Re: NTP Authentication - which one is correct ???

From: Keith Leonard (kleonard@xxxxxxxxxxx)
Date: Mon Nov 12 2001 - 23:36:47 GMT-3


   
Michael,

I was playing around with this recently, and was also confused at first with how this was supposed to work.

Basically, both are correct configs, however, only the client on config 1 is authenticated.

The authentication is for the client's benefit, so that it can validate the source of the NTP packets.
Any client can authenticate with the server here, however only a client with the correct key can be sure that it came from that particular server.
If you add an incorrect key for example to the client 'ntp server' command in example 2, then it will fail to sync up.

If you want to restrict clients getting time from an NTP Master, you would need to use an ACL and specify the group in an 'ntp access-group serve/serve-only' command.

Cheers,
Keith

>>> Michael Wong <Michael.Wong@nec.com.au> 11/13/01 12:57pm >>>
Hey Group ..... I have 2 working configs for NTP and can't seem to find a valid
 resource to indicate to me which one is correct. The difference between the 2
configs is the configuration of the client and the "key" option after the "ntp
server" command.

Working Config 1

Router A (Master)
ntp authentication-key 1 md5 121A0C041104 7
ntp authenticate
ntp trusted-key 1
ntp master 1

Router B (Client)
ntp authentication-key 1 md5 030752180500 7
ntp authenticate
ntp trusted-key 1
ntp clock-period 17208086
ntp server 10.1.1.1 key 1

Working Config 2

Router A (Master)
ntp authentication-key 1 md5 121A0C041104 7
ntp authenticate
ntp trusted-key 1
ntp master 1

Router B (Client)
ntp authentication-key 1 md5 030752180500 7
ntp authenticate
ntp clock-period 17208086
ntp server 10.1.1.1

TIA ..... MW :)
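
Added example (not part of the original thread, and not Cisco's code): a simplified Python model of the client-side check described in the reply above, using the standard NTP symmetric-key digest MD5(key || header). The header bytes, the secrets and the helper names (ntp_mac, sign, client_accepts) are constructed for illustration; treating a missing 'key' option as "accept without verifying" follows the reply's description of config 2.

```python
import hashlib
import hmac
import struct

# Constructed sample data (not from the thread): a 48-byte NTP header
# (LI=0, VN=3, mode=4 server, stratum 1) and a made-up shared secret.
HEADER = bytes([0x1C, 1, 6, 0xEC]) + bytes(44)
SERVER_KEY = b"ExampleKey"


def ntp_mac(key: bytes, header: bytes) -> bytes:
    """NTP symmetric-key MD5 digest: MD5(key || header)."""
    return hashlib.md5(key + header).digest()


def sign(header: bytes, key_id: int, key: bytes) -> bytes:
    """Sender side: append the 4-byte key ID and the 16-byte digest."""
    return header + struct.pack("!I", key_id) + ntp_mac(key, header)


def client_accepts(packet, assoc_key_id, keys, trusted):
    """Simplified model of the client's check for one 'ntp server' line.

    assoc_key_id is None when the line has no 'key' option (config 2).
    keys maps key ID -> secret; trusted is the set of trusted key IDs.
    """
    header, mac = packet[:48], packet[48:]
    if assoc_key_id is None:
        return True, "accepted, source not verified"
    if assoc_key_id not in trusted or assoc_key_id not in keys:
        return False, "key not trusted"
    if len(mac) != 20 or struct.unpack("!I", mac[:4])[0] != assoc_key_id:
        return False, "missing or wrong key ID"
    if not hmac.compare_digest(mac[4:], ntp_mac(keys[assoc_key_id], header)):
        return False, "bad digest"
    return True, "accepted, source verified"


if __name__ == "__main__":
    reply = sign(HEADER, 1, SERVER_KEY)
    for label, args in [
        ("config 1, matching key", (reply, 1, {1: SERVER_KEY}, {1})),
        ("config 1, wrong key", (reply, 1, {1: b"WrongKey"}, {1})),
        ("config 2, no key option", (HEADER, None, {1: b"WrongKey"}, set())),
    ]:
        print(label, "->", client_accepts(*args))
```
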


