PPPoE with two clients and server and one-way authentication

Hi all,

   Consider the case where we have three routers connected on an Ethernet segment (R1-R2-R3). We require that we establish PPPoE between R1 & R3 and between R2 & R3,

so R3 will be terminating two PPPoE sessions. It is also required that R3 authenticate both routers R1 and R2, but R1 and R2 will not authenticate R3.

So please, can anyone post a recommended config for such a scenario?

thanks a lot

 

Comments

  • Hi,

    I'll give it a go!

    R1/R2:
    vpdn enable
    !
    vpdn-group 1
     request-dialin
      protocol pppoe
    !
    int fa1/1
     no ip address
     pppoe enable
     pppoe-client dial-pool-number 1
    !
    int dialer123
     ip address 123.123.123.1 255.255.255.0
     ! use 123.123.123.2 on R2 so the two clients do not share an address
     encapsulation ppp
     dialer pool 1
     ppp chap hostname CCIE
     ppp chap password CCIE
     no peer neighbor-route

    R3:
    username CCIE password CCIE
    !
    vpdn enable
    !
    vpdn-group 1
     accept-dialin
      protocol pppoe
      virtual-template 123
    !
    int fa1/1
     no ip address
     pppoe enable
    !
    int virtual-template 123
     ip address 123.123.123.3 255.255.255.0
     ppp authentication chap callin
     no peer neighbor-route

    Give that a go, it worked for me in my lab! Please keep in mind all the routers are 7200s running non-Cisco-SP-Lab IOS and hardware, 12.3 Enterprise Services.

    Cheers,

    mpls-te 

  • Hi man, what about the config below (I used a 3640 with IOS 12.4)? I tested it and it works fine. What do you think about it?

    R3#sh run (Server Side)
    Building configuration...

    Current configuration : 824 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname R3
    !
    boot-start-marker
    boot-end-marker
    !
    no aaa new-model
    !
    resource policy
    !
    memory-size iomem 5
    !
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 1.1.1.1
    !
    ip dhcp pool test
       network 1.1.1.0 255.255.255.0
    !
    username R1 password 0 CISCO
    username R2 password 0 CISCO
    !
    bba-group pppoe global
     virtual-template 1
    !
    interface FastEthernet0/0
     no ip address
     duplex auto
     speed auto
     pppoe enable group global
    !
    interface Virtual-Template1
     ip address 1.1.1.1 255.255.255.0
     ppp authentication chap

    R1#sh run (Client 1)
    Building configuration...

    Current configuration : 688 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname R1
    !
    boot-start-marker
    boot-end-marker
    !
    no aaa new-model
    !
    resource policy
    !
    memory-size iomem 5
    !
    ip cef
    !
    interface FastEthernet0/0
     no ip address
     duplex auto
     speed auto
     pppoe enable
     pppoe-client dial-pool-number 1
    !
    interface Dialer1
     ip address dhcp
     encapsulation ppp
     dialer pool 1
     ppp authentication chap callin
     ppp chap hostname R1
     ppp chap password 0 CISCO
    !

    R2#sh run (Client 2)
    Building configuration...

    Current configuration : 688 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname R2
    !
    boot-start-marker
    boot-end-marker
    !
    no aaa new-model
    !
    resource policy
    !
    memory-size iomem 5
    !
    ip cef
    !
    interface FastEthernet0/0
     no ip address
     duplex auto
     speed auto
     pppoe enable
     pppoe-client dial-pool-number 1
    !
    interface Dialer1
     ip address dhcp
     encapsulation ppp
     dialer pool 1
     ppp authentication chap callin
     ppp chap hostname R2
     ppp chap password 0 CISCO
    !
  • OK - sorry to do this - but I am studying and just caught this and thought I would give my 2 cents on the matter.

    That is the old way of doing it - I am pretty sure the IOSs used in the lab are already using the new way -

    no "vpdn-group" and no "pppoe enable" under it - only the "bba-group pppoe [global]" syntax.

    I am sorry for not mentioning from which IOS it was changed - as I have said, I am in the middle of a lab now - but look into it on cisco.com - you should see the differences there...

  • hey,

    well if that worked in your lab then all good then! It all depends on what the specific requirement comes out of the lab!

    cheers,

    mpls-te

  • The bba-group was introduced in IOS 12.2.

    For mpls-te, I am asking for your opinion because I need to understand the exact meaning of the command "ppp authentication chap callin". It is confusing me: from the English syntax of the command I thought that it must be configured at the server side, but according to the following document it says it should be configured at the client side:

    http://tecun.cimex.com.cu/tecun/software/Soporte Tecnico de Redes/Cisco/UNIVGATEWAY/understanding_ppp_chap.pdf

    so any comments...

    thanks a lot

     


  • Yeah, you're right mate, and I wasn't using the same IOS as in the lab for the 7200s. I have tried it on the 7200 IOS for the lab, 12.2S (Service Provider), but I cannot run bba-group or vpdn-group, so I'm guessing the lab will have some of those 2600s to run this, if it is even in the lab!


    One more thing... I just loaded both a 3600 and a 2600 using the IOS that is on Cisco.com as the IOS used in the SP Lab, and they run both bba-group and vpdn-group! I guess we'll have to wait and see the specifications of the lab, if this is even in it! But I would hazard a guess that this would be one of the sections that would throw people right off, if it is in the lab!

  • If the IOS supports both, what then should be used?

    I recall that in the IOSs which support vpdn and bba-group you can not configure the command protocol pppoe under the vpdn-group config

    am I right?

     

  • I think the best thing to do is to learn both options - they are both not too complex... :)

  • It is not about complexity, my friend, it's about how you should do it in the lab, because it is really confusing since the IOS supports both, so how will you know what the correct thing is...

     








  • To put your minds at rest: the older IOS had VPDN and the newer IOS is the bba-group. If you have the newer IOS you can still use the VPDN command and it will automatically change to bba-group, and just configure accordingly from there.

    The trick to PPPoE is to define the protocol before the virtual-template. :)

     

    Hope that helps

     

    Kind regards

     

      James R. Yeo
      CCIE#11676 - Security
      CCIE#11676 - Routing & Switching
      CCNA, CCNP, CCSP, CCVP, MCSE

     




  • Thanks for the reply mate. Now what about the one-way authentication part? For me the config of the vpdn-group makes more sense, but with the bba-group (the example I posted above) I really cannot understand why the "ppp authentication chap callin" must be configured at the client side and not the NAS.

    Thanks again

     












  • You are telling the client to ask for auth when it dials into the NAS. No authentication is configured on the SVR. Only the username & password are configured on the server.

     


  • Now it makes sense for me...thanks a lot man

     

  • I don't understand why the example given by mpls-te has the ppp authentication chap callin configured on the NAS (called), but not on the client (calling)? According to Cisco, ppp authentication chap callin should be configured on the client side so that the client will not send out challenge message to the NAS. Only the NAS will send out challenge message to the client. Can someone please verify?

     

    http://www.cisco.com/en/US/tech/tk713/tk507/technologies_tech_note09186a00800b4131.shtml

    Authentication Type         Client (calling)                  NAS (called)
    One-way (unidirectional)    ppp authentication chap callin    ppp authentication chap
    Two-way (bidirectional)     ppp authentication chap           ppp authentication chap

  • You're right, "ppp authentication chap callin" goes on the client and "ppp authentication chap" invokes the NAS to send the challenge. Your "table" above is exactly correct.
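The thread keeps circling around what "callin" actually changes, so here is an added example that models it (this is my own code, not from any post above or from Cisco). It implements the RFC 1994 CHAP response (MD5 over identifier, secret and challenge) and a tiny `Peer` that decides whether to send a Challenge based on two things an IOS router considers: is `ppp authentication chap` configured at all, and, if `callin` is set, did the other side call in to us. `Peer`, `run_session` and `thread_scenarios` are names chosen here; the hostnames, usernames and passwords are the ones posted in the thread. It then runs the bba-group post (chap on the NAS, chap callin on the client), mpls-te's vpdn post (chap callin on the NAS, nothing on the client), and the case nobody posted but the table implies: plain `ppp authentication chap` on the client, which makes the client challenge a NAS that has no CHAP password and drops the link.

```python
import hashlib
import hmac
import os

# Added example, not from the thread: a small model of RFC 1994 CHAP that shows what
# "ppp authentication chap" and "ppp authentication chap callin" do on each end of a
# PPPoE session. Peer, run_session and thread_scenarios are names chosen here; the
# router names, usernames and passwords come from the configs posted in the thread.


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 4.1: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


class Peer:
    """One PPP endpoint with just the pieces of its IOS config that matter here."""

    def __init__(self, name, auth=None, callin=False, users=None,
                 chap_hostname=None, chap_password=None):
        self.name = name
        self.auth = auth                  # None, or "chap" for "ppp authentication chap"
        self.callin = callin              # the "callin" keyword on that command
        self.users = users or {}          # "username X password Y" lines, secrets as bytes
        self.chap_hostname = chap_hostname or name   # "ppp chap hostname" (default: hostname)
        self.chap_password = chap_password           # "ppp chap password"

    def will_challenge(self, peer_called_us: bool) -> bool:
        """Do we send a CHAP Challenge to the peer on this link?"""
        if self.auth != "chap":
            return False          # no authentication configured: never challenge
        if self.callin and not peer_called_us:
            return False          # "callin": only authenticate peers that call in to us
        return True


def run_session(caller: Peer, callee: Peer, challenge: bytes = None) -> dict:
    """Bring up one link: `caller` dials in (PPPoE client), `callee` answers (NAS).

    Each side decides independently whether to challenge, as two routers do.
    Returns who challenged, whether each challenged peer passed, and whether the
    link stays up (any failed authentication tears the whole link down).
    """
    challenge = challenge or os.urandom(16)
    result = {"challenged_by": [], "authenticated": {}, "link_up": True}
    # (authenticator, peer being authenticated, did that peer call us?)
    for auth, peer, peer_called_us in ((callee, caller, True), (caller, callee, False)):
        if not auth.will_challenge(peer_called_us):
            continue
        result["challenged_by"].append(auth.name)
        ident = 1
        secret = auth.users.get(peer.chap_hostname)   # lookup by the CHAP Name field
        if secret is None or peer.chap_password is None:
            ok = False     # unknown user, or the peer has nothing to answer with
        else:
            got = chap_response(ident, peer.chap_password, challenge)
            expected = chap_response(ident, secret, challenge)
            ok = hmac.compare_digest(got, expected)
        result["authenticated"][peer.name] = ok
        result["link_up"] = result["link_up"] and ok
    return result


def thread_scenarios() -> dict:
    """The configurations discussed in the thread, run through the model."""
    out = {}

    # bba-group post: NAS has "ppp authentication chap", client "... chap callin".
    nas = Peer("R3", auth="chap", users={"R1": b"CISCO", "R2": b"CISCO"})
    r1 = Peer("R1", auth="chap", callin=True, chap_password=b"CISCO")
    out["bba_group_post"] = run_session(r1, nas)

    # mpls-te's vpdn-group post: "callin" on the NAS, nothing on the client.
    # The client always calls in, so "callin" on the NAS still challenges it.
    nas = Peer("R3", auth="chap", callin=True, users={"CCIE": b"CCIE"})
    r1 = Peer("R1", chap_hostname="CCIE", chap_password=b"CCIE")
    out["vpdn_post"] = run_session(r1, nas)

    # Client with plain "ppp authentication chap": R1 also challenges R3, but R1 has
    # no "username R3 ..." and R3 has no chap password, so the link drops.
    nas = Peer("R3", auth="chap", users={"R1": b"CISCO", "R2": b"CISCO"})
    r1 = Peer("R1", auth="chap", chap_password=b"CISCO")
    out["two_way_on_client"] = run_session(r1, nas)
    return out


if __name__ == "__main__":
    for label, res in thread_scenarios().items():
        print(f"{label}: challenged by {res['challenged_by']}, "
              f"results {res['authenticated']}, link up: {res['link_up']}")
```

The model deliberately ignores IOS details such as `ppp direction`, AAA method lists and the Virtual-Access cloning that happens behind a virtual-template; the only point it makes is the one in the table: `callin` suppresses the challenge on the side that placed the call, and does nothing on the side that answered it, which is why both of the posted configs come up with a single challenge from R3.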

  • Hi Jent, thanks for your verification.

  • Actually, on the client side, don't put anything at all... That'll be
    simpler.

    The callin will work, as you'll never "answer" a call, but it's innocuous.

    HTH,




    *Scott Morris*, CCIE/x4/ (R&S/ISP-Dial/Security/Service Provider) #4713,

    JNCIE-M #153, JNCIS-ER, CISSP, et al.

    JNCI-M, JNCI-ER

  • Hey guys,

     

    Let me defend myself here...I put that "ppp authen chap callin" command in as I was doing it to implement PPPoE using AAA and CHAP authentication.

     

    It worked for me nicely, and I have tested it again to work a number of times over. :)

     

    Anyways...good luck on the studies! I'm still deciding on JNCIE-M or CCIE Sec....

     

    Cheers,

    mpls-te

  • Thanks Scott and mpls-te. My only concern is which is "proctor's preferred answer". :) I've tested both with and without callin, both give similar debugging output. The NAS will still send out challenge message with callin
