Three Legacy WAN Protocols You’ll Still See
HDLC, PPP, and Frame Relay are all on the way out, replaced by MPLS, SD-WAN, and Internet-based VPN. But all three still appear on Cisco certifications, on inherited networks running 10-year-old gear, and in service-provider environments where the underlying transport hasn’t been refreshed. This article covers the configuration patterns and key differences for all three.
HDLC — The Cisco Default
HDLC (High-Level Data Link Control) is Cisco’s proprietary point-to-point encapsulation for serial links. It’s the default; if you bring up a serial interface and don’t configure encapsulation, you get HDLC.
R1(config)# interface Serial0/0
R1(config-if)# encapsulation hdlc
R1(config-if)# ip address 10.0.0.1 255.255.255.252
R1(config-if)# no shutdownWhat HDLC gives you: simple framing, point-to-point. What it doesn’t: authentication, compression, multilink, multi-protocol support. Cisco-only — doesn’t interoperate with non-Cisco devices’ HDLC implementations.
Use HDLC only when both ends are Cisco and you don’t need authentication. Otherwise, PPP.
PPP — The Standard, with Authentication
PPP (Point-to-Point Protocol) is the IETF standard, supports any-vendor interop, and gives you PAP/CHAP authentication out of the box. Modern WAN serial: PPP.
R1(config)# interface Serial0/0
R1(config-if)# encapsulation ppp
R1(config-if)# ip address 10.0.0.1 255.255.255.252
R1(config-if)# no shutdownThat alone gets you PPP without authentication. To add CHAP:
! On both routers
R1(config)# username R2 password Sec
R1(config)# interface Serial0/0
R1(config-if)# ppp authentication chap
R2(config)# username R1 password Sec
R2(config)# interface Serial0/0
R2(config-if)# ppp authentication chapNote the cross-username pattern: R1 has a local username for R2 (and vice versa). The password must match on both ends. CHAP uses challenge-response with a hash — the password never crosses the wire.
PAP — Cleartext Authentication
R1(config-if)# ppp authentication pap
R1(config-if)# ppp pap sent-username R1 password 0 SecPAP sends the password in cleartext. Don’t use it unless interop with a peer that doesn’t support CHAP forces you to.
PPP Compression and Multilink
R1(config-if)# compress stac
! Multilink groups two serial interfaces into one logical link
R1(config-if)# ppp multilink
R1(config-if)# ppp multilink group 1
R1(config)# interface Multilink1
R1(config-if)# ip address 10.0.0.1 255.255.255.252PPPoA — PPP over ATM (DSL)
Common for DSL access where the ISP delivers via ATM:
R1(config)# interface ATM0
R1(config-if)# no ip address
R1(config-if)# pvc 0/35
R1(config-if-atm-vc)# encapsulation aal5mux ppp dialer
R1(config-if-atm-vc)# dialer pool-member 1
R1(config)# interface Dialer1
R1(config-if)# ip address negotiated
R1(config-if)# encapsulation ppp
R1(config-if)# dialer pool 1
R1(config-if)# ppp authentication chap callin
R1(config-if)# ppp chap hostname customer@isp.net
R1(config-if)# ppp chap password 0 ISPPasswordFrame Relay — Multi-Site WAN of the 1990s
Frame Relay is a packet-switched WAN technology with virtual circuits identified by DLCIs. Almost entirely retired in favor of MPLS, but still tested.
Basic Frame Relay (single physical interface)
R1(config)# interface Serial0/0
R1(config-if)# encapsulation frame-relay
R1(config-if)# ip address 10.0.0.1 255.255.255.0
R1(config-if)# frame-relay lmi-type cisco
R1(config-if)# frame-relay map ip 10.0.0.2 102 broadcast
R1(config-if)# no shutdownThree things specific to Frame Relay:
- DLCI (Data Link Connection Identifier) — locally significant number identifying a virtual circuit. The provider gives you DLCIs at provisioning.
- LMI (Local Management Interface) — signaling between you and the provider switch. Cisco, ANSI, or Q.933a; usually auto-detected.
- Frame Relay Map — manual map of remote-IP → DLCI. Required if Inverse ARP doesn’t auto-discover.
broadcastkeyword needed for routing protocols to work over Frame Relay.
Frame Relay with sub-interfaces (recommended)
Sub-interfaces solve the split-horizon problem on multipoint Frame Relay:
R1(config)# interface Serial0/0
R1(config-if)# encapsulation frame-relay
R1(config-if)# no ip address
R1(config-if)# no shutdown
R1(config)# interface Serial0/0.102 point-to-point
R1(config-subif)# ip address 10.0.0.1 255.255.255.252
R1(config-subif)# frame-relay interface-dlci 102
R1(config)# interface Serial0/0.103 point-to-point
R1(config-subif)# ip address 10.0.1.1 255.255.255.252
R1(config-subif)# frame-relay interface-dlci 103Each sub-interface treats its DLCI as a point-to-point link — routing protocols work without manual broadcast keyword and split-horizon doesn’t block routing-info propagation.
Verifying Frame Relay
R1# show frame-relay map
R1# show frame-relay pvc
R1# show frame-relay lmi
R1# show interface Serial0/0Common Pitfalls
- HDLC mismatch with non-Cisco peer. Cisco HDLC isn’t standards-compliant. If the other end isn’t Cisco, use PPP.
- PPP CHAP password mismatch. Both ends must agree exactly.
service password-encryptionin the middle of debugging makes diffs hard to read. - Frame Relay split-horizon. On a multipoint Frame Relay interface with one DLCI per spoke, EIGRP/RIP routes from spoke A don’t propagate to spoke B because of split-horizon. Use sub-interfaces or disable split-horizon explicitly.
- Inverse ARP not working. Some Frame Relay configurations need explicit
frame-relay mapstatements. Tryshow frame-relay map— if the remote IP isn’t there, add it manually. - DCE clocking on lab serial. One end needs
clock rate; production has CSU/DSU clocking. In labs, decide which side is DCE and putclock rate 64000there. - Frame Relay LMI mismatch. Defaults to auto-detect on modern IOS. If LMI shows down, the type is wrong — manually set
frame-relay lmi-type cisco | ansi | q933a.
Conclusion
HDLC, PPP, and Frame Relay represent three eras of Cisco serial WAN. The decision tree is short:
- Both ends Cisco, no auth needed: HDLC works.
- Mixed vendors, or auth needed: PPP with CHAP.
- Multi-site WAN over a service-provider Frame Relay cloud: Frame Relay with point-to-point sub-interfaces.
For greenfield deployments today: none of these. Use Ethernet handoffs from the provider, MPLS L3VPN, or SD-WAN over Internet. But for legacy gear and certifications, all three remain table stakes.