C H A PT E R 7

Configuring PPP and Multilink

PPP
This chapter describes how to configure the Point-to-Point Protocol (PPP) and Multilink
PPP features that can be configured on the serial interfaces on a Cisco Optical Networking
System (ONS) 15304. Before configuring the synchronous serial interfaces, be sure the
VC-12 Time Division Multiplexing (TDM) channels are drop-terminated and the DS-1
framers configured.
This chapter covers only the most common configuration options as used within the
Cisco ONS 15304 application. For a complete description of the PPP commands in this
chapter, refer to the “Media-Independent PPP and Multilink PPP Commands” chapter of
the Dial Solutions Command Reference. To locate documentation of other commands that
appear in this chapter, use the command reference master index or search online.
A Cisco ONS 15304 supports up to 24 synchronous serial interfaces for which PPP and
Multilink-PPP can be used as the link layer protocol. Each of the 24 synchronous serial
interfaces operate at the fixed E1 rate of 2 Mbps. PPP is used when a link consists of a single
synchronous serial channel. For higher-rate services (nxE1), Multilink-PPP is used to bond
the individual serial channels together and provide the view of a single, integrated,
high-capacity channel. Unlike other Cisco products, the Cisco ONS 15304 supports only
PPP-based link layer protocols.

Note HDLC framing can also be used if desired for special applications where PPP
features are not required.

Configuring PPP and Multilink PPP 7-1

Implementation Information

Implementation Information
PPP, described in RFC 1661, encapsulates network layer protocol information over
point-to-point links. The current implementation of PPP supports option 3, authentication
using CHAP or PAP, option 4, Link Quality Monitoring, and option 5, Magic Number
configuration options. The software always sends option 5 and negotiates for options 3 and
4 if so configured. All other options are rejected.
Magic Number support is available on all serial interfaces. PPP always attempts to
negotiate for Magic Numbers, which are used to detect looped-back lines. Depending on
how the down-when-looped command is configured, the router might shut down a link if
it detects a loop.
The software provides the Challenge Handshake Authentication Protocol (CHAP) and
Password Authentication Protocol (PAP) on serial interfaces running PPP encapsulation.
For detailed information about authentication, see the Security Configuration Guide.
In the current Cisco ONS 15304 implementation, Multilink-PPP packet fragmentation is
not currently supported. Disabling fragmentation helps preserve packet processing
bandwidth.

PPP Configuration Task List

To configure PPP on a serial interface, perform the following task in interface configuration
mode:
• Enable PPP Encapsulation
You can also complete the tasks in the following sections; these tasks are optional but offer
a variety of uses and enhancements for PPP on your systems and networks:
• Enable CHAP or PAP Authentication
• Enable Link Quality Monitoring (LQM)
• Disable or Reenable Peer Neighbor Routes
• Configure PPP Half-Bridging
• Configure Multilink PPP
• Monitor and Maintain PPP and MLP Interfaces

7-2 Cisco Optical Networking System 15304 Software Configuration Guide

 Enable PPP Encapsulation

Enable PPP Encapsulation

You can enable PPP on serial lines to encapsulate IP and other network protocol datagrams.
Use the following command in interface configuration mode:

Command Task
encapsulation ppp Enable PPP encapsulation.

PPP echo requests are used as keepalives to minimize disruptions to the end users of your
network. The no keepalive command can be used to disable echo requests.

Enable CHAP or PAP Authentication

The PPP with CHAP authentication or Password Authentication Protocol (PAP) is often
used to inform the central site about which remote routers are connected to it.
With this authentication information, if the router or access server receives another packet
for a destination to which it is already connected, it does not place an additional call.
However, if the router or access server is using rotaries, it sends the packet out the correct
port.
CHAP and PAP were originally specified in RFC 1334, and CHAP is updated in RFC 1994.
These protocols are supported on synchronous and asynchronous serial interfaces. When
using CHAP or PAP authentication, each router or access server identifies itself by a name.
This identification process prevents a router from placing another call to a router to which
it is already connected, and also prevents unauthorized access.
Access control using CHAP or PAP is available on all serial interfaces that use PPP
encapsulation. The authentication feature reduces the risk of security violations on your
router or access server. You can configure either CHAP or PAP for the interface.

Note To use CHAP or PAP, you must be running PPP encapsulation.

Configuring PPP and Multilink PPP 7-3

Enable CHAP or PAP Authentication

When CHAP is enabled on an interface and a remote device attempts to connect to it, the
local router or access server sends a CHAP packet to the remote device. The CHAP packet
requests or “challenges” the remote device to respond. The challenge packet consists of an
ID, a random number, and the host name of the local router.
The required response consists of two parts:
• An encrypted version of the ID, a secret password (or secret), and the random number
• Either the host name of the remote device or the name of the user on the remote device
When the local router or access server receives the response, it verifies the secret by
performing the same encryption operation as indicated in the response and looking up the
required host name or username. The secret passwords must be identical on the remote
device and the local router.
By transmitting this response, the secret is never transmitted in clear text, preventing other
devices from stealing it and gaining illegal access to the system. Without the proper
response, the remote device cannot connect to the local router.
CHAP transactions occur only at the time a link is established. The local router or access
server does not request a password during the rest of the call. (The local device can,
however, respond to such requests from other devices during a call.)
When PAP is enabled, the remote router attempting to connect to the local router or access
server is required to send an authentication request. If the username and password specified
in the authentication request are accepted, the Cisco IOS software sends an authentication
acknowledgment.
After you have enabled CHAP or PAP, the local router or access server requires
authentication from remote devices. If the remote device does not support the enabled
protocol, no traffic will be passed to that device.
To use CHAP or PAP, you must perform the following tasks:
Step 1 Enable PPP encapsulation.
Step 2 Enable CHAP or PAP on the interface.
Step 3 For CHAP, configure host name authentication and the secret or password for
each remote system with which authentication is required.

7-4 Cisco Optical Networking System 15304 Software Configuration Guide

 Enable CHAP or PAP Authentication

To enable PPP encapsulation, use the following command in interface configuration mode:

Command Purpose
encapsulation ppp Enable PPP on an interface.

To enable CHAP or PAP authentication on an interface configured for PPP encapsulation,

use the following command in interface configuration mode:

Command Purpose
ppp authentication {chap | chap pap | pap chap | Define the authentication methods
pap} [if-needed] [list-name | default] [callin] supported and the order in which they are
used.

The ppp authentication chap optional keyword if-needed can be used only with Terminal
Access Controller Access Control System (TACACS) or extended TACACS.
With authentication, authorization, and accounting (AAA) configured on the router and list
names defined for AAA, the optional keyword list-name can be used with AAA/TACACS+.

Caution If you use a list-name that has not been configured with the aaa authentication
ppp command, you disable PPP on the line.

Add a username entry for each remote system from which the local router or access server
requires authentication.
To specify the password to be used in CHAP or PAP caller identification, use the following
command in global configuration mode:

Command Purpose
username name password secret Configure identification.

Make sure this password does not include spaces or underscores.

Configuring PPP and Multilink PPP 7-5

Enable Link Quality Monitoring (LQM)

To configure TACACS on a specific interface as an alternative to global host authentication,

use the following command in interface configuration mode:

Command Purpose
ppp use-tacacs [single-line] Configure TACACS.
or
aaa authentication ppp

Use the ppp use-tacacs command with TACACS and Extended TACACS. Use the aaa
authentication ppp command with AAA/TACACS+.
For an example of CHAP, see the section "CHAP with an Encrypted Password Examples"
on page 7-13. CHAP is specified in RFC 1994, PPP Challenge Handshake Authentication
Protocol (CHAP).

Enable Link Quality Monitoring (LQM)

Link Quality Monitoring (LQM) is available on all serial interfaces running PPP. LQM will
monitor the link quality, and if the quality drops below a configured percentage, the router
shuts down the link. The percentages are calculated for both the incoming and outgoing
directions. The outgoing quality is calculated by comparing the total number of packets and
bytes sent with the total number of packets and bytes received by the destination node. The
incoming quality is calculated by comparing the total number of packets and bytes received
with the total number of packets and bytes sent by the destination peer.
When LQM is enabled, Link Quality Reports (LQRs) are sent, in place of keepalives, every
keepalive period. All incoming keepalives are responded to properly. If LQM is not
configured, keepalives are sent every keepalive period and all incoming LQRs are
responded to with an LQR.
LQR is specified in RFC 1989, PPP Link Quality Monitoring, by William A. Simpson of
Computer Systems Consulting Services.
To enable LQM on the interface, use the following command in interface configuration
mode:

Command Purpose
ppp quality percentage Enable LQM on the interface.

