Nexus acts as NTP server, need it as a client

hdussa
Level 1

Hello,

We have a Nexus 5548 with a simple NTP configuration.

ntp server x.x.x.x use-vrf management key 10
ntp source-interface mgmt0
ntp authenticate
ntp authentication-key 10 md5 xxxxxxxxx
ntp trusted-key 10

Now the switch acts as an NTP SERVER. Because of the known issue with the NTP protocol I want them to act as clients.

Is there a command to configure this?

Regards Horst
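The ntp authenticate, ntp authentication-key and ntp trusted-key lines in the question turn on symmetric-key authentication of the time packets the switch exchanges with its configured servers, which is why they are client-side settings. As an added illustration (Python written for this page, not Cisco code and not the switch's implementation), the block below builds a minimal client request, appends the RFC 5905 MAC (a 4-byte key id followed by MD5 over key || header) and verifies that MAC against a trusted-key table. The key id 10 is taken from the question; the shared secret and the timestamp are constructed sample values.

```python
"""Added example (not Cisco code): RFC 5905 symmetric-key MD5 MAC on an NTP
packet, i.e. what `ntp authenticate` / `ntp authentication-key` / `ntp
trusted-key` make the switch check on replies from its configured servers.
The secret and timestamp below are constructed sample values."""
import hashlib
import hmac
import struct

HEADER_LEN = 48                   # fixed NTP v4 header length
MAC_LEN = 4 + 16                  # key id + MD5 digest
KEY_ID = 10                       # matches `ntp trusted-key 10` in the question
SHARED_KEY = b"example-secret"    # constructed sample; never reuse a real key
NTP_EPOCH_OFFSET = 2208988800     # seconds from 1900-01-01 to 1970-01-01


def ntp_timestamp(unix_seconds: float) -> bytes:
    """Encode a Unix time as a 64-bit NTP timestamp (32.32 fixed point)."""
    whole, frac = divmod(unix_seconds + NTP_EPOCH_OFFSET, 1)
    return struct.pack("!II", int(whole), int(frac * (1 << 32)))


def build_client_header(transmit_unix: float) -> bytes:
    """48-byte mode-3 (client) header: LI=0, VN=4, mode=3, with only the
    transmit timestamp populated, as a minimal client sends it."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3                   # 0x23
    return (struct.pack("!BBbb", li_vn_mode, 0, 0, 0)      # stratum, poll, precision
            + bytes(8)                                     # root delay + root dispersion
            + bytes(4)                                     # reference id
            + bytes(24)                                    # reference, origin, receive timestamps
            + ntp_timestamp(transmit_unix))


def append_mac(header: bytes, key_id: int, key: bytes) -> bytes:
    """MAC = key id || MD5(key || header), appended after the header."""
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify_mac(packet: bytes, trusted_keys: dict) -> bool:
    """True only if the packet carries a MAC made with a trusted key.
    `trusted_keys` maps key id -> secret, the `ntp trusted-key` set."""
    if len(packet) != HEADER_LEN + MAC_LEN:
        return False
    header = packet[:HEADER_LEN]
    key_id = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])[0]
    digest = packet[HEADER_LEN + 4:]
    key = trusted_keys.get(key_id)
    if key is None:                     # unknown or untrusted key id
        return False
    expected = hashlib.md5(key + header).digest()
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    pkt = append_mac(build_client_header(1420635982.0), KEY_ID, SHARED_KEY)
    print(len(pkt), "bytes; valid:", verify_mac(pkt, {KEY_ID: SHARED_KEY}))
```

A reply whose MAC fails this check (wrong secret, untrusted key id, or a modified header) is discarded by the client; the check says nothing about who may query the switch, which is what the rest of the thread addresses.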

Accepted Solution

What happens when you specify an access-group...? Though I haven't tried this myself, I am guessing that it will help. Take a look at implementing this:

ip access-list DENY_NTP
  10 deny ip any any
!
ntp access-group serve DENY_NTP


Configuring NTP Access Restrictions

You can control access to NTP services by using access groups. Specifically, you can specify the types of requests that the device allows and the servers from which it accepts responses.

If you do not configure any access groups, NTP access is granted to all devices. If you configure any access groups, NTP access is granted only to the remote device whose source IP address passes the access list criteria.

    Procedure

    Step 1: switch# configure terminal
        Enters global configuration mode.

    Step 2: switch(config)# [no] ntp access-group {peer | serve | serve-only | query-only} access-list-name
        Creates or removes an access group to control NTP access and applies a basic IP access list.

        The access group options are scanned in the following order, from least restrictive to most restrictive. However, if NTP matches a deny ACL rule in a configured peer, ACL processing stops and does not continue to the next access group option.

        •  The peer keyword enables the device to receive time requests and NTP control queries and to synchronize itself to the servers specified in the access list.
        •  The serve keyword enables the device to receive time requests and NTP control queries from the servers specified in the access list but not to synchronize itself to the specified servers.
        •  The serve-only keyword enables the device to receive only time requests from servers specified in the access list.
        •  The query-only keyword enables the device to receive only NTP control queries from the servers specified in the access list.

    Step 3: switch(config)# show ntp access-groups
        (Optional) Displays the NTP access group configuration.

    Step 4: switch(config)# copy running-config startup-config
        (Optional) Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

    Please rate useful posts & remember to mark any solved questions as answered. Thank you.
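To make the scan order in the quoted procedure concrete, here is an added Python model (example code written for this page, not Cisco's implementation) of how the four access-group options are evaluated for an incoming packet. It follows only the rules quoted above: the least-to-most-restrictive scan order, what each keyword grants, and the stop on a deny match in the peer group. The ACL contents, sample addresses and packets are constructed. Two points the quoted text does not spell out are this model's assumptions: a source that matches no permit in any configured group is denied, and only explicit ACL entries are evaluated (no implicit deny), so treating mode 7 packets like control queries is an assumption as well. The consequence of the thread's deny-all serve group for the switch's own synchronization is therefore something to confirm on the device with show ntp peer-status after the change.

```python
"""Added example (not Cisco code): a model of the NX-OS NTP access-group
scan order described in the quoted procedure.  Sample ACLs, addresses
and packets are constructed; the switch itself is the authority."""
import ipaddress
from typing import Dict, List, Optional, Tuple

AclEntry = Tuple[str, str]   # ("permit" | "deny", "prefix/len")
Acl = List[AclEntry]

# Quoted scan order: least restrictive to most restrictive.
SCAN_ORDER = ("peer", "serve", "serve-only", "query-only")

# What a permit match on each option grants to the matching source.
GRANTS = {
    "peer":       {"time-request", "control-query", "sync"},
    "serve":      {"time-request", "control-query"},
    "serve-only": {"time-request"},
    "query-only": {"control-query"},
}


def ntp_request_kind(packet: bytes) -> str:
    """Classify a raw NTP packet by the three mode bits of byte 0.
    Mode 3 is a client time request and mode 6 a control query; mode 7
    (implementation-private) is treated as a control query here, which
    is this example's assumption."""
    mode = packet[0] & 0x07
    if mode == 3:
        return "time-request"
    if mode in (6, 7):
        return "control-query"
    return f"mode-{mode}"


def acl_lookup(acl: Acl, source_ip: str) -> Optional[str]:
    """First-match ACL lookup.  Only explicit entries are modelled, so a
    source matching nothing returns None rather than an implicit deny."""
    addr = ipaddress.ip_address(source_ip)
    for action, prefix in acl:
        if addr in ipaddress.ip_network(prefix, strict=False):
            return action
    return None


def ntp_access_decision(groups: Dict[str, Acl], source_ip: str, kind: str) -> bool:
    """True if a request of `kind` from `source_ip` is accepted.  No groups
    configured means everything is accepted; otherwise options are scanned
    in SCAN_ORDER and a deny match in the peer group stops processing."""
    if not groups:
        return True
    for option in SCAN_ORDER:
        acl = groups.get(option)
        if acl is None:
            continue
        action = acl_lookup(acl, source_ip)
        if action == "permit" and kind in GRANTS[option]:
            return True
        if action == "deny" and option == "peer":
            return False
    return False   # no permit granted this kind (assumption: deny by default)


# Constructed sample packets: byte 0 = LI(2 bits) | VN(3 bits) | mode(3 bits).
CLIENT_REQUEST = bytes([0x23]) + bytes(47)   # v4, mode 3, 48-byte header
CONTROL_QUERY = bytes([0x26]) + bytes(11)    # v4, mode 6, 12-byte header

# The thread's suggestion: a serve group that denies everything.
THREAD_CONFIG = {"serve": [("deny", "0.0.0.0/0")]}
# Constructed alternative: a peer group permitting only the upstream server.
UPSTREAM_ONLY = {"peer": [("permit", "192.0.2.1/32")]}
# Constructed: a peer deny stops processing before a later serve permit.
PEER_DENY_FIRST = {"peer": [("deny", "198.51.100.0/24")],
                   "serve": [("permit", "0.0.0.0/0")]}


def demo() -> Dict[str, bool]:
    """Decisions for the constructed scenarios, keyed by description."""
    client = ntp_request_kind(CLIENT_REQUEST)
    query = ntp_request_kind(CONTROL_QUERY)
    return {
        "no groups, client from 198.51.100.7": ntp_access_decision({}, "198.51.100.7", client),
        "thread config, client from 198.51.100.7": ntp_access_decision(THREAD_CONFIG, "198.51.100.7", client),
        "thread config, sync to 192.0.2.1": ntp_access_decision(THREAD_CONFIG, "192.0.2.1", "sync"),
        "upstream-only, sync to 192.0.2.1": ntp_access_decision(UPSTREAM_ONLY, "192.0.2.1", "sync"),
        "upstream-only, query from 198.51.100.7": ntp_access_decision(UPSTREAM_ONLY, "198.51.100.7", query),
        "peer-deny-first, client from 198.51.100.7": ntp_access_decision(PEER_DENY_FIRST, "198.51.100.7", client),
        "peer-deny-first, client from 203.0.113.9": ntp_access_decision(PEER_DENY_FIRST, "203.0.113.9", client),
    }


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario}: {'accepted' if accepted else 'denied'}")
```

Under this reading of the documentation, the thread's deny-all serve group blocks outside time requests and control queries, but it also grants no peer relationship to the configured upstream servers; if the switch does stop synchronizing after the change, a peer group that permits only those servers is the shape the quoted keyword descriptions point to.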


    5 Replies

    Reza Sharifi
    Hall of Fame

    Hi,

    What you have already configured is for a client, not a server.

    HTH


    Hi Reza,

    but the Nexus answers NTP requests and propagates the time.

    Starting Nmap 6.25 ( http://nmap.org ) at 2015-01-07 13:06 CET
    Nmap scan report for NEXUS
    Host is up (0.0020s latency).
    PORT STATE SERVICE
    123/udp open ntp
    | ntp-info:
    | receive time stamp: Wed Jan 7 13:06:22 2015
    | version: ntpd 4.2.6p2@1.2194 Tue Sep 6 19:34:01 UTC 2011 (97)
    | processor: i686
    | system: Linux/2.6.27.47
    | leap: 0
    | stratum: 2
    | precision: -21
    | rootdelay: 0.999
    | rootdispersion: 1.846
    | peer: 27481
    | refid: x.x.x.x
    | reftime: 0xd8579fa8.7fefecd0
    | poll: 6
    | clock: 0xd8579fb2.c91fc822
    | offset: -0.176
    | frequency: 42.023
    | noise: 0.139
    | jitter: 0.523
    |_ stability: 0.001


      Hi,

      Can you post the output of

      sh ntp peers

      and

      sh ntp peer-status

      HTH

      SW# sh ntp peers
      --------------------------------------------------
        Peer IP Address               Serv/Peer          
      --------------------------------------------------
        x.135.x.19                  Server (configured)
        y.131.y.144                Server (configured)


      SW# sh ntp status
      Distribution : Disabled
      Last operational state: No session

      Usually the NEXUS should act as a Client. With ntp master it should act as a MASTER.

      Master is not configured!!! It seems to me that it is a bug.
