Network Bulls
www.networkbulls.com
Best Institute for CCNA CCNP CCSP CCIP CCIE Training in India
M-44, Old Dlf, Sector-14 Gurgaon, Haryana, India
Call: +91-9654672192
Wide-area networking services are typically leased from a service provider. Some WAN
services operate as Layer 2 connections between your remote locations and are typically
provided by a telephone company (telco) provider over its WAN switches.
PPP emerged as an encapsulation protocol for transporting IP traffic over point-to-point
(leased line) serial connections. This section describes the operation, configuration, and
verification of PPP.
Understanding WAN Encapsulations
On each WAN connection, data is encapsulated into frames before it crosses the WAN link. To
ensure that the correct protocol is used, you must configure the appropriate Layer 2 encapsulation
type. The choice of Layer 2 protocol depends on the WAN technology and the communicating
equipment. Figure 8-16 highlights some of the choices for connecting to the WAN.
Figure 8-16 WAN Choices
(Figure 8-16 content: Leased Line and Circuit Switching (POTS or ISDN) use PPP or HDLC; Packet Switching uses Frame Relay, X.25, or ATM; Metro Ethernet uses Ethernet; Broadband (DSL, cable) uses PPPoE, PPPoA, or Ethernet. Providers shown: Internet service provider, telco service provider, POTS or ISDN service provider, and DSL/cable provider.)
316 Chapter 8: Extending the Network into the WAN
The following are typical WAN protocols:
■ High-Level Data Link Control (HDLC): The Cisco default encapsulation type on
point-to-point connections, dedicated links, and circuit-switched connections. You
typically use HDLC when two Cisco devices are communicating across a point-to-point
connection. HDLC is a bit-oriented synchronous data link layer protocol.
■ PPP: Provides router-to-router and host-to-network connections over synchronous
and asynchronous circuits. PPP was designed to work with several network layer
protocols, including IP. PPP also has built-in security mechanisms, such as Password
Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol
(CHAP).
■ Frame Relay: A successor to X.25. This protocol is an industry-standard, switched
data link layer protocol that handles multiple virtual circuits (VC). Frame Relay is
streamlined to eliminate some of the time-consuming processes, such as error
correction and flow control, that were employed in X.25 to compensate for older, less
reliable communication links.
■ ATM: This protocol is the international standard for cell relay in which multiple
service types, such as voice, video, and data, are conveyed in fixed-length (53-byte)
cells. ATM, a cell-switched technology, uses fixed-length cells, which allow
processing to occur in hardware, thereby reducing transit delays. ATM is designed to
take advantage of high-speed transmission media such as T3, E3, and SONET.
■ Broadband: Broadband in data communications typically refers to data transmission
where multiple pieces of data are sent simultaneously to increase the effective rate of
transmission, regardless of the actual data rate. In network engineering, this term refers
to transmission methods where two or more signals share a medium, such as the
following technologies:
— DSL (PPP over Ethernet [PPPoE] and PPP over ATM [PPPoA]): A
family of technologies that provide digital data transmission over the
wires of a local telephone network. Typically, the download speed of
consumer DSL services ranges from 256 to 24,000 kbps, depending on
DSL technology, line conditions, and the service level that has been
implemented. DSL implementations often use PPPoE or PPPoA. Both
implementations offer standard PPP features such as authentication,
encryption, and compression. PPPoE is a network protocol for
encapsulating PPP frames in Ethernet frames. PPPoA is a network
protocol for encapsulating PPP frames in ATM adaptation layer 5
(AAL5).
Establishing a Point-to-Point WAN Connection with PPP 317
— Cable (Ethernet): A cable modem is a type of modem that provides
access to a data signal sent over the cable television infrastructure. Cable
modems are primarily used to deliver broadband Internet access, taking
advantage of unused bandwidth on a cable television network. The
bandwidth of business cable modem services typically ranges from
3 Mbps up to 30 Mbps or more. Current cable modem systems use the
Ethernet frame format for data transmission over upstream and
downstream data channels. Each of the downstream data channels and
the associated upstream data channels on a cable network form an
extended Ethernet WAN.
■ Metro Ethernet: The emergence of Metro Ethernet as a viable method of providing
both point-to-point and multipoint services has been driven by an abundance of new
fiber deployment to business areas. Enterprise customers with years of Ethernet
experience in the campus have developed such a comfort level and confidence with
Ethernet that they are now asking their service providers for Ethernet as an access
option. Ethernet might be the most scalable transport technology ever developed.
Starting at 10 Mbps, it has now evolved to 10 Gbps, with plans for 40 Gbps. Several
prominent methods exist for transporting Ethernet over Metro networks, including
these key solution approaches:
— Delivering Ethernet services over dark fiber
— Delivering Ethernet services over SONET/Synchronous Digital
Hierarchy (SDH) networks
— Delivering Ethernet services that use Resilient Packet Ring (RPR)
technology
Overview of PPP
PPP was designed to provide the connection over point-to-point links. PPP, described
in RFC 1661, encapsulates network layer protocol information over point-to-point links.
RFC 1661 is updated by RFC 2153, “PPP Vendor Extensions.”
You can configure PPP on the following types of physical interfaces:
■ Asynchronous serial: Plain old telephone service (POTS) dialup
■ Synchronous serial: ISDN or point-to-point leased lines
The Link Control Protocol (LCP) portion of PPP is used to negotiate and set up control
options on the WAN data link. PPP offers a rich set of services. These services are options
in LCP and are primarily used for negotiation and checking frames to implement the
point-to-point controls that an administrator specifies for a connection.
With its higher-level functions, PPP can carry packets from several network layer protocols
by using network control protocols (NCP). The NCPs include functional fields that contain
standardized codes to indicate the network layer protocol type that is encapsulated in the
PPP frame.
Figure 8-17 shows how NCP and LCP provide these functions for PPP.
Figure 8-17 PPP Components
Three phases of a PPP session establishment are described in the following list:
1. Link establishment phase
In this phase, each PPP device sends LCP packets to configure and test the data link.
LCP packets contain a configuration option field that allows devices to negotiate the
use of options, such as the maximum receive unit, compression of certain PPP fields,
and the link authentication protocol. If a configuration option is not included in an LCP
packet, the default value for that configuration option is assumed.
2. Authentication phase (optional)
After the link has been established and the authentication protocol has been decided
on, the peer goes through the authentication phase. Authentication, if used, takes place
before the network layer protocol phase is begun.
PPP supports two authentication protocols: PAP and CHAP. Both of these protocols
are discussed in RFC 1334, “PPP Authentication Protocols.” However, RFC 1994,
“PPP Challenge Handshake Authentication Protocol (CHAP),” renders RFC 1334
obsolete.
(Figure 8-17 content: PPP encapsulation; link setup and control using LCP in PPP; multiple protocol encapsulations using NCPs in PPP, carrying TCP/IP, Novell IPX, and AppleTalk.)
3. Network layer protocol phase
In this phase, the PPP devices send NCP packets to choose and configure one or more
network layer protocols, such as IP. After each of the chosen network layer protocols
is configured, datagrams from each network layer protocol can be sent over the link.
PAP is a two-way handshake that provides a simple method for a remote node to establish
its identity. PAP is performed only upon initial link establishment.
After the PPP link establishment phase is complete, the remote node repeatedly sends a
username and password pair to the router until authentication is acknowledged or the
connection is terminated. Figure 8-18 shows an example of a PAP authentication.
Figure 8-18 PAP Authentication
PAP is not a strong authentication protocol. Passwords are sent across the link in plain text,
which can be fine in environments that use token-type passwords that change with each
authentication, but are not secure in most environments. Also there is no protection from
playback or repeated trial-and-error attacks; the remote node is in control of the frequency
and timing of the login attempts.
CHAP uses a three-way handshake. It occurs at the startup of a link and periodically
thereafter to verify the identity of the remote node.
After the PPP link establishment phase is complete, the local router sends a challenge
message to the remote node. The remote node responds with a value that is calculated using
a one-way hash function, typically message digest algorithm 5 (MD5), based on the
password and challenge message. The local router checks the response against its own
calculation of the expected hash value. If the values match, the authentication is
acknowledged. Otherwise, the connection is terminated immediately. Figure 8-19 provides
an example of CHAP authentication.
(Figure 8-18 content: Remote Router (Santa Cruz), host name santacruz, password boardwalk, sends “santacruz, boardwalk” to the Central-Site Router (HQ), which has username santacruz and password boardwalk configured; HQ replies Accept or Reject. PAP two-way handshake.)
Figure 8-19 CHAP Authentication
CHAP provides protection against playback attack using a variable challenge value that is
unique and unpredictable. Because the challenge is unique and random, the resulting hash
value will also be unique and random. The use of repeated challenges is intended to limit
exposure to any single attack. The local router or a third-party authentication server is in
control of the frequency and timing of the challenges.
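As an added illustration of the CHAP and PAP mechanics described above (example code written for this page, not Cisco IOS code or text from the original chapter), the following Python models the authenticating router's side of the three-way handshake as RFC 1994 defines it, where the response is the MD5 of the identifier, the shared password and the challenge, and contrasts it with a PAP Authenticate-Request, whose password travels in plain text. The router names and the password sameone are taken from the chapter's Figure 8-20; the class and function names are my own.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP response value per RFC 1994: MD5(Identifier || secret || Challenge).
    The secret itself never crosses the link; only this one-way hash does."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()

class ChapAuthenticator:
    """Authenticating (local) router. `peers` models the 'username name password
    password' table: remote host name -> shared password."""
    def __init__(self, peers):
        self.peers = peers
        self.outstanding = {}  # identifier -> challenge still awaiting a response

    def challenge(self, identifier):
        # A fresh, unpredictable challenge per attempt is what defeats playback.
        chal = os.urandom(16)
        self.outstanding[identifier] = chal
        return chal

    def verify(self, identifier, peer_name, response):
        chal = self.outstanding.pop(identifier, None)  # each challenge is usable once
        if chal is None or peer_name not in self.peers:
            return False  # stale identifier or no username entry for this peer
        expected = chap_response(identifier, self.peers[peer_name].encode(), chal)
        return hmac.compare_digest(expected, response)

def chap_exchange(authenticator, peer_name, peer_secret, identifier=2):
    """Three-way handshake: Challenge -> Response -> Success/Failure."""
    chal = authenticator.challenge(identifier)                    # O CHALLENGE
    resp = chap_response(identifier, peer_secret.encode(), chal)  # I RESPONSE
    return authenticator.verify(identifier, peer_name, resp)      # O SUCCESS / FAILURE

def replay_is_rejected(peer_name="RouterY", secret="sameone"):
    """A response recorded from a genuine exchange is useless later: the next
    challenge differs, so the recorded hash no longer matches."""
    auth = ChapAuthenticator({peer_name: secret})
    first = auth.challenge(2)
    recorded = chap_response(2, secret.encode(), first)
    if not auth.verify(2, peer_name, recorded):  # the genuine exchange succeeds
        return False
    auth.challenge(3)                            # periodic re-challenge, new value
    return not auth.verify(3, peer_name, recorded)  # the old response fails

def pap_authenticate_request(identifier, peer_id, password):
    """PAP Authenticate-Request (RFC 1334): Code 1, Identifier, Length, then
    Peer-ID and Password as length-prefixed plain text, readable by any tap."""
    body = (bytes([len(peer_id)]) + peer_id.encode()
            + bytes([len(password)]) + password.encode())
    length = 4 + len(body)
    return bytes([1, identifier & 0xFF]) + length.to_bytes(2, "big") + body
```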
Configuring and Verifying PPP
To enable PPP encapsulation with PAP or CHAP authentication on an interface, complete
the following checklist:
■ Enable PPP encapsulation as the Layer 2 protocol of an interface.
■ (Optional) Enable PPP authentication by performing these steps:
Step 1 Configure the router host name to identify itself.
Step 2 Configure the username and password to authenticate the PPP peer.
Step 3 Choose the authentication technique to use on the PPP link: PAP or
CHAP.
To enable PPP encapsulation, use the encapsulation ppp command in interface
configuration mode.
To configure PPP authentication, the interface must be configured for PPP encapsulation.
Follow these steps to enable PAP or CHAP authentication.
Step 1 Verify that each router has a host name assigned to it. To assign a host name, enter
the hostname name command in global configuration mode. This name must
match the username that is expected by the authenticating router at the other end
of the link.
(Figure 8-19 content: Central-Site Router (HQ): Username: santacruz, Host Name: SantaCruz, Password: boardwalk. Remote Router (Santa Cruz): Username: HQ, Host Name: santacruz, Password: boardwalk. CHAP three-way handshake: Challenge, Response, Accept or Reject.)
Step 2 On each router, define the username and password to expect from the
remote router with the username name password password global
configuration command.
Table 8-1 describes the username command parameters.
Add a username entry for each remote system that the local router communicates
with and that requires authentication. Note that the remote device must have a
corresponding username entry for the local router with a matching password.
Step 3 Configure PPP authentication with the ppp authentication {chap | chap
pap | pap chap | pap} interface configuration command.
If you configure ppp authentication chap on an interface, all incoming PPP
sessions on that interface are authenticated using CHAP. Likewise, if you
configure ppp authentication pap, all incoming PPP sessions on that interface
are authenticated using PAP.
If you configure ppp authentication chap pap, the router attempts to authenticate
all incoming PPP sessions using CHAP. If the remote device does not support
CHAP, the router tries to authenticate the PPP session using PAP. If the remote
device does not support either CHAP or PAP, the authentication fails, and the PPP
session is dropped.
If you configure ppp authentication pap chap, the router attempts to authenticate
all incoming PPP sessions using PAP. If the remote device does not support PAP,
the router tries to authenticate the PPP session using CHAP. If the remote device
does not support either protocol, the authentication fails and the PPP session is
dropped.
Table 8-1 username Parameters
Parameter   Description
name        The host name of the remote router. Note that the host name is
            case sensitive.
password    On Cisco routers, the password must be the same for both routers.
            In Cisco IOS Software prior to Release 11.2, this password was an
            encrypted, secret password. As of Release 11.2, the password is a
            plain-text password and is not encrypted. To encrypt passwords on
            your Cisco IOS router, use the service password-encryption
            command while in global configuration mode.
NOTE If you enable both methods, the first method that you specify is requested during
link negotiation. If the peer suggests using the second method or refuses the first method,
the second method is tried.
Example: PPP and CHAP Configuration
Figure 8-20 shows an example of CHAP configuration on two routers. In this example, a
two-way challenge occurs. The hostname on one router must match the username that the
other router has configured. The passwords must also match.
Figure 8-20 PPP & CHAP Configuration Example
RouterX:
hostname RouterX
username RouterY password sameone
!
int serial 0
ip address 10.0.1.1 255.255.255.0
encapsulation ppp
ppp authentication chap

RouterY:
hostname RouterY
username RouterX password sameone
!
int serial 0
ip address 10.0.1.2 255.255.255.0
encapsulation ppp
ppp authentication chap

Example: Verifying PPP Encapsulation Configuration
Use the show interface command to verify proper configuration. Example 8-1 shows that
PPP encapsulation has been configured and LCP has established a connection, as indicated
by “LCP Open” in the command output.
Example 8-1 Verifying PPP Encapsulation with the show interface Command
RouterX# show interface s0
Serial0 is up, line protocol is up
Hardware is HD64570
Internet address is 10.140.1.2/24
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation PPP, loopback not set, keepalive set (10 sec)
LCP Open
Open: IPCP, CDPCP
Last input 00:00:05, output 00:00:05, output hang never
Last clearing of “show interface” counters never
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
38021 packets input, 5656110 bytes, 0 no buffer
Received 23488 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
38097 packets output, 2135697 bytes, 0 underruns
0 output errors, 0 collisions, 6045 interface resets
0 output buffer failures, 0 output buffers swapped out
482 carrier transitions
DCD=up DSR=up DTR=up RTS=up CTS=up
Example: Verifying PPP Authentication
Example 8-2 illustrates the router output that occurs during CHAP authentication. Because
two-way authentication is configured, that is, each router authenticates the other, messages
appear that reflect both the authenticating process and the process of being authenticated.
Use the debug ppp authentication command to display the exchange sequence as it occurs.
Example 8-2 Verifying Authentication with the debug ppp authentication Command
RouterX# debug ppp authentication
4d20h: %LINK-3-UPDOWN: Interface Serial0, changed state to up
4d20h: Se0 PPP: Treating connection as a dedicated line
4d20h: Se0 PPP: Phase is AUTHENTICATING, by both
4d20h: Se0 CHAP: O CHALLENGE id 2 len 28 from “left”
4d20h: Se0 CHAP: I CHALLENGE id 3 len 28 from “right”
4d20h: Se0 CHAP: O RESPONSE id 3 len 28 from “left”
4d20h: Se0 CHAP: I RESPONSE id 2 len 28 from “right”
4d20h: Se0 CHAP: O SUCCESS id 2 len 4
4d20h: Se0 CHAP: I SUCCESS id 3 len 4
4d20h: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed
To determine whether the router is performing one-way or two-way CHAP authentication,
look for the following message in the debug ppp authentication output, which indicates
that the routers are performing two-way authentication:
Se0 PPP: Phase is AUTHENTICATING, by both
Either one of the following messages indicates that the routers are performing one-way
authentication:
Se0 PPP: Phase is AUTHENTICATING, by the peer
Se0 PPP: Phase is AUTHENTICATING, by this end
The following output highlights output for a two-way PAP authentication:
! Two way authentication:
Se0 PPP: Phase is AUTHENTICATING, by both
! Outgoing authentication request:
Se0 PAP: O AUTH-REQ id 4 len 18 from “RouterX”
! Incoming authentication request:
Se0 PAP: I AUTH-REQ id 1 len 18 from “RouterY”
! Authenticating incoming:
Se0 PAP: Authenticating peer RouterY
! Outgoing acknowledgement:
Se0 PAP: O AUTH-ACK id 1 len 5
! Incoming acknowledgement:
Se0 PAP: I AUTH-ACK id 4 len 5
To determine whether the router is performing CHAP or PAP authentication, look for the
following lines in the debug ppp authentication command output:
■ Look for CHAP in the AUTHENTICATING phase, as shown in this example:
*Mar 7 21:16:29.468: BR0:1 PPP: Phase is AUTHENTICATING, by this end
*Mar 7 21:16:29.468: BR0:1 CHAP: O CHALLENGE id 5 len 33 from “maui-soho-03”
■ Look for PAP in the AUTHENTICATING phase, as shown in this example:
*Mar 7 21:24:11.980: BR0:1 PPP: Phase is AUTHENTICATING, by both
*Mar 7 21:24:12.084: BR0:1 PAP: I AUTH-REQ id 1 len 23 from “maui-soho-01”
The most common output from the debug ppp negotiation command is described as
follows:
■ Timestamp: Millisecond timestamps are useful.
■ Interface and Interface number: This field is useful when debugging multiple
connections or when the connection transitions through several interfaces.
■ Type of PPP message: This field indicates whether the line is a general PPP, LCP,
CHAP, PAP, or IP Control Protocol (IPCP) message.
■ Direction of the message: An “I” indicates an incoming packet, and an “O” indicates
an outgoing packet. This field can be used to determine whether the message was
generated or received by the router.
■ Message: This field includes the particular transaction under negotiation.
■ ID: This field is used to match and coordinate request messages to the appropriate
response messages. You can use the ID field to associate a response with an incoming
message.
■ Length: The length field defines the length of the information field. This field is not
important for general troubleshooting.
The last four fields might not appear in all the PPP messages, depending on the purpose of
the message.
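To put the field breakdown above to work, here is an added Python parser (written for this page; not part of the original chapter and not a Cisco IOS tool) that splits each debug line into timestamp, interface, message type, direction, message, ID and length, reports whether authentication is one-way or two-way and whether CHAP or PAP is in use, and pairs requests with responses by ID. The sample lines are the chapter's Example 8-2 output; the regular expressions and function names are my own assumptions about the output format shown on this page.

```python
import re

# Optional leading timestamp: uptime form ("4d20h:") or datetime form ("*Mar 7 21:16:29.468:").
TS_RE = re.compile(r"^(?:\*?[A-Za-z]{3} +\d+ +\d\d:\d\d:\d\d\.\d+|\d+[dwhms]\d+[hms]):\s+")
# Interface, message type, and the remainder of the message.
BODY_RE = re.compile(r"^(?P<intf>\S+) (?P<proto>PPP|LCP|CHAP|PAP|IPCP): (?P<msg>.*)$")
# CHAP/PAP transaction lines: direction (I/O), message, id, len, optional "from" name.
AUTH_RE = re.compile(r'^(?P<dir>[IO]) (?P<name>[A-Z-]+) id (?P<id>\d+) len (?P<len>\d+)'
                     r'(?: from ["“](?P<peer>[^"”]+)["”])?$')
PHASE_RE = re.compile(r"^Phase is (?P<phase>[A-Z]+)(?:, by (?P<by>.+))?$")

# Lines of the chapter's Example 8-2 (debug ppp authentication), used as sample input.
SAMPLE_DEBUG = [
    "4d20h: %LINK-3-UPDOWN: Interface Serial0, changed state to up",
    "4d20h: Se0 PPP: Treating connection as a dedicated line",
    "4d20h: Se0 PPP: Phase is AUTHENTICATING, by both",
    "4d20h: Se0 CHAP: O CHALLENGE id 2 len 28 from “left”",
    "4d20h: Se0 CHAP: I CHALLENGE id 3 len 28 from “right”",
    "4d20h: Se0 CHAP: O RESPONSE id 3 len 28 from “left”",
    "4d20h: Se0 CHAP: I RESPONSE id 2 len 28 from “right”",
    "4d20h: Se0 CHAP: O SUCCESS id 2 len 4",
    "4d20h: Se0 CHAP: I SUCCESS id 3 len 4",
]

def parse_line(line):
    """Return a dict of the debug fields, or None for non-PPP lines (e.g. %LINK syslog)."""
    body = TS_RE.sub("", line.strip(), count=1)
    m = BODY_RE.match(body)
    if not m:
        return None
    rec = m.groupdict()
    a = AUTH_RE.match(rec["msg"])
    if a:  # transaction line: keep the ID so requests can be paired with responses
        rec.update(direction=a["dir"], name=a["name"], id=int(a["id"]),
                   length=int(a["len"]), peer=a["peer"])
    p = PHASE_RE.match(rec["msg"])
    if p:  # "Phase is AUTHENTICATING, by both" distinguishes one-way from two-way
        rec.update(phase=p["phase"], by=p["by"])
    return rec

def summarize(lines):
    """Authentication mode, protocols seen, and the per-ID transaction sequences."""
    recs = [r for r in map(parse_line, lines) if r]
    mode = next((r["by"] for r in recs if r.get("phase") == "AUTHENTICATING"), None)
    protocols = sorted({r["proto"] for r in recs if r["proto"] in ("CHAP", "PAP")})
    transactions = {}
    for r in recs:
        if "id" in r:
            key = (r["proto"], r["id"])
            transactions.setdefault(key, []).append(f'{r["direction"]} {r["name"]}')
    return {"mode": mode, "protocols": protocols, "transactions": transactions}

def chap_completed(summary):
    """True when every CHAP ID ran CHALLENGE -> RESPONSE -> SUCCESS (no FAILURE, nothing missing)."""
    chap = [seq for (proto, _), seq in summary["transactions"].items() if proto == "CHAP"]
    return bool(chap) and all([s.split()[1] for s in seq] == ["CHALLENGE", "RESPONSE", "SUCCESS"]
                              for seq in chap)
```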
Summary of Establishing a Point-to-Point WAN Connection with PPP
The following summarizes the key points that were discussed in the previous sections:
■ PPP is a common Layer 2 protocol for the WAN. Two components of PPP exist: LCP
negotiates the connection and NCP encapsulates traffic.
■ You can configure PPP to use PAP or CHAP. PAP sends everything in plain text. CHAP
uses an MD5 hash.
■ Common PPP verification commands include show interface to verify PPP
encapsulation and debug ppp negotiation to verify the LCP handshake.