Network type (P2P type, MA type, Ethernet technology, HDLC, PPP, GRE, MGRE)

Network Type

Three types of networks

Judging from the data link layer (layer 2) technology
1. Point-to-point (P2P)
In a physical network segment there can be only two physical nodes, so no Layer 2 address is required. Example: a serial link.

2. BMA (Broadcast Multiple Access)
In a physical network segment, there can be multiple physical nodes, and there is a broadcast (flooding) mechanism. For example: Ethernet.

3. NBMA (non-broadcast multiple access)
In a physical network segment, there can be multiple physical nodes, but there is no broadcast (flooding) mechanism. For example: Frame Relay, MGRE.

Ethernet technology

A shared-medium network (frequency division: multiple frequencies share the same physical medium); it currently has the highest market coverage. Ethernet is a BMA-type network: one segment can hold N nodes, and broadcast and flooding behaviour exist.

It follows the IEEE 802 standards, uses the MAC address as the Layer 2 unicast address, has broadcast and flooding mechanisms, and is subject to physical collisions. Wired Ethernet uses CSMA/CD (Carrier Sense Multiple Access with Collision Detection) or switches to avoid collisions; wireless Ethernet uses CSMA/CA (Collision Avoidance).

HDLC

High-level Data Link Control belongs to the P2P network type and no longer needs a Layer 2 address. It is an early Layer 2 encapsulation technology for serial links; each vendor's HDLC is its own proprietary variant, incompatible with the others, and it performs only the media access control function.

Example

Topology diagram:

Set up HDLC

PPP

The Point-to-Point Protocol is a point-to-point network type, does not require a Layer 2 unicast address, and is an upgrade built on top of HDLC.

Upgrade point

① Directly connected interfaces whose IP addresses lie in different network segments can still communicate normally: the two devices exchange their interface IP addresses and each generates a 32-bit host route to the peer interface;

② Both parties can perform identity authentication (using the same account and password);

③ Supports new virtual link communication.

PPPOE (Dial-up Internet)

PPP over Ethernet. To allow communication between hosts that are not in the same network segment, and to verify identity, a virtual link is established over which IP addresses are allocated.

Two authentication methods

1. PAP authentication:
Password Authentication Protocol, a plaintext authentication method. The authenticated party repeatedly sends its username and password to the authenticator until the authenticator responds or the connection is terminated; it is often used for PPPoE dial-up authentication.
PAP working mode
Step 1: The authenticated party uses an Authenticate-Request message to send the configured username and password to the authenticator in plain text.
Step 2: After receiving the username and password, the authenticator checks them against its locally configured username/password database. If they match, it replies with an Authenticate-Ack message, indicating that authentication succeeded; if they do not match, it returns an Authenticate-Nak message, indicating that authentication failed.
Example
topology diagram:

Specific configuration:
(1) Authenticator (ISP) configuration:

(2) Authenticated party (Client) configuration:

Packet capture: the password is visibly transmitted in clear text.

2. CHAP authentication:
Challenge Handshake Authentication Protocol, an authentication method in which the password itself is never sent in clear text (a hash is transmitted instead). The authenticator periodically initiates authentication challenges to the authenticated party and re-verifies its identity; it is often used for remote access authentication in enterprise networks.
CHAP working mode
Step 1: After the link is established, the authenticator actively initiates the authentication: it sends a randomly generated Challenge message (ID + random number) to the authenticated party, together with its local username (if a username is configured on the interface, that username is used; otherwise the router's name is used);

Step 2: The authenticated party looks up the password:
(1) After receiving the challenge from the authenticator, the authenticated party checks whether a default CHAP password is configured on the local interface. If it is, it uses the MD5 algorithm to compute a hash over the ID, the default password and the random number, and sends the resulting hash together with its own username back to the authenticator (Response packet);
(2) If no default CHAP password is configured on the local interface, the authenticated party searches its local user table for the password corresponding to the authenticator's username carried in the message. If a user with that username is found, it uses the MD5 algorithm to compute a hash over the message ID, the corresponding password and the random number, and sends the resulting hash together with its own username back to the authenticator (Response message);

Step 3: The authenticator uses MD5 over the message ID, the stored password of the authenticated party and the random number it saved to compute a hash, compares it with the hash sent by the authenticated party, and returns a different response according to the result (Acknowledge or Not Acknowledge).

Example
topology diagram:

Specific configuration:
(1) Authenticator (ISP) configuration:

(2) Authenticated party (Client) configuration:

Packet capture: the password is visibly transmitted in cipher text (only the hash appears on the wire).
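As an added illustration (not code from the original post), the three CHAP steps above and, for comparison, the PAP Authenticate-Request are simulated in Python so the two packet captures can be reproduced. The usernames, the shared password and the 16-byte challenge are constructed values; the hash follows RFC 1994, MD5(ID || secret || challenge).

```python
from __future__ import annotations
import hashlib
import hmac
import os

# Constructed sample credentials (assumptions for this example, not from the post):
# both routers hold the same username/password, as PPP authentication requires.
USER_DB = {b"client": b"huawei-demo", b"isp": b"huawei-demo"}

def chap_hash(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP Response value: MD5(ID || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def step1_challenge(ident: int, local_name: bytes) -> dict:
    """Authenticator sends Challenge: ID + random number, plus its local username."""
    return {"id": ident, "challenge": os.urandom(16), "name": local_name}

def step2_response(chal: dict, user_db: dict, own_name: bytes,
                   default_secret: bytes | None = None) -> dict:
    """Authenticated party: use the interface default CHAP password if configured,
    otherwise look up the authenticator's username in the local user table."""
    secret = default_secret if default_secret is not None else user_db[chal["name"]]
    return {"id": chal["id"], "hash": chap_hash(chal["id"], secret, chal["challenge"]),
            "name": own_name}

def step3_verify(chal: dict, resp: dict, user_db: dict) -> bool:
    """Authenticator recomputes with its stored password for the peer's name and
    compares (Ack on match, Nak otherwise); constant-time compare avoids timing leaks."""
    if resp["id"] != chal["id"] or resp["name"] not in user_db:
        return False
    expected = chap_hash(chal["id"], user_db[resp["name"]], chal["challenge"])
    return hmac.compare_digest(expected, resp["hash"])

def pap_request_wire(user: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request payload: length-prefixed peer-id and password, clear text."""
    return bytes([len(user)]) + user + bytes([len(password)]) + password

def chap_response_wire(resp: dict) -> bytes:
    """CHAP Response payload as a sniffer sees it: length-prefixed hash, then the name."""
    return bytes([len(resp["hash"])]) + resp["hash"] + resp["name"]

def run_chap(peer_secret: bytes | None = None) -> tuple[bool, bytes]:
    """Full exchange ISP -> Client -> ISP; returns (accepted, bytes visible on the wire)."""
    chal = step1_challenge(ident=1, local_name=b"isp")
    resp = step2_response(chal, USER_DB, b"client", default_secret=peer_secret)
    return step3_verify(chal, resp, USER_DB), chal["challenge"] + chap_response_wire(resp)

if __name__ == "__main__":
    ok, wire = run_chap()
    print("CHAP accepted:", ok, "| password on wire:", USER_DB[b"client"] in wire)
    print("PAP password on wire:", b"huawei-demo" in pap_request_wire(b"client", b"huawei-demo"))
```

Passing a wrong `default_secret` to `run_chap` reproduces the Nak path, and searching the returned wire bytes shows why the CHAP capture never reveals the password while the PAP capture does.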

GRE

Generic Routing Encapsulation, commonly known as a "tunnel", is a simple Layer 3 VPN encapsulation technology and belongs to the P2P network type.
Note: VPN stands for virtual private network. Two networks communicate across an intermediate network while a new point-to-point direct link is logically established between them. Home broadband: 300M download, 10-30M upload, shared, temporary IP, possibly not a public IP (multiple layers of NAT), at the bottom of the network architecture. Enterprise broadband: 100M download, 100M upload, dedicated, fixed IP, certainly a public IP, at the middle layer of the network architecture. Point-to-point physical leased lines are too costly. The disadvantages of VPN are security and bandwidth.

GRE configuration example:

Topology:

Specific configuration:
[RA]



Because this is a point-to-point network type, it is better to specify the outgoing interface as the next hop of the static route.
[RB]



Test:

MGRE

Multipoint GRE, also known as DSVPN (Dynamic Smart VPN). If ordinary GRE is used to deploy a VPN between multiple network nodes, a tunnel must be built between every pair of nodes, so the number of tunnels and routing entries grows exponentially, and every node must have a fixed public IP address.

MGRE solves these problems. MGRE places multiple network nodes in a single network segment (an NBMA network, with pseudo-broadcast only) in a point-to-multipoint structure (central site to branch sites). Only the central site's IP address needs to be fixed; branch site addresses do not. Using the NHRP protocol, a branch site with a non-fixed IP address can still let the central site learn its current IP address and perform VPN encapsulation.

NHRP

Next Hop Resolution Protocol. Once NHRP is enabled, branch sites with non-fixed IP addresses actively register with the central site, whose IP is fixed (reporting their current IP address). From these registrations the central site builds MAP mappings (records of the correspondence between the tunnel's virtual IP and the public network IP: the virtual IP is unchanged, the public network IP is variable) and performs VPN encapsulation according to the mapping. When branches communicate with each other, a branch downloads the MAP table from the central site to find the mapping and reach the other branch.

MGRE configuration example

Topology diagram:

Specific configuration:
RA (central site) configuration:



RB (branch site) configuration:



RC (branch site) configuration:



Check the MAP table on RB:

hub means central site; local means local site; route tunnel means other branch sites.
Test:
【RA】

【RB】

Routing Protocol (RIP) between MGRE sites

Pseudo-broadcasting mechanism:
When 224.0.0.9 cannot be used for multicast, the router sends the update itself without relying on a broadcast mechanism: instead of copying one packet and delivering it to everyone at once, it sends a separate unicast copy to each peer. This pseudo-broadcast mechanism achieves the same effect as broadcasting.

Configuration problem:
Because of the existence of the RIP split horizon mechanism, branch sites cannot learn routes from each other through RIP.

Solution:
① If the public IPs corresponding to all tunnels are fixed addresses, every router can act as a central site and the routers can register with each other (similar to a handshake), forming a full-mesh topology. Protocols with a split horizon mechanism, such as RIP, can then still converge normally.
② When the topology is hub-and-spoke (radial, from the center to the sites), not all nodes have fixed public IPs, so the tunnel devices cannot all register with each other. In this case the only way to make the whole network converge normally is to disable split horizon.
The configuration to close the split horizon mechanism is:
[R1-Tunnel0/0/0] undo rip split-horizon
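An added simulation (not the post's configuration) of why the hub-and-spoke MGRE case needs split horizon disabled: a simplified RIP exchange over one shared tunnel interface, with the hub pseudo-broadcasting a unicast copy of its update to each spoke. Router names, interface names and prefixes are constructed for the example.

```python
# Constructed topology: RA is the hub, RB and RC are spokes, and all three share the
# NBMA tunnel interface "Tunnel0/0/0"; spokes exchange updates only with the hub.
# RIB entry: prefix -> (metric, interface the route was learned on). Connected routes
# use metric 0 here for simplicity (real RIP counts them as 1).
TUN = "Tunnel0/0/0"

def advertise(rib: dict, out_iface: str, split_horizon: bool) -> dict:
    """Routes sent out of out_iface; split horizon drops routes learned on that interface."""
    return {prefix: metric for prefix, (metric, learned_on) in rib.items()
            if not (split_horizon and learned_on == out_iface)}

def receive(rib: dict, update: dict, in_iface: str) -> None:
    """Distance-vector install: accept metric+1 when the prefix is new or better."""
    for prefix, metric in update.items():
        if prefix not in rib or metric + 1 < rib[prefix][0]:
            rib[prefix] = (metric + 1, in_iface)

def converge(split_horizon: bool, rounds: int = 4) -> dict:
    """Run a few RIP rounds over the hub and return every router's RIB."""
    ribs = {"RA": {"10.0.1.0/24": (0, "GE0/0/0")},
            "RB": {"10.0.2.0/24": (0, "GE0/0/0")},
            "RC": {"10.0.3.0/24": (0, "GE0/0/0")}}
    for _ in range(rounds):
        # Pseudo-broadcast: the hub sends one unicast copy of the same update per spoke.
        hub_update = advertise(ribs["RA"], TUN, split_horizon)
        for spoke in ("RB", "RC"):
            receive(ribs[spoke], hub_update, TUN)
            receive(ribs["RA"], advertise(ribs[spoke], TUN, split_horizon), TUN)
    return ribs

def spoke_sees_other_spoke(split_horizon: bool) -> bool:
    """Does RB learn RC's LAN prefix? False with split horizon on, True once it is off."""
    return "10.0.3.0/24" in converge(split_horizon)["RB"]

if __name__ == "__main__":
    for sh in (True, False):
        print(f"split horizon {'on ' if sh else 'off'}: RB knows RC's LAN ->",
              spoke_sees_other_spoke(sh))
```

The hub learns both spoke prefixes on Tunnel0/0/0, so with split horizon on it never re-advertises them out of that same interface; turning it off (the `undo rip split-horizon` above) lets RB reach 10.0.3.0/24 with metric 2.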

Origin blog.csdn.net/FLY_7_/article/details/113506233