## Lab 2-1 HDLC and PPP Configuration

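Learning objectives
- Master the basic configuration method for HDLC
- Master the configuration method for the DCE clock baud rate
- Master the basic configuration method for PPP
- Master the configuration method for PAP authentication on a PPP link
- Master the configuration method for CHAP authentication on a PPP link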
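Scenario
You are the network administrator of a company. The headquarters has a router, R2; R1 and R3 are the routers of two branch offices. You need to connect the headquarters network and the branch networks over a WAN. On the WAN links you try the HDLC and PPP protocols, and when using PPP you configure different authentication modes to secure the links.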
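Step 1. Prepare the lab environment
If you are using devices with an empty configuration for this task, start from step 1 and then skip step 2.
If the devices still contain the configuration from the previous lab, start directly from step 2.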
system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R1
system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R2
system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R3
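Step 2. Clear the existing configuration on the devices
Delete the default static route configuration and shut down the specified Ethernet interfaces. Delete the unrelated VLAN configuration.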
[R1]undo ip route-static 0.0.0.0 0
[R1]interface GigabitEthernet 0/0/1
[R1-GigabitEthernet0/0/1]shutdown
[R3]undo ip route-static 0.0.0.0 0
[R3]interface GigabitEthernet 0/0/2
[R3-GigabitEthernet0/0/2]shutdown
[S1]undo interface Vlanif 3
[S1]undo interface Vlanif 5
[S1]undo vlan batch 3 5 to 7
Warning: The configurations of the VLAN will be deleted. Continue?[Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment…done.
[S1]interface GigabitEthernet 0/0/1
[S1-GigabitEthernet0/0/1]undo port default vlan
[S1-GigabitEthernet0/0/1]quit
[S1]undo ospf 1
[S2]undo interface Vlanif 5
[S2]undo interface Vlanif 7
[S2]undo vlan batch 3 to 5 7
Warning: The configurations of the VLAN will be deleted. Continue?[Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment…done.
[S2]interface GigabitEthernet 0/0/3
[S2-GigabitEthernet0/0/3]undo port default vlan
[S2-GigabitEthernet0/0/3]quit
[S2]undo ospf 1
[S3]undo interface Vlanif 1
[S4]undo interface Vlanif 1
Step 3. Configure IP addresses on the serial interfaces of R1, R2 and R3
[R1]interface Serial 1/0/0
[R1-Serial1/0/0]ip address 10.0.12.1 24
[R2]interface Serial 1/0/0
[R2-Serial1/0/0]ip address 10.0.12.2 24
[R2-Serial1/0/0]quit
[R2]interface Serial 2/0/0
[R2-Serial2/0/0]ip address 10.0.23.2 24
[R3]interface Serial 2/0/0
[R3-Serial2/0/0]ip address 10.0.23.3 24
Step 4. Enable HDLC on the serial interfaces
[R1]interface Serial 1/0/0
[R1-Serial1/0/0]link-protocol hdlc
Warning: The encapsulation protocol of the link will be changed. Continue? [Y/N]:y
[R2]interface Serial 1/0/0
[R2-Serial1/0/0]link-protocol hdlc
Warning: The encapsulation protocol of the link will be changed. Continue? [Y/N]:y
[R2-Serial1/0/0]quit
[R2]interface Serial 2/0/0
[R2-Serial2/0/0]link-protocol hdlc
Warning: The encapsulation protocol of the link will be changed. Continue? [Y/N]:y
[R3]interface Serial 2/0/0
[R3-Serial2/0/0]link-protocol hdlc
Warning: The encapsulation protocol of the link will be changed. Continue? [Y/N]:y
After the configuration is complete, check the status of the serial interfaces. The output on R1 is used as an example.
[R1]display interface Serial1/0/0
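After confirming that both the physical status and the protocol status of the interface are UP, test connectivity on the directly connected link.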
ping 10.0.12.1
Step 5. Configure RIPv2
Enable the RIPv2 routing protocol on all three routers and advertise their directly connected routes.
[R1]rip
[R1-rip-1]version 2
[R1-rip-1]network 10.0.0.0
[R2]rip
[R2-rip-1]version 2
[R2-rip-1]network 10.0.0.0
[R3]rip
[R3-rip-1]version 2
[R3-rip-1]network 10.0.0.0
After the configuration is complete, check whether the devices have learned the corresponding routes through RIPv2.
display ip routing-table
Step 6. Manage the serial connection
Check the cable type, interface status and clock rate of the serial interface, and change the clock rate.
display interface Serial1/0/0
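The output shows that interface S1/0/0 on R1 is connected to a DCE cable and that the clock rate is 64000 bit/s.
The DCE device can control the clock rate and bandwidth.
Change the clock rate of the link between R1 and R2 to 128000 bit/s. This operation must be performed on the DCE device, R1.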
[R1]interface Serial 1/0/0
[R1-Serial1/0/0]baudrate 128000
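After the configuration is complete, check the status of the serial interface to confirm that the clock rate has been changed.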
display interface Serial1/0/0
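Step 7. Change the encapsulation type of the serial interfaces to PPP
Change the serial interfaces between R1 and R2 and between R2 and R3 to PPP encapsulation. Both ends of a link must be configured with the same encapsulation type; otherwise the interface state becomes "Down".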
[R1]interface Serial 1/0/0
[R1-Serial1/0/0]link-protocol ppp
Warning: The encapsulation protocol of the link will be changed. Continue? [Y/N]:y
[R2]interface Serial 1/0/0
[R2-Serial1/0/0]link-protocol ppp
Warning: The encapsulation protocol of the link will be changed. Continue? [Y/N]:y
[R2-Serial1/0/0]quit
[R2]interface Serial 2/0/0
[R2-Serial2/0/0]link-protocol ppp
Warning: The encapsulation protocol of the link will be changed. Continue? [Y/N]:y
[R3]interface Serial 2/0/0
[R3-Serial2/0/0]link-protocol ppp
Warning: The encapsulation protocol of the link will be changed. Continue? [Y/N]:y
After the configuration is complete, test link connectivity.
ping 10.0.12.1
ping 10.0.23.3
If the ping fails, check the interface status and see whether the protocol status is normal.
display interface Serial1/0/0
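Step 8. Check the changes in the routing table
After PPP is configured, the routers establish a data link layer connection. The local router sends a host route to the remote router; the route carries the IP address of the local interface with a 32-bit mask.
Taking R2 as an example, the host routes sent by R1 and R3 can be seen.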
[R2]display ip routing-table
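As shown, the routing table now contains routes to R1 and R3. Review where these two routes come from and what they do, then answer the following two questions:
If HDLC encapsulation were configured, would these two routes still be in the routing table?
If the IP addresses of the S1/0/0 interfaces on R1 and R2 were not on the same network segment, could they still communicate over HDLC or PPP?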
Step 9. Enable PAP authentication on the PPP link between R1 and R2
Configure PAP authentication, with R1 as the PAP authenticator.
[R1]interface Serial 1/0/0
[R1-Serial1/0/0]ppp authentication-mode pap
[R1-Serial1/0/0]quit
[R1]aaa
[R1-aaa]local-user huawei password cipher huawei123
info: A new user added
[R1-aaa]local-user huawei service-type ppp
Configure R2 as the PAP peer to be authenticated.
[R2]interface Serial 1/0/0
[R2-Serial1/0/0]ppp pap local-user huawei password cipher huawei123
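After the configuration is complete, test connectivity between R1 and R2. The debug function can be used to observe the exchange of PAP authentication packets.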
debugging ppp pap packet
terminal debugging
display debugging
PPP PAP packets debugging switch is on
system-view
[R1]interface Serial 1/0/0
[R1-Serial1/0/0]shutdown
[R1-Serial1/0/0]undo shutdown
Step 10. Enable CHAP authentication on the PPP link between R2 and R3
Configure R3 as the CHAP authenticator.
[R3]interface Serial 2/0/0
[R3-Serial2/0/0]ppp authentication-mode chap
[R3-Serial2/0/0]quit
[R3]aaa
[R3-aaa]local-user huawei password cipher huawei123
info: A new user added
[R3-aaa]local-user huawei service-type ppp
[R3-aaa]quit
[R3]interface Serial 2/0/0
[R3-Serial2/0/0]shutdown
[R3-Serial2/0/0]undo shutdown
Note that R3 now displays the following messages:
Mar 10 2016 15:06:00+00:00 R3 %%01PPP/4/PEERNOCHAP(l)[5]:On the interface
Serial2/0/0, authentication failed and PPP link was closed because CHAP was
disabled on the peer.
[R3-Serial2/0/0]
Mar 10 2016 15:06:00+00:00 R3 %%01PPP/4/RESULTERR(l)[6]:On the interface
Serial2/0/0, LCP negotiation failed because the result cannot be accepted.
The grey-shaded part of the output indicates that authentication with the peer failed.
Configure R2 as the CHAP peer to be authenticated.
[R2]interface Serial 2/0/0
[R2-Serial2/0/0]ppp chap user huawei
[R2-Serial2/0/0]ppp chap password cipher huawei123
After the configuration is complete, the interface changes to the Up state. Run the ping command to test connectivity.
ping 10.0.23.3
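Step 11. Use debug commands to view the CHAP negotiation that establishes the PPP connection between R2 and R3
View the negotiation that takes place when R2 and R3 establish the PPP connection. To see the complete negotiation, first shut down interface S2/0/0 on R2, then enable debugging, and then bring the interface back up.
First shut down the physical interface on R2.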
[R2]interface Serial 2/0/0
[R2-Serial2/0/0]shutdown
Run the debugging ppp chap all and terminal debugging commands to view the debug information.
[R2-Serial2/0/0]return
debugging ppp chap all
terminal debugging
Info: Current terminal debugging is on.
display debugging
Bring up the physical interface on R2 to start authentication.
system-view
Enter system view, return user view with Ctrl+Z.
[R2]interface Serial 2/0/0
[R2-Serial2/0/0]undo shutdown
Additional exercise: analyze and verify
Why is CHAP authentication more secure than PAP authentication in PPP?
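An added illustration for this exercise (not part of the original lab guide): the Python sketch below builds the PAP Authenticate-Request defined in RFC 1334 and the CHAP Response defined in RFC 1994 for the lab's huawei / huawei123 credentials, then shows what each frame exposes on the wire. The function names and the random challenges are assumptions made for the example.

```python
import hashlib
import hmac
import os
import struct

# Lab credentials from steps 9 and 10 (example constants, not device output).
USER = b"huawei"
SECRET = b"huawei123"

def pap_request(ident, peer_id, password):
    """PAP Authenticate-Request (RFC 1334): code 1, id, length, then
    length-prefixed Peer-ID and Password, both in cleartext."""
    data = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, ident, 4 + len(data)) + data

def parse_pap_request(pkt):
    """What any reader of the frame recovers: (peer_id, password)."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != 1 or length != len(pkt):
        raise ValueError("not a well-formed PAP Authenticate-Request")
    id_len = pkt[4]
    peer_id = pkt[5:5 + id_len]
    pw_len = pkt[5 + id_len]
    return peer_id, pkt[6 + id_len:6 + id_len + pw_len]

def chap_value(ident, secret, challenge):
    """CHAP with MD5 (RFC 1994): MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def chap_response(ident, name, secret, challenge):
    """CHAP Response: code 2, id, length, value-size, value, name."""
    data = bytes([16]) + chap_value(ident, secret, challenge) + name
    return struct.pack("!BBH", 2, ident, 4 + len(data)) + data

def chap_verify(pkt, secret, challenge):
    """Authenticator side: recompute the value from its own challenge."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != 2 or length != len(pkt) or pkt[4] != 16:
        return False
    return hmac.compare_digest(pkt[5:21], chap_value(ident, secret, challenge))

if __name__ == "__main__":
    pap = pap_request(1, USER, SECRET)
    print("PAP frame exposes:", parse_pap_request(pap))
    c1, c2 = os.urandom(16), os.urandom(16)
    resp = chap_response(1, USER, SECRET, c1)
    print("secret present in CHAP frame:", SECRET in resp)
    print("valid for its own challenge:", chap_verify(resp, SECRET, c1))
    print("accepted against a new challenge:", chap_verify(resp, SECRET, c2))
```

The PAP frame carries the password itself, while the CHAP response carries only a hash bound to the authenticator's challenge, so a captured response is rejected once the challenge changes.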
Configuration files
[R1]display current-configuration
[V200R007C00SPC600]

sysname R1

aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher % % =i~>Xp&aY+*2cEVcS-A23Uwe% %
local-user admin service-type http
local-user huawei password cipher % % B:%I)Io0H8)[%SB[idM3C/!#% %
local-user huawei service-type ppp

interface Serial1/0/0
link-protocol ppp
ppp authentication-mode pap
ip address 10.0.12.1 255.255.255.0
baudrate 128000

rip 1
version 2
network 10.0.0.0

user-interface con 0
authentication-mode password
set authentication password
cipher % % dD#}P<HzJ;Xs%X>hOkm!,.+Iq61QKK6tI}cc-;k_oC.+L,% %
user-interface vty 0 4

return
[R2]display current-configuration
[V200R007C00SPC600]

sysname R2

interface Serial1/0/0
link-protocol ppp
ppp pap local-user huawei password cipher % % u[hr6d<JVHR@->T7xr1< . i v .iv% %$
ip address 10.0.12.2 255.255.255.0

interface Serial2/0/0
link-protocol ppp
ppp chap user huawei
ppp chap password cipher % % e{5h)gh"/Uz0mUC%vEx3 4 < m 4<m% %$
ip address 10.0.23.2 255.255.255.0

rip 1
version 2
network 10.0.0.0

user-interface con 0
authentication-mode password
set authentication password
cipher % % |nRPL^hr2IXi7LHDID!/,.%.8%h;3:,hXO2dk#ikaWI.(,% %
user-interface vty 0 4

return
[R3]display current-configuration
[V200R007C00SPC600]

sysname R3

aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher % % =i~>Xp&aY+2cEVcS-A23Uwe% %
local-user admin service-type http
local-user huawei password cipher % % fZsyUk1=O=>:L4’ytgR~D
Im% %
local-user huawei service-type ppp

interface Serial2/0/0
link-protocol ppp
ppp authentication-mode chap
ip address 10.0.23.3 255.255.255.0

rip 1
version 2
network 10.0.0.0

user-interface con 0
authentication-mode password
set authentication password
cipher % % W|)M5D}v@bY^gK\;>QR,.*…%$
user-interface vty 0 4

return
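
An added example, not part of the original lab guide: a small Python check that reads `display current-configuration` text and reports, for each PPP interface, whether the peer is authenticated and whether PAP is accepted. The sample configuration is constructed (modelled on the listings above, with Serial3/0/0 and Serial4/0/0 invented for the example), and the function names are assumptions.

```python
# Constructed sample in VRP layout ("#" separators, one-space indent).
SAMPLE = """\
#
interface Serial1/0/0
 link-protocol ppp
 ppp authentication-mode pap
#
interface Serial2/0/0
 link-protocol ppp
 ppp authentication-mode chap
#
interface Serial3/0/0
 link-protocol ppp
 ppp chap user huawei
#
interface Serial4/0/0
 link-protocol hdlc
#
"""

def interface_sections(config):
    """Yield (name, [commands]) per interface; "#" or a blank line ends a section."""
    name, cmds = None, []
    for raw in config.splitlines() + ["#"]:
        line = raw.strip()
        if line in ("#", "") or line.startswith("interface "):
            if name:
                yield name, cmds
            name, cmds = None, []
            if line.startswith("interface "):
                name = line.split(None, 1)[1]
        elif name:
            cmds.append(line)

def audit_ppp_auth(config):
    """Return {interface: finding} for every PPP-encapsulated interface."""
    findings = {}
    for name, cmds in interface_sections(config):
        if "link-protocol ppp" not in cmds:
            continue
        modes = [c.split()[2:] for c in cmds if c.startswith("ppp authentication-mode ")]
        if not modes:
            findings[name] = "no authentication-mode: peer is not authenticated"
        elif "pap" in modes[0]:
            findings[name] = "PAP accepted: password crosses the link in cleartext"
        else:
            findings[name] = "ok: " + " ".join(modes[0])
    return findings

if __name__ == "__main__":
    print(audit_ppp_auth(SAMPLE))
```

An interface that only carries `ppp pap local-user` or `ppp chap user`, like those on R2, proves its own identity but does not authenticate the other end, which is why it is reported separately.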


Reposted from blog.csdn.net/lzwq1288/article/details/84027334