NTP issue on vrf enabled 65k

Unanswered Question
May 19th, 2008


SwitchA is providing NTP source. SwitchB receives time OK from switchA.

switchC is vrf and can route to switchA timesrcIP but is unable to sync. swtC & swtB are the same physical cat.

ntp server vrf swtC <-swtA

ntp server <- global is good.

What's missing... IP is in place.



guruprasadr Mon, 05/19/2008 - 04:30

Hi Ajaz, [Pls Rate if HELPS]

The NTP Server IP @ Address should be in the VRF Mesh.

The IP Address is available in the Global Routing Table and you need a NTP Server leg in the VRF Mesh to get the Time Sync.

One best Option is: Create a Management VRF and use VRF Leak Technique (or) Have a separate NTP Server for the VRF Cloud.

Use of the Global NTP Server is not possible inside the VRF Cloud.

Hope I am Informative.


Best Regards,

Guru Prasad R

AJAZ NAWAZ Mon, 05/19/2008 - 04:42


Well, in due course swtC will src NTP from the internet. Are you suggesting this is not going to be possible, and so I will need to deploy an NTP appliance (or server) locally to reside within the vrf mesh?

I don't think route leaking is an option for me, although I would probably need to assess the risks carefully before considering.


guruprasadr Mon, 05/19/2008 - 04:51

Hi Ajaz, [Pls Rate if HELPS]

If you have Multiple VRF Instances, then creating a Management VRF and have the NTP Server leg available in the Mgmt VRF is the best Option.

VRF Leak will be only between the SwC VRF & Mgmt VRF Cloud. This will not involve any spoofing of Traffic.

In addition another option is, to have a third NIC Card available in the NTP Server and the leg to be added in the SwC VRF Cloud. The NTP SYNC will happen.

Hope I am Informative.

Pls Rate if HELPS

Best Regards,

Guru Prasad R

ariela Mon, 05/19/2008 - 04:46


If I understood well, is in GR, and you have to use that IP to sync devices in VRF swtC, is that right?

So, today the best workaround to permit a communication between GR and VRF is to use a loop-cable and a configuration like this (on the same physical cat):


interface GigabitEthernet1/30
 description VRF to GR loopcable
 mac-address 0013.7f01.1030
 ip vrf forwarding swtC
 ip address

interface GigabitEthernet1/31
 description GR to VRF loopcable
 mac-address 0013.7f01.1031
 ip address


and obviously a static route in VRF pointing the next-hop in the loopcable to reach

ip route vrf swtC

and for two-way communications please remember to put a specific ip route in GR too.

Remember to set a different 'not-present' mac-address per port.




AJAZ NAWAZ Mon, 05/19/2008 - 04:56

I already have full IP connectivity from swtC to swtA, and can ping the NTP IP.. everything.

This issue is specific to NTP at the moment.

Of course the other issue is that there aren't any specific ntp vrf show commands, but I'm not bothered about that at the moment.


ariela Mon, 05/19/2008 - 05:05

Please post the specific NTP configuration on the catalyst that has a VRF and a GR connection to the NTP server.



AJAZ NAWAZ Tue, 05/20/2008 - 23:44

I think it's better if you ask me questions, if you don't mind. I have IP connectivity in place between vrf and global. The ntp specific config has already been posted.

Our friend has suggested the NTP src must reside within the vrf itself. My question is: what happens if I decide to source NTP from the Internet?

Perhaps it's time now to try it out...


