PPP

Accessing the WAN Chapter 2

ITE I Chapter 6

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

Objectives

In this chapter, you will learn to:

Describe the fundamental concepts of point-to-point serial

communication.
Describe key PPP concepts.

Configure PPP encapsulation.

Explain and configure PAP and CHAP authentication.

ITE 1 Chapter 6

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

How Does Serial Communication Work?

Most PCs have both serial and parallel ports.

Computers use of relatively short parallel connections

between interior components, but use a serial bus to
convert signals for most external communications.
With a serial connection, information is sent across one
wire, one data bit at a time.
The 9-pin serial connector on most PCs uses two loops of
wire, one in each direction, for data communication, plus
additional wires to control the flow of information.

A parallel connection sends the bits over more wires

simultaneously. In the 25-pin parallel port on your PC,
there are 8 data wires to carry 8 bits simultaneously.
The parallel link theoretically transfers data eight times
faster than a serial connection.

In reality, it is often the case that serial links can be

clocked considerably faster than parallel links, and
they achieve a higher data rate

Two factors that affect parallel communications: clock

skew and crosstalk interference.

ITE 1 Chapter 6

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

Parallel connection: Clock Skew & Interference

In a parallel connection, it is wrong to assume

that the 8 bits leaving the sender at the same
time arrive at the receiver at the same time.
Clock Skew

Some of the bits get there later than others. This

is known as clock skew.
Overcoming clock skew is not trivial. The
receiving end must synchronize itself with the
transmitter and then wait until all the bits have
arrived. The process of reading, waiting, waiting
adds time to the transmission.
This is not a factor with serial links, because most
serial links do not need clocking.

Interference

Parallel wires are physically bundled in a parallel

cable. The possibility of crosstalk across the wires
requires more processing.
Since serial cables have fewer wires, there is less
crosstalk, and network devices transmit serial
communications at higher, more efficient
frequencies.

ITE 1 Chapter 6

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

Serial Communication Standards

In a serial communication process.

Data is encapsulated by the sending router.

The frame is sent on a physical medium to the WAN.

There are various ways to traverse the WAN,

The receiving router uses the same communications

protocol to de-encapsulate the frame when it arrives.

There are three key serial communication standards

affecting LAN-to-WAN connections:

RS-232 - Most serial ports on personal computers conform

to the RS-232C standards.
Both 9-pin and 25-pin connectors are used.

It be used for device, including modems, mice, and printers.

V.35 It is used for modem-to-multiplexer communication.

V.35 is used by routers and DSUs that connect to T1 carriers.

HSSI - A High-Speed Serial Interface (HSSI) supports

transmission rates up to 52 Mb/s.

HSSI is used to connect routers on LANs with WANs over highspeed lines such as T3 lines.

ITE 1 Chapter 6

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

Serial Communication: RS-232

While this course does not examine the details of V.35 and
HSSI pinning schemes, a quick look at a 9-pin RS-232
connector used to connect a PC to a modem helps illustrate
the concept.

Pin 1 - Data Carrier Detect (DCD) indicates that the carrier for the
transmit data is ON.

Pin 2 - The receive pin (RXD) carries data from the serial device to
the computer.
Pin 3 - The transmit pin (TxD) carries data from the computer to
the serial device.

Pin 4 - Data Terminal Ready (DTR) indicates to the modem that

the computer is ready to transmit.
Pin 5 - Ground

Pin 6 - Data Set Ready (DSR) is similar to DTR. It indicates that

the Dataset is ON.

Pin 7 - The RTS pin requests clearance to send data to a modem

Pin 8 - The serial device uses the Clear to Send (CTS) pin to
acknowledge the RTS signal of the computer. In most situations,
RTS and CTS are constantly ON throughout the communication
session.
Pin 9 - An auto answer modem uses the Ring Indicator (RI) to
signal receipt of a telephone ring signal.
ITE 1 Chapter 6

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

Time Division Multiplexing (TDM)

Bell Laboratories invented TDM to maximize the

amount of voice traffic carried over a medium.
Compare TDM to a train with 32 railroad cars.

