Module 3: PPP 
  
3.1 Serial Point-to-Point Links 
   
3.1.1 Introduction to serial communication 

WAN technologies are based on serial transmission at the physical layer. This means that the bits of a frame are transmitted one at a time over the physical medium.

The bits that make up the Layer 2 frame are signaled one at a time by physical layer processes onto the physical medium. The signaling methods include Nonreturn to Zero Level (NRZ-L), High Density Binary 3 (HDB3), and Alternative Mark Inversion (AMI). These are examples of physical layer encoding standards, similar to Manchester encoding for Ethernet. Among other things, these signaling methods differentiate between one serial communication method and another. Some of the many different serial communications standards are as follows:

3.1.2 Time-division multiplexing 

In TDM, the output timeslot is always present whether or not the TDM input has any information to transmit. TDM output can be compared to a train with 32 railroad cars. Each is owned by a different freight company and every day the train leaves with the 32 cars attached. If one of the companies has product to send, the car is loaded. If the company has nothing to send, the car remains empty, but it is still part of the train.

TDM is a physical layer concept; it has no regard for the nature of the information being multiplexed onto the output channel, and it is independent of the Layer 2 protocol used by the input channels.

One TDM example is Integrated Services Digital Network (ISDN). ISDN Basic Rate Interface (BRI) has three channels: two 64 kbps B-channels (B1 and B2) and a 16 kbps D-channel. The TDM frame has nine timeslots, which repeat continuously.

3.1.3 Demarcation point 

The demarcation point, or "demarc" as it is commonly known, is the point in the network where the responsibility of the service provider or "telco" ends. In the United States, a telco provides the local loop into the customer premises and the customer provides the active equipment such as the channel service unit/data service unit (CSU/DSU) on which the local loop is terminated. This termination often occurs in a telecommunications closet and the customer is responsible for maintaining, replacing, or repairing the equipment.

In other countries around the world, the network terminating unit (NTU) is provided and managed by the telco. This allows the telco to actively manage and troubleshoot the local loop with the demarcation point occurring after the NTU. The customer connects a customer premises equipment (CPE) device, such as a router or frame relay access device, into the NTU using a V.35 or RS-232 serial interface.

3.1.4 DTE/DCE 

A serial connection has a data terminal equipment (DTE) device at one end of the connection and a data communications equipment (DCE) device at the other end. The connection between the two DCEs is the WAN service provider transmission network. The CPE, which is generally a router, is the DTE; the DCE, typically a CSU/DSU or modem, terminates the local loop and provides the clocking for the link.

3.1.5 HDLC encapsulation 

In 1979, the ISO agreed on HDLC as a standard bit-oriented data link layer protocol that encapsulates data on synchronous serial data links. This standardization led to other committees adopting it and extending the protocol. Since 1981, ITU-T has developed a series of HDLC derivative protocols. The following examples of derivative protocols are called link access protocols:

HDLC uses synchronous serial transmission and provides error-controlled communication between two points. HDLC defines a Layer 2 framing structure that allows for flow control and error control through acknowledgments and a windowing scheme. Every frame has the same format, whether it is a data frame or a control frame.

Standard HDLC does not inherently support multiple protocols on a single link, as it does not have a way to indicate which protocol is being carried. Cisco offers a proprietary version of HDLC. The Cisco HDLC frame uses a proprietary 'type' field that acts as a protocol field. This field enables multiple network layer protocols to share the same serial link. HDLC is the default Layer 2 protocol for Cisco router serial interfaces.

3.1.6 Configuring HDLC encapsulation 

The default encapsulation method used by Cisco devices on synchronous serial lines is Cisco HDLC. If the serial interface is configured with another encapsulation protocol, and the encapsulation must be changed back to HDLC, enter the interface configuration mode of the serial interface. Then enter the encapsulation hdlc command to specify the encapsulation protocol on the interface.

Cisco HDLC is a point-to-point protocol that can be used on leased lines between two Cisco devices. When communicating with a non-Cisco device, synchronous PPP is a more viable option.

3.1.7 Troubleshooting a serial interface 

The output of the show interfaces serial command displays information specific to serial interfaces. When HDLC is configured, "Encapsulation HDLC" should be reflected in the output. When PPP is configured, "Encapsulation PPP" should be seen in the output.

Five possible problem states can be identified in the interface status line of the show interfaces serial display:

The show controllers command is another important diagnostic tool when troubleshooting serial lines. The show controllers output indicates the state of the interface channels and whether a cable is attached to the interface. In the Figure, serial interface 0/0 has a V.35 DTE cable attached. The command syntax varies depending on the platform. For serial interfaces on Cisco 7000 series routers, use the show controllers cbus command.

If the electrical interface output is shown as UNKNOWN, instead of V.35, EIA/TIA-449, or some other electrical interface type, an improperly connected cable is the likely problem. A problem with the internal wiring of the card is also possible. If the electrical interface is unknown, the corresponding display for the show interfaces serial <X> command will show that the interface and line protocol are down.

The following are some debug commands that are useful when troubleshooting serial and WAN problems:

3.2 PPP Authentication 
   
3.2.1 PPP layered architecture 

PPP uses a layered architecture. It provides a method for encapsulating multi-protocol datagrams over a point-to-point link, and it uses a data link layer protocol to establish and test the connection. PPP is therefore made up of two sub-protocols:

PPP can be configured on the following types of physical interfaces:

PPP uses the Link Control Protocol (LCP) to negotiate and set up control options on the WAN data link. LCP sits on top of the physical layer and is used to establish, configure, and test the data-link connection.

PPP also uses LCP to automatically agree upon encapsulation format options such as:

LCP will also do the following:

PPP permits multiple network layer protocols to operate on the same communications link. For every network layer protocol used, a separate Network Control Protocol (NCP) is provided. For example, Internet Protocol (IP) uses the IP Control Protocol (IPCP), and Internetwork Packet Exchange (IPX) uses the Novell IPX Control Protocol (IPXCP). NCPs include functional fields containing standardized codes to indicate the network layer protocol type that PPP encapsulates.

The fields of a PPP frame are as follows:
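
The frame and protocol-field demultiplexing described above, as an added example that is not code from the original module or from Cisco IOS. The field layout (Flag, Address, Control, Protocol, Data, FCS) and the FCS-16 computation are taken from RFC 1661 and RFC 1662; the payload bytes are constructed for the demonstration, and the octet stuffing used on asynchronous links is omitted.

```python
"""Build and check a PPP frame in HDLC-like framing (RFC 1662).

Added example, not code from the original module. The frame layout
(Flag, Address, Control, Protocol, Data, FCS) and the FCS-16 algorithm
come from RFC 1661/1662; the payload bytes used below are constructed.
Byte stuffing of 0x7E/0x7D on asynchronous links is omitted.
"""
import struct

FLAG, ADDRESS, CONTROL = 0x7E, 0xFF, 0x03

# Protocol field values PPP uses to tell network and control protocols apart
PROTOCOLS = {
    0x0021: "IP",
    0x8021: "IPCP",   # the NCP for IP
    0xC021: "LCP",
    0xC023: "PAP",
    0xC223: "CHAP",
}


def _make_fcs_table():
    # CRC-16 with generator x^16 + x^12 + x^5 + 1, bit-reflected form 0x8408
    table = []
    for i in range(256):
        v = i
        for _ in range(8):
            v = (v >> 1) ^ 0x8408 if v & 1 else v >> 1
        table.append(v)
    return table


_FCSTAB = _make_fcs_table()
PPPINITFCS16 = 0xFFFF   # initial register value
PPPGOODFCS16 = 0xF0B8   # register value after a correct frame plus its FCS


def pppfcs16(data: bytes, fcs: int = PPPINITFCS16) -> int:
    """Run the FCS-16 register over data (RFC 1662, Appendix C)."""
    for b in data:
        fcs = (fcs >> 8) ^ _FCSTAB[(fcs ^ b) & 0xFF]
    return fcs


def build_frame(protocol: int, payload: bytes) -> bytes:
    """Sender: Address, Control, Protocol, Data, then the complemented FCS."""
    body = struct.pack(">BBH", ADDRESS, CONTROL, protocol) + payload
    fcs = pppfcs16(body) ^ 0xFFFF                  # ones' complement of the register
    return bytes([FLAG]) + body + struct.pack("<H", fcs) + bytes([FLAG])  # FCS low byte first


def fcs_ok(frame: bytes) -> bool:
    """Receiver check: the register over body+FCS must land on PPPGOODFCS16."""
    return pppfcs16(frame[1:-1]) == PPPGOODFCS16


def parse_frame(frame: bytes) -> dict:
    """Validate framing and FCS, then demultiplex on the Protocol field."""
    if len(frame) < 8 or frame[0] != FLAG or frame[-1] != FLAG:
        raise ValueError("missing flag or frame too short")
    if not fcs_ok(frame):
        raise ValueError("FCS mismatch: frame was corrupted on the link")
    address, control, protocol = struct.unpack(">BBH", frame[1:5])
    if address != ADDRESS or control != CONTROL:
        raise ValueError("unexpected address/control field")
    return {
        "protocol": protocol,
        "name": PROTOCOLS.get(protocol, "unknown"),
        "payload": frame[5:-3],
    }


if __name__ == "__main__":
    # Constructed sample: the start of an IP datagram carried over PPP
    frame = build_frame(0x0021, b"\x45\x00\x00\x14")
    print(parse_frame(frame))
    damaged = bytearray(frame)
    damaged[6] ^= 0x01                              # flip one payload bit
    print("damaged frame accepted:", fcs_ok(bytes(damaged)))
```

The FCS only detects transmission errors; it is not an integrity check against an attacker, who can simply recompute it. Authentication of the peer is the job of the PAP/CHAP exchange carried in protocol 0xC023/0xC223, not of the framing.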

3.2.2 Establishing a PPP session 

PPP session establishment progresses through three phases. These phases are link establishment, authentication, and the network layer protocol phase. LCP frames are used to accomplish the work of each of the LCP phases. The following three classes of LCP frames are used in a PPP session:

The three PPP session establishment phases are:

The PPP link remains configured for communications until either of the following:

3.2.3 PPP authentication protocols 

The authentication phase of a PPP session is optional. After the link has been established and the authentication protocol chosen, the peer can be authenticated. If it is used, authentication takes place before the network layer protocol configuration phase begins.

The authentication options require that the calling side of the link enter authentication information. This helps to ensure that the user has the permission of the network administrator to make the call. Peer routers exchange authentication messages.

When configuring PPP authentication, the network administrator can select Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP). In general, CHAP is the preferred protocol, because it never sends the password across the link.

3.2.4 Password Authentication Protocol (PAP) 

PAP provides a simple method for a remote node to establish its identity, using a two-way handshake. After the PPP link establishment phase is complete, a username/password pair is repeatedly sent by the remote node across the link until authentication is acknowledged or the connection is terminated.

PAP is not a strong authentication protocol. Passwords are sent across the link in clear text, and there is no protection against replay (playback) or repeated trial-and-error attacks. The remote node controls the frequency and timing of the login attempts.

3.2.5 Challenge Handshake Authentication Protocol (CHAP) 

CHAP is used at the startup of a link and periodically verifies the identity of the remote node using a three-way handshake. CHAP is performed upon initial link establishment and is repeated during the time the link is established.

After the PPP link establishment phase is complete, the local router sends a "challenge" message to the remote node. The remote node responds with a value calculated using a one-way hash function, typically Message Digest 5 (MD5), over the challenge identifier, the shared secret (password), and the challenge value. The local router computes the same hash from its own copy of the secret and compares it with the response. If the values match, the authentication is acknowledged; otherwise the connection is immediately terminated. The secret itself is never sent across the link.

CHAP provides protection against replay (playback) attacks through the use of a variable challenge value that is unique and unpredictable. Since the challenge is unique and random, the resulting hash value is also unique and random, so a response captured from one exchange is useless against a later challenge. Repeated challenges are intended to limit the time of exposure to any single attack. The local router or a third-party authentication server controls the frequency and timing of the challenges. Because the authenticator must recompute the hash, both routers must hold the shared secret in a recoverable form.
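
The two exchanges from 3.2.4 and 3.2.5 side by side, as an added example that is not code from the original module or from Cisco IOS: a PAP Authenticate-Request decoded from the wire to show the clear-text password, and a CHAP challenge/response whose captured response fails against a later challenge. Packet layouts follow RFC 1334 (PAP) and RFC 1994 (CHAP with MD5); the hostnames, secrets and "captured" packets are constructed for the demonstration.

```python
"""PAP versus CHAP on a PPP link, built from the packet bytes.

Added example, not code from the original module or from Cisco IOS.
Hostnames, passwords and the "captured" packets are constructed here;
packet layouts follow RFC 1334 (PAP) and RFC 1994 (CHAP, MD5 algorithm).
"""
import hashlib
import hmac
import os
import struct

# ---- PAP (RFC 1334): Authenticate-Request = Code 1 | Identifier | Length |
#      Peer-ID-Length | Peer-ID | Passwd-Length | Password
PAP_AUTH_REQ = 1


def pap_request(identifier: int, peer_id: str, password: str) -> bytes:
    pid, pw = peer_id.encode(), password.encode()
    body = bytes([len(pid)]) + pid + bytes([len(pw)]) + pw
    return struct.pack(">BBH", PAP_AUTH_REQ, identifier, 4 + len(body)) + body


def sniff_pap_password(packet: bytes) -> tuple:
    """What a passive tap on the link learns from a single PAP request."""
    code, _ident, length = struct.unpack(">BBH", packet[:4])
    if code != PAP_AUTH_REQ or length != len(packet):
        raise ValueError("not a PAP Authenticate-Request")
    pid_len = packet[4]
    peer_id = packet[5:5 + pid_len]
    pw_len = packet[5 + pid_len]
    password = packet[6 + pid_len:6 + pid_len + pw_len]
    return peer_id.decode(), password.decode()


# ---- CHAP (RFC 1994): Code | Identifier | Length | Value-Size | Value | Name
CHAP_CHALLENGE, CHAP_RESPONSE = 1, 2


def _chap_packet(code: int, identifier: int, value: bytes, name: str) -> bytes:
    body = bytes([len(value)]) + value + name.encode()
    return struct.pack(">BBH", code, identifier, 4 + len(body)) + body


def _chap_unpack(packet: bytes) -> tuple:
    code, identifier, length = struct.unpack(">BBH", packet[:4])
    if length != len(packet):
        raise ValueError("bad CHAP length")
    size = packet[4]
    return code, identifier, packet[5:5 + size], packet[5 + size:].decode()


def _chap_hash(identifier: int, secret: str, challenge: bytes) -> bytes:
    # Response Value = MD5(Identifier || secret || Challenge Value), as RFC 1994 specifies
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def chap_challenge(identifier: int, my_name: str, size: int = 16) -> bytes:
    """Authenticator: a fresh random value each time, so responses cannot be replayed."""
    return _chap_packet(CHAP_CHALLENGE, identifier, os.urandom(size), my_name)


def chap_response(challenge_pkt: bytes, my_name: str, secret: str) -> bytes:
    """Peer: prove knowledge of the secret without putting it on the wire."""
    code, identifier, value, _peer = _chap_unpack(challenge_pkt)
    if code != CHAP_CHALLENGE:
        raise ValueError("not a CHAP Challenge")
    return _chap_packet(CHAP_RESPONSE, identifier,
                        _chap_hash(identifier, secret, value), my_name)


def chap_verify(challenge_pkt: bytes, response_pkt: bytes, secrets: dict) -> bool:
    """Authenticator: recompute the hash from its own copy of the peer's secret.

    secrets maps the peer's Name (the other router's hostname) to the shared
    secret, which is why the secret must be stored in recoverable form.
    """
    c_code, c_id, c_value, _ = _chap_unpack(challenge_pkt)
    r_code, r_id, r_value, peer_name = _chap_unpack(response_pkt)
    if c_code != CHAP_CHALLENGE or r_code != CHAP_RESPONSE or c_id != r_id:
        return False
    secret = secrets.get(peer_name)
    if secret is None:
        return False
    return hmac.compare_digest(_chap_hash(c_id, secret, c_value), r_value)


def replay_demo() -> tuple:
    """Returns (fresh response accepted, captured response replayed later accepted)."""
    secrets = {"Dublin": "s3cret"}             # Washington's copy of Dublin's secret (constructed)
    first = chap_challenge(7, "Washington")
    captured = chap_response(first, "Dublin", "s3cret")
    accepted = chap_verify(first, captured, secrets)
    later = chap_challenge(7, "Washington")    # same Identifier, different random value
    replayed = chap_verify(later, captured, secrets)
    return accepted, replayed


if __name__ == "__main__":
    print("PAP on the wire:", sniff_pap_password(pap_request(1, "Dublin", "cisco")))
    print("CHAP fresh/replayed:", replay_demo())
```

The contrast is the whole point: the PAP password is recoverable from a single captured packet, while the CHAP response is a hash bound to a challenge value that is never reused. MD5 appears because RFC 1994 specifies it, not as a recommendation; the security of CHAP rests on the secret never leaving either router and on the challenge being unpredictable.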

3.2.6 PPP encapsulation and authentication process  

When the encapsulation ppp command is used, either PAP or CHAP authentication can be optionally added. If no authentication is specified the PPP session starts immediately. If authentication is required the process proceeds through the following steps:

The Figure and its corresponding Figure detail the CHAP authentication process.

3.3 Configuring PPP 
   
3.3.1 Introduction to configuring PPP 

Configurable aspects of PPP include methods of authentication, compression, error detection, and whether or not multilink is supported. The following section describes the different configuration options for PPP.

Cisco routers that use PPP encapsulation may include the LCP configuration options described in Figure .

3.3.2 Configuring PPP 

The following example enables PPP encapsulation on serial interface 0/0:

Router#configure terminal

Router(config)#interface serial 0/0

Router(config-if)#encapsulation ppp

Point-to-point software compression can be configured on serial interfaces that use PPP encapsulation. Compression is performed in software and might significantly affect system performance. Compression is not recommended if most of the traffic consists of compressed files.

To configure compression over PPP, enter the following commands:

Router(config)#interface serial 0/0

Router(config-if)#encapsulation ppp

Router(config-if)#compress [predictor | stac]

Enter the following to monitor the data dropped on the link, and avoid frame looping:

Router(config)#interface serial 0/0

Router(config-if)#encapsulation ppp

Router(config-if)#ppp quality percentage

The following commands perform load balancing across multiple links:

Router(config)#interface serial 0/0

Router(config-if)#encapsulation ppp

Router(config-if)#ppp multilink

Lab Exercise: Configuring PPP Encapsulation

In this lab, the student will configure a serial interface on the Washington and Dublin routers with the PPP protocol.

3.3.3 Configuring PPP authentication 

The procedure outlined in the table describes how to configure PPP encapsulation and PAP/CHAP authentication protocols.

Figure is an example of a two-way PAP authentication configuration. Both routers authenticate and are authenticated, so the PAP authentication commands mirror each other. The PAP username and password that each router sends must match those specified with the username name password password command on the other router.

PAP provides a simple method for a remote node to establish its identity using a two-way handshake. This is done only upon initial link establishment. The hostname on one router must match the username the other router has configured. The passwords must also match.

CHAP is used to periodically verify the identity of the remote node using a three-way handshake. The hostname on one router must match the username the other router has configured. The passwords must also match. This is done upon initial link establishment and can be repeated any time after the link has been established.

Lab Exercise: Configuring PPP Authentication

In this lab, the student will configure a serial interface on the Madrid and Tokyo routers.

 

3.3.4 Verifying the serial PPP encapsulation configuration 

Use the show interfaces serial command to verify proper configuration of HDLC or PPP encapsulation. The command output in Figure illustrates a PPP configuration. When high-level data link control (HDLC) is configured, "Encapsulation HDLC" should be reflected in the output of the show interfaces serial command. When PPP is configured, its Link Control Protocol (LCP) and Network Control Protocol (NCP) states can be checked using the show interfaces serial command.

Figure lists commands used when enabling, configuring, and verifying PPP.

Lab Exercise: Verifying PPP Configuration

In this lab, the student will configure a serial interface on the Brasilia and Warsaw routers with the PPP protocol.

 

3.3.5 Troubleshooting the serial encapsulation configuration 

The debug ppp authentication command displays the authentication exchange sequence. Figure illustrates the Left router output during CHAP authentication with the router on the right when debug ppp authentication is enabled. With two-way authentication configured, each router authenticates the other. Messages appear for both the authenticating process and the process of being authenticated. Use the debug ppp authentication command to display the exchange sequence as it occurs.

Figure highlights router output for a two-way PAP authentication.

The debug ppp command is used to display information about the operation of PPP. The no form of this command disables debugging output.

Router#debug ppp {authentication | packet | negotiation | error | chap}

Router#no debug ppp {authentication | packet | negotiation | error | chap}

Lab Exercise: Troubleshooting PPP Configuration

In this lab, the student will configure a serial interface on the London and Paris routers and troubleshoot the connection.
