Cisco PPPoE Setup Guide

Overview

This guide covers PPPoE configuration on Cisco routers (IOS/IOS-XE) for integration with Zal Ultra RADIUS server. Cisco routers are widely used in enterprise and ISP networks for their reliability and advanced features.

Supported Platforms:

  • ✅ Cisco ISR (Integrated Services Router) - 1000, 4000 series
  • ✅ Cisco ASR (Aggregation Services Router) - 1000, 9000 series
  • ✅ Cisco IOS-XE (17.x and above)
  • ✅ Cisco IOS (15.x)

What You'll Learn:

  • 🔧 Virtual Template configuration
  • 📊 IP Pool management
  • 🔐 RADIUS AAA setup
  • 🌐 BBA Group configuration
  • 🔄 CoA (Change of Authorization)
  • 🛡️ Security best practices

Architecture

Subscriber (PPPoE Client)
        ↓ PPPoE / PPP
Cisco Router (PPPoE Server + RADIUS Client)
        ↓ RADIUS (authentication, accounting, CoA)
Zal Ultra (RADIUS Server + Billing System)

Traffic Flow:

1. Subscriber initiates PPPoE connection
2. Cisco sends RADIUS auth request to Zal Ultra
3. Zal Ultra validates credentials and returns attributes
4. Cisco creates Virtual-Access interface
5. Cisco assigns IP from pool
6. Cisco sends accounting updates to Zal Ultra
7. Zal Ultra tracks usage and enforces quotas

Step 1: Configure Loopback Interface

Purpose: The loopback interface provides the gateway address for all PPPoE sessions.

```cisco
! Create loopback interface
interface Loopback0
 description PPPoE Gateway Interface
 ip address 10.10.0.1 255.255.255.255
 no shutdown
```

Why Loopback?

✅ Always up (never goes down)
✅ Single IP for all PPPoE sessions
✅ Simplifies routing
✅ Better for management
✅ Used with "ip unnumbered"

Step 2: Configure IP Pools

Create IP pools for PPPoE clients:

```cisco
! Single pool
ip local pool PPPOE-POOL 10.10.1.2 10.10.1.254

! Multiple pools for different areas
ip local pool PPPOE-POOL-AREA-A 10.10.1.2 10.10.1.254
ip local pool PPPOE-POOL-AREA-B 10.10.2.2 10.10.2.254
ip local pool PPPOE-POOL-AREA-C 10.10.3.2 10.10.3.254

! Large pool for high-capacity networks
ip local pool PPPOE-POOL-LARGE 10.10.0.2 10.10.255.254
```

Pool Planning:

Small ISP (< 500 users):
  10.10.1.0/24 = 254 IPs

Medium ISP (500-2000 users):
  10.10.0.0/22 = 1022 IPs

Large ISP (2000+ users):
  10.10.0.0/16 = 65534 IPs

Best Practice:
  ✅ Use /24 subnets for easier management
  ✅ Reserve first 10 IPs (.1-.10) for infrastructure
  ✅ Document pool assignments
  ✅ Monitor pool usage regularly

Step 3: Configure Virtual Template

The Virtual Template is the template from which the router clones a Virtual-Access interface for each PPPoE session:

```cisco
interface Virtual-Template1
 description PPPoE Virtual Template for Zal Ultra
 ip unnumbered Loopback0
 peer default ip address pool PPPOE-POOL
 ppp authentication chap pap
 ppp authorization default
 ppp accounting default
 ppp ipcp dns 8.8.8.8 8.8.4.4
 ppp mtu adaptive
 ppp timeout idle 0
 ppp timeout authentication 30
 no shutdown
```

Configuration Explained:

| Parameter | Description | Recommendation |
|---|---|---|
| ip unnumbered Loopback0 | Use Loopback IP as gateway | Always use loopback |
| peer default ip address pool | IP pool for clients | Match pool name |
| ppp authentication chap pap | Auth methods (CHAP preferred) | Enable both for compatibility |
| ppp authorization default | Use RADIUS for authorization | Required for Zal Ultra |
| ppp accounting default | Send accounting to RADIUS | Required for billing |
| ppp ipcp dns | DNS servers for clients | Use reliable DNS (8.8.8.8, 1.1.1.1) |
| ppp mtu adaptive | Auto-adjust MTU | Prevents fragmentation |
| ppp timeout idle 0 | No idle timeout | 0 = never disconnect idle users |
| ppp timeout authentication 30 | Auth timeout (seconds) | 30 seconds recommended |

Advanced Virtual Template:

```cisco
interface Virtual-Template1
 description PPPoE Virtual Template with Advanced Features
 ip unnumbered Loopback0
 ip mtu 1492
 ip tcp adjust-mss 1452
 peer default ip address pool PPPOE-POOL
 ppp authentication chap pap
 ppp authorization default
 ppp accounting default
 ! Only one "ppp ipcp dns <primary> <secondary>" line takes effect;
 ! a second line replaces the first instead of adding more servers
 ppp ipcp dns 8.8.8.8 8.8.4.4
 ppp mtu adaptive
 ppp timeout idle 0
 ppp timeout authentication 30
 ppp timeout retry 3
 keepalive 30 3
 no shutdown
```

MTU/MSS Settings:

Ethernet MTU: 1500 bytes
PPPoE overhead: 8 bytes
PPP overhead: 2 bytes
Total overhead: 10 bytes
Usable MTU: 1490 bytes (conservative: 1492)

TCP MSS = MTU - 40 (IP + TCP headers)
TCP MSS = 1492 - 40 = 1452 bytes

ip mtu 1492              → Set interface MTU
ip tcp adjust-mss 1452   → Clamp TCP MSS to prevent fragmentation

Step 4: Configure BBA Group

The BBA (Broadband Access) Group links the PPPoE-enabled interfaces to the Virtual Template and enforces session limits:

```cisco
bba-group pppoe PPPOE-GROUP
 virtual-template 1
 sessions per-mac limit 1
 sessions per-vlan limit 1000
 sessions max limit 10000
```

BBA Group Options:

| Parameter | Description | Recommendation |
|---|---|---|
| virtual-template 1 | Link to Virtual-Template | Must match template number |
| sessions per-mac limit 1 | Max sessions per MAC address | 1 = prevent duplicate logins |
| sessions per-vlan limit 1000 | Max sessions per VLAN | Adjust based on capacity |
| sessions max limit 10000 | Total max sessions | Adjust based on router capacity |

Advanced BBA Group:

```cisco
bba-group pppoe PPPOE-GROUP-ADVANCED
 virtual-template 1
 sessions per-mac limit 1
 sessions per-vlan limit 2000
 ! The threshold is an absolute session count given on the limit line
 ! (here 90% of 20000): an SNMP trap is raised when it is reached
 sessions max limit 20000 threshold 18000
```

Session Limits by Router Model:

Cisco ISR 1000 Series:
  Max sessions: 2,000 - 5,000

Cisco ISR 4000 Series:
  Max sessions: 10,000 - 20,000

Cisco ASR 1000 Series:
  Max sessions: 50,000 - 100,000

Cisco ASR 9000 Series:
  Max sessions: 200,000+

Note: Actual limits depend on hardware, IOS version, and features enabled

Step 5: Apply to Physical Interface

Apply PPPoE to the subscriber-facing interface:

```cisco
! Single interface
interface GigabitEthernet0/0/1
 description PPPoE Subscriber Interface
 no ip address
 pppoe enable group PPPOE-GROUP
 no shutdown

! Multiple interfaces
interface GigabitEthernet0/0/1
 description PPPoE Subscribers - Area A
 no ip address
 pppoe enable group PPPOE-GROUP
 no shutdown

interface GigabitEthernet0/0/2
 description PPPoE Subscribers - Area B
 no ip address
 pppoe enable group PPPOE-GROUP
 no shutdown
```

VLAN-based PPPoE:

```cisco
! Parent interface for 802.1Q subinterfaces
interface GigabitEthernet0/0/1
 description PPPoE Trunk Interface
 no ip address
 no shutdown

! VLAN 100 - Residential
interface GigabitEthernet0/0/1.100
 description PPPoE VLAN 100 - Residential
 encapsulation dot1Q 100
 pppoe enable group PPPOE-GROUP

! VLAN 200 - Business
interface GigabitEthernet0/0/1.200
 description PPPoE VLAN 200 - Business
 encapsulation dot1Q 200
 pppoe enable group PPPOE-GROUP

! VLAN 300 - Premium
interface GigabitEthernet0/0/1.300
 description PPPoE VLAN 300 - Premium
 encapsulation dot1Q 300
 pppoe enable group PPPOE-GROUP
```

Step 6: Configure RADIUS (Zal Ultra)

Enable AAA

```cisco
! Enable AAA globally
aaa new-model

! Configure authentication
aaa authentication ppp default group radius local

! Configure authorization
aaa authorization network default group radius local

! Configure accounting
aaa accounting network default start-stop group radius
```

AAA Explained:

aaa new-model
  → Enables AAA framework (required for RADIUS)

aaa authentication ppp default group radius local
  → Use RADIUS for PPP auth, fallback to local

aaa authorization network default group radius local
  → Use RADIUS for network authorization, fallback to local

aaa accounting network default start-stop group radius
  → Send accounting start/stop to RADIUS
  → Required for billing and usage tracking

Configure RADIUS Server

```cisco
! Define RADIUS server (Zal Ultra)
! Requests are sourced from the egress interface unless
! "ip radius source-interface" is set; the NAS IP registered in
! Zal Ultra must match that source address
radius server ZAL-ULTRA
 address ipv4 192.168.1.100 auth-port 1812 acct-port 1813
 key 0 YourSecretKey123
 timeout 3
 retransmit 3

! Create RADIUS server group
! The method lists above use "group radius", which covers every defined
! RADIUS server; to use this named group, reference "group RADIUS-GROUP"
! in them instead
aaa group server radius RADIUS-GROUP
 server name ZAL-ULTRA
```

RADIUS Server Parameters:

| Parameter | Value | Description |
|---|---|---|
| address ipv4 | 192.168.1.100 | Zal Ultra server IP |
| auth-port | 1812 | RADIUS authentication port (standard) |
| acct-port | 1813 | RADIUS accounting port (standard) |
| key | YourSecretKey123 | RADIUS secret (MUST match Zal Ultra NAS) |
| timeout | 3 | Timeout in seconds (3 recommended) |
| retransmit | 3 | Number of retries (3 recommended) |

⚠️ CRITICAL: RADIUS Secret

The RADIUS secret on Cisco MUST exactly match the NAS secret in Zal Ultra!

Cisco: radius server ZAL-ULTRA → key YourSecretKey123
Zal Ultra: Network → NAS → Secret: YourSecretKey123

If they don't match:
  ❌ Authentication will fail
  ❌ Users cannot connect
  ❌ No helpful error message

Troubleshooting:
  1. Verify secret on Cisco: show run | include radius
  2. Verify secret in Zal Ultra: Network → NAS → View
  3. Ensure exact match (case-sensitive)
  4. Avoid special characters
  5. Test with simple secret like "123456" first
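Why a mismatched secret fails without a useful error, shown as an added example (not code from this guide or from Zal Ultra): a RADIUS reply carries a Response Authenticator, an MD5 digest over the reply header, the Request Authenticator, the attributes and the shared secret (RFC 2865), and a NAS discards any reply that does not verify, so the client only sees a timeout. The sample reply, the Request Authenticator and the lower-case secret below are constructed.

```python
"""NAS-side check of a RADIUS reply's Response Authenticator (RFC 2865, section 3).

A router accepts an Access-Accept/Access-Reject only if
    MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret)
equals the 16-byte authenticator carried in the reply. With a wrong shared secret
the digest differs, the reply is silently discarded and the PPPoE client times out.
Everything below is constructed sample data, not traffic captured from a router.
"""
import hashlib
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
FRAMED_IP_ADDRESS, CLASS = 8, 25   # attributes this guide enables on the router


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS Type-Length-Value attribute."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_reply(code: int, ident: int, request_auth: bytes,
                attributes: bytes, secret: bytes) -> bytes:
    """Build a reply the way the RADIUS server does (used here to make sample input)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    response_auth = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + response_auth + attributes


def response_authenticator_ok(reply: bytes, request_auth: bytes, nas_secret: bytes) -> bool:
    """Recompute the authenticator with the NAS's own secret and compare."""
    if len(reply) < 20:
        return False
    length = struct.unpack("!H", reply[2:4])[0]
    if length != len(reply):          # malformed or truncated datagram
        return False
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + nas_secret).digest()
    return expected == reply[4:20]


def classify_reply(reply: bytes, request_auth: bytes, nas_secret: bytes) -> str:
    """What the NAS does with the reply: drop it, or act on Accept/Reject."""
    if not response_authenticator_ok(reply, request_auth, nas_secret):
        return "dropped: bad Response Authenticator (shared secret mismatch?)"
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(
        reply[0], f"unexpected code {reply[0]}")


# Constructed sample: the Request Authenticator the NAS sent, and the server's reply
SERVER_SECRET = b"YourSecretKey123"        # the secret entered in the Zal Ultra NAS entry
SAMPLE_REQUEST_AUTH = bytes(range(16))     # random in real traffic, fixed here
SAMPLE_ACCEPT = build_reply(
    ACCESS_ACCEPT, 42, SAMPLE_REQUEST_AUTH,
    attribute(FRAMED_IP_ADDRESS, bytes([10, 10, 1, 2])) + attribute(CLASS, b"zal-session-1"),
    SERVER_SECRET)

if __name__ == "__main__":
    print(classify_reply(SAMPLE_ACCEPT, SAMPLE_REQUEST_AUTH, b"YourSecretKey123"))
    print(classify_reply(SAMPLE_ACCEPT, SAMPLE_REQUEST_AUTH, b"yoursecretkey123"))  # case differs
```

The second call shows the case-sensitivity point from the troubleshooting list: the reply is dropped rather than rejected, which is why the router logs nothing useful.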

Configure RADIUS Attributes

```cisco
! Enable RADIUS attributes
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server vsa send accounting
radius-server vsa send authentication
```

RADIUS Attributes Explained:

| Attribute | Purpose | Required |
|---|---|---|
| attribute 6 | Service-Type | Yes - Identifies service type |
| attribute 8 | Framed-IP-Address | Yes - IP address assignment |
| attribute 25 | Class | Yes - Session identification |
| vsa send accounting | Vendor Specific Attributes | Yes - Zal Ultra specific data |
| vsa send authentication | VSA in auth | Yes - Extended attributes |

Step 7: Configure CoA (Change of Authorization)

CoA allows Zal Ultra to send session-control requests (disconnect, attribute changes) to the Cisco router:

```cisco
! Enable CoA
aaa server radius dynamic-author
 client 192.168.1.100 server-key YourSecretKey123
 port 3799
 auth-type all
```

CoA Configuration:

| Parameter | Value | Description |
|---|---|---|
| client | 192.168.1.100 | Zal Ultra IP (allowed to send CoA) |
| server-key | YourSecretKey123 | Must match RADIUS secret |
| port | 3799 | CoA port (standard, must match Zal Ultra) |
| auth-type | all | Accept all CoA request types |

What CoA Enables:

✅ Disconnect user remotely (when quota exceeded)
✅ Change bandwidth limits (package upgrade/downgrade)
✅ Update session attributes (IP, DNS, etc.)
✅ Force re-authentication

CoA Request Types:
  - Disconnect-Request: Terminate session
  - CoA-Request: Change session attributes

Verify CoA:

```cisco
! Show CoA configuration
show aaa server radius dynamic-author

! Show CoA statistics
show aaa server radius dynamic-author statistics

! Debug CoA (use carefully in production)
debug radius dynamic-author
```

Step 8: Configure NAT

Enable NAT for internet access:

```cisco
! Define NAT pool (only if you have a block of public IPs; this example
! does not reference it and uses PAT on the uplink address instead)
ip nat pool PUBLIC-POOL 203.0.113.1 203.0.113.254 netmask 255.255.255.0

! Or use PAT (Port Address Translation) with single IP
interface GigabitEthernet0/0/0
 description Uplink to Internet
 ip address dhcp
 ip nat outside
 no shutdown

! Mark Virtual-Template as NAT inside
interface Virtual-Template1
 ip nat inside

! Create NAT rule
ip access-list extended NAT-ACL
 permit ip 10.10.0.0 0.0.255.255 any

! Apply NAT
ip nat inside source list NAT-ACL interface GigabitEthernet0/0/0 overload
```

NAT Explained:

ip nat inside     → Mark PPPoE sessions as inside
ip nat outside    → Mark internet interface as outside
overload          → PAT (many private IPs to one public IP)

NAT-ACL:
  permit ip 10.10.0.0 0.0.255.255 any
  → Allow all PPPoE subnets (10.10.0.0/16)

Step 9: Configure Firewall

Protect the router's control plane and allow RADIUS traffic from Zal Ultra only:

```cisco
! Allow RADIUS replies and CoA requests from Zal Ultra only.
! Replies arrive FROM ports 1812/1813 to an ephemeral port on the router;
! CoA/Disconnect requests arrive TO the router's port 3799.
! (Router-to-server lines never match inbound control-plane traffic.)
ip access-list extended RADIUS-ACL
 permit udp host 192.168.1.100 eq 1812 any
 permit udp host 192.168.1.100 eq 1813 any
 permit udp host 192.168.1.100 any eq 3799

! Control-plane policing: the class-map and policy-map must exist
! before the service-policy is applied (rate is a placeholder)
class-map match-all RADIUS-CLASS
 match access-group name RADIUS-ACL
!
policy-map RADIUS-POLICY
 class RADIUS-CLASS
  police 512000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input RADIUS-POLICY

! Or use zone-based firewall: subscribers may open sessions towards
! the Internet; unsolicited traffic towards subscribers is dropped
class-map type inspect match-any SUBSCRIBER-TRAFFIC
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect SUBSCRIBER-TRAFFIC
  inspect
 class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE

zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY

interface Virtual-Template1
 zone-member security INSIDE

interface GigabitEthernet0/0/0
 zone-member security OUTSIDE
```

Complete Cisco PPPoE Configuration

```cisco
!
! ============================================
! Complete Cisco PPPoE Configuration
! For Zal Ultra RADIUS Integration
! ============================================
!
hostname ISP-ROUTER-CISCO
!
! Enable AAA
aaa new-model
aaa authentication ppp default group radius local
aaa authorization network default group radius local
aaa accounting network default start-stop group radius
!
! RADIUS Server (Zal Ultra)
radius server ZAL-ULTRA
 address ipv4 192.168.1.100 auth-port 1812 acct-port 1813
 key 0 YourSecretKey123
 timeout 3
 retransmit 3
!
! Named group (the method lists above use "group radius", which already
! covers every defined RADIUS server)
aaa group server radius RADIUS-GROUP
 server name ZAL-ULTRA
!
! RADIUS Attributes
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server vsa send accounting
radius-server vsa send authentication
!
! CoA Configuration
aaa server radius dynamic-author
 client 192.168.1.100 server-key YourSecretKey123
 port 3799
 auth-type all
!
! IP Pools
ip local pool PPPOE-POOL-1 10.10.1.2 10.10.1.254
ip local pool PPPOE-POOL-2 10.10.2.2 10.10.2.254
!
! Loopback for PPPoE gateway
interface Loopback0
 description PPPoE Gateway
 ip address 10.10.0.1 255.255.255.255
 no shutdown
!
! Virtual Template
interface Virtual-Template1
 description PPPoE Virtual Template for Zal Ultra
 ip unnumbered Loopback0
 ip mtu 1492
 ip tcp adjust-mss 1452
 ip nat inside
 peer default ip address pool PPPOE-POOL-1
 ppp authentication chap pap
 ppp authorization default
 ppp accounting default
 ppp ipcp dns 8.8.8.8 8.8.4.4
 ppp mtu adaptive
 ppp timeout idle 0
 ppp timeout authentication 30
 keepalive 30 3
 no shutdown
!
! BBA Group
bba-group pppoe PPPOE-GROUP
 virtual-template 1
 sessions per-mac limit 1
 sessions per-vlan limit 1000
 sessions max limit 10000
!
! Subscriber Interface
interface GigabitEthernet0/0/1
 description PPPoE Subscriber Interface
 no ip address
 pppoe enable group PPPOE-GROUP
 no shutdown
!
! Uplink Interface
interface GigabitEthernet0/0/0
 description Uplink to Internet
 ip address dhcp
 ip nat outside
 no shutdown
!
! NAT Configuration
ip access-list extended NAT-ACL
 permit ip 10.10.0.0 0.0.255.255 any
!
ip nat inside source list NAT-ACL interface GigabitEthernet0/0/0 overload
!
! Default Route
! With "ip address dhcp" the uplink normally learns its default route from
! DHCP; a static route pointing only at a multi-access interface relies on
! proxy ARP, so prefer a next-hop address if you add one
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0
!
! DNS
ip name-server 8.8.8.8 1.1.1.1
!
end
```

Verification Commands

Show PPPoE Sessions

```cisco
! Show all PPPoE sessions
show pppoe session
show pppoe session all

! Show detailed session info
show pppoe session interface virtual-access 1

! Show Virtual-Access interfaces
show ip interface brief | include Virtual-Access
show interface Virtual-Access1

! Show active PPP sessions
show caller user detail
show caller user summary
```

Show RADIUS Statistics

```cisco
! Show RADIUS servers
show aaa servers
show aaa servers detailed

! Show RADIUS statistics
show radius statistics

! Show specific RADIUS server
show radius server-group all

! Show CoA statistics
show aaa server radius dynamic-author statistics
show aaa server radius dynamic-author clients
```

Show IP Pool Usage

```cisco
! Show IP pool configuration
show ip local pool

! Show IP pool usage
show ip local pool PPPOE-POOL

! Show all pools
show ip local pool all
```

Monitoring Commands

```cisco
! Monitor new sessions
show caller user detail | include User

! Monitor bandwidth usage
show interface virtual-access 1 stats

! Monitor RADIUS communication
show radius statistics

! Show session count
show pppoe session summary
```

Debugging (Use Carefully in Production!)

```cisco
! Enable debugging
debug pppoe events
debug pppoe errors
debug pppoe packets
debug radius authentication
debug radius accounting
debug aaa authentication
debug aaa authorization
debug aaa accounting

! View debug output
terminal monitor

! Disable all debugging (both forms are equivalent)
undebug all
no debug all
```

⚠️ Warning:

Debugging can generate massive amounts of output!
  ❌ Can overload router CPU
  ❌ Can fill logs quickly
  ❌ Can impact performance

Best Practices:
  ✅ Use only in maintenance window
  ✅ Enable specific debugs only
  ✅ Use "debug condition" to filter
  ✅ Always disable after troubleshooting
  ✅ Monitor CPU usage while debugging

Troubleshooting

Issue 1: User Cannot Connect

Symptoms:

❌ PPPoE client shows "Authentication failed"
❌ Error 691 or "Access Denied"
❌ No Virtual-Access interface created

Diagnosis:

```cisco
! Check RADIUS reachability
ping 192.168.1.100 source Loopback0

! Check RADIUS configuration
show run | section radius
show aaa servers

! Enable debug
debug radius authentication
debug pppoe events

! Check for RADIUS response
show radius statistics
```

Common Causes:

1. RADIUS secret mismatch
   Solution: Verify secret matches Zal Ultra NAS

2. RADIUS server unreachable
   Solution: Check network connectivity, firewall

3. Wrong credentials
   Solution: Verify username/password in Zal Ultra

4. AAA not configured
   Solution: Ensure "aaa new-model" enabled

5. Virtual-Template misconfigured
   Solution: Check "ppp authentication" and "ppp authorization"

Issue 2: User Connects But No Internet

Symptoms:

✅ PPPoE session created
✅ Virtual-Access interface up
✅ IP address assigned
❌ No internet access

Diagnosis:

```cisco
! Check Virtual-Access interface
show interface Virtual-Access1

! Check routing
show ip route
show ip route 0.0.0.0

! Check NAT
show ip nat translations
show ip nat statistics

! Test from router (exercises the default route on the uplink; a pool
! address such as 10.10.1.2 belongs to a subscriber, so the router
! cannot source a ping from it)
ping 8.8.8.8
```

Common Causes:

1. No default route
   Solution: ip route 0.0.0.0 0.0.0.0 <gateway>

2. NAT not configured
   Solution: Configure ip nat inside/outside

3. Firewall blocking
   Solution: Check access-lists

4. DNS not working
   Solution: Configure ip name-server

5. MTU issues
   Solution: Enable "ppp mtu adaptive"

Issue 3: Accounting Not Working

Symptoms:

✅ User connects successfully
❌ No data usage in Zal Ultra
❌ Quota not decreasing

Diagnosis:

```cisco
! Check accounting configuration
show run | include accounting

! Check RADIUS accounting packets
show radius statistics

! Enable debug
debug radius accounting

! Check AAA accounting
show aaa servers
```

Common Causes:

1. Accounting not enabled
   Solution: aaa accounting network default start-stop group radius

2. RADIUS accounting port wrong
   Solution: Verify acct-port 1813

3. Firewall blocking accounting
   Solution: Allow UDP 1813

4. RADIUS server not receiving
   Solution: Check Zal Ultra RADIUS logs
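What the billing side checks when an accounting packet arrives, as an added example (not code from this guide or from Zal Ultra): an Accounting-Request is authenticated with MD5 over the header, sixteen zero bytes, the attributes and the shared secret (RFC 2866), and the server must silently discard a request that fails this check, so a secret mismatch shows up as "no usage" rather than as an error. The packet, user name and counters below are constructed.

```python
"""Server-side handling of a RADIUS Accounting-Request (RFC 2866).
The server verifies MD5(Code+Identifier+Length+16 zero bytes+Attributes+Secret) against
the Request Authenticator and silently discards failures, then decodes the octet counters
(32-bit, with Acct-*-Gigawords from RFC 2869 as the high word). Sample data is constructed.
"""
import hashlib
import struct

ACCOUNTING_REQUEST = 4
USER_NAME, ACCT_STATUS_TYPE, ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS = 1, 40, 42, 43
ACCT_INPUT_GIGAWORDS, ACCT_OUTPUT_GIGAWORDS = 52, 53
STATUS_NAMES = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def attribute(attr_type, value):
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def build_accounting_request(ident, attributes, secret):
    """Build the packet the way the NAS does (used here only to make sample input)."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attributes))
    return header + hashlib.md5(header + bytes(16) + attributes + secret).digest() + attributes

def request_authenticator_ok(packet, secret):
    """RFC 2866 check; a wrong shared secret fails here and the packet is discarded."""
    if len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST:
        return False
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    return hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest() == packet[4:20]

def parse_attributes(body):
    """Walk the TLV list, rejecting a length that would run past the datagram."""
    attrs = {}
    while body:
        if len(body) < 2 or not 2 <= body[1] <= len(body):
            raise ValueError("malformed attribute")
        attrs[body[0]] = body[2:body[1]]
        body = body[body[1]:]
    return attrs

def counter64(attrs, low, high):
    """Combine a 32-bit octet counter with its optional Gigawords high word."""
    high_word = struct.unpack("!I", attrs.get(high, bytes(4)))[0]
    return (high_word << 32) + struct.unpack("!I", attrs[low])[0]

def usage_from_request(packet, secret):
    """Return (user, status, total_octets), or None when the packet must be discarded."""
    if not request_authenticator_ok(packet, secret):
        return None
    a = parse_attributes(packet[20:])
    status = STATUS_NAMES.get(struct.unpack("!I", a[ACCT_STATUS_TYPE])[0], "unknown")
    total = (counter64(a, ACCT_INPUT_OCTETS, ACCT_INPUT_GIGAWORDS)
             + counter64(a, ACCT_OUTPUT_OCTETS, ACCT_OUTPUT_GIGAWORDS))
    return a[USER_NAME].decode(), status, total

# Constructed Interim-Update: 3,000,000 octets in, 1 gigaword + 2,500,000 octets out
NAS_SECRET = b"YourSecretKey123"
SAMPLE_INTERIM = build_accounting_request(7, attribute(USER_NAME, b"alice")
    + attribute(ACCT_STATUS_TYPE, struct.pack("!I", 3))
    + attribute(ACCT_INPUT_OCTETS, struct.pack("!I", 3_000_000))
    + attribute(ACCT_OUTPUT_GIGAWORDS, struct.pack("!I", 1))
    + attribute(ACCT_OUTPUT_OCTETS, struct.pack("!I", 2_500_000)), NAS_SECRET)
```

A quota decision is then a comparison of the returned total against the subscriber's allowance; if the Gigawords attributes are ignored, usage above 4 GiB per direction is under-counted.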

Issue 4: CoA Not Working

Symptoms:

❌ Cannot disconnect user from Zal Ultra
❌ Bandwidth change not applied
❌ User stays connected after expiry

Diagnosis:

```cisco
! Check CoA configuration
show aaa server radius dynamic-author

! Check CoA statistics
show aaa server radius dynamic-author statistics

! Enable debug
debug radius dynamic-author

! Check firewall
show ip access-lists
```

Common Causes:

1. CoA not enabled
   Solution: Configure aaa server radius dynamic-author

2. Wrong CoA port
   Solution: Verify port 3799

3. Firewall blocking CoA
   Solution: Allow UDP 3799 from Zal Ultra

4. CoA secret mismatch
   Solution: Verify server-key matches RADIUS secret

5. Wrong client IP
   Solution: Verify client IP matches Zal Ultra

Best Practices

Security

✅ Use strong RADIUS secret (20+ characters)
✅ Restrict RADIUS access to Zal Ultra IP only
✅ Enable firewall rules for RADIUS ports
✅ Use "sessions per-mac limit 1" to prevent duplicates
✅ Monitor failed authentication attempts
✅ Regularly review active sessions
✅ Enable logging for security events
✅ Use encrypted management (SSH, not Telnet)

Performance

✅ Use appropriate session limits for router model
✅ Enable "ppp mtu adaptive" for MTU optimization
✅ Use "ip tcp adjust-mss" to prevent fragmentation
✅ Monitor CPU and memory usage
✅ Use hardware acceleration if available
✅ Optimize RADIUS timeout (3 seconds recommended)
✅ Use local fallback for critical users

Monitoring

✅ Set up syslog for RADIUS and PPPoE events
✅ Monitor active session count
✅ Track RADIUS response times
✅ Alert on RADIUS server down
✅ Monitor IP pool usage
✅ Track authentication failures
✅ Review CoA success rate
✅ Monitor interface errors
Summary

✅ Cisco PPPoE Setup Complete!

What We Configured:

  1. ✅ Loopback interface for gateway
  2. ✅ IP pools for dynamic assignment
  3. ✅ Virtual Template for PPPoE sessions
  4. ✅ BBA Group for session management
  5. ✅ RADIUS AAA for authentication & accounting
  6. ✅ CoA for remote management
  7. ✅ NAT for internet access
  8. ✅ Firewall for security

Key Points:

✅ RADIUS secret MUST match Zal Ultra NAS secret
✅ Enable both CHAP and PAP for compatibility
✅ Use "ip unnumbered" for efficiency
✅ Enable CoA for remote disconnect
✅ Configure NAT for internet access
✅ Monitor RADIUS communication regularly
✅ Use appropriate session limits

Your Cisco router is now ready for Zal Ultra PPPoE! 🚀

www.onezeroart.com