Each car is owned by a different freight company,

and every day the train leaves with the 32 cars
attached.
If the companies has cargo to send, the car is
loaded.
If the company has nothing to send, the car
remains empty but stays on the train.

Shipping empty containers is not very efficient.

TDM shares this inefficiency when traffic is

intermittent, because the time slot is still allocated
even when the channel has no data to transmit.

ITE 1 Chapter 6

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

Time Division Multiplexing (TDM)

TDM divides the bandwidth of a single link into

separate channels or time slots.

TDM transmits two or more channels over the

same link by allocating a different time interval (time
slot) for the transmission of each channel.
TDM is a physical layer concept. It has no regard
of the information that is being multiplexed.

The multiplexer (MUX) accepts input from

attached devices in a round-robin fashion and
transmits the data in a never-ending pattern.

The MUX puts each segment into a single channel

by inserting each segment into a timeslot.

A MUX at the receiving end separate data streams

based only on the timing of the arrival of each bit.
A technique called bit interleaving keeps track of
the sequence of the bits so that they can be
efficiently reassembled into their original form upon
receipt.
ITE 1 Chapter 6

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

Statistical Time Division Multiplexing

Statistical time-division multiplexing

(STDM) was developed to overcome this
inefficiency.

STDM uses a variable time slot length allowing

channels to compete for any free slot space.
It employs a buffer memory that temporarily
stores the data during periods of peak traffic.
STDM does not waste high-speed line time
with inactive channels using this scheme.

STDM requires each transmission to carry

identification information (a channel identifier).

ITE 1 Chapter 6

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

TDM Examples - ISDN and SONET

An example of a technology that uses synchronous

TDM is ISDN.

ISDN basic rate (BRI) has three channels consisting of

two 64 kb/s B-channels (B1 and B2), and a 16 kb/s Dchannel.

The TDM has nine timeslots, which are repeated in the

sequence shown in the figure.

On a larger scale, the industry uses the SONET or

SDH for optical transport of TDM data.
SONET, used in North America, and SDH, used
elsewhere, for synchronous TDM over fiber.

SONET/SDH takes n bit streams, multiplexes them,

and optically modulates the signal, sending it out using a
light emitting device over fiber with a bit rate equal to
(incoming bit rate) x n. Thus traffic arriving at the
SONET multiplexer from four places at 2.5 Gb/s goes
out as a single stream at 4 x 2.5 Gb/s, or 10 Gb/s.

ITE 1 Chapter 6

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

SDH - Synchronous Digital Hierarchy

SONET - Synchronous optical networking

10

TDM Examples - T-Carrier Hierarchy

DS0: The original unit used in multiplexing

telephone calls is 64 kb/s, which represents one
phone call.
T1: In North America, 24 DS0 units are
multiplexed using TDM into a higher bit-rate
signal with an aggregate speed of 1.544 Mb/s
for transmission over T1 lines.

While it is common to refer to a 1.544 Mb/s

transmission as a T1, it is more correct to refer to
it as DS1.
T-carrier refers to the bundling of DS0s.
A T1 = 24 DSOs,

A T1C = 48 DSOs (or 2 T1s), and so on.

E1: Outside North America, 32 DS0 units are

multiplexed for E1 transmission at 2.048 Mb/s.

ITE 1 Chapter 6

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

11

Demarcation Point

The demarcation point marks the point where your

network interfaces with the network owned by another
organization.

This is the interface between customer-premises

equipment (CPE) and network service provider equipment.
The demarcation point is the point in the network where
the responsibility of the service provider ends.

The example presents an ISDN scenario.

