PPP and HDLC are the two dominant Layer 2 encapsulation protocols used on serial links between routers. On the CCNA 200-301 exam, you must know the differences between Cisco HDLC (proprietary) and PPP (open standard), how to configure both, and when to use PPP for features like authentication, compression, and multilink. Real-world networks rely on PPP for secure WAN connections, while HDLC is the default on Cisco serial interfaces.
Jump to a section
Imagine you run a shipping company that moves packages between two warehouses using a fleet of trucks. Each truck's cargo must be packed into standardized containers so that warehouse workers know exactly how to handle them. HDLC and PPP are like two different container designs. HDLC is a simple, one-size-fits-all container that works great when both warehouses are owned by the same company (Cisco routers on both ends). It has a lid that snaps shut, but no extra compartments for special items. If you need to send something fragile or track a package's delivery status, HDLC can't help. PPP is like a modular container system. The basic container is similar, but it has slots where you can insert special modules: one for authentication (like a signature log), one for compression (like a vacuum sealer to make packages smaller), and one for load balancing across multiple trucks (Multilink PPP). The truck driver (the serial interface) uses a protocol called LCP (Link Control Protocol) to negotiate how the container will be used before any packages are loaded. If both ends agree on authentication, they exchange passwords; if they agree on compression, they enable it. PPP also includes NCP (Network Control Protocol) to negotiate which network protocol is inside the container—IPv4, IPv6, or both. This modularity makes PPP the go-to choice when connecting routers from different vendors or when you need advanced features. HDLC is fine for simple Cisco-to-Cisco links, but PPP is the Swiss Army knife of WAN encapsulation.
What Are HDLC and PPP?
HDLC (High-Level Data Link Control) and PPP (Point-to-Point Protocol) are Layer 2 encapsulation protocols used on serial point-to-point links. They define how data is framed, addressed, and error-checked as it travels across a WAN connection. Cisco HDLC is the default encapsulation on Cisco serial interfaces, but it is proprietary—it includes a Cisco-specific 'type' field that other vendors don't support. PPP is an open standard (RFC 1661) that can interoperate between different vendors' equipment.
Why Two Protocols?
In the early days of WANs, each vendor had its own HDLC implementation. Cisco added a 2-byte Protocol Type field to the standard HDLC frame, making it impossible to connect a Cisco router to a non-Cisco router using HDLC. PPP was developed to provide a standardized, extensible encapsulation that supports multiple network layer protocols (IPv4, IPv6, IPX, etc.) and includes features like authentication (PAP, CHAP), compression (Stacker, Predictor), and error detection. On the CCNA exam, you need to know that Cisco HDLC is the default, PPP is used for multi-vendor or feature-rich links, and both are configured at the interface level.
Frame Structures
A standard HDLC frame has three fields: Flag (01111110), Address, Control, Information, and FCS. Cisco HDLC adds a 2-byte Protocol Type field between the Control and Information fields. This allows the router to identify the network protocol (e.g., 0x0800 for IP). PPP frames are similar: Flag, Address (0xFF), Control (0x03), Protocol (2 bytes), Information, Padding, and FCS. The Protocol field indicates the protocol encapsulated (e.g., 0x0021 for IP, 0xC021 for LCP, 0x8021 for IPCP).
PPP Components: LCP and NCP
PPP has two main sublayers: - LCP (Link Control Protocol) – Establishes, configures, and tests the data-link connection. LCP packets are exchanged during link establishment. Options negotiated include Maximum Receive Unit (MRU), authentication protocol (PAP or CHAP), compression, and Multilink PPP. - NCP (Network Control Protocol) – Each network layer protocol has its own NCP. For IPv4, it's IPCP (IP Control Protocol). IPCP negotiates IP addresses and compression. For IPv6, it's IPv6CP.
