Example: Configuring Multiple PPPoE Sessions on a Single Interface (NSM Procedure)

Some security devices support multiple PPPoE subinterfaces (each with the same MAC address) for a given physical interface. On such devices, you can make a PPPoE connection on multiple instances by binding each subinterface to a different PPPoE instance. You determine which traffic the device sends over a particular PPPoE session by configuring routes that specify a PPPoE subinterface for each session (no rules determine the flow of traffic). IPsec tunnels can terminate on such PPPoE subinterfaces.

The maximum number of concurrent PPPoE sessions on a physical interface is limited only by the number of subinterfaces allowed by the device. There is no restriction on how many physical interfaces can support multiple sessions. You can specify username, static-ip, idle-timeout, auto-connect and other parameters separately for each PPPoE instance or session.

To support a PPPoE session, a subinterface must be untagged. A tagged subinterface uses an associated VLAN tag to enable the subinterface to receive Layer 2 traffic and direct it selectively to a particular VLAN, which usually resides in a trusted zone. VLAN tags allow a single physical interface to direct exchanged packets selectively to and from VLANs, each through a different subinterface.

By contrast, an untagged interface does not use a VLAN tag to identify a VLAN for a subinterface. Instead, it uses a feature called encap, which binds the subinterface to a particular PPPoE definition. By hosting multiple subinterfaces, a single physical interface can host multiple PPPoE instances. You can configure each instance to go to a specified AC (access concentrator), thus enabling separate entities (such as ISPs) to manage the PPPoE sessions through a single interface.

In the following example you define three PPPoE instances:

To configure multiple PPPoE sessions on a single interface:

  1. Add a NetScreen-208 device running ScreenOS 5.1 named “Device A”.
  2. In the NSM navigation tree, select Devices > Security Devices. Double-click Device A to open the device configuration.
  3. In the device navigation tree, select Network > Interfaces. Configure the subinterfaces for the Los Angeles and Chicago ISPs.

    Click the Add icon and select Sub Interface. The General Properties screen appears. Configure the following options:

    • For Name, select ethernet 3.
    • For Tag, select 1.
    • For Sub Interface Type, select encap.
    • For Encap, select pppoe.
    • For Zone, select Untrust.
  4. Leave all other defaults and click OK to save the new subinterface.
  5. Click the Add icon and select Sub Interface. The General Properties screen appears. Configure as follows:
    • For Name, select ethernet 3.
    • For Tag, select 2.
    • For Sub Interface Type, select encap.
    • For Encap, select pppoe.
    • For Zone, select Untrust.
    • Leave all other defaults and click OK to save the new subinterface.
  6. Configure the PPPoE Instance for the New York ISP:
    • In the device navigation tree, select Network > PPPoE.
    • Click the Add icon. The New PPPoE Instance dialog box appears.
  7. Configure the following options, and then click OK:
    • For Name, enter isp_new_york.
    • For Interface, select the physical interface ethernet3.
    • For Username, enter user1@domain1.
    • For Password, enter swordfish.
    • For Access Concentrator, enter isp_ny_ac.
    • For Service, enter Big_Apple_Service.
    • Select Clear On Disconnect.
    • Leave all other defaults.
  8. Configure the PPPoE Instance for the Los Angeles ISP:
    • In the device navigation tree, select Network > PPPoE.
    • Click the Add icon. The New PPPoE Instance dialog box appears.
  9. Configure the following options, and then click OK:
    • For Name, enter isp_los_angeles.
    • For Interface, select the subinterface ethernet3.1.
    • For Username, enter user2@domain2.
    • For Password, enter marlin.
    • For Access Concentrator, enter isp_la_ac.
    • For Service, enter Angels_Service.
    • Select Clear On Disconnect.
    • Leave all other defaults.
  10. Configure the PPPoE Instance for the Chicago ISP:
    • In the device navigation tree, select Network > PPPoE.
    • Click the Add icon. The New PPPoE Instance dialog box appears.
  11. Configure the following options, and then click OK:
    • For Name, enter isp_chicago.
    • For Interface, select the subinterface ethernet3.2.
    • For Username, enter user3@domain3.
    • For Password, enter trout.
    • For Access Concentrator, enter isp_c_ac.
    • For Service, enter Windy_City_Service.
    • Select Clear On Disconnect.
    • Leave all other defaults.
  12. Click OK to save your changes to the device.
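
The binding and routing rules described above can be checked against the finished configuration. The following Python script is an added example, not NSM or ScreenOS code: the interface and instance names come from the procedure, while the dictionary layout, the function names validate and session_for, and the routes (documentation prefixes) are assumptions made for illustration.

```python
import ipaddress

# Interfaces as configured in the procedure. kind "encap" models an untagged
# subinterface bound by encapsulation instead of a VLAN tag (layout is assumed).
INTERFACES = {
    "ethernet3":   {"kind": "physical", "zone": "Untrust"},
    "ethernet3.1": {"kind": "encap", "encap": "pppoe", "zone": "Untrust"},
    "ethernet3.2": {"kind": "encap", "encap": "pppoe", "zone": "Untrust"},
}
# PPPoE instance name -> bound interface (values from the procedure).
PPPOE = {
    "isp_new_york": "ethernet3",
    "isp_los_angeles": "ethernet3.1",
    "isp_chicago": "ethernet3.2",
}
# Constructed routes (assumption, the page lists none): prefix -> egress interface.
ROUTES = {
    "0.0.0.0/0": "ethernet3",
    "198.51.100.0/24": "ethernet3.1",
    "203.0.113.0/24": "ethernet3.2",
}

def validate(interfaces, pppoe):
    """Return violations of the binding rules: one instance per interface, untagged subinterfaces."""
    errors, seen = [], {}
    for name, ifname in pppoe.items():
        iface = interfaces.get(ifname)
        if iface is None:
            errors.append(f"{name}: interface {ifname} is not defined")
            continue
        if ifname in seen:
            errors.append(f"{name}: {ifname} already bound to {seen[ifname]}")
        seen[ifname] = name
        # A subinterface carrying PPPoE must be untagged: type encap, encap pppoe.
        if "." in ifname and (iface.get("kind"), iface.get("encap")) != ("encap", "pppoe"):
            errors.append(f"{name}: subinterface {ifname} must be encap/pppoe, not tagged")
    return errors

def session_for(dest, routes, pppoe):
    """Longest-prefix match on the routes, then map the egress interface to its PPPoE instance."""
    addr = ipaddress.ip_address(dest)
    nets = [(ipaddress.ip_network(p), ifname) for p, ifname in routes.items()]
    matches = [(net, ifname) for net, ifname in nets if addr in net]
    if not matches:
        return None
    _, egress = max(matches, key=lambda m: m[0].prefixlen)
    by_iface = {ifname: name for name, ifname in pppoe.items()}
    return by_iface.get(egress)
```

validate returns an empty list for the configuration built in the procedure, and session_for shows which PPPoE session a destination would use under the constructed routes.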
