DNS / NTP Settings
Overview
NSX Advanced Load Balancer (previously Avi Vantage) requires access to valid DNS and NTP (Network Time Protocol) servers for operation. NTP settings are critical to proper functioning of the Controller. The analytics functionality in the Controller relies on the fact that the Controller(s) in the cluster and SE(s) are synchronized. Controller(s) synchronize time from the configured NTP servers and the SE(s) in turn synchronize time from the Controller(s).
Configuring DNS/ NTP Settings
DNS/ NTP settings can be configured using the UI, CLI, or API.
Using the UI
Configure NTP servers from the UI as follows:
- From the UI, navigate to Administration > Settings > DNS/NTP.
- Click the edit icon to view the Update System Settings screen.
- Enter DNS Resolver(s). This is a comma-delimited list of DNS server IP addresses. If a DNS server is not configured, NSX Advanced Load Balancer will not be able to accept names for load-balanced servers, virtual services, mail servers, and similar inputs.
- Enter the DNS Search Domain to use in DNS lookup.
- Configure NTP Authentication Keys.
  - Click Add NTP Authentication Key.
  - Enter the Key Number from the list of trusted keys used to authenticate this server.
  - Select the Message Digest Algorithm used for NTP authentication. Message Digest (MD5) and Secure Hash Algorithm (SHA1) are the available options.
  - Enter the NTP Authentication Key.
- Under NTP Authentication Servers, select the Key Number for NTP authentication and the IP address of the NTP Server.
- Click Save.
Using the CLI
Configure NTP servers from the CLI as follows:
: > configure systemconfiguration
: systemconfiguration> ntp_configuration
: systemconfiguration:ntp_configuration> ntp_server_list 23.239.26.89 ntp_server_list 69.89.207.99
: systemconfiguration:ntp_configuration> exit
: systemconfiguration> exit
+-------------------------------------+----------------------------------+
| Field | Value |
+-------------------------------------+----------------------------------+
| uuid | default |
| dns_configuration | |
| search_domain | |
| ntp_configuration | |
| ntp_server_list[1] | 23.239.26.89 |
| ntp_server_list[2] | 69.89.207.99 |
| tech_support_uploader_configuration | |
| auto_upload | False |
| portal_configuration | |
| enable_https | True |
| redirect_to_https | True |
| enable_http | True |
| sslkeyandcertificate_refs[1] | System-Default-Portal-Cert |
| sslkeyandcertificate_refs[2] | System-Default-Portal-Cert-EC256 |
| use_uuid_from_input | False |
| sslprofile_ref | System-Standard |
| enable_clickjacking_protection | True |
| allow_basic_authentication | True |
| password_strength_check | False |
| disable_remote_cli_shell | False |
| global_tenant_config | |
| tenant_vrf | False |
| se_in_provider_context | True |
| tenant_access_to_provider_se | True |
| email_configuration | |
| smtp_type | SMTP_LOCAL_HOST |
| from_email | admin@avicontroller.net |
| mail_server_name | localhost |
| mail_server_port | 25 |
| docker_mode | False |
+-------------------------------------+----------------------------------+
The DNS Search Domain is the local domain name, which will be appended to a name that is not fully qualified. For instance, if the DNS search domain is set to avinetworks.com, and the name to be resolved is www, then NSX Advanced Load Balancer will look up www.avinetworks.com.
Configure DNS Settings from the CLI
Prior to NSX Advanced Load Balancer version 20.1.3, .local domains were resolvable implicitly using the configured DNS server. Starting with NSX Advanced Load Balancer version 20.1.3, .local domains are not resolvable by default through the configured DNS server (local domains are not routed to DNS servers). The search domains need to be configured explicitly for ".local" domains to make lookups work within this DNS domain. Configure the DNS settings from the CLI as shown below:
[admin:avictrl]: > configure systemconfiguration
[admin:avictrl]: systemconfiguration> dns_configuration
[admin:avictrl]: systemconfiguration:dns_configuration> search_domain "test.domain1.local test.domain2.com"
Overwriting the previously entered value for search_domain
[admin:avictrl]: systemconfiguration:dns_configuration> save
[admin:avictrl]: systemconfiguration> save
+----------------------------------+------------------------------------+
| Field | Value |
+----------------------------------+------------------------------------+
| uuid | default |
| dns_configuration | |
| server_list[1] | 10.79.16.132 |
| search_domain | test.domain1.local test.domain2.com|
| ntp_configuration | |
| ntp_servers[1] | |
| server | 0.us.pool.ntp.org |
| ntp_servers[2] | |
| server | 1.us.pool.ntp.org |
| ntp_servers[3] | |
| server | 2.us.pool.ntp.org |
| ntp_servers[4] | |
| server | 3.us.pool.ntp.org |
| portal_configuration | |
| enable_https | True |
| redirect_to_https | True |
| enable_http | True |
| sslkeyandcertificate_refs[1] | System-Default-Portal-Cert |
| sslkeyandcertificate_refs[2] | System-Default-Portal-Cert-EC256 |
| use_uuid_from_input | False |
| sslprofile_ref | System-Standard-Portal |
| enable_clickjacking_protection | True |
| allow_basic_authentication | True |
| password_strength_check | False |
| disable_remote_cli_shell | False |
| disable_swagger | False |
| api_force_timeout | 24 hours |
| minimum_password_length | 8 |
| global_tenant_config | |
| tenant_vrf | False |
| se_in_provider_context | False |
| tenant_access_to_provider_se | True |
| email_configuration | |
| smtp_type | SMTP_LOCAL_HOST |
| from_email | admin@avicontroller.net |
| mail_server_name | localhost |
| mail_server_port | 25 |
| disable_tls | False |
| docker_mode | False |
| ssh_ciphers[1] | aes128-ctr |
| ssh_ciphers[2] | aes256-ctr |
| ssh_hmacs[1] | hmac-sha2-512-etm@openssh.com |
| ssh_hmacs[2] | hmac-sha2-256-etm@openssh.com |
| ssh_hmacs[3] | hmac-sha2-512 |
| default_license_tier | ENTERPRISE |
| secure_channel_configuration | |
| sslkeyandcertificate_refs[1] | System-Default-Secure-Channel-Cert |
| welcome_workflow_complete | False |
| fips_mode | False |
| enable_cors | False |
| common_criteria_mode | False |
+----------------------------------+------------------------------------+
Using the API
Configure NTP servers with the API as follows:
PUT api/systemconfiguration
DATA:
{
"email_configuration": {
"from_email": "admin@avicontroller.net",
"mail_server_name": "localhost",
"smtp_type": "SMTP_LOCAL_HOST",
"mail_server_port": 25
},
"global_tenant_config": {
"se_in_provider_context": true,
"tenant_access_to_provider_se": true,
"tenant_vrf": false
},
"uuid": "default",
"url": "https://localhost/api/systemconfiguration",
"tech_support_uploader_configuration": {
"auto_upload": false
},
"portal_configuration": {
"use_uuid_from_input": false,
"redirect_to_https": true,
"sslprofile_ref": "https://localhost/api/sslprofile/sslprofile-7f7b7c61-c469-4aa0-8c2c-e5237ec34601",
"sslkeyandcertificate_refs": [
"https://localhost/api/sslkeyandcertificate/sslkeyandcertificate-25501569-462f-461e-aa82-99e8853c92b5",
"https://localhost/api/sslkeyandcertificate/sslkeyandcertificate-0d8826fd-5242-45ca-9f22-ca3a91f7ead9"
],
"enable_clickjacking_protection": true,
"enable_https": true,
"disable_remote_cli_shell": false,
"password_strength_check": false,
"enable_http": true,
"allow_basic_authentication": true
},
"ntp_configuration": {
"ntp_server_list": [
{
"type": "V4",
"addr": "23.239.26.89"
},
{
"type": "V4",
"addr": "69.89.207.99"
}
]
}
}
Configuring NTP Authentication
NTP authentication can be enabled using either the CLI or the REST API. With NTP authentication, one can specify a set of trusted authentication keys and configure each NTP server peer with a specific authentication key. The NTP authentication key object consists of a key number, key algorithm (SHA1 or MD5) and the key itself.
Configure NTP and NTP authentication using the CLI, as shown below:
[admin:10-10-25-45]: > configure systemconfiguration
[admin:10-10-25-45]: systemconfiguration> ntp_configuration
[admin:10-10-25-45]: systemconfiguration:ntp_configuration> ntp_authentication_keys key_number 1 algorithm ntp_auth_algorithm_md5 key "=I&FBDl,WM,en5Mn~DaG"
New object being created
[admin:10-10-25-45]: systemconfiguration:ntp_configuration:ntp_authentication_keys> exit
[admin:10-10-25-45]: systemconfiguration:ntp_configuration> ntp_authentication_keys key_number 5 algorithm ntp_auth_algorithm_sha1 key ff9a0d589668a0f66649abbd7dfb388d841f1f44
New object being created
[admin:10-10-25-45]: systemconfiguration:ntp_configuration:ntp_authentication_keys> exit
[admin:10-10-25-45]: systemconfiguration:ntp_configuration> ntp_servers server 23.239.26.89
New object being created
[admin:10-10-25-45]: systemconfiguration:ntp_configuration:ntp_servers> exit
[admin:10-10-25-45]: systemconfiguration:ntp_configuration> ntp_servers server 69.89.207.99 key_number 5
New object being created
[admin:10-10-25-45]: systemconfiguration:ntp_configuration:ntp_servers> exit
[admin:10-10-25-45]: systemconfiguration:ntp_configuration> exit
[admin:10-10-25-45]: systemconfiguration> exit
+-------------------------------------+------------------------------------------+
| Field | Value |
+-------------------------------------+------------------------------------------+
| uuid | default |
| dns_configuration | |
| search_domain | |
| ntp_configuration | |
| ntp_authentication_keys[1] | |
| key_number | 1 |
| algorithm | NTP_AUTH_ALGORITHM_MD5 |
| key | =I&FBDl,WM,en5Mn~DaG |
| ntp_authentication_keys[2] | |
| key_number | 5 |
| algorithm | NTP_AUTH_ALGORITHM_SHA1 |
| key | ff9a0d589668a0f66649abbd7dfb388d841f1f44 |
| ntp_servers[1] | |
| server | 23.239.26.89 |
| ntp_servers[2] | |
| server | 69.89.207.99 |
| key_number | 5 |
| tech_support_uploader_configuration | |
| auto_upload | False |
| portal_configuration | |
| enable_https | True |
| redirect_to_https | True |
| enable_http | True |
| sslkeyandcertificate_refs[1] | System-Default-Portal-Cert |
| sslkeyandcertificate_refs[2] | System-Default-Portal-Cert-EC256 |
| use_uuid_from_input | False |
| sslprofile_ref | System-Standard |
| enable_clickjacking_protection | True |
| allow_basic_authentication | True |
| password_strength_check | False |
| disable_remote_cli_shell | False |
| global_tenant_config | |
| tenant_vrf | False |
| se_in_provider_context | True |
| tenant_access_to_provider_se | True |
| email_configuration | |
| smtp_type | SMTP_LOCAL_HOST |
| from_email | admin@avicontroller.net |
| mail_server_name | localhost |
| mail_server_port | 25 |
| docker_mode | False |
+-------------------------------------+------------------------------------------+
Configure NTP and NTP authentication with the API as follows:
POST api/systemconfiguration
DATA:
{
"email_configuration": {
"from_email": "admin@avicontroller.net",
"mail_server_name": "localhost",
"smtp_type": "SMTP_LOCAL_HOST",
"mail_server_port": 25
},
"global_tenant_config": {
"se_in_provider_context": true,
"tenant_access_to_provider_se": true,
"tenant_vrf": false
},
"uuid": "default",
"url": "https://localhost/api/systemconfiguration",
"tech_support_uploader_configuration": {
"auto_upload": false
},
"portal_configuration": {
"use_uuid_from_input": false,
"redirect_to_https": true,
"sslprofile_ref": "https://localhost/api/sslprofile/sslprofile-7f7b7c61-c469-4aa0-8c2c-e5237ec34601",
"sslkeyandcertificate_refs": [
"https://localhost/api/sslkeyandcertificate/sslkeyandcertificate-25501569-462f-461e-aa82-99e8853c92b5",
"https://localhost/api/sslkeyandcertificate/sslkeyandcertificate-0d8826fd-5242-45ca-9f22-ca3a91f7ead9"
],
"enable_clickjacking_protection": true,
"enable_https": true,
"disable_remote_cli_shell": false,
"password_strength_check": false,
"enable_http": true,
"allow_basic_authentication": true
},
"ntp_configuration": {
"ntp_servers": [
{
"server": {
"type": "V4",
"addr": "23.239.26.89"
}
},
{
"key_number": 5,
"server": {
"type": "V4",
"addr": "69.89.207.99"
}
}
],
"ntp_authentication_keys": [
{
"key_number": 1,
"algorithm": "NTP_AUTH_ALGORITHM_MD5",
"key": "=I&FBDl,WM,en5Mn~DaG"
},
{
"key_number": 5,
"algorithm": "NTP_AUTH_ALGORITHM_SHA1",
"key": "ff9a0d589668a0f66649abbd7dfb388d841f1f44"
}
]
}
}
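The two API payloads above carry the whole systemconfiguration object just to change ntp_configuration. The following Python is added here as an illustration and is not part of the NSX Advanced Load Balancer documentation or its client libraries: it builds the ntp_configuration object in the same shape as the JSON on this page, audits it for the mistakes a reviewer would catch before pushing it (a server that references an undefined key_number, an unauthenticated server, an MD5 key), and merges it into a previously fetched systemconfiguration so that a PUT does not silently reset unrelated sections such as portal_configuration. The field names follow the page's JSON; the "V6" address type, the function names and the sample values are assumptions.

```python
"""Build, audit and merge the ntp_configuration block of an NSX ALB systemconfiguration.

Added example code; not Avi/NSX ALB product code. Field names follow the JSON shown on
the page; the IP type "V6" for IPv6 addresses is assumed. Sample values are constructed.
"""
import copy
import ipaddress

# Enum values as they appear in the page's API payload.
ALGORITHMS = {"NTP_AUTH_ALGORITHM_MD5", "NTP_AUTH_ALGORITHM_SHA1"}


def build_ntp_configuration(servers, keys):
    """servers: iterable of (ip_address, key_number or None).
    keys: iterable of (key_number, algorithm, key).
    Returns a dict shaped like the page's "ntp_configuration" object."""
    cfg = {"ntp_servers": [], "ntp_authentication_keys": []}
    for key_number, algorithm, key in keys:
        if algorithm not in ALGORITHMS:
            raise ValueError(f"unknown NTP auth algorithm {algorithm!r}")
        cfg["ntp_authentication_keys"].append(
            {"key_number": key_number, "algorithm": algorithm, "key": key})
    for addr, key_number in servers:
        # Reject anything that is not an IP literal; a hostname would need the DNS
        # resolver described earlier on the page to be configured first.
        ip = ipaddress.ip_address(addr)
        entry = {"server": {"type": "V4" if ip.version == 4 else "V6", "addr": addr}}
        if key_number is not None:
            entry["key_number"] = key_number
        cfg["ntp_servers"].append(entry)
    return cfg


def audit_ntp_configuration(cfg):
    """Return the list of findings a reviewer would raise before a PUT.
    An empty list means the block is internally consistent and every server is authenticated."""
    findings = []
    defined = {k["key_number"] for k in cfg.get("ntp_authentication_keys", [])}
    for k in cfg.get("ntp_authentication_keys", []):
        if k["algorithm"] == "NTP_AUTH_ALGORITHM_MD5":
            findings.append(f"key {k['key_number']} uses MD5; prefer SHA1")
    for s in cfg.get("ntp_servers", []):
        addr = s["server"]["addr"]
        kn = s.get("key_number")
        if kn is None:
            findings.append(f"server {addr} is unauthenticated")
        elif kn not in defined:
            findings.append(f"server {addr} references undefined key_number {kn}")
    if not cfg.get("ntp_servers"):
        findings.append("no NTP servers configured")
    return findings


def merge_ntp_configuration(systemconfiguration, ntp_cfg):
    """Read-modify-write helper: replace only ntp_configuration in a systemconfiguration
    dict obtained from GET api/systemconfiguration, leaving every other section as it was.
    The returned dict is what goes into the PUT body shown on the page."""
    merged = copy.deepcopy(systemconfiguration)
    merged["ntp_configuration"] = copy.deepcopy(ntp_cfg)
    return merged


if __name__ == "__main__":
    # Constructed sample mirroring the CLI session above: one unauthenticated server,
    # one server bound to the SHA1 key number 5.
    cfg = build_ntp_configuration(
        [("23.239.26.89", None), ("69.89.207.99", 5)],
        [(1, "NTP_AUTH_ALGORITHM_MD5", "=I&FBDl,WM,en5Mn~DaG"),
         (5, "NTP_AUTH_ALGORITHM_SHA1", "ff9a0d589668a0f66649abbd7dfb388d841f1f44")])
    for finding in audit_ntp_configuration(cfg):
        print("finding:", finding)
```

Run the audit against the object assembled from the page's own sample session and it reports that key 1 is MD5 and that 23.239.26.89 is unauthenticated; both are legitimate configurations, but they are exactly what a change reviewer should see spelled out before the PUT goes through.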
Time synchronization for the Service Engine
NTP Support Motivation
Prior to 22.1.1, NTP synchronization for Service Engines relies on the Controller acting as the NTP server, and the SE performs time synchronization on UDP port 123 over the management interface. The SE therefore presumes network connectivity with the Controller. Starting with NSX Advanced Load Balancer version 22.1.1, NTP servers can be configured on the Service Engines themselves.
NTP Configuration for SE deployed as a Virtual Machine
Starting with NSX Advanced Load Balancer version 22.1.1, the SE NTP servers can be configured for virtual machine and LSC based deployments. The SE will synchronize time with the configured servers at start-up and periodically monitor the time sync status.
NTP Configuration for Virtual Machine Deployments
When the SE is deployed as a virtual machine, NTP servers can be configured using any of the methods below; the SE applies the configuration in the following order of priority:
- DHCP: If DHCP via dhclient provides NTP servers over the management interface, the SE uses the DHCP-provided NTP servers as the configuration for SE NTP synchronization.
- Cloud Configuration: If DHCP does not provide NTP servers, NTP servers are acquired from the cloud configuration. NTP server configuration through the cloud configuration is a boot-up property, and the SE must be restarted to apply this configuration.
- The Controller, whose NTP server configuration comes from the system configuration.
NTP Server configuration via Cloud configuration through CLI is as follows:
[admin:ctrl]: > configure cloud Default-Cloud
Updating an existing object. Currently, the object is:
+------------------------------+--------------------------------------------+
| Field | Value |
+------------------------------+--------------------------------------------+
| uuid | cloud-666c8a8f-341d-4225-a189-c128981130c7 |
| name | Default-Cloud |
| vtype | CLOUD_NONE |
| dhcp_enabled | False |
| mtu | 1500 bytes |
| prefer_static_routes | False |
| enable_vip_static_routes | False |
| license_type | LIC_CORES |
| state_based_dns_registration | True |
| ip6_autocfg_enabled | False |
| dns_resolution_on_se | False |
| enable_vip_on_all_interfaces | False |
| maintenance_mode | False |
| tenant_ref | admin |
| license_tier | ENTERPRISE |
| autoscale_polling_interval | 60 seconds |
| vmc_deployment | False |
| metrics_polling_interval | 300 seconds |
+------------------------------+--------------------------------------------+
[admin:ctrl]: cloud> ntp_configuration
[admin:ctrl]: cloud:ntp_configuration>
[admin:ctrl]: cloud:ntp_configuration> ntp_servers index 1 server 23.239.26.89
New object being created
[admin:ctrl]: cloud:ntp_configuration:ntp_servers> save
[admin:ctrl]: cloud:ntp_configuration> save
[admin:ctrl]: cloud> save
+------------------------------+--------------------------------------------+
| Field | Value |
+------------------------------+--------------------------------------------+
| uuid | cloud-666c8a8f-341d-4225-a189-c128981130c7 |
| name | Default-Cloud |
| vtype | CLOUD_NONE |
| dhcp_enabled | False |
| mtu | 1500 bytes |
| prefer_static_routes | False |
| enable_vip_static_routes | False |
| license_type | LIC_CORES |
| state_based_dns_registration | True |
| ip6_autocfg_enabled | False |
| dns_resolution_on_se | False |
| enable_vip_on_all_interfaces | False |
| maintenance_mode | False |
| tenant_ref | admin |
| license_tier | ENTERPRISE |
| autoscale_polling_interval | 60 seconds |
| vmc_deployment | False |
| metrics_polling_interval | 300 seconds |
| ntp_configuration | |
| ntp_servers[1] | |
| server | 23.239.26.89 |
+------------------------------+--------------------------------------------+
[admin:ctrl]: >
NTP Configuration for LSC (Baremetal) Deployments
When the SE is deployed as a container on bare metal, the administrator is required to configure the NTP servers on the host.
LSC NTP synchronization supports only the following NTP daemons:
- ntpd: The Network Time Protocol daemon (ntpd) is an operating system program that maintains the system time in synchronization with time servers using the Network Time Protocol (NTP).
- chronyd: chrony is another implementation of the Network Time Protocol (NTP) and is used:
  - to synchronize the system clock with NTP servers.
  - to synchronize the system clock with a reference clock, for instance, a GPS receiver.
  - to synchronize the system clock with a manual time input.
SE NTP operation
In both modes of deployment (SE deployed as a VM or as a container on LSC), the SE periodically verifies whether the NTP daemon(s) can reach and synchronize time with the configured servers; if the SE is unable to sync time with the configured servers, an event is raised. The event is repeated every 15 minutes until NTP time is synchronised.
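For the LSC case, where the host daemon rather than the SE owns time synchronisation, an administrator will want the same check on the host that the SE performs internally. The Python below is an added example and not NSX Advanced Load Balancer code: it parses the status output of the two daemons the page lists, chronyc tracking and ntpq -pn, and reports whether the host clock is synchronised and by how much it is offset, so a monitoring probe can alert before the SE starts raising the repeated event described above. The sample outputs are constructed, and the 0.5 second offset threshold is an assumed local policy value, not a product setting.

```python
"""Evaluate host NTP daemon status on an LSC (bare-metal) SE host.

Added example; not NSX ALB product code. Parses `chronyc tracking` (chronyd) and
`ntpq -pn` (ntpd) text output. Sample outputs are constructed; MAX_OFFSET_SECONDS is
an assumed policy threshold.
"""
import re
import subprocess

MAX_OFFSET_SECONDS = 0.5  # assumed policy value, not a product setting

# Constructed sample of `chronyc tracking` on a synchronised host.
CHRONYC_OK = """\
Reference ID    : 17EF1A59 (23.239.26.89)
Stratum         : 2
Ref time (UTC)  : Thu Jul 14 10:00:00 2022
System time     : 0.000123456 seconds fast of NTP time
Last offset     : +0.000098765 seconds
RMS offset      : 0.000150000 seconds
Frequency       : 12.345 ppm slow
Residual freq   : +0.001 ppm
Skew            : 0.100 ppm
Root delay      : 0.020000000 seconds
Root dispersion : 0.001000000 seconds
Update interval : 64.0 seconds
Leap status     : Normal
"""

# Constructed sample of `chronyc tracking` before any source has been reached.
CHRONYC_UNSYNCED = """\
Reference ID    : 00000000 ()
Stratum         : 0
Ref time (UTC)  : Thu Jan 01 00:00:00 1970
System time     : 0.000000000 seconds fast of NTP time
Last offset     : +0.000000000 seconds
RMS offset      : 0.000000000 seconds
Frequency       : 0.000 ppm slow
Residual freq   : +0.000 ppm
Skew            : 0.000 ppm
Root delay      : 1.000000000 seconds
Root dispersion : 1.000000000 seconds
Update interval : 0.0 seconds
Leap status     : Not synchronised
"""

# Constructed sample of `ntpq -pn`; '*' marks the system peer, reach is octal.
NTPQ_OK = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*23.239.26.89    .GPS.            1 u   34   64  377    1.234   -0.567   0.123
+69.89.207.99    10.0.0.1         2 u   12   64  377    2.345    0.890   0.234
"""

# Constructed sample where no peer has ever answered (reach 0, stratum 16).
NTPQ_NO_PEER = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 10.0.0.5        .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""


def parse_chronyc_tracking(text):
    """Return (synced, abs_offset_seconds) from `chronyc tracking` output."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    leap = fields.get("Leap status", "")
    stratum = int(fields.get("Stratum", "0") or 0)
    m = re.match(r"([0-9.]+) seconds (fast|slow) of NTP time", fields.get("System time", ""))
    offset = float(m.group(1)) if m else float("inf")
    synced = leap == "Normal" and stratum > 0 and offset <= MAX_OFFSET_SECONDS
    return synced, offset


def parse_ntpq_peers(text):
    """Return (synced, syspeer, abs_offset_seconds) from `ntpq -pn` output.
    Only the '*' (system peer) line counts; ntpq reports offset in milliseconds."""
    for line in text.splitlines():
        if line.startswith("*"):
            cols = line[1:].split()  # remote refid st t when poll reach delay offset jitter
            reach = int(cols[6], 8)
            offset = abs(float(cols[8])) / 1000.0
            return reach > 0 and offset <= MAX_OFFSET_SECONDS, cols[0], offset
    return False, None, float("inf")


def host_ntp_status(daemon):
    """Run the live status command for the given daemon and evaluate it (not exercised offline)."""
    if daemon == "chronyd":
        out = subprocess.run(["chronyc", "tracking"], capture_output=True, text=True, check=True).stdout
        return parse_chronyc_tracking(out)
    if daemon == "ntpd":
        out = subprocess.run(["ntpq", "-pn"], capture_output=True, text=True, check=True).stdout
        synced, _, offset = parse_ntpq_peers(out)
        return synced, offset
    raise ValueError("LSC supports only ntpd or chronyd")
```

Parsing the system-peer line rather than any reachable peer matters: ntpd can have reachable candidates and still not be synchronised, and chronyd reports a stratum of 0 with "Not synchronised" until a source is selected, which is the state the SE event flags.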
Document Revision History
| Date | Change Summary |
|---|---|
| July 15, 2022 | Added Time synchronization for the Service Engine section for 22.1.1 |