PPP Link Establishment Phases
PPP link establishment occurs in three phases: 1. Link Establishment (LCP) – LCP packets are exchanged to negotiate configuration options. The link transitions through states: Dead, Establish, Authenticate, Network, and Terminate. Default MRU is 1500 bytes. Authentication is optional but must be configured on both ends. 2. Authentication (Optional) – If configured, PAP or CHAP is used. PAP sends passwords in clear text; CHAP uses a three-way handshake with an MD5 hash. CHAP is more secure and is preferred. 3. Network Layer (NCP) – NCP packets negotiate network-layer parameters. For IPCP, this includes assigning IP addresses if configured with 'ip address negotiated'.
Configuration Commands
To change encapsulation on a serial interface:
R1(config)# interface serial 0/0/0
R1(config-if)# encapsulation hdlc
R1(config-if)# encapsulation pppTo configure PPP authentication (CHAP):
R1(config)# username R2 password cisco123
R1(config)# interface serial 0/0/0
R1(config-if)# encapsulation ppp
R1(config-if)# ppp authentication chapTo verify:
R1# show interfaces serial 0/0/0
Serial0/0/0 is up, line protocol is up
Hardware is HD64570
Internet address is 10.0.0.1/30
MTU 1500 bytes, BW 1544 Kbit/sec, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, LCP Open
Open: IPCP, CDPCP
Last input 00:00:05, output 00:00:05, output hang never
Last clearing of "show interface" counters never
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
0 carrier transitionsKey indicators: 'Encapsulation PPP' and 'LCP Open' confirm PPP is running. 'Open: IPCP, CDPCP' shows which NCPs are active.
To debug PPP authentication:
R1# debug ppp authentication
PPP authentication debugging is on
*Mar 1 00:00:10.123: Se0/0/0 PPP: Using default call direction
*Mar 1 00:00:10.123: Se0/0/0 PPP: Treating connection as a dedicated line
*Mar 1 00:00:10.123: Se0/0/0 CHAP: O CHALLENGE id 1 len 27 from "R1"
*Mar 1 00:00:10.127: Se0/0/0 CHAP: I RESPONSE id 1 len 27 from "R2"
*Mar 1 00:00:10.127: Se0/0/0 CHAP: O SUCCESS id 1 len 4Interaction with Other Protocols
PPP can carry multiple network layer protocols simultaneously. It supports CDP (Cisco Discovery Protocol) by default, which appears as CDPCP in the 'show interfaces' output. Multilink PPP (MLP) allows load balancing across multiple serial links, appearing as a virtual bundle interface. QoS features like compression and link fragmentation and interleaving (LFI) can be applied over PPP to improve performance.
Verify Current Encapsulation
Before making changes, check the existing encapsulation on the serial interface. Use 'show interfaces serial0/0/0' and look for the line 'Encapsulation HDLC' or 'Encapsulation PPP'. Also note the line protocol status; if it's 'down', the encapsulation mismatch might be the cause. On the CCNA, you might see a scenario where the line protocol is down due to encapsulation mismatch. Always verify both ends.
Change Encapsulation to PPP
Enter interface configuration mode for the serial interface. Issue the command 'encapsulation ppp'. This changes the framing from the default Cisco HDLC to PPP. The change takes effect immediately; there is no need to shut/no shut unless the link was already up. If the other end is still using HDLC, the line protocol will go down because the frame format is incompatible.
Configure PPP Authentication (Optional)
To enable CHAP authentication, first create a local username and password on each router that matches the hostname of the other router (case-sensitive). For example, on R1: 'username R2 password cisco123'. Then, under the interface, issue 'ppp authentication chap'. You can also use 'ppp authentication pap' or 'ppp authentication chap pap' to try CHAP first, then fall back to PAP. Both routers must have matching usernames and passwords.
Configure IP Address Negotiation (Optional)
If you want the remote router to assign an IP address (like a dial-up connection), use 'ip address negotiated' on the interface. This causes the router to use IPCP to obtain an IP address from the peer. On the peer, you must configure a pool of addresses using 'peer default ip address pool <pool-name>' under the interface. This is less common on point-to-point links but may appear in exam scenarios.
