PPPoE Client Configuration

Most broadband ISP connections — ADSL, VDSL, and fibre services delivered over an Ethernet handoff — use PPPoE (Point-to-Point Protocol over Ethernet) to authenticate each subscriber session before granting internet access. PPP provides the username/password authentication layer (CHAP or PAP) and IP address assignment that plain Ethernet lacks; the Ethernet encapsulation carries PPP frames across the ISP's access network to the BRAS (Broadband Remote Access Server). A Cisco IOS router acting as a PPPoE client must create a virtual dialer interface that holds the PPP session, bind it to the physical Ethernet port facing the modem, authenticate with the ISP credentials, and obtain a WAN IP address — either statically assigned or negotiated via IPCP.

Understanding PPPoE builds directly on PPP concepts. For the broader WAN context see WAN Technologies. For the NAT/PAT configuration that almost always follows a PPPoE setup to share the single WAN IP with inside hosts, see Dynamic NAT & PAT Configuration and for diagnosing NAT problems see Troubleshooting NAT/PAT Issues. For securing management access to the router once the WAN is live, see SSH Configuration.

1. PPPoE Architecture — Core Concepts

How PPPoE Works End-to-End

PPPoE operates in two distinct phases before any IP traffic flows. Understanding these phases explains every command in the configuration and every field in the verification output:

  Phase 1 — PPPoE Discovery (Layer 2 — Ethernet frames)
  ──────────────────────────────────────────────────────
  Client router sends PADI  (PPPoE Active Discovery Initiation)
        │  broadcast — "Is there a PPPoE Access Concentrator?"
        ▼
  ISP BRAS responds PADO  (PPPoE Active Discovery Offer)
        │  "Yes, I am AC 'ISP-BRAS-1', session ID pending"
        ▼
  Client sends PADR  (PPPoE Active Discovery Request)
        │  "I want to connect to AC 'ISP-BRAS-1'"
        ▼
  ISP sends PADS  (PPPoE Active Discovery Session-confirmation)
        │  "Session ID = 0x0042 — discovery complete"
        ▼
  Session tunnel established at Layer 2

  Phase 2 — PPP Negotiation (inside the PPPoE tunnel)
  ──────────────────────────────────────────────────────
  LCP  (Link Control Protocol)   — negotiate MTU, auth method (CHAP/PAP)
        │
        ▼
  Authentication  — CHAP 3-way challenge or PAP username/password
        │  ISP RADIUS server validates credentials
        ▼
  NCP / IPCP  (IP Control Protocol) — negotiate IP address assignment
        │  Router receives WAN IP from ISP (ip address negotiated)
        ▼
  PPPoE session UP — IP traffic can flow

PPPoE Key Terminology

Term	Definition	IOS Relevance
BRAS	Broadband Remote Access Server — the ISP device that terminates PPPoE sessions and authenticates subscribers	The peer your router connects to; also called an Access Concentrator (AC)
Dialer interface	A virtual interface on the Cisco router that holds the PPP session — it receives the negotiated IP address and carries all routed traffic	`interface Dialer1` — configured with IP, authentication, and PPPoE pool membership
Dial pool	A numbered pool that links a physical Ethernet port to one or more dialer interfaces	`pppoe-client dial-pool-number 1` on the physical port; `dialer pool 1` on the dialer interface
CHAP	Challenge Handshake Authentication Protocol — the ISP sends a challenge; the router responds with an MD5 hash of the password. More secure than PAP; password never sent in plaintext	`ppp chap hostname` and `ppp chap password`
PAP	Password Authentication Protocol — the router sends username and password in plaintext. Less secure; use only when ISP requires it	`ppp pap sent-username` and `ppp pap password`
ip address negotiated	The router obtains its WAN IP from the ISP via IPCP (IP Control Protocol) during PPP negotiation rather than using a static address	Most common broadband scenario — ISP assigns a dynamic WAN IP per session
MTU / MRU	PPPoE adds an 8-byte header to each Ethernet frame, reducing the effective payload MTU from 1500 to 1492 bytes	`ip mtu 1492` and `ip tcp adjust-mss 1452` on the dialer — critical to prevent fragmentation

PPPoE Interface Roles

Interface	Role	IP Address	Key Commands
GigabitEthernet0/0 (physical)	Physical Ethernet port connected to DSL modem or ISP CPE — carries PPPoE Ethernet frames	No IP address — PPPoE operates at Layer 2 on this interface	`no ip address`, `pppoe-client dial-pool-number 1`, `no shutdown`
Dialer1 (virtual)	Virtual PPP interface — holds the session, IP address, authentication credentials, and routing context	Negotiated from ISP via IPCP (`ip address negotiated`) or static	`encapsulation ppp`, `dialer pool 1`, `ip address negotiated`, `ppp chap`

2. Lab Topology & Scenario

                    192.168.10.0/24 (LAN)
                    [PC1: 192.168.10.10]
                    [PC2: 192.168.10.11]
                          │
                     Gi0/1 (LAN)
                     192.168.10.1/24
                          │
                    NetsTuts_R1  (Cisco IOS PPPoE Client)
                          │
                     Gi0/0 (WAN — no IP, PPPoE enabled)
                          │  Ethernet — PPPoE frames
                     DSL Modem / ISP CPE
                          │
                    ISP BRAS / Access Concentrator
                    WAN IP assigned: 203.0.113.45/30  (example)
                    ISP Gateway:     203.0.113.46

  ISP PPPoE Credentials:
    Username:  [email protected]
    Password:  P@ssw0rd!
    Auth:      CHAP (primary), PAP (fallback)

  Objectives:
    1. Configure Gi0/0 as the PPPoE-enabled physical port
    2. Create Dialer1 with CHAP credentials and negotiated IP
    3. Configure NAT overload so LAN hosts share the WAN IP
    4. Add a floating default route via the dialer
    5. Verify with show pppoe session and show ip interface dialer1

3. Step 1 — Configure the Physical WAN Interface

The physical Ethernet interface that faces the ISP modem carries raw PPPoE Ethernet frames. It must have no IP address — all IP configuration lives on the dialer interface. It must be up and bound to a dial pool so the PPPoE discovery process can initiate:

NetsTuts_R1>en
NetsTuts_R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.

