netravnen
/
NetworkLabNotes
mirror of https://gitlab.com/netravnen/NetworkLabNotes.git
1
0
Fork 0
Code Releases Activity

Changed file structure

This commit is contained in:
chhan11 2017-06-01 20:41:55 +02:00
parent 5b49b43092
commit fef6796951
13 changed files with 212 additions and 223 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
chapter/section/dhcp.tex → chapter/dhcp.tex
View File

@ -1,3 +1,5 @@
\chapter{DHCP}
\section{DHCP Process}
\fig{dhcp/dhcpdiscoverprocess}{dhcpdiscoverprocess}{DHCP Discover Process}
@ -25,18 +27,18 @@
\subsection{Cisco}
\begin{txt}
ip dhcp excluded-address 192.168.0.254
!
ip dhcp pool LAN-1-POOL-DHCP
network 192.168.0.0 255.255.255.0
default-router 192.168.0.254
lease 2 ! set in days
ip dhcp excluded-address 192.168.0.254
!
ip dhcp pool LAN-1-POOL-DHCP
network 192.168.0.0 255.255.255.0
default-router 192.168.0.254
lease 2 ! set in days
\end{txt}
When configuring a Layer 3 interface as a relay port for DHCP request for a subnet. Set the ip helper command on the interface with one \textit{or} more ip addresses.
\begin{txt}
interface GigabitEthernet 0/3
ip helper-address 192.168.220.220
ip helper-address 192.168.222.222
interface GigabitEthernet 0/3
ip helper-address 192.168.220.220
ip helper-address 192.168.222.222
\end{txt}

7
chapter/fhrp.tex Normal file
View File

@ -0,0 +1,7 @@
\chapter{FHRP}
\section{VRRP}
\section{GLBP}
\section{HSRP}

11
chapter/internet.tex Normal file
View File

@ -0,0 +1,11 @@
\chapter{The Internet {\footnotesize "Post cold-war modern times"}}
\section{Service Providers}
\section{IXP}
\section{MPLS}
\section{BGP}
\section{EVPN}

46
chapter/section/intervlanrouting.tex → chapter/l2tol3.tex
View File

@ -1,3 +1,5 @@
\chapter{L2 to L3}
\section{Vlan-to-vlan routing}
\myquote{}{Guidance and Understanding of the art of Layer 3 networks. Routing between different slash 24\tsq{s}.\\ \textit{Aka. Inter-vlan routing.}}
@ -26,32 +28,32 @@ There are different ways to go \tsq{bout} Inter-vlan routing and doing it.
\subsubsection{Routed interfaces}
\begin{txt}
interface GigabitEthernet 0/1.10
encapsulation dot1q 10
ip address 192.168.0.1 255.255.255.128
!
interface GigabitEthernet 0/1.20
encapsulation dot1q 20
ip address 192.168.0.129 255.255.255.128
interface GigabitEthernet 0/1.10
encapsulation dot1q 10
ip address 192.168.0.1 255.255.255.128
!
interface GigabitEthernet 0/1.20
encapsulation dot1q 20
ip address 192.168.0.129 255.255.255.128
\end{txt}
\subsubsection{Switches interfaces}
\begin{txt}
Vlan10
name VLAN10
Vlan20
name VLAN20
!
interface Vlan10
ip address 192.168.1.1 255.255.255.128
interface Vlan20
ip address 192.168.1.129 255.255.255.128
!
interface GigabitEthernet 0/2
switchport mode trunk
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,20
Vlan10
name VLAN10
Vlan20
name VLAN20
!
interface Vlan10
ip address 192.168.1.1 255.255.255.128
interface Vlan20
ip address 192.168.1.129 255.255.255.128
!
interface GigabitEthernet 0/2
switchport mode trunk
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,20
\end{txt}
\pagebreak
@ -90,4 +92,4 @@ interface GigabitEthernet 0/2
\item Each host has to have the default gateway that is the SVI or Layer 3 interface to communicate with other networks and VLAN.
\item Host might not be configured with the default gateway.
\end{itemize}
\end{enumerate}
\end{enumerate}

