2.1 Configure and verify PPP

2.1.a Authentication (PAP, CHAP)

The Point-to-Point Protocol (PPP) was conceived to take data and put it into a format that would work over serial lines. It is very generic: because PPP encapsulates the data, it allows the transmission of many routed protocols (TCP/IP, AppleTalk, IPX/SPX, etc.) and can carry them over many different types of media. The most common implementation of PPP today is on DSL in the form of PPPoE (PPP over Ethernet), which means it is used in nearly every broadband connection and therefore in the majority of residential connections to the internet (at least in the UK). PPP is used there because it allows an authentication mechanism to be introduced, providing additional security so that only the intended customer can connect. Another feature of PPP is multilink, which allows you to bond multiple connections and present them as a single link, in a way similar to EtherChannel.

IPCP (Internet Protocol Control Protocol): the PPP control protocol that negotiates the IP-layer parameters of the link (such as the peer's IP address) once the link itself is up.

PAP (Password Authentication Protocol): a plain-text password authentication, which is why it is not really used any more.

CHAP (Challenge Handshake Authentication Protocol): unlike PAP, the password itself never crosses the link. The peer hashes a challenge together with the shared secret and the other side compares the result against its own computation, which makes CHAP inherently more secure than PAP, where the password is sent in clear text to the other side.

Configuring PAP/CHAP in a Cisco Deployment

The configuration of PAP and CHAP is essentially the same for both protocols. If you are able to configure CHAP for a connection then it is strongly recommended that you do so; the only reason for employing PAP instead of CHAP is on devices where CHAP is not supported (which is a very unlikely scenario).

When configuring PAP/CHAP you have to remember that the configuration is mirrored. By default, PPP uses the hostname of the device as the username to authenticate with the other device. This means that the router at the other end of the connection needs a username configured that matches the hostname of this router. Create it with the basic username command:

username <name> secret <secret>

This account only needs the lowest level of privilege, so do not assign it any privileges: it is used only to authenticate the connection between the devices and should not provide any system access. Whilst the usernames will be different on the two routers, the secret must be the same on both sides of the connection. This is because verification is done by comparing password hashes: if the two secrets do not match, the two sides compute different hashes and authentication fails.

Once the usernames are configured, configure the PPP connection to use PAP or CHAP as its authentication protocol with the following command in interface configuration mode:

ppp authentication {chap | pap}

You can also override the default of using the hostname as the username for the connection, and it can be a good idea to do so. For example, if someone were to change the hostname of the router, that would break the PPP connection between the local and remote routers: the username is taken from the hostname, so changing the hostname changes the username for the connection. The link would then stay down until someone could investigate and fix the issue. To avoid problems like this you can override the username and password for the PPP connection with the following commands:

ppp chap hostname <name>

ppp chap password <secret>

If you are having issues with the configuration of CHAP you can use the debug command debug ppp authentication.
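The following Python model is an added example, not part of the original notes or of any Cisco code. It walks through the CHAP exchange the sections above describe (RFC 1994 with MD5: Response = MD5(Identifier || secret || Challenge)) between two simulated routers, each holding a "username <name> secret <secret>" database and optional "ppp chap hostname" / "ppp chap password" overrides. It then replays the three situations the notes mention: a correctly mirrored configuration, secrets that do not match, and a router whose hostname was changed, with and without the CHAP name pinned. Router names, secrets and the order in which a responder picks its secret (local database first, then the ppp chap password fallback) are constructed assumptions for illustration.

```python
"""CHAP over a mirrored PPP configuration (added example; not from the notes).

Models the RFC 1994 exchange with MD5: the authenticator sends a Challenge,
the peer answers with MD5(Identifier || secret || Challenge) plus its name,
and the authenticator recomputes the hash from the secret it holds for that
name. Router names and secrets below are constructed for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def chap_hash(ident: int, secret: str, value: bytes) -> bytes:
    # RFC 1994 section 4.1: MD5 over Identifier, shared secret, Challenge value.
    return hashlib.md5(bytes([ident & 0xFF]) + secret.encode() + value).digest()


@dataclass
class Router:
    hostname: str
    # Local database from "username <name> secret <secret>": peer name -> secret.
    users: Dict[str, str] = field(default_factory=dict)
    # "ppp chap hostname <name>": name sent to the peer instead of the hostname.
    chap_hostname: Optional[str] = None
    # "ppp chap password <secret>": modelled here as the fallback secret used when
    # the challenger's name is not in the local database (assumption).
    chap_password: Optional[str] = None

    def name(self) -> str:
        return self.chap_hostname or self.hostname

    def challenge(self, ident: int) -> Tuple[int, bytes, str]:
        """Authenticator: Identifier, random challenge value, own name."""
        return ident, os.urandom(16), self.name()

    def respond(self, ident: int, value: bytes, challenger: str) -> Optional[Tuple[int, bytes, str]]:
        """Peer: pick the secret for this challenger and hash it with the challenge."""
        secret = self.users.get(challenger) or self.chap_password
        if secret is None:
            return None  # no credentials for this challenger: CHAP fails
        return ident, chap_hash(ident, secret, value), self.name()

    def verify(self, ident: int, digest: bytes, peer: str, value: bytes) -> bool:
        """Authenticator: recompute the hash with the secret stored for the peer's name."""
        secret = self.users.get(peer)
        if secret is None:
            return False  # peer's name is not in our username database
        return hmac.compare_digest(digest, chap_hash(ident, secret, value))


def chap_authenticate(authenticator: Router, peer: Router, ident: int = 1) -> bool:
    """Run one CHAP exchange; True when the authenticator accepts the peer."""
    ident, value, auth_name = authenticator.challenge(ident)
    response = peer.respond(ident, value, auth_name)
    if response is None:
        return False
    resp_ident, digest, peer_name = response
    return resp_ident == ident and authenticator.verify(ident, digest, peer_name, value)


def demo() -> Dict[str, bool]:
    """Scenarios from the notes: mirrored config, mismatched secret, renamed host."""
    r1 = Router("R1", users={"R2": "s3cret"})
    r2 = Router("R2", users={"R1": "s3cret"})
    results = {
        # Each side holds a username equal to the other side's hostname, same secret.
        "mirrored_r1_authenticates_r2": chap_authenticate(r1, r2),
        "mirrored_r2_authenticates_r1": chap_authenticate(r2, r1),
    }
    # Same usernames, but the secrets differ: the two hashes cannot match.
    r2_bad = Router("R2", users={"R1": "0ther"})
    results["secret_mismatch"] = chap_authenticate(r1, r2_bad)
    # Someone renames R2: R1 has no "username R2-core" entry, so the link drops...
    r2_renamed = Router("R2-core", users={"R1": "s3cret"})
    results["hostname_changed"] = chap_authenticate(r1, r2_renamed)
    # ...unless the CHAP name was pinned with "ppp chap hostname R2".
    r2_pinned = Router("R2-core", users={"R1": "s3cret"}, chap_hostname="R2")
    results["hostname_pinned"] = chap_authenticate(r1, r2_pinned)
    return results


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario}: {'authenticated' if ok else 'FAILED'}")
```

Because the challenge is fresh random data each time, a captured response is useless against a later challenge; that, and the fact that only a hash of the secret crosses the link, is the whole difference between CHAP and PAP.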

2.1.b PPPoE (client-side only)

As mentioned in the introduction to this section, PPPoE is most ubiquitously employed in the connections between residential routers and ISPs' (Internet Service Providers') DSLAMs (Digital Subscriber Line Access Multiplexers). This is because it provides a means of authenticating the connection. The ISP provides Ethernet connections; if they did not safeguard the connection, it would be possible for devices such as hubs to be placed in the path of the connection, which could allow people to steal access to the internet. Although the most common modern implementation of this technology is for high-speed broadband lines, a lot of older terms are still used. This is because PPP was designed at a time when dial-up connections were prevalent, so there are many references to dialers and the like which are not in common usage nowadays. For the exam, the only requirement is to understand the client side of the connection. In labs, however, it would be tricky to configure just the client side of a connection without having anything to connect to, so the server side is covered below as well.

Client-side Configuration

In the interface configuration for the interface that will be connecting via PPPoE:

router(config-if)# pppoe-client dial-pool-number <1>

router(config-if)# pppoe enable

Then create the dialer:

router(config)# interface dialer <1>

router(config-if)# mtu 1492 (PPPoE adds 8 bytes of header overhead, so the MTU needs to be adjusted accordingly)

router(config-if)# encapsulation ppp

router(config-if)# ip address negotiated

router(config-if)# dialer pool <1>

router(config-if)# dialer-group <1>

If this connection requires authentication then it must be configured on the dialer rather than on the physical interface; otherwise this is the same as for a regular PPP connection:

router(config-if)# ppp authentication chap

router(config-if)# ppp chap hostname <name>

router(config-if)# ppp chap password <password|secret>

Once the dialer-group is configured there are a couple of extra things to do. The dialer-group makes the dialer available for use and also attaches a dialer list to it (in much the same way as ip access-group attaches an access list to a regular interface), which means you can filter what traffic is allowed to pass through this connection. To create this list you need the following:

router(config)# dialer-list 1 protocol ip permit

This will allow all IP traffic to go through this connection.

If, as is most likely the case, this is the route out to the internet, you will also have to configure a route for this traffic to exit the router via the dialer:

router(config)# ip route 0.0.0.0 0.0.0.0 dialer <1>

Bear in mind that for this configuration to work for a broadband connection you would also need some other configurations such as NAT.
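To make the "mtu 1492" line above concrete, here is an added Python example (not from the notes and not Cisco code) that builds and parses the framing PPPoE puts in front of every PPP packet on the link: the 6-byte PPPoE session header from RFC 2516 (version/type, code, session id, length) followed by the 2-byte PPP protocol field. Those two pieces are the 8 bytes of overhead, so a 1492-byte PPP payload fills the 1500-byte Ethernet payload exactly and anything larger is rejected. The session id and payload bytes are constructed sample values.

```python
"""PPPoE session-stage framing and the 1492-byte MTU (added example, not from the notes).

Builds and parses the 6-byte PPPoE header (RFC 2516) plus the 2-byte PPP
protocol field that precede every packet on a PPPoE link. Together they are
the 8 bytes of overhead behind "mtu 1492". Sample payloads and the session id
below are constructed for illustration.
"""
import struct

ETH_MTU = 1500        # Ethernet payload limit on the access network
PPPOE_HDR_LEN = 6     # ver/type (1), code (1), session id (2), length (2)
PPP_PROTO_LEN = 2     # PPP protocol field, e.g. 0x0021 for IPv4
PPPOE_MTU = ETH_MTU - PPPOE_HDR_LEN - PPP_PROTO_LEN   # 1492

PPPOE_VERTYPE = 0x11  # version 1, type 1
PPPOE_CODE_SESSION = 0x00

# PPP protocol numbers for the control protocols the notes mention.
PPP_IPV4 = 0x0021
PPP_LCP = 0xC021
PPP_PAP = 0xC023
PPP_CHAP = 0xC223
PPP_IPCP = 0x8021


def build_session_frame(session_id: int, ppp_protocol: int, payload: bytes) -> bytes:
    """Return the Ethernet payload of a PPPoE session-stage frame (EtherType 0x8864)."""
    if len(payload) > PPPOE_MTU:
        raise ValueError(f"PPP payload of {len(payload)} bytes exceeds PPPoE MTU {PPPOE_MTU}")
    # The PPPoE length field counts the PPP protocol field plus the PPP payload.
    length = PPP_PROTO_LEN + len(payload)
    header = struct.pack("!BBHH", PPPOE_VERTYPE, PPPOE_CODE_SESSION, session_id, length)
    return header + struct.pack("!H", ppp_protocol) + payload


def parse_session_frame(frame: bytes) -> dict:
    """Validate a PPPoE session frame and split it into header fields and PPP payload."""
    if len(frame) < PPPOE_HDR_LEN + PPP_PROTO_LEN:
        raise ValueError("frame shorter than PPPoE header plus PPP protocol field")
    if len(frame) > ETH_MTU:
        raise ValueError("frame exceeds the Ethernet MTU and would be dropped on the path")
    vertype, code, session_id, length = struct.unpack("!BBHH", frame[:PPPOE_HDR_LEN])
    if vertype != PPPOE_VERTYPE or code != PPPOE_CODE_SESSION:
        raise ValueError(f"not a PPPoE v1 session frame (ver/type=0x{vertype:02x}, code=0x{code:02x})")
    body = frame[PPPOE_HDR_LEN:PPPOE_HDR_LEN + length]
    if len(body) != length or length < PPP_PROTO_LEN:
        raise ValueError("PPPoE length field does not match the frame")
    (ppp_protocol,) = struct.unpack("!H", body[:PPP_PROTO_LEN])
    return {"session_id": session_id, "ppp_protocol": ppp_protocol, "payload": body[PPP_PROTO_LEN:]}


def demo() -> dict:
    """Show why 1492 is the largest PPP payload that still fits a 1500-byte Ethernet payload."""
    payload = b"\x45" + b"\x00" * (PPPOE_MTU - 1)   # constructed 1492-byte IPv4 stand-in
    frame = build_session_frame(0x0001, PPP_IPV4, payload)
    parsed = parse_session_frame(frame)
    try:
        build_session_frame(0x0001, PPP_IPV4, payload + b"\x00")  # 1493 bytes: one too many
        oversize_rejected = False
    except ValueError:
        oversize_rejected = True
    return {
        "pppoe_mtu": PPPOE_MTU,
        "frame_len": len(frame),
        "overhead": len(frame) - len(payload),
        "round_trip": parsed["payload"] == payload,
        "session_id": parsed["session_id"],
        "protocol_is_ipv4": parsed["ppp_protocol"] == PPP_IPV4,
        "oversize_rejected": oversize_rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same arithmetic is why the server side below also sets mtu 1492 on its virtual-template: both ends must agree, or the larger packets of a session silently fail to pass while small ones (such as the CHAP exchange) work fine.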

Server-side Configuration

router(config)# bba-group pppoe global

bba-group = BroadBand Access Group. The server-side PPPoE settings are held in a bba-group; "global" is the default group name.

router(config-bba-group)# virtual-template <1>

On a PPPoE server a number of Virtual-Access interfaces are created, one per client session. As these will mostly share the same configuration, a virtual-template is used so that all of these Virtual-Access interfaces are created alike.

router(config)# interface virtual-template <1>

router(config-if)# ip address <10.10.10.1> <255.255.255.0>

router(config-if)# mtu 1492

router(config-if)# peer default ip address pool <pool-name>

The pool that clients are assigned their addresses from is defined globally:

router(config)# ip local pool <pool-name> <first-address> <last-address>

If authentication is enabled/required, it is configured on the virtual-template, in the same way as the client configures it on its dialer:

router(config-if)# ppp authentication chap

router(config-if)# ppp chap hostname <name>

router(config-if)# ppp chap password <password|secret>

The server also needs a username entry for each client it will authenticate, as described for regular PPP above (username <client-name> secret <secret>).

Finally, enable PPPoE on the physical interface facing the clients and tie it to the bba-group:

router(config)# interface <physical-interface>

router(config-if)# pppoe enable group global

(pppoe enable on its own uses the global group, so for this configuration the two forms are equivalent.)

2.2 Explain Frame Relay

2.2.a Operations

No notes on this section yet. I am getting around to rewriting them...

2.2.b Point-to-point

2.2.c Multipoint
