Optional Configuration Tasks
You can perform the following optional PPP configuration tasks:
- Add a text description or alias to a PPP interface.
- Configure the IPCP netmask option (option 0x90).
- Specify the keepalive timeout value.
- Disable magic numbers.
- Control validation of the LCP peer magic number when the peer has not negotiated an LCP magic number.
- Configure the maximum number of LCP, IPCP, or IPv6CP renegotiation attempts that the router accepts before terminating a PPP session.
- Specify the maximum receive units.
- Configure passive mode.
- Specify that the peer IP address is optional for an IPCP negotiation.
- Configure name server addressing.
- Stop or restart a PPP session.
- Configure PPP authentication.
ppp description
- Use to assign a text description or alias to a static PPP interface.
- Example: host1(config-if)#ppp description pah8999
- Use the no version to remove the description.
- See ppp description.
ppp ipcp lockout
- Use to terminate invalid IPv4 subscribers and prevent additional IPCP negotiations.
- When Internet Protocol version 6 Control Protocol (IPv6CP) is active, this command enables unused IPv4 addresses, which are allocated for the IPv6 subscribers, to be available for the IPCP services for an internally defined time interval (10 seconds). When the time interval elapses, the subscriber must connect again to negotiate IPCP.
- Example: host1(config-subif)#ppp ipcp lockout
- Use the no version to disable the IPCP lockout option on the interface.
- See ppp ipcp lockout.
ppp ipcp netmask
- Use to specify the IPCP netmask option (option 0x90) for each PPP interface. By default, the IPCP netmask option is disabled on the interface.
- The IPCP netmask option is a nonstandard option that enables a peer to request the netmask associated with the assigned IP address.
- The netmask can be specified via RADIUS attribute 9, Framed-Ip-Netmask. If the netmask is 255.255.255.255, the option is not negotiated. See the radius ignore framed-ip-netmask command.
- You can enable the IPCP netmask option either in a profile or on a static interface.
- Example: host1(config-subif)#ppp ipcp netmask
- Use the no version to disable the IPCP netmask option on the interface.
- See ppp ipcp netmask.
ppp keepalive
- Use to specify the keepalive timeout value.
- There are two keepalive modes of operation: high-density mode and low-density mode.
- High-density keepalive mode is automatically selected if PPP is layered over ATM, L2TP, or PPPoE.
- Low-density keepalive mode is selected if PPP is layered over HDLC. Keepalive mode selection is made per interface.
- High-density mode—This mode is also known as smart keepalive. When the keepalive timer expires, the interface first verifies whether any frames were received from the peer in the prior keepalive timeout interval. If so, the interface does not send an LCP echo request (keepalive). Keepalive packets are sent only if the peer is silent (that is, no traffic was received from the peer during the previous keepalive timeout interval). If both sides are configured with keepalive, receipt of an LCP echo request by one end suppresses the transmission of an LCP echo request by that end. Smart keepalive is disabled when the keepalive timeout value is at least 60 seconds, even when in high-density mode. Smart keepalive is always disabled when in low-density mode. This mode suppresses transmission of unnecessary LCP echo requests.
- For high-density keepalive mode, the range is 30–64800 seconds. The default value is 30 seconds.
- Low-density mode—When the keepalive timer expires, the interface always sends an LCP echo request, regardless of whether the peer is silent.
- For low-density keepalive mode, the range is 1–64800 seconds for POS uplink interfaces, and 10–64800 seconds for all other HDLC interfaces. The default value for all interfaces is 30 seconds.
- If the keepalive interval is 30 seconds, a failed link is detected between 90 and 120 seconds after failure.
- Use ppp keepalive without a value to restore the default, 30 seconds.
- Example: host1(config-if)#ppp keepalive 50
- Use the no version to disable keepalive.
- See ppp keepalive.
ppp magic-number disable
- Use to disable negotiation of the local magic number.
- Issuing this command prevents the router from detecting loopback configurations.
- Example: host1(config-if)#ppp magic-number disable
- Use the no version to restore negotiation of the local magic number.
- See ppp magic-number disable.
ppp magic-number ignore-mismatch
- Use to cause the router to ignore a mismatch of the LCP peer magic number and retain the PPP connection when the peer has not negotiated an LCP magic number.
- For more information about using this command, see Validation of LCP Peer Magic Number.
- Example: host1(config-if)#ppp magic-number ignore-mismatch
- Use the no version to restore the default behavior, in which the router terminates the PPP connection if it detects an LCP peer magic number mismatch.
- See ppp magic-number ignore-mismatch.
ppp max-negotiations
- Use to configure the maximum number of LCP, IPCP, or IPv6CP renegotiation attempts, in the range 1–65535, that the router accepts before terminating a PPP session.
- Configuring the maximum number of renegotiation attempts helps avoid massive renegotiation loops that can occur between the router and a noncompliant PPP client. Such renegotiation loops can cause excessive CPU utilization and can prevent the PPP client from coming up properly.
- When a PPP client exceeds the configured maximum number of renegotiation attempts, the router sends a termination request to end the PPP session. When the PPP session is terminated and LCP goes into a stopped (closed) state, static PPP or MLPPP interfaces go into passive mode and wait for the other side of the connection to start the LCP negotiation process.
- If you do not specify the optional lcp, ipcp, or ipv6cp keyword, the ppp max-negotiations command sets the maximum number of renegotiation attempts for each of LCP, IPCP, and IPv6CP to the value you specify, or to the default value (30) if you omit the optional value for maximum renegotiation attempts.
- When both IPv4 interface columns and IPv6 interface columns are configured over a PPP link-layer interface, the router terminates the PPP session only when the PPP client exceeds the configured maximum number of renegotiation attempts for both the IPv4 interface and the IPv6 interface.
- Example 1: Sets the maximum number of LCP renegotiation attempts to 5
    host1(config-if)#ppp max-negotiations lcp 5
- Example 2: Sets the maximum number of IPCP renegotiation attempts to 30 (the default)
    host1(config-if)#ppp max-negotiations ipcp
- Example 3: Sets the maximum number of LCP, IPCP, and IPv6CP renegotiation attempts to 15
    host1(config-if)#ppp max-negotiations 15
- Example 4: Restores the maximum number of LCP, IPCP, and IPv6CP renegotiation attempts to the default value, 30
    host1(config-if)#no ppp max-negotiations
- Use the no version to restore the default value, 30 renegotiation attempts.
- See ppp max-negotiations.
ppp mru
- Use to control the negotiation of the maximum receive unit (MRU).
- Specify the number of bytes, in the range 64–65535.
- We recommend you coordinate this value with the network administrator on the other end of the line.
- If the value configured for the PPP MRU is greater than the value of the lower-layer MRU minus the PPP header length, the router logs a warning message and uses the lesser of the configured MRU value or the lower-layer MRU value minus the PPP header length to negotiate the local MRU.
- If the value configured for the PPP MRU conflicts with a similar value configured for another protocol, such as the MTU value for PPPoE, the router uses the lesser of the two values.
- Example: host1(config-if)#ppp mru 576
- Use the no version to restore the default value, which causes PPP to use the lower-layer MRU minus the PPP header length as the MRU value.
- See ppp mru.
ppp passive-mode
- Use to force a static or dynamic PPP interface into passive mode before LCP negotiation begins, for a period of one second. This delay enables slow clients to start up and initiate the LCP negotiation.
- Example: host1(config-if)#ppp passive-mode
- Use the no version to disable passive mode.
- See ppp passive-mode.
ppp peer
- Use to resolve conflicts when the router and the PPP peer have the primary and secondary DNS and WINS name server addresses configured with different values.
- By default, the DNS and WINS addresses configured on the router take precedence.
- Use the dns keyword or the wins keyword to configure which PPP peer address takes precedence. This command has no effect unless both routers have the address configured and the address is in conflict. If the PPP peer has the address and the router does not, the peer always supplies the address regardless of how you have configured the PPP peer.
- Example: host1(config-if)#ppp peer dns
- Use the no version when you want the router to take precedence during setup negotiations between the router and the peer. If the IP addresses that the peer sends to the router differ from the ones configured on your router, the router returns the values that you configured as the correct values to the peer.
- See ppp peer.
ppp peer-ip-address-optional
- Use to specify that the peer IP address is optional in an IPCP configuration request. By default this command is disabled.
- Example: host1(config)#ppp peer-ip-address-optional
- Use the no version to restore the default behavior.
- See ppp peer-ip-address-optional.
ppp shutdown
ppp shutdown ip
ppp shutdown ipv6
ppp shutdown mpls
ppp shutdown osi
- Use to terminate a PPP session.
- To administratively disable the interface, use the ppp shutdown command.
- To administratively disable IPCP, use the ppp shutdown ip command.
- To administratively disable IPv6CP, use the ppp shutdown ipv6 command.
- To administratively disable MPLS, use the ppp shutdown mpls command.
- To administratively disable OSINLCP, use the ppp shutdown osi command.
- All PPP sessions are enabled by default.
- Example: host1(config-if)#ppp shutdown
- Use the no version to restart a disabled session.
- See ppp shutdown.
Configuring PPP Authentication
Perform the following optional tasks to configure PPP authentication:
- Specify one or more PPP authentication types, and select an authentication virtual router context.
- Specify the CHAP challenge length.
- Specify the maximum number of retries.

Note: The JunosE Software’s PPP application accepts null usernames during PAP and CHAP authentication. When the PPP application receives an authentication request that includes a null username, PPP passes the request to AAA. To take advantage of this feature, configure your authentication server to support the use of null usernames.
ppp authentication
- Use to request authentication from a PPP peer and set the authentication method.
- To specify the name of a virtual router (VR) to be used as the authentication VR context, use the virtual-router keyword. Keep the following points in mind when you use the ppp authentication virtual-router command:
  - When you specify a VR in the ppp authentication command, AAA does not query the domain map for the assigned VR context. Instead, AAA uses the VR specified in the ppp authentication command as the authentication VR context and issues the authentication request to the authentication server in the assigned VR context.
  - If you specify the default VR as the authentication VR context, AAA loosely binds the user to the default VR. This means that RADIUS can override the default VR context with a new VR context during the authentication process. When the ppp authentication virtual-router command specifies the default VR, AAA returns either the default VR or the VR specified by RADIUS.
  - If you specify a VR other than the default VR as the authentication VR, AAA tightly binds the user to the specified VR. This means that RADIUS cannot override the specified VR context with a new VR context during the authentication process. When the ppp authentication virtual-router command specifies a nondefault VR, AAA returns the specified VR.
- The router supports the MD5 authentication algorithm for CHAP authentication.
- You can specify one or more authentication protocols in order of preference. If the peer router refuses the first choice, then the local router requests the next authentication protocol, if specified. If the peer refuses that protocol, then the local router requests the third protocol, if specified. If the peer refuses all specified authentication protocols, then the local router terminates the session.
- Example 1: Specifies the order of preference for the primary authentication protocol
    host1(config-if)#ppp authentication pap chap eap
  The router requests the use of PAP as the authentication protocol (because it appears first in the command line). If the peer refuses to use PAP, the router requests the CHAP protocol. If the peer refuses to use CHAP, the router requests the EAP protocol. If the peer refuses to negotiate authentication, the router terminates the PPP session.
- Example 2: Specifies a virtual router for the authentication virtual router context
    host1(config-if)#ppp authentication virtual-router boston pap chap
  This command is available in static configurations and in profiles.
- Example 3: Configures only EAP on a static PPP interface
    host1(config)#interface atm 3/2.100
    host1(config-subif)#ppp authentication eap
- Example 4: Configures EAP or PAP on a static PPP interface
    host1(config)#interface atm 3/2.100
    host1(config-subif)#ppp authentication eap pap
  EAP negotiation is attempted first. If PPP receives a NAK from the peer in response to the EAP request, then PAP is attempted. If PAP is also rejected, then PPP terminates the session.
- Example 5: Configures only EAP on a dynamic PPP interface
    host1(config)#profile ppptest
    host1(config-profile)#ppp authentication eap
- Example 6: Configures EAP or CHAP or PAP on a dynamic PPP interface
    host1(config)#profile ppptest
    host1(config-profile)#ppp authentication eap chap pap
  In this example, the router first attempts EAP negotiation. If PPP receives a NAK from the peer in response to the EAP request, then the router attempts CHAP negotiation. If PPP receives a NAK from the peer in response to the CHAP request, then the router attempts PAP negotiation. If PAP is also rejected, then PPP terminates the session.
- Use the no version to specify that the router does not require authentication.
- See ppp authentication.
ppp chap-challenge-length
- Use to modify the length of the CHAP challenge by specifying the allowable minimum length and maximum length.
- Specify the minimum and maximum lengths in bytes in the range 8–63.

Caution: Do not decrease the range. Increasing the range is acceptable, provided that you do not lower the minimum to do so. The recommended minimum is 16. A longer challenge and a more unpredictable challenge length provide a higher level of security.
- The maximum length must be greater than or equal to the minimum length.
- Example: host1(config-if)#ppp chap-challenge-length 24 28
- Use the no version to restore the default minimum (16 bytes) and default maximum (32 bytes).
- See ppp chap-challenge-length.
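The following Python sketch is an added example, not JunosE code. It shows why the challenge matters in MD5 CHAP (RFC 1994): the response is bound to the challenge, so a captured response fails against a fresh one. It assumes the challenge length is drawn uniformly from the configured range; the page does not say how the router picks it, and the shared secret is a constructed value.

```python
import hashlib
import hmac
import secrets

# Bounds taken from the page's example: ppp chap-challenge-length 24 28
MIN_LEN, MAX_LEN = 24, 28


def new_challenge(min_len=MIN_LEN, max_len=MAX_LEN):
    """Return a challenge whose length and content both come from a CSPRNG."""
    if not 8 <= min_len <= max_len <= 63:
        raise ValueError("need 8 <= minimum <= maximum <= 63 (range given on the page)")
    # Assumption: uniform choice of length within the configured range.
    length = min_len + secrets.randbelow(max_len - min_len + 1)
    return secrets.token_bytes(length)


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP with MD5: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def verify(identifier, secret, challenge, response):
    """Authenticator side: recompute the value and compare in constant time."""
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def replay_is_rejected(secret=b"constructed-shared-secret"):
    """A response captured for one challenge must fail against a fresh one."""
    old = new_challenge()
    captured = chap_response(1, secret, old)
    fresh = new_challenge()
    return verify(1, secret, old, captured) and not verify(2, secret, fresh, captured)


if __name__ == "__main__":
    print("challenge lengths:", sorted({len(new_challenge()) for _ in range(200)}))
    print("replayed response rejected:", replay_is_rejected())
```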
ppp max-bad-auth
- Use to specify the maximum number of authentication retries the router allows before terminating a PPP session.
- This value applies to PAP and CHAP authentication.
- The range is 0–7. The default is 0, which indicates that no retries are allowed.
- Example: host1(config-if)#ppp max-bad-auth 3
- Use the no version to return the number of retries to the default, 0.
- See ppp max-bad-auth.
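A configuration review for the settings described above can be scripted. The Python below is an added example, not a Juniper tool: it scans CLI lines for ppp authentication with PAP requested first (PAP sends the password in cleartext), authentication turned off, a CHAP challenge minimum below the recommended 16, and ppp magic-number disable. The sample lines are constructed and the finding texts are this example's own wording.

```python
import re

RECOMMENDED_MIN = 16  # recommended minimum challenge length stated on this page
PROMPT = re.compile(r"^[\w.-]+\([\w-]+\)#\s*")  # e.g. "host1(config-if)#"

# Constructed sample input, not taken from a real router.
SAMPLE = """\
host1(config-if)#ppp authentication pap chap eap
host1(config-if)#ppp chap-challenge-length 8 12
host1(config-if)#ppp magic-number disable
host1(config-subif)#ppp authentication eap
host1(config-if)#ppp chap-challenge-length 24 28
host1(config-profile)#ppp authentication virtual-router boston pap chap
host1(config-if)#no ppp authentication
"""


def audit(config_text):
    """Return (line_number, command, finding) for each PPP line worth a review."""
    findings = []
    for number, raw in enumerate(config_text.splitlines(), start=1):
        line = PROMPT.sub("", raw.strip())  # drop the CLI prompt if present
        words = line.split()
        if words[:3] == ["no", "ppp", "authentication"]:
            findings.append((number, line, "authentication is not required"))
        elif words[:2] == ["ppp", "authentication"]:
            args = words[2:]
            if args[:1] == ["virtual-router"]:
                args = args[2:]  # skip the keyword and the VR name
            if args[:1] == ["pap"]:
                findings.append((number, line, "PAP (cleartext password) is requested first"))
        elif words[:2] == ["ppp", "chap-challenge-length"] and len(words) == 4:
            if words[2].isdigit() and int(words[2]) < RECOMMENDED_MIN:
                findings.append((number, line, "minimum challenge length is below 16"))
        elif words[:3] == ["ppp", "magic-number", "disable"]:
            findings.append((number, line, "loopback detection is turned off"))
    return findings


if __name__ == "__main__":
    for number, line, finding in audit(SAMPLE):
        print(f"line {number}: {line} -> {finding}")
```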