This article focuses on the WAN technologyPoint to Point Protocol or PPP.

After reading this article, you will know:

  1. the functions provided by PPP;
  2. what are the LCP features;
  3. how to configure basic PPP;
  4. how to configure CHAP/PAP authentication; and
  5. how to configure PPP multilink interfaces.

Along with High-Level Data Link protocol (HDLC) and Frame Relay, these three protocols constitute the foundation over which WAN communication is built on.

CCNA Training – Resources (Intense)

All three are currently part of the CCNA curriculum presently and to improve your chances to pass the CCNA exam, a good understanding of all three is required.

HDLC is a simple Layer 2 protocol that’s used to connect point to point serial devices. Cisco’s version of HDLC is proprietary because of the protocol type field.

HDLC is the default protocol on all Cisco serial interfaces. If you would check the configuration of a serial interface, you would see that there is no encapsulation configured. However, ‘show interface’ command displays that the encapsulation is HDLC.

Frame Relay is a set of WAN standards that aim to create a more efficient WAN service as compared to point-to-point links. However, Frame Relay protocols are more complicated and are outside of the scope of this article.

The PPP is a data link protocol which sets a direct and private connection between two network devices, which is always two routers.

Point-to-point means:

  1. A logical connection that is established between two and only two points.
  2. A circuit connecting two points without intermediary devices.

PPP provides the following functions to the two routers connected over a leased line:

  1. A protocol type field in the header that allow multiple Layer 3 protocols to pass over the same link.
  2. Authentication methods: Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP).
  3. Control protocols for each upper layer that crosses the PPP link.

The PPP frame structure looks like this:

One of the most important features of the PPP protocol is the protocol field. The protocol field, which is 2 bytes long, identifies the type of the packet which is transported over the link.

The protocol field values can start with 0, 8 and C. If it starts with 0, then it identifies the protocol. If it starts with 8, then it identifies the control protocol that will negotiate the network protocol used over the link. If it starts with C, then the protocol field indicates that a LCP Link Control Protocol (LCP) is encapsulated in the next field of a PPP frame, the Information field. For instance, 0021 means that the protocol transported is IP.

LCP provides four important features:

1. Loop detection

This detects if the link is looped and brings down the interface.LCP detects the looped links using the magic numbers. When PPP is used, the routers on the link send PPP LCP messages. These messages include a magic number, which is unique for every router. When an interface is looped, whatever a router is sending over an interface is coming back.

In case of a loop, the router receives the LCP messages containing its own magic number instead of getting an LCP message with a different magic number, hence a different router. When this happens, the router knows that the interface is looped and can bring it down.

Bringing down a looped interface quickly might speed up the routing protocols convergence. Instead of waiting for, let’s say, the OSPF dead interval to expire, the router can bring the interface down right away and OSPF will recalculate the network topology.

2. Error detection

The purpose of the FCS field in the PPP frame is to check if the frame is correct and, if not, to be dropped by the router as it’s an erroneous frame. Additionally, the router can monitor the rate of the error frames and if that rate goes above a threshold over an interface, the interface can be brought down.

Link Quality Monitoring is monitoring the error rate on a PPP link. Each LQM implementation counts the packets and bytes sent and successfully received. This information is exchanged over the PPP link at regular time intervals. By comparing the counters in successive messages, a receiver can calculate how many packets/bytes the other router sent and how many were successfully received.

One thing to be noted is that there is no reason to bring a link down that has the number of errors above the configured rate if it’s the only link available. It would make sense to bring down the interface only if there is an alternate link.

3. PPP Multilink

PPP Multilink is a feature of LCP that allows two routers to signal to each other that they are able to treat more than one physical link as a logical one, with the bandwidth being the sum of the physical interfaces’ bandwidth.

Multilink PPP load balances the traffic over the links equally, allowing IP routing lookup to treat the multiple links as just one. When the packet is encapsulated in PPP, the packet is fragmented into smaller frames which are equally distributed over the links that are part of the multilink.

4. Authentication

As previously said, the two authentication methods for PPP are PAP and CHAP. CHAP is the preferred method because it uses MD5, whereas PAP sends the passwords over the link in clear text.

Both PAP and CHAP exchange messages across the link between the two routers. If PAP is used, then the username and password are sent across the link in the first message.

This is what happens during CHAP authentication:

  1. When CHAP starts to be negotiated, one of the sides, called the authenticator, will send a challenge message to the other side, called the peer.
  2. The peer replies with a MD5 hash value.
  3. The authenticator calculates what hash value the peer should send. In case they don’t match, the connection between them is dropped. In case the values are identical, then the peer is authenticated by the authenticator.

