
CCNP Switch

Chapter 7

Network Management
Chapter 7 Network Management

 AAA 305
– Authentication Options 307
– RADIUS and TACACS+ Overview 308
– RADIUS Authentication Process 309
– TACACS+ Authentication Process 310
– Configuring AAA 311
– Configuring RADIUS for Console and vty Access 311
– Configuring TACACS+ for Console and vty Access 312
– AAA Authorization 313
– AAA Accounting 314
– Limitations of TACACS+ and RADIUS 315

 Identity-Based Networking 316


– IEEE 802.1X Port-Based Authentication Overview 316
– IEEE 802.1X Configuration Checklist 318


 Network Time Protocols 319


– The Need for Accurate Time 320
– Configuring the System Clock Manually 320
– Network Time Protocol Overview 323
– NTP Modes 324
– Other NTP Configuration Options 326
– NTP Example 326
– NTP Design Principles 329
– Securing NTP 331
– NTP Source Address 333
– NTP Versions 333
– SNTP 335
– PTP/IEEE-1588 336


 SNMP 336
– SNMP Overview 337
– SNMP Versions 339
– SNMP Best Practices 339
– SNMPv3 Configuration Example 340
– Verifying SNMP Version 3 Configuration 342

AAA
Authentication Options

 There are 4 options for administrative access:


– Password only
– Local database
– AAA Local Authentication (self-contained AAA)
– AAA Server-based

Password Only Method

Easy to configure but limited and does not scale well.

User Access Verification

Password: cisco
Password: cisco1
Password: cisco12
% Bad passwords

R1(config)# line vty 0 4


R1(config-line)# password cisco
R1(config-line)# login
R1(config-line)# transport input ssh
R1(config-line)#

Local Database Method

Provides greater security than a simple password, and it's a cost-effective and easily implemented security solution.

However, it also does not scale well, as the local database has to be replicated on several devices. Solution? …

User Access Verification

Username: Admin
Password: cisco1
% Login invalid

Username: Admin
Password: cisco12
% Login invalid

R1(config)# ip domain-name cisco-academy.com


R1(config)# crypto key generate rsa general-keys modulus 2048
R1(config)# username Admin algorithm-type scrypt secret Str0ng5rPa55w0rd
R1(config)# line vty 0 4
R1(config-line)# transport input ssh
R1(config-line)# login local

Using AAA

 AAA is an architectural framework for configuring:

– Authentication: Who are you?
– Authorization: How much can you spend?
– Accounting: What did you spend it on?

Local AAA Authentication

 Method stores usernames and passwords locally in the Cisco router, and users
authenticate against the local database.
– Also called “Self-contained AAA”

1. The client establishes an SSH connection with the router.
2. The AAA router prompts the user for a username and password ("Username / Password please …").
3. The client enters a username and password (ADMIN / cisco123).
4. The router authenticates the username and password using its local database.
• If successful ("Pass!"), the user has access to user EXEC mode (Router>).
• Otherwise the VTY connection is terminated.

AAA Local Authentication

 Is good for small networks:


– Local AAA Authentication should be configured for smaller networks with one or two
routers that provide access to a limited number of users.

 Method is not scalable:


– Administrator would have to populate and maintain the local database on each device.

 Method is similar to using the login local command ….


– Except that it also provides a way to configure backup methods of authentication!

Configuring Local AAA Authentication

1. Add usernames and passwords to the local router database for users that need
administrative access to the router.

2. Enable AAA globally on the router.


– Router(config)# aaa new-model

3. Configure AAA parameters on the router.


– Router(config)# aaa authentication login

4. Apply the method lists to a particular interface or line (if required)

5. Confirm and troubleshoot the AAA configuration.

aaa new-model

Router(config)#
aaa new-model

 The aaa new-model command enables the AAA feature.


– Other AAA commands can now be configured.
– To disable AAA, use the no aaa new-model command.

CAUTION:
– Do not issue the command unless you are prepared to configure AAA authentication.
 Could force Telnet users to authenticate with a username, even if no username database or
authentication method is configured.

aaa authentication login

Router(config)#
aaa authentication login {default | list-name} method1 … [method4]

• This identifies the type of AAA authentication list (login) used to authenticate users.
• Use default to apply the authentication methods to all lines, including console, VTY, and AUX.
• Define a list-name to apply the authentication methods to a specific line. The list-name identifies the method list, which must then be applied to a specific line using the login authentication list-name line configuration command.
• Up to four methods can be defined, providing fallback should one not be available.
• When a user attempts to log in, the first listed method is used. If there is no response, then (and only then) would the subsequent method be queried.
• If the authentication method denies the user access, the authentication process stops and no other authentication methods are allowed.

Parameter Description
default • Uses the listed authentication methods that follow this keyword as the default list of methods when a user logs in.
list-name • Character string used to name the list of authentication methods activated when a user logs in.
method1 … [method4] • Identifies the list of methods that the AAA authentication process can query in the given sequence. At least one method must be specified and up to 4 methods can be specified.

method Authenticates the user against …
enable • The privileged EXEC password.
local • The local database. The username is not case-sensitive but the password is.
local-case • The local database. The username and password are case-sensitive.
none • Nothing …. The user would successfully authenticate. Use only in test or lab environments.

Configuring Local AAA Authentication

R1(config)# username JR-ADMIN algorithm-type scrypt secret Str0ng5rPa55w0rd


R1(config)# username ADMIN algorithm-type scrypt secret Str0ng5rPa55w0rd
R1(config)#
R1(config)# aaa new-model
R1(config)#
R1(config)# aaa authentication login default local-case enable
R1(config)# aaa authentication login SSH-LOGIN local-case
R1(config)#
R1(config)# line vty 0 4
R1(config-line)# login authentication SSH-LOGIN
R1(config-line)#

1. Create local database accounts for authorized users.


2. Enable AAA globally on the router.
3. Configure AAA parameters on the router.
4. Apply the named list to a line.
5. Confirm and troubleshoot the AAA configuration.

Server-Based AAA Authentication

 Method requires the services of one or more AAA servers (e.g., Cisco Secure ACS)
to manage the administrative access needs for an entire corporate network.

 For increased redundancy, multiple AAA servers can be implemented.

Server-Based AAA Authentication

1. The client establishes an SSH connection with the router.
2. The AAA router prompts the user for a username and password ("Username / Password please …").
3. The client enters a username and password (ADMIN / cisco123).
4. The AAA router forwards the authentication request (ADMIN / cisco123) to the AAA server.
5. The AAA server either accepts or rejects the authentication credentials ("Pass!").
6. The AAA router either grants the user user EXEC access (Router>) or rejects the remote user.

The AAA router and AAA server communicate using either the:
• RADIUS - Remote Authentication Dial-In User Service protocol
• TACACS+ - Terminal Access Controller Access Control System protocol

TACACS+ and RADIUS

 TACACS+ and RADIUS are protocols that are used to communicate between a
AAA router and AAA servers.

 The choice depends on the needs of the organization.


– RADIUS supports the detailed accounting required for billing users.
– TACACS+ is required when authorization policies need to be applied on a per-user or per-group basis.

TACACS+ Authentication

 TACACS+ is a Cisco protocol that provides separate AAA services.


– Separates authentication and authorization
– Encrypts all communication
– Utilizes TCP port 49

Separating the AAA services provides flexibility in implementation, such as using RADIUS for authentication and TACACS+ for authorization and accounting.

TACACS+ exchange (user ↔ AAA router ↔ TACACS+ server):
1. The user connects; the router asks the server "Username prompt?" and the server replies "Use 'Username'".
2. The router prompts "Username?"; the user enters JR-ADMIN, which the router forwards to the server.
3. The router asks "Password prompt?"; the server replies "Use 'Password'".
4. The router prompts "Password?"; the user enters "Str0ngPa55w0rd", which the router forwards to the server.
5. The server answers Accept/Reject.
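The slide states that TACACS+ encrypts all communication between the AAA router and the server. The added example below (not part of the course material or of any Cisco code) models what that means on the wire using the body protection defined in RFC 8907 section 4.5: the whole packet body is XORed with an MD5-derived pseudo-pad seeded by the session ID, the shared key, the version and the sequence number, so the username and every prompt are hidden, not just the password. RFC 8907 itself calls this "obfuscation" rather than encryption, and that is the caveat a defender should keep in mind when choosing keys. The key TACACS-Pa55w0rd and the user JR-ADMIN come from the slides; the session ID, the port name tty2, and the client address 192.168.1.10 are constructed for the demonstration. The single-connection flag shown corresponds to the single-connection command used later in this chapter.

```python
import hashlib
import struct

# Constants from RFC 8907 (TACACS+): header layout and flag bits.
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER = 0x0
TAC_PLUS_VERSION = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER   # 0xC0
TAC_PLUS_AUTHEN = 0x01                  # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01        # body sent in the clear (lab use only)
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04     # peer supports reusing one TCP session
HEADER_LEN = 12


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: chained MD5 over session_id, key, version and seq_no."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user: bytes, port: bytes, rem_addr: bytes) -> bytes:
    """Authentication START body (RFC 8907 section 5.1): ASCII login at privilege level 1."""
    action, priv_lvl, authen_type, service = 0x01, 0x01, 0x01, 0x01
    fixed = bytes([action, priv_lvl, authen_type, service,
                   len(user), len(port), len(rem_addr), 0])   # data_len = 0
    return fixed + user + port + rem_addr


def encode_packet(body: bytes, session_id: int, key: bytes, seq_no: int,
                  single_connection: bool = True, unencrypted: bool = False) -> bytes:
    """Header + (obfuscated) body as the AAA router would send it to the server."""
    flags = TAC_PLUS_SINGLE_CONNECT_FLAG if single_connection else 0
    if unencrypted:
        flags |= TAC_PLUS_UNENCRYPTED_FLAG
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no,
                         flags, session_id, len(body))
    wire_body = body if unencrypted else obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)
    return header + wire_body


def decode_packet(packet: bytes, key: bytes) -> bytes:
    """Receiver side: read the header, then reverse the pad with the shared key."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return obfuscate(body, session_id, key, version, seq_no)


if __name__ == "__main__":
    # Constructed sample: session id, tty name and client address are made up for the demo.
    key = b"TACACS-Pa55w0rd"
    start = build_authen_start(b"JR-ADMIN", b"tty2", b"192.168.1.10")
    pkt = encode_packet(start, 0x12345678, key, seq_no=1)
    print("on the wire:", pkt[HEADER_LEN:].hex())          # username is not visible here
    print("decoded    :", decode_packet(pkt, key))
```

Running the script shows that a capture of the TCP/49 stream reveals only the 12-byte header (version, type, sequence number, flags, session ID, length); the username JR-ADMIN appears only after the body is reversed with the same key. A server configured with a different key recovers garbage, which is the practical reason a key mismatch shows up as an authentication error rather than a protocol error.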
RADIUS Authentication

 RADIUS was developed by Livingston Enterprises but is now an IETF standard.


– RADIUS is currently defined by RFCs 2865, 2866, 2867, and 2868.
– Combines RADIUS authentication and authorization as one process which means when a
user is authenticated, that user is also authorized.
– Encrypts only the password
– Supports remote-access technologies, 802.1X, and Session Initiation Protocol (SIP)
– RADIUS uses UDP port 1645 or 1812 for authentication and UDP port 1646 or 1813 for
accounting.

RADIUS exchange (user ↔ AAA router ↔ RADIUS server):
1. The router prompts "Username?"; the user enters JR-ADMIN.
2. The router prompts "Password?"; the user enters Str0ngPa55w0rd.
3. The router sends a single Access-Request (JR-ADMIN, "Str0ngPa55w0rd") to the server.
4. The server replies Access-Accept.
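The slide says RADIUS encrypts only the password. The added example below (written for this page, not code from the course or from any RADIUS implementation) shows exactly what that means: the User-Password attribute is hidden with the RFC 2865 section 5.2 construction (MD5 of the shared secret and the Request Authenticator, XORed with 16-byte blocks of the padded password), while the User-Name attribute travels in the clear. It also shows the Response Authenticator check from RFC 2865 section 3, which is how the AAA router decides that an Access-Accept really came from a server holding the shared secret. The secret RADIUS-Pa55w0rd, the user JR-ADMIN and the password Str0ngPa55w0rd come from the slides; the packet identifier and the fixed Request Authenticator used in the test are constructed (a real client uses a fresh random authenticator per request, which the code does by default).

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2    # RADIUS Code values (RFC 2865)
USER_NAME, USER_PASSWORD = 1, 2         # attribute types


def attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type (1 byte) + Length (1 byte, includes header) + Value."""
    return bytes([attr_type, len(value) + 2]) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: c_i = p_i XOR MD5(secret + c_(i-1)) with c_0 = Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)   # pad to a multiple of 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password: what the server does before checking the credential."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")   # strips the RFC padding; assumes the password has no trailing NUL


def build_access_request(ident: int, username: bytes, password: bytes, secret: bytes,
                         request_auth: Optional[bytes] = None) -> bytes:
    """Access-Request: Code, Identifier, Length, Request Authenticator, attributes."""
    request_auth = request_auth or os.urandom(16)   # must be unpredictable per request
    attrs = attribute(USER_NAME, username) + \
        attribute(USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = 20 + len(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, length) + request_auth + attrs + secret).digest()


def build_response(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """Server side: an Access-Accept/Reject bound to the request it answers."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + response_authenticator(code, ident, attrs, request_auth, secret) + attrs


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: accept the reply only if it was computed with the shared secret."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    received = response[4:20]
    attrs = response[20:length]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    secret = b"RADIUS-Pa55w0rd"
    req = build_access_request(7, b"JR-ADMIN", b"Str0ngPa55w0rd", secret)
    print("Access-Request:", req.hex())     # "JR-ADMIN" is readable in the hex, the password is not
    accept = build_response(ACCESS_ACCEPT, 7, b"", req[4:20], secret)
    print("Accept verified:", verify_response(accept, req[4:20], secret))
```

Two practical consequences follow from the code: anyone who can see the UDP packets sees the username and the Request Authenticator, so the strength of the shared secret is the only thing protecting the password, and a reply forged without the secret fails `verify_response`, which is why the RADIUS shared secret must be different per NAS and treated as a credential.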
TACACS+ vs. RADIUS

Developer
• RADIUS: Livingston Enterprise; now an open/RFC standard
• TACACS+: Cisco proprietary

Transport Protocol
• RADIUS: UDP port 1645 or 1812 for authentication; UDP port 1646 or 1813 for accounting
• TACACS+: TCP port 49

AAA support
• RADIUS: Combines authentication and authorization and separates accounting.
• TACACS+: Implements AAA architecture in modular components consisting of authentication, authorization, and accounting.

Security
• RADIUS: Only the password is encrypted
• TACACS+: Entire packet encrypted

Challenge response
• RADIUS: One-way, unidirectional (single challenge response)
• TACACS+: Two-way, bidirectional (multiple challenges and response)
Configuring Server-Based AAA Authentication

1. Enable AAA globally on the router.


– Router(config)# aaa new-model

2. Configure TACACS+ or RADIUS server specifics.


TACACS+:
tacacs server server-name
address ipv4 ip-address
single-connection
key secret-key

RADIUS:
radius server server-name
address ipv4 ip-address [auth-port port-# | acct-port port-#]
key secret-key

3. Configure AAA parameters on the router.


– Router(config)# aaa authentication login

4. Apply the method lists to a particular interface or line (if required)

5. Confirm and troubleshoot the AAA configuration.

Configure TACACS+ Server Specifics

Note: Commands will only appear if aaa new-model has been preconfigured.

 Enter TACACS+ server configuration mode.


Router(config)#
tacacs server server-name

 Identify the IP address of the server.


Router(config-server-tacacs)#
address ipv4 ip-address

 Enhance TCP performance by having the TCP connection maintained for the life of
the session.
Router(config-server-tacacs)#
single-connection

 Configure the shared secret key to encrypt the data transfer between the
TACACS+ server and AAA-enabled router.
Router(config-server-tacacs)#
key secret-key

Configure RADIUS Server Specifics

 Enter RADIUS server configuration mode.


Router(config)#
radius server server-name

 Identify the IP address of the server.


Router(config-radius-server)#
address ipv4 ip-address [auth-port port-# | acct-port port-#]

 By default, Cisco routers use UDP port 1645 for authentication and UDP port 1646 for accounting.
 However, the IANA has reserved port 1812 for authentication and port 1813 for accounting. If a custom UDP port is desired, configure it with the auth-port or acct-port keyword.

 Configure the shared secret key to encrypt the data transfer between the RADIUS
server and AAA-enabled router.
Router(config-radius-server)#
key secret-key

aaa authentication login

Along with the methods enable, local, local-case, and none, we can also specify TACACS+ or RADIUS servers.

Router(config)#
aaa authentication login {default | list-name} method1 … [method4]

Parameter Description
default • Uses the listed authentication methods that follow this keyword as the default list of methods when a user logs in.
list-name • Character string used to name the list of authentication methods activated when a user logs in.
method1 … [method4] • Identifies the list of methods that the AAA authentication process can query in the given sequence. At least one method must be specified and up to 4 methods can be specified.

method Authenticates the user against …
group radius • All RADIUS servers.
group tacacs+ • All TACACS+ servers.
group group-name • Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command.

Configuring Server-Based AAA Authentication

R1(config)# aaa new-model


R1(config)#
R1(config)# radius server SERVER-R
R1(config-radius-server)# address ipv4 192.168.1.100 auth-port 1812 acct-port 1813
R1(config-radius-server)# key RADIUS-Pa55w0rd
R1(config-radius-server)# exit
R1(config)#
R1(config)# tacacs server SERVER-T
R1(config-server-tacacs)# address ipv4 192.168.1.101
R1(config-server-tacacs)# single-connection
R1(config-server-tacacs)# key TACACS-Pa55w0rd
R1(config-server-tacacs)# exit
R1(config)#

Configuring Server-Based AAA Authentication

R1(config)# aaa authentication login default ?


cache Use Cached-group
enable Use enable password for authentication.
group Use Server-group
krb5 Use Kerberos 5 authentication.
krb5-telnet Allow logins only if already authenticated via Kerberos V Telnet.
line Use line password for authentication.
local Use local username authentication.
local-case Use case-sensitive local username authentication.
none NO authentication.
passwd-expiry enable the login list to provide password aging support

R1(config)#
R1(config)# aaa authentication login default group ?
WORD Server-group name
ldap Use list of all LDAP hosts.
radius Use list of all Radius hosts.
tacacs+ Use list of all Tacacs+ hosts.

R1(config)#
R1(config)# aaa authentication login default group tacacs+ group radius local-case
R1(config)#
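The method-list rules given earlier for aaa authentication login (the first listed method is used; only when it gives no response is the next one queried; a denial stops the process) and the server-group methods added on the previous slides determine what happens with a list such as `group tacacs+ group radius local-case`. The added example below (written for this page; it is a model, not IOS code) walks a method list with those rules so the difference between "server unreachable" and "server rejected" is visible. The user names, passwords and key names are taken from the slides' configuration examples; the enable secret and the server reachability flags are constructed. One assumption is marked in the code: a username absent from the local database is treated as a failure rather than a non-response.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"   # ERROR = method gave no answer (server unreachable)


@dataclass
class Environment:
    """Constructed stand-in for the router's local database and its view of the AAA servers."""
    local_users: Dict[str, str]                       # username -> password (plaintext only for the model)
    enable_secret: str
    server_reachable: Dict[str, bool] = field(default_factory=dict)   # "tacacs+" / "radius" -> up?
    server_users: Dict[str, str] = field(default_factory=dict)        # accounts known to the AAA servers


def method_local(env: Environment, user: str, password: str, case_sensitive: bool) -> str:
    """local: username not case-sensitive; local-case: username case-sensitive. Password always is."""
    for name, stored in env.local_users.items():
        if name == user if case_sensitive else name.lower() == user.lower():
            return PASS if stored == password else FAIL
    return FAIL   # assumption of this model: unknown local user is a denial, not a non-response


def method_group(env: Environment, group: str, user: str, password: str) -> str:
    """group tacacs+ / group radius: no reachable server means no response at all."""
    if not env.server_reachable.get(group, False):
        return ERROR
    return PASS if env.server_users.get(user) == password else FAIL


def run_method(method: str, env: Environment, user: str, password: str) -> str:
    if method == "local":
        return method_local(env, user, password, case_sensitive=False)
    if method == "local-case":
        return method_local(env, user, password, case_sensitive=True)
    if method == "enable":
        return PASS if password == env.enable_secret else FAIL
    if method == "none":
        return PASS                                    # lab only, as the slides warn
    if method.startswith("group "):
        return method_group(env, method.split(" ", 1)[1], user, password)
    raise ValueError(f"unknown method {method!r}")


def authenticate(method_list: List[str], env: Environment,
                 user: str, password: str) -> Tuple[bool, List[Tuple[str, str]]]:
    """Walk the list as the slides describe: only ERROR moves on; PASS or FAIL is final."""
    if not 1 <= len(method_list) <= 4:
        raise ValueError("aaa authentication login takes between 1 and 4 methods")
    trace: List[Tuple[str, str]] = []
    for method in method_list:
        result = run_method(method, env, user, password)
        trace.append((method, result))
        if result != ERROR:
            return result == PASS, trace
    return False, trace   # every method failed to respond: nobody vouched for the user


if __name__ == "__main__":
    env = Environment(local_users={"ADMIN": "Str0ng5rPa55w0rd"}, enable_secret="En4bleS3cret",
                      server_reachable={"tacacs+": False, "radius": False},
                      server_users={"JR-ADMIN": "Str0ngPa55w0rd"})
    print(authenticate(["group tacacs+", "group radius", "local-case"], env, "ADMIN", "Str0ng5rPa55w0rd"))
    env.server_reachable["tacacs+"] = True
    print(authenticate(["group tacacs+", "group radius", "local-case"], env, "ADMIN", "Str0ng5rPa55w0rd"))
```

The second call in the usage block is the case operators most often get wrong: once the TACACS+ server answers, a reject is final, and the local account is never consulted even though it is in the list. The local fallback only protects against losing the servers, not against a server-side policy decision.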

AAA Authorization

 Once a user has authenticated, AAA authorization services determine which:


– Resources the user can access
– Operations the user is allowed to perform.
 E.g., "User 'student' can access host serverZ using Telnet only.”

 The TACACS+ protocol allows the separation of authentication from authorization.


– A router can be configured to restrict the user to performing only certain functions after
successful authentication.

 Authorization provides controlled access to configuration commands


– Greatly simplifies the infrastructure security in large enterprise networks.

 RADIUS does not separate the authentication from the authorization process.
– Once a user is authenticated, that user is also authorized.
AAA Authorization

1. The user enters the show version command at the R1> prompt.
2. The AAA router requests command authorization from the AAA server (over TACACS+) to verify that the JR-ADMIN user has the authorization to use the show version command ("Permit show version?").
3. The AAA server either accepts or rejects the command request ("Accept!").
4. The AAA router executes the command and sends the "show version" output to the user.
aaa authorization

Router(config)#
aaa authorization {network | exec | commands level} {default | list-name}
method1 … [method4]

Parameter Description
network • For network services such as PPP.

exec • For starting an exec (shell).

commands level • For exec (shell) commands.

Configuring Server-Based AAA Authorization

R1(config)# aaa authorization exec default ?


cache Use Cached-group
group Use server-group.
if-authenticated Succeed if user has authenticated.
krb5-instance Use Kerberos instance privilege maps.
local Use local database.
none No authorization (always succeeds).

R1(config)#
R1(config)# aaa authorization exec default group ?
WORD Server-group name
ldap Use list of all LDAP hosts.
radius Use list of all Radius hosts.
tacacs+ Use list of all Tacacs+ hosts.

R1(config)#
R1(config)# aaa authorization exec default group tacacs+
R1(config)# aaa authorization network default group tacacs+
R1(config)#

Server-Based Accounting

 AAA accounting provides a method for collecting and sending security server information.
– Used for billing, auditing, and reporting, such as user identities, start and stop times,
executed commands, number of packets / bytes, …

 With AAA accounting activated, the router reports user activity to the TACACS+
security server in the form of accounting records.

Server-Based AAA Accounting

• When a user has been authenticated, the AAA accounting process generates a start message to begin the accounting process (User: JR-ADMIN, Start: 14:36:01).
• The user's activity (for example, the show version command entered at the R1> prompt) is recorded.
• When the user logs out, a stop message is recorded and the accounting process ends (User: JR-ADMIN, Stop: 14:45:41).
• The accounting records are sent to the server using RADIUS or TACACS+.
aaa accounting

Router(config)#
aaa accounting {network | exec | connection} {default | list-name}
{start-stop | stop-only | none} {broadcast} method1 … [method4]

Parameter Description
network • Runs accounting for all network-related service requests, including PPP.

exec • Runs accounting for the EXEC shell session.

connection • Runs accounting on all outbound connections such as SSH and Telnet.

Parameter Description
• Sends a "start" accounting notice at the beginning of a process and a "stop"
start-stop
accounting notice at the end of a process.

stop-only • Sends a "stop" accounting record for all cases including authentication failures.

none • Disables accounting services on a line or interface.

R1(config)# aaa accounting exec default start-stop group tacacs+


R1(config)# aaa accounting network default start-stop group tacacs+

Identity-Based Networking
Port-Based Authentication

 AAA is great for administrative access.


– What about user access?

 AAA can also be configured to use the IEEE 802.1X standard.

 802.1X defines a port-based access control and authentication protocol which


restricts unauthorized workstations from connecting to a LAN.
– Each workstation must be authenticated before providing any services.
– Workstation is only allowed to communicate using the Extensible Authentication
Protocol over LAN (EAPOL).
– Once authenticated, normal traffic is permitted through the port.

Port-Based Authentication

Supplicants are hosts running 802.1X-compliant client software.
• They request access to the LAN and respond to requests from the switch.

The Authenticator is the switch that controls physical access to the network based on the authentication status of the client.
• The Authenticator is an intermediary (proxy) between the client (Supplicant) and the Authentication Server.
• It requests identifying information from the client, verifies that information with the authentication server, and relays a response to the client.
• The switch uses a RADIUS software agent, which is responsible for encapsulating and de-encapsulating the EAP frames and interacting with the authentication server.
• Because the switch acts as the proxy, the authentication service is transparent to the client.

The Authentication Server validates the identity of the client and notifies the switch whether the client is authorized to access the LAN and switch services.
• The RADIUS security system with EAP extensions is the only supported authentication server.
802.1X Port-Based Authentication

Supplicant ↔ Switch (EAPOL)           Switch ↔ Authentication Server (EAP carried in RADIUS)
EAPOL-Start
EAP-Request/Identity
EAP-Response/Identity                 RADIUS Access-Request
EAP-Request/OTP (One-Time-Password)   RADIUS Access-Challenge
EAP-Response/OTP                      RADIUS Access-Request
EAP-Success                           RADIUS Access-Accept
Port Authorized
EAPOL-Logoff
Port Unauthorized
Configuring IEEE 802.1X

1. Enable AAA:
Switch(config)# aaa new-model

2. Create an 802.1X port-based authentication method list:


Switch(config)# aaa authentication dot1x {default | name} group radius

3. Globally enable 802.1X port-based authentication:


Switch(config)# dot1x system-auth-control

4. Enter interface configuration mode:


Switch(config)# interface type slot/port

5. Enable 802.1X port-based authentication on the interface:


Switch(config-if)# authentication port-control auto

aaa authentication dot1x

 Create an 802.1X port-based authentication method list.


Switch(config)#
aaa authentication dot1x {default | list-name} group radius

Parameter Description
• Uses the listed authentication methods that follow this keyword as the default list of
default
methods when a user logs in.
• Character string used to name the list of authentication methods activated when a
list-name
user logs in.

dot1x system-auth-control

 Globally enable 802.1X port-based authentication.


Switch(config)#
dot1x system-auth-control

authentication port-control

Note: Commands will only appear if switchport mode access has been preconfigured.

 Enable port-based authentication on the interface.


Switch(config-if)#
authentication port-control {auto | force-authorized | force-unauthorized}

Parameter Description

auto
• Enables 802.1X port-based authentication.
• The port begins in unauthorized state, enabling only EAPOL frames to be sent and received through the port.
• When the link state of the port transitions to up (authenticator initiation) or when an EAPOL-start frame is received (supplicant initiation) the switch requests the identity of the client and begins relaying authentication messages between the client and the authentication server.

force-authorized
• (Default setting) Disables 802.1x port-based authentication and causes the port to allow normal traffic without authenticating the client.

force-unauthorized
• Causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate because the switch cannot provide authentication services.
• Can be enabled to prevent connections from any users from unauthorized ports.
IEEE 802.1X Configuration Example

S1(config)# aaa new-model


S1(config)#
S1(config)# radius server CCNAS
S1(config-radius-server)# address ipv4 10.1.1.50 auth-port 1812 acct-port 1813
S1(config-radius-server)# key RADIUS-Pa55w0rd
S1(config-radius-server)# exit
S1(config)#
S1(config)# aaa authentication dot1x default group radius
S1(config)# dot1x system-auth-control
S1(config)#
S1(config)# interface F0/1
S1(config-if)# switchport mode access
S1(config-if)# authentication port-control auto
S1(config-if)#
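The EAPOL/RADIUS flow and the three authentication port-control modes described above can be tied together in a small model of the authenticator. The added example below is written for this page and is not Cisco code: it models one switch port, relays supplicant frames to a constructed RADIUS stand-in (a fixed OTP check for JR-ADMIN, taken from the flow diagram; the OTP value 123456 is constructed), and enforces the rule that an unauthorized port in auto mode passes only EAPOL (EtherType 0x888E) while force-authorized passes everything and force-unauthorized passes nothing and ignores authentication attempts. EAP-Failure is the standard EAP reply for a rejected attempt; it is not drawn on the slide.

```python
from dataclasses import dataclass, field
from typing import List, Optional

EAPOL_ETHERTYPE = 0x888E
IPV4_ETHERTYPE = 0x0800
UNAUTHORIZED, AUTHORIZED = "unauthorized", "authorized"


def radius_server(username: Optional[str], otp: Optional[str]) -> str:
    """Constructed authentication server: identity first, then a one-time password."""
    if username != "JR-ADMIN":
        return "Access-Reject"
    if otp is None:
        return "Access-Challenge"           # server wants the OTP next
    return "Access-Accept" if otp == "123456" else "Access-Reject"


@dataclass
class Port:
    port_control: str = "auto"              # auto | force-authorized | force-unauthorized
    state: str = UNAUTHORIZED
    identity: Optional[str] = None
    radius_log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.port_control == "force-authorized":
            self.state = AUTHORIZED         # normal traffic allowed, nobody is authenticated

    def forwards(self, ethertype: int) -> bool:
        """Data plane: an unauthorized port lets through EAPOL only (and nothing when forced)."""
        if self.port_control == "force-unauthorized":
            return False
        return self.state == AUTHORIZED or ethertype == EAPOL_ETHERTYPE

    def receive_eapol(self, frame: str, payload: Optional[str] = None) -> Optional[str]:
        """Control plane: handle one supplicant frame, return the frame sent back (if any)."""
        if self.port_control != "auto":
            return None                     # forced modes never run the exchange
        if frame == "EAPOL-Start":
            return "EAP-Request/Identity"
        if frame == "EAP-Response/Identity":
            self.identity = payload
            return self._relay(radius_server(self.identity, None))
        if frame == "EAP-Response/OTP":
            return self._relay(radius_server(self.identity, payload))
        if frame == "EAPOL-Logoff":
            self.state, self.identity = UNAUTHORIZED, None
            return None
        raise ValueError(f"unexpected frame {frame!r}")

    def _relay(self, radius_reply: str) -> str:
        """Translate the server's RADIUS answer into the EAP frame sent to the supplicant."""
        self.radius_log.append(radius_reply)
        if radius_reply == "Access-Challenge":
            return "EAP-Request/OTP"
        if radius_reply == "Access-Accept":
            self.state = AUTHORIZED
            return "EAP-Success"
        self.state = UNAUTHORIZED
        return "EAP-Failure"


def full_exchange(otp: str) -> Port:
    """Drive one supplicant through the diagram's sequence on an auto port."""
    port = Port("auto")
    port.receive_eapol("EAPOL-Start")
    port.receive_eapol("EAP-Response/Identity", "JR-ADMIN")
    port.receive_eapol("EAP-Response/OTP", otp)
    return port


if __name__ == "__main__":
    p = full_exchange("123456")
    print(p.state, p.radius_log, "IPv4 forwarded:", p.forwards(IPV4_ETHERTYPE))
    p.receive_eapol("EAPOL-Logoff")
    print(p.state, "IPv4 forwarded after logoff:", p.forwards(IPV4_ETHERTYPE))
```

The model makes the security property of `authentication port-control auto` explicit: until Access-Accept arrives, `forwards()` drops IPv4 and every other EtherType, and an EAPOL-Logoff immediately returns the port to that state. It also shows why `force-authorized` being the default matters: a port left at the default never consults the RADIUS server at all.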

Network Time Protocols
"The only reason for time is so that everything doesn't happen at once."
How do you change the system clock on a device?

 The system clock can be set using the clock set privileged EXEC command.

 It keeps track of time internally based on Coordinated Universal Time (UTC).
– All Cisco devices support local time zone configurations and daylight savings time adjustments such that the time is displayed correctly relative to the device's locality.

Some Cisco devices also have a battery powered hardware clock that is configured using the calendar set hh:mm:ss < 1-31 > month year command.

S1# clock set 12:13:00 10 January 2017


S1#
S1# show clock detail
12:13:03.487 UTC Sun Jan 10 2017
S1#
S1# conf t
S1(config)# clock timezone EDT -5
S1(config)# clock summer-time EDT recurring
S1(config)# exit
S1# show clock detail
07:44:12.370 EDT Sat Jan 10 2017
Time source is user configuration
Summer time starts 02:00:00 EDT Sun Mar 8 2017
Summer time ends 02:00:00 EDT Sun Nov 1 2017

How do you change the system clock on a device?

 The system clock can be set using the clock set privileged EXEC command.
 Time is based on Coordinated Universal Time (UTC).
– Cisco devices support local time zone configurations and daylight savings time adjustments.
 Some Cisco devices also have a battery powered hardware clock that is configured using the calendar set hh:mm:ss < 1-31 > month year command.

S1# sho clock detail
10:00:40.316 UTC Wed Jan 10 2018
Time source is user configuration
S1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
S1(config)# clock ?
calendar-valid Calendar time is authoritative
summer-time Configure summer (daylight savings) time
timezone Configure time zone
S1(config)#
S1(config)# clock timezone EDT -5
S1(config)#
Jan 10 10:01:09.187: %SYS-6-CLOCKUPDATE: System clock has been updated from 10:01:09 UTC Wed Jan 10 2018 to 05:01:09 EDT Wed Jan 10 2018, configured from console by console.
S1(config)#
S1(config)# clock summer-time EDT recurring
S1(config)#
Jan 10 10:01:22.316: %SYS-6-CLOCKUPDATE: System clock has been updated from 05:01:22 EDT Wed Jan 10 2018 to 05:01:22 EDT Wed Jan 10 2018, configured from console by console.
S1(config)# exit
S1#
Jan 10 10:01:26.927: %SYS-5-CONFIG_I: Configured from console by console
S1# clock set 9:09:00 6 Mar 2018
S1#
S1# show clock detail
09:09:05.468 EDT Tue Mar 6 2018
Time source is user configuration
Summer time starts 02:00:00 EDT Sun Mar 11 2018
Summer time ends 02:00:00 EDT Sun Nov 4 2018
S1#

Network Time Protocol (NTP)

 Many features in a computer network depend on time synchronization.


– Syslog / SNMP messages
– ACLs with time range configuration (S1(config)# access-list 100 permit ip any any time-range LUNCH)

– Public key infrastructure X.509 certificates which are valid for specific time periods.

 Network devices synchronize their time using the Network Time Protocol (NTP).
– NTP clients poll NTP servers at intervals of 64 to 1024 seconds (1 minute to 17 minutes).
– NTP uses UDP port 123 and is documented in RFC 1305.
– Current versions include NTPv3 and NTPv4.

 NTP can be implemented in two ways depending on the network type:


1. P2P: NTP server (master) and client.
2. Broadcast: NTP Server broadcasts and NTP clients listen.

Network Time Protocol (NTP)

 NTP can operate in one of four different NTP roles.

NTP Role Description

Server
• Provides accurate time information to clients on the network.

Client
• Synchronizes its time to an NTP server.
• Most suited for file server and workstation clients that are not required to provide any form of time synchronization to other local clients.

Peer
• Peers only exchange time synchronization information.
• Also commonly known as symmetric mode.

Broadcast / Multicast
• Special "push" mode of NTP server where the local LAN is flooded with updates.
• Used only when time accuracy is imperative.
NTP Design Principles

 Use a hierarchical tiered model in large network deployments.


– Consumes less administrative overhead
– Time convergence is minimized because every customer edge router is not associated
with every other customer edge router.

Configuring NTP Master

 A time source can be privately controlled or it can be an authoritative time source, such as a radio clock, GPS, or an atomic clock attached to an NTP time server somewhere in the network.

 To configure a private NTP time source:


Router(config)#
ntp master [stratum]

– stratum is the number of hops away (trustworthiness) from an authoritative time source.

R1(config)# ntp master 1


R1(config)# end
R1#
R1# show clock
13:03:03.487 UTC Tue Jan 10 2017
R1#

Configuring NTP Server

 Identifies the NTP master from which to get a time source.


Router(config)#
ntp server {ip-add | hostname} [version {3 | 4}] [key keyid] [source int]
[prefer]

R2(config)# ntp server 10.10.10.1


R2(config)# end
R2#
R2# show clock
13:01:15.735 UTC Tue Jan 10 2017
R2#
R2# show ntp status
Clock is synchronized, stratum 2, reference is 10.10.10.1
nominal freq is 250.0000 Hz, actual freq is 249.9992 Hz, precision is 2**18
reference time is CCF22553E.5DC2A53B (13:22:50.366 UTC Tue Jan 10 2017)
clock offset is 0.3072 msec, root delay is 23.32 msec
root dispersion is 0.38 msec, peer dispersion is 0.05 msec
R2#

Note: NTP can be slow to synchronize and can take between 1 and 17 minutes to synchronize with an upstream server.
NTP Peer

 You can identify an NTP peer.


Router(config)#
ntp peer ip-address

 Each router will act both as a client and server with every other router.

 Two or three routers should be configured to synchronize their time with external
time servers as a best practice to ensure redundancy to external time servers.

NTP in a Broadcast Network

 Instead of identifying a specific server, an NTP client can be configured to listen to


broadcast packets on an interface-by-interface basis.

 Configure the NTP server to send NTP broadcasts.


Router(config-if)#
ntp broadcast

 Configure the NTP clients to listen for the NTP broadcasts.


Router(config-if)#
ntp broadcast client

Verifying NTP

 To validate that the client is synchronized with the NTP server.


R1# show ntp status
Clock is synchronized, stratum 2, reference is 209.165.201.193
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**10
ntp uptime is 77100 (1/100 of seconds), resolution is 4000
reference time is D7BA39F5.26A7F008 (18:46:13.151 PST Tue Sep 9 2017)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 7.35 msec, peer dispersion is 3.44 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000000004 s/s
system poll interval is 128, last update was 43 sec ago.
R1#
R1# show ntp associations
address ref clock st when poll reach delay offset disp
+~ 209.165.201.225 .LOCL. 1 116 128 177 0.000 0.000 2.800
*~ 209.165.201.193 .LOCL. 1 55 128 3 0.000 0.000 3.446
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
R1#

The first column has flags that tell us the status of the association with each server.
• ~ means configured
• * means it is the sys.peer (the server the clock is currently synchronized to)
• + means it is a candidate
NTP Security

 The time that a machine keeps is a critical resource, so the security features of NTP should be used to avoid the accidental or malicious setting of incorrect time.

 Two mechanisms are available:


– an ACL-based restriction scheme
– an encrypted authentication mechanism.

 For example:
– To create an NTP access list restricting peers

Router(config)# access-list 1 permit 10.0.1.0 0.0.255.255


Router(config)# ntp access-group peer 1

Configuring NTP Authentication

 Enable NTP authentication.


Router(config)#
ntp authentication

 Define the NTP authentication key


Router(config)#
ntp authentication-key key-number md5 key-value

 Identify the trusted key


Router(config)#
ntp trusted-key key-number

R1(config)# ntp authentication


R1(config)# ntp authentication-key 1 md5 NeVeRgUeSs
R1(config)# ntp trusted-key 1

62
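The NTP Security and Configuring NTP Authentication slides above describe the md5 key and trusted-key checks in prose only. The following added example (not from the slides or from Cisco IOS) shows what the receiver actually verifies: the legacy NTP MAC is the 32-bit key ID followed by MD5(key || 48-byte header), and a packet is accepted only if the key ID is in the trusted-key list and the digest matches. The key values are the slides' example strings, the packet fields are constructed.

```python
import hashlib
import hmac
import struct

# Constructed key table mirroring `ntp authentication-key <n> md5 <value>`;
# only key 1 is in the trusted list, mirroring `ntp trusted-key 1`.
KEYS = {1: b"NeVeRgUeSs", 2: b"secretclient"}
TRUSTED_KEYS = {1}

NTP_HEADER_LEN = 48
MAC_LEN = 4 + 16  # 32-bit key ID followed by a 128-bit MD5 digest


def build_ntp_header(stratum=2, tx_seconds=0xD7BA39F5, tx_fraction=0x26A7F008):
    """Build a minimal 48-byte NTPv4 server-mode header (LI=0, VN=4, Mode=4)."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4
    fixed = struct.pack("!BBbb", li_vn_mode, stratum, 6, -20)  # poll 2^6, precision 2^-20
    delays = struct.pack("!II", 0, 0)                          # root delay, root dispersion
    ref_id = b"LOCL"                                           # reference identifier
    timestamps = b"\x00" * 24                                  # reference, originate, receive
    transmit = struct.pack("!II", tx_seconds, tx_fraction)     # transmit timestamp
    return fixed + delays + ref_id + timestamps + transmit


def append_md5_mac(header, key_id):
    """Append the legacy NTP MAC: key ID plus MD5(key || header)."""
    digest = hashlib.md5(KEYS[key_id] + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify_ntp_mac(packet):
    """Mimic the receiver's checks: MAC present, key ID trusted, digest matches."""
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return False, "no MD5 MAC present"
    header = packet[:NTP_HEADER_LEN]
    (key_id,) = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])
    digest = packet[NTP_HEADER_LEN + 4:]
    if key_id not in TRUSTED_KEYS or key_id not in KEYS:
        return False, f"key id {key_id} is not a trusted key"
    expected = hashlib.md5(KEYS[key_id] + header).digest()
    if not hmac.compare_digest(expected, digest):
        return False, "digest mismatch (packet altered or wrong key)"
    return True, "authenticated"
```

An unauthenticated packet, a packet signed with a key that is defined but not trusted, and a packet whose stratum field was altered after signing are all rejected; only the untouched packet signed with trusted key 1 is accepted.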
NTP Configuration Example

Source(config)# ntp master 1


Source(config)#
Source(config)# ntp authentication-key 1 md5 secretsource
Source(config)# ntp trusted-key 1

Intermediate(config)# ntp server 172.16.0.1


Intermediate(config)# interface Fastethernet0/0
Intermediate(config-if)# ntp broadcast
Intermediate(config-if)# exit
Intermediate(config)#
Intermediate(config)# ntp authentication-key 1 md5 secretsource
Intermediate(config)# ntp authentication-key 2 md5 secretclient
Intermediate(config)# ntp trusted-key 1

Client(config)# interface Fastethernet0/1


Client(config-if)# ntp broadcast client
Client(config-if)# exit
Client(config)#
Client(config)# ntp authentication-key 2 md5 secretclient
Client(config)# ntp trusted-key 2
Client(config)#

63
NTP Versions

 NTP versions 3 and 4 are currently available.


– NTP Version 3 is the most common version

 NTPv4 provides the following capabilities:


– NTPv4 is an extension of NTP Version 3.
– NTPv4 supports IPv4 and IPv6, and is backward compatible with NTPv3.
– Security is improved over NTPv3.
– NTPv4 leverages multicasts to automatically configure the hierarchy servers to achieve the
best time accuracy.

Router(config)#
ntp server ipv6-address version 4

64
SNMP

 SNMP 336
– SNMP Overview 337
– SNMP Versions 339
– SNMP Best Practices 339
– SNMPv3 Configuration Example 340
– Verifying SNMP Version 3 Configuration 342

Network Management Systems (NMSs) collect and process data using SNMP.
Network Management System (NMS)

 An NMS is a set of hardware and software that is used for:

– Network device discovery:
 Identifies what devices are present on a network.

– Network performance monitoring:
 Uses SNMP to monitor devices to determine the health of network components and the extent to which their performance matches capacity plans and service-level agreements (SLAs).

– Network traffic analysis:
 Uses SNMP to track device performance indicators such as bandwidth utilization, packet loss, latency, availability, and device uptime.

– Intelligent notifications:
 Includes configurable alerts that respond to specific network scenarios by paging, emailing, calling or texting a network administrator.

69
Simple Network Management Protocol (SNMP)

 SNMP consists of 3 elements:

SNMP Element / Description

SNMP Manager
• Workstation(s) that run SNMP management software and listen on UDP port 162.
• Retrieves MIB information from an SNMP agent using get requests.
• Collects MIB traps sent by agents.
• Can control and configure some device parameters on an agent using set requests.

SNMP Agents
• These are managed nodes (i.e., routers, switches, servers, workstations, etc.) that run an SNMP agent software module and listen on UDP port 161.
• Agents are configured to provide access to the local MIB to the SNMP Manager.
• Commonly configured to forward notifications (traps) directly to an SNMP manager.

Management Information Base (MIB)
• The MIB is a database of the objects that can be managed on a device.
• The managed objects, or variables, can be set or read to provide information on the network devices and interfaces.

70
Management Information Base (MIB)

 MIBs are files that specify the set of manageable objects available for a specific device.
– Objects relate to a specific device entity / attribute (e.g., system uptime, interface status, interface packet statistics, routing protocol statistics, etc.)

 MIBs are organized in a hierarchical tree-like structure.

 Each MIB file has a unique object ID (OID) that defines:
– The list of objects supported for a specific protocol/entity
– The type of each object
– The hierarchical relationship between all the objects of a given protocol/entity

Cisco provides the SNMP Object Navigator tool that allows you to research details about a particular OID.
71
SNMP Actions

Messages from the SNMP Manager to the SNMP Agent:
• Get-Request
• Get-Next-Request
• Get-Bulk-Request
• Set-Request

Messages from the SNMP Agent to the SNMP Manager:
• Response
• Trap
• Inform-Request (an acknowledged notification; also sent to another Manager)
• Report
72
SNMP Manager

http://www.kiwisyslog.com/products/kiwi-syslog-server/product-overview.aspx

73
SNMP Versions

 Several versions of SNMP are available:


Version / Description

SNMPv1
• Defined in RFC 1157
• Provided no authentication or encryption mechanism

SNMPv2c
• Defined in RFCs 1901 to 1908
• Improved upon SNMPv1 but provided no authentication or encryption mechanism

SNMPv3
• Defined in RFCs 2273 to 2275
• Provides secure access to devices by authenticating and encrypting packets over the network

74
SNMPv1 and SNMPv2 Security Concerns

Traps or notifications are not authenticated or encrypted.

(Figure: Trap, Get-Request and Set-Request messages exchanged between the SNMP manager and the agent.)

Agents can be polled with get requests and accept configuration changes with set requests (e.g., reboot the device, send a configuration file, or receive a configuration file).

75
SNMPv3

 SNMPv3 is an interoperable standards-based protocol for network management.


– SNMPv3 provides secure access to devices by a combination of authenticating and
encrypting packets over the network.

 There are three security features that SNMPv3 provides:

Feature / Description

Message integrity and authentication
• Ensures that a packet has not been tampered with in transit, and is from a valid source

Encryption
• Scrambles the contents of a packet to prevent it from being seen by an unauthorized source

Access control
• Restricts each principal to certain actions on specific portions of data

76
SNMP Security Models

 SNMPv1 and SNMPv2 use community strings as passwords to access SNMP agents.
– SNMP read-only community strings can be used to get information from an SNMP-enabled device.
– Read-write community strings can set information on an SNMP-enabled device.

77
Configuring SNMPv3

 Configuring SNMPv3 requires several steps.

1. Configure an access list to be used to restrict subnets for SNMP access.


2. (Optional) Configure an SNMP Engine ID using the snmp-server engineID
local number command.
3. (Optional) Configure the SNMPv3 views to limit access to specific MIBs.
4. Configure the SNMPv3 security groups.
5. Configure the SNMPv3 users.
6. Configure the SNMPv3 trap receivers.
7. Configure ifindex persistence to prevent ifindex changes.

78
Configuring SNMPv3 – Identify Management Network

 Step 1: Configure an ACL to permit the protected management network.


Router(config)# ip access-list standard acl-name
Router(config-std-nacl)# permit source_net

– This will permit access to authorized SNMP managers.

Protected Management Network


192.168.1.0/24

R1(config)# ip access-list standard PERMIT-ADMIN


R1(config-std-nacl)# permit 192.168.1.0 0.0.0.255
R1(config-std-nacl)# exit
R1(config)#

79
Configuring SNMPv3 – Configure a View

 Step 2: (Optional) Configure an SNMP view.


Router(config)# snmp-server view view-name oid-tree {included | excluded}

– Include only the MIB OIDs that are necessary for monitoring and managing the network.
– To identify the subtree, specify a name or a text string consisting of numbers (e.g.,
1.3.6.2.4)
 Replace a single subidentifier with the asterisk (*) wildcard to specify a subtree family (e.g., 1.3.*.4).
– included adds to the view while excluded explicitly excludes from the view.

R1(config)# ip access-list standard PERMIT-ADMIN


R1(config-std-nacl)# permit 192.168.1.0 0.0.0.255
R1(config-std-nacl)# exit
R1(config)#
R1(config)# snmp-server view SNMP-RO iso included
R1(config)#

80
Configuring SNMPv3 – Configure a Group Specifics

 Step 3: Configure an SNMP group.


Router(config)# snmp-server group group-name v3 priv read view-name access [acl-number | acl-name]

– Assign a group name


– Set the SNMP version to 3 with the v3 keyword
– Require authentication and encryption (priv)
– Associate a view to the group and give it read-only access with the read keyword
– Specify the ACL configured.

R1(config)# ip access-list standard PERMIT-ADMIN


R1(config-std-nacl)# permit 192.168.1.0 0.0.0.255
R1(config-std-nacl)# exit
R1(config)#
R1(config)# snmp-server view SNMP-RO iso included
R1(config)#
R1(config)# snmp-server group ADMIN v3 priv read SNMP-RO access PERMIT-ADMIN
R1(config)#

81
Configuring SNMPv3 – Configure an SNMP User

 Step 4: Configure a user as a member of the SNMP group.


Router(config)# snmp-server user username group-name v3 auth {md5 | sha} auth-password priv {des | 3des | aes {128 | 192 | 256}} privpassword

– Set the SNMP version to 3 with the v3 keyword


– Set the authentication type to either md5 or sha (preferred) and configure an
authentication password.
– Require encryption with the priv keyword and configure an encryption password.

R1(config)# ip access-list standard PERMIT-ADMIN


R1(config-std-nacl)# permit 192.168.1.0 0.0.0.255
R1(config-std-nacl)# exit
R1(config)#
R1(config)# snmp-server view SNMP-RO iso included
R1(config)#
R1(config)# snmp-server group ADMIN v3 priv read SNMP-RO access PERMIT-ADMIN
R1(config)#
R1(config)# snmp-server user BOB ADMIN v3 auth sha cisco12345 priv aes 128 cisco54321
R1(config)# end
R1#

82
Verify SNMPv3

 Verify most of the configuration using the show running-config command.

R1# show run | include snmp


snmp-server group ADMIN v3 priv read SNMP-RO access PERMIT-ADMIN
snmp-server view SNMP-RO iso included
R1#

Notice how the user information snmp-server user BOB ADMIN v3 auth sha
cisco12345 priv aes 128 cisco54321 is not displayed for security purposes.

83
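The SNMPv1 and SNMPv2 Security Concerns slide and the SNMPv3 configuration steps above give the settings a reviewer should look for in the show run | include snmp output. The following added example (not from the slides or from Cisco) audits that output for cleartext community strings, v3 groups configured without priv or without an access ACL, and trap receivers not using SNMPv3 priv. The ADMIN group line is the one from the slides; every other config line is constructed to exercise a weak setting.

```python
# Constructed sample of `show run | include snmp` output; the ADMIN group line
# matches the slides, the remaining lines are made up to show weak settings.
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
snmp-server group ADMIN v3 priv read SNMP-RO access PERMIT-ADMIN
snmp-server group LEGACY v3 noauth read SNMP-RO
snmp-server view SNMP-RO iso included
snmp-server host 192.168.1.10 version 2c public
snmp-server host 192.168.1.10 version 3 priv BOB
"""


def audit_snmp(config_text):
    """Return a list of (severity, message) findings for weak SNMP settings."""
    findings = []
    for line in config_text.splitlines():
        words = line.split()
        if words[:2] == ["snmp-server", "community"]:
            # v1/v2c community strings travel in cleartext and are the only credential
            findings.append(("high", f"v1/v2c community string in use: {line}"))
        elif words[:2] == ["snmp-server", "group"] and "v3" in words:
            if "priv" not in words:
                findings.append(("high", f"SNMPv3 group without encryption (priv): {line}"))
            if "access" not in words:
                findings.append(("medium", f"SNMPv3 group not restricted by an ACL: {line}"))
        elif words[:2] == ["snmp-server", "host"]:
            # Without an explicit `version 3` the trap receiver falls back to v1/v2c
            if "version" not in words or words[words.index("version") + 1] != "3":
                findings.append(("high", f"trap receiver uses SNMPv1/v2c: {line}"))
            elif "priv" not in words:
                findings.append(("medium", f"SNMPv3 trap receiver without encryption: {line}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_snmp(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Running it against the sample flags the two community strings, the LEGACY group twice (no priv, no ACL) and the version 2c trap receiver, while the ADMIN group and the SNMPv3 priv receiver pass.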
Verify SNMPv3

 Use the show snmp user command to view the user information.

R1# show snmp user

User name: BOB


Engine ID: 80000009030030F70DA30DA0
storage-type: nonvolatile active
Authentication Protocol: SHA
Privacy Protocol: AES128
Group-name: ADMIN

R1#

84
Verify SNMPv3

 Verify that the SNMP manager can send get requests by using an SNMP management tool, such as the ManageEngine SNMP MIB Browser.

 Verify that the data was encrypted by running a protocol analyzer, such as Wireshark, and capturing the SNMP packets.

85