
BBAGG

Volume 1

Implementing
Broadband Aggregation
on Cisco 10000 Series
Version 1.0

Student Guide

The products and specifications, configurations, and other technical information regarding the products in this manual
are subject to change without notice. All statements, technical information, and recommendations in this manual are
believed to be accurate but are presented without warranty of any kind, express or implied. You must take full
responsibility for their application of any products specified in this manual.
LICENSE
PLEASE READ THESE TERMS AND CONDITIONS CAREFULLY BEFORE USING THE MANUAL,
DOCUMENTATION, AND/OR SOFTWARE (MATERIALS). BY USING THE MATERIALS YOU AGREE TO
BE BOUND BY THE TERMS AND CONDITIONS OF THIS LICENSE. IF YOU DO NOT AGREE WITH THE
TERMS OF THIS LICENSE, PROMPTLY RETURN THE UNUSED MATERIALS (WITH PROOF OF PAYMENT)
TO THE PLACE OF PURCHASE FOR A FULL REFUND.
Cisco Systems, Inc. (Cisco) and its suppliers grant to you (You) a nonexclusive and nontransferable license to use
the Cisco Materials solely for Your own personal use. If the Materials include Cisco software (Software), Cisco
grants to You a nonexclusive and nontransferable license to use the Software in object code form solely on a single
central processing unit owned or leased by You or otherwise embedded in equipment provided by Cisco. You may make
one (1) archival copy of the Software provided You affix to such copy all copyright, confidentiality, and proprietary
notices that appear on the original. EXCEPT AS EXPRESSLY AUTHORIZED ABOVE, YOU SHALL NOT: COPY,
IN WHOLE OR IN PART, MATERIALS; MODIFY THE SOFTWARE; REVERSE COMPILE OR REVERSE
ASSEMBLE ALL OR ANY PORTION OF THE SOFTWARE; OR RENT, LEASE, DISTRIBUTE, SELL, OR
CREATE DERIVATIVE WORKS OF THE MATERIALS.
You agree that aspects of the licensed Materials, including the specific design and structure of individual programs,
constitute trade secrets and/or copyrighted material of Cisco. You agree not to disclose, provide, or otherwise make
available such trade secrets or copyrighted material in any form to any third party without the prior written consent
of Cisco. You agree to implement reasonable security measures to protect such trade secrets and copyrighted Material.
Title to the Materials shall remain solely with Cisco.
This License is effective until terminated. You may terminate this License at any time by destroying all copies of the
Materials. This License will terminate immediately without notice from Cisco if You fail to comply with any
provision of this License. Upon termination, You must destroy all copies of the Materials.
Software, including technical data, is subject to U.S. export control laws, including the U.S. Export Administration Act
and its associated regulations, and may be subject to export or import regulations in other countries. You agree to
comply strictly with all such regulations and acknowledge that You have the responsibility to obtain licenses to export, reexport, or import Software.
This License shall be governed by and construed in accordance with the laws of the State of California, United States
of America, as if performed wholly within the state and without giving effect to the principles of conflict of law. If
any portion hereof is found to be void or unenforceable, the remaining provisions of this License shall remain in full
force and effect. This License constitutes the entire License between the parties with respect to the use of the
Materials
Restricted Rights - Cisco's software is provided to non-DOD agencies with RESTRICTED RIGHTS and its supporting
documentation is provided with LIMITED RIGHTS. Use, duplication, or disclosure by the U.S. Government is subject
to the restrictions as set forth in subparagraph C of the Commercial Computer Software - Restricted Rights clause at
FAR 52.227-19. In the event the sale is to a DOD agency, the U.S. Government's rights in software, supporting
documentation, and technical data are governed by the restrictions in the Technical Data Commercial Items clause at
DFARS 252.227-7015 and DFARS 227.7202.
DISCLAIMER OF WARRANTY. ALL MATERIALS ARE PROVIDED AS IS WITH ALL FAULTS. CISCO AND
ITS SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL,
CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR
LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF
CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. In no event
shall Cisco's or its suppliers' liability to You, whether in contract, tort (including negligence), or otherwise, exceed the
price paid by You. The foregoing limitations shall apply even if the above-stated warranty fails of its essential
purpose.
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to
comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to
provide reasonable protection against harmful interference when the equipment is operated in a commercial
environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in
accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this
equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the
interference at their own expense.
The following information is for FCC compliance of Class B devices: The equipment described in this manual
generates and may radiate radio-frequency energy. If it is not installed in accordance with Cisco's installation
instructions, it may cause interference with radio and television reception. This equipment has been tested and found
to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules.
These specifications are designed to provide reasonable protection against such interference in a residential
installation. However, there is no guarantee that interference will not occur in a particular installation.

You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was
probably caused by the Cisco equipment or one of its peripheral devices. If the equipment causes interference to radio
or television reception, try to correct the interference by using one or more of the following measures:
Turn the television or radio antenna until the interference stops.
Move the equipment to one side or the other of the television or radio.
Move the equipment farther away from the television or radio.
Plug the equipment into an outlet that is on a different circuit from the television or radio. (That is, make certain
the equipment and the television or radio are on circuits controlled by different circuit breakers or fuses.)
Modifications to this product not authorized by Cisco Systems, Inc. could void the FCC approval and negate your
authority to operate the product.
The following third-party software may be included with your product and will be subject to the software license
agreement:
CiscoWorks software and documentation are based in part on HP OpenView under license from the Hewlett-Packard
Company. HP OpenView is a trademark of the Hewlett-Packard Company. Copyright 1992, 1993 Hewlett-Packard
Company.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of
California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved.
Copyright 1981, Regents of the University of California.
Network Time Protocol (NTP). Copyright 1992, David L. Mills. The University of Delaware makes no
representations about the suitability of this software for any purpose.
Point-to-Point Protocol. Copyright 1989, Carnegie-Mellon University. All rights reserved. The name of the
University may not be used to endorse or promote products derived from this software without specific prior written
permission.
The Cisco implementation of TN3270 is an adaptation of the TN3270, curses, and termcap programs developed by
the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system.
All rights reserved. Copyright 1981-1988, Regents of the University of California.
Cisco incorporates Fastmac and TrueView software and the RingRunner chip in some Token Ring products. Fastmac
software is licensed to Cisco by Madge Networks Limited, and the RingRunner chip is licensed to Cisco by Madge NV.
Fastmac, RingRunner, and TrueView are trademarks and in some jurisdictions registered trademarks of Madge
Networks Limited. Copyright 1995, Madge Networks Limited. All rights reserved.
XRemote is a trademark of Network Computing Devices, Inc. Copyright 1989, Network Computing Devices, Inc.,
Mountain View, California. NCD makes no representations about the suitability of this software for any purpose.
The X Window System is a trademark of the X Consortium, Cambridge, Massachusetts. All rights reserved.
Cisco Systems has more than 200 offices in the following countries and regions. Addresses, phone numbers, and fax
numbers are listed on the Cisco Web site at www.cisco.com/go/offices.
Argentina Australia Austria Belgium Brazil Bulgaria Canada Chile China PRC Colombia Costa Rica Croatia Czech
Republic Denmark Dubai, UAE Finland France Germany Greece Hong Kong SAR Hungary India Indonesia Ireland
Israel Italy Japan Korea Luxembourg Malaysia Mexico The Netherlands New Zealand Norway Peru Philippines Poland
Portugal Puerto Rico Romania Russia Saudi Arabia Scotland Singapore Slovakia Slovenia South Africa Spain Sweden
Switzerland Taiwan Thailand Turkey Ukraine United Kingdom United States Venezuela Vietnam Zimbabwe
Copyright 2003, Cisco Systems, Inc. All rights reserved. AccessPath, AtmDirector, Browse with Me, CCDA,
CCDE, CCDP, CCIE, CCNA, CCNP, CCSI, CD-PAC, CiscoLink, the Cisco Net Works logo, the Cisco
Powered Network logo, Cisco Systems Networking Academy, Fast Step, Follow Me Browsing,
FormShare, FrameShare, GigaStack, IGX, Internet Quotient, IP/VC, iQ Breakthrough, iQ Expertise, iQ FastTrack, the
iQ logo, iQ Net Readiness Scorecard, MGX, the Networkers logo, Packet, RateMUX, ScriptBuilder, ScriptShare,
SlideCast, SMARTnet, TransPath, Unity, Voice LAN, Wavelength Router, and WebViewer are trademarks of Cisco
Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Discover All That's Possible, and Empowering the
Internet Generation, are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, Cisco, the Cisco
Certified Internetwork Expert Logo, Cisco IOS, the Cisco IOS logo, Cisco Systems, Cisco Systems Capital, the Cisco
Systems logo, Enterprise/Solver, EtherChannel, EtherSwitch, FastHub, FastSwitch, IOS, IP/TV, LightStream, MICA,
Network Registrar, PIX, Post-Routing, Pre-Routing, Registrar, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and
VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
All other brands, names, or trademarks mentioned in this document or Web site are the property of their respective
owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company.
(0104R)

Copyright 2003, Cisco Systems, Inc.
All rights reserved. Printed in USA.

Course Overview
Intended Audience
This course is for technical professionals who need to know how to
implement broadband aggregation on the Cisco 10000 Series router.
The following are considered the primary audience for this course:

Customer technicians

Cisco System Engineers (SEs)

System Integrators (SIs)

Course Level
This course is basic and intermediate training for the topics that it
covers.

Prerequisites
Students attending this course should have successfully completed the
following training:

Interconnecting Cisco Network Devices (ICND) or equivalent experience

Campus ATM (CATM) or equivalent experience

Basic DSL End To End Architecture, either video on demand or leader-led, or equivalent experience

2003 Cisco Systems, Inc.

Version 1.0

Additional Information
Cisco Systems Technical Publications

You can print technical manuals and release notes directly from the
Internet. Go to http://www.cisco.com/univercd/home/home.htm.
Find the Cisco Systems product for which you need documentation.
Then locate the specific category and model or version for your
hardware or software product. Using Adobe Acrobat Reader, you can
open the manuals and release notes, search for the sections you need,
and print them on most standard printers. You can download Acrobat
Reader free from the Adobe Systems website, www.adobe.com.
Documentation sets and CDs are available through your local Cisco
Systems sales office or account representative.
Cisco Systems Service

Comprehensive network support is available from Cisco Systems
Service & Support solutions. Go to
http://www.cisco.com/public/support_solutions.shtml for a listing of
services.

vi

Version 1.0

Implementing Broadband Aggregation

Course Agenda
Day 1
Broadband Aggregation Architectures
RBE and RFC 1483 Routing
PPPoA

Day 2
PPPoE
Cisco Aggregation Optimization Features
AAA Service

Day 3
L2TP
Cisco 10000 Series Router Hardware Overview
Cisco 10000 Series Router Software Overview


Course Introduction and Objectives

Overview
Description
This course is intended for customer technicians and system
integrators who need to implement various broadband aggregation
technologies on Cisco routers. This course also enables Cisco System
Engineers (SEs) to present and demonstrate various broadband
aggregation technologies on Cisco routers for customers. Students
learn about RBE, PPPoA, PPPoE, and L2TP, and learn how to
configure and verify operation of these technologies on Cisco routers.
This course also explains the Cisco 10000 Series router hardware
architecture and software features.
The course is instructor-led and includes hands-on lab exercises.
Lecture topics are reinforced with supporting student exercises.
This course focuses on implementing broadband aggregation
technologies on the Cisco 10000 Series router; however, most of what
is learned in this course may be applied to other Cisco routers that
support these technologies.

Objectives
After completing this course, you will be able to do the following:

Compare and contrast the various broadband aggregation
architectures available with Cisco routers

Explain how RBE and RFC 1483 routing work, describe their
typical architectures and benefits, and configure them on Cisco
routers

Explain how PPPoA and PPPoE work, along with descriptions of
their typical architecture and benefits, and configure them on
Cisco routers


Explain and configure various methods for optimizing subscriber
connections including PVC range, auto detect PPPoX
encapsulation, VC class, ATM PVC autoprovisioning, and BBA
groups

Explain AAA services available on Cisco routers and RADIUS
servers and configure AAA services on Cisco routers

Explain how L2TP works, describe its typical architecture and
benefits, and configure it on Cisco routers

Describe the Cisco 10000 Series router and explain the features
and functions of system-wide hardware and software components

Identify and describe system modules and services on the Cisco
10000 Series router that are utilized in broadband aggregation
deployment scenarios

Contents
Course Overview ........................................................................ v
Course Agenda .......................................................................... vii
Course Introduction and Objectives ........................................... ix
Overview ................................................................................... ix

Module 1 Broadband Aggregation Architectures ........................ 1-1
Overview ................................................................................... 1-1
Broadband Aggregation Introduction ........................................... 1-2
Retail and Wholesale Services .................................................... 1-12
VC Service ................................................................................ 1-16
ATM Bridging and Routing Methods ............................................ 1-18
PPP Review .............................................................................. 1-20
PPP Broadband Access Methods ................................................ 1-24
PTA ......................................................................................... 1-26
L2TP ........................................................................................ 1-28
AAA ......................................................................................... 1-30
Managed LNS ........................................................................... 1-32
Remote Access into MPLS .......................................................... 1-34
SSG and SESM .......................................................................... 1-36
Summary .................................................................................. 1-40
Review Questions ...................................................................... 1-41

Module 2 RBE and RFC 1483 Routing ......................................... 2-1
Overview ................................................................................... 2-1
Typical RBE Architecture ............................................................ 2-2
RFC 1483 Bridging Protocol Stack ............................................... 2-4
How Does RBE Work? ................................................................. 2-8
RBE Configuration ..................................................................... 2-12
RBE Advantages and Disadvantages ........................................... 2-18
Typical RFC 1483 Routing Architecture ....................................... 2-22
RFC 1483 Routing Protocol Stack ................................................ 2-24


How Does RFC 1483 Routing Work? ............................................. 2-26
RFC 1483 Routing Configuration ................................................. 2-28
RFC 1483 Routing Advantages and Disadvantages ....................... 2-32
Summary .................................................................................. 2-34
Review Questions ...................................................................... 2-35

Module 3 PPPoA ........................................................................ 3-1
Overview ................................................................................... 3-1
Typical PPPoA Architecture ......................................................... 3-2
PPPoA with PTA Protocol Stack ................................................... 3-6
PPPoA with Tunneling Protocol Stack ........................................... 3-10
How Does PPPoA Work with PTA? ................................................ 3-12
How Does PPPoA Work with Tunneling? ....................................... 3-14
PPPoA IP Address Management ................................................... 3-16
PPPoA Configuration .................................................................. 3-18
PPPoA Advantages and Disadvantages ........................................ 3-28
Summary .................................................................................. 3-32
Review Questions ...................................................................... 3-33

Module 4 PPPoE ........................................................................ 4-1
Overview ................................................................................... 4-1
Typical PPPoE Architecture ......................................................... 4-2
PPPoE Protocol Stack ................................................................. 4-6
How Does PPPoE Discovery Work? ............................................... 4-8
PPPoEoA with PTA Protocol Stack ................................................ 4-10
PPPoEoA with Tunneling Protocol Stack ....................................... 4-14
How Does PPPoE Work with PTA? ................................................ 4-16
How Does PPPoE Work with Tunneling? ....................................... 4-18
PPPoE IP Address Management ................................................... 4-20
PPPoEoA Configuration .............................................................. 4-22
PPPoE Advantages and Disadvantages ........................................ 4-34
PPPoEoE and PPPoEo802.1q ....................................................... 4-38
PPPoEoE and PPPoEo802.1q Configuration .................................. 4-40
Summary .................................................................................. 4-42
Review Questions ...................................................................... 4-43

Module 5 Cisco Aggregation Optimization Features ..................... 5-1
Overview ................................................................................... 5-1


Optimization Features Introduction ............................................. 5-2
Minimizing ATM PVC Provisioning ............................................... 5-4
PVC Range ................................................................................ 5-6
VC Class ................................................................................... 5-14
ATM PVC Autoprovisioning ......................................................... 5-18
Autosense PPPoX Encapsulation ................................................. 5-22
PPPoE Profiles .......................................................................... 5-28
Summary .................................................................................. 5-32
Review Questions ...................................................................... 5-33

Module 6 AAA Services .............................................................. 6-1
Overview ................................................................................... 6-1
Introduction to AAA .................................................................... 6-2
Authentication ........................................................................... 6-8
Authorization ............................................................................ 6-10
Accounting ................................................................................ 6-12
AAA-Supported Protocols ........................................................... 6-14
RADIUS Attributes ..................................................................... 6-16
Radius Files .............................................................................. 6-20
AAA Implementations ................................................................ 6-28
RADIUS Protocol ....................................................................... 6-32
Cisco Implementation of AAA ..................................................... 6-44
Troubleshooting Aids ................................................................. 6-56
Cisco IOS Commands ................................................................. 6-58
UNIX Commands ....................................................................... 6-70
Review Questions ...................................................................... 6-77

Module 7 L2TP ........................................................................... 7-1
Overview ................................................................................... 7-1
L2TP Overview ........................................................................... 7-2
L2TP Components ...................................................................... 7-4
L2TP Tunnel and Session Identifiers ............................................ 7-6
Encapsulations Supported .......................................................... 7-8
L2TP Message Format ................................................................ 7-10
Incoming Call Sequence ............................................................. 7-12
Forwarding PPP Frames ............................................................. 7-16
Call Disconnect Sequence ........................................................... 7-18
Typical L2TP Scenarios .............................................................. 7-20


L2TP Configuration Overview ..................................................... 7-24
L2TP Tunnel Attributes .............................................................. 7-26
L2TP Configuration Without RADIUS ........................................... 7-28
L2TP Configuration with RADIUS ................................................ 7-36
Tunnel Verification .................................................................... 7-50
Summary .................................................................................. 7-58
Review Questions ...................................................................... 7-59

Module 8 Cisco 10000 Series Router Hardware Overview ............. 8-1
Overview ................................................................................... 8-1
Cisco 10000 Series Router Introduction ....................................... 8-2
Broadband Aggregation Deployment Scenarios ............................ 8-4
Cisco 10000 Series Router Components Overview ........................ 8-6
Chassis Description .................................................................... 8-8
Modules Used with Broadband Aggregation .................................. 8-14
Cisco 10000 Series Router Architecture Overview ........................ 8-18
Functional Block Diagram ........................................................... 8-20
Router Buffer Management ......................................................... 8-24
Router Backplane ...................................................................... 8-26
Performance Routing Engine-2 .................................................... 8-30
PRE-2 Front Panel ..................................................................... 8-32
PRE-2 Architecture .................................................................... 8-34
PRE-2 Packet Flow ..................................................................... 8-42
PXF Technology and Operation .................................................... 8-50
PRE Comparison ........................................................................ 8-60
High Availability ........................................................................ 8-62
PRE Redundancy ....................................................................... 8-64
Cisco 10000 Series Router Broadband Aggregation Line Cards ...... 8-74
ATM Line Cards ......................................................................... 8-76
ATM Line Card Common Features ............................................... 8-82
Assigning VPI/VCIs for ATM VC Scaling ....................................... 8-88
LAN Line Cards ......................................................................... 8-92
Packet over SONET Line Cards .................................................... 8-106
Common POS/SDH Line Card Features ........................................ 8-112
Summary .................................................................................. 8-114
Review Questions ...................................................................... 8-115


Module 9 Cisco 10000 Series Router Software Overview ..... 9-1


Overview ..... 9-1
Software Architecture ..... 9-2
Software Components ..... 9-4
Cisco 10000 Router Software ..... 9-6
Supported Encapsulations ..... 9-14
Frame Relay Support ..... 9-18
Broadband Features and Scaling ..... 9-20
Leased-Line Features and Scaling ..... 9-28
High Availability and Management Functionality ..... 9-34
QoS Features and Functions ..... 9-36
Class-Map Match Options ..... 9-38
Policy-Map Keywords ..... 9-40
Policy-Map Actions ..... 9-42
QoS Facts ..... 9-46
Policing Considerations ..... 9-52
VC Scaling with QoS ..... 9-54
System Status and Alarms ..... 9-58
Checking the Data Path ..... 9-66
System-Wide Statistics and Performance ..... 9-80
Summary ..... 9-96

Glossary .......................................................................................................................... 1
Technology Acronyms .................................................................................................... 2
Cisco 10000 Series Router Acronyms ............................................................................. 5

Appendix A Review Question Answers ..... A-1


Appendix Contents ..... A-1
Module 1 Broadband Aggregation Architectures ..... A-2
Module 2 RBE and RFC 1483 ..... A-4
Module 3 PPPoA ..... A-7
Module 4 PPPoE ..... A-10
Module 5 Cisco Aggregation Optimization Features ..... A-13
Module 6 AAA Services ..... A-14
Module 7 L2TP ..... A-16
Module 8 Cisco 10000 Series Router Hardware Overview ..... A-18

2003 Cisco Systems, Inc.


Appendix B Router Starting Configurations ..... B-1


Appendix Contents ..... B-1
P1R1 Configurations ..... B-2
P1R2 Configurations ..... B-16
P1R3 Configuration ..... B-30
Core Routers Configurations ..... B-32
PC CPE Configurations ..... B-36


Module 1
Broadband Aggregation Architectures

Overview
Description
In this module, you will learn about the various broadband aggregation
architectures available with Cisco routers.

Objectives
After completing this module, you will be able to do the following:

List various broadband aggregation architectures

Identify the technologies used by each architecture and describe how
each architecture functions

Identify the benefits of each architecture


Broadband Aggregation Introduction


This section describes the various segments that constitute a broadband
subscriber network environment.

Network Segments
You can view the access and core network that serve broadband
subscribers as being divided into three segments.

Customer Premises Equipment (CPE)

Network Access Provider (NAP)

Network Service Provider (NSP)

The NAP and NSP may be owned by different businesses or by one
company. This is described in more detail in the Retail and Wholesale
Services section. Although the drawing illustrates digital subscriber line
(DSL) access, the same functional segments apply to other broadband
access methods, such as cable and wireless.


Figure: Broadband Aggregation Introduction. The diagram shows the three segments from left to right: CPE (ATU-R); NAP (DSLAM, Aggregation, Service Selection, Core); NSP (Termination, Service Selection, Content, Video, Voice), with an Enterprise and an ISP/Internet as destinations. Legend: CPE = Customer Premises Equipment; NAP = Network Access Provider; NSP = Network Service Provider.


Broadband Aggregation Introduction (continued)


CPE
The term CPE refers to the equipment required on the customer premises,
typically a modem and personal computer. The modem type varies with the
access method, such as DSL and cable.
The modem generally provides Layer 1 and Layer 2 functions and in some
applications Layer 3 functions.

Physical layer: transport of data according to the subscriber
connection type; for example, asymmetric digital subscriber line
(ADSL)

Data Link layer: encapsulation of data for transport across the
physical link; for example, ATM, bridging, and Point-to-Point Protocol
(PPP)

Network layer: routing, Network Address Translation (NAT),
and DHCP functions, typically using IP


Broadband Aggregation Introduction (continued)


NAP
The NAP portion of the network provides at least the following
components:

Subscriber termination devices such as digital subscriber line access
multiplexers (DSLAMs) or cable headend systems

Aggregation systems

Core network for transporting data to the NSP

Subscriber Termination

Subscriber termination devices terminate the physical layer connection
and transport of data from the subscriber. The data is then transported to
aggregation devices, typically by using an ATM or Ethernet/IP
infrastructure.

Aggregation

Aggregation systems may be ATM switches or routers or a combination of
both, depending on several factors, such as whether the NAP is providing
retail or wholesale services. The types of functions that aggregators may
provide include

ATM switching

Bridging

PPP termination

Routing

Core Network

Typical core networks are either ATM based or IP based. If a legacy ATM
network is in place, then the NAP may continue to use it to transport data
to the NSP. NAPs are migrating from ATM switching to IP cores, or are
building new IP cores using Gigabit Ethernet. Additionally, IP
cores are evolving to Multiprotocol Label Switching (MPLS).


Broadband Aggregation Introduction (continued)


NSP
The NSP is responsible for offering services to subscribers, which may be
residential or business users. Services the NSP provides include

E-mail

Internet access

Video and voice services

Access to corporations

Termination of service selection

NSPs use aggregation devices, typically routers, to terminate virtual circuit
(VC) or PPP connections from the subscribers. The Layer 3 data is then
extracted and forwarded to the destination. Like aggregators in the NAP,
the aggregation devices may perform bridging, routing, and PPP
termination for various types of encapsulation methods.


Broadband Aggregation Introduction (continued)


In this course we will focus on the aggregation aspects of broadband
subscriber networks. You will learn about Cisco's implementation of aggregation
services on routers that have been optimized to perform aggregation
functions.

Figure: Broadband Aggregation Introduction, Training Focus. The same CPE / NAP / NSP diagram as above (ATU-R, DSLAM, Aggregation, Service Selection, Termination, Content, Video, Voice, Core, Internet/ISP, Enterprise), marking the aggregation functions that this course covers.

Retail and Wholesale Services


Service providers may be categorized in terms of their operating models:
retail services and wholesale services.

Characteristics of a Retail Service


A service provider that operates a retail service performs the roles of both
the NAP and the NSP. A retailer provides broadband access, termination,
and value-added services to the subscriber, that is, both NAP and NSP
functions. A retail provider can offer data, voice, and video to residential
customers and can also offer Virtual Private Network (VPN) capability to
business customers.
The following are key aspects of a retail provider:

Owns the subscriber

Dictates the class of service

Provides access to the Internet


Figure: Retail and Wholesale Services. A Service Provider serves the Subscriber directly. Characteristics of a Retail Service: owns the subscriber service (gets the monthly subscription); dictates the class of service (the line rate); provides access to the Internet and other value-added services such as email.


Retail and Wholesale Services (continued)


Characteristics of a Wholesale Service
A service provider that operates a wholesale service provides the NAP
functions. It provides the access connection to the subscriber and connects
the subscriber to the NSP. The wholesaler has ISPs and corporations as its
primary customers.
The following are key aspects of a wholesale provider:

Connects the subscriber to the NSP

Sells various infrastructure capabilities to the ISPs and corporations

ISPs and corporations still own subscribers

______________________________ Note __________________________


Because of governmental regulation, wholesalers are not permitted to
provide services that are limited to retailers. Through an unregulated
portion of their business, some service providers provide a retail service
in addition to wholesale service.
_____________________________________________________________


Figure: Retail and Wholesale Services (continued). The Subscriber connects through a Carrier (ILEC) to the Service Provider. Characteristics of a Wholesale Service: the carrier connects the subscriber to the service provider; it offers a range of network architectures to achieve this; the retailer still owns the customer but pays a percentage of the monthly subscription to the wholesaler for connectivity services; the wholesaler often has a retail business.


VC Service
Description
A virtual circuit (VC) service is one in which the subscriber permanent
virtual circuit (PVC) is switched all the way to the ISP, NSP, or
corporation. The ISP, NSP, or corporation is responsible for terminating
the PVC, retrieving the IP data, and providing IP addressing to the
subscriber. A VC service is commonplace with NAPs that are simply
providing a wholesale service.

Advantages and Disadvantages of VC Service


The following are some of the advantages and disadvantages of a VC service
model:

NAPs do not manage IP addresses

The various encapsulation methods are transparent to VC service

End-to-end PVC provisioning takes time

Does not scale well

In some situations, lack of control over bandwidth offered to
subscribers and ISP


Figure: VC Service. Local loops from subscribers terminate on DSLAMs (Local Exchanges); each PVC is switched through the ATM Access Network and the ATM Core Network to a BRAS at ISP1.com or ISP2.com. Each subscriber is presented as a unique VC to the ISP.


ATM Bridging and Routing Methods


RFC 1483 describes two methods for transporting data over ATM
networks: bridging and routing.

RFC 1483 Bridging


With RFC 1483 bridging, the CPE simply acts as a bridge between the
subscriber PC and the aggregation device. The PC encapsulates Layer 3
data into 802.3 (Ethernet), which is then encapsulated into ATM cells. On
the aggregation device, the Ethernet frames are terminated into a bridge
group and forwarded using bridging or routing to the final destination.
Even though it is simple and easy to deploy, this method has security
limitations, is no longer widely used with Cisco routers, and will not be
discussed in this course.

RFC 1483 with RBE


RFC 1483 with RBE is often referred to as Route Bridge Encapsulation
(RBE) by Cisco. RBE builds upon some of the features and advantages of
RFC 1483 bridging and overcomes the security limitations of bridging.
From the PC and CPE perspective, there is no change in their
configuration and operation. The key difference is that the subscriber
traffic is terminated at the aggregator by using routing rather than by
using bridging.

RFC 1483 Routing


RFC 1483 routing incorporates some of the same principles as RFC 1483
bridging with the key difference that the CPE is in a routing mode rather
than bridging mode. As a router, it can support multiple networks on the
subscriber side of the CPE and can exchange routing updates, making it
ideal for business applications. RFC 1483 routing can also implement NAT
or PAT and conserve IP addresses.
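As an added example (not code from the course or from Cisco IOS), the following Python decodes RFC 1483 LLC/SNAP headers to tell a bridged PDU from a routed PDU and then applies an RBE-style admission rule; the OUI and PID values are those defined in RFC 1483, while the admission policy, MAC addresses and packets are assumptions constructed for the example.

```python
"""Added example (not course or Cisco code): decode RFC 1483 LLC/SNAP
encapsulation to tell a bridged PDU from a routed PDU, then apply an
RBE-style admission rule. All sample PDUs below are constructed inline."""
from dataclasses import dataclass
from typing import Optional

LLC_SNAP_HDR = bytes.fromhex("aaaa03")   # LLC DSAP=AA, SSAP=AA, Ctrl=03 (UI)
OUI_IEEE_8021 = bytes.fromhex("0080c2")  # OUI for bridged PDUs (RFC 1483 4.1)
OUI_ETHERTYPE = bytes.fromhex("000000")  # OUI for routed PDUs; EtherType follows
PID_ETH_WITH_FCS = 0x0001                # bridged Ethernet/802.3, FCS present
PID_ETH_NO_FCS = 0x0007                  # bridged Ethernet/802.3, FCS removed
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


@dataclass
class Rfc1483Pdu:
    mode: str                   # "bridged" or "routed"
    ethertype: int              # EtherType of the carried Layer 3 protocol
    dst_mac: Optional[bytes]    # MAC addresses exist only in bridged PDUs
    src_mac: Optional[bytes]
    payload: bytes              # the Layer 3 packet


def parse_rfc1483(aal5_sdu: bytes) -> Rfc1483Pdu:
    """Decode one AAL5 SDU that carries RFC 1483 LLC/SNAP encapsulation."""
    if len(aal5_sdu) < 8 or aal5_sdu[:3] != LLC_SNAP_HDR:
        raise ValueError("not an LLC/SNAP encapsulated PDU")
    oui = aal5_sdu[3:6]
    type_field = int.from_bytes(aal5_sdu[6:8], "big")
    if oui == OUI_ETHERTYPE:
        # Routed PDU: the two octets after the OUI are an EtherType and the
        # Layer 3 packet starts right after them. No MAC header is present.
        return Rfc1483Pdu("routed", type_field, None, None, aal5_sdu[8:])
    if oui == OUI_IEEE_8021:
        if type_field not in (PID_ETH_WITH_FCS, PID_ETH_NO_FCS):
            raise ValueError(f"unsupported bridged PID 0x{type_field:04x}")
        # Bridged Ethernet/802.3: two octets of padding, then the MAC frame.
        frame = aal5_sdu[10:]
        if type_field == PID_ETH_WITH_FCS:
            frame = frame[:-4]                       # drop the trailing FCS
        if len(frame) < 14:
            raise ValueError("truncated Ethernet frame")
        ethertype = int.from_bytes(frame[12:14], "big")
        return Rfc1483Pdu("bridged", ethertype, frame[0:6], frame[6:12], frame[14:])
    raise ValueError(f"unknown SNAP OUI {oui.hex()}")


def rbe_admit(pdu: Rfc1483Pdu) -> bool:
    """Admission rule modelled on the RBE idea (an assumption for this example,
    not the IOS implementation): the CPE still bridges, but the aggregator
    routes, so only IPv4 and ARP from a bridged CPE are accepted and other
    Layer 2 protocols are never flooded between subscriber VCs."""
    return pdu.mode == "bridged" and pdu.ethertype in (ETHERTYPE_IPV4, ETHERTYPE_ARP)


# Constructed sample PDUs (addresses and payloads are placeholders).
SAMPLE_IP_PKT = bytes.fromhex("45000014") + bytes(16)   # 20-byte IPv4 header stub
CPE_MAC = bytes.fromhex("0200000000aa")
AGG_MAC = bytes.fromhex("0200000000bb")


def bridged_pdu(dst: bytes, src: bytes, ethertype: int, l3: bytes,
                with_fcs: bool = False) -> bytes:
    """Build a bridged Ethernet PDU as the CPE would send it."""
    pid = PID_ETH_WITH_FCS if with_fcs else PID_ETH_NO_FCS
    frame = dst + src + ethertype.to_bytes(2, "big") + l3
    if with_fcs:
        frame += b"\x00\x00\x00\x00"                 # placeholder FCS, not computed
    return LLC_SNAP_HDR + OUI_IEEE_8021 + pid.to_bytes(2, "big") + b"\x00\x00" + frame


def routed_pdu(ethertype: int, l3: bytes) -> bytes:
    """Build a routed PDU as a routed CPE would send it."""
    return LLC_SNAP_HDR + OUI_ETHERTYPE + ethertype.to_bytes(2, "big") + l3


BRIDGED_IP_PDU = bridged_pdu(AGG_MAC, CPE_MAC, ETHERTYPE_IPV4, SAMPLE_IP_PKT)
BRIDGED_IP_PDU_FCS = bridged_pdu(AGG_MAC, CPE_MAC, ETHERTYPE_IPV4, SAMPLE_IP_PKT, with_fcs=True)
BRIDGED_IPX_PDU = bridged_pdu(b"\xff" * 6, CPE_MAC, 0x8137, bytes(30))   # non-IP broadcast
ROUTED_IP_PDU = routed_pdu(ETHERTYPE_IPV4, SAMPLE_IP_PKT)

if __name__ == "__main__":
    for name, pdu in [("bridged IP", BRIDGED_IP_PDU), ("bridged IPX", BRIDGED_IPX_PDU),
                      ("routed IP", ROUTED_IP_PDU)]:
        decoded = parse_rfc1483(pdu)
        print(f"{name}: mode={decoded.mode} ethertype=0x{decoded.ethertype:04x} "
              f"rbe_admit={rbe_admit(decoded)}")
```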


Figure: ATM Bridging and Routing Methods. Three paths through the DSLAM to the Aggregation Device and Core: RFC 1483 Bridging, a Bridged CPE whose frames enter a Bridge Group on the aggregation device and reach ISP1.com; RFC 1483 Bridging with RBE, a Bridged CPE whose traffic the aggregation device routes; RFC 1483 Routing, a Routed CPE whose traffic is routed to ISP2.com.


PPP Review
Description of PPP
Point-to-Point Protocol (PPP), defined in RFC 1661, is a standard method
of encapsulating upper layer protocols, such as IP and IPX, across point-to-point
links. It was originally intended for dial-up applications, but it is also
suitable for applications requiring authentication of subscribers in a
broadband environment. In a dial-up environment, PPP offers several
functions, but with broadband implementations, its principal function is to
provide user authentication using Password Authentication Protocol (PAP)
or Challenge Handshake Authentication Protocol (CHAP) and, additionally,
support for multiple protocols.

PPP Fundamentals
The following are fundamental concepts of PPP that you should know.
Besides the RFC, there are numerous publications that explain PPP in
detail.
PPP comprises three main components and phases:

High-Level Data Link Control (HDLC) encapsulates multiprotocol
datagrams.

Link Control Protocol (LCP) establishes, configures, and tests the
data-link connection.

Network Control Protocols (NCPs) establish and configure different
network-layer protocols.

If authentication using PAP or CHAP is implemented, it occurs
before the NCP phase.

An example of an NCP is IP Control Protocol (IPCP), which is used for
transporting IP datagrams.


Figure: PPP Review. Protocol stack at each end of a point-to-point link: Layer 3 over NCP over LCP over HDLC over PHY, with ATM, FR, etc. as the physical transport between them. PPP uses HDLC framing. PPP packet types: LCP (Link Control Protocol) handles link establishment, termination, and maintenance, and authentication with PAP or CHAP; NCP (Network Control Protocol) handles encapsulation of the Layer 3 protocol, for example IPCP.


PPP Review (continued)


PPP Link Operation
A PPP link is initialized using both LCP and NCP. The PPP link goes
through five distinct phases.
Link Dead Phase

This phase determines the physical readiness of the link. Once the physical
layer is initialized, the link goes into the Link Establishment phase.
Link Establishment Phase

During this phase, each end uses Configure Request packets to initialize
LCP and negotiate datalink layer parameters. When a Configure Ack is
received at both ends of the link, the link enters the open state and goes
into the Authentication phase. The following options may be exchanged
during this phase:

Maximum Receive Unit

Authentication Protocol

Quality Protocol

Magic Number

Protocol Field Compression

Address and Control Field Compression

Authentication Phase (optional)

During this phase, each end of the link authenticates the other using an
agreed-upon protocol such as PAP or CHAP. The link does not proceed to
the Network Layer Protocol phase until authentication is successful. If
authentication fails, then the link goes to the Link Termination phase.
Network Layer Protocol Phase

During this phase, each end exchanges Configure Request and Configure
Ack packets to activate any supported network layer protocols using the
appropriate NCP. Once an NCP is opened, the PPP link transports data
across the link.
Link Termination Phase

This phase terminates the PPP link, which may be caused by physical link
failure, link quality failure, configuration rejection, or authentication
failure. The network administrator can also disable the link for diagnostic
purposes. LCP uses Terminate Request packets to terminate the link and
notifies the appropriate NCPs that the link is terminating.
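The five phases above, as an added example simulated in Python (not the course's or Cisco's code): both ends of a link exchange LCP, CHAP (RFC 1994), IPCP and termination messages, showing that a failed authentication skips the network-layer phase and that the CHAP secret never appears on the wire. The peer name, secret, address pool and option values are constructed for the example.

```python
"""Added example (not course or Cisco code): a simulation of the five PPP
phases described above between a CPE and an aggregator, with CHAP (RFC 1994)
as the authentication protocol negotiated in LCP. The peer name, secret,
address pool and LCP option values are constructed for the example."""
import hashlib
import hmac
import os

PHASES = ("Link Dead", "Link Establishment", "Authentication",
          "Network-Layer Protocol", "Link Termination")
DEAD, ESTABLISH, AUTH, NETWORK, TERMINATE = PHASES


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Aggregator:
    """Authenticator end (the PTA). Holds a constructed local AAA table of CHAP
    secrets and an IPCP address pool. The secret itself never crosses the link."""

    def __init__(self, secrets: dict, pool: list):
        self.secrets, self.pool = dict(secrets), list(pool)
        self.outstanding = {}            # CHAP identifier -> challenge sent

    def chap_challenge(self, identifier: int) -> bytes:
        challenge = os.urandom(16)       # fresh per attempt, so a replay fails
        self.outstanding[identifier] = challenge
        return challenge

    def chap_verify(self, identifier: int, name: str, value: bytes) -> bool:
        challenge = self.outstanding.pop(identifier, None)
        secret = self.secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, value)   # constant-time compare


def run_ppp_link(cpe_name: str, cpe_secret: bytes, agg: Aggregator,
                 physical_up: bool = True) -> dict:
    """Drive one PPP link through its phases. Returns the phase trace, every
    message seen on the wire, and the IPCP address (None if auth failed)."""
    phases, wire = [DEAD], []
    result = {"phases": phases, "wire": wire, "ip": None, "authenticated": False}
    if not physical_up:                  # stays in Link Dead until Layer 1 is up
        return result

    # Link Establishment: each end sends Configure-Request and the other acks.
    # The aggregator's request carries the Authentication-Protocol option.
    phases.append(ESTABLISH)
    agg_opts = {"MRU": 1492, "Authentication-Protocol": "CHAP", "Magic-Number": 0x1A2B3C4D}
    cpe_opts = {"MRU": 1492, "Magic-Number": 0x5E6F7081}
    wire += [("agg->cpe", "LCP Configure-Request", agg_opts),
             ("cpe->agg", "LCP Configure-Ack", agg_opts),
             ("cpe->agg", "LCP Configure-Request", cpe_opts),
             ("agg->cpe", "LCP Configure-Ack", cpe_opts)]

    # Authentication: CHAP Challenge, Response, then Success or Failure.
    phases.append(AUTH)
    ident = 1
    challenge = agg.chap_challenge(ident)
    wire.append(("agg->cpe", "CHAP Challenge", {"id": ident, "value": challenge}))
    response = chap_response(ident, cpe_secret, challenge)
    wire.append(("cpe->agg", "CHAP Response", {"id": ident, "name": cpe_name, "value": response}))
    if not agg.chap_verify(ident, cpe_name, response):
        wire.append(("agg->cpe", "CHAP Failure", {}))
        phases.append(TERMINATE)         # failed auth skips the NCP phase
        wire += [("agg->cpe", "LCP Terminate-Request", {}), ("cpe->agg", "LCP Terminate-Ack", {})]
        return result
    wire.append(("agg->cpe", "CHAP Success", {}))
    result["authenticated"] = True

    # Network-Layer Protocol: IPCP opens; the aggregator assigns the address by
    # Nak-ing the CPE's 0.0.0.0 request with a pool address (RFC 1332).
    phases.append(NETWORK)
    ip = agg.pool.pop(0)
    wire += [("cpe->agg", "IPCP Configure-Request", {"IP-Address": "0.0.0.0"}),
             ("agg->cpe", "IPCP Configure-Nak", {"IP-Address": ip}),
             ("cpe->agg", "IPCP Configure-Request", {"IP-Address": ip}),
             ("agg->cpe", "IPCP Configure-Ack", {"IP-Address": ip}),
             ("cpe->agg", "Data", {"payload": b"constructed user data"})]
    result["ip"] = ip

    # Link Termination (an administrative close here): Terminate-Request/Ack.
    phases.append(TERMINATE)
    wire += [("cpe->agg", "LCP Terminate-Request", {}), ("agg->cpe", "LCP Terminate-Ack", {})]
    return result


def secret_on_wire(result: dict, secret: bytes) -> bool:
    """True if the raw secret shows up in any message; with CHAP it must not."""
    return any(secret in repr(msg).encode() for msg in result["wire"])
```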



Figure: PPP Link Operation. Message sequence between the two ends of the link. Link Dead Phase. Link Establishment Phase: Configure Request and Configure Ack in each direction. Authentication Phase: Authentication Packets in each direction. Network-Layer Protocol Phase: IPCP Configure Request and IPCP Configure Ack in each direction, followed by Data Exchange. Link Termination Phase: Terminate Request and Terminate Ack in each direction.


PPP Broadband Access Methods


PPP Methods
In broadband applications, there are two general ways in which PPP is
implemented.

PPP over ATM (PPPoA)

PPP over Ethernet (PPPoE)

You will often see the abbreviation PPPoX, which collectively refers to
all methods of PPP over ATM, Ethernet, and so on.

PPPoA
PPPoA works in an ATM environment. It relies on the presence of a VC
between the CPE and the aggregation device. The PPP session is between
CPE and the aggregator. The CPE is responsible for authenticating with
the aggregator.
With PPPoA, the CPE can run NAT for multiple users behind the CPE and
conserve IP addresses. However, since there is a single PPP session per
VC, the users are limited to selecting a single service, that is, a single ISP.

PPPoE
PPPoE is similar to PPPoA in that it establishes a PPP session with the
aggregation device. PPPoE has the following key differences from PPPoA:

Each host behind the CPE establishes its own PPP session.

The CPE acts as a bridge.

PPPoE is not restricted to use over ATM.

PPPoE is suitable for residential customers with multiple PCs behind the
CPE that need the flexibility to access multiple services simultaneously.
An important consideration, though, is that the PPPoE client software
needs to be installed on the PC. There are multiple variations of PPPoE
that we will learn about later:

PPPoEoA

PPPoEoE

PPPoEo802.1q


Figure: PPP Broadband Access Methods. PPPoA: a single PPP session from the CPE through the DSLAM to the Aggregation Device, then across the Core to ISP1.com. PPPoE: one PPP session per host behind a Bridged CPE, through the DSLAM to the Aggregation Device and on to ISP2.com. PPPoA: PPP session initiated by the CPE. PPPoE: PPP sessions initiated by the client.


PTA
PPP termination and aggregation (PTA) is the point at which PPPoX
sessions are terminated, that is, the aggregation device. From this point,
user data is extracted from the PPP frames and forwarded to its
destination, such as an ISP or corporation.
With PTA, the service is selected based on a structured domain name
(username@service.com), and it supports one service at a time. The IP
traffic is forwarded to a single routing domain.
PTA is generally used by providers for their own customers if regulations
allow it.


Figure: PTA. PPPoA (a PPP session from the CPE) and PPPoE (PPP sessions from hosts behind a Bridged CPE) pass through the DSLAM to the Aggregation Device, where PTA terminates them; the extracted IP traffic follows an IP route to the Internet. PPP termination and aggregation: terminate PPP sessions at the aggregation device; route IP data to the ISP or corporate site.


L2TP
Description
Layer 2 Tunneling Protocol (L2TP) is an extension to PPP. It was
introduced to allow the use of PPP across different networks and multiple
communication links.
L2TP extends the PPP session beyond the PTA that you saw in the
previous illustration to a destination closer to the service that the user
wants to access. L2TP accomplishes this by setting up a tunnel over
multiple links and networks between an access concentrator and a network
server. The PPP session that would have been terminated at the
concentrator is then continued through the tunnel to the server.
L2TP is an important component of VPNs. Between the access
concentrator and network server, the service provider does not look at the
subscriber traffic beyond the Layer 2 information after the session is
established.

Benefits of L2TP
The following are benefits of L2TP:

Supports multiple protocols

Allows use of unnumbered IP addresses

Centralization of login and authentication operations

Shares access to core network components

Overlapping CPE IP addresses

Components of L2TP
The following are some of the major components of L2TP:

L2TP access concentrator (LAC): initiates the tunnel to the LNS. It
forwards PPP traffic between the subscriber and the LNS.

L2TP network server (LNS): terminates the tunnel from the LAC. It
terminates the PPP session and extracts user data for further
forwarding.

L2TP tunnel: exists between the LAC and LNS. It encapsulates the
PPP traffic with header information necessary to support the tunnel.


Figure: L2TP. PPPoA (a PPP session from the CPE) and PPPoE (PPP sessions from hosts behind a Bridged CPE) pass through the DSLAM to the Aggregation Device acting as the LAC. An L2TP tunnel across the IP Core carries each PPP session to an LNS at ISP1.com or ISP2.com, where it is terminated. Layer 2 Tunneling Protocol: terminate PPP sessions at the ISP or corporate site.


AAA
Authentication, authorization, and accounting (AAA) comprises three
functions, provided by an AAA server that maintains a database of users.

AAA Functions
Authentication identifies the users. The user login name and password are
checked against the AAA database to determine whether a user is allowed
to access the network.
Authorization determines what the users can do. The AAA database stores
attributes that determine the users' capabilities and restrictions.
Accounting tracks what the users have done. Accounting collects
information in the database about user access, traffic statistics, and
resource usage. This information can then be used for billing and network
management.

AAA Methods
Three methods are generally used to provide AAA services. One or more of
these may be used concurrently.
Local: the router or access server consults its local database.
Username/password pairs are configured in Cisco IOS software.
Remote Authentication Dial-In User Service (RADIUS): a client (router)
and server (UNIX or NT) model. Each username and its associated attributes
are stored within the RADIUS database.
Terminal Access Controller Access Control System Plus (TACACS+): a server
that separates the authentication, authorization, and accounting functions.
The router accesses the TACACS+ server's database, where user
information and capabilities are maintained.

AAA Usage
AAA plays an important role with PPP and L2TP in controlling user
sessions and tunnels. AAA services are used at the PTA, LAC, and/or LNS
and are commonly provided by means of RADIUS servers. These are some
of the important functions that AAA provides:

Authenticates subscriber PPP sessions

Provides L2TP tunnel attributes to the LAC

Provides subscriber IP addresses
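As an added example tying together the PTA, L2TP and AAA sections (not code from the course or from Cisco IOS), this Python models how an aggregator consults AAA for a session whose username is structured as user@service.com: a PTA domain is authenticated, terminated locally and placed in its routing domain with an address from its pool, while an L2TP domain returns the tunnel endpoint for the LAC. The AAA records, domains, VRF names, LNS address and pools are all constructed assumptions.

```python
"""Added example (not course or Cisco code): how an aggregator that receives
a PPP session with a structured username (user@service.com) can consult AAA
to decide between PTA (authenticate, terminate locally, forward into the
service's routing domain) and L2TP (hand the session to an LNS), and to hand
out the subscriber address. The AAA table, domains, VRF names, LNS address
and pools are all constructed for the example."""
from dataclasses import dataclass, field
import hmac
import ipaddress
from typing import Optional


@dataclass
class Disposition:
    action: str                     # "pta" or "l2tp"
    domain: str
    vrf: Optional[str] = None       # PTA: routing domain the session joins
    lns: Optional[str] = None       # L2TP: tunnel endpoint returned to the LAC
    ip_address: Optional[str] = None


@dataclass
class LocalAaa:
    """A local AAA database: per-user passwords, per-service records and an
    accounting log. A RADIUS or TACACS+ server would return the same data."""
    users: dict                     # username -> password
    services: dict                  # domain -> {"type", "vrf"|"lns", "pool"}
    accounting: list = field(default_factory=list)


def parse_structured_username(username: str) -> tuple:
    """Split user@service.com; the domain part selects the service."""
    if username.count("@") != 1:
        raise ValueError("username must be user@domain")
    user, domain = username.split("@")
    user, domain = user.strip(), domain.strip().lower()
    if not user or not domain:
        raise ValueError("empty user or domain")
    return user, domain


def disposition(aaa: LocalAaa, username: str, password: str) -> Optional[Disposition]:
    """Decide what the aggregator does with one PPP session. None means reject."""
    try:
        _, domain = parse_structured_username(username)
    except ValueError as err:
        aaa.accounting.append(("reject", username, str(err)))
        return None
    service = aaa.services.get(domain)
    if service is None:
        aaa.accounting.append(("reject", username, "unknown service"))
        return None
    if service["type"] == "l2tp":
        # The LAC does not authenticate the user; AAA returns tunnel attributes
        # keyed on the domain and the PPP session continues to the LNS.
        aaa.accounting.append(("tunnel", username, service["lns"]))
        return Disposition("l2tp", domain, lns=service["lns"])
    # PTA: authenticate here, then terminate and place the session in the VRF.
    expected = aaa.users.get(username)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        aaa.accounting.append(("reject", username, "bad credentials"))
        return None
    try:
        ip = str(next(service["pool"]))
    except StopIteration:
        aaa.accounting.append(("reject", username, "address pool exhausted"))
        return None
    aaa.accounting.append(("start", username, ip))
    return Disposition("pta", domain, vrf=service["vrf"], ip_address=ip)


def build_sample_aaa() -> LocalAaa:
    """Constructed data: two PTA services with their own VRF and pool, and one
    corporate domain that is tunnelled to the customer's LNS."""
    return LocalAaa(
        users={"alice@isp1.com": "alice-pw", "carol@isp2.com": "carol-pw"},
        services={
            "isp1.com": {"type": "pta", "vrf": "ISP1",
                         "pool": ipaddress.ip_network("10.1.0.0/29").hosts()},
            "isp2.com": {"type": "pta", "vrf": "ISP2",
                         "pool": ipaddress.ip_network("10.2.0.0/30").hosts()},
            "corp.example": {"type": "l2tp", "lns": "192.0.2.10"},
        })
```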


Figure: AAA. PPP and L2TP sessions are checked against AAA, which may be Local, a RADIUS user database, or TACACS+. Authentication, authorization, and accounting (AAA): who can access the network; what they can access; usage tracking. Authentication methods: Local, RADIUS, TACACS+.


Managed LNS
Description
Managed LNS is a term used to identify an implementation of session
termination. It makes use of virtual routing and forwarding (VRF) at the
LNS or PTA. The LNS/PTA aggregator terminates the L2TP tunnel or PPP
sessions and places the sessions in the appropriate VRF. The sessions are
then forwarded through a separate logical and physical interface to their
respective upstream customer sites.
______________________________ Note __________________________
An earlier Cisco implementation of this function was PTA MultiDomain (PTA-MD).
_____________________________________________________________

Benefits
Some of the benefits of using a managed LNS architecture include the
following:

Subscribers communicate directly with customer AAA without needing
a proxy AAA server.

Multiple VRFs separate customer traffic without the overhead of L2TP
tunneling.

IP addresses are conserved by allowing use of overlapping IP address
space.


Figure: Managed LNS. Clients reach the LNS/PTA over L2TP or PPP across the SP Network; the LNS/PTA places each session into a VRF that leads to Customer A or Customer B, each with its own AAA and DHCP. Deploy a virtual router (LNS/PTA) for each upstream customer to improve service scale; communicate directly with customer AAA without needing a proxy; multiple VRFs separate customer traffic without the overhead of L2TP tunneling.


Remote Access into MPLS


Description
Remote Access into MPLS (RA-MPLS) is very similar to the previous
architecture, managed LNS. Like managed LNS, subscriber logical
connections are placed into a VRF instance at the broadband remote access
server (BRAS).
The distinction with RA-MPLS is that the VRFs are MPLS tag interfaces.
Additionally, the BRAS router that terminates the VPN tunnels functions
as a provider edge (PE) router.
RA-MPLS may start as the managed LNS model using multiple VRFs, as a
migration towards MPLS.
MPLS core networks are typically more flexible and scalable than pure IP
networks, but they are more complex to deploy initially.

Benefits
RA-MPLS offers the same benefits as managed LNS:

Subscribers communicate directly with customer AAA without needing
a proxy AAA server.

Multiple VRFs separate customer traffic without the overhead of L2TP
tunneling.

IP addresses are conserved by allowing use of overlapping IP address
space.

Additional benefits of RA-MPLS include the following:

Supports RBE and RFC 1483 routing besides PPPoX

Can be an alternative to L2TP


Figure: Remote Access into MPLS. Clients attach to the BRAS, which acts as a PE router on the MPLS Network; further PE routers connect the MPLS Network to the NSP and to a Corporation, each of which has its own AAA (with DHCP for the clients). Access models shown: PPPoX to MPLS VPN; RBE to MPLS VPN; L2TP to MPLS VPN; 1483 Routed to MPLS VPN.


SSG and SESM


SAM Overview
Subscriber Access and Management (SAM) allows subscribers to manage
the services they wish to use. SAM consists of the following components:

Service Selection Gateway (SSG)

Subscriber Edge Service Manager (SESM)

AAA server

Lightweight Directory Access Protocol (LDAP) directory

SAM is independent of the type of subscriber access technology; that is, it
works with DSL, dial, leased line, and wireless technologies. Additionally,
users can use this service with their PC, WAP, or PDA access device.

SSG
SSG is a Cisco IOS feature that is available on selected Cisco aggregation
routers. The following are some of the key features and functions of SSG:

Imposes sophisticated access control on a per-subscriber basis to
network resources

Enables subscribers to selectively access different services based on
their Layer 2 or Layer 3 connectivity to the service providers

SESM
SESM is a Cisco software application that runs on Windows 2000/NT or
Solaris and Linux platforms. SESM enables users to manage their service
selection experience by allowing them to perform the following functions:

Personalized service lists

Service connect/d isconnect

Personal firewall provisioning

Service subscription

Self-care account management

Subaccount creation

SESM also has a service developer kit that enables third-party and
application developers to build their own applications or to integrate
directly to their existing operat ions infrastructure.
Figure: SSG and SESM. Access devices (PC over ADSL, leased line, WAP over
dial, PDA via GGSN/PDSN, notebook over 802.11b) reach SESM, backed by a
directory and an AAA server; the services behind SSG include the Internet,
a Content Services Gateway (CSG), a corporate VPN, and an open garden.

SSG and SESM (continued)


Service Provider Benefits
In addition to the user benefits that SAM provides, service providers may
wish to provide the service for the following reasons:

• Access alone will not make money
• Advertise and sell value-added services to their subscribers
• Retain their subscribers with services that lock them in


Summary
Broadband Aggregation Architectures
In this module, you learned the following:

• Various broadband aggregation architectures
• The technologies used by each architecture and how each architecture
  functions
• Benefits of each architecture

Review Questions
Broadband Aggregation Architectures
1. List the segments that make up a broadband subscriber network
environment.
_________________________________________________________
2. A service provider that provides the access connection to the subscriber
and connects the subscriber to the NSP is characteristic of a
_________________________ service.
3. Which of the following is not characteristic of a VC service?
a. NAPs do not need to deal with IP address management.
b. The NAP determines the user's encapsulation method.
c. End-to-end provisioning takes time.
d. It is a wholesale service that a NAP would provide.
e. It does not scale well.
4. Which of the following is a reason that RBE is preferred over strict
RFC 1483 bridging?
a. With RBE, the CPE is in routing mode rather than in bridging
mode.
b. The PC encapsulates Layer 3 data into Ethernet.
c. RBE is more secure and scalable than RFC1483 bridging.
d. RBE is more suitable for business applications.
5. Which of the following statements are true when comparing PPPoA to
PPPoE? Choose three.
a. The CPE functions as a router with PPPoA and as a bridge with
PPPoE.
b. The PPP session is initiated by the CPE with PPPoA and by the PC
with PPPoE.
c. The CPE is able to run NAT for both methods and conserve IP
addresses.
d. PPPoA functions only with ATM access methods and PPPoE
functions only with Ethernet access methods.
e. When there are multiple users behind the CPE, PPPoE is more
flexible than PPPoA for selection of multiple services.
6. What is the preferred method for authenticating PPP sessions?
______________________________
7. When comparing L2TP to PTA, which of the following identify distinct
advantages of L2TP over PTA? Choose two.
a. PPP sessions may be terminated at the NSP rather than the NAP.
b. L2TP supports multiple protocols.
c. L2TP shares access to core components.
d. The access provider only looks at the Layer 2 information.
8. What functionality on a Cisco router do managed LNS and RA-MPLS
make use of? __________________________________________________
9. Which of the following distinguishes RA-MPLS from managed LNS?
a. RA-MPLS supports RBE.
b. RA-MPLS allows use of overlapping IP addresses.
c. RA-MPLS does not require L2TP.
d. RA-MPLS supports PPPoX.
10. What does SSG enable subscribers to do?
________________________________________________________________

Module 2
RBE and RFC 1483 Routing

Overview
Description
In this module, you will learn how Routed Bridge Encapsulation (RBE) and
RFC 1483 routing work, along with their typical architectures and
benefits. You will then perform hands-on exercises to configure, test, and
verify RBE and RFC 1483 routing.

Objectives
After completing this module, you will be able to do the following:

• Describe the typical architecture of RBE
• Identify the protocol stack elements associated with RBE and describe
  how RBE works
• Configure RBE on Cisco routers
• Identify the advantages and disadvantages of RBE
• Describe the typical architecture of RFC 1483 routing
• Identify the protocol stack elements associated with RFC 1483 routing
  and describe how RFC 1483 routing works
• Configure RFC 1483 routing on Cisco routers
• Identify the advantages and disadvantages of RFC 1483 routing

Typical RBE Architecture


Foundation
Routed Bridge Encapsulation (RBE) is based on RFC 1483 bridging
architecture. RBE is designed to overcome some of the limitations of RFC
1483 bridging, including broadcast storms, scalability, and security. It
makes use of the routed bridge function in the aggregation router.

Key Functional Components
The following are key functional components of RBE.

Bridged CPE
With RBE, the CPE functions as a bridge using RFC 1483 bridging. From
the perspective of a PC and customer premises equipment (CPE), there is
no functional difference between pure RFC 1483 bridging and RBE. The
802.3 encapsulated protocol data units (PDUs) are sent to the CPE, which
then encapsulates them into ATM cells and forwards them over a virtual
connection (VC) to the aggregation device.

Aggregator
At the aggregation device we see the key difference between pure RFC
1483 bridging and RBE. With RFC 1483 bridging, the aggregator receives
the Ethernet PDU into a bridge group and determines whether to bridge or
route based upon the contents of the Layer 2 and Layer 3 headers. With
RBE, the aggregator receives the Ethernet PDU into an ATM routed
bridge and makes a forwarding decision based upon the Layer 3
information.
______________________________ Note __________________________
When you configure the aggregator for RBE, part of the Cisco IOS
configuration process is to include the ATM routed bridge for IP traffic
on the ATM subinterfaces.
_____________________________________________________________

Figure: Typical RBE Architecture. Bridged CPEs send 802.3 frames as RFC 1483
bridged PDUs through the DSLAM to the aggregation device, where a routed
bridge terminates them before the core.


RFC 1483 Bridging Protocol Stack


The illustration shows the protocol layers used to transport upper layer
data through the network. Although RFC 1483 is not restricted to 802.3
and IP for transporting Layer 2 and Layer 3 protocol data units (PDUs),
they are used to explain its operation.

802.3
The IP datagram is encapsulated in the 802.3 frame, also known as the
bridge protocol data unit (BPDU), by the PC and the aggregation router.

CPE Encapsulation
The illustration shows the combined protocol stack used by the PC and
the xDSL Termination Unit-remote (xTU-R). The PC takes the upper
layer protocol data, encapsulates it in the 802.3 header, and forwards it to
the xTU-R. The xTU-R provides the ATM-related services and layers to
exchange ATM cells with the aggregation device, including RFC 1483,
ATM adaptation layer 5 (AAL5), ATM, and physical layer functions.

Figure: RFC 1483 Bridging Protocol Stack. Customer premises (PC/xTU-R): IP
over 802.3, RFC 1483, AAL5, ATM, PHY, carried on the PVC as RFC 1483 over
ATM. DSLAM: ATM, PHY. Aggregator: 802.3/IP, 1483, AAL5, ATM, PHY towards the
PVC and IP over ATM, FR, etc., PHY towards the L3 core. NSP/corporate
network router: IP over ATM, FR, etc., PHY.

RFC 1483 Bridging Protocol Stack (continued)

RFC 1483
The RFC 1483 standard describes two encapsulation methods for
multiplexing and transporting data link and network layer protocols over
AAL5 over ATM:

• Multiple protocols multiplexed over a single ATM virtual connection
• Each protocol is carried over a separate ATM virtual connection

For the first method, additional headers are included to identify the PDU.
A common implementation is to include the 3-byte Logical Link Control
(LLC) and 5-byte Subnetwork Access Protocol (SNAP) header to identify
the bridged or routed PDU that follows.
With virtual connection (VC) multiplexing, each unique bridged or routed
protocol is carried over a unique VC.
______________________________ Note __________________________
It is important that you understand the two multiplexing methods. You
must choose one of the two when you configure the VC. The method you
choose must match at both ends of the VC. The VC in this illustration is
the PVC.
_____________________________________________________________

AAL5
ATM Adaptation Layer 5 (AAL5) is a common means of encapsulating
connectionless PDUs. An 8-byte trailer is added to the PDU.

ATM and PHY
The AAL5-encapsulated PDU is segmented into 48-byte payloads that
make up the 53-byte ATM cells. The physical layer then transports the
cells.

How Does RBE Work?


The following steps describe how RBE operates using IP as the Layer 3
protocol.

CPE and Aggregator
Between the CPE and the aggregation router, the following operations
occur:

• The CPE encapsulates the BPDUs using RFC 1483, AAL5, and ATM
  protocols.
• The ATM cells are switched through the ATM network to the
  aggregation router.
• At the aggregation router, the cells are reassembled.
• The reassembled BPDUs are received at the ATM interface, which
  operates as a routed bridge interface when RBE is enabled.

Incoming Frames
For frames originating from the subscriber end, the following events
happen at the aggregation device:

• The aggregation router ignores the bridge header and examines the IP
  datagram header to make a forwarding decision.
• The packet is forwarded based upon the destination IP address.

How Does RBE Work? (continued)


Outgoing Frames
For frames destined for the subscriber end, the following happens at the
aggregation device:

• The router checks the destination IP address in the packet.
• The outbound interface is determined from the IP routing table.
• The Address Resolution Protocol (ARP) table is checked for the
  destination MAC address. If none is found, then an ARP request is sent
  out only on the destination interface, not on all interfaces as with
  bridging.
• If the datagram is multicast traffic, then it is forwarded only on the
  interfaces where Internet Group Management Protocol (IGMP) joins
  were received.
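The incoming and outgoing paths just described, modelled as a small Python simulation. This is an added example, not Cisco IOS code and not part of the course; the interface names, MAC addresses and IP addresses in it are constructed. It shows the property the module relies on for security: because each subscriber PVC is a separate routed interface and ARP state is kept per interface, an ARP reply that arrives on one subscriber's VC claiming another subscriber's address is never used, since the routing table chooses the outbound interface before the ARP table is consulted. Multicast is delivered only on interfaces that sent IGMP joins, and a bridged PDU that is not IP is not routed at all.

```python
"""RBE forwarding path modelled in Python.  Added example, not Cisco IOS code:
interface names, MAC addresses and IP addresses are constructed.  Each
subscriber PVC is its own point-to-point routed subinterface: the Ethernet
header of an incoming bridged PDU is skipped, the packet is routed on its IP
destination, and ARP state is kept per interface, so an ARP reply arriving on
one subscriber's VC never redirects traffic that the routing table sends to
another VC."""
import ipaddress
import struct

ETHERTYPE_IP = 0x0800


def build_frame(src_mac: bytes, dst_mac: bytes, src_ip: str, dst_ip: str) -> bytes:
    """Constructed Ethernet frame carrying a minimal 20-byte IPv4 header (no payload)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                         ipaddress.ip_address(src_ip).packed,
                         ipaddress.ip_address(dst_ip).packed)
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IP) + ip_hdr


class RoutedBridgeAggregator:
    """Aggregation router with 'atm route-bridged ip' on every subscriber subinterface."""

    def __init__(self, subscriber_net: str):
        net = ipaddress.ip_network(subscriber_net)
        # The subscriber subnet is connected to the loopback; without a /32 host
        # route an address in it is unreachable (None).  Everything else: core.
        self.routes = {ipaddress.ip_network("0.0.0.0/0"): "core", net: None}
        self.arp = {}          # (interface, ip) -> MAC; ARP state is per interface
        self.igmp_joins = {}   # multicast group -> interfaces that sent IGMP joins

    def add_host_route(self, host: str, iface: str):
        self.routes[ipaddress.ip_network(f"{host}/32")] = iface

    def igmp_join(self, iface: str, group: str):
        self.igmp_joins.setdefault(ipaddress.ip_address(group), set()).add(iface)

    def lookup(self, dst):
        """Longest-prefix match, as the IP routing table does."""
        best = max((n for n in self.routes if dst in n), key=lambda n: n.prefixlen)
        return self.routes[best]

    def receive_from_subscriber(self, frame: bytes):
        """Incoming frame: the bridge header is ignored; the IP destination decides."""
        if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IP:
            return ("drop", "non-IP PDU not routed")   # only IP is route-bridged here
        dst = ipaddress.ip_address(frame[14 + 16:14 + 20])
        out = self.lookup(dst)
        return ("forward", out) if out else ("drop", "no host route")

    def learn_arp(self, iface: str, ip: str, mac: bytes):
        """An ARP reply is recorded against the interface it arrived on, nothing else."""
        self.arp[(iface, ipaddress.ip_address(ip))] = mac

    def send_to_subscriber(self, packet: bytes):
        """Outgoing packet: route first, then resolve the MAC on that interface only."""
        dst = ipaddress.ip_address(packet[16:20])
        if dst.is_multicast:                           # only where IGMP joins were seen
            return ("multicast", sorted(self.igmp_joins.get(dst, ())))
        out = self.lookup(dst)
        if out is None:
            return ("drop", "no host route")
        if out == "core":
            return ("forward", "core")
        mac = self.arp.get((out, dst))
        if mac is None:
            return ("arp-request", out)                # sent on this interface, not flooded
        return ("forward", out, mac)
```

With host routes for 192.168.1.2 through 192.168.1.4 pointing at ATM0/0/0.132 through ATM0/0/0.134, recording an ARP reply for 192.168.1.3 that arrived on ATM0/0/0.134 leaves packets for 192.168.1.3 still going to ATM0/0/0.133 (with an ARP request on that interface only); a shared bridge group would instead have updated one table that every port consults.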

RBE Configuration

Configuration Methods
The configuration of the Cisco aggregation router is based on the drawing
that follows. There are four general ways that RBE can be configured on
the aggregation router:

• Numbered subinterfaces: unique addresses are assigned to each ATM
  subinterface, and static addresses are assigned on subscriber hosts.
• Numbered subinterfaces with DHCP: unique addresses are assigned to each
  ATM subinterface, and DHCP assigns the addresses of subscriber hosts.
• Unnumbered subinterfaces: an unnumbered loopback address is assigned to
  each ATM subinterface with static routes to each subscriber, and static
  addresses are assigned on subscriber hosts.
• Unnumbered subinterfaces with DHCP: an unnumbered loopback address is
  assigned to each ATM subinterface, and DHCP assigns the addresses of
  subscriber hosts.

Of these methods, the first two are the least preferred because they require
individual subnets on each ATM subinterface and waste IP address space.
The example configurations that follow show the last two methods.

Figure: RBE Configuration. Three bridged-CPE subscribers (IP=192.168.1.2,
IP=192.168.1.3 and IP=192.168.1.4, each with GW=192.168.1.1) connect through
the DSLAM to the aggregation device (IP=192.168.1.1) and on to the core.
Four methods: numbered subinterfaces, numbered subinterfaces with DHCP,
unnumbered subinterfaces, unnumbered subinterfaces with DHCP.

RBE Configuration (continued)

RBE Configuration: Unnumbered Interfaces with Static Addressing
Complete the following steps on the Cisco aggregation router to support
RBE using unnumbered interfaces. DHCP is not used with this method;
instead, host addresses must be assigned to each subscriber host.
1. Create a loopback interface with an IP address from the range of
addresses assigned to the subscribers.
2. For each subscriber, create a point-to-point ATM subinterface.
3. On the subinterface, assign an IP unnumbered association to the
loopback interface.
4. On the subinterface, add an ATM route-bridged for IP.
5. On the subinterface, add a PVC.
6. On the PVC, indicate the AAL5 encapsulation type: SNAP or VC mux.
7. Create static routes to the subscriber IP addresses.

RBE Configuration: Unnumbered Interfaces with Static Addressing (example configuration)

! Step 1: loopback holding the subscriber subnet (192.168.1.0/24)
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
 no ip directed-broadcast
!
! Steps 2 to 6, repeated for each subscriber: point-to-point subinterface,
! IP unnumbered to the loopback, ATM routed bridge for IP, the PVC and its
! AAL5 encapsulation (aal5snap here; "encapsulation aal5mux ip" for VC mux)
interface ATM0/0/0.132 point-to-point
 ip unnumbered Loopback0
 no ip directed-broadcast
 atm route-bridged ip
 pvc 1/32
  encapsulation aal5snap
!
interface ATM0/0/0.133 point-to-point
 ip unnumbered Loopback0
 no ip directed-broadcast
 atm route-bridged ip
 pvc 1/33
  encapsulation aal5snap
!
interface ATM0/0/0.134 point-to-point
 ip unnumbered Loopback0
 no ip directed-broadcast
 atm route-bridged ip
 pvc 1/34
  encapsulation aal5snap
!
! Step 7: one host route per subscriber pointing at its subinterface. The
! addresses are those of the hosts in the drawing and must lie inside the
! loopback subnet; otherwise return traffic follows the connected route to
! Loopback0 and is dropped.
ip route 192.168.1.2 255.255.255.255 ATM0/0/0.132
ip route 192.168.1.3 255.255.255.255 ATM0/0/0.133
ip route 192.168.1.4 255.255.255.255 ATM0/0/0.134

RBE Configuration (continued)


RBE Configuration: Unnumbered Interfaces with DHCP
Complete the following general steps on the Cisco aggregation router to
support RBE using unnumbered interfaces with DHCP support. Subscriber
hosts are assigned addresses from the DHCP pool in Cisco IOS or from an
external DHCP server. Configuration steps for using either Cisco IOS
DHCP or an external DHCP server are shown in the example.
______________________________ Note __________________________
This method avoids the need to create static routes for subscriber hosts.
_____________________________________________________________
1. Create a loopback interface with an IP address in the range of
addresses assigned to the subscribers.
______________________________ Note __________________________
Perform steps 2 and 3 when the Cisco IOS DHCP server is used.
_____________________________________________________________
2. Identify the IP address of the loopback interface within the DHCP pool
that should be excluded from assignment to clients.
3. Create a DHCP pool including the network range of addresses and the
default router IP address.
4. Create a point-to-point ATM subinterface.
5. On the subinterface, assign an IP unnumbered association to the
loopback interface.
6. On the subinterface, add an ATM route-bridged for IP.
7. On the subinterface, add a PVC.
8. On the PVC, indicate the AAL5 encapsulation type: SNAP or VC mux.
______________________________ Note __________________________
Perform step 9 when an external DHCP server is used.
_____________________________________________________________
9. On the subinterface, use the ip helper-address command to point to
an external DHCP server.
It is possible to use multiple loopback interfaces. The IP address associated
with the loopback interface identifies the subnet addresses used for DHCP
address assignment.

RBE Configuration: Unnumbered Interfaces with DHCP (example configuration)

! Steps 2 and 3: Cisco IOS DHCP server. Exclude the loopback (gateway)
! address from the pool, then define the pool with the subscriber subnet
! and its default router.
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool RBE
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
!
! Step 1: loopback holding the subscriber subnet
interface Loopback1
 ip address 192.168.1.1 255.255.255.0
!
! Steps 4 to 8 on each subscriber subinterface. Step 9, ip helper-address,
! relays DHCP to an external server and is used instead of the IOS DHCP
! pool above (the two are mutually exclusive); the example shows both so
! that either method can be read off.
interface ATM2/0/0.132 point-to-point
 ip unnumbered Loopback1
 ip helper-address 52.20.10.100
 atm route-bridged ip
 pvc 1/32
  encapsulation aal5snap
!
interface ATM2/0/0.133 point-to-point
 ip unnumbered Loopback1
 ip helper-address 52.20.10.100
 atm route-bridged ip
 pvc 1/33
  encapsulation aal5snap
!
interface ATM2/0/0.134 point-to-point
 ip unnumbered Loopback1
 ip helper-address 52.20.10.100
 atm route-bridged ip
 pvc 1/34
  encapsulation aal5snap

RBE Advantages and Disadvantages


Advantages
RBE was developed to address some of the issues faced by the RFC 1483
bridging architecture. RBE retains the major advantages of the RFC 1483
bridging architecture, while eliminating most of its drawbacks.

• It requires minimal configuration at the CPE, which is important for
  service providers.
• It is easy to migrate from a pure bridging architecture to RBE, as there
  is no change at the subscriber end.
• RBE overcomes security problems with pure bridging by avoiding IP
  hijacking and ARP spoofing.
• RBE prevents broadcast storms by using point-to-point connections.
• Compared to pure bridging, RBE provides superior performance
  because of the routing implementation at the aggregation device. RBE is
  more scalable because it does not have bridge group limitations.

Figure: RBE Advantages and Disadvantages (slide). Advantages: minimal
configuration of the CPE. Compared to RFC 1483 with IRB, RBE separates the
shared bridging domain into individual routed interfaces, which gives
control of broadcast domains (no broadcast attacks) and increased security
(no spoofing of IP addresses via ARP). RBE is CEF switched and provides
better scalability and performance than IRB (Cisco IOS 12.1(5)T onward).

RBE Advantages and Disadvantages (continued)


Disadvantages
Depending on how RBE is implemented, the following may be
disadvantages:

• Using numbered interfaces can result in waste and exhaustion of IP
  addresses. RBE should be implemented with unnumbered interfaces.
• Using IP unnumbered interfaces without DHCP requires static routes,
  which results in large configurations.
• Large configurations result in delayed boot-up time. Large
  configurations are a result of requiring point-to-point interfaces for
  RBE. An alternative is to use the PVC autoprovisioning feature; this
  feature is discussed in the optimization module.
• It may be difficult to manage CPEs because CPEs may not have a
  management IP address.
• No control over the subscriber experience, such as the ability to control
  service selection.

Typical RFC 1483 Routing Architecture

Foundation
RFC 1483 routing is based on RFC 1483. With RFC 1483 routing, PDUs
are routed over the end-to-end VC between two routers.

Key Functional Components
The following are key functional components of RFC 1483 routing.

Routed CPE
With RFC 1483 routing, the CPE functions as a router using RFC 1483
routing. The CPE receives PDUs from the subscriber hosts and makes a
forwarding decision based upon the upper layer protocol information, such
as the IP header. The CPE encapsulates PDUs into ATM cells and forwards
them over a VC to the aggregation device.

Aggregator
The aggregation device functions in a similar manner as the CPE. The
ATM interface functions as a routed interface and makes forwarding
decisions based upon the upper layer protocol header. It uses RFC 1483
encapsulation to transport PDUs over a VC to the CPE.

Figure: Typical RFC 1483 Routing Architecture. Routed CPEs send RFC 1483
routed PDUs through the DSLAM to the aggregation device, which routes them
on to the core.

RFC 1483 Routing Protocol Stack

The drawing on the following page shows the protocol layers used to
transport upper layer data through the network. Although RFC 1483 is not
restricted to IP for transporting Layer 3 PDUs, IP is used in this example.

IP
The IP datagram is encapsulated into a PDU by the PC and the
aggregation router. The PDUs are then encapsulated into Layer 2 frames,
typically Ethernet, when sent between the PC and CPE. Notice that the
Ethernet header is removed before the PDU is encapsulated by the RFC
1483 process.

RFC 1483
The RFC 1483 standard describes two encapsulation methods for
multiplexing and transporting data link and network layer protocols over
AAL5 over ATM:

• Multiple protocols multiplexed over a single ATM virtual connection
• Each protocol is carried over a separate ATM virtual connection

For the first method, additional headers are included to identify the PDU.
A common implementation is to include the LLC and SNAP header to
identify the bridged or routed PDU that follows.
With VC multiplexing, each unique bridged or routed protocol is carried
over a unique VC.
______________________________ Note __________________________
It is important that you understand the two multiplexing methods. You
must choose one of the two when you configure the VC. The method you
choose must match at both ends of the VC. The VC in this illustration is
the PVC.
_____________________________________________________________

AAL5
ATM Adaptation Layer 5 (AAL5) is a common means of encapsulating
connectionless PDUs. An 8-byte trailer is added to the PDU.

ATM and PHY
The AAL5-encapsulated PDU is segmented into 48-byte payloads that
make up the 53-byte ATM cells. The physical layer then transports the
cells.
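The LLC/SNAP and AAL5 layers described here, and in the RFC 1483 bridging protocol stack section earlier in this module, worked through in Python. This is an added example and not code from the course. It builds an RFC 1483 bridged PDU (LLC header, 802.1 OUI, PID 0x00-07 for an 802.3 frame without FCS, two-byte PAD, then the frame) as carried on an RBE PVC, and a routed PDU (LLC header, zero OUI, EtherType, then the IP datagram with its Ethernet header already removed) as carried on an RFC 1483 routing PVC. Each PDU is padded, given the 8-byte AAL5 trailer, cut into 48-byte cell payloads, and reassembled with the trailer's CRC and length checked. The CRC-32 routine is this example's own bit-serial implementation (polynomial 0x04C11DB7, preset to all ones, result complemented); the sample frame and datagram are constructed.

```python
"""RFC 1483 LLC/SNAP encapsulation over AAL5 for a bridged PDU (RBE PVC) and a
routed PDU (RFC 1483 routing PVC).  Added example, not code from the course.
The CRC-32 is this example's own bit-serial implementation (polynomial
0x04C11DB7, preset to all ones, complemented); sample data is constructed."""
import struct

LLC_SNAP = b"\xaa\xaa\x03"         # LLC: DSAP 0xAA, SSAP 0xAA, control 0x03 (UI)
OUI_8021 = b"\x00\x80\xc2"         # 802.1 OUI: a bridged PDU follows
PID_8023_NOFCS = b"\x00\x07"       # PID: 802.3 frame without the LAN FCS
OUI_ETHERTYPE = b"\x00\x00\x00"    # zero OUI: a routed PDU identified by EtherType
ETHERTYPE_IP = b"\x08\x00"
CELL_PAYLOAD = 48                  # payload of one 53-byte ATM cell

# Constructed samples: a 60-byte Ethernet frame and a 20-byte IPv4 header.
SAMPLE_FRAME = bytes.fromhex("020000000002" "020000000001" "0800") + bytes(46)
SAMPLE_DATAGRAM = bytes.fromhex("450000140000000040110000c0a801020a000001")


def encap_bridged(frame: bytes) -> bytes:
    """Bridged PDU: LLC + 802.1 OUI + PID + 2-byte PAD, then the 802.3 frame."""
    return LLC_SNAP + OUI_8021 + PID_8023_NOFCS + b"\x00\x00" + frame


def encap_routed(datagram: bytes) -> bytes:
    """Routed PDU: LLC + zero OUI + EtherType, then the IP datagram (no MAC header)."""
    return LLC_SNAP + OUI_ETHERTYPE + ETHERTYPE_IP + datagram


def crc32_aal5(data: bytes) -> int:
    """Non-reflected CRC-32, MSB first, preset 0xFFFFFFFF, complemented result."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte << 24
        for _ in range(8):
            crc = ((crc << 1) ^ 0x04C11DB7) if crc & 0x80000000 else (crc << 1)
            crc &= 0xFFFFFFFF
    return crc ^ 0xFFFFFFFF


def aal5_segment(pdu: bytes) -> list:
    """Pad, append the 8-byte AAL5 trailer (UU, CPI, length, CRC-32), cut into cells."""
    pad = (-(len(pdu) + 8)) % CELL_PAYLOAD          # total must be a multiple of 48
    body = pdu + b"\x00" * pad + struct.pack("!BBH", 0, 0, len(pdu))
    body += struct.pack("!I", crc32_aal5(body))
    return [body[i:i + CELL_PAYLOAD] for i in range(0, len(body), CELL_PAYLOAD)]


def aal5_reassemble(cells: list) -> bytes:
    """Reverse of aal5_segment: verify CRC and length, then strip trailer and pad."""
    body = b"".join(cells)
    if len(body) < 8 or len(body) % CELL_PAYLOAD:
        raise ValueError("truncated AAL5 frame")
    if crc32_aal5(body[:-4]) != struct.unpack("!I", body[-4:])[0]:
        raise ValueError("AAL5 CRC mismatch")
    length = struct.unpack("!H", body[-6:-4])[0]
    if length > len(body) - 8:
        raise ValueError("AAL5 length field exceeds frame")
    return body[:length]


def decap(pdu: bytes):
    """Return ('bridged', frame) or ('routed', ethertype, datagram) from an LLC/SNAP PDU."""
    if pdu[:3] != LLC_SNAP:
        raise ValueError("not LLC/SNAP (a VC-multiplexed PVC carries no header)")
    oui, tail = pdu[3:6], pdu[6:]
    if oui == OUI_8021:
        if tail[:2] != PID_8023_NOFCS:
            raise ValueError("unsupported bridged PID")
        return ("bridged", tail[4:])                # skip PID and the 2-byte PAD
    if oui == OUI_ETHERTYPE:
        return ("routed", tail[:2], tail[2:])
    raise ValueError("unknown OUI")


def crc_detects_corruption(cells: list) -> bool:
    """Flip one byte of the first cell and confirm reassembly rejects the frame."""
    damaged = [bytes([cells[0][0] ^ 0xFF]) + cells[0][1:]] + cells[1:]
    try:
        aal5_reassemble(damaged)
    except ValueError:
        return True
    return False
```

The 60-byte sample frame becomes a 70-byte bridged PDU, which with its trailer needs 96 bytes and therefore two cells; the 20-byte datagram becomes a 28-byte routed PDU that fits, with trailer, in a single cell. Both ends of the PVC must agree on LLC/SNAP versus VC multiplexing, which is the point of the note above: with VC multiplexing the 8- or 10-byte header is absent and decap() would reject the PDU.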
Figure: RFC 1483 Routing Protocol Stack. Customer premises (PC/xTU-R): IP,
RFC 1483, AAL5, ATM, PHY, carried on the PVC as RFC 1483 over ATM (no 802.3
header). DSLAM: ATM, PHY. Aggregator: IP, 1483, AAL5, ATM, PHY towards the
PVC and IP over ATM, FR, etc., PHY towards the L3 core. NSP/corporate
network router: IP over ATM, FR, etc., PHY.

How Does RFC 1483 Routing Work?

The following steps describe how RFC 1483 routing operates using IP as
the Layer 3 protocol.

• The CPE and aggregation router encapsulate the IP datagrams using
  RFC 1483, AAL5, and ATM protocols.
• The ATM cells are switched through the ATM network.
• At the receiving device, the cells are reassembled.
• The reassembled datagrams are received at the ATM interface and are
  forwarded based upon information in the routing table.

Other features that are possible using RFC 1483 routing include the
following:

• Routing updates using a routing protocol may be exchanged between
  the CPE and the aggregation router.
• The CPE may use Network Address Translation (NAT) or Port Address
  Translation (PAT) between the subscriber network and the aggregation
  device.

RFC 1483 Routing Configuration

Configuration Methods
The configuration of the Cisco aggregation router is based on the drawing
that follows. There are two general ways that RFC 1483 routing can be
configured on the aggregation router:

• Numbered subinterfaces: unique addresses are assigned to each
  subinterface, and a static address is assigned to the CPE's ATM
  interface.
• Unnumbered subinterfaces: an unnumbered loopback address is
  assigned to each subinterface with a static route to each CPE, and a
  static address is assigned to the CPE's ATM interface.

Of these methods, the first is less preferred as it requires individual
subnets on each subinterface and wastes IP address space. The example
configuration that follows shows the second method.

Additional Considerations

• The ATM subinterface may need to be included for routing protocol
  updates.
• If routing updates are not exchanged between the aggregation router
  and CPE, then static routes may be necessary on the aggregator to
  networks on the far side of the CPE.
• The CPE may provide DHCP to subscriber devices beyond the CPE.
  Additionally, the CPE may use NAT for private addresses in the
  subscriber network.

Figure: RFC 1483 Routing Configuration. Two routed CPEs (LAN IP=192.168.1.1,
with hosts IP=192.168.1.2 and IP=192.168.1.3, GW=192.168.1.1) connect
through the DSLAM to the aggregation device and on to the core. Two methods:
numbered subinterfaces, unnumbered subinterfaces.

RFC 1483 Routing Configuration (continued)


RFC 1483 Routing Configuration: Unnumbered Interfaces
Complete the following general steps on the Cisco aggregation router to
support RFC 1483 routing using unnumbered interfaces.
1. Create a loopback interface with an IP address in the range of
addresses assigned to the subscribers.
2. Create a point-to-point ATM subinterface.
3. On the subinterface, assign an IP unnumbered association to the
loopback interface.
4. On the subinterface, add a PVC.
5. On the PVC, indicate the AAL5 encapsulation type: SNAP or VC mux.
6. Configure static routes to the CPEs.
______________________________ Note __________________________
It is possible to use a routing protocol between the aggregation device
and the CPE. In this situation static routes are not required.
_____________________________________________________________

RFC 1483 Routing Configuration: Unnumbered Interfaces (example configuration)

! Step 1: loopback holding the subnet shared with the CPE ATM interfaces
interface Loopback1
 ip address 192.168.2.1 255.255.255.0
!
! Steps 2 to 5, repeated for each CPE: point-to-point subinterface, IP
! unnumbered to the loopback, the PVC and its AAL5 encapsulation. There is
! no "atm route-bridged ip" here: the PVC carries routed PDUs.
interface ATM2/0/0.132 point-to-point
 ip unnumbered Loopback1
 pvc 1/32
  encapsulation aal5snap
!
interface ATM2/0/0.133 point-to-point
 ip unnumbered Loopback1
 pvc 1/33
  encapsulation aal5snap
!
interface ATM2/0/0.134 point-to-point
 ip unnumbered Loopback1
 pvc 1/34
  encapsulation aal5snap
!
! Step 6: one host route per CPE ATM address, inside the loopback subnet,
! each pointing at the subinterface configured above
ip route 192.168.2.2 255.255.255.255 ATM2/0/0.132
ip route 192.168.2.3 255.255.255.255 ATM2/0/0.133
ip route 192.168.2.4 255.255.255.255 ATM2/0/0.134
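A configuration check that covers both the unnumbered RBE recipes earlier in this module and the RFC 1483 routing recipe above, written in Python. It is an added example, not a Cisco tool, and its parser understands only the commands those recipes use. For every ATM subinterface it verifies point-to-point mode, "ip unnumbered" to a known loopback, the presence (RBE) or absence (routing) of "atm route-bridged ip", a PVC with AAL5 encapsulation, and that the subscriber or CPE is reachable: by DHCP (an IOS pool or a helper address) or by a static host route that actually lies inside the loopback's subnet, which is the condition a route outside that subnet silently violates. The two sample configurations are constructed for the example; the RBE one deliberately omits "atm route-bridged ip" on one subinterface and carries a host route outside the loopback subnet so that the findings are visible.

```python
"""Configuration lint for the unnumbered RBE and RFC 1483 routing recipes.
Added example (not a Cisco tool): the parser handles only the commands those
recipes use, and the sample configurations below are constructed."""
import ipaddress
import re

# Constructed RBE sample: ATM0/0/0.133 lacks "atm route-bridged ip" and its
# host route lies outside the loopback subnet.
RBE_SAMPLE = """\
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
interface ATM0/0/0.132 point-to-point
 ip unnumbered Loopback0
 atm route-bridged ip
 pvc 1/32
  encapsulation aal5snap
!
interface ATM0/0/0.133 point-to-point
 ip unnumbered Loopback0
 pvc 1/33
  encapsulation aal5snap
!
ip route 192.168.1.2 255.255.255.255 ATM0/0/0.132
ip route 172.168.1.3 255.255.255.255 ATM0/0/0.133
"""

# Constructed RFC 1483 routing sample: one clean unnumbered PVC to a CPE.
ROUTING_SAMPLE = """\
interface Loopback1
 ip address 192.168.2.1 255.255.255.0
!
interface ATM2/0/0.132 point-to-point
 ip unnumbered Loopback1
 pvc 1/32
  encapsulation aal5snap
!
ip route 192.168.2.2 255.255.255.255 ATM2/0/0.132
"""


def parse_ios(text):
    """Split an IOS config into global commands and per-interface command lists."""
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith("interface "):
            current = interfaces.setdefault(
                raw.split()[1], {"ptp": raw.endswith("point-to-point"), "cmds": []})
        elif raw[0].isspace() and current is not None:
            current["cmds"].append(raw.strip())    # indented: belongs to the interface
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, interfaces


def lint(text, mode):
    """mode is 'rbe' or 'routing'; returns {ATM subinterface: [findings]}, [] = clean."""
    global_cmds, interfaces = parse_ios(text)
    loopbacks = {}
    for name, data in interfaces.items():
        for cmd in data["cmds"]:
            m = re.match(r"ip address (\S+) (\S+)$", cmd)
            if m and name.startswith("Loopback"):
                loopbacks[name] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
    routes = []
    for cmd in global_cmds:
        m = re.match(r"ip route (\S+) (\S+) (\S+)$", cmd)
        if m:
            routes.append((ipaddress.ip_network(f"{m[1]}/{m[2]}"), m[3]))
    ios_dhcp = any(c.startswith("ip dhcp pool") for c in global_cmds)

    report = {}
    for name, data in interfaces.items():
        if not name.startswith("ATM"):
            continue
        cmds, findings = data["cmds"], []
        if not data["ptp"]:
            findings.append("subinterface is not point-to-point")
        unnum = [c.split()[2] for c in cmds if c.startswith("ip unnumbered ")]
        loop_net = loopbacks.get(unnum[0]) if unnum else None
        if loop_net is None:
            findings.append("ip unnumbered missing or names an unknown loopback")
        rbe = "atm route-bridged ip" in cmds
        if mode == "rbe" and not rbe:
            findings.append("missing 'atm route-bridged ip': bridged PDUs would not be routed")
        if mode == "routing" and rbe:
            findings.append("'atm route-bridged ip' present on a routed PVC")
        if not any(c.startswith("pvc ") for c in cmds):
            findings.append("no PVC configured")
        if not any(c.startswith("encapsulation aal5") for c in cmds):
            findings.append("no AAL5 encapsulation (aal5snap or aal5mux)")
        helper = any(c.startswith("ip helper-address ") for c in cmds)
        routes_here = [net for net, out in routes if out == name]
        if mode == "rbe" and not (helper or ios_dhcp or routes_here):
            findings.append("no DHCP (pool or helper) and no static host route")
        if mode == "routing" and not routes_here:
            findings.append("no static route to the CPE (needed unless a routing protocol runs)")
        for net in routes_here:
            if loop_net is not None and not net.subnet_of(loop_net):
                findings.append(f"static route {net} lies outside loopback subnet {loop_net}")
        report[name] = findings
    return report
```

Running lint(RBE_SAMPLE, "rbe") reports nothing for ATM0/0/0.132 and two findings for ATM0/0/0.133; running the same RBE configuration in "routing" mode flags the routed-bridge command instead, which is the quick way to tell which of the two recipes a PVC was built for.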

RFC 1483 Routing Advantages and Disadvantages


Advantages

• RFC 1483 routing is well suited for enterprise or business customers
  who are replacing leased lines with xDSL.
• The CPE becomes manageable because it has an IP address associated
  with it.
• Multiple PVCs may be utilized between the CPE and aggregator to
  separate different traffic types, such as voice and data.
• The CPE can implement NAT or PAT to accommodate private networks
  on the subscriber side.

Disadvantages

• There is no easy method to do accounting for subscriber traffic if the
  service provider wishes to bill based upon service usage.
• This method does not allow for authentication of subscribers, and it
  limits the ability to offer different services to different subscribers.
• The CPE functions as a router, therefore adding another level of
  complexity.
• Configurations utilizing RFC 1483 routing tend to be relatively large.

Summary
RBE and RFC 1483 Routing
In this module, you learned the following:

• RBE is based on the RFC 1483 bridging architecture but overcomes
  many of the limitations of RFC 1483 bridging
• With RBE, the CPE functions in bridging mode, and the subscriber
  connections terminate into a routed bridge function on the aggregation
  device
• RBE and RFC 1483 routing may be configured using either numbered
  or unnumbered interfaces, but unnumbered interfaces are preferred
  because they preserve IP addresses
• DHCP should be used with unnumbered interfaces to avoid configuring
  numerous static routes on the aggregator and IP addresses on
  subscriber hosts
• RFC 1483 routing uses encapsulation methods similar to those used for
  RFC 1483 bridging; however, the CPE and aggregator function as
  routers
• RFC 1483 routing is well suited for business customers replacing leased
  lines

Review Questions
RBE and RFC 1483 Routing
1. How does the CPE function differently between RFC 1483 bridging and
RBE?
a. The CPE functions as a bridge with RFC 1483 bridging and as a
router with RBE.
b. The CPE performs LLC/SNAP or VC multiplexing with RFC 1483
bridging but not with RBE.
c. The CPE routes IP data and bridges all other data.
d. There is no difference.
2. What is the functional difference at the aggregation device between
RFC 1483 bridging and RBE?
a. The aggregator functions as a bridge with RFC 1483 bridging and
as a router with RBE.
b. The aggregator performs LLC/SNAP or VC multiplexing with RFC
1483 bridging but not with RBE.
c. For incoming subscriber data, RBE makes forwarding decisions based on the frame header, and RFC 1483 routing forwards packets based on the Layer 3 header.
d. There is no difference.
3. List two RFC 1483 encapsulation methods for multiplexing and transporting data link and network layer protocols over ATM AAL5.
a. __________________________
b. __________________________
4. Which of the following ATM interfaces can be used with RBE?
a. Numbered point-to-point subinterfaces
b. Numbered multipoint subinterfaces
c. Unnumbered point-to-point subinterfaces
d. Unnumbered multipoint subinterfaces
5. What must be added to the aggregation router configuration when
using unnumbered interfaces with statically assigned subscriber host
addresses?
_________________________________________________________________

6. Which of the following configuration methods is preferred for RBE?
a. Numbered interfaces
b. Numbered interfaces with DHCP
c. Unnumbered interfaces
d. Unnumbered interfaces with DHCP
7. List four parameters that must be configured under the ATM
subinterface to support unnumbered RBE interfaces.
a. _________________________________
b. _________________________________
c. _________________________________
d. _________________________________
8. List four advantages of RBE over RFC 1483 bridging.
a. _________________________________________________________
b. _________________________________________________________
c. _________________________________________________________
d. _________________________________________________________
9. List four disadvantages of RBE.
a. _________________________________________________________
b. _________________________________________________________
c. _________________________________________________________
d. _________________________________________________________
10. Which of the following is common to both RFC 1483 routing and RBE?
a. RFC 1483 routing supports NAT.
b. The CPE functions as a router with RFC 1483 routing.
c. RFC 1483 routing uses a LLC and SNAP header.
d. Routing updates may be exchanged between the aggregator and
CPE.


11. Which of the following configuration methods is preferred for RFC 1483
routing?
a. Numbered interfaces
b. Numbered interfaces with DHCP
c. Unnumbered interfaces
d. Unnumbered interfaces with DHCP
12. List three parameters that must be configured under the ATM
subinterface to support unnumbered RFC 1483 routing interfaces.
a. _________________________________
b. _________________________________
c. _________________________________
13. List four advantages of RFC 1483 routing.
a. _________________________________________________________
b. _________________________________________________________
c. _________________________________________________________
d. _________________________________________________________
14. List four disadvantages of RFC 1483 routing.
a. _________________________________________________________
b. _________________________________________________________
c. _________________________________________________________
d. _________________________________________________________


Module 3
PPPoA

Overview
Description
In this module, you will learn about Point-to-Point Protocol over ATM (PPPoA). You will learn how it works, examine a typical architecture, and understand its benefits. You will perform hands-on exercises to configure, verify the operation of, and test PPPoA.

Objectives
After completing this module, you will be able to do the following:

- Describe the typical architecture and benefits of PPPoA
- Identify the protocol stack elements associated with PPPoA and describe how PPPoA works
- List the methods used for allocating IP addresses
- Configure PPPoA on Cisco routers
- Identify the advantages and disadvantages of PPPoA


Typical PPPoA Architecture


PPP over ATM (PPPoA) uses ATM adaptation layer 5 (AAL5) as the framing protocol, which supports both permanent virtual connections (PVCs) and switched virtual connections (SVCs). PPPoA is primarily deployed as part of digital subscriber line (DSL) service using PVCs. The customer premises equipment (CPE) device encapsulates the PPP session in AAL5, using the multiprotocol encapsulation rules of RFC 1483 (now RFC 2684), for transport across the DSL loop and the digital subscriber line access multiplexer (DSLAM) to the aggregation router.
______________________________ Note __________________________
PPPoA is defined in RFC 2364 as PPP over AAL5; it is commonly referred to as PPP over ATM. RFC 2684, which obsoletes RFC 1483, defines the underlying multiprotocol encapsulation that RFC 2364 reuses.
_____________________________________________________________

Session Initiation
With PPPoA, the CPE initiates a PPP session on behalf of the users connected to the CPE. When the CPE is first powered on, it begins sending link control protocol (LCP) configuration requests to the aggregation router. The aggregation router, with the PVCs configured, also sends out LCP configuration requests on the virtual access interface associated with the PVC (unless the PVC is in PPP passive mode, in which case it waits for the CPE). When both the CPE and the aggregation router see each other's configuration request, they acknowledge the requests, and the LCP state is Opened.

User Authentication
For the authentication stage, the CPE sends an authentication request to the aggregation router. Depending on its configuration, the router authenticates the user either on the domain name (if one is supplied) or on the username, using its local database or RADIUS servers. Authentication, authorization and accounting (AAA) in this scenario is best handled by an industry-standard RADIUS server, which can authenticate a user on the username or on the virtual path identifier/virtual channel identifier (VPI/VCI) the session arrives on. Note that VPI/VCI-based authentication identifies the circuit, not the person using it, so it proves only that the session came in on a provisioned PVC.

Figure: Typical PPPoA Architecture. Each CPE runs a PPP session across the DSLAM to the aggregation device; the aggregator consults AAA and then either routes the traffic (IP route) toward ISP1.com or tunnels it across the core toward ISP2.com.
- PPP session initiated from CPE
- Authentication handled by aggregator or RADIUS server
- Aggregator routes or tunnels to services

Typical PPPoA Architecture (continued)


How the Service Destination Is Reached
In PPPoA architectures, the service destination can be reached in various ways. These are some of the most commonly deployed methods:

- Terminating PPP sessions at the network access server (NAS) and routing the user traffic to the network service provider (NSP)
- Layer 2 Tunneling Protocol (L2TP) tunneling of the PPP sessions to the final service destination
- Using the Service Selection Gateway (SSG) and Subscriber Edge Services Manager (SESM) to select the service destination

With tunneling, the user can access only one destination at a time. With SSG, the user can access many services.

PPPoA with PTA Protocol Stack


The accompanying illustration shows termination of the PPPoA session at
the NAS and identifies the protocols used to transport the PPP session and
user data.

CPE Encapsulation
The illustration shows the combined protocol stack used by the PC and the xDSL transceiver unit, remote end (xTU-R). The PC takes the upper-layer protocol data, encapsulates it in an 802.3 header, and forwards it to the xTU-R. The xTU-R provides the PPP services and encapsulation and establishes the PPP session with the aggregation device. The xTU-R also provides the ATM-related services and layers needed to exchange ATM cells with the aggregation device: RFC 1483, AAL5, ATM, and physical layer functions.

PPP
The PPP layer performs user AAA. User identification with PPP termination and aggregation (PTA) is based on the username, which is configured on the CPE. The CPE encapsulates the IP data in PPP before it is handed off to the ATM adaptation process. The aggregator terminates the PPP session and performs AAA functions either locally or by using a RADIUS server.

Figure: PPPoA with PTA Protocol Stack. Customer premises (PC/xTU-R): IP over PPP over RFC 1483 over AAL5 over ATM over PHY, carried on the PVC. DSLAM: ATM and PHY only. Aggregator (PTA): terminates PPP, RFC 1483, AAL5, ATM and PHY on the subscriber side and forwards IP over ATM, Frame Relay, etc. into the L3 core. ISP/corporate router: IP over ATM, Frame Relay, etc.

PPPoA with PTA Protocol Stack (continued)


RFC 1483
The RFC 1483 standard describes two encapsulation methods for multiplexing and transporting data link and network layer protocols over AAL5 over ATM:

- Multiple protocols multiplexed over a single ATM virtual connection
- Each protocol carried over a separate ATM virtual connection

For the first method, additional headers are included to identify the protocol data unit (PDU). A common implementation is to include the 3-byte logical link control (LLC) header and 5-byte Subnetwork Access Protocol (SNAP) header to identify the bridged or routed PDU that follows. For PPP, RFC 2364 uses the LLC header (0xFE-FE-03) followed by a 1-byte NLPID of 0xCF rather than a SNAP header.
With virtual connection (VC) multiplexing, each unique bridged or routed protocol is carried over a unique VC, so no identifying header is needed; for PPP (RFC 2364), the AAL5 payload begins directly with the PPP protocol field.
______________________________ Note __________________________
It is important that you understand the two multiplexing methods. You must choose one of the two when you configure the VC, and the method you choose must match at both ends of the VC. In this illustration, the VC is the PVC.
_____________________________________________________________

AAL5
ATM Adaptation Layer 5 (AAL5) is a common means of encapsulating connectionless PDUs. The PDU is padded and an 8-byte trailer is added, consisting of a user-to-user (UU) byte, a common part indicator (CPI) byte, a 2-byte length field, and a 4-byte CRC-32. The CRC detects transmission errors only; nothing in AAL5 authenticates the sender, which is why authentication is left to the PPP layer above it.

ATM and PHY
The AAL5-encapsulated PDU is segmented into 48-byte payloads that, with a 5-byte header, make up the 53-byte ATM cells. The physical layer then transports the cells.
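The RFC 1483/2364, AAL5 and ATM layers just described, as an added example that is not code from the Cisco guide: it builds the AAL5 CPCS-PDU for one PPP frame in either VC-multiplexed or LLC form, cuts it into cells on a PVC, and on the receiving side reassembles it and applies the checks (AAU bit, cell alignment, length field, CRC) before anything reaches PPP. The PVC 1/32 and the sample LCP frame are constructed; the CRC is CRC-32/AAL5 from I.363.5 (the non-reflected variant catalogued as CRC-32/BZIP2).

```python
"""Added example, not code from the Cisco guide: the AAL5 framing the CPE and
aggregator apply to each PPP frame on a PVC, with the receiver-side checks.

Assumptions, labelled here and in the comments: the PVC (VPI/VCI 1/32) and the
sample LCP frame are constructed; the trailer CRC is CRC-32/AAL5 (I.363.5),
the non-reflected form catalogued as CRC-32/BZIP2.
"""
import struct

CELL_PAYLOAD = 48              # bytes of payload per ATM cell
PPP_LCP = 0xC021               # PPP protocol number of the Link Control Protocol
LLC_PPP = b"\xfe\xfe\x03\xcf"  # RFC 2364 LLC header plus NLPID 0xCF for PPP


def crc32_aal5(data: bytes) -> int:
    """CRC-32 over the CPCS-PDU, MSB first, init and final XOR all ones (I.363.5)."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte << 24
        for _ in range(8):
            crc = ((crc << 1) ^ 0x04C11DB7) if crc & 0x80000000 else (crc << 1)
            crc &= 0xFFFFFFFF
    return crc ^ 0xFFFFFFFF


def encapsulate_ppp(protocol: int, info: bytes, llc: bool = False) -> bytes:
    """VC-multiplexed PPP (encapsulation aal5mux ppp) starts with the PPP protocol
    field; LLC-encapsulated PPP prefixes the 4-byte LLC/NLPID header."""
    frame = struct.pack("!H", protocol) + info
    return LLC_PPP + frame if llc else frame


def aal5_cpcs_pdu(payload: bytes) -> bytes:
    """Pad so payload + 8-byte trailer fills whole cells, then append the trailer:
    UU (1), CPI (1), length of the original payload (2), CRC-32 (4)."""
    pad = (-(len(payload) + 8)) % CELL_PAYLOAD
    body = payload + bytes(pad) + struct.pack("!BBH", 0, 0, len(payload))
    return body + struct.pack("!I", crc32_aal5(body))


def atm_header(vpi: int, vci: int, last: bool) -> bytes:
    """5-byte UNI header: GFC=0, VPI, VCI, PTI with the AAU bit set on the last
    cell of a PDU, CLP=0, and the HEC (CRC-8, x^8+x^2+x+1, XOR 0x55)."""
    word = (vpi << 20) | (vci << 4) | ((1 if last else 0) << 1)
    hdr = struct.pack("!I", word)
    hec = 0
    for byte in hdr:
        hec ^= byte
        for _ in range(8):
            hec = ((hec << 1) ^ 0x07) & 0xFF if hec & 0x80 else (hec << 1) & 0xFF
    return hdr + bytes([hec ^ 0x55])


def segment(pdu: bytes, vpi: int, vci: int) -> list:
    """Cut the CPCS-PDU into 53-byte cells; the AAU bit marks the final cell."""
    return [atm_header(vpi, vci, off + CELL_PAYLOAD >= len(pdu)) + pdu[off:off + CELL_PAYLOAD]
            for off in range(0, len(pdu), CELL_PAYLOAD)]


def reassemble(cells: list) -> bytes:
    """Receiver side: concatenate payloads up to the AAU cell, then verify the
    trailer before handing anything to PPP. Raises ValueError on any failure."""
    if not cells or not (cells[-1][3] >> 1) & 1:
        raise ValueError("last cell lacks the AAU bit: incomplete PDU")
    pdu = b"".join(cell[5:] for cell in cells)
    if len(pdu) < 8 or len(pdu) % CELL_PAYLOAD:
        raise ValueError("PDU is not a whole number of cells")
    body, crc = pdu[:-4], struct.unpack("!I", pdu[-4:])[0]
    if crc32_aal5(body) != crc:
        raise ValueError("AAL5 CRC mismatch")
    length = struct.unpack("!H", pdu[-6:-4])[0]
    if length > len(pdu) - 8:
        raise ValueError("AAL5 length field exceeds PDU")
    return pdu[:length]


def receive(cells: list):
    """Return (ppp_protocol, info) for a valid PDU, or None if any check fails,
    so a corrupted or truncated PDU is dropped rather than passed up to PPP.
    A real VC is configured for one encapsulation; the LLC sniff is for the demo."""
    try:
        payload = reassemble(cells)
    except ValueError:
        return None
    if payload.startswith(LLC_PPP):
        payload = payload[len(LLC_PPP):]
    if len(payload) < 2:
        return None
    return struct.unpack("!H", payload[:2])[0], payload[2:]


if __name__ == "__main__":
    # Constructed sample: LCP Configure-Request, id 1, no options (4 bytes)
    lcp = bytes.fromhex("01010004")
    cells = segment(aal5_cpcs_pdu(encapsulate_ppp(PPP_LCP, lcp)), 1, 32)
    print(len(cells), "cell(s);", receive(cells))
```

A 4-byte LCP request fits in one cell either way (6 or 10 bytes of payload plus the 8-byte trailer, padded to 48); a 100-byte IP packet needs three. Dropping the last cell or flipping any payload byte makes receive() return None, which is the behaviour you want at the aggregator: the CRC catches line damage, but it is PPP authentication above this layer that decides who the sender is.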

PPPoA with Tunneling Protocol Stack


The accompanying illustration shows termination of the PPPoA session at
the NSP and the protocols used to transport the PPP session and user
data.

CPE Encapsulation
The PC and xTU-R perform the same functions when the PPP session is tunneled to the NSP as they do when the session terminates on the aggregation device with PTA. The tunnel is transparent to the CPE and subscriber.

PPP
The PPP layer performs user AAA. User identification with tunneling is based upon the username@domainname, which is configured on the CPE. The CPE performs the encapsulation of IP data before it is handed off to the ATM adaptation process.

RFC 1483, AAL5, ATM and PHY Layers


These protocol layers provide the same functionality and services when
used with a tunneling protocol as they do with PTA.

Tunnel Protocol
If the request from the subscriber is in the form username@domainname, the aggregation server tries to create a tunnel to the destination if one does not already exist. After the tunnel is created, the aggregation server forwards the PPP requests from the subscriber to the destination. The destination authenticates the user, typically using a RADIUS server. If the request from the subscriber does not include a domain name, the user is authenticated against the local database.
L2TP and remote access to Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) are two examples of tunneling protocols used in this scenario.

Figure: PPPoA with Tunneling Protocol Stack. Customer premises (PC/xTU-R): IP over PPP over RFC 1483 over AAL5 over ATM over PHY, carried on the PVC. DSLAM: ATM and PHY only. Aggregator (LAC): terminates RFC 1483, AAL5, ATM and PHY on the subscriber side and carries the PPP frames unchanged inside the tunnel protocol over ATM, Frame Relay, etc. into the L3 core. LNS router: terminates the tunnel protocol and the PPP session and forwards IP into the NSP/corporate network.
How Does PPPoA Work with PTA?


The illustration shows the process by which the CPE and aggregation
server authenticate the user and assign an address to the subscriber
equipment.
1. The CPE sends the authentication request to the aggregation device.
The request contains the username that has been configured on the
CPE.
2. The PPP session initiated by the subscriber is terminated at the service
provider, which authenticates the user either by using a local database
on the router or by using RADIUS servers.
3. After the user is authenticated, IP Control Protocol (IPCP) negotiation
takes place and the IP address is assigned to the CPE. After the IP
address has been assigned, a host route is established both on the CPE
and on the aggregation router.
4. The IP address allocated to the subscriber, if it is publicly routable, is advertised to the edge router. The edge router is the gateway through which the subscriber can access the Internet. If the IP address is private, the service provider translates it before advertising it to the edge router.

Figure: How Does PPPoA Work with PTA? The CPE runs PPPoA across the DSLAM to the aggregator (PTA), which consults AAA and routes toward ISP1.com over the core.
1. CPE initiates PPP session with username
2. Subscriber authenticated by local router or by RADIUS server
3. IP address allocated to CPE using IPCP negotiation
4. User can access service
How Does PPPoA Work with Tunneling?


The illustration shows the process by which the CPE and aggregation
server authenticate the user and assign an address to the subscriber
equipment.
1. The CPE sends the authentication request to the aggregation device. The request contains the username@domainname that has been configured on the CPE.
2. The L2TP Access Concentrator (LAC) authenticates the incoming
session, based on the domain name.
3. The aggregation server creates a tunnel to the destination, if a tunnel
does not already exist. After the tunnel is created, the aggregation
server forwards the PPP requests from the subscriber to the
destination service.
4. The destination service authenticates the user using either a local
database on the router or through RADIUS servers.
5. After the user is authenticated, IPCP negotiation takes place and the
IP address is assigned to the CPE. After the IP address has been
assigned, a host route is established both on the CPE and at the service
provider.
6. The user can now access services at the destination.
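The steering decision described in the six steps above and in the User Authentication paragraph earlier, as an added example that is not code from the Cisco guide. It shows what the aggregator does with one PPP authentication request: split the domain off the username, tunnel the session when the domain is known (forwarding the CHAP challenge and response untouched, so the LAC never sees the password), and otherwise verify CHAP locally as in PTA. Everything in it is constructed: TUNNEL_TABLE stands in for a vpdn-group or RADIUS tunnel attributes, LOCAL_USERS mirrors the guide's p1user entries, LNS_USERS exists only at the NSP, and the LNS address 10.0.2.1 is made up. A PAP request builder is included only to show why the guide's choice of CHAP matters.

```python
"""Added example, not code from the Cisco guide: what an aggregator does with a
PPP authentication request, steering on the domain part of the username and
verifying CHAP locally (PTA) or proxying it to the LNS (tunnel).

Everything here is constructed: TUNNEL_TABLE stands in for a vpdn-group or
RADIUS tunnel attributes, LOCAL_USERS mirrors the guide's p1user entries, and
LNS_USERS exists only at the NSP. The LNS address is made up.
"""
import hashlib
import hmac
import os
import struct

TUNNEL_TABLE = {"isp2.com": {"lns": "10.0.2.1"}}            # constructed
LOCAL_USERS = {"p1user1": b"user1", "p1user2": b"user2"}   # constructed; cleartext because CHAP needs it
LNS_USERS = {"alice@isp2.com": b"alice-pass"}               # constructed; never present on the LAC


def split_username(username: str):
    """'user@domain' -> ('user', 'domain'); a bare username has no domain."""
    user, sep, domain = username.partition("@")
    return user, (domain.lower() if sep else None)


def new_challenge(length: int = 16) -> bytes:
    """Fresh random challenge per authentication attempt (replay protection)."""
    return os.urandom(length)


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


def chap_verify(username: str, ident: int, challenge: bytes, response: bytes, users: dict) -> bool:
    """Recompute the response from the stored secret; constant-time compare."""
    secret = users.get(username)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)


def pap_request(ident: int, username: str, password: bytes) -> bytes:
    """PAP Authenticate-Request (RFC 1334): the password travels in the clear."""
    body = bytes([len(username)]) + username.encode() + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, ident, 4 + len(body)) + body


def password_on_wire(packet: bytes, password: bytes) -> bool:
    return password in packet


def lac_handle(username: str, ident: int, challenge: bytes, response: bytes) -> dict:
    """Known domain: tunnel and forward the CHAP exchange untouched (the LAC never
    learns the password). Otherwise: authenticate the full username locally."""
    _, domain = split_username(username)
    if domain in TUNNEL_TABLE:
        forwarded = {"username": username, "ident": ident, "challenge": challenge, "response": response}
        return {"action": "tunnel", "lns": TUNNEL_TABLE[domain]["lns"], "forward": forwarded}
    if chap_verify(username, ident, challenge, response, LOCAL_USERS):
        return {"action": "pta", "user": username}
    return {"action": "reject", "user": username}


def lns_handle(forwarded: dict) -> str:
    """Tunnel endpoint: the real credential check happens here, against LNS_USERS."""
    ok = chap_verify(forwarded["username"], forwarded["ident"], forwarded["challenge"],
                     forwarded["response"], LNS_USERS)
    return "accept" if ok else "reject"


def authenticate_session(username: str, cpe_secret: bytes, ident: int = 1, challenge: bytes = None) -> str:
    """Drive one PPP authentication phase end to end and return the outcome:
    'pta', 'reject', or 'tunnel:<lns>:<accept|reject>'."""
    challenge = challenge or new_challenge()
    response = chap_response(ident, cpe_secret, challenge)   # computed by the CPE with its configured secret
    decision = lac_handle(username, ident, challenge, response)
    if decision["action"] == "tunnel":
        return "tunnel:%s:%s" % (decision["lns"], lns_handle(decision["forward"]))
    return decision["action"]
```

authenticate_session("p1user1", b"user1") ends in "pta"; "alice@isp2.com" is tunneled and accepted or rejected by the LNS, never by the LAC; an unknown domain falls through to the local table and is rejected. The constant-time compare and the per-attempt random challenge are the two details a minimal CHAP verifier tends to get wrong.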

Figure: How Does PPPoA Work with Tunneling? The CPE runs PPPoA across the DSLAM to the LAC, which consults its AAA server and tunnels the session over the core to the LNS at ISP1.com, which consults its own AAA server.
1. CPE initiates PPP session with username@domainname
2. Domain name authenticated by local router or by RADIUS server
3. PPP session tunneled to LNS
4. User name authenticated by local router or by RADIUS server
5. IP address allocated to CPE using IPCP negotiation
6. User can access service
PPPoA IP Address Management


In the PPPoA architecture, IP address allocation for the subscriber CPE uses IPCP negotiation, the same mechanism PPP uses in dial-up mode.

How Are Addresses Assigned?
The IP address is allocated by using one of the following:

- A locally defined pool on the aggregation or service provider router
- A DHCP server
- A RADIUS server (the preferred method)

Although not commonly used, the ISP may provide a set of static IP addresses to the subscriber and not assign IP addresses dynamically when the subscriber initiates the PPP session. In this scenario, the service provider uses the RADIUS server only to authenticate the user.

Who Assigns Addresses?
IP addresses are allocated according to the type of service a subscriber uses.

- If the subscriber session is terminated at the NAS and the user data is routed from there, the aggregation service assigns the address.
- If the subscriber session is terminated at the NSP, the NSP generally assigns the address to the subscriber CPE.

Using NAT and PAT
The CPE can be configured to perform Network Address Translation (NAT) on statically assigned private addresses on the subscriber hosts. It may also be set up to use Dynamic Host Configuration Protocol (DHCP) to provide private addresses to the subscriber hosts along with Port Address Translation (PAT).

Using IPCP Subnet Mask Negotiation
Using IPCP subnet mask negotiation, a subnet of IP addresses, rather than a single IP address, is assigned to the CPE. One IP address from this subnet is used by the CPE; the remaining IP addresses are dynamically allocated to the stations through DHCP. When IPCP subnet mask negotiation is used, CPEs do not need to be configured for PAT, which does not work with some applications.

Figure: PPPoA IP Address Management. CPE, DSLAM, NAP (LAC), NSP (LNS) and core; both the NAP and the NSP have RADIUS and DHCP servers and an IP pool (192.168.1.1 through 192.168.1.4 shown); the CPE uses NAT or IPCP subnet negotiation.
- Assigned during IPCP phase
- Dynamic allocation done using local pool, DHCP or RADIUS
- Assigned by NAP if using PTA
- Assigned by NSP if using tunneling
- CPE can use NAT
- CPE can use IPCP subnet negotiation
PPPoA Configuration
Two essential elements of creating subscriber connections on the
aggregation router for PPPoA sessions include creating an ATM
subinterface with a PVC and a virtual access interface to which this PVC
connects. The PPPoA session terminates on the virtual access interface.

Virtual Access Interface Definitions
You do not actually define a virtual access interface but a virtual template interface, which is referenced by the ATM subinterface. When the subscriber PPP request is received on the ATM subinterface, the virtual template interface is used to clone a virtual access interface.
The following describe the elements of virtual access interfaces.

Virtual access interface
A virtual access interface is an instance of a unique virtual interface that is created dynamically and exists temporarily. Virtual access interfaces can be created and configured differently by different applications, such as virtual profiles and virtual private dial-up networks.

Virtual template interface
A virtual template interface is a generic configuration of an interface for a certain purpose or configuration common to certain users, plus router-dependent information. The template takes the form of a list of Cisco IOS interface commands to be applied to a virtual access interface as needed.

Cloning
Cloning is the process of creating and configuring a virtual access interface by applying a specific virtual template interface. The template is the source of the generic user information and router-dependent information. The result of cloning is a virtual access interface configured with all the commands in the template.

Virtual profile
Unique virtual access interfaces are created dynamically when certain users call in. These interfaces are torn down dynamically when the call disconnects. A specific user's virtual profile can be configured by a virtual template interface, by a user-specific interface configuration stored on an AAA server, or by both a virtual template interface and user-specific interface configuration from AAA.

Figure: PPPoA Configuration. PVCs on the ATM interface carry the PPPoA sessions; each session is cloned from the virtual template interface onto its own virtual access interface (Virtual-Access 1 through 5 shown).
- PPPoA sessions use virtual access interfaces
- Virtual access interfaces created from virtual template interface
PPPoA Configuration (continued)


The illustration shows the topology for the example Cisco IOS configurations on the aggregation router that follow in this module.
The configuration examples on the following pages show the use of the following:

- A local database of usernames
- A local IP address pool
- An external DHCP server

Other ways that PPPoA can be configured on the aggregation router include the following:

- Using RADIUS to authenticate users
- Using RADIUS to allocate IP addresses to CPEs
- Using static addressing on the CPE
- Using point-to-point ATM subinterfaces (not recommended)

______________________________ Note __________________________
Multipoint interfaces are preferred over point-to-point interfaces because they conserve system resources.
_____________________________________________________________

Figure: topology for the configuration examples. The aggregation device (IP 192.168.1.1) connects to the core and, through the DSLAM, to three PPPoA CPEs with IP 192.168.1.2, 192.168.1.3 and 192.168.1.4, each using gateway 192.168.1.1.
PPPoA Configuration (continued)


PPPoA IOS Config Local Pool
Complete the following general steps on the Cisco aggregation router to support PPPoA using a local IP address pool that the router uses to allocate IP addresses to subscriber CPEs.
1. Define a username and password that subscriber CPEs use for PPP authentication.
______________________________ Note __________________________
If a RADIUS server is used for user authentication, omit Step 1. CHAP requires the authenticator to know the subscriber's cleartext secret, so locally defined PPP users cannot use a one-way hashed secret; the passwords remain recoverable from the configuration (at best obscured by service password-encryption). Keeping them on a RADIUS server limits what an exposed router configuration reveals.
_____________________________________________________________
2. Create a loopback interface with an IP address in the range of addresses assigned to the subscribers.
3. Create an IP local pool with the range of addresses that the router allocates to subscriber CPEs.
4. Create a virtual template interface with a numerical identifier.
5. On the virtual template interface, assign an IP unnumbered association to the loopback interface.
6. On the virtual template interface, create a peer default IP address association to the local pool that you created in Step 3.
7. On the virtual template interface, indicate the type of PPP authentication to be used for the subscribers.
8. Create a multipoint ATM subinterface.
9. On the subinterface, put the subinterface into PPP passive mode.
______________________________ Note __________________________
With PPP passive mode, the aggregation router does not attempt to establish a PPP session; instead, it relies on the CPE to establish the session. Although not required, this is the preferred implementation.
_____________________________________________________________
10. On the subinterface, add a PVC.
11. On the PVC, indicate the AAL5 encapsulation type VC mux PPP, along with a pointer to the virtual template interface that you created earlier.

username p1user1 password 0 user1
username p1user2 password 0 user2
username p1user3 password 0 user3
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
interface ATM8/0/0.132 multipoint
 atm pppatm passive
 pvc 1/32
  encapsulation aal5mux ppp Virtual-Template1
 pvc 1/33
  encapsulation aal5mux ppp Virtual-Template1
 pvc 1/34
  encapsulation aal5mux ppp Virtual-Template1
!
interface Virtual-Template1
 ip unnumbered Loopback0
 peer default ip address pool PTApool
 ppp authentication chap
!
ip local pool PTApool 192.168.1.2 192.168.1.254

PPPoA Configuration (continued)


PPPoA IOS Config DHCP
Complete the following general steps on the Cisco aggregation router to support PPPoA using an external DHCP server from which the router obtains the IP addresses it allocates to subscri ber CPEs.
1. Define a username and password that subscriber CPEs use for PPP authentication.
______________________________ Note __________________________
If a RADIUS server is used for user authentication, omit Step 1.
_____________________________________________________________
2. Create a loopback interface with an IP address in the range of addresses assigned to the subscribers.
3. Identify the external DHCP server with the global ip dhcp-server command; the router acts as a DHCP proxy client on behalf of each PPP peer.
4. Create a virtual template interface with a numerical identifier.
5. On the virtual template interface, assign an IP unnumbered association to the loopback interface.
6. On the virtual template interface, use the peer default ip address dhcp command so that the peer address negotiated in IPCP is obtained from the DHCP server. (The ip helper-address command only relays DHCP broadcasts received on an interface; it does not make IPCP allocate addresses from DHCP.)
7. On the virtual template interface, indicate the type of PPP authentication to be used for the subscribers.
8. Create a multipoint ATM subinterface.
9. On the subinterface, put the subinterface into PPP passive mode.
______________________________ Note __________________________
With PPP passive mode, the aggregation router does not attempt to establish a PPP session; instead, it relies on the CPE to establish the session. Although not required, this is the preferred implementation.
_____________________________________________________________
10. On the subinterface, add a PVC.
11. On the PVC, indicate the AAL5 encapsulation type VC mux PPP, along with a pointer to the virtual template interface that you created earlier.

username p1user1 password 0 user1
username p1user2 password 0 user2
username p1user3 password 0 user3
!
ip dhcp-server 52.20.10.100
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
interface ATM8/0/0.132 multipoint
 atm pppatm passive
 pvc 1/32
  encapsulation aal5mux ppp Virtual-Template1
 pvc 1/33
  encapsulation aal5mux ppp Virtual-Template1
 pvc 1/34
  encapsulation aal5mux ppp Virtual-Template1
!
interface Virtual-Template1
 ip unnumbered Loopback0
 peer default ip address dhcp
 ppp authentication chap

PPPoA Configuration (continued)


PPPoA IOS Config IPCP Subnet Mask Negotiation
Complete the following general steps on the Cisco aggregation router to support PPPoA using a DHCP pool on the router from which it allocates a subnet, rather than a single address, to each subscriber CPE. IPCP subnet negotiation is configured on the virtual template interface.
1. Define a username and password that subscriber CPEs use for PPP authentication.
______________________________ Note __________________________
If a RADIUS server is used for user authentication, omit Step 1.
_____________________________________________________________
2. Create a loopback interface with an IP address in the range of addresses assigned to the subscribers.
3. Create a DHCP pool that includes the network range of addresses and the default router IP address.
4. Exclude the IP address of the loopback interface from the DHCP pool so that it is never assigned to a client.
5. Create a virtual template interface with a numerical identifier.
6. On the virtual template interface, assign an IP unnumbered association to the loopback interface.
7. On the virtual template interface, create a peer default IP address association to the DHCP pool that you created earlier.
8. On the virtual template interface, indicate the type of PPP authentication to be used for the subscribers.
9. On the virtual template interface, use the ppp ipcp mask command to set the subnet mask, and therefore the number of addresses, allocated from the DHCP pool to each CPE. With the mask 255.255.255.248 in the example, each CPE receives a block of eight addresses.
______________________________ Note __________________________
The CPE must be set up to request a range of addresses that it will allocate to the individual subscriber hosts. One address of the block is used by the CPE itself.
_____________________________________________________________
10. Create a multipoint ATM subinterface.
11. On the subinterface, add a PVC.
12. On the PVC, indicate the AAL5 encapsulation type VC mux PPP, along with a pointer to the virtual template interface that you created earlier.
username p1user1 password 0 user1
username p1user2 password 0 user2
username p1user3 password 0 user3
!
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool PPPoApool
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
interface ATM8/0/0.132 multipoint
 pvc 1/32
  encapsulation aal5mux ppp Virtual-Template1
!
interface Virtual-Template1
 ip unnumbered Loopback0
 peer default ip address dhcp-pool PPPoApool
 ppp authentication chap
 ppp ipcp mask 255.255.255.248
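The IPCP phase that the local-pool configuration and the subnet-mask configuration above both rely on, as an added example that is not code from the Cisco guide. It models both sides of the exchange: the CPE asks for 0.0.0.0, the aggregator answers with a Configure-Nak carrying the address (and, when a mask is configured, the block) it has leased from a pool like PTApool or PPPoApool, and the CPE re-requests those values and gets a Configure-Ack. The IP-Address option is RFC 1332 option 3; the option number used here for the subnet mask (0x90), the choice of the block's second address as the CPE address, and the handling of pool exhaustion by refusing the session are assumptions of this example, not taken from the guide. The pool exclusion shows why the loopback address must be kept out of the DHCP pool.

```python
"""Added example, not code from the Cisco guide: the IPCP exchange by which the
aggregator assigns the CPE an address from a pool such as
'ip local pool PTApool 192.168.1.2 192.168.1.254', or a whole block when
'ppp ipcp mask 255.255.255.248' is configured.

ASSUMPTIONS: option 3 is the RFC 1332 IP-Address option; OPT_SUBNET_MASK and
the CPE-address convention are illustrative; exhaustion returns None (refused).
"""
import ipaddress
import struct

CONF_REQ, CONF_ACK, CONF_NAK = 1, 2, 3   # IPCP codes (RFC 1661 / RFC 1332)
OPT_IP_ADDRESS = 3                        # RFC 1332 IP-Address option
OPT_SUBNET_MASK = 0x90                    # ASSUMPTION: option number for the subnet mask extension


def build_ipcp(code: int, ident: int, options: list) -> bytes:
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in options)
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_ipcp(data: bytes):
    """Return (code, ident, [(type, value), ...]); ValueError on malformed input."""
    if len(data) < 4:
        raise ValueError("short IPCP packet")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("IPCP length field does not match packet")
    opts, pos = [], 4
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("bad IPCP option length")
        opts.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return code, ident, opts


def is_valid_ipcp(data: bytes) -> bool:
    try:
        parse_ipcp(data)
        return True
    except ValueError:
        return False


class AddressPool:
    """Hands out single addresses (prefix 32) or aligned blocks (e.g. prefix 29),
    never touching excluded addresses such as the router's own loopback."""

    def __init__(self, first: str, last: str, excluded=()):
        self.first = int(ipaddress.IPv4Address(first))
        self.last = int(ipaddress.IPv4Address(last))
        self.excluded = {int(ipaddress.IPv4Address(a)) for a in excluded}
        self.leases = {}   # session -> (network as int, prefix)

    def allocate(self, session: str, prefix: int = 32):
        size = 1 << (32 - prefix)
        busy = {a for net, p in self.leases.values() for a in range(net, net + (1 << (32 - p)))}
        start = -(-self.first // size) * size          # first block aligned at or after self.first
        for net in range(start, self.last - size + 2, size):
            if all(a not in busy and a not in self.excluded for a in range(net, net + size)):
                self.leases[session] = (net, prefix)
                return ipaddress.IPv4Network((net, prefix))
        return None                                    # pool exhausted: session is refused

    def release(self, session: str):
        self.leases.pop(session, None)


def nas_reply(pool: AddressPool, session: str, prefix: int, request: bytes):
    """Aggregator side: Ack a request that matches the lease, Nak with the lease's
    values otherwise; None when no address is free."""
    code, ident, opts = parse_ipcp(request)
    if session not in pool.leases and pool.allocate(session, prefix) is None:
        return None
    net, p = pool.leases[session]
    block = ipaddress.IPv4Network((net, p))
    cpe_addr = block.network_address + (1 if p < 32 else 0)   # ASSUMPTION: second address of a block
    wanted = {OPT_IP_ADDRESS: cpe_addr.packed}
    if p < 32:
        wanted[OPT_SUBNET_MASK] = block.netmask.packed
    naks = [(t, wanted[t]) for t, v in opts if t in wanted and v != wanted[t]]
    return build_ipcp(CONF_NAK, ident, naks) if naks else build_ipcp(CONF_ACK, ident, opts)


def negotiate(pool: AddressPool, session: str, prefix: int = 32):
    """CPE side: ask for 0.0.0.0, adopt whatever the Nak suggests, re-request.
    Returns (final code or None, {option: value}, transcript of both directions)."""
    req = {OPT_IP_ADDRESS: bytes(4)}
    if prefix < 32:
        req[OPT_SUBNET_MASK] = bytes(4)
    transcript, code, opts = [], None, []
    for ident in (1, 2):
        packet = build_ipcp(CONF_REQ, ident, list(req.items()))
        reply = nas_reply(pool, session, prefix, packet)
        transcript += [("CPE->NAS", packet), ("NAS->CPE", reply)]
        if reply is None:
            return None, {}, transcript
        code, _, opts = parse_ipcp(reply)
        if code == CONF_ACK:
            break
        req.update(opts)   # Configure-Nak: take the hinted values
    return code, dict(opts), transcript
```

With the PTApool range, the first session on PVC 1/32 receives 192.168.1.2 after one Nak and one Ack (four messages); with the DHCP-pool range and 192.168.1.1 excluded, the first /29 block is 192.168.1.8/29 because the block containing the loopback is skipped, and the CPE is offered 192.168.1.9 with mask 255.255.255.248. Releasing a session returns its address to the pool, and a request with a malformed option length is rejected by the parser before any allocation happens.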

PPPoA Advantages and Disadvantages


The following is a list of advantages and disadvantages of PPPoA.

Advantages

- Per-session authentication based on PAP or CHAP. This is the greatest advantage of PPPoA because authentication overcomes the security hole in a bridging architecture, where subscribers cannot be authenticated at all. CHAP should be preferred: PAP sends the password in the clear on the PVC, whereas CHAP sends only an MD5 response to a challenge.
- Per-session accounting is possible, which allows the service provider to charge the subscriber on the basis of session time for various services offered. Per-session accounting enables a service provider to offer a minimum access level for minimal charge and then charge subscribers for additional services used.
- IP address conservation at the CPE. This allows the service provider to assign only one IP address to a CPE, with the CPE configured for NAT. All users behind one CPE can use a single IP address to reach different destinations. IP management overhead for the Network Access Provider (NAP) and Network Services Provider (NSP) for each individual user is reduced while conserving IP addresses. In addition, the service provider can provide a small subnet of IP addresses to overcome the limitations of PAT and NAT.
- NAPs and NSPs provide secure access to corporate gateways without managing end-to-end PVCs, using Layer 3 routing or L2TP tunnels. Hence, they can scale their business models for selling wholesale services.
- Troubleshooting individual subscribers. The NSP can easily identify which subscribers are on or off, based on active PPP sessions, rather than troubleshooting entire groups as is the case when a bridging architecture is used.
- The NSP can oversubscribe by deploying idle and session timeouts using an industry-standard RADIUS server for each subscriber.
- Highly scalable by terminating a very high number of PPP sessions on an aggregation router. Authentication, authorization, and accounting can be handled for each user by using external RADIUS servers.
- Optimal use of features on the SSG.

Version 1.0

Implementing Broadband Aggregation

Module 3

PPPoA Advantages and Disadvantages

Advantages
- Per-session authentication based on PAP or CHAP
- Per-session accounting is possible
- IP address conservation at the CPE
- NAPs and NSPs provide access without managing end-to-end PVCs
- Troubleshooting individual subscribers
- NSP can oversubscribe
- Highly scalable using external RADIUS
- Enables use of SSG

2003 Cisco Systems, Inc.

PPPoA Advantages and Disadvantages (continued)


Disadvantages


- Only a single session per CPE on one virtual channel (VC). Since the
  username and password are configured on the CPE, all users behind
  the CPE for that particular VC can access only one set of services.
  Users cannot select different sets of services, although using multiple
  VCs and establishing different PPP sessions on different VCs is
  possible.

- Increased complexity of the CPE setup. Help desk personnel at the
  service provider need to be more knowledgeable. Since the username
  and password are configured on the CPE, the subscriber or the CPE
  vendor will need to make setup changes.

- The service provider needs to maintain a database of usernames and
  passwords for all subscribers. If tunnels or proxy services are used,
  then authentication can be done on the basis of the domain name, and
  user authentication is done at the corporate gateway. This reduces the
  size of the database that the service provider has to maintain.

- If a single IP address is provided to the CPE and NAT or PAT is
  implemented, certain applications such as IPTV, which embed IP
  information in the payload, will not work. Also, if an IP subnet feature
  is used, an IP address must be reserved for the CPE.


PPPoA Advantages and Disadvantages (continued)

Disadvantages
- Single session per CPE on one VC limits access to single service selection
- Increased complexity of the CPE setup
- Service provider needs to maintain a database of usernames and passwords for all subscribers
- Certain applications will not work with NAT and PAT


Summary
PPPoA
In this module, you learned the following:


- The typical architecture and benefits of PPPoA, including its ability to
  support subscriber AAA services
- The protocol stack elements associated with PPPoA and how PPPoA
  works in both a PTA and tunneling environment
- The various methods that may be used to allocate IP addresses,
  including static, local pool, DHCP, RADIUS, NAT, and IP subnet
  negotiation
- Configuration of PPPoA on Cisco routers using the local pool and
  DHCP
- The advantages and disadvantages of PPPoA


Review Questions
PPPoA
1. What are the two locations that terminate PPPoA sessions?
a. _____________________________________
b. _____________________________________
2. With PPPoA, which device in the network initiates the PPP session?
Choose two.
a. Subscriber host
b. Subscriber CPE
c. DSLAM
d. Aggregation router (not in PPP passive mode)
e. NSP's router
3. When using PPPoA with PTA, which two devices terminate the PPP
session?
_______________________________________________________________
4. When using PPPoA with tunneling, which two devices terminate the
PPP session?
_______________________________________________________________
5. Put the following events in the correct order in which they would occur
when PPPoA is used with PTA. Use numbers to indicate the correct
order.
a. The NAP's aggregation device or RADIUS server authenticates the
subscriber.
b. The subscriber CPE initiates the PPP session.
c. The NAP's aggregation device, RADIUS server, or DHCP server
allocates an IP address to the CPE.
d. The user data is routed to the service destination.


6. Put the following events in the correct order in which they would occur
when PPPoA is used with tunneling. Use numbers to indicate the
correct order.
a. The NAP's aggregation device or RADIUS server authenticates the
subscriber's domain name.
b. The subscriber CPE initiates the PPP session.
c. The NSP's aggregation device, RADIUS server, or DHCP server
allocates an IP address to the CPE.
d. The PPP session is tunneled from the NAP router to the NSP router.
e. The NSP's aggregation device or RADIUS server authenticates the
subscriber's domain and user names.
f. The user data is routed to the service destination.
7. List the three methods for allocating IP addresses to the subscriber
CPE.
a. _________________________________
b. _________________________________
c. _________________________________
8. Which of the following is not a characteristic of virtual access
interfaces?
a. Virtual access interfaces are cloned from parameters configured on
a virtual template interface.
b. Once created, virtual access interfaces are created permanently.
c. With PPPoA, a VC is bound to a virtual access interface.
d. With PPPoA, the virtual access interface is created when the PPP
session is initiated.
9. Which of the following are preferred ways to configure the aggregation
router for PPPoA? Choose two.
a. Using unnumbered loopback interfaces with virtual template
interfaces
b. Using multipoint ATM interfaces
c. Using point-to-point ATM interfaces
d. Configuring the username database on the router, especially when
many unique subscriber names are required


10. Which of the following are true statements about PPPoA? Choose four.
a. Users can be authenticated using PAP or CHAP.
b. IP addresses can be conserved at the CPE using NAT.
c. High scaling can be achieved using RADIUS for AAA services.
d. PPPoA is limited to one user host per CPE.
e. Service providers need to maintain a database of usernames when
PPP sessions are terminated at the aggregation router.
f. Oversubscription is not possible with PPPoA.


Module 4
PPPoE

Overview
Description
In this module, you will learn about Point-to-Point Protocol over Ethernet
(PPPoE). You will learn how it works, examine a typical architecture, and
learn about its benefits. You will perform hands-on exercises to configure,
verify operation, and test PPPoE.

Objectives
After completing this module, you will be able to do the following:

- Describe the typical architecture and benefits of PPPoE
- Identify the protocol stack elements associated with PPPoE and
  describe how PPPoE works
- List the methods used for allocating IP addresses
- Configure PPPoE on Cisco routers
- Identify the advantages and disadvantages of PPPoE
- Describe and identify the usage of PPPoEoE and PPPoEo802.1q


Typical PPPoE Architecture


PPP provides a standard method for transporting multi-protocol
datagrams over point-to-point links. Ethernet, on the other hand, is a
shared broadcast medium that is not intended for hosts establishing PPP
sessions with peers on the same or remote networks. PPP over Ethernet
(PPPoE), described in RFC 2516, provides a standard method for building
PPP sessions and encapsulating PPP packets over Ethernet.

User Session Initiation


From a user perspective, PPPoE operates much like a dial-up network. A
user enters a username and password whenever he or she wishes to
connect to the service provider. This capability allows multiple users to
connect to services and offers multiple service selection capabilities based
on user identification.

PPPoE overview
PPPoE has two distinct phases:

- A discovery stage, which is based on a client-to-server relationship.
  During the discovery stage, the host (client) attempts to discover an
  access concentrator (server). Using the peers' Ethernet MAC addresses
  and a unique PPPoE session identifier, a point-to-point connection
  between the peers is established over Ethernet.
- A PPP session stage, which is based on a peer-to-peer relationship.
  During the PPP session stage, the PPP peers exchange the typical
  packets to open the Link Control Protocol (LCP) and Network Control
  Protocol (NCP) states.

Because the host and access concentrator initiate the PPPoE and PPP
sessions, the CPE in this environment is transparent and functions as a
bridge. There is no need to perform complex configurations of the CPE.
The combination of peer MAC addresses and unique PPPoE session
identifiers permits multiple users on the shared Ethernet LAN access to
service providers.

PPPoE Environments
PPPoE is utilized in the following environments:

- PPPoE over ATM (PPPoEoA)
- PPPoE over Ethernet (PPPoEoE)
- PPPoE over VLANs (PPPoEo802.1q)



Typical PPPoE Architecture (figure)

[Figure: CPE connected over an ATM or Ethernet transport to the aggregation device; from the core, an IP route reaches ISP1.com and a tunnel reaches ISP2.com; an AAA server sits beside the aggregation device. The PPP session runs from the host to its termination point.]

- PPPoE provides a point-to-point connection over Ethernet
- Uses the PPP dial-in function on the client
- Architectures include PPPoEoA, PPPoEoE, and PPPoEo802.1q


Typical PPPoE Architecture (continued)


Session Initiation
PPPoE relies on a discovery stage and a PPP session stage.
During the PPP session stage, the host initiates a PPP session to the
aggregation router by sending LCP configuration requests. The
aggregation router also sends out the LCP configuration request on a
virtual access interface. When each one sees the configuration request of
the other, they acknowledge the requests and the LCP state is opened.

User Authentication
For the authentication stage, the host sends the authentication request to
the aggregation router. Depending on its configuration, the router
authenticates the user on the basis of the domain name (if supplied), or on
the basis of the username using its local database or RADIUS servers.
User authentication, authorization, and accounting (AAA) in this scenario
is best handled by using an industry-standard RADIUS server.

How the Service Destination Is Reached

In PPPoE architectures, the service destination can be reached in different
ways. These are some of the most commonly used methods:

- Terminating PPP sessions at the network access server (NAS) and
  routing the user traffic to the network service provider (NSP)
- Layer 2 Tunneling Protocol (L2TP) tunneling of the PPP sessions to the
  final service destination
- Using the Service Selection Gateway (SSG) and Subscriber Edge Services
  Manager (SESM) to select the service destination

With tunneling, the user can access only one destination at a time. With
SSG, the user can access many services.


Typical PPPoE Architecture (continued) (figure)

[Figure: two CPEs connected over an ATM or Ethernet transport to the aggregation device; from the core, an IP route reaches ISP1.com and a tunnel reaches ISP2.com; an AAA server sits beside the aggregation device. A PPP session is shown from each host.]

- PPP session initiated from the host
- Authentication handled by the aggregator or a RADIUS server
- Aggregator routes or tunnels to services


PPPoE Protocol Stack


Protocol Stack Components
PPPoE is an extension to the standard PPP layer. The protocol headers
used with PPPoE include the following:

- Transport
- Ethernet/802.3
- PPPoE
- PPP
- Upper layer protocol

The additional protocol layer for PPPoE is used during the discovery stage
and PPP session stage. It contains codes for identifying the packet types
used during the discovery stage and the session identifier. The peers rely
on the session identifier, along with the source and destination MAC
addresses in the Ethernet header, to identify the unique PPPoE session.

MTU considerations
Because of the additional PPPoE header, you may need to configure the
MTU size. To accommodate the 6-byte PPPoE header and the 2-byte PPP
protocol field within the 1500-byte Ethernet payload, the PPP MTU (and
the MRU negotiated in LCP) must not exceed 1492 bytes.


PPPoE Protocol Stack (figure)

[Figure: host and aggregator connected over an ATM or Ethernet transport. Both ends run the same stack: IP over PPP over PPPoE over Ethernet over the physical layer; the transport in between relays at its own physical layer.]


How Does PPPoE Discovery Work?


There are four steps in the PPPoE discovery stage. The illustration shows
how the discovery stage works.

Session Initiation
1. The host sends a PPPoE Active Discovery Initiation (PADI) packet with
a broadcast destination Ethernet address. The PADI packet includes
the service that the host is requesting.
2. One or more access concentrators may reply with a PPPoE Active
Discovery Offer (PADO) packet containing one or more services that it
offers. The server replies directly to the client by using the client's MAC
address as the destination Ethernet address.
3. Because the host may receive more than one PADO, it looks through
the PADO packets it receives and chooses one. The choice can be based
on the access concentrator name or the services offered. The host then
sends a PPPoE Active Discovery Request (PADR) to the access
concentrator that it has chosen, along with the service it is requesting.
4. When the access concentrator receives the PADR packet, it generates a
unique session identifier for the PPPoE session and replies to the host
with a PPPoE Active Discovery Session-confirmation (PADS) packet.
The PADS contains the session identifier and the service name.
After the discovery stage is completed, the PPP session stage begins with
the peers exchanging LCP and NCP configuration information.

Session Termination
The PPPoE session may be terminated by either peer by sending a PPPoE
Active Discovery Terminate (PADT) packet.
The access concentrator may terminate the session based on an inactivity
timer, so as not to leave the session open indefinitely. Using inactivity
timers enables oversubscription of subscribers on the access concentrator.
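The four-step exchange described above, worked as code. This is an added example written for this edition, not code from the course or from Cisco: it implements the RFC 2516 packet layout (Ethertype 0x8863 for discovery, 0x8864 for the session stage, the 6-byte header, the TLV tags) and simulates both the host and the access concentrator in one process. The MAC addresses, AC name, service name and Host-Uniq value are made up. Besides the happy path it shows the checks a host should make before trusting a PADO: the offer must be addressed to the host and must echo the Host-Uniq the host sent, because a PADI is a broadcast and any station on the segment can answer it. It also carries the MTU arithmetic from the protocol stack section into the session-stage framing.

```python
"""Build and parse the PPPoE discovery exchange of RFC 2516.

Added example, not course or Cisco code: MAC addresses, AC name, service name
and Host-Uniq value are constructed for illustration.
"""
import struct

ETH_P_PPPOE_DISC = 0x8863   # Ethertype of the discovery stage
ETH_P_PPPOE_SESS = 0x8864   # Ethertype of the PPP session stage
BROADCAST = b"\xff" * 6
VER_TYPE = 0x11             # VER = 1, TYPE = 1
# CODE values (RFC 2516, section 5) and TAG_TYPE values (appendix A)
PADI, PADO, PADR, PADS, PADT = 0x09, 0x07, 0x19, 0x65, 0xA7
TAG_END, TAG_SERVICE_NAME, TAG_AC_NAME, TAG_HOST_UNIQ = 0x0000, 0x0101, 0x0102, 0x0103
PPPOE_HDR = struct.Struct("!BBHH")   # VER/TYPE, CODE, SESSION_ID, LENGTH


def build_frame(dst, src, code, session_id, tags):
    """Return an Ethernet frame carrying one PPPoE discovery packet."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    hdr = PPPOE_HDR.pack(VER_TYPE, code, session_id, len(payload))
    return dst + src + struct.pack("!H", ETH_P_PPPOE_DISC) + hdr + payload


def parse_frame(frame):
    """Parse a discovery frame into (dst, src, code, session_id, [(tag, value), ...]).

    Raises ValueError for anything that is not a well-formed RFC 2516 discovery packet.
    """
    if len(frame) < 14 + PPPOE_HDR.size:
        raise ValueError("frame too short")
    dst, src = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_PPPOE_DISC:
        raise ValueError("not a PPPoE discovery frame")
    vt, code, session_id, length = PPPOE_HDR.unpack_from(frame, 14)
    payload = frame[14 + PPPOE_HDR.size:]
    if vt != VER_TYPE or len(payload) < length:
        raise ValueError("bad VER/TYPE or truncated payload")
    # SESSION_ID stays zero until the AC assigns one in PADS.
    if code in (PADI, PADO, PADR) and session_id != 0:
        raise ValueError("non-zero SESSION_ID in discovery packet")
    tags, off = [], 0
    while off + 4 <= length:
        tag, tlen = struct.unpack_from("!HH", payload, off)
        off += 4
        if tag == TAG_END:
            break
        if off + tlen > length:
            raise ValueError("tag overruns payload")   # malformed TLV from the wire
        tags.append((tag, payload[off:off + tlen]))
        off += tlen
    return dst, src, code, session_id, tags


def tag_value(tags, wanted):
    return next((v for t, v in tags if t == wanted), None)


def run_discovery(host_mac, ac_mac, ac_name, service, host_uniq, session_id):
    """Simulate both sides of the four-step discovery; return the assigned session id."""
    # 1. Host broadcasts PADI; Host-Uniq lets it recognise replies to this request.
    padi = build_frame(BROADCAST, host_mac, PADI, 0,
                       [(TAG_SERVICE_NAME, service), (TAG_HOST_UNIQ, host_uniq)])
    _, src, _, _, tags = parse_frame(padi)
    # 2. AC answers unicast with PADO: AC-Name, the service, and Host-Uniq echoed.
    pado = build_frame(src, ac_mac, PADO, 0,
                       [(TAG_AC_NAME, ac_name), (TAG_SERVICE_NAME, service),
                        (TAG_HOST_UNIQ, tag_value(tags, TAG_HOST_UNIQ))])
    dst, ac, code, _, tags = parse_frame(pado)
    # Any station on the segment can answer a PADI: accept only a PADO that is
    # addressed to us and echoes our Host-Uniq (RFC 2516, appendix A, Host-Uniq).
    if dst != host_mac or code != PADO or tag_value(tags, TAG_HOST_UNIQ) != host_uniq:
        raise ValueError("PADO does not answer our PADI")
    # 3. Host picks this AC (by AC-Name or service) and sends PADR unicast to it.
    padr = build_frame(ac, host_mac, PADR, 0,
                       [(TAG_SERVICE_NAME, service), (TAG_HOST_UNIQ, host_uniq)])
    _, src, _, _, _ = parse_frame(padr)
    # 4. AC allocates a non-zero session id and confirms it in PADS.
    pads = build_frame(src, ac_mac, PADS, session_id, [(TAG_SERVICE_NAME, service)])
    _, _, code, sid, _ = parse_frame(pads)
    if code != PADS or sid == 0:
        raise ValueError("PADS did not carry a session id")
    return sid


def max_ppp_payload(link_mtu=1500):
    """Largest PPP information field: link MTU minus the 6-byte PPPoE header
    and the 2-byte PPP protocol field, i.e. 1492 on standard Ethernet."""
    return link_mtu - PPPOE_HDR.size - 2


def session_frame(dst, src, session_id, ppp_protocol, ppp_payload, link_mtu=1500):
    """Wrap a PPP packet for the session stage (Ethertype 0x8864), enforcing the MTU."""
    if len(ppp_payload) > max_ppp_payload(link_mtu):
        raise ValueError("PPP payload exceeds %d bytes" % max_ppp_payload(link_mtu))
    ppp = struct.pack("!H", ppp_protocol) + ppp_payload
    return (dst + src + struct.pack("!H", ETH_P_PPPOE_SESS)
            + PPPOE_HDR.pack(VER_TYPE, 0x00, session_id, len(ppp)) + ppp)
```

Calling run_discovery(host, ac, b"BRAS-1", b"", b"\x12\x34\x56\x78", 1) with two made-up MAC addresses walks the PADI, PADO, PADR, PADS sequence and returns the session id 1; session_frame then produces the Ethernet frame for an LCP packet in that session and refuses any PPP payload longer than max_ppp_payload(), which is 1492 on a 1500-byte link.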


How Does PPPoE Discovery Work? (figure)

[Figure: host and aggregator across an ATM or Ethernet transport.]

PPPoE discovery stage:
1. Host sends PADI
2. Aggregator replies with PADO
3. Host selects an aggregator and sends PADR to it
4. Aggregator generates a session ID and replies with PADS

The PPP session stage follows.


PPPoEoA with PTA Protocol Stack


The illustration shows termination of the PPPoEoA session at the NAS and
the protocols used to transport the PPP session and user data.

CPE Encapsulation
The drawing shows the combination protocol stack used by the PC and the
xDSL Termination Unit-Remote (xTU-R). The PC takes the upper layer
protocol data and encapsulates it in the PPP, PPPoE, and 802.3 headers,
and then forwards it to the xTU-R. The xTU-R then provides the ATM
related services and layers to exchange ATM cells with the aggregation
device, including RFC 1483, ATM adaptation layer 5 (AAL5), ATM, and
physical layer functions.

PPP
The PPP layer performs user AAA. User identification with PPP
termination and aggregation (PTA) is based on the username that the user
provides during login. The aggregator terminates the PPP session and
performs AAA functions locally or using a RADIUS server.


PPPoEoA with PTA Protocol Stack (figure)

[Figure: PC/xTU-R at the customer premises, PVC, DSLAM, aggregator (PTA), L3 core, ISP/corporate router in the NSP/corporate network.
 PC/xTU-R stack: IP, PPP, PPPoE, 802.3, RFC 1483, AAL5, ATM, PHY.
 DSLAM: ATM, PHY (cell relay only).
 Aggregator: PPP, PPPoE, 802.3, RFC 1483, AAL5, ATM, PHY toward the DSLAM; IP over ATM, FR, etc. and PHY toward the core.
 ISP/corporate router: IP over ATM, FR, etc. and PHY.
 The PPPoEoA session ends at the aggregator; IP is routed from there.]
PPPoEoA with PTA Protocol Stack (continued)


RFC 1483
The RFC 1483 standard describes two encapsulation methods for
multiplexing and transporting data link and network layer protocols over
AAL5 over ATM:

- Multiple protocols multiplexed over a single ATM virtual connection
  (LLC encapsulation)
- Each protocol carried over a separate ATM virtual connection
  (VC multiplexing)

For the first method, additional headers are included to identify the
protocol data unit (PDU). A common implementation is to include the
3-byte logical link control (LLC) and 5-byte Subnetwork Access Protocol
(SNAP) header to identify the bridged or routed PDU that follows.
With virtual connection (VC) multiplexing, each unique bridged or routed
protocol is carried over a unique VC.
______________________________ Note __________________________
It is important that you understand the two multiplexing methods. You
must choose one of the two when you configure the VC. The method you
choose must match at both ends of the VC. The VC in this illustration
is the PVC; the encapsulation aal5snap command in the configurations
later in this module selects LLC/SNAP encapsulation on it.
_____________________________________________________________

AAL5
ATM Adaptation Layer 5 (AAL5) is a common means of encapsulating
connectionless PDUs. An 8-byte trailer is added to the PDU, and the PDU
is padded so that PDU plus trailer fill a whole number of 48-byte cell
payloads.

ATM and PHY

The AAL5-encapsulated PDU is segmented into 48-byte payloads that
make up the 53-byte ATM cells. The physical layer then transports the
cells.
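To make the RFC 1483 and AAL5 layers concrete, here is an added example (not part of the course and not Cisco code) that wraps a constructed Ethernet frame as an LLC/SNAP bridged PDU, pads it and appends the 8-byte AAL5 trailer, cuts the result into 48-byte cell payloads behind a UNI cell header, and reverses the process while checking the CRC-32 and the Length field. The Ethernet frame, the VPI/VCI values (chosen to match pvc 1/32 in the configurations later in this module) and the MSB-first CRC-32 arithmetic are assumptions stated in the code; the HEC octet is left as zero because the physical layer computes it.

```python
"""RFC 1483 LLC/SNAP encapsulation, AAL5 framing and ATM cell segmentation.

Added example, not course or Cisco code. The Ethernet frame, VPI/VCI values
and the CRC bit-ordering convention are assumptions noted inline.
"""
import struct

LLC_SNAP = b"\xaa\xaa\x03"            # LLC DSAP, SSAP, control for SNAP
OUI_8021 = b"\x00\x80\xc2"            # bridged PDUs (IEEE 802.1 OUI)
OUI_ZERO = b"\x00\x00\x00"            # routed PDUs: PID is an Ethertype
PID_BRIDGED_ETH_NOFCS = b"\x00\x07"   # bridged 802.3 frame, FCS not preserved
ETHERTYPE_IP = b"\x08\x00"
CELL_PAYLOAD = 48
AAL5_TRAILER = 8                      # CPCS-UU, CPI, Length, CRC-32


def crc32_aal5(data):
    """CRC-32, polynomial 0x04C11DB7, all-ones preset, complemented result.
    Assumption: MSB-first bit order as bytes go onto the ATM link; the
    LSB-first zlib.crc32 used for the Ethernet FCS yields a different value."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte << 24
        for _ in range(8):
            crc = ((crc << 1) ^ 0x04C11DB7) if crc & 0x80000000 else crc << 1
            crc &= 0xFFFFFFFF
    return crc ^ 0xFFFFFFFF


def llc_snap_bridged(eth_frame):
    """Bridged PDU: LLC/SNAP, OUI 00-80-C2, PID 00-07, two pad octets, then the frame."""
    return LLC_SNAP + OUI_8021 + PID_BRIDGED_ETH_NOFCS + b"\x00\x00" + eth_frame


def llc_snap_routed(ip_packet):
    """Routed PDU: LLC/SNAP, OUI 00-00-00, PID = Ethertype 0x0800, then the packet."""
    return LLC_SNAP + OUI_ZERO + ETHERTYPE_IP + ip_packet


def classify_pdu(pdu):
    """'bridged', 'routed', or 'vc-mux' (no LLC header: the VC implies the protocol)."""
    if pdu[:3] != LLC_SNAP:
        return "vc-mux"
    if pdu[3:6] == OUI_8021:
        return "bridged"
    if pdu[3:6] == OUI_ZERO:
        return "routed"
    raise ValueError("unknown SNAP OUI")


def aal5_encapsulate(pdu, uu=0, cpi=0):
    """Pad so that PDU + trailer is a multiple of 48 octets, then add the trailer."""
    pad_len = (-(len(pdu) + AAL5_TRAILER)) % CELL_PAYLOAD
    body = pdu + b"\x00" * pad_len + struct.pack("!BBH", uu, cpi, len(pdu))
    return body + struct.pack("!I", crc32_aal5(body))


def aal5_decapsulate(cpcs_pdu):
    """Verify CRC-32 and the Length field before handing the PDU up the stack."""
    if len(cpcs_pdu) % CELL_PAYLOAD or len(cpcs_pdu) < AAL5_TRAILER:
        raise ValueError("CPCS-PDU is not a whole number of cells")
    body, crc = cpcs_pdu[:-4], struct.unpack("!I", cpcs_pdu[-4:])[0]
    if crc32_aal5(body) != crc:
        raise ValueError("AAL5 CRC mismatch")
    _uu, _cpi, length = struct.unpack("!BBH", body[-4:])
    if length > len(body) - 4:
        raise ValueError("Length field exceeds PDU")   # never trust it unchecked
    return body[:length]


def segment(cpcs_pdu, vpi, vci):
    """Cut into 53-octet UNI cells; PTI bit 0 (AUU) set on the last cell of the PDU."""
    cells, n = [], len(cpcs_pdu) // CELL_PAYLOAD
    for i in range(n):
        pti = 1 if i == n - 1 else 0
        # UNI header: GFC(4) VPI(8) VCI(16) PTI(3) CLP(1), then HEC(8) left as 0 here.
        hdr = (vpi << 20) | (vci << 4) | (pti << 1)
        cells.append(struct.pack("!IB", hdr, 0) + cpcs_pdu[i * CELL_PAYLOAD:(i + 1) * CELL_PAYLOAD])
    return cells


def reassemble(cells):
    """Concatenate payloads up to and including the cell with AUU = 1."""
    out = b""
    for cell in cells:
        out += cell[5:]
        if (struct.unpack("!I", cell[:4])[0] >> 1) & 1:
            break
    return out


# Constructed input: the Ethernet frame of a PPPoE PADI (broadcast, Ethertype 0x8863).
SAMPLE_ETH = b"\xff" * 6 + bytes.fromhex("0200000000a1") + b"\x88\x63" + b"\x11\x09\x00\x00\x00\x00"


def round_trip(eth_frame=SAMPLE_ETH, vpi=1, vci=32):
    """Encapsulate, segment, reassemble, decapsulate; return (cell count, kind, intact)."""
    pdu = llc_snap_bridged(eth_frame)
    cells = segment(aal5_encapsulate(pdu), vpi, vci)
    back = aal5_decapsulate(reassemble(cells))
    return len(cells), classify_pdu(back), back == pdu
```

round_trip() on the 20-byte sample frame gives (1, "bridged", True): the 30-byte bridged PDU plus trailer needs 10 pad octets to fill a single cell. A 100-byte routed IP packet becomes a 108-byte PDU and three cells. The Length field in the trailer is checked against the actual PDU size before it is used to slice, which is the kind of check a reassembly path must make on cells received from a subscriber line.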


PPPoEoA with Tunneling Protocol Stack


The illustration shows termination of the PPP session at the NSP and
identifies the protocols used to transport the PPP session and user data.
Notice that the PPPoE encapsulation is terminated at the aggregation
device, while the PPP session itself continues through the tunnel to the NSP.

CPE Encapsulation
The PC and xTU-R perform the same functions when the PPP session is
tunneled to the NSP as they do when the session terminates on the
aggregation device with PTA. The tunnel is transparent to the CPE and
subscriber.

PPP
The PPP layer performs user AAA. User identification with tunneling is
based on the username@domainname that the user provides during login.

Tunnel Protocol
If the request from the subscriber is in the form of
username@domainname, the aggregation server will try to create a tunnel
to the destination, if a tunnel does not already exist. After the tunnel is
created, the aggregation server forwards the PPP requests from the
subscriber to the destination. The destination authenticates the user,
typically using a RADIUS server. If the request from the subscriber does
not include the domain name, the user is authenticated by the local
database.
L2TP and remote access to Multiprotocol Label Switching (MPLS) Virtual
Private Network (VPN) are two examples of tunneling protocols used in
this scenario.


PPPoEoA with Tunneling Protocol Stack (figure)

[Figure: PC/xTU-R at the customer premises, PVC, DSLAM, aggregator (LAC), tunnel across the L3 core, LNS router in the NSP/corporate network.
 PC/xTU-R stack: IP, PPP, PPPoE, 802.3, RFC 1483, AAL5, ATM, PHY.
 DSLAM: ATM, PHY.
 Aggregator (LAC): PPPoE, 802.3, RFC 1483, AAL5, ATM, PHY toward the DSLAM; PPP carried inside the tunnel protocol over IP over ATM, FR, etc. and PHY toward the core.
 LNS: IP, PPP, tunnel protocol, IP over ATM, FR, etc., PHY.
 The PPPoE encapsulation ends at the LAC; the PPP session ends at the LNS.]


How Does PPPoE Work with PTA?


The illustration shows the process by which the host and aggregation
server authenticate the user and assign an address to the subscriber
equipment.
______________________________ Note __________________________
These steps occur after the PPPoE discovery process is completed.
_____________________________________________________________
1. The host sends the authentication request to the aggregation device.
The request contains the username that the user provided.
2. The PPP session initiated by the subscriber is terminated at the service
provider, which authenticates the user using either a local database on
the router or RADIUS servers.
3. After the user is authenticated, IP Control Protocol (IPCP) negotiation
takes place and the IP address is assigned to the host. After the IP
address has been assigned, a host route is established both on the host
and on the aggregation router.
4. The IP address allocated to the subscriber, if it is a public (routable)
address, is advertised to the edge router. The edge router is the gateway
through which the subscriber can access the Internet. If the IP address is
private, the service provider translates it before advertising it to the
edge router.


How Does PPPoE Work with PTA? (figure)

[Figure: CPE, DSLAM, PTA aggregator with an AAA server, core, ISP1.com; PPPoEoA on the access side and an IP route toward ISP1.com. The PPPoE discovery stage precedes the steps below.]

1. Host initiates the PPP session with a username
2. Subscriber authenticated by the local router or by a RADIUS server
3. IP address allocated to the host using IPCP negotiation
4. User can access the service


How Does PPPoE Work with Tunneling?


The illustration shows the process that takes place from the host to the
service provider to authenticate the user and assign an address to the host.
______________________________ Note __________________________
These steps occur after the PPPoE discovery process is completed.
_____________________________________________________________
1. The host sends the authentication request to the aggregation device.
The request contains the username@domainname that the user
provided.
2. The L2TP Access Concentrator (LAC) authenticates the incoming
session, based on the domain name.
3. The aggregation server creates a tunnel to the destination, if a tunnel
does not already exist. After the tunnel is created, the aggregation
server forwards the PPP requests from the subscriber to the
destination service.
4. The destination service authenticates the user using either a local
database on the router or through RADIUS servers.
5. After the user is authenticated, IPCP negotiation takes place and the
IP address is assigned to the host. After the IP address has been
assigned, a host route is established both on the host and at the service
provider.
6. The user can now access services at the destination.


How Does PPPoE Work with Tunneling? (figure)

[Figure: CPE, DSLAM, LAC with an AAA server, tunnel across the core, ISP1.com with its own AAA server; PPPoEoA on the access side. The PPPoE discovery stage precedes the steps below.]

1. Host initiates the PPP session with username@domainname
2. Domain name authenticated by the local router or by a RADIUS server
3. PPP session tunneled to the LNS
4. Username authenticated by the local router or by a RADIUS server
5. IP address allocated to the CPE using IPCP negotiation
6. User can access the service


PPPoE IP Address Management


In PPPoE architecture, IP address allocation for the subscriber's host uses
IPCP negotiation, the same principle as PPP in dial-up mode.

How Are Addresses Assigned?

The IP address is allocated by using one of the following:

- A locally defined pool on the aggregation or service provider router
- A DHCP server
- A RADIUS server

Although not commonly used, the ISP may provide a set of static IP
addresses to the subscriber and not assign IP addresses dynamically
when the subscriber initiates the PPP session. In this scenario, the service
provider uses the RADIUS server only to authenticate the user.

Who Assigns Addresses?

IP addresses are allocated according to the type of service a subscriber
uses.

- If the subscriber session is terminated at the NAS and the user data is
  routed from there, then the aggregation device assigns the address.
- If the subscriber session is terminated at the NSP, then the NSP
  generally assigns the address to the subscriber CPE.


PPPoE IP Address Management (figure)

[Figure: CPE, DSLAM, NAP (LAC), core, NSP (LNS). Both the NAP and the NSP have RADIUS, DHCP and a local IP pool (192.168.1.1 through 192.168.1.4 shown) as address sources.]

- Assigned during the IPCP phase
- Dynamic allocation done using a local pool, DHCP, or RADIUS
- Assigned by the NAP if using PTA
- Assigned by the NSP if using tunneling


PPPoEoA Configuration
Three essential elements of creating subscriber connections on the
aggregation router for PPPoE sessions are creating a virtual private
dial-up network (VPDN) group, creating an ATM subinterface with a PVC,
and creating a virtual access interface to which this PVC connects. The
user session is then terminated on the virtual access interface.

Virtual Access Interface Definitions

You do not actually define a virtual access interface but instead a virtual
template interface, which is referenced by the VPDN group. When the
subscriber PPP request is received on the ATM subinterface, the virtual
template interface is used to clone a virtual access interface.
The following describe the elements of virtual access interfaces.

Virtual access interface: an instance of a unique virtual interface that is
created dynamically and exists temporarily. Virtual access interfaces can
be created and configured differently by different applications, such as
virtual profiles and virtual private dial-up networks.

Virtual template interface: a generic configuration of an interface for a
certain purpose or configuration common to certain users, plus
router-dependent information. The template takes the form of a list of
Cisco IOS interface commands to be applied to a virtual access interface as
needed.

Cloning: the process of creating and configuring a virtual access interface
by applying a specific virtual template interface. The template is the
source of the generic user information and router-dependent information.
The result of cloning is a virtual access interface configured with all the
commands in the template.

Virtual profile: unique virtual access interfaces are created dynamically
when certain users call in and are torn down dynamically when the call
disconnects. A specific user's virtual profile can be configured by a virtual
template interface, by a user-specific interface configuration stored on an
AAA server, or by both a virtual template interface and user-specific
interface configuration from AAA.


PPPoEoA Configuration (figure)

[Figure: PPPoE sessions arrive on PVCs of an ATM interface and are handed to the VPDN group, which creates a virtual access interface by cloning the virtual template interface; one virtual access interface per session (1 through 5 shown).]

- PPPoE sessions use the VPDN group and virtual access interfaces
- Virtual access interfaces are created from the virtual template interface


PPPoEoA Configuration (continued)


VPDN Group
A VPDN group is configured for accepting PPPoE sessions as dial-in
requests. This group has a pointer to the virtual template interface. When
a PPPoE request is received on the ATM subinterface, the request is
forwarded to this VPDN group.
______________________________ Note __________________________
BBA groups, a recent addition to Cisco IOS software, may be used
instead of a VPDN group. BBA groups are presented in the
optimization module.
_____________________________________________________________


PPPoEoA Configuration (continued)


The illustration shows the topology for the example Cisco IOS
configurations on the aggregation router that follow in this module.
The configuration examples on the following pages show use of the
following:

- A local database of usernames
- A local IP address pool
- An external DHCP server

Other ways that PPPoEoA can be configured on the aggregation router
include the following:

- Using RADIUS to authenticate users
- Using RADIUS to allocate IP addresses to CPEs
- Using static addressing on the CPE
- Using point-to-point ATM subinterfaces (not recommended)

______________________________ Note __________________________
Multipoint interfaces are preferred over point-to-point interfaces
because they conserve system resources.
_____________________________________________________________


PPPoEoA Configuration (continued) (figure)

[Figure: three hosts behind CPEs with IP addresses 192.168.1.2, 192.168.1.3 and 192.168.1.4, each using gateway 192.168.1.1, connected through the DSLAM to the aggregation device and on to the core. 192.168.1.1 is the Loopback0 address used in the configurations that follow.]


PPPoEoA Configuration (continued)


PPPoEoA IOS Config Local Pool
Complete the following general steps on the Cisco aggregation router to
support PPPoEoA using a local IP address pool that the router uses to
allocate IP addresses to subscriber CPEs.
1. Define a username and password that subscriber CPEs use for PPP
authentication.
______________________________ Note __________________________
If a RADIUS server is used for user authentication, omit step 1.
A username entered with password 0 is stored in cleartext in the
configuration. CHAP requires the router (or the RADIUS server) to hold
the cleartext secret, so a one-way hashed username secret cannot be used
for CHAP; protect the configuration and its backups accordingly.
_____________________________________________________________
2. Create a loopback interface with an IP address in the range of
addresses assigned to the subscribers.
3. Create an IP local pool with a range of addresses that the router uses to
allocate to subscriber CPEs.
4. Create a virtual template interface with a numerical identifier.
5. On the virtual template interface, assign an IP unnumbered association
to the loopback interface.
6. On the virtual template interface, create a peer default IP address
association to the IP local pool that you created earlier.
7. On the virtual template interface, indicate the type of PPP
authentication that is used for the subscribers.
8. Enable VPDN.
9. Create a VPDN group with a name identifier.
10. On the VPDN group, use the accept-dialin command to accept
incoming calls.
11. On the VPDN group accept-dialin mode, indicate that the tunneling
protocol to be used is PPPoE.
12. On the VPDN group accept-dialin mode, indicate the virtual template
to be used for cloning virtual access interfaces.
13. Create a multipoint ATM subinterface.
14. On the ATM subinterface, add a PVC.
15. On the PVC, indicate the AAL5 encapsulation type SNAP.
16. On the PVC, indicate the protocol used for this connection.

PPPoEoA IOS Config Local Pool

The step numbers from the procedure above appear as "! step N" comments.

! step 1: local username database (omit if RADIUS authenticates users)
username p1user1 password 0 user1
username p1user2 password 0 user2
username p1user3 password 0 user3
!
! steps 8-12: enable VPDN and accept PPPoE sessions into Virtual-Template1
vpdn enable
!
vpdn-group PPPoE
 accept-dialin
  protocol pppoe
  virtual-template 1
!
! step 2: loopback holding the gateway address of the subscriber subnet
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
! steps 13-16: multipoint ATM subinterface with one PVC per subscriber
interface ATM8/0/0.132 multipoint
 pvc 1/32
  encapsulation aal5snap
  protocol pppoe
 pvc 1/33
  encapsulation aal5snap
  protocol pppoe
!
! steps 4-7: template cloned into a virtual access interface per session
interface Virtual-Template1
 ip unnumbered Loopback0
 peer default ip address pool PPPoEpool
 ppp authentication chap
!
! step 3: pool from which subscriber addresses are allocated
ip local pool PPPoEpool 192.168.1.2 192.168.1.254


PPPoEoA Configuration (continued)


PPPoEoA IOS Config DHCP
Complete the following general steps on the Cisco aggregation router to
support PPPoEoA using an external DHCP server that the router uses to
allocate IP addresses to subscriber CPEs.
1. Define a username and password that subscriber CPEs use for PPP
authentication.
______________________________ Note __________________________
If a RADIUS server is used for user authentication, omit step 1.
_____________________________________________________________
2. Create a loopback interface with an IP address in the range of
addresses assigned to the subscribers.
3. Create a virtual template interface with a numerical identifier.
4. On the virtual template interface, assign an IP unnumbered association
to the loopback interface.
5. On the virtual template interface, use the ip helper-address
command to point to the IP address of the DHCP server.
6. On the virtual template interface, indicate the type of PPP
authentication that is used for the subscribers.
7. Enable VPDN.
8. Create a VPDN group with a name identifier.
9. On the VPDN group, use the accept-dialin command to accept
incoming calls.
10. On the VPDN group accept-dialin mode, indicate that the tunneling
protocol to be used is PPPoE.
11. On the VPDN group accept-dialin mode, indicate the virtual template
used for cloning virtual access interfaces.
12. Create a multipoint ATM subinterface.
13. On the subinterface, add a PVC.
14. On the PVC, indicate the AAL5 encapsulation type SNAP.
15. On the PVC, indicate the protocol used for this connection.


PPPoEoA IOS Config DHCP
(Step numbers refer to the procedure above.)

! Step 1
username p1user1 password 0 user1
username p1user2 password 0 user2
username p1user3 password 0 user3
!
! Step 7
vpdn enable
!
! Steps 8 to 11
vpdn-group PPPoE
 accept-dialin
  protocol pppoe
  virtual-template 1
!
! Step 2
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
! Steps 12 to 15
interface ATM8/0/0.132 multipoint
 pvc 1/32
  encapsulation aal5snap
  protocol pppoe
 pvc 1/33
  encapsulation aal5snap
  protocol pppoe
!
! Steps 3 to 6
interface Virtual-Template1
 ip unnumbered Loopback0
 ip helper-address 52.20.10.100
 ppp authentication chap


PPPoEoA Configuration (continued)


Additional PPPoEoA Configuration Considerations
You should consider the following Cisco IOS configurations when
implementing PPPoE.
Denial-of-service attacks

To circumvent denial-of-service attacks from subscriber PCs, you can limit
the number of PPPoE sessions on a per-MAC and/or per-VC basis.
1. On the VPDN group, limit the number of PPPoE sessions that can be
sourced from a single MAC address.
2. On the VPDN group, limit the number of PPPoE sessions that can be
permitted on each VC.
MTU Consideration

PPPoE along with PPP uses 8 bytes of the Ethernet payload; therefore, you
may need to limit the MTU size of the PDU.
3. On the virtual template interface, set the size of the MTU to 1492.
Or
4. On the virtual template interface, set the interface to adapt to the
peer's MTU. This assumes that the peers set their MTU to 1492 or less.


Additional PPPoEoA Configuration Considerations
(Step numbers refer to the procedure above; step 3 and step 4 are alternatives.)

vpdn-group PPPoE
 accept-dialin
  protocol pppoe
  virtual-template 1
 ! Step 1
 pppoe limit per-mac 1
 ! Step 2
 pppoe limit per-vc 1
!
interface Virtual-Template1
 ip unnumbered Loopback0
 ! Step 3
 ip mtu 1492
 peer default ip address pool PPPoEpool
 ! Step 4
 ppp mtu adaptive
 ppp authentication chap
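The per-MAC and per-VC limits are admission-control counters on the PADR (session request) path. The following Python model is an added example, not Cisco IOS code: it reproduces that check for a stream of PADRs so the effect of the limit values can be tried offline; the MAC addresses, PVC names, and session ids are constructed sample data.

```python
"""PPPoE session admission modelled on the VPDN group commands
`pppoe limit per-mac` and `pppoe limit per-vc` (added example, not
Cisco IOS code).  A PADR is admitted only while both counters are
below their configured limits; a PADT releases the session again."""
from collections import Counter
from typing import Dict, List, Optional, Tuple


class PppoeSessionLimiter:
    """Count active PPPoE sessions per subscriber MAC and per ATM PVC."""

    def __init__(self, per_mac: int, per_vc: int) -> None:
        self.per_mac = per_mac
        self.per_vc = per_vc
        self.sessions: Dict[int, Tuple[str, str]] = {}  # id -> (mac, pvc)
        self.mac_count: Counter = Counter()
        self.vc_count: Counter = Counter()
        self.rejected: List[Tuple[str, str, str]] = []  # (mac, pvc, limit)
        self._next_id = 1

    def padr(self, mac: str, pvc: str) -> Optional[int]:
        """Admit or refuse a PADR (session request) from `mac` on `pvc`.

        Returns the new session id, or None when a limit has already been
        reached.  Refusals are kept with the limit that triggered them, which
        is what an operator wants when hunting a misbehaving client."""
        if self.mac_count[mac] >= self.per_mac:
            self.rejected.append((mac, pvc, "per-mac"))
            return None
        if self.vc_count[pvc] >= self.per_vc:
            self.rejected.append((mac, pvc, "per-vc"))
            return None
        sid = self._next_id
        self._next_id += 1
        self.sessions[sid] = (mac, pvc)
        self.mac_count[mac] += 1
        self.vc_count[pvc] += 1
        return sid

    def padt(self, sid: int) -> None:
        """Release a session on PADT so its MAC and PVC slots are free again."""
        mac, pvc = self.sessions.pop(sid)
        self.mac_count[mac] -= 1
        self.vc_count[pvc] -= 1


def replay(limiter: PppoeSessionLimiter,
           requests: List[Tuple[str, str]]) -> Dict[str, Tuple[int, int]]:
    """Feed PADRs through the limiter; return {pvc: (admitted, refused)}."""
    stats: Dict[str, List[int]] = {}
    for mac, pvc in requests:
        counts = stats.setdefault(pvc, [0, 0])
        counts[0 if limiter.padr(mac, pvc) is not None else 1] += 1
    return {pvc: (c[0], c[1]) for pvc, c in stats.items()}


def slide_scenario() -> Dict[str, Tuple[int, int]]:
    """Constructed traffic against the slide's values (per-mac 1, per-vc 1):
    one PC on PVC 1/32 sends PADR five times, and two PCs behind a single
    bridged CPE share PVC 1/33.  The second case shows the trade-off: a
    per-vc limit of 1 also refuses a legitimate second host on that PVC, so
    the value must cover the number of hosts expected behind one CPE."""
    limiter = PppoeSessionLimiter(per_mac=1, per_vc=1)
    retries = [("00:11:22:33:44:55", "1/32")] * 5
    shared_cpe = [("00:11:22:33:44:66", "1/33"), ("00:11:22:33:44:77", "1/33")]
    return replay(limiter, retries + shared_cpe)


if __name__ == "__main__":
    print(slide_scenario())  # {'1/32': (1, 4), '1/33': (1, 1)}
```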


PPPoE Advantages and Disadvantages


The following is a list of advantages and disadvantages of PPPoE.

Advantages

- Per-session authentication based on PAP or CHAP. This is the greatest
  advantage of PPPoE because authentication overcomes the security hole
  in a bridging architecture.
- Per-session accounting is possible, which allows the service provider
  to charge the subscriber on the basis of session time for various
  services offered. Per-session accounting enables a service provider to
  offer a minimum access level for minimal charge and then charge
  subscribers for additional services used.
- PPPoE can be used on existing CPE installations that cannot be
  upgraded to PPP or that cannot run PPPoA; use of PPPoE extends the PPP
  session over the bridged Ethernet LAN to the PC.
- PPPoE preserves the point-to-point session used by ISPs in the current
  dial-up model. PPPoE is the only protocol capable of running
  point-to-point sessions over Ethernet without requiring an intermediate
  IP stack.
- Multiple hosts (PCs) at a subscriber location can access multiple
  destinations at a given time. There can be multiple PPPoE sessions per
  PVC.
- NAPs and NSPs provide secure access to corporate gateways without
  managing end-to-end PVCs, using Layer 3 routing or L2TP tunnels. Hence,
  they can scale their business models for selling wholesale services.
- Troubleshooting individual subscribers. The NSP can easily identify
  which subscribers are on or off, based on active PPP sessions, rather
  than troubleshooting entire groups as is the case when a bridging
  architecture is used.
- The NSP can oversubscribe by deploying idle and session timeouts using
  an industry-standard RADIUS server for each subscriber.
- Highly scalable by terminating a very high number of PPP sessions on an
  aggregation router. Authentication, authorization, and accounting can
  be handled for each user by using external RADIUS servers.
- Optimal use of features on the SSG.


PPPoE Advantages and Disadvantages

Advantages
- Per-session authentication based on PAP or CHAP
- Multiple host access to differing destinations from a CPE
- Per-session accounting is possible
- PPPoE can be used on existing bridged CPEs
- Preserves point-to-point dialup model of ISPs
- NAPs and NSPs provide access without managing end-to-end PVCs
- Troubleshooting individual subscribers
- NSP can oversubscribe
- Highly scalable using external RADIUS
- Enables use of SSG


PPPoE Advantages and Disadvantages (continued)


Disadvantages

- PPPoE client software needs to be installed on hosts connected to
  Ethernet segments.
- Because the PPPoE implementation uses RFC 1483 bridging, it is
  susceptible to broadcast storms and possible denial-of-service attacks.
- The service provider needs to maintain a database of usernames and
  passwords for all subscribers. If tunnels or proxy services are used,
  then the authentication can be done on the basis of the domain name,
  and the user authentication is done at the corporate gateway. This
  reduces the size of the database that the service provider has to
  maintain.


PPPoE Advantages and Disadvantages (continued)

Disadvantages
- Requires PPPoE client software on PC
- Service provider needs to maintain a database of usernames and
  passwords for all subscribers
- Susceptible to broadcast storms


PPPoEoE and PPPoEo802.1q


Description
Cisco routers allow the tunneling and termination of PPP sessions over
Ethernet links. The PPPoE over Ethernet interface (PPPoEoE) feature
enables the Cisco router to tunnel and terminate Ethernet PPP sessions
over Ethernet links. The PPPoE over IEEE 802.1Q (PPPoEo802.1q) feature
enables the router to tunnel and terminate Ethernet PPP sessions across
VLAN links.

Usage
PPPoEoE and PPPoEo802.1q are used as an alternative to PPPoEoA. This
is a solution in metro Ethernet deployments when users need to be
connected to service providers and PPP authentication is important.

Operation
PPPoEoE and PPPoEo802.1q function similarly to PPPoEoA.
With PPPoEoE and PPPoEo802.1q, multiple hosts on shared Ethernet
segments establish PPP sessions using a PPPoE software adapter as they
would in a PPPoEoA environment.
The connection between the client and server routers is an Ethernet or
VLAN link with PPPoE enabled on the link. Consequently, PPPoE sessions
initiated by the hosts are forwarded over the PPPoE-enabled link, and they
terminate at the aggregation router. The PPP session may be terminated
at the aggregation router or may be tunneled to an LNS router.
The frame-level encapsulation on the PPPoE-enabled link is standard
Ethernet framing with PPPoEoE, or Ethernet with VLAN information with
PPPoEo802.1q.


PPPoEoE and PPPoEo802.1q

[Figure: a CPE connects over PPPoE-enabled Ethernet links (Ethernet
transport) to an aggregation device; the PPP session is either routed
(IP route) to ISP1.com or carried by a tunnel across the core to ISP2.com,
with an AAA server attached to the aggregation device.]

- Enhances PPPoE architectures by providing direct connections to
  Ethernet interfaces
- Common in metro Ethernet deployments
- ATM is no longer used in the access network


PPPoEoE and PPPoEo802.1q Configuration


PPPoEoE and PPPoEo802.1q are configured similarly to PPPoEoA on the
aggregation router. The differences are highlighted on the illustration.

PPPoEoE
To enable PPPoEoE on the aggregation router, you enable PPPoE on the
Ethernet interface that connects directly or indirectly to the CPE router.

PPPoEo802.1q
To enable PPPoEo802.1q on the aggregation router, you enable PPPoE on
the Ethernet subinterface that has the VLAN over which hosts connect to
the aggregation router.
The VLAN type must be IEEE 802.1q.
______________________________ Note __________________________
Cisco routers support PPPoEoE and PPPoEo802.1q on Ethernet, Fast
Ethernet, and Gigabit Ethernet interfaces.
_____________________________________________________________


PPPoEoE and PPPoEo802.1q Configuration

username p1user1 password 0 user1
!
vpdn enable
!
vpdn-group PPPoE
 accept-dialin
  protocol pppoe
  virtual-template 1
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
! PPPoEoE: PPPoE enabled on the Ethernet interface
interface GigabitEthernet2/0/0
 ip address 172.16.12.12 255.255.255.0
 pppoe enable
!
! PPPoEo802.1q: PPPoE enabled on the 802.1Q VLAN subinterface
interface FastEthernet2/1/0
 ip address 172.17.1.12 255.255.255.0
!
interface FastEthernet2/1/0.1
 encapsulation dot1Q 2
 pppoe enable
!
interface Virtual-Template1
 ip unnumbered Loopback0
 peer default ip address pool PPPoEpool
 ppp authentication chap
!
ip local pool PPPoEpool 192.168.1.2 192.168.1.254


Summary
PPPoE
In this module, you learned the following:

- The typical architecture and benefits of PPPoE, including being able
  to support subscriber AAA services
- The protocol stack elements associated with PPPoE and how PPPoE works
  in both a PTA and tunneling environment
- The various methods that may be used to allocate IP addresses,
  including static, local pool, DHCP, RADIUS, NAT, and IP subnet
  negotiation
- Configuration of PPPoE on Cisco routers using the local pool and DHCP
- The advantages and disadvantages of PPPoE

Review Questions
PPPoE
1. At what two locations are PPPoE sessions terminated?
a. _____________________________________
b. _____________________________________
2. With PPPoE, which device in the network usually initiates the PPP
session?
a. Subscriber host
b. Subscriber CPE
c. DSLAM
d. Aggregation router
e. NSP's router
3. When using PPPoE with PTA, which two devices terminate the PPP
session?
_______________________________________________________________
4. When using PPPoE with tunneling, which two devices terminate the
PPP session?
_______________________________________________________________
5. List the four messages types that are exchanged between the host and
aggregation device during PPPoE discovery.
a. ______________________
b. ______________________
c. ______________________
d. ______________________
6. Put the following events in the correct order in which they would occur
when a PPP session is used with PTA after PPPoE discovery is
completed. Use numbers to indicate the correct order.
a. The NAP's aggregation device or RADIUS server authenticates the
subscriber.
b. The subscriber host initiates the PPP session.
c. The NAP's aggregation device, RADIUS server, or DHCP server
allocates an IP address to the host.
d. The user data is routed to the service destination.

7. Put the following events in the correct order in which they would occur
when PPP is used with tunneling after PPPoE discovery is completed.
Use numbers to indicate the correct order.
a. The NAP's aggregation device or RADIUS server authenticates the
subscriber's domain name.
b. The subscriber host initiates the PPP session.
c. The NSP's aggregation device, RADIUS server, or DHCP server
allocates an IP address to the host.
d. The PPP session is tunneled from the NAP router to the NSP router.
e. The NSP's aggregation device or RADIUS server authenticates the
subscriber's domain and user names.
f. The user data is routed to the service destination.
8. List the four methods that IP addresses can be allocated to the
subscriber host.
a. _________________________________
b. _________________________________
c. _________________________________
9. Which of the following is not a characteristic of virtual access
interfaces?
a. Virtual access interfaces are cloned from parameters configured on
a virtual template interface.
b. Once created, virtual access interfaces are created permanently.
c. With PPPoE, a session is bound to a virtual access interface.
d. With PPPoE, the virtual access interface is created when the PPP
session is initiated.
10. Which of the following are preferred ways to configure the aggregation
router for PPPoEoA? Choose two.
a. Using unnumbered loopback interfaces with virtual access
interfaces
b. Using multipoint ATM interfaces
c. Using point-to-point ATM interfaces
d. Configuring the username database on the router, especially when
many unique subscriber names are required


11. Which of the following are true statements about PPPoE? Choose four.
a. Users can be authenticated using PAP or CHAP.
b. Each subscriber connected to the CPE can be authenticated
individually.
c. High scaling can be achieved using RADIUS for AAA services.
d. PPPoE is limited to one user host per CPE.
e. Service providers need to maintain a database of user names when
PPP sessions are terminated at the aggregation router.
f. Oversubscription is not possible with PPPoE.

Module 5
Cisco Aggregation Optimization Features

Overview
Description
In this module you will learn how to utilize features of the Cisco router
that help optimize broadband aggregation functions. These features are
designed to minimize Cisco IOS configuration and improve router
performance.

Objectives
After completing this module, you will be able to do the following:

- Describe methods to minimize ATM PVC provisioning and use appropriate
  Cisco IOS configuration commands to implement the methods
- Use Cisco IOS commands to optimize PPPoA and PPPoE configurations and
  performance
- Describe autosense PPPoX encapsulation and use appropriate commands to
  configure it
- Describe and configure PPPoE profiles


Optimization Features Introduction


Cisco IOS software implements several features that optimize the
deployment of broadband aggregation. These features improve router
configuration and performance.
These features include the following:

- Methods for minimizing router provisioning
- Autosense PPPoX encapsulation (PPPoX refers to either PPP over ATM
  or Ethernet)
- PPP over Ethernet (PPPoE) profiles


Optimization Features Introduction

- Features that optimize router configuration and performance
  - Methods for minimizing ATM PVC provisioning
  - Autosense PPPoX encapsulation
  - PPPoE profiles


Minimizing ATM PVC Provisioning


With Cisco IOS, you may use several methods to minimize the provisioning
of ATM permanent virtual connections (PVCs), including the following:

- PVC range
- Virtual connection (VC) class
- ATM PVC autoprovisioning

The methods may be used independently or together. Using them together
may provide better results.
The benefits of using these features include

- Smaller configuration files
- Faster bootup time
- Fewer provisioning errors
- Improved troubleshooting


Minimizing ATM PVC Provisioning

Methods for minimizing ATM PVC provisioning include:
- PVC range
- VC class
- ATM PVC autoprovisioning


PVC Range
Description
In a digital subscriber line (DSL) environment, many applications require
the configuration of a large number of ATM PVCs. The ATM PVC Range
and Routed Bridge Encapsulation (RBE) Subinterface Grouping feature
lets you group a number of PVCs into a PVC range in order to configure
them all at once.
The benefits of using this feature are

- Saving time. Configuring a range of PVCs is faster than configuring
  each PVC individually.
- Saving NVRAM. A range of PVCs takes up less NVRAM on network
  service routers than a large number of individually configured PVCs.
- Speeding router bootup. The parser can parse one configuration
  command instead of many, thus speeding bootup.

Use with PPPoX and RBE Applications
For applications that use multipoint subinterfaces, such as PPPoE and
PPPoA, the PVC range is on a single multipoint subinterface. For
applications that use point-to-point subinterfaces, such as RBE, a
point-to-point subinterface is created for each PVC in the range.


PVC Range

[Figure: subinterface atm1/0/0.1 carries one PVC range; the individual
VCs in the range (1/32 through 1/37) appear as PVCs 1/32, 1/33, 1/34,
1/35, 1/36, and 1/37, each serving PPPoA, PPPoE, or RBE.]

- Configure range of PVCs on ATM multipoint and point-to-point
  subinterface
- Minimize configuration file and provisioning
- Reduce system boot time


PVC Range (continued)


Defining the Range
You use the range pvc <starting vpi/starting vci> <ending
vpi/ending vci> command to create the PVC range.
A PVC range is defined by two VPI-VCI pairs. The two virtual path
identifiers (VPIs) define a VPI range, and the two virtual channel
identifiers (VCIs) define a VCI range. The number of PVCs in the PVC
range equals the number of VPIs in the VPI range multiplied by the
number of VCIs in the VCI range.
The example in the illustration shows use of the range pvc command, the
number of VCs created, and a portion of the ATM VC table.
After you define the PVC range, you can configure the range by using the
existing interface-ATM-VC configuration commands that are also
supported in PVC range configuration mode.

Managing Individual VCs in a Range


The ATM PVC Range and Routed Bridge Encapsulation Subinterface
Grouping feature incorporates the pvc-in-range command, which allows
you to explicitly configure an individual PVC within the defined range of
PVCs on a multipoint subinterface. You can use the shutdown command on
a PVC-in-range to deactivate an individual PVC within a PVC range.
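To make the counting rule and the pvc-in-range membership test concrete, the following Python helpers (an added example, not Cisco code) expand a range pvc statement the way the text describes. The subinterface name and the `show atm vc`-style columns are constructed to match the illustration that follows, not captured router output.

```python
"""Expand a `range pvc <start vpi/vci> <end vpi/vci>` statement into the
PVCs it provisions (added example, not Cisco IOS code).  VCD numbering
follows the illustration's table: VPI-major, so every VCI of the first VPI
is listed before the next VPI.  The table rows are a constructed rendering,
not router output."""
import re
from typing import List, Tuple

PvcId = Tuple[int, int]  # (vpi, vci)


def parse_vpi_vci(text: str) -> PvcId:
    """Parse 'vpi/vci' into an (int, int) pair; anything else is rejected."""
    match = re.fullmatch(r"\s*(\d+)/(\d+)\s*", text)
    if not match:
        raise ValueError(f"bad VPI/VCI pair: {text!r}")
    return int(match.group(1)), int(match.group(2))


def parse_range_command(line: str) -> Tuple[PvcId, PvcId]:
    """Parse a configuration line such as 'range pvc 1/100 2/199'."""
    match = re.fullmatch(r"\s*range\s+pvc\s+(\S+)\s+(\S+)\s*", line)
    if not match:
        raise ValueError(f"not a range pvc command: {line!r}")
    start, end = parse_vpi_vci(match.group(1)), parse_vpi_vci(match.group(2))
    if end[0] < start[0] or end[1] < start[1]:
        raise ValueError("ending VPI/VCI must not be below the starting VPI/VCI")
    return start, end


def range_size(start: PvcId, end: PvcId) -> int:
    """Number of PVCs = (# of VPIs in the VPI range) * (# of VCIs in the VCI range)."""
    return (end[0] - start[0] + 1) * (end[1] - start[1] + 1)


def expand_range(start: PvcId, end: PvcId) -> List[PvcId]:
    """Every (vpi, vci) pair in the range, in VCD order (VCD = index + 1)."""
    return [(vpi, vci)
            for vpi in range(start[0], end[0] + 1)
            for vci in range(start[1], end[1] + 1)]


def in_range(pvc: PvcId, start: PvcId, end: PvcId) -> bool:
    """True when `pvc-in-range` may name this PVC: both its VPI and its VCI
    must lie inside the respective sub-ranges.  A pair such as 1/250 sits
    between 1/100 and 2/199 if the two end points are read as one ordered
    sequence, but it is NOT part of the range because 250 is outside the
    VCI range 100..199."""
    return start[0] <= pvc[0] <= end[0] and start[1] <= pvc[1] <= end[1]


def vc_table(line: str, subif: str = "3/0/0.432", limit: int = 3) -> List[str]:
    """Render the first `limit` rows the way the slide's VC table lays them
    out (Interface, VCD, VPI, VCI, Type, Encaps, SC, Sts)."""
    start, end = parse_range_command(line)
    rows = []
    for vcd, (vpi, vci) in enumerate(expand_range(start, end), start=1):
        if vcd > limit:
            break
        rows.append(f"{subif:<10} {vcd:>4} {vpi:>4} {vci:>5}  PVC  MUX  UBR  UP")
    return rows


if __name__ == "__main__":
    s, e = parse_range_command("range pvc 1/100 2/199")
    print(range_size(s, e))  # 200
    print("\n".join(vc_table("range pvc 1/100 2/199")))
```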


PVC Range (continued)

Command: range pvc 1/100 2/199
Result = (# of VPI) * (# of VCI): 2 * 100 = 200 Active VCs

Interface   VCD  Name  VPI  VCI  Type  Encaps  SC   Sts
3/0/0.432   1          1    100  PVC   MUX     UBR  UP
3/0/0.432   2          1    101  PVC   MUX     UBR  UP
...
3/0/0.432   99         1    199  PVC   MUX     UBR  UP
3/0/0.432   100        2    100  PVC   MUX     UBR  UP
3/0/0.432   101        2    101  PVC   MUX     UBR  UP
...
3/0/0.432   199        2    199  PVC   MUX     UBR  UP


PVC Range (continued)


PVC Range Configuration
The illustration shows three examples of usage of PVC range.

Example 1 PPPoX
This is an example of using PVC range on a multipoint interface for PPPoA
or PPPoE. You perform the following steps:
1. Create a multipoint ATM subinterface.
2. Add a PVC range that includes the starting VPI/VCI and ending
VPI/VCI pairs for the range of PVCs.
3. Define the encapsulation method and any other parameters that apply
to the PVC range.

Example 2 PPPoX
This is an example of using PVC range on a multipoint interface for PPPoA
or PPPoE, along with a pvc-in-range command to manage an individual
PVC. You perform the following steps:
1. Create a multipoint ATM subinterface.
2. Add a PVC range that includes the starting VPI/VCI and ending
VPI/VCI pairs for the range of PVCs.
3. Define the encapsulation method and any other parameters that apply
to the PVC range.
4. Add the PVC in the range of PVCs that you wish to take different
parameters from the rest of the range.
5. Add the appropriate parameters for the individual PVC.
______________________________ Note __________________________
The shutdown command can be used to deactivate the range or specific
PVC in a PVC range without deleting the configuration.
_____________________________________________________________


PVC Range Configuration
(Step numbers refer to the procedures in the text.)

Example 1 PPPoX

! Step 1
interface atm8/0/0.132 multipoint
 ! Step 2
 range pvc 1/32 1/4095
  ! Step 3
  encapsulation aal5mux ppp virtual-template1

Example 2 PPPoX

! Step 1
interface atm8/0/0.232 multipoint
 ! Step 2
 range pvc 2/32 2/4095
  ! Step 3
  encapsulation aal5snap
  protocol pppoe
 ! Step 4
 pvc-in-range 2/100
  ! Step 5
  shutdown

Example 3 RBE

! Step 1
interface atm8/0/0.300 point-to-point
 ip unnumbered loopback 1
 atm route-bridged ip
 ! Step 2
 range pvc 3/100 3/199
  ! Step 3
  encapsulation aal5snap


PVC Range (continued)


PVC Range Configuration
Example 3 RBE

This is an example of using PVC range on a point-to-point interface for


RBE. You perform the following steps:
1. Create a point-to-point ATM subinterface.
2. Add a PVC range that includes the starting VPI/VCI and ending
VPI/VCI pairs for the range of PVCs.
3. Define the encapsulation method and any other parameters that apply
to the PVC range.
______________________________ Note __________________________
You cannot explicitly configure the individual point-to-point
subinterfaces created by the PVC range on a point-to-point
subinterface. All the point-to-point subinterfaces in the range share the
same configuration as the subinterface on which the PVC range is
configured.
_____________________________________________________________


VC Class
Description
A VC class is a set of preconfigured VC parameters that you configure and
apply to a particular VC or ATM interface. You may apply a VC class to an
ATM main interface, subinterface, PVC range, PVC, or SVC. For example,
you can create a VC class that contains VC parameter configurations that
you will apply to a particular PVC or SVC. You might create another VC
class that contains VC parameter configurations that you will apply to all
VCs configured on a particular ATM main interface or subinterface.

VC Class Parameters
The following parameters may be configured on a VC class.

- Constant bit rate (cbr command)
- Unspecified bit rate (ubr command)
- UBR and a minimum guaranteed rate (ubr+ command)
- Variable bit rate-nonreal time (vbr-nrt command)
- Cell delay variation tolerance (cdvt command)
- VC auto-creation type (create command)
- Dynamic bandwidth selection (dbs command)
- Encapsulation type (encapsulation command)
- Idle-timeout (idle-timeout command)
- Integrated Local Management Interface (ILMI) (ilmi command)
- Inverse ARP broadcasts and protocol selection (protocol command)
- Inverse ARP time period (inarp command)
- Broadcast forwarding (broadcast command)
- OAM management parameters (oam command)
- OAM management on a PVC (oam-pvc command)
- PPPoE options (pppoe command)
- Queue depth high and low watermarks (queue-depth command)
- Transmit priority for the VC (transmit-priority command)


VC Class

[Figure: without a VC class, every PVC under the ATM interface or
subinterface repeats its own encapsulation and QoS parameters; with a VC
class, "vc-class atm bronze" holds the encapsulation and QoS parameters
once and each PVC under the interface applies "class bronze".]

- Set of preconfigured VC parameters
- Class associated with VC or ATM interface
- Specify QoS, encapsulation, and bandwidth parameters


VC Class (continued)
VC Class Configuration
The illustration shows the configuration of a VC class.
Step 1 and Step 2 show the configuration of the VC class. Step 3, Step 4,
and Step 5 show the application of the class to an ATM subinterface, PVC
range, and PVC-in-range, respectively.
1. Create an ATM VC class and assign a name to the class. The names
used in this example reflect the subscription services.
2. Define the parameters that apply to the class.
3. To assign the class to an interface, use the class-int vc-class-name
command.
4. To assign the class to a PVC range, use the class-range vc-class-name
command.
5. To assign the class to a PVC-in-range, use the class-vc vc-class-name
command.


VC Class Configuration
(Step numbers refer to the procedure in the text.)

! Step 1
vc-class atm bronze
 ! Step 2
 encapsulation aal5mux ppp virtual-template1
 ubr 1000
!
! Step 1
vc-class atm silver
 ! Step 2
 encapsulation aal5mux ppp virtual-template2
 ubr 2000
!
! Step 1
vc-class atm gold
 ! Step 2
 encapsulation aal5mux ppp virtual-template2
 ubr 3000
!
interface atm8/0/0.132 multipoint
 range pvc 1/32 1/4095
  ! Step 4
  class-range bronze
  pvc-in-range 1/100
   ! Step 5
   class-vc silver
!
interface atm8/0/0.232 multipoint
 ! Step 3
 class-int gold
 pvc 2/32
 pvc 2/95


ATM PVC Autoprovisioning


Description
With the rapid growth in broadband customers, service providers need to
provision service for subscribers in the most efficient and accurate way
possible. The ATM PVC Autoprovisioning feature automates the
configuration of a large number of ATM PVCs in DSL service provider
networks using the PPPoA, PPPoE, and RBE protocols.
By using this feature, DSL wholesale service providers can use a local
configuration to dynamically provision ATM service for subscribers.

Operation
Incoming traffic on the VPI/VCI pair triggers virtual circuit (VC) creation.
The Cisco router does not create the on-demand VC until incoming traffic
arrives. For example:

- If you configure an ATM interface by using the shutdown or no
  shutdown interface command, the on-demand VCs configured on the
  interface remain in the inactive state until the first incoming packet
  arrives on the VC, triggering VC creation.
- If you reload the Cisco 10000 router, the router does not establish the
  on-demand VCs until incoming traffic triggers VC creation.

______________________________ Note __________________________
With PPPoX, two Link Control Protocol (LCP) attempts are necessary
to establish the PPP session because the first attempt creates the VC.
_____________________________________________________________

ATM Interface Oversubscription


The Cisco 10000 router lets you create more on-demand PVCs than the
chassis allows to be active simultaneously. For example, the router chassis
allows a total of 61,500 PVCs to be up at the same time, even though you
can configure more than 61,500 on-demand PVCs on the chassis. In
actuality, you can configure up to 32,000 PVCs on each line card. If you
install ATM line cards in 6 of the 8 available slots in the chassis, you can
configure up to 128,000 on-demand PVCs instead of the chassis limit of
61,500 PVCs.
When an ATM interface is oversubscribed, you can use the idle-timeout
command on the ATM interface to dynamically bring down on-demand
PVCs. If you use CLI commands to explicitly configure a PVC, the router
brings the PVC to the inactive state when the idle-timeout timer expires.


ATM PVC Autoprovisioning

[Figure: subinterface atm1/0/0.1 carries a PVC range; only the VCs that
have seen incoming traffic (1/32, 1/34, 1/35, 1/37) exist as PVCs, each
serving PPPoA, PPPoE, or RBE.]

- PVCs created automatically as needed
- Permits overallocation of VCs


ATM PVC Autoprovisioning (continued)


ATM PVC Autoprovisioning Configuration
The illustration shows two examples of autoprovisioning. On-demand
PVCs may be created directly on an individual PVC, a PVC range, or a
specific PVC within a PVC range. You may also create on-demand PVCs by
using a VC class.

Autoprovisioning on a PVC, PVC range, or PVC in range
Perform the following steps to create on-demand PVCs directly on a PVC,
PVC range, or PVC-in-range:
1. Create a PVC, PVC range, or PVC-in-range on the ATM subinterface.
2. Apply the create on-demand command to the PVC or PVC range.
3. (Optional) Apply the idle-timeout command. The first value specifies
the timeout in seconds and the second value specifies the minimum
traffic in kilobits per second. The default is no timeout.
4. (Optional) Use the atm autovc retry command to change the interval
at which a router will repeat the attempt to create autoprovisioned
PVCs after an initial attempt fails. The default is 1 minute. Use this
command when using the full VC capacity of the router, line card, or
interface to allow subscribers to connect.

Autoprovisioning on a VC Class
Perform the following steps to create on-demand PVCs by using a VC class:
1. Create a VC class.
2. Apply the create on-demand command to the VC class.
3. (Optional) Apply the idle-timeout command. The first value specifies
the timeout in seconds and the second value specifies the minimum
traffic in kilobits per second. The default is no timeout.
4. Add a PVC or PVC range to an ATM subinterface.
5. Apply the VC class to the PVC or PVC range.
6. (Optional) Use the atm autovc retry command to change the interval
at which a router will repeat the attempt to create autoprovisioned
PVCs after an initial attempt fails. The default is 1 minute.


ATM PVC Autoprovisioning Configuration
(Step numbers refer to the procedures in the text.)

Autoprovisioning on a PVC, PVC range, or PVC-in-range

!
interface atm8/0/0.132 multipoint
 ! Step 4
 atm autovc retry 2
 ! Step 1
 range pvc 1/32 2/4095
  encapsulation aal5mux ppp virtual-template1
  ! Step 2
  create on-demand
  ! Step 3
  idle-timeout 300 10

Autoprovisioning on a VC class

!
! Step 1
vc-class atm auto-pvc
 encapsulation aal5mux ppp virtual-template1
 ! Step 2
 create on-demand
 ! Step 3
 idle-timeout 300 10
!
interface atm8/0/0.132 multipoint
 ! Step 6
 atm autovc retry 2
 ! Step 4
 range pvc 1/32 2/4095
  ! Step 5
  class-range auto-pvc


Autosense PPPoX Encapsulation


Description
PPPoA/PPPoE autosense enables a router to distinguish between incoming
PPP over ATM (PPPoA) and PPP over Ethernet (PPPoE) over ATM
sessions and to create virtual access interfaces on demand for both PPP
types. This feature is supported on MUX- and SNAP-encapsulated ATM PVCs.
The feature enables the PVC encapsulation type to be autosensed by the
router. The router determines the encapsulation type of a PVC by looking
at the encapsulation type of the first incoming packet. If the PVC
encapsulation type is changed while the PPPoA or PPPoE session on the
network access server (NAS) is still up, the incoming packet is dropped, the
encapsulation type is reset to autosense, and all sessions are removed from
the PVC. The next incoming packet determines the new encapsulation type
of the PVC.

Benefits
The feature provides resource allocation on demand. When PVCs are
configured for PPPoA or PPPoE, certain resources (including one
virtual-access interface) are allocated, regardless of the presence of a
PPPoA or PPPoE session on the PVC. With this feature, resources are
allocated for PPPoA and PPPoE sessions only when a client initiates a
session, thus reducing overhead on the network access server (NAS).
This feature also saves configuration time by eliminating the need to
specify the encapsulation type when provisioning ATM PVCs and by
eliminating the need to manually provision ATM PVCs each time the
encapsulation type changes.

Restrictions

- Do not use this feature on a router that initiates PPPoA sessions.
- This feature supports ATM PVCs. Switched virtual circuits (SVCs) are
  not supported.
- PPPoA does not support static IP assignments within virtual
  templates.

Autosense PPPoX Encapsulation

[Figure: a PVC range carrying both PPPoA and PPPoE PVCs; PPPoA sessions
terminate directly on Virtual Template 1, PPPoE sessions pass through
VPDN Group 2 to Virtual Template 2, yielding virtual-access interfaces
Vi1 to Vi4]

- Distinguishes between PPPoA and PPPoE sessions
- Works for SNAP and MUX encapsulation
- Functions on PVC, PVC range, or VC class
- Saves configuration time and overhead on NAS

Autosense PPPoX Encapsulation (continued)


Autosense PPPoX Encapsulation Configuration on PVC/PVC Range
The illustration shows the steps you perform to use PPPoX autosense on a
PVC, PVC range, or PVC-in-range.
1. Create the PVC or PVC range on the ATM subinterface.
2. Apply the encapsulation aal5autoppp command to the PVC or PVC
range. The virtual template value should point to the virtual template
interface that PPPoA sessions use.
3. Enable VPDN.
4. Create a VPDN group for PPPoE sessions. The virtual template value
should point to the virtual template interface that PPPoE sessions use.
5. Create virtual template interface(s) for PPPoA and PPPoE sessions.

Autosense PPPoX Encapsulation Configuration on PVC/PVC Range

vpdn enable
!
vpdn-group 1
 accept-dialin
  protocol pppoe
  virtual-template 1
!
interface atm8/0/0.132 multipoint
 range pvc 1/32 1/4095
  encapsulation aal5autoppp Virtual-Template2
!
interface virtual-template 1
 ip unnumbered loopback 0
 ip mtu 1492
 ppp authentication chap
!
interface virtual-template 2
 ip unnumbered loopback 0
 ppp authentication chap

Autosense PPPoX Encapsulation (continued)


Autosense PPPoX Encapsulation Configuration on VC Class
The illustration shows the steps you perform to use PPPoX autosense on a
VC class.
1. Create the VC class.
2. Apply the encapsulation aal5autoppp command to the VC class. The
virtual template value should point to the virtual template interface
that PPPoA sessions use.
3. Create the PVC or PVC range on the ATM subinterface.
4. Attach the VC class to the PVC or PVC range (class-vc or class-range).
5. Enable VPDN.
6. Create a VPDN group for PPPoE sessions. The virtual template value
should point to the virtual template interface that PPPoE sessions use.
7. Create virtual template interface(s) for PPPoA and PPPoE sessions.

Autosense PPPoX Encapsulation Configuration on VC Class

vpdn enable
!
vpdn-group 1
 accept-dialin
  protocol pppoe
  virtual-template 1
!
vc-class atm autoppp
 encapsulation aal5autoppp Virtual-Template2
!
interface atm8/0/0.132 multipoint
 range pvc 1/32 1/4095
  class-range autoppp
!
interface virtual-template 1
 ip unnumbered loopback 0
 ip mtu 1492
 ppp authentication chap
!
interface virtual-template 2
 ip unnumbered loopback 0
 ppp authentication chap

PPPoE Profiles
Description
PPPoE profiles contain configuration information for PPPoE sessions.
After a profile has been defined, it can be assigned to a PPPoE port
(Ethernet interface, VLAN, or PVC), a VC class, or an ATM PVC range.
PPPoE profiles can also be used for PPPoE sessions established by
PPPoA/PPPoE autosense.
Multiple PPPoE profiles can be created, allowing different virtual
templates and other PPPoE configuration parameters to be assigned to
different Ethernet interfaces, VLANs, and ATM PVCs. A global PPPoE
profile can also be created to serve as the default profile for any port that
has not been assigned a specific PPPoE profile.

Benefits of PPPoE Profiles


Before this feature was introduced, PPPoE parameters were configured
within a VPDN group. Configuring PPPoE in a VPDN group limited
PPPoE configuration options because only one PPPoE VPDN group with
one virtual template is permitted on a device. The PPPoE Profiles feature
provides simplicity and flexibility in PPPoE configuration by separating
PPPoE configuration from VPDN configuration. The PPPoE Profiles
feature allows multiple PPPoE profiles, each with a different configuration,
to be used on a single device.

Limitations for PPPoE Profiles

- The PPPoE Profiles feature separates the configuration of PPPoE from
  the configuration of VPDN. The legacy method of configuring PPPoE in
  VPDN groups is still permitted, but you cannot configure PPPoE
  profiles and PPPoE in VPDN groups simultaneously.
- If a PPPoE profile is assigned to a PPPoE port (Ethernet interface,
  VLAN, or PVC), VC class, or ATM PVC range, and the profile has not
  yet been defined, the port, VC class, or range will not have any PPPoE
  parameters configured and will not use parameters from the global
  group.
- PPPoE session limits cannot be configured both in PPPoE profiles and
  directly on PPPoE ports simultaneously.

PPPoE Profiles

[Figure: a PVC range of PPPoE PVCs; PVCs served by BBA Group global use
Virtual Template 1 and PVCs served by BBA Group 1 use Virtual Template 2,
yielding virtual-access interfaces Vi1 to Vi4]

- VPDN group permits only one group for PPPoE
- BBA group allows multiple groups for PPPoE
- Applies to interfaces, PVC, PVC range, PVC-in-range, VC class, PPP autosense

PPPoE Profiles (continued)


PPPoE Profile Configuration
The graphic that follows shows the steps you perform to use PPPoE
profiles.
1. Create a global PPPoE profile using the bba-group pppoe global
command. This profile is used by ports that are not assigned to a
named profile.
2. Add the pointer to the virtual template interface for this profile.
3. Add appropriate PPPoE session parameters to the profile.
4. Create a named PPPoE profile using the bba-group pppoe name
command.
5. Add the pointer to the virtual template interface for this profile.
6. Add appropriate PPPoE session parameters to the profile.
7. Create virtual template interfaces with necessary parameters. The
example shows two virtual template interfaces using different local
address pools, a key feature of PPPoE profiles.
8. Create a VC class and apply the protocol pppoe command to the VC
class. The protocol pppoe command without any additional
parameters indicates that the PPPoE sessions will use the global
PPPoE profile.
9. On an ATM subinterface, PVC, or PVC range, attach the VC class
(class-int, class-vc, or class-range).
______________________________ Note __________________________
The protocol pppoe command may be used on the PVC or PVC range
directly rather than using a VC class.
_____________________________________________________________
10. On a PVC or PVC range, use the protocol pppoe group name
command to point to the named PPPoE profile. Alternatively, if you are
using PPPoX autosense encapsulation, add group name to the end of the
encapsulation aal5autoppp command. Omitting the group name causes the
PPPoE sessions to use the global profile.

PPPoE Profile Configuration

bba-group pppoe global
 virtual-template 1
 sessions per-vc limit 8
!
bba-group pppoe vpn1
 virtual-template 2
 sessions per-vc limit 2
!
vc-class atm class-pppoe-global
 encapsulation aal5snap
 protocol pppoe
!
interface ATM8/0/0.10 multipoint
 class-int class-pppoe-global
 pvc 0/100
!
interface atm8/0/0.20 multipoint
 range pvc 1/32 1/4095
  encapsulation aal5snap
  protocol pppoe group vpn1
! or, with PPPoX autosense in place of the two lines above:
!  encapsulation aal5autoppp virtual-template 3 group vpn1
!
interface virtual-template 1
 peer default ip address pool PPPoEpool1
!
interface virtual-template 2
 peer default ip address pool PPPoEpool2

Summary
Cisco Aggregation Optimization Features
In this module, you learned the following:

- How to use PVC range, VC class, and create on-demand PVC to
  minimize ATM PVC provisioning
- How to use PPPoX autosense to simplify PPPoA and PPPoE
  configurations
- How to use PPPoE profiles to allow versatile PPPoE implementations

Review Questions
Cisco Aggregation Optimization Features
1. You may use PVC range with which of the following access methods?
Choose three.
a. RBE
b. RFC 1483 routing
c. PPPoA
d. PPPoEoA
e. PPPoEoE
2. Give the command syntax for creating a PVC range for the following
VCs: 1/1 through 1/127, 2/1 through 2/127, and 3/1 through 3/127.
_________________________________________________________________
3. How would you temporarily shut down PVC 2/55 in the range from the
previous question?
_________________________________________________________________
4. What command enables PVCs to be autoprovisioned?
_________________________________________________________________
5. Using autosense of the encapsulation method permits distinguishing
between which of the following connection types?
a. PPPoA MUX and RBE SNAP
b. PPPoE MUX and RBE SNAP
c. PPPoA MUX and PPPoE MUX
d. PPPoA SNAP and PPPoE SNAP
e. PPPoA MUX and PPPoE SNAP
6. When using PPPoE profiles, users who do not get their profile from a
named BBA group get their profile from the ________________ group.

7. Which of the following are true with respect to using BBA groups?
Choose three.
a. BBA groups overcome the limitations of a single VPDN group.
b. BBA groups allow use of multiple virtual templates.
c. BBA groups may be used concurrently with a VPDN group used for
PPPoE.
d. PPPoA connections get their profile from the VPDN group.
e. Session limits may be configured on the BBA group.

Module 6
AAA Services

Overview
Description
This module provides an overview of how AAA services work on Cisco routers with an emphasis on
PPP authentication using default method lists in an ADSL broadband environment. Students perform
hands-on exercises to configure and verify RADIUS authentication services on a Cisco router.

Objectives
After completing this module, you will be able to do the following:

- Describe AAA concepts
- Describe RADIUS protocol concepts
- Configure AAA for PPP authentication and authorization on Cisco
  routers using default method lists
- Use Cisco IOS debug commands as an aid in troubleshooting AAA
  authentication problems
- View RADIUS log files as an aid in troubleshooting RADIUS
  authentication problems


Introduction to AAA
What Is It?
Authentication, authorization, and accounting (AAA) is an architectural
framework for configuring a set of three independent security and
management functions in a consistent manner. Adopting the AAA
framework ensures that all users are treated in a consistent manner when
they access the network. The AAA features provide for systematic access
security of sensitive network devices and services.

Increased Flexibility
By using a centralized AAA server, a network administrator can maintain
security in the network while allowing the flexibility and scalability for
adding and removing users, without having to change the configuration on
the peripheral devices (for example, the access server or router).

Standardized Authentication Methods


AAA uses standardized authentication methods such as RADIUS,
TACACS+, and Kerberos to administer its security functions. If the router
or access server is acting as a network access server (NAS), AAA handles
the communication between the NAS and the RADIUS, TACACS+, or
Kerberos server.

Highly Scalable and Multiple Backups


AAA allows specialized remote database servers (for example, an Oracle
DB Server) to be used for storing user profile and billing information. AAA
also allows multiple backup AAA servers.
______________________________ Note __________________________
For clarity, the terms user or subscriber are used interchangeably in
this module. The terms RADIUS server, TACACS+ server, Kerberos
server, AAA server and security server are used interchangeably. The
communications protocol that is used between a NAS and the security
server could be RADIUS, TACACS+, or Kerberos protocols.
_____________________________________________________________


Introduction to AAA

What is it?

- An architectural framework for consistently configuring
  three independent security and management functions
- Provides increased flexibility and control over security
- Uses standardized authentication methods
- Highly scalable
- Allows for multiple backups

Introduction to AAA (continued)


What does it provide?
AAA provides three major functions:

- Authentication requires users to prove that they really are who they
  say they are, by providing a username and password, exchanging
  challenge and response, using token cards, and other methods.
  Example: "I am user Bill and my password R2d2 verifies it."
- Authorization decides which resources users are allowed to access
  and which operations they are allowed to perform.
  Example: User Bill can access router P1R3 with Telnet.
- Accounting records what the users actually did, what they accessed,
  and how long they accessed it, for accounting and auditing purposes.
  Accounting keeps track of how network resources are used.
  Example: User Bill accessed router P1R3 with Telnet 10 times.

Introduction to AAA (continued)

What does it provide?

- A modular method of configuring the following security services:
  - Authentication
  - Authorization
  - Accounting

Introduction to AAA (continued)


How Does Cisco IOS Software Support AAA?
Within the Cisco IOS software, AAA can be configured on a per-line
(per-user) or per-service basis with fallback options.

- Lines: console, aux, tty, vty lines, ISDN and async interfaces
- Services: Point-to-Point Protocol (PPP), AppleTalk Remote Access
  Protocol (ARA), Novell Asynchronous Services Interface (NASI), Virtual
  Private Dialup Network (VPDN)

Introduction to AAA (continued)

How does Cisco IOS support AAA?

- Cisco IOS AAA support enables dynamic configuration of the type of
  authentication and authorization
- Per line (per user): console, aux, tty, vty, ISDN, async interfaces
- Per service with fallback options: PPP, ARA, NASI, VPDN

Authentication
What Is It?
Authentication is the process of validating the claimed identity of a user or
a device, such as a host, server, switch, router. Authentication is one of the
most important and difficult parts of network security. Different methods
are available which vary in the amount of secrecy and protection they offer:

- Usernames/passwords (static)
- Usernames/passwords (aging)
- One-time passwords (OTP)
- Token cards

What Does It Do?
Authentication methods check the validity of a user who wants to access
the network. Authentication may involve a challenge and response. If the
response is successful, the user is granted access. If the response fails, then
an appropriate message is sent back to the user. The data that is sent
between the user and the authenticating server may be encrypted to add
further security.

How Is It Used?
Authentication can be configured on a per-line or per-service basis.
Multiple authentication methods can be configured for each instance to
provide a fallback mechanism. Authentication profiles can be created for
different user groups, enabling flexibility and scalability in the network.
Authentication method lists can be created and then applied to specific
lines or interfaces.


Authentication

- Provides a method for identifying users and includes
  - Login and password dialog
  - Challenge and response
  - Messaging support
  - Encryption (protocol specific)
- Authentication identifies a user before granting access to the
  network or its services

"Who are you?" "I am user Bill and my password is R2D2"

Authorization
What Is It?
Authorization is the act of granting access rights to a user, groups of users,
a system, or a process. It specifies what level of privilege the user is
entitled to and what network resources he or she can use.

How Is It Used?
Authorization can be configured on a per-line or per-service basis.
Authorization can be configured so that different authorization profiles are
created. Each profile may have multiple authorization options, providing a
fallback mechanism. The fallback capability is achieved by creating
authorization method lists, and then applying these method lists to specific
lines or interfaces.
Cisco IOS software supports authorization not only for IP but also for
authorization requests from services using other protocols, such as IPX and
AppleTalk.
AAA authorization works by assembling a set of attributes that describe
what a user is authorized to perform. These attributes are compared to the
information contained in a database for the user, and the result is returned
to AAA to determine the user's capabilities and restrictions. The database
can be located on the local access server or router, or it can be hosted
remotely on a RADIUS or TACACS+ security server.
Remote security servers, such as RADIUS and TACACS+, authorize users
for specific rights by associating attribute-value (AV) pairs, which define
those rights, with the appropriate user.


Authorization

- Controls remote access to network services
  - One-time authorization
  - Per-service authorization
  - Account lists and profiles
  - User group support
  - IP, IPX, ARA and Telnet support
- Authorization defines a user's capabilities and restrictions
- Uses a set of attributes contained in the user's database record

"What can the user do? What can the user access?"
User Bill can access router P1R2 with Telnet

Accounting
What Is It?
Accounting establishes who, or what, performed a certain action, such as
tracking user connection and logging system users. This information is
required for billing, auditing, and reporting.
The information that is logged may include the user's identity, start and
stop times, commands issued, number of packets, number of bytes, and so
forth.

What Does It Do?
Accounting enables you to track the services that users are accessing and
the network resources they are consuming. When AAA accounting is
activated, the NAS reports user activity to the TACACS+ or RADIUS
security server (depending on which security method you have
implemented) in the form of accounting records. Each accounting record is
composed of accounting AV pairs and is stored on the access control server.
This data can then be analyzed for network management, client billing,
and/or auditing.
Accounting can also be configured on a per-line or per-service basis.
Accounting can be configured so that different accounting profiles are
created. Each profile may have multiple accounting options, providing a
fallback mechanism. The fallback mechanism is achieved by creating
accounting method lists, and then applying these method lists to specific
lines or interfaces.
______________________________ Note __________________________
RADIUS accounting features and implementation are beyond the scope
of this course and will not be covered.
_____________________________________________________________


Accounting

- Provides a method of collecting and sending security information
  - User identities
  - Start and stop times
  - Commands executed
  - Number of packets
  - Number of bytes
- Accounting information may be used for billing, auditing, and reporting
- Accounting enables tracking of services per user and the amount of
  consumed network resources

"What did the user do? For how long? How often?"
User Bill accessed router P1R2 with Telnet 10 times

AAA-Supported Protocols
Overview
The AAA standardized security protocols are as follows:

- Terminal Access Controller Access Control System Plus (TACACS+)
- Remote Authentication Dial-In User Service (RADIUS)
- Kerberos

Local and Remote Security Databases
Cisco networking products support AAA access control using either a local
security database or a remote security database. A local security database
runs in the NAS for a small group of network users. A remote security
database is a separate server running one of the AAA security protocols
listed above, providing AAA services for multiple network devices and
many network users.
Communication between the NAS and the remote server is through the
AAA protocol.
______________________________ Note __________________________
This module focuses strictly on the use of RADIUS as the security
protocol and Merit RADIUS as the AAA server.
_____________________________________________________________


AAA Supported Protocols

- AAA typically implements security functions using standardized
  security protocols:
  - TACACS+
  - RADIUS
  - Kerberos
- Implementation of these protocols typically requires an external
  security server
- NAS communicates with the security server using an AAA protocol

[Figure: NAS connected over IP to the Security Server]

RADIUS Attributes
Attribute-Value (AV) Pairs
AAA uses attribute-value (AV) pairs to maintain information such as
usernames, passwords, IP addresses, and port numbers.
Each AV pair consists of a type of identifier associated with one or more
assignable values.
AV pairs specified in user and group profiles define the authentication and
authorization characteristics for their respective users and groups.
RADIUS implements an array of AV pairs, each with separate type
definitions and characteristics.
Since RADIUS is a fully open protocol, distributed in source code format, it
can be modified to work with any security system currently available.
Many versions of RADIUS attributes are in use today. The IETF RADIUS
AV pair definitions are standards based. Some vendors have extended the
RADIUS attribute set in a unique way to support their products; their
implementations are referred to as vendor-specific attributes (VSAs).


RADIUS Attributes

- An attribute-value (AV) pair consists of a type of identifier which is
  associated with one or more assignable values
- AV pairs can be specified in user and group profiles
- AV pairs define authentication, authorization, and accounting
  characteristics for users and groups
- RADIUS implements an array of AV pairs
- VSAs are vendor-specific extensions to the RADIUS attribute sets that
  allow vendors to support their products in a unique way

RADIUS Attributes (continued)


IETF Attributes
The RADIUS Internet Engineering Task Force (IETF) attributes are the
original 255 standard attributes that are used to communicate AAA
information between a client and a server. Because the IETF attributes are
standard, the attribute data is predefined and well known; thus clients and
servers who exchange AAA information via IETF attributes must agree on
attribute data such as the exact meaning of the attributes and the general
bounds of the values for each attribute.

Vendor-Specific Attributes
RADIUS vendor-specific attributes (VSAs) are derived from one IETF
attribute: Vendor-Specific (attribute 26). Attribute 26 allows a vendor to
define up to 255 attributes of its own. That is, a vendor can create an
attribute that does not match the data of any IETF attribute and then
encapsulate it behind attribute 26, tagged with the vendor's IANA
enterprise number; the new attribute is carried by any NAS or server that
accepts attribute 26 and is interpreted only by those that know the
vendor's dictionary.
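As an added illustration of how attribute 26 carries a vendor's own attributes, the following Python encodes and decodes RADIUS attribute TLVs, including a Cisco cisco-avpair VSA. It is example code written for this page, not part of the course or of any Cisco or Merit software. It assumes only the RFC 2865 attribute layout; Vendor-Id 9 and vendor type 1 are Cisco's published numbers, and the av-pair strings are constructed sample data.

```python
"""RADIUS attribute TLVs and the Vendor-Specific attribute (type 26).

Added example for this section; not Cisco or Merit code. Layout per RFC 2865
section 5: Type (1 octet), Length (1 octet, counting Type and Length), Value
(at most 253 octets). Attribute 26 carries a 4-octet Vendor-Id whose high
octet is zero (the dictionary's "vendor" type) followed by Vendor-Type,
Vendor-Length and data. Vendor-Id 9 and vendor type 1 (cisco-avpair) are
Cisco's published numbers; the av-pair strings are constructed sample data.
"""
import struct

VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1
MAX_VALUE_LEN = 253            # 255 (one-octet Length) minus 2 header octets


def encode_attr(attr_type, value):
    """One IETF attribute. A value over 253 octets cannot be described by a
    one-octet Length, so it is rejected rather than silently truncated."""
    if not 0 <= attr_type <= 255:
        raise ValueError("attribute type out of range")
    if len(value) > MAX_VALUE_LEN:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_vsa(vendor_id, vendor_type, data):
    """Attribute 26 wrapping one vendor sub-attribute (RFC 2865 5.26 layout)."""
    if not 0 <= vendor_id < (1 << 24):
        raise ValueError("Vendor-Id must fit in three octets; high octet is zero")
    if len(data) > MAX_VALUE_LEN - 6:          # 4 Vendor-Id + 2 sub-header
        raise ValueError("VSA data too long for one attribute")
    sub = struct.pack("!BB", vendor_type, len(data) + 2) + data
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def _decode_vsa(value):
    """Expand the payload of attribute 26 into ("vsa", vendor_id, type, data)."""
    if len(value) < 6:
        raise ValueError("Vendor-Specific attribute too short")
    vendor_id = struct.unpack("!I", value[:4])[0]
    if vendor_id >> 24:
        raise ValueError("Vendor-Id high octet must be zero")
    subs, pos = [], 4
    while pos < len(value):
        if len(value) - pos < 2:
            raise ValueError("truncated vendor sub-attribute")
        vtype, vlen = value[pos], value[pos + 1]
        if vlen < 2 or pos + vlen > len(value):
            raise ValueError("bad vendor sub-attribute length %d" % vlen)
        subs.append(("vsa", vendor_id, vtype, value[pos + 2:pos + vlen]))
        pos += vlen
    return subs


def decode_attrs(blob):
    """Walk a run of TLVs: IETF attributes as (type, value), VSA contents as
    ("vsa", vendor_id, vendor_type, data). A truncated or undersized TLV
    raises instead of being skipped; a parser that resynchronises on a bad
    Length is how attribute-smuggling bugs start."""
    out, pos = [], 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        attr_type, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError("bad attribute length %d at offset %d" % (length, pos))
        value = blob[pos + 2:pos + length]
        out.extend(_decode_vsa(value) if attr_type == VENDOR_SPECIFIC else [(attr_type, value)])
        pos += length
    return out


def cisco_avpairs(items):
    """The cisco-avpair strings (Vendor-Id 9, type 1) from a decoded list."""
    return [it[3].decode("ascii") for it in items
            if it[0] == "vsa" and it[1:3] == (CISCO_VENDOR_ID, CISCO_AVPAIR)]


def sample_reply_attrs():
    """Constructed Access-Accept attribute run: User-Name (type 1) plus two
    Cisco per-user ACL av-pairs of the kind a users file on the following
    pages would return."""
    return (encode_attr(1, b"p1user1")
            + encode_vsa(CISCO_VENDOR_ID, CISCO_AVPAIR, b"ip:inacl#1=permit udp any any")
            + encode_vsa(CISCO_VENDOR_ID, CISCO_AVPAIR, b"ip:inacl#2=permit tcp any any"))


if __name__ == "__main__":
    blob = sample_reply_attrs()
    print(blob.hex())
    for item in decode_attrs(blob):
        print(item)
    print(cisco_avpairs(decode_attrs(blob)))
```

The decoder treats any TLV whose Length runs past the buffer, or is smaller than its own header, as a malformed packet and stops; it never guesses where the next attribute begins. The same rule is applied a second time to the sub-attributes inside attribute 26, which is the layer many early RADIUS parsers forgot to bounds-check.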

RADIUS Attributes (continued)

IETF Attributes
- Provides 255 standard attributes
- Used for client and server communications
- Attribute data predefined and well-known
- Clients and servers must agree on exact meaning

Vendor-Specific Attributes (VSAs)
- Derived from attribute 26 of the IETF attributes
- Using attribute 26, a vendor can create 255 VSAs
- VSAs are encapsulated behind attribute 26

RADIUS Files
Overview
Understanding the types of files used by RADIUS is important for
communicating AAA information from a client to a server. Each file defines
a level of authentication or authorization for the user:

- Dictionary file: defines which attributes the user's NAS can implement
- Clients file: defines which clients (NASs) are allowed to make requests
  to the RADIUS server
- Users file: defines which user requests the RADIUS server will
  authenticate based on security and configuration data


RADIUS Files

- Used to define levels of authentication or authorization for a user
- Dictionary File: defines which attributes the user's NAS can implement
- Clients File: defines which clients (NASs) are allowed to make requests
  to the RADIUS server
- Users File: defines which user requests the RADIUS server will
  authenticate based on security and configuration data

RADIUS Files (continued)


Dictionary File
A dictionary file provides a list of attributes that depend on which
attributes your NAS supports. However, you can add your own set of
attributes to your dictionary for custom solutions. The file defines attribute
values, thereby allowing you to interpret attribute output such as parsing
requests. A dictionary file contains the following information:

- Name: the ASCII string name of the attribute, such as User-Name.
- ID: the numerical name of the attribute; for example, the User-Name
  attribute is attribute 1.
- Value type: each attribute is specified as one of the following value
  types:
  - string: 0 to 253 octets
  - octets: 0 to 253 undistinguished octets (experimental, for display
    only)
  - vendor: octet #0 is zero, then three octets of IANA enterprise
    number, then the rest
  - tag-int: single octet followed by three octets of integer value
  - tag-str: single octet followed by 0 to 252 octets
  - tag-encstr: single octet followed by two salt octets followed by 16 to
    240 encrypted octets
  - abinary: 0 to 254 Ascend binary filter octets
  - ipaddr: 4 octets in network byte order
  - integer: 32-bit value in big endian order (high-order byte first)
  - octet: 8-bit unsigned integer value
  - short: 16-bit unsigned integer value
  - date: 32-bit value in big endian order, the number of seconds since
    00:00:00 GMT, Jan. 1, 1970

A sample dictionary is shown below. It includes integer-based attributes
and corresponding values.


Dictionary File

#
# default strings ATTRIBUTE and VALUE.
#
ATTRIBUTE   User-Name        1   string      # comment
ATTRIBUTE   User-Password    2   string
ATTRIBUTE   CHAP-Password    3   string
ATTRIBUTE   NAS-IP-Address   4   ipaddr
ATTRIBUTE   NAS-Port         5   integer
ATTRIBUTE   Service-Type     6   integer (1, 0)
#
# dictionary sample of integer entry
ATTRIBUTE   Service-Type     6   integer
VALUE       Service-Type     Login             1
VALUE       Service-Type     Framed            2
VALUE       Service-Type     Callback-Login    3
VALUE       Service-Type     Callback-Framed   4
VALUE       Service-Type     Outbound          5
VALUE       Service-Type     Administrative    6
VALUE       Service-Type     NAS-Prompt        7

RADIUS Files (continued)


Clients File
A clients file is important because it contains a list of the NASs (RADIUS
clients) that are allowed to send authentication and accounting requests to
the RADIUS server. Each entry pairs the client's name or IP address with
the shared secret (key) that the NAS itself must be configured with.
An example of a clients file is shown below.
______________________________ Note __________________________
The RADIUS server identifies the client by the source address of the
request and looks up its key in this file. The key configured on the NAS
must exactly match that entry; a request from an address with no entry
is silently discarded, and a mismatched key makes the User-Password
decode to garbage so that every authentication is rejected.
_____________________________________________________________
RADIUS does not encrypt the exchange between the NAS and the server.
The shared key from this file is used for two things (RFC 2865): hiding
the User-Password attribute, and computing the Response Authenticator
that lets the NAS verify the server's reply. All other attributes, including
usernames and returned AV pairs, travel in clear text, so the path between
NAS and server must itself be trusted or protected.
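To make concrete what the key in this file protects, here is an added Python example (written for this page, not Cisco or Merit code) that hides and reveals a User-Password and computes and verifies a Response Authenticator exactly as RFC 2865 sections 5.2 and 3 describe. The secret lab, the passwords and the Request Authenticator are constructed values; nothing is read from a real clients file.

```python
"""What the shared key in the clients file is actually used for.

Added example for this section; not Cisco or Merit code. RADIUS (RFC 2865)
does not encrypt the packet. The shared secret has two jobs: hiding the
User-Password attribute (section 5.2: each 16-octet block is XORed with
MD5(secret + previous block), seeded by the Request Authenticator) and
authenticating the server's reply (section 3: the Response Authenticator is
MD5 over the reply header, Request Authenticator, attributes and secret).
The secret, authenticator and passwords used here are constructed values.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
HEADER_LEN = 20                      # Code, Identifier, Length, Authenticator


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2. Output is 16 to 128 octets; it becomes attribute 2."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += block
        prev = block          # chaining: next mask depends on this ciphertext block
    return hidden


def reveal_password(hidden, secret, request_auth):
    """Server side of 5.2. Trailing NULs are stripped as padding, so a password
    that itself ends in NUL is ambiguous in RADIUS. A wrong secret yields
    garbage, which is why a NAS with a mistyped key gets Access-Reject for
    every user rather than an explicit "bad secret" error."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return plain.rstrip(b"\x00")


def response_authenticator(code, identifier, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_reply(code, identifier, attrs, request_auth, secret):
    """Server side: a complete Access-Accept/Reject packet for a given request."""
    auth = response_authenticator(code, identifier, attrs, request_auth, secret)
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs)) + auth + attrs


def verify_reply(packet, request_auth, secret):
    """NAS side: recompute the authenticator with our copy of the secret and
    compare in constant time. A reply forged without the secret, tampered in
    transit, or replayed against a different Request Authenticator fails."""
    if len(packet) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, identifier, packet[HEADER_LEN:],
                                      request_auth, secret)
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


if __name__ == "__main__":
    secret, wrong = b"lab", b"labs"           # clients-file key vs. a mistyped NAS key
    request_auth = os.urandom(16)             # the NAS picks a fresh one per request
    hidden = hide_password(b"lab", secret, request_auth)
    print("hidden User-Password  :", hidden.hex())
    print("server with right key :", reveal_password(hidden, secret, request_auth))
    print("server with wrong key :", reveal_password(hidden, wrong, request_auth))
    reply = build_reply(ACCESS_ACCEPT, 7, b"", request_auth, secret)
    print("reply verifies, right key:", verify_reply(reply, request_auth, secret))
    print("reply verifies, wrong key:", verify_reply(reply, request_auth, wrong))
```

Note that nothing in the Access-Request itself is authenticated by this scheme (the optional Message-Authenticator of RFC 2869 was added later for that), and the password hiding is a stream of MD5 outputs keyed by a static secret, not a modern cipher. Both points are why the clients-file key should be long and unique per NAS and why the NAS-to-server path should not cross untrusted networks unprotected.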


Clients File

# The four entries are for the NAS clients (Cisco 10000)
#
#Client Name        Key      [type]           [version] [prefix]
#----------------   -------  ---------------  --------- --------
52.20.0.12          lab      type=Cisco:NAS
52.20.0.22          lab      type=Cisco:NAS
52.20.0.32          lab      type=Cisco:NAS
52.20.0.42          lab      type=Cisco:NAS
Hollywood           0u812    type=Cisco:PROXY

[Figure: User -> NAS (NAS port, IP) -> AAA Server]

RADIUS Files (continued)


Users File
A RADIUS users file contains an entry for each user that the RADIUS
server will authenticate; each entry, which is also referred to as a user
profile, establishes the attributes the user can access.
The first line in any user profile is always a user access line (username
and password); that is, the server must check the attributes on the first
line before it can grant access to the user. The first line contains the name
of the user, which can be up to 252 characters, followed by authentication
information such as the password of the user.
Additional lines, which are associated with the user access line, indicate
the attribute reply that is sent to the requesting client or server. The
attributes sent in the reply must be defined in the dictionary file.
When looking at a users file, note that the data to the left of the equals (=)
character is an attribute defined in the dictionary file, and the data to the
right of the equals character is the configuration data.
______________________________ Note __________________________
A blank line cannot appear anywhere within a user profile.
_____________________________________________________________
Shown on the opposite page is an example of a RADIUS user profile in
Merit Daemon format. In this example, the username is p1user1 and has
the following characteristics:

- Password is lab
- Protocol is PPP
- IP address is dynamically assigned via an IP pool or DHCP
- Three input ACLs


Radius Files

Users File

# This user profile includes av-pair attributes

p1user1 Password=lab,
        Service-Type=Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.254,
        av-pair=ip:inacl#1=permit udp any any,
        av-pair=ip:inacl#2=permit tcp any any,
        av-pair=ip:inacl#3=permit ip any any
[Figure: User - NAS port - NAS - IP - AAA Server]
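As an added example (not part of the course material or of any RADIUS daemon's code), the following Python parsers read a clients file and a Merit-format users file like the two shown above. The NAS lookup returns the shared key only for a listed client, which is why a request from an unknown NAS is silently dropped, and the profile parser applies the rules just described: the access line comes first, reply attributes follow on indented lines, and a blank line ends the profile. The file contents are constructed to match the examples on these pages.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed clients file matching the course example: "name key [type=...]".
CLIENTS_FILE = """\
# The four entries are for the NAS clients (Cisco 10000)
#Client Name      Key     [type]          [version] [prefix]
52.20.0.12        lab     type=Cisco:NAS
52.20.0.22        lab     type=Cisco:NAS
52.20.0.32        lab     type=Cisco:NAS
52.20.0.42        lab     type=Cisco:NAS
Hollywood         0u812   type=Cisco:PROXY
"""

# Constructed users file in Merit format: the access line starts in column 1,
# indented lines are reply attributes, a blank line ends the profile.
USERS_FILE = """\
# This user profile includes av-pair attributes
p1user1 Password=lab,
\tService-Type=Framed-User,
\tFramed-Protocol = PPP,
\tFramed-IP-Address = 255.255.255.254,
\tav-pair=ip:inacl#1=permit udp any any,
\tav-pair=ip:inacl#2=permit tcp any any,
\tav-pair=ip:inacl#3=permit ip any any

p2user6 Password = "lab"
\tService-Type = Framed-User,
\tFramed-Protocol = PPP,
\tav-pair="ip:addr-pool=pool1"
"""


@dataclass
class Client:
    name: str
    key: str
    options: Dict[str, str] = field(default_factory=dict)


@dataclass
class UserProfile:
    name: str
    check: Dict[str, str]            # attributes on the access line (e.g. Password)
    reply: List[Tuple[str, str]]     # reply attributes, in profile order


def parse_clients(text: str) -> Dict[str, Client]:
    """Return clients keyed by name (the NAS address or proxy name)."""
    clients: Dict[str, Client] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"clients file: need name and key: {raw!r}")
        name, key, *rest = fields
        options = dict(opt.split("=", 1) for opt in rest if "=" in opt)
        clients[name] = Client(name, key, options)
    return clients


def _split_attrs(segment: str) -> List[Tuple[str, str]]:
    """Split 'A = x, B = y' into pairs; only the first '=' separates attribute
    from value, so 'av-pair=ip:inacl#1=permit ...' keeps its inner '='."""
    pairs = []
    for item in segment.split(","):
        item = item.strip()
        if not item:
            continue
        attr, _, value = item.partition("=")
        pairs.append((attr.strip(), value.strip().strip('"')))
    return pairs


def parse_users(text: str) -> Dict[str, UserProfile]:
    """Return profiles keyed by username, enforcing the Merit layout rules."""
    profiles: Dict[str, UserProfile] = {}
    current: Optional[UserProfile] = None
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue
        if not raw.strip():                    # blank line closes the profile
            current = None
            continue
        if raw[0] not in " \t":                # unindented: a new access line
            name, _, rest = raw.partition(" ")
            current = UserProfile(name, dict(_split_attrs(rest)), [])
            profiles[name] = current
        elif current is None:
            raise ValueError(f"users file: reply attribute outside a profile: {raw!r}")
        else:
            current.reply.extend(_split_attrs(raw))
    return profiles


def shared_key_for(clients: Dict[str, Client], nas: str) -> Optional[str]:
    """Key for a listed NAS, or None: a request from an unlisted NAS is dropped."""
    client = clients.get(nas)
    return client.key if client else None


def check_password(profiles: Dict[str, UserProfile], user: str, password: str) -> bool:
    """The access line must match before any reply attribute is considered."""
    profile = profiles.get(user)
    return profile is not None and profile.check.get("Password") == password
```

Both parsers are deliberately strict: a reply attribute that appears before any access line, or a clients entry without a key, raises instead of being guessed at, because a server that silently accepts a malformed file is how an unintended client or an incomplete profile ends up in production.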


AAA Implementations
There are two methods for implementing AAA: local-based on the NAS or
server-based on an external server.

Local-Based AAA
In local-based AAA, a local security database runs in the NAS for a small
group of network users.
If the network consists of a single NAS, and there are few users accessing
the NAS, it may be desirable to store username and password security
information directly on the Cisco NAS. This is referred to as local
authentication using a local security database.
Local authentication characteristics are as follows:

- Used for small networks
- Username and password are stored in the Cisco router
- User authenticates against the local security database in the Cisco router
- Authorization and accounting are supported
- Saves the cost of a remote security database

The system administrator must populate the local security database by
specifying username profiles for each user that logs in. If multiple NASs
are used in the network, then the local security database must be
replicated on all the NASs to ensure security. This is an undesirable
amount of administrative overhead.


AAA Implementations: Local-Based AAA

- User accounts are stored on the NAS
- AAA negotiation is performed internally by Cisco IOS software
- Local authentication characteristics:
  - Used for small networks
  - Username & password stored in router (NAS)
  - User authenticates against local database
  - Authorization and accounting supported
  - Saves cost of remote security server
- Useful for local-based console, AUX, VTY, and dial access
- System administrator must populate local database

[Figure: local-based console access (NAS), local-based VTY access (IP - NAS),
and local-based dial access (PSTN - NAS - IP)]


AAA Implementations (continued)


Server-Based AAA
For large networks in which flexibility and scalability are important,
remote-based AAA servers are more suitable. A remote AAA server using
TACACS+, RADIUS, or Kerberos provides the AAA functionality.
Individual user profiles are stored using the AV pairs available in the AAA
protocol being used.
For redundancy, a secondary AAA server may be included. If desired, the
AAA server can also communicate to a specialized remote database server
(for example, an Oracle DB Server) containing the user profiles.
Cisco IOS software supports the following AAA protocols:

- TACACS+
- RADIUS
- Kerberos


AAA Implementations: Server-Based AAA

- Used for large networks in which flexibility and scalability are important
- Uses TACACS+, RADIUS, or Kerberos as the communications protocol between the NAS and the remote server
- Individual profiles are stored using AV pairs
- May include a secondary AAA server for redundancy

[Figure: server-based console access, server-based VTY access, and server-based
dial access, each showing NAS - IP - AAA Server (dial access via PSTN)]


RADIUS Protocol
Overview
RADIUS is a distributed client/server system that secures networks
against unauthorized access.
The RADIUS authentication and authorization specification (RFC 2865) is
a standard protocol. The RADIUS accounting specification (RFC 2866) is
informational.
Transactions between the client and the RADIUS AAA server are
authenticated through the use of a shared secret, which is never sent over
the network. In addition, any user passwords are sent encrypted between
the client and the RADIUS server, to eliminate the possibility that someone
snooping on an unsecured network could determine a user's password.


RADIUS Protocol: Overview

- A distributed client/server system that secures the network against unauthorized access
- A fully open protocol, distributed in source code format, that can be modified to work with any security system currently available
- Provides network security via a shared secret and password encryption


RADIUS Protocol (continued)


Environment
RADIUS is a client/server protocol. The RADIUS client is typically a router
or some other device. The client is referred to as a network access server
(NAS). The RADIUS server is usually a daemon process running on a
UNIX or Windows NT machine.
Communication between the client and server is based on the User
Datagram Protocol (UDP), a connectionless service.
The client passes user information to a designated RADIUS server and
acts on the response that is returned.
A RADIUS server can act as a proxy client to other RADIUS servers or to
other authentication servers.


RADIUS Protocol: Environment

- RADIUS client (NAS) runs on Cisco routers
- Client sends authentication requests to a central RADIUS server that contains all user authentication and network service access information
- Communication between a NAS and a RADIUS server is based on UDP
- Client passes user information to the RADIUS server and acts on the response that is returned
- A RADIUS server can act as a proxy client to another RADIUS server or to other authentication servers


RADIUS Protocol (continued)


RADIUS Packet
The data between a RADIUS server and a RADIUS client is exchanged in
RADIUS packets. The data fields are transmitted from left to right.
Each RADIUS packet contains the following information:

- Code: The code field is one octet; it identifies one of the following
  types of RADIUS packets:
  - Access-Request (1)
  - Access-Accept (2)
  - Access-Reject (3)
  - Accounting-Request (4)
  - Accounting-Response (5)
  - Access-Challenge (11)
  - Status-Server (under continued development) (12)
  - Status-Client (under continued development) (13)
  - Reserved (255)
- Identifier: The identifier field is one octet; it helps the RADIUS
  server match requests and responses and detect duplicate requests.
- Length: The length field is two octets; it specifies the length of the
  entire packet.
- Authenticator: The authenticator field is 16 octets. The most
  significant octet is transmitted first; it is used to authenticate the reply
  from the RADIUS server. The two types of authenticators are as follows:
  - Request Authenticator: Available in Access-Request and
    Accounting-Request packets
  - Response Authenticator: Available in Access-Accept, Access-Reject,
    Access-Challenge, and Accounting-Response packets
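To make the packet layout and the role of the two authenticators concrete, here is an added Python example (not from the course or from any vendor's implementation) that builds an Access-Request with the RFC 2865 PAP password hiding, then computes and verifies a Response Authenticator over a reply. The NAS address 52.20.0.12 and the key lab follow the clients file earlier in this module; the identifier, the fixed Request Authenticator used in the test and the Service-Type reply attribute are constructed. The point to take from it is the one made in the overview: the secret never appears on the wire, yet a reply built with the wrong secret, or tampered with in transit, is rejected.

```python
import hashlib
import hmac
import os
import struct
from typing import List, Tuple

# Packet codes and the attribute types used in this example (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE = 1, 2, 4, 5, 6
HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator (20 octets)


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 octets and XOR each chunk
    with MD5(secret + previous chunk); the Request Authenticator seeds the first."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += chunk
        prev = chunk
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: the same masks in the same order undo the XOR."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    """Type-Length-Value attributes; Length counts the two header octets."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes) -> List[Tuple[int, bytes]]:
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(ident, username, password, nas_ip, nas_port, secret,
                         request_auth=None):
    """NAS side: a fresh random Request Authenticator hides the PAP password."""
    request_auth = request_auth or os.urandom(16)
    attrs = encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        (NAS_PORT, struct.pack("!I", nas_port)),
    ])
    return HEADER.pack(ACCESS_REQUEST, ident, HEADER.size + len(attrs), request_auth) + attrs


def _response_digest(code, ident, length, request_auth, attrs_bytes, secret):
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return hashlib.md5(struct.pack("!BBH", code, ident, length)
                       + request_auth + attrs_bytes + secret).digest()


def build_response(code, request_packet, attrs_bytes, secret):
    """Server side: the reply is bound to the request and to the shared secret."""
    _, ident, _, request_auth = HEADER.unpack_from(request_packet)
    length = HEADER.size + len(attrs_bytes)
    digest = _response_digest(code, ident, length, request_auth, attrs_bytes, secret)
    return HEADER.pack(code, ident, length, digest) + attrs_bytes


def verify_response(response, request_packet, secret) -> bool:
    """NAS side: recompute the digest; a forged, mis-keyed or mismatched reply fails."""
    code, ident, length, resp_auth = HEADER.unpack_from(response)
    _, req_ident, _, request_auth = HEADER.unpack_from(request_packet)
    if ident != req_ident or length != len(response):
        return False
    expected = _response_digest(code, ident, length, request_auth,
                                response[HEADER.size:], secret)
    return hmac.compare_digest(expected, resp_auth)
```

Note what the Response Authenticator does and does not give you: it lets the NAS detect a reply that was not produced by a holder of the shared secret for this exact request, but the password hiding is an MD5 keystream keyed by that same secret, so the strength of the whole exchange rests on the secret being long, random, and unique per client in the clients file.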


RADIUS Protocol: RADIUS Packet

[Figure: packet layout, 32 bits wide: Code | Identifier | Length | Authenticator | Attributes]

Code
Access-Request       (1)
Access-Accept        (2)
Access-Reject        (3)
Accounting-Request   (4)
Accounting-Response  (5)


RADIUS Protocol (continued)


RADIUS Packet Types

- Access-Request: Sent from a client to a RADIUS server. The packet
  contains information that allows the RADIUS server to determine
  whether to allow access to a specific network access server (NAS),
  which will in turn allow access to the user. Any user performing
  authentication must submit an Access-Request packet. Once an
  Access-Request packet is received, the RADIUS server must forward a reply.
- Access-Accept: After a RADIUS server receives an Access-Request
  packet, it must send an Access-Accept packet if all attribute values in
  the Access-Request packet are acceptable. Access-Accept packets
  provide the configuration information necessary for the client to
  provide service to the user.
- Access-Reject: After a RADIUS server receives an Access-Request
  packet, it must send an Access-Reject packet if any of the attribute
  values are not acceptable.
- Access-Challenge: If a server receives conflicting information from a
  user, requires more information, or simply wishes to decrease the risk
  of a fraudulent authentication, it can issue an Access-Challenge packet
  to the client. The client, upon receipt of the Access-Challenge packet,
  must then issue a new Access-Request with the appropriate
  information included.
- Accounting-Request: Sent from a client to a RADIUS accounting
  server; it carries the accounting information. If the RADIUS server
  successfully records the Accounting-Request packet, it must submit an
  Accounting-Response packet.
- Accounting-Response: Sent by the RADIUS accounting server to the
  client to acknowledge that the Accounting-Request has been received
  and recorded successfully.


RADIUS Protocol: RADIUS Packet Types

There are six RADIUS packet types:

[Figure: User - NAS (Client) - Security Server, with Access-Request,
Access-Accept, Access-Reject, Access-Challenge, Accounting-Request, and
Accounting-Response exchanged between the NAS and the security server]


RADIUS Protocol (continued)


RADIUS Operation
When a user attempts to log in and authenticate to an access server using
RADIUS, the following events occur:
1. User initiates a connection to the NAS.
   The format of the request provides information about the type of
   session that the user wants to initiate. For example, if the query is
   presented in character mode, the inference is Service-Type = Exec-User.
   If the request is presented in PPP packet mode, the inference is
   Service-Type = Framed-User and Framed-Protocol = PPP, which is the
   case when the subscriber is using PPPoA or PPPoE.
2. User is prompted for a username and password.
3. User replies.


RADIUS Protocol: RADIUS Operation

[Figure: NAS - IP - PSTN - AAA Server, with steps 1, 2, and 3 marked]

When a user attempts to log in and authenticate to an
access server using RADIUS, the following events occur:
1. User initiates PPP connection to the NAS
2. User is prompted for username and password (PAP) or
   challenge (CHAP)
3. User replies


Radius Protocol (continued)


RADIUS Operation (continued)
4. RADIUS client (NAS) sends the username and encrypted password to the
   RADIUS server.
   RADIUS supports a variety of protocol mechanisms to transmit
   sensitive user-specific data to and from the authentication server. PPP
   in particular offers different options for this purpose:
   - The old-style Password Authentication Protocol (PAP), which
     exchanges security information in clear text
   - The more secure challenge-based options such as the Challenge
     Handshake Authentication Protocol (CHAP)
   - The Microsoft variant, Microsoft-CHAP (MS-CHAP)
   - The Extensible Authentication Protocol-Message Digest 5 (EAP-MD5),
     a rather new Internet Engineering Task Force (IETF)
     authentication protocol that is implemented, for example, in
     Windows 2000
   Typically, a user login consists of a query (Access-Request) from the
   NAS to the RADIUS server and a corresponding response (Access-Accept
   or Access-Reject) from the server. The Access-Request packet
   contains the username, encrypted password, NAS IP address, and port.
   (The authentication port for RADIUS is 1645.)
5. RADIUS server responds with ACCEPT, REJECT, CHALLENGE, or
   CHANGE PASSWORD.
   - ACCEPT: The user is authenticated
   - REJECT: The user is not authenticated and is prompted to
     reenter the username and password, or access is denied
   - CHALLENGE: A challenge, to collect additional data, is issued by
     the RADIUS server
   - CHANGE PASSWORD: A request is issued by the RADIUS
     server, asking the user to select a new password
6. The RADIUS client acts upon the services and service parameters bundled
   with the RADIUS accept or reject packets.


RADIUS Protocol: RADIUS Operation (continued)

[Figure: NAS - IP - PSTN - AAA Server, with steps 4 and 6 marked]

4. RADIUS client (NAS) sends username and encrypted
   password to the RADIUS server
5. RADIUS server responds with ACCEPT, REJECT, or
   CHALLENGE
6. The RADIUS client acts upon services and service
   parameters bundled with the accept or reject


Cisco Implementation of AAA


Overview
Cisco's AAA implementation allows you to dynamically configure the type
of authentication and authorization on a per-line (per-user) or per-service
(for example, IP, IPX, or VPDN) basis. You define the type of
authentication and authorization that you want by creating method lists,
and then applying those method lists to specific services or interfaces. The
AAA services can be configured as local-based AAA or as server-based
AAA. Regardless of the method, the configuration involves the use of
method lists.

Enabling AAA
The first step in deploying AAA on a Cisco network device is to enable the
AAA process. From privileged EXEC mode, enter global configuration mode
and enable AAA with the following command:
(config)#aaa new-model

Authentication Method Lists


A method list is a sequential list that defines the authentication methods
used to authenticate a user. Method lists enable you to designate one or
more security protocols to be used for authentication, thus ensuring a
backup system for authentication in case the initial method fails. The
Cisco IOS software uses the first method listed to authenticate users; if
that method does not respond, the Cisco IOS software selects the next
authentication method in the method list. This process continues until
there is successful communication with a listed authentication method or
until the authentication method list is exhausted, in which case
authentication fails.
The Cisco IOS software attempts authentication with the next listed
authentication method only when there is no response from the previous
method. If authentication fails at any point in this cycle (that is, if the security
server or local username database responds by denying the user access),
the authentication process stops, and no other authentication methods are
attempted.


Cisco Implementation of AAA: Method Lists

- Defines an ordered list of authentication methods to authenticate users
- Supports the use of multiple security protocols
- Provides for security system redundancy
- User authentication is based on the methods within the list, which are attempted sequentially
- If there is no response from the first method in the list, authentication is then attempted using the next method, and so on.


Cisco Implementation of AAA (continued)


Authentication Method Lists Example 1
Suppose the system administrator has decided on a security solution in
which all interfaces will use the same authentication methods to
authenticate PPP connections. In the RADIUS group, the RADIUS servers
are defined by a group list named radservers. RADIUS server AAA-1 is
contacted first for authentication information, and then if there is no
response, AAA-2 is contacted. If all designated servers fail to respond,
authentication falls to the local username database on the access server
itself.

Method List
To implement this solution, the system administrator would create a
default method list by entering the following command:
(config)#aaa authentication ppp default group radservers local

In this example, default is the name of the method list. The protocol(s)
included in this method list are listed after the name, in the order in which
they are to be queried. The default list is automatically applied to all
interfaces.

AAA Group
To create the list of RADIUS servers named radservers, use the following
commands:
(config)#aaa group server radius radservers
(config-sg-radius)#server AAA-1
(config-sg-radius)#server AAA-2

When a remote user attempts to dial into the network, the network access
server (P1R2) first queries AAA-1 (this example assumes that a name
resolution protocol is in use) for authentication information. If AAA-1
authenticates the user, it issues a PASS response to the network access
server, and the user is allowed to access the network. If AAA-1 returns a
FAIL response, the user is denied access and the session is terminated. If
AAA-1 does not respond, then the network access server processes that as
an ERROR and queries AAA-2 for authentication information. This pattern
continues through the remaining designated methods until the user is
either authenticated or rejected, or until the session is terminated.


Authentication Method Lists: Example 1

[Figure: CPE - ATM - DSLAM - ATM - P1R2, with RADIUS servers AAA-1 and AAA-2]

(config)#aaa new-model
(config)#aaa authentication ppp default group radservers local
(config)#aaa group server radius radservers
(config-sg-radius)#server AAA-1
(config-sg-radius)#server AAA-2
(config)#radius-server key lab
Note: Host name resolution is needed for this example.


Cisco Implementation of AAA (continued)


Authentication Method Lists: Example 1 (continued)

RADIUS-Server Key
The NAS and the RADIUS daemon (server process) use an encryption key
for all communications that pass between them. If the keys do not match,
then communications will fail. The key is defined in the RADIUS server
using the clients file. To configure the key in the NAS, use the following
command:
(config)#radius-server key lab

It is important to remember that a FAIL response is significantly different
from an ERROR. A FAIL means that the user has not met the criteria
contained in the applicable authentication database to be successfully
authenticated. Authentication ends with a FAIL response. An ERROR
means that the security server has not responded to an authentication
query. Because of this, no authentication has been attempted. Only when
an ERROR is detected will AAA select the next authentication method
defined in the authentication method list.
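The FAIL-versus-ERROR rule is easy to get wrong when reading a method list, so the following added Python simulation (not Cisco IOS code) walks a list the way the text describes for aaa authentication ppp default group radservers local: a server that does not answer yields ERROR and AAA moves on, a reject is final even though local would have accepted the user, and an exhausted list fails. The server names AAA-1 and AAA-2 come from the example; their user databases and the local username entry are constructed, and the local method is assumed here to always answer.

```python
from typing import Callable, Dict, List, Optional, Tuple

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

# Constructed server behaviour: None models a server that never answers
# (timeout -> ERROR); a dict maps username -> password for a server that does.
ServerDB = Optional[Dict[str, str]]
Method = Callable[[str, str], Tuple[str, str]]   # (user, password) -> (result, where)


def query_server(db: ServerDB, user: str, password: str) -> str:
    if db is None:
        return ERROR                      # no response at all
    return PASS if db.get(user) == password else FAIL


def radius_group(servers: Dict[str, ServerDB]) -> Method:
    """A 'group radservers' method: servers are tried in order and the first
    one that answers decides; the group is an ERROR only if none answers."""
    def method(user: str, password: str) -> Tuple[str, str]:
        for name, db in servers.items():
            result = query_server(db, user, password)
            if result != ERROR:
                return result, name
        return ERROR, "no server in group responded"
    return method


def local_method(local_db: Dict[str, str]) -> Method:
    """The 'local' method: the router's own username database (assumed to
    always answer in this simulation)."""
    def method(user: str, password: str) -> Tuple[str, str]:
        return (PASS if local_db.get(user) == password else FAIL), "local"
    return method


def authenticate(method_list: List[Method], user: str, password: str):
    """Walk the list like IOS: stop on PASS or FAIL, continue only on ERROR.
    Returns the final result and the trail of (method, result) consulted."""
    trail: List[Tuple[str, str]] = []
    for method in method_list:
        result, where = method(user, password)
        trail.append((where, result))
        if result in (PASS, FAIL):
            return result, trail
    return FAIL, trail                    # list exhausted: authentication fails
```

The second test case is the one operators trip over: a username that exists only in the local database is rejected while a RADIUS server is reachable, because the reject from AAA-2 is a FAIL, not an ERROR, so local is never consulted. Only when every server in the group times out does the request reach local.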


Cisco Implementation of AAA (continued)


Authentication Method Lists Example 2
The illustration shows a single RADIUS server. If the system
administrator decided on a security solution in which all interfaces will use
the same authentication method and a single RADIUS server to
authenticate PPP connections, then the configuration could be simplified
as follows:
(config)#aaa authentication ppp default group radius local
(config)#radius-server host AAA-1 auth-port 1645 acct-port 1646
(config)#radius-server key lab

In this example, the first command uses the default AAA authentication
method list for PPP connections and defines two methods, group radius
and local. In this command, group radius defines RADIUS as the first
authentication protocol; if no RADIUS server responds, then local, as the
second method, uses the username and password parameters defined on
the router.
Since there isn't a named list of servers, you need to identify the specific
RADIUS server by using the second command. Optionally, you can specify
the authentication and accounting ports to use (default values are shown).
The port numbers are defined in the UNIX /etc/services file, or they can be
declared when the daemon is started by using the appropriate switch
parameters.
The last command defines the key that is used for all RADIUS
communications between the NAS and the RADIUS daemon.
______________________________ Note __________________________
This module presents only basic information concerning AAA
authentication and authentication method lists. For more information,
please refer to the appropriate documentation found on Cisco.com.
_____________________________________________________________


Authentication Method Lists: Example 2

[Figure: CPE - ATM - DSLAM - ATM - P1R2, with RADIUS server AAA-1]

(config)#aaa new-model
(config)#aaa authentication ppp default group radius local
(config)#radius-server host AAA-1 auth-port 1645 acct-port 1646
(config)#radius-server key lab

Note: Host name resolution is needed for this example.


Cisco Implementation of AAA (continued)


Authorization Method List

AAA authorization enables you to limit the services available to a user.
When AAA authorization is enabled, the NAS uses information retrieved
from the user's profile, which is located either in the local user database or
on the security server, to configure the user's session. Once this is done,
the user will be granted access to a requested service only if the
information in the user profile allows it.
Method lists for AAA authorization work in the same manner as method
lists for AAA authentication, using a sequenced list of security protocols.
Method lists are specific to the authorization type requested:

- Auth-proxy: applies specific security policies on a per-user basis.
- Commands: applies to the EXEC mode commands a user issues.
- EXEC: applies to the attributes associated with a user EXEC terminal
  session.
- Network: applies to network connections, including PPP, SLIP, or
  ARAP.
- Reverse Access: applies to reverse Telnet sessions.

When you create a named method list, you define a particular list of
authorization methods for the indicated authorization type.
Once defined, method lists must be applied to specific lines or interfaces
before any of the defined methods will be performed. The only exception is
the default method list (which is named default). If the aaa
authorization command for a particular authorization type is issued
without a named method list specified, the default method list is
automatically applied to all interfaces or lines except those that have a
named method list explicitly defined. (A defined method list overrides the
default method list.) If no default method list is defined, local authorization
takes place by default.


Authorization Method List

- Authorization method list enables limiting services available to users
- Method list defines the ways and sequence in which authorization will be performed
- User authorization is based on methods within the list that are attempted sequentially
- If there is no response from the first method in the list, authorization is then attempted with the next method, and so on.
- Method lists are specific to the authorization type requested: auth-proxy, commands, exec, network or reverse telnet
- Method lists are applied to specific lines or interfaces, unless using the default method list


Cisco Implementation of AAA (continued)


AAA Network Authorization
Method lists are specific to the authorization type requested. The following
describes only network authorization as it applies to PPP connections.
When a PPP user is authenticated and the command aaa authorization
network default group radius local is configured, the NAS looks to the
user profile defined in the users file of the RADIUS server to determine
what the user is authorized to do. In the command, the type keyword
network applies to a user connecting via PPP, SLIP, or ARAP. The
method list name is default, which means that this method list applies to
any line or interface on the box, unless there is another named method
list assigned that would override the default method list. The NAS first
attempts authorization using RADIUS, and if there is no response the
authorization is attempted locally.

Authorization Example
A PPPoE user is authenticated and then authorized to receive an IP
address from an IP local pool named pool1, while all other users connecting
through this virtual interface receive an IP address from a different IP
local pool. In addition, this user has been denied the ability to send ICMP
echo requests to a particular IP address via an extended input ACL
downloaded via his user profile.
Shown in the illustration on the opposite page is a partial Cisco IOS
interface configuration and a user profile in Merit RADIUS format. PPPoE
users accessing the network using virtual-template 4 will be assigned an
IP address from a local pool on the NAS named PPPoEPTApool, whose
address range is from 192.168.37.2 to 192.168.37.254. When user p2user6
connects via this interface, the NAS reads the user profile and sees that
this user is authorized to receive an IP address from a local pool on the
NAS named pool1 that falls within the range of 192.168.80.2 to
192.168.80.254. In addition, this user is denied pinging 192.168.38.1, but is
permitted to send UDP or TCP packets to IP address 192.168.38.1.
______________________________ Note __________________________
The previous explanation and example of AAA authorization are just
one scenario among numerous authorization possibilities.
_____________________________________________________________


Authorization Example

Cisco IOS interface config:

interface Virtual-Template4
 ip unnumbered Loopback7
 peer default ip address pool PPPoEPTApool
 no keepalive
 ppp mtu adaptive
 ppp authentication chap
!
ip local pool PPPoEPTApool 192.168.37.2 192.168.37.254
ip local pool pool1 192.168.80.2 192.168.80.254

Merit RADIUS user profile:

p2user6 Password = "lab"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        av-pair="ip:addr-pool=pool1",
        av-pair="ip:inacl#101=deny icmp any 192.168.38.1 0.0.0.0 echo",
        av-pair="ip:inacl#101=permit udp any 192.168.38.1 0.0.0.0",
        av-pair="ip:inacl#101=permit tcp any 192.168.38.1 0.0.0.0"
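To check what a downloaded per-user ACL actually allows before a subscriber complains, the following added Python example (not Cisco IOS code) parses the ip:inacl#101 av-pairs from the profile above, keeps the entries in profile order, and evaluates constructed packets against them with first-match-wins and the implicit deny at the end of the list. It supports only the keywords the profile uses (any, an address with a 0.0.0.0 wildcard, and the icmp echo qualifier); the av-pair list and the test packets are constructed.

```python
from ipaddress import ip_address
from typing import Callable, Dict, List, Optional, Tuple

# Constructed reply attributes, as the NAS would receive them for p2user6.
REPLY_AV_PAIRS = [
    "ip:addr-pool=pool1",
    "ip:inacl#101=deny icmp any 192.168.38.1 0.0.0.0 echo",
    "ip:inacl#101=permit udp any 192.168.38.1 0.0.0.0",
    "ip:inacl#101=permit tcp any 192.168.38.1 0.0.0.0",
]

Matcher = Callable[[str], bool]
Entry = Tuple[str, str, Matcher, Matcher, Optional[str]]  # action, proto, src, dst, icmp type


def _parse_addr(tokens: List[str], i: int) -> Tuple[Matcher, int]:
    """Return (matcher, next index) for 'any' or 'address wildcard'.
    A wildcard of 0.0.0.0 means exact host; set bits are 'don't care' bits."""
    if tokens[i] == "any":
        return (lambda a: True), i + 1
    base, wc = int(ip_address(tokens[i])), int(ip_address(tokens[i + 1]))
    return (lambda a: (int(ip_address(a)) | wc) == (base | wc)), i + 2


def parse_inacl(av_pairs: List[str]) -> Dict[int, List[Entry]]:
    """Collect 'ip:inacl#<n>=<ace>' pairs into {n: [entries]} in profile order;
    other av-pairs (such as addr-pool) are left to their own handlers."""
    acls: Dict[int, List[Entry]] = {}
    for pair in av_pairs:
        if not pair.startswith("ip:inacl#"):
            continue
        key, _, ace = pair.partition("=")
        number = int(key[len("ip:inacl#"):])
        tokens = ace.split()
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in ACE: {ace!r}")
        src, i = _parse_addr(tokens, 2)
        dst, i = _parse_addr(tokens, i)
        icmp_type = tokens[i] if i < len(tokens) else None
        acls.setdefault(number, []).append((action, proto, src, dst, icmp_type))
    return acls


def evaluate(entries: List[Entry], proto: str, src: str, dst: str,
             icmp_type: Optional[str] = None) -> str:
    """First matching entry decides; a packet matching nothing is denied,
    which is the implicit deny at the end of every IOS ACL."""
    for action, p, src_ok, dst_ok, t in entries:
        if p not in (proto, "ip"):
            continue
        if t is not None and t != icmp_type:
            continue
        if src_ok(src) and dst_ok(dst):
            return action
    return "deny"
```

The last two assertions are the ones worth remembering when writing a profile like this: TCP to any host other than 192.168.38.1 and ICMP types other than echo are dropped not because an entry says so but because nothing permits them, so a three-line inbound ACL that was meant only to block ping quietly blocks the subscriber's DNS, web and everything else unless a permit ip any any closes the list.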


Troubleshooting Aids
Questions
When attempting to troubleshoot any problem, you need to ask yourself
several questions:
1. Did it work before? If so, what has changed?
2. Is it a new installation or configuration?
When attempting to troubleshoot an authentication problem, you need to
consider the sequence of events that must take place before a user can be
authenticated and what tools you have available to you to aid in isolating
the problem.

Cisco IOS Commands

______________________________ Note __________________________
Other useful Cisco IOS commands were covered in previous modules or
lab exercises.
_____________________________________________________________
show users
debug ppp negotiation (successful)
debug ppp negotiation (fail)
debug ppp authentication (successful)
debug ppp authentication (fail)
debug radius

UNIX commands
snoop -V
tail -f radius.debug
tail -f logfile.<date>


Troubleshooting Aids

Questions
- Did it work before? If so, what has changed?
- Is it a new installation or configuration?

Cisco IOS Commands
show users
debug ppp negotiation
debug ppp authentication
debug radius

UNIX Commands
snoop -V
tail -f radius.debug
tail -f logfile.<date>


Cisco IOS Commands


show users
This command displays the users table, an example of which is shown on
the opposite page. The users table is populated with information
pertaining to authenticated PPP sessions. In the users table, you should see the
ingress interface name, the PPP username, connection mode, the
connection idle time, and the peer IP address.


show users

P2R2#sh users
    Line       User       Host(s)              Idle       Location
*  2 vty 0     p2user1    idle                 00:00:00   52.10.10.20

  Interface    User               Mode         Idle     Peer Address
  Vi1.1        p2user1            PPPoATM      00:07:29 192.168.35.4
  Vi1.2        p2user4            PPPoATM      00:07:29 192.168.35.6
  Vi1.3        p2user5            PPPoATM      00:07:29 192.168.36.18
  Vi1.4        p2user3            PPPoATM      00:07:18 192.168.35.5
  Vi1.5        p2user2            PPPoATM      00:07:18 192.168.35.2
  Vi1.6        p2user7            PPPoATM      06:31:25 192.168.36.8
  Vi2.1        p2user8            PPPoE        00:00:05 192.168.38.21
P2R2#


Cisco IOS Commands (continued)


debug ppp negotiation Successful
In the process of configuring, maintaining, and terminating a PPP link, the
PPP link undergoes several distinct phases:

- Link Dead: This is the beginning and ending phase for a PPP link.
  This phase indicates that the physical layer is ready to be used; from
  here, PPP proceeds to the Link Establishment phase.
- Link Establishment: The Link Control Protocol (LCP) is used to
  establish the connection through an exchange of LCP configure packets.
  LCP enters the Open state once an LCP Configure-ACK packet has
  been both sent and received.
- Authentication: The exchange that takes place during this phase is
  protocol dependent. Typically, PAP or CHAP is used. If successful, PPP
  enters the Network Control Protocol phase.
- Network Control Protocol: Layer 3 protocol information such as
  address assignments and exchanges, compression information, and
  server information is negotiated. The example shown on the opposite
  page uses IPCP to exchange the IP addressing information.
- Link Termination: LCP is used to close the link through an exchange
  of LCP Terminate-Request and Terminate-ACK packets.

The debug display of the first four phases of a successful PPP negotiation is
shown on the opposite page.


debug ppp negotiation Successful

P2R2#debug ppp neg
PPP protocol negotiation debugging is on
P2R2#
*Sep 12 09:31:22.831: ppp159 PPP: Using default call direction
*Sep 12 09:31:22.831: ppp159 PPP: Treating connection as a dedicated line
*Sep 12 09:31:22.831: ppp159 PPP: Phase is ESTABLISHING, Active Open
*Sep 12 09:31:22.831: ppp159 LCP: O CONFREQ [Closed] id 1 len 19
*Sep 12 09:31:22.831: ppp159 LCP: MRU 1492 (0x010405D4)
*Sep 12 09:31:22.831: ppp159 LCP: AuthProto CHAP (0x0305C22305)
*Sep 12 09:31:22.831: ppp159 LCP: MagicNumber 0x000E88B3 (0x0506000E88B3)
*Sep 12 09:31:22.887: ppp159 LCP: I CONFREQ [REQsent] id 0 len 40
*Sep 12 09:31:22.887: ppp159 LCP: MagicNumber 0x76532510 (0x050676532510)
*Sep 12 09:31:22.887: ppp159 LCP: Callback 6 (0x0D0306)
*Sep 12 09:31:25.035: Vi2.1 IPCP: TIMEout: State REQsent
*Sep 12 09:31:25.035: Vi2.1 IPCP: O CONFREQ [REQsent] id 2 len 10
*Sep 12 09:31:25.035: Vi2.1 IPCP: Address 192.168.38.1 (0x0306C0A82601)
*Sep 12 09:31:25.107: Vi2.1 IPCP: Pool returned 192.168.38.2
*Sep 12 09:31:25.107: Vi2.1 IPCP: O CONFREJ [REQsent] id 5 len 34
*Sep 12 09:31:25.107: Vi2.1 IPCP: CompressType VJ 15 slots CompressSlotID (0)
*Sep 12 09:31:25.107: Vi2.1 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000)
*Sep 12 09:31:25.107: Vi2.1 IPCP: PrimaryWINS 0.0.0.0 (0x820600000000)
*Sep 12 09:31:25.107: Vi2.1 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000)
*Sep 12 09:31:25.107: Vi2.1 IPCP: SecondaryWINS 0.0.0.0 (0x840600000000)

2003 Cisco Systems, Inc.

AAA Services

Cisco IOS Commands (continued)


debug ppp negotiation Fail
The partial debug display in the illustration shows how a failed PPP
negotiation is represented. Notice that after the authentication phase fails,
PPP immediately enters the termination phase.


debug ppp negotiation Fail

P2R2#debug ppp neg
PPP protocol negotiation debugging is on
P2R2#
*************************************PARTIAL*********************************************
*Sep 11 19:29:51.766: ppp557 LCP: I CONFACK [ACKsent] id 2 len 15
*Sep 11 19:29:51.766: ppp557 LCP: AuthProto CHAP (0x0305C22305)
*Sep 11 19:29:51.766: ppp557 LCP: MagicNumber 0x00FAD1D6 (0x050600FAD1D6)
*Sep 11 19:29:51.766: ppp557 LCP: State is Open
*Sep 11 19:29:51.766: ppp557 PPP: Phase is AUTHENTICATING, by this end
*Sep 11 19:29:51.766: ppp557 CHAP: O CHALLENGE id 1 len 25 from "P2R2"
*Sep 11 19:29:51.810: ppp557 LCP: I IDENTIFY [Open] id 2 len 18 magic 0x4C017CA0
*Sep 11 19:29:51.818: ppp557 LCP: I IDENTIFY [Open] id 3 len 21 magic 0x4C017CA3
*Sep 11 19:29:51.822: ppp557 CHAP: I RESPONSE id 1 len 28 from "p2user8"
*Sep 11 19:29:51.822: ppp557 PPP: Phase is FORWARDING, Attempting Forward
*Sep 11 19:29:51.826: ppp557 PPP: Phase is AUTHENTICATING, Unauthenticated User
*Sep 11 19:29:51.826: ppp557 CHAP: O FAILURE id 1 len 26 msg is "Authentication"
*Sep 11 19:29:51.826: ppp557 PPP: Sending Acct Event[Down] id[61A]
*Sep 11 19:29:51.826: ppp557 PPP: Phase is TERMINATING
*Sep 11 19:29:51.826: ppp557 LCP: O TERMREQ [Open] id 3 len 4
*Sep 11 19:29:51.826: ppp557 LCP: State is Closed
*Sep 11 19:29:51.826: ppp557 PPP: Phase is DOWN
*Sep 11 19:29:51.826: ppp557 PPP: Phase is TERMINATING



debug ppp authentication Successful
The debug display in the illustration shows a successful CHAP challenge. Notice the name of the device issuing the CHAP challenge (P2R2), and notice that the user ID of the subscriber attempting authentication (p2user8) is displayed. If the authentication phase succeeds, the PASS message is displayed.


debug ppp authentication Successful

P2R2#debug ppp auth
PPP authentication debugging is on
P2R2#
*Sep 12 09:33:53.375: ppp160 PPP: Using default call direction
*Sep 12 09:33:53.375: ppp160 PPP: Treating connection as a dedicated line
*Sep 12 09:33:53.375: ppp160 PPP: Authorization NOT required
*Sep 12 09:33:53.491: ppp160 CHAP: O CHALLENGE id 1 len 25 from "P2R2"
*Sep 12 09:33:53.547: ppp160 CHAP: I RESPONSE id 1 len 28 from "p2user8"
*Sep 12 09:33:53.547: ppp160 PPP: Sent CHAP LOGIN Request
*Sep 12 09:33:53.547: ppp160 PPP: Received LOGIN Response PASS
*Sep 12 09:33:53.551: Vi2.1 CHAP: O SUCCESS id 1 len 4



debug ppp authentication Fail
The debug display in the illustration shows the FAIL message, which indicates that the PPP authentication phase was not successful. The AAA server returned FAIL for the CHAP response, and the NAS relayed a CHAP FAILURE to the subscriber.


debug ppp authentication Fail

P2R2#debug ppp auth
PPP authentication debugging is on
P2R2#
*Sep 11 20:21:03.771: ppp2 PPP: Using default call direction
*Sep 11 20:21:03.771: ppp2 PPP: Treating connection as a dedicated line
*Sep 11 20:21:03.771: ppp2 PPP: Authorization required
*Sep 11 20:21:03.899: ppp2 CHAP: O CHALLENGE id 1 len 25 from "P2R2"
*Sep 11 20:21:03.955: ppp2 CHAP: I RESPONSE id 1 len 28 from "p2user8"
*Sep 11 20:21:03.955: ppp2 PPP: Sent CHAP LOGIN Request
*Sep 11 20:21:03.967: ppp2 PPP: Received LOGIN Response FAIL
*Sep 11 20:21:03.967: ppp2 CHAP: O FAILURE id 1 len 25 msg is "Authentication f"
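The four debug displays above can be read by hand, but on a busy aggregator the useful triage step is to reduce them to one record per session. The following parser is an added example written for this page in Python; it is not part of the course material and not Cisco IOS code. It keys on the IOS line layout shown above (timestamp, PPP handle such as ppp557 or Vi2.1, subsystem, message) and on the exact strings the displays use: Phase is ..., O CHALLENGE ... from "...", I RESPONSE ... from "...", Received LOGIN Response PASS/FAIL, O SUCCESS, O FAILURE and O TERMREQ. The sample lines embedded in the block are copied from the displays above and concatenated into one constructed capture.

```python
import re
from collections import defaultdict

# Layout of one IOS debug line, e.g.
#   *Sep 11 19:29:51.766: ppp557 CHAP: I RESPONSE id 1 len 28 from "p2user8"
# timestamp, PPP handle (ppp557, or Vi2.1 once a virtual-access interface is bound),
# subsystem, free text.  Prompts and banners do not match and are skipped.
LINE_RE = re.compile(
    r'^\*?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): '
    r'(?P<handle>\S+) (?P<sub>PPP|LCP|CHAP|PAP|IPCP): (?P<text>.*)$')
PHASE_RE = re.compile(r'^Phase is ([A-Z]+)')
PEER_RE = re.compile(r'^(O CHALLENGE|I RESPONSE) id \d+ len \d+ from "([^"]*)"')

# Constructed sample: lines copied from the four debug displays above.
SAMPLE_DEBUG_LINES = [
    'P2R2#debug ppp neg',
    'PPP protocol negotiation debugging is on',
    '*Sep 11 19:29:51.766: ppp557 LCP: State is Open',
    '*Sep 11 19:29:51.766: ppp557 PPP: Phase is AUTHENTICATING, by this end',
    '*Sep 11 19:29:51.766: ppp557 CHAP: O CHALLENGE id 1 len 25 from "P2R2"',
    '*Sep 11 19:29:51.822: ppp557 CHAP: I RESPONSE id 1 len 28 from "p2user8"',
    '*Sep 11 19:29:51.822: ppp557 PPP: Phase is FORWARDING, Attempting Forward',
    '*Sep 11 19:29:51.826: ppp557 PPP: Phase is AUTHENTICATING, Unauthenticated User',
    '*Sep 11 19:29:51.826: ppp557 CHAP: O FAILURE id 1 len 26 msg is "Authentication"',
    '*Sep 11 19:29:51.826: ppp557 PPP: Phase is TERMINATING',
    '*Sep 11 19:29:51.826: ppp557 LCP: O TERMREQ [Open] id 3 len 4',
    '*Sep 12 09:33:53.491: ppp160 CHAP: O CHALLENGE id 1 len 25 from "P2R2"',
    '*Sep 12 09:33:53.547: ppp160 CHAP: I RESPONSE id 1 len 28 from "p2user8"',
    '*Sep 12 09:33:53.547: ppp160 PPP: Sent CHAP LOGIN Request',
    '*Sep 12 09:33:53.547: ppp160 PPP: Received LOGIN Response PASS',
    '*Sep 12 09:33:53.551: Vi2.1 CHAP: O SUCCESS id 1 len 4',
    '*Sep 11 20:21:03.899: ppp2 CHAP: O CHALLENGE id 1 len 25 from "P2R2"',
    '*Sep 11 20:21:03.955: ppp2 CHAP: I RESPONSE id 1 len 28 from "p2user8"',
    '*Sep 11 20:21:03.967: ppp2 PPP: Received LOGIN Response FAIL',
    '*Sep 11 20:21:03.967: ppp2 CHAP: O FAILURE id 1 len 25 msg is "Authentication f"',
]


def _new_session():
    return {"phases": [], "challenger": None, "user": None, "result": None, "terminated": False}


def summarize_ppp_debug(lines):
    """Fold debug ppp negotiation / debug ppp authentication output into one record
    per PPP handle: phase sequence, who challenged, which subscriber answered,
    the PASS/FAIL verdict and whether the link was torn down."""
    sessions = defaultdict(_new_session)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        s, sub, text = sessions[m["handle"]], m["sub"], m["text"]
        if sub == "PPP":
            phase = PHASE_RE.match(text)
            if phase:
                if not s["phases"] or s["phases"][-1] != phase[1]:
                    s["phases"].append(phase[1])           # collapse consecutive repeats only
                if phase[1] == "TERMINATING":
                    s["terminated"] = True
            elif text.endswith("LOGIN Response PASS"):     # AAA server said yes
                s["result"] = "PASS"
            elif text.endswith("LOGIN Response FAIL"):     # AAA server said no
                s["result"] = "FAIL"
        elif sub in ("CHAP", "PAP"):
            peer = PEER_RE.match(text)
            if peer:
                s["challenger" if peer[1] == "O CHALLENGE" else "user"] = peer[2]
            elif text.startswith("O FAILURE"):
                s["result"] = "FAIL"
            elif text.startswith("O SUCCESS"):
                s["result"] = "PASS"
        elif sub == "LCP" and text.startswith("O TERMREQ"):
            s["terminated"] = True
    return dict(sessions)


def failed_subscriber_logins(sessions):
    """(handle, subscriber, challenging NAS) for every session that failed
    authentication: the rows to alert on when one user ID keeps failing."""
    return [(h, s["user"], s["challenger"])
            for h, s in sorted(sessions.items()) if s["result"] == "FAIL"]
```

Because IOS switches from the pppNNN handle to the virtual-access interface (Vi2.1 above) once it binds one, the closing CHAP SUCCESS of a session can land under a second key; correlate on the timestamps if you need one record per subscriber. failed_subscriber_logins() is the list you would feed to an alert on repeated failures for a single user ID or from a single NAS.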



debug radius
The debug display shown in the illustration is the sequence of RADIUS exchanges during a successful subscriber authentication. Note that the CHAP-Password attribute is printed as * and carries the CHAP identifier and MD5 response, not the password itself, and that the shared secret configured with radius-server key never appears on the wire; it is used only to compute the Response Authenticator and to hide User-Password attributes.


debug radius

P2R2#debug radius
Radius protocol debugging is on
Radius packet protocol debugging is on
P2R2#
*Sep 9 20:21:10.216: RADIUS: AAA Unsupported [151] 10
*Sep 9 20:21:10.216: RADIUS: 33 2F 30 2F 30 2F 34 2E [3/0/0/4.]
*Sep 9 20:21:10.216: RADIUS(0003537A): Storing nasport 0 in rad_db
*Sep 9 20:21:10.216: RADIUS(0003537A): Config NAS IP: 0.0.0.0
*Sep 9 20:21:10.216: RADIUS/ENCODE(0003537A): acct_session_id: 217978
*Sep 9 20:21:10.216: RADIUS(0003537A): sending
*Sep 9 20:21:10.216: RADIUS/ENCODE: Best Local IP-Address 52.20.0.22 for Radiu1
*Sep 9 20:21:10.216: RADIUS(0003537A): Send Access-Request to 52.20.0.101:16458
*Sep 9 20:21:10.216: RADIUS: authenticator E5 AC 72 1F EC E9 58 10 - E8 FF 2C7
*Sep 9 20:21:10.216: RADIUS: Framed-Protocol [7] 6 PPP [1]
*Sep 9 20:21:10.220: RADIUS: User-Name [1] 9 "p2user1"
*Sep 9 20:21:10.220: RADIUS: CHAP-Password [3] 19 *
*Sep 9 20:21:10.220: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Sep 9 20:21:10.220: RADIUS: NAS-Port [5] 6 0
*Sep 9 20:21:10.220: RADIUS: Service-Type [6] 6 Framed [2]
*Sep 9 20:21:10.220: RADIUS: NAS-IP-Address [4] 6 52.20.0.22
*Sep 9 20:21:10.220: RADIUS: AAA Unsupported [151] 10
*Sep 9 20:21:10.220: RADIUS: 33 2F 30 2F 30 2F 34 2E [3/0/0/4.]
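The CHAP displays and the debug radius display above describe the same transaction from two sides; the following code carries it through end to end. It is an added example written for this page in Python, not Cisco IOS code, not the course's RADIUS server, and not a complete RADIUS implementation. It builds the Access-Request that debug radius prints (Framed-Protocol, User-Name, CHAP-Password, NAS-Port-Type, NAS-Port, Service-Type, NAS-IP-Address), shows why CHAP-Password is 19 octets long and is printed as *, has the server recompute the CHAP response from its users file, and has the NAS check the Response Authenticator on the reply. The user name p2user8 and NAS address 52.20.0.22 are taken from the displays; the password, the RADIUS shared secret and the packet identifier are made up for the example.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types (RFC 2865), as they appear in 'debug radius'
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, CHAP_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 3, 4, 5
SERVICE_TYPE, FRAMED_PROTOCOL, CHAP_CHALLENGE, NAS_PORT_TYPE = 6, 7, 60, 61
SERVICE_FRAMED, FRAMED_PPP, PORT_TYPE_VIRTUAL = 2, 1, 5


def chap_response(chap_id, secret, challenge):
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


def attr(atype, value):
    """Type-Length-Value; Length counts the two header octets (hence 'CHAP-Password [3] 19')."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def parse_attrs(blob):
    out = []
    while blob:
        atype, alen = blob[0], blob[1]
        if alen < 2 or alen > len(blob):
            raise ValueError("malformed RADIUS attribute")
        out.append((atype, blob[2:alen]))
        blob = blob[alen:]
    return out


def build_access_request(ident, challenge, username, chap_id, chap_resp, nas_ip):
    """The Access-Request the NAS sends for a CHAP subscriber.  The 16-octet CHAP
    challenge is carried in the Request Authenticator (RFC 2865 section 5.3), which is
    why the debug output shows no CHAP-Challenge attribute."""
    u32 = lambda v: struct.pack("!I", v)
    attrs = (attr(FRAMED_PROTOCOL, u32(FRAMED_PPP))
             + attr(USER_NAME, username.encode())
             + attr(CHAP_PASSWORD, bytes([chap_id]) + chap_resp)   # 1 + 16 octets
             + attr(NAS_PORT_TYPE, u32(PORT_TYPE_VIRTUAL))
             + attr(NAS_PORT, u32(0))
             + attr(SERVICE_TYPE, u32(SERVICE_FRAMED))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + challenge + attrs


def server_verify_chap(request, user_db):
    """AAA-server side.  CHAP obliges the server to hold the cleartext password
    (the RADIUS 'users' file) and recompute the response; a stored hash will not do."""
    attrs = dict(parse_attrs(request[20:]))
    chap_id, given = attrs[CHAP_PASSWORD][0], attrs[CHAP_PASSWORD][1:]
    challenge = attrs.get(CHAP_CHALLENGE, request[4:20])
    password = user_db.get(attrs[USER_NAME].decode())
    if password is None:
        return False
    return hmac.compare_digest(given, chap_response(chap_id, password, challenge))


def build_response(code, request, shared_secret, attrs=b""):
    """Response Authenticator = MD5(Code ID Length RequestAuth Attributes Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + shared_secret).digest() + attrs


def verify_response(response, request, shared_secret):
    """NAS side: accept the reply only if its identifier matches the pending request
    and its authenticator was computed with our shared secret."""
    head, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(head + request[4:20] + attrs + shared_secret).digest()
    return response[1] == request[1] and hmac.compare_digest(resp_auth, expected)


def chap_round_trip(username, password_tried, user_db, shared_secret, nas_ip="52.20.0.22"):
    """NAS challenges the subscriber, relays the answer to RADIUS, validates the reply.
    Returns (RADIUS response code, the Access-Request that was sent)."""
    chap_id, challenge = 1, os.urandom(16)                      # NAS:  O CHALLENGE id 1
    answer = chap_response(chap_id, password_tried, challenge)  # CPE:  I RESPONSE id 1
    request = build_access_request(7, challenge, username, chap_id, answer, nas_ip)
    code = ACCESS_ACCEPT if server_verify_chap(request, user_db) else ACCESS_REJECT
    response = build_response(code, request, shared_secret)     # server replies
    if not verify_response(response, request, shared_secret):   # NAS checks the reply
        raise ValueError("reply failed the Response Authenticator check; discard it")
    return response[0], request
```

Two points to take from this. CHAP never sends the password, but it forces the RADIUS server to keep every subscriber password in cleartext, so the users file is as sensitive as the shared secret; and because the challenge and the MD5 response both travel in the clear (snoop captures them), anyone on the path can run an offline dictionary attack against a weak subscriber password. On the reply side, the only thing that stops a forged Access-Accept from being believed by the NAS is the Response Authenticator computed over the shared secret, which is why a short or reused radius-server key matters.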


UNIX Commands
Overview
Although numerous UNIX commands could be used for troubleshooting
AAA and RADIUS-related problems, this module describes just two very
useful commands, snoop and tail.

snoop -V
The snoop command captures packets from the network and displays their contents. The -V switch selects verbose summary mode, which displays a summary line for each protocol layer in the packet.
In the display, notice the exchange between IP host 52.20.0.22 (P2R2) and RADIUS1. You should also note the use of UDP and port 1645, the authentication port. (1645 is the original RADIUS authentication port; RFC 2865 assigns 1812, and most servers listen on both. The NAS and the server must agree on the port, or the Access-Request goes unanswered.) This packet exchange verifies that the NAS and the AAA server are indeed exchanging RADIUS packets.


snoop -V

# snoop -V
Using device /dev/hme (promiscuous mode)
________________________________
          ? -> (multicast)  ETHER Type=0000 (LLC/802.3), size = 52 bytes
________________________________
    RADIUS1 -> (broadcast)  ETHER Type=0806 (ARP), size = 42 bytes
    RADIUS1 -> (broadcast)  ARP C Who is 52.20.0.22, 52.20.0.22 ?
________________________________
 52.20.0.22 -> RADIUS1      ETHER Type=0800 (IP), size = 120 bytes
 52.20.0.22 -> RADIUS1      IP  D=52.20.0.101 S=52.20.0.22 LEN=106, ID=6426
 52.20.0.22 -> RADIUS1      UDP D=1645 S=21724 LEN=86
________________________________
 52.20.0.22 -> RADIUS1      ETHER Type=0806 (ARP), size = 60 bytes
 52.20.0.22 -> RADIUS1      ARP R 52.20.0.22, 52.20.0.22 is 0:5:dc:39:c:60
________________________________
    RADIUS1 -> 52.20.0.22   ETHER Type=0800 (IP), size = 83 bytes
    RADIUS1 -> 52.20.0.22   IP  D=52.20.0.22 S=52.20.0.101 LEN=69, ID=42629
    RADIUS1 -> 52.20.0.22   UDP D=21724 S=1645 LEN=49
________________________________



tail -f radius.debug
The tail command is useful for dynamically monitoring information being written to the radius.debug file. Used in this form, tail displays the last ten lines of radius.debug, plus any lines that are appended to the file until the command is terminated. The radius.debug file captures RADIUS protocol exchanges between the NAS and the AAA server. A sample display is shown in the illustration.


tail -f radius.debug

# tail -f radius.debug
CHAP-Password = "\0x01%\0xda\0x10\0xfa\0xbf\0xc9\0x88@\0xf9\0xf4\0x83@\0x9a]
NAS-Port-Type = Virtual [flags = 0x00004500]
NAS-Port = 0 [flags = 0x00004500]
Service-Type = Framed-User [flags = 0x00004600]
NAS-IP-Address = 52.20.0.22 [flags = 0x00004500]
get_radrequest: Request from 34140016 (52.20.0.22[21724]) access, id = 167, len8
User-Id = "p2user2" [flags = 0x00000400]
Service-Type = Framed-User [flags = 0x00004600]
Framed-Protocol = PPP [flags = 0x00004600]
send_reply: Authentication: 167/76 'p2user2' from 52.20.0.22 port 0 PPP
Framed-Protocol = PPP [flags = 0x00004600]
User-Name = "p2user1" [flags = 0x00004500]
CHAP-Password = "\0x01\0xb7\0x06?2\0xe41\0x91\0x1b@\0xa3\0xa3\0x9d\0x1e4|\0]
NAS-Port-Type = Virtual [flags = 0x00004500]
NAS-Port = 0 [flags = 0x00004500]
Service-Type = Framed-User [flags = 0x00004600]
NAS-IP-Address = 52.20.0.22 [flags = 0x00004500]



tail -f logfile.<date>
A logfile is automatically created based on a 24-hour clock. The name format is logfile.yymmdd (for example, logfile.030910 for 10 September 2003). A script file that starts the RADIUS daemon, along with various switches, determines whether or not error and informational messages are entered into the radius.debug file and the logfile. An example of the logfile is shown in the illustration.


tail -f logfile.<date>

# tail -f logfile.030910
Wed Sep 10 01:16:49 2003: Authentication: 169/78 'p2user4' from 52.20.0.22 port0
Wed Sep 10 01:16:49 2003: Original-Authentication: 170/0 'p2user5' from 52.20.0P
Wed Sep 10 01:16:49 2003: Received-Authentication: 170/79 'p2user5' from 52.20.P
Wed Sep 10 01:16:49 2003: Authentication: 170/79 'p2user5' from 52.20.0.22 port0
Wed Sep 10 01:16:49 2003: Original-Authentication: 171/0 'p2user3' from 52.20.0P
Wed Sep 10 01:16:49 2003: Received-Authentication: 171/80 'p2user3' from 52.20.P
Wed Sep 10 01:16:49 2003: Authentication: 171/80 'p2user3' from 52.20.0.22 port0
Wed Sep 10 01:16:49 2003: Original-Authentication: 172/0 'p2user2' from 52.20.0P
Wed Sep 10 01:16:49 2003: Received-Authentication: 172/81 'p2user2' from 52.20.P
Wed Sep 10 01:16:49 2003: Authentication: 172/81 'p2user2' from 52.20.0.22 port0
Wed Sep 10 01:19:12 2003: Original-Authentication: 173/0 'p2user1' from 52.20.0P
Wed Sep 10 01:19:12 2003: Received-Authentication: 173/82 'p2user1' from 52.20.P
Wed Sep 10 01:19:12 2003: Authentication: 173/82 'p2user1' from 52.20.0.22 port0
Wed Sep 10 01:19:12 2003: Original-Authentication: 174/0 'p2user4' from 52.20.0P
Wed Sep 10 01:19:12 2003: Received-Authentication: 174/83 'p2user4' from 52.20.P
Wed Sep 10 01:19:12 2003: Authentication: 174/83 'p2user4' from 52.20.0.22 port0
Wed Sep 10 01:19:12 2003: Original-Authentication: 175/0 'p2user5' from 52.20.0P
Wed Sep 10 01:19:12 2003: Received-Authentication: 175/84 'p2user5' from 52.20.P
Wed Sep 10 01:19:12 2003: Authentication: 175/84 'p2user5' from 52.20.0.22 port0
^C#


Summary

AAA Services
In this module, you learned the following:
- Basic AAA concepts
- Concepts of the RADIUS protocol
- How to configure AAA for PPP authentication and authorization on Cisco routers using default method lists
- How to use Cisco IOS debug commands as aids in troubleshooting AAA authentication problems
- How to view RADIUS log files as aids in troubleshooting RADIUS authentication problems


Review Questions

AAA Services
1. Within the Cisco IOS software, AAA can be configured on which one of the following?
   a. console
   b. aux console
   c. tty
   d. vty lines
   e. all of the above
2. What new file is automatically created every 24 hours to contain RADIUS log information?
   a. clients file
   b. users file
   c. dictionary file
   d. radius.debug
   e. logfile.yymmdd
3. What are the distinct phases that a PPP link undergoes? Choose four.
   a. Link Establishment
   b. Authentication
   c. Link Alive
   d. Network Control Protocol
   e. Link Terminate
4. Which of the following statements are true? Choose four.
   a. RADIUS is a standards-based protocol.
   b. RADIUS protocol uses UDP and not TCP.
   c. RADIUS is designed to operate in a client/server model.
   d. The RADIUS-server key must be the same at both the NAS and the AAA server.
   e. RADIUS is supported only on a UNIX platform.

5. RADIUS vendor-specific attributes (VSAs) are derived from which IETF attribute?
   a. attribute 52
   b. attribute 62
   c. attribute 26
   d. attribute 25
   e. attribute 36


Module 7
L2TP

Overview
Description
In this module, you will learn about Layer 2 Tunneling Protocol (L2TP). You will learn how it works, examine a typical architecture, and learn about its benefits. You will perform hands-on exercises to configure, verify operation, and test L2TP.

Objectives
After completing this module, you will be able to do the following:
- Describe, at a high level, L2TP technology
- Identify the components that make up L2TP technology
- Describe how L2TP establishes tunnels and PPP sessions
- Configure L2TP on the LAC and LNS on Cisco routers
- Verify proper tunnel operation using various show and debug commands


L2TP Overview
The Layer 2 Tunneling Protocol (L2TP) provides a mechanism for
aggregation of multiple Layer 2 connections across packet-oriented data
networks. These Layer 2 connections are typically PPP sessions.

PPP Encapsulation
PPP encapsulation allows for transport of multiprotocol packets across
Layer 2 point-to-point links. With digital subscriber line (DSL), a user
obtains a Layer 2 connection to a network access server (NAS) over a DSL
connection and then runs PPP over that connection. The Layer 2
termination point and PPP session endpoint both reside on the NAS.

Extending PPP with L2TP


L2TP extends PPP by allowing the Layer 2 and PPP endpoints to reside on
different devices interconnected by a shared network. With L2TP, a user
has a Layer 2 connection to the L2TP access concentrator (LAC), which
then tunnels individual PPP frames to a remote L2TP network server
(LNS). This allows the processing of PPP packets to be separated from the
termination of the Layer 2 circuit.

Termination Benefits
The benefit of this separation is that the Layer 2 connection can terminate
on a local concentrator, which then extends the logical PPP session over a
shared infrastructure, such as the Internet, to the remote access server. To
the remote server, the user appears to be directly connected.


L2TP Overview (figure): two paths are compared. Without L2TP, the CPE's PPP session runs over a Layer 2 link through the DSLAM to a NAS, which is both the Layer 2 endpoint and the PPP session endpoint. With L2TP, the Layer 2 link from the CPE through the DSLAM ends at the LAC (Layer 2 endpoint), and the PPP session continues through an L2TP tunnel to the LNS (PPP session endpoint).


L2TP Components
The following section describes the fundamental components of L2TP and
explains how they work together to tunnel data across a shared network.

L2TP Access Concentrator

The user directly connects to the LAC, which resides between the home network (Cisco, in the illustration) and the remote user. The LAC's job is to tunnel PPP frames through the Internet to the LNS. It may tunnel any protocol carried within PPP. The LAC initiates incoming calls and receives outgoing calls.

L2TP Network Server

The LNS is the termination point for the L2TP tunnel where the home network is located. It is the home network's access point where PPP frames are processed and passed to higher layer protocols. An LNS can operate on any platform capable of PPP termination. The LNS handles the server side of the L2TP protocol. The LNS initiates outgoing calls and receives incoming calls.

Network Access Server

A NAS provides temporary, on-demand network access to users. The access is point-to-point, typically using PSTN or ISDN lines. A NAS may also serve as a LAC, LNS, or both. In Cisco's implementation of L2TP, the NAS serves as a LAC for incoming calls and as the LNS for outgoing calls. In this module the term NAS is used synonymously with LAC.

Session
A session is a single, tunneled PPP session. A session is also referred to as a call.

Tunnel
A tunnel is a virtual pipe between the LAC and the LNS that carries
multiple PPP sessions. It consists of user traffic and header information
necessary to support the tunnel.

AAA Server
An authentication, authorization, and accounting (AAA) server stores
domain and user information. At the LAC, the AAA server stores domain
information that is necessary for identifying and establishing the tunnel to
the remote LNS. At the LNS, the AAA server stores user information
needed for authenticating the tunnel user.


L2TP Components (figure): a CPE (bill@cisco.com) connects through a DSLAM to a LAC/router at the edge of an ATM network. Tunnel sessions run across the network to an LNS/router in the home network (Cisco network). The LAC consults an AAA server holding domain information (cisco.com); the LNS consults an AAA server holding user information (bill).


L2TP Tunnel and Session Identifiers


Tunnel ID
L2TP tunnels are described by identifiers that have only local significance at each end of the tunnel. The LAC and LNS ends of the tunnel will have different tunnel IDs. The tunnel ID sent in each message is that of the recipient's end of the tunnel, not the ID of the sender. Tunnel IDs are selected and exchanged during the tunnel setup process (described later in this module). The LAC uses the tunnel ID declared by the LNS, and the LNS uses the ID declared by the LAC.

Session ID
Multiple PPP connections can share the same L2TP tunnel using
independent sessions. L2TP sessions within the tunnel are distinguished
from each other using session identifiers that are assigned during the
session setup process. Like tunnel IDs, session IDs have local significance.
The session ID sent in a message is that of the recipient, not that of the
sender.


L2TP Tunnel and Session Identifiers (figure): an L2TP tunnel runs from a LAC across the provider network to an LNS that fronts the servers. The LAC end of the tunnel is Tunnel-ID A and the LNS end is Tunnel-ID B. Two sessions (User C and User E) share the tunnel, and each session carries a different Session-ID at each end (Session-IDs C, D, E, and F).


Encapsulations Supported
PPP Session Types
L2TP can support either PPPoA or PPPoE encapsulation on the PVC coming from the CPE.
The LAC accepts the PPP session and establishes the link. After the Link Control Protocol (LCP) has been negotiated, the LAC partially authenticates the end user with Challenge Handshake Authentication Protocol (CHAP) or Password Authentication Protocol (PAP): it collects the credentials but does not validate them, and it does not process the PPP packets further.

Session Authentication
The username@domain form of the username is used to verify that the user is a virtual private dial-up network (VPDN) client and to provide a mapping to a specific endpoint LNS. This information may be stored in the local configuration or on an AAA server. The tunnel endpoints (LAC and LNS) now authenticate each other and the tunnel is opened.
Once the tunnel exists, an L2TP session is created for the end user. Authentication of the user is done on the LNS at which the call terminates. Information necessary to identify the remote user can be stored in the AAA server or can be entered directly into the configuration of the LNS. The LAC propagates the LCP-negotiated options and the partially authenticated CHAP or PAP information to the LNS.


Encapsulations Supported (figure): the CPE connects through a DSLAM to a LAC using either PPPoA or PPPoE. Tunnel sessions carry PPP inside L2TP across the NAP network to the LNS. Both the LAC and the LNS consult AAA servers.


L2TP Message Format

L2TP places multiple headers on each packet between the LAC and LNS. This provides the tunnel and keeps the IP addresses of the service provider and the end user hidden from the shared network. Note that L2TP itself provides no encryption or integrity protection for the tunneled traffic; where that is required, L2TP is run over IPsec.

L2TP Message Components

The L2TP data message, which carries end-to-end IP packets, has the following components:

IP Header: The IP header contains source and destination IP addresses as well as encapsulated protocol information. The IP addresses are the addresses of the LAC and LNS.

UDP Header: The User Datagram Protocol (UDP) offers a non-guaranteed datagram delivery service. The port numbers (L2TP uses UDP port 1701) indicate that L2TP data follows.

L2TP Header: This header contains L2TP control and data message codes, tunnel and session identifiers, and optional message-sequencing identifiers.

PPP Header: The PPP header identifies the encapsulated protocol within the information field.

IP Packet: This packet contains the end-to-end user data exchanged between remote users.

Control and Data Messages

L2TP uses two types of messages: control messages and data messages. Control messages establish, maintain, and clear a tunnel and set up and clear sessions. Data messages encapsulate the PPP frames that are sent through the tunnel.

Guaranteed Message Delivery

L2TP guarantees the delivery of control messages through a reliable control channel. Messages in the control channel carry sequence numbers that detect loss or out-of-order delivery, and lost control messages are retransmitted.
Data messages may or may not carry sequence numbers and are not retransmitted when packet loss occurs.


L2TP Message Format (figure): protocol stacks at each hop of the path. At the customer premises (PC/xTU-R): IP over PPP over PPPoX over RFC 1483/AAL5/ATM/PHY. At the DSLAM: ATM/PHY. At the aggregator (LAC): the access side terminates PPPoX/1483/AAL5/ATM, and the core side carries PPP inside L2TP over UDP over IP over ATM, Frame Relay, or another link layer. The L3 core switches IP. At the LNS router: IP over PPP over L2TP over UDP over IP over the link layer, with plain IP delivered into the NSP/corporate network.


Incoming Call Sequence

This section describes how an incoming call is set up between a remote user, the LAC, and the LNS. An incoming call is received by the LAC to be tunneled to the LNS. Although this is a typical process, some variations are possible.
1. Incoming Call: The remote user initiates a PPP connection to the ISP. LCP negotiation is followed by PPP authentication. The PPP username is a fully qualified domain name in the format username@domain.com.
2. The NAS authenticates the user by sending a RADIUS Access-Request packet to the RADIUS server.
3. RADIUS returns an Access-Accept packet for a valid user. If the user's profile indicates that an L2TP tunnel is needed, RADIUS returns the following tunnel parameters:
   - LNS IP address
   - Tunnel type (L2TP)
   - L2TP tunnel password
   - Tunnel ID
4. The LAC accepts the connection, and the PPP link is established. The LAC partially authenticates the end user with CHAP or PAP.
5. The tunnel endpoints, the LAC and the LNS, must first authenticate each other (using the tunnel password returned in step 3) before any sessions are attempted within the tunnel. The LAC sends a Start-Control-Connection-Request (SCCRQ) message containing the following parameters:
   - Host name: host name of the issuing LAC
   - Framing capabilities: synchronous or asynchronous
   - LAC-assigned tunnel ID
6. The LNS returns a Start-Control-Connection-Reply (SCCRP) message indicating that the request was accepted and that establishment of the tunnel should continue. The SCCRP contains the following parameters:
   - Framing capabilities: synchronous or asynchronous
   - Host name: host name of the issuing LNS
   - LNS-assigned tunnel ID
7. The LAC responds with a Start-Control-Connection-Connected (SCCCN) message, which completes the tunnel establishment process. The LAC can now open an L2TP tunnel session for the incoming call. The SCCCN contains the following parameter:

Incoming Call Sequence (figure): the CPE (bill@cisco.com) sends a Call Request (1) to the LAC; the LAC sends an Access Request (2) to its RADIUS server (cisco.com), which returns an Access Accept carrying the L2TP parameters (3); the LAC answers the call with Call Accept (4). Tunnel setup between the LAC and the LNS then follows: SCCRQ (5), SCCRP (6), SCCCN (7).


Incoming Call Sequence (continued)

8. The LAC sends an Incoming-Call-Request (ICRQ) message that signals the need for an incoming call session through the tunnel. The ICRQ can contain the following parameters:
   - LAC-assigned session ID
   - Call serial number
   - Optional parameters: bearer type, physical channel ID, calling number, called number, and sub-address
9. The LNS sends an Access-Request packet to its RADIUS server to authenticate the incoming session.
10. The RADIUS server returns an Access-Accept packet for a valid session user.
11. The LNS responds to the ICRQ by sending an Incoming-Call-Reply (ICRP). This reply instructs the LAC to answer the incoming call (if it has not already done so). The ICRP contains the following parameter:
   - LNS-assigned session ID
12. The LAC now sends an Incoming-Call-Connected (ICCN) message indicating that the ICRP was accepted and the call has been answered. The ICCN message contains the following parameters:
   - Tx connect speed
   - Framing type: synchronous or asynchronous

The result is that the exchange process appears to take place between the dial-up user and the remote LNS exclusively, as if no intermediary device (the LAC) is involved.


Incoming Call Sequence, continued (figure): session setup within the tunnel. The LAC sends ICRQ (8) to the LNS; the LNS sends an Access Request (9) to its RADIUS server and receives an Access Accept (10); the LNS replies with ICRP (11); the LAC sends ICCN (12). The PPP session then runs end to end from the CPE to the LNS.


Forwarding PPP Frames


Frame Processing
Now that the L2TP tunnel and the session have been opened, PPP frames
from the users that are received at the LAC and LNS are stripped of CRC,
link framing, and transparency bytes and are encapsulated in L2TP
packets. The session ID and tunnel ID (specified by its peer) are placed in
the L2TP header for all outgoing messages. The assembled L2TP packets
are then forwarded by the LAC or LNS through the tunnel to its peer.
When the LAC or LNS receives the L2TP packet, it strips off the L2TP
header and processes the encapsulated PPP frame as if it were received on
a local PPP interface.

Multiplexing and Demultiplexing PPP Frames

The LAC and LNS are able to multiplex and demultiplex PPP frames over a single tunnel. Multiple tunnels may exist between a given LNS-LAC pair, each of which may provide a different quality of service, and multiple sessions may exist within each tunnel.

Data Packet Sequence Numbering

L2TP does not retransmit lost data messages, so data packets do not require sequence numbers. However, data packets may optionally use sequence numbers to detect lost packets and/or to restore the original sequence of packets that were received out of order during transport. The LAC may request that sequence numbers be present in data messages via the Sequencing Required parameter in the session setup packet. If this parameter is present during session setup, sequence numbers must be present at all times at the LNS and LAC.
If the Sequencing Required parameter is not present during session setup, sequence number presence is under the control of the LNS. If the LNS sends a data message with sequence numbers present at any time during the life of a session, the LAC must begin sending sequence numbers in future outgoing data messages. Conversely, if the LAC receives a data message without sequence numbers present, it must stop sending sequence numbers in future data messages.
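To make the identifier rule (the header carries the recipient's IDs), the header layout, the SCCRQ/SCCRP/SCCCN exchange of steps 5 to 7, and the optional data-message sequencing concrete, here is an added example in Python written for this page. It is not Cisco IOS code and not a complete L2TP stack: there are no retransmission timers, no Challenge/Challenge Response AVPs for the tunnel password, and no session setup. It encodes and decodes the L2TPv2 header and AVPs as RFC 2661 defines them and walks two endpoints through tunnel establishment so that each ends up holding the other's tunnel ID. The host names and tunnel IDs used below are made up.

```python
import struct

# L2TPv2 header flag bits (RFC 2661 section 3.1); the low nibble is the version (2)
T_BIT, L_BIT, S_BIT = 0x8000, 0x4000, 0x0800
VERSION = 2
# Control message types used in tunnel setup (RFC 2661 section 6)
SCCRQ, SCCRP, SCCCN = 1, 2, 3
# AVP attribute types (RFC 2661 section 4.4)
AVP_MSG_TYPE, AVP_FRAMING_CAP, AVP_HOST_NAME, AVP_ASSIGNED_TID = 0, 3, 7, 9


def build_avp(attr_type, value, mandatory=True):
    """AVP = M/H bits + 10-bit length | Vendor ID (0 = IETF) | Attribute Type | Value."""
    flags = (0x8000 if mandatory else 0) | (6 + len(value))
    return struct.pack("!HHH", flags, 0, attr_type) + value


def parse_avps(body):
    avps = {}
    while body:
        flags, _vendor, attr_type = struct.unpack("!HHH", body[:6])
        length = flags & 0x03FF
        if length < 6 or length > len(body):
            raise ValueError("malformed AVP length")
        avps[attr_type] = body[6:length]
        body = body[length:]
    return avps


def build_message(tunnel_id, session_id, payload, control=True, ns=None, nr=None):
    """tunnel_id/session_id are the RECIPIENT's IDs.  Control messages always carry
    Length and Ns/Nr; a data message carries Ns/Nr only when sequencing is in use."""
    flags = VERSION | ((T_BIT | L_BIT | S_BIT) if control else (S_BIT if ns is not None else 0))
    ids = struct.pack("!HH", tunnel_id, session_id)
    if flags & S_BIT:
        ids += struct.pack("!HH", ns, nr)
    length = struct.pack("!H", 4 + len(ids) + len(payload)) if flags & L_BIT else b""
    return struct.pack("!H", flags) + length + ids + payload


def parse_message(pkt):
    (flags,) = struct.unpack("!H", pkt[:2])
    if (flags & 0x000F) != VERSION:
        raise ValueError("not an L2TPv2 message")
    pos, msg = 2, {"control": bool(flags & T_BIT)}
    if flags & L_BIT:
        (length,) = struct.unpack("!H", pkt[pos:pos + 2])
        pos += 2
        if length != len(pkt):
            raise ValueError("Length field disagrees with datagram size")
    msg["tunnel_id"], msg["session_id"] = struct.unpack("!HH", pkt[pos:pos + 4])
    pos += 4
    if flags & S_BIT:
        msg["ns"], msg["nr"] = struct.unpack("!HH", pkt[pos:pos + 4])
        pos += 4
    msg["payload"] = pkt[pos:]
    return msg


class Endpoint:
    """Control-connection state of one tunnel end (LAC or LNS)."""

    def __init__(self, host_name, local_tid):
        self.host_name, self.local_tid, self.peer_tid = host_name, local_tid, None
        self.ns = self.nr = 0

    def control(self, msg_type, extra_avps=()):
        body = build_avp(AVP_MSG_TYPE, struct.pack("!H", msg_type))  # Message Type comes first
        body += build_avp(AVP_HOST_NAME, self.host_name.encode())
        for attr_type, value in extra_avps:
            body += build_avp(attr_type, value)
        # The header carries the PEER's tunnel ID; 0 until the peer has announced one
        pkt = build_message(self.peer_tid or 0, 0, body, ns=self.ns, nr=self.nr)
        self.ns += 1
        return pkt

    def receive(self, pkt):
        msg = parse_message(pkt)
        if not msg["control"]:
            raise ValueError("data message handed to the control connection")
        allowed = {self.local_tid} | ({0} if self.peer_tid is None else set())
        if msg["tunnel_id"] not in allowed:
            raise ValueError(f"{self.host_name}: tunnel ID {msg['tunnel_id']} is not mine")
        self.nr = msg["ns"] + 1                      # acknowledge the peer's Ns
        avps = parse_avps(msg["payload"])
        if AVP_ASSIGNED_TID in avps:                 # learn the ID the peer chose for itself
            (self.peer_tid,) = struct.unpack("!H", avps[AVP_ASSIGNED_TID])
        return struct.unpack("!H", avps[AVP_MSG_TYPE])[0], avps


def tunnel_setup(lac, lns):
    """Steps 5 to 7 of the incoming call sequence: SCCRQ, SCCRP, SCCCN.
    Returns (ID the LAC now uses for the LNS, ID the LNS now uses for the LAC)."""
    def setup_avps(ep):                              # Framing Capabilities 0x3 = sync + async
        return [(AVP_FRAMING_CAP, struct.pack("!I", 0x3)),
                (AVP_ASSIGNED_TID, struct.pack("!H", ep.local_tid))]
    lns.receive(lac.control(SCCRQ, setup_avps(lac)))
    lac.receive(lns.control(SCCRP, setup_avps(lns)))
    lns.receive(lac.control(SCCCN))
    return lac.peer_tid, lns.peer_tid
```

The check in receive() is the one a real LNS performs on every control message: a datagram whose Tunnel ID this end never assigned is discarded, which is what keeps someone who knows only the LNS address from injecting control messages into another subscriber's tunnel. It is not authentication, since anyone who can see the wire learns the IDs; that is what the tunnel password (the Challenge and Challenge Response AVPs omitted here) and, for the data path, IPsec are for.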


PPP Frame Forwarding (figure): a PPP frame from the CPE arrives at the LAC, is carried as an L2TP frame through the tunnel session to the LNS, and is handed on as a PPP frame toward the server.


Call Disconnect Sequence

The following procedure describes the call disconnect process in L2TP. Either the LAC or the LNS can initiate this procedure. In this example, the closing of the L2TP session is initiated by the LAC in response to the Call Disconnect from the user. Since there are no other active L2TP sessions, the LAC also closes the L2TP tunnel.
1. Call Disconnect: The PPP session from the end user is disconnected.
2. The LAC issues a Call-Disconnect-Notify (CDN) message to request the disconnection of a specified call within the tunnel. It informs the LNS of the disconnection and provides a cause code. The following parameters are present in the CDN:
   - Result Code: reason for terminating the session
   - Assigned session ID
   - Cause Code (optional): additional information on the call disconnection
3. A Zero-Length Body (ZLB) acknowledgement is sent if there are no more messages in the queue waiting to be sent to the LAC.

Note: If there are no other active sessions, the following messages are exchanged to shut down the tunnel.

4. To shut down the tunnel, the LAC now issues a Stop-Control-Connection-Notification (StopCCN). The StopCCN notifies the LNS that the tunnel is being shut down and the control connection should be closed. In addition, all active sessions are implicitly cleared without the sending of additional CDN messages. The following parameters are present in the StopCCN message:
   - Assigned tunnel ID
   - Result Code: reason for terminating the tunnel
5. There is no explicit acknowledgement to the StopCCN message other than the ZLB ACK message sent by the transport layer.


Call Disconnect Sequence (figure): the CPE sends Call Disconnect (1) to the LAC; the LAC sends CDN to the LNS, which answers with a ZLB ACK; the LAC then sends StopCCN, the LNS answers with a ZLB ACK, and the tunnel is shut down.


Typical L2TP Scenarios

Wholesale Dial-In for Service Providers
The goal of Internet service providers (ISPs) is to build and maintain affordable networks of geographically dispersed points of presence (PoPs). By outsourcing dial and xDSL access from Internet wholesalers, telcos, Regional Bell Operating Companies (RBOCs), carriers, or other service providers who already have the dispersed PoPs, the medium-sized ISP can build revenue while overcoming resource constraints. These outsourcing services, known as "wholesale Internet" or "wholesale access", can use L2TP technology to offload Internet dialup network traffic from the service provider's traditional voice network, creating new revenue streams over existing, underutilized links and offering added flexibility to growing ISPs.

Service Provider Motivations
The service provider has the following motivations for establishing wholesale access:
- To remain competitive, it must offer worldwide roaming dialup service.
- Leasing access VPDN service from a large ISP is more cost-effective than maintaining an 800 number for roaming service.
- It does not have the resources to maintain geographically dispersed PoPs.

Service Provider Benefits
The benefits gained by the ISP in using wholesale service are:
- Offers end-to-end custom solutions that help differentiate the ISP in a competitive market
- Eliminates responsibility for managing the enterprise customer user database
- Allows expansion to broadband technologies such as cable and wireless


Wholesale Dial-In for Service Providers (figure): dial-in users reach the service provider network over the PSTN and terminate on a LAC; an L2TP tunnel carries their sessions across the service provider network to an LNS router in the ISP network, behind which a forwarding router connects onward.

721

L2TP

Module 7

Typical L2TP Scenarios (continued)

Remote Access to Enterprise Network
The rise of telecommuting, the need to conduct business globally, and the value and necessity of creating stronger strategic links with suppliers, customers, and dealers create a huge demand for remote network access at a large multinational corporation.
Enterprise customers want to establish secure, comprehensive dial service for their employees and partners. Some enterprises also want dial-out service to upload information from their central network to remote sites.

Enterprise Customer Motivation
The enterprise customer has the following motivations for establishing the access VPDN:
- As the enterprise grows, it is forced to purchase more access servers and lease more phone lines to allow its employees remote access.
- As the IT infrastructure of the enterprise grows, the enterprise must hire more network administrators.
- The increasing complexity of the IT infrastructure of the enterprise causes increased network delays and failures.
- Long-distance and 800 number phone bills increase.

Enterprise Customer Benefits
The benefits gained by implementing access VPDNs are:
- Allows enterprise customers to focus on their core business responsibilities
- Minimizes equipment costs
- Simplifies the complexity of upgrading technology
- Eliminates the need to maintain internetworking expertise
- Reduces long-distance and 800 number costs


Figure: Remote Access to Enterprise Network. A Small Office/Home Office router dials into the ISP network (LAC); an L2TP tunnel, the access VPN, carries the session to the LNS and the enterprise network router.

L2TP Configuration Overview

Establishment of L2TP tunnels requires configuration of both the LAC and the LNS. The AAA functions occur at both ends of the tunnel. The LAC and LNS can create tunnels in two scenarios:
- Without using a separate AAA server such as RADIUS
- Using a separate AAA server such as RADIUS

L2TP Without RADIUS
Letting the LAC and LNS provide the AAA functions without a separate AAA server is less common than using a separate AAA server. This type of deployment might be used in small networks. The following are some of the limitations when AAA is handled by the router:
- Does not scale well
- Limited backup
- Can require more configuration effort

L2TP with RADIUS
This is the most common implementation of L2TP in large networks. AAA functions are handled by the external server rather than by the LAC and LNS. The following are some of the reasons for using external AAA servers such as RADIUS:
- Scales better
- Allows redundant AAA servers
- Centralized user configuration


Figure: L2TP Configuration Overview. CPEs (PPPoA and PPPoE) connect through the DSLAM to the aggregation device acting as LAC; tunnels cross the IP core to the LNS of ISP1.com and the LNS of ISP2.com, each with its own RADIUS server. Slide points: configure both LAC and LNS; configuration scenarios: without RADIUS, with RADIUS.

L2TP Tunnel Attributes

L2TP tunnels have several attributes used to control the establishment of a tunnel between the LAC and LNS. These attributes include the following:
- Tunnel type (L2TP)
- Tunnel password
- Name of the LAC

These three attributes must match at both the LAC and LNS in order to successfully create the tunnel.
The following attributes are also needed at the LAC and LNS:
- At the LAC, the destination domain to which the user session is forwarded
- At the LAC, the destination IP address of the LNS
- At the LNS, the local name of the LNS

Using VPDN Groups Versus AAA Servers
The tunnel attributes may be stored directly on the LAC and LNS in a VPDN group or may be obtained from an AAA server, such as a RADIUS server. The following describes where each method might be used when the LAC needs to establish a tunnel to the LNS:
- Using a VPDN group to store the tunnel attributes is suitable for small networks that support a single tunnel or a few tunnels.
- Using a RADIUS server to store the tunnel attributes is the ideal solution in large networks that may support multiple tunnels.


Figure: L2TP Tunnel Attributes. The LAC in the NAP network and the LNS each have a RADIUS server.
LAC attributes: tunnel type (L2TP), destination domain, destination LNS (IP address), local LAC name, tunnel password.
LNS attributes: tunnel type (L2TP), remote LAC name, local LNS name, tunnel password.

L2TP Configuration Without RADIUS

Implementing L2TP tunneling without using RADIUS involves specific tasks on both the LAC and the LNS.

On the LAC
1. Configure authentication for PPP sessions.
2. Enable VPDN.
3. Define a VPDN group, to which you will apply all VPDN attributes for the LAC.
4. Enable the LAC to request L2TP tunnels.

On the LNS
1. Configure authentication for PPP sessions.
2. Enable VPDN.
3. Define a VPDN group, to which you will apply all VPDN attributes for the LNS.
4. Enable the LNS to receive L2TP tunnels.
5. Define the virtual template interface for the tunnel.
Additional VPDN and L2TP commands can be applied as needed to fine-tune parameters to suit your network.


Figure: Configuring L2TP Without RADIUS (same topology as the overview: CPEs, DSLAM, aggregation device as LAC, IP core, LNS for ISP1.com and ISP2.com). On the LAC: 1. Configure authentication; 2. Enable VPDN; 3. Define a VPDN group; 4. Enable the LAC to request L2TP tunnels. On the LNS: 1. Configure authentication; 2. Enable VPDN; 3. Define a VPDN group; 4. Enable the LNS to receive L2TP tunnels; 5. Define the virtual template for the VPDN group.

L2TP Configuration Without RADIUS (continued)

Configuring the LAC with Local Authentication
Complete the following general steps on the Cisco LAC router when no external RADIUS server is used to authenticate users and provide tunnel attributes.
1. Define a username and password that subscribers use for PPP authentication.
2. Enable AAA.
3. Define the AAA method list for PPP authentication. Use local authentication to search the local database on the router.
4. Enable VPDN.
5. Create a VPDN group with a name identifier.
6. On the VPDN group, request dial-in calls to initiate a tunnel to the LNS.
7. On the VPDN group request dial-in, indicate that the tunneling protocol to be used is L2TP.
8. On the VPDN group request dial-in, indicate the domain name to which the tunnel will be established.
9. On the VPDN group, indicate the IP address of the LNS to which the tunnel will be initiated.
10. On the VPDN group, provide the local name of the LAC.
11. On the VPDN group, provide the L2TP tunnel password.
12. (Optional) Define a username and password for the LAC. If the password used here is the same as the L2TP tunnel password, then the previous step may be omitted.

Configuring the LAC with Local Authentication (configuration example; the comment lines map each command to the numbered steps above)

! Step 1: subscriber usernames for PPP authentication (domain matches the VPDN group below)
username p1user1@isp1.com password 0 lab
username p1user2@isp1.com password 0 lab
username p1user3@isp1.com password 0 lab
! Step 12 (optional): LAC credentials; if this password equals the tunnel password, step 11 may be omitted
username LAC1 password 0 cisco
!
! Steps 2-3: enable AAA and authenticate login and PPP against the local database
aaa new-model
aaa authentication login default local
aaa authentication ppp default local
!
! Step 4
vpdn enable
!
! Steps 5-11
vpdn-group l2tp
 request-dialin
  protocol l2tp
  domain isp1.com
 initiate-to ip 200.0.0.13
 local name LAC1
 l2tp tunnel password 0 cisco


L2TP Configuration Without RADIUS (continued)


Configuring the LNS with Local Authentication
Complete the following general steps on the Cisco LNS router when no
external RADIUS server is used to authenticate users and provide tunnel
attributes.
1. Define a username and password that subscribers use for PPP
authentication.
2. Enable AAA.
3. Define the AAA method list for PPP authentication. Use local
authentication to search the local database on the router.
4. Enable VPDN.
5. Create a VPDN group with a name identifier.
6. On the VPDN group, accept dial-in calls from the LAC.
7. On the VPDN group accept dial-in, indicate that the tunneling protocol
to be used is L2TP.
8. On the VPDN group accept dial-in, indicate the virtual template used
for cloning virtual access interfaces.
9. On the VPDN group, indicate the host name of the LAC from which
tunnel initiation requests will be accepted.
10. On the VPDN group, provide the local name of the LNS.
11. On the VPDN group, provide the L2TP tunnel password.
12. (Optional) Define a username and password for the LNS. If the
password used here is the same as the L2TP tunnel password, then the
previous step may be omitted.
13. Create a loopback interface with an IP address in the range of
addresses assigned to the subscribers.

Configuring the LNS with Local Authentication (configuration example; the comment lines map each command to the numbered steps)

! Step 1: subscriber usernames for PPP authentication
username p1user1@isp1.com password 0 lab
username p1user2@isp1.com password 0 lab
username p1user3@isp1.com password 0 lab
! Step 12 (optional): LNS credentials; if this password equals the tunnel password, step 11 may be omitted
username LNS1 password 0 cisco
!
! Steps 2-3: enable AAA and authenticate login and PPP against the local database
aaa new-model
aaa authentication login default local
aaa authentication ppp default local
!
! Step 4
vpdn enable
!
! Steps 5-11
vpdn-group l2tp
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname LAC1
 local name LNS1
 l2tp tunnel password 0 cisco
!
! Step 13: loopback in the subscriber address range
interface loopback1
 ip address 192.168.1.1 255.255.255.0
!
! Steps 14-17: virtual template cloned for each subscriber session
interface Virtual-Template1
 ip unnumbered Loopback1
 peer default ip address pool LNSpool
 no keepalive
 ppp authentication chap
!
! Step 18: addresses allocated to subscribers
ip local pool LNSpool 192.168.1.2 192.168.1.254


L2TP Configuration Without RADIUS (continued)


Configuring the LNS with Local Authentication (continued)
14. Create a virtual template interface with a numerical identifier.
15. On the virtual template interface, assign an IP unnumbered association
to the loopback interface.
16. On the virtual template interface, point to a peer default IP address
pool.
17. On the virtual template interface, indicate the type of PPP
authentication that is used for the subscribers.
18. Create an IP local pool with a range of addresses that the router uses to
allocate to the subscribers.
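The match check from L2TP Tunnel Attributes applied to the LAC and LNS configurations above, as an added Python example (not Cisco code): it parses both vpdn-group stanzas, reports a mismatch in tunnel type, tunnel password or LAC name, confirms the attributes each side needs on its own, and flags the type 0 tunnel passwords these examples use. The embedded configuration text is the module's; the function names and result format are this example's own.

```python
"""Check a LAC/LNS vpdn-group pair for the L2TP tunnel attributes that must
match at both ends (added example, not Cisco code; configs are the module's)."""
import re
from typing import Dict, List, Optional, Tuple

Group = Dict[str, Optional[str]]

LAC_CONFIG = """\
vpdn enable
vpdn-group l2tp
 request-dialin
  protocol l2tp
  domain isp1.com
 initiate-to ip 200.0.0.13
 local name LAC1
 l2tp tunnel password 0 cisco
"""
LNS_CONFIG = """\
vpdn enable
vpdn-group l2tp
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname LAC1
 local name LNS1
 l2tp tunnel password 0 cisco
"""

def parse_vpdn_groups(config: str) -> Dict[str, Group]:
    """Collect every 'vpdn-group <name>' stanza; its sub-commands are indented."""
    groups: Dict[str, Group] = {}
    cur: Optional[Group] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():                       # a new top-level command
            m = re.match(r"vpdn-group\s+(\S+)$", line)
            cur = groups.setdefault(m.group(1), {"name": m.group(1)}) if m else None
            continue
        if cur is None:
            continue
        t = line.split()
        if t[0] in ("request-dialin", "accept-dialin"):
            cur["role"] = t[0]                         # LAC requests, LNS accepts
        elif t[0] in ("protocol", "domain", "virtual-template"):
            cur[t[0]] = t[1]
        elif t[0] in ("initiate-to", "terminate-from"):
            cur[t[0]] = t[2]   # "initiate-to ip <LNS addr>", "terminate-from hostname <LAC>"
        elif t[:2] == ["local", "name"]:
            cur["local-name"] = t[2]
        elif t[:3] == ["l2tp", "tunnel", "password"]:
            # "l2tp tunnel password [0|7] <secret>": the type digit is optional
            cur["password-type"] = t[3] if len(t) > 4 else None
            cur["password"] = t[-1]
    return groups

def check_tunnel(lac: Group, lns: Group) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) for a LAC group and the LNS group it tunnels to."""
    errors: List[str] = []
    warnings: List[str] = []
    if (lac.get("role"), lns.get("role")) != ("request-dialin", "accept-dialin"):
        errors.append(f"roles: LAC {lac.get('role')}, LNS {lns.get('role')}")
    # the three attributes that must be identical at both ends of the tunnel
    if not (lac.get("protocol") == lns.get("protocol") == "l2tp"):
        errors.append(f"tunnel type: LAC {lac.get('protocol')} vs LNS {lns.get('protocol')}")
    if lac.get("password") != lns.get("password"):
        errors.append("tunnel password differs between LAC and LNS")
    if lac.get("local-name") != lns.get("terminate-from"):
        errors.append(f"LAC name: LAC announces {lac.get('local-name')!r}, "
                      f"LNS terminates from {lns.get('terminate-from')!r}")
    # the attributes each side additionally needs on its own
    for side, g, key in (("LAC", lac, "domain"), ("LAC", lac, "initiate-to"),
                         ("LNS", lns, "local-name"), ("LNS", lns, "virtual-template")):
        if not g.get(key):
            errors.append(f"{side}: missing {key}")
    for side, g in (("LAC", lac), ("LNS", lns)):
        if g.get("password-type") == "0":
            warnings.append(f"{side}: tunnel password stored in cleartext (type 0)")
        elif g.get("password-type") == "7":
            warnings.append(f"{side}: type 7 is a reversible encoding, not a hash")
    return errors, warnings

def check_configs(lac_cfg: str, lns_cfg: str, group: str = "l2tp"):
    """Parse both configs and compare the vpdn-group of the given name."""
    return check_tunnel(parse_vpdn_groups(lac_cfg)[group], parse_vpdn_groups(lns_cfg)[group])

if __name__ == "__main__":
    errs, warns = check_configs(LAC_CONFIG, LNS_CONFIG)
    print("errors:", errs or "none")   # none: the module's LAC and LNS agree
    print("warnings:", warns)          # both ends keep the tunnel password as type 0
```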


L2TP Configuration with RADIUS

Using external AAA servers with L2TP removes a significant portion of the configuration tasks from the LAC and LNS. The illustration shows that the RADIUS server is connected to both the LAC and the LNS and that it will provide authentication services. The following describes the configuration tasks performed on the RADIUS server, LAC, and LNS.

On RADIUS
1. Configure user profiles for the domain and the PPP user.
2. Configure client profiles for the LAC and the LNS.
3. Configure a service profile for the L2TP tunnel.

On the LAC
1. Configure authentication for PPP sessions.
2. Enable VPDN.
3. Configure the RADIUS server.

On the LNS
1. Configure authentication for PPP sessions.
2. Configure the RADIUS server.
3. Enable VPDN.
4. Define a VPDN group to which you will apply all VPDN attributes for the LNS.
5. Enable the LNS to receive L2TP tunnels.
6. Define the virtual template interface for the tunnel.
Additional VPDN and L2TP commands can be applied as needed to fine-tune parameters to suit your network.


Figure: L2TP Configuration with RADIUS. Subscriber bill@cisco.com in the home network connects through the CPE and DSLAM across the ATM network to the LAC/router; tunnel sessions reach the LNS/router in the Cisco.com network. The AAA server beside the LAC holds the domain information; the AAA server beside the LNS holds the user information (bill). Slide points: On RADIUS: 1. Configure user profiles for the domain and the PPP user; 2. Configure client profiles for the LAC and LNS; 3. Configure an L2TP service profile. On the LAC: 1. Configure authentication; 2. Enable VPDN; 3. Configure the RADIUS server. On the LNS: 1. Configure authentication; 2. Configure the RADIUS server; 3. Enable VPDN; 4. Define a VPDN group; 5. Enable the LNS to receive L2TP tunnels; 6. Define the virtual template for the tunnel.

L2TP Configuration with RADIUS (continued)

Configuring the RADIUS Server
The following pages explain configuration of the user, client, and tunnel profiles on the RADIUS server using Cisco Access Registrar.

Configuring User Profiles
The default userlist of each Access Registrar server must be updated to include a new user. The first AAA server must define the domain name (example: cisco.com) as a new user, to identify the Access-Request coming from the LAC. The second AAA server must define the user as user@domainname (example: bill@cisco.com), to identify the user contained in the Access-Request coming from the LNS.
The following is an example of a completed userlist entry:

bill@cisco.com/
  Name = bill@cisco.com
  Description =
  Password = <encrypted> (cisco)
  Enabled = TRUE
  Group~ =
  BaseProfile~ = default-PPP-users
  AuthenticationScript~ =
  AuthorizationScript~ =
  UserDefined1 =


Figure: Configuring User Profiles. The AAA server beside the LAC holds the domain entry cisco.com; the AAA server beside the LNS holds the user entry bill (bill@cisco.com). Tunnel sessions run between the LAC/router and the LNS/router.

L2TP Configuration with RADIUS (continued)

Configuring the RADIUS Server (continued)
Configuring Clients
Both the LAC and LNS must be configured as clients of the Access Registrar servers. Each communicates with one of the Access Registrar servers during the tunnel creation process and must appear in the clients list.
The following is an example of a completed client profile entry:

Lac1/
  Name = lac1
  Description =
  IPAddress = 172.16.0.1
  SharedSecret = cisco
  Type = NAS
  Vendor =
  IncomingScript~ =
  OutgoingScript~ =
  UseDNIS = FALSE
  DeviceName =
  DevicePassword =


Figure: Configuring Clients. The client profile for the LAC is held on the AAA server beside the LAC (domain information, cisco.com); the client profile for the LNS is held on the AAA server beside the LNS (user information, bill). Tunnel sessions run between the LAC/router and the LNS/router.

L2TP Configuration with RADIUS (continued)

Configuring the RADIUS Server (continued)
Configuring an L2TP Profile
A profile must be created for the tunnel to be set up between the LAC and the LNS. This tunnel profile would normally reside on the Access Registrar server off the LAC and has attributes that describe the tunnel ID, its type, the IP address of the destination (LNS), and the tunnel password.
The following is an example of a completed L2TP profile entry:

cisconet/
  Name = cisconet
  Description =
  Attributes/
    cisco-avpair = vpdn:tunnel-id=cisconet
    cisco-avpair = vpdn:tunnel-type=l2tp
    cisco-avpair = vpdn:ip-addresses=200.0.0.13
    cisco-avpair = vpdn:l2tp-tunnel-password=cisco

Figure: Configuring an L2TP Profile. The L2TP service profile cisconet (tunnel ID, tunnel password, tunnel type, destination LNS address) sits with the domain information on the AAA server beside the LAC; the user information (bill) is on the AAA server beside the LNS.

L2TP Configuration with RADIUS (continued)

Configuring the LAC with RADIUS Authentication
Complete the following general steps on the Cisco LAC router when an external RADIUS server is used to authenticate users and provide tunnel attributes.
1. Enable AAA.
2. Define the AAA method list for PPP authentication. Use RADIUS as the first method in the method list.
3. Create a RADIUS server host definition that indicates the IP address or host name of the RADIUS server. The authentication and accounting port numbers are optional if the RADIUS server is using the well-known port numbers.
4. Define the RADIUS server key. This must match the shared secret assigned to the LAC in the RADIUS client definition.
5. Enable VPDN.

Note: If the RADIUS server provides the L2TP tunnel attributes using a tunnel profile definition, then the VPDN group is not used.

6. Create a VPDN group with a name identifier.
7. On the VPDN group, request dial-in calls to initiate a tunnel to the LNS.
8. On the VPDN group request dial-in, indicate that the tunneling protocol to be used is L2TP.
9. On the VPDN group request dial-in, indicate the domain name to which the tunnel will be established.
10. On the VPDN group, indicate the IP address of the LNS to which the tunnel will be initiated.
11. On the VPDN group, provide the local name of the LAC.
12. On the VPDN group, provide the L2TP tunnel password.
13. (Optional) Define a username and password for the LAC. If the password used here is the same as the L2TP tunnel password, then the previous step may be omitted.

Configuring the LAC with RADIUS Authentication (configuration example; the comment lines map each command to the numbered steps above)

! Steps 1-2: enable AAA; RADIUS is tried first for PPP, the local database is the fallback
aaa new-model
aaa authentication login default local
aaa authentication ppp default group radius local
!
! Step 13 (optional): LAC credentials; if this password equals the tunnel password, step 12 may be omitted
username LAC1 password 0 cisco
!
! Step 5
vpdn enable
!
! Steps 6-12 (optional): not used when the RADIUS tunnel profile supplies the tunnel attributes
vpdn-group l2tp
 request-dialin
  protocol l2tp
  domain isp1.com
 initiate-to ip 200.0.0.13
 local name LAC1
 l2tp tunnel password 0 cisco
!
! Steps 3-4: RADIUS server host and shared secret (the ports may be omitted when the well-known ports are used)
radius-server host 52.20.0.101 auth-port 1645 acct-port 1646
radius-server key cisco


L2TP Configuration with RADIUS (continued)

Configuring the LNS with RADIUS Authentication
Complete the following general steps on the Cisco LNS router when an external RADIUS server is used to authenticate users and provide tunnel attributes.
1. Enable AAA.
2. Define the AAA method list for PPP authentication. Use RADIUS as the first method in the method list, with the local database as the fallback.
3. Create a RADIUS server host definition that indicates the IP address or host name of the RADIUS server. The authentication and accounting port numbers are optional if the RADIUS server is using the well-known port numbers.
4. Define the RADIUS server key. This must match the shared secret assigned to the LNS in the RADIUS client definition.
5. Enable VPDN.
6. Create a VPDN group with a name identifier.
7. On the VPDN group, accept dial-in calls from the LAC.
8. On the VPDN group accept dial-in, indicate that the tunneling protocol to be used is L2TP.
9. On the VPDN group accept dial-in, indicate the virtual template used for cloning virtual access interfaces.
10. On the VPDN group, indicate the host name of the LAC from which tunnel initiation requests will be accepted.
11. On the VPDN group, provide the local name of the LNS.
12. On the VPDN group, provide the L2TP tunnel password.
13. (Optional) Define a username and password for the LNS. If the password used here is the same as the L2TP tunnel password, then the previous step may be omitted.
14. Create a loopback interface with an IP address in the range of addresses assigned to the subscribers.

Configuring the LNS with RADIUS Authentication (configuration example; the comment lines map each command to the numbered steps)

! Step 13 (optional): LNS credentials; if this password equals the tunnel password, step 12 may be omitted
username LNS1 password 0 cisco
!
! Steps 1-2: enable AAA; RADIUS is tried first for PPP, the local database is the fallback
aaa new-model
aaa authentication login default local
aaa authentication ppp default group radius local
!
! Step 5
vpdn enable
!
! Steps 6-12
vpdn-group l2tp
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname LAC1
 local name LNS1
 l2tp tunnel password 0 cisco
!
! Step 14: loopback in the subscriber address range
interface loopback1
 ip address 192.168.1.1 255.255.255.0
!
! Steps 15-18: virtual template cloned for each subscriber session
interface Virtual-Template1
 ip unnumbered Loopback1
 peer default ip address pool LNSpool
 no keepalive
 ppp authentication chap
!
! Step 19: addresses allocated to subscribers
ip local pool LNSpool 192.168.1.2 192.168.1.254
!
! Steps 3-4: RADIUS server host and shared secret
radius-server host 52.20.0.101 auth-port 1645 acct-port 1646
radius-server key cisco


L2TP Configuration with RADIUS (continued)


Configuring the LNS with RADIUS Authentication (continued)
15. Create a virtual template interface with a numerical identifier.
16. On the virtual template interface, assign an IP unnumbered association
to the loopback interface.
17. On the virtual template interface, point to a peer default IP address
pool.
18. On the virtual template interface, indicate the type of PPP
authentication that is used for the subscribers.
19. Create an IP local pool with a range of addresses that the router uses to
allocate to the subscribers.


Tunnel Verification
Several Cisco IOS commands are available to verify that the tunnel has been created and to check for proper tunnel operation. These commands include:
- show vpdn
- debug vpdn events
- debug radius


Tunnel Verification (continued)

show vpdn
To display information about active tunnels and message identifiers in a VPDN, use the show vpdn command in EXEC mode. The first line displays a summary of the active L2TP tunnels. The next two lines display information about the L2TP tunnel between the LAC and the LNS.

Command Output Description

Field      Description
LocID      A unique number that identifies the local ID for the session.
RemID      A unique number that identifies the remote ID for the session.
TunID      A unique number that identifies the tunnel.
Intf       The interface associated with a specific session.
Username   Username of the session.
State      Status of the individual user in the tunnel. The states are opening, open, closed, closing, and waiting_for_tunnel. The waiting_for_tunnel state means that the user connection is waiting until the main tunnel can be brought up before it moves to the opening state.
Last Chg   Time of the last status change.


show vpdn (sample output)

P1R2#show vpdn
L2TP Tunnel and Session Information Total tunnels 1 sessions 1

LocID RemID Remote Name State  Remote Address Port  Sessions VPDN Group
78    51792 P1R3        est    200.0.0.13     1701  1        l2tp

LocID RemID TunID Intf        Username          State  Last Chg Uniq ID
1451  1404  78    SSS Circuit p1user8@isp1.com  est    00:00:15 470

%No active L2F tunnels
%No active PPTP tunnels
PPPoE Tunnel and Session Information Total tunnels 1 sessions 1
PPPoE Session Information
Uniq ID PPPoE RemMAC         Port          VT VA    State
        SID   LocMAC                          VA-st
470     67    0030.bd21.ef11 ATM3/0/0.732  4  N/A   FWDED
              0001.6440.4648 VC: 13/34

Tunnel Verification (continued)

debug vpdn
To display debug traces for the VPDN feature, which provides PPP tunnels using the L2TP protocol, use the debug vpdn EXEC command.
Several debug vpdn outputs may be used to verify and troubleshoot L2TP tunnels. Of these, debug vpdn events and debug vpdn call event are generally the most useful.


Debug VPDN Events

P1R2#show debug
VPN:
VPDN call event debugging is on
VPDN events debugging is on
*VPDN CALL [uid:470]: Requesting connection
*VPDN CALL [uid:470]: Call request sent
*VPDN MGR [uid:470]: Initiating compulsory connection to 200.0.0.13
*uid:470 Tnl/Sn 78/1451 L2TP: VPDN session up
*VPDN MGR [uid:470]: Succeed to forward p1user8@isp1.com
*VPDN MGR [uid:470]: accounting start sent
*VPDN CALL [uid:470]: Connection succeeded


Tunnel Verification (continued)

debug radius
To verify and troubleshoot the establishment of a user session through the tunnel, use the debug radius command.


Debug RADIUS (sample output)

RADIUS/ENCODE(0000057D): acct_session_id: 65
RADIUS(0000057D): sending
RADIUS/ENCODE: Best Local IP-Address 200.1.1.13 for Radius-Server 52.30.0.101
RADIUS(0000057D): Send Access-Request to 52.30.0.101:1645 id 21645/64, len 87
RADIUS:  authenticator E1 27 CB 35 8B A5 51 B1 - CB A6 50 93 C3 61 89 41
RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
RADIUS:  User-Name           [1]   18  "p1user8@isp1.com"
RADIUS:  CHAP-Password       [3]   19  *
RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
RADIUS:  NAS-Port            [5]   6   394
RADIUS:  Service-Type        [6]   6   Framed                    [2]
RADIUS:  NAS-IP-Address      [4]   6   200.1.1.13
RADIUS: Received from id 21645/64 52.30.0.101:1645, Access-Accept, len 56
RADIUS:  authenticator 5C 46 3E EE 6B F0 BF 9E - C2 2F 9F 4D 86 18 F9 E4
RADIUS:  Service-Type        [6]   6   Framed                    [2]
RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
RADIUS:  Framed-Routing      [10]  6   0
RADIUS:  Framed-MTU          [12]  6   1500
RADIUS:  Framed-Compression  [13]  6   VJ TCP/IP Header Compressi[1]
RADIUS(0000057D): Received from id 21645/64
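The Access-Request in the debug output above, built and parsed byte by byte as an added Python example (not Cisco IOS code): the seven attributes in the order printed add up to the 87 bytes shown, and the Response Authenticator check is what lets the NAS reject an Access-Accept that was not computed with the shared secret over its own request. The shared secret cisco is the module's radius-server key; the CHAP identifier, the user password (lab, as for the module's other subscribers) and the authenticator values are assumptions.

```python
"""Build, parse and authenticate the RADIUS Access-Request/Access-Accept
exchange from the debug radius output (added example, not Cisco IOS code)."""
import hashlib
import ipaddress
import os
import struct
from typing import List, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
# RFC 2865 attribute numbers, as printed in brackets by debug radius
USER_NAME, CHAP_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE = 1, 3, 4, 5, 6
FRAMED_PROTOCOL, FRAMED_ROUTING, FRAMED_MTU, FRAMED_COMPRESSION, NAS_PORT_TYPE = 7, 10, 12, 13, 61
PPP, FRAMED, VIRTUAL, VJ_TCP_IP = 1, 2, 5, 1      # the enumerated values shown in the log
SHARED_SECRET = "cisco"                           # the module's radius-server key

Attr = Tuple[int, bytes]

def u32(v: int) -> bytes:
    return struct.pack("!I", v)

def chap_password(ident: int, password: str, challenge: bytes) -> bytes:
    """CHAP-Password value: CHAP identifier + MD5(identifier | password | challenge)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()

def encode(code: int, ident: int, authenticator: bytes, attrs: List[Attr]) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) followed by TLV attributes."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def decode(pkt: bytes) -> Tuple[int, int, bytes, List[Attr]]:
    """Parse a packet, rejecting length fields that do not fit the data."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    attrs: List[Attr] = []
    i = 20
    while i < length:
        if i + 2 > length or pkt[i + 1] < 2 or i + pkt[i + 1] > length:
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((pkt[i], pkt[i + 2:i + pkt[i + 1]]))
        i += pkt[i + 1]
    return code, ident, pkt[4:20], attrs

def page_access_request(request_auth: bytes, chap_ident: int = 1, user_password: str = "lab") -> bytes:
    """The seven attributes of the logged Access-Request, in the order printed.
    No CHAP-Challenge attribute is sent, so per RFC 2865 the 16-byte Request
    Authenticator doubles as the CHAP challenge.  Ident and password are assumed."""
    attrs = [
        (FRAMED_PROTOCOL, u32(PPP)),
        (USER_NAME, b"p1user8@isp1.com"),
        (CHAP_PASSWORD, chap_password(chap_ident, user_password, request_auth)),
        (NAS_PORT_TYPE, u32(VIRTUAL)),
        (NAS_PORT, u32(394)),
        (SERVICE_TYPE, u32(FRAMED)),
        (NAS_IP_ADDRESS, ipaddress.IPv4Address("200.1.1.13").packed),
    ]
    return encode(ACCESS_REQUEST, 64, request_auth, attrs)

def response_authenticator(code: int, ident: int, attrs: List[Attr], request_auth: bytes, secret: str) -> bytes:
    """RFC 2865 section 3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret.encode()).digest()

def page_access_accept(request_auth: bytes, secret: str = SHARED_SECRET) -> bytes:
    """An Access-Accept carrying the five attributes shown in the log."""
    attrs = [(SERVICE_TYPE, u32(FRAMED)), (FRAMED_PROTOCOL, u32(PPP)), (FRAMED_ROUTING, u32(0)),
             (FRAMED_MTU, u32(1500)), (FRAMED_COMPRESSION, u32(VJ_TCP_IP))]
    auth = response_authenticator(ACCESS_ACCEPT, 64, attrs, request_auth, secret)
    return encode(ACCESS_ACCEPT, 64, auth, attrs)

def verify_response(resp: bytes, request_auth: bytes, secret: str = SHARED_SECRET) -> bool:
    """What the NAS must check before trusting an Access-Accept: the Response
    Authenticator binds the reply to our request and to the shared secret."""
    code, ident, auth, attrs = decode(resp)
    return auth == response_authenticator(code, ident, attrs, request_auth, secret)

if __name__ == "__main__":
    req_auth = os.urandom(16)                       # fresh per request, never reused
    req = page_access_request(req_auth)
    print("Access-Request len", len(req))           # 87, as in the debug output
    acc = page_access_accept(req_auth)
    print("accept verifies:", verify_response(acc, req_auth))              # True
    print("forged accept verifies:", verify_response(acc, req_auth, "x"))  # False
```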


Summary
In this module, you learned the following:
- A high-level understanding of L2TP technology
- The components that make up L2TP technology
- The protocol messages used to establish L2TP tunnels and sessions, exchange end-user data, and terminate L2TP sessions and tunnels
- Configuration of L2TP on the LAC and LNS on Cisco products
- Verification of proper tunnel operation


Review Questions

L2TP
1. True or False. L2TP allows the Layer 2 and the PPP endpoints to reside on different networks.
a. True
b. False
2. Select all that apply to L2TP tunneling:
a. Supports only registered IP addresses
b. Separates the Layer 2 and the PPP session endpoints
c. Allows the end user to appear directly connected to remote servers
d. Supports a single tunnel between LAC and LNS
3. True or False. Tunnel identifiers at each end of the tunnel must be identical.
a. True
b. False
4. Which of the following statements apply to the L2TP call setup process? Choose two.
a. A call request from the user will be processed only if a tunnel already exists.
b. Tunnel setup must be completed before an L2TP session can be initiated.
c. The Start-Control-Connection-Reply message indicates the completion of tunnel establishment.
d. The LAC must wait for the Incoming-Call-Reply message from the LNS before answering the incoming call request.
e. The Incoming-Call-Connected message completes the session setup process.
5. True or False. Sequence numbers are present on all data messages passing through the L2TP tunnel.
a. True
b. False


6. True or False. Local PPP authentication requires that a local database of usernames be set up in the router:
a. True
b. False
7. Circle the command that is NOT part of the LAC configuration when it initiates the tunnel:
a. protocol l2tp
b. vpdn-group (group-number)
c. accept-dialin
d. request-dialin
e. domain (name)
8. A tunnel request is associated with a particular VPDN group based on which of the following:
a. Destination IP address
b. Virtual template
c. Protocol type
d. Domain name
e. VPDN search order
9. The peer IP address pool in the LNS is used for which of the following purposes:
a. Set the tunnel destination IP address.
b. Respond to an IPCP request from the remote CPE.
c. Assign an IP address to the Ethernet port of the LAC.
d. Set the IP address of the ATM interface.
e. None of the above.
