- Preface
- Product Overview
- Command-line Interfaces
- Configuring the Switch for the First Time
- Administering the Switch
- Configuring the Cisco IOS In Service Software Upgrade Process
- Configuring Interfaces
- Checking Port Status and Connectivity
- Configuring Supervisor Engine Redundancy Using RPR and SSO
- Configuring Cisco NSF with SSO Supervisor Engine Redundancy
- Environmental Monitoring and Power Management
- Configuring Power over Ethernet
- Configuring the Catalyst 4500 Series Switch with Cisco Network Assistant
- Configuring VLANs, VTP, and VMPS
- Configuring IP Unnumbered Interface
- Configuring Layer 2 Ethernet Interfaces
- Configuring SmartPort Macros
- Configuring STP and MST
- Configuring Flex Links and the MAC Address-Table Move Update Feature
- Configuring Resilient Ethernet Protocol
- Configuring Optional STP Features
- Configuring EtherChannels
- Configuring IGMP Snooping and Filtering
- Configuring IPv6 MLD Snooping
- Configuring 802.1Q and Layer 2 Protocol Tunneling
- Configuring CDP
- Configuring LLDP and LLDP-MED
- Configuring UDLD
- Configuring Unidirectional Ethernet
- Configuring Layer 3 Interfaces
- Configuring Cisco Express Forwarding
- Configuring Unicast Reverse Path Forwarding
- Configuring IP Multicast
- Configuring ANCP Client
- Configuring Policy-Based Routing
- Configuring VRF-lite
- Configuring Quality of Service
- Configuring Voice Interfaces
- Configuring Private VLANs
- Configuring 802.1X Port-Based Authentication
- Configuring PPPoE Intermediate Agent
- Configuring Web-Based Authentication
- Configuring Port Security
- Configuring Control Plane Policing
- Configuring DHCP Snooping, IP Source Guard, and IPSG for Static Hosts
- Configuring Dynamic ARP Inspection
- Configuring Network Security with ACLs
- Port Unicast and Multicast Flood Blocking
- Configuring Storm Control
- Configuring SPAN and RSPAN
- Configuring System Message Logging
- Configuring SNMP
- Configuring NetFlow
- Configuring Ethernet CFM and OAM
- Configuring Y.1731 (AIS and RDI)
- Configuring Cisco IOS IP SLAs Operations
- Configuring RMON
- Performing Diagnostics
- Configuring WCCP Version 2 Services
- ROM Monitor
- Configuring MIB Support
- Acronyms
- Index
- Overview
- Enabling PPPoE IA on a Switch
- Configuring the Access Node Identifier for PPPoE IA on a Switch
- Configuring the Identifier String, Option, and Delimiter for PPPoE IA on an Switch
- Configuring the Generic Error Message for PPPoE IA on an Switch
- Enabling PPPoE IA on an Interface
- Configuring the PPPoE IA Trust Setting on an Interface
- Configuring PPPoE IA Rate Limiting Setting on an Interface
- Configuring PPPoE IA Vendor-tag Stripping on an Interface
- Configuring PPPoE IA Circuit-ID and Remote-ID on an Interface
- Enabling PPPoE IA for a Specific VLAN on an Interface
- Configuring PPPoE IA Circuit-ID and Remote-ID for a VLAN on an Interface
Configuring the PPPoE Intermediate Agent
DSL Forum TR-101 [1] offers a means by which the PPPoE Discovery packets are tagged at the service provider's access switch with subscriber line specific information. The mechanism specifies using VSA of the PPPoE Discovery packets to add the line specific information at the switch. Even though you can perform Subscriber Line Identification (SLI) in another way (recreating virtual paths and circuits using stacked VLAN tags), DSL Forum 2004-071 [4] recommends the PPPoE Intermediate Agent mechanism. It cites lower provisioning costs and simpler co-ordination between OSS systems in charge of access switch and BRAS. PPPoE Intermediate Agent helps the service provider, BRAS, distinguish between end hosts connected over Ethernet to an access switch.
