NTP issue on vrf enabled 65k

AJAZ NAWAZ
Level 5

switchA-----switchB-----switchC

SwitchA is providing the NTP source. SwitchB receives time OK from switchA.

switchC is a VRF and can route to switchA's time source IP but is unable to sync. swtC & swtB are the same physical cat.

ntp server vrf swtC 172.18.1.1 <-swtA

ntp server 172.18.1.1 <- global is good.

what's missing... IP is in place.

tia

Ajaz


guruprasadr
Level 7

HI Ajaz, [Pls Rate if HELPS]

The NTP Server IP @ Address 172.18.1.1 should be in the VRF Mesh.

The IP Address 172.18.1.1 is available in the Global Routing Table and you need an NTP Server leg in the VRF Mesh to get the Time Sync.

One best Option is: Create a Management VRF and use a VRF Leak Technique (or) Have a separate NTP Server for the VRF Cloud.

Using the Global NTP Server is not possible inside the VRF Cloud.

Hope I am Informative.

Pls RATE if HELPS

Best Regards,

Guru Prasad R

hmm...

Well in due course swtC will src NTP from internet. Are you suggesting this is not going to be possible, and so will need to deploy ntp appliance (or server), locally to reside within the vrf mesh?

I don't think route leaking is an option for me, although I would probably need to assess the risks carefully before considering it.

Ajaz

HI Ajaz, [Pls Rate if HELPS]

If you have Multiple VRF Instances, then creating a Management VRF and have the NTP Server leg available in the Mgmt VRF is the best Option.

VRF Leak will be only between the SwC VRF & Mgmt VRF Cloud. This will not involve any spoofing of Traffic.

In addition another option is, to have a third NIC Card available in the NTP Server and the leg to be added in the SwC VRF Cloud. The NTP SYNC will happen.

Hope I am Informative.

Pls Rate if HELPS

Best Regards,

Guru Prasad R

ariela
Level 4

Hi,

If I understood correctly, 172.18.1.1 is in GR, and you have to use that IP to sync devices in VRF swtC, is that right?

So, today the best workaround to permit a communication between GR and VRF is to use a loop-cable and a configuration like this (on the same physical cat):

!
interface GigabitEthernet1/30
 description VRF to GR loopcable
 mac-address 0013.7f01.1030
 ip vrf forwarding swtC
 ip address 10.1.5.1 255.255.255.252
!
interface GigabitEthernet1/31
 description GR to VRF loopcable
 mac-address 0013.7f01.1031
 ip address 10.1.5.2 255.255.255.252
!

and obviously a static route in VRF pointing the next-hop in the loopcable to reach 172.18.1.1:

ip route vrf swtC 172.18.1.1 255.255.255.255 10.1.5.2

and for two-way communications please remember to put a specific ip route in GR too.

Remember to set a different 'not-present' mac-address per port.

HTH

Regards

Andrea
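
Added example, not part of any poster's reply: a small Python check that reads IOS-style configuration text and reports `ntp server` statements whose server address has no connected or static route in the table (VRF or global) that the statement uses. It assumes syntactically complete lines and IP-literal servers; the Vlan10/Vlan20 interfaces and their addresses in the sample are constructed, while the loop-cable lines are the ones posted above.

```python
import ipaddress

def parse_ios(config):
    """Return (routes, ntp): networks per VRF (None = global), and (vrf, ip) NTP pairs."""
    routes, ntp, vrf = {}, [], None
    for raw in config.splitlines():
        w = raw.split()
        if not w:
            continue
        if w[0] in ("!", "interface"):
            vrf = None  # new block: an interface starts in the global table
        elif w[:3] == ["ip", "vrf", "forwarding"] and len(w) == 4:
            vrf = w[3]
        elif w[:2] == ["ip", "address"] and len(w) >= 4:
            net = ipaddress.ip_interface(f"{w[2]}/{w[3]}").network
            routes.setdefault(vrf, []).append(net)  # connected route
        elif w[:2] == ["ip", "route"] and len(w) >= 5:
            name, rest = (w[3], w[4:]) if w[2] == "vrf" else (None, w[2:])
            net = ipaddress.ip_network(f"{rest[0]}/{rest[1]}", strict=False)
            routes.setdefault(name, []).append(net)  # static route
        elif w[:2] == ["ntp", "server"] and len(w) >= 3:
            name, addr = (w[3], w[4]) if w[2] == "vrf" else (None, w[2])
            ntp.append((name, ipaddress.ip_address(addr)))
    return routes, ntp

def unreachable_ntp(config):
    """(vrf, server) pairs with no route to the server in the table they use."""
    routes, ntp = parse_ios(config)
    return [(vrf, str(ip)) for vrf, ip in ntp
            if not any(ip in net for net in routes.get(vrf, []))]

# Constructed sample: Vlan10/Vlan20 and their addressing are invented.
BEFORE = """interface Vlan10
 ip address 172.18.1.2 255.255.255.0
interface Vlan20
 ip vrf forwarding swtC
 ip address 10.20.0.1 255.255.255.0
ntp server 172.18.1.1
ntp server vrf swtC 172.18.1.1
"""
# Loop-cable interfaces and VRF static route as posted in the reply above.
AFTER = BEFORE + """interface GigabitEthernet1/30
 ip vrf forwarding swtC
 ip address 10.1.5.1 255.255.255.252
interface GigabitEthernet1/31
 ip address 10.1.5.2 255.255.255.252
ip route vrf swtC 172.18.1.1 255.255.255.255 10.1.5.2
"""
```

`unreachable_ntp(BEFORE)` flags the `swtC` statement and `unreachable_ntp(AFTER)` returns an empty list. An empty result only rules out a missing route in the relevant table; it says nothing about NTP itself.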

I already have full IP connectivity from swtC to swtA, and can ping the NTP IP... everything.

This issue is specific to NTP at the moment.

Of course the other issue is that there aren't any specific NTP VRF show commands, but I'm not bothered about that at the moment.

Ajaz

Please post the specific NTP configuration on the Catalyst that has a VRF and a GR connection to the NTP server.

Thanks

Andrea

I think it's better if you ask me a question, if you don't mind. I have IP connectivity in place between VRF and global. The NTP-specific config has already been posted.

Our friend has suggested the NTP src must reside within the VRF itself. My question is: what happens if I decide to source NTP from the Internet?

Perhaps it's time now to try it out...

Ajaz
