
Point-to-Point Protocol

(PPP)

www.INE.com
PPP
Point-to-Point Protocol
Open standard
Operates in the LLC sub-layer of the data link layer in OSI
Originally designed for dial-up connections (modems, ISDN, etc.)
Only one possible destination
Copyright www.INE.com
Point-to-Point Technologies
No Layer 3 to Layer 2 resolution required
Useful for wide area networks where leased lines exist, or for other P2P networks
Supports authentication
PPP Frame Format
Start Flag | Address | Control | Protocol Code | Data / PPP Control | FCS | Final Flag
Address: set to 11111111
Control: static
Protocol Code: indicates whether the next field is data or a PPP control frame

LCP and NCP
PPP must negotiate a connection
Moves through a series of required steps prior to transport of user data
LCP: Link Control Protocol
Authentication (optional)
NCP: Network Control Protocol
State events and transitions can be monitored in real time with debug ppp negotiations.

PPP - LCP (Link Control Protocol)
(Diagram: two routers connected across a dial-up or circuit-switched network)
LCP: negotiates link-specific options
Callback
Multilink
Authentication (whether or not to authenticate)
Magic Number (loopback detection), etc.

LCP Message Exchanges
LCP uses several different control messages:
Configuration-Request
Lists all PPP options a sender wishes to implement, such as authentication type, PPP Multilink, Callback, etc.
Configuration-Reject
Sent when a receiver doesn't support a particular feature and offers no suitable alternative.
Configuration-NAK (Negative Acknowledgement)
Sent when a receiver doesn't support a particular feature and offers an alternative.
Configuration-Acknowledgement
Acknowledges all LCP options in the most recent Config-Req that was received.

LCP Debug
Jun 1 01:12:29.679: Ser1/1 PPP: Treating connection as a callout
Jun 1 01:12:29.679: Ser1/1 PPP: Phase is ESTABLISHING, Active Open
Jun 1 01:12:29.683: Ser1/1 LCP: O CONFREQ [Closed] id 5 len 15
Jun 1 01:12:29.687: Ser1/1 LCP:    AuthProto CHAP (0x0305C22305)
Jun 1 01:12:29.691: Ser1/1 LCP:    MagicNumber 0x10BD9502 (0x050610BD9502)
Jun 1 01:12:29.707: Ser1/1 LCP: I CONFREQ [REQsent] id 5 len 15
Jun 1 01:12:29.711: Ser1/1 LCP:    AuthProto CHAP (0x0305C22305)
Jun 1 01:12:29.711: Ser1/1 LCP:    MagicNumber 0x10B8A083 (0x050610B8A083)
Jun 1 01:12:29.719: Ser1/1 LCP: O CONFACK [REQsent] id 5 len 15
Jun 1 01:12:29.719: Ser1/1 LCP:    AuthProto CHAP (0x0305C22305)
Jun 1 01:12:29.723: Ser1/1 LCP:    MagicNumber 0x10B8A083 (0x050610B8A083)
Jun 1 01:12:29.727: Ser1/1 LCP: I CONFACK [ACKsent] id 5 len 15
Jun 1 01:12:29.731: Ser1/1 LCP:    AuthProto CHAP (0x0305C22305)
Jun 1 01:12:29.735: Ser1/1 LCP:    MagicNumber 0x10BD9502 (0x050610BD9502)
Jun 1 01:12:29.735: Ser1/1 LCP: State is Open

PPP - NCP (Network Control Protocol)
(Diagram: two routers connected across a dial-up or circuit-switched network)
Negotiate what Layer 3 protocol to use:
For IP: IPCP
For IPX: IPXCP
For CDP: CDPCP
Each of the above has protocol-specific options that need to be negotiated

NCP Debug
*Mar 1 01:12:29.795: Ser1/1 IPCP: O CONFREQ [Closed] id 5 len 10
*Mar 1 01:12:29.799: Ser1/1 IPCP:    Address 10.1.1.1 (0x03060A010101)
*Mar 1 01:12:29.807: Ser1/1 CDPCP: O CONFREQ [Closed] id 5 len 4
*Mar 1 01:12:29.811: Ser1/1 IPCP: I CONFREQ [REQsent] id 5 len 10
*Mar 1 01:12:29.815: Ser1/1 IPCP:    Address 10.1.1.2 (0x03060A010102)
*Mar 1 01:12:29.819: Ser1/1 IPCP: O CONFACK [REQsent] id 5 len 10
*Mar 1 01:12:29.823: Ser1/1 IPCP:    Address 10.1.1.2 (0x03060A010102)
*Mar 1 01:12:29.827: Ser1/1 CDPCP: I CONFREQ [REQsent] id 5 len 4
*Mar 1 01:12:29.831: Ser1/1 CDPCP: O CONFACK [REQsent] id 5 len 4
*Mar 1 01:12:29.835: Ser1/1 IPCP: I CONFACK [ACKsent] id 5 len 10
*Mar 1 01:12:29.839: Ser1/1 IPCP:    Address 10.1.1.1 (0x03060A010101)
*Mar 1 01:12:29.839: Ser1/1 IPCP: State is Open
*Mar 1 01:12:29.843: Ser1/1 CDPCP: I CONFACK [ACKsent] id 5 len 4
*Mar 1 01:12:29.847: Ser1/1 CDPCP: State is Open
*Mar 1 01:12:29.855: Ser1/1 IPCP: Install route to 10.1.1.2

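The options in the LCP and IPCP debug lines above are printed as raw TLV hex in parentheses. The following Python is an added example, not part of the INE slides: it decodes those option bytes (Authentication-Protocol, Magic-Number, MRU/MRRU/ACCM, IPCP IP-Address), groups them under the CONFREQ/CONFACK line that carried them, and uses the Magic-Number option for the loopback check the LCP slide mentions. The sample debug lines are constructed from the slide's output; the option type numbers come from the PPP RFCs, not from the slides.

```python
import re
# Option type names: RFC 1661/1994 for LCP, RFC 1332 for IPCP. MRRU is the Multilink option.
LCP_OPTIONS = {1: "MRU", 2: "ACCM", 3: "AuthProto", 5: "MagicNumber", 17: "MRRU"}
AUTH_PROTOS = {0xC023: "PAP", 0xC223: "CHAP"}
MSG_RE = re.compile(r"\b(LCP|IPCP|CDPCP):?\s+([IO])\s+(CONF(?:REQ|ACK|NAK|REJ))\b")
OPT_RE = re.compile(r"\b(LCP|IPCP):?\s+\S+.*\((0x[0-9A-Fa-f]+)\)\s*$")

def decode_option(proto, hex_value):
    """Decode one option TLV (1-byte type, 1-byte total length, data): the hex IOS prints."""
    raw = bytes.fromhex(hex_value.removeprefix("0x"))
    opt_type, length, data = raw[0], raw[1], raw[2:]
    if length != len(raw) or length < 2:
        raise ValueError(f"option length {length} does not match {len(raw)} bytes")
    names = LCP_OPTIONS if proto == "LCP" else {3: "IP-Address"}
    out = {"type": opt_type, "name": names.get(opt_type, f"type-{opt_type}"), "value": data.hex()}
    if proto == "LCP" and opt_type == 3:                 # Authentication-Protocol
        auth_id = int.from_bytes(data[:2], "big")
        out["value"] = AUTH_PROTOS.get(auth_id, hex(auth_id))
        if auth_id == 0xC223:                            # CHAP adds an algorithm byte; 5 = MD5
            out["algorithm"] = "MD5" if data[2] == 5 else data[2]
    elif proto == "LCP" and opt_type in (1, 2, 5, 17):   # MRU/MRRU 16-bit, ACCM/Magic 32-bit
        out["value"] = int.from_bytes(data, "big")
    elif proto == "IPCP" and opt_type == 3:              # IP-Address: four octets
        out["value"] = ".".join(str(b) for b in data)
    return out

def parse_negotiation(lines):
    """Attach each decoded option to the CONFREQ/CONFACK/NAK/REJ line that carried it."""
    messages = []
    for line in lines:
        if m := MSG_RE.search(line):
            messages.append({"proto": m[1], "dir": m[2], "msg": m[3], "options": []})
        elif (o := OPT_RE.search(line)) and messages:
            messages[-1]["options"].append(decode_option(o[1], o[2]))
    return messages

def loopback_suspected(messages):
    """Magic-Number is for loopback detection: our own CONFREQ magic arriving inbound
    means the circuit is probably looped back to us rather than reaching a peer."""
    magic = {"I": set(), "O": set()}
    for msg in messages:
        if msg["proto"] == "LCP" and msg["msg"] == "CONFREQ":
            magic[msg["dir"]].update(o["value"] for o in msg["options"] if o["type"] == 5)
    return bool(magic["I"] & magic["O"])

# Constructed sample modeled on the slide's LCP debug, with the colons IOS prints restored.
SAMPLE_DEBUG = """\
Jun 1 01:12:29.683: Ser1/1 LCP: O CONFREQ [Closed] id 5 len 15
Jun 1 01:12:29.687: Ser1/1 LCP:    AuthProto CHAP (0x0305C22305)
Jun 1 01:12:29.691: Ser1/1 LCP:    MagicNumber 0x10BD9502 (0x050610BD9502)
Jun 1 01:12:29.707: Ser1/1 LCP: I CONFREQ [REQsent] id 5 len 15
Jun 1 01:12:29.711: Ser1/1 LCP:    AuthProto CHAP (0x0305C22305)
Jun 1 01:12:29.711: Ser1/1 LCP:    MagicNumber 0x10B8A083 (0x050610B8A083)
""".splitlines()
```

Feed it the output of debug ppp negotiations and check that the options in a CONFACK match what the peer asked for, and that the inbound and outbound magic numbers differ.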
PPP Authentication
Two primary benefits of using PPP (as compared to other P2P WAN protocols):
Dynamically learn Layer-3 address (via NCP)
Authenticate your peer
PPP authentication is optional, but almost always configured.
One-way or bi-directional authentication
Various PPP authentication methods available.

PAP
Password Authentication Protocol
Sends clear-text username and password for authentication
Two-way handshake
Less secure than CHAP
By default, hostname is sent as the username

PAP Authentication One-way
PPP PAP authentication options
One way (client authenticates against server)

Exchange between Chris (client, Ser0/0/0) and Sally (server, Ser1/1/1):
LCP:  Chris: Hello, I want to do PPP with you.
      Sally: Great, but I insist we use PAP.
Auth: Chris: My name is Chris, password is Cisco.
      Sally: That matches what I have.

Chris (client):
hostname Chris
!
interface serial 0/0/0
 ip address 1.1.1.1 255.255.0.0
 encapsulation ppp
 ppp pap sent-username Chris password Cisco

Sally (server):
hostname Sally
!
username Chris password Cisco
!
interface serial 1/1/1
 ip address 1.1.1.2 255.255.0.0
 encapsulation ppp
 ppp authentication pap

PAP Authentication Two-way
Two way (both peers authenticate each other)

Exchange between Chris (client, Ser0/0/0) and Sally (server, Ser1/1/1):
LCP:  Chris: Hello, I want to do PPP with you.
      Sally: Great, but I insist we use PAP.
Auth: Chris: My name is Chris, password is Cisco.
      Sally: That matches what I have.
      Sally: My name is Sally, password is Server.
      Chris: That matches what I have.

Chris (client):
hostname Chris
username Sally password Server
!
interface serial 0/0/0
 ip address 1.1.1.1 255.255.0.0
 encapsulation ppp
 ppp authentication pap
 ppp pap sent-username Chris password Cisco

Sally (server):
hostname Sally
username Chris password Cisco
!
interface serial 1/1/1
 ip address 1.1.1.2 255.255.0.0
 encapsulation ppp
 ppp authentication pap
 ppp pap sent-username Sally password Server

Verifying PAP Authentication
Verification commands:
Router# debug ppp negotiations
Router# debug ppp authentication
Router# show interface serial <number>
Router# show users
In the debugs above you want to see:
PPP: Received LOGIN Response PASS
Note: Upon successful authentication, a PAP server should show the users with IP addresses who are authenticated

CHAP
Challenge Handshake Authentication Protocol
Three-way handshake
More secure than PAP
By default, hostname is sent as the username; username can be explicitly configured

CHAP Authentication One-way

Exchange between Router (client, Ser0/0/0, presenting itself as Chris) and Sally (server, Ser1/1/1):
Router: Hello, I want to do PPP with you.
Sally:  Great, but I insist we use CHAP.
Router: My name is Chris.
Sally:  My CHAP challenge is a123bc567.
Router: My challenge response = bbb55
Sally:  Looks good! You must really be Chris!
Both sides compute the same value: a123bc567 + Chris + Cisco = bbb55

Router (client):
hostname Router
!
interface serial 0/0/0
 ip address 1.1.1.1 255.255.0.0
 encapsulation ppp
 ppp chap hostname Chris
 ppp chap password Cisco

Sally (server):
hostname Sally
!
username Chris password Cisco
!
interface serial 1/1/1
 ip address 1.1.1.2 255.255.0.0
 encapsulation ppp
 ppp authentication chap

CHAP Authentication (Alternative Client Config)

Exchange between the client (hostname Chris, Ser0/0/0) and Sally (server, Ser1/1/1):
Chris: Hello, I want to do PPP with you.
Sally: Great, but I insist we use CHAP.
Chris: My name is Chris.
Sally: My CHAP challenge is a123bc567.
Chris: My challenge response = bbb55
Sally: Looks good! You must really be Chris!

Chris (client):
hostname Chris
!
username Sally password Cisco
!
interface serial 0/0/0
 ip address 1.1.1.1 255.255.0.0
 encapsulation ppp

Sally (server):
hostname Sally
!
username Chris password Cisco
!
interface serial 1/1/1
 ip address 1.1.1.2 255.255.0.0
 encapsulation ppp
 ppp authentication chap

CHAP Authentication Two-way

Exchange between Router (client, Ser0/0/0, presenting itself as Chris) and Sally (server, Ser1/1/1):
Router: Let's use PPP and CHAP, sound good?
Sally:  I support that!
Router: My name is Chris and I challenge you: aa3355.
Sally:  My name is Sally and I challenge you: 77ff5e.
Router: My challenge response = bbb55
Sally:  My challenge response = eeccdd!
Router: Looks good! You must really be Sally!
Sally:  Looks good! You must really be Chris!

Router (client):
hostname Router
username Sally password Cisco
!
interface serial 0/0/0
 ip address 1.1.1.1 255.255.0.0
 encapsulation ppp
 ppp authentication chap
 ppp chap hostname Chris
 ppp chap password Cisco

Sally (server):
hostname Sally
username Chris password Cisco
!
interface serial 1/1/1
 ip address 1.1.1.2 255.255.0.0
 encapsulation ppp
 ppp authentication chap
 ppp chap hostname Sally
 ppp chap password Cisco

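The "a123bc567 + Chris + Cisco = bbb55" picture on the one-way, alternative-config and two-way CHAP slides is MD5 over identifier, secret and challenge (RFC 1994). The Python below is an added example, not INE's material: it models two peers with a local username database and an optional "ppp chap password", runs one direction of CHAP, and shows why the secret must match under the peer's hostname, why a wrong secret fails, and why a captured response cannot be replayed. Hostnames and secrets mirror the slides; the class and function names are my own.

```python
import hashlib
import hmac
import os

def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge).
    This is the slide's 'a123bc567 + Chris + Cisco = bbb55' made concrete."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()

class ChapPeer:
    """One PPP peer. `users` models the local 'username <name> password <secret>' lines,
    `chap_password` models 'ppp chap password', `name` the hostname or 'ppp chap hostname'."""

    def __init__(self, name, users, chap_password=None):
        self.name, self.users, self.chap_password = name, users, chap_password
        self.pending = {}                        # identifier -> challenge we issued

    def challenge(self, identifier):
        """Challenge packet: identifier, a fresh random value, and our own name."""
        chal = os.urandom(16)
        self.pending[identifier] = chal
        return identifier, chal, self.name

    def respond(self, identifier, chal, challenger_name):
        """Response packet. Without 'ppp chap password' (the alternative client config)
        the secret is looked up under the challenger's name, so both routers must hold
        the same secret for this pair of hostnames."""
        secret = self.chap_password or self.users.get(challenger_name)
        if secret is None:
            raise LookupError(f"no CHAP secret for peer {challenger_name}")
        return identifier, chap_response(identifier, secret, chal), self.name

    def verify(self, identifier, response, responder_name):
        """Recompute the digest from our copy of the challenge and the stored secret for
        the responder's name. The challenge is consumed, so a replayed response fails."""
        chal = self.pending.pop(identifier, None)
        secret = self.users.get(responder_name)
        if chal is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(identifier, secret, chal), response)

def authenticate(challenger, responder, identifier=5):
    """One direction of CHAP (the one-way slide). Two-way CHAP is this run twice with the
    roles swapped. Returns True for SUCCESS, False for FAILURE."""
    ident, chal, name = challenger.challenge(identifier)
    ident, resp, rname = responder.respond(ident, chal, name)
    return challenger.verify(ident, resp, rname)

# Constructed peers mirroring the slides: hostname Router presents itself as Chris via
# 'ppp chap hostname Chris'; Sally holds 'username Chris password Cisco'.
sally = ChapPeer("Sally", users={"Chris": "Cisco"})
chris = ChapPeer("Chris", users={"Sally": "Cisco"})            # alternative config: lookup by peer name
chris_with_pw = ChapPeer("Chris", users={}, chap_password="Cisco")   # 'ppp chap password Cisco'
```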
Configuring CHAP Authentication (Server)
Change encapsulation
Router(config-if)# encapsulation ppp
Create local user database
Router(config)# username <username> password <password>
Configure CHAP server
Router(config-if)# ppp authentication chap

Configuring CHAP Authentication (Client)
Change encapsulation
Router(config-if)# encapsulation ppp
Configure to send username and password
Router(config-if)# ppp chap password <password>
Router(config-if)# ppp chap hostname <username>

Verifying CHAP Authentication
Verification commands:
Router# show users
Router# debug ppp negotiations
Note: Upon successful authentication, a CHAP server should show the users with IP addresses who are authenticated

Authentication Debug
*Mar 1 01:12:29.739: Ser1/1 PPP: Phase is AUTHENTICATING, by both
*Mar 1 01:12:29.743: Ser1/1 CHAP: O CHALLENGE id 5 len 28 from "isdn2-2"
*Mar 1 01:12:29.747: Ser1/1 CHAP: I CHALLENGE id 5 len 28 from "isdn2-3"
*Mar 1 01:12:29.755: Ser1/1 CHAP: O RESPONSE id 5 len 28 from "isdn2-2"
*Mar 1 01:12:29.775: Ser1/1 CHAP: I SUCCESS id 5 len 4
*Mar 1 01:12:29.783: Ser1/1 CHAP: I RESPONSE id 5 len 28 from "isdn2-3"
*Mar 1 01:12:29.787: Ser1/1 CHAP: O SUCCESS id 5 len 4
*Mar 1 01:12:29.791: Ser1/1 PPP: Phase is UP

Things to Look for in PPP debug
LCP: State is open
LCP negotiation was successful
If not, then look for options that failed
Authentication: PAP or CHAP
Check for usernames, passwords, etc.
NCP: IPCP, IPXCP, ATCP state is open
Means NCP negotiation was successful
If not, then look for CONFREQ, CONFREJ, CONFACK, CONFNAK, etc.

Layer-3 Address Negotiation

Client (hostname Chris, Ser0/0/0) and Sally (server, Ser1/1/1):

Chris (client):
hostname Chris
!
username Sally password Cisco
!
interface serial 0/0/0
 ip address negotiated
 encapsulation ppp

Sally (server):
hostname Sally
!
username Chris password Cisco
!
interface serial 1/1/1
 ip address 1.1.1.2 255.255.0.0
 encapsulation ppp
 ppp authentication chap
 peer default ip address pool MyPool
!
ip local pool MyPool 1.1.1.3 1.1.1.10

Quiz!!!
Which of the following items are negotiated
during the PPP LCP stage?
A. Multilink
B. Authentication Type
C. Authentication Challenge
D. Callback
E. IP address

Quiz!!!
Which PPP LCP option would you look for in the
output of debug ppp negotiations to indicate
that PPP Multilink had been configured?
MRU
MRRU
ACCM
Magic Number

Quiz!!!
Router-1 sends a PPP LCP frame indicating that it wishes to implement
CHAP authentication.
Router-2, at the other end of the PPP link, is not configured for CHAP
but is configured for PAP.
In response to Router-1's Conf-Req packet, Router-2 will send a ___________ indicating that it wants to do PAP.
Conf-REJ
Conf-NAK
Conf-ACK
Conf-REQ
Quiz!!!
Based on the configurations shown below, will a successful PPP connection be established between these two routers? If not, why not?

Router (client, Ser0/0/0):
hostname Router
username Sally password Cisco
!
interface serial 0/0/0
 ip address 1.1.1.1 255.255.0.0
 encapsulation ppp
 ppp authentication pap
 ppp pap sent-username Router password Cisco

Sally (server, Ser1/1/1):
hostname Sally
username Chris password Cisco
!
interface serial 1/1/1
 ip address 1.1.1.2 255.255.0.0
 encapsulation ppp
 ppp authentication pap
 ppp chap hostname Sally
 ppp chap password Cisco

Quiz!!!
What can you infer from the following debug output?

Quiz!!!
A trouble ticket is opened because it has been discovered that ICMP pings to 2.2.2.2 are not able to flow across a PPP connection on Router-3.
Based on the debug output below, what is the root cause of this problem?

PPPoE
(PPP over Ethernet)

Why do we need PPPoE?
Original objective for PPP was to support:
A single, dial-up host
Temporary network connection
With the advent of DSL and Metro Ethernet, new problems were presented:
How to allow a single DSL connection to support an entire LAN of PPP clients?
Differentiate traffic from multiple companies sharing a common Ethernet connection to an ISP

PPPoE, Common Use-Case
(Diagram: PPPoE clients at Company-A, Company-B, Company-C and Company-D connect over Metro Ethernet to the ISP, which provides Internet access)
Only customers with correct/unique PPPoE authentication credentials gain ISP access.
ISP can track individual PPPoE sessions for billing purposes.

PPPoE Control Packets
Normal PPP across WAN lines starts immediately with LCP.
PPPoE prefaces LCP with special PPPoE control packets to establish a unique Session-ID.
The Session-ID is used by the ISP to identify individual customers.

PPPoE Active Discovery
PPPoE is based on a client/server architecture:
Multiple clients on a single, shared medium
One server terminating/aggregating multiple clients
PPPoE relies on Active Discovery frames to enable clients to discover the server and obtain a unique Session-ID.
The Active Discovery process (and the names of its control frames) has many similarities to the DHCP process.

PPPoE Active Discovery Process
PPPoE Client (MAC = xx:xx:xx:xx:xx:xx) and PPPoE Server (MAC = yy:yy:yy:yy:yy:yy)

1. PADI (PPPoE Active Discovery Initialization), L2 Ethernet destination = broadcast
   Client: Are there any PPPoE Servers out there? My unique Host-ID is xx-xx
2. PADO (PPPoE Active Discovery Offer), L2 Ethernet destination = unicast
   Server: Yes, I'm here xx-xx. My unique Access Concentrator (AC) ID is yy.yy
3. PADR (PPPoE Active Discovery Request), L2 Ethernet destination = unicast
   Client: Thanks for that info! Can I have a Session-ID please?
4. PADS (PPPoE Active Discovery Session-Confirmation), L2 Ethernet destination = unicast
   Server: Yes, let's use Session-ID 0x02.

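As an added example (not from the slides), the following Python builds and parses the four discovery frames above as they appear on the wire: Ethernet header, PPPoE header (version/type, code, Session-ID, length) and TLV tags. The discovery Ethertype, the PADI/PADO/PADR/PADS code values and the tag types are taken from RFC 2516, not from the slides; the MAC addresses, Host-Uniq "xx-xx" and AC name "yy.yy" are constructed to match the diagram.

```python
import struct

# RFC 2516 values (from the RFC, not the slides): discovery Ethertype, the four discovery
# codes, and the tag types used here. Session-ID is 0 until the server assigns one in PADS.
ETH_P_PPPOE_DISC = 0x8863
PADI, PADO, PADR, PADS = 0x09, 0x07, 0x19, 0x65
TAG_SERVICE_NAME, TAG_AC_NAME, TAG_HOST_UNIQ = 0x0101, 0x0102, 0x0103
BROADCAST = b"\xff" * 6

def build_discovery(dst, src, code, session_id, tags):
    """Ethernet header + PPPoE header (ver=1, type=1, code, Session-ID, length) + TLV tags."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return (dst + src + struct.pack("!H", ETH_P_PPPOE_DISC)
            + struct.pack("!BBHH", 0x11, code, session_id, len(payload)) + payload)

def parse_discovery(frame):
    """Parse one discovery frame; tags come back as a dict keyed by tag type."""
    dst, src = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_PPPOE_DISC:
        raise ValueError("not a PPPoE discovery frame")
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != 0x11:
        raise ValueError("unsupported PPPoE version/type")
    body, tags, off = frame[20:20 + length], {}, 0
    while off + 4 <= len(body):
        tag_type, tag_len = struct.unpack("!HH", body[off:off + 4])
        tags[tag_type] = body[off + 4:off + 4 + tag_len]
        off += 4 + tag_len
    return {"dst": dst, "src": src, "code": code, "session_id": session_id, "tags": tags}

def run_discovery(client_mac, server_mac, ac_name=b"yy.yy", session_id=0x02):
    """The four-frame exchange from the slide; Host-Uniq plays the slide's 'Host-ID xx-xx'."""
    host_uniq = b"xx-xx"                                    # constructed, like the slide
    # 1. PADI: broadcast, Session-ID 0, any service.
    padi = parse_discovery(build_discovery(BROADCAST, client_mac, PADI, 0,
                           [(TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, host_uniq)]))
    # 2. PADO: unicast to the client, names the access concentrator, echoes Host-Uniq.
    pado = parse_discovery(build_discovery(padi["src"], server_mac, PADO, 0,
                           [(TAG_AC_NAME, ac_name), (TAG_HOST_UNIQ, padi["tags"][TAG_HOST_UNIQ])]))
    # A client only acts on an offer that echoes its own Host-Uniq.
    if pado["tags"].get(TAG_HOST_UNIQ) != host_uniq:
        raise ValueError("PADO does not echo our Host-Uniq; ignoring it")
    # 3. PADR: unicast to the chosen server, Session-ID still 0.
    padr = parse_discovery(build_discovery(pado["src"], client_mac, PADR, 0,
                           [(TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, host_uniq)]))
    # 4. PADS: the server assigns the non-zero Session-ID the ISP tracks per customer.
    pads = parse_discovery(build_discovery(padr["src"], server_mac, PADS, session_id,
                           [(TAG_SERVICE_NAME, b"")]))
    return [padi, pado, padr, pads]
```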
PPP Encapsulation within Ethernet

PPP General Frame Format:
Start Flag | Address | Control | Protocol | PPP Control or Encapsulated Data | Padding | FCS | Final Flag

PPPoE Ethernet General Frame Format:
Dest MAC | Source MAC | Ethertype | Protocol | PPP Control or Encapsulated Data | Ethernet FCS
Ethertype = 0x8863 (PPPoE discovery stage) or 0x8864 (PPPoE session stage)

Configuring PPPoE
(Diagram: server Fast0/0 connected to client Fast0/0)

Server:
hostname server
!
username client password cisco
!
bba-group pppoe INE
 virtual-template 1
!
interface Virtual-Template1
 ip address 1.2.1.1 255.255.255.0
 (or: ip unnumbered loopback 0)
 peer default ip address pool MyPool
 ppp authentication chap
!
ip local pool MyPool 1.2.1.2 1.2.1.254
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 pppoe enable group INE

Client:
hostname client
!
interface Dialer1
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 ppp chap password 0 cisco
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 pppoe-client dial-pool-number 1
!

Configuring PPPoE with DHCP
(Diagram: server Fast0/0 connected to client Fast0/0; a DHCP server at 7.7.7.7 is reachable from the PPPoE server)

Server:
hostname server
!
username client password cisco
!
bba-group pppoe INE
 virtual-template 1
!
interface Virtual-Template1
 ip address 1.2.1.1 255.255.255.0
 peer default ip address dhcp
 ppp authentication chap
 ip helper-address 7.7.7.7
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 pppoe enable group INE

Client:
hostname client
!
interface Dialer1
 ip address dhcp
 encapsulation ppp
 dialer pool 1
 ppp chap password 0 cisco
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 pppoe-client dial-pool-number 1
!

Verifying PPPoE on Server (1)
PTA (PPP Termination Aggregation)

Verifying PPPoE on Server (2)

Verifying PPPoE on Client (1)

Verifying PPPoE on Client (2)

PPPoE and MTU
PPP = 8 bytes of overhead (headers)
Max-sized Ethernet frame (data) = 1500 bytes
1500 bytes + 8 bytes (PPP) = 1508 bytes
1508 bytes + 14 bytes (Ethernet headers) = 1522 bytes
Every maximum-sized Ethernet frame sent from hosts will need to be fragmented by PPPoE-speaking routers.
Fragmentation = CPU-intensive

MTU and Virtual-interfaces
Virtual-Templates (and Dialer-Interfaces) spawn Virtual-Access interfaces for terminating PPPoE sessions.
Virtual-Access interfaces spawned from Virtual-Templates (using PPPoE) have default MTU=1492
Virtual-Access interfaces spawned from Dialer-Interfaces have default MTU=1500
What are the results of mismatched MTU?
Frequent fragmentation of large Ethernet frames
OSPF peering stuck in EXSTART state.

Fixing MTU Mismatches
(Diagram: PPPoE Server Fast0/0 connected to PPPoE Client Fast0/0; the client's Fast1/1 connects to a Web Server)

Server:
hostname server
!
username client password cisco
!
bba-group pppoe INE
 virtual-template 1
!
interface Virtual-Template1
 ip address 1.2.1.1 255.255.255.0
 peer default ip address dhcp
 ppp authentication chap
 ip helper-address 7.7.7.7
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 pppoe enable group INE

Client:
hostname client
!
interface Dialer1
 ip address dhcp
 encapsulation ppp
 dialer pool 1
 ppp chap password 0 cisco
 ip mtu 1492
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 pppoe-client dial-pool-number 1
!
interface FastEthernet1/1
 ip address x.x.x.x y.y.y.y
 ip tcp adjust-mss 1452

Q&A

Copyright INE Inc. All rights reserved.