Cisco 800 series - PPPoE client on the LAN interface?

Answered Question
Mar 17th, 2008

Hello,


Can someone please clarify for me whether it is possible to configure a Cisco 876 or 877 to act as a PPPoE client for an external ADSL modem connected to the LAN interface?


In theory it should be possible and I can make the configuration, but in practice it doesn't work properly. Looking at the debugging output, I think it is not working because of source MAC address issues: when it sends the PPPoE PADI packet, the responding PPPoE server sends a PADO response to an invalid/unknown MAC address.


Thanks for any help.


Rui
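As an added example (not code from the thread or from Cisco), here is the check the original poster was doing by hand with debug output: parse PPPoE Discovery frames and report whether the PADO comes back to the MAC the PADI was sent from, and whether that MAC is one the pppoe-client actually owns. All MAC addresses, the AC-Name and the Host-Uniq value are constructed for the example.

```python
import struct

ETHERTYPE_PPPOE_DISC = 0x8863          # PPPoE Discovery stage (RFC 2516)
CODE_PADI, CODE_PADO = 0x09, 0x07
TAG_NAMES = {0x0000: "End-Of-List", 0x0101: "Service-Name",
             0x0102: "AC-Name", 0x0103: "Host-Uniq", 0x0104: "AC-Cookie"}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_discovery(dst, src, code, tags):
    """Build an Ethernet + PPPoE Discovery frame (session id 0) from (type, value) tags."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    header = struct.pack("!H", ETHERTYPE_PPPOE_DISC) + struct.pack("!BBHH", 0x11, code, 0, len(payload))
    return dst + src + header + payload


def parse_discovery(frame):
    """Parse a PPPoE Discovery frame into dst/src/code/session/tags; ValueError if malformed."""
    if len(frame) < 20:
        raise ValueError("frame too short for Ethernet + PPPoE header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_PPPOE_DISC:
        raise ValueError(f"not PPPoE Discovery (ethertype 0x{ethertype:04x})")
    _vertype, code, session, length = struct.unpack("!BBHH", frame[14:20])
    payload = frame[20:20 + length]
    if len(payload) != length:
        raise ValueError("PPPoE length field exceeds frame")
    tags, off = {}, 0
    while off + 4 <= len(payload):               # TLV walk over the tag list
        ttype, tlen = struct.unpack("!HH", payload[off:off + 4])
        value = payload[off + 4:off + 4 + tlen]
        if len(value) != tlen:
            raise ValueError("truncated PPPoE tag")
        tags[TAG_NAMES.get(ttype, f"0x{ttype:04x}")] = value
        off += 4 + tlen
    return {"dst": mac_str(frame[0:6]), "src": mac_str(frame[6:12]),
            "code": code, "session": session, "tags": tags}


def check_pado(padi_frame, pado_frame, client_macs):
    """Say whether a client whose pppoe-client owns `client_macs` would consume the PADO."""
    padi, pado = parse_discovery(padi_frame), parse_discovery(pado_frame)
    if padi["code"] != CODE_PADI or pado["code"] != CODE_PADO:
        return "not a PADI/PADO pair"
    if pado["dst"] != padi["src"]:
        return f"PADO sent to {pado['dst']} but PADI came from {padi['src']}"
    if pado["dst"] not in client_macs:
        return f"PADO addressed to {pado['dst']}, not owned by the pppoe-client: frame is switched, not consumed"
    if pado["tags"].get("Host-Uniq") != padi["tags"].get("Host-Uniq"):
        return "PADO does not echo the PADI Host-Uniq tag"
    return "ok"


# Constructed sample (hypothetical MACs): the PADI leaves with the switch port's MAC
# and the access concentrator answers that same MAC, as in the thread's failure case.
FE_MAC, VLAN_MAC = bytes.fromhex("001122334455"), bytes.fromhex("0011223344aa")
AC_MAC, HOST_UNIQ = bytes.fromhex("00aabbccddee"), b"\x00\x00\x00\x2a"
PADI = build_discovery(b"\xff" * 6, FE_MAC, CODE_PADI, [(0x0101, b""), (0x0103, HOST_UNIQ)])
PADO = build_discovery(FE_MAC, AC_MAC, CODE_PADO,
                       [(0x0101, b""), (0x0102, b"BRAS-1"), (0x0103, HOST_UNIQ)])

if __name__ == "__main__":
    print(check_pado(PADI, PADO, {mac_str(VLAN_MAC)}))  # pppoe-client on the VLAN does not own the port MAC
```

Run against real captures, `check_pado` distinguishes a BRAS that replies to the wrong MAC from a router that receives the PADO correctly but does not treat that MAC as its own.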

paolo bevilacqua Mon, 03/17/2008 - 10:35

It is possible and used by many people; what is the issue exactly? You can "clone" the MAC address if you want.

RF_IESFAFE Mon, 03/17/2008 - 10:50

If it were a model with a WAN Ethernet interface, like the 871, it would work perfectly.

The problem is that the 876 and 877 models have just the ADSL port as WAN, so I have to connect the external modem to a LAN interface.

The 876/877 have four bridged FastEthernet interfaces with 'dumb' MAC addresses, and as I can't configure the pppoe-client on anything other than these FastEthernet interfaces, there is a MAC address issue.

I have tried to clone the MAC address of one of those ports to that of the corresponding VLAN interface, but still no success.

The pppoe-client uses the MAC of the outgoing interface, but then when a response is received to that same MAC address, the 876/877 simply forwards the packet somewhere else, as it does not recognise that 'dumb' MAC as its own.


Rui

Correct Answer
paolo bevilacqua Mon, 03/17/2008 - 11:13

Do you have Advanced IP Services software loaded and the VLANs set? Can you set mac-address under the VLAN interface?

RF_IESFAFE Mon, 03/17/2008 - 12:49

Yes, it is using an Advanced IP Services IOS image, 12.4(15)T3, just recently upgraded from T2.

It does not let me change the MAC address of the VLAN interface; I have tried that already too. I can only change the MAC address of the FastEthernet port to be the same as the VLAN's, but it still didn't work: it no longer forwarded the response packet, as it was now recognising the MAC of the VLAN interface, but it still seems the pppoe-client was not "catching" the response packets... (paused for testing again)


** Update **


I don't know if it was my mistake before or whether it is because of the new IOS version, but now I can configure the pppoe-client on the VLAN interface and it is working as expected.

Your question made me test again, this time with the pppoe-client on the VLAN interface. I did it before with the T2 image but it didn't work; not sure if it was my mistake that time.

Anyway, you made me test it again, so I owe you credit for that.

And I appreciate your time and help with this issue.

Thank You.


Rui

paolo bevilacqua Mon, 03/17/2008 - 13:01

All is good what ends in good. Thanks for the nice rating and good luck!

RF_IESFAFE Mon, 03/17/2008 - 13:07

Thank you sir, you deserve the rating as you have also demonstrated good knowledge about this subject and asked the right question, which led me to correct my configuration.


Regards,

Rui

paolo bevilacqua Mon, 03/17/2008 - 13:27

Thank you for the appreciation.


Now, if you were thinking of adding another pppoe-client under a different port/VLAN in the future, I have to tell you that won't work.


Due to IOS internal architecture there is a limit of one pppoe-client per switched group of ports.

RF_IESFAFE Mon, 03/17/2008 - 13:46

I was not planning to add another pppoe-client to the LAN port for now, but who knows in the future, and that is very helpful information that could have saved me a lot of frustration, so thank you one more time.

Currently I am using that pppoe-client on the VLAN interface that I've just configured, at the same time as the pppoe-client on the ATM interface.

I have been getting really frustrated for a couple of months trying to configure the Cisco to handle two ADSL lines at the same time; it's very nice to see it finally working!


Regards,

Rui

paolo bevilacqua Mon, 03/17/2008 - 15:37

I guess you will want now ISP load balancing and redundancy for a failed link.


This requires careful configuration of ip sla (the track command), policy routing to send probes out the desired link, and I understand also the "oer" keyword in nat is required to make those translations expire quickly.

If you want to take that on and can't get it right, ask again if and when you're stuck.


RF_IESFAFE Tue, 03/18/2008 - 11:44

I will not need balancing or redundancy, because the two ADSL lines are for two different purposes and profiles, but I will also take note of what you just referenced as it still may be useful for me in the future; it's not easy for me to find such real-life and practical information :)


Thank you so much for your kindness.


Rui

vasko.stojanovski Tue, 05/27/2008 - 23:34

Hi all,


I am trying to set up an 877 with a LAN port configured to connect to a second ADSL connection via a pppoe-client configuration on the Vlan1 interface. I would like to load balance (or load-share per-packet) between the two ADSL connections. Inbound traffic is load balanced correctly; however, outbound traffic from the LAN prefers one of the two available Dialer interfaces instead of being load-shared equally. Using IOS 12.4(4)T8.


Here are the relevant parts of the configuration:


Thanks in advance for any help,


Vasko.


interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5snap
  protocol ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface Vlan1
 ip address xx.xx.xx.xx 255.255.255.248
 pppoe enable group global
 pppoe-client dial-pool-number 2
!
interface Dialer1
 ip address negotiated
 ip load-sharing per-packet
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname user1
 ppp chap password 0 user1
!
interface Dialer2
 ip address negotiated
 ip load-sharing per-packet
 encapsulation ppp
 dialer pool 2
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname user2
 ppp chap password 0 user2
!
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 0.0.0.0 0.0.0.0 Dialer2



paolo bevilacqua Wed, 05/28/2008 - 13:12

Hi, after a NAT translation is established via a given interface, the router will keep using it, as that guarantees that the server always sees the client coming from a single IP.

To see the load balancing in effect you must have multiple PCs opening sessions to different servers over time.

Michael Antonakis Tue, 09/21/2010 - 04:27

I've managed to do the same on a Cisco 876 router. The router is connected to a single provider via 2 ADSL lines. One line is connected to the ATM0 interface and the other to a Baudtec router which I have configured to work in bridge mode. I then connected the Baudtec router to a FastEthernet interface of the C876. I configured the PPPoE client on the Vlan1 interface and monitor both lines by tracking the line status of the dialer interfaces (I could track reachability via SLA icmp-echo requests to the IP addresses of the BRASs or IP DSLAMs, but since I connect to a single ISP the IP address is the same). I use policy-based routing to load share all traffic except the VPNs. Until now everything works perfectly. I use the Advanced Enterprise 12.4(24)T3 IOS image.

Just for everyone's reference, here is my configuration:


!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ****
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable password ****
!
aaa new-model
!
!
aaa authentication login vpncllogin local
aaa authorization network vpnclautho local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-****
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-****
 revocation-check none
 rsakeypair TP-self-signed-****
!
!
crypto pki certificate chain TP-self-signed-****
 certificate self-signed 01
  ****
        quit
dot11 syslog
ip source-route
!
!
!
!
ip cef
ip name-server 195.170.0.1
ip name-server 195.170.2.2
no ipv6 cef
!
multilink bundle-name authenticated
!
isdn switch-type basic-net3
!
!
username **** password ****
username **** password ****
username **** password ****
username **** password ****
username **** password ****
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
!
crypto isakmp policy 20
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group ****
 key ****
 dns 195.170.0.2 195.170.2.2
 pool vpnclientspool
 acl ACLVPN
 save-password
 include-local-lan
crypto isakmp profile vpnclientprf
   match identity group ****
   client authentication list vpncllogin
   isakmp authorization list vpnclautho
   client configuration address respond
!
!
crypto ipsec transform-set ENCRYPTION esp-des esp-md5-hmac
!
crypto dynamic-map DynMap 20
 set transform-set ENCRYPTION
 set isakmp-profile vpnclientprf
 reverse-route
!
!
crypto map VPN 1 ipsec-isakmp dynamic DynMap
!
archive
 log config
  hidekeys
!
!
!
track 1 interface Dialer0 line-protocol
!
track 2 interface Dialer1 line-protocol
!
!
bba-group pppoe 2ndWAN
!
!
interface Null0
 no ip unreachables
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 encapsulation ppp
 dialer pool-member 1
 isdn switch-type basic-net3
 isdn tei-negotiation preserve
 isdn point-to-point-setup
!
interface ATM0
 bandwidth 732
 backup delay 3 3
 backup interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description *** INSIDE ***
 ip address 192.168.1.1 255.255.255.0
 ip access-group LAN_Inbound in
 ip nat inside
 ip virtual-reassembly
 ip policy route-map PBR
 pppoe enable group 2ndWAN
 pppoe-client dial-pool-number 2
!
interface Dialer0
 description *** OUTSIDE ***
 ip address negotiated
 ip access-group WAN_Inbound in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer idle-timeout 270
 dialer string ****
 dialer-group 1
 keepalive 5 2
 ppp chap hostname ****
 ppp chap password ****
 ppp pap sent-username **** password ****
 crypto map VPN
!
interface Dialer1
 description *** OUTSIDE ***
 ip address negotiated
 ip access-group WAN_Inbound in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 2
 dialer idle-timeout 270
 dialer-group 1
 keepalive 5 2
 ppp chap hostname ****
 ppp chap password ****
 ppp pap sent-username **** password ****
!
ip local pool vpnclientspool 192.168.2.1 192.168.2.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0 track 1
ip route 192.168.2.0 255.255.255.0 Dialer0 track 1
ip route 0.0.0.0 0.0.0.0 Dialer1 track 2
no ip http server
ip http access-class 23
ip http secure-server
ip http secure-port ****
!
!
ip dns server
ip nat inside source static tcp 192.168.1.10 25 interface Dialer0 25
ip nat inside source static tcp 192.168.1.10 443 interface Dialer0 443
ip nat inside source static tcp 192.168.1.10 465 interface Dialer0 465
ip nat inside source static tcp 192.168.1.10 563 interface Dialer0 563
ip nat inside source static tcp 192.168.1.10 636 interface Dialer0 636
ip nat inside source static tcp 192.168.1.10 993 interface Dialer0 993
ip nat inside source static tcp 192.168.1.10 995 interface Dialer0 995
ip nat inside source route-map Dialer0PAT interface Dialer0 overload
ip nat inside source route-map Dialer1PAT interface Dialer1 overload
!
ip access-list extended ACLVPN
 remark --- VPN IPSec traffic to permit to VPN clients
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny   ip any any
 remark ---------------------------------------------------------------
ip access-list extended LAN_Inbound
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 deny   ip host 255.255.255.255 any
 deny   ip host 0.0.0.0 any
 deny   tcp any any range 137 139
 deny   udp any any range netbios-ns netbios-ss
 permit icmp 192.168.1.0 0.0.0.255 any
 deny   icmp any any
 permit ip 192.168.1.0 0.0.0.255 any
 deny   ip any any
 remark ---------------------------------------------------------------
ip access-list extended PAT
 remark --- NAT overload
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
 deny   ip any any
 remark ---------------------------------------------------------------
ip access-list extended Servers_to_Internet
 permit ip host 192.168.1.2 any
 permit ip host 192.168.1.4 any
 permit ip host 192.168.1.10 any
 deny   ip any any
 remark ---------------------------------------------------------------
ip access-list extended Users_to_Internet
 deny   ip host 192.168.1.2 any
 deny   ip host 192.168.1.4 any
 deny   ip host 192.168.1.10 any
 permit ip 192.168.1.0 0.0.0.255 any
 deny   ip any any
 remark ---------------------------------------------------------------
ip access-list extended WAN_Inbound
 remark --- Phase 1 . Add anti-spoofing entries.
 remark --- Deny special-use address sources.
 remark --- See RFC 3330 for additional special-use addresses.
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 deny   ip host 255.255.255.255 any
 deny   ip host 0.0.0.0 any
 remark --- Filter RFC 1918 space.
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 remark --- Deny your space as source (as noted in RFC 2827).
 deny   ip 192.168.1.0 0.0.0.255 any
 remark --- Phase 2 . Explicitly permit return traffic.
 remark --- Allow specific ICMP types.
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   icmp any any
 remark --- These are outgoing DNS queries.
 permit udp any eq domain host dialer_0_ip_address gt 1023
 permit udp any eq domain host dialer_1_ip_address gt 1023
 remark --- Permit older DNS queries and replies to primary DNS server.
 permit udp any eq domain host dialer_0_ip_address eq domain
 permit udp any eq domain host dialer_1_ip_address eq domain
 remark --- Permit legitimate business traffic.
 permit tcp any host dialer_0_ip_address established
 permit udp any range 1 1023 host dialer_0_ip_address gt 1023
 permit tcp any host dialer_1_ip_address established
 permit udp any range 1 1023 host dialer_1_ip_address gt 1023
 remark --- Explicitly permit externally sourced traffic.
 remark --- These are incoming DNS queries.
 permit udp any gt 1023 host dialer_0_ip_address eq domain
 remark --- These are zone transfer DNS queries to primary DNS server.
 permit tcp host 195.170.0.1 gt 1023 host dialer_0_ip_address eq domain
 permit tcp host 195.170.2.2 gt 1023 host dialer_0_ip_address eq domain
 remark --- Permit older DNS zone transfers.
 permit tcp host 195.170.0.1 eq domain host dialer_0_ip_address eq domain
 permit tcp host 195.170.2.2 eq domain host dialer_0_ip_address eq domain
 remark --- Deny all other DNS traffic.
 deny   udp any any eq domain
 deny   tcp any any eq domain
 remark --- Allow IPSec VPN traffic.
 permit udp any host dialer_0_ip_address eq isakmp
 permit udp any host dialer_0_ip_address eq non500-isakmp
 permit esp any host dialer_0_ip_address
 permit ahp any host dialer_0_ip_address
 remark --- These are Internet-sourced connections to
 remark --- publicly accessible servers.
 permit tcp any host dialer_0_ip_address eq smtp
 permit tcp any host dialer_0_ip_address eq 443
 permit tcp any host dialer_0_ip_address eq 465
 permit tcp any host dialer_0_ip_address eq 563
 permit tcp any host dialer_0_ip_address eq 636
 permit tcp any host dialer_0_ip_address eq 993
 permit tcp any host dialer_0_ip_address eq 995
 remark --- Explicitly deny all other traffic.
 deny   ip any any
 remark ---------------------------------------------------------------
!
access-list 23 remark >>> HTTP and LINE VTY Access-class list <<<
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 23 permit 192.168.2.0 0.0.0.255
access-list 23 deny   any
access-list 23 remark ----------
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
route-map PBR permit 10
 match ip address Servers_to_Internet
 set ip next-hop verify-availability 80.106.108.152 10 track 1
 set ip next-hop verify-availability 80.106.108.152 20 track 2
!
route-map PBR permit 20
 match ip address Users_to_Internet
 set ip next-hop verify-availability 80.106.108.152 10 track 2
 set ip next-hop verify-availability 80.106.108.152 20 track 1
!
route-map Dialer0PAT permit 10
 match ip address PAT
 match interface Dialer0
!
route-map Dialer1PAT permit 10
 match ip address PAT
 match interface Dialer1
!
!
control-plane
!
!
line con 0
 exec-timeout 120 0
 login authentication vpncllogin
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 login authentication vpncllogin
!
scheduler max-task-time 5000
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end


And here is my routing table


sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route


Gateway of last resort is 0.0.0.0 to network 0.0.0.0


     80.0.0.0/32 is subnetted, 1 subnets
C       80.106.108.152 is directly connected, Dialer1
                       is directly connected, Dialer0

     83.0.0.0/32 is subnetted, 1 subnets
C       dialer_1_ip_address is directly connected, Dialer1
     79.0.0.0/32 is subnetted, 1 subnets
C       dialer_0_ip_address is directly connected, Dialer0
C    192.168.1.0/24 is directly connected, Vlan1
S    192.168.2.0/24 is directly connected, Dialer0
S*   0.0.0.0/0 is directly connected, Dialer1
               is directly connected, Dialer0


I have noted in bold the IP address I use as next-hop for the PBR route-map.


Yours Sincerely,

Michael Antonakis
