Point-to-Point protocol is a Data Link layer protocol that can be used over asynchronous serial (dial-up) and synchronous serial (ISDN) media and uses the LCP (Link Control Protocol) to build and maintain data-link connections.  The basic purpose of PPP is to transport layer-3 packets over a Data Link layer point-to-point link.  PPP consists of two main components, LCP (Link Control Protocol - used to establish, configure, test, maintain, and terminate the point-to-point connection) and a family of NCPs (Network Control Protocols) for establishing and configuring different Network layer protocols -- PPP is designed to allow the simultaneous use of multiple Network layer protocols.

The PPP Model
Higher-Layer Protocols
Network Control Protocol (NCP)

(specific to each Network-Layer Protocol)

Examples are:

IPCP - Internet Protocol Control Protocol.
IPXCP - Internetwork Packet Exchange Control Protocol.
BCP - Bridge Control Protocol.
Link Control Protocol (LCP)
High Level Data Link Control (HDLC)
Physical Layer (such as EIA/TIA-232, V.24, V.35)
  • Network Control Protocol (NCP)---A PPP protocol for negotiating OSI Layer 3 (the network layer) parameters.
  • Link Control Protocol (LCP)---A protocol that establishes, configures, and tests data link connections used by the PPP.
  • High Level Data Link Control (HDLC)---A method for encapsulating datagrams over serial links.
  • Physical layer ---PPP is capable of operating across any DTE/DCE interface.  Examples include EIA/TIA-232-C, EIA/TIA-422, EIA/TIA-423, and ITU-T V.35.  The only absolute requirement imposed by PPP is the provision of a duplex circuit, either dedicated or switched, that can operate in either an asynchronous or synchronous bit-serial mode, transparent to PPP link-layer frames.  PPP doesn't impose any restrictions regarding transmission rate other than those imposed by the particular DTE/DCE interface in use.

PPP Link-Control Protocol

The PPP LCP provides a method of establishing, configuring, maintaining, and terminating the point-to-point connection.  LCP goes through four distinct phases.

  1. First, link establishment and configuration negotiation occurs.  Before any Network layer datagrams (e.g. IP) can be exchanged, LCP first must open the connection and negotiate configuration parameters.  This phase is complete when a configuration-acknowledgment frame has been both sent and received.
  2. This is followed by link-quality determination.  LCP allows an optional link-quality determination phase following the link-establishment and configuration-negotiation phase.  In this phase, the link is tested to determine whether the link quality is sufficient to bring up Network layer protocols.  This phase is optional.  LCP can delay transmission of Network layer protocol information until this phase is complete.
  3. At this point, Network layer protocol configuration negotiation occurs.  After LCP has finished the link-quality determination phase, Network layer protocols can be configured separately by the appropriate NCP and can be brought up and taken down at any time.  If LCP closes the link, it informs the Network layer protocols so they can take appropriate action.
  4. Finally, link termination occurs.  LCP can terminate the link at any time.  This usually will be done at the request of a user, but can happen because of a physical event, such as the loss of carrier or the expiration of an idle-period timer.
Three classes of LCP frames exist.
  • Link-establishment frames are used to establish and configure a link.
  • Link-termination frames are used to terminate a link.
  • Link maintenance frames are used to manage and debug a link.

Link Control Protocol offers PPP encapsulation different options, including the following:

  • Authentication ---Authentication options include PAP and CHAP.
  • Compression ---Data compression increases the throughput on a network link, by reducing the amount of data that must be transmitted.
  • Error Detection ---Quality and Magic numbers are used by PPP to ensure a reliable, loop-free data link.
  • Multilink ---Supported in IOS 11.1 and later, multilink is supported on PPP links between Cisco routers.  This splits the load for PPP over two or more parallel circuits and is called a bundle.
LCP Configuration Options
Option Function Protocol Command
Authentication Requires a password >>
Performs a challenge handshake >>
ppp authentication pap
ppp authentication chap
Compression Compresses data at the source>>
Reproduces data at the destination >>
ppp compress stacker
ppp compress predictor
Error Detection Monitors the data dropped on the link, avoids frame looping Quality, Magic Number ppp quality <number 1-100>
Multilink Performs load balancing across multiple links MP ppp multilink

PPP Session Establishment

  • Link-establishment phase ---LCP packets are sent by each PPP device to configure and test the link.  LCP packets contain a Configuration Option field that allows devices to negotiate on the use of options such as:
    • Maximum Receive Unit (MRU).
    • Compression of certain PPP fields.
    • Link authentication protocol.
    If a value for a Configuration Option isn't set, the default is used.
  • Authentication phase (optional) ---The peer may be authenticated after the link has been established, using the authentication protocol decided on (CHAP or PAP).  If authentication is used, it must take place prior to starting the Network layer phase.
  • Network layer protocol phase --- In this phase, the PPP devices send NCP packets to choose and configure one or more network layer protocols (such as IP, IPX, or AppleTalk).  Once each of the chosen Network layer protocols has been configured, datagrams from each Network layer protocol can be sent over the PPP link.