! ── Physical WAN port — no IP, bound to dial pool 1 ──────
NetsTuts_R1(config)#interface GigabitEthernet0/0
NetsTuts_R1(config-if)#description ISP-Modem-Uplink
NetsTuts_R1(config-if)#no ip address
NetsTuts_R1(config-if)#pppoe-client dial-pool-number 1
NetsTuts_R1(config-if)#no shutdown
NetsTuts_R1(config-if)#exit

pppoe-client dial-pool-number 1 is the link between the physical port and the dialer interface. It tells IOS to initiate PPPoE discovery frames out of Gi0/0 and to hand the resulting session to whichever dialer interface is a member of dial pool 1. The physical interface must be no shutdown for the modem link to be active — without this the PPPoE PADI broadcast is never sent and discovery never starts. The description is optional but valuable for identifying the port in show interfaces output.

4. Step 2 — Configure the Dialer Interface

The dialer interface is where the PPP session, authentication credentials, IP address negotiation, and MTU settings all live. It is the interface IOS uses for routing — default routes point to Dialer1, NAT is applied to it, and it appears in show ip interface brief with the WAN IP once the session is established:

! ── Dialer interface — virtual PPP endpoint ──────────────
NetsTuts_R1(config)#interface Dialer1
NetsTuts_R1(config-if)#description PPPoE-WAN-Session
NetsTuts_R1(config-if)#encapsulation ppp
NetsTuts_R1(config-if)#dialer pool 1
NetsTuts_R1(config-if)#ip address negotiated
NetsTuts_R1(config-if)#ip mtu 1492
NetsTuts_R1(config-if)#ip tcp adjust-mss 1452
NetsTuts_R1(config-if)#ip nat outside
NetsTuts_R1(config-if)#no shutdown
NetsTuts_R1(config-if)#exit

Each command has a specific role. encapsulation ppp sets the interface to use PPP framing inside the PPPoE tunnel. dialer pool 1 joins this virtual interface to pool 1, which Gi0/0 also references — this is the binding that connects the physical and virtual sides. ip address negotiated tells IPCP to request an IP from the ISP rather than using a static address. ip mtu 1492 reduces the IP MTU from the Ethernet default of 1500 to 1492 to account for the 8-byte PPPoE header — without this, packets at exactly 1500 bytes are fragmented or silently dropped, causing intermittent large-packet failures. ip tcp adjust-mss 1452 clamps the TCP Maximum Segment Size in SYN packets so that TCP connections never negotiate a segment size that would produce fragments — this is the recommended companion to ip mtu 1492.

5. Step 3 — Configure CHAP and PAP Authentication

ISP authentication credentials are configured on the dialer interface. CHAP is preferred — the password is never sent in plaintext. PAP sends credentials in cleartext and should only be used when the ISP explicitly requires it. Many ISPs accept both; configure CHAP first with PAP as a fallback:

CHAP Authentication (Preferred)

NetsTuts_R1(config)#interface Dialer1
NetsTuts_R1(config-if)#ppp authentication chap callin
NetsTuts_R1(config-if)#ppp chap hostname [email protected]
NetsTuts_R1(config-if)#ppp chap password 0 P@ssw0rd!
NetsTuts_R1(config-if)#exit

ppp authentication chap callin instructs the router to authenticate using CHAP only when calling in (initiating the connection as a client). Without callin, IOS also tries to challenge the ISP for its credentials — which ISPs never support and which causes the session to fail. The keyword callin is essential for client-side PPPoE. ppp chap hostname sets the identity the router presents in CHAP — this is typically the ISP-issued username (often in email format). The 0 before the password means it is stored in plaintext in the config; use 7 to indicate a type-7 encrypted password, or use the service password-encryption global command to encrypt all plaintext passwords automatically.

PAP Authentication (Fallback or ISP-Required)

NetsTuts_R1(config)#interface Dialer1
NetsTuts_R1(config-if)#ppp authentication pap callin
NetsTuts_R1(config-if)#ppp pap sent-username [email protected] password 0 P@ssw0rd!
NetsTuts_R1(config-if)#exit

PAP credentials are configured with a single command: ppp pap sent-username [username] password [password]. Unlike CHAP where the hostname and password are separate commands, PAP combines both on one line. The word sent in the command name reflects that PAP works by the client sending credentials to the server in plaintext — there is no challenge/response mechanism. Use PAP only when the ISP explicitly requires it or when CHAP authentication consistently fails despite correct credentials.

CHAP + PAP Both Enabled (Negotiated)

NetsTuts_R1(config)#interface Dialer1
NetsTuts_R1(config-if)#ppp authentication chap pap callin
NetsTuts_R1(config-if)#ppp chap hostname [email protected]
NetsTuts_R1(config-if)#ppp chap password 0 P@ssw0rd!
NetsTuts_R1(config-if)#ppp pap sent-username [email protected] password 0 P@ssw0rd!
NetsTuts_R1(config-if)#exit

Listing both protocols — ppp authentication chap pap callin — tells the router to try CHAP first and fall back to PAP if the ISP does not support or offer CHAP. The order matters: list the preferred protocol first. Both credential sets must be configured. This is the most flexible approach when the ISP's authentication requirements are uncertain during initial deployment.

