00:00:00 - Now that we've talked about VPN connections, we can move
00:00:04 - into the second category of WAN links, and that is leased
00:00:07 - lines. Now leased lines were something that we talked about in
00:00:11 - the ICND 1 series. It was actually the only WAN link that
00:00:15 - we talked about in ICND 1 because ICND 1 was geared
00:00:19 - around the small business world, where WAN links are a rare occasion.
00:00:23 - Most small businesses have a single site and just a basic internet
00:00:27 - connection. So what I'd like to do as we get into ICND 2
00:00:30 - is do a little bit of review. I know it may have been a while since you
00:00:33 - saw the leased lines in ICND 1, and it is at the end
00:00:36 - of the series in ICND 1 so I realize that there may
00:00:39 - also have been a lot of information going through your head by that
00:00:42 - point. So we'll do a brief review of what leased lines and point-to-point
00:00:46 - connections are all about, both at the layer one and layer
00:00:49 - two. Then we'll get into the configuration. The beauty of leased
00:00:53 - lines is that they are very easy to configure. Actually, if you've
00:00:57 - got two CISCO routers on both sides, there's virtually nothing
00:01:00 - to it. But we're going to go a little beyond that, talk about
00:01:03 - configuring them for PPP, which is the point-to-point protocol, and
00:01:06 - then we'll add on top of that PPP authentication.
00:01:11 - I'd first like to review some of the physical links that are
00:01:14 - in our WAN technology. What I have here is almost like a mini
00:01:18 - flow chart of how WAN connections look and how they
00:01:22 - physically connect in your environment. Up at the top here is, I guess, the
00:01:25 - starting point, which is a CISCO -- this is a 2600
00:01:28 - series router. Now on the back of that you can see that that
00:01:31 - yellow link right there, that is our Ethernet port, and that connects to the
00:01:35 - LAN. Right here is the WAN port, or I guess you could say
00:01:40 - a WIC slot; that stands for WAN interface card. Now you actually
00:01:45 - can put one of three different cards inside of that slot,
00:01:48 - and there's even more than what I'm showing here but these
00:01:50 - are the most common. Right here are the traditional serial port
00:01:54 - connections. The one on the left is known as a WIC 1T,
00:01:57 - which is the old serial style connector. It's still all
00:02:01 - over the place, though. It's
00:02:02 - of those. The one right here, this is known as the WIC 2T.
00:02:06 - They re-engineered their serial interface connection on
00:02:09 - CISCO routers to where they can get two WAN interfaces per
00:02:13 - slot. Pretty powerful. Now let's first talk about these two
00:02:16 - interfaces. If you purchase one of these cards and you've
00:02:20 - purchased a leased line -- let me just get a brief drawing over here. Let's say that
00:02:23 - you have a router and that is supposed to connect to another
00:00:27 - router in Texas, and we'll say this router's in Arizona, where
00:00:31 - I am. Now that router connects to the LAN over here. Now this
00:02:35 - router we would plug in right here. This is the physical view
00:02:38 - of my logical diagram down here. We would plug in one of these WAN
00:02:41 - ports, and that WAN port would then require a specialized
00:02:45 - cable. This is known as a DB-60 connector, which would
00:02:50 - connect to that WAN interface over there on the left. Now that
00:02:53 - will then have that
00:02:56 - cable that runs to a -- well, it looks very odd. You see the
00:03:02 - interface connection type right over there. That's actually
00:03:05 - known as a V.35 connector. That will connect
00:03:09 - from your CISCO router, that's the CISCO end of the connection,
00:03:12 - to this device which is known as a CSU/DSU.
00:03:17 - These have been around for decades and those are the devices that
00:03:20 - manage the WAN connections. They set the pace, the clock rate;
00:03:24 - they
00:03:26 - do error checking on the WAN line. They're pretty expensive
00:03:29 - but they really just convert from the V.35
00:03:34 - or -- there are actually five different types of CSU/DSU
00:03:37 - physical connections. This is just one of them. It converts from
00:03:40 - that kind of connector to a -- it looks like just a standard Ethernet
00:03:44 - jack that the service provider installs. So if you're looking
00:03:47 - for a little simpler flow, you have the wall of your building
00:03:51 - right here. Outside is the grass and the trees that are growing,
00:03:56 - you know, outside. The service provider comes in, trenches under
00:03:59 - the land, and marks this wall as the demarc, the
00:04:03 - demarcation point. That's where their responsibility passes.
