does not affect the circuit ID configured explicitly per-interface or per-interface per-VLAN with the pppoe intermediate-agent format-type circuit-id command.
Follow these steps to set an identifier string word with option spv delimited by “:”:

Step | Command or Action | Purpose |
---|---|---|
Step 1 | enable | Enables privileged EXEC mode. Enter your password if prompted. |
Step 2 | configure terminal | Enters the global configuration mode. |
Step 3 | pppoe intermediate-agent format-type identifier-string string word option {sp \| sv \| pv \| spv} delimiter {, \| . \| ; \| / \| #} | |
Follow these steps to configure a generic message of packet_length>1484:

Step | Command or Action | Purpose |
---|---|---|
Step 1 | enable | Enables privileged EXEC mode. Enter your password if prompted. |
Step 2 | configure terminal | Enters the global configuration mode. |
Step 3 | pppoe intermediate-agent format-type generic-error-message string string | |
Follow these steps to enable PPPoE IA on FastEthernet 3/1:
Note | Enabling PPPoE IA on an interface does not ensure that incoming packets are tagged. For this to happen, PPPoE IA must be enabled globally, and at least one interface that connects the switch to the PPPoE server must have a trusted PPPoE IA setting. Refer to the following section for details. |

This functionality enables the PPPoE IA feature on an interface. The interface-level pppoe intermediate-agent command has an effect only if the PPPoE IA feature was also enabled globally with the same command. (You need to enable PPPoE IA globally to activate the PPPoE IA static ACL, and on an interface for PPPoE IA processing of PPPoE discovery packets received on that interface.)
This setting applies to all frames passing through this interface, regardless of the VLAN they belong to. By default the PPPoE IA feature is disabled on all interfaces. You need to run this command on every interface that requires this feature.
Step | Command or Action | Purpose |
---|---|---|
Step 1 | enable | Enables privileged EXEC mode. Enter your password if prompted. |
Step 2 | configure terminal | Enters the global configuration mode. |
Step 3 | interface interface-id | Enters interface configuration mode for the specified physical interface. |
Step 4 | pppoe intermediate-agent | Enables PPPoE IA on the interface. |
Note | Interfaces that connect the switch to the PPPoE server are configured as trusted. Interfaces that connect the switch to users (PPPoE clients) are untrusted. |

Follow these steps to set FastEthernet interface 3/2 as trusted:

Step | Command or Action | Purpose |
---|---|---|
Step 1 | enable | Enables privileged EXEC mode. Enter your password if prompted. |
Step 2 | configure terminal | Enters the global configuration mode. |
Step 3 | interface interface-id | Enters interface configuration mode for the specified physical interface. |
Step 4 | pppoe intermediate-agent trust | Sets the trust configuration of an interface. |
Note | The parameter for rate limiting is the number of packets per second. If the incoming packet rate exceeds this value, the port shuts down. |

Follow these steps to set a rate limit on an interface:

Step | Command or Action | Purpose |
---|---|---|
Step 1 | enable | Enables privileged EXEC mode. Enter your password if prompted. |
Step 2 | configure terminal | Enters the global configuration mode. |
Step 3 | interface interface-id | Enters interface configuration mode for the specified physical interface. |
Step 4 | pppoe intermediate-agent limit rate number | Limits the rate of the PPPoE Discovery packets arriving on an interface. |
Note | Generally, you would configure vendor-tag stripping on interfaces connected to the PPPoE server. If you configure stripping, incoming packets are stripped of their VSAs (which carry subscriber and line identification information). For the pppoe intermediate-agent vendor-tag strip command to be effective, the PPPoE Intermediate Agent must be enabled and the interface must be set to trust. In isolation, the command has no effect. |

Note | BRAS automatically strips the vendor-specific tag off of the PPPoE discovery packets before sending them downstream to the access switch. To operate with an older BRAS that does not possess this capability, use the pppoe intermediate-agent vendor-tag strip command on the interface connecting the access switch to BRAS. |

Follow these steps to enable vendor-tag stripping:

Step | Command or Action | Purpose |
---|---|---|
Step 1 | enable | Enables privileged EXEC mode. Enter your password if prompted. |
Step 2 | configure terminal | Enters the global configuration mode. |
Step 3 | interface interface-id | Enters interface configuration mode for the specified physical interface. |
Step 4 | pppoe intermediate-agent vendor-tag strip | Enables vendor-tag stripping on PPPoE Discovery packets from PPPoE Server (or BRAS). |
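The dependencies stated in the notes above (interface or VLAN settings need the global command, tagging needs at least one trusted interface, and stripping needs both the feature enabled and a trusted interface) can be checked against a saved running configuration. The following Python audit is an added example, not part of the Cisco documentation; the function names and the sample configuration are constructed, and it assumes the running configuration lists the commands as entered, with standard IOS indentation.

```python
import re

IA = "pppoe intermediate-agent"

def parse_config(text):
    """Return (global_enabled, {interface: set of PPPoE IA settings found})."""
    global_on, ifaces, current, vlan_indent = False, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0:                       # top-level command
            vlan_indent = None
            m = re.match(r"interface\s+(\S+)", line)
            current = m.group(1) if m else None
            if current:
                ifaces[current] = set()
            elif line == IA:
                global_on = True
            continue
        if current is None:
            continue
        if line.startswith("vlan-range "):
            vlan_indent = indent              # deeper lines belong to this block
            continue
        if vlan_indent is not None and indent <= vlan_indent:
            vlan_indent = None                # left the vlan-range block
        settings = ifaces[current]
        if line == IA:
            settings.add("vlan-enabled" if vlan_indent is not None else "enabled")
        elif line == IA + " trust":
            settings.add("trust")
        elif line == IA + " vendor-tag strip":
            settings.add("strip")
    return global_on, ifaces

def audit(text):
    """Return findings as (rule, [interfaces]) for settings that have no effect."""
    global_on, ifaces = parse_config(text)
    enabled = sorted(n for n, s in ifaces.items() if s & {"enabled", "vlan-enabled"})
    trusted = [n for n, s in ifaces.items() if "trust" in s]
    findings = []
    if enabled and not global_on:
        findings.append(("enabled-but-global-off", enabled))
    if enabled and not trusted:
        findings.append(("no-trusted-server-port", enabled))
    strip_dead = sorted(n for n, s in ifaces.items()
                        if "strip" in s and not (global_on and "trust" in s))
    if strip_dead:
        findings.append(("strip-has-no-effect", strip_dead))
    return findings

# Constructed running-config excerpt (one-space IOS indentation assumed).
SAMPLE_CONFIG = """\
pppoe intermediate-agent
!
interface FastEthernet3/1
 pppoe intermediate-agent
 pppoe intermediate-agent limit rate 30
!
interface FastEthernet3/2
 pppoe intermediate-agent vendor-tag strip
!
"""

if __name__ == "__main__":
    for rule, names in audit(SAMPLE_CONFIG):
        print(rule, ", ".join(names))
```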
The [no] pppoe intermediate-agent format-type circuit-id command sets the circuit ID on an interface and overrides the automatic generation of circuit ID by the switch. Without this command, one default tag (for example, Ethernet x/y:z on the PPPoE to which the user is connected) is inserted by the intermediate agent.
The [no] pppoe intermediate-agent format-type remote-id command sets the remote ID on an interface.
This functionality causes tagging of PADI, PADR, and PADT packets (belonging to the PPPoE Discovery stage) received on this physical interface with circuit ID or remote ID. This happens regardless of their VLAN if PPPoE IA is not enabled for that VLAN.
You should use remote ID instead of circuit ID for subscriber line identification. You should configure this setting on every interface where you enabled PPPoE IA because it is not set by default. The default value for remote-id is the switch MAC address (for all physical interfaces).
Follow these steps to configure the circuit ID as root and the remote ID as granite:
Step | Command or Action | Purpose |
---|---|---|
Step 1 | enable | Enables privileged EXEC mode. Enter your password if prompted. |
Step 2 | configure terminal | Enters the global configuration mode. |
Step 3 | interface interface-id | Enters interface configuration mode for the specified physical interface. |
Step 4 | pppoe intermediate-agent format-type {circuit-id \| remote-id} string string | |
Note | The pppoe intermediate-agent command in the vlan-range mode is not dependent on the same command in interface mode. The pppoe intermediate-agent command will take effect independently of the command in the interface mode. To make this happen, PPPoE IA must be enabled globally and at least one interface must be connected to the PPPoE server. |

Follow these steps to enable PPPoE IA on a specific VLAN:

Step | Command or Action | Purpose |
---|---|---|
Step 1 | enable | Enables privileged EXEC mode. Enter your password if prompted. |
Step 2 | configure terminal | Enters the global configuration mode. |
Step 3 | interface interface-id | Enters interface configuration mode for the specified physical interface. |
Step 4 | vlan-range {vlan-id \| vlan-list \| vlan-range} | Enters the vlan-range mode. |
Step 5 | pppoe intermediate-agent | Enables PPPoE IA on the specified interfaces. |
Note | The circuit-id and remote-id configurations in vlan-range mode are affected only if PPPoE IA is enabled globally and in vlan-range mode. |

Note | The vlan-range mode commands configure PPPoE IA for either a specific VLAN, multiple VLANs, or VLAN range, depending on what you specify in the syntax. |

In this section you set the circuit ID and remote ID for a specific VLAN on an interface. The command overrides the circuit ID and remote ID specified for this physical interface and the switch uses the WORD value to tag packets received on this VLAN. This parameter is unset by default.
The default value of remote-id is the switch MAC address (for all VLANs). You would set this parameter to encode subscriber-specific information.
Follow these steps to set the circuit-id and the remote-id:

Step | Command or Action | Purpose |
---|---|---|
Step 1 | interface interface-id | Enters interface configuration mode for the specified physical interface. |
Step 2 | vlan-range vlan-range | Enters the vlan-range mode. |
Step 3 | pppoe intermediate-agent | Enables PPPoE IA on the specified interfaces. |
Step 4 | pppoe intermediate-agent format-type {circuit-id \| remote-id} string string | |
Configuration Examples for PPPoE IA
This example shows how to enable or disable PPPoE IA globally on the switch:
Device> enable
Device# configure terminal
Device(config)# pppoe intermediate-agent
This example shows how to set an access node identifier of abcd:
Device> enable
Device# configure terminal
Device(config)# pppoe intermediate-agent format-type access-node-id string abcd
This example shows how to set an identifier string word with option spv delimited by “:”:
Device> enable
Device# configure terminal
Device(config)# pppoe intermediate-agent format-type identifier-string string word option spv delimiter :
This example shows how to configure a generic message of packet_length>1484:
Device> enable
Device# configure terminal
Device(config)# pppoe intermediate-agent format-type generic-error-message string packet_length>1484
This example shows how to enable PPPoE IA on FastEthernet 3/1:
Device> enable
Device# configure terminal
Device(config)# interface FastEthernet 3/1
Device(config-if)# pppoe intermediate-agent
The following example shows how to set FastEthernet interface 3/2 as trusted:
Device> enable
Device# configure terminal
Device(config)# interface FastEthernet 3/2
Device(config-if)# pppoe intermediate-agent trust
This example shows how to set a rate limit of 30 at FastEthernet 3/1:
Device> enable
Device# configure terminal
Device(config)# interface FastEthernet 3/1
Device(config-if)# pppoe intermediate-agent limit rate 30
The following example shows how to enable stripping on FastEthernet 3/2:
Device> enable
Device# configure terminal
Device(config)# interface FastEthernet 3/2
Device(config-if)# pppoe intermediate-agent vendor-tag strip
The following example shows how to configure the circuit ID as root and the remote ID as granite:
Device> enable
Device# configure terminal
Device(config)# interface FastEthernet 3/1
Device(config-if)# pppoe intermediate-agent format-type circuit-id string root
Device(config-if)# pppoe intermediate-agent format-type remote-id string granite
The following example shows how to enable PPPoE IA on a specific VLAN:
Switch# configure terminal
Switch(config)# interface FastEthernet 3/1
Switch(config-if)# vlan-range 5
Switch(config-if-vlan-range)# pppoe intermediate-agent
The following example shows how to enable PPPoE IA on a comma-separated VLAN list:
Switch# configure terminal
Switch(config)# interface FastEthernet 3/1
Switch(config-if)# vlan-range 5,6
Switch(config-if-vlan-range)# pppoe intermediate-agent
The following example shows how to enable PPPoE IA on a VLAN range such as “x-y”:
Switch# configure terminal
Switch(config)# interface FastEthernet 3/1
Switch(config-if)# vlan-range 5-9
Switch(config-if-vlan-range)# pppoe intermediate-agent
The following example shows how to set the circuit-id to aaa and the remote-id as ccc on interface g3/7:
Switch(config)# int g3/7
Switch(config-if)# vlan-range 5
Switch(config-if-vlan-range)# pppoe intermediate-agent
Switch(config-if-vlan-range)# pppoe intermediate-agent format-type circuit-id string aaa
Switch(config-if-vlan-range)# pppoe intermediate-agent format-type remote-id string ccc
The show pppoe intermediate-agent [info | statistics] [interface {interface}] command displays the various configuration parameters, statistics, and counters stored for PPPoE.
The info keyword appears if the PPPoE Intermediate Agent is enabled globally, on an interface, or on a VLAN (in an interface). It also informs you about the access node ID and generic error message of the switch, as well as the identifier string options, delimiter values configured globally, and the global circuit ID and remote ID configuration set by using the following command:
Switch(config)# pppoe intermediate-agent format-type ?
access-node-id Access Node Identifier
circuit-id Circuit Id
generic-error-message Generic Error Message
identifier-string Identifier String
remote-id Remote Id
The info keyword also displays the circuit ID, remote ID, trust and rate limit configurations, and vendor tag strip setting for all interfaces and for all VLANs pertaining to those interfaces. If any of these parameters are not set, they are not displayed.
The statistics option displays the number of PADI/PADR/PADT packets received, and the time the last packet was received on all interfaces and on all VLANs pertaining to those interfaces.
If interface is specified, information or statistics applicable only to that physical interface and pertaining VLANs is displayed.
Although PPPoE IA is supported on PVLANs, be aware that no PVLAN association (primary and secondary VLAN mapping) information is displayed.
The PPPoE IA show commands such as show pppoe intermediate-agent info, show pppoe intermediate-agent info interface g3/7, or show pppoe intermediate-agent statistics do not provide information about private VLAN association (primary and secondary VLAN mapping).
However, they do provide information about VLANs regardless of private or normal VLANs, as the following examples illustrate:
Switch# show pppoe intermediate-agent info
Switch PPPOE Intermediate-Agent is enabled
PPPOE Intermediate-Agent trust/rate is configured on the following Interfaces:
Interface IA Trusted Vsa Strip Rate limit (pps)
----------------------- -------- ------- --------- ----------------
GigabitEthernet3/4 no yes yes unlimited
PPPOE Intermediate-Agent is configured on following VLANs:
2-3
GigabitEthernet3/7 no no no unlimited
PPPOE Intermediate-Agent is configured on following VLANs:
-3
Switch# show pppoe intermediate-agent info interface g3/7
Interface IA Trusted Vsa Strip Rate limit (pps)
----------------------- -------- ------- --------- ----------------
GigabitEthernet3/7 yes no no unlimited
PPPOE Intermediate-Agent is configured on following VLANs:
-3
Switch# show pppoe intermediate-agent statistics
PPPOE IA Per-Port Statistics
---- -----------------
Interface : GigabitEthernet3/7
Packets received
All = 0
PADI = 0 PADO = 0
PADR = 0 PADS = 0
PADT = 0
Packets dropped:
Rate-limit exceeded = 0
Server responses from untrusted ports = 0
Client requests towards untrusted ports = 0
Malformed PPPoE Discovery packets = 0
The following statistics will be displayed when PPPoE IA feature is enabled on every VLAN interface and the PAD packet counters have a non-zero value.
switch# sh run int gi2/0/1
Building configuration...
Current configuration : 135 bytes
!
interface GigabitEthernet2/0/1
switchport mode trunk
pppoe intermediate-agent
vlan-range 200-201
pppoe intermediate-agent
end
Switch# show pppoe intermediate-agent statistics interface gi2/0/3
Interface: GigabitEthernet2/0/3
Packets received
All = 0
PADI = 0 PADO = 0
PADR = 0 PADS = 0
PADT = 0
Packets dropped:
Rate-limit exceeded = 0
Server responses from untrusted ports = 0
Client requests towards untrusted ports = 0
Malformed PPPoE Discovery packets = 0
Switch# show pppoe intermediate-agent statistics interface gi2/0/3
Interface: GigabitEthernet2/0/1
Packets received
All = 50
PADI = 20 PADO = 0
PADR = 20 PADS = 0
PADT = 10
Packets dropped:
Rate-limit exceeded = 0
Server responses from untrusted ports = 0
Client requests towards untrusted ports = 0
Malformed PPPoE Discovery packets = 0
Vlan 200: Packets received
PADI = 2 PADO = 0
PADR = 2 PADS = 0
PADT = 1
Vlan 201: Packets received
PADI = 2 PADO = 0
PADR = 2 PADS = 0
PADT = 1
This section illustrates how to clear packet counters on all interfaces (per-port and per-port-per-VLAN).
The following example illustrates how to do this:
Switch# clear pppoe intermediate-agent statistics
Issuing the above command clears the counters for all PPPoE discovery packets (PADI, PADO, PADR, PADS, PADT) received on the DUT.
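For monitoring, the "Packets dropped" counters in the statistics output are the ones worth polling. The following Python sketch is an added example, not part of the Cisco documentation: it parses two successive captures of the per-port output and reports which drop counters grew, treating a counter that went down as cleared by the clear command. The function names and sample counter values are constructed.

```python
import re

DROP_COUNTERS = (
    "Rate-limit exceeded",
    "Server responses from untrusted ports",
    "Client requests towards untrusted ports",
    "Malformed PPPoE Discovery packets",
)
_COUNTER_RE = re.compile(
    r"(%s)\s*=\s*(\d+)" % "|".join(re.escape(c) for c in DROP_COUNTERS))
_IFACE_RE = re.compile(r"^\s*Interface\s*:\s*(\S+)")

def parse_drops(output):
    """Map interface -> {drop counter: value} from the statistics output."""
    per_iface, current = {}, None
    for line in output.splitlines():
        m = _IFACE_RE.match(line)
        if m:
            current = m.group(1)
            per_iface[current] = dict.fromkeys(DROP_COUNTERS, 0)
        if current is not None:
            for name, value in _COUNTER_RE.findall(line):
                per_iface[current][name] = int(value)
    return per_iface

def new_drops(previous, current):
    """Return (interface, counter, increase) for counters that grew between polls.
    A value lower than the previous poll means the counters were cleared, so the
    whole current value counts as new."""
    before_all = parse_drops(previous)
    alerts = []
    for iface, counters in sorted(parse_drops(current).items()):
        before = before_all.get(iface, {})
        for name in DROP_COUNTERS:
            old, now = before.get(name, 0), counters[name]
            increase = now - old if now >= old else now
            if increase > 0:
                alerts.append((iface, name, increase))
    return alerts

# Constructed samples in the layout of the output above; values are invented.
POLL_1 = """\
Interface: GigabitEthernet2/0/1
Packets received
All = 50
PADI = 20 PADO = 0
PADR = 20 PADS = 0
PADT = 10
Packets dropped:
Rate-limit exceeded = 0
Server responses from untrusted ports = 3
Client requests towards untrusted ports = 0
Malformed PPPoE Discovery packets = 7
"""
# Second poll: server responses grew to 9; malformed was cleared and is now 2.
POLL_2 = POLL_1.replace("ports = 3", "ports = 9").replace("packets = 7", "packets = 2")

if __name__ == "__main__":
    for iface, name, increase in new_drops(POLL_1, POLL_2):
        print(f"{iface}: {name} +{increase}")
```

A growing "Server responses from untrusted ports" counter means PADO or PADS messages are arriving on a port not configured as trusted, which is the condition the trust setting exists to catch.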
The debug pppoe intermediate-agent [packet | event | all] command enables you to display useful PPPoE information that assists in debugging. This command is disabled by default.
The packet option of the command displays the contents of a packet received in the software: source and destination MAC address of Ethernet frame, code, version and type of PPPoE Discovery packet and a list of TAGs present.
The event option of the command echoes important messages (interface state change to errdisabled due to PPPoE discovery packets entering at a rate exceeding the configured limit). It is the only event shown by the debug pppoe intermediate-agent event command.
The all option enables both packet and event options.
The following example illustrates how to enter the debug command with the packet option:
Switch# debug pppoe intermediate-agent packet
PPPOE IA Packet debugging is on
*Sep 2 06:12:56.133: PPPOE_IA: Process new PPPoE packet, Message type: PADI, input interface:
Gi3/7, vlan : 2 MAC da: ffff.ffff.ffff, MAC sa: aabb.cc00.0000
*Sep 2 06:12:56.137: PPPOE_IA: received new PPPOE packet from inputinterface (GigabitEthernet3/4)
*Sep 2 06:12:56.137: PPPOE_IA: received new PPPOE packet from inputinterface (GigabitEthernet3/8)
*Sep 2 06:12:56.137: PPPOE_IA: Process new PPPoE packet, Message type: PADO, input interface:
Gi3/4, vlan : 2 MAC da: aabb.cc00.0000, MAC sa: 001d.e64c.6512
*Sep 2 06:12:56.137: PPPOE_IA: Process new PPPoE packet, Message type: PADO, input interface:
Gi3/8, vlan : 2 MAC da: aabb.cc00.0000, MAC sa: aabb.cc80.0000
*Sep 2 06:12:56.137: PPPOE_IA: received new PPPOE packet from inputinterface (GigabitEthernet3/7)
*Sep 2 06:12:56.137: PPPOE_IA: Process new PPPoE packet, Message type: PADR, input interface:
Gi3/7, vlan : 2 MAC da: 001d.e64c.6512, MAC sa: aabb.cc00.0000
*Sep 2 06:12:56.145: PPPOE_IA: received new PPPOE packet from inputinterface (GigabitEthernet3/4)
*Sep 2 06:12:56.145: PPPOE_IA: Process new PPPoE packet, Message type: PAD ut interface:
Gi3/4, vlan : 2 MAC da: aabb.cc00.0000, MAC sa: 001d.e64c.6512
The following example illustrates how to enter the debug command with the event option:
Switch# PPPOE I
*Jul 30 19:00:10.254: %PPPOE_IA-4-PPPOE_IA_ERRDISABLE_WARNING: PPPOE IA received 5 PPPOE
packets on interface Gi3/7
*Jul 30 19:00:10.254: %PPPOE_IA-4-PPPOE_IA_RATE_LIMIT_EXCEEDED: The interface Gi3/7 is
receiving more than the threshold set
*Jul 30 19:00:10.394: %PM-4-ERR_DISABLE: detected on
Gi3/7, putting Gi3/7 in err-disable stat
When the radius-server attribute 31 remote-id global configuration command is entered in the PPPoE Agent Remote-ID Tag and DSL Line Characteristics feature configuration on the BRAS, the debug radius privileged EXEC command can be used to generate a report that includes information about the incoming access interface, where discovery frames are received, and about the session being established in PPPoE extended NAS-Port format (format d).

Feature Name | Releases | Feature Information |
---|---|---|
PPPoE Intermediate Agent | Cisco IOS XE 15.2(6)E2 | Supports Point-to-point protocol over Ethernet intermediate agent (PPPoE IA) which is placed between a subscriber and broadband remote access server (BRAS). PPPoE IA helps the service provider BRAS to distinguish between end hosts connected over Ethernet to an access switch. |