6. Step 4 — Default Route and NAT Configuration

The PPPoE dialer interface typically carries a single WAN IP address shared by all inside hosts via NAT overload (PAT). The default route must point to the dialer interface rather than a specific next-hop IP because the WAN IP and gateway are dynamic — assigned fresh each time the PPPoE session comes up:

Default Route via Dialer Interface

! ── Default route via the dialer — not via a specific IP ─
NetsTuts_R1(config)#ip route 0.0.0.0 0.0.0.0 Dialer1

! ── Optional: make it a floating static (AD 254) to allow
! ── a backup route with lower AD to take over if needed
NetsTuts_R1(config)#ip route 0.0.0.0 0.0.0.0 Dialer1 254

Pointing the default route to the dialer interface rather than a next-hop IP address is the correct approach for PPPoE. When the session is negotiated, IOS installs a host route for the peer's IP (/32) automatically — there is no need to specify it as a next-hop. A route to Dialer1 works even when the WAN IP changes between sessions (dynamic ISP assignment). The optional administrative distance of 254 creates a floating static that only becomes active when no lower-AD route exists — useful when a secondary WAN link provides backup connectivity. For details on floating static routes see Floating Static Routes.

LAN Interface

! ── LAN interface ────────────────────────────────────────
NetsTuts_R1(config)#interface GigabitEthernet0/1
NetsTuts_R1(config-if)#description LAN
NetsTuts_R1(config-if)#ip address 192.168.10.1 255.255.255.0
NetsTuts_R1(config-if)#ip nat inside
NetsTuts_R1(config-if)#no shutdown
NetsTuts_R1(config-if)#exit

NAT Overload (PAT) on the Dialer Interface

! ── ACL defining which inside hosts to translate ─────────
NetsTuts_R1(config)#access-list 1 permit 192.168.10.0 0.0.0.255

! ── PAT using the dialer interface's negotiated IP ───────
NetsTuts_R1(config)#ip nat inside source list 1 interface Dialer1 overload

NetsTuts_R1(config)#end
NetsTuts_R1#wr
Building configuration...
[OK]

NAT overload references interface Dialer1 rather than a static IP address. This is essential because the WAN IP is dynamic — when the ISP assigns a new IP on session reconnect, NAT automatically uses whatever IP is currently on Dialer1 without requiring a configuration change. The ACL permits the entire LAN subnet for translation. The ip nat inside label on Gi0/1 and ip nat outside on Dialer1 (configured in Step 2) complete the inside/outside boundary. For a full NAT troubleshooting reference see Troubleshooting NAT/PAT Issues.

7. Complete Configuration Summary — show running-config

! ═══════════════════════════════════════════════════════════
! NetsTuts_R1 — Complete PPPoE Client Configuration
! ═══════════════════════════════════════════════════════════
!
hostname NetsTuts_R1
!
! ── Global password encryption ────────────────────────────
service password-encryption
!
! ── NAT ACL ───────────────────────────────────────────────
access-list 1 permit 192.168.10.0 0.0.0.255
!
! ── Physical WAN port ─────────────────────────────────────
interface GigabitEthernet0/0
 description ISP-Modem-Uplink
 no ip address
 pppoe-client dial-pool-number 1
 no shutdown
!
! ── LAN port ──────────────────────────────────────────────
interface GigabitEthernet0/1
 description LAN
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 no shutdown
!
! ── PPPoE virtual dialer ──────────────────────────────────
interface Dialer1
 description PPPoE-WAN-Session
 encapsulation ppp
 dialer pool 1
 ip address negotiated
 ip mtu 1492
 ip tcp adjust-mss 1452
 ip nat outside
 ppp authentication chap pap callin
 ppp chap hostname [email protected]
 ppp chap password 7 <encrypted>
 ppp pap sent-username [email protected] password 7 <encrypted>
 no shutdown
!
! ── Default route via dialer ──────────────────────────────
ip route 0.0.0.0 0.0.0.0 Dialer1
!
! ── PAT using dynamic dialer IP ───────────────────────────
ip nat inside source list 1 interface Dialer1 overload
!
end

After entering service password-encryption, all plaintext type-0 passwords in the configuration are converted to type-7 obfuscated strings — these appear as the encrypted placeholders shown above. Type-7 is reversible and not truly secure, but it prevents casual shoulder-surfing of the config. The complete configuration represents the minimum viable PPPoE client setup: physical port binding, dialer session parameters, CHAP/PAP credentials, MTU adjustment, NAT, and default routing.

8. Verification

show pppoe session

NetsTuts_R1#show pppoe session
     1 client session

Uniq ID  PPPoE  RemMAC          Port         VT    VA         State
-------  -----  -------         ----         --    --         -----
      1  0x0042 00:1a:2b:3c:4d:01  Gi0/0     Di1   Vi1        UP

This is the primary PPPoE health command. Each row is one active session. Key fields: Uniq ID is the local session identifier; PPPoE (0x0042) is the Session ID assigned by the ISP BRAS during the PADS discovery message — a non-zero value confirms discovery completed successfully. RemMAC is the MAC address of the ISP BRAS/modem. Port confirms which physical interface carries the session (Gi0/0). VT is the Virtual Template (Di1 = Dialer1). VA is the Virtual Access interface IOS creates internally for each PPPoE session. State: UP confirms the PPP session is fully established — LCP, authentication, and IPCP all completed successfully.

show ip interface Dialer1

NetsTuts_R1#show ip interface Dialer1
Dialer1 is up, line protocol is up
  Internet address is 203.0.113.45/32
  Broadcast address is 255.255.255.255
  MTU is 1492 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is not set
  Proxy ARP is disabled
  ...
  IP NAT: outside
  ...

