Introduction to PPP on Cisco IOS Router


Very nice post to learn for beginners. Could you please tell me about significance of magic number, which outputs in debug messages. I mean,for what is used for…

Durga Prasad

Hi Durga,

This is used for loopback detection. Each PPP router selects a magic number and sends this to the other router. When it receives its own magic number then it knows that there is a loopback.


Thank you very much Rene for clarifying.


Hi Rene,

Could you give any practical example for the usage of PPP ?

I am still interested in understanding the usage part for this protocol.

Hi Taran,

A common example nowadays is PPPoA (PPP over ATM) or PPPoE (PPP over Ethernet) that is used for DSL sometimes:

How to configure PPPoA DSL

PPPoE Server


Hi Rene,

When you say, “This is used for loopback detection”, What do you mean by loopback? Are you saying this just means there is a return path? Is the magic number just a randomly generated hex string?


Hi Matt W,

The Magic number is randomly generated and provides a way to detect looped-back links and other Data Link Layer anomalies. This Configuration Option may be required by some other Configuration Options such as the Link-Quality-Monitoring Configuration Option.

When the node sends PPP LCP messages, these messages may include a magic number. If a line is looped, the node receives an LCP message with its own magic number, instead of getting a message with the peer’s magic number.

Now what is looped? For this I give you an example: To test a circuit, the phone company might loop the circuit.This means that the phone company takes the electrical signal sent by the CPE device and sends the same electrical current right back to the same device.
As for routers, they cannot send bits to each other while the link is looped. The router might not notice that the link is looped, because the router is still receiving something over the link! PPP helps the router recognize a looped link quickly

I hope I could answer your question.

How about a PAP example too? I used the following commands:

Username TRINITY password cisco

int s0/0
   encapsulation ppp
   ppp authentication pap
   ppp pap sent-username NEO password cisco

But I get the following error:

AAA/AUTHEN/PPP (0000010F): Pick method list 'default'

Hello Chris

In order for PPP authentication to use the PAP password that you have configured, it is necessary to specify the method by which AAA will occur for PPP. By default, the local database is used, that is the credentials created with the username my_username password my_password command. If that has not been set, then authentication cannot take place. Note that what you have configured about is the “calling” side. The other side must be configured with this username and password.

Cisco has excellent documentation on how to set up the PAP connection for PPP. Take a look at their step by step instructions and their examples, and I believe you should be able to troubleshoot the issue.

Let us know how it goes! I hope this has been helpful!


Hi Rene
When when authentication fail the router still keep sending authentication request. would it effect to performance of router?

Hello Heng

The resources, CPU power and memory used to send the authentication requests is minimal. It is configured in this way so that if the problem of authentication is on the other end of the link, when it is fixed, the link should come up immediately. It would not affect the performance of the router…

I hope this has been helpful!


Is this protocol use only connection using serial link ?

Hello Heng

Point to Point Protocol is a data link layer communications protocol It provides authentication transmission encryption and compression. Because it is used on Cisco devices primarily for serial connections, it is often associated with serial, but this is by no means the case. It can be used over many types of physical networks including serial cable, phone line, mobile network, wireless links and fibre optic links such as SONET.

I hope this has been helpful!


Hello team

When we want to enable serial authentication between two routers via PAP or CHAP, do we have to configure both routers as authenticator and to be authenticated for each one? In your CHAP example configuration could we consider R1 as authenticator and omit the command ppp authentication CHAP in R2 as R2 will be the to be authenticated router? Also even if a router is to be authenticated router, does it need the command ppp authentication PAP / CHAP?

Hello Markos,

This is not required, you can have one-way or two-way authentication. If you use PPP between two sites then usually we use two-way authentication. An ISP often uses one-way authentication just to check the customer username/password.

Here’s an example of one way authentication:

interface Serial0/0/0
ip address
encapsulation ppp
ppp chap hostname CUSTOMER
ppp chap password 0 MY_PASSWORD
username CUSTOMER password 0 MY_PASSWORD

interface Serial0/0/0
ip address
encapsulation ppp
ppp authentication chap

Hope this helps!


Thank you Rene
Your explanation was indeed very helpful!

Was hoping someone could check my thought process on how PPP works.
The below is from a cisco article.

“Active Discovery Phase—In this phase, the PPPoE client locates a PPPoE server, called an access concentrator. During this phase, a Session ID is assigned and the PPPoE layer is established.”
To me this sound like the active discover phase relies on LCP to do all the work

“PPP Session Phase—In this phase, PPP options are negotiated and authentication is performed. Once the link setup is completed, PPPoE functions as a Layer 2 encapsulation method, allowing data to be transferred over the PPP link within PPPoE headers.”
To me this sounds like the session phase uses a combination of LCP and NCP. LCP being used for option negotiation and authentication and NCP being used for the rest.

Am I on the right track or am I missing anything? Thanks for any help anyone can provide.

Hi Kevin,

These two phases are unique to PPPoE. The RFC provides some details:

To provide a point-to-point connection over Ethernet, each PPP session must learn the Ethernet address of the remote peer, as well as establish a unique session identifier. PPPoE includes a discovery protocol that provides this.

PPPoE has two distinct stages. There is a Discovery stage and a PPP Session stage. When a Host wishes to initiate a PPPoE session, it must first perform Discovery to identify the Ethernet MAC address of the peer and establish a PPPoE SESSION_ID. While PPP defines a peer-to-peer relationship, Discovery is inherently a client-server relationship. In the Discovery process, a Host (the client) discovers an Access Concentrator (the server). Based on the network topology, there may be more than one Access Concentrator that the Host can communicate with. The Discovery stage allows the Host to discover all Access Concentrators and then select one. When Discovery completes successfully, both the Host and the selected Access Concentrator have the information they will use to build their point-to-point connection over Ethernet.


Forgive me. Ive never really dealt with serial links before. So why do we care about authentication when it comes to serial links? Why is it important? What exactly is being authenticated? One router is authenticating another router? Is this to prevent rogue routers? Does a Gigabit or Fast Ether router interface not deal with PPP or CHAP authentication?

@jmwalker24 The reason you would care is if you are an ISP. If you are serving customers a DSL connection you want to making sure only paying customers can use your network. Since PPPoE (which uses PPP )is used for DSL connections you can use PAP and CHAP authentication to keep unwanted users off your network. I hope this helps!

Scott Weller

1 Like