Catalyst 4500 Series Switch Software Configuration Guide, 12.2(50)SG

Configuring the PPPoE Intermediate Agent

DSL Forum TR-101 [1] offers a means by which the PPPoE Discovery packets are tagged at the service provider's access switch with subscriber line specific information. The mechanism specifies using VSA of the PPPoE Discovery packets to add the line specific information at the switch. Even though you can perform Subscriber Line Identification (SLI) in another way (recreating virtual paths and circuits using stacked VLAN tags), DSL Forum 2004-071 [4] recommends the PPPoE Intermediate Agent mechanism. It cites lower provisioning costs and simpler co-ordination between OSS systems in charge of access switch and BRAS. PPPoE Intermediate Agent helps the service provider, BRAS, distinguish between end hosts connected over Ethernet to an access switch.

This chapter describes PPPoE Intermediate Agent on Catalyst 4500 series switches. It includes the following sections:

•Overview

•Enabling PPPoE IA on a Switch

•Configuring the Access Node Identifier for PPPoE IA on a Switch

•Configuring the Identifier String, Option, and Delimiter for PPPoE IA on an Switch

•Configuring the Generic Error Message for PPPoE IA on an Switch

•Enabling PPPoE IA on an Interface

•Configuring the PPPoE IA Trust Setting on an Interface

•Configuring PPPoE IA Rate Limiting Setting on an Interface

•Configuring PPPoE IA Vendor-tag Stripping on an Interface

•Configuring PPPoE IA Circuit-ID and Remote-ID on an Interface

•Enabling PPPoE IA for a Specific VLAN on an Interface

•Configuring PPPoE IA Circuit-ID and Remote-ID for a VLAN on an Interface

Overview

PPPoE Intermediate Agent (PPPoE IA) is placed between a subscriber and BRAS to help the service provider BRAS distinguish between end hosts connected over Ethernet to an access switch. On the access switch, PPPoE IA enables Subscriber Line Identification by appropriately tagging Ethernet frames of different users. (The tag contains specific information like which subscriber is connected to the switch and VLAN.) PPPoE IA acts as mini security firewall between host and BRAS by intercepting all PPPoE Active Discovery (PAD) messages on a per-port per-vlan basis. It provides specific security feature such as verifying the intercepted PAD message from untrusted port, performing per port PAD message rate limiting, inserting and removing VSA Tags into and from PAD messages, respectively.

Enabling PPPoE IA on a Switch

This functionality allows you to enable or disable PPPoE IA globally on the switch:

Switch> enable

Switch# configure terminal

Switch(config)# pppoe intermediate-agent

By default, PPPoE IA is disabled globally.

Configuring the Access Node Identifier for PPPoE IA on a Switch

This functionality allows you to set the Access Node Identifier of the switch. If unspecified, this parameter is derived automatically with the IP address of the management interface.

The following example shows how to set an access node identifier of abcd:

Switch> enable

Switch# configure terminal

Switch(config)# pppoe intermediate-agent format-type access-node-id string abcd

By default, access-node-id is not set.

Configuring the Identifier String, Option, and Delimiter for PPPoE IA on an Switch

This functionality overrides the default automatic generation of circuit-id by the system.

The options available are sp, sv, pv and spv denoting slot:port, slot-vlan, port-vlan, and slot-port-vlan combinations, respectively. The delimiters available are # . , ; / space.

The no form of this command without WORD, options, and delimiters, reverts to the default automatic generation of circuit-id.

The following example shows how to set an identifier string word with option spv delimited by ":":

Switch> enable

Switch# configure terminal

Switch(config) pppoe intermediate-agent format-type

identifier-string string word

option spv delimiter :

This command does not affect the circuit-id configured explicitly per-interface or per-interface-per-vlan with the pppoe intermediate-agent format-type circuit-id or
pppoe intermediate-agent vlan num format-type circuit-id commands.

