1
0
Fork 0
mirror of https://gitlab.com/netravnen/NetworkLabNotes.git synced 2024-11-23 19:17:54 +00:00
NetworkLabNotes/chapter/mgmt.tex
2017-06-06 06:45:10 +02:00

431 lines
17 KiB
TeX

\chapter{Campus Network}
\section{Discover Nodes}
Protocols to do link discovery on the network between nodes is commonly used
\begin{itemize}
\item incorporated in many \gls{nms} tools to support it's underling functionally like alerts triggering and monitoring,
\item when the ops people do debugging on the \gls{cli},
\item doing network discovery to find "what am I connected to ?"
\end{itemize}
Information by the protocols is only sent and processed locally. Information transmitted is not send beyond the local \gls{l2} link.
\newpage
\subsection[LLDP]{Link Layer Discovery Protocol}
\myquote{\citealt{wiki:Link_Layer_Discovery_Protocol}}{The Link Layer Discovery Protocol (LLDP) is a vendor-neutral link layer protocol in the Internet Protocol Suite used by network devices for advertising their identity, capabilities, and neighbours on an IEEE 802 local area network, principally wired Ethernet.[1] The protocol is formally referred to by the IEEE as Station and Media Access Control Connectivity Discovery specified in IEEE 802.1AB[2] and IEEE 802.3-2012 section 6 clause 79.}
\gls{lldp} carries information about
\begin{enumerate}
\item System name,
\item System description,
\item Port name,
\item Port description,
\item \gls{vlan} name,
\item \gls{ip} mgmt addr,
\item System capabilities\footnote{Support for fx. switching, routing etc.},
\item \gls{mac}/PHY info,
\item MDI\footnote{MDI refers to modes in PoE} power,
\item Link aggregation.
\end{enumerate}
\gls{lldp} has the advantage over \gls{cdp} of being more customizable in regards to the use of \gls{tlv}s. \textbf{However} it has the drawback of not being as lightweight as \gls{cdp}.
\begin{itemize}
\item \itemtitle{Worth to remember}{about \gls{lldp} is the following}
\begin{itemize}
\item is unidirectional,
\item operates in advertising mode only,
\item does not try to obtain information from other nodes,
\item does not monitor link state changes between nodes,
\item uses \gls{l2} multicast to notify others of neighbouring nodes of its presence and properties,
\item will record \textit{all} obtained information from received \gls{lldp} frames.
\end{itemize}
\item \itemtitle{Frames}{Multicast addresses --- One of the following is used.\\Note the \textit{01} signifies a \gls{l2} multicast \gls{dst} address.}
\begin{enumerate}
\item 01:80:c2:00:00:0e,
\item 01:80:c2:00:00:03,
\item 01:80:c2:00:00:00.
\end{enumerate}
\item \itemtitle{Commonly exchanged information}{List includes both mandatory and optional fields.}
\begin{enumerate}
\item System name,
\item System description,
\item Port name,
\item Port description,
\item \gls{vlan} name,
\item \gls{ip} mgmt addr,
\item System capabilities\footnote{Support for fx. switching, routing etc.},
\item MDI\footnote{MDI refers to modes in PoE} power,
\item Link aggregation.
\end{enumerate}
\item \itemtitle{Timers}{Default timers for \gls{lldp} on Cisco equipment}
\begin{enumerate}
\item hello packet sent once per ½ minute.
\item hold timer is 2 minutes.
\end{enumerate}
\end{itemize}
\subsubsection*{Configuration Example}
\begin{cisco}
! Enable lldp. Beware lldp is enabled by default
! on select cisco platforms.
lldp run
!
! Ensure lldp is enables on select ports
interface range gi0/1-2
lldp transmit
lldp recieve
!
! Disable sending lldp packets on ports facing downstream
! to clients/workstations. But keep recieving lldp packets enabled
! so we can allways use the information for troubleshooting purpose.
interface range fa0/1-24
no lldp transmit
lldp recieve
\end{cisco}
\newpage
\subsection[CDP]{Cisco Discovery Protocol}
\myquote{\citealt{wiki:Cisco_Discovery_Protocol}}{Cisco Discovery Protocol (CDP) is a proprietary Data Link Layer protocol developed by Cisco Systems. It is used to share information about other directly connected Cisco equipment, such as the operating system version and IP address. CDP can also be used for On-Demand Routing, which is a method of including routing information in CDP announcements so that dynamic routing protocols do not need to be used in simple networks.}
\gls{cdp} functions my sending frame out the wire of all connected interfaces by default
\begin{itemize}
\item Sends frames to multicast addr 01-00-0c-cc-cc-cc\footnote{This multicast address is also used by cisco for \gls{vtp} messages},
\item by default a frame is shot out every 1 minute\footnote{The timer is adjusted in per x second},
\item no security is built-in by default so spoofing \gls{cdp} packets is not hard if the net ops people have forgotten to basic hardening
\begin{enumerate}
\item Taking up resources by filling up tables with invalid \gls{cdp} entries\cite{wiki:CDP_Spoofing} is possible,
\item can be prevented by fx. disabling \gls{cdp} on ports where is it unnecessary to have it enabled. Say client access ports,
\item precaution can be taken by only allowing \gls{cdp} packets on trusted network ports.
\end{enumerate}
\end{itemize}
\subsubsection*{Configuration Example}
\begin{cisco}
! Enable CDP globally
cdp run
!
! Ensure cdp is enables on select ports
interface range gi0/1-2
cdp enable
!
! Disable CDP on ports facing downstream to clients/workstations
interface range fa0/1-24
no cdp enable
\end{cisco}
\section{Failure Detection}
\subsection[UDLD]{Unidirectional Link Detection}
\gls{udld} at work does the detection of the link is forwarding traffic in both directions. This is important when operating with Fiberoptic links\footnote{Normal Ethernet links is not as susceptible running traffic in only one direction}. Fiberoptic links has the potential for
\begin{enumerate}
\item bent and damages cables,
\item damaged connectors,
\item damaged ports,
\item impurities between connector and port.
\end{enumerate}
\fig{udld/malfunction}{udldmalfunction}{UDLD not working ?}
Other things can go wrong, too. Such as
\begin{itemize}
\item hardware failures,
\item software defects,
\item abnormal interface converter \textit{behaviour},
\item abnormal interface converter \textit{failure},
\item cabling done wrong,
\item inline sniffer/tap \textit{gone wrong},
\item inline sniffer/tap \textit{misconfigured}
\end{itemize}
\section[SPAN]{Switch Port Analyzer}
\subsection[RSPAN]{Remote Switch Port Analyzer}
\subsection[ERSPAN]{Encapsulated Remote Switch Port Analyzer}
\chapter[Network Mgmt]{Network Management}
\section[AAA]{Triple A\tsq{s}}
\myquote{}{Remember to log the details, too.}
\xkcd{latitude}{Remember logging when necessary}
\newpage
\begin{itemize}
\item \textbf{Authentication:}
\begin{enumerate}
\item Identify the user,
\item Validate the user,
\item Allow/Disallow user based upon credentials.
\end{enumerate}
\item \textbf{Authorization:}
\begin{enumerate}
\item Have defined levels of allowed operations/tasks divided into groups,
\item Validate user-to-groups relations,
\item Allow/Disallow user actions.
\item On network gear the Allow/Disallowed actions can be stored on either the central \gls{aaa} server or locally\footnote{May not apply to all network gear} in the network node.
\end{enumerate}
\item \textbf{Accounting:}
\begin{enumerate}
\item Network nodes collect user and session information from start to end when connecting to a node,
\item All information is transferred back to \gls{aaa} server,
\item Transferred info can be leveraged for several purposes. Typically logged info is:
\begin{itemize}
\item session duration,
\item user commands,
\item disallowed commands
\end{itemize}
\end{enumerate}
\end{itemize}
\bigskip
\textbf{Obvious} benefits by using the \gls{aaa} is scalability, increased flexibility and granularity of assigned rights, standardization, having failover by using multiple triple a\tsq{s} server\footnote{Cisco devices uses the descending order in which \gls{aaa} servers are configured on the node}.
