manualshive.com logo in svg

H3C H3C SecPath F1800-A, Operation Manual, Page: 13 / 30

Share
Download
H3C H3C SecPath F1800-A Operation Manual Download Page 13

Operation Manual - Link Layer Protocol 
H3C SecPath F1800-A Firewall 

Chapter 2  PPP Configuration

 

4-11 

z

 

The requester will look for the user password based on the authenticator’s 

hostname in the received packet and its own user list. If it finds the user in the 

user list with the same name as the authenticator’s hostname, the requester 

encrypts this random packet with the packet ID, user’s key (password) by using 

the MD5 algorithm. Then it sends the generated encrypted text and its own 

hostname to the authenticator. 

z

 

The authenticator encrypts the original random packet with its locally saved 

password of requestor by using the MD5 algorithm. Then it compares the 

encryption result with the response from the requester. If both are identical, the 

“Acknowledge” response is returned; if both are different, the “Not Acknowledge” 

response is returned. 

III. PPP Operation Process 

1) 

When the physical layer is unavailable, the PPP link is in the “dead” phase. The 

link must start with and end in this phase. When the physical layer becomes 

available, the PPP link enters the “establish” phase. 

2)  LCP negotiation should be carried out on the PPP link in the “establish” phase, 

including operating mode (SP or MP), authentication mode and MTU. After LCP 

negotiation is successful, the status of LCP is “opened”, which indicates that the 

lower layer link has been established. 

3) 

If the authentication is not configured, it enters network negotiation phase. At this 

moment, the status of LCP is still “opened”, while the status of NCP changes 

from “initial” to “request-sent” and enters 5); If the authentication (the remote 

verifies the local or the local verifies the remote) is configured, it enters the 

“authenticate” phase and begins CHAP or PAP authentication and enters 4). 

4) 

If the authentication fails, it enters the “terminate” phase, the link is removed and 

LCP turns to Down. After successful authentication, the network negotiation 

phase (NCP) begins. At this time, the status of LCP is still “opened”, while the 

status of NCP is changed from “initial” to “request-sent”. 

5)  NCP negotiation supports the negotiations of IPCP and IPXCP, of which IPCP 

negotiation mainly includes the IP addresses of two parties. Network layer 

protocols are selected and configured through the NCP negotiation. The related 

network layer protocol must be negotiated successfully before this network layer 

protocol sends messages through this PPP link. 

6) 

PPP link will remain in communication status until a specific LCP or NCP frame 

closes this link or some external events take place (for example, the intervention 

of users). 

Summary of Contents for H3C SecPath F1800-A

Page 1: ...figuring PPP 4 12 2 2 1 Configuring Link Layer Protocol for Interface Encapsulation as PPP 4 12 2 2 2 Setting Polling Interval 4 12 2 2 3 Setting PPP Authentication Mode User Name and User Password 4 13 2 2 4 Configuring PPP Authentication Mode of AAA 4 15 2 2 5 Setting PPP Negotiation Parameters 4 15 2 2 6 Configuring PPP Compression 4 16 2 2 7 Configuring PPP Link Quality Monitoring 4 16 2 2 8 C...

Page 2: ... 2 1 Enabling or Disabling PPPoE 4 23 3 2 2 Setting PPPoE Parameters 4 24 3 3 Configuring PPPoE Client 4 24 3 3 1 Configuring a Dialer Interface 4 24 3 3 2 Configuring a PPPoE Session 4 25 3 3 3 Resetting or Deleting a PPPoE Session 4 26 3 4 Displaying and Debugging PPPoE 4 26 3 5 Typical Examples for Configuring PPPoE 4 27 ...

Page 3: ...ove problems can be solved by using the Transparent Bridge or LAN switch to interconnect the LANs The switch establishes a MAC PORT mapping table with the source MAC addresses of received frames For the received data frames the switch will look up their destination MAC address in the mapping table If it can find the destination MAC address the switch will send the frame only to the corresponding p...

Page 4: ...ter Figure 1 1 An example of VLAN The buildup of VLAN is not restricted by physical locations that is to say one VLAN can be within in one switch or across switches or even across routers The VLAN can be classified z Based on the port z Based on the MAC address z Based on the protocol type z Based on IP address mapping z Based on multicast z Based on the policy At present the VLAN is usually class...

Page 5: ...outers so as to extend the VLAN z The other is super trunk Namely several VLANs run on such a link The common protocol used to implement Trunk is IEEE 802 1Q dot1q is a standard protocol of IEEE It identifies the VLAN through adding a 4 byte VLAN tag to the end of the source address field in the original Ethernet packet VLANs cannot directly interconnect with each other So routers supporting VLAN ...

