Document toolboxDocument toolbox

Using NTP for Time Settings

Owned by Panna .
Last updated: Dec 12, 2017
25 min read

Note: vNIOS Grid members on Riverbed can be NTP clients only.

NTP (Network Time Protocol) is a standard protocol that system clocks use to ensure their time is always accurate. Appliances that use NTP try to get their time as close as possible to UTC (Coordinated Universal Time), the standard timescale used worldwide. NTP uses UDP (User Datagram Protocol) on port 123 for communications between clients and servers.
NTP is based on a hierarchy where reference clocks are at the top. Reference clocks use different methods such as special receivers or satellite systems to synchronize their time to UTC. NTP servers on the first level of the hierarchy synchronize their time with the reference clocks, and serve time to clients as well. Each level in the hierarchy is a stratum; stratum-0 is a reference clock. Stratum-1 servers synchronize their clocks with reference clocks. Stratum-2 servers synchronize their clocks with stratum-1 servers, and so forth. The stratum number indicates the number of levels between the NTP server and the reference clock. A higher stratum number could indicate more variance between the NTP server and the reference clock.
You can configure a NIOS appliance to function as an NTP client that synchronizes its clock with an NTP server. For more information, see NIOS Appliances as NTP Clients. NTP clients typically use time information from at least three different sources to ensure reliability and a high degree of accuracy. There are a number of public NTP servers on the Internet with which the NIOS appliance can synchronize its clock. For a list of these servers, you can access http://www.ntp.org . When NTP is configured, it listens on all interfaces, including the loopback interface on the NIOS appliance.
In a Grid, the Grid Master and Grid members can function as NTP clients that synchronize their clocks with external NTP servers. They can in turn function as NTP servers to other appliances in the network. For more information, see NIOS Appliances as NTP Servers. Note that when the Grid Master functions as an NTP server, it synchronizes its local clock with its NTP clients and does not synchronize time with any other external NTP server. This allows you to deploy multiple NTP servers to ensure accurate and reliable time across the network. To configure the Grid Master and Grid members as NTP clients, you must first enable the NTP service and configure external NTP servers at the Grid level. You can then configure the Grid Master and Grid members to override the Grid-level NTP servers and use their own external NTP servers. Note that a Grid member will not function as an NTP client if you do not enable the NTP service at the Grid level. A Grid member synchronizes its clock with the Grid Master if you do not configure it to use external NTP servers.
In case of leap second insertion, the Infoblox Grid handles the leap second over a period of time instead of performing a one-time adjustment. In other words, when using the Grid as the NTP server, it follows the standard NTP recovery process by slewing over a certain period of time when handling the leap second. The slewing process could therefore cause synchronization issues among NTP clients. The out-of-sync state is usually resolved when all NTP clients catch up with the server.
Figure 8.1 illustrates how NIOS appliances (the Grid Master and Grid members) in a Grid function as the NTP server or the NTP client, depending on your NTP configuration.

Note: The NTP service supports both IPv4 and IPv6 networks.


Figure 8.1 Infoblox Appliances as NTP Servers

Authenticating NTP
To prevent intruders from interfering with the time services on your network, you can authenticate communications between a NIOS appliance and a public NTP server, and between a NIOS appliance and external NTP clients. NTP communications within the Grid go through an encrypted VPN tunnel, so you do not have to enable authentication between members in a Grid.
NTP uses symmetric key cryptography, where the server and the client use the same algorithm and key to calculate and verify a MAC (message authentication code). The MAC is a digital thumbprint of the message that the receiver uses to verify the authenticity of a message.
As shown in Figure 8.2, the NTP client administrator must first obtain the secret key information from the administrator of the NTP server. The server and the client must have the same key ID and data. Therefore, when you configure the NIOS appliance as an NTP client and want to use authentication, you must obtain the key information from the administrator of the external NTP server and enter the information on the NIOS appliance. When you configure a NIOS appliance as an NTP server, you must create a key and send the key information to clients in a secure manner. A key consists of the following:

