Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

NTP source address

  • 1.  NTP source address

    Posted Oct 28, 2015 09:26 AM

    Hey!

     

    The WiFi controller sits in the DMZ and has one leg in the MZ. The controller IP is one from the MZ range. But now I want to use an NTP server in the DMZ. As far as I understand, the controller uses its controller IP for the NTP lookup in the DMZ. This can't work.

     

    Now I cannot change the source interface of the NTP client on the controller, correct? My idea is to use a NAT rule, but maybe there is a nicer way to do what I want?

     

      remote                                  local                                    st   poll   reach    delay     offset      disp
    =========================================================================================================================================
    =192.168.0.1                            8.8.8.8                              16 1024       0    0.00000     0.000000    3.99217


  • 2.  RE: NTP source address

    Posted Oct 28, 2015 09:57 AM
    The way you are thinking of doing it is the best way.

    Unfortunately you can't change the source IP address; it will use the address defined here: "show controller-ip"


  • 3.  RE: NTP source address

    Posted Oct 28, 2015 10:21 AM

    Hmm, in a production environment... :-) Just to make sure, is what I'm planning correct?

     

    I make a NAT pool just for the IP of my DMZ interface:

    ip nat pool NATPool_DMZ2 192.168.0.5 192.168.0.5

    Then I create a policy

    ip access-list session "SNAT_NTP-access"
    alias "controller" host 192.168.120.2 "svc-ntp" src-nat pool "NATPool_DMZ2" position 1 queue low
    any any any permit position 2 queue low
    !

    But I also need to allow all other traffic coming from and going to the controller, like it was before. Correct?

    ip access-list session "SNAT_NTP-access"
    alias "controller" host 192.168.120.2 "svc-ntp" src-nat pool "NATPool_DMZ2" position 1 queue low
    any any any permit position 2 queue low
    !

    Until here I'm already unsure, but now I have to assign this rule to a port. But what do I choose?

    interface gigabitethernet 1/8
          ip access-group "SNAT_NTP-access" session vlan 120
          ip access-group "SNAT_NTP-access" session
          !

    Thanks for your help.

     

    Greets

     



  • 4.  RE: NTP source address

    Posted Oct 28, 2015 04:01 PM
    I recommend you do this during a maintenance window.

    In the last part, the only thing I would remove is this:
    ip access-group "SNAT_NTP-access" session vlan 120
    Everything else looks good.
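
A way to check the result once the source NAT is in place, as an added example that is not part of the thread: it parses peer output in the column layout shown in the first post and flags servers that never answered or still report stratum 16. The sample rows are constructed, and reading `reach` as the octal 8-bit reachability register is an assumption.

```python
import re

# Constructed sample in the column layout of the output in the first post.
# The second row is invented to show a healthy peer for comparison.
SAMPLE = """\
  remote          local        st poll reach   delay    offset     disp
=======================================================================
=192.168.0.1      192.168.0.5  16 1024     0 0.00000  0.000000  3.99217
*192.168.0.2      192.168.0.5   2   64   377 0.00120  0.000350  0.01500
"""

ROW = re.compile(
    r"^(?P<mode>[=*+^~-])?(?P<remote>\S+)\s+(?P<local>\S+)\s+(?P<st>\d+)\s+"
    r"(?P<poll>\d+)\s+(?P<reach>[0-7]+)\s+-?[\d.]+\s+-?[\d.]+\s+[\d.]+$"
)

def parse_peers(text):
    """Return one dict per peer row; header and separator lines are skipped."""
    peers = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        # Assumption: reach is the octal 8-bit reachability shift register
        # used by ntpd tools, one bit per poll, newest poll in the low bit.
        reach = int(m["reach"], 8) & 0xFF
        peers.append({
            "remote": m["remote"],
            "local": m["local"],
            "stratum": int(m["st"]),
            "answered": bin(reach).count("1"),  # replies in the last 8 polls
        })
    return peers

def failing(peers):
    """Peers that never answered, or that report stratum 16 (unsynchronized)."""
    return [p["remote"] for p in peers
            if p["answered"] == 0 or p["stratum"] >= 16]

if __name__ == "__main__":
    for p in parse_peers(SAMPLE):
        state = "FAIL" if failing([p]) else "ok"
        print(f'{p["remote"]:<15} via {p["local"]:<15} '
              f'stratum={p["stratum"]:<2} answered={p["answered"]}/8 {state}')
```

The `local` column is the field to watch here: after the NAT rule takes effect, the server should start answering and `reach` should move away from 0 within a few poll intervals.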