Purpose of this article
On IBM Cloud, a vSRX ordered with the default configuration does not synchronize its clock with the NTP server inside IBM Cloud, so this article provides a configuration guide for fixing that.
Checking the NTP settings (before the change)
The default NTP-related settings of a vSRX on IBM Cloud are as follows.
(NTP server setting)
set system ntp server 10.0.77.54
However, although the ACL that controls traffic to the vSRX itself (PROTECT-IN) is enabled by default, it contains no term permitting NTP traffic, so the NTP packets are dropped.
(Excerpt of the ACL configuration)
set firewall filter PROTECT-IN term PING from destination-address xx.xx.xx.xx/32
set firewall filter PROTECT-IN term PING from destination-address xx.xx.xx.xx/32
set firewall filter PROTECT-IN term PING from protocol icmp
set firewall filter PROTECT-IN term PING then accept
set firewall filter PROTECT-IN term SSH from destination-address xx.xx.xx.xx/32
set firewall filter PROTECT-IN term SSH from destination-address xx.xx.xx.xx/32
set firewall filter PROTECT-IN term SSH from protocol tcp
set firewall filter PROTECT-IN term SSH from destination-port ssh
set firewall filter PROTECT-IN term SSH then accept
set firewall filter PROTECT-IN term WEB from destination-address xx.xx.xx.xx/32
set firewall filter PROTECT-IN term WEB from destination-address xx.xx.xx.xx/32
set firewall filter PROTECT-IN term WEB from protocol tcp
set firewall filter PROTECT-IN term WEB from port 8443
set firewall filter PROTECT-IN term WEB then accept
set firewall filter PROTECT-IN term DNS from protocol udp
set firewall filter PROTECT-IN term DNS from source-port 53
set firewall filter PROTECT-IN term DNS then accept
set interfaces lo0 unit 0 family inet filter input PROTECT-IN
set interfaces lo0 unit 0 family inet address 127.0.0.1/32
Checking the NTP synchronization status returns a timeout error.
admin@xxxx-vsrx-gateway01-vsrx-vSRX-Node0> show ntp associations
localhost: timed out, nothing received
***Request timed out
Adding an NTP term to PROTECT-IN
Add the following term to the filter.
("10.0.77.54" is the DNS server in IBM Cloud; "127.0.0.1" is the address of the vSRX itself)
Configure
set firewall filter PROTECT-IN term NTP from source-address 10.0.77.54/32
set firewall filter PROTECT-IN term NTP from source-address 127.0.0.1/32
set firewall filter PROTECT-IN term NTP from protocol udp
set firewall filter PROTECT-IN term NTP from port 123
set firewall filter PROTECT-IN term NTP then accept
Commit
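To see why the default filter drops the NTP reply and the added term accepts it, the following is an added example (not code from the page or from Juniper) that parses Junos `set firewall filter` lines and evaluates a packet against the terms in order, ending with the implicit discard every Junos filter has. It assumes only the match conditions that appear on the page (`source-address`, `destination-address`, `protocol`, `source-port`, `destination-port`, `port`, where `port` matches either direction), and it replaces the page's redacted `xx.xx.xx.xx` addresses with constructed documentation-range placeholders (198.51.100.10/11).

```python
import ipaddress
import re

# IP protocol numbers and service names used in the page's filter terms.
PROTO = {"udp": 17, "tcp": 6, "icmp": 1}
SERVICE_PORT = {"ssh": 22, "ntp": 123, "domain": 53}

# Constructed sample: the page's default PROTECT-IN filter, with the redacted
# xx.xx.xx.xx addresses replaced by placeholder documentation addresses.
DEFAULT_PROTECT_IN = """
set firewall filter PROTECT-IN term PING from destination-address 198.51.100.10/32
set firewall filter PROTECT-IN term PING from destination-address 198.51.100.11/32
set firewall filter PROTECT-IN term PING from protocol icmp
set firewall filter PROTECT-IN term PING then accept
set firewall filter PROTECT-IN term SSH from destination-address 198.51.100.10/32
set firewall filter PROTECT-IN term SSH from destination-address 198.51.100.11/32
set firewall filter PROTECT-IN term SSH from protocol tcp
set firewall filter PROTECT-IN term SSH from destination-port ssh
set firewall filter PROTECT-IN term SSH then accept
set firewall filter PROTECT-IN term WEB from destination-address 198.51.100.10/32
set firewall filter PROTECT-IN term WEB from destination-address 198.51.100.11/32
set firewall filter PROTECT-IN term WEB from protocol tcp
set firewall filter PROTECT-IN term WEB from port 8443
set firewall filter PROTECT-IN term WEB then accept
set firewall filter PROTECT-IN term DNS from protocol udp
set firewall filter PROTECT-IN term DNS from source-port 53
set firewall filter PROTECT-IN term DNS then accept
set interfaces lo0 unit 0 family inet filter input PROTECT-IN
"""

# The NTP term added on the page.
NTP_TERM = """
set firewall filter PROTECT-IN term NTP from source-address 10.0.77.54/32
set firewall filter PROTECT-IN term NTP from source-address 127.0.0.1/32
set firewall filter PROTECT-IN term NTP from protocol udp
set firewall filter PROTECT-IN term NTP from port 123
set firewall filter PROTECT-IN term NTP then accept
"""

SET_RE = re.compile(
    r"^set firewall filter (?P<filter>\S+) term (?P<term>\S+) "
    r"(?:from (?P<key>[\w-]+) (?P<value>\S+)|then (?P<action>accept|discard|reject))$"
)

def parse_filter(config_text, filter_name):
    """Collect the terms of one filter: match kind -> list of values, plus the action.
    Terms keep first-appearance order, which is the order Junos evaluates them in."""
    terms = {}
    for line in config_text.splitlines():
        m = SET_RE.match(line.strip())
        if not m or m.group("filter") != filter_name:
            continue
        term = terms.setdefault(m.group("term"), {"from": {}, "then": None})
        if m.group("action"):
            term["then"] = m.group("action")
        else:
            term["from"].setdefault(m.group("key"), []).append(m.group("value"))
    return terms

def _port(value):
    return SERVICE_PORT.get(value) or int(value)

def _match_kind(kind, values, pkt):
    """Values of one match kind are ORed; the packet must satisfy each kind present."""
    if kind == "source-address":
        return any(pkt["src"] in ipaddress.ip_network(v) for v in values)
    if kind == "destination-address":
        return any(pkt["dst"] in ipaddress.ip_network(v) for v in values)
    if kind == "protocol":
        return any(PROTO[v] == pkt["proto"] for v in values)
    if kind == "source-port":
        return any(_port(v) == pkt["sport"] for v in values)
    if kind == "destination-port":
        return any(_port(v) == pkt["dport"] for v in values)
    if kind == "port":  # 'port' matches either the source or the destination port
        return any(_port(v) in (pkt["sport"], pkt["dport"]) for v in values)
    raise ValueError(f"unsupported match condition: {kind}")

def evaluate(terms, pkt):
    """Return (action, term name) for the first fully matching term; a packet that
    matches no term hits the implicit discard at the end of the filter."""
    for name, term in terms.items():
        if all(_match_kind(k, v, pkt) for k, v in term["from"].items()):
            return term["then"], name
    return "discard", "<implicit>"

def check_ntp_from_server(config_text, server="10.0.77.54", vsrx_addr="198.51.100.10"):
    """Evaluate an NTP reply (UDP, source port 123) from the server against PROTECT-IN.
    The ephemeral destination port mirrors the one seen in the page's capture."""
    pkt = {"src": ipaddress.ip_address(server), "dst": ipaddress.ip_address(vsrx_addr),
           "proto": PROTO["udp"], "sport": 123, "dport": 57778}
    return evaluate(parse_filter(config_text, "PROTECT-IN"), pkt)

if __name__ == "__main__":
    print("default :", check_ntp_from_server(DEFAULT_PROTECT_IN))        # ('discard', '<implicit>')
    print("with NTP:", check_ntp_from_server(DEFAULT_PROTECT_IN + NTP_TERM))  # ('accept', 'NTP')
```

Run stand-alone, the script shows the default filter falling through every term (the DNS term is the only UDP term, and it requires source port 53) into the implicit discard, while the added NTP term accepts the reply from 10.0.77.54; the same function can be pointed at a `show configuration | display set` dump before a commit to confirm the lo0 filter will let the configured time source through.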
Checking the NTP status after the change
Confirm that time synchronization is working.
{primary:node0}
admin@xxxx-vsrx-gateway01-vsrx-vSRX-Node0> show ntp associations
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.0.77.54      172.18.1.12      3 -    3   64     1  275.739    0.176   0.254
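For an automated check of the two states shown above (the timeout before the fix and the association table after it), the following added example (not code from the page) parses `show ntp associations` output and classifies it. It assumes the standard ntpq-style layout reproduced on the page, where the leading tally character marks the selected system peer with `*` and the `reach` column is an octal shift register; both output samples below are copied from the page.

```python
import re

# Output samples from the page: before the filter change (timeout) and after it.
BEFORE = """localhost: timed out, nothing received
***Request timed out
"""
AFTER = """     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.0.77.54      172.18.1.12      3 -    3   64     1  275.739    0.176   0.254
"""

# One association row: tally char, remote, refid, stratum, type, when, poll, reach, delay, offset, jitter.
ROW_RE = re.compile(
    r"^(?P<tally>[ *+#x.o-])(?P<remote>\S+)\s+(?P<refid>\S+)\s+(?P<st>\d+)\s+(?P<t>\S+)\s+"
    r"(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>\d+)\s+(?P<delay>[\d.]+)\s+"
    r"(?P<offset>[-\d.]+)\s+(?P<jitter>[\d.]+)$"
)

def parse_associations(output):
    """Return a list of peer dicts; header and separator lines do not match the row pattern."""
    peers = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["st"] = int(d["st"])
        d["reach"] = int(d["reach"], 8)   # octal: each bit is one of the last 8 polls
        d["delay"], d["offset"], d["jitter"] = (float(d[k]) for k in ("delay", "offset", "jitter"))
        peers.append(d)
    return peers

def ntp_status(output, max_offset_ms=1000.0):
    """'timeout' when the query got no answer (what a dropping filter produces),
    'synced' when a system peer ('*') has been reached and its offset is acceptable,
    otherwise 'unsynced'."""
    if "timed out" in output:
        return "timeout"
    for p in parse_associations(output):
        if p["tally"] == "*" and p["reach"] > 0 and abs(p["offset"]) <= max_offset_ms:
            return "synced"
    return "unsynced"

if __name__ == "__main__":
    print(ntp_status(BEFORE))  # timeout
    print(ntp_status(AFTER))   # synced
```

The `reach` value of 1 in the page's table means only the most recent poll succeeded, which is expected right after the commit; a peer that stays at 0 after several poll intervals (64 seconds here) points back at the filter or at the server.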
(Supplement) Using the monitor traffic command in the vSRX CLI to confirm that NTP traffic is flowing
The monitor command shows, among other things, which IP addresses the NTP traffic comes from, so it is handy when troubleshooting. (The capture below is of packets destined for the loopback.)
admin@xxxx-vsrx-gateway01-vsrx-vSRX-Node0> monitor traffic interface lo0 no-resolve
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is OFF.
Listening on lo0, capture size 96 bytes
01:28:32.482265 In IP 127.0.0.1.57778 > 127.0.0.1.123: NTPv2, Reserved, length 12
01:28:32.482734 In IP 127.0.0.1.123 > 127.0.0.1.57778: NTPv2, Reserved, length 16
01:28:32.483111 In IP 127.0.0.1.57778 > 127.0.0.1.123: NTPv2, Reserved, length 12
01:28:32.483532 In IP 127.0.0.1.123 > 127.0.0.1.57778: NTPv2, Reserved, length 480
01:28:32.483584 In IP 127.0.0.1.123 > 127.0.0.1.57778: NTPv2, Reserved, length 144
^C
5 packets received by filter
0 packets dropped by kernel