Cisco CCNA certification proves your professional worth. It tells prospective employers that you can handle the day-to-day work of running a mid- to large-sized Cisco network.

The two-exam CCNA process covers lots of innovative features, which better reflect the skills and knowledge you'll need on the job. Passing both exams is your first step towards higher-level Cisco certification, and trainer Jeremy Cioara has mapped these CCNA training videos to the 640-816 test. This CCNA training is not to be missed.

Here's how one user described Jeremy's training: "By the way, Jeremy Cioara has to be by far one of the BEST Cisco trainers I have ever had the privilege to learn from overall. He not only keeps your attention but his energy is contagious and he provides the information at a level where you grasp it rather easily."

The last day to take the 640-816 exam is Sept. 30, 2013. After that date, the only ICND2 exam available will be 200-101. CBT Nuggets has a training course for the 200-101 exam here.

1. Review: Rebuilding the Small Office Network, Part 1 (33 min)
2. Review: Rebuilding the Small Office Network, Part 2 (28 min)
3. Review: Rebuilding the Small Office Network, Part 3 (23 min)
4. Switch VLANs: Understanding VLANs (16 min)
5. Switch VLANs: Understanding Trunks and VTP (39 min)
6. Switch VLANs: Configuring VLANs and VTP, Part 1 (35 min)
7. Switch VLANs: Configuring VLANs and VTP, Part 2 (39 min)
8. Switch STP: Understanding the Spanning-Tree Protocol (28 min)
9. Switch STP: Configuring Basic STP (21 min)
10. Switch STP: Enhancements to STP (29 min)
11. General Switching: Troubleshooting and Security Best Practices (29 min)
12. Subnetting: Understanding VLSM (18 min)
13. Routing Protocols: Distance Vector vs. Link State (26 min)
14. Routing Protocols: OSPF Concepts (30 min)
15. Routing Protocols: OSPF Configuration and Troubleshooting (39 min)
16. Routing Protocols: EIGRP Concepts and Configuration (32 min)
17. Access-Lists: The Rules of the ACL (27 min)
18. Access-Lists: Configuring ACLs (34 min)
19. Access-Lists: Configuring ACLs, Part 2 (48 min)
20. NAT: Understanding the Three Styles of NAT (20 min)
21. NAT: Command-line NAT Configuration (35 min)
22. WAN Connections: Concepts of VPN Technology (33 min)
23. WAN Connections: Implementing PPP Authentication (34 min)
24. WAN Connections: Understanding Frame Relay (28 min)
25. WAN Connections: Configuring Frame Relay (30 min)
26. IPv6: Understanding Basic Concepts and Addressing (34 min)
27. IPv6: Configuring, Routing, and Interoperating (23 min)
28. Certification: Some Last Words for Test Takers (13 min)
29. Advanced TCP/IP: Working with Binary (25 min)
30. Advanced TCP/IP: IP Subnetting, Part 1 (55 min)
31. Advanced TCP/IP: IP Subnetting, Part 2 (22 min)
32. Advanced TCP/IP: IP Subnetting, Part 3 (19 min)

00:00:00

Now that we've talked about VPN connections, we can move into the second category of WAN links, and that is leased lines. Now leased lines were something that we talked about in the ICND 1 series. It was actually the only WAN link that we talked about in ICND 1, because ICND 1 was geared around the small business world, where WAN links are a rare occasion.

00:00:23

Most small businesses have a single site and just a basic internet connection. So what I'd like to do as we get into ICND 2 is do a little bit of review. I know it may have been a while since you saw the leased lines in ICND 1, and it is at the end of the series in ICND 1, so I realize that there may also have been a lot of information going through your head by that point. So we'll do a brief review of what leased lines and point-to-point

00:00:46

connections are all about, both at layer one and layer two. Then we'll get into the configuration. The beauty of leased lines is that they are very easy to configure. Actually, if you've got two Cisco routers on both sides, there's virtually nothing to it. But we're going to go a little beyond that, talk about

00:01:03

configuring them for PPP, which is the point-to-point protocol, and then we'll add on top of that PPP authentication. I'd first like to review some of the physical links that are in our WAN technology. What I have here is almost like a mini flow chart of how WAN connections look and how they physically connect in your environment. Up at the top here is, I guess, the

