Point-to-Point Protocol (PPP)
www.INE.com
Copyright © www.INE.com
PPP
» Point-to-Point Protocol
» Open standard
» Operates in the LLC sub-layer of the data link layer in OSI
» Originally designed for dial-up connections (modems, ISDN, etc.)
» Only one possible destination
Point-to-Point Technologies
» No Layer 3 to Layer 2 resolution required
» Useful for wide area networks where leased lines exist, or for other P2P networks
» Supports authentication
PPP Frame Format
» Start Flag | Address | Control | Protocol Code | Data / PPP Control | FCS | Final Flag
• Address: set to 11111111
• Control: static value
• Protocol Code: indicates whether the next field is data or a PPP control frame
LCP and NCP
» PPP must negotiate a connection
» Moves through a series of required steps prior to transport of user data
• LCP – Link Control Protocol
• Authentication (optional)
• NCP – Network Control Protocol
» State events and transitions can be monitored in real time with “debug ppp negotiation”.
PPP - LCP (Link Control Protocol)
» LCP negotiates link-specific options:
• Callback
• Multilink
• Authentication (whether or not to authenticate)
• Magic Number (loopback detection), etc.
[Diagram: Dial-Up or Circuit-Switched Network]
LCP Message Exchanges
» LCP uses several different control messages
• Configuration-Request: lists all PPP options a sender wishes to implement, such as authentication type, PPP Multilink, Callback, etc.
• Configuration-Reject: sent when a receiver doesn’t support a particular feature and offers no suitable alternative.
• Configuration-NAK (Negative Acknowledgement): sent when a receiver doesn’t support a particular feature and offers an alternative.
• Configuration-Acknowledgement: acknowledges all LCP options in the most recent Config-Req that was received.
LCP Debug
Jun 1 01:12:29.679 Ser1/1 PPP: Treating connection as a callout
Jun 1 01:12:29.679 Ser1/1 PPP: Phase is ESTABLISHING, Active Open
Jun 1 01:12:29.683 Ser1/1 LCP: O CONFREQ [Closed] id 5 len 15
Jun 1 01:12:29.687 Ser1/1 LCP:    AuthProto CHAP (0x0305C22305)
Jun 1 01:12:29.691 Ser1/1 LCP:    MagicNumber 0x10BD9502 (0x050610BD9502)
Jun 1 01:12:29.707 Ser1/1 LCP: I CONFREQ [REQsent] id 5 len 15
Jun 1 01:12:29.711 Ser1/1 LCP:    AuthProto CHAP (0x0305C22305)
Jun 1 01:12:29.711 Ser1/1 LCP:    MagicNumber 0x10B8A083 (0x050610B8A083)
Jun 1 01:12:29.719 Ser1/1 LCP: O CONFACK [REQsent] id 5 len 15
Jun 1 01:12:29.719 Ser1/1 LCP:    AuthProto CHAP (0x0305C22305)
Jun 1 01:12:29.723 Ser1/1 LCP:    MagicNumber 0x10B8A083 (0x050610B8A083)
Jun 1 01:12:29.727 Ser1/1 LCP: I CONFACK [ACKsent] id 5 len 15
Jun 1 01:12:29.731 Ser1/1 LCP:    AuthProto CHAP (0x0305C22305)
Jun 1 01:12:29.735 Ser1/1 LCP:    MagicNumber 0x10BD9502 (0x050610BD9502)
Jun 1 01:12:29.735 Ser1/1 LCP: State is Open
PPP - NCP (Network Control Protocol)
» Negotiates which Layer 3 protocol to use
• For IP: IPCP
• For IPX: IPXCP
• For CDP: CDPCP
» Each of the above has protocol-specific options that need to be negotiated
[Diagram: Dial-Up or Circuit-Switched Network]
NCP Debug
*Mar 1 01:12:29.795 Ser1/1 IPCP: O CONFREQ [Closed] id 5 len 10
*Mar 1 01:12:29.799 Ser1/1 IPCP:    Address 10.1.1.1 (0x03060A010101)
*Mar 1 01:12:29.807 Ser1/1 CDPCP: O CONFREQ [Closed] id 5 len 4
*Mar 1 01:12:29.811 Ser1/1 IPCP: I CONFREQ [REQsent] id 5 len 10
*Mar 1 01:12:29.815 Ser1/1 IPCP:    Address 10.1.1.2 (0x03060A010102)
*Mar 1 01:12:29.819 Ser1/1 IPCP: O CONFACK [REQsent] id 5 len 10
*Mar 1 01:12:29.823 Ser1/1 IPCP:    Address 10.1.1.2 (0x03060A010102)
*Mar 1 01:12:29.827 Ser1/1 CDPCP: I CONFREQ [REQsent] id 5 len 4
*Mar 1 01:12:29.831 Ser1/1 CDPCP: O CONFACK [REQsent] id 5 len 4
*Mar 1 01:12:29.835 Ser1/1 IPCP: I CONFACK [ACKsent] id 5 len 10
*Mar 1 01:12:29.839 Ser1/1 IPCP:    Address 10.1.1.1 (0x03060A010101)
*Mar 1 01:12:29.839 Ser1/1 IPCP: State is Open
*Mar 1 01:12:29.843 Ser1/1 CDPCP: I CONFACK [ACKsent] id 5 len 4
*Mar 1 01:12:29.847 Ser1/1 CDPCP: State is Open
*Mar 1 01:12:29.855 Ser1/1 IPCP: Install route to 10.1.1.2
PPP Authentication
» Two primary benefits of using PPP (as compared to other P2P WAN protocols):
• Dynamically learn the Layer-3 address (via NCP)
• Authenticate your peer
» PPP authentication is optional, but almost always configured.
» One-way or bi-directional authentication
» Various PPP authentication methods are available.
PAP
» Password Authentication Protocol
» Sends clear-text username and password for authentication
» Two-way handshake
» Less secure than CHAP
» By default, the hostname is sent as the username
PAP Authentication – One-way
» PPP PAP authentication options
• One way (client authenticates against server)
[Diagram: Chris (client) Ser0/0/0 <-> Ser1/1/1 Sally (server); LCP, then Auth]
Chris: Hello, I want to do PPP with you.
Sally: Great, but I insist we use PAP.
Chris: My name is Chris, password is Cisco.
Sally: That matches what I have.
Chris (client) configuration:
hostname Chris
!
interface serial 0/0/0
 ip address 1.1.1.1 255.255.0.0
 encapsulation ppp
 ppp pap sent-username Chris password Cisco
Sally (server) configuration:
hostname Sally
username Chris password Cisco
!
interface serial 1/1/1
 ip address 1.1.1.2 255.255.0.0
 encapsulation ppp
 ppp authentication pap
PAP Authentication – Two-way
• Two way (both peers authenticate each other)
[Diagram: Chris (client) Ser0/0/0 <-> Ser1/1/1 Sally (server); LCP, then Auth]
Chris: Hello, I want to do PPP with you.
Sally: Great, but I insist we use PAP.
Chris: My name is Chris, password is Cisco.
Sally: That matches what I have.
Sally: My name is Sally, password is Server.
Chris: That matches what I have.
Chris (client) configuration:
hostname Chris
username Sally password Server
!
interface serial 0/0/0
 ip address 1.1.1.1 255.255.0.0
 encapsulation ppp
 ppp authentication pap
 ppp pap sent-username Chris password Cisco
Sally (server) configuration:
hostname Sally
username Chris password Cisco
!
interface serial 1/1/1
 ip address 1.1.1.2 255.255.0.0
 encapsulation ppp
 ppp authentication pap
 ppp pap sent-username Sally password Server
Verifying PAP Authentication
» Verification commands
• Router# debug ppp negotiation
• Router# debug ppp authentication
• Router# show interface serial <number>
• Router# show users
» In the debugs above you want to see: PPP: Received LOGIN Response PASS
» Note: upon successful authentication, a PAP server should show the authenticated users together with their IP addresses
CHAP
» Challenge Handshake Authentication Protocol
» Three-way handshake
» More secure than PAP
» By default, the hostname is sent as the username; the username can be explicitly configured
CHAP Authentication – One-way
[Diagram: Router (client) Ser0/0/0 <-> Ser1/1/1 Sally (server)]
Router: Hello, I want to do PPP with you.
Sally: Great, but I insist we use CHAP. My CHAP challenge is a123bc567.
Router: My name is Chris. My challenge response = bbb55
(Both sides compute: a123bc567 + Chris + Cisco = bbb55)
Sally: Looks good! You must really be Chris!
Router (client) configuration:
hostname Router
!
interface serial 0/0/0
 ip address 1.1.1.1 255.255.0.0
 encapsulation ppp
 ppp chap hostname Chris
 ppp chap password Cisco
Sally (server) configuration:
hostname Sally
username Chris password Cisco
!
interface serial 1/1/1
 ip address 1.1.1.2 255.255.0.0
 encapsulation ppp
 ppp authentication chap
CHAP Authentication – (Alternative Client Config)
[Diagram: Router (client) Ser0/0/0 <-> Ser1/1/1 Sally (server)]
Router: Hello, I want to do PPP with you.
Sally: Great, but I insist we use CHAP. My CHAP challenge is a123bc567.
Router: My name is Chris. My challenge response = bbb55
Sally: Looks good! You must really be Chris!
Router (client) configuration:
hostname Chris
!
username Sally password Cisco
!
interface serial 0/0/0
 ip address 1.1.1.1 255.255.0.0
 encapsulation ppp
Sally (server) configuration:
hostname Sally
username Chris password Cisco
!
interface serial 1/1/1
 ip address 1.1.1.2 255.255.0.0
 encapsulation ppp
 ppp authentication chap
CHAP Authentication – Two-way
[Diagram: Router (client) Ser0/0/0 <-> Ser1/1/1 Sally (server)]
Sally: Let’s use PPP and CHAP, sound good?
Router: I support that! My name is Chris and I challenge you aa3355.
Sally: My name is Sally and I challenge you 77ff5e.
Router: My challenge response = bbb55
Sally: Looks good! You must really be Chris!
Sally: My challenge response = eeccdd!
Router: Looks good! You must really be Sally!
Router (client) configuration:
hostname Router
username Sally password Cisco
!
interface serial 0/0/0
 ip address 1.1.1.1 255.255.0.0
 encapsulation ppp
 ppp authentication chap
 ppp chap hostname Chris
 ppp chap password Cisco
Sally (server) configuration:
hostname Sally
username Chris password Cisco
!
interface serial 1/1/1
 ip address 1.1.1.2 255.255.0.0
 encapsulation ppp
 ppp authentication chap
 ppp chap hostname Sally
 ppp chap password Cisco
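An added example, not from the INE slides: the CHAP computation behind the one-way and two-way exchanges above, as RFC 1994 defines it. The response is MD5 over the packet Identifier, the shared secret and the challenge value (the slide's "a123bc567 + Chris + Cisco = bbb55" is a shorthand for this), so the secret itself never crosses the link, which is what makes CHAP stronger than PAP. The names Chris and Sally and the secret Cisco come from the slide; the packet dictionaries and the mutual_chap helper are constructed for illustration.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 Response Value: MD5 over Identifier || secret || Challenge Value.
    Only this hash crosses the link; the secret stays on both routers (stored in the clear
    in 'username ... password ...', so the local config is still a sensitive asset)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()

def make_challenge(identifier: int, challenger_name: str) -> dict:
    """Challenge packet: Identifier, a fresh random Challenge Value, and the challenger's Name."""
    return {"id": identifier, "value": os.urandom(16), "name": challenger_name}

def answer_challenge(challenge: dict, my_name: str, secrets: dict) -> dict:
    """Responder: look up the secret it stores for the challenger's Name (IOS: 'username <peer>
    password <secret>' or 'ppp chap password') and return a Response packet carrying its own Name."""
    secret = secrets.get(challenge["name"], "")
    return {"id": challenge["id"], "name": my_name,
            "value": chap_response(challenge["id"], secret, challenge["value"])}

def verify_response(challenge: dict, response: dict, secrets: dict) -> bool:
    """Authenticator: recompute with the secret stored for the responder's Name and compare in
    constant time. An unknown Name, a mismatched Identifier, or a wrong secret all fail."""
    if response["id"] != challenge["id"] or response["name"] not in secrets:
        return False
    expected = chap_response(challenge["id"], secrets[response["name"]], challenge["value"])
    return hmac.compare_digest(expected, response["value"])

def mutual_chap(chris_secrets: dict, sally_secrets: dict) -> tuple:
    """Two-way CHAP as on the slide: each peer challenges the other.
    Returns (Sally accepted Chris, Chris accepted Sally)."""
    ch = make_challenge(5, "Sally")   # Sally -> Router(Chris): "I challenge you ..."
    chris_ok = verify_response(ch, answer_challenge(ch, "Chris", chris_secrets), sally_secrets)
    ch2 = make_challenge(6, "Chris")  # Router(Chris) -> Sally
    sally_ok = verify_response(ch2, answer_challenge(ch2, "Sally", sally_secrets), chris_secrets)
    return chris_ok, sally_ok

# Constructed secret stores matching the slide: each router holds "Cisco" under the peer's name.
CHRIS_SECRETS = {"Sally": "Cisco"}
SALLY_SECRETS = {"Chris": "Cisco"}
```

A secret that differs on one side fails in both directions, which is exactly the symptom the quiz configurations at the end of the PPP section produce.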
Configuring CHAP Authentication (Server)
» Change encapsulation
• Router(config-if)# encapsulation ppp
» Create local user database
• Router(config)# username <username> password <password>
» Configure CHAP server
• Router(config-if)# ppp authentication chap
Configuring CHAP Authentication (Client)
» Change encapsulation
• Router(config-if)# encapsulation ppp
» Configure to send username and password
• Router(config-if)# ppp chap password <password>
• Router(config-if)# ppp chap hostname <username>
Verifying CHAP Authentication
» Verification commands
• Router# show users
• Router# debug ppp negotiation
» Note: upon successful authentication, a CHAP server should show the authenticated users together with their IP addresses
Authentication Debug
*Mar 1 01:12:29.739 Ser1/1 PPP: Phase is AUTHENTICATING, by both
*Mar 1 01:12:29.743 Ser1/1 CHAP: O CHALLENGE id 5 len 28 from "isdn2-2"
*Mar 1 01:12:29.747 Ser1/1 CHAP: I CHALLENGE id 5 len 28 from "isdn2-3"
*Mar 1 01:12:29.755 Ser1/1 CHAP: O RESPONSE id 5 len 28 from "isdn2-2"
*Mar 1 01:12:29.775 Ser1/1 CHAP: I SUCCESS id 5 len 4
*Mar 1 01:12:29.783 Ser1/1 CHAP: I RESPONSE id 5 len 28 from "isdn2-3"
*Mar 1 01:12:29.787 Ser1/1 CHAP: O SUCCESS id 5 len 4
*Mar 1 01:12:29.791 Ser1/1 PPP: Phase is UP
Things to Look for in PPP debug
» LCP: State is Open
• LCP negotiation was successful
• If not, then look for the options that failed
» Authentication: PAP or CHAP
• Check for usernames, passwords, etc.
» NCP: IPCP, IPXCP, ATCP State is Open
• Means NCP negotiation was successful
• If not, then look for CONFREQ, CONFREJ, CONFACK, CONFNAK, etc.
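As an added example (not from the INE slides), the checklist above turned into a small parser for debug lines laid out like the LCP, NCP and authentication debugs shown earlier: it records each control protocol's final state and the options seen in CONFREQ, CONFNAK and CONFREJ packets, then applies the LCP, authentication, NCP order. The regexes and the SAMPLE lines are constructed to match the slides' layout, not Cisco's exact debug format.

```python
import re
from collections import defaultdict

# One debug line in the slides' layout: timestamp, interface, control protocol, message body.
LINE_RE = re.compile(r"^\*?\w{3}\s+\d+\s+[\d:.]+\s+\S+\s+"
                     r"(?P<proto>LCP|IPCP|IPXCP|CDPCP|CHAP|PAP|PPP):\s+(?P<body>.*)$")
PKT_RE = re.compile(r"^[IO]\s+(?P<kind>CONF(?:REQ|ACK|NAK|REJ)|CHALLENGE|RESPONSE|SUCCESS|FAILURE)\b")
OPT_RE = re.compile(r"^\w+ \S+")  # "AuthProto CHAP", "MagicNumber 0x...", "Address 10.1.1.1"
BUCKET = {"CONFREQ": "requested", "CONFNAK": "naked", "CONFREJ": "rejected"}

def parse_ppp_debug(lines):
    """Per control protocol: final state plus the options carried in CONFREQ/CONFNAK/CONFREJ
    packets (an option line belongs to the packet line just before it); plus the PAP/CHAP result."""
    summary = defaultdict(lambda: {"state": None, "requested": [], "naked": [], "rejected": []})
    auth, current = {"protocol": None, "result": None}, None
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group("proto") == "PPP":
            continue
        proto, body = m.group("proto"), m.group("body").strip()
        pm = PKT_RE.match(body)
        if proto in ("CHAP", "PAP"):
            if pm:
                auth["protocol"] = proto
                if pm.group("kind") in ("SUCCESS", "FAILURE"):
                    auth["result"] = pm.group("kind")
        elif pm:
            current = BUCKET.get(pm.group("kind"))  # None for CONFACK: nothing to record
        elif body.startswith("State is "):
            summary[proto]["state"], current = body[9:], None
        elif current and OPT_RE.match(body):
            summary[proto][current].append(OPT_RE.match(body).group(0))
    return dict(summary), auth

def diagnose(summary, auth):
    """The slide's checklist in order: LCP open, then authentication passed, then every NCP open."""
    lcp = summary.get("LCP") or {"state": None, "naked": [], "rejected": []}
    if lcp["state"] != "Open":
        return [f"LCP not open; failed options: {lcp['rejected'] + lcp['naked']}"]
    if auth["protocol"] and auth["result"] != "SUCCESS":
        return [f"{auth['protocol']} authentication did not succeed; check usernames and passwords"]
    problems = [f"{p} not open; rejected={i['rejected']} naked={i['naked']}"
                for p, i in summary.items() if p != "LCP" and i["state"] != "Open"]
    return problems or ["LCP, authentication and all NCPs completed"]

# Constructed sample in the slides' layout: LCP and CHAP succeed, the IPCP address is NAKed.
SAMPLE = """\
Jun 1 01:12:29.683 Ser1/1 LCP: O CONFREQ [Closed] id 5 len 15
Jun 1 01:12:29.687 Ser1/1 LCP:    AuthProto CHAP (0x0305C22305)
Jun 1 01:12:29.735 Ser1/1 LCP: State is Open
Jun 1 01:12:29.775 Ser1/1 CHAP: I SUCCESS id 5 len 4
Jun 1 01:12:29.811 Ser1/1 IPCP: I CONFNAK [REQsent] id 5 len 10
Jun 1 01:12:29.815 Ser1/1 IPCP:    Address 10.1.1.5 (0x03060A010105)
"""
```

Running diagnose(*parse_ppp_debug(SAMPLE.splitlines())) reports IPCP as not open with the NAKed address, which is where the troubleshooting should start.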
Layer-3 Address Negotiation
[Diagram: Router (client) Ser0/0/0 <-> Ser1/1/1 Sally (server)]
Client configuration:
hostname Chris
!
username Sally password Cisco
!
interface serial 0/0/0
 ip address negotiated
 encapsulation ppp
Server configuration:
hostname Sally
username Chris password Cisco
!
interface serial 1/1/1
 ip address 1.1.1.2 255.255.0.0
 encapsulation ppp
 ppp authentication chap
 peer default ip address pool MyPool
!
ip local pool MyPool 1.1.1.3 1.1.1.10
Quiz!!!
» Which of the following items are negotiated during the PPP LCP stage?
A. Multilink
B. Authentication Type
C. Authentication Challenge
D. Callback
E. IP address
Quiz!!!
» Which PPP LCP option would you look for in the output of “debug ppp negotiation” to indicate that PPP Multilink had been configured?
• MRU
• MRRU
• ACCM
• Magic Number
Quiz!!!
» Router-1 sends a PPP LCP frame indicating that it wishes to implement CHAP authentication.
» Router-2, at the other end of the PPP link, is not configured for CHAP but is configured for PAP.
» In response to Router-1’s “Conf-Req” packet, Router-2 will send a ___________ indicating that it wants to do PAP.
• Conf-REJ
• Conf-NAK
• Conf-ACK
• Conf-REQ
Quiz!!!
» Based on the configurations shown below, will a successful PPP connection be established between these two routers? If not, why not?
[Diagram: Router (client) Ser0/0/0 <-> Ser1/1/1 Sally (server)]
Router (client) configuration:
hostname Router
username Sally password Cisco
!
interface serial 0/0/0
 ip address 1.1.1.1 255.255.0.0
 encapsulation ppp
 ppp authentication pap
 ppp pap sent-username Router password Cisco
Sally (server) configuration:
hostname Sally
username Chris password Cisco
!
interface serial 1/1/1
 ip address 1.1.1.2 255.255.0.0
 encapsulation ppp
 ppp authentication pap
 ppp chap hostname Sally
 ppp chap password Cisco
Quiz!!!
» What can you infer from the following debug output?
Quiz!!!
» A trouble ticket is opened because it has been discovered that ICMP pings to 2.2.2.2 are not able to flow across a PPP connection on Router-3.
» Based on the debug output below, what is the root cause of this problem?
PPPoE (PPP over Ethernet)
Why do we need PPPoE?
» The original objective for PPP was to support:
• A single, dial-up host
• A temporary network connection
» With the advent of DSL and Metro Ethernet, new problems were presented:
• How to allow a single DSL connection to support an entire LAN of PPP clients?
• How to differentiate traffic from multiple companies sharing a common Ethernet connection to an ISP?
PPPoE, Common Use-Case
[Diagram: Company-A, Company-B, Company-C and Company-D, each behind its own PPPoE Client, share a Metro Ethernet connection to the ISP, which connects them to the Internet]
• Only customers with correct/unique PPPoE authentication credentials gain ISP access.
• The ISP can track individual PPPoE sessions for billing purposes.
PPPoE Control Packets
» Normal PPP across WAN lines starts immediately with LCP.
» PPPoE prefaces LCP with special PPPoE control packets to establish a unique “Session-ID”.
» The Session-ID is used by the ISP to identify individual customers.
PPPoE Active Discovery
» PPPoE is based on a client/server architecture.
• Multiple clients on a single, shared medium
• One server terminating/aggregating multiple clients
» PPPoE relies on “Active Discovery” frames to enable clients to discover the server and obtain a unique Session-ID.
» The Active Discovery process (and the names of its control frames) has many similarities to the DHCP process.
PPPoE Active Discovery Process
[Diagram: PPPoE Client (MAC = xx:xx:xx:xx:xx:xx) <-> PPPoE Server (MAC = yy:yy:yy:yy:yy:yy)]
1. Client, PADI (PPPoE Active Discovery Initialization), L2 Ethernet destination = broadcast: “Are there any PPPoE servers out there? My unique Host-ID is xx-xx”
2. Server, PADO (PPPoE Active Discovery Offer), L2 Ethernet destination = unicast: “Yes, I’m here xx-xx. My unique Access Concentrator (AC) ID is yy.yy”
3. Client, PADR (PPPoE Active Discovery Request), L2 Ethernet destination = unicast: “Thanks for that info! Can I have a Session-ID please?”
4. Server, PADS (PPPoE Active Discovery Session-Confirmation), L2 Ethernet destination = unicast: “Yes, let’s use Session-ID 0x02.”
PPP Encapsulation within Ethernet
» PPP general frame format: Start Flag | Address | Control | Protocol | PPP Control, or Encapsulated Data | FCS | Final Flag
» PPPoE Ethernet general frame format: Dest MAC | Source MAC | Ethertype (0x8863 or 0x8864) | PPP Control, or Encapsulated Data | Padding | Ethernet FCS
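An added example, not part of the INE material, covering the four-step discovery exchange and the Ethertype/frame layout of the two slides above: it builds and parses PADI/PADO/PADR/PADS frames with the RFC 2516 layout (Ethertype 0x8863 during discovery, 0x8864 once the session carries PPP; a 6-byte PPPoE header; TLV tags) and runs the exchange against a simulated access concentrator. The AccessConcentrator class, the MAC addresses and the tag values are constructed for the demonstration.

```python
import struct

# RFC 2516 constants; the Ethertypes are the 0x8863 / 0x8864 shown on the frame-format slide.
ETH_DISCOVERY, ETH_SESSION = 0x8863, 0x8864   # discovery stage / PPP session stage
BROADCAST = b"\xff" * 6
CODES = {"PADI": 0x09, "PADO": 0x07, "PADR": 0x19, "PADS": 0x65}
CODE_NAMES = {v: k for k, v in CODES.items()}
TAG_SERVICE_NAME, TAG_AC_NAME, TAG_HOST_UNIQ = 0x0101, 0x0102, 0x0103

def build_frame(dst, src, code, session_id, tags):
    """Ethernet header + PPPoE header (VER=1,TYPE=1 -> 0x11; CODE; SESSION_ID; LENGTH) + TLV tags."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return (struct.pack("!6s6sH", dst, src, ETH_DISCOVERY)
            + struct.pack("!BBHH", 0x11, CODES[code], session_id, len(payload)) + payload)

def parse_frame(frame):
    """Decode a discovery frame; reject a wrong Ethertype or VER/TYPE, an unknown code, or a short payload."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    vertype, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if ethertype != ETH_DISCOVERY or vertype != 0x11 or code not in CODE_NAMES:
        raise ValueError("not a well-formed PPPoE discovery frame")
    body = frame[20:20 + length]
    if len(body) != length:
        raise ValueError("truncated PPPoE payload")
    tags, off = {}, 0
    while off + 4 <= len(body):
        t, l = struct.unpack("!HH", body[off:off + 4])
        tags[t], off = body[off + 4:off + 4 + l], off + 4 + l
    return {"dst": dst, "src": src, "code": CODE_NAMES[code], "session_id": session_id, "tags": tags}

class AccessConcentrator:
    """Hypothetical minimal PPPoE server: PADI -> PADO, PADR -> PADS with a fresh non-zero Session-ID."""
    def __init__(self, mac, ac_name=b"yy"):
        self.mac, self.ac_name, self.next_id = mac, ac_name, 1
    def handle(self, frame):
        req = parse_frame(frame)
        echo = [(TAG_HOST_UNIQ, req["tags"][TAG_HOST_UNIQ])] if TAG_HOST_UNIQ in req["tags"] else []
        if req["code"] == "PADI" and req["dst"] == BROADCAST and req["session_id"] == 0:
            return build_frame(req["src"], self.mac, "PADO", 0,
                               [(TAG_SERVICE_NAME, b""), (TAG_AC_NAME, self.ac_name)] + echo)
        if req["code"] == "PADR" and req["dst"] == self.mac and req["session_id"] == 0:
            sid, self.next_id = self.next_id, self.next_id + 1
            return build_frame(req["src"], self.mac, "PADS", sid, [(TAG_SERVICE_NAME, b"")] + echo)
        return None  # anything else (unicast PADI, stray PADR) is dropped, as a real AC would

def discover(client_mac, ac, host_uniq=b"xx"):
    """Client side of the slide's four steps; Host-Uniq ties replies to our own request. Returns (session_id, server_mac)."""
    req_tags = [(TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, host_uniq)]
    pado = parse_frame(ac.handle(build_frame(BROADCAST, client_mac, "PADI", 0, req_tags)))
    if pado["code"] != "PADO" or pado["tags"].get(TAG_HOST_UNIQ) != host_uniq:
        raise ValueError("unexpected or foreign PADO")
    pads = parse_frame(ac.handle(build_frame(pado["src"], client_mac, "PADR", 0, req_tags)))
    if pads["code"] != "PADS" or pads["session_id"] == 0:
        raise ValueError("no session confirmed")
    return pads["session_id"], pads["src"]
```

After PADS the same two MACs switch to Ethertype 0x8864 with the agreed Session-ID in the header, and LCP begins inside those frames.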
Configuring PPPoE
[Diagram: client Fast0/0 <-> Fast0/0 server]
Server configuration:
hostname server
!
username client password cisco
!
bba-group pppoe INE
 virtual-template 1
!
interface Virtual-Template1
 ip address 1.2.1.1 255.255.255.0
 ! or: ip unnumbered loopback 0
 peer default ip address pool MyPool
 ppp authentication chap
!
ip local pool MyPool 1.2.1.2 1.2.1.254
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 pppoe enable group INE
Client configuration:
hostname client
!
interface Dialer1
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 ppp chap password 0 cisco
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 pppoe-client dial-pool-number 1
!
Configuring PPPoE with DHCP
[Diagram: client Fast0/0 <-> Fast0/0 server <-> DHCP Server 7.7.7.7]
Server configuration:
hostname server
!
username client password cisco
!
bba-group pppoe INE
 virtual-template 1
!
interface Virtual-Template1
 ip address 1.2.1.1 255.255.255.0
 peer default ip address dhcp
 ppp authentication chap
 ip helper-address 7.7.7.7
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 pppoe enable group INE
Client configuration:
hostname client
!
interface Dialer1
 ip address dhcp
 encapsulation ppp
 dialer pool 1
 ppp chap password 0 cisco
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 pppoe-client dial-pool-number 1
!
Verifying PPPoE on Server (1)
(PTA) PPP Termination Aggregation
Verifying PPPoE on Server (2)
Verifying PPPoE on Client (1)
Verifying PPPoE on Client (2)
PPPoE and MTU
» PPP = 8 bytes of overhead (headers)
» Max-sized Ethernet frame (data) = 1500 bytes
» 1500 bytes + 8 bytes (PPP) = 1508
» 1508 bytes + 14 bytes (Ethernet headers) = 1522 bytes
» Every maximum-sized Ethernet frame sent from hosts will need to be fragmented by PPPoE-speaking routers.
» Fragmentation = CPU-intensive
MTU and Virtual-interfaces
» Virtual-Templates (and Dialer interfaces) spawn Virtual-Access interfaces for terminating PPPoE sessions.
» Virtual-Access interfaces spawned from Virtual-Templates (using PPPoE) have a default MTU of 1492
» Virtual-Access interfaces spawned from Dialer interfaces have a default MTU of 1500
» What are the results of a mismatched MTU?
• Frequent fragmentation of large Ethernet frames
• OSPF peering stuck in EXSTART state
Fixing MTU Mismatches
[Diagram: Web Server <-> Fast1/1 PPPoE Client Fast0/0 <-> Fast0/0 PPPoE Server]
Server configuration:
hostname server
!
username client password cisco
!
bba-group pppoe INE
 virtual-template 1
!
interface Virtual-Template1
 ip address 1.2.1.1 255.255.255.0
 peer default ip address dhcp
 ppp authentication chap
 ip helper-address 7.7.7.7
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 pppoe enable group INE
Client configuration:
hostname client
!
interface Dialer1
 ip address dhcp
 encapsulation ppp
 dialer pool 1
 ppp chap password 0 cisco
 ip mtu 1492
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 pppoe-client dial-pool-number 1
!
interface FastEthernet1/1
 ip address x.x.x.x y.y.y.y
 ip tcp adjust-mss 1452
Q&A