"Dialer1 is up, line protocol is up" confirms the PPPoE session and PPP negotiation are fully complete. The internet address shows the IP assigned by the ISP via IPCP — note the /32 prefix length, which is normal for PPP point-to-point links. The MTU of 1492 bytes confirms the ip mtu 1492 command was applied correctly. "IP NAT: outside" confirms the NAT outside label is set on the dialer — required for PAT to work. If the interface is up but the protocol is down, the PPP negotiation failed — check authentication credentials and the show pppoe session output for the session state.

show ip interface brief

NetsTuts_R1#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     unassigned      YES unset  up                    up
GigabitEthernet0/1     192.168.10.1    YES manual up                    up
Dialer1                203.0.113.45    YES IPCP   up                    up
Virtual-Access1        203.0.113.45    YES IPCP   up                    up

The Method column is the definitive IPCP indicator: IPCP confirms the IP address was negotiated from the ISP via PPP's IP Control Protocol rather than being manually configured. GigabitEthernet0/0 correctly shows unassigned — it carries PPPoE frames at Layer 2 and has no IP. Virtual-Access1 is an IOS-internal clone of the dialer that carries the actual PPP session — it shares the same IP as Dialer1 and is normal to see.

show pppoe session detail

NetsTuts_R1#show pppoe session detail
     1 client session

Uniq ID  PPPoE  RemMAC          Port       VT  VA         State
-------  -----  -------         ----       --  --         -----
1        0x0042 00:1a:2b:3c:4d:01 Gi0/0   Di1 Vi1        UP

 Local MAC:     00:aa:bb:cc:dd:ee (GigabitEthernet0/0)
 Remote MAC:    00:1a:2b:3c:4d:01
 PPPoE Session ID:  0x0042
 Interface:         GigabitEthernet0/0
 Virtual Template:  1
 Virtual Access:    Virtual-Access1
 Negotiated IP:     203.0.113.45
 Peer IP:           203.0.113.46
 CHAP Authentication: Passed
 Username:          [email protected]

The detail output adds several fields not visible in the standard summary. CHAP Authentication: Passed explicitly confirms the ISP accepted the credentials — the single most useful line when troubleshooting authentication failures. The Peer IP (203.0.113.46) is the ISP gateway — this is the address IOS installs as a /32 host route automatically when the session comes up. Negotiated IP confirms what IPCP assigned. If authentication shows Failed, the session ID will be 0x0000 and the state will be something other than UP.

show ip route — Verify Default Route and Peer Route

NetsTuts_R1#show ip route
Codes: C - connected, S - static, ...

      203.0.113.44/30 is variably subnetted
C        203.0.113.45/32 is directly connected, Dialer1
       203.0.113.46/32 is directly connected, Dialer1
      192.168.10.0/24 is variably subnetted
C        192.168.10.0/24 is directly connected, GigabitEthernet0/1
S*    0.0.0.0/0 [1/0] via 0.0.0.0, Dialer1

Three routes confirm a healthy PPPoE session. The /32 route for 203.0.113.45 is the router's own WAN IP (connected, Dialer1). The /32 route for 203.0.113.46 is the ISP peer — IOS automatically installs this as a connected route when IPCP completes. The S* 0.0.0.0/0 default route via Dialer1 is the manually configured default. The via 0.0.0.0 is normal for interface-based static routes — it means "exit via Dialer1 regardless of next-hop IP." Traffic to any destination not in the routing table will be forwarded through the PPPoE session.

Verify NAT and End-to-End Connectivity

! ── Test from router ─────────────────────────────────────
NetsTuts_R1#ping 8.8.8.8 source GigabitEthernet0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 18/21/25 ms

! ── Verify translation created ───────────────────────────
NetsTuts_R1#show ip nat translations
Pro  Inside global       Inside local        Outside local    Outside global
icmp 203.0.113.45:1      192.168.10.1:1      8.8.8.8:1        8.8.8.8:1

! ── Confirm NAT statistics healthy ──────────────────────
NetsTuts_R1#show ip nat statistics
Total active translations: 1 (0 static, 1 dynamic; 1 extended)
Outside interfaces: Dialer1
Inside interfaces:  GigabitEthernet0/1
Hits: 5   Misses: 0

Verification Command Summary

Command	What It Shows	Primary Use
`show pppoe session`	Active PPPoE sessions — session ID, state, physical port, virtual interface	First check — is the PPPoE session UP? Is discovery complete (non-zero session ID)?
`show pppoe session detail`	Full session detail — authentication result, negotiated IP, peer IP, MAC addresses	Confirm CHAP/PAP passed; get ISP peer IP for routing verification
`show ip interface Dialer1`	Dialer interface state, IP address, MTU, NAT label	Confirm interface is up/up, IP was assigned via IPCP, MTU is 1492
`show ip interface brief`	All interfaces — IP address and Method (IPCP confirms PPPoE assignment)	Quick glance — is Dialer1 up with an IP? Is Gi0/0 correctly unassigned?
`show ip route`	Routing table — default route via Dialer1, peer /32 route installed	Confirm default route and ISP peer route are present after session establishment
`show ip nat translations`	Active NAT/PAT translations for inside hosts	Verify NAT is working — translations appear when LAN hosts send traffic
`debug ppp negotiation`	Real-time PPP LCP and IPCP negotiation events	Deep diagnosis — see exactly which PPP phase is failing and why
`debug ppp authentication`	Real-time CHAP challenge/response or PAP send events and results	Confirm authentication packets are sent and ISP response; diagnose credential faults

