Chap 1 – Point-to-Point Protocol (PPP) Learning Objectives


1 Chap 1 – Point-to-Point Protocol (PPP) Learning Objectives
- Describe the fundamental concepts of point-to-point serial communication, including TDM, the demarcation point, DTE-DCE functions, HDLC encapsulation, and serial interface troubleshooting.
- Describe PPP concepts, including the PPP layered architecture, PPP frame structure, PPP session establishment, multiprotocol encapsulation support, the Link Control Protocol (LCP), the Network Control Protocol (NCP), and the Internet Protocol Control Protocol (IPCP).
- Configure PPP on a serial interface, including enabling PPP encapsulation, verifying the PPP connection and troubleshooting encapsulation problems.
- Configure PPP authentication, including explaining the PAP and CHAP authentication protocols, configuring PPP authentication using PAP and CHAP, and troubleshooting PPP authentication problems.

2 Transmission Mode
Data can be transferred in two ways: parallel or serial. Both methods require a timing signal, or clock, to allow the correct sampling point of each digital bit, but two different methods have evolved to allow both ends of the circuit to synchronise: asynchronous (independent clocks) and synchronous (common clocks).

3 Parallel
A parallel connection sends the bits over several wires simultaneously. In the case of the 25-pin parallel port on a PC, there are eight data-carrying wires to carry 8 bits simultaneously. Because there are eight wires to carry the data, the parallel link theoretically transfers data eight times faster than a serial connection. Based on this theory, a parallel connection sends a byte in the time a serial connection sends a bit.

4 Serial
Each bit is passed over the same conductor, one after the other. With serial it's like marching single file, one behind the other. The advantage of serial over parallel transmission is that with only one communication channel, serial transmission reduces the cost of transmission. The receiver is now faced with the problem of determining when to sample the bits in order to recover the encoded characters. To achieve this, serial transmission uses either asynchronous or synchronous timing.

5 Delay Skew
Each wire has a different propagation delay. The difference between wires is called delay skew. If it is excessive, data transmitted simultaneously arrives at different times.
In a parallel connection, it is wrong to assume that the 8 bits leaving the sender at the same time arrive at the receiver at the same time. Rather, some of the bits get there later than others. This is known as clock skew or delay skew. Overcoming clock skew is not trivial. The receiving end must synchronise itself with the transmitter and then wait until all the bits have arrived. The process of reading, waiting, latching, waiting for the clock signal, and transmitting the 8 bits adds time to the transmission. In parallel communications, a latch is a data storage element used to hold information in sequential logic systems. Using more wires and longer connections compounds the problem and adds delay. The need for clocking slows parallel transmission well below theoretical expectations.

6 Cross Talk - Cancellation
Cross-talk is interference induced into adjacent wires by the EM field that builds up along cables carrying data. It is more destructive at higher frequencies. By twisting the pairs together, the EM field reverses every other twist, cancelling out the induced signal.
Parallel wires are physically bundled in a parallel cable, and signals can imprint themselves on each other. The possibility of crosstalk across the wires requires more processing, especially at higher frequencies. The serial buses on computers, including routers, compensate for crosstalk before transmitting the bits. Since serial cables have fewer wires, there is less crosstalk, and network devices transmit serial communications at higher, more efficient frequencies. In most cases, serial communications are considerably cheaper to implement: they use fewer wires, cheaper cables, and fewer connector pins.

7 Serial Interface Standards
There are many different serial communication standards, each one using a different signaling method. Three key serial communication standards affect LAN-to-WAN connections:
- RS-232 - Most serial ports on personal computers conform to the RS-232C or newer RS-422 and RS-423 standards. Both 9-pin and 25-pin connectors are used. A serial port is a general-purpose interface that can be used for almost any type of device, including modems, mice, and printers.
- V.35 - Typically used for modem-to-multiplexer communication, this ITU standard for high-speed, synchronous data exchange combines the bandwidth of several telephone circuits. V.35 cables are high-speed serial assemblies designed to support higher data rates and connectivity between DTEs and DCEs over digital lines.
- HSSI - A High-Speed Serial Interface (HSSI) supports transmission rates up to 52 Mb/s. Engineers use HSSI to connect routers on LANs with WANs over high-speed lines such as T3 lines. Engineers also use HSSI to provide high-speed connectivity between LANs, using Token Ring or Ethernet. HSSI is a DTE/DCE interface developed by Cisco Systems and T3plus Networking to address the need for high-speed communication over WAN links.

8 Time Division Multiplexing
Time-Division Multiplexing (TDM) is the transmission of several sources of information using one common channel, or signal, and the reconstruction of the original streams at the remote end. One TDM example is Integrated Services Digital Network (ISDN). ISDN basic rate (BRI) has three channels consisting of two 64 kbps B-channels (B1 and B2) and a 16 kbps D-channel. In the slide, each of the three input channels has its own capacity. For the output channel to accommodate all the information from the three inputs, the capacity of the output channel must be no less than the sum of the inputs. Therefore, if each input channel was running at 1 Mbps, the TDM output would have to be 3 Mbps. In TDM, the output timeslot is always present whether or not the TDM input has any information to transmit. This is wasteful of bandwidth, and led to the development of Statistical TDM (STDM). TDM is a physical layer concept: it has no regard for the nature of the information that is being multiplexed onto the output channel, and it is independent of the Layer 2 protocol used by the input channels.

9 Statistical time-division multiplexing (STDM)
Developed to overcome the inefficiency of fixed-length time slots in TDM. STDM uses a variable time slot length allowing channels to compete for any free slot space. It employs a buffer memory that temporarily stores the data during periods of peak traffic. STDM does not waste high-speed line time with inactive channels using this scheme.

10 Demarcation Point – U.S.
The demarcation point is the point in the network where the responsibility of the service provider or "telco" ends. In the United States, a telco provides the local loop into the customer premises and the customer provides the active equipment, such as the channel service unit/data service unit (CSU/DSU), on which the local loop is terminated.

11 Demarcation Point – International
In most countries around the world, the network terminating unit (NTU) is provided and managed by the telco. This allows the telco to actively manage and troubleshoot the local loop with the demarcation point occurring after the NTU. The customer connects a customer premises equipment (CPE) device, such as a router or frame relay access device, into the NTU using a V.35 or RS-232 serial interface.

12 DTE-DCE
The CPE, which is generally a router, is the DTE. The DTE could also be a terminal, computer, printer, or fax machine if it connects directly to the service provider network. The DCE, commonly a modem or CSU/DSU, is the device used to convert the user data from the DTE into a form acceptable to the WAN service provider transmission link. The EIA and the ITU-T have been most active in the development of DTE/DCE standards. The ITU-T refers to the DCE as data circuit-terminating equipment. The EIA refers to the DCE as data communication equipment. The DTE/DCE interface for a particular standard defines the following specifications:
- Mechanical/physical - Number of pins and connector type
- Electrical - Defines voltage levels for 0 and 1
- Functional - Specifies the functions that are performed by assigning meanings to each of the signaling lines in the interface
- Procedural - Specifies the sequence of events for transmitting data
If two DTEs must be connected together, like two computers or two routers in the lab, a special cable called a null-modem is necessary to eliminate the need for a DCE. For synchronous connections, either an external device or one of the DTEs must generate the clock signal. The synchronous serial port on a router is configured as DTE or DCE depending on the attached cable, which is ordered as either DTE or DCE to match the router configuration. If the port is configured as DTE, which is the default setting, external clocking is required from the CSU/DSU or other DCE device.

14 Router Serial WAN Connectors
Cisco Serial DB-60 and Cisco Smart Serial connectors. The cable for the DTE to DCE connection is a shielded serial transition cable. The router end of the shielded serial transition cable may be a DB-60 connector, which connects to the DB-60 port on a serial WAN interface card (WIC). To support higher port densities in a smaller form factor, Cisco has introduced a Smart Serial cable. The router interface end of the Smart Serial cable is a 26-pin connector that is significantly more compact than the DB-60 connector.

15 WAN Encapsulation Protocols
On each WAN connection, data is encapsulated into frames before crossing the WAN link. The choice of protocol depends on the WAN technology and the communicating equipment.
- HDLC - The default encapsulation type on point-to-point connections, dedicated links, and circuit-switched connections when the link uses two Cisco devices. HDLC is now the basis for synchronous PPP used by many servers to connect to a WAN, most commonly the Internet.
- PPP - Provides router-to-router and host-to-network connections over synchronous and asynchronous circuits. PPP works with several network layer protocols, such as IP and Internetwork Packet Exchange (IPX). PPP also has built-in security mechanisms such as PAP and CHAP. Most of this chapter deals with PPP.
- Serial Line Internet Protocol (SLIP) - A standard protocol for point-to-point serial connections using TCP/IP. SLIP has been largely displaced by PPP.
- X.25/Link Access Procedure, Balanced (LAPB) - ITU-T standard that defines how connections between a DTE and DCE are maintained for remote terminal access and computer communications in public data networks. X.25 specifies LAPB, a data link layer protocol. X.25 is a predecessor to Frame Relay.
- Frame Relay - Industry standard, switched, data link layer protocol that handles multiple virtual circuits. Frame Relay is a next generation protocol after X.25. Frame Relay eliminates some of the time-consuming processes (such as error correction and flow control) employed in X.25. The next chapter is devoted to Frame Relay.
- ATM - The international standard for cell relay in which devices send multiple service types (such as voice, video, or data) in fixed-length (53-byte) cells. Fixed-length cells allow processing to occur in hardware, thereby reducing transit delays. ATM takes advantage of high-speed transmission media such as E3, SONET, and T3.

16 HDLC Encapsulation
HDLC frame format:
    Flag (1 byte) | Address (1 or 2 bytes) | Control (1 or 2 bytes) | Data (variable) | FCS (2 bytes) | Flag (1 byte)
HDLC uses synchronous serial transmission providing error-free communication between two points. HDLC defines a Layer 2 framing structure that allows for flow control and error control using acknowledgments and a windowing scheme. Standard HDLC does not inherently support multiple protocols on a single link, as it does not have a way to indicate which protocol is being carried. PPP actually uses HDLC as a basis for encapsulating data.
Control - The control field uses three different formats, depending on the type of HDLC frame used:
- Information (I) frame: I-frames carry upper layer information and some control information. This frame sends and receives sequence numbers, and the poll final (P/F) bit performs flow and error control. The send sequence number refers to the number of the frame to be sent next. The receive sequence number provides the number of the frame to be received next. Both sender and receiver maintain send and receive sequence numbers. A primary station uses the P/F bit to tell the secondary whether it requires an immediate response. A secondary station uses the P/F bit to tell the primary whether the current frame is the last in its current response.
- Supervisory (S) frame: S-frames provide control information. An S-frame can request and suspend transmission, report on status, and acknowledge receipt of I-frames. S-frames do not have an information field.
- Unnumbered (U) frame: U-frames support control purposes and are not sequenced. A U-frame can be used to initialize secondaries. Depending on the function of the U-frame, its control field is 1 or 2 bytes. Some U-frames have an information field.

17 Cisco HDLC Encapsulation
Cisco HDLC frame format:
    Flag (1 byte) | Address (1 byte) | Control (1 or 2 bytes) | Type (2 bytes) | Data (variable) | FCS (2 bytes) | Flag (1 byte)
HDLC is Cisco's default Layer 2 encapsulation for serial lines. This implementation is very streamlined, as there is no windowing or flow control, and only point-to-point connections are allowed. Cisco HDLC inserts a 2-byte proprietary type code after the control field. This means that Cisco HDLC framing is not interoperable with other vendors' equipment.

18 Configuring HDLC The default encapsulation method used by Cisco devices on synchronous serial lines is Cisco HDLC. Cisco HDLC is a point-to-point protocol that can be used on leased lines between two Cisco devices. When communicating with a non-Cisco device, PPP is a more viable option.

19 Troubleshooting a serial interface
show interfaces serial - Indicates the state of the interface and the encapsulation used.
show controllers - Indicates the state of the interface channels and whether a cable is attached to the interface.
The output of the show interfaces serial command displays information specific to serial interfaces. When HDLC is configured, "Encapsulation HDLC" should be reflected in the output. When PPP is configured, "Encapsulation PPP" should be seen in the output. Five possible problem states can be identified in the interface status line of the show interfaces serial display:
- Serial x is down, line protocol is down
- Serial x is up, line protocol is down
- Serial x is up, line protocol is up (looped)
- Serial x is up, line protocol is down (disabled)
- Serial x is administratively down, line protocol is down
The show controllers command is another important diagnostic tool when troubleshooting serial lines, as it indicates the state of the interface channels and whether a cable is attached to the interface. If the electrical interface output is shown as UNKNOWN instead of V.35, EIA/TIA-449, or some other electrical interface type, the likely problem is an improperly connected cable.

20 Point-To-Point Protocol (PPP)
PPP's frame format is based on the HDLC frame format put forth by the International Organization for Standardization (ISO). Unlike the ISO HDLC frame, the PPP frame defines a protocol field. PPP protocols follow open standards and are almost always compatible. PPP is the protocol of choice when configuring serial links in a multi-vendor environment. PPP can support multiple Layer 3 protocols, such as IP, IPX, and AppleTalk. PPP can be configured on asynchronous serial, synchronous serial, HSSI and ISDN physical interfaces.
HDLC is the default serial encapsulation method when you connect two Cisco routers. With an added protocol type field, the Cisco version of HDLC is proprietary; thus Cisco HDLC can only work with other Cisco devices. To connect to a non-Cisco router, PPP encapsulation must be used. PPP encapsulation has been carefully designed to retain compatibility with most commonly used supporting hardware. PPP encapsulates data frames for transmission over Layer 2 physical links. PPP establishes a direct connection using serial cables, phone lines, trunk lines, cellular telephones, specialized radio links, or fiber-optic links. There are many advantages to using PPP, including the fact that it is not proprietary. Moreover, it includes many features not available in HDLC:
- The link quality management feature monitors the quality of the link. If too many errors are detected, PPP takes the link down.
- PPP supports PAP and CHAP authentication. This feature is explained and practiced in a later section.
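To make the two frame diagrams concrete, the following is an added example (not code from the slides) that builds and parses a PPP frame in HDLC-like framing as RFC 1662 specifies it: address 0xFF, control 0x03, the 2-byte protocol field that plain HDLC lacks, the FCS-16 over everything between the flags, and the asynchronous byte-stuffing of 0x7E, 0x7D and control characters. The parser rejects frames whose FCS does not match, which is the check a receiver performs before it trusts the protocol field. The sample payload and protocol number 0x0021 (IP) are constructed inputs.

```python
"""Build and parse PPP frames in HDLC-like framing (RFC 1662).
Added example, not part of the original slides."""

FLAG, ESC, ADDR, CTRL = 0x7E, 0x7D, 0xFF, 0x03   # PPP uses fixed address/control values


def fcs16(data: bytes) -> int:
    """PPP FCS-16: reflected CRC-16-CCITT, polynomial 0x8408, init 0xFFFF,
    final complement (the 'CRC-16/X-25' algorithm from RFC 1662)."""
    fcs = 0xFFFF
    for byte in data:
        fcs ^= byte
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs ^ 0xFFFF


def _stuff(raw: bytes) -> bytes:
    """Async byte stuffing with the default ACCM: flag, escape and every
    octet below 0x20 are sent as 0x7D followed by the octet XOR 0x20."""
    out = bytearray()
    for byte in raw:
        if byte in (FLAG, ESC) or byte < 0x20:
            out += bytes([ESC, byte ^ 0x20])
        else:
            out.append(byte)
    return bytes(out)


def _unstuff(raw: bytes) -> bytes:
    out = bytearray()
    i = 0
    while i < len(raw):
        if raw[i] == ESC:
            if i + 1 >= len(raw):
                raise ValueError("dangling escape octet")
            i += 1
            out.append(raw[i] ^ 0x20)
        else:
            out.append(raw[i])
        i += 1
    return bytes(out)


def build_ppp_frame(protocol: int, payload: bytes) -> bytes:
    """Flag | 0xFF | 0x03 | Protocol (2 bytes) | payload | FCS (2 bytes, LSB first) | Flag."""
    body = bytes([ADDR, CTRL]) + protocol.to_bytes(2, "big") + payload
    fcs = fcs16(body).to_bytes(2, "little")
    return bytes([FLAG]) + _stuff(body + fcs) + bytes([FLAG])


def parse_ppp_frame(frame: bytes):
    """Return (protocol, payload); raise ValueError if framing or FCS is wrong."""
    if len(frame) < 2 or frame[0] != FLAG or frame[-1] != FLAG:
        raise ValueError("missing flag")
    body = _unstuff(frame[1:-1])
    if len(body) < 6:
        raise ValueError("frame too short")
    data, fcs = body[:-2], int.from_bytes(body[-2:], "little")
    if fcs16(data) != fcs:
        raise ValueError("bad FCS")
    if data[0] != ADDR or data[1] != CTRL:
        raise ValueError("unexpected address/control field")
    return int.from_bytes(data[2:4], "big"), data[4:]


def frame_is_valid(frame: bytes) -> bool:
    try:
        parse_ppp_frame(frame)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed payload containing the octets that must be escaped.
    frame = build_ppp_frame(0x0021, b"\x45\x00\x7e\x7d\x01")
    print(frame.hex(), parse_ppp_frame(frame))
```

The check value 0x906E for the ASCII string "123456789" is the published reference value for this CRC variant, so it is a quick way to confirm an FCS implementation before using it on real captures.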

21 PPP layered architecture
PPP contains two sub-protocols:
- Link Control Protocol (LCP) – Used for establishing the point-to-point link over the WAN
- Network Control Protocol (NCP) – Used for configuring the various network layer protocols
PPP contains three main components: the HDLC protocol for encapsulating datagrams over point-to-point links; an extensible Link Control Protocol (LCP) to establish, configure, and test the data link connection; and a family of Network Control Protocols (NCPs) for establishing and configuring different network layer protocols. PPP allows the simultaneous use of multiple network layer protocols. Some of the more common NCPs are the Internet Protocol Control Protocol, AppleTalk Control Protocol, Novell IPX Control Protocol, Cisco Systems Control Protocol, SNA Control Protocol, and Compression Control Protocol.

22 PPP layered architecture Physical Layer
PPP operates across any DTE/DCE interface (RS-232-C, RS-422, RS-423, or V.35). The only absolute requirement imposed by PPP is a duplex circuit, either dedicated or switched, that can operate in either asynchronous or synchronous mode and that is transparent to the PPP link layer frames.

23 PPP layered architecture Datalink Layer
The LCP provides automatic configuration of the interfaces at each end, including:
- Handling varying limits on packet size
- Detecting common misconfiguration errors
- Terminating the link
- Determining when a link is functioning properly or when it is failing
The LCP is the real working part of PPP. The LCP sits on top of the physical layer and has a role in establishing, configuring, and testing the data-link connection. The LCP establishes the point-to-point link. The LCP also negotiates and sets up control options on the WAN data link, which are handled by the NCPs. PPP also uses the LCP to agree automatically on encapsulation formats (authentication, compression, error detection) as soon as the link is established.

24 PPP layered architecture Network Layer
PPP permits multiple network layer protocols to operate on the same communications link. For every network layer protocol used, PPP uses a separate NCP. For example, IP uses the IP Control Protocol (IPCP), and IPX uses the Novell IPX Control Protocol (IPXCP). NCPs include functional fields containing standardised codes (PPP protocol field numbers shown in the figure) to indicate the network layer protocol that PPP encapsulates. Each NCP manages the specific needs required by its respective network layer protocols. The various NCP components encapsulate and negotiate options for multiple network layer protocols.

25 PPP Session Establishment
PPP session establishment progresses through three phases:
- Link establishment
- Authentication
- Network layer protocol phase

26 PPP Session Establishment (Detail)
1. Link establishment (LCP)
2. Authentication - optional (LCP)
3. Link quality determination - optional (LCP)
4. Network layer protocol configuration (NCPs)
5. Link termination (LCP)
Phase 1: Link establishment and configuration negotiation - Before PPP exchanges any network layer datagrams (for example, IP), the LCP must first open the connection and negotiate configuration options. This phase is complete when the receiving router sends a configuration-acknowledgment frame back to the router initiating the connection.
Phase 2: Link quality determination (optional) - The LCP tests the link to determine whether the link quality is sufficient to bring up network layer protocols. The LCP can delay transmission of network layer protocol information until this phase is complete.
Phase 3: Network layer protocol configuration negotiation - After the LCP has finished the link quality determination phase, the appropriate NCP can separately configure the network layer protocols, and bring them up and take them down at any time. If the LCP closes the link, it informs the network layer protocols so that they can take appropriate action.
The link remains configured for communications until explicit LCP or NCP frames close the link, or until some external event occurs (for example, an inactivity timer expires or a user intervenes). The LCP can terminate the link at any time. This is usually done when one of the routers requests termination, but can happen because of a physical event, such as the loss of a carrier or the expiration of an idle-period timer.

27 PPP Session Establishment (Detail)
The link establishment process starts with the initiating device sending a Configure-Request frame to the responder. The Configure-Request frame includes a variable number of configuration options needed to set up the link. In other words, the initiator has sent a "wish list" to the responder. The initiator's wish list includes options for how it wants the link created, including protocol or authentication parameters. The responder processes the wish list, and if it is acceptable responds with a Configure-Ack message. After receiving the Configure-Ack message, the process moves on to the authentication stage. If the options are not acceptable or not recognized, the responder sends a Configure-Nak or Configure-Reject. If a Configure-Ack is received, the operation of the link is handed over to the NCP. If either a Configure-Nak or Configure-Reject message is sent to the requester, the link is not established. If the negotiation fails, the initiator needs to restart the process with new options.
During link maintenance, LCP can use messages to provide feedback and test the link:
- Code-Reject and Protocol-Reject - These frame types provide feedback when one device receives an invalid frame due to either an unrecognized LCP code (LCP frame type) or a bad protocol identifier.
- Echo-Request, Echo-Reply, and Discard-Request - These frames can be used for testing the link.
After the transfer of data at the network layer completes, the LCP terminates the link. In the figure, notice that the NCP only terminates the network layer and NCP link. The link remains open until the LCP terminates it. If the LCP terminates the link before the NCP, the NCP session is also terminated.
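The Configure-Request / Configure-Ack / Configure-Nak / Configure-Reject cycle just described is easiest to follow as a small state machine. The following is an added example, not code from the slides: it models one initiator "wish list" being trimmed and adjusted until the responder acks it. The option type numbers (1 = MRU, 3 = Authentication-Protocol, 5 = Magic-Number) and the authentication protocol identifiers (0xC023 = PAP, 0xC223 = CHAP) are the values from RFC 1661 and RFC 1994; the responder policy, the unknown option type 99 and the magic number are constructed for the demonstration. The policy deliberately naks a PAP request and counter-proposes CHAP, which is how a responder refuses to let the link be negotiated down to plaintext authentication.

```python
"""Toy model of the LCP option negotiation (RFC 1661).
Added example, not part of the original slides."""

# LCP configuration option types and Authentication-Protocol values (RFC 1661 / RFC 1994)
MRU, AUTH_PROTOCOL, MAGIC_NUMBER = 1, 3, 5
PAP, CHAP = 0xC023, 0xC223
KNOWN_OPTIONS = {MRU, AUTH_PROTOCOL, MAGIC_NUMBER}

ACK, NAK, REJECT = "Configure-Ack", "Configure-Nak", "Configure-Reject"


def responder_policy(option_type, value):
    """Assumed responder policy: returns (acceptable, preferred_value).
    MRU above 1500 is countered with 1500; any authentication protocol
    other than CHAP is countered with CHAP; any magic number is fine."""
    if option_type == MRU:
        return value <= 1500, min(value, 1500)
    if option_type == AUTH_PROTOCOL:
        return value == CHAP, CHAP
    if option_type == MAGIC_NUMBER:
        return True, value
    return False, None


def evaluate_request(options):
    """Responder side: one Configure-Request in, one (code, options) reply out.
    RFC 1661 order: reject unrecognised options first, then nak the
    recognised-but-unacceptable ones, otherwise ack the whole request."""
    unknown = {t: v for t, v in options.items() if t not in KNOWN_OPTIONS}
    if unknown:
        return REJECT, unknown
    naks = {}
    for option_type, value in options.items():
        acceptable, preferred = responder_policy(option_type, value)
        if not acceptable:
            naks[option_type] = preferred
    if naks:
        return NAK, naks
    return ACK, dict(options)


def negotiate(wish_list, max_rounds=5):
    """Initiator side: resend an adjusted wish list until it is acked.
    Returns (link_established, transcript) where each transcript entry is
    (request_sent, reply_code, reply_options)."""
    request = dict(wish_list)
    transcript = []
    for _ in range(max_rounds):
        code, reply = evaluate_request(request)
        transcript.append((dict(request), code, reply))
        if code == ACK:
            return True, transcript
        if code == REJECT:
            for option_type in reply:       # drop options the peer does not understand
                request.pop(option_type)
        else:                               # NAK: adopt the peer's preferred values
            request.update(reply)
    return False, transcript


def demo():
    """Constructed wish list: oversized MRU, PAP, a magic number and an unknown option 99."""
    return negotiate({MRU: 2000, AUTH_PROTOCOL: PAP, MAGIC_NUMBER: 0x1A2B3C4D, 99: b"x"})


if __name__ == "__main__":
    established, transcript = demo()
    for sent, code, reply in transcript:
        print(f"-> Configure-Request {sent}\n<- {code} {reply}")
    print("link established:", established)
```

Running the demo produces three rounds: a Configure-Reject for option 99, a Configure-Nak proposing MRU 1500 and CHAP, and finally a Configure-Ack, after which the slides' authentication phase would begin.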

28 PPP NCP Process (Detail)
After the LCP has configured and authenticated the basic link, the appropriate NCP is invoked to complete the specific configuration of the network layer protocol being used. When the NCP has successfully configured the network layer protocol, the network protocol is in the open state on the established LCP link. At this point, PPP can carry the corresponding network layer protocol packets.
Example NCP process for IP - after LCP has established the link, the routers exchange IP Control Protocol (IPCP) messages, negotiating options specific to the protocol. IPCP is responsible for configuring, enabling, and disabling the IP modules on both ends of the link. IPCP negotiates two options:
- Compression - Allows devices to negotiate an algorithm to compress TCP and IP headers and save bandwidth. Van Jacobson TCP/IP header compression reduces the size of the TCP/IP headers to as few as 3 bytes. This can be a significant improvement on slow serial lines, particularly for interactive traffic.
- IP-Address - Allows the initiating device to specify an IP address to use for routing IP over the PPP link, or to request an IP address for the responder. Dialup network links commonly use the IP address option.
When the NCP process is complete, the link goes into the open state and LCP takes over again. Link traffic consists of any possible combination of LCP, NCP, and network layer protocol packets.

29 Configuring PPP
    Router#configure terminal
    Router(config)#interface serial 0/0
    Router(config-if)#encapsulation ppp
This enables PPP encapsulation on serial interface 0/0. The encapsulation ppp command has no arguments; however, first configure the router with an IP routing protocol to use PPP encapsulation.

30 Configuring Compression
    Router(config)#interface serial 0/0
    Router(config-if)#encapsulation ppp
    Router(config-if)#compress [predictor|stac]
Point-to-point software compression can be configured on serial interfaces that use PPP encapsulation. Compression is performed in software and might significantly affect system performance. Compression is not recommended if most of the traffic consists of already compressed files (.zip, .tar, or .mpeg, for example); in that case, do not use this option.

31 Configuring Link Quality Monitoring
    Router(config)#interface serial 0/0
    Router(config-if)#encapsulation ppp
    Router(config-if)#ppp quality percentage
Link Quality Monitoring (LQM) is available on all serial interfaces running PPP. LQM monitors the link quality, and if the quality drops below the configured percentage, the link is taken down. LCP provides an optional link quality determination phase. In this phase, LCP tests the link to determine whether the link quality is sufficient to use Layer 3 protocols. The command ppp quality percentage ensures that the link meets the quality requirement set; otherwise, the link closes down. The percentages are calculated for both incoming and outgoing directions. The outgoing quality is calculated by comparing the total number of packets and bytes sent to the total number of packets and bytes received by the destination node. The incoming quality is calculated by comparing the total number of packets and bytes received to the total number of packets and bytes sent by the destination node. If the link quality percentage is not maintained, the link is deemed to be of poor quality and is taken down. LQM implements a time lag so that the link does not bounce up and down.

32 LCP and NCP
The show interfaces command reveals the LCP and NCP states under PPP configuration. The PPP link remains configured for communications until LCP or NCP frames close the link, or until an inactivity timer expires or a user intervenes.

33 Debug PPP command options
- packet – Displays PPP packets being sent and received.
- negotiation – Displays PPP packets transmitted during PPP start-up, during the options negotiation phase.
- error – Displays protocol error statistics associated with PPP connection and negotiation.
- authentication – Displays authentication protocol messages, including CHAP and PAP exchanges.
- compression – Useful for obtaining incorrect packet sequence number information when compression is enabled.
Debug displays information about various router operations and the related traffic generated or received by the router, as well as any error messages. It is a very useful and informative tool, but note that Cisco IOS treats debug as a high priority task; it consumes a significant amount of resources and forces the router to process-switch the packets being debugged. Debug must not be used as a monitoring tool; it is meant to be used for a short period of time for troubleshooting.

34 PPP Authentication
PPP defines an extensible LCP that allows negotiation of an authentication protocol for authenticating its peer before allowing network layer protocols to transmit over the link. RFC 1334 defines two protocols for authentication, PAP and CHAP.
PAP is a very basic two-way process. There is no encryption: the username and password are sent in plain text. If they are accepted, the connection is allowed.
CHAP is more secure than PAP. It involves a three-way exchange of a shared secret.

35 Password Authentication Protocol (PAP)
PAP provides a simple method for a remote node to establish its identity, using a two-way handshake. After the PPP link establishment phase is complete, a username/password pair is repeatedly sent by the remote node across the link until authentication is acknowledged or the connection is terminated. At the receiving node, the username/password pair is checked by an authentication server that either allows or denies the connection. An accept or reject message is returned to the requester. The remote node is in control of the frequency and timing of the login attempts.
PAP is not a strong authentication protocol. Using PAP, passwords are sent across the link in clear text and there is no protection from playback or repeated trial-and-error attacks. Nonetheless, there are times when using PAP can be justified. For example, despite its shortcomings, PAP may be used in the following environments:
- A large installed base of client applications that do not support CHAP.
- Incompatibilities between different vendor implementations of CHAP.
- Situations where a plaintext password must be available to simulate a login at the remote host.

36 Configuring PAP
The slide shows an example of a two-way PAP authentication configuration between R1 and R2 connected back-to-back on their Serial0 interfaces (172.25.3.0/24 link, one end DTE and the other DCE). The IP addresses below are reconstructed from the diagram's .1 and .2 labels; which router holds .1 is not legible in the slide and is assumed here.

R1:
    hostname R1
    username R2 password R2cisco
    !
    interface Serial0
     ip address 172.25.3.1 255.255.255.0
     encapsulation ppp
     ppp authentication pap
     ppp pap sent-username R1 password R1cisco

R2:
    hostname R2
    username R1 password R1cisco
    !
    interface Serial0
     ip address 172.25.3.2 255.255.255.0
     encapsulation ppp
     ppp authentication pap
     ppp pap sent-username R2 password R2cisco

Both routers authenticate and are authenticated, so the PAP authentication commands mirror each other. The PAP username and password that each router sends with ppp pap sent-username must match those specified with the username name password password command of the other router. PAP provides a simple method for a remote node to establish its identity using a two-way handshake. This is done only upon initial link establishment.
Notes: sent-username and password must match the local username and password on the other router. Usernames and passwords are case-sensitive; hostnames are not involved.

37 Challenge Handshake Authentication Protocol (CHAP)
Once authentication is complete with PAP, it essentially stops working: the peer is never checked again for the life of the link, which leaves the network vulnerable to an attacker who takes over or replays the session. Unlike PAP, which only authenticates once, CHAP conducts periodic challenges to make sure that the remote node still has a valid password value. The value the remote node sends is variable and changes unpredictably while the link exists, because it is derived from a fresh challenge each time. After the PPP link establishment phase is complete, the local router sends a challenge message to the remote node. The remote node responds with a value calculated using a one-way hash function, typically Message Digest 5 (MD5), over the challenge identifier, the shared password and the challenge value; the password itself never crosses the link. The local router checks the response against its own calculation of the expected hash value. If the values match, the local router acknowledges the authentication; otherwise it immediately terminates the connection.

38 Challenge Handshake Authentication Protocol (CHAP)
CHAP is used at the startup of a link and periodically verifies the identity of the remote node using a three-way handshake. CHAP provides protection against playback attack by using a variable challenge value that is unique and unpredictable. Because the challenge is unique and random, the resulting hash value is also unique and random, so a response captured from one exchange is useless against any later challenge. The use of repeated challenges limits the time of exposure to any single attack. The local router or a third-party authentication server is in control of the frequency and timing of the challenges.
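An added example, not code from the slides: the CHAP three-way handshake of RFC 1994 with the MD5 algorithm, showing both routers' messages. It covers the periodic challenge described on the previous slide, the unique-challenge argument above (a captured response is replayed and fails), and uses the same code values (1 = Challenge, 2 = Response, 3 = Success, 4 = Failure) that the debug ppp authentication slide later lists. The username table mirrors the username command from the configuration slide; the class and function names, the shared secret "cisco", the 16-byte challenge size and the constant-time comparison are this example's own assumptions.

```python
import hashlib
import hmac
import os
import struct

# CHAP codes (RFC 1994); the same values 'debug ppp authentication' reports as code = N
CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4


def chap_hash(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """The MD5 response value: MD5(Identifier || secret || Challenge-Value), 16 bytes."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def build_packet(code: int, ident: int, value: bytes, name: bytes) -> bytes:
    """Challenge/Response layout: Code(1) Identifier(1) Length(2) Value-Size(1) Value Name."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_packet(pkt: bytes):
    if len(pkt) < 5:
        raise ValueError("CHAP packet too short")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("CHAP length field does not match the packet")
    size = pkt[4]
    return code, ident, pkt[5:5 + size], pkt[5 + size:]


class Authenticator:
    """Local router: holds the 'username <name> password <secret>' table and issues challenges."""

    def __init__(self, hostname: str, user_db: dict, rng=os.urandom):
        self.hostname = hostname.encode()
        self.user_db = user_db
        self.rng = rng
        self.pending = {}  # identifier -> outstanding challenge value

    def challenge(self, ident: int) -> bytes:
        value = self.rng(16)  # unique and unpredictable for every challenge
        self.pending[ident] = value
        return build_packet(CHAP_CHALLENGE, ident, value, self.hostname)

    def verify(self, response_pkt: bytes) -> int:
        code, ident, value, name = parse_packet(response_pkt)
        challenge = self.pending.pop(ident, None)  # consumed once; a second use finds nothing
        if code != CHAP_RESPONSE or challenge is None:
            return CHAP_FAILURE
        secret = self.user_db.get(name)  # Name must match a local 'username' entry
        if secret is None:
            return CHAP_FAILURE  # 'unknown name' / 'no secret for given name'
        expected = chap_hash(ident, secret, challenge)
        if len(value) != len(expected):
            return CHAP_FAILURE  # 'short MD5 response received'
        # Constant-time comparison is this example's choice; the slides do not discuss it.
        return CHAP_SUCCESS if hmac.compare_digest(value, expected) else CHAP_FAILURE


class Peer:
    """Remote node: answers with its name (hostname, or 'ppp chap hostname <name>') and the hash."""

    def __init__(self, name: str, secret: bytes):
        self.name = name.encode()
        self.secret = secret

    def respond(self, challenge_pkt: bytes) -> bytes:
        code, ident, value, _authenticator_name = parse_packet(challenge_pkt)
        if code != CHAP_CHALLENGE:
            raise ValueError("expected a CHAP Challenge")
        # Only the hash leaves the node; the secret itself never crosses the link.
        return build_packet(CHAP_RESPONSE, ident, chap_hash(ident, self.secret, value), self.name)


def handshake(auth: Authenticator, peer: Peer, ident: int) -> int:
    """One three-way exchange (Challenge, Response, Success/Failure); repeated while the link is up."""
    return auth.verify(peer.respond(auth.challenge(ident)))


def replay(auth: Authenticator, captured_response: bytes, new_ident: int) -> int:
    """Attacker re-sends a response captured earlier, after a fresh challenge has been issued.
    Even relabelling it with the new identifier cannot help: the hash covers the old challenge."""
    auth.challenge(new_ident)
    relabelled = captured_response[:1] + bytes([new_ident]) + captured_response[2:]
    return auth.verify(relabelled)


if __name__ == "__main__":
    # Constructed sample: R1 has 'username R2 password cisco'; R2 uses the same shared secret.
    r1 = Authenticator("R1", {b"R2": b"cisco"})
    r2 = Peer("R2", b"cisco")
    print("handshake:", handshake(r1, r2, 1))                        # 3 = Success
    print("wrong secret:", handshake(r1, Peer("R2", b"Cisco"), 2))   # 4 = Failure (case-sensitive)
    good = r2.respond(r1.challenge(3))
    print("fresh response:", r1.verify(good))                        # 3
    print("replayed response:", replay(r1, good, 4))                 # 4
```

Compare this with the PAP case: the captured CHAP response carries a hash bound to one challenge value, so the authenticator's fresh random challenge turns the recording into garbage, while a recorded PAP request is accepted every time.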

39 Configuring CHAP
Topology as in the PAP example: R1 Serial0 and R2 Serial0 back to back on 172.25.3.x/24 (.1 and .2), one end DTE and the other DCE.

R1:
  hostname R1
  username R2 password cisco
  interface Serial0
   ip address
   encapsulation ppp
   ppp authentication chap
   ppp chap hostname R1   (optional)

R2:
  hostname R2
  username R1 password cisco
  interface Serial0
   ip address
   encapsulation ppp
   ppp authentication chap
   ppp chap hostname R2   (optional)

CHAP periodically verifies the identity of the remote node using a three-way handshake; this is done upon initial link establishment and can be repeated at any time after the link has been established. The name each router sends in its response is its hostname unless the interface command ppp chap hostname is used to send a different name; that name must match a username command on the other router (this match is not case-sensitive). The password in the username commands is the shared CHAP secret: it is case-sensitive and must be the same on both routers (cisco here stands for any value both sides agree on), because each router hashes the challenge with the password it has stored under the peer's name. With different values, for example R2cisco on R1 and R1cisco on R2, the two hashes never agree and authentication fails with an MD5 compare error.

40 Configuring PPP Authentication

41 Debug PPP authentication
The debug ppp authentication command displays the authentication exchange sequence. Reading the output on the slide line by line: line 1 reports that the router is unable to authenticate on interface Serial0 because the peer did not send a name; line 2 reports that the router was unable to validate the CHAP response because the username 'pioneer' was not found; line 3 reports that no password was found for 'pioneer'. Other possible messages at this point are: no name received to authenticate, unknown name, no secret for given name, short MD5 response received, or MD5 compare failed. In the last line, code = 4 means a failure has occurred. The CHAP code values are:
1 = Challenge
2 = Response
3 = Success
4 = Failure


43 Any Questions?

44 Chapter 2.5.1 – Basic PPP Config
Lab Topology (figure): R1, R2 and R3 in a row. R2 has a loopback Lo0 (/27) and two serial links, S0/0/0 towards R1 and S0/0/1 towards R3, each a /30 with .1 and .2 at the ends and the DCE side marked in the figure. PC1 is on R1 Fa0/1 and PC3 is on R3 Fa0/1, each on a /24 LAN.