  • Key Number: A positive integer that identifies the key.
  • Key Type: Specifies the key format and the algorithm used to calculate the MAC (message authentication code) of a message.
    • M: The key is a 1-31 character ASCII string using MD5 (Message Digest).
    • S: The key is a 64-bit hexadecimal number in DES (Data Encryption Standard) format. The high order 7 bits of each octet form the 56-bit key, and the low order bit of each octet is given a value so that the octet maintains odd parity. You must specify leading zeros so the key is exactly 16 hexadecimal digits long and maintains odd parity.
    • A: The key is a DES key written as a 1-8 character ASCII string.
    • N: The key is a 64-bit hexadecimal number in NTP format. It is the same as the S format, but the bits in each octet have been rotated one bit right so the parity bit is in the high order bit of the octet. You must specify leading zeros and odd parity must be maintained.
  • Key String: The key data used to calculate the MAC. The format depends on the Key Type you select.

When the NTP client initiates a request for time services to the NTP server, it creates the MAC by using the agreed upon algorithm to compress the message and then encrypts the compressed message (which is also called a message digest) with the secret key. The client appends the MAC to the message it sends to the NTP server. When the NTP server receives the message from the client, it performs the same procedure on the message — it compresses the message it received, encrypts it with the secret key and generates the MAC. It then compares the MAC it created with the MAC it received. If they match, the server continues to process and respond to the message. If the MACs do not match, the receiver drops the message.

Figure 8.2 NTP Client Administrator Obtaining Secret Key from NTP Server Administrator

NIOS Appliances as NTP Clients

You can configure an independent NIOS appliance, a Grid Master, or any Grid member in a Grid as an NTP client that synchronizes its system clock with an external NTP server.

Note: You can configure NIOS appliance as NTP client in either IPv4, IPv6, or dual mode (IPv4 and IPv6) network environment.

When you enable a NIOS appliance to function as an NTP client, you must specify at least one NTP server with which the appliance can synchronize its clock. Infoblox recommends that you specify multiple NTP servers that synchronize their time with different reference clocks and that have different network paths. This increases stability and reduces risk in case a server fails. For a list of public NTP servers, you can access www.ntp.org.
When you specify multiple NTP servers, the NTP daemon on the appliance determines the best source of time by calculating round-trip time, network delay, and other factors that affect the accuracy of the time. NTP periodically polls the servers and adjusts the time on the appliance until it matches the best source of time. If the difference between the appliance and the server is less than five minutes, the appliance adjusts the time gradually until the clock time matches the NTP server. If the difference in time is more than five minutes, the appliance immediately synchronizes its time to match that of the NTP server.
To secure communications between a NIOS appliance and an NTP server, you can authenticate communications between the appliance and the NTP server. When you configure authentication, you must obtain the key information from the administrator of the NTP server and enter the key on the appliance. For information, see Authenticating NTP.
In a Grid, you can configure the Grid Master and Grid members to synchronize their clocks with external NTP servers. When you enable the NTP service on the Grid, the Grid Master automatically functions as an NTP server to the Grid members. A Grid member can synchronize its time with the Grid Master, an external NTP server, or another Grid member. When Grid members synchronize their times with the Grid Master, the Grid Master and its members send NTP messages through an encrypted VPN tunnel, as shown in Figure 8.3. When a Grid member synchronizes its time with another Grid member, the NTP messages are not sent through a VPN tunnel.

Figure 8.3 Grid Master as NTP Client

Configuring the Grid to Use NTP

In a Grid, the Grid Master and Grid members can synchronize their clocks with external NTP servers. They then forward the clock time to other appliances in the network. Likewise, in an independent HA pair, the active node communicates directly with an external NTP server. The passive node then synchronizes its clock with the active node.
In a Grid, you must first enable the NTP service and configure external NTP servers at the Grid level before you configure the Grid Master and Grid members as NTP clients.
To configure a Grid Master as an NTP client, perform the following tasks:

  • If you want to enable authentication between the Grid members and NTP servers, you must specify the authentication keys before enabling the NTP service. You can specify authentication keys at the Grid and member levels. For information, see Adding NTP Authentication Keys.
  • Enable the NTP service on the Grid and specify one or more external NTP servers. For information, see Synchronizing the Grid with External NTP Servers.


