Configure a PPPoE Client on a Subinterface
Focus
Focus

Configure a PPPoE Client on a Subinterface

Table of Contents

Configure a PPPoE Client on a Subinterface

Configure a PPPoE Client on a subinterface to connect to your ISP using an 802.1Q VLAN tag.
Beginning with PAN-OS 11.0.1, you can configure a PPPoE (Point-to-Point Protocol over Ethernet) client on a Layer 3 subinterface when your ISP indicates that PPPoE over 802.1Q VLAN is the way in which to connect to its internet services. The firewall establishes a PPPoE connection to the ISP using an 802.1Q VLAN tag. The PPPoE client that you configure on the subinterface learns its IPv4 address from the ISP, along with other information such as the IP address of the server, DNS information, and MTU.
The subinterface supports an IPv4 address. You can configure a PPPOE client on either a physical interface or a subinterface, but not both at the same time. Only one PPPoE subinterface is supported on a physical interface. Before you begin configuring a PPPoE client, ask your ISP what VLAN tag to use for your connection. You must enter that tag when you configure the subinterface number and the
Tag
. The task below assumes you have already configured a Layer 3 Ethernet interface on the firewall with a security zone.
The following example topology has a PPPoE connection between the firewall and the access concentrator.
The firewall encapsulates northbound traffic (a PPPoE packet) from a host in an 802.1Q frame and sends it to the opposite end of the PPPoE link, on its way to the ISP network. Likewise, the firewall decapsulates the southbound traffic from the 802.1Q frame before sending the PPPoE packet to the host.
  1. Configure a subinterface as a PPPoE client (termination point).
    1. Select
      Network
      Interfaces
      Ethernet
      and highlight a Layer 3 Ethernet interface.
    2. Add Subinterface
      .
    3. To the right of the
      Interface Name
      and dot, enter the subinterface number; use the VLAN tag number that your ISP provided. This subinterface number is for reference purposes; the VLAN tag ID is read from the Tag field.
    4. Enter the
      Tag
      , which is the VLAN tag number that your ISP provided. The actual VLAN tag ID is read from this Tag field.
    5. Select
      IPv4
      .
    6. Select the
      Type
      of address as
      PPPoE
      .
    7. Select
      General
      and
      Enable
      the subinterface.
    8. Enter the
      Username
      for the authentication you will choose in the next step.
    9. Enter the
      Password
      and
      Confirm Password
      .
  2. Configure additional characteristics of the PPPoE subinterface.
    1. Select
      Advanced
      .
    2. Select the type of
      Authentication
      :
      • None
        —(default) If you keep this setting, the firewall selects
        auto
        as the authentication protocol.
      • CHAP
        —Firewall uses Challenge Handshake Authentication Protocol (CHAP).
      • PAP
        —Firewall uses Password Authentication Protocol (PAP). PAP sends usernames and passwords in plain text, and is less secure than CHAP.
      • auto
        —Firewall negotiates the authentication method (CHAP or PAP) with the PPPoE server.
    3. To request that the PPPoE server assign a certain IPv4 address for the subinterface, specify a
      Static Address
      . (The PPPoE server may assign the requested address or a different address at its discretion.) Default is
      None
      .
    4. To automatically create a default route that points to the default gateway that the PPPoE server provides, select
      automatically create default route pointing to peer
      .
    5. Enter the
      Default Route Metric
      (priority level) of the PPPoE connection; range is 1 to 65,535; default is 10. A route with a lower number has higher priority during route selection. For example, a route with a metric of 10 is used before a route with a metric of 100.
    6. Enter the name of the
      Access Concentrator
      that your ISP provided, if any (string value of 0 to 255 characters). The firewall will connect with this Access Concentrator.
    7. Enter the
      Service
      that your ISP provided, if any (string value of 0 to 255 characters).
    8. If you want the PPPoE client (firewall) to wait for the PPPoE server to initiate a connection, select
      Passive
      . If Passive is not selected, the firewall is allowed to initiate a connection.
  3. Click
    OK
    .
  4. Commit
    the changes.
  5. View information about the PPPoE client. The Local IP Address, Primary DNS, Secondary DNS, Primary WINS, Secondary WINS, Remote IP Address, Access Concentrator name, and AC MAC address were received from the PPPoE server.
    1. Select
      Network
      Interfaces
      Ethernet
      and in the row of the subinterface that you configured, select
      Dynamic-PPPoE
      .
      Alternatively, you can select the subinterface,
      IPv4
      , and
      Show PPPoE Client Runtime Info
      .
    2. Close
      the window.

Recommended For You