Re: NTP question

From: Frank Gao (fgao20850@gmail.com)
Date: Sun Nov 18 2007 - 13:49:34 ART


I duplicated this behavior in the real rack. The symptom is the same.

There is another way to resolve it.
  Step 1: ntp master

  Wait for the ntp master to become "sane" with 127.127.7.1
  Step 2: ntp access-group serve-only 1

   It works without 127.127.7.1 in access-list 1.

If you configure "ntp access-group serve-only" before "ntp master", you have
to put 127.127.7.1 in the access-list. You can include 127.127.7.1 in the
access-list for either "ntp access-group peer" or "ntp access-group
serve-only".

Frank
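
A small configuration check for the situation in this thread, added here as an example and not part of any poster's message: it reads IOS-style configuration text and reports when "ntp master" is combined with "ntp access-group" but no peer or serve-only ACL permits 127.127.7.1. The function and variable names are hypothetical, and the rule encodes only the behaviour the posters report.

```python
import re
from ipaddress import IPv4Address

REFCLOCK = "127.127.7.1"  # address of the "ntp master" association in the thread's output

def to_int(addr):
    return int(IPv4Address(addr))

def parse_standard_acls(config):
    """Return {number: [(action, address, wildcard), ...]} for standard ACLs 1-99."""
    acls = {}
    for line in config.splitlines():
        m = re.match(r"access-list\s+(\d{1,2})\s+(permit|deny)\s+(.+)$", line.strip())
        if not m:
            continue
        rest = m.group(3).split()
        if rest[0] == "any":
            addr, wild = 0, 0xFFFFFFFF
        else:  # "host A.B.C.D" or "A.B.C.D [wildcard]"; no wildcard means one host
            host = rest[1] if rest[0] == "host" else rest[0]
            has_wild = rest[0] != "host" and len(rest) > 1 and rest[1][0].isdigit()
            addr, wild = to_int(host), to_int(rest[1]) if has_wild else 0
        acls.setdefault(m.group(1), []).append((m.group(2), addr, wild))
    return acls

def acl_permits(entries, ip):
    """First matching entry decides; running off the end is the implicit deny."""
    for action, addr, wild in entries:
        care = ~wild & 0xFFFFFFFF
        if (to_int(ip) & care) == (addr & care):
            return action == "permit"
    return False

def check_ntp_master_acl(config):
    """Flag 'ntp master' + 'ntp access-group' when no peer/serve-only ACL permits REFCLOCK."""
    words = [line.split() for line in config.splitlines()]
    groups = [w[2:4] for w in words if w[:2] == ["ntp", "access-group"] and len(w) >= 4]
    if ["ntp", "master"] not in [w[:2] for w in words] or not groups:
        return []
    acls = parse_standard_acls(config)  # an ACL with no entries here permits nothing (assumption)
    for kind, num in groups:
        if kind in ("peer", "serve-only") and acl_permits(acls.get(num, []), REFCLOCK):
            return []
    return ["ntp master with ntp access-group: no peer or serve-only ACL permits " + REFCLOCK]

# Constructed from the configurations quoted in this thread (hypothetical variable names).
INITIAL = "ntp source Loopback0\nntp access-group serve-only 1\nntp master\naccess-list 1 permit host 192.168.2.2\n"
FINAL = INITIAL + "ntp access-group peer 2\naccess-list 2 permit 127.127.7.1\n"
if __name__ == "__main__":
    print(check_ntp_master_acl(INITIAL), check_ntp_master_acl(FINAL))
```

The check looks only at the configuration text, so it cannot see the ordering case described above, where "ntp master" was already sane before the access-group was applied.
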
On Nov 18, 2007 10:22 AM, Edison Ortiz <edisonmortiz@gmail.com> wrote:

> Well, you do have problems with synchronization. Per your output, your NTP
> master status is 'insane'.
> The correct status is 'sane'. You need to allow the loopback address in the
> 'serve-only ACL'.
>
> I duplicated your scenario with Dynamips and I believe you are using the
> same. I wonder if this behavior
> is only seen with Dynamips (I don't have any live gear at the moment) hence
> the omission in the DocCD.
>
>
> Edison Ortiz
> Routing and Switching, CCIE # 17943
>
>
> _____
>
> From: George Goglidze [mailto:goglidze@gmail.com]
> Sent: Sunday, November 18, 2007 10:08 AM
> To: Edison Ortiz
> Cc: Cisco certification
> Subject: Re: NTP question
>
>
> Hi Ortiz,
>
> Actually with my configuration it works just fine.
>
> I have no problem with synchronization.
>
> The only question was:
>
> Why do I need to use an ACL allowing 127.127.7.1 as a peer?
> Also, DocCD says nothing about that!
>
> Many thanks for your help,
>
>
>
>
> On Nov 18, 2007 4:02 PM, Edison Ortiz <edisonmortiz@gmail.com> wrote:
>
>
> Ok,
>
> You were almost there with the ACL. 127.127.7.1 needs to be allowed but you
> placed it under ACL 2 not ACL 1.
>
> Try placing 127.127.7.1 on ACL 1 and it should work.
>
> Edison Ortiz
> Routing and Switching, CCIE # 17943
>
>
> _____
>
> From: George Goglidze [mailto:goglidze@gmail.com]
> Sent: Sunday, November 18, 2007 9:38 AM
> To: Edison Ortiz
> Subject: Re: NTP question
>
>
> Hi there,
>
> The clock is set manually to correct time.
> I do have correct time information on R1,
>
>
>
>
> On Nov 18, 2007 2:55 PM, Edison Ortiz <edisonmortiz@gmail.com> wrote:
>
>
> What's the current time on R1 ?
>
> From your output it seems the hardware clock is supplying 'Mon Jan 1 1900'
>
> Manually change the clock to a current time with the set clock command.
>
>
> Edison Ortiz
> Routing and Switching, CCIE # 17943
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> George Goglidze
> Sent: Sunday, November 18, 2007 7:32 AM
> To: Cisco certification
> Subject: NTP question
>
> Hi all,
>
> I have been working on NTP and have noticed a couple of things I'd like to
> share.
>
> I was working on ntp access-group,
> especially when I'm filtering clients that can request time from the
> server.
>
>
> Here was the initial configuration:
>
> server:
> int lo 0
> ip addr 192.168.1.1
> exit
>
> ntp source Loopback0
> ntp access-group serve-only 1
> ntp master
>
> access-list 1 permit host 192.168.2.2
>
> client:
>
>
> int lo 0
> ip addr 192.168.2.2
> exit
>
> ntp server 192.168.1.1
>
> ---------------
>
> for some reason this does not work:
> and actually, even R1 does not have ntp association OK.
>
> it shows:
>
> R1#sh ntp associations detail
> 127.127.7.1 configured, insane, invalid, unsynced, stratum 7
> ref ID 127.127.7.1, time 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
> our mode active, peer mode unspec, our poll intvl 64, peer poll intvl 64
> root delay 0.00 msec, root disp 0.00, reach 0, sync dist 0.000
> delay 0.00 msec, offset 0.0000 msec, dispersion 16000.00
> precision 2**24, version 3
> org time 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
> rcv time 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
> xmt time 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
> filtdelay = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
> filtoffset = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
> filterror = 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0
> Reference clock status: Running normally
> Timecode:
>
>
> and for this reason on R2 we get the following error on debug:
>
> .Jan 1 05:43:00.374: NTP: packet from 192.168.1.1 failed validity tests 20
> .Jan 1 05:43:00.374: Peer/Server Clock unsynchronized
>
> --------------------
>
>
> So on R1 I had to add the following line to be able to, let's say, make a sane
> relationship with the NTP master on loopback.
> The final config of the R1 server is:
>
> int lo 0
> ip addr 192.168.1.1
> exit
>
> ntp source Loopback0
> ntp access-group peer 2
> ntp access-group serve-only 1
> ntp master
>
>
>
> access-list 1 permit host 192.168.2.2
> access-list 2 permit 127.127.7.1
>
>
> ---------------------------------------------------
>
> I did not find anywhere in DocCd information that I had to do that, but it
> seems like it does not work without that.
>
> Can anyone tell me if I'm wrong?
> Maybe I'm doing something wrong after all.
>
>
> Thanks,
>
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>



This archive was generated by hypermail 2.1.4 : Sat Dec 01 2007 - 06:37:30 ART