PPP CHAP PAP Authentication

[Dyehouse1]

We have a T1 leased line which my ISP says does not need authentication - this strikes me as wrong. Also I do not have a server hostname for the authentication if this was to take place is this correct?

 

[jgercken]

Cisco devices need to authenticate if using PPP on ISDN and async lines but I don't believe it is required on a T1.
-Jeff ----------------------------------------
Wasabi Pop Tarts! Write Kellogs today!

 

[thethmon]

Jeff is correct. T1's can use PPP without using CHAP or PAP authentication. Authentication is generally only used in situation where multiple people could connect to the same endpoint. With a leased line T1 the endpoints are fixed and dedicated, thus no need for authentication. Todd Hethmon
thethmon@hethmon.com

 

[Dyehouse1]

All I am trying to do is get this serial line hooked up to y ISP. I am using 'IP unnumbered ethernet 0' to use the IP of the ethernet interface and I am using 'IP route 0.0.0.0 0.0.0.0 serial 0' to use the serial line as the 'gateway' I am also using PPP encapsulation. According to the ISP this is all I need but the line keeps going administratively down. Am I missing something?

 

[jgercken]

Is the Eth0 interface up and running? You can't reference a down interface. That's why it's best to point to a loopback interface because it never goes down. The administratively down message means you have a required interface configured as 'shutdown'.

-Jeff
----------------------------------------
Wasabi Pop Tarts! Write Kellogs today!

 

[Dyehouse1]

I finally feel like I am making some headway although I haven't got it perfect YET. All lines and protocols are up but I can't ping to anything from the router. NAT is off and IPs are all set, here is my running config below - can you see any errors?

version 12.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 1600
!
enable secret ??????
enable password ??????
!
ip subnet-zero
no ip routing
!
!
!
interface Ethernet0
ip address 212.240.134.17 255.255.255.240
no ip directed-broadcast
no ip proxy-arp
no cdp enable
!
interface Serial0
ip unnumbered Ethernet0
no ip directed-broadcast
encapsulation ppp
!
ip classless
!
!
line con 0
exec-timeout 0 0
transport input none
line vty 0 4
password ??????
login
!
end

Well it all looks OK to me but I am a novice to all this - any ideas anyone?

 

[svermill]

With 'no ip routing' in your config, you're pretty limitted. I think you're going to need to enable that and come up with some static route statements or a routing protocol. Or set up a bridge group. Without knowing your full network topology and objectives, it's hard to offer advice. If it were that easy, we'd all be out of a job.

 

[Dyehouse1]

Now I was told by my ISP that I didnt need an IP route to work - hear me out before U start laughing - I did have the IP route set as follows:

ip route 0.0.0.0 0.0.0.0 serial 0

This means that the serial line would be the default route however I was told this wasnt required. Am I barking up the wrong tree here or do U mean a route elsewhere?

 

[svermill]

Again, these are generalizations since we have no idea what you are trying to accomplish. Also, we only see the config for one side. But 'no ip routing' turns your router into a host. It's just some dumb box sitting on the wire right now. You would generally only have that in your config if you were setting up a bridge group (in which case you wouldn't even need 'ip unnumbered'). As it is, your router doesn't route and it doesn't have a default gateway. So not only are pings not going to work, but nothing is going to work.

In general, if you're splitting the same subnet with this connection, you need to bridge. If you have different subnets on each side of this connection, you need to route. You do that by enabling ip routing and

a) entering static routes pointing to the subnets on either side

b) entering default routes

c) enabling a routing protocol

I personally would go with a. If I remember correctly, you first need a static route pointing to the distant end subnet via the distant end IP (the "borrowed" ip in the unnumbered command). You then need a static route pointing to the distant end "borrowed" IP via the local serial interface. This has to do with how routers handle IP unnumbered. I don't do unnumbered, so my memeory might be failing me. But I do seem to recall that you need two static route statements to reach a distant end when using unnumbered.

If you were trying to reach 192.168.1.0 and the borrowed E0 IP was 192.168.1.1

'ip route 192.168.1.0 192.168.1.1'
'ip route 192.168.1.1 s0'

And vice versa on the distant end.

But again, these are all guesses based on far too little information. Design of even simple networks isn't simple until you know all of the facts.

 

[jgercken]

There's really no point in using a routing protocol in this instance. It's not like you could somehow route around the single link if it failed. A static route is fine and actually preferred.

His IP addressing scheme is also really simple. By having the serial port use the ethernet port's IP address everyone (router, upstream router, and hosts) can be on the same subnet.

Whether this is the best configuration depends on the application. It provides no protection but would be fine for a DMZ router. Depending on what's behind it you may consider using NAT, ACLs and maybe the IOS firewall option.

Your configuration looks ok and should work (I was able to ping the ip you gave). It is wide open, however, so depending on its intended use needs some attention.

-Jeff
----------------------------------------
Wasabi Pop Tarts! Write Kellogs today!

 

[Dyehouse1]

OK guys I will try to give you some more info about whats happening here. The router is on a T1 line to our ISP. I have been told by them that all I need to do on our end is setup PPP encapsulation and use the 212 address on the e0 interface then on the s0 set that unnumbered to the e0 and thats all I have been told to do! Having done exactly that I can't even ping an external address. Just to calm the worries out there I have a firewall sitting behind the router.

What am I missing that is preventing my access to the internet? No authentication is required according to the ISP also. Please help I could do with this being fixed before Christmas cuz after that its time for a new firewall and I start again in the next forum

My current config is as follows:

version 12.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 1600
!
enable secret ??????
enable password ??????
!
ip subnet-zero
no ip routing
!
!
!
interface Ethernet0
ip address 212.240.134.17 255.255.255.240
no ip directed-broadcast
no ip proxy-arp
no cdp enable
!
interface Serial0
ip unnumbered Ethernet0
no ip directed-broadcast
encapsulation ppp
!
ip classless
ip route 0.0.0.0 0.0.0.0 serial0
!
!
line con 0
exec-timeout 0 0
transport input none
line vty 0 4
password ??????
login
!
end

What is wrong cuz I am stumped? WHen I change them out do I have to reset my optical line box?

 

[pplewis]

Your config states "no ip routing"!!

 

[Dyehouse1]

ahem <blushes> oops I guess thats not on by default!

 

[svermill]

The 'no ip routing' problem has been pointed out several times in this thread. Also, I think you'll need that default route back, at a minimum. What will the router do with outbound traffic if it doesn't have a routing protocol and it doesn't have a default route? Dump it I would guess. Also, remember that using 'ip unnumbered' presents some unusual issues (at least it used to). You may need a default route that points to the ISP's IP (type that three times fast) and then a specific route that points to the ISP's IP (there's two) via S0.

Something like:

'ip route 0.0.0.0 0.0.0.0 123.45.67.89'
'ip route 123.45.67.89 s0'

That used to be necessesary but I haven't used ip unnumbered in a long time. Maybe just

'ip route 0.0.0.0 0.0.0.0 s0'

will work?

IPS's IP (ha!)

 

[svermill]

DANG IT!!!

ISP's IP ISP's IP ISP's IP

 

[Dyehouse1]

You cut and pasted that