Point-to-Point Protocol (PPP) Chapter 2 explained how to - PowerPoint PPT Presentation

Provided by: nlfaculty
Slides: 61

Transcript and Presenter's Notes

1
Point-to-Point Protocol (PPP)
  • Chapter 2 explained how to configure an
    asynchronous line for a dialup connection. In
    this chapter, you will learn how to configure
    that dialup connection to connect to the network
    using point-to-point protocol (PPP) at the data
    link layer.
  • It is based on open standards and includes a
    variety of essential features, making it the de
    facto standard for dialup and dedicated WAN
    connections.

2
Point-to-Point Protocol (PPP)
  • In order for any layer 3 protocol to traverse the
    WAN over a dialup or dedicated link, it must be
    encapsulated by a data-link layer protocol.
  • PPP, the Serial Line Internet Protocol (SLIP),
    and the AppleTalk Remote Access Protocol (ARAP)
    work at the data-link layer (Layer 2) to
    encapsulate routed protocols like TCP/IP, Novell
    IPX and AppleTalk.

3
Point-to-Point Protocol (PPP)
  • The rest of this chapter focuses only on
    encapsulating TCP/IP.
  • Today, there are essentially two data-link layer
    protocols used to encapsulate TCP/IP:

4
Point-to-Point Protocol (PPP)
  • SLIP - SLIP is a standard protocol for
    point-to-point serial connections, using TCP/IP.
    SLIP was a predecessor of PPP.
  • PPP - PPP provides router-to-router and
    host-to-network connections over synchronous and
    asynchronous circuits, which can be either dialup
    or leased lines.

5
PPP
  • PPP is a more recent standard than SLIP, and is
    almost always the preferred data-link layer
    encapsulation on dialup asynchronous links. On a
    Cisco router, SLIP is the default encapsulation
    on an asynchronous dialup interface, so you must
    manually configure the encapsulation in order to
    use PPP.

6
PPP
  • SLIP is essentially limited to use with IP,
    whereas PPP can be used for other network-layer
    protocols such as IPX and AppleTalk. Moreover,
    PPP supports essential features such as dynamic
    address allocation, PAP authentication, CHAP
    authentication, and Multilink PPP. SLIP does not
    support these features.

7
PPP Overview
  • High-Level Data Link Control (HDLC) is the
    default encapsulation for ISDN and serial
    interfaces on a Cisco router.
  • Cisco's HDLC is not necessarily compatible with
    other vendors' HDLC implementations. PPP
    implementations follow open standards and are
    almost always compatible. Thus, PPP is the
    protocol of choice when configuring serial links
    in a multivendor environment.

8
PPP Overview
  • It is important to note that PPP actually uses
    HDLC as a basis for encapsulating datagrams.
    However, PP‌P is more extensible than HDLC because
    it adds extensions (features) to the link layer.

9
PPP Overview
  • PPP can negotiate link options dynamically and
    can support multiple Layer 3 protocols (IP, IPX,
    AppleTalk, etc.). PPP accomplishes these two
    tasks by encapsulating Layer 3 datagrams with a
    specialized frame. PPP's frame format is based on
    the HDLC frame format.
  • PPP defines the Link Control Protocol (LCP). The
    job of LCP is to establish, configure, and test
    the data-link connection.

10
PPP Overview
  • When hosts negotiate a PPP connection, they
    exchange LCP packets. These packets allow link
    partners to dynamically negotiate link options,
    including authentication, compression, and MLP.

11
PPP Overview
  • Once the LCP establishes the Layer 2 connection,
    the Network Control Protocol (NCP) takes over.
    Link partners exchange NCP packets to establish
    and configure different network-layer protocols
    including IP, IPX, and AppleTalk. Each Layer 3
    protocol has its own NCP. For example, IP's NCP
    is IPCP, IPX's NCP is IPXCP, and AppleTalk's NCP
    is ATALKCP.

12
PPP Overview
  • The NCP can build up and tear down multiple Layer
    3 protocol sessions over a single data link. This
    capability is called protocol multiplexing. When
    a host requests that the connection be
    terminated, the NCP tears down the Layer 3
    sessions and then the LCP tears down the data
    link.
  • PPP's components operate at Layer 2 of the OSI
    model.

13
Configuring PPP
  • You enable PPP encapsulation on an interface by
    using the following command:
  • Router(config-if)# encapsulation ppp
  • Thus, if you want dial-in hosts on terminal line
    2 to use PPP, you would enter the following
    commands:
  • RTA(config)# interface async 2
    RTA(config-if)# encapsulation ppp

14
Configuring PPP
  • Note that the encapsulation command is issued in
    interface configuration mode, not line
    configuration mode.

15
Configuring PPP
  • When a remote host dials into an access server's
    asynchronous interface, it can start an EXEC
    session with the router. This feature allows
    remote users to log in to the router and issue
    commands as if the user were connected to the
    console port. No IP addressing or PPP
    encapsulation is needed for this type of
    connection. Data is sent as asynchronous
    characters.

17
Configuring PPP
  • Alternately, a remote host can dial in to an
    access server and send a Layer 3 protocol packet
    encapsulated by PPP, SLIP, or ARA. This type of
    connection allows the remote user to access
    network resources such as file servers and mail
    servers.
  • You can also configure the router's asynchronous
    interface to automatically select between PPP
    data sessions and EXEC sessions.

18
Configuring PPP
  • Generally, you will want to restrict the ability
    of remote users to start EXEC sessions with your
    router. Typical end users do not require access
    to the router's interface. Instead, they need a
    Layer 3 protocol (IP, etc.) connection to the
    corporate network or the Internet. In most cases,
    you should force the asynchronous interface to
    use PPP and not allow an EXEC connection.

19
Configuring interactive PPP sessions
  • With the PPP autoselect feature, you can
    configure an access server's terminal line to
    provide either a PPP session or an EXEC session
    based on input from the remote host.
  • Essentially, this feature allows the remote host
    to determine the session type. The access server
    automatically detects which type of session is
    being requested, and responds accordingly.

20
Configuring interactive PPP sessions
  • Enabling this feature requires two steps. First,
    you must configure the asynchronous interface(s)
    with the async mode interactive command in
    interface configuration mode.
  • This command configures the router so that it
    allows the remote host to choose either a PPP
    session or an EXEC session.

21
Configuring interactive PPP sessions
  • The following example shows how to configure
    interface async 1:
  • RTA(config)# interface async 1
    RTA(config-if)# encapsulation ppp
    RTA(config-if)# async mode interactive
  • Second, you must configure the corresponding
    terminal line(s) with the autoselect ppp command
    in line configuration mode.

22
Configuring interactive PPP sessions
  • To complete the example configuration, you would
    enter the following commands:
  • RTA(config)# line 1
    RTA(config-line)# autoselect ppp
    RTA(config-line)# autoselect during-login

23
Configuring interactive PPP sessions
  • The autoselect command permits the access server
    to allow an appropriate process to start
    automatically when a starting character is
    received. If the start character is a return
    character, then the access server starts an EXEC
    session. So, users who want to begin an EXEC
    session typically must press the Return key after
    establishing a dialup connection.

24
Configuring interactive PPP sessions
  • On the other hand, if the access server
    recognizes the start character as PPP, SLIP, or
    ARAP, it will begin a session for whichever
    protocol it detects.
  • So, if an end user is using a program that sends
    a PPP frame, the access server will automatically
    start a PPP session.

26
Configuring interactive PPP sessions
  • The during-login option of the autoselect command
    causes the username/password prompt to display in
    the remote host's terminal window without the
    user having to press the Return key. This command
    is not required.
  • After a host has established an EXEC session, the
    remote user can switch to a PPP session at any
    time by issuing the ppp command at the router
    prompt.

28
Dedicated PPP Sessions
  • In most cases, you will want to configure your
    access server's asynchronous lines in dedicated
    mode so that users are forced into using PPP. In
    dedicated mode, an interface is automatically
    configured for PPP connections. There is no user
    prompt or EXEC level, and no end-user commands
    are required to initiate remote-node connections.

29
Dedicated PPP Sessions
  • To ensure that the dial-in user must run PPP on
    the specified line, use the async mode dedicated
    command:
  • Router(config-if)# async mode dedicated
  • To summarize: interactive mode (async mode
    interactive) places the interface in interactive
    mode and allows an EXEC session; dedicated mode
    (async mode dedicated) places the interface into
    dedicated PPP/SLIP mode.

30
Configuring the interface addressing method
  • Most dialup PPP sessions are established for the
    purpose of sending and receiving TCP/IP packets.
    Asynchronous PPP connections allow remote users
    to dial up and access the corporate IP network or
    the Internet. In order for remote nodes to be
    able to participate in a TCP/IP network, they
    must have an IP address. This means that the
    remote node's link partner, the router's
    asynchronous interface, must have an IP address
    as well.

31
Configuring the interface addressing method
  • To assign an IP address to an access server's
    asynchronous interface, use the ip address
    command (which is the same command used to assign
    addresses to Ethernet or Serial interfaces).
  • The following example configures the IP address
    of interface async 1:
  • RTA(config)# interface async 1
    RTA(config-if)# ip address 10.1.1.1 255.255.255.

32
Configuring the interface addressing method
  • Because access servers can have literally
    hundreds of asynchronous interfaces, and because
    all of them are not likely to be in use at the
    same time, you may wish to conserve IP addresses
    by using the IP unnumbered feature.
  • Multiple async interfaces on the same router can
    share the same IP address, including an address
    assigned by the IP unnumbered feature.

33
Configuring the interface addressing method
  • The IP unnumbered feature can only be used with
    point-to-point configurations. The syntax for the
    ip unnumbered command is:
  • Router(config-if)# ip unnumbered type number

34
Configuring the interface addressing method
  • With this command, you must specify the type and
    number of the interface to borrow the IP address
    from (Ethernet 0, Loopback 0, etc.). A loopback
    interface is a virtual interface that never goes
    down and is therefore an ideal line to use as the
    reference with the ip unnumbered command.

35
Configuring the interface addressing method
  • The following commands illustrate how to
    configure an asynchronous interface for IP
    unnumbered using a loopback interface:
  • RTA(config)# interface loopback 0
    RTA(config-if)# ip address 10.1.1.1 255.255.255.0
    RTA(config-if)# exit
    RTA(config)# interface async 1
    RTA(config-if)# ip unnumbered loopback 0

36
Configuring the interface addressing method
  • Addressing the access server's asynchronous
    interface is only half of the IP configuration
    equation. You must also implement a mechanism for
    assigning IP addresses to remote dial-in users.

37
Configuring the interface addressing method
  • PPP allows for the automatic assignment of IP
    addresses using a specific address, an address
    from a pool defined on the router, or Dynamic
    Host Configuration Protocol (DHCP). Alternately,
    you can configure the access server to allow the
    remote host to choose its own address.
  • To assign a default (predefined) IP address to
    the remote dial-in host, use the peer default ip
    address command.

38
Configuring the interface addressing method
  • Additionally, the pool and dhcp arguments allow
    address allocation from a local pool of addresses
    or a DHCP server.
  • Router(config-if)# peer default ip address
    {address | pool pool-name | dhcp}
  • The following example shows how to configure a
    group of asynchronous interfaces (rotary group)
    to assign IP addresses from a locally defined
    pool:

39
Configuring the interface addressing method
  • RTA(config)# ip local pool DIAL-IN 10.1.1.2 10.1.1.254
    RTA(config)# interface group-async 1
    RTA(config-if)# peer default ip address pool DIAL-IN

40
Configuring the interface addressing method
  • Note that the pool option of the peer default ip
    address command requires a global command to
    create the pool of addresses, for example:
    ip local pool pool-name starting-address end-address

41
Configuring the interface addressing method
  • If you have configured an asynchronous interface
    for interactive mode, you have the option to
    allow the IP address to be assigned dynamically
    by the caller. After the remote user enters the
    ppp EXEC command, the access server will prompt
    the user for an IP address or logical host name.

42
Configuring the interface addressing method
  • To enable this dynamic addressing feature, use
    the async dynamic address command in interface
    configuration mode, as shown:
  • Router(config-if)# async dynamic address

43
PPP LCP Options
  • PPP offers a rich set of features that are
    configured by LCP during link establishment. The
    configuration features negotiated through the LCP
    are:
  • Authentication, with PAP or CHAP, is used as a
    security measure with PPP. Authentication allows
    the dial-up target to verify that any given
    dialup client is a valid client with a
    preassigned username and password.

44
PPP LCP Options
  • Callback is a PPP option used to provide call and
    dialup billing consolidation. PPP callback was
    first supported in Cisco IOS Release 11.0(3).

45
PPP LCP Options
  • Compression reduces the size of data frames to be
    transmitted over a network link, which reduces the
    time required to transmit the frame across the
    network. PPP compression was first supported in
    Cisco IOS Release 10.3. Cisco routers support
    Stacker, Predictor, and Microsoft Point-to-Point
    Compression (MPPC).

46
PPP LCP Options
  • The Multilink PPP (MLP) feature provides load
    balancing functionality over multiple WAN links,
    while providing multivendor interoperability,
    proper sequencing, and load calculation on both
    inbound and outbound traffic. Datagrams are
    split, sequenced, transmitted across multiple
    links, and then recombined at the destination.
    The multiple links together are called a bundle.

47
PPP LCP Options
  • Multilink is especially useful with ISDN BRI
    configurations, in which both B channels can be
    used to achieve 128-kbps throughput. MLP also
    works with modems to provide additional
    bandwidth. This protocol was first supported in
    Cisco IOS Release 11.0(3).

48
PAP and CHAP
  • Generally, you should always configure
    asynchronous lines to require authentication.
    With PPP, you have the option to require that
    callers authenticate using one of two
    authentication protocols, PAP or CHAP. If you are
    using PPP over a point-to-point leased line,
    authentication is unnecessary, and should not be
    configured.

49
PAP and CHAP
  • PAP is not as good as CHAP. CHAP is considered a
    superior authentication protocol and should be
    used when possible. When is it appropriate to run
    PAP? You may find that hosts running legacy
    software may not support CHAP, in which case PAP
    is your only authentication option.
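The two recommendations made so far, force dial-in lines into dedicated PPP mode (slides 28 and 29) and require authentication with CHAP preferred over PAP (slides 48 and 49), can be checked mechanically against a running configuration. The following audit script is an added example and not part of the original slides; the running-config excerpt it reads is constructed for the demonstration, and the interface names and the DIAL-IN pool are assumptions.

```python
import re

# Constructed running-config excerpt (not from the slides): three dial-in
# interfaces with different degrees of hardening.
SAMPLE_CONFIG = """\
interface Loopback0
 ip address 10.1.1.1 255.255.255.0
!
interface Async1
 ip unnumbered Loopback0
 encapsulation ppp
 async mode dedicated
 peer default ip address pool DIAL-IN
 ppp authentication chap
!
interface Async2
 encapsulation ppp
 async mode interactive
 ppp authentication pap
!
interface Group-Async1
 ip unnumbered Loopback0
 async mode dedicated
!
"""

def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Collect the indented lines under each 'interface ...' stanza, keyed by name."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None          # '!' or any other top-level line ends the stanza
    return stanzas

def audit_dialin(config: str) -> dict[str, list[str]]:
    """Findings per async / group-async interface, following the slides' advice."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if not re.match(r"(group-)?async", name, re.IGNORECASE):
            continue                # only dial-in interfaces are in scope
        problems = []
        if "encapsulation ppp" not in lines:
            problems.append("still on the SLIP default: add 'encapsulation ppp'")
        if "async mode dedicated" not in lines:
            problems.append("EXEC session reachable: use 'async mode dedicated' unless "
                            "interactive mode is really needed")
        auth = [l for l in lines if l.startswith("ppp authentication")]
        if not auth:
            problems.append("no authentication: add 'ppp authentication chap'")
        elif "chap" not in auth[0].split():
            problems.append("PAP only: password crosses the line in clear text, prefer CHAP")
        findings[name] = problems
    return findings
```

Running audit_dialin(SAMPLE_CONFIG) reports nothing for Async1, flags Async2 for interactive mode and PAP, and flags Group-Async1 for the missing encapsulation and authentication commands.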

50
PAP and CHAP
  • When using PAP, the remote host is in control of
    the frequency and timing of login requests. This
    is undesirable, as the access server must respond
    to all login requests, even the repeated attempts
    of a hacker to guess, or "brute force," a
    username/password combination. PAP also sends
    passwords as clear text over the media, which
    means a strategically placed packet sniffer could
    capture and easily decode the password.

51
PAP and CHAP
  • On the other hand, access servers that are
    configured with CHAP are in control of login
    attempts.
  • The server must send a challenge packet. The
    challenge packet consists of an ID, a random
    number, and the host name of the local router.

52
PAP and CHAP
  • The CHAP protocol also allows servers to request
    that the remote host re-authenticate at any time,
    which provides another dimension of security.
    This feature is not typically used with Cisco
    routers.
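The contrast drawn in slides 50 to 52 (PAP sends the password in the clear and lets the caller drive login attempts; CHAP sends a challenge built from an ID, a random value and the local hostname, and only a digest comes back) is worked through below. This is an added example, not code from the slides or from Cisco IOS: it builds the PAP and CHAP packets as RFC 1334 and RFC 1994 define them, with the Romeo/Juliet pair from slide 55 as a constructed username database and RTA as the assumed access-server hostname.

```python
import hashlib
import hmac
import os

CHAP_CHALLENGE, CHAP_RESPONSE = 1, 2      # CHAP Code field values (RFC 1994)
LOCAL_HOSTNAME = "RTA"                    # assumed name the access server puts in its Challenge
# Constructed local database, what 'username Romeo password Juliet' gives the router.
USER_DB = {"Romeo": b"Juliet"}

def pap_authenticate_request(username: str, password: str) -> bytes:
    """PAP Authenticate-Request payload (RFC 1334): Peer-ID and Password, length-prefixed, in clear text."""
    u, p = username.encode(), password.encode()
    return bytes([len(u)]) + u + bytes([len(p)]) + p

def chap_packet(code: int, ident: int, value: bytes, name: str) -> bytes:
    """Code | Identifier | Length (2 bytes) | Value-Size | Value | Name"""
    body = bytes([len(value)]) + value + name.encode()
    return bytes([code, ident]) + (4 + len(body)).to_bytes(2, "big") + body

def parse_chap(packet: bytes) -> tuple[int, int, bytes, str]:
    if len(packet) < 5 or int.from_bytes(packet[2:4], "big") != len(packet):
        raise ValueError("malformed CHAP packet")
    size = packet[4]
    return packet[0], packet[1], packet[5:5 + size], packet[5 + size:].decode()

def chap_challenge(ident: int) -> bytes:
    """Access-server side: the server, not the caller, decides when a login attempt happens."""
    return chap_packet(CHAP_CHALLENGE, ident, os.urandom(16), LOCAL_HOSTNAME)

def chap_response(challenge: bytes, secret: bytes, name: str) -> bytes:
    """Dial-in host side: MD5(ID || secret || challenge value); the secret itself never leaves the host."""
    _, ident, value, _ = parse_chap(challenge)
    digest = hashlib.md5(bytes([ident]) + secret + value).digest()   # MD5 is what CHAP specifies
    return chap_packet(CHAP_RESPONSE, ident, digest, name)

def chap_verify(challenge: bytes, response: bytes, user_db: dict) -> bool:
    """Access-server side: recompute the digest from the stored secret and compare."""
    _, cid, cvalue, _ = parse_chap(challenge)
    code, rid, digest, name = parse_chap(response)
    if code != CHAP_RESPONSE or rid != cid or name not in user_db:
        return False
    expected = hashlib.md5(bytes([rid]) + user_db[name] + cvalue).digest()
    return hmac.compare_digest(digest, expected)

def demo() -> dict:
    pap = pap_authenticate_request("Romeo", "Juliet")
    ch1 = chap_challenge(ident=7)
    resp = chap_response(ch1, b"Juliet", "Romeo")
    ch2 = chap_challenge(ident=7)   # a later re-challenge: same ID, fresh random value
    return {
        "pap_password_visible": b"Juliet" in pap,          # what a sniffer on the line sees
        "chap_secret_visible": b"Juliet" in ch1 + resp,    # only a digest crosses the line
        "chap_accepted": chap_verify(ch1, resp, USER_DB),
        "replayed_response_rejected": not chap_verify(ch2, resp, USER_DB),
        "wrong_secret_rejected": not chap_verify(ch1, chap_response(ch1, b"guess", "Romeo"), USER_DB),
    }
```

The re-challenge in demo() is the re-authentication slide 52 describes: because the random value changes, a response captured earlier verifies against nothing but the challenge it answered.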

53
Configuring PAP Example
  • Enable PPP encapsulation and PAP authentication
    with the following commands:
  • Router(config-if)# encapsulation ppp
    Router(config-if)# ppp authentication pap

54
Configuring PAP Example
  • You must also configure the router with a local
    username/password database, or point it to a
    network host that has that information (such as a
    TACACS server). Without access to a
    username/password database, the router won't know
    which combinations are authorized and will deny
    all login attempts. You can configure a local
    username/password database by using the following
    command in global configuration mode:

55
Configuring PAP Example
  • Router(config)# username username password password
  • Router(config)# username Romeo password Juliet

56
Configuring PAP Example
  • In some cases, you must also configure a router's
    asynchronous interface to place calls to other
    access servers. If you want to configure an
    interface to respond to a peer's request to
    authenticate with PAP, you must use the ppp pap
    sent-username command:
  • Router(config-if)# ppp pap sent-username username
    password password

58
Configuring PAP Example
  • Note that in router RTA's configuration, the ppp
    pap sent-username command is used to specify what
    username/password information to send in the
    event that it dials RTB and is asked to
    authenticate. Router RTB is also configured to
    send a username and password for PAP, if
    challenged.

59
Configuring PAP Example
  • The name included with the username and dialer
    map commands is case sensitive. If the remote
    host's name is RTA, and you create a username
    entry for rta instead, authentication will fail.

60
Configuring PAP Example
  • To ensure that both systems in the example can
    communicate properly, their asynchronous
    interfaces have been configured with the dialer
    map command that includes the remote router's
    name. By configuring each router with a dialer
    map statement, each system knows what to do with
    authentication issues because the systems have
    prior knowledge of each other's names.