PPP, PAP, CHAP

PPP encapsulation (Point-to-Point Protocol)

Configuration

Branch

Branch(config)#int s4/0

Branch(config-if)#en

Branch(config-if)#encapsulation ppp

Branch(config-if)#ip add 12.1.1.1 255.255.255.252

Branch(config-if)#no sh

Branch(config-if)#


HQ

HQ(config)#int s4/0

HQ(config-if)#en

HQ(config-if)#encapsulation ppp

HQ(config-if)#ip add 12.1.1.2 255.255.255.252

HQ(config-if)#no sh

HQ(config-if)#


Verification

Branch#sh int s4/0

Serial4/0 is up, line protocol is up 

  Hardware is M4T

  Internet address is 12.1.1.1/30

  MTU 1500 bytes, BW 1544 Kbit/sec, DLY 20000 usec, 

     reliability 255/255, txload 1/255, rxload 1/255

  Encapsulation PPP, LCP Open


HQ#sh int s4/0

Serial4/0 is up, line protocol is up 

  Hardware is M4T

  Internet address is 12.1.1.2/30

  MTU 1500 bytes, BW 1544 Kbit/sec, DLY 20000 usec, 

     reliability 255/255, txload 1/255, rxload 1/255

  Encapsulation PPP, LCP Open


Branch#ping 12.1.1.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 12.1.1.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 8/11/13 ms

Branch#


If PPP encapsulation is removed from one end, the interface stays up but the line protocol goes down:

Branch(config-if)#do sh ip int b

Interface                  IP-Address      OK? Method Status                Protocol

Ethernet0/0                unassigned      YES unset  administratively down down    

Ethernet0/1                unassigned      YES unset  administratively down down    

Ethernet0/2                unassigned      YES unset  administratively down down      

Serial4/0                  12.1.1.1        YES manual up                    down 


--------------------------------------------------------------------------

PAP authentication (Password Authentication Protocol)

Configuration

HQ(config)#username branch password cisco

HQ(config)#int s4/0

HQ(config-if)#ppp au

HQ(config-if)#ppp authen

HQ(config-if)#ppp authentication pap           //require the peer to authenticate with PAP

HQ(config-if)#

*Jan  7 11:38:58.216: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial4/0, changed state to down


Branch(config)#int s4/0

Branch(config-if)#ppp pap sent

Branch(config-if)#ppp pap sent-username branch pass

Branch(config-if)#ppp pap sent-username branch password 0 cisco

Branch(config-if)#no sh

Branch(config-if)#

*Jan  7 11:41:38.081: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial4/0, changed state to up


Verification

Branch(config)#int s4/0

Branch(config-if)#shut

Branch(config-if)#no sh

*Jan  7 11:45:12.465: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial4/0, changed state to down

*Jan  7 11:45:12.465: %LINK-5-CHANGED: Interface Serial4/0, changed state to administratively down

Branch(config-if)#no sh



Branch#debug ppp authentication 

PPP authentication debugging is on

Branch#shut

Translating "shut"...domain server (255.255.255.255) % Name lookup aborted


Translating "shut"...domain server (255.255.255.255)                      

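//This happens because of domain name resolution: shutdown is not a command Cisco IOS recognizes in privileged EXEC mode, so the router sends it to the name server as a lookup query. In a lab environment, turn the lookup off with Router(config)#no ip domain-lookup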


Branch(config-if)#

*Jan  7 11:45:19.664: %LINK-3-UPDOWN: Interface Serial4/0, changed state to up

*Jan  7 11:45:19.665: Se4/0 PPP: Using default call direction

*Jan  7 11:45:19.716: Se4/0 PPP: Treating connection as a dedicated line

*Jan  7 11:45:19.716: Se4/0 PPP: Session handle[6000000D] Session id[12]

*Jan  7 11:45:19.750: Se4/0 PPP: No authorization without authentication

*Jan  7 11:45:19.750: Se4/0 PAP: Using hostname from interface PAP

*Jan  7 11:45:19.750: Se4/0 PAP: Using password from interface PAP

*Jan  7 11:45:19.760: Se4/0 PAP: O AUTH-REQ id 1 len 17 from "branch"

*Jan  7 11:45:19.769: Se4/0 PAP: I AUTH-ACK id 1 len 5


Branch#ping 12.1.1.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 12.1.1.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 7/11/13 ms

Branch#


------------------------------------------------------------------------------------

CHAP authentication (Challenge Handshake Authentication Protocol)


This section builds on the PAP setup above, so some of those commands have to be removed first:

Branch(config)#int s4/0

Branch(config-if)#no ppp pap sent-username branch password 0 cisco

Branch(config-if)#


Configuration

Branch(config)#int s4/0

Branch(config-if)#ppp chap

Branch(config-if)#ppp chap hos

Branch(config-if)#ppp chap hostname Branch  //username presented for authentication

Branch(config-if)#ppp chap pass

Branch(config-if)#ppp chap password cisco   //password used for authentication

Branch(config-if)#no sh

Branch(config-if)#



HQ(config)#int s4/0

HQ(config-if)#ppp authen

HQ(config-if)#ppp authentication chap   //require the peer to authenticate with CHAP

HQ(config-if)#


With debugging enabled on Branch, the output is as follows:

Branch#debug ppp authentication 

PPP authentication debugging is on

Branch#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

Branch(config)#int s4/0

Branch(config-if)#no sh

Branch(config-if)#

*Jan  7 12:36:07.847: %LINK-3-UPDOWN: Interface Serial4/0, changed state to up

*Jan  7 12:36:07.848: Se4/0 PPP: Using default call direction

*Jan  7 12:36:07.848: Se4/0 PPP: Treating connection as a dedicated line

*Jan  7 12:36:07.848: Se4/0 PPP: Session handle[C000014] Session id[18]

*Jan  7 12:36:07.876: Se4/0 PPP: No authorization without authentication

*Jan  7 12:36:07.904: Se4/0 CHAP: I CHALLENGE id 1 len 23 from "HQ"

*Jan  7 12:36:07.904: Se4/0 PPP: Sent CHAP SENDAUTH Request

*Jan  7 12:36:07.904: Se4/0 PPP: Received SENDAUTH Response FAIL

*Jan  7 12:36:07.904: Se4/0 CHAP: Using hostname from interface CHAP

*Jan  7 12:36:07.904: Se4/0 CHAP: Using password from interface CHAP

*Jan  7 12:36:07.904: Se4/0 CHAP: O RESPONSE id 1 len 27 from "Branch"

*Jan  7 12:36:07.917: Se4/0 CHAP: I SUCCESS id 1 len 4

Branch(config-if)#


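This is one-way CHAP authentication. If you configure two-way authentication, the passwords on both ends must match. PAP authenticates with a cleartext password, whereas CHAP uses the password hashed with the MD5 algorithm.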
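
The difference between the two exchanges can be reproduced offline. The following is an added example, not part of the original notes: it builds the PAP Authenticate-Request (RFC 1334) and the CHAP Challenge/Response (RFC 1994, MD5) with the names and password from this lab, and the packet lengths come out as 17, 23 and 27, matching the debug output above. The function names are illustrative, and the 16-byte challenge size is inferred from "len 23" in the debug line.

```python
import hashlib
import hmac
import os
import struct

# Names and password come from the lab above; the challenge is random per session.
PAP_USER, CHAP_NAME, AUTH_NAME, SECRET = b"branch", b"Branch", b"HQ", b"cisco"

def pap_auth_request(ident, peer_id, password):
    """RFC 1334 Authenticate-Request (code 1): peer-id and password in cleartext."""
    data = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, ident, 4 + len(data)) + data

def chap_packet(code, ident, value, name):
    """RFC 1994 Challenge (code 1) or Response (code 2): value-size, value, name."""
    data = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(data)) + data

def chap_response_value(ident, secret, challenge):
    """RFC 1994 with MD5: hash of identifier || secret || challenge."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def authenticator_accepts(response_pkt, secret, challenge):
    """What the authenticator (HQ) does: recompute the hash and compare."""
    code, ident, _length = struct.unpack("!BBH", response_pkt[:4])
    value = response_pkt[5:5 + response_pkt[4]]
    expected = chap_response_value(ident, secret, challenge)
    return code == 2 and hmac.compare_digest(value, expected)

def demo(challenge=None):
    challenge = challenge or os.urandom(16)
    pap = pap_auth_request(1, PAP_USER, SECRET)
    chal_pkt = chap_packet(1, 1, challenge, AUTH_NAME)
    resp_pkt = chap_packet(2, 1, chap_response_value(1, SECRET, challenge), CHAP_NAME)
    return pap, chal_pkt, resp_pkt, challenge

if __name__ == "__main__":
    pap, chal_pkt, resp_pkt, challenge = demo()
    print("PAP  AUTH-REQ  len", len(pap), "password on the wire:", SECRET in pap)
    print("CHAP CHALLENGE len", len(chal_pkt))
    print("CHAP RESPONSE  len", len(resp_pkt), "password on the wire:", SECRET in resp_pkt)
    print("HQ accepts response:", authenticator_accepts(resp_pkt, SECRET, challenge))
```

Anyone who can capture the serial link reads the PAP password directly from the request, while the CHAP response is only valid for the one challenge it answers.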

====================================================================================================

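The points in this article are not guaranteed to be entirely correct; these are personal study notes, written purely to reinforce my memory!!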



Reposted from blog.51cto.com/14164997/2339903