1.Lease Line(專線):承租專線,費用高,穩定性佳,獨立使用,不與他人共享,安全性高。
2.Circuit Switch(電路交換):臨時性專線,如電話撥接或ISDN。傳輸延遲較小,不會發生線路衝突,可靠性和即時回應能力都很優異,缺點是需要花費一段時間建立線路。
3.Packet Switch(分封交換):ATM、Frame Relay。
DTE與DCE
DTE(Data Terminal Equipment)
將本地端的資料轉換成適合傳輸用的資料類型(或稱為資料封裝)。
DCE(Data Communication Equipment)
將DTE封裝後的資料,轉換成合適在線路上傳輸的訊號,再傳送出去。
電腦透過本地端的DTE+DCE做轉換後,才能將資料轉換成類比訊號從電話線(傳輸媒介)傳出去。
DTE與DCE之間的溝通必須有同步時脈,由DCE(sync clock)與DTE同步。
資料的封裝
Cisco Router的Serial Interface
1.HDLC (High-level Data Link Control)
2.PPP (Point to Pont Protocol)
3.Frame-Relay
Lease Line(專線):HDLC、PPP
Circuit Switch(撥接或ISDN):HDLC、PPP
Packet Switch(Frame Relay或ATM):HDLC、Frame Relay
HDLC協定
Cisco Serial介面的預設封裝,適用於點對點協定。是專屬協定非標準協定,不支援認證。
Router-1(config)#int s1/0
Router-1(config-if)#encapsulation hdlc
Router-1(config-if)#clock rate 500000
Router-1(config-if)#no sh
Router-2(config)#int s1/0
Router-2(config-if)#encapsulation hdlc
Router-2(config-if)#no sh
Router-1#sh int serial 1/0
Serial1/0 is up, line protocol is up (connected)
Hardware is HD64570
Internet address is 10.1.1.1/24
MTU 1500 bytes, BW 128 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation HDLC, loopback not set, keepalive set (10 sec)
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0 (size/max/drops); Total output drops: 0
Queueing strategy: weighted fair
Output queue: 0/1000/64/0 (size/max total/threshold/drops)
Conversations 0/0/256 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
Available Bandwidth 96 kilobits/sec
5 minute input rate 15 bits/sec, 0 packets/sec
5 minute output rate 13 bits/sec, 0 packets/sec
26 packets input, 1732 bytes, 0 no buffer
Received 20 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
26 packets output, 1732 bytes, 0 underruns
0 output errors, 0 collisions, 3 interface resets
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
DCD=up DSR=up DTR=up RTS=up CTS=up
PPP協定
是種標準協定,除了可以用在專線,還可以用在撥接或是ISDN線路上,支援認證,動態定址(DHCP),回Call(Call Back),像ADSL,就採用PPP封裝協定。
PPP的驗證方式
1.PAP(Password Authentication Protocol)
PAP驗證是一種雙向交握(Two way handshake)協定,一旦建立網路連線後,驗證程序就停止。
分單向驗證與雙向驗證
a.單向驗證:Server端,建立一組帳密,Client端送出同一組帳密像Server端來驗證。
b.雙向驗證:A、B端同時各設定帳號密碼,A送出帳密給B驗證,B送出帳密給A驗證,通過後即可建立連線。
2.CHAP(Challenge Handshake Authentication Protocol)
CHAP採用三向交握(3-way handshake),當PPP連線建立階段完成時,Client端就會送出Challenge封包給遠端設備,接著遠端設備用One way hash函數的方式,根據傳送來的Challenge值和密碼計算出一個特定的值,後將這值傳回給Client端。Client端比對自己算出來的值,相同表認證已通過,否則會立刻中斷目前這個PPP連線。
<PPP-PAP單向驗證>
Router-1(config)#int serial 1/0
Router-1(config-if)#clock rate 1000000
Router-1(config-if)#encapsulation ppp (變更PPP封裝)
Router-1(config-if)#ppp authentication pap (PAP驗證)
Router-1(config-if)#exit
Router-1(config)#username user1 password pass1 (設定Server端要驗證的帳密)
Router-2(config)#int se 1/0
Router-2(config-if)#encapsulation ppp
Router-2(config-if)#ppp ?
