Inter-VLAN routing: Multiple VLANs access NTP server

jamesupcott1
Level 1

Hi All

I am looking to install an NTP/PTP system in a datacentre, with the aim of being able to sell the service to co-located customers in the datacentre.

I have a solution for the NTP server; however, my question is what would be the most effective/scalable solution.

My solution is to use inter-VLAN routing on a Layer 3 switch. I would configure the NTP server in its own VLAN, and every customer who wants the service would be assigned their own unique VLAN for connectivity. For each customer I would use a /30 subnet between our L3 switch and themselves and run BGP to advertise the NTP server.

I would like to know if my solution should work, or if anyone has any better solutions I would be interested to hear them. We want to make it as straightforward as possible whilst maintaining integrity and performance.

Kind Regards

James

10 Replies

mile.ljepojevic
Level 1

Maybe, maybe not.

Still not sure why anyone would pay for NTP from a data center; there are atomic and GPS clocks available on the internet for free...

But that's not the point: you didn't specify if the IP address of the NTP server would be private or public. If it's private, you may have IP address overlap with customers' IPs, and that's usually not good.

Also, I wouldn't use VLANs since you will be sharing your L2 into other networks (potential STP or VTP issues); just use the no switchport command on the switch and use the port as an L3 port.

Make sure you prevent routing leaks between customers. You want to make sure they do not use your link to access each other.

For some reason, I am thinking this is a bad idea. You should use a firewall between clients and you, and between clients and clients. Put them in different zones, make sure they cannot access anything except NTP, make sure there is no routing leak between your customers, etc. Potentially, a scenario like this can be disastrous...

Thanks for your reply Mile.

The reason for the NTP solution is co-located customers raising the requirement for a local server, as opposed to going out onto the public web.

The thinking was that we would restrict the VLANs over the trunk link, so customers could only access the NTP VLAN and their own unique VLAN. It would be a totally independent network specifically for the NTP server, separate from our own corporate network.

When I set BGP up (test environment), it works and I can access the NTP server. However, as you mentioned, there is a routing leak between customers. I can restrict access using ACLs; however, this isn't ideal and I want to prevent them from seeing each other's routes advertised over BGP. When I stop advertising customer networks, though, it obviously prevents the NTP server from knowing where to send the return traffic.

Any Thoughts?

Create a prefix-list or route-map that will allow only the subnet with your NTP server to be announced out to any BGP peer. It will prevent your clients from learning routes from other clients, and it will allow you to learn all your clients' routes and be able to send them NTP traffic back.

It should be fairly scalable; you'll just re-use the same prefix list for every BGP peer. In reality, it adds one more command per peer.

Thank you Mile, appreciate your help.

Can you advise what the required prefix-list would look like? I have checked online examples but am unable to simulate due to limitations in my test lab. I have pasted my BGP config below; FYI, I only want my peer routers to learn the network 10.10.0.0/24.

router bgp 65001
 bgp log-neighbor-changes
 no synchronization
 neighbor 192.168.1.1 remote-as 65000
 neighbor 192.168.2.2 remote-as 65002
 network 10.10.0.0 mask 255.255.255.0
 network 192.168.1.0 mask 255.255.255.252

The remote peers advertise the networks they know about to this router; however, this router then advertises all peer networks, which is what I wish to prevent.

Again, thank you.

Would my required config look like this:

(config)# ip prefix-list TO_CUSTOMERS permit 10.10.0.0/24
(config)# router bgp 65001
(config-router)# neighbor 192.168.1.1 prefix-list TO_CUSTOMERS out
(config-router)# neighbor 192.168.2.2 prefix-list TO_CUSTOMERS out

Lol, yes... I was too slow to reply on the previous one...

Here is a good Cisco article about BGP and prefix lists...

http://www.cisco.com/c/en/us/td/docs/ios/12_2s/feature/guide/fsbgporf.html

Let me know if you still have issues.
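The full provider-side configuration the thread converges on, written out as an added example that is not from any post in this thread. It reuses the thread's addresses and ASNs (NTP subnet 10.10.0.0/24, local AS 65001, peers 192.168.1.1 in AS 65000 and 192.168.2.2 in AS 65002) and assumes, as details the thread never states, that the NTP server itself is 10.10.0.10, that the customer /30 links are SVIs Vlan101 and Vlan102, and that a BGP peer-group carries the shared policy. Beyond the outbound prefix-list the thread arrives at, it also filters what is accepted from each customer and restricts each link to NTP plus the BGP session with an ACL, which is the "firewall between clients and you" advice in its cheapest form:

```cisco
! Added example, not from the original thread. IOS / IOS-XE style config.
! Assumed: NTP server 10.10.0.10/24 in Vlan10; customer A on Vlan101
! (our side 192.168.1.2, peer 192.168.1.1, AS 65000); customer B on
! Vlan102 (our side 192.168.2.1, peer 192.168.2.2, AS 65002).
!
! Outbound: the only prefix a customer may ever learn from us.
ip prefix-list NTP-ONLY-OUT seq 10 permit 10.10.0.0/24
!
! Inbound: refuse a default route, our own NTP prefix or anything inside
! it (a more-specific from a customer would hijack NTP traffic), and the
! /30 link nets. Anything else from /8 to /24 is accepted so the server's
! return traffic can be routed to the customer that sent the query.
ip prefix-list CUST-IN seq 5 deny 0.0.0.0/0
ip prefix-list CUST-IN seq 10 deny 10.10.0.0/24 le 32
ip prefix-list CUST-IN seq 15 deny 192.168.0.0/16 ge 30
ip prefix-list CUST-IN seq 100 permit 0.0.0.0/0 ge 8 le 24
!
! Per-link ACL: only the BGP session with this peer and NTP queries to the
! server are allowed in; everything else the customer sends is dropped
! and logged. One ACL per customer because the peer addresses differ.
ip access-list extended CUST-A-IN
 permit tcp host 192.168.1.1 host 192.168.1.2 eq bgp
 permit tcp host 192.168.1.1 eq bgp host 192.168.1.2
 permit udp any host 10.10.0.10 eq ntp
 deny   ip any any log
!
ip access-list extended CUST-B-IN
 permit tcp host 192.168.2.2 host 192.168.2.1 eq bgp
 permit tcp host 192.168.2.2 eq bgp host 192.168.2.1
 permit udp any host 10.10.0.10 eq ntp
 deny   ip any any log
!
interface Vlan10
 description NTP server segment
 ip address 10.10.0.1 255.255.255.0
!
interface Vlan101
 description Customer A /30 link
 ip address 192.168.1.2 255.255.255.252
 ip access-group CUST-A-IN in
!
interface Vlan102
 description Customer B /30 link
 ip address 192.168.2.1 255.255.255.252
 ip access-group CUST-B-IN in
!
router bgp 65001
 bgp log-neighbor-changes
 network 10.10.0.0 mask 255.255.255.0
 ! The policy lives on the peer-group; each new customer is two lines here
 ! (plus its ACL and SVI above).
 neighbor CUSTOMERS peer-group
 neighbor CUSTOMERS prefix-list NTP-ONLY-OUT out
 neighbor CUSTOMERS prefix-list CUST-IN in
 neighbor CUSTOMERS maximum-prefix 50
 neighbor 192.168.1.1 remote-as 65000
 neighbor 192.168.1.1 peer-group CUSTOMERS
 neighbor 192.168.2.2 remote-as 65002
 neighbor 192.168.2.2 peer-group CUSTOMERS
```

The thread's "network 192.168.1.0 mask 255.255.255.252" line is deliberately absent: the /30 is directly connected and needs no BGP advertisement. After applying the filters, run "clear ip bgp * soft" and check "show ip bgp neighbors 192.168.1.1 advertised-routes", which should list only 10.10.0.0/24, and "show ip bgp neighbors 192.168.1.1 routes" to confirm the customer's accepted prefixes; "maximum-prefix" tears the session down if a customer floods routes, and the ACL log entries will show any customer probing beyond NTP. The "ge 8 le 24" policy on CUST-IN is an assumed choice; loosen it if a customer legitimately needs to send longer prefixes.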

Thank you Mile.

The solution now works, and the prefix-list command has done the trick.

There is one potential issue now which I'm not sure you can get around:

When the return traffic from the NTP server hits its local router and the router looks for the destination address in its routing table, what happens if two customers' subnets match and it has two or potentially more BGP routes to that destination? For example, if two customers have a LAN of 192.168.1.0/24.

Or, by my using a unique /30 subnet between the end customer and the NTP router, will it be clever enough to determine the correct route back?

Routers are not clever enough to return the traffic the same way it came by using a different /30... It will just think there are more paths to the same network and load-balance the return traffic...

The easiest way around it is to do NAT on your router or ask your client to do NAT on theirs... That's one of the reasons why I said it would be good to have a firewall in between, so you can only open NTP, NAT your clients, prevent them from accessing each other, etc...

In order to make sure there is no IP address overlap between the clients, someone has to use NAT, or you can make sure they are accessing it with their public IPs (so they do NAT on whatever edge device they are using).
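What the "ask your client to do NAT on theirs" option looks like in practice, as an added example that is not from the thread: the customer's edge router translates its NTP clients to its own /30 link address, so the provider only ever sees the unique /30 and never needs to carry the customer's (possibly overlapping) LAN prefix at all. Assumed, not from the thread: customer A's LAN is 172.16.10.0/24 on GigabitEthernet0/1, the /30 link 192.168.1.0/30 is on GigabitEthernet0/0 (customer side 192.168.1.1, provider side 192.168.1.2 in AS 65001), and the NTP server is 10.10.0.10.

```cisco
! Added example, not from the original thread: customer A's edge router.
! Assumed: LAN 172.16.10.0/24 (may be the same as another tenant's), /30
! link 192.168.1.0/30 towards the provider (AS 65001), NTP server 10.10.0.10.
!
interface GigabitEthernet0/1
 description Customer LAN - NTP clients live here
 ip address 172.16.10.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0
 description /30 link to the NTP provider
 ip address 192.168.1.1 255.255.255.252
 ip nat outside
!
! Translate only NTP queries to the provider's server; nothing else is
! expected to cross this link, so nothing else gets a translation.
ip access-list extended NAT-NTP-ONLY
 permit udp 172.16.10.0 0.0.0.255 host 10.10.0.10 eq ntp
!
! PAT every client behind the link address. The provider then routes the
! replies to 192.168.1.1, which is unique per customer by construction.
ip nat inside source list NAT-NTP-ONLY interface GigabitEthernet0/0 overload
!
! Learn 10.10.0.0/24 from the provider and advertise nothing back, since
! the LAN never appears on the link. A static route would do just as well.
ip prefix-list NOTHING seq 10 deny 0.0.0.0/0 le 32
!
router bgp 65000
 neighbor 192.168.1.2 remote-as 65001
 neighbor 192.168.1.2 prefix-list NOTHING out
```

With this in place the provider's inbound prefix filter can simply deny everything, because return traffic only ever targets the connected /30. Two caveats a practitioner should weigh: NTP in client/server mode survives PAT, but symmetric and broadcast modes do not, so the customer must run plain client/server; and the NTP server now sees one source address per customer, so any per-source rate limiting on the server (for example ntpd's "limited" restriction) throttles all of that customer's clients together. "show ip nat translations" on the customer router shows the UDP/123 entries as queries go out.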

Hi,

you don't need:

 network 192.168.1.0 mask 255.255.255.252

You don't have to advertise that subnet into BGP (I assume that's the directly connected subnet between your router/switch, so the router will know about it).

So, you can use a prefix list; it's the simplest way to limit updates:

ip prefix-list NTP-ONLY permit 10.10.0.0/24
!
router bgp 65001
 neighbor 192.168.1.1 prefix-list NTP-ONLY out
