Re: NTP question

From: Ali.Huang (zero5291@gmail.com)
Date: Mon Nov 19 2007 - 04:05:41 ART


I think you should check your client configuration, because your client
uses itself as ntp server.

On 11/19/07, Edison Ortiz <edisonmortiz@gmail.com> wrote:
> Frank,
>
> I'm afraid if you wait enough time it will go 'insane' :)
> If you want to verify, add an entry with deny log on that ACL and you
> will see 127.127.7.1 packets.
>
> Edison Ortiz
> Routing and Switching, CCIE # 17943
>
>
> _____
>
> From: fanggao@gmail.com [mailto:fanggao@gmail.com] On Behalf Of Frank Gao
> Sent: Sunday, November 18, 2007 11:50 AM
> To: Edison Ortiz; George Goglidze
> Cc: Cisco certification
> Subject: Re: NTP question
>
>
> I duplicated this behavior in the real rack. The symptom is the same.
>
> There is another way to resolve it.
> Step 1: ntp master
>
> Wait until the ntp master is "sane" with 127.127.7.1
> Step 2: ntp access-group serve-only 1
>
> It works without 127.127.7.1 in access-list 1.
>
> If you configure "ntp access-group serve-only" before "ntp master", you have
> to put 127.127.7.1 in access-list. You can include 127.127.7.1
> in access-list for either "ntp access-group peer" or
> "ntp access-group serve-only".
>
> Frank
>
> On Nov 18, 2007 10:22 AM, Edison Ortiz <edisonmortiz@gmail.com> wrote:
>
>
> Well, you do have problems with synchronization. Per your output, your NTP
> master status is 'insane'.
> The correct status is 'sane'. You need to allow the loopback address in the
> 'serve-only ACL'.
>
> I duplicated your scenario with Dynamips and I believe you are using the
> same. I wonder if this behavior
> is only seen with Dynamips (I don't have any live gear at the moment) hence
> the omission in the DocCD.
>
>
>
> Edison Ortiz
> Routing and Switching, CCIE # 17943
>
>
> _____
>
> From: George Goglidze [mailto:goglidze@gmail.com]
>
> Sent: Sunday, November 18, 2007 10:08 AM
> To: Edison Ortiz
> Cc: Cisco certification
> Subject: Re: NTP question
>
>
>
> Hi Ortiz,
>
> Actually with my configuration it works just fine.
>
> I have no problem with synchronization.
>
> The only question was:
>
>
> Why do I need to use ACL allowing: 127.127.7.1 as a peer.
> As well DocCD says nothing about that!
>
> Many thanks for your help,
>
>
>
>
> On Nov 18, 2007 4:02 PM, Edison Ortiz <edisonmortiz@gmail.com> wrote:
>
>
> Ok,
>
> You were almost there with the ACL. 127.127.7.1 needs to be allowed but you
> placed it under ACL 2 not ACL 1.
>
> Try placing 127.127.7.1 on ACL 1 and it should work.
>
> Edison Ortiz
> Routing and Switching, CCIE # 17943
>
>
> _____
>
> From: George Goglidze [mailto:goglidze@gmail.com]
> Sent: Sunday, November 18, 2007 9:38 AM
> To: Edison Ortiz
> Subject: Re: NTP question
>
>
> Hi there,
>
> The clock is set manually to correct time.
> I do have correct time information on R1,
>
>
>
>
>
> On Nov 18, 2007 2:55 PM, Edison Ortiz <edisonmortiz@gmail.com> wrote:
>
>
> What's the current time on R1 ?
>
> From your output it seems the hardware clock is supplying 'Mon Jan 1 1900'
>
> Manually change the clock to a current time with the set clock command.
>
>
> Edison Ortiz
> Routing and Switching, CCIE # 17943
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> George Goglidze
> Sent: Sunday, November 18, 2007 7:32 AM
> To: Cisco certification
> Subject: NTP question
>
> Hi all,
>
> I have been working on NTP and have noticed a couple of things I'd like to share,
>
> I was working on ntp access-group
> Especially when I'm filtering clients that can request time from the server.
>
>
>
> here was initial configuration:
>
> server:
> int lo 0
> ip addr 192.168.1.1
> exit
>
> ntp source Loopback0
> ntp access-group serve-only 1
> ntp master
>
> access-list 1 permit host 192.168.2.2
>
> client:
>
> int lo 0
> ip addr 192.168.2.2
> exit
>
> ntp server 192.168.2.2
>
> ---------------
>
> for some reason this does not work:
> and actually, even R1 does not have ntp association OK.
>
> it shows:
>
> R1#sh ntp associations detail
> 127.127.7.1 configured, insane, invalid, unsynced,
> stratum 7 ref ID
> 127.127.7.1, time 00000000.00000000 (00:00:00.000 UTC
> Mon Jan 1 1900) our
> mode active, peer mode unspec, our poll intvl 64, peer poll intvl 64 root
> delay 0.00 msec, root disp 0.00, reach 0, sync dist 0.000 delay 0.00 msec,
> offset 0.0000 msec, dispersion 16000.00 precision 2**24, version 3 org time
> 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900) rcv time
> 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900) xmt time
> 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
> filtdelay = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
> filtoffset = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
> filterror = 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0
> Reference clock status: Running normally
> Timecode:
>
>
> and for this reason on R2 we get following error on debug:
>
> .Jan 1 05:43:00.374: NTP: packet from 192.168.1.1
> failed validity tests 20
> .Jan 1 05:43:00.374: Peer/Server Clock unsynchronized
>
> --------------------
>
>
> So on R1 I had to add the following line, to be able to, let's say, make a sane
> relationship with NTP master on loopback.
> the final config of R1 server is:
>
> int lo 0
> ip addr 192.168.1.1
> exit
>
> ntp source Loopback0
> ntp access-group peer 2
> ntp access-group serve-only 1
> ntp master
>
>
>
> access-list 1 permit host 192.168.2.2
> access-list 2 permit 127.127.7.1
>
>
> ---------------------------------------------------
>
> I did not find anywhere in DocCd information that I had to do that, but it
> seems like it does not work without that.
>
> Can anyone tell me if I'm wrong?
> Maybe I'm doing something wrong after all.
>
>
> Thanks,
>
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>

-- 
THX.
Ali.huang
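
Added example (not part of any message in this thread, and not Cisco code): a small Python check for the two misconfigurations the thread identifies, an "ntp master" whose "ntp access-group" ACLs do not permit 127.127.7.1, and an "ntp server" statement that points at the device's own address. It goes slightly beyond the thread by also evaluating wildcard masks and "any"; the function names, the sample configurations and the treatment of a referenced but undefined ACL as permitting nothing are assumptions of this sketch.

```python
import ipaddress
import re

REFCLOCK = ipaddress.ip_address("127.127.7.1")  # address the thread shows for "ntp master"
def acl_permits(entries, addr):
    """Standard ACL semantics: first match wins, implicit deny at the end."""
    for action, net in entries:
        if addr in net:
            return action == "permit"
    return False

def lint_ntp(config):
    """Return a list of findings for one device's configuration text."""
    acls, groups, own, servers, master = {}, [], set(), [], False
    for line in (re.sub(r"\s+log$", "", l.strip()) for l in config.splitlines()):
        if m := re.match(r"access-list (\d+) (permit|deny) (?:host )?(\S+)(?: (\S+))?$", line):
            num, action, addr, wild = m.groups()
            if addr == "any":
                addr, wild = "0.0.0.0", "255.255.255.255"
            # a wildcard mask is the inverse of a netmask; contiguous masks assumed
            inv = int(ipaddress.ip_address(wild or "0.0.0.0")) ^ 0xFFFFFFFF
            net = ipaddress.ip_network(f"{addr}/{ipaddress.ip_address(inv)}", strict=False)
            acls.setdefault(num, []).append((action, net))
        elif m := re.match(r"ntp access-group (\S+) (\d+)$", line):
            groups.append(m.groups())
        elif m := re.match(r"ip addr(?:ess)? (\S+)", line):
            own.add(m.group(1))
        elif m := re.match(r"ntp server (\S+)", line):
            servers.append(m.group(1))
        elif re.match(r"ntp master\b", line):
            master = True
    findings = []
    if master and groups and not any(
            acl_permits(acls.get(num, []), REFCLOCK) for _, num in groups):
        findings.append("ntp master with ntp access-group, but no referenced ACL permits 127.127.7.1")
    findings += [f"ntp server {s} is this device's own address" for s in servers if s in own]
    return findings

# Constructed inputs modelled on the configurations quoted in the thread.
SERVER_INITIAL = """
ntp access-group serve-only 1
ntp master
access-list 1 permit host 192.168.2.2
"""
SERVER_FIXED = SERVER_INITIAL + "access-list 1 permit 127.127.7.1\n"
CLIENT_INITIAL = """
int lo 0
 ip addr 192.168.2.2
ntp server 192.168.2.2
"""
```

lint_ntp(SERVER_INITIAL) and lint_ntp(CLIENT_INITIAL) each return one finding, while lint_ntp(SERVER_FIXED) returns an empty list.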


This archive was generated by hypermail 2.1.4 : Sat Dec 01 2007 - 06:37:30 ART