Hi Mohammad,
Based on the three points in your requirement, here is what I believe the
solution looks like:
R1
ntp master 1
R5
ntp server 1.1.1.1
ntp master 2 <-- this ensures R5's local source is at the same stratum
level as R1
ntp authentication-key 1 md5 cisco
R3
ntp authenticate
ntp authentication-key 1 md5 cisco
ntp trusted-key 1
ntp server 10.10.0.5 key 1
ntp source lo0
SW1 / SW2
ntp server 10.10.0.5
ntp source lo0
Because R5 is not allowed to request time from R3, only R3 authenticates the
NTP request (only the peer or client authenticates the received NTP packet).
But R5 needs to include the authentication info in the packet, which is why
the key is configured on R5.
I haven't put in the extra ACLs and such because it appears extra to the
requirement, but you can put them in if you want.
Cheers,
Gavin
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
mohmmad imran
Sent: 10 March 2011 20:34
To: ccielab_at_groupstudy.com
Subject: VRF aware NTP Access-group Control and Authentication
Hi experts,
I have the following Scenario:-
R5(VRF->VPN-A)---------SW1-----------SW2
|
|
|
|
R3
R5 syncs its time with server 1.1.1.1 (it is in the Global Routing table).
Now we want R5 to act as NTP server for the systems in Site-1 under VRF
VPN-A (R3, SW1, SW2). The requirements are as follows:-
1) R5 should sync its time only from 1.1.1.1 and from internal clock
2) R3 and R5 should authenticate each other
3) SW1 and SW2 sync their time with R5
Below is my config:-
R5#
ntp server 1.1.1.1
ntp master 2
ntp access-group peer 2
ntp access-group serve-only 1
ntp authentication-key 1 md5 cisco
ntp authenticate
ntp trusted-key 1
ntp peer vrf VPN-A 10.10.3.3 key 1
access-list 2 permit 127.127.7.1
access-list 2 permit 1.1.1.1
access-list 1 permit 10.10.3.3
access-list 1 permit 10.10.7.7
access-list 1 permit 10.10.8.8
R3
ntp authentication-key 1 md5 cisco
ntp authenticate
ntp trusted-key 1
ntp server 10.10.0.5 key 1
ntp source lo 0
Sw1
ntp server 10.10.0.5
ntp source lo 0
SW2
ntp server 10.10.0.5
ntp source lo 0
Just wanted to know if my config is correct or if I missed something; all
systems are able to sync clock with R5.
Thanks
Imran
Received on Mon Mar 14 2011 - 18:31:14 ART
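Added example, not part of the original thread and not Cisco IOS code: a simplified Python model of the NTP symmetric-key MAC (a 32-bit key ID followed by MD5 of the key plus the 48-byte header), showing why the key must exist on R5 while only the receiving client verifies it. The function names, the constructed header bytes and the reply logic are illustrative assumptions that follow the behaviour described in the reply above.

```python
import hashlib
import hmac
import struct

MAC_LEN = 4 + 16  # 32-bit key ID + 128-bit MD5 digest

# Constructed 48-byte NTP header: LI=0, VN=4, mode=4 (server), stratum 2.
HEADER = bytes([0x24, 2, 6, 0xEC]) + bytes(44)

def ntp_mac(key_id, secret, header):
    """Key ID followed by MD5(secret || header): the NTP symmetric-key MAC."""
    return struct.pack("!I", key_id) + hashlib.md5(secret + header).digest()

def server_reply(header, requested_key, configured_keys):
    """Server (R5): can only sign if it holds the key the client asked for."""
    if requested_key in configured_keys:
        return header + ntp_mac(requested_key, configured_keys[requested_key], header)
    return header  # no key on the server -> reply carries no MAC

def client_accepts(packet, authenticate, trusted_keys):
    """Client (R3, SW1, SW2): the receiver is the side that checks the MAC."""
    header, mac = packet[:48], packet[48:]
    if not authenticate:
        return True  # no 'ntp authenticate': the MAC is never checked
    if len(mac) != MAC_LEN:
        return False  # authentication required but the reply is unsigned
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in trusted_keys:
        return False  # key not listed under 'ntp trusted-key'
    expected = ntp_mac(key_id, trusted_keys[key_id], header)
    return hmac.compare_digest(mac, expected)

if __name__ == "__main__":
    r3 = {1: b"cisco"}
    signed = server_reply(HEADER, 1, {1: b"cisco"})
    print("R3, key on R5:       ", client_accepts(signed, True, r3))
    print("R3, no key on R5:    ", client_accepts(server_reply(HEADER, 1, {}), True, r3))
    print("SW1, unauthenticated:", client_accepts(HEADER, False, {}))
```

Because SW1 and SW2 run without 'ntp authenticate', the key on R5 gives them no assurance about where their time comes from.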