# The PPP frame structure is similar to HDLC, with a few modifications
# LCP packets fall into 3 classes:
# 1. Link Configuration packets, used to establish and configure a link (Configure-Request, Configure-Ack, Configure-Nak, and Configure-Reject).
# 2. Link Termination packets, used to terminate a link (Terminate-Request and Terminate-Ack).
# 3. Link Maintenance packets, used to manage and debug a link (Code-Reject, Protocol-Reject, Echo-Request, Echo-Reply, and Discard-Request).
# LCP (Link Control Protocol)
R2#username r2 password 0 r2
R2#interface Serial2/2
R2#ip address 202.100.23.2 255.255.255.0
R2#encapsulation ppp
R2#ppp authentication pap
# When encapsulation ppp is configured, a Configure-Request is sent
Frame 49: 14 bytes on wire (112 bits), 14 bytes captured (112 bits) on interface 0
Point-to-Point Protocol
    Address: 0xff                               # 0xFF, the standard broadcast address: every station accepts the frame
    Control: 0x03
    Protocol: Link Control Protocol (0xc021)    # protocol field: 0xC021 for LCP, 0x80xy for the various NCPs, 0x0021 for IP
PPP Link Control Protocol
    Code: Configuration Request (1)             # LCP link establishment request: Configure-Request
    Identifier: 1 (0x01)
    Length: 10
    Options: (6 bytes), Magic Number            # the Magic Number is used for loop detection: check whether it equals our own Magic Number
        Magic Number: 0xbc0f842c
            Type: Magic Number (5)
            Length: 6
            Magic Number: 0xbc0f842c
R3#interface Serial3/3
R3#ip address 202.100.23.3 255.255.255.0
R3#encapsulation ppp
# When a Configure-Request is received but one of its parameters is not acceptable (PAP is not configured here), a Configuration Nak is returned
Frame 50: 13 bytes on wire (104 bits), 13 bytes captured (104 bits) on interface 0
Point-to-Point Protocol
    Address: 0xff
    Control: 0x03
    Protocol: Link Control Protocol (0xc021)
PPP Link Control Protocol
    Code: Configuration Nak (3)
    Identifier: 1 (0x01)
    Length: 9
    Options: (5 bytes), Authentication Protocol
        Authentication Protocol: Challenge Handshake Authentication Protocol (0xc223)
            Type: Authentication Protocol (3)
            Length: 5
            Authentication Protocol: Challenge Handshake Authentication Protocol (0xc223)
            Algorithm: CHAP with MD5 (5)
R3#interface Serial3/3
R3#ip address 202.100.23.3 255.255.255.0
R3#encapsulation ppp
R3#ppp pap sent-username r2 password r2
# If every configuration option and all of the values received in the Configure-Request are acceptable, the implementation must transmit a Configure-Ack
Frame 51: 14 bytes on wire (112 bits), 14 bytes captured (112 bits) on interface 0
Point-to-Point Protocol
    Address: 0xff
    Control: 0x03
    Protocol: Link Control Protocol (0xc021)
PPP Link Control Protocol
    Code: Configuration Ack (2)                 # LCP link establishment confirmation: Configuration Ack
    Identifier: 1 (0x01)                        # sent when every LCP option value in the most recently received Configure-Request is recognizable and acceptable
    Length: 10                                  # once a PPP peer has both sent and received a Configure-Ack, LCP negotiation is complete
    Options: (6 bytes), Magic Number
        Magic Number: 0xbc0f842c
            Type: Magic Number (5)
            Length: 6
            Magic Number: 0xbc0f842c
R3#interface Serial3/3
R3#ip address 202.100.23.3 255.255.255.0
R3#encapsulation ppp
# If some configuration options received in the Configure-Request are not recognizable or are not acceptable for negotiation (as configured by the network administrator), the implementation must transmit a Configure-Reject
# Provides user authentication -- PAP
Frame 61: 12 bytes on wire (96 bits), 12 bytes captured (96 bits) on interface 0
Point-to-Point Protocol
    Address: 0xff
    Control: 0x03
    Protocol: Link Control Protocol (0xc021)
PPP Link Control Protocol
    Code: Configuration Reject (4)
    Identifier: 6 (0x06)
    Length: 8
    Options: (4 bytes), Authentication Protocol
        Authentication Protocol: Password Authentication Protocol (0xc023)
            Type: Authentication Protocol (3)
            Length: 4
            Authentication Protocol: Password Authentication Protocol (0xc023)
# After user authentication fails (wrong password), the link is terminated
328 84.473122 N/A N/A PPP PAP 14 Authenticate-Request (Peer-ID='r2', Password='r1')   # transmitted in cleartext
329 84.477776 N/A N/A PPP PAP 30 Authenticate-Nak (Message='Authentication failed')
330 84.478314 N/A N/A PPP LCP 8 Termination Request
331 84.479937 N/A N/A PPP LCP 8 Termination Ack
# Echo-Request and Echo-Reply packets must only be sent in the LCP Opened state;
# Echo-Request and Echo-Reply packets received in any state other than Opened should be silently discarded.
# Provides a keep-alive function
568 214.489492 N/A N/A PPP LCP 16 Echo Request
569 214.490944 N/A N/A PPP LCP 16 Echo Reply
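To make the LCP dissections above concrete, here is an added Python decoder (example code, not part of these notes and not router or Wireshark code) that parses the PPP Address/Control/Protocol header, the control-protocol Code/Identifier/Length header and the TLV options, and applies the Magic-Number loop check mentioned in the first comment. The three byte strings are reconstructed from the field values shown for frames 49, 50 and 61; every length is validated against the buffer, so a truncated or malformed frame raises rather than being over-read. All function and constant names are this example's own.

```python
"""Decoder for PPP control-protocol frames (LCP/IPCP) with the Magic-Number loop check.
Added example; byte strings below are reconstructed from frames 49, 50 and 61 above."""
import struct
from dataclasses import dataclass, field
from typing import List

PPP_PROTOCOLS = {0xC021: "LCP", 0x8021: "IPCP", 0xC023: "PAP", 0xC223: "CHAP", 0x0021: "IP"}
CP_CODES = {1: "Configure-Request", 2: "Configure-Ack", 3: "Configure-Nak", 4: "Configure-Reject",
            5: "Terminate-Request", 6: "Terminate-Ack", 7: "Code-Reject", 8: "Protocol-Reject",
            9: "Echo-Request", 10: "Echo-Reply", 11: "Discard-Request"}
CONFIGURE_CODES = (1, 2, 3, 4)   # only these carry a list of options


@dataclass
class Option:
    type: int
    data: bytes


@dataclass
class ControlPacket:
    protocol: int
    code: int
    identifier: int
    options: List[Option] = field(default_factory=list)

    @property
    def code_name(self) -> str:
        return CP_CODES.get(self.code, "Unknown(%d)" % self.code)


def parse_ppp_control(frame: bytes) -> ControlPacket:
    """Parse Address/Control/Protocol, then Code/Identifier/Length and the TLV options.
    Every length is checked against the buffer so a malformed frame raises instead of over-reading."""
    if len(frame) < 8:
        raise ValueError("frame too short for PPP + control-protocol headers")
    address, control, protocol = struct.unpack("!BBH", frame[:4])
    if address != 0xFF or control != 0x03:
        raise ValueError("unexpected Address/Control bytes (expected 0xff 0x03)")
    code, identifier, length = struct.unpack("!BBH", frame[4:8])
    if length < 4 or 4 + length > len(frame):
        raise ValueError("Length field %d inconsistent with %d-byte frame" % (length, len(frame)))
    body = frame[8:4 + length]
    options: List[Option] = []
    if code in CONFIGURE_CODES:
        pos = 0
        while pos < len(body):
            if pos + 2 > len(body):
                raise ValueError("truncated option header")
            otype, olen = body[pos], body[pos + 1]
            if olen < 2 or pos + olen > len(body):
                raise ValueError("option %d has bad length %d" % (otype, olen))
            options.append(Option(otype, bytes(body[pos + 2:pos + olen])))
            pos += olen
    return ControlPacket(protocol, code, identifier, options)


def describe_option(protocol: int, opt: Option) -> str:
    """Render the options this page shows: LCP Magic-Number and Authentication-Protocol, IPCP IP-Address."""
    if protocol == 0xC021 and opt.type == 5 and len(opt.data) == 4:
        return "Magic-Number 0x%08x" % struct.unpack("!I", opt.data)[0]
    if protocol == 0xC021 and opt.type == 3 and len(opt.data) >= 2:
        auth = struct.unpack("!H", opt.data[:2])[0]
        text = "Authentication-Protocol %s (0x%04x)" % (PPP_PROTOCOLS.get(auth, "unknown"), auth)
        if len(opt.data) > 2:          # CHAP carries a one-byte algorithm (5 = MD5)
            text += ", algorithm %d" % opt.data[2]
        return text
    if protocol == 0x8021 and opt.type == 3 and len(opt.data) == 4:
        return "IP-Address %s" % ".".join(str(b) for b in opt.data)
    return "Option %d (%d bytes)" % (opt.type, len(opt.data))


def looped_back(local_magic: int, pkt: ControlPacket) -> bool:
    """Loop detection: a Configure-Request that carries our own Magic-Number came from ourselves."""
    if pkt.protocol != 0xC021 or pkt.code != 1:
        return False
    return any(opt.type == 5 and len(opt.data) == 4 and struct.unpack("!I", opt.data)[0] == local_magic
               for opt in pkt.options)


# Reconstructed from the dissections above (constructed test data, not raw capture bytes).
FRAME_49 = bytes.fromhex("ff03c021" "0101000a" "0506bc0f842c")   # Configure-Request, Magic-Number
FRAME_50 = bytes.fromhex("ff03c021" "03010009" "0305c22305")     # Configure-Nak, suggests CHAP/MD5
FRAME_61 = bytes.fromhex("ff03c021" "04060008" "0304c023")       # Configure-Reject of PAP

if __name__ == "__main__":
    for raw in (FRAME_49, FRAME_50, FRAME_61):
        pkt = parse_ppp_control(raw)
        print(pkt.code_name, "id=%d" % pkt.identifier, [describe_option(pkt.protocol, o) for o in pkt.options])
    print("loop detected:", looped_back(0xBC0F842C, parse_ppp_control(FRAME_49)))
```

The loop check is the defensive use of the Magic Number: if the Configure-Request we receive carries the value we ourselves sent, the line is looped back and the link must not be declared up.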
# IPCP has only 7 packet types, and these are simply a subset of the LCP packet types
# (only the seven with LCP Code field 1 to 7: Config-Request, Config-Ack, Config-Nak, Config-Reject, Terminate-Request, Terminate-Ack and Code-Reject),
# and in practice the link termination packets are generally not used during the network-layer protocol phase.
# Once LCP is in the OPEN state, NCP negotiation takes place; it is either static or dynamic
25 71.185532 N/A N/A PPP LCP 14 Configuration Ack
26 71.187428 N/A N/A PPP LCP 14 Configuration Ack
27 71.198927 N/A N/A PPP IPCP 14 Configuration Request
29 71.219095 N/A N/A PPP IPCP 14 Configuration Request
# Static negotiation, that is, no negotiation at all. Both ends of the point-to-point link already have IP addresses configured before PPP negotiation,
# so there is no need to negotiate IP addresses in the network-layer protocol phase; the only thing each side does is tell the peer its own IP address.
Frame 27: 14 bytes on wire (112 bits), 14 bytes captured (112 bits) on interface 0
Point-to-Point Protocol
    Address: 0xff
    Control: 0x03
    Protocol: Internet Protocol Control Protocol (0x8021)
PPP IP Control Protocol                         # IPCP: each side pushes its address to the peer, which installs it in the routing table (communication works even when the two ends are not in the same subnet)
    Code: Configuration Request (1)             # Configuration Request
    Identifier: 1 (0x01)
    Length: 10
    Options: (6 bytes), IP address
        IP address: 202.100.23.2                # in static negotiation the IPCP Config-Request carries only the IP-address configuration option
            Type: IP address (3)                # sender and receiver both send a Config-Request at the same time, each containing only its own IP address in the options
            Length: 6
            IP Address: 202.100.23.2
Frame 31: 14 bytes on wire (112 bits), 14 bytes captured (112 bits) on interface 0
Point-to-Point Protocol
    Address: 0xff
    Control: 0x03
    Protocol: Internet Protocol Control Protocol (0x8021)
PPP IP Control Protocol
    Code: Configuration Ack (2)                 # when the peer receives the request it sends a Config-Ack, meaning "I now know your IP address";
    Identifier: 1 (0x01)                        # on a router this adds a host route to the peer's interface address
    Length: 10
    Options: (6 bytes), IP address
        IP address: 202.100.23.2
            Type: IP address (3)
            Length: 6
            IP Address: 202.100.23.2
Frame 32: 14 bytes on wire (112 bits), 14 bytes captured (112 bits) on interface 0
Point-to-Point Protocol
    Address: 0xff
    Control: 0x03
    Protocol: Internet Protocol Control Protocol (0x8021)
PPP IP Control Protocol
    Code: Configuration Ack (2)
    Identifier: 1 (0x01)
    Length: 10
    Options: (6 bytes), IP address
        IP address: 202.100.23.3
            Type: IP address (3)
            Length: 6
            IP Address: 202.100.23.3
# Routes are learned this way: directly connected routes to addresses in other subnets are formed
R2#sh ip route 202.100.23.3
Routing entry for 202.100.23.3/32
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
  * directly connected, via Serial2/2
      Route metric is 0, traffic share count is 1
R2#sh ip route 202.100.33.3
Routing entry for 202.100.33.3/32
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
  * directly connected, via Serial2/2
      Route metric is 0, traffic share count is 1
R2#sh ip route 1.1.1.1
Routing entry for 1.1.1.1/32
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
  * directly connected, via Serial2/2
      Route metric is 0, traffic share count is 1
# Dynamic negotiation: one end is configured to obtain its IP address dynamically, the other end has its IP address configured manually and is allowed to assign an address to the peer.
# In this case the sender has to send Config-Request twice to complete its side of the negotiation,
# while the receiver still only needs to send Config-Request once to complete its own side.
R3(config-if)#ip address negotiated
470 1059.708060 N/A N/A PPP IPCP 14 Configuration Request   # sender's first Config-Request
471 1059.708540 N/A N/A PPP IPCP 14 Configuration Request   # receiver's first Config-Request
472 1059.712205 N/A N/A PPP IPCP 14 Configuration Reject    # receiver rejects the sender's first Config-Request
473 1059.712677 N/A N/A PPP IPCP 14 Configuration Ack       # sender acknowledges the receiver's first Config-Request
474 1059.713186 N/A N/A PPP IPCP 8 Configuration Request    # sender's second Config-Request
475 1059.718640 N/A N/A PPP IPCP 8 Configuration Ack        # receiver acknowledges the second Config-Request
# Because the sender has no IP address configured (it obtains one dynamically), the IP address in the IP-address configuration option of its IPCP Config-Request is filled with all zeros (i.e. 0.0.0.0),
Frame 470: 14 bytes on wire (112 bits), 14 bytes captured (112 bits) on interface 0
Point-to-Point Protocol
    Address: 0xff
    Control: 0x03
    Protocol: Internet Protocol Control Protocol (0x8021)
PPP IP Control Protocol
    Code: Configuration Request (1)             # IPCP Config-Request packet
    Identifier: 1 (0x01)
    Length: 10
    Options: (6 bytes), IP address
        IP address: 0.0.0.0                     # IP address filled with all zeros
            Type: IP address (3)
            Length: 6
            IP Address: 0.0.0.0
# Normal IPCP packet carrying a specified IP address
Frame 471: 14 bytes on wire (112 bits), 14 bytes captured (112 bits) on interface 0
Point-to-Point Protocol
    Address: 0xff
    Control: 0x03
    Protocol: Internet Protocol Control Protocol (0x8021)
PPP IP Control Protocol
    Code: Configuration Request (1)
    Identifier: 2 (0x02)
    Length: 10
    Options: (6 bytes), IP address
        IP address: 202.100.23.2
            Type: IP address (3)
            Length: 6
            IP Address: 202.100.23.2
# When the receiver gets this Config-Request it inspects the IP address; if it is all zeros, it regards the peer's address as not the value it wants,
# so it replies with a Config-Nak and fills the IP address it wishes to assign to the peer into the Config-Nak.
# (In this capture, though, frame 472 is a Configuration Reject of the 0.0.0.0 option rather than a Nak, and the second Request in frame 474 carries no options at all.)
Frame 472: 14 bytes on wire (112 bits), 14 bytes captured (112 bits) on interface 0
Point-to-Point Protocol
    Address: 0xff
    Control: 0x03
    Protocol: Internet Protocol Control Protocol (0x8021)
PPP IP Control Protocol
    Code: Configuration Reject (4)
    Identifier: 1 (0x01)
    Length: 10
    Options: (6 bytes), IP address
        IP address: 0.0.0.0
            Type: IP address (3)
            Length: 6
            IP Address: 0.0.0.0
# Normal ACK packet for the specified IP address
Frame 473: 14 bytes on wire (112 bits), 14 bytes captured (112 bits) on interface 0
Point-to-Point Protocol
    Address: 0xff
    Control: 0x03
    Protocol: Internet Protocol Control Protocol (0x8021)
PPP IP Control Protocol
    Code: Configuration Ack (2)
    Identifier: 2 (0x02)
    Length: 10
    Options: (6 bytes), IP address
        IP address: 202.100.23.2
            Type: IP address (3)
            Length: 6
            IP Address: 202.100.23.2
# When the sender receives the Config-Nak, it sends a new Config-Request whose IP-address option carries the address the peer supplied in the Nak.
Frame 474: 8 bytes on wire (64 bits), 8 bytes captured (64 bits) on interface 0
Point-to-Point Protocol
    Address: 0xff
    Control: 0x03
    Protocol: Internet Protocol Control Protocol (0x8021)
PPP IP Control Protocol
    Code: Configuration Request (1)
    Identifier: 2 (0x02)
    Length: 4
Frame 475: 8 bytes on wire (64 bits), 8 bytes captured (64 bits) on interface 0
Point-to-Point Protocol
    Address: 0xff
    Control: 0x03
    Protocol: Internet Protocol Control Protocol (0x8021)
PPP IP Control Protocol
    Code: Configuration Ack (2)
    Identifier: 2 (0x02)
    Length: 4
# Show the negotiated IP address; a route to the local subnet is present
R3(config-if)#do sh ip int s3/3
Serial3/3 is up, line protocol is up
  Internet address will be negotiated using IPCP
  Broadcast address is 255.255.255.255
R2(config-if)#do sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is not set

      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, Ethernet1/1
L        192.168.1.2/32 is directly connected, Ethernet1/1
      202.100.23.0/24 is variably subnetted, 2 subnets, 2 masks
C        202.100.23.0/24 is directly connected, Serial2/2
L        202.100.23.2/32 is directly connected, Serial2/2
R2(config-if)#
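The dynamic IPCP exchange above has two possible outcomes depending on what the responder can offer: the textbook Config-Nak carrying an assigned address, or (as in frames 472 to 475) a Config-Reject after which the requester drops the option and ends up with no negotiated address. The following added Python model (example code, not from these notes or any router firmware) implements the responder's decision for the IP-Address option and the requester's retry loop; the `assignable` parameter is a hypothetical stand-in for whatever address the responder is configured to hand out, and the R2/R3 addresses are taken from the capture.

```python
"""Responder-side IPCP IP-Address option handling, modelled on the dynamic exchange above.
Added example: 'assignable' stands in for the address a router is configured to give its peer."""
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ACK, NAK, REJ = "Configure-Ack", "Configure-Nak", "Configure-Reject"
UNSPECIFIED = IPv4Address("0.0.0.0")
Step = Tuple[Optional[IPv4Address], str, Optional[IPv4Address]]   # (requested, reply code, address in reply)

# Addresses from the capture above; used by the demo and tests.
R2_ADDRESS = IPv4Address("202.100.23.2")
R3_OFFER = IPv4Address("202.100.23.3")


def handle_ip_address_option(requested: IPv4Address, local_address: IPv4Address,
                             assignable: Optional[IPv4Address]) -> Tuple[str, Optional[IPv4Address]]:
    """Decide how to answer the peer's IP-Address option (RFC 1332 semantics).
    Returns (reply code, address carried in the reply)."""
    if requested == UNSPECIFIED:
        if assignable is None:
            # Nothing to offer: the option is rejected, which is what frame 472 above shows.
            return REJ, requested
        # Textbook path: Nak carrying the address we want the peer to use.
        return NAK, assignable
    if requested == local_address:
        # The peer claims our own address: offer a different one or refuse the option.
        return (NAK, assignable) if assignable is not None else (REJ, requested)
    return ACK, requested


def negotiate(first_request: IPv4Address, responder_local: IPv4Address,
              assignable: Optional[IPv4Address], max_rounds: int = 3) -> Tuple[Optional[IPv4Address], List[Step]]:
    """Run the requester/responder loop until the responder Acks.
    Returns (address the requester ends up with, transcript of rounds)."""
    transcript: List[Step] = []
    requested = first_request
    for _ in range(max_rounds):
        code, addr = handle_ip_address_option(requested, responder_local, assignable)
        transcript.append((requested, code, addr))
        if code == ACK:
            return requested, transcript
        if code == NAK and addr is not None:
            requested = addr            # re-send Configure-Request with the suggested address
            continue
        # Reject: the requester must drop the option; its next Request has no options
        # and is Acked (frames 474/475), leaving it without a negotiated address.
        transcript.append((None, ACK, None))
        return None, transcript
    raise RuntimeError("IPCP did not converge within %d rounds" % max_rounds)


if __name__ == "__main__":
    # Constructed scenario: R3 asks for 0.0.0.0, R2 can hand out 202.100.23.3.
    print(negotiate(UNSPECIFIED, R2_ADDRESS, R3_OFFER))
    # Same request against a responder with nothing to assign: Reject, then option-less Ack.
    print(negotiate(UNSPECIFIED, R2_ADDRESS, None))
```

The second scenario is the one to recognise when troubleshooting: the link comes up and IPCP reaches Ack, yet `show ip interface` still reports that the address "will be negotiated", because the only Ack was for a Request with no options.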
# PPP authentication: unlike HDLC, PPP provides user authentication
# Challenge-Handshake Authentication Protocol
# CHAP periodically verifies the identity of the peer with a three-way handshake; this is done on initial link establishment and may be repeated at any time after the link has been established.
R2#interface Serial2/2
R2#ip address 202.100.23.2 255.255.255.0
R2#encapsulation ppp
R2#ppp authentication chap
R2#serial restart-delay 0
# 1. After the link establishment phase is complete, the authenticator sends a "challenge" message to the peer
1 0.000000 N/A N/A PPP LCP 14 Configuration Request   # after Configuration Request and Configuration Ack have been exchanged in both directions, LCP link establishment is complete
2 0.021263 N/A N/A PPP LCP 19 Configuration Request
3 0.021402 N/A N/A PPP LCP 14 Configuration Ack
4 0.028010 N/A N/A PPP LCP 19 Configuration Ack
5 0.059900 N/A N/A PPP CHAP 27 Challenge (NAME='R2', VALUE=0xe8affa5379025f888c6d22ff52aff757)   # once LCP link establishment is complete, R2 initiates the Challenge
Frame 3317: 27 bytes on wire (216 bits), 27 bytes captured (216 bits) on interface 0
Point-to-Point Protocol
    Address: 0xff
    Control: 0x03
    Protocol: Challenge Handshake Authentication Protocol (0xc223)
PPP Challenge Handshake Authentication Protocol
    Code: Challenge (1)
    Identifier: 1
    Length: 23
    Data
        Value Size: 16
        Value: e85aa3c02b52edb78c6d22ff000a1cfb
        Name: R2
R3#interface Serial3/3
R3#ip address 202.100.23.3 255.255.255.0
R3#encapsulation ppp
R3#ppp chap hostname r2
R3#ppp chap password 0 r2                       # drawback: the secret is configured in plaintext
R3#serial restart-delay 0
# 2. The peer computes a hash value and returns it as the response
Frame 3318: 27 bytes on wire (216 bits), 27 bytes captured (216 bits) on interface 0
Point-to-Point Protocol
    Address: 0xff
    Control: 0x03
    Protocol: Challenge Handshake Authentication Protocol (0xc223)
PPP Challenge Handshake Authentication Protocol
    Code: Response (2)
    Identifier: 1
    Length: 23
    Data
        Value Size: 16
        Value: 2f9020d01b7b41ba6c754b014a8e6767   # hash value
        Name: r2                                   # username
# 3. The authenticator checks the response against its own calculation of the expected hash value; if the values match, the authentication is acknowledged, otherwise the connection should be terminated.
# Authentication fails: the connection is terminated
3317 1534.518709 N/A N/A PPP CHAP 27 Challenge (NAME='R2', VALUE=0xe85aa3c02b52edb78c6d22ff000a1cfb)
3318 1534.525085 N/A N/A PPP CHAP 27 Response (NAME='r2', VALUE=0x2f9020d01b7b41ba6c754b014a8e6767)
3319 1534.526536 N/A N/A PPP CHAP 29 Failure (MESSAGE='Authentication failed')
3320 1534.527368 N/A N/A PPP LCP 8 Termination Request
3321 1534.528521 N/A N/A PPP LCP 8 Termination Ack
# Authentication succeeds: NCP proceeds and both sides push their addresses
3874 1669.630159 N/A N/A PPP CHAP 27 Challenge (NAME='R2', VALUE=0x3695e79508d494098c6d22fffd432110)
3875 1669.635094 N/A N/A PPP CHAP 27 Response (NAME='r2', VALUE=0x0695a3e64fb3a059987d1ff616e1a846)
3876 1669.643600 N/A N/A PPP CHAP 8 Success (MESSAGE='')
3877 1669.645975 N/A N/A PPP IPCP 14 Configuration Request
3878 1669.646095 N/A N/A PPP IPCP 14 Configuration Request
3880 1669.646844 N/A N/A PPP IPCP 14 Configuration Ack
3881 1669.647354 N/A N/A PPP IPCP 14 Configuration Ack
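The three CHAP steps above, as an added Python example (not from these notes or from any router implementation): the response is MD5 over Identifier, shared secret and Challenge value as defined in RFC 1994, and the authenticator recomputes it for the claimed name and compares in constant time. The challenge value in the demo is taken from frame 3317; the secret table is constructed for the example and stands in for the router's `username ... password ...` entries, so the demo is not claimed to reproduce the captured Response value (that attempt ended in Failure, so the secrets on the page's routers evidently did not match).

```python
"""CHAP with MD5 (RFC 1994): response computation and authenticator-side verification.
Added example; the secret table below is constructed and stands in for the router's
'username ... password ...' entries."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed: the authenticator's local database of peer names and shared secrets.
SECRETS: Dict[str, bytes] = {"r2": b"r2"}


def chap_md5_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Response Value = MD5(Identifier || secret || Challenge Value); always 16 bytes."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def new_challenge(size: int = 16) -> bytes:
    """Step 1: the authenticator picks a fresh, unpredictable challenge for every attempt."""
    return os.urandom(size)


def authenticate(name: str, identifier: int, challenge: bytes, response: bytes,
                 secrets: Dict[str, bytes] = SECRETS) -> bool:
    """Step 3: recompute the expected hash for the claimed name and compare in constant time.
    Unknown names and wrong-sized responses fail without revealing which check tripped."""
    secret = secrets.get(name)
    if secret is None or len(response) != hashlib.md5().digest_size:
        return False
    expected = chap_md5_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def run_handshake(peer_name: str, peer_secret: bytes, identifier: int = 1,
                  challenge: Optional[bytes] = None) -> Tuple[str, str]:
    """Simulate the three messages: Challenge -> Response -> Success/Failure.
    Returns the final CHAP code and the LCP action that follows it, as in the captures above."""
    challenge = challenge or new_challenge()
    response = chap_md5_response(identifier, peer_secret, challenge)        # step 2, on the peer
    if authenticate(peer_name, identifier, challenge, response):
        return "Success", "proceed to NCP (IPCP) negotiation"
    return "Failure", "LCP Terminate-Request"


if __name__ == "__main__":
    # Challenge value taken from frame 3317 above; the secrets are this example's own.
    ch = bytes.fromhex("e85aa3c02b52edb78c6d22ff000a1cfb")
    print(run_handshake("r2", b"r2", challenge=ch))   # matching secret
    print(run_handshake("r2", b"r1", challenge=ch))   # wrong secret, like the PAP attempt with Password='r1'
```

Two properties worth noting against the PAP capture earlier on the page: the shared secret never crosses the wire (only the hash of it bound to a one-time challenge does), and because the Identifier is part of the hash a Response recorded for one attempt does not verify against a later Challenge.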
Other PPP topics
Loop detection: magic number (check whether it is the same as our own magic number)
Multiple port-channel