00:01:25

starting point, which is a Cisco -- this is a 2600 series router. Now on the back of that you can see that that yellow link right there, that is our Ethernet port, and that connects to the LAN. Right here is the WAN port, or I guess you could say a WIC slot; that stands for WAN interface card. Now you actually

00:01:45

can put one of three different cards inside of that slot, and there's even more than what I'm showing here, but these are the most common. Right here are the traditional serial port connections. The one on the left is known as a WIC-1T, which is the old serial style connector. It's still all

00:02:01

over the place, though. The one right here, this is known as the WIC-2T. They re-engineered their serial interface connection on Cisco routers to where they can get two WAN interfaces per slot. Pretty powerful. Now let's first talk about these two

00:02:16

interfaces. If you purchase one of these cards and you've purchased a leased line -- let me just get a brief drawing over here. Let's say that you have a router and that is supposed to connect to another router in Texas, and we'll say this router's in Arizona, where I am. Now that router connects to the LAN over here. Now this

00:02:35

router we would plug in right here. This is the physical view of my logical diagram down here. We would plug in one of these WAN ports, and that WAN port would then require a specialized cable. This is known as a DB-60 connector, which would connect to that WAN interface over there on the left. Now that

00:02:53

will then have that cable that runs to a -- well, it looks very odd. You see the interface connection type right over there. That's actually known as a V.35 connector. That will connect from your Cisco router, that's the Cisco end of the connection, to this device which is known as a CSU/DSU.

00:03:17

These have been around for decades and those are the devices that manage the WAN connections. They set the pace, the clock rate; they do error checking on the WAN line. They're pretty expensive, but they really just convert from the V.35 -- or, well, there are actually five different types of CSU/DSU physical connections; this is just one of them. It converts from

00:03:40

that kind of connector to a -- it looks like just a standard Ethernet jack that the service provider installs. So if you're looking for a little simpler flow, you have the wall of your building right here. Outside is the grass and the trees that are growing,

00:03:56

you know, outside. The service provider comes in, trenches under the land, and marks this wall as the demarc, the demarcation point. That's where their responsibility passes. They install a wall jack and they say, if anything on the right side of that wall jack breaks, we'll pay for it. And if anything

00:04:12

on the left breaks, you'll pay for it. You run that cable, you can see from that wall jack, little yellow cable to the CSU/DSU. The CSU/DSU gets one of these specialized serial interfaces or serial cables. You buy those from Cisco for a hundred bucks or on eBay for 10 bucks, and that will allow you to connect from the CSU/DSU to the serial interface. You buy the correct cable depending on what kind of WIC card you have, and that is what brings up your serial link.

00:04:39

Now you see up here the other physical option, which is to take a built-in CSU/DSU. Technology has advanced. Like I said, these have been around for decades. They've figured out how to put all the functions of a CSU/DSU on this little card. So if we were able to zoom into

00:04:57

that blue writing it actually says, T1 CSU/DSU right on there. That means it has a built-in one. That allows you to run the cable from the wall jack straight into this interface on your router. Pretty fancy. So those are the physical connections of what serial leased lines look like.

00:05:17

In addition to defining a new physical layer connectivity, the WAN connections and WAN links define a new data link connectivity as well. It blows people's minds when they first find out that in the WAN world, the Wide Area Network world, there are no MAC addresses. What? How does that work? You

00:05:39

know, is the traditional response, because we're so used to working with Ethernet, where in Ethernet we have MAC addresses. But MAC addresses are only Ethernet technology. In the WAN world, we have all kinds of different Layer 2 addresses, depending on the WAN link you're using. For instance, if you have frame relay, which we'll

00:05:59

talk about a little bit later, DLCIs are the Layer 2 address. DLCI is essentially -- it fills the role of the MAC address. In ATM, you have something known as a -- actually it's a VPI/VCI pair, and that replaces the MAC address. In every kind of WAN technology there's some other kind of Layer 2 address and Layer 2 system that it uses to communicate with the other side. Now ATM we're not going to talk about at the

00:06:27

CCNA level, that's actually a more specialized thing and it's part of the CCNP track. Frame relay we will, but in here we're going to talk about the two leased line data link protocols, and that is PPP and HDLC. PPP and HDLC are the two languages that you can speak when you speak to another router over a WAN link.

