WAN Access/Interconnect configuration and Management--2

Source: Internet
Author: User

Configure shared DCC

In shared DCC, a physical interface can belong to more than one dialer bundle and serve multiple dialer interfaces, but each dialer interface corresponds to only one destination address and uses only one dialer bundle. A dialer bundle can contain multiple physical interfaces, each with a different priority.

The physical interfaces that support shared DCC are: ADSL interface, G.SHDSL interface, VDSL interface, E1-IMA interface, WAN-side Ethernet interface, ISDN PRI interface, and ISDN BRI interface.

The main configuration tasks for shared DCC are as follows (only the first three items are required):

---Configure the link layer protocol and IP address

---Enable shared DCC and configure the association between DCC dialing ACLs and interfaces

---Configure shared DCC calls

---(optional) Configure DCC dial interface properties

---(optional) Configure DCC call MP bundling

---(optional) Configure dynamic routing backup via DCC

1) Configure the link layer protocol and IP address

This is the same as the link layer protocol configuration in circular (polling) DCC. For shared DCC, however, if the device is the calling side, the PPP-related commands must be configured under the dialer interface; it is recommended that the user also configure the same PPP-related commands under the physical dial-up interface to ensure reliable negotiation of the PPP link parameters. PPP-related commands need to be configured under the physical dial-up interface.

2) Enable shared DCC and configure DCC dialing ACLs and associations to interfaces

In shared DCC, enabling shared DCC, configuring the DCC dial ACL, and associating it with the interface can only be done under the dialer interface, not under the physical interface.


3) Configuring shared DCC Calls

When shared DCC is used for dial-on-demand, the physical interface takes on different properties depending on the dial string, so the DCC parameters must be configured on the dialer interface, and only the dialer number command can be used to call the peer's dial string. A dialer interface can be configured with only one dial string.


4) Configure DCC Dial Interface properties

The steps are the same as in table 4-6, except that they can only be configured on the dialer interface.

5) Configure DCC Call MP bundle

The steps are the same as in table 4-7.

6) Configure dynamic routing backup via DCC

The steps are the same as in table 4-8, except that they can only be configured on the dialer interface.

DCC Management

1) display dialer [ interface interface-type interface-number ]: View DCC information for a dial-up interface (a physical dial-up interface or a dialer interface), including parameters related to the dialer interface.

2) display interface dialer [ number ]: View information about the dialer interface, including its status information and statistics.

3) reset counters interface [ dialer [ number ] ]: Clear the dialer interface statistics. Once cleared, the previous statistics cannot be recovered.

If you need to take down a dial-up link temporarily, to relieve network pressure or to adjust the dial-up configuration, you can remove it manually with the dialer disconnect [ interface interface-type interface-number ] command, which can be run in any view. This command removes the dial-up link only temporarily: if automatic dialing is configured, the link is re-established when the automatic dialing time is reached; if automatic dialing is not configured, dialing is triggered again when there is a message to transmit.

PPP Configuration and Management

PPP is a link layer protocol that carries network layer packets over point-to-point links, and it is the protocol that the router's serial interface links run by default. Async interfaces, CPOS interfaces, ISDN BRI interfaces, E1-F interfaces, CE1/PRI interfaces, T1-F interfaces, CT1/PRI interfaces, 3G cellular interfaces, dialer interfaces, virtual template interfaces, and POS interfaces can all run PPP.

1. Introduction of PPP and basic working mechanism

PPP was developed on the basis of SLIP (Serial Line Internet Protocol). PPP provides user authentication, is easy to extend, and supports both synchronous and asynchronous communication, so it is widely used. Configuring PPP enables PPPoE, PPPoA, and PPPoEoA dial-up networking as well as WAN interconnection.

Compared with other link layer protocols, PPP has the following advantages:

1) At the physical layer, PPP supports both synchronous and asynchronous links, while X.25, FR, and similar protocols support only synchronous links and SLIP supports only asynchronous links;

2) PPP has good extensibility;

3) It provides LCP (Link Control Protocol), mainly used to establish, tear down, and monitor the PPP data link;

4) It provides a variety of NCPs (Network Control Protocols), such as IPCP and IPXCP, mainly used to negotiate the format and type of the packets transmitted on the data link, which gives better support for network layer protocols;

5) It provides the authentication protocols CHAP (Challenge-Handshake Authentication Protocol) and PAP (Password Authentication Protocol) for authentication in network security;

6) It has no retransmission mechanism, so network overhead is small and speed is high.

LCP, NCP, and CHAP/PAP are the three extended sub-protocols contained in PPP, and PPP's working mechanism rests on the cooperation of these three sub-protocols.

The entire PPP operation is divided into five phases: the Dead phase, the Establish (link setup) phase, the Authenticate (authentication) phase, the Network (network control negotiation) phase, and the Terminate (end) phase. A different protocol is negotiated in each phase, and the link moves on to the next phase's negotiation only after the previous negotiation has produced a result.


    1. When both parties begin to establish a PPP link, they first enter the Establish phase.

    2. In the Establish phase, the PPP link carries out LCP negotiation. The negotiated content includes options such as SP (Single-link PPP) or MP (Multilink PPP), the Maximum Receive Unit (MRU), the authentication mode, and the magic number. When LCP negotiation succeeds, LCP enters the Opened state, indicating that the underlying link has been established.

    3. If authentication is configured, the link enters the Authenticate phase and begins CHAP or PAP authentication. If no authentication is configured, it goes directly to the Network phase.

    4. In the Authenticate phase, if authentication fails, the link enters the Terminate phase, the link is removed, and the LCP status turns Down. If authentication succeeds, the link enters the Network phase, and the LCP status remains Opened.

    5. In the Network phase, the PPP link carries out NCP negotiation, which selects and configures a network layer protocol and negotiates the network layer parameters. Only after the negotiation for a given network layer protocol succeeds can that protocol send messages over this PPP link.

      NCP negotiations include IPCP (IP Control Protocol), MPLSCP (MPLS Control Protocol), and so on. IPCP negotiation mainly covers the IP addresses of both sides.

    6. After the NCP negotiation succeeds, the PPP link stays up for communication. During PPP operation the connection can be interrupted at any time: physical link disconnection, authentication failure, expiry of the time-out timer, or the administrator closing the connection through configuration can all cause the link to enter the Terminate phase.

    7. In the Terminate phase, once all resources are released, both parties return to the Dead phase and stay there until they re-establish the PPP connection and start a new PPP link establishment.

Basic architecture of PPP:

Position of PPP protocol in the protocol stack


PPP consists mainly of three types of protocol families:

    • Link Control Protocol (LCP) family, used primarily to establish, tear down, and monitor PPP data links. (This should be used primarily in the Establish and Terminate phases.)

    • Network Control Protocol (NCP) family, used primarily to negotiate the format and type of the packets transmitted over the data link. (Network phase)

    • Extended protocol family, CHAP (Challenge-Handshake Authentication Protocol) and PAP (Password Authentication Protocol), used primarily for network security authentication. (Authenticate phase)


The meanings of each field are as follows:

    • Flag field

      The Flag field identifies the start and end of a physical frame; its value is 0x7E.

    • Address field

      The Address field can uniquely identify the peer. PPP is used on point-to-point links, so two devices interconnected over PPP do not need to know each other's data link layer address. According to the protocol, this byte is filled with the all-ones broadcast address, which has no practical significance for PPP.

    • Control field

      The default value of this field is 0x03, which indicates an unnumbered frame: by default PPP does not use sequence numbers and acknowledgements for reliable transmission.

      The Address and Control fields together identify the message as a PPP message; that is, the PPP header is FF03.

    • Protocol field

      The Protocol field distinguishes the type of packet carried in the Information field of the PPP data frame.

      The content of the Protocol field must follow the ISO 3309 address extension mechanism, which stipulates that the value in the Protocol field must be odd; that is, the least significant bit of the least significant byte must be "1".

    • Information field
      The maximum length of the Information field is 1500 bytes, including the padding. This maximum length is called the Maximum Receive Unit (MRU). The default MRU is 1500 bytes, and in practice the MRU can be negotiated.
      If the Information field is not long enough, it can be padded, but padding is not required. If padding is used, both sides must be able to tell the padding apart from the information that actually needs to be transmitted before they can communicate normally.

    • FCS field
      The FCS field is mainly used to check that the PPP data frame was transmitted correctly.
      Introducing transmission guarantees into the data frame adds overhead, which may increase the latency of application-layer interactions.

If the Protocol field of a PPP data frame does not conform to the rule above, the receiver treats the data frame as unrecognized. It sends a Protocol-Reject message to the sender, with the protocol number of the rejected message filled in at the end of the message.

During the link establishment phase, PPP establishes and negotiates the link through LCP messages. The LCP message is encapsulated in the Information field of the PPP data frame as the PPP payload, and the Protocol field of the PPP data frame is fixed at 0xC021.

Throughout the link establishment phase the content of the Information field varies, and it covers many types of messages, so the messages are in turn distinguished by their own fields.

    • Code field

      The Code field is one byte long and is primarily used to identify the type of the LCP message.

      During the link establishment phase, when the receiver gets an LCP message whose Code field value is invalid, it sends an LCP Code-Reject message to the peer.

    • Identifier field

      The Identifier field is 1 byte long and is used to match requests with responses; a message whose Identifier value is invalid is discarded.

      Typically, the ID of a configuration request message starts at 0x01 and is incremented by 1. When the peer receives the configuration request, whichever message it uses to respond, the ID in the response must be the same as the ID in the message it received.

    • Length field

      The value of the Length field is the total number of bytes of the LCP message: the sum of the lengths of the Code, Identifier, Length, and Data fields.

      Bytes beyond the number indicated by the Length field are ignored as padding, and the value of the field cannot exceed the MRU.

    • Data field

      The Data field holds the content of the negotiation message, which consists of the following fields.

      • Type is the type of the negotiation option.

      • Length is the length of the negotiation option, that is, its total length in the Data field, covering Type, Length, and Data.

      • Data is the detailed content of the negotiation option.
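
The frame header and LCP packet layout described above can be decoded with a short parser. The following Python is an added example, not code from the original page; the code and option numbers come from RFC 1661, and the sample frame is constructed.

```python
import struct

LCP_PROTOCOL = 0xC021
# Code and option numbers below are from RFC 1661, not from the page.
LCP_CODES = {1: "Configure-Request", 2: "Configure-Ack", 3: "Configure-Nak",
             4: "Configure-Reject", 5: "Terminate-Request",
             6: "Terminate-Ack", 7: "Code-Reject", 8: "Protocol-Reject",
             9: "Echo-Request", 10: "Echo-Reply", 11: "Discard-Request"}
LCP_OPTIONS = {1: "MRU", 3: "Authentication-Protocol", 5: "Magic-Number"}

# Constructed sample: FF03 | C021 | Configure-Request id=1 len=19 |
# MRU=1500 | Auth=CHAP (0xC223, MD5) | Magic-Number | two padding bytes.
SAMPLE = bytes.fromhex("ff03c021" "01010013" "010405dc" "0305c22305"
                       "050612345678" "0000")


def parse_ppp(frame: bytes) -> tuple:
    """Split a PPP frame (flags and FCS already stripped) into
    (protocol, information)."""
    if len(frame) < 4 or frame[:2] != b"\xff\x03":
        raise ValueError("PPP header must start with FF 03")
    (protocol,) = struct.unpack("!H", frame[2:4])
    # Extension rule: low byte odd. RFC 1661 also requires the high byte even.
    if (protocol & 0x0001) == 0 or (protocol & 0x0100) != 0:
        raise ValueError(f"malformed protocol field 0x{protocol:04x}")
    return protocol, frame[4:]


def parse_options(data: bytes) -> list:
    """Walk the Type/Length/Data entries of a Configure-* packet."""
    options, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated option header")
        opt_type, opt_len = data[pos], data[pos + 1]
        # Length counts Type + Length + Data, so it can never be below 2;
        # rejecting smaller values also keeps this loop from stalling.
        if opt_len < 2 or pos + opt_len > len(data):
            raise ValueError(f"option {opt_type}: bad length {opt_len}")
        name = LCP_OPTIONS.get(opt_type, "unknown")
        options.append((opt_type, name, data[pos + 2:pos + opt_len]))
        pos += opt_len
    return options


def parse_lcp(info: bytes, mru: int = 1500) -> dict:
    """Decode one LCP packet taken from the Information field."""
    if len(info) < 4:
        raise ValueError("LCP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", info[:4])
    if length < 4 or length > len(info) or length > mru:
        raise ValueError(f"bad LCP length {length}")
    pkt = {"code": code, "id": ident, "length": length,
           "name": LCP_CODES.get(code),       # None: answer with Code-Reject
           "padding": len(info) - length,     # bytes past Length are ignored
           "options": []}
    if code in (1, 2, 3, 4):                  # Configure-* carry options
        pkt["options"] = parse_options(info[4:length])
    return pkt


if __name__ == "__main__":
    proto, info = parse_ppp(SAMPLE)
    assert proto == LCP_PROTOCOL
    print(parse_lcp(info))
```
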


2. Configure PPP Basic functions

Configuring the basic PPP functions means setting the interface's link layer protocol to PPP and configuring the interface's IP address. Once the basic functions are configured, a PPP link can be established. Two tasks are involved:

1) Configure PPP as the link layer protocol encapsulated on the interface

2) Configure the IP address of the interface

There are two ways to do this: configure the IP address directly on the interface, or obtain the IP address through IP address negotiation. There are two different scenarios for configuring PPP IP address negotiation:

---Configuring the device as a PPP client: If the link layer protocol encapsulated on the local device's interface is PPP and no IP address is configured, the local device can be configured as a client so that its interface accepts the IP address assigned by the peer through PPP negotiation. This approach is used mainly for accessing the Internet through an ISP.

---Configuring the device as a PPP server

As a server, a device can specify an IP address for the peer, but a local IP address pool must first be configured in the system view to define the pool's address range.




3. Configuring PAP authentication for PPP

Once the basic PPP functions are in place, the user configures PAP or CHAP authentication as needed.

1) PAP authentication: a two-way handshake authentication protocol. It sends the authentication password over the link in clear text: after the PPP link is established, the authenticated party repeatedly sends the user name and password over the link until the authentication process ends, so security is not high.

PAP authentication comes as PAP one-way authentication and PAP two-way authentication. In one-way authentication, one end is the authenticating party and the other end is the authenticated party. Two-way authentication is simply one-way authentication applied in both directions: each side acts both as authenticating party and as authenticated party.

2) CHAP authentication: a three-way handshake authentication protocol. Only the user name is transmitted on the network; the user's password is not, so security is high.

CHAP authentication comes as CHAP one-way authentication and CHAP two-way authentication:
In CHAP one-way authentication, one end is the authenticating party and the other end is the authenticated party. Two-way authentication is simply one-way authentication applied in both directions: each side acts both as authenticating party and as authenticated party.
The CHAP authentication process covers two situations: the authenticating party has a user name configured, or the authenticating party has no user name configured. Configuring a user name on the authenticating party is recommended, so that the authenticating party's user name can be confirmed.

PAP authentication must be configured on both the authenticating party (the party performing the authentication) and the authenticated party. On the authenticating party, create locally the user account information (user name and password) used to authenticate the authenticated party; on the authenticated party, configure the user account information to send, which must be exactly the same as the account information the authenticating party uses locally for authentication. Both ends must, of course, be configured with the same PPP authentication method.
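
The difference between what PAP and CHAP put on the link, as an added Python example that is not part of the original page. The packet layouts and the MD5 computation follow RFC 1334 (PAP) and RFC 1994 (CHAP); the user name, secret and router name are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample credentials (not taken from the page).
USER, SECRET = b"user1", b"constructed-secret"


def pap_request(ident: int, user: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request (code 1): user name and password as-is."""
    body = bytes([len(user)]) + user + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, ident, 4 + len(body)) + body


def read_pap_request(packet: bytes) -> tuple:
    """What any observer of the link recovers from a PAP request."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or length != len(packet):
        raise ValueError("not a well-formed PAP Authenticate-Request")
    ulen = packet[4]
    plen = packet[5 + ulen]
    return packet[5:5 + ulen], packet[6 + ulen:6 + ulen + plen]


def chap_challenge(ident: int, name: bytes, value: bytes = b"") -> bytes:
    """CHAP Challenge (code 1) from the authenticating party; the value is
    random unless one is passed in for a reproducible run."""
    value = value or os.urandom(16)
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", 1, ident, 4 + len(body)) + body


def _split(packet: bytes) -> tuple:
    """Return (code, identifier, value, name) of a Challenge or Response."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    vlen = packet[4]
    return code, ident, packet[5:5 + vlen], packet[5 + vlen:length]


def chap_response(challenge: bytes, name: bytes, secret: bytes) -> bytes:
    """CHAP Response (code 2): MD5(identifier || secret || challenge value)."""
    _code, ident, value, _peer = _split(challenge)
    digest = hashlib.md5(bytes([ident]) + secret + value).digest()
    body = bytes([len(digest)]) + digest + name
    return struct.pack("!BBH", 2, ident, 4 + len(body)) + body


def chap_verify(challenge: bytes, response: bytes, users: dict) -> bool:
    """Authenticating party: recompute the digest from its local user
    database and compare it with the one received."""
    _c, ident, value, _n = _split(challenge)
    code, rid, digest, name = _split(response)
    if code != 2 or rid != ident or name not in users:
        return False
    expected = hashlib.md5(bytes([ident]) + users[name] + value).digest()
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    print("PAP on the wire:", read_pap_request(pap_request(1, USER, SECRET)))
    ch = chap_challenge(1, b"routera")
    rsp = chap_response(ch, USER, SECRET)
    print("CHAP accepted:", chap_verify(ch, rsp, {USER: SECRET}))
    print("secret in CHAP packets:", SECRET in ch + rsp)
```

Because the digest is bound to the challenge value, a response captured from one exchange does not verify against a later challenge, which is why the authenticating party must issue a fresh random value each time.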




4. Configure CHAP authentication for PPP

When the authenticating party has a user name configured, the authenticated party can verify the authenticating party's qualification, which prevents it from connecting to an illegitimate server; that is, the authenticated party is also entitled to check that the other side is qualified to authenticate it. This is equivalent to two-way verification: not only can the authenticating party authenticate the authenticated party, the authenticated party can also verify the authenticating party. This is the basic principle of the CHAP three-way handshake. When the authenticating party has no user name configured, the CHAP authentication process is the same as the PAP authentication process.

When the authenticating party has a user name configured, the CHAP authentication steps are as shown in table 4-13. Both parties must configure an authentication user name and create a local user account for authenticating the other party, so in this case the authenticated party also confirms the authenticating party's qualification. When the authenticating party has no user name configured, the CHAP authentication steps are as shown in table 4-14; in this case the authenticating party's qualification does not need to be confirmed.

The tables listed are for CHAP one-way authentication; two-way authentication requires each side to carry out both the authenticating party's and the authenticated party's configuration from the same table.



5. Configure PPP Negotiation parameters

On the device you can also selectively configure some of the negotiation parameters. The optional configuration tasks are as follows:

1) Negotiation time-out interval

During PPP negotiation, if no reply packet is received within a certain interval, PPP resends the message; this interval is called the "time-out interval".

2) Negotiation polling time interval

This is the period at which the interface sends keepalive messages. Keepalive messages are used to monitor and maintain the link state; if the interface fails to receive keepalive messages for 5 keepalive cycles, the link is considered faulty.

3) Negotiate DNS server address

The device can negotiate DNS addresses during PPP address negotiation: it can be configured to accept the DNS address assigned by the peer, or to provide a DNS address to the peer. The two cannot be configured at the same time.


6) PPP Management

    • display this: View the PPP authentication configuration in the corresponding interface view.
    • display local-user: View the configuration of the local user.
    • reset ppp compression iphc [ interface interface-type interface-number ]: Clear the IPHC compression statistics.
    • reset ppp compression stac-lzs [ interface interface-type interface-number ]: Clear the Stac-LZS compression statistics.

7) PAP one-way authentication configuration example:


RouterA performs one-way authentication of RouterB; RouterB does not need to authenticate RouterA. PPP PAP authentication is the simplest to use: RouterA acts as the PAP authenticating party and RouterB as the PAP authenticated party.

Configuration on the authenticating party RouterA

① Configure the IP address of interface serial1/0/0 and set the encapsulated link layer protocol to PPP.


② Configure the PPP authentication mode as PAP, with System as the authentication domain name.


③ Configure the local user account and domain. Because authentication is required, a user name and password must be created locally for authentication.


④ Restart the interface to make sure the configuration takes effect.


Configuration on the authenticated party RouterB

① Configure the IP address of interface serial2/0/0 and set the encapsulated link layer protocol to PPP.


At this point, pinging 10.10.10.9 fails.

② Configure the PAP user name and password that are sent to the authenticating party RouterA for PAP authentication.


③ Restart the interface to make sure the configuration takes effect.


Test connectivity:



8) PAP two-way authentication configuration example:

The topology is the same as above. The difference is that not only should RouterA perform simple PAP authentication of RouterB, RouterB should also authenticate RouterA.

Configuration on RouterA

① Configure the IP address of interface serial/0/0 and set the encapsulated link layer protocol to PPP.


② Configure the PPP authentication mode as PAP, with System as the authentication domain name.


③ Configure the local user and domain, where the user name is consistent with the PAP authentication user name and password sent by RouterB.


④ Configure the local PAP authentication user name and password that are sent to RouterB, and restart the interface for the configuration to take effect.


Configuration on RouterB

① Configure the IP address of interface serial2/0/0 and set the encapsulated link layer protocol to PPP.


② Configure the PPP authentication mode as PAP, with System as the authentication domain.


③ Configure the local user and domain. The user name here is consistent with the PAP authentication user name and password sent by RouterA ([email protected], huawei2).


④ Configure the local PAP authentication user name and password that are sent to RouterA, and restart the interface for the configuration to take effect.


Here the authentication password that RouterB sends to RouterA was deliberately written incorrectly, and the ping was found to fail. After correcting it:


The user name must be written in full: in the test above, if [email protected] is written as User1, the ping also fails.

9) CHAP one-way authentication configuration example:

The topology is the same as above. The difference is that RouterA should perform reliable CHAP authentication of RouterB, while RouterB does not need to authenticate RouterA. It is only necessary to configure RouterA as the CHAP authenticating party and RouterB as the CHAP authenticated party.

Configuration on the authenticating party RouterA


Configuration on the authenticated party RouterB


When configuring on RouterB the CHAP user that RouterB sends to RouterA for CHAP authentication, if only the user name is configured and no password, the ping fails; after the password is configured with the ppp chap password cipher password command, the ping succeeds.