00:04:07 - They install a wall jack and they say, if anything on the right
00:04:10 - side of that wall jack breaks, we'll pay for it. And if anything
00:04:12 - on the left breaks, you'll pay for it. You run that cable, you can
00:04:15 - see from that wall jack, little yellow cable to the CSU/DSU.
00:04:19 - CSU/DSU gets one of these specialized serial interfaces
00:04:23 - or serial cables. You buy those from CISCO for a hundred
00:04:26 - bucks or eBay for 10 bucks, and that will allow you to connect from the
00:04:30 - CSU/DSU to the serial interface and you buy the correct
00:04:33 - cable depending on what kind of WIC card you have, and that
00:04:36 - is what brings up your serial link.
00:04:39 - Now you see up here another physical option, which is to take
00:04:42 - a built-in CSU/DSU. Technology has advanced.
00:04:47 - Like I said, these have been around for decades. They've figured out
00:04:51 - how to put all the functions of a CSU/DSU on
00:04:53 - this little card. So if we were to be able to zoom into
00:04:57 - that blue writing it actually says, T1 CSU/DSU
00:05:01 - right on there.
00:05:03 - That means it has a built-in one. That allows you to run the cable
00:05:06 - from the wall jack straight into this interface on your router.
00:05:10 - Pretty fancy. So those are the physical connections of what
00:05:14 - serial leased lines look like.
00:05:17 - In addition to defining a new physical layer connectivity, the
00:05:22 - WAN connections and WAN links define a new data link connectivity
00:05:26 - as well. It blows people's minds when they first find out that in
00:05:30 - the WAN world, the Wide Area Network world, there are no MAC
00:05:33 - addresses. What? How does that work? You
00:05:39 - know, is the traditional response, because we're so used to working
00:05:43 - with Ethernet where in Ethernet we have MAC addresses. But MAC addresses are
00:05:48 - only Ethernet technology. In the WAN world, we have all
00:05:53 - kinds of different Layer 2 addresses, depending on the WAN link
00:05:56 - you're using. For instance, if you have frame relay, which we'll
00:05:59 - talk about a little bit later, DLCIs are the Layer 2 address. DLCI
00:06:03 - essentially fills the role of the MAC address. And in
00:06:06 - ATM, you have something known as a -- actually it's a VPI/VCI
00:06:11 - pair, and that replaces the MAC address. In every kind of
00:06:16 - WAN technology there's some other kind of Layer 2 addresses
00:06:19 - and Layer 2 system that it uses to communicate with the other
00:06:23 - side. Now ATM we're not going to talk about at the
00:06:27 - CCNA level, that's actually a more specialized thing and it's
00:06:31 - part of the CCNP track. Frame relay we will, but in here we're going
00:06:34 - to talk about the two
00:06:37 - leased line data link protocols, and that is PPP and HDLC.
00:06:43 - PPP and HDLC are the two languages that you can speak
00:06:47 - when you speak to another router over a WAN link.
00:06:51 - Now remember, we're just doing a technology shift here. So far, in everything
00:06:56 - that we've talked about in this series and the previous series,
00:06:58 - all of the language that we spoke was Ethernet, and that's
00:07:01 - what allows me to plug a PC into a switch and it can talk to
00:07:05 - a server or some other device plugged into the same switch.
00:07:08 - That's all using the language of Ethernet, a LAN language. Now
00:07:12 - that we've moved into the WAN, as we look at our leased
00:07:15 - lines we have two different types of WAN languages that we
00:07:18 - can use between routers that are connected on a WAN link.
00:07:24 - HDLC is the default on all CISCO routers. Meaning when you put
00:07:29 - that serial card into the router and turn it on, by default
00:07:32 - it's going to be talking HDLC. The beauty of HDLC is that
00:07:37 - it has extremely low overhead, which means it's pretty fast.
