
15
WAN
Introduction
CERTIFICATION OBJECTIVES
15.01 Wide Area Networking Overview
15.02 HDLC
15.03 PPP

Two-Minute Drill
Q&A Self Test
CertPrs8 / CCNA Cisco Certified Network Associate Study Guide / Deal / 222934-9 / Chapter 15
Blind Folio 15:1
D:\omh\CertPrs8\934-9\ch15.vp
Monday, August 04, 2003 12:15:12 PM
Color profile: Generic CMYK printer profile
Composite Default screen
The last few chapters introduced you to configuring IP features on your Cisco router. This chapter introduces you to wide area networking (WAN) concepts and some basic point-to-point configurations, including HDLC and PPP. The two chapters following this, Frame Relay and ISDN, focus on packet-switched and dialup connections, respectively.
CERTIFICATION OBJECTIVE 15.01
Wide Area Networking Overview
Typically, LAN connections are within a company and WAN connections allow you to connect to remote sites. Typically, you don’t own the infrastructure for WAN connections—another company, such as a telephone company, provides the infrastructure. WAN connections are usually slower than LAN connections. A derivative of WAN solutions is the metropolitan area network (MAN). MANs sometimes use high-speed LAN connections in a small geographic area between different companies, or divisions within a company. MANs are becoming more and more popular in large cities and even provide connections over a LAN medium, such as Ethernet.

One of the major factors when choosing a WAN or MAN provider is cost. These connections are billed in multiple ways: flat monthly lease cost, per-packet cost, per-minute cost, and many other methods. On top of this, you have many solutions to choose from to solve your WAN connection problems. In order to choose the right solution, you’ll need to weigh your connection requirements, your traffic patterns, and the cost of the solution.
Equipment and Components
WAN connections are made up of many types of equipment and components. Figure 15-1
shows some of these WAN terms. Table 15-1 has a list of the terms and definitions.
As you may recall from Chapter 2, a DCE terminates a connection between two sites and provides clocking and synchronization for that connection; it connects to a DTE. The DCE category includes equipment such as CSU/DSUs, NT1s, and modems. A DTE is an end-user device, such as a router or PC, that connects to the WAN via the DCE equipment. In some circumstances, the function of the DCE might be built into the DTE’s physical interface. For instance, certain Cisco routers can be purchased with built-in NT1s or CSU/DSUs in their WAN interfaces.

The most important factor in choosing a WAN service is cost. It is important to remember the WAN terms in Table 15-1.
FIGURE 15-1 WAN terms
TABLE 15-1 WAN Terms and Definitions

CPE (customer premises equipment): This is your network’s equipment, which includes the DCE (modem, NT1, CSU/DSU) and your DTE (router, access server).
Demarcation point: This is where the responsibility of the carrier is passed on to you; this could be inside or outside your local facility. Please note that this is a logical boundary, not necessarily a physical boundary.
Local loop: This is the connection from the carrier's switching equipment to the demarcation point.
CO (central office) switch: This is the carrier's switch within the toll network.
Toll network: This is the carrier's internal infrastructure for transporting your data.
Connection Types
As mentioned at the beginning of this section, you have two major concerns when choosing a WAN solution: cost and the type of solution. There are many WAN solutions to choose from, including the following: analog modems and ISDN for dialup connections, ATM, dedicated point-to-point leased lines (dedicated circuits), DSL, Frame Relay, SMDS, wireless (including cellular, laser microwave, radio, and satellite), and X.25.

As you can see from this list, you have a lot of choices. Not all of these solutions will be available in every area, and not every solution is ideal for your needs. Therefore, one of your first tasks is to have a basic understanding of some of these services. Chapter 1 provided a brief overview of some of these services. This chapter covers some of these services briefly, and Chapters 16 and 17 expand on some of the others.

Typically, WAN connections fall under one of four categories:
■ Leased lines, such as dedicated circuits or connections
■ Circuit-switched connections, such as analog modem and digital ISDN dialup connections
■ Packet-switched connections, such as Frame Relay and X.25
■ Cell-switched connections, such as ATM and SMDS

The following three sections introduce these connection types (cell-switched services are covered in the packet-switched section).
Leased-Line Connections
A leased-line connection is basically a dedicated circuit connection between two sites. It simulates a single cable connection between the local and remote sites. Leased lines are best suited when both of these conditions hold:
■ The distance between the two sites is small, making them cost-effective.
■ You have a constant amount of traffic between two sites and need to guarantee bandwidth for certain applications.

Even though leased lines can provide guaranteed bandwidth and minimal delay for connections, other available solutions, such as ATM, can provide the same features. The main disadvantage of leased lines is their cost—they are the most expensive WAN solution.

Leased lines use synchronous serial connections, with their data rates ranging from 2,400 bps all the way up to 45 Mbps, in what is referred to as a DS3 connection. A synchronous serial connection allows you to simultaneously send and receive information without having to wait for any signal from the remote side. Nor does a synchronous connection need to indicate when it is beginning to send something or the end of a transmission. These two things, plus how clocking is done, are the three major differences between synchronous and asynchronous connections—asynchronous connections are typically used for dialup connections, such as modems.

Know about the four types of WAN connections: leased lines, circuit-switched connections, packet-switched connections, and cell-switched connections.
If you purchase a leased line, you will need the following equipment:
■ DTE: A router with a synchronous serial interface; this provides the data link framing and terminates the WAN connection.
■ DCE: A CSU/DSU to terminate the carrier’s leased-line connection; this provides the clocking and synchronization for the connection.

Figure 15-2 shows an example of the equipment required for a leased-line connection. The CSU/DSU is responsible for handling the physical layer framing, clocking, and synchronization of the connection. Data link layer protocols that you can use for dedicated connections include PPP, SLIP, and HDLC. SLIP is rarely used and is restricted to IP traffic. SLIP has been replaced by PPP.

FIGURE 15-2 Leased line example

Remember that leased lines are used for short-distance connections and when you have a constant amount of traffic between sites with a need of guaranteed bandwidth.
Circuit-Switched Connections
Circuit-switched connections are dialup connections, as are used by a PC with a modem when dialing up an ISP. Circuit-switched connections include the following types:
■ Asynchronous serial connections: These include analog modem dialup connections and the standard telephone system, which is commonly referred to as Plain Old Telephone Service (POTS) by the telephone carriers.
■ Synchronous serial connections: These include digital ISDN BRI and PRI dialup connections; they provide guaranteed bandwidth.

Asynchronous serial connections are the cheapest form of WAN services but are also the most unreliable of the services. For instance, every time you make a connection using an analog modem, there is no guarantee of the connection rate you’ll get. With these connections, the top connection rate in the U.S. is 53 Kbps, but depending on the quality of the connection, you might get something as low as 300 bps. The Federal Communications Commission (FCC) restricts analog data rates to 53 Kbps or less. Other countries might support higher data rates.

The main problem with circuit-switched connections is that they are expensive if you need to make connections over long distances, with a per-minute charge that varies, depending on the destination. Therefore, the more data you have to send, the more time it will take, and the more money it will cost.

Asynchronous circuit-switched connections are typically used for home office and low-speed backup connections, as well as temporary low-speed connections for additional boosts in bandwidth when your primary link becomes congested or when it fails. ISDN (discussed in Chapter 17) provides a digital circuit-switched connection with guaranteed data rates.

With leased lines, as soon as the circuit is installed and you have configured your DTE, the line remains up unless there is a problem with the carrier’s network or the DCE equipment. This is different from circuit-switched connections. These connections are temporary—you make a phone call to the remote DTE and when the line comes up, you transmit your data. Once you are done transmitting your data, the phone connection is terminated.

Analog connections are restricted by the FCC to 53 Kbps.
If you will be using a circuit-switched analog connection, you’ll need this equipment:
■ DTE: A router with an asynchronous serial interface
■ DCE: A modem

If you will be using a circuit-switched digital connection, you’ll need this equipment:
■ DTE: A router with an ISDN interface
■ DCE: An NT1 for a BRI or a CSU/DSU for a PRI

Figure 15-3 shows an example of an analog circuit-switched connection. With this connection, you’ll typically use PPP or HDLC for the encapsulation: SLIP is rarely used.
FIGURE 15-3 Analog circuit-switched connection

Remember that circuit-switched connections are typically used to back up primary connections, provide additional bandwidth boosts, and afford remote access to dialup users.

Packet-Switched Connections
With leased lines and circuit-switched connections, a physical circuit is used to make the connection between the two sites. With a leased line, the same circuit path is always used. With circuit-switched connections, the circuit path is built every time a phone call is made, making it highly probable that the same circuit path will not be used for every phone call.

Packet-switched connections use logical circuits to make connections between two sites. These logical circuits are referred to as virtual circuits (VCs). One advantage that a logical circuit has over a physical one is that a logical circuit is not tied to any particular physical circuit. Instead, a logical circuit is built across any available physical connection. Another advantage of logical circuits is that you can build multiple logical circuits over the same physical circuit. Therefore, with a single physical connection to a carrier, you can connect to multiple sites. This is not possible with leased lines: for each location you want to connect to, you need a separate physical circuit, making the cost of the solution much higher than one that uses logical circuits. Technologies that use packet switching and logical circuits include ATM, Frame Relay, SMDS, and X.25. From a cost perspective, packet-switched solutions fall somewhere between circuit-switched solutions and leased lines.
The oldest of these four technologies is X.25, which is an ITU-T standard. X.25
is a network layer protocol that runs across both synchronous and asynchronous
physical circuits, providing a lot of flexibility for your connection options. X.25 was
actually developed to run across unreliable connections. It provides both error detection
and correction, as well as flow control, at both the data link layer (by LAPB) and the
network layer (by X.25). In this sense, it performs a function similar to what TCP, at
the transport layer, provides for IP. Because of its overhead, X.25 is best delegated to
asynchronous, unreliable connections. If you have a synchronous digital connection,
another protocol, such as ATM or Frame Relay, is much more efficient.
Frame Relay is a digital packet-switched service that can run only across synchronous digital connections at the data link layer. Because it uses digital connections (which have very few errors), it does not perform any error correction or flow control as X.25 does. Frame Relay will, however, detect errors and drop bad frames. It is up to a higher-layer protocol, such as IP’s TCP, to resend the dropped information.

If you are setting up a Frame Relay connection, you’ll need the following equipment:
■ DTE: A router with a synchronous serial interface
■ DCE: A CSU/DSU to connect to the carrier

Figure 15-4 shows an example of a Frame Relay connection. In this example, the router needs only a single physical connection to the carrier to connect to multiple sites: this is accomplished via virtual circuits. Frame Relay supports speeds from fractional T1 or E1 connections (56–64 Kbps) up to a DS3 (45 Mbps). Frame Relay is discussed in Chapter 16.

ATM and SMDS are also packet-switched technologies that use digital circuits. Unlike Frame Relay and X.25, however, these services use fixed-length (53 byte) packets, called cells, to transmit information. Therefore, these services are commonly called cell-switched services. They have an advantage over Frame Relay in that they can provide guaranteed throughput and minimal delay for a multitude of services, including voice, video, and data. However, they do cost more than Frame Relay services.

SMDS, which was developed by BellCore, is a precursor to ATM and has been replaced by the latter service. ATM (sort of an enhanced Frame Relay) can offer a connection guaranteed bandwidth, limited delay, limited number of errors, Quality of Service (QOS), and more. Frame Relay can provide some minimal guarantees to connections, but not the degree of precision that ATM can. Whereas Frame Relay is limited to 45 Mbps connections, ATM can scale to very high speeds; OC-192 (SONET), for instance, affords about 10 Gbps of bandwidth.
FIGURE 15-4 Frame Relay packet-switched connection

Remember that packet-switched and cell-switched services are typically used when a router has only a single WAN interface but needs to connect to multiple remote sites.

WAN Interfaces on Cisco Routers
Cisco supports a wide variety of serial cables for their serial router interfaces. Here are some of the cable types supported for synchronous serial interfaces: EIA/TIA-232, EIA/TIA-449, EIA/TIA-530, V.35, and X.21. The end that connects to the DCE device is defined by these standards. However, the end that connects to the Cisco router is proprietary in nature. Cisco’s cables have two different end connectors that connect to the serial interfaces of their routers:
■ DB-60: Has 60 pins
■ DB-26: Has 26 pins and is flat, like a USB cable

Note that these connectors are for synchronous serial connections. Cisco has other cable types, typically RJ-45, for asynchronous connections.
Encapsulation Methods
There are many different methods for encapsulating data for serial connections. Table 15-2 shows the most common ones. The following sections cover HDLC and PPP in more depth.

TABLE 15-2 Common Encapsulation Methods

High-Level Data Link Control (HDLC): Based on ISO standards, it is used with synchronous and asynchronous connections.
Synchronous Data Link Control Protocol (SDLC): Used in IBM SNA environments, it has been replaced by HDLC.
Link Access Procedure Balanced (LAPB): Used in X.25, it has extensive error detection and correction.
Link Access Procedure D Channel (LAPD): It is used by ISDN to signal call setup and teardown of phone connections.
Link Access Procedure Frame mode bearer services (LAPF): It is used in Frame Relay between a DTE and a DCE and is similar to LAPD.
Point-to-Point Protocol (PPP): Based on RFC standards, PPP is the most common encapsulation used for dialup. It provides for authentication, handling multiple protocols, compression, and error detection.

Synchronous serial interfaces have either a DB-60 or DB-26 connector for connecting to Cisco routers.

Know the data link encapsulation types listed in Table 15-2.
CERTIFICATION OBJECTIVE 15.02
HDLC
Based on ISO standards, the HDLC (High-Level Data Link Control) protocol can be
used with synchronous and asynchronous connections and defines the frame type and
interaction between two devices at the data link layer. The following sections cover how
Cisco implements HDLC and how it is configured on serial interfaces.
Frame Type
Cisco’s implementation of HDLC is based on ISO’s standards, but Cisco has made a change in the frame format, making it proprietary. In other words, Cisco’s HDLC will work only if the remote end also supports Cisco’s HDLC. Figure 15-5 shows examples of some WAN frame formats, including ISO’s HDLC, Cisco’s HDLC, and PPP. Notice that the main difference between ISO’s HDLC and Cisco’s frame format is that Cisco has a proprietary field. One of the problems with ISO’s HDLC is that it does not define how to carry multiple protocols across a single link, as does Cisco’s HDLC. Therefore, ISO’s HDLC is typically used on serial links where there is only a single protocol to transport. The default encapsulation on Cisco’s synchronous serial interfaces is HDLC. Actually, Cisco supports only its own implementation of HDLC.

FIGURE 15-5 WAN frame types
Configuring HDLC
As mentioned in the preceding section, the default encapsulation on Cisco’s synchronous serial interfaces is HDLC. You need to use the following configuration only if you changed the data link layer protocol to something else and then need to set it back to HDLC:

Router(config)# interface serial [module_#/]port_#
Router(config-if)# encapsulation hdlc

Notice that you must be in the serial interface to change its data link layer encapsulation. If you had a different encapsulation configured on the serial interface, executing the preceding command would set the frame format to HDLC. Note that the other side must be set to Cisco’s HDLC or the data link layer will fail on the interface.

After you have configured HDLC, use the show interfaces command to view the data link layer encapsulation:

Router# show interfaces serial 1
Serial1 is up, line protocol is up
Hardware is MCI Serial
Internet address is 192.168.2.2 255.255.255.0
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation HDLC, loopback not set, keepalive set (10 sec)
Last input 0:00:02, output 0:00:00, output hang never
Last clearing of "show interface" counters never
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
< output omitted >

Notice in this example that the physical and data link layers are up and that the encapsulation is set to HDLC (Encapsulation HDLC).

HDLC is the default encapsulation on synchronous serial interfaces of Cisco routers. Use the show interfaces command to see the encapsulation type. Use the encapsulation hdlc command to change the serial interface’s encapsulation to Cisco’s HDLC. Please note that if one router is a Cisco router and the other a non-Cisco one, the physical layer will be up, but the data link layer will fail (down).

15.01. The CD contains a multimedia demonstration of configuring HDLC on a router.
PPP
Where Cisco’s HDLC is a proprietary protocol, PPP (the Point-to-Point Protocol) is based on a standard, defined in RFCs including 1332, 1661, and 2153. PPP works with asynchronous and synchronous serial interfaces as well as High-Speed Serial Interfaces (HSSI) and ISDN interfaces (BRI and PRI). The following sections offer an overview of PPP and how to configure PPP, including authentication.

PPP Components
PPP has many more features than HDLC. Like HDLC, PPP defines a frame type and how two PPP devices communicate with each other, including the multiplexing of network and data link layer protocols across the same link. However, PPP also
■ Performs dynamic configuration of links
■ Allows for authentication
■ Compresses packet headers
■ Tests the quality of links
■ Performs error detection and correction
■ Allows multiple PPP physical connections to be bound together as a single logical connection

PPP has three main components:
■ Frame format
■ LCP (Link Control Protocol)
■ NCP (Network Control Protocol)

Each of these three components plays an important role in the setup, configuration, and transfer of information across a PPP connection. The following sections cover these components.

Memorize the preceding list of features of PPP.
Frame Type
The first component of PPP is the frame type that it uses. The frame type defines how
network layer packets are encapsulated in a PPP frame as well as the format of the PPP
frame. PPP is typically used for serial WAN connections because of its open-standard
character. It works on both asynchronous (modem) and synchronous (ISDN, point-to-
point, and HSSI) connections. If you are dialing up to your ISP, you’ll be using the PPP
protocol. PPP’s frame format is based on ISO’s HDLC, as you can see in earlier Figure 15-5.
The main difference is that the PPP frame has a protocol field, which defines the protocol
of the network layer data that is encapsulated.
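The frame layout described in this section and in the HDLC Frame Type section above, as an added illustration (not code from the study guide): it builds a PPP frame with the address, control and protocol fields and the 16-bit FCS of RFC 1662, applies the byte stuffing used on asynchronous links, and shows the FCS check a receiver runs before it trusts a frame. The protocol numbers are the standard PPP assignments; the sample LCP payload is constructed.

```python
"""PPP frames in HDLC-like framing (RFC 1662): build, stuff, check, parse.

Added example for the chapter's frame-type discussion; not the book's code.
"""
from typing import Tuple

FLAG, ESC = 0x7E, 0x7D                 # frame delimiter and escape byte
PPP_ADDRESS, PPP_CONTROL = 0xFF, 0x03  # fixed for PPP ("all stations", UI)
GOOD_FCS16 = 0xF0B8                    # register value after data + FCS

# Protocol-field values. 0xC021, 0x8021 and 0x8207 are the ones that show up
# in the chapter's "debug ppp negotiation" output (LCP, IPCP, CDPCP).
PROTOCOLS = {
    0x0021: "IP", 0x002B: "IPX", 0x0207: "CDP",
    0x8021: "IPCP", 0x802B: "IPXCP", 0x8207: "CDPCP",
    0xC021: "LCP", 0xC023: "PAP", 0xC223: "CHAP",
}


def _fcs_table() -> list:
    """Lookup table for the reflected CRC-16 (polynomial 0x8408) PPP uses."""
    table = []
    for byte in range(256):
        value = byte
        for _ in range(8):
            value = (value >> 1) ^ 0x8408 if value & 1 else value >> 1
        table.append(value)
    return table


FCSTAB = _fcs_table()


def fcs16_residue(data: bytes, fcs: int = 0xFFFF) -> int:
    """Run the FCS register over data from 0xFFFF, without the final inversion."""
    for b in data:
        fcs = (fcs >> 8) ^ FCSTAB[(fcs ^ b) & 0xFF]
    return fcs


def ppp_fcs(data: bytes) -> int:
    """FCS as transmitted: ones complement of the register (CRC-16/X-25)."""
    return fcs16_residue(data) ^ 0xFFFF


def byte_stuff(raw: bytes) -> bytes:
    """Escape flag, escape and (default ACCM) control bytes for an async link."""
    out = bytearray()
    for b in raw:
        if b in (FLAG, ESC) or b < 0x20:
            out += bytes([ESC, b ^ 0x20])
        else:
            out.append(b)
    return bytes(out)


def byte_unstuff(stuffed: bytes) -> bytes:
    """Reverse byte_stuff; a trailing escape means the frame was cut short."""
    out, escaped = bytearray(), False
    for b in stuffed:
        if escaped:
            out.append(b ^ 0x20)
            escaped = False
        elif b == ESC:
            escaped = True
        else:
            out.append(b)
    if escaped:
        raise ValueError("frame ends inside an escape sequence")
    return bytes(out)


def frame_body(protocol: int, payload: bytes) -> bytes:
    """Address, control, protocol, payload and FCS (low byte first), unstuffed."""
    body = bytes([PPP_ADDRESS, PPP_CONTROL]) + protocol.to_bytes(2, "big") + payload
    fcs = ppp_fcs(body)
    return body + bytes([fcs & 0xFF, fcs >> 8])


def build_frame(protocol: int, payload: bytes) -> bytes:
    """Complete on-the-wire frame: flag, stuffed body, flag."""
    return bytes([FLAG]) + byte_stuff(frame_body(protocol, payload)) + bytes([FLAG])


def parse_frame(frame: bytes) -> Tuple[int, str, bytes]:
    """Validate a received frame and return (protocol, name, payload)."""
    if len(frame) < 2 or frame[0] != FLAG or frame[-1] != FLAG:
        raise ValueError("missing flag delimiters")
    body = byte_unstuff(frame[1:-1])
    if len(body) < 6:
        raise ValueError("too short for address, control, protocol and FCS")
    # RFC 1662 check: the register run over body + FCS must equal 0xF0B8.
    if fcs16_residue(body) != GOOD_FCS16:
        raise ValueError("bad FCS: frame was corrupted in transit")
    if body[0] != PPP_ADDRESS or body[1] != PPP_CONTROL:
        raise ValueError("not a PPP frame (unexpected address/control)")
    protocol = int.from_bytes(body[2:4], "big")
    return protocol, PROTOCOLS.get(protocol, "unknown"), body[4:-2]


if __name__ == "__main__":
    # Constructed LCP Configure-Request carrying one Magic-Number option.
    lcp_confreq = bytes([0x01, 0x01, 0x00, 0x0A, 0x05, 0x06, 0x00, 0x4F, 0xEF, 0xE5])
    wire = build_frame(0xC021, lcp_confreq)
    print(wire.hex(), parse_frame(wire))
```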
LCP and NCP
The second and third components of PPP are LCP and NCP. LCP, defined in RFCs 1548 and 1570, has as its primary responsibility to establish, configure, authenticate, and test a PPP connection. It handles all of the up-front work in setting up a connection. Here are some of the things that LCP will negotiate when setting up a PPP connection:
■ Authentication method used (PAP or CHAP), if any
■ Compression algorithm used (Stacker or Predictor), if any
■ Callback phone number to use, if defined
■ Multilink: other physical connections to use, if configured

There are three steps that LCP and NCP go through in order to establish a PPP connection:
1. Link establishment (LCP)
2. Authentication (LCP)
3. Protocol negotiation (NCP)

The first step is the link establishment phase. In this step, LCP negotiates the PPP parameters that are to be used for the connection, which may include the authentication method and compression algorithms. If authentication has been configured, the authentication type is negotiated. This can either be PAP or CHAP. These are discussed later, in the section “PPP Authentication.” If authentication is configured and there is a match on the authentication type on both sides, then authentication is performed in the second step. If this is successful, NCP, in the third step, will negotiate the upper-layer protocols, which can include network layer protocols such as IP and IPX as well as data link layer protocols (bridged traffic, like Ethernet, and Cisco’s CDP) that will be transmitted across the PPP link.

NCP defines the process for how the two PPP peers negotiate which network layer protocols, such as IP and IPX, will be used across the PPP connection. Once LCP and NCP perform their negotiation and the connection has been authenticated (if this has been defined), the data link layer will come up.

Once a connection is enabled, LCP uses error detection to monitor dropped data on the connection as well as loops at the data link layer. The Quality and Magic Numbers protocol is used by LCP to ensure that the connection remains reliable.
Configuring PPP
The configuration of PPP is as simple as that of HDLC. To specify that PPP is to be used on a WAN interface, use the following configuration:

Router(config)# interface type [slot_#/]port_#
Router(config-if)# encapsulation ppp

As you can see, you need to specify the ppp parameter only in the encapsulation Interface Subconfiguration mode command. With the exception of authentication, other PPP options are not discussed in this book. These configuration commands are covered on Cisco’s CCNP Remote Access exam.

15.02. The CD contains a multimedia demonstration of configuring PPP on a router.
Troubleshooting PPP
Once you have configured PPP on your router’s interface, you can verify the status of the interface with the show interfaces command:

Router# show interfaces serial 0
Serial0 is up, line protocol is up
Hardware is MCI Serial
Internet address is 192.168.1.2 255.255.255.0
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation PPP, loopback not set, keepalive set (10 sec)
lcp state = OPEN
ncp ccp state = NOT NEGOTIATED ncp ipcp state = OPEN
ncp osicp state = NOT NEGOTIATED ncp ipxcp state = NOT NEGOTIATED
ncp xnscp state = NOT NEGOTIATED ncp vinescp state = NOT NEGOTIATED
ncp deccp state = NOT NEGOTIATED ncp bridgecp state = NOT NEGOTIATED
ncp atalkcp state = NOT NEGOTIATED ncp lex state = NOT NEGOTIATED
ncp cdp state = OPEN
Last input 0:00:00, output 0:00:00, output hang never
Last clearing of "show interface" counters never
< output omitted >

In the fifth line of output, you can see that the encapsulation is set to PPP. Below this is the status of LCP (lcp state = OPEN). An OPEN state indicates that LCP has successfully negotiated its parameters and brought up the data link layer. The statuses of the protocols negotiated by NCP follow. In this example, only two protocols are running across this PPP connection: IP (ncp ipcp state = OPEN) and CDP (ncp cdp state = OPEN).

LCP is responsible for negotiating and maintaining a PPP connection, including any optional authentication. NCP is responsible for negotiating upper-layer protocols that will be carried across the PPP connection.
If you are having problems with the data link layer coming up when you’ve configured PPP, you can use the following debug command to troubleshoot the connection:

Router# debug ppp negotiation
PPP protocol negotiation debugging is on
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface serial 0
Router(config-if)# no shutdown
%LINK-3-UPDOWN: Interface Serial0, changed state to up
ppp: sending CONFREQ, type = 5 (CI_MAGICNUMBER), value = 4FEFE5
PPP Serial0: received config for type = 0x5 (MAGICNUMBER) value = 0x561036 acked
PPP Serial0: state = ACKSENT fsm_rconfack(0xC021): rcvd id 0x2
ppp: config ACK received, type = 5 (CI_MAGICNUMBER), value = 4FEFE5
ipcp: sending CONFREQ, type = 3 (CI_ADDRESS), Address = 192.168.2.1
ppp Serial0: Negotiate IP address: her address 192.168.2.2 (ACK)
ppp: ipcp_reqci: returning CONFACK.
ppp: cdp_reqci: returning CONFACK
PPP Serial0: state = ACKSENT fsm_rconfack(0x8021): rcvd id 0x2
ipcp: config ACK received, type = 3 (CI_ADDRESS), Address = 192.168.2.1
PPP Serial0: state = ACKSENT fsm_rconfack(0x8207): rcvd id 0x2
ppp: cdp_reqci: received CONFACK
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up

In this example, debug was first enabled and then the serial interface was enabled. Notice that the two connected routers go through a negotiation process. They first verify their IP addresses, 192.168.2.1 and 192.168.2.2, to make sure they are not the same, and then they negotiate the protocols (ipcp_reqci and cdp_reqci). In this example, IP and CDP are negotiated and the data link layer comes up after the successful negotiation.

If one side is configured for PPP and the other side is configured with a different encapsulation type (like HDLC), the physical layer will be up, but the data link layer will be down.

15.03. The CD contains a multimedia demonstration of troubleshooting PPP on a router.
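The checks this section and the HDLC section walk through by eye (encapsulation, LCP state, which NCPs are OPEN, and the physical-up/line-protocol-down symptom of an encapsulation mismatch), as an added example that is not part of the study guide. The two transcripts are constructed in the format the chapter shows; the function name and the findings text are this example's own.

```python
"""Read the PPP/HDLC state out of `show interfaces` text and flag problems.

Added example for the chapter's troubleshooting sections; not the book's code.
"""
import re
from typing import Dict, List

# Constructed sample: PPP link with IP and CDP negotiated (as in the chapter).
SAMPLE_PPP_UP = """\
Serial0 is up, line protocol is up
Hardware is MCI Serial
Internet address is 192.168.1.2 255.255.255.0
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation PPP, loopback not set, keepalive set (10 sec)
lcp state = OPEN
ncp ccp state = NOT NEGOTIATED ncp ipcp state = OPEN
ncp osicp state = NOT NEGOTIATED ncp ipxcp state = NOT NEGOTIATED
ncp cdp state = OPEN
"""

# Constructed sample: this end runs HDLC, the far end does not agree.
SAMPLE_HDLC_MISMATCH = """\
Serial1 is up, line protocol is down
Hardware is MCI Serial
Internet address is 192.168.2.2 255.255.255.0
Encapsulation HDLC, loopback not set, keepalive set (10 sec)
"""

STATUS_RE = re.compile(
    r"^(\S+) is (up|down|administratively down), line protocol is (up|down)", re.M)
ENCAP_RE = re.compile(r"^\s*Encapsulation (\S+?),", re.M)
LCP_RE = re.compile(r"\blcp state = ([A-Z]+)")
# Two "ncp X state = Y" entries can share one line; Y may be two words.
NCP_RE = re.compile(r"\bncp (\w+) state = ([A-Z]+(?: [A-Z]+)*)")


def analyze_show_interfaces(text: str) -> Dict[str, object]:
    """Return the parsed interface state plus a list of findings to act on."""
    status = STATUS_RE.search(text)
    if status is None:
        raise ValueError("no '<interface> is ..., line protocol is ...' line found")
    name, physical, protocol = status.groups()
    encap_m = ENCAP_RE.search(text)
    encap = encap_m.group(1) if encap_m else "unknown"
    lcp_m = LCP_RE.search(text)
    lcp_state = lcp_m.group(1) if lcp_m else None
    ncp_states = dict(NCP_RE.findall(text))

    findings: List[str] = []
    if physical == "up" and protocol == "down":
        # The chapter's diagnosis: layer 1 fine, layer 2 failing.
        findings.append(
            "layer 1 is up but layer 2 is down: confirm the far end uses the same "
            "encapsulation as this interface (%s)" % encap)
    if encap == "PPP" and lcp_state not in (None, "OPEN"):
        findings.append(
            "LCP is in state %s, not OPEN: use 'debug ppp negotiation'" % lcp_state)
    if physical == "administratively down":
        findings.append("interface is shut down; 'no shutdown' is needed first")

    return {
        "interface": name,
        "physical_up": physical == "up",
        "line_protocol_up": protocol == "up",
        "encapsulation": encap,
        "lcp_state": lcp_state,
        "open_ncps": sorted(p for p, s in ncp_states.items() if s == "OPEN"),
        "findings": findings,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_PPP_UP, SAMPLE_HDLC_MISMATCH):
        print(analyze_show_interfaces(sample))
```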
PPP Authentication
PPP, unlike HDLC, supports device authentication. You have two methods to choose from to implement authentication: the Password Authentication Protocol (PAP) and the Challenge Handshake Authentication Protocol (CHAP). Both of these authentication methods are defined in RFC 1334; RFC 1994 replaces the CHAP component of RFC 1334. Authentication takes place after LCP has established the data link but before the network layer protocols are negotiated by NCP. If the authentication fails, PPP never reaches the NCP phase and the line protocol on the serial interface stays down. Authentication is optional and adds very little overhead to the connection. As you will see in the following PAP and CHAP sections, the setup and troubleshooting of PAP and CHAP are easy.
PAP
Of the two PPP authentication protocols, PAP is the simplest, but the least secure. During the authentication phase, PAP goes through a two-way handshake process. In this process, the source sends its username (or hostname) and password, in clear text, to the destination in an Authenticate-Request. The destination compares this information with a list of locally stored usernames and passwords. If it finds a match, the destination sends back an accept message (Authenticate-Ack). If it doesn't find a match, it sends back a reject message (Authenticate-Nak). The top part of Figure 15-6 shows an example of PAP authentication.
Use the encapsulation ppp command to change a serial interface's encapsulation to PPP. When you look at the output of the show interfaces command, any protocol listed as "OPEN" has been negotiated correctly. If you are having problems with the LCP negotiation, use the debug ppp negotiation command.
The configuration of PAP is straightforward. First, you need to determine which side will be the client side (sends the username and password) and which will be the server side (validates the username and password). To configure PAP for a PPP client, use this configuration:
Router(config)# interface type [slot_#/]port_#
Router(config-if)# encapsulation ppp
Router(config-if)# ppp pap sent-username your_hostname password password
The first thing you must do on the router’s interface is to define the encapsulation
type as PPP. Second, you must specify that PAP will be used for authentication and
provide the username and password that will be used to perform the authentication on
the server side. This is accomplished with the ppp pap sent-username command.
To configure the server side of a PPP PAP connection, use the following configuration:
Router(config)# hostname your_router's_hostname
Router(config)# username remote_hostname password matching_password
Router(config)# interface type [slot_#/]port_#
Router(config-if)# encapsulation ppp
Router(config-if)# ppp authentication pap
FIGURE 15-6 PAP and CHAP authentication
The first thing you must do is to give your router a unique hostname. Second, you must list the remote hostnames and the passwords these remote hosts will use when authenticating to your router. This is accomplished with the username command. Please note that the password you configure on this side must match the password the remote side sends with its ppp pap sent-username command. On your router's WAN interface, you need to enable PPP with the encapsulation ppp command. Then, you can specify PAP authentication with the ppp authentication pap command.
The previous client and server code listings perform a one-way authentication: the client authenticates to the server and not vice versa. If you want to perform two-way authentication, where each side must authenticate to the other side, then configure both devices as PAP servers and clients, that is, put a username entry and ppp authentication pap on both routers, and ppp pap sent-username on both serial interfaces.
15.04. The CD contains a multimedia demonstration of configuring PPP
authentication using PAP on a router.
CHAP
One big problem with PAP is that it sends the username and password across the WAN connection in clear text. If someone is tapping into the WAN connection and eavesdropping on the PPP communication, they'll see the actual password that is being used. In other words, PAP is not a secure method of authentication.
CHAP, on the other hand, never sends the password across the wire. Instead, it uses a one-way hash function based on the Message Digest 5 (MD5) hashing algorithm: the password is combined with a random challenge and hashed, and only this hash value is sent. Because MD5 is a one-way function, anyone tapping the wire cannot work backwards from the hash to the original password. Be aware of the limitation, though: an eavesdropper who captures the challenge and the response can test candidate passwords offline until one produces the same hash, so CHAP is only as strong as the shared secret you choose. Use long, random secrets, and remember that CHAP protects the password only during authentication; the data that follows on the link is still sent in the clear.
CHAP uses a three-way handshake process to perform the authentication. The bottom part of Figure 15-6 shows the CHAP authentication process. First, the destination (the authenticator) sends a challenge, which carries a random value it generated. The challenge contains the following information:
Packet Identifier Set to 01 for a challenge, 02 for the response to a challenge, 03 for allowing the PPP connection (success), and 04 for denying the connection (failure)
ID A local sequence number assigned by the challenger to distinguish among multiple authentication processes
Random number The random value used in the MD5 hash function
Router name The name of the challenging router (the server), which is used by the source to find the appropriate password to use for authentication
Second, the source uses the router name in the challenge to look up the matching password, runs the ID, that password and the random value through the MD5 hashing function (RFC 1994 hashes exactly these three items, in that order), and sends the result back in a response packet together with its own username (never its password). Third, the destination uses the username in the response to look up the password it has stored for the source, computes the same hash over the same ID, password and random value, and compares it to the value it received. If the two values match, then the password used by the source must have been the same as the one stored on the destination, and the destination sends a success packet and permits the connection; otherwise it sends a failure packet. Because the destination must compute the same hash, it needs the shared secret itself rather than an irreversible hash of it, which is why the CHAP password is stored with the username ... password command.
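The PAP two-way handshake and the CHAP three-way handshake described above, as an added example that is not code from the book or from Cisco IOS: a small Python model of both sides of each exchange, showing what an eavesdropper sees on the wire in each case. The router names, the credential tables and the password richard are constructed; the CHAP hash follows RFC 1994 (MD5 over the identifier, the secret and the challenge value). The last function demonstrates the caveat from the text: with a captured challenge and response, candidate secrets can be tested offline.

```python
"""Added example (not from the book): a stand-alone model of the PAP two-way
handshake and the CHAP three-way handshake.  Names and credentials are
constructed; the hash construction is the one RFC 1994 specifies."""
import hashlib
import hmac
import os

# Constructed credential tables, standing in for the IOS
# "username <remote_hostname> password <password>" entries on each router.
ROUTER_A_DB = {"RouterB": "richard"}
ROUTER_B_DB = {"RouterA": "richard"}

# CHAP codes (RFC 1994): 1 Challenge, 2 Response, 3 Success, 4 Failure.
# PAP codes (RFC 1334): 1 Authenticate-Request, 2 Ack, 3 Nak.

def pap_request(username, password):
    """Client side of PAP: the credentials themselves go on the wire."""
    return {"code": 1, "peer_id": username, "password": password}

def pap_check(request, local_db):
    """Server side of PAP: compare against the local username table."""
    ok = local_db.get(request["peer_id"]) == request["password"]
    return {"code": 2 if ok else 3}

def chap_hash(ident, secret, challenge_value):
    """RFC 1994: MD5 over Identifier || secret || challenge value."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge_value).digest()

def chap_challenge(authenticator_name, ident, rng=os.urandom):
    """Step 1: the authenticator sends a random value plus its own name."""
    return {"code": 1, "id": ident, "value": rng(16), "name": authenticator_name}

def chap_response(challenge, my_name, my_db):
    """Step 2: the peer picks the secret for the challenger's name, hashes,
    and replies with the hash and its own name (the secret is never sent)."""
    secret = my_db[challenge["name"]]
    digest = chap_hash(challenge["id"], secret, challenge["value"])
    return {"code": 2, "id": challenge["id"], "value": digest, "name": my_name}

def chap_verify(challenge, response, local_db):
    """Step 3: the authenticator recomputes the hash with the secret it has
    stored for the responder's name and answers Success (3) or Failure (4)."""
    secret = local_db.get(response["name"])
    if secret is None or response["id"] != challenge["id"]:
        return {"code": 4}
    expected = chap_hash(challenge["id"], secret, challenge["value"])
    return {"code": 3 if hmac.compare_digest(expected, response["value"]) else 4}

def run_pap(client_name, client_pw, server_db):
    """One direction of PAP.  Returns (accepted, what_the_wire_shows)."""
    req = pap_request(client_name, client_pw)
    reply = pap_check(req, server_db)
    return reply["code"] == 2, req["password"]

def run_chap(peer_name, peer_db, auth_name, auth_db, ident=2):
    """One direction of CHAP (auth_name challenges peer_name).
    Returns (accepted, what_the_wire_shows): only a hex digest is visible."""
    chal = chap_challenge(auth_name, ident)
    resp = chap_response(chal, peer_name, peer_db)
    result = chap_verify(chal, resp, auth_db)
    return result["code"] == 3, resp["value"].hex()

def chap_offline_guess(challenge, response, candidates):
    """The caveat: a captured challenge/response pair lets an eavesdropper
    test candidate secrets offline.  Returns the matching secret or None."""
    for guess in candidates:
        if chap_hash(challenge["id"], guess, challenge["value"]) == response["value"]:
            return guess
    return None

if __name__ == "__main__":
    print("PAP  A->B:", run_pap("RouterA", "richard", ROUTER_B_DB))
    print("CHAP A->B:", run_chap("RouterB", ROUTER_B_DB, "RouterA", ROUTER_A_DB))
    print("CHAP, peer has wrong secret:",
          run_chap("RouterB", {"RouterA": "wrong"}, "RouterA", ROUTER_A_DB)[0])
    chal = chap_challenge("RouterA", 2)
    resp = chap_response(chal, "RouterB", ROUTER_B_DB)
    print("offline guess from captured pair:",
          chap_offline_guess(chal, resp, ["cisco", "richard"]))
```

Run it as a script to see the two exchanges side by side: the PAP run returns the password itself as the wire-visible value, the CHAP run returns only a digest, and the final call shows that a weak secret is still recoverable from a captured challenge/response pair by guessing.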
The following configuration shows how to set up two-way CHAP authentication:
Router(config)# hostname your_router's_hostname
Router(config)# username remote_hostname password matching_password
Router(config)# interface type [slot_#/]port_#
Router(config-if)# encapsulation ppp
Router(config-if)# ppp authentication chap
Notice that this is the same configuration as used on the PPP PAP server side. There is no equivalent of the ppp pap sent-username command: CHAP uses the router's hostname as its username and takes the password from the username entry for the challenging router. The only difference is that the chap parameter is specified in the ppp authentication command. For two-way authentication, each router needs a username entry for the other router's hostname, and the passwords in those two entries must be identical.
Actually, here is the full syntax of the PPP authentication command:
Router(config-if)# ppp authentication chap|pap|chap pap|pap chap
If you specify pap chap or chap pap, the router will negotiate both authentication
parameters in the order that you specified them. For example, if you configure chap
pap, your router will first try to negotiate CHAP; if this fails, then it will negotiate PAP.

15.05. The CD contains a multimedia demonstration of configuring PPP
authentication using CHAP on a router.
Troubleshooting Authentication
To determine if authentication was successful, use the show interfaces command:
Router# show interfaces serial 0
Serial0 is up, line protocol is down
Hardware is MCI Serial
Internet address is 192.168.1.2 255.255.255.0
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 254/255, load 1/255
Encapsulation PPP, loopback not set, keepalive set (10 sec)
lcp state = ACKRCVD
ncp ccp state = NOT NEGOTIATED ncp ipcp state = CLOSED
ncp osicp state = NOT NEGOTIATED ncp ipxcp state = NOT NEGOTIATED
ncp xnscp state = NOT NEGOTIATED ncp vinescp state = NOT NEGOTIATED
ncp deccp state = NOT NEGOTIATED ncp bridgecp state = NOT NEGOTIATED
ncp atalkcp state = NOT NEGOTIATED ncp lex state = NOT NEGOTIATED
ncp cdp state = CLOSED
Last input 0:00:01, output 0:00:01, output hang never
< output omitted >
Notice the lcp state in this example: it's not OPEN. Also, notice the states for IP and CDP: CLOSED. These things indicate that there is something wrong with the LCP setup process, which includes the authentication phase. In this example, the CHAP passwords on the two routers didn't match.
Of course, looking at the preceding output, you
don’t really know that this was an authentication problem. To determine this, use the
debug ppp authentication command. Here’s an example of the use of this
command with two-way CHAP authentication:
RouterA# debug ppp authentication
%LINK-3-UPDOWN: Interface Serial0, changed state to up
Se0 PPP: Treating connection as a dedicated line
Se0 PPP: Phase is AUTHENTICATING, by both
Se0 CHAP: O CHALLENGE id 2 len 28 from "RouterA"
Se0 CHAP: I CHALLENGE id 3 len 28 from "RouterB"
Se0 CHAP: O RESPONSE id 3 len 28 from "RouterA"
Se0 CHAP: I RESPONSE id 2 len 28 from "RouterB"
Se0 CHAP: O SUCCESS id 2 len 4
Se0 CHAP: I SUCCESS id 3 len 4
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up
In this example, notice that both routers—RouterA and RouterB—are using
CHAP for authentication. Both routers send a CHALLENGE, and both receive a
corresponding RESPONSE. Notice the I and O following Se0 CHAP: This indicates
the direction of the CHAP message. I is for in and O is for out. Following this is the
status of the hashed passwords: SUCCESS. And last, you can see the data link layer
coming up for the serial interface.
Remember how to use the show interfaces command when troubleshooting PPP connections.
Here's an example of a router using PAP with two-way authentication:
RouterA# debug ppp authentication
%LINK-3-UPDOWN: Interface Serial0, changed state to up
Se0 PPP: Treating connection as a dedicated line
Se0 PPP: Phase is AUTHENTICATING, by both
Se0 PAP: O AUTH-REQ id 2 len 18 from "RouterA"
Se0 PAP: I AUTH-REQ id 3 len 18 from "RouterB"
Se0 PAP: Authenticating peer RouterB
Se0 PAP: O AUTH-ACK id 2 len 5
Se0 PAP: I AUTH-ACK id 3 len 5
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up
In this example, notice that the authentication messages are different. AUTH-REQ is the Authenticate-Request sent by the side presenting its username and password (the PAP client role), and AUTH-ACK is the acknowledgment sent by the side that found a matching username entry (the PAP server role). Since each router both sends (O) and receives (I) an AUTH-REQ, both routers are set up as PAP client and server.
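Reading these debug listings by hand is fine for two lines, but the point of the I and O markers and the message names is that the outcome can be attributed to a side mechanically. The following is an added example, not code from the book or from Cisco: a Python classifier for debug ppp authentication output. The first two samples are the book's CHAP and PAP listings reproduced as input; the third is constructed, and the text of its FAILURE line after the id is an assumption about the IOS message format. The rule it applies is the one stated above: the side that sends the CHALLENGE, SUCCESS/FAILURE or AUTH-ACK/AUTH-NAK is the verifier, and the side that sends a PAP AUTH-REQ is the one being verified.

```python
"""Added example (not from the book): classify the result of a PPP
authentication exchange from "debug ppp authentication" lines so that a
failure is attributed to the right side."""
import re
from collections import defaultdict

LINE = re.compile(r"^(?P<intf>\S+) (?P<proto>CHAP|PAP): (?P<dir>[IO]) (?P<msg>[A-Z-]+)\b")

def role_of(direction, msg):
    """Map one CHAP/PAP message to (role, state) from the local router's view
    (O = we sent it, I = we received it); None for messages that carry no
    outcome (RESPONSE).  The verifier sends CHALLENGE, SUCCESS/FAILURE and
    AUTH-ACK/AUTH-NAK; the PAP requester is the side being verified."""
    we_verify = "local_verifies_peer" if direction == "O" else "peer_verifies_local"
    they_verify = "peer_verifies_local" if direction == "O" else "local_verifies_peer"
    if msg == "CHALLENGE":
        return we_verify, "pending"
    if msg == "AUTH-REQ":
        return they_verify, "pending"
    if msg in ("SUCCESS", "AUTH-ACK"):
        return we_verify, "success"
    if msg in ("FAILURE", "AUTH-NAK"):
        return we_verify, "failure"
    return None

def parse_auth_debug(lines):
    """Return {interface: {"local_verifies_peer": state, "peer_verifies_local": state}}
    with state one of "not-seen", "pending", "success", "failure"."""
    result = defaultdict(lambda: {"local_verifies_peer": "not-seen",
                                  "peer_verifies_local": "not-seen"})
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # LINK/LINEPROTO and "PPP: Phase is ..." lines carry no outcome
        mapped = role_of(m.group("dir"), m.group("msg"))
        if mapped:
            role, state = mapped
            result[m.group("intf")][role] = state
    return dict(result)

def diagnose(states):
    """One sentence per interface telling the operator where to look."""
    lvp, pvl = states["local_verifies_peer"], states["peer_verifies_local"]
    if lvp == "failure":
        return "peer rejected here: the peer's secret differs from this router's username entry for it"
    if pvl == "failure":
        return "rejected by peer: this router's secret differs from the peer's username entry for it"
    if "pending" in (lvp, pvl):
        return "exchange incomplete: check that both sides use the same method (chap/pap)"
    if "success" in (lvp, pvl):
        return "authentication succeeded"
    return "no authentication exchange seen"

# The book's CHAP and PAP listings, reproduced as sample input.
CHAP_OK = [
    '%LINK-3-UPDOWN: Interface Serial0, changed state to up',
    'Se0 PPP: Treating connection as a dedicated line',
    'Se0 PPP: Phase is AUTHENTICATING, by both',
    'Se0 CHAP: O CHALLENGE id 2 len 28 from "RouterA"',
    'Se0 CHAP: I CHALLENGE id 3 len 28 from "RouterB"',
    'Se0 CHAP: O RESPONSE id 3 len 28 from "RouterA"',
    'Se0 CHAP: I RESPONSE id 2 len 28 from "RouterB"',
    'Se0 CHAP: O SUCCESS id 2 len 4',
    'Se0 CHAP: I SUCCESS id 3 len 4',
    '%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up',
]
PAP_OK = [
    'Se0 PPP: Phase is AUTHENTICATING, by both',
    'Se0 PAP: O AUTH-REQ id 2 len 18 from "RouterA"',
    'Se0 PAP: I AUTH-REQ id 3 len 18 from "RouterB"',
    'Se0 PAP: Authenticating peer RouterB',
    'Se0 PAP: O AUTH-ACK id 2 len 5',
    'Se0 PAP: I AUTH-ACK id 3 len 5',
]
# Constructed: our challenge to the peer fails.  The text after the id on the
# FAILURE line is an assumed shape of the IOS message, not copied from a device.
CHAP_PEER_WRONG = [
    'Se0 PPP: Phase is AUTHENTICATING, by both',
    'Se0 CHAP: O CHALLENGE id 5 len 28 from "RouterA"',
    'Se0 CHAP: I CHALLENGE id 7 len 28 from "RouterB"',
    'Se0 CHAP: O RESPONSE id 7 len 28 from "RouterA"',
    'Se0 CHAP: I RESPONSE id 5 len 28 from "RouterB"',
    'Se0 CHAP: O FAILURE id 5 len 25 msg is "MD/DES compare failed"',
]

if __name__ == "__main__":
    for name, sample in (("CHAP ok", CHAP_OK), ("PAP ok", PAP_OK), ("CHAP fail", CHAP_PEER_WRONG)):
        for intf, states in parse_auth_debug(sample).items():
            print(f"{name:10} {intf}: {states} -> {diagnose(states)}")
```

The classifier keys on message direction rather than on the id field, because the verifier is always the side that emits the success or failure message, whereas the ids in a two-way exchange belong to two independent sequences and are easy to misread.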
15.06. The CD contains a multimedia demonstration of troubleshooting PPP
authentication on a router.
EXERCISE 15-1
ON THE CD
Configuring PPP
These last few sections dealt with the configuration of PPP on IOS routers. This exercise will help you reinforce this material by configuring PPP and authentication. You'll perform this lab using Boson's NetSim™ simulator. This exercise has you first verify network connectivity between two routers (2600 and 2500) over their existing HDLC link. Following this, you'll change the encapsulation to PPP and configure CHAP authentication. After starting up the simulator, click on the LabNavigator button. Next, double-click on Exercise 15-1 and click on the Load Lab button. This will load the lab configuration based on Chapter 5's and 7's exercises.
PAP authentication sends the username and password across the wire in clear text. CHAP doesn't send the password in clear text; instead, a hashed value from the MD5 algorithm is sent. PAP uses a two-way handshake, while CHAP uses a three-way handshake. Use the ppp authentication command to specify which PPP authentication method to use. The username command allows you to build a local authentication table, which lists the remote names and passwords to use for authentication. The debug ppp authentication command can help you troubleshoot PPP problems; be familiar with the output of this command.
1. Check network connectivity between the two routers.
At the top of the simulator in the menu bar, click on the eRouters icon and
choose 2600. From the 2600 router, verify the status of the serial interface:
show interface s0. Make sure the encapsulation is HDLC. From the 2600
router, ping the 2500: ping 192.168.2.2. The ping should be successful.
2. On the 2600 router, make sure its hostname is 2600. On the 2500 router, make
sure its hostname is 2500.
At the top of the simulator in the menu bar, click on the eRouters icon and
choose 2600. On the 2600, examine the prompt. If the name of the router
isn’t 2600, change it: hostname 2600. At the top of the simulator in the
menu bar, click on the eRouters icon and choose 2500. On the 2500, examine
the prompt. If the name of the router isn’t 2500, change it: hostname 2500.
3. On the 2600 router, set up PPP as the encapsulation on the serial0 interface.
At the top of the simulator in the menu bar, click on the eRouters icon and
choose 2600. On the 2600, enter the serial interface: configure terminal
and interface serial 0. Set up PPP as the data link frame type:
encapsulation ppp and end. View the status of the interface: show
interface serial 0. The physical layer should be up and the data link
layer should be down—the 2500 still has HDLC configured. Also, examine
the output of the show command to verify that the encapsulation is PPP.
4. On the 2500 router, set up PPP as the encapsulation on the serial0 interface.
At the top of the simulator in the menu bar, click on the eRouters icon and
choose 2500. On the 2500, enter the serial interface: configure terminal
and interface serial 0. Set up PPP as the data link frame type:
encapsulation ppp and end. View the status of the interface: show
interface serial 0. The physical and data link layers should be up
(this should also be true on the 2600 router). Also check to make sure the
encapsulation is PPP.

5. Set up PPP CHAP authentication on the 2600. Use a password of richard. Test the authentication.
At the top of the simulator in the menu bar, click on the eRouters icon and choose 2600. Access Configuration mode: configure terminal. On the 2600, set up your username and password: username 2500 password richard. Enter the serial interface: interface serial 0. Set the authentication to CHAP: ppp authentication chap. Shut down the interface: shutdown. Bring the interface back up: no shutdown. Exit Configuration mode: end. Examine the status of the interface: show interface serial 0. The data link layer should be down, and the LCP state should be ACKRCVD, because the 2500 has no username entry for the 2600 yet and cannot answer the challenge correctly. Please note that you don't really need to bring the interface down and back up, because after a period of time LCP will notice the new authentication configuration and renegotiate the link.
6. Set up PPP CHAP authentication on the 2500. Use a password of richard. Test the authentication. Test the connection.
At the top of the simulator in the menu bar, click on the eRouters icon and choose 2500. Access Configuration mode: configure terminal. On the 2500, set up your username and password: username 2600 password richard. Enter the serial interface: interface serial 0. Set the authentication to CHAP: ppp authentication chap. Shut down the interface: shutdown. Bring the interface back up: no shutdown. Exit Configuration mode: end. Examine the status of the interface: show interface serial 0. The data link layer should come up and the LCP should be OPEN. IP and CDP should be the two protocols in an OPEN state. Ping the 2600: ping 192.168.2.1. The ping should be successful.
EXERCISE 15-2
ON THE CD
Basic PPP Troubleshooting
This chapter dealt with HDLC and PPP. This exercise is a troubleshooting exercise and
differs from the exercise you performed earlier in this chapter. In that exercise, you set
up a PPP CHAP connection between the 2500 and 2600 routers. In this exercise, the
network is already configured; however, there are three problems in this network you’ll
need to find and fix in order for it to operate correctly. All of these problems deal with
connectivity between the 2500 and 2600 routers. You’ll perform this exercise using Boson’s
NetSim™ simulator. You can find a picture of the network diagram for Boson’s NetSim™
simulator in the Introduction of this book. The addressing scheme is the same. After
starting up the simulator, click on the LabNavigator button. Next, double-click on
Exercise 15-2 and click on the Load Lab button. This will load the lab configuration
based on Chapter 5 and 7’s exercises.
Let's start with your problem: the PPP data link layer between the 2500 and 2600 won't come up. Your task is to figure out what the three problems are and fix them. I recommend that you try this troubleshooting process on your own at first; if you experience difficulties, return to the steps and solutions provided here.
1. Examine the status of the serial interface on the 2600.
At the top of the simulator in the menu bar, click on the eRouters icon and choose 2600. Examine serial0: show interfaces serial0. Note that the interface is down and down. This indicates a physical layer problem.
2. Check the status of serial0 on the 2500.
At the top of the simulator in the menu bar, click on the eRouters icon and
choose 2500. Examine the status of the interface: show interfaces
serial0. Notice that the interface is administratively down. Activate
the interface: configure terminal, no shutdown, and end. Examine the
status of the interface: show interfaces serial0. Notice that the status
of the interface is up and down, indicating that there is a problem with the
data link layer. Notice that the encapsulation, though, is set to PPP.
3. Check the 2600's serial encapsulation and the rest of its configuration.
Examine the status of the interface: show interfaces serial0. Notice that the status of the interface is up and down, indicating that there is a problem with the data link layer. Notice that the encapsulation, though, is set to PPP. Since both sides are set to PPP, the next thing to suspect is an authentication problem. Examine the 2600's active configuration: show running-config. CHAP is configured for authentication on serial0. Notice, though, that the username command lists the 2600's own hostname instead of the 2500's, so the 2600 has no entry to validate the 2500 against. Fix this by doing the following: configure terminal, no username 2600 password cisco, username 2500 password cisco, and end. Re-examine the router's configuration: show running-config. Examine the status of the interface: show interfaces serial0. The data link layer is still down, so there must be a problem on the 2500 router.
4. Access the 2500 router and determine the PPP problem.
At the top of the simulator in the menu bar, click on the eRouters icon and
choose 2500. Examine the active configuration: show running-config.
The username command is correct, with the 2600’s hostname and a password
of cisco. However, there is a problem with the PPP authentication method on
the serial interface: it’s set to PAP. Fix this problem: configure terminal,