Adding NTP Authentication Keys
To enable authentication between the appliance and the NTP servers, add the authentication keys before enabling the NTP service on the Grid. You can specify authentication keys at the Grid and member levels.
To add NTP authentication keys:

  1. Grid: From the Grid tab, select the Grid Manager tab, expand the Toolbar and click NTP -> NTP Grid Config.
    Member: From the Grid tab, select the Grid Manager tab -> Members tab -> Grid_member check box. Expand the Toolbar and click NTP -> NTP Member Config.
    To override an inherited property, click Override next to it and complete the appropriate fields.
  2. Click the Add icon in the NTP Keys section and enter the following information.
    • Key Number: A positive integer that identifies a key.
    • Type: Specifies the key format and the algorithm used to calculate the MAC (message authentication code) of a message.
      • MD5 in ASCII format (M): The key is a 1-31 character ASCII string using MD5 (Message Digest).
      • DES in hex format (S): The key is a 64-bit hexadecimal number in DES (Data Encryption Standard) format. The high order 7 bits of each octet form the 56-bit key, and the low order bit of each octet is given a value so that the octet maintains odd parity. You must specify leading zeros so the key is exactly 16 hexadecimal digits long and maintains odd parity.
      • DES in ASCII format (A): The key is a DES key written as a 1-8 character ASCII string.
      • DES in NTP format (N): The key is a 64-bit hexadecimal number in NTP format. It is the same as the S format, but the bits in each octet have been rotated one bit right so the parity bit is in the high order bit of the octet. You must specify leading zeros and odd parity must be maintained.
    • String: The key data used to calculate the MAC. The format depends on the Key Type you select.
  3. Click Save to save the entry and keep the editor open so you can enable the Grid to synchronize its time with external NTP servers, as described in bookmark840.

Note that if you enter a new key, the appliance checks if the key already exists in the key list. If the key exists, but either the key type or key string does not match, the NIOS appliance sends an error message.
After you enter an authentication key, you can modify or delete it. Note that you cannot delete a key that an NTP server references. You must first delete all NTP servers that reference that key and then delete the key.

Synchronizing the Grid with External NTP Servers

To enable the Grid to synchronize its time with external NTP servers:

  1. From the Grid tab, select the Grid Manager tab, expand the Toolbar and click NTP -> NTP Grid Config.
  2. In the General tab of the Grid NTP Properties editor, select Synchronize the Grid with these External NTP Servers.
  3. Click the Add icon to add external NTP servers and enter the following information in the Add NTP Server dialog box:
    • NTP Server (FQDN or IP Address): Enter either the IP address or the resolvable host name of an NTP server. Entries may be an IPv4 or IPv6 address. You can view a list of public NTP servers at ntp.isc.org. To check whether the DNS server can resolve the NTP server host name, click Resolve Name. You must have a DNS name resolver configured. For information, see Enabling DNS Resolution.
    • Enable Authentication: Select this option to enable authentication of NTP communications between the external NTP server and the NIOS appliance (the Grid Master or Grid member in a Grid, an independent NIOS appliance, or the active node in an independent HA pair).
      Note: To prevent intruders from interfering with the time services on your network, you can authenticate communications between a Grid member and an external NTP server, as well as between a Grid member and external NTP clients. NTP communications within the Grid go through an encrypted VPN tunnel, so you do not have to enable authentication between the Grid Master and Grid members.
      Authentication Key: Select a key that you previously entered from the drop-down list.
    • Click Add to add the NTP server to the list or Cancel to cancel the operation. In the table, you can configure some of the following settings:
      • Preferred: Select this to mark an external NTP server as the preferred NTP server. You can select only one server as the preferred NTP server. NIOS uses the responses from this preferred server over responses from other external NTP servers. A response from a preferred server will be discarded if it differs significantly from the responses of other servers. Infoblox recommends that you select an NTP server that is known to be highly accurate as the preferred server, such as one that has special time monitoring hardware. Note that this option is enabled only when you have selected the check box Synchronize the Grid with these External NTP Servers.
      • Server: Displays the FQDN or IP address of the NTP server that you added.
      • Authentication: When you enable authentication, this column displays Yes. Otherwise, it displays No.
      • Key Number: Displays the authentication key that you have selected.
      • BURST: Select this check box to configure the NTP client to send a burst of eight packets if the external NTP server is reachable and a valid source of synchronization is available. The NTP client transmits each packet at a regular interval of two seconds. After you add an NTP server and save the configuration, the appliance will enable this option by default. When you deselect this check box, the client sends a single packet only once to the server.
      • IBURST: Select this check box to configure the NTP client to send a burst of eight packets if the external NTP server is not reachable when the client sends the first packet to the server. The NTP client transmits each packet at a regular interval of two seconds. After you add an NTP server and save the configuration, the appliance will enable this option by default. When you deselect this check box, the client sends a single packet only once to the server.
        For information about adding NTP authentication keys, see Adding NTP Authentication Keys.
  4. Save the configuration and click Restart if it appears at the top of the screen.

