PPPoE Client and PPPoE Local Authentication

Understand how to configure a PPPoE server with local authentication on Cisco devices with this Packet Tracer Lab


If you come from the previous article, you know what PPP is and how it works. The Point-to-Point Protocol is a good Layer 2 protocol that allows two peers to talk directly. Furthermore, it negotiates some parameters before considering the link up, including authentication. However, PPP runs on serial links only. With PPPoE, we overcome this limit by encapsulating PPP into Ethernet frames. Welcome to the world of Point-to-Point Protocol over Ethernet, which brings the benefits of PPP to Ethernet links.

This article introduces some new configuration commands. Unfortunately, Cisco Packet Tracer doesn’t support all of them, so we can’t create a full lab. Don’t worry, however: these commands are easy to use and easy to remember. For the server-side commands, instead, we have a great lab that you can download with the link below.

Get this lab! Practice what you learn and gain experience with our networking labs and demos - download now

Download the lab and unzip it, then open it with Cisco Packet Tracer. Keep it for later use: you will configure a PPPoE server later on in this article.

Introducing PPPoE

Why PPPoE?

We know from the introduction that we want the benefits of PPP in Ethernet links. That’s right, but you will see we just want one benefit in reality. In fact, we cannot leverage compression or low-overhead: putting PPP inside Ethernet means doubling the headers. This results in adding the small header of PPP to the Ethernet’s header, reducing the available space for “useful data”. Even link negotiation would be fake, as we could just use Ethernet and skip the negotiation.

There’s just one thing we want: authentication. We use PPPoE to authenticate our peer on an Ethernet link, and this becomes useful if the peer has no serial interface. This is often a good approach for connecting to the ISP. In this case, you have a modem that bridges the Ethernet signal on a serial link. The modem is transparent: it merely converts signals and layer 2 protocols, like a switch. It doesn’t change IP addresses, nor check them to perform routing. So, it just relays traffic to your ISP (back and forth). This means that you can connect any Ethernet-enabled device to your modem, and your ISP will ask it for authentication.

You can use PPPoE to connect a PC directly to the modem (and to the Internet), or as a WAN uplink in a router. We often use PPPoE in combination with DSL connections, like ADSL.

PPPoE client and server

PPP works with peers. With that protocol, two routers are equal, and they authenticate each other. PPPoE is slightly different, as it implements a Client-Server approach. Of course, the ISP will be the server and your router or PC will be the client. The reason for that is that you are asking the ISP for a connection, and the ISP serves you. With PPPoE, the ISP will never initiate a connection toward you. Instead, you have to make the first move.

For the CCNA, you need to configure PPPoE clients, as this is a common real-life scenario.

Configuring PPPoE Client

We can group the PPPoE client configuration into two parts. The first (and smaller) one happens on the Ethernet interface, the other on the dialer. If you don’t know what a dialer is, don’t worry: we will explain that later.

Configuring the Ethernet interface

Before you start, connect the Ethernet cable coming from your DSL modem to any free port. Then, we need to configure that port: in our example, it is GigabitEthernet 0/0. On this interface, we need to enable PPPoE and associate it with a dial-pool. Cisco identifies the dial pools with numbers, and none is present on the router by default. So, we are going to use dial-pool number 1. Below are all the commands to type.

interface GigabitEthernet 0/0
 pppoe enable
 pppoe-client dial-pool-number 1
exit

Up to this point, we are telling the router not to use plain Ethernet on this interface. Instead, we are telling it to use PPPoE, and that the PPPoE configuration is in dial-pool number 1.

Configuring the Dialer, basic settings

The Dialer is a logical interface that represents the termination of the PPPoE connection. The Ethernet interface just connects the underlying Ethernet link that encapsulates PPP frames. Instead, the dialer uses the encapsulated PPP. As a result, we are going to use the dialer for all the PPP-specific features, such as authentication. And, on top of that, even for forwarding traffic: routes will use the dialer interface, not the Ethernet interface.

To configure the dialer, we need to create one and identify it with an ID. As a best practice, use the same ID as the dial-pool number, as below.

interface Dialer 1

Once you are in the interface configuration, you need to adjust some settings. First, we set the encapsulation to PPP. Then, we adjust the MTU, considering that we are now carrying two Layer 2 headers instead of one. If you subtract the bytes of the PPP header from the Ethernet payload, you will see that the MTU is now 1492. PPP is able to assign an IP address to the target device, and ISPs often do that. So, we will tell the router to use the address given by the ISP.

encapsulation ppp
mtu 1492
ip address negotiated
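
The MTU arithmetic above, as an added example that is not part of the original article: a Python parser for a PPPoE session frame (layout per RFC 2516), showing that the 6-byte PPPoE header plus the 2-byte PPP protocol field take 8 of the 1500 bytes of Ethernet payload. The function names, MAC addresses, session ID and zero-filled inner packet are constructed for illustration.

```python
import struct

ETHERTYPE_PPPOE_SESSION = 0x8864   # PPPoE session stage (RFC 2516)
ETH_HEADER_LEN = 14                # dst MAC + src MAC + EtherType
PPPOE_HEADER_LEN = 6               # ver/type, code, session id, length
PPP_PROTOCOL_LEN = 2               # PPP protocol field (0x0021 = IPv4)
ETHERNET_PAYLOAD_MAX = 1500        # standard Ethernet payload size


def parse_pppoe_session(frame: bytes) -> dict:
    """Split an Ethernet frame carrying a PPPoE session packet into its fields."""
    if len(frame) < ETH_HEADER_LEN + PPPOE_HEADER_LEN + PPP_PROTOCOL_LEN:
        raise ValueError("frame too short for PPPoE session data")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_PPPOE_SESSION:
        raise ValueError(f"not a PPPoE session frame: 0x{ethertype:04x}")
    ver_type, code, session_id, length = struct.unpack_from("!BBHH", frame, ETH_HEADER_LEN)
    if ver_type != 0x11 or code != 0x00:
        raise ValueError("unexpected PPPoE version/type or code")
    payload = frame[ETH_HEADER_LEN + PPPOE_HEADER_LEN:]
    if length > len(payload) or length < PPP_PROTOCOL_LEN:
        raise ValueError("PPPoE length field does not match the frame")
    payload = payload[:length]     # drop any Ethernet padding
    (ppp_proto,) = struct.unpack_from("!H", payload, 0)
    return {"session_id": session_id, "ppp_protocol": ppp_proto,
            "pppoe_length": length, "inner_packet": payload[PPP_PROTOCOL_LEN:]}


def dialer_mtu(ethernet_payload: int = ETHERNET_PAYLOAD_MAX) -> int:
    """Largest IP packet that still fits once PPPoE and PPP are added."""
    return ethernet_payload - PPPOE_HEADER_LEN - PPP_PROTOCOL_LEN


def build_sample_frame(ip_len: int) -> bytes:
    """Constructed sample: zero-filled stand-in for an IP packet of ip_len bytes."""
    eth = bytes.fromhex("02000000000a" "02000000000b") + struct.pack("!H", ETHERTYPE_PPPOE_SESSION)
    pppoe = struct.pack("!BBHH", 0x11, 0x00, 0x0001, ip_len + PPP_PROTOCOL_LEN)
    return eth + pppoe + struct.pack("!H", 0x0021) + bytes(ip_len)


if __name__ == "__main__":
    frame = build_sample_frame(dialer_mtu())
    info = parse_pppoe_session(frame)
    print(dialer_mtu(), len(frame) - ETH_HEADER_LEN, hex(info["ppp_protocol"]))
```

A packet of exactly 1492 bytes fills the 1500-byte Ethernet payload; anything larger has to be fragmented or dropped, which is why the dialer MTU is lowered.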

Configuring the Dialer, PPP authentication

At this point, we want to bind this dialer to the Ethernet interface and specify the authentication settings. To do the binding, we associate the dialer with the same dial-pool as the Ethernet interface. Note that the command here is different: dialer pool instead of pppoe-client dial-pool-number. Then, we specify the authentication method (pap and chap, either with dial-in or call-in). Don’t worry about that, your ISP will tell you which one to use. You will have to provide your username (hostname in the configuration) and password, as your ISP will tell you. Normally, usernames are in an email-like format.

dialer pool 1
ppp authentication <pap|chap> <dialin|callin>
ppp <chap|pap> hostname <username>
ppp <chap|pap> password <password>
exit

At this point, you have a functioning Layer 2 PPPoE link. In case it doesn’t work, you can debug with the same commands as PPP. For example, use debug ppp authentication, or use the new debug pppoe events.
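
A check for the client settings configured above, as an added example that is not part of the original article: a Python audit that reads a configuration, confirms that every pppoe-client dial-pool-number has a Dialer with the matching dialer pool, and that each Dialer sets encapsulation ppp and mtu 1492. The function names are hypothetical, and the sample configuration is constructed with a deliberate pool mismatch.

```python
import re

# Constructed sample: the client configuration from this article with one
# deliberate mistake, a Dialer bound to pool 2 instead of pool 1.
SAMPLE_CONFIG = """\
interface GigabitEthernet 0/0
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface Dialer 1
 encapsulation ppp
 mtu 1492
 ip address negotiated
 dialer pool 2
!
"""


def interface_stanzas(config: str) -> dict:
    """Map each interface name to the list of commands configured under it."""
    stanzas, current = {}, None
    for line in config.splitlines():
        match = re.match(r"interface\s+(\S.*)", line)
        if match:
            current = stanzas.setdefault(match.group(1).replace(" ", ""), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None          # "!" or a global command ends the stanza
    return stanzas


def audit_pppoe_client(config: str) -> list:
    """Return findings for the client settings this article configures."""
    findings, stanzas = [], interface_stanzas(config)
    eth_pools = {c.split()[-1] for cmds in stanzas.values() for c in cmds
                 if c.startswith("pppoe-client dial-pool-number ")}
    dialers = {n: cmds for n, cmds in stanzas.items() if n.lower().startswith("dialer")}
    dialer_pools = {c.split()[-1] for cmds in dialers.values() for c in cmds
                    if c.startswith("dialer pool ")}
    for pool in sorted(eth_pools - dialer_pools):
        findings.append(f"dial-pool {pool}: no Dialer has 'dialer pool {pool}'")
    for name, cmds in sorted(dialers.items()):
        for required in ("encapsulation ppp", "mtu 1492"):
            if required not in cmds:
                findings.append(f"{name}: missing '{required}'")
    return findings
```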

Adding routes

Now, you can use the dialer like any other interface. A common application for that is having a default route to the Internet which goes over the PPPoE link. To add that, you can use ip route 0.0.0.0 0.0.0.0 dialer 1. Remember to add NAT and some basic ACLs to protect your network from outside attacks.

Configuring the PPPoE Server

PPPoE Server Lab Introduction

The Topology

For this lab, we have two clients connected to a router via a Modem and a DSL connection. The router terminates the DSL connection and will have to terminate the PPPoE too, acting as a PPPoE server.

Figure: The topology for this lab.

So, we are going to configure only that router, and use the clients for testing the connection.

The Requirements

Our goal is simple: the router must serve as a PPPoE Dial-in server for the clients. They must be able to initiate the connection themselves, using PPPoE. To allow that, we will create two users: cst-001 and cst-002, both with password ictshore. The router should have an address of 84.3.98.1/29, and must give addresses from .2 to .6 to clients.

Configuring a PPPoE Server

Usernames and address lease

We will start this lab by configuring usernames. For the CCNA, we need to know how to set up PPPoE servers with local authentication. Therefore, we will create two new users on the router, as required. To do that, we need to use the username configuration command, like below.

username cst-001 password ictshore
username cst-002 password ictshore

Then, we need to define which addresses the clients will get. We can’t bind a specific address to a specific username, but we can create a pool instead. This looks a lot like a DHCP pool, but this time PPP will assign addresses. For our lab, we want to create a pool named “PPPoE-Dialers” which starts from 84.3.98.2 and ends with 84.3.98.6. We can do it with the command below, which expects the pool name, the start address, and the end address.

ip local pool PPPoE-Dialers 84.3.98.2 84.3.98.6

The Virtual Template

PPPoE connections are point-to-point. However, we defined a pool of addresses, typical of a broadcast network, like plain Ethernet. This is not a problem, thanks to virtual templates. A virtual template is a special type of virtual interface on a router, which represents the PPP connection over PPPoE. In other words, when the client establishes the connection to the server, the server dynamically creates an interface to represent the connection. The parameters of this interface come from a template: the virtual template interface.

So, we enter the configuration of the virtual template 1 by typing interface Virtual-Template 1. From there, we need to specify the connection settings. With ip unnumbered, we tell the router to use the IP address of another interface, instead of a dedicated one. We will use the GigabitEthernet0/0, which faces the WAN. Then, we specify the addresses to give to peers, and finally that we want to authenticate with CHAP. Here are the commands.

interface Virtual-Template 1
 ip unnumbered GigabitEthernet 0/0
 peer default ip address pool PPPoE-Dialers
 ppp authentication chap
 exit
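
What ppp authentication chap does with the locally defined usernames, as an added example that is not part of the original article and not Cisco's code: a Python model of the RFC 1994 CHAP exchange, where the server sends a random challenge and the client answers with MD5(identifier || secret || challenge). The ChapServer class and function names are hypothetical; the usernames and password are the lab's own.

```python
import hashlib
import hmac
import os

# Local user database, as created with the "username ... password ..." commands.
# CHAP needs the password itself on the server: the expected response cannot
# be recomputed from a one-way digest of the password.
LOCAL_USERS = {"cst-001": b"ictshore", "cst-002": b"ictshore"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """Authenticator side: issues challenges and checks responses."""

    def __init__(self, users: dict):
        self.users = users
        self.pending = {}          # identifier -> outstanding challenge
        self.next_id = 0

    def new_challenge(self) -> tuple:
        identifier = self.next_id
        self.next_id = (self.next_id + 1) % 256   # identifier is one octet
        challenge = os.urandom(16)                # unpredictable, never reused
        self.pending[identifier] = challenge
        return identifier, challenge

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        challenge = self.pending.pop(identifier, None)  # one attempt per challenge
        secret = self.users.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    server = ChapServer(LOCAL_USERS)
    ident, chal = server.new_challenge()
    answer = chap_response(ident, b"ictshore", chal)     # computed by the client
    print("accepted:", server.verify(ident, "cst-001", answer))
    print("replayed:", server.verify(ident, "cst-001", answer))
```

The password never crosses the link, and a captured response is useless against the next challenge because each challenge is random and consumed on first use.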

The VPDN Group

VPDN stands for Virtual Private Dial-up Network. In other words, a network where clients dial in to initiate a connection to the server. We need to enable this feature on the router with the vpdn enable global configuration command.

Then, we need to define a VPDN group (which we will name “GROUP”). This associates the VPDN feature to the Virtual-Template we created, using PPPoE. Note that we bind the protocol and the template to the “accept-dialin” feature.

vpdn-group GROUP
 accept-dialin
  protocol pppoe
  virtual-template 1

Now, we would need to do something else. In real life, we need to type the following commands to associate the PPPoE group to the virtual template. However, Packet Tracer doesn’t support that, and automatically generates the command below.

bba-group pppoe global
 virtual-template 1
 exit

Configuring the Physical Interface

The last thing we want to do is the physical interface configuration. We just need to give it an IP address and enable PPPoE, as below.

interface GigabitEthernet 0/0
 pppoe enable
 ip address 84.3.98.1 255.255.255.248

Congratulations! You have now finished the lab, and your score should be 100%.

Verify the PPPoE Dial-in

If you want to verify that things work, you can log into either of the two clients. Then, from the desktop tab, select the PPPoE dialer as in the screenshot below.

Figure: Select the PPPoE Dialer.

Then, type your credentials and click connect. You will get a message saying that you have established a PPPoE connection. After that, you can ping 8.8.8.8, or type ipconfig to see your configuration. Instead of having an IP address on the Ethernet interface, you will see one on the PPP adapter.

Conclusion

In this article, we covered all the beauty of configuring a PPPoE client. Now, you should be able to connect to a DSL or Cable provider using this technology. On top of that, you will have a better understanding of this protocol, knowing what to do when using it from the PC. We won’t report all the configuration commands in this conclusion, as the article was pretty dense. Instead, we will recap the key concepts you need to take with you.

  • Configure a PPPoE client
    • Enable PPPoE on the Ethernet interface and associate it to a dial pool
    • Create a dialer interface and define the encapsulation (PPP), MTU, and how it will get the IP (generally from the provider)
    • Associate the interface with the same dial pool as the ethernet interface, then define PPP authentication settings
  • Configure a PPPoE server
    • Define the usernames, then define the address pools for clients
    • Create a Virtual Template interface where you will define the PPP connection settings, like authentication
    • Enable VPDN and the accept-dialin feature, then bind it to PPPoE (automatic in Packet Tracer)
    • Configure the Ethernet interface facing the WAN to support PPPoE and to have an IP address

Now that you are into nested encapsulation, we will take you ahead with your CCNA by explaining some other tunneling protocols. Just continue with the Free CCNA course.


Alessandro Maggio

Project manager, critical-thinker, passionate about networking & coding. I believe that time is the most precious resource we have, and that technology can help us not to waste it. I founded ICTShore.com with the same principle: I share what I learn so that you get value from it faster than I did.
2017-11-02T16:30:48+00:00