7
chapter/layer2.tex Normal file
View File

@ -0,0 +1,7 @@
\chapter{Layer 2}
\input{layer2/switchednetwork}
\newpage
\input{layer2/spanningtree}

0
chapter/section/spanningtree.tex → chapter/layer2/spanningtree.tex
View File

0
chapter/section/switchednetwork.tex → chapter/layer2/switchednetwork.tex
View File

3
chapter/layer3.tex Normal file
View File

@ -0,0 +1,3 @@
\chapter{Layer 3}
\input{layer3/routednetwork}

0
chapter/section/routednetwork.tex → chapter/layer3/routednetwork.tex
View File

14
chapter/mgmt.tex Normal file
View File

@ -0,0 +1,14 @@
\chapter{Management}
\section{Network management}
\subsection{Routers}
\subsection{Switches}
\subsection{Firewall}
\section{Out-of-band management}
\subsection{Console server}

120
chapter/networkmgmt.tex Normal file
View File

@ -0,0 +1,120 @@
\chapter{Triple A\tsq{s}}
\myquote{}{Remember to log the details, too.}
\xkcd{latitude}{Remember logging when necessary}
\newpage
\begin{itemize}
\item \textbf{Authentication:}
\begin{enumerate}
\item Identify the user,
\item Validate the user,
\item Allow/Disallow user based upon credentials.
\end{enumerate}
\item \textbf{Authorization:}
\begin{enumerate}
\item Have defined levels of allowed operations/tasks divided into groups,
\item Validate user-to-groups relations,
\item Allow/Disallow user actions.
\item On network gear the Allow/Disallowed actions can be stored on either the central \gls{aaa} server or locally\footnote{May not apply to all network gear} in the network node.
\end{enumerate}
\item \textbf{Accounting:}
\begin{enumerate}
\item Network nodes collect user and session information from start to end when connecting to a node,
\item All information is transferred back to \gls{aaa} server,
\item Transferred info can be leveraged for several purposes. Typically logged info is:
\begin{itemize}
\item session duration,
\item user commands,
\item disallowed commands
\end{itemize}
\end{enumerate}
\end{itemize}
\bigskip
\textbf{Obvious} benefits by using the \gls{aaa} is scalability, increased flexibility and granularity of assigned rights, standardization, having failover by using multiple triple a\tsq{s} server\footnote{Cisco devices uses the descending order in which \gls{aaa} servers are configured on the node}.
\newpage
\begin{table}[!ht]
\centering
\caption{Tacacs+ vs. Radius}
\label{radiusversustacacsplus}
\resizebox{\columnwidth}{!}{%
\begin{tabular}{|l|l|l|l|l|}
\hline
\multicolumn{1}{|c|}{\textbf{Feature}} & \multicolumn{1}{c|}{\textbf{RADIUS}} & \multicolumn{1}{c|}{\textbf{TACACS+}} \\ \hline
Developer & \begin{tabular}[c]{@{}l@{}}Livington Enterprise\\ (now industry standard)\end{tabular} & \begin{tabular}[c]{@{}l@{}}Cisco\\ (proprietary)\end{tabular} \\ \hline
Transport protocol & UDP ports 1812-1813 & TCP port 49 \\ \hline
\gls{aaa} support & \begin{tabular}[c]{@{}l@{}}Combines authentication\\ and authorization and \\ separate accounting\end{tabular} & \begin{tabular}[c]{@{}l@{}}Uses the \gls{aaa}\\ model and sep-\\ arates all three\\ services\end{tabular} \\ \hline
Challange response & \begin{tabular}[c]{@{}l@{}}One-way, unidirectional\\ (single challenge response)\end{tabular} & \begin{tabular}[c]{@{}l@{}}Two-way, bidirec-\\ tional (multiple\\ challenge responses)\end{tabular} \\ \hline
Security & \begin{tabular}[c]{@{}l@{}}Encrypts only the password\\ in the packet\end{tabular} & \begin{tabular}[c]{@{}l@{}}Encrypt the entire\\ packet body\end{tabular} \\ \hline
\end{tabular}%
}
\end{table}
\newpage
\section{RADIUS}
\fig{radius/radiuscommunication}{radiuscommunication}{Radius handshake and communication}
\begin{txt}
radius server DK-RADIUS-SERVER
address ipv4 radiusserver.example.com auth-port 1812 acct-port 1813
key unkn0wn!unic@st.|.
!
aaa new-model
aaa group server RADIUS
server name DK-RADIUS-SERVER
!
aaa authentication login radius_list group RADIUS local
!
line vty 0-4
login authentication radius_list
line vty 5-15
login authentication radius_list
\end{txt}
\newpage
\section{TACACS+}
\fig{tacacsplus/tacacspluscommunication}{tacacspluscommunication}{Tacacs plus handshake and communication}
\begin{txt}
aaa group server tacacs+ TACACS
server-private 1.1.1.1 unkn0wn!unicAst
ip tacacs source-interface Loopback0
!
aaa authentication attempts login 1
aaa authentication login default group TACACS local-case
aaa authentication login console local-case
aaa authentication enable default group TACACS enable
aaa authorization exec default group TACACS local
aaa authorization commands 0 default group TACACS local
aaa authorization commands 15 default group TACACS local
aaa accounting exec default
action-type start-stop
group tacacs+
!
aaa accounting commands 1 default
action-type start-stop
group tacacs+
!
aaa accounting commands 2 default
action-type start-stop
group tacacs+
!
aaa accounting commands 15 default
action-type start-stop
group tacacs+
!
aaa session-id common
!
tacacs-server host 10.21.0.45
tacacs-server unkn0wn!unicAst
\end{txt}