Configuring Grid Members to Use NTP

Once you configure a Grid member to use external NT P server, make sure that the NTP service is enabled at Grid level. Otherwise, the Grid member will not function as an NTP client. For information, see Synchronizing the Grid with External NTP Servers.
To configure Grid members to synchronize their time with external NTP servers:

  1. From the Grid tab, select the Grid Manager tab -> Members tab -> Grid_member check box.
  2. Expand the Toolbar and click NTP -> NTP Member Config.
  3. In the General tab of the Member NTP Properties editor, do the following:
    • Enable the NTP Server on this Member: Select this check box to configure a Grid Master or a Grid member as an NTP server. If you have configured DNS anycast on the appliance, it can answer NTP requests through the anycast IP address.
    • Synchronize this Member only with the Grid Master: Select this check box to enable this Grid member to synchronize its time with the Grid Master. This is the default.
    • Synchronize this Member with other NTP Servers: Select this check box to enable this Grid member to use external NTP servers. When you select this check box, you must enter at least one external NTP server for the member.
    • Exclude the Grid Master as an NTP Server: Select this check box if you want to exclude the Grid Master from being one of the time sources. By default, the appliance automatically configures the Grid Master as the backup NTP server for a Grid member. When the member cannot reach any of its configured NTP servers, it uses the Grid Master as the NTP server. The appliance does not display the Grid Master in the NTP external server list. For a Grid Master, this check box has no meaning.
    • External NTP Servers: Click Override and then click the Add icon. In the Add NTP Server dialog box, enter the following information:
    • NTP Server (FQDN or IP Address): Enter either the IP address or the resolvable host name of an NTP server. You can view a list of public NTP servers at ntp.isc.org. To check whether the DNS server can resolve the NTP server host name, click Resolve Name. You must have a DNS name resolver configured.
    • Enable Authentication: Select this check box to enable authentication of NTP communications between the external NTP server and the NIOS appliance (the Grid Master or Grid member in a Grid, an independent NIOS appliance, or the active node in an independent HA pair).
      Note: To prevent intruders from interfering with the time services on your network, you can authenticate communications between a Grid member and an external NTP server, as well as between a Grid member and external NTP clients. NTP communications within the Grid go through an encrypted VPN tunnel, so you do not have to enable authentication between the Grid Master and Grid members.
      Authentication Key: Select a key that you previously entered from the drop-down list. Note that you must enter authentication keys at the Grid level when you configure a Grid Master or Grid member to use external NTP servers.
    • Click Add to add the NTP server to the list or Cancel to cancel the operation. In the table, click Override in the table to override configurable settings. To inherit the same properties as the Grid, click Inherit.
      • Preferred: Select this to mark an external NTP server as the preferred NTP server. You can select only one server as the preferred NTP server. NIOS uses the responses from this preferred server over responses from other external NTP servers. A response from a preferred server will be discarded if it differs significantly from the responses of other servers. Infoblox recommends that you select an NTP server that is known to be highly accurate as the preferred server, such as one that has special time monitoring hardware. Note that this option is enabled only when you have selected the check box Synchronize this Member with other NTP Servers.
      • Server: Displays the FQDN or IP address of the NTP server that you added.
      • Authentication: When you enable authentication, this column displays Yes. Otherwise, it displays No.
      • Key Number: Displays the authentication key that you have selected.
      • BURST: Select this check box to configure the NTP client to send a burst of eight packets if the external NTP server is reachable and a valid source of synchronization is available. The NTP client transmits each packet at a regular interval of two seconds. After you add an NTP server and save the configuration, the appliance will enable this option by default. When you deselect this check box, the client sends a single packet only once to the server.
      • IBURST: Select this check box to configure the NTP client to send a burst of eight packets if the external NTP server is not reachable when the client sends the first packet to the server. The NTP client transmits each packet at a regular interval of two seconds. After you add an NTP server and save the configuration, the appliance will enable this option by default. When you deselect this check box, the client sends a single packet only once to the server.
        Note: NTP members inherit NTP properties from the Grid. Click Override in the Member NTP Properties wizard to override configurable settings. To inherit the same properties as the Grid, click Inherit.
        For information about adding NTP authentication keys, see Adding NTP Authentication Keys.
  4. Save the configuration and click Restart if it appears at the top of the screen.

Managing External NTP Servers

You can specify multiple NTP servers for failover purposes. The NIOS appliance attempts to connect to the NTP servers in the order they are listed. A Grid member uses the Grid Master as the NTP server when it cannot reach any of its external NTP servers.
You can change the order of the list by selecting an NTP server and dragging it to its new location or by clicking the up and down arrows. You can add and delete servers and modify their information as well.

NIOS Appliances as NTP Servers

After you enable NTP on a Grid, the Grid members—including the Grid Master—can function as NTP servers to clients in different segments of the network. Similarly, after you enable NTP on an independent appliance or an HA pair, and it synchronizes its time with an NTP server, you can configure it to function as an NTP server as well. When you configure DNS anycast addressing on a Grid member and use it as an NTP server, the member can answer NTP requests from other NTP clients through the anycast IP address.

Figure 8.4 Grid Members as NTP Servers



To configure a NIOS appliance as an NTP server, perform the following tasks:

  • Enable the appliance as an NTP server.
  • Enable authentication between the appliance and its NTP clients.
  • Optionally, specify which clients can access the NTP service of the appliance.
  • Optionally, specify which clients can use ntpq to query the appliance.

Configuring a NIOS Appliance as an NTP Server

You can configure a Grid member—including the Grid Master—or an independent appliance or HA pair to function as an NTP server. When you enable a NIOS appliance to function as an NTP server, you can enable authentication between a NIOS appliance functioning as an NTP server and its NTP clients. When you enable authentication, you must specify the keys that the appliance and its clients must use for authentication. In a Grid, you can enter NTP authentication keys at the Grid level so that all the members can use them to authenticate their clients. You can also
enter keys at the member level, if you want that member to use different keys from those set at the Grid level. After you enter the keys, you can download the key file and distribute the file to the NTP clients.
On an HA member, the NTP service runs on the active node. If there is an HA failover, the NTP service is automatically launched after the passive node becomes active and the NTP traffic uses the HA port on one of the nodes from an HA pair, instead of the LAN1 port. You might receive an error message indicating that the NTP is out of synchronization. During another HA failover, the currently passive node becomes active again and the NTP traffic uses the LAN1 port, and the NTP is back in synchronization. For information, see About HA Pairs.
To enable an appliance as an NTP server and authenticate NTP traffic between a NIOS appliance and an NTP client, perform the following tasks:

Enabling an Appliance as an NTP Server

To enable an appliance as an NTP server and add authentication keys:

  1. From the Grid tab, select the Grid Manager tab -> Members tab -> Grid_member check box.
  2. Expand the Toolbar and click NTP -> NTP Member Config.
  3. In the General tab of the Member NTP Properties editor, do the following:
    • Enable the NTP Server on this Member: Select this option to configure a Grid Master or a Grid member as an NTP server. If you have configured DNS anycast on the appliance, it can answer NTP requests through the anycast IP address.
    • Click Override in the NTP Keys section to enter NTP authentication keys at the member level. The member uses these keys when acting as an NTP server and authenticates requests from NTP clients. Clear the check box to use the Grid-level authentication keys.
  4. Click Add in the NTP Keys section. For information, see Adding NTP Authentication Keys.
  5. Save the configuration and click Restart if it appears at the top of the screen.

After you enter the authentication keys, you can download the key file (usually called ntp.keys) and distribute it to NTP clients as follows:

  1. Grid: From the Grid tab, select the Grid Manager tab.
    Member: From the Grid tab, select the Grid Manager tab -> Members tab -> Grid_member check box.
  2. Expand the Toolbar and click NTP -> Download NTP Keys.
  3. In the Opening ntp.keys dialog box, save the file, and then click OK.
  4. Distribute this to the NTP clients using a secure transport.

Defining NTP Access Control

The NTP access control list specifies which clients can use a NIOS appliance as an NTP server. If you do not configure access control, then the NIOS appliance allows access to all clients. You can configure access control at the NTP Grid level and override that at the member level.
In addition, the NIOS appliance can accept queries from clients using ntpq, the standard utility program used to query NTP servers about their status and operational parameters. You can specify from which clients the NIOS appliance is allowed to accept ntpq queries. The appliance does not accept ntpq queries from any client, by default.
You can use an existing named ACL (access control list) or multiple ACEs (access control entries) to control which clients can use the NIOS appliance as an NTP server, as well as those clients from which the appliance can accept queries using ntpq. For information about access control, see Configuring Access Control.

To specify which clients can access the NTP service of a NIOS appliance and from which clients a NIOS appliance can accept ntpq queries, and to enable or disable KoD, complete the following:

  1. Grid: From the Grid tab, select the Grid Manager tab, expand the Toolbar and click NTP -> NTP Grid Config.
    Member: From the Grid tab, select the Grid Manager tab -> Members tab -> Grid_member check box. Expand the Toolbar and click NTP -> NTP Member Config.
    To override an inherited property, click Override next to it and complete the appropriate fields.
  2. In the Access Control tab of the Grid or Member NTP Properties editor, select one of the following to configure NTP access control:
    • None: Select this if you do not want to configure access control for NTP service. When you select None, the appliance allows all clients to access the NTP service. This is selected by default.
    • Use Named ACL for Time only: Select this and click Select Named ACL to select a named ACL that contains only IPv4 addresses and networks. NTP queries do not support TSIG key based ACEs. When you select this, the appliance allows clients that have the Allow permission in the named ACL to use its NTP service. NTP queries from the named ACL entries specified here are denied. You can click Clear to remove the selected named ACL and the appliance accepts ntpq queries from those NTP clients.
    • Use Named ACL for Time + NTP Control (NTPQ): Select this and click Select Named ACL to select a named ACL that contains only IPv4 addresses and networks. NTP queries do not support TSIG key based ACEs. When you select this, the appliance allows clients that have the Allow permission in the named ACL to use its NTP service, and for the appliance to accept ntpq queries from those clients as well. You can click Clear to remove the selected named ACL.
    • Use this set of ACEs: Select this to configure individual ACEs. Click the Add icon and select one of the following from the drop-down list. Depending on the item you select, Grid Manager either adds a row for the selected item or expands the panel so you can specify additional information about the item you are adding, as follows:
      • IPv4 Address: Select this to add an IPv4 address. Click the Value field and enter the IPv4 address. The default permission is Allow, which means that the appliance allows access to and from this IPv4 client. You cannot change the default permission. In the Service field, select Time only to allow this client for using the NTP service on the appliance; or select Time + NTP Control (NTPQ) to also accept ntpq queries from this client.
      • IPv4 Network: Select this to add an IPv4 network. Click the Value field and enter the IPv4 network. The default permission is Allow, which means that the appliance allows access to and from this IPv4 network. You cannot change the default permission. In the Service field, select Time only to allow this network for using the NTP service on the appliance; or select Time + NTP Control (NTPQ) to also accept ntpq queries from this network.
      • IPv6 Address: Select this to add an IPv6 address. Click the Value field and enter the IPv6 address. The default permission is Allow, which means that the appliance allows access to and from this IPv6 client. You cannot change the default permission. In the Service field, select Time only to allow this client for using the NTP service on the appliance; or select Time + NTP Control (NTPQ) to also accept ntpq queries from this client.
      • IPv6 Network: Select this to add an IPv6 network. Click the Value field and enter the IPv6 network. The default permission is Allow, which means that the appliance allows access to and from this IPv6 network. You cannot change the default permission. In the Service field, select Time only to allow this network for using the NTP service on the appliance; or select Time + NTP Control (NTPQ) to also accept ntpq queries from this network.
      • Any Address/Network: Select this to allow access to all IPv4 and IPv6 addresses and networks. The default permission is Allow, which means that the appliance allows access to and from all IPv4 and IPv6 clients. You cannot change the default permission. In the Service field, select Time only to allow clients for using the NTP service on the appliance; or select Time + NTP Control (NTPQ) to also accept ntpq queries from all clients.
        After you have added access control entries, you can do the following:
        • Select the ACEs that you want to consolidate and put into a new named ACL. Click the Create new named ACL icon and enter a name in the Convert to Named ACL dialog box. The appliance creates a new named ACL and adds it to the Named ACL panel. Note that the ACEs you configure for this operation stay intact.
        • Reorder the list of ACEs using the up and down arrows next to the table.
        • Select an ACE and click the Edit icon to modify the entry.
        • Select an ACE and click the Delete icon to delete the entry. You can select multiple ACEs for deletion.
      • Enable KoD: When you select this check box, the appliance (when acting as an NTP server) sends a KoD (Kiss-o'-Death) packet to the NTP client if the client has exceeded the rate limit. The KoD packet contains the stratum field set to zero and the ASCII string in the Reference Source Identifier field set to RATE, indicating the packets sent by the client have been dropped by the server. When you clear the check box, the NTP server drops the packets but does not send any KoD packet to the client. This check box is deselected by default. For more information about KoD, see Enabling Kiss-o'-Death for NTP.
  3. Save the configuration and click Restart if it appears at the top of the screen.


Enabling Kiss-o'-Death for NTP
When an NTP server denies service to an NTP client, which has exceeded the rate limit, it typically drops the packets without notifying the client. In this case, the client, unaware of the situation, continues to transmit packets. To notify the client so it either slows down or stops the packet transmission, you can enable the NIOS appliance (when acting as an NTP server) to transmit a KoD (Kiss-o'-Death) packet. This packet contains the stratum field which is set to zero, implying the sent packet was invalid, and the ASCII string that contains RATE in the reference identifier field, indicating the status of the transmitted packet and access control. When the client receives the KoD packet, it may reduce transmission rate or stop packet transmission to the server. For more information about KoD, refer to RFC 5905 (Network Time Protocol Version 4: Protocol and Algorithms Specification). You can enable KoD at the Grid level and override it at the member level. For more information about enabling KoD, see Defining NTP Access Control.

Monitoring NTP

When you enable the Grid to synchronize its time with external NTP servers, you can monitor the status of the NTP service by checking the NTP status icons in the Member Services panel. To access the panel, from the Grid tab, select the Grid Manager tab -> Members tab -> Grid_member check box, and then select the Manage Member Services icon in the table toolbar of the Members tab.
The following are descriptions of the NTP status icons in the Members Services panel. The type of information that can appear in the Description column corresponds to the SNMP trap messages. For information about the Infoblox SNMP traps, see Chapter 37, Monitoring the Appliance.

Icon

Color

Meaning

Green

The NTP service is enabled and running properly.


Yellow

The NTP service is enabled, and the appliance is synchronizing its time.


Red

The NTP service is enabled, but it is not running properly or is out of synchronization.


Gray

The NTP service is disabled.


After you upgrade the Grid to 6.6.x or later, the color of the Grid status icon changes based on the following:

  • If you activate an external synchronization, or start the NTP service using the Grid Manager, or do not configure any external NTP servers, except local, then the NTP behavior remains the same and the NIOS appliance displays the Grid status icon in green.
  • If you activate an external synchronization and configure one or more external NTP servers, or if the servers are in synchronization with the Grid Master, then the Grid status icon is as follows:
    • Green: NTP is synchronizing with an external server.
    • Red: NTP is synchronizing with the local server and none of the external NTP servers are reachable. This status icon also indicates if there are problems with the NTP service.
    • Yellow: NTP is synchronizing with the local server and at least one external NTP server is reachable; but there could be problems on the external server, such as an exceeded root distance error.