Friday, 29 April 2011

Point-to-Point authentication (PAP vs. CHAP)

In computer networking, an authentication protocol lets two nodes verify each other's identity before they exchange data. PPP encapsulation offers two main authentication protocols: PAP and CHAP.

The Point-to-Point Protocol, or PPP for short, is a layer 2 protocol used to connect two nodes directly. PAP and CHAP do not encrypt the data; they are there so that each node proves who it is before data is transmitted.

The Password Authentication Protocol, or PAP, is rarely used nowadays. PAP is the weaker of the two: like Telnet, it sends the username and password in clear text over the link. With a simple packet sniffer an attacker can read the password, and we all know what happens next.

CHAP, the Challenge Handshake Authentication Protocol, is the stronger choice, although not unbreakable. Here is how it works: CHAP never sends the password over the link. The authenticator sends a random challenge; the peer replies with its username and an MD5 hash of the CHAP identifier, the shared secret and that challenge; the authenticator computes the same hash from its own copy of the secret and compares the two. Because the challenge changes every time, a captured response cannot simply be replayed. The catch is that a sniffer who captures the challenge and the response can try candidate passwords offline until one produces the same hash, so the shared secret still has to be a strong one.
CHAP does not use encryption at all; hashing is different from encryption. Encryption scrambles the original data at the source, and the receiving node uses the decryption key to recover the original data. Hashing is one way: there is no key that turns the hash back into the password.

Let’s see this on a Cisco router. Password configuration on the router:


After we have configured the enable password and the enable secret, and issued the service password-encryption command, the show run output is as shown below


Now we can simply search the internet for a Cisco type 7 password decrypter, paste in the encrypted string and get the password back in clear text, as seen below


Encryption of this kind can be reversed or broken, so it is not recommended. Hashing uses a one-way function to produce a fixed-size value, and with CHAP it is that value, not the password, that crosses the link to the receiving node. Remember that this is hashing, not encryption.
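To make the “easily reversible” point concrete, here is the type 7 scheme in a few lines of Python. This is an added example, not code from the original post: the XLAT string is the well-known fixed key that the IOS type 7 algorithm XORs the password against, and the running-config excerpt is constructed for the demonstration (0822455D0A16 is the type 7 encoding of the password cisco with seed 08).

```python
"""Cisco type 7 password 'encryption' and its reversal.

Added example; it is not the original post's code.  XLAT is the well-known
fixed string the IOS type 7 algorithm XORs against, and SAMPLE_CONFIG is a
constructed running-config excerpt.
"""
import re

XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decrypt(encoded: str) -> str:
    """The first two decimal digits are an offset into XLAT; every following
    hex byte is one plaintext character XORed with the key at that offset."""
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ ord(XLAT[(seed + i) % len(XLAT)])) for i, b in enumerate(body))


def type7_encrypt(plain: str, seed: int = 8) -> str:
    """What 'service password-encryption' does: a keyed XOR, nothing more."""
    body = "".join(f"{ord(c) ^ ord(XLAT[(seed + i) % len(XLAT)]):02X}" for i, c in enumerate(plain))
    return f"{seed:02d}{body}"


TYPE7_RE = re.compile(r"^\s*(.*?)\b(?:password|key)\s+7\s+([0-9A-Fa-f]{4,})\s*$")


def recover_type7(config: str) -> dict:
    """Scan a running-config for 'password 7' / 'key 7' strings and return
    {stripped config line: recovered clear text}."""
    found = {}
    for line in config.splitlines():
        m = TYPE7_RE.match(line)
        if m:
            found[line.strip()] = type7_decrypt(m.group(2))
    return found


# Constructed show-run excerpt.  A type 5 'enable secret' line would be an
# MD5-crypt hash with nothing to reverse, so the scanner ignores it.
SAMPLE_CONFIG = """\
! enable secret 5 <type 5 hash> is a hash, not an encoding, so it is skipped
enable password 7 0822455D0A16
username admin password 7 020A0559
line vty 0 4
 password 7 0822455D0A16
 login
"""

if __name__ == "__main__":
    for line, clear in recover_type7(SAMPLE_CONFIG).items():
        print(f"{line:40s} -> {clear}")
```

The seed only changes which part of the key is used; it adds no secrecy, which is why every type 7 string in a configuration file should be treated as clear text that has leaked.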

The only way the receiving router can authenticate the peer is if it has the same secret configured: the same secret, the same identifier and the same challenge produce the same hash on both nodes.

Therefore, for CHAP to work correctly over PPP, the same secret must be configured on the sending and the receiving router (on IOS, in the username entry for the peer, and it has to be stored in a form the router can recover, since it must feed the secret into the hash). The password itself is never sent over the link; only the hash, the result of the MD5 computation, is. See below
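The exchange described above, with both sides’ messages, as an added example that is not part of the original post. The hash construction MD5(identifier || secret || challenge) is the one RFC 1994 specifies; the router names, the secret and the wordlist are constructed. The last function shows the caveat: a sniffer who captures one challenge/response pair can test guesses offline, so CHAP protects the password only as well as the password resists guessing.

```python
"""CHAP (RFC 1994) three-way handshake, plus the offline dictionary attack a
sniffer can run on a captured exchange.

Added example, not the original post's code.  Names, secrets and wordlist
are constructed.
"""
import hashlib
import hmac
import os
from typing import Optional


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """Response value = MD5(Identifier || secret || Challenge).
    The secret itself never goes on the wire."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Authenticator:
    """The router demanding proof.  It needs the peer's secret in recoverable
    form (on IOS: 'username <peer> password <secret>') to recompute the hash."""

    def __init__(self, secrets: dict):
        self.secrets = secrets

    def challenge(self):
        ident = os.urandom(1)[0]       # 1-byte identifier, new for every challenge
        value = os.urandom(16)         # random challenge: a captured response is useless next time
        return ident, value

    def verify(self, ident: int, challenge: bytes, name: str, response: bytes) -> bool:
        secret = self.secrets.get(name)
        if secret is None:
            return False
        expected = chap_response(ident, secret, challenge)
        return hmac.compare_digest(expected, response)   # constant-time compare


class Peer:
    """The router being authenticated."""

    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, ident: int, challenge: bytes):
        return self.name, chap_response(ident, self.secret, challenge)


def handshake(auth: Authenticator, peer: Peer):
    """1. Challenge -> 2. Response -> 3. Success/Failure.
    Returns (success, what a sniffer on the link captured)."""
    ident, challenge = auth.challenge()
    name, response = peer.respond(ident, challenge)
    success = auth.verify(ident, challenge, name, response)
    captured = {"id": ident, "challenge": challenge, "name": name, "response": response}
    return success, captured


def dictionary_attack(captured: dict, wordlist) -> Optional[str]:
    """The sniffer's next step: hash every candidate with the captured id and
    challenge until one reproduces the captured response."""
    for word in wordlist:
        if chap_response(captured["id"], word.encode(), captured["challenge"]) == captured["response"]:
            return word
    return None


if __name__ == "__main__":
    r1 = Authenticator({"R2": b"s3cret"})
    ok, capture = handshake(r1, Peer("R2", b"s3cret"))
    print("CHAP success:", ok)
    print("secret recovered offline:", dictionary_attack(capture, ["cisco", "class", "s3cret"]))
```

Note what is and is not protected: a wrong secret or an unknown peer name fails, and a response captured today does not verify against tomorrow’s challenge, but nothing stops the offline guessing loop except the strength of the secret.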


Back to the router screenshots

The 5 in the enable secret line means the stored value is a salted MD5 hash (type 5). It cannot be reversed the way a type 7 string can, but it can still be attacked offline by hashing candidate passwords until one matches, so choose a strong one; newer IOS releases also offer the stronger type 8 (PBKDF2-SHA256) and type 9 (scrypt) algorithms for enable secret.

This concept of PPP authentication came up this morning at 3.20 when I was watching a video, so I decided to share it. I know there is a lot more to it, but thinking back I remember not having focused on this concept during the CCNA. To finish: it is not recommended to use the enable password; use the enable secret instead. Although the service password-encryption command obscures the former, that encoding is easily reversible; the latter is stored as an MD5 hash. Separately, with CHAP the PPP password is never sent over the wire, and for authentication to succeed the same secret must be configured on both nodes.


Thank you for your comments and questions...

Friday, 22 April 2011

My home Office Lab

Do you know Scott Morris? Yes, probably. Look at his uber lab!!!!!

Scott Morris is my idol; this man is a networking gig. Amazing, his qualifications are!!!! Look at his resume, and it goes on and on. 4 times CCIE, believe me, 4 times. I know a few other people have achieved it, but this guy’s curriculum vitae is heart-breaking and scary to 90% of employers out there.

When I first saw his lab on the internet, I could not believe someone would keep such equipment at home. But I read his stories and followed his advice, and let me tell you that it paid off! The more I went on studying computers, and networking in particular, the more I understood the benefits of having real routers and switches.

I have worked with fellow students and classmates, very smart guys, some even smarter than I am. Reading books is a very good thing, but relying on them alone is not enough. We all know how lab sessions are run in colleges or universities! Many won’t allow students to use the lab outside the lab sessions, and will rely on virtual labs such as Cisco Packet Tracer or the Graphical Network Simulator GNS3. GNS3 is free and open source and can be downloaded free of charge.

Simulations are good tools for your certifications and work most of the time, but real gear does not always work the way you want, as there can be many logical and physical constraints.

My point is that not having hands-on time with real gear is not ideal for a computer networking student. Having HANDS-ON real routers, switches, etc. will strengthen your knowledge. As I said before, I have helped a lot of smarter classmates, just because I own the lab shown below. A lab will allow you to practice, gain confidence, and eliminate fear. I can assure you that a lot of university students are confused when they see a router or a switch; some do not know how to identify a DCE and a DTE. If the device is password protected, it is game over.

My first Cisco gear was a Cisco 2511 router, bought from an eBay seller, and it was password protected. The first impression was a disappointment: how on earth does someone sell a router that is password protected? I then realised that some eBay sellers don’t have the technical knowledge about the items they are selling. I spent a day researching and trying to use the Ctrl+Break keys to enter the ROM Monitor, and in the end I did it. But it does not end there; doing this on a regular basis allowed me to master the process and discover and build a few tips of my own.

So below is my home lab; this lab keeps me busy...






Please send your tips and comments!!!!!!!

Tuesday, 19 April 2011

IP Helper

IP address assignment can be static or dynamic. A statically assigned IP address is configured manually by the system administrator, whereas a dynamic IP address is obtained automatically from a DHCP server.

DHCP allows individual computers to request their IP addresses from a DHCP server that has been configured to lease addresses to clients. If DHCP fails, Windows clients fall back to an APIPA address in 169.254.0.0/16, and network communication fails.

In order to obtain a lease, the client and the server exchange a series of UDP messages (server port 67, client port 68). The client’s messages are broadcast, since it has no address yet:
  • DHCP Discover. Broadcast message sent when the client is connected for the first time, or whenever it has no lease.
  • DHCP Offer. The server has received the Discover from the client and replies with an IP address offer. The offer carries additional configuration such as the default gateway, the subnet mask, the DNS server, etc.
  • DHCP Request. The client has checked the Offer, that’s good, and sends a request: “Yes, fine by me, please give me this address”. The Request is also broadcast, so any other server that made an offer knows its offer was declined.
  • DHCP ACK. This message acknowledges the client’s request: “OK, you can use this address”. At this point the client can join the network and exchange information.
There are other DHCP messages, such as DHCP Nak or DHCP Decline; please visit Microsoft TechNet for more information.
IP Helper

There are times when client computers are not in the same subnet as the DHCP server. Routers do not forward broadcasts, so the clients’ Discover messages would never reach the server on their own; the IP helper feature lets a router or layer 3 switch relay the clients’ DHCP requests to a remote server and makes it possible.

The router or switch receives the broadcast (a UDP datagram) from the clients on the client-facing interface, writes that interface’s address into the packet’s relay agent field (giaddr) so the server knows which subnet to lease from, and forwards the packet as a unicast to the server address that was configured. The server’s reply comes back to that interface address and the router hands it to the client. One caveat: ip helper-address forwards more than DHCP. By default IOS also relays broadcasts for TFTP (69), DNS (53), time (37), IEN-116 name service (42), NetBIOS name and datagram services (137, 138) and TACACS (49) to the helper; use no ip forward-protocol udp <port> to switch off the ones the server does not need, so that clients cannot use the relay to reach the server on those ports.
IP helper configuration is very efficient and fun. In my experience, it has been one of the most amazing commands I have used so far. I used it for the first time when I was configuring VLANs for a local school…

In order to successfully implement IP helper, below is a basic recommendation guide:
  • Make sure the client computer’s IP settings are configured to acquire an address via DHCP
  • Make sure the server has the correct address pool configured
  • Make sure the address pools have enough IP addresses for the clients
  • Make sure the pools are configured with the clients’ subnets and default gateway (the server chooses the pool from the relay interface’s address, so a client subnet with no matching pool gets no lease)
  • Make sure the IP helper is configured on the router interface that faces the clients

IP helper configuration


A Cisco router ip helper command, entered on the interface that faces the clients (the one receiving their broadcasts), not the one facing the server:

Router(config)#interface fastethernet 0/0
Router(config-if)#ip helper-address [server IP address here]
Router(config-if)#exit


A Cisco switch ip helper command. On a layer 3 switch the helper goes on the routed port or SVI that is the clients’ default gateway; no switchport turns a physical port from a layer 2 port into a layer 3 port:

Switch(config-if)#no switchport
Switch(config-if)#ip address [gateway IP address here] [subnet mask]
Switch(config-if)#ip helper-address [DHCP server IP address here]
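What the relay actually does to the packet, simulated end to end in Python, as an added example that is not the original post’s code. The client address, the helper address 10.0.0.5, the server’s pools and the four-hop limit are assumptions chosen for the demonstration; the packet layout is the BOOTP/DHCP fixed header from RFC 2131. The second scenario is the failure from the checklist above: a client subnet for which the server has no pool gets no offer.

```python
"""What `ip helper-address` does to a DHCP Discover, simulated end to end.

Added example, not the original post's code.  Addresses, pools and the hop
limit are assumptions; the header layout follows RFC 2131.
"""
import ipaddress
import struct
from typing import Optional

BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC = b"\x63\x82\x53\x63"      # DHCP option cookie
ZERO = b"\x00" * 4
MAX_HOPS = 4                     # assumed relay hop limit
DHCP_SERVER = "10.0.0.5"         # assumed helper address
SERVER_SUBNET = "10.0.0.0/24"    # subnet the server itself sits on

# Assumed server pools, keyed by the subnet each one serves.  The server
# picks a pool from giaddr, so a client subnet with no pool gets no lease.
POOLS = {
    ipaddress.ip_network("10.0.0.0/24"): ["10.0.0.100"],
    ipaddress.ip_network("192.168.10.0/24"): ["192.168.10.50"],
}


def build_discover(chaddr: bytes, xid: int) -> bytes:
    """Minimal DHCP Discover: 236-byte fixed header, cookie, option 53=1, end."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         BOOTREQUEST, 1, 6, 0,            # op, htype=Ethernet, hlen, hops=0
                         xid, 0, 0x8000,                  # xid, secs, flags (broadcast bit)
                         ZERO, ZERO, ZERO, ZERO,          # ciaddr, yiaddr, siaddr, giaddr
                         chaddr.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    return header + MAGIC + b"\x35\x01\x01" + b"\xff"


def relay(packet: bytes, ingress_ip: str, helper: str = DHCP_SERVER):
    """Router side.  The broadcast arrives on the interface addressed ingress_ip;
    the relay stamps that address into giaddr (if still zero), bumps the hop
    count and sends the packet as a unicast to the helper.
    Returns (destination, packet) or None when the packet is dropped."""
    hops = packet[3]
    if hops >= MAX_HOPS:
        return None                                        # relay loop protection
    giaddr = packet[24:28]
    if giaddr == ZERO:
        giaddr = ipaddress.IPv4Address(ingress_ip).packed  # first relay fills giaddr
    forwarded = packet[:3] + bytes([hops + 1]) + packet[4:24] + giaddr + packet[28:]
    return helper, forwarded


def server_offer(packet: bytes):
    """Server side.  giaddr tells the server which subnet the client is on; a
    zero giaddr means the client is local.  Returns (destination, OFFER) or None."""
    giaddr = ipaddress.IPv4Address(packet[24:28])
    if giaddr == ipaddress.IPv4Address("0.0.0.0"):
        scope, dst = ipaddress.ip_network(SERVER_SUBNET), "255.255.255.255"
    else:
        scope, dst = next((n for n in POOLS if giaddr in n), None), str(giaddr)
    if scope is None or scope not in POOLS or not POOLS[scope]:
        return None                                        # nothing to offer: client ends up on APIPA
    yiaddr = ipaddress.IPv4Address(POOLS[scope][0]).packed
    offer = bytes([BOOTREPLY]) + packet[1:16] + yiaddr + packet[20:]
    return dst, offer


def lease_for(gateway_ip: str) -> Optional[str]:
    """A client behind the router interface `gateway_ip` broadcasts a Discover.
    Returns the address the server offers, or None."""
    discover = build_discover(b"\x00\x11\x22\x33\x44\x55", xid=0x1234)
    hop = relay(discover, ingress_ip=gateway_ip)
    if hop is None:
        return None
    dst, forwarded = hop
    assert dst == DHCP_SERVER                              # left the router as a unicast
    reply = server_offer(forwarded)
    if reply is None:
        return None
    back_to, offer = reply
    assert back_to == gateway_ip                           # OFFER returns to the relay, which hands it to the client
    return str(ipaddress.IPv4Address(offer[16:20]))


if __name__ == "__main__":
    print("192.168.10.0/24 client ->", lease_for("192.168.10.1"))   # pool exists
    print("172.16.5.0/24 client   ->", lease_for("172.16.5.1"))     # no pool for that subnet
```

The giaddr stamp is the whole reason the checklist insists that pools match the client subnets: the server never sees the client’s broadcast domain, only the relay interface address written into the packet.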


Wednesday, 13 April 2011

Wild Card Mask

The wildcard mask, or inverse mask, tells the router which bits of an IP address are significant. In Cisco IOS it is used in routing protocols such as EIGRP and OSPF (the network statement) and in access control lists (ACLs). A 0 bit means “must match” and a 1 bit means “do not care”, so it is the bitwise inverse of a subnet mask (255.255.255.0 becomes 0.0.0.255), with one difference: its 1 bits do not have to be contiguous.

Example 1


This is an example of an IP address with a wildcard mask: 113.2.34.0 with the wildcard 0.0.0.255.
OK, but what does it mean?



Wherever there is a 0 (zero) in the wildcard mask, that octet is significant and has to be looked at:

  • Look at 113
  • Look at 2
  • Look at 34

Wherever there is a 255 in the wildcard mask, it means do not care:

  • Do not care about the last octet (0)


  • So in the example above the routing protocol looks at the first three octets, 113.2.34, only.
    If a command such as “network 113.2.34.0 0.0.0.255” is used on Cisco IOS, the routing protocol is activated on every interface whose IP address starts with 113.2.34.


    Example 2


    This is an IP address with a wildcard mask of all zeros (0.0.0.0).
    • Every octet is significant
    • There has to be an exact match with that one host address (in an ACL, host 113.2.34.1 is the shorthand for 113.2.34.1 0.0.0.0)

    Example 3



    113.2.0.0 with the wildcard 0.0.255.255:
    • The first two octets are significant (113.2)
    • The last two are not looked at


    Note: please make sure you understand that the wildcard mask does not influence how a network is advertised, that is, what the advertised mask (the /..) will be. In Example 1, if the interface network were 113.2.34.0/30, the /30 is what gets sent across to the neighbour regardless of the wildcard mask; the wildcard only decides which interfaces take part.
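The bit-by-bit rule, done the way IOS does it, as an added example that is not the original post’s code. It runs the post’s three examples, adds one constructed non-contiguous mask (0.0.1.255, which a subnet mask cannot express) and shows which interfaces a network statement would pull into OSPF.

```python
"""Wildcard (inverse) mask matching, done bit by bit as IOS does it.

Added example, not the original post's code.  The addresses in
matching_examples() are the post's three examples plus one constructed
non-contiguous mask.
"""
import ipaddress


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(address: str, base: str, wildcard: str) -> bool:
    """True when `address` equals `base` on every bit where the wildcard bit is 0.
    Wildcard bits set to 1 are 'do not care'."""
    care = ~to_int(wildcard) & 0xFFFFFFFF          # 1 where the bit must match
    return (to_int(address) & care) == (to_int(base) & care)


def mask_to_wildcard(subnet_mask: str) -> str:
    """Invert a subnet mask: 255.255.255.0 -> 0.0.0.255, 255.255.255.252 -> 0.0.0.3."""
    return str(ipaddress.IPv4Address(~to_int(subnet_mask) & 0xFFFFFFFF))


def interfaces_enabled(network_stmt, interface_ips):
    """Which interfaces a 'network <base> <wildcard> area 0' statement would
    put into OSPF: every interface whose address matches."""
    base, wildcard = network_stmt
    return [ip for ip in interface_ips if wildcard_match(ip, base, wildcard)]


def matching_examples() -> dict:
    return {
        # Example 1: 113.2.34.0 0.0.0.255 -> first three octets must match
        "ex1": [wildcard_match(a, "113.2.34.0", "0.0.0.255") for a in ("113.2.34.1", "113.2.34.200", "113.2.35.1")],
        # Example 2: wildcard 0.0.0.0 -> exact host match only
        "ex2": [wildcard_match(a, "113.2.34.7", "0.0.0.0") for a in ("113.2.34.7", "113.2.34.8")],
        # Example 3: 113.2.0.0 0.0.255.255 -> first two octets must match
        "ex3": [wildcard_match(a, "113.2.0.0", "0.0.255.255") for a in ("113.2.99.1", "113.3.0.1")],
        # Non-contiguous: 10.0.0.0 0.0.1.255 matches 10.0.0.0/24 and 10.0.1.0/24 only
        "noncontig": [wildcard_match(a, "10.0.0.0", "0.0.1.255") for a in ("10.0.0.5", "10.0.1.5", "10.0.2.5")],
    }


if __name__ == "__main__":
    for name, result in matching_examples().items():
        print(name, result)
    print(interfaces_enabled(("148.1.0.0", "0.0.255.255"), ["148.1.1.254", "1.1.1.1"]))
```

The non-contiguous case is worth remembering when reading ACLs: a wildcard such as 0.0.1.255 or 0.0.254.255 is legal in IOS and matches a pattern of subnets rather than a single block, which is easy to misread as a typo.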

    Thursday, 31 March 2011

    OSPF Single Area

    Topology





    Objectives


    - Perform basic router configuration
    - Configure OSPF routing
    - Advertise the connected networks into OSPF

    Configure router R1 interfaces

    Router#configure terminal
    Router(config)#hostname R1
    R1(config)#int f0/0
    R1(config-if)#description R1 to Server
    R1(config-if)#ip add 148.1.1.254 255.255.0.0
    R1(config-if)#no shut
    R1(config-if)#exit

    R1(config)#int s0/0
    R1(config-if)#ip add 1.1.1.1 255.0.0.0
    R1(config-if)#description R1 to R2
    R1(config-if)#clock rate 64000
    R1(config-if)#no shut
    R1(config-if)#

    Configure OSPF process 1 on router R1

    R1#configure terminal
    R1(config)#router ospf 1
    R1(config-router)#net 148.1.0.0 0.0.255.255 area 0
    R1(config-router)#net 1.0.0.0 0.255.255.255 area 0
    R1(config-router)#^Z
    R1#

    To verify R1 routing table, issue the show ip route command

    R1#show ip route

    Gateway of last resort is not set

    C 1.0.0.0/8 is directly connected, Serial0/0
    O 2.0.0.0/8 [110/1562] via 1.1.1.2, 00:00:09, Serial0/0
    C 148.1.0.0/16 is directly connected, FastEthernet0/0
    O 148.2.0.0/16 [110/782] via 1.1.1.2, 00:00:09, Serial0/0
    O 148.3.0.0/16 [110/1563] via 1.1.1.2, 00:00:09, Serial0/0
    O 148.4.0.0/16 [110/1563] via 1.1.1.2, 00:00:09, Serial0/0
    R1#



    Configure router R2 interfaces

    Router#config t
    Router(config)#hostname R2
    R2(config)#int s0/0
    R2(config-if)#ip add 1.1.1.2 255.0.0.0
    R2(config-if)#description R2 to R1
    R2(config-if)#no shut
    R2(config-if)#exit

    R2(config)#interface s0/1
    R2(config-if)#ip add 2.2.2.1 255.0.0.0
    R2(config-if)#description R2 to R3
    R2(config-if)#clock rate 64000
    R2(config-if)#no shut
    R2(config-if)#exit

    R2(config)#int f0/0
    R2(config-if)#ip add 148.2.2.254 255.255.0.0
    R2(config-if)#description R2 to PCA
    R2(config-if)#no shut

    Configure OSPF routing on R2

    R2#configure terminal
    R2(config)#router ospf 1
    R2(config-router)#net 1.0.0.0 0.255.255.255 area 0
    R2(config-router)#net 148.2.0.0 0.0.255.255 area 0
    R2(config-router)#net 2.0.0.0 0.255.255.255 area 0
    R2(config-router)#

    to verify the routing table, run the show ip route on R2

    R2#show ip route

    C 1.0.0.0/8 is directly connected, Serial0/0
    C 2.0.0.0/8 is directly connected, Serial0/1
    O 148.1.0.0/16 [110/782] via 1.1.1.1, 00:35:43, Serial0/0
    C 148.2.0.0/16 is directly connected, FastEthernet0/0
    O 148.3.0.0/16 [110/782] via 2.2.2.2, 00:37:38, Serial0/1
    O 148.4.0.0/16 [110/782] via 2.2.2.2, 00:37:38, Serial0/1
    R2#


    Configure R3 interfaces

    Router#conf t
    Router(config)#int f0/0
    Router(config-if)#description R3 to PCB
    Router(config-if)#ip add 148.4.3.254 255.255.0.0
    Router(config-if)#no shut

    Router(config-if)#int f1/0
    Router(config-if)#description R3 to PCC
    Router(config-if)#ip add 148.3.3.254 255.255.0.0
    Router(config-if)#no shut

    Router(config-if)#exit
    Router(config)#int s0/1
    Router(config-if)#ip add 2.2.2.2 255.0.0.0
    Router(config-if)#description R3 to R2
    Router(config-if)#no shut

    Configure OSPF process 1 on router R3

    Router(config-if)#exit
    Router(config)#router ospf 1
    Router(config-router)#net 2.0.0.0 0.255.255.255 area 0
    Router(config-router)#net 148.4.0.0 0.0.255.255 area 0
    Router(config-router)#network 148.3.0.0 0.0.255.255 area 0
    Router(config-router)#exit
    Router#


    OSPF routing table verification on R3
    Router#show ip route

    O 1.0.0.0/8 [110/1562] via 2.2.2.1, 00:47:23, Serial0/1
    C 2.0.0.0/8 is directly connected, Serial0/1
    O 148.1.0.0/16 [110/1563] via 2.2.2.1, 00:45:21, Serial0/1
    O 148.2.0.0/16 [110/782] via 2.2.2.1, 00:47:23, Serial0/1
    C 148.3.0.0/16 is directly connected, FastEthernet1/0
    C 148.4.0.0/16 is directly connected, FastEthernet0/0
    Router#

    Now, can you ping between all devices? If not, verify your configuration step by step.
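    The metrics in the three routing tables above are not arbitrary, and recomputing them is a good way to check the lab. This is an added example, not part of the original post: it runs Dijkstra (OSPF’s SPF) over the lab topology with the IOS default reference bandwidth of 10^8 bps. It assumes the serial links report a bandwidth of 128 kbps (cost 781), because that is what reproduces the [110/782] and [110/1562] values shown; the clock rate command sets the line speed on the DCE end but not the bandwidth OSPF uses, so with the default 64 kbps cost (1562 per hop) the 2.0.0.0/8 route on R1 would read 3124 instead.

```python
"""OSPF metrics of the single-area lab recomputed with Dijkstra (SPF).

Added example, not the original post's code.  Uses the IOS default reference
bandwidth of 10^8 bps and assumes the serial links have a bandwidth of 128 kbps;
that assumption reproduces the metrics in the post's routing tables.
"""
import heapq

REFERENCE_BW = 100_000_000       # bps; 'auto-cost reference-bandwidth' default
SERIAL_BW = 128_000              # assumed
FAST_ETHERNET_BW = 100_000_000


def ospf_cost(bandwidth_bps: int) -> int:
    """IOS interface cost: reference bandwidth / interface bandwidth, minimum 1."""
    return max(1, REFERENCE_BW // bandwidth_bps)


# (router, attached network, interface bandwidth), taken from the lab configs
INTERFACES = [
    ("R1", "148.1.0.0/16", FAST_ETHERNET_BW), ("R1", "1.0.0.0/8", SERIAL_BW),
    ("R2", "1.0.0.0/8", SERIAL_BW), ("R2", "2.0.0.0/8", SERIAL_BW), ("R2", "148.2.0.0/16", FAST_ETHERNET_BW),
    ("R3", "2.0.0.0/8", SERIAL_BW), ("R3", "148.3.0.0/16", FAST_ETHERNET_BW), ("R3", "148.4.0.0/16", FAST_ETHERNET_BW),
]


def build_graph() -> dict:
    """Routers and networks are both vertices.  Router -> network costs the
    outgoing interface; network -> router costs 0, so each hop charges only the
    sending interface, which is how OSPF sums a path."""
    graph = {}
    for router, network, bw in INTERFACES:
        graph.setdefault(router, {})[network] = ospf_cost(bw)
        graph.setdefault(network, {})[router] = 0
    return graph


def spf(source: str) -> dict:
    """Dijkstra from one router; returns {network: metric}."""
    graph = build_graph()
    dist = {source: 0}
    heap = [(0, source)]
    while heap:
        d, v = heapq.heappop(heap)
        if d > dist[v]:
            continue
        for nbr, w in graph[v].items():
            if d + w < dist.get(nbr, float("inf")):
                dist[nbr] = d + w
                heapq.heappush(heap, (d + w, nbr))
    return {k: v for k, v in dist.items() if "/" in k}


def routing_table(router: str) -> dict:
    """Like 'show ip route' on that router: metric per destination network.
    Directly connected networks carry just their own interface cost."""
    return spf(router)


if __name__ == "__main__":
    for r in ("R1", "R2", "R3"):
        print(r, routing_table(r))
```

    If your lab shows different metrics, compare show interfaces serial 0/0 for the bandwidth value and show ip ospf for the reference bandwidth before suspecting the configuration.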

    To finish, clear the routers for the next lab.

    Wednesday, 30 March 2011

    Denying TELNET using standard Access-Lists

    Topology





    This lab configures an access control list on R1 to stop PCB from telnetting to router R1. To best experience how this works, begin by configuring all the device interfaces with their IP addresses and run EIGRP on the routers. Leave the access-list to the end. Make sure you can ping between PCA and PCB, and telnet from PCB to R1, before you apply it.

    Objectives


    - Configuring standard access-lists
    - Denying a Telnet session using an access-list

    R1 Configuration

    Router#configure terminal
    Router(config)#hostname R1
    R1(config)#line con 0
    R1(config-line)#pass cisco
    R1(config-line)#login

    R1(config-line)#line vty 0 4
    R1(config-line)#pass cisco
    R1(config-line)#login
    R1(config-line)#exit
    R1(config)#enable secret cisco

    R1(config)#int f1/0
    R1(config-if)#ip add 148.1.1.254 255.255.0.0
    R1(config-if)#no shut

    R1(config-if)#exit
    R1(config)#int f0/0
    R1(config-if)#ip add 1.1.1.1 255.0.0.0
    R1(config-if)#no shut

    Configure EIGRP or any protocol of your choice

    R1(config-if)#exit
    R1(config)#router eigrp 100
    R1(config-router)#network 1.0.0.0 0.255.255.255

    R1(config-router)#net 148.1.0.0 0.0.255.255
    R1(config-router)#no auto-summary
    R1(config-router)#exit

    Configure your access-list. The deny entry must name PCB’s actual address, so check it against the topology diagram before you type it: if PCB sits on R2’s 148.2.0.0/16 LAN, as the interface addresses suggest, a deny for 142.2.1.1 can never match it and the permit any lets PCB straight through. The 0.0.0.0 wildcard means an exact host match; host 142.2.1.1 is the equivalent shorthand.

    R1(config)#access-list 99 deny 142.2.1.1 0.0.0.0
    R1(config)#access-list 99 permit any

    Apply your access list to the vty lines with access-class (ip access-group is for interfaces). Filtering on the vty lines covers Telnet to any of R1’s addresses, whichever interface the session arrives on:


    R1(config)#line vty 0 4
    R1(config-line)#access-class 99 in
    R1(config-line)#


    R2 Configuration

    Router#configure terminal
    Router(config)#hostname R2

    R2(config)#int f0/0
    R2(config-if)#ip add 1.1.1.2 255.0.0.0
    R2(config-if)#no shut
    R2(config-if)#exit

    R2(config)#int f1/0
    R2(config-if)#ip add 148.2.1.254 255.255.0.0
    R2(config-if)#no shut
    R2(config-if)#exit

    R2(config)#line con 0
    R2(config-line)#pass cisco
    R2(config-line)#login
    R2(config-line)#exit

    R2(config)#line vty 0 4
    R2(config-line)#pass cisco
    R2(config-line)#login
    R2(config-line)#exit

    R2(config)#router eigrp 100
    R2(config-router)#network 148.2.0.0 0.0.255.255
    R2(config-router)#network 1.0.0.0 0.255.255.255
    R2(config-router)#no auto-summary
    R2(config-router)#

    Now try to telnet from PCB to R1’s f0/0 address (1.1.1.1). Can you? A ping from PCB to R1, or a Telnet from PCA, still works: access-class only filters the vty lines, not traffic passing through the router.

    Clear your routers for the next Lab.

    Friday, 25 March 2011

    Static Routes

    Now I am configuring static routing, which lets routers reach networks they are not connected to without running a routing protocol.

    Topology



    Objectives

    Configure static routes
    Configure interface descriptions

    Router R1 Configuration

    Router#conf t
    Router(config)#hostname R1
    R1(config)#int s0/0
    R1(config-if)#ip add 148.1.1.1 255.255.255.0
    R1(config-if)#description R1 - to -R2
    R1(config-if)#clock rate 64000
    R1(config-if)#no shutdown

    Don't worry about the static route now.


    Router R2 Configuration

    Router#conf t
    Router(config)#hostname R2
    R2(config)#int s0/0
    R2(config-if)#ip add 148.1.1.2 255.255.255.0
    R2(config-if)#no shut

    R2(config-if)#int s0/1
    R2(config-if)#ip add 148.1.2.1 255.255.255.0
    R2(config-if)#clock rate 64000
    R2(config-if)#description R2- to -R3
    R2(config-if)#no shut
    R2(config-if)#

    No static route now.


    Router R3 Configuration

    Router#conf t
    Router(config)#hostname R3
    R3(config)#int s0/0
    R3(config-if)#description R3- to -R2
    R3(config-if)#ip add 148.1.2.2 255.255.255.0
    R3(config-if)#no shut

    Pings between directly connected routers should work at this point. R1 and R3 cannot exchange any data yet: R1 knows nothing about 148.1.2.0/24 and R3 knows nothing about 148.1.1.0/24.


    Static routes Configuration

    R1

    R1#conf t
    R1(config)#ip route 148.1.2.0 255.255.255.0 148.1.1.2
    R1(config)#

    R2
    R2 does not need a static route to talk to anyone, as both networks are directly connected to it.

    R3

    R3#conf t
    R3(config)#ip route 148.1.1.0 255.255.255.0 148.1.2.1
    R3(config)#

    Run the show ip route command on R1 and R3. S means static, and a static entry should appear in the routing table of both routers. On R1:

    Gateway of last resort is not set
    148.1.0.0/24 is subnetted, 2 subnets
    C 148.1.1.0 is directly connected, Serial0/0
    S 148.1.2.0 [1/0] via 148.1.1.2

    Now R1 and R3 should ping each other.

    Standard Access-Lists

    Today I am configuring a standard access-list.

    Topology





    Objectives


    Configure a standard access-list to deny traffic from a given network
    Test the ACL configuration


    Router AR Configuration

    Router#configure terminal
    Router(config)#hostname AR
    AR(config)#int f0/0
    AR(config-if)#ip add 148.1.1.254 255.255.255.0
    AR(config-if)#no shut
    AR(config-if)#exit

    Configure the clients IP Addresses as seen on the topology, the default gateway must be the IP Address of router AR interface(148.1.1.254).
    Ping to ensure each client can reach the default gateway.


    Access-list Configuration

    AR(config)#access-list 50 deny 148.1.1.0 0.0.0.255
    AR(config)#access-list 50 permit any

    Pinging from the clients still works at this point: an access-list does nothing until it is applied to an interface (or a line).


    Apply the access-list inbound on the FastEthernet interface

    AR(config)#int f0/0
    AR(config-if)#ip access-group 50 in
    AR(config-if)#


    Now ping the default gateway from the client computers. The pings fail: every packet arriving on f0/0 from 148.1.1.0/24 matches the deny entry, the permit any is never reached, and because the ACL is applied inbound the router drops the packet before it can reply. That is the point of the lab: a standard ACL matches on the source address only, so placing it inbound on the clients’ own interface cuts those clients off from everything, the gateway included. This is why standard ACLs are normally placed as close to the destination as possible.
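    Both ACL labs come down to the same three rules: entries are checked top down, the first match wins, and an implicit deny sits at the end. The following is an added example, not code from the original posts: it parses the two ACLs exactly as written above (99 from the Telnet lab, 50 from this lab) and runs constructed source addresses through them, which also makes the 142.2.1.1 problem visible, since a host on R2’s 148.2.0.0/16 LAN still gets “permit”.

```python
"""Standard ACL evaluation as IOS does it: top down, first match wins,
implicit deny at the end.

Added example, not the original posts' code.  The ACL lines are the ones
from the two labs; the source addresses fed to them are constructed.
"""
import ipaddress


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(address: str, base: str, wildcard: str) -> bool:
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(address) & care) == (to_int(base) & care)


def parse_standard_acl(config_lines) -> dict:
    """'access-list 50 deny 148.1.1.0 0.0.0.255' -> {50: [('deny', base, wildcard), ...]}.
    Accepts the 'any', 'host X' and 'X WILDCARD' source forms."""
    acls = {}
    for line in config_lines:
        parts = line.split()
        if parts[:1] != ["access-list"]:
            continue
        number, action, src = int(parts[1]), parts[2], parts[3:]
        if src[0] == "any":
            base, wildcard = "0.0.0.0", "255.255.255.255"
        elif src[0] == "host":
            base, wildcard = src[1], "0.0.0.0"
        else:
            base, wildcard = src[0], (src[1] if len(src) > 1 else "0.0.0.0")
        acls.setdefault(number, []).append((action, base, wildcard))
    return acls


def evaluate(acl, source_ip: str) -> str:
    """Return 'permit' or 'deny' for a packet from source_ip."""
    for action, base, wildcard in acl:
        if wildcard_match(source_ip, base, wildcard):
            return action                 # first match wins; later entries are not consulted
    return "deny"                         # implicit deny at the end of every ACL


ACLS = parse_standard_acl([
    "access-list 99 deny 142.2.1.1 0.0.0.0",
    "access-list 99 permit any",
    "access-list 50 deny 148.1.1.0 0.0.0.255",
    "access-list 50 permit any",
])


def gateway_ping_results() -> dict:
    """ACL 50 applied 'ip access-group 50 in' on AR f0/0: every client on
    148.1.1.0/24 hits the deny entry before 'permit any'."""
    return {src: evaluate(ACLS[50], src) for src in ("148.1.1.10", "148.1.1.20", "148.1.2.10")}


def telnet_results() -> dict:
    """ACL 99 applied 'access-class 99 in' on R1's vty lines.  A host on R2's
    148.2.0.0/16 LAN is still permitted, because 142.2.1.1 is not in that LAN."""
    return {src: evaluate(ACLS[99], src) for src in ("142.2.1.1", "148.2.1.1")}


if __name__ == "__main__":
    print("pings to the gateway:", gateway_ping_results())
    print("telnet to R1:", telnet_results())
```

    Running candidate addresses through the list before applying it is cheap and catches the two classic mistakes at once: an entry that never matches, and a permit any that is never reached.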