1
0
Fork 0
mirror of https://gitlab.com/netravnen/NetworkLabNotes.git synced 2024-11-26 19:27:57 +00:00

Merge branch 'feature/ntp' into develop

This commit is contained in:
chhan11 2017-06-04 23:03:00 +02:00
commit e1edcb060a
8 changed files with 138 additions and 23 deletions

2
.gitignore vendored
View file

@ -1,2 +1,4 @@
main\.glsdefs main\.glsdefs
main\.synctex\.gz\(busy\)

View file

@ -14,29 +14,35 @@
\newacronym{cdp}{CDP}{Cisco Discovery Protocol} \newacronym{cdp}{CDP}{Cisco Discovery Protocol}
\newacronym{cli}{CLI}{Command Line Interface} \newacronym{cli}{CLI}{Command Line Interface}
\newacronym{cst}{CST}{Common Spanning Tree} \newacronym{cst}{CST}{Common Spanning Tree}
\newacronym{cest}{CEST}{Central European Summer Time}
\newacronym{cwdm}{CWDM}{} \newacronym{cwdm}{CWDM}{}
\newacronym{db}{DB}{Database} \newacronym{db}{DB}{Database}
\newacronym{dhcp}{DHCP}{Dynamic Host Control Protocol} \newacronym{dhcp}{DHCP}{Dynamic Host Control Protocol}
\newacronym{dknog}{DKNOG}{Danish Network Operators' Group} \newacronym{dknog}{DKNOG}{Danish Network Operators' Group}
\newacronym{dns}{DNS}{Domain Name System} \newacronym{dns}{DNS}{Domain Name System}
\newacronym{dst}{DST}{Destination} \newacronym{dst}{dst}{destination}
\newacronym{dwdm}{DWDM}{} \newacronym{dwdm}{DWDM}{}
\newacronym{eap}{EAP}{Extensible Authentication Protocol} \newacronym{eap}{EAP}{Extensible Authentication Protocol}
\newacronym{eapol}{EAPOL}{Extensible Authentication Protocol over Local Area Network} \newacronym{eapol}{EAPoL}{Extensible Authentication Protocol over Local Area Network}
\newacronym{eigrp}{EIGRP}{Enhanced Interior Gateway Routing Protocol} \newacronym{eigrp}{EIGRP}{Enhanced Interior Gateway Routing Protocol}
\newacronym{erspan}{ERSPAN}{Encapsulated Remote Switch Port Analyzer} \newacronym{erspan}{ERSPAN}{Encapsulated Remote Switch Port Analyzer}
\newacronym{evpn}{EVPN}{Ethernet Virtual Private Network} \newacronym{evpn}{EVPN}{Ethernet Virtual Private Network}
\newacronym{ftp}{FTP}{File Transfer Protocol} \newacronym{ftp}{FTP}{File Transfer Protocol}
\newacronym{ftps}{FTPS}{File Transfer Protocol Secure} \newacronym{ftps}{FTPS}{File Transfer Protocol Secure}
\newacronym{gps}{GPS}{Global Positioning System}
\newacronym{gprs}{GPRS}{General Packet Radio Service}
\newacronym{gsm}{GSM}{Global System for Mobile communications}
\newacronym{ieee}{IEEE}{Institute of Electrical and Electronics Engineers} \newacronym{ieee}{IEEE}{Institute of Electrical and Electronics Engineers}