In the United States, a service provider provides the local

loop into the customer premises,
The customer provides the active equipment such as the
channel service unit/data service unit (CSU/DSU) on which the
local loop is terminated.
The customer is responsible for maintaining, replacing, or
repairing the equipment.

In other countries, the network terminating unit (NTU) is

provided and managed by the service provider.

The customer connects a CPE device, such as a router or

frame relay access device, to the NTU using a V.35 or RS-232
serial interface.

ITE 1 Chapter 6

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

12

DTE and DCE

In order to be connecting to the WAN, a serial

connection has a DTE device at one end of the
connection and a DCE device at the other end.
The DTE, which is generally a router.

The DTE could also be a terminal, computer, printer,

or fax machine.

The DCE, commonly a modem or CSU/DSU, is

the device used to convert the user data from the
DTE into a form acceptable to the WAN service
provider transmission link.
This signal is received at the remote DCE, which
decodes the signal back into a sequence of bits.

The remote DCE then signals this sequence to the

remote DTE.

The connection between the two DCE devices is

the WAN service provider transmission network.

Cisco Internal T1 CSU/DSU

WIC-1DSU-T1
ITE 1 Chapter 6

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

13

DTE and DCE

DTE and DCE Cable Standards

Originally, the concept of DCEs and DTEs was based on

two types of equipment: terminal equipment that
generated or received data, and communication
equipment that only relayed data.
We are left with two different types of cables:
one for connecting a DTE to a DCE,
another for connecting two DTEs directly to each other.

The DTE/DCE interface standard defines the following

specifications:
Mechanical/physical - Number of pins and connector type
Electrical - Defines voltage levels for 0 and 1
Functional - Specifies the functions that are performed by
assigning meanings to each of the signaling lines in the interface
Procedural - Specifies the sequence for transmitting data

The Serial Cables

The original RS-232 standard only defined the

connection of DTEs with DCEs, which were modems.
A null modem is a communication method to directly
connect two DTEs, such as a computer, terminal, or
printer, using a RS-232 serial cable. With a null modem
connection, the transmit (Tx) and receive (Rx) lines are
crosslinked.

ITE 1 Chapter 6

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

14

DTE and DCE

The DB-60 Connector

The cable for the DTE to DCE connection is a

shielded serial cable. The router end of the serial
cable may be a DB-60 connector.
The other end of the serial transition cable is
available with the connector appropriate for the
standard that is to be used.

The Smart Serial Connector

To support higher port densities in a smaller form

factor, Cisco has introduced a Smart Serial cable.
The router interface end of the Smart Serial cable is
a 26-pin connector that is significantly more compact
than the DB-60 connector.

The Router-to-Router

When using a null modem, keep in mind that

synchronous connections require a clock signal.
When using a null modem cable in a router-torouter connection, one of the serial interfaces
must be configured as the DCE end to provide the
clock signal for the connection.

ITE 1 Chapter 6

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

15

DTE and DCE: Parallel to Serial Conversion

The terms DTE and DCE are relative with respect to

what part of a network you are observing.

RS-232C is the recommended standard (RS)

describing the physical interface and protocol for
relatively low-speed, serial data communication between
computers and related devices.
The DTE is the RS-232C interface that a computer uses to
exchange data with a modem or other serial device.
The DCE is the RS-232C interface that a modem or other
serial device uses in exchanging data with the computer.

Your PC also has a Universal Asynchronous

Receiver/Transmitter (UART) chip on the
motherboard. The UART is the DTE agent of your PC
and communicates with the modem or other serial
device, which, in accordance with the RS-232C
standard, has a complementary interface called the
DCE interface.
The data in your PC flows along parallel circuits, the
UART chip converts the groups of bits in parallel to a
serial stream of bits.

ITE 1 Chapter 6

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

16

WAN Encapsulation Protocols

On WAN connection, data is encapsulated into frames
before crossing the WAN link. The protocol depends on the
WAN technology and communicating equipment:
HDLC - The default encapsulation type on point-to-point
connections, when the link uses two Cisco devices.

PPP - Provides router-to-router and host-to-network

connections over synchronous and asynchronous circuits.

PPP works with several network protocols, such as IP and IPX. PPP
also has built-in security mechanisms such as PAP and CHAP.

Serial Line Internet Protocol (SLIP) - A standard protocol for

point-to-point serial connections using TCP/IP.
SLIP has been largely displaced by PPP.

X.25/Link Access Procedure, Balanced (LAPB) - X.25 specifies

LAPB, a data link layer protocol.
X.25 is a predecessor to Frame Relay.

Frame Relay - Frame Relay eliminates some of the timeconsuming processes (such as error correction and flow control)
employed in X.25.
ATM - The cell relay in which devices send multiple service
types (voice, video, or data) in fixed-length (53-byte) cells.

Fixed-length cells allow processing to occur in hardware, thereby

reducing transit delays.

ITE 1 Chapter 6

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

With SLIP, you have to know

the IP address assigned to you
by your service provider. You
also need to know the IP
address of the remote system
you will be dialing into. You
may also need to configure such
details as MTU (maximum
transmission unit), MRU
(maximum receive unit), etc.
17

HDLC Encapsulation

HDLC is a bit-oriented synchronous data link layer

protocol developed by the International Organization
for Standardization (ISO).

HDLC was developed from the Synchronous Data Link

Control (SDLC) standard proposed in the 1970s.
HDLC provides both connection-oriented and
connectionless service.

HDLC defines a Layer 2 framing structure that allows

for flow control and error control through the use of
acknowledgments.
HDLC uses a frame delimiter, or flag, to mark the
beginning and the end of each frame.

Cisco has developed an extension to the HLDC

protocol to solve the inability to provide multiprotocol
support.

Cisco HLDC (also referred to as cHDLC) is proprietary

Cisco HDLC frames contain a field for identifying the
network protocol being encapsulated.

ITE 1 Chapter 6

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

18

Configuring HDLC Encapsulation

Cisco HDLC is the default encapsulation method

used by Cisco devices on synchronous serial lines.
You use Cisco HDLC as a point-to-point protocol on
leased lines between two Cisco devices.

If the default encapsulation method has been changed,

use the encapsulation hdlc command in privileged mode
to re-enable HDLC.

If you are connecting to a non-Cisco device, use

synchronous PPP.

There are two steps to enable HDLC encapsulation:

Step 1. Enter the interface configuration mode of the
serial interface.
Step 2. Enter the encapsulation hdlc command to
specify the encapsulation protocol on the interface.

The output of the show interfaces serial command

displays information specific to serial interfaces.
When HDLC is configured, "Encapsulation HDLC"

ITE 1 Chapter 6

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

19

Troubleshooting a serial interface

Show ip int brief (sh ip int b)

Router# show ip interface brief
Interface
Ethernet0
Serial0

IP-Address
131.108.1.11
198.135.2.49

OK?
YES
YES

Method
manual
manual

Status
up
administratively down

Protocol
up
down

Serial x is down, line protocol is down

Serial x is up, line protocol is down
Serial x is up, line protocol is up (looped)
Serial x is up, line protocol is down (disabled)
Serial x is administratively down, line protocol is down

ITE 1 Chapter 6

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

20

Troubleshooting a serial
interface (cont.)

Five possible problem states can be identified in the interface

status line of the show interfaces serial display:
Serial x is down, line protocol is down
Serial x is up, line protocol is down
Serial x is up, line protocol is up (looped)
Serial x is up, line protocol is down (disabled)
Serial x is administratively down, line protocol is down

ITE 1 Chapter 6

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

21

Troubleshooting a
serial interface (cont.)

Five possible problem states can be identified in the

interface status line of the show interfaces serial display:
Serial x is down, line protocol is down
Serial x is up, line protocol is down
Serial x is up, line protocol is up (looped)
Serial x is up, line protocol is down (disabled)
Serial x is administratively down, line protocol is down

ITE 1 Chapter 6

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

22

Troubleshooting a Serial Interface

The show controllers command is

another important diagnostic tool when
troubleshooting serial lines.
In the figure, serial interface 0/0 has a
V.35 DCE cable attached.
show controllers serial command.

If the electrical interface output is shown as

UNKNOWN instead of V.35, EIA/TIA-449, or
some other electrical interface type, the likely
problem is an improperly connected cable.

If the electrical interface is unknown, the

corresponding display for the show interfaces
serial <x> command shows that the interface
and line protocol are down.

ITE 1 Chapter 6

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

23

Troubleshooting a Serial Interface: Activity

ITE 1 Chapter 6

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

24

What is PPP?

Recall that HDLC is the default serial encapsulation method

when you connect two Cisco routers.
Cisco HDLC can only work with other Cisco devices.

However, when you need to connect to a non-Cisco router,

you should use PPP encapsulation.
PPP includes many features not available in HDLC:

The link quality management feature monitors the quality of the

link. If too many errors are detected, PPP takes the link down.
PPP supports PAP and CHAP authentication.

PPP contains three main components:

HDLC protocol for encapsulating datagrams over point-to-point

links.
Extensible Link Control Protocol (LCP) to establish, configure,
and test the data link connection.
Family of Network Control Protocols (NCPs) for establishing
and configuring different network layer protocols.

PPP allows the simultaneous use of multiple network layer protocols.

Some of the more common NCPs are Internet Protocol Control
Protocol, Appletalk Control Protocol, Novell IPX Control Protocol,
Cisco Systems Control Protocol, SNA Control Protocol, and
Compression Control Protocol.

ITE 1 Chapter 6

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

25

PPP Layered Architecture

PPP and OSI share the same physical layer, but PPP
distributes the functions of LCP and NCP differently.
At the physical layer, you can configure PPP on:
Asynchronous serial
Synchronous serial
HSSI

ISDN

PPP does not impose any restrictions regarding

transmission rate other than those imposed by the
particular DTE/DCE interface in use.

Most of the work done by PPP is at the data link and

network layers by the LCP and NCPs.
The LCP sets up the PPP connection and its
parameters

The NCPs handle higher layer protocol configurations,

and the LCP terminates the PPP connection.

ITE 1 Chapter 6

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

26

PPP Architecture - Link Control Protocol Layer

The LCP sits on top of the physical layer and has a

role in establishing, configuring, and testing the datalink connection.
The LCP establishes the point-to-point link.

The LCP also negotiates and sets up control options on

the WAN data link, which are handled by the NCPs.

The LCP provides automatic configuration of the

interfaces at each end, including:
Handling varying limits on packet size

Detecting common misconfiguration errors

Terminating the link

Determining when a link is functioning properly or when

it is failing

PPP also uses the LCP to agree automatically on

encapsulation formats (authentication, compression,
error detection) as soon as the link is established.

ITE 1 Chapter 6

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

27

PPP Architecture - Network Control Protocol Layer

PPP permits multiple network layer protocols to

operate on the same communications link. For
every network layer protocol used, PPP uses a
separate NCP.
For example, IP uses the IP Control Protocol
(IPCP),
IPX uses the Novell IPX Control Protocol
(IPXCP).

NCPs include functional fields containing

standardized codes (PPP protocol field numbers
shown in the figure) to indicate the network layer
protocol that PPP encapsulates.
Each NCP manages the specific needs required
by its respective network layer protocols.
The various NCP components encapsulate and
negotiate options for multiple network layer
protocols.
ITE 1 Chapter 6

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

28

PPP Frame Structure

A PPP frame has six fields as shown in the figure.

The LCP can negotiate modifications to the standard PPP frame structure.

