labunix's blog

labunix's Lab Unix

Setting up an NTP client on a Cisco 892J.

■Setting up an NTP client on a Cisco 892J.
 Configuration for the case where the NTP server is 192.168.102.250 and the client sources its requests from vlan 1:

# configure terminal
  clock timezone JST +9
  ntp server 192.168.102.250
  ntp source vlan 1
  ntp update-calendar 
  ntp logging
  end

■The Cisco 892J is running IOS 15.3.

#show version | include bin
System image file is "flash:c890-universalk9-mz.153-3.M1.bin"

■FortiGate UDP NAT forwarding environment.
 Syslog forwarding through the same VIP and policy has already been verified, so there is no concern that NAT translation will fail for NTP.

# show | grep -f SYSLOG_DNAT
config firewall vip
    edit "SYSLOG_DNAT" <---
        set extip 192.168.102.250
        set extintf "dmz"
        set mappedip "172.31.31.254"
    next
end
config firewall policy
    edit 4
        set srcintf "dmz"
        set dstintf "internal"
        set srcaddr "Cisco892J"
        set dstaddr "SYSLOG_DNAT" <---
        set action accept
        set schedule "always"
        set service "SYSLOG" "NTP" "SNMP"
        set utm-status enable
        set av-profile "default"
        set spamfilter-profile "default"
        set ips-sensor "default"
        set profile-protocol-options "default"
        set nat enable
    next
end

■Access lists and similar security controls are enforced by the upstream NTP server.
 Requests from "192.168.102.0/24" are denied.
 Only the source address after NAT, "172.31.31.250" (the router's address as seen behind the policy's `set nat enable`), is permitted, via the restrict line below. Note that ntpd restrict flags are additive restrictions: `kod notrap` only refuses the trap service and enables kiss-o'-death replies, so ntpq/ntpdc queries and (authenticated) runtime modification stay allowed from that address; the usual minimum for a time-only client is `kod nomodify notrap nopeer noquery`.

$ grep 172.31.31.250 /etc/ntp.conf 
restrict -4 172.31.31.250 kod notrap

■The other configurable ntp items are listed below.

# configure terminal
  ntp ?

  access-group        Control NTP access
  allow               Allow processing of packets
  authenticate        Authenticate time sources
  authentication-key  Authentication key for trusted time sources
  broadcastdelay      Estimated round-trip delay
  clock-period        Length of hardware clock tick
  logging             Enable NTP message logging
  master              Act as NTP master clock
  max-associations    Set maximum number of associations
  maxdistance         Maximum Distance for synchronization
  orphan              Threshold Stratum for orphan mode
  panic               Reject time updates > panic threshold (default 1000Sec)
  passive             NTP passive mode
  peer                Configure NTP peer
  server              Configure NTP server
  source              Configure interface for source address
  trusted-key         Key numbers for trusted time sources
  update-calendar     Periodically update calendar with NTP time

■Checking the time and its source.
 While the clock is not yet synchronized, the output is prefixed with "*" (in IOS, "*" means the time is not authoritative; "." means it is authoritative but NTP is not currently synchronized).

#show clock 
*00:00:09.559 JST Mon Aug 24 2015

#show clock detail 
*00:00:26.447 JST Mon Aug 24 2015
Time source is NTP

■Once synchronized, the "*" disappears.

#show clock 
00:49:32.760 JST Mon Aug 24 2015
#show clock detail 
00:49:54.880 JST Mon Aug 24 2015
Time source is NTP

■Writing the time to the hardware clock (calendar) and checking it. With `ntp update-calendar` configured, the calendar is also refreshed from NTP periodically.

#clock update-calendar 
#show calendar

00:01:39 JST Mon Aug 24 2015

■Checking NTP synchronization.
 Stratum 16 is the protocol's "unsynchronized" value, so a client at stratum 16 is not synchronized, whatever the implementation.

#show ntp status | include stratum
Clock is unsynchronized, stratum 16, no reference clock

■Confirm that the NTP stratum is the upstream server's stratum + 1.

#show ntp status | include stratum
Clock is synchronized, stratum 3, reference is 192.168.102.250

■The association must carry the "sys.peer" flag; without it the clock will not synchronize.

#show ntp associations 

  address         ref clock       st   when   poll reach  delay  offset   disp
*~192.168.102.250 133.243.238.164  2      0     64     7  1.145   2.786  0.916
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

#show ntp information 
Ntp Software Name   	:  Cisco-ntpv4 
Ntp Software Version	:  Cisco-ntpv4-1.0 
Ntp Software Vendor 	:  CISCO 
Ntp System Type     	:  Cisco IOS / MPC8300 

■NTP packets must be counted in the input direction, not only the output direction.
 If the input counter does not increase while the output counter does, it is very likely that an upstream security control is dropping the packets.

#show ntp packets 
Ntp In packets	   		:  9 
Ntp Out packets           	:  25 
Ntp bad version packets   	:  0 
Ntp protocol error packets	:  0 
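What those counters represent on the wire, as an added example written for this page (not code from the post, Cisco or FortiGate): it builds the NTPv4 mode 3 request a client like the 892J sends, builds a constructed mode 4 reply, and applies the client-side checks that decide whether a reply may be used: the origin timestamp must echo our own transmit timestamp, the server must not be unsynchronized (LI=3 or stratum 16), root dispersion must stay below the 1000 ms IOS threshold, and a stratum-0 kiss-o'-death must be honoured. The timestamps are chosen so the computed offset and delay come out at the 2.786 ms and 1.14 ms the router reported; the reply bytes, the 0.2 ms server processing time and all function names are this example's own assumptions.

```python
"""NTPv4 client exchange: build the mode 3 request, parse the mode 4 reply, and
apply the client-side checks that decide whether the reply may be used.
Added example, not code from the post, Cisco or FortiGate; the reply bytes are
constructed here and the timestamps are chosen so the result matches the offset
and delay the post's router reported (2.786 ms and 1.14 ms)."""
import socket
import struct
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
JST = timezone(timedelta(hours=9))
# LI/VN/mode, stratum, poll, precision, root delay, root disp, refid, ref/org/rec/xmt
PACKET = struct.Struct("!BBBbII4sQQQQ")          # the 48-byte header of RFC 5905 section 7.3
MODE_CLIENT, MODE_SERVER = 3, 4
MAX_ROOT_DISP_S = 1.0                             # the IOS rejection threshold (1000 ms)

def to_ntp(dt: datetime) -> int:
    """datetime -> 64-bit NTP timestamp: 32-bit seconds since 1900, 32-bit fraction."""
    d = dt.astimezone(timezone.utc) - NTP_EPOCH
    return ((d.days * 86400 + d.seconds) << 32) | (d.microseconds * 2**32 // 10**6)

def build_request(t1: datetime) -> bytes:
    """Mode 3 client request (LI=0, VN=4); only the transmit timestamp T1 carries data."""
    return PACKET.pack((4 << 3) | MODE_CLIENT, 0, 6, -20, 0, 0, b"\0\0\0\0", 0, 0, 0, to_ntp(t1))

def build_reply(request: bytes, t2: datetime, t3: datetime, stratum: int, refid: bytes,
                root_delay_s: float, root_disp_s: float, li: int = 0) -> bytes:
    """Constructed mode 4 server reply: org echoes the request's xmt, rec=T2, xmt=T3."""
    req = PACKET.unpack(request)
    return PACKET.pack((li << 6) | (4 << 3) | MODE_SERVER, stratum, req[2], -20,
                       int(root_delay_s * 2**16), int(root_disp_s * 2**16),   # 16.16 fixed point
                       refid, to_ntp(t2), req[10], to_ntp(t2), to_ntp(t3))

def analyze_reply(reply: bytes, t1: datetime, t4: datetime) -> dict:
    """Decode a reply received at T4 for the request sent at T1; list why it would be rejected."""
    (li_vn_mode, stratum, _poll, _prec, rdelay, rdisp, refid, _ref, org, rec, xmt) = PACKET.unpack(reply)
    li, version, mode = li_vn_mode >> 6, (li_vn_mode >> 3) & 7, li_vn_mode & 7
    problems = []
    if mode != MODE_SERVER:
        problems.append("mode %d is not a server reply" % mode)
    if org != to_ntp(t1):   # a reply that does not echo our T1 is spoofed, replayed or stale
        problems.append("origin timestamp does not match our request")
    if stratum == 0:        # kiss-o'-death: the reference ID carries an ASCII kiss code
        refid_str = refid.decode("ascii", "replace")
        problems.append("kiss-o'-death %s: back off, never sync to it" % refid_str)
    elif stratum == 1:      # primary server: reference ID names the clock source
        refid_str = refid.decode("ascii", "replace").rstrip("\0")
    else:                   # secondary server: reference ID is the upstream IPv4 address
        refid_str = socket.inet_ntoa(refid)
    if li == 3 or stratum >= 16:
        problems.append("server is itself unsynchronized (LI=%d, stratum %d)" % (li, stratum))
    root_disp_s = rdisp / 2**16
    if root_disp_s >= MAX_ROOT_DISP_S:
        problems.append("root dispersion %.1f ms is not below %.0f ms" % (root_disp_s * 1e3, MAX_ROOT_DISP_S * 1e3))
    # RFC 5905 on-wire protocol: offset = ((T2-T1) + (T3-T4)) / 2, delay = (T4-T1) - (T3-T2)
    T1, T4 = to_ntp(t1), to_ntp(t4)
    offset_s = ((rec - T1) + (xmt - T4)) / 2 / 2**32
    delay_s = ((T4 - T1) - (xmt - rec)) / 2**32
    return {"li": li, "version": version, "stratum": stratum, "refid": refid_str,
            "root_delay_ms": rdelay / 2**16 * 1e3, "root_disp_ms": root_disp_s * 1e3,
            "offset_ms": offset_s * 1e3, "delay_ms": delay_s * 1e3, "problems": problems}

def exchange(stratum: int = 2, refid: bytes = socket.inet_aton("133.243.238.164"),
             root_disp_s: float = 0.03308) -> dict:
    """One request/reply round whose true offset is +2.786 ms and round-trip delay 1.14 ms.
    T1/T4 are read from the client clock, T2/T3 from the server clock (server 2.786 ms ahead)."""
    t1 = datetime(2015, 8, 24, 0, 57, 38, 374000, tzinfo=JST)      # client transmit
    t2 = t1 + timedelta(microseconds=3356)   # server receive: +0.57 ms one-way + 2.786 ms offset
    t3 = t2 + timedelta(microseconds=200)    # server transmit after 0.2 ms of processing (assumed)
    t4 = t3 - timedelta(microseconds=2216)   # client receive: -2.786 ms offset + 0.57 ms one-way
    request = build_request(t1)
    reply = build_reply(request, t2, t3, stratum, refid, root_delay_s=0.01022, root_disp_s=root_disp_s)
    return analyze_reply(reply, t1, t4)

if __name__ == "__main__":
    print("healthy      :", exchange())
    print("kiss-o'-death:", exchange(stratum=0, refid=b"RATE")["problems"])
    print("root disp    :", exchange(root_disp_s=1.5)["problems"])
```

The origin-timestamp check is the one that matters most from a security standpoint: it is what stops an off-path attacker from answering a request they never saw, and it is why the "org time" field in `show ntp associations detail` is worth looking at. The stratum-0 branch is the other side of the `kod` flag in the ntp.conf restrict line above: a server that rate-limits you answers with a RATE kiss code, and a client that ignored it would keep hammering the server while never converging.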

■The poll interval is 64 seconds (minpoll 6, i.e. 2^6); as the clock stabilizes it backs off toward maxpoll 10 (1024 seconds).

#show ntp status 
Clock is synchronized, stratum 3, reference is 192.168.102.250
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**21
ntp uptime is 173700 (1/100 of seconds), resolution is 4000
reference time is D9846A60.5CC1AF5D (00:50:56.362 JST Mon Aug 24 2015)
clock offset is 2.7862 msec, root delay is 11.36 msec
root dispersion is 34.80 msec, peer dispersion is 1.73 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000000000 s/s
system poll interval is 64, last update was 81 sec ago.

■"root disp" must be below 1000 ms.

 The root dispersion value is in excess of 1000 ms,
    which causes the Cisco IOS NTP implementation to reject the association.

 Troubleshoot Network Time Protocol (NTP)
 http://www.cisco.com/c/en/us/support/docs/ip/network-time-protocol-ntp/108076-ntp-troubleshoot.html#wtm

#show ntp associations detail
192.168.102.250 configured, ipv4, our_master, sane, valid, stratum 2
ref ID 133.243.238.164, time D98469A5.2627B5DE (00:47:49.149 JST Mon Aug 24 2015)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 10.22 msec, root disp 33.08, reach 377, sync dist 49.50
delay 1.14 msec, offset 2.7862 msec, dispersion 4.79, jitter 5.10 msec
precision 2**20, version 4
assoc id 2333, assoc name 192.168.102.250
assoc in packets 15, assoc out packets 15, assoc error packets 0
org time 00000000.00000000 (09:00:00.000 JST Mon Jan 1 1900)
rec time D9846BF2.5FE3AB99 (00:57:38.374 JST Mon Aug 24 2015)
xmt time D9846BF2.5FE3AB99 (00:57:38.374 JST Mon Aug 24 2015)
filtdelay =     1.70    2.87    1.22    1.26    1.19    1.25    1.14    1.29
filtoffset =   11.65    9.12    8.50    7.07    5.67    4.21    2.78    1.27
filterror =     0.00    1.03    2.02    3.01    4.00    5.04    6.03    7.02
minpoll = 6, maxpoll = 10
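The checks in the sections above, from the stratum-16 test through the root dispersion limit, turned into one script (added example, not from the original post): it parses the `show ntp status`, `show ntp associations` and `show ntp packets` captures reproduced from the post, decodes the hex NTP reference timestamp into JST, and reports the conditions a practitioner would alarm on: unsynchronized or stratum 16, no association with the sys.peer flag, local stratum not equal to upstream + 1, root dispersion at or above 1000 ms, and requests leaving with no replies arriving. The unsynchronized samples are constructed to look like the router before its first reply, and the function names are this example's own.

```python
"""Health checks for a Cisco IOS NTP client, applied to captured 'show ntp ...' output.
Added example: the synchronized samples are the post's own captures, the
unsynchronized samples are constructed, and the 1000 ms root dispersion limit
is the IOS threshold from the Cisco troubleshooting note."""
import re
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
JST = timezone(timedelta(hours=9))
MAX_ROOT_DISP_MS = 1000.0

SHOW_NTP_STATUS = """\
Clock is synchronized, stratum 3, reference is 192.168.102.250
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**21
reference time is D9846A60.5CC1AF5D (00:50:56.362 JST Mon Aug 24 2015)
clock offset is 2.7862 msec, root delay is 11.36 msec
root dispersion is 34.80 msec, peer dispersion is 1.73 msec
system poll interval is 64, last update was 81 sec ago.
"""
SHOW_NTP_ASSOCIATIONS = """\
  address         ref clock       st   when   poll reach  delay  offset   disp
*~192.168.102.250 133.243.238.164  2      0     64     7  1.145   2.786  0.916
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
"""
SHOW_NTP_PACKETS = """\
Ntp In packets\t\t\t:  9
Ntp Out packets\t\t\t:  25
Ntp bad version packets\t\t:  0
Ntp protocol error packets\t:  0
"""
# Constructed samples: the same router before any reply has come back.
UNSYNCED_STATUS = "Clock is unsynchronized, stratum 16, no reference clock\n"
UNSYNCED_ASSOCIATIONS = """\
  address         ref clock       st   when   poll reach  delay  offset   disp
 ~192.168.102.250 .INIT.          16      -     64     0  0.000   0.000 16000.
"""
UNSYNCED_PACKETS = "Ntp In packets\t\t\t:  0\nNtp Out packets\t\t\t:  4\n"

def ntp_timestamp(hexts: str, tz=JST) -> datetime:
    """Decode a 64-bit NTP timestamp written as SECONDS.FRACTION in hex (1900 epoch)."""
    sec_hex, frac_hex = hexts.split(".")
    seconds = int(sec_hex, 16) + int(frac_hex, 16) / 2**32
    return (NTP_EPOCH + timedelta(seconds=seconds)).astimezone(tz)

def parse_status(text: str) -> dict:
    """Fields of 'show ntp status' the checks need; missing fields come back as None."""
    state = re.search(r"Clock is (\w+), stratum (\d+)", text)
    ref = re.search(r"reference is (\S+)", text)
    rdisp = re.search(r"root dispersion is ([\d.]+) msec", text)
    poll = re.search(r"system poll interval is (\d+)", text)
    reftime = re.search(r"reference time is ([0-9A-F]{8}\.[0-9A-F]{8})", text)
    return {"synchronized": state.group(1) == "synchronized", "stratum": int(state.group(2)),
            "reference": ref.group(1) if ref else None,
            "root_dispersion_ms": float(rdisp.group(1)) if rdisp else None,
            "poll_interval_s": int(poll.group(1)) if poll else None,
            "reference_time": ntp_timestamp(reftime.group(1)) if reftime else None}

ASSOC_RE = re.compile(
    r"^(?P<flag>[ *#+x-])(?P<cfg>~?)(?P<addr>\d+\.\d+\.\d+\.\d+)\s+(?P<ref>\S+)\s+(?P<st>\d+)\s+"
    r"(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)\s+(?P<delay>-?[\d.]+)\s+"
    r"(?P<offset>-?[\d.]+)\s+(?P<disp>[\d.]+)\s*$", re.M)

def parse_associations(text: str) -> list:
    """One dict per association line; the header and legend lines do not match."""
    return [{"address": m["addr"], "sys_peer": m["flag"] == "*", "configured": m["cfg"] == "~",
             "stratum": int(m["st"]), "poll_s": int(m["poll"]),
             "reach": int(m["reach"], 8),   # octal shift register of the last 8 polls, 377 = all answered
             "delay_ms": float(m["delay"]), "offset_ms": float(m["offset"]), "dispersion_ms": float(m["disp"])}
            for m in ASSOC_RE.finditer(text)]

def parse_packets(text: str) -> dict:
    """'show ntp packets' counters keyed by their label, e.g. 'In packets'."""
    return {m.group(1).strip(): int(m.group(2)) for m in re.finditer(r"^Ntp (.+?)\s*:\s*(\d+)", text, re.M)}

def check_client(status: dict, peers: list, packets: dict) -> list:
    """Return findings; an empty list means the client looks healthy."""
    problems = []
    if not status["synchronized"] or status["stratum"] >= 16:
        problems.append("clock unsynchronized (stratum %d)" % status["stratum"])
    rd = status["root_dispersion_ms"]
    if rd is not None and rd >= MAX_ROOT_DISP_MS:
        problems.append("root dispersion %.1f ms >= %.0f ms, IOS rejects the association" % (rd, MAX_ROOT_DISP_MS))
    sys_peer = next((p for p in peers if p["sys_peer"]), None)
    if sys_peer is None:
        problems.append("no association carries the sys.peer flag")
    else:
        if status["stratum"] != sys_peer["stratum"] + 1:
            problems.append("local stratum %d is not upstream stratum %d + 1" % (status["stratum"], sys_peer["stratum"]))
        if sys_peer["reach"] == 0:
            problems.append("sys.peer %s unreachable (reach 0)" % sys_peer["address"])
    if packets.get("Out packets", 0) > 0 and packets.get("In packets", 0) == 0:
        problems.append("requests leave but no replies arrive: suspect an upstream ACL or firewall")
    return problems

if __name__ == "__main__":
    for label, st, assoc, pk in (("synchronized", SHOW_NTP_STATUS, SHOW_NTP_ASSOCIATIONS, SHOW_NTP_PACKETS),
                                 ("unsynchronized", UNSYNCED_STATUS, UNSYNCED_ASSOCIATIONS, UNSYNCED_PACKETS)):
        print(label, "->", check_client(parse_status(st), parse_associations(assoc), parse_packets(pk)) or "OK")
```

Run against the post's captures it reports nothing; against the constructed pre-sync captures it reports the stratum-16 clock, the missing sys.peer and the one-way packet counters, which is exactly the triage order the sections above walk through. The timestamp decoder also confirms the hex reference time D9846A60.5CC1AF5D really is 00:50:56.362 JST on 24 Aug 2015, so the same helper can be used to sanity-check org/rec/xmt values from `show ntp associations detail`.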