This chapter describes PPPoE Intermediate Agent on Catalyst 4500 series switches. It includes the following sections:
•Enabling PPPoE IA on a Switch
•Configuring the Access Node Identifier for PPPoE IA on a Switch
•Configuring the Identifier String, Option, and Delimiter for PPPoE IA on an Switch
•Configuring the Generic Error Message for PPPoE IA on an Switch
•Enabling PPPoE IA on an Interface
•Configuring the PPPoE IA Trust Setting on an Interface
•Configuring PPPoE IA Rate Limiting Setting on an Interface
•Configuring PPPoE IA Vendor-tag Stripping on an Interface
•Configuring PPPoE IA Circuit-ID and Remote-ID on an Interface
•Enabling PPPoE IA for a Specific VLAN on an Interface
•Configuring PPPoE IA Circuit-ID and Remote-ID for a VLAN on an Interface
Overview
PPPoE Intermediate Agent (PPPoE IA) is placed between a subscriber and BRAS to help the service provider BRAS distinguish between end hosts connected over Ethernet to an access switch. On the access switch, PPPoE IA enables Subscriber Line Identification by appropriately tagging Ethernet frames of different users. (The tag contains specific information like which subscriber is connected to the switch and VLAN.) PPPoE IA acts as mini security firewall between host and BRAS by intercepting all PPPoE Active Discovery (PAD) messages on a per-port per-vlan basis. It provides specific security feature such as verifying the intercepted PAD message from untrusted port, performing per port PAD message rate limiting, inserting and removing VSA Tags into and from PAD messages, respectively.
Enabling PPPoE IA on a Switch
This functionality allows you to enable or disable PPPoE IA globally on the switch:
Switch> enable
Switch# configure terminal
Switch(config)# pppoe intermediate-agent
By default, PPPoE IA is disabled globally.
Configuring the Access Node Identifier for PPPoE IA on a Switch
This functionality allows you to set the Access Node Identifier of the switch. If unspecified, this parameter is derived automatically with the IP address of the management interface.
The following example shows how to set an access node identifier of abcd:
Switch> enable
Switch# configure terminal
Switch(config)# pppoe intermediate-agent format-type access-node-id string abcd
By default, access-node-id is not set.
Configuring the Identifier String, Option, and Delimiter for PPPoE IA on an Switch
This functionality overrides the default automatic generation of circuit-id by the system.
The options available are sp, sv, pv and spv denoting slot:port, slot-vlan, port-vlan, and slot-port-vlan combinations, respectively. The delimiters available are # . , ; / space.
The no form of this command without WORD, options, and delimiters, reverts to the default automatic generation of circuit-id.
The following example shows how to set an identifier string word with option spv delimited by ":":
Switch> enable
Switch# configure terminal
Switch(config) pppoe intermediate-agent format-type
identifier-string string word
option spv delimiter :
This command does not affect the circuit-id configured explicitly per-interface or per-interface-per-vlan with the pppoe intermediate-agent format-type circuit-id or
pppoe intermediate-agent vlan num format-type circuit-id commands.
Configuring the Generic Error Message for PPPoE IA on an Switch
This functionality sets the Generic-Error message of the switch. PPPoE IA sends this message only on a specific error condition. If you do not specify string {WORD}, the error message is not added.
The following example shows how to configure a generic message of packet_length>1484:
Switch> enable
Switch# configure terminal
Switch(config) pppoe intermediate-agent format-type
generic-error-message string packet_length>1484
PPPoE Discover packet too large to process. Try reducing the number of tags added.
By default the generic-error-message is not set. The string value is converted to UTF-8 before it is added to the response. The message like the following will appear:
PPPoE Discover packet too large to process. Try reducing the number of tags added.
Note This TAG (0x0203 Generic-Error) indicates an error. It can be added to PADO or PADS packets generated by PPPoE IA and then sent back to user in reply of PADI or PADR, when a PPPoE discovery packet received by PPPoE IA with PPPoE payload greater than 1484 bytes. Error data must be a UTF-8 string.
Enabling PPPoE IA on an Interface
This functionality enables the PPPoE IA feature on an interface. The pppoe intermediate-agent command has an effect only if the PPPoE IA feature was enabled globally with this command. (You need to enable globally to activate PPPoE IA static ACL and on an interface for PPPoE IA processing of PPPoE discovery packets received on that interface.)
This setting applies to all frames passing through this interface, irrespective of the VLAN they belong to. By default the PPPoE IA feature is disabled on all interfaces. You need to run this command on every interface that requires this feature.
The following example shows how to enable PPPoE IA on FastEthernet 3/1:
Switch> enable
Switch# configure terminal
Switch(config) interface FastEthernet 3/1
Switch(config-if) pppoe intermediate-agent
Note Enabling PPPoE IA on an interface does not ensure that incoming packets are tagged. The necessary criteria: (a) PPPoE IA must be enabled globally, (b) At least one interface that connects the switch to PPPoE Server must have a "trusted" PPPoE IA setting. (See the following section.)
Configuring the PPPoE IA Trust Setting on an Interface
This functionality sets a physical interface as trusted. The following example shows how to set FastEthernet interface 3/2 as trusted:
Switch> enable
Switch# configure terminal
Switch(config) interface FastEthernet 3/2
Switch(config-if) pppoe intermediate-agent trust
This setting is disabled by default.
