Layer 1 and 2 gets turned on its head a bit in this section, there’s more than just CAT5 cables to worry about you get introduced properly to serial cables and all sorts. On the Layer 2 level MAC addresses aren’t something you consider in the same way that you would in a LAN connection – that’s Ethernet technology – you end up with different technologies and connection types depending on the kind of WAN you’re implementing.
Layer 3 and up is exactly the same when dealing with WAN. Once you have an IP address in there we know what we’re doing.
Some Terminology
WAN link – something that connects your Local Network to something that’s far away.
Point to Point link – A direct connection from one location to another. A serial connection is an example of a point to point link.
“T1” Line, or an “E1” line.etc (T1 in the states, E1 in Eurpoe) – While technically this is the speed of a line e.g. 1.544Mitb/s line – colloquially people might say it as that’s just the kind of line that’s in use. Maybe (probably) copper cable in the UK.
Other terms for the same kind of thing: Serial Line /Leased line / Leased Circuit. – Worth noting that this can also be used to describe Leased Fibre lines.
POP (Point of Presence) – Where the network comes out close to a premises from the exchange – Here in openreach land we tend to call these cabinets.
The term is used for other things too, it can really be used to describe any entry point to a network or service but for the sake of this – Cabinets. End customers speeds will vary based on how far they are from the POP.
DEMARC – Stands for Demarkation point, this is going to be the socket that’s installed in the customers premises. – 48
PPP (Point to Point Protocol) and MLPPP (Multilink Point to Point Protocol)
Note – WAN Serial links are encapsulated using the HDLC protocol by default on Cisco equipment. This is a proprietary protocol, so in order to communicate with non cisco Routers over a WAN link you’ll need to use a protocol like PPP. PPP is the industry standard one.
Multilink – A feature of PPP that allows it to combine multiple WAN connections into a single pipe. Essentially you can splice connections together over the WAN.
PPP Multilink actually takes packets of data, chops it up and distributes it equally down the connections. This results in the utilisation of these lines always being equal. – But puts a heavier load on the Routers CPU than something like EtherChannel.
Authentication – Using the PAP (password authentication protocol) and CHAP (challenge handshake authentication protocol – the encrypted version) protocols 2 way authentication can be implemented on a PPP connection.
Configuring PPP on Routers
The above diagram has 2 routers with their default setup – all that has been added is the IP addressing and subnet as shown in the diagram. By default these will be HDLC links, but it is straight forward changing them to PPP links. This is done in the interface using the encapsulation ppp command. – Repeated on both sides of the connection.
Once this has been done both sides ppp is running. Nice and easy. This can then be confirmed with the show interfaces S2/0 command.
The LCP Open part is also well worth looking at, that means the protocol is doing what it’s supposed to. If it’s closed it means a feature hasn’t been negotiated properly.
Underneath that is the “Open: IPCP, CDPCP” which shows that these control protocols are running and have been negotiated successfully.
Configuring PPP Authentication
PAP Authentication
The objective here is to authenticate Router1 to Router2 and vice versa to make sure they are authorised to connect over that WAN conncetion. (To make the screenshots clearer I’m going to give them hostnames to match the diagram)
Step 1 is ‘creating the account’ on both ends of the connection, it will make sure that both the username and password match.
On each side you create a user account for the other side. So below we will be creating an account for Router2 on Router1 in general config mode: username [USERNAME] password [PASSWORD]
Step 2 is ‘assigning the credentials’ – When Router1 makes the connection to Router 2 it needs to be able to tell Router2 what its name / password are. This is assigned on a per interface basis. This is configured on the interface of the device that will be sending the credentials: ppp pap sent-username [USERNAME] password [PASSWORD]
Step 3 is enabling PAP. – While still in the interface level you run the command to enable PAP: ppp authentication pap
And then repeat those steps on the other side (Router2). Don’t get too nervous when the connection doesn’t come back immediately. It can take a while to come up.
The problem with PAP is that it is completely unencrypted, the messages are sent across in cleartext so a man in the middle would be able to grab the username and password. This brings us nicely into CHAP
Configuring CHAP Authentication
CHAP uses MD5 hashing. Unlike with PAP, when using CHAP the passwords have to be the same on both sides of the connection (Like a shared key). In this situation when the PPP link comes up a two way authentication process happpens and if that goes through the connection is made. The password is never actually sent, only the hash is sent so even if it was intercepted you couldn’t grab the password.
After wiping all of the PAP settings you can enable CHAP using the method below:
Step 1: Set username and password in the same way you do for PAP, only this time the password will be the same on both Routers. NOTE – The username in this is the HOSTNAME which must be configured on both devices and cannot be the same.
After that you go into the interface and run the ppp authentication chap command.
And repeat both steps on the other Router.
WAN Multilink
Carrying on from the CHAP authentication section – this is how you set up PPP multilink. Using PPP multilink you can configure multiple serial connections to be treated as one connection, which is more precise than merely load balancing.
This is nice and easy in packet tracer, you just drag and drop, but in real life it will probably take you a while as you’ll have to deal with service providers.
Starting on your first Router (Router1) configure the newly connected serial interface (S3/0) to use ppp encapsulation (encapsulation ppp) and bring it up with the no shutdown command. There is no need to assign an IP address to this interface.
Then repeat the same steps on Router2. This should change the interface state to up. Next up we are going to remove the existing IP address of the serial connection we applied in the previous section on both Routers (shown below):
This is because we are going to configure multilink – which acts as a single logical interface. This is done with the command interface multilink [MULTILINK INTERFACE NUMBER]. You can choose the multilink interface number, and it does not have to match on both sides, same as any other interface.
Frustratingly packet tracer does not have the facility to do multilink. >: (
So I’ve put the commands below to set up and verify that multilink is working.
enable
configure terminal
interface multilink 1
encapsulation ppp
ppp multilink
ip address 10.1.1.1 255.255.255.0
ppp multilink group 1
Quick break here to explain what ppp multilink group command does. It is essentially what is used to connect the logical interface of multilink1 to the physical serial interfaces. You then go into each of the physical serial interfaces and you assign them to the same group. Additionally this is where we can set the bandwidth for each of the serial interfaces (in kb).
interface s2/0
ppp multilink group 1
bandwidth 64
interface s3/0
ppp multilink group 1
bandwidth 64
This config is then repeated on the other Router. In this case Router2, with identical commands only changing the IP address of the multilink to another one in that subnet.
Once this has been done you can confirm that the link is up by doing a show ip interface brief, and if you want to go into more detail you can look at show interfaces multilink 1 – Specifically you’ll be looking for: Encapsulation PPP, LCP Open and multilink Open
Alternatively you can run the show ppp multilink command and that will show you which multilink connections are active and how long they have been active for.