Thanks for your reply Mile.

The reason for the NTP solution is due to co-located customers raising the requirement of a local server as apposed to going out onto the public web.

The thinking was that we would restrict the VLAN's over the trunk link, so customers could only access the NTP VLAN and their own unique VLAN. It would be a totally independent network specifically for the NTP server so separate to our own corporate network.

When I set BGP up (test environment), it works and I can access the NTP server. However as you mentioned there is a routing leak between customers. I can restrict access using ACL's however this isn't ideal and I want to prevent them from seeing eachothers routes advertised over BGP. When I stop advertising customer networks though, it obviously prevents the NTP server to know where to send the return traffic.

Any Thoughts?

Thankyou Mile, appreciate your help.

Can you advise what the required prefix-list would look like, I have checked online examples but unable to simulate due to limitations in my test lab? I have pasted my BGP config below, FYI I only want my peer routers to learn the network 10.10.0.0/24.

router bgp 65001

bgp log-neighbor-changes

no synchronization

neighbor 192.168.1.1 remote-as 65000

neighbor 192.168.2.2 remote-as 65002

network 10.10.0.0 mask 255.255.255.0

network 192.168.1.0 mask 255.255.255.252

The remote peers advertise the networks they know about to this router, however this router then advertises all peer networks which is what I wish to prevent.

Again Thankyou

Would my required config look like this:

(Config)# IP prefix-list TO_CUSTOMERS permit 10.10.0.0/24

(Config-router)# Router bgp 65001

 (Config-router)# neighbor 192.168.1.1 prefix-list TO_CUSTOMERS out

(Config-router)# neighbor 192.168.2.2 prefix-list TO_CUSTOMERS out

Lol, yes... I was to slow to reply on previos one...

Here is good Cisco article about BGP and prefix lists...

http://www.cisco.com/c/en/us/td/docs/ios/12_2s/feature/guide/fsbgporf.html

let me know if you still have issues.

Thankyou Mile 

The solution now works, and the prefix command has done the trick.

There is one potential issue now which I'm not sure if you can get around:

When the return traffic from the NTP server hits it's local router and looks for the destination address in its routing table, what happens if 2 customers subnets match and it has 2 or potentially more BGP routes to that destination? For example if 2 customers have a LAN of 192.168.1.0/24.

Or by me using a unique /30 subnet between the end customer and the NTP router, will it be clever enough to determine the correct route back?

Routers are not clever enough to return the traffic same way it came, by using different /30... It will just think there are more paths to the same network and load-balance return traffic...

Easiest way around it is to do NAT on your router or ask your client to do NAT on theirs... That's one of the reasons why I said it should be good to have Firewall in between, so you can only open NTP, NAT your clients, prevent them from accessing each other, etc...

In order to make sure there is no IP address overlapp between the clients, someone has to use the NAT, or you can make sure they are accessing it with their public IPs (so they do NAT on whatever edge device they are using).

Hi,

you don't need:

network 192.168.1.0 mask 255.255.255.252

You don't have to advertise that subnet into BGP (I assume that's directly connected subnet between your router/switch, so router will know about it).

So, you can use prefix list, it's simplest way to limit updates;

ip prefix-list NTP-ONLY permit 10.10.0.0/24

Router bgp 65001

neighbot 192.168.1.1 prefix-list NTP-ONLY out