diff --git a/.gitignore b/.gitignore index 87836be..4297af2 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,4 @@ main\.glsdefs + +main\.synctex\.gz\(busy\) diff --git a/acronyms.tex b/acronyms.tex index 792f536..b2c24df 100644 --- a/acronyms.tex +++ b/acronyms.tex 
@@ -14,29 +14,35 @@ \newacronym{cdp}{CDP}{Cisco Discovery Protocol} \newacronym{cli}{CLI}{Command Line Interface} \newacronym{cst}{CST}{Common Spanning Tree} +\newacronym{cest}{CEST}{Central European Summer Time} \newacronym{cwdm}{CWDM}{} \newacronym{db}{DB}{Database} \newacronym{dhcp}{DHCP}{Dynamic Host Control Protocol} \newacronym{dknog}{DKNOG}{Danish Network Operators' Group} \newacronym{dns}{DNS}{Domain Name System} -\newacronym{dst}{DST}{Destination} +\newacronym{dst}{dst}{destination} \newacronym{dwdm}{DWDM}{} \newacronym{eap}{EAP}{Extensible Authentication Protocol} -\newacronym{eapol}{EAPOL}{Extensible Authentication Protocol over Local Area Network} +\newacronym{eapol}{EAPoL}{Extensible Authentication Protocol over Local Area Network} \newacronym{eigrp}{EIGRP}{Enhanced Interior Gateway Routing Protocol} \newacronym{erspan}{ERSPAN}{Encapsulated Remote Switch Port Analyzer} \newacronym{evpn}{EVPN}{Ethernet Virtual Private Network} \newacronym{ftp}{FTP}{File Transfer Protocol} \newacronym{ftps}{FTPS}{File Transfer Protocol Secure} +\newacronym{gps}{GPS}{Global Positioning System} +\newacronym{gprs}{GPRS}{General Packet Radio Service} +\newacronym{gsm}{GSM}{Global System for Mobile communications} \newacronym{ieee}{IEEE}{Institute of Electrical and Electronics Engineers} \newacronym{igrp}{IGRP}{Interior Gateway Routing Protocol} \newacronym{imap}{IMAP}{Internet Message Access Protocol} +\newacronym{ios}{IOS}{Internetwork Operating System} \newacronym{ip}{IP}{Internet Protocol} \newacronym{ipv4}{IPv4}{Internet Protocol v4} \newacronym{ipv6}{IPv6}{Internet Protocol v6} \newacronym{irc}{IRC}{Internet Relay Chat} \newacronym{isis}{IS-IS}{Intermediate System to Intermediate System} \newacronym{isp}{ISP}{Internet Service Provider} +\newacronym{junos}{JUNOS}{Juniper Network Operating System} \newacronym{l2}{L2}{Layer 2} \newacronym{l2vpn}{L2VPN}{Layer 2 Virtual Private Network} \newacronym{l3}{L3}{Layer 3} 
@@ -45,6 +51,7 @@ \newacronym{lldp}{LLDP}{Link Layer Discovery Protocol} \newacronym{mac}{MAC}{Media Access Control address} \newacronym{mkc}{MKC}{Mikkel Kr\char"00F8ll} +\newacronym{metdst}{MET-DST}{Middle European Time Daylight Saving Time} \newacronym{mpls}{MPLS}{Multiprotocol Label Switching} \newacronym{mst}{MST}{Multiple Spanning Tree} \newacronym{nms}{NMS}{Network Management Software} @@ -72,7 +79,7 @@ \newacronym{sntp}{SNTP}{Secure Network Time Protocol} \newacronym{sp}{SP}{Service Provider} \newacronym{span}{SPAN}{Switch Port Analyzer} -\newacronym{src}{SRC}{Source} +\newacronym{src}{src}{source} \newacronym{ssh}{SSH}{Secure Shell} \newacronym{stp}{STP}{Spanning Tree Protocol} \newacronym{tcn}{TCN}{Topology Change Notification} diff --git a/chapter/ntp.tex b/chapter/ntp.tex index f94e877..1684497 100644 --- a/chapter/ntp.tex +++ b/chapter/ntp.tex 
@@ -1,6 +1,97 @@ -\chapter{Network Time Protocol} +\chapter{NTP} + +\gls{ntp} is the source of all evil and \gls{sla}. A network wide source of time configuration for all network nodes, servers, clients etc. is necessary. + +\textbf{Configure timezone}\\In this case it\tsq{s} for \gls{metdst}\textbf{:} + +\begin{txt} +clock timezone MET 1 0 +clock summer-time MET-DST recurring last Sun Mar 2:00 last Sun Oct 3:00 +\end{txt} + +\textbf{Configure used timezone}\\when doing logging and debugging operations\textbf{:} + +\begin{txt} +service timestamps debug datetime msec localtime show-timezone +service timestamps log datetime msec localtime show-timezone +\end{txt} + +A select number of Cisco switches support synchronization with the hardware clock, too. The standard is to only sync the software clock.\\\cliline{ntp update-calendar} + +\fig{ntp/ntp}{ntp}{\gls{ntp}} + +\gls{ntp} servers are a hierarchical tree with stratum 0 servers as the authoritative in the tree. These servers get their time from either \gls{gprs} satellites or atomic clocks {\footnotesize (i.e. an authoritative time \gls{src})}. + +\subsection{Characteristics} + +\begin{itemize} + \item Uses \gls{udp} port 123 on both \gls{src} and \gls{dst}, + \item polling interval ranging from 64-1024 sec. Length of interval is dependant upon network cond., + \item large differences between \gls{ntp} reference time and local client time will result in increased pooling interval. +\end{itemize} + +\fig{ntp/ntpstratum}{ntpstratum}{Stratum levels} \section{The old NTP from \tsq{85}} +\textbf{Team Cymru} has a nice template for how to enable \gls{ntp} \textbf{with} \textit{access control} on \gls{ios} and \gls{junos}\footnote{\url{https://www.team-cymru.org/secure-ntp-template.html}}. Shown below is a copy of the \gls{ios} example from Cymrus website. + +\begin{cisco} + ! Core NTP configuration + ntp update-calendar ! update hardware clock (certain hardware only, i.e. 6509s) + ntp server 192.0.2.1 ! 
a time server you sync with + ntp peer 192.0.2.2 ! a time server you sync with and allow to sync to you + ntp source Loopback0 ! we recommend using a loopback interface for sending NTP messages if possible + ! + ! NTP access control + ntp access-group query-only 1 ! deny all NTP control queries + ntp access-group serve 1 ! deny all NTP time and control queries by default + ntp access-group peer 10 ! permit time sync to configured peer(s)/server(s) only + ntp access-group serve-only 20 ! permit NTP time sync requests from a select set of clients + ! + ! access control lists (ACLs) + access-list 1 remark utility ACL to block everything + access-list 1 deny any + ! + access-list 10 remark NTP peers/servers we sync to/with + access-list 10 permit 192.0.2.1 + access-list 10 permit 192.0.2.2 + access-list 10 deny any + ! + access-list 20 remark Hosts/Networks we allow to get time from us + access-list 20 permit 192.0.2.0 0.0.0.255 + access-list 20 deny any +\end{cisco} + +\textbf{Beware} when running a cisco node as \gls{ntp} master and are using access-list to restrict possible clients/peers. You need to allow 127.127.[0-255].1 in the access-list\footnote{The 3rd octet will vary depending on the node.}. This because the master NTP node in the network uses this \gls{ipv4} address as internal master. + \section{Secure NTP} +\subsection{Characteristics} + +\begin{itemize} + \item \gls{ntp} is insecure be default, whích prompted for \gls{sntp} to come along, + \item Cisco \gls{ios} devices typically only support MD5 encryption\footnote{\url{https://en.wikipedia.org/wiki/MD5}} +\end{itemize} + +\subsubsection{Configure SNTP} + +\textbf{Team Cymru} has a nice template for how to enable \gls{sntp} on \gls{ios} and \gls{junos}\footnote{\url{https://www.team-cymru.org/secure-ntp-template.html}}. Shown below is a copy of the \gls{ios} example from Cymrus website. + +\begin{cisco} +ntp authenticate ! enable NTP authentication +ntp authentication-key [key-id] md5 [hash] ! 
define a NTP authentication key +ntp trusted-key [key-id] ! mark a NTP authentication key as trusted +ntp peer [peer_address] key [key-id] ! form a authenticated session with a peer +ntp server [server_address] key [key-id] ! form a authenticated session with a server +\end{cisco} + +\subsection{Versions} + +Generally today \gls{ntp}v3 or v4 is found. The difference to v4 \textit{(amongst other)} is +\begin{itemize} + \item support for \gls{ipv6}. + \item The security in the protocol is upped to with support for X509 certs. + \item Automatic calculation of time-distribution\footnote{to archive high time accuracy against lowest bandwidth cost} in a network based upon specific multicast groups leveraging v6 site-local multicast addresses. + \item \cliline{network-node(config)# ntp-server \textit{\gls{ipv6}-addr} version 4} +\end{itemize} diff --git a/commands.tex b/commands.tex index 9748a1a..dd42187 100644 --- a/commands.tex +++ b/commands.tex @@ -75,4 +75,15 @@ % Enviroment @var cisco -\lstnewenvironment{cisco}{\lstset{language=cisco}}{} \ No newline at end of file +\lstnewenvironment{cisco}{\lstset{language=cisco}}{} + + +%\newcommand{cisline}[1]{\lstinline[columns=fixed]{network-device\# #1}} + + +%\newcommand{cisconf}[2][]{% +%\def\temp{#1}\ifx\temp\empty +%\lstinline[columns=fixed]{network-device(config)\# #2} +%\else +%\lstinline[columns=fixed]{network-device(config-#1)\# #2} +%\fi\} diff --git a/img/ntp/ntp.png b/img/ntp/ntp.png new file mode 100644 index 0000000..aa6adab Binary files /dev/null and b/img/ntp/ntp.png differ diff --git a/img/ntp/ntpstratum.png b/img/ntp/ntpstratum.png new file mode 100644 index 0000000..7ff705c Binary files /dev/null and b/img/ntp/ntpstratum.png differ diff --git a/references.bib b/references.bib index 50d0488..6f2c5cc 100644 --- a/references.bib +++ b/references.bib 
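Review bot: The "Secure NTP" section mislabels the Team Cymru authentication template as \gls{sntp}: SNTP (RFC 4330) is *Simple* NTP, a reduced client-only variant with no added security, whereas `ntp authenticate` / `ntp authentication-key … md5 …` configure NTP's symmetric-key message authentication, a keyed-MD5 MAC that gives integrity and source authentication but no encryption, so the two "Characteristics" bullets should read roughly `NTP is unauthenticated by default; Cisco IOS adds symmetric-key authentication (keyed MD5 per RFC 5905; newer IOS/IOS-XE also offer SHA-1/SHA-2 HMAC and AES-CMAC where available)`. In the stratum paragraph, stratum 0 are reference clocks (GPS receivers, atomic clocks) and the stratum-1 *servers* are the nodes attached to them, and "\gls{gprs} satellites" should be `\gls{gps}` (the acronym this commit adds) since GPRS is a mobile data service. The poll-interval bullet reads inverted to me: under RFC 5905's clock discipline the interval grows while the clock is stable and is shortened when offset/jitter is large, so "large differences … will result in increased pooling interval" should be `decreased polling interval` (also "pooling"→"polling", "dependant"→"dependent"). In "Versions", the X.509 support is NTPv4 Autokey (RFC 5906), which has known cryptographic weaknesses and is generally not recommended, so it should not be presented as the security upgrade; IPv6 site-local multicast is deprecated (RFC 3879), and the IOS command is `ntp server ipv6-addr version 4`, not `ntp-server`. For log forensics, consider `service timestamps log datetime msec localtime show-timezone year` (and likewise for debug), or keeping device clocks in UTC, so archived MET/MET-DST timestamps carry the year and correlate cleanly with UTC-based sources.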
@@ -1,24 +1,24 @@ -@online{vtpchap4, - author = {Hector Camba Lainez}, - title = {Cap4 implementing vtp}, - year = 2010, +@online{ slideshare:vtpchap4, + author = "Hector Camba Lainez", + title = "Cap4 implementing vtp", + year = "2010", url = {https://www.slideshare.net/lucky0679/cap4-implementing-vtp}, - note = {Last Accessed: 2017-05-22}, + note = "[Online; accessed 22-May-2017]" } -@misc{wp_spanningtree, - title = {Spanning Tree Protocol}, - year = 2017, - url = {https://en.wikipedia.org/w/index.php?title=Spanning_Tree_Protocol&oldid=778662646}, - urldate = {2017-05-24}, - note = {Last Accessed: 2017-05-24}, +@misc{ wiki:Spanning_Tree_Protocol, + author = "Wikipedia", + title = "{Spanning Tree Protocol} --- {W}ikipedia{,} The Free Encyclopedia", + year = "2017", + howpublished = {\url{http://en.wikipedia.org/w/index.php?title=Spanning\%20Tree\%20Protocol&oldid=778662646}}, + note = "[Online; accessed 24-May-2017]" } @book{froom2015implementing, - author = {Froom, Richard}, - title = {Implementing Cisco IP switched networks (SWITCH) : foundation learning guide}, - publisher = {Cisco Press}, - year = {2015}, - address = {Indianapolis, IN}, - isbn = {978-1-58720-664-1} + author = "Froom, Richard", + title = "Implementing Cisco IP switched networks (SWITCH) : foundation learning guide", + publisher = "Cisco Press", + year = "2015", + address = "Indianapolis{,} IN", + isbn = "978-1-58720-664-1" } diff --git a/structure.tex b/structure.tex index 2bfdc9f..b6aaf0a 100644 --- a/structure.tex +++ b/structure.tex @@ -125,6 +125,7 @@ \lstdefinelanguage{cisco}{ keywords={ + access-list, cdp, dhcp, end, @@ -136,6 +137,7 @@ login, network, no, + ntp, router, show, shutdown, @@ -145,6 +147,8 @@ }, keywordstyle=\color{blue}\bfseries, ndkeywords={ + access-group, + addr, address, aux, bgp, 
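Review bot: The Wikipedia entry's link is downgraded from `https://` to `http://` in the new `howpublished` field, while the removed `url` field used https; keep `https://en.wikipedia.org/w/index.php?title=…&oldid=778662646` so the cited revision is fetched over TLS. The `\%20` escapes look like what Wikipedia's citation export emits; if they cause trouble inside `\url{}` in a .bib value, the underscore form `Spanning_Tree_Protocol` the old field used is equivalent and needs no escaping.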
@@ -173,7 +177,7 @@ } -\geometry{a4paper,margin=2cm} +\geometry{a4paper,margin=1.5cm} \setlength{\columnsep}{1.5cm} %space between columns \setlength{\headheight}{15pt} \setlength{\footnotesep}{0.5cm} %space between footnotes: