From: Brian McGahan (bmcgahan@internetworkexpert.com)
Date: Mon Feb 09 2004 - 13:31:05 GMT-3
Correct. A typical NTP design is for border devices to be clients
of the global time servers, while internal devices are peers of each other
as they are directly connected. Therefore if reachability to a global
server is lost, at least consistent time can be kept internally.
The application of the "key" on to either the peer or server
statement will initiate a challenge for that peer/server. Without this
command there will be no challenge.
HTH,
Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Kenneth Wygand
> Sent: Monday, February 09, 2004 8:57 AM
> To: Brian McGahan; ccielab@groupstudy.com
> Subject: RE: Ping Brian McGahan - Your NTP Paper
>
> Brian,
>
> Two more NTP questions:
>
> 1) If I am synchronizing R1 with an NTP master and synchronizing R2 with
> R1, I assume I do *NOT* need the "ntp master" command on R1. I believe
> R2 can synchronize with any device that is either a) an NTP master, or
> b) a device that has synchronized with an NTP master. Please confirm.
>
> 2) I want to use R1 and R2 to both synchronize with different external
> time sources. The NTP servers they get their time from do *NOT* use
> authentication. I also want them to peer with each other *WITH*
> authentication. I am assuming I need to use the "ntp authenticate" and
> "ntp trusted-key" commands, but that I only tack the "key" attribute
> onto the "ntp peer" configuration lines and leave the "ntp server" line
> without a key. Please confirm.
>
> Thanks again!
>
> Kenneth E. Wygand
> Systems Engineer, Project Services
> CISSP #37102, CCNP, CCDP, ACSP, Cisco IPT Design Specialist, MCP, CNA,
> Network+, A+
> Custom Computer Specialists, Inc.
> "Success is to be measured not so much by the position one has reached
> in life as by the obstacles which he has overcome while trying to
> succeed."
> -Booker Taliaferro Washington
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Brian McGahan
> Sent: Friday, February 06, 2004 6:13 PM
> To: Kenneth Wygand; ccielab@groupstudy.com
> Subject: RE: Ping Brian McGahan - Your NTP Paper
>
> Yep. A master can be a client of another master though, so you
> could end up in the case where you have authentication on a server
> challenging an upstream master.
>
> HTH,
>
> Brian McGahan, CCIE #8593
> bmcgahan@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987 x 705
> Outside US: 775-826-4344 x 705
>
>
> > -----Original Message-----
> > From: Kenneth Wygand [mailto:KWygand@customonline.com]
> > Sent: Friday, February 06, 2004 3:56 PM
> > To: Brian McGahan; ccielab@groupstudy.com
> > Subject: RE: Ping Brian McGahan - Your NTP Paper
> >
> > So in other words, since by design only NTP clients should initiate
> > authentication requests, NTP Authenticate should only be configured on
> > NTP clients, correct?
> >
> > Kenneth E. Wygand
> > Systems Engineer, Project Services
> > CISSP #37102, CCNP, CCDP, ACSP, Cisco IPT Design Specialist, MCP, CNA,
> > Network+, A+
> > Custom Computer Specialists, Inc.
> > "Success is to be measured not so much by the position one has reached
> > in life as by the obstacles which he has overcome while trying to
> > succeed."
> > -Booker Taliaferro Washington
> >
> > -----Original Message-----
> > From: Brian McGahan [mailto:bmcgahan@internetworkexpert.com]
> > Sent: Friday, February 06, 2004 4:54 PM
> > To: Kenneth Wygand; ccielab@groupstudy.com
> > Subject: RE: Ping Brian McGahan - Your NTP Paper
> >
> > Ken,
> >
> > The point of the command is to show that it is not required and has
> > no effect. The 'ntp authenticate' command instructs the router to issue
> > an authentication challenge to servers or peers that have an associated
> > authentication key configured. In case II of the paper, the client is
> > not challenging the server. Therefore the authentication configuration on
> > the server does not have any effect.
> >
> > http://www.internetworkexpert.com/resources/01700369.htm
> >
> >
> > HTH,
> >
> > Brian McGahan, CCIE #8593
> > bmcgahan@internetworkexpert.com
> >
> > Internetwork Expert, Inc.
> > http://www.InternetworkExpert.com
> > Toll Free: 877-224-8987 x 705
> > Outside US: 775-826-4344 x 705
> >
> >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > Kenneth Wygand
> > > Sent: Friday, February 06, 2004 2:55 PM
> > > To: ccielab@groupstudy.com
> > > Subject: Ping Brian McGahan - Your NTP Paper
> > >
> > > Brian,
> > >
> > >
> > >
> > > This question relates to your white paper on NTP
> > > (internetworkexpert.com), but can also be answered by the group.
> > >
> > >
> > >
> > > In the cases you list, case II is "Authentication on Master (R1) Only"
> > > and case IV is "Authentication on Master (R1) and Client (R2)".
> > >
> > >
> > >
> > > The configuration for R1 in case II is as follows:
> > >
> > >
> > >
> > > <snip>
> > >
> > > R1(config)#ntp master 1
> > >
> > > R1(config)#ntp authenticate
> > >
> > > R1(config)#ntp authentication-key 1 md5 CISCO
> > >
> > > <snip>
> > >
> > >
> > >
> > > Yet the configuration for R1 in case IV is as follows:
> > >
> > >
> > >
> > > <snip>
> > >
> > > R1(config)#ntp master 1
> > >
> > > R1(config)#ntp authentication-key 1 md5 CISCO
> > >
> > > <snip>
> > >
> > >
> > >
> > > Note the command "ntp authenticate" is listed in R1's configuration in
> > > case II but not in case IV. The description on both cases is that
> > > Authentication *IS* enabled on R1. Was this done intentionally, and if
> > > so, why is "ntp authenticate" only required in case II?
> > >
> > >
> > >
> > > Thanks!
> > >
> > >
> > >
> > > Kenneth E. Wygand
> > > Systems Engineer, Project Services
> > >
> > > CISSP #37102, CCNP, CCDP, ACSP, Cisco IPT Design Specialist, MCP, CNA,
> > > Network+, A+
> > > Custom Computer Specialists, Inc.
> > >
> > > "Success is to be measured not so much by the position one has reached
> > > in life as by the obstacles which he has overcome while trying to
> > > succeed."
> > > -Booker Taliaferro Washington
> > >
> > >
> > > _______________________________________________________________________
> > > Please help support GroupStudy by purchasing your study materials from:
> > > http://shop.groupstudy.com
> > >
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Fri Mar 05 2004 - 07:13:48 GMT-3
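
Added example, not part of the thread or of the white paper it discusses: a small Python check that reads IOS "ntp" configuration lines and reports, following the rules stated in the thread, which server/peer associations will actually be challenged. The sample configurations, the addresses and the audit_ntp helper are constructed for illustration, and trusted-key ranges are not handled.

```python
import re

# Constructed sample: R1 from the second question above (addresses made up).
R1_CONFIG = """\
ntp authentication-key 1 md5 CISCO
ntp authenticate
ntp trusted-key 1
ntp server 192.0.2.10
ntp peer 10.0.0.2 key 1
ntp peer 10.0.0.3 key 2
"""
# Constructed sample: a master with authentication lines but no keyed association.
MASTER_ONLY = "ntp master 1\nntp authenticate\nntp authentication-key 1 md5 CISCO\n"

def audit_ntp(config):
    """Hypothetical helper: return ({association: verdict}, [global notes])."""
    authenticate, defined, trusted, assocs = False, set(), set(), []
    for line in config.splitlines():
        words = line.split()
        if len(words) < 2 or words[0] != "ntp":
            continue
        if words[1] == "authenticate":
            authenticate = True
        elif words[1] == "authentication-key" and len(words) > 2:
            defined.add(words[2])
        elif words[1] == "trusted-key" and len(words) > 2:
            trusted.add(words[2])
        elif words[1] in ("server", "peer") and len(words) > 2:
            m = re.search(r"\skey\s+(\d+)", line)
            assocs.append((words[1], words[2], m.group(1) if m else None))
    status = {}
    for kind, addr, key in assocs:
        if key is None:
            verdict = "no challenge"          # no "key" on the statement
        elif not authenticate:
            verdict = "ntp authenticate missing"
        elif key not in defined:
            verdict = "key undefined"
        elif key not in trusted:
            verdict = "key not trusted"
        else:
            verdict = "challenged"
        status[f"{kind} {addr}"] = verdict
    notes = []
    if authenticate and not any(key for _, _, key in assocs):
        notes.append("ntp authenticate has no effect: no server/peer carries a key")
    return status, notes

if __name__ == "__main__":
    print(audit_ntp(R1_CONFIG), audit_ntp(MASTER_ONLY))
```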