Håvard O. Nordstrand 4 years ago
parent
commit
e86bc05aa7

+ 138 - 111
config/network/brocade-fastiron-switches.md

@@ -6,12 +6,10 @@ breadcrumbs:
 ---
 {% include header.md %}
 
-**TODO:** Reorganize.
-
 ### Using
 {:.no_toc}
 
-- Brocade/Ruckus ICX 6610 running router/L3 software (**TODO** Version?)
+- Brocade/Ruckus ICX 6610 (v08.0.30 router edition).
 
 ### Disclaimer
 {:.no_toc}
@@ -21,129 +19,158 @@ Security features like port security, dynamic ARP inspection, DHCP snooping, IP
 ## Initial Configuration
 
 1. Connect using serial: 9600bps baud, 8 data bits, no paroty, 1 stop bit, no flow control.
-2. Enter privileged exec mode: `enable`
-3. Enter configuration mode: `conf t`
-4. Set the correct boot preference: boot system flash primary
-   1. Check it with `sh boot-pref` in privileged exec mode.
-5. Set the hostname: `hostname <name>`
-6. Configure time zone (Norway):
-   1. Time zone: `clock timezone gmt gmt+01`
-   2. Manual summer time: `clock summer-time`
-7. Configure NTP client:
-   1. `ntp`
-   2. `server <address>`
-   3. Show status:
-      1. `sh ntp assoc`
-      2. `sh ntp status`
-8. Set the superuser enable password: `enable super-user-password <password>`
-9. Add a user and enable login:
-   1. Enable password encryption: `service password-encryption sha256`
-   2. Add user: `user <username> privilege 0 create-password <password>`
-      1. Privilege 0 is the highest.
-      2. The default password hashing algorithm is MD5.
-   3. Enable local login: `aaa authentication login default local`
-      1. **TODO**: It doesn't work for console.
-      2. Enable for enable instead: `aaa authentication enable default local`
-   4. Enable login log messages and traps: `logging enable user-login`
-10. Enable SSH:
-    1. Delete the old key: `crypto key zeroize rsa`
-    2. Generate new key: `crypto generate rsa modulus 2048`
-    3. Remove old public keys: `ip ssh pub-key-file remove`
-    4. Disable unused authentication methods:
-       1. `ip ssh interactive-authentication no`
-       2. `ip ssh key-authentication no`
-       3. Note: SSH may crash if key-authentication is enabled but not configured.
-    5. Make it secure:
-       1. `ip ssh encryption aes-only`
-       2. `ip ssh encryption disable-aes-cbc`
-       3. `jitc enable`
-    6. Set the idle timer: `ip ssh idle-time <minutes>` (e.g. 10)
-    7. Both password and key based authentication is enabled by default.
-    8. SCP is enabled by default.
-11. (Optional) Enable HTTPS:
+1. Enter privileged exec mode: `enable`
+1. Enter configuration mode: `conf t`
+1. Shut down all interfaces:
+    1. Alternatively, shut down unused interfaces afterwards.
+    1. Select range of innterfaces: `int e1/1/1 to 1/1/24` (example)
+    1. Shut them down: `disable`
+    1. Repeat for other interface ranges.
+1. Set the correct boot preference:
+    1. Change it: `boot system flash primary`
+    1. Check it (priv exec): `sh boot-pref`
+1. Set the hostname: `hostname <name>`
+1. Disable unused features:
+    1. Web management: `no web-management`
+    1. VSRP: `no router vsrd`
+    1. Telnet: `no telnet server`
+1. Set the superuser enable password: `enable super-user-password <password>`
+1. Add a user and enable login:
+    1. Enable password encryption (requires v8.0.40 or later): `service password-encryption sha256`
+    1. Add user: `user <username> privilege 0 create-password <password>`
+        - Privilege 0 is the highest.
+        - The default password hashing algorithm is MD5.
+        - The password can't contain spaces.
+    1. Enable remote login: `aaa authentication login default local`
+    1. Make remote login enter priv exec mode: `aaa authentication login privilege-mode`
+    1. Enable priv exec mode login: `aaa authentication enable default local`
+    1. Enable login log messages and traps: `logging enable user-login`
+1. Configure time zone (Norway):
+    1. Time zone: `clock timezone gmt gmt+01`
+    1. Manual summer time: `clock summer-time`
+    1. Set the time (priv exec): `clock set <hh:mm:ss> <mm-dd-yyyy>`
+1. Setup DNS:
+    1. IPv4 DNS servers: `ip dns server-address <address> [...]`
+    1. IPv6 DNS servers: `ipv6 dns server-address <address> [...]`
+1. Enable SSH:
+    1. Delete the old key: `crypto key zeroize [rsa]`
+    1. Generate new key: `crypto key generate rsa modulus 2048`
+    1. Remove old public keys: `ip ssh pub-key-file remove`
+    1. Disable unused authentication methods:
+        1. `ip ssh interactive-authentication no`
+        1. `ip ssh key-authentication no`
+    1. Make it secure:
+        1. `ip ssh encryption aes-only`
+        1. `ip ssh encryption disable-aes-cbc`
+        1. `jitc enable`
+    1. Set the idle timer: `ip ssh idle-time <minutes>` (e.g. 15)
+    1. Notes:
+        - SSH may crash if key-authentication is enabled but not configured.
+        - Both password and key based authentication is enabled by default.
+        - SCP is enabled by default.
+1. (Optional) Enable HTTPS:
     1. Delete the old SSL/TLS certificate: `crypto-ssl certificate zeroize`
-    2. Generate new SSL/TLS certificate: `crypto-ssl certificate generate`
-    3. `web-management https`
-    4. `no web-management http`
-    5. `aaa authentication web-server default local`
-12. Disable extra features:
-    1. VSRP (Brocade proprietary): `no router vsrd`
-    2. Telner: `no telnet`
-13. Configure link aggregation (LAG/LACP):
-    1. Create it: `lag <name> [static | passive]`
-    2. Add ports to it: `ports ethernet <if> [to <if>]`
-       1. Use `no` to remove ports.
-    3. Set the primary port: `primary-port <if>`
-       1. All other ports will inherit the config for the primary port.
-    4. (Optional) Make it fast manually: `lacp-timeout short`
-    5. Deploy/enable it: `deploy`
-    6. If the LAG is not facing a STP-capable device, disable it. I've had problems where the LAG entered `LACP-BLOCKED` state and STP _seemed_ to have something to do with it.
-14. Configure VLANs:
-    1. Enter VLAN config: `vlan <VID> [name <name>]`
-       1. Providing a name will automatically create it.
-    2. Create untagged og tagged ports: `<untagged | tagged> <if> [<if>*]`
-       1. Access ports and trunk ports in Cisco terms.
-    3. (Optional) Set a dual mode VLAN (native VLAN for in Cisco terms):
-       1. Add the port as tagged.
-       2. `dual-mode <VID>`
-    4. Enable spanning tree (same type as global): `spanning-tree`
-15. Configure normal interfaces (`int eth <stack_unit>/slot/port [to ...]`):
+    1. Generate new SSL/TLS certificate: `crypto-ssl certificate generate`
+    1. Enable HTTPS: `web-management https`
+    1. Disable HTTP: `no web-management http`
+    1. Use local auth: `aaa authentication web-server default local`
+1. Configure physical interfaces (`int eth <unit/slot/port> [to ...]`):
     1. Set the port name: `post-name <name>`
-    2. If required, set the post speed and duplex mode: `speed-duplex <mode>`
-       1. Note: SFP+ are disabled until a speed and duplex has been set.
-    3. See VLAN configuration for making the interface untagged, tagged or dual-mode.
-16. Configure the management interface and VLAN for IPv4:
+    1. (SFP+ ports) Set the post speed and duplex: `speed-duplex 10g-full`
+    1. VLAN configuration: See separate section.
+1. Configure link aggregation:
+    1. Create it: `lag <name> dynamic`
+        - The "dynamic" can be omitted once created.
+    1. Add ports to it: `ports ethernet <if> [to <if>]`
+        - Use `no` to remove ports.
+    1. Set the primary port: `primary-port <if>`
+        - All other ports will inherit the config for the primary port.
+    1. Use frequent LACPDUs: `lacp-timeout short`
+    1. Deploy/enable it: `deploy`
+1. Configure VLANs:
+    1. Create VLAN: `vlan <VID> name <name>`
+        - The name can be omitted once created.
+    1. Create untagged og tagged ports: `<untagged | tagged> <if> [<if>*]`
+    1. (Optional) Set a dual mode VLAN (aka native VLAN):
+        1. Add the port as tagged.
+        1. Enter the physical interface configuration.
+        1. Set it for the current interface: `dual-mode <VID>`
+    1. Enable spanning tree (same type as global): `spanning-tree`
+1. Enable IPv6 forwarding: `ipv6 unicast-routing`
+1. Configure in-band management interface and disable out-of-band interface:
     1. Disable the OOB mgmt. interface:
-       1. `int man 1`
-       2. `disable`
-    2. Enter management VLAN config: `vlan 10` (assuming 10 is the VID)
-    3. Add router interface to the VLAN: `router-interface ve 10` (10 should be same as VID)
-    4. Enter router interface: `int ve 10`
-    5. Set address for it: `ip address <address>/length`
-    6. Exit router interface.
-    7. Add a default route: `ip route 0.0.0.0/0 <gateway>`
-17. Configure spanning tree (802-1w):
+        1. Enter: `int man 1`
+        1. Disable: `disable`
+    1. Enter management VLAN config: `vlan <VID>`
+    1. Add router interface to the VLAN: `router-interface ve <VID>`
+    1. Exit VLAN config.
+    1. Enter router interface: `int ve <VID>`
+    1. Set IPv4 address for it: `ip address <address>/length`
+    1. Set IPv6 address for it: `ipv6 address <address>/length`
+    1. Exit router interface.
+    1. Add a default IPv4 route: `ip route 0.0.0.0/0 <gateway>`
+    1. Add a default IPv6 route: `ipv6 route ::/0 <gateway>`
+    1. Disable sending IPv6 RAs: `ipv6 nd suppress-ra`
+1. Configure spanning tree (802-1w):
     1. Enable globally: `spanning-tree single 802-1w`
-    2. Set priority: `spanning-tree single 802-1w priority 12288`
-    3. Configure a port as edge port (portfast in Cisco lingo): `spanning-tree 802-1w admin-edge-port`
-    4. Enable root guard on a port: `spanning-tree root-protect`
-    5. Enable BPDU guard on a port: `stp-bpdu-guard`
-    6. Enable BPDU filter on a port: `stp-protect`
-18. SNMP daemon:
-    1. Page 149
-19. SNMP traps:
-    1. Page 28
-20. Syslog:
-    1. Page 269
-21. Save the config: `write memory`
+    1. Set priority: `spanning-tree single 802-1w priority 0` (0 for root)
+    1. Set a port as edge port (aka portfast): `spanning-tree 802-1w admin-edge-port`
+    1. Enable root guard on a port: `spanning-tree root-protect`
+    1. Enable BPDU guard on a port: `stp-bpdu-guard`
+    1. Enable BPDU filter on a port: `stp-protect`
+    1. Show status: `show 802-1w`
+1. (Optional) Configure NTP client:
+    1. Enter config: `ntp`
+    1. Enable with server: `server <address>`
+    1. Show status:
+        - `sh ntp assoc`
+        - `sh ntp status`
+1. Save the config: `write memory`
 
 ## General Configuration
 
-### Simple Actions
+### Basics
 
 - Console:
-  - Enable logging to the serial console: `logging console`
-  - Enable logging to SSH/Telnet: `terminal monitor`(in privileged exec mode)
+    - Enable logging to the serial console: `logging console`
+    - Enable logging to SSH/Telnet: `terminal monitor`(in privileged exec mode)
 - Hardware:
-  - Reboot: `boot system`
-  - Show hardware: `sh chassis`
-  - Log: `sh log`
-  - CPU usage: `sh cpu`
+    - Reboot: `boot system`
+    - Show hardware: `sh chassis`
+    - Log: `sh log`
+    - CPU usage: `sh cpu`
 - Interfaces:
-  - Interface list: `sh int br`
-  - Interface stats: `sh int`
+    - Interface list: `sh int br`
+    - Interface stats: `sh int`
 - Spanning tree:
-  - Show: `sh span`
+    - Show: `sh span`
 - Link aggregation (LAG):
-  - Show info: `sh lag`
+    - Show info: `sh lag`
 - File management:
-  - Show directory contents: `sh dir`
-  - Show file contents: `copy flash console`
+    - Show directory contents: `sh dir`
+    - Show file contents: `copy flash console`
 - Config management:
-  - Save running config: `write memory`
-  - Restore the startup config: `reload`
-- Special:
-  - Enable SFP+ ports: `speed-duplex 10g-full`
+    - Save running config: `write memory`
+    - Restore the startup config: `reload`
+- Transceivers:
+    - Show transceivers: `show media validation`
+
+### Ports
+
+- Enable SFP+ ports: `speed-duplex 10g-full`
+
+## Tasks
+
+### Reset Configuration
+
+Run `erase startup-config` and then `reload`. Don't `write mem` as it will recreate the startup config.
+
+## Features
+
+### Virtual Switch Redundancy Protocol (VSRP)
+
+- A Ruckus-proprietary protocol for L2/L3 redundancy and failover.
+- Enabled by default.
 
 ## Theory
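Review bot: The password-hashing step at L84 (`service password-encryption sha256`, annotated as requiring v8.0.40 or later) cannot take effect on the unit this page now says it was written against (v08.0.30 router edition at L19), so local user passwords on that firmware stay MD5-hashed as L87 itself notes; either state that the step is skipped on 08.0.30 or point readers to the firmware upgrade first. On the same theme, L105-L106 turn off interactive and key-based SSH authentication and leave only password authentication, which is the weaker of the two; if the key-auth crash mentioned at L113 is the reason, say so at that step and suggest loading a public key rather than disabling the method. L80 `no router vsrd` looks like a typo for `vsrp` (the protocol is spelled VSRP at L283-L285 and is stated to be enabled by default, so a rejected keyword leaves it running). L212 sets `spanning-tree single 802-1w priority 0` inside a generic initial-configuration template; with the same value on every switch the root election falls back to lowest MAC address, so mark this as root-bridge-only and leave the default elsewhere. Minor: `post-name` and "post speed" at L149/L154 should be `port-name` and "port speed", and "untagged og tagged" at L168 has a stray Norwegian "og".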
 

+ 78 - 37
config/network/cisco-ios-general.md

@@ -19,41 +19,9 @@ Software configuration for Cisco switches and routers running IOS or derivatives
 
 - [Cisco Config Analysis Tool (CCAT)](https://github.com/cisco-config-analysis-tool/ccat)
 
-## System
+## General Configuration
 
-- Memories:
-    - ROM: For bootstrap stuff.
-    - Flash: For IOS images.
-    - NVRAM: For startup configuration files.
-    - RAM: For running config, tables, etc.
-
-### Boot
-
-- IOS image sources (in default order): Flash, TFTP, ROM.
-- Startup config sources (in default order): NVRAM, TFTP, system configuration dialog.
-- Some details may be configured using the configuration register.
-
-### Modes
-
-- User EXEC mode (`Router>`):
-    - Used to run basic, non-privileged commands, like `ping` or `show` (limited).
-    - Entered when logging in as "not very privileged" users.
-- Privileged EXEC mode (`Router#`) (aka enable mode):
-    - Used to run more privileged (all) commands.
-    - Entered when logging in as "privileged" users or when running `enable` from user EXEC mode.
-- Global configuration mode (`Router(config)#`) and special configuration mode (`Router(config-xxx)#`):
-    - Used to configure the unit.
-    - Global configuration mode is entered by running `configure terminal` in privileged EXEC mode.
-    - "Special" configuration mode (it's not actually collectively called that) is entered when configuring an interface, a virtual router interface, a console line, a VLAN etc. from global configuration mode.
-- Setup mode:
-    - Used to interactivly configure some the "basics".
-    - Entered when loggin into a factory reset unit or when running `setup`.
-    - Completely useless, never use it.
-- ROM monitor mode (aka ROMMON).
-
-## Configuration
-
-### Usage and Basics
+### CLI Usage
 
 - Most commands take effect immediately.
 - Select range of interfaces: `int range g1/0/1-52` (example)
@@ -62,11 +30,19 @@ Software configuration for Cisco switches and routers running IOS or derivatives
     - Tab: Auto-complete.
     - `?`: Prints the allowed keywords.
     - `| <filter>`: Can be used to filter the output using one of the filter commands.
-- Save running config: `copy run start` or `write mem`
-- Restore startup config: `copy start run`
 - Show configurations: `show [run|start]`
     - `| section <section>` can be used to show a specific section.
 
+### Basics
+
+- Save/load config:
+    - Save running config: `copy run start` or `write mem`
+    - Restore startup config: `copy start run`
+- Interface status:
+    - L2/L3 oiverview: `sh ip int br`
+- Optics:
+    - Show transceivers: `sh interfaces transceiver`
+
 ### AAA
 
 - Disable the `password-encryption` service, use encrypted passwords instead. Perferrably type 9 (scrypt) secrets if available.
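Review bot: `copy start run` at L351 is labelled "Restore startup config", but on IOS that command merges the startup config into the running config rather than replacing it, so anything present only in the running config survives. To actually revert, use `reload` (as the Brocade page in this same commit does) or `configure replace nvram:startup-config`. Typo at L353: "oiverview".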
@@ -96,7 +72,72 @@ Software configuration for Cisco switches and routers running IOS or derivatives
     1. Enable login: `login`
     1. Set to use the local database: `login authentication default`
 
-## Miscellanea
+## Features
+
+### Port Aggregation Protocol (PAgP)
+
+- Cisco-proprietary protocol for link aggregation.
+- Use LACP instead.
+
+### Link Aggregation Control Protocol (LACP)
+
+- An IEEE protocol (aka 802.3ad) for link aggregation.
+
+### UniDirectional Link Detection (UDLD)
+
+- A Cisco-proprietary protocol for detecting unidirectional links.
+- Disabled by default.
+- This can happen when one fiber strand has been damaged but the other one works, which would make it hard to know that the link is down and it could cause STP loops.
+- It's mostly used for fiber ports, but can also be used for copper ports.
+- Use aggressive mode to err-disable the port when it stops receiving periodic UDLD messages.
+- A partial alternative is to use single member LACP.
+- Configuration:
+    - Set message interval: `udld message time <seconds>`
+    - Enable in normal og aggressive mode globally on all fiber ports: `udld <enable|aggressive>`
+    - Enable per-interface: `udld port <enable|aggressive>`
+
+### Cisco Discovery Protocol (CDP)
+
+- A Cisco-proprietary protocol for interchanging device information to neighbor devices.
+- Use LLDP instead.
+- Disable globally: `no cdp run`
+
+### Link Layer Discovery Protocol (LLDP)
+
+- An IEEE protocol (defined in IEEE 802.1AB) for interchanging device information to neighbor devices.
+- **TODO** LLDP and LLDP-MED
+
+## Information
+
+- Memories:
+    - ROM: For bootstrap stuff.
+    - Flash: For IOS images.
+    - NVRAM: For startup configuration files.
+    - RAM: For running config, tables, etc.
+
+### Boot
+
+- IOS image sources (in default order): Flash, TFTP, ROM.
+- Startup config sources (in default order): NVRAM, TFTP, system configuration dialog.
+- Some details may be configured using the configuration register.
+
+### Modes
+
+- User EXEC mode (`Router>`):
+    - Used to run basic, non-privileged commands, like `ping` or `show` (limited).
+    - Entered when logging in as "not very privileged" users.
+- Privileged EXEC mode (`Router#`) (aka enable mode):
+    - Used to run more privileged (all) commands.
+    - Entered when logging in as "privileged" users or when running `enable` from user EXEC mode.
+- Global configuration mode (`Router(config)#`) and special configuration mode (`Router(config-xxx)#`):
+    - Used to configure the unit.
+    - Global configuration mode is entered by running `configure terminal` in privileged EXEC mode.
+    - "Special" configuration mode (it's not actually collectively called that) is entered when configuring an interface, a virtual router interface, a console line, a VLAN etc. from global configuration mode.
+- Setup mode:
+    - Used to interactivly configure some the "basics".
+    - Entered when loggin into a factory reset unit or when running `setup`.
+    - Completely useless, never use it.
+- ROM monitor mode (aka ROMMON).
 
 ### Version and Image String Notations
 

+ 133 - 6
config/network/cisco-ios-routers.md

@@ -18,16 +18,143 @@ Software configuration for Cisco routers running IOS or derivatives.
 ### Using
 {:.no_toc}
 
-- ISR 2801 (**TODO** Version?)
+- ASR 920 (IOS XE 16.9)
 
 ## Initial Configuration
 
-**TODO**
+An example of a full configuration.
 
-## Security
+1. Connect using serial.
+1. Don't enter initial configuration (it's useless).
+1. Enter privileged exec mode: `enable`
+1. Enter configuration mode: `conf t`
+1. Disable unused features/services:
+    1. `no service config`
+    1. `no service pad`
+    1. `no service password-encryption`
+    1. `no cdp run`
+    1. `no ip source-route`
+    1. `no ip domain-lookup`
+    1. `no ip http server`
+    1. `no ip http secure-server`
+1. Set the hostname and domain name:
+    1. `hostname <hostname>`
+    1. `ip domain-name <domain>` (the part after the hostname)
+1. Set the time zone (for Norway) and time:
+    1. Time zone: `clock timezone UTC 1 0` (Norway)
+    1. Automatic summer time: `clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00` (Norway)
+    1. Set the time (exec mode): `clock set 10:50:00 Oct 26 2006` (example)
+    1. Show the current time (exec mode): `show clock`
+1. Setup console:
+    1. Enter console config: `line con 0`
+    1. Enable synchronous logging: `logging synchronous`
+1. Setup user login:
+    1. Enable new model AAA: `aaa new-model`
+    1. Set the enable secret (e.g. to "secret"): `enable algorithm-type scrypt secret <secret>`
+        - While this seems pointless, it's required to enter priv exec mode from VTY.
+    1. Add a user: `username <username> privilege 15 algorithm-type scrypt secret <password>`
+    1. Set local login as default: `aaa authentication login default local`
+    1. Enable console local login:
+        1. `line con 0`
+        1. `login authentication default`
+1. Configure SSH:
+    1. Set hostname and domain name (see above).
+    1. Generate SSH server cert: `crypto key generate rsa modulus 2048`
+    1. Set version: `ip ssh version 2`
+    1. Set VTY lines to use SSH:
+        1. Enter line config: `line vty 0 15`
+        1. Set to use SSH: `transport input ssh`
+        1. Set the timeout: `exec-timeout <minutes> <seconds>` (e.g. 15 minutes)
+        1. Enter priv exec mode after login: `privilege level 15`
+1. Configure DNS: `ip name-server <addr1> <addr2> [...]`
+1. Enable IPv6 forwarding: `ipv6 unicast-routing`
+1. Enable Cisco Express Forwarding (CEF):
+    1. Note: This may be enabled by default and the commands below to enable it may not work.
+    1. Enable for IPv4: `ip cef`
+    1. Enable for IPv6: `ipv6 cef`
+    1. Show status: `sh cef state` (should show "enabled/running" for both IPv4 and IPv6)
+1. (Optional) Add black hole route for the site prefixes:
+    1. Note: To avoid leakage of local traffic without a route.
+    1. IPv4 prefix: `ip route <address> <mask> Null 0`
+    1. IPv6 prefix: `ipv6 route <prefix> Null 0`
+1. (Optional) Configure management interface:
+    1. Note: The management interface is out-of-band by being contained in the special management interface VRF "Mgmt-intf".
+    1. Enter the mgmt interface config: `interface GigabitEthernet 0` (example)
+    1. Set an IPv4 and IPv6 address: See "configure interface".
+    1. Set a default IPv4 route: `ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 <gateway>`
+    1. Set a default IPv6 route: `ip route vrf Mgmt-intf ::/0 <gateway>`
+    1. Set other interface stuff: See "configure interface".
+1. Configure interface:
+    1. Set description: `desc <desc>`
+    1. (Optional) Set IPv4 address: `ip address <address> <mask>`
+    1. (Optional) Set IPv6 address: `ipv6 address <address>/<prefix-length>`
+    1. (Optional) Disable sending IPv6 RAs: `ipv6 nd ra suppress all`
+    1. Enable strict uRPF for IPv4: `ip verify unicast source reachable-via rx`
+    1. Enable strict uRPF for IPv6: `ipv6 verify unicast source reachable-via rx`
+    1. VLAN subinterfaces: See separate section.
+    1. IPv6 router advertisements: See separate section.
+1. Setup default routes:
+    1. Set a default IPv4 route: `ip route 0.0.0.0 0.0.0.0 <gateway>`
+    1. Set a default IPv6 route: `ip route ::/0 <gateway>`
+1. Enable LLDP: `lldp run`
+1. Add an ACL to protect management services:
+    1. Create IPv4 ACL:
+        1. Create and enter it: `ip access-list standard <name-v4>`
+        1. Add a permitted prefix: `permit <address> <wildcard-mask>`
+    1. Create IPv6 ACL:
+        1. Create and enter it: `ipv6 access-list <name-v6>`
+        1. Add a permitted prefix: `permit <src-prefix> <dst-prefix>`
+    1. Apply it to VTY lines:
+        1. IPv4 non-VRF: `access-class <name-v4> in`
+        1. IPv4 VRF: `access-class <name-v4> in vrfname Mgmt-intf`
+        1. IPv6 non-VRF: `ipv6 access-class <name-v6> in`
+        1. IPv6 VRF: `ipv6 access-class <name-v6> in vrfname Mgmt-intf`
+1. (Optional) Configure NTP client:
+    1. `ntp server <address>`
+    1. Show status:
+        1. `sh ntp assoc`
+        1. `sh ntp status`
+1. (Optional) Configure remote syslog delivery:
+    1. `logging host <address>`
+    1. `logging facility syslog`
+1. (Optional) Configure SNMP daemon:
+    1. With IPv4 and IPv6 ACL: `snmp-server community public ro ipv6 <acl-name-v6> <acl-name-v4>`
+1. (Optional) Configure SNMP traps:
+    1. **TODO**
+1. Save the config: `copy run start` or `write mem`
+1. (Optional) Copy the config to a TFTP server: `copy start tftp://<host>/<path>`
 
-- Disable directed broadcasts:
-  - Config: `no ip directed-broadcast`
-  - Used by smurf and fraggle attacks.
+## General Configuration
+
+### VLAN Subinterfaces (IOS XE)
+
+- Add a bridge domain for the VLAN: `bridge-domain <VID>`
+    - It'll enter the section, but you can immediately exit it.
+- Enter the interface containing the tagged VLAN.
+- (Optional) Enter IP addresses to terminate the native VLAN.
+- Setup a service config for the subinterface:
+    - Create and enter: `service instance <VID> ethernet`
+    - Set 802.1Q VID: `encapsulation dot1q <VID>`
+    - Terminate the tag: `rewrite ingress tag pop 1 symmetric`
+    - Set the bridge domain to terminate it into: `bridge-domain <VID>`
+- Exit to global.
+- Setup a bridge domain interface to terminate the VLAN:
+    - Create and enter: `int BDI <VID>`
+    - Set a description and IP addresses.
+    - Enable it: `no shut`
+
+### IPv6 Router Advertisements
+
+- Disable sending router advertisements: `ipv6 nd ra suppress all`
+    - This prevents both periodic and solicited advertisements.
+    - Without the `all`, it may in certain versions still send solicited advertisements.
+- **TODO**
+
+### Bogon Filtering
+
+- Related:
+    - Add black hole routes for local prefixes to avoid leakage when a local route is missing.
+    - Enable strict unicast reverse path forwarding to avoid having traffic from places it shouldn't come from (typically spoofed).
+- **TODO**
 
 {% include footer.md %}
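Review bot: The IPv6 default routes at L509 and L522 use `ip route ... ::/0`, which IOS rejects; they need `ipv6 route ::/0 <gateway>` (and `ipv6 route vrf Mgmt-intf ::/0 <gateway>` for the VRF case), matching the `ipv6 route` form already used at L503. Strict uRPF at L516-L517 without `allow-default` drops every source that is reachable only via the default route, which on an edge router carrying the default routes from L521-L522 means all inbound Internet traffic on the upstream interface; add `allow-default` there, or keep strict mode on downstream interfaces and use `reachable-via any` upstream. L461 `no ip domain-lookup` disables DNS resolution, so the `ip name-server` step at L493 has no effect as written; keep one or the other. L530: entries in a named IPv6 ACL need the protocol keyword, e.g. `permit ipv6 <src-prefix> any` for a VTY access-class. L545 ships the default community string `public` with read-only access; use a non-default string or, better, SNMPv3 with authPriv. L549 copies the startup config (hashed secrets and the SNMP community included) over TFTP in cleartext; prefer `scp:` or note the exposure. Minor: `clock timezone UTC 1 0` at L468 labels a +1 zone "UTC" (CET is the conventional name), and L486 generates an RSA host key pair, not a certificate.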

+ 101 - 98
config/network/cisco-ios-switches.md

@@ -24,46 +24,48 @@ Software configuration for Cisco switches running IOS or derivatives.
 
 ## Initial Configuration
 
+An example of a full configuration.
+
 1. Connect using serial.
 1. Don't enter initial configuration (it's useless).
 1. Enter privileged exec mode: `enable`
 1. Enter configuration mode: `conf t`
 1. Set the hostname and domain name:
-   1. `hostname <hostname>`
-   1. `ip domain-name <domain>` (the part after the hostname)
+    1. `hostname <hostname>`
+    1. `ip domain-name <domain>` (the part after the hostname)
 1. Set the time zone (for Norway) and time:
-   1. Time zone: `clock timezone UTC 1 0`
-   1. Automatic summer time: `clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00`
-   1. Set the time (exec mode): `clock set 10:50:00 Oct 26 2006` (example)
-   1. Show the current time (exec mode): `show clock`
+    1. Time zone: `clock timezone UTC 1 0` (Norway)
+    1. Automatic summer time: `clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00` (Norway)
+    1. Set the time (exec mode): `clock set 10:50:00 Oct 26 2006` (example)
+    1. Show the current time (exec mode): `show clock`
 1. Disable unused features/services:
-   1. `no service config`
-   2. `no service pad`
-   3. `no service password-encryption`
-   4. `vtp mode off`
-   5. `no cdp run`
-   6. `no ip source-route`
-   7. `no ip domain-lookup`
-   8. `no ip http server`
-   9. `no ip http secure-server`
+    1. `no service config`
+    2. `no service pad`
+    3. `no service password-encryption`
+    4. `vtp mode off`
+    5. `no cdp run`
+    6. `no ip source-route`
+    7. `no ip domain-lookup`
+    8. `no ip http server`
+    9. `no ip http secure-server`
 1. Setup console:
-   1. Enter console config: `line con 0`
-   2. Enable synchronous logging: `logging synchronous`
+    1. Enter console config: `line con 0`
+    2. Enable synchronous logging: `logging synchronous`
 1. Setup user login:
     1. Enable new model AAA: `aaa new-model`
     2. Set the enable secret (e.g. to "secret"): `enable algorithm-type scrypt secret <secret>`
     3. Add a user: `username <username> privilege 15 algorithm-type scrypt secret <password>`
     4. Set local login as default: `aaa authentication login default local`
     5. Enable console local login:
-       1. `line con 0`
-       2. `login authentication default`
+        1. `line con 0`
+        2. `login authentication default`
 1. Configure SSH:
     1. Generate SSH server cert: `crypto key generate rsa modulus 2048`
     2. Set version: `ip ssh version 2`
     3. Set VTY lines to use SSH:
-       1. Enter line config: `line vty 0 15`
-       2. Set to use SSH: `transport input ssh`
-       3. Set the timeout: `exec-timeout <minutes> <seconds>` (e.g. 10 minutes)
+        1. Enter line config: `line vty 0 15`
+        2. Set to use SSH: `transport input ssh`
+        3. Set the timeout: `exec-timeout <minutes> <seconds>` (e.g. 15 minutes)
 1. (Optional) Add default native vlan and black hole VLAN:
     1. Never use the default native VLAN.
     2. Use the black hole VLAN as the native VLAN for trunks without an untagged VLAN, as it can't be simply disabled on some switches.
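Review bot: L651 describes `crypto key generate rsa modulus 2048` as generating an SSH server cert; it generates the RSA host key pair, and it only succeeds once the hostname and `ip domain-name` from L605-L606 are set, which is worth stating at that step as the router page in this commit does. The VTY timeout example at L659 changes from 10 to 15 minutes and the router page now carries the same value; state the chosen idle timeout once as the agreed policy rather than as an unexplained example on each page.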
@@ -83,74 +85,74 @@ Software configuration for Cisco switches running IOS or derivatives.
     4. Add interfaces (int config): `channel-group <id> mode active`
 1. Configure ports:
     1. If using LAG:
-       1. Connect it: `channel-group <id> mode active`
-       2. Configure the LAG, not the interface range.
+        1. Connect it: `channel-group <id> mode active`
+        2. Configure the LAG, not the interface range.
     2. Add access port:
-       1. `switchport access vlan <VID>`
-       2. `switchport mode access`
-       3. Disable DTP: `switchport nonegotiate`
-       4. `spanning-tree portfast`
-       5. `spanning-tree bpduguard enable` (if not enabled globally)
-       6. Setup other security features (see section below.)
+        1. `switchport access vlan <VID>`
+        2. `switchport mode access`
+        3. Disable DTP: `switchport nonegotiate`
+        4. `spanning-tree portfast`
+        5. `spanning-tree bpduguard enable` (if not enabled globally)
+        6. Setup other security features (see section below.)
     3. Add trunk port:
-       1. `switchport trunk encapsulation dot1q` (the default on 2960G and cannot be set manually)
-       2. `switchport trunk native vlan <vid>`
-       3. `switchport trunk allowed vlan <vid>[,<vid>]*`
-       4. `switchport mode trunk`
-       5. Disable DTP: `switchport nonegotiate`
-       6. Enable root guard if facing a lower-tier switch: `spanning-tree guard root`
+        1. `switchport trunk encapsulation dot1q` (the default on 2960G and cannot be set manually)
+        2. `switchport trunk native vlan <vid>`
+        3. `switchport trunk allowed vlan <vid>[,<vid>]*`
+        4. `switchport mode trunk`
+        5. Disable DTP: `switchport nonegotiate`
+        6. Enable root guard if facing a lower-tier switch: `spanning-tree guard root`
     4. Disable unused ports: `shutdown`
 1. Configure spanning tree (rapid-pvst):
     1. Mode: `spanning-tree mode rapid-pvst`
     2. `spanning-tree extend system-id`
     3. Configure VLANs:
-       1. `spanning-tree vlan <vid-list>`
-       2. `spanning-tree vlan <vid-list> priority <priority>`
+        1. `spanning-tree vlan <vid-list>`
+        2. `spanning-tree vlan <vid-list> priority <priority>`
 1. Set management IP address and default gateway:
     1. Enter the chosen management VLAN.
     2. Set a management IP address: `ip address <address> <subnet-mask>`
     3. Set the default gateway (global config): `ip default-gateway <address>`
 1. (Optional) Configure NTP client:
-   1. `ntp server <address>`
-   2. Show status:
-      1. `sh ntp assoc`
-      2. `sh ntp status`
+    1. `ntp server <address>`
+    2. Show status:
+        1. `sh ntp assoc`
+        2. `sh ntp status`
 1. Configure access port security features:
     1. Storm control:
-       1. Enter the interface config.
-       2. `storm-control broadcast level bps 3m` (3Mbps broadcast)
-       3. `storm-control multicast level bps 3m` (3Mbps multicast)
-       4. By default it will only filter excess packets.
+        1. Enter the interface config.
+        2. `storm-control broadcast level bps 3m` (3Mbps broadcast)
+        3. `storm-control multicast level bps 3m` (3Mbps multicast)
+        4. By default it will only filter excess packets.
     1. DHCP snooping:
-       1. DHCP snooping keeps a database DHCP leases. It can provide certain DHCP protection features, like rate limiting. It is used by some other security features.
-       2. `ip dhcp snooping`
-       3. `ip dhcp snooping vlan <vid-list>` (for user VLANs)
-       4. `ip dhcp snooping verify mac-address` (applies to DHCP packets)
-       5. Set trusted interfaces (if config): `ip dhcp snooping trust`
-       6. Limit DHCP packets (if config): `ip dhcp snooping limit rate 25` (25/s)
-       7. Verify that it's enabled: `sh ip dhcp snooping`
+        1. DHCP snooping keeps a database DHCP leases. It can provide certain DHCP protection features, like rate limiting. It is used by some other security features.
+        2. `ip dhcp snooping`
+        3. `ip dhcp snooping vlan <vid-list>` (for user VLANs)
+        4. `ip dhcp snooping verify mac-address` (applies to DHCP packets)
+        5. Set trusted interfaces (if config): `ip dhcp snooping trust`
+        6. Limit DHCP packets (if config): `ip dhcp snooping limit rate 25` (25/s)
+        7. Verify that it's enabled: `sh ip dhcp snooping`
     1. Port security:
-       1. Port security limites the amount of MAC addresses that may be used by a single port.
-       2. TL;DR, it validates MAC-to-port bindings.
-       3. Enter the interface config.
-       4. `switch port-sec`
-       5. `switch port-sec max 1` (1 MAC address)
-       6. `switch port-sec violation restrict` (don't shut down port)
-       7. `switch port-sec aging type inactivity`
-       8. `switch port-sec aging time 1` (1 minute)
+        1. Port security limites the amount of MAC addresses that may be used by a single port.
+        2. TL;DR, it validates MAC-to-port bindings.
+        3. Enter the interface config.
+        4. `switch port-sec`
+        5. `switch port-sec max 1` (1 MAC address)
+        6. `switch port-sec violation restrict` (don't shut down port)
+        7. `switch port-sec aging type inactivity`
+        8. `switch port-sec aging time 1` (1 minute)
     1. IP source guard (IPSG) (IPv4):
-       1. IPSG verifies that packets from a port match the IP addresses and optionally MAC adresses in the DHCP snooping DB.
-       2. TL;DR, it validates IP-to-port bindings.
-       3. Enter interface config.
-       4. `ip verify source`
-       5. An extra argument `port-security` can be specified which specified that MAC addresses should also be checked. If not specified, it only checks IP addresses. It requires that the server supports option 82.
+        1. IPSG verifies that packets from a port match the IP addresses and optionally MAC adresses in the DHCP snooping DB.
+        2. TL;DR, it validates IP-to-port bindings.
+        3. Enter interface config.
+        4. `ip verify source`
+        5. An extra argument `port-security` can be specified which specified that MAC addresses should also be checked. If not specified, it only checks IP addresses. It requires that the server supports option 82.
     1. Dynamic ARP inspection (DAI) (IPv4):
-       1. DAI uses the DHCP snooping DB and is similar to IPSG, but only applies to ARP packets.
-       2. TL;DR, it validates IP-to-MAC bindings.
-       3. `ip arp inspection vlan <vid-list>`
-       4. Enter the interface config.
-       5. On trusted interfaces: `ip arp inspection trust`
-       6. Verify configuration: `sh ip arp inspection`
+        1. DAI uses the DHCP snooping DB and is similar to IPSG, but only applies to ARP packets.
+        2. TL;DR, it validates IP-to-MAC bindings.
+        3. `ip arp inspection vlan <vid-list>`
+        4. Enter the interface config.
+        5. On trusted interfaces: `ip arp inspection trust`
+        6. Verify configuration: `sh ip arp inspection`
     1. **TODO:** DHCPv6 snooping and other IPv6 security mechanisms.
 1. Configure remote syslog delivery:
     1. `logging host <address>`
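Review bot: the re-indented Port security and IPSG lines carry typos over that should be fixed while the lines are being rewritten anyway: "Port security limites the amount of MAC addresses" should read "limits the number of MAC addresses", "MAC adresses" should be "MAC addresses", "which specified that MAC addresses should also be checked" should be "which specifies that", and the DHCP snooping description "keeps a database DHCP leases" is missing "of". Consider also writing out `switchport port-security` in full instead of the abbreviated `switch port-sec`, so the port-security steps match the fully written `ip verify source` and `ip arp inspection` commands in the neighbouring sub-lists and readers do not have to know which abbreviations the CLI resolves.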
@@ -165,7 +167,7 @@ Software configuration for Cisco switches running IOS or derivatives.
 
 ## General Configuration
 
-### Simple Actions
+### Basics
 
 - Show statuses:
     - L3 port overview: `sh ip int br`
@@ -176,6 +178,31 @@ Software configuration for Cisco switches running IOS or derivatives.
     - STP blocked VLANS: `sh span summary`
 - Show/search log: `sh log | i <search-text>`
 
+### Spanning Tree
+
+- Enable BPDU guard globally to automatically enable it om ports with portfast. Or don't.
+- Only enable loop guard for links which may become uni-directional and which have UDLD enabled.
+- Show err-disabled ports: `sh int status err-disabled`
+- Show blocked ports: `sh span blockedports`
+- Show blocked VLANS: `sh span summary`
+- Show STP neighbors: `` **TODO**
+
+## Features
+
+### VLAN Trunking Protocol (VTP)
+
+- Cisco-proprietary.
+- It may fuck up the trunks when an out-of-sync VTP switch joins.
+- Disable globally: `vtp mode (off | transparent)`
+
+### Dynamic Trunking Protocol (DTP)
+
+- Cisco-proprietary.
+- It may facilitate switch spoofing and VLAN hopping.
+- Disable it for each switch port: `switchport nonegotiate`
+
+## Tasks
+
 ### Reset the Configuration
 
 1. Show files: `sh flash:`
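Review bot: the bullet "Enable BPDU guard globally to automatically enable it om ports with portfast" in the new Spanning Tree section carries the "om" typo over from the section it replaces; fix it to "on" now that the line is being moved. In the same section, "Show STP neighbors: `` **TODO**" renders as an empty inline code span followed by the TODO marker; drop the empty backticks until a command is filled in. The new "## Features" section only carries VTP and DTP over from the old list, so whether CDP and UDLD are meant to reappear here should be decided in this change rather than left implicit.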
@@ -193,31 +220,7 @@ Software configuration for Cisco switches running IOS or derivatives.
 
 Hold the "mode" button for 30 seconds or until it says in the console that it's restarting and clearing the configuration.
 
-### Services and Features
-
-- CDP:
-    - It may leak information.
-    - Disable globally: `no cdp run`
-- VTP:
-    - It may fuck up the trunks when an out-of-sync VTP switch joins.
-    - Disable globally: `vtp mode (off | transparent)`
-- DTP:
-    - It may facilitate switch spoofing and VLAN hopping.
-    - Disable it for each switch port: `switchport nonegotiate`
-- UDLD:
-    - Generally only useful for fiber.
-    - Disable globally: **TODO**
-
-### Spanning Tree
-
-- Enable BPDU guard globally to automatically enable it om ports with portfast. Or don't.
-- Only enable loop guard for links which may become uni-directional and which have UDLD enabled.
-- Show err-disabled ports: `sh int status err-disabled`
-- Show blocked ports: `sh span blockedports`
-- Show blocked VLANS: `sh span summary`
-- Show STP neighbors: ``
-
-## Theory
+## Information
 
 ### Ports and VLANs
 
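Review bot: the removed "### Services and Features" list drops the CDP entry ("It may leak information.", "Disable globally: `no cdp run`") and the UDLD entry ("Generally only useful for fiber.") without re-adding them anywhere, while VTP and DTP are moved to the new "## Features" section. Unless the omission is intended, add matching "### Cisco Discovery Protocol (CDP)" and "### UDLD" subsections under "## Features" with the same bullets so the hardening advice is not lost in the reorganisation.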

+ 3 - 3
config/network/linux.md

@@ -32,9 +32,9 @@ Issues may also be related to stupid things like which ports you're using on the
 - Setup the firewall for filtering both forwarded traffic and input/output to the router.
 - Setup the firewall for NAT.
 - Enable IP forwarding in `/etc/sysctl.conf`, then run `sysctl -p`:
-  - `net.ipv4.ip_forward=1`
-  - `net.ipv6.conf.all.forwarding=1`
-  - Run `sysctl -p` to reload.
+    - `net.ipv4.ip_forward=1`
+    - `net.ipv6.conf.all.forwarding=1`
+    - Run `sysctl -p` to reload.
 - Setup the network interfaces for all the directly connected networks.
 - Setup a default gateway, static routes and/or routing protocols.
 - Setup radvd for IPv6 NDP.
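Review bot: the nested bullet "Run `sysctl -p` to reload." duplicates its parent, which already says "then run `sysctl -p`"; since the three sub-bullets are being re-indented anyway, drop one of the two mentions so the item reads as two sysctl keys plus a single reload step rather than two reload instructions.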

+ 74 - 74
config/network/pfsense.md

@@ -20,16 +20,16 @@ breadcrumbs:
 ### Initial Configuration
 
 1. Connect to the website and finish the wizard.
-2. Set upstream DNS and NTP servers.
-3. Enable password protection for the console.
-4. Add a personal user and disable the admin user.
-5. Enable "PowerD" in "hiadaptive" mode to enable power saving while still focusing on performance.
-6. Enable AES-NI hardware crypto.
-7. Set the correct thermal sensors.
-8. Enable RAM disks with e.g. 1024MiB and 4096MiB and e.g. 3 hour backups.
-9. Increase network memory buffer size: Add a new system tunable with key `kern.ipc.nmbclusters` and value `1000000`.
-10. Disable TCP segmentation offload (TSO) and large receive offload (LRO). Most hardware/drivers have issues with them.
-11. See [this page](https://docs.netgate.com/pfsense/en/latest/hardware/tuning-and-troubleshooting-network-cards.html) for NIC-specific tuning.
+1. Set upstream DNS and NTP servers.
+1. Enable password protection for the console.
+1. Add a personal user and disable the admin user.
+1. Enable "PowerD" in "hiadaptive" mode to enable power saving while still focusing on performance.
+1. Enable AES-NI hardware crypto.
+1. Set the correct thermal sensors.
+1. Enable RAM disks with e.g. 1024MiB and 4096MiB and e.g. 3 hour backups.
+1. Increase network memory buffer size: Add a new system tunable with key `kern.ipc.nmbclusters` and value `1000000`.
+1. Disable TCP segmentation offload (TSO) and large receive offload (LRO). Most hardware/drivers have issues with them.
+1. See [this page](https://docs.netgate.com/pfsense/en/latest/hardware/tuning-and-troubleshooting-network-cards.html) for NIC-specific tuning.
 
 ## Configuration
 
@@ -38,31 +38,31 @@ breadcrumbs:
 #### Basic Setup
 
 1. Install `freeradius3`.
-2. Go to the FreeRADIUS settings.
-3. Add an interface for authentication: Listen on all interfaces (or only localhost), port 1812, type "authentication", IPv4. Add a separate interface for IPv6.
-4. Add an interface for accounting: Listen on all interfaces (or only localhost), port 1813, type "accounting", IPv4. Add a separate interface for IPv6.
-5. Add clients/NAS.
-6. Add RADIUS users.
-7. (Optional) Use FreeRADIUS as an authentication backend.
-   1. Create a RADIUS client with client IP address `127.0.0.1`.
-   2. Add the RADIUS client in "System/User Manager/Authentication Servers".
-   3. **TODO** What's the "RADIUS NAS IP Attribute"?
+1. Go to the FreeRADIUS settings.
+1. Add an interface for authentication: Listen on all interfaces (or only localhost), port 1812, type "authentication", IPv4. Add a separate interface for IPv6.
+1. Add an interface for accounting: Listen on all interfaces (or only localhost), port 1813, type "accounting", IPv4. Add a separate interface for IPv6.
+1. Add clients/NAS.
+1. Add RADIUS users.
+1. (Optional) Use FreeRADIUS as an authentication backend.
+    1. Create a RADIUS client with client IP address `127.0.0.1`.
+    1. Add the RADIUS client in "System/User Manager/Authentication Servers".
+    1. **TODO** What's the "RADIUS NAS IP Attribute"?
 
 #### Setup RADIUS as an Authentication Backend
 
 1. Create a RADIUS client with client IP address `127.0.0.1`.
-2. Add the RADIUS client in "System/User Manager/Authentication Servers".
+1. Add the RADIUS client in "System/User Manager/Authentication Servers".
 
 #### Setup OTP
 
 1. Make sure the server's time is synchronized, e.g. using NTP.
-2. Use the PAP protocol, so that the OTP code can be transmitted along with the password. PAP is not the most secure protocol, but it's fine for running locally, such as when using OpenVPN with RADIUS as the auth backend.
-3. Enable OTP support in the RADIUS settings.
-4. Enable OTP for each user that should have it:
-   1. Clear the user's password. It will no longer be used.
-   2. Enable OTP using the Google Authenticator method.
-   3. Set/generate a 4-8 digit PIN for the user.
-   4. To log in with this user, the supplied password must consist of the PIN concatenated with the OTP code.
+1. Use the PAP protocol, so that the OTP code can be transmitted along with the password. PAP is not the most secure protocol, but it's fine for running locally, such as when using OpenVPN with RADIUS as the auth backend.
+1. Enable OTP support in the RADIUS settings.
+1. Enable OTP for each user that should have it:
+    1. Clear the user's password. It will no longer be used.
+    1. Enable OTP using the Google Authenticator method.
+    1. Set/generate a 4-8 digit PIN for the user.
+    1. To log in with this user, the supplied password must consist of the PIN concatenated with the OTP code.
 
 #### Notes
 
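Review bot: the renumbered sub-steps under "(Optional) Use FreeRADIUS as an authentication backend." ("Create a RADIUS client with client IP address `127.0.0.1`.", "Add the RADIUS client in "System/User Manager/Authentication Servers".") duplicate the "#### Setup RADIUS as an Authentication Backend" section directly below, which is also touched in this hunk; keep one copy and have the other refer to it. The "**TODO** What's the "RADIUS NAS IP Attribute"?" line is an open question sitting inside a numbered procedure; either answer it or move it to the "#### Notes" section so the steps stay actionable.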
@@ -74,76 +74,76 @@ breadcrumbs:
 #### Setup
 
 1. Install `ntopng`.
-2. Enable it.
-3. Set an admin password. (The username is "admin".)
-4. Enable all interfaces to monitor.
-5. Update GeoIP data (save first, it reloads the page).
-6. New users can be added through the web panel.
-7. It uses a bit of storage and processing power, so disable it if it's not being used.
+1. Enable it.
+1. Set an admin password. (The username is "admin".)
+1. Enable all interfaces to monitor.
+1. Update GeoIP data (save first, it reloads the page).
+1. New users can be added through the web panel.
+1. It uses a bit of storage and processing power, so disable it if it's not being used.
 
 ### OpenVPN
 
 #### Setup
 
 1. OpenVPN is built in.
-2. Install `openvpn-client-export`.
-3. (Recommended) Use RADIUS as the local auth backend. OpenVPN + FreeRADIUS supports authentication with cert. + PIN + TOTP.
-4. Use the wizard.
-5. Use hardware crypto if you have it.
-6. Use server mode with TLS cert. and password.
+1. Install `openvpn-client-export`.
+1. (Recommended) Use RADIUS as the local auth backend. OpenVPN + FreeRADIUS supports authentication with cert. + PIN + TOTP.
+1. Use the wizard.
+1. Use hardware crypto if you have it.
+1. Use server mode with TLS cert. and password.
 
 ### Suricata
 
 #### Setup
 
 1. Disable hardware checksum offloading. Suricata doesn't work well with it.
-2. Insall `suricata`.
-3. Update the rule set manually the first time.
-4. Select which rule sets to install. E.g. the ETOpen Emerging Threats (ET) Open which is free and modular.
-5. Set the rule update interval. E.g. 6 or 12 hours.
-6. Enable "live rule swap on update".
-7. Set the "remove blocked host interval". E.g. 15 minutes.
-8. Add the WAN interface.
-   1. Enable desired logs.
-   2. Don't enable "block offenders" (yet).
-   3. Set the detect-engine profile appropriately. Use "high" if you have more than 4GB of memory and an okay machine.
-9. Enable "resolve flowbits", which allows rules to match based on multiple packets by setting bits on the flow (or something like that).
-10. Select which installed rule sets to use.
+1. Insall `suricata`.
+1. Update the rule set manually the first time.
+1. Select which rule sets to install. E.g. the ETOpen Emerging Threats (ET) Open which is free and modular.
+1. Set the rule update interval. E.g. 6 or 12 hours.
+1. Enable "live rule swap on update".
+1. Set the "remove blocked host interval". E.g. 15 minutes.
+1. Add the WAN interface.
+    1. Enable desired logs.
+    1. Don't enable "block offenders" (yet).
+    1. Set the detect-engine profile appropriately. Use "high" if you have more than 4GB of memory and an okay machine.
+1. Enable "resolve flowbits", which allows rules to match based on multiple packets by setting bits on the flow (or something like that).
+1. Select which installed rule sets to use.
     1. Description of some ET Open rule sets: [Here](https://doc.emergingthreats.net/bin/view/Main/EmergingFAQ#What_is_the_general_intent_of_ea)
-    2. Some rule sets contain a short description at the top of the file.
-    3. Only enable rule sets if you know what they do.
-    4. Only enable rule sets if you need them.
-    5. Some rules produce alerts even for safe traffic.
-    6. Some rule sets may be slower than others.
-    7. More rules means more processing overhead.
-    8. More rules means more problems and debugging.
-11. Double all the "memory cap" values. It can fail to start if it runs out of memory.
-12. Enable/start the WAN interface.
+    1. Some rule sets contain a short description at the top of the file.
+    1. Only enable rule sets if you know what they do.
+    1. Only enable rule sets if you need them.
+    1. Some rules produce alerts even for safe traffic.
+    1. Some rule sets may be slower than others.
+    1. More rules means more processing overhead.
+    1. More rules means more problems and debugging.
+1. Double all the "memory cap" values. It can fail to start if it runs out of memory.
+1. Enable/start the WAN interface.
     1. If it doesn't start, check the error log. If it contains "alloc error" or "pool grow failed", increase "Stream Memory Cap" to e.g. `100663296` (96MiB).
-    2. If it failed to start, it may have failed to remove its PID file. Remove it manually if it refuses to restart because of it.
-13. Watch for alerts and resolve false alerts by changing and tweaking the settings.
+    1. If it failed to start, it may have failed to remove its PID file. Remove it manually if it refuses to restart because of it.
+1. Watch for alerts and resolve false alerts by changing and tweaking the settings.
     1. Torrenting is a useful way of load testing.
-    2. Try using different applications: Web browsing, games, torrenting, streaming, pinging.
-14. Enable "block offenders" when there's no more false alerts, using the desired mode.
+    1. Try using different applications: Web browsing, games, torrenting, streaming, pinging.
+1. Enable "block offenders" when there's no more false alerts, using the desired mode.
     1. Legacy mode copies packets and inspects the copies. It may allow some packets to leak through before blocking.
-    2. Inline mode inspects packets before the host network stack. It will affect performance/latency but will not leak, thus making it more secure. It requires support from the NIC driver.
-15. Test it by trying to do bad stuff.
+    1. Inline mode inspects packets before the host network stack. It will affect performance/latency but will not leak, thus making it more secure. It requires support from the NIC driver.
+1. Test it by trying to do bad stuff.
     1. Try downloading the EICAR file.
-16. (Optional) Add LAN interfaces.
+1. (Optional) Add LAN interfaces.
 
 ### Unbound
 
 #### Setup
 
 1. Use only the DNS resolver (Unbound), not the older DNS forwarder (dnsmasq).
-2. Receive from and transmit to every interface.
-3. Use a "transparent" local zone.
-4. Enable DNSSEC.
-5. Enable forwarding mode if you want to query a set of selected servers instead of the root servers. The selected servers are the ones specified in the system settings. Check that you're not using the DNS servers provided by DHCP, unless you want that for some reason.
-6. Use TLS for outgoing queries if using forwarding mode and the selected servers supports it (such as Cloudflare).
-7. Don't register DHCP or OpenVPN clients.
-8. Enable DNSSEC hardening.
-9. Enable DNS rebinding protection in the system settings (enabled by default).
+1. Receive from and transmit to every interface.
+1. Use a "transparent" local zone.
+1. Enable DNSSEC.
+1. Enable forwarding mode if you want to query a set of selected servers instead of the root servers. The selected servers are the ones specified in the system settings. Check that you're not using the DNS servers provided by DHCP, unless you want that for some reason.
+1. Use TLS for outgoing queries if using forwarding mode and the selected servers supports it (such as Cloudflare).
+1. Don't register DHCP or OpenVPN clients.
+1. Enable DNSSEC hardening.
+1. Enable DNS rebinding protection in the system settings (enabled by default).
 
 #### Usage
 
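Review bot: two typos survive the renumbering and should be fixed while the lines are rewritten: "1. Insall `suricata`." should be "Install", and in the Unbound list "the selected servers supports it" should be "support it". The Suricata step "Enable "resolve flowbits", which allows rules to match based on multiple packets by setting bits on the flow (or something like that)." ends in a hedge that undercuts the instruction; either state what the setting does with confidence or drop the parenthetical.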

+ 2 - 2
config/network/ubiquiti-unifi-aps.md

@@ -35,7 +35,7 @@ breadcrumbs:
 - The APs can be adopted wirelessly if one of them is connected to the network.
 - APs that are adopted wirelessly are will automatically allow meshing to other APs while APs that are adopted while wired will not. This can be changed in the AP settings.
 - Disable wireless uplinks (meshing) if not used:
-  - (Alternative 1) Disable per site: Go to site settings and disable "uplink connectivity monitor".
-  - (Alternative 2) Disable per AP: Go to AP settings, "wireless uplinks" and disable everything.
+    - (Alternative 1) Disable per site: Go to site settings and disable "uplink connectivity monitor".
+    - (Alternative 2) Disable per AP: Go to AP settings, "wireless uplinks" and disable everything.
 
 {% include footer.md %}
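Review bot: the unchanged context line "APs that are adopted wirelessly are will automatically allow meshing" has a stray "are"; since the two sub-bullets directly below it are being re-indented, fix the grammar in the same change.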

+ 1 - 1
it/network/architecture.md

@@ -42,7 +42,7 @@ breadcrumbs:
 
 - Similar to the three-layer hierarchical model, but with the core and distribution layers collapsed into the same devices.
 - This generally means that there is only one routed layer.
-- Distro layer devices may be interconnected directly or through one or more core _switches_ (not routers) which are not themselves interconnected.
+- Distro layer devices may be interconnected directly or through one or more core _switches_ (not routers) which are _not_ themselves interconnected.
 - Appropriate for medium/small sites without multiples regions, where a separate core network is not needed.
 
 ### Collapsed Distribution

+ 6 - 1
it/network/ipv6.md

@@ -28,6 +28,11 @@ breadcrumbs:
 | `fe80::/10` | Link-scoped unicast (non-routable) |
 | `ff00::/8` | Multicast |
 
+### Special addresses
+
+- Subnet-router anycast: The first interface ID in every subnet. (Does not apply to /127 and /128 addresses.)
+- Reserved: The last 128 interface IDs in every subnet. (Does not apply to /127 and /128 addresses.)
+
 ## Advantages over IPv4
 
 - Designed based on experience with the strengths and limitations of IPv4 and other protocols.
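Review bot: the new "### Special addresses" heading breaks the Title Case used by the surrounding headings ("## Advantages over IPv4" and the rest of the page) and should be "### Special Addresses". Its two bullets also restate the "Subnet-router anycast" and "Reserved" bullets under the anycast section later in this file, but without the "All routers are required to listen to it." note and the "(RFC 4291)" / "(RFC 2526)" references; either carry the references over or have one list point at the other so the two copies do not drift apart.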
@@ -71,7 +76,7 @@ breadcrumbs:
     - May use any unicast address.
     - Treated like unicast except by the last routers toward the hosts using the anycast address.
     - Some important addresses:
-        - Subnet-router: The first interface ID in every subnet. All routers are required to listen to it. (RFC 4291)
+        - Subnet-router anycast: The first interface ID in every subnet. All routers are required to listen to it. (RFC 4291)
         - Reserved: The last 128 interface IDs in every subnet. (RFC 2526)
     - Shared unicast address approach:
         - An alternative approach to anycast.