Chapter 2 - Sem IV

© 2006 Cisco Systems, Inc. All rights reserved. Cisco PublicITE I Chapter 6 1

PPP

Accessing the WAN � Chapter 2

© 2006 Cisco Systems, Inc. All rights reserved. Cisco PublicITE 1 Chapter 6 2

Objectives In this chapter, you will learn to:

� Describe the fundamental concepts of point-to-point serial communication.

� Describe key PPP concepts.

� Configure PPP encapsulation.

� Explain and configure PAP and CHAP authentication.


How Does Serial Communication Work? Most PCs have both serial and parallel ports.

Computers use of relatively short parallel connections between interior components, but use a serial bus to convert signals for most external communications.

�With a serial connection, information is sent across one wire, one data bit at a time.

�The 9-pin serial connector on most PCs uses two loops of wire, one in each direction, for data communication, plus additional wires to control the flow of information.

�A parallel connection sends the bits over more wires simultaneously. In the 25-pin parallel port on your PC, there are 8 data wires to carry 8 bits simultaneously.

�The parallel link theoretically transfers data eight times faster than a serial connection.

In reality, it is often the case that serial links can be clocked considerably faster than parallel links, and they achieve a higher data rate

�Two factors that affect parallel communications: clock skew and crosstalk interference.


Parallel connection: Clock Skew & Interference In a parallel connection, it is wrong to assume

that the 8 bits leaving the sender at the same time arrive at the receiver at the same time.

Clock Skew�Some of the bits get there later than others. This is known as clock skew. �Overcoming clock skew is not trivial. The receiving end must synchronize itself with the transmitter and then wait until all the bits have arrived. The process of reading, waiting, waiting adds time to the transmission. �This is not a factor with serial links, because most serial links do not need clocking.

Interference�Parallel wires are physically bundled in a parallel cable. The possibility of crosstalk across the wires requires more processing. �Since serial cables have fewer wires, there is less crosstalk, and network devices transmit serial communications at higher, more efficient frequencies.


Serial Communication Standards In a serial communication process.

�Data is encapsulated by the sending router.

�The frame is sent on a physical medium to the WAN.

�There are various ways to traverse the WAN,

�The receiving router uses the same communications protocol to de-encapsulate the frame when it arrives.

There are three key serial communication standards affecting LAN-to-WAN connections:

�RS-232 - Most serial ports on personal computers conform to the RS-232C standards.

�Both 9-pin and 25-pin connectors are used.

�It be used for device, including modems, mice, and printers.

�V.35 � It is used for modem-to-multiplexer communication. �V.35 is used by routers and DSUs that connect to T1 carriers.

�HSSI - A High-Speed Serial Interface (HSSI) supports transmission rates up to 52 Mb/s.

�HSSI is used to connect routers on LANs with WANs over high-speed lines such as T3 lines.


Serial Communication: RS-232 While this course does not examine the details of V.35 and

HSSI pinning schemes, a quick look at a 9-pin RS-232 connector used to connect a PC to a modem helps illustrate the concept.

�Pin 1 - Data Carrier Detect (DCD) indicates that the carrier for the transmit data is ON.

�Pin 2 - The receive pin (RXD) carries data from the serial device to the computer.

�Pin 3 - The transmit pin (TxD) carries data from the computer to the serial device.

�Pin 4 - Data Terminal Ready (DTR) indicates to the modem that the computer is ready to transmit.

�Pin 5 - Ground

�Pin 6 - Data Set Ready (DSR) is similar to DTR. It indicates that the Dataset is ON.

�Pin 7 - The RTS pin requests clearance to send data to a modem

�Pin 8 - The serial device uses the Clear to Send (CTS) pin to acknowledge the RTS signal of the computer. In most situations, RTS and CTS are constantly ON throughout the communication session.

�Pin 9 - An auto answer modem uses the Ring Indicator (RI) to signal receipt of a telephone ring signal.


Time Division Multiplexing (TDM) Bell Laboratories invented TDM to maximize the

amount of voice traffic carried over a medium.

Compare TDM to a train with 32 railroad cars. �Each car is owned by a different freight company, and every day the train leaves with the 32 cars attached.

�If the companies has cargo to send, the car is loaded.

�If the company has nothing to send, the car remains empty but stays on the train.

�Shipping empty containers is not very efficient.

�TDM shares this inefficiency when traffic is intermittent, because the time slot is still allocated even when the channel has no data to transmit.


Time Division Multiplexing (TDM) TDM divides the bandwidth of a single link into

separate channels or time slots.�TDM transmits two or more channels over the same link by allocating a different time interval (time slot) for the transmission of each channel.

�TDM is a physical layer concept. It has no regard of the information that is being multiplexed.

The multiplexer (MUX) accepts input from attached devices in a round-robin fashion and transmits the data in a never-ending pattern.�The MUX puts each segment into a single channel by inserting each segment into a timeslot.

�A MUX at the receiving end separate data streams based only on the timing of the arrival of each bit.

� A technique called bit interleaving keeps track of the sequence of the bits so that they can be efficiently reassembled into their original form upon receipt.


Statistical Time Division Multiplexing Statistical time-division multiplexing

(STDM) was developed to overcome this inefficiency. �STDM uses a variable time slot length allowing channels to compete for any free slot space.

�It employs a buffer memory that temporarily stores the data during periods of peak traffic.

�STDM does not waste high-speed line time with inactive channels using this scheme.

�STDM requires each transmission to carry identification information (a channel identifier).


TDM Examples - ISDN and SONET An example of a technology that uses synchronous

TDM is ISDN. �ISDN basic rate (BRI) has three channels consisting of two 64 kb/s B-channels (B1 and B2), and a 16 kb/s D-channel.

�The TDM has nine timeslots, which are repeated in the sequence shown in the figure.

On a larger scale, the industry uses the SONET or SDH for optical transport of TDM data.

�SONET, used in North America, and SDH, used elsewhere, for synchronous TDM over fiber.

�SONET/SDH takes n bit streams, multiplexes them, and optically modulates the signal, sending it out using a light emitting device over fiber with a bit rate equal to (incoming bit rate) x n. Thus traffic arriving at the SONET multiplexer from four places at 2.5 Gb/s goes out as a single stream at 4 x 2.5 Gb/s, or 10 Gb/s.

SDH - Synchronous Digital Hierarchy

SONET - Synchronous optical networking


TDM Examples - T-Carrier Hierarchy DS0: The original unit used in multiplexing

telephone calls is 64 kb/s, which represents one phone call.

T1: In North America, 24 DS0 units are multiplexed using TDM into a higher bit-rate signal with an aggregate speed of 1.544 Mb/s for transmission over T1 lines. �While it is common to refer to a 1.544 Mb/s transmission as a T1, it is more correct to refer to it as DS1.

�T-carrier refers to the bundling of DS0s.

�A T1 = 24 DSOs,

�A T1C = 48 DSOs (or 2 T1s), and so on.

E1: Outside North America, 32 DS0 units are multiplexed for E1 transmission at 2.048 Mb/s.


Demarcation Point The demarcation point marks the point where your

network interfaces with the network owned by another organization.

�This is the interface between customer-premises equipment (CPE) and network service provider equipment.

�The demarcation point is the point in the network where the responsibility of the service provider ends.

The example presents an ISDN scenario. �In the United States, a service provider provides the local loop into the customer premises,

�The customer provides the active equipment such as the channel service unit/data service unit (CSU/DSU) on which the local loop is terminated.

�The customer is responsible for maintaining, replacing, or repairing the equipment.

�In other countries, the network terminating unit (NTU) is provided and managed by the service provider.

�The customer connects a CPE device, such as a router or frame relay access device, to the NTU using a V.35 or RS-232 serial interface.


DTE and DCE In order to be connecting to the WAN, a serial

connection has a DTE device at one end of the connection and a DCE device at the other end.

�The DTE, which is generally a router. �The DTE could also be a terminal, computer, printer, or fax machine.

�The DCE, commonly a modem or CSU/DSU, is the device used to convert the user data from the DTE into a form acceptable to the WAN service provider transmission link.

�This signal is received at the remote DCE, which decodes the signal back into a sequence of bits.

�The remote DCE then signals this sequence to the remote DTE.

