Configuring the PPPoE Intermediate Agent
This chapter describes PPPoE Intermediate Agent on Cisco ME 3400E series switches. It includes the following sections:
- Understanding PPPoE Intermediate Agent
- Configuring PPPoE IA
- Displaying Configuration Parameters
- Clearing Packet Counters
- Debugging PPPoE Intermediate Agent
- Troubleshooting Tips
Note For complete syntax and usage information for the switch commands used in this chapter, refer to the Cisco ME 3400E Ethernet Access Switch Command Reference, Cisco IOS Release 12.2(60)EZ at:
http://www.cisco.com/en/US/partner/products/ps9637/prod_command_reference_list.html
Understanding PPPoE Intermediate Agent
PPPoE Intermediate Agent (PPPoE IA) sits between the subscriber and the broadband remote access server (BRAS) so that the service provider's BRAS can distinguish between end hosts that reach an access switch over Ethernet.
On the access switch, PPPoE IA provides subscriber line identification by tagging the Ethernet frames of different users. The tag carries information such as which subscriber is connected to the switch and in which VLAN.
PPPoE IA acts as a small security firewall between the host and the BRAS by intercepting all PPPoE Active Discovery (PAD) messages on a per-port, per-VLAN basis. It verifies PAD messages intercepted on untrusted ports, rate-limits PAD messages per port, and inserts vendor-specific tags (VSAs) into PAD messages or removes them.
PPPoE IA is supported on the following switchport modes:
Restrictions
- PPPoE IA is not supported on routed interfaces.
- Interface-based and interface-VLAN-based PPPoE IA configurations take effect only when PPPoE IA is enabled globally. Discovery packets are dropped if PPPoE IA is disabled globally.
- For an EtherChannel, configure PPPoE IA on the port-channel interface. If a member port is removed from the EtherChannel, the PPPoE IA configuration is not removed from that port.
- The ME 3400E supports up to 6000 PPPoE sessions when acting as an intermediate agent.
- Do not configure host-connected ports as PPPoE IA trusted; configure only the switch ports that connect to the BRAS as trusted. A trusted subscriber port bypasses the checks that PPPoE IA applies to untrusted ports.
- PPPoE IA on the ME 3400E supports global, per-port, and per-VLAN format configuration for generating the circuit-id and remote-id. Choose the level that meets your requirements.
- If you need to configure a large number of intermediate agent devices for PPPoE snooping, use the global format-type commands so that the feature generates the subscriber-line information in the VSA tag automatically.
Guidelines for PPPoE IA with EtherChannel
Use the following guidelines when configuring PPPoE IA on EtherChannel:
- PPPoE IA configuration is permitted only on a port-channel interface. An error message is displayed if you attempt to apply PPPoE IA to, or remove it from, a member port.
- Once configured on a port-channel interface, the configuration is applied to all member ports of the channel.
- If a member port that already has a PPPoE IA configuration is added to the EtherChannel, the port-channel configuration overwrites it.
Configuring PPPoE IA
To configure PPPoE IA, use the following procedures:
- Configuring PPPoE IA on the Switch
- Configuring PPPoE IA on an Interface
- Configuring PPPoE IA on a VLAN
Configuring PPPoE IA on the Switch
The following sections describe how to configure PPPoE IA at the switch level using global configuration commands:
Enabling PPPoE IA on a Switch
Beginning in privileged EXEC mode, follow these steps to enable or disable PPPoE IA globally on the switch:
Note By default, PPPoE IA is disabled globally.
- Step 1: Enter global configuration mode.
- Step 2: Enable PPPoE IA on the switch. Use the no form of the command to disable the PPPoE IA feature on the switch.
This example shows how to enable PPPoE IA:
Configuring the Access Node Identifier for PPPoE IA
If you do not specify the access node identifier, the switch uses the IP address of its management interface as the access node identifier.
Beginning in privileged EXEC mode, follow these steps to set the access node identifier string of the switch.
The following example shows how to set an access node identifier of switch123.
Configuring the Circuit-ID With Host Name and Port Name in Global Configuration Mode
By default, the circuit ID is automatically generated by the switch.
Beginning in privileged EXEC mode, follow these steps to manually set the circuit ID in global configuration mode.
The following example shows how to set the circuit ID in global configuration mode.
Note A circuit ID or remote ID configured for a specific VLAN on an interface takes precedence over the one configured on the interface, which in turn takes precedence over the globally configured circuit ID and remote ID.
Configuring the Identifier String, Option, and Delimiter for PPPoE IA
By default, the circuit ID is automatically generated by the switch.
Beginning in privileged EXEC mode, follow these steps to manually set the circuit ID:
The following example shows how to set an identifier string of circuit1, followed by the slot, port, and VLAN (option spv) delimited by “:”:
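The following Python model is an added example, not code from the Cisco guide. It shows how the circuit-id and remote-id that PPPoE IA inserts are resolved from the global, interface, and VLAN-on-interface settings described in this chapter: the most specific setting wins, the remote-id falls back to the switch MAC address, and a packet is only tagged when the feature is enabled globally and on either the port or the VLAN. The layout of the automatically generated circuit-id string is an assumption (TR-101 style "<access-node-id> eth <slot>/<port>:<vlan>" by default, and "<identifier-string> <slot>:<port>:<vlan>" once an identifier string with option spv and delimiter ":" is configured); verify the exact format on a switch with show pppoe intermediate-agent info. The port names, IDs, and addresses used are constructed.

```python
"""Added example (not Cisco code): how PPPoE IA picks the circuit-id and remote-id.

The generated-string layouts below are assumptions; confirm them with
'show pppoe intermediate-agent info' on the switch.  Names and addresses are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class GlobalFormat:
    access_node_id: str                      # defaults to the management interface IP if unset
    identifier_string: Optional[str] = None  # 'format-type identifier-string string ...'
    option: str = "spv"                      # which fields to append: sp, sv, pv or spv
    delimiter: str = ":"                     # one of : # . , ; / or the word 'space'


@dataclass
class IaConfig:
    enabled: bool = False                    # global 'pppoe intermediate-agent'
    fmt: GlobalFormat = field(default_factory=lambda: GlobalFormat("10.0.0.1"))
    switch_mac: str = "00:11:22:33:44:55"   # default remote-id
    port_enabled: Dict[str, bool] = field(default_factory=dict)            # "slot/port" -> enabled
    port_ids: Dict[str, Dict[str, str]] = field(default_factory=dict)      # "slot/port" -> ids
    vlan_enabled: Dict[Tuple[str, int], bool] = field(default_factory=dict)
    vlan_ids: Dict[Tuple[str, int], Dict[str, str]] = field(default_factory=dict)


def auto_circuit_id(fmt: GlobalFormat, slot: str, port: str, vlan: int) -> str:
    """Automatic circuit-id.  Assumed layout: TR-101 style '<node> eth <slot>/<port>:<vlan>'
    by default, '<identifier-string> <fields joined by delimiter>' once an identifier string is set."""
    if fmt.identifier_string is None:
        return f"{fmt.access_node_id} eth {slot}/{port}:{vlan}"
    fields = {"s": slot, "p": port, "v": str(vlan)}
    delim = " " if fmt.delimiter == "space" else fmt.delimiter
    return f"{fmt.identifier_string} " + delim.join(fields[c] for c in fmt.option)


def is_active(cfg: IaConfig, port: str, vlan: int) -> bool:
    """The global enable gates everything; a per-VLAN enable does not need the port enable."""
    return cfg.enabled and (cfg.port_enabled.get(port, False)
                            or cfg.vlan_enabled.get((port, vlan), False))


def effective_ids(cfg: IaConfig, port: str, vlan: int) -> Tuple[str, str]:
    """Precedence from the note above: VLAN on the interface, then the interface, then global."""
    slot, portnum = port.split("/")
    v = cfg.vlan_ids.get((port, vlan), {})
    p = cfg.port_ids.get(port, {})
    circuit = v.get("circuit-id") or p.get("circuit-id") or auto_circuit_id(cfg.fmt, slot, portnum, vlan)
    remote = v.get("remote-id") or p.get("remote-id") or cfg.switch_mac
    return circuit, remote


def tag_for(cfg: IaConfig, port: str, vlan: int) -> Optional[Tuple[str, str]]:
    """IDs the agent would insert for a discovery packet on (port, vlan); None if it does not tag it."""
    return effective_ids(cfg, port, vlan) if is_active(cfg, port, vlan) else None


def demo_config() -> IaConfig:
    """Constructed configuration that mirrors the examples in this chapter."""
    cfg = IaConfig(enabled=True, fmt=GlobalFormat("switch123", "circuit1", "spv", ":"))
    cfg.port_enabled["3/1"] = True                       # automatic IDs only
    cfg.port_enabled["3/2"] = True
    cfg.port_ids["3/2"] = {"circuit-id": "root", "remote-id": "granite"}
    cfg.vlan_ids[("3/2", 200)] = {"circuit-id": "aaa", "remote-id": "ccc"}
    cfg.vlan_enabled[("3/3", 300)] = True                # VLAN enabled, port not enabled
    return cfg


if __name__ == "__main__":
    cfg = demo_config()
    for port, vlan in [("3/1", 100), ("3/2", 100), ("3/2", 200), ("3/3", 300), ("3/3", 301)]:
        print(port, vlan, tag_for(cfg, port, vlan))
```

The resolver is what a BRAS-side RADIUS policy has to agree with: if the access switch is reconfigured from automatic IDs to per-interface strings, the circuit-id seen upstream changes shape, so keep the two sides in step.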
Configuring the Generic Error Message for PPPoE IA
PPPoE IA adds a generic error message only on one specific error condition (see the note at the end of this section). If you do not specify the string, no error message is added.
Beginning in privileged EXEC mode, follow these steps to specify a generic error message:
- Step 1: Enter global configuration mode.
- Step 2: pppoe intermediate-agent format-type generic-error-message string message. Specify the ASCII string value for the generic error message.
The following example shows how to configure a generic message of packet_length>1484:
By default the generic-error-message is not set. The string value is converted to UTF-8 before it is added to the response. A message similar to the following displays:
Note This tag (0x0203, Generic-Error) indicates an error. PPPoE IA adds it to the PPPoE Active Discovery Offer (PADO) or PPPoE Active Discovery Session-confirmation (PADS) packet that it generates and sends back to the user in reply to a PPPoE Active Discovery Initiation (PADI) or PPPoE Active Discovery Request (PADR) whose PPPoE payload is greater than 1484 bytes. The error data must be a UTF-8 string.
Configuring PPPoE IA on an Interface
The following sections describe how to configure PPPoE IA at the interface level using interface configuration commands:
Enabling PPPoE IA on an Interface
Use the steps in this section to enable PPPoE IA on an interface.
This setting applies to all frames passing through the interface, regardless of the VLAN to which they belong. By default, PPPoE IA is disabled on all interfaces, so you must run this command on every interface that requires the feature.
Prerequisite
You must enable PPPoE IA on the switch in the global configuration mode. See Enabling PPPoE IA on a Switch.
Configuration
Beginning in privileged EXEC mode, follow these steps to enable or disable PPPoE IA on an interface:
- Step 1: Enter interface configuration mode.
- Step 2: Enable PPPoE IA on the interface. Use the no form of the command to disable it.
The following example shows how to enable PPPoE IA on FastEthernet 3/1:
Note Enabling PPPoE IA on an interface does not by itself ensure that incoming packets are tagged. PPPoE IA must also be enabled globally, and at least one interface that connects the switch to the PPPoE server must be configured as trusted.
Configuring the PPPoE IA Trust Setting on an Interface
Configure the interfaces that connect the switch to the PPPoE server as trusted. Leave the interfaces that connect the switch to users (PPPoE clients) untrusted.
The trust setting is disabled by default, so every interface is untrusted until you change it.
Beginning in privileged EXEC mode, follow these steps to set a physical interface as trusted:
- Step 1: Enter interface configuration mode.
- Step 2: Set the interface as trusted.
The following example shows how to set FastEthernet interface 3/1 as trusted:
Configuring PPPoE IA Rate Limiting Setting on an Interface
You can limit the rate (packets per second) at which PPPoE discovery packets (PADI, PADO, PADR, PADS, and PADT) are received on an interface. When the incoming packet rate reaches or exceeds the configured limit, the port enters the error-disabled state and shuts down.
Note The limit applies to the physical interface, not to individual VLANs. If traffic on a single VLAN of a trunk port exceeds the limit, the entire interface is error-disabled, which also brings down the traffic of every other VLAN on that interface.
If you set a limit on the interface that connects the access switch to the BRAS, use a higher value than on subscriber ports, because the BRAS aggregates all the PPPoE discovery traffic for the access switch through that interface.
Beginning in privileged EXEC mode, follow these steps to set a rate limit:
- Step 1: Enter interface configuration mode.
- Step 2: Set the rate limit in packets per second. By default no rate limit is set; set an explicit limit to throttle PPPoE discovery packets.
The following example shows how to set a rate limit of 30 at FastEthernet 3/1:
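The following Python model is an added example, not code from the guide. It reproduces the behaviour described above: one counter per physical port, and the port is error-disabled as soon as the number of discovery packets seen in a one-second window reaches the limit. Whether the packet that trips the limit is itself forwarded is not stated on this page; the model drops it. The trunk scenario with VLANs 10 and 20 is constructed to show the caveat in the note: a burst on one VLAN takes the other VLAN's traffic down with it.

```python
"""Added example (not Cisco code): per-port PPPoE discovery rate limit with err-disable.

Assumption: the packet that makes the one-second count reach the limit is dropped
along with the port.  Traffic patterns below are constructed.
"""
import collections
from typing import Dict, Iterable, Optional, Tuple


class PortRateLimiter:
    """One limiter per physical port, counting PADI/PADO/PADR/PADS/PADT on every VLAN of the port."""

    def __init__(self, limit_pps: Optional[int] = None, window: float = 1.0):
        self.limit = limit_pps            # None = no rate limit (the default)
        self.window = window
        self.arrivals = collections.deque()
        self.errdisabled = False

    def accept(self, now: float) -> bool:
        """Return True if a discovery packet arriving at time `now` may be processed."""
        if self.errdisabled:
            return False                  # port stays down until an administrator recovers it
        while self.arrivals and now - self.arrivals[0] >= self.window:
            self.arrivals.popleft()       # forget packets older than the window
        self.arrivals.append(now)
        if self.limit is not None and len(self.arrivals) >= self.limit:
            self.errdisabled = True       # rate reached or exceeded: the whole port goes err-disabled
            return False
        return True


def simulate(limit_pps: Optional[int], packets: Iterable[Tuple[float, int]]) -> Tuple[Dict[int, int], bool]:
    """Feed (time, vlan) packets through one port; return accepted count per VLAN and the port state."""
    port = PortRateLimiter(limit_pps)
    accepted: Dict[int, int] = collections.Counter()
    for t, vlan in sorted(packets):
        if port.accept(t):
            accepted[vlan] += 1
    return dict(accepted), port.errdisabled


def trunk_scenario() -> Tuple[Dict[int, int], bool]:
    """Constructed: a 40-packet PADI burst on VLAN 10 of a trunk limited to 30 pps,
    while VLAN 20 on the same port sends one packet per second.  VLAN 20 is collateral damage."""
    burst = [(0.5 + i * 0.01, 10) for i in range(40)]
    steady = [(float(s), 20) for s in range(5)]
    return simulate(30, burst + steady)


def steady_scenario() -> Tuple[Dict[int, int], bool]:
    """Constructed: 20 pps on a single VLAN stays under a 30 pps limit indefinitely."""
    return simulate(30, [(i * 0.05, 10) for i in range(100)])


if __name__ == "__main__":
    print("trunk:", trunk_scenario())
    print("steady:", steady_scenario())
```

In the trunk scenario only one VLAN 20 packet gets through before the burst on VLAN 10 err-disables the port; the remaining VLAN 20 packets are lost even though VLAN 20 itself never exceeded anything. Size the limit on the BRAS-facing port for the sum of all subscriber ports behind it, not for a single subscriber.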
Configuring PPPoE IA Vendor-tag Stripping on an Interface
Vendor-specific tags (VSAs) carry subscriber and line identification information in the packets.
Vendor-tag stripping involves removing the VSAs from PADO, PADS, and PADT packets that are received on an interface before forwarding them to the user.
You configure vendor-tag stripping on interfaces connected to the PPPoE server.
This setting is disabled by default.
Note The BRAS normally strips the vendor-specific tag from PPPoE discovery packets before sending them downstream to the access switch. To interoperate with an older BRAS that lacks this capability, use the pppoe intermediate-agent vendor-tag strip command on the interface that connects the access switch to the BRAS.
Prerequisites
Configuration
Beginning in privileged EXEC mode, follow these steps to enable stripping on an interface:
- Step 1: Enter interface configuration mode.
- Step 2: Enable vendor-tag stripping on the interface with the pppoe intermediate-agent vendor-tag strip command.
The following example shows how to enable stripping on FastEthernet 3/1:
Configuring PPPoE IA Circuit-ID and Remote-ID on an Interface
You can configure the circuit ID and remote ID on a physical interface. The PADI, PADR, and PADT packets (belonging to the PPPoE discovery stage) that are received on this physical interface are tagged with these IDs. The interface-level IDs apply to packets from every VLAN for which PPPoE IA has not been separately configured on that interface.
Set the circuit ID on an interface to override the circuit ID that the switch generates automatically.
Set the remote ID to carry subscriber link identification. Configure the remote ID on every interface on which you enabled PPPoE IA; otherwise the remote ID defaults to the switch MAC address.
Beginning in privileged EXEC mode, follow these steps to configure the circuit ID and remote ID on an interface:
- Step 1: Enter interface configuration mode.
- Step 2: Set the circuit ID and/or remote ID for the interface.
The following example shows how to configure the circuit ID as root and the remote ID as granite:
When you configure the PPPoE intermediate agent circuit ID and remote ID on an interface, note the following:
- When PPPoE IA is enabled globally, a TCAM entry is added to snoop packets with EtherType 0x8863 (PPPoE Discovery). When that entry is not present, the switch treats these packets as normal data packets.
- In a daisy chain of switches between the client and the BRAS, PPPoE IA must be enabled both globally and on the interface on each switch. On the intermediate links of the chain, enable PPPoE IA on the connected interfaces so that those switches snoop the packets.
- Configure the PPPoE IA trust setting on the interface that leads toward the server on every switch in the chain. If PPPoE IA is also enabled on that interface, the packets are snooped and the circuit ID is rewritten.
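The following Python model is an added example, not Cisco code, of what PPPoE IA does to discovery frames at the wire level. It covers the tag insertion described under Understanding PPPoE Intermediate Agent, the Generic-Error reply described under Configuring the Generic Error Message for PPPoE IA, the vendor-tag stripping described under Configuring PPPoE IA Vendor-tag Stripping on an Interface, and the per-interface circuit ID and remote ID above. Frame layout follows RFC 2516 (EtherType 0x8863, ver/type 0x11, code, session ID, length, then TLV tags); the line identification goes in the Vendor-Specific tag (0x0105) with the Broadband Forum vendor ID 0x00000DE9 and sub-TLVs 0x01 (Agent-Circuit-ID) and 0x02 (Agent-Remote-ID), and Generic-Error is tag 0x0203. Three points are assumptions rather than statements from this page: that PADO and PADS arriving on an untrusted port are dropped, that an oversized packet is dropped when no error message is configured, and that a vendor tag already present in a subscriber's PADI is replaced rather than appended to (otherwise a subscriber could forge its own line ID). The MAC addresses and sample frames are constructed.

```python
"""Added example (not Cisco code): PPPoE IA handling of discovery frames on the wire.

Layout per RFC 2516; line identification per Broadband Forum TR-101 in the
Vendor-Specific tag.  MACs and frames below are constructed.  Assumptions:
PADO/PADS arriving on an untrusted port are dropped, an oversized packet with
no error message configured is dropped, and a subscriber-supplied vendor tag
is replaced (never appended to) so the line ID cannot be forged.
"""
import struct

ETH_PPPOE_DISC = 0x8863
PADI, PADO, PADR, PADS, PADT = 0x09, 0x07, 0x19, 0x65, 0xA7
TAG_SERVICE_NAME, TAG_VENDOR_SPECIFIC, TAG_GENERIC_ERROR = 0x0101, 0x0105, 0x0203
BBF_VENDOR_ID = 0x00000DE9               # IANA enterprise number 3561 (DSL/Broadband Forum)
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 0x01, 0x02
MAX_PAYLOAD = 1484                       # limit named in this chapter
PPPOE_HDR = struct.Struct("!BBHH")       # ver/type, code, session id, payload length
SWITCH_MAC = bytes.fromhex("001122334455")   # constructed
CLIENT_MAC = bytes.fromhex("0a0b0c0d0e0f")   # constructed
BRAS_MAC = bytes.fromhex("005056000001")     # constructed
BROADCAST = b"\xff" * 6


def parse(frame: bytes):
    """None for anything that is not PPPoE Discovery; otherwise header fields plus [(tag, value)]."""
    if len(frame) < 20 or struct.unpack("!H", frame[12:14])[0] != ETH_PPPOE_DISC:
        return None
    _vt, code, sid, length = PPPOE_HDR.unpack(frame[14:20])
    payload, tags, i = frame[20:20 + length], [], 0
    while i + 4 <= len(payload):
        t, l = struct.unpack("!HH", payload[i:i + 4])
        tags.append((t, payload[i + 4:i + 4 + l]))
        i += 4 + l
    return {"dst": frame[:6], "src": frame[6:12], "code": code, "sid": sid, "length": length, "tags": tags}


def build(dst: bytes, src: bytes, code: int, sid: int, tags) -> bytes:
    """Assemble an Ethernet + PPPoE Discovery frame from a list of (tag, value) pairs."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return dst + src + struct.pack("!H", ETH_PPPOE_DISC) + PPPOE_HDR.pack(0x11, code, sid, len(payload)) + payload


def vendor_tag(circuit_id: str, remote_id: str) -> bytes:
    """Value of the 0x0105 tag: vendor ID, then sub-TLVs 0x01 circuit-id and 0x02 remote-id."""
    c, r = circuit_id.encode(), remote_id.encode()
    return (BBF_VENDOR_ID.to_bytes(4, "big") + bytes([SUB_CIRCUIT_ID, len(c)]) + c
            + bytes([SUB_REMOTE_ID, len(r)]) + r)


def vendor_tags(tags):
    return [v for t, v in tags if t == TAG_VENDOR_SPECIFIC]


def agent(frame: bytes, trusted: bool, circuit_id: str, remote_id: str, strip: bool = False, error_msg=None):
    """Apply PPPoE IA to one frame received on a port.  Returns (action, frame)."""
    pkt = parse(frame)
    if pkt is None:
        return "forward", frame          # not discovery: switched as ordinary data
    code, tags = pkt["code"], pkt["tags"]
    if trusted:                          # port toward the BRAS
        if strip and code in (PADO, PADS, PADT):
            tags = [(t, v) for t, v in tags if t != TAG_VENDOR_SPECIFIC]
            return "forward", build(pkt["dst"], pkt["src"], code, pkt["sid"], tags)
        return "forward", frame
    if code not in (PADI, PADR, PADT):   # server-side messages from a subscriber port
        return "drop", frame
    if pkt["length"] > MAX_PAYLOAD:      # no room to add the tag
        if error_msg is None or code == PADT:
            return "drop", frame
        reply = build(pkt["src"], SWITCH_MAC, PADO if code == PADI else PADS, 0,
                      [(TAG_SERVICE_NAME, b""), (TAG_GENERIC_ERROR, error_msg.encode("utf-8"))])
        return "reply", reply
    tags = [(t, v) for t, v in tags if t != TAG_VENDOR_SPECIFIC]   # discard anything the client sent
    tags.append((TAG_VENDOR_SPECIFIC, vendor_tag(circuit_id, remote_id)))
    return "forward", build(pkt["dst"], pkt["src"], code, pkt["sid"], tags)


if __name__ == "__main__":
    padi = build(BROADCAST, CLIENT_MAC, PADI, 0, [(TAG_SERVICE_NAME, b"")])
    action, out = agent(padi, trusted=False, circuit_id="circuit1 3:1:100", remote_id="00:11:22:33:44:55")
    print(action, vendor_tags(parse(out)["tags"]))
```

The replace-not-append rule is the part worth checking on real hardware: feed a PADI that already carries a 0x0105 tag into an untrusted port and confirm with debug pppoe intermediate-agent packet that only the switch's own circuit-id reaches the BRAS.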
Configuring PPPoE IA on a VLAN
The following sections describe how to configure PPPoE IA for specific VLANs on an interface, using interface VLAN configuration commands:
Enabling PPPoE IA for a Specific VLAN on an Interface
You can enable PPPoE IA on either a specific VLAN, a comma-separated list such as “x,y,” or a range such as “x-y.”
Enabling PPPoE IA on VLANs is not dependent upon enabling PPPoE IA on the interfaces.
Prerequisites
Configuration
Beginning in privileged EXEC mode, follow these steps to enable PPPoE IA on one VLAN or a group of VLANs:
- Step 1: Enter interface configuration mode.
- Step 2: Enter VLAN configuration mode. For a specific VLAN, enter the VLAN ID; for several VLANs, enter a comma-separated list or a range.
- Step 3: Enable PPPoE IA on the VLAN or VLANs.
The following examples show how to enable PPPoE on VLANs:
Configuring PPPoE IA Circuit-ID and Remote-ID for a VLAN on an Interface
You can set the circuit ID and remote ID for a specific VLAN on an interface. These values override the circuit ID and remote ID specified for the physical interface; the switch uses the configured string to tag packets received on this VLAN. This parameter is not set by default.
Set the circuit ID on a VLAN to override the automatic generation of the circuit ID by the switch.
The default value of remote-id is the switch MAC address (for all VLANs). Set this parameter to encode subscriber-specific information.
Prerequisites
Configuration
Beginning in privileged EXEC mode, follow these steps to set the circuit ID and remote ID on one VLAN or a group of VLANs:
This example shows how to set the circuit-id to aaa and the remote-id as ccc on interface FastEthernet 3/2:
Displaying Configuration Parameters
Use the show pppoe intermediate-agent [info | statistics] [interface interface-id] command to display the configuration parameters, statistics, and counters stored for PPPoE IA. This section contains examples of this command and sample output.
Although PPPoE IA is supported on private VLANs, no association (primary and secondary VLAN mapping) information is displayed.
PPPoE IA Information for All Interfaces
Use the following command to show the interfaces and VLANs on which PPPoE is configured:
PPPoE Information for an Interface
Use the following command to show PPPoE information for a specified interface:
Use the following command to show the number of PADI/PADR/PADT packets received, and the time the last packet was received on all interfaces and on all VLANs pertaining to those interfaces.
Use the following command to show statistics for a specified interface:
Clearing Packet Counters
Use the following command to clear packet counters on all interfaces (per-port and per-port-per-VLAN):
Debugging PPPoE Intermediate Agent
Use the debug pppoe intermediate-agent [packet | event | all] command to display useful PPPoE information that assists in debugging. This section contains examples of this command and sample data.
The all option enables both the packet and event options.
Use the following command to display the contents of a packet received in the software: source and destination MAC address of Ethernet frame, code, version and type of PPPoE Discovery packet and a list of TAGs present:
Use the following command to receive messages about PPPoE events:
Troubleshooting Tips
Use the debug radius privileged EXEC command to generate a report that includes information about the incoming access interface on which discovery frames are received, and about the session being established, in PPPoE extended NAS-Port format (format d).