Thursday, February 20, 2020

Introduction to PPP on Cisco IOS Router

PPP is one of the WAN protocols that you can configure on Cisco IOS routers. We will take a look at how PPP works and how to configure it. Do you still remember how the OSI model works?
[Figure: PPP NCP LCP]
PPP operates on the data link layer (layer 2), but as you can see the data link layer has been split into two pieces:
  • NCP: Network Control Protocol
  • LCP: Link Control Protocol
Let’s start with LCP:
[Figure: PPP LCP]
LCP takes care of setting up the link. If you enable authentication for PPP, LCP also takes care of the authentication. Once the link has been set up we use NCP.
[Figure: PPP NCP]
NCP makes sure you can run different protocols over our PPP link: IP and IPv6, but also CDP (Cisco Discovery Protocol) and older protocols like IPX or AppleTalk.
So in short, if you enable PPP on both routers this is what happens:
  1. LCP: Takes care of setting up the link.
  2. (Optional): Authentication.
  3. NCP: Makes sure we can send IP and other protocols across our PPP link.
Let’s see what authentication is about:
[Figure: R1 and R2 with PPP username and password]
I have two routers; the router on the left side is called R1. If you want to use authentication for PPP you have two options:
  • PAP (Password Authentication Protocol): This is plaintext! It will send the username and password over the PPP link and the router on the other side will check it.
  • CHAP (Challenge Handshake Authentication Protocol): Instead of sending the password in plaintext, one side sends a random “challenge” and the other side answers with a hash computed from the challenge and the password, so the password itself never crosses the link. This is far more secure.
In the example above we are using PAP:
  • On the left side we have a router with hostname R1.
  • On the right side we have a router without a hostname, but it has the username R1 and password VIDEO configured in its local database.
  • PPP will start setting up the link by using LCP.
  • Since authentication is enabled our router on the right side will authenticate R1:
    • R1 will send its hostname and the password in plaintext.
    • The router on the right side will accept or deny the credentials.
    • If everything is ok PPP will work and we are authenticated.
PAP is very simple, but sending a username and password in plaintext is not a very secure method. Let’s see how CHAP works:
[Figure: PPP CHAP challenge]

Once you enable CHAP authentication the router will send a challenge. Above you see R1 sending a challenge towards R2.
[Figure: PPP CHAP response]
Instead of just sending the password in plaintext, R2 replies with a hash computed from the challenge and the password. This is far more secure.
[Figure: PPP CHAP accept]
If the hash is correct, R1 lets R2 know that everything is as it should be and our PPP link is working.
Keep in mind that authentication is ONLY about checking the username and password; it has nothing to do with encryption. All traffic sent over this PPP connection is in cleartext. If you want encryption you need to use a VPN.
Let’s see what PPP looks like on some real routers. I’ll use the two routers I just showed you:
[Figure: routers R1 and R2 connected with a serial link]
I’m using two routers connected to each other with a serial link. Don’t forget that for serial interfaces the DCE side has to configure a clock rate:
R1(config)#interface serial 0/0
R1(config-if)#clock rate 64000
For this lab it doesn’t matter what clock rate I use, as long as the link is working.
R2#show controllers serial 0/0
Hardware is PowerQUICC MPC860
DTE V.35 TX and RX clocks detected
Idb at 0x81081AC4, driver data structure at 0x 81084AC0
In the example above R2 is the DTE side and it has received the clock rate. The show controllers command is excellent because it shows you which side is DTE and which is DCE.
Let’s configure the IP addresses:
R1(config)#interface serial 0/0
R1(config-if)#ip address 192.168.12.1 255.255.255.0
R2(config)#interface serial 0/0
R2(config-if)#ip address 192.168.12.2 255.255.255.0
Nothing special so far, just two serial interfaces in the same subnet.
We can verify the default encapsulation type for serial interfaces:
R1#show interfaces serial 0/0
Serial0/0 is up, line protocol is up 
  Hardware is M4T
  Internet address is 192.168.12.1/24
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, 
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, crc 16, loopback not set
R2#show interfaces serial 0/0
Serial0/0 is up, line protocol is up 
  Hardware is M4T
  Internet address is 192.168.12.2/24
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, 
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, crc 16, loopback not set
Use the show interfaces command to check the encapsulation type. As you can see, HDLC is the default, so let’s change it to PPP:
R1(config)#interface serial 0/0
R1(config-if)#encapsulation ppp
R2(config)#interface serial 0/0 
R2(config-if)#encapsulation ppp
Use the encapsulation ppp command to change the serial interface to PPP (remember that HDLC is the default). For completeness, here are the IP addresses again; they are unchanged from before:
R1(config)#interface serial 0/0
R1(config-if)#ip address 192.168.12.1 255.255.255.0
R2(config)#interface serial 0/0
R2(config-if)#ip address 192.168.12.2 255.255.255.0
Before I type “no shutdown” I will enable a debug so you can see LCP building the link:
R2#debug ppp negotiation 
PPP protocol negotiation debugging is on
The debug ppp negotiation command will show you how the PPP link is established. Let’s activate the interfaces:
R1(config)#interface serial 0/0
R1(config-if)#no shutdown
R2(config)#interface serial 0/0
R2(config-if)#no shutdown
No shutdown will activate our interfaces, and this is what you will see if you enabled the debug:
R2#
%LINK-3-UPDOWN: Interface Serial0/0, changed state to up
Se0/0 PPP: Using default call direction
Se0/0 PPP: Treating connection as a dedicated line
Se0/0 PPP: Session handle[9C000002] Session id[2]
Se0/0 PPP: Phase is ESTABLISHING, Active Open
Se0/0 LCP: O CONFREQ [Closed] id 4 len 10
Se0/0 LCP:    MagicNumber 0x0045BF0E (0x05060045BF0E)
Se0/0 LCP: I CONFREQ [REQsent] id 136 len 10
Se0/0 LCP:    MagicNumber 0x004598FC (0x0506004598FC)
Se0/0 LCP: O CONFACK [REQsent] id 136 len 10
Se0/0 LCP:    MagicNumber 0x004598FC (0x0506004598FC)
Se0/0 LCP: I CONFACK [ACKsent] id 4 len 10
Se0/0 LCP:    MagicNumber 0x0045BF0E (0x05060045BF0E)
Se0/0 LCP: State is Open
Se0/0 PPP: Phase is FORWARDING, Attempting Forward
Se0/0 PPP: Phase is ESTABLISHING, Finish LCP
Se0/0 PPP: Phase is UP
Se0/0 IPCP: O CONFREQ [Closed] id 1 len 10
Se0/0 IPCP:    Address 192.168.12.2 (0x0306C0A80C02)
Se0/0 CDPCP: O CONFREQ [Closed] id 1 len 4
Se0/0 PPP: Process pending ncp packets
Se0/0 CDPCP: I CONFREQ [REQsent] id 1 len 4
Se0/0 CDPCP: O CONFACK [REQsent] id 1 len 4
Se0/0 IPCP: I CONFREQ [REQsent] id 1 len 10
Se0/0 IPCP:    Address 192.168.12.1 (0x0306C0A80C01)
Se0/0 IPCP: O CONFACK [REQsent] id 1 len 10
Se0/0 IPCP:    Address 192.168.12.1 (0x0306C0A80C01)
Se0/0 IPCP: I CONFACK [ACKsent] id 1 len 10
Se0/0 IPCP:    Address 192.168.12.2 (0x0306C0A80C02)
Se0/0 IPCP: State is Open
Se0/0 CDPCP: I CONFACK [ACKsent] id 1 len 4
Se0/0 CDPCP: State is Open
Se0/0 IPCP: Install route to 192.168.12.1
R2#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
Above you first see the “LCP” messages that are setting up the link. Once LCP is done you see “IPCP” and “CDPCP” messages. This is NCP making sure that we can send IP and CDP traffic over our PPP link. CDP (Cisco Discovery Protocol) is used to detect other Cisco devices on our network.
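Each option line in the debug above prints the raw option bytes in parentheses: a Type byte, a Length byte and the data, so 0x05060045BF0E is LCP option type 5 (Magic-Number), length 6, value 0x0045BF0E, and 0x0306C0A80C02 is IPCP option type 3 (IP-Address) carrying 192.168.12.2. The decoder below is an added example, not part of the original lesson or of IOS; the sample lines are copied from the debug output above, and the option-name tables are assumed from the PPP, LCP and IPCP standards.

```python
import ipaddress
import re

# Option-type names for the two protocols that appear in the debug above
# (Magic-Number is LCP type 5; IP-Address is IPCP type 3).
OPTION_NAMES = {
    "LCP": {1: "Maximum-Receive-Unit", 3: "Authentication-Protocol", 5: "Magic-Number"},
    "IPCP": {3: "IP-Address"},
}

def decode_option(protocol, hex_tlv):
    """Decode one PPP configuration option (Type, Length, Data) from the hex IOS prints,
    e.g. 0x05060045BF0E -> ("Magic-Number", "0x0045BF0E")."""
    raw = bytes.fromhex(hex_tlv[2:] if hex_tlv.lower().startswith("0x") else hex_tlv)
    if len(raw) < 2:
        raise ValueError("option shorter than its 2-byte Type/Length header")
    opt_type, opt_len = raw[0], raw[1]
    if opt_len != len(raw):
        # A Length field that disagrees with the bytes actually present is a malformed option.
        raise ValueError(f"Length field says {opt_len} bytes but {len(raw)} were captured")
    data = raw[2:]
    name = OPTION_NAMES.get(protocol, {}).get(opt_type, f"Unknown-type-{opt_type}")
    if protocol == "LCP" and opt_type == 5 and len(data) == 4:
        value = f"0x{int.from_bytes(data, 'big'):08X}"   # 32-bit magic number
    elif protocol == "IPCP" and opt_type == 3 and len(data) == 4:
        value = str(ipaddress.IPv4Address(data))          # C0A80C02 -> 192.168.12.2
    else:
        value = data.hex()
    return name, value

# Matches the option lines of 'debug ppp negotiation': the protocol, then the hex in parentheses.
DEBUG_OPTION = re.compile(r"^Se\S+ (LCP|IPCP):\s+.*\((0x[0-9A-Fa-f]+)\)\s*$")

def decode_debug(lines):
    """Return (protocol, option name, value) for every option line in a debug capture."""
    decoded = []
    for line in lines:
        match = DEBUG_OPTION.match(line)
        if match:
            protocol, hex_tlv = match.groups()
            decoded.append((protocol,) + decode_option(protocol, hex_tlv))
    return decoded

# Lines copied from the debug output above (R2's side of the negotiation).
SAMPLE_DEBUG = [
    "Se0/0 LCP: O CONFREQ [Closed] id 4 len 10",
    "Se0/0 LCP:    MagicNumber 0x0045BF0E (0x05060045BF0E)",
    "Se0/0 IPCP:    Address 192.168.12.2 (0x0306C0A80C02)",
    "Se0/0 IPCP:    Address 192.168.12.1 (0x0306C0A80C01)",
]

if __name__ == "__main__":
    for entry in decode_debug(SAMPLE_DEBUG):
        print(*entry)
```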
Let’s see if there is connectivity between the routers:
R1#ping 192.168.12.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/12 ms
A quick ping proves that PPP is working.
Let’s disable debug before we continue:
R2#no debug all                
All possible debugging has been turned off
Let’s see if we can enable authentication for PPP. I’ll show you how to use CHAP:
R1(config)#username R2 password MYSECRET
R2(config)#username R1 password MYSECRET
First we configure the username and password. The username is the hostname of the router on the other side, and of course the password has to be the same on both routers.
R1(config)#interface serial 0/0
R1(config-if)#ppp authentication chap
R2(config)#interface serial 0/0
R2(config-if)#ppp authentication chap
Use the ppp authentication chap command to enable CHAP authentication. If I enable it on both routers they will authenticate each other. It’s also possible to configure this on only one of the routers. Let me show you what I mean:
R1#debug ppp authentication 
PPP authentication debugging is on
You can enable debugging for PPP authentication; this way we can see what is going on:
R1(config)#interface serial 0/0
R1(config-if)#shutdown
R1(config-if)#no shutdown
A quick shutdown and no shutdown will make sure that our routers have to reconnect and reauthenticate.
R1#
Se0/0 PPP: Using default call direction
Se0/0 PPP: Treating connection as a dedicated line
Se0/0 PPP: Session handle[C2000009] Session id[33]
Se0/0 PPP: Authorization required
%LINK-3-UPDOWN: Interface Serial0/0, changed state to up
Se0/0 CHAP: O CHALLENGE id 32 len 29 from "R1"
Se0/0 CHAP: I CHALLENGE id 3 len 26 from "R2"
Se0/0 CHAP: I RESPONSE id 32 len 26 from "R2"
Se0/0 PPP: Sent CHAP LOGIN Request
Se0/0 CHAP: Using hostname from unknown source
Se0/0 CHAP: Using password from AAA
Se0/0 CHAP: O RESPONSE id 3 len 29 from "R1"
Se0/0 PPP: Received LOGIN Response PASS
Se0/0 PPP: Sent LCP AUTHOR Request
Se0/0 PPP: Sent IPCP AUTHOR Request
Se0/0 LCP: Received AAA AUTHOR Response PASS
Se0/0 IPCP: Received AAA AUTHOR Response PASS
Se0/0 CHAP: O SUCCESS id 32 len 4
Se0/0 CHAP: I SUCCESS id 3 len 4
Se0/0 PPP: Sent CDPCP AUTHOR Request
Se0/0 CDPCP: Received AAA AUTHOR Response PASS
Above you see an “O” that stands for outgoing and an “I” for incoming. Our router sends a challenge, receives a response and sends a success message. It also receives a challenge from R2, sends a response and receives a success message.
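The CHALLENGE/RESPONSE/SUCCESS exchange above, modelled as an added example (not code from the original lesson or from IOS): per RFC 1994 the response is MD5(Identifier || secret || challenge), so only a digest crosses the link, and a fresh random challenge makes a captured response useless for replay. Hostnames R1/R2, identifier 32 and the secret MYSECRET are taken from the debug and configuration on this page; everything else is constructed. Note that the digest still lets anyone who records the link guess the shared secret offline, and `password 0` in the running configuration means the secret is stored in cleartext, so choose a long random secret.

```python
import hashlib
import hmac
import os

def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP with MD5: the response is MD5(Identifier || secret || challenge).
    The secret itself is never placed on the link, only this 16-byte digest."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class ChapAuthenticator:
    """The side that sends the CHALLENGE and checks the RESPONSE (R1 in the debug above)."""
    def __init__(self, hostname, users):
        self.hostname = hostname
        self.users = users          # peer hostname -> secret, like 'username R2 password MYSECRET'
        self.outstanding = {}       # identifier -> challenge value still awaiting a response

    def challenge(self, identifier):
        value = os.urandom(16)      # fresh random value, so an old response cannot be replayed
        self.outstanding[identifier] = value
        return identifier, value, self.hostname              # O CHALLENGE id .. from "R1"

    def verify(self, identifier, response_value, peer_name):
        challenge = self.outstanding.pop(identifier, None)  # each challenge is usable once
        secret = self.users.get(peer_name)                  # unknown peer name -> no secret
        if challenge is None or secret is None:
            return "FAILURE"
        expected = chap_response(identifier, secret, challenge)
        return "SUCCESS" if hmac.compare_digest(expected, response_value) else "FAILURE"

class ChapPeer:
    """The side that answers the challenge (R2 in the debug above)."""
    def __init__(self, hostname, secret):
        self.hostname, self.secret = hostname, secret

    def respond(self, identifier, challenge_value):
        return identifier, chap_response(identifier, self.secret, challenge_value), self.hostname

def run_chap(authenticator_secret=b"MYSECRET", peer_secret=b"MYSECRET"):
    """One-way authentication of R2 by R1, mirroring the first half of the debug.
    Returns the verdict for the genuine response and for a replay of the same response."""
    r1 = ChapAuthenticator("R1", {"R2": authenticator_secret})
    r2 = ChapPeer("R2", peer_secret)
    ident, chal, _ = r1.challenge(32)                        # O CHALLENGE id 32
    ident, resp, name = r2.respond(ident, chal)              # I RESPONSE id 32 from "R2"
    result = r1.verify(ident, resp, name)                    # O SUCCESS id 32
    replay = r1.verify(ident, resp, name)                    # same response again is refused
    return result, replay

if __name__ == "__main__":
    print(run_chap(), run_chap(peer_secret=b"WRONG"))
```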
hostname R1
!
ip cef
!
username R2 password 0 MYSECRET
!
interface Serial0/0
 ip address 192.168.12.1 255.255.255.0
 clock rate 64000
 encapsulation ppp
 ppp authentication chap
!
end

hostname R2
!
ip cef
!
username R1 password 0 MYSECRET
!
interface Serial0/0
 ip address 192.168.12.2 255.255.255.0
 encapsulation ppp
 ppp authentication chap
!
end

That’s all I wanted to share about PPP for now. I hope you enjoyed this lesson, feel free to ask any questions that you might have!