00:06:51

Now remember, we're just doing a technology shift here. So far, in everything that we've talked about in this series and the previous series, all of the language that we spoke was Ethernet, and that's what allows me to plug a PC into a switch and it can talk to a server or some other device plugged into the same switch.

00:07:08

That's all using the language of Ethernet, a LAN language. Now that we've moved into the WAN, as we look at our leased lines we have two different types of WAN languages that we can use between routers that are connected on a WAN link. HDLC is the default on all Cisco routers. Meaning when you put

00:07:29

that serial card into the router and turn it on, by default it's going to be talking HDLC. The beauty of HDLC is that it has extremely low overhead, which means it's pretty fast. It's not going to congest the link with all kinds of stuff it's adding in the header. It just says, okay, I will work. And the beauty

00:07:49

of HDLC is in its simplicity. If you have a Cisco router on one side and a Cisco router on the other side, and you plug in that WAN cable that connects to the service provider -- remember this is logical. We have our wall, then in the middle of this is the service provider and hundreds and thousands of miles between these two, and then another wall and a wall jack and all of that. When you plug your cables together, it just works. As long

00:08:13

as the service provider has done their side and everything's working in the middle, there's no configuration necessary. You just put an IP address on each serial interface that is in the same subnet and you're good to go. The disadvantage of HDLC is this and that. It is Cisco

00:08:32

proprietary, which means it only works if you have two Cisco routers, and it has no features at all. Meaning if you're looking for it to do some kind of spizazzy thing, like what we'll look at with PPP in just a moment, on your WAN link, it can't do it. That's why we have PPP. This is our

00:08:51

second choice. If we want to convert over and run PPP, it's just one command -- and we'll see that in the next slide -- one command that you type in and your routers are now running the point-to-point protocol. The beauty of PPP is that it's industry standard,

00:09:07

so I can have a Cisco router here connected to -- we'll just throw out Juniper, a company I have been very impressed with lately. A Juniper router on the other side, and they can both speak PPP and it will work just fine. You have moderate overhead, which means it's not high overhead; it's not really going to bog your WAN link down to use PPP. As a matter of fact, if you don't

00:09:30

turn on any of the features then you're really nearly equivalent to HDLC. So it's not too much overhead, but PPP is feature-rific. As a matter of fact, there are four major features it supports. Number one is what we're going to set up in here -- authentication.

00:09:50

That means that you can add a username and password to your WAN link and the other side must provide that. Now on leased lines you can do it, and we're going to set it up in here. It's not very common, though, because the only way somebody is getting on this leased line is if they walk in the building over here, you know, kick over the administrator and tie him up in a chair on the side, and pull the Juniper router off the WAN link and put their own router on.

00:10:16

In that case, you're not so much concerned with them getting into your network as you are with the administrator tied up in the office over there. So it's not very common that people put authentication on WAN links, but PPP can run over just about any type of WAN connection, like modems. When somebody dials

00:10:35

into your network, if it's just connected to a phone line, you want to make sure that you prompt them for username and password, because if not, they're just going to dial a phone number and they're in. So that's where authentication comes in very handy. Second -- compression.

00:10:52

You can make a trade-off on your router where you trade some processor cycles, meaning you're going to cause your processor to get used a little bit more on your router, for bandwidth. Because what will happen when you turn on compression is, as data is sent from your LAN through the router and on to the WAN, it's smushing it down. If you think of a zip file, that's the same concept.

