Cisco PPP Authentication

As a network engineer, you have most probably already had to deal with PPP authentication at least once or twice in your daily operation. Even more, if you are going for a Cisco certification (and not only) you should know some things about PPP authentication. For today, I’ve planned to deal with back-to-back PPP authentication.

For this back to back scenario, we have the following simple topology:

When we talk about PPP authentication on a back-to-back (end-to-end) line we are dealing with three major authentication methods:

PAP

CHAP

EAP

Now, when we think of security, we can easily observe that PAP is the least secure one and CHAP or EAP are the stronger ones.

PAP (Password Authentication Protocol) transmits unencrypted ASCII passwords over the network and is therefore considered insecure. It should be used only as a last resort, when the remote server does not support a stronger authentication protocol like CHAP or EAP.
CHAP (Challenge-Handshake Authentication Protocol) is a more secure protocol, as it uses a three-way handshake and the shared secret (password) is never sent on the wire. Instead, an MD5 hash computed from the shared secret is sent to the other peer in response to its challenge.
EAP (Extensible Authentication Protocol) is an authentication framework, not a specific authentication mechanism. It provides some common functions and negotiation of authentication methods, called EAP methods. There are currently about 40 different methods defined.

When we think of PPP authentication direction there are two types:

– one-way authentication

– two-way authentication

Pretty obvious, no?

OK, enough with the theory. If you need a deeper understanding of PPP, there is always the Internet. Next, I will show you some simple examples of PPP authentication using PAP, CHAP and EAP.

PAP type authentication

Let’s assume that in the scenario above, R1 is sending a challenge to R2. Very important! In the PPP authentication configuration, you don’t have to configure anything to respond to a challenge. This is done automatically.

R1
username R2 password cisco
int s0/0
encapsulation ppp
ppp authentication pap

R2
int s0/0
encapsulation ppp
ppp pap sent-user R2 password cisco

Actually, that’s it. As I said, pretty simple. You configure R1 to request authentication from R2 with “ppp authentication pap”. R2 has to reply with the username and password defined with “ppp pap sent-user R2 password cisco”. This username and password have to be defined on R1 (here with “username R2 password cisco”). Whatever user and password you configure the challenged side to send back, that same pair has to be defined on the challenger.

CHAP authentication type

Configuring CHAP is even easier. In the example below, I will configure R2 to send a CHAP challenge to R1.

R1
username R2 password cisco
int s0/0
encapsulation ppp

R2
username R1 password cisco
int s0/0
encapsulation ppp
ppp authentication chap

By default, CHAP sends the router hostname as the username in the three-way handshake, so there is no need to specify which user to send like in the PAP method. As I said before, this method is more secure than PAP.
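To make the difference between the PAP and CHAP sections above concrete, here is an added example (not code from the original post) that builds a PAP Authenticate-Request as defined in RFC 1334 and walks through the CHAP three-way handshake of RFC 1994, then checks what an observer on the link would see. The names R1/R2 and the secret “cisco” mirror the configs above; the helper names are my own.

```python
# Added example: PAP vs CHAP on the wire. Packet layouts follow RFC 1334 (PAP)
# and RFC 1994 (CHAP with MD5); hostnames/secret mirror the post's R1/R2/cisco.
import hashlib
import hmac
import os
import struct
from typing import Optional


def pap_authenticate_request(ident: int, peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request (Code 1): the password travels in clear text."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, ident, 4 + len(body)) + body  # Code, ID, Length


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP MD5 response value: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


def chap_verify(ident: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recompute from its own copy of the secret, compare in constant time."""
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)


def chap_exchange(user_db: dict, peer_name: bytes, peer_secret: bytes,
                  ident: int = 1, challenge: Optional[bytes] = None):
    """Simulate the three-way handshake: R2 (authenticator) challenges R1 (peer).

    user_db is the authenticator's 'username ... password ...' table.
    Returns (success, wire); wire lists every message an observer on the
    link sees. The secret itself must never appear in it.
    """
    challenge = challenge if challenge is not None else os.urandom(16)
    wire = [("Challenge", ident, challenge)]                 # 1: random challenge
    resp = chap_response(ident, peer_secret, challenge)      # peer hashes, never sends secret
    wire.append(("Response", ident, resp, peer_name))        # 2: hash + hostname
    expected = user_db.get(peer_name)
    ok = expected is not None and chap_verify(ident, expected, challenge, resp)
    wire.append(("Success" if ok else "Failure", ident))     # 3: verdict
    return ok, wire


def secret_on_wire(wire, secret: bytes) -> bool:
    """True if the raw secret is visible in any captured message field."""
    return any(secret in f for msg in wire for f in msg if isinstance(f, bytes))
```

A fresh challenge per handshake is what stops a captured Response from being reused: the same response value does not verify against a different challenge.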

EAP authentication type

To be honest, I haven’t seen too many PPP connections being authenticated with EAP, but it is there and I saw it in some CCIE lab topics, so you should keep an eye on it. Like the other two methods, this one is easy to implement and offers a more secure level of authentication than PAP.

R1
username R2 password cisco
int s0/0
encapsulation ppp
ppp authentication eap
ppp eap identity R1
ppp eap password cisco
ppp eap local

R2
username R1 password cisco
int s0/0
encapsulation ppp
ppp authentication eap
ppp eap identity R2
ppp eap password cisco
ppp eap local

I believe that the command syntax tells pretty much all there is. With “identity” you define the username to be sent to the peer, “password” is exactly what the word says, and the last option, “local”, is the important one. By default EAP needs a RADIUS server for authentication. If you don’t have one (exams, quick testing…) then you want EAP to use the local database instead of RADIUS, which is what “ppp eap local” does.

These are the basics of PPP authentication. Even if they are not so much in use, try to remember these small steps as you might need them sometime.

Cisco Borderless Network – Phase 2

Everywhere I turn my look in the last days I hear about the upcoming Phase 2 of Cisco Borderless Network. If you are interested, you can register for the event on the Cisco website.

I tried to search for some documentation to understand what Cisco Borderless Network is and what the big difference from Unified Communication is, but all I could find were mostly marketing documents which promise the next network miracle: everything interconnected, controlled and monitored from a distance.

Then I turned to the Cisco blogging community to see what’s there, but it seems that things are not so clear there either. Everybody knows about the 5 phases of the new Cisco service:

  • Phase 1: Borderless Network Services – Delivering innovations IN and ON the network that optimize network availability, performance, and security.
  • Phase 2: Borderless User Services – Embedding key services spanning mobility, security, and application performance across all elements of the network.
  • Phase 3: Borderless Policy – Implementing a unified policy framework for managing security, identity, and access to the network and network resources.
  • Phase 4: Borderless Integration Framework – Bringing end-to-end network-to-endpoint intelligence through open, extensible interfaces into the network.
  • Phase 5: Borderless Experience – Converging services and systems to provide a superior customer and employee experience regardless of location, device, or application.

but these also look more like a marketing ad than network related topics. On Phase 1, I was lucky enough to find some direction on the technical blog of Ivan Pepelnjak, and in this phase it seems that everything was about the new ISR G2 release. Ivan has some objective observations about Phase 1 of Cisco Borderless Network:

  • All the embedded “WAN” ports are Gigabit Ethernet uplinks. Good.
  • They claim up to 5-times higher performance than the previous routers. Average. The ISR series was launched in 2004 and Moore’s law predicts 5.8-times increase.
  • Lots of the old interface modules are supported. Amazing; I’m just hoping it doesn’t hurt the performance.
  • They’ve replaced the old half-hearted attempts to include an x86 generic application platform within a router with the Service Ready Engine (another great marketing invention … sounds so much better than a Linux blade) modules, having up to 4GB of RAM and 1TB of hard disk. I don’t want to know how the people who bought the old AXP platform feel reading these specs.
Now going back to Phase 2, Jim Duffy on the NetworkWorld.com Cisco Subnet is presuming that this will include:
  • innovations in Cisco’s switching portfolio and how they are relevant to the company’s business
  • service-enabling solutions for video, energy management and trusted access
  • a competitive switching offer for the price-sensitive market segment
  • enhanced support and services

but there is still enough fog around the subject. I think I will register for the Phase 2 European event on March 18; maybe I will get some more clues about Cisco Borderless Network.

Skipping all this marketing and technical stuff, I’m wondering if the world is really prepared for this. And when I say world I mean networks. I really don’t know what to say. I mean, I know it’s cool and maybe positive from a financial perspective to turn off the lights in some remote location, but how will your network support this? If you look around you’ll see that network engineers have more pressing problems with day by day operation, like VoIP services, slow data transfer between data centers and LAN security, just to name a couple of my problems.

Another problem is the word of the day: costs. How much will it cost to implement all of this, and will companies be interested in implementing such a solution? I know that from a marketing perspective everything looks great, because that’s their job, to make it look great, but network engineers might have a different opinion.

If you have some news or thoughts regarding this topic, please feel free to use the comment form.

Draw network diagrams with Visio under Mac or Linux

Maybe one of my biggest losses when I switched from PC to Mac was that Microsoft Visio is not available for any platform other than Windows. Now, I’m not a big fan of Microsoft products, but I have to admit that they have some good products, and one of these is Visio. Like it or not, more than 75% of the network diagrams that I get are in VSD format, which we all know (or should know) is a closed proprietary format and until now could not be imported into any other product.

I have no problem drawing new diagrams in NeoOffice (as an example), but what should I do with the ones that I receive and have to modify? Of course, before I used the solution below, I tried others like ConceptDraw or OmniGraffle, which are also good products and which promise that they can import a format called VDX, to which Visio can export diagrams. I don’t know if it’s only me, but most VDX files exported from Visio did not look so nice when opened in another product. Lines were not aligned, some objects were moved, and so on. The final drawing looked nice, but not as expected and not ready to work on. And then again, I cannot call or e-mail everybody that sends me a Visio diagram and say “well, you see, can’t you just export it to VDX…” so that I can check. It’s not professional and it’s a headache. On the other hand, I really like my Mac, so I racked my brains to find a solution.

The easiest one is to have, on a Mac or Linux, a dual boot or a virtual Windows OS with Visio installed on it. Call me a freak, but I didn’t invest in a Mac to have Windows running on it. I’m not saying anything about Linux, which is open source and sees Windows as its worst nightmare.

I decided to use something called Application Virtualization, which delivers to your screen only the user interface of the software that you open. The solution is not new and I’m not the “genius” who thought of it, but it’s the one that fits me best, as I can open any software (in our case Visio) over any network (including the Internet) and, compared with remote desktop solutions, it proved to be faster. What do you need for this to work properly?

First, you need a Windows Server OS available somewhere online, if you plan to have access to these applications when you are on the move. There are multiple solutions. You can host one yourself at home if you have a 24/7 running machine (you can run it even on a virtual machine), maybe you have access to one at your company, or maybe you can afford a VPS. As you don’t need so much power, take the cheapest VPS with Windows Server (I saw some starting at 18$ / month). OK, these are some ideas; the important thing is to have one available.

Next, you need this Windows Server to have IIS and Terminal Services enabled, as this is mandatory for the next step.

This step was the hard part. I needed some Application Virtualization software capable of streaming applications to any environment (Mac, Linux, Windows) and with an affordable price or, unexpectedly, free. I found some out there on the Internet, but most were able to stream virtual applications only to Windows platforms, or they were doing something other than Application Virtualization. One product that immediately came up was XenApp from Citrix. I used this in the past, and I know that it is a reliable, good product. But you can get it as a trial only for 30 days and it was quite hard for me to achieve a working installation. Well, I’m not an expert in Citrix applications, so I assume that this is my fault; otherwise a great product, but not for me.

I kept searching and I found the 2X products webpage.

When I saw “Free download” there, I immediately thought of a free trial download. I was right: the product download comes with a 30-day trial. But then, digging a little deeper, I saw that after these 30 days you can still use the product free of charge; the only limitation is that you have to stick to 3 concurrent connections and one server (so you cannot use the Load Balancer feature). I don’t care about the Load Balancer as I only have one server, and anyhow I’m the only person using it. 3 concurrent connections is enough for 1-2 users with decent usage. I think it is fair that if you use this in your production environment and want more support and resources, you pay for them.

I registered, got the free license immediately and started the installation on a VPS with Windows Server 2003. The installation was quite easy, and the configuration as well, thanks to the existing documentation on their site. Just read and follow the instructions and you will end up with working software.

After the installation is finished, all you have to do is publish the software that you want to be able to access over the network, directly on your screen. Also, if you want to have a fully virtualized desktop, 2X is capable of providing this.

Since a short screencast can show more than 1000 words, please have a look below, where I’ll try to show you the major benefits of this software and how you can manage it to obtain the desired result:

[Embedded screencast: 2X]

I know that this is not the easiest way to do it, and maybe some of you just prefer to use a virtual machine or dual boot, but as I said this fits me best, and maybe you can use the same solution to solve your problems with other Windows based software, not only Visio. Regarding Visio, the best would be for Microsoft to open the VSD format or release a Mac version. For Linux, I don’t think that they even consider such a possibility.

How to integrate GNS3 with Virtual PC

In this article I want to show you how to extend your possibilities to test a network in GNS3. Sure, sometimes it’s simple to use a Loopback interface on one of your edge routers to simulate an external network, but sometimes it is useful to have something connected to the router port. Take as an example QoS marking and classification. If you want to mark something inbound, then you need a connection to the router port where you want to mark the packets.

In addition to my example here, which includes Virtual PC Simulator, you can find a useful tutorial about GNS3 and VMware integration on gns3-labs.com, or how to emulate a voice lab with the same tools on blindhog.net.

Even if most of you are familiar with GNS3 and maybe Virtual PC Simulator, let me begin with a short description of these 2 pieces of software.


GNS3 is a Graphical Network Simulator that allows emulation of complex networks. It allows you to run a Cisco IOS in a virtual environment on your computer (running Windows, Linux or Mac OS X). GNS3 is a graphical front end to a product called Dynagen. Dynamips is the core program that allows IOS emulation.

The Virtual PC Simulator (VPCS) allows you to simulate up to 9 PCs. You can ping/traceroute them, or ping/traceroute the other hosts/routers from the virtual PCs when you study the Cisco routers in Dynamips. VPCS is not a traditional PC; it is just a program running on Linux or Windows, and only a few network commands can be used in it. But VPCS can give you a big hand when you study Cisco devices in Dynamips. VPCS can replace the routers or VMware boxes which are used as PCs in the Dynamips network.

Before we start, I assume that you already have these tools installed. If not, please download and install GNS3 and VPCS.

In the following example I will show you how to configure a network topology including 2 Virtual PCs and one router, and how to interconnect them in GNS3. This presentation simulates a basic network, but after you learn how to do it, you can configure more complex ones. You can have a look at the topology to understand better what I’m talking about.

Please see the video presentation below:

[Embedded video: GNS3 with Virtual PC Simulator]