9. Troubleshooting PPPoE Client Issues

Problem	Symptom	Cause	Fix
No PPPoE session	`show pppoe session` shows no sessions; Dialer1 is down/down	Physical port not up; `pppoe-client dial-pool-number` missing on Gi0/0; modem not passing PPPoE frames; `dialer pool` number mismatch between Gi0/0 and Dialer1	Confirm `show interfaces Gi0/0` shows up/up. Verify `pppoe-client dial-pool-number 1` on Gi0/0 and `dialer pool 1` on Dialer1 — numbers must match. Check modem/CPE is powered and in bridge mode
Session stuck — discovery complete but PPP fails	Session ID is non-zero but state is not UP; Dialer1 is up/down	LCP negotiation failed — MTU mismatch, authentication rejected, or IPCP failure	Run `debug ppp negotiation` to see which PPP phase fails. Most likely is authentication — run `debug ppp authentication` to see CHAP/PAP exchange results
Authentication failure	`show pppoe session detail` shows CHAP: Failed or PAP: Failed; session resets repeatedly	Wrong username or password; hostname in `ppp chap hostname` does not match what ISP expects; missing `callin` keyword causes router to challenge ISP back	Verify credentials with ISP. Ensure `ppp authentication chap callin` — the `callin` keyword is mandatory for client-side operation. Try PAP if CHAP fails consistently. Run `debug ppp authentication` to see exact failure reason
Session UP but no IP address	Dialer1 is up/up but IP is unassigned or 0.0.0.0; no IPCP in `show ip interface brief`	IPCP negotiation failed — ISP is not offering an address; `ip address negotiated` missing from Dialer1; or a static IP was incorrectly configured	Confirm `ip address negotiated` is on Dialer1 (not a static IP). Run `debug ppp negotiation` and look for IPCP-related messages. Contact ISP to confirm dynamic IP assignment is enabled for your account
Large packets fail / websites load partially	Small pings succeed; large file transfers fail or hang; some HTTPS sites unreachable	`ip mtu 1492` or `ip tcp adjust-mss 1452` missing — packets at 1500 bytes hit the PPPoE 8-byte overhead limit and are fragmented or dropped	Add `ip mtu 1492` and `ip tcp adjust-mss 1452` to Dialer1. Test with `ping 8.8.8.8 size 1472 df-bit` — a successful ping with DF-bit and size 1472 confirms the MTU is correct
Session UP but no internet from LAN hosts	Router can ping internet; LAN PCs cannot; `show ip nat statistics` shows misses	NAT misconfiguration — `ip nat inside` missing on LAN interface, `ip nat outside` missing on Dialer1, ACL does not match LAN subnet, or NAT rule not referencing Dialer1	Verify `show ip nat statistics` — confirm inside/outside interfaces. Check `access-list 1` permits the correct LAN subnet. Confirm NAT rule references `interface Dialer1` not a static IP. See Troubleshooting NAT/PAT Issues
Session drops and reconnects intermittently	Internet works for minutes then drops; `show pppoe session` shows session ID incrementing (new session each reconnect)	Physical layer issue on the DSL/Ethernet connection; ISP-side idle timeout; modem stability problem	Check `show interfaces Gi0/0` for input errors and line protocol flaps. Add `ppp lcp echo-interval 30` and `ppp lcp echo-failure 5` on Dialer1 to detect drops faster. Contact ISP if modem line statistics show excessive errors

Key Points & Exam Tips

PPPoE uses a two-phase process: discovery (PADI → PADO → PADR → PADS) establishes the Ethernet tunnel at Layer 2; PPP negotiation (LCP → authentication → IPCP) runs inside the tunnel to authenticate and assign an IP address.
The physical Ethernet interface facing the modem must have no IP address — it carries PPPoE frames at Layer 2. All IP configuration lives on the Dialer interface.
The dial pool number must match on both sides: pppoe-client dial-pool-number 1 on the physical interface and dialer pool 1 on the Dialer interface. A mismatch means no session is initiated.
ppp authentication chap callin — the callin keyword is mandatory for client operation. Without it, the router challenges the ISP for its credentials, which fails every time.
CHAP never sends the password in plaintext — it uses a three-way challenge/response with MD5 hashing. PAP sends credentials in cleartext. Always prefer CHAP when the ISP supports it.
ip mtu 1492 is required because PPPoE adds an 8-byte header to every Ethernet frame, reducing the effective IP payload from 1500 to 1492 bytes. Always pair it with ip tcp adjust-mss 1452 to clamp TCP MSS and prevent fragmentation of large TCP segments.
ip address negotiated on the Dialer interface tells IPCP to request a dynamic WAN IP from the ISP. The routing table confirms success with a /32 connected route on Dialer1 and the ISP peer /32 route.
NAT overload should reference interface Dialer1 rather than a static IP — this ensures NAT always uses the current WAN IP even when the ISP reassigns it on each session reconnect.
The default route must point to Dialer1 (not a specific IP) for the same reason — the ISP gateway IP is dynamic and installed automatically as a /32 connected route by IPCP.
On the CCNA exam: know the two-phase PPPoE process, the role of the Dialer interface vs the physical interface, the MTU/MSS adjustment requirement (1492/1452), the callin keyword for CHAP, and the key output fields in show pppoe session.

