Cisco router - NTP Server (master and client)

 

A Cisco router can run NTP in four modes:

Client - synchronizes its clock from an external NTP server and does not serve time to other devices.

Server - lets clients synchronize their clocks from it and does not accept clock updates from them.

Peer - mixed mode (client/server). Every router can be client and server at the same time and they adjust to each other. There is no authoritative NTP server in this model.

Broadcast/multicast - the NTP server sends time via broadcast (clients have to be on the same subnet) or via multicast (clients have to join the same multicast group).

 

Example 1

NTP server without any limitation

 Configuration - Server

  • Configure time and date manually
#clock set 21:11:00 25 March 2013
 
  • Configure time zone (in our case +1) (optional)

(config)#clock timezone PL 1 0

 
  • Configure summer-time (optional)
(config)#clock summer-time PL recurring last sunday march 01:00 last sunday October 01:00 60
 
The optional commands are not required for NTP to work, but it is recommended to set them on every router. NTP itself exchanges UTC; the time zone and summer-time settings only change how the clock is displayed, e.g. in log timestamps.
I also recommend using the same summer-time change hour on every router, even though it differs from country to country. It makes day-to-day operations and log correlation easier.

Enable NTP server on router

(config)#ntp master 2

The number 2 is the "stratum". You can choose from 1 to 15 (if no number is given, the default is 8). I do not recommend using 1, because stratum 1 should be reserved for devices attached directly to a reference clock, e.g. an atomic or GPS clock connected over RS-232.

Stratum 2 means the NTP server receives time from a stratum 1 NTP server,

stratum 3 from a stratum 2 NTP server, and so on.

An NTP server on the network should always start at stratum 2 or higher.

ntp-master-1.PNG

The master router is synchronized to itself on the address 127.127.7.1. This is not an interface address: it is the pseudo-address of the router's internal clock, which ntp master presents as a reference. Keep in mind that the router then advertises stratum 2 while it is free-running on its own oscillator; ntp master is a fallback for when no real upstream source is reachable, not a substitute for one.

ntp-master-2.PNG

* in front of an address in show ntp associations means the router is synchronized to that peer (the legend under the output: * master (synced), # master (unsynced), + selected, - candidate, ~ configured).

 

Configuration - NTP Client


  • Configure NTP server IP

(config)#ntp server 192.168.1.1

192.168.1.1 - IP of the NTP server

ntp-master-3.PNG

R3 is synchronized to NTP server 192.168.1.1 - its stratum is 3 (because R1 is stratum 2). Synchronization takes several poll intervals, so right after configuring the client it will still show as unsynchronized.

ntp-master-4.PNG

From this output (show ntp associations detail) we can read that the master clock is 192.168.1.1 with stratum 2 and its reference clock is 127.127.7.1.

ntp-master-5.PNG

Situation when the router is not synchronized.
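The packet fields behind the outputs above, as an added example that is not part of the original post: a Python script that builds, in memory, the 48-byte NTPv4 reply R1 would send (mode 4, stratum 2, reference ID 127.127.7.1) and decodes it the way a client does, deriving the client's own stratum and its synchronized/unsynchronized state. The timestamps, the stratum 1 "LOCL" reply and the unsynchronized "INIT" reply are constructed for illustration; nothing is sent on the network.

```python
"""Decode what a Cisco NTP client learns from one server reply.

Added example, not from the original post. Builds the NTPv4 reply a
router running "ntp master 2" would send (mode 4, stratum 2, reference
ID 127.127.7.1 = its internal clock) and parses it like a client.
No packets are sent; the transmit timestamp is made up.
"""
import ipaddress
import struct

HEADER_FMT = "!BBbbII4s8I"      # LI/VN/mode, stratum, poll, precision, root delay,
                                # root dispersion, reference ID, four 64-bit timestamps
NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP era) to 1970-01-01 (Unix)


def build_reply(stratum, ref_id, li=0, mode=4, xmt=1364245860.0):
    """Pack a minimal reply. ref_id is a dotted IPv4 address for stratum >= 2
    or a 4-character tag such as "LOCL" for stratum 0/1, as RFC 5905 defines."""
    if stratum >= 2:
        refid = ipaddress.IPv4Address(ref_id).packed
    else:
        refid = ref_id.encode("ascii").ljust(4, b"\0")[:4]
    secs = int(xmt) + NTP_EPOCH_OFFSET
    frac = int((xmt - int(xmt)) * 2**32)
    return struct.pack(HEADER_FMT, (li << 6) | (4 << 3) | mode, stratum, 6, -20,
                       0, 0, refid, 0, 0, 0, 0, 0, 0, secs, frac)


def parse_reply(data):
    """Return the fields a client looks at; the keys mirror "show ntp status"."""
    if len(data) < 48:
        raise ValueError("NTP header is 48 bytes, got %d" % len(data))
    (lvm, stratum, _poll, _prec, _delay, _disp, refid,
     _rs, _rf, _os, _of, _rcs, _rcf, xmt_s, xmt_f) = struct.unpack(HEADER_FMT, data[:48])
    li, version, mode = lvm >> 6, (lvm >> 3) & 7, lvm & 7
    if stratum >= 2:
        reference = str(ipaddress.IPv4Address(refid))   # the server's own source address
    else:
        reference = refid.rstrip(b"\0").decode("ascii", "replace")  # e.g. LOCL, GPS
    # LI=3 is the "clock unsynchronized" alarm; stratum 0 is invalid (kiss-o'-death)
    # and 16 is what IOS displays for an unsynchronized clock, so neither is usable.
    synchronized = li != 3 and 1 <= stratum <= 15
    return {
        "li": li, "version": version, "mode": mode, "stratum": stratum,
        "reference": reference, "synchronized": synchronized,
        # a client that accepts this reply sits one stratum below the server
        "client_stratum": stratum + 1 if synchronized else None,
        "transmit_time": xmt_s - NTP_EPOCH_OFFSET + xmt_f / 2**32,
        "mac_present": len(data) > 48,  # key ID + digest follow the header if authenticated
    }


if __name__ == "__main__":
    for label, pkt in [("R1 (ntp master 2)", build_reply(2, "127.127.7.1")),
                       ("ntp master 1", build_reply(1, "LOCL")),
                       ("not synchronized", build_reply(0, "INIT", li=3))]:
        print(label, parse_reply(pkt))
```

To check a real router from a host, send a 48-byte mode 3 request to UDP port 123 with the socket module and feed the bytes received into parse_reply; the stratum and reference fields should match what show ntp status and show ntp associations detail report on the router.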

 

EXAMPLE 2

Our NTP server is stratum 1 (not recommended)

 

NTP SERVER

ntp-master-6.PNG

The router is stratum 1 (it presents itself like an atomic clock, a reference it does not actually have).

ntp-master-7.PNG

 

NTP CLIENT

ntp-master-8.PNG

ntp-master-9.PNG

Clients of this server become stratum 2.


EXAMPLE 3

Configure the NTP client to always use the same source IP address (very important)

(config)#ntp source fastEthernet 0/0

This forces the NTP client to always use the IP address of interface FastEthernet 0/0 when contacting the NTP server. It matters because the server identifies the client by its source address: the access-list in Example 7 and the entries in show ntp associations are keyed on it, so a client whose source address changes with routing would be denied or show up as a different peer. In practice a loopback interface is used as the source, because it does not go down when a physical link fails.

EXAMPLE 4

Enable logging of NTP events (peer reachable/unreachable, synchronization gained or lost)

SERVER and CLIENT

 

(config)#ntp logging

The %NTP-6-PEERREACH and %NTP-5-PEERSYNC messages quoted in Example 7 come from this setting.

 

EXAMPLE 5

Limit the maximum number of NTP associations (clients and peers) the router will keep.

SERVER

(config)#ntp max-associations 20

This protects the router's CPU and memory against a flood of clients. Set the value above the real number of clients and peers, otherwise legitimate clients beyond the limit are not served.

EXAMPLE 6

Enable authentication

 SERVER

(config)# ntp authenticate

 (config)#ntp authentication-key 1 md5 password

(config)#ntp trusted-key 1

 You can define more than one key, but only key numbers listed with ntp trusted-key are accepted for authentication. The key number is carried in every authenticated NTP packet, so the client and the server must use the same key number and the same key string.

  

 CLIENT

(config)# ntp authenticate

 (config)#ntp authentication-key 1 md5 password

(config)#ntp trusted-key 1

(config)#ntp server 192.168.1.1 key 1

The last line tells the client which key to put into requests sent to 192.168.1.1. Without it the client sends unauthenticated requests even though authentication is enabled, and with ntp authenticate it will then not synchronize to the unauthenticated replies.

 

 WARNING!

Enabling authentication on the server does not force NTP clients to use it. The server still answers unauthenticated requests as well as authenticated ones; ntp authenticate only controls which sources the router itself will accept time from. To limit access to the NTP server you have to use an ACL (Example 7).
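What the key number and MD5 digest look like on the wire, why the key numbers on both sides must match, and why an unauthenticated client is still answered, as an added example that is not the post's own configuration: a Python script implementing the symmetric-key MAC of RFC 5905 Appendix A (key ID followed by MD5 over key and header), which is the scheme behind the md5 keys configured with ntp authentication-key. Key numbers 1 and 200 and the key string "password" are taken from this example; the server's crypto-NAK reply on a failed check follows the RFC and is an assumption about how a given IOS release reacts. Everything is constructed in memory; nothing is sent.

```python
"""Build an NTP request with an MD5 MAC and check the MAC on the reply.

Added example, not from the original post. Implements the RFC 5905
Appendix A symmetric-key MAC (key ID || MD5(key || 48-byte header)) and
models three exchanges against a server holding key 1: a client using
key 1, a client using key 200 (the mismatch), and a client sending no
MAC at all. Key strings/IDs are assumptions; the crypto-NAK behaviour
is the RFC's, not an observed IOS capture.
"""
import hashlib
import hmac
import struct

HEADER_LEN = 48


def header(mode, stratum=0, refid=b"\0\0\0\0"):
    """Minimal NTPv4 header: LI=0, version 4, mode 3 (client) or 4 (server)."""
    return struct.pack("!BBbbII4s8I", (4 << 3) | mode, stratum, 6, -20, 0, 0, refid,
                       0, 0, 0, 0, 0, 0, 0, 0)


def digest(key, packet):
    """RFC 5905 App. A: MD5 over the key followed by the header, excluding the MAC."""
    return hashlib.md5(key + packet[:HEADER_LEN]).digest()


def sign(packet, key_id, key):
    """Append the 4-byte key ID and the 16-byte digest."""
    return packet[:HEADER_LEN] + struct.pack("!I", key_id) + digest(key, packet)


def verify(packet, trusted_keys):
    """trusted_keys maps key ID -> key bytes (the receiver's ntp trusted-key set).
    Returns (ok, reason)."""
    if len(packet) == HEADER_LEN:
        return False, "no MAC (unauthenticated packet)"
    if len(packet) != HEADER_LEN + 4 + 16:
        return False, "no valid MAC (length %d, crypto-NAK?)" % len(packet)
    key_id = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False, "key ID %d is not trusted here" % key_id
    if hmac.compare_digest(digest(key, packet), packet[HEADER_LEN + 4:]):
        return True, "MAC valid, key ID %d" % key_id
    return False, "MAC mismatch for key ID %d" % key_id


def server_reply(request, server_keys):
    """What a server with ntp authenticate and trusted keys sends back."""
    reply = header(4, stratum=2, refid=bytes([127, 127, 7, 1]))
    if len(request) == HEADER_LEN:
        return reply                          # unauthenticated request -> plain reply (the WARNING)
    ok, _ = verify(request, server_keys)
    if not ok:
        return reply + struct.pack("!I", 0)   # crypto-NAK per RFC 5905: key ID 0, no digest
    key_id = struct.unpack("!I", request[HEADER_LEN:HEADER_LEN + 4])[0]
    return sign(reply, key_id, server_keys[key_id])   # same key ID the client used


def client_accepts(reply, client_keys, require_auth):
    """require_auth models ntp authenticate on the client."""
    ok, reason = verify(reply, client_keys)
    if ok:
        return True, reason
    if not require_auth and len(reply) == HEADER_LEN:
        return True, "accepted without MAC (no ntp authenticate on client)"
    return False, reason


if __name__ == "__main__":
    server = {1: b"password"}
    for label, req, client in [
        ("same key ID 1 on both sides", sign(header(3), 1, b"password"), {1: b"password"}),
        ("client key 200, server key 1", sign(header(3), 200, b"password"), {200: b"password"}),
        ("no authentication on client", header(3), {1: b"password"}),
    ]:
        rep = server_reply(req, server)
        print(label, "->", client_accepts(rep, client, require_auth=True))
```

The third case is the one the WARNING describes: the server answers the unauthenticated request, and whether the client takes that answer depends only on the client's own ntp authenticate setting, not on anything configured on the server.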


EXAMPLE 7

Limit access to the NTP server (master) to trusted routers

There are four ways to limit access to the NTP service on the router; each one ties a standard access-list to NTP with ntp access-group.

ntp-master-10.PNG

 

peer - permits the router to respond to NTP time requests and control queries, and to accept time (synchronize) from the matching systems.

query-only - permits only control queries (NTP mode 6 packets, the kind ntpq sends). Rejects time requests and does not allow synchronization to the matching systems.

serve - permits the router to respond to time requests and control queries. Does not allow the router to synchronize to the matching systems.

serve-only - permits responses to time requests only; rejects control queries and does not allow synchronization to the matching systems.

An incoming packet is checked against the groups in the order peer, serve, serve-only, query-only, and the first match decides. Once any access-group is configured, addresses matched by none of the groups are denied.

 SERVER

 (config)#access-list 33 permit host 192.168.1.2

We will allow only host 192.168.1.2 to synchronize time.

Remember to permit the NTP server's own reference clock as well; otherwise you will block the router's own synchronization, as this log message shows:

"Mar 28 21:29:44.747: %SEC-6-IPACCESSLOGNP: list 33 denied 0 127.127.7.1 -> 0.0.0.0, 1 packet"

(config)#access-list 33 permit 127.127.7.1

Mar 28 21:32:56.747: %NTP-6-PEERREACH: Peer 127.127.7.1 is reachable
Mar 28 21:32:56.751: %NTP-5-PEERSYNC: NTP synced to peer 127.127.7.1

(config)#ntp access-group serve-only 33

This enables the access limit on the NTP server. If the router also synchronizes to an upstream server, that server's address must be permitted through a peer access-group, because serve-only does not let the router take time from the matching address.