PPP Authentication Methods

  • Password Authentication Protocol (PAP)
          PAP provides a simple method for a remote node to establish its identity using a two-way handshake.  This is done only upon initial link establishment.  After the PPP link establishment phase is complete, a username/password pair is repeatedly sent by the remote node until authentication is acknowledged, or the connection is terminated.

    Passwords are sent across the link in plain text and there is no protection from playback or trail-and-error attacks.  The remote node is in control of the frequency and timing of the login attempts.  If the local host rejects the username and password the connection is terminated.

  • Challenge and Handshake Protocol (CHAP)
          CHAP is used to periodically verify the identity of the remote node using a 3-way handshake.  This is done upon initial link establishment and can be repeated any time after the link has been established.  After the PPP link establishment phase is complete, the host sends a challenge messages to the remote node.  The remote node responds with a value calculated using a one-way hash function (typically MD5).  The host checks the response against its own calculation of the expected hash value.  If the values match, the authentication is acknowledged.  Otherwise, the connection is terminated.

    CHAP provides protection against playback attack through the use of a variable challenge value that is unique and unpredictable.  The use of repeated challenges is intended to limit the time of exposure to any single attack.  The host is in control of the frequency and timing of the challenges.

Configuring PPP on a Cisco Router

Follow these commands to configure PPP on a Cisco router.

   Router3#conf t
   Enter configuration commands, one per line.  End with CNTL/Z.
   Router3(config)#int s0
   Router3(config-if)#encapsulation ppp
   Router3(config)#username Router2 password 12pass34

After you set the encapsulation to PPP, you have to exit to global configuration mode and set the username and password.  The username is the hostname of the remote host connecting via PPP on the serial line; the password and encapsulation type must be the same for both routers.

Setting PPP Authentication

Using authentication with PPP is optional, therefore you must specifically configure PPP authentication on each PPP host in order for the host to utilize PPP.

CHAP and PAP are specified in RFC 1334. These protocols are supported on synchronous and asynchronous serial interfaces.  When using CHAP or PAP authentication, each router identifies itself by a name. This identification process prevents a router from placing another call to a router to which it is already connected, and also prevents unauthorized access.  Access control using CHAP or PAP is available on all serial interfaces that use PPP encapsulation.  The authentication feature reduces the risk of security violations on your router.  You can configure either CHAP or PAP for the interface.  Note, to use CHAP or PAP, you must be running PPP encapsulation.  Follow these commands to configure PPP authentication on a Cisco router.

Command Syntax:
   ppp authentication {chap | chap pap | pap chap | pap}
Configure Identification

Add a username entry for each remote system from which the local router requires authentication.  To specify the password to be used in CHAP or PAP caller identification, perform the following task in global configuration mode:

Command Syntax:
   username name password secret  
   Router3(config)#interface serial0
   Router3(config-if)#ppp authentication chap pap
   Router3(config)#username Router_2 password 123pass321

This tells the router to first use CHAP and then go to PAP if CHAP isn't available (only uses one) and allows it to setup a connection to Router_2. The syntax for this command came from the Cisco documentation CD.

Verifying PPP encapsulation

Use the show interface [type#] command to view interface encapsulation type

   Router3#show interface serial0
   Serial0 is up, line protocol is up
   Hardware is HD64570
   Internet address is
     MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
     Encapsulation PPP, loopback not set, keepalive set (10 sec)
     LCP Open
	 Listen: IPXCP
     Open: IPCP, CDPCP
     Last input 00:00:09, output 00:00:12, output hang never
     Last clearing of "show interface" counters never
     Input queue: 0/75/0 (size/max/drops); Total output drops: 0
     Queueing strategy: weighted fair
     Output queue: 0/1000/64/0 (size/max total/threshold/drops)
        Conversations  0/1/256 (active/max active/max total)
        Reserved Conversations 0/0 (allocated/max allocated)
     5 minute input rate 0 bits/sec, 0 packets/sec
     5 minute output rate 0 bits/sec, 0 packets/sec
        1921 packets input, 136287 bytes, 0 no buffer
        Received 1301 broadcasts, 0 runts, 0 giants, 0 throttles
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        2165 packets output, 100238 bytes, 0 underruns
        0 output errors, 0 collisions, 220 interface resets
        0 output buffer failures, 0 output buffers swapped out
        279 carrier transitions
        DCD=up  DSR=up  DTR=up  RTS=up  CTS=up

Monitoring PPP

You can monitor PPP activity with the show interface (shown above) and debug ppp chap commands. The debug ppp chap command displays the CHAP packet exchanges and PAP exchanges.  Use no debug all to turn off debugging.

debug ppp

Use the debug ppp EXEC command to display information on traffic and exchanges in an internetwork implementing the Point-to-Point Protocol (PPP). The no form of this command disables debugging output.

debug ppp {packet | negotiation | error | chap}
no debug ppp {packet | negotiation | error | chap} 
debug ppp Syntax Description
packet Causes the debug ppp command to display PPP packets being sent and received. (This command displays low-level packet dumps.)
negotiation Causes the debug ppp command to display PPP packets transmitted during PPP startup, where PPP options are negotiated.
error Causes the debug ppp command to display protocol errors and error statistics associated with PPP connection negotiation and operation.
chap Causes the debug ppp command to display Challenge Authentication Protocol (CHAP) packet exchanges.