From: Kenneth Wygand (KWygand@customonline.com)
Date: Mon Feb 09 2004 - 11:56:44 GMT-3

Brian,

Two more NTP questions:

1) If I am synchronizing R1 with an NTP master and synchronizing R2 with
R1, I assume I do *NOT* need the "ntp master" command on R1. I believe
R2 can synchronize with any device that is either a) an NTP master, or
b) a device that has synchronized with an NTP master. Please confirm.

2) I want to use R1 and R2 to both synchronize with different external
time sources. The NTP servers they get their time from do *NOT* use
authentication. I also want them to peer with each other *WITH*
authentication. I am assuming I need to use the "ntp authenticate" and
"ntp trusted-key" commands, but that I only tack the "key" attribute
onto the "ntp peer" configuration lines and leave the "ntp server" line
without a key. Please confirm.

Thanks again!

Kenneth E. Wygand
Systems Engineer, Project Services
CISSP #37102, CCNP, CCDP, ACSP, Cisco IPT Design Specialist, MCP, CNA,
Network+, A+
Custom Computer Specialists, Inc.
"Success is to be measured not so much by the position one has reached
in life as by the obstacles which he has overcome while trying to
succeed."
-Booker Taliaferro Washington
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Brian McGahan
Sent: Friday, February 06, 2004 6:13 PM
To: Kenneth Wygand; ccielab@groupstudy.com
Subject: RE: Ping Brian McGahan - Your NTP Paper
Yep. A master can be a client of another master though, so you
could end up in the case where you have authentication on a server
challenging an upstream master.
HTH,
Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
> -----Original Message-----
> From: Kenneth Wygand [mailto:KWygand@customonline.com]
> Sent: Friday, February 06, 2004 3:56 PM
> To: Brian McGahan; ccielab@groupstudy.com
> Subject: RE: Ping Brian McGahan - Your NTP Paper
>
> So in other words, since by design only NTP clients should initiate
> authentication requests, NTP Authenticate should only be configured on
> NTP clients, correct?
>
> Kenneth E. Wygand
> Systems Engineer, Project Services
> CISSP #37102, CCNP, CCDP, ACSP, Cisco IPT Design Specialist, MCP, CNA,
> Network+, A+
> Custom Computer Specialists, Inc.
> "Success is to be measured not so much by the position one has reached
> in life as by the obstacles which he has overcome while trying to
> succeed."
> -Booker Taliaferro Washington
>
> -----Original Message-----
> From: Brian McGahan [mailto:bmcgahan@internetworkexpert.com]
> Sent: Friday, February 06, 2004 4:54 PM
> To: Kenneth Wygand; ccielab@groupstudy.com
> Subject: RE: Ping Brian McGahan - Your NTP Paper
>
> Ken,
>
> The point of the command is to show that it is not required and has
> no effect. The 'ntp authenticate' command instructs the router to issue
> an authentication challenge to servers or peers that have an associated
> authentication key configured. In case II of the paper, the client is
> not challenging the server. Therefore the authentication configuration
> on the server does not have any effect.
>
> http://www.internetworkexpert.com/resources/01700369.htm
>
>
> HTH,
>
> Brian McGahan, CCIE #8593
> bmcgahan@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987 x 705
> Outside US: 775-826-4344 x 705
>
>
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Kenneth Wygand
> > Sent: Friday, February 06, 2004 2:55 PM
> > To: ccielab@groupstudy.com
> > Subject: Ping Brian McGahan - Your NTP Paper
> >
> > Brian,
> >
> >
> >
> > This question relates to your white paper on NTP
> > (internetworkexpert.com), but can also be answered by the group.
> >
> >
> >
> > In the cases you list, case II is "Authentication on Master (R1) Only"
> > and case IV is "Authentication on Master (R1) and Client (R2)".
> >
> >
> >
> > The configuration for R1 in case II is as follows:
> >
> >
> >
> > <snip>
> >
> > R1(config)#ntp master 1
> >
> > R1(config)#ntp authenticate
> >
> > R1(config)#ntp authentication-key 1 md5 CISCO
> >
> > <snip>
> >
> >
> >
> > Yet the configuration for R1 in case IV is as follows:
> >
> >
> >
> > <snip>
> >
> > R1(config)#ntp master 1
> >
> > R1(config)#ntp authentication-key 1 md5 CISCO
> >
> > <snip>
> >
> >
> >
> > Note the command "ntp authenticate" is listed in R1's configuration in
> > case II but not in case IV. The description on both cases is that
> > Authentication *IS* enabled on R1. Was this done intentionally, and if
> > so, why is "ntp authenticate" only required in case II?
> >
> >
> >
> > Thanks!
> >
> >
> >
> > Kenneth E. Wygand
> > Systems Engineer, Project Services
> >
> > CISSP #37102, CCNP, CCDP, ACSP, Cisco IPT Design Specialist, MCP, CNA,
> > Network+, A+
> > Custom Computer Specialists, Inc.
> >
> > "Success is to be measured not so much by the position one has reached
> > in life as by the obstacles which he has overcome while trying to
> > succeed."
> > -Booker Taliaferro Washington
> >
> >
>
This archive was generated by hypermail 2.1.4 : Fri Mar 05 2004 - 07:13:48 GMT-3
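
An added example, not part of the thread or of the paper it discusses: a small Python audit that applies the rule stated in Brian's reply (with "ntp authenticate", only servers or peers that have a key configured are challenged) to the setup described in question 2 and to R1's case II lines quoted above. The `audit_ntp` helper, the status strings and the sample addresses are assumptions made for this illustration; treating a key as usable only when it is both defined and trusted follows the commands named in question 2.

```python
# Constructed sample for question 2: unauthenticated upstream server,
# authenticated peer. Addresses are placeholders, not from the thread.
R1_PEERING = """\
ntp authentication-key 1 md5 CISCO
ntp authenticate
ntp trusted-key 1
ntp server 192.0.2.10
ntp peer 10.0.0.2 key 1
"""

# R1's case II lines as quoted in the thread (prompt included).
R1_CASE_II = """\
R1(config)#ntp master 1
R1(config)#ntp authenticate
R1(config)#ntp authentication-key 1 md5 CISCO
"""

def audit_ntp(config):
    """Return ({address: status}, authenticate_has_no_effect)."""
    authenticate, keys, trusted, assocs = False, set(), set(), []
    for line in config.splitlines():
        words = line.split("#")[-1].split()   # drop a "R1(config)#" prompt
        if words[:1] != ["ntp"] or len(words) < 2:
            continue
        if words[1] == "authenticate":
            authenticate = True
        elif words[1] == "authentication-key" and len(words) >= 3:
            keys.add(words[2])                # key number is defined
        elif words[1] == "trusted-key" and len(words) >= 3:
            trusted.add(words[2])             # key number is trusted
        elif words[1] in ("server", "peer") and len(words) >= 3:
            has_key = "key" in words[3:-1]
            key = words[words.index("key") + 1] if has_key else None
            assocs.append((words[2], key))
    status = {}
    for addr, key in assocs:
        if key is None:
            status[addr] = "not challenged"
        elif authenticate and key in keys and key in trusted:
            status[addr] = "challenged with key " + key
        else:
            status[addr] = "key %s not enforced" % key
    # Case II: 'ntp authenticate' with no keyed server or peer to challenge.
    no_effect = authenticate and not any(key for _, key in assocs)
    return status, no_effect

if __name__ == "__main__":
    print(audit_ntp(R1_PEERING))
    print(audit_ntp(R1_CASE_II))
```

The "not enforced" status flags a keyed association whose key is undefined, untrusted, or configured without "ntp authenticate", which is the gap to look for when reviewing a peering like the one in question 2.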