6
chapter/ntp.tex Normal file
View File

@ -0,0 +1,6 @@
\chapter{Network Time Protocol}
\section{The old NTP from \tsq{85}}
\section{Secure NTP}

201
main.tex
View File

@ -27,208 +27,25 @@
% %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% <!-- CONFIGURATION EXAMPLES -->
\include{chapter/baseconf}
% <!-- LAYER 2 -->
\include{chapter/layer2}
\chapter{Layer 2}
\include{chapter/l2tol3}
\input{chapter/section/switchednetwork}
\include{chapter/layer3}
\newpage
\include{chapter/dhcp}
\input{chapter/section/spanningtree}
\include{chapter/fhrp}
% <!-- INTERVLAN -->
\include{chapter/networkmgmt}
\chapter{L2 to L3}
\include{chapter/ntp}
\input{chapter/section/intervlanrouting}
\include{chapter/mgmt}
% <!-- DHCP -->
\chapter{DHCP}
\input{chapter/section/dhcp}
% <!-- VRRP, GLBP, HSRP -->
\chapter{FHRP}
\section{VRRP}
\section{GLBP}
\section{HSRP}
% <!-- ACCOUNTING AND LOGINS, RADIUS, TACACS+ -->
\chapter{Triple A\tsq{s}}
\myquote{}{Remember to log the details, too.}
\xkcd{latitude}{Remember logging when necessary}
\newpage
\begin{itemize}
\item \textbf{Authentication:}
\begin{enumerate}
\item Identify the user,
\item Validate the user,
\item Allow/Disallow user based upon credentials.
\end{enumerate}
\item \textbf{Authorization:}
\begin{enumerate}
\item Have defined levels of allowed operations/tasks divided into groups,
\item Validate user-to-groups relations,
\item Allow/Disallow user actions.
\item On network gear the Allow/Disallowed actions can be stored on either the central \gls{aaa} server or locally\footnote{May not apply to all network gear} in the network node.
\end{enumerate}
\item \textbf{Accounting:}
\begin{enumerate}
\item Network nodes collect user and session information from start to end when connecting to a node,
\item All information is transferred back to \gls{aaa} server,
\item Transferred info can be leveraged for several purposes. Typically logged info is:
\begin{itemize}
\item session duration,
\item user commands,
\item disallowed commands
\end{itemize}
\end{enumerate}
\end{itemize}
\bigskip
\textbf{Obvious} benefits by using the \gls{aaa} is scalability, increased flexibility and granularity of assigned rights, standardization, having failover by using multiple triple a\tsq{s} server\footnote{Cisco devices uses the descending order in which \gls{aaa} servers are configured on the node}.
\newpage
\begin{table}[!ht]
\centering
\caption{Tacacs+ vs. Radius}
\label{radiusversustacacsplus}
\resizebox{\columnwidth}{!}{%
\begin{tabular}{|l|l|l|l|l|}
\hline
\multicolumn{1}{|c|}{\textbf{Feature}} & \multicolumn{1}{c|}{\textbf{RADIUS}} & \multicolumn{1}{c|}{\textbf{TACACS+}} \\ \hline
Developer & \begin{tabular}[c]{@{}l@{}}Livington Enterprise\\ (now industry standard)\end{tabular} & \begin{tabular}[c]{@{}l@{}}Cisco\\ (proprietary)\end{tabular} \\ \hline
Transport protocol & UDP ports 1812-1813 & TCP port 49 \\ \hline