Configuring the Generic Error Message for PPPoE IA on an Switch

This functionality sets the Generic-Error message of the switch. PPPoE IA sends this message only on a specific error condition. If you do not specify string {WORD}, the error message is not added.

The following example shows how to configure a generic message of packet_length>1484:

Switch> enable

Switch# configure terminal

Switch(config) pppoe intermediate-agent format-type

generic-error-message string packet_length>1484

PPPoE Discover packet too large to process. Try reducing the number of tags added.

By default the generic-error-message is not set. The string value is converted to UTF-8 before it is added to the response. The message like the following will appear:

PPPoE Discover packet too large to process. Try reducing the number of tags added.

Note This TAG (0x0203 Generic-Error) indicates an error. It can be added to PADO or PADS packets generated by PPPoE IA and then sent back to user in reply of PADI or PADR, when a PPPoE discovery packet received by PPPoE IA with PPPoE payload greater than 1484 bytes. Error data must be a UTF-8 string.

Enabling PPPoE IA on an Interface

This functionality enables the PPPoE IA feature on an interface. The pppoe intermediate-agent command has an effect only if the PPPoE IA feature was enabled globally with this command. (You need to enable globally to activate PPPoE IA static ACL and on an interface for PPPoE IA processing of PPPoE discovery packets received on that interface.)

This setting applies to all frames passing through this interface, irrespective of the VLAN they belong to. By default the PPPoE IA feature is disabled on all interfaces. You need to run this command on every interface that requires this feature.

The following example shows how to enable PPPoE IA on FastEthernet 3/1:

Switch> enable

Switch# configure terminal

Switch(config) interface FastEthernet 3/1

Switch(config-if) pppoe intermediate-agent

Note Enabling PPPoE IA on an interface does not ensure that incoming packets are tagged. The necessary criteria: (a) PPPoE IA must be enabled globally, (b) At least one interface that connects the switch to PPPoE Server must have a "trusted" PPPoE IA setting. (See the following section.)

Configuring the PPPoE IA Trust Setting on an Interface

This functionality sets a physical interface as trusted. The following example shows how to set FastEthernet interface 3/2 as trusted:

Switch> enable

Switch# configure terminal

Switch(config) interface FastEthernet 3/2

Switch(config-if) pppoe intermediate-agent trust

This setting is disabled by default.

Note Interfaces that connect the switch to PPPoE Server are configured as trusted. Interfaces that connect the switch to Users (PPPoE clients) are untrusted.

Configuring PPPoE IA Rate Limiting Setting on an Interface

This functionality limits the rate (per second) at which PPPoE Discovery packets (PADI, PADO, PADR, PADS, or PADT) are received on an interface. When the incoming packet rate achieves or exceeds the configured limit, a port enters an err-disabled state.

The following example shows how to set a rate limit of 30 at FastEthernet 3/1:

Switch> enable

Switch# configure terminal

Switch(config) interface FastEthernet 3/1

Switch(config-if) pppoe intermediate-agent limit rate 30

Note The parameter for rate limiting is the number of packets per second. If the incoming packet rate exceeds this value, the port shuts down.

Configuring PPPoE IA Vendor-tag Stripping on an Interface

This functionality enables an administrator to strip the vendor-specific tag (VSA) from PADO, PADS, and PADT packets received on an interface before forwarding them to the user.

The following example shows how to enable stripping on FastEthernet 3/2:

Switch> enable

Switch# configure terminal

Switch(config) interface FastEthernet 3/2

Switch(config-if) pppoe intermediate-agent vendor-tag strip

This setting is disabled by default.

Note Generally, you would configure vendor-tag stripping on an interfaces connected to PPPoE Server. If you configure stripping, incoming packets are stripped of their VSAs (which carry subscriber and line identification information). Necessary criteria: (a) the PPPoE Intermediate agent must be enabled on the interface for the pppoe intermediate-agent vendor-tag strip command to be effective, and (b) the interface must be set to trust. Alone, the command has no effect.

