Saturday, February 26, 2011

Restrict your router's NTP services

Reference: Cisco Cookbook
You want to restrict your router's NTP services.
Solution

You can use the ntp access-group command to restrict which devices you want your router to allow NTP associations with:

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 88 permit host 172.25.1.1
Router(config)#access-list 88 permit host 10.1.1.1
Router(config)#access-list 99 permit 172.25.0.0 0.0.255.255
Router(config)#access-list 99 permit 10.2.0.0 0.0.255.255
Router(config)#clock timezone EST -5
Router(config)#clock summer-time EDT recurring
Router(config)#ntp server 172.25.1.1 version 3
Router(config)#ntp server 10.1.1.1 version 3
Router(config)#ntp access-group peer 88
Router(config)#ntp access-group serve-only 99
Router(config)#end
Router#

Discussion

In this example, the router allows its internal clock to be synchronized only by the two NTP servers permitted by access list 88, 172.25.1.1 and 10.1.1.1. The router also answers time requests only from the client devices permitted by access list 99.

By default, NTP has no access controls, and it gives full access to all NTP devices. The ntp access-group command limits this access to various NTP services. In the example above, the peer keyword means that the router will only allow its internal clock to be changed by those remote servers and peers permitted by the access list.

The serve-only keyword specifies the clients permitted to obtain time services from the router. In the above example, the serve-only access list (99) permits two entire subnets, 172.25.0.0 255.255.0.0 and 10.2.0.0 255.255.0.0. This means that any NTP client residing on either of these two subnets can obtain time services from the local router. Using the same method, you can limit the access list to a single subnet, a group of hosts, or no one. Omitting the ntp access-group serve-only command completely prevents the router from providing time services.

NTP access groups provide excellent granularity of access to time services on a global basis. Used in conjunction with the interface command ntp disable, NTP access groups can form the basis of an effective access control strategy.
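As an added example (not from the Cisco Cookbook or this post), the following Python model shows how the two access groups above gate a source address: it parses the access-list and ntp access-group lines, applies standard-ACL wildcard matching with the implicit deny, and follows the IOS evaluation order in which peer is the broadest group, so a source permitted by peer is also served, while a group type that is not configured denies once any ntp access-group exists. The helper names and the sample config text are mine.

```python
import ipaddress
import re

# Constructed sample: the ACL and ntp access-group lines from the recipe above.
SAMPLE_CONFIG = """
access-list 88 permit host 172.25.1.1
access-list 88 permit host 10.1.1.1
access-list 99 permit 172.25.0.0 0.0.255.255
access-list 99 permit 10.2.0.0 0.0.255.255
ntp access-group peer 88
ntp access-group serve-only 99
"""
# IOS evaluation order, broadest first: a source permitted by an earlier group also gets every later one.
NTP_TYPES = ["peer", "serve", "serve-only", "query-only"]
ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) (?:host (\S+)|(\S+) (\S+)|(any))$")
NTP_RE = re.compile(r"^ntp access-group (peer|serve|serve-only|query-only) (\d+)$")

def parse(config):
    # Returns ({acl_number: [(action, addr_int, wildcard_int)]}, {ntp_type: acl_number})
    acls, groups = {}, {}
    for line in (l.strip() for l in config.splitlines()):
        if m := ACL_RE.match(line):
            num, action, host, net, wild, any_ = m.groups()
            if any_:
                addr, mask = 0, 0xFFFFFFFF
            elif host:
                addr, mask = int(ipaddress.IPv4Address(host)), 0
            else:
                addr, mask = int(ipaddress.IPv4Address(net)), int(ipaddress.IPv4Address(wild))
            acls.setdefault(num, []).append((action, addr, mask))
        elif m := NTP_RE.match(line):
            groups[m.group(1)] = m.group(2)
    return acls, groups

def acl_permits(entries, source):
    """Standard ACL semantics: first matching entry wins, implicit deny at the end."""
    src = int(ipaddress.IPv4Address(source))
    for action, addr, wild in entries:
        if (src | wild) == (addr | wild):  # wildcard 1-bits are "don't care"
            return action == "permit"
    return False

def ntp_allowed(config, service, source):
    # May `source` use NTP `service` (one of NTP_TYPES) on a router with this config?
    acls, groups = parse(config)
    if not groups:
        return True  # no ntp access-group configured: NTP is wide open
    for ntp_type in NTP_TYPES[: NTP_TYPES.index(service) + 1]:
        if ntp_type in groups and acl_permits(acls.get(groups[ntp_type], []), source):
            return True
    return False  # type not configured or no permit entry matched: denied
```

Feeding the model a real "show running-config" excerpt lets you check which hosts can alter the clock versus merely read time before the change goes live.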

How to troubleshoot an SSH error on a Cisco router

Error: %SSH-3-PRIVATEKEY: Unable to retrieve RSA private key

Feb 24 2011 14:39:56.539 TH: %SSH-3-PRIVATEKEY: Unable to retrieve RSA private key for R4.ruamit.co.cc
-Process= "SSH Process", ipl= 0, pid= 4
-Traceback= 81037CC0 81034670 81035D38 8020D9E8 8021117C
Feb 24 2011 14:39:58.963 TH: %SSH-3-PRIVATEKEY: Unable to retrieve RSA private key for R4.ruamit.co.cc
-Process= "SSH Process", ipl= 0, pid= 4
-Traceback= 81037CC0 81034670 81035D38 8020D9E8 8021117C
Feb 24 2011 14:46:05.540 TH: %SSH-3-PRIVATEKEY: Unable to retrieve RSA private key for R4.ruamit.co.cc
-Process= "SSH Process", ipl= 0, pid= 4
-Traceback= 81037CC0 81034670 81035D38 8020D9E8 8021117C
Feb 24 2011 15:02:01.306 TH: %SSH-3-PRIVATEKEY: Unable to retrieve RSA private key for R4.ruamit.co.cc
-Process= "SSH Process", ipl= 0, pid= 4

Resolve it with the steps below:

1 - Remove the existing RSA key pair (this disables SSH) with the command "crypto key zeroize rsa"
2 - Generate a new key pair with the command "crypto key generate rsa"

If you still cannot log in over SSH, list the key pairs with the command "show crypto key mypubkey rsa"
and choose the key pair SSH should use with the command "ip ssh rsa keypair-name <key-name>"

Sample error when logging in:

root@ssh-server:~$ ssh -l cisco 192.168.1.1
Disconnecting: Corrupted check bytes on input.
root@ssh-server:~$


Example:

R4#show crypto key mypubkey rsa
% Key pair was generated at: 00:04:12 UTC Mar 1 2002
Key name: R4.ruamit.co.cc
Usage: General Purpose Key
Key is not exportable.

The key name is R4.ruamit.co.cc, so select it for SSH:

Router(config)#ip ssh rsa keypair-name R4.ruamit.co.cc