\gls{aaa} support & \begin{tabular}[c]{@{}l@{}}Combines authentication\\ and authorization and \\ separate accounting\end{tabular} & \begin{tabular}[c]{@{}l@{}}Uses the \gls{aaa}\\ model and sep-\\ arates all three\\ services\end{tabular} \\ \hline
Challange response & \begin{tabular}[c]{@{}l@{}}One-way, unidirectional\\ (single challenge response)\end{tabular} & \begin{tabular}[c]{@{}l@{}}Two-way, bidirec-\\ tional (multiple\\ challenge responses)\end{tabular} \\ \hline
Security & \begin{tabular}[c]{@{}l@{}}Encrypts only the password\\ in the packet\end{tabular} & \begin{tabular}[c]{@{}l@{}}Encrypt the entire\\ packet body\end{tabular} \\ \hline
\end{tabular}%
}
\end{table}
\newpage
\section{RADIUS}
\fig{radius/radiuscommunication}{radiuscommunication}{Radius handshake and communication}
\begin{txt}
radius server DK-RADIUS-SERVER
address ipv4 radiusserver.example.com auth-port 1812 acct-port 1813
key unkn0wn!unic@st.|.
!
aaa new-model
aaa group server RADIUS
server name DK-RADIUS-SERVER
!
aaa authentication login radius_list group RADIUS local
!
line vty 0-4
login authentication radius_list
line vty 5-15
login authentication radius_list
\end{txt}
\newpage
\section{TACACS+}
\fig{tacacsplus/tacacspluscommunication}{tacacspluscommunication}{Tacacs plus handshake and communication}
\begin{txt}
aaa group server tacacs+ TACACS
server-private 1.1.1.1 unkn0wn!unicAst
ip tacacs source-interface Loopback0
!
aaa authentication attempts login 1
aaa authentication login default group TACACS local-case
aaa authentication login console local-case
aaa authentication enable default group TACACS enable
aaa authorization exec default group TACACS local
aaa authorization commands 0 default group TACACS local
aaa authorization commands 15 default group TACACS local
aaa accounting exec default
action-type start-stop
group tacacs+
!
aaa accounting commands 1 default
action-type start-stop
group tacacs+
!
aaa accounting commands 2 default
action-type start-stop
group tacacs+
!
aaa accounting commands 15 default
action-type start-stop
group tacacs+
!
aaa session-id common
!
tacacs-server host 10.21.0.45
tacacs-server unkn0wn!unicAst
\end{txt}
% <!-- NTP -->
\chapter{Network Time Protocol}
\section{The old NTP from \tsq{85}}
\section{Secure NTP}
% <!-- NETWORK MANAGEMENT -->
\chapter{Managemnt}
\section{Network management}
\subsection{Routers}
\subsection{Switches}
\subsection{Firewall}
\section{Out-of-band management}
\subsection{Console server}
% <!-- LAYER 3 STUFF -->
\chapter{Protocols Layer 3}
\input{chapter/section/routednetwork}
% <!-- DESCRIBE THE INTERNET -->
\chapter{The Internet {\footnotesize "Post cold-war modern times"}}
\section{Service Providers}
\section{IXP}
\section{MPLS}
\section{BGP}
\section{EVPN}
\include{chapter/internet}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% %