00:11:16

It's smushing down data as it goes over the WAN, and when it reaches the other side it unsmushes it so you have the full file there again. Now the great idea about compression is that you actually use less WAN bandwidth to send the same amount of data. You're just smushing it down before you send it. The

00:11:35

problem with compression is it can eat up quite a few processor cycles, so if your router's already bogged down and you turn that on, you've doomed it. It's going to crash or it's going to be overwhelmed, because compression can eat up quite a bit, depending on how busy that WAN link is. Third one

00:11:52

is called callback. This is primarily used on modems, and when you dial into the modem and authenticate, meaning type in your username and password, the router immediately hangs up on you and dials you back at a pre-defined number. That's pretty secure in the sense that that ensures that somebody can't just steal your username and password and dial in from some other location. If you have maybe

00:12:19

a home that you dial in from, that is the only location or only phone number that's allowed to dial in, because the router will dial you right back. It's also good because you consolidate long distance. Like if I was dialing in and making a long distance

00:12:32

call to dial up to a network, I could have it hang up and the company foots the bill and they'll call from their corporate center where they probably get cheaper long distance rates than you do at home. Last but not least is the most famous feature PPP is known for: multilink. Multilink is a system that you can employ that

00:12:55

allows you to combine the bandwidth of multiple WAN connections into one. In recent years, the price of dedicated T1 lines has gone down. But T1 doesn't give you too much bandwidth; it's just 1.544 Mbps. So you could add a second T1 and a third T1. And what multilink allows you to do is bundle all of them together and combine the bandwidth into one. So it would be 1.5 Mbps times three, so you're at about 4.5 Mbps. Multilink exactly load balances over all of these. I don't know if

00:13:34

that was the best way to say that, but it is precise load balancing where, to the bit, every single WAN link will get the same amount of data sent across it. And that's what truly combines the bandwidth into one. Now let's turn our attention to the configuration of PPP. We're running

00:13:53

HDLC right now, and my focus is going to be on this WAN link between router two and router three. I set that up just connecting the two using a -- well, it's a serial crossover cable, which is used to simulate a leased line environment. But this is exactly how it would work if you were connecting using a service provider between these two offices. So let's hop on

00:14:16

over to router three and let me just clear this off. I was doing a little verification beforehand. On router three I'm going to do a show IP interface brief, and we can see this is the router in the branch office over here with all the loopbacks that we were using for the previous videos. Right here is our serial 0/0 interface, and I'm going to type in show run interface. We can focus it in on just interface

00:14:44

serial 0/0. That filters the running config down to just that. Underneath interface serial 0/0 I see the IP address, that we have a summary route that we were using when we set up EIGRP, and no fair-queue, which is there by default. That's a quality of service mechanism. I don't see anything about

00:15:02

PPP or HDLC. So to really see what it's configured as, I need to do a show interface serial 0/0. Underneath here I can see serial 0/0 is up, line protocol is up, that's good. Right here -- encapsulation HDLC. That's the default. As a matter of fact, if I go underneath that serial 0/0 interface and type in encapsulation HDLC, that's the default command, so I will not see that in the show run. I don't know if you've gotten used to that

00:15:36

yet, but when you're looking at the running config, it actually will filter out commands that are typically there by default. Just like you look under serial 0/0, we had to type at some point no shutdown to bring that link up. But you don't see the no shutdown command; you only see if it's shut down because it's assumed not to be shut down by default. So we've got router

00:15:59

three running, and router two is the identical configuration. Let me jump over to there. There we go, router two. I'm going to do a show IP interface brief just to make sure I see my interface. It is serial 0/1/0. I'll do the same command here, show run and serial 0/1/0. Oh, forgot the interface. Show run interface. There we go, it looks

00:16:27

very similar, besides the DCE circuit, so it's setting the clock rate in a lab environment. And I do a show interface serial 0/1/0 and verify once again that it is also running HDLC. So the initial PPP configuration I'm going to do is very simple: turning it on. I'm going to go on router two under interface serial

00:16:49

0/1/0, that's our link over to router three, and type in the command encapsulation. And you can see I have plenty of options, but really the only two that work on point-to-point circuits are HDLC and PPP. As soon as I type that, I've changed the data link language for that serial interface. Now look what happens if I do

00:17:11

a show IP interface brief. I see my serial 0/1. It shows it's up, and remember this first column, the status, represents physical. It's physically up, there's clocking on the line. I've got a cable connected. We're communicating physically, but this represents the data link layer. Data link

00:17:30

layer is currently down because R2 is PPP, R3 is HDLC. So I'll jump over there. I got my numbers off here. Jump over to router three and fix it. Do the show IP interface brief here; I notice that serial 0/0 is in the same state. Encapsulation, PPP. Give it a few moments and we should see

00:17:57

that interface come back online. There we go. You see the line protocol right here has changed to up, and we got our EIGRP neighbor back. Go back and do our show IP interface and you see we're communicating. Show interface serial 0/0 is now running PPP. You can see that we're now communicating

00:18:18

using the industry standard language, and that's all there is to it. If you were connecting to a non-Cisco router over a WAN link and all you wanted to do was run base PPP, that's the only command you would have to type. You can see LCP is open. That's the link control protocol. That's what negotiates the PPP features.

00:18:38

If there was some kind of problem with, for instance, authentication, compression, or multilink, where they couldn't negotiate and figure out common ground, or a wrong password is typed in, it would say LCP closed, because LCP handles all those features. You can

00:18:55

see also right here, open IPCP, CDPCP. PPP uses things known as control protocols. So when you see IPCP, you're seeing the IP control protocol. That is what allows TCP/IP, the IP protocol, to work over a PPP link. CDPCP is the Cisco discovery protocol control protocol. That's what allows CDP. Remember

00:19:21

this? Show CDP neighbors. That allows it to work over a WAN link so I can still see my neighbor even though they're using a PPP connection. Cool. So that's the base configuration of PPP. Now let's add authentication. There are two types of PPP authentication that

00:19:39

have been developed over the years. The old one is known as PAP, the password authentication protocol. The new one is known as CHAP, the challenge handshake authentication protocol. PAP is very rarely used. As a matter of fact, I can with near perfect confidence say you will never see PAP used anymore. And

00:20:02

the reason why is that the username and password, when sent, are sent in clear text. So if someone had some kind of packet sniffer between these two routers, they would be able to see the username and password come right across, open up the packet and go, oh, that's what they're using. So PAP is just not used anymore.

00:20:21

Nowadays people use CHAP, the challenge handshake authentication protocol. Now without getting too deep into it, what CHAP does is never actually send the password over the wire. It's a little weird. It'll send the username but not the password. It will send a password hash. So here's the idea. The way CHAP works

00:20:42

is not through encryption, but through hashing. There's a big difference between those two and it took me a long time myself to come to an understanding of what that meant. Because encryption and hashing accomplish the same goal but in very different ways. Encryption -- if you were to say encryption, you would be

00:21:01

talking about something that takes the data, let's say this is the data, ENC, and runs it through a mathematical formula so it's all scrambled when it comes out. It's just, you know, it looks like a swear word. It's just a scrambled mess of that original thing

00:21:18

that was sent. So if somebody captures that, unless they have the decryption formula they can't figure it out. So a decryption formula would come in and say, okay, well let's put this back into that mathematical formula and spit out ENC, which was originally what was sent. Hashing.

00:21:39

Hashing is very different because it uses an irreversible formula to scramble the data. Here's what I mean. Let's say HASH is the data that's sent. It will put that word, HASH, that's the data, through some super complex mathematical formula and will end up with an answer, you know, 596AB9621. The answer is what is sent across the wire. Now in router two, if

00:22:16

these two are authenticating, if router two, when router two gets that answer, when they get the hash, they will not be able to decrypt that because remember, this isn't encryption, it's hashing. The only way it can know if this is valid or not is if it has the same thing typed in on this side and it can run it through that irreversible formula and the answer will come out to be the same.

00:22:41

So this brings up a big point. CHAP does not use encryption; it uses hashing. In order for it to work correctly, we must type in the same password on both sides. Because all it will send across is the hash of the password. Like I said, the password is never actually

00:23:02

sent, and when I didn't understand what hashing was all about, I didn't understand that statement. Well, how do they know if they got the right password if you never actually send the password? But they don't. They just send the hash of the password, the result of

00:23:16

some mathematical formula with this hash plugged in there, that data, and it gets to the other side. It looks at the answer and says, well, I can't reverse engineer that; I can't quote unquote "decrypt" a hash. So let's say, let's say this. Let me give you an example.

