PPP (Point-to-Point Protocol) is a data-link protocol that can be used over either asynchronous serial (dial-up) or synchronous serial (ISDN) media and that uses the LCP (Link Control Protocol) to build and maintain data-link connections. The basic purpose of PPP is to transport layer-3 packets across a Data Link layer point-to-point link. Figure 10.3 shows the protocol stack compared to the OSI reference model.
PPP contains four main components:
EIA/TIA-232-C: A Physical-layer international standard for serial communication.
HDLC: A method for encapsulating datagrams over serial links.
LCP: A method of establishing, configuring, maintaining, and terminating the point-to-point connection.
NCP: A method of establishing and configuring different Network layer protocols. PPP is designed to allow the simultaneous use of multiple Network layer protocols. Some examples of protocols here are IPCP (Internet Protocol Control Protocol) and IPXCP (Internetwork Packet Exchange Control Protocol).
It is important to understand that the PPP protocol stack is specified at the Physical and Data Link layers only. NCP is used to allow communication of multiple Network layer protocols by encapsulating the protocols across a PPP data link.
Link Control Protocol (LCP) Configuration Options:
Link Control Protocol offers PPP encapsulation different options, including the following:
Authentication: This option tells the calling side of the link to send information that can identify the user. The two methods discussed in this course are PAP and CHAP.
Compression: This is used to increase the throughput of PPP connections. PPP decompresses the data frame on the receiving end. Cisco uses the Stacker and Predictor compression methods, discussed in the Advanced Cisco Router Configuration course.
Error detection: PPP uses Quality and Magic Number options to ensure a reliable, loop-free data link.
Multilink: Starting in IOS version 11.1, multilink is supported on PPP links with Cisco routers. This splits the load for PPP over two or more parallel circuits and is called a bundle.
PPP Session Establishment:
PPP can be used with authentication. This means that communicating routers must provide information to identify the link as a valid communication link. When PPP connections are started, the links go through three phases of session establishment:
Link-establishment phase: LCP packets are sent by each PPP device to configure and test the link. The LCP packets contain a field called the Configuration Option that allows each device to see the size of the data, compression, and authentication. If no Configuration Option field is present, then the default configurations are used.
Authentication phase: If configured, either CHAP or PAP can be used to authenticate a link. Authentication takes place before Network-layer protocol information is read.
Network-layer protocol phase: PPP uses the Network Control Protocol to allow multiple Network-layer protocols to be encapsulated and sent over a PPP data link.
PPP Authentication Methods: There are two methods of authentication that can be used with PPP links, either Password Authentication Protocol (PAP) or Challenge Authentication Protocol (CHAP).
Password Authentication Protocol (PAP): The Password Authentication Protocol (PAP) is the less secure of the two methods. Passwords are sent in clear text, and PAP is only performed upon the initial link establishment. When the PPP link is first established, the remote node sends back to the sending router the username and password until authentication is acknowledged. That’s it.
Challenge Authentication Protocol (CHAP): The Challenge Authentication Protocol (CHAP) is used at the initial startup of a link and at periodic checkups on the link to make sure the router is still communicating with the same host.
After PPP finishes its initial phase, the local router sends a challenge request to the remote device. The remote device sends a value calculated using a one-way hash function called MD5. The local router checks this hash value to make sure it matches. If the values don’t match, the link is immediately terminated.
Configuring PPP on Cisco Routers: Configuring PPP encapsulation on an interface is a fairly straightforward process. To configure it, follow these router commands:
Configuring PPP Authentication:
After you configure your serial interface to support PPP encapsulation, you can then configure authentication using PPP between routers. First set the hostname of the router if it is not already set. Then set the username and password for the remote router connecting to your router.
When using the hostname command, remember that the username is the hostname of the remote router connecting to your router. It is case-sensitive. Also, the password on both routers must be the same. It is a plain-text password and can be seen with a show run command. You can configure the password to be encrypted by using the command service passwordconfig before you set the username and password. You must have a username and password configured for each remote system you are going to connect to. The remote routers must also be configured with usernames and passwords.
After you set the hostname, usernames, and passwords, choose the authentication type, either CHAP or PAP.
Verifying PPP Encapsulation:
Now that we have PPP encapsulation enabled, let’s take a look to verify that it’s up and running. You can verify the configuration with the show interface command:
PPP contains four main components:
EIA/TIA-232-C: A Physical-layer international standard for serial communication.
HDLC: A method for encapsulating datagrams over serial links.
LCP: A method of establishing, configuring, maintaining, and terminating the point-to-point connection.
NCP: A method of establishing and configuring different Network layer protocols. PPP is designed to allow the simultaneous use of multiple Network layer protocols. Some examples of protocols here are IPCP (Internet Protocol Control Protocol) and IPXCP (Internetwork Packet Exchange Control Protocol).