ITE 1 Chapter 6

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

29

Establishing a PPP Session

The three phases of establishing a PPP session:

Phase 1: Link establishment and configuration
negotiation

The LCP must first open the connection and negotiate

configuration options.

Phase 2: Link quality determination (optional)

The LCP tests the link to determine whether the link

quality is sufficient to bring up network layer protocols.

Phase 3: Network layer protocol configuration

negotiation

After the LCP has finished the link quality determination

phase, the appropriate NCP can separately configure the
network layer protocols, and bring them up and take them
down at any time.

The link remains configured for communications

until explicit LCP or NCP frames close the link, or
until some external event occurs.

This happen because of the loss of the carrier,

authentication failure, link quality failure, the expiration
of idle-period timer, or administrative closing the link.

ITE 1 Chapter 6

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

30

PPP Configuration Options

PPP may include the following LCP options:

Authentication - Peer exchange authentication

messages.

Two choices are Password Authentication Protocol (PAP)

and Challenge Handshake Authentication Protocol (CHAP).

Compression - Increases the effective throughput on

PPP connections by reducing the amount of data in the
frame that must travel across the link.
Two compression are Stacker and Predictor.

Error detection - Identifies fault conditions.

The Quality and Magic Number options help ensure a

reliable, loop-free data link.

Multilink - Cisco IOS Release 11.1 and later supports

multilink PPP.
This alternative provides load balancing over the router
interfaces that PPP uses.

PPP Callback - To enhance security, Cisco IOS

Release 11.1 and later offers callback over PPP.

The client makes the initial call, requests that the server call
it back, and terminates its initial call.

ITE 1 Chapter 6

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

31

PPP Configuration Commands

Example 1: Enabling PPP on an Interface

To set PPP as the encapsulation method used by a serial or ISDN interface,

use the encapsulation ppp interface configuration command.
R3#configure terminal

R3(config)#interface serial 0/0

R3(config-if)#encapsulation ppp

You must first configure the router with an IP routing protocol to use PPP
encapsulation. If you do not configure PPP on a Cisco router, the default encapsulation
for serial interfaces is HLDC.

Example 2: Compression

You can configure point-to-point compression on serial interfaces after you

have enabled PPP. Because this option invokes a software compression
process, it can affect system performance. If the traffic already consists of
compressed files (.zip, .tar, or .mpeg, for example), do not use this option.
R3(config)#interface serial 0/0

R3(config-if)#encapsulation ppp

R3(config-if)#compress [predictor | stac]

ITE 1 Chapter 6

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

32

PPP Configuration Commands

Example 3: Link Quality Monitoring

LCP provides an optional link quality determination phase.

If the link quality percentage is not maintained, the link is deemed to be of poor
quality and is taken down.
This example configuration monitors the data dropped on the link and avoids
frame looping:
R3(config)#interface serial 0/0

R3(config-if)#encapsulation ppp
R3(config-if)#ppp quality 80

Example 4: Load Balancing Across Links

Multilink PPP (also referred to as MP, MPPP, MLP, or Multilink) provides a

method for spreading traffic across multiple physical WAN links while providing
packet fragmentation and reassembly, proper sequencing, multivendor
interoperability, and load balancing on inbound and outbound traffic.
Router(config)#interface serial 0/0

Router(config-if)#encapsulation ppp
Router(config-if)#ppp multilink

ITE 1 Chapter 6

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

33

Verified a Serial PPP Encapsulation Configuration

Use the show interfaces serial

command to verify proper
configuration of HDLC or PPP
encapsulation.

When you configure HDLC, the

output of the show interfaces serial
command should show
"encapsulation HDLC".

When you configure PPP, you can

check its LCP and NCP states.

ITE 1 Chapter 6

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

34

Troubleshooting the Serial Encapsulation Configuration

Debug displays information about various

router operations and the related traffic
generated or received by the router, as well as
any error messages.
It is a very useful and informative tool, but you
must always remember that Cisco IOS treats
debug as a high priority task.
It can consume a significant amount of
resources, and the router is forced to processswitch the packets being debugged.

