Setting up PPPoE Termination

I’ve been working with a lot of PPPoE deployments in the past few weeks and decided to post a short template of the Cisco side of things. Note that this post does not cover how to set up a RADIUS server or how to set up the AV-pairs for rate limiting and so on.

First you need to set up AAA authentication. The Cisco AAA framework is rather rich, and I encourage you to study the many options that are available. Note that in this example the router uses local authentication for management access and RADIUS for the PPP users.

aaa new-model
aaa authentication login default local
aaa authentication ppp default group radius
aaa authorization network default group radius
aaa accounting network default
 action-type start-stop
 group radius


Next, enable VPDN (virtual private dial-up networking) and set the global BBA (broadband access) group to use virtual-template 1.

vpdn enable
bba-group pppoe global
 virtual-template 1
 sessions per-vlan limit 3000

Then set up which interfaces terminate PPPoE, put the IPs on the loopback interface, set up the virtual template, and set up the IP pools.

interface Loopback0
 ip address
interface GigabitEthernet0/1
 no ip address
 load-interval 30
 duplex auto
 speed auto
 media-type rj45
 negotiation auto
interface GigabitEthernet0/1.1
 description To Back End Equipment
 encapsulation dot1Q 1 native
 ip address
interface GigabitEthernet0/1.2
 description DSLAMs
 encapsulation dot1Q 2
 ip address secondary
 pppoe enable group global
interface Virtual-Template1
 mtu 1492
 ip unnumbered Loopback0
 peer default ip address pool pppoepool
 ppp authentication pap
ip local pool pppoepool

Last, we set up the RADIUS servers. Note that I have the router set to strip out the domain name so that I can hardcode the realm in the RADIUS configuration based on the NAS.

ip radius source-interface Loopback0
radius-server host auth-port 1815 acct-port 1816 key superSecretPassword
radius-server domain-stripping

In a future blog post I plan to look again at the Cisco AAA framework to do other things using RADIUS, TACACS+, local, and other authentication protocols.
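
The template above only works if its cross-references line up (bba-group, virtual template, loopback, pool) and the PPP method list points at RADIUS. The following check is an added example, not part of the original post: it verifies those references and flags `ppp authentication pap`, which sends the subscriber password in cleartext on the PPPoE link. The function name, the finding strings, and the sample addresses (documentation ranges) are assumptions.

```python
import re

# Constructed sample: the template above with documentation-range addresses
# (192.0.2.0/24, 198.51.100.0/24) filled in as assumptions.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication ppp default group radius
bba-group pppoe global
 virtual-template 1
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
interface GigabitEthernet0/1.2
 encapsulation dot1Q 2
 pppoe enable group global
interface Virtual-Template1
 mtu 1492
 ip unnumbered Loopback0
 peer default ip address pool pppoepool
 ppp authentication pap
ip local pool pppoepool 198.51.100.2 198.51.100.254
"""

def audit_pppoe_config(text):
    """Return sorted findings for a PPPoE termination config (hypothetical helper)."""
    def found(pattern):
        return set(re.findall(pattern, text, re.M))

    findings = []
    # Each reference must resolve to a definition elsewhere in the config.
    checks = [
        (r"^[ \t]+pppoe enable group (\S+)", r"^bba-group pppoe (\S+)", "bba-group"),
        (r"^[ \t]+virtual-template (\d+)", r"^interface Virtual-Template(\d+)", "Virtual-Template"),
        (r"^[ \t]+peer default ip address pool (\S+)", r"^ip local pool (\S+)", "ip local pool"),
        (r"^[ \t]+ip unnumbered (\S+)", r"^interface (\S+)", "interface"),
    ]
    for ref, definition, kind in checks:
        for name in found(ref) - found(definition):
            findings.append(f"undefined {kind}: {name}")
    if not found(r"^aaa authentication ppp \S+ .*\bgroup radius\b"):
        findings.append("no RADIUS method list for ppp authentication")
    # PAP sends the subscriber password in cleartext on the PPPoE link.
    for methods in found(r"^[ \t]+ppp authentication (.+)$"):
        if "pap" in methods.split():
            findings.append("ppp authentication permits pap")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_pppoe_config(SAMPLE_CONFIG):
        print(finding)
```

Run against a saved copy of the running configuration before pushing a change; an empty result means every reference resolved and PAP is not offered.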