00:07:41 - It's not going to congest the link with all kinds of stuff
00:07:45 - it's adding in the header. It just says, okay, I will work. And the beauty
00:07:49 - of HDLC is in its simplicity. If you have a CISCO router
00:07:53 - on one side and a CISCO router on the other side, and you plug
00:07:56 - in that WAN cable that connects to the service provider -- remember
00:07:59 - this is logical. We have our wall, then in the middle of this
00:08:02 - is the service provider and hundreds and thousands of miles between
00:08:05 - these two and then another wall and a wall jack and all of
00:08:08 - that. When you plug your cables together, it just works. As long
00:08:13 - as the service provider has done their side and everything's working
00:08:16 - in the middle, there's no configuration necessary. You just put
00:08:19 - an IP address on each serial interface that is in the same
00:08:23 - subnet and you're good to go.
00:08:25 - The disadvantage of HDLC is this and that. It is CISCO
00:08:32 - proprietary, which means it only works if you have two CISCO
00:08:35 - routers and it has no features at all.
00:08:39 - Meaning if you're looking for it to do some kind of spizazzy
00:08:42 - thing, which we'll look at with PPP in just a moment, on your
00:08:45 - WAN link it can't do it. That's why we have PPP. This is our
00:08:51 - second choice. If we want to convert over and run PPP, it's just
00:08:56 - one command -- and we'll see that in the next slide -- one command
00:08:59 - that you type in and your routers are now running the point
00:09:02 - to point protocol. The beauty of PPP is that it's industry standard,
00:09:07 - so I can have a CISCO router here connected to --
00:09:11 - we'll just throw out Juniper, a company I have been very impressed
00:09:15 - with lately. A Juniper router on the other side and they can both
00:09:19 - speak PPP and it will work just fine. You have moderate overhead,
00:09:24 - which means it's not high overhead, it's not really going to bog your
00:09:26 - WAN link down to use PPP. As a matter of fact, if you don't
00:09:30 - turn on any of the features then you're really nearly equivalent
00:09:34 - to HDLC. So it's not too much overhead, but PPP is feature-rific.
00:09:42 - As a matter of fact, there are four major features it supports. Number
00:09:45 - one is what we're going to set up in here -- authentication.
00:09:50 - That means that you can add a username and password to your
00:09:54 - WAN link and the other side must provide that. Now on leased
00:09:57 - lines you can do it, and we're going to set it up in here. It's
00:10:00 - not very common, though, because the only way somebody is getting
00:10:05 - on this leased line is if they walk in the building over here
00:10:08 - you know, kick over the administrator and tie him up in a
00:10:11 - chair on the side and pull the Juniper router off the WAN link and
00:10:15 - put their own router on.
00:10:16 - In that case, you're not so much concerned with them getting
00:10:19 - into your network as you are the administrator tied up in
00:10:22 - the office over there. So it's not very common that people put
00:10:26 - authentication on WAN links, but PPP can run over just about
00:10:30 - any type of WAN connection, like modems. When somebody dials
00:10:35 - into your network, if it's just connected to a phone line, you
00:10:38 - want to make sure that you prompt them for username and password
00:10:41 - because if not, they're just going to dial a phone number and
00:10:45 - they're in. So that's where authentication comes in very handy.
00:10:48 - Second -- compression.
00:10:52 - You can make a trade-off on your router where you trade some
00:10:56 - processor cycles, meaning you're going to cause your processor to get
00:11:01 - used a little bit more on your router, for bandwidth. Because
00:11:04 - what will happen when you turn on compression is as data is
00:11:07 - sent from your LAN through the router and on the WAN, it's
00:11:12 - smushing it down. If you think of a zip file, that's the same concept.
00:11:16 - It's smushing down data as it goes over the WAN, and when reaches
00:11:19 - the other side it unsmushes it so you have the full file
00:11:24 - there again. Now the great idea about compression is that you
00:11:27 - actually use less WAN bandwidth to send the same amount
00:11:32 - of data. You're just smushing it down before you send it. The
00:11:35 - problem with compression is it can eat up quite a few processor
00:11:38 - cycles, so if your router's already bogged down and you turn that
00:11:41 - on, you've doomed it. It's going to crash or it's going
00:11:44 - to be overwhelmed because compression can eat up quite
00:11:48 - a bit, depending on how busy that WAN link is. Third one
00:11:52 - is called callback.