Configuring PPPoE IA Circuit-ID and Remote-ID on an Interface

The [no] pppoe intermediate-agent format-type circuit-id command sets the circuit-id on an interface and overrides the automatic generation of circuit-id by the switch. Without this command, one default tag (for example, Ethernet x/y:z on the PPPoE to which the user is connected) inserted by an intermediate-agent.

The [no] pppoe intermediate-agent format-type remote-id command sets the remote-id on an interface.

This functionality causes tagging of PADI, PADR, and PADT packets (belonging to PPPoE Discovery stage) received on this physical interface with circuit-id or remote-i. This happens irrespective of their VLAN provided PPPoE IA is not enabled for that VLAN.

You should use remote-id instead of circuit-id for subscriber line identification. You should configure this setting on every interface where you enabled PPPoE IA because it is not set by default. The default value for remote-id is the switch MAC address (for all physical interfaces).

The following example shows how to configure the circuit-id as root and the remote-id as granite:

Switch> enable

Switch# configure terminal

Switch(config) interface FastEthernet 3/1

Switch(config-if) pppoe intermediate-agent format-type circuit-id string root

Switch(config-if) pppoe intermediate-agent format-type remote-id string granite

Enabling PPPoE IA for a Specific VLAN on an Interface

This functionality allows you to enable PPPoE IA on either (a) a specific VLAN, (b) a comma separated list like "x,y," or (c) a range like "x-y."

Specific VLAN:

Switch# configure terminal

Switch(config)# interface FastEthernet 3/1

Switch(config-if)# vlan-range 5

Switch(config-if-vlan-range)# pppoe intermediate-agent

Comma-separated VLAN list:

Switch# configure terminal

Switch(config)# interface FastEthernet 3/1

Switch(config-if)# vlan-range 5,6

Switch(config-if-vlan-range)# pppoe intermediate-agent

VLAN range:

Switch# configure terminal

Switch(config)# interface FastEthernet 3/1

Switch(config-if)# vlan-range 5-9

Switch(config-if-vlan-range)# pppoe intermediate-agent

Note The pppoe intermediate-agent command in the vlan-range mode is not dependent on the
same command in interface mode. The pppoe intermediate-agent command will take effect independently of the command in the interface mode. The necessary criteria: (a) PPPoE IA must be enabled globally, and (b) at least one interface connected to the PPPoE Server.

Configuring PPPoE IA Circuit-ID and Remote-ID for a VLAN on an Interface

In this section you set the circuit ID and remote ID for a specific VLAN on an interface. The command overrides the circuit ID and remote ID specified for this physical interface and the switch uses the WORD value to tag packets received on this VLAN. This parameter is unset by default.

The default value of remote-id is the switch MAC address (for all VLANs). You would set this parameter to encode subscriber-specific information.

Note The circuit-id and remote-id configurations in vlan-range mode are affected only if PPPoE IA is enabled globally and in vlan-range mode.

This example shows how to set the circuit-id to aaa and the remote-id as ccc on interface g3/7:

Switch(config)# int g3/7

Switch(config-if)# vlan-range 5

Switch(config-if)# pppoe intermediate-agent

Switch(config-if-vlan-range)# pppoe intermediate-agent format-type circuit-id string aaa

Switch(config-if-vlan-range)# pppoe intermediate-agent format-type remote-id string ccc

Note The vlan-range mode commands configure PPPoE IA for either a specific VLAN, multiple VLANs, or VLAN range, depending on what you specify in the syntax.

Displaying Configuration Parameters

The show pppoe intermediate-agent [info| statistics] [interface {interface}] command displays the various configuration parameters, statistics, and counters stored for PPPoE.

The info keyword appears if the PPPoE Intermediate Agent is enabled globally on an interface or on a VLAN (in an interface). It also informs you about the access node ID and generic error message of the switch, as well as the identifier string options and delimiter values configured globally by the following command:

Switch(config)# pppoe intermediate-agent format-type ?

  access-node-id         Access Node Identifier

  generic-error-message  Generic Error Message

  identifier-string      Identifier String

The info keyword also displays the circuit ID, remote ID, trust and rate limit configurations, and vendor tag strip setting for all interfaces and for all VLANs pertaining to those interfaces. If any of these parameters are not set, they are not displayed.

