Accessing the WAN Chapter 2 Modified by Tony Chen 07/20/2008

Transcription

1 PPP Accessing the WAN Chapter 2 Modified by Tony Chen 07/20/2008 ITE I Chapter Cisco Systems, Inc. All rights reserved. Cisco Public 1

2 Notes: If you see any mistake on my PowerPoint slides or if you have any questions about the materials, please feel free to me at Thanks! Tony Chen College of DuPage Cisco Networking Academy 2

3 Objectives In this chapter, you will learn to: Describe the fundamental concepts of point-to-point serial communication. Describe key PPP concepts. Configure PPP encapsulation. Explain and configure PAP and CHAP authentication. 3

4 How Does Serial Communication Work? Most PCs have both serial and parallel ports. Computers use of relatively short parallel connections between interior components, but use a serial bus to convert signals for most external communications. With a serial connection, information is sent across one wire, one data bit at a time. The 9-pin serial connector on most PCs uses two loops of wire, one in each direction, for data communication, plus additional wires to control the flow of information. A parallel connection sends the bits over more wires simultaneously. In the 25-pin parallel port on your PC, there are 8 data wires to carry 8 bits simultaneously. The parallel link theoretically transfers data eight times faster than a serial connection. In reality, it is often the case that serial links can be clocked considerably faster than parallel links, and they achieve a higher data rate Two factors that affect parallel communications: clock skew and crosstalk interference. 4

5 Parallel connection: Clock Skew & Interference In a parallel connection, it is wrong to assume that the 8 bits leaving the sender at the same time arrive at the receiver at the same time. Clock Skew Some of the bits get there later than others. This is known as clock skew. Overcoming clock skew is not trivial. The receiving end must synchronize itself with the transmitter and then wait until all the bits have arrived. The process of reading, waiting, waiting adds time to the transmission. This is not a factor with serial links, because most serial links do not need clocking. Interference Parallel wires are physically bundled in a parallel cable. The possibility of crosstalk across the wires requires more processing. Since serial cables have fewer wires, there is less crosstalk, and network devices transmit serial communications at higher, more efficient frequencies. 5

6 Serial Communication Standards In a serial communication process. Data is encapsulated by the sending router. The frame is sent on a physical medium to the WAN. There are various ways to traverse the WAN, The receiving router uses the same communications protocol to de-encapsulate the frame when it arrives. There are three key serial communication standards affecting LAN-to-WAN connections: RS Most serial ports on personal computers conform to the RS-232C standards. Both 9-pin and 25-pin connectors are used. It be used for device, including modems, mice, and printers. V.35 It is used for modem-to-multiplexer communication. V.35 is used by routers and DSUs that connect to T1 carriers. HSSI - A High-Speed Serial Interface (HSSI) supports transmission rates up to 52 Mb/s. HSSI is used to connect routers on LANs with WANs over highspeed lines such as T3 lines. 6

7 Serial Communication: RS-232 While this course does not examine the details of V.35 and HSSI pinning schemes, a quick look at a 9-pin RS-232 connector used to connect a PC to a modem helps illustrate the concept. Pin 1 - Data Carrier Detect (DCD) indicates that the carrier for the transmit data is ON. Pin 2 - The receive pin (RXD) carries data from the serial device to the computer. Pin 3 - The transmit pin (TxD) carries data from the computer to the serial device. Pin 4 - Data Terminal Ready (DTR) indicates to the modem that the computer is ready to transmit. Pin 5 - Ground Pin 6 - Data Set Ready (DSR) is similar to DTR. It indicates that the Dataset is ON. Pin 7 - The RTS pin requests clearance to send data to a modem Pin 8 - The serial device uses the Clear to Send (CTS) pin to acknowledge the RTS signal of the computer. In most situations, RTS and CTS are constantly ON throughout the communication session. Pin 9 - An auto answer modem uses the Ring Indicator (RI) to signal receipt of a telephone ring signal. 7

8 Time Division Multiplexing (TDM) Bell Laboratories invented TDM to maximize the amount of voice traffic carried over a medium. Compare TDM to a train with 32 railroad cars. Each car is owned by a different freight company, and every day the train leaves with the 32 cars attached. If the companies has cargo to send, the car is loaded. If the company has nothing to send, the car remains empty but stays on the train. Shipping empty containers is not very efficient. TDM shares this inefficiency when traffic is intermittent, because the time slot is still allocated even when the channel has no data to transmit. 8

