Today I was watching the PPP Video-on-Demand from IPExpert's CCIE R&S Blended Learning Solutions, and learned some new tricks! AWESOME!
PPP is fairly simple, and configuring it is not that difficult, BUT, as always, there are a couple of tricks we can be asked about in the exam, and that's exactly WHERE the Video-on-Demand comes to the rescue!
The worst thing that they could ask in the exam about PPP is Authentication! Otherwise, we just set the encapsulation to ppp, bring our interfaces up, and that's pretty much it!
In the PPP Video we get the chance to review some scenarios, not difficult ones, but tricky!
First, let's take a look at the topology used in our simulation (again, I was running it in Dynamips, if anybody wants the .NET files, just let me know):
First scenario: R2 should initiate a secure authentication request to R3.
So, how to complete this task?!
Secure means the password cannot be sent in clear text, so PAP is out and we can use CHAP! CHAP sends an MD5 hash, so it's good!
But how can we make sure R2 will initiate the authentication, and not R3?! Well... in fact it's very simple (I didn't know about that so far): use the command ppp authentication chap only on R2. The ppp authentication command only specifies what you're going to send out as an authentication requirement, not what you're going to respond to; you are always responding to stuff.
So, our configuration will look pretty much like this one:
R2:
username R3 password 0 cisco
!
interface Serial1/1

R3:
username R2 password 0 cisco
To BE SURE that R2 is initiating the request, we can run a debug ppp authentication in both routers and check the Outgoing (O) and Incoming (I) requests, take a look yourself:
R2(config-if)#do debug ppp authentication

R3(config-if)#do debug ppp authentication
Se1/1 CHAP: I CHALLENGE id 1 len 23 from "R2"
So what's next?! Just try to ping from both sides, and you should be OK at your exam! Nothing more to worry about!
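The exchange behind that debug line, as an added example (not from the original post or the video): it builds the CHAP Challenge and Response as RFC 1994 lays them out, using the page's names R2/R3 and password cisco, and shows where "len 23" comes from. The function names are hypothetical, and the 16-byte challenge value is an assumption consistent with that length (4-byte header + 1 size byte + 16 + 2 for the name "R2").

```python
import hashlib
import hmac
import os
import struct

CHALLENGE, RESPONSE = 1, 2  # CHAP codes (RFC 1994)

def chap_packet(code, ident, value, name):
    """Encode Code, Identifier, Length, Value-Size, Value, Name."""
    body = bytes([len(value)]) + value + name.encode()
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_chap(packet):
    """Decode a Challenge/Response, rejecting inconsistent length fields."""
    if len(packet) < 5:
        raise ValueError("truncated CHAP packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    size = packet[4]
    if length != len(packet) or 5 + size > length:
        raise ValueError("bad CHAP length")
    return code, ident, packet[5:5 + size], packet[5 + size:].decode()

def chap_md5(ident, secret, challenge):
    """Response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()

def peer_respond(challenge_pkt, my_name, users):
    """R3's side: choose the secret by the challenger's name and answer."""
    _, ident, challenge, sender = parse_chap(challenge_pkt)
    value = chap_md5(ident, users[sender], challenge)
    return chap_packet(RESPONSE, ident, value, my_name)

def authenticator_verify(challenge_pkt, response_pkt, users):
    """R2's side: look up the peer name, compare hashes in constant time."""
    _, ident, challenge, _ = parse_chap(challenge_pkt)
    code, rid, value, peer = parse_chap(response_pkt)
    if code != RESPONSE or rid != ident or peer not in users:
        return False
    return hmac.compare_digest(value, chap_md5(ident, users[peer], challenge))

if __name__ == "__main__":
    # Constructed sample data mirroring the page's "username ... password" lines.
    r2_users, r3_users = {"R3": "cisco"}, {"R2": "cisco"}
    challenge = chap_packet(CHALLENGE, 1, os.urandom(16), "R2")
    response = peer_respond(challenge, "R3", r3_users)
    ok = authenticator_verify(challenge, response, r2_users)
    print("CHALLENGE id 1 len", len(challenge), "-> success:", ok)
```

Only the random challenge and the hash cross the link; the password itself appears in neither packet, which is why the username/password pairs must match on both routers.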
Second scenario: R2 and R3 should be configured for PPP Authentication using DIFFERENT secure authentication protocols.
Hmmm... is that possible?! Yeah, it is! We'll be using CHAP in R2, and EAP in R3, and everything will be good!
Check the configuration of both routers:
R2:
username R3 password 0 cisco

R3:
username R2 password 0 cisco
!
interface Serial1/1
Seems pretty straightforward! Just a quick overview of this configuration:
In R2 the command ppp eap password cisco needs to be used, because the password in EAP doesn't need to be symmetric, so we MUST configure it on the CHAP side of the link.
Regarding the ppp eap local configured in R3, this command means: use the LOCAL database (that means username R2 password cisco) for authentication, instead of a RADIUS server. If you do not use this command, EAP will expect to have a RADIUS server to authenticate the connection, and we do not have one!
Doing that, R2 and R3 will be configured with two different secure authentication protocols! We're good! That's what we were asked for!
Take a look at this Debug Output:
R2(config-if)#do debug ppp authentication

R3(config-if)#do debug ppp authentication
Again, a ping test will not hurt (it worked for me in my Dynamips simulation).
Those are the kind of situations we may encounter during the exam, and for sure, after watching this PPP Video that will not cause me any problems! Cool! :)
There are a lot more tips and advice like that in the Video (not only for PPP, but for everything), you have to check it out! :D