[j-nsp] NTP Reflection
Chad Myers
Chad.Myers at theice.com
Tue Jan 14 17:57:47 EST 2014
Loopback address isn't explicitly assigned to an interface. Assigning it resolves various issues. See http://forums.juniper.net/t5/Ethernet-Switching/NTP-Not-working/m-p/224757.
set interfaces lo0.0 family inet address 127.0.0.1/32
As for NTP, and other stuff for the RE itself, I use same approach by explicitly putting 127.0.0.1/32 in the prefix-list. I originally did it because not all of the apply-path lists had the underlying configuration, resulting in an empty prefix-list that matched anything. Now, almost any apply-path based prefix list will have the loopback address specified.
set policy-options prefix-list MY-NTP_SERVERS 127.0.0.1/32
set policy-options prefix-list MY-NTP_SERVERS apply-path "system ntp server <*>"
-Chad
On Jan 14, 2014, at 7:04 AM, Olivier Benghozi wrote:
> But due to another ridiculous way of implementing that, the Juniper KB article suggests to also allow:
> <router-loopback-address>;
> and not only your favorite ntp servers...
>
> Because if you don't do it, you'll obtain some nice "Server Timeout" if you want to issue a "show ntp status" or "show ntp associations".
> So:
> - Junos doesn't use 127.0.0.1 to locally communicate with ntpd
> - In you filters you're obliged to manually authorize internal private IP traffic used by the CLI and that doesn't even leave the RE
>
> Another fine design...
>
>
> --
> Olivier
>
>
> Le 14 janv. 2014 à 03:10, John Kristoff <jtk at cymru.com> a écrit :
>
>> On Tue, 14 Jan 2014 12:38:12 +1100
>> Mark Tees <marktees at gmail.com> wrote:
>>
>>> Can we get detailed lo0 filters listed too please?
>>
>> Hi Mark,
>>
>> While I'll defer to Juniper for their recommendations, we've had this
>> for some time (scroll down to the Juniper section):
>>
>> <http://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html>
>
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
This message may contain confidential information and is intended for specific recipients unless explicitly noted otherwise. If you have reason to believe you are not an intended recipient of this message, please delete it and notify the sender. This message may not represent the opinion of IntercontinentalExchange, Inc. (ICE), its subsidiaries or affiliates, and does not constitute a contract or guarantee. Unencrypted electronic mail is not secure and the recipient of this message is expected to provide safeguards from viruses and pursue alternate means of communication where privacy or a binding message is desired.
More information about the juniper-nsp
mailing list