9 Time Division Multiplexing (TDM) TDM divides the bandwidth of a single link into separate channels or time slots. TDM transmits two or more channels over the same link by allocating a different time interval (time slot) for the transmission of each channel. TDM is a physical layer concept. It has no regard of the information that is being multiplexed. The multiplexer (MUX) accepts input from attached devices in a round-robin fashion and transmits the data in a never-ending pattern. The MUX puts each segment into a single channel by inserting each segment into a timeslot. A MUX at the receiving end separate data streams based only on the timing of the arrival of each bit. A technique called bit interleaving keeps track of the sequence of the bits so that they can be efficiently reassembled into their original form upon receipt. 9

10 Statistical Time Division Multiplexing Statistical time-division multiplexing (STDM) was developed to overcome this inefficiency. STDM uses a variable time slot length allowing channels to compete for any free slot space. It employs a buffer memory that temporarily stores the data during periods of peak traffic. STDM does not waste high-speed line time with inactive channels using this scheme. STDM requires each transmission to carry identification information (a channel identifier). 10

11 TDM Examples - ISDN and SONET An example of a technology that uses synchronous TDM is ISDN. ISDN basic rate (BRI) has three channels consisting of two 64 kb/s B-channels (B1 and B2), and a 16 kb/s D- channel. The TDM has nine timeslots, which are repeated in the sequence shown in the figure. On a larger scale, the industry uses the SONET or SDH for optical transport of TDM data. SONET, used in North America, and SDH, used elsewhere, for synchronous TDM over fiber. SONET/SDH takes n bit streams, multiplexes them, and optically modulates the signal, sending it out using a light emitting device over fiber with a bit rate equal to (incoming bit rate) x n. Thus traffic arriving at the SONET multiplexer from four places at 2.5 Gb/s goes out as a single stream at 4 x 2.5 Gb/s, or 10 Gb/s. SDH - Synchronous Digital Hierarchy SONET - Synchronous optical networking 11

12 TDM Examples - T-Carrier Hierarchy DS0: The original unit used in multiplexing telephone calls is 64 kb/s, which represents one phone call. T1: In North America, 24 DS0 units are multiplexed using TDM into a higher bit-rate signal with an aggregate speed of Mb/s for transmission over T1 lines. While it is common to refer to a Mb/s transmission as a T1, it is more correct to refer to it as DS1. T-carrier refers to the bundling of DS0s. A T1 = 24 DSOs, A T1C = 48 DSOs (or 2 T1s), and so on. E1: Outside North America, 32 DS0 units are multiplexed for E1 transmission at Mb/s. 12

13 Demarcation Point The demarcation point marks the point where your network interfaces with the network owned by another organization. This is the interface between customer-premises equipment (CPE) and network service provider equipment. The demarcation point is the point in the network where the responsibility of the service provider ends. The example presents an ISDN scenario. In the United States, a service provider provides the local loop into the customer premises, The customer provides the active equipment such as the channel service unit/data service unit (CSU/DSU) on which the local loop is terminated. The customer is responsible for maintaining, replacing, or repairing the equipment. In other countries, the network terminating unit (NTU) is provided and managed by the service provider. The customer connects a CPE device, such as a router or frame relay access device, to the NTU using a V.35 or RS-232 serial interface. 13

14 DTE and DCE In order to be connecting to the WAN, a serial connection has a DTE device at one end of the connection and a DCE device at the other end. The DTE, which is generally a router. The DTE could also be a terminal, computer, printer, or fax machine. The DCE, commonly a modem or CSU/DSU, is the device used to convert the user data from the DTE into a form acceptable to the WAN service provider transmission link. This signal is received at the remote DCE, which decodes the signal back into a sequence of bits. The remote DCE then signals this sequence to the remote DTE. The connection between the two DCE devices is the WAN service provider transmission network. Cisco Internal T1 CSU/DSU WIC-1DSU-T1 14

15 DTE and DCE DTE and DCE Cable Standards Originally, the concept of DCEs and DTEs was based on two types of equipment: terminal equipment that generated or received data, and communication equipment that only relayed data. We are left with two different types of cables: one for connecting a DTE to a DCE, another for connecting two DTEs directly to each other. The DTE/DCE interface standard defines the following specifications: Mechanical/physical - Number of pins and connector type Electrical - Defines voltage levels for 0 and 1 Functional - Specifies the functions that are performed by assigning meanings to each of the signaling lines in the interface Procedural - Specifies the sequence for transmitting data The Serial Cables The original RS-232 standard only defined the connection of DTEs with DCEs, which were modems. A null modem is a communication method to directly connect two DTEs, such as a computer, terminal, or printer, using a RS-232 serial cable. With a null modem connection, the transmit (Tx) and receive (Rx) lines are crosslinked. 15