The statistics option displays the number of PADI/PADR/PADT packets received, and the time the last packet was received on all interfaces and on all VLANs pertaining to those interfaces.

If interface is specified, information or statistics applicable only to that physical interface and pertaining VLANs is displayed.

Although PPoE IA is supported on PVLANs, be aware that no PVLAN association (primary and secondary VLAN mapping) information is displayed.

The PPPoE IA show commands (like show pppoe intermediate-agent info,
show pppoe intermediate-agent info interface g3/7, or show pppoe intermediate-agent statistics) do not provide information about private VLAN association (primary and secondary VLAN mapping). However, they do provide information about VLANs irrespective of private or normal VLANs, as the following example illustrate:

Switch# show pppoe intermediate-agent info

Switch PPPOE Intermediate-Agent is enabled

PPPOE Intermediate-Agent trust/rate is configured on the following Interfaces:

Interface               IA         Trusted    Vsa Strip   Rate limit (pps)

----------------------- --------   -------    ---------   ----------------

GigabitEthernet3/4         no         yes        yes         unlimited

PPPOE Intermediate-Agent is configured on following VLANs:

2-3

GigabitEthernet3/7         no         no         no          unlimited

PPPOE Intermediate-Agent is configured on following VLANs:

2-3

Switch# show pppoe intermediate-agent info interface g3/7

Interface               IA         Trusted    Vsa Strip   Rate limit (pps)

----------------------- --------   -------    ---------   ----------------   

GigabitEthernet3/7         yes        no         no          unlimited

PPPoE Intermediate-Agent is configured on following VLANs:

2-3

Switch# show pppoe intermediate-agent statistics

PPPOE IA Per-Port Statistics

---- -----------------

Interface : GigabitEthernet3/7

 Packets received 

  All = 0 

  PADI = 0 PADO = 0 

  PADR = 0 PADS = 0 

  PADT = 0

 Packets dropped:

  Rate-limit exceeded = 0

  Server responses from untrusted ports = 0

  Client requests towards untrusted ports = 0

  Malformed PPPoE Discovery packets = 0

Vlan 2: Packets received PADI = 0 PADO = 0 PADR = 0 PADS = 0 PADT = 0

Vlan 3: Packets received PADI = 0 PADO = 0 PADR = 0 PADS = 0 PADT = 0

Switch# show pppoe intermediate-agent statistics interface g3/7

Interface : GigabitEthernet3/7

 Packets received

  All = 3

  PADI = 0 PADO = 0

  PADR = 0 PADS = 0

  PADT = 3

 Packets dropped:

  Rate-limit exceeded = 0

  Server responses from untrusted ports = 0

  Client requests towards untrusted ports = 0

  Malformed PPPoE Discovery packets = 0

Vlan 2: Packets received PADI = 6 PADO = 0 PADR = 6 PADS = 0 PADT = 6

Vlan 3: Packets received PADI = 4 PADO = 0 PADR = 4 PADS = 0 PADT = 4

Clearing Packet Counters

This section illustrates how to clear packet counters on all interfaces (per-port and per-port-per-vlan).

The following example illustrates how to do this:

Switch# clear pppoe intermediate-agent statistics

Issuing of the above command clears the counters for all PPPoE discovery packets 
(PADI,PADO,PADR,PADS,PADT) received on DUT.