00:11:54 - This is primarily used on modems, and when you dial into the
00:11:58 - modem and authenticate, meaning type in your username and password,
00:12:02 - the router immediately hangs up on you
00:12:05 - and dials you back at a pre-defined number. That's pretty secure
00:12:10 - in the sense that
00:12:11 - that ensures that somebody can't just steal your username
00:12:15 - and password and dial in from some other location. If you have maybe
00:12:19 - a home that you dial in from, that is the only location or only
00:12:23 - phone number that's allowed to dial in, because the router
00:12:25 - will dial you right back. It's also good because you consolidate
00:12:28 - long distance. Like if I was dialing in and making a long distance
00:12:32 - call to dial up to a network, I could have it hang up and
00:12:36 - the company foots the bill and they'll call from their corporate
00:12:39 - center where they probably get cheaper long distance rates
00:12:41 - than you do at home. Last but not least is the most famous feature
00:12:45 - PPP is known for:
00:12:48 - multilink. Multilink is a system that you can employ that
00:12:55 - allows you to combine the bandwidth of multiple WAN connections
00:12:59 - into one. In recent years, the price of dedicated T1 lines has
00:13:04 - gone down. But T1 doesn't give you too much bandwidth; it's just
00:13:07 - 1.544 Mbps. So you could add
00:13:10 - a second T1 and a third T1. And what multilink allows
00:13:15 - you to do is bundle all of them together and combine the bandwidth
00:13:20 - into one. So it would be 1.5 Mbps
00:13:23 - times three, so you're at about 4.5 Mbps.
00:13:29 - Multilink exactly load balances over all of these. I don't know if
00:13:34 - that was the best way to say that, but it is precise load balancing
00:13:38 - where, to the bit, every single WAN link will get the same amount
00:13:42 - of data sent across it. And that's what's truly combines the bandwidth
00:13:45 - into one.
00:13:48 - Now let's turn our attention to the configuration of PPP. We're running
00:13:53 - HDLC right now, and my focus is going to be on this
00:13:57 - WAN link between router two and router three. I set that up
00:14:01 - just connecting the two using a -- well, it's a serial crossover cable
00:14:05 - which is used to simulate a leased line environment. But this
00:14:09 - is exactly how it would work if you were connecting using a service
00:14:12 - provider between these two offices. So let's hop on
00:14:16 - over to router three
00:14:19 - and let me just clear this off. I was doing a little verification
00:14:23 - beforehand. On router three I'm going to do a show IP interface brief,
00:14:29 - and we can see this is the router in the branch office over
00:14:32 - here with all the loopbacks that we were using for the previous
00:14:35 - videos. Right here is our serial 0/0 interface, and
00:14:39 - I'm going to type in show run interface. We can focus it in on just interface
00:14:44 - serial 0/0. That filters the running config down to just
00:14:47 - that. Underneath interface serial 0/0 I see the IP address, that
00:14:51 - we have a summary route that we were using when we set up EIGRP,
00:14:54 - and no fair-queue, which is there by default. That's a
00:14:58 - quality of service mechanism. I don't see anything about
00:15:02 - PPP or HDLC. So to really see what it's configured as, I need to type
00:15:08 - in show interface serial 0/0.
00:15:12 - Underneath here
00:15:14 - I can see serial 0/0 is up, line protocol is up, that's good. Right
00:15:18 - here -- encapsulation HDLC. That's the default. As a matter
00:15:27 - of fact, if I go underneath that serial 0/0 interface and type
00:15:27 - in encapsulation HDLC, that's the default command so
00:15:32 - I will not see that in the show run. I don't know if you've gotten used to that
00:15:36 - yet, but when you're looking at the running config, it actually
00:15:39 - will filter out commands that are typically there by default.
00:15:43 - Just like you look under serial 0/0, we had to type
00:15:46 - at some point no shutdown to bring that link up. But you don't
00:15:50 - see the no shutdown command; you only see if it's shut down because
00:15:53 - it's assumed not to be shut down by default. So we've got router
00:15:59 - three running and router two is the identical configuration.
00:16:02 - Let me jump over to there. There we go, router two.
00:16:07 - I'm going to do a show IP interface brief just to make
00:16:13 - sure I see my interface. It is serial 0/1/0.
