NTP with domain name

Unanswered Question
Mar 10th, 2009


Is it possible to configure a 3560 in this way without knowing the IP address of the NTP server?

"ntp server ntp.srv.u"


Giuseppe Larosa Tue, 03/10/2009 - 02:18

Hello Xavier,

Yes, it should be possible; see this from one of my routers (a C6500 with an old Sup1A and 12.1E):

ntp server ?
  Hostname or A.B.C.D  IP address of peer
  vrf                  VPN Routing/Forwarding Information

The hostname is an accepted option.

You also need to provide a DNS server for the router to be able to resolve the hostname.

Hope to help


xpaquelet Tue, 03/10/2009 - 02:52

But my problem is more complex.

There are two different networks separated by a firewall. The network where the NTP server is located is external, as is the DNS server, and I do not have the possibility of knowing their IP addresses. The network that I am configuring (internal) must go and get the time from this address, "ntp.srv.u". The question is: is that feasible?

Giuseppe Larosa Tue, 03/10/2009 - 03:09

Hello Xavier,

Your router needs to consult a DNS server, which can be internal.

The firewall has to be configured to allow DNS requests from inside to outside, and the answers.

Then the real problem is that the FW also doesn't know the IP address of the NTP server.

So either you open all UDP port 123 with the router as source and any as destination, or you need something similar to CBAC:

The firewall can allow the answer after having seen the first UDP packet from the router to the NTP server (once the NTP IP address is resolved).

Both requirements on UDP traffic (DNS and NTP) can be met by using a firewall.

A firewall permits the return traffic of flows that are started from the more trusted interface to the less trusted one (inside to outside).

This is the default behaviour with PIX and ASA.

However, if there is an ACL applied inbound to the inside interface, you may need to add lines for DNS and NTP flows to permit them.

So, to put it shortly, yes, this is feasible.

Hope to help
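
The setup described in the reply above, written out as a configuration sketch. This is an added example, not part of the original posts: the addresses 192.0.2.53 (internal DNS resolver) and 192.0.2.10 (the 3560) and the ACL name INSIDE_IN are placeholders, and it assumes the internal resolver forwards queries through the firewall.

```cisco
! --- Internal switch (the 3560 in the question) ---
! 192.0.2.53 is a placeholder for the internal DNS resolver (assumption).
ip domain-lookup
ip name-server 192.0.2.53
ntp server ntp.srv.u
!
! Checks to run on the switch after configuring:
!   show hosts              (did ntp.srv.u resolve?)
!   show ntp associations   (is the peer reachable and selected?)
!   show ntp status         (is the clock synchronized?)
!
! --- PIX/ASA: needed only if an ACL is applied inbound on "inside" ---
! Without such an ACL, inside-to-outside flows and their replies are
! already permitted by default, as the reply explains.
! INSIDE_IN and both host addresses are placeholders (assumptions).
! DNS is permitted from the resolver only; NTP from the switch only.
! The destination stays "any" because the server address is not known.
access-list INSIDE_IN extended permit udp host 192.0.2.53 any eq domain
access-list INSIDE_IN extended permit tcp host 192.0.2.53 any eq domain
access-list INSIDE_IN extended permit udp host 192.0.2.10 any eq ntp
access-group INSIDE_IN in interface inside
```

Some IOS releases resolve the name once, when the command is entered, and store the resulting IP address in the configuration, so check `show running-config | include ntp` afterwards to see which form was saved.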


xpaquelet Tue, 03/10/2009 - 03:23

Thanks, Giuseppe.

If I have another question, I will be back.


