Chapter 7

Configuring PPP and Multilink PPP

This chapter describes how to configure the Point-to-Point Protocol (PPP) and Multilink PPP features that can be configured on the serial interfaces of a Cisco Optical Networking System (ONS) 15304. Before configuring the synchronous serial interfaces, be sure the VC-12 Time Division Multiplexing (TDM) channels are drop-terminated and the DS-1 framers configured.

This chapter covers only the most common configuration options as used within the Cisco ONS 15304 application. For a complete description of the PPP commands in this chapter, refer to the "Media-Independent PPP and Multilink PPP Commands" chapter of the Dial Solutions Command Reference. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online.

A Cisco ONS 15304 supports up to 24 synchronous serial interfaces for which PPP and Multilink PPP can be used as the link layer protocol. Each of the 24 synchronous serial interfaces operates at the fixed E1 rate of 2 Mbps. PPP is used when a link consists of a single synchronous serial channel. For higher-rate services (nxE1), Multilink PPP is used to bond the individual serial channels together and present a single, integrated, high-capacity channel. Unlike other Cisco products, the Cisco ONS 15304 supports only PPP-based link layer protocols.

Note: HDLC framing can also be used if desired for special applications where PPP features are not required.
Configuring PPP and Multilink PPP 7-1
Implementation Information

PPP, described in RFC 1661, encapsulates network layer protocol information over point-to-point links. The current implementation of PPP supports LCP configuration option 3 (Authentication-Protocol, using CHAP or PAP), option 4 (Quality-Protocol, Link Quality Monitoring), and option 5 (Magic-Number). The software always sends option 5 and negotiates for options 3 and 4 if so configured. All other options are rejected.

Magic Number support is available on all serial interfaces. PPP always attempts to negotiate for Magic Numbers, which are used to detect looped-back lines. Depending on how the down-when-looped command is configured, the router might shut down a link if it detects a loop.

The software provides the Challenge Handshake Authentication Protocol (CHAP) and Password Authentication Protocol (PAP) on serial interfaces running PPP encapsulation. For detailed information about authentication, see the Security Configuration Guide.

In the current Cisco ONS 15304 implementation, Multilink PPP packet fragmentation is not supported. Disabling fragmentation helps preserve packet processing bandwidth.
PPP Configuration Task List

To configure PPP on a serial interface, perform the following task in interface configuration mode:

• Enable PPP Encapsulation

You can also complete the tasks in the following sections; these tasks are optional but offer a variety of uses and enhancements for PPP on your systems and networks:

• Enable CHAP or PAP Authentication
• Enable Link Quality Monitoring (LQM)
• Disable or Reenable Peer Neighbor Routes
• Configure PPP Half-Bridging
• Configure Multilink PPP
• Monitor and Maintain PPP and MLP Interfaces
Cisco Optical Networking System 15304 Software Configuration Guide
Enable PPP Encapsulation

You can enable PPP on serial lines to encapsulate IP and other network protocol datagrams. Use the following command in interface configuration mode:

Command   encapsulation ppp
Task      Enable PPP encapsulation.

PPP echo requests are used as keepalives to minimize disruptions to the end users of your network. The no keepalive command can be used to disable echo requests. Note that without keepalives the interface no longer detects a peer that has stopped responding, so the line protocol can stay up on a dead link.
Enable CHAP or PAP Authentication

PPP with Challenge Handshake Authentication Protocol (CHAP) or Password Authentication Protocol (PAP) authentication is often used to inform the central site about which remote routers are connected to it. With this authentication information, if the router or access server receives another packet for a destination to which it is already connected, it does not place an additional call. However, if the router or access server is using rotaries, it sends the packet out the correct port.

CHAP and PAP were originally specified in RFC 1334, and CHAP is updated in RFC 1994. These protocols are supported on synchronous and asynchronous serial interfaces. When using CHAP or PAP authentication, each router or access server identifies itself by a name. This identification process prevents a router from placing another call to a router to which it is already connected, and also prevents unauthorized access.

Access control using CHAP or PAP is available on all serial interfaces that use PPP encapsulation. The authentication feature reduces the risk of security violations on your router or access server. You can configure either CHAP or PAP for the interface. Prefer CHAP where the peer supports it: PAP sends the username and password over the link in clear text, whereas CHAP sends only a hash derived from the secret.

Note: To use CHAP or PAP, you must be running PPP encapsulation.
When CHAP is enabled on an interface and a remote device attempts to connect to it, the local router or access server sends a CHAP packet to the remote device. The CHAP packet requests or "challenges" the remote device to respond. The challenge packet consists of an ID, a random number, and the host name of the local router. The required response consists of two parts:

• A one-way hash (MD5, per RFC 1994) computed over the ID, the shared secret password, and the random number
• Either the host name of the remote device or the name of the user on the remote device

When the local router or access server receives the response, it looks up the secret configured for the supplied host name or username, computes the same hash itself, and compares the result with the value in the response. The secret passwords must be identical on the remote device and the local router. Because only the hash is transmitted, the secret itself never crosses the link in clear text, which prevents other devices from capturing it and gaining illegal access to the system. Without the proper response, the remote device cannot connect to the local router.

CHAP transactions occur only at the time a link is established. The local router or access server does not request a password during the rest of the call. (The local device can, however, respond to such requests from other devices during a call.)

When PAP is enabled, the remote router attempting to connect to the local router or access server is required to send an authentication request. If the username and password specified in the authentication request are accepted, the Cisco IOS software sends an authentication acknowledgment.

After you have enabled CHAP or PAP, the local router or access server requires authentication from remote devices. If the remote device does not support the enabled protocol, no traffic will be passed to that device.

To use CHAP or PAP, you must perform the following tasks:

Step 1  Enable PPP encapsulation.
Step 2  Enable CHAP or PAP on the interface.
Step 3  For CHAP, configure host name authentication and the secret or password for each remote system with which authentication is required.
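The challenge/response exchange described above, worked through in Python as an added example. This code is not part of the Cisco documentation or of IOS; it follows the packet layout and MD5 algorithm of RFC 1994, and the ChapRouter and authenticate helpers, the host names and the secrets are constructed for illustration (they match the xxx/yyy/zzz username entries used in the CHAP examples later in this chapter, with zzz_bad deliberately holding a wrong secret for xxx):

```python
import hashlib
import hmac
import os
import struct

# CHAP packet codes (RFC 1994, section 4).
CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4


def chap_hash(identifier, secret, challenge):
    """Response Value = MD5(Identifier || secret || Challenge Value), RFC 1994 section 2.
    A one-way hash, not encryption: the secret itself never goes on the wire."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def build_value_packet(code, identifier, value, name):
    """Challenge and Response layout: Code, Identifier, Length, Value-Size, Value, Name."""
    length = 5 + len(value) + len(name)
    return struct.pack("!BBHB", code, identifier, length, len(value)) + value + name


def build_result_packet(code, identifier, message):
    """Success and Failure layout: Code, Identifier, Length, Message."""
    return struct.pack("!BBH", code, identifier, 4 + len(message)) + message


def parse_value_packet(pkt):
    code, identifier, length, vsize = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt) or 5 + vsize > length:
        raise ValueError("malformed CHAP packet")
    return code, identifier, pkt[5:5 + vsize], pkt[5 + vsize:length]


class ChapRouter:
    """One PPP endpoint. `hostname` is the name it sends (the CHAP host name);
    `secrets` is its username table, i.e. the 'username NAME password SECRET'
    entries keyed by the peer's name. (Constructed helper, not an IOS API.)"""

    def __init__(self, hostname, secrets):
        self.hostname = hostname.encode()
        self.secrets = {k.encode(): v.encode() for k, v in secrets.items()}
        self._pending = {}  # identifier -> outstanding challenge value

    def challenge(self, identifier):
        value = os.urandom(16)  # fresh random challenge; reuse would allow replay
        self._pending[identifier] = value
        return build_value_packet(CHALLENGE, identifier, value, self.hostname)

    def respond(self, challenge_pkt):
        code, identifier, value, peer_name = parse_value_packet(challenge_pkt)
        if code != CHALLENGE:
            raise ValueError("expected a CHAP Challenge")
        secret = self.secrets[peer_name]  # looked up by the challenger's host name
        digest = chap_hash(identifier, secret, value)
        return build_value_packet(RESPONSE, identifier, digest, self.hostname)

    def verify(self, response_pkt):
        code, identifier, value, peer_name = parse_value_packet(response_pkt)
        challenge = self._pending.pop(identifier, None)  # one use only: no replay
        secret = self.secrets.get(peer_name)
        if code != RESPONSE or challenge is None or secret is None:
            return build_result_packet(FAILURE, identifier, b"unknown peer or stale challenge")
        expected = chap_hash(identifier, secret, challenge)
        if hmac.compare_digest(expected, value):  # constant-time comparison
            return build_result_packet(SUCCESS, identifier, b"welcome")
        return build_result_packet(FAILURE, identifier, b"authentication failed")


def authenticate(local, remote, identifier=1):
    """Run one Challenge -> Response -> Success/Failure exchange; True on Success."""
    result = local.verify(remote.respond(local.challenge(identifier)))
    return result[0] == SUCCESS


# Constructed sample routers matching the xxx/yyy/zzz username entries used
# in the CHAP examples later in this chapter; zzz_bad holds a wrong secret for xxx.
xxx = ChapRouter("xxx", {"yyy": "secretxy", "zzz": "secretxz"})
yyy = ChapRouter("yyy", {"xxx": "secretxy", "zzz": "secretzy"})
zzz_bad = ChapRouter("zzz", {"xxx": "wrong", "yyy": "secretzy"})

if __name__ == "__main__":
    print("xxx <- yyy:", authenticate(xxx, yyy))      # True: shared secret secretxy
    print("xxx <- zzz:", authenticate(xxx, zzz_bad))  # False: secrets differ
```

Two details matter in practice: the challenge value is consumed on first use, so a captured Response cannot be replayed against the same router, and the hash comparison is constant-time so a mismatch leaks nothing about how many bytes were right.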
To enable PPP encapsulation, use the following command in interface configuration mode:

Command   encapsulation ppp
Purpose   Enable PPP on an interface.

To enable CHAP or PAP authentication on an interface configured for PPP encapsulation, use the following command in interface configuration mode:

Command   ppp authentication {chap | chap pap | pap chap | pap} [if-needed] [list-name | default] [callin]
Purpose   Define the authentication methods supported and the order in which they are used.

The ppp authentication chap optional keyword if-needed can be used only with Terminal Access Controller Access Control System (TACACS) or extended TACACS. With authentication, authorization, and accounting (AAA) configured on the router and list names defined for AAA, the optional keyword list-name can be used with AAA/TACACS+.

Caution: If you use a list-name that has not been configured with the aaa authentication ppp command, you disable PPP on the line.

Add a username entry for each remote system from which the local router or access server requires authentication. To specify the password to be used in CHAP or PAP caller identification, use the following command in global configuration mode:

Command   username name password secret
Purpose   Configure identification.

Make sure this password does not include spaces or underscores.
To configure TACACS on a specific interface as an alternative to global host authentication, use one of the following commands (ppp use-tacacs in interface configuration mode; aaa authentication ppp in global configuration mode):

Command   ppp use-tacacs [single-line]
          or
          aaa authentication ppp
Purpose   Configure TACACS.

Use the ppp use-tacacs command with TACACS and Extended TACACS. Use the aaa authentication ppp command with AAA/TACACS+. For an example of CHAP, see the section "CHAP with an Encrypted Password Examples" later in this chapter. CHAP is specified in RFC 1994, PPP Challenge Handshake Authentication Protocol (CHAP).
Enable Link Quality Monitoring (LQM)

Link Quality Monitoring (LQM) is available on all serial interfaces running PPP. LQM monitors the link quality, and if the quality drops below a configured percentage, the router shuts down the link. The percentages are calculated for both the incoming and outgoing directions. The outgoing quality is calculated by comparing the total number of packets and bytes sent with the total number of packets and bytes received by the destination node. The incoming quality is calculated by comparing the total number of packets and bytes received with the total number of packets and bytes sent by the destination peer.

When LQM is enabled, Link Quality Reports (LQRs) are sent, in place of keepalives, every keepalive period. All incoming keepalives are responded to properly. If LQM is not configured, keepalives are sent every keepalive period and all incoming LQRs are responded to with an LQR.

LQR is specified in RFC 1989, PPP Link Quality Monitoring, by William A. Simpson of Computer Systems Consulting Services.

To enable LQM on the interface, use the following command in interface configuration mode:

Command   ppp quality percentage
Purpose   Enable LQM on the interface.

The percentage argument specifies the link quality threshold. That percentage must be maintained, or the link is deemed to be of poor quality and taken down.
Disable or Reenable Peer Neighbor Routes

The Cisco IOS software automatically creates neighbor routes by default; that is, it automatically sets up a route to the peer address on a point-to-point interface when the PPP IPCP negotiation is completed. To disable this default behavior or to reenable it after it has been disabled, use the following commands in interface configuration mode:

Command   no peer neighbor-route
Purpose   Disable creation of neighbor routes.

Command   peer neighbor-route
Purpose   Reenable creation of neighbor routes.

Note: If entered on a dialer or async-group interface, this command affects all member interfaces.
Configure PPP Half-Bridging For situations in which a routed network needs connectivity to a remote bridged Ethernet network, a serial or ISDN interface can be configured to function as a PPP half-bridge. The line to the remote bridge functions as a virtual Ethernet interface, and the router’s serial or ISDN interface functions as a node on the same Ethernet subnetwork as the remote network. The bridge sends bridge packets to the PPP half-bridge, which converts them to routed packets and forwards them to other router processes. Likewise, the PPP half-bridge converts routed packets to Ethernet bridge packets and sends them to the bridge on the same Ethernet subnetwork. Note An interface cannot function as both a half-bridge and a bridge.
Figure 7-1 shows a router with a serial interface configured as a PPP half-bridge. The interface functions as a node on the Ethernet subnetwork with the bridge. Note that the serial interface has an IP address on the same Ethernet subnetwork as the bridge.

Figure 7-1  Router Serial Interface Configured as a Half-Bridge
[Figure not reproduced. Labels from the figure: interface ATM 4/0.100 with address 172.31.5.9; Ethernet subnet 172.31.5.0]

Note: The Cisco IOS software supports no more than one PPP half-bridge per Ethernet subnetwork.

To configure a serial interface to function as a half-bridge, complete the following tasks beginning in global configuration mode:

Command   interface serial number
Purpose   Specify the interface (and enter interface configuration mode).

Command   ppp bridge appletalk
          ppp bridge ip
          ppp bridge ipx [novell-ether | arpa | sap | snap]
Purpose   Enable PPP half-bridging for one or more routed protocols: AppleTalk, IP, or IPX.

Command   ip address n.n.n.n
          appletalk address network.node
          appletalk cable-range cable-range network.node
          ipx network network
Purpose   Provide a protocol address on the same subnetwork as the remote network.

Note: You must enter the ppp bridge command either when the interface is shut down or before you provide a protocol address for the interface.
For more information about AppleTalk addressing see the “Configuring AppleTalk” chapter; for more information about IPX addresses and encapsulations, see the “Configuring Novell IPX” chapter. Both chapters are in the Network Protocols Configuration Guide, Part 2.
Configure Multilink PPP

As higher-speed services are deployed, Multilink PPP provides a standardized method for spreading traffic across multiple WAN links, while providing multivendor interoperability, packet fragmentation and proper sequencing, and load balancing on both inbound and outbound traffic. The Cisco ONS 15304 implementation of the Multilink Point-to-Point Protocol (PPP) feature provides the ability to increase channel capacity to up to eight E1s. Note that the Cisco ONS 15304 implementation of Multilink PPP does not currently support the fragmentation and packet sequencing specifications in RFC 1717 (since superseded by RFC 1990). (Packet fragmentation and reassembly will be supported in future software releases.)

The Multilink PPP implementation in the Cisco ONS 15304 supports up to 8 multilink interfaces. Each multilink interface can contain up to 8 E1-rate serial interfaces, for a total link bandwidth of 16 Mbps (8 x 2 Mbps). In most applications, 4 E1s should be sufficient to meet the needs of traffic forwarded between a multilink interface and a single Ethernet interface. The 24 serial interfaces in the Cisco ONS 15304 can be assigned to 8 multilink interfaces arbitrarily, including 8 multilink interfaces of 3 serial links each, or 3 multilink interfaces of 8 serial links. Multilink interfaces can be run concurrently with serial interfaces using PPP encapsulation.

Unlike the dialer implementations of PPP and Multilink PPP, the channels are always connected. When a multilink interface is created it remains in effect until it is deleted.
Configure Multilink PPP on Multiple Serial Interfaces

A Multilink interface is a special virtual interface which represents a multilink PPP bundle. The multilink interface serves to coordinate the configuration of the bundled link, and presents a single object for the aggregate links. However, the individual PPP links that are aggregated together must also be configured. Therefore, to enable Multilink PPP on multiple serial interfaces, you need to first set up the multilink interface, and then configure each of the serial interfaces and add them to the same multilink interface.

To set up the multilink interface, use the following commands beginning in global configuration mode:

Command   interface multilink number
Purpose   Specify the multilink interface.

Command   ip address address mask
          or
          no ip address
Purpose   Specify the IP protocol address for the multilink interface. Alternatively, use the no ip address command if you intend to use bridging without IP routing.

Command   encapsulation ppp
Purpose   Enable PPP encapsulation.

Command   ppp multilink
Purpose   Enable Multilink PPP operation.

Command   ppp authentication chap
Purpose   (Optional) Enable PPP CHAP authentication.

Command   ppp chap hostname name
Purpose   (Optional) Set the alternative hostname for CHAP.

Command   multilink max-fragments 1
Purpose   Specify the number of fragments a packet can be split into for forwarding across the multilink interface. In the current implementation of the Cisco ONS 15304 software, this number should be set to 1 to disable fragmentation.

Command   multilink-group group-number
Purpose   Specify an identification number for the multilink interface. All of the serial interfaces using the same multilink group number are considered to be participating in the multilink bundle.

Command   bridge-group bridge-group-number
Purpose   (Optional) Specify the bridge group that this interface belongs to. Use this command only if bridging is enabled for this interface.

Command   no shutdown
Purpose   Enable the interface.
To configure each of the serial interfaces to belong to the same multilink group, use the following commands beginning in global configuration mode:

Step 1
Command   interface serial number
Purpose   Specify one of the serial interfaces.

Step 2
Command   no ip address
Purpose   Specify that it does not have an individual protocol address. The protocol address is specified with the multilink interface configuration.

Step 3
Command   encapsulation ppp
Purpose   Enable PPP encapsulation.

Step 4
Command   ppp multilink
Purpose   Enable Multilink PPP operation on the serial interface so that it can join the bundle.

Step 5
Command   multilink-group group-number
Purpose   Specify the multilink interface that this serial interface is associated with. The multilink interface and all serial interfaces with the same group number are considered to be participating in the same multilink session.

Step 6
Command   no shutdown
Purpose   Enable the serial interface.

Repeat Steps 1 through 6 for each serial interface you want to belong to the same multilink group.
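A configuration that follows the two procedures above is easy to get subtly wrong (a member link without ppp multilink, an address left on a serial interface, a bundle with fragmentation still enabled). The following Python script is an added example, not Cisco code: it parses configuration text in the layout shown in this chapter and lints the bundles against those procedures. The parse_interfaces and lint_multilink helpers, the finding messages and both sample configurations are the editor's own constructions; the check for ppp authentication is a recommendation, not a requirement stated in this chapter.

```python
from collections import defaultdict

MAX_LINKS_PER_BUNDLE = 8  # per-bundle limit stated in this chapter for the ONS 15304


def parse_interfaces(config):
    """Map each 'interface NAME' block to its configuration lines; a '!' line ends a block."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("!"):
            current = None
        elif line.startswith("interface "):
            current = line[len("interface "):].strip()
            interfaces[current] = []
        elif line and current is not None:
            interfaces[current].append(line)
    return interfaces


def _has(lines, cmd):
    return any(l == cmd or l.startswith(cmd + " ") for l in lines)


def _arg(lines, cmd):
    return next((l[len(cmd) + 1:].strip() for l in lines if l.startswith(cmd + " ")), None)


def lint_multilink(config):
    ifaces = parse_interfaces(config)
    bundles = {n: ls for n, ls in ifaces.items() if n.lower().startswith("multilink")}
    findings, bundle_for_group, members = [], {}, defaultdict(list)
    for name, lines in bundles.items():
        group = _arg(lines, "multilink-group")
        if group is not None:
            bundle_for_group[group] = name
        if not _has(lines, "ppp multilink"):
            findings.append(f"{name}: missing 'ppp multilink'")
        if _arg(lines, "multilink max-fragments") != "1":
            findings.append(f"{name}: needs 'multilink max-fragments 1' (no fragmentation on the ONS 15304)")
        if not _has(lines, "ppp authentication"):
            # Editor's recommendation, not a requirement the chapter states.
            findings.append(f"{name}: no 'ppp authentication'; any peer may join the bundle")
    for name, lines in ifaces.items():
        group = _arg(lines, "multilink-group")
        if name in bundles or group is None:
            continue  # not a bundle member (for example, an Ethernet interface)
        members[group].append(name)
        bundle = bundle_for_group.get(group)
        if bundle is None:
            findings.append(f"{name}: multilink-group {group} has no Multilink interface")
        for required in ("encapsulation ppp", "ppp multilink"):
            if not _has(lines, required):
                findings.append(f"{name}: missing '{required}'")
        if _has(lines, "ip address"):
            findings.append(f"{name}: has its own IP address; it belongs on the multilink interface")
        if bundle and _arg(lines, "ppp chap hostname") != _arg(bundles[bundle], "ppp chap hostname"):
            findings.append(f"{name}: 'ppp chap hostname' differs from {bundle}")
    for group, names in members.items():
        if len(names) > MAX_LINKS_PER_BUNDLE:
            findings.append(f"multilink-group {group}: {len(names)} links exceed the limit of {MAX_LINKS_PER_BUNDLE}")
    return findings


# Constructed sample: the chapter's IP-routing bundle with CHAP authentication added (one member shown).
GOOD_CONFIG = """
interface Multilink1
 encapsulation ppp
 ppp authentication chap
 ppp chap hostname group1
 ppp multilink
 multilink max-fragments 1
 multilink-group 1
!
interface SerialE1 1
 no ip address
 encapsulation ppp
 ppp chap hostname group1
 ppp multilink
 multilink-group 1
"""
# Constructed sample with deliberate mistakes: fragmentation left on, no authentication, a member with
# its own address, a wrong CHAP name and no 'ppp multilink', and a member whose group has no bundle.
BAD_CONFIG = """
interface Multilink1
 ppp chap hostname group1
 ppp multilink
 multilink max-fragments 4
 multilink-group 1
!
interface SerialE1 2
 ip address 192.13.2.1 255.255.255.0
 encapsulation ppp
 ppp chap hostname other
 multilink-group 1
!
interface SerialE1 3
 no ip address
 encapsulation ppp
 ppp multilink
 multilink-group 2
"""
```

Run lint_multilink over the text of show running-config; an empty list means the bundle matches the procedures, and each finding names the interface and the command to fix.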
Monitor and Maintain PPP and MLP Interfaces

To monitor and maintain virtual interfaces, you can use any of the following commands:

Command   show ppp multilink
Purpose   Display MLP and multilink bundle information.

Command   show interface serial number
Purpose   Display interface statistics for a serial interface.

Command   show interface multilink number
Purpose   Display interface statistics for a multilink interface.

PPP Configuration Examples

The examples provided in this section show various PPP and Multilink PPP configurations as follows:

• Basic PPP Link Configuration
• CHAP with an Encrypted Password Examples
• Multilink PPP with IP Routing
• Multilink PPP with Bridging
Basic PPP Link Configuration

PPP can be enabled by specifying PPP encapsulation and ensuring the interface is not in the shutdown state. The example below shows the first serial E1 interface configured for IP routing, while the second E1 interface is configured for transparent bridging. Integrated Routing and Bridging is enabled in the example to permit both IP routing and bridging (of IP packets) to take place.

!
ip routing
bridge irb
bridge 1 protocol ieee
!
interface SerialE1 1
 ip address 192.13.1.1 255.255.255.0
 encapsulation ppp
 no shutdown
!
interface SerialE1 2
 no ip address
 encapsulation ppp
 no shutdown
 bridge-group 1
!
CHAP with an Encrypted Password Examples

The following configuration examples enable CHAP on serial interface 0 of three devices. Each device holds a username entry for each of the other two, and the secret shared by any pair (for example, secretxy between xxx and yyy) is identical on both ends.

Configuration of Cisco ONS 15304 yyy

hostname yyy
!
interface serial 0
 encapsulation ppp
 ppp authentication chap
!
username xxx password secretxy
username zzz password secretzy
Configuration of Cisco ONS 15304 xxx

hostname xxx
!
interface serial 0
 encapsulation ppp
 ppp authentication chap
!
username yyy password secretxy
username zzz password secretxz

Configuration of Cisco ONS 15304 zzz

hostname zzz
!
interface serial 0
 encapsulation ppp
 ppp authentication chap
!
username xxx password secretxz
username yyy password secretzy
When you look at the configuration file, the passwords will be encrypted and the display will look similar to the following:

hostname xxx
!
interface serial 0
 encapsulation ppp
 ppp authentication chap
!
username yyy password 7 121F0A18
username zzz password 7 1329A055

The 7 marks the Cisco type 7 format. This is a reversible obfuscation of the stored secret, not strong encryption: anyone who can read the configuration file can recover the CHAP secrets from it, so protect configuration backups and command output accordingly.
Multilink PPP with IP Routing

The following example gives a basic configuration of a multilink interface operating in IP routing mode. In the example, the Multilink1 interface is bundled with three serial interfaces, all assigned to the common multilink group number 1 and all using the CHAP hostname "group1". Only the CHAP hostname is set here; to require the remote side to authenticate, add ppp authentication chap and the matching username entries as shown in the task table earlier in this section. On the Cisco ONS 15304, multilink max-fragments 1 should also be configured on the multilink interface, as in the bridging example that follows. The example uses the unnumbered IP address option to conserve IP addresses: the IP address of the Ethernet1 interface is reused for the Multilink1 interface. An IP address can be assigned to the multilink interface if unnumbered operation is not desired.

As part of this example, traffic is policy-routed between the Multilink1 and Ethernet1 interfaces in both directions. Two policy route maps are defined, "bundle" and "customer." The policy route map named "bundle" is bound to Multilink1 so that traffic received is forwarded to the Ethernet1 interface. Similarly, the policy route map "customer" is bound to the Ethernet1 interface so that Ethernet traffic is forwarded to the Multilink1 interface.

!
interface Multilink1
 ip unnumbered Ethernet1
 ip route-cache policy
 ip policy route-map bundle
 no shutdown
 no cdp enable
 ppp chap hostname group1
 ppp multilink
 multilink-group 1
!
interface Ethernet1
 ip address 192.13.1.1 255.255.255.0
 ip route-cache policy
 ip policy route-map customer
 no shutdown
 full-duplex
!
interface SerialE1 1
 no ip address
 encapsulation ppp
 no shutdown
 no fair-queue
 ppp chap hostname group1
 ppp multilink
 multilink-group 1
!
interface SerialE1 2
 no ip address
 encapsulation ppp
 no shutdown
 no fair-queue
 ppp chap hostname group1
 ppp multilink
 multilink-group 1
!
interface SerialE1 3
 no ip address
 encapsulation ppp
 no shutdown
 no fair-queue
 ppp chap hostname group1
 ppp multilink
 multilink-group 1
!
route-map customer permit 10
 set interface Multilink1
!
route-map bundle permit 10
 set interface Ethernet1
Multilink PPP with Bridging

The following example configures three serial interfaces to belong to the same group for Multilink PPP. Remember that the multilink-group command is used to assign each of the serial interfaces to the multilink group.

! Before setting up the Ethernet and Serial interfaces, the TDM channels must be
! drop-terminated and the E1 framers need to be configured. The
! configuration of TDM channels is given in document TBD.
!
bridge 1 protocol ieee
!
! Configure the Ethernet interface
!
interface Ethernet1
 no ip address
 no shutdown
 full-duplex
 bridge-group 1
 bridge-group 1 spanning-disabled
!
! Configure the multilink group interface
!
interface Multilink1
 no ip address
 no shutdown
 no cdp enable
 ppp chap hostname group1
 ppp multilink
 multilink max-fragments 1
 multilink-group 1
 bridge-group 1
!
! Configure the individual serial interfaces
!
interface SerialE1 1
 no ip address
 encapsulation ppp
 no shutdown
 no fair-queue
 ppp chap hostname group1
 ppp multilink
 multilink-group 1
!
interface SerialE1 2
 no ip address
 encapsulation ppp
 no shutdown
 no fair-queue
 ppp chap hostname group1
 ppp multilink
 multilink-group 1
!
interface SerialE1 3
 no ip address
 encapsulation ppp
 no shutdown
 no fair-queue
 ppp chap hostname group1
 ppp multilink
 multilink-group 1