Next Steps: With the PPPoE WAN session established, configure NAT overload so LAN hosts can share the WAN IP — see Dynamic NAT & PAT Configuration. For diagnosing any NAT problems that follow, see Troubleshooting NAT/PAT Issues. To add a backup WAN link that activates only when the PPPoE session fails, see Floating Static Routes. For securing the router's management plane now that it is internet-facing, see SSH Configuration and Login Security and Brute-Force Protection.

TEST WHAT YOU LEARNED

1. Why must the physical Ethernet interface connected to the DSL modem be configured with `no ip address` in a PPPoE client setup?

A. The interface cannot have an IP address while NAT is active — removing the IP prevents routing loops between the physical port and the Dialer interface B. The ISP assigns the IP directly to the physical interface via DHCP during the PPPoE discovery phase, so no manual address is needed C. The physical interface carries PPPoE frames at Layer 2 — it is a transport for encapsulated PPP traffic, not an IP endpoint. All IP configuration lives on the logical Dialer interface that represents the PPP session. An IP address on the physical port would cause IOS to treat it as a routed interface instead of a PPPoE bearer D. Cisco IOS automatically removes any IP address from an interface when pppoe-client dial-pool-number is applied — the command is rejected if an IP is present

Correct answer is C. PPPoE operates across two distinct layers. The physical Ethernet interface is purely a Layer 2 transport — it sends and receives PPPoE Ethernet frames (EtherType 0x8863 for discovery, 0x8864 for session data) but it never processes IP packets directly. Assigning an IP address to the physical port would create a routed L3 interface that competes with the Dialer interface for traffic handling. The Dialer interface is the logical PPP endpoint — it receives the WAN IP from IPCP, participates in routing, and is where NAT outside is applied. The physical interface's only job is to carry the PPPoE encapsulated frames to and from the modem. This is why show ip interface brief correctly shows GigabitEthernet0/0 as "unassigned" while Dialer1 shows the ISP-assigned WAN IP.

2. What is the significance of the dial pool number in PPPoE client configuration, and what happens if the numbers do not match?

A. The dial pool is the binding mechanism between the physical Ethernet interface and the Dialer interface. pppoe-client dial-pool-number 1 on the physical port and dialer pool 1 on Dialer1 must use the same number. A mismatch means no PPPoE session is initiated — the physical port has no Dialer interface to deliver the session to, and show pppoe session shows no sessions B. The dial pool number is the PPPoE Session ID assigned by the ISP BRAS — it must match the session ID in the ISP's RADIUS server C. The dial pool number defines the VLAN the PPPoE session runs on — mismatched numbers place the session on the wrong VLAN and prevent discovery D. The dial pool number is optional — if omitted, IOS automatically assigns the session to Dialer interface 0

Correct answer is A. The dial pool is Cisco's mechanism for associating a physical bearer interface with a logical dialer interface. On the physical side, pppoe-client dial-pool-number 1 tells GigabitEthernet0/0 "when you receive a PPPoE session confirmation, hand it to whichever dialer interface is a member of pool 1." On the virtual side, dialer pool 1 on Dialer1 declares "I am a member of pool 1 and I will handle sessions assigned to it." If pool 1 is specified on the physical port but pool 2 is specified on the Dialer, they never connect — the physical port has no Dialer to hand the session to and PPPoE discovery silently fails. The dial pool number has no relationship to the ISP-assigned session ID (which is a value negotiated during the PADS discovery message and visible in show pppoe session).

3. Why is the `callin` keyword critical in `ppp authentication chap callin` for a PPPoE client? What happens if it is omitted?

A. callin enables CHAP only during the initial call setup — without it, CHAP re-authenticates every 30 seconds causing session instability B. callin prevents the ISP from seeing the router's hostname — without it the ISP identifies the router and applies rate limiting C. callin disables PAP fallback — without it, IOS automatically falls back to PAP which is less secure D. Without callin, the router behaves as both a CHAP client and a CHAP server — it sends its own challenge to the ISP BRAS demanding that the BRAS authenticate itself back. ISPs never respond to this challenge, causing the PPP authentication phase to fail. callin restricts CHAP to client-only mode — authenticate when calling in, but do not challenge the remote peer

Correct answer is D. PPP's CHAP authentication is designed to be bidirectional — both endpoints can challenge each other. In an enterprise-to-enterprise PPP link, mutual authentication makes sense. In a broadband PPPoE scenario, the router is always the client and the ISP BRAS is always the server. The BRAS authenticates the router (client); the BRAS does not expect to be authenticated by the router. When callin is omitted from ppp authentication chap, IOS sends a CHAP challenge to the BRAS along with responding to the BRAS's challenge. The BRAS ignores or rejects the unexpected challenge, and IOS interprets the lack of response as an authentication failure — the session never comes up despite correct credentials. The callin keyword is therefore not optional for any PPPoE client configuration; it is required for the authentication phase to complete successfully.

4. A router has a working PPPoE session. `show ip interface brief` shows Dialer1 as up/up with IP 203.0.113.45. LAN hosts can ping the router's LAN IP (192.168.10.1) but cannot reach 8.8.8.8. `show ip nat statistics` shows 0 Hits and 0 Misses. What is the most likely cause?

