10. Ethernet Authentication (PPPoE)
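Ethernet itself has no identity authentication mechanism. PPPoE carries PPP over Ethernet and uses PPP's authentication features to implement user access control (that is, authentication, authorization and accounting for connecting users).
[Configuration]
R2 must complete the PPPoE process and authenticate successfully before it can access the network.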
R1:
username user01 password cisco
! Define the PPPoE bba-group (broadband access group)
bba-group pppoe ALD
 ! Virtual template used by PPPoE
 virtual-template 1
!
interface Ethernet0/0
 no ip address
 ! Enable PPPoE on the interface facing the PPPoE client (names the bba-group to use)
 pppoe enable group ALD
! Create the virtual template
interface Virtual-Template1
 ip address 192.168.1.254 255.255.255.0
 ! Assign PPPoE client IP addresses from the address pool PPPOE_POOL
 peer default ip address pool PPPOE_POOL
 ! Authenticate PPPoE clients with CHAP
 ppp authentication chap
! Define the address pool PPPOE_POOL
ip local pool PPPOE_POOL 192.168.1.1 192.168.1.100
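R2:
interface Ethernet0/0
 no ip address
 ! Enable PPPoE on the Ethernet interface facing the PPPoE server
 pppoe enable
 ! Dial pool used by the PPPoE client (must match "dialer pool" on the Dialer interface below)
 pppoe-client dial-pool-number 1
interface Dialer0
 ! Obtain the IP address automatically through PPP (negotiated in the IPCP phase)
 ip address negotiated
 ! Use PPP encapsulation on the Dialer interface
 encapsulation ppp
 ! Dial pool number (must match dial-pool-number on the Ethernet interface above)
 dialer pool 1
 ! CHAP username and password
 ppp chap hostname user01
 ppp chap password cisco
!
! Default route; once the PPPoE dial-up succeeds, traffic to external networks uses it
ip route 0.0.0.0 0.0.0.0 Dialer0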
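How the CHAP credentials configured above are used on the wire, as an added example that is not part of the original page: an RFC 1994 CHAP-MD5 exchange in Python with both the server (R1) and client (R2) sides. The function names are assumptions of this example, and the 16-byte challenge size is inferred from the "len 23" challenge in the debug output further down the page.

```python
import hashlib
import hmac
import os
import struct

CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4  # RFC 1994 CHAP codes

def chap_packet(code, ident, value, name):
    """Challenge/Response layout: Code, Identifier, Length, Value-Size, Value, Name."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_chap(pkt):
    """Return (code, identifier, value, name), rejecting inconsistent lengths."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 5:
        raise ValueError("bad CHAP length")
    vsize = pkt[4]
    if 5 + vsize > length:
        raise ValueError("Value-Size exceeds packet")
    return code, ident, pkt[5:5 + vsize], pkt[5 + vsize:]

def chap_md5(ident, secret, challenge):
    """Response value for algorithm 5: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def server_challenge(ident, hostname=b"R1"):
    """Server side: fresh random challenge, tagged with the server's name."""
    return chap_packet(CHALLENGE, ident, os.urandom(16), hostname)

def client_respond(challenge_pkt, hostname, secret):
    """Client side: hash the shared secret with the received challenge."""
    code, ident, challenge, _ = parse_chap(challenge_pkt)
    if code != CHALLENGE:
        raise ValueError("not a challenge")
    return chap_packet(RESPONSE, ident, chap_md5(ident, secret, challenge), hostname)

def server_verify(challenge_pkt, response_pkt, users):
    """Server side: recompute the hash from the local user table and compare."""
    _, ident, challenge, _ = parse_chap(challenge_pkt)
    code, rid, value, name = parse_chap(response_pkt)
    secret = users.get(name)
    ok = (code == RESPONSE and rid == ident and secret is not None and
          hmac.compare_digest(value, chap_md5(ident, secret, challenge)))
    return struct.pack("!BBH", SUCCESS if ok else FAILURE, ident, 4)

USERS = {b"user01": b"cisco"}  # mirrors "username user01 password cisco" on R1

if __name__ == "__main__":
    chal = server_challenge(1)
    resp = client_respond(chal, b"user01", b"cisco")
    print(len(chal), len(resp), server_verify(chal, resp, USERS).hex())
```

The password itself never crosses the link, but both ends must hold it in recoverable form, and a response is only valid for the challenge it answers.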
Use debug pppoe event on R2 to observe the PPPoE dial-up process:
R2#
*Mar 1 00:11:31.143: Sending PADI: Interface = Ethernet0/0
*Mar 1 00:11:31.227: PPPoE 0: I PADO R:cc00.10cc.0000 L:cc01.10cc.0000 Et0/0
*Mar 1 00:11:33.191: PPPOE: we've got our pado and the pado timer went off
*Mar 1 00:11:33.191: OUT PADR from PPPoE Session
*Mar 1 00:11:33.247: PPPoE 4: I PADS R:cc00.10cc.0000 L:cc01.10cc.0000 Et0/0
*Mar 1 00:11:33.247: IN PADS from PPPoE Session
*Mar 1 00:11:33.255: %DIALER-6-BIND: Interface Vi1 bound to profile Di1
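The PPPoE exchange consists of the PPPoE client sending PADI, the PPPoE server answering with PADO, the PPPoE client sending PADR, and the PPPoE server replying with PADS (which contains the Session ID the PPPoE server has assigned to this PPPoE client). The PPPoE server uses this Session ID (4 in this example) to identify the PPPoE client. It can be viewed on either the PPPoE server or the client with show pppoe session.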
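The four-step discovery exchange described above, as an added example that is not part of the original page: a Python parser for PPPoE discovery frames (EtherType 0x8863, RFC 2516) that extracts the Session ID from PADS and checks that PADO and PADS come from the expected server MAC. The frames are constructed samples that reuse the MAC addresses from the debug output and carry no tags; the function names are assumptions.

```python
import struct

ETH_PPPOE_DISCOVERY = 0x8863  # EtherType of the PPPoE discovery stage
CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}

def mac(text):
    """Cisco dotted MAC (cc00.10cc.0000) -> 6 raw bytes."""
    return bytes.fromhex(text.replace(".", ""))

def build(dst, src, code, session_id, tags=b""):
    """Constructed sample frame: Ethernet header + 6-byte PPPoE header + tags."""
    return (mac(dst) + mac(src) + struct.pack("!H", ETH_PPPOE_DISCOVERY) +
            struct.pack("!BBHH", 0x11, code, session_id, len(tags)) + tags)

def parse(frame):
    """Validate the headers and return source MAC, packet name and session id."""
    if len(frame) < 20:
        raise ValueError("truncated frame")
    ethertype, = struct.unpack("!H", frame[12:14])
    vertype, code, sid, length = struct.unpack("!BBHH", frame[14:20])
    if ethertype != ETH_PPPOE_DISCOVERY or vertype != 0x11:
        raise ValueError("not a PPPoE discovery frame")
    if 20 + length > len(frame):
        raise ValueError("PPPoE length exceeds frame")
    return {"src": frame[6:12].hex(), "code": CODES.get(code, hex(code)), "sid": sid}

def check_discovery(frames, expected_server):
    """Return (session_id, findings) for one client's PADI/PADO/PADR/PADS exchange."""
    findings, sid, seen = [], None, []
    server = mac(expected_server).hex()
    for f in map(parse, frames):
        seen.append(f["code"])
        if f["code"] in ("PADO", "PADS") and f["src"] != server:
            findings.append(f"{f['code']} from unexpected server {f['src']}")
        if f["code"] == "PADS":
            sid = f["sid"]  # the server assigns the session id in PADS
        elif f["code"] in ("PADI", "PADO", "PADR") and f["sid"] != 0:
            findings.append(f"{f['code']} with non-zero session id")
    if seen != ["PADI", "PADO", "PADR", "PADS"]:
        findings.append(f"unexpected sequence {seen}")
    return sid, findings

# Constructed frames mirroring the exchange in the debug output (session id 4).
R1, R2, BCAST = "cc00.10cc.0000", "cc01.10cc.0000", "ffff.ffff.ffff"
SAMPLE = [build(BCAST, R2, 0x09, 0), build(R2, R1, 0x07, 0),
          build(R1, R2, 0x19, 0), build(R2, R1, 0x65, 4)]

if __name__ == "__main__":
    print(check_discovery(SAMPLE, R1))
```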
R1#show pppoe session
1 session in LOCALLY_TERMINATED (PTA) State
1 session total
Uniq ID  PPPoE  RemMAC          Port    VT  VA     State
           SID  LocMAC                      VA-st
      4      4  cc01.10cc.0000  Et0/0    1  Vi1.1  PTA
                cc00.10cc.0000              UP
R2#show pppoe session
1 client session
Uniq ID  PPPoE  RemMAC          Port    VT   VA     State
           SID  LocMAC                       VA-st
    N/A      4  cc00.10cc.0000  Et0/0   Di1  Vi1    UP
                cc01.10cc.0000               UP
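After the PPPoE server and the PPPoE client complete the PPPoE stage and the Session ID has been determined, the PPP negotiation follows (LCP, authentication (optional), and IPCP):
R2#debug pppoe event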
R2#debug ppp negotiation
*Mar 1 00:17:40.979: Sending PADI: Interface = Ethernet0/0
*Mar 1 00:17:41.055: PPPoE 0: I PADO R:cc00.10cc.0000 L:cc01.10cc.0000 Et0/0
*Mar 1 00:17:43.027: PPPOE: we've got our pado and the pado timer went off
*Mar 1 00:17:43.027: OUT PADR from PPPoE Session
*Mar 1 00:17:43.091: PPPoE 4: I PADS R:cc00.10cc.0000 L:cc01.10cc.0000 Et0/0
*Mar 1 00:17:43.091: IN PADS from PPPoE Session
*Mar 1 00:17:43.099: %DIALER-6-BIND: Interface Vi1 bound to profile Di1
*Mar 1 00:17:43.103: PPPoE: Virtual Access interface obtained.
*Mar 1 00:17:43.103: PPPoE : encap string prepared
*Mar 1 00:17:43.103: [0]PPPoE 5: data path set to Virtual Acess
*Mar 1 00:17:43.107: Vi1 PPP: Phase is DOWN, Setup
*Mar 1 00:17:43.107: Vi1 PPP: Using dialer call direction
*Mar 1 00:17:43.111: Vi1 PPP: Treating connection as a callout
*Mar 1 00:17:43.111: Vi1 PPP: Session handle[4200000A] Session id[0]
*Mar 1 00:17:43.111: Vi1 PPP: Phase is ESTABLISHING, Active Open
*Mar 1 00:17:43.111: Vi1 PPP: No remote authentication for call-out
*Mar 1 00:17:43.115: Vi1 LCP: O CONFREQ [Closed] id 1 len 10
*Mar 1 00:17:43.115: Vi1 LCP: MagicNumber 0x012104E8 (0x0506012104E8)
*Mar 1 00:17:43.115: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
*Mar 1 00:17:43.123: Vi1 LCP: I CONFACK [REQsent] id 1 len 10
*Mar 1 00:17:43.123: Vi1 LCP: MagicNumber 0x012104E8 (0x0506012104E8)
R2#
*Mar 1 00:17:45.059: Vi1 LCP: I CONFREQ [ACKrcvd] id 2 len 19
*Mar 1 00:17:45.059: Vi1 LCP: MRU 1492 (0x010405D4)
*Mar 1 00:17:45.059: Vi1 LCP: AuthProto CHAP (0x0305C22305)
*Mar 1 00:17:45.063: Vi1 LCP: MagicNumber 0x002105FD (0x0506002105FD)
*Mar 1 00:17:45.063: Vi1 LCP: O CONFNAK [ACKrcvd] id 2 len 8
*Mar 1 00:17:45.063: Vi1 LCP: MRU 1500 (0x010405DC)
*Mar 1 00:17:45.079: Vi1 LCP: Timeout: State ACKrcvd
*Mar 1 00:17:45.079: Vi1 LCP: O CONFREQ [ACKrcvd] id 2 len 10
*Mar 1 00:17:45.079: Vi1 LCP: MagicNumber 0x012104E8 (0x0506012104E8)
*Mar 1 00:17:45.107: Vi1 LCP: I CONFREQ [REQsent] id 3 len 19
*Mar 1 00:17:45.107: Vi1 LCP: MRU 1500 (0x010405DC)
*Mar 1 00:17:45.107: Vi1 LCP: AuthProto CHAP (0x0305C22305)
*Mar 1 00:17:45.107: Vi1 LCP: MagicNumber 0x002105FD (0x0506002105FD)
*Mar 1 00:17:45.107: Vi1 LCP: O CONFACK [REQsent] id 3 len 19
*Mar 1 00:17:45.107: Vi1 LCP: MRU 1500 (0x010405DC)
*Mar 1 00:17:45.107: Vi1 LCP: AuthProto CHAP (0x0305C22305)
*Mar 1 00:17:45.107: Vi1 LCP: MagicNumber 0x002105FD (0x0506002105FD)
*Mar 1 00:17:45.111: Vi1 LCP: I CONFACK [ACKsent] id 2 len 10
*Mar 1 00:17:45.111: Vi1 LCP: MagicNumber 0x012104E8 (0x0506012104E8)
*Mar 1 00:17:45.111: Vi1 LCP: State is Open
*Mar 1 00:17:45.115: Vi1 PPP: Phase is AUTHENTICATING, by the peer
*Mar 1 00:17:45.115: Vi1 CHAP: I CHALLENGE id 1 len 23 from "R1"
*Mar 1 00:17:45.123: Vi1 CHAP: Using hostname from interface CHAP
*Mar 1 00:17:45.123: Vi1 CHAP: Using password from interface CHAP
*Mar 1 00:17:45.123: Vi1 CHAP: O RESPONSE id 1 len 27 from "user01"
*Mar 1 00:17:45.387: Vi1 CHAP: I SUCCESS id 1 len 4
*Mar 1 00:17:45.387: Vi1 PPP: Phase is FORWARDING, Attempting Forward
*Mar 1 00:17:45.391: Vi1 PPP: Phase is ESTABLISHING, Finish LCP
*Mar 1 00:17:45.395: Vi1 PPP: Phase is UP
*Mar 1 00:17:45.395: Vi1 IPCP: O CONFREQ [Closed] id 1 len 10
*Mar 1 00:17:45.395: Vi1 IPCP: Address 0.0.0.0 (0x030600000000)
*Mar 1 00:17:45.399: Vi1 PPP: Process pending ncp packets