authentication Set PPP link authentication method
pap Set PAP authentication parameters
Router-2(config-if)#ppp pap sent-username user1 password pass1 (要驗證的帳密)
Router-2(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up
<PPP-PAP雙向驗證>
Router-1(config)#int serial 1/0
Router-1(config-if)#clock rate 1000000
Router-1(config-if)#encapsulation ppp (變更PPP封裝)
Router-1(config-if)#ppp authentication pap (PAP驗證)
Router-1(config-if)#exit
Router-1(config)#username user1 password pass1 (驗證的帳密)
Router-2(config-if)#ppp pap sent-username user2 password pass2 (要驗證的帳密)
Router-2(config)#int se 1/0
Router-2(config-if)#encapsulation ppp (變更PPP封裝)
Router-2(config-if)#ppp authentication pap (PAP驗證)
Router-2(config-if)#exit
Router-2(config)#username user2 password pass2 (驗證的帳密)
Router-2(config-if)#ppp ?
authentication Set PPP link authentication method
pap Set PAP authentication parameters
Router-2(config-if)#ppp pap sent-username user1 password pass1 (要驗證的帳密)
Router-2(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up
<PPP-CHAP單向驗證>(目前Packet Tracer v5.3.2.0027無法實作CHAP驗證)
Router-1(config)#int serial 1/0
Router-1(config-if)#clock rate 1000000
Router-1(config-if)#no sh
Router-1(config-if)#encapsulation ppp (啟用PPP封裝)
Router-1(config-if)#ppp authentication chap (啟用CHAP驗證)
Router-1(config-if)#exit
Router-1(config)#username user1 password pass1 (建立帳號、密碼)
Router-2(config)#int serial 1/0
Router-2(config-if)#no sh
Router-2(config-if)#encapsulation ppp (啟用PPP封裝)
Router-2(config-if)#ppp chap hostname user1 (傳送PPP-CHAP帳號)
Router-2(config-if)#ppp chap password pass1
(傳送PPP-CHAP密碼)
<PPP-CHAP雙向驗證>(目前Packet Tracer v5.3.2.0027無法實作CHAP驗證)
PPP-CHAP雙向驗證,Username要設定為對方的Hostname,且兩端的密碼要設為相同。
Router-1(config)#int serial 1/0
Router-1(config-if)#no sh
Router-1(config-if)#encapsulation ppp
Router-1(config-if)#ppp authentication chap
Router-1(config-if)#exit
Router-1(config)#username Router-2 password ABC
Router-1(config-if)#ppp chap hostname Router-1 (傳送PPP-CHAP帳號)
Router-1(config-if)#ppp chap password ABC (傳送PPP-CHAP密碼)
Router-2(config)#int serial 1/0
Router-2(config-if)#encapsulation ppp
Router-2(config-if)#ppp authentication chap
Router-2(config-if)#no sh
Router-2(config-if)#exit
Router-2(config)#username Router-1 password ABC
Router-2(config-if)#ppp chap hostname Router-2 (傳送PPP-CHAP帳號)
Router-2(config-if)#ppp chap password ABC (傳送PPP-CHAP密碼)
Frame Relay訊框中繼
