Changed file structure
parent
5b49b43092
commit
fef6796951
|
@ -1,3 +1,5 @@
|
|||
\chapter{DHCP}
|
||||
|
||||
\section{DHCP Process}
|
||||
|
||||
\fig{dhcp/dhcpdiscoverprocess}{dhcpdiscoverprocess}{DHCP Discover Process}
|
||||
|
@ -25,9 +27,9 @@
|
|||
\subsection{Cisco}
|
||||
|
||||
\begin{txt}
|
||||
ip dhcp excluded-address 192.168.0.254
|
||||
!
|
||||
ip dhcp pool LAN-1-POOL-DHCP
|
||||
ip dhcp excluded-address 192.168.0.254
|
||||
!
|
||||
ip dhcp pool LAN-1-POOL-DHCP
|
||||
network 192.168.0.0 255.255.255.0
|
||||
default-router 192.168.0.254
|
||||
lease 2 ! set in days
|
||||
|
@ -36,7 +38,7 @@ ip dhcp pool LAN-1-POOL-DHCP
|
|||
When configuring a Layer 3 interface as a relay port for DHCP request for a subnet. Set the ip helper command on the interface with one \textit{or} more ip addresses.
|
||||
|
||||
\begin{txt}
|
||||
interface GigabitEthernet 0/3
|
||||
interface GigabitEthernet 0/3
|
||||
ip helper-address 192.168.220.220
|
||||
ip helper-address 192.168.222.222
|
||||
\end{txt}
|
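--- /dev/null
+++ b/chapter/fhrp.tex
@@ -0,0 +1,7 @@
+\chapter{FHRP}
+
+\section{VRRP}
+
+\section{GLBP}
+
+\section{HSRP}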
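--- /dev/null
+++ b/chapter/internet.tex
@@ -0,0 +1,11 @@
+\chapter{The Internet {\footnotesize "Post cold-war modern times"}}
+
+\section{Service Providers}
+
+\section{IXP}
+
+\section{MPLS}
+
+\section{BGP}
+
+\section{EVPN}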
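Review bot: The chapter title `\chapter{The Internet {\footnotesize "Post cold-war modern times"}}` puts a font-size switch and straight ASCII quotes into a moving argument, so the table of contents, the running head and any hyperref bookmark inherit the size change and the wrong quote glyphs. Giving the chapter a short title and using LaTeX quotes keeps the subtitle out of those places: `\chapter[The Internet]{The Internet {\footnotesize ``Post cold-war modern times''}}`. The same line is carried over from the removed main.tex body, so this is pre-existing rather than introduced here, but the new file is the natural place to fix it.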
|
@ -1,3 +1,5 @@
|
|||
\chapter{L2 to L3}
|
||||
|
||||
\section{Vlan-to-vlan routing}
|
||||
|
||||
\myquote{}{Guidance and Understanding of the art of Layer 3 networks. Routing between different slash 24\tsq{s}.\\ \textit{Aka. Inter-vlan routing.}}
|
||||
|
@ -26,11 +28,11 @@ There are different ways to go \tsq{bout} Inter-vlan routing and doing it.
|
|||
\subsubsection{Routed interfaces}
|
||||
|
||||
\begin{txt}
|
||||
interface GigabitEthernet 0/1.10
|
||||
interface GigabitEthernet 0/1.10
|
||||
encapsulation dot1q 10
|
||||
ip address 192.168.0.1 255.255.255.128
|
||||
!
|
||||
interface GigabitEthernet 0/1.20
|
||||
!
|
||||
interface GigabitEthernet 0/1.20
|
||||
encapsulation dot1q 20
|
||||
ip address 192.168.0.129 255.255.255.128
|
||||
\end{txt}
|
||||
|
@ -38,17 +40,17 @@ interface GigabitEthernet 0/1.20
|
|||
\subsubsection{Switches interfaces}
|
||||
|
||||
\begin{txt}
|
||||
Vlan10
|
||||
Vlan10
|
||||
name VLAN10
|
||||
Vlan20
|
||||
Vlan20
|
||||
name VLAN20
|
||||
!
|
||||
interface Vlan10
|
||||
!
|
||||
interface Vlan10
|
||||
ip address 192.168.1.1 255.255.255.128
|
||||
interface Vlan20
|
||||
interface Vlan20
|
||||
ip address 192.168.1.129 255.255.255.128
|
||||
!
|
||||
interface GigabitEthernet 0/2
|
||||
!
|
||||
interface GigabitEthernet 0/2
|
||||
switchport mode trunk
|
||||
switchport trunk encapsulation dot1q
|
||||
switchport trunk allowed vlan 10,20
|
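--- /dev/null
+++ b/chapter/layer2.tex
@@ -0,0 +1,7 @@
+\chapter{Layer 2}
+
+\input{layer2/switchednetwork}
+
+\newpage
+
+\input{layer2/spanningtree}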
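Review bot: `\input{layer2/switchednetwork}` is resolved relative to the directory main.tex is compiled from, not relative to chapter/layer2.tex, so unless the section files were moved to a top-level `layer2/` directory this input will not be found; the same applies to `\input{layer2/spanningtree}` here and to `\input{layer3/routednetwork}` in chapter/layer3.tex. The removed main.tex lines used `\input{chapter/section/switchednetwork}`, so the intended path is presumably `\input{chapter/layer2/switchednetwork}` -- worth confirming against where the moved files actually ended up, since the commit does not show them. The bare `\newpage` between the two inputs is a layout decision sitting in the chapter skeleton; if a page break before the spanning-tree material is wanted, placing it at the top of that section file keeps the skeleton purely structural.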
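--- /dev/null
+++ b/chapter/layer3.tex
@@ -0,0 +1,3 @@
+\chapter{Layer 3}
+
+\input{layer3/routednetwork}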
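--- /dev/null
+++ b/chapter/mgmt.tex
@@ -0,0 +1,14 @@
+\chapter{Management}
+
+\section{Network management}
+
+\subsection{Routers}
+
+\subsection{Switches}
+
+\subsection{Firewall}
+
+\section{Out-of-band management}
+
+\subsection{Console server}
+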
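--- /dev/null
+++ b/chapter/networkmgmt.tex
@@ -0,0 +1,120 @@
+\chapter{Triple A\tsq{s}}
+
+\myquote{}{Remember to log the details, too.}
+
+\xkcd{latitude}{Remember logging when necessary}
+
+\newpage
+
+\begin{itemize}
+\item \textbf{Authentication:}
+\begin{enumerate}
+\item Identify the user,
+\item Validate the user,
+\item Allow/Disallow user based upon credentials.
+\end{enumerate}
+\item \textbf{Authorization:}
+\begin{enumerate}
+\item Have defined levels of allowed operations/tasks divided into groups,
+\item Validate user-to-groups relations,
+\item Allow/Disallow user actions.
+\item On network gear the Allow/Disallowed actions can be stored on either the central \gls{aaa} server or locally\footnote{May not apply to all network gear} in the network node.
+\end{enumerate}
+\item \textbf{Accounting:}
+\begin{enumerate}
+\item Network nodes collect user and session information from start to end when connecting to a node,
+\item All information is transferred back to \gls{aaa} server,
+\item Transferred info can be leveraged for several purposes. Typically logged info is:
+\begin{itemize}
+\item session duration,
+\item user commands,
+\item disallowed commands
+\end{itemize}
+\end{enumerate}
+\end{itemize}
+
+\bigskip
+
+\textbf{Obvious} benefits by using the \gls{aaa} is scalability, increased flexibility and granularity of assigned rights, standardization, having failover by using multiple triple a\tsq{s} server\footnote{Cisco devices uses the descending order in which \gls{aaa} servers are configured on the node}.
+
+\newpage
+
+\begin{table}[!ht]
+\centering
+\caption{Tacacs+ vs. Radius}
+\label{radiusversustacacsplus}
+\resizebox{\columnwidth}{!}{%
+\begin{tabular}{|l|l|l|l|l|}
+\hline
+\multicolumn{1}{|c|}{\textbf{Feature}} & \multicolumn{1}{c|}{\textbf{RADIUS}} & \multicolumn{1}{c|}{\textbf{TACACS+}} \\ \hline
+Developer & \begin{tabular}[c]{@{}l@{}}Livington Enterprise\\ (now industry standard)\end{tabular} & \begin{tabular}[c]{@{}l@{}}Cisco\\ (proprietary)\end{tabular} \\ \hline
+Transport protocol & UDP ports 1812-1813 & TCP port 49 \\ \hline
+\gls{aaa} support & \begin{tabular}[c]{@{}l@{}}Combines authentication\\ and authorization and \\ separate accounting\end{tabular} & \begin{tabular}[c]{@{}l@{}}Uses the \gls{aaa}\\ model and sep-\\ arates all three\\ services\end{tabular} \\ \hline
+Challange response & \begin{tabular}[c]{@{}l@{}}One-way, unidirectional\\ (single challenge response)\end{tabular} & \begin{tabular}[c]{@{}l@{}}Two-way, bidirec-\\ tional (multiple\\ challenge responses)\end{tabular} \\ \hline
+Security & \begin{tabular}[c]{@{}l@{}}Encrypts only the password\\ in the packet\end{tabular} & \begin{tabular}[c]{@{}l@{}}Encrypt the entire\\ packet body\end{tabular} \\ \hline
+\end{tabular}%
+}
+\end{table}
+
+\newpage
+
+\section{RADIUS}
+
+\fig{radius/radiuscommunication}{radiuscommunication}{Radius handshake and communication}
+
+\begin{txt}
+radius server DK-RADIUS-SERVER
+address ipv4 radiusserver.example.com auth-port 1812 acct-port 1813
+key unkn0wn!unic@st.|.
+!
+aaa new-model
+aaa group server RADIUS
+server name DK-RADIUS-SERVER
+!
+aaa authentication login radius_list group RADIUS local
+!
+line vty 0-4
+login authentication radius_list
+line vty 5-15
+login authentication radius_list
+\end{txt}
+
+\newpage
+
+\section{TACACS+}
+
+\fig{tacacsplus/tacacspluscommunication}{tacacspluscommunication}{Tacacs plus handshake and communication}
+
+\begin{txt}
+aaa group server tacacs+ TACACS
+server-private 1.1.1.1 unkn0wn!unicAst
+ip tacacs source-interface Loopback0
+!
+aaa authentication attempts login 1
+aaa authentication login default group TACACS local-case
+aaa authentication login console local-case
+aaa authentication enable default group TACACS enable
+aaa authorization exec default group TACACS local
+aaa authorization commands 0 default group TACACS local
+aaa authorization commands 15 default group TACACS local
+aaa accounting exec default
+action-type start-stop
+group tacacs+
+!
+aaa accounting commands 1 default
+action-type start-stop
+group tacacs+
+!
+aaa accounting commands 2 default
+action-type start-stop
+group tacacs+
+!
+aaa accounting commands 15 default
+action-type start-stop
+group tacacs+
+!
+aaa session-id common
+!
+tacacs-server host 10.21.0.45
+tacacs-server unkn0wn!unicAst
+\end{txt}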
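Review bot: The RADIUS and TACACS+ listings carry literal shared secrets (`key unkn0wn!unic@st.|.`, `server-private 1.1.1.1 unkn0wn!unicAst`, `tacacs-server unkn0wn!unicAst`); even in lab notes these read as copy-paste values, so a marked placeholder such as `<RADIUS-SHARED-SECRET>` is the safer form, and `1.1.1.1` is a public resolver address rather than a documentation address. Several of those lines are also not valid IOS syntax as written: both `server-private` and the global `tacacs-server` need the `key` keyword before the secret, and `line vty 0-4` / `line vty 5-15` should be `line vty 0 4` / `line vty 5 15`. The global `tacacs-server host` / `tacacs-server key` pair duplicates the server already declared with `server-private` inside the group and can be dropped. In the table's Security row, "Encrypts" overstates both protocols: RADIUS only obfuscates the User-Password attribute and TACACS+ obfuscates the packet body, each with an MD5-derived keystream, so "obfuscates" is the accurate verb and neither should be relied on for confidentiality without a protected transport.
```latex
\begin{txt}
radius server DK-RADIUS-SERVER
address ipv4 radiusserver.example.com auth-port 1812 acct-port 1813
key <RADIUS-SHARED-SECRET>
% … unchanged: aaa new-model, server group and login list …
line vty 0 4
login authentication radius_list
line vty 5 15
login authentication radius_list
\end{txt}
% … unchanged: TACACS+ section heading and figure …
\begin{txt}
aaa group server tacacs+ TACACS
server-private <TACACS-SERVER-IP> key <TACACS-SHARED-SECRET>
ip tacacs source-interface Loopback0
% … unchanged: authentication, authorization and accounting lines …
aaa session-id common
\end{txt}
```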
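--- /dev/null
+++ b/chapter/ntp.tex
@@ -0,0 +1,6 @@
+\chapter{Network Time Protocol}
+
+\section{The old NTP from \tsq{85}}
+
+\section{Secure NTP}
+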
201
main.tex
201
main.tex
|
@ -27,208 +27,25 @@
|
|||
% %
|
||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||
|
||||
% <!-- CONFIGURATION EXAMPLES -->
|
||||
|
||||
\include{chapter/baseconf}
|
||||
|
||||
% <!-- LAYER 2 -->
|
||||
\include{chapter/layer2}
|
||||
|
||||
\chapter{Layer 2}
|
||||
\include{chapter/l2tol3}
|
||||
|
||||
\input{chapter/section/switchednetwork}
|
||||
\include{chapter/layer3}
|
||||
|
||||
\newpage
|
||||
\include{chapter/dhcp}
|
||||
|
||||
\input{chapter/section/spanningtree}
|
||||
\include{chapter/fhrp}
|
||||
|
||||
% <!-- INTERVLAN -->
|
||||
\include{chapter/networkmgmt}
|
||||
|
||||
\chapter{L2 to L3}
|
||||
\include{chapter/ntp}
|
||||
|
||||
\input{chapter/section/intervlanrouting}
|
||||
\include{chapter/mgmt}
|
||||
|
||||
% <!-- DHCP -->
|
||||
|
||||
\chapter{DHCP}
|
||||
|
||||
\input{chapter/section/dhcp}
|
||||
|
||||
% <!-- VRRP, GLBP, HSRP -->
|
||||
|
||||
\chapter{FHRP}
|
||||
|
||||
\section{VRRP}
|
||||
|
||||
\section{GLBP}
|
||||
|
||||
\section{HSRP}
|
||||
|
||||
% <!-- ACCOUNTING AND LOGINS, RADIUS, TACACS+ -->
|
||||
|
||||
\chapter{Triple A\tsq{s}}
|
||||
|
||||
\myquote{}{Remember to log the details, too.}
|
||||
|
||||
\xkcd{latitude}{Remember logging when necessary}
|
||||
|
||||
\newpage
|
||||
|
||||
\begin{itemize}
|
||||
\item \textbf{Authentication:}
|
||||
\begin{enumerate}
|
||||
\item Identify the user,
|
||||
\item Validate the user,
|
||||
\item Allow/Disallow user based upon credentials.
|
||||
\end{enumerate}
|
||||
\item \textbf{Authorization:}
|
||||
\begin{enumerate}
|
||||
\item Have defined levels of allowed operations/tasks divided into groups,
|
||||
\item Validate user-to-groups relations,
|
||||
\item Allow/Disallow user actions.
|
||||
\item On network gear the Allow/Disallowed actions can be stored on either the central \gls{aaa} server or locally\footnote{May not apply to all network gear} in the network node.
|
||||
\end{enumerate}
|
||||
\item \textbf{Accounting:}
|
||||
\begin{enumerate}
|
||||
\item Network nodes collect user and session information from start to end when connecting to a node,
|
||||
\item All information is transferred back to \gls{aaa} server,
|
||||
\item Transferred info can be leveraged for several purposes. Typically logged info is:
|
||||
\begin{itemize}
|
||||
\item session duration,
|
||||
\item user commands,
|
||||
\item disallowed commands
|
||||
\end{itemize}
|
||||
\end{enumerate}
|
||||
\end{itemize}
|
||||
|
||||
\bigskip
|
||||
|
||||
\textbf{Obvious} benefits by using the \gls{aaa} is scalability, increased flexibility and granularity of assigned rights, standardization, having failover by using multiple triple a\tsq{s} server\footnote{Cisco devices uses the descending order in which \gls{aaa} servers are configured on the node}.
|
||||
|
||||
\newpage
|
||||
|
||||
\begin{table}[!ht]
|
||||
\centering
|
||||
\caption{Tacacs+ vs. Radius}
|
||||
\label{radiusversustacacsplus}
|
||||
\resizebox{\columnwidth}{!}{%
|
||||
\begin{tabular}{|l|l|l|l|l|}
|
||||
\hline
|
||||
\multicolumn{1}{|c|}{\textbf{Feature}} & \multicolumn{1}{c|}{\textbf{RADIUS}} & \multicolumn{1}{c|}{\textbf{TACACS+}} \\ \hline
|
||||
Developer & \begin{tabular}[c]{@{}l@{}}Livington Enterprise\\ (now industry standard)\end{tabular} & \begin{tabular}[c]{@{}l@{}}Cisco\\ (proprietary)\end{tabular} \\ \hline
|
||||
Transport protocol & UDP ports 1812-1813 & TCP port 49 \\ \hline
|
||||
\gls{aaa} support & \begin{tabular}[c]{@{}l@{}}Combines authentication\\ and authorization and \\ separate accounting\end{tabular} & \begin{tabular}[c]{@{}l@{}}Uses the \gls{aaa}\\ model and sep-\\ arates all three\\ services\end{tabular} \\ \hline
|
||||
Challange response & \begin{tabular}[c]{@{}l@{}}One-way, unidirectional\\ (single challenge response)\end{tabular} & \begin{tabular}[c]{@{}l@{}}Two-way, bidirec-\\ tional (multiple\\ challenge responses)\end{tabular} \\ \hline
|
||||
Security & \begin{tabular}[c]{@{}l@{}}Encrypts only the password\\ in the packet\end{tabular} & \begin{tabular}[c]{@{}l@{}}Encrypt the entire\\ packet body\end{tabular} \\ \hline
|
||||
\end{tabular}%
|
||||
}
|
||||
\end{table}
|
||||
|
||||
\newpage
|
||||
|
||||
\section{RADIUS}
|
||||
|
||||
\fig{radius/radiuscommunication}{radiuscommunication}{Radius handshake and communication}
|
||||
|
||||
\begin{txt}
|
||||
radius server DK-RADIUS-SERVER
|
||||
address ipv4 radiusserver.example.com auth-port 1812 acct-port 1813
|
||||
key unkn0wn!unic@st.|.
|
||||
!
|
||||
aaa new-model
|
||||
aaa group server RADIUS
|
||||
server name DK-RADIUS-SERVER
|
||||
!
|
||||
aaa authentication login radius_list group RADIUS local
|
||||
!
|
||||
line vty 0-4
|
||||
login authentication radius_list
|
||||
line vty 5-15
|
||||
login authentication radius_list
|
||||
\end{txt}
|
||||
|
||||
\newpage
|
||||
|
||||
\section{TACACS+}
|
||||
|
||||
\fig{tacacsplus/tacacspluscommunication}{tacacspluscommunication}{Tacacs plus handshake and communication}
|
||||
|
||||
\begin{txt}
|
||||
aaa group server tacacs+ TACACS
|
||||
server-private 1.1.1.1 unkn0wn!unicAst
|
||||
ip tacacs source-interface Loopback0
|
||||
!
|
||||
aaa authentication attempts login 1
|
||||
aaa authentication login default group TACACS local-case
|
||||
aaa authentication login console local-case
|
||||
aaa authentication enable default group TACACS enable
|
||||
aaa authorization exec default group TACACS local
|
||||
aaa authorization commands 0 default group TACACS local
|
||||
aaa authorization commands 15 default group TACACS local
|
||||
aaa accounting exec default
|
||||
action-type start-stop
|
||||
group tacacs+
|
||||
!
|
||||
aaa accounting commands 1 default
|
||||
action-type start-stop
|
||||
group tacacs+
|
||||
!
|
||||
aaa accounting commands 2 default
|
||||
action-type start-stop
|
||||
group tacacs+
|
||||
!
|
||||
aaa accounting commands 15 default
|
||||
action-type start-stop
|
||||
group tacacs+
|
||||
!
|
||||
aaa session-id common
|
||||
!
|
||||
tacacs-server host 10.21.0.45
|
||||
tacacs-server unkn0wn!unicAst
|
||||
\end{txt}
|
||||
|
||||
% <!-- NTP -->
|
||||
|
||||
\chapter{Network Time Protocol}
|
||||
|
||||
\section{The old NTP from \tsq{85}}
|
||||
|
||||
\section{Secure NTP}
|
||||
|
||||
% <!-- NETWORK MANAGEMENT -->
|
||||
|
||||
\chapter{Managemnt}
|
||||
|
||||
\section{Network management}
|
||||
|
||||
\subsection{Routers}
|
||||
|
||||
\subsection{Switches}
|
||||
|
||||
\subsection{Firewall}
|
||||
|
||||
\section{Out-of-band management}
|
||||
|
||||
\subsection{Console server}
|
||||
|
||||
% <!-- LAYER 3 STUFF -->
|
||||
|
||||
\chapter{Protocols Layer 3}
|
||||
|
||||
\input{chapter/section/routednetwork}
|
||||
|
||||
% <!-- DESCRIBE THE INTERNET -->
|
||||
|
||||
\chapter{The Internet {\footnotesize "Post cold-war modern times"}}
|
||||
|
||||
\section{Service Providers}
|
||||
|
||||
\section{IXP}
|
||||
|
||||
\section{MPLS}
|
||||
|
||||
\section{BGP}
|
||||
|
||||
\section{EVPN}
|
||||
\include{chapter/internet}
|
||||
|
||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||
% %
|
||||
|
|
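Review bot: `\include{chapter/networkmgmt}` pulls in the file that now holds the Triple A chapter, while `\include{chapter/mgmt}` holds the "Network management" chapter; the two names invite confusion, and a maintainer looking for the AAA material would reasonably open mgmt.tex first. Renaming `chapter/networkmgmt.tex` to something like `chapter/aaa.tex` and updating the include to match would make the skeleton self-describing. It is also not clear from this rendering whether the `% <!-- ... -->` markers that labelled each chapter in the old body survive on the new side; if they were dropped, a one-line comment above each `\include` would preserve that signposting at almost no cost.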