Point-to-Point Protocol (PPP) www.INE.com


Page 1 (title slide)

Page 2

Copyright © www.INE.com

PPP

» Point-to-Point Protocol
» Open standard
» Operates in the LLC sub-layer of the data link layer in OSI
» Originally designed for dial-up connections (modems, ISDN, etc.)
» Only one possible destination

Presentation Notes
Most of the operations of the MAC sub-layer of the data link layer aren't utilized when using PPP, because PPP is assumed to run over point-to-point connections. There is no need for CSMA/CD, L2 addressing, or any of the other things the MAC sub-layer is usually responsible for.
Page 3

Point-to-Point Technologies

» No Layer 3 to Layer 2 resolution required
» Useful for wide area networks where leased lines exist, or for other P2P networks
» Supports authentication

PPP Frame Format

Start Flag | Address | Control | Protocol Code | Data / PPP Control | FCS | Final Flag

• Address: static value, set to 11111111 (0xFF)
• Control: static value (0x03)
• Protocol Code: indicates whether the next field is data or a PPP control frame

Presentation Notes
If PPP is carrying data (like an IP packet), after the Protocol field you will see the encapsulated IPv4/IPv6 packet. If PPP is carrying PPP control traffic (like LCP or NCP), then after the Protocol Code field you'll see additional PPP control fields (such as codes, identifiers, length, and PPP option fields).
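Added example (not from the INE deck): a Python encoder and parser for the frame layout above, assuming RFC 1662 HDLC-like framing (flag 0x7E, address 0xFF, control 0x03, 16-bit FCS, byte stuffing with 0x7D). The protocol numbers in the table are standard PPP assignments; the sample LCP payload is constructed.

```python
"""Build and parse PPP frames in HDLC-like framing (RFC 1661 / RFC 1662)."""
import struct

FLAG, ESCAPE, ADDRESS, CONTROL = 0x7E, 0x7D, 0xFF, 0x03
GOOD_FCS16 = 0xF0B8  # residue a correct FCS leaves behind (RFC 1662 PPPGOODFCS16)

# Protocol field values; 0x8000 and above are control protocols (NCPs, LCP, auth).
PROTOCOLS = {
    0x0021: "IPv4", 0x0057: "IPv6", 0x8021: "IPCP", 0x8057: "IPV6CP",
    0x8207: "CDPCP", 0xC021: "LCP", 0xC023: "PAP", 0xC223: "CHAP",
}


def fcs16(data: bytes, fcs: int = 0xFFFF) -> int:
    """RFC 1662 FCS-16 (CRC-CCITT, bit-reflected, polynomial 0x8408)."""
    for byte in data:
        fcs ^= byte
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs


def build_frame(protocol: int, payload: bytes) -> bytes:
    """Address, Control, Protocol, payload, FCS; then byte-stuff and add the flags."""
    body = bytes([ADDRESS, CONTROL]) + struct.pack(">H", protocol) + payload
    body += struct.pack("<H", fcs16(body) ^ 0xFFFF)  # FCS goes on the wire LSB first
    stuffed = bytearray()
    for byte in body:
        # Default ACCM: escape the flag, the escape byte and every control character.
        if byte in (FLAG, ESCAPE) or byte < 0x20:
            stuffed += bytes([ESCAPE, byte ^ 0x20])
        else:
            stuffed.append(byte)
    return bytes([FLAG]) + bytes(stuffed) + bytes([FLAG])


def parse_frame(frame: bytes) -> dict:
    """Un-stuff, verify the FCS and split the frame; raises ValueError on damage."""
    if len(frame) < 8 or frame[0] != FLAG or frame[-1] != FLAG:
        raise ValueError("missing flag or frame too short")
    raw = bytearray()
    it = iter(frame[1:-1])
    for byte in it:
        if byte == FLAG:
            raise ValueError("unescaped flag inside frame")
        if byte == ESCAPE:
            nxt = next(it, None)
            if nxt is None:
                raise ValueError("truncated escape sequence")
            byte = nxt ^ 0x20
        raw.append(byte)
    if len(raw) < 6:
        raise ValueError("frame too short after un-stuffing")
    # Running the CRC over data + transmitted FCS must leave the fixed residue.
    if fcs16(bytes(raw)) != GOOD_FCS16:
        raise ValueError("FCS mismatch: frame corrupted")
    if raw[0] != ADDRESS or raw[1] != CONTROL:
        raise ValueError("unexpected address/control bytes")
    protocol = struct.unpack(">H", raw[2:4])[0]
    return {
        "protocol": protocol,
        "name": PROTOCOLS.get(protocol, "unknown"),
        "kind": "control" if protocol >= 0x8000 else "data",
        "payload": bytes(raw[4:-2]),
    }


if __name__ == "__main__":
    # Constructed sample: an LCP Configure-Request (code 1, id 5, length 4, no options).
    frame = build_frame(0xC021, bytes.fromhex("01050004"))
    print(frame.hex(), parse_frame(frame))
```

The FCS detects line errors only; it is not an integrity tag against a peer that can rewrite the frame. The protocol field is what tells you whether the bytes after it are an IP packet or LCP/NCP/authentication control traffic.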
Page 4

LCP and NCP

» PPP must negotiate a connection
» Moves through a series of required steps prior to transport of user data:
  • LCP – Link Control Protocol
  • Authentication (optional)
  • NCP – Network Control Protocol
» State events and transitions can be monitored in real time with "debug ppp negotiation".

Presentation Notes
One of the benefits of PPP is that each dialed Layer-2 connection can use different options:
- One connection may use authentication; another connection may choose not to.
- One connection may use callback.
All of these options are negotiated up front with LCP.
Page 5

PPP – LCP (Link Control Protocol)

» LCP negotiates link-specific options:
  – Callback
  – Multilink
  – Authentication (whether or not to authenticate, and which protocol)
  – Magic Number (loopback detection), etc.

Diagram: two routers connected through a dial-up or circuit-switched network.

Presentation Notes
LCP MUST successfully negotiate before we go any further. During LCP you may see negotiation of MRU and MRRU values:
- MRU = Maximum Receive Unit (like TCP MSS; this value reflects the MTU of the PPP interface. If the MTU is changed from the default of 1500 bytes, the MRU will be negotiated.)
- MRRU = Maximum Received Reconstructed Unit (this value is only used when one or both sides of the link want to use PPP Multilink. It indicates the maximum size of the original PPP frame prior to fragmentation.)
Page 6

LCP Message Exchanges

• LCP uses several different control messages:

Configuration-Request
• Lists all PPP options a sender wishes to implement, such as authentication type, PPP Multilink, Callback, etc.

Configuration-Reject
• Sent when a receiver doesn't support a particular option at all and offers no alternative.

Configuration-NAK (Negative Acknowledgement)
• Sent when a receiver recognizes an option but not the proposed value, and offers an alternative value.

Configuration-Acknowledgement
• Acknowledges all LCP options in the most recent Config-Req that was received.

Presentation Notes
DEMO: PPP debug. Notice that typically LCP Configuration-Request messages are sent by both sides at the same time. Because PPP peers often send messages before waiting for a reply from the other side, it can take a while for LCP to "calm down" and finally arrive at a fully negotiated state. Each LCP message comes with an "id" number, so when you see an outgoing Config-Request message, look at its ID number and look for a corresponding ID in an incoming Reject, NAK, or ACK message.
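To make the four message types concrete, here is an added example (not part of the original slides) that encodes LCP options as type/length/value and implements the receiver's decision from RFC 1661: an option the receiver does not support at all goes into a Configure-Reject, a recognised option with an unacceptable value goes into a Configure-NAK carrying the value the receiver wants, and otherwise every option is echoed in a Configure-ACK. The option hex strings it decodes (0x0305C22305 is AuthProto CHAP, 0x0506... is MagicNumber) are the ones printed by the debug on the next slide; the peer settings are constructed.

```python
"""LCP option negotiation (RFC 1661): answer a Configure-Request with ACK, NAK or REJ."""
import secrets
import struct

CONFREQ, CONFACK, CONFNAK, CONFREJ = 1, 2, 3, 4
OPT_MRU, OPT_AUTH, OPT_MAGIC, OPT_MRRU = 1, 3, 5, 17
AUTH_PAP, AUTH_CHAP = 0xC023, 0xC223
CHAP_MD5 = b"\x05"  # algorithm byte that follows 0xC223 in the AuthProto option


def encode_options(options):
    """[(type, value), ...] -> type/length/value bytes; length covers the 2-byte header."""
    return b"".join(bytes([typ, len(val) + 2]) + val for typ, val in options)


def decode_options(data):
    """TLV bytes -> [(type, value), ...]; 0x0305C22305 decodes to [(3, b'\\xc2\\x23\\x05')]."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated option header")
        typ, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError(f"bad option length {length} at offset {i}")
        out.append((typ, data[i + 2:i + length]))
        i += length
    return out


def encode_packet(code, ident, options):
    body = encode_options(options)
    return struct.pack(">BBH", code, ident, 4 + len(body)) + body


def decode_packet(pkt):
    code, ident, length = struct.unpack(">BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad LCP length")
    return code, ident, decode_options(pkt[4:length])


class LcpPeer:
    """Receiving side of LCP; the settings are constructed for the example."""

    def __init__(self, magic, auth_supported=(AUTH_CHAP,), preferred_auth=AUTH_CHAP,
                 max_mru=1500, multilink=False):
        self.magic = magic
        self.auth_supported = auth_supported
        self.preferred_auth = preferred_auth
        self.max_mru = max_mru
        self.multilink = multilink

    def handle_confreq(self, pkt):
        code, ident, opts = decode_packet(pkt)
        if code != CONFREQ:
            raise ValueError("expected a Configure-Request")
        rejected, naked = [], []
        for typ, val in opts:
            if typ == OPT_AUTH:
                proto = struct.unpack(">H", val[:2])[0]
                if proto not in self.auth_supported:
                    # Recognised option, unacceptable value: the NAK carries the value we want.
                    want = struct.pack(">H", self.preferred_auth)
                    if self.preferred_auth == AUTH_CHAP:
                        want += CHAP_MD5
                    naked.append((typ, want))
            elif typ == OPT_MRU:
                if struct.unpack(">H", val)[0] > self.max_mru:
                    naked.append((typ, struct.pack(">H", self.max_mru)))
            elif typ == OPT_MAGIC:
                if val == struct.pack(">I", self.magic):
                    # Peer echoes our own magic number: looped link. NAK with a fresh value.
                    fresh = self.magic
                    while fresh == self.magic:
                        fresh = secrets.randbits(32)
                    naked.append((typ, struct.pack(">I", fresh)))
            elif typ == OPT_MRRU:
                if not self.multilink:
                    rejected.append((typ, val))  # option not supported on this side
            else:
                rejected.append((typ, val))  # unknown option type
        # RFC 1661: Reject takes precedence over NAK; ACK echoes every option unchanged.
        if rejected:
            return encode_packet(CONFREJ, ident, rejected)
        if naked:
            return encode_packet(CONFNAK, ident, naked)
        return encode_packet(CONFACK, ident, opts)


if __name__ == "__main__":
    # The exchange on the LCP Debug slide: both sides ask for CHAP plus a magic number (id 5).
    r1, r2 = LcpPeer(magic=0x10BD9502), LcpPeer(magic=0x10B8A083)
    req = encode_packet(CONFREQ, 5, [(OPT_AUTH, b"\xc2\x23" + CHAP_MD5),
                                     (OPT_MAGIC, struct.pack(">I", r1.magic))])
    print(req.hex(), decode_packet(r2.handle_confreq(req)))
```

A peer that supports only PAP answers a CHAP request with a NAK naming PAP (option 3 with value 0xC023), which is exactly the "configured on one side, not the other" symptom described on the following slide; a peer with no multilink support rejects the MRRU option outright.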
Page 7

LCP Debug

Jun 1 01:12:29.679: Ser1/1 PPP: Treating connection as a callout
Jun 1 01:12:29.679: Ser1/1 PPP: Phase is ESTABLISHING, Active Open
Jun 1 01:12:29.683: Ser1/1 LCP: O CONFREQ [Closed] id 5 len 15
Jun 1 01:12:29.687: Ser1/1 LCP:    AuthProto CHAP (0x0305C22305)
Jun 1 01:12:29.691: Ser1/1 LCP:    MagicNumber 0x10BD9502 (0x050610BD9502)
Jun 1 01:12:29.707: Ser1/1 LCP: I CONFREQ [REQsent] id 5 len 15
Jun 1 01:12:29.711: Ser1/1 LCP:    AuthProto CHAP (0x0305C22305)
Jun 1 01:12:29.711: Ser1/1 LCP:    MagicNumber 0x10B8A083 (0x050610B8A083)
Jun 1 01:12:29.719: Ser1/1 LCP: O CONFACK [REQsent] id 5 len 15
Jun 1 01:12:29.719: Ser1/1 LCP:    AuthProto CHAP (0x0305C22305)
Jun 1 01:12:29.723: Ser1/1 LCP:    MagicNumber 0x10B8A083 (0x050610B8A083)
Jun 1 01:12:29.727: Ser1/1 LCP: I CONFACK [ACKsent] id 5 len 15
Jun 1 01:12:29.731: Ser1/1 LCP:    AuthProto CHAP (0x0305C22305)
Jun 1 01:12:29.735: Ser1/1 LCP:    MagicNumber 0x10BD9502 (0x050610BD9502)
Jun 1 01:12:29.735: Ser1/1 LCP: State is Open

Presentation Notes
When viewing the output of "debug ppp negotiation" and concentrating on the LCP portion of the debug, what you want to pay attention to is the direction of the messages (outgoing versus incoming) and their ids. If you see a CONFNAK message, a particular PPP option that was attempted during LCP was not accepted as proposed. The most likely reason is that a PPP IOS command was configured on one side of the link but not on the other.
Page 8

PPP – NCP (Network Control Protocol)

» Negotiates which Layer 3 protocol(s) to carry:
  ● For IP: IPCP
  ● For IPX: IPXCP
  ● For CDP: CDPCP
» Each of the above has protocol-specific options that need to be negotiated

Diagram: two routers connected through a dial-up or circuit-switched network.

Presentation Notes
NCP uses the same message types as LCP: ConfReq, ConfACK, ConfRej, and ConfNAK. Some of the things negotiated during NCP don't seem like "network" protocols to us, such as CDPCP. However, keep in mind that from PPP's perspective, anything it will be carrying/encapsulating is considered a "network" protocol. Each protocol negotiated has options that go with that protocol. An example is IP: if we are negotiating IPCP, then we need to negotiate the IP addresses that both sides need to use. It has to be agreed to by both sides, or else we will not bring up the connection. If one side wants to use 172.16.81.2, and the other side thinks it should be using 198.4.5.2, then the negotiation will never be successful.
Other control protocols include:
- OSICP – OSI Control Protocol
- XNSCP – XNS IDP Control Protocol
- DECCP – DECnet Phase IV Control Protocol
- VINECP – Banyan VINES Control Protocol
- NBFCP – NetBIOS Frames Control Protocol
- LL2CP – LLC2 Control Protocol
- IPV6CP – PPP IPv6 Control Protocol
Page 9

NCP Debug

*Mar 1 01:12:29.795: Ser1/1 IPCP: O CONFREQ [Closed] id 5 len 10
*Mar 1 01:12:29.799: Ser1/1 IPCP:    Address 10.1.1.1 (0x03060A010101)
*Mar 1 01:12:29.807: Ser1/1 CDPCP: O CONFREQ [Closed] id 5 len 4
*Mar 1 01:12:29.811: Ser1/1 IPCP: I CONFREQ [REQsent] id 5 len 10
*Mar 1 01:12:29.815: Ser1/1 IPCP:    Address 10.1.1.2 (0x03060A010102)
*Mar 1 01:12:29.819: Ser1/1 IPCP: O CONFACK [REQsent] id 5 len 10
*Mar 1 01:12:29.823: Ser1/1 IPCP:    Address 10.1.1.2 (0x03060A010102)
*Mar 1 01:12:29.827: Ser1/1 CDPCP: I CONFREQ [REQsent] id 5 len 4
*Mar 1 01:12:29.831: Ser1/1 CDPCP: O CONFACK [REQsent] id 5 len 4
*Mar 1 01:12:29.835: Ser1/1 IPCP: I CONFACK [ACKsent] id 5 len 10
*Mar 1 01:12:29.839: Ser1/1 IPCP:    Address 10.1.1.1 (0x03060A010101)
*Mar 1 01:12:29.839: Ser1/1 IPCP: State is Open
*Mar 1 01:12:29.843: Ser1/1 CDPCP: I CONFACK [ACKsent] id 5 len 4
*Mar 1 01:12:29.847: Ser1/1 CDPCP: State is Open
*Mar 1 01:12:29.855: Ser1/1 IPCP: Install route to 10.1.1.2

Page 10

PPP Authentication

» Two primary benefits of using PPP (as compared to other P2P WAN protocols):
  • Dynamically learn the Layer-3 address (via NCP)
  • Authenticate your peer
» PPP authentication is optional, but almost always configured.
» One-way or bi-directional authentication
» Various PPP authentication methods are available.

Presentation Notes
Although most people think there are only two PPP authentication protocols available (PAP and CHAP), there are others, such as MS-CHAPv1, MS-CHAPv2 and EAP. More details here: https://technet.microsoft.com/en-us/library/cc958013.aspx
Page 11

PAP

» Password Authentication Protocol
» Sends clear-text username and password for authentication
» Two-way handshake
» Less secure than CHAP
» By default, the hostname is sent as the username

Page 12

PAP Authentication – One-way

» PPP PAP authentication options
  • One way (client authenticates against server)

Chris (client, Ser0/0/0) <-> Sally (server, Ser1/1/1)

LCP: "Hello, I want to do PPP with you." / "Great, but I insist we use PAP."
Auth: "My name is Chris, password is Cisco." / "That matches what I have."

Chris:
hostname Chris
!
interface serial 0/0/0
 ip address 1.1.1.1 255.255.0.0
 encapsulation ppp
 ppp pap sent-username Chris password Cisco

Sally:
hostname Sally
username Chris password Cisco
!
interface serial 1/1/1
 ip address 1.1.1.2 255.255.0.0
 encapsulation ppp
 ppp authentication pap

Presentation Notes
The "username x password y" command works differently in PAP versus CHAP. PAP: this command is used to authenticate inbound connections. CHAP: this command supplies the secret that matches whoever is challenging us; that secret is used to hash the CHAP challenge and produce the response.
Page 13

PAP Authentication – Two-way

• Two way (both peers authenticate each other)

Chris (client, Ser0/0/0) <-> Sally (server, Ser1/1/1)

LCP: "Hello, I want to do PPP with you." / "Great, but I insist we use PAP."
Auth: "My name is Chris, password is Cisco." / "That matches what I have."
Auth: "My name is Sally, password is Server." / "That matches what I have."

Chris:
hostname Chris
username Sally password Server
!
interface serial 0/0/0
 ip address 1.1.1.1 255.255.0.0
 encapsulation ppp
 ppp authentication pap
 ppp pap sent-username Chris password Cisco

Sally:
hostname Sally
username Chris password Cisco
!
interface serial 1/1/1
 ip address 1.1.1.2 255.255.0.0
 encapsulation ppp
 ppp authentication pap
 ppp pap sent-username Sally password Server

Presentation Notes
In this example we're using different passwords for each uni-directional authentication session. However, the same password can be used for both sessions for simplicity.
Page 14

Verifying PAP Authentication

» Verification commands
  • Router# debug ppp negotiation
  • Router# debug ppp authentication
  • Router# show interface serial <number>
  • Router# show users
» In the debugs above you want to see: PPP: Received LOGIN Response PASS
» Note: upon successful authentication, a PAP server should show the authenticated users with their IP addresses

Page 15

CHAP

» Challenge Handshake Authentication Protocol
» Three-way handshake
» More secure than PAP: the password itself never crosses the link
» By default, the hostname is sent as the username; the username can be explicitly configured

Page 16

CHAP Authentication – One-way

Router (client, Ser0/0/0) <-> Sally (server, Ser1/1/1)

"Hello, I want to do PPP with you." / "Great, but I insist we use CHAP. My name is Sally. My CHAP challenge is a123bc567."
Both sides compute the same value from the challenge and the shared secret (illustrative; real CHAP uses MD5 over the identifier, the secret and the challenge):
  a123bc567 + Chris + Cisco = bbb55
"My challenge response = bbb55." / "Looks good! You must really be Chris!"

Router:
hostname Router
!
interface serial 0/0/0
 ip address 1.1.1.1 255.255.0.0
 encapsulation ppp
 ppp chap hostname Chris
 ppp chap password Cisco

Sally:
hostname Sally
username Chris password Cisco
!
interface serial 1/1/1
 ip address 1.1.1.2 255.255.0.0
 encapsulation ppp
 ppp authentication chap

Page 17

CHAP Authentication – (Alternative Client Config)

Router (client, Ser0/0/0) <-> Sally (server, Ser1/1/1)

"Hello, I want to do PPP with you." / "Great, but I insist we use CHAP. My name is Sally. My CHAP challenge is a123bc567."
"My challenge response = bbb55." / "Looks good! You must really be Chris!"

Router:
hostname Chris
!
username Sally password Cisco
!
interface serial 0/0/0
 ip address 1.1.1.1 255.255.0.0
 encapsulation ppp

Sally:
hostname Sally
username Chris password Cisco
!
interface serial 1/1/1
 ip address 1.1.1.2 255.255.0.0
 encapsulation ppp
 ppp authentication chap

Presentation Notes
By moving the CHAP credentials on the client to a "username x password y" statement (keyed by the challenger's name), the client is free to make PPP calls to different remote destinations from a single interface and provide different authentication credentials to each remote destination.
Page 18

CHAP Authentication – Two-way

Router (client, Ser0/0/0) <-> Sally (server, Ser1/1/1)

"Let's use PPP and CHAP, sound good?" / "I support that!"
"My name is Chris and I challenge you aa3355." / "My name is Sally and I challenge you 77ff5e."
"My challenge response = bbb55." / "Looks good! You must really be Chris!"
"My challenge response = eeccdd!" / "Looks good! You must really be Sally!"

Router:
hostname Router
username Sally password Cisco
!
interface serial 0/0/0
 ip address 1.1.1.1 255.255.0.0
 encapsulation ppp
 ppp authentication chap
 ppp chap hostname Chris
 ppp chap password Cisco

Sally:
hostname Sally
username Chris password Cisco
!
interface serial 1/1/1
 ip address 1.1.1.2 255.255.0.0
 encapsulation ppp
 ppp authentication chap
 ppp chap hostname Sally
 ppp chap password Cisco

Presentation Notes
The "username x password y" command works differently in PAP versus CHAP. PAP: this command is used to authenticate inbound connections. CHAP: this command selects the secret for the named peer, which is used to hash the CHAP challenge and produce the response and, on the authenticating side, to verify the peer's response.
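Added example (not from the original slides) showing, in Python, what both sides of the PAP and CHAP exchanges on Pages 12 through 18 actually put in the packet. Packet layouts follow RFC 1334 (PAP) and RFC 1994 (CHAP with MD5); the dictionaries stand in for the IOS "username x password y" entries and are constructed.

```python
"""PAP (RFC 1334) and CHAP (RFC 1994) exchanges as they appear inside the PPP payload."""
import hashlib
import hmac
import os
import struct

PAP_REQ, PAP_ACK, PAP_NAK = 1, 2, 3                                     # codes inside protocol 0xC023
CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4  # codes inside protocol 0xC223


def pap_request(ident, username, password):
    """Authenticate-Request: Peer-ID and Password go on the wire in clear text."""
    u, p = username.encode(), password.encode()
    body = bytes([len(u)]) + u + bytes([len(p)]) + p
    return struct.pack(">BBH", PAP_REQ, ident, 4 + len(body)) + body


def pap_verify(pkt, user_db):
    """Authenticator: compare the received password with the stored one (the `username x password y` entry)."""
    _, ident, _ = struct.unpack(">BBH", pkt[:4])
    ulen = pkt[4]
    user = pkt[5:5 + ulen].decode()
    plen = pkt[5 + ulen]
    password = pkt[6 + ulen:6 + ulen + plen].decode()
    ok = hmac.compare_digest(user_db.get(user, ""), password)
    # Authenticate-Ack/Nak carry a Msg-Length byte and an optional message; none here.
    return struct.pack(">BBHB", PAP_ACK if ok else PAP_NAK, ident, 5, 0)


def chap_challenge(ident, our_name, challenge=None):
    """Authenticator: Value-Size, random Value, and our Name (what `ppp chap hostname` sets)."""
    challenge = challenge if challenge is not None else os.urandom(16)
    body = bytes([len(challenge)]) + challenge + our_name.encode()
    return struct.pack(">BBH", CHAP_CHALLENGE, ident, 4 + len(body)) + body


def chap_parse(pkt):
    code, ident, length = struct.unpack(">BBH", pkt[:4])
    size = pkt[4]
    return code, ident, pkt[5:5 + size], pkt[5 + size:length].decode()


def chap_response(challenge_pkt, our_name, secrets_by_peer):
    """Peer: pick the secret by the challenger's Name (the client's `username Sally password ...`),
    then Value = MD5(Identifier || secret || Challenge). The secret itself never goes on the wire."""
    _, ident, challenge, peer_name = chap_parse(challenge_pkt)
    secret = secrets_by_peer[peer_name]
    digest = hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()
    body = bytes([len(digest)]) + digest + our_name.encode()
    return struct.pack(">BBH", CHAP_RESPONSE, ident, 4 + len(body)) + body


def chap_verify(challenge_pkt, response_pkt, user_db):
    """Authenticator: recompute the digest from the stored clear-text secret and compare."""
    _, ident, challenge, _ = chap_parse(challenge_pkt)
    code, rid, value, name = chap_parse(response_pkt)
    secret = user_db.get(name)
    if code != CHAP_RESPONSE or rid != ident or secret is None:
        return struct.pack(">BBH", CHAP_FAILURE, ident, 4)
    expected = hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()
    ok = hmac.compare_digest(expected, value)
    return struct.pack(">BBH", CHAP_SUCCESS if ok else CHAP_FAILURE, ident, 4)


if __name__ == "__main__":
    # Constructed credentials from the slides: Sally holds `username Chris password Cisco`.
    sally_db = {"Chris": "Cisco"}
    print("PAP request bytes:", pap_request(1, "Chris", "Cisco"))        # password readable
    chal = chap_challenge(5, "Sally", b"a123bc567")
    resp = chap_response(chal, "Chris", {"Sally": "Cisco"})               # client's `username Sally password Cisco`
    print("CHAP result code:", chap_verify(chal, resp, sally_db)[0])      # 3 = Success
```

Two things to check in the block: the PAP Authenticate-Request contains the password bytes verbatim, so anyone capturing the link has it, whereas the CHAP Response carries only the digest, and a captured Response replayed against a later challenge fails. CHAP still requires the authenticator to hold the secret in clear text, which is why the server's "username" entry contains the same password the client is configured with.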
Page 19

Configuring CHAP Authentication (Server)

» Change encapsulation
  • Router(config-if)# encapsulation ppp
» Create local user database
  • Router(config)# username <username> password <password>
» Configure CHAP server
  • Router(config-if)# ppp authentication chap

Page 20

Configuring CHAP Authentication (Client)

» Change encapsulation
  • Router(config-if)# encapsulation ppp
» Configure the username and password to send
  • Router(config-if)# ppp chap hostname <username>
  • Router(config-if)# ppp chap password <password>

Page 21

Verifying CHAP Authentication

» Verification commands
  • Router# show users
  • Router# debug ppp negotiation
» Note: upon successful authentication, a CHAP server should show the authenticated users with their IP addresses

Page 22

Authentication Debug

*Mar 1 01:12:29.739: Ser1/1 PPP: Phase is AUTHENTICATING, by both
*Mar 1 01:12:29.743: Ser1/1 CHAP: O CHALLENGE id 5 len 28 from "isdn2-2"
*Mar 1 01:12:29.747: Ser1/1 CHAP: I CHALLENGE id 5 len 28 from "isdn2-3"
*Mar 1 01:12:29.755: Ser1/1 CHAP: O RESPONSE id 5 len 28 from "isdn2-2"
*Mar 1 01:12:29.775: Ser1/1 CHAP: I SUCCESS id 5 len 4
*Mar 1 01:12:29.783: Ser1/1 CHAP: I RESPONSE id 5 len 28 from "isdn2-3"
*Mar 1 01:12:29.787: Ser1/1 CHAP: O SUCCESS id 5 len 4
*Mar 1 01:12:29.791: Ser1/1 PPP: Phase is UP

Page 23

Things to Look for in PPP debug

» LCP: State is Open
  • LCP negotiation was successful
  • If not, then look for the options that failed
» Authentication: PAP or CHAP
  • Check usernames, passwords, etc.
» NCP: IPCP, IPXCP, ATCP State is Open
  ● Means NCP negotiation was successful
  ● If not, then look for CONFREQ, CONFREJ, CONFACK, CONFNAK, etc.

Presentation Notes
*Mar 1 02:52:58.871: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
*Mar 1 02:52:58.907: BR0:1 PPP: Treating connection as a callout
*Mar 1 02:52:58.907: BR0:1 PPP: Phase is ESTABLISHING, Active Open
*Mar 1 02:52:58.911: BR0:1 LCP: O CONFREQ [Closed] id 42 len 29
*Mar 1 02:52:58.914: BR0:1 LCP:    AuthProto CHAP (0x0305C22305)
*Mar 1 02:52:58.914: BR0:1 LCP:    MagicNumber 0x60FC6219 (0x050660FC6219)
*Mar 1 02:52:58.918: BR0:1 LCP:    MRRU 1524 (0x110405F4)
*Mar 1 02:52:58.922: BR0:1 LCP:    EndpointDisc 1 Local (0x130A016973646E322D35)
*Mar 1 02:52:58.946: BR0:1 LCP: I CONFREQ [REQsent] id 88 len 29
*Mar 1 02:52:58.950: BR0:1 LCP:    AuthProto CHAP (0x0305C22305)
*Mar 1 02:52:58.950: BR0:1 LCP:    MagicNumber 0x6F9FACD8 (0x05066F9FACD8)
*Mar 1 02:52:58.954: BR0:1 LCP:    MRRU 1524 (0x110405F4)
*Mar 1 02:52:58.958: BR0:1 LCP:    EndpointDisc 1 Local (0x130A016973646E312D38)
*Mar 1 02:52:58.962: BR0:1 LCP: O CONFACK [REQsent] id 88 len 29
*Mar 1 02:52:58.962: BR0:1 LCP:    AuthProto CHAP (0x0305C22305)
*Mar 1 02:52:58.966: BR0:1 LCP:    MagicNumber 0x6F9FACD8 (0x05066F9FACD8)
*Mar 1 02:52:58.970: BR0:1 LCP:    MRRU 1524 (0x110405F4)
*Mar 1 02:52:58.970: BR0:1 LCP:    EndpointDisc 1 Local (0x130A016973646E312D38)
*Mar 1 02:52:58.974: BR0:1 LCP: I CONFACK [ACKsent] id 42 len 29
*Mar 1 02:52:58.978: BR0:1 LCP:    AuthProto CHAP (0x0305C22305)
*Mar 1 02:52:58.978: BR0:1 LCP:    MagicNumber 0x60FC6219 (0x050660FC6219)
*Mar 1 02:52:58.982: BR0:1 LCP:    MRRU 1524 (0x110405F4)
*Mar 1 02:52:58.986: BR0:1 LCP:    EndpointDisc 1 Local (0x130A016973646E322D35)
*Mar 1 02:52:58.986: BR0:1 LCP: State is Open
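Added example (not from the deck) that mechanises the checklist above: it reads "debug ppp negotiation" text, attaches option lines to the message that precedes them, pairs every outgoing CONFREQ with the incoming ACK/NAK/REJ carrying the same id, and records the final state of each control protocol. The LCP lines in the sample are taken from the log in the presentation notes; the four IPCP lines at the end are constructed so that a NAK is reported.

```python
"""Summarise "debug ppp negotiation" output: pair each outgoing Configure-Request with the
reply carrying the same id, and collect the final state of each control protocol."""
import re

TS = r"^\*?\w{3}\s+\d+ [\d:.]+: (?P<intf>\S+) "
MSG_RE = re.compile(TS + r"(?P<proto>LCP|IPCP|IPV6CP|CDPCP|CHAP|PAP): (?P<dir>[OI]) "
                    r"(?P<msg>[A-Z-]+)(?: \[(?P<state>\w+)\])? id (?P<id>\d+)")
OPT_RE = re.compile(TS + r"(?P<proto>\w+): +(?P<opt>\w+) (?P<detail>.*?) ?\((?P<hex>0x[0-9A-Fa-f]+)\)")
STATE_RE = re.compile(TS + r"(?P<proto>\w+): State is (?P<state>\w+)")

# LCP lines from the slide; the IPCP lines after "State is Open" are constructed.
SAMPLE_LOG = """\
*Mar 1 02:52:58.871: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
*Mar 1 02:52:58.907: BR0:1 PPP: Phase is ESTABLISHING, Active Open
*Mar 1 02:52:58.911: BR0:1 LCP: O CONFREQ [Closed] id 42 len 29
*Mar 1 02:52:58.914: BR0:1 LCP:    AuthProto CHAP (0x0305C22305)
*Mar 1 02:52:58.914: BR0:1 LCP:    MagicNumber 0x60FC6219 (0x050660FC6219)
*Mar 1 02:52:58.918: BR0:1 LCP:    MRRU 1524 (0x110405F4)
*Mar 1 02:52:58.922: BR0:1 LCP:    EndpointDisc 1 Local (0x130A016973646E322D35)
*Mar 1 02:52:58.946: BR0:1 LCP: I CONFREQ [REQsent] id 88 len 29
*Mar 1 02:52:58.950: BR0:1 LCP:    AuthProto CHAP (0x0305C22305)
*Mar 1 02:52:58.962: BR0:1 LCP: O CONFACK [REQsent] id 88 len 29
*Mar 1 02:52:58.974: BR0:1 LCP: I CONFACK [ACKsent] id 42 len 29
*Mar 1 02:52:58.978: BR0:1 LCP:    AuthProto CHAP (0x0305C22305)
*Mar 1 02:52:58.986: BR0:1 LCP: State is Open
*Mar 1 02:52:59.100: BR0:1 IPCP: O CONFREQ [Closed] id 3 len 10
*Mar 1 02:52:59.104: BR0:1 IPCP:    Address 10.1.1.1 (0x03060A010101)
*Mar 1 02:52:59.120: BR0:1 IPCP: I CONFNAK [REQsent] id 3 len 10
*Mar 1 02:52:59.124: BR0:1 IPCP:    Address 10.1.1.5 (0x03060A010105)
"""


def parse_debug(text):
    """Return (events, states): messages with their option lines, and the last 'State is' per protocol."""
    events, states = [], {}
    for line in text.splitlines():
        if (m := MSG_RE.match(line)):
            ev = m.groupdict()
            ev["id"] = int(ev["id"])
            ev["options"] = []
            events.append(ev)
        elif (m := OPT_RE.match(line)) and events and m["proto"] == events[-1]["proto"]:
            events[-1]["options"].append((m["opt"], m["detail"], m["hex"]))
        elif (m := STATE_RE.match(line)):
            states[m["proto"]] = m["state"]
    return events, states


def summarise(text):
    events, states = parse_debug(text)
    report = {"states": states, "unanswered": [], "naked": [], "rejected": [], "auth": []}
    for i, ev in enumerate(events):
        if ev["dir"] == "O" and ev["msg"] == "CONFREQ":
            # The reply to our request is the next *incoming* ACK/NAK/REJ of the same protocol and id.
            # Ids are per direction, so an incoming CONFREQ with the same number is unrelated.
            reply = next((r for r in events[i + 1:] if r["dir"] == "I" and r["proto"] == ev["proto"]
                          and r["id"] == ev["id"] and r["msg"] in ("CONFACK", "CONFNAK", "CONFREJ")), None)
            if reply is None:
                report["unanswered"].append((ev["proto"], ev["id"]))
            elif reply["msg"] == "CONFNAK":
                report["naked"].append((ev["proto"], ev["id"], [f"{o[0]} {o[1]}" for o in reply["options"]]))
            elif reply["msg"] == "CONFREJ":
                report["rejected"].append((ev["proto"], ev["id"], [o[0] for o in reply["options"]]))
        elif ev["proto"] in ("CHAP", "PAP") and ev["msg"] in ("SUCCESS", "FAILURE", "AUTH-ACK", "AUTH-NAK"):
            report["auth"].append((ev["proto"], ev["dir"], ev["msg"]))
    return report


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

In the sample, LCP reaches Open and the IPCP request is NAKed with "Address 10.1.1.5", which is the "both sides must agree on the address" failure described on Page 8. An outgoing request with no matching incoming reply shows up under "unanswered", which usually means the peer never saw the request or the link is looped.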
Page 24

Layer-3 Address Negotiation

Router (client, Ser0/0/0) <-> Sally (server, Ser1/1/1)

Router:
hostname Chris
!
username Sally password Cisco
!
interface serial 0/0/0
 ip address negotiated
 encapsulation ppp

Sally:
hostname Sally
username Chris password Cisco
!
interface serial 1/1/1
 ip address 1.1.1.2 255.255.0.0
 encapsulation ppp
 ppp authentication chap
 peer default ip address pool MyPool
!
ip local pool MyPool 1.1.1.3 1.1.1.10

Presentation Notes
Typically in dial-up scenarios, the interface configured for PPP will not have a static IP address; it learns the appropriate address/subnet it should be on from whoever that interface calls. This configuration demonstrates the inherent ability (option) of the PPP server to provide a /32 IP address to the PPP client. DHCP can also be used to provide an address. In that case the PPP server could also be configured as a DHCP server, or it could use the "ip helper-address" command to act as a DHCP relay agent. The command "peer default ip address" would then specify dhcp instead of a local address pool as shown above.
Page 25

Quiz!!!

» Which of the following items are negotiated during the PPP LCP stage?
  A. Multilink
  B. Authentication Type
  C. Authentication Challenge
  D. Callback
  E. IP address

Presentation Notes
Answers to Quiz Questions can be found in the video.
Page 26

Quiz!!!

» Which PPP LCP option would you look for in the output of "debug ppp negotiation" to indicate that PPP Multilink had been configured?
  • MRU
  • MRRU
  • ACCM
  • Magic Number

Presentation Notes
Answers to Quiz Questions can be found in the video.
Page 27

Quiz!!!

» Router-1 sends a PPP LCP frame indicating that it wishes to implement CHAP authentication.
» Router-2, at the other end of the PPP link, is not configured for CHAP but is configured for PAP.
» In response to Router-1's "Conf-Req" packet, Router-2 will send a ___________ indicating that it wants to do PAP.
  • Conf-REJ
  • Conf-NAK
  • Conf-ACK
  • Conf-REQ

Presentation Notes
Answers to Quiz Questions can be found in the video.
Page 28

Quiz!!!

Based on the configurations shown below, will a successful PPP connection be established between these two routers? If not, why not?

Router (client, Ser0/0/0):
hostname Router
username Sally password Cisco
!
interface serial 0/0/0
 ip address 1.1.1.1 255.255.0.0
 encapsulation ppp
 ppp authentication pap
 ppp pap sent-username Router password Cisco

Sally (server, Ser1/1/1):
hostname Sally
username Chris password Cisco
!
interface serial 1/1/1
 ip address 1.1.1.2 255.255.0.0
 encapsulation ppp
 ppp authentication pap
 ppp chap hostname Sally
 ppp chap password Cisco

Presentation Notes
Answers to Quiz Questions can be found in the video.
Page 29

Quiz!!!

» What can you infer from the following debug output?

Presentation Notes
Answers to Quiz Questions can be found in the video.
Page 30

Quiz!!!

» A trouble ticket is opened because it has been discovered that ICMP pings to 2.2.2.2 are not able to flow across a PPP connection on Router-3.
» Based on the debug output below, what is the root cause of this problem?

Presentation Notes
Answers to Quiz Questions can be found in the video.
Page 31

PPPoE (PPP over Ethernet)

Page 32

Why do we need PPPoE?

» The original objective of PPP was to support:
  • A single, dial-up host
  • A temporary network connection
» With the advent of DSL and Metro Ethernet, new problems were presented:
  • How to allow a single DSL connection to support an entire LAN of PPP clients?
  • How to differentiate traffic from multiple companies sharing a common Ethernet connection to an ISP?

Page 33

PPPoE, Common Use-Case

Diagram: Company-A, Company-B, Company-C and Company-D each run a PPPoE client; all four share a Metro Ethernet segment to the ISP, which provides Internet access.

• Only customers with correct/unique PPPoE authentication credentials gain ISP access.
• The ISP can track individual PPPoE sessions for billing purposes.

Presentation Notes
What problem is solved by PPPoE?
- The ISP provides a shared medium (i.e. Ethernet) to multiple customers.
- How to ensure that ONLY authorized customers are allowed to use that medium for Internet access?
- How to account for, and bill, packets from separate customers?
Page 34

PPPoE Control Packets

» Normal PPP across WAN lines starts immediately with LCP.
» PPPoE prefaces LCP with special PPPoE control packets to establish a unique "Session-ID".
» The Session-ID is used by the ISP to identify individual customers.

Page 35

PPPoE Active Discovery

» PPPoE is based on a client/server architecture:
  • Multiple clients on a single, shared medium
  • One server terminating/aggregating multiple clients
» PPPoE relies on "Active Discovery" frames to enable clients to discover the server and obtain a unique Session-ID.
» The Active Discovery process (and the names of its control frames) has many similarities to the DHCP process.

Presentation Notes
Active Discovery is also how the client learns the MAC address of the PPPoE server.
Page 36

PPPoE Active Discovery Process

PPPoE Client (MAC = xx:xx:xx:xx:xx:xx) <-> PPPoE Server (MAC = yy:yy:yy:yy:yy:yy)

1. PADI (PPPoE Active Discovery Initiation), L2 Ethernet destination = broadcast: "Are there any PPPoE servers out there? My unique Host-ID is xx-xx."
2. PADO (PPPoE Active Discovery Offer), L2 Ethernet destination = unicast: "Yes, I'm here, xx-xx. My unique Access Concentrator (AC) ID is yy-yy."
3. PADR (PPPoE Active Discovery Request), L2 Ethernet destination = unicast: "Thanks for that info! Can I have a Session-ID please?"
4. PADS (PPPoE Active Discovery Session-confirmation), L2 Ethernet destination = unicast: "Yes, let's use Session-ID 0x02."

Presentation Notes
In this example, for simplicity's sake, the "Host-ID" and "AC-ID" are shown as equivalent to the MAC addresses. In reality this is not true; they are separate and unique values. After this four-step process is complete, PPP proceeds as normal with LCP, authentication (if configured), and NCP negotiations. PPPoE uses the following two Ethertype values within the Ethernet header:
- 0x8863 = PPPoE discovery (control) packets, shown above
- 0x8864 = PPPoE session packets (LCP, authentication, NCP, as well as data transfer)
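Added example (not from the deck) implementing the four discovery frames above as bytes, with a small client and access concentrator exchanging them in-process, followed by a session frame on Ethertype 0x8864. Frame layout and tag numbers follow RFC 2516; the MAC addresses, the AC name and the Host-Uniq value are constructed.

```python
"""PPPoE Active Discovery (RFC 2516): PADI -> PADO -> PADR -> PADS, then 0x8864 session frames."""
import struct

ETH_DISCOVERY, ETH_SESSION = 0x8863, 0x8864
PADI, PADO, PADR, PADS, PADT = 0x09, 0x07, 0x19, 0x65, 0xA7
TAG_SERVICE_NAME, TAG_AC_NAME, TAG_HOST_UNIQ = 0x0101, 0x0102, 0x0103
BROADCAST = b"\xff" * 6


def encode_tags(tags):
    return b"".join(struct.pack(">HH", t, len(v)) + v for t, v in tags)


def build(dst, src, ethertype, code, session_id, payload):
    """Ethernet header + PPPoE header (ver 1, type 1, code, Session-ID, length) + payload."""
    pppoe = struct.pack(">BBHH", 0x11, code, session_id, len(payload))
    return dst + src + struct.pack(">H", ethertype) + pppoe + payload


def parse(frame):
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack(">H", frame[12:14])[0]
    vt, code, session_id, length = struct.unpack(">BBHH", frame[14:20])
    if vt != 0x11:
        raise ValueError("unsupported PPPoE version/type")
    if 20 + length > len(frame):
        raise ValueError("PPPoE length field exceeds frame")
    body = frame[20:20 + length]
    tags, i = [], 0
    if ethertype == ETH_DISCOVERY:  # discovery payload is a list of type/length/value tags
        while i + 4 <= len(body):
            t, l = struct.unpack(">HH", body[i:i + 4])
            if i + 4 + l > len(body):
                raise ValueError("truncated tag")
            tags.append((t, body[i + 4:i + 4 + l]))
            i += 4 + l
    return {"dst": dst, "src": src, "ethertype": ethertype, "code": code,
            "session_id": session_id, "tags": tags, "body": body}


class AccessConcentrator:
    """PPPoE server side; hands out Session-IDs (0 and 0xFFFF are reserved)."""

    def __init__(self, mac, name):
        self.mac, self.name, self.next_sid, self.sessions = mac, name, 1, {}

    def handle(self, frame):
        f = parse(frame)
        if f["ethertype"] != ETH_DISCOVERY:
            return None
        echo = [(t, v) for t, v in f["tags"] if t == TAG_HOST_UNIQ]  # Host-Uniq must be echoed back
        if f["code"] == PADI and f["dst"] == BROADCAST:
            return build(f["src"], self.mac, ETH_DISCOVERY, PADO, 0,
                         encode_tags([(TAG_AC_NAME, self.name.encode()), (TAG_SERVICE_NAME, b"")] + echo))
        if f["code"] == PADR and f["dst"] == self.mac:
            sid, self.next_sid = self.next_sid, self.next_sid + 1
            self.sessions[sid] = f["src"]
            return build(f["src"], self.mac, ETH_DISCOVERY, PADS, sid,
                         encode_tags([(TAG_SERVICE_NAME, b"")] + echo))
        return None


class Client:
    def __init__(self, mac, host_uniq):
        self.mac, self.host_uniq, self.ac_mac, self.session_id = mac, host_uniq, None, 0

    def padi(self):
        return build(BROADCAST, self.mac, ETH_DISCOVERY, PADI, 0,
                     encode_tags([(TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, self.host_uniq)]))

    def handle(self, frame):
        f = parse(frame)
        if f["ethertype"] != ETH_DISCOVERY or f["dst"] != self.mac:
            return None
        if (TAG_HOST_UNIQ, self.host_uniq) not in f["tags"]:
            return None  # not an answer to our PADI/PADR
        if f["code"] == PADO and self.ac_mac is None:
            self.ac_mac = f["src"]  # first offer wins; nothing here authenticates the AC
            return build(self.ac_mac, self.mac, ETH_DISCOVERY, PADR, 0,
                         encode_tags([(TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, self.host_uniq)]))
        if f["code"] == PADS and f["src"] == self.ac_mac:
            self.session_id = f["session_id"]
        return None

    def session_frame(self, ppp_protocol, ppp_payload):
        """After PADS, PPP rides in 0x8864 frames: Session-ID in the PPPoE header, then the PPP
        Protocol field and data (no HDLC flags, address, control or FCS)."""
        return build(self.ac_mac, self.mac, ETH_SESSION, 0x00, self.session_id,
                     struct.pack(">H", ppp_protocol) + ppp_payload)


def run_discovery():
    """Drive the four-step exchange between a constructed client and AC; returns both."""
    client = Client(bytes.fromhex("0200000000aa"), b"host-1")          # constructed MACs
    ac = AccessConcentrator(bytes.fromhex("0200000000bb"), "ISP-AC-1")
    pado = ac.handle(client.padi())        # 1. PADI (broadcast) -> 2. PADO (unicast)
    pads = ac.handle(client.handle(pado))  # 3. PADR (unicast)   -> 4. PADS carrying the Session-ID
    client.handle(pads)
    return client, ac


if __name__ == "__main__":
    c, a = run_discovery()
    print("session", c.session_id, "with AC", c.ac_mac.hex(), "->", parse(c.session_frame(0xC021, b"\x01\x01\x00\x04")))
```

Nothing in discovery authenticates the access concentrator: the client accepts the first PADO that echoes its Host-Uniq, so any host on the shared segment can answer first. The PPP authentication that follows proves the client to the AC, not the other way round.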
Page 37

PPP Encapsulation within Ethernet

PPP General Frame Format:
  Start Flag | Address | Control | Protocol | PPP Control, or Encapsulated Data | FCS | Final Flag

PPPoE Ethernet General Frame Format:
  Dest MAC | Source MAC | Ethertype (0x8863 discovery / 0x8864 session) | PPPoE header (incl. Session-ID) | PPP Control, or Encapsulated Data | Padding | Ethernet FCS

Page 38

Configuring PPPoE

Server (Fast0/0):
hostname server
!
username client password cisco
!
bba-group pppoe INE
 virtual-template 1
!
interface Virtual-Template1
 ip address 1.2.1.1 255.255.255.0   (or: ip unnumbered loopback 0)
 peer default ip address pool MyPool
 ppp authentication chap
!
ip local pool MyPool 1.2.1.2 1.2.1.254
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 pppoe enable group INE

Client (Fast0/0):
hostname client
!
interface Dialer1
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 ppp chap password 0 cisco
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 pppoe-client dial-pool-number 1
!

Presentation Notes
Virtual Templates provide a "configuration template" that is used when a dynamic Virtual-Access interface is created. Virtual-Access interfaces are dynamically created when:
- a dialer interface on a PPPoE client initiates an outbound PPPoE session
- a Virtual-Template on a PPPoE server terminates (receives) an inbound PPPoE session
In older IOS, one used to configure a "vpdn-group" instead of a "bba-group". Sometimes people ask, "what's the difference?" Configuring PPPoE in a VPDN group limited PPPoE configuration options because only one PPPoE VPDN group with one virtual template was permitted on a device. So if you wanted to support some PPP options with certain groups of PPPoE clients, but not with other PPPoE clients, you were stuck. The PPPoE Profiles feature (bba-group) provides simplicity and flexibility in PPPoE configuration by separating PPPoE from VPDN configuration, and allows multiple PPPoE profiles, each with a different configuration, to be used on a single device.
Page 39

Configuring PPPoE with DHCP

hostname server
!
username client password cisco
!
bba-group pppoe INE
 virtual-template 1
!
interface Virtual-Template1
 ip address 1.2.1.1 255.255.255.0
 peer default ip address dhcp
 ppp authentication chap
 ip helper-address 7.7.7.7
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 pppoe enable group INE

hostname client
!
interface Dialer1
 ip address dhcp
 encapsulation ppp
 dialer pool 1
 ppp chap password 0 cisco
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 pppoe-client dial-pool-number 1
!

[Diagram: client Fast0/0 connected to server Fast0/0; DHCP Server at 7.7.7.7]

Presenter
Presentation Notes
In this topology, the PPPoE server must also have a valid IP route to reach 7.7.7.7.
Page 40

Verifying PPPoE on Server (1)

PTA (PPP Termination Aggregation)

Presenter
Presentation Notes
Notice in the output of "show pppoe session" the reference to "Vi1.1". This tells us that this particular PPPoE session has been terminated (received) by interface Virtual-Access 1.1, a virtual-access interface that was dynamically generated from the Virtual-Template interface.

In the output of "show pppoe summary" there is a column for "Forwarded Sessions". This applies when the router is also doing Q-in-Q tunneling over PPPoE, which is beyond the scope of this class.
Page 41

Verifying PPPoE on Server (2)

Page 42

Verifying PPPoE on Client (1)

Page 43

Verifying PPPoE on Client (2)

Page 44

PPPoE and MTU

» PPP = 8 bytes of overhead (headers)
» Max-sized Ethernet frame (data) = 1500 bytes
» 1500 bytes + 8 bytes (PPP) = 1508 bytes
» 1508 bytes + 14 bytes (Ethernet headers) = 1522 bytes
» Every maximum-sized Ethernet frame sent from hosts will need to be fragmented by PPPoE-speaking routers.
» Fragmentation = CPU-intensive

Presenter
Presentation Notes
Demonstrate this in lab with Sniffer traces.
Page 45

MTU and Virtual-interfaces

» Virtual-Templates (and Dialer interfaces) spawn Virtual-Access interfaces for terminating PPPoE sessions.
» Virtual-Access interfaces spawned from Virtual-Templates (using PPPoE) have default MTU = 1492
» Virtual-Access interfaces spawned from Dialer interfaces have default MTU = 1500
» What are the results of mismatched MTU?
  • Frequent fragmentation of large Ethernet frames
  • OSPF peering stuck in EXSTART state

Presenter
Presentation Notes
Demonstrate OSPF peering and “debug ip ospf adj”.
Page 46

Fixing MTU Mismatches

hostname server
!
username client password cisco
!
bba-group pppoe INE
 virtual-template 1
!
interface Virtual-Template1
 ip address 1.2.1.1 255.255.255.0
 peer default ip address dhcp
 ppp authentication chap
 ip helper-address 7.7.7.7
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 pppoe enable group INE

hostname client
!
interface Dialer1
 ip address dhcp
 encapsulation ppp
 dialer pool 1
 ppp chap password 0 cisco
 ip mtu 1492
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 pppoe-client dial-pool-number 1
!
interface FastEthernet1/1
 ip address x.x.x.x y.y.y.y
 ip tcp adjust-mss 1452

[Diagram: PPPoE Client, PPPoE Server and Web Server; interfaces Fast0/0, Fast0/0, Fast1/1]

Presenter
Presentation Notes
The "ip mtu 1492" command under the Dialer interface ensures that the PPP connection has the same MTU on both sides of the link. This is necessary if OSPF is going to be run over this link.

Normally, when PCs initiate TCP connections they ask for an MSS value of 1460. This supports: TCP data of 1460 bytes + 20 bytes of TCP headers + 20 bytes of IP headers + 14 bytes of Ethernet headers = a total of 1514 bytes (maximum-sized Ethernet frame). But when you add 8 bytes of PPP headers you are now over that maximum-sized frame, which means each and every 1514-byte frame sent between PC and Server will need to be fragmented.

The "ip tcp adjust-mss 1452" command on the FastEthernet interface facing the laptop/PC intercepts TCP SYN messages from the PC/laptop and replaces whatever MSS value is inside those SYN messages with 1452, which accounts for the extra 8 bytes of headers added by PPP.

When the Web Server receives this TCP SYN, it responds with a TCP SYN+ACK (acknowledging the MSS value of 1452, unless the Server needs something smaller).

Upon receiving the TCP SYN+ACK (with an MSS value of 1452) the PC/laptop acknowledges this value, so now both parties (PC and Web Server) are synchronized to an MSS value of 1452.

Now nothing needs to be fragmented in the TCP/IP/PPP/Ethernet stream between the PC and the Web Server.
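The arithmetic from the "PPPoE and MTU" slide and the SYN rewriting described above, as an added Python model that is not part of the INE deck: it derives 1492 and 1452 from the slide's numbers, then rewrites the MSS option of a constructed TCP SYN when it exceeds the limit, leaving non-SYN segments and smaller MSS values alone. The SYN bytes are constructed inline and the TCP checksum is left at zero (a router recomputes it after the rewrite).

```python
import struct

# Added example, not from the INE slides: a model of the MTU/MSS arithmetic
# and of what "ip tcp adjust-mss 1452" does to a TCP SYN.

PPPOE_OVERHEAD = 8   # slide: "PPP = 8 bytes of overhead" (6-byte PPPoE header + 2-byte PPP protocol)
ETHERNET_MTU = 1500  # largest Ethernet payload a host sends
IP_HDR, TCP_HDR = 20, 20


def pppoe_mtu(link_mtu: int = ETHERNET_MTU) -> int:
    """Largest IP packet the PPPoE link carries unfragmented (1492 on plain Ethernet)."""
    return link_mtu - PPPOE_OVERHEAD


def max_mss(link_mtu: int = ETHERNET_MTU) -> int:
    """MSS that fits that MTU once IP and TCP headers are removed (1452)."""
    return pppoe_mtu(link_mtu) - IP_HDR - TCP_HDR


def build_syn(mss: int) -> bytes:
    """Constructed TCP SYN (ports 40000 -> 80) carrying only an MSS option; checksum 0."""
    # src, dst, seq, ack, data offset (6 words = 24 bytes), flags SYN, window, csum, urg
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 6 << 4, 0x02, 65535, 0, 0)
    return hdr + struct.pack("!BBH", 2, 4, mss)   # option kind 2 (MSS), length 4


def clamp_mss(tcp: bytes, limit: int):
    """Return (possibly rewritten segment, original MSS or None), as adjust-mss does."""
    data_off = (tcp[12] >> 4) * 4
    if not tcp[13] & 0x02:           # only SYN segments carry the MSS option
        return tcp, None
    buf = bytearray(tcp)
    i = TCP_HDR
    while i < data_off:
        kind = buf[i]
        if kind == 0:                # end-of-options
            break
        if kind == 1:                # NOP padding
            i += 1
            continue
        length = buf[i + 1]
        if kind == 2 and length == 4:
            mss = struct.unpack_from("!H", buf, i + 2)[0]
            if mss > limit:          # lower only; never raise what the host asked for
                struct.pack_into("!H", buf, i + 2, limit)
            return bytes(buf), mss
        i += length
    return bytes(buf), None
```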
Page 47

Copyright © INE Inc. All rights reserved.

Q&A