
Mailing List Archive: Cisco: NSP

NTP on a 3750 & 2970



steve.bertrand at gmail

Jun 11, 2012, 9:46 AM

Post #1 of 10 (4307 views)
NTP on a 3750 & 2970

Hey all,

I'm just wondering if the aforementioned switches will listen for NTP
requests by default.

We have a rigid Change Management policy, and unfortunately I have no
spares for these units. I'm trying to come up with the appropriate
config so that these units both sync time off the 'net, and allow the
clients connected to them to update from them directly.

Here's what I'm thinking should do the trick, but it is unclear to me if
I need any interface specific or other global config changes to enable
clients to sync time with the switches:

conf t
clock timezone MST -7
clock summer-time MDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
ntp server ntp.cpsc.ucalgary.ca
ntp server ntp1.cpsc.ucalgary.ca
exit
wr mem

Cheers and thanks!

Steve
_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


peter at rathlev

Jun 11, 2012, 10:00 AM

Post #2 of 10 (4231 views)
Re: NTP on a 3750 & 2970 [In reply to]

On Mon, 2012-06-11 at 10:46 -0600, Steve Bertrand wrote:
> Here's what I'm thinking should do the trick, but it is unclear to me if
> I need any interface specific or other global config changes to enable
> clients to sync time with the switches:
>
> conf t
> clock timezone MST -7
> clock summer-time MDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
> ntp server ntp.cpsc.ucalgary.ca
> ntp server ntp1.cpsc.ucalgary.ca
> exit
> wr mem

The above would make the switch itself sync time with the two specified
servers. The timezone commands are in that regard irrelevant, since NTP
is always UTC.

You need "ntp master" command to enable others to sync with this switch.
Beware that this might not be a good idea. They may not be the best time
keepers, and have slow processors meaning that a (possibly accidental)
DoS against NTP might easily disturb e.g. STP and other critical
processes.

--
Peter




joshua.morgan at gmail

Jun 11, 2012, 10:03 AM

Post #3 of 10 (4236 views)
Re: NTP on a 3750 & 2970 [In reply to]

Last time I tried, 3750 does not. I don't think any Catalyst can do that.

Sent from my iPhone

On 12/06/2012, at 2:46, Steve Bertrand <steve.bertrand [at] gmail> wrote:

> Hey all,
>
> I'm just wondering if the aforementioned switches will listen for NTP requests by default.
>
> We have a rigid Change Management policy, and unfortunately I have no spares for these units. I'm trying to come up with the appropriate config so that these units both sync time off the 'net, and allow the clients connected to them to update from them directly.
>
> Here's what I'm thinking should do the trick, but it is unclear to me if I need any interface specific or other global config changes to enable clients to sync time with the switches:
>
> conf t
> clock timezone MST -7
> clock summer-time MDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
> ntp server ntp.cpsc.ucalgary.ca
> ntp server ntp1.cpsc.ucalgary.ca
> exit
> wr mem
>
> Cheers and thanks!
>
> Steve


peter at rathlev

Jun 11, 2012, 10:40 AM

Post #4 of 10 (4229 views)
Re: NTP on a 3750 & 2970 [In reply to]

On Tue, 2012-06-12 at 03:03 +1000, Joshua Morgan wrote:
> Last time I tried, 3750 does not. I don't think any Catalyst can do that.

We have previously used C6k/Sup720 running SFX for this. I just tested a
3560 running 12.2(58)SE1 IP Services and it works fine.

I actually just tried a regular IP Base switch (also 12.2(58)SE1) and it
also answers to "ntpdate -q", even without "ntp master".

On that note: Use "ntp access-group peer <X>" to limit who can talk NTP
with the switch. I haven't been able to limit who can query and who can
serve via the "query-only" and "serve-only" keywords. I just don't
understand how it's supposed to work.

--
Peter





aledm at qix

Jun 11, 2012, 1:43 PM

Post #5 of 10 (4226 views)
Re: NTP on a 3750 & 2970 [In reply to]

On 11 June 2012 18:00, Peter Rathlev <peter [at] rathlev> wrote:

> You need "ntp master" command to enable others to sync with this switch.
>

Any IOS device that is in NTP sync will act as an NTP server.

You only need to set "ntp master" if the switch has a free-running clock
i.e. not synchronized to an NTP source.

Aled


peter at rathlev

Jun 11, 2012, 2:14 PM

Post #6 of 10 (4225 views)
Re: NTP on a 3750 & 2970 [In reply to]

On Mon, 2012-06-11 at 21:43 +0100, Aled Morris wrote:
> Any IOS device that is in NTP sync will act as an NTP server.

Yeah, I discovered that when testing. It confuses me a little though. I
don't know exactly how much CPU time serving clients take, but "ntp
access-group" seems like a good idea.
>
> You only need to set "ntp master" if the switch has a free-running
> clock i.e. not synchronized to an NTP source.

Ah, that's what it's for then. :-)

--
Peter





chuckchurch at gmail

Jun 11, 2012, 2:22 PM

Post #7 of 10 (4268 views)
Re: NTP on a 3750 & 2970 [In reply to]

Keep in mind that SNTP clients don't do the sanity checking that normal NTP
does, so an out of sync router could provide bad time to an SNTP client.
I've used a time-based ACL in the past so that if the router's clock was
before a reasonable time, it would block those packets. I can't remember
what the time was, but most devices boot up with a date in the last century.
An ACL blocking all NTP inbound before this router hits Jan 1, 2012 is a
safe way to configure it. This assumes your router doesn't have a calendar.

Chuck


-----Original Message-----
From: cisco-nsp-bounces [at] puck
[mailto:cisco-nsp-bounces [at] puck] On Behalf Of Aled Morris
Sent: Monday, June 11, 2012 4:43 PM
To: Peter Rathlev
Cc: cisco-nsp [at] puck
Subject: Re: [c-nsp] NTP on a 3750 & 2970

On 11 June 2012 18:00, Peter Rathlev <peter [at] rathlev> wrote:

> You need "ntp master" command to enable others to sync with this switch.
>

Any IOS device that is in NTP sync will act as an NTP server.

You only need to set "ntp master" if the switch has a free-running clock
i.e. not synchronized to an NTP source.

Aled


steve.bertrand at gmail

Jun 11, 2012, 4:17 PM

Post #8 of 10 (4214 views)
Re: NTP on a 3750 & 2970 [In reply to]

On 11/06/2012 10:46 AM, Steve Bertrand wrote:

> I'm just wondering if the aforementioned switches will listen for NTP
> requests by default.

Thank you everyone for all of the on and off-list replies. I've got my
answer and will be implementing tomorrow morning.

This setup is only for one of our global sites with ~60 servers and a
dozen or so switches/routers, so I don't think the load will be an
issue. If it is, I'll back out the changes and build a couple proper
FBSD NTP Blades. I may also visit the NTP broadcast config option as well.

Also, regarding the master config option, I did come across that in the
documentation early on in my research, but neither of these two units
have a free-running (internal) clock anyways.

Again, thanks!

Steve



kgraham at industrial-marshmallow

Jun 12, 2012, 9:24 AM

Post #9 of 10 (4216 views)
Re: NTP on a 3750 & 2970 [In reply to]

This would either require a severely broken client (that isn't discarding 0 timestamps), or a server that is setting them prior to being initialized. Most likely it'd be due to erroneous configuration (as earlier cited), declaring the local clock to be authoritative.

I'd place a far higher priority on correcting the server's implementation (including deprecating it as a server) than standing up additional configuration to hack around it.

[sent from my mobile]

On Jun 11, 2012, at 2:22 PM, "Chuck Church" <chuckchurch [at] gmail> wrote:

> Keep in mind that SNTP clients don't do the sanity checking that normal NTP
> does, so an out of sync router could provide bad time to an SNTP client.
> I've used a time-based ACL in the past so that if the router's clock was
> before a reasonable time, it would block those packets. I can't remember
> what the time was, but most devices boot up with a date in the last century.
> An ACL blocking all NTP inbound before this router hits Jan 1, 2012 is a
> safe way to configure it. This assumes your router doesn't have a calendar.
>
> Chuck
>
>
> -----Original Message-----
> From: cisco-nsp-bounces [at] puck
> [mailto:cisco-nsp-bounces [at] puck] On Behalf Of Aled Morris
> Sent: Monday, June 11, 2012 4:43 PM
> To: Peter Rathlev
> Cc: cisco-nsp [at] puck
> Subject: Re: [c-nsp] NTP on a 3750 & 2970
>
> On 11 June 2012 18:00, Peter Rathlev <peter [at] rathlev> wrote:
>
>> You need "ntp master" command to enable others to sync with this switch.
>>
>
> Any IOS device that is in NTP sync will act as an NTP server.
>
> You only need to set "ntp master" if the switch has a free-running clock
> i.e. not synchronized to an NTP source.
>
> Aled

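The thread touches three client-side points: Peter's `ntpdate -q` probe against the switch (post #4), Chuck's warning that SNTP clients skip the sanity checks full NTP performs (post #7), and Kevin's note that a sane client discards replies carrying zero timestamps or coming from a clock that merely declared itself authoritative (post #9). The following Python is an added example written for this page, not code from any of the posters or from Cisco. It builds the same mode-3 request `ntpdate -q` sends, parses the 48-byte NTPv4 header from RFC 5905, and applies the rejection rules a full client uses: leap indicator 3, stratum 0 or 16+, zero reference/transmit timestamps, a mismatched origin timestamp (bogus or replayed reply), root distance over 1 s, and, mirroring the "before Jan 1, 2012" ACL idea, a timestamp earlier than a configured floor. The two server replies it validates are constructed in the block (a synced stratum-2 server, and a freshly booted device whose clock reads 1993 with `ntp master` set); `SANITY_FLOOR` and `make_reply` are assumptions for the demonstration. `query()` does talk to a real host on UDP/123 if you call it, but nothing in the block does so by itself.

```python
"""NTPv4 client with the sanity checks an SNTP client usually skips.
Added example; the sample replies below are constructed, not captured."""
import socket
import struct
import time

NTP_UNIX_DELTA = 2208988800            # seconds from 1900-01-01 to 1970-01-01
HEADER = struct.Struct("!BBbbII4sQQQQ")  # RFC 5905 header, 48 bytes, no extensions
MAX_ROOT_DISTANCE = 1.0                # RFC 5905 MAXDIST, in seconds
# Assumed floor: a reply claiming an earlier time can only come from a clock
# that was never set (the thread's "before Jan 1, 2012" rule, done client-side).
SANITY_FLOOR = 1325376000.0            # 2012-01-01T00:00:00Z as Unix time

def to_ntp(unix):
    """Unix float seconds -> 64-bit NTP timestamp (32.32 fixed point)."""
    return int((unix + NTP_UNIX_DELTA) * (1 << 32))

def from_ntp(ts):
    """64-bit NTP timestamp -> Unix float seconds."""
    return ts / (1 << 32) - NTP_UNIX_DELTA

def build_request(xmt_unix):
    """Mode-3 client request: LI=0, VN=4, mode=3, only the transmit stamp set."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    return HEADER.pack(li_vn_mode, 0, 0, 0, 0, 0, b"\0" * 4, 0, 0, 0, to_ntp(xmt_unix))

def parse(raw):
    """Decode the fixed header into a dict; raises on a truncated datagram."""
    if len(raw) < HEADER.size:
        raise ValueError("short NTP packet: %d bytes" % len(raw))
    f = HEADER.unpack_from(raw)
    return {
        "li": f[0] >> 6, "vn": (f[0] >> 3) & 7, "mode": f[0] & 7,
        "stratum": f[1], "poll": f[2], "precision": f[3],
        "root_delay": f[4] / 65536.0, "root_disp": f[5] / 65536.0,
        "refid": f[6], "ref": f[7], "orig": f[8], "recv": f[9], "xmt": f[10],
    }

def check(pkt, request_xmt_unix, floor=SANITY_FLOOR):
    """Return the reasons to reject a reply; an empty list means it is usable."""
    bad = []
    if pkt["mode"] != 4:
        bad.append("not a server reply (mode %d)" % pkt["mode"])
    if pkt["li"] == 3:
        bad.append("leap indicator 3: server clock unsynchronized")
    if pkt["stratum"] == 0 or pkt["stratum"] >= 16:
        bad.append("stratum %d: kiss-o'-death or unsynchronized" % pkt["stratum"])
    if pkt["xmt"] == 0 or pkt["ref"] == 0:
        bad.append("zero transmit/reference timestamp: clock never set")
    if pkt["orig"] != to_ntp(request_xmt_unix):
        bad.append("origin timestamp does not match our request (bogus/replay)")
    if pkt["root_delay"] / 2 + pkt["root_disp"] > MAX_ROOT_DISTANCE:
        bad.append("root distance exceeds %.1fs" % MAX_ROOT_DISTANCE)
    if pkt["xmt"] and from_ntp(pkt["xmt"]) < floor:
        bad.append("server time is before the sanity floor")
    return bad

def offset(pkt, t1, t4):
    """Clock offset per RFC 5905: ((t2 - t1) + (t3 - t4)) / 2."""
    t2, t3 = from_ntp(pkt["recv"]), from_ntp(pkt["xmt"])
    return ((t2 - t1) + (t3 - t4)) / 2

def query(host, port=123, timeout=2.0):
    """One request/reply on the wire (what `ntpdate -q` does), then validate."""
    t1 = time.time()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_request(t1), (host, port))
        raw, _ = s.recvfrom(512)
    t4 = time.time()
    pkt = parse(raw)
    return pkt, check(pkt, t1), offset(pkt, t1, t4)

def make_reply(t1, t2, t3, li=0, stratum=2, ref=None, root_disp=0.01, orig=None):
    """Constructed mode-4 server reply, standing in for a live switch."""
    li_vn_mode = (li << 6) | (4 << 3) | 4
    ref_ts = to_ntp(t2 - 30) if ref is None else ref
    orig_ts = to_ntp(t1) if orig is None else orig
    return HEADER.pack(li_vn_mode, stratum, 6, -20, 0, int(root_disp * 65536),
                       b"GPS\0", ref_ts, orig_ts, to_ntp(t2), to_ntp(t3))

# Constructed scenarios: a synced stratum-2 server, and a just-booted device
# with "ntp master" set whose clock still reads February 1993 and is unsynced.
T1 = 1339430400.0                      # our request time, 2012-06-11T16:00:00Z
GOOD_REPLY = make_reply(T1, T1 + 0.010, T1 + 0.011)
BAD_REPLY = make_reply(T1, 730000000.0, 730000000.0, li=3, stratum=0, ref=0)

def demo():
    """Validate both constructed replies; returns (good_reasons, bad_reasons, offset)."""
    good, bad = parse(GOOD_REPLY), parse(BAD_REPLY)
    return check(good, T1), check(bad, T1), offset(good, T1, T1 + 0.020)

if __name__ == "__main__":
    for label, reasons in zip(("synced server", "1993 switch"), demo()[:2]):
        print(label, "->", "OK" if not reasons else "; ".join(reasons))
```

The origin-timestamp comparison is the check that matters most on a shared segment: a reply whose `orig` field does not echo your own transmit stamp was not an answer to your request, so a spoofed or replayed packet from a host that has not seen your query is dropped before its time value is ever looked at. The floor check is deliberately the last rule applied, since a reply that already fails on LI, stratum or zero timestamps should be rejected on those grounds rather than on a date you had to hard-code.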


joshua.morgan at gmail

Jun 13, 2012, 12:59 AM

Post #10 of 10 (4194 views)
Re: NTP on a 3750 & 2970 [In reply to]

I stand corrected then. I've only ever tried on a 3750G with IP Base, must have been doing something wrong!

Sent from my iPhone

On 12/06/2012, at 3:40, Peter Rathlev <peter [at] rathlev> wrote:

> On Tue, 2012-06-12 at 03:03 +1000, Joshua Morgan wrote:
>> Last time I tried, 3750 does not. I don't think any Catalyst can do that.
>
> We have previously used C6k/Sup720 running SFX for this. I just tested a
> 3560 running 12.2(58)SE1 IP Services and it works fine.
>
> I actually just tried a regular IP Base switch (also 12.2(58)SE1) and it
> also answers to "ntpdate -q", even without "ntp master".
>
> On that note: Use "ntp access-group peer <X>" to limit who can talk NTP
> with the switch. I haven't been able to limit who can query and who can
> serve via the "query-only" and "serve-only" keywords. I just don't
> understand how it's supposed to work.
>
> --
> Peter
>
>
>
