Network Engineer Day 2 - Lab 2-1: HDLC and PPP Configuration

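Learning objectives

Master the basic configuration of HDLC

Master the configuration of the DCE clock baud rate

Master the basic configuration of PPP

Master the configuration of PAP authentication on a PPP link

Master the configuration of CHAP authentication on a PPP link

Topology

HDLC and PPP lab topology diagram

Scenario

You are the company's network administrator. The headquarters has a router, R2, and R1 and R3 are the routers of two other branch offices. You now need to connect the headquarters network and the branch networks over a WAN. Try the HDLC and PPP protocols on the WAN links, and when using PPP, configure different authentication methods to secure the link.

Procedure

Step 1: Prepare the lab environment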

R1

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]un in en
Info: Information center is disabled.
[Huawei]sysn R1
[R1]int s0/0/0
[R1-Serial0/0/0]ip add 10.0.12.1 24
[R1-Serial0/0/0]quit

R2

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]un in en
Info: Information center is disabled.
[Huawei]sysn R2
[R2]int s0/0/0
[R2-Serial0/0/0]ip add 10.0.12.2 24
[R2-Serial0/0/0]int s0/0/1
[R2-Serial0/0/1]ip add 10.0.23.2 24
[R2-Serial0/0/1]quit

R3

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]un in en
Info: Information center is disabled.
[Huawei]sysn R3
[R3]int s0/0/0
[R3-Serial0/0/0]ip add 10.0.23.3 24
[R3-Serial0/0/0]quit

Step 2: Enable HDLC on the serial interfaces

R1

[R1]int s0/0/0  
[R1-Serial0/0/0]link-protocol hdlc  
Warning: The encapsulation protocol of the link will be changed.   
Continue? [Y/N]:y

R2

[R2]int s0/0/0  
[R2-Serial0/0/0]link-protocol hdlc  
Warning: The encapsulation protocol of the link will be changed.   
Continue? [Y/N]:y  
[R2-Serial0/0/0]int s0/0/1  
[R2-Serial0/0/1]link-protocol hdlc  
Warning: The encapsulation protocol of the link will be changed.   
Continue? [Y/N]:y  

R3

[R3]int s0/0/0    
[R3-Serial0/0/0]link-protocol hdlc  
Warning: The encapsulation protocol of the link will be changed.   
Continue? [Y/N]:y  

After the configuration is complete, check the state of the serial interfaces. The output on R1 is shown as an example:

[R1]disp int s0/0/0
Serial0/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2019-08-21 15:12:45 UTC-08:00
Description:
Route Port,The Maximum Transmit Unit is 1500, Hold timer is 10(sec)
Internet Address is 10.0.12.1/24
Link layer protocol is nonstandard HDLC
Last physical up time   : 2019-08-21 15:06:26 UTC-08:00
Last physical down time : 2019-08-21 15:06:25 UTC-08:00
Current system time: 2019-08-21 15:15:56-08:00
Interface is V35
Last 300 seconds input rate 2 bytes/sec, 0 packets/sec
Last 300 seconds output rate 2 bytes/sec, 0 packets/sec
Input: 2480 bytes, 175 Packets
Ouput: 2556 bytes, 164 Packets
Input bandwidth utilization  : 0.02%
Output bandwidth utilization : 0.02%

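After confirming that both the physical state and the protocol state of the interface are UP, test the connectivity of the directly connected link.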

<R2>ping 10.0.12.1
PING 10.0.12.1: 56  data bytes, press CTRL_C to break
Reply from 10.0.12.1: bytes=56 Sequence=1 ttl=255 time=90 ms
Reply from 10.0.12.1: bytes=56 Sequence=2 ttl=255 time=30 ms
Reply from 10.0.12.1: bytes=56 Sequence=3 ttl=255 time=10 ms
Reply from 10.0.12.1: bytes=56 Sequence=4 ttl=255 time=50 ms
Reply from 10.0.12.1: bytes=56 Sequence=5 ttl=255 time=50 ms

  --- 10.0.12.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
 0.00% packet loss
round-trip min/avg/max = 10/46/90 ms

Step 3: Configure OSPF

Enable the OSPF routing protocol on all three routers and advertise their directly connected routes.

R1

<R1>sys
Enter system view, return user view with Ctrl+Z.
[R1]ospf
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]network 10.0.12.0 0.0.0.255
[R1-ospf-1-area-0.0.0.0]quit

R2

<R2>sys
Enter system view, return user view with Ctrl+Z.
[R2]ospf
[R2-ospf-1]area 0
[R2-ospf-1-area-0.0.0.0]network 10.0.12.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]network 10.0.23.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]quit

R3

<R3>sys
Enter system view, return user view with Ctrl+Z.
[R3]ospf
[R3-ospf-1]area 0
[R3-ospf-1-area-0.0.0.0]network 10.0.23.0 0.0.0.255
[R3-ospf-1-area-0.0.0.0]quit
[R3-ospf-1]quit

Once all routes have been learned, ping R3 from R1 to test whether the network is connected.

[R1]ping 10.0.23.3
PING 10.0.23.3: 56  data bytes, press CTRL_C to break
Reply from 10.0.23.3: bytes=56 Sequence=1 ttl=254 time=50 ms
Reply from 10.0.23.3: bytes=56 Sequence=2 ttl=254 time=80 ms
Reply from 10.0.23.3: bytes=56 Sequence=3 ttl=254 time=70 ms
Reply from 10.0.23.3: bytes=56 Sequence=4 ttl=254 time=40 ms
Reply from 10.0.23.3: bytes=56 Sequence=5 ttl=254 time=40 ms

  --- 10.0.23.3 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
  0.00% packet loss
round-trip min/avg/max = 40/56/80 ms

Step 4: Manage the serial connection

Check the cable type, interface state and clock rate of the serial interface, and change the clock rate.

[R1]dis int s0/0/0
Serial0/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2019-08-21 15:12:45 UTC-08:00
Description:
Route Port,The Maximum Transmit Unit is 1500, Hold timer is 10(sec)
Internet Address is 10.0.12.1/24
Link layer protocol is nonstandard HDLC
Last physical up time   : 2019-08-21 15:06:26 UTC-08:00
Last physical down time : 2019-08-21 15:06:25 UTC-08:00
Current system time: 2019-08-21 21:48:31-08:00
Interface is V35
Last 300 seconds input rate 10 bytes/sec, 0 packets/sec
Last 300 seconds output rate 10 bytes/sec, 0 packets/sec
Input: 20792 bytes, 822 Packets
Ouput: 21164 bytes, 818 Packets
Input bandwidth utilization  : 0.12%
Output bandwidth utilization : 0.12%

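The output indicates that R1's S0/0/0 interface is connected to the DCE cable and that the clock rate is 64000 bit/s. The DCE device controls the clock rate and bandwidth.
Change the clock rate of the link between R1 and R2 to 128000 bit/s. This must be done on the DCE device, R1.

At this point I found that the lab device does not match the lab guide.

The port rate cannot be modified.

Tried other devices, in particular the R2220 from the book; the AR2220 has no Serial port.

Step 5: Change the serial interface encapsulation to PPP

Change the serial interfaces between R1 and R2 and between R2 and R3 to use PPP encapsulation. Both ends of a link must be configured with the same encapsulation type; otherwise the interface state will go DOWN.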

R1

[R1]int s0/0/0
[R1-Serial0/0/0]link-protocol ppp
Warning: The encapsulation protocol of the link will be changed. 
Continue? [Y/N]:y

R2

<R2>sys
Enter system view, return user view with Ctrl+Z.
[R2]int s0/0/0
[R2-Serial0/0/0]link-protocol ppp
Warning: The encapsulation protocol of the link will be changed. 
Continue? [Y/N]:y
[R2-Serial0/0/0]quit
[R2]link-protocol ppp
[R2]int s0/0/1
[R2-Serial0/0/1]link-protocol ppp
Warning: The encapsulation protocol of the link will be changed. 
Continue? [Y/N]:y
[R2-Serial0/0/1]quit

R3

<R3>sys
Enter system view, return user view with Ctrl+Z.
[R3]int s0/0/0
[R3-Serial0/0/0]
[R3-Serial0/0/0]link-protocol ppp
Warning: The encapsulation protocol of the link will be changed. 
Continue? [Y/N]:y
[R3-Serial0/0/0]quit

After the configuration is complete, test link connectivity.

R2

[R2]ping 10.0.12.1
  PING 10.0.12.1: 56  data bytes, press CTRL_C to break
Reply from 10.0.12.1: bytes=56 Sequence=1 ttl=255 time=60 ms
Reply from 10.0.12.1: bytes=56 Sequence=2 ttl=255 time=50 ms
Reply from 10.0.12.1: bytes=56 Sequence=3 ttl=255 time=30 ms
Reply from 10.0.12.1: bytes=56 Sequence=4 ttl=255 time=50 ms
Reply from 10.0.12.1: bytes=56 Sequence=5 ttl=255 time=40 ms

  --- 10.0.12.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 30/46/60 ms

[R2]ping 10.0.23.3
  PING 10.0.23.3: 56  data bytes, press CTRL_C to break
Reply from 10.0.23.3: bytes=56 Sequence=1 ttl=255 time=30 ms
Reply from 10.0.23.3: bytes=56 Sequence=2 ttl=255 time=10 ms
Reply from 10.0.23.3: bytes=56 Sequence=3 ttl=255 time=50 ms
Reply from 10.0.23.3: bytes=56 Sequence=4 ttl=255 time=1 ms
Reply from 10.0.23.3: bytes=56 Sequence=5 ttl=255 time=20 ms

  --- 10.0.23.3 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/22/50 ms

Check the interface state

[R2]dis int s0/0/0 
Serial0/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2019-08-21 22:32:06 UTC-08:00
Description:
Route Port,The Maximum Transmit Unit is 1500, Hold timer is 10(sec)
Internet Address is 10.0.12.2/24
Link layer protocol is PPP
LCP opened, IPCP opened
Last physical up time   : 2019-08-21 22:32:06 UTC-08:00
Last physical down time : 2019-08-21 22:32:06 UTC-08:00
Current system time: 2019-08-21 22:43:45-08:00
Interface is V35
Last 300 seconds input rate 10 bytes/sec, 0 packets/sec
Last 300 seconds output rate 10 bytes/sec, 0 packets/sec
Input: 54874 bytes, 1589 Packets
Ouput: 64946 bytes, 1597 Packets
Input bandwidth utilization  : 0.12%
Output bandwidth utilization : 0.12%

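Step 6: Check the changes in the routing table

Once PPP is configured, the routers establish a data link layer connection. The local router sends a host route to the remote router; the route carries the IP address of the local interface with a 32-bit mask.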

[R2]dis ip routing-table 
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 8        Routes : 8

Destination/Mask    Proto   Pre  Cost  Flags NextHop         Interface

      10.0.12.0/24  Direct  0    0       D   10.0.12.2       Serial0/0/0
      10.0.12.1/32  Direct  0    0       D   10.0.12.1       Serial0/0/0
      10.0.12.2/32  Direct  0    0       D   127.0.0.1       Serial0/0/0
      10.0.23.0/24  Direct  0    0       D   10.0.23.2       Serial0/0/1
      10.0.23.2/32  Direct  0    0       D   127.0.0.1       Serial0/0/1
      10.0.23.3/32  Direct  0    0       D   10.0.23.3       Serial0/0/1
       127.0.0.0/8  Direct  0    0       D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0       D   127.0.0.1       InLoopBack0

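The routing table now contains routes to R1 and R3. Review where these two routes come from and what they do, then answer the following two questions:

If HDLC encapsulation were configured, would these two routes still be in the routing table?

After changing the encapsulation to HDLC, the routing table is: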

[R2]dis ip routing-table 
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 6        Routes : 6

Destination/Mask    Proto   Pre  Cost  Flags NextHop         Interface

      10.0.12.0/24  Direct  0    0       D   10.0.12.2       Serial0/0/0
      10.0.12.2/32  Direct  0    0       D   127.0.0.1       Serial0/0/0
      10.0.23.0/24  Direct  0    0       D   10.0.23.2       Serial0/0/1
      10.0.23.2/32  Direct  0    0       D   127.0.0.1       Serial0/0/1
       127.0.0.0/8  Direct  0    0       D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0       D   127.0.0.1       InLoopBack0

If the IP addresses of the S1/0/0 interfaces on R1 and R2 are not in the same network segment, can they still communicate over HDLC or PPP?

[R1]ping 10.0.22.1 
  PING 10.0.22.1: 56  data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out

  --- 10.0.22.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss

Step 7: Enable PAP authentication on the PPP link between R1 and R2

Configure PAP authentication, with R1 as the PAP authenticator.

[R1]interface s0/0/0
[R1-Serial0/0/0]ppp authentication-mode pap
[R1-Serial0/0/0]quit
[R1]display interface s0/0/0
Serial0/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2019-08-21 23:13:29 UTC-08:00
Description:
Route Port,The Maximum Transmit Unit is 1500, Hold timer is 10(sec)
Internet Address is 10.0.12.1/24
Link layer protocol is PPP
LCP opened, IPCP opened
Last physical up time   : 2019-08-21 23:13:14 UTC-08:00
Last physical down time : 2019-08-21 23:13:13 UTC-08:00
Current system time: 2019-08-21 23:14:01-08:00
Interface is V35
Last 300 seconds input rate 7 bytes/sec, 0 packets/sec
Last 300 seconds output rate 10 bytes/sec, 0 packets/sec
Input: 80612 bytes, 2000 Packets
Ouput: 84272 bytes, 2057 Packets
Input bandwidth utilization  : 0.08%
Output bandwidth utilization : 0.12%

Configure R2 as the PAP authenticated party.

[R2-Serial0/0/0]ppp pap local-user huawei password cipher huawei123
[R2-Serial0/0/0]quit
[R2]dis int s0/0/0
Serial0/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2019-08-21 23:13:29 UTC-08:00
Description:
Route Port,The Maximum Transmit Unit is 1500, Hold timer is 10(sec)
Internet Address is 10.0.12.2/24
Link layer protocol is PPP
LCP opened, IPCP opened
Last physical up time   : 2019-08-21 23:13:28 UTC-08:00
Last physical down time : 2019-08-21 23:13:27 UTC-08:00
Current system time: 2019-08-21 23:16:38-08:00
Interface is V35
Last 300 seconds input rate 11 bytes/sec, 0 packets/sec
Last 300 seconds output rate 11 bytes/sec, 0 packets/sec
Input: 85712 bytes, 2102 Packets
Ouput: 82142 bytes, 2047 Packets
Input bandwidth utilization  : 0.13%
Output bandwidth utilization : 0.13%

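After the configuration is complete, test connectivity between R1 and R2 and use the debug function to observe the PAP authentication packet exchange. The captured request carries the username and password in cleartext.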

<R1>debugging ppp pap packet 
<R1>terminal debugging 
Info: Current terminal debugging is on.
 PPP Packet: 
  Serial0/0/0 Input  PAP(c023) Pkt, Len 25 
  State ServerListen, code Request(01), id 1, len 21 
  Host Len:  6  Name:huawei 
  Pwd Len:  9  Pwd:huawei123
  <R1>undo debugging all 

Step 8: Enable CHAP authentication on the PPP link between R2 and R3

Configure R3 as the CHAP authenticator.

[R3-Serial0/0/0]ppp authentication-mode chap
[R3-Serial0/0/0]quit
[R3]aaa
[R3-aaa]local-user huawei password cipher huawei123
Info: Add a new user.
[R3-aaa]local-user huawei service-type ppp
[R3-aaa]quit

Configure R2's S0/0/1 interface as the authenticated party.

[R2-Serial0/0/1]ppp chap user huawei
[R2-Serial0/0/1]ppp chap password cipher huawei123

Test the link from R2.

[R2]ping 10.0.23.3
  PING 10.0.23.3: 56  data bytes, press CTRL_C to break
Reply from 10.0.23.3: bytes=56 Sequence=1 ttl=255 time=50 ms
Reply from 10.0.23.3: bytes=56 Sequence=2 ttl=255 time=50 ms
Reply from 10.0.23.3: bytes=56 Sequence=3 ttl=255 time=30 ms
Reply from 10.0.23.3: bytes=56 Sequence=4 ttl=255 time=50 ms
Reply from 10.0.23.3: bytes=56 Sequence=5 ttl=255 time=10 ms

  --- 10.0.23.3 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 10/38/50 ms

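Step 9: Use debug commands to view the CHAP negotiation when R2 and R3 establish the PPP connection

View the negotiation when R2 and R3 establish the PPP connection. To see the complete negotiation, first shut down R2's S0/0/1 interface, then enable debugging, and then bring the interface back up.

First shut down R2's S0/0/1 interface.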

[R2-Serial0/0/1]shutdown

To keep messages from the S0/0/0 interface from getting in the way, S0/0/0 can also be shut down at this point.

[R2-Serial0/0/0]shutdown

Run the debugging ppp chap all and terminal debugging commands to view the debug information.

<R2>debugging ppp chap all
<R2>terminal debugging 
Info: Current terminal debugging is on.
<R2>display debugging
PPP CHAP packets debugging switch is on
PPP CHAP events debugging switch is on
PPP CHAP errors debugging switch is on
PPP CHAP state change debugging switch is on

Bring up R2's physical interface S0/0/1 to initiate authentication.

[R2-Serial0/0/1]un shutdown 

The corresponding debug information now appears:

PPP State Change: 
  Serial0/0/1 CHAP : Initial --> ListenChallenge 
Aug 21 2019 23:41:55.130.4-08:00 R2 PPP/7/debug2:
  PPP Packet: 
  Serial0/0/1 Input  CHAP(c223) Pkt, Len 25 
  State ListenChallenge, code Challenge(01), id 1, len 21 
  Value_Size:  16  Value: f2 47 48 13 d9 66 37 2a af 4f f6 3f 34 39 90 29 
  Name: 
Aug 21 2019 23:41:55.130.5-08:00 R2 PPP/7/debug2:

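Additional exercise

Why is CHAP authentication in PPP more secure than PAP authentication?

Link: https://www.nowcoder.com/questionTerminal/23017970388842c4b3181f37da7e085d?toCommentId=622758
Source: Nowcoder

PAP: Password Authentication Protocol. PAP is a two-way handshake authentication protocol. When the link is first initialized, the authenticated party initiates the authentication request and sends its username and password to the authenticator for identity verification. The password is sent in plaintext, so its security is low. CHAP: Challenge Handshake Authentication Protocol. CHAP verifies the identity of the authenticated party with a three-way handshake, which is completed when the link is initially established; to improve security, verification is repeated periodically after the link is established. CHAP is more secure than PAP because CHAP does not send plaintext over the line but instead sends a random number sequence that has been processed with MD5.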
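
The difference can be seen with the values from the two debug captures above. The following is an added example, not part of the original post or the quoted answer: it parses a PAP Authenticate-Request built to match the captured fields (RFC 1334) and computes the CHAP response as MD5 over identifier, secret and challenge (RFC 1994). The packet bytes are constructed and the function names are assumptions of this example.

```python
import hashlib
import hmac
import struct

# Constructed PAP Authenticate-Request matching the debug fields above:
# code 01, id 1, len 21, peer-id "huawei" (6), password "huawei123" (9).
PAP_REQUEST = struct.pack("!BBH", 1, 1, 21) + b"\x06huawei" + b"\x09huawei123"

# Challenge value copied from the CHAP debug output above (id 1, 16 bytes).
CHALLENGE = bytes.fromhex("f2474813d966372aaf4ff63f34399029")
SECRET = b"huawei123"  # shared secret configured on R2 and R3 in this lab


def parse_pap_request(pkt: bytes):
    """Return (peer_id, password) from a PAP Authenticate-Request (RFC 1334)."""
    if len(pkt) < 6:
        raise ValueError("packet too short")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != 1 or length != len(pkt):
        raise ValueError("not a well-formed Authenticate-Request")
    id_len = pkt[4]
    if 6 + id_len > length:
        raise ValueError("peer-id length overruns packet")
    pw_len = pkt[5 + id_len]
    if 6 + id_len + pw_len != length:
        raise ValueError("field lengths do not add up")
    peer_id = pkt[5:5 + id_len]
    password = pkt[6 + id_len:]
    return peer_id.decode(), password.decode()


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): hash of identifier, secret, then challenge."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_verify(ident: int, secret: bytes, challenge: bytes, resp: bytes) -> bool:
    """Authenticator side: recompute the hash and compare in constant time."""
    return hmac.compare_digest(chap_response(ident, secret, challenge), resp)


if __name__ == "__main__":
    print("PAP on the wire:", parse_pap_request(PAP_REQUEST))
    resp = chap_response(1, SECRET, CHALLENGE)
    print("CHAP on the wire:", resp.hex())
    print("verifies:", chap_verify(1, SECRET, CHALLENGE, resp))
    print("same response, new challenge:", chap_verify(1, SECRET, bytes(16), resp))
```

The PAP packet yields the password directly, while the CHAP response is bound to one identifier and one challenge, so it does not verify against a later challenge.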
