
Add link checker and SDA notes

Håvard Ose Nordstrand, 1 year ago
parent
commit
f9ead29574
6 files changed, 147 additions and 30 deletions
  1. check-links.sh (+68 -0)
  2. index.md (+1 -1)
  3. make-index.sh (+1 -1)
  4. networking/cisco-sda.md (+46 -7)
  5. networking/dot1x-eap.md (+0 -21)
  6. networking/net-auth.md (+31 -0)

+ 68 - 0
check-links.sh

@@ -0,0 +1,68 @@
+#!/bin/bash
+
+# Find all internal, cross-page markdown links and checks if the page exists.
+# Must be run at the root of the site.
+
+set -eu -o pipefail
+
+ignored_web_urls="
+/
+"
+
+function print_error {
+    src_file="$1"
+    web_url="$2"
+    target_file="$3"
+    msg="$4"
+
+    echo
+    echo "Error: $msg"
+    echo "Source file: $src_file"
+    echo "Web URL: $web_url"
+    echo "Target file: $target_file"
+}
+
+# Checks if real file for MD-link input exists.
+function check_link {
+    src_file="$1"
+    md_link="$2"
+    name=$(grep -Po '(?<=^\[)[^\[\]]*(?=\])' <<<$md_link || true)
+    web_url=$(grep -Po '(?<=\()[^\(\)]*(?=\)$)' <<<$md_link || true)
+    target_file=$(sed 's|/$|.md|' <<<$web_url)
+
+    # Ignore external (fully-qualified) URLs.
+    if grep -P '^https?://' <<<$web_url >/dev/null; then
+        return
+    fi
+
+    # Ignore if not ending with "/".
+    if ! grep -P '/$' <<<$web_url >/dev/null; then
+        return
+    fi
+
+    # Ignore special targets.
+    if grep -Fx "$web_url" <<<$ignored_web_urls >/dev/null; then
+        return
+    fi
+
+    # Show error if using relative path.
+    if grep -P '/$' <<<$target_file >/dev/null; then
+        print_error "$src_file" "$web_url" "$target_file" "Relative paths not allowed."
+        return
+    fi
+
+    # Show error if file does not exist.
+    if [[ ! -f $target_file ]]; then
+        print_error "$src_file" "$web_url" "$target_file" "Target file does not exist."
+        return
+    fi
+}
+
+# Find all markdown pages and check.
+for file in $(find "." -type f -name '*.md' | sed 's|^\./||' | LC_ALL=C sort -t. -k1,1); do
+    # Extract MD-links and check them.
+    md_link_regex='\[[^\[\]]*\]\([^\(\)]*\)'
+    { grep -Po "$md_link_regex" "$file" || true; } | while read -r md_link; do
+        check_link "$file" "$md_link"
+    done
+done
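Review bot: the existence check at the end of `check_link` tests an absolute filesystem path. `target_file` is derived with `sed 's|/$|.md|'` from a site-absolute URL such as `/networking/cisco-sda/`, which yields `/networking/cisco-sda.md`, so `[[ ! -f $target_file ]]` looks under the filesystem root rather than the site root the header comment asks the script to be run from, and every valid link is reported as missing. Strip the leading slash when deriving the file name, e.g. `target_file=$(sed -e 's|^/||' -e 's|/$|.md|' <<<"$web_url")`. The "Relative paths not allowed." branch can never fire: links that do not end in `/` are already ignored above it, and the sed substitution then guarantees `target_file` ends in `.md`, so `grep -P '/$' <<<$target_file` is always false; testing `web_url` for a leading `./` or `../` (or for the absence of a leading `/`) would detect what the message describes. Finally, `print_error` only echoes, so the script exits 0 even when links are broken, which makes it ineffective as a CI gate; count errors and `exit 1` at the end (the `while read` runs in a pipeline subshell, so either write a marker to a temp file or feed the loop with `done < <(...)` instead of a pipe). Minor: `name` is assigned but never used, and `for file in $(find ...)` splits on whitespace in file names.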

+ 1 - 1
index.md

@@ -110,7 +110,6 @@ _(Alphabetically sorted, so the ordering might seem a bit strange.)_
 - [Cisco Identity Services Engine (ISE)](/networking/cisco-ise/)
 - [Cisco Nexus Switches (NX-OS)](/networking/cisco-nxos-switches/)
 - [Cisco Software-Defined Access (SDA)](/networking/cisco-sda/)
-- [802.1X & EAP](/networking/dot1x-eap/)
 - [Fibers & Fiber Optics](/networking/fiber/)
 - [FS FSOS Switches](/networking/fs-fsos-switches/)
 - [General](/networking/general/)
@@ -123,6 +122,7 @@ _(Alphabetically sorted, so the ordering might seem a bit strange.)_
 - [Juniper EX Series Switches](/networking/juniper-junos-switches/)
 - [Linksys LGS Switches](/networking/linksys-lgs/)
 - [Linux Switching & Routing](/networking/linux/)
+- [Network Authentication](/networking/net-auth/)
 - [Open Shortest Path First (OSPF)](/networking/ospf/)
 - [pfSense](/networking/pfsense/)
 - [Routing](/networking/routing/)

+ 1 - 1
make-index.sh

@@ -5,7 +5,7 @@
 
 set -eu -o pipefail
 
-index_file="index.md"
+index_file="${1:-index.md}"
 
 # Create/clean the current index file
 > "$index_file"
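Review bot: the new optional positional argument is undocumented; add a usage line near the top, e.g. `# Usage: ./make-index.sh [index-file]`, since nothing else in the script tells a reader that `$1` is accepted. `${1:-index.md}` is the right form under `set -u` (a bare `$1` would abort the script when no argument is given). Note that the following line `> "$index_file"` truncates whatever path is passed, so a mistyped argument silently empties that file; a `[[ $index_file == *.md ]] || exit 1` guard before the truncation would be cheap insurance.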

+ 46 - 7
networking/cisco-sda.md

@@ -7,16 +7,55 @@ breadcrumbs:
 
 ## General
 
-- A zero-trust network fabric for "user networks" (not DC), part of Cisco DNA (often called DNA/SDA).
-- Uses mainly Catalyst switches (plus WLCs and APs).
-- Managed by DNA Center (DNAC), depends heavily on Identity Services Engine (ISE).
+- A full zero-trust network solution for campus/enterprise networks (not DC), part of Cisco DNA (often called DNA/SDA).
+- Relation to Cisco Application Centric Infrastructure (ACI): [Cisco ACI: Relation to SDA](../cisco-aci/#relation-to-sda)
 
-### Relation to ACI
+## Links
 
-See [Cisco ACI: Relation to SDA](../cisco-aci/#relation-to-sda).
+- [Cisco: Cisco SD-Access Solution Design Guide (CVD)](https://www.cisco.com/c/en/us/td/docs/solutions/CVD/Campus/cisco-sda-design-guide.html)
+- [Cisco: Cisco SD-Access Multicast](https://community.cisco.com/t5/networking-knowledge-base/cisco-sd-access-multicast/ta-p/4068110)
 
-## Theory
+## Architecture
 
-**TODO**
+- SDA consists of Cisco DNA Center (DNAC) and a campus fabric of DNAC-managed switches. Cisco ISE is also used for policy design and operation.
+- Segmentation:
+    - Virtual networks (VNs) (using VRFs) are used for macro-segmentation and secure/scalable group tags (SGTs) (using VXLAN tagging) are used for micro-segmentation.
+    - SGACLs are used to control traffic flows between SGTs. By default, all SGTs within a VN are allowed to communicate with eachother.
+    - Traffic flows between VNs, as well as to/from external services, should go through a firewall appliance for greater visibility and control. Alternatively, a core *fusion router* may be used to leak select traffic between VNs and to/from external services.
+- Underlay:
+    - Mainly Catalyst 9000 series switches running standard IOS-XE, managed by DNAC.
+    - Catalyst WLCs and APs are integrated for wireless access, with direct traffic handoff from APs to switches for unified wired and wireless access.
+    - Uses IS-IS routing and PaGP port channels.
+    - Only fully supports IPv4, IPv6 support is still lacking.
+- Overlay:
+    - Planes:
+        - Control plane: Uses LISP for locating client MAC and IPv4/IPv6 addresses, with control nodes as LISP map servers.
+        - Data plane: Uses VXLAN for tunneling overlay traffic between fabric nodes.
+        - Policy plane: Uses Cisco TrustSec (CTS) for policy decisions, like SGTs and SGACLs (using Cisco ISE).
+    - Supports IPv4-only, dual-stack and (partially?) IPv6-only.
+    - Anycast gateways are used at all edge nodes for all VNs.
+- Multicast:
+    - For IPv4, it supports head-end replication and native multicast.
+    - For IPv6, it only supports head-end replication. (TODO: Does enabling native multicast for a site kill IPv6 multicast or will it continue to use head-end replication?)
+    - *Head-end replication* runs completely in the overlay and makes edge devices duplicate multicast streams into unicast streams to each edge device with subscribers. This causes increased overhead.
+    - *Native multicast* tunnels multicast streams inside underlay multicast packets and avoids head-end replication.
+    - Supports sources both inside and outside the fabric.
+    - Protocol Independent Multicast (PIM) with both any-source multicast (ASM) and any-source multicast (ASM) is supported in both the underlay and overlay.
+    - For details around rendezvous points (RPs) and stuff, see the design guide.
+- Layer 2 flooding:
+    - Traffic that is normally flooded in traditionally networks, like ARP, is often handled differently and more efficiently in overlay technologies like SDA.
+    - For ARP, the edge looks up the RLOC/address for the edge the target resides at and then the ARP is unicasted to that edge.
+    - Certain applications and protocols requires layer 2 flooding to work. To address this, *layer 2 flooding* may be enabled for a VN/site (if really needed).
+    - Examples of applications/protocols/devices requiring layer 2 flooding:
+        - Dumb clients requiring broadcast ARP to wake up.
+        - Local Wake-on-LAN (WoL).
+        - Certain building management systems.
+        - ???
+    - This will reduce scalability of the VN/site, so it should only be used for /24 subnets and smaller.
+    - The L2 flooding is mapped to a dedicated multicast group in the underlay, using PIM-ASM. All edge nodes active for the VN must listen to this group.
+- mDNS/Bonjour:
+    - **TODO**
+    - https://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/sd-access-wired-wireless-dg.html
+    - https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/1-3-1-0/user_guide/cisco_dna_service_for_bonjour/b_cisco-dna-service-for-bonjour_user_guide_2-1-2/m_deploying-wide-area-bonjour-for-cisco-sd-access-network.html
 
 {% include footer.md %}
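Review bot: the PIM bullet under Multicast lists "any-source multicast (ASM) and any-source multicast (ASM)"; the second one is presumably source-specific multicast (SSM). In the Underlay list, "PaGP" should be PAgP (Port Aggregation Protocol). The new General bullet links to `../cisco-aci/#relation-to-sda` with a relative path, which is exactly what the `check-links.sh` added in this commit rejects with "Relative paths not allowed.", and it slips past the checker only because the URL ends in a fragment rather than `/`; `/networking/cisco-aci/#relation-to-sda` would match the style used in index.md. Typos: "eachother", "traditionally networks", "requires layer 2 flooding" (require), and the `???` placeholder in the examples list should be a **TODO** like the other open items on the page.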

+ 0 - 21
networking/dot1x-eap.md

@@ -1,21 +0,0 @@
----
-title: 802.1X & EAP
-breadcrumbs:
-- title: Network
----
-{% include header.md %}
-
-## TODO
-
-- WPA Enterprise w/o provider certificate validation is unsafe?
-- PEAP encapsulates inner authentication method, e.e. EAP-MSCHAPv2, using e.g. TLS.
-- MS-CHAPv2 is old and uses DES.
-- Both PEAP and MS-CHAPv2 provide mutual authentication and don't transmit the password in plaintext.
-- EAP-TLS requires the client device to have both the provider cert and a provider-provided client cert (with private key).
-- PEAPv0 with EAP-MSCHAPv2 without CA cert validation = bad and crackable.
-
-## 802.1X General
-
-- Aka dot1x.
-
-{% include footer.md %}
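Review bot: this removes the page served at `/networking/dot1x-eap/` outright; since its bullets are carried over into `networking/net-auth.md` in the same commit, no content is lost, but any external bookmark or inbound link to the old URL will now 404. Consider keeping a stub page (or a redirect, if the site generator supports one) that points at `/networking/net-auth/`.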

+ 31 - 0
networking/net-auth.md

@@ -0,0 +1,31 @@
+---
+title: Network Authentication
+breadcrumbs:
+- title: Network
+---
+{% include header.md %}
+
+## General
+
+- Most types of network authentication, where a client authenticates itself to a switch or a wireless access point, uses IEEE 802.1X (aka dot1x) (excluding approaches like e.g. PSK and MACsec).
+- Extensible Authentication Protocol (EAP) is generally the framework used for dot1x, using Remote Authentication Dial-In User Service (RADIUS) as the underlying protocol.
+- Examples of authentication servers include FreeRADIUS and Cisco ISE, which may use internal client identities or use an upstream identity provider like Active Directory (AD).
+
+### Usage Examples
+
+- **TODO**
+
+## Extensible Authentication Protocol (EAP)
+
+### TODO
+
+- WPA Enterprise w/o provider certificate validation is unsafe? Yes.
+- PEAP encapsulates inner authentication method, e.e. EAP-MSCHAPv2, using e.g. TLS.
+- MS-CHAPv2 is old and uses DES. Inside PEAP is fine.
+- Both PEAP and MS-CHAPv2 provide mutual authentication and don't transmit the password in plaintext.
+- EAP-TLS requires the client device to have both the provider cert and a provider-provided client cert (with private key).
+- PEAPv0 with EAP-MSCHAPv2 without CA cert validation = bad and crackable.
+
+## Tips and Best Practices
+
+{% include footer.md %}
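Review bot: the EAP list states "MS-CHAPv2 is old and uses DES. Inside PEAP is fine." without the condition that makes it true: the inner exchange is protected only when the supplicant validates the server certificate, which the first and last bullets of the same list already identify as the failure mode. Suggest merging them into one statement, e.g. "MS-CHAPv2 uses DES and is only acceptable inside PEAP when the client validates the server's certificate against a trusted CA; without that validation the exchange can be captured and cracked." Wording: "Most types of network authentication ... uses" should be "use", and "e.e." should be "e.g."; the first bullet still carries the question form ("unsafe? Yes.") from the deleted page and reads better as a plain statement. The General bullet describing EAP says RADIUS is "the underlying protocol"; between supplicant and switch/AP, EAP is carried in EAPOL (802.1X), and RADIUS carries it only between the authenticator and the authentication server, so "relayed to the authentication server over RADIUS" would be more accurate. The "Tips and Best Practices" heading has no content; give it a **TODO** bullet like the other open sections or leave it out until it has text.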