PPPoE Intermediate Agent
The Point-to-Point Protocol over Ethernet intermediate agent (PPPoE IA) is placed between a subscriber and the broadband remote access server (BRAS). PPPoE IA helps the service provider BRAS to distinguish between end hosts connected over Ethernet and an access device. The topology of a typical PPPoE implementation is shown in the figure below.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Toolkit and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
- Information About PPPoE Intermediate Agent
- Prerequisites for PPPoE Intermediate Agent
- Restrictions for PPPoE Intermediate Agent
- How to Configure PPPoE Intermediate Agent
- Verifying PPPoE IA Configuration
- Troubleshooting Tips
- Configuration Examples
- Additional References for PPPoE Intermediate Agent
Information About PPPoE Intermediate Agent
On the access switch, PPPoE IA enables subscriber line identification by appropriately tagging the Ethernet frames of different users. The tag contains specific information, such as which subscriber is connected to the switch and the Ethernet flow point (EFP).
PPPoE IA acts as a mini security firewall between the host and the BRAS by intercepting all PPPoE Active Discovery (PAD) messages on a per-port, per-EFP basis. It provides specific security features, such as verifying intercepted PAD messages from untrusted ports, performing per-port PAD message rate limiting, and inserting and removing VSA tags into and from PAD messages, respectively.
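The following Python model of the per-port handling described above is an added example, not Cisco code and not part of the original page. It assumes the RFC 2516 PPPoE header and tag layout and a TR-101 style vendor tag (type 0x0105, vendor ID 0x00000DE9, sub-options 0x01 and 0x02); the function names, the verdict strings and the choice to replace a host-supplied vendor tag are assumptions of the example.

```python
import struct

# Assumed wire details (not given on the page): RFC 2516 header and tag
# layout; vendor tag 0x0105 with vendor ID 0x00000DE9 and TR-101 style
# sub-options 0x01 (circuit-id) and 0x02 (remote-id).
PADI, PADO, PADR, PADS, PADT = 0x09, 0x07, 0x19, 0x65, 0xA7
CLIENT_CODES, SERVER_CODES = {PADI, PADR, PADT}, {PADO, PADS}
VENDOR_TAG, VENDOR_ID = 0x0105, 0x00000DE9

def parse_tags(payload):
    """Split a discovery payload into (type, value) pairs; raise on bad TLVs."""
    tags, off = [], 0
    while off < len(payload):
        if off + 4 > len(payload):
            raise ValueError("truncated tag header")
        tag_type, length = struct.unpack_from("!HH", payload, off)
        if off + 4 + length > len(payload):
            raise ValueError("tag overruns payload")
        tags.append((tag_type, payload[off + 4:off + 4 + length]))
        off += 4 + length
    return tags

def build(code, session, tags):
    """Serialise a PPPoE discovery packet (Ethernet header omitted)."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", 0x11, code, session, len(body)) + body

def intermediate_agent(pkt, trusted, circuit_id, remote_id, strip=False):
    """Return (verdict, packet_or_None) for a PAD packet received on a port."""
    try:
        ver_type, code, session, length = struct.unpack_from("!BBHH", pkt)
        if (ver_type != 0x11 or length > len(pkt) - 6
                or code not in CLIENT_CODES | SERVER_CODES):
            raise ValueError("bad header")
        tags = parse_tags(pkt[6:6 + length])
    except (struct.error, ValueError):
        return "drop: malformed", None
    no_vsa = [(t, v) for t, v in tags if t != VENDOR_TAG]
    if not trusted:
        if code in SERVER_CODES:
            return "drop: server response from untrusted port", None
        # Modelling assumption: a host-supplied vendor tag is replaced.
        sub = b"".join(bytes([n, len(s)]) + s
                       for n, s in ((1, circuit_id), (2, remote_id)))
        vsa = (VENDOR_TAG, struct.pack("!I", VENDOR_ID) + sub)
        return "forward: tagged", build(code, session, no_vsa + [vsa])
    if strip and code in SERVER_CODES | {PADT}:
        return "forward: stripped", build(code, session, no_vsa)
    return "forward", pkt

# Constructed sample: PADI from a host that carries a forged vendor tag.
FORGED = (VENDOR_TAG, struct.pack("!I", VENDOR_ID) + b"\x01\x04fake")
SAMPLE_PADI = build(PADI, 0, [(0x0101, b""), FORGED])
```

Passing `SAMPLE_PADI` through an untrusted port yields a packet whose only vendor tag carries the agent's circuit-id and remote-id, while a PADO or PADS arriving on the same port is dropped.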
Prerequisites for PPPoE Intermediate Agent
- Interface and per-Bridge Domain (per-BD) based PPPoE IA configurations take effect only when the PPPoE IA feature is enabled globally. Discovery packets are switched or bridged if PPPoE IA is disabled globally.
- The PPPoE IA feature supports global, per-port, and per-BD based format configuration for generating the circuit-id and remote-id. Choose the appropriate option to meet the requirements.
- To configure a large number of intermediate agent devices for PPPoE IA, use the pppoe intermediate-agent command so that the feature automatically generates the subscriber-line information in the VSA tag.
- Enable PPPoE IA globally, per-Interface and per-BD.
Restrictions for PPPoE Intermediate Agent
- PPPoE IA is not supported on routed interfaces.
- PPPoE IA is not supported on Port-Channel.
- You can enable either PPPoE IA or PPPoE client on the device. You cannot have PPPoE IA and PPPoE client on the same device.
- More than 6000 PPPoE sessions are not supported on the device acting as an intermediate agent.
- PPPoE IA is only supported on physical interfaces and Bridge Domains.
- BRAS-connected ports are configured as trusted and host-connected ports as untrusted.
- When PPPoE IA is enabled globally on the device, the discovery packets received on an interface that has PPPoE IA disabled are dropped.
- Circuit-id and remote-id are configured globally, at the interface, or at the Bridge Domain level. PPPoE IA uses this to create the tag in the following way:
How to Configure PPPoE Intermediate Agent
The following tasks describe how to configure PPPoE IA on a device:
Enabling or Disabling PPPoE IA on a Device
To enable or disable PPPoE IA globally on the device, complete the following steps:
enable
configure terminal
pppoe intermediate-agent
end
- Configuring the Access Node Identifier for PPPoE IA
- Configuring the Generic Error Message for PPPoE IA
- Configuring the Identifier String, Option, and Delimiter for PPPoE IA
Configuring the Access Node Identifier for PPPoE IA
Note | If you do not specify the access node identifier of the switch, the value is automatically set as 0.0.0.0. |
enable
configure terminal
pppoe intermediate-agent format-type access-node-id string switch123
end
Configuring the Generic Error Message for PPPoE IA
Note | PPPoE IA sends a generic error message only on specific error conditions. If you do not specify string {message}, the error message is not added. |
enable
configure terminal
pppoe intermediate-agent format-type generic-error-message string
end
Configuring the Identifier String, Option, and Delimiter for PPPoE IA
The pppoe intermediate-agent format-type identifier-string string circuit1 option command has the following options
enable
configure terminal
pppoe intermediate-agent format-type identifier-string string circuit1 option spv delimiter :
end
Enabling or Disabling PPPoE IA on an Interface
Note | This setting applies to all frames passing through this interface, regardless of the EFP to which they belong. By default the PPPoE IA feature is disabled on all interfaces. You need to run this command on every interface that requires this feature. |
Before You Begin
You must enable PPPoE IA on the device in the global configuration mode.
enable
configure terminal
interface GigabitEthernet 0/0/1
pppoe intermediate-agent
end
- Enabling or Disabling PPPoE IA on BD
- Configuring PPPoE IA Circuit-ID on an Interface
- Configuring PPPoE IA Remote-ID on an Interface
- Configuring PPPoE IA Rate Limiting Setting on an Interface
- Configuring the PPPoE IA Trust Setting on an Interface
- Configuring PPPoE IA Vendor-tag Stripping on an Interface
Enabling or Disabling PPPoE IA on BD
PPPoE IA can be configured to add specific information as part of subscriber identification. This can be configured on a per-port and per-port-per-bridge-domain basis. Use the per-bridge-domain configuration when specific packets received on a particular bridge domain need to be differentiated from other packets received on that interface.
To enable or disable PPPoE IA on BD, complete the following steps:
Before You Begin
You must enable PPPoE IA on the device in the global configuration mode.
enable
configure terminal
interface GigabitEthernet 0/1/1
pppoe intermediate-agent bridge-domain 40
end
Configuring PPPoE IA Circuit-ID on an Interface
You can configure the circuit-id at the interface level. The PADI, PADR, and PADT packets (PPPoE discovery packets) received on this physical interface are IA-tagged with the circuit-id configured by the pppoe intermediate-agent format-type circuit-id string word command, irrespective of the Bridge Domain (BD). This command overrides the global-level circuit-id configuration and the automatic generation of the circuit-id by the switch.
This parameter is not set by default.
Note | If BD is enabled with PPPoE IA, BD level circuit-id configuration overwrites all other circuit-id configuration, for the packets that are received on that particular BD. |
To configure the circuit-ID on an interface, complete the following steps:
enable
configure terminal
interface GigabitEthernet 0/0/1
pppoe intermediate-agent format-type circuit-id string root
end
Configuring PPPoE IA Circuit-ID on BD
This configuration overrides the circuit-id configuration specified at the interface or global level. The packets received on the specified bridge domain get the PPPoE IA tag with the configured circuit-id. By default the pppoe intermediate-agent bridge-domain <bridge-domain_num> circuit-id {string {WORD}} command is not configured.
Before You Begin
You must enable PPPoE IA globally and on the particular BD.
To configure the circuit-ID on BD, complete the following steps:
enable
configure terminal
interface GigabitEthernet 0/0/1
pppoe intermediate-agent bridge-domain 50 circuit-id string ct1
end
Configuring PPPoE IA Remote-ID on an Interface
You can configure the remote-id at the interface level. The PADI, PADR, and PADT packets (PPPoE discovery packets) received on this physical interface are IA-tagged with the remote-id configured by the pppoe intermediate-agent format-type remote-id string word command, irrespective of the BD. This command overrides the global-level remote-id configuration and the automatic generation of the remote-id by the device.
This parameter is not set by default.
Note | If BD is enabled with PPPoE IA, BD level remote-id configuration overwrites all other remote-id configuration, for the packets that are received on that particular BD. |
enable
configure terminal
interface GigabitEthernet 0/0/1
pppoe intermediate-agent format-type remote-id string granite
end
Configuring PPPoE IA Remote-ID on BD
This configuration overrides the remote-id configuration specified at the interface or global level. The packets received on the specified bridge domain get the PPPoE IA tag with the configured remote-id. By default the pppoe intermediate-agent bridge-domain <bridge-domain_num> remote-id {string {WORD}} command is not configured.
Note | The default value of remote-id is the router MAC address (for all bridge-domains). |
Before You Begin
You must enable PPPoE IA globally and on the particular BD.
To configure the remote-ID on BD, complete the following steps:
enable
configure terminal
interface GigabitEthernet 0/1/1
pppoe intermediate-agent bridge-domain 50 remote-id string RD1
end
Configuring PPPoE IA Rate Limiting Setting on an Interface
You can limit the rate (packets per second) at which PPPoE discovery packets (PADI, PADO, PADR, PADS, and PADT) are received on an interface. When the incoming packet rate reaches or exceeds the configured limit, the port enters an error-disabled state and shuts down.
Note | This limit applies to the physical interface to counter misbehaving hosts. Even if a single EFP misbehaves on an interface in trunk mode, the entire interface is shut down (error-disabled), bringing down other EFP traffic on the interface. |
If you set the limit on the interface that connects the access switch to the BRAS, use a higher value, since the BRAS aggregates all the PPPoE traffic to the access switch through this interface.
enable
configure terminal
interface GigabitEthernet 0/1/1
pppoe intermediate-agent limit rate 30
end
Configuring the PPPoE IA Trust Setting on an Interface
Interfaces that connect the device to the PPPoE server are configured as trusted. Interfaces that connect the device to users (PPPoE clients) are untrusted.
This setting is disabled by default.
enable
configure terminal
interface GigabitEthernet 0/0/1
pppoe intermediate-agent
pppoe intermediate-agent trust
end
Configuring PPPoE IA Vendor-tag Stripping on an Interface
Vendor-specific tags (VSAs) carry subscriber and line identification information in the packets.
Vendor-tag stripping involves removing the VSAs from PADO, PADS, and PADT packets that are received on an interface before forwarding them to the user.
You can configure vendor-tag stripping on interfaces connected to the PPPoE server.
This setting is disabled by default.
Note | The BRAS automatically strips the vendor-specific tag from the PPPoE discovery packets before sending them downstream to the access switch. To operate with an older BRAS that does not have this capability, use the pppoe intermediate-agent vendor-tag strip command on the interface connecting the access switch to the BRAS. |
To enable stripping on an interface, complete the following steps:
Before You Begin
enable
configure terminal
interface GigabitEthernet 0/0/1
pppoe intermediate-agent vendor-tag strip
end
Verifying PPPoE IA Configuration
Clearing Packet Counters
Use the following command to clear packet counters for all PPPoE discovery packets (PADI, PADO, PADR, PADS, PADT) on all interfaces (per-port and per-port-per-EFP):
Router# clear pppoe intermediate-agent statistics
Use the following command to clear packet counters on a selected interface:
Router# clear pppoe intermediate-agent statistics interface type slot/subslot/port
Example:
Router# clear pppoe intermediate-agent statistics interface gigabitEthernet 0/0/3
Verifying Interface Statistics
Use the following command to view the statistics of all the interfaces on which PPPoE IA is enabled:
Router# show pppoe intermediate-agent statistics
PPPOE IA Per-Port Statistics
---- -----------------
Interface : GigabitEthernet0/0/24
Packets received
  All = 53
  PADI = 17 PADO = 0
  PADR = 17 PADS = 0
  PADT = 19
Packets dropped:
  Rate-limit exceeded = 0
  Server responses from untrusted ports = 0
  Client requests towards untrusted ports = 0
  Malformed PPPoE Discovery packets = 0
BD 40: Packets received PADI = 8 PADO = 0 PADR = 8 PADS = 0 PADT = 9
BD 50: Packets received PADI = 9 PADO = 0 PADR = 9 PADS = 0 PADT = 10
Interface : GigabitEthernet0/0/24
Packets received
  All = 59
  PADI = 0 PADO = 19
  PADR = 0 PADS = 26
  PADT = 14
Packets dropped:
  Rate-limit exceeded = 0
  Server responses from untrusted ports = 0
  Client requests towards untrusted ports = 0
  Malformed PPPoE Discovery packets = 0
BD 40: Packets received PADI = 0 PADO = 12 PADR = 0 PADS = 15 PADT = 7
BD 50: Packets received PADI = 0 PADO = 7 PADR = 0 PADS = 11 PADT = 7
Use the following command to view the packet details on an interface:
Router# show pppoe intermediate-agent statistics interface type slot/subslot/port
Example:
Router# show pppoe intermediate-agent statistics interface gigabitEthernet 0/0/3
Interface : Gi 0/0/3
Packets received
  All = 0
  PADI = 0 PADO = 0
  PADR = 0 PADS = 0
  PADT = 0
Packets dropped:
  Rate-limit exceeded = 0
  Server responses from untrusted ports = 0
  Client requests towards untrusted ports = 0
  Malformed PPPoE Discovery packets = 0
BD 40: Packets received PADI = 0 PADO = 0 PADR = 0 PADS = 0 PADT = 0
BD 50: Packets received PADI = 0 PADO = 0 PADR = 0 PADS = 0 PADT = 0
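The "Packets dropped" counters are the part of this output worth monitoring: a non-zero "Server responses from untrusted ports" value means PADO or PADS packets arrived on a port configured as untrusted. The following Python parser is an added example, not part of the original page or a Cisco tool; the sample output, its interface names and the function names are constructed for illustration.

```python
import re

# Constructed sample output; interface names and values are made up.
SAMPLE = """\
Interface : GigabitEthernet0/0/3
Packets received
All = 41
PADI = 30 PADO = 4
PADR = 3 PADS = 2
PADT = 2
Packets dropped:
Rate-limit exceeded = 0
Server responses from untrusted ports = 6
Client requests towards untrusted ports = 0
Malformed PPPoE Discovery packets = 0
Interface : Gi 0/0/10
Packets received
All = 9
PADI = 0 PADO = 5
PADR = 0 PADS = 4
PADT = 0
Packets dropped:
Rate-limit exceeded = 0
Server responses from untrusted ports = 0
Client requests towards untrusted ports = 0
Malformed PPPoE Discovery packets = 0
"""

DROP_COUNTERS = (
    "Rate-limit exceeded",
    "Server responses from untrusted ports",
    "Client requests towards untrusted ports",
    "Malformed PPPoE Discovery packets",
)

def parse_drops(text):
    """Return {interface: {drop counter: value}}; works on wrapped or flat text."""
    stats = {}
    for block in re.split(r"(?=Interface\s*:)", text):
        name = re.match(r"Interface\s*:\s*([A-Za-z-]+\s?[\d/]+)", block)
        if not name:
            continue
        counters = stats.setdefault(name.group(1), {})
        for label in DROP_COUNTERS:
            hit = re.search(re.escape(label) + r"\s*=\s*(\d+)", block)
            if hit:  # an interface listed twice has its counters summed
                counters[label] = counters.get(label, 0) + int(hit.group(1))
    return stats

def findings(text):
    """List (interface, counter, value) for every non-zero drop counter."""
    return [(intf, label, value)
            for intf, counters in parse_drops(text).items()
            for label, value in counters.items() if value]
```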
Verifying PPPoE IA is Enabled
Router# show pppoe intermediate-agent info
PPPoE Intermediate-Agent is enabled
Global access-node-id is default
Global generic error msg is not set
Global identifier-string and delimiter are not set
PPPoE Intermediate-Agent trust/rate is configured on the following Interfaces:
Interface               IA       Trusted Vsa Strip Rate limit (pps)
----------------------- -------- ------- --------- ----------------
GigabitEthernet0/0/10   yes      no      no        unlimited
PPPoE Intermediate-Agent is configured on following bridge domains:
40,50
Verifying Configuration for PPPoE IA on an Interface
Router# show pppoe intermediate-agent info interface GigabitEthernet 0/0/10
Interface               IA       Trusted Vsa Strip Rate limit (pps)
----------------------- -------- ------- --------- ----------------
Gi 0/0/10               yes      no      no        unlimited
PPPoE Intermediate-Agent is configured on following bridge domains:
40,50
Troubleshooting Tips
- debug pppoe intermediate-agent packet—Displays the contents of a packet received in the software: source and destination MAC address of Ethernet frame, code, version and type of PPPoE Discovery packet and a list of TAGs present.
- debug pppoe intermediate-agent event—Provides debugging information about PPPoE events.
- debug radius—Generates a report that includes information about the incoming access interface, where discovery frames are received, and about the session being established in PPPoE extended NAS-Port format (format d).
Configuration Examples
Configuration Example for PPPoE IA on an Interface
enable
configure terminal
interface GigabitEthernet0/0/1
 no ip address
 media-type rj45
 negotiation auto
 pppoe intermediate-agent format-type circuit-id string cktid10
 pppoe intermediate-agent format-type remote-id string rmtid10
 pppoe intermediate-agent
 service instance 1 ethernet
  encapsulation dot1q 10
  rewrite ingress tag pop 1 symmetric
  bridge-domain 40
 !
end
Configuration Example for PPPoE IA on a Bridge Domain Interface
enable
configure terminal
interface GigabitEthernet0/0/1
 no ip address
 media-type rj45
 negotiation auto
 pppoe intermediate-agent bridge-domain 40 circuit-id string cktid-20
 pppoe intermediate-agent bridge-domain 40 remote-id string rmtid-20
 pppoe intermediate-agent bridge-domain 40
 service instance 1 ethernet
  encapsulation dot1q 10
  rewrite ingress tag pop 1 symmetric
  bridge-domain 40
 !
end
Configuration Example with Multiple Bridge Domains
enable
configure terminal
interface GigabitEthernet0/0/1
 no ip address
 media-type rj45
 negotiation auto
 pppoe intermediate-agent bridge-domain 40 circuit-id string cktid-20
 pppoe intermediate-agent bridge-domain 40 remote-id string rmtid-20
 pppoe intermediate-agent format-type circuit-id string cktid10
 pppoe intermediate-agent format-type remote-id string rmtid10
 pppoe intermediate-agent bridge-domain 40
 pppoe intermediate-agent
 service instance 1 ethernet
  encapsulation dot1q 20
  rewrite ingress tag pop 1 symmetric
  bridge-domain 40
 !
 service instance 2 ethernet
  encapsulation dot1q 10
  rewrite ingress tag pop 1 symmetric
  bridge-domain 30
 !
end
Additional References for PPPoE Intermediate Agent
The following sections provide references related to the PPPoE IA feature.
MIBs
MIB | MIBs link |
---|---|
None. | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: |
RFCs
RFC | Title |
---|---|
No new or modified RFCs are supported, and support for existing RFCs has not been modified. | — |
Technical Assistance
Description | Link |
---|---|
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. | http://www.cisco.com/cisco/web/support/index.html |