00:16:17 - I'll do the same command here, show run and serial 0/1/0
00:16:22 - Oh, forgot the interface. Show run interface. There we go, it looks
00:16:27 - very similar, besides it's a DCE circuit, so it's setting the
00:16:31 - clock rate in a lab environment. And I do a show interface serial
00:16:36 - 0/1/0 and verify once again that is also running
00:16:40 - HDLC. So the initial PPP configuration I'm going to do is very
00:16:44 - simple: turning it on. I'm going to go on router two under interface serial
00:16:49 - 0/1/0, that's our link over to router three, and type in the
00:16:53 - command encapsulation. And you can see I have plenty of options
00:16:56 - but really the only two that work on point-to-point circuits
00:16:59 - are HDLC and PPP.
00:17:03 - As soon as I type that, I've changed the data link language
00:17:07 - for that serial interface. Now look what happens if I do
00:17:11 - a show IP interface brief.
00:17:14 - I see my serial 0/1. It shows it's up, and remember this
00:17:18 - first column, the status, represents physical. It's physically up, there's clocking
00:17:23 - on the line. I've got a cable connected. We're communicating
00:17:26 - physically, but this represents the data link layer. Data link
00:17:30 - layer is currently down because R2 is PPP, R3 is
00:17:35 - HDLC. So I'll jump over there. I got my numbers off here. Jump over to router
00:17:39 - three and fix it. Do the show IP interface brief here, I noticed
00:17:43 - that serial 0/0 is in the same state.
00:17:52 - Encapsulation, PPP. Give it a few moments and we should see
00:17:57 - that interface come back online. There we go. You see the
00:18:01 - line protocol right here has changed to up, and we got our EIGRP
00:18:07 - neighbor back. Go back and do our show IP interface
00:18:10 - and you see we're communicating. Show interface serial 0/0
00:18:13 - is now running PPP. You can see that we're now communicating
00:18:18 - using the industry standard language, and that's all there is
00:18:22 - to it. If you were connecting to a non-CISCO router over a
00:18:25 - WAN link and all you wanted to do was run base PPP, that's the
00:18:29 - only command you would have to type. You can see LCP is open. That's
00:18:34 - the link control protocol. That's what negotiates the PPP features.
00:18:38 - If there was some kind of problem with, for instance, authentication
00:18:42 - compression, multilink where they couldn't negotiate and figure
00:18:46 - out common ground or a wrong password is typed in, it would say
00:18:50 - LCP closed because LCP handles all those features. You can
00:18:55 - see also right here, open IPCP, CDPCP. PPP uses things known as
00:19:01 - control protocols. So when you see IPCP, you're seeing the
00:19:06 - IP control protocol. That is what allows the TCP/IP,
00:19:11 - the IP protocol, to work over a PPP link. CDPCP is the CISCO
00:19:17 - discovery protocol control protocol. That's what allows CDP. Remember
00:19:21 - this? Show CDP neighbors. That allows it to work over a WAN link
00:19:25 - so I can still see my neighbor even though they're using a
00:19:27 - PPP connection.
00:19:29 - Cool. So that's the base configuration of PPP. Now let's add
00:19:34 - authentication. There are two types of PPP authentication that
00:19:39 - have been developed over the years. The old one is known as PAP,
00:19:44 - the password authentication protocol. The new one is known as
00:19:48 - CHAP, the challenge handshake authentication protocol.
00:19:53 - PAP is very rarely used. As a matter of fact, I can with near perfect
00:19:58 - confidence say you will never see PAP used anymore. And
00:20:02 - the reason why is the username and password, when they're
00:20:06 - sent, are sent in clear text. So if someone had some kind of packet
00:20:10 - sniffer between these two routers, they would be able to see
00:20:13 - the username and password come right across, open up the packet
00:20:16 - go, oh, that's what they're using. So PAP is just not used anymore.
00:20:21 - Nowadays people use CHAP, the challenge handshake authentication
00:20:25 - protocol. Now without getting too deep into it, what CHAP does
00:20:29 - is never actually send the password over the wire. It's a little
00:20:34 - weird. It'll send username but not the password. It will
00:20:38 - send a password hash. So here's the idea. The way CHAP works
00:20:42 - is not through encryption, but through hashing. There's
00:20:47 - a big difference between those two and it took me a long time
00:20:49 - myself to come to an understanding of what that meant. Because
00:20:53 - encryption and hashing accomplish the same goal but in very different
00:20:57 - ways. Encryption -- if you were to say encryption, you would be
00:21:01 - talking about something that takes the data, let's say this
00:21:03 - is the data, ENC, and runs it through a mathematical formula so
00:21:08 - it's all scrambled when it comes out. It's just, you know, it looks like a
00:21:12 - swear word. It's just a scrambled mess of that original thing
00:21:18 - that was sent. So if somebody captures that, unless they have the
00:21:22 - decryption formula they can't figure it out. So a decryption
00:21:27 - formula would come in and say, okay, well let's
00:21:31 - put this back into that mathematical formula and spit out ENC
00:21:34 - that was originally what is sent. Hashing.