Note Interfaces that connect the switch to PPPoE Server are configured as trusted. Interfaces that connect the switch to Users (PPPoE clients) are untrusted.
Configuring PPPoE IA Rate Limiting Setting on an Interface
This functionality limits the rate (per second) at which PPPoE Discovery packets (PADI, PADO, PADR, PADS, or PADT) are received on an interface. When the incoming packet rate achieves or exceeds the configured limit, a port enters an err-disabled state.
The following example shows how to set a rate limit of 30 at FastEthernet 3/1:
Switch> enable
Switch# configure terminal
Switch(config) interface FastEthernet 3/1
Switch(config-if) pppoe intermediate-agent limit rate 30
Note The parameter for rate limiting is the number of packets per second. If the incoming packet rate exceeds this value, the port shuts down.
Configuring PPPoE IA Vendor-tag Stripping on an Interface
This functionality enables an administrator to strip the vendor-specific tag (VSA) from PADO, PADS, and PADT packets received on an interface before forwarding them to the user.
The following example shows how to enable stripping on FastEthernet 3/2:
Switch> enable
Switch# configure terminal
Switch(config) interface FastEthernet 3/2
Switch(config-if) pppoe intermediate-agent vendor-tag strip
This setting is disabled by default.
Note Generally, you would configure vendor-tag stripping on an interfaces connected to PPPoE Server. If you configure stripping, incoming packets are stripped of their VSAs (which carry subscriber and line identification information). Necessary criteria: (a) the PPPoE Intermediate agent must be enabled on the interface for the pppoe intermediate-agent vendor-tag strip command to be effective, and (b) the interface must be set to trust. Alone, the command has no effect.
Configuring PPPoE IA Circuit-ID and Remote-ID on an Interface
The [no] pppoe intermediate-agent format-type circuit-id command sets the circuit-id on an interface and overrides the automatic generation of circuit-id by the switch. Without this command, one default tag (for example, Ethernet x/y:z on the PPPoE to which the user is connected) inserted by an intermediate-agent.
The [no] pppoe intermediate-agent format-type remote-id command sets the remote-id on an interface.
This functionality causes tagging of PADI, PADR, and PADT packets (belonging to PPPoE Discovery stage) received on this physical interface with circuit-id or remote-i. This happens irrespective of their VLAN provided PPPoE IA is not enabled for that VLAN.
You should use remote-id instead of circuit-id for subscriber line identification. You should configure this setting on every interface where you enabled PPPoE IA because it is not set by default. The default value for remote-id is the switch MAC address (for all physical interfaces).
The following example shows how to configure the circuit-id as root and the remote-id as granite:
Switch> enable
Switch# configure terminal
Switch(config) interface FastEthernet 3/1
Switch(config-if) pppoe intermediate-agent format-type circuit-id string root
Switch(config-if) pppoe intermediate-agent format-type remote-id string granite
Enabling PPPoE IA for a Specific VLAN on an Interface
This functionality allows you to enable PPPoE IA on either (a) a specific VLAN, (b) a comma separated list like "x,y," or (c) a range like "x-y."
Specific VLAN:
Switch# configure terminal
Switch(config)# interface FastEthernet 3/1
Switch(config-if)# vlan-range 5
Switch(config-if-vlan-range)# pppoe intermediate-agent
Comma-separated VLAN list:
Switch# configure terminal
Switch(config)# interface FastEthernet 3/1
Switch(config-if)# vlan-range 5,6
Switch(config-if-vlan-range)# pppoe intermediate-agent
VLAN range:
Switch# configure terminal
Switch(config)# interface FastEthernet 3/1
Switch(config-if)# vlan-range 5-9
Switch(config-if-vlan-range)# pppoe intermediate-agent
Note The pppoe intermediate-agent command in the vlan-range mode is not dependent on the
same command in interface mode. The pppoe intermediate-agent command will take effect independently of the command in the interface mode. The necessary criteria: (a) PPPoE IA must be enabled globally, and (b) at least one interface connected to the PPPoE Server.
Configuring PPPoE IA Circuit-ID and Remote-ID for a VLAN on an Interface
In this section you set the circuit ID and remote ID for a specific VLAN on an interface. The command overrides the circuit ID and remote ID specified for this physical interface and the switch uses the WORD value to tag packets received on this VLAN. This parameter is unset by default.
The default value of remote-id is the switch MAC address (for all VLANs). You would set this parameter to encode subscriber-specific information.
