% Declare Document Class
|
|
\documentclass[a4paper,12pt,twoside,twocolumn,landscape]{book}
|
|
|
|
\include{structure} % Load structure cfg for document
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
% %
|
|
% BEGIN DOCUMENT %
|
|
% %
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
|
|
\begin{document}
|
|
|
|
\include{frontpage}
|
|
|
|
\tableofcontents
|
|
|
|
% Only applied after generation of TOC
|
|
\setlength{\parskip}{0.35em} % Define length between paragrahps
|
|
\renewcommand{\baselinestretch}{1.15} % Define lineheight
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
% %
|
|
% BEGIN chapters %
|
|
% %
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
|
|
% <!-- CONFIGURATION EXAMPLES -->
|
|
|
|
\include{chapter/baseconf}
|
|
|
|
% <!-- LAYER 2 -->
|
|
|
|
\chapter{Layer 2}
|
|
|
|
\input{chapter/section/switchednetwork}
|
|
|
|
\newpage
|
|
|
|
\input{chapter/section/spanningtree}
|
|
|
|
% <!-- INTERVLAN -->
|
|
|
|
\chapter{L2 to L3}
|
|
|
|
\input{chapter/section/intervlanrouting}
|
|
|
|
% <!-- DHCP -->
|
|
|
|
\chapter{DHCP}
|
|
|
|
\input{chapter/section/dhcp}
|
|
|
|
% <!-- VRRP, GLBP, HSRP -->
|
|
|
|
\chapter{FHRP}
|
|
|
|
\section{VRRP}
|
|
|
|
\section{GLBP}
|
|
|
|
\section{HSRP}
|
|
|
|
% <!-- ACCOUNTING AND LOGINS, RADIUS, TACACS+ -->
|
|
|
|
\chapter{Triple A\tsq{s}}
|
|
|
|
\myquote{}{Remember to log the details, too.}
|
|
|
|
\xkcd{latitude}{Remember logging when necessary}
|
|
|
|
\newpage
|
|
|
|
\begin{itemize}
|
|
\item \textbf{Authentication:}
|
|
\begin{enumerate}
|
|
\item Identify the user,
|
|
\item Validate the user,
|
|
\item Allow/Disallow user based upon credentials.
|
|
\end{enumerate}
|
|
\item \textbf{Authorization:}
|
|
\begin{enumerate}
|
|
\item Have defined levels of allowed operations/tasks divided into groups,
|
|
\item Validate user-to-groups relations,
|
|
\item Allow/Disallow user actions.
|
|
\item On network gear the Allow/Disallowed actions can be stored on either the central \acrshort{aaa} server or locally\footnote{May not apply to all network gear} in the network node.
|
|
\end{enumerate}
|
|
\item \textbf{Accounting:}
|
|
\begin{enumerate}
|
|
\item Network nodes collect user and session information from start to end when connecting to a node,
|
|
\item All information is transferred back to \acrshort{aaa} server,
|
|
\item Transferred info can be leveraged for several purposes. Typically logged info is:
|
|
\begin{itemize}
|
|
\item session duration,
|
|
\item user commands,
|
|
\item disallowed commands
|
|
\end{itemize}
|
|
\end{enumerate}
|
|
\end{itemize}
|
|
|
|
\bigskip
|
|
|
|
\textbf{Obvious} benefits of using \acrshort{aaa} are scalability, increased flexibility and granularity of assigned rights, standardization, and failover by using multiple \acrshort{aaa} servers\footnote{Cisco devices try the \acrshort{aaa} servers in the order in which they are configured on the node; the next server is only tried when the previous one does not answer. Likewise a \texttt{local} fallback in a method list is only used when every server is unreachable, not when a server rejects the credentials, so a rejected user cannot bypass the server by ``falling through'' to local accounts.}.
|
|
|
|
\newpage
|
|
|
|
\begin{table}[!ht]
|
|
\centering
|
|
\caption{Tacacs+ vs. Radius}
|
|
\label{radiusversustacacsplus}
|
|
\resizebox{\columnwidth}{!}{%
|
|
\begin{tabular}{|l|l|l|}
|
|
\hline
|
|
\multicolumn{1}{|c|}{\textbf{Feature}} & \multicolumn{1}{c|}{\textbf{RADIUS}} & \multicolumn{1}{c|}{\textbf{TACACS+}} \\ \hline
|
|
Developer & \begin{tabular}[c]{@{}l@{}}Livingston Enterprises\\ (now an IETF standard,\\ RFC~2865/2866)\end{tabular} & \begin{tabular}[c]{@{}l@{}}Cisco\\ (proprietary; documented\\ in RFC~8907)\end{tabular} \\ \hline
|
|
Transport protocol & \begin{tabular}[c]{@{}l@{}}UDP 1812 (auth) / 1813 (acct)\\ (legacy 1645/1646)\end{tabular} & TCP port 49 \\ \hline
|
|
\acrshort{aaa} support & \begin{tabular}[c]{@{}l@{}}Combines authentication\\ and authorization in one\\ exchange; accounting\\ is separate\end{tabular} & \begin{tabular}[c]{@{}l@{}}Uses the \acrshort{aaa}\\ model and sep-\\ arates all three\\ services\end{tabular} \\ \hline
|
|
Challenge response & \begin{tabular}[c]{@{}l@{}}One-way, unidirectional\\ (single challenge response)\end{tabular} & \begin{tabular}[c]{@{}l@{}}Two-way, bidirec-\\ tional (multiple\\ challenge responses)\end{tabular} \\ \hline
|
|
Security & \begin{tabular}[c]{@{}l@{}}Obfuscates only the\\ User-Password attribute\\ (MD5 + shared secret);\\ everything else is cleartext\end{tabular} & \begin{tabular}[c]{@{}l@{}}Obfuscates the entire\\ packet body (MD5 +\\ shared secret); the\\ header is cleartext\end{tabular} \\ \hline
|
|
\end{tabular}%
|
|
}
|
|
\end{table}

\textbf{Caveat:} the ``encryption'' in both protocols is an MD5 keystream XOR keyed by the shared secret, not modern authenticated encryption; a weak, short or reused secret exposes credentials to anyone who can capture the traffic. Run both over a protected transport (IPsec, or RADIUS over TLS/RadSec, RFC~6614) and use long, random, per-device shared secrets.
