Synchronization of NTP Server and NTP Clients with NTP ACL
The command nomodify ntp acl signifies NTP Clients must be denied ntpq(1) and ntpdc(1) queries which attempt to modify the state of the server (i.e., run time reconfiguration). Queries which return information shall be permitted.
The command noquery ntp acl signifies Deny ntpq(1) and ntpdc(1) queries by NTP Clients. But Time service shall not be affected.
The command nopeer ntp acl signifies NTP Clients shall be denied access if unauthenticated packets which would result in mobilizing a new association is sent.
The command notrap ntp acl signifies NTP Clients shall be declined to provide mode 6 control message trap service to matching hosts. The trap service is a sub-system of the ntpq(1) control message protocol which is intended for use by remote event logging programs.
The command KoD ntp acl signifies When an access violation happens by NTP Clients, the server must send the KoD (kiss-o'-death) packets. KoD packets are rate limited to no more than one per second. If another KoD packet occurs within one second after the last one, the packet is dropped.
Topology
The procedures in this section use the topology as mentioned below:
Setup consists of three nodes. One node acting as NTP Master and the other two nodes acting as NTP Clients.
Figure 44. Synchronization of NTP Master and NTP Clients with NTP ACL
VRF Management Configuration
NTP Master
|
#configure terminal |
Enter configure mode |
|
(config)# feature ntp vrf management |
Enable feature ntp |
|
(config)# ntp enable vrf management |
Enable ntp |
|
(config)# ntp master vrf management |
Configure the node as NTP master |
|
(config)# ntp master stratum 1 vrf management |
Configure the ntp stratum level as 1 indicating that it is using local clock |
|
(config)# ntp authenticate vrf management |
Configure ntp server for authentication |
|
(config)# ntp authentication-key 65 md5 test123 vrf management |
Configure ntp authentication key with password |
|
(config)# ntp trusted-key 65 vrf management |
Configure ntp trusted key |
|
(config)# ntp allow 10.12.20.6 mask 255.255.255.0 nomodify vrf management |
Configure the ntp acl nomodify in the ntp allow list |
|
(config)# ntp allow 10.12.20.6 mask 255.255.255.0 noquery vrf management |
Configure the ntp acl noquery in the ntp allow list |
|
(config)# ntp allow 10.12.20.6 mask 255.255.255.0 nopeer vrf management |
Configure the ntp acl nopeer in the ntp allow list |
|
(config)# ntp allow 10.12.20.6 mask 255.255.255.0 notrap vrf management |
Configure the ntp acl notrap in the ntp allow list |
|
(config)# ntp allow 10.12.20.6 mask 255.255.255.0 kod vrf management |
Configure the ntp acl KoD in the ntp allow list |
|
(config)#commit |
Commit the configuration |
|
(config)# exit |
Exit configure mode |
NTP Client1
|
#configure terminal |
Enter configure mode. |
|
(config)# feature ntp vrf management |
Enable feature ntp. |
|
(config)# ntp enable vrf management |
Enable ntp |
|
(config)# ntp authenticate vrf management |
Configure ntp client for authentication |
|
(config)# ntp authentication-key 65 md5 test123 vrf management |
Configure ntp authentication key with password |
|
(config)# ntp trusted-key 65 vrf management |
Configure ntp trusted key |
|
(config)# ntp server 10.12.20.5 key 65 vrf management |
Configure ntp server address for the sync to happen with authentication key |
|
(config)#commit |
Commit the configuration |
|
(config)# exit |
Exit Configure mode |
NTP Client2
|
#configure terminal |
Enter configure mode. |
|
(config)# feature ntp vrf management |
Enable feature ntp. |
|
(config)# ntp enable vrf management |
Enable ntp |
|
(config)# ntp authenticate vrf management |
Configure ntp client for authentication |
|
(config)# ntp authentication-key 65 md5 test123 vrf management |
Configure ntp authentication key with password |
|
(config)# ntp trusted-key 65 vrf management |
Configure ntp trusted key |
|
(config)# ntp server 10.12.20.5 key 65 vrf management |
Configure ntp server address for the sync to happen with authentication key |
|
(config)#commit |
Commit the configuration |
|
(config)# exit |
Exit Configure mode |
Validation
Check the local clock synchronization in the NTP Master as mentioned below:
Normal Time synchronization is not affected.
