3' Configuring PPP and Controlling Network Access

1
3. Configuring PPP and Controlling Network Access

• Semester 6

2

• PPP - CCNA
• Much of the information in this chapter was
  covered in CCNA Semester 4.
• Please refer to the CCNA Semester 4 or other
  materials to re-familiarize yourself with PPP
  concepts and terminology including
• PPP and SLIP
• PPP frames, LCPs, NCPs
• PPP router configuration
• PPP with PAP and CHAP authentications
• The labs will make sense of this presentation.
  Re-read this presentation following the labs.

3
EXEC Session versus PPP Connection

• EXEC Session
• PPP Connection
• Both!

4

• EXEC Session versus PPP Connection
• EXEC Session - This is a session which allows you
  to use the routers IOS commands, just as if you
  were connected to the console port.
• PPP Connection - This is a serial connection
  which allow you to pass IP and other layer 3
  traffic, just as if there was a dedicated serial
  line between the two devices (router and host,
  router and router, )

5

• EXEC Session
• Can access a remote router with an EXEC session
  either using HyperTerm or Dialup networking.
• Both allow you to remotely login to a system.
• Dialup Networking will give us a few more
  options.
• We will use both.

6

• Labs 2-1 and 2-2 you will be dialing into the
  router using HyperTerm, and you will have an EXEC
  session with the router (IOS commands)
• SLIP connection
• down and down
• perform IOS commands in HyperTerm window
• interface Serial1
• physical-layer async
• no ip address
• line 2
• password cisco
• login
• modem InOut
• modem autoconfigure discovery
• transport input all
• stopbits 1
• speed 115200
• flowcontrol hardware
• Look at my red Book it references those labs

7

• Lab 3-1 you will be using Dialup Networking to
  both be dialing into the router for an EXEC
  session and also a PPP connection.
• Here a couple of new commands we will be
  discussing ( and one old one )
• inter serial 1
• physical layer-async
• ip address 10.1.1.1 255.255.255.0
  
• async mode interactive
• peer default ip address 10.1.1.3
• Look at my red Book it references those labs

8

• Async modes
• async mode interactive EXEC or PPP
• async mode dedicated PPP only
• async mode interactive - Allows the remote user
  to select between a PPP connection and an EXEC
  session.
• PPP connection will be established unless the
  user chooses Bring up terminal window after
  dialing
• If terminal window is chosen, user will be
  put in EXEC mode. They can choose to go to a PPP
  connections by RTAgtppp command
• async mode dedicated - The interface is
  automatically configured for SLIP or PPP
  connections.
• This is common for router to router connectivity.
• There is no user prompt or EXEC level, and no
  end-user commands are required to initiate remote
  node connections.
• PPP is most common encap ppp

9

• async mode interactive - allows the remote user
  to select between a PPP connection and an EXEC
  session
• peer default ip address - assigns a predefined ip
  address to a remote client that dials in to the
  corresponding asynchronous line
• From the Lab...
• Step 4 start a PPP connection (not EXEC session)
  where your host will get an IP address from the
  router, and encapsulation will be changed to PPP.
  
• Ping and Telnet from host to router.
• Step 5 Bring up terminal window after dialing
• Brings up EXEC session just like labs 2-1, 2-2
• Uses a Dialup terminal window
• RTAgtppp - starts PPP connection just like step 4

10

• Assigning a Default Async Address (from BCRAN)
• To assign a predefined default IP address to the
  remote client node that dials in to the
  corresponding asynchronous line, use the peer
  default ip address command.
• Additionally, the pool and dhcp arguments allow
  address allocation from a local pool of addresses
  or a Dynamic Host Configuration Protocol (DHCP)
  server.
• Router(config-if)peer default ip
  addressip-address dhcp pool poolname

11

• Additionally, the pool and dhcp options to the
  peer default ip address command may require a
  global command such as ip local pool pool-name
  starting-address end-address, to create the pool
  of addresses one the router.
• DHCP ConsiderationIf the peer default ip dhcp
  option is chosen, you may have to also configure
  ip helper address and ip dhcp-server.

12

• PPP Options
• Authentication, with PAP or CHAP
• Callback is a PPP option used to provide call and
  dialup billing consolidation.
• Compression is used to improve throughput across
  existing lines. Cisco routers support Stacker,
  Predictor, and Microsoft Point to Point
  Compression (MPPC).
• Multilink PPP (MLP) takes advantage of multiple
  bearer channels to improve throughput.

