
Given the following topology:

                Router0          Router1 (clockrate 64000)
Hostname        R1               R2
s0/0/0          172.16.2.1       172.16.2.2
netmask         255.255.255.0    255.255.255.0
function        DTE              DCE

- Configure Router0 with the given parameters.
- Configure Router1 with the given parameters.
- Demonstrate connectivity between the two routers. What type of encapsulation does the serial link use by default when two Cisco devices are connected? Demonstrate it with the output of a command. Change the HDLC encapsulation of the serial link to PPP encapsulation. Keep in mind the commands show ip interface brief and show interface s0/0/0 to check that the interfaces end up up and up at both ends.
- Which command produces output similar to the following? ________________________________________________.

Serial0/0/0 is up, line protocol is down (disabled)
  Hardware is HD64570
  Internet address is 172.16.2.1/24
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, loopback not set, keepalive set (10 sec)
  LCP Closed
  Closed: LEXCP, BRIDGECP, IPCP, CCP, CDPCP, LLC2, BACP
  Last input never, output never, output hang never

Router#show interface se0/0/0
Serial0/0/0 is up, line protocol is down (disabled)
  Hardware is HD64570
  Internet address is 172.16.2.1/24
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, loopback not set, keepalive set (10 sec)
  LCP Closed
  Closed: LEXCP, BRIDGECP, IPCP, CCP, CDPCP, LLC2, BACP
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0 (size/max/drops); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations 0/0/256 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 1158 kilobits/sec
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     1 packets input, 28 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     1 packets output, 28 bytes, 0 underruns
Router#

Security & Networking


Tips & Video Tutorials, BackTrack, Wifiway, VMware, GNS3, Cisco Routers & Switches, [ Programming ]

Thursday, June 9, 2011


Configuring PPP and CHAP

In this post we will see how to configure PPP (Point-to-Point Protocol) and CHAP (Challenge Handshake Authentication Protocol). First we need to understand what kind of connection we are building. A network diagram helps here, such as the one in the following image, which shows a basic PPP and CHAP connection.

Configuring PPP and CHAP on Router1

Router#configure terminal
Router(config)#hostname Router1
Router1(config)#username Router2 password cisco
Router1(config)#interface serial1/0
Router1(config-if)#clockrate 64000
Router1(config-if)#ip address 192.168.1.130 255.255.255.252
Router1(config-if)#encapsulation ppp
Router1(config-if)#ppp authentication chap
Router1(config-if)#no shut
Router1(config-if)#end
Router1#ping 192.168.1.129

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.129, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/72/156 ms

Configuring PPP and CHAP on Router2

Router#configure terminal
Router(config)#hostname Router2
Router2(config)#username Router1 password cisco
Router2(config)#interface serial1/0
Router2(config-if)#ip address 192.168.1.129 255.255.255.252
Router2(config-if)#encapsulation ppp
Router2(config-if)#ppp authentication chap
Router2(config-if)#no shut
Router2(config-if)#end
Router2#ping 192.168.1.130

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.130, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/46/92 ms
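Why the two username lines must carry the same password: CHAP (RFC 1994) never sends the password itself. The peer returns MD5(identifier || secret || challenge) and the authenticator recomputes that value from its own username entry. The Python sketch below is an added example, not code from the original post; the Authenticator class, the handshake helper and the user table are illustrative assumptions.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class Authenticator:
    """Authenticator side, e.g. Router1 holding 'username Router2 password cisco'."""

    def __init__(self, users: dict):
        self.users = users      # peer hostname -> shared secret (the username lines)
        self.pending = {}       # identifier -> challenge still awaiting a response

    def challenge(self, identifier: int) -> bytes:
        value = os.urandom(16)  # unpredictable and fresh for every challenge
        self.pending[identifier] = value
        return value

    def verify(self, identifier: int, peer_name: str, response: bytes) -> bool:
        value = self.pending.pop(identifier, None)   # single use: a replay finds nothing
        secret = self.users.get(peer_name)
        if value is None or secret is None:
            return False
        expected = chap_response(identifier, secret, value)
        return hmac.compare_digest(expected, response)

def handshake(auth, peer_name: str, peer_secret: bytes, identifier: int = 3) -> bool:
    """One CHALLENGE/RESPONSE round: True means SUCCESS, False means FAILURE."""
    value = auth.challenge(identifier)
    return auth.verify(identifier, peer_name, chap_response(identifier, peer_secret, value))

if __name__ == "__main__":
    router1 = Authenticator({"Router2": b"cisco"})     # hypothetical user table
    print(handshake(router1, "Router2", b"cisco"))     # True: secrets match
    print(handshake(router1, "Router2", b"Cisco"))     # False: secret differs in case
    print(handshake(router1, "RouterX", b"cisco"))     # False: no username entry
```

In the post's setup both routers run this check, which is why each one needs a username entry named after the other's hostname with an identical password. The scheme is only as strong as that shared secret, so a lab value such as cisco should be replaced with a long random one outside the lab.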

Troubleshooting PPP and CHAP

Now that PPP + CHAP is configured, we verify the PPP configuration on the configured interfaces with the show interface command, as shown below.

Verifying interface serial1/0 on Router1

Router1#show interface serial1/0
Serial1/0 is up, line protocol is up
  Hardware is M4T
  Internet address is 192.168.1.130/30
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open
  Open: IPCP, CDPCP, crc 16, loopback not set
  Keepalive set (10 sec)
  Restart-Delay is 0 secs
  Last input 00:00:25, output 00:00:00, output hang never
  Last clearing of "show interface" counters 00:04:19
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations 0/1/256 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 1158 kilobits/sec
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     31 packets input, 1988 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     33 packets output, 1419 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 output buffer failures, 0 output buffers swapped out
     1 carrier transitions DCD=up DSR=up DTR=up RTS=up CTS=up

Verifying interface serial1/0 on Router2

Router2#show interface serial1/0
Serial1/0 is up, line protocol is up
  Hardware is M4T
  Internet address is 192.168.1.129/30
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open
  Open: IPCP, CDPCP, crc 16, loopback not set
  Keepalive set (10 sec)
  Restart-Delay is 0 secs
  Last input 00:00:07, output 00:00:00, output hang never
  Last clearing of "show interface" counters 00:03:09
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations 0/1/256 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 1158 kilobits/sec
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     34 packets input, 1727 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     35 packets output, 2052 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 output buffer failures, 0 output buffers swapped out
     1 carrier transitions DCD=up DSR=up DTR=up RTS=up CTS=up

PPP debug commands

These commands are useful for showing the PPP process on the interfaces. They are also a great help when administering the network and resolving link problems. The most useful commands are the following.

Debugging PPP Authentication

The debug ppp authentication command shows the CHAP authentication process. If PPP encapsulation and authentication are configured correctly on the routers, along with the usernames and their respective passwords, the output will look similar to the following.
Router1#debug ppp authentication
PPP authentication debugging is on
Router1#
*Mar 1 00:16:42.699: Se1/0 PPP: Authorization required
*Mar 1 00:16:42.707: Se1/0 CHAP: O CHALLENGE id 3 len 28 from "Router1"
*Mar 1 00:16:42.707: Se1/0 CHAP: I CHALLENGE id 3 len 28 from "Router2"
*Mar 1 00:16:42.711: Se1/0 CHAP: I RESPONSE id 3 len 28 from "Router2"
*Mar 1 00:16:42.723: Se1/0 PPP: Sent CHAP LOGIN Request
*Mar 1 00:16:42.723: Se1/0 CHAP: Using hostname from unknown source
*Mar 1 00:16:42.727: Se1/0 CHAP: Using password from AAA
*Mar 1 00:16:42.727: Se1/0 CHAP: O RESPONSE id 3 len 28 from "Router1"
*Mar 1 00:16:42.731: Se1/0 PPP: Received LOGIN Response PASS
*Mar 1 00:16:42.735: Se1/0 PPP: Sent LCP AUTHOR Request
*Mar 1 00:16:42.739: Se1/0 PPP: Sent IPCP AUTHOR Request
*Mar 1 00:16:42.743: Se1/0 LCP: Received AAA AUTHOR Response PASS
*Mar 1 00:16:42.747: Se1/0 IPCP: Received AAA AUTHOR Response PASS
*Mar 1 00:16:42.747: Se1/0 CHAP: O SUCCESS id 3 len 4
*Mar 1 00:16:42.935: Se1/0 CHAP: I SUCCESS id 3 len 4
*Mar 1 00:16:42.939: Se1/0 PPP: Sent CDPCP AUTHOR Request
*Mar 1 00:16:42.943: Se1/0 PPP: Sent IPCP AUTHOR Request
*Mar 1 00:16:42.955: Se1/0 CDPCP: Received AAA AUTHOR Response PASS
Router1#
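Reading the CHAP lines of this debug output by hand gets tedious on a busy router. The Python parser below is an added example, not part of the original post; it extracts the verdict in each direction per interface from collected debug ppp authentication text. The function names are illustrative, and the FAILURE sample is constructed.

```python
import re

# One CHAP line of 'debug ppp authentication'; O = sent by this router, I = received.
CHAP_LINE = re.compile(
    r'(?P<intf>\S+) CHAP: (?P<dir>[IO]) (?P<type>CHALLENGE|RESPONSE|SUCCESS|FAILURE)'
    r' id \d+ len \d+(?: from "(?P<name>[^"]*)")?'
)

def chap_summary(log: str) -> dict:
    """Per interface: the peer's claimed name and the verdict in each direction.

    An outgoing SUCCESS/FAILURE is this router's verdict on the peer (peer_ok);
    an incoming one is the peer's verdict on this router (local_ok).
    """
    result = {}
    for line in log.splitlines():
        m = CHAP_LINE.search(line)
        if not m:
            continue
        entry = result.setdefault(
            m["intf"], {"peer": None, "peer_ok": None, "local_ok": None})
        if m["dir"] == "I" and m["type"] == "RESPONSE":
            entry["peer"] = m["name"]
        elif m["type"] in ("SUCCESS", "FAILURE"):
            key = "peer_ok" if m["dir"] == "O" else "local_ok"
            entry[key] = m["type"] == "SUCCESS"
    return result

def mutual_auth_ok(log: str, intf: str) -> bool:
    """True only when both directions ended in SUCCESS on the given interface."""
    entry = chap_summary(log).get(intf, {})
    return entry.get("peer_ok") is True and entry.get("local_ok") is True

# CHAP lines taken from the Router1 debug output in the post.
GOOD = '''*Mar 1 00:16:42.707: Se1/0 CHAP: O CHALLENGE id 3 len 28 from "Router1"
*Mar 1 00:16:42.707: Se1/0 CHAP: I CHALLENGE id 3 len 28 from "Router2"
*Mar 1 00:16:42.711: Se1/0 CHAP: I RESPONSE id 3 len 28 from "Router2"
*Mar 1 00:16:42.727: Se1/0 CHAP: O RESPONSE id 3 len 28 from "Router1"
*Mar 1 00:16:42.747: Se1/0 CHAP: O SUCCESS id 3 len 4
*Mar 1 00:16:42.935: Se1/0 CHAP: I SUCCESS id 3 len 4'''

# Constructed sample, not from the post: the peer's response did not verify.
BAD = '''*Mar 1 00:30:01.100: Se1/0 CHAP: O CHALLENGE id 9 len 28 from "Router1"
*Mar 1 00:30:01.104: Se1/0 CHAP: I RESPONSE id 9 len 28 from "Router2"
*Mar 1 00:30:01.108: Se1/0 CHAP: O FAILURE id 9 len 25 msg is "Authentication failed"'''

if __name__ == "__main__":
    print(chap_summary(GOOD))
    print(chap_summary(BAD))
```

A repeated outgoing FAILURE for the same peer name is worth alerting on: it means a device on the link keeps presenting a response that does not match the configured secret.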

Debug PPP Negotiation

This command shows the PPP negotiation process. Here is an example.

Router1#debug ppp negotiation
PPP protocol negotiation debugging is on
Router1#
*Mar 1 00:20:47.199: Se1/0 LCP: I CONFREQ [Open] id 5 len 15
*Mar 1 00:20:47.199: Se1/0 LCP: AuthProto CHAP (0x0305C22305)
*Mar 1 00:20:47.199: Se1/0 LCP: MagicNumber 0x011C567B (0x0506011C567B)
*Mar 1 00:20:47.203: Se1/0 CDPCP: State is Closed
*Mar 1 00:20:47.203: Se1/0 IPCP: State is Closed
*Mar 1 00:20:47.207: Se1/0 PPP: Phase is TERMINATING
*Mar 1 00:20:47.211: Se1/0 PPP: Phase is ESTABLISHING
*Mar 1 00:20:47.211: Se1/0 LCP: O CONFREQ [Open] id 8 len 15
*Mar 1 00:20:47.211: Se1/0 LCP: AuthProto CHAP (0x0305C22305)
*Mar 1 00:20:47.215: Se1/0 LCP: MagicNumber 0x001D100F (0x0506001D100F)
*Mar 1 00:20:47.215: Se1/0 LCP: O CONFACK [Open] id 5 len 15
*Mar 1 00:20:47.215: Se1/0 LCP: AuthProto CHAP (0x0305C22305)
*Mar 1 00:20:47.215: Se1/0 LCP: MagicNumber 0x011C567B (0x0506011C567B)
*Mar 1 00:20:47.219: Se1/0 IPCP: Remove route to 192.168.1.129
*Mar 1 00:20:47.223: Se1/0 LCP: I CONFACK [ACKsent] id 8 len 15
*Mar 1 00:20:47.227: Se1/0 LCP: AuthProto CHAP (0x0305C22305)
*Mar 1 00:20:47.227: Se1/0 LCP: MagicNumber 0x001D100F (0x0506001D100F)
*Mar 1 00:20:47.227: Se1/0 LCP: State is Open
*Mar 1 00:20:47.227: Se1/0 PPP: Phase is AUTHENTICATING, by both
*Mar 1 00:20:47.231: Se1/0 CHAP: O CHALLENGE id 5 len 28 from "Router1"
*Mar 1 00:20:47.231: Se1/0 CHAP: I CHALLENGE id 5 len 28 from "Router2"
*Mar 1 00:20:47.235: Se1/0 CHAP: I RESPONSE id 5 len 28 from "Router2"
*Mar 1 00:20:47.235: Se1/0 PPP: Phase is FORWARDING, Attempting Forward
*Mar 1 00:20:47.243: Se1/0 PPP: Phase is AUTHENTICATING, Unauthenticated User
*Mar 1 00:20:47.247: Se1/0 CHAP: Using hostname from unknown source
*Mar 1 00:20:47.247: Se1/0 CHAP: Using password from AAA
*Mar 1 00:20:47.247: Se1/0 CHAP: O RESPONSE id 5 len 28 from "Router1"
*Mar 1 00:20:47.251: Se1/0 PPP: Phase is FORWARDING, Attempting Forward
*Mar 1 00:20:47.255: Se1/0 PPP: Phase is AUTHENTICATING, Authenticated User
*Mar 1 00:20:47.263: Se1/0 CHAP: O SUCCESS id 5 len 4
*Mar 1 00:20:47.455: Se1/0 CHAP: I SUCCESS id 5 len 4
*Mar 1 00:20:47.459: Se1/0 PPP: Phase is UP
*Mar 1 00:20:47.459: Se1/0 IPCP: O CONFREQ [Closed] id 1 len 10
*Mar 1 00:20:47.459: Se1/0 IPCP: Address 192.168.1.130 (0x0306C0A80182)
*Mar 1 00:20:47.463: Se1/0 PPP: Process pending ncp packets
*Mar 1 00:20:47.463: Se1/0 IPCP: I CONFREQ [REQsent] id 1 len 10
*Mar 1 00:20:47.467: Se1/0 IPCP: Address 192.168.1.129 (0x0306C0A80181)
*Mar 1 00:20:47.467: Se1/0 AAA/AUTHOR/IPCP: Start. Her address 192.168.1.129, we want 0.0.0.0
*Mar 1 00:20:47.471: Se1/0 CDPCP: I CONFREQ [Closed] id 1 len 4
*Mar 1 00:20:47.479: Se1/0 AAA/AUTHOR/IPCP: Reject 192.168.1.129, using 0.0.0.0
*Mar 1 00:20:47.479: Se1/0 AAA/AUTHOR/IPCP: Done. Her address 192.168.1.129, we want 0.0.0.0
*Mar 1 00:20:47.483: Se1/0 IPCP: O CONFACK [REQsent] id 1 len 10
*Mar 1 00:20:47.483: Se1/0 IPCP: Address 192.168.1.129 (0x0306C0A80181)
*Mar 1 00:20:47.483: Se1/0 IPCP: I CONFACK [ACKsent] id 1 len 10
*Mar 1 00:20:47.483: Se1/0 IPCP: Address 192.168.1.130 (0x0306C0A80182)
*Mar 1 00:20:47.487: Se1/0 IPCP: State is Open
*Mar 1 00:20:47.487: Se1/0 CDPCP: O CONFREQ [Closed] id 1 len 4
*Mar 1 00:20:47.499: Se1/0 IPCP: Install route to 192.168.1.129
*Mar 1 00:20:47.547: Se1/0 CDPCP: I CONFACK [REQsent] id 1 len 4
*Mar 1 00:20:49.463: Se1/0 CDPCP: Timeout: State ACKrcvd
*Mar 1 00:20:49.463: Se1/0 CDPCP: O CONFREQ [ACKrcvd] id 2 len 4
*Mar 1 00:20:49.503: Se1/0 CDPCP: I CONFACK [REQsent] id 2 len 4
*Mar 1 00:20:49.527: Se1/0 CDPCP: I CONFREQ [ACKrcvd] id 2 len 4
*Mar 1 00:20:49.527: Se1/0 CDPCP: O CONFACK [ACKrcvd] id 2 len 4
*Mar 1 00:20:49.527: Se1/0 CDPCP: State is Open

The other useful commands are the following:

- debug ppp packet
- debug ppp error
- debug ppp chap

Configuring PPP and PAP on Cisco

One of the most widely used WAN protocols today is PPP, because it is an open standard and because it has many advanced features that make it a very interesting protocol. In this post I will explain how to configure it on a Cisco router without authentication, and then how to add PAP authentication in one direction and in both directions. To do so I will use an extremely simple topology: two routers connected directly over a serial link.

NOTE: if you try this in Packet Tracer or in a lab, keep in mind that one of the devices (the one with the DCE end) must have its clock rate configured. An earlier post explains the basic configuration of a Cisco router.

Configuring PPP

LaPlata# configure terminal
LaPlata(config)# interface serial 0/0/0
LaPlata(config-if)# ip address 192.168.1.1 255.255.255.252
LaPlata(config-if)# encapsulation ppp
LaPlata(config-if)# no shutdown

BuenosAires# configure terminal
BuenosAires(config)# interface serial 0/0/0
BuenosAires(config-if)# ip address 192.168.1.2 255.255.255.252
BuenosAires(config-if)# encapsulation ppp
BuenosAires(config-if)# no shutdown

As you can see, configuring PPP on a Cisco router is extremely simple. In fact, all that is needed is to change the encapsulation from HDLC (the default encapsulation on these devices) to PPP. Adding PAP authentication to this link is only slightly harder.

Authentication with PAP

Here it is necessary to keep in mind that PAP supports two cases:

- Unidirectional: one device authenticates the other, and with that the link is established. In this case, one of the two routers sends its username and password and the other expects to receive them. The latter checks the received data against what it expects: if they match, the link is established; otherwise it is rejected.
- Bidirectional: this is simply two unidirectional authentications, one for each device.

The following shows how to configure PPP with unidirectional PAP authentication, with LaPlata as the authenticator. It is assumed that PPP is already configured as shown in the previous section.

LaPlata# configure terminal
LaPlata(config)# username BSAS password 1234
LaPlata(config)# interface serial 0/0/0
LaPlata(config-if)# ppp authentication pap

BuenosAires# configure terminal
BuenosAires(config)# interface serial 0/0/0
BuenosAires(config-if)# ppp pap sent-username BSAS password 1234

With that in place, configuring bidirectional authentication is trivial. All that is needed is to tell BuenosAires that it requires PAP authentication and which username and password the other end will use; in the same way, LaPlata must be told which username and password it has to send.

BuenosAires# configure terminal
BuenosAires(config)# username LaPlata password 3456
BuenosAires(config)# interface serial 0/0/0
BuenosAires(config-if)# ppp authentication pap

LaPlata# configure terminal
LaPlata(config)# interface serial 0/0/0
LaPlata(config-if)# ppp pap sent-username LaPlata password 3456
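To check which side of a link authenticates whom, the Python sketch below reads a router configuration and reports, per interface, whether it demands authentication from the peer and whether it sends PAP credentials. It is an added example, not code from the original post; the function names are illustrative and the configuration excerpts are constructed from the unidirectional commands shown earlier. PAP carries the username and password in clear text (RFC 1334), which is why the check flags it.

```python
def ppp_auth_roles(config: str) -> dict:
    """Map each interface of a running-config to its PPP authentication posture."""
    roles, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            roles[current] = {"ppp": False, "requires": None, "sends_pap": False}
        elif not raw.startswith(" "):
            current = None                      # left the interface block
        elif current:
            line = raw.strip()
            if line == "encapsulation ppp":
                roles[current]["ppp"] = True
            elif line.startswith("ppp authentication "):
                roles[current]["requires"] = line.split()[2]   # "pap" or "chap"
            elif line.startswith("ppp pap sent-username "):
                roles[current]["sends_pap"] = True
    return roles

def findings(config: str) -> list:
    """Flag PPP links with no peer authentication or with clear-text PAP."""
    out = []
    for intf, r in ppp_auth_roles(config).items():
        if not r["ppp"]:
            continue
        if r["requires"] is None:
            out.append(f"{intf}: this side does not authenticate the peer")
        if r["requires"] == "pap" or r["sends_pap"]:
            out.append(f"{intf}: PAP sends the password in clear text, prefer CHAP")
    return out

# Constructed running-config excerpts built from the one-way PAP commands above.
LAPLATA = """username BSAS password 1234
!
interface Serial0/0/0
 ip address 192.168.1.1 255.255.255.252
 encapsulation ppp
 ppp authentication pap
!
"""
BUENOSAIRES = """interface Serial0/0/0
 ip address 192.168.1.2 255.255.255.252
 encapsulation ppp
 ppp pap sent-username BSAS password 1234
!
"""

if __name__ == "__main__":
    for name, cfg in (("LaPlata", LAPLATA), ("BuenosAires", BUENOSAIRES)):
        print(name, findings(cfg))
```

In the unidirectional setup BuenosAires gets both findings: it proves its identity to LaPlata but never verifies that the device at the other end is LaPlata.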

Summary

With what has been covered, PPP can be configured with unidirectional and bidirectional PAP authentication on Cisco devices. In a future post I will explain how to perform authentication with CHAP.