Local Access Rate區域專線存取速度
Frame Relay的實體線路架構,由各區域辦公室,申請區域專線連接到當地ISP最近的機房,這條區域專線的速度就是Local Access Rate,也就是該線路能夠乘載的最高頻寬。
CIR(Committed Information Rate)保證資料傳輸速率
CIR是ISP業者保證可以傳送的速度。
Frame Relay的封裝
1.Frame Relay Cisco:Cisco專屬協定。
2.Frame Relay IEFT:標準協定。
Virtual Circuit(虛擬電路)
1.固接式(PVC)
2.交換式(SVC):當有資料要傳遞時才建立,傳遞完成後就中斷。
DLCI(Data Link Connection Identifier)資料連結連線識別碼
建立PVC時,使用DLCI來識別連接點,DLCI由ISP業者提供。
LMI(Local Manager Interface)區域管理介面
Router到所連接Frame Relay交換機之間所用的訊號標準,Router可藉由LMI得知整個線路狀況。
格式:(由ISP業者決定)
1.Cisco
2.ANSI
3.Q.933A
Inverse ARP
建立PVC時,可以手動指定DLCI與IP對應關係,也可以使用Inverse ARP讓Router自動搜尋PVC另一端的設備位置。
FECN(Forward Explicit Congestion Notification)
FECN是Frame Relay封包表頭內的一個位元。當Router(DTE)發送Frame Relay封包出去時,如果網路發生雍塞,Frame Relay交換機(DCE)就會把FECN的值設成1。當目的端設備看到這個FECN的值是1時,就知道網路雍塞狀況。Router(DTE)設備就可以針對網路雍塞狀況做出處置動作(如降低傳送速率)。
BECN(Backward Explicit Congestion Notification)
BECN也是Frame Relay封包表頭內的一個位元。當Frame Relay交換機(DCE)以反方向發送回給Router(DTE),而FECN的值為1的時候,Frame Relay交換機(DCE)就會把BECN的值也設成1,來告訴來源端的DTE設備,Frame Relay發生壅塞的狀況,來源端的Router(DTE)設備就會針對網路雍塞做出處置裝置。
<點對點Frame Relay設定>
1.LMI使用Cisco格式
2.Router-1的DLCI=100
3.Router-2的DLCI=200
Router-1(config)#int serial 1/0
Router-1(config-if)#ip address 10.1.1.1 255.255.255.0
Router-1(config-if)#encapsulation frame-relay ?
ietf Use RFC1490/RFC2427 encapsulation
<cr>
Router-1(config-if)#encapsulation frame-relay (即為Frame Relay Cisco封裝)
Router-1(config-if)#frame-relay ?
interface-dlci Define a DLCI on an interface/subinterface
lmi-type Use CISCO-ANSI-CCITT type LMI
map Map a protocol address to a DLCI address
Router-1(config-if)#frame-relay lmi-type ?
ansi
cisco
q933a
Router-1(config-if)#frame-relay lmi-type cisco
Router-1(config-if)#frame-relay interface-dlci ?
<16-1007> Define a switched or locally terminated DLCI
Router-1(config-if)#frame-relay interface-dlci 100
Router-1(config-if)#frame-relay map ip 10.1.1.2 ?
<16-1007> DLCI
Router-1(config-if)#frame-relay map ip 10.1.1.2 100 (告知DLCI 100可以通到10.1.1.2)
Router-1(config-if)#no sh
Router-2(config)#int serial 1/0
Router-2(config-if)#ip address 10.1.1.2 255.255.255.0
Router-2(config-if)#encapsulation frame-relay
Router-2(config-if)#frame-relay lmi-type cisco
Router-2(config-if)#frame-relay interface-dlci 200
Router-2(config-if)#frame-relay map ip 10.1.1.1 200 (告知DLCI 200可以通到10.1.1.1)
Router-2(config-if)#no sh
Router-1#sh run
Building configuration...
!
