I think I finally figured out why Cisco changed that IP address to
127.127.1.1.
For the version of IOS that I am running with 127.127.1.1 I didn't have to
add the internal loopback address to that access-group, but for IOS versions
that had the 127.127.7.1 IP address I had to include that loopback address in
the access group or else the local time sync would not work. Here are my
configs and outputs:
..... new IOS version without allowing the loopback address:

Rack1R4#sh run | i ntp
ntp access-group peer 1
ntp master 5
ntp peer 150.1.6.6

Rack1R4#sh ip access-lists 1
Standard IP access list 1
    20 permit 150.1.6.6 (68 matches)

Rack1R4#sh ntp associations
      address         ref clock     st  when  poll reach  delay  offset    disp
*~127.127.1.1     .LOCL.            4     7    16   377  0.000   0.000   0.241
 ~150.1.6.6       127.127.1.1       5    22    64   377  0.000  -4.211   5.791
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

Rack1R4#sh ver | i Ver
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 12.4(24)T2, RELEASE SOFTWARE (fc2)
ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
..... now for the old version:

BB2#sh run | i ntp
ntp master 4
ntp access-group peer 1

BB2#sh ip access-lists
Standard IP access list 1
    10 permit 4.4.4.4

BB2#sh ntp associations
      address         ref clock     st  when  poll reach  delay  offset    disp
*~127.127.7.1     127.127.7.1       3   972    64     0    0.0    0.00  16000.
* master (synced), # master (unsynced), + selected, - candidate, ~ configured

BB2#sh ver | i Ver
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 12.4(15)T, RELEASE SOFTWARE (fc3)
..... as you can see the difference in version, in loopback addresses and
whether the ACL with the loopback on the master is needed.
Hope that clears things up for people in the future, because it took me a few
hours to get this.
Regards,
Tom Kacprzynski
On Mon, Nov 15, 2010 at 3:53 PM, Tom Kacprzynski <tom.kac_at_gmail.com> wrote:
> Dale,
> If you do not have access to the Internet and can't connect to internet NTP
> servers, what you can do is setup a master NTP router. It basically says
> that this router can act as a root and you define which stratum it is at (just
> make that up). When you do so the router creates a virtual NTP root server
> using one of its loopback IP addresses. In this case it's 127.127.1.1.
>
> Now if you would like to apply any NTP access control like who can query
> this ntp server, who can this server sync time with...etc.. in your ACL you
> have to specify 127.127.1.1 or else it won't be able to talk to that
> internal server. This takes a while to expire but eventually no
> communication occurs and it's not synced.
>
> This is also referenced in
> http://blog.ine.com/2008/07/28/ntp-access-control/
>
> Hope that makes sense. I don't think that's that big of an issue in
> production networks, as most will sync with internet NTP servers, but
> in the lab I don't think you'll have that.
>
>
> Let me know if you have more questions.
>
> Regards,
>
> Tom Kacprzynski
>
>
> On Mon, Nov 15, 2010 at 2:33 PM, Dale Shaw <dale.shaw_at_gmail.com> wrote:
>
>> Hi Tom,
>>
>> On Tue, Nov 16, 2010 at 5:08 AM, Tom Kacprzynski <tom.kac_at_gmail.com>
>> wrote:
>> > I was wondering if anyone else noticed this, but it appears that Cisco
>> > changed their NTP reference IP address on master NTP routers from
>> > 127.127.7.1 to 127.127.1.1. Looks like this change occurs somewhere
>> > between 12.4.15T5 and 12.4.24T2.
>> >
>> > How would this relate to the CCIE lab? Well, if you have to configure an ntp
>> > access list on a master ntp router you would have to change the ip
>> > address to 127.127.1.1 from 127.127.7.1.
>>
>> What configuration scenario did you envisage that would have this
>> reference clock IP included in an ACL?
>>
>> (legitimately curious)
>>
>> cheers,
>> Dale
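The behaviour described in this thread (an `ntp access-group peer` ACL that does not permit the router's own 127.127.x.1 reference clock, and a local clock that consequently never becomes reachable) is easy to verify from two captures rather than by staring at the outputs. The script below is an added example written for this archive page, not code from the thread or from Cisco. It parses `show ntp associations` output in the column order shown above and standard ACL entries in running-config form (`access-list N permit A.B.C.D [wildcard]`, plus the `host` and `any` forms), then reports the local reference clock address, whether the peer ACL permits it, and whether the reach register shows it answering. The sample texts embedded in it are constructed, modelled on the outputs quoted in the thread.

```python
"""Check whether an IOS 'ntp master' router's local reference clock is
permitted by its 'ntp access-group peer' ACL and whether IOS reports it
as reachable.  Added example for this thread; the sample texts below are
constructed, modelled on the outputs quoted above, not taken from a live
device.  Assumes ACL entries in running-config form and the
'show ntp associations' column order shown in the thread."""
import ipaddress
import re

# Characters IOS prints in front of the address column (sys.peer / master,
# selected, candidate, outlyer, falseticker, configured) plus leading spaces.
# Their meaning differs between the two legends quoted in the thread, so the
# reach register, not the flag, is used to decide whether the clock answers.
FLAG_CHARS = "*#+-x~ "
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample: older image, peer ACL without the 127.127.7.1 refclock.
RUN_OLD = """\
ntp master 4
ntp access-group peer 1
access-list 1 permit 4.4.4.4
"""
ASSOC_OLD = """\
      address         ref clock     st  when  poll reach  delay  offset    disp
*~127.127.7.1     127.127.7.1       3   972    64     0    0.0    0.00  16000.
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
"""

# Constructed sample: newer image, same ACL shape, refclock reachable anyway.
RUN_NEW = """\
ntp access-group peer 1
ntp master 5
ntp peer 150.1.6.6
access-list 1 permit 150.1.6.6
"""
ASSOC_NEW = """\
      address         ref clock     st  when  poll reach  delay  offset    disp
*~127.127.1.1     .LOCL.            4     7    16   377  0.000   0.000    0.241
 ~150.1.6.6       127.127.1.1       5    22    64   377  0.000  -4.211    5.791
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
"""


def parse_standard_acls(run_config):
    """Map ACL name -> [(permit, network_int, wildcard_int), ...] in order."""
    acls = {}
    pat = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(.+)$")
    for line in run_config.splitlines():
        m = pat.match(line.strip())
        if not m:
            continue
        name, action, rest = m.groups()
        parts = rest.split()
        if parts[0] == "any":
            net, wc = "0.0.0.0", "255.255.255.255"
        elif parts[0] == "host":
            net, wc = parts[1], "0.0.0.0"
        else:
            net, wc = parts[0], (parts[1] if len(parts) > 1 else "0.0.0.0")
        acls.setdefault(name, []).append(
            (action == "permit",
             int(ipaddress.IPv4Address(net)),
             int(ipaddress.IPv4Address(wc))))
    return acls


def acl_permits(entries, addr):
    """First-match evaluation with the implicit deny IOS appends."""
    a = int(ipaddress.IPv4Address(addr))
    for permit, net, wc in entries:
        # Wildcard bits are 'don't care'; every other bit must agree.
        if (a | wc) == (net | wc):
            return permit
    return False


def parse_associations(text):
    """Parse 'show ntp associations' rows into dicts; skip header and legend."""
    rows = []
    for line in text.splitlines():
        body = line.lstrip(FLAG_CHARS)
        flags = line[:len(line) - len(body)]
        f = body.split()
        if len(f) < 9 or not IPV4.match(f[0]):
            continue
        rows.append({
            "flags": flags.strip(),
            "address": f[0],
            "refid": f[1],
            "stratum": int(f[2]),
            "reach": int(f[5], 8),          # reach is an octal shift register
            "disp": float(f[8].rstrip(".")),
        })
    return rows


def check_master(run_config, assoc_text):
    """Report the local refclock address, whether the 'ntp access-group peer'
    ACL permits it, and whether the reach register shows it answering."""
    local = [r for r in parse_associations(assoc_text)
             if r["address"].startswith("127.127.")]
    if not local:
        return {"refclock": None, "acl_permits": None, "synced": False}
    r = local[0]
    m = re.search(r"^ntp access-group peer (\S+)", run_config, re.M)
    if m is None:
        permitted = True                 # no peer ACL, nothing to block
    else:
        entries = parse_standard_acls(run_config).get(m.group(1), [])
        permitted = acl_permits(entries, r["address"])
    return {"refclock": r["address"],
            "acl_permits": permitted,
            "synced": r["reach"] != 0}


if __name__ == "__main__":
    for label, run, assoc in (("old", RUN_OLD, ASSOC_OLD),
                              ("new", RUN_NEW, ASSOC_NEW)):
        print(label, check_master(run, assoc))
```

Run against the two constructed captures, the old-image sample reports the refclock as not permitted and not reachable (reach 0), while the new-image sample reports the same ACL gap but a reachable clock, which is exactly the version difference the thread describes. Adding `access-list 1 permit 127.127.7.1` to the old configuration flips `acl_permits` to true; whether `synced` follows is something only a fresh `show ntp associations` can tell you.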
Blogs and organic groups at http://www.ccie.net
Received on Mon Nov 15 2010 - 16:06:27 ART