00:23:31

If I wanted to have authentication going between router two and router three, I would have to type in the same password on both sides. We'll say the password is CISCO. Password is CISCO. Once I have that typed in both sides, this one, if it needs to authenticate to the other side, will run this through a hash. It's technically known as an MD5 hash. So it will hash that up, come up with some

00:24:02

gobbledy gook answer, take that answer -- this is my gobbledy gook -- send it across the wire. Router two gets the answer, has the same password typed in, runs that through the same irreversible formula, the MD5 hash, and comes out with its answer, compares its gobbledy gook to that gobbledy gook and says, oh, they're the same. We must be using the same password, thus we

00:24:24

are authenticated. Side note -- this is why when you go onto a router -- let me move my window back in here -- and you do a, let me do a show run. No, no, no, no, no, no. Let me do this. I'll do enable password CISCO1. Service password encryption. Now I'm going to do a show run.

00:24:54

When you're looking right here, think back to ICND1. You remember the difference between enable password and enable secret? The enable password was the one that was stored in clear text. At least it was until I typed in service password encryption. This is an encrypted version of the enable password, an encrypted version of CISCO1. Now hold on one second. I'm going to go to Google.com, Google, and type in

00:25:25

break Cisco -- you can see I've done this before -- break Cisco password. Google search. Right here, the Cisco password cracker. It's the first hit. Go ahead and click on that bad boy. Look at that. Type seven password. I look over here. My enable password is a type seven password. If I take this,

00:25:46

copy it to my clipboard and paste it into this website, paste it into the website, are you following me here? Hit crack. Oh. What's the moral of the story? I love it. Don't use it. Don't use that, because this is encryption. Encryption can be broken because you can always reverse the formula. You

00:26:08

can do a decryption formula, which is exactly what that website does. Notice enable secret five. A lot of people think oh, well five isn't as good as seven because it's a smaller number. Five represents MD5 hashing. When you're using your enable secret, this is a hash of whatever your enable secret is. You cannot reverse engineer that. So if somebody

00:26:31

gets that hash, the only way that they can break through it is through a brute force attack. And what that means is they will use a program that will start trying passwords. It'll start with maybe the number one, two, three, four, five, and it generates what hash the number one would generate, compares it and says, is that the same, no, must not be that one. A good program -- not good,

00:26:52

but a program that you can use to do that is known as Cain and Abel. If you go to Google and search for Cain and Abel, that's a program that will do a brute force attack of an MD5 hash, but it can't reverse engineer this. All it can do is keep trying different combinations to see if it can come up with the same hash as that. If you make your password long enough, you'll

00:27:11

never be able to do that. So that's the big difference. And I know I've talked a little longer on that, but I want you to know how good CHAP really is. CHAP is using that MD5 hash, which makes it virtually -- you know, I knock on wood when I say this -- unbreakable, until some other 12-year-old Swedish girl comes along to break through this. But that's the

00:27:35

idea of CHAP. Now that's the concept, let's configure it. There are really two steps to configure PPP authentication: create a user account and then turn it on. I'm going to reverse those steps because I want you to see what happens when authentication isn't working correctly. I'm on router three, which is our far

00:27:55

end router. I'm going to go under that serial 0/0 interface and type in the command to turn on authentication. It is PPP authentication and then what kind of authentication you would like to use. Now our routers, between each other, use CHAP or PAP, and I mentioned PAP is no longer used by anyone. So we can use CHAP.

00:28:20

Now you notice a few others in here like EAP. I'm not even going to touch that one; that moves into some newer technology out there. Some people call it 802.1x. It's a newer type of authentication, it's pretty fancy. Down here we have MS-CHAP and MS-CHAP-V2. Microsoft came out with their own versions of CHAP. So if

00:28:40

you're dialing up to a router using a Microsoft Windows client, you'll have to use MS-CHAP or MS-CHAP-V2 which is a little more secure. But we're authenticating our routers, so I'll just type in PPP authentication, CHAP. That is what I would like to use. Now

00:28:55

as soon as I do that, you notice that my line protocol on my serial interface just went down. The link died. If I go back and do a show interface serial 0/0, you notice it says encapsulation is still PPP, but LCP TERMsent. That means the termination signal was sent. I, router three, sent