7-6 Cisco Optical Networking System 15304 Software Configuration Guide

 Disable or Reenable Peer Neighbor Routes

The percentage argument specifies the link quality threshold. That percentage must be
maintained, or the link is deemed to be of poor quality and taken down.

Disable or Reenable Peer Neighbor Routes

The Cisco IOS software automatically creates neighbor routes by default; that is, it
automatically sets up a route to the peer address on a point-to-point interface when the PPP
IPCP negotiation is completed.
To disable this default behavior or to reenable it after it has been disabled, use the following
commands in interface configuration mode:

Command Purpose
no peer neighbor-route Disable creation of neighbor routes.
peer neighbor-route Reenable creation of neighbor routes.

Note If entered on a dialer or async-group interface, this command affects all member
interfaces.

Configure PPP Half-Bridging

For situations in which a routed network needs connectivity to a remote bridged Ethernet
network, a serial or ISDN interface can be configured to function as a PPP half-bridge. The
line to the remote bridge functions as a virtual Ethernet interface, and the router’s serial or
ISDN interface functions as a node on the same Ethernet subnetwork as the remote
network.
The bridge sends bridge packets to the PPP half-bridge, which converts them to routed
packets and forwards them to other router processes. Likewise, the PPP half-bridge
converts routed packets to Ethernet bridge packets and sends them to the bridge on the same
Ethernet subnetwork.

Note An interface cannot function as both a half-bridge and a bridge.

Configuring PPP and Multilink PPP 7-7

Configure PPP Half-Bridging

Figure 7-1 shows a router with a serial interface configured as a PPP half-bridge. The
interface functions as a node on the Ethernet subnetwork with the bridge. Note that the
serial interface has an IP address on the same Ethernet subnetwork as the bridge.

Figure 7-1 Router Serial Interface Configured as a Half-Bridge

ATM 4/0.100

S4763
172.31.5.9

Ethernet subnet
172.31.5.0

Note The Cisco IOS software supports no more than one PPP half-bridge per Ethernet
subnetwork.

To configure a serial interface to function as a half-bridge, complete the following tasks

beginning in global configuration mode:

Command Purpose
interface serial number Specify the interface (and enter
interface configuration mode).
ppp bridge appletalk Enable PPP half-bridging for one
ppp bridge ip or more routed protocols:
AppleTalk, IP, or IPX.
ppp bridge ipx [novell-ether | arpa | sap | snap]
ip address n.n.n.n Provide a protocol address on the
appletalk address network.node same subnetwork as the remote
appletalk cable-range cable-range network.node network.

ipx network network

7-8 Cisco Optical Networking System 15304 Software Configuration Guide

 Configure Multilink PPP

Note You must enter the ppp bridge command either when the interface is shut down or
before you provide a protocol address for the interface.

For more information about AppleTalk addressing see the “Configuring AppleTalk”
chapter; for more information about IPX addresses and encapsulations, see the
“Configuring Novell IPX” chapter. Both chapters are in the Network Protocols
Configuration Guide, Part 2.

Configure Multilink PPP

As higher-speed services are deployed, Multilink-PPP provides a standardized method for
spreading traffic across multiple WAN links, while providing multivendor interoperability,
packet fragmentation and proper sequencing, and load balancing on both inbound and
outbound traffic. The Cisco ONS 15304 implementation of the Multilink Point-to-Point
Protocol (PPP) feature provides the ability to increase channel capacity to up to eight E1s.
Note that the Cisco ONS 15304 implementation of Multilink PPP does not currently
support the fragmentation and packet sequencing specifications in RFC 1717. (Packet
fragmentation and reassembly will be supported in future software releases.)
The Multilink-PPP implementation in the Cisco ONS 15304 supports up to 8 multilink
interfaces. Each multilink interface might contain up to 8 E1-rate serial interfaces for a total
link bandwidth of 12 Mbps channel. In most applications, 4 E1s should be sufficient to meet
the needs of traffic forwarded between a multilink interface and a single Ethernet interface.
The 24 serial interfaces in the Cisco ONS 15304 can be assigned to 8 multilink interfaces
arbitrarily, including 8 multilink interfaces of 3 serial links each, or 3 multilink interfaces
of 8 serial links. Multilink interfaces can be run concurrently with serial interfaces using
PPP encapsulation.
Unlike the dialer implementations of PPP and Multilink PPP, the channels are always
connected. When a multilink interface is created it remains in effect until it is deleted.

