Cisco CCNP Enterprise 300-410 ENARSI – CCNP ENCOR (350-401) : NETWORK MANAGEMENT
- 7_1- AAA
In this section we are going to talk about AAA (Authentication, Authorization and Accounting), which is a security feature that provides secure access to network resources. Let's start with what AAA is. We have three main features in play. The first one is authentication: users must enter a username and password before accessing the devices. Authorization means users must be authorized at various levels. For example, you may have operator-level users and administrator-level users, so you can define different command-line interface commands for the operator and administrator levels. And accounting means that configuration changes and user access are recorded. Let's talk about the benefits of AAA. We have four different benefits of AAA, and the first one is flexibility: command-line access, command-based or interface-based authorization can be handled by AAA for access to the command-line interface.
That's the first benefit. The second benefit is scalability. Managing a large number of users on a large number of devices is very difficult as the network grows; with AAA, you can handle it easily. The third benefit is standard authentication methods: AAA supports the RADIUS protocol, which is an industry standard, so a standard authentication method can be created even for devices from different vendors. And the last benefit is multiple backup systems. When configuring authentication options, multiple servers can be specified and these servers can be combined into a single group. Let's talk about RADIUS and TACACS+. RADIUS and TACACS+ are both AAA protocols. For example, the terminal user sends an access request to the network access device, and the network access device forwards this request to the AAA server by exchanging RADIUS or TACACS+ messages.
As you can see in the figure, if the authorization succeeds, the user is given access to the device; otherwise, access is denied. Here are some differences between RADIUS and TACACS+. RADIUS uses UDP, while TACACS+ uses TCP. RADIUS encrypts only the password, while TACACS+ encrypts the full payload of each packet. And as I told you before, RADIUS is an open standard and TACACS+ is Cisco proprietary. Let's see how we can verify identity with TACACS+. The first message, going from the client to the server, is the START message. The TACACS+ server gets the START message and sends a GETUSER message back to the client, asking for the username. The TACACS+ client sends a CONTINUE message carrying the username parameter to the TACACS+ server.
Then TACACS+ sends a GETPASS message, requesting the password from the client. The client replies with another CONTINUE packet and sends the password inside this packet. As you can see, with the final status, TACACS+ sends an Accept or a Reject message. Here is how we can configure AAA; we have four main steps in the configuration. In the first step, AAA is enabled globally by using the aaa new-model command. In the second step, the TACACS+ server IP addresses and the shared secrets to be used in communication with the servers are defined; as you can see, the command is tacacs-server host with the IP address of the TACACS+ server, and the key command with the shared key that we are going to use.
In the third step we have the aaa authentication login command, which identifies the information to be used for login. The keyword default is the list name. The remaining keywords are the authentication methods: group tacacs+, as you can see here, means using all configured TACACS+ servers, and the local keyword here defines the second authentication mechanism. If the authentication servers cannot be reached, the local usernames and passwords defined on the router can be used. And the fourth step is to apply the default list to the relevant lines for console and remote access. As you can see, the configuration is like this: you go under the line by using line console 0 to reach the console port, and line vty 0 15 to reach the Telnet or remote-access ports, and the command is login authentication followed by the name of our list.
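The TACACS+ login exchange and the group tacacs+ local method list from this section, modelled as an added example that is not part of the course material; the in-memory user tables and the server-availability flag are constructed, and no real TACACS+ packets are sent:

```python
"""Added example (not from the course): a model of the TACACS+ login
exchange described above (START, GETUSER, CONTINUE, GETPASS, CONTINUE,
Accept/Reject) and of the method list
'aaa authentication login default group tacacs+ local'.
The user tables and the server-availability flag are constructed; no
real TACACS+ packets are sent."""

SERVER_USERS = {"operator": "op-pass"}   # constructed TACACS+ server user table
LOCAL_USERS = {"admin": "local-pass"}    # constructed 'username ...' entries on the router


def tacacs_login(server_up, username, password):
    """Return (message trace, accepted?) for one TACACS+ authentication."""
    if not server_up:
        raise ConnectionError("TACACS+ server unreachable")
    trace = ["START"]                           # client -> server
    trace.append("REPLY GETUSER")               # server asks for the username
    trace.append(f"CONTINUE user={username}")   # client -> server
    trace.append("REPLY GETPASS")               # server asks for the password
    trace.append("CONTINUE pass=<hidden>")      # whole body is encrypted on the wire
    ok = SERVER_USERS.get(username) == password
    trace.append("REPLY ACCEPT" if ok else "REPLY REJECT")   # PASS/FAIL status in the protocol
    return trace, ok


def login_default(server_up, username, password):
    """Walk the method list 'group tacacs+ local'.
    The next method is consulted only when the current one gives no answer
    (server unreachable); an explicit Reject from the server is final and
    does not fall through to the local database."""
    try:
        _, ok = tacacs_login(server_up, username, password)
        return "tacacs+", ok
    except ConnectionError:
        return "local", LOCAL_USERS.get(username) == password
```

The point to check in a real deployment is the same as in the model: a server that answers Reject ends the login, and the local database is only consulted when no server in the group can be reached.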
- 7_2- Identity-Based Networking
In this section we are going to talk about identity-based networking. Identity-based networking is a concept that unites several features, including authentication, access control, mobility and user policy components, with the aim of providing users with, and restricting them to, the network services they are entitled to. Let's take a look at this figure. First we have the client (supplicant), the authenticator and the authentication server. The authenticator can be an access point or a switch. In this method users are assigned to a VLAN that is related to their identity. Users who do not perform the required validation will not be admitted to the network, or can be placed in a guest VLAN, for example, until the client identity is verified. 802.1X access control allows only EAPOL, CDP and STP traffic to pass through the port to which the supplicant is connected.
Once authentication is successful, normal traffic can pass through the relevant port as well. And here is the configuration of 802.1X. First we enable the AAA model by using the aaa new-model command. Then we define a RADIUS server, which is the IP address shown in the figure (ending in 11), with the shared key cisco456. Then we define a RADIUS server group named mygroup3 and put our server into this group. Then here is the 802.1X configuration, and that's it: aaa authentication dot1x default group mygroup3, which points at this server group; we enable dot1x system-auth-control; and we go under the interface and use dot1x port-control auto. And that's it.
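How a port in dot1x port-control auto state treats frames before and after authentication, and how the identity-based VLAN placement works, as an added example that is not from the course; the frame fields, VLAN numbers and RADIUS answers are constructed:

```python
"""Added example (not from the course): a model of how a switch port in
'dot1x port-control auto' state treats frames before and after 802.1X
authentication, and of the identity-based VLAN placement described above.
Frame fields, VLAN numbers and the RADIUS answers are constructed."""

ETHERTYPE_EAPOL = 0x888E                               # EAP over LAN
CONTROL_DST = {"01:00:0c:cc:cc:cc": "CDP", "01:80:c2:00:00:00": "STP"}


class Dot1xPort:
    def __init__(self, access_vlan=10):
        self.authorized = False
        self.access_vlan = access_vlan     # constructed default access VLAN
        self.vlan = None                   # VLAN the client lands in

    def allows(self, frame):
        """Unauthorized: only EAPOL, CDP and STP pass; authorized: everything."""
        if self.authorized:
            return True
        return frame["ethertype"] == ETHERTYPE_EAPOL or frame["dst"] in CONTROL_DST

    def apply_radius_result(self, answer):
        """Authenticator acts on the authentication server's decision.
        An Access-Accept may carry the VLAN tied to the user's identity;
        on reject the port stays unauthorized (the guest VLAN mentioned
        in the course is not modelled here)."""
        if answer["access"] == "accept":
            self.authorized = True
            self.vlan = answer.get("vlan", self.access_vlan)
        else:
            self.authorized = False
            self.vlan = None
        return self.vlan
```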
- 7_3- NTP (Network Time Protocol)
NTP is the protocol used for clock synchronization between network devices over packet-switched, variable-latency data networks with an NTP server, and it uses port number 123 over UDP. NTP uses a hierarchical, semi-layered system of time sources, and each level of this hierarchy is termed a stratum. Stratum 0 consists of high-precision timekeeping devices such as atomic clocks and GPS clocks; stratum 1 is directly connected to stratum 0, as you can see, and the other layers are connected through the network and get their clock from the layer above. To configure NTP, we have just one command, and our command is ntp server followed by the IP address of our NTP server, which is this IP address for this example. And we can use show ntp status and show ntp associations to verify.
- 7_4- SNMP
Simple Network Management Protocol (SNMP) is an Internet standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behavior. Devices that typically support SNMP include cable modems, routers, switches, servers, workstations, printers and more. SNMP is widely used in network management for network monitoring. SNMP exposes management data in the form of variables on the managed systems, organized in a Management Information Base (MIB), which describe the system status and configuration. These variables can then be remotely queried and, in some circumstances, manipulated by managing applications. The SNMP process consists of some steps.
The first one that we are going to take a look at is GetRequest. GetRequest is used to get the value of a specific MIB variable, and it is a manager-to-agent message. The second one is the GetNextRequest message. Yes, GetNext is used to retrieve the next instance value of the MIB variable. And the third is the SetRequest. SetRequest is used to change the value of a variable or a list of variables. Let's go ahead with the agent-to-manager messages, which are GetResponse and Trap. GetResponse is the reply message from agent to manager, and Trap allows an agent to notify the manager of important events via an unsolicited SNMP message. We have three versions of SNMP. SNMP version 1 is the initial implementation of the SNMP protocol.
SNMP version 2 revises version 1 and includes improvements in the areas of performance, security and confidentiality. And SNMP version 3 primarily adds security and remote configuration enhancements to SNMP. Let's go ahead with the SNMP community string term. The SNMP community string is like a user ID or password that allows access to a router's or other device's statistics. If the community string is correct, the device responds with the requested information. If the community string is not correct, the device simply discards the request and does not respond. The SNMP community string is used in SNMP version 1 and SNMP version 2. And we have two types of SNMP community strings. The first is read-only.
That means you can access the MIB but you cannot make any change. The second type is read-write. That means you can access and modify the MIB. And to configure SNMP version 3, what we are doing is first defining an access list, as you can see: ip access-list standard with the access-list name, and we define the IP address that we are going to permit. Then we are using the snmp-server commands: snmp-server view with a view name and iso included; then we define an administrator group and the rights of that group, as you can see here; and then we define a single user, as you can see here. To verify the SNMP version 3 configuration we can use the show snmp group command.
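An offline audit of a Cisco IOS-style configuration against the AAA, NTP and SNMP settings covered in this chapter, as an added example that is not from the course; the configuration text is constructed, and the addresses, keys, view, group and list names are placeholders rather than values from the course:

```python
"""Added example (not from the course): an offline check of a Cisco IOS-style
configuration for the network-management settings this chapter covers
(AAA, NTP and SNMP).  The configuration text is constructed; addresses,
keys, view/group and list names are placeholders, not course values."""
import re

SAMPLE_CONFIG = """\
aaa new-model
tacacs-server host 192.0.2.10 key EXAMPLE-SHARED-KEY
aaa authentication login default group tacacs+ local
line con 0
 login authentication default
line vty 0 15
 login authentication default
ntp server 192.0.2.20
snmp-server community public RO
snmp-server view ADMINVIEW iso included
snmp-server group ADMINGRP v3 priv read ADMINVIEW
snmp-server user adminuser ADMINGRP v3 auth sha EXAMPLE-AUTH priv aes 128 EXAMPLE-PRIV
"""


def audit(config):
    """Return {check name: True (pass) / False (finding)} for one config text."""
    lines = [ln.rstrip() for ln in config.splitlines()]
    text = "\n".join(lines)
    login = re.search(r"^aaa authentication login default (.+)$", text, re.M)
    methods = login.group(1).split() if login else []
    # each 'line con/vty' block is the indented lines that follow its header
    blocks = re.findall(r"^line (?:con|vty) [^\n]+\n((?: .*\n?)*)", text, re.M)
    return {
        # step 1 of the AAA configuration: AAA enabled globally
        "aaa_new_model": "aaa new-model" in lines,
        # step 3: the server group first, local users only as the fallback
        "login_has_server_and_local_fallback": "tacacs+" in methods and "local" in methods,
        # step 4: every console/VTY line applies a login method list
        "lines_apply_login_list": bool(blocks) and all("login authentication" in b for b in blocks),
        "ntp_server_set": any(ln.startswith("ntp server ") for ln in lines),
        # v1/v2c community strings travel in clear text; SNMPv3 with priv is preferred
        "no_v1v2c_community": not any(ln.startswith("snmp-server community") for ln in lines),
        "snmpv3_priv_group": bool(re.search(r"^snmp-server group \S+ v3 priv", text, re.M)),
    }
```

On the constructed sample every check passes except no_v1v2c_community, because the leftover snmp-server community line still exposes the device to v1/v2c requests alongside the SNMPv3 user.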