It is important to understand that the PPP protocol stack is specified at the Physical and Data Link layers only. NCP is used to allow communication of multiple Network layer protocols by encapsulating the protocols across a PPP data link.
Link Control Protocol (LCP) Configuration Options:
Link Control Protocol offers PPP encapsulation different options, including the following:
Authentication: This option tells the calling side of the link to send information that can identify the user. The two methods discussed in this course are PAP and CHAP.
Compression: This is used to increase the throughput of PPP connections. PPP decompresses the data frame on the receiving end. Cisco uses the Stacker and Predictor compression methods, discussed in the Advanced Cisco Router Configuration course.
Error detection: PPP uses Quality and Magic Number options to ensure a reliable, loop-free data link.
Multilink: Starting in IOS version 11.1, multilink is supported on PPP links with Cisco routers. This splits the load for PPP over two or more parallel circuits and is called a bundle.
PPP Session Establishment:
PPP can be used with authentication. This means that communicating routers must provide information to identify the link as a valid communication link. When PPP connections are started, the links go through three phases of session establishment:
Link-establishment phase: LCP packets are sent by each PPP device to configure and test the link. The LCP packets contain a field called the Configuration Option that allows each device to see the size of the data, compression, and authentication. If no Configuration Option field is present, then the default configurations are used.
Authentication phase: If configured, either CHAP or PAP can be used to authenticate a link. Authentication takes place before Network-layer protocol information is read.
Network-layer protocol phase: PPP uses the Network Control Protocol to allow multiple Network-layer protocols to be encapsulated and sent over a PPP data link.
PPP Authentication Methods: There are two methods of authentication that can be used with PPP links, either Password Authentication Protocol (PAP) or Challenge Authentication Protocol (CHAP).
Password Authentication Protocol (PAP): The Password Authentication Protocol (PAP) is the less secure of the two methods. Passwords are sent in clear text, and PAP is only performed upon the initial link establishment. When the PPP link is first established, the remote node sends back to the sending router the username and password until authentication is acknowledged. That’s it.
Challenge Authentication Protocol (CHAP): The Challenge Authentication Protocol (CHAP) is used at the initial startup of a link and at periodic checkups on the link to make sure the router is still communicating with the same host.
After PPP finishes its initial phase, the local router sends a challenge request to the remote device. The remote device sends a value calculated using a one-way hash function called MD5. The local router checks this hash value to make sure it matches. If the values don’t match, the link is immediately terminated.
Configuring PPP on Cisco Routers: Configuring PPP encapsulation on an interface is a fairly straightforward process. To configure it, follow these router commands:
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#int s0
Router(config-if)#encapsulation ppp
Router(config-if)#^Z
Router#
Configuring PPP Authentication:
After you configure your serial interface to support PPP encapsulation, you can then configure authentication using PPP between routers. First set the hostname of the router if it is not already set. Then set the username and password for the remote router connecting to your router.
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# hostname RouterA
RouterA(config)#username todd password cisco
When using the hostname command, remember that the username is the hostname of the remote router connecting to your router. It is case-sensitive. Also, the password on both routers must be the same. It is a plain-text password and can be seen with a show run command. You can configure the password to be encrypted by using the command service passwordconfig before you set the username and password. You must have a username and password configured for each remote system you are going to connect to. The remote routers must also be configured with usernames and passwords.
After you set the hostname, usernames, and passwords, choose the authentication type, either CHAP or PAP.
RouterA#config t
Enter configuration commands, one per line. End with CNTL/Z.
RouterA(config)#int s0
RouterA(config-if)#ppp authentication chap
RouterA(config-if)#ppp autherntication pap
RouterA(config-if)#^Z
RouterA#
Verifying PPP Encapsulation:
Now that we have PPP encapsulation enabled, let’s take a look to verify that it’s up and running. You can verify the configuration with the show interface command:
RouterA#show int s0
Serial0 is up, line protocol is up
Hardware is HD64570
Internet address is 172.16.20.1/24
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation PPP, loopback not set, keepalive set (10 sec)
LCP Open
Listen: IPXCP
Open: IPCP, CDPCP, ATCP
Last input 00:00:05, output 00:00:05, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0 (size/max/drops); Total output drops:0
Queueing strategy: weighted fair
Output queue: 0/1000/64/0 (size/max total/threshold/drops)
Conversations 0/2/256 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
670 packets input, 31845 bytes, 0 no buffer
Received 596 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
707 packets output, 31553 bytes, 0 underruns
0 output errors, 0 collisions, 18 interface resets
0 output buffer failures, 0 output buffers swapped out 21 carrier transitions
DCD=up DSR=up DTR=up RTS=up CTS=up
RouterA#
