
NTP authentication

Status
Not open for further replies.

norteldude78

IS-IT--Management
Nov 10, 2005
214
US
Hello,

I am learning about NTP authentication and there is something that I must NOT be getting.

Topology:
R1 ------ R2

R1: 172.12.12.1
R2: 172.12.12.2

R1 config:

ntp authentication-key 2 md5 cisco
ntp authentication-key 3 md5 cisco
ntp authenticate
ntp trusted-key 2
ntp master 2

R2 config:

ntp authentication-key 5 md5 juniper
ntp authenticate
ntp clock-period 17179896
ntp server 172.12.12.1

The issue:

R2 is still synchronizing to R1. Am I not using the wrong key for this to work?

Thanks,
Bryan

 
ok, I got it. I had to use this on R2:

ntp server 172.12.12.1 key 5

 
well now I can't get authentication to work

R1:

ntp authentication-key 2 md5 070C285F4D06 7 (key = cisco)
ntp authentication-key 3 md5 030752180500 7 (key = cisco)
ntp authenticate
ntp trusted-key 2
ntp trusted-key 3
ntp master 2

R2:

ntp authentication-key 3 md5 02050D480809 7 (key = cisco)
ntp authentication-key 4 md5 104D000A0618 7
ntp authentication-key 5 md5 05011301285C4B1B 7
ntp authenticate
ntp clock-period 17179910
ntp server 172.12.12.1 key 3

Any ideas why R2 will not sync to R1? R2 is set about 10 minutes behind R1 right now.

Thanks,
Bryan
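To make the pieces in the configs above concrete (why the `ntp server ... key N` line was needed, and what `ntp authentication-key` and `ntp trusted-key` each contribute), here is an added Python model of NTP symmetric-key MD5 authentication as described in RFC 5905 section 7.3. It is example code written for this thread, not Cisco IOS code or anything from the original posts. It builds a minimal NTP header, appends the 4-byte key identifier plus the 16-byte MD5 digest of `key || header`, and then runs the receiver's checks with the key tables from the posts (keys 2 and 3 = "cisco" on R1, key 5 = "juniper" on R2; the `r1_keys`, `trusted` and `build_header` names are this example's own). The four failure cases it walks through are the ones a key-id or key-string mismatch produces; the exact IOS log messages are not reproduced here.

```python
import hashlib
import hmac
import struct

# NTPv4 header is 48 bytes. With symmetric-key authentication the packet
# carries a 4-byte key identifier followed by a 16-byte MD5 digest
# (RFC 5905, section 7.3 / appendix A "authentication").
HEADER_LEN = 48
MD5_LEN = 16


def build_header(stratum: int, transmit_ts: int = 0) -> bytes:
    """Constructed minimal NTPv4 client header (LI=0, VN=4, mode=3).

    Root delay, root dispersion, reference id and the first three
    timestamps are zero; only the transmit timestamp is settable.
    """
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    fixed = struct.pack("!BBbb", li_vn_mode, stratum, 6, -20)  # poll=6, precision=-20
    return fixed + b"\x00" * 12 + b"\x00" * 24 + struct.pack("!Q", transmit_ts)


def md5_mac(key: bytes, header: bytes) -> bytes:
    """Keyed digest exactly as NTP computes it: MD5(key || header)."""
    return hashlib.md5(key + header).digest()


def sign(header: bytes, key_id: int, key: bytes) -> bytes:
    """Sender side: equivalent of 'ntp server <addr> key <key_id>'.

    The key id travels in clear so the receiver knows which key to try.
    """
    return header + struct.pack("!I", key_id) + md5_mac(key, header)


def verify(packet: bytes, keys: dict, trusted: set) -> tuple:
    """Receiver side with 'ntp authenticate' enabled.

    keys    mirrors 'ntp authentication-key N md5 <key>' lines
    trusted mirrors 'ntp trusted-key N' lines
    Returns (accepted, reason) so each check is visible.
    """
    if len(packet) == HEADER_LEN:
        return False, "unauthenticated packet"
    if len(packet) != HEADER_LEN + 4 + MD5_LEN:
        return False, "malformed MAC"
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in keys:
        return False, f"unknown key id {key_id}"
    if key_id not in trusted:
        return False, f"key id {key_id} not trusted"
    expected = md5_mac(keys[key_id], header)
    # Constant-time compare so a verifier does not leak digest bytes via timing.
    if not hmac.compare_digest(expected, mac[4:]):
        return False, f"digest mismatch for key id {key_id}"
    return True, "ok"


if __name__ == "__main__":
    hdr = build_header(stratum=2)
    r1_keys = {2: b"cisco", 3: b"cisco"}  # from the first R1 config in the thread

    # First config: R2 signs with key 5 ("juniper"), which R1 never defined.
    print(verify(sign(hdr, 5, b"juniper"), r1_keys, {2}))
    # Second config: R2 signs with key 3 ("cisco"), R1 defines and trusts 3.
    print(verify(sign(hdr, 3, b"cisco"), r1_keys, {2, 3}))
    # Same key id on both sides but a different key string.
    print(verify(sign(hdr, 3, b"juniper"), r1_keys, {2, 3}))
    # Key id defined on R1 but not listed under 'ntp trusted-key'.
    print(verify(sign(hdr, 3, b"cisco"), r1_keys, {2}))
    # No 'key N' on the server line at all: packet carries no MAC.
    print(verify(hdr, r1_keys, {2}))
```

The thing to take from the model is that three separate facts must line up: the key id named on the `ntp server ... key N` line, the key string stored under that id on both routers, and the id being present under `ntp trusted-key` on the side doing the verification. A packet sent without `key N` carries no MAC at all, so there is nothing for `ntp authenticate` to check on it.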
 
sho ntp stat on R1
is it in sync with itself?

maybe you need an external ntp connection before it will allow clients to sync to it?

we use ntp auth and the config is very similar.. only difference is that we have an acl on it as well

ntp access-group peer 90 <- 90 being a standard acl

on r2
sh ntp ass
usually you can get some clues from that output..
 
thanks. ntp was synced with itself due to the "ntp master" command. I created a peer on R1 pointing to R2 and then it worked...not really sure why I needed to do that.
 
I'm kind of speculating.. but I've seen other times where the stratum value is much higher than what you specify.. so you say master 2, it should be a stratum 2 clock.. but I'm sure the last time I did that it showed to be a stratum 16 and maybe the peer doesn't trust that source enough to sync to it?
 
well 1 is the highest it can go, 16 would be lower...and I got it to sync by putting the peer command on the master. so I don't think the stratum number mattered...I also followed the example from scratch in the ISCW student guide and it worked. I was just trying to do it "logically" on my own without just copying and pasting.

I did play with ACLs and they didn't resolve this particular issue but I was able to figure out how they work.

Anyways, I was studying for the ISCW exam which had a little bit of NTP security in the topics. I took the test and passed today. There wasn't even any NTP on it, so I'm going to play with this some other time...but thanks for the replies.

now on to CCIE...

:)

 
ya I was just trying to say that a stratum 16 clock is the worst ntp source you could have and maybe the remote peers don't even trust it at that point to sync.

after you peered with a real ntp server somewhere else your stratum # would have improved based on who you were synced to.. probably a public strat 2 clock?
 
congrats on the pass though.. I've just done my BSCI recently.. I have a ways to go still.
 