\myquote{\citealt{wiki:Link_Layer_Discovery_Protocol}}{The Link Layer Discovery Protocol (LLDP) is a vendor-neutral link layer protocol in the Internet Protocol Suite used by network devices for advertising their identity, capabilities, and neighbours on an IEEE 802 local area network, principally wired Ethernet.[1] The protocol is formally referred to by the IEEE as Station and Media Access Control Connectivity Discovery specified in IEEE 802.1AB[2] and IEEE 802.3-2012 section 6 clause 79.}
\gls{lldp} carries information about
\begin{enumerate}
\item System name,
\item System description,
\item Port name,
\item Port description,
\item\gls{vlan} name,
\item\gls{ip} mgmt addr,
\item System capabilities\footnote{Support for e.g. switching, routing etc.},
\item\gls{mac}/PHY info,
\item MDI\footnote{MDI refers to modes in PoE} power,
\item Link aggregation.
\end{enumerate}
\gls{lldp} has the advantage over \gls{cdp} of being more customizable with regard to the use of \gls{tlv}s. \textbf{However}, it has the drawback of not being as lightweight as \gls{cdp}.
\begin{itemize}
\item\itemtitle{Worth remembering}{about \gls{lldp} is the following}
\begin{itemize}
\item is unidirectional,
\item operates in advertising mode only,
\item does not try to obtain information from other nodes,
\item does not monitor link state changes between nodes,
\item uses \gls{l2} multicast to notify neighbouring nodes of its presence and properties,
\item will record \textit{all} obtained information from received \gls{lldp} frames.
\end{itemize}
\item\itemtitle{Frames}{Multicast addresses --- One of the following is used.\\Note the \textit{01} signifies a \gls{l2} multicast \gls{dst} address.}
\begin{enumerate}
\item 01:80:c2:00:00:0e,
\item 01:80:c2:00:00:03,
\item 01:80:c2:00:00:00.
\end{enumerate}
\item\itemtitle{Commonly exchanged information}{List includes both mandatory and optional fields.}
\begin{enumerate}
\item System name,
\item System description,
\item Port name,
\item Port description,
\item\gls{vlan} name,
\item\gls{ip} mgmt addr,
\item System capabilities\footnote{Support for e.g. switching, routing etc.},
\item MDI\footnote{MDI refers to modes in PoE} power,
\item Link aggregation.
\end{enumerate}
\item\itemtitle{Timers}{Default timers for \gls{lldp} on Cisco equipment}
\myquote{\citealt{wiki:Cisco_Discovery_Protocol}}{Cisco Discovery Protocol (CDP) is a proprietary Data Link Layer protocol developed by Cisco Systems. It is used to share information about other directly connected Cisco equipment, such as the operating system version and IP address. CDP can also be used for On-Demand Routing, which is a method of including routing information in CDP announcements so that dynamic routing protocols do not need to be used in simple networks.}
\gls{cdp} works by sending frames out of all connected interfaces by default.
\begin{itemize}
\item Sends frames to multicast address 01-00-0c-cc-cc-cc\footnote{This multicast address is also used by Cisco for \gls{vtp} messages},
\item by default a frame is sent out every 1 minute\footnote{The timer is adjustable in seconds},
\item no security is built in by default, so spoofing \gls{cdp} packets is not hard if the network operators have neglected basic hardening:
\begin{enumerate}
\item Exhausting resources by filling up tables with invalid \gls{cdp} entries\cite{wiki:CDP_Spoofing} is possible,
\item this can be prevented by, e.g., disabling \gls{cdp} on ports where it is unnecessary, such as client access ports,
\item a further precaution is to only allow \gls{cdp} packets on trusted network ports.
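Added example, not part of these notes and not code from any vendor: a small Python parser for the \gls{lldp} frame layout described above (one of the three \gls{l2} multicast destination addresses, EtherType 0x88CC, then a sequence of TLVs with a 7-bit type and 9-bit length), feeding a per-port neighbour table. Since an agent records \textit{all} information from received \gls{lldp} frames, the table caps the number of distinct neighbours it accepts per port and raises an alert when the cap is hit, which is the same table-exhaustion risk just described for \gls{cdp}. The \texttt{sample\_frame} helper, the frames it builds, the port names and the default cap of four neighbours are constructed for the example.

```python
import struct
from collections import defaultdict

# The three LLDP multicast destination addresses; the low bit of the first
# octet (the 01) marks a group address.
LLDP_DST_MACS = {
    bytes.fromhex("0180c200000e"),
    bytes.fromhex("0180c2000003"),
    bytes.fromhex("0180c2000000"),
}
LLDP_ETHERTYPE = 0x88CC

# TLV type numbers from IEEE 802.1AB (the "commonly exchanged information").
TLV_NAMES = {1: "ChassisID", 2: "PortID", 3: "TTL", 4: "PortDescription",
             5: "SystemName", 6: "SystemDescription", 7: "SystemCapabilities",
             8: "ManagementAddress", 127: "OrgSpecific"}


def parse_lldp_frame(frame: bytes) -> dict:
    """Parse one Ethernet frame carrying an LLDPDU into {tlv name: value}."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if dst not in LLDP_DST_MACS or ethertype != LLDP_ETHERTYPE:
        raise ValueError("not an LLDP frame")
    tlvs = {"src_mac": src}
    offset = 14
    while offset + 2 <= len(frame):
        header = struct.unpack("!H", frame[offset:offset + 2])[0]
        tlv_type, tlv_len = header >> 9, header & 0x1FF   # 7-bit type, 9-bit length
        offset += 2
        value = frame[offset:offset + tlv_len]
        if len(value) != tlv_len:
            raise ValueError("truncated TLV")
        offset += tlv_len
        if tlv_type == 0:                                  # End of LLDPDU TLV
            return tlvs
        if tlv_type == 3 and tlv_len == 2:                 # TTL in seconds
            tlvs["TTL"] = struct.unpack("!H", value)[0]
        else:
            tlvs[TLV_NAMES.get(tlv_type, f"type{tlv_type}")] = value
    raise ValueError("missing End of LLDPDU TLV")


class NeighborTable:
    """Per-port neighbour table with a hard cap, so a flood of bogus
    advertisements cannot grow the table without bound (constructed example)."""

    def __init__(self, max_per_port: int = 4):
        self.max_per_port = max_per_port
        self.entries = defaultdict(dict)   # port -> {(chassis id, port id): tlvs}
        self.alerts = []

    def learn(self, port: str, frame: bytes) -> bool:
        tlvs = parse_lldp_frame(frame)
        key = (tlvs.get("ChassisID"), tlvs.get("PortID"))
        known = self.entries[port]
        if key not in known and len(known) >= self.max_per_port:
            self.alerts.append(f"{port}: {self.max_per_port} neighbours already learned, ignoring {key}")
            return False
        known[key] = tlvs          # new neighbour, or refresh of an existing one
        return True


def tlv(tlv_type: int, value: bytes) -> bytes:
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def sample_frame(chassis_mac: bytes, port_name: bytes, sysname: bytes) -> bytes:
    """Constructed LLDP frame (not a capture): chassis id subtype 4 (MAC address),
    port id subtype 5 (interface name), TTL 120 s, system name, end TLV."""
    eth = bytes.fromhex("0180c200000e") + chassis_mac + struct.pack("!H", LLDP_ETHERTYPE)
    return (eth + tlv(1, b"\x04" + chassis_mac) + tlv(2, b"\x05" + port_name)
            + tlv(3, struct.pack("!H", 120)) + tlv(5, sysname) + tlv(0, b""))


if __name__ == "__main__":
    table = NeighborTable(max_per_port=2)
    for i in range(1, 4):
        ok = table.learn("Gi0/24", sample_frame(bytes([0, 0, 0, 0, 0, i]), b"Gi0/1", f"sw{i}".encode()))
        print("accepted" if ok else "rejected", table.alerts[-1:])
```

The cap is a detection aid rather than a fix: the real mitigation is still to disable the discovery protocol on access ports, as the list above says, and the alert tells you which port to look at.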
\gls{udld} detects whether a link is forwarding traffic in both directions. This is important when operating fibre-optic links\footnote{Normal Ethernet links are not as susceptible to running traffic in only one direction}. Fibre-optic links have the potential for
\item Have defined levels of allowed operations/tasks divided into groups,
\item Validate user-to-groups relations,
\item Allow/Disallow user actions.
\item On network gear the allowed/disallowed actions can be stored either on the central \gls{aaa} server or locally\footnote{May not apply to all network gear} on the network node.
\end{enumerate}
\item\textbf{Accounting:}
\begin{enumerate}
\item Network nodes collect user and session information from start to end when connecting to a node,
\item All information is transferred back to \gls{aaa} server,
\item Transferred info can be leveraged for several purposes. Typically logged info is:
\begin{itemize}
\item session duration,
\item user commands,
\item disallowed commands.
\end{itemize}
\end{enumerate}
\end{itemize}
\bigskip
\textbf{Obvious} benefits of using \gls{aaa} are scalability, increased flexibility and granularity of assigned rights, standardization, and failover by using multiple \gls{aaa} servers\footnote{Cisco devices try the \gls{aaa} servers in the order in which they are configured on the node}.
Developer &\begin{tabular}[c]{@{}l@{}}Livingston Enterprises\\ (now industry standard)\end{tabular}&\begin{tabular}[c]{@{}l@{}}Cisco\\ (proprietary)\end{tabular}\\\hline
Transport protocol & UDP ports 1812-1813 & TCP port 49 \\\hline
\gls{aaa} support &\begin{tabular}[c]{@{}l@{}}Combines authentication\\ and authorization;\\ separate accounting\end{tabular}&\begin{tabular}[c]{@{}l@{}}Uses the \gls{aaa}\\ model and\\ separates all\\ three services\end{tabular}\\\hline
Security &\begin{tabular}[c]{@{}l@{}}Encrypts only the password\\ in the packet\end{tabular}&\begin{tabular}[c]{@{}l@{}}Encrypts the entire\\ packet body\end{tabular}\\\hline
\end{tabular}%
}
\end{table}
\newpage
\section{RADIUS}
\fig{radius/radiuscommunication}{radiuscommunication}{Radius handshake and communication}
aaa authentication login radius_list group RADIUS local
!
line vty 0 4
 login authentication radius_list
line vty 5 15
 login authentication radius_list
\end{txt}
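Added example, not from these notes and not from Cisco or any RADIUS/TACACS+ implementation: Python that works through the \textit{Security} row of the comparison table. RADIUS hides only the User-Password attribute (RFC 2865 section 5.2: an MD5 keystream from the shared secret and the Request Authenticator, XORed block by block), while attributes such as User-Name travel in the clear, and the NAS validates the Response Authenticator (RFC 2865 section 3) before trusting a reply. TACACS+ XORs the whole packet body with an MD5 keystream derived from the session ID, key, version and sequence number (RFC 8907, data obfuscation). The shared secrets, user name, password, packet identifier and session ID are constructed values.

```python
import hashlib
import struct


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def radius_hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR block i with MD5(secret + c_{i-1}),
    where c_0 is the 16-byte Request Authenticator from the packet header."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block                      # keystream chains on the ciphertext block
    return bytes(hidden)


def radius_reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of radius_hide_password (what the RADIUS server does)."""
    plain, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        plain += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    # Strip the zero padding; a password ending in NUL bytes would lose them.
    return bytes(plain).rstrip(b"\x00")


def build_access_request(ident: int, request_auth: bytes, username: bytes,
                         password: bytes, secret: bytes) -> bytes:
    """Minimal Access-Request: Code 1, ID, Length, Request Authenticator,
    User-Name (type 1, cleartext) and User-Password (type 2, hidden)."""
    attrs = bytes([1, 2 + len(username)]) + username
    hidden = radius_hide_password(password, secret, request_auth)
    attrs += bytes([2, 2 + len(hidden)]) + hidden
    return bytes([1, ident]) + struct.pack("!H", 20 + len(attrs)) + request_auth + attrs


def radius_response_authenticator(code: int, ident: int, attrs: bytes,
                                  request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    A NAS recomputes this over a received reply and discards it on mismatch."""
    header = bytes([code, ident]) + struct.pack("!H", 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def tacacs_plus_obfuscate(body: bytes, key: bytes, session_id: int,
                          version: int = 0xC0, seq_no: int = 1) -> bytes:
    """RFC 8907 body obfuscation: pad_1 = MD5(session_id|key|version|seq_no),
    pad_n = MD5(session_id|key|version|seq_no|pad_{n-1}); body XOR pad.
    XOR is symmetric, so the same call undoes it. version 0xC0 = major 0xC, minor 0."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return _xor(body, pad)


if __name__ == "__main__":
    ra = bytes(range(16))                       # constructed; real ones are random
    pkt = build_access_request(7, ra, b"alice", b"correct horse battery staple", b"shared-secret")
    print("User-Name visible in RADIUS packet:", b"alice" in pkt)
    body = tacacs_plus_obfuscate(b"\x01\x00\x01\x02alice", b"shared-secret", 0x12345678)
    print("User name visible in TACACS+ body:", b"alice" in body)
```

Both keystreams are MD5-based and keyed only by the shared secret, which is why the table calls the protection "encrypts" with some generosity; the practical takeaway for the configurations in this section is that the secret and the transport path deserve the same care as a password.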
\newpage
\section{TACACS+}
\fig{tacacsplus/tacacspluscommunication}{tacacspluscommunication}{Tacacs plus handshake and communication}
\begin{txt}
aaa group server tacacs+ TACACS
 server-private 1.1.1.1 key unkn0wn!unicAst
 ip tacacs source-interface Loopback0
!
aaa authentication attempts login 1
aaa authentication login default group TACACS local-case
aaa authentication login console local-case
aaa authentication enable default group TACACS enable
aaa authorization exec default group TACACS local
aaa authorization commands 0 default group TACACS local
aaa authorization commands 15 default group TACACS local
aaa accounting exec default
 action-type start-stop
 group tacacs+
!
aaa accounting commands 1 default
 action-type start-stop
 group tacacs+
!
aaa accounting commands 2 default
 action-type start-stop
 group tacacs+
!
aaa accounting commands 15 default
 action-type start-stop
 group tacacs+
!
aaa session-id common
!
tacacs-server host 10.21.0.45
tacacs-server key unkn0wn!unicAst
\end{txt}
\section{802.1X}
802.1X deviates from standard \gls{aaa} used in network management by also providing support for:
\begin{itemize}
\item user mobility and
\item user access control by way of governing policies.
\end{itemize}
\fig{8021x/8021x}{8021x}{ID Management}
Based upon the user connecting to the network, they can be given access to
\begin{itemize}
\item the resources their group/identity have been assigned or
\item put into a guest \gls{vlan} if nothing is assigned to them or
\item simply block the client/user altogether.
\end{itemize}
By default, Cisco switches allow only the following three protocols to pass until the client is authenticated: \gls{eapol}, \gls{cdp} and \gls{stp}.
\begin{itemize}
\item The \textbf{authenticator\footnote{Network node}} is the edge node/\gls{ap} closest to the client/user. This node controls the client's physical access to the network. It sends encapsulated \gls{eap} frames to the authentication server over RADIUS for validation.
\item The \textbf{authentication server}
\end{itemize}
\fig{8021X/portauth}{portauth}{802.1X Port Auth}
802.1X can be enabled on a Cisco switch globally by \cliline{dot1x system-auth-control} and \textit{then} enabled on the switch port{\footnotesize (s)} by \cliline{aaa authentication dot1x}.
\clearpage
\subsection*{Enable with Cisco config}
\begin{txt}
aaa new-model
radius-server host radiusserver.example.com key .unkown!unicAst.
aaa group server radius RADIUS-SERVER-DK
 server radiusserver.example.com
aaa authentication dot1x default group RADIUS-SERVER-DK
dot1x system-auth-control
!
! The port must be an access port before dot1x is enabled on it
interface GigabitEthernet 0/4
 switchport mode access
 dot1x port-control auto
\gls{snmp} is \txtupdown{used heavily} to monitor the status of network nodes all round with a high level of granularity, \textit{plus} the option to use traps\footnote{\gls{snmp} event triggered by the network node} for instant notification about current events happening on the node.\cite{wiki:Simple_Network_Management_Protocol}
\item\gls{snmp}v2 added, \textit{in addition} to two extra message types, a complex new security model. This was never widely accepted, which is why \gls{snmp}v2c exists and is considered the \textit{de facto} \gls{snmp}v2 standard.
\item\gls{snmp}v2c replaced the complex security model of \gls{snmp}v2 with \texttt{community strings}. This poses a lot of inherent security risks because (amongst other things) of the weak authentication used when polling data from \gls{snmp} agents. Because of this, Cisco recommends only enabling \gls{snmp}v2c for polling data from \gls{snmp} agents.
\item\textbf{Never} use v2c to push configuration changes to \gls{snmp} agents, because its security level is simply not adequate for that.
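Added example, not part of these notes: a small Python audit over \texttt{snmp-server} lines in the style of a Cisco running-config, flagging what the recommendations above warn against: a v2c community with RW access (configuration pushes over community-string authentication), communities without an access-list restricting who may poll, and well-known default strings. The sample configuration, the access-list name and the \texttt{audit\_snmp\_config} function are constructed for the example; the v3 lines are included only to show that the audit leaves them alone.

```python
import re

# Constructed sample in the style of a Cisco IOS running-config (not from a real device).
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
snmp-server community mon-only RO SNMP-POLLERS
snmp-server group NMS-V3 v3 priv
ip access-list standard SNMP-POLLERS
 permit 10.0.0.5
"""

# snmp-server community <string> [view <name>] [RO|RW] [<acl>]; RO is the default mode.
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?:\s+view\s+\S+)?(?:\s+(RO|RW))?(?:\s+(\S+))?\s*$")

# Vendor default strings that every scanner and worm tries first.
WEAK_COMMUNITIES = {"public", "private"}


def audit_snmp_config(config: str) -> list:
    """Return (community, finding) tuples for v2c community lines that grant
    write access, lack an access-list, or use a well-known default string."""
    findings = []
    for raw in config.splitlines():
        m = COMMUNITY_RE.match(raw.strip())
        if not m:
            continue                       # not a community line (v3 users, ACLs, ...)
        community, mode, acl = m.group(1), m.group(2) or "RO", m.group(3)
        if mode == "RW":
            findings.append((community, "v2c write access: community strings are not adequate for pushing configuration"))
        if acl is None:
            findings.append((community, "no access-list: any host that learns the string may poll the agent"))
        if community.lower() in WEAK_COMMUNITIES:
            findings.append((community, "well-known default community string"))
    return findings


if __name__ == "__main__":
    for community, finding in audit_snmp_config(SAMPLE_CONFIG):
        print(f"{community}: {finding}")
```

The clean line in the sample, \texttt{mon-only RO SNMP-POLLERS}, is the shape the recommendation above leads to: read-only polling, restricted to the management station's address.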
\gls{snmp} on any platform is only as good as the equipment vendor's software implementation. Some network equipment vendors may not implement the same level of functionality in their \gls{snmp} agent as in their often proprietary \gls{cli} environment.\cite{wiki:Simple_Network_Management_Protocol}
\begin{itemize}
\item under-implemented features in \gls{snmp} compared to the proprietary \gls{cli} environment,
\item badly done \gls{snmp} implementations can sometimes result in unnecessarily high resource utilization,
\item values of \textit{tabular} data formats\footnote{E.g. the \gls{ip} routing table} may not be returned in a consistent format when requesting data from equipment from different vendors,
\item metrics for e.g. resource utilization\footnote{E.g. hard disk usage} locally on a device are not always comparable\footnote{Different vendors may have chosen different methods for measuring resource utilization} across equipment from different vendors.