Transcript PPP

CCNA 4 v3.0 Module 3
PPP
Cisco Networking Academy
© 2003, Cisco Systems, Inc. All rights reserved.
Objectives
• Serial point-to-point links
• HDLC
• PPP authentication
• Configuring PPP
Introduction to Serial Communication
• WAN technologies are based on serial transmission at the physical layer.
  – This means that the bits of a frame are transmitted one at a time over the physical medium.
  – Line-coding schemes used on serial links include Nonreturn to Zero Level (NRZ-L), High Density Binary 3 (HDB3), and Alternate Mark Inversion (AMI).
• Some of the many serial communications standards include the following:
  – RS-232-E
  – V.35
  – High-Speed Serial Interface (HSSI)
Time-Division Multiplexing
• Time-division multiplexing (TDM) is the transmission of several sources of information over one common channel, or signal, with the original streams reconstructed at the remote end.
• Each input signal has its own timeslot, and each timeslot usually consists of one byte.
• All timeslots together make up the total bandwidth; for example, a T1 carries 24 DS0 channels (24 x 64 kbps = 1.536 Mbps of payload, 1.544 Mbps including framing).
Demarcation Point
[Figure: CPE at each end of the provider link, with the demarcation point between them]
The demarcation point is the point in the network where the responsibility of the service provider or "telco" ends.
HDLC Encapsulation
In 1979, the ISO agreed on HDLC as a standard
bit-oriented data link layer protocol that encapsulates
data on synchronous serial data links.
HDLC Encapsulation
• HDLC uses synchronous serial transmission and provides reliable communication between two points: each frame carries a frame check sequence, and frames that arrive corrupted or not at all are retransmitted.
• HDLC defines a Layer 2 framing structure that allows for flow control and error control using acknowledgments and a windowing scheme.
Cisco HDLC Encapsulation
• Standard HDLC does not inherently support multiple protocols on a single link, as it has no field that indicates which protocol is being carried.
• The Cisco HDLC frame adds a proprietary 'type' field that acts as a protocol field, much like the protocol field in a PPP frame.
• This field enables multiple network layer protocols to share the same serial link, but because the field is proprietary, the device at the far end must also speak Cisco HDLC; for a link to non-Cisco equipment, use PPP.
• HDLC is the default encapsulation type on Cisco serial interfaces.
HDLC Sequencing
The first one or two bits of the control field serve to identify the frame type.
• In the control field of an Information (I) frame, the send-sequence number N(S) is the sequence number of the frame being sent.
• The receive-sequence number N(R) gives the number of the frame expected next, and so acknowledges every frame up to N(R) - 1.
• Both sender and receiver maintain send and receive sequence numbers.
HDLC Frame Types
• I-Frame: Information frames carry the actual data.
• U-Frame: Unnumbered frames are used to manage links.
  – U-frames set up and tear down the logical link (for example SABM/UA and DISC).
• S-Frame: Supervisory frames are used for error recovery and flow control (RR, RNR, REJ).
• The Cisco HDLC frame uses its own proprietary type field to indicate the Layer 3 protocol being used.
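The two slides above describe the control field in words; the decoder below is an added example (not Cisco code and not part of the original module) that classifies a modulo-8 control byte by its first one or two bits, extracts N(S), N(R) and the poll/final bit, and names the supervisory and unnumbered frame types by their standard LAPB encodings. It also parses the Cisco HDLC header with its proprietary type field, and returns None for a frame that is not Cisco HDLC (a PPP frame, which starts 0xFF 0x03). The sample frames in the main block are constructed by hand, and the function and class names are my own.

```python
"""Decoding the HDLC control field (I/S/U frame types) and the Cisco HDLC header.
Added example, not Cisco code; the sample frames are constructed by hand.
Bit 0 is the first bit transmitted, so "the first one or two bits of the
control field" are the low-order bits of the byte."""
from dataclasses import dataclass
from typing import Optional

# Supervisory type in bits 2-3 (LAPB byte values with N(R)=0, P/F=0: 0x01 0x05 0x09 0x0D)
S_TYPES = {0: "RR", 1: "RNR", 2: "REJ", 3: "SREJ"}
# Unnumbered modifier bits 2,3,5,6,7 (mask 0xEC); the P/F bit (bit 4) is not part of the type
U_MASK = 0xEC
U_TYPES = {0x00: "UI", 0x0C: "DM", 0x2C: "SABM", 0x40: "DISC", 0x60: "UA", 0x84: "FRMR"}


@dataclass
class Control:
    kind: str            # "I", "S" or "U"
    name: str            # frame name, e.g. "I", "RR", "SABM"
    ns: Optional[int]    # N(S): sequence number of this I-frame
    nr: Optional[int]    # N(R): next frame expected from the peer (acknowledges up to N(R)-1)
    pf: bool             # poll/final bit


def decode_control(ctrl: int) -> Control:
    """Classify a modulo-8 control byte by its first one or two bits."""
    pf = bool(ctrl & 0x10)
    if ctrl & 0x01 == 0:                        # first bit 0     -> Information frame
        return Control("I", "I", (ctrl >> 1) & 7, (ctrl >> 5) & 7, pf)
    if ctrl & 0x02 == 0:                        # first bits 1,0  -> Supervisory frame
        return Control("S", S_TYPES[(ctrl >> 2) & 3], None, (ctrl >> 5) & 7, pf)
    return Control("U", U_TYPES.get(ctrl & U_MASK, "unknown"), None, None, pf)  # 1,1 -> Unnumbered


# Cisco HDLC: Address 0x0F (unicast) or 0x8F (broadcast), Control 0x00, then the
# proprietary 2-byte type field, which reuses Ethertype values.
CISCO_TYPES = {0x0800: "IPv4", 0x86DD: "IPv6", 0x8035: "SLARP"}


def decode_cisco_hdlc(frame: bytes) -> Optional[dict]:
    """Return the decoded Cisco HDLC header, or None if the bytes are not Cisco HDLC
    (a PPP frame, for instance, starts 0xFF 0x03 and has no Cisco type field)."""
    if len(frame) < 4 or frame[0] not in (0x0F, 0x8F) or frame[1] != 0x00:
        return None
    type_code = int.from_bytes(frame[2:4], "big")
    return {"broadcast": frame[0] == 0x8F,
            "protocol": CISCO_TYPES.get(type_code, f"0x{type_code:04x}"),
            "payload": frame[4:]}


if __name__ == "__main__":
    for ctrl in (0x3A, 0x11, 0x25, 0x89, 0x3F, 0x73, 0x00):
        print(f"0x{ctrl:02x} -> {decode_control(ctrl)}")
    # Constructed frames: Cisco HDLC carrying IPv4, and a PPP header that is not Cisco HDLC
    print(decode_cisco_hdlc(bytes.fromhex("0f000800") + b"\x45\x00"))
    print(decode_cisco_hdlc(bytes.fromhex("ff030021")))
```

Note that the fixed Cisco HDLC control byte 0x00 decodes as an I-frame with N(S) = N(R) = 0: Cisco HDLC does not use the sequencing and windowing of standard HDLC at all, so a capture that shows changing sequence numbers or S-frames on a Cisco serial link is not Cisco HDLC.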
PPP Layered Architecture
• PPP uses a two-layer architecture made up of two sublayers:
  – Link Control Protocol (LCP): used for establishing, configuring and testing the point-to-point link.
  – Network Control Protocol (NCP): one per network layer protocol, used for configuring that protocol over the link.
PPP and the Data Link Layer
• The LCP sits on top of the physical layer and is used to
establish, configure, and test the data-link connection.
• PPP also uses LCP to automatically agree upon
encapsulation format options such as authentication,
compression and multilink.
PPP and the Network Layer
• PPP permits multiple network layer protocols to operate on the same
communications link.
• For every network layer protocol used, a separate Network Control
Protocol (NCP) is provided.
• NCPs include functional fields containing standardized codes (hex) to
indicate the network layer protocol type that PPP encapsulates.
Three PPP Session Establishment Phases
Link-Establishment Phase
• In this phase each PPP device sends LCP frames to configure
and test the data link.
• LCP must first open the connection and negotiate the
configuration parameters.
• This phase is complete when a configuration
acknowledgment frame has been sent and received.
• LCP frames contain a configuration option field that allows
devices to negotiate the use of options such as:
–maximum transmission unit (MTU)
–compression
–authentication protocol
Authentication Phase
• After the link has been established and the authentication protocol has been agreed on, the peer may be authenticated.
• Authentication, if used, takes place before the network layer protocol phase is entered.
• PPP uses PAP and CHAP as its authentication protocols.
Link Control Protocol Summary
Network Layer Protocol Phase
• In this phase the PPP devices send NCP packets to choose and configure one or more network layer protocols, such as IP.
• The 'show interfaces' command reveals the LCP and NCP states under PPP configuration (for example "LCP Open" and "Open: IPCP").
• The PPP link remains configured for communications until one of the following occurs:
  – LCP or NCP frames close the link (for example after a change in authentication)
  – An inactivity timer expires
  – A user intervenes
LCP Options
PPP Configuration Options
• Multilink - Cisco IOS Release 11.1 and later supports multilink
PPP. This alternative provides load balancing over the router
interfaces that PPP uses.
• Compression options increase the effective throughput on PPP
connections by reducing the amount of data in the frame that
must travel across the link.
PPP Authentication Protocols
• PPP has two authentication types:
  1. Password Authentication Protocol (PAP)
  2. Challenge Handshake Authentication Protocol (CHAP)
• Of the two, CHAP is more secure: PAP sends the username and password across the link in cleartext, with no protection against replay, whereas CHAP never sends the shared secret, only an MD5 hash of a fresh challenge. Because anyone who captures a CHAP challenge and response can brute-force the secret offline, the secret still has to be strong.
Router(config-if)# ppp authentication {pap | chap}
Password Authentication Protocol (PAP)
Challenge Handshake Authentication
Protocol (CHAP)
CHAP provides protection against replay (playback) attacks through the use of a variable challenge value that is unique and unpredictable: a captured response is useless against any later challenge.
In the Cisco CHAP implementation, by default, the called party must authenticate the calling party.
However, the calling party can also verify the identity of the called party, resulting in a two-way authentication.
PPP Encapsulation and Authentication
Process
CHAP Authentication Process
1. A CHAP challenge packet is built with the following characteristics:
01 = challenge packet type identifier.
ID = sequential number that identifies the challenge.
random = a random number generated by the router.
3640-1 = the authentication name of the challenger.
2. The ID and random values are kept on the called router.
3. The challenge packet is sent to the calling router. A list of outstanding challenges
is maintained.
CHAP Authentication Process
1. The ID value is fed into the MD5 hash generator.
2. The random value is fed into the MD5 hash generator.
3. The name 3640-1 is used to look up the password. The router looks for an entry matching the username in the challenge:
   username 3640-1 password pc1
4. The password is fed into the MD5 hash generator and the hash is created. (RFC 1994 defines the hash as MD5 over the ID, the secret and the challenge value concatenated in that order.)
CHAP Authentication Process
1. The response packet is assembled from the following components:
   02 = CHAP response packet type identifier.
   ID = copied from the challenge packet.
   hash = the output from the MD5 hash generator (the hashed information from the challenge packet).
   766-1 = the username, sent so that the challenger can look up the appropriate password.
2. The response packet is then sent to the challenger.
CHAP Authentication Process
1. The ID is used to find the original challenge packet.
2. The ID is fed into the MD5 hash generator.
3. The original challenge random value is fed into the MD5 hash generator.
4. The name 766-1 is used to look up the password
5. The password is fed into the MD5 hash generator.
6. The hash value received in the response packet is then compared to
the newly calculated MD5 hash value.
CHAP Authentication Process
1. If authentication is successful, a CHAP success packet is built from the
following components:
03 = CHAP success message type.
ID = copied from the response packet.
2. If failed, a CHAP failure packet is built from the following components:
04 = CHAP failure message type.
ID = copied from the response packet.
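The five CHAP Authentication Process slides above walk through one exchange between the called router 3640-1 and the calling router 766-1 with the shared secret pc1. The script below is an added example, not Cisco IOS code, that runs that exchange end to end: it builds the Challenge (01), Response (02), Success (03) and Failure (04) packets in the RFC 1994 wire layout, keeps the list of outstanding challenges on the challenger, computes the response as MD5 over ID, secret and challenge in the order RFC 1994 specifies, and shows both one-way and two-way authentication. The hostnames and secret come from the slides; the Router class, its usernames table (which stands in for the IOS "username <peer> password <secret>" lines) and the function names are my own.

```python
"""Worked CHAP exchange (RFC 1994), following the slide walkthrough between the
called router 3640-1 and the calling router 766-1 with shared secret "pc1".
Added example, not Cisco IOS code: the class and function names are my own."""
import hashlib
import hmac
import os
import struct

CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4   # CHAP Code field values


def build_packet(code, ident, value, name):
    """Challenge/Response: Code(1) Identifier(1) Length(2) Value-Size(1) Value Name."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def build_result(code, ident, message=b""):
    """Success/Failure: Code(1) Identifier(1) Length(2) Message (no Value-Size field)."""
    return struct.pack("!BBH", code, ident, 4 + len(message)) + message


def parse_packet(pkt):
    """Return (code, ident, value, name); for Success/Failure, value is empty and name is the message."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("CHAP length field does not match packet size")
    if code in (SUCCESS, FAILURE):
        return code, ident, b"", pkt[4:]
    vsize = pkt[4]
    return code, ident, pkt[5:5 + vsize], pkt[5 + vsize:]


def chap_hash(ident, secret, challenge):
    """RFC 1994 response value: MD5 over Identifier || secret || challenge, in that order."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Router:
    """One PPP peer. `usernames` mirrors the IOS 'username <peer> password <secret>' lines."""

    def __init__(self, hostname, usernames):
        self.hostname = hostname.encode()
        self.usernames = {n.encode(): p.encode() for n, p in usernames.items()}
        self.next_id = 0
        self.outstanding = {}   # ID -> random value: the "list of outstanding challenges"

    def make_challenge(self):
        """Steps 1-3 on the called router: build and remember a fresh challenge."""
        ident, self.next_id = self.next_id, (self.next_id + 1) % 256
        random_value = os.urandom(16)             # unique and unpredictable per challenge
        self.outstanding[ident] = random_value
        return build_packet(CHALLENGE, ident, random_value, self.hostname)

    def make_response(self, challenge_pkt):
        """On the calling router: look up the challenger's name, hash ID + secret + random."""
        code, ident, random_value, challenger = parse_packet(challenge_pkt)
        if code != CHALLENGE or challenger not in self.usernames:
            return None                           # no 'username <challenger> password' line
        digest = chap_hash(ident, self.usernames[challenger], random_value)
        return build_packet(RESPONSE, ident, digest, self.hostname)

    def check_response(self, response_pkt):
        """Back on the challenger: recompute the hash from the stored random value."""
        code, ident, received, responder = parse_packet(response_pkt)
        random_value = self.outstanding.pop(ident, None)   # each challenge is single-use
        secret = self.usernames.get(responder)
        if (code == RESPONSE and random_value is not None and secret is not None
                and hmac.compare_digest(received, chap_hash(ident, secret, random_value))):
            return build_result(SUCCESS, ident, b"Welcome")
        return build_result(FAILURE, ident, b"Authentication failure")


def authenticate(called, calling):
    """Run one one-way CHAP exchange and return the result code (SUCCESS or FAILURE)."""
    challenge = called.make_challenge()
    response = calling.make_response(challenge)
    if response is None:
        return FAILURE
    return parse_packet(called.check_response(response))[0]


if __name__ == "__main__":
    r3640 = Router("3640-1", {"766-1": "pc1"})
    r766 = Router("766-1", {"3640-1": "pc1"})
    print("one-way:", authenticate(r3640, r766) == SUCCESS)    # called authenticates calling
    print("two-way:", authenticate(r766, r3640) == SUCCESS)    # calling also checks called
    print("bad key:", authenticate(r3640, Router("766-1", {"3640-1": "guess"})) == FAILURE)
```

Popping the stored random value in check_response is what makes a replayed response fail: the second time the same Response packet arrives, no outstanding challenge matches its ID. The same property is why the secret must be strong, since MD5 is fixed by RFC 1994 and a captured challenge/response pair lets an attacker test candidate passwords offline at full speed.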
Configuring PPP Authentication Checklist
CHAP Configuration
Verifying PPP
PPP Configuration Commands
Debug PPP Authentication
Troubleshooting a Serial Interface
• Five possible problem states can be identified in the interface status line of the show interface serial display:
  – Serial x is down, line protocol is down.
  – Serial x is up, line protocol is down.
  – Serial x is up, line protocol is up (looped).
  – Serial x is up, line protocol is down (disabled).
  – Serial x is administratively down, line protocol is down.
http://www.cisco.com/en/US/tech/tk713/tk628/technologies_tech_note09186a00800a758d.shtml
Troubleshooting a Serial Interface
Troubleshooting a Serial Interface
• show interface serial [number]

Light   Definition             Purpose
DCD     Data Carrier Detect    Provider switch detected
DSR     Data Set Ready         OK to send data
DTR     Data Terminal Ready    Notifies the far end that you can receive data
RTS     Request to Send        Asks the far end if it is OK to send data
CTS     Clear to Send          Tells the far end that it may send data