A. The default route is missing — add ip route 0.0.0.0 0.0.0.0 Dialer1 B. The ip nat inside label is missing from the LAN interface (Gi0/1) — NAT is never invoked because IOS does not recognise packets arriving on Gi0/1 as inside NAT traffic, so the Hits and Misses counters both remain at zero despite active LAN traffic C. The PPPoE session MTU is wrong — packets from LAN hosts are 1500 bytes and being fragmented before reaching the ISP D. The NAT ACL permits the wrong subnet — the ACL entry does not match the 192.168.10.0/24 LAN hosts

Correct answer is B. The critical diagnostic clue here is that both Hits and Misses are zero. As covered in the NAT troubleshooting module, zero Misses means NAT was never invoked at all — not that it was invoked and failed. NAT is only invoked when a packet arrives on an interface marked ip nat inside. Without that label on Gi0/1, packets from LAN hosts route normally without any translation attempt — they arrive at the WAN with private source IPs (192.168.10.x) and are discarded by the ISP. The default route (Option A) being missing would produce a different symptom — the router itself would also be unable to reach 8.8.8.8, but the question states the session is up and Dialer1 has an IP. An ACL mismatch (Option D) would produce non-zero Misses. MTU issues (Option C) typically affect large packets, not all connectivity.

5. Why should the NAT overload rule reference `interface Dialer1` rather than the WAN IP address (e.g. `203.0.113.45`) in a PPPoE environment?

A. IOS does not support static IP addresses in NAT overload rules — interface references are mandatory B. Referencing the interface makes NAT faster because IOS looks up the IP directly from the interface table rather than comparing against a configured static value C. The WAN IP is dynamically assigned by the ISP via IPCP and changes every time the PPPoE session reconnects. Using interface Dialer1 tells NAT to always use whatever IP is currently on the Dialer — no configuration change is needed when the ISP assigns a different IP on reconnect. A static IP in the NAT rule would fail to translate if the ISP assigns a different address D. Using the interface reference instead of a static IP prevents NAT from creating duplicate translation entries when the same host reconnects

Correct answer is C. Dynamic IP assignment is the norm for residential and small-business broadband services. The IP address that IPCP assigns (203.0.113.45 today) may be different tomorrow or after any session restart — ISPs recycle their address pools and do not guarantee the same IP to the same customer on every session. If the NAT overload rule is written as ip nat inside source list 1 203.0.113.45 overload (hypothetical static syntax) and the ISP assigns 203.0.113.67 on the next reconnect, the NAT rule still references .45 — which no longer exists on the router — and all translations fail. Writing interface Dialer1 instead means IOS dynamically looks up the current IP on that interface at translation time, ensuring NAT always uses the correct active WAN address regardless of what the ISP assigns.

6. What do the values `ip mtu 1492` and `ip tcp adjust-mss 1452` address, and why must both be configured on Dialer1?

A. They are equivalent commands — configure only ip mtu 1492 as it implicitly sets the MSS to 1452 B. ip mtu 1492 sets the MTU for UDP; ip tcp adjust-mss 1452 sets the MTU for TCP — both are needed to cover all traffic types C. Both values only affect traffic generated by the router itself — transit traffic from LAN hosts is unaffected and does not need adjustment D. PPPoE adds an 8-byte header to every frame, reducing the usable IP payload from 1500 to 1492 bytes. ip mtu 1492 tells IOS to fragment IP packets larger than 1492 bytes before sending — preventing oversized frames. ip tcp adjust-mss 1452 rewrites the MSS field in TCP SYN packets to 1452 (1492 minus the 40-byte TCP/IP header), preventing TCP endpoints from negotiating segments so large that they generate fragments even before reaching the router. Both are necessary: MTU handles non-TCP traffic and packets already in flight; MSS clamping prevents the problem at the TCP negotiation stage

Correct answer is D. The 8-byte PPPoE overhead (6-byte PPPoE header + 2-byte PPP protocol field) reduces the Ethernet payload available for IP from 1500 to 1492 bytes. Without ip mtu 1492, a 1500-byte IP packet arriving from the LAN destined for the internet would exceed the PPPoE frame capacity — IOS either fragments it (causing performance degradation) or drops it with DF-bit set (causing mysterious connectivity failures for large transfers). The MSS problem is different: TCP endpoints negotiate their maximum segment size during the three-way handshake SYN/SYN-ACK exchange. Without MSS clamping, a client and server might agree on 1460-byte segments (standard Ethernet MSS), each of which — when combined with IP and TCP headers — produces a 1500-byte IP packet that then hits the 1492 PPPoE limit. ip tcp adjust-mss 1452 intercepts SYN packets and rewrites the MSS to ensure TCP connections never negotiate a segment size that would produce an oversized packet on the PPPoE link.

7. `show pppoe session` shows a session with a non-zero PPPoE Session ID but the state is not UP. `show ip interface Dialer1` shows the interface is up but line protocol is down. What phase of PPPoE has failed?

A. PPPoE discovery succeeded (non-zero session ID confirms PADS was received) but PPP negotiation failed — either LCP failed to agree parameters, authentication was rejected, or IPCP could not assign an IP address. Run debug ppp authentication and debug ppp negotiation to identify which PPP sub-phase is failing B. The physical layer failed after discovery — the modem dropped the Ethernet link between the PADS and PPP LCP exchange C. The dial pool number mismatch — discovery completed on Gi0/0 but the session cannot be handed to a Dialer interface D. IPCP succeeded but the IP address negotiated is already in use on the LAN — IOS detects the conflict and holds the line protocol down

Correct answer is A. The PPPoE session ID is assigned during the discovery phase (PADS message). A non-zero session ID is proof that Phase 1 (discovery) completed — the BRAS accepted the connection request and assigned a session identifier. Phase 2 is the PPP negotiation that runs inside the established PPPoE tunnel: LCP (negotiate link parameters like MRU and authentication method), Authentication (CHAP or PAP), and IPCP (assign IP address). "Interface up, line protocol down" on the Dialer interface is the classic indicator that the physical/session layer is alive (up) but the PPP protocol negotiation layer failed (line protocol down). The most common cause is authentication failure — wrong username, wrong password, or the missing callin keyword causing the router to challenge the BRAS. Run debug ppp authentication to see exactly what the BRAS responds with.

