Welcome to Internetwork Expert's CCIE Blog

Welcome to Internetwork Expert’s CCIE Blog! This site is dedicated to helping you in your pursuit of becoming a Cisco Certified Internetwork Expert in Routing & Switching, Voice, Security, Service Provider, and Storage. Through this blog you can submit questions to our expert instructors, Brian Dennis - Quintuple CCIE #2210, Scott Morris - Quad CCIE #4713, Brian McGahan – Triple CCIE #8593, and Petr Lapukhov - Quad CCIE #16379. Check back daily as this blog will be updated frequently.


December 26th, 2007

How does the “ppp chap password” command work?

Unlike PAP, CHAP never sends the password itself over the line. Instead, each side sends a hash value computed from the password and the magic number. Authentication succeeds only if the hash computed by each authenticating party matches.


By default, the router sends its hostname as the username when authenticating with CHAP. The router on the other side looks that username up in its local database, RADIUS server, or TACACS+ server and finds the password paired with it. If there is no matching username in the database, the password specified with the interface-level command ‘ppp chap password’ is used as the default password.


Suppose you have a central office that has many remote clients dialing into it. If you don’t want to create an entry in the user database for each remote client, you can just specify a default password with ‘ppp chap password’. As long as the remote clients have an entry for the central site in their user database, authentication will be successful.

December 26th, 2007

What is the difference between async modes dedicated and interactive?

“async mode dedicated” is strictly for PPP and SLIP connections. “async mode interactive”, on the other hand, can be used for PPP, SLIP, ARAP, along with EXEC access to the router. Suppose you’re dialing into the router’s AUX port to access the CLI. In this case you want interactive mode. If you’re dialing into the router strictly for a PPP connection, use dedicated mode.

When using interactive mode, you can also use the command “autoselect” on the line to have the router automatically determine whether you want a PPP connection or an EXEC connection.

“async default routing” enables routing on an async interface by default. This means when you dial into the interface, routing is already set up. “async dynamic routing” means that the user must manually initiate the PPP session from the EXEC mode. “async dynamic routing” would be used if you have an “async mode interactive” for which you want EXEC access, and then want to call a PPP session.

Under normal use, you would pair “async mode dedicated” along with “async default routing” when running PPP over a dial-in connection. “async mode interactive” will be used to get remote access to the router via a modem attached to the AUX port. You most likely would not use “async dynamic routing”, since you can just say “autoselect PPP” if you want interactive EXEC and PPP access.

December 26th, 2007

How do prefix-lists work?

Prefix-lists are used to match on prefix and prefix-length pairs. Normal prefix-list syntax is as follows:

ip prefix-list LIST permit w.x.y.z/len

where w.x.y.z is your exact prefix, and len is your exact prefix-length.

“ip prefix-list LIST permit 1.2.3.0/24” would be an exact match for the prefix 1.2.3.0 with a subnet mask of 255.255.255.0. This does not match 1.2.0.0/24, nor does it match 1.2.3.4/32, nor anything in between.

When you add the keywords “GE” and “LE” to the prefix-list, the “len” value changes its meaning. When using GE and LE, the len value specifies how many bits of the prefix you are checking, starting with the most significant bit.

ip prefix-list LIST permit 1.2.3.0/24 le 32

This means:
Check the first 24 bits of the prefix 1.2.3.0
The subnet mask must be less than or equal to 32

This equates to the access-list syntax:

access-list 1 permit 1.2.3.0 0.0.0.255

ip prefix-list LIST permit 0.0.0.0/0 le 32

This means:
Check the first 0 bits of the prefix 0.0.0.0
The subnet mask must be less than or equal to 32
This equates to anything.

ip prefix-list LIST permit 0.0.0.0/0

This means:
The exact prefix 0.0.0.0, with the exact prefix-length 0.
This is matching a default route.

ip prefix-list LIST permit 10.0.0.0/8 ge 21 le 29

This means:
Check the first 8 bits of the prefix 10.0.0.0
The subnet mask must be greater than or equal to 21, and less than or equal to 29.

ip prefix-list CLASS_A permit 0.0.0.0/1 ge 8 le 8

This matches all class A addresses with classful masks. It means:
Check the first bit of the prefix; it must be a 0.
The subnet mask must be greater than or equal to 8, and less than or equal to 8 (it is exactly 8).

When using the GE and LE values, you must satisfy the condition:

Len < GE <= LE

Therefore “ip prefix-list LIST permit 1.2.3.0/24 ge 8” is not a valid list.

What you cannot do with a prefix-list is match on arbitrary bits the way you can in an access-list. Prefix-lists cannot be used to check whether a number is even or odd, or whether a number is divisible by 15, etc. Bit checking in a prefix-list is sequential, starting with the most significant (leftmost) bit.
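The matching rules above, worked through in code. This is an added example written for this post, not IOS code: it parses entries in the same syntax as the examples above (the entry format and the len < ge <= le validity check are taken from the text; when only le is given, IOS additionally requires len < le, which is enforced here as well) and applies them to candidate routes, including the implicit deny at the end of every list.

```python
import re
from ipaddress import IPv4Address, IPv4Network

# Assumed input format: one IOS-style line such as
#   ip prefix-list LIST permit 10.0.0.0/8 ge 21 le 29
ENTRY_RE = re.compile(
    r"^ip prefix-list (\S+) (permit|deny) (\d+\.\d+\.\d+\.\d+)/(\d+)"
    r"(?: ge (\d+))?(?: le (\d+))?$")

def parse_entry(line):
    """Parse one entry into a dict and enforce len < ge <= le.

    Without ge/le the entry is an exact prefix/length match (lo == hi == len).
    With ge and/or le, only the first 'len' bits are compared and the route's
    mask length must fall within [lo, hi].
    """
    m = ENTRY_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a prefix-list entry: {line!r}")
    name, action, addr, plen, ge, le = m.groups()
    plen = int(plen)
    ge = None if ge is None else int(ge)
    le = None if le is None else int(le)
    lo = plen if ge is None else ge
    hi = lo if le is None else le
    if (ge is not None and not plen < ge) or (le is not None and not plen < le) \
            or not lo <= hi or hi > 32:
        raise ValueError(f"invalid range, make sure len < ge <= le: {line!r}")
    return {"name": name, "action": action, "net": int(IPv4Address(addr)),
            "len": plen, "lo": lo, "hi": hi}

def is_valid_entry(line):
    """Convenience wrapper: True if IOS would accept the entry."""
    try:
        parse_entry(line)
        return True
    except ValueError:
        return False

def entry_matches(entry, route):
    """True if route (e.g. '10.1.2.0/24') is matched by the parsed entry."""
    net = IPv4Network(route, strict=False)
    # Compare only the first entry['len'] bits, from the most significant bit.
    mask = (0xFFFFFFFF << (32 - entry["len"])) & 0xFFFFFFFF
    if (int(net.network_address) & mask) != (entry["net"] & mask):
        return False
    return entry["lo"] <= net.prefixlen <= entry["hi"]

def prefix_list_action(lines, route):
    """Evaluate a whole list top-down; unmatched routes hit the implicit deny."""
    for line in lines:
        entry = parse_entry(line)
        if entry_matches(entry, route):
            return entry["action"]
    return "deny"
```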

December 26th, 2007

How do I stop a confederation from being used as transit?

Suppose we have the following scenario:

R1—R2–R3–R4—R5

R1 is AS 100
R2, R3, R4 are AS 200
R5 is AS 300

R2, R3, and R4 form a confederation with sub-AS numbers 65002, 65003, and 65004 respectively, and they originate prefixes A, B, and C respectively. If AS 200 does not want to be transit, it must advertise out only the prefixes originated in these three sub-ASs.

From R2’s perspective, we see the following prefixes with the following AS paths:

A - EMPTY
B - (65003)
C - (65003,65004)

From R4’s perspective, we see the following prefixes with the following AS paths:

A - (65002,65003)
B - (65003)
C - EMPTY

Now we must consider how to match all of these cases in a single line. Remember that parentheses are special characters within the as-path list.

Our minimum case to match would be:

^$

This is our empty AS-PATH, which is prefixes locally originated in our sub-as.

Our maximum case to match would be:

\(X\)

where X is any number of sub-AS numbers, separated by commas. Remember that we need to escape the parentheses.

To satisfy our condition for X, we match one or more instances of any character, which equates to:

.+

Therefore our maximum case is now:

^\(.+\)$

However, we must match the minimum case at the same time, so the group \(.+\) must be optional: it is present either zero or one times. Zero or one instance is expressed by the ? quantifier.

Therefore, our final regular expression will read:

^(\(.+\))?$

Tada!

Advertise only prefixes which match this expression outbound on your border routers, and your confederated AS’s will not be transit.
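To see what the final expression lets through and what it blocks, here is an added example (not from the original post) that runs it against R4’s table from the scenario above plus two constructed entries for prefixes learned from the external ASs 100 and 300. Python’s re module agrees with the IOS as-path regex for the metacharacters used here; the comma-separated segment format follows the post rather than the space-separated form IOS prints.

```python
import re

# The final expression from the post: an empty path, or exactly one
# confederation segment and nothing else.
NO_TRANSIT = re.compile(r"^(\(.+\))?$")

def originated_in_confederation(as_path):
    """True if the AS path shows the prefix originated inside AS 200's sub-ASs."""
    return NO_TRANSIT.match(as_path) is not None

def filter_outbound(routes):
    """Keep only (prefix, as_path) pairs that may be advertised to an eBGP
    neighbour; anything with an external AS in the path would make us transit."""
    return [(p, path) for p, path in routes if originated_in_confederation(path)]

# Constructed view from R4: A, B, C as in the post, plus D learned from R1
# (AS 100) via R2 and R3, and E learned directly from R5 (AS 300).
R4_ROUTES = [
    ("A", "(65002,65003)"),
    ("B", "(65003)"),
    ("C", ""),
    ("D", "(65003,65002) 100"),
    ("E", "300"),
]
```

Running filter_outbound(R4_ROUTES) returns only A, B and C; D and E fail because the external AS number sits outside the single escaped parenthesis group, so ^...$ cannot match.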

December 26th, 2007

How do I compute complex wildcard masks for access-lists?

Access-list address and wildcard pair calculations are based
around the AND and XOR logic gates.

AND: The output is high only when both inputs A and B are high.

A AND B
______________
| A | B | out |
| 0 | 0 |  0  |
| 0 | 1 |  0  |
| 1 | 0 |  0  |
| 1 | 1 |  1  |
--------------

XOR: The output is high when either of inputs A or B is high, but not if
both A and B are high.

A XOR B
______________
| A | B | out |
| 0 | 0 |  0  |
| 0 | 1 |  1  |
| 1 | 0 |  1  |
| 1 | 1 |  0  |
--------------

To find the most specific address and wildcard pair that will
match two addresses, A and B, we use the gates AND and XOR. The address
we will check in the access-list is A AND B. The wildcard used to check
in this list will be A XOR B.

access-list 1 permit [address_to_check] [wildcard_used_to_check]

Take the following example:

We have two IP addresses, 10.20.30.40, and 40.30.20.10. How do we
create an access-list that is the most specific match for these two
addresses? First, write both addresses out in binary:

10.20.30.40 = 00001010.00010100.00011110.00101000
40.30.20.10 = 00101000.00011110.00010100.00001010

To find the address_to_check, take the logical AND of these addresses.

   00001010.00010100.00011110.00101000
&& 00101000.00011110.00010100.00001010
--------------------------------------
   00001000.00010100.00010100.00001000

This is our address_to_check: 8.20.20.8

To find the matching wildcard_used_to_check, we take the logical XOR of
these addresses.

    00001010.00010100.00011110.00101000
XOR 00101000.00011110.00010100.00001010
---------------------------------------
    00100010.00001010.00001010.00100010

This is our wildcard_used_to_check: 34.10.10.34

Therefore, the most specific match for both 10.20.30.40 and 40.30.20.10
would be:

access-list 1 permit 8.20.20.8 34.10.10.34

Here’s one more:

A = 1.2.3.4
B = 5.6.7.8

1.2.3.4 = 00000001.00000010.00000011.00000100
5.6.7.8 = 00000101.00000110.00000111.00001000

A && B  = 00000001.00000010.00000011.00000000
A XOR B = 00000100.00000100.00000100.00001100

Therefore the access-list would read:

access-list 1 permit 1.2.3.0 4.4.4.12
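The AND/XOR procedure above in code, as an added example that is not part of the original post. It generalises to any number of addresses (the wildcard is every bit in which any of the inputs differ, which for two inputs is exactly A XOR B), and it also answers the question a reviewer of such an access-list should ask: how many other addresses the pair matches besides the ones it was built for.

```python
from functools import reduce
from ipaddress import IPv4Address

def most_specific_pair(addresses):
    """Return (address_to_check, wildcard) covering every address given.

    address  = AND of all inputs (bits common to every address)
    wildcard = (OR of all inputs) XOR (AND of all inputs), i.e. every bit in
               which some pair of inputs differs. With two inputs this is the
               A AND B / A XOR B rule from the post.
    """
    ints = [int(IPv4Address(a)) for a in addresses]
    and_all = reduce(lambda x, y: x & y, ints)
    or_all = reduce(lambda x, y: x | y, ints)
    return str(IPv4Address(and_all)), str(IPv4Address(or_all ^ and_all))

def ace_matches(address, wildcard, candidate):
    """IOS semantics: a 1 bit in the wildcard means 'ignore this bit',
    a 0 bit means 'must equal the corresponding bit of address'."""
    a, w, c = (int(IPv4Address(x)) for x in (address, wildcard, candidate))
    return (a & ~w) == (c & ~w)

def addresses_covered(wildcard):
    """How many host addresses the pair matches: 2 ** (number of 1 bits)."""
    return 1 << bin(int(IPv4Address(wildcard))).count("1")
```

For the first example in the post, addresses_covered("34.10.10.34") is 256: the pair built for two hosts also admits 254 others, such as 10.30.20.40.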