16 DTE and DCE The DB-60 Connector The cable for the DTE to DCE connection is a shielded serial cable. The router end of the serial cable may be a DB-60 connector. The other end of the serial transition cable is available with the connector appropriate for the standard that is to be used. The Smart Serial Connector To support higher port densities in a smaller form factor, Cisco has introduced a Smart Serial cable. The router interface end of the Smart Serial cable is a 26-pin connector that is significantly more compact than the DB-60 connector. The Router-to-Router When using a null modem, keep in mind that synchronous connections require a clock signal. When using a null modem cable in a router-torouter connection, one of the serial interfaces must be configured as the DCE end to provide the clock signal for the connection. 16

17 DTE and DCE: Parallel to Serial Conversion The terms DTE and DCE are relative with respect to what part of a network you are observing. RS-232C is the recommended standard (RS) describing the physical interface and protocol for relatively low-speed, serial data communication between computers and related devices. The DTE is the RS-232C interface that a computer uses to exchange data with a modem or other serial device. The DCE is the RS-232C interface that a modem or other serial device uses in exchanging data with the computer. Your PC also has a Universal Asynchronous Receiver/Transmitter (UART) chip on the motherboard. The UART is the DTE agent of your PC and communicates with the modem or other serial device, which, in accordance with the RS-232C standard, has a complementary interface called the DCE interface. The data in your PC flows along parallel circuits, the UART chip converts the groups of bits in parallel to a serial stream of bits. 17

18 WAN Encapsulation Protocols On WAN connection, data is encapsulated into frames before crossing the WAN link. The protocol depends on the WAN technology and communicating equipment: HDLC - The default encapsulation type on point-to-point connections, when the link uses two Cisco devices. PPP - Provides router-to-router and host-to-network connections over synchronous and asynchronous circuits. PPP works with several network protocols, such as IP and IPX. PPP also has built-in security mechanisms such as PAP and CHAP. Serial Line Internet Protocol (SLIP) - A standard protocol for point-to-point serial connections using TCP/IP. SLIP has been largely displaced by PPP. X.25/Link Access Procedure, Balanced (LAPB) - X.25 specifies LAPB, a data link layer protocol. X.25 is a predecessor to Frame Relay. Frame Relay - Frame Relay eliminates some of the timeconsuming processes (such as error correction and flow control) employed in X.25. ATM - The cell relay in which devices send multiple service types (voice, video, or data) in fixed-length (53-byte) cells. Fixed-length cells allow processing to occur in hardware, thereby reducing transit delays. With SLIP, you have to know the IP address assigned to you by your service provider. You also need to know the IP address of the remote system you will be dialing into. You may also need to configure such details as MTU (maximum transmission unit), MRU (maximum receive unit), etc. 18

19 HDLC Encapsulation HDLC is a bit-oriented synchronous data link layer protocol developed by the International Organization for Standardization (ISO). HDLC was developed from the Synchronous Data Link Control (SDLC) standard proposed in the 1970s. HDLC provides both connection-oriented and connectionless service. HDLC defines a Layer 2 framing structure that allows for flow control and error control through the use of acknowledgments. HDLC uses a frame delimiter, or flag, to mark the beginning and the end of each frame. Cisco has developed an extension to the HLDC protocol to solve the inability to provide multiprotocol support. Cisco HLDC (also referred to as chdlc) is proprietary Cisco HDLC frames contain a field for identifying the network protocol being encapsulated. 19

20 HLDC Frame Types Flag - The flag field initiates and terminates error checking. The frame always starts and ends with an 8-bit flag field. The bit pattern is Address - The address field contains the HDLC address of the secondary station. This address can contain a specific address, a group address, or a broadcast address. Control - HDLC defines three types of frames, each with a different control field format: Information (I) frame: I-frames carry upper layer information and some control information. Supervisory (S) frame: S-frames provide control information. Unnumbered (U) frame: U-frames support control purposes and are not sequenced. Protocol - (only in Cisco HDLC) It specifies the protocol type encapsulated within the frame (e.g. 0x0800 for IP). Data - The data field contains a path information unit (PIU) or exchange identification (XID) information. Frame check sequence (FCS) - The FCS precedes the ending flag delimiter and is usually a cyclic redundancy check (CRC) calculation remainder. 20