interface Serial1/0
ip address 10.1.1.1 255.255.255.0
encapsulation frame-relay
frame-relay map ip 10.1.1.2 100
frame-relay interface-dlci 100
Router-1#sh interfaces serial 1/0
Serial1/0 is up, line protocol is up (connected)
Hardware is HD64570
Internet address is 10.1.1.1/24
MTU 1500 bytes, BW 128 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation Frame Relay, loopback not set, keepalive set (10 sec)
LMI enq sent 110, LMI stat recvd 109, LMI upd recvd 0, DTE LMI up
LMI enq recvd 0, LMI stat sent 0, LMI upd sent 0
LMI DLCI 1023 LMI type is CISCO frame relay DTE
Broadcast queue 0/64, broadcasts sent/dropped 0/0, interface broadcasts 0
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0 (size/max/drops); Total output drops: 0
Queueing strategy: weighted fair
<點對點Frame Relay設定-IETF封裝>
1.Encapsulation:IETF
2.LMI:Q933a
3.Router-1 DLCI=110
4.Router-2 DLCI=210
Router-1(config)#int serial 1/0
Router-1(config-if)#ip address 10.1.1.1 255.255.255.0
Router-1(config-if)#encapsulation frame-relay ietf
Router-1(config-if)#frame-relay lmi-type q933a
Router-1(config-if)#frame-relay interface-dlci 110
Router-1(config-if)#frame-relay map ip 10.1.1.2 110
Router-1(config-if)#no sh
Router-2(config)#int serial 1/0
Router-2(config-if)#ip address 10.1.1.2 255.255.255.0
Router-2(config-if)#encapsulation frame-relay ietf
Router-2(config-if)#frame-relay lmi-type q933a
Router-2(config-if)#frame-relay interface-dlci 210
Router-2(config-if)#frame-relay map ip 10.1.1.1 210
Router-2(config-if)#no sh
<多點Frame Relay連線>(點對點模式)
可以在一個實體介面中,建立出多個虛擬子介面,給予不同的IP與不同的相關設定。
用子介面建立Frame Relay連線有兩種模式,一種是Point to Point(點對點模式),另一種是MultiPoint(多點模式)。實體介面只設定封裝協定,不指定IP。
Router-1
S 1/0.130 10.1.1.1 130
S 1/0.120 10.1.2.1 120
Router-2
S 1/0.210 10.1.2.2 210
S 1/0.230 10.1.3.1 230
Router-3
S 1/0.310 10.1.1.2 310
S 1/0.320 10.1.3.2 320
Router-1(config)#int serial 1/0
Router-1(config-if)#encapsulation frame-relay
Router-1(config-if)#no sh
Router-1(config-if)#exit
Router-1(config)#int serial 1/0.120 point-to-point
Router-1(config-subif)#ip address 10.1.2.1 255.255.255.0
Router-1(config-subif)#frame-relay interface-dlci 120
Router-1(config-subif)#exit
Router-1(config)#int serial 1/0.130 point-to-point
Router-1(config-subif)#ip address 10.1.1.1 255.255.255.0
Router-1(config-subif)#frame-relay interface-dlci 130
Router-1(config)#do sh run
Building configuration...
!
!
interface Serial1/0
no ip address
encapsulation frame-relay
!
interface Serial1/0.120 point-to-point
ip address 10.1.2.1 255.255.255.0
frame-relay interface-dlci 120
!
interface Serial1/0.130 point-to-point
ip address 10.1.1.1 255.255.255.0
frame-relay interface-dlci 130
!
Router-1(config)#router rip (設定路由)
Router-1(config-router)#network 10.0.0.0
同方式,設定Router-2、Router-3
<多點Frame Relay連線>(多點模式)
Router(config)#int serial 1/0
Router(config-if)#encapsulation frame-relay
Router(config-if)#no sh
Router(config-if)#exit
Router(config)#int serial 1/0.2 multipoint
Router(config-subif)#ip address 10.1.1.1 255.255.255.0
Router(config-subif)#frame-relay map ip 10.1.1.3 130
Router(config-subif)#frame-relay map ip 10.1.1.2 120
Router(config-subif)#frame-relay interface-dlci 120
Router(config-subif)#frame-relay interface-dlci 130
Router(config-subif)#do sh run
Building configuration...
Current configuration : 891 bytes
!
!
interface Serial1/0
no ip address
encapsulation frame-relay
!
interface Serial1/0.2 multipoint
ip address 10.1.1.1 255.255.255.0
frame-relay map ip 10.1.1.3 130
frame-relay map ip 10.1.1.2 120
frame-relay interface-dlci 120
frame-relay interface-dlci 130
!