Note The circuit-id and remote-id configurations in vlan-range mode are affected only if PPPoE IA is enabled globally and in vlan-range mode.
This example shows how to set the circuit-id to aaa and the remote-id as ccc on interface g3/7:
Switch(config)# int g3/7
Switch(config-if)# vlan-range 5
Switch(config-if)# pppoe intermediate-agent
Switch(config-if-vlan-range)# pppoe intermediate-agent format-type circuit-id string aaa
Switch(config-if-vlan-range)# pppoe intermediate-agent format-type remote-id string ccc
Note The vlan-range mode commands configure PPPoE IA for either a specific VLAN, multiple VLANs, or VLAN range, depending on what you specify in the syntax.
Displaying Configuration Parameters
The show pppoe intermediate-agent [info| statistics] [interface {interface}] command displays the various configuration parameters, statistics, and counters stored for PPPoE.
The info keyword appears if the PPPoE Intermediate Agent is enabled globally on an interface or on a VLAN (in an interface). It also informs you about the access node ID and generic error message of the switch, as well as the identifier string options and delimiter values configured globally by the following command:
Switch(config)# pppoe intermediate-agent format-type ?
access-node-id Access Node Identifier
generic-error-message Generic Error Message
identifier-string Identifier String
The info keyword also displays the circuit ID, remote ID, trust and rate limit configurations, and vendor tag strip setting for all interfaces and for all VLANs pertaining to those interfaces. If any of these parameters are not set, they are not displayed.
The statistics option displays the number of PADI/PADR/PADT packets received, and the time the last packet was received on all interfaces and on all VLANs pertaining to those interfaces.
If interface is specified, information or statistics applicable only to that physical interface and pertaining VLANs is displayed.
Although PPoE IA is supported on PVLANs, be aware that no PVLAN association (primary and secondary VLAN mapping) information is displayed.
The PPPoE IA show commands (like show pppoe intermediate-agent info,
show pppoe intermediate-agent info interface g3/7, or show pppoe intermediate-agent statistics) do not provide information about private VLAN association (primary and secondary VLAN mapping). However, they do provide information about VLANs irrespective of private or normal VLANs, as the following example illustrate:
Switch# show pppoe intermediate-agent info
Switch PPPOE Intermediate-Agent is enabled
PPPOE Intermediate-Agent trust/rate is configured on the following Interfaces:
Interface IA Trusted Vsa Strip Rate limit (pps)
----------------------- -------- ------- --------- ----------------
GigabitEthernet3/4 no yes yes unlimited
PPPOE Intermediate-Agent is configured on following VLANs:
2-3
GigabitEthernet3/7 no no no unlimited
PPPOE Intermediate-Agent is configured on following VLANs:
2-3
Switch# show pppoe intermediate-agent info interface g3/7
Interface IA Trusted Vsa Strip Rate limit (pps)
----------------------- -------- ------- --------- ----------------
GigabitEthernet3/7 yes no no unlimited
PPPoE Intermediate-Agent is configured on following VLANs:
2-3
Switch# show pppoe intermediate-agent statistics
PPPOE IA Per-Port Statistics
---- -----------------
Interface : GigabitEthernet3/7
Packets received
All = 0
PADI = 0 PADO = 0
PADR = 0 PADS = 0
PADT = 0
Packets dropped:
Rate-limit exceeded = 0
Server responses from untrusted ports = 0
Client requests towards untrusted ports = 0
Malformed PPPoE Discovery packets = 0
Vlan 2: Packets received PADI = 0 PADO = 0 PADR = 0 PADS = 0 PADT = 0
Vlan 3: Packets received PADI = 0 PADO = 0 PADR = 0 PADS = 0 PADT = 0
Switch# show pppoe intermediate-agent statistics interface g3/7
Interface : GigabitEthernet3/7
Packets received
All = 3
PADI = 0 PADO = 0
PADR = 0 PADS = 0
PADT = 3
Packets dropped:
Rate-limit exceeded = 0
Server responses from untrusted ports = 0
Client requests towards untrusted ports = 0
Malformed PPPoE Discovery packets = 0
Vlan 2: Packets received PADI = 6 PADO = 0 PADR = 6 PADS = 0 PADT = 6
Vlan 3: Packets received PADI = 4 PADO = 0 PADR = 4 PADS = 0 PADT = 4
Clearing Packet Counters
This section illustrates how to clear packet counters on all interfaces (per-port and per-port-per-vlan).
The following example illustrates how to do this:
Switch# clear pppoe intermediate-agent statistics
Issuing of the above command clears the counters for all PPPoE discovery packets (PADI,PADO,PADR,PADS,PADT) received on DUT.
