NTP not functioning – Segmented Management VLAN

I'm configuring a building-wide network of layer 2 and layer 3 Ciscos to use NTP, but I'm not getting NTP updates from the NTP servers. Drawing a picture of this would show a collapsed core of two 4500s and access switches that are 2950s, set up based on Cisco's typical building block network diagram. The only deviation from Cisco's typical designs is that the management VLAN has been changed from the default VLAN on all switches (pretty typical, and obviously the same VLAN on all of the switches). However, we've removed it from the trunk interfaces. Instead, a separate network of 2950 switches is used as the management network that's connected to each of the switches. Everything on the management VLAN works: telnet, ssh, tftp, etc. No problems.

When I configure one or even both of the 4500 switches using ntp master, everything looks good on that switch. "show ntp status" shows the switch is configured with its time deviations, etc. However, I cannot get any other switch to see this NTP server. They are set up with ntp server <ip of core switch>. Even if options are used such as source or version, it still never sees the NTP master. I've also tried creating ntp peer <ip address> of all the switches on both the core and access switches. Nothing... The peer switches always show "Not connected".

I've gone two steps further and possibly more off track to troubleshoot the problem, but nothing works. The other things I've tried are to use a Mandriva system configured as an NTP server (master) that's on that management VLAN and set the switches up to look to it as the server. I've also tried to configure the core switch to look at one of the non-management VLAN computers for the master (which is crazy at best since the switch's IP is on the management VLAN, but it was worth testing for a sanity check). Does anyone have any other ideas? I'd include printouts of the CLI, but it wouldn't help.

Basically, show ntp status shows "Not connected" on the peer/downlevel switches, and even the core doesn't show a connection when using the Mandriva system as the NTP master. All switches are configured to forward UDP ntp and time as well as the management VLAN. I have an access-list on each of the management interfaces for all switches that restricts management-only traffic in/out of that interface. If anyone else has any experience with such a setup as this and knows a solution, please let me know. TIA, SF

Answer Wiki


Are you sure your ACLs allows for NTP?

Discuss This Question: 2  Replies

  • Astronomer
    I discovered the hard way that any time you are debugging this kind of problem, the first thing is to disable all filtering rules if you can. This removes the confusion of the protocol vs. the rules. Once the wide open net is functioning, re-enable the rules to see if it breaks again. The philosophy I drilled into my techs at Intel was "reduce the variables". I hope this helps. If you still can't figure it out, put the client and server on the same subnet with everything wide open and test it. If it doesn't work this way, it's not a routing or filtering issue. Check the protocol by sniffing the wire. You should see the requests from the client and the answers from the server. Once you have this setup working, gradually move out toward your desired configuration one step at a time until you reach the complete architecture. rt
  • Sonyfreek
    Yep, it was not allowing udp 123. Problem resolved. Thanks.
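The thread ends on the ACL that dropped UDP/123. The following is an added example, not the poster's actual configuration: it shows a management-only ACL of the kind described in the question with NTP missing, then the same ACL with NTP permitted, alongside the minimal ntp master / ntp server lines. Every value is constructed for illustration: management VLAN 99, subnet 10.99.0.0/24, core switch address 10.99.0.1, access switch address 10.99.0.21, and the ACL name MGMT-IN.

```cisco
! Added example; addresses, VLAN number and ACL name are constructed, not from the thread.
! Management VLAN 99 = 10.99.0.0/24, core switch (ntp master) = 10.99.0.1, access switch = 10.99.0.21

! --- Core switch: serve time from its management-VLAN address
ntp master 3
ntp source Vlan99

! --- Access switch: poll the core across the management VLAN
ntp server 10.99.0.1 source Vlan99

! --- BEFORE: management-only ACL. Telnet/SSH/TFTP/ping work, but NTP
!     (UDP/123) matches nothing and falls through to the implicit deny,
!     so "show ntp associations" keeps showing reach 0 / "Not connected".
ip access-list extended MGMT-IN
 permit tcp 10.99.0.0 0.0.0.255 any eq 22
 permit tcp 10.99.0.0 0.0.0.255 any eq telnet
 permit udp 10.99.0.0 0.0.0.255 any eq tftp
 permit icmp 10.99.0.0 0.0.0.255 any
 deny   ip any any log            ! log the drops so the missing protocol shows up

! --- AFTER: same ACL with NTP admitted. IOS sends NTP from UDP/123 to UDP/123,
!     so matching both ports covers the client's poll arriving at the core
!     and the master's reply arriving at the access switch.
ip access-list extended MGMT-IN
 permit tcp 10.99.0.0 0.0.0.255 any eq 22
 permit tcp 10.99.0.0 0.0.0.255 any eq telnet
 permit udp 10.99.0.0 0.0.0.255 any eq tftp
 permit udp 10.99.0.0 0.0.0.255 eq ntp any eq ntp
 permit icmp 10.99.0.0 0.0.0.255 any
 deny   ip any any log

! --- Apply inbound on the management SVI of each switch (access switch shown)
interface Vlan99
 ip address 10.99.0.21 255.255.255.0
 ip access-group MGMT-IN in

! --- Verify from the access switch
!   show ntp associations      (a * before 10.99.0.1 means synchronized; reach climbs from 0)
!   show ntp status            ("Clock is synchronized" once a few polls succeed)
!   show access-lists MGMT-IN  (hit counts on the ntp line; log entries on the deny line before the fix)
```

The `deny ip any any log` line is the quickest way to confirm this class of problem: with the ACL in its "before" form, the log shows UDP 10.99.0.21(123) to 10.99.0.1(123) being denied on the core, which points straight at the missing permit without having to remove the filter entirely.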