00:29:18

a termination signal to the other side because I was told by the administrator to require CHAP authentication. The other side wasn't prepared to handle that, so you are terminated; you're not successfully authenticating to this router. What we need to do, and what we should have done before that, is create user accounts. By default, when I have routers that are going

00:29:42

to speak to each other, router two will come across and say, hello, I am router two; that's my username. My password is the gobbledy gook, the hash that's generated by CHAP. Now router three is going to look at its user database and say, okay, do I have a user account defined for router two? And if so, what's router two's

00:30:07

password that's tacked on to that user account? Let's say I'll put CISCO as the password. It will hash up that password and say, okay, well, based on the user account I have for router two on my router, I came up with this gobbledygook. Does it match the

00:30:21

gobbledygook that router two sent me? Do these hashes match? If so, that is a successful authentication. So let me show you how to create the user account. I'm going to go on router three. I'm going to type in username R2, password CISCO. Notice I'm in global config mode. I typed in username, this is

00:30:47

the host name of the router that's coming in, R2, and its password that it should be sending is CISCO. But remember, it won't be sending you that password, it will be a hashed version of that. So, router three, you must hash that in order to get the other side. Now when we're

00:31:00

doing PPP authentication on a leased line, it actually does something known as two-way hash. Meaning the routers will authenticate each other. Router three will have to supply a username and hash to router two, and router two will have to supply a username and hash to router three. They both check to make sure they have

00:31:21

the right passwords. If so, then they are good to go. Now the way that two-way hash works on a Cisco router is both sides must be configured with the same password. So when I go over to router three -- or sorry, router two. Router three is done. I'm going to hop over to router two,

00:31:44

go into global config mode. I'm going to do the exact mirrored configuration. Username: R3. Password: CISCO. This password must match. Oh, look at that. You see it come up? It must match the password that router two -- or sorry, router three has for router two. If these are

00:32:05

different, the authentication will fail. So last thing I'm going to do on router two is go under that serial interface and type in PPP authentication CHAP. We now have successful authentication going between each other. Let me show you how you can see this happen.

00:32:25

I'm going to type in debug PPP authentication. That will let me watch these two routers authenticate each other. Now it's already done, meaning the line is up, they've authenticated, so what I'm going to do is cause a catastrophic network failure and shut down serial 0/1/0. That will force the interface to go down, go into the administratively down state, and when I do a no shutdown, the PPP will have to authenticate between these two again and we can watch it happen. So I'll do a no shut, exit

00:32:56

back out here. There we go. See what happened here? It says, PPP using default call direction. This is a dedicated line. Oh, I have noticed authorization is required, so I will send a challenge. It says, there is a challenge from router two. This is being sent from router two to router

00:33:15

three. At the same time it received the challenge from router three. So they're challenging each other. Do you see the two-way hash happening here, or the two-way authentication? They both challenged each other. They said, using the host name from an unknown source, using the password from AAA, that's the local user database. So we have challenge, we responded to the challenge,

00:33:37

router two responds to router three and router three responds to router two. Receives the login, the host name, and the password hash, sends the user requests and we won't get into what that is. But down here you can see success. We have success. The challenge

00:33:55

is working between these two and they have successfully authenticated. If one of those passwords is mismatched, you'll see a failure and the link will never come online. That is the theory and practical configuration of PPP authentication. So let's wrap up. We saw first off a review of the point-to-point

00:34:16

protocols, looking at the physical layers with serial interfaces and the data link layer of HDLC and PPP. We then got into the configuration of WAN links, looking at the initial HDLC, converting to PPP, and then adding PPP authentication on top of it using CHAP. I hope this had been informative for

WAN Connections: Understanding Frame Relay

WAN Connections: Configuring Frame Relay

IPv6: Understanding Basic Concepts and Addressing

IPv6: Configuring, Routing, and Interoperating

Certification: Some Last Words for Test Takers

Advanced TCP/IP: Working with Binary

Advanced TCP/IP: IP Subnetting, Part 1

Advanced TCP/IP: IP Subnetting, Part 2

Advanced TCP/IP: IP Subnetting, Part 3

16 hrs 32 videos
Jeremy Cioara
Nugget trainer since 2003