Switch# show pppoe intermediate-agent statistics interface g3/7
Interface : GigabitEthernet3/7
Packets received
All = 0
PADI = 0 PADO = 0
PADR = 0 PADS = 0
PADT = 0
Packets dropped:
Rate-limit exceeded = 0
Server responses from untrusted ports = 0
Client requests towards untrusted ports = 0
Malformed PPPoE Discovery packets = 0
Vlan 2: Packets received PADI = 0 PADO = 0 PADR = 0 PADS = 0 PADT = 0
Vlan 3: Packets received PADI = 0 PADO = 0 PADR = 0 PADS = 0 PADT = 0
Debugging PPPoE Intermediate Agent
The debug pppoe intermediate-agent [packet | event | all] command enables you to display useful PPPoE information that assists in debugging. This command is disabled by default.
The packet option of the command displays the contents of a packet received in the software: source and destination MAC address of Ethernet frame, code, version and type of PPPoE Discovery packet and a list of TAGs present.
The event option of the command echoes important messages (interface state change to errdisabled due to PPPoE discovery packets entering at a rate exceeding the configured limit). This is the only event shown by the debug pppoe intermediate-agent event command.
The all option enables both package and event options.
The following example illustrates how to enter the debug command with the packet option:
Switch# debug pppoe intermediate-agent packet
PPPOE IA Packet debugging is on
*Sep 2 06:12:56.133: PPPOE_IA: Process new PPPoE packet, Message type: PADI, input interface: Gi3/7, vlan : 2 MAC da: ffff.ffff.ffff, MAC sa: aabb.cc00.0000
*Sep 2 06:12:56.137: PPPOE_IA: received new PPPOE packet from inputinterface (GigabitEthernet3/4)
*Sep 2 06:12:56.137: PPPOE_IA: received new PPPOE packet from inputinterface (GigabitEthernet3/8)
*Sep 2 06:12:56.137: PPPOE_IA: Process new PPPoE packet, Message type: PADO, input interface: Gi3/4, vlan : 2 MAC da: aabb.cc00.0000, MAC sa: 001d.e64c.6512
*Sep 2 06:12:56.137: PPPOE_IA: Process new PPPoE packet, Message type: PADO, input interface: Gi3/8, vlan : 2 MAC da: aabb.cc00.0000, MAC sa: aabb.cc80.0000
*Sep 2 06:12:56.137: PPPOE_IA: received new PPPOE packet from inputinterface (GigabitEthernet3/7)
*Sep 2 06:12:56.137: PPPOE_IA: Process new PPPoE packet, Message type: PADR, input interface: Gi3/7, vlan : 2 MAC da: 001d.e64c.6512, MAC sa: aabb.cc00.0000
*Sep 2 06:12:56.145: PPPOE_IA: received new PPPOE packet from inputinterface (GigabitEthernet3/4)
*Sep 2 06:12:56.145: PPPOE_IA: Process new PPPoE packet, Message type: PADS, input interface: Gi3/4, vlan : 2 MAC da: aabb.cc00.0000, MAC sa: 001d.e64c.6512
The following example illustrates how to enter the debug command with the event option:
Switch# debug pppoe intermediate-agent event
PPPOE IA Event debugging is on
*Jul 30 19:00:10.254: %PPPOE_IA-4-PPPOE_IA_ERRDISABLE_WARNING: PPPOE IA received 5 PPPOE packets on interface Gi3/7
*Jul 30 19:00:10.254: %PPPOE_IA-4-PPPOE_IA_RATE_LIMIT_EXCEEDED: The interface Gi3/7 is receiving more than the threshold set
*Jul 30 19:00:10.394: %PM-4-ERR_DISABLE: STANDBY:pppoe-ia-rate-limit error detected on Gi3/7, putting Gi3/7 in err-disable stat
Troubleshooting Tips
When the radius-server attribute 31 remote-id global configuration command is entered in the PPPoE Agent Remote-ID Tag and DSL Line Characteristics feature configuration on the BRAS, the
debug radius privileged EXEC command can be used to generate a report that includes information about the incoming access interface, where discovery frames are received, and about the session being established in PPPoE extended NAS-Port format (format d).
Related Documents
|
|
---|---|
PPPoE Circuit-Id Tag Processing |
|
RADIUS attributes |
Refer to the Cisco IOS Security Configuration Guide, Release 12.4 |
DSL Forum Line-ID tag solution |
DSL Forum 2004-71: Solution for Remote-ID in PPPoE Discovery Phase |
Migration to Ethernet-based DSL aggregation |
RFCs
|
|
---|---|
RFC 2516 |