Exam: 640-802
Exam Objective: Configure and verify a PPP connection between Cisco routers
Contents
- Introduction
- Technology Background
- Lab Scenario
- Lab Objectives
- Lab Solution
Introduction
The Point-to-Point Protocol (PPP) originally emerged as an encapsulation protocol for transporting IP traffic over point-to-point links. PPP also established a standard for the assignment and management of IP addresses, asynchronous (start/stop) and bit-oriented synchronous encapsulation, network protocol multiplexing, link configuration, link quality testing, error detection, and option negotiation for such capabilities as network layer address negotiation and data-compression negotiation.
Technology Background
PPP is a Data Link Layer protocol and supports its functions by providing an extensible Link Control Protocol (LCP) and a family of Network Control Protocols (NCPs) to negotiate optional configuration parameters and facilities. In addition to IP, PPP supports other protocols, including Novell's Internetwork Packet Exchange (IPX) and DECnet.
The PPP LCP provides a method of establishing, configuring, maintaining, and terminating the point-to-point connection. LCP goes through four distinct phases.
First, link establishment and configuration negotiation occur. Before any network layer datagrams (for example, IP) can be exchanged, LCP first must open the connection and negotiate configuration parameters. This phase is complete when a configuration-acknowledgment frame has been both sent and received.
This is followed by link quality determination. LCP allows an optional link quality determination phase following the link-establishment and configuration-negotiation phase. In this phase, the link is tested to determine whether the link quality is sufficient to bring up network layer protocols. This phase is optional. LCP can delay transmission of network layer protocol information until this phase is complete. An optional authentication phase can be initiated here or along with the link-quality determination phase before NCP takes over.
At this point, network layer protocol configuration negotiation occurs. After LCP has finished the link quality determination phase, network layer protocols can be configured separately by the appropriate NCP and can be brought up and taken down at any time. If LCP closes the link, it informs the network layer protocols so that they can take appropriate action.
Finally, link termination occurs. LCP can terminate the link at any time. This usually is done at the request of a user but can happen because of a physical event, such as the loss of carrier or the expiration of an idle-period timer.
PPP can be enabled on an interface using the "encapsulation ppp" command. Along with this, a Layer 3 address is required to ensure communication.
As mentioned before, PPP supports authenticating a link. There are two methods of authentication that can be used with PPP links:
Password Authentication Protocol (PAP): The Password Authentication Protocol (PAP) is the less secure of the two methods. Passwords are sent in clear text, and PAP is only performed upon the initial link establishment. When the PPP link is first established, the remote node sends the username and password back to the originating router until authentication is acknowledged.
Challenge Handshake Authentication Protocol (CHAP): The Challenge Handshake Authentication Protocol (CHAP) is used at the initial startup of a link and at periodic checkups on the link to make sure the router is still communicating with the same host. After PPP finishes its initial link-establishment phase, the local router sends a challenge request to the remote device. The remote device sends a value calculated using a one-way hash algorithm called MD5. The local router checks this hash value to make sure it matches. If the values don't match, the link is immediately terminated.
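What each method puts on the wire, as an added example that is not part of the original lab. It follows the CHAP packet layout and MD5 computation from RFC 1994 and the PAP Authenticate-Request layout from RFC 1334, and uses the RouterA/RouterB names and "0urPPP" password from the lab on this page. The function names are illustrative, and the 16-byte challenge is an assumption (it gives the same 28-byte packet length that the debug output on this page reports as "len 28").

```python
import hashlib
import hmac
import os
import struct

CHALLENGE, RESPONSE = 1, 2          # CHAP codes (RFC 1994)
PAP_AUTH_REQUEST = 1                # PAP code (RFC 1334)

def chap_packet(code, ident, value, name):
    # Code, Identifier, Length, Value-Size, Value, Name
    body = bytes([len(value)]) + value + name.encode()
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def chap_hash(ident, secret, challenge):
    # Response value = MD5(Identifier || secret || Challenge)
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()

def parse_chap(packet):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    size = packet[4]
    return code, ident, packet[5:5 + size], packet[5 + size:length].decode()

def verify_response(ident, challenge, response_pkt, user_db):
    # Authenticator: find the secret by the peer's name, recompute, compare.
    code, rid, value, name = parse_chap(response_pkt)
    secret = user_db.get(name)      # names are case sensitive, as on the router
    if code != RESPONSE or rid != ident or secret is None:
        return False
    return hmac.compare_digest(value, chap_hash(ident, secret, challenge))

def pap_request(ident, peer_id, password):
    # Code, Identifier, Length, Peer-ID-Length, Peer-ID, Passwd-Length, Password
    body = (bytes([len(peer_id)]) + peer_id.encode()
            + bytes([len(password)]) + password.encode())
    return struct.pack("!BBH", PAP_AUTH_REQUEST, ident, 4 + len(body)) + body

def chap_exchange(peer_name, peer_secret):
    # RouterA challenges; the peer answers with its own name and secret.
    user_db = {"RouterB": "0urPPP"}  # RouterA: username RouterB password 0urPPP
    ident, challenge = 3, os.urandom(16)   # 16-byte challenge is an assumption
    chal_pkt = chap_packet(CHALLENGE, ident, challenge, "RouterA")
    _, cid, cval, _ = parse_chap(chal_pkt)
    resp_pkt = chap_packet(RESPONSE, cid,
                           chap_hash(cid, peer_secret, cval), peer_name)
    return chal_pkt, resp_pkt, verify_response(ident, challenge, resp_pkt, user_db)

if __name__ == "__main__":
    chal, resp, ok = chap_exchange("RouterB", "0urPPP")
    print(len(chal), len(resp), ok)
    print(b"0urPPP" in resp, b"0urPPP" in pap_request(1, "RouterB", "0urPPP"))
```

A wrong password or a hostname with different case both fail verification, which is the point at which the router terminates the link.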
After PPP has been enabled on the interface, authentication can be configured between the routers. First, we need to set the hostname of the router. Then we set the username and password for the remote router that will be connecting to your router:
Example:
Router#config t
Router(config)#hostname RouterA
RouterA(config)#username RouterB password ppppassword
Note that the username (RouterB) is the hostname of the remote router and it is case sensitive. The password on both routers must be the same. We must have a username and password configured for each remote system we plan to connect to. The remote routers must also be configured with usernames and passwords.
Now we need to enable authentication on the interface using the "ppp authentication <protocol> <protocol>" command. Note that the second protocol is optional and is used only when the remote end does not support the first protocol. If a single protocol is selected and the remote end does not support it, the link will be terminated.
Example:
RouterA(config)#interface s0/0
RouterA(config-if)#ppp authentication pap chap
PPP configuration can be verified using the following commands:
- show interfaces
- debug ppp negotiation
Lab Scenario
We need to have PPP configured between our Head Office and Branch Office. Your task is to configure PPP on both devices and ensure that they authenticate using the password "0urPPP". You also need to ensure that the authentication is done periodically after the link is established. Our network is shown in Figure 1.
Figure 1
Lab Objectives
Configure PPP on both routers using CHAP as the authentication protocol
Lab Solution
RouterA(config)#username RouterB password 0urPPP
RouterA(config)#interface s0/0
RouterA(config-if)#encapsulation ppp
RouterA(config-if)#ppp authentication chap
RouterA(config-if)#ip address 192.168.1.1 255.255.255.0
RouterA(config-if)#no shut
RouterB(config)#username RouterA password 0urPPP
RouterB(config)#interface s0/0
RouterB(config-if)#encapsulation ppp
RouterB(config-if)#ppp authentication chap
RouterB(config-if)#ip address 192.168.1.2 255.255.255.0
RouterB(config-if)#no shut
Let's verify the connectivity from RouterA:
RouterA#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/13/24 ms
Let's see the interface output on both routers:
RouterA#show interfaces s0/0
Serial0/0 is up, line protocol is up
Hardware is GT96K Serial
Internet address is 192.168.1.1/24
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, LCP Open
Open: IPCP, CDPCP, loopback not set
Keepalive set (10 sec)
Last input 00:00:44, output 00:00:00, output hang never
Last clearing of "show interface" counters 00:04:33
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: weighted fair
Output queue: 0/1000/64/0 (size/max total/threshold/drops)
Conversations 0/1/256 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
Available Bandwidth 1158 kilobits/sec
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
65 packets input, 3035 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
74 packets output, 2900 bytes, 0 underruns
0 output errors, 0 collisions, 3 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
DCD=up DSR=up DTR=up RTS=up CTS=up
RouterB#show interfaces s0/0
Serial0/0 is up, line protocol is up
Hardware is GT96K Serial
Internet address is 192.168.1.2/24
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, LCP Open
Open: IPCP, CDPCP, loopback not set
Keepalive set (10 sec)
Last input 00:00:30, output 00:00:01, output hang never
Last clearing of "show interface" counters 00:05:20
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: weighted fair
Output queue: 0/1000/64/0 (size/max total/threshold/drops)
Conversations 0/1/256 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
Available Bandwidth 1158 kilobits/sec
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
79 packets input, 3259 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
81 packets output, 3909 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
DCD=up DSR=up DTR=up RTS=up CTS=up
This is what debug ppp negotiation looks like on RouterA:
*Mar 1 00:08:36.615: Se0/0 LCP: I CONFREQ [Open] id 3 len 15
*Mar 1 00:08:36.619: Se0/0 LCP: AuthProto CHAP (0x0305C22305)
*Mar 1 00:08:36.619: Se0/0 LCP: MagicNumber 0x0136C252 (0x05060136C252)
*Mar 1 00:08:36.627: Se0/0 IPCP: State is Closed
*Mar 1 00:08:36.635: Se0/0 PPP: Phase is TERMINATING
*Mar 1 00:08:36.635: Se0/0 PPP: Phase is ESTABLISHING
*Mar 1 00:08:36.639: Se0/0 LCP: O CONFREQ [Open] id 13 len 15
*Mar 1 00:08:36.643: Se0/0 LCP: AuthProto CHAP (0x0305C22305)
*Mar 1 00:08:36.643: Se0/0 LCP: MagicNumber 0x0036C341 (0x05060036C341)
*Mar 1 00:08:36.647: Se0/0 LCP: O CONFACK [Open] id 3 len 15
*Mar 1 00:08:36.647: Se0/0 LCP: AuthProto CHAP (0x0305C22305)
*Mar 1 00:08:36.651: Se0/0 LCP: MagicNumber 0x0136C252 (0x05060136C252)
*Mar 1 00:08:36.659: Se0/0 IPCP: Remove route to 192.168.1.2
*Mar 1 00:08:36.671: Se0/0 LCP: I CONFACK [ACKsent] id 13 len 15
*Mar 1 00:08:36.671: Se0/0 LCP: AuthProto CHAP (0x0305C22305)
*Mar 1 00:08:36.675: Se0/0 LCP: MagicNumber 0x0036C341 (0x05060036C341)
*Mar 1 00:08:36.675: Se0/0 LCP: State is Open
*Mar 1 00:08:36.679: Se0/0 PPP: Phase is AUTHENTICATING, by both
*Mar 1 00:08:36.679: Se0/0 CHAP: O CHALLENGE id 3 len 28 from "RouterA"
*Mar 1 00:08:36.679: Se0/0 CHAP: I CHALLENGE id 3 len 28 from "RouterB"
*Mar 1 00:08:36.691: Se0/0 CHAP: Using hostname from unknown source
*Mar 1 00:08:36.695: Se0/0 CHAP: Using password from AAA
*Mar 1 00:08:36.695: Se0/0 CHAP: O RESPONSE id 3 len 28 from "RouterA"
*Mar 1 00:08:36.699: Se0/0 CHAP: I RESPONSE id 3 len 28 from "RouterB"
*Mar 1 00:08:36.699: Se0/0 PPP: Phase is FORWARDING, Attempting Forward
*Mar 1 00:08:36.703: Se0/0 PPP: Phase is AUTHENTICATING, Unauthenticated User
*Mar 1 00:08:36.711: Se0/0 PPP: Phase is FORWARDING, Attempting Forward
*Mar 1 00:08:36.715: Se0/0 PPP: Phase is AUTHENTICATING, Authenticated User
*Mar 1 00:08:36.731: Se0/0 CHAP: O SUCCESS id 3 len 4
*Mar 1 00:08:36.739: Se0/0 CHAP: I SUCCESS id 3 len 4
*Mar 1 00:08:36.743: Se0/0 PPP: Phase is UP
*Mar 1 00:08:36.747: Se0/0 IPCP: O CONFREQ [Closed] id 1 len 10
*Mar 1 00:08:36.747: Se0/0 IPCP: Address 192.168.1.1 (0x0306C0A80101)
*Mar 1 00:08:36.747: Se0/0 PPP: Process pending ncp packets
*Mar 1 00:08:36.755: Se0/0 IPCP: I CONFREQ [REQsent] id 1 len 10
*Mar 1 00:08:36.755: Se0/0 IPCP: Address 192.168.1.2 (0x0306C0A80102)
*Mar 1 00:08:36.759: Se0/0 AAA/AUTHOR/IPCP: Start. Her address 192.168.1.2, we want 0.0.0.0
*Mar 1 00:08:36.775: Se0/0 AAA/AUTHOR/IPCP: Reject 192.168.1.2, using 0.0.0.0
*Mar 1 00:08:36.779: Se0/0 AAA/AUTHOR/IPCP: Done. Her address 192.168.1.2, we want 0.0.0.0
*Mar 1 00:08:36.783: Se0/0 IPCP: O CONFACK [REQsent] id 1 len 10
*Mar 1 00:08:36.783: Se0/0 IPCP: Address 192.168.1.2 (0x0306C0A80102)
*Mar 1 00:08:36.783: Se0/0 IPCP: I CONFACK [ACKsent] id 1 len 10
*Mar 1 00:08:36.783: Se0/0 IPCP: Address 192.168.1.1 (0x0306C0A80101)
*Mar 1 00:08:36.783: Se0/0 IPCP: State is Open
*Mar 1 00:08:36.799: Se0/0 IPCP: Install route to 192.168.1.2
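The hex values in parentheses in the debug output are the raw type-length-value options, so the negotiated authentication protocol can be checked from a captured log. The following is an added example, not part of the original lab: it decodes those options and reports any interface where PAP was negotiated. The function names are illustrative, the option codes (0xC023 for PAP, 0xC223 with algorithm 0x05 for CHAP with MD5) come from the PPP RFCs, and the Se0/1 sample line is constructed.

```python
import ipaddress
import re
from collections import defaultdict

AUTH_PROTOCOLS = {0xC023: "PAP", 0xC223: "CHAP"}  # LCP option 3 values
CHAP_ALGORITHMS = {0x05: "MD5"}                   # algorithm byte after C223

OPTION = re.compile(r"(\S+) (LCP|IPCP): .*\(0x([0-9A-Fa-f]+)\)")
CHAP_RESULT = re.compile(r"(\S+) CHAP: ([IO]) (SUCCESS|FAILURE)")

# Se0/0 lines are copied from the debug output above; Se0/1 is constructed.
SAMPLE = [
    "*Mar 1 00:08:36.643: Se0/0 LCP: AuthProto CHAP (0x0305C22305)",
    "*Mar 1 00:08:36.731: Se0/0 CHAP: O SUCCESS id 3 len 4",
    "*Mar 1 00:08:36.739: Se0/0 CHAP: I SUCCESS id 3 len 4",
    "*Mar 1 00:09:10.000: Se0/1 LCP: AuthProto PAP (0x0304C023)",
]

def decode_option(proto, hex_blob):
    # Each option is type (1 byte), length (1 byte, whole option), data.
    raw = bytes.fromhex(hex_blob)
    if len(raw) < 2 or raw[1] != len(raw):
        raise ValueError("bad option length: " + hex_blob)
    opt_type, data = raw[0], raw[2:]
    if proto == "LCP" and opt_type == 3:      # Authentication-Protocol
        auth = AUTH_PROTOCOLS.get(int.from_bytes(data[:2], "big"), "unknown")
        algo = CHAP_ALGORITHMS.get(data[2], "unknown") if len(data) > 2 else None
        return ("auth", auth, algo)
    if proto == "LCP" and opt_type == 5:      # Magic-Number
        return ("magic", data.hex().upper(), None)
    if proto == "IPCP" and opt_type == 3:     # IP-Address
        return ("address", str(ipaddress.IPv4Address(data)), None)
    return ("other", opt_type, None)

def audit(lines):
    # Per interface: auth protocols seen in LCP, CHAP results per direction.
    report = defaultdict(lambda: {"auth": set(), "chap": set()})
    for line in lines:
        opt, res = OPTION.search(line), CHAP_RESULT.search(line)
        if opt:
            kind, value, _ = decode_option(opt.group(2), opt.group(3))
            if kind == "auth":
                report[opt.group(1)]["auth"].add(value)
        elif res:
            report[res.group(1)]["chap"].add(f"{res.group(2)} {res.group(3)}")
    return dict(report)

def weak_links(report):  # interfaces where PAP (cleartext password) was seen
    return sorted(i for i, r in report.items() if "PAP" in r["auth"])
```

On the lab link, a healthy result is CHAP as the only authentication protocol and a SUCCESS in both the I (inbound) and O (outbound) directions.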