Verify PPP Operation
After configuration, use 'show interfaces serial0/0/0' to confirm 'Encapsulation PPP' and 'LCP Open'. Also check 'show ppp interfaces brief' for a summary of PPP interfaces and their status. Use 'debug ppp authentication' to troubleshoot authentication issues. The link should show 'up/up' if everything is configured correctly. If the line protocol is down, check for encapsulation mismatch or authentication failure.
Troubleshoot Common Issues
Common problems include: encapsulation mismatch (one side HDLC, the other PPP), authentication failure (wrong username/password or mismatch), and LCP negotiation failure (e.g., MRU mismatch). Use 'show interfaces' to see if the line protocol is down. Use 'debug ppp negotiation' to see LCP options being exchanged. For authentication, 'debug ppp authentication' shows CHAP or PAP exchanges. Always check both ends of the link.
In enterprise networks, PPP is often used for dedicated T1/E1 lines connecting branch offices to a central site. For example, a retail chain might use PPP over T1 links to connect each store to the corporate data center. The authentication feature (CHAP) ensures that only authorized stores can connect, preventing rogue devices from tapping into the WAN. Compression (e.g., Stacker) can reduce bandwidth usage on slower links, which is critical when paying per megabit. Multilink PPP (MLP) is used when multiple T1s are bonded to increase bandwidth; the router treats them as a single logical link. A network engineer would configure the central router with a large username database or use a RADIUS server for centralized authentication. Common misconfigurations include forgetting to set the same authentication type on both ends (e.g., one side CHAP, the other PAP) or mismatched passwords. When misconfigured, the link may come up but authentication fails, causing repeated LCP renegotiations and flapping interfaces. In production, this can cause intermittent connectivity and application timeouts. Cisco HDLC is typically used only on simple Cisco-to-Cisco links where no authentication or compression is needed, such as internal backbone links within a data center. However, even then, many engineers prefer PPP for its diagnostic features (like LCP keepalives) and flexibility.
The CCNA 200-301 exam tests your understanding of HDLC and PPP in the context of WAN technologies (objective 3.0: Network Access). Key areas include: (1) Identifying the default encapsulation on Cisco serial interfaces (Cisco HDLC). (2) Knowing that Cisco HDLC is proprietary and incompatible with other vendors. (3) Understanding PPP components: LCP and NCP. (4) Configuring PPP authentication (CHAP vs PAP). (5) Troubleshooting encapsulation mismatches. Common wrong answers: Candidates often think HDLC is an open standard (it's not; only the original HDLC is, but Cisco's version is proprietary). Another trap: believing that PPP requires authentication (it does not; it's optional). On the exam, you might see a 'show interfaces' output with 'Encapsulation PPP, LCP Closed' – this indicates LCP negotiation failed, often due to authentication mismatch or MRU mismatch. A classic scenario: two routers with 'encapsulation ppp' and 'ppp authentication chap' configured, but the usernames don't match the remote hostname – the link will be up but authentication fails. The debug output 'CHAP: O FAILURE' is a giveaway. Also remember that PPP supports multiple network layer protocols via NCPs; if you see 'Open: IPCP, CDPCP', it's working. For calculations: none directly, but know that MRU default is 1500 bytes. Elimination strategy: If a question asks 'which encapsulation is standard and supports authentication?', eliminate Cisco HDLC immediately. If it asks about a link between a Cisco and a Juniper router, the answer must be PPP.
Cisco HDLC is the default encapsulation on Cisco serial interfaces and is proprietary.
PPP is an open standard (RFC 1661) that supports authentication, compression, and multilink.
PPP uses LCP to establish and configure the link, and NCP (e.g., IPCP) for network layer parameters.
CHAP uses a three-way handshake with MD5 hashing; PAP sends passwords in clear text.
The command 'encapsulation ppp' changes the encapsulation on a serial interface.
