RE: NTP Server

From: Tony Varriale (tvarriale@flamboyaninc.com)
Date: Sun Jan 04 2009 - 02:02:40 ARST


Actually, the "ntp clock-period" command is generated by the router when NTP
is enabled...it should not be entered by the person on it. So, that is not
needed.

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Jared Scrivener
Sent: Saturday, January 03, 2009 8:38 PM
To: 'Radioactive Frog'; 'Mr.M'
Cc: 'John Edom'; 'Eric Brouwers'; 'GS'; 'Ed Man'
Subject: RE: NTP Server

Nope. For what you want to do, you need:

Server:
ntp authentication-key 1 md5 CISCO1
ntp authentication-key 2 md5 CISCO2
ntp authentication-key 3 md5 CISCO3
ntp master 4

Client1:
ntp authentication-key 2 md5 CISCO2

ntp trusted-key 2
ntp authenticate
ntp clock-period 17179828
ntp server 1.1.1.1 key 1

 

:-)

Cheers,

Jared Scrivener CCIE3 #16983 (R&S, Security, SP), CISSP
Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Fax: +1.810.454.0130
Mailto: jscrivener@ipexpert.com

  _____

From: Radioactive Frog [mailto:pbhatkoti@gmail.com]
Sent: Saturday, 3 January 2009 9:24 PM
To: Mr.M
Cc: John Edom; Jared Scrivener; Eric Brouwers; GS; Ed Man
Subject: Re: NTP Server

 

Interesting.....

What will happen in the scenario below?

Server:
ntp authentication-key 1 md5 CISCO1
ntp authentication-key 2 md5 CISCO2
ntp authentication-key 3 md5 CISCO3
ntp trusted-key 2 <----------------------------------?
ntp master 4

Client1:
ntp authentication-key 1 md5 032772382520 7
ntp authenticate
ntp clock-period 17179828
ntp server 1.1.1.1 key 1

NTP server has 3 keys - key1, key2, key3.
I want client1 to be authenticated with the server's key #2 only. Will 'ntp
trusted-key 2' on the server play any role in this scenario?

-frog

On Sat, Jan 3, 2009 at 7:28 AM, Mr.M <mnoktes@gmail.com> wrote:

Kewl....thanks for getting back. Just lab it up too..you are right.

 ----- Original Message -----
 From: John Edom
 To: Jared Scrivener
 Cc: Mr.M ; Eric Brouwers ; GS ; Ed Man
 Sent: Friday, January 02, 2009 3:17 PM
 Subject: Re: NTP Server

 Yes, AFAIK, client authenticate server is it valid ntp server so client will use trusted-key to verify server...

 Regards

 On Fri, Jan 2, 2009 at 11:58 PM, Jared Scrivener <jscrivener@ipexpert.com> wrote:

   Hey Guys,

   Eric is right on this one (as is the IE blog). The NTP trusted-key command
   is only needed on an NTP client to specify which server's NTP packets to
   trust based on their NTP key.

   http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_10.html#wp1015038

   Cheers,

   Jared Scrivener CCIE3 #16983 (R&S, Security, SP), CISSP
   Technical Instructor - IPexpert, Inc.
   Telephone: +1.810.326.1444
   Fax: +1.810.454.0130
   Mailto: jscrivener@ipexpert.com

   -----Original Message-----
   From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Mr.M
   Sent: Friday, 2 January 2009 2:39 PM
   To: Eric Brouwers; GS
   Cc: Ed Man
   Subject: Re: NTP Server

   Eric,
    I don't know if that is a correct statement. Please refer to the Cisco website
   below and look at step 4.

   http://www.cisco.com/univercd/cc/td/doc/product/netsec/secmgmt/asdmhelp/5_0procs/conf-ips/ntpserv.htm

   Also, I don't see that internetworkexpert states that this command is used only
   on the client. From what I understand, if you have more than one key on the server,
   then you can use this command to specify the one you want.

   Cheers,
   Monty
   ----- Original Message -----
   From: "Eric Brouwers" <EricBrouwers@vodafone.nl>
   To: "GS" <ccielab@groupstudy.com>
   Cc: "Ed Man" <networkexpert08@gmail.com>
   Sent: Friday, January 02, 2009 1:05 PM
   Subject: Re: NTP Server

> Ed,
>
> Note that client authenticates server. ntp trusted-key statement is only
> needed on client. Server side only needs the ntp authentication-key.
> Check out this link:
> http://www.internetworkexpert.com/resources/ntp-authentication.htm
>
> It shows following example:
>
> Server:
>
> ntp master 1
> ntp authentication-key 1 md5 CISCO
>
> Client:
>
> ntp authenticate
> ntp authentication-key 1 md5 CISCO
> ntp trusted-key 1
> ntp server 12.0.0.1 key 1
>
> Eric Brouwers
>
> Radioactive Frog wrote:
>
> Hi Ed,
> 'ntp trusted-key 1' is to tell router which key is valid for NTP
> authentication.
> Mind you, ntp server will still be syncing time with other non-authenticated
> clients. e.g. client not configured to use authentication with server.
> The only way to do that is to apply ACL.
>
> HTH
> -Frog
> CCIE voice#21569
>
> On Sat, Jan 3, 2009 at 12:10 AM, Ed Man <networkexpert08@gmail.com> wrote:
>
> Hi Group,
>
> Got confused when labbing with NTP...
>
> Server:
> ntp authentication-key 1 md5 CISCO 0
> ntp trusted-key 1
> ntp master 4
>
> Client:
> ntp authentication-key 1 md5 032772382520 7
> ntp authenticate
> ntp clock-period 17179828
> ntp server 1.1.1.1 key 1
>
> If "ntp trusted-key 1" is removed from server, client can synchronize with
> server.
>
> My question is that do we really need server to have "ntp trusted-key 1"
> configured.
>
> Thanks
> Ed.
>



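A simplified Python model of the exchange discussed in this thread, added here as an illustration; it is not code from any poster and not Cisco's implementation. The MAC layout (32-bit key ID followed by MD5 over the secret and the packet header) is the NTP symmetric-key scheme; the function names, the zeroed constructed headers, and a server that signs with any defined key without consulting a trusted-key list are assumptions taken from the thread's description.

```python
import hashlib, hmac, struct

def mac(key_id, secret, header):
    """Symmetric-key NTP MAC: 32-bit key ID, then MD5(secret || header)."""
    return struct.pack("!I", key_id) + hashlib.md5(secret + header).digest()

def client_request(keys, assoc_key):
    header = b"\x23" + bytes(47)          # constructed header: VN=4, mode 3 (client)
    if assoc_key in keys:                 # 'ntp server ... key N' with key N defined
        return header + mac(assoc_key, keys[assoc_key], header)
    return header                         # no key: plain, unauthenticated request

def server_reply(server_keys, request):
    """Model assumption: the server signs with any key it has defined and
    never consults a trusted-key list; it does not verify the request MAC."""
    header = b"\x24" + bytes(47)          # constructed header: VN=4, mode 4 (server)
    if len(request) > 48:
        key_id = struct.unpack("!I", request[48:52])[0]
        if key_id in server_keys:
            return header + mac(key_id, server_keys[key_id], header)
    return header                         # unauthenticated clients are still answered

def client_accepts(keys, trusted, authenticate, assoc_key, reply):
    if not authenticate:                  # model assumption: no 'ntp authenticate', no check
        return True
    if assoc_key not in keys or assoc_key not in trusted:
        return False                      # key must be defined and trusted on the client
    expected = mac(assoc_key, keys[assoc_key], reply[:48])
    return hmac.compare_digest(reply[48:], expected)

def sync(server_keys, keys, trusted, authenticate, assoc_key):
    reply = server_reply(server_keys, client_request(keys, assoc_key))
    return client_accepts(keys, trusted, authenticate, assoc_key, reply)

SERVER = {1: b"CISCO1", 2: b"CISCO2", 3: b"CISCO3"}   # constructed secrets

if __name__ == "__main__":
    print("key 2 defined and trusted:", sync(SERVER, {2: b"CISCO2"}, {2}, True, 2))
    print("key 2 defined, not trusted:", sync(SERVER, {2: b"CISCO2"}, set(), True, 2))
    print("wrong secret for key 2:", sync(SERVER, {2: b"WRONG"}, {2}, True, 2))
    print("no authentication at all:", sync(SERVER, {}, set(), False, None))
```

The last case is the situation Frog describes: a client that never enables authentication is still served, so key configuration alone does not restrict who can sync.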