ntp with mgmt vrf

  • Updated 3 weeks ago
Hello, all!
I have a switch which I would like to work as an ntp server for the hosts connected to it.
I synchronize the switch with ntp on the Internet through eth0 in the mgmt vrf. But the servers are connected to the global routing table.

There are these lines in ntp.conf:
# for local clients
restrict 10.0.0.0  mask 255.0.0.0 nomodify notrap
# interface to send ntp requests:
interface listen eth0

ntpq -p:
root@leaf2:mgmt-vrf:~# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ip-79-111-152-1 .GPS.            1 u   11  256  377   29.437   -0.645   0.187
-ftpshare1.corbi 89.175.22.41     2 u  145  256  377    4.070    0.658   0.323
+cello.corbina.n 131.188.3.220    2 u  202  256  377    4.437    0.212   0.117
+ns1.ooonet.ru   89.109.251.24    2 u  193  256  377   31.153   -0.073   0.165



When I run tcpdump on the port to which the client is connected, I see requests, but don't see responses:

10:13:33.099409 ec:0d:9a:a6:a4:22 (oui Unknown) > 44:38:39:ff:00:65 (oui Unknown), ethertype IPv4 (0x0800), length 90: (tos 0x0, ttl 64, id 58526, offset 0, flags [DF], proto UDP (17), length 76)
    10.0.1.101.53686 > 10.0.1.1.ntp: [udp sum ok] NTPv4, length 48
        Client, Leap indicator:  (0), Stratum 0 (unspecified), poll 10 (1024s), precision 32
        Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID: (unspec)
          Reference Timestamp:  0.000000000
          Originator Timestamp: 0.000000000
          Receive Timestamp:    0.000000000
          Transmit Timestamp:   3174975032.184608978 (2000/08/11 13:30:32)
            Originator - Receive Timestamp:  0.000000000
            Originator - Transmit Timestamp: 3174975032.184608978 (2000/08/11 13:30:32)

ntpd works in mgmt vrf:
root@leaf2:mgmt-vrf:~# systemctl status ntp@mgmt.service
ntp@mgmt.service - NTP - Network Time Protocol daemon
   Loaded: loaded (/lib/systemd/system/ntp.service; enabled)
  Drop-In: /run/systemd/generator/ntp@.service.d
           └─vrf.conf
   Active: active (running) since Tue 2018-03-27 09:26:14 MSK; 49min ago
     Docs: man:ntpd(8)
 Main PID: 1588 (ntpd)
   CGroup: /system.slice/system-ntp.slice/ntp@mgm...
           └─1588 /usr/sbin/ntpd -n -u ntp:ntp -g


Is there a need for some additional configuration to distribute time from the switch to local clients?

Anton Lopatin

Posted 3 weeks ago

Dave Olson, MTS

The primary issue is this comment and line in ntp.conf
# interface to send ntp requests:
interface listen eth0
You'll need to add the swp ports that you want ntp to listen (and reply on) to the config.  Your base ntp config is clearly working in that it's sync'ing time from upstream.  Or remove the listen line completely, so ntp listens on all interfaces.

Anton Lopatin

Hello, Dave!
The problem here is in the vrfs. I started the ntp service for vrf mgmt, because the ntp server is available only from the eth0 address. But the interfaces live in the default vrf (or other specific vrfs), and the system can't create sockets for these interfaces.
Here is the syslog grep from when I started ntp in mgmt vrf for eth0 (in mgmt) and vlan101 (in default vrf):

2018-03-28T09:12:40.775872+03:00 leaf2 ntpd[1929]: ntpd 4.2.6p5@1.2349-o Wed Sep 27 21:22:40 UTC 2017 (1)
2018-03-28T09:12:40.776841+03:00 leaf2 ntpd[1929]: proto: precision = 0.100 usec
2018-03-28T09:12:40.777790+03:00 leaf2 ntpd[1929]: ntp_io: estimated max descriptors: 1024, initial socket boundary: 16
2018-03-28T09:12:40.778422+03:00 leaf2 ntpd[1929]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
2018-03-28T09:12:40.781407+03:00 leaf2 ntpd[1929]: Listen and drop on 1 v6wildcard :: UDP 123
2018-03-28T09:12:40.782432+03:00 leaf2 ntpd[1929]: Listen normally on 2 lo 127.0.0.1 UDP 123
2018-03-28T09:12:40.783062+03:00 leaf2 ntpd[1929]: Listen normally on 3 eth0 172.28.50.28 UDP 123
2018-03-28T09:12:40.783714+03:00 leaf2 ntpd[1929]: bind(20) AF_INET 10.0.1.3#123 flags 0x19 failed: Cannot assign requested address
2018-03-28T09:12:40.784319+03:00 leaf2 ntpd[1929]: unable to create socket on vlan101 (4) for 10.0.1.3#123
2018-03-28T09:12:40.784838+03:00 leaf2 ntpd[1929]: failed to init interface for address 10.0.1.3
2018-03-28T09:12:40.785981+03:00 leaf2 ntpd[1929]: Listen normally on 5 eth0 fe80::268a:7ff:fea0:14fa UDP 123
2018-03-28T09:12:40.786649+03:00 leaf2 ntpd[1929]: Listen normally on 6 lo ::1 UDP 123
2018-03-28T09:12:40.788261+03:00 leaf2 ntpd[1929]: Listen normally on 7 vlan101 fe80::268a:7ff:fef2:f500 UDP 123
2018-03-28T09:12:40.788964+03:00 leaf2 ntpd[1929]: peers refreshed
2018-03-28T09:12:40.789552+03:00 leaf2 ntpd[1929]: Listening on routing socket on fd #23 for interface updates
2018-03-28T09:12:44.777327+03:00 leaf2 ntpd[1929]: bind(24) AF_INET 10.0.1.3#123 flags 0x19 failed: Cannot assign requested address
2018-03-28T09:12:44.777802+03:00 leaf2 ntpd[1929]: unable to create socket on vlan101 (8) for 10.0.1.3#123
2018-03-28T09:12:44.778140+03:00 leaf2 ntpd[1929]: failed to init interface for address 10.0.1.3
2018-03-28T09:12:47.778862+03:00 leaf2 ntpd[1929]: bind(24) AF_INET 10.0.1.3#123 flags 0x19 failed: Cannot assign requested address
2018-03-28T09:12:47.779315+03:00 leaf2 ntpd[1929]: unable to create socket on vlan101 (9) for 10.0.1.3#123
2018-03-28T09:12:47.779657+03:00 leaf2 ntpd[1929]: failed to init interface for address 10.0.1.3


Starting the ntp service in the default vrf does not help, because in this case we see the opposite situation:

2018-03-28T09:09:11.210371+03:00 leaf2 ntpd[1026]: ntpd 4.2.6p5@1.2349-o Wed Sep 27 21:22:40 UTC 2017 (1)
2018-03-28T09:09:11.210853+03:00 leaf2 ntpd[1026]: proto: precision = 0.100 usec
2018-03-28T09:09:11.211215+03:00 leaf2 ntpd[1026]: ntp_io: estimated max descriptors: 1024, initial socket boundary: 16
2018-03-28T09:09:11.211545+03:00 leaf2 ntpd[1026]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
2018-03-28T09:09:11.213446+03:00 leaf2 ntpd[1026]: Listen and drop on 1 v6wildcard :: UDP 123
2018-03-28T09:09:11.213968+03:00 leaf2 ntpd[1026]: Listen normally on 2 lo 127.0.0.1 UDP 123
2018-03-28T09:09:11.214323+03:00 leaf2 ntpd[1026]: bind(19) AF_INET 172.28.50.28#123 flags 0x19 failed: Cannot assign requested address
2018-03-28T09:09:11.214667+03:00 leaf2 ntpd[1026]: unable to create socket on eth0 (3) for 172.28.50.28#123
2018-03-28T09:09:11.215048+03:00 leaf2 ntpd[1026]: failed to init interface for address 172.28.50.28
2018-03-28T09:09:11.215387+03:00 leaf2 ntpd[1026]: Listen normally on 4 vlan101 10.0.1.3 UDP 123
2018-03-28T09:09:11.215729+03:00 leaf2 ntpd[1026]: Listen normally on 5 eth0 fe80::268a:7ff:fea0:14fa UDP 123
2018-03-28T09:09:11.216128+03:00 leaf2 ntpd[1026]: Listen normally on 6 lo ::1 UDP 123
2018-03-28T09:09:11.216593+03:00 leaf2 ntpd[1026]: Listen normally on 7 vlan101 fe80::268a:7ff:fef2:f500 UDP 123
2018-03-28T09:09:11.217003+03:00 leaf2 ntpd[1026]: peers refreshed
2018-03-28T09:09:11.217424+03:00 leaf2 ntpd[1026]: Listening on routing socket on fd #23 for interface updates
2018-03-28T09:09:13.211114+03:00 leaf2 ntpd[1026]: bind(24) AF_INET 172.28.50.28#123 flags 0x19 failed: Cannot assign requested address
2018-03-28T09:09:13.211549+03:00 leaf2 ntpd[1026]: unable to create socket on eth0 (8) for 172.28.50.28#123
2018-03-28T09:09:13.211911+03:00 leaf2 ntpd[1026]: failed to init interface for address 172.28.50.28
2018-03-28T09:09:17.212676+03:00 leaf2 ntpd[1026]: bind(24) AF_INET 172.28.50.28#123 flags 0x19 failed: Cannot assign requested address
2018-03-28T09:09:17.213158+03:00 leaf2 ntpd[1026]: unable to create socket on eth0 (9) for 172.28.50.28#123
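
The two startup logs above record which addresses each ntpd instance could bind. As an added example (not part of the original thread), this Python script reads such syslog lines and reports, per ntpd PID, the interface addresses whose last recorded state is a bind failure, i.e. the addresses that instance cannot serve clients on. The sample lines are excerpted from the logs above; the function names are illustrative.

```python
import re

# Patterns match the ntpd 4.2.6 messages quoted in the thread.
LISTEN = re.compile(r"ntpd\[(\d+)\]: Listen normally on \d+ (\S+) (\S+) UDP 123")
FAILED = re.compile(
    r"ntpd\[(\d+)\]: unable to create socket on (\S+) \(\d+\) for (\S+)#123")

# Excerpt of the thread's logs: PID 1929 ran in mgmt vrf, PID 1026 in default vrf.
SAMPLE = """\
2018-03-28T09:12:40.783062+03:00 leaf2 ntpd[1929]: Listen normally on 3 eth0 172.28.50.28 UDP 123
2018-03-28T09:12:40.784319+03:00 leaf2 ntpd[1929]: unable to create socket on vlan101 (4) for 10.0.1.3#123
2018-03-28T09:12:40.788261+03:00 leaf2 ntpd[1929]: Listen normally on 7 vlan101 fe80::268a:7ff:fef2:f500 UDP 123
2018-03-28T09:12:44.777802+03:00 leaf2 ntpd[1929]: unable to create socket on vlan101 (8) for 10.0.1.3#123
2018-03-28T09:09:11.214667+03:00 leaf2 ntpd[1026]: unable to create socket on eth0 (3) for 172.28.50.28#123
2018-03-28T09:09:11.215387+03:00 leaf2 ntpd[1026]: Listen normally on 4 vlan101 10.0.1.3 UDP 123
"""


def socket_state(lines):
    """Map (pid, interface, address) to its last logged state.

    ntpd retries failed binds, so a later success replaces an earlier
    failure (and the reverse, if an interface moves between vrfs).
    """
    state = {}
    for line in lines:
        m = LISTEN.search(line)
        if m:
            state[(int(m[1]), m[2], m[3])] = "listening"
            continue
        m = FAILED.search(line)
        if m:
            state[(int(m[1]), m[2], m[3])] = "failed"
    return state


def unserved(lines):
    """Return {pid: [(interface, address), ...]} for addresses left unbound."""
    out = {}
    for (pid, ifname, addr), status in socket_state(lines).items():
        if status == "failed":
            out.setdefault(pid, []).append((ifname, addr))
    return {pid: sorted(addrs) for pid, addrs in out.items()}


if __name__ == "__main__":
    for pid, addrs in sorted(unserved(SAMPLE.splitlines()).items()):
        for ifname, addr in addrs:
            print(f"ntpd[{pid}] is not listening on {ifname} {addr}")
```
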
 

Dave Olson, MTS

I see you opened a support case on this also; that's good.  I'm pretty sure we don't have an answer to this right now.  I'm the internal Cumulus maintainer for vrf, but I'm not an expert on multiple vrf setups.  Our vrf expert is looking at this now, but I suspect we'll need to modify ntp the way we modified rsyslog, to handle this case.

Anton Lopatin

Dave, it is very desirable for us to synchronize time on servers with default gw's on switches. Servers are in different vlans and vrfs. Right now we have to use a workaround with an external ntp server. And we will wait for an answer in the case.