Use 'show interfaces serial x/y/z' to verify encapsulation and LCP/NCP status.
Encapsulation mismatch causes the line protocol to go down.
These come up on the exam all the time. Here's how to tell them apart.
Cisco HDLC
Proprietary (Cisco only)
Default encapsulation on Cisco serial interfaces
No built-in authentication
No compression or multilink support
Simple frame with Protocol Type field
Cannot interoperate with non-Cisco devices
PPP
Open standard (RFC 1661)
Must be explicitly configured
Supports PAP and CHAP authentication
Supports compression (Stacker, Predictor) and Multilink PPP
Uses LCP and NCP for negotiation
Works with any vendor equipment
Mistake
HDLC is an open standard that works between any vendors.
Correct
Standard HDLC is an ISO standard, but Cisco HDLC is proprietary due to a 2-byte Protocol Type field. It only works between Cisco devices.
Candidates confuse the original HDLC with Cisco's implementation.
Mistake
PPP always requires authentication to establish a link.
Correct
Authentication is optional. A PPP link can be established without any authentication if not configured.
Many CCNA labs configure authentication, leading to the assumption it's mandatory.
Mistake
PAP is more secure than CHAP because it uses passwords.
Correct
CHAP is more secure because it uses a three-way handshake and never sends the password in clear text; it uses an MD5 hash. PAP sends the password in clear text.
The word 'password' in PAP might mislead candidates into thinking it's secure.
Mistake
If the line protocol is up, PPP authentication must have succeeded.
Correct
The line protocol can be up even if authentication is not configured or fails (if authentication is optional). However, if authentication is configured and fails, the link will not reach the Network phase and LCP will remain closed or restart.
Candidates assume line protocol up implies full connectivity, but authentication failure can cause a down state in the Network phase.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
The default encapsulation is Cisco HDLC. This is a proprietary version of HDLC that includes a 2-byte Protocol Type field. It works only between Cisco devices. To use PPP, you must explicitly configure 'encapsulation ppp' on the interface.
First, create a username on each router that matches the hostname of the remote router (case-sensitive). For example, on R1: 'username R2 password cisco123'. Then, under the serial interface, use 'encapsulation ppp' and 'ppp authentication chap'. Both ends need matching usernames and passwords. Optionally, you can use 'ppp authentication chap pap' to try CHAP first, then PAP.
PAP (Password Authentication Protocol) sends the username and password in clear text during authentication. It is a two-way handshake. CHAP (Challenge Handshake Authentication Protocol) uses a three-way handshake: the authenticator sends a challenge, the peer responds with an MD5 hash of the challenge plus the password, and the authenticator compares the hash. CHAP is more secure because the password is never sent over the link.
Yes, authentication is optional. You can configure 'encapsulation ppp' without any 'ppp authentication' command. The link will establish LCP and NCP without authentication. This is common in lab environments or trusted networks.
LCP Closed indicates that the LCP negotiation has not completed or has failed. Possible causes: encapsulation mismatch (one side is HDLC), authentication failure, or mismatched LCP options (e.g., MRU). Use 'debug ppp negotiation' to see the LCP packets and identify the issue.
Use 'show interfaces serial0/0/0' and look for 'Encapsulation PPP, LCP Open'. Also check 'Open: IPCP, CDPCP' to see which NCPs are active. 'show ppp interfaces brief' gives a summary. 'debug ppp authentication' and 'debug ppp negotiation' are useful for troubleshooting.
Multilink PPP (MLP) allows multiple physical serial links to be bundled into one logical link, increasing bandwidth and providing load balancing. It is configured by creating a multilink interface (e.g., 'interface multilink1'), assigning an IP address, and then adding physical interfaces to the bundle with 'ppp multilink group 1'. Each physical interface must have 'encapsulation ppp' and 'ppp multilink' enabled.
You've just covered PPP and HDLC — now see how well it sticks with free CCNA 200-301 practice questions. Full explanations included, no account needed.
Done with this chapter?