Point to Point Protocol
- Media independent encapsulation
- Serial, Ethernet, SONET etc
- Headers
- PPP header is 2 bytes
- PPPoE header is 6 bytes in length
- Total PPPoE + PPP header is 8 bytes
- Configured at interface level
- Command:
- (config-if)#encapsulation ppp
PPP Control Protocols
- PPP uses LCP and NCP to negotiate higher layer protocols
LCP - Link Control Protocol
- Magic Number used to identify each side of the link
- Link negotiation
- Speed
- Duplex
- Authentication
- Encryption
- Multilink capability
NCP - Network Control Protocol
- Routing information
- Installs a host route to the other end of the link (peer neighbor route)
- Ensures the recursive lookup on the server's next-hop address succeeds
- Makes default / other routes valid
- Can be disabled manually
- Command:
- (config-if)#no peer neighbor-route
- PPP client doesn't need to be on the same subnet as PPP server
PPP Authentication
- Optional
- Not mandatory to have 2 way authentication
- Can authenticate in a single direction
- Normally PPP server authenticates PPP client
- Consists of Authenticator and Authenticatee
- Authenticator generates authentication request (PPP server)
- Authenticatee generates authentication response (PPP client)
- Username and password are NOT case-sensitive on any authentication method unless you have AAA enabled
PAP
- Password Authentication Protocol
- Sends password in clear text
Authenticator - PPP Server
- Creates authentication request
- Commands:
- (config-if)#ppp authentication pap
- (config)#username <username> password <password>
Authenticatee - PPP Client
- Generates authentication response
- Command:
- (config-if)#no ppp pap refuse
- (config-if)#ppp pap sent-username <username> password <password>
CHAP
- Challenge Handshake Authentication Protocol
- Uses MD5 hash to authenticate
- Password needs to be configured on both ends
- CHAP password is required to be in clear text in the configuration of the device for MD5 hashing to work
- Can not use the 'secret' variant, has to be 'password'
Authenticator - PPP Server
- Request PPP authentication mode as CHAP from client
- Command:
- (config-if)#ppp authentication chap
- Send local hostname in CHAP request
- Command:
- (config-if)#ppp chap username <client-hostname> password <password> - Interface level
- (config)#username <client-hostname> password <password> - Global configuration
Authenticatee - PPP Client
- Have to enable CHAP authentication on interface
- Command:
- (config-if)#no ppp chap refuse
- Looks in local database of users for hostname sent in CHAP request from authenticator and responds with corresponding password
- Command:
- (config-if)#ppp chap password <password> - Interface level
- (config)#username <server-hostname> password <password> - Global configuration
- Alternative to username/password configuration
- Command:
- (config-if)#ppp chap hostname <hostname>
- (config-if)#ppp chap password <password>
- Can use AAA lists for PPP authentication
- Command:
- (config-if)#ppp authentication chap <aaa-named-list>
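The CHAP exchange described in this section, as an added example that is not part of the original notes: the authenticator (PPP server) sends a random challenge plus its hostname, the authenticatee (PPP client) looks that hostname up in its local user database and answers with MD5(id || password || challenge), and the server recomputes the same hash from the client's hostname entry. Hostnames and the password are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample values for this example (not from the original notes).
CLIENT_HOSTNAME = "R2"
SERVER_HOSTNAME = "R1"
SHARED_PASSWORD = "cisco123"  # 'username <peer> password <pw>' on BOTH routers, clear text


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


class Authenticator:
    """PPP server side: sends the challenge and checks the response."""
    def __init__(self, hostname: str, user_db: dict):
        self.hostname = hostname
        self.user_db = user_db       # client-hostname -> clear-text password
        self.outstanding = {}        # identifier -> challenge still awaiting a response

    def challenge(self) -> tuple:
        ident = os.urandom(1)[0]
        chal = os.urandom(16)        # fresh per exchange, so an old response cannot be replayed
        self.outstanding[ident] = chal
        return ident, chal, self.hostname   # hostname travels in the Challenge packet

    def verify(self, ident: int, response: bytes, peer_name: str) -> bool:
        chal = self.outstanding.pop(ident, None)   # each challenge is usable once
        pw = self.user_db.get(peer_name)
        if chal is None or pw is None:
            return False
        # Recomputing the MD5 needs the peer's clear-text password, which is why
        # 'username ... secret' (a one-way hash) cannot be used for CHAP.
        return hmac.compare_digest(chap_response(ident, pw, chal), response)


class Authenticatee:
    """PPP client side: looks up the server's hostname and answers the challenge."""
    def __init__(self, hostname: str, user_db: dict):
        self.hostname = hostname
        self.user_db = user_db       # server-hostname -> clear-text password

    def respond(self, ident: int, chal: bytes, server_name: str) -> tuple:
        pw = self.user_db[server_name]
        return ident, chap_response(ident, pw, chal), self.hostname


def run_chap(client_pw: str = SHARED_PASSWORD, server_pw: str = SHARED_PASSWORD) -> bool:
    """Full exchange; True only when both ends hold the same password."""
    server = Authenticator(SERVER_HOSTNAME, {CLIENT_HOSTNAME: server_pw})
    client = Authenticatee(CLIENT_HOSTNAME, {SERVER_HOSTNAME: client_pw})
    ident, chal, server_name = server.challenge()
    return server.verify(*client.respond(ident, chal, server_name))
```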
MSCHAP
- Microsoft variation of CHAP
- Supports added features to CHAP
EAP
- Extensible Authentication Protocol
- Supports / is used with external authentication servers
- Comparable to PAP
Authenticator - PPP Server
- Enable EAP authentication
- Command:
- (config-if)#ppp authentication eap
- By default EAP tries to authenticate against a remote server
- Has to be manually configured to use local database
- Command:
- (config-if)#ppp eap local
- Have to create client authentication information
- Command:
- (config)#username <eap-identity> password <eap-password>
Authenticatee - PPP Client
- No default EAP identity offered
- Command:
- (config-if)#ppp eap identity <eap identity>
- (config-if)#ppp eap password <password>
PPP Encryption
- Optional setting on PPP
- Relies on the MS-CHAPv2 authentication protocol
- Command:
- (config-if)#ppp authentication ms-chap-v2
- Supports 40 bit and 128 bit encryption
- Encryption key derived from MS-CHAP authentication password
- Command:
- (config-if)#ppp encrypt mppe [40 | 128 | auto] [required]
PPP Multilink
- Similar to EtherChannel but can bundle any interface type
- Can not change load balancing algorithm
- Supports Link Fragmentation and Interleaving (LFI)
- Fragments at Layer 2 so voice packets can be interleaved between data fragments on congested, low-bandwidth links
- Set either the maximum delay or the fragment size; the other value is calculated automatically
- PPP was not designed to be fragmented
- Supported only on serial interfaces
- Create multilink interface
- Command:
- (config)#interface multilink <#>
- Bind multilink to physical interface
- Command (physical interface):
- (config-if)#ppp multilink group <#>
PPP over Ethernet (PPPoE)
- Adds 8 bytes of overhead
- Provides simple authentication
- Runs point-to-point technology on Ethernet (multi-access) interfaces
- Still has to be on the same segment
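The 8 bytes of overhead, as an added example that is not part of the original notes: a parser and builder for the PPPoE session header (6 bytes: version/type, code, session ID, length) followed by the PPP protocol field (2 bytes) that sits in front of every Ethernet payload carried with EtherType 0x8864. The session ID and CHAP body used below are constructed sample values.

```python
import struct

PPPOE_HDR = struct.Struct(">BBHH")   # ver/type, code, session id, payload length = 6 bytes
PPP_HDR = struct.Struct(">H")        # PPP protocol field = 2 bytes
PPPOE_VERTYPE = 0x11                 # version 1, type 1
PPPOE_SESSION_CODE = 0x00            # discovery codes (PADI/PADO/...) carry no PPP header
PPP_PROTOCOLS = {0x0021: "IPv4", 0x0057: "IPv6", 0x8021: "IPCP", 0xC021: "LCP",
                 0xC023: "PAP", 0xC223: "CHAP", 0xC227: "EAP"}


def parse_pppoe_session(payload: bytes) -> dict:
    """Parse the PPPoE + PPP header at the start of an Ethernet payload (EtherType 0x8864)."""
    overhead = PPPOE_HDR.size + PPP_HDR.size
    if len(payload) < overhead:
        raise ValueError("truncated: need %d header bytes" % overhead)
    vertype, code, session_id, length = PPPOE_HDR.unpack_from(payload, 0)
    if vertype != PPPOE_VERTYPE:
        raise ValueError("unsupported PPPoE version/type 0x%02x" % vertype)
    if code != PPPOE_SESSION_CODE:
        raise ValueError("not a session-stage packet (code 0x%02x)" % code)
    # The length field counts everything after the 6-byte PPPoE header, PPP protocol included.
    if length < PPP_HDR.size or length > len(payload) - PPPOE_HDR.size:
        raise ValueError("PPPoE length %d does not fit the frame" % length)
    (proto,) = PPP_HDR.unpack_from(payload, PPPOE_HDR.size)
    return {
        "session_id": session_id,
        "protocol": proto,
        "protocol_name": PPP_PROTOCOLS.get(proto, "unknown"),
        "overhead": overhead,                      # the 8 bytes the notes refer to
        "data": payload[overhead:PPPOE_HDR.size + length],
    }


def build_pppoe_session(session_id: int, proto: int, data: bytes) -> bytes:
    """Build a PPPoE session payload; the inverse of parse_pppoe_session()."""
    return (PPPOE_HDR.pack(PPPOE_VERTYPE, PPPOE_SESSION_CODE, session_id, PPP_HDR.size + len(data))
            + PPP_HDR.pack(proto) + data)


# Constructed sample: session 0x1234 carrying a 4-byte CHAP header (Challenge, id 1, length 4).
SAMPLE_FRAME = build_pppoe_session(0x1234, 0xC223, bytes([0x01, 0x01, 0x00, 0x04]))
```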
PPPoE Server
- Define Broadband Access Aggregation (BBA) Group and apply virtual template configuration
- Command:
- (config)#bba-group pppoe <pppoe-group-name | global>
- (config-bba)#virtual-template <#>
- Enable PPPoE on interface and bind BBA group to link
- Command:
- (config-if)#pppoe enable group <pppoe-group-name | global>
- Define PPP interface
- Command:
- (config)#interface virtual-template <#>
- Apply logical options within virtual template
- Authentication, multilink, IP address etc
- Set IP address on Virtual-Template
- Command:
- (config-if)#ip unnumbered <IF>
- Send IP address to remote node
- Command:
- (config-if)#peer default ip address pool <pool-name>
- Set authentication (if required)
- Command:
- (config-if)#ppp authentication <method>
- Create local IP addressing pool options
- Command:
- (config)#ip local pool <pool-name> <start address> <end address>
PPPoE Client
- Enable PPPoE on interface
- Bind dialer pool (logical interface) to physical interface
- Command:
- (config-if)#pppoe-client dial-pool-number <dialer-pool>
- Define PPP interface (logical interface)
- Command:
- (config)#interface dialer <#>
- (config-if)#encapsulation ppp
- (config-if)#dialer pool <dialer-pool>
- Apply logical options
- Authentication, multilink, IP address etc
- Command:
- (config-if)#ip address negotiated