VTEP1#show ntp peer-status
remote refid st t when poll reach delay offset jitter
==============================================================================
*127.127.1.0 .LOCL. 1 l 40 64 377 0.000 0.000 0.000
VTEP1# Check the ntp client1 synchronization status as mentioned below:
#show ntp peer-status
Total peers : 1
* - selected for sync, + - peer mode(active),
- - peer mode(passive), = - polled in client mode,
x - source false ticker
remote refid st t when poll reach delay offset jitter
==============================================================================
*10.12.20.5 LOCAL(0) 2 u 13 16 377 0.180 0.019 0.013Check the ntp client2 synchronization status as mentioned below:
VTEP2#show ntp peer-status
Total peers : 1
* - selected for sync, + - peer mode(active),
- - peer mode(passive), = - polled in client mode,
x - source false ticker
remote refid st t when poll reach delay offset jitter
==============================================================================
*10.12.20.5 LOCAL(0) 2 u 15 16 377 0.185 -0.018 0.017User Defined VRF Configuration
NTP Master
|
#configure terminal |
Enter configure mode |
|
(config)# feature ntp vrf vrf1 |
Enable feature ntp |
|
(config)# ntp enable vrf vrf1 |
Enable ntp |
|
(config)# ntp master vrf vrf1 |
Configure the node as NTP master |
|
(config)# ntp master stratum 1 vrf vrf1 |
Configure the ntp stratum level as 1 indicating that it is using local clock |
|
(config)# ntp authenticate vrf vrf1 |
Configure ntp server for authentication |
|
(config)# ntp authentication-key 1 md5 cisco vrf vrf1 |
Configure ntp authentication key with password |
|
(config)# ntp trusted-key 1 vrf vrf1 |
Configure ntp trusted key |
|
(config)# ntp request-key 1 vrf vrf1 |
Configure ntp request key |
|
(config)# ntp allow 192.168.2.0 mask 255.255.255.0 nomodify vrf vrf1 |
Configure the ntp acl nomodify in the ntp allow list |
|
(config)# ntp allow 10.12.20.6 mask 255.255.255.0 noquery vrf management |
Configure the ntp acl noquery in the ntp allow list |
|
(config)# ntp allow 10.12.20.6 mask 255.255.255.0 nopeer vrf management |
Configure the ntp acl nopeer in the ntp allow list |
|
(config)# ntp allow 192.168.2.0 mask 255.255.255.0 noquery vrf vrf1 |
Configure the ntp acl notrap in the ntp allow list |
|
(config)# ntp allow 192.168.2.0 mask 255.255.255.0 nopeer vrf vrf1 |
Configure the ntp acl nopeer in the ntp allow list |
|
(config)# ntp allow 192.168.2.0 mask 255.255.255.0 notrap vrf vrf1 |
Configure the ntp acl notrap in the ntp allow list |
|
(config)# ntp allow 10.12.20.6+-192.168.2.0 mask 255.255.255.0 kod vrf vrf1 |
Configure the ntp acl KoD in the ntp allow list |
|
(config)#commit |
Commit the configuration |
|
(config)# exit |
Exit configure mode |
NTP Client1
|
#configure terminal |
Enter configure mode. |
|
(config)# feature ntp vrf vrf1 |
Enable feature ntp. |
|
(config)# ntp enable vrf vrf1 |
Enable ntp |
|
(config)# ntp authenticate vrf vrf1 |
Configure ntp client for authentication |
|
(config)# ntp authentication-key 1 md5 cisco vrf vrf1 |
Configure ntp authentication key with password |
|
(config)# ntp trusted-key 1 vrf vrf1 |
Configure ntp trusted key |
|
(config)# ntp request-key 1 vrf vrf1 |
Configure ntp request key |
|
(config)# ntp server 192.168.2.2 key 1 vrf vrf1 |
Configure ntp server address for the sync to happen with authentication key |
|
(config)#commit |
Commit the configuration |
|
(config)# exit |
Exit Configure mode |
NTP Client2
|
#configure terminal |
Enter configure mode. |
|
(config)# feature ntp vrf vrf1 |
Enable feature ntp. |
|
(config)# ntp enable vrf vrf1 |
Enable ntp |
|
(config)# ntp authenticate vrf vrf1 |
Configure ntp client for authentication |
|
(config)# ntp authentication-key 1 md5 cisco vrf vrf1 |
Configure ntp authentication key with password |
|
(config)# ntp trusted-key 1 vrf vrf1 |
Configure ntp trusted key |
|
(config)# ntp request-key 1 vrf vrf1 |
Configure ntp request key |
|
(config)# ntp server 192.168.3.2 key 1 vrf vrf1 |
Configure ntp server address for the sync to happen with authentication key |
|
(config)#commit |
Commit the configuration |
Validation
Check the local clock synchronization in the NTP Master as mentioned below:
Normal Time synchronization is not affected.
VTEP1#show ntp peer-status
remote refid st t when poll reach delay offset jitter
==============================================================================
*127.127.1.0 .LOCL. 1 l 40 64 377 0.000 0.000 0.000
VTEP1#Check the ntp client1 synchronization status as mentioned below:
#show ntp peer-status
Total peers : 1
* - selected for sync, + - peer mode(active),
- - peer mode(passive), = - polled in client mode,
x - source false ticker
remote refid st t when poll reach delay offset jitter
==============================================================================
*10.12.20.5 LOCAL(0) 2 u 13 16 377 0.180 0.019 0.013Check the ntp client2 synchronization status as mentioned below:
VTEP2#show ntp peer-status
Total peers : 1
* - selected for sync, + - peer mode(active),
- - peer mode(passive), = - polled in client mode,
x - source false ticker
remote refid st t when poll reach delay offset jitter
==============================================================================
*10.12.20.5 LOCAL(0) 2 u 15 16 377 0.185 -0.018 0.017