\newpage
\begin{table}[!ht]
\centering
\caption{Tacacs+ vs. Radius}
\label{radiusversustacacsplus}
\resizebox{\columnwidth}{!}{%
\begin{tabular}{|l|l|l|l|l|}
\hline
\multicolumn{1}{|c|}{\textbf{Feature}} & \multicolumn{1}{c|}{\textbf{RADIUS}} & \multicolumn{1}{c|}{\textbf{TACACS+}} \\ \hline
Developer & \begin{tabular}[c]{@{}l@{}}Livington Enterprise\\ (now industry standard)\end{tabular} & \begin{tabular}[c]{@{}l@{}}Cisco\\ (proprietary)\end{tabular} \\ \hline
Transport protocol & UDP ports 1812-1813 & TCP port 49 \\ \hline
\gls{aaa} support & \begin{tabular}[c]{@{}l@{}}Combines authentication\\ and authorization and \\ separate accounting\end{tabular} & \begin{tabular}[c]{@{}l@{}}Uses the \gls{aaa}\\ model and sep-\\ arates all three\\ services\end{tabular} \\ \hline
Challange response & \begin{tabular}[c]{@{}l@{}}One-way, unidirectional\\ (single challenge response)\end{tabular} & \begin{tabular}[c]{@{}l@{}}Two-way, bidirec-\\ tional (multiple\\ challenge responses)\end{tabular} \\ \hline
Security & \begin{tabular}[c]{@{}l@{}}Encrypts only the password\\ in the packet\end{tabular} & \begin{tabular}[c]{@{}l@{}}Encrypt the entire\\ packet body\end{tabular} \\ \hline
\end{tabular}%
}
\end{table}
\newpage
\section{RADIUS}
\fig{radius/radiuscommunication}{radiuscommunication}{Radius handshake and communication}
\begin{txt}
radius server DK-RADIUS-SERVER
address ipv4 radiusserver.example.com auth-port 1812 acct-port 1813
key unkn0wn!unic@st.|.
!
aaa new-model
aaa group server RADIUS
server name DK-RADIUS-SERVER
!
aaa authentication login radius_list group RADIUS local
!
line vty 0-4
login authentication radius_list
line vty 5-15
login authentication radius_list
\end{txt}
\newpage
\section{TACACS+}
\fig{tacacsplus/tacacspluscommunication}{tacacspluscommunication}{Tacacs plus handshake and communication}
\begin{txt}
aaa group server tacacs+ TACACS
server-private 1.1.1.1 unkn0wn!unicAst
ip tacacs source-interface Loopback0
!
aaa authentication attempts login 1
aaa authentication login default group TACACS local-case
aaa authentication login console local-case
aaa authentication enable default group TACACS enable
aaa authorization exec default group TACACS local
aaa authorization commands 0 default group TACACS local
aaa authorization commands 15 default group TACACS local
aaa accounting exec default
action-type start-stop
group tacacs+
!
aaa accounting commands 1 default
action-type start-stop
group tacacs+
!
aaa accounting commands 2 default
action-type start-stop
group tacacs+
!
aaa accounting commands 15 default
action-type start-stop
group tacacs+
!
aaa session-id common
!
tacacs-server host 10.21.0.45
tacacs-server unkn0wn!unicAst
\end{txt}
\section{802.1X}
802.1X deviates from standard \gls{aaa} used in network management by also providing support for:
\begin{itemize}
\item user mobility and
\item user access control by way of governing policies.
\end{itemize}
\fig{8021x/8021x}{8021x}{ID Management}
Based upon the user connecting to the network. They can be given access to
\begin{itemize}
\item the resources their group/identity have been assigned or
\item put into a guest \gls{vlan} if nothing is assigned to them or
\item simply block the client/user altogether.
\end{itemize}
Cisco switches allow by default only the following 3 protos until the client is authenticated: \gls{eapol}, \gls{cdp}, \gls{stp} traffic to pass.
\begin{itemize}
\item The \textbf{authenticator\footnote{Network node}} is the edge node/\gls{ap} closest to the client/user. This node controls the clients physical access to the network. The node sends encapsulated \gls{eap} frames to the authentication server by radius for validation.
\item The \textbf{authentication server}
\end{itemize}
\fig{8021X/portauth}{portauth}{802.1X Port Auth}
802.1X can be enabled on a Cisco switch globally by \cliline{dot1x system-auth-control} and \textit{then} enabled on the switch port{\footnotesize (s)} by \cliline{aaa authentication dot1x}.
\clearpage
\subsection*{Enable with Cisco config}
\begin{txt}
aaa new-model
radius server host radiusserver.example.com key .unkown!unicAst.
aaa group server radius RADIUS-SERVER-DK
server radiusserver.example.com
aaa authetication dot1x default group RADIUS-SERVER-DK
dot1x system-auth-control
interface GigabitEthernet 0/4
switchport mode access ! Port must be an access port prior
dot1x port-control auto ! to enable dot1x on the port
\end{txt}
\section[SNMP]{Simple Network Management Protocol}
\gls{snmp} is used heavily to monitor the status of network nodes all round with a high level of granularity. \textit{Plus} the option to use traps\footnote{\gls{snmp} event triggered by the network node} for instant communication \tsq{bout} current event/events happing on the node.\cite{wiki:Simple_Network_Management_Protocol}
\fig{snmp/snmphandshake}{snmphandshake}{\gls{snmp} handshake}
\begin{itemize}
\item \itemhead{v1}
\begin{itemize}
\item \itemhead[]{Message Types}
\begin{enumerate}
\item Get Request,
\item Get Next Request,
\item Set Request,
\item Get Response, and
\item Trap.
