From: Radioactive Frog (pbhatkoti@gmail.com)
Date: Sun Jan 04 2009 - 00:44:27 ARST
Thanks Jared. It's just like a database of keys in the "server".
On Sun, Jan 4, 2009 at 1:38 PM, Jared Scrivener <jscrivener@ipexpert.com> wrote:
> Nope. For what you want to do, you need:
>
> Server:
> ntp authentication-key 1 md5 CISCO1
> ntp authentication-key 2 md5 CISCO2
> ntp authentication-key 3 md5 CISCO3
> ntp master 4
>
> Client1:
> ntp authentication-key 2 md5 CISCO2
>
> ntp trusted-key 2
> ntp authenticate
> ntp clock-period 17179828
> ntp server 1.1.1.1 key 1
>
> :)
>
> Cheers,
>
> Jared Scrivener CCIE3 #16983 (R&S, Security, SP), CISSP
> Technical Instructor - IPexpert, Inc.
> Telephone: +1.810.326.1444
> Fax: +1.810.454.0130
> Mailto: jscrivener@ipexpert.com
> ------------------------------
>
> *From:* Radioactive Frog [mailto:pbhatkoti@gmail.com]
> *Sent:* Saturday, 3 January 2009 9:24 PM
> *To:* Mr.M
> *Cc:* John Edom; Jared Scrivener; Eric Brouwers; GS; Ed Man
> *Subject:* Re: NTP Server
>
>
>
> Interesting.....
>
> What will happen in the scenario below?
>
> Server:
> ntp authentication-key 1 md5 CISCO1
> ntp authentication-key 2 md5 CISCO2
> ntp authentication-key 3 md5 CISCO3
> ntp trusted-key 2 <----------------------------------?
> ntp master 4
>
> Client1:
> ntp authentication-key 1 md5 032772382520 7
> ntp authenticate
> ntp clock-period 17179828
> ntp server 1.1.1.1 key 1
>
>
>
> NTP server has 3 keys - key1, key2, key3.
> I want client1 to be authenticated with the server's key #2 only. Will 'ntp
> trusted-key 2' on the server play any role in this scenario?
>
> -frog
>
>
>
>
> On Sat, Jan 3, 2009 at 7:28 AM, Mr.M <mnoktes@gmail.com> wrote:
>
> Kewl....thanks for getting back. Just lab it up too..you are right.
>
> ----- Original Message -----
> From: John Edom
> To: Jared Scrivener
> Cc: Mr.M ; Eric Brouwers ; GS ; Ed Man
> Sent: Friday, January 02, 2009 3:17 PM
> Subject: Re: NTP Server
>
> Yes, AFAIK, the client authenticates the server to check that it is a valid
> NTP server, so the client will use trusted-key to verify the server...
>
> Regards
>
>
> On Fri, Jan 2, 2009 at 11:58 PM, Jared Scrivener <jscrivener@ipexpert.com> wrote:
>
> Hey Guys,
>
> Eric is right on this one (as is the IE blog). The NTP trusted-key command
> is only needed on an NTP client to specify which server's NTP packets to
> trust based on their NTP key.
>
> http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_10.html#wp1015038
>
> Cheers,
>
> Jared Scrivener CCIE3 #16983 (R&S, Security, SP), CISSP
> Technical Instructor - IPexpert, Inc.
> Telephone: +1.810.326.1444
> Fax: +1.810.454.0130
> Mailto: jscrivener@ipexpert.com
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Mr.M
> Sent: Friday, 2 January 2009 2:39 PM
> To: Eric Brouwers; GS
> Cc: Ed Man
> Subject: Re: NTP Server
>
> Eric,
> I don't know if that is a correct statement. Please refer to the Cisco
> website below and look at step 4.
>
> http://www.cisco.com/univercd/cc/td/doc/product/netsec/secmgmt/asdmhelp/5_0procs/conf-ips/ntpserv.htm
>
> Also I don't see that internetworkexpert states that this command is used
> only on the client. From what I understand, if you have more than one key on
> the server, then you can use this command to specify the one you want.
>
> Cheers,
> Monty
> ----- Original Message -----
> From: "Eric Brouwers" <EricBrouwers@vodafone.nl>
> To: "GS" <ccielab@groupstudy.com>
> Cc: "Ed Man" <networkexpert08@gmail.com>
> Sent: Friday, January 02, 2009 1:05 PM
> Subject: Re: NTP Server
>
>
> > Ed,
> >
> > Note that client authenticates server. ntp trusted-key statement is only
> > needed on client. Server side only needs the ntp authentication-key.
> > Check out this link:
> > http://www.internetworkexpert.com/resources/ntp-authentication.htm
> >
> > It shows following example:
> >
> > Server:
> >
> > ntp master 1
> > ntp authentication-key 1 md5 CISCO
> >
> > Client:
> >
> > ntp authenticate
> > ntp authentication-key 1 md5 CISCO
> > ntp trusted-key 1
> > ntp server 12.0.0.1 key 1
> >
> > Eric Brouwers
> >
> > Radioactive Frog wrote:
> >
> > Hi Ed,
> > 'ntp trusted-key 1' is to tell router which key is valid for NTP
> > authentication.
> > Mind you, ntp server will still be syncing time with other
> > non-authenticated clients. e.g. client not configured to use
> > authentication with server.
> > The only way to do that is to apply ACL.
> >
> > HTH
> > -Frog
> > CCIE voice#21569
> >
> > On Sat, Jan 3, 2009 at 12:10 AM, Ed Man <networkexpert08@gmail.com> wrote:
> >
> > Hi Group,
> >
> > Got confused when labbing with NTP...
> >
> > Server:
> > ntp authentication-key 1 md5 CISCO 0
> > ntp trusted-key 1
> > ntp master 4
> >
> > Client:
> > ntp authentication-key 1 md5 032772382520 7
> > ntp authenticate
> > ntp clock-period 17179828
> > ntp server 1.1.1.1 key 1
> >
> > If "ntp trusted-key 1" is removed from the server, the client can
> > synchronize with the server.
> >
> > My question is: do we really need the server to have "ntp trusted-key 1"
> > configured?
> >
> > Thanks
> > Ed.
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:43:36 ARST
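
A simplified Python model of the exchange discussed in this thread, added here as an example (not code from any poster or from Cisco IOS): the server only holds keys, while the client decides with its trusted-key set whether a reply is accepted. The function names, the all-zero packet bodies and the `exchange` helper are constructed for illustration; the trailer layout (32-bit key ID followed by MD5 over key plus header) is the standard NTP symmetric-key format.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48  # fixed NTP header; key ID + digest follow it

def digest(key, header):
    # NTP symmetric-key MAC: MD5 over the shared key followed by the header.
    return hashlib.md5(key + header).digest()

def sign(header, key_id, keys):
    # Trailer is the 32-bit key ID plus the 16-byte digest.
    return header + struct.pack("!I", key_id) + digest(keys[key_id], header)

def mac_ok(packet, keys):
    # Return the key ID if the packet carries a valid MAC for a key we hold.
    header, trailer = packet[:HEADER_LEN], packet[HEADER_LEN:]
    if len(trailer) != 20:
        return None
    key_id = struct.unpack("!I", trailer[:4])[0]
    if key_id in keys and hmac.compare_digest(digest(keys[key_id], header), trailer[4:]):
        return key_id
    return None

def server_reply(request, server_keys, reply_header):
    # The server answers with the key ID the client used (no trusted-key
    # needed); an unauthenticated request still gets a plain reply.
    key_id = mac_ok(request, server_keys)
    return reply_header if key_id is None else sign(reply_header, key_id, server_keys)

def client_accepts(reply, client_keys, trusted, authenticate=True):
    # 'ntp authenticate' makes the MAC mandatory; 'ntp trusted-key' decides
    # which key IDs are allowed to vouch for a time source.
    if not authenticate:
        return True
    key_id = mac_ok(reply, client_keys)
    return key_id is not None and key_id in trusted

# Constructed sample data: key strings from the thread, all-zero packet bodies.
SERVER_KEYS = {1: b"CISCO1", 2: b"CISCO2", 3: b"CISCO3"}
REQUEST = bytes([0x1B]) + bytes(47)  # version 3, mode 3 (client)
REPLY = bytes([0x1C]) + bytes(47)    # version 3, mode 4 (server)

def exchange(client_keys, trusted, use_key):
    # Hypothetical helper: one request/reply round trip for an authenticating client.
    reply = server_reply(sign(REQUEST, use_key, client_keys), SERVER_KEYS, REPLY)
    return client_accepts(reply, client_keys, trusted)
```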