21 Configuring HDLC Encapsulation Cisco HDLC is the default encapsulation method used by Cisco devices on synchronous serial lines. You use Cisco HDLC as a point-to-point protocol on leased lines between two Cisco devices. If the default encapsulation method has been changed, use the encapsulation hdlc command in privileged mode to re-enable HDLC. If you are connecting to a non-cisco device, use synchronous PPP. There are two steps to enable HDLC encapsulation: Step 1. Enter the interface configuration mode of the serial interface. Step 2. Enter the encapsulation hdlc command to specify the encapsulation protocol on the interface. The output of the show interfaces serial command displays information specific to serial interfaces. When HDLC is configured, "Encapsulation HDLC" 21

22 Troubleshooting a serial interface Show ip int brief (sh ip int b) Router# show ip interface brief Interface IP-Address OK? Method Status Protocol Ethernet YES manual up up Serial YES manual administratively down down Serial x is down, line protocol is down Serial x is up, line protocol is down Serial x is up, line protocol is up (looped) Serial x is up, line protocol is down (disabled) Serial x is administratively down, line protocol is down 22

23 Troubleshooting a serial interface (cont.) Five possible problem states can be identified in the interface status line of the show interfaces serial display: Serial x is down, line protocol is down Serial x is up, line protocol is down Serial x is up, line protocol is up (looped) Serial x is up, line protocol is down (disabled) Serial x is administratively down, line protocol is down 23

24 Troubleshooting a serial interface (cont.) Five possible problem states can be identified in the interface status line of the show interfaces serial display: Serial x is down, line protocol is down Serial x is up, line protocol is down Serial x is up, line protocol is up (looped) Serial x is up, line protocol is down (disabled) Serial x is administratively down, line protocol is down 24

25 Troubleshooting a Serial Interface The show controllers command is another important diagnostic tool when troubleshooting serial lines. In the figure, serial interface 0/0 has a V.35 DCE cable attached. show controllers serial command. If the electrical interface output is shown as UNKNOWN instead of V.35, EIA/TIA-449, or some other electrical interface type, the likely problem is an improperly connected cable. If the electrical interface is unknown, the corresponding display for the show interfaces serial <x> command shows that the interface and line protocol are down. 25

26 Troubleshooting a Serial Interface: Activity 26

27 Troubleshooting a Serial Interface: Activity 27

28 What is PPP? Recall that HDLC is the default serial encapsulation method when you connect two Cisco routers. Cisco HDLC can only work with other Cisco devices. However, when you need to connect to a non-cisco router, you should use PPP encapsulation. PPP includes many features not available in HDLC: The link quality management feature monitors the quality of the link. If too many errors are detected, PPP takes the link down. PPP supports PAP and CHAP authentication. PPP contains three main components: HDLC protocol for encapsulating datagrams over point-to-point links. Extensible Link Control Protocol (LCP) to establish, configure, and test the data link connection. Family of Network Control Protocols (NCPs) for establishing and configuring different network layer protocols. PPP allows the simultaneous use of multiple network layer protocols. Some of the more common NCPs are Internet Protocol Control Protocol, Appletalk Control Protocol, Novell IPX Control Protocol, Cisco Systems Control Protocol, SNA Control Protocol, and Compression Control Protocol. 28

29 PPP Layered Architecture PPP and OSI share the same physical layer, but PPP distributes the functions of LCP and NCP differently. At the physical layer, you can configure PPP on: Asynchronous serial Synchronous serial HSSI ISDN PPP does not impose any restrictions regarding transmission rate other than those imposed by the particular DTE/DCE interface in use. Most of the work done by PPP is at the data link and network layers by the LCP and NCPs. The LCP sets up the PPP connection and its parameters The NCPs handle higher layer protocol configurations, and the LCP terminates the PPP connection. 29