The interesting thing about CHAP authentication is that the authentication is based on secret information that is known only by the two routers but is never sent between them. Each one calculates an MD5 value which is compared with what the other router sent. What was explained above is a one way authentication and should be enough to have a secure link between two routers. There is also a two way CHAP authentication where each router plays the role of authenticator and peer at a time.

The case study will assume this topology and addressing as shown on the diagram:

This section will show you how you can configure PPP, PAP/CHAP authentication and multilink interfaces, including how to check that the PPP is working using ‘show’ and ‘debug’ commands.

To enable PPP on a link, you just have to configure ‘encapsulation ppp’ on both routers on the link. This is the configuration needed on R1:

and on R2:

If the link is up and running, you should see a similar output as below:

The highlighted lines show that PPP encapsulation was configured on the link and that the LCP phase has successfully completed. Also, as you can see, two Control Protocols, IPCP and CDPCP, were enabled.

Suppose that you remove the IP configuration from the PPP link on both routers. IPCP will then be in a Closed state:

So, what are IPCP and CDPCP? For features related to the Layer 3 protocols, PPP uses PPP Control Protocols (CP). For each PPP link, PPP uses a single instance of LCP and one instance of CP for each Layer 3 protocol configured on the link. In our case, the PPP link is using IP and CDP, therefore we’re seeing a single instance of LCP, IPCP (for IPv4) and CDPCP (for CDP). As you saw, if we disable the IP configuration, then IPCP goes into a Closed state.

If you want to see the messages exchanged when a PPP link comes up, you can use this debug command: ‘debug ppp negotiation’.

Below, the interface Serial0/0 from R1 was disabled and the debug was activated. Right after the link is brought up, R1 starts to exchange messages with R2:

Let’s configure CHAP authentication on the PPP link between R1 and R2.

Before doing that though, let’s see the steps in configuring CHAP authentication:

  1. Configure the router’s hostname.
  2. Configure the name of the other router and the shared secret password.
  3. Enable CHAP authentication on the interface.

This is the configuration needed on R1 to enable CHAP authentication:

And the configuration on R2:

The steps to configure CHAP authentication and the commands for them are not complicated, but the problem is that it’s easy to incorrectly configure the hostnames. Each router in the ‘username’ configuration must reference the other router’s hostname. As might seem obvious, the passwords are case-sensitive, as well as hostnames.

If the authentication was successful, then the interfaces should be in ‘up up’ state:

To debug the authentication, either CHAP or PAP, one could use the command ‘debug ppp authentication’.

The debug was enabled and the Serial0/0 interface from R1 was brought back up:

As you can see from the output, some lines are starting with ‘O’ and others with ‘I’. This stands for Output and Input from the point of view of the switch where the debug is enabled. Each router is authenticating the other one.

Let’s follow the R2 router being authenticated by R1.The authentication starts here with R1 sending the challenge:

Apr 23 15:33:37.974: Se0/0 CHAP: O CHALLENGE id 11 len 23 from “R1”

R2 sends back the response:

Apr 23 15:33:37.994: Se0/0 CHAP: I RESPONSE id 11 len 23 from “R2”

Because the authentication is successful, R1 sends the success message back to R2:

Apr 23 15:33:37.994: Se0/0 CHAP: O SUCCESS id 11 len 4

Now that we configured CHAP authentication on the link between R1 and R2, let’s configure PAP authentication between R3 and R4, with R3 requesting R4 to authenticate. If R4 agrees, then it will send the username and password to R3.

This is the configuration of R3:

And the configuration on R4:

This is what happens during a PAP authentication:

The last configuration that we will do is the multilink configuration between R2 and R3. We will configure the two links between R2 and R3 to be part of the same bundle, called a multilink.

Let’s see what the configuration on R2 is:

The configuration on R3 is almost identical.

As previously noted in the introduction about PPP Multilink, any layer 3 configuration will be done on a Multilink interface. Let’s check the connectivity between R2 and R3:

You can check what interfaces are part of a multilink by using the command ‘show ppp multilink’:

To troubleshoot a multilink you can use ‘debug ppp multilink events’:

If you reached this point of the article, then you should be able to:

  1. Have a good understanding of the PPP protocol and what it provides;
  2. Know what features can be configured on PPP links; and
  3. Know how to configure PPP, authentication and multilink interfaces.


  1. CCNA Official Certification Guide – Wendell Odom
  2. RFC 1661 – PPP (
  3. RFC 1717 – PPP Multilink(
  4. RFC 1994 – PPP CHAP(