# Network Services 

[passwords](#Passwords) | [telnet](#Telnet) | [SSH](#Secure-Shell) | [ACLs](#Access-Control-Lists) | [portSecurity](#Port-Security) | [ports](#Commonly-Known-Ports) | [vLANs](#Virtual-LANs) | [stick(R)](#InterVLAN-Routing) | [DHCP]() | [NTP]() | [sysLog]()
<br>

## Passwords

<br>

level | Features | Code
:--- | :--- | :---
User exec | console, first level | **line console** 0
 | | **password/secret** PASSWD
 | | **login**
 | |
Privileged exec | privilege and config level | **enable secret** SECRET PASSWD
 | stored as an MD5 hash, hard to break |
 | recommended over a plain text password |
 
<br>

## Telnet

access | | Code
:--- | :--- | :---
general | | **line vty** 0 [max number of users]
 | | **login**
 | | **password** PASSWD
 | |
user specific | | **username** USER **secret** SECRET
 | | **line vty** 0 15
 | | **login local**

<br>

## Secure Shell

block | | Code
:--- | :--- | :---
 user and machine| | **username** USER **secret** PASSWD
 | | **ip domain-name** domain.com
ssh | |  **crypto key generate rsa modulus** 1024
 | | **[ip ssh version 2]**
apply | | **line vty** 0 5
 | | **login local**
 | | **transport input** ssh
 
<br>

<img src="pics/ACLs.png" width=450 height=430 style="float: right;">
## Access Control Lists

- Permit or deny specific traffic in and/or out of the network
  - Inbound
    - Tested on arrival, before the routing lookup
    - Saves the routing lookup overhead for packets that are dropped
  - Outbound
    - Tested before the packet leaves the device
    - Routing lookup is wasted if the packet is discarded anyway


- Wildcard mask implementation
  - 0 bit: the corresponding address bit must match
  - 1 bit: the corresponding address bit is ignored


- Used on switches and routers


- Statements are evaluated top-down; once a match is made, the remaining statements are skipped

ACL | Control | Code
:--- | :--- | :---
Standard | Checks the source IP only |
 | 1-99 and 1300-1999 |
 | Applies to the entire protocol suite |
Extended | Validates both the source and destination |
 | 100-199 and 2000-2699 |
 | Allows for identification of IPs and ports |
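The wildcard-mask and first-match rules above, as an added example that is not from the original notes: a small evaluator for a constructed standard ACL (`SAMPLE_ACL`, entries in Cisco "address wildcard" form), including the implicit deny that every Cisco ACL ends with.

```python
import ipaddress

# Constructed sample ACL (not from the page): evaluated top-down, first match wins,
# and anything that matches no line hits the implicit "deny any" at the end.
SAMPLE_ACL = [
    ("permit", "192.168.10.0", "0.0.0.255"),        # the whole 192.168.10.0/24
    ("deny",   "192.168.0.0",  "0.0.255.255"),      # the rest of 192.168.0.0/16
    ("permit", "0.0.0.0",      "255.255.255.255"),  # any
]


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask = bitwise inverse of the subnet mask: 0 = must match, 1 = ignore."""
    netmask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return str(ipaddress.IPv4Address(netmask ^ 0xFFFFFFFF))


def matches(ip: str, address: str, wildcard: str) -> bool:
    """True when every address bit whose wildcard bit is 0 is equal in ip and address."""
    ip_i, addr_i, wc_i = (int(ipaddress.IPv4Address(x)) for x in (ip, address, wildcard))
    care = wc_i ^ 0xFFFFFFFF  # bits we are required to compare
    return (ip_i & care) == (addr_i & care)


def evaluate(acl, src_ip: str) -> tuple:
    """Return (action, index of the matching line); (deny, None) means the implicit deny fired."""
    for idx, (action, address, wildcard) in enumerate(acl):
        if matches(src_ip, address, wildcard):
            return action, idx  # later lines are never evaluated
    return "deny", None
```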

<br>

## Port Security 

- Restricts network access to clients whose MAC address is known on the port; frames from unknown MAC addresses count as violations
  - Layer 2 security feature, for plug and play devices

- Port security is configured per switch port. Network access or denial on a violation is as follows:

Violation | | Status
:--- | --- | :---
Shutdown (default) | | Administratively disabled (err-disabled)
 | | Sends an SNMP trap and a log message
 | | Port must be shut/no shut to enable it again
Protect | | Drops packets from unknown MACs silently
 | | Recovers when the violating host is removed
Restrict | | Similar to Protect, added benefit of event logging and a violation counter


- Port security learning modes are as follows:

Security | Feature | Code
:--- | :--- | :---
Static learning | Define the MAC address for the port |
Dynamic learning | Define the max number of MACs allowed to access the port |
Combination | Define the maximum number of MACs together with some preferred (static) MAC addresses |
Sticky | Dynamically learned addresses are converted to sticky secure addresses |
 | Addresses do not age out |
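The violation modes and learning modes above, as an added example that is not part of the original notes: a constructed model of one port-security enabled access port (`SecurePort`, a hypothetical class, not Cisco code) that learns up to `maximum` addresses, applies the shutdown/protect/restrict behaviour on a violation, and shows what sticky learning writes into the running configuration.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """Constructed model of a switch port with port security enabled (not Cisco code)."""
    maximum: int = 1                  # switchport port-security maximum N
    violation: str = "shutdown"       # shutdown (default) | protect | restrict
    sticky: bool = False              # switchport port-security mac-address sticky
    secure_macs: set = field(default_factory=set)  # static + learned secure addresses
    err_disabled: bool = False
    violations: int = 0
    log: list = field(default_factory=list)             # SNMP trap / syslog messages
    running_config: list = field(default_factory=list)  # lines sticky learning adds

    def receive(self, src_mac: str) -> str:
        """Return 'forward' or 'drop' for a frame arriving with source MAC src_mac."""
        if self.err_disabled:
            return "drop"                       # shut down port passes nothing
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)       # dynamic learning
            if self.sticky:                     # sticky: learned address becomes configuration
                self.running_config.append(
                    f"switchport port-security mac-address sticky {src_mac}")
            return "forward"
        # Maximum reached and the address is unknown: this is a violation.
        self.violations += 1
        if self.violation == "shutdown":
            self.err_disabled = True
            self.log.append(f"{src_mac}: port err-disabled, SNMP trap and syslog sent")
        elif self.violation == "restrict":
            self.log.append(f"{src_mac}: dropped, violation count {self.violations}")
        # protect: drop silently, nothing logged
        return "drop"

    def recover(self) -> None:
        """Operator does shutdown / no shutdown on the port."""
        self.err_disabled = False
```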
 
<br>

## Commonly Known Ports 

```python
import pandas as pd

# Well-known port table used to build the DataFrame below
ports = {
    'port number' : [20, 21, 22, 23, 25, 53, 67, 68, 69, 80, 110, 123, 143, 443, 546, 547, 3389],
    'process name': ['FTP-Data', 'FTP', 'SSH', 'Telnet', 'SMTP', 'DNS', 'DHCPv4', 'DHCPv4',
                     'TFTP', 'HTTP', 'POP3', 'NTP', 'IMAP', 'HTTPS', 'DHCPv6', 'DHCPv6', 'RDP'],
    'Tx Protocol' : ['TCP', 'TCP', 'TCP', 'TCP', 'TCP', 'TCP and UDP', 'UDP', 'UDP', 'UDP',
                     'TCP and UDP', 'TCP', 'TCP', 'TCP', 'TCP', 'UDP', 'UDP', 'TCP'],
    'Description' : ['File Transfer-Data', 'File Transfer-Control', 'Secure Shell', 'Telnet',
                     'Simple Mail Transfer Protocol', 'Domain Name System', 'Dynamic Host Configuration Protocol v4',
                     'Dynamic Host Configuration Protocol v4', 'Trivial File Transfer Protocol', 'Hypertext Transfer Protocol',
                     'Post Office Protocol 3', 'Network Time Protocol', 'Internet Message Access Protocol', 'Secure HTTP',
                     'Dynamic Host Configuration Protocol v6', 'Dynamic Host Configuration Protocol v6', 'Remote Desktop Protocol']
}
sockets = pd.DataFrame(ports)
sockets = sockets.set_index('port number')
sockets
```

port number | process name | Tx Protocol | Description
:--- | :--- | :--- | :---
20 | FTP-Data | TCP | File Transfer-Data
21 | FTP | TCP | File Transfer-Control
22 | SSH | TCP | Secure Shell
23 | Telnet | TCP | Telnet
25 | SMTP | TCP | Simple Mail Transfer Protocol
53 | DNS | TCP and UDP | Domain Name System
67 | DHCPv4 | UDP | Dynamic Host Configuration Protocol v4
68 | DHCPv4 | UDP | Dynamic Host Configuration Protocol v4
69 | TFTP | UDP | Trivial File Transfer Protocol
80 | HTTP | TCP and UDP | Hypertext Transfer Protocol
110 | POP3 | TCP | Post Office Protocol 3
123 | NTP | TCP | Network Time Protocol
143 | IMAP | TCP | Internet Message Access Protocol
443 | HTTPS | TCP | Secure HTTP
546 | DHCPv6 | UDP | Dynamic Host Configuration Protocol v6
547 | DHCPv6 | UDP | Dynamic Host Configuration Protocol v6
3389 | RDP | TCP | Remote Desktop Protocol


[HOME](#Network-Services)

<br>

<img src="pics/vLANs.png" width=450 height=430 style="float: right;">
## Virtual LANs 

- Remember a LAN is a group of devices in a single broadcast domain


- Virtual LANs (VLANs) are individual broadcast domains created by a switch
  - each VLAN becomes a separate broadcast domain
  - logical subnets


- **The need for VLANs is**
  - Segmentation
    - Increased performance
  - Flexibility
    - Span across WANs; inter-VLAN routing
    - Each VLAN is associated with an IP subnet
  - Security
    - Access and policies applied per group <img src="pics/vlans.png" width=400 height=430 style="float: right;">

vlan | | code | Debug
---: | ---: | :--- | :---
 | | |
create | | **vlan** vlanID | **show vlan brief**
 | | **name** NAME | **show vlan id** vlanID
 | | |
Host | | **interface** INT SLOT/PORT | **show interface** INT **switchport**
 | | **switchport mode access** | **show interfaces switchport**
 | | **switchport access vlan** VLAN |
 | | |
.1Q Trunking | | **interface** INT SLOT/PORT | **show interfaces switchport**
 | | **switchport mode trunk** |
 | | **switchport trunk native vlan** vlanID |

<br>

- **TRUNKING with 802.1Q**
  - Traditionally, every VLAN would need its own link between switches. <img src="pics/vlanTrunk.png" width=450 height=500 style="float: right;">
  - Trunking
    - VLANs between switches are carried on a single trunk link
      - VLANs share the same native logical LAN
      - The link carries frames from different VLANs
      - VLAN traffic is identified by a *TAG* inserted in the frame header; frames of the native VLAN travel untagged
    - Both ends of the trunk need to be configured with the identical native VLAN <img src="pics/dot1Q.png" height=450 style="float: right;">
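The tagging and native-VLAN points above, as an added example that is not part of the original notes: a constructed 802.1Q encoder/decoder (hypothetical helpers `send_on_trunk` and `parse_frame`, not from any switch vendor) that tags frames for non-native VLANs, leaves native-VLAN frames untagged, and lets `demo` show why a native VLAN mismatch between the two trunk ends silently moves untagged traffic into the wrong VLAN.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag follows the source MAC


def parse_frame(frame: bytes, rx_native_vlan: int = 1) -> dict:
    """Decode an Ethernet frame received on a trunk; untagged frames belong to the receiver's native VLAN."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":")}
    if ethertype == TPID_8021Q:
        tci, inner_type = struct.unpack("!HH", frame[14:18])   # Tag Control Information + real EtherType
        info.update(tagged=True, vlan=tci & 0x0FFF, pcp=tci >> 13,
                    ethertype=inner_type, payload=frame[18:])
    else:
        info.update(tagged=False, vlan=rx_native_vlan, pcp=0,
                    ethertype=ethertype, payload=frame[14:])
    return info


def send_on_trunk(dst: bytes, src: bytes, vlan: int, ethertype: int,
                  payload: bytes, tx_native_vlan: int = 1, pcp: int = 0) -> bytes:
    """Frames for the sender's native VLAN leave untagged; every other VLAN gets a 4-byte tag inserted."""
    if vlan == tx_native_vlan:
        return dst + src + struct.pack("!H", ethertype) + payload
    tci = (pcp << 13) | (vlan & 0x0FFF)                       # 3-bit priority, 1-bit DEI (0), 12-bit VID
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


# Constructed sample addresses and payload (not captured traffic)
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("0200c0ffee01")
PAYLOAD = b"constructed payload"


def demo(tx_native_vlan: int, rx_native_vlan: int, vlan: int) -> int:
    """Send one frame of `vlan` across a trunk whose ends use the given native VLANs; return the VLAN the receiver assigns."""
    wire = send_on_trunk(DST, SRC, vlan, 0x0800, PAYLOAD, tx_native_vlan)
    return parse_frame(wire, rx_native_vlan)["vlan"]
```

With matching native VLANs `demo` returns the VLAN that was sent; with mismatched native VLANs (for example 10 on one end, 20 on the other) an untagged VLAN 10 frame is delivered into VLAN 20.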

[HOME](#Network-Services)

<br>

<img src="pics/routerOnStick.png" width=450 height=500 style="float: right;">
## InterVLAN Routing

- VLANs create separate switching segments
  - Traffic cannot be switched between VLANs
  - Each VLAN is a different IP subnet
  - thus routing is needed


- for Layer 2 switches a router is needed


- Router on a stick
  - the switches switch VLAN frames
  - the router routes traffic between VLANs over one trunk link, one subinterface per VLAN
    - route 
 

