HDLC is generally not recommended, for two reasons:
1. Cisco's HDLC frame header carries a Cisco proprietary field.
   Benefit: multiprotocol support (IP/IPX/AppleTalk) in an HDLC environment.
   Drawback: it only interoperates with Cisco equipment and is not compatible with other vendors' devices.
   (Reason: standard HDLC supports a single protocol, IP. With the proprietary field Cisco added, multiple protocols are supported, but compatibility with other vendors is lost.)
   Cisco uses HDLC as the default Layer 2 encapsulation on serial interfaces.
2. HDLC itself has no authentication support, so link security cannot be guaranteed.
PPP is recommended instead:
PPP has several optional modules that improve network security and performance (PPP supports authentication).
SLIP is effectively the predecessor of PPP: single-function and being phased out.
On Cisco devices, serial links use HDLC by default.
On Huawei devices, the default is PPP.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
PPP (Point-to-Point Protocol)
PPP is an open industry standard that supports multiprotocol environments; every vendor can implement it.
HDLC vs. PPP:
HDLC does not support multiple protocols; PPP does.
HDLC does not support authentication; PPP does.
LCP (Link Control Protocol): establishes, controls and maintains the link over the Layer 1 physical link.
NCP (Network Control Protocol): presents a uniform interface upward to the Layer 3 network protocols (one *CP per protocol, e.g. IPCP, IPXCP, ...).
LCP contains four major modules:
1. authentication (PAP/CHAP)
2. callback (Jia Lei's note: makes it easy for the called party to pay; used for billing)
3. compression
4. multilink (bundling several links)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Default interface encapsulation:
R1#sh int s0
Serial0 is up, line protocol is up
  Hardware is HD64570
  Internet address is 12.0.0.1/24
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, loopback not set
R1#sh int e0
Ethernet0 is administratively down, line protocol is down
  Hardware is Lance, address is 00e0.1e60.5385 (bia 00e0.1e60.5385)
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec, reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
R1#sh int lo 0
Loopback0 is up, line protocol is up
  Hardware is Loopback
  Internet address is 1.1.1.1/24
  MTU 1514 bytes, BW 8000000 Kbit, DLY 5000 usec, reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation LOOPBACK, loopback not set
LAB1: encapsulation PPP (migrating from HDLC to PPP)
Step 1: Confirm L1/L2/L3 connectivity; configure RIPv2 network-wide.
(L2: HDLC) (L3: network protocol / routed protocol: IP; routing protocol: RIP)
L1: V.35 synchronous serial link (Layer 1)
L2: HDLC (Layer 2)
L3: IP/RIP (Layer 3)
R1#show interface serial 1
Serial 1 is up, line protocol is up      <- L1, L2
Encapsulation HDLC
Confirm the routed protocol:
R2#show ip route rip
R 3.0.0.0 ........   confirms Layer 3 connectivity.
Step 2: Change the R1-R3 link to PPP. On the interfaces of both R1 and R3:
R1/R3(config-S1/0)#Encapsulation PPP
Observe:
R1#debug ppp negotiation    (PPP negotiation)
1. Interface serial 1, changed state to up (L1 up)
2. LCP: state is open
3. PPP authentication (optional; if authentication is configured it must succeed before NCP can start)
4-1. Se1 IPCP: state is open (IP)
4-2. Se1 CDPCP: state is open (CDP) (show cdp neighbors)
5. Line protocol on interface serial 1, changed state to up (L2 up)
The negotiation as seen during encapsulation:
R3#debug ppp negotiation
PPP protocol negotiation debugging is on
R3#
03:42:05: Se0 PPP: Treating connection as a dedicated line
03:42:05: Se0 PPP: Phase is ESTABLISHING, Active Open [0 sess, 0 load]
03:42:05: Se0 LCP: O CONFREQ [Closed] id 3 len 10
03:42:05: Se0 LCP: MagicNumber 0xE17BB0DB (0x0506E17BB0DB)
03:42:05: Se0 LCP: I CONFREQ [REQsent] id 13 len 10
03:42:05: Se0 LCP: MagicNumber 0xE0EC0D9A (0x0506E0EC0D9A)
03:42:05: Se0 LCP: O CONFACK [REQsent] id 13 len 10
03:42:05: Se0 LCP: MagicNumber 0xE0EC0D9A (0x0506E0EC0D9A)
R3#
03:42:07: Se0 LCP: TIMEout: State ACKsent
03:42:07: Se0 LCP: O CONFREQ [ACKsent] id 4 len 10
03:42:07: Se0 LCP: MagicNumber 0xE17BB0DB (0x0506E17BB0DB)
03:42:07: Se0 LCP: I CONFREQ [ACKsent] id 14 len 10
03:42:07: Se0 LCP: MagicNumber 0xE0EC0D9A (0x0506E0EC0D9A)
03:42:07: Se0 LCP: O CONFACK [ACKsent] id 14 len 10
03:42:07: Se0 LCP: MagicNumber 0xE0EC0D9A (0x0506E0EC0D9A)
03:42:07: Se0 LCP: I CONFACK [ACKsent] id 4 len 10
03:42:07: Se0 LCP: MagicNumber 0xE17BB0DB (0x0506E17BB0DB)
03:42:07: Se0 LCP: State is Open
03:42:07: Se0 PPP: Phase is UP [0 sess, 0 load]
03:42:07: Se0 IPCP: O CONFREQ [Closed] id 2 len 10
03:42:07: Se0 IPCP: Address 13.0.0.3 (0x03060D000003)
03:42:07: Se0 CDPCP: O CONFREQ [Closed] id 2 len 4
03:42:07: Se0 IPCP: I CONFREQ [REQsent] id 1 len 10
03:42:07: Se0 IPCP: Address 13.0.0.1 (0x03060D000001)
03:42:07: Se0 IPCP: O CONFACK [REQsent] id 1 len 10
03:42:07: Se0 IPCP: Address 13.0.0.1 (0x03060D000001)
03:42:07: Se0 CDPCP: I CONFREQ [REQsent] id 1 len 4
03:42:07: Se0 CDPCP: O CONFACK [REQsent] id 1 len 4
03:42:07: Se0 IPCP: I CONFACK [ACKsent] id 2 len 10
03:42:07: Se0 IPCP: Address 13.0.0.3 (0x03060D000003)
03:42:07: Se0 IPCP: State is Open
03:42:07: Se0 CDPCP: I CONFACK [ACKsent] id 2 len 4
03:42:07: Se0 CDPCP: State is Open
03:42:07: Se0 IPCP: Install route to 13.0.0.1
R3#
03:42:08: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up
As soon as the Layer 2 PPP encapsulation succeeds, both routers automatically add a 32-bit host route to their routing tables:
R1#sh ip rou
     13.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       13.0.0.0/24 is directly connected, Serial1
C       13.0.0.3/32 is directly connected, Serial1
The 32-bit host route solves many Layer 2 encapsulation problems: it points unambiguously at one specific node in the network, so when the Layer 2 encapsulation has problems the peer router can still be reached through the 32-bit host route.
Check:
R1#sh int s1
Serial1 is up, line protocol is up
  Hardware is HD64570
  Internet address is 13.0.0.1/24
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open
  Open: CDPCP, IPCP, loopback not set
int s1
 no peer neighbor-route
With this command the 32-bit host route is no longer shown;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
PAP/CHAP (PPP authentication is authentication of the link)
PAP (Password Authentication Protocol)
Two-way handshake; in network engineering, two-way (mutual) authentication is recommended everywhere.
Two-way handshake:
1. The authenticated party sends the account/password that the other side defined for it to the authenticator, in cleartext.
2. The authenticator checks the received account/password against its own database and replies whether authentication succeeded.
PAP drawback: the account/password cross the link in cleartext, which is insecure.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
LAB2: PAP authentication (R1-R3), RIPv2 network-wide
Step 1: Confirm the link is already encapsulated as PPP.
Step 2: In the local router's database, create an account/password for the peer:
(Jia Lei's note: creating an account for the peer is like opening an FTP download for a friend; you have to create an account for him.)
R1(config)#username BJ password BJ
R3(config)#username SH password SH
Step 3: Select PAP as the PPP authentication method, on the R1/R3 interfaces:
(Recommended: shutdown the interface first, make the change, then no shutdown.)
R1/R3(config-if)#PPP authentication PAP
Step 4: Send "our own account/password as stored in the peer's database" to the peer, so that the peer can verify it.
On R1's S1 interface:
R1(config-if)#ppp pap sent-username SH password SH
On R3's S0 interface:
R3(config-if)#ppp pap sent-username BJ password BJ
Observe:
R3#debug ppp authentication    (PPP authentication)
R1#debug ppp authentication
PPP authentication debugging is on
R1
*Mar 1 04:28:22.442: Se1 PPP: Using default call direction
*Mar 1 04:28:22.442: Se1 PPP: Treating connection as a dedicated line
*Mar 1 04:28:22.446: Se1 PPP: Authorization required
*Mar 1 04:28:22.454: %LINK-3-UPDOWN: Interface Serial1, changed state to up
R1#
*Mar 1 04:28:22.462: Se1 PAP: Using hostname from interface PAP
*Mar 1 04:28:22.466: Se1 PAP: Using password from interface PAP
*Mar 1 04:28:22.466: Se1 PAP: O AUTH-REQ id 2 len 10 from "sh"
*Mar 1 04:28:22.470: Se1 PAP: I AUTH-REQ id 2 len 10 from "bj"
*Mar 1 04:28:22.474: Se1 PAP: Authenticating peer bj
*Mar 1 04:28:22.490: Se1 PAP: I AUTH-ACK id 2 len 5
*Mar 1 04:28:22.502: Se1 PPP: Sent PAP LOGIN Request
*Mar 1 04:28:22.510: Se1 PPP: Received LOGIN Response PASS
*Mar 1 04:28:22.522: Se1 PPP: Sent LCP AUTHOR Request
*Mar 1 04:28:22.530: Se1 LCP: Received AAA AUTHOR Response PASS
*Mar 1 04:28:22.534: Se1 PAP: O AUTH-ACK id 2 len 5
R1#
*Mar 1 04:28:23.534: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1, changed state to up
R1#
R3#
R3#
04:25:50: %SYS-5-CONFIG_I: Configured from console by console
04:25:51: %LINK-3-UPDOWN: Interface Serial0, changed state to up
R3#
04:25:51: Se0 PPP: Treating connection as a dedicated line
04:25:51: Se0 PAP: O AUTH-REQ id 2 len 10 from "bj"
04:25:51: Se0 PAP: I AUTH-REQ id 2 len 10 from "sh"
04:25:51: Se0 PAP: Authenticating peer sh
04:25:51: Se0 PAP: O AUTH-ACK id 2 len 5
04:25:51: Se0 PAP: I AUTH-ACK id 2 len 5
R3#
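An added example (not part of these notes and not Cisco tooling): a small Python parser for the "debug ppp negotiation" output of LAB1 and the "debug ppp authentication" output of LAB2. It rebuilds, per interface, the sequence the notes describe (LCP open, PAP verdicts in both directions, IPCP/CDPCP open, line protocol up) and lists what is still missing, which is the check you want when a PPP link does not come up. The sample lines are copied from the R3 and R1 output above; the AUTH-NAK line is a constructed failure case whose wording only approximates IOS.

```python
import re
from collections import defaultdict

# Added example (not from these notes or from Cisco): reconstruct the PPP
# negotiation and PAP authentication state of each interface from IOS
# "debug ppp negotiation" / "debug ppp authentication" lines. Sample lines
# are copied from the notes' R3/R1 output; the AUTH-NAK line is constructed.

EVENT_RE = re.compile(
    r"^\*?(?P<ts>.+?): "
    r"(?:(?P<intf>\S+) (?P<proto>PPP|LCP|IPCP|CDPCP|PAP): (?P<msg>.*)"
    r"|%(?P<syslog>[A-Z0-9_-]+): (?P<smsg>.*))$"
)
LINEPROTO_RE = re.compile(r"Line protocol on Interface (\S+?), changed state to (\w+)")
ADDRESS_RE = re.compile(r"^Address (\d+\.\d+\.\d+\.\d+)")
AUTH_RE = re.compile(r'^(?P<dir>[IO]) AUTH-(?P<kind>REQ|ACK|NAK)(?: .* from "(?P<user>[^"]*)")?')


def short_if(name):
    # Syslog says "Serial0"; the debug lines say "Se0". Use the debug spelling.
    return re.sub(r"^Serial", "Se", name)


def parse_ppp_debug(text):
    """Return {interface: summary} built from IOS PPP debug and syslog lines."""
    summaries = defaultdict(lambda: {
        "open": set(), "local_addr": None, "peer_addr": None,
        "sent_username": None, "peer_username": None,
        "peer_accepted_us": None, "we_accepted_peer": None, "line_protocol": None})
    addr_owner = {}  # (intf, proto) -> side that the next "Address" option belongs to
    for raw in text.splitlines():
        m = EVENT_RE.match(raw.strip())
        if not m:
            continue  # prompts such as "R3#" and unrelated lines are skipped
        if m.group("syslog") is not None:
            lp = LINEPROTO_RE.search(m.group("smsg"))
            if m.group("syslog") == "LINEPROTO-5-UPDOWN" and lp:
                summaries[short_if(lp.group(1))]["line_protocol"] = lp.group(2)
            continue
        intf, proto, msg = m.group("intf"), m.group("proto"), m.group("msg")
        s = summaries[intf]
        if proto in ("LCP", "IPCP", "CDPCP"):
            # Our CONFREQ and the peer's CONFACK carry our options; the reverse carry the peer's.
            if msg.startswith(("O CONFREQ", "I CONFACK")):
                addr_owner[(intf, proto)] = "local_addr"
            elif msg.startswith(("I CONFREQ", "O CONFACK")):
                addr_owner[(intf, proto)] = "peer_addr"
            elif msg == "State is Open":
                s["open"].add(proto)
            elif proto == "IPCP" and ADDRESS_RE.match(msg):
                s[addr_owner.get((intf, proto), "peer_addr")] = ADDRESS_RE.match(msg).group(1)
        elif proto == "PAP":
            a = AUTH_RE.match(msg)
            if a and a.group("kind") == "REQ":
                s["sent_username" if a.group("dir") == "O" else "peer_username"] = a.group("user")
            elif a:  # an incoming ACK/NAK is the peer's verdict on us, an outgoing one is ours on the peer
                s["peer_accepted_us" if a.group("dir") == "I" else "we_accepted_peer"] = a.group("kind") == "ACK"
    return dict(summaries)


def negotiation_problems(summary):
    """What is still missing for a working link, in the order the notes list the phases."""
    checks = [
        ("LCP" not in summary["open"], "LCP never reached Open (check encapsulation and clocking on both ends)"),
        (summary["peer_accepted_us"] is False, "peer rejected our credentials (our sent-username/password vs. its username database)"),
        (summary["we_accepted_peer"] is False, "we rejected the peer's credentials (its sent-username/password vs. our username database)"),
        ("IPCP" not in summary["open"], "IPCP not Open, so no IP traffic over this link"),
        (summary["line_protocol"] != "up", "line protocol not up"),
    ]
    return [msg for failed, msg in checks if failed]


SAMPLE_NEGOTIATION = """\
03:42:05: Se0 LCP: O CONFREQ [Closed] id 3 len 10
03:42:07: Se0 LCP: State is Open
03:42:07: Se0 IPCP: O CONFREQ [Closed] id 2 len 10
03:42:07: Se0 IPCP: Address 13.0.0.3 (0x03060D000003)
03:42:07: Se0 IPCP: I CONFREQ [REQsent] id 1 len 10
03:42:07: Se0 IPCP: Address 13.0.0.1 (0x03060D000001)
03:42:07: Se0 IPCP: State is Open
03:42:07: Se0 CDPCP: State is Open
R3#
03:42:08: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up
"""

SAMPLE_PAP_OK = """\
*Mar 1 04:28:22.466: Se1 PAP: O AUTH-REQ id 2 len 10 from "sh"
*Mar 1 04:28:22.470: Se1 PAP: I AUTH-REQ id 2 len 10 from "bj"
*Mar 1 04:28:22.490: Se1 PAP: I AUTH-ACK id 2 len 5
*Mar 1 04:28:22.534: Se1 PAP: O AUTH-ACK id 2 len 5
*Mar 1 04:28:23.534: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1, changed state to up
"""

SAMPLE_PAP_FAIL = """\
*Mar 1 04:30:01.000: Se1 PAP: O AUTH-REQ id 3 len 10 from "sh"
*Mar 1 04:30:01.008: Se1 PAP: I AUTH-NAK id 3 len 26 msg is "Authentication failed"
"""
```

Run `negotiation_problems(parse_ppp_debug(text)["Se0"])` on a captured debug; an empty list means every phase the notes list was reached. The address attribution relies on the IOS habit of printing each option on the line after the CONFREQ/CONFACK it belongs to, so the parser remembers which direction the last request or acknowledgement went.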
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
LAB3: PAP authentication using the "hostname" as the "username"
Shutdown the interfaces first, for stability.
step1:
R1(config)#username R3 password R3
R3(config)#username R1 password R1
step2:
On R1's S1 interface:
R1(config-if)#ppp pap sent-username R1 password R1
On R3's S0 interface:
R3(config-if)#ppp pap sent-username R3 password R3
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
PPP CHAP (Challenge Handshake Authentication Protocol)
Three-way handshake (the authenticator issues the challenge; the authenticated party responds):
1. The authenticator's router sends a random number (X).
2. The authenticated party's router feeds the received random number together with the pre-defined password into the MD5 hash function, obtains the value Y (=49 in the example), and sends it to the authenticator as the response.
3. The authenticator performs the same operation as in step 2 and compares its own Y with the Y received from the authenticated party. If they match, it sends an authentication-success message; if not, an authentication-failure message.
Jia Lei's note: Teacher Ma gave a vivid example. Two friends chat on QQ; to make sure the other side's wife is not impersonating him, both agree on a password pwd and an algorithm (for instance (pwd+x)*2). When they want to chat, authentication starts:
1. The authenticator sends a random number x.
2. (pwd+x)*2=Y1; Y1 is sent to the authenticator.
3. The authenticator likewise computes (pwd+x)*2=Y2 and compares Y1 with Y2.
CHAP's advantage: the password is never sent over the link. The challenge (X) and the response (Y) are both random values, and the operation between them is irreversible, so the password cannot be recovered and network security is preserved.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
LAB3: CHAP authentication
Step 1: Confirm the link is already encapsulated as PPP.
Step 2: Create an account/password for the peer:
R1(config)#username GZ password G-s   <-- (the passwords here do not match; the link will not come up properly)
R2(config)#username SH password G-s   <-- (the passwords here do not match; the link will not come up properly)
Step 3: Select CHAP as the authentication method, on the R1/R2 interfaces:
R1/2(config-if)#ppp authentication chap
Step 4: Choose a specific account/password pair for CHAP authentication:
R2(config-if)#ppp chap hostname GZ
R2(config-if)#ppp chap password GZ
R1(config-if)#ppp chap hostname SH
R1(config-if)#ppp chap password SH
Configured this way, debug ppp authentication shows authentication failing, because the passwords do not match!!!
Step 5: In CHAP the passwords must be identical:
R1(config)#username GZ password SS
R2(config)#username SH password SS
Step 6: Use the router's hostname directly for CHAP authentication, instead of a dedicated account:
R1(config)#username R2 password SS
R2(config)#username R1 password SS
On the PPP interface only the following commands are needed:
int s0
 encapsulation ppp
 ppp authentication chap
On R1/R2: show running-config
shows the following:
Interface serial 0
 Encapsulation ppp
 Ppp authentication chap
By default, when no other account and password are configured, CHAP sends the hostname.
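An added example, not from these notes and not Cisco's implementation: a Python model of the PAP two-way handshake (LAB2) and the CHAP three-way handshake described above, including the password mismatch of LAB3 Step 4 and the hostname-based setup of Step 6. The CHAP response is computed as RFC 1994 specifies, MD5 over the identifier, the secret and the challenge; the "username ... password", "ppp chap hostname" and "ppp chap password" settings are modelled as fields of a Router class, and the on-link strings are a constructed, readable form of the packets rather than the real PPP frame layout.

```python
import hashlib
import hmac
import os

# Added example, not from these notes or Cisco: a model of the PAP two-way
# handshake and the CHAP three-way handshake as the labs configure them.
# CHAP response per RFC 1994: MD5(Identifier || secret || Challenge).
# Router names and secrets are the lab values; the on-link records are a
# constructed readable form of the packets, not the real frame layout.


class Router:
    def __init__(self, hostname, users, chap_hostname=None, chap_password=None):
        self.hostname = hostname
        self.users = dict(users)            # "username <name> password <pw>" entries
        self.chap_hostname = chap_hostname  # "ppp chap hostname", optional
        self.chap_password = chap_password  # "ppp chap password", optional

    def name_on_wire(self):
        # Without "ppp chap hostname", the router sends its own hostname (Step 6).
        return self.chap_hostname or self.hostname

    def secret_for(self, peer_name):
        # "ppp chap password" overrides the lookup of the peer's name in the database.
        if self.chap_password is not None:
            return self.chap_password
        return self.users.get(peer_name)


def pap_authenticate(authenticator, sent_username, sent_password):
    """PAP: two messages. The password itself crosses the link in cleartext."""
    on_link = f"AUTH-REQ {sent_username} {sent_password}"
    accepted = authenticator.users.get(sent_username) == sent_password
    return accepted, on_link + (" AUTH-ACK" if accepted else " AUTH-NAK")


def chap_response(identifier, secret, challenge):
    """RFC 1994 response value: MD5 over the Identifier, the secret and the Challenge."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def chap_authenticate(authenticator, peer, identifier=1, challenge=None):
    """CHAP, one direction. Returns (accepted, what crossed the link)."""
    challenge = challenge or os.urandom(16)               # 1. random X
    auth_name = authenticator.name_on_wire()
    on_link = f"CHALLENGE {challenge.hex()} {auth_name}"
    secret = peer.secret_for(auth_name)                    # 2. peer hashes X with its secret
    if secret is None:
        return False, on_link + " (peer has no secret for this name)"
    response = chap_response(identifier, secret, challenge)
    peer_name = peer.name_on_wire()
    on_link += f" RESPONSE {response.hex()} {peer_name}"
    expected_secret = authenticator.users.get(peer_name)   # 3. authenticator recomputes
    if expected_secret is None:
        return False, on_link + " FAILURE"
    expected = chap_response(identifier, expected_secret, challenge)
    accepted = hmac.compare_digest(expected, response)
    return accepted, on_link + (" SUCCESS" if accepted else " FAILURE")


def mutual_chap(r1, r2):
    """Two-way authentication, as the notes recommend: each router challenges the other."""
    return chap_authenticate(r1, r2)[0] and chap_authenticate(r2, r1)[0]


def lab2_pap():
    """LAB2: R1 holds 'username BJ password BJ', R3 holds 'username SH password SH'."""
    r1, r3 = Router("R1", {"BJ": "BJ"}), Router("R3", {"SH": "SH"})
    ok_r1, link1 = pap_authenticate(r3, "SH", "SH")   # R1: ppp pap sent-username SH password SH
    ok_r3, link2 = pap_authenticate(r1, "BJ", "BJ")   # R3: ppp pap sent-username BJ password BJ
    return ok_r1 and ok_r3, link1 + " | " + link2


def lab3_step4_mismatch():
    """LAB3 Steps 2-4: R2 answers with 'ppp chap password GZ' but R1 stores G-s for GZ."""
    r1 = Router("R1", {"GZ": "G-s"}, chap_hostname="SH", chap_password="SH")
    r2 = Router("R2", {"SH": "G-s"}, chap_hostname="GZ", chap_password="GZ")
    return mutual_chap(r1, r2)   # False: the two sides hash different secrets


def lab3_step6_hostnames():
    """LAB3 Step 6: hostnames as usernames, the same secret SS on both sides."""
    return mutual_chap(Router("R1", {"R2": "SS"}), Router("R2", {"R1": "SS"}))   # True
```

The two on-link strings make the notes' security point concrete: the PAP record contains the password tokens themselves, while the CHAP record contains only names, the hex challenge and the hex digest, and a fresh challenge gives a different digest for the same secret.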
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
LAB3: PAP authentication using the "hostname" as the "username"
Shutdown the interfaces first, for stability.
step1: Use the router's hostname directly for CHAP authentication:
R1(config)#username R2 password R12
R2(config)#username R1 password R12
step2: On the PPP interface only the following commands are needed:
Interface serial 0
 Encapsulation ppp
 ppp authentication chap
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
PPP multilink: PPP/MLP (Multilink Protocol) (Layer 2 redundancy)
Comparison experiment (Layer 3 redundancy) (RIP): convergence speed depends on the routing protocol's convergence rate, which is usually slow.
Layer 2 redundancy through the Multilink Protocol:
Step 1: Remove the existing configuration from the interfaces on the redundant physical links. Note that both of R2's interfaces are the DCE end, so a clock rate must be configured, because:
R2#sh controllers serial
HD unit 0, idb = 0x939294, driver structure at 0x940860
buffer size 1524  HD unit 0, V.35 DCE cable, clockrate 64000
cpb = 0xE1, eda = 0x5078, cda = 0x508C
RX ring with 16 entries at 0xE15000
Step 2: (on R2 and R4 at the same time) Encapsulate all 4 physical interfaces with PPP and run multilink on them (no IP address needed):
Interface S0/S1:
 Encapsulation ppp
 Ppp multilink
Step 3: On both routers, create a virtual-template interface, configure the address and specify MLP:
R2(config)#
 Interface virtual-template 1
  ip add 24.0.0.1 255.255.255.252
  ppp multilink
R4(config)#
 Interface virtual-template 1
  Ip add 24.0.0.2 255.255.255.252
  ppp multilink
Step 4: In MLP, call the virtual template:
R2/R4(config)#multilink virtual-template 1
After the virtual interface is set up, the bandwidth doubles:
R2#show interfaces virtual-access 1
 Interface address is 24.0.0.1/30
 BW 3088 Kbit,
R3#show interfaces virtual-access 1
 Interface address is 24.0.0.2/30
 BW 3088 Kbit,
Jia Lei's note: the two links add up their bandwidth and back each other up.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
EC, FEC, GEC LAB: Layer 2 redundancy on Ethernet links between switches
EtherChannel: logical aggregation viewed as one logical port; switch-level load balancing & redundancy.
interface fastethernet0/21/22
 duplex full
 speed 100
 channel-group 1 mode on
The switch automatically creates: interface port-channel 1
SW2(config)#show interface port-channel 1
 BW 2000000 kbit,
show spanning-tree
 po1   root   FWD   12   128.65   p2p
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The PPP host route can be disabled on the interface:
R2#
C 12.0.0.1/32 is directly connected, Serial 0
Interface serial 0
 No peer neighbor-route
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~