R21xx-HP FlexFabric 11900 Network Management and Monitoring Configuration Guide

If the IP address of the peer device matches a permit statement in the ACLs of more than one access
right, the least restrictive of the matched access rights is granted to the peer device. If the address
matches a deny statement, or matches no ACL at all, no access right is granted.
If no ACL is created for a specific access right, that access right is not granted.
If no ACL is created for any access right, the peer access right is granted to all devices.
This feature provides minimal security for a system running NTP. A more secure method is NTP
authentication.
NTP authentication
Use this feature to authenticate NTP messages. If an NTP message passes authentication, the device
accepts it and uses the time synchronization information it carries. Otherwise, the device discards
the message. This makes sure the device does not synchronize to an unauthorized time server.
Figure 7 NTP authentication
As shown in Figure 7, NTP authentication works as follows:
1. The sender uses the MD5 algorithm to calculate a digest over the NTP message with the key identified
by a key ID, and sends the calculated digest together with the NTP message and the key ID to the
receiver.
2. Upon receiving the message, the receiver looks up the key according to the key ID in the message,
uses the MD5 algorithm to calculate the digest over the message with that key, and compares the result
with the digest contained in the NTP message. If they are the same, the receiver accepts the message.
Otherwise, it discards the message.
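The two steps above, written out as an added example (this code is not from the HP guide and not the device's implementation). The guide does not state how the key enters the MD5 computation; the example uses the construction RFC 5905 specifies for symmetric-key NTP, MD5 over the key prepended to the NTP header (a plain keyed digest, not HMAC-MD5). The key table, key IDs, sample header contents and the assumption that the message is a bare 48-byte header with no extension fields are all constructed here for illustration.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48      # NTPv4 header without extension fields (assumed here)
KEY_ID_LEN = 4           # 32-bit key ID
MD5_DIGEST_LEN = 16      # 128-bit MD5 digest
MAC_LEN = KEY_ID_LEN + MD5_DIGEST_LEN

# Constructed key table (key ID -> key value). Sender and receiver must hold
# the same entries; these values are demo keys, not anything from the guide.
KEYS = {
    1: b"demo-key-one",
    2: b"demo-key-two",
}


def build_ntp_header(mode: int = 3, transmit_ts: int = 0x123456789ABCDEF0) -> bytes:
    """Build a minimal 48-byte NTPv4 header (mode 3 = client).

    Only the LI/VN/mode byte and the transmit timestamp are populated; the
    other fields are zero, which is enough to exercise the MAC path.
    """
    li_vn_mode = (0 << 6) | (4 << 3) | mode                  # LI=0, VN=4
    header = struct.pack("!BBbb", li_vn_mode, 0, 0, 0)       # stratum, poll, precision
    header += struct.pack("!III", 0, 0, 0)                   # root delay, root dispersion, ref ID
    header += struct.pack("!QQQ", 0, 0, 0)                   # reference, origin, receive timestamps
    header += struct.pack("!Q", transmit_ts)                 # transmit timestamp (bytes 40..47)
    return header


def ntp_mac(key: bytes, message: bytes) -> bytes:
    """RFC 5905 symmetric-key MAC: MD5 over the key prepended to the message."""
    return hashlib.md5(key + message).digest()


def sign(message: bytes, key_id: int, keys: dict = KEYS) -> bytes:
    """Step 1 (sender): digest the message with the key for key_id and append
    key ID + digest to the message."""
    digest = ntp_mac(keys[key_id], message)
    return message + struct.pack("!I", key_id) + digest


def verify(packet: bytes, keys: dict = KEYS) -> tuple:
    """Step 2 (receiver): find the key by the key ID carried in the packet,
    recompute the digest and compare. Returns (accepted, reason, message)."""
    if len(packet) == NTP_HEADER_LEN:
        return False, "no MAC: unauthenticated message discarded", None
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return False, "malformed length", None
    message = packet[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + KEY_ID_LEN])[0]
    received = packet[NTP_HEADER_LEN + KEY_ID_LEN:]
    key = keys.get(key_id)
    if key is None:
        return False, "unknown key ID %d" % key_id, None
    expected = ntp_mac(key, message)
    # Constant-time comparison so the check itself does not leak digest bytes.
    if not hmac.compare_digest(expected, received):
        return False, "digest mismatch", None
    return True, "ok", message


if __name__ == "__main__":
    good = sign(build_ntp_header(), 1)
    print(verify(good)[:2])                                        # (True, 'ok')
    forged = bytearray(good)
    forged[40] ^= 0x01                                             # flip one transmit-timestamp bit
    print(verify(bytes(forged))[:2])                               # (False, 'digest mismatch')
    print(verify(sign(build_ntp_header(), 2), {1: KEYS[1]})[:2])   # (False, 'unknown key ID 2')
    print(verify(build_ntp_header())[:2])                          # (False, 'no MAC: ...')
```

The receiver never trusts the key ID by itself: an unknown key ID, a missing MAC, or any change to the 48-byte header after signing causes the message to be discarded, which is what keeps an unauthorized server from being accepted. Because the digest is a keyed MD5 rather than a signature, anyone holding the key value can produce valid messages, so the key must be distributed out of band and only to the devices that should be able to serve time.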
NTP for MPLS VPNs
The device supports multiple VPN instances when it functions as an NTP client or a symmetric active peer
to realize time synchronization with the NTP server or symmetric passive peer in an MPLS VPN network.
Only the client/server and symmetric active/passive modes support VPN instances. For more
information about MPLS L3VPN, VPN instance, and PE, see MPLS Configuration Guide.
As Figure 8 shows, users in VPN 1 and VPN 2 are connected to the MPLS backbone network through
provider edge (PE) devices, and services of the two VPNs are isolated. If you configure the PEs to operate
in NTP client or symmetric active mode, and specify the VPN to which the NTP server or NTP symmetric
passive peer belongs, the time synchronization between PEs and devices of the two VPNs can be
realized.
(Figure 7 diagram labels: Sender, with Key ID, Key value and Message, computes the digest and sends Message, Key ID and Digest to the Receiver; Receiver, with its own Key value for that Key ID, computes the digest and compares it with the received Digest.)