Hi, and welcome to this CertificationKits CCNA Training Video on the Layer 2 encapsulations PPP, Point-to-Point Protocol, and HDLC, High-Level Data Link Control protocol, which is a Cisco proprietary protocol. We are going to talk about the differences between PPP and HDLC, when you can use them, and how to configure them. Then we will get further into Point-to-Point Protocol with its authentication methods, PAP, Password Authentication Protocol, and CHAP, Challenge Handshake Authentication Protocol, as well as troubleshooting the Layer 2 encapsulation with PPP from a CCNA perspective.
I first want to talk about what Layer 2 encapsulation really is. Again, PPP and HDLC work at Layer 2, but that is Layer 2 of the OSI model, or the network access layer of the four-layer model, which people call the TCP/IP model or the DoD model. Layer 2 is the data link layer, and the data link layer is broken up into two sublayers: the Logical Link Control, LLC, sublayer and the Media Access Control, MAC, sublayer.
Now, when you are packaging information, let's say you are sending something out from an FTP application at the application layer. It first goes to the transport layer and gets broken up into smaller pieces called segments. Each segment gets information about how to put it back together, sequencing information, things like that. Then you send that segment down to the network layer or Internet layer, Layer 3 of the OSI model, and the IP information gets put on there, assuming (02:09 inaudible) IP. Once that is on there, you send it to Layer 2 of the OSI model. The very first part of Layer 2 is the Logical Link Control, and this is a big part of where HDLC and Point-to-Point Protocol differ. Once the data has the Layer 3 information on it, it is called a packet, and what happens is the LLC part puts the type field in there. This type field tells the receiving computer which Layer 3 protocol was used to package the information, so the receiving computer knows that all of this data was packaged by the IP protocol.
HDLC has a proprietary type field, meaning Cisco proprietary, so Cisco devices will work with HDLC. If you are not using a complete Cisco environment, you have Point-to-Point Protocol, which has a standardized type field that has been revised by the IEEE, making it available to multivendor environments. So if you have not just Cisco but Juniper and other types of routers, you would need a protocol like Point-to-Point Protocol to encapsulate the data, because this type field, again, which is used to tell the receiving computer the type of Layer 3 protocol used, is standardized so multiple vendors can use it. Cisco has its own proprietary HDLC, and its type field is a proprietary type field. Then it goes on and puts on the rest of the Layer 2 information, including a trailer with an FCS and a flag. But this type field is the big difference between HDLC and PPP, along with some functions that are built into PPP that are not available with HDLC.
Let's go in and look at a quick comparison of HDLC and PPP. Here is a slide with a CCNA comparison of HDLC and PPP, High-Level Data Link Control protocol versus Point-to-Point Protocol. HDLC is Cisco proprietary, meaning Cisco devices only; PPP is multivendor. HDLC has no error recovery, meaning it will not retransmit damaged frames; there is error recovery with PPP. HDLC has no authentication, meaning when it links up to a router at the other end, it does not have any way to verify that it is supposed to be able to link with that router. PPP has authentication, meaning it can verify that the router at the other end is a friend and that it is allowed to send information back and forth with it.
Looped link detection: a service provider will loop a link for testing purposes, meaning it sends bits back in the direction they came from. So if a router is sending bits out and the service provider has looped the link for whatever reason, the router gets the same information back, and that is not good. It is sending information expecting the other router to receive it, not expecting to get that information back itself. So what happens is PPP includes what is called a magic number, which is number one here. If the router sends bits out and gets that same number back, it knows that the link is looped, and it will stop transmitting on that link or consider that link down. HDLC would think that everything is happy and would just keep sending the data, get it back itself, and not even realize that it is its own data.
PPP also has multilink support, meaning aggregation of multiple links, allowing information to be transmitted over multiple links acting as one link. So there are a lot of good benefits to PPP. PPP was developed later on, and a lot of benefits were added to it. Now let's look at PPP a little more closely before we go in and configure HDLC and Point-to-Point Protocol. To get a little further into PPP, I brought up another CCNA slide. There are two main components of PPP. One part, Link Control Protocol, is the part that is used with any protocol. That is the part that authenticates a line, does the looped link detection, and provides the multilink support. So if we have two routers connecting together, Link Control Protocol is going to set up the link between the two routers, monitor the link, and make sure it is appropriate to carry the traffic across. Then you have the specific control protocols, each specific to a certain protocol, meaning if I am sending an IP packet across the link I would be using IPCP, IP Control Protocol. If you are sending a CDP packet across the link, you would be using CDPCP, or IPXCP for IPX. They have one for AppleTalk. Every Layer 3 protocol out there is going to have a certain control protocol that goes along with it.
What that does is allow the Point-to-Point Protocol specific features that support IP, CDP, or IPX to work with that particular Layer 3 protocol. An example of this would be IP address assignment with an Internet dial-up connection. So the two protocols, Link Control Protocol and the individual control protocols, work together to set up the link and allow the traffic to be carried across it. Link Control Protocol, like I said, does the authentication. Now, there are two main authentication types you need to know for the CCNA. One is PAP, Password Authentication Protocol; two is CHAP. Authentication is optional, by the way; it is what happens between the routers before they transfer any data, if you are using authentication. If you are going to send information across using PAP, it just sends the host name and password across in clear text, meaning if anyone was listening on the line, they are going to be able to get that information.
Challenge Handshake Authentication Protocol sends a challenge first, before sending the user name and password across. So the host name of the router might be ROA for router A and ROB for router B, and there is a password that must match on each router that has been pre-configured. Let's say the password is 123 on both routers. With Challenge Handshake Authentication Protocol, the initial challenge sends a number across, saying, in effect, multiply your password by this number right here. It is a little algorithm that gets worked on that number, and ROB sends back its host name and whatever answer it got by using the initial information from the challenge. The actual 123 password never gets sent across the link. ROA does its own calculation on the password and verifies that the information it received from router ROB matches. If they both match, they are going to be able to communicate. So what is cool about that is the password never actually crosses the link.
Let's take a look at what we need to configure to get Point-to-Point Protocol to work. HDLC, which we talked about a little earlier, is the default; it is already configured, and we do not need to do anything on a serial interface, HDLC is already there. If we want the extra features, the authentication and multivendor support, we are going to have to go in and configure Point-to-Point Protocol. Let's take a look at what it takes to configure Point-to-Point Protocol and make sure it works. Here is a diagram with a couple of routers. We have Palaestra1 here and Palaestra2. There is a serial 0 connection between the two over a simulated WAN link. I have gone into the CCNA simulator and configured IP addresses 1.1 and 1.2 with just a regular class C subnet mask, so they can ping each other. In the simulator I have this configured, and the names are configured, Palaestra1 and Palaestra2. There is a username command that we need to set up to be able to configure PPP between the routers with optional authentication.
We have to do it on Palaestra1. So on Palaestra1 we would type username Palaestra2. We type username and then the host name of the next-hop router that we are going to be communicating with. It is basically like creating a user account for the next-hop router for authentication purposes. Then you type password and then a password. Very important: the two passwords on each side here must match. So you go password Cisco on one side and password Cisco on the other. If the passwords do not match, it is not going to function. So on Palaestra2 you type username Palaestra1 password and then the password. On Palaestra1 you type username Palaestra2 password and then the password. And think about why these have to match. Remember, with CHAP authentication, Challenge Handshake Authentication Protocol, the routers run a little algorithm on this password, get a particular number, and send that across. They do not actually send the passwords across, so if the passwords do not match, they are not going to be able to authenticate.
After I have created the user account and verified that the host name is correct, you can go to the interface and type encapsulation PPP and PPP authentication CHAP, and then set it up on both sides; make sure it is set up on both sides. If the authentication does not match, like one side using PAP instead of CHAP, it is not going to work. So the authentication must match, and the encapsulation as well as the passwords, and in the user account the username has to match the host name of the next-hop router. If any of those things are off, Layer 2 will not come up. So let's go to the actual simulator, configure this, and see what happens.
In my CCNA simulator I am at router Palaestra1. I am going to enter the router and configure PPP. So I get into global configuration mode and type username Palaestra2 password Cisco. Palaestra2 is the next-hop router that I am connecting to, and again the passwords are going to have to match on Palaestra2. So on Palaestra2 I am going to type username Palaestra1 password Cisco. They have to match, and they are case sensitive. The username again just creates a user account, basically for Palaestra2, for authentication purposes. Once I have done that, I go to interface serial 0, type encapsulation PPP, and then specify the authentication, PPP authentication CHAP. I am going to shut this interface down so that after I configure Palaestra2 I can come back over here, turn it on, and debug the authentication. Debug allows me to view the authentication as it takes place. Debug PPP authentication is a very important command, and you would particularly use it if for some reason Layer 2 was not coming up when you check the interface status of your serial 0 interface. You would want to watch the authentication and see why it was not functioning.
Let me go over to Palaestra2 and configure that. So I am in privileged mode; I get into global configuration mode and type username Palaestra1 password Cisco. Again, passwords are case sensitive and must match, and they match. The username is the host name of the next-hop router, which is not case sensitive. Then go to interface serial 0, encapsulation PPP, PPP authentication CHAP, no shutdown, to make sure it is turned on. Palaestra2 is configured. I am going to save it real quick, go over to Palaestra1 again, and turn on the interface. So I go to interface serial 0 and type no shutdown. Now remember, I turn debugging on right here: I type in debug PPP authentication, so when I turn this interface on I should see the authentication take place, and there it is. I am going to turn the debug off right now. Typically I would just type no debug all, but the CCNA simulator is making me type no debug PPP authentication, which is a perfectly valid way of turning PPP authentication debugging off. It is simply easier to turn all debugging off, because you do not typically have a lot of debugs running, so typing no debug all turns them all off.
I also notice that in the CCNA simulator it keeps authenticating over and over and saying success. On your actual router in your actual environment, it would stop right here. Once it hits success, you are done; it is not going to keep authenticating over and over again. So you see success, success, a challenge from both sides, you get the successes for both challenges, everything is good, you are up, and you will not keep seeing this authentication run over and over again. That is just one of the small problems with the CCNA simulator; it just keeps running. So we turn that off.
If I type show interface serial 0, I can see that, let me try that again, show interface serial 0, there it is right there: serial 0 is up. That is Layer 1, meaning Layer 1 is up; line protocol is up, meaning Layer 2 is good. If it said serial 0 is up, line protocol is down, then we know we have a problem. Either the clock rate is not set in a back-to-back environment, or again something is wrong with the PPP authentication. If this was saying down, one of the first things I would do is turn debugging on by typing debug PPP authentication, which would allow me to see the authentication as it is taking place, and then no debug PPP authentication to turn it off. Again, if there was a problem it would keep scrolling and keep trying to authenticate. Here it is saying success even though there is no problem, and it keeps going; again, a real router would not normally do that. Next I would do a show run.
Now, when you are having problems with this authentication, you have to verify that the host name is right, because the host name is sent over as part of the authentication. If the host name is not right, it is not going to authenticate. This is one of the things the simulator does: it shows redundant commands in here. Only one would show up on a real router; if they are both the same, the later one would overwrite the earlier one. So I would check username Palaestra2 password Cisco and make sure the password is right. Now, normally this router right here would show no service password-encryption, which is the default. Here, service password-encryption is turned on, meaning every password on the router would be encrypted, so instead of seeing Cisco here we should see an encrypted version of the password, something like this, meaning I could not tell what the password was with service password-encryption turned on. So as a troubleshooting method, I would go in and just retype this line. I would type username Palaestra2 password Cisco, just to make sure it was right. I would do that on both sides if I was having trouble authenticating.
I would also go over to Palaestra2 and verify the host name over there. Check every character; make sure there are no underscores, or that the e and the a have not been swapped, something like that. If those host names are not exactly right, again, authentication will not take place. I would also check the username Palaestra1 password Cisco line, and I would just retype it if I could not see the password, to verify the password. So I would always go in and basically reset this account. I would also check the show run output for the interface, verifying the encapsulation on the interface and PPP authentication CHAP. I would verify all of those things. IP addresses do not come into play here. They come into play if the interface is up and up and I cannot ping. But if the interface is up and down, I need to simply focus on the Layer 2 encapsulation and problems with the authentication, making sure that the authentication is CHAP and that the encapsulation is PPP and not HDLC. If I get rid of that and set HDLC instead, then when I do a show run I do not see anything there. This line should actually disappear on the simulator, by the way, but either way I would not see anything there.
So what I would have to do to verify the encapsulation is show interface serial 0, and I can see the encapsulation there: encapsulation HDLC. The other side is encapsulation PPP, so that is not going to work. If I do a show interface, notice here it says line protocol is down, meaning again a Layer 2 problem. I just did the show interface, so again, serial 0 is up, Layer 1 is good; line protocol is down, Layer 2 is bad. The reason it is bad is that this end is using HDLC and the other end is using PPP.
So let me bring back the CCNA slide and go over everything you should check when you are troubleshooting line protocol being down. Here is my CCNA slide on everything that needs to be configured. When you are troubleshooting line protocol being down and you suspect something with PPP authentication, the first thing is to verify the host name. I do a show run and check the host names, because remember, this host name needs to match the name in the username statement. It is not case sensitive, but you can put the case there if you want the uppercase when necessary. But that must match; if they do not, something is different and it is not going to function. These passwords have to match. If you cannot read the passwords, simply retype username Palaestra1 password Cisco and it will overwrite the other one, resetting the password. These are case sensitive, and again they have to match, so check those.
Encapsulation PPP needs to be done on both interfaces, and the authentication has to match. If one side is CHAP and the other side is PAP, it will not work; they both have to be CHAP. I have seen people overlook host names not being typed right, the username not being typed right, passwords not matching, improper authentication, and improper Layer 2 encapsulation; if this was HDLC, again, it is not going to work. So you just need to go in and verify every one of these carefully, and if you have to, retype them to make sure you get the right ones. For a little help finding out why it is not authenticating, debug PPP authentication will show you the authentication as it takes place, and if there is a problem it will tell you what the problem is. For example, you might get a message-digest compare failure, which means the passwords are not matching. So debug PPP authentication is very important; use it to help figure out what the problem is with the authentication, along with show interface, because your first goal is to make sure the interfaces on both sides are up and up. The first up is Layer 1, the second up is Layer 2, and then worry about pinging.
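The CHAP exchange described earlier with ROA and ROB, and the password mismatch that shows up under debug PPP authentication, as an added example that is not from the video or from CertificationKits: a Python simulation of the two-way CHAP handshake between Palaestra1 and Palaestra2. The response computation, MD5 over the identifier, the password and the challenge, is the standard CHAP algorithm from RFC 1994 (the video just calls it a little algorithm); the Router class, function names and the failure strings are hypothetical, and the wire messages are constructed here rather than captured.

```python
import hashlib
import hmac
import os

def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5 over identifier, shared secret and challenge."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()

class Router:
    def __init__(self, hostname: str, usernames: dict):
        self.hostname = hostname  # the "hostname" command
        # One entry per "username <peer-hostname> password <password>" line.
        # The video says the peer name is not case sensitive, so lowercase it.
        self.usernames = {k.lower(): v for k, v in usernames.items()}
        self.pending = {}  # identifier -> challenge we sent and still await

    def challenge(self):
        """CHAP Challenge: (identifier, random challenge, our hostname)."""
        ident, chal = os.urandom(1)[0], os.urandom(16)
        self.pending[ident] = chal
        return ident, chal, self.hostname

    def respond(self, ident, chal, peer_name):
        """CHAP Response; the password itself is never placed on the wire."""
        secret = self.usernames.get(peer_name.lower())
        if secret is None:
            return None  # no "username <peer>" line for that hostname
        return ident, chap_response(ident, secret, chal), self.hostname

    def verify(self, response):
        """Compare the peer's digest with our own calculation."""
        if response is None:
            return "failure: peer has no username entry for " + self.hostname
        ident, digest, peer_name = response
        chal = self.pending.pop(ident, None)
        secret = self.usernames.get(peer_name.lower())
        if chal is None or secret is None:
            return "failure: unknown identifier or no username entry for " + peer_name
        expected = chap_response(ident, secret, chal)
        # A password mismatch lands here: the video's message-digest compare failure.
        if hmac.compare_digest(expected, digest):
            return "success"
        return "failure: message-digest compare failed"

def authenticate(a: Router, b: Router):
    """Two-way CHAP, as in the debug output: each side challenges the other."""
    results, wire = [], []
    for challenger, responder in ((a, b), (b, a)):
        chal_msg = challenger.challenge()
        resp_msg = responder.respond(*chal_msg)
        wire += [chal_msg, resp_msg]
        results.append(challenger.verify(resp_msg))
    return results, wire

def password_on_wire(wire, password: str) -> bool:
    """True if the clear-text password appears in any transmitted field."""
    pw = password.encode()
    return any(pw in f for msg in wire if msg for f in msg if isinstance(f, bytes))
```

Running authenticate on two routers whose username lines match returns success in both directions with the password absent from every message, while a password of cisco on one side against Cisco on the other, or a misspelled host name, fails in both directions.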
We have talked about PPP and HDLC Layer 2 encapsulation from a CCNA perspective: the PPP and HDLC comparison, the configuration of PPP, and more specifically that HDLC is the default. To configure it, all we type is encapsulation HDLC and it is done, or turn off PPP on the Cisco router and HDLC is there by default, so there is not a lot going on with that configuration. We covered how to set up authentication, the differences between CHAP and PAP (Password Authentication Protocol, again, not very secure; CHAP much more secure), as well as troubleshooting that Layer 2 encapsulation. I hope you have enjoyed this CertificationKits CCNA Training Video on PPP and HDLC Layer 2 encapsulation.