30 PPP Architecture - Link Control Protocol Layer The LCP sits on top of the physical layer and has a role in establishing, configuring, and testing the datalink connection. The LCP establishes the point-to-point link. The LCP also negotiates and sets up control options on the WAN data link, which are handled by the NCPs. The LCP provides automatic configuration of the interfaces at each end, including: Handling varying limits on packet size Detecting common misconfiguration errors Terminating the link Determining when a link is functioning properly or when it is failing PPP also uses the LCP to agree automatically on encapsulation formats (authentication, compression, error detection) as soon as the link is established. 30

31 PPP Architecture - Network Control Protocol Layer PPP permits multiple network layer protocols to operate on the same communications link. For every network layer protocol used, PPP uses a separate NCP. For example, IP uses the IP Control Protocol (IPCP), IPX uses the Novell IPX Control Protocol (IPXCP). NCPs include functional fields containing standardized codes (PPP protocol field numbers shown in the figure) to indicate the network layer protocol that PPP encapsulates. Each NCP manages the specific needs required by its respective network layer protocols. The various NCP components encapsulate and negotiate options for multiple network layer protocols. 31

32 PPP Frame Structure A PPP frame has six fields as shown in the figure. The LCP can negotiate modifications to the standard PPP frame structure. 32

33 Establishing a PPP Session The three phases of establishing a PPP session: Phase 1: Link establishment and configuration negotiation The LCP must first open the connection and negotiate configuration options. Phase 2: Link quality determination (optional) The LCP tests the link to determine whether the link quality is sufficient to bring up network layer protocols. Phase 3: Network layer protocol configuration negotiation After the LCP has finished the link quality determination phase, the appropriate NCP can separately configure the network layer protocols, and bring them up and take them down at any time. The link remains configured for communications until explicit LCP or NCP frames close the link, or until some external event occurs. This happen because of the loss of the carrier, authentication failure, link quality failure, the expiration of idle-period timer, or administrative closing the link. 33

34 Establishing a Link with LCP LCP operation uses three classes of LCP frames to accomplish the work of each of the LCP phases: Link-establishment frames establish and configure a link (Configure-Request, Configure-Ack, Configure-Nak, and Configure-Reject) During link establishment, the LCP opens the connection and negotiates the configuration parameters. The Configure-Request frame includes a variable number of configuration options needed to set up on the link. Link-maintenance frames manage and debug a link (Code-Reject, Protocol-Reject, Echo-Request, Echo- Reply, and Discard-Request) Echo-Request, Echo-Reply, and Discard-Request - These frames can be used for testing the link. Link-termination frames terminate a link (Terminate- Request and Terminate-Ack) The link remains open until the LCP terminates it. If the LCP terminates the link before the NCP, the NCP session is also terminated. The device initiating the shutdown sends a Terminate- Request message. The other device replies with a Terminate-Ack. 34

35 LCP Packet Each LCP packet is a single LCP message consisting of Code field identifying the type of LCP packet, The code field of the LCP packet identifies the packet type according to the table. Identifier field so that requests and replies can be matched, Length field indicating the size of the LCP packet Data: Packet type-specific data. 35

36 PPP Configuration Options PPP can be configured to support: Authentication using either PAP or CHAP Compression using either Stacker or Predictor Multilink which combines two or more channels to increase the WAN bandwidth To negotiate the use of these PPP options, the LCP link-establishment frames contain Option information in the Data field of the LCP frame. This phase is complete when a configuration acknowledgment frame has been sent and received. 36

37 NCP Process After the LCP has configured and authenticated the basic link, the appropriate NCP of the network layer protocol being used. There are NCPs for IP, IPX, AppleTalk, and others. IPCP Example After LCP has established the link, the routers exchange IPCP messages, negotiating options specific to the protocol. IPCP negotiates two options: Compression - Allows devices to negotiate an algorithm to compress TCP and IP headers and save bandwidth. IP-Address - Allows the initiating device to specify an IP address to use for routing IP over the PPP link, or to request an IP address for the responder. Dialup network links commonly use the IP address option. When the NCP process is complete, the link goes into the open state and LCP takes over again. 37

38 NCP Explained: Activity 38

39 PPP Configuration Options PPP may include the following LCP options: Authentication - Peer exchange authentication messages. Two choices are Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP). Compression - Increases the effective throughput on PPP connections by reducing the amount of data in the frame that must travel across the link. Two compression are Stacker and Predictor. Error detection - Identifies fault conditions. The Quality and Magic Number options help ensure a reliable, loop-free data link. Multilink - Cisco IOS Release 11.1 and later supports multilink PPP. This alternative provides load balancing over the router interfaces that PPP uses. PPP Callback - To enhance security, Cisco IOS Release 11.1 and later offers callback over PPP. The client makes the initial call, requests that the server call it back, and terminates its initial call. 39

40 PPP Configuration Commands Example 1: Enabling PPP on an Interface To set PPP as the encapsulation method used by a serial or ISDN interface, use the encapsulation ppp interface configuration command. R3#configure terminal R3(config)#interface serial 0/0 R3(config-if)#encapsulation ppp You must first configure the router with an IP routing protocol to use PPP encapsulation. If you do not configure PPP on a Cisco router, the default encapsulation for serial interfaces is HLDC. Example 2: Compression You can configure point-to-point compression on serial interfaces after you have enabled PPP. Because this option invokes a software compression process, it can affect system performance. If the traffic already consists of compressed files (.zip,.tar, or.mpeg, for example), do not use this option. R3(config)#interface serial 0/0 R3(config-if)#encapsulation ppp R3(config-if)#compress [predictor stac] Why? 40

41 PPP Configuration Commands Example 3: Link Quality Monitoring LCP provides an optional link quality determination phase. If the link quality percentage is not maintained, the link is deemed to be of poor quality and is taken down. This example configuration monitors the data dropped on the link and avoids frame looping: R3(config)#interface serial 0/0 R3(config-if)#encapsulation ppp R3(config-if)#ppp quality 80 Example 4: Load Balancing Across Links Multilink PPP (also referred to as MP, MPPP, MLP, or Multilink) provides a method for spreading traffic across multiple physical WAN links while providing packet fragmentation and reassembly, proper sequencing, multivendor interoperability, and load balancing on inbound and outbound traffic. Router(config)#interface serial 0/0 Router(config-if)#encapsulation ppp Router(config-if)#ppp multilink 41

42 Verified a Serial PPP Encapsulation Configuration Use the show interfaces serial command to verify proper configuration of HDLC or PPP encapsulation. When you configure HDLC, the output of the show interfaces serial command should show "encapsulation HDLC". When you configure PPP, you can check its LCP and NCP states. 42

43 Troubleshooting the Serial Encapsulation Configuration Debug displays information about various router operations and the related traffic generated or received by the router, as well as any error messages. It is a very useful and informative tool, but you must always remember that Cisco IOS treats debug as a high priority task. It can consume a significant amount of resources, and the router is forced to processswitch the packets being debugged. Debug must not be used as a monitoring tool-it is meant to be used for a short period of time for troubleshooting. Use the debug ppp command to display information about the operation of PPP. 43

44 Output of the debug ppp packet Command A good command to use when troubleshooting serial interface encapsulation is debug ppp packet. The example in the figure is output from the debug ppp packet command as seen from the Link Quality Monitor (LQM) side of the connection. This display example depicts packet exchanges under normal PPP operation. Look at each line in the output and match it to the meaning of the field. PPP - PPP debugging output. Serial2 - Interface number associated with this debugging information. (o), O - The detected packet is an output packet. (i), I - The detected packet is an input packet. lcp_slqr() - Procedure name; running LQM, send a Link Quality Report (LQR). lcp_rlqr() - Procedure name; running LQM, received an LQR. input (C021) - Router received a packet of the specified packet type (in hexadecimal). A value of C025 indicates packet of type LQM. state = OPEN - PPP state; normal state is OPEN. magic = D21B4 - Magic Number for indicated node; when output is indicated, this is the Magic Number of the node on which debugging is enabled. The actual Magic Number depends on whether the packet detected is indicated as I or O. 44

45 Output of the debug ppp negotiation Command The figure shows the output of the debug ppp negotiation command in a normal negotiation, where both sides agree on network control program (NCP) parameters. In this case, protocol type IP is proposed and acknowledged. The first two lines indicate that the router is trying to bring up the LCP and will use the indicated negotiation options (Quality Protocol and Magic Number). The value fields are the values of the options themselves. C025/3E8 translates to Quality Protocol LQM. 3E8 is the reporting period (in hundredths of a second). 3D56CAC is the value of the Magic Number for the router. ppp: sending CONFREQ, type = 4 (CI_QUALITYTYPE), value = C025/3E8 ppp: sending CONFREQ, type = 5 (CI_MAGICNUMBER), value = 3D56CAC The next two lines indicate that the other side negotiated for options 4 and 5 and that it requested and acknowledged both. If the responding end does not support the options, the responding node sends a CONFREJ. If the responding end does not accept the value of the option, it sends a CONFNAK with the value field modified. ppp: received config for type = 4 (QUALITYTYPE) acked ppp: received config for type = 5 (MAGICNUMBER) value = 3D567F8 acked (ok) 45

