Cisco routers: HDLC and PPP

HDLC is generally not recommended, for two reasons:
1. Cisco's HDLC frame header carries a proprietary protocol-type field:
   The benefit: it lets HDLC carry several protocols (IP/IPX/AT (AppleTalk)) on one link.
   The drawback: it only interoperates with other Cisco devices, not with other vendors' equipment.
   (Reason: standard HDLC has no protocol field and therefore carries a single protocol, in practice IP. Cisco's added field enables multiprotocol operation but breaks compatibility with other vendors.)
Cisco uses HDLC as the default layer-2 encapsulation on serial interfaces.

2. HDLC has no authentication mechanism, so neither end can verify who is on the other side of the link.

PPP is recommended instead.
PPP has several optional components that improve both network security and performance
(PPP supports authentication).

SLIP is effectively PPP's predecessor; it has a single function and is obsolete.

On Cisco devices, serial links use HDLC by default;
on Huawei devices, the default is PPP.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

PPP (Point-to-Point Protocol)

PPP is an open industry standard (RFC 1661) that supports a multiprotocol environment; every vendor can implement it.

HDLC vs. PPP:
HDLC (standard) does not support multiple protocols; PPP does.
HDLC does not support authentication; PPP does.

LCP (Link Control Protocol)
Establishes, configures, maintains and tears down the data-link connection over the physical (L1) link.

NCP (Network Control Protocol)
One NCP per L3 protocol (ipcp, ipxcp, ...) presents a uniform interface to the network layer.

LCP negotiates four main option groups:
1 authentication (PAP/CHAP)
2 callback     Jia Lei's note: lets the called side bear the cost, for billing purposes
3 compression
4 multilink bundling

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Default interface encapsulations:
R1#sh int s0
Serial0 is up, line protocol is up
Hardware is HD64570
Internet address is 12.0.0.1/24
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
Encapsulation HDLC, loopback not set

R1#sh int e0
Ethernet0 is administratively down, line protocol is down
Hardware is Lance, address is 00e0.1e60.5385 (bia 00e0.1e60.5385)
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set

R1#sh int lo 0
Loopback0 is up, line protocol is up
Hardware is Loopback
Internet address is 1.1.1.1/24
MTU 1514 bytes, BW 8000000 Kbit, DLY 5000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
Encapsulation LOOPBACK, loopback not set



LAB1: encapsulation PPP (migrating from HDLC to PPP)

Step 1: Confirm L1/L2/L3 connectivity: configure RIPv2 network-wide
    (L2: HDLC) (L3: network protocol / routed protocol: IP; routing protocol: RIP)
L1: V.35 synchronous serial link   (layer 1)
L2: HDLC                           (layer 2)
L3: IP/RIP                         (layer 3)

R1#show interface serial 1
Serial 1 is up, line protocol is up
         (L1)              (L2)
     Encapsulation HDLC,
Confirm the routed protocol:
R2#show ip route rip
R 3.0.0.0  ........
Confirm L3 connectivity.


Step 2: Change the R1-R3 link to PPP:
On the R1 and R3 interfaces:
R1/R3(config-if)#encapsulation ppp

Observe:
R1#debug ppp negotiation

1. Interface Serial1, changed state to up (L1 up)
2. LCP: State is Open
3. PPP authentication (optional; if it is configured it must succeed before any NCP is started)

4-1: Se1 IPCP: State is Open   (IP)
4-2: Se1 CDPCP: State is Open  (CDP) (show cdp neighbors)

5: Line protocol on Interface Serial1, changed state to up (L2 up)


Negotiation as seen on R3:
R3#debug ppp negotiation
PPP protocol negotiation debugging is on

R3#
03:42:05: Se0 PPP: Treating connection as a dedicated line
03:42:05: Se0 PPP: Phase is ESTABLISHING, Active Open [0 sess, 0 load]
03:42:05: Se0 LCP: O CONFREQ [Closed] id 3 len 10
03:42:05: Se0 LCP:    MagicNumber 0xE17BB0DB (0x0506E17BB0DB)
03:42:05: Se0 LCP: I CONFREQ [REQsent] id 13 len 10
03:42:05: Se0 LCP:    MagicNumber 0xE0EC0D9A (0x0506E0EC0D9A)
03:42:05: Se0 LCP: O CONFACK [REQsent] id 13 len 10
03:42:05: Se0 LCP:    MagicNumber 0xE0EC0D9A (0x0506E0EC0D9A)
R3#
03:42:07: Se0 LCP: TIMEout: State ACKsent
03:42:07: Se0 LCP: O CONFREQ [ACKsent] id 4 len 10
03:42:07: Se0 LCP:    MagicNumber 0xE17BB0DB (0x0506E17BB0DB)
03:42:07: Se0 LCP: I CONFREQ [ACKsent] id 14 len 10
03:42:07: Se0 LCP:    MagicNumber 0xE0EC0D9A (0x0506E0EC0D9A)
03:42:07: Se0 LCP: O CONFACK [ACKsent] id 14 len 10
03:42:07: Se0 LCP:    MagicNumber 0xE0EC0D9A (0x0506E0EC0D9A)
03:42:07: Se0 LCP: I CONFACK [ACKsent] id 4 len 10
03:42:07: Se0 LCP:    MagicNumber 0xE17BB0DB (0x0506E17BB0DB)
03:42:07: Se0 LCP: State is Open
03:42:07: Se0 PPP: Phase is UP [0 sess, 0 load]
03:42:07: Se0 IPCP: O CONFREQ [Closed] id 2 len 10
03:42:07: Se0 IPCP:    Address 13.0.0.3 (0x03060D000003)
03:42:07: Se0 CDPCP: O CONFREQ [Closed] id 2 len 4
03:42:07: Se0 IPCP: I CONFREQ [REQsent] id 1 len 10
03:42:07: Se0 IPCP:    Address 13.0.0.1 (0x03060D000001)
03:42:07: Se0 IPCP: O CONFACK [REQsent] id 1 len 10
03:42:07: Se0 IPCP:    Address 13.0.0.1 (0x03060D000001)
03:42:07: Se0 CDPCP: I CONFREQ [REQsent] id 1 len 4
03:42:07: Se0 CDPCP: O CONFACK [REQsent] id 1 len 4
03:42:07: Se0 IPCP: I CONFACK [ACKsent] id 2 len 10
03:42:07: Se0 IPCP:    Address 13.0.0.3 (0x03060D000003)
03:42:07: Se0 IPCP: State is Open
03:42:07: Se0 CDPCP: I CONFACK [ACKsent] id 2 len 4
03:42:07: Se0 CDPCP: State is Open
03:42:07: Se0 IPCP: Install route to 13.0.0.1
R3#
03:42:08: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up
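The hex in parentheses in the debug output above (0x0506E17BB0DB, 0x03060D000003) is the raw option TLV of the LCP/IPCP packet: one byte type, one byte length (counting the two header bytes), then the value. The following decoder is an added example, not code from the original notes or from Cisco; it rebuilds the CONFREQ frames from those debug lines (constructed input, not a capture) and parses them, including the 2-byte PPP protocol field that standard HDLC lacks. Length checks reject a truncated or crafted option instead of reading past it.

```python
"""Decode PPP control frames like the ones `debug ppp negotiation` prints."""
import struct

# PPP protocol field (2 bytes after the FF 03 address/control bytes). This is
# the field standard HDLC does not have, which is what lets PPP multiplex IP,
# LCP, the NCPs and the authentication protocols on one link.
PROTOCOLS = {0x0021: "IP", 0xC021: "LCP", 0x8021: "IPCP",
             0xC023: "PAP", 0xC223: "CHAP", 0x8207: "CDPCP"}
CODES = {1: "Configure-Request", 2: "Configure-Ack", 3: "Configure-Nak",
         4: "Configure-Reject", 5: "Terminate-Request", 9: "Echo-Request"}
# Magic-Number (RFC 1661): a random value per side; seeing your own value come
# back means the link is looped.
LCP_OPTIONS = {1: "MRU", 3: "Authentication-Protocol", 5: "Magic-Number"}
IPCP_OPTIONS = {3: "IP-Address"}
AUTH_PROTOCOLS = {0xC023: "PAP", 0xC223: "CHAP"}


def parse_options(data: bytes) -> list:
    """Split an option area into (type, value) pairs. A length under 2 or one
    that runs past the packet is rejected rather than looped on or over-read."""
    opts, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated option header")
        typ, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError(f"bad option length {length} at offset {i}")
        opts.append((typ, data[i + 2:i + length]))
        i += length
    return opts


def describe_option(proto: str, typ: int, val: bytes) -> str:
    """Render one option the way the debug output does."""
    if proto == "LCP":
        name = LCP_OPTIONS.get(typ, f"type-{typ}")
        if typ == 5 and len(val) == 4:
            return f"{name} 0x{val.hex().upper()}"
        if typ == 3 and len(val) >= 2:
            auth = struct.unpack("!H", val[:2])[0]
            return f"{name} {AUTH_PROTOCOLS.get(auth, f'0x{auth:04X}')}"
        if typ == 1 and len(val) == 2:
            return f"{name} {struct.unpack('!H', val)[0]}"
    elif proto == "IPCP":
        name = IPCP_OPTIONS.get(typ, f"type-{typ}")
        if typ == 3 and len(val) == 4:
            return f"{name} {'.'.join(str(b) for b in val)}"
    else:
        name = f"type-{typ}"
    return f"{name} {val.hex()}"


def decode_frame(frame: bytes) -> dict:
    """Decode FF 03 <protocol> <code> <id> <length> <options>. Only the control
    protocols (LCP/IPCP/CDPCP share the code/id/length/options layout) are
    decoded further; other protocols are returned as an opaque payload."""
    if len(frame) < 4 or frame[:2] != b"\xff\x03":
        raise ValueError("not a PPP frame (expected FF 03 address/control)")
    proto_num = struct.unpack("!H", frame[2:4])[0]
    proto = PROTOCOLS.get(proto_num, f"0x{proto_num:04X}")
    payload = frame[4:]
    if proto not in ("LCP", "IPCP", "CDPCP"):
        return {"protocol": proto, "payload": payload}
    if len(payload) < 4:
        raise ValueError("truncated control packet")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length < 4 or length > len(payload):
        raise ValueError(f"bad packet length {length}")
    opts = [describe_option(proto, t, v) for t, v in parse_options(payload[4:length])]
    return {"protocol": proto, "code": CODES.get(code, code), "id": ident,
            "len": length, "options": opts}


if __name__ == "__main__":
    # Frames reconstructed from the debug lines above (constructed, not captured).
    for hexstr in ("FF03C0210103000A0506E17BB0DB",  # Se0 LCP: O CONFREQ id 3 len 10, MagicNumber
                   "FF0380210102000A03060D000003",  # Se0 IPCP: O CONFREQ id 2 len 10, Address 13.0.0.3
                   "FF03820701020004"):             # Se0 CDPCP: O CONFREQ id 2 len 4
        print(decode_frame(bytes.fromhex(hexstr)))
```

Running it reproduces the three "O CONFREQ" lines of the R3 trace (id, len and the decoded option); feeding it an option whose length byte is 0 raises instead of spinning, which is the check a real PPP implementation must make on every peer-supplied length.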


Once the PPP encapsulation is up, each router automatically installs a 32-bit host route to the peer in its routing table:
R1#sh ip route
     13.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       13.0.0.0/24 is directly connected, Serial1
C       13.0.0.3/32 is directly connected, Serial1

The /32 host route comes from the peer address learned through IPCP and points at exactly one node. It lets the two routers reach each other across the link even when their interface addresses are in different subnets (for example after a misconfiguration), because the route no longer depends on the configured subnet mask.


Check:
R1#sh int s1
Serial1 is up, line protocol is up
Hardware is HD64570
Internet address is 13.0.0.1/24
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, LCP Open
Open: CDPCP, IPCP, loopback not set


int s1
no peer neighbor-route
This command suppresses the /32 host route to the peer.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
PAP/CHAP (PPP authentication authenticates the link, not a user)

PAP (Password Authentication Protocol)
Two-way handshake; in production, configure authentication in both directions (each side authenticates the other).

Two-way handshake:
1. The authenticatee sends the username/password that the authenticator defined for it, in cleartext, to the authenticator.
2. The authenticator compares the received username/password with its local database and replies with Authenticate-Ack or Authenticate-Nak.

PAP weakness: the username/password cross the link in cleartext; anyone who can tap the serial link or capture the frames reads them directly and can replay them.
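What "cleartext on the link" means in bytes, as an added example (not code from the original notes or from Cisco IOS): the PAP Authenticate-Request of RFC 1334 built and parsed in Python. The packets are constructed here to match the LAB2 debug lines further down ("AUTH-REQ id 2 len 10" for user/password sh/sh, "AUTH-ACK id 2 len 5"); the `username_db` dict stands in for the IOS `username <peer> password <pw>` table.

```python
"""PAP (RFC 1334) Authenticate-Request / Ack as they cross the serial link."""
import hmac
import struct

AUTH_REQ, AUTH_ACK, AUTH_NAK = 1, 2, 3   # PAP Code field values


def build_auth_request(ident: int, peer_id: str, password: str) -> bytes:
    """Authenticatee side: Code | Identifier | Length | Peer-ID-Length |
    Peer-ID | Passwd-Length | Password. Nothing is hashed or encrypted."""
    pid, pw = peer_id.encode(), password.encode()
    body = bytes([len(pid)]) + pid + bytes([len(pw)]) + pw
    return struct.pack("!BBH", AUTH_REQ, ident, 4 + len(body)) + body


def parse_auth_request(pkt: bytes) -> tuple:
    """Return (identifier, peer_id, password). Truncated or padded packets are
    rejected instead of trusting the peer-supplied length bytes."""
    if len(pkt) < 4:
        raise ValueError("truncated PAP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != AUTH_REQ or length != len(pkt):
        raise ValueError("not a well-formed Authenticate-Request")
    n = pkt[4]
    peer_id = pkt[5:5 + n]
    if len(peer_id) != n or len(pkt) < 6 + n:
        raise ValueError("truncated Peer-ID")
    m = pkt[5 + n]
    pw = pkt[6 + n:6 + n + m]
    if len(pw) != m or 6 + n + m != length:
        raise ValueError("truncated or padded Password")
    return ident, peer_id.decode(), pw.decode()


def authenticate(pkt: bytes, username_db: dict) -> bytes:
    """Authenticator side: Authenticate-Ack on a match against the local
    username table, Authenticate-Nak otherwise (constant-time compare)."""
    ident, user, password = parse_auth_request(pkt)
    stored = username_db.get(user, "")
    ok = user in username_db and hmac.compare_digest(stored.encode(), password.encode())
    code = AUTH_ACK if ok else AUTH_NAK
    msg = b""   # optional human-readable Message field, left empty (hence len 5)
    return struct.pack("!BBH", code, ident, 5 + len(msg)) + bytes([len(msg)]) + msg


def credentials_visible_on_wire(pkt: bytes) -> tuple:
    """What a passive tap on the link sees: the credentials, verbatim."""
    _, user, password = parse_auth_request(pkt)
    return user, password


if __name__ == "__main__":
    db = {"sh": "sh"}                          # R3's username entry for its peer
    req = build_auth_request(2, "sh", "sh")    # what R1 sends: AUTH-REQ id 2 len 10
    print(req.hex(), len(req), credentials_visible_on_wire(req))
    print(authenticate(req, db).hex())         # AUTH-ACK id 2 len 5
```

The request for sh/sh is exactly 10 bytes and the Ack 5 bytes, matching the "len 10" / "len 5" in the debug output; the password sits in the packet as plain bytes, which is the whole objection to PAP.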

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

LAB2: PAP authentication (R1-R3), RIPv2 network-wide

Step 1: Confirm the link is already encapsulated as PPP.
Step 2: In the local database of each router, create the account/password for the peer:
(Jia Lei's note: creating an account for the peer is like opening an FTP download for a friend: you have to create an account for him.)
R1(config)#username BJ password BJ
R3(config)#username SH password SH

Step 3: Select PAP as the PPP authentication method.
On the R1/R3 interfaces: (shut the interface down first, then no shutdown after the change)

R1/R3(config-if)#ppp authentication pap

Step 4: Send "the account/password that exists for us in the peer's database" to the peer for verification.
On R1's S1 interface:
R1(config-if)#ppp pap sent-username SH password SH

On R3's S0 interface:
R3(config-if)#ppp pap sent-username BJ password BJ

Observe:
R3#debug ppp authentication

R1#debug ppp authentication
PPP authentication debugging is on
R1
*Mar 1 04:28:22.442: Se1 PPP: Using default call direction
*Mar 1 04:28:22.442: Se1 PPP: Treating connection as a dedicated line
*Mar 1 04:28:22.446: Se1 PPP: Authorization required
*Mar 1 04:28:22.454: %LINK-3-UPDOWN: Interface Serial1, changed state to up
R1#
*Mar 1 04:28:22.462: Se1 PAP: Using hostname from interface PAP
*Mar 1 04:28:22.466: Se1 PAP: Using password from interface PAP
*Mar 1 04:28:22.466: Se1 PAP: O AUTH-REQ id 2 len 10 from "sh"
*Mar 1 04:28:22.470: Se1 PAP: I AUTH-REQ id 2 len 10 from "bj"
*Mar 1 04:28:22.474: Se1 PAP: Authenticating peer bj
*Mar 1 04:28:22.490: Se1 PAP: I AUTH-ACK id 2 len 5
*Mar 1 04:28:22.502: Se1 PPP: Sent PAP LOGIN Request
*Mar 1 04:28:22.510: Se1 PPP: Received LOGIN Response PASS
*Mar 1 04:28:22.522: Se1 PPP: Sent LCP AUTHOR Request
*Mar 1 04:28:22.530: Se1 LCP: Received AAA AUTHOR Response PASS
*Mar 1 04:28:22.534: Se1 PAP: O AUTH-ACK id 2 len 5
R1#
*Mar 1 04:28:23.534: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1, changed state to up
R1#



R3#
R3#
04:25:50: %SYS-5-CONFIG_I: Configured from console by console
04:25:51: %LINK-3-UPDOWN: Interface Serial0, changed state to up
R3#
04:25:51: Se0 PPP: Treating connection as a dedicated line
04:25:51: Se0 PAP: O AUTH-REQ id 2 len 10 from "bj"
04:25:51: Se0 PAP: I AUTH-REQ id 2 len 10 from "sh"
04:25:51: Se0 PAP: Authenticating peer sh
04:25:51: Se0 PAP: O AUTH-ACK id 2 len 5
04:25:51: Se0 PAP: I AUTH-ACK id 2 len 5
R3#


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
LAB3: PAP authentication using the hostname as the username

Shut the interfaces down first so the change takes effect cleanly.

step1:
R1(config)#username R3 password R3
R3(config)#username R1 password R1

step2:
On R1's S1 interface:
R1(config-if)#ppp pap sent-username R1 password R1

On R3's S0 interface:
R3(config-if)#ppp pap sent-username R3 password R3


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
PPP CHAP (Challenge Handshake Authentication Protocol)

Three-way handshake (the authenticator issues the challenge; the authenticatee answers it):
1. The authenticator router sends a random challenge value (X).

2. The authenticatee router feeds the received challenge together with the pre-shared password into an MD5 hash (RFC 1994: MD5 over the CHAP identifier, the secret and the challenge) and sends the resulting value Y to the authenticator as a Response.

3. The authenticator performs the same computation as in step 2 and compares its own Y with the Y received from the authenticatee:
if they match, it sends Success;
if they differ, it sends Failure.

Jia Lei's note: Mr. Ma's vivid example: two friends chatting on QQ want to be sure the other side is not being impersonated by his wife, so they agree on a secret pwd and an algorithm (say (pwd+x)*2). When a chat starts they authenticate:
1. The authenticator sends a random number x.
2. The other side computes (pwd+x)*2=Y1 and sends Y1 to the authenticator.
3. The authenticator computes (pwd+x)*2=Y2 itself and compares Y1 with Y2.


Advantages of CHAP:
The password itself is never sent over the link. The challenge (X) is random, and the response (Y) is a one-way hash of the password and the challenge, so the password cannot be read back from what crosses the link, and a fresh challenge each time means an old response cannot be replayed.
Caveat: both routers still store the shared secret in cleartext (the username entry), and an attacker who captures one challenge/response pair can test password guesses offline against the MD5 hash, so the secret must be long and random.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

LAB4: CHAP authentication:

Step 1: Confirm the link is encapsulated as PPP.

Step 2: Create the account/password for the peer:
R1(config)#username GZ password G-s   <-- (this password does not match the one sent in Step 4; the link will not come up)
R2(config)#username SH password G-s   <-- (same problem)

Step 3: Select CHAP:
On the R1/R2 interfaces:
R1/2(config-if)#ppp authentication chap

Step 4: Choose the account/password used for CHAP:
R2(config-if)#ppp chap hostname GZ
R2(config-if)#ppp chap password GZ

R1(config-if)#ppp chap hostname SH
R1(config-if)#ppp chap password SH

Configured this way, debug ppp authentication shows the authentication failing, because the passwords do not match: R2 hashes the challenge with "GZ", while R1 verifies it against the "G-s" stored under username GZ.

Step 5: In CHAP the secret must be identical on both sides. The password stored under the peer's username entry must equal the password the peer uses to answer the challenge (its ppp chap password, or, when none is configured, its own username entry for the challenger's name), so change the interface-level ppp chap password on both routers to SS as well, or remove it so the username entries are used:
R1(config)#username GZ password SS
R2(config)#username SH password SS

Step 6: Instead of dedicated accounts, use the router hostnames directly for CHAP:
R1(config)#username R2 password SS
R2(config)#username R1 password SS

On the PPP interfaces only these commands are then needed:
int s0
encapsulation ppp
ppp authentication chap

show running-config on R1/R2 then shows:
interface Serial0
 encapsulation ppp
 ppp authentication chap

By default, when no other account/password is configured, CHAP sends the router's hostname as its name, and each side looks up the other router's hostname in its local username database for the secret.
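The handshake described in the CHAP section, and the two outcomes of this lab (the Step 4 mismatch and the hostname-based Step 6), as an added example in Python; it is not code from the original notes or from Cisco IOS. The Router class mimics two IOS behaviours the lab relies on: the name sent in the Response is `ppp chap hostname` (default: the router hostname), and the secret used to answer a challenge is `ppp chap password` if set, otherwise the `username <challenger> password <pw>` entry for the challenger's name. Hostnames, secrets and challenges are constructed for the example; the dictionary_attack function illustrates the caveat above.

```python
"""CHAP (RFC 1994) three-way handshake modelled on the lab."""
import hashlib
import hmac
import os
from typing import Optional


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994: Response-Value = MD5(Identifier || secret || Challenge-Value)."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret.encode() + challenge).digest()


class Router:
    def __init__(self, hostname: str, username_db: dict,
                 chap_hostname: Optional[str] = None,
                 chap_password: Optional[str] = None):
        self.hostname = hostname
        self.db = dict(username_db)                       # username <peer> password <pw>
        self.chap_hostname = chap_hostname or hostname    # ppp chap hostname
        self.chap_password = chap_password                # ppp chap password
        self._ident = 0

    # authenticator side
    def make_challenge(self) -> tuple:
        """Fresh identifier and 16 random bytes every time, so a captured
        Response is useless against a later challenge."""
        self._ident = (self._ident + 1) & 0xFF
        return self._ident, os.urandom(16)

    def verify(self, ident: int, name: str, response: bytes, challenge: bytes) -> bool:
        secret = self.db.get(name)
        if secret is None:
            return False                                  # unknown peer name -> Failure
        expected = chap_response(ident, secret, challenge)
        return hmac.compare_digest(expected, response)    # Success only on an exact match

    # authenticatee side
    def respond(self, ident: int, challenge: bytes, challenger_name: str):
        secret = (self.chap_password if self.chap_password is not None
                  else self.db.get(challenger_name))
        if secret is None:
            return None                                   # nothing to answer with
        return self.chap_hostname, chap_response(ident, secret, challenge)


def authenticate(authenticator: Router, peer: Router) -> bool:
    """One direction of the handshake: Challenge, Response, Success/Failure."""
    ident, challenge = authenticator.make_challenge()
    reply = peer.respond(ident, challenge, authenticator.chap_hostname)
    if reply is None:
        return False
    name, response = reply
    return authenticator.verify(ident, name, response, challenge)


def mutual_authenticate(r1: Router, r2: Router) -> bool:
    """`ppp authentication chap` on both interfaces: each side challenges the other."""
    return authenticate(r1, r2) and authenticate(r2, r1)


def dictionary_attack(ident: int, challenge: bytes, response: bytes, wordlist) -> Optional[str]:
    """Offline guessing against one captured Challenge/Response pair: CHAP never
    sends the secret, but a weak secret is still recovered this way."""
    for guess in wordlist:
        if chap_response(ident, guess, challenge) == response:
            return guess
    return None


if __name__ == "__main__":
    # Step 4 of the lab: interface password GZ/SH vs. username entry G-s -> fails
    r1 = Router("R1", {"GZ": "G-s"}, chap_hostname="SH", chap_password="SH")
    r2 = Router("R2", {"SH": "G-s"}, chap_hostname="GZ", chap_password="GZ")
    print("mismatched secrets:", mutual_authenticate(r1, r2))
    # Step 6: no ppp chap hostname/password; hostnames and username entries carry it
    r1 = Router("R1", {"R2": "SS"})
    r2 = Router("R2", {"R1": "SS"})
    print("hostname-based CHAP:", mutual_authenticate(r1, r2))
```

The first scenario fails exactly as the lab describes, the second succeeds with only `ppp authentication chap` on the interfaces; the verify function uses a constant-time compare, and the attack function shows why a two-character secret such as the lab's "SS" is fine for a lab but not for a production link.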
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

LAB5: CHAP authentication using the hostname as the username

Shut the interfaces down first so the change takes effect cleanly.
step1: use the router hostnames directly for CHAP:
R1(config)#username R2 password R12
R2(config)#username R1 password R12
step2: on the PPP interface only these commands are needed.
interface Serial0
encapsulation ppp
ppp authentication chap


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
PPP multilink


PPP/MLP (Multilink Protocol) (layer-2 redundancy)
Compared with layer-3 redundancy (RIP):
(there, convergence depends on the routing protocol's convergence rate and is usually slow)

Layer-2 redundancy with the Multilink Protocol:

Step 1:
Remove the existing configuration from the interfaces on the redundant physical links.
Note that both R2 interfaces are the DCE end and need a clock rate configured,

because:
R2#sh controllers serial
HD unit 0, idb = 0x939294, driver structure at 0x940860
buffer size 1524 HD unit 0, V.35 DCE cable, clockrate 64000
cpb = 0xE1, eda = 0x5078, cda = 0x508C
RX ring with 16 entries at 0xE15000

Step 2:
(on R2 and R4 at the same time) encapsulate all four physical interfaces as PPP and enable multilink (no IP address needed)
interface S0/S1:
encapsulation ppp
ppp multilink

Step 3: On both routers, create a virtual-template interface, assign the address and enable MLP
R2(config)#
interface virtual-template 1
ip address 24.0.0.1 255.255.255.252
ppp multilink

R4(config)#
interface virtual-template 1
ip address 24.0.0.2 255.255.255.252
ppp multilink

Step 4: Bind the virtual template to multilink:
R2/R4(config)#multilink virtual-template 1

After the virtual interface comes up the bandwidth doubles:
R2#show interfaces virtual-access 1
Interface address is 24.0.0.1/30
           BW 3088 Kbit,
R4#show interfaces virtual-access 1
Interface address is 24.0.0.2/30
           BW 3088 Kbit,

Jia Lei's note: the two links add their bandwidth together and back each other up.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
EC, FEC, GEC
LAB: layer-2 redundancy on Ethernet links between switches:
EtherChannel:
logical aggregation of several physical ports, viewed as one logical port
switch-level load balancing & redundancy.

interface range fastethernet0/21 - 22
duplex full
speed 100
channel-group 1 mode on


The switch creates automatically:
interface port-channel 1

SW2#show interface port-channel 1
BW 200000 Kbit,
show spanning-tree
Po1     Root FWD 12                 128.65 P2p


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The PPP host route (peer neighbor route) can be disabled on the interface:

R2# C     12.0.0.1/32 is directly connected, Serial0

interface Serial0
no peer neighbor-route

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
