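Lab objectives:
R1 and R2 are directly connected over a PPP link; R2 and R3 are directly connected over two PPP links bundled as PPP MP
Configure the IP addresses as shown in the diagram
R2 performs one-way CHAP authentication of R1 over PPP
R2 and R3 perform two-way CHAP authentication over PPP
Lab topology:
Lab procedure:
Part 1: Configure the IP addresses of all devices as shown in the diagram
(1) R1 and R2 are directly connected over a PPP link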
R1:
<Huawei>sys
[Huawei]sysname R1
[R1]int Serial 3/0/0
[R1-Serial3/0/0]ip add 192.168.1.1 24
R2:
[Huawei]sysname R2
[R2]int Serial 3/0/0
[R2-Serial3/0/0]ip add 192.168.1.2 24
(2) R2 and R3 bundle two PPP links into a PPP MP direct connection
R2:
[R2]interface Mp-group 0/0/0
[R2-Mp-group0/0/0]q
[R2]int Serial 3/0/1
[R2-Serial3/0/1]ppp mp Mp-group 0/0/0
[R2-Serial3/0/1]q
[R2]int Serial 4/0/0
[R2-Serial4/0/0]ppp mp Mp-group 0/0/0
[R2-Serial4/0/0]q
[R2]interface Mp-group 0/0/0
[R2-Mp-group0/0/0]ip add 192.168.2.2 24
Check R2's interface IP configuration:
[R2]display ip interface brief
R3:
[Huawei]sysname R3
[R3]int Mp-group 0/0/0
[R3-Mp-group0/0/0]q
[R3]int Serial 3/0/0
[R3-Serial3/0/0]ppp mp Mp-group 0/0/0
[R3-Serial3/0/0]q
[R3]int Serial 3/0/1
[R3-Serial3/0/1]ppp mp Mp-group 0/0/0
[R3-Serial3/0/1]q
[R3]int Mp-group 0/0/0
[R3-Mp-group0/0/0]ip add 192.168.2.3 24
Check R3's interface IP configuration:
[R3]display ip interface brief
Test:
[R2]ping 192.168.2.3
PING 192.168.2.3: 56 data bytes, press CTRL_C to break
0.00% packet loss
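Part 2: CHAP authentication for PPP
(3) R2 performs one-way CHAP authentication of R1 over PPP
Analysis: one-way authentication of R1 by R2 means that R2 is the authenticator and R1 is the authenticated party. The user for authentication therefore has to be created on R2 (username: gxc, password: 1234567)
Authenticator configuration: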
[R2]aaa
[R2-aaa]local-user gxc password cipher 1234567
[R2-aaa]local-user gxc service-type ppp
[R2-aaa]q
[R2]int Serial 3/0/0
[R2-Serial3/0/0]ppp authentication-mode chap
Authenticated party configuration:
[R1]int Serial 3/0/0
[R1-Serial3/0/0]ppp chap user gxc
[R1-Serial3/0/0]ppp chap password cipher 1234567
Test: (shut down and re-enable the PPP link between R1 and R2, and check whether authentication succeeds)
Before shutting down:
[R1]ping 192.168.1.2
PING 192.168.1.2: 56 data bytes, press CTRL_C to break
0.00% packet loss
This shows that CHAP authentication passes
Test: shut down interface Serial3/0/0 on R1, re-enable it, then ping R2
[R1-Serial3/0/0]shutdown
[R1-Serial3/0/0] undo shutdown
[R1-Serial3/0/0]ping 192.168.1.2
PING 192.168.1.2: 56 data bytes, press CTRL_C to break
0.00% packet loss
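Alternatively, change the username or the password on the authenticated party R1, then shut down interface Serial3/0/0 on R1, re-enable it, and ping R2 (here the username is changed as an example: it was gxc and becomes GXCgxc)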
[R1-Serial3/0/0]undo ppp chap user
[R1-Serial3/0/0]ppp chap user GXCgxc
[R1-Serial3/0/0]shutdown
[R1-Serial3/0/0] undo shutdown
[R1-Serial3/0/0]ping 192.168.1.2
PING 192.168.1.2: 56 data bytes, press CTRL_C to break
100.00% packet loss
Now change it back to the original username gxc
[R1-Serial3/0/0]undo ppp chap user
[R1-Serial3/0/0]ppp chap user gxc
[R1-Serial3/0/0]shutdown
[R1-Serial3/0/0]undo shutdown
[R1-Serial3/0/0]ping 192.168.1.2
PING 192.168.1.2: 56 data bytes, press CTRL_C to break
0.00% packet loss
Test passed!
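The 100% packet loss after renaming the user to GXCgxc follows from how the authenticator checks a CHAP response. The sketch below is an added example, not part of the original lab and not Huawei's implementation: it models the RFC 1994 MD5 challenge/response, with a dictionary standing in for R2's local-user table; the function names and the identifier value are assumptions.

```python
import hashlib
import hmac
import os

# Stand-in for the authenticator's AAA table ("local-user gxc" on R2).
LOCAL_USERS = {"gxc": b"1234567"}


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP-MD5 value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def peer_reply(name, secret, identifier, challenge):
    """Authenticated side: send name plus hash; the secret never crosses the link."""
    return name, chap_response(identifier, secret, challenge)


def verify(identifier, challenge, name, response):
    """Authenticator: look up the claimed name, recompute the hash, compare."""
    secret = LOCAL_USERS.get(name)
    if secret is None:  # unknown user name, e.g. GXCgxc in the lab
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def handshake(name, secret, identifier=1):
    """One full exchange with a fresh random 16-byte challenge."""
    challenge = os.urandom(16)
    return verify(identifier, challenge, *peer_reply(name, secret, identifier, challenge))


def replay_accepted(identifier=1):
    """Reuse a response captured for one challenge against a new challenge."""
    old, new = os.urandom(16), os.urandom(16)
    _, captured = peer_reply("gxc", b"1234567", identifier, old)
    return verify(identifier, new, "gxc", captured)


if __name__ == "__main__":
    print("gxc / 1234567    :", handshake("gxc", b"1234567"))
    print("GXCgxc / 1234567 :", handshake("GXCgxc", b"1234567"))
    print("gxc / wrong pass :", handshake("gxc", b"7654321"))
    print("replayed response:", replay_accepted())
```

Only the name and the hash travel over the link, so the exchange is as strong as the shared password and the unpredictability of the challenge.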
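(4) R2 and R3 perform two-way CHAP authentication over PPP
Analysis: two-way authentication means that both R2 and R3 have to create a user for authentication, and each side has to configure the peer's username on its own interfaces.
Also, although PPP MP is configured on the PPP links between R2 and R3, authentication still has to be configured on the physical interfaces, so every PPP interface connecting R2 and R3 needs the authentication configuration.
Two cases are covered: (the usernames and passwords of the two cases may be the same or different. If the username and password are the same in both cases, the second CHAP configuration can leave out the username and password on the authenticated party)
1. R2 is the authenticator and R3 is the authenticated party (username: gao, password: 1234567)
Authenticator configuration [R2]: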
[R2]aaa
[R2-aaa]local-user gao password cipher 1234567
[R2-aaa]q
[R2]int Serial 3/0/1
[R2-Serial3/0/1]ppp authentication-mode chap
[R2-Serial3/0/1]q
[R2]int Serial 4/0/0
[R2-Serial4/0/0]ppp authentication-mode chap
Authenticated party configuration [R3]:
[R3]int Serial 3/0/0
[R3-Serial3/0/0]ppp chap user gao
[R3-Serial3/0/0]ppp chap password cipher 1234567
[R3-Serial3/0/0]q
[R3]int Serial 3/0/1
[R3-Serial3/0/1]ppp chap user gao
[R3-Serial3/0/1]ppp chap password cipher 1234567
2. R3 is the authenticator and R2 is the authenticated party (username: gaoxc, password: 1234567)
Authenticator configuration [R3]:
[R3]aaa
[R3-aaa]local-user gaoxc password cipher 1234567
[R3-aaa]q
[R3]int s 3/0/0
[R3-Serial3/0/0]ppp authentication-mode chap
[R3-Serial3/0/0]q
[R3]int s 3/0/1
[R3-Serial3/0/1]ppp authentication-mode chap
Authenticated party configuration [R2]:
[R2]int s 3/0/1
[R2-Serial3/0/1]ppp chap user gaoxc
[R2-Serial3/0/1]ppp chap password cipher 1234567
[R2-Serial3/0/1]q
[R2]int s 4/0/0
[R2-Serial4/0/0]ppp chap user gaoxc
[R2-Serial4/0/0]ppp chap password cipher 1234567
Test: ping R3 from R2
[R2]ping 192.168.2.3
PING 192.168.2.3: 56 data bytes, press CTRL_C to break
0.00% packet loss
Shut down interface Serial3/0/1 on R2, re-enable it, then ping R3
[R2]int s 3/0/1
[R2-Serial3/0/1]sh
[R2-Serial3/0/1]shutdown
[R2-Serial3/0/1]undo shutdown
[R2-Serial3/0/1]ping 192.168.2.3
PING 192.168.2.3: 56 data bytes, press CTRL_C to break
0.00% packet loss
Test passed!