As I've talked about before, having an SRX in your network means that you have a full-featured Junos device. I'm going to show you how to configure another useful service: NTP proxy.

 

Any type of proxy seeks to accomplish the same thing. In this case, clients can simply query the SRX for NTP without having to be aware of any upstream services. This can be useful in many scenarios: the branch office, a lab, SOHO, and especially anywhere the SRX is providing DHCP or serving as the default gateway for clients. Whenever you can configure all clients, regardless of subnet, to simply ask their default gateway for these services, you lessen the chance of configuration errors.

 

 

Configuration is simple; you'll need only 2 statements for NTP proxy to work.

  1. Configure an NTP server on the SRX, so it has an accurate time source itself. We'll configure two servers. This relies on the SRX being able to resolve hostnames.
#set system ntp server time.nist.gov

#set system ntp server time-a.nist.gov

 

Force a clock sync to NTP:

 

#run set date ntp time-a.nist.gov

 

 

  2. Enable the NTP service for the zone (see footnote).
#set security zones security-zone trust host-inbound-traffic system-services ntp

 

OR

 

#set security zones security-zone trust interface ge-0/0/0 host-inbound-traffic system-services ntp

 

Verifying your setup

 

1st, make sure that your SRX is syncing with NTP. This output shows two servers, both reachable:

 

lab# run show ntp associations
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*time-a.nist.gov .ACTS.           1 -    8   64    1   85.724   -0.782   1.768
+time-b.nist.gov .ACTS.           1 -    7   64    1   86.049    2.353  81.605

 

This output shows two servers, neither of which is reachable:

 

Lab# run show ntp associations
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 192.168.1.3     .INIT.          16 -    -   64    0    0.000    0.000 4000.00
 192.168.1.4     .INIT.          16 -    -   64    0    0.000    0.000 4000.00
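
The check above can be scripted. This is an added example, not part of the original post: a Python parser for `show ntp associations` output that reports whether a sync peer is selected and which servers are unreachable. The sample text is constructed from the two outputs shown above, and the function names and the 100 ms offset threshold are assumptions.

```python
"""Added example: health check over `show ntp associations` output."""

# Constructed sample input, re-spaced from the two outputs shown in the post.
REACHABLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*time-a.nist.gov .ACTS.           1 -    8   64    1   85.724   -0.782   1.768
+time-b.nist.gov .ACTS.           1 -    7   64    1   86.049    2.353  81.605
"""
UNREACHABLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 192.168.1.3     .INIT.          16 -    -   64    0    0.000    0.000 4000.00
 192.168.1.4     .INIT.          16 -    -   64    0    0.000    0.000 4000.00
"""


def parse_associations(text):
    """Return one dict per peer line; assumes column 0 is the tally character."""
    peers = []
    for line in text.splitlines():
        fields = line[1:].split()
        if len(fields) != 10 or fields[0] == "remote":
            continue  # header, separator, prompt, or blank line
        peers.append({
            "tally": line[0],               # '*' marks the selected sync peer
            "remote": fields[0],
            "refid": fields[1],
            "stratum": int(fields[2]),      # 16 means unsynchronised
            "reach": int(fields[6], 8),     # octal register of the last 8 polls
            "offset_ms": float(fields[8]),
        })
    return peers


def ntp_health(text, max_offset_ms=100.0):
    """Summarise sync state; max_offset_ms is an assumed alert threshold."""
    peers = parse_associations(text)
    dead = [p["remote"] for p in peers if p["reach"] == 0 or p["stratum"] >= 16]
    sync = next((p for p in peers if p["tally"] == "*"), None)
    ok = sync is not None and abs(sync["offset_ms"]) <= max_offset_ms
    return {"ok": ok, "sync_peer": sync["remote"] if sync else None, "unreachable": dead}


if __name__ == "__main__":
    print(ntp_health(REACHABLE))
    print(ntp_health(UNREACHABLE))
```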

 

2nd, configure your client machines to query the SRX for NTP.

 

 

Now you are all set to use your SRX as your local NTP source. This should work on any SRX since version 9.x. In the next post I'll show you how to use the SRX as a DNS proxy.

 

 

Footnote

1. Make sure you understand which of these two commands is right for you. These services can be enabled at either level of the hierarchy; however, the most specific level is always the one applied. For instance, if you configure any service at the interface level, that interface will not permit any service that is configured only at the zone level.

 

Author: Kelly McDowell