8. What is the difference between CHAP and PAP authentication in a PPPoE session, and which is preferred?

A. CHAP authenticates once during session setup; PAP re-authenticates every 60 seconds. CHAP is preferred for performance B. CHAP uses a three-way challenge/response — the ISP sends a random challenge, the router responds with an MD5 hash of the challenge and the password. The password itself is never transmitted. PAP sends the username and password in cleartext with no challenge mechanism. CHAP is strongly preferred because a captured PAP exchange directly exposes the credentials C. CHAP is used for the initial session; PAP is used when the session is re-established after a drop. Both are equally secure D. PAP is preferred because it is faster — CHAP's three-way handshake adds latency to session establishment which impacts time-sensitive applications

Correct answer is B. CHAP (Challenge Handshake Authentication Protocol) works by having the authenticator (ISP BRAS) send a random challenge value. The supplicant (router) computes MD5(challenge + session ID + password) and sends back only the hash — the password never appears on the wire. Even if an attacker captures every packet of the exchange, they cannot recover the password from the hash (assuming a strong password). PAP (Password Authentication Protocol) has no challenge — the router simply transmits the username and password in plaintext ASCII during the PPP authentication phase. Anyone capturing the PPPoE session establishment can read the credentials directly. The CCNA exam tests this distinction: CHAP = challenge/response with hashing = secure; PAP = plaintext = insecure. Always configure CHAP (ppp authentication chap callin) as the primary and only add PAP as a fallback when the ISP specifically requires it.

9. The routing table shows `S* 0.0.0.0/0 [1/0] via 0.0.0.0, Dialer1`. Why does the next-hop appear as `0.0.0.0` rather than the ISP gateway IP, and is this correct?

A. This indicates a misconfiguration — the default route should reference the ISP gateway IP (203.0.113.46) as the next-hop, not 0.0.0.0 B. 0.0.0.0 as the next-hop means the route is inactive — the PPPoE session has not yet established and the route is a placeholder C. The 0.0.0.0 next-hop means the route uses ECMP (equal-cost multipath) — traffic is load-balanced between all active interfaces D. This is correct and expected for an interface-based static route. The default route was configured as ip route 0.0.0.0 0.0.0.0 Dialer1 — specifying an interface without a next-hop IP. IOS displays the next-hop as 0.0.0.0 to indicate no explicit next-hop was configured; all traffic matching the default route exits via Dialer1 regardless of the peer IP. The ISP peer IP is installed separately as a /32 connected route by IPCP

Correct answer is D. When an ip route command specifies an exit interface without a next-hop IP address — as in ip route 0.0.0.0 0.0.0.0 Dialer1 — IOS stores the route with a next-hop of 0.0.0.0 in the routing table, meaning "exit via this interface." For point-to-point interfaces like PPP, this is completely valid because there is only one possible peer on the other end — IOS does not need a specific next-hop IP to determine where to send the packet. The ISP peer address (e.g. 203.0.113.46) is automatically installed by IPCP as a /32 directly-connected route, but the default static route does not need to reference it. Configuring the default route as ip route 0.0.0.0 0.0.0.0 203.0.113.46 would also work but would fail if the ISP ever assigns a different gateway IP — the interface-based route is more resilient for dynamic PPPoE environments.

10. An engineer successfully establishes a PPPoE session. Small pings to 8.8.8.8 work perfectly, but large file downloads stall after a few kilobytes, and some HTTPS websites fail to load. What is the most likely cause and fix?

A. The PPPoE session is being throttled by the ISP — contact the ISP to remove speed limits on the account B. The CHAP password is being rejected for large sessions — reconfigure using PAP which supports longer data transfers C. The ip mtu 1492 and/or ip tcp adjust-mss 1452 commands are missing from Dialer1. Small ICMP pings use small packets that fit within the PPPoE frame without issue. Large TCP transfers use 1460-byte segments (default Ethernet MSS) which — plus headers — produce 1500-byte IP packets. These exceed the 1492-byte PPPoE limit and are either silently dropped (DF-bit set) or fragmented, causing stalls. Fix: add ip mtu 1492 and ip tcp adjust-mss 1452 to Dialer1 D. The NAT translation table is full — increase the NAT timeout or clear stale bindings with clear ip nat translation *

Correct answer is C. The symptom pattern — small packets work, large transfers fail — is the classic fingerprint of an MTU/MSS mismatch on a PPPoE link. ICMP ping packets sent with default sizes (100 bytes) are far below the 1492-byte limit and traverse the PPPoE link without issue. TCP connections negotiating 1460-byte MSS (the Ethernet default) produce IP packets of 1500 bytes (1460 data + 20 TCP + 20 IP headers), which exceed the 1492-byte PPPoE capacity by 8 bytes. With the DF (Don't Fragment) bit set — which all modern TCP stacks use — these packets cannot be fragmented and are silently discarded. The connection appears to start (the TCP handshake uses small SYN/SYN-ACK packets) then stalls immediately when data transfer begins. Adding ip tcp adjust-mss 1452 to Dialer1 intercepts SYN packets and reduces the advertised MSS to 1452, ensuring TCP segments stay within the 1492-byte IP MTU. The test to confirm MTU is the issue: ping 8.8.8.8 size 1473 df-bit — this should fail (1473 + 20 IP + 8 PPPoE = 1501 bytes, exceeds limit), while ping 8.8.8.8 size 1464 df-bit should succeed.

Back to Home