\end{enumerate}
\item \textit{Rarely} used these days!
\end{itemize}
\newpage %do column break
\item \itemhead{v2}
\begin{itemize}
\item \itemhead[]{Message Types}
\begin{enumerate}
\item Get Request,
\item Get Next Request,
\item Set Request,
\item Get Response,
\item Trap,
\item \textit{Get Bulk Request}\footnote{To pull data from a network node in bulk}, and
\item \textit{Inform Request}\footnote{\gls{snmp} trap message added with a requirement for an acknowledgement returned back to the network node}.
\end{enumerate}
\item \gls{snmp}v2 added \textit{in addition} to 2 extra message types also a complex new security model. This was never widely accepted which is why we have \gls{snmp}v2c existing and considered the \textit{de-facto} \gls{snmp}v2 standard.
\end{itemize}
\item \itemhead{v2c}
\begin{itemize}
\item \gls{snmp}v2c switched from the complex security model \gls{snmp}v2 used to using \texttt{community strings}. This posses a lot of inherent security risks because (amongst other) of the low level Authentication used when polling data from \gls{snmp} agents. Because of this Cisco recommends when using \gls{snmp}v2c to only enable the protocol for data polling from \gls{snmp} agents.
\item \textbf{Never} use v2c to push configuration changes to \gls{snmp} agents because the security level is just not up to standard to provide the necessary security level at all.
\end{itemize}
\item \itemhead{v3}
\begin{itemize}
\item Is the recommended version to run if your aren\tsq{t} forced use fx v2c for some weird legacy reason,
\item \texttt{best in class} regarding modern security principals
\end{itemize}
\end{itemize}
\fig[http://ccieordie.com/tag/6-1b/]{snmp/snmpcomparison2}{snmpcomparison2}{\gls{snmp} comparison}
\begin{cisco}
! Block SNMP access to all but the loghost
access-list 20 remark SNMP ACL
access-list 20 permit 10.0.10.211
access-list 20 permit 192.0.2.0 0.0.0.127
access-list 20 deny any log
!
! SNMP is VERY important, particularly with MRTG.
! For SNMP version 3
snmp-server view OPS sysUpTime included
snmp-server view OPS ifDescr included
snmp-server view OPS ifAdminStatus included
snmp-server view OPS ifOperStatus included
!
snmp-server view V3Read iso included
snmp-server view V3Write iso included
!
snmp-server enable traps
!
snmp-server group OpGroup v3 auth read OPS
snmp-server group V3Group v3 auth read V3Read write V3Write
!
snmp-server user OpersU OpGroup v3 auth sha Scrtpwd2200 priv aes256 Scrtpwd2220
snmp-server user V3User V3Group v3 auth sha MyPassword1 priv aes256 MyPassword2
!
snmp-server host 192.0.2.10 traps version 3 priv OpersU cpu port-security
snmp-server host 10.0.10.211 traps version 3 priv V3User cpu port-security
!
snmp-server ifindex persist
\end{cisco}
\subsection{Implementation Problems with SNMP}
\gls{snmp} on any platform is only as good as the software implementation was done by the equipment vendor. Some vendors of network equipment may not implement the same level of functionality in their \gls{snmp} agent as was done in the often proprietary \gls{cli} environment.\cite{wiki:Simple_Network_Management_Protocol}
\begin{itemize}
\item Under implemented features in \gls{snmp} compared to proprietary \gls{cli} environment,
\item badly done \gls{snmp} implementations can sometimes result in unnecessarily high resource utilization,
\item values of \textit{tabular} data formats\footnote{Fx \gls{ip} Routing Table} may not be returned in a consistent format when requesting data from equipment from different vendors,
\item metrics for fx resource utilization\footnote{Fx hdd usage} locally on a device is not always comparable\footnote{Different vendors may have chosen different methods for measuring resource utilization} across equipment from different vendors.
\end{itemize}
\section{Routers}
\section{Switches}
\section{Firewall}
\section[OOB Mgmt]{Out-of-Band Management}
\subsection{Console Server}
\begin{itemize}
\item OpenGEAR
\end{itemize}
\subsection[Remote Mgmt]{Remote Management}
\subsubsection{3G/4G}
\subsubsection{ADSL}