13
PPP Authentication

• PAP
• CHAP

14

• Authentication
• This is covered in CCNA.
• There are a couple of examples of PAP and CHAP in
  the following slides.
• Refer to CCNP PAP and CHAP material for further
  information.
• Check out the information on CHAP and the MD5 has
  function!

15
PPP with PAP authentication
Gateway
Mkting
Mktings running-config hostname Mkting username
Gateway password gatepass interface
Serial0 encapsulation ppp ppp authentication
pap ppp pap sent-username Mkting password
mktingpass
Gateways running-config hostname
Gateway username Mkting password
mktingpass interface Serial0 encapsulation
ppp ppp authentication pap ppp pap sent-username
Gateway password gatepass
16
PPP with CHAP authentication
Admin
Engin
Engins running-config hostname Engin username
Admin password sameone interface
Serial0 encapsulation ppp ppp authentication chap
Admins running-config hostname Admin username
Engin password sameone interface
Serial0 encapsulation ppp ppp authentication chap
17
PPP Callback

• Callback Client
• Callback Server

18

• PPP Callback
• PPP callback allows a router to request that a
  dialup peer router call back.
• The callback feature can be used to control
  access and toll costs between the routers.
• Both routers on a point-to-point link must be
  configured for PPP callback
• The callback client must be configured to
  initiate PPP callback requests, and the callback
  server must be configured to accept PPP callback
  requests and place return calls.
• The physical interface of the router can only be
  configured as a callback client or a callback
  server, not both.

19

• For callback to be successful
• Authentication must be used
• The initial call must be completely disconnected
  before the return call is made. This is
  determined by the dialer enable-timeout command
  on the callback server.
• Server(config-if) dialer enable timeout 2
• The callback server must return the call before
  the callback clients dialer hold-queue timeout
  expires, or the client may try to make the call
  again.
• The clients dialer hold-queue timeout should be
  approximately four times larger than the servers
  dialer hold queue timeout interval. (Defaults
  usually work fine.)

20

• Notes regarding BCRAN book and other resources
• I have been told that the examples in many of the
  BCRAN books are incomplete or wrong.
• The commands in this presentation will hopefully
  help you figure this out, its not that
  difficult.
• There are some other examples of configuring PPP
  callback with username command options. This can
  be used if you want your router to accept the
  callback phone number from the caller. We will
  not be doing any examples using this feature.

21

• (From Chapter 2) NOTE If using dialer map
  statements with ppp, you must use PPP with
  authentication for router to accept the call.
• Problem Connecting two routers via an
  asynchronous connection, modems, using PPP, no
  authentication, with dialer map statements at
  both ends. The router (with a dialer map
  statement) will dial out, but the remote router
  (also with a dialer map statement) will not
  create a connection. The answering modem does
  answer, but after a few seconds the line is
  deactivated. By removing the dialer-group from
  the interface of the remote router, the router
  will accept the call, but cannot be the one to
  initiate a call.
• IOS 12.05(T)
• Routers 1720 and 2621
• Modems Hayes Accura V.90
• Solution You must run PPP with authentication
  for this to work! Used PPP with CHAP and life
  was good again! Also works with PAP. If dialer
  map statements are used at both ends, and you
  want either router to initiate the call, (and of
  course the remote router to answer), you must use
  PPP with authentication. Both routers can now
  initiate and answer calls from the other router.
  Other workaround If you want the routers to
  dial each other without mapping ip address to
  phone numbers and chat-scripts, you can use the
  dialer string command.
• There are weird combinations that othersI did get
  to work, with a dialer map at one end and a
  dialer string at the other, but at some point you
  need to get a life.

22

• (From Chapter 2) Here are configs using dialer
  maps for two routers with either router
  initiating the call

