周末的时候翻出来了一台Cisco 871W 路由器,为了榨干闲置设备的每一份能力,我用这个设备替代了家里的一台家用级小路由器实现了PPPoE 接IPv4 + Tunnel Broker方式接入 IPv6 + 多SSID WiFi。
本文记录的是这个小方案的第一部分,实现PPPoE拨号(以及对PPPoE过程的一些研究),后续几天空闲时再继续写后面的部分。
871W是一台相对老的路由器(已经停售),但是本文中用的软件是相对比较新的IOS15.1,配置命令对其他使用IOS15的ISR路由器可以作为参照。
➡ *本文(以及本blog中其他正文部分文字)涉及内容仅代表个人,与公司及日常工作完全无关。
总体想要达到的目标
- PPPoE拨号连接到Internet (本文)
- 保证IPv4 到互联网的连通 (对内网做DHCP,在出口做NAT) (已实现,待续)
- 多SSID 提供WiFi接入,以便将家里的实验设备和日常设备分开 (已实现,待续)
- 通过tunnel broker实现IPv6接入, 包括WiFi也要有IPv6支持 (已实现,待续)
- 对IPv6 提供基本的安全保护,禁止外界访问内部的IPv6地址 (已实现,待续)
- 其他企业级设备能支持但是家用级设备不支持的功能…… (待开发……)
使用的设备
Cisco ISR 871W 路由器,软件版本Cisco IOS Software 15.1(4)M8
拓扑及连线
非常简单,就不画图了,871W上的Fa4 (WAN口)连接 ONU的一个以太口,Fa0口连接家里的PC。
设备配置
用ISR路由器实现PPPoE拨号
注意:我用的ISP服务是包月的,因此完全没有考虑“不用时”自动断线的问题。
参考Configuring PPP over Ethernet with NAT,但是由于我使用的IOS是15.1版,因此命令有些细微却别,比如我完全没有做vpdn-group那部分。
配置如下,Fa4口为WAN口连光猫(ONU):
interface FastEthernet4 no ip address duplex auto speed auto pppoe-client dial-pool-number 1 dial-on-demand no cdp enable ! interface Dialer0 ip address negotiated ip mtu 1492 encapsulation ppp dialer pool 1 dialer-group 1 ppp pap sent-username <username> password 0 <mypassword> no cdp enable !
上面配置是通过pap方式发送PPPoE的用户名密码,实测北京联通的光纤接入可用。用chap方式倒是不行,推测应与ISP那端的设置有关(后面通过debug命令得到了证实)。
接通之后执行”show interface dialer 0″可以up/up状态,并能看到获取的IP。
jsr#show int dialer 0 Dialer0 is up, line protocol is up (spoofing) Hardware is Unknown Internet address is <some ip>/32 ……
对PPPoE更多的一些探索及debug命令
如果好奇PPP的认证过程,可以试试看”debug ppp authentication“命令,想看看PPP的协商过程可以用”debug ppp negotiation”。
注意:生产网慎用debug命令,自己自学(折腾)就多看看debug命令的输出吧…… LCP和NCP (IPCP)到底都做了些什么,在debug的输出里面看的很清楚。
有两篇文档可以作为辅助,以便更容易的读懂debug的输出:
执行”clear ppp all”命令可以强制打断并重建PPPoE连接。
首先想看看研究一下为啥chap失败,执行debug ppp negotitation之后再执行”clear ppp all”得到了一堆的输出,摘录一段在这里:
.May 6 16:21:06.558: PPP: Alloc Context [851CAE40] .May 6 16:21:06.558: ppp96 PPP: Phase is ESTABLISHING .May 6 16:21:06.558: Vi1 PPP: Using dialer call direction .May 6 16:21:06.558: Vi1 PPP: Treating connection as a callout .May 6 16:21:06.558: Vi1 PPP: Session handle[FE000022] Session id[96] .May 6 16:21:06.558: Vi1 LCP: Event[OPEN] State[Initial to Starting] .May 6 16:21:06.558: Vi1 LCP: O CONFREQ [Starting] id 1 len 15 .May 6 16:21:06.558: Vi1 LCP: AuthProto CHAP (0x0305C22305) .May 6 16:21:06.558: Vi1 LCP: MagicNumber 0x2C9EB206 (0x05062C9EB206) .May 6 16:21:06.562: Vi1 LCP: Event[UP] State[Starting to REQsent] .May 6 16:21:06.586: Vi1 LCP: I CONFREQ [REQsent] id 1 len 10 .May 6 16:21:06.586: Vi1 LCP: MagicNumber 0xB43B2631 (0x0506B43B2631) .May 6 16:21:06.586: Vi1 LCP: O CONFACK [REQsent] id 1 len 10 .May 6 16:21:06.586: Vi1 LCP: MagicNumber 0xB43B2631 (0x0506B43B2631) .May 6 16:21:06.586: Vi1 LCP: Event[Receive ConfReq+] State[REQsent to ACKsent] .May 6 16:21:06.586: Vi1 LCP: I CONFREJ [ACKsent] id 1 len 9 .May 6 16:21:06.586: Vi1 LCP: AuthProto CHAP (0x0305C22305) .May 6 16:21:06.586: Vi1 LCP: O CONFREQ [ACKsent] id 2 len 15 .May 6 16:21:06.586: Vi1 LCP: AuthProto CHAP (0x0305C22305) .May 6 16:21:06.586: Vi1 LCP: MagicNumber 0x2C9EB206 (0x05062C9EB206) .May 6 16:21:06.586: Vi1 LCP: Event[Receive ConfNak/Rej] State[ACKsent to ACKsent] .May 6 16:21:06.586: Vi1 LCP: I TERMREQ [ACKsent] id 4 len 4 .May 6 16:21:06.586: Vi1 LCP: O TERMACK [ACKsent] id 4 len 4 .May 6 16:21:06.590: Vi1 LCP: Event[Receive TermReq] State[ACKsent to REQsent] .May 6 16:21:06.590: %DIALER-6-UNBIND: Interface Vi1 unbound from profile Di0 .May 6 16:21:06.590: Vi1 PPP: Block vaccess from being freed [0x10] .May 6 16:21:06.594: Vi1 PPP DISC: PPP Renegotiating .May 6 16:21:06.594: PPP: NET STOP send to AAA. .May 6 16:21:06.594: Vi1 LCP: Event[DOWN] State[REQsent to Starting] .May 6 16:21:06.594: Vi1 PPP: Unlocked by [0x10] Still Locked by [0x0] .May 6 16:21:06.594: Vi1 PPP: Free previously blocked vaccess .May 6 16:21:06.594: Vi1 PPP: Phase is DOWN
参考Understanding debug ppp negotiation Output这里可以知道PPP的协商过程是如下图所示:
上面debug输出的就是Establishing到Down的这段,原因其实就是LCP协商失败。
上面输出比较重要的两段单独拿出来看看:
.May 6 16:30:48.539: Vi1 LCP: I CONFREQ [ACKrcvd] id 2 len 18 .May 6 16:30:48.539: Vi1 LCP: MRU 1492 (0x010405D4) .May 6 16:30:48.539: Vi1 LCP: AuthProto PAP (0x0304C023) .May 6 16:30:48.539: Vi1 LCP: MagicNumber 0xF5FD2887 (0x0506F5FD2887) .May 6 16:30:48.539: Vi1 LCP: O CONFNAK [ACKrcvd] id 2 len 13 .May 6 16:30:48.539: Vi1 LCP: MRU 1500 (0x010405DC) .May 6 16:30:48.539: Vi1 LCP: AuthProto CHAP (0x0305C22305)
” I CONFREQ”是ISP那边送来的,大概意思就是说我要用PAP方式做验证好不好?MTU是1492。”O CONFNAK”是我的router在说”我要用CHAP做验证,MTU 1500″。而且这个过程在不断重复,这要是在现实生活中估计俩人早就该打起来了……好在对”Magic Number”两边还是能好好的协商的……
在经过多次之后失败后(我这里看到的是15次)debug输出中会出现这样一句:
.May 6 16:31:12.759: Vi1 LCP: Sent too many CONFNAKs. Switch to CONFREJ .May 6 16:31:12.759: Vi1 LCP: O CONFREJ [ACKrcvd] id 7 len 12 .May 6 16:31:12.759: Vi1 LCP: MRU 1492 (0x010405D4) .May 6 16:31:12.759: Vi1 LCP: AuthProto PAP (0x0304C023)
如果说”CNFNAKs”是路由器“稍显含蓄”的表达对部分协商的内容拒绝且我同意的方式是下面的,你看看如何;那”CONFREJ”表示路由器“真急了”,直接说对下面这些你说的我不同意。
根据上面看到的结果,乖乖的把验证方式修改成pap,然后再看看debug的输出:
.May 6 17:11:44.174: Vi1 LCP: Event[Receive ConfAck] State[REQsent to ACKrcvd] .May 6 17:11:46.159: Vi1 LCP: O CONFREQ [ACKrcvd] id 3 len 10 .May 6 17:11:46.159: Vi1 LCP: MagicNumber 0x2CCCFF0F (0x05062CCCFF0F) .May 6 17:11:46.159: Vi1 LCP: Event[Timeout+] State[ACKrcvd to REQsent] .May 6 17:11:46.159: Vi1 LCP: I CONFACK [REQsent] id 3 len 10 .May 6 17:11:46.159: Vi1 LCP: MagicNumber 0x2CCCFF0F (0x05062CCCFF0F) .May 6 17:11:46.159: Vi1 LCP: Event[Receive ConfAck] State[REQsent to ACKrcvd] .May 6 17:11:47.115: Vi1 LCP: I CONFREQ [ACKrcvd] id 2 len 18 .May 6 17:11:47.115: Vi1 LCP: MRU 1492 (0x010405D4) .May 6 17:11:47.115: Vi1 LCP: AuthProto PAP (0x0304C023) .May 6 17:11:47.115: Vi1 LCP: MagicNumber 0xF9D28078 (0x0506F9D28078) .May 6 17:11:47.115: Vi1 LCP: O CONFNAK [ACKrcvd] id 2 len 8 .May 6 17:11:47.115: Vi1 LCP: MRU 1500 (0x010405DC) .May 6 17:11:47.115: Vi1 LCP: Event[Receive ConfReq-] State[ACKrcvd to ACKrcvd] .May 6 17:11:47.119: Vi1 LCP: I CONFREQ [ACKrcvd] id 3 len 18 .May 6 17:11:47.119: Vi1 LCP: MRU 1500 (0x010405DC) .May 6 17:11:47.123: Vi1 LCP: AuthProto PAP (0x0304C023) .May 6 17:11:47.123: Vi1 LCP: MagicNumber 0xAD3A4DCE (0x0506AD3A4DCE) .May 6 17:11:47.123: Vi1 LCP: O CONFACK [ACKrcvd] id 3 len 18 .May 6 17:11:47.123: Vi1 LCP: MRU 1500 (0x010405DC) .May 6 17:11:47.123: Vi1 LCP: AuthProto PAP (0x0304C023) .May 6 17:11:47.123: Vi1 LCP: MagicNumber 0xAD3A4DCE (0x0506AD3A4DCE) .May 6 17:11:47.123: Vi1 LCP: Event[Receive ConfReq+] State[ACKrcvd to Open] .May 6 17:11:47.151: Vi1 PPP: No authorization without authentication .May 6 17:11:47.151: Vi1 PPP: Phase is AUTHENTICATING, by the peer .May 6 17:11:47.151: Vi1 PAP: Using hostname from interface PAP .May 6 17:11:47.151: Vi1 PAP: Using password from interface PAP .May 6 17:11:47.151: Vi1 PAP: O AUTH-REQ id 1 len 19 from "<username>" .May 6 17:11:47.151: Vi1 LCP: State is Open .May 6 17:11:47.163: Vi1 PAP: I AUTH-ACK id 1 len 36 msg is "Authentication success,Welcome!" .May 6 17:11:47.167: Vi1 PPP: Queue IPCP code[1] id[1] .May 6 17:11:47.171: Vi1 PPP: Phase is ESTABLISHING, Finish LCP .May 6 17:11:47.171: Vi1 PPP: Phase is UP
这回协商的过程就客气多了,先是两边统一好了magic number(部分debug输出过程省略),之后的“对话过程如下”:
- ISP那边的设备说“MRU 1492, PAP验证 magic number是…”
- 我这边的路由器回答“部分不同意(CONFNAK),MRU 1500如何?”
- ISP那边的设备说”MRU 1500, PAP验证,magic number是…”
- 我这边的路由器确认方案(CONFACK)并复述了一遍方案
再之后进入了进入”AUTHENTICATING”状态,使用配置好的用户名密码做了身份验证,收到确认后就进入到了”UP”状态了。
再往后就是NCP (IPCP)协商阶段,从ISP那边拿到IP地址等参数了。
对配置的进一步的小改进-调整MTU
如果想要在LCP协商过程中直接接受ISP那边提出的MRU,那么可以在dailer接口下设置 “ppp mtu adaptive”,那么LCP协商阶段就会减少一次“讨价还价”,直接按ISP那边提供的MRU 1492。debug输出如下(完全没有协商使用1500的过程):
.May 6 18:19:44.429: Vi1 LCP: I CONFREQ [ACKrcvd] id 2 len 18 .May 6 18:19:44.429: Vi1 LCP: MRU 1492 (0x010405D4) .May 6 18:19:44.429: Vi1 LCP: AuthProto PAP (0x0304C023) .May 6 18:19:44.429: Vi1 LCP: MagicNumber 0x8816C41F (0x05068816C41F) .May 6 18:19:44.429: Vi1 LCP: O CONFACK [ACKrcvd] id 2 len 18 .May 6 18:19:44.429: Vi1 LCP: MRU 1492 (0x010405D4) .May 6 18:19:44.429: Vi1 LCP: AuthProto PAP (0x0304C023) .May 6 18:19:44.429: Vi1 LCP: MagicNumber 0x8816C41F (0x05068816C41F)
然后Dialer接口 上设置ip mtu 1492 (前面其实已经设置了),对内的接口上设置“ip tcp adjust-mss 1452”,具体原因可以参考这里:Cisco IOS IP Application Services Command Reference
实际测试时,我使用的北京联通的网络看似是接受1500的,不修改成1492没有影响我上网使用。仅供参考。