Creating a PPPoE server on a Cisco router
Segment | Address |
---|---|
PPPoE server | 172.31.0.0/32 |
Site-x | 172.31.254.x/24 |
Center | 172.31.255.x/24 |
Of the three cases:
- Configure Site-x with a dynamic IP (Dynamic IP-1)
- Configure Center with a dynamic IP from a separate segment (Dynamic IP-2)
- Configure Center with a static IP (Static IP)
this section covers the second: switching the IP pool depending on which peer is connecting.
Defining the address pool for PPPoE clients
PPPoE IP pool
ip local pool PPPOE_pool_Center 172.31.255.1 172.31.255.254
Enable aaa new-model, since the pool is selected through an aaa attribute
aaa new-model
Assign the IP pool in an aaa attribute list
aaa attribute list PPPoE_aaa_Center
attribute type addr-pool PPPOE_pool_Center service ppp protocol ip
Define authentication and authorization method lists named PPPoE
aaa authentication ppp PPPoE local
aaa authorization network PPPoE local
Name the PPP authentication method list PPPoE and have it consult the local database.
Name the network authorization method list PPPoE and have it consult the local database.
Registering users and passwords
Registering the user
username center@Cisco password pass-center
username center@Cisco aaa attribute list PPPoE_aaa_Center
Associate the IP pool with the user.
Register with `password`, not `secret`, since authentication does not succeed with `secret`: CHAP requires the router to hold the cleartext password, and `secret` stores only a one-way hash. With `no service password-encryption` set, as in the config below, these passwords therefore appear in cleartext in the running-config (`password 0 ...`).
Defining the tunnel on the server side
interface Virtual-Template1
mtu 1454
ip unnumbered Loopback1
peer default ip address pool PPPOE_POOL
ppp authentication chap PPPoE
ppp authorization PPPoE
ppp ipcp dns 8.8.8.8
Add or change `ppp authentication chap PPPoE` and `ppp authorization PPPoE` so the template uses the method lists defined above. `peer default ip address pool PPPOE_POOL` stays as the fallback for users without an attribute list, which is why the Site-x users below receive 172.31.254.x addresses while center@Cisco receives one from PPPOE_pool_Center.
Full config of the PPPoE server
PPPoE-Server#show running-config
Building configuration...
Current configuration : 3399 bytes
!
! Last configuration change at 22:25:20 JST Tue Jan 2 2024
! NVRAM config last updated at 22:25:22 JST Tue Jan 2 2024
! NVRAM config last updated at 22:25:22 JST Tue Jan 2 2024
version 15.1
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
!
hostname PPPoE-Server
!
boot-start-marker
boot-end-marker
!
!
vrf definition MGT
description Managemane_LAN
rd 1:100
!
address-family ipv4
exit-address-family
!
enable secret 8 $8$teuDSdtG0iIdea$henhMywyRCNfuUhnYlUumScM6UJjhN2tEky.lqYn9DI
!
aaa new-model
!
!
aaa authentication ppp PPPoE local
aaa authorization network PPPoE local
!
aaa attribute list PPPoE_aaa_Center
attribute type addr-pool "PPPOE_pool_Center" service ppp protocol ip
!
!
!
!
!
aaa session-id common
!
clock timezone JST 9 0
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
no ip domain lookup
ip domain name my.home
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO1921/K9 sn FGL184220QJ
!
!
!
spanning-tree portfast bpduguard
username admin secret 8 $8$CCGMBxg4ABCUA.$aVExfgR1/d7ZICsH8cxolmobF101ghx0WROUEZ7Eei2
username site-A@Cisco password 0 pass-A
username site-B@Cisco password 0 pass-B
username site-C@Cisco password 0 pass-C
username site-D@Cisco password 0 pass-D
username site-E@Cisco password 0 pass-E
username center@Cisco password 0 pass-center
username center@Cisco aaa attribute list PPPoE_aaa_Center
!
redundancy
!
!
!
!
ip ssh version 2
!
!
!
!
!
!
bba-group pppoe PPPOE_GROUP
virtual-template 1
sessions auto cleanup
!
!
interface Loopback1
ip address 172.31.0.0 255.255.255.255
!
interface Loopback10
ip address 100.64.10.10 255.255.255.255
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
vrf forwarding MGT
ip address dhcp
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
no ip address
!
interface GigabitEthernet0/0/1
no ip address
!
interface GigabitEthernet0/0/2
no ip address
!
interface GigabitEthernet0/0/3
no ip address
!
interface Virtual-Template1
mtu 1454
ip unnumbered Loopback1
peer default ip address pool PPPOE_POOL
ppp authentication chap PPPoE
ppp authorization PPPoE
ppp ipcp dns 8.8.8.8
ppp ipcp mask 255.255.255.240
ppp ipcp username unique
!
interface Vlan1
no ip address
pppoe enable group PPPOE_GROUP
!
ip local pool PPPOE_POOL 172.31.254.1 172.31.254.254
ip local pool PPPOE_pool_Center 172.31.255.1 172.31.255.254
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
!
ip access-list extended MGT_SSH
permit tcp 10.0.0.0 0.255.255.255 host 0.0.0.0 eq 22 log MGT_SSH
permit tcp 172.16.0.0 0.15.255.255 host 0.0.0.0 eq 22 log MGT_SSH
permit tcp 192.168.0.0 0.0.255.255 host 0.0.0.0 eq 22 log MGT_SSH
permit tcp 100.64.0.0 0.63.255.255 host 0.0.0.0 eq 22 log MGT_SSH
deny ip any host 0.0.0.0 log MGT_SSH
!
!
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class MGT_SSH in vrf-also
transport input ssh
line vty 5 15
transport input none
!
scheduler allocate 20000 1000
ntp server vrf MGT 210.173.160.87 minpoll 4
Client-side configuration
Omitted, since only the username and password differ.
Status information
show ppp all (on the PPPoE server)
PPPoE-Server#show ppp all
Interface/ID OPEN+ Nego* Fail- Stage Peer Address Peer Name
------------ --------------------- -------- --------------- --------------------
Vi2.4 LCP+ CHAP+ IPCP+ LocalT 172.31.255.1 center@Cisco
Vi2.3 LCP+ CHAP+ IPCP+ LocalT 172.31.254.9 site-C@Cisco
Vi2.2 LCP+ CHAP+ IPCP+ LocalT 172.31.254.6 site-B@Cisco
Vi2.1 LCP+ CHAP+ IPCP+ LocalT 172.31.254.2 site-A@Cisco
Besides the interface, this shows each client's IP address and username.
Address acquisition state on the IX2215 client
Center(config)# show ip address GigaEthernet0.1
Interface GigaEthernet0.1 is up, line protocol is up
Internet address is 172.31.255.1/32
Broadcast address is 255.255.255.255
Peer address is 172.31.0.0
Address determined by IPCP
Primary DNS server is 8.8.8.8
Secondary DNS server is 8.8.4.4
Distributing a static IP
Now for the third case:
3. Configure Center with a static IP (Static IP)
This is how to hand out a fixed IP address to a PPPoE client.
Segment | Address |
---|---|
PPPoE server | 172.31.0.0/32 |
Site-x | 172.31.254.x/24 |
Center | 172.31.255.x/24 |
Static-1 ➡ | 172.31.10.1/32 |
Specify the IP address in the aaa attribute list instead of an IP pool
aaa attribute list PPPoE_aaa_Static_1
attribute type addr 172.31.10.1 service ppp protocol ip
username Static-1@Cisco password Static_1
username Static-1@Cisco aaa attribute list PPPoE_aaa_Static_1
State on the PPPoE server
show ppp all
PPPoE-Server#show ppp all
Interface/ID OPEN+ Nego* Fail- Stage Peer Address Peer Name
------------ --------------------- -------- --------------- --------------------
Vi2.3 LCP+ CHAP+ IPCP+ LocalT 172.31.10.1 Static-1@Cisco
Vi2.4 LCP+ CHAP+ IPCP+ LocalT 172.31.255.1 center@Cisco
Vi2.2 LCP+ CHAP+ IPCP+ LocalT 172.31.254.6 site-B@Cisco
Vi2.1 LCP+ CHAP+ IPCP+ LocalT 172.31.254.2 site-A@Cisco
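As an added check for the pool-switching and fixed-address methods above (example code written for this page, not the author's configuration or router output), the following Python script parses the `show ppp all` output and confirms that each session is fully open and that each peer received an address from the range its username is bound to. The sample output and the policy table are constructed from the configuration shown on this page.

```python
import ipaddress
import re

# Constructed sample input: the "show ppp all" output shown on this page
# after the Static-1 user was added (one site row dropped for brevity).
SHOW_PPP_ALL = """\
PPPoE-Server#show ppp all
Interface/ID OPEN+ Nego* Fail- Stage Peer Address Peer Name
------------ --------------------- -------- --------------- --------------------
Vi2.3 LCP+ CHAP+ IPCP+ LocalT 172.31.10.1 Static-1@Cisco
Vi2.4 LCP+ CHAP+ IPCP+ LocalT 172.31.255.1 center@Cisco
Vi2.1 LCP+ CHAP+ IPCP+ LocalT 172.31.254.2 site-A@Cisco
"""

# Expected address policy, taken from the page's config: PPPOE_POOL is the
# default, center@Cisco gets PPPOE_pool_Center via its aaa attribute list,
# and Static-1@Cisco gets the fixed address from "attribute type addr".
DEFAULT_POOL = ipaddress.ip_network("172.31.254.0/24")
POLICY = {
    "center@Cisco": ipaddress.ip_network("172.31.255.0/24"),
    "Static-1@Cisco": ipaddress.ip_network("172.31.10.1/32"),
}
# One session row: interface, phase results (LCP+ CHAP+ IPCP+ ...), stage,
# peer address, peer name. The prompt, header and separator lines do not match.
ROW = re.compile(
    r"^Vi\S+\s+(?P<phases>(?:\S+[+*-]\s+)+)\S+\s+"
    r"(?P<addr>\d+\.\d+\.\d+\.\d+)\s+(?P<name>\S+)$"
)

def parse_sessions(text):
    """Return (peer name, peer address, all phases OPEN?) per session row."""
    sessions = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        phases = m.group("phases").split()
        sessions.append((m.group("name"),
                         ipaddress.ip_address(m.group("addr")),
                         all(p.endswith("+") for p in phases)))
    return sessions

def check_sessions(text, policy=POLICY, default_pool=DEFAULT_POOL):
    """Map each peer name to True if the session is fully open and its
    address falls inside the range that user is supposed to receive."""
    result = {}
    for name, addr, all_open in parse_sessions(text):
        expected = policy.get(name, default_pool)
        result[name] = all_open and addr in expected
    return result
```

A user that unexpectedly lands in the default pool (for example a mistyped attribute-list name) or a session with a failed phase (marked `-`) is reported as False.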
PPPoE server config
PPPoE-Server#show running-config
Building configuration...
Current configuration : 3602 bytes
!
! Last configuration change at 23:37:32 JST Tue Jan 2 2024
! NVRAM config last updated at 23:37:35 JST Tue Jan 2 2024
! NVRAM config last updated at 23:37:35 JST Tue Jan 2 2024
version 15.1
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
!
hostname PPPoE-Server
!
boot-start-marker
boot-end-marker
!
!
vrf definition MGT
description Managemane_LAN
rd 1:100
!
address-family ipv4
exit-address-family
!
enable secret 8 $8$teuDSdtG0iIdea$henhMywyRCNfuUhnYlUumScM6UJjhN2tEky.lqYn9DI
!
aaa new-model
!
!
aaa authentication ppp PPPoE local
aaa authorization network PPPoE local
!
aaa attribute list PPPoE_aaa_Static_1
attribute type addr 172.31.10.1 service ppp protocol ip
!
aaa attribute list PPPoE_aaa_Center
attribute type addr-pool "PPPOE_pool_Center" service ppp protocol ip
!
!
!
!
!
aaa session-id common
!
clock timezone JST 9 0
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
no ip domain lookup
ip domain name my.home
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO1921/K9 sn FGL184220QJ
!
!
!
spanning-tree portfast bpduguard
username admin secret 8 $8$CCGMBxg4ABCUA.$aVExfgR1/d7ZICsH8cxolmobF101ghx0WROUEZ7Eei2
username site-A@Cisco password 0 pass-A
username site-B@Cisco password 0 pass-B
username site-C@Cisco password 0 pass-C
username site-D@Cisco password 0 pass-D
username site-E@Cisco password 0 pass-E
username center@Cisco password 0 pass-center
username center@Cisco aaa attribute list PPPoE_aaa_Center
username Static-1@Cisco password 0 Static_1
username Static-1@Cisco aaa attribute list PPPoE_aaa_Static_1
!
redundancy
!
!
!
!
ip ssh version 2
!
!
!
!
!
!
bba-group pppoe PPPOE_GROUP
virtual-template 1
sessions auto cleanup
!
!
interface Loopback1
ip address 172.31.0.0 255.255.255.255
!
interface Loopback10
ip address 100.64.10.10 255.255.255.255
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
vrf forwarding MGT
ip address dhcp
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
no ip address
!
interface GigabitEthernet0/0/1
no ip address
!
interface GigabitEthernet0/0/2
no ip address
!
interface GigabitEthernet0/0/3
no ip address
!
interface Virtual-Template1
mtu 1454
ip unnumbered Loopback1
peer default ip address pool PPPOE_POOL
ppp authentication chap PPPoE
ppp authorization PPPoE
ppp ipcp dns 8.8.8.8
ppp ipcp mask 255.255.255.240
ppp ipcp username unique
!
interface Vlan1
no ip address
pppoe enable group PPPOE_GROUP
!
ip local pool PPPOE_POOL 172.31.254.1 172.31.254.254
ip local pool PPPOE_pool_Center 172.31.255.1 172.31.255.254
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
!
ip access-list extended MGT_SSH
permit tcp 10.0.0.0 0.255.255.255 host 0.0.0.0 eq 22 log MGT_SSH
permit tcp 172.16.0.0 0.15.255.255 host 0.0.0.0 eq 22 log MGT_SSH
permit tcp 192.168.0.0 0.0.255.255 host 0.0.0.0 eq 22 log MGT_SSH
permit tcp 100.64.0.0 0.63.255.255 host 0.0.0.0 eq 22 log MGT_SSH
deny ip any host 0.0.0.0 log MGT_SSH
!
!
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class MGT_SSH in vrf-also
transport input ssh
line vty 5 15
transport input none
!
scheduler allocate 20000 1000
ntp server vrf MGT 210.173.160.87 minpoll 4
end
Changing the SSH port number on a Cisco router
As a test, change it to port 8224
ip ssh port 8224 rotary 1
ip access-list extended MGT_SSH
permit tcp 10.0.0.0 0.255.255.255 host 0.0.0.0 eq 8224
permit tcp 172.16.0.0 0.15.255.255 host 0.0.0.0 eq 8224
permit tcp 192.168.0.0 0.0.255.255 host 0.0.0.0 eq 8224
permit tcp 100.64.0.0 0.63.255.255 host 0.0.0.0 eq 8224
deny ip any host 0.0.0.0
line vty 0 4
access-class MGT_SSH in vrf-also
rotary 1
Unless the access-list restricts it, both port 22 and port 8224 accept connections: `ip ssh port 8224 rotary 1` adds a listener on the rotary port but does not remove the default one, so the access-class applied to the vty lines is what actually blocks port 22.