|
|
|
|
\newpage
|
|
|
|
\section{RADIUS}
|
|
|
|
\fig{radius/radiuscommunication}{radiuscommunication}{Radius handshake and communication}
|
|
|
|
\begin{txt}
|
|
radius server DK-RADIUS-SERVER
|
|
address ipv4 radiusserver.example.com auth-port 1812 acct-port 1813
|
|
key unkn0wn!unic@st.|.
! placeholder secret: never commit real shared secrets to notes or repositories;
! on IOS store keys as type 6 (key config-key password-encrypt + password encryption aes),
! not the reversible type 7 produced by service password-encryption
|
|
!
|
|
aaa new-model
|
|
aaa group server radius RADIUS
|
|
server name DK-RADIUS-SERVER
|
|
!
|
|
aaa authentication login radius_list group RADIUS local
! "local" is only tried when no server in group RADIUS answers; a RADIUS reject is final,
! so make sure a local account exists before locking the VTYs to this list
|
|
!
|
|
line vty 0 4
|
|
login authentication radius_list
|
|
line vty 5 15
|
|
login authentication radius_list
|
|
\end{txt}
|
|
|
|
\newpage
|
|
|
|
\section{TACACS+}
|
|
|
|
\fig{tacacsplus/tacacspluscommunication}{tacacspluscommunication}{Tacacs plus handshake and communication}
|
|
|
|
\begin{txt}
|
|
aaa group server tacacs+ TACACS
|
|
server-private 10.21.0.45 key unkn0wn!unicAst
! the "key" keyword is required before the secret; 1.1.1.1 (a public resolver) replaced
! with the internal host used by the global tacacs-server line, so a copy-pasted lab
! config never sends the shared secret to an address on the Internet
|
|
ip tacacs source-interface Loopback0
|
|
!
|
|
aaa authentication attempts login 1
|
|
aaa authentication login default group TACACS local-case
|
|
aaa authentication login console local-case
! this list is defined but not applied anywhere in this snippet: add
! "login authentication console" under "line con 0", otherwise the console
! falls to the default list (TACACS first, then local-case)
|
|
aaa authentication enable default group TACACS enable
|
|
aaa authorization exec default group TACACS local
|
|
aaa authorization commands 0 default group TACACS local
! command authorization here covers levels 0 and 15 only; level 1 commands are
! accounted for below but not authorized -- add a "commands 1" line if that is unintended
|
|
aaa authorization commands 15 default group TACACS local
|
|
aaa accounting exec default
|
|
action-type start-stop
|
|
group tacacs+
|
|
!
|
|
aaa accounting commands 1 default
|
|
action-type start-stop
|
|
group tacacs+
|
|
!
|
|
aaa accounting commands 2 default
|
|
action-type start-stop
|
|
group tacacs+
|
|
!
|
|
aaa accounting commands 15 default
|
|
action-type start-stop
|
|
group tacacs+
|
|
!
|
|
aaa session-id common
|
|
!
|
|
tacacs-server host 10.21.0.45
|
|
tacacs-server key unkn0wn!unicAst
|
|
\end{txt}
|
|
|
|
% <!-- NTP -->
|
|
|
|
\chapter{Network Time Protocol}
|
|
|
|
\section{The old NTP from \tsq{85}}
|
|
|
|
\section{Secure NTP}
|
|
|
|
% <!-- NETWORK MANAGEMENT -->
|
|
|
|
\chapter{Management}
|
|
|
|
\section{Network management}
|
|
|
|
\subsection{Routers}
|
|
|
|
\subsection{Switches}
|
|
|
|
\subsection{Firewall}
|
|
|
|
\section{Out-of-band management}
|
|
|
|
\subsection{Console server}
|
|
|
|
% <!-- LAYER 3 STUFF -->
|
|
|
|
\chapter{Protocols Layer 3}
|
|
|
|
\input{chapter/section/routednetwork}
|
|
|
|
% <!-- DESCRIBE THE INTERNET -->
|
|
|
|
\chapter{The Internet {\footnotesize "Post cold-war modern times"}}
|
|
|
|
\section{Service Providers}
|
|
|
|
\section{IXP}
|
|
|
|
\section{MPLS}
|
|
|
|
\section{BGP}
|
|
|
|
\section{EVPN}
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
% %
|
|
% BEGIN list of acronyms %
|
|
% %
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
|
|
\clearpage
|
|
|
|
\section*{Section with acronyms}
|
|
|
|
\printglossary[type=\acronymtype,title=Special Terms,toctitle=List of terms]
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
% %
|
|
% BEGIN list of figures %
|
|
% %
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
|
|
\renewcommand{\listfigurename}{List of {\footnotesize hidden} Figures}
|
|
\listoffigures
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
% %
|
|
% BEGIN list of tables %
|
|
% %
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
|
|
\renewcommand{\listtablename}{Tables {\footnotesize hidding} on the pages}
|
|
\listoftables
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
% %
|
|
% BEGIN references %
|
|
% %
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
|
|
\bibliography{references}
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
% %
|
|
% END DOCUMENT %
|
|
% %
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
|
|
\end{document}
|