The concern for PPPoE is whether client sessions will re-establish
automatically after disconnects of the link.
For example, if a Pre-N Belkin router is used for an end user link, and I
disconnect their service, for example by rebooting a Trango AP at the cell site
or from significant packet loss causing the link to degrade for too long a
period, the Belkin will NOT try to re-establish the PPPoE connection until
the Belkin router is physically rebooted. This was a problem for us, because
it generated support calls to get users back up after a reboot of our APs,
and often customers would experience much longer outages before they
realized they just needed to reboot their own in-house Belkin router. We
also ran into this with several Netgear router models. What you want is a
router that tries to log in automatically and continuously if it loses
connection. Our Linksys routers work great, and auto-reconnect with no
problems. So PPPoE had created an issue where we had to dictate what
equipment an end user could use on our network, if we set them up as PPPoE.
PPPoE is a tunnel client-to-server protocol, so both a server and client need
to be aware of whether a session is connected or disconnected, and can be
disconnected from either side. This timeout for disconnect can be set on
the server side. For example, if you set a disconnect time of 5 seconds at
the server, if there is some packet loss, the server might terminate a
session prematurely waiting for communication that it never receives from
the CPE at that time, and then the client router does not know that the
connection is terminated and doesn't know to try to re-establish a connection
because it does not know it's down, or at least not for a period of time. So
you don't want the timeout at the server to be too small. Now if you make the
timeout large, let's say 1 minute, if there is packet loss, and the client
thinks the connection has been terminated because of its inability to get to the
server for a short period, it will disconnect and try to re-establish a
connection, however it will not be able to for 1 minute. This is because the
server thinks the original session is still active and will not clear the
original session to allow the next session to reconnect, and two sessions are
not allowed at the same time. This can cause outages longer than normal,
where a 5 second outage turns into a 1 minute outage. Not a big deal for
residential, but for business where the links may be monitored by third
parties, it can be an added pain in the neck. The problem can be solved by
allowing multiple connections of a PPPoE login, but then there is a security
issue where two people can connect at the same time with the same password.
These problems are not a big deal to deal with, you just need to be aware of
them, for designing your PPPoE system.
When PPPoE is established, you cannot access the client via an arping,
because the protocol does not support that. I forget the exact technical
explanation, but it's something like it does support broadcasts because it's
not using TCP/IP at that point, it's using its own protocol at layer two for
communication. So to tell if a client is up, you do it by monitoring the
session logs at the server.
We do the PPPoE server apps at the first hop. We do the authentication at
the cell router with our own implementation that integrates to our router
provisioning system, but most people have it relay to a remote
authentication system centrally such as a RADIUS server.
PPPoE now means every client needs either a PPPoE router or software loaded
that supports PPPoE. Many represent that XP's built-in PPPoE support works
well, but we don't use it yet.
PPPoE does reduce the packet size, so it is no longer a full 1500 bytes. So
end users sometimes need to configure their VPN software if using one, to
adjust for that situation, an added headache. However, most VPNs we tested
pass through PPPoE OK.
PPPoE also does have significant overhead. You could limit the total number
of connections you can support, because of the bandwidth that is wasted for
the tunneling protocol. However I do not remember what that limit is, we have
not hit it yet. But that is why we operate the PPPoE server at the first
hop, to reduce the PPPoE server traffic/overhead across the network; it
also makes it more reliable for session management. The more links, and
packet loss possible end to end, increases the chance of session disconnects.
The fact that many hops may be needed to get to the authentication system
(RADIUS) really doesn't matter because it's not part of the client-server
session end to end.
We have chosen not to use PPPoE because of these issues, except for some
residential customers that are required to use Linksys routers. However,
I'm aware of some ISPs that have successfully used PPPoE as a protocol for
EVERY customer as a requirement. They generally do it to ease their
management. You no longer need to be aware of the path a customer takes to
connect to the network because the routes will be auto-created wherever the
customer connects from. For example if you have a three sector cell site,
clients could connect from any sector without your reconfiguration of the
PPPoE for the client, so redundancy could be built in very easily. Whereas
with a routed connection to a client from a specific sector, if they change
sectors, I need to change my routing for them. The trade-off is when I
manually route, I am always aware of what path the customer travels so I can
monitor their link path for reliability; with PPPoE if they complain about
performance I really don't know what path an end user took after a session
I do not have a recommendation on whether PPPoE should or shouldn't be used
for your implementation, but those are some things for you to consider when
making the determination.
RapidDSL & Wireless, Inc
IntAirNet- Fixed Wireless Broadband
----- Original Message -----
From: "John Scrivner" <[EMAIL PROTECTED]>
Sent: Wednesday, November 30, 2005 10:54 AM
Subject: [WISPA] Ethernet based authentication
Anyone out there have experience with PPPoE? I have a client who is a
local government entity. They have people who have abused their Internet
connection in the past. They restrict who has Internet access and when it
can be used. One of our techs unknowingly circumvented protocol by helping
an employee learn how to connect his personal laptop to the hardwired
Ethernet network. Now the government entity is highly peeved at me. They
want a complete report on the incident and a plan for how I will prevent
people from doing this in the future at all locations. I am thinking we
can use PPPoE to force all users even on the hardwired network to
authenticate in order to get on the Internet. What are your thoughts? What
will this break on an internal network that may be doing other things?
Could an internal Windows network still function normally while the
computer is not authenticated for Internet access? I have never done PPPoE
and need a little guidance from those of you who have.
WISPA Wireless List: firstname.lastname@example.org
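
Added example, not part of the original messages: the reply above says client state has to be read from the server's session logs and that allowing multiple connections per login lets two people use one password at once. This sketch replays session events to list who is up and to flag overlapping sessions for one login; the event format, logins and session ids are constructed for illustration and are not any real PPPoE server's log format.

```python
from datetime import datetime

# Constructed sample events (hypothetical format):
# <ISO timestamp> <OPEN|CLOSE> <login> <session id>
SAMPLE_LOG = """\
2005-11-30T10:00:00 OPEN alice 0x0001
2005-11-30T10:05:00 OPEN bob 0x0002
2005-11-30T10:20:00 OPEN alice 0x0003
2005-11-30T10:25:00 CLOSE alice 0x0001
2005-11-30T10:40:00 CLOSE bob 0x0002
2005-11-30T10:45:00 OPEN bob 0x0004
"""


def parse(log):
    """Yield (timestamp, event, login, session_id) for each non-empty line."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, event, login, sid = line.split()
        yield datetime.fromisoformat(ts), event, login, sid


def analyse(log):
    """Replay the log in order.

    Returns (up, overlaps):
      up       - login -> {session_id: opened_at} for sessions still open
      overlaps - (login, already_open_ids, new_id, time) for every OPEN that
                 arrived while the same login already had a session open
    """
    active, overlaps = {}, []
    for ts, event, login, sid in parse(log):
        sessions = active.setdefault(login, {})
        if event == "OPEN":
            if sessions:  # same credentials in use twice at once
                overlaps.append((login, sorted(sessions), sid, ts))
            sessions[sid] = ts
        elif event == "CLOSE":
            sessions.pop(sid, None)  # tolerate a CLOSE for an unknown session
    up = {login: s for login, s in active.items() if s}
    return up, overlaps


if __name__ == "__main__":
    up, overlaps = analyse(SAMPLE_LOG)
    for login, sessions in sorted(up.items()):
        print(f"UP   {login}: {', '.join(sessions)}")
    for login, old, new, ts in overlaps:
        print(f"WARN {login}: {new} opened at {ts} while {old} still open")
```

An overlap can also be a stale session the server has not yet timed out rather than a shared password, so a flagged login is a prompt to check, not proof of misuse.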