#PPP帧结构与HDLC类似,做了少量修改#LCP包有3类:# 1.链路配置包,用于建立和配置链路(Configure-Request,Configure-Ack,Configure-Nak,和Co
.
# PPP帧结构与HDLC类似,做了少量修改# LCP包有3类:# 1.链路配置包,用于建立和配置链路(Configure-Request,Configure-Ack,Configure-Nak,和Configure-Reject)。# 2.链路结束包被用于结束一个链路(Terminate-Request 和 Terminate-Ack)# 3.链路维修包被用于管理和调试一个链路(Code-Reject,Protocol-Reject, Echo-Request, Echo-Reply, 和 Discard-Request)。 # LCP (link control protocal) R2#username r2 password 0 r2R2#interface Serial2/2R2#ip address 202.100.23.2 255.255.255.0R2#encapsulation pppR2#ppp authentication pap# 当配置encapsulation ppp 时,发送 Configure-Request Frame 49: 14 bytes on wire (112 bits), 14 bytes captured (112 bits) on interface 0Point-to-Point Protocol Address: 0xff # 0xFF, standard broadcast address ,表示接受数据包 Control: 0x03 Protocol: Link Control Protocol (0xc021) # 协议字段,0xC021 for LCP, 0x80xy for various NCPs, 0x0021 for IPPPP Link Control Protocol Code: Configuration Request (1) # LCP 连接建立请求: Configure-Request Identifier: 1 (0x01) Length: 10 Options: (6 bytes), Magic Number # Magic Number用于环路检测,判断是否与自身Magic Numberi相同 Magic Number: 0xbc0f842c Type: Magic Number (5) # Magic Number Length: 6 Magic Number: 0xbc0f842c
R3#interface Serial3/3R3#ip address 202.100.23.3 255.255.255.0R3#encapsulation ppp # 当接收到 Configure-Request ,但是其中参数(未配置pap)不能接受,则回复 Configuration Nak Frame 50: 13 bytes on wire (104 bits), 13 bytes captured (104 bits) on interface 0Point-to-Point Protocol Address: 0xff Control: 0x03 Protocol: Link Control Protocol (0xc021)PPP Link Control Protocol Code: Configuration Nak (3) Identifier: 1 (0x01) Length: 9 Options: (5 bytes), Authentication Protocol Authentication Protocol: Challenge Handshake Authentication Protocol (0xc223) Type: Authentication Protocol (3) Length: 5 Authentication Protocol: Challenge Handshake Authentication Protocol (0xc223) Algorithm: CHAP with MD5 (5)
R3#interface Serial3/3R3#ip address 202.100.23.3 255.255.255.0R3#encapsulation pppR3#ppp pap sent-username r2 password r2 # 如果Configure-Request中收到的每一个配置选项和全部的值都是能接受的,那么该必须传送一个Configure-AckFrame 51: 14 bytes on wire (112 bits), 14 bytes captured (112 bits) on interface 0Point-to-Point Protocol Address: 0xff Control: 0x03 Protocol: Link Control Protocol (0xc021)PPP Link Control Protocol Code: Configuration Ack (2) # LCP 连接建立确认: Configuration Ack Identifier: 1 (0x01) # 最近收到的Configure-Request中所有LCP选项值都可识别和接受时发送该消息。 Length: 10 # PPP对端发送和收到Configure-Acks时,LCP协商便完成了 Options: (6 bytes), Magic Number Magic Number: 0xbc0f842c Type: Magic Number (5) Length: 6 Magic Number: 0xbc0f842cFrame
R3#interface Serial3/3R3#ip address 202.100.23.3 255.255.255.0R3#encapsulation ppp# 如果Configure-Request中收到的一些配置选项是不可辨认的或者不被商议所接受(由网络管理员配置的),则该执行必须传送一个Configure-Reject # 具有用户认证功能 -- PAPFrame 61: 12 bytes on wire (96 bits), 12 bytes captured (96 bits) on interface 0Point-to-Point Protocol Address: 0xff Control: 0x03 Protocol: Link Control Protocol (0xc021)PPP Link Control Protocol Code: Configuration Reject (4) Identifier: 6 (0x06) Length: 8 Options: (4 bytes), Authentication Protocol Authentication Protocol: Password Authentication Protocol (0xc023) Type: Authentication Protocol (3) Length: 4 Authentication Protocol: Password Authentication Protocol (0xc023)