\newacronym{igrp}{IGRP}{Interior Gateway Routing Protocol} \newacronym{igrp}{IGRP}{Interior Gateway Routing Protocol}
\newacronym{imap}{IMAP}{Internet Message Access Protocol} \newacronym{imap}{IMAP}{Internet Message Access Protocol}
\newacronym{ios}{IOS}{Internetwork Operating System}
\newacronym{ip}{IP}{Internet Protocol} \newacronym{ip}{IP}{Internet Protocol}
\newacronym{ipv4}{IPv4}{Internet Protocol v4} \newacronym{ipv4}{IPv4}{Internet Protocol v4}
\newacronym{ipv6}{IPv6}{Internet Protocol v6} \newacronym{ipv6}{IPv6}{Internet Protocol v6}
\newacronym{irc}{IRC}{Internet Relay Chat} \newacronym{irc}{IRC}{Internet Relay Chat}
\newacronym{isis}{IS-IS}{Intermediate System to Intermediate System} \newacronym{isis}{IS-IS}{Intermediate System to Intermediate System}
\newacronym{isp}{ISP}{Internet Service Provider} \newacronym{isp}{ISP}{Internet Service Provider}
\newacronym{junos}{JUNOS}{Juniper Network Operating System}
\newacronym{l2}{L2}{Layer 2} \newacronym{l2}{L2}{Layer 2}
\newacronym{l2vpn}{L2VPN}{Layer 2 Virtual Private Network} \newacronym{l2vpn}{L2VPN}{Layer 2 Virtual Private Network}
\newacronym{l3}{L3}{Layer 3} \newacronym{l3}{L3}{Layer 3}
@ -45,6 +51,7 @@
\newacronym{lldp}{LLDP}{Link Layer Discovery Protocol} \newacronym{lldp}{LLDP}{Link Layer Discovery Protocol}
\newacronym{mac}{MAC}{Media Access Control address} \newacronym{mac}{MAC}{Media Access Control address}
\newacronym{mkc}{MKC}{Mikkel Kr\char"00F8ll} \newacronym{mkc}{MKC}{Mikkel Kr\char"00F8ll}
\newacronym{metdst}{MET-DST}{Middle European Time Daylight Saving Time}
\newacronym{mpls}{MPLS}{Multiprotocol Label Switching} \newacronym{mpls}{MPLS}{Multiprotocol Label Switching}
\newacronym{mst}{MST}{Multiple Spanning Tree} \newacronym{mst}{MST}{Multiple Spanning Tree}
\newacronym{nms}{NMS}{Network Management Software} \newacronym{nms}{NMS}{Network Management Software}
@ -72,7 +79,7 @@
\newacronym{sntp}{SNTP}{Secure Network Time Protocol} \newacronym{sntp}{SNTP}{Secure Network Time Protocol}
\newacronym{sp}{SP}{Service Provider} \newacronym{sp}{SP}{Service Provider}
\newacronym{span}{SPAN}{Switch Port Analyzer} \newacronym{span}{SPAN}{Switch Port Analyzer}
\newacronym{src}{SRC}{Source} \newacronym{src}{src}{source}
\newacronym{ssh}{SSH}{Secure Shell} \newacronym{ssh}{SSH}{Secure Shell}
\newacronym{stp}{STP}{Spanning Tree Protocol} \newacronym{stp}{STP}{Spanning Tree Protocol}
\newacronym{tcn}{TCN}{Topology Change Notification} \newacronym{tcn}{TCN}{Topology Change Notification}

View file

@ -1,6 +1,97 @@
\chapter{Network Time Protocol} \chapter{NTP}
\gls{ntp} is the source of all evil and \gls{sla}. A network wide source of time configuration for all network nodes, servers, clients etc. is necessary.
\textbf{Configure timezone}\\In this case it\tsq{s} for \gls{metdst}\textbf{:}
\begin{txt}
clock timezone MET 1 0
clock summer-time MET-DST recurring last Sun Mar 2:00 last Sun Oct 3:00
\end{txt}
\textbf{Configure used timezone}\\when doing logging and debugging operations\textbf{:}
\begin{txt}
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
\end{txt}
A select number of Cisco switches support synchronization with the hardware clock, too. The standard is to only sync the software clock.\\\cliline{ntp update-calendar}
\fig{ntp/ntp}{ntp}{\gls{ntp}}
\gls{ntp} servers are a hierarchical tree with stratum 0 servers as the authoritative in the tree. These servers get their time from either \gls{gprs} satellites or atomic clocks {\footnotesize (i.e. an authoritative time \gls{src})}.
\subsection{Characteristics}
\begin{itemize}
\item Uses \gls{udp} port 123 on both \gls{src} and \gls{dst},
\item polling interval ranging from 64-1024 sec. Length of interval is dependant upon network cond.,
\item large differences between \gls{ntp} reference time and local client time will result in increased pooling interval.
\end{itemize}
\fig{ntp/ntpstratum}{ntpstratum}{Stratum levels}
\section{The old NTP from \tsq{85}} \section{The old NTP from \tsq{85}}
\textbf{Team Cymru} has a nice template for how to enable \gls{ntp} \textbf{with} \textit{access control} on \gls{ios} and \gls{junos}\footnote{\url{https://www.team-cymru.org/secure-ntp-template.html}}. Shown below is a copy of the \gls{ios} example from Cymrus website.
\begin{cisco}
! Core NTP configuration
ntp update-calendar ! update hardware clock (certain hardware only, i.e. 6509s)
ntp server 192.0.2.1 ! a time server you sync with
ntp peer 192.0.2.2 ! a time server you sync with and allow to sync to you
ntp source Loopback0 ! we recommend using a loopback interface for sending NTP messages if possible
!
! NTP access control
ntp access-group query-only 1 ! deny all NTP control queries
ntp access-group serve 1 ! deny all NTP time and control queries by default
ntp access-group peer 10 ! permit time sync to configured peer(s)/server(s) only
ntp access-group serve-only 20 ! permit NTP time sync requests from a select set of clients
!
! access control lists (ACLs)
access-list 1 remark utility ACL to block everything
access-list 1 deny any
!
access-list 10 remark NTP peers/servers we sync to/with
access-list 10 permit 192.0.2.1
access-list 10 permit 192.0.2.2
access-list 10 deny any
!
access-list 20 remark Hosts/Networks we allow to get time from us
access-list 20 permit 192.0.2.0 0.0.0.255
access-list 20 deny any
\end{cisco}
\textbf{Beware} when running a cisco node as \gls{ntp} master and are using access-list to restrict possible clients/peers. You need to allow 127.127.[0-255].1 in the access-list\footnote{The 3rd octet will vary depending on the node.}. This because the master NTP node in the network uses this \gls{ipv4} address as internal master.
\section{Secure NTP} \section{Secure NTP}
\subsection{Characteristics}
\begin{itemize}
\item \gls{ntp} is insecure be default, whích prompted for \gls{sntp} to come along,
\item Cisco \gls{ios} devices typically only support MD5 encryption\footnote{\url{https://en.wikipedia.org/wiki/MD5}}
\end{itemize}
\subsubsection{Configure SNTP}
\textbf{Team Cymru} has a nice template for how to enable \gls{sntp} on \gls{ios} and \gls{junos}\footnote{\url{https://www.team-cymru.org/secure-ntp-template.html}}. Shown below is a copy of the \gls{ios} example from Cymrus website.
\begin{cisco}
ntp authenticate ! enable NTP authentication
ntp authentication-key [key-id] md5 [hash] ! define a NTP authentication key
ntp trusted-key [key-id] ! mark a NTP authentication key as trusted
ntp peer [peer_address] key [key-id] ! form a authenticated session with a peer
ntp server [server_address] key [key-id] ! form a authenticated session with a server
\end{cisco}
\subsection{Versions}
Generally today \gls{ntp}v3 or v4 is found. The difference to v4 \textit{(amongst other)} is
\begin{itemize}
\item support for \gls{ipv6}.
\item The security in the protocol is upped to with support for X509 certs.
\item Automatic calculation of time-distribution\footnote{to archive high time accuracy against lowest bandwidth cost} in a network based upon specific multicast groups leveraging v6 site-local multicast addresses.
\item \cliline{network-node(config)# ntp-server \textit{\gls{ipv6}-addr} version 4}
\end{itemize}