Debug must not be used as a monitoring tool-it

is meant to be used for a short period of time for
troubleshooting.

Use the debug ppp command to display

information about the operation of PPP.

ITE 1 Chapter 6

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

35

PPP Authentication Protocols

PPP defines an extensible LCP that allows

negotiation of an authentication protocol for
authenticating its peer before allowing network layer
protocols to transmit over the link.
PAP is a very basic two-way process.

There is no encryption-the username and password are

sent in plain text. If it is accepted, the connection is allowed.

CHAP is more secure than PAP. It involves a threeway exchange of a shared secret.

The authentication phase of a PPP session is

optional.

If used, you can authenticate the peer after the LCP

establishes the link.
If it is used, authentication takes place before the
network layer protocol configuration phase begins.

The authentication options require that the calling side

of the link enter authentication information. This helps to
ensure that the user has the permission of the network
administrator to make the call.
ITE 1 Chapter 6

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

36

Password Authentication Protocol (PAP)

PPP can performs Layer 2 authentication in

addition to other layers of authentication

PAP provides method for a remote node to

establish its identity using a two-way handshake.
the ppp authentication pap command is used,

the remote node repeatedly sends a usernamepassword pair across the link until the sending node
acknowledges it or terminates the connection.

Using PAP, you send passwords across the link

in clear text and there is no protection from
playback or repeated trial-and-error attacks.

There are times when using PAP is justified.

Client applications that do not support CHAP

Incompatibilities between different vendor
implementations of CHAP

Situations where a plaintext password must be

available to simulate a login at the remote host
ITE 1 Chapter 6

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

37

Challenge Handshake Authentication Protocol (CHAP)

Once authentication is established with PAP, it

essentially stops working. This leaves the network
vulnerable to attack.

CHAP conducts periodic challenges to make sure

that the remote node still has a valid password value.
The password value is variable and changes
unpredictably while the link exists.

After the PPP link establishment phase is complete,

The router sends a challenge to the remote node.

The remote node responds with a value calculated

using a one-way hash function using MD5.

The local router checks the response against its own

calculation of the expected hash value. If the values
match, the initiating node acknowledges the
authentication. Otherwise, it immediately terminates the
connection.
Because the challenge is unique and random, the
resulting hash value is also unique and random.

ITE 1 Chapter 6

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

38

The ppp authentication Command

To specify the order in which the CHAP

or PAP protocols are requested on the
interface, use the ppp authentication
interface command.
You may enable PAP or CHAP or both.

After you have enabled CHAP or PAP

authentication, or both, the local router
requires the remote device to prove its identity
before allowing data traffic to flow.

If both methods are enabled, the first method

specified is requested during link negotiation. If
the peer suggests using the second method or
simply refuses the first method, the second
method is tried.

ITE 1 Chapter 6

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

39

Configuring PPP with Authentication

PAP

The figure is an example of a two-way PAP

authentication configuration. Both routers authenticate
and are authenticated, so the PAP authentication
commands mirror each other.

[Tony]: The term two-way used here is not the same term
used in two-way handshake. This two-way here means
R1 challenge R3 and R3 also challenge R1.

The PAP username and password that each router

sends must match those specified with the username
name password password command of the other router.

CHAP

CHAP periodically verifies the identity of the remote

node using a three-way handshake.

The hostname on one router must match the username the

other router has configured.
The passwords must also match.

This occurs on initial link establishment and can be

repeated any time after the link has been established.

The router name and password are exactly the same, because they are case-sensitive
ITE 1 Chapter 6

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

40

PAP EXAMPLE

ITE 1 Chapter 6

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

41

CHAP EXAMPLE

ITE 1 Chapter 6

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

42

ITE 1 Chapter 6

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

43