Configuring PPP and Multilink PPP 7-9

Configure Multilink PPP

Configure Multilink PPP on Multiple Serial Interfaces

A Multilink interface is a special virtual interface which represents a multilink PPP bundle.
The multilink interface serves to coordinate the configuration of the bundled link, and
presents a single object for the aggregate links. However, the individual PPP links that are
aggregated together, must also be configured. Therefore, to enable Multilink PPP on
multiple serial interfaces, you need to first set up the multilink interface, and then configure
each of the serial interfaces and add them to the same multilink interface.
To set up the multilink interface, use the following commands beginning in global
configuration mode:

Command Purpose
interface multilink number Specify the multilink interface.
ip address address mask Specify the IP protocol address for the
or multilink interface.

no ip address Alternatively, use the no ip address

encapsulation ppp
ppp multilink
ppp authentication chap
ppp chap hostname name
multilink max-fragments 1
multilink-group group-number
command if you intend to use bridging
without IP routing.
Enable PPP encapsulation.
Enable Multilink PPP operation.
(Optional) Enable PPP CHAP
authentication.
(Optional) Set the alternative hostname
for CHAP.
Specify the number of fragments a
packet can be split into for forwarding
across the multilink interface. In the
current implementation of the
Cisco ONS 15304 software, this number
should be set to 1 to disable
fragmentation.
Specify an identification number for the
multilink interface. All of the serial
interfaces using the same multilink
group number are considered to be
participating in the multilink bundle.

7-10 Cisco Optical Networking System 15304 Software Configuration Guide

 Configure Multilink PPP on Multiple Serial Interfaces

Command Purpose
bridge-group bridge-group-number (Optional) Specify the bridge group that
this interface belongs to. Use this
command only if bridging is enabled for
this interface.
no shutdown Enable the interface.

To configure each of the serial interfaces to belong to the same multilink group, use the
following commands beginning in global configuration mode:

Command Purpose
interface serial number Specify one of the serial interfaces.
no ip address Specify that it does not have an
individual protocol address. The
protocol address is specified with the
multilink interface configuration.
encapsulation ppp Enable PPP encapsulation.
ppp multilink Set the dialer idle timeout period, using
the same timeout for each of the BRI
interfaces you configure.
multilink-group group-number Specify the multilink interface that this
serial interface is associated with. The
multilink interface and all serial
interfaces with the same group number
are considered to be participating in the
same multilink session.
no shutdown Enable the serial interface.

Repeat Steps 1 through 6 for each serial interface you want to belong to the same multilink
group.

Configuring PPP and Multilink PPP 7-11

Monitor and Maintain PPP and MLP Interfaces

Monitor and Maintain PPP and MLP Interfaces

To monitor and maintain virtual interfaces, you can use any of the following commands:

Command Purpose
show ppp multilink Display MLP and multilink bundle
information.
show interface serial number Display interface statistics for a serial
interface.
show interface multilink number Display interface statistics for a multilink
interface.

PPP Configuration Examples

The examples provided in this section show various PPP and Multilink PPP configurations
as follows:
• Basic PPP Link Configuration
• CHAP with an Encrypted Password Examples
• Multilink PPP with IP Routing
• Multilink PPP with Bridging

7-12 Cisco Optical Networking System 15304 Software Configuration Guide

 Basic PPP Link Configuration

Basic PPP Link Configuration

PPP can be enabled by specifying PPP encapsulation, and ensuring the interface is not in
the shutdown state. The example below shows the first serial E1 interface configured for IP
routing, while the second E1 interface is configured for transparent bridging. Integrated
Routing and Bridging is enabled in the example to permit both IP routing and bridging (of
IP packets) to take place.
!
ip routing
bridge irb
bridge 1 protocol ieee
!
interface SerialE1 1
ip address 192.13.1.1 255.255.255.0
encapsulation ppp
no shutdown
!
interface SerialE1 1
no ip address
encapsulation ppp
no shutdown
bridge-group 1
!

CHAP with an Encrypted Password Examples

The following configuration examples enable CHAP on serial interface 0 of three devices.

