3-6 Point-to-Point Protocol (PPP)

  • PPP encapsulates network layer packets for transport over point-to-point links.

  • PPP is supported on DDR interfaces as well as fixed point-to-point interfaces.

  • Authentication is supported over PPP using Challenge Handshake Authentication Protocol (CHAP) or Password Authentication Protocol (PAP).

  • With CHAP or PAP authentication, users and other routers can be properly authenticated when they connect. In addition, a router host name is used during authentication and to prevent additional calls if it is already connected.

  • CHAP offers a handshake procedure by using the local host name in a challenge to the remote user or router. The remote side responds with its host name and an encrypted password. The passwords and encryption methods used must match on both ends of the connection.

  • PAP requires the remote user or router to send both a username and a password to be authenticated. There are no challenges or shared secret passwords, and passwords are sent in the clear with no encryption.

  • Link Quality Monitoring (LQM) compares the PPP packets exchanged between two peers. When the percentage of good packets falls below a threshold, the PPP connection is torn down.

  • IP addresses can be negotiated using the IP Control Protocol (IPCP). A router can assign addresses to dial-in peers by proxying DHCP requests and replies, from a locally defined IP address pool, or from a static IP address configuration.

  • Multilink PPP (MLP) uses multiple PPP links to provide load balancing and packet fragmentation. The multiple links can be brought up in succession, depending on traffic thresholds.

  • PPP callback can be used to have a calling (client) router request that the destination (server) router call it back. The client router's authentication information is given to the server router. If it can be authenticated, and a dial string is found for the return call, the call is reversed.
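As an added example (not from the Field Manual), the following Python models the CHAP and PAP bullets above: a CHAP handshake in the RFC 1994 MD5 variant (response = MD5 over identifier, shared secret and challenge) checked against a local username/password table like the one `username name password password` builds, beside a PAP request, and what a passive observer of the link sees in each case. Packet layouts are simplified to the fields that matter; host names and secrets are constructed.

```python
import hashlib
import hmac
import os

# Constructed equivalent of IOS "username <name> password <secret>" entries.
SECRETS = {"Remote": b"letmein", "Branch2": b"s3cret"}

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 MD5-CHAP response: MD5(Identifier || secret || Challenge).
    The secret never crosses the link; only this digest of a fresh challenge does."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def chap_exchange(local_name: str, peer_name: str, peer_secret: bytes,
                  challenge=None, identifier: int = 1):
    """One CHAP handshake; returns (authenticated, simplified bytes seen on the wire)."""
    if challenge is None:
        challenge = os.urandom(16)          # fresh per call, so a captured reply is useless later
    # Challenge packet: random value plus the authenticator's own host name.
    challenge_pkt = bytes([1, identifier, len(challenge)]) + challenge + local_name.encode()
    # Response packet: peer hashes its copy of the secret with the challenge, adds its host name.
    digest = chap_response(identifier, peer_secret, challenge)
    response_pkt = bytes([2, identifier, len(digest)]) + digest + peer_name.encode()
    # Authenticator recomputes with the secret it holds for that host name.
    known = SECRETS.get(peer_name)
    ok = known is not None and hmac.compare_digest(
        digest, chap_response(identifier, known, challenge))
    return ok, challenge_pkt + response_pkt

def pap_exchange(peer_name: str, peer_password: bytes):
    """PAP Authenticate-Request: peer-id and password as plain octet strings."""
    request_pkt = (bytes([len(peer_name)]) + peer_name.encode()
                   + bytes([len(peer_password)]) + peer_password)
    known = SECRETS.get(peer_name)
    ok = known is not None and hmac.compare_digest(known, peer_password)
    return ok, request_pkt

def secret_visible_on_wire(wire: bytes, secret: bytes) -> bool:
    """What a passive observer of the link learns: is the secret itself in the capture?"""
    return secret in wire

if __name__ == "__main__":
    ok, wire = chap_exchange("HQ", "Remote", SECRETS["Remote"])
    print("CHAP ok:", ok, "secret on wire:", secret_visible_on_wire(wire, b"letmein"))
    ok, wire = pap_exchange("Remote", b"letmein")
    print("PAP  ok:", ok, "secret on wire:", secret_visible_on_wire(wire, b"letmein"))
```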

Configuration

  1. Enable PPP encapsulation on an interface:

     (interface) encapsulation ppp

    PPP encapsulation can be enabled on both logical and physical dialer interfaces, asynchronous, synchronous serial, HSSI, and ISDN interfaces.

  2. (Async interfaces only) Select the interface mode:

     (interface) async mode {dedicated | interactive}

    In dedicated mode, the interface uses PPP encapsulation continuously. A user connected to the interface does not receive a login prompt or an EXEC session with the router. In interactive mode, a user receives normal login and password prompting (if configured) and is presented with an EXEC session on the router. The user is free to use other router commands and must then issue the ppp command to start PPP encapsulation.

  3. (Optional) Use PPP authentication:

     (interface) ppp authentication {protocol1 [protocol2...]} [if-needed] [list-name | default] [callin] [one-time]

    PPP can use one or more authentication protocols (chap, pap, or ms-chap), listed in the order that they are tried. The ms-chap method can be used for CHAP between a router and a Microsoft Windows device. If you are using AAA with TACACS+ authentication, the if-needed keyword prevents PAP or CHAP from being used when the user is already authenticated. If configured, either the list-name AAA method list (aaa authentication ppp) or the default method list is used to perform AAA authentication. The callin keyword performs authentication only on incoming calls. Rather than giving the username and password separately, the one-time keyword can be used to present both at once.

    NOTE

    If AAA authentication is not used, you must configure the remote router host names and their shared secret passwords before CHAP will work. Use username name password password to define the router's host name as the username. For further information, refer to Section 1-1 for local username authentication, and refer to Section 13-1 for AAA authentication configuration.

  4. (Optional) Use PPP callback to increase security or to lower toll costs.

    1. (Optional) Request a callback from a remote peer (callback client):

       (interface) ppp callback request

      As soon as a call is made to a peer router, the local router requests that it be called back to complete the PPP connection.

    2. (Optional) Accept a callback request (callback server):

       (interface) ppp callback accept
       (interface) dialer callback-server [username] [dialstring]
       (interface) dialer callback-secure

      The router accepts incoming calls that request PPP callback service. If the incoming peer router is authenticated by PPP, the call is completed. Then the local router initiates a call back to the requesting router. If authentication is successful, the PPP connection is established. The username keyword (the default) can be given to look up and authenticate the router host name in a dialer map command. The dialstring keyword is used to identify the return call during callback negotiation. The callback-secure keyword can be used to drop callback requests if the username or host name cannot be authenticated and approved for callback.

  5. (Optional) Use LQM on the PPP interface:

     (interface) ppp quality percentage

    The number of PPP packets sent and received is compared to the number collected by the remote router. If the percentage of successful packet transfers falls below the percentage (1 to 100) threshold, the PPP link is shut down.

  6. (Optional) Assign IP addresses over PPP.

    1. (Optional) Use DHCP proxy to relay an address.

      • Enable DHCP proxy:

         (global) ip address-pool dhcp-proxy-client

        The router accepts DHCP requests from the far end and relays them to a DHCP server.

      • Relay requests to one or more DHCP servers:

         (global) ip dhcp-server [ip-address | name]

        The router relays DHCP requests to the server identified by ip-address or the host name. Up to ten DHCP servers can be configured.

      • Assign an address over the PPP interface:

         (interface) peer default ip address pool dhcp

        The far-end PPP peer receives an address from the DHCP server.

    2. (Optional) Use an address from a local pool.

      • Enable a local address pool:

         (global) ip address-pool local

        The router uses a pool of IP addresses from its own configuration.

      • Define the address pool:

         (global) ip local pool {default | pool-name} low-ip-address [high-ip-address]

        The pool can be named either default or pool-name (a text string). The range of IP addresses starts at the lowest IP address, low-ip-address, and ends at the highest IP address, high-ip-address. If the upper limit is not given, the pool consists of a single address.

      • Assign an address over the PPP interface:

         (interface) peer default ip address pool pool-name

        The router assigns the PPP peer an address from the locally defined pool called pool-name.

    3. (Optional) Assign a specific IP address over the PPP interface:

       (interface) peer default ip address ip-address

      Use this method if there are few IP addresses to assign to dial-in peers.

      NOTE

      If the remote dial-in PPP peer is another router, you must configure the remote PPP interface to accept a negotiated IP address. Use the (interface) ip address negotiated command.

    4. (Optional) Permit routing protocol traffic to pass over an asynchronous interface:

       (interface) async dynamic routing

      By default, no dynamic routing protocol traffic is allowed to pass over an asynchronous interface. Use this command if you need to exchange routing information over an asynchronous PPP interface.

  7. (Optional) Use Multilink PPP (MLP).

    1. Enable MLP on one or more interfaces:

       (interface) ppp multilink

      Usually, MLP is configured on a logical dialer interface so that all physical interfaces used in a rotary group or dialer pool are added to the bundle.

    2. (Optional) Use MLP interleaving to fragment large packets:

       (interface) ppp multilink interleave
       (interface) ppp multilink fragment delay milliseconds

      Packets destined for an MLP interface are fragmented and distributed across the links in the MLP bundle. The size of the fragments is governed by the required fragment transmission time milliseconds (1 to 1000 milliseconds; the default is 30). This feature is especially useful for the delivery of time-critical protocols such as voice traffic. Voice traffic requires a maximum packet serialization delay of 10 milliseconds.

Example

A router is configured for DDR using two ISDN interfaces, BRI 0 and BRI 1. A logical dialer interface is configured for PPP encapsulation, CHAP authentication, and Multilink PPP. The dialer interface uses a dialer pool that consists of both BRI interfaces. Additional B channels are brought up when the overall traffic load of the interfaces in use reaches 50 percent (a threshold value of 255 times 50 percent, or 128). Multilink PPP fragmentation and interleaving are also configured to allow time-critical traffic such as voice to receive a guaranteed transmission delay of 10 milliseconds.

  username Remote password letmein
  interface dialer 1
   ip address 192.168.254.1 255.255.255.0
   encapsulation ppp
   dialer in-band
   dialer load-threshold 128
   dialer-group 10
   ppp authentication chap
   ppp multilink
   ppp multilink interleave
   ppp multilink fragment delay 10
   dialer pool 5
  interface bri 0
   encapsulation ppp
   dialer pool-member 5
   dialer load-threshold 128
  interface bri 1
   encapsulation ppp
   dialer pool-member 5
   dialer load-threshold 128
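Added example, not part of the Field Manual: a small Python audit that splits an IOS-style configuration into interface stanzas and flags the settings this section describes as weaker: PPP encapsulation with no ppp authentication on the interface, pap in the authentication list, and a callback server without dialer callback-secure. The sample configuration is constructed for the example and is not from a real device.

```python
from collections import defaultdict

# Constructed IOS-style configuration excerpt for the audit (not from a real device).
SAMPLE_CONFIG = """\
username Remote password letmein
interface dialer 1
 encapsulation ppp
 ppp authentication chap
interface dialer 2
 encapsulation ppp
 ppp authentication pap chap callin
 ppp callback accept
 dialer callback-server username
interface serial 0
 encapsulation ppp
 ip address 10.0.0.1 255.255.255.252
"""

AUTH_PROTOCOLS = {"chap", "pap", "ms-chap"}   # keywords the ppp authentication command accepts

def parse_interfaces(config: str) -> dict:
    """Group the indented lines of each 'interface X' stanza under its name."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1].strip()
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None            # any unindented line ends the stanza
    return stanzas

def audit_ppp(config: str) -> dict:
    """Return {interface: [finding, ...]} for the weaker PPP settings this section describes."""
    findings = defaultdict(list)
    for name, lines in parse_interfaces(config).items():
        if "encapsulation ppp" not in lines:
            continue
        auth = [l for l in lines if l.startswith("ppp authentication ")]
        if not auth:
            findings[name].append("encapsulation ppp without ppp authentication")
        elif "pap" in [t for t in auth[0].split()[2:] if t in AUTH_PROTOCOLS]:
            findings[name].append("pap in authentication list (password sent in the clear)")
        if any(l.startswith("dialer callback-server") for l in lines) \
                and "dialer callback-secure" not in lines:
            findings[name].append("callback server without dialer callback-secure")
    return dict(findings)

if __name__ == "__main__":
    for iface, notes in audit_ppp(SAMPLE_CONFIG).items():
        print(iface, "->", "; ".join(notes))
```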


Cisco Field Manual: Router Configuration
ISBN: 1587050242
Year: 2005
Pages: 185
