From fef679695156aa2e1accfd9183a03e5d42c6e49b Mon Sep 17 00:00:00 2001 From: chhan11 Date: Thu, 1 Jun 2017 20:41:55 +0200 Subject: [PATCH] Changed file structure --- chapter/{section => }/dhcp.tex | 20 +- chapter/fhrp.tex | 7 + chapter/internet.tex | 11 + .../intervlanrouting.tex => l2tol3.tex} | 46 ++-- chapter/layer2.tex | 7 + chapter/{section => layer2}/spanningtree.tex | 0 .../{section => layer2}/switchednetwork.tex | 0 chapter/layer3.tex | 3 + chapter/{section => layer3}/routednetwork.tex | 0 chapter/mgmt.tex | 14 ++ chapter/networkmgmt.tex | 120 +++++++++++ chapter/ntp.tex | 6 + main.tex | 201 +----------------- 13 files changed, 212 insertions(+), 223 deletions(-) rename chapter/{section => }/dhcp.tex (82%) create mode 100644 chapter/fhrp.tex create mode 100644 chapter/internet.tex rename chapter/{section/intervlanrouting.tex => l2tol3.tex} (81%) create mode 100644 chapter/layer2.tex rename chapter/{section => layer2}/spanningtree.tex (100%) rename chapter/{section => layer2}/switchednetwork.tex (100%) create mode 100644 chapter/layer3.tex rename chapter/{section => layer3}/routednetwork.tex (100%) create mode 100644 chapter/mgmt.tex create mode 100644 chapter/networkmgmt.tex create mode 100644 chapter/ntp.tex diff --git a/chapter/section/dhcp.tex b/chapter/dhcp.tex similarity index 82% rename from chapter/section/dhcp.tex rename to chapter/dhcp.tex index d052be5..e050dc0 100644 --- a/chapter/section/dhcp.tex +++ b/chapter/dhcp.tex @@ -1,3 +1,5 @@ +\chapter{DHCP} + \section{DHCP Process} \fig{dhcp/dhcpdiscoverprocess}{dhcpdiscoverprocess}{DHCP Discover Process} 
@@ -25,18 +27,18 @@ \subsection{Cisco} \begin{txt} -ip dhcp excluded-address 192.168.0.254 -! -ip dhcp pool LAN-1-POOL-DHCP - network 192.168.0.0 255.255.255.0 - default-router 192.168.0.254 - lease 2 ! set in days + ip dhcp excluded-address 192.168.0.254 + ! + ip dhcp pool LAN-1-POOL-DHCP + network 192.168.0.0 255.255.255.0 + default-router 192.168.0.254 + lease 2 ! set in days \end{txt} When configuring a Layer 3 interface as a relay port for DHCP request for a subnet. Set the ip helper command on the interface with one \textit{or} more ip addresses. \begin{txt} -interface GigabitEthernet 0/3 - ip helper-address 192.168.220.220 - ip helper-address 192.168.222.222 + interface GigabitEthernet 0/3 + ip helper-address 192.168.220.220 + ip helper-address 192.168.222.222 \end{txt} diff --git a/chapter/fhrp.tex b/chapter/fhrp.tex new file mode 100644 index 0000000..6a8c61f --- /dev/null +++ b/chapter/fhrp.tex @@ -0,0 +1,7 @@ +\chapter{FHRP} + +\section{VRRP} + +\section{GLBP} + +\section{HSRP} diff --git a/chapter/internet.tex b/chapter/internet.tex new file mode 100644 index 0000000..a9b009f --- /dev/null +++ b/chapter/internet.tex @@ -0,0 +1,11 @@ +\chapter{The Internet {\footnotesize "Post cold-war modern times"}} + +\section{Service Providers} + +\section{IXP} + +\section{MPLS} + +\section{BGP} + +\section{EVPN} diff --git a/chapter/section/intervlanrouting.tex b/chapter/l2tol3.tex similarity index 81% rename from chapter/section/intervlanrouting.tex rename to chapter/l2tol3.tex index d91ff3a..665ab89 100644 --- a/chapter/section/intervlanrouting.tex +++ b/chapter/l2tol3.tex @@ -1,3 +1,5 @@ +\chapter{L2 to L3} + \section{Vlan-to-vlan routing} \myquote{}{Guidance and Understanding of the art of Layer 3 networks. Routing between different slash 24\tsq{s}.\\ \textit{Aka. Inter-vlan routing.}} 
@@ -26,32 +28,32 @@ There are different ways to go \tsq{bout} Inter-vlan routing and doing it. \subsubsection{Routed interfaces} \begin{txt} -interface GigabitEthernet 0/1.10 - encapsulation dot1q 10 - ip address 192.168.0.1 255.255.255.128 -! -interface GigabitEthernet 0/1.20 - encapsulation dot1q 20 - ip address 192.168.0.129 255.255.255.128 + interface GigabitEthernet 0/1.10 + encapsulation dot1q 10 + ip address 192.168.0.1 255.255.255.128 + ! + interface GigabitEthernet 0/1.20 + encapsulation dot1q 20 + ip address 192.168.0.129 255.255.255.128 \end{txt} \subsubsection{Switches interfaces} \begin{txt} -Vlan10 - name VLAN10 -Vlan20 - name VLAN20 -! -interface Vlan10 - ip address 192.168.1.1 255.255.255.128 -interface Vlan20 - ip address 192.168.1.129 255.255.255.128 -! -interface GigabitEthernet 0/2 - switchport mode trunk - switchport trunk encapsulation dot1q - switchport trunk allowed vlan 10,20 + Vlan10 + name VLAN10 + Vlan20 + name VLAN20 + ! + interface Vlan10 + ip address 192.168.1.1 255.255.255.128 + interface Vlan20 + ip address 192.168.1.129 255.255.255.128 + ! + interface GigabitEthernet 0/2 + switchport mode trunk + switchport trunk encapsulation dot1q + switchport trunk allowed vlan 10,20 \end{txt} \pagebreak @@ -90,4 +92,4 @@ interface GigabitEthernet 0/2 \item Each host has to have the default gateway that is the SVI or Layer 3 interface to communicate with other networks and VLAN. \item Host might not be configured with the default gateway. \end{itemize} -\end{enumerate} \ No newline at end of file +\end{enumerate} diff --git a/chapter/layer2.tex b/chapter/layer2.tex new file mode 100644 index 0000000..e617e85 --- /dev/null +++ b/chapter/layer2.tex @@ -0,0 +1,7 @@ +\chapter{Layer 2} + +\input{layer2/switchednetwork} + +\newpage + +\input{layer2/spanningtree} diff --git a/chapter/section/spanningtree.tex b/chapter/layer2/spanningtree.tex similarity index 100% rename from chapter/section/spanningtree.tex rename to chapter/layer2/spanningtree.tex 
diff --git a/chapter/section/switchednetwork.tex b/chapter/layer2/switchednetwork.tex similarity index 100% rename from chapter/section/switchednetwork.tex rename to chapter/layer2/switchednetwork.tex diff --git a/chapter/layer3.tex b/chapter/layer3.tex new file mode 100644 index 0000000..6e7db8f --- /dev/null +++ b/chapter/layer3.tex @@ -0,0 +1,3 @@ +\chapter{Layer 3} + +\input{layer3/routednetwork} diff --git a/chapter/section/routednetwork.tex b/chapter/layer3/routednetwork.tex similarity index 100% rename from chapter/section/routednetwork.tex rename to chapter/layer3/routednetwork.tex diff --git a/chapter/mgmt.tex b/chapter/mgmt.tex new file mode 100644 index 0000000..77d452d --- /dev/null +++ b/chapter/mgmt.tex @@ -0,0 +1,14 @@ +\chapter{Management} + +\section{Network management} + +\subsection{Routers} + +\subsection{Switches} + +\subsection{Firewall} + +\section{Out-of-band management} + +\subsection{Console server} + diff --git a/chapter/networkmgmt.tex b/chapter/networkmgmt.tex new file mode 100644 index 0000000..176d831 --- /dev/null +++ b/chapter/networkmgmt.tex 
@@ -0,0 +1,120 @@ +\chapter{Triple A\tsq{s}} + +\myquote{}{Remember to log the details, too.} + +\xkcd{latitude}{Remember logging when necessary} + +\newpage + +\begin{itemize} + \item \textbf{Authentication:} + \begin{enumerate} + \item Identify the user, + \item Validate the user, + \item Allow/Disallow user based upon credentials. + \end{enumerate} + \item \textbf{Authorization:} + \begin{enumerate} + \item Have defined levels of allowed operations/tasks divided into groups, + \item Validate user-to-groups relations, + \item Allow/Disallow user actions. + \item On network gear the Allow/Disallowed actions can be stored on either the central \gls{aaa} server or locally\footnote{May not apply to all network gear} in the network node. + \end{enumerate} + \item \textbf{Accounting:} + \begin{enumerate} + \item Network nodes collect user and session information from start to end when connecting to a node, + \item All information is transferred back to \gls{aaa} server, + \item Transferred info can be leveraged for several purposes. Typically logged info is: + \begin{itemize} + \item session duration, + \item user commands, + \item disallowed commands + \end{itemize} + \end{enumerate} +\end{itemize} + +\bigskip + +\textbf{Obvious} benefits by using the \gls{aaa} is scalability, increased flexibility and granularity of assigned rights, standardization, having failover by using multiple triple a\tsq{s} server\footnote{Cisco devices uses the descending order in which \gls{aaa} servers are configured on the node}. + +\newpage + +\begin{table}[!ht] + \centering + \caption{Tacacs+ vs. 
Radius} + \label{radiusversustacacsplus} + \resizebox{\columnwidth}{!}{% + \begin{tabular}{|l|l|l|l|l|} + \hline + \multicolumn{1}{|c|}{\textbf{Feature}} & \multicolumn{1}{c|}{\textbf{RADIUS}} & \multicolumn{1}{c|}{\textbf{TACACS+}} \\ \hline + Developer & \begin{tabular}[c]{@{}l@{}}Livington Enterprise\\ (now industry standard)\end{tabular} & \begin{tabular}[c]{@{}l@{}}Cisco\\ (proprietary)\end{tabular} \\ \hline + Transport protocol & UDP ports 1812-1813 & TCP port 49 \\ \hline + \gls{aaa} support & \begin{tabular}[c]{@{}l@{}}Combines authentication\\ and authorization and \\ separate accounting\end{tabular} & \begin{tabular}[c]{@{}l@{}}Uses the \gls{aaa}\\ model and sep-\\ arates all three\\ services\end{tabular} \\ \hline + Challange response & \begin{tabular}[c]{@{}l@{}}One-way, unidirectional\\ (single challenge response)\end{tabular} & \begin{tabular}[c]{@{}l@{}}Two-way, bidirec-\\ tional (multiple\\ challenge responses)\end{tabular} \\ \hline + Security & \begin{tabular}[c]{@{}l@{}}Encrypts only the password\\ in the packet\end{tabular} & \begin{tabular}[c]{@{}l@{}}Encrypt the entire\\ packet body\end{tabular} \\ \hline + \end{tabular}% + } +\end{table} + +\newpage + +\section{RADIUS} + +\fig{radius/radiuscommunication}{radiuscommunication}{Radius handshake and communication} + +\begin{txt} +radius server DK-RADIUS-SERVER + address ipv4 radiusserver.example.com auth-port 1812 acct-port 1813 + key unkn0wn!unic@st.|. +! +aaa new-model +aaa group server RADIUS + server name DK-RADIUS-SERVER +! +aaa authentication login radius_list group RADIUS local +! +line vty 0-4 + login authentication radius_list +line vty 5-15 + login authentication radius_list +\end{txt} + +\newpage + +\section{TACACS+} + +\fig{tacacsplus/tacacspluscommunication}{tacacspluscommunication}{Tacacs plus handshake and communication} + +\begin{txt} +aaa group server tacacs+ TACACS +server-private 1.1.1.1 unkn0wn!unicAst +ip tacacs source-interface Loopback0 +! 
+aaa authentication attempts login 1 +aaa authentication login default group TACACS local-case +aaa authentication login console local-case +aaa authentication enable default group TACACS enable +aaa authorization exec default group TACACS local +aaa authorization commands 0 default group TACACS local +aaa authorization commands 15 default group TACACS local +aaa accounting exec default + action-type start-stop + group tacacs+ +! +aaa accounting commands 1 default + action-type start-stop + group tacacs+ +! +aaa accounting commands 2 default + action-type start-stop + group tacacs+ +! +aaa accounting commands 15 default + action-type start-stop + group tacacs+ +! +aaa session-id common +! +tacacs-server host 10.21.0.45 +tacacs-server unkn0wn!unicAst +\end{txt} diff --git a/chapter/ntp.tex b/chapter/ntp.tex new file mode 100644 index 0000000..f94e877 --- /dev/null +++ b/chapter/ntp.tex @@ -0,0 +1,6 @@ +\chapter{Network Time Protocol} + +\section{The old NTP from \tsq{85}} + +\section{Secure NTP} + diff --git a/main.tex b/main.tex index 6f00db4..fa6b8c2 100644 --- a/main.tex +++ b/main.tex 
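Review bot: The vty ranges in the RADIUS snippet, `line vty 0-4` and `line vty 5-15`, use a hyphen where IOS takes a space-separated range (`line vty 0 4`, `line vty 5 15`), and `aaa group server RADIUS` appears to be missing the protocol keyword (`aaa group server radius RADIUS`), so the example would not paste cleanly onto a device. In the TACACS+ snippet the group uses `server-private 1.1.1.1` but the global line is `tacacs-server host 10.21.0.45`, and 1.1.1.1 is a publicly routed address; pick one RFC 5737 documentation address (e.g. `192.0.2.45`) for both lines and mark the clear-text keys (`unkn0wn!unicAst`, `unkn0wn!unic@st.|.`) as placeholders so nobody copies them into production. The comparison table overstates the protection TACACS+ gives: its body is obfuscated with an MD5-derived keystream rather than encrypted in the modern sense, and RADIUS hides only the User-Password attribute, so a one-line caveat that both protocols belong on an isolated management network or inside a tunnel (IPsec or RADIUS/TLS) would serve the reader. Smaller nits in the same table: `\begin{tabular}{|l|l|l|l|l|}` declares five columns for rows of three cells, and `Livington` / `Challange` should read `Livingston Enterprises` / `Challenge`.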
@@ -27,208 +27,25 @@ % % %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -% - \include{chapter/baseconf} -% +\include{chapter/layer2} -\chapter{Layer 2} +\include{chapter/l2tol3} -\input{chapter/section/switchednetwork} +\include{chapter/layer3} -\newpage +\include{chapter/dhcp} -\input{chapter/section/spanningtree} +\include{chapter/fhrp} -% +\include{chapter/networkmgmt} -\chapter{L2 to L3} +\include{chapter/ntp} -\input{chapter/section/intervlanrouting} +\include{chapter/mgmt} -% - -\chapter{DHCP} - -\input{chapter/section/dhcp} - -% - -\chapter{FHRP} - -\section{VRRP} - -\section{GLBP} - -\section{HSRP} - -% - -\chapter{Triple A\tsq{s}} - -\myquote{}{Remember to log the details, too.} - -\xkcd{latitude}{Remember logging when necessary} - -\newpage - -\begin{itemize} - \item \textbf{Authentication:} - \begin{enumerate} - \item Identify the user, - \item Validate the user, - \item Allow/Disallow user based upon credentials. - \end{enumerate} - \item \textbf{Authorization:} - \begin{enumerate} - \item Have defined levels of allowed operations/tasks divided into groups, - \item Validate user-to-groups relations, - \item Allow/Disallow user actions. - \item On network gear the Allow/Disallowed actions can be stored on either the central \gls{aaa} server or locally\footnote{May not apply to all network gear} in the network node. - \end{enumerate} - \item \textbf{Accounting:} - \begin{enumerate} - \item Network nodes collect user and session information from start to end when connecting to a node, - \item All information is transferred back to \gls{aaa} server, - \item Transferred info can be leveraged for several purposes. 
Typically logged info is: - \begin{itemize} - \item session duration, - \item user commands, - \item disallowed commands - \end{itemize} - \end{enumerate} -\end{itemize} - -\bigskip - -\textbf{Obvious} benefits by using the \gls{aaa} is scalability, increased flexibility and granularity of assigned rights, standardization, having failover by using multiple triple a\tsq{s} server\footnote{Cisco devices uses the descending order in which \gls{aaa} servers are configured on the node}. - -\newpage - -\begin{table}[!ht] - \centering - \caption{Tacacs+ vs. Radius} - \label{radiusversustacacsplus} - \resizebox{\columnwidth}{!}{% - \begin{tabular}{|l|l|l|l|l|} - \hline - \multicolumn{1}{|c|}{\textbf{Feature}} & \multicolumn{1}{c|}{\textbf{RADIUS}} & \multicolumn{1}{c|}{\textbf{TACACS+}} \\ \hline - Developer & \begin{tabular}[c]{@{}l@{}}Livington Enterprise\\ (now industry standard)\end{tabular} & \begin{tabular}[c]{@{}l@{}}Cisco\\ (proprietary)\end{tabular} \\ \hline - Transport protocol & UDP ports 1812-1813 & TCP port 49 \\ \hline - \gls{aaa} support & \begin{tabular}[c]{@{}l@{}}Combines authentication\\ and authorization and \\ separate accounting\end{tabular} & \begin{tabular}[c]{@{}l@{}}Uses the \gls{aaa}\\ model and sep-\\ arates all three\\ services\end{tabular} \\ \hline - Challange response & \begin{tabular}[c]{@{}l@{}}One-way, unidirectional\\ (single challenge response)\end{tabular} & \begin{tabular}[c]{@{}l@{}}Two-way, bidirec-\\ tional (multiple\\ challenge responses)\end{tabular} \\ \hline - Security & \begin{tabular}[c]{@{}l@{}}Encrypts only the password\\ in the packet\end{tabular} & \begin{tabular}[c]{@{}l@{}}Encrypt the entire\\ packet body\end{tabular} \\ \hline - \end{tabular}% - } -\end{table} - -\newpage - -\section{RADIUS} - -\fig{radius/radiuscommunication}{radiuscommunication}{Radius handshake and communication} - -\begin{txt} -radius server DK-RADIUS-SERVER - address ipv4 radiusserver.example.com auth-port 1812 acct-port 1813 - key 
unkn0wn!unic@st.|. -! -aaa new-model -aaa group server RADIUS - server name DK-RADIUS-SERVER -! -aaa authentication login radius_list group RADIUS local -! -line vty 0-4 - login authentication radius_list -line vty 5-15 - login authentication radius_list -\end{txt} - -\newpage - -\section{TACACS+} - -\fig{tacacsplus/tacacspluscommunication}{tacacspluscommunication}{Tacacs plus handshake and communication} - -\begin{txt} -aaa group server tacacs+ TACACS -server-private 1.1.1.1 unkn0wn!unicAst -ip tacacs source-interface Loopback0 -! -aaa authentication attempts login 1 -aaa authentication login default group TACACS local-case -aaa authentication login console local-case -aaa authentication enable default group TACACS enable -aaa authorization exec default group TACACS local -aaa authorization commands 0 default group TACACS local -aaa authorization commands 15 default group TACACS local -aaa accounting exec default - action-type start-stop - group tacacs+ -! -aaa accounting commands 1 default - action-type start-stop - group tacacs+ -! -aaa accounting commands 2 default - action-type start-stop - group tacacs+ -! -aaa accounting commands 15 default - action-type start-stop - group tacacs+ -! -aaa session-id common -! -tacacs-server host 10.21.0.45 -tacacs-server unkn0wn!unicAst -\end{txt} - -% - -\chapter{Network Time Protocol} - -\section{The old NTP from \tsq{85}} - -\section{Secure NTP} - -% - -\chapter{Managemnt} - -\section{Network management} - -\subsection{Routers} - -\subsection{Switches} - -\subsection{Firewall} - -\section{Out-of-band management} - -\subsection{Console server} - -% - -\chapter{Protocols Layer 3} - -\input{chapter/section/routednetwork} - -% - -\chapter{The Internet {\footnotesize "Post cold-war modern times"}} - -\section{Service Providers} - -\section{IXP} - -\section{MPLS} - -\section{BGP} - -\section{EVPN} +\include{chapter/internet} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% % %
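Review bot: The new include list pulls the AAA chapter from `chapter/networkmgmt` while `chapter/mgmt` holds the "Management" chapter, which is easy to misread when scanning main.tex; if the files can still be renamed, `\include{chapter/aaa}` with a matching `chapter/aaa.tex` would line up with the chapter title the way the other includes do. The routed-network chapter also moves from after Management to directly after L2-to-L3 (now `\include{chapter/layer3}` before `\include{chapter/dhcp}`), which looks intentional but is not mentioned in the commit message, so any `\ref` or "see chapter" text that assumed the old order should be re-checked. The RADIUS and TACACS+ shared secrets removed from main.tex in this hunk stay in git history; if they were ever real values rather than placeholders they need rotating, not just moving to another file.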