Switch# show pppoe intermediate-agent statistics interface g3/7

Interface : GigabitEthernet3/7

 Packets received

  All = 0

  PADI = 0 PADO = 0

  PADR = 0 PADS = 0

  PADT = 0

 Packets dropped:

  Rate-limit exceeded = 0

  Server responses from untrusted ports = 0

  Client requests towards untrusted ports = 0

  Malformed PPPoE Discovery packets = 0

Vlan 2: Packets received PADI = 0 PADO = 0 PADR = 0 PADS = 0 PADT = 0

Vlan 3: Packets received PADI = 0 PADO = 0 PADR = 0 PADS = 0 PADT = 0

Debugging PPPoE Intermediate Agent

The debug pppoe intermediate-agent [packet | event | all] command enables you to display useful PPPoE information that assists in debugging. This command is disabled by default.

The packet option of the command displays the contents of a packet received in the software: source and destination MAC address of Ethernet frame, code, version and type of PPPoE Discovery packet and a list of TAGs present.

The event option of the command echoes important messages (interface state change to errdisabled due to PPPoE discovery packets entering at a rate exceeding the configured limit). This is the only event shown by the debug pppoe intermediate-agent event command.

The all option enables both package and event options.

The following example illustrates how to enter the debug command with the packet option:

Switch# debug pppoe intermediate-agent packet

PPPOE IA Packet debugging is on

*Sep  2 06:12:56.133: PPPOE_IA: Process new PPPoE packet, Message type: PADI, input 
interface: Gi3/7, vlan : 2 MAC da: ffff.ffff.ffff, MAC sa: aabb.cc00.0000

*Sep  2 06:12:56.137: PPPOE_IA: received new PPPOE packet from inputinterface 
(GigabitEthernet3/4)

*Sep  2 06:12:56.137: PPPOE_IA: received new PPPOE packet from inputinterface 
(GigabitEthernet3/8)

*Sep  2 06:12:56.137: PPPOE_IA: Process new PPPoE packet, Message type: PADO, input 
interface: Gi3/4, vlan : 2 MAC da: aabb.cc00.0000, MAC sa: 001d.e64c.6512

*Sep  2 06:12:56.137: PPPOE_IA: Process new PPPoE packet, Message type: PADO, input 
interface: Gi3/8, vlan : 2 MAC da: aabb.cc00.0000, MAC sa: aabb.cc80.0000

*Sep  2 06:12:56.137: PPPOE_IA: received new PPPOE packet from inputinterface 
(GigabitEthernet3/7)

*Sep  2 06:12:56.137: PPPOE_IA: Process new PPPoE packet, Message type: PADR, input 
interface: Gi3/7, vlan : 2 MAC da: 001d.e64c.6512, MAC sa: aabb.cc00.0000

*Sep  2 06:12:56.145: PPPOE_IA: received new PPPOE packet from inputinterface 
(GigabitEthernet3/4)

*Sep  2 06:12:56.145: PPPOE_IA: Process new PPPoE packet, Message type: PADS, input 
interface: Gi3/4, vlan : 2 MAC da: aabb.cc00.0000, MAC sa: 001d.e64c.6512

The following example illustrates how to enter the debug command with the event option:

Switch# debug pppoe intermediate-agent event

PPPOE IA Event debugging is on

*Jul 30 19:00:10.254: %PPPOE_IA-4-PPPOE_IA_ERRDISABLE_WARNING: PPPOE IA received 5 PPPOE 
packets on interface Gi3/7

*Jul 30 19:00:10.254: %PPPOE_IA-4-PPPOE_IA_RATE_LIMIT_EXCEEDED: The interface Gi3/7 is 
receiving more than the threshold set

*Jul 30 19:00:10.394: %PM-4-ERR_DISABLE: STANDBY:pppoe-ia-rate-limit error detected on 
Gi3/7, putting Gi3/7 in err-disable stat

Troubleshooting Tips

When the radius-server attribute 31 remote-id global configuration command is entered in the PPPoE Agent Remote-ID Tag and DSL Line Characteristics feature configuration on the BRAS, the
debug radius privileged EXEC command can be used to generate a report that includes information about the incoming access interface, where discovery frames are received, and about the session being established in PPPoE extended NAS-Port format (format d).

Related Documents

RFCs