Posts from ‘CCNP’
The following question was recently sent to me regarding PPP and CHAP:
At the moment I only have packet tracer to practice on, and have been trying to setup CHAP over PPP.
It seems that the “PPP CHAP username xxxx” and “PPP CHAP password xxxx” commands are missing in packet tracer.
I have it set similar to this video… (you can skip the first 1 min 50 secs)
As he doesn’t use the missing commands, if that were to be done on live kit would it just use the hostname and magic number to create the hash?
Also, in bi-directional authentication, do both routers have to use the same password or can they be different as long as they match what they expect from the other router?
Here was my reply:
When using PPP CHAP keep in mind four fundamental things:
- The “magic number” that you see in PPP LCP messages has nothing to do with authentication or CHAP. It is simply PPP’s way of verifying that it has a bi-directional link with a peer. When sending an LCP message, a random Magic Number is generated. You should NOT see your own Magic Number in LCP messages received from your PPP peer. If you DO see the same Magic Number that you transmitted, you are talking to yourself (your outgoing LCP CONFREQ message has been looped back to you). This can happen if the Telco providing your circuit is doing some testing and has temporarily looped back your circuit.
- At least one of the devices will be initiating the CHAP challenge. In IOS this is enabled with the interface command, “ppp authentication chap”. Technically it only has to be configured on one device (usually the ISP router that wishes to “challenge” the incoming caller) but with CHAP you can configure it on both sides if you wish to have bi-directional CHAP challenges.
- Both routers need a CHAP password, and you have a couple of options on how to do this.
- The “hash” in an outgoing PPP CHAP Response is an MD5 digest (RFC 1994) computed over three values, and without knowing all three the Response cannot be generated:
- The CHAP Identifier (a one-octet sequence number copied from the Challenge)
- The configured PPP CHAP password (the shared secret)
- The PPP CHAP Challenge value
The router’s hostname is not part of the hash. It is sent in the clear in the Name field of the Response so that the challenging router knows which password to check the hash against.
I do all of my lab testing on real hardware so I can’t speak to any “gotchas” that might be present in simulators like Packet Tracer. But what I can tell you is that on real routers the side that is receiving the CHAP challenge must be configured with an interface-level CHAP password.
The relevant configurations are below as an example.
ISP router that is initiating the CHAP Challenge for incoming callers:
username Customer password cisco
!
interface Serial1/3
 encapsulation ppp
 ppp authentication chap
 ip address x.x.x.x y.y.y.y
!
Customer router placing the outgoing PPP call to ISP:
hostname Customer
!
interface Serial1/3
 encapsulation ppp
 ppp chap password cisco
 ip address x.x.x.x y.y.y.y
!
If you have a situation where you expect that the Customer Router might be using this same interface to “call” multiple remote destinations, and use a different CHAP password for each remote location, then you could add the following:
Customer router placing the outgoing PPP call to ISP-1 (CHAP password = Bob) and ISP-2 (CHAP password = Sally):
hostname Customer
!
username ISP-1 password Bob
username ISP-2 password Sally
!
interface Serial1/3
 encapsulation ppp
 ppp chap password cisco
 ip address x.x.x.x y.y.y.y
!
Notice in the example above that the “username x password y” commands supersede the interface-level command, “ppp chap password x”. But please note that the customer (calling) router always needs the “ppp chap password” command configured at the interface level. A global “username x password y” in the customer router does not replace this command. In this situation, if the Customer router placed a call to ISP-3 (for which there IS no “username/password” statement) it would fall back to using the password configured at the interface level.
One more point: the “username x password y” command needs to be viewed differently depending on whether it is configured on the router that is RESPONDING to a Challenge or on the router that is GENERATING the Challenge:
- When the command “username X password Y” is configured on the router that is responding to the CHAP Challenge (Customer router), X is matched against the Name field of the received Challenge (the ISP’s hostname), and password Y, together with the Identifier and the received Challenge value, goes into the MD5 hash that produces the CHAP RESPONSE. The Customer’s own hostname is placed in the Name field of that Response.
- When the command “username X password Y” is configured on the router that is generating the CHAP Challenge (ISP router), once the ISP router receives the CHAP Response (whose Name field carries the hostname of the Customer/calling router) it matches that received hostname to a corresponding “username X password Y” statement. If one is found, the ISP router performs its own MD5 hash of the Identifier, password Y, and the Challenge it previously sent, and compares the result with the value received in the CHAP Response. If no username matches, or the two hashes differ, authentication fails.
Lastly, you asked, “Also, in bi-directional authentication, do both routers have to use the same password or can they be different as long as they match what they expect from the other router?”
Hopefully from my explanations above it is now clear that in the case of bi-directional authentication the passwords do indeed have to be the same on both sides: each router uses its single “username <peer-hostname> password” entry both to answer the peer’s challenge and to check the peer’s response, so the two entries must hold one shared secret.
Hope that helps!
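The exchange described in the reply above, written out as an added example that is not part of the original post: a CHAP Challenge/Response in Python following RFC 1994, with the two IOS password sources the reply describes (the “username X password Y” entries and the interface-level “ppp chap password”) modelled the way the reply says IOS uses them. The Router class, the hostnames, secrets, Identifier values and challenge bytes are assumptions made up for the illustration, not anything from the original configs beyond the names already shown.

```python
# Added example (not code from the original post): CHAP as RFC 1994 defines it
# and as the reply describes IOS using it. Hostnames, secrets, Identifier values
# and challenge bytes below are constructed for illustration.
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 Response Value: MD5 over Identifier octet || secret || Challenge Value.
    The hostname is not hashed; it travels in the clear in the Name field."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


class Router:
    """IOS-like PPP peer with the two password sources the reply describes:
    'username X password Y' entries and an interface-level 'ppp chap password'."""

    def __init__(self, hostname, usernames=None, interface_chap_password=None):
        self.hostname = hostname
        self.usernames = dict(usernames or {})
        self.interface_chap_password = interface_chap_password
        self._outstanding = {}  # Identifier -> Challenge Value sent and not yet verified

    # --- responder side -------------------------------------------------
    def secret_for_peer(self, peer_name):
        # As the reply states: a matching username entry supersedes the interface
        # password, and the interface password is the fallback for peers without one.
        if peer_name in self.usernames:
            return self.usernames[peer_name]
        if self.interface_chap_password is not None:
            return self.interface_chap_password
        raise LookupError(f"{self.hostname}: no CHAP password for peer {peer_name}")

    def answer_challenge(self, challenge_pkt):
        secret = self.secret_for_peer(challenge_pkt["name"])
        value = chap_response(challenge_pkt["id"], secret, challenge_pkt["value"])
        return {"id": challenge_pkt["id"], "value": value, "name": self.hostname}

    # --- challenger side ('ppp authentication chap') --------------------
    def send_challenge(self, identifier=None, challenge=None):
        identifier = os.urandom(1)[0] if identifier is None else identifier
        challenge = os.urandom(16) if challenge is None else challenge
        self._outstanding[identifier] = challenge
        return {"id": identifier, "value": challenge, "name": self.hostname}

    def verify_response(self, response_pkt):
        challenge = self._outstanding.pop(response_pkt["id"], None)
        if challenge is None:
            return False  # unsolicited or replayed Response
        secret = self.usernames.get(response_pkt["name"])
        if secret is None:
            return False  # no 'username <peer>' entry for the hostname in the Name field
        expected = chap_response(response_pkt["id"], secret, challenge)
        return hmac.compare_digest(expected, response_pkt["value"])


def authenticate(challenger, responder, identifier=None, challenge=None):
    """One-way CHAP: Challenge, Response, verify. Returns True on Success."""
    chal = challenger.send_challenge(identifier, challenge)
    resp = responder.answer_challenge(chal)
    return challenger.verify_response(resp)


def one_way_example():
    """The first config pair: ISP challenges, Customer answers with its interface password."""
    isp = Router("ISP", usernames={"Customer": "cisco"})
    customer = Router("Customer", interface_chap_password="cisco")
    return authenticate(isp, customer)


def per_peer_example():
    """The second config: Bob for ISP-1, Sally for ISP-2, interface-level fallback for ISP-3."""
    customer = Router("Customer", usernames={"ISP-1": "Bob", "ISP-2": "Sally"},
                      interface_chap_password="cisco")
    isp1 = Router("ISP-1", usernames={"Customer": "Bob"})
    isp2 = Router("ISP-2", usernames={"Customer": "Sally"})
    isp3 = Router("ISP-3", usernames={"Customer": "cisco"})
    return (authenticate(isp1, customer), authenticate(isp2, customer), authenticate(isp3, customer))


def bidirectional_example(customer_secret, isp_secret):
    """Both sides challenge. Each router's single 'username <peer>' entry is used both
    to answer and to verify, so the two entries must hold the same secret."""
    isp = Router("ISP", usernames={"Customer": isp_secret})
    customer = Router("Customer", usernames={"ISP": customer_secret})
    return authenticate(isp, customer) and authenticate(customer, isp)


if __name__ == "__main__":
    print("one-way:", one_way_example())
    print("per-peer (ISP-1, ISP-2, ISP-3):", per_peer_example())
    print("bidirectional, same secret:", bidirectional_example("cisco", "cisco"))
    print("bidirectional, different secrets:", bidirectional_example("cisco", "other"))
```

Run it and the last line prints False: with two different secrets the Customer’s answer to the ISP’s challenge is computed with one password and checked against the other. Two caveats a practitioner should keep in mind: the Name field is sent in the clear, and anyone who captures a Challenge and its Response can run an offline dictionary attack against the MD5 hash, so the CHAP password deserves the same care as any other shared secret.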
We are excited to announce the arrival of INE’s CCNP Routing & Switching 10-Day Bootcamps!
Both live on-site and online interactive Bootcamp formats are available for purchase. As an added bonus, if you purchase the CCNP Routing & Switching 10-Day Bootcamp, you will receive a complimentary 1-Year All Access Pass!
Visit INE’s website for course dates/locations. Be sure to reserve your seat today, and let one of our Training Advisors know if you require additional assistance. We look forward to seeing you at one of our upcoming CCNP Routing & Switching 10-Day Bootcamps!
Week 1 Topics Include:
- IP Routing Overview
- EIGRP Protocol Overview
- EIGRP DUAL Calculation
- EIGRP Authentication & Summarization
- Advanced EIGRP Features
- EIGRP Troubleshooting
- OSPF Protocol Overview
- OSPF SPF Calculation
- OSPF Media Dependencies
- OSPF Areas & LSA Types
- OSPF Single and Multiple Area
- OSPF Authentication and Summarization
- Advanced OSPF Features
- OSPF Troubleshooting
- BGP Protocol Overview
- BGP Attributes & Bestpath Selection
- BGP Peering & NLRI Advertisements
- BGP Route Reflectors & Confederations
- BGP Authentication and Summarization
- BGP Troubleshooting
- Route Filtering & Traffic Engineering
- Running Multiple Routing Protocols
- Understanding Distribute-Lists, Prefix-Lists & Route-Maps
- One-Point Route Redistribution
- Multi-Point Route Redistribution
- Fixing Routing Loops
- Route Redistribution Troubleshooting
- Policy-Based Routing & Path Control
- IPv6 Overview
Week 2 Topics Include:
- Enterprise Campus Network Architecture
- Layer 2 Switching vs. Layer 3 Routing
- VLAN Design
- Private VLAN
- DTP & Trunking
- VTP Overview & VLAN Pruning
- VLAN Troubleshooting
- STP Protocol Overview
- Rapid STP & Multiple STP
- STP Advanced Features & Security
- STP Troubleshooting
- Layer 2 & Layer 3 EtherChannel
- EtherChannel Troubleshooting
- Inter-VLAN Routing
- DHCP Protocol Overview
- Multilayer Switching Overview
- High Availability with NSF & SSO
- Layer 3 Redundancy Protocols – HSRP, VRRP, GLBP
- First Hop Redundancy Troubleshooting
- Layer 2 Security Features (802.1x, VACL, Port Security)
- DHCP Snooping, Dynamic ARP Inspection & Source Guard
- Layer 2 Security Troubleshooting
- Layer 2 Voice & Video Support
- Wireless Design Overview
- Wireless Standards & Protocols
- WLC Deployments (Local & HREAP)
Between now and the end of the week we will be releasing our January to June 2013 schedule. You will see a lot of new classes/bootcamps added covering a wide range of topics. These include CCNA Data Center, CCNP Data Center, CCNP Wireless, CCNA Service Provider, CCNP Service Provider, Nexus 1000v & Open vSwitch, UCS & OpenStack, Nexus Live Online Bootcamps, Nexus Live Onsite Bootcamps, etc. You will also notice we are adding new 2 day online courses covering a wide range of topics (ISE, WSE, IOS XR, IOS XE, OpenFlow, etc).
The biggest change that you will notice for 2013 is that for ALL of our new products we will offer hands-on labs and equipment rentals. We’ve made a big push for new hardware in 2012 and we’ll be making an even bigger push for 2013. During the first week of January you will see the new CCNP and CCIE Security racks along with the new CCIE Data Center racks coming online. Additionally our new CCNP Security course will have hands-on labs available around the same time frame.
In 2013 we will be making all of our CCNA courses available free of charge, as our CCNA and CCNA Voice courses are now. Not only will they be free to stream online, we will offer hands-on labs and equipment access for all tracks (CCNA Service Provider, CCNA Data Center, etc.). Some of the equipment will be offered free of charge for AAP members and some equipment even free of charge to the general public. The key to learning at this level isn’t to be bored to death with some “professional presenter” going over hours and hours of PowerPoint slides or some low budget video production with a “professional presenter” dancing around the screen. You need to be engaged by watching a real instructor cover the topics hands-on while you also follow along on the equipment. Lastly, in regard to the CCNA, you will see the current courses redone to allow for this new format.
For the workbooks, we will be retiring the workbook volume structure (Vol 1, Vol 2, etc.) that we first introduced years ago and that is now copied by nearly every vendor. We will be moving to a new format that is a single solution laid out in a structured manner as opposed to a portfolio of products. This new format allows for quicker updates and additions to the products along with many other benefits. The new CCIE Security and CCIE Data Center products will be the first to be offered in our new format.
Lastly I will be making a separate post later this month in regarding a new series of online classes that I personally will be doing next year.
Just ahead of our brand new CCNA Voice live online bootcamp beginning this Monday, I thought it might be nice to provide an easy-to-follow graphic for those starting out in Voice (or on any other Cisco networking track). This graphic was from last year, but remains quite easy to follow for each and every Cisco track.
Be sure you have a high resolution set if you wish to see the entire thing, otherwise scrolling may be necessary.
The BGP MED attribute, commonly referred to as the BGP metric, provides a means to convey to a neighboring Autonomous System (AS) a preferred entry point into the local AS. BGP MED is a non-transitive optional attribute and thus the receiving AS cannot propagate it across its AS borders. However, the receiving AS may reset the metric value upon receipt, if it so desires.
Previous versions of BGP (v2 and v3) defined this attribute as the inter-AS metric (INTER_AS_METRIC), but in BGPv4 it is defined as the multi-exit discriminator (MULTI_EXIT_DISC). The MED is an unsigned 32-bit integer, so it can be any value from 0 to 4,294,967,295 (2^32-1), with a lower value being preferred. Certain implementations of BGP treat a path with a MED value of 4,294,967,295 as infinite, and hence deem the path unusable, so the MED value is reset to 4,294,967,294. This rewriting of the MED value could lead to inconsistencies, unintended path selections or even churn. I’ll do a follow-up article on how BGP MED can possibly cause an endless convergence loop in certain topologies.
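As an added example (not code from the original post), the MULTI_EXIT_DISC attribute as it appears on the wire, plus the two treatments of the value 2^32-1 described above, so you can see how a rewrite at one hop changes the outcome of the MED comparison. The path names and MED values are constructed for the illustration; the attribute layout (flags, type code 4, length, 32-bit value) follows the BGP-4 path attribute format.

```python
# Added example (not code from the original post): encode/decode the
# MULTI_EXIT_DISC path attribute and model the two behaviours for 2^32-1.
# Path names and MED values are constructed for illustration.
import struct

MED_TYPE_CODE = 4          # MULTI_EXIT_DISC
FLAG_OPTIONAL = 0x80
FLAG_TRANSITIVE = 0x40     # clear for MED: the attribute is optional NON-transitive
MED_MAX = 2**32 - 1        # 4,294,967,295


def encode_med(value: int) -> bytes:
    """Path attribute: flags, type code, one-octet length, then the unsigned 32-bit MED."""
    if not 0 <= value <= MED_MAX:
        raise ValueError("MED is an unsigned 32-bit integer")
    return bytes([FLAG_OPTIONAL, MED_TYPE_CODE, 4]) + struct.pack("!I", value)


def decode_med(attr: bytes) -> int:
    """Parse a MED attribute, rejecting a malformed one or one flagged transitive."""
    if len(attr) != 7 or attr[1] != MED_TYPE_CODE or attr[2] != 4:
        raise ValueError("not a well-formed MED attribute")
    if not (attr[0] & FLAG_OPTIONAL) or (attr[0] & FLAG_TRANSITIVE):
        raise ValueError("MED must be flagged optional and non-transitive")
    return struct.unpack("!I", attr[3:7])[0]


def effective_med(value: int, infinite_is_unusable: bool):
    """The two behaviours described for a MED of 2^32-1: either the path is
    unusable (None) or the value is rewritten to 2^32-2."""
    if value == MED_MAX:
        return None if infinite_is_unusable else MED_MAX - 1
    return value


def preferred_paths(paths, infinite_is_unusable):
    """paths: list of (name, med). Returns the names sharing the lowest usable MED;
    more than one name means the MED step alone cannot decide (a tie)."""
    usable = [(n, effective_med(m, infinite_is_unusable)) for n, m in paths]
    usable = [(n, m) for n, m in usable if m is not None]
    if not usable:
        return []
    lowest = min(m for _, m in usable)
    return [n for n, m in usable if m == lowest]


def strip_med_for_ebgp_export(attrs):
    """A receiving AS must not propagate MED across its own AS border, so drop
    the attribute on export (an AS may instead reset it, as the text notes)."""
    return [a for a in attrs if a[1] != MED_TYPE_CODE]


if __name__ == "__main__":
    paths = [("via-R1", MED_MAX), ("via-R2", MED_MAX - 1)]
    print("infinite treated as unusable:", preferred_paths(paths, True))
    print("infinite rewritten to 2^32-2:", preferred_paths(paths, False))
```

With the two constructed paths, the implementation that treats 2^32-1 as infinite picks via-R2 outright, while the one that rewrites it to 2^32-2 produces a tie between via-R1 and via-R2 that falls through to later best-path steps; neighbouring routers that disagree on this point can therefore pick different exits, which is the inconsistency the text warns about.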
We have a new feature on our All Access Pass streaming video playlists that we believe will tremendously help you in your studies – but we’ll leave you to be the judge of that. We have added the ability for you to save unlimited bookmarks (and take notes on those bookmarks) for each video playlist you have in your online, streaming All Access Pass. Please log in to your members account, then navigate to one of the streaming video playlists in order to access the new bookmark feature (i.e. you won’t see it on the sample video playlists).
Here is a sample screenshot of the new feature in action. Click to see it larger.
By the way, one other important thing to note about this new feature is that if you save a bookmark, it is not specific to the streaming quality that you chose when saving the bookmark. So if you were watching in the “High” quality and save a bookmark for a specific spot, you can always choose a different quality level (e.g. “HD”) and then click your bookmark, or vice-versa, to watch that bookmark at the different streaming quality. Also, you will be able to copy the links from those bookmarks and send them to your peers studying with you that also have an INE AAP membership, and they will be able to access that same spot to comment on something important that you found and would like to share with them. You will find the appendix to the existing video URL very similar to the way YouTube codes theirs, for easy use.
Enjoy, and be sure to tell us how you like the new feature and if or how it is helping you in your studies, in the comments section!
A while back, in May, we asked you all what you thought of adding closed captioning to all of our videos, and your response – both in comments and private emails – was overwhelmingly positive. This functionality would not only provide better assistance for those with difficulty hearing, but also give everyone the incredible ability to search anywhere within any video for a particular topic or keyword that had been spoken about in the audio track, and immediately jump to that timecode spot in the video. This would give every single minute of every video we have the ability to be searched and subsequently accessed within just a few moments, vs. having to watch the entire video over and over each time you wished to return to a particular spot in it for some remedial learning.
Well, you needn’t wait much longer.
Well I finally did it! After a year and a half of studying practically every day I am happy to say I am CCIE #27143! I am proud to say I failed the exam 4 times, I wear each one like a badge of honor. And for $1,400 each, those badges are made of a rare gold/titanium/diamond composite material, they are beautiful. My road to becoming a CCIE had many unexpected twists and turns. I got my CCNA back in 2002. I studied for 2 months and passed it on my 1st try, so I must be pretty darn good right? Well in 2005 I decided to try for my CCNP. I soon discovered I had let my CCNA expire, so I had to retake that first. Within 6 months I passed the CCNA and all 4 CCNP tests, so I must be the man right? Then I got my first real networking job and soon discovered that I was truly just a paper champion and had no clue how to design or configure anything. I learned on the job and quickly got up to speed.
Tags: Shared Success
When we ask students “what are your weakest areas” or “what are your biggest areas of concern” for the CCIE Lab Exam, we almost always hear non-core topics like Multicast, Security, QoS, BGP, etc. As such, INE has responded with a series of bootcamps focused on these disciplines.
The IPv4/IPv6 Multicast 3-Day live, online bootcamp, and the associated Class On-Demand version seeks to address the often confounding subject of Multicast. Detailed coverage of Multicast topics for the following certifications is provided:
Cisco Certified Network Professional (CCNP)
Cisco Certified Design Associate (CCDA)
Cisco Certified Design Professional (CCDP)
Cisco Certified Design Expert (CCDE)
Cisco Certified Internetwork Expert Routing & Switching (CCIE R&S)
Cisco Certified Internetwork Expert Service Provider (CCIE Service Provider)
Cisco Certified Internetwork Expert Security (CCIE Security)
To purchase the live and on-demand versions of the course for an amazing $295, just click here. The live course runs 11 AM to 6 PM EST US on September 29, 30, and October 1.
The preliminary course outline is as follows:
- Module 1 Introduction to Multicast
Lesson 1 The Need for Multicast
Lesson 2 Multicast Traffic Characteristics and Behavior
Lesson 3 Multicast Addressing
Lesson 4 IGMP
Lesson 5 Protocol Independent Multicast
- Module 2 IGMP
Lesson 1 IGMP Version 1
Lesson 2 IGMP Version 2
Lesson 3 IGMP Version 3
Lesson 4 CGMP
Lesson 5 IGMP Snooping
Lesson 6 IGMP Optimization
Lesson 7 IGMP Security
Lesson 8 Advanced IGMP Mechanisms
Take the latest SWITCH Command Recall exam by clicking the link below. Good luck – and let us know how you scored in the comments area of this post.
Remember to read, AND TYPE, very carefully! I failed my first attempt due to just plain sloppiness.