Archive for the ‘IP and IOS Features’ Category

NTP time service

Thursday, July 20th, 2006

NTP is defined in RFC 1305 (NTP version 3). It is a UDP based protocol (port 123) used for time synchronisation with NTP servers. An NTP server can be any source that speaks the protocol; normally such a server has an atomic or radio clock attached. NTP uses the stratum to describe how many NTP hops away a machine is from a reference clock: a server with the clock attached directly is stratum 1, a server that gets its time from a stratum 1 server is stratum 2, and so on. Note that the stratum only counts hops; it says nothing about how accurate or trustworthy a source is, which is why authentication and access lists (below) matter. Cisco does not provide a stratum 1 server with a clock attached; normally this is a Unix daemon from www.ntp.org. Well, I just read that Cisco does provide an external clock, but only as an extension kit for the Cisco 7200 series routers. I found this because there is an „ntp refclock“ command in the IOS 12.4 documentation. You find this information here:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hcf_r/cfn_05h.htm#wp1047024

To configure an NTP server for a router:

ntp server [ip address]

clock timezone [WORD] [+/- hours]

The timezone is not an NTP setting at all: NTP always runs in UTC, and the offset only affects how the router displays time (show clock, log timestamps). It is configured with clock timezone, not with an ntp command. The timezone is the offset between UTC (also called GMT) and local time. Here in Germany it is +1 in winter and +2 in summer; instead of changing the offset by hand twice a year, configure the standard offset and let clock summer-time ... recurring handle daylight saving time. With the variable

NTP Authentication:

Server:

ntp server [ip]

ntp authentication-key [number] md5 [password]

ntp trusted-key [number]

Client:

ntp server [ip] key [number]

ntp authentication-key [number] md5 [password]

ntp authenticate

ntp trusted-key [number]

The key [number] on the client's ntp server line is essential: it tells the client which key to sign its requests with. Without it the key is defined but never used, and the client happily syncs unauthenticated.

It is a good idea to keep the clocks on routers and servers in sync. This helps a lot when identifying problems, and during an incident it is what lets you correlate log entries from different devices: with synchronised clocks you can track a problem down to a specific point in time across the whole network instead of guessing which device's clock is off.

Configuring authentication does not mean other NTP clients can no longer connect to the server. Authentication only controls which sources the router itself accepts time from; it still answers unauthenticated queries from anybody. To restrict who may query or sync from the router you have to configure access lists (ntp access-group).
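To show all of the above together, here is a complete IOS NTP configuration as an added example. It is not from the original post; the server address, key number, password, ACL numbers and interface name are made up for illustration.

```cisco
! Added example (not from the original post). Addresses, key number,
! password and ACL numbers are illustrative.
!
! Shared key for the upstream server. IOS only offers MD5 here.
ntp authentication-key 1 md5 S3cretNtpKey
ntp trusted-key 1
ntp authenticate
!
! "key 1" on the server line is what makes this router send
! authenticated requests; without it the key is never used.
ntp server 192.0.2.10 key 1
ntp source Loopback0
!
! Authentication alone does not stop other hosts from querying us.
! ACL 10: the only source we accept time from (peer).
! ACL 11: hosts allowed to sync from us, but not to control us (serve-only).
access-list 10 permit 192.0.2.10
access-list 11 permit 10.0.0.0 0.255.255.255
ntp access-group peer 10
ntp access-group serve-only 11
!
! Display time: standard offset plus recurring DST (German time as example),
! so the offset does not have to be edited by hand twice a year.
clock timezone CET 1
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
!
! Timestamp syslog and debug output with milliseconds and the zone, so
! events can be correlated across devices.
service timestamps log datetime msec localtime show-timezone
service timestamps debug datetime msec localtime show-timezone
```

After applying it, check with show ntp associations that the upstream server is marked as synchronised and authenticated, and with show ntp status that the router has actually reached a stratum one below its server. A host outside ACL 11 should get no answer at all, which is the easiest way to confirm the access group is in effect.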

A good source about NTP on cisco routers:

http://www.oreilly.com/catalog/hardcisco/chapter/ch10.html

traceroute and icmp rate-limit unreachable

Friday, May 26th, 2006

I had this problem that every second packet of a traceroute from one Cisco router to another was lost. I could reproduce this easily. It doesn't matter how many other routers have been in between. So I thought this might be an IOS bug. But I found out it isn't. It's a feature. 🙂 As you can see, the second packet is always missing.

Here is an example:

r1#traceroute 192.168.2.1

Type escape sequence to abort.
Tracing the route to 192.168.2.1

1 172.20.44.2 16 msec 16 msec 16 msec
2 172.10.144.2 16 msec * 16 msec

r1#traceroute 192.168.2.1

Type escape sequence to abort.
Tracing the route to 192.168.2.1

1 172.20.44.2 16 msec 16 msec 16 msec
2 172.10.144.2 20 msec * 16 msec

The cause is the rate limit on ICMP unreachable messages: by default IOS generates at most one ICMP unreachable every 500 ms. Traceroute sends its probes one after the other, so the second probe goes out right after the reply to the first arrives (16 ms later in the output above) and the router answering it is still inside the 500 ms window; its reply is suppressed and the probe times out, shown as the asterisk. The third probe is only sent after that timeout, which is longer than 500 ms, so it is answered again. This limit is a protection against denial of service attacks: without it, anyone who can make the router generate unreachables can force it to send one ICMP packet for every packet they throw at it.

If you want to turn it off, you can use the

„no ip icmp rate-limit unreachable“ command.

Bear in mind that this removes the protection completely. The asterisk is cosmetic; if it really gets in the way, it is better to adjust the interval with ip icmp rate-limit unreachable [milliseconds] than to disable the limiter on a router that is reachable from untrusted networks.
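The settings discussed above side by side, as an added example that is not from the original post. The 100 ms value is only an illustration of a tuned interval.

```cisco
! Added example (not from the original post). Interval values are illustrative.
!
! Default behaviour, in effect even when nothing is configured:
! at most one ICMP unreachable per 500 ms. Equivalent to typing:
ip icmp rate-limit unreachable 500
!
! Tuned limit: short enough that the second traceroute probe (sent a few
! tens of ms after the first) is answered, but the router still never emits
! more than one unreachable per interval.
ip icmp rate-limit unreachable 100
!
! "Fragmentation needed and DF set" unreachables are what Path MTU discovery
! relies on; they have their own limiter, so tuning the one above does not
! starve PMTUD and vice versa.
ip icmp rate-limit unreachable df 500
!
! What the post suggests: no limit at all. Every packet to an unreachable
! destination now costs the router an ICMP reply. Avoid on exposed routers.
no ip icmp rate-limit unreachable
```

Whichever you choose, the running configuration (show running-config | include icmp) shows only non-default values, so an absent line means the 500 ms default is active, not that the limiter is off.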

There is a quite good description of the traceroute command on the Cisco website (Cisco site info on traceroute).

I found this quite interesting.