Page 6: ... and associated VLAN ID for the sub interface 2 In transparent mode Only high speed interfaces such as 8FE interfaces and GE interfaces support the transparent mode When configuring the relevant VLAN do as follows z Creating a VLAN and entering VLAN view z Entering VLAN interface view when a VLAN is created z Adding or deleting a port z Configuring a Trunk port 3 In composite mode Only high speed ...

Page 7: ...Do as follows in system view Table 1 2 Creating a VLAN and entering VLAN view Action Command Create a VLAN and enter VLAN view vlan vlan id Delete a VLAN undo vlan vlan id 1 2 3 Entering VLAN Interface View When a VLAN Is Created Do as follows in system view Table 1 3 Entering VLAN interface view when a VLAN is created Action Command Enter VLAN interface view when a VLAN is created interface vlani...

Page 8: ...e view Table 1 6 Configuring a Trunk port Action Command Configure a port as Trunk port and set the allowed VLAN ID on the port port trunk allow pass vlan vlan id to vlan id 1 10 all Configure a Trunk port to non trunk port and delete all the allowed VLAN IDs undo port trunk allow pass vlan vlan id to vlan id 1 10 all 1 2 6 Setting Sub interface Encapsulation Type and Related VLAN ID Do as follows...

Page 9: ...Requirements The following is a configuration example of layer 3 forwarding mode sub interface As shown in Figure 1 2 Switch 1 and Switch 2 specify the VLAN attributes of ports Thus the workstations A B C and D connected to these Switches belong to VLAN 10 or VLAN 20 It is required z The addresses of the SecPath F1800 A sub interfaces Ethernet 3 0 0 1 Ethernet 3 0 0 2 Ethernet 4 0 0 1 and Ethernet...

Page 10: ... F1800 A is configured as follows Create an Ethernet sub interface Ethernet 3 0 0 1 and enter its view SecPath system view SecPath interface ethernet 3 0 0 1 Assign the IP address to Ethernet 3 0 0 1 SecPath Ethernet3 0 0 1 ip address 1 0 0 1 255 0 0 0 Set the encapsulation type of Ethernet 3 0 0 1 and the related VLAN ID SecPath Ethernet3 0 0 1 vlan type dot1q 10 Note The encapsulation type of th...

Page 11: ...0 1 Assign the IP address to Ethernet 4 0 0 1 SecPath Ethernet4 0 0 1 ip address 3 0 0 1 255 0 0 0 Set the encapsulation of Ethernet 4 0 0 1 and the related VLAN ID SecPath Ethernet4 0 0 1 vlan type dot1q 10 Create an Ethernet sub interface Ethernet 4 0 0 2 and enter its view SecPath interface ethernet 4 0 0 2 Assign the IP address to Ethernet 4 0 0 2 SecPath Ethernet4 0 0 2 ip address 4 0 0 1 255...

Page 12: ... to negotiate parameters of network layer protocols II PPP Authentication 1 PAP authentication PAP is a 2 way handshake authentication protocol and it sends the user name and password in plain text The process of PAP authentication is as follows z The requester under authentication sends its user name and password to the authenticator z The authenticator checks if the user name exists and the pass...

Page 13: ...g mode SP or MP authentication mode and MTU After LCP negotiation is successful the status of LCP is opened which indicates that the lower layer link has been established 3 If the authentication is not configured it enters network negotiation phase At this moment the status of LCP is still opened while the status of NCP changes from initial to request sent and enters 5 If the authentication the re...

Page 14: ...tion and accounting parameter of PPP Optional PPP configuration includes z Setting PPP negotiation parameters z Configuring PPP compression algorithm z Configuring PPP link quality monitoring z Configuring callback z Configuring dialing string needed for the SecPath F1800 A callback z Configuring DNS server address negotiation z Configuring VJ TCP header compression 2 2 1 Configuring Link Layer Pr...

Page 15: ...peer in CHAP and PAP modes Action Command Configure the local device to support both CHAP and PAP modes ppp authentication mode chap pap Remove CHAP and PAP negotiation modes undo ppp authentication mode After configuration the local device authenticates the peer in CHAP negotiation first If the remote does not support CHAP the local device then authenticates the peer in PAP negotiation CHAP and P...

Page 16: ... PAP Mode Table 2 6 Configuring the peer to authenticate the local device in PAP mode Action Command Set PAP user name and password sent by the local when the peer authenticates the local in PAP mode ppp pap local user user name password simple cipher password Delete the user name and password sent during authentication in PAP mode undo ppp pap local user V Configuring the Peer to Authenticate the...

Page 17: ...authentication mode chap pap pap call in For PPP authentication method of AAA refer to the 06 Security Defence Operation module in this manual After the above configuration basic PPP configuration is completed You can configure the following advanced configuration as required 2 2 5 Setting PPP Negotiation Parameters The following PPP negotiation parameters can be set z Interval between negotiation...

Page 18: ...interface undo ppp compression stac lzs Allow the IPHC compression on an interface ppp compression iphc nonstandard rtp connections rtp connections tcp connections tcp connections Disable the IPHC compression on an interface undo ppp compression iphc rtp connections tcp connections 2 2 7 Configuring PPP Link Quality Monitoring PPP link quality monitoring can monitor the PPP link quality including ...

Page 19: ...uality in every ten LQR packets The link will not be resumed unless the calculation results of link quality are qualified for three consecutive times Therefore the link can only be resumed after at least 30 polling intervals when it is disabled If the polling interval is set too long it may cause the link fails to resume for a long time 2 2 8 Configuring Callback Do as follows in interface view Ta...

Page 20: ...imary dns address secondary dns address Remove the DNS address configuration undo ppp ipcp dns primary dns address secondary dns address admit any By default DNS address negotiation is denied Currently only the firewall can serve as DNS address negotiation server 2 2 11 Configuring VJ TCP Header Compression Van Jacobson TCP Header Compression VJ TCP Header Compression is a kind of compression algo...

Page 21: ...e for Configuring PPP 2 4 1 PAP Authentication Example I Networking Requirement As shown in Figure 2 2 the SecPath F1800 A and the router are interconnected through the Serial 3 0 0 and the SecPath F1800 A is required to authenticate the router in PAP mode II Networking Diagram SecPath Serial3 0 0 Router Serial3 0 0 Figure 2 2 Networking diagram of PAP and CHAP authentication III Configuration Pro...

Page 22: ...mode chap 2 Configuring the router SecPath aaa local user SecPath1 password simple hello SecPath aaa quit SecPath interface serial 3 0 0 SecPath Serial3 0 0 ppp chap user SecPath2 2 5 Troubleshooting PPP Fault 1 Link always fails to turn to the Up status Analysis PPP authentication parameters are likely to be set incorrectly As a result PPP authentication fails Troubleshooting 1 Debug PPP and it i...

Page 23: ...e DOWN Link layer protocol current state DOWN 2 The interface is activated but link negotiation is not successful Serial3 1 0 current state UP Link layer protocol current state DOWN 3 The link negotiation that is the LCP negotiation on this interface succeeds Serial3 1 0 current state UP Link layer protocol current state UP ...

Page 24: ...rent from PPP the discovery phase of PPPoE creates a Client Server relationship rather than the peer relationship created by PPP During the discovery phase a host client can discover an access concentrator server After the discovery phase the host and the concentrator can establish PPPoE session through the MAC address and session ID z The PPP Session phase At the beginning of the PPP session phas...

Page 25: ...ealized without installing PPPoE client dialing software by the user 3 2 PPPoE Server Configuration The configuration of PPPoE server includes z Enabling or disabling PPPoE z Setting PPPoE parameters 3 2 1 Enabling or Disabling PPPoE These commands take effect only on Ethernet interfaces Namely when the PPPoE server is enabled on one Ethernet interface it is not enabled on other Ethernet interface...

Page 26: ...um number of PPPoE sessions that could be set up on a local MAC address pppoe server max sessions local mac number Restore the default value of the maximum number of PPPoE sessions that could be set up on a local MAC address undo pppoe server max sessions local mac Set the maximum number of PPPoE sessions that could be set up the on local system pppoe server max sessions total number Restore the d...

Page 27: ...p on an interface dialer group group number As required such parameters as PPP authentication may also be configured on a Dialer interface 3 3 2 Configuring a PPPoE Session Do as follows in Ethernet interface view Table 3 4 Configuring a PPPoE session Action Command Configure a PPPoE in session permanently on line mode pppoe client dial bundle number number no hostuniq Configure a PPPoE session in...

Page 28: ...orarily terminates a PPPoE session while the latter permanently deletes a PPPoE session z When a PPPoE session works in permanent on line mode if it is terminated by the reset pppoe client command the router will automatically re create a PPPoE session later z When a PPPoE session works in packet triggering mode if it is terminated by the reset pppoe client command the router will re create a PPPo...

Page 29: ...t through Ethernet 1 0 0 and the Internet through Ethernet 3 0 0 Internet Host Host SecPath Ethernet1 0 0 Ethernet3 0 0 Figure 3 2 PPPoE networking diagram III Configuration Procedure Add a PPPoE user SecPath aaa local user testuser password simple testpwd Set PPPoE parameters on the SecPath F1800 A SecPath interface ethernet 1 0 0 SecPath Ethernet1 0 0 pppoe server bind virtual template 1 Set vir...

Page 30: ...stuser and testpwd respectively is set on hosts every host on the Ethernet can use PPPoE to access the Internet through the SecPath F1800 A After the above parameters are set such parameters as AAA or RADIUS can still be set on the SecPath F1800 A Thus the SecPath F1800 A can achieve charging For configuration procedures in detail refer to the part 06 Security Defence Operation 4 ...

Reviews:

No comments