Day 6. PPP

CCNA 200-101 ICND2 Exam Topics

- Configure and verify a PPP connection between Cisco routers

Key Topics

Today’s review covers Point-to-Point Protocol (PPP) concepts and configuration. PPP is supported by routers from essentially every vendor, so it is the natural choice whenever the two ends of a leased line are not both Cisco devices. In addition, PPP offers a set of features, reviewed in this section, that might lead you to prefer it over High-Level Data Link Control (HDLC) even in an environment with all Cisco routers.

PPP Concepts

PPP provides several basic but important functions that are useful on a leased line that connects two devices, as reviewed in the following list:

- Definition of a header and trailer that allows delivery of a data frame over the link

- Support for both synchronous and asynchronous links

- A Protocol Type field in the header, allowing multiple Layer 3 protocols to pass over the same link

- Built-in authentication tools: Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP)

- Control protocols for each higher-layer protocol that rides over PPP, allowing easier integration and support of those protocols

The PPP Frame Format

One of the more important features in the PPP standard is the standardized Protocol field, which identifies the type of packet carried inside the frame. Notice in Figure 6-1 that PPP borrows its framing from HDLC: the Flag, Address, and Control fields are the same, and the FCS trailer serves the same purpose. The HDLC frame shown is the Cisco format; the ISO HDLC standard has no type field, and the Type field Cisco added is proprietary, which is why HDLC on a Cisco router does not interoperate with other vendors while PPP does.


Figure 6-1 Comparing the Cisco HDLC and PPP Frames

PPP defines a set of Layer 2 control messages that perform various link control functions. These control functions fall into two main categories:

- Those needed regardless of the Layer 3 protocol sent across the link

- Those specific to each Layer 3 protocol

The PPP Link Control Protocol (LCP) implements the control functions that work the same regardless of the Layer 3 protocol.

For features related to any higher-layer protocols, typically Layer 3 protocols, PPP uses a series of PPP control protocols (CPs), such as IP Control Protocol (IPCP). PPP uses one instance of LCP per link, and one CP for each Layer 3 protocol defined on the link. For example, on a PPP link using IPv4, IPv6, and Cisco Discovery Protocol (CDP), the link uses one instance of LCP, plus IPCP (for IPv4), IPv6CP (for IPv6), and CDPCP (for CDP). In the literature, you will often see these referred to collectively as network control protocols (NCPs).

PPP Link Control Protocol (LCP)

LCP provides four notable features summarized in Table 6-1.

Table 6-1 LCP Features

Function               | LCP Feature                   | Description
Looped-link detection  | Magic number                  | Detects whether the link is looped so the router can bring the line protocol down instead of routing over a link that leads nowhere
Error detection        | Link Quality Monitoring (LQM) | Disables an interface whose error rate exceeds a configured percentage, letting a routing protocol install a better backup route
Multilink support      | Multilink PPP                 | Load balances traffic over multiple parallel links while Layer 3 treats them as a single link
Authentication         | PAP and CHAP                  | Exchanges names and a password (PAP) or a hash of a shared password (CHAP) to verify the identity of the device on the other end of the link

Looped-Link Detection

LCP notices looped links quickly using a feature called magic numbers. Each router picks a random magic number and includes it in its LCP messages (Configure-Request and the Echo-Request and Echo-Reply keepalives). If a line is looped (such as during testing by a telco technician), the router receives an LCP message carrying its own magic number instead of the other router’s. PPP helps the router recognize a looped link quickly so that it can bring down the interface and possibly use an alternative route. When the router detects the loop, LCP fails and the line protocol goes down (the interface shows as up, line protocol down), and the routing protocols can change their routing updates based on the fact that the link is down.
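The following is an added example, not code from the original page: it builds and parses PPP frames in the RFC 1662 HDLC-like framing described under The PPP Frame Format, verifies the 16-bit FCS, decodes the Protocol field into the LCP and CP names used above, and applies the LCP magic-number test for a looped link. The field values come from RFC 1661/1662; the sample frames, magic numbers and the helper names are constructed for this example. Byte stuffing of 0x7E/0x7D inside the frame is left out, since the parser slices by position rather than scanning for flags.

```python
"""Added example: PPP framing, FCS-16, Protocol field decode, and the LCP
magic-number loop test.  Constants from RFC 1661/1662; sample data constructed."""
import struct

FLAG, ADDRESS, CONTROL = 0x7E, 0xFF, 0x03
GOOD_FCS = 0xF0B8  # residue left when the FCS is run over body + transmitted FCS

# PPP Protocol field values: Layer 3 payloads and their control protocols
PROTOCOLS = {
    0x0021: "IPv4", 0x8021: "IPCP",
    0x0057: "IPv6", 0x8057: "IPv6CP",
    0x0207: "CDP",  0x8207: "CDPCP",
    0xC021: "LCP",  0xC023: "PAP", 0xC223: "CHAP",
}
LCP_ECHO_REQUEST, LCP_ECHO_REPLY = 9, 10


def ppp_fcs16(data: bytes, fcs: int = 0xFFFF) -> int:
    """RFC 1662 FCS-16 (CRC-16/X.25 before the final complement, poly 0x8408 reflected)."""
    for byte in data:
        fcs ^= byte
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs


def build_frame(protocol: int, payload: bytes) -> bytes:
    """Flag, Address, Control, Protocol, payload, FCS (complemented, LSB first), Flag."""
    body = bytes([ADDRESS, CONTROL]) + struct.pack("!H", protocol) + payload
    fcs = ppp_fcs16(body) ^ 0xFFFF
    return bytes([FLAG]) + body + struct.pack("<H", fcs) + bytes([FLAG])


def fcs_ok(frame: bytes) -> bool:
    """Running the FCS over body + FCS bytes must leave the fixed residue 0xF0B8."""
    return len(frame) >= 8 and ppp_fcs16(frame[1:-1]) == GOOD_FCS


def parse_frame(frame: bytes) -> dict:
    """Strip the flags, verify the FCS, and return the Protocol name and payload."""
    if len(frame) < 8 or frame[0] != FLAG or frame[-1] != FLAG:
        raise ValueError("missing flag bytes")
    if not fcs_ok(frame):
        raise ValueError("bad FCS")
    body = frame[1:-1]
    if body[0] != ADDRESS or body[1] != CONTROL:
        raise ValueError("unexpected address/control")
    (proto,) = struct.unpack("!H", body[2:4])
    return {"protocol": PROTOCOLS.get(proto, hex(proto)), "payload": body[4:-2]}


def lcp_echo(code: int, ident: int, magic: int) -> bytes:
    """LCP Echo-Request/Echo-Reply: Code, Identifier, Length (8), Magic-Number."""
    return struct.pack("!BBHI", code, ident, 8, magic)


def looped(my_magic: int, frame: bytes) -> bool:
    """True when an LCP echo received on the link carries our own magic number."""
    parsed = parse_frame(frame)
    if parsed["protocol"] != "LCP" or len(parsed["payload"]) < 8:
        return False
    code, _ident, _length, magic = struct.unpack("!BBHI", parsed["payload"][:8])
    return code in (LCP_ECHO_REQUEST, LCP_ECHO_REPLY) and magic == my_magic


if __name__ == "__main__":
    # Constructed sample: R1 (magic 0x12345678) sends an Echo-Request and, because
    # the telco has the circuit looped, receives the same frame back.
    req = build_frame(0xC021, lcp_echo(LCP_ECHO_REQUEST, 1, 0x12345678))
    print(parse_frame(req)["protocol"], "looped:", looped(0x12345678, req))
```

A frame with a flipped bit fails the FCS check before the Protocol field is ever read, which is the order a real receiver uses; the loop test only runs on frames that passed it.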

Enhanced Error Detection

When a network has redundant links, you can use PPP to monitor the percentage of frames received in error. After the configured error rate has been exceeded, PPP takes down the interface, allowing routing protocols to install a better backup route. PPP LCP analyzes the error rates on a link using a PPP feature called Link Quality Monitoring (LQM), enabled with the ppp quality percentage interface subcommand, where the percentage is the minimum acceptable link quality.

PPP Multilink

In a redundant configuration between two routers, the routers normally rely on Layer 3 load balancing across equal-cost routes, alternating packets between the two links, which does not always result in truly balanced sharing of the traffic. Multilink PPP load balances the traffic equally over the links while allowing the Layer 3 logic in each router to treat the parallel links as a single link. When encapsulating a packet, Multilink PPP fragments the packet into smaller pieces and sends the fragments across the member links in parallel, reassembling them at the far end. Because the bundle appears as one logical interface with one IP address, the Layer 3 routing tables use a single route that refers to the combined links, keeping the routing table smaller.

PPP Authentication

PAP and CHAP authenticate the endpoints on either end of a point-to-point serial link. CHAP is the preferred method today because the identification process uses values hidden with a message digest algorithm 5 (MD5) one-way hash, which is more secure than the clear-text passwords sent by PAP. Note what CHAP does and does not protect: the password never crosses the link, but anyone who captures a challenge and its response can try candidate passwords offline, and MD5 is fast, so the shared secret still needs to be long and random. Neither protocol encrypts or authenticates the data that follows.

Figure 6-2 shows the different processes used by PAP and CHAP. With PAP, the username and password are sent in the first message. With CHAP, the protocol begins with a message called a challenge, which carries a random value and asks the other router to respond with its hostname and a hash computed from that value and the shared password, rather than with the password itself.


Figure 6-2 PPP Authentication Protocols

PAP is much less secure than CHAP because PAP sends the hostname and password in clear text in the message. CHAP instead uses a one-way hash algorithm, with input to the algorithm being a password that never crosses the link, plus a shared random number. The CHAP challenge states the random number (and an identifier byte that ties the response to that particular challenge); both routers are preconfigured with the password. The challenged router runs the hash algorithm using the just-learned random number and the secret password and sends the result back to the router that sent the challenge. The router that sent the challenge runs the same algorithm using the random number (sent across the link) and the password (not sent across the link). If the results match, the passwords must match. Because the random number changes, the hash value is different every time, so a captured response cannot simply be replayed; the challenger can also issue fresh challenges during the life of the link to re-verify the peer.

PPP Configuration and Verification

This section references the topology shown in Figure 6-3.


Figure 6-3 PPP Topology

Basic PPP

Configuring PPP requires only the encapsulation ppp command on both ends of the link. Example 6-1 shows a simple configuration using the two routers shown in Figure 6-3.

Example 6-1 Configuring and Verifying PPP


R1(config)# interface serial 0/0/1
R1(config-if)# ip address 192.168.2.1 255.255.255.0
R1(config-if)# encapsulation ppp
R1(config-if)# no shutdown
%LINK-5-CHANGED: Interface Serial0/0/1, changed state to down


R2(config)# interface serial 0/1/1
R2(config-if)# ip address 192.168.2.2 255.255.255.0
R2(config-if)# encapsulation ppp
R2(config-if)# no shutdown
%LINK-5-CHANGED: Interface Serial0/1/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1/1, changed state to up
R2(config-if)# end
R2# show interfaces serial 0/1/1
Serial0/1/1 is up, line protocol is up (connected)
  Hardware is HD64570
  Internet address is 192.168.2.2/24
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
  Encapsulation PPP, loopback not set, keepalive set (10 sec)
  LCP Open
  Open: IPCP, CDPCP
<output omitted>


The show interfaces command at the bottom of the example shows the normal output when the link is up and working. A few lines into the output, the Encapsulation PPP and LCP Open lines show that PPP is indeed configured and that LCP has completed its work successfully. In addition, the Open: IPCP, CDPCP line lists the two CPs that have also successfully been enabled, all good indications that PPP is working properly. If LCP negotiation had failed, the interface would show as up, line protocol down, and the LCP state would not be Open.

CHAP

Although CHAP is optional, it should be configured to provide a secure point-to-point link. The simplest version of CHAP configuration requires only a few commands. The configuration uses a password configured on each router. As an alternative, the password could be configured on an external authentication, authorization, and accounting (AAA) server outside the router. The configuration steps are as follows:

Step 1 Configure the routers’ hostnames using the hostname name global configuration command.

Step 2 Configure the name of the other router, and the shared secret password, using the username name password password global configuration command.

Step 3 Enable CHAP on the interface on each router using the ppp authentication chap interface subcommand.

Example 6-2 shows a sample configuration using the routers in Figure 6-3. Because the hostnames are already configured, that step is not shown.

Example 6-2 Configuring CHAP


R1(config)# username R2 password itsasecret
R1(config)# interface serial 0/0/1
R1(config-if)# ppp authentication chap
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to down


R2(config)# username R1 password itsasecret
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1/1, changed state to up
R2(config)# interface serial 0/1/1
R2(config-if)# ppp authentication chap
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1/1, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1/1, changed state to up


Notice that as soon as CHAP is configured on R1, the interface goes down: R1 now challenges R2, and R2, which has no username entry for R1, cannot produce a response, so LCP fails. Then, on R2, after the username R1 password is configured correctly, R2 can answer R1’s challenge and the interface comes back up. Finally, it goes down briefly before coming back up when CHAP is configured on R2, because LCP renegotiates and R2 now challenges R1 as well, which R1 answers using its username R2 entry.

The commands themselves are not complicated, but it is easy to misconfigure the hostnames and passwords. Notice that each router refers to the other router’s hostname in the username command, but both routers must configure the same password value. Also, not only are the passwords (itsasecret in this case) case sensitive, but the hostnames, as referenced in the username command, are also case sensitive. One more practical point: because CHAP needs the clear-text password as input to the hash, the password must be stored in a form the router can recover, which is why the configuration uses username name password password rather than username name secret secret; the resulting configuration line holds the shared secret in clear text (or reversible type 7 form if service password-encryption is enabled), so protect the configuration accordingly.

Because CHAP is a function of LCP, if the authentication process fails, LCP does not complete, and the interface falls to an up and down interface state.

PAP

Like CHAP, PAP is optional. You use it only if one of the devices does not support CHAP. PAP uses the same username commands as CHAP, with ppp authentication pap used in place of ppp authentication chap; in addition, a router that must authenticate itself with PAP needs the ppp pap sent-username name password password interface subcommand to tell it which name and password to send in clear text. The verification commands work the same regardless of which of the two types of authentication is used: if PAP authentication fails, LCP fails, and the link settles into an up and down state.

Cisco IOS Software also supports the capability to configure the router to first try one authentication method and, if the other side does not respond, try the other option. The full command syntax for the ppp authentication command is as follows:

Router(config-if)# ppp authentication {pap | chap | pap chap | chap pap}

For example, the ppp authentication chap pap interface subcommand tells the router to send CHAP messages and, if no reply is received, to try PAP. Note that the second option is tried only if the other device sends back no messages at all; if CHAP messages flow between the two devices and the result is that authentication failed, the router does not fall back to PAP.

Study Resources

For today’s exam topics, refer to the following resources for more study.