View file

@ -76,3 +76,14 @@
% Enviroment @var cisco % Enviroment @var cisco
\lstnewenvironment{cisco}{\lstset{language=cisco}}{} \lstnewenvironment{cisco}{\lstset{language=cisco}}{}
%\newcommand{cisline}[1]{\lstinline[columns=fixed]{network-device\# #1}}
%\newcommand{cisconf}[2][]{%
%\def\temp{#1}\ifx\temp\empty
%\lstinline[columns=fixed]{network-device(config)\# #2}
%\else
%\lstinline[columns=fixed]{network-device(config-#1)\# #2}
%\fi\}

BIN
img/ntp/ntp.png Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 109 KiB

BIN
img/ntp/ntpstratum.png Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 63 KiB

View file

@ -1,24 +1,24 @@
@online{vtpchap4, @online{ slideshare:vtpchap4,
author = {Hector Camba Lainez}, author = "Hector Camba Lainez",
title = {Cap4 implementing vtp}, title = "Cap4 implementing vtp",
year = 2010, year = "2010",
url = {https://www.slideshare.net/lucky0679/cap4-implementing-vtp}, url = {https://www.slideshare.net/lucky0679/cap4-implementing-vtp},
note = {Last Accessed: 2017-05-22}, note = "[Online; accessed 22-May-2017]"
} }
@misc{wp_spanningtree, @misc{ wiki:Spanning_Tree_Protocol,
title = {Spanning Tree Protocol}, author = "Wikipedia",
year = 2017, title = "{Spanning Tree Protocol} --- {W}ikipedia{,} The Free Encyclopedia",
url = {https://en.wikipedia.org/w/index.php?title=Spanning_Tree_Protocol&oldid=778662646}, year = "2017",
urldate = {2017-05-24}, howpublished = {\url{http://en.wikipedia.org/w/index.php?title=Spanning\%20Tree\%20Protocol&oldid=778662646}},
note = {Last Accessed: 2017-05-24}, note = "[Online; accessed 24-May-2017]"
} }
@book{froom2015implementing, @book{froom2015implementing,
author = {Froom, Richard}, author = "Froom, Richard",
title = {Implementing Cisco IP switched networks (SWITCH) : foundation learning guide}, title = "Implementing Cisco IP switched networks (SWITCH) : foundation learning guide",
publisher = {Cisco Press}, publisher = "Cisco Press",
year = {2015}, year = "2015",
address = {Indianapolis, IN}, address = "Indianapolis{,} IN",
isbn = {978-1-58720-664-1} isbn = "978-1-58720-664-1"
} }

View file

@ -125,6 +125,7 @@
\lstdefinelanguage{cisco}{ \lstdefinelanguage{cisco}{
keywords={ keywords={
access-list,
cdp, cdp,
dhcp, dhcp,
end, end,
@ -136,6 +137,7 @@
login, login,
network, network,
no, no,
ntp,
router, router,
show, show,
shutdown, shutdown,
@ -145,6 +147,8 @@
}, },
keywordstyle=\color{blue}\bfseries, keywordstyle=\color{blue}\bfseries,
ndkeywords={ ndkeywords={
access-group,
addr,
address, address,
aux, aux,
bgp, bgp,
@ -173,7 +177,7 @@
} }
\geometry{a4paper,margin=2cm} \geometry{a4paper,margin=1.5cm}
\setlength{\columnsep}{1.5cm} %space between columns \setlength{\columnsep}{1.5cm} %space between columns
\setlength{\headheight}{15pt} \setlength{\headheight}{15pt}
\setlength{\footnotesep}{0.5cm} %space between footnotes: \setlength{\footnotesep}{0.5cm} %space between footnotes: