...

You can configure a NIOS appliance to function as an NTP client that synchronizes its clock with an NTP server. For more information, see the NIOS Appliances as NTP Clients section. NTP clients typically use time information from at least three different sources to ensure reliability and a high degree of accuracy. There are a number of public NTP servers on the Internet with which the NIOS appliance can synchronize its clock. For a list of these servers, you can access http://www.ntp.org. When NTP is configured, it listens on all interfaces, including the loopback interface on the NIOS appliance.

In a Grid, the Grid Master and Grid members can function as NTP clients that synchronize their clocks with external NTP servers. They can in turn function as NTP servers to other appliances in the network. For more information, see the NIOS Appliances as NTP Servers section. Note that when the Grid Master functions as an NTP server, it synchronizes its local clock with its NTP clients and does not synchronize time with any other external NTP server. This allows you to deploy multiple NTP servers to ensure accurate and reliable time across the network. To configure the Grid Master and Grid members as NTP clients, you must first enable the NTP service and configure external NTP servers at the Grid level. You can then configure the Grid Master and Grid members to override the Grid-level NTP servers and use their own external NTP servers. Note that a Grid member will not function as an NTP client if you do not enable the NTP service at the Grid level. A Grid member synchronizes its clock with the Grid Master if you do not configure it to use external NTP servers. If the Grid Master goes offline (because of a shutdown or a disconnecting network, and so on), the Grid Master Candidate and Grid members synchronize with the external NTP servers.

...

Infoblox Appliances as NTP Servers


...

...


Authenticating NTP

To prevent intruders from interfering with the time services on your network, you can authenticate communications between a NIOS appliance and a public NTP server, and between a NIOS appliance and external NTP clients. NTP communications within the Grid go through an encrypted VPN tunnel, so you do not have to enable authentication between members in a Grid.

...

| Scenario | Behavior |
|---|---|
| No authentication on both the NTP client and server | The NTP client will synchronize with the server |
| Authentication on the NTP server, no authentication on the NTP client | The NTP client will synchronize with the server |
| Authentication on both the NTP server and client | The NTP client will synchronize with the server |
| No authentication on the NTP server, authentication on the client | The NTP client will be out-of-synchronization with the server |
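
The four scenarios above follow from how NTP symmetric-key authentication works on the wire. The following added example (not Infoblox code) models it in Python, assuming the RFC 5905 construction of a 4-byte key ID followed by a digest of the shared secret and the 48-byte header, with MD5 as the digest; the function names, key number and secrets are constructed for illustration. It also covers a fifth case beyond the table: a client whose key file holds the right key number but a different secret.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48  # NTP header without extension fields

def make_mac(key_id, secret, header, algo="md5"):
    """4-byte key ID followed by digest(secret || header), per RFC 5905."""
    return struct.pack("!I", key_id) + hashlib.new(algo, secret + header).digest()

def verify(packet, keys):
    """True only if the packet carries a MAC made with a key in `keys`."""
    header, trailer = packet[:HEADER_LEN], packet[HEADER_LEN:]
    if len(trailer) <= 4:  # no MAC at all, or a 4-byte crypto-NAK
        return False
    key_id = struct.unpack("!I", trailer[:4])[0]
    secret = keys.get(key_id)
    if secret is None:
        return False
    return hmac.compare_digest(trailer, make_mac(key_id, secret, header))

def server_reply(request, server_keys):
    """Plain requests get plain replies; signed requests get signed replies."""
    header = bytes([0x24]) + bytes(HEADER_LEN - 1)  # constructed: VN=4, mode=4 (server)
    if len(request) == HEADER_LEN:
        return header
    if verify(request, server_keys):
        key_id = struct.unpack("!I", request[HEADER_LEN:HEADER_LEN + 4])[0]
        return header + make_mac(key_id, server_keys[key_id], header)
    return header + struct.pack("!I", 0)  # crypto-NAK: key ID 0, no digest

def client_syncs(client_key, server_keys):
    """client_key is (key_id, secret), or None when client authentication is off."""
    header = bytes([0x23]) + bytes(HEADER_LEN - 1)  # constructed: VN=4, mode=3 (client)
    request = header + (make_mac(*client_key, header) if client_key else b"")
    reply = server_reply(request, server_keys)
    if client_key is None:
        return len(reply) == HEADER_LEN  # an unauthenticated client accepts a plain reply
    return verify(reply, dict([client_key]))

KEY = (1, b"constructed-secret")  # constructed key number and secret

def scenario_results():
    server_keys = dict([KEY])
    return {
        "no auth on client or server": client_syncs(None, {}),
        "auth on server only": client_syncs(None, server_keys),
        "auth on both": client_syncs(KEY, server_keys),
        "auth on client only": client_syncs(KEY, {}),
        "same key number, different secret": client_syncs((1, b"wrong"), server_keys),
    }

if __name__ == "__main__":
    for name, ok in scenario_results().items():
        print(f"{name}: {'synchronizes' if ok else 'out of synchronization'}")
```
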


NTP Client Administrator Obtaining Secret Key from NTP Server Administrator


...


NIOS Appliances as NTP Clients

...

Note: A Grid member cannot act as an NTP server to the Grid Master.


Grid Master as NTP Client


...


Configuring the Grid to Use NTP

...

  • If you want to enable authentication between the Grid members and NTP servers, you must specify the authentication keys before enabling the NTP service. You can specify authentication keys at the Grid and member levels. For information, see the Adding NTP Authentication Keys section.
  • Enable the NTP service on the Grid and specify one or more external NTP servers. For information, see the Synchronizing the Grid with External NTP Servers section.

Adding NTP Authentication Keys

...

  1. From the Grid tab, select the Grid Manager tab, expand the Toolbar and click NTP -> NTP Grid Config.
  2. In the General tab of the Grid NTP Properties editor, select Synchronize the Grid with these External NTP Servers.
  3. Click the Add icon to add external NTP servers and enter the following information in the Add NTP Server dialog box:
    • NTP Server (FQDN or IP Address): Enter either the IP address or the resolvable host name of an NTP server. Entries may be an IPv4 or IPv6 address. You can view a list of public NTP servers at ntp.isc.org. To check whether the DNS server can resolve the NTP server host name, click Resolve Name. You must have a DNS name resolver configured. For information, see Enabling DNS Resolution.
    • Enable Authentication: Select this option to enable authentication of NTP communications between the external NTP server and the NIOS appliance (the Grid Master or Grid member in a Grid, an independent NIOS appliance, or the active node in an independent HA pair).

      Note: To prevent intruders from interfering with the time services on your network, you can authenticate communications between a Grid member and an external NTP server, as well as between a Grid member and external NTP clients. NTP communications within the Grid go through an encrypted VPN tunnel, so you do not have to enable authentication between the Grid Master and Grid members.

    • Authentication Key: Select a key that you previously entered from the drop-down list.

    • Click Add to add the NTP server to the list or Cancel to cancel the operation. In the table, you can configure some of the following settings:
      • Preferred: Select this to mark an external NTP server as the preferred NTP server. You can select only one server as the preferred NTP server. NIOS uses the responses from this preferred server over responses from other external NTP servers. A response from a preferred server will be discarded if it differs significantly from the responses of other servers. Infoblox recommends that you select an NTP server that is known to be highly accurate as the preferred server, such as one that has special time monitoring hardware. Note that this option is enabled only when you have selected the checkbox Synchronize the Grid with these External NTP Servers.
      • Server: Displays the FQDN or IP address of the NTP server that you added.
      • Authentication: When you enable authentication, this column displays Yes. Otherwise, it displays No.
      • Key Number: Displays the authentication key that you have selected.
      • BURST: Select this checkbox to configure the NTP client to send a burst of eight packets if the external NTP server is reachable and a valid source of synchronization is available. The NTP client transmits each packet at a regular interval of two seconds. After you add an NTP server and save the configuration, the appliance will enable this option by default. When you deselect this checkbox, the client sends a single packet only once to the server.
      • IBURST: Select this checkbox to configure the NTP client to send a burst of eight packets if the external NTP server is not reachable when the client sends the first packet to the server. The NTP client transmits each packet at a regular interval of two seconds. After you add an NTP server and save the configuration, the appliance will enable this option by default. When you deselect this checkbox, the client sends a single packet only once to the server.
        For information about adding NTP authentication keys, see the Adding NTP Authentication Keys section.
  4. Save the configuration and click Restart if it appears at the top of the screen.

...

  1. From the Grid tab, select the Grid Manager tab -> Members tab -> Grid_member checkbox.
  2. Expand the Toolbar and click NTP -> NTP Member Config.
  3. In the General tab of the Member NTP Properties editor, do the following:
    • Enable the NTP Server on this Member: Select this checkbox to configure a Grid Master or a Grid member as an NTP server. If you have configured DNS anycast on the appliance, it can answer NTP requests through the anycast IP address.
    • Synchronize this Member only with the Grid Master: Select this checkbox to enable this Grid member to synchronize its time with the Grid Master. This is the default.
    • Synchronize this Member with other NTP Servers: Select this checkbox to enable this Grid member to use external NTP servers. When you select this checkbox, you must enter at least one external NTP server for the member.
    • Exclude the Grid Master as an NTP Server: Select this checkbox if you want to exclude the Grid Master from being one of the time sources. By default, the appliance automatically configures the Grid Master as the backup NTP server for a Grid member. When the member cannot reach any of its configured NTP servers, it uses the Grid Master as the NTP server. The appliance does not display the Grid Master in the NTP external server list. For a Grid Master, this checkbox has no meaning.
    • External NTP Servers: Click Override and then click the Add icon. In the Add NTP Server dialog box, enter the following information:
    • NTP Server (FQDN or IP Address): Enter either the IP address or the resolvable host name of an NTP server. You can view a list of public NTP servers at ntp.isc.org. To check whether the DNS server can resolve the NTP server host name, click Resolve Name. You must have a DNS name resolver configured.
    • Enable Authentication: Select this checkbox to enable authentication of NTP communications between the external NTP server and the NIOS appliance (the Grid Master or Grid member in a Grid, an independent NIOS appliance, or the active node in an independent HA pair).

      Note: To prevent intruders from interfering with the time services on your network, you can authenticate communications between a Grid member and an external NTP server, as well as between a Grid member and external NTP clients. NTP communications within the Grid go through an encrypted VPN tunnel, so you do not have to enable authentication between the Grid Master and Grid members.

    • Authentication Key: Select a key that you previously entered from the drop-down list. Note that you must enter authentication keys at the Grid level when you configure a Grid Master or Grid member to use external NTP servers.

    • Click Add to add the NTP server to the list or Cancel to cancel the operation. In the table, click Override to override configurable settings. To inherit the same properties as the Grid, click Inherit.
      • Preferred: Select this to mark an external NTP server as the preferred NTP server. You can select only one server as the preferred NTP server. NIOS uses the responses from this preferred server over responses from other external NTP servers. A response from a preferred server will be discarded if it differs significantly from the responses of other servers. Infoblox recommends that you select an NTP server that is known to be highly accurate as the preferred server, such as one that has special time monitoring hardware. Note that this option is enabled only when you have selected the checkbox Synchronize this Member with other NTP Servers.
      • Server: Displays the FQDN or IP address of the NTP server that you added.
      • Authentication: When you enable authentication, this column displays Yes. Otherwise, it displays No.
      • Key Number: Displays the authentication key that you have selected.
      • BURST: Select this checkbox to configure the NTP client to send a burst of eight packets if the external NTP server is reachable and a valid source of synchronization is available. The NTP client transmits each packet at a regular interval of two seconds. After you add an NTP server and save the configuration, the appliance will enable this option by default. When you deselect this checkbox, the client sends a single packet only once to the server.
      • IBURST: Select this checkbox to configure the NTP client to send a burst of eight packets if the external NTP server is not reachable when the client sends the first packet to the server. The NTP client transmits each packet at a regular interval of two seconds. After you add an NTP server and save the configuration, the appliance will enable this option by default. When you deselect this checkbox, the client sends a single packet only once to the server.

        Note: NTP members inherit NTP properties from the Grid. Click Override in the Member NTP Properties wizard to override configurable settings. To inherit the same properties as the Grid, click Inherit.
        For information about adding NTP authentication keys, see the Adding NTP Authentication Keys section.

  4. Save the configuration and click Restart if it appears at the top of the screen.

...

After you enable NTP on a Grid, the Grid members—including the Grid Master—can function as NTP servers to clients in different segments of the network. Similarly, after you enable NTP on an independent appliance or an HA pair, and it synchronizes its time with an NTP server, you can configure it to function as an NTP server as well. When you configure DNS anycast addressing on a Grid member and use it as an NTP server, the member can answer NTP requests from other NTP clients through the anycast IP address.

Grid Members as NTP Servers


...

...



To configure a NIOS appliance as an NTP server, perform the following tasks:

  • Enable the appliance as an NTP server.
  • Enable authentication between the appliance and its NTP clients.
  • Optionally, specify which clients can access the NTP service of the appliance.
  • Optionally, specify which clients can use ntpq to query the appliance.


...

...

Configuring a NIOS Appliance as an NTP Server

You can configure a Grid member—including the Grid Master—or an independent appliance or HA pair to function as an NTP server. When you enable a NIOS appliance to function as an NTP server, you can enable authentication between a NIOS appliance functioning as an NTP server and its NTP clients. When you enable authentication, you must specify the keys that the appliance and its clients must use for authentication. In a Grid, you can enter NTP authentication keys at the Grid level so that all the members can use them to authenticate their clients. You can also enter keys at the member level, if you want that member to use different keys from those set at the Grid level. After you enter the keys, you can download the key file and distribute the file to the NTP clients.

On an HA member, the NTP service runs on the active node. If there is an HA failover, the NTP service is automatically launched after the passive node becomes active and the NTP traffic uses the HA port on one of the nodes from an HA pair, instead of the LAN1 port. You might receive an error message indicating that the NTP is out of synchronization. During another HA failover, the currently passive node becomes active again and the NTP traffic uses the LAN1 port, and the NTP is back in synchronization. For information, see About HA Pairs.

To enable an appliance as an NTP server and authenticate NTP traffic between a NIOS appliance and an NTP client, perform the following tasks:

  • Enable an appliance as an NTP server and define authentication keys. For information, see the Enabling an Appliance as an NTP Server section.
  • Optionally, define NTP access control, including KoD packet configuration. For information, see the Defining NTP Access Control section.
  • Optionally, configure anycast addressing for DNS and use the anycast IP address for NTP requests. For information about how to configure DNS anycast, see Configuring Anycast Addresses.

Enabling an Appliance as an NTP Server

...

  1. From the Grid tab, select the Grid Manager tab -> Members tab -> Grid_member checkbox.
  2. Expand the Toolbar and click NTP -> NTP Member Config.
  3. In the General tab of the Member NTP Properties editor, do the following:
    • Enable the NTP Server on this Member: Select this option to configure a Grid Master or a Grid member as an NTP server. If you have configured DNS anycast on the appliance, it can answer NTP requests through the anycast IP address.
    • Click Override in the NTP Keys section to enter NTP authentication keys at the member level. The member uses these keys when acting as an NTP server and authenticates requests from NTP clients. Clear the checkbox to use the Grid-level authentication keys.
  4. Click Add in the NTP Keys section. For information, see the Adding NTP Authentication Keys section.
  5. Save the configuration and click Restart if it appears at the top of the screen.

...

Defining NTP Orphan Mode

...

The following are descriptions of the NTP status icons in the Members Services panel. The type of information that can appear in the Description column corresponds to the SNMP trap messages. For information about the Infoblox SNMP traps, see Configuring SNMP.

| Icon | Color | Meaning |
|---|---|---|
| (image) | Green | The NTP service is enabled and running properly. |
| (image) | Yellow | The NTP service is enabled, and the appliance is synchronizing its time. |
| (image) | Red | The NTP service is enabled, but it is not running properly or is out of synchronization. |
| (image) | Gray | The NTP service is disabled. |

...