00:21:39 - Hashing is very different because it uses an irreversible
00:21:45 - formula
00:21:47 - to scramble the data. Here's what I mean. Let's say HASH is
00:21:52 - the data that's sent.
00:21:54 - It will put that word, HASH, that's the data, through some
00:21:59 - super complex mathematical formula and will end up with
00:22:04 - an answer, you know, 596AB9621.
00:22:11 - The answer is what is sent across the wire. Now in router two, if
00:22:16 - these two are authenticating, when router two gets that
00:22:20 - answer, when it gets the hash, it will not be able to decrypt that
00:22:24 - because remember, this isn't encryption, it's hashing. The only
00:22:29 - way it can know if this is valid or not is if it has the
00:22:33 - same thing typed in on this side and it can run it through
00:22:36 - that irreversible formula and the answer will come out to
00:22:40 - be the same.
00:22:41 - So this brings up a big point.
00:22:44 - CHAP does not use encryption; it uses hashing.
00:22:49 - In order for it to work correctly, we must type in the same
00:22:54 - password on both sides. Because all it will send across is the
00:22:58 - hash of the password. Like I said, the password is never actually
00:23:02 - sent and when I didn't understand what hashing was all about,
00:23:06 - I didn't understand that statement. Well, how do they know if they got the right
00:23:09 - password if you never actually send the password. But they
00:23:12 - don't. They just send the hash of the password, the result of
00:23:16 - some mathematical formula with this hash plugged in there, that
00:23:19 - data, and it gets to the other side. It looks at the answer and
00:23:23 - says, well, I can't reverse engineer that, I can't quote unquote
00:23:27 - "decrypt" a hash. So let's say, let's say this. Let me give you an example.
00:23:31 - If I wanted to have authentication going between router two
00:23:35 - and router three, I would have to type in the same password
00:23:38 - on both sides. We'll say the password is CISCO.
00:23:43 - Password is CISCO. Once I have that typed in both sides,
00:23:48 - this one, if it needs to authenticate to the other side, will
00:23:51 - run this through a hash. It's technically known as an MD5
00:23:57 - hash. So it will hash that up, come up with some
00:24:02 - gobbledy gook answer, take that answer -- this is my gobbledy gook --
00:24:04 - send it across the wire. Router two gets the answer, has the
00:24:08 - same password typed in, runs that through the same irreversible
00:24:12 - formula, the MD5 hash, and comes out with its answer,
00:24:16 - compares its gobbledy gook to that gobbledy gook and says, oh,
00:24:20 - they're the same. We must be using the same password, thus we
00:24:24 - are authenticated.
00:24:27 - Side note -- this is why when you go onto a router -- let me move my window
00:24:32 - back in here -- and you do a, let me do a show run. No, no, no, no, no, no.
00:24:38 - Let me do this. I'll do enable password CISCO1.
00:24:45 - Service password encryption.
00:24:50 - Now I'm going to do a show run.
00:24:54 - When you're looking right here, think back to ICND1.
00:24:57 - You remember the difference between enable password and
00:25:00 - enable secret? The enable password was the one that stored in
00:25:03 - clear text. At least it was until I typed in service password encryption.
00:25:08 - This is an encrypted version of the enable password, an encrypted
00:25:14 - version of CISCO1. Now hold on one second.
00:25:20 - I'm going to go to Google.com, Google, and type in
00:25:25 - break CISCO -- you can see I've done this before -- break CISCO password.
00:25:30 - Google search.
00:25:32 - Right here, the CISCO password cracker. It's the first hit. Go ahead and click
00:25:36 - on that bad boy. Look at that. Type seven password. I look over here.
00:25:39 - My enable password is a type seven password. If I take this,
00:25:46 - copy it to my clipboard and paste it into this website, paste it into
00:25:52 - the website, are you following me here?