46 Output of the debug ppp error Command You can use the debug ppp error command to display protocol errors and error statistics associated with PPP connection negotiation and operation. These messages might appear when the Quality Protocol option is enabled on an interface that is already running PPP. Look at each line in the output and match it to the meaning of the field. PPP - PPP debugging output. Serial3(i) - Interface number associated with this debugging information; indicates that this is an input packet. rlqr receive failure - Receiver does not accept the request to negotiate the Quality Protocol option. myrcvdiffp = Number of packets received over the time period specified. peerxmitdiffp = Number of packets sent by the remote node over this period. myrcvdiffo = Number of octets received over this period. peerxmitdiffo = Number of octets sent by the remote node over this period. threshold = 25 - Maximum error percentage acceptable on this interface. You calculate this percentage using the threshold value entered in the ppp quality percentage interface configuration command. A value of 100 minus number is the maximum error percentage. In this case, a number of 75 was entered. This means that the local router must maintain a minimum 75 percent non-error percentage, or the PPP link closes down. 46

47 PPP Authentication Protocols PPP defines an extensible LCP that allows negotiation of an authentication protocol for authenticating its peer before allowing network layer protocols to transmit over the link. PAP is a very basic two-way process. There is no encryption-the username and password are sent in plain text. If it is accepted, the connection is allowed. CHAP is more secure than PAP. It involves a threeway exchange of a shared secret. The authentication phase of a PPP session is optional. If used, you can authenticate the peer after the LCP establishes the link. If it is used, authentication takes place before the network layer protocol configuration phase begins. The authentication options require that the calling side of the link enter authentication information. This helps to ensure that the user has the permission of the network administrator to make the call. 47

48 Password Authentication Protocol (PAP) PPP can performs Layer 2 authentication in addition to other layers of authentication PAP provides method for a remote node to establish its identity using a two-way handshake. the ppp authentication pap command is used, the remote node repeatedly sends a usernamepassword pair across the link until the sending node acknowledges it or terminates the connection. Using PAP, you send passwords across the link in clear text and there is no protection from playback or repeated trial-and-error attacks. There are times when using PAP is justified. Client applications that do not support CHAP Incompatibilities between different vendor implementations of CHAP Situations where a plaintext password must be available to simulate a login at the remote host 48

49 Challenge Handshake Authentication Protocol (CHAP) Once authentication is established with PAP, it essentially stops working. This leaves the network vulnerable to attack. CHAP conducts periodic challenges to make sure that the remote node still has a valid password value. The password value is variable and changes unpredictably while the link exists. After the PPP link establishment phase is complete, The router sends a challenge to the remote node. The remote node responds with a value calculated using a one-way hash function using MD5. The local router checks the response against its own calculation of the expected hash value. If the values match, the initiating node acknowledges the authentication. Otherwise, it immediately terminates the connection. Because the challenge is unique and random, the resulting hash value is also unique and random. 49

50 PPP Encapsulation and Authentication Process You can use a flowchart to help understand the PPP authentication process when configuring PPP. If an incoming PPP request requires no authentication, then PPP progresses to the next level. If an incoming PPP request requires authentication, then it can be authenticated using either the local database or a security server. Successful authentication progresses to the next level, An authentication failure will disconnect and drop the incoming PPP request. 50

51 PPP Encapsulation and Authentication Process Router R1 wishes to establish an PPP CHAP connection with Router R2. Step 1. R1 negotiates the link connection using LCP with router R2 and the two systems agree to use CHAP authentication during the PPP LCP negotiation. Step 2. Router R2 generates an ID and a random number and its username as a CHAP challenge packet to R1. Step 3. R1 will use the username of the challenger (R2) and cross reference it with its local database to find its associated password. R1 will then generate a unique MD5 hash number using the R2's username, ID, random number and the shared secret password. Step 4. Router R1 then sends the challenge ID, the hashed value, and its username (R1) to R2. 51

