Merge branch 'feature/ntp' into develop
commit
e1edcb060a
2
.gitignore
vendored
2
.gitignore
vendored
|
@ -1,2 +1,4 @@
|
||||||
|
|
||||||
main\.glsdefs
|
main\.glsdefs
|
||||||
|
|
||||||
|
main\.synctex\.gz\(busy\)
|
||||||
|
|
13
acronyms.tex
13
acronyms.tex
|
@ -14,29 +14,35 @@
|
||||||
\newacronym{cdp}{CDP}{Cisco Discovery Protocol}
|
\newacronym{cdp}{CDP}{Cisco Discovery Protocol}
|
||||||
\newacronym{cli}{CLI}{Command Line Interface}
|
\newacronym{cli}{CLI}{Command Line Interface}
|
||||||
\newacronym{cst}{CST}{Common Spanning Tree}
|
\newacronym{cst}{CST}{Common Spanning Tree}
|
||||||
|
\newacronym{cest}{CEST}{Central European Summer Time}
|
||||||
\newacronym{cwdm}{CWDM}{}
|
\newacronym{cwdm}{CWDM}{}
|
||||||
\newacronym{db}{DB}{Database}
|
\newacronym{db}{DB}{Database}
|
||||||
\newacronym{dhcp}{DHCP}{Dynamic Host Control Protocol}
|
\newacronym{dhcp}{DHCP}{Dynamic Host Control Protocol}
|
||||||
\newacronym{dknog}{DKNOG}{Danish Network Operators' Group}
|
\newacronym{dknog}{DKNOG}{Danish Network Operators' Group}
|
||||||
\newacronym{dns}{DNS}{Domain Name System}
|
\newacronym{dns}{DNS}{Domain Name System}
|
||||||
\newacronym{dst}{DST}{Destination}
|
\newacronym{dst}{dst}{destination}
|
||||||
\newacronym{dwdm}{DWDM}{}
|
\newacronym{dwdm}{DWDM}{}
|
||||||
\newacronym{eap}{EAP}{Extensible Authentication Protocol}
|
\newacronym{eap}{EAP}{Extensible Authentication Protocol}
|
||||||
\newacronym{eapol}{EAPOL}{Extensible Authentication Protocol over Local Area Network}
|
\newacronym{eapol}{EAPoL}{Extensible Authentication Protocol over Local Area Network}
|
||||||
\newacronym{eigrp}{EIGRP}{Enhanced Interior Gateway Routing Protocol}
|
\newacronym{eigrp}{EIGRP}{Enhanced Interior Gateway Routing Protocol}
|
||||||
\newacronym{erspan}{ERSPAN}{Encapsulated Remote Switch Port Analyzer}
|
\newacronym{erspan}{ERSPAN}{Encapsulated Remote Switch Port Analyzer}
|
||||||
\newacronym{evpn}{EVPN}{Ethernet Virtual Private Network}
|
\newacronym{evpn}{EVPN}{Ethernet Virtual Private Network}
|
||||||
\newacronym{ftp}{FTP}{File Transfer Protocol}
|
\newacronym{ftp}{FTP}{File Transfer Protocol}
|
||||||
\newacronym{ftps}{FTPS}{File Transfer Protocol Secure}
|
\newacronym{ftps}{FTPS}{File Transfer Protocol Secure}
|
||||||
|
\newacronym{gps}{GPS}{Global Positioning System}
|
||||||
|
\newacronym{gprs}{GPRS}{General Packet Radio Service}
|
||||||
|
\newacronym{gsm}{GSM}{Global System for Mobile communications}
|
||||||
\newacronym{ieee}{IEEE}{Institute of Electrical and Electronics Engineers}
|
\newacronym{ieee}{IEEE}{Institute of Electrical and Electronics Engineers}
|
||||||
\newacronym{igrp}{IGRP}{Interior Gateway Routing Protocol}
|
\newacronym{igrp}{IGRP}{Interior Gateway Routing Protocol}
|
||||||
\newacronym{imap}{IMAP}{Internet Message Access Protocol}
|
\newacronym{imap}{IMAP}{Internet Message Access Protocol}
|
||||||
|
\newacronym{ios}{IOS}{Internetwork Operating System}
|
||||||
\newacronym{ip}{IP}{Internet Protocol}
|
\newacronym{ip}{IP}{Internet Protocol}
|
||||||
\newacronym{ipv4}{IPv4}{Internet Protocol v4}
|
\newacronym{ipv4}{IPv4}{Internet Protocol v4}
|
||||||
\newacronym{ipv6}{IPv6}{Internet Protocol v6}
|
\newacronym{ipv6}{IPv6}{Internet Protocol v6}
|
||||||
\newacronym{irc}{IRC}{Internet Relay Chat}
|
\newacronym{irc}{IRC}{Internet Relay Chat}
|
||||||
\newacronym{isis}{IS-IS}{Intermediate System to Intermediate System}
|
\newacronym{isis}{IS-IS}{Intermediate System to Intermediate System}
|
||||||
\newacronym{isp}{ISP}{Internet Service Provider}
|
\newacronym{isp}{ISP}{Internet Service Provider}
|
||||||
|
\newacronym{junos}{JUNOS}{Juniper Network Operating System}
|
||||||
\newacronym{l2}{L2}{Layer 2}
|
\newacronym{l2}{L2}{Layer 2}
|
||||||
\newacronym{l2vpn}{L2VPN}{Layer 2 Virtual Private Network}
|
\newacronym{l2vpn}{L2VPN}{Layer 2 Virtual Private Network}
|
||||||
\newacronym{l3}{L3}{Layer 3}
|
\newacronym{l3}{L3}{Layer 3}
|
||||||
|
@ -45,6 +51,7 @@
|
||||||
\newacronym{lldp}{LLDP}{Link Layer Discovery Protocol}
|
\newacronym{lldp}{LLDP}{Link Layer Discovery Protocol}
|
||||||
\newacronym{mac}{MAC}{Media Access Control address}
|
\newacronym{mac}{MAC}{Media Access Control address}
|
||||||
\newacronym{mkc}{MKC}{Mikkel Kr\char"00F8ll}
|
\newacronym{mkc}{MKC}{Mikkel Kr\char"00F8ll}
|
||||||
|
\newacronym{metdst}{MET-DST}{Middle European Time Daylight Saving Time}
|
||||||
\newacronym{mpls}{MPLS}{Multiprotocol Label Switching}
|
\newacronym{mpls}{MPLS}{Multiprotocol Label Switching}
|
||||||
\newacronym{mst}{MST}{Multiple Spanning Tree}
|
\newacronym{mst}{MST}{Multiple Spanning Tree}
|
||||||
\newacronym{nms}{NMS}{Network Management Software}
|
\newacronym{nms}{NMS}{Network Management Software}
|
||||||
|
@ -72,7 +79,7 @@
|
||||||
\newacronym{sntp}{SNTP}{Secure Network Time Protocol}
|
\newacronym{sntp}{SNTP}{Secure Network Time Protocol}
|
||||||
\newacronym{sp}{SP}{Service Provider}
|
\newacronym{sp}{SP}{Service Provider}
|
||||||
\newacronym{span}{SPAN}{Switch Port Analyzer}
|
\newacronym{span}{SPAN}{Switch Port Analyzer}
|
||||||
\newacronym{src}{SRC}{Source}
|
\newacronym{src}{src}{source}
|
||||||
\newacronym{ssh}{SSH}{Secure Shell}
|
\newacronym{ssh}{SSH}{Secure Shell}
|
||||||
\newacronym{stp}{STP}{Spanning Tree Protocol}
|
\newacronym{stp}{STP}{Spanning Tree Protocol}
|
||||||
\newacronym{tcn}{TCN}{Topology Change Notification}
|
\newacronym{tcn}{TCN}{Topology Change Notification}
|
||||||
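Review bot: The `sntp` entry that the new NTP chapter builds its "Secure NTP" section on (`\newacronym{sntp}{SNTP}{Secure Network Time Protocol}`, context in the last hunk) expands the acronym wrongly: SNTP is the Simple Network Time Protocol (RFC 4330, folded into RFC 5905), a reduced-complexity client profile that adds no security at all. Suggest `\newacronym{sntp}{SNTP}{Simple Network Time Protocol}` and, if a glossary term for authenticated time is wanted, a separate entry such as `\newacronym{nts}{NTS}{Network Time Security}` (RFC 8915) rather than overloading SNTP. While in this file, `dhcp` expands to "Dynamic Host Control Protocol"; the protocol is the Dynamic Host Configuration Protocol (RFC 2131). The new `gps`/`gprs` pair is fine here, but see the NTP chapter for where they are mixed up.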
|
|
|
@ -1,6 +1,97 @@
|
||||||
\chapter{Network Time Protocol}
|
\chapter{NTP}
|
||||||
|
|
||||||
|
\gls{ntp} is the source of all evil and \gls{sla}. A network wide source of time configuration for all network nodes, servers, clients etc. is necessary.
|
||||||
|
|
||||||
|
\textbf{Configure timezone}\\In this case it\tsq{s} for \gls{metdst}\textbf{:}
|
||||||
|
|
||||||
|
\begin{txt}
|
||||||
|
clock timezone MET 1 0
|
||||||
|
clock summer-time MET-DST recurring last Sun Mar 2:00 last Sun Oct 3:00
|
||||||
|
\end{txt}
|
||||||
|
|
||||||
|
\textbf{Configure used timezone}\\when doing logging and debugging operations\textbf{:}
|
||||||
|
|
||||||
|
\begin{txt}
|
||||||
|
service timestamps debug datetime msec localtime show-timezone
|
||||||
|
service timestamps log datetime msec localtime show-timezone
|
||||||
|
\end{txt}
|
||||||
|
|
||||||
|
A select number of Cisco switches support synchronization with the hardware clock, too. The standard is to only sync the software clock.\\\cliline{ntp update-calendar}
|
||||||
|
|
||||||
|
\fig{ntp/ntp}{ntp}{\gls{ntp}}
|
||||||
|
|
||||||
|
\gls{ntp} servers are a hierarchical tree with stratum 0 servers as the authoritative in the tree. These servers get their time from either \gls{gprs} satellites or atomic clocks {\footnotesize (i.e. an authoritative time \gls{src})}.
|
||||||
|
|
||||||
|
\subsection{Characteristics}
|
||||||
|
|
||||||
|
\begin{itemize}
|
||||||
|
\item Uses \gls{udp} port 123 on both \gls{src} and \gls{dst},
|
||||||
|
\item polling interval ranging from 64-1024 sec. Length of interval is dependant upon network cond.,
|
||||||
|
\item large differences between \gls{ntp} reference time and local client time will result in increased pooling interval.
|
||||||
|
\end{itemize}
|
||||||
|
|
||||||
|
\fig{ntp/ntpstratum}{ntpstratum}{Stratum levels}
|
||||||
|
|
||||||
\section{The old NTP from \tsq{85}}
|
\section{The old NTP from \tsq{85}}
|
||||||
|
|
||||||
|
\textbf{Team Cymru} has a nice template for how to enable \gls{ntp} \textbf{with} \textit{access control} on \gls{ios} and \gls{junos}\footnote{\url{https://www.team-cymru.org/secure-ntp-template.html}}. Shown below is a copy of the \gls{ios} example from Cymrus website.
|
||||||
|
|
||||||
|
\begin{cisco}
|
||||||
|
! Core NTP configuration
|
||||||
|
ntp update-calendar ! update hardware clock (certain hardware only, i.e. 6509s)
|
||||||
|
ntp server 192.0.2.1 ! a time server you sync with
|
||||||
|
ntp peer 192.0.2.2 ! a time server you sync with and allow to sync to you
|
||||||
|
ntp source Loopback0 ! we recommend using a loopback interface for sending NTP messages if possible
|
||||||
|
!
|
||||||
|
! NTP access control
|
||||||
|
ntp access-group query-only 1 ! deny all NTP control queries
|
||||||
|
ntp access-group serve 1 ! deny all NTP time and control queries by default
|
||||||
|
ntp access-group peer 10 ! permit time sync to configured peer(s)/server(s) only
|
||||||
|
ntp access-group serve-only 20 ! permit NTP time sync requests from a select set of clients
|
||||||
|
!
|
||||||
|
! access control lists (ACLs)
|
||||||
|
access-list 1 remark utility ACL to block everything
|
||||||
|
access-list 1 deny any
|
||||||
|
!
|
||||||
|
access-list 10 remark NTP peers/servers we sync to/with
|
||||||
|
access-list 10 permit 192.0.2.1
|
||||||
|
access-list 10 permit 192.0.2.2
|
||||||
|
access-list 10 deny any
|
||||||
|
!
|
||||||
|
access-list 20 remark Hosts/Networks we allow to get time from us
|
||||||
|
access-list 20 permit 192.0.2.0 0.0.0.255
|
||||||
|
access-list 20 deny any
|
||||||
|
\end{cisco}
|
||||||
|
|
||||||
|
\textbf{Beware} when running a cisco node as \gls{ntp} master and are using access-list to restrict possible clients/peers. You need to allow 127.127.[0-255].1 in the access-list\footnote{The 3rd octet will vary depending on the node.}. This because the master NTP node in the network uses this \gls{ipv4} address as internal master.
|
||||||
|
|
||||||
\section{Secure NTP}
|
\section{Secure NTP}
|
||||||
|
|
||||||
|
\subsection{Characteristics}
|
||||||
|
|
||||||
|
\begin{itemize}
|
||||||
|
\item \gls{ntp} is insecure be default, whích prompted for \gls{sntp} to come along,
|
||||||
|
\item Cisco \gls{ios} devices typically only support MD5 encryption\footnote{\url{https://en.wikipedia.org/wiki/MD5}}
|
||||||
|
\end{itemize}
|
||||||
|
|
||||||
|
\subsubsection{Configure SNTP}
|
||||||
|
|
||||||
|
\textbf{Team Cymru} has a nice template for how to enable \gls{sntp} on \gls{ios} and \gls{junos}\footnote{\url{https://www.team-cymru.org/secure-ntp-template.html}}. Shown below is a copy of the \gls{ios} example from Cymrus website.
|
||||||
|
|
||||||
|
\begin{cisco}
|
||||||
|
ntp authenticate ! enable NTP authentication
|
||||||
|
ntp authentication-key [key-id] md5 [hash] ! define a NTP authentication key
|
||||||
|
ntp trusted-key [key-id] ! mark a NTP authentication key as trusted
|
||||||
|
ntp peer [peer_address] key [key-id] ! form a authenticated session with a peer
|
||||||
|
ntp server [server_address] key [key-id] ! form a authenticated session with a server
|
||||||
|
\end{cisco}
|
||||||
|
|
||||||
|
\subsection{Versions}
|
||||||
|
|
||||||
|
Generally today \gls{ntp}v3 or v4 is found. The difference to v4 \textit{(amongst other)} is
|
||||||
|
\begin{itemize}
|
||||||
|
\item support for \gls{ipv6}.
|
||||||
|
\item The security in the protocol is upped to with support for X509 certs.
|
||||||
|
\item Automatic calculation of time-distribution\footnote{to archive high time accuracy against lowest bandwidth cost} in a network based upon specific multicast groups leveraging v6 site-local multicast addresses.
|
||||||
|
\item \cliline{network-node(config)# ntp-server \textit{\gls{ipv6}-addr} version 4}
|
||||||
|
\end{itemize}
|
||||||
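Review bot: The "Secure NTP" characteristics (`\item \gls{ntp} is insecure be default, whích prompted for \gls{sntp} to come along` and `\item Cisco \gls{ios} devices typically only support MD5 encryption`) mischaracterise the mechanism: SNTP is the Simple Network Time Protocol (RFC 4330), a stripped-down client profile with no security features, and the `ntp authenticate`/`ntp authentication-key ... md5` lines below are ordinary NTPv3/v4 symmetric-key authentication, a keyed MD5 digest appended to each packet — nothing is encrypted, and the protection rests entirely on the secrecy of the shared key. Suggest rewording to `\item \gls{ntp} is unauthenticated by default; symmetric-key authentication (keyed MD5 digests, RFC 5905) is the usual mitigation and Network Time Security (RFC 8915) the modern one,` and `\item Cisco \gls{ios} devices typically only support MD5-keyed authentication (a MAC, not encryption)`. The `[hash]` placeholder in `ntp authentication-key [key-id] md5 [hash]` is the shared secret itself, not a digest, and it is stored in the running configuration, so it deserves the same handling as any other device credential; the template also only takes effect for a given peer/server once the matching `key [key-id]` is present on that line. Separately, the stratum paragraph should read `\gls{gps}` rather than `\gls{gprs}` (the commit adds both acronyms), and the stratum-0 devices are the reference clocks themselves — the first servers in the tree are stratum 1.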
|
|
11
commands.tex
11
commands.tex
|
@ -76,3 +76,14 @@
|
||||||
|
|
||||||
% Enviroment @var cisco
|
% Enviroment @var cisco
|
||||||
\lstnewenvironment{cisco}{\lstset{language=cisco}}{}
|
\lstnewenvironment{cisco}{\lstset{language=cisco}}{}
|
||||||
|
|
||||||
|
|
||||||
|
%\newcommand{cisline}[1]{\lstinline[columns=fixed]{network-device\# #1}}
|
||||||
|
|
||||||
|
|
||||||
|
%\newcommand{cisconf}[2][]{%
|
||||||
|
%\def\temp{#1}\ifx\temp\empty
|
||||||
|
%\lstinline[columns=fixed]{network-device(config)\# #2}
|
||||||
|
%\else
|
||||||
|
%\lstinline[columns=fixed]{network-device(config-#1)\# #2}
|
||||||
|
%\fi\}
|
||||||
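Review bot: The commented-out macro drafts at the end of the hunk are not valid LaTeX as written, so they will fail the moment someone uncomments them: `%\newcommand{cisline}[1]` lacks the backslash on the macro name (`\newcommand{\cisline}[1]`), and `%\fi\}` has a stray backslash before the closing brace (`%\fi}`). If they are meant as a sketch, mark them as such with a one-line `% TODO: untested drafts of \cisline/\cisconf; the NTP chapter currently uses \cliline instead`; otherwise drop them, since `\cliline` already covers that use in the new chapter.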
|
|
BIN
img/ntp/ntp.png
Normal file
BIN
img/ntp/ntp.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 109 KiB |
BIN
img/ntp/ntpstratum.png
Normal file
BIN
img/ntp/ntpstratum.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 63 KiB |
|
@ -1,24 +1,24 @@
|
||||||
@online{vtpchap4,
|
@online{ slideshare:vtpchap4,
|
||||||
author = {Hector Camba Lainez},
|
author = "Hector Camba Lainez",
|
||||||
title = {Cap4 implementing vtp},
|
title = "Cap4 implementing vtp",
|
||||||
year = 2010,
|
year = "2010",
|
||||||
url = {https://www.slideshare.net/lucky0679/cap4-implementing-vtp},
|
url = {https://www.slideshare.net/lucky0679/cap4-implementing-vtp},
|
||||||
note = {Last Accessed: 2017-05-22},
|
note = "[Online; accessed 22-May-2017]"
|
||||||
}
|
}
|
||||||
|
|
||||||
@misc{wp_spanningtree,
|
@misc{ wiki:Spanning_Tree_Protocol,
|
||||||
title = {Spanning Tree Protocol},
|
author = "Wikipedia",
|
||||||
year = 2017,
|
title = "{Spanning Tree Protocol} --- {W}ikipedia{,} The Free Encyclopedia",
|
||||||
url = {https://en.wikipedia.org/w/index.php?title=Spanning_Tree_Protocol&oldid=778662646},
|
year = "2017",
|
||||||
urldate = {2017-05-24},
|
howpublished = {\url{http://en.wikipedia.org/w/index.php?title=Spanning\%20Tree\%20Protocol&oldid=778662646}},
|
||||||
note = {Last Accessed: 2017-05-24},
|
note = "[Online; accessed 24-May-2017]"
|
||||||
}
|
}
|
||||||
|
|
||||||
@book{froom2015implementing,
|
@book{froom2015implementing,
|
||||||
author = {Froom, Richard},
|
author = "Froom, Richard",
|
||||||
title = {Implementing Cisco IP switched networks (SWITCH) : foundation learning guide},
|
title = "Implementing Cisco IP switched networks (SWITCH) : foundation learning guide",
|
||||||
publisher = {Cisco Press},
|
publisher = "Cisco Press",
|
||||||
year = {2015},
|
year = "2015",
|
||||||
address = {Indianapolis, IN},
|
address = "Indianapolis{,} IN",
|
||||||
isbn = {978-1-58720-664-1}
|
isbn = "978-1-58720-664-1"
|
||||||
}
|
}
|
||||||
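Review bot: The rewritten `wiki:Spanning_Tree_Protocol` entry replaces the previous `url`/`urldate` fields with a `howpublished` line that downgrades the link to `http://` and rewrites the underscores as `\%20`; the original `url = {https://en.wikipedia.org/w/index.php?title=Spanning_Tree_Protocol&oldid=778662646}` was correct and should be kept so the reference resolves over HTTPS without a plaintext redirect. Keeping the `oldid` permalink is good, since it pins the exact revision that was read.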
|
|
|
@ -125,6 +125,7 @@
|
||||||
|
|
||||||
\lstdefinelanguage{cisco}{
|
\lstdefinelanguage{cisco}{
|
||||||
keywords={
|
keywords={
|
||||||
|
access-list,
|
||||||
cdp,
|
cdp,
|
||||||
dhcp,
|
dhcp,
|
||||||
end,
|
end,
|
||||||
|
@ -136,6 +137,7 @@
|
||||||
login,
|
login,
|
||||||
network,
|
network,
|
||||||
no,
|
no,
|
||||||
|
ntp,
|
||||||
router,
|
router,
|
||||||
show,
|
show,
|
||||||
shutdown,
|
shutdown,
|
||||||
|
@ -145,6 +147,8 @@
|
||||||
},
|
},
|
||||||
keywordstyle=\color{blue}\bfseries,
|
keywordstyle=\color{blue}\bfseries,
|
||||||
ndkeywords={
|
ndkeywords={
|
||||||
|
access-group,
|
||||||
|
addr,
|
||||||
address,
|
address,
|
||||||
aux,
|
aux,
|
||||||
bgp,
|
bgp,
|
||||||
|
@ -173,7 +177,7 @@
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
\geometry{a4paper,margin=2cm}
|
\geometry{a4paper,margin=1.5cm}
|
||||||
\setlength{\columnsep}{1.5cm} %space between columns
|
\setlength{\columnsep}{1.5cm} %space between columns
|
||||||
\setlength{\headheight}{15pt}
|
\setlength{\headheight}{15pt}
|
||||||
\setlength{\footnotesep}{0.5cm} %space between footnotes:
|
\setlength{\footnotesep}{0.5cm} %space between footnotes:
|
||||||
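Review bot: The `access-list` and `access-group` keywords added to the `cisco` listings language will not highlight as written: `listings` builds identifiers from letters only, so the hyphen ends the token and `access-list` is never matched as one keyword. Add `alsoletter={-},` to the `\lstdefinelanguage{cisco}{` options so hyphenated IOS commands (`access-list`, `access-group`, and the `authentication-key`/`trusted-key` used in the new NTP chapter, if they are added later) are matched whole. The `\geometry` margin change in the last hunk is layout only.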
|
|