Optional Configuration Tasks
You can perform the following optional PPP configuration tasks:
- Add a text description or alias to a PPP interface.
- Configure the IPCP netmask option (option 0x90).
- Specify the keepalive timeout value.
- Disable magic numbers.
- Control validation of the LCP peer magic number when the peer has not negotiated an LCP magic number.
- Specify the maximum receive units.
- Configure passive mode.
- Configure name server addressing.
- Stop or restart a PPP session.
- Configure PPP authentication.
ppp description
host1(config-if)#ppp description pah8999
- Use the no version to remove the description.
ppp ipcp netmask
- Use to specify the IPCP netmask option (option 0x90) for each PPP interface. By default, the IPCP netmask option is disabled on the interface.
- The IPCP netmask option is a nonstandard option that enables a peer to request the netmask associated with the assigned IP address.
- The netmask can be specified via RADIUS attribute 9, Framed-Ip-Netmask. If the netmask is 255.255.255.255, the option is not negotiated. See the radius ignore framed-ip-netmask command.
- You can enable the IPCP netmask option either in a profile or on a static interface.
- Example
host1(config-subif)#ppp ipcp netmask
- Use the no version to disable the IPCP netmask option on the interface.
ppp keepalive
- Use to specify the keepalive timeout value.
- There are two keepalive modes of operation: high-density mode and low-density mode.
- High-density keepalive mode is automatically selected if PPP is layered over ATM, L2TP, or PPPoE.
- Low-density keepalive mode is selected if PPP is layered over HDLC. Keepalive mode selection is made per interface.
- High-density mode: This mode is also known as smart keepalive. When the keepalive timer expires, the interface first verifies whether any frames were received from the peer in the prior keepalive timeout interval. If so, the interface does not send an LCP echo request (keepalive). Keepalive packets are sent only if the peer is silent (that is, no traffic was received from the peer during the previous keepalive timeout interval). If both sides are configured with keepalive, receipt of an LCP echo request by one end suppresses the transmission of an LCP echo request by that end. Smart keepalive is disabled when the keepalive timeout value is at least 60 seconds, even when in high-density mode. Smart keepalive is always disabled when in low-density mode. This mode suppresses transmission of unnecessary LCP echo requests.
- For high-density keepalive mode, the range is 30-64800 seconds. The default value is 30 seconds.
- Low-density mode: When the keepalive timer expires, the interface always sends an LCP echo request, regardless of whether the peer is silent.
- For low-density keepalive mode, the range is 1-64800 seconds for POS uplink interfaces, and 10-64800 seconds for all other HDLC interfaces. The default value for all interfaces is 30 seconds.
- If the keepalive interval is 30 seconds, a failed link is detected between 90 and 120 seconds after failure.
- Use ppp keepalive without a value to restore the default, 30 seconds.
- Example
host1(config-if)#ppp keepalive 50
- Use the no version to disable keepalive.
ppp magic-number disable
- Use to disable negotiation of the local magic number.
- Issuing this command prevents the router from detecting loopback configurations.
- Example
host1(config-if)#ppp magic-number disable
- Use the no version to restore negotiation of the local magic number.
ppp magic-number ignore-mismatch
- Use to cause the router to ignore a mismatch of the LCP peer magic number and retain the PPP connection when the peer has not negotiated an LCP magic number.
- For more information about using this command, see Validation of LCP Peer Magic Number.
- Example
host1(config-if)#ppp magic-number ignore-mismatch
- Use the no version to restore the default behavior, in which the router terminates the PPP connection if it detects an LCP peer magic number mismatch.
ppp mru
- Use to control the negotiation of the maximum receive unit (MRU).
- Specify the number of bytes, in the range 64-65535.
- We recommend you coordinate this value with the network administrator on the other end of the line.
- If the value configured for the PPP MRU is greater than the value of the lower-layer MRU minus the PPP header length, the router logs a warning message and uses the lesser of the configured MRU value or the lower-layer MRU value minus the PPP header length to negotiate the local MRU.
- If the value configured for the PPP MRU conflicts with a similar value configured for another protocol, such as the MTU value for PPPoE, the router uses the lesser of the two values.
- Example
host1(config-if)#ppp mru 576
- Use the no version to restore the default value, which causes PPP to use the lower-layer MRU minus the PPP header length as the MRU value.
ppp passive-mode
- Use to force a static or dynamic PPP interface into passive mode before LCP negotiation begins, for a period of one second. This delay enables slow clients to start up and initiate the LCP negotiation.
- Example
host1(config-if)#ppp passive-mode
- Use the no version to disable passive mode.
ppp peer
- Use to resolve conflicts when the router and the PPP peer have the primary and secondary DNS and WINS name server addresses configured with different values.
- By default, the DNS and WINS addresses configured on the router take precedence.
- Use the dns keyword or the wins keyword to configure which PPP peer address takes precedence. This command has no effect unless both routers have the address configured and the address is in conflict. If the PPP peer has the address and the router does not, the peer always supplies the address regardless of how you have configured the PPP peer.
- Example
host1(config-if)#ppp peer dns
- Use the no version when you want the router to take precedence during setup negotiations between the router and the peer. If the IP addresses that the peer sends to the router differ from the ones configured on your router, the router returns the values that you configured as the correct values to the peer.
ppp shutdown
- Use to terminate a PPP session.
- To administratively disable the interface, use the ppp shutdown command.
- To administratively disable IPCP, use the ppp shutdown ip command.
- To administratively disable IPv6CP, use the ppp shutdown ipv6 command.
- To administratively disable MPLS, use the ppp shutdown mpls command.
- To administratively disable OSINLCP, use the ppp shutdown osi command.
- All PPP sessions are enabled by default.
- Example
host1(config-if)#ppp shutdown
- Use the no version to restart a disabled session.
Configuring PPP Authentication
Perform the following optional tasks to configure PPP authentication:
- Specify one or more PPP authentication types, and select an authentication virtual router context.
- Specify the CHAP challenge length.
- Specify the maximum number of retries.
ppp authentication
- Use to request authentication from a PPP peer and set the authentication method.
- To specify the name of a virtual router (VR) to be used as the authentication VR context, use the virtual-router keyword. Keep the following points in mind when you use the ppp authentication virtual-router command:
- When you specify a VR in the ppp authentication command, AAA does not query the domain map for the assigned VR context. Instead, AAA uses the VR specified in the ppp authentication command as the authentication VR context and issues the authentication request to the authentication server in the assigned VR context.
- If you specify the default VR as the authentication VR context, AAA loosely binds the user to the default VR. This means that RADIUS can override the default VR context with a new VR context during the authentication process. When the ppp authentication virtual-router command specifies the default VR, AAA returns either the default VR or the VR specified by RADIUS.
- If you specify a VR other than the default VR as the authentication VR, AAA tightly binds the user to the specified VR. This means that RADIUS cannot override the specified VR context with a new VR context during the authentication process. When the ppp authentication virtual-router command specifies a nondefault VR, AAA returns the specified VR.
- The router supports the MD5 authentication algorithm for CHAP authentication.
- You can specify one or more authentication protocols in order of preference. If the peer router refuses the first choice, then the local router requests the next authentication protocol, if specified. If the peer refuses that protocol, then the local router requests the third protocol, if specified. If the peer refuses all specified authentication protocols, then the local router terminates the session.
- Example 1: Specifies the order of preference for the primary authentication protocol
host1(config-if)#ppp authentication pap chap eap
The router requests the use of PAP as the authentication protocol (because it appears first in the command line). If the peer refuses to use PAP, the router requests the CHAP protocol. If the peer refuses to use CHAP, the router requests the EAP protocol. If the peer refuses to negotiate authentication, the router terminates the PPP session.
host1(config-if)#ppp authentication virtual-router boston pap chap
This command is available in static configurations and in profiles.
host1(config)#interface atm 3/2.100
host1(config-subif)#ppp authentication eap
- Example 4: Configures EAP or PAP on a static PPP interface
host1(config)#interface atm 3/2.100
host1(config-subif)#ppp authentication eap pap
EAP negotiation is attempted first. If PPP receives a NAK from the peer in response to the EAP request, then PAP is attempted. If PAP is also rejected, then PPP terminates the session.
host1(config)#profile ppptest
host1(config-profile)#ppp authentication eap
- Example 6: Configures EAP or CHAP or PAP on a dynamic PPP interface
host1(config)#profile ppptest
host1(config-profile)#ppp authentication eap chap pap
In this example, the router first attempts EAP negotiation. If PPP receives a NAK from the peer in response to the EAP request, then the router attempts CHAP negotiation. If PPP receives a NAK from the peer in response to the CHAP request, then the router attempts PAP negotiation. If PAP is also rejected, then PPP terminates the session.
ppp chap-challenge-length
- Use to modify the length of the CHAP challenge by specifying the allowable minimum length and maximum length.
- Specify the minimum and maximum lengths in bytes in the range 8-63.
- The maximum length must be greater than or equal to the minimum length.
- Example
host1(config-if)#ppp chap-challenge-length 24 28
- Use the no version to restore the default minimum (16 bytes) and default maximum (32 bytes).
ppp max-bad-auth
- Use to specify the maximum number of authentication retries the router allows before terminating a PPP session.
- This value applies to PAP and CHAP authentication.
- The range is 0-7. The default is 0, which indicates that no retries are allowed.
- Example
host1(config-if)#ppp max-bad-auth 3
- Use the no version to return the number of retries to the default, 0.
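The ppp authentication, ppp magic-number, ppp chap-challenge-length and ppp max-bad-auth settings described above can be reviewed mechanically in a saved configuration. The following Python script is an added example, not part of the original documentation or of the router software; the protocol ranking, the finding texts and the sample configuration are assumptions constructed for illustration.

```python
import re
# Ranking is this example's assumption: PAP sends the password in cleartext,
# CHAP here is MD5 challenge-response, EAP depends on the method negotiated.
STRENGTH = {"pap": 0, "chap": 1, "eap": 2}
MAGIC = {"disable": "loopback detection disabled",
         "ignore-mismatch": "peer magic-number mismatch ignored"}

def audit_ppp(config_text):
    """Return (line_number, finding) tuples for PPP settings worth reviewing."""
    findings = []
    for n, raw in enumerate(config_text.splitlines(), 1):
        # Strip a CLI prompt such as 'host1(config-if)#' when present.
        words = re.sub(r"^\S*\([^)]*\)#", "", raw).split()
        if words[:1] != ["ppp"] or len(words) < 2:
            continue
        cmd, args = words[1], words[2:]
        digits = bool(args) and all(a.isdigit() for a in args)
        if cmd == "authentication":
            if args[:1] == ["virtual-router"]:
                args = args[2:]  # skip the VR name
            protos = [w for w in args if w in STRENGTH]
            # The router requests each listed protocol in turn as the peer
            # refuses, so any protocol in the list can end up being used.
            if "pap" in protos:
                where = "first choice" if protos[0] == "pap" else "fallback"
                findings.append((n, f"PAP offered as {where}"))
            if protos != sorted(protos, key=STRENGTH.get, reverse=True):
                findings.append((n, "weaker protocol preferred over stronger"))
        elif cmd == "magic-number" and args and args[0] in MAGIC:
            findings.append((n, MAGIC[args[0]]))
        elif cmd == "chap-challenge-length" and len(args) == 2 and digits:
            lo, hi = int(args[0]), int(args[1])
            if not 8 <= lo <= hi <= 63:
                findings.append((n, "challenge length outside 8-63 or max < min"))
            elif lo < 16:  # 16 bytes is the default minimum given on the page
                findings.append((n, f"minimum challenge {lo} bytes, default is 16"))
        elif cmd == "max-bad-auth" and digits and int(args[0]) > 0:
            findings.append((n, f"{args[0]} auth retries allowed (default 0)"))
    return findings

# Constructed sample configuration (not taken from a real router).
SAMPLE = """\
host1(config-subif)#ppp authentication pap chap eap
host1(config-subif)#ppp magic-number disable
host1(config-subif)#ppp chap-challenge-length 8 28
host1(config-subif)#ppp max-bad-auth 3
host1(config-profile)#ppp authentication virtual-router boston eap chap
"""
if __name__ == "__main__":
    print(*audit_ppp(SAMPLE), sep="\n")
```

Lines without a prompt are accepted as well, so the function can be run over the text of a saved configuration.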