52 PPP Encapsulation and Authentication Process Step 5. R2 generates it own hash value using the ID, the shared secret password, and the random number it originally sent to R1. Step 6. R2 compares its hash value with the hash value sent by R1. If the values are the same, R2 sends a link established response to R1. If the authentication failed, a CHAP failure packet is built from the following components: 04 = CHAP failure message type id = copied from the response packet "Authentication failure" or some such text message, which is meant to be a userreadable explanation Note that the shared secret password must be identical on R1 and R2. 52

53 The ppp authentication Command To specify the order in which the CHAP or PAP protocols are requested on the interface, use the ppp authentication interface command. You may enable PAP or CHAP or both. After you have enabled CHAP or PAP authentication, or both, the local router requires the remote device to prove its identity before allowing data traffic to flow. If both methods are enabled, the first method specified is requested during link negotiation. If the peer suggests using the second method or simply refuses the first method, the second method is tried. 53

54 Configuring PPP with Authentication The procedure outlined in the table describes how to configure PPP encapsulation and PAP/CHAP authentication protocols. 54

55 Configuring PPP with Authentication PAP CHAP The figure is an example of a two-way PAP authentication configuration. Both routers authenticate and are authenticated, so the PAP authentication commands mirror each other. [Tony]: The term two-way used here is not the same term used in two-way handshake. This two-way here means R1 challenge R3 and R3 also challenge R1. The PAP username and password that each router sends must match those specified with the username name password password command of the other router. CHAP periodically verifies the identity of the remote node using a three-way handshake. The hostname on one router must match the username the other router has configured. The passwords must also match. This occurs on initial link establishment and can be repeated any time after the link has been established. The router name and password are exactly the same, because they are case-sensitive 55

56 Troubleshooting the serial encapsulation configuration The debug ppp authentication command displays the authentication exchange sequence. Figure illustrates the Left router output during CHAP authentication with the router on the right when debug ppp authentication is enabled. With two-way authentication configured, each router authenticates the other. Messages appear for both the authenticating process and the process of being authenticated. Use the debug ppp authentication command to display the exchange sequence as it occurs. Figure highlights router output for a twoway PAP authentication. The debug ppp command is used to display information about the operation of PPP. The no form of this command disables debugging output. Router#debug ppp {authentication packet negotiation error chap} Router#no debug ppp {authentication packet negotiation error chap} 56

57 One-Way and Two-Way Authentication CHAP is defined as a one-way authentication method. However, you use CHAP in both directions to create a two-way authentication. Hence, with two-way CHAP, a separate three-way handshake is initiated by each side. In the Cisco CHAP implementation, by default, the called party must authenticate the calling party (unless authentication is completely turned off). Therefore, a one-way authentication initiated by the called party is the minimum possible authentication. However, the calling party can also verify the identity of the called party, and this results in a two-way authentication. One-way authentication is often required when you connect to non- Cisco devices. For one-way authentication, configure the ppp authentication chap callin command on the calling router. 57

58 One-Way and Two-Way Authentication If you want to operate with non-cisco routers that do not support authentication by the calling router or device, you must use the ppp authentication chap callin command. When using the ppp authentication command with the callin keyword. the username and password that is allocated by the ISP may not be the remote router's hostname. In such a situation, the ppp chap hostname command is used to specify an alternate username that will be used for authentication. 58

59 One-Way and Two-Way Authentication 59

60 debug ppp negotiation Debug ppp negotiation includes: LCP (Mandatory Phase) Authentication (Optional Phase) (debug ppp authentication) NCP (Mandatory Phase) 60

61 Troubleshooting a PPP Configuration with Authentication Authentication is a feature that needs to be implemented correctly or the security of your serial connection may be compromised. Never assume your authentication configuration works without testing it. Debugging allows you to confirm your configuration and correct any deficiencies. The command is debug ppp authentication. Line 1 says that the router is unable to authenticate on interface Serial0 because the peer did not send a name. Line 2 says the router was unable to validate the CHAP response because USERNAME 'pioneer' was not found. Line 3 says no password was found for 'pioneer'. In the last line, the code = 4 means a failure has occurred. Other code values are as follows: 1 = Challenge 2 = Response 3 = Success 4 = Failure id = 3 is the ID number per LCP packet format. len = 48 is the packet length without the header. 61

62 Chapter Summary In this chapter, you have learned to: Describe the fundamental concepts of point-topoint serial Tony Chen COD communication. Cisco Networking Academy Describe key PPP concepts. Configure PPP encapsulation. Explain and configure PAP and CHAP authentication. 62