RTB chat-script hayes56k ABORT ERROR "" "AT Z" OK
"ATDT \T" TIMEOUT 30 CONNECT \c interface
Loopback0 ip address 2.2.2.2
255.255.255.255 interface Serial0/1
physical-layer async ip address 10.1.1.2
255.255.255.0 no ip directed-broadcast
encapsulation ppp dialer in-band dialer map ip
10.1.1.1 name RTA modem-script hayes56k broadcast
5556001 dialer hold-queue 60 dialer-group 1
async mode dedicated fair-queue 64 16 0 ppp
authentication chap ip route 0.0.0.0 0.0.0.0
10.1.1.1 dialer-list 1 protocol ip permit line
2 same as before
RTA chat-script hayes56k ABORT ERROR "" "AT Z" OK
"ATDT \T" TIMEOUT 30 CONNECT \c interface
Loopback0 ip address 1.1.1.1
255.255.255.255 interface Serial1
physical-layer async ip address 10.1.1.1
255.255.255.0 no ip directed-broadcast
encapsulation ppp dialer in-band dialer map ip
10.1.1.2 name RTB modem-script hayes56k broadcast
5556002 dialer-group 1 async mode dedicated
fair-queue 64 16 0 no cdp enable ppp
authentication chap dialer-list 1 protocol ip
permit ip route 0.0.0.0 0.0.0.0 10.1.1.2 line
2 same as before
23

• Callback Client - basic commands
• To initiate the call
• Client can use dialer string or dialer map
• Server must use dialer map with map-class
• To configure a callback request on the client
• Client(config-if)ppp callback request
• Must use authentication

24

• Here are the client commands for ppp callback

RTB-Client chat-script hayes56k ABORT ERROR ""
"AT Z" OK "ATDT \T" TIMEOUT 30 CONNECT
\c interface Loopback0 ip address 2.2.2.2
255.255.255.255 interface Serial0/1 physical-laye
r async ip address 10.1.1.2 255.255.255.0
encapsulation ppp dialer in-band dialer string
5556001 modem-script hayes56k OR
dialer map ip 10.1.1.1 name RTA modem-script
hayes56k broadcast 5556001 dialer hold-queue 60
dialer-group 1 async mode dedicated ppp
callback request ppp authentication pap ppp pap
sent-username RTB password passwd dialer-list 1
protocol ip permit line 2 same as before
RTA-Server (Dont worry about this right
now) chat-script hayes56k ABORT ERROR "" "AT Z"
OK "ATDT \T" TIMEOUT 30 CONNECT \c interface
Loopback0 ip address 1.1.1.1
255.255.255.255 interface Serial1
physical-layer async ip address 10.1.1.1
255.255.255.0 encapsulation ppp dialer in-band
dialer map ip 10.1.1.2 name RTB class dial1
modem-script hayes56k broadcast 5556002
dialer-group 1 async mode dedicated no cdp
enable ppp callback accept ppp authentication
pap ppp pap sent-username RTA password
passwd ip route 0.0.0.0 0.0.0.0
10.1.1.2 map-class dialer dial1 dialer
callback-server username dialer-list 1 protocol
ip permit line 2 same as before
25

• Callback Server - basic commands
• To initiate the call back to the server
• Client can use dialer string or dialer map
• Server must use dialer map with map-class
• To configure the callback from the server back to
  the client
• Server(config-if)ppp callback accept
• Server(config-if)dialer map ip 10.1.1.2 name RTB
  class dial1 modem-script hayes56k broadcast
  5556002
• Server(config)map-class dialer dial1
• Server(config-map-class)dialer callback-server
  username
• Must use authentication

26

• Here are the server and client commands for ppp
  callback

RTB-Client chat-script hayes56k ABORT ERROR ""
"AT Z" OK "ATDT \T" TIMEOUT 30 CONNECT
\c interface Loopback0 ip address 2.2.2.2
255.255.255.255 interface Serial0/1 physical-laye
r async ip address 10.1.1.2 255.255.255.0
encapsulation ppp dialer in-band dialer string
5556001 modem-script hayes56k OR
dialer map ip 10.1.1.1 name RTA modem-script
hayes56k broadcast 5556001 dialer hold-queue 60
dialer-group 1 async mode dedicated ppp
callback request ppp authentication pap ppp pap
sent-username RTB password passwd dialer-list 1
protocol ip permit line 2 same as before
RTA-Server chat-script hayes56k ABORT ERROR ""
"AT Z" OK "ATDT \T" TIMEOUT 30 CONNECT
\c interface Loopback0 ip address 1.1.1.1
255.255.255.255 interface Serial1
physical-layer async ip address 10.1.1.1
255.255.255.0 encapsulation ppp dialer in-band
dialer map ip 10.1.1.2 name RTB class dial1
modem-script hayes56k broadcast 5556002
dialer-group 1 async mode dedicated no cdp
enable ppp callback accept ppp authentication
pap ppp pap sent-username RTA password
passwd ip route 0.0.0.0 0.0.0.0
10.1.1.2 map-class dialer dial1 dialer
callback-server username dialer-list 1 protocol
ip permit line 2 same as before
27

• Optional Command (Cisco proprietary)
• dialer callback-secure - Ensures that the initial
  call is always disconnected at the receiving end
  and that the return call is made only if the same
  username is configured for the callback (or
  hostname in dialer map statement). If the
  username (hostname in the dialer map command) is
  not configured for callback, the initial call
  stays up and no return call is made.
• Lab 3-3 Callback Lab will give you experience
  configuring PPP Callback.
• Look at my red Book it references those labs

28
PPP Compression

• Predictor
• Stacker
• MPPC (Microsoft Point-to-Point Compression)
• TCP header compression

29

• Cisco supports these types of compression
• Predictor-Determines whether the data is already
  compressed. If so, the data is just sent-no time
  is wasted trying to compress already compressed
  data.
• Stacker-A Lempel-Ziv (LZ)-based compression
  algorithm looks at the data, and sends each data
  type only once with information about where the
  type occurs within the data stream. The receiving
  side uses this information to reassemble the data
  stream. (Stacker is the only supported algorithm
  in the Cisco 700 series.)
• MPPC-This protocol (RFC 2118) allows Cisco
  routers to exchange compressed data with
  Microsoft clients. MPPC uses an LZ-based
  compression algorithm.
• TCP header compression-This type of compression
  is used to compress the TCP headers.

30

• Important notes on compression
• The highest compression ratio is usually reached
  with highly compressible text files.
• Already compressed files such as JPEG graphics or
  MPEG files, or files that were compressed with
  software such as PKZIP or StuffIt, are only
  compressed 11, or even less.
• Trying to compress already compressed data can
  take longer than transferring the data without
  compression.
• Compressing data can cause performance
  degradation because it is software, not hardware
  compression.
• Compression can be CPU or memory intensive.
• Predictor is more memory intensive and less CPU
  intensive, whereas Stacker and MPPC are more CPU
  intensive and less memory intensive. Memory
  intensive means that an extra memory allowance is
  required.

31

• Compression Command
• Predictor
• Stacker
• MPPC
• Router(config-if)compress predictor stac
  mppc

32

• TCP Header Compression - RFC 1144.
• It is supported on serial lines by using HDLC,
  PPP, or SLIP encapsulation.
• You must enable the compression on both ends of
  the connections for TCP header compression to
  work.
• Only TCP headers are compressed-UDP headers are
  not affected.
• The data is not compressed, just the TCP header.
• The following is the interface command used to
  activate TCP header compression
• Router(config-if)ip tcp header-compression
• The ip tcp header-compression passive command
  specifies that TCP header compression is not
  required, if the router receives compressed
  headers from a destination, then use header
  compression for that destination.

33
PPP Multilink

• Concepts only
• PPP Multilink lab when covering ISDN

34

• PPP Multilink Concepts - MLP
• Multilink PPP provides load balancing over dialer
  interfaces-including ISDN, synchronous, and
  asynchronous interfaces.
• MLP can improve throughput and reduce latency
  between systems by splitting packets and sending
  the fragments over parallel circuits.
• Prior to MLP, two or more ISDN B channels could
  not be used in a standardized way while ensuring
  sequencing. MLP is most effective when used with
  ISDN.
• Multilink fragments are called packets per RFC
  1990.
• This feature negotiates the Maximum Received
  Reconstructed Unit (MRRU) option during the PPP
  LCP negotiation to indicate to its peer that it
  can combine multiple physical links into a bundle.

35

• Transmission channels in the bundle need not be
  the same types.
• Asynchronous and synchronous links, for example,
  can be used to simultaneously transmit fragments
  of one datagram.
• During the PPP LCP option negotiation, a system
  indicates to its peer that it is willing to use
  multilink by sending the MRRU option as part of
  the initial LCP option negotiation. Multilink
  systems must be able to do the following
• Combine multiple physical links into one logical
  link (bundle)
• Receive and reassemble upper-layer protocol data
  units (PDUs)
• Receive PDUs of a negotiated size

36

• After the LCP negotiation is complete the remote
  destination must be authenticated and a dialer
  map with the remote system name must be
  configured.
• Commands
• Router(config-if) ppp multilink
• Router show ppp multilink