Meinberg M300 Cisco 5548
By Andreja Jarc and Doug Arnold.
Which types of devices are preferred to be used as NTP servers, particularly for an environment of 1000 NTP Cisco clients? I understand that it's a matter of preference, but I am just trying to understand what most engineers prefer.

The LANTIME M300 Time Server is an extremely flexible platform for applications that require a reliable, stable and accurate source of network time. It offers two 10/100baseT Ethernet ports (four or six optionally) and includes an integrated Meinberg reference clock and a TCXO precision internal oscillator.
The Simple Network Management Protocol
Most network connected devices support a number of management options, including the Simple Network Management Protocol, or SNMP. SNMP is a network protocol which allows a single network management system to monitor a large number of devices on the network. Indeed this is one of the chief reasons why SNMP is prevalent: an entire network can be summarized on one screen, with the ability to drill down into more detail when needed. Popular management software options include HP’s Openview and IBM’s Tivoli Netview.
The way it works is that each network element has an Agent which communicates with the Manager via SNMP (Figure 1). Each Agent has a corresponding Management Information Base, or MIB. A MIB organizes its data elements in a tree structure and is written in a standard, highly structured language, so that the MIBs from all of the devices on the network can be compiled into the same Manager. See the examples in the next section, taken from a Meinberg network time server.
Figure 1: Communication between Agents and Manager via SNMP.
MIB elements are called Object Identifiers, or OIDs. They consist of configuration variables, status variables, tree structure labels and notifications. The OIDs can be read or changed using SNMP GET and SET commands. In practice SNMP is often used for monitoring only, so GETs are far more common than SETs. There are also iterative commands which allow the Manager to ask for all of the OIDs in a branch (subtree), or even the whole tree; this process is referred to as “walking the MIB”. Event Notifications, commonly referred to as traps, are a special type of OID. A trap can be configured so that when the status of the device changes, a message is immediately sent from the Agent to the Manager.
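To make “walking the MIB” concrete, here is an added Python model (not Meinberg's code) of a manager issuing repeated GETNEXT requests against a constructed MIB. The numeric prefix 1.3.6.1.4.1.99999 and the arcs beneath it are placeholders, not the real LANTIME OIDs; only the leaf names come from this post, and the values are constructed sample readings.

```python
from typing import Optional

# Constructed MIB view: numeric OID -> (symbolic name, current value).
# The prefix 1.3.6.1.4.1.99999 is a placeholder arc, NOT Meinberg's enterprise OID.
MIB = {
    "1.3.6.1.4.1.99999.1.1.0": ("mbgLtNgRefclockState", 1),              # synchronized
    "1.3.6.1.4.1.99999.1.2.0": ("mbgLtNgRefclockLeapSecondDate", "2017-01-01"),  # constructed
    "1.3.6.1.4.1.99999.2.1.0": ("mbgLtNgNtpCurrentState", 2),            # synchronized
    "1.3.6.1.4.1.99999.3.1.1": ("mbgLtNgSysPsStatus", 2),                # PSU 1 up
    "1.3.6.1.4.1.99999.3.1.2": ("mbgLtNgSysPsStatus", 2),                # PSU 2 up
    "1.3.6.1.4.1.99999.4.1.1": ("mbgLtNgEthPortLinkState", 1),           # port 1 up
    "1.3.6.1.4.1.99999.10.1.1": ("mbgLtNgPtpPortState", 9),              # slave
}


def oid_key(oid: str) -> tuple:
    """OIDs order by integer arcs, not as strings: arc 10 sorts after arc 2,
    and '...99999.10' is NOT inside the '...99999.1' subtree."""
    return tuple(int(arc) for arc in oid.split("."))


def get_next(oid: str) -> Optional[str]:
    """GETNEXT semantics: the first OID in the view strictly greater than `oid`.
    Returns None at the end of the MIB view (endOfMibView in SNMPv2c/v3)."""
    target = oid_key(oid)
    for candidate in sorted(MIB, key=oid_key):
        if oid_key(candidate) > target:
            return candidate
    return None


def walk(subtree: str) -> list:
    """Walk one subtree the way a manager does: start at the subtree OID and keep
    asking GETNEXT until the agent returns an OID outside the subtree prefix."""
    prefix = oid_key(subtree)
    results = []
    current = subtree
    while True:
        nxt = get_next(current)
        if nxt is None or oid_key(nxt)[: len(prefix)] != prefix:
            break  # left the subtree (or reached endOfMibView)
        results.append((nxt, MIB[nxt]))
        current = nxt
    return results


if __name__ == "__main__":
    for oid, (name, value) in walk("1.3.6.1.4.1.99999"):
        print(f"{oid}  {name} = {value}")
```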
The ability of the Agents to tell the Manager that something significant has just happened is the most important property of SNMP. Indeed many network administrators use SNMP solely for this event driven monitoring capability. The latest version of SNMP is SNMPv3. It is standardized in a series of documents created by the Internet Engineering Task Force. These are the fine people who brought us the Internet Protocol, HTTP, NTP, and many of the other protocols which make the Internet function. Among many features, SNMPv3 includes a security mechanism to encrypt and authenticate SNMP messages. For more information on SNMP see the Open Directory Project SNMP page.
Using SNMP with Meinberg Time Servers
Here is an example of SNMP management software and LANTIME specific OIDs:
Figure 2: Example of LANTIME SNMP Monitoring. “mbgLantimeNGStatus” marked green is a subtree which includes all of the main OIDs for LANTIME monitoring.
As shown in Figure 2, the main OIDs for LANTIME monitoring are in the mbgLantimeNGStatus subtree. The “NG” label stands for “New Generation”, which corresponds to V6.x versions of the LANTIME CPU firmware. This is in contrast to MIB objects from V5.x firmware, which have no NG label in their names.
Here is a detailed description of the most important OIDs which can be found in the NGStatus subtree:
1: Refclock subtree
mbgLtNgRefclockState: This OID describes the current state of the LANTIME refclock (the hardware clock module) with respect to GPS or, in an MRS (Multi Reference Source) model, any other time source signal.

| Status | Description |
|---|---|
| 0 | refclock is not available: see the possible troubleshooting steps. |
| 1 | synchronized: the refclock of your system is correctly synchronized to the selected time source (GPS or MRS). In an MRS system, a refclock can be synchronized to a reference time source from the priority list; see the example in Figure 3. |
| 2 | not synchronized: the refclock is not synchronized to its time source; see the possible troubleshooting steps. |

Figure 3: LANTIME M600 MRS priority list.

The MRS system in Figure 3 synchronizes first to GPS, but if the GPS signal is unavailable, the refclock switches to the next time source from the priority list (PTP in our case). The switch happens only after the trust time of the unavailable time source (the GPS signal) has run out; this prevents hopping from one time source to another within short time periods. If GPS becomes available again, the refclock switches back to GPS without waiting for the PTP trust time, since GPS itself has a higher precision than PTP.

It is recommended to configure your network management software to check this status regularly, if possible every 60 s.

mbgLtNgRefclockLeapSecondDate: This OID conveys the date of the next leap second. If the upcoming leap second has not been announced yet, the OID holds the date of the previous leap second event.

Here is a short summary of leap seconds. There are two different timescales we usually talk about in the sync environment: GPS, which stands for Global Positioning System time, and UTC (Coordinated Universal Time), formerly known as GMT (Greenwich Mean Time). They differ from each other by the number of leap seconds introduced since the beginning of GPS time on 6-Jan-1980. At the moment of writing UTC is 16 seconds behind GPS time, a difference caused by the uneven rotation of the Earth.

Since the introduction of a new leap second influences the time in the whole system being synchronized, we suggest checking this status regularly, e.g. once per hour.
Next in the row of OIDs are those referring to NTP status. They can be found in the “mbgLtNgNtp” subtree.
2: NTP subtree
mbgLtNgNtpCurrentState: This is one of the most important OIDs in this subtree to check regularly. It reports on the NTP service of your LANTIME. Three states are possible:

| Status | Description |
|---|---|
| 0 | not available: see the possible troubleshooting steps. |
| 1 | not synchronized: the NTP service is not yet synchronized to a reference clock; see the possible causes for this state. |
| 2 | synchronized: the NTP service is in normal operation. The LANTIME is now working properly. |

It is recommended to check the NTP status regularly, but not more often than every 64 s.
3: Hardware subtree
mbgLtNgSysPsStatus: If a LANTIME has a redundant power supply (RPS) unit, it is important to check the status of both RPS modules regularly. This PowerSupplyStatus OID can be found in the System Hardware subtree. The following states are available:

| Status | Description |
|---|---|
| 0 | notAvailable: the queried power supply unit is not recognized by the system. Check whether it is damaged, and replace it if necessary. |
| 1 | down: the power supply unit of interest is not in service. Check whether it is damaged, and replace it if necessary. |
| 2 | up: the queried power supply module is in operation. |

It is recommended to check this OID every 60 s.
4: Misc subtree
mbgLtNgEthPortLinkState: In the mbgLtNgMisc subtree one can find the EthPortLinkState OID, which identifies the status of each physical Ethernet port of a LANTIME. Available values:

| Status | Description |
|---|---|
| 0 | down: the queried port is down; check the link LED. If the port is faulty, replace the network card. |
| 1 | up: the port of interest is in normal operation. |

It is recommended that you check this OID every 60 s.
5: PTP subtree
If your LANTIME has IEEE 1588 PTPv2 functionality, the corresponding PTP OIDs can be found in the “mbgLtNgPtp” subtree.
These are the most important OIDs to monitor:
mbgLtNgPtpPortState: The following PTP port states are possible:

| Status | Description |
|---|---|
| 0 | uninitialized: the port is booting up; the software daemon has not yet started and the IP address is not yet assigned. |
| 1 | initializing: in this state the port initializes its data sets, hardware, and communication facilities. |
| 2 | faulty: not defined in a LANTIME. |
| 3 | disabled: the PTP service has been disabled on this port, either by user configuration or because the module is in standby mode. |
| 4 | listening: the port is waiting for the announceReceiptTimeout to expire or to receive an Announce message from a master. |
| 5 | preMaster: a short transitional state while the port is becoming a master. |
| 6 | master: the port is a current master. |
| 7 | passive: the port is in passive mode, meaning there is another master clock active in the PTP domain. The port can enter the master state when it wins the BMCA due to a failure or service degradation of the current master. |
| 8 | uncalibrated: one or more master ports have been detected in the domain. |
| 9 | slave: the port has successfully subscribed to a master and receives all expected messages. It has also successfully measured the path delay using delay request messages. |

It is recommended to monitor the PtpPortState OID every 3 s.
By Andreja Jarc.
Synchronized timing is vitally important when many systems work together in a network. Services such as log files, correlation of events, user authentication mechanisms, job scheduling (e.g. for backups) or Active Directory running on distributed platforms use accurate timestamps to record events in chronological order and to avoid conflicts in data replication. Without accurate time synchronization these services cannot operate.
As is true for other network services, time synchronization is exposed to numerous cyber threats, such as attack attempts and other security hazards. Spoofing or falsifying time information may severely influence the operation of time-critical applications and degrade the stability of networks.
Meinberg therefore dedicates special care and attention to the safety and security procedures which are implemented and regularly upgraded on LANTIME NTP servers, to protect the time service from attacks and keep synchronization operating properly.
In this post I will introduce you to some efficient safeguards available in LANTIME Generation 6 servers which can protect against these threats and reduce the risks to an acceptable level.
Access Control and User Management
It is possible to create multiple user accounts on a LANTIME system; each account can be assigned to one of three user privilege levels:
• Super-User: full read/write control over Web GUI and command line functions
• Admin-User: restricted read/write control over Web GUI and CLI functions
• Info-User: read permission only
Figure 1: A list of multiple users on a LANTIME with different privileges.
Password Options
All users can be password protected. One can activate special options to enhance the security of user passwords, as follows:
• Minimum password length
• Secure passwords only
• List of valid special characters
• User must change the password periodically, at the configured interval
Figure 2: Security levels for password generation.
Activation / Deactivation of unsecured network services
All available network services can be activated or deactivated separately for every interface. Therefore any unsecured network protocols such as FTP, HTTP or Telnet can be deactivated where they are not needed. See the following example:
Figure 3: Activation / deactivation of network services for each interface separately.
External authentication via TACACS+ and RADIUS
There are several user account authentication methods available on LANTIME systems. One option is external authentication with TACACS+ or RADIUS. TACACS+, in contrast to RADIUS, refers to a family of protocols for remote authentication and network access control in which the entire packet is encrypted.
TACACS+: Terminal Access Controller Access-Control System (TACACS) is a remote authentication protocol used to communicate with an authentication server, commonly used in UNIX networks.
RADIUS: Remote Authentication Dial In User Service (RADIUS) is a networking protocol that provides centralized authentication for users connecting to Meinberg time servers and using their network services. RADIUS is a client/server protocol that runs in the application layer, using UDP as its transport.
Figure 4: Activation of Remote Authentication in the User Administration dialog.
Client / Server Authentication via Autokeys and Symmetric Keys
NTP Version 4 supports symmetric keys and additionally provides the Autokey feature. Both are supported by Meinberg LANTIME systems.
The authenticity of the time received at NTP clients is ensured by the symmetric key technique. With this method every packet carries a 32 bit key ID and a cryptographic 64/128 bit checksum of the packet. This checksum is built with MD5 or DES; both algorithms offer sufficient protection against data manipulation.
Figure 5: Web GUI dialog for NTP MD5 Keys generation.
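The symmetric key MAC described above, as an added Python example (not Meinberg's or the NTP reference code): the 48 byte NTPv4 header is followed by the 32 bit key ID and a 128 bit MD5 digest computed over the shared key concatenated with the header, and a client verifies the digest before trusting the time. Only the MD5 variant is shown; the key ID, key string and timestamp are constructed sample values.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48   # fixed NTPv4 header without extension fields
KEY_ID_LEN = 4        # 32 bit key ID
MD5_DIGEST_LEN = 16   # 128 bit checksum


def build_ntp_request(transmit_seconds: int) -> bytes:
    """Minimal NTPv4 client request (mode 3); timestamp is constructed for the example."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3                 # LI=0, version 4, mode 3
    head = struct.pack("!BBBb", li_vn_mode, 0, 0, 0)     # stratum, poll, precision
    head += struct.pack("!III", 0, 0, 0)                 # root delay, root dispersion, ref ID
    head += bytes(24)                                    # reference, origin, receive timestamps
    head += struct.pack("!II", transmit_seconds, 0)      # transmit timestamp (seconds, fraction)
    assert len(head) == NTP_HEADER_LEN
    return head


def sign_packet(header: bytes, key_id: int, key: bytes) -> bytes:
    """Append key ID + MD5(key || header), the symmetric key MAC used by NTPv4 'M' keys."""
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify_packet(packet: bytes, trusted_keys: dict) -> bool:
    """Client-side check: accept only packets whose MAC matches a trusted key ID.
    A packet with no MAC, an unknown key ID, or a tampered header is rejected."""
    if len(packet) != NTP_HEADER_LEN + KEY_ID_LEN + MD5_DIGEST_LEN:
        return False
    header = packet[:NTP_HEADER_LEN]
    (key_id,) = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + KEY_ID_LEN])
    received_mac = packet[NTP_HEADER_LEN + KEY_ID_LEN:]
    key = trusted_keys.get(key_id)
    if key is None:
        return False                                     # key ID not in the trusted list
    expected_mac = hashlib.md5(key + header).digest()
    return hmac.compare_digest(expected_mac, received_mac)  # constant-time comparison


if __name__ == "__main__":
    key = b"exampleMD5keystring"                         # constructed key, not a real one
    packet = sign_packet(build_ntp_request(3_700_000_000), 7, key)
    print("authentic:", verify_packet(packet, {7: key}))
    forged = bytearray(packet)
    forged[40] ^= 0x01                                   # flip one bit in the transmit timestamp
    print("tampered accepted:", verify_packet(bytes(forged), {7: key}))
```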
Hardware Protection enabled by Redundant Configuration Setups
There are a number of methods to assure highly available and reliable operation of Meinberg LANTIME systems. Different redundant configuration setups enable a time server to keep operating seamlessly if some of its components experience operational difficulties.
Meinberg LANTIME and IMS (Intelligent Modular Synchronization) systems allow redundant configurations that protect against the following potential failures:
1. Power supply failure
2. Reference clock failure (signal loss or malicious disturbing)
3. Network unavailability
4. Inadequate server performance
5. Physical damage.
For more about the various redundant configuration setups using LANTIME systems, refer to one of our older posts:
https://blog.meinbergglobal.com/2013/11/27/ntp-network-redundancy/
If you wish to learn more about NTP safety and the protection measures for network timing, visit the NTP Complete Training at the Meinberg Sync Academy.
More information about NTP time servers for networks of different sizes and industries can be found on the Meinberg website: www.meinbergglobal.com.
Enjoy Your Summer and Stay In Sync with Us!