# 用户认证失败后(密码错误),结束链路328 84.473122 N/A N/A PPP PAP 14 Authenticate-Request (Peer-ID='r2', Password='r1') # 明文传输329 84.477776 N/A N/A PPP PAP 30 Authenticate-Nak (Message='Authentication failed')330 84.478314 N/A N/A PPP LCP 8 Termination Request331 84.479937 N/A N/A PPP LCP 8 Termination Ack# Echo-Request 和 Echo-Reply包必须仅在LCP的Opened(打开)状态下发送,# 在其他不是Opened(打开)状态下接收到的Echo-Request 和 Echo-Reply包应该被静静的丢弃。# 具有keep-alive功能568 214.489492 N/A N/A PPP LCP 16 Echo Request569 214.490944 N/A N/A PPP LCP 16 Echo Reply
#IPCP只包括7种报文,但它的报文类型只是LCP数据报文的一个子集#(只有LCP代码域从1到7这七种报文:Config-Request,Config-Ack,Config-Nak,Config-Reject,Terminate-Request,Terminate-Ack和Code-Reject),# 而且实际的数据报文交换过程中链路终止报文一般而言是不在网络协议阶段使用的。# LCP处于OPEN状态后,进行NCP协议协商,分为静态协商和动态协商25 71.185532 N/A N/A PPP LCP 14 Configuration Ack26 71.187428 N/A N/A PPP LCP 14 Configuration Ack27 71.198927 N/A N/A PPP IPCP 14 Configuration Request29 71.219095 N/A N/A PPP IPCP 14 Configuration Request# 静态协商,也即是不协商。点对点的通信设备两端在PPP协商之前已配置好了IP地址,# 所以就无须在网络层协议阶段协商IP地址,而双方唯一要做的就是告诉对方自身的IP地址。Frame 27: 14 bytes on wire (112 bits), 14 bytes captured (112 bits) on interface 0Point-to-Point Protocol Address: 0xff Control: 0x03 Protocol: Internet Protocol Control Protocol (0x8021)PPP IP Control Protocol # ipcp 互推地址,生成路由表,(不在同网段也可以通讯) Code: Configuration Request (1) # Configuration Request Identifier: 1 (0x01) Length: 10 Options: (6 bytes), IP address IP address: 202.100.23.2 # 在静态协商时,如果IPCP的Config-Request报文中只含有地址配置参数选项时 Type: IP address (3) # 无论是发送方还是接收方都同时发送Config-Request报文,其中配置选项中只含有各自的IP地址。 Length: 6 IP Address: 202.100.23.2Frame 27: 14 bytes on wire (112 bits), 14 bytes captured (112 bits) on interface 0Point-to-Point Protocol Address: 0xff Control: 0x03 Protocol: Internet Protocol Control Protocol (0x8021)PPP IP Control Protocol Code: Configuration Request (1) Identifier: 1 (0x01) Length: 10 Options: (6 bytes), IP address IP address: 202.100.23.2 Type: IP address (3) Length: 6 IP Address: 202.100.23.2Frame 31: 14 bytes on wire (112 bits), 14 bytes captured (112 bits) on interface 0Point-to-Point Protocol Address: 0xff Control: 0x03 Protocol: Internet Protocol Control Protocol (0x8021)PPP IP Control Protocol Code: Configuration Ack (2) # 当对端收到该报文后,会发送一个Config-Ack报文,这个目的是告诉对端我已经知道了你的IP地址, Identifier: 1 (0x01) # 对路由器而言会增加一条到对端接口的主机路由。 Length: 10 Options: (6 bytes), IP address IP address: 202.100.23.2 Type: IP address (3) Length: 6 IP Address: 202.100.23.2Frame 32: 14 bytes on wire (112 bits), 14 bytes captured (112 bits) on interface 0Point-to-Point Protocol Address: 0xff Control: 0x03 Protocol: Internet Protocol Control Protocol (0x8021)PPP IP Control Protocol Code: Configuration Ack (2) Identifier: 1 (0x01) Length: 10 Options: (6 bytes), IP address IP address: 202.100.23.3 Type: IP address (3) Length: 6 IP Address: 202.100.23.3# 可以获取路由,形成不同网段直连路由2#sh ip route 202.100.23.3Routing entry for 202.100.23.3/32 Known via "connected", distance 0, metric 0 (connected, via interface) Routing Descriptor Blocks: * directly connected, via Serial2/2 Route metric is 0, traffic share count is 1R2#sh ip route 202.100.33.3Routing entry for 202.100.33.3/32 Known via "connected", distance 0, metric 0 (connected, via interface) Routing Descriptor Blocks: * directly connected, via Serial2/2 Route metric is 0, traffic share count is 1R2#sh ip route 1.1.1.1 Routing entry for 1.1.1.1/32 Known via "connected", distance 0, metric 0 (connected, via interface) Routing Descriptor Blocks: * directly connected, via Serial2/2 Route metric is 0, traffic share count is 1
# 动态协商是一端配置为动态获取IP地址,另一端通过手动方式配置IP地址,且允许给对端分配IP地址。# 在这种情况下,发送方连续发送了两次Config-Request报文,才能完成发送方的协商过程。# 而接收方仍然只需要发送一次Config-Request即可完成本端的协商过程。R3(config-if)#ip address negotiated 470 1059.708060 N/A N/A PPP IPCP 14 Configuration Request #发送方第一次Config-Request471 1059.708540 N/A N/A PPP IPCP 14 Configuration Request #接受方第一次Config-Request 472 1059.712205 N/A N/A PPP IPCP 14 Configuration Reject #接收方拒绝发送方第一次Config-Request 473 1059.712677 N/A N/A PPP IPCP 14 Configuration Ack #发送方确认接收方的第一次Config-Request 474 1059.713186 N/A N/A PPP IPCP 8 Configuration Request #发送方第二次Config-Request475 1059.718640 N/A N/A PPP IPCP 8 Configuration Ack #接收方确认第二次Config-Request #由于发送方没有配置IP地址(而是动态获取IP地址),所以在IPCP的Config-Request报文的IP地址配置参数配置选项中的IP地址填充全0(也即是0.0.0.0),Frame 470: 14 bytes on wire (112 bits), 14 bytes captured (112 bits) on interface 0Point-to-Point Protocol Address: 0xff Control: 0x03 Protocol: Internet Protocol Control Protocol (0x8021)PPP IP Control Protocol Code: Configuration Request (1) # IPCP的Config-Request报文 Identifier: 1 (0x01) Length: 10 Options: (6 bytes), IP address IP address: 0.0.0.0 # IP地址填充全0 Type: IP address (3) Length: 6 IP Address: 0.0.0.0# 指定IP的正常IPCP报文 Frame 471: 14 bytes on wire (112 bits), 14 bytes captured (112 bits) on interface 0Point-to-Point Protocol Address: 0xff Control: 0x03 Protocol: Internet Protocol Control Protocol (0x8021)PPP IP Control Protocol Code: Configuration Request (1) Identifier: 2 (0x02) Length: 10 Options: (6 bytes), IP address IP address: 202.100.23.2 Type: IP address (3) Length: 6 IP Address: 202.100.23.2# 当接收方收到该配置请求报文后会检测IP地址的内容,如果发送为全0,则认为对端的这个IP地址不是我所希望的值,# 这样就回应一个Config-Nak报文,并将希望分配给对方的IP地址填充到Config-Nak报文内。Frame 472: 14 bytes on wire (112 bits), 14 bytes captured (112 bits) on interface 0Point-to-Point Protocol Address: 0xff Control: 0x03 Protocol: Internet Protocol Control Protocol (0x8021)PPP IP Control Protocol Code: Configuration Reject (4) Identifier: 1 (0x01) Length: 10 Options: (6 bytes), IP address IP address: 0.0.0.0 Type: IP address (3) Length: 6 IP Address: 0.0.0.0# 指定IP的正常ACK报文Frame 473: 14 bytes on wire (112 bits), 14 bytes captured (112 bits) on interface 0Point-to-Point Protocol Address: 0xff Control: 0x03 Protocol: Internet Protocol Control Protocol (0x8021)PPP IP Control Protocol Code: Configuration Ack (2) Identifier: 2 (0x02) Length: 10 Options: (6 bytes), IP address IP address: 202.100.23.2 Type: IP address (3) Length: 6 IP Address: 202.100.23.2# 这时当接收方收到Config-Nak报文后,就会重新发送一个Config-Request报文,这个报文中的IP地址配置选项为对方在Nak报文中所提供的。 Frame 474: 8 bytes on wire (64 bits), 8 bytes captured (64 bits) on interface 0Point-to-Point Protocol Address: 0xff Control: 0x03 Protocol: Internet Protocol Control Protocol (0x8021)PPP IP Control Protocol Code: Configuration Request (1) Identifier: 2 (0x02) Length: 4Frame 475: 8 bytes on wire (64 bits), 8 bytes captured (64 bits) on interface 0Point-to-Point Protocol Address: 0xff Control: 0x03 Protocol: Internet Protocol Control Protocol (0x8021)PPP IP Control Protocol Code: Configuration Ack (2) Identifier: 2 (0x02) Length: 4# 显示协商获取IP地址,存在本网段路由R3(config-if)#do sh ip int s3/3 Serial3/3 is up, line protocol is up Internet address will be negotiated using IPCP Broadcast address is 255.255.255.255R2(config-if)#do sh ip route Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP a - application route + - replicated route, % - next hop overrideGateway of last resort is not set 192.168.1.0/24 is variably subnetted, 2 subnets, 2 masksC 192.168.1.0/24 is directly connected, Ethernet1/1L 192.168.1.2/32 is directly connected, Ethernet1/1 202.100.23.0/24 is variably subnetted, 2 subnets, 2 masksC 202.100.23.0/24 is directly connected, Serial2/2L 202.100.23.2/32 is directly connected, Serial2/2R2(config-if)#
# PPP认证,相比于HDLC具有用户认证# 挑战握手认证协议 Challenge-Handshake Authentication Protocol# 挑战握手认证协议(CHAP)通过三次握手周期性的认证对端的身份,在初始链路建立时完成,可以在链路建立之后的任何时候重复进行。R2#interface Serial2/2R2#ip address 202.100.23.2 255.255.255.0R2#encapsulation pppR2#ppp authentication chap R2#serial restart-delay 0# 1、链路建立阶段结束之后,认证者向被认证者发送“挑战”消息1 0.000000 N/A N/A PPP LCP 14 Configuration Request # 相互发送Configuration Request和Configuration Ack后,完成LCP链路建立过程2 0.021263 N/A N/A PPP LCP 19 Configuration Request3 0.021402 N/A N/A PPP LCP 14 Configuration Ack4 0.028010 N/A N/A PPP LCP 19 Configuration Ack5 0.059900 N/A N/A PPP CHAP 27 Challenge (NAME='R2', VALUE=0xe8affa5379025f888c6d22ff52aff757) # LCP链路建立完成后,R2主动发送ChallengeFrame 3317: 27 bytes on wire (216 bits), 27 bytes captured (216 bits) on interface 0Point-to-Point Protocol Address: 0xff Control: 0x03 Protocol: Challenge Handshake Authentication Protocol (0xc223)PPP Challenge Handshake Authentication Protocol Code: Challenge (1) Identifier: 1 Length: 23 Data Value Size: 16 Value: e85aa3c02b52edb78c6d22ff000a1cfb Name: R2R3#interface Serial3/3R3#ip address 202.100.23.3 255.255.255.0R3#encapsulation pppR3#ppp chap hostname r2R3#ppp chap password 0 r2 #缺点:密钥配置为明文R3#serial restart-delay 0 # 2、被认证者 计算hash值作为应答Frame 3318: 27 bytes on wire (216 bits), 27 bytes captured (216 bits) on interface 0Point-to-Point Protocol Address: 0xff Control: 0x03 Protocol: Challenge Handshake Authentication Protocol (0xc223)PPP Challenge Handshake Authentication Protocol Code: Response (2) Identifier: 1 Length: 23 Data Value Size: 16 Value: 2f9020d01b7b41ba6c754b014a8e6767 # hash值 Name: r2 # 用户名# 3、认证者根据它自己的预期哈希值的计算来检查应答,如果值匹配,认证得到承认;否则,连接应该终止。# 认证失败,终止连接3317 1534.518709 N/A N/A PPP CHAP 27 Challenge (NAME='R2', VALUE=0xe85aa3c02b52edb78c6d22ff000a1cfb)3318 1534.525085 N/A N/A PPP CHAP 27 Response (NAME='r2', VALUE=0x2f9020d01b7b41ba6c754b014a8e6767)3319 1534.526536 N/A N/A PPP CHAP 29 Failure (MESSAGE='Authentication failed')3320 1534.527368 N/A N/A PPP LCP 8 Termination Request3321 1534.528521 N/A N/A PPP LCP 8 Termination Ack# 认证成功,进行NCP协议互推地址3874 1669.630159 N/A N/A PPP CHAP 27 Challenge (NAME='R2', VALUE=0x3695e79508d494098c6d22fffd432110)3875 1669.635094 N/A N/A PPP CHAP 27 Response (NAME='r2', VALUE=0x0695a3e64fb3a059987d1ff616e1a846)3876 1669.643600 N/A N/A PPP CHAP 8 Success (MESSAGE='')3877 1669.645975 N/A N/A PPP IPCP 14 Configuration Request3878 1669.646095 N/A N/A PPP IPCP 14 Configuration Request3880 1669.646844 N/A N/A PPP IPCP 14 Configuration Ack3881 1669.647354 N/A N/A PPP IPCP 14 Configuration Ack
PPP其他知识点 环路检测:magic number(是否与本身magic number相同) Multiple port-channel
