\myquote{\citealt{wiki:Link_Layer_Discovery_Protocol}}{The Link Layer Discovery Protocol (LLDP) is a vendor-neutral link layer protocol in the Internet Protocol Suite used by network devices for advertising their identity, capabilities, and neighbours on an IEEE 802 local area network, principally wired Ethernet.[1] The protocol is formally referred to by the IEEE as Station and Media Access Control Connectivity Discovery specified in IEEE 802.1AB[2] and IEEE 802.3-2012 section 6 clause 79.}
\gls{lldp} carries information about
\begin{enumerate}
\item System name,
\item System description,
\item Port name,
\item Port description,
\item\gls{vlan} name,
\item\gls{ip} mgmt addr,
\item System capabilities\footnote{Support for e.g. switching, routing etc.},
\item\gls{mac}/PHY info,
\item MDI\footnote{Media Dependent Interface; MDI power refers to the PoE modes} power,
\item Link aggregation.
\end{enumerate}
\gls{lldp} has the advantage over \gls{cdp} of being more customizable with regard to the use of \gls{tlv}s. \textbf{However}, it has the drawback of not being as lightweight as \gls{cdp}.
\begin{itemize}
\item\itemtitle{Worth remembering}{about \gls{lldp} is the following:}
\begin{itemize}
\item is unidirectional,
\item operates in advertising mode only,
\item does not try to obtain information from other nodes,
\item does not monitor link state changes between nodes,
\item uses \gls{l2} multicast to notify neighbouring nodes of its presence and properties,
\item will record \textit{all} obtained information from received \gls{lldp} frames.
\end{itemize}
\item\itemtitle{Frames}{Multicast addresses --- one of the following is used as the destination.\\Note that the leading \textit{01} octet signifies a \gls{l2} multicast \gls{dst} address.}
\begin{enumerate}
\item 01:80:c2:00:00:0e,
\item 01:80:c2:00:00:03,
\item 01:80:c2:00:00:00.
\end{enumerate}
\item\itemtitle{Commonly exchanged information}{List includes both mandatory and optional fields.}
\begin{enumerate}
\item System name,
\item System description,
\item Port name,
\item Port description,
\item\gls{vlan} name,
\item\gls{ip} mgmt addr,
\item System capabilities\footnote{Support for e.g. switching, routing etc.},
\item MDI\footnote{Media Dependent Interface; MDI power refers to the PoE modes} power,
\item Link aggregation.
\end{enumerate}
\item\itemtitle{Timers}{Default timers for \gls{lldp} on Cisco equipment}
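As an added worked example (not part of the original notes), the following Python decodes an LLDP frame into the fields listed above. It checks the destination against the three multicast addresses, walks the IEEE 802.1AB TLV format (a 16-bit header holding a 7-bit type and a 9-bit length) and bounds-checks every length, which matters because, as noted, a receiver records everything it is sent. The frame is constructed inline from a hypothetical switch; the MAC addresses, names and management address are made up.

```python
import struct

LLDP_ETHERTYPE = 0x88CC
# The three IEEE 802.1AB destination addresses listed above; the leading 01 octet
# marks an L2 multicast address.
LLDP_DESTINATIONS = {
    bytes.fromhex("0180c200000e"): "nearest-bridge",
    bytes.fromhex("0180c2000003"): "nearest-non-tpmr-bridge",
    bytes.fromhex("0180c2000000"): "nearest-customer-bridge",
}
# System-capability bits (802.1AB), lowest bit first.
CAPABILITY_BITS = ["other", "repeater", "bridge", "wlan-ap", "router",
                   "telephone", "docsis", "station"]


def tlv(tlv_type, value):
    """Encode one TLV: 7-bit type and 9-bit length packed into a 16-bit header."""
    if len(value) > 0x1FF:
        raise ValueError("TLV value longer than 511 bytes")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def parse_tlvs(payload):
    """Split an LLDPDU into (type, value) pairs, stopping at the End TLV.
    Every length is checked against the buffer: a receiver records whatever
    it is sent, so it must never trust a length field blindly."""
    tlvs, i = [], 0
    while i + 2 <= len(payload):
        header, = struct.unpack_from("!H", payload, i)
        tlv_type, length = header >> 9, header & 0x1FF
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV")
        tlvs.append((tlv_type, value))
        i += 2 + length
        if tlv_type == 0:
            break
    return tlvs


def capability_names(mask):
    return [name for bit, name in enumerate(CAPABILITY_BITS) if mask & (1 << bit)]


def decode_lldp(frame):
    """Decode an Ethernet frame carrying an LLDPDU into a dict of advertised fields."""
    if len(frame) < 14:
        raise ValueError("frame too short")
    dst, src = frame[:6], frame[6:12]
    ethertype, = struct.unpack("!H", frame[12:14])
    if ethertype != LLDP_ETHERTYPE:
        raise ValueError("not an LLDP frame")
    if dst not in LLDP_DESTINATIONS:
        raise ValueError("unexpected destination address")
    tlvs = parse_tlvs(frame[14:])
    # Chassis ID, Port ID and TTL are mandatory and must come first, in that order.
    if [t for t, _ in tlvs[:3]] != [1, 2, 3]:
        raise ValueError("mandatory TLVs missing or out of order")
    info = {"scope": LLDP_DESTINATIONS[dst], "source_mac": src.hex(":")}
    for tlv_type, value in tlvs:
        if tlv_type == 1:
            info["chassis_id"] = (value[0], value[1:])        # (subtype, id)
        elif tlv_type == 2:
            info["port_id"] = (value[0], value[1:])           # (subtype, id)
        elif tlv_type == 3:
            info["ttl"], = struct.unpack("!H", value)
        elif tlv_type == 4:
            info["port_description"] = value.decode("utf-8", "replace")
        elif tlv_type == 5:
            info["system_name"] = value.decode("utf-8", "replace")
        elif tlv_type == 6:
            info["system_description"] = value.decode("utf-8", "replace")
        elif tlv_type == 7:
            supported, enabled = struct.unpack("!HH", value)
            info["capabilities"] = {"supported": capability_names(supported),
                                    "enabled": capability_names(enabled)}
        elif tlv_type == 8:
            # address string length (includes the subtype byte), subtype, address
            addr_len, subtype = value[0], value[1]
            address = value[2:1 + addr_len]
            if subtype == 1 and len(address) == 4:            # IPv4
                info["mgmt_addr"] = ".".join(str(b) for b in address)
    return info


# Constructed sample frame from a hypothetical switch "sw-access-01" (not captured data).
SAMPLE_FRAME = (
    bytes.fromhex("0180c200000e") + bytes.fromhex("001122334455") + struct.pack("!H", LLDP_ETHERTYPE)
    + tlv(1, b"\x04" + bytes.fromhex("001122334455"))   # chassis ID, subtype 4 = MAC address
    + tlv(2, b"\x05" + b"Gi1/0/1")                      # port ID, subtype 5 = interface name
    + tlv(3, struct.pack("!H", 120))                    # TTL 120 s
    + tlv(5, b"sw-access-01")                           # system name
    + tlv(7, struct.pack("!HH", 0x0014, 0x0004))        # bridge+router supported, bridge enabled
    + tlv(8, b"\x05\x01" + bytes([10, 0, 0, 1]) + b"\x02" + struct.pack("!I", 1) + b"\x00")
    + tlv(0, b"")                                       # End of LLDPDU
)

if __name__ == "__main__":
    for key, val in decode_lldp(SAMPLE_FRAME).items():
        print(f"{key:18} {val}")
```

Running the module prints the decoded fields. A frame that omits the mandatory Chassis ID, Port ID and TTL TLVs, or whose TLV lengths overrun the buffer, is rejected outright rather than partially recorded.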
\myquote{\citealt{wiki:Cisco_Discovery_Protocol}}{Cisco Discovery Protocol (CDP) is a proprietary Data Link Layer protocol developed by Cisco Systems. It is used to share information about other directly connected Cisco equipment, such as the operating system version and IP address. CDP can also be used for On-Demand Routing, which is a method of including routing information in CDP announcements so that dynamic routing protocols do not need to be used in simple networks.}
By default, \gls{cdp} functions by sending frames out of all connected interfaces:
\begin{itemize}
\item Sends frames to the multicast address 01-00-0c-cc-cc-cc\footnote{This multicast address is also used by Cisco for \gls{vtp} messages},
\item by default a frame is sent out every 1 minute\footnote{The timer is adjusted in seconds},
\item no security is built in by default, so spoofing \gls{cdp} packets is not hard if the network operators have neglected basic hardening:
\begin{enumerate}
\item Taking up resources by filling up tables with invalid \gls{cdp} entries\cite{wiki:CDP_Spoofing} is possible,
\item this can be prevented by, e.g., disabling \gls{cdp} on ports where it is unnecessary, such as client access ports,
\item as a further precaution, \gls{cdp} packets can be allowed only on trusted network ports.
\gls{udld} detects whether a link is forwarding traffic in both directions. This is important when operating with fibre-optic links\footnote{Normal copper Ethernet links are not as susceptible to forwarding traffic in only one direction}. Fibre-optic links have the potential for
\item Have defined levels of allowed operations/tasks divided into groups,
\item Validate user-to-groups relations,
\item Allow/Disallow user actions.
\item On network gear the Allow/Disallowed actions can be stored on either the central \gls{aaa} server or locally\footnote{May not apply to all network gear} in the network node.
\end{enumerate}
\item\textbf{Accounting:}
\begin{enumerate}
\item Network nodes collect user and session information from start to end when connecting to a node,
\item All information is transferred back to \gls{aaa} server,
\item Transferred information can be leveraged for several purposes. Typically logged information includes:
\begin{itemize}
\item session duration,
\item user commands,
\item disallowed commands.
\end{itemize}
\end{enumerate}
\end{itemize}
\bigskip
The \textbf{obvious} benefits of using \gls{aaa} are scalability, increased flexibility and granularity of assigned rights, standardization, and failover by using multiple \gls{aaa} servers\footnote{Cisco devices try the \gls{aaa} servers in the order in which they are configured on the node}.
Developer &\begin{tabular}[c]{@{}l@{}}Livingston Enterprises\\ (now industry standard)\end{tabular}&\begin{tabular}[c]{@{}l@{}}Cisco\\ (proprietary)\end{tabular}\\\hline
Transport protocol & UDP ports 1812--1813 & TCP port 49 \\\hline
\gls{aaa} support &\begin{tabular}[c]{@{}l@{}}Combines authentication\\ and authorization, with\\ separate accounting\end{tabular}&\begin{tabular}[c]{@{}l@{}}Uses the \gls{aaa}\\ model and sep-\\ arates all three\\ services\end{tabular}\\\hline
Security &\begin{tabular}[c]{@{}l@{}}Encrypts only the password\\ in the packet\end{tabular}&\begin{tabular}[c]{@{}l@{}}Encrypts the entire\\ packet body\end{tabular}\\\hline
\end{tabular}%
}
\end{table}
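The \textit{Security} row of the table is easiest to see in the packet format itself. The following Python is an added example (not the page's own material, and not a complete RADIUS client) that builds an Access-Request per RFC 2865: the User-Password attribute is hidden with the MD5-based scheme of section 5.2, everything else, including the User-Name, travels in cleartext, and the reply is checked with the Response Authenticator. The shared secret, identifier and request authenticator are constructed values; a real client draws the request authenticator from a CSPRNG, as the default argument does.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks, then XOR each block with
    MD5(secret + previous block); the first 'previous block' is the Request
    Authenticator. Only this one attribute is protected in this way."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block
    return bytes(hidden)


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; the server needs the same shared secret."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    clear, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(clear).rstrip(b"\x00")   # strip the zero padding


def attribute(attr_type, value):
    """Type(1) Length(1, includes the two header bytes) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def packet(code, identifier, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + authenticator + attrs


def build_access_request(secret, identifier, username, password, request_auth=None):
    request_auth = request_auth or os.urandom(16)   # must be unpredictable per request
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)))
    return packet(ACCESS_REQUEST, identifier, request_auth, attrs), request_auth


def response_authenticator(code, identifier, request_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, identifier, request_auth, attrs, secret):
    auth = response_authenticator(code, identifier, request_auth, attrs, secret)
    return packet(code, identifier, auth, attrs)


def verify_response(response, request_auth, secret):
    """Client-side check that a reply came from a holder of the shared secret and
    belongs to the outstanding request; a failed check must be treated as a reject."""
    if len(response) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    expected = response_authenticator(code, identifier, request_auth, response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])


def parse_attributes(attrs):
    """Return [(type, value), ...], rejecting lengths that overrun the buffer."""
    out, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("malformed attribute")
        length = attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            raise ValueError("malformed attribute")
        out.append((attrs[i], attrs[i + 2:i + length]))
        i += length
    return out


# Constructed values for the demonstration (not from any real deployment).
SECRET, REQUEST_AUTH = b"example-shared-secret", bytes(range(16))

if __name__ == "__main__":
    req, ra = build_access_request(SECRET, 7, b"alice", b"s3cret-pw", REQUEST_AUTH)
    print("User-Name visible in cleartext:", b"alice" in req)
    resp = build_response(ACCESS_ACCEPT, 7, ra, b"", SECRET)
    print("Access-Accept verifies:", verify_response(resp, ra, SECRET))
```

Because only one attribute is obscured and an MD5 construction is the only integrity mechanism, the RADIUS path between the network node and the server should itself be protected, e.g. by an IPsec tunnel or RADIUS over TLS (RFC 6614); that is what the \textit{encrypts the entire packet body} property of TACACS+ gives natively.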
\newpage
\section{RADIUS}
\fig{radius/radiuscommunication}{radiuscommunication}{Radius handshake and communication}
802.1X deviates from standard \gls{aaa} used in network management by also providing support for:
\begin{itemize}
\item user mobility and
\item user access control by way of governing policies.
\end{itemize}
\fig{8021x/8021x}{8021x}{ID Management}
Depending on the user connecting to the network, they can be given access to
\begin{itemize}
\item the resources their group/identity have been assigned or
\item put into a guest \gls{vlan} if nothing is assigned to them or
\item simply block the client/user altogether.
\end{itemize}
By default, Cisco switches allow only the following three protocols to pass until the client is authenticated: \gls{eapol}, \gls{cdp} and \gls{stp} traffic.
\begin{itemize}
\item The \textbf{authenticator\footnote{Network node}} is the edge node/\gls{ap} closest to the client/user. This node controls the client's physical access to the network. It sends encapsulated \gls{eap} frames to the authentication server over RADIUS for validation.
\item The \textbf{authentication server}
\end{itemize}
\fig{8021X/portauth}{portauth}{802.1X Port Auth}
802.1X can be enabled on a Cisco switch globally by \cliline{dot1x system-auth-control} and \textit{then} enabled on the switch port{\footnotesize (s)} by \cliline{aaa authentication dot1x}.
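To make the pre-authentication filter and the three outcomes concrete, here is an added Python model of the authenticator's per-port state (illustrative code, not Cisco's implementation). It classifies frames by EtherType and destination MAC, lets only \gls{eapol}, \gls{cdp} and \gls{stp} through an unauthorized port, and applies the result returned by the authentication server as the list above describes: the assigned \gls{vlan}, the guest \gls{vlan} if nothing is assigned, or blocking. The MACs and frames are constructed for the example.

```python
import struct

EAPOL_ETHERTYPE = 0x888E
CDP_DESTINATION = bytes.fromhex("01000ccccccc")   # CDP multicast address (see the CDP section)
STP_DESTINATION = bytes.fromhex("0180c2000000")   # 802.1D bridge group address used by BPDUs
KNOWN_ETHERTYPES = {0x0800: "ipv4", 0x0806: "arp", 0x86DD: "ipv6"}

# What an unauthorized port lets through while the client is still unauthenticated.
PRE_AUTH_ALLOWED = {"eapol", "cdp", "stp"}


def ethernet(dst, src, type_or_length, payload):
    """Constructed Ethernet II / 802.3 frame (no real traffic involved)."""
    return dst + src + struct.pack("!H", type_or_length) + payload


def classify(frame):
    """Name the protocol a frame carries from its EtherType and destination MAC."""
    if len(frame) < 14:
        return "runt"
    dst = frame[:6]
    type_or_length, = struct.unpack("!H", frame[12:14])
    if type_or_length == EAPOL_ETHERTYPE:
        return "eapol"
    if type_or_length <= 1500:            # 802.3 length field: LLC/SNAP encapsulated
        if dst == STP_DESTINATION:
            return "stp"
        if dst == CDP_DESTINATION:
            return "cdp"
        return "llc-other"
    return KNOWN_ETHERTYPES.get(type_or_length, f"ethertype-0x{type_or_length:04x}")


class AuthenticatorPort:
    """Per-port state kept by the authenticator: unauthorized until the
    authentication server says otherwise."""

    def __init__(self, access_vlan=1, guest_vlan=None):
        self.state = "unauthorized"
        self.vlan = None
        self.access_vlan = access_vlan
        self.guest_vlan = guest_vlan

    def forwards(self, frame):
        """Would this port let the frame through in its current state?"""
        if self.state == "authorized":
            return True
        return classify(frame) in PRE_AUTH_ALLOWED

    def apply_auth_result(self, result, assigned_vlan=None):
        """Apply the outcome relayed from the authentication server.
        Modelled on the three outcomes listed above: assigned resources,
        guest VLAN when nothing is assigned, or blocked."""
        if result != "accept":
            self.state, self.vlan = "unauthorized", None
        elif assigned_vlan is not None:
            self.state, self.vlan = "authorized", assigned_vlan
        elif self.guest_vlan is not None:
            self.state, self.vlan = "authorized", self.guest_vlan
        else:
            self.state, self.vlan = "authorized", self.access_vlan
        return self.state


CLIENT_MAC = bytes.fromhex("aabbccddeeff")      # constructed
SWITCH_MAC = bytes.fromhex("001122334455")      # constructed
SAMPLE_FRAMES = {
    # EAPOL-Start to the PAE group address
    "eapol_start": ethernet(bytes.fromhex("0180c2000003"), CLIENT_MAC, EAPOL_ETHERTYPE, b"\x01\x01\x00\x00"),
    # LLC-encapsulated BPDU: DSAP/SSAP 0x42, control 0x03
    "stp_bpdu": ethernet(STP_DESTINATION, SWITCH_MAC, 38, b"\x42\x42\x03" + b"\x00" * 35),
    # SNAP-encapsulated CDP: OUI 00:00:0c, protocol id 0x2000
    "cdp": ethernet(CDP_DESTINATION, SWITCH_MAC, 30, b"\xaa\xaa\x03\x00\x00\x0c\x20\x00" + b"\x00" * 22),
    "arp": ethernet(b"\xff" * 6, CLIENT_MAC, 0x0806, b"\x00" * 28),
    "ipv4": ethernet(SWITCH_MAC, CLIENT_MAC, 0x0800, b"\x45" + b"\x00" * 19),
}

if __name__ == "__main__":
    port = AuthenticatorPort(access_vlan=10, guest_vlan=99)
    for name, frame in SAMPLE_FRAMES.items():
        print(f"unauthorized port, {name:12} ({classify(frame)}): forwards={port.forwards(frame)}")
```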
\gls{snmp} is \txtupdown{used heavily} to monitor the status of network nodes all round with a high level of granularity. \textit{Plus} the option to use traps\footnote{\gls{snmp} event triggered by the network node} for instant notification about the event or events currently happening on the node.\cite{wiki:Simple_Network_Management_Protocol}
\item\gls{snmp}v2 added, \textit{in addition} to two extra message types, a complex new security model. This was never widely accepted, which is why \gls{snmp}v2c exists and is considered the \textit{de-facto} \gls{snmp}v2 standard.
\item\gls{snmp}v2c replaced the complex security model of \gls{snmp}v2 with \texttt{community strings}. This poses a lot of inherent security risks because (amongst other things) of the weak authentication used when polling data from \gls{snmp} agents. Because of this, Cisco recommends only enabling \gls{snmp}v2c for data polling from \gls{snmp} agents.
\item\textbf{Never} use v2c to push configuration changes to \gls{snmp} agents, because its security level is simply not adequate for that.
\gls{snmp} on any platform is only as good as the equipment vendor's software implementation of it. Some network equipment vendors may not implement the same level of functionality in their \gls{snmp} agent as in their, often proprietary, \gls{cli} environment.\cite{wiki:Simple_Network_Management_Protocol}
\begin{itemize}
\item Under-implemented features in \gls{snmp} compared to the proprietary \gls{cli} environment,
\item badly done \gls{snmp} implementations can sometimes result in unnecessarily high resource utilization,
\item values of \textit{tabular} data formats\footnote{E.g. the \gls{ip} routing table} may not be returned in a consistent format when requesting data from equipment from different vendors,
\item metrics for e.g. resource utilization\footnote{E.g. disk usage} locally on a device are not always comparable\footnote{Different vendors may have chosen different methods for measuring resource utilization} across equipment from different vendors.
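The community-string risk described above is visible on the wire. As an added example (not from the cited source), the following Python encodes and decodes SNMPv1/v2c messages with a minimal BER implementation and then applies the kind of rule a monitoring system would use: flag the cleartext community string, flag well-known defaults, and flag any SetRequest carried over v1/v2c, since that is a configuration write protected by nothing but the community string. Both messages are constructed; the community strings, OIDs and contact value are sample data.

```python
# Just enough ASN.1 BER to build and read an SNMP v1/v2c message.
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest", 0xA6: "InformRequest",
             0xA7: "SNMPv2-Trap"}
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}
WELL_KNOWN_COMMUNITIES = {b"public", b"private"}


def ber_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag, content):
    return bytes([tag]) + ber_length(len(content)) + content


def ber_int(n):
    """INTEGER, two's complement in the minimal number of bytes."""
    size = 1
    while not -(1 << (8 * size - 1)) <= n < (1 << (8 * size - 1)):
        size += 1
    return ber(0x02, n.to_bytes(size, "big", signed=True))


def ber_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                    # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return ber(0x06, bytes(out))


def ber_decode(buf, i=0):
    """Return (tag, content, index just past this element)."""
    tag, length = buf[i], buf[i + 1]
    i += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[i:i + n], "big")
        i += n
    if i + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[i:i + length], i + length


def oid_decode(content):
    arcs, value = [content[0] // 40, content[0] % 40], 0   # adequate for the 1.3.x tree used here
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def build_message(version, community, pdu_tag, request_id, varbinds):
    """Message ::= SEQUENCE { version INTEGER, community OCTET STRING, data PDU }."""
    vbl = b"".join(ber(0x30, ber_oid(oid) + value) for oid, value in varbinds)
    pdu = ber(pdu_tag, ber_int(request_id) + ber_int(0) + ber_int(0) + ber(0x30, vbl))
    return ber(0x30, ber_int(version) + ber(0x04, community) + pdu)


def parse_message(msg):
    tag, body, _ = ber_decode(msg)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, i = ber_decode(body)
    _, community, i = ber_decode(body, i)
    pdu_tag, pdu, _ = ber_decode(body, i)
    _, request_id, j = ber_decode(pdu)
    _, _, j = ber_decode(pdu, j)            # error-status
    _, _, j = ber_decode(pdu, j)            # error-index
    _, vbl, _ = ber_decode(pdu, j)
    varbinds, k = [], 0
    while k < len(vbl):
        _, vb, k = ber_decode(vbl, k)
        _, oid, m = ber_decode(vb)
        value_tag, value, _ = ber_decode(vb, m)
        varbinds.append((oid_decode(oid), value_tag, value))
    return {"version": VERSIONS.get(int.from_bytes(version, "big", signed=True), "unknown"),
            "community": community,
            "pdu": PDU_TYPES.get(pdu_tag, f"0x{pdu_tag:02x}"),
            "request_id": int.from_bytes(request_id, "big", signed=True),
            "varbinds": varbinds}


def audit(msg):
    """Findings a monitoring rule would raise for one captured SNMP message."""
    m = parse_message(msg)
    findings = []
    if m["version"] in ("v1", "v2c"):
        findings.append("community string sent in cleartext: %r" % m["community"])
        if m["pdu"] == "SetRequest":
            findings.append("configuration write (SetRequest) over %s" % m["version"])
    if m["community"] in WELL_KNOWN_COMMUNITIES:
        findings.append("well-known default community string")
    return m, findings


# Constructed sample messages (not captured from any device).
SET_SYSCONTACT = build_message(1, b"private", 0xA3, 42,
                               [("1.3.6.1.2.1.1.4.0", ber(0x04, b"ops@example.net"))])
GET_SYSDESCR = build_message(1, b"public", 0xA0, 43,
                             [("1.3.6.1.2.1.1.1.0", ber(0x05, b""))])

if __name__ == "__main__":
    for sample in (SET_SYSCONTACT, GET_SYSDESCR):
        parsed, findings = audit(sample)
        print(parsed["version"], parsed["pdu"], parsed["varbinds"], findings, sep="\n  ")
```

The SetRequest finding is the rule that enforces the \textbf{Never} above; on a network where v2c is allowed for polling only, any v1/v2c SetRequest is either a misconfigured manager or someone with a captured community string.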
The topic of availability is an \textbf{old} one. It has been around since the start of electronics, with \textit{\bsq{so-called}} mission-critical functions in infrastructure servicing the public: power plants, hospitals, water stations, \glspl{chp}. IT/network infrastructure has become close to as important, if not in some cases more important.
The server park churning out numbers, reports, handling image processing, journals, billing, employee salary payments, company payments, etcetera. You get the picture by now. If the IT/network infrastructure is somehow unavailable or under-performing, it can have a large impact on the day-to-day operations of few or many people, processes and budgets. Perhaps you do not get your salary on time, the company is down with no production possible, there is no running water in household taps, no electricity, no gas to cook or heat with, and no hospital operations are possible because a non-functioning network renders desktop computers, PDAs and mobile hospital units unusable for a lengthy period of time.
\item The stack is always managed as one single logical unit. All the normal day-to-day operations on the CLI/SNMP Agents/Integrated web server is made to the management \gls{ip}.
\item The switches run a modified protocol to communicate all things from the master switch to the slaves and vice-versa.
\item New switches are automatically brought up to speed with the operating software from the master node in the stack and will be ready to operate after plug-and-play operation is finished.
\item Channel bundling can be performed with member ports across the whole stack. Say one port, TenGigE x/1, in each of member switches 0--3. Now it is a 4x10G channel.
\item We can avoid \glspl{stp} internally on the stack as a whole. \textit{Yes}. Fewer Layer 2 loops and/or errors.
\end{itemize}
\textbf{\gls{cli}}
\begin{itemize}
\item View members of stack: \cliline{show switch}
\item View members status of stack ports: \cliline{show switch stack-ports}
\myquote{\citealt{wiki:Category:First-hop_redundancy_protocols}}{is a computer networking protocol which is designed to protect the default gateway used on a subnetwork by allowing two or more routers to provide backup for that address}
\item Priority 100\footnote{Higher is better. Range is 0x00--0xFF}
\item Priority 0 is special. Forces master role whenever possible
\item Hello time 1s\footnote{Per \gls{rfc} 3768, \gls{vrrp} does \textbf{not} support millisecond timers. Cisco has chosen to implement them anyway; they work only between Cisco devices!}
\item Hold time 3s
\item Multicast grp 224.0.0.18 protocol no. 112
\item 1 master router; the rest are backup routers.
\end{itemize}
\item\itemhead[]{Properties}
\begin{enumerate}
\item Can only do object tracking {\footnotesize (think objects combined with \gls{ip} SLA objects)},
\item the virtual \gls{ip} can match the interface \gls{ip} of the master router.
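The timers and priorities above determine who becomes master. The Python below is an added model of the \gls{vrrp} election rules as given in \gls{rfc} 3768 (cited in the footnote above), not the page's own material: the router whose interface address equals the virtual address is the owner and runs at priority 255, a higher priority wins with ties broken by the higher primary \gls{ip}, and the master-down interval is three times the advertisement interval plus a skew time of (256 minus priority)/256 seconds, which is the 3 s hold time above plus a small priority-dependent skew so that the best backup times out first. Note that the \gls{rfc} uses priority 0 in an advertisement to mean the master is giving up the role rather than claiming it. The topology is constructed.

```python
import ipaddress
from dataclasses import dataclass

ADVERTISEMENT_INTERVAL = 1.0     # seconds; the 1 s hello time listed above
OWNER_PRIORITY = 255             # reserved for the router that owns the virtual IP


@dataclass(frozen=True)
class VrrpRouter:
    ip: str           # primary address on the VRRP interface
    priority: int     # 1..254 for backups, 255 for the address owner

    def __post_init__(self):
        if not 1 <= self.priority <= 255:
            raise ValueError("configured priority must be 1..255; 0 is only sent on shutdown")

    @property
    def ip_value(self):
        return int(ipaddress.IPv4Address(self.ip))


def effective_priority(router, virtual_ip):
    """A router whose interface IP equals the virtual IP is the owner and runs at 255."""
    return OWNER_PRIORITY if router.ip == virtual_ip else router.priority


def skew_time(priority):
    return (256 - priority) / 256


def master_down_interval(priority):
    """RFC 3768: 3 * Advertisement_Interval + Skew_Time. At priority 100 this is
    3.609375 s; a higher-priority backup gets a shorter interval and so takes
    over first when advertisements stop."""
    return 3 * ADVERTISEMENT_INTERVAL + skew_time(priority)


def elect(routers, virtual_ip):
    """Highest effective priority wins; ties go to the higher primary IP."""
    return max(routers, key=lambda r: (effective_priority(r, virtual_ip), r.ip_value))


def backup_receives(local, advert_priority, preempt=True):
    """Backup-state handling of a received advertisement (RFC 3768 section 6.4.2)."""
    if advert_priority == 0:
        return "take over after skew time"       # master is shutting down
    if not preempt or advert_priority >= local.priority:
        return "stay backup, reset master-down timer"
    return "ignore advertisement, take over when master-down timer expires"


def master_receives(local, advert_priority, advert_ip):
    """Master-state handling of a received advertisement (RFC 3768 section 6.4.3)."""
    if advert_priority == 0:
        return "stay master, send advertisement"
    sender_wins_tie = int(ipaddress.IPv4Address(advert_ip)) > local.ip_value
    if advert_priority > local.priority or (advert_priority == local.priority and sender_wins_tie):
        return "become backup"
    return "stay master, discard advertisement"


# Constructed topology: three routers on 10.0.0.0/24 sharing virtual IP 10.0.0.1.
VIRTUAL_IP = "10.0.0.1"
ROUTERS = [VrrpRouter("10.0.0.2", 100), VrrpRouter("10.0.0.3", 100), VrrpRouter("10.0.0.4", 90)]

if __name__ == "__main__":
    master = elect(ROUTERS, VIRTUAL_IP)
    print(f"master: {master.ip} (priority {master.priority}), "
          f"master-down interval {master_down_interval(master.priority):.6f} s")
```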