
Tuesday, March 24, 2009

Problems Faced During NTP Deployment

During the implementation of NTP we faced a lot of issues. I am covering almost all of them here, as they will be useful to others during deployment. Stratum is left out because plenty of information about it is already available. The main reason for writing this document is that I have never seen a document on the internet that describes these issues.
a) Whenever a router works as an NTP master, the address 127.127.7.1 appears by default. Take care when securing NTP with an ACL to permit this IP address. This address is needed for peer synchronization.
Router# show ntp associations

  address         ref clock      st  when  poll  reach   delay   offset     disp
*~127.127.7.1     127.127.7.1     7    27    64    377     0.0     0.00      0.0
* master (synced), # master (unsynced), + selected, - candidate, ~ configured

b) When using an access-list for peers, always permit the 127.127.7.1 address in the ACL. If it is left out by mistake, the two peers will never sync with each other.
Router(config)# ntp access-group peer 1
Router(config)# access-list 1 permit 10.10.10.40 0.0.0.0
Router(config)# ntp peer 10.10.10.40
Router# show ntp associations

  address         ref clock      st  when  poll  reach   delay   offset     disp
*~10.10.10.10     127.127.7.1     8    58    64     37   424.0   -287.6    937.9
 ~10.10.10.40     10.10.10.10     9     1    64      6   128.0   -402.8   8128.1
* master (synced), # master (unsynced), + selected, - candidate, ~ configured

If you see only the tilde (~), there may be a problem in the ACL, or 127.127.7.1 is not permitted in it. Check your ACL and configs. As soon as you add 127.127.7.1, the output changes.
Note: NTP doesn't support named ACLs. Every IP address defined in the peer ACL must also be added manually with the peer command, otherwise it won't work; the exception is 127.127.7.1.
Router# show ntp associations

  address         ref clock      st  when  poll  reach   delay   offset     disp
*~10.10.10.10     127.127.7.1     8    58    64     37   424.0   -287.6    937.9
+~10.10.10.40     10.10.10.10     9     1    64      6   128.0   -402.8   8128.1
* master (synced), # master (unsynced), + selected, - candidate, ~ configured

c) Slow synchronization
Being a slow protocol, at times the clock doesn't update. In that case, remove the configs and add them again.
d) NTP doesn’t support authentication for clients.


regards
shivlu jain
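
The tilde-only symptom from item (b) can be checked mechanically. The Python sketch below is an added example, not part of the original post: it parses the show ntp associations listings above, decodes the reach column (an 8-bit shift register printed in octal, newest poll in the lowest bit), and lists peers that are configured but carry no state flag. The function names are illustrative.

```python
import re

# Output copied from item (b) of the post: peer ACL without 127.127.7.1.
BEFORE = """\
address ref clock st when poll reach delay offset disp
*~10.10.10.10 127.127.7.1 8 58 64 37 424.0 -287.6 937.9
~10.10.10.40 10.10.10.10 9 1 64 6 128.0 -402.8 8128.1
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
"""
# Same output after 127.127.7.1 is permitted (second listing in the post).
AFTER = BEFORE.replace("\n~10.10.10.40", "\n+~10.10.10.40")

ROW = re.compile(
    r"^\s*(?P<flags>[*#+~-]*)\s*(?P<address>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<ref>\S+)\s+(?P<st>\d+)\s+(?P<when>\S+)\s+(?P<poll>\d+)\s+"
    r"(?P<reach>[0-7]+)\s+(?P<delay>-?[\d.]+)\s+(?P<offset>-?[\d.]+)\s+"
    r"(?P<disp>-?[\d.]+)\s*$"
)

def parse_associations(text):
    """Return one dict per association row; header and legend lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        row = m.groupdict()
        # reach is an 8-bit shift register printed in octal, newest poll in bit 0.
        reg = int(row["reach"], 8)
        row["polls_ok"] = bin(reg).count("1")
        row["last_poll_ok"] = bool(reg & 1)
        rows.append(row)
    return rows

def tilde_only(rows):
    """Addresses that are configured (~) but carry no *, #, + or - state flag."""
    return [r["address"] for r in rows if r["flags"] == "~"]

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        rows = parse_associations(text)
        for r in rows:
            print(label, r["flags"] or ".", r["address"], "reach", r["reach"],
                  f"-> {r['polls_ok']}/8 polls answered")
        print(label, "check peer ACL for:", tilde_only(rows))
```

A reach of 377 means all eight recent polls were answered; the 6 shown for 10.10.10.40 means two answers with the most recent poll missed.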

Monday, March 23, 2009

NTP Implementation In Service Provider Network


This post covers how to implement NTP in a service provider network. The document can also be used as a reference for enterprise and corporate networks.
In the given figure, two 7600 routers are used as clients that get the NTP clock from the global servers. The same clock is distributed to the downstream GSR routers, and the GSRs in turn distribute the clock to the downstream tier 2 routers. This is the hierarchical implementation of NTP. In fact, implementing NTP is really an awesome job if you have patience.

How NTP flow will work
The 7600 routers get the global NTP clock of stratum 0 from the global servers. The list of global servers is given below. Once the clock is received by the 7600s, both work as masters for the downstream GSR routers. The GSRs receive the clock from the 7600s as clients and distribute the same clock to the downstream tier 2 routers; for this, each GSR acts as a server for the tier 2 routers and as a client of the 7600s. The tier 2 routers in turn receive the clock from the GSRs as clients and distribute it to the downstream tier 2 routers. For this we need to configure the tier 2 routers as servers for the downstream routers and as clients of the GSRs.

Security
An access-list is used for security, because once the routers become servers, hosts in the internet cloud can use the same routers as a reference clock.

List of free servers
Philippines ph.pool.ntp.org
Malaysia my.pool.ntp.org
Turkey tr.pool.ntp.org
Singapore sg.pool.ntp.org
India in.pool.ntp.org
Hong Kong hk.pool.ntp.org
Japan jp.pool.ntp.org
Bangladesh bd.pool.ntp.org
Israel il.pool.ntp.org
Korea kr.pool.ntp.org
Thailand th.pool.ntp.org
Iran ir.pool.ntp.org
Taiwan tw.pool.ntp.org
China cn.pool.ntp.org
Indonesia id.pool.ntp.org
Vietnam vn.pool.ntp.org
Pakistan pk.pool.ntp.org
Oman om.pool.ntp.org

Configuration
On 7600 (both 7600s act as server as well as client)
clock timezone GMT +5 30
ntp server in.pool.ntp.org
ntp server sg.pool.ntp.org
ntp master 2
! "ntp master" makes the 7600 act as a server
ntp access-group peer 2
ntp access-group serve-only 1
access-list 1 permit 0.0.0.0
access-list 1 permit
access-list 2 permit <7600 loopback> 0.0.0.0
access-list 2 permit 127.127.7.1 0.0.0.0


On GSR
clock timezone GMT +5 30
ntp server <7600 loopback>
ntp server <7600 loopback>
ntp master 3

ntp access-group peer 2
ntp access-group serve-only 1

access-list 2 permit
access-list 2 permit 127.127.7.1 0.0.0.0
access-list 1 permit 0.0.0.0

On Tier2
clock timezone GMT +5 30
ntp server 172.29.255.254
ntp server 172.30.255.254
ntp master 4

Tier 2 Downstream Routers
clock timezone GMT +5 30
ntp server


Note: 127.127.7.1 is used for synchronization of the clock between the servers in case the global NTP server fails.

Verification
Show ntp associations
Show ntp status
Show ntp clock


regards
shivlu jain
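
The ACL points made in the Security section and in items (a) and (b) of the earlier post can be checked against a saved configuration before it is deployed. The Python sketch below is an added example, not the author's tooling: parse, permits and audit are hypothetical helper names, the ntp master 8 line in ITEM_B is an assumption, and only numbered standard ACLs are modelled.

```python
import ipaddress

MASTER_CLOCK = "127.127.7.1"  # internal reference clock address from the posts
def _ip(text):
    return int(ipaddress.IPv4Address(text))

def parse(config):  # collect NTP statements and numbered standard ACL entries
    c = {"master": False, "groups": {}, "peers": [], "acls": {}}
    for w in (line.split() for line in config.lower().splitlines()):
        if w[:2] == ["ntp", "master"]:
            c["master"] = True
        elif w[:2] == ["ntp", "access-group"] and len(w) >= 4:
            c["groups"][w[2]] = w[3]          # e.g. {"peer": "2", "serve-only": "1"}
        elif w[:2] == ["ntp", "peer"] and len(w) >= 3:
            c["peers"].append(w[2])           # assumed to be an IPv4 literal
        elif w[:1] == ["access-list"] and len(w) >= 4 and w[2] in ("permit", "deny"):
            if w[3] == "any":
                base, wild = "0.0.0.0", "255.255.255.255"
            elif w[3] == "host" and len(w) >= 5:
                base, wild = w[4], "0.0.0.0"
            else:                             # "<address> [wildcard]"
                base, wild = w[3], (w[4] if len(w) >= 5 else "0.0.0.0")
            c["acls"].setdefault(w[1], []).append((w[2], _ip(base), _ip(wild)))
    return c

def permits(acl, addr):  # first match wins; implicit deny at the end
    for action, base, wild in acl:
        if ((_ip(addr) ^ base) & ~wild & 0xFFFFFFFF) == 0:
            return action == "permit"
    return False

def audit(config):
    c, findings = parse(config), []
    if c["master"] and not c["groups"]:
        findings.append("ntp master without ntp access-group: any host may sync from this router")
    peer_acl = c["groups"].get("peer")
    if peer_acl is not None:
        acl = c["acls"].get(peer_acl, [])
        if c["master"] and not permits(acl, MASTER_CLOCK):
            findings.append(f"peer ACL {peer_acl} does not permit {MASTER_CLOCK}")
        findings += [f"ntp peer {p} is not permitted by peer ACL {peer_acl}"
                     for p in c["peers"] if not permits(acl, p)]
    return findings

# TIER2: Tier2 block as printed in the post. ITEM_B: item (b) plus an assumed master line.
TIER2 = "ntp server 172.29.255.254\nntp server 172.30.255.254\nntp master 4\n"
ITEM_B = ("ntp master 8\nntp access-group peer 1\n"
          "access-list 1 permit 10.10.10.40 0.0.0.0\nntp peer 10.10.10.40\n")
FIXED = ITEM_B + "access-list 1 permit 127.127.7.1 0.0.0.0\n"
```

audit(TIER2) reports the missing access-group, audit(ITEM_B) reports the missing 127.127.7.1 permit, and audit(FIXED) returns an empty list.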