Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
91
Views
0
Helpful
0
Replies

NTP unexpected behaviour on XR

Mark Pace Balzan
Level 1
Level 1

‎06-06-2024 05:34 AM

Hello,

doing some ntp setup on XR and I observed something odd - i believe this behaviour is not expected but would appreciate feedback from ppl that have dealt with XR NTP behaviour. config is below

So I configure two upstream servers "10.10.10.64 and 10.10.10.68" so that my asr9k running 7.11.2 can be a 'client' and get sync from these two servers. Also it will then be able to become a server for other clients, one stratum further down

With NO acls configured, then all is allowed and indeed the 9k form an association with the two upstreams and clients also form an association with the 9k

When I configure a serve-only ACL, this should mean that all other 'services' ie peer, serve, query-only are automatically denied.  this therefore means that the association with 10.10.10.64 and 10.10.10.68 should go down as the serve-only ACL is the only one configured and it is intended for allowing downstream clients not upstream servers.

Well, if I actually include 10.10.10.64 and 10.10.10.68 in the serve-only ACL, then the upstream association is kept, and only if I remove them frm the serve-only ACL is the association dropped!   this cant be correct as then whats the point of having different ACLs for different 'services'.  

Indeed on IOS-XE the behaviour is as expected - ie adding 10.10.10.64 and 10.10.10.68 to a serve-only ACL does not allow an association to be formed

 

anyone seen this behaviour on XR ?

thanks

 

Mark

RP/0/RSP0/CPU0:ASR9K#sh run ntp
Thu Jun 6 13:53:53.280 CEST
ntp
max-associations 10
server 10.10.10.64
server 10.10.10.68
access-group ipv4 serve-only NTP-SERVE
source Loopback0
update-calendar
log-internal-sync
!

RP/0/RSP0/CPU0:ASR9K#sh run ipv4 access-list NTP-SERVE
Thu Jun 6 13:54:01.413 CEST
ipv4 access-list NTP-SERVE
10 permit ipv4 host 10.10.10.64 any
20 permit ipv4 host 10.10.10.68 any
30 permit ipv4 host 10.10.10.65 any
!

RP/0/RSP0/CPU0:ASR9K#sh ntp assoc
Thu Jun 6 13:54:04.908 CEST

address ref clock st when poll reach delay offset disp
*~10.10.10.64 10.10.10.69 10 6 64 377 2.25 0.709 3.119
+~10.10.10.68 10.10.10.69 10 16 64 377 2.37 -1.128 3.853
* sys_peer, # selected, + candidate, - outlayer, x falseticker, ~ configured

Labels:
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents