Tuesday, March 24, 2009

Problems Faced During NTP Deployment

During the implementation of NTP we faced a lot of issues. I am covering almost all of them here, since they will be useful to others during deployment. The exception is stratum, because you will find a lot of information about stratum. The main purpose of writing this document is that I have never seen any document on the internet that describes these issues.
a) Whenever a router works as NTP master, the address 127.127.7.1 appears by default. So when securing NTP with an ACL, take care to permit this IP address. This address is useful for peer synchronization.
Router# show ntp associations

address ref clock st when poll reach delay offset disp
*~127.127.7.1 127.127.7.1 7 27 64 377 0.0 0.00 0.0
* master (synced), # master (unsynced), + selected, - candidate, ~ configured

b) When using an access list for peers, always permit the 127.127.7.1 address in the ACL. If it is left out by mistake, the two peers will never sync with each other.
Router(config)# ntp access-group peer 1
Router(config)# access-list 1 permit 10.10.10.40 0.0.0.0
Router(config)# ntp peer 10.10.10.40
Router# show ntp associations

address ref clock st when poll reach delay offset disp
*~10.10.10.10 127.127.7.1 8 58 64 37 424.0 -287.6 937.9
~10.10.10.40 10.10.10.10 9 1 64 6 128.0 -402.8 8128.1
* master (synced), # master (unsynced), + selected, - candidate, ~ configured

If you are getting only the tilde (~), there may be a problem in the ACL, or 127.127.7.1 is not permitted in the ACL. Check your ACL and configs. As soon as you add 127.127.7.1, the output changes.
Note: NTP doesn't support named ACLs. Every IP address defined in the peer ACL, except 127.127.7.1, must also be added manually with the peer command; otherwise it won't work.
Router# show ntp associations

address ref clock st when poll reach delay offset disp
*~10.10.10.10 127.127.7.1 8 58 64 37 424.0 -287.6 937.9
+~10.10.10.40 10.10.10.10 9 1 64 6 128.0 -402.8 8128.1
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
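
The checks from items a) and b) and the note above can be run against a saved configuration and a captured `show ntp associations` output. The script below is an added example, not part of the original post; the function names are hypothetical, the sample text is constructed from the commands and output shown above, and it assumes the ACL uses host entries only.

```python
import re

LOCAL_CLOCK = "127.127.7.1"  # address the post says must be permitted in the peer ACL

# Constructed sample: the peer configuration from item b), before the fix.
SAMPLE_CONFIG = """
ntp access-group peer 1
access-list 1 permit 10.10.10.40 0.0.0.0
ntp peer 10.10.10.40
"""
# Constructed sample: association rows as shown in the post while the peer is stuck.
SAMPLE_SHOW = """
address ref clock st when poll reach delay offset disp
*~10.10.10.10 127.127.7.1 8 58 64 37 424.0 -287.6 937.9
~10.10.10.40 10.10.10.10 9 1 64 6 128.0 -402.8 8128.1
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
"""

def audit_ntp_config(config) -> list:
    """Return findings for the peer ACL rules described in the post."""
    findings = []
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    peers = {m.group(1) for l in lines if (m := re.fullmatch(r"ntp peer (\S+)", l))}
    groups = [m.group(1) for l in lines
              if (m := re.fullmatch(r"ntp access-group peer (\S+)", l))]
    for acl in groups:
        if not acl.isdigit():  # the note: named ACLs are not supported
            findings.append(f"ACL {acl}: named ACL used with ntp access-group")
            continue
        permitted = set()
        for l in lines:
            m = re.fullmatch(rf"access-list {acl} permit (?:host )?(\S+)(?: (\S+))?", l)
            if m and m.group(2) in (None, "0.0.0.0"):  # host entries only (assumption)
                permitted.add(m.group(1))
        if LOCAL_CLOCK not in permitted:
            findings.append(f"ACL {acl}: {LOCAL_CLOCK} is not permitted")
        for addr in sorted(permitted - {LOCAL_CLOCK} - peers):
            findings.append(f"ACL {acl}: {addr} permitted but has no 'ntp peer' line")
    return findings

def configured_only(show_output) -> list:
    """Return addresses whose only flag is '~' (configured but not selected)."""
    stuck = []
    for line in show_output.splitlines():
        m = re.match(r"\s*([*#+\-~]+)\s*(\d+\.\d+\.\d+\.\d+)\s", line)
        if m and m.group(1) == "~":
            stuck.append(m.group(2))
    return stuck

if __name__ == "__main__":
    print(audit_ntp_config(SAMPLE_CONFIG), configured_only(SAMPLE_SHOW))
```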

c) Slow synchronization
NTP being a slow protocol, at times the clock doesn't update. In that case, remove the configs and add them again.
d) NTP doesn’t support authentication for clients.


regards
shivlu jain