00:25:54 - Hit crack, oh. What's the moral of the story, I love it. Don't
00:25:59 - use it. Don't use that because this is encryption. Encryption
00:26:04 - can be broken because you can always reverse the formula. You
00:26:08 - can do a decryption formula, which is exactly what that
00:26:11 - website does. Notice enable secret five. A lot of people think
00:26:15 - oh, well five isn't as good as seven because it's a smaller
00:26:17 - number. Five represents MD5 hashing. When you're
00:26:22 - using your enable secret, this is a hash of whatever your
00:26:27 - enable secret is. You cannot reverse engineer that. So if somebody
00:26:31 - gets that hash, the only way that they can break through it
00:26:35 - is through a brute force attack. And what that means is they
00:26:39 - will use a program that will start trying passwords. It'll start
00:26:42 - with maybe the number one, two, three, four, five, and it generates
00:26:45 - what hash the number one would generate, compares it and says,
00:26:48 - is that the same, no, must not be that one. A good program -- not good,
00:26:52 - but a program that you can use to do that is known as Cain
00:26:56 - and Abel. If you go to Google and search for Cain and Abel, that's a
00:26:59 - program that will do a brute force attack of an MD5
00:27:02 - hash, but it can't reverse engineer this. All it can do is keep trying
00:27:05 - different combinations to see if it can come up with the same
00:27:08 - hash as that. If you make your password long enough, you'll
00:27:11 - never be able to do that. So that's the big difference. And I know I've
00:27:14 - talked a little longer on that but I want you to know how good
00:27:19 - CHAP really is. CHAP is using that MD5 hash
00:27:24 - which makes it virtually -- you know, I knock on wood when I say
00:27:28 - this -- unbreakable until some other 12-year-old Swedish
00:27:32 - girl comes along to break through this. But that's the
00:27:35 - idea of CHAP. Now that's the concept, let's configure it.
00:27:39 - There are really two steps to configure PPP authentication:
00:27:44 - create a user account and then turn it on. I'm going to reverse those
00:27:48 - steps because I want you to see what happens when authentication
00:27:51 - isn't working correctly. I'm on router three, which is our far
00:27:55 - end router. I'm going to go under that serial 0/0 interface
00:28:02 - and type in the command to turn on authentication. It is PPP authentication
00:28:07 - and then what kind of authentication you would like to use.
00:28:11 - Now our routers between each other use CHAP or PAP, and I mentioned
00:28:15 - PAP is no longer used by anyone. So we can use CHAP.
00:28:20 - Now you notice a few others in here like EAP. I'm not even going to touch that
00:28:23 - one; that moves into some newer technology out there. Some
00:28:27 - people call it 802.1x. It's a newer type of
00:28:31 - authentication, it's pretty fancy. Down here we have MS-CHAP
00:28:34 - and MS-CHAP-V2.
00:28:37 - Microsoft came out with their own versions of CHAP. So if
00:28:40 - you're dialing up to a router using a Microsoft Windows client,
00:28:44 - you'll have to use MS-CHAP or MS-CHAP-V2
00:28:47 - which is a little more secure. But we're authenticating our routers,
00:28:50 - so I'll just type in PPP authentication, CHAP. That is what I would like to use. Now
00:28:55 - as soon as I do that, you notice that my line protocol on my
00:28:58 - serial interface just went down. The link died. If I go back
00:29:02 - and do a show interface serial 0/0,
00:29:07 - you notice it says encapsulation is still PPP, but LCP TERMsent. That
00:29:13 - means the termination signal was sent. I, router three, sent
00:29:18 - a termination signal to the other side because I was told by
00:29:22 - the administrator to require CHAP authentication. The other
00:29:26 - side wasn't prepared to handle that, so you are terminated, you're
00:29:29 - not successfully authenticating to this router. What we need
00:29:34 - to do, and what we should have done before that, is create user
00:29:42 - accounts. By default, when I have routers that are going
00:29:42 - to speak to each other, router two will come across and say,
00:29:46 - hello, I am router two,
00:29:49 - as my username. My password is the gobbledy gook,
00:29:55 - the hash that's generated by CHAP. Now router three is going
00:29:59 - to look at its user database and say, okay, do I have a user
00:30:03 - account defined for router two? And if so, what's router two's
00:30:07 - password that's tacked on to that user account? Let's say, I'll put
00:30:11 - CISCO as the password. It will hash up that password and say,
00:30:14 - okay, well based on the user account I have for router two on
00:30:18 - my router, I came up with this gobbledygook. Does it match the
00:30:21 - gobbledygook that router two sent me? Do these hashes match? If so, that
00:30:27 - is a successful authentication. So let me show you how to create
00:30:30 - the user account.
00:30:32 - I'm going to go on router three. I'm going to type in username R2, password
00:30:40 - CISCO.
00:30:43 - Notice I'm in global config mode. I typed in username, this is
00:30:47 - the host name of the router that's coming in R2, and its
00:30:50 - password that it should be sending is CISCO. But remember, it won't be
00:30:53 - sending you that password, it will be a hashed version of that. So router three,
00:30:57 - you must hash that in order to get the other side. Now when we're
00:31:00 - doing PPP authentication on a leased line, it actually does
00:31:05 - something known as two-way hash. Meaning the routers will authenticate
00:31:11 - each other. Router three will have to supply a username and
00:31:15 - hash to router two, and router two will have to supply a username
00:31:18 - and hash to router three. They both check to make sure they have
00:31:21 - the right passwords.
00:31:23 - If so, then they are good to go. Now the way that two-way hash
00:31:27 - works on a CISCO router is both sides must be configured with
00:31:33 - the same password. So when I go over to router three -- or sorry,
00:31:38 - router two. Router three is done. I'm going to hop over to router two,
00:31:44 - go into global config mode. I'm going to do the exact mirrored configuration.
00:31:47 - Username: R3. Password: CISCO. This password must match.
00:31:55 - Oh, look at that. You see it come up? It must match the password that
00:32:01 - router two -- or sorry, router three has for router two. If these are
00:32:05 - different, the authentication will fail. So last thing I'm going to do on
00:32:09 - router two is go under that serial interface and type in PPP authentication
00:32:15 - CHAP. We now have successful authentication going between each
00:32:19 - other. Let me show you how you can see this happen.
00:32:25 - I'm going to type in debug PPP authentication.
00:32:29 - That will let me watch these two routers authenticate each other.
00:32:32 - Now it's already done, meaning the line is up, they've
00:32:35 - authenticated, so what I'm going to do is cause a catastrophic
00:32:39 - network failure and shut down serial 0/1/0.
00:32:43 - That will force the interface to go down, go into
00:32:46 - administratively down state, and when I do a no shutdown,
00:32:50 - the PPP will have to authenticate between these two again
00:32:52 - and we can watch it happen. So I'll do a no shut, exit
00:32:56 - back out here. There we go.
00:32:59 - See what happened here? It says, PPP using default call direction.
00:33:03 - This is a dedicated line. Oh, I have noticed authorization is
00:33:07 - required, so I will send a challenge. It says, there is a challenge
00:33:11 - from router two. This is being sent from router two to router
00:33:15 - three. At the same time it received the challenge from
00:33:19 - router three. So they're challenging each other. Do you see the
00:33:23 - two-way hash happening here, or the two-way authentication? They
00:33:26 - both challenged each other. They said using the host name from
00:33:30 - an unknown source, using the password from AAA, that's the local
00:33:33 - user database. So we have challenge, we responded to the challenge,
00:33:37 - router two responds to router three and router three responds to router
00:33:41 - two. Receives the login, the host name, and the password hash,
00:33:46 - sends the user requests and we won't get into what that
00:33:50 - is. But down here you can see success. We have success. The challenge
00:33:55 - is working between these two and they have successfully authenticated.
00:33:59 - If one of those passwords is mismatched, you'll see a failure
00:34:03 - and the link will never come online.
00:34:06 - That is the theory and practical configuration of PPP authentication.
00:34:12 - So let's wrap up. We saw first off a review of the point-to-point
00:34:16 - protocols, looking at the physical layers with serial interfaces
00:34:21 - and the data link layer of HDLC and PPP. We then got into the
00:34:26 - configuration of WAN links, looking at the initial HDLC,
00:34:29 - converting to PPP, and then adding PPP authentication
00:34:33 - on top of it using CHAP. I hope this has been informative for
00:34:37 - you and I'd like to thank you for viewing.