Cisco PPPOE Dial-in

Like I may have stated before, I work at an ISP.
Big part of my work in the support department is configuring and troubleshooting internet connectivity, and in order to accomplish this an important step is understanding who it works,
So I would like to dedicate the next few post to that purpose, starting with the PPPOE, to do so I used GNS3 with the following topology (or download it right here )

Server side :

Configure the pool of IP's to redistribute to clients
Server(config)#ip local pool MyPool
Create a username for the authentication
Server(config)#username test password 0 pass
Configure the template with the PPPOE configurations
Server(config-if)#interface Virtual-Template1
Server(config-if)# ip address
Server(config-if)# ip virtual-reassembly
Server(config-if)# peer default ip address pool MyPool
Server(config-if)# ppp authentication pap callin

Assign the template to the pppoe group, in this case global group
Server(config)#bba-group pppoe global
Server(config-bba-group)# virtual-template 1
Server(config-bba-group)# sessions per-mac limit 3
Enable the pppoe group on the link to the clients
Server(config)#interface FastEthernet0/0
Server(config-if)# pppoe enable group global
 Client side :

Allow PPPOE on the link to the Server:
Client(config)#interface FastEthernet0/0
Client(config-if)# pppoe enable
Client(config-if)# pppoe-client dial-pool-number 1
Create the dialer:
Client(config)#interface Dialer1
Client(config-if)# ip address negotiated
Client(config-if)# encapsulation ppp
Client(config-if)# dialer pool 1
Client(config-if)# ppp pap sent-username test password 0 pass
Route all traffic via the PPPOE link
Client(config)#ip route Dialer1
And last thing, verify connectivity
From server's side :
Server#show users
   Interface           User      Mode    Idle        Peer Address
  Vi1.1                    test        PPPoE   -    

Or the client :
 Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 124/148/184 ms
 *Except the getting a high ping round trip, I think we can call it a success … 

Hope this post was helpful, If it was please consider a donation:
BTC Address: 1CnyMpjd1RntRDxSus2hu2aDMyzL4Kj29N
LTC Address: LUqrKbzGihTU2GEnL3EwsuuLHCsxCJMdtR


  1. This comment has been removed by the author.

  2. Hi Valentine Gutkin,

    Thanx for such a nice post. As you specifed that you work for an ISP, can you please help us all in understanding the flow of the products which are used in ISP implementation for managing users subscribed to different broadband plans, and how their traffic statistics is monitored and what type of QOS is implemented if any.

    Thanks in advance.


    1. Hi Shin,

      As you can understand every ISP has it's own set of equipment and as such both the flow and the configuration is different.

      With this being said, in a nutshell:
      The users imitate a tunnel to the edge device, The authentication and authorization is preformed by a radius server and the basic rate limit is created on the Virtual-Access interface on the ISP edge device thus assuring the subscriber receive the correct bandwidth.
      From the edge device there is a simple routing process sending the traffic to an aggregator devices who then refers the traffic to the correct path (An edge device in case of local traffic or a border router in case of traffic destined outside the AS ) in order to route the user to the final destination.

      For the QOS there are two solutions first is a policy implemented on the edge device assuring quality of experience for VOIP services and the second is a dedicated device located on the border of the AS in this case an Allot Net-enforcer who classifies the traffic and applies a policy appropriate to the Class.

      Like i said it's an extremely simplified answer but should cover the basics

      Hope it helps you,

  3. This comment has been removed by the author.

  4. In case anyone wanted to set this up with quick-and dirty CHAP authentication, simply omit the username/password cmds and the PAP line and substitute with:

    ppp authentication chap

    then configure PPP username/passwords as you normally would, essentially creating an account for the neighboring device with a shared password.

    1. Hi Benet,

      As you have mentioned, In case you want to use CHAP for the authentication mechanism all you need to do is make the following changes :

      Server# ppp authentication chap callin

      Client# interface Dialer1
      Client# ppp chap hostname
      Client# ppp chap password 0

      Hope this helps :)

  5. A portion of these Universities will likewise offer "Free" enlistment. I will clarify this shortly. As expressed above, you'll have to do your examination with the goal for you to have the option to locate the ones that has a "motivator program".