Configuration of Cisco ONS 15304 yyy

hostname yyy
interface serial 0
encapsulation ppp
ppp authentication chap
username xxx password secretxy
username zzz password secretzy

Configuring PPP and Multilink PPP 7-13

PPP Configuration Examples

Configuration of Cisco ONS 15304 xxx

hostname xxx
interface serial 0
encapsulation ppp
ppp authentication chap

username yyy password secretxy

username zzz password secretxz

Configuration of Cisco ONS 15304 zzz

hostname zzz
interface serial 0
encapsulation ppp
ppp authentication chap
username xxx password secretxz
username yyy password secretzy

When you look at the configuration file, the passwords will be encrypted and the display
will look similar to the following:
hostname xxx
interface serial 0
encapsulation ppp
ppp authentication chap
username yyy password 7 121F0A18
username zzz password 7 1329A055

Multilink PPP with IP Routing

The following example gives a basic configuration of a multilink interface operating in IP
routing mode. In the example, the multilink1 interface is configured with 3 serial interfaces
with the common multilink-group name “group1.” PPP CHAP authentication is enabled.
The example uses the unnumbered IP address option to conserve IP addresses. The IP
address for the Ethernet1 is reused for the multilink1 interface. An IP address can be
assigned to the multilink interface if unnumbered operation is not desired.
As part of this example, traffic from the multilink1 interface is policy-routed between the
multilink1 to the Ethernet1 interface, and vice versa. Two policy route maps are defined as
“bundle” and “customer.” The policy route map named “bundle” is bound to multilink1 so

7-14 Cisco Optical Networking System 15304 Software Configuration Guide

 Multilink PPP with IP Routing

that traffic received is forwarded to the Ethernet1 interface. Similarly, the policy route map
“customer” is bound to the Ethernet1 interface so that Ethernet traffic is forwarded to the
multilink1 interface.
!
interface Multilink1
ip unnumbered Ethernet1
ip route-cache policy
ip policy route-map bundle
no shutdown
no cdp enable
ppp chap hostname group1
ppp multilink
multilink-group 1
!
interface Ethernet1
ip address 192.13.1.1 255.255.255.0
ip route-cache policy
ip policy route-map customer
no shutdown
full-duplex
!
interface SerialE1 1
no ip address
encapsulation ppp
no shutdown
no fair-queue
ppp chap hostname group1
ppp multilink
multilink-group 1
!
interface SerialE1 2
no ip address
encapsulation ppp
no shutdown
no fair-queue
ppp chap hostname group1
ppp multilink
multilink-group 1
!
interface SerialE1 3
no ip address
encapsulation ppp
no shutdown
no fair-queue

Configuring PPP and Multilink PPP 7-15

PPP Configuration Examples

ppp chap hostname group1

ppp multilink
multilink-group 1
!
route-map customer permit 10
set interface Multilink1
!
route-map bundle permit 10
set interface Ethernet1

Multilink PPP with Bridging

The following example configures three serial interfaces to belong to the same group for
Multilink PPP. Remember that the multilink-group command is used to assign each of the
serial interfaces to the multilink group.
! Before setting up the Ethernet and Serial interfaces, the TDM channels
must be
! drop-terminated and the E1 framers need to be configured. The
! configuration of TDM channels is given in document TBD.
!
bridge 1 protocol ieee

! Configure the Ethernet interface

!
interface Ethernete1
no ip address
no shutdown
full-duplex
bridge-group 1
bridge-group 1 spanning-disabled

! Configure the multilink group interface

!
interface Multilink1
no ip address
no shutdown
no cdp enable
ppp chap hostname group1
ppp multilink
multilink max-fragments 1
multilink-group 1
bridge-group 1

7-16 Cisco Optical Networking System 15304 Software Configuration Guide

 Multilink PPP with Bridging

! Configure the individual serial interfaces

!
interface SerialE1 1
no ip address
encapsulation ppp
no shutdown
no fair-queue
ppp chap hostname group1
ppp multilink
multilink-group 1
!
interface SerialE1 2
no ip address
encapsulation ppp
no shutdown
no fair-queue
ppp chap hostname group1
ppp multilink
multilink-group 1
!
interface SerialE1 3
no ip address
encapsulation ppp
no shutdown
no fair-queue
ppp chap hostname group1
ppp multilink
multilink-group 1

Configuring PPP and Multilink PPP 7-17

PPP Configuration Examples

7-18 Cisco Optical Networking System 15304 Software Configuration Guide