The connection between the two DCE devices is the WAN service provider transmission network.

Cisco Internal T1 CSU/DSUWIC-1DSU-T1


DTE and DCE DTE and DCE Cable Standards

�Originally, the concept of DCEs and DTEs was based on two types of equipment: terminal equipment that generated or received data, and communication equipment that only relayed data. �We are left with two different types of cables:

�one for connecting a DTE to a DCE, �another for connecting two DTEs directly to each other.

The DTE/DCE interface standard defines the following specifications:

�Mechanical/physical - Number of pins and connector type �Electrical - Defines voltage levels for 0 and 1 �Functional - Specifies the functions that are performed by assigning meanings to each of the signaling lines in the interface �Procedural - Specifies the sequence for transmitting data

The Serial Cables�The original RS-232 standard only defined the connection of DTEs with DCEs, which were modems. �A null modem is a communication method to directly connect two DTEs, such as a computer, terminal, or printer, using a RS-232 serial cable. With a null modem connection, the transmit (Tx) and receive (Rx) lines are crosslinked.


DTE and DCE The DB-60 Connector

�The cable for the DTE to DCE connection is a shielded serial cable. The router end of the serial cable may be a DB-60 connector.

�The other end of the serial transition cable is available with the connector appropriate for the standard that is to be used.

The Smart Serial Connector�To support higher port densities in a smaller form factor, Cisco has introduced a Smart Serial cable.

�The router interface end of the Smart Serial cable is a 26-pin connector that is significantly more compact than the DB-60 connector.

The Router-to-Router�When using a null modem, keep in mind that synchronous connections require a clock signal. �When using a null modem cable in a router-to-router connection, one of the serial interfaces must be configured as the DCE end to provide the clock signal for the connection.


DTE and DCE: Parallel to Serial Conversion The terms DTE and DCE are relative with respect to

what part of a network you are observing. �RS-232C is the recommended standard (RS) describing the physical interface and protocol for relatively low-speed, serial data communication between computers and related devices.

�The DTE is the RS-232C interface that a computer uses to exchange data with a modem or other serial device.

�The DCE is the RS-232C interface that a modem or other serial device uses in exchanging data with the computer.

Your PC also has a Universal Asynchronous Receiver/Transmitter (UART) chip on the motherboard. The UART is the DTE agent of your PC and communicates with the modem or other serial device, which, in accordance with the RS-232C standard, has a complementary interface called the DCE interface.

�The data in your PC flows along parallel circuits, the UART chip converts the groups of bits in parallel to a serial stream of bits.


WAN Encapsulation Protocols On WAN connection, data is encapsulated into frames

before crossing the WAN link. The protocol depends on the WAN technology and communicating equipment:

�HDLC - The default encapsulation type on point-to-point connections, when the link uses two Cisco devices.

�PPP - Provides router-to-router and host-to-network connections over synchronous and asynchronous circuits.

�PPP works with several network protocols, such as IP and IPX. PPP also has built-in security mechanisms such as PAP and CHAP.

�Serial Line Internet Protocol (SLIP) - A standard protocol for point-to-point serial connections using TCP/IP.

�SLIP has been largely displaced by PPP.

�X.25/Link Access Procedure, Balanced (LAPB) - X.25 specifies LAPB, a data link layer protocol.

�X.25 is a predecessor to Frame Relay.

�Frame Relay - Frame Relay eliminates some of the time-consuming processes (such as error correction and flow control) employed in X.25.

�ATM - The cell relay in which devices send multiple service types (voice, video, or data) in fixed-length (53-byte) cells.

�Fixed-length cells allow processing to occur in hardware, thereby reducing transit delays.

With SLIP, you have to know the IP address assigned to you by your service provider. You also need to know the IP address of the remote system you will be dialing into. You may also need to configure such details as MTU (maximum transmission unit), MRU (maximum receive unit), etc.


HDLC Encapsulation HDLC is a bit-oriented synchronous data link layer

protocol developed by the International Organization for Standardization (ISO).

�HDLC was developed from the Synchronous Data Link Control (SDLC) standard proposed in the 1970s.

�HDLC provides both connection-oriented and connectionless service.

�HDLC defines a Layer 2 framing structure that allows for flow control and error control through the use of acknowledgments.

�HDLC uses a frame delimiter, or flag, to mark the beginning and the end of each frame.

Cisco has developed an extension to the HLDC protocol to solve the inability to provide multiprotocol support.

�Cisco HLDC (also referred to as cHDLC) is proprietary

�Cisco HDLC frames contain a field for identifying the network protocol being encapsulated.


Configuring HDLC Encapsulation Cisco HDLC is the default encapsulation method

used by Cisco devices on synchronous serial lines.�You use Cisco HDLC as a point-to-point protocol on leased lines between two Cisco devices.

�If the default encapsulation method has been changed, use the encapsulation hdlc command in privileged mode to re-enable HDLC.

If you are connecting to a non-Cisco device, use synchronous PPP.

There are two steps to enable HDLC encapsulation:�Step 1. Enter the interface configuration mode of the serial interface.

�Step 2. Enter the encapsulation hdlc command to specify the encapsulation protocol on the interface.

The output of the show interfaces serial command displays information specific to serial interfaces. When HDLC is configured, "Encapsulation HDLC"


Troubleshooting a serial interface Show ip int brief (sh ip int b)

Router# show ip interface brief

Interface IP-Address OK? Method Status ProtocolEthernet0 131.108.1.11 YES manual up up Serial0 198.135.2.49 YES manual administratively down down

Serial x is down, line protocol is down Serial x is up, line protocol is down Serial x is up, line protocol is up (looped) Serial x is up, line protocol is down (disabled) Serial x is administratively down, line protocol is down


Troubleshooting a serial interface (cont.)

Five possible problem states can be identified in the interface status line of the show interfaces serial display:

�Serial x is down, line protocol is down �Serial x is up, line protocol is down �Serial x is up, line protocol is up (looped) �Serial x is up, line protocol is down (disabled) �Serial x is administratively down, line protocol is down


Troubleshooting a serial interface (cont.)

Five possible problem states can be identified in the interface status line of the show interfaces serial display:

�Serial x is down, line protocol is down �Serial x is up, line protocol is down�Serial x is up, line protocol is up (looped) �Serial x is up, line protocol is down (disabled) �Serial x is administratively down, line protocol is down


Troubleshooting a Serial Interface The show controllers command is

another important diagnostic tool when troubleshooting serial lines.

In the figure, serial interface 0/0 has a V.35 DCE cable attached. �show controllers serial command. �If the electrical interface output is shown as UNKNOWN instead of V.35, EIA/TIA-449, or some other electrical interface type, the likely problem is an improperly connected cable.

�If the electrical interface is unknown, the corresponding display for the show interfaces serial <x> command shows that the interface and line protocol are down.


Troubleshooting a Serial Interface: Activity


What is PPP? Recall that HDLC is the default serial encapsulation method

when you connect two Cisco routers. �Cisco HDLC can only work with other Cisco devices.

However, when you need to connect to a non-Cisco router, you should use PPP encapsulation.

PPP includes many features not available in HDLC:�The link quality management feature monitors the quality of the link. If too many errors are detected, PPP takes the link down.

�PPP supports PAP and CHAP authentication.

PPP contains three main components: �HDLC protocol for encapsulating datagrams over point-to-point links.

�Extensible Link Control Protocol (LCP) to establish, configure, and test the data link connection.

�Family of Network Control Protocols (NCPs) for establishing and configuring different network layer protocols.

�PPP allows the simultaneous use of multiple network layer protocols.

�Some of the more common NCPs are Internet Protocol Control Protocol, Appletalk Control Protocol, Novell IPX Control Protocol, Cisco Systems Control Protocol, SNA Control Protocol, and Compression Control Protocol.


PPP Layered Architecture PPP and OSI share the same physical layer, but PPP

distributes the functions of LCP and NCP differently.

At the physical layer, you can configure PPP on:�Asynchronous serial

�Synchronous serial

�HSSI

�ISDN

PPP does not impose any restrictions regarding transmission rate other than those imposed by the particular DTE/DCE interface in use.

Most of the work done by PPP is at the data link and network layers by the LCP and NCPs.

�The LCP sets up the PPP connection and its parameters

�The NCPs handle higher layer protocol configurations, and the LCP terminates the PPP connection.


PPP Architecture - Link Control Protocol Layer The LCP sits on top of the physical layer and has a

role in establishing, configuring, and testing the data-link connection.

�The LCP establishes the point-to-point link.

�The LCP also negotiates and sets up control options on the WAN data link, which are handled by the NCPs.

The LCP provides automatic configuration of the interfaces at each end, including:

�Handling varying limits on packet size

�Detecting common misconfiguration errors

�Terminating the link

�Determining when a link is functioning properly or when it is failing

PPP also uses the LCP to agree automatically on encapsulation formats (authentication, compression, error detection) as soon as the link is established.


PPP Architecture - Network Control Protocol Layer PPP permits multiple network layer protocols to

operate on the same communications link. For every network layer protocol used, PPP uses a separate NCP. �For example, IP uses the IP Control Protocol (IPCP),

�IPX uses the Novell IPX Control Protocol (IPXCP).

NCPs include functional fields containing standardized codes (PPP protocol field numbers shown in the figure) to indicate the network layer protocol that PPP encapsulates. �Each NCP manages the specific needs required by its respective network layer protocols.

�The various NCP components encapsulate and negotiate options for multiple network layer protocols.


PPP Frame Structure A PPP frame has six fields as shown in the figure.

The LCP can negotiate modifications to the standard PPP frame structure.


Establishing a PPP Session The three phases of establishing a PPP session:

�Phase 1: Link establishment and configuration negotiation �

�The LCP must first open the connection and negotiate configuration options.

�Phase 2: Link quality determination (optional) ��The LCP tests the link to determine whether the link quality is sufficient to bring up network layer protocols.

�Phase 3: Network layer protocol configuration negotiation �

�After the LCP has finished the link quality determination phase, the appropriate NCP can separately configure the network layer protocols, and bring them up and take them down at any time.

The link remains configured for communications until explicit LCP or NCP frames close the link, or until some external event occurs.�This happen because of the loss of the carrier, authentication failure, link quality failure, the expiration of idle-period timer, or administrative closing the link.


PPP Configuration Options PPP may include the following LCP options:

�Authentication - Peer exchange authentication messages.

�Two choices are Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP).

�Compression - Increases the effective throughput on PPP connections by reducing the amount of data in the frame that must travel across the link.

�Two compression are Stacker and Predictor.

�Error detection - Identifies fault conditions. �The Quality and Magic Number options help ensure a reliable, loop-free data link.

�Multilink - Cisco IOS Release 11.1 and later supports multilink PPP.

�This alternative provides load balancing over the router interfaces that PPP uses.

�PPP Callback - To enhance security, Cisco IOS Release 11.1 and later offers callback over PPP.

�The client makes the initial call, requests that the server call it back, and terminates its initial call.


PPP Configuration Commands Example 1: Enabling PPP on an Interface

�To set PPP as the encapsulation method used by a serial or ISDN interface, use the encapsulation ppp interface configuration command.

�R3#configure terminal

�R3(config)#interface serial 0/0

�R3(config-if)#encapsulation ppp�You must first configure the router with an IP routing protocol to use PPP encapsulation. If you do not configure PPP on a Cisco router, the default encapsulation for serial interfaces is HLDC.

Example 2: Compression�You can configure point-to-point compression on serial interfaces after you have enabled PPP. Because this option invokes a software compression process, it can affect system performance. If the traffic already consists of compressed files (.zip, .tar, or .mpeg, for example), do not use this option.


�R3(config-if)#encapsulation ppp

�R3(config-if)#compress [predictor | stac]


PPP Configuration Commands Example 3: Link Quality Monitoring

�LCP provides an optional link quality determination phase.

�If the link quality percentage is not maintained, the link is deemed to be of poor quality and is taken down.

�This example configuration monitors the data dropped on the link and avoids frame looping:


�R3(config-if)#encapsulation ppp

�R3(config-if)#ppp quality 80

Example 4: Load Balancing Across Links�Multilink PPP (also referred to as MP, MPPP, MLP, or Multilink) provides a method for spreading traffic across multiple physical WAN links while providing packet fragmentation and reassembly, proper sequencing, multivendor interoperability, and load balancing on inbound and outbound traffic.

�Router(config)#interface serial 0/0

�Router(config-if)#encapsulation ppp

�Router(config-if)#ppp multilink


Verified a Serial PPP Encapsulation Configuration Use the show interfaces serial

command to verify proper configuration of HDLC or PPP encapsulation.�When you configure HDLC, the output of the show interfaces serial command should show "encapsulation HDLC".

�When you configure PPP, you can check its LCP and NCP states.


Troubleshooting the Serial Encapsulation Configuration Debug displays information about various

router operations and the related traffic generated or received by the router, as well as any error messages. �It is a very useful and informative tool, but you must always remember that Cisco IOS treats debug as a high priority task.

�It can consume a significant amount of resources, and the router is forced to process-switch the packets being debugged.

�Debug must not be used as a monitoring tool-it is meant to be used for a short period of time for troubleshooting.

Use the debug ppp command to display information about the operation of PPP.


PPP Authentication Protocols PPP defines an extensible LCP that allows

negotiation of an authentication protocol for authenticating its peer before allowing network layer protocols to transmit over the link.

�PAP is a very basic two-way process.�There is no encryption-the username and password are sent in plain text. If it is accepted, the connection is allowed.

�CHAP is more secure than PAP. It involves a three-way exchange of a shared secret.

The authentication phase of a PPP session is optional.

�If used, you can authenticate the peer after the LCP establishes the link.

�If it is used, authentication takes place before the network layer protocol configuration phase begins.

�The authentication options require that the calling side of the link enter authentication information. This helps to ensure that the user has the permission of the network administrator to make the call.


Password Authentication Protocol (PAP) PPP can performs Layer 2 authentication in

addition to other layers of authentication�PAP provides method for a remote node to establish its identity using a two-way handshake.

�the ppp authentication pap command is used, �the remote node repeatedly sends a username-password pair across the link until the sending node acknowledges it or terminates the connection.

�Using PAP, you send passwords across the link in clear text and there is no protection from playback or repeated trial-and-error attacks.

There are times when using PAP is justified. �Client applications that do not support CHAP

�Incompatibilities between different vendor implementations of CHAP

�Situations where a plaintext password must be available to simulate a login at the remote host


Challenge Handshake Authentication Protocol (CHAP) Once authentication is established with PAP, it

essentially stops working. This leaves the network vulnerable to attack.

CHAP conducts periodic challenges to make sure that the remote node still has a valid password value.

�The password value is variable and changes unpredictably while the link exists.

After the PPP link establishment phase is complete, �The router sends a challenge to the remote node.

�The remote node responds with a value calculated using a one-way hash function using MD5.

�The local router checks the response against its own calculation of the expected hash value. If the values match, the initiating node acknowledges the authentication. Otherwise, it immediately terminates the connection.

�Because the challenge is unique and random, the resulting hash value is also unique and random.


The ppp authentication Command To specify the order in which the CHAP

or PAP protocols are requested on the interface, use the ppp authenticationinterface command. �You may enable PAP or CHAP or both. �After you have enabled CHAP or PAP authentication, or both, the local router requires the remote device to prove its identity before allowing data traffic to flow.

�If both methods are enabled, the first method specified is requested during link negotiation. If the peer suggests using the second method or simply refuses the first method, the second method is tried.


Configuring PPP with Authentication PAP

�The figure is an example of a two-way PAP authentication configuration. Both routers authenticate and are authenticated, so the PAP authentication commands mirror each other.

�[Tony]: The term �two-way� used here is not the same term used in �two-way� handshake. This �two-way� here means R1 challenge R3 and R3 also challenge R1.

�The PAP username and password that each router sends must match those specified with the username name password password command of the other router.

CHAP�CHAP periodically verifies the identity of the remote node using a three-way handshake.

�The hostname on one router must match the username the other router has configured.

�The passwords must also match.

�This occurs on initial link establishment and can be repeated any time after the link has been established.

The router name and password are exactly the same, because they are case-sensitive


PAP EXAMPLE


CHAP EXAMPLE


Documents

Chapter 2 - Sem IV