Enable PPP encapsulation and PAP authentication with the following commands:
Router(config-if)#encapsulation ppp
Router(config-if)#ppp authentication pap
You must also configure the router with a local username/password database, or point it to a network host that has that information (such as a TACACS+ server). Without access to a username/password database, the router won't know which combinations are authorized and will deny all login attempts.
You can configure a local username/password database by using the following command in global configuration mode:
Router(config)#username username password password
In some cases, you must also configure a router's asynchronous interface to place calls to other access servers. If you want to configure an interface to respond to a peer's request to authenticate with PAP, you must use the ppp pap sent-username command:
Router(config-if)#ppp pap sent-username username password password
Configuring CHAP
When using CHAP authentication, the access server sends a challenge message to the remote node after the PPP link is established. The remote node responds with a value calculated by using a one-way hash function, typically Message Digest 5 (MD5). The access server checks the response against its own calculation of the expected hash value. If the values match, the authentication is acknowledged.
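The challenge/response exchange described above, as an added example that is not part of the original page. It assumes the RFC 1994 response calculation, MD5 over the identifier, the shared secret and the challenge; the AccessServer class and the demo function are hypothetical names, and the username and password are the ones this page uses in its callback section.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 Response Value: MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class AccessServer:
    """Authenticator side: issues challenges and checks the peer's response."""

    def __init__(self, users):
        self.users = users   # name -> shared secret (the username/password database)
        self.pending = {}    # identifier -> challenge still awaiting a response
        self.next_id = 0

    def challenge(self):
        self.next_id = (self.next_id + 1) % 256      # Identifier is one octet
        self.pending[self.next_id] = os.urandom(16)  # unpredictable, fresh per attempt
        return self.next_id, self.pending[self.next_id]

    def verify(self, identifier, name, response):
        challenge = self.pending.pop(identifier, None)  # a challenge is single use
        secret = self.users.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def demo():
    server = AccessServer({"Client": b"itsasecret"})  # credentials from this page
    ident, value = server.challenge()
    answer = chap_response(ident, b"itsasecret", value)   # remote node's calculation
    accepted = server.verify(ident, "Client", answer)
    ident2, _ = server.challenge()
    replayed = server.verify(ident2, "Client", answer)    # old answer, new challenge
    ident3, value3 = server.challenge()
    guessed = server.verify(ident3, "Client", chap_response(ident3, b"wrong", value3))
    return accepted, replayed, guessed


if __name__ == "__main__":
    print(demo())
```

The secret itself never crosses the link, and a response captured from one exchange does not satisfy a later challenge.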
Configure PPP and CHAP authentication using the following commands:
Router(config-if)#encapsulation ppp
Router(config-if)#ppp authentication chap
You can enable both PAP and CHAP authentication on an interface. The first method specified is requested during link negotiation. If the peer suggests using the second method or simply refuses the first method, then the second method will be tried.
This command can be useful, because some remote devices support CHAP only and some PAP only. The commands are as follows:
Router(config-if)#ppp authentication pap chap
And, alternately:
Router(config-if)#ppp authentication chap pap
PPP Callback
PPP callback is an LCP option used over dialup links. PPP callback provides a client/server relationship between the endpoints of a point-to-point connection. PPP callback allows a dialup client to request that a dialup server call the client back. The callback feature can be used to control access and toll costs between hosts.
Both routers on a point-to-point link must be configured for PPP callback; one must function as a callback client, and one must be configured as a callback server. The callback client must be configured to initiate PPP callback requests, and the callback server must be configured to accept PPP callback requests and place return calls.
The asynchronous callback feature supports EXEC, PPP, and ARAP sessions. The main motivation for callback is telephone bill consolidation and dialup cost savings. It is not necessarily a security feature; however, if the callback number is assigned in the authentication database, security is enforced because callbacks are made only to assigned telephone numbers.
The incoming calls go through the normal login process and must pass authentication before callback can occur. To make callback work properly, you must make sure that callback is configured for each autoselect protocol that is defined for any given remote user. Otherwise, the remote dial-in autoselect process may work, but no callback occurs.
To configure a router as a callback server, use the commands shown.
Server(config)#interface async 1
Server(config-if)#ip address 10.1.1.1 255.255.255.0
Server(config-if)#encapsulation ppp
Server(config-if)#ppp authentication chap
Note that to use callback, you must also use PPP authentication. The asynchronous interface can then be configured with basic DDR commands:
Server(config-if)#dialer in-band
Server(config-if)#dialer-group 1
Finally, PPP callback is configured with these commands:
Server(config)#username Client password itsasecret
Server(config)#map-class dialer DIALBACK
Server(config-map-class)#dialer callback-server username
Server(config-map-class)#exit
The username command creates an entry for the remote host in the Server's local password database. The map-class dialer command creates a dialer configuration called DIALBACK that can be applied to calls on an individual basis with the dialer map command.
In this case, DIALBACK will apply the dialer callback-server username command, which enables an interface to make return calls when callback is successfully negotiated.
PPP callback configuration is completed by the following required commands:
Server(config)#interface async 1
Server(config-if)#ppp callback accept
Server(config-if)#dialer map ip 10.1.1.2 name Client class DIALBACK modem-script hayes56k broadcast 5556002
The ppp callback accept command enables PPP callback. The dialer map statement links the callback client's IP address, username, phone number, and DIALBACK map class (thus applying the dialer callback-server username configuration). Note that a dialup interface cannot be configured to be both a callback server and a callback client simultaneously.
Server(config-if)#dialer callback-secure
This command affects users who are not authorized to be called back with the dialer callback-server command. If the username (as specified in the dialer map command) is not authorized for callback, the call will be disconnected if the dialer callback-secure command is configured.
If the dialer callback-secure command is not configured, the call will not be disconnected. In either case, callback has not occurred.
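A small configuration check for the callback-server settings described above, as an added example that is not part of the original page. The sample configuration is constructed from this page's commands, parse_interfaces and audit are hypothetical helper names, and the check only matches the commands exactly as this page writes them.

```python
# Constructed sample configuration built from the commands on this page.
SAMPLE = """\
interface async 1
 encapsulation ppp
 ppp authentication pap chap
 ppp callback accept
 dialer in-band
interface async 2
 encapsulation ppp
 ppp authentication chap
 ppp callback accept
 dialer callback-secure
interface async 3
 encapsulation ppp
 ppp callback accept
"""


def parse_interfaces(config):
    """Group indented sub-commands under the 'interface' line above them."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # any other top-level line ends the interface block
    return interfaces


def audit(config):
    findings = []
    for name, cmds in parse_interfaces(config).items():
        auth = next((c.split()[2:] for c in cmds
                     if c.startswith("ppp authentication ")), [])
        if "ppp callback accept" in cmds:
            if not auth:  # the page: callback requires PPP authentication
                findings.append((name, "callback without ppp authentication"))
            if "dialer callback-secure" not in cmds:
                findings.append((name, "unauthorized callers are not disconnected"))
        if auth[:1] == ["pap"]:  # first method listed is requested first
            findings.append((name, "PAP is the first method requested"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=": ")
```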
Configuring a router as a callback client requires the ppp callback request command, as shown in Figure 1.
Data Compression
PPP can also maximize performance by using data compression, which may provide higher data throughput across low-speed links. Compression is an option that is negotiated by LCP.
Trying to compress already compressed data can take longer than transferring the data without compression. Typically, you should only configure compression on low-speed links because the router compresses data using software, which requires router CPU time and memory.
Cisco recommends that you disable compression if CPU load exceeds 65 percent. To display the CPU load, use the show processes cpu command. To display memory utilization, use the show processes memory command.
Predictor compression is recommended when the bottleneck is caused by high load on the router; Stacker compression is recommended when the bottleneck is caused by a line's bandwidth limitations. Configuring PPP for compression is simple: in interface configuration mode, issue the compress predictor, compress stac, compress mppc, or ip tcp header-compression command on both sides of the link.
Configure TCP header compression using the command: ip tcp header-compression. Optionally, the ip tcp header-compression passive command specifies that TCP header compression is not required, but will be used if the router receives compressed headers from its link partner. You can use the show compress command in privileged EXEC mode to view compression statistics.
PPP MULTILINK
Multilink PPP (MLP) is an LCP option that provides load balancing over multiple interfaces, including ISDN, synchronous, and asynchronous interfaces. MLP can improve throughput and reduce latency between systems by splitting Layer 3 packets and sending the fragments over parallel circuits.
It is important to remember that MLP works by splitting packets into fragments, not by load-balancing complete packets to a destination. Prior to the adoption of MLP there was no standardized way to use both of the ISDN BRI B channels and ensure proper sequencing.
Typically, you should use MLP with applications in which bandwidth requirements are dynamic, such as remote LAN access applications for telecommuters or small office, home office (SOHO) environments. When user traffic exceeds a predefined threshold, an additional physical link (such as a B channel) can be brought up to handle the burst of traffic.
One way to determine whether PAP or CHAP authentication succeeded is to use the show dialer command. This command can be used to view the status of asynchronous dialup connections. If the show dialer command output displays the name of the remote router, it means that authentication was successful, as shown in the "Connected to 5551234 (SanJose1)" line in Figure 1.
You can check the show dialer command on both routers to verify that the name of the other router is displayed. If it is, then you know that PAP or CHAP authentication worked. The show dialer command output will also indicate whether a line is a member of an MLP bundle, as shown in Figure 1. The debug dialer command can also be used to troubleshoot misconfiguration problems.
The debug ppp negotiation command is an excellent tool for troubleshooting the PPP LCP activities such as authentication, compression, and MLP. When the LCP is in OPEN state, the NCP negotiation takes place. For PPP to work, LCP options must be negotiated before any NCP activities take place. The debug ppp negotiation command allows you to observe negotiation of the following:
CHAP authentication
Compression Control Protocol (CCP)
NCP protocols IPCP, IPXCP, ATCP, etc.
When specifically debugging CHAP or PAP authentication, the debug ppp authentication command can be used in place of debug ppp negotiation. The debug ppp authentication command gives you the same output as debug ppp negotiation, but that output is limited to CHAP and PAP authentication events.
Because debugging output is assigned a high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff.