NTP master and client mode in one router (ACL and MD5)

MrBeginner
Spotlight

Hi All,

Can I ask you for a favor to help solve my NTP testing?

I am trying to test NTP configuration and setup in a lab. I want to configure R1 as the NTP master of R2 and R2 as an NTP client of R1, and R2 is the NTP master of R3. I also want to authenticate with MD5 and configure an ACL. But I got a problem at the first step.

I referenced and followed the guides below.

https://blog.ine.com/2008/07/28/ntp-access-control

https://ccie-or-null.net/tag/ntp-version-3/

NTP.PNG

I can see the NTP association and reach time. But when I change the time of R1, the time of R2 and R1 didn't change and sync. How do I know whether it is working properly or not? I thought it is my weak understanding of NTP configuration. Please advise me what the best practice is.

 

 

 

 

5 Replies

balaji.bandi
Hall of Fame

First step:

Set up the clock on R1:

 

Example :

 

config t
!
clock timezone BST 0 0 (Want to set a UK time)
clock summer-time xxx recurring 1 Sunday March 02:00 1 Sunday November 02:00 60
!
ntp master
ntp source loopback 0 <<- since the loopback never goes down - but make sure the loopback is reachable from the other devices
!
end


CLIENTS :

config t
!
ntp server x.x.x.x <-- this is server loopback address

 

Test and advise; if there is any issue, post the output of the commands below:

show ntp status

show clock

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi,

My main concern is on R2, because I want R3 to get its time from R2. I don't want R3 to sync time directly from R1.

So I would like to know which configuration is correct?

 

R2#ntp master 

R2#ntp server 1.1.1.1 prefer 

R2#ntp source lo0

 

R3#ntp server 1.1.1.2

R3#ntp source lo0

    (OR)

 

R2#ntp server 1.1.1.1 prefer 

R2#ntp source lo0

 

R3#ntp server 1.1.1.2

R3#ntp source lo0

 

Now I tested as in the diagram below.

NTP with ACL.PNG

 

  • R1 = NTP master
  • R2 = client of R1 ( ntp server 1.10.1.1)
  • R3= client of R2
  • R4= peer to R2

After configuration without the ACL, NTP sync works properly, but R3's sync time is a little longer than R4's.

But after I put the ACL rule on R2, no NTP association can sync. Please see the picture below.

NTP no sync.PNG

R3#sh ntp associations

address ref clock st when poll reach delay offset disp
~1.1.1.2 .INIT. 16 536 1024 0 0.000 0.000 15937.
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
R3#

 

Let me know your advice.
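An added example, not part of the original post: a small Python check that reads `show ntp associations` text in the layout quoted above and reports why a peer is not synchronized. The first data row of the sample is the R3 line from this thread; the second row, including the address 1.1.1.4, is constructed for contrast.

```python
import re

# Constructed sample: row 1 is the R3 line quoted in the thread, row 2 is an
# invented healthy association added for contrast.
SAMPLE = """\
R3#sh ntp associations
address ref clock st when poll reach delay offset disp
~1.1.1.2 .INIT. 16 536 1024 0 0.000 0.000 15937.
*~1.1.1.4 1.1.1.1 9 33 64 377 1.204 0.512 1.021
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
"""

# flags, peer address, refid, stratum, when, poll, reach (octal)
ROW = re.compile(
    r"^(?P<flags>[*#+\-x~ ]*)(?P<addr>\d+\.\d+\.\d+\.\d+)\s+(?P<ref>\S+)\s+"
    r"(?P<st>\d+)\s+(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)\s"
)

def check_associations(text):
    """Parse 'show ntp associations' text; return one dict per peer."""
    peers = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # prompt, header or legend line
        reach = int(m["reach"], 8)  # 8-bit shift register, printed in octal
        findings = []
        if reach == 0:
            findings.append("reach 0: none of the last 8 polls was answered")
        elif reach != 0o377:
            missed = 8 - bin(reach).count("1")
            findings.append(f"reach {m['reach']}: {missed} of the last 8 polls missed")
        if int(m["st"]) >= 16:
            findings.append("stratum 16: peer is unsynchronized or never replied")
        if m["ref"] == ".INIT.":
            findings.append("refid .INIT.: association still initializing")
        peers.append({
            "addr": m["addr"],
            "reach": reach,
            "synced": "*" in m["flags"] and not findings,
            "findings": findings,
        })
    return peers

if __name__ == "__main__":
    for p in check_associations(SAMPLE):
        print(p["addr"], "SYNCED" if p["synced"] else "NOT SYNCED", p["findings"])
```

A peer counts as synchronized here only when it carries the `*` (sys.peer) flag, its reach register is 377 and its stratum is below 16.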

 

 

At a high level I looked at the config. If you want R3 to query R2, you need to allow R3's IP address in the ACL.

Make sense?

 

 

 

BB


Hi,

I already allowed R3 traffic on R2, but still got the error.

Post the errors, and also enable debug for NTP to see what is causing the issue.

BB
