
Merge branch 'develop'

This commit is contained in:
chhan11 2017-06-04 23:09:20 +02:00
commit 27ca82b8d3
20 changed files with 1015 additions and 642 deletions

.gitignore vendored

@ -1,2 +1,4 @@
main\.glsdefs main\.glsdefs
main\.synctex\.gz\(busy\)


@ -7,43 +7,60 @@
%\newacronym{}{}{} %\newacronym{}{}{}
%\newacronym{}{}{} %\newacronym{}{}{}
%\newacronym{}{}{} %\newacronym{}{}{}
\newacronym{ap}{AP}{Access Point}
\newacronym{arp}{ARP}{Address Resolution Protocol} \newacronym{arp}{ARP}{Address Resolution Protocol}
\newacronym{bgp}{BGP}{Border Gateway Protocol} \newacronym{bgp}{BGP}{Border Gateway Protocol}
\newacronym{bpdu}{BPDU}{Bridge Protocol Data Unit} \newacronym{bpdu}{BPDU}{Bridge Protocol Data Unit}
\newacronym{cdp}{CDP}{Cisco Discovery Protocol}
\newacronym{cli}{CLI}{Command Line Interface} \newacronym{cli}{CLI}{Command Line Interface}
\newacronym{cst}{CST}{Common Spanning Tree} \newacronym{cst}{CST}{Common Spanning Tree}
\newacronym{cest}{CEST}{Central European Summer Time}
\newacronym{cwdm}{CWDM}{} \newacronym{cwdm}{CWDM}{}
\newacronym{db}{DB}{Database} \newacronym{db}{DB}{Database}
\newacronym{dhcp}{DHCP}{Dynamic Host Control Protocol} \newacronym{dhcp}{DHCP}{Dynamic Host Control Protocol}
\newacronym{dknog}{DKNOG}{Danish Network Operators' Group} \newacronym{dknog}{DKNOG}{Danish Network Operators' Group}
\newacronym{dns}{DNS}{Domain Name System} \newacronym{dns}{DNS}{Domain Name System}
\newacronym{dst}{dst}{destination}
\newacronym{dwdm}{DWDM}{} \newacronym{dwdm}{DWDM}{}
\newacronym{eap}{EAP}{Extensible Authentication Protocol}
\newacronym{eapol}{EAPoL}{Extensible Authentication Protocol over Local Area Network}
\newacronym{eigrp}{EIGRP}{Enhanced Interior Gateway Routing Protocol} \newacronym{eigrp}{EIGRP}{Enhanced Interior Gateway Routing Protocol}
\newacronym{erspan}{ERSPAN}{Encapsulated Remote Switch Port Analyzer}
\newacronym{evpn}{EVPN}{Ethernet Virtual Private Network} \newacronym{evpn}{EVPN}{Ethernet Virtual Private Network}
\newacronym{ftp}{FTP}{File Transfer Protocol} \newacronym{ftp}{FTP}{File Transfer Protocol}
\newacronym{ftps}{FTPS}{File Transfer Protocol Secure} \newacronym{ftps}{FTPS}{File Transfer Protocol Secure}
\newacronym{gps}{GPS}{Global Positioning System}
\newacronym{gprs}{GPRS}{General Packet Radio Service}
\newacronym{gsm}{GSM}{Global System for Mobile communications}
\newacronym{ieee}{IEEE}{Institute of Electrical and Electronics Engineers} \newacronym{ieee}{IEEE}{Institute of Electrical and Electronics Engineers}
\newacronym{igrp}{IGRP}{Interior Gateway Routing Protocol} \newacronym{igrp}{IGRP}{Interior Gateway Routing Protocol}
\newacronym{imap}{IMAP}{Internet Message Access Protocol} \newacronym{imap}{IMAP}{Internet Message Access Protocol}
\newacronym{ios}{IOS}{Internetwork Operating System}
\newacronym{ip}{IP}{Internet Protocol} \newacronym{ip}{IP}{Internet Protocol}
\newacronym{ipv4}{IPV4}{Internet Protocol v4} \newacronym{ipv4}{IPv4}{Internet Protocol v4}
\newacronym{ipv6}{IPV6}{Internet Protocol v6} \newacronym{ipv6}{IPv6}{Internet Protocol v6}
\newacronym{irc}{IRC}{Internet Relay Chat} \newacronym{irc}{IRC}{Internet Relay Chat}
\newacronym{isis}{ISIS}{Intermediate System to Intermediate System} \newacronym{isis}{IS-IS}{Intermediate System to Intermediate System}
\newacronym{isp}{ISP}{Internet Service Provider} \newacronym{isp}{ISP}{Internet Service Provider}
\newacronym{junos}{JUNOS}{Juniper Network Operating System}
\newacronym{l2}{L2}{Layer 2} \newacronym{l2}{L2}{Layer 2}
\newacronym{l2vpn}{L2VPN}{Layer 2 Virtual Private Network} \newacronym{l2vpn}{L2VPN}{Layer 2 Virtual Private Network}
\newacronym{l3}{L3}{Layer 3} \newacronym{l3}{L3}{Layer 3}
\newacronym{lacp}{LACP}{Link Aggregation Protocol} \newacronym{lacp}{LACP}{Link Aggregation Protocol}
\newacronym{lan}{LAN}{Local Area Network} \newacronym{lan}{LAN}{Local Area Network}
\newacronym{lldp}{LLDP}{Link Layer Discovery Protocol}
\newacronym{mac}{MAC}{Media Access Control address} \newacronym{mac}{MAC}{Media Access Control address}
\newacronym{mkc}{MKC}{Mikkel Krøll} \newacronym{mkc}{MKC}{Mikkel Kr\char"00F8ll}
\newacronym{metdst}{MET-DST}{Middle European Time Daylight Saving Time}
\newacronym{mpls}{MPLS}{Multiprotocol Label Switching} \newacronym{mpls}{MPLS}{Multiprotocol Label Switching}
\newacronym{mst}{MST}{Multiple Spanning Tree} \newacronym{mst}{MST}{Multiple Spanning Tree}
\newacronym{nms}{NMS}{Network Management Software}
\newacronym{ntp}{NTP}{Network Time Protocol}
\newacronym{osi}{OSI}{Open Systems Interconnection} \newacronym{osi}{OSI}{Open Systems Interconnection}
\newacronym{ospf}{OSPF}{Open Shortest Path First} \newacronym{ospf}{OSPF}{Open Shortest Path First}
\newacronym{ospfv3}{OSPFV3}{Open Shortest Path First v3} \newacronym{ospfv3}{OSPFv3}{Open Shortest Path First v3}
\newacronym{pagp}{PAGP}{Port Aggregation Protocol} \newacronym{pagp}{PAGP}{Port Aggregation Protocol}
\newacronym{poe}{PoE}{Power over Ethernet}
\newacronym{pop3}{POP3}{Post Office Protocol} \newacronym{pop3}{POP3}{Post Office Protocol}
\newacronym{pvrst}{PVRST}{Per Vlan Rapid Spanning Tree} \newacronym{pvrst}{PVRST}{Per Vlan Rapid Spanning Tree}
\newacronym{pvrst+}{PVRST+}{Per Vlan Rapid Spanning Tree Plus} \newacronym{pvrst+}{PVRST+}{Per Vlan Rapid Spanning Tree Plus}
@ -51,20 +68,28 @@
\newacronym{pvst+}{PVST+}{Per Vlan Spanning Tree Plus} \newacronym{pvst+}{PVST+}{Per Vlan Spanning Tree Plus}
\newacronym{rfc}{RFC}{Request For Comments} \newacronym{rfc}{RFC}{Request For Comments}
\newacronym{rip}{RIP}{Routing Information Protocol} \newacronym{rip}{RIP}{Routing Information Protocol}
\newacronym{rspt}{RSTP}{Rapid Spanning Tree} \newacronym{rspan}{RSPAN}{Remote Switch Port Analyzer}
\newacronym{rpvst+}{RPVST}{Rapid Per Vlan Spanning Tree} \newacronym{rstp}{RSTP}{Rapid Spanning Tree Protocol}
\newacronym{rpvst}{RPVST}{Rapid Per Vlan Spanning Tree}
\newacronym{rpvst+}{RPVST+}{Rapid Per Vlan Spanning Tree Plus}
\newacronym{sftp}{SFTP}{Secure Shell File Transfer Protocol} \newacronym{sftp}{SFTP}{Secure Shell File Transfer Protocol}
\newacronym{sla}{SLA}{Service Level Agreement}
\newacronym{smtp}{SMTP}{Simpe Mail Transfer Protocol} \newacronym{smtp}{SMTP}{Simpe Mail Transfer Protocol}
\newacronym{snmp}{SNMP}{Simple Network Management Protocol} \newacronym{snmp}{SNMP}{Simple Network Management Protocol}
\newacronym{sntp}{SNTP}{Secure Network Time Protocol}
\newacronym{sp}{SP}{Service Provider} \newacronym{sp}{SP}{Service Provider}
\newacronym{span}{SPAN}{Switch Port Analyzer}
\newacronym{src}{src}{source}
\newacronym{ssh}{SSH}{Secure Shell} \newacronym{ssh}{SSH}{Secure Shell}
\newacronym{stp}{STP}{Spanning Tree Protocol} \newacronym{stp}{STP}{Spanning Tree Protocol}
\newacronym{tcn}{TCN}{Topology Change Notification} \newacronym{tcn}{TCN}{Topology Change Notification}
\newacronym{tcp}{TCP}{Transmission Control Protocol} \newacronym{tcp}{TCP}{Transmission Control Protocol}
\newacronym{tftp}{TFTP}{Trivial File Transfer Protocol} \newacronym{tftp}{TFTP}{Trivial File Transfer Protocol}
\newacronym{toc}{TOC}{Table Of Contents} \newacronym{tlv}{TLV}{Type, Length, Value}
\newacronym{toc}{ToC}{Table of Contents}
\newacronym{udld}{UDLD}{Unidirectional Link Detection} \newacronym{udld}{UDLD}{Unidirectional Link Detection}
\newacronym{udp}{UDP}{User Datagram Protocol} \newacronym{udp}{UDP}{User Datagram Protocol}
\newacronym{utc}{UTC}{Coordinated Universal Time}
\newacronym{vlan}{VLAN}{Virtual Local Area Network} \newacronym{vlan}{VLAN}{Virtual Local Area Network}
\newacronym{vpn}{VPN}{Virtual Private Network} \newacronym{vpn}{VPN}{Virtual Private Network}
\newacronym{vtp}{VTP}{Virtual Trunking Protocol} \newacronym{vtp}{VTP}{Virtual Trunking Protocol}
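Review bot: The added entry `\newacronym{sntp}{SNTP}{Secure Network Time Protocol}` expands the acronym incorrectly; SNTP is the Simple Network Time Protocol (RFC 4330), a reduced NTP client profile that carries no security of its own, so the line should read `\newacronym{sntp}{SNTP}{Simple Network Time Protocol}`. Several context lines the commit leaves untouched carry the same kind of error: DHCP is the Dynamic Host Configuration Protocol (RFC 2131), LACP is the Link Aggregation Control Protocol, and `Simpe Mail Transfer Protocol` is a typo. Because every `\gls{}` in the document renders from this file, a wrong expansion here is reproduced in each chapter that uses it, so these are worth fixing in the same pass.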


@ -1,10 +1,10 @@
\chapter{DHCP} \chapter[DHCP]{Dynamic Host Control Protocol}
\section{DHCP Process} \section[DHCP Process]{Dynamic Host Control Protocol Process}
\fig{dhcp/dhcpdiscoverprocess}{dhcpdiscoverprocess}{DHCP Discover Process} \fig{dhcp/dhcpdiscoverprocess}{dhcpdiscoverprocess}{DHCP Discover Process}
\subsection{DHCP Messages} \subsection[DHCP Messages]{Dynamic Host Control Protocol Messages}
\begin{itemize} \begin{itemize}
\item \textbf{DHCPDECLINE:} Message sent from the client to the server that the address is already in use. \item \textbf{DHCPDECLINE:} Message sent from the client to the server that the address is already in use.
@ -13,7 +13,7 @@
\item \textbf{DHCPINFORM:} A client already has an \gls{ip} address but is requesting other configuration parameters that the \gls{dhcp} server is configured to deliver such as \gls{dns} address. \item \textbf{DHCPINFORM:} A client already has an \gls{ip} address but is requesting other configuration parameters that the \gls{dhcp} server is configured to deliver such as \gls{dns} address.
\end{itemize} \end{itemize}
\section{DHCP Options} \section[DHCP Options]{Dynamic Host Control Protocol Options}
\begin{itemize} \begin{itemize}
\item \textbf{43} Vendor-encapsulated option that enables vendors to have their own list of options on the server. \item \textbf{43} Vendor-encapsulated option that enables vendors to have their own list of options on the server.
@ -22,7 +22,7 @@
\item \textbf{150} \gls{tftp} server that enables your phones to access a list of \gls{tftp} servers. \item \textbf{150} \gls{tftp} server that enables your phones to access a list of \gls{tftp} servers.
\end{itemize} \end{itemize}
\section{DHCP Example Configuration} \section[DHCP Example Configuration]{Dynamic Host Control Protocol Example Configuration}
\subsection{Cisco} \subsection{Cisco}
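Review bot: The new long titles on the `\chapter`, `\section` and both `\subsection` lines spell out `Dynamic Host Control Protocol`, but the protocol is the Dynamic Host Configuration Protocol (RFC 2131); each of those headings should use `Dynamic Host Configuration Protocol`. The `dhcp` glossary entry changed elsewhere in this commit has the same wrong expansion, so the two should be corrected together to keep headings and `\gls{dhcp}` consistent. The chapter continues past the last hunk, so the remaining headings after `\subsection{Cisco}` were not checked.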


@ -1,7 +1,589 @@
\chapter{Layer 2} \chapter{Layer 2}
\input{chapter/layer2/switchednetwork} \section{Switch Network}
\subsection{VTP}
\fig{vtp/implementing-vtp}{imp-vtp1}{VTP}
\subsubsection{VTP Modes}
The tree modes a \gls{vtp} \textit{enabled} device can operate are
\begin{itemize}
\item Transparent
\item Server
\item Client
\end{itemize}
Of course you can \textit{disable} \gls{vtp} altogether.
Key things to be aware of \textit{before} enabling \gls{vtp} in your environment is to make double sure of only having 1 \gls{vtp} domain. \textbf{If} 2 or more \gls{vtp} domains exists. Be triple sure to separate them! As to avoid having an \gls{vtp} server \gls{db} overridden with data from another \gls{vtp} domain.
The three \gls{vtp} modes \textit{operates} as follow
\begin{itemize}
\item Transparent
\begin{itemize}
\item Creates, modifies and deletes \textit{local} \gls{vlan} only
\item Forwards advertisements
\item Does \textit{not} synchronizes vlan configurations.
\end{itemize}
\item Server
\begin{itemize}
\item Creates, modifies and deletes vlans
\item Sends and forwards advertisements
\item Synchronizes vlan configurations
\end{itemize}
\item Client
\begin{itemize}
\item Cannot create, modify or delete vlans
\item Send and forwards advertisements
\item Synchronizes vlan configurations
\end{itemize}
\end{itemize}
\subsubsection{VTP Announcement}
\gls{vtp} operates with announcements sent out in intervals. Summarized it amounts to
\begin{itemize}
\item 1 \textit{summary} announcement per 5th minute from the server
\item The summary announcement informs clients of the current revision
\item An announcement is sent out \textit{on the spot} when a change has been made on the\gls{vtp}server
\end{itemize}
Do remember it is \textbf{only} the \gls{vtp} server which has the \gls{vlan} configuration stored \textbf{on disk}. All device clients and transparent nodes do only store the \gls{vlan} delegated by \gls{vtp} in memory.
\subsubsection{Common Issues}
\begin{itemize}
\item Different/Incompatible \gls{vtp} versions
\item Wrong password
\item Incorrect mode name
\item No server set (all devices configured in transparent/client/\gls{vtp} disabled mode)
\end{itemize}
\subsubsection{VTP Versions}
\begin{itemize}
\item Version 1
\item Version 2
\begin{itemize}
\item Version-dependent transparent mode
\item Consistencycheck
\item Token ring support
\item Unrecognized type-length-value support
\end{itemize}
\item Version 3 (not "yet" common)
\begin{itemize}
\item Extended \gls{vlan} support: Allow ranges are 1-1005,1018-2095. Not mentioned \gls{vlan} ranges up to 4095 is still reserved.
\item Domain name is not automatically learned.
\item Better security.
\item Better database propagation.
\item \gls{mst} now supported.
\end{itemize}
\end{itemize}
\subsubsection{VTP Pruning}
The art of only allowing the \gls{vlan} traffic to flow on \textit{necessary} links.
This means if there are no clients in a \gls{vlan} on a device. Then no traffic for the inactive \gls{vlan}s are send down-/upstream on the link in question.
\fig{vtp/vtp-pruning}{vtpruning1}{VTP Pruning}
\subsubsection{Security}
It is \textbf{strongly} recommended to enable the security features supported in \gls{vtp}.
\textbf{Password:} MD5 hashing, Case-sensitive, Length between 8 and 64 chars.
\notice{VTP Scaling}{
As the network grows and grows and grows and grows some more over long/short timespans.
You will \textbf{for certain} come to cross-rode, where you \textbf{must} consider to
go away from using \gls{vtp} in the network. The problems of managing an elderly network and
wiping and re-introducing nodes in the network. You \textbf{will} face the issue of a
wiped vlan database from the \gls{vtp} domain.
}
\subsubsection{Example configuration}
\lstinputlisting{code/vtp/example.cfg}
\subsection{Channel Bundling (aka. EtherChannel, PortChannel)}
Channel bundling is the "art" of using multiple physical links as one single logical link in when viewed from the perspective of the forwarding plane.
Technologies:
\begin{itemize}
\item \textbf{\gls{pagp}:} The Cisco-only thingy
\item \textbf{\gls{lacp}:} The \gls{ieee} standard
\item \textbf{Static:} Just forced on
\end{itemize}
\fig{channelbundling/network-without-channelbundling}{noethernetchannel}%
{No Channelbundling present}
Channel bundling of switch ports in the network may or may not be the best idea, in regards to the networks growth rate in terms of min. required bandwidth.
Channel bundling spreads out the in and egress flows based upon one of several methods configured on the switch:
\begin{itemize}
\item Source to Destination \gls{mac}
\item Source to Destination \gls{ip}
\end{itemize}
Keep in mind this will by no means archive true load balancing. Where all links are equally used based upon number of flows \textit{or} in terms of used bandwidth.
\begin{table}[h]
\centering
\caption{Channel bundling mechanisms}
\label{chbundmech1}
\resizebox{\columnwidth}{!}{%
\begin{tabular}{|l|l|l|}
\hline
Hash Input Code & Hash Input Detecision & Switch Model \\ \hline
dst-ip & Dest \gls{ip} addr & All models \\ \hline
dst-mac & Dest \gls{mac} addr & All models \\ \hline
src-dst-ip & Src and dest \gls{ip} addr & All models \\ \hline
src-dst-mac & Src and dest \gls{mac} addr & All models \\ \hline
src-ip & Src \gls{ip} addr & All models \\ \hline
src-mac & Src \gls{mac} addr & All models \\ \hline
src-port & Src port no & 4500,6500 \\ \hline
dst-port & Dest port no & 4500,6500 \\ \hline
src-dst-port & Src and dest port no & 4500,6500 \\ \hline
\end{tabular}%
}
\end{table}
\fig{channelbundling/network-with-channelbundling}{withethernetchannel}%
{Channelbundling present}
\subsubsection{Protocol Properties}
\begin{itemize}
\item \gls{lacp}
\begin{itemize}
\item Active: Enabled
\item Passive: Waits for \gls{lacp} packets on the wire before enabled
\end{itemize}
\item \gls{pagp}
\begin{itemize}
\item Desirable: Enabled
\item Auto: Waits for \gls{pagp} packets on the wire before enabled
\end{itemize}
\end{itemize}
Some other \underline{required} settings to be (equal across all ports) aware of when configuring Channel bundling are
\begin{enumerate}
\item Port speeds
\item Duplex mode
\item Configured \gls{vlan} ranges
\end{enumerate}
\subsubsection{Example configuration}
\lstinputlisting{code/channelbundling/example.cfg}
\newpage \newpage
\input{chapter/layer2/spanningtree} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% %
% SECTION BEGIN spanning tree protocol %
% %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\section{Spanning Tree}
Spanning Tree exists for the \textbf{sole} reason to save "your" network and all the broadcast storms an network engineer having a bad day can by mistake create!
STP comes from the above desire where redundancy was wanted but no protocol existed before \gls{stp} to help in this regard.
\begin{table}[h]
\centering
\caption{Spanning Tree standards}
\label{stpstandards}
\resizebox{\columnwidth}{!}{%
\begin{tabular}{|l|l|l|l|l|}
\hline
\textbf{} & \textbf{Standard} & \textbf{Ressource Usage} & \multicolumn{2}{l|}{\textbf{Convergence}} \\ \hline
\gls{cst} & 802.1D & Low & Slow & All vlans \\ \hline
\gls{pvst+} & Cisco & High & Slow & Per vlan \\ \hline
\gls{rstp} & 802.1w & So-so (Med.) & Fast & All vlans \\ \hline
\gls{rpvst+} & Cisco & On-the-double (V.High) & Fast & Per vlan \\ \hline
\gls{mst} & 802.1s & Med. - High & Fast & Vlan list \\ \hline
\end{tabular}%
}
\end{table}
\subsection{Port Roles}
When a switch is enabled for Spanning Tree. One of the following roles will have been assumed by any port on the switch in question.
\begin{itemize}
\item \textbf{Root port:} Only 1 port on any switch (non-counting the root bridge!). Is always the port with the lowest metric (aka. best path) to the root bridge.
\begin{itemize}
\item The upstream/-link port closest to the root bridge on all switches apart from the root bridge.
\end{itemize}
\item \textbf{Designated port:} A designated port is the port on any segment closest to the root bridge and forwarding traffic.
\begin{itemize}
\item The port on any switch in downstream direction closet to the root bridge.
\end{itemize}
\item \textbf{\textit{Non}-designated port:} Put in blocking mode and not currently forwarding traffic.
\begin{itemize}
\item All switch ports which did not get elected as the root or designated port.
\end{itemize}
\item \textbf{Disabled port:} The port has been one-way-or-another shut down.
\end{itemize}
\subsubsection{specific port roles}
\begin{itemize}
\item \textbf{Alternative port} is an active port in network with an alternative path to the root bridge. A port in alternative mode will remain active but \textit{discards} all traffic until the the current designated path fails.
\item \textbf{Backup port} is running in active mode and \textit{discards} all traffic it recieves until the current designated port on the segment the backup port is connected to, fails.
\end{itemize}
Election of ports goes in order of the following values (low is best): 1) root bridge id, 2) lowest path cost to root bridge, 3) sender bridge id, 4) sender port bridge id
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% %
% SECTION BEGIN standards %
% %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\subsection{Standards}
\begin{itemize}
\item \gls{stp} {\scriptsize Spanning Tree Protocol}
\begin{itemize}
\item \gls{ieee} 802.1D
\item Was created in a time where bridged networks was the norm.
\item Supports a single vlan/lan.
\end{itemize}
\item \gls{cst} {\scriptsize Common Spanning Tree}
\begin{itemize}
\item An evolution of \gls{stp}
\item \gls{cst} still only supports one \gls{stp} instance.
\item But \gls{cst} do thou in contrast to \gls{stp} support \textit{multiple} vlans.
\end{itemize}
\item \gls{pvst} {\scriptsize Per Vlan Spanning Tree}
\begin{itemize}
\item Now obsolute and succeded by \gls{pvst+}
\end{itemize}
\item \gls{pvst+} {\scriptsize Per Vlan Spanning Tree Plus}
\begin{itemize}
\item Runs an instance of \gls{stp} per vlan.
\item Can guarante better utilization of available network bandwidth.
\item Root bridge and port priorities can be configured per vlan.
\item Uses the term alternate for nondesignated port.
\end{itemize}
\item \gls{rstp} {\scriptsize Rapid Spanning Tree Protocol}
\begin{itemize}
\item \gls{ieee} 802.1w
\item A future development of the original 802.1D standard meant to provide faster convergance. As the original \gls{stp} standard wasn't actually that fast.
\end{itemize}
\item \gls{rpvst+} {\scriptsize Rapid Per Vlan Spanning Tree Plus}
\begin{itemize}
\item A cisco implementation of \gls{rstp} based upon \gls{pvst+}.
\end{itemize}
\item \gls{mst} {\scriptsize Multiple Spanning Tree}
\begin{itemize}
\item Originally a cisco developed protocol. \gls{mst} has since been developed as an \gls{ieee} standard.
\item \gls{mst} can as \gls{cst} map multiple vlans to a single \gls{stp} instance.
\item \gls{mst} \textit{differently} than \gls{cst} supports multiple \gls{stp} instances.
\item Fx. Instance 1: Vlan 1-99, Instane 2: Vlan 100-199.
\end{itemize}
\end{itemize}
\subsection{Features}
\subsubsection{BPDU}
\textbf{B}ridge \textbf{P}rotocol \textbf{D}ata \textbf{U}nits is on cisco equipment sent out every 2 seconds and generally catogorizes into 2 categories:
\begin{itemize}
\item \textit{Configuration} \gls{bpdu} used for \gls{stp} calculations and
\item \textit{Topology change notifications} \gls{bpdu}s used to notify other network nodes of a change in the network.
\end{itemize}
Any network node with switchports and \gls{stp} + \gls{bpdu} enabled sends out \gls{bpdu} packets with the ports \gls{mac} as the src address. The destination \gls{mac} is is designated \gls{stp} multicast addr 01:80:C2:00:00:00.
\subsubsection{Root Bridge}
Using a \textbf{R}oot \textbf{B}rigde as the reference point for the \gls{stp} instance and calculation of root/designated/non-designated ports.\\This election process uses a pre-configured bridge priority (ranges from $0$ to $2^{16}$) (defaults to $2^{15}$). If a tie in priority is found the switch in possession of the lowest \gls{mac} address wins the root bridge election.
\begin{txt}
|<-------- bridge id 8 bytes --->|
+----------+---------------------+
| Bridge | MAC |
| priority | Address |
+----------+---------------------+
|< 2 byte >|<----- 6 bytes ----->|
\end{txt}
\subsubsection{Port Cost}
\begin{table}[h]
\centering
\caption{Default port cost in spanning tree}
\label{stpportcost}{!}{%
\begin{tabular}{|l|l|}
\hline
\textbf{Link} & \textbf{Default Cost} \\ \hline
10 Gbps & 1 \\ \hline
1 Gbps & 4 \\ \hline
100 Mbps & 19 \\ \hline
10 Mbps & 100 \\ \hline
\end{tabular}%
}
\end{table}
\fig{spanningtree/portroles}{stpportroles}{Port Election}
\textit{\textbf{NB:} beware that when working with bundled links (aka. ether-/port-channel). Then the link cost will be calculated based upon the summarized bandwidth accross all links.}
\fig{spanningtree/portstates}{stpportstates}{Port States}
\section{Rapid Spanning Tree Protocol}
\fig{rstp/portroles}{rstpportroles}{Port Roles}
\fig{rstp/portlinktypes}{rstpportlinktypes}{Port link types}
Things to be aware of regarding \gls{rstp} port roles
\begin{itemize}
\item \textbf{Shared} port state will only ever be present on segments where a hub is present.
\item \textbf{Point-2-Point} port is connected to a single switch on the other end.
\item \textbf{Edge} port roles is only ever connected to end devices. Status as Edge port is lost if a \gls{bpdu} is ever recieved.
\end{itemize}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% %
% SECTION BEGIN port roles %
% %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\section{Port roles}
\subsection{Fast port roles}
Cisco did on their part early on enhance the original spanning tree standard with some proprietary portroles that can (on cisco switch equipment) skip steps in the port role election process. And configure a \gls{stp} switchport to a specific behavior as described below:
\begin{itemize}
\item PortFast
\begin{itemize}
\item Configures access port to transition directly to forwarding state.
\item Improve convergence times of non-\gls{rstp}.
\item Port does no forwan \gls{tcn} \gls{bpdu}s either.
\item PortFast can be enabled either A) per port \textit{or} B) globally for all ports in access mode.
\begin{enumerate}
\item Per port: {\footnotesize Accesss port}\\\cliline{cisco-switch(config-if)# spanning-tree portfast}
\item Per port: {\footnotesize Trunk port}\\\cliline{cisco-switch(config-if)# spanning-tree portfast trunk}
\item Globally:\\\cliline{cisco-switch(config)# spanning-tree portfast default}
\end{enumerate}
\end{itemize}
\item UplinkFast
\begin{itemize}
\item Enables fast uplink failover on access switch.
\item Improve convergence times of non-\gls{rstp}.
\item Enabled only with non-\gls{rstp}
\item Integrated into Cisco's \gls{rstp} implementaion and enabled by defaut.
\item Cisco proprietary
\item Only works if switch has blocked ports
\item Designed with switches in access layer as deployment target.
\item Enabled for the entire switch. Cannot be enabled pr. vlan.
\item \cliline{cisco-switch(config)# spanning-tree uplinkfast} enables the feature.
\end{itemize}
\item BackboneFast
\begin{itemize}
\item Enables fast convergence in distribution or core layer when \gls{stp} change occurs.
\item Improve convergence times of non-\gls{rstp}.
\item Enabled only with non-\gls{rstp}
\item Integrated into Cisco's \gls{rstp} implementaion and enabled by default.
\item Disabled by default
\item \cliline{cisco-switch(config)# spanning-tree backbonefast} enables the feature.
\item \textit{Scenario:} If switch needs searching new path root bridge. BackboneFast shortens process.
\begin{enumerate}
\item Switch will search for alternative path to root.
\item If \gls{bpdu} recieved on blocked port. Port considered alternative path path to root.
\item If alternate path identified. RQL{\footnotesize \textbf{R}equest \textbf{L}ink \textbf{B}locking} packets are out for identify either A) an alternative path to the root bridge \textit{or} B) an up-/downstream switch with a path to the root bridge.
\end{enumerate}
\end{itemize}
\end{itemize}
\subsection{Loop Prevention}
\begin{itemize}
\item \gls{bpdu} Guard
\begin{itemize}
\item Disables the PortFast-enabled port if a \gls{bpdu} is received. The port goes into mode \texttt{err-disable}.
\item Enable per port:\\\cliline{cisco-switch(config-if)# spanning-tree bpduguard enable}
\item Enable globally for portfast enabled ports:\\\cliline{cisco-switch(config)# spanning-tree portfast bpduguard default}
\end{itemize}
\item \gls{bpdu} Filter
\begin{itemize}
\item Suppresses \gls{bpdu}s on ports
\item Behaves differently depending if enabled
\item A) globally \textit{or}
\begin{enumerate}
\item Affects all active portfast enabled ports, which \underline{don't} have a \gls{bpdu} port configuration.
\item If \gls{bpdu} recieved on port, portfast and \gls{bpdu} filter is disabled.
\item Sends \textbf{10} \gls{bpdu}s on startup. If \gls{bpdu} recieved in this timeframe \textit{same consequence as above} happens to the port.
\item \cliline{cisco-switch(config-if)# spanning-tree bpdufilter enable}
\end{enumerate}
\item B) per-port:
\begin{enumerate}
\item Port ignores all recieved \gls{bpdu}s.
\item Port sends no \gls{bpdu}s.
\item \cliline{cisco-switch(config-if)# spanning-tree bpdufilter enable}
\end{enumerate}
\item Beware to \underline{only} enable \gls{bpdu} filter on ports connected to end hosts. Consequence if not followed \underline{can} result in creating bridging loops.
\item Beware to \underline{only enable either} \gls{bpdu} guard \textbf{\textit{or}} filter. \footnote{Cisco recommendation}
\end{itemize}
\item Root Guard
\begin{itemize}
\item \st{Prevents external switches from becoming roots}
\item If enabled, prevents any ports from becoming a root-port. Ports will remain as designated ports \textit{effectivily} preventing the switch becoming the root bridge.
\item This, too, behaves in s similiar manner as \gls{bpdu} guard, putting the port in \texttt{err-disable} mode when a \gls{bpdu} packet is recieved on the port.
\item Enabled per-port with\\\cliline{cisco-switch(config-if)# spanning-tree guard root}
\end{itemize}
\item Loop Guard
\begin{itemize}
\item Prevents an alternate port from becoming the designated port if no \gls{bpdu}s are received
\begin{enumerate}
\item Normally when cisco swicthes stop recieving \gls{bpdu}s ingress in a port. The port will go to listeting, learning, forwarding state equaling a loop.
\item With Loop guard enabled the will go to \texttt{loop-inconsistent} blocking state instead.
\end{enumerate}
\item Enabled per-port\\\cliline{cisco-switch(config-if)# spanning-tree guard loop}
\item Enabled globally\\\cliline{cisco-switch(config)# spanning-tree loopguard default} {\small only on p2p links}
\item Works on per-vlan basis when \gls{pvst} is used.
\item On ether-channel links with uni-directional link failures, loop guard will put put the whole ether-channel into loop-inconsistent state.
\end{itemize}
\item \textbf{Beware} root and loop guard is mutually exclusive
\begin{itemize}
\item Root guard works on designated ports and does not allow the ports to become \textit{non}-designated ports, where
\item Loop guard works on \textit{non}-designated ports and does not allow the ports to become designated ports {\footnotesize though expiration of times}.
\end{itemize}
\end{itemize}
\subsection{Link}
\begin{itemize}
\item \gls{udld}
\begin{itemize}
\item Cisco proprietary feature.
\item By default only enables on fiber optic links.
\item Works by sending packes every 15 seconds (default timer). If not packet is recieved back, the port can either log (default) a messaage or actively try to re-establish the link (aggresive). 1 packet/second for 8 sec. is send. If non is returned the port will go to \texttt{err-disable} state.
\item \cliline{cisco-switch(config)\# udld \{enable | aggresive\}}
\item On ether-channel links with uni-directional link failures, udld will disable individual failed links.
\item For the best protection. Aggresive mode is recommended.
\item It is recommended to turn on udld in global conf mode.
\end{itemize}
\item FlexLinks
\begin{itemize}
\item Cisco proprietary feature.
\item An alternate solution to running \gls{stp} in the environment.
\begin{itemize}
\item \gls{stp} is auto-disabled on interfaces running FlexLinks.
\item Configured with 2 physical links with and active/backup configuration.
\item Enables convergence time of less than 50 milliseconds.
\end{itemize}
\item FlexLinks is good alternative to running \gls{stp} in an environment with customers who you do \textit{not} want to run \gls{stp} with. Fx. Service Provider/Enterprise/Datacenter environment.
\item Preemtion for FlexLinks is \textit{not} enabled-by-default.
\begin{enumerate}
\item Detects link failure.
\item Moves any dynamic unicast \gls{mac} addresses learned on primary link to standby link.
\item Moves standby link to forwarding state.
\item Transmits dummy multicast packets over new active interface. {\small Dummy multicast packet format is as follows: \textbf{destination:} 01:00:0c:cd:cd:cd, \textbf{source:} \gls{mac} address of the hosts or ports on the newly active FlexLinks port}
\end{enumerate}
\item {\small \textbf{Note:}} Configuring FlexLinks outside of access layer switches can be very complex!
\item Enabled FlexLinks on an interface: \\
\cliline{cisco-switch(config)# interface fa0/1} \\
\cliline{cisco-switch(config-if)# switchport backup interface fa0/2}
\item \textbf{What} FlexLinks can be:
\begin{enumerate}
\item A physical port
\item A Bundled link {\footnotesize (aka. ether-channel)}
\item 1 FlexLink per physical/logical port
\item Link speeds need not be the same
\end{enumerate}
\end{itemize}
\end{itemize}
\begin{table}[h]
\centering
\caption{UDLD|Loopguard compared}
\label{udldloopguard}
\resizebox{\columnwidth}{!}{%
\begin{tabular}{|l|l|l|}
\hline
\thead{Functionality} & \thead{Loop guard} & \thead{UDLD} \\ \hline
Action granularity & Per vlan & Per port \\ \hline
\makecell{Protection against \gls{stp}\\failures caused by uni-directional\\ links} & \makecell{Yes, when enabled on all\\potential non-designated ports\\in redundant topology} & \makecell{Yes, when enabled on all\\links in redundant topology} \\ \hline
\makecell{Protection against \gls{stp}\\failures caused by problem in\\software resulting in designated\\switch not sending \gls{bpdu}s} & Yes & No \\ \hline
Protection against mis-wiring & No & Yes \\ \hline
\end{tabular}%
}
\end{table}
\fig{spanningtree/stpbestpractice}{stpbestpractice}{STP best practice}
\section{Multiple Spanning Tree}
\begin{itemize}
\item \itemtitle{Known limitations}{Regarding the cisco world of things}
\begin{enumerate}
\item A maximum of 16 instances is supported. {\footnotesize From 0 to 15.}
\end{enumerate}
\item \textbf{Beware} that instance 0 is the \textit{I}nternal \textit{S}panning \textit{T}ree. And therefore cannot be configured for user-mapped Vlans.
\item Aggregates the configured vlans into groups/instances/processes. This in turn provides lower resource utilization on switches. \dWinkey
\item Backwards compatible with 802.1D \gls{stp}/802.1w/\gls{rstp} and Cisco \gls{pvst+}.
\item Converges faster than \gls{pvrst+}.
\item \itemtitle{Challenges}{Arises because of older hardware and the architecture of the protocol}
\begin{enumerate}
\item Operability with older/legacy hardware/equipment is not always possible.
\item \textit{Of course} it is more complex compared to standard \gls{stp} (older) protocols. {\footnotesize Staff may require teachings of the way of the protocol.}
\end{enumerate}
\end{itemize}
\begin{table}[h]
\centering
\caption{MST Attributes}
\label{mstattr}
\resizebox{\columnwidth}{!}{%
\begin{tabular}{|l|l|}
\hline
\thead{Data} & \thead{What ?} \\ \hline
32 bytes & alphanumeric configuration name \\ \hline
2 bytes & configuration revision number \\ \hline
Table of 4096 elements & \makecell{associates each of the potential\\4096 VLANs with an instance} \\ \hline
\end{tabular}%
}
\end{table}
\subsection{MST Regions}
It is the network admins job to propagate an even configuration to all switches in a single region by using \gls{cli} or \gls{snmp}. Currently IOS does not support any other options to do the job.
\begin{itemize}
\item \itemtitle{Boundaries}{MST differs between regions by}
\begin{enumerate}
\item sending a digest computer from the Vlan-to-instance mapping table of the switch sending the digest.
\item the characteristics of the \gls{mst} protocol for that single switch.
\end{enumerate}
\item if computed digest and \gls{mst} characteristics between switches is \textit{found matching}, the switches considers themselves part of the same \gls{mst} region.
\item \textbf{Beware} that unlike \gls{vtp}, \gls{mst} does not automatically increase the configuration revision number. This \textit{has to be done} manually.
\end{itemize}
\fig{spanningtree/mstregions}{mstregions}{MST Regions all Vlans running mappen to the default instance 0.}
\fig{spanningtree/mstregions2}{mstregions2}{MST Regions vlans mapped to different instances.}
\pagebreak % avoids column break for the following text
\begin{txt}
|<-------- bridge id ----------->|
+----------+-----------+---------+
| Bridge | Extended | MAC |
| priority | system ID | Address |
+----------+-----------+---------+
/\
||
\gls{mst} inst. no. carried in
Ext. Syst. ID Area
\end{txt}
\subsection{Common Troubleshooting}
\begin{itemize}
\item Duplex mismatch: Mismatch half/full duplex.
\item Unidirectional link failure
\item Frame corruption: Physical interfaces can be defective/with errors.
\item Resource errors: High compute usage in the Control Plane. {\scriptsize Remember the Spanning Tree Process in fx. Cisco Catalyst switches is handled in software.}
\item PortFast configuration error: Can lead to bridging loops when mis-wiring happens together with logical port configuration errors.
\end{itemize}
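Review bot: The BackboneFast step list names the probe `RQL{\footnotesize \textbf{R}equest \textbf{L}ink \textbf{B}locking}`, but the Cisco mechanism is the Root Link Query PDU, so both the abbreviation and its expansion are wrong; change it to `RLQ {\footnotesize \textbf{R}oot \textbf{L}ink \textbf{Q}uery}`. The Root Bridge paragraph gives the priority range as `$0$ to $2^{16}$`; the field is 16 bits, so the upper bound is $2^{16}-1$, and on switches using the extended system ID shown in the later bridge-id figure only the top four bits are configurable, i.e. priorities are multiples of 4096 (default 32768). The UDLD line escapes the prompt as `\#` while every other `\cliline` in this hunk writes a bare `#`; whichever form `\cliline` expects, the lines should agree or one of them will typeset wrongly. The VTP Security subsection only says the password is MD5-hashed; it would help readers to add that the digest in advertisements authenticates them, so a switch carrying the same password and a higher revision can still overwrite the domain's VLAN database, which is exactly the failure mode the VTP Scaling notice warns about.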


@ -1,414 +0,0 @@
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% %
% SECTION BEGIN spanning tree protocol %
% %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\section{Spanning Tree}
Spanning Tree exists for the \textbf{sole} reason to save "your" network and all the broadcast storms an network engineer having a bad day can by mistake create!
STP comes from the above desire where redundancy was wanted but no protocol existed before \gls{stp} to help in this regard.
\begin{table}[h]
\centering
\caption{Spanning Tree standards}
\label{stpstandards}
\resizebox{\columnwidth}{!}{%
\begin{tabular}{|l|l|l|l|l|}
\hline
\textbf{} & \textbf{Standard} & \textbf{Ressource Usage} & \multicolumn{2}{l|}{\textbf{Convergence}} \\ \hline
\gls{cst} & 802.1D & Low & Slow & All vlans \\ \hline
\gls{pvst+} & Cisco & High & Slow & Per vlan \\ \hline
\gls{rstp} & 802.1w & So-so (Med.) & Fast & All vlans \\ \hline
\gls{rpvst+} & Cisco & On-the-double (V.High) & Fast & Per vlan \\ \hline
\gls{mst} & 802.1s & Med. - High & Fast & Vlan list \\ \hline
\end{tabular}%
}
\end{table}
\subsection{Port Roles}
When a switch is enabled for Spanning Tree. One of the following roles will have been assumed by any port on the switch in question.
\begin{itemize}
\item \textbf{Root port:} Only 1 port on any switch (non-counting the root bridge!). Is always the port with the lowest metric (aka. best path) to the root bridge.
\begin{itemize}
\item The upstream/-link port closest to the root bridge on all switches apart from the root bridge.
\end{itemize}
\item \textbf{Designated port:} A designated port is the port on any segment closest to the root bridge and forwarding traffic.
\begin{itemize}
\item The port on any switch in downstream direction closet to the root bridge.
\end{itemize}
\item \textbf{\textit{Non}-designated port:} Put in blocking mode and not currently forwarding traffic.
\begin{itemize}
\item All switch ports which did not get elected as the root or designated port.
\end{itemize}
\item \textbf{Disabled port:} The port has been one-way-or-another shut down.
\end{itemize}
\subsubsection{specific port roles}
\begin{itemize}
\item \textbf{Alternative port} is an active port in network with an alternative path to the root bridge. A port in alternative mode will remain active but \textit{discards} all traffic until the the current designated path fails.
\item \textbf{Backup port} is running in active mode and \textit{discards} all traffic it recieves until the current designated port on the segment the backup port is connected to, fails.
\end{itemize}
Election of ports goes in order of the following values (low is best): 1) root bridge id, 2) lowest path cost to root bridge, 3) sender bridge id, 4) sender port bridge id
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% %
% SECTION BEGIN standards %
% %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\subsection{Standards}
\begin{itemize}
\item \gls{stp} {\scriptsize Spanning Tree Protocol}
\begin{itemize}
\item \gls{ieee} 802.1D
\item Was created in a time where bridged networks was the norm.
\item Supports a single vlan/lan.
\end{itemize}
\item \gls{cst} {\scriptsize Common Spanning Tree}
\begin{itemize}
\item An evolution of \gls{stp}
\item \gls{cst} still only supports one \gls{stp} instance.
\item But \gls{cst} do thou in contrast to \gls{stp} support \textit{multiple} vlans.
\end{itemize}
\item \gls{pvst} {\scriptsize Per Vlan Spanning Tree}
\begin{itemize}
\item Now obsolute and succeded by \gls{pvst+}
\end{itemize}
\item \gls{pvst+} {\scriptsize Per Vlan Spanning Tree Plus}
\begin{itemize}
\item Runs an instance of \gls{stp} per vlan.
\item Can guarante better utilization of available network bandwidth.
\item Root bridge and port priorities can be configured per vlan.
\item Uses the term alternate for nondesignated port.
\end{itemize}
\item \gls{rstp} {\scriptsize Rapid Spanning Tree Protocol}
\begin{itemize}
\item \gls{ieee} 802.1w
\item A future development of the original 802.1D standard meant to provide faster convergance. As the original \gls{stp} standard wasn't actually that fast.
\end{itemize}
\item \gls{rpvst+} {\scriptsize Rapid Per Vlan Spanning Tree Plus}
\begin{itemize}
\item A cisco implementation of \gls{rstp} based upon \gls{pvst+}.
\end{itemize}
\item \gls{mst} {\scriptsize Multiple Spanning Tree}
\begin{itemize}
\item Originally a cisco developed protocol. \gls{mst} has since been developed as an \gls{ieee} standard.
\item \gls{mst} can as \gls{cst} map multiple vlans to a single \gls{stp} instance.
\item \gls{mst} \textit{differently} than \gls{cst} supports multiple \gls{stp} instances.
\item Fx. Instance 1: Vlan 1-99, Instane 2: Vlan 100-199.
\end{itemize}
\end{itemize}
\subsection{Features}
\subsubsection{BPDU}
\textbf{B}ridge \textbf{P}rotocol \textbf{D}ata \textbf{U}nits is on cisco equipment sent out every 2 seconds and generally catogorizes into 2 categories:
\begin{itemize}
\item \textit{Configuration} \gls{bpdu} used for \gls{stp} calculations and
\item \textit{Topology change notifications} \gls{bpdu}s used to notify other network nodes of a change in the network.
\end{itemize}
Any network node with switchports and \gls{stp} + \gls{bpdu} enabled sends out \gls{bpdu} packets with the ports \gls{mac} as the src address. The destination \gls{mac} is is designated \gls{stp} multicast addr 01:80:C2:00:00:00.
\subsubsection{Root Bridge}
Using a \textbf{R}oot \textbf{B}rigde as the reference point for the \gls{stp} instance and calculation of root/designated/non-designated ports.\\This election process uses a pre-configured bridge priority (ranges from $0$ to $2^{16}$) (defaults to $2^{15}$). If a tie in priority is found the switch in possession of the lowest \gls{mac} address wins the root bridge election.
\begin{txt}
|<-------- bridge id 8 bytes --->|
+----------+---------------------+
| Bridge | MAC |
| priority | Address |
+----------+---------------------+
|< 2 byte >|<----- 6 bytes ----->|
\end{txt}
\subsubsection{Port Cost}
\begin{table}[h]
\centering
\caption{Default port cost in spanning tree}
\label{stpportcost}{!}{%
\begin{tabular}{|l|l|}
\hline
\textbf{Link} & \textbf{Default Cost} \\ \hline
10 Gbps & 1 \\ \hline
1 Gbps & 4 \\ \hline
100 Mbps & 19 \\ \hline
10 Mbps & 100 \\ \hline
\end{tabular}%
}
\end{table}
\fig{spanningtree/portroles}{stpportroles}{Port Election}
\textit{\textbf{NB:} beware that when working with bundled links (aka. ether-/port-channel). Then the link cost will be calculated based upon the summarized bandwidth accross all links.}
\fig{spanningtree/portstates}{stpportstates}{Port States}
\section{Rapid Spanning Tree Protocol}
\fig{rstp/portroles}{rstpportroles}{Port Roles}
\fig{rstp/portlinktypes}{rstpportlinktypes}{Port link types}
Things to be aware of regarding \gls{rstp} port roles
\begin{itemize}
\item \textbf{Shared} port state will only ever be present on segments where a hub is present.
\item \textbf{Point-2-Point} port is connected to a single switch on the other end.
\item \textbf{Edge} port roles is only ever connected to end devices. Status as Edge port is lost if a \gls{bpdu} is ever recieved.
\end{itemize}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% %
% SECTION BEGIN port roles %
% %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\section{Port roles}
\subsection{Fast port roles}
Cisco did on their part early on enhance the original spanning tree standard with some proprietary portroles that can (on cisco switch equipment) skip steps in the port role election process. And configure a \gls{stp} switchport to a specific behavior as described below:
\begin{itemize}
\item PortFast
\begin{itemize}
\item Configures access port to transition directly to forwarding state.
\item Improve convergence times of non-\gls{rstp}.
\item Port does no forwan \gls{tcn} \gls{bpdu}s either.
\item PortFast can be enabled either A) per port \textit{or} B) globally for all ports in access mode.
\begin{enumerate}
\item Per port: {\footnotesize Accesss port}\\\cliline{cisco-switch(config-if)# spanning-tree portfast}
\item Per port: {\footnotesize Trunk port}\\\cliline{cisco-switch(config-if)# spanning-tree portfast trunk}
\item Globally:\\\cliline{cisco-switch(config)# spanning-tree portfast default}
\end{enumerate}
\end{itemize}
\item UplinkFast
\begin{itemize}
\item Enables fast uplink failover on access switch.
\item Improve convergence times of non-\gls{rstp}.
\item Enabled only with non-\gls{rstp}
\item Integrated into Cisco's \gls{rstp} implementaion and enabled by defaut.
\item Cisco proprietary
\item Only works if switch has blocked ports
\item Designed with switches in access layer as deployment target.
\item Enabled for the entire switch. Cannot be enabled pr. vlan.
\item \cliline{cisco-switch(config)# spanning-tree uplinkfast} enables the feature.
\end{itemize}
\item BackboneFast
\begin{itemize}
\item Enables fast convergence in distribution or core layer when \gls{stp} change occurs.
\item Improve convergence times of non-\gls{rstp}.
\item Enabled only with non-\gls{rstp}
\item Integrated into Cisco's \gls{rstp} implementaion and enabled by default.
\item Disabled by default
\item \cliline{cisco-switch(config)# spanning-tree backbonefast} enables the feature.
\item \textit{Scenario:} If switch needs searching new path root bridge. BackboneFast shortens process.
\begin{enumerate}
\item Switch will search for alternative path to root.
\item If \gls{bpdu} recieved on blocked port. Port considered alternative path path to root.
\item If alternate path identified. RQL{\footnotesize \textbf{R}equest \textbf{L}ink \textbf{B}locking} packets are out for identify either A) an alternative path to the root bridge \textit{or} B) an up-/downstream switch with a path to the root bridge.
\end{enumerate}
\end{itemize}
\end{itemize}
\subsection{Loop Prevention}
\begin{itemize}
\item \gls{bpdu} Guard
\begin{itemize}
\item Disables the PortFast-enabled port if a \gls{bpdu} is received. The port goes into mode \texttt{err-disable}.
\item Enable per port:\\\cliline{cisco-switch(config-if)# spanning-tree bpduguard enable}
\item Enable globally for portfast enabled ports:\\\cliline{cisco-switch(config)# spanning-tree portfast bpduguard default}
\end{itemize}
\item \gls{bpdu} Filter
\begin{itemize}
\item Suppresses \gls{bpdu}s on ports
\item Behaves differently depending if enabled
\item A) globally \textit{or}
\begin{enumerate}
\item Affects all active portfast enabled ports, which \underline{don't} have a \gls{bpdu} port configuration.
\item If \gls{bpdu} recieved on port, portfast and \gls{bpdu} filter is disabled.
\item Sends \textbf{10} \gls{bpdu}s on startup. If \gls{bpdu} recieved in this timeframe \textit{same consequence as above} happens to the port.
\item \cliline{cisco-switch(config-if)# spanning-tree bpdufilter enable}
\end{enumerate}
\item B) per-port:
\begin{enumerate}
\item Port ignores all recieved \gls{bpdu}s.
\item Port sends no \gls{bpdu}s.
\item \cliline{cisco-switch(config-if)# spanning-tree bpdufilter enable}
\end{enumerate}
\item Beware to \underline{only} enable \gls{bpdu} filter on ports connected to end hosts. Consequence if not followed \underline{can} result in creating bridging loops.
\item Beware to \underline{only enable either} \gls{bpdu} guard \textbf{\textit{or}} filter. \footnote{Cisco recommendation}
\end{itemize}
\item Root Guard
\begin{itemize}
\item \st{Prevents external switches from becoming roots}
\item If enabled, prevents any ports from becoming a root-port. Ports will remain as designated ports \textit{effectivily} preventing the switch becoming the root bridge.
\item This, too, behaves in s similiar manner as \gls{bpdu} guard, putting the port in \texttt{err-disable} mode when a \gls{bpdu} packet is recieved on the port.
\item Enabled per-port with\\\cliline{cisco-switch(config-if)# spanning-tree guard root}
\end{itemize}
\item Loop Guard
\begin{itemize}
\item Prevents an alternate port from becoming the designated port if no \gls{bpdu}s are received
\begin{enumerate}
\item Normally when cisco swicthes stop recieving \gls{bpdu}s ingress in a port. The port will go to listeting, learning, forwarding state equaling a loop.
\item With Loop guard enabled the will go to \texttt{loop-inconsistent} blocking state instead.
\end{enumerate}
\item Enabled per-port\\\cliline{cisco-switch(config-if)# spanning-tree guard loop}
\item Enabled globally\\\cliline{cisco-switch(config)# spanning-tree loopguard default} {\small only on p2p links}
\item Works on per-vlan basis when \gls{pvst} is used.
\item On ether-channel links with uni-directional link failures, loop guard will put put the whole ether-channel into loop-inconsistent state.
\end{itemize}
\item \textbf{Beware} root and loop guard is mutually exclusive
\begin{itemize}
\item Root guard works on designated ports and does not allow the ports to become \textit{non}-designated ports, where
\item Loop guard works on \textit{non}-designated ports and does not allow the ports to become designated ports {\footnotesize though expiration of times}.
\end{itemize}
\end{itemize}
\subsection{Link}
\begin{itemize}
\item \gls{udld}
\begin{itemize}
\item Cisco proprietary feature.
\item By default only enables on fiber optic links.
\item Works by sending packes every 15 seconds (default timer). If not packet is recieved back, the port can either log (default) a messaage or actively try to re-establish the link (aggresive). 1 packet/second for 8 sec. is send. If non is returned the port will go to \texttt{err-disable} state.
\item \cliline{cisco-switch(config)\# udld \{enable | aggresive\}}
\item On ether-channel links with uni-directional link failures, udld will disable individual failed links.
\item For the best protection. Aggresive mode is recommended.
\item It is recommended to turn on udld in global conf mode.
\end{itemize}
\item FlexLinks
\begin{itemize}
\item Cisco proprietary feature.
\item An alternate solution to running \gls{stp} in the environment.
\begin{itemize}
\item \gls{stp} is auto-disabled on interfaces running FlexLinks.
\item Configured with 2 physical links with and active/backup configuration.
\item Enables convergence time of less than 50 milliseconds.
\end{itemize}
\item FlexLinks is good alternative to running \gls{stp} in an environment with customers who you do \textit{not} want to run \gls{stp} with. Fx. Service Provider/Enterprise/Datacenter environment.
\item Preemtion for FlexLinks is \textit{not} enabled-by-default.
\begin{enumerate}
\item Detects link failure.
\item Moves any dynamic unicast \gls{mac} addresses learned on primary link to standby link.
\item Moves standby link to forwarding state.
\item Transmits dummy multicast packets over new active interface. {\small Dummy multicast packet format is as follows: \textbf{destination:} 01:00:0c:cd:cd:cd, \textbf{source:} \gls{mac} address of the hosts or ports on the newly active FlexLinks port}
\end{enumerate}
\item {\small \textbf{Note:}} Configuring FlexLinks outside of access layer switches can be very complex!
\item Enabled FlexLinks on an interface: \\
\cliline{cisco-switch(config)# interface fa0/1} \\
\cliline{cisco-switch(config-if)# switchport backup interface fa0/2}
\item \textbf{What} FlexLinks can be:
\begin{enumerate}
\item A physical port
\item A Bundled link {\footnotesize (aka. ether-channel)}
\item 1 FlexLink per physical/logical port
\item Link speeds need not be the same
\end{enumerate}
\end{itemize}
\end{itemize}
\begin{table}[h]
\centering
\caption{UDLD|Loopguard compared}
\label{udldloopguard}
\resizebox{\columnwidth}{!}{%
\begin{tabular}{|l|l|l|}
\hline
\thead{Functionality} & \thead{Loop guard} & \thead{UDLD} \\ \hline
Action granularity & Per vlan & Per port \\ \hline
\makecell{Protection against \gls{stp}\\failures caused by uni-directional\\ links} & \makecell{Yes, when enabled on all\\potential non-designated ports\\in redundant topology} & \makecell{Yes, when enabled on all\\links in redundant topology} \\ \hline
\makecell{Protection against \gls{stp}\\failures caused by problem in\\software resulting in designated\\switch not sending \gls{bpdu}s} & Yes & No \\ \hline
Protection against mis-wiring & No & Yes \\ \hline
\end{tabular}%
}
\end{table}
\fig{spanningtree/stpbestpractice}{stpbestpractice}{STP best practice}
\section{Multiple Spanning Tree}
\begin{itemize}
\item \itemtitle{Known limitations}{Regarding the cisco world of things}
\begin{enumerate}
\item A maximum of 16 instances is supported. {\footnotesize From 0 to 15.}
\end{enumerate}
\item \textbf{Beware} that instance 0 is the \textit{I}nternal \textit{S}panning \textit{T}ree. And therefore cannot be configured for user-mapped Vlans.
\item Aggregates the configured vlans into groups/instances/processes. This in turn provides lower resource utilization on switches. \dWinkey
\item Backwards compatible with 802.1D \gls{stp}/802.1w/\gls{rstp} and Cisco \gls{pvst+}.
\item Converges faster than \gls{pvrst+}.
\item \itemtitle{Challenges}{Arises because of older hardware and the architecture of the protocol}
\begin{enumerate}
\item Operability with older/legacy hardware/equipment is not always possible.
\item \textit{Of course} it is more complex compared to standard \gls{stp} (older) protocols. {\footnotesize Staff may require teachings of the way of the protocol.}
\end{enumerate}
\end{itemize}
\begin{table}[h]
\centering
\caption{MST Attributes}
\label{mstattr}
\resizebox{\columnwidth}{!}{%
\begin{tabular}{|l|l|}
\hline
\thead{Data} & \thead{What ?} \\ \hline
32 bytes & alphanumeric configuration name \\ \hline
2 bytes & configuration revision number \\ \hline
Table of 4096 elements & \makecell{associates each of the potential\\4096 VLANs with an instance} \\ \hline
\end{tabular}%
}
\end{table}
\subsection{MST Regions}
It is the network admins job to propagate an even configuration to all switches in a single region by using \gls{cli} or \gls{snmp}. Currently IOS does not support any other options to do the job.
\begin{itemize}
\item \itemtitle{Boundaries}{MST differs between regions by}
\begin{enumerate}
\item sending a digest computer from the Vlan-to-instance mapping table of the switch sending the digest.
\item the characteristics of the \gls{mst} protocol for that single switch.
\end{enumerate}
\item if computed digest and \gls{mst} characteristics between switches is \textit{found matching}, the switches considers themselves part of the same \gls{mst} region.
\item \textbf{Beware} that unlike \gls{vtp}, \gls{mst} does not automatically increase the configuration revision number. This \textit{has to be done} manually.
\end{itemize}
\fig{spanningtree/mstregions}{mstregions}{MST Regions all Vlans running mappen to the default instance 0.}
\fig{spanningtree/mstregions2}{mstregions2}{MST Regions vlans mapped to different instances.}
\pagebreak % avoids column break for the following text
\begin{txt}
|<-------- bridge id ----------->|
+----------+-----------+---------+
| Bridge | Extended | MAC |
| priority | system ID | Address |
+----------+-----------+---------+
/\
||
\gls{mst} inst. no. carried in
Ext. Syst. ID Area
\end{txt}
\subsection{Common Troubleshooting}
\begin{itemize}
\item Duplex mismatch: Mismatch half/full duplex.
\item Unidirectional link failure
\item Frame corruption: Physical interfaces can be defective/with errors.
\item Resource errors: High compute usage in the Control Plane. {\scriptsize Remember the Spanning Tree Process in fx. Cisco Catalyst switches is handled in software.}
\item PortFast configuration error: Can lead to bridging loops when mis-wiring happens together with logical port configuration errors.
\end{itemize}


@ -1,169 +0,0 @@
\section{Switch Network}
\subsection{VTP}
\fig{vtp/implementing-vtp}{imp-vtp1}{VTP}
\subsubsection{VTP Modes}
The tree modes a \gls{vtp} \textit{enabled} device can operate are
\begin{itemize}
\item Transparent
\item Server
\item Client
\end{itemize}
Of course you can \textit{disable} \gls{vtp} altogether.
Key things to be aware of \textit{before} enabling \gls{vtp} in your environment is to make double sure of only having 1 \gls{vtp} domain. \textbf{If} 2 or more \gls{vtp} domains exists. Be triple sure to separate them! As to avoid having an \gls{vtp} server \gls{db} overridden with data from another \gls{vtp} domain.
The three \gls{vtp} modes \textit{operates} as follow
\begin{itemize}
\item Transparent
\begin{itemize}
\item Creates, modifies and deletes \textit{local} \gls{vlan} only
\item Forwards advertisements
\item Does \textit{not} synchronizes vlan configurations.
\end{itemize}
\item Server
\begin{itemize}
\item Creates, modifies and deletes vlans
\item Sends and forwards advertisements
\item Synchronizes vlan configurations
\end{itemize}
\item Client
\begin{itemize}
\item Cannot create, modify or delete vlans
\item Send and forwards advertisements
\item Synchronizes vlan configurations
\end{itemize}
\end{itemize}
\subsubsection{VTP Announcement}
\gls{vtp} operates with announcements sent out in intervals. Summarized it amounts to
\begin{itemize}
\item 1 \textit{summary} announcement per 5th minute from the server
\item The summary announcement informs clients of the current revision
\item An announcement is sent out \textit{on the spot} when a change has been made on the\gls{vtp}server
\end{itemize}
Do remember it is \textbf{only} the \gls{vtp} server which has the \gls{vlan} configuration stored \textbf{on disk}. All device clients and transparent nodes do only store the \gls{vlan} delegated by \gls{vtp} in memory.
\subsubsection{Common Issues}
\begin{itemize}
\item Different/Incompatible \gls{vtp} versions
\item Wrong password
\item Incorrect mode name
\item No server set (all devices configured in transparent/client/\gls{vtp} disabled mode)
\end{itemize}
\subsubsection{VTP Versions}
\begin{itemize}
\item Version 1
\item Version 2
\begin{itemize}
\item Version-dependent transparent mode
\item Consistencycheck
\item Token ring support
\item Unrecognized type-length-value support
\end{itemize}
\item Version 3 (not "yet" common)
\begin{itemize}
\item Extended \gls{vlan} support: Allow ranges are 1-1005,1018-2095. Not mentioned \gls{vlan} ranges up to 4095 is still reserved.
\item Domain name is not automatically learned.
\item Better security.
\item Better database propagation.
\item \gls{mst} now supported.
\end{itemize}
\end{itemize}
\subsubsection{VTP Pruning}
The art of only allowing the \gls{vlan} traffic to flow on \textit{necessary} links.
This means if there are no clients in a \gls{vlan} on a device. Then no traffic for the inactive \gls{vlan}s are send down-/upstream on the link in question.
\fig{vtp/vtp-pruning}{vtpruning1}{VTP Pruning}
\subsubsection{Security}
It is \textbf{strongly} recommended to enable the security features supported in \gls{vtp}.
\textbf{Password:} MD5 hashing, Case-sensitive, Length between 8 and 64 chars.
\notice{VTP Scaling}{
As the network grows and grows and grows and grows some more over long/short timespans.
You will \textbf{for certain} come to cross-rode, where you \textbf{must} consider to
go away from using \gls{vtp} in the network. The problems of managing an elderly network and
wiping and re-introducing nodes in the network. You \textbf{will} face the issue of a
wiped vlan database from the \gls{vtp} domain.
}
\subsubsection{Example configuration}
\lstinputlisting{code/vtp/example.cfg}
\subsection{Channel Bundling (aka. EtherChannel, PortChannel)}
Channel bundling is the "art" of using multiple physical links as one single logical link in when viewed from the perspective of the forwarding plane.
Technologies:
\begin{itemize}
\item \textbf{\gls{pagp}:} The Cisco-only thingy
\item \textbf{\gls{lacp}:} The \gls{ieee} standard
\item \textbf{Static:} Just forced on
\end{itemize}
\fig{channelbundling/network-without-channelbundling}{noethernetchannel}%
{No Channelbundling present}
Channel bundling of switch ports in the network may or may not be the best idea, in regards to the networks growth rate in terms of min. required bandwidth.
Channel bundling spreads out the in and egress flows based upon one of several methods configured on the switch:
\begin{itemize}
\item Source to Destination \gls{mac}
\item Source to Destination \gls{ip}
\end{itemize}
Keep in mind this will by no means archive true load balancing. Where all links are equally used based upon number of flows \textit{or} in terms of used bandwidth.
\begin{table}[h]
\centering
\caption{Channel bundling mechanisms}
\label{chbundmech1}
\resizebox{\columnwidth}{!}{%
\begin{tabular}{|l|l|l|}
\hline
Hash Input Code & Hash Input Detecision & Switch Model \\ \hline
dst-ip & Dest \gls{ip} addr & All models \\ \hline
dst-mac & Dest \gls{mac} addr & All models \\ \hline
src-dst-ip & Src and dest \gls{ip} addr & All models \\ \hline
src-dst-mac & Src and dest \gls{mac} addr & All models \\ \hline
src-ip & Src \gls{ip} addr & All models \\ \hline
src-mac & Src \gls{mac} addr & All models \\ \hline
src-port & Src port no & 4500,6500 \\ \hline
dst-port & Dest port no & 4500,6500 \\ \hline
src-dst-port & Src and dest port no & 4500,6500 \\ \hline
\end{tabular}%
}
\end{table}
\fig{channelbundling/network-with-channelbundling}{withethernetchannel}%
{Channelbundling present}
\subsubsection{Protocol Properties}
\begin{itemize}
\item \gls{lacp}
\begin{itemize}
\item Active: Enabled
\item Passive: Waits for \gls{lacp} packets on the wire before enabled
\end{itemize}
\item \gls{pagp}
\begin{itemize}
\item Desirable: Enabled
\item Auto: Waits for \gls{pagp} packets on the wire before enabled
\end{itemize}
\end{itemize}
Some other \underline{required} settings to be (equal across all ports) aware of when configuring Channel bundling are
\begin{enumerate}
\item Port speeds
\item Duplex mode
\item Configured \gls{vlan} ranges
\end{enumerate}
\subsubsection{Example configuration}
\lstinputlisting{code/channelbundling/example.cfg}


@ -1,3 +1,11 @@
\chapter{Layer 3} \chapter{Layer 3}
\input{chapter/layer3/routednetwork} \section{Routed Network}
\section{OSPF}
\section{IS-IS}
\section{EIGRP}
\section{RIP}
\section{Static}
\section{BGP}


@ -1,8 +0,0 @@
\section{Routed Network}
\section{OSPF}
\section{IS-IS}
\section{EIGRP}
\section{RIP}
\section{Static}
\section{BGP}


@ -1,6 +1,160 @@
\chapter{Management} \chapter{Campus Network}
\section{Network Mgmt} \section{Discover Nodes}
Protocols to do link discovery on the network between nodes is commonly used
\begin{itemize}
\item incorporated in many \gls{nms} tools to support it's underling functionally like alerts triggering and monitoring,
\item when the ops people do debugging on the \gls{cli},
\item doing network discovery to find "what am I connected to ?"
\end{itemize}
Information by the protocols is only sent and processed locally. Information transmitted is not send beyond the local \gls{l2} link.
\newpage
\subsection[LLDP]{Link Layer Discovery Protocol}
\myquote{\citealt{wiki:Link_Layer_Discovery_Protocol}}{The Link Layer Discovery Protocol (LLDP) is a vendor-neutral link layer protocol in the Internet Protocol Suite used by network devices for advertising their identity, capabilities, and neighbours on an IEEE 802 local area network, principally wired Ethernet.[1] The protocol is formally referred to by the IEEE as Station and Media Access Control Connectivity Discovery specified in IEEE 802.1AB[2] and IEEE 802.3-2012 section 6 clause 79.}
\gls{lldp} carries information about
\begin{enumerate}
\item System name,
\item System description,
\item Port name,
\item Port description,
\item \gls{vlan} name,
\item \gls{ip} mgmt addr,
\item System capabilities\footnote{Support for fx. switching, routing etc.},
\item \gls{mac}/PHY info,
\item MDI\footnote{MDI refers to modes in PoE} power,
\item Link aggregation.
\end{enumerate}
\gls{lldp} has the advantage over \gls{cdp} of being more customizable in regards to the use of \gls{tlv}s. \textbf{However} it has the drawback of not being as lightweight as \gls{cdp}.
\begin{itemize}
\item \itemtitle{Worth to remember}{about \gls{lldp} is the following}
\begin{itemize}
\item is unidirectional,
\item operates in advertising mode only,
\item does not try to obtain information from other nodes,
\item does not monitor link state changes between nodes,
\item uses \gls{l2} multicast to notify others of neighbouring nodes of its presence and properties,
\item will record \textit{all} obtained information from received \gls{lldp} frames.
\end{itemize}
\item \itemtitle{Frames}{Multicast addresses --- One of the following is used.\\Note the \textit{01} signifies a \gls{l2} multicast \gls{dst} address.}
\begin{enumerate}
\item 01:80:c2:00:00:0e,
\item 01:80:c2:00:00:03,
\item 01:80:c2:00:00:00.
\end{enumerate}
\item \itemtitle{Commonly exchanged information}{List includes both mandatory and optional fields.}
\begin{enumerate}
\item System name,
\item System description,
\item Port name,
\item Port description,
\item \gls{vlan} name,
\item \gls{ip} mgmt addr,
\item System capabilities\footnote{Support for fx. switching, routing etc.},
\item MDI\footnote{MDI refers to modes in PoE} power,
\item Link aggregation.
\end{enumerate}
\item \itemtitle{Timers}{Default timers for \gls{lldp} on Cisco equipment}
\begin{enumerate}
\item hello packet sent once per ½ minute.
\item hold timer is 2 minutes.
\end{enumerate}
\end{itemize}
\subsubsection{Configuration Example}
\begin{cisco}
! Enable lldp. Beware lldp is enabled by default
! on select cisco platforms.
lldp run
!
! Ensure lldp is enables on select ports
interface range gi0/1-2
lldp transmit
lldp recieve
!
! Disable sending lldp packets on ports facing downstream
! to clients/workstations. But keep recieving lldp packets enabled
! so we can allways use the information for troubleshooting purpose.
interface range fa0/1-24
no lldp transmit
lldp recieve
\end{cisco}
\newpage
\subsection[CDP]{Cisco Discovery Protocol}
\myquote{\citealt{wiki:Cisco_Discovery_Protocol}}{Cisco Discovery Protocol (CDP) is a proprietary Data Link Layer protocol developed by Cisco Systems. It is used to share information about other directly connected Cisco equipment, such as the operating system version and IP address. CDP can also be used for On-Demand Routing, which is a method of including routing information in CDP announcements so that dynamic routing protocols do not need to be used in simple networks.}
\gls{cdp} functions my sending frame out the wire of all connected interfaces by default
\begin{itemize}
\item Sends frames to multicast addr 01-00-0c-cc-cc-cc\footnote{This multicast address is also used by cisco for \gls{vtp} messages},
\item by default a frame is shot out every 1 minute\footnote{The timer is adjusted in per x second},
\item no security is built-in by default so spoofing \gls{cdp} packets is not hard if the net ops people have forgotten to basic hardening
\begin{enumerate}
\item Taking up resources by filling up tables with invalid \gls{cdp} entries\cite{wiki:CDP_Spoofing} is possible,
\item can be prevented by fx. disabling \gls{cdp} on ports where is it unnecessary to have it enabled. Say client access ports,
\item precaution can be taken by only allowing \gls{cdp} packets on trusted network ports.
\end{enumerate}
\end{itemize}
\subsubsection{Configuration Example}
\begin{cisco}
! Enable CDP globally
cdp run
!
! Ensure cdp is enables on select ports
interface range gi0/1-2
cdp enable
!
! Disable CDP on ports facing downstream to clients/workstations
interface range fa0/1-24
no cdp enable
\end{cisco}
\section{Failure Detection}
\subsection[UDLD]{Unidirectional Link Detection}
\gls{udld} at work does the detection of the link is forwarding traffic in both directions. This is important when operating with Fiberoptic links\footnote{Normal Ethernet links is not as susceptible running traffic in only one direction}. Fiberoptic links has the potential for
\begin{enumerate}
\item bent and damages cables,
\item damaged connectors,
\item damaged ports,
\item impurities between connector and port.
\end{enumerate}
\fig{udld/malfunction}{udldmalfunction}{UDLD not working ?}
Other things can go wrong, too. Such as
\begin{itemize}
\item hardware failures,
\item software defects,
\item abnormal interface converter \textit{behaviour},
\item abnormal interface converter \textit{failure},
\item cabling done wrong,
\item inline sniffer/tap \textit{gone wrong},
\item inline sniffer/tap \textit{misconfigured}
\end{itemize}
\section[SPAN]{Switch Port Analyzer}
\subsection[RSPAN]{Remote Switch Port Analyzer}
\subsection[ERSPAN]{Encapsulated Remote Switch Port Analyzer}
\chapter[Mgmt]{Management}
\section[Network Mgmt]{Network Management}
\subsection{Routers} \subsection{Routers}
@ -8,7 +162,11 @@
\subsection{Firewall} \subsection{Firewall}
\section{OOB Mgmt} \section[OOB Mgmt]{Out-of-Band Management}
\subsection{Console Server} \subsection{Console Server}
\begin{itemize}
\item OpenGEAR
\end{itemize}


@ -130,3 +130,37 @@ tacacs-server unkn0wn!unicAst
\end{itemize} \end{itemize}
\fig{8021x/8021x}{8021x}{ID Management} \fig{8021x/8021x}{8021x}{ID Management}
Based upon the user connecting to the network. They can be given access to
\begin{itemize}
\item the resources their group/identity have been assigned or
\item put into a guest \gls{vlan} if nothing is assigned to them or
\item simply block the client/user altogether.
\end{itemize}
Cisco switches allow by default only the following 3 protos until the client is authenticated: \gls{eapol}, \gls{cdp}, \gls{stp} traffic to pass.
\begin{itemize}
\item The \textbf{authenticator\footnote{Network node}} is the edge node/\gls{ap} closest to the client/user. This node controls the clients physical access to the network. The node sends encapsulated \gls{eap} frames to the authentication server by radius for validation.
\item The \textbf{authentication server}
\end{itemize}
\fig{8021X/portauth}{portauth}{802.1X Port Auth}
802.1X can be enabled on a Cisco switch globally by \cliline{dot1x system-auth-control} and \textit{then} enabled on the switch port{\footnotesize (s)} by \cliline{aaa authentication dot1x}.
\clearpage
\subsection*{Enable with Cisco config}
\begin{txt}
aaa new-model
radius server host radiusserver.example.com key .unkown!unicAst.
aaa group server radius RADIUS-SERVER-DK
server radiusserver.example.com
aaa authetication dot1x default group RADIUS-SERVER-DK
dot1x system-auth-control
interface GigabitEthernet 0/4
switchport mode access ! Port must be an access port prior
dot1x port-control auto ! to enable dot1x on the port
\end{txt}
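Review bot: The example's `aaa authetication dot1x default group RADIUS-SERVER-DK` line misspells the keyword and will be rejected by the IOS parser; it should read `aaa authentication dot1x default group RADIUS-SERVER-DK`. The prose a few lines earlier states that 802.1X is enabled on the switch port by `aaa authentication dot1x`, whereas the example itself uses that command as the global AAA method list and enables the port with `dot1x port-control auto`; aligning the sentence with the example avoids a misleading instruction. The `authentication server` bullet is left empty and could at least say that it is the RADIUS server which validates the encapsulated EAP exchange relayed by the authenticator, as the previous bullet already implies.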


@ -1,6 +1,97 @@
\chapter{Network Time Protocol} \chapter{NTP}
\gls{ntp} is the source of all evil and \gls{sla}. A network wide source of time configuration for all network nodes, servers, clients etc. is necessary.
\textbf{Configure timezone}\\In this case it\tsq{s} for \gls{metdst}\textbf{:}
\begin{txt}
clock timezone MET 1 0
clock summer-time MET-DST recurring last Sun Mar 2:00 last Sun Oct 3:00
\end{txt}
\textbf{Configure used timezone}\\when doing logging and debugging operations\textbf{:}
\begin{txt}
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
\end{txt}
A select number of Cisco switches support synchronization with the hardware clock, too. The standard is to only sync the software clock.\\\cliline{ntp update-calendar}
\fig{ntp/ntp}{ntp}{\gls{ntp}}
\gls{ntp} servers are a hierarchical tree with stratum 0 servers as the authoritative in the tree. These servers get their time from either \gls{gprs} satellites or atomic clocks {\footnotesize (i.e. an authoritative time \gls{src})}.
\subsection{Characteristics}
\begin{itemize}
\item Uses \gls{udp} port 123 on both \gls{src} and \gls{dst},
\item polling interval ranging from 64-1024 sec. Length of interval is dependant upon network cond.,
\item large differences between \gls{ntp} reference time and local client time will result in increased pooling interval.
\end{itemize}
\fig{ntp/ntpstratum}{ntpstratum}{Stratum levels}
\section{The old NTP from \tsq{85}} \section{The old NTP from \tsq{85}}
\textbf{Team Cymru} has a nice template for how to enable \gls{ntp} \textbf{with} \textit{access control} on \gls{ios} and \gls{junos}\footnote{\url{https://www.team-cymru.org/secure-ntp-template.html}}. Shown below is a copy of the \gls{ios} example from Cymrus website.
\begin{cisco}
! Core NTP configuration
ntp update-calendar ! update hardware clock (certain hardware only, i.e. 6509s)
ntp server 192.0.2.1 ! a time server you sync with
ntp peer 192.0.2.2 ! a time server you sync with and allow to sync to you
ntp source Loopback0 ! we recommend using a loopback interface for sending NTP messages if possible
!
! NTP access control
ntp access-group query-only 1 ! deny all NTP control queries
ntp access-group serve 1 ! deny all NTP time and control queries by default
ntp access-group peer 10 ! permit time sync to configured peer(s)/server(s) only
ntp access-group serve-only 20 ! permit NTP time sync requests from a select set of clients
!
! access control lists (ACLs)
access-list 1 remark utility ACL to block everything
access-list 1 deny any
!
access-list 10 remark NTP peers/servers we sync to/with
access-list 10 permit 192.0.2.1
access-list 10 permit 192.0.2.2
access-list 10 deny any
!
access-list 20 remark Hosts/Networks we allow to get time from us
access-list 20 permit 192.0.2.0 0.0.0.255
access-list 20 deny any
\end{cisco}
\textbf{Beware} when running a cisco node as \gls{ntp} master and are using access-list to restrict possible clients/peers. You need to allow 127.127.[0-255].1 in the access-list\footnote{The 3rd octet will vary depending on the node.}. This because the master NTP node in the network uses this \gls{ipv4} address as internal master.
\section{Secure NTP} \section{Secure NTP}
\subsection{Characteristics}
\begin{itemize}
\item \gls{ntp} is insecure be default, whích prompted for \gls{sntp} to come along,
\item Cisco \gls{ios} devices typically only support MD5 encryption\footnote{\url{https://en.wikipedia.org/wiki/MD5}}
\end{itemize}
\subsubsection{Configure SNTP}
\textbf{Team Cymru} has a nice template for how to enable \gls{sntp} on \gls{ios} and \gls{junos}\footnote{\url{https://www.team-cymru.org/secure-ntp-template.html}}. Shown below is a copy of the \gls{ios} example from Cymrus website.
\begin{cisco}
ntp authenticate ! enable NTP authentication
ntp authentication-key [key-id] md5 [hash] ! define a NTP authentication key
ntp trusted-key [key-id] ! mark a NTP authentication key as trusted
ntp peer [peer_address] key [key-id] ! form a authenticated session with a peer
ntp server [server_address] key [key-id] ! form a authenticated session with a server
\end{cisco}
\subsection{Versions}
Generally today \gls{ntp}v3 or v4 is found. The difference to v4 \textit{(amongst other)} is
\begin{itemize}
\item support for \gls{ipv6}.
\item The security in the protocol is upped to with support for X509 certs.
\item Automatic calculation of time-distribution\footnote{to archive high time accuracy against lowest bandwidth cost} in a network based upon specific multicast groups leveraging v6 site-local multicast addresses.
\item \cliline{network-node(config)# ntp-server \textit{\gls{ipv6}-addr} version 4}
\end{itemize}
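Review bot: The Secure NTP characteristics speak of `MD5 encryption`, but the `ntp authentication-key ... md5` mechanism shown in the example is a keyed hash that authenticates messages; it provides integrity and origin authentication, not confidentiality, so `MD5 authentication` is the accurate wording. The same bullet contains `whích` with a mis-encoded character. If `\gls{sntp}` expands to Simple Network Time Protocol, it is a reduced-complexity client mode rather than a security extension, so the `Configure SNTP` heading would better describe what the commands do as configuring NTP authentication — please confirm against the glossary entry. The stratum paragraph attributes stratum 0 time to `\gls{gprs}` satellites; if that acronym resolves to General Packet Radio Service, GPS is presumably meant.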


@ -49,8 +49,14 @@
\DTMfetchTZminute{now} \DTMfetchTZminute{now}
} }
\newcommand{\itemtitle}[2]{\textbf{#1:}\\% \newcommand{\itemtitle}[2]{%
{\footnotesize #2}} \sbox0{#1}%
\ifdim\wd0=0pt
{\textbf{#1:}} %if #1 is empty
\else
{\textbf{#1:}\\{\footnotesize #2}}
\fi
}
\newcommand{\myquote}[2]{% \newcommand{\myquote}[2]{%
@ -69,4 +75,15 @@
% Enviroment @var cisco % Enviroment @var cisco
\lstnewenvironment{cisco}{\lstset{style=cisco}}{} \lstnewenvironment{cisco}{\lstset{language=cisco}}{}
%\newcommand{cisline}[1]{\lstinline[columns=fixed]{network-device\# #1}}
%\newcommand{cisconf}[2][]{%
%\def\temp{#1}\ifx\temp\empty
%\lstinline[columns=fixed]{network-device(config)\# #2}
%\else
%\lstinline[columns=fixed]{network-device(config-#1)\# #2}
%\fi\}
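Review bot: `\itemtitle` measures `#1` in `\sbox0{#1}`, yet the branch taken when that width is zero prints `\textbf{#1:}`, i.e. a bare bold colon, which does not match the apparent intent of the `%if #1 is empty` comment to drop the footnote line; it looks like the test was meant for `#2`. Changing the box line to `\sbox0{#2}%` would make the empty branch print the title alone and the other branch the title plus the footnote text, which is presumably what was intended — please confirm. The commented-out `\cisconf` macro ends with `\fi\}`, where the stray backslash before the closing brace would break it if the block is ever uncommented.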

img/8021X/portauth.png Normal file


img/ntp/ntp.png Normal file


img/ntp/ntpstratum.png Normal file


img/udld/malfunction.png Normal file



@ -137,7 +137,7 @@
% % % %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\bibliography{references} \bibliography{references,references-wikipedia}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% % % %

references-wikipedia.bib Normal file

@ -0,0 +1,27 @@
@comment Please use:
@comment https://irl.github.io/bibwiki/
@comment when generating Wikipedia entriees for this DB file!
@misc{ wiki:Link_Layer_Discovery_Protocol,
author = "Wikipedia",
title = "{Link Layer Discovery Protocol} --- {W}ikipedia{,} The Free Encyclopedia",
year = "2017",
howpublished = {\url{http://en.wikipedia.org/w/index.php?title=Link\%20Layer\%20Discovery\%20Protocol&oldid=755990989}},
note = "[Online; accessed 04-June-2017]"
}
@misc{ wiki:Cisco_Discovery_Protocol,
author = "Wikipedia",
title = "{Cisco Discovery Protocol} --- {W}ikipedia{,} The Free Encyclopedia",
year = "2017",
howpublished = {\url{http://en.wikipedia.org/w/index.php?title=Cisco\%20Discovery\%20Protocol&oldid=779112658}},
note = "[Online; accessed 04-June-2017]"
}
@misc{ wiki:CDP_Spoofing,
author = "Wikipedia",
title = "{CDP Spoofing} --- {W}ikipedia{,} The Free Encyclopedia",
year = "2017",
howpublished = {\url{http://en.wikipedia.org/w/index.php?title=CDP\%20Spoofing&oldid=740946635}},
note = "[Online; accessed 04-June-2017]"
}
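Review bot: The `@comment` header reads `entriees`; `@comment when generating Wikipedia entries for this DB file!` is the intended wording. The three `howpublished` URLs point at `http://en.wikipedia.org`, while the spanning-tree entry this merge replaces in references.bib used `https://`; keeping `https://` throughout is consistent and spares readers a redirect.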


@ -1,24 +1,24 @@
@online{vtpchap4, @online{ slideshare:vtpchap4,
author = {Hector Camba Lainez}, author = "Hector Camba Lainez",
title = {Cap4 implementing vtp}, title = "Cap4 implementing vtp",
year = 2010, year = "2010",
url = {https://www.slideshare.net/lucky0679/cap4-implementing-vtp}, url = {https://www.slideshare.net/lucky0679/cap4-implementing-vtp},
note = {Last Accessed: 2017-05-22}, note = "[Online; accessed 22-May-2017]"
} }
@misc{wp_spanningtree, @misc{ wiki:Spanning_Tree_Protocol,
title = {Spanning Tree Protocol}, author = "Wikipedia",
year = 2017, title = "{Spanning Tree Protocol} --- {W}ikipedia{,} The Free Encyclopedia",
url = {https://en.wikipedia.org/w/index.php?title=Spanning_Tree_Protocol&oldid=778662646}, year = "2017",
urldate = {2017-05-24}, howpublished = {\url{http://en.wikipedia.org/w/index.php?title=Spanning\%20Tree\%20Protocol&oldid=778662646}},
note = {Last Accessed: 2017-05-24}, note = "[Online; accessed 24-May-2017]"
} }
@book{froom2015implementing, @book{froom2015implementing,
author = {Froom, Richard}, author = "Froom, Richard",
title = {Implementing Cisco IP switched networks (SWITCH) : foundation learning guide}, title = "Implementing Cisco IP switched networks (SWITCH) : foundation learning guide",
publisher = {Cisco Press}, publisher = "Cisco Press",
year = {2015}, year = "2015",
address = {Indianapolis, IN}, address = "Indianapolis{,} IN",
isbn = {978-1-58720-664-1} isbn = "978-1-58720-664-1"
} }
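Review bot: Renaming the keys `vtpchap4` to `slideshare:vtpchap4` and `wp_spanningtree` to `wiki:Spanning_Tree_Protocol` breaks any `\cite{vtpchap4}` or `\cite{wp_spanningtree}` still present in the chapters; the matching citation updates are not visible in this view, so please confirm they are part of the merge, otherwise BibTeX warns and the references print as `?`. The Wikipedia entry's link also moves from `https://` to `http://` in the rewritten `howpublished` field, which is a step backwards for no apparent gain.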


@ -21,8 +21,6 @@
\usepackage[nottoc]{tocbibind} \usepackage[nottoc]{tocbibind}
\usepackage{url} \usepackage{url}
\usepackage[showisoZ]{datetime2} \usepackage[showisoZ]{datetime2}
%\usepackage{lipsum}
%\usepackage{titling}
\usepackage{transparent} \usepackage{transparent}
\usepackage{soul} \usepackage{soul}
\usepackage{caption} \usepackage{caption}
@ -40,6 +38,7 @@
\usepackage{epigraph} % used to style quotes \usepackage{epigraph} % used to style quotes
\usepackage{titling} % makes available \thetitle \theauthor \thedate \usepackage{titling} % makes available \thetitle \theauthor \thedate
\usepackage[toc,acronym,footnote,nomain]{glossaries} % Load the package with the acronym option \usepackage[toc,acronym,footnote,nomain]{glossaries} % Load the package with the acronym option
\usepackage{chngcntr}
\bibliographystyle{unsrtnat} %styles list https://www.sharelatex.com/learn/Natbib_bibliography_styles \bibliographystyle{unsrtnat} %styles list https://www.sharelatex.com/learn/Natbib_bibliography_styles
@ -126,18 +125,21 @@
\lstdefinelanguage{cisco}{ \lstdefinelanguage{cisco}{
keywords={ keywords={
access-list,
cdp,
dhcp,
end, end,
hostname, hostname,
Interface int, interface,
ip, ip,
line, line,
lldp,
login, login,
network, network,
no, no,
ntp,
router, router,
sh,
show, show,
shut,
shutdown, shutdown,
version, version,
vlan, vlan,
@ -145,21 +147,25 @@
}, },
keywordstyle=\color{blue}\bfseries, keywordstyle=\color{blue}\bfseries,
ndkeywords={ ndkeywords={
access-group,
addr, addr,
address, address,
aux, aux,
bgp, bgp,
con,
console, console,
dhcp, dhcp,
eigrp, eigrp,
g, enable,
fa,
FastEthernet,
gi,
GigabitEthernet, GigabitEthernet,
isis, isis,
ospf, ospf,
ospfv3, ospfv3,
pool, pool,
rip, rip,
run,
vty, vty,
}, },
ndkeywordstyle=\color{darkgray}\bfseries, ndkeywordstyle=\color{darkgray}\bfseries,
@ -171,7 +177,7 @@
} }
\geometry{a4paper,margin=2cm} \geometry{a4paper,margin=1.5cm}
\setlength{\columnsep}{1.5cm} %space between columns \setlength{\columnsep}{1.5cm} %space between columns
\setlength{\headheight}{15pt} \setlength{\headheight}{15pt}
\setlength{\footnotesep}{0.5cm} %space between footnotes: \setlength{\footnotesep}{0.5cm} %space between footnotes:
@ -220,3 +226,17 @@
\renewcommand*{\acronymname}{Abbreviations} \renewcommand*{\acronymname}{Abbreviations}
% Do not reset counter for footnotes at all
% through the document from start to finish.
% https://tex.stackexchange.com/questions/10448/continuous-footnote-numbering
\counterwithout{footnote}{chapter}
% Set footnote numeration
% https://www.sharelatex.com/learn/Footnotes
% This command need to be run AFTER
% "\counterwithout{footnote}{chapter}" for the
% changes to be able to take effect.
\renewcommand{\thefootnote}{\arabic{footnote}}
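Review bot: `dhcp` is now listed both in the `keywords` list (added in the `\lstdefinelanguage{cisco}` hunk) and in the `ndkeywords` list that follows it, so how `dhcp` is styled depends on how listings resolves the duplicate; one of the two entries should be dropped so the intent is unambiguous. The `\counterwithout{footnote}{chapter}` block is well commented, but the closing `\renewcommand{\thefootnote}{\arabic{footnote}}` appears to restate the standard-class default, so either a comment saying it is kept for explicitness or removing it would help the next reader. The removal of the commented `%\usepackage{titling}` line is consistent, since `titling` is already loaded further down in the same file.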