同方式設定,Router-2、Router-3
Frame Relay檢修指令
1.Sh Frame-Relay LMI:檢視Router介面與Frame Relay交換機LMI封裝協定與流量統計數據。
Router#sh frame-relay lmi
LMI Statistics for interface Serial1/0 (Frame Relay DTE) LMI TYPE = CISCO
Invalid Unnumbered info 0 Invalid Prot Disc 0
Invalid dummy Call Ref 0 Invalid Msg Type 0
Invalid Status Message 0 Invalid Lock Shift 0
Invalid Information ID 0 Invalid Report IE Len 0
Invalid Report Request 0 Invalid Keep IE Len 0
Num Status Enq. Sent 169 Num Status msgs Rcvd 168
Num Update Status Rcvd 0 Num Status Timeouts 16
LMI Statistics for interface Serial1/0.2 (Frame Relay DTE) LMI TYPE = CISCO
Invalid Unnumbered info 0 Invalid Prot Disc 0
Invalid dummy Call Ref 0 Invalid Msg Type 0
Invalid Status Message 0 Invalid Lock Shift 0
Invalid Information ID 0 Invalid Report IE Len 0
Invalid Report Request 0 Invalid Keep IE Len 0
Num Status Enq. Sent 0 Num Status msgs Rcvd 0
Num Update Status Rcvd 0 Num Status Timeouts 16
2.Sh Frame-Relay PVC:檢視PVC與DLCI編碼,每條PVC的連線流量統計數據。
Router#sh frame-relay pvc
PVC Statistics for interface Serial1/0 (Frame Relay DTE)
DLCI = 120, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial1/0.2
input pkts 14055 output pkts 32795 in bytes 1096228
out bytes 6216155 dropped pkts 0 in FECN pkts 0
in BECN pkts 0 out FECN pkts 0 out BECN pkts 0
in DE pkts 0 out DE pkts 0
out bcast pkts 32795 out bcast bytes 6216155
DLCI = 130, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial1/0.2
input pkts 14055 output pkts 32795 in bytes 1096228
out bytes 6216155 dropped pkts 0 in FECN pkts 0
in BECN pkts 0 out FECN pkts 0 out BECN pkts 0
in DE pkts 0 out DE pkts 0
out bcast pkts 32795 out bcast bytes 6216155
3.Sh Frame-Relay MAP:檢視IP與DLCI編碼的對應關係。
Router#sh frame-relay map
Serial1/0.2 (up): ip 10.1.1.3 dlci 130, static, CISCO, status defined, active
Serial1/0.2 (up): ip 10.1.1.2 dlci 120, static, CISCO, status defined, active
4.Debug Frame-Relay LMI:可檢視Router介面與ISP Frame Relay交換機的溝通訊息,協助我們觀察Router與交換機是否正確地交換LMI資訊。
Router#no debug frame-relay lmi
Frame Relay LMI debugging is off
Displaying all Frame Relay LMI data
Router#debug frame-relay lmi
Frame Relay LMI debugging is on
Displaying all Frame Relay LMI data
Serial1/0(out): StEnq, myseq 1, yourseen 0, DTE up
datagramstart = 0xE7829994, datagramsize = 13
FR encap = 0x00010308
00 75 51 01 00 53 02 01 00
Serial1/0(in): Status, myseq 1, pak size 21
nRT IE 1, length 1, type 0
nKA IE 3, length 2, yourseq 1 , myseq 1
nPVC IE 0x7 , length 0x6 , dlci 120, status 0x0 , bw 0
補充
PAP(Password Autherntication Protocol)密碼驗證協定
1. 使用者與認證方進行連結(PPP連接).
2. 使用者送出帳號與密碼提供系統進行身分的認證.(PAP認證)
3. 系統取得帳號與密碼並進行驗證是否正確.
4. 驗證完畢,進行Internet連線或中斷連接.
CHAP(Challenge-Handshake Authentication Protocol)查問交握(挑戰式的互握)驗證協定
1. 在連結建立階段完成之後,認證方送出Challenge(口令)信號給peer.
2. Peer用One-Way Hash函數計算出來一個值,並將值回應回去.
3. 認證方用自己所算出的值來和Peer回應的值來核對.
4. 假如資料是吻合,則Accept.反之則否,Reject.
PAP 與 CHAP的比較
PAP在Peer與Authenticator的認證作業中,提供的簡易的認證協議,這會在傳輸中暴露帳號與密碼
, 這並不符合今日網路使用上的安全連線需求
, 這容易導致使用者的帳戶資料與密碼外洩或招到第三者的惡意盜取。然而
, CHAP使用了加密的機制來進行,密碼不會出現在傳輸的過程中
, 縱使擷取封包可取得帳號
, MD5的加密仍提供了一道安全鎖
, 使CHAP在Peer與Authenticator雙方的另一個比較有安全保障的選項。
沒有留言:
張貼留言