This document provides an overview of Point-to-Point Protocol (PPP) including how it is used to encapsulate TCP/IP and other network layer protocols over dial-up connections. PPP uses the Link Control Protocol (LCP) to establish and configure connections, and the Network Control Protocol (NCP) to establish specific network layer protocols. The document discusses how to configure PPP encapsulation on an interface and assign IP addresses to remote users. It also covers PPP authentication using PAP and CHAP as well as other PPP features negotiated by LCP such as compression and Multilink PPP.
1. Point-to-Point Protocol (PPP)
Chapter 2 explained how to configure an
asynchronous line for a dialup connection. In
this chapter, you will learn how to configure
that dialup connection to connect to the
network using point-to-point protocol (PPP) at
the data link layer.
It is based on open standards and includes a
variety of essential features, making it the de
facto standard for dialup and dedicated WAN
connections.
2. Point-to-Point Protocol (PPP)
In order for any layer 3 protocol to traverse
the WAN over a dialup or dedicated link, it
must be encapsulated by a data-link layer
protocol.
PPP, the Serial Line Internet Protocol (SLIP),
and the AppleTalk Remote Access Protocol
(ARAP) work at the data-link layer (Layer 2)
to encapsulate routed protocols like TCP/IP,
Novell IPX and Appletalk.
3. Point-to-Point Protocol (PPP)
The rest of this chapter focuses only on
encapsulating TCP/IP.
Today, there are essentially two data-link layer protocols used to encapsulate TCP/IP:
4. Point-to-Point Protocol (PPP)
SLIP - SLIP is a standard protocol for point-to-point serial connections, using TCP/IP. SLIP was a predecessor of PPP.
PPP - PPP provides router-to-router and host-to-network connections over synchronous and asynchronous circuits, which can be either dialup or leased lines.
5. PPP
PPP is a more recent standard than
SLIP, and is almost always the
preferred data-link layer encapsulation
on dialup asynchronous links. On a
Cisco router, SLIP is the default
encapsulation on an asynchronous
dialup interface, so you must manually
configure the encapsulation in order to
use PPP.
6. PPP
SLIP is essentially limited to use with
IP, whereas PPP can be used for other
network-layer protocols such as IPX
and AppleTalk. Moreover, PPP
supports essential features such as
dynamic address allocation, PAP
authentication, CHAP authentication,
and Multilink PPP. SLIP does not
support these features.
7. PPP Overview
High-Level Data Link Control (HDLC) is the
default encapsulation for ISDN and serial
interfaces on a Cisco router.
Cisco's HDLC is not necessarily compatible
with other vendors' HDLC implementations.
PPP implementations follow open standards
and are almost always compatible. Thus,
PPP is the protocol of choice when
configuring serial links in a multivendor
environment.
8. PPP Overview
It is important to note that PPP actually
uses HDLC as a basis for
encapsulating datagrams. However,
PPP is more expansible than HDLC
because it adds extensions (features) to
the link layer.
9. PPP Overview
PPP can negotiate link options dynamically
and can support multiple Layer 3 protocols
(IP, IPX, AppleTalk, etc.). PPP accomplishes
these two tasks by encapsulating Layer 3
datagrams with a specialized frame. PPP's
frame format is based on the HDLC frame
format.
PPP defines the Link Control Protocol (LCP).
The job of LCP is to establish, configure, and
test the data-link connection.
10. PPP Overview
When hosts negotiate a PPP
connection, they exchange LCP
packets. These packets allow link
partners to dynamically negotiate link
options, including authentication,
compression, and MLP.
11. PPP Overview
Once the LCP establishes the Layer 2
connection, the Network Control Protocol
(NCP) takes over. Link partners exchange
NCP packets to establish and configure
different network-layer protocols including IP,
IPX, and AppleTalk. Each Layer 3 protocol
has its own NCP. For example, IP's NCP is
IPCP; IPX's NCP is IPXCP, and Appletalk's
NCP is ATALKCP.
12. PPP Overview
The NCP can build up and tear down multiple
Layer 3 protocol sessions over a single data
link. This capability is called protocol
multiplexing. When a host requests that the
connection be terminated, the NCP tears
down the Layer 3 sessions and then the LCP
tears down the data link.
PPP's components operate at Layer 2 of the
OSI model.
13. Configuring PPP
You enable PPP encapsulation on an
interface by using the following command:
Router(config-if)#encapsulation ppp
Thus, if you want dial-in hosts on terminal line
2 to use PPP, you would enter the following
commands:
RTA(config)#interface async 2
RTA(config-if)#encapsulation ppp
14. Configuring PPP
Note that the encapsulation
command is issued in interface
configuration mode, not line
configuration mode.
15. Configuring PPP
When a remote host dials into an access
server's asynchronous interface, it can start
an EXEC session with the router. This feature
allows remote users to login to the router and
issue commands as if the user was
connected to the console port. No IP
addressing or PPP encapsulation is needed
for this type of connection. Data is sent as
asynchronous characters.
17. Configuring PPP
Alternately, a remote host can dial in to an
access server and send a Layer 3 protocol
packet encapsulated by PPP, SLIP, or ARA.
This type of connection allows the remote
user to access network resources such as file
servers and mail servers.
You can also configure the router's
asynchronous interface to automatically
select between PPP data sessions and EXEC
sessions.
18. Configuring PPP
Generally, you will want to restrict the ability
of remote users to start EXEC sessions with
your router. Typical end users do not require
access to the router's interface. Instead, they
need a Layer 3 protocol (IP, etc.) connection
to the corporate network or the Internet. In
most cases, you should force the
asynchronous interface to use PPP and not
allow an EXEC connection.
19. Configuring interactive PPP sessions
With the PPP autoselect feature, you can
configure an access server's terminal line to
provide either a PPP session or an EXEC
session based on input from the remote host.
Essentially, this feature allows the remote
host to determine the session type. The
access server automatically detects which
type of session is being requested, and
responds accordingly.
20. Configuring interactive PPP sessions
Enabling this feature requires two steps. First,
you must configure the asynchronous
interface(s) with the async mode
interactive command in interface
configuration mode.
This command configures the router so that it
allows the remote host to choose either a
PPP session or an EXEC session.
21. Configuring interactive PPP sessions
The following example shows how to
configure interface async 1:
RTA(config)#interface async 1
RTA(config-if)#encapsulation ppp
RTA(config-if)#async mode interactive
Second, you must configure the
corresponding terminal line(s) with the
autoselect ppp command in line
configuration mode.
22. Configuring interactive PPP sessions
To complete the example configuration,
you would enter the following
commands:
RTA(config)#line 1
RTA(config-line)#autoselect ppp during-login
23. Configuring interactive PPP sessions
The autoselect command permits the
access server to allow an appropriate process
to start automatically when a starting
character is received. If the start character is
a return character, then the access server
starts an EXEC session. So, users who want
to begin an EXEC session typically must
press the Return key after establishing a
dialup connection.
24. Configuring interactive PPP sessions
On the other hand, if the access server
recognizes the start character as PPP,
SLIP, or ARAP, it will begin a session
for whichever protocol it detects.
So, if an end user is using a program
that sends a PPP frame, the access
server will automatically start a PPP
session.
26. Configuring interactive PPP sessions
The during-login option of the
autoselect command causes the
username/password prompt to display in the
remote hosts' terminal window without the
user having to press the Return key. This
command is not required.
After a host has established an EXEC
session, the remote user can switch to a PPP
session at any time by issuing the ppp
command at the router prompt.
28. Dedicated PPP Sessions
In most cases, you will want to configure your
access server's asynchronous lines in
dedicated mode so that users are forced into
using PPP. In dedicated mode, an interface is
automatically configured for PPP
connections. There is no user prompt or
EXEC level, and no end-user commands are
required to initiate remote-node connections.
29. Dedicated PPP Sessions
To ensure that the dial-in user must run PPP
on the specified line, use the async mode
dedicated command:
Router(config-if)#async mode dedicated
To summarize: interactive mode places the interface in interactive mode, which allows an EXEC session. Dedicated mode places the interface into dedicated
30. Configuring the interface addressing method
Most dialup PPP sessions are established for
the purpose of sending and receiving TCP/IP
packets. Asynchronous PPP connections
allow remote users to dial up and access the
corporate IP network or the Internet. In order
for remote nodes to be able to participate in a
TCP/IP network, they must have an IP
address. This means that the remote node's
link partner, the router's asynchronous
interface, must have an IP address as well.
31. Configuring the interface addressing method
To assign an IP address to an access
server's asynchronous interface, use the ip
address command (which is the same
command used to assign addresses to
Ethernet or Serial interfaces).
The following example configures the IP
address of interface async 1:
RTA(config)#interface async 1
RTA(config-if)#ip address 10.1.1.1 255.255.255.
32. Configuring the interface addressing method
Because access servers can have literally
hundreds of asynchronous interfaces, and
because all of them are not likely to be in use
at the same time, you may wish to conserve
IP addresses by using the IP unnumbered
feature.
Multiple async interfaces on the same router
can share the same IP address, including an
address assigned by the IP unnumbered
feature.
33. Configuring the interface addressing method
The IP unnumbered feature can only be
used with point-to-point configurations.
The syntax for the ip unnumbered
command is:
Router(config-if)#ip unnumbered type number
34. Configuring the interface addressing method
With this command, you must specify
the type and number of the interface to
borrow the IP address from (Ethernet 0,
Loopback 0, etc.). A loopback
interface is a virtual interface that never
goes down and is therefore an ideal line
to use as the reference with the ip
unnumbered command.
35. Configuring the interface addressing method
The following commands illustrate how to
configure an asynchronous interface for IP
unnumbered using a loopback interface:
RTA(config)#interface loopback 0
RTA(config-if)#ip address 10.1.1.1 255.255.255.0
RTA(config-if)#exit
RTA(config)#interface async 1
RTA(config-if)#ip unnumbered loopback 0
36. Configuring the interface addressing method
Addressing the access server's
asynchronous interface is only half of
the IP configuration equation. You must
also implement a mechanism for
assigning IP addresses to remote dial-in users.
37. Configuring the interface addressing method
PPP allows for the automatic assignment of
IP addresses using a specific address, an
address from a pool defined on the router, or
Dynamic Host Configuration Protocol
(DHCP). Alternately, you can configure the
access server to allow the remote host to
choose its own address.
To assign a default (predefined) IP address to the remote dial-in host, use the peer default ip address command.
38. Configuring the interface addressing method
Additionally, the pool and dhcp arguments
allow address allocation from a local pool of
addresses or a DHCP server.
Router(config-if)#peer default ip address {address | pool pool-name | dhcp}
The following example shows how to
configure a group of asynchronous interfaces
(rotary group) to assign IP addresses from a
locally defined pool.
39. Configuring the interface addressing method
RTA(config)#ip local pool DIAL-IN 10.1.1.2 10.1.1.254
RTA(config)#interface group-async 1
RTA(config-if)#peer default ip address pool DIAL-IN
40. Configuring the interface addressing method
Note that the pool option of the peer default ip address command requires a global command to create the pool of addresses; for example, ip local pool pool-name starting-address end-address.
41. Configuring the interface addressing method
If you have configured an asynchronous
interface for interactive mode, you have
the option to allow the IP address to be
assigned dynamically by the caller.
After the remote user enters the ppp
EXEC command, the access server will
prompt the user for an IP address or
logical host name.
42. Configuring the interface addressing method
To enable this dynamic addressing
feature, use the async dynamic
address command in interface
configuration mode, as shown:
Router(config-if)#async dynamic address
43. PPP LCP Options
PPP offers a rich set of features that are
configured by LCP during link establishment.
The configuration features negotiated through
the LCP are:
Authentication, with PAP or CHAP, is used
as a security measure with PPP.
Authentication allows the dial-up target to
identify that any given dialup client is a valid
client with a preassigned username and
password.
44. PPP LCP Options
Callback is a PPP option used to
provide call and dialup billing
consolidation. PPP callback was first
supported in Cisco IOS Release
11.0(3).
45. PPP LCP Options
Compression reduces the size of data
frames to be transmitted over a network
link which reduces the time required to
transmit the frame across the network.
PPP compression was first supported in
Cisco IOS Release 10.3. Cisco routers
support Stacker, Predictor, and
Microsoft Point to Point Compression
(MPPC).
46. PPP LCP Options
Multilink PPP (MLP) feature provides load
balancing functionality over multiple WAN
links, while providing multivendor
interoperability, proper sequencing, and load
calculation on both inbound and outbound
traffic. Datagrams are split, sequenced,
transmitted across multiple links, and then
recombined at the destination. The multiple
links together are called a bundle.
47. PPP LCP Options
Multilink is especially useful with ISDN
BRI configurations, in which both B
channels can be used to achieve 128-
kbps throughput. MLP also works with
modems to provide additional
bandwidth. This protocol was first
supported in Cisco IOS Release
11.0(3).
48. PAP and CHAP
Generally, you should always configure
asynchronous lines to require authentication.
With PPP, you have the option to require that
callers authenticate using one of two
authentication protocols, PAP or CHAP. If you
are using PPP over a point-to-point leased
line, authentication is unnecessary, and
should not be configured.
49. PAP and CHAP
PAP is not as good as CHAP
CHAP is considered a superior
authentication protocol and should be
used when possible. When is it
appropriate to run PAP? You may find
that hosts running legacy software may
not support CHAP, in which case PAP
is your only authentication option.
50. PAP and CHAP
When using PAP, the remote host is in
control of the frequency and timing of login
requests. This is undesirable, as the access
server must respond to all login requests,
even the repeated attempts of a hacker to
guess, or "brute force," a username/password
combination. PAP also sends passwords as
clear text over the media, which means a
strategically placed packet sniffer could
capture and easily decode the password.
51. PAP and CHAP
On the other hand, access servers that
are configured with CHAP are in control
of login attempts.
The server must send a challenge
packet. The challenge packet consists
of an ID, a random number, and the
host name of the local router.
52. PAP and CHAP
The CHAP protocol also allows servers to request that the remote host re-authenticate at any time, which provides another dimension of security. This feature is not typically used with Cisco routers.
53. Configuring PAP Example
Enable PPP encapsulation and PAP authentication with the following commands:
Router(config-if)#encapsulation ppp
Router(config-if)#ppp authentication pap
54. Configuring PAP Example
You must also configure the router with a
local username/password database, or point
it to a network host that has that information
(such as a TACACS+ server). Without access
to a username/password database, the router
won't know which combinations are
authorized and will deny all login attempts.
You can configure a local
username/password database by using the
following command in global configuration
mode:
55. Configuring PAP Example
Router(config)#username username password password
Router(config)#username Romeo password Juliet
56. Configuring PAP Example
In some cases, you must also configure a
router's asynchronous interface to place calls
to other access servers. If you want to
configure an interface to respond to a peer's
request to authenticate with PAP, you must
use the ppp pap sent-username
command:
Router(config-if)#ppp pap sent-username username password password
58. Configuring PAP Example
Note that in router RTA's configuration,
the ppp pap sent-username
command is used to specify what
username/password information to
send in the event that it dials RTB and
is asked to authenticate. Router RTB is
also configured to send a username
and password for PAP, if challenged.
59. Configuring PAP Example
The name included with the username
and dialer map commands is case
sensitive. If the remote host's name is
RTA, and you create a username entry
for rta instead, authentication will fail.
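As an added illustration (not Cisco's code and not part of the original slides) of the CHAP exchange described in slides 51 and 52 and of the case-sensitive name lookup described just above, the following Python model walks through one challenge/response between access server RTA and dial-in peer Romeo. It assumes the MD5 construction of RFC 1994 for the response value and reuses the page's names Romeo/Juliet in a constructed local database.

```python
import hashlib
import hmac
import os

# Constructed local database mirroring "username Romeo password Juliet".
# Cisco IOS matches the name case-sensitively, so "romeo" must not find this entry.
LOCAL_USERS = {"Romeo": b"Juliet"}


def chap_challenge(local_hostname, ident, length=16):
    """The packet the access server sends: an ID, a random value, and its own hostname."""
    return {"id": ident & 0xFF, "value": os.urandom(length), "name": local_hostname}


def chap_digest(ident, secret, value):
    """RFC 1994 response value: MD5 over the ID byte, the shared secret, then the challenge value."""
    return hashlib.md5(bytes([ident]) + secret + value).digest()


def chap_response(challenge, peer_name, secret):
    """The peer answers with a hash of the secret, never the secret itself (contrast PAP)."""
    digest = chap_digest(challenge["id"], secret, challenge["value"])
    return {"id": challenge["id"], "value": digest, "name": peer_name}


def chap_verify(challenge, response, users=LOCAL_USERS):
    """Access-server side: the ID must match the challenge it issued, the name must be in
    the database spelled exactly as sent, and the digest must match. Because the server
    picks a fresh random value each time, a captured response is useless against a later
    challenge, which is why the server (not the caller) controls login timing."""
    if response["id"] != challenge["id"]:
        return False
    secret = users.get(response["name"])  # case-sensitive lookup, like the router's
    if secret is None:
        return False
    expected = chap_digest(challenge["id"], secret, challenge["value"])
    return hmac.compare_digest(expected, response["value"])


def demo():
    """One exchange plus the three failure cases a practitioner should expect."""
    chal = chap_challenge("RTA", ident=7)
    good = chap_response(chal, "Romeo", b"Juliet")
    wrong_case = chap_response(chal, "romeo", b"Juliet")   # "rta"/"RTA" style mismatch
    wrong_pw = chap_response(chal, "Romeo", b"juliet")
    replayed = chap_verify(chap_challenge("RTA", ident=8), good)  # old answer, new challenge
    return (chap_verify(chal, good), chap_verify(chal, wrong_case),
            chap_verify(chal, wrong_pw), replayed)


if __name__ == "__main__":
    print(demo())  # (True, False, False, False)
```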
60. Configuring PAP Example
To ensure that both systems in the example
can communicate properly, their
asynchronous interfaces have been
configured with the dialer map command
that includes the remote router's name. By
configuring each router with a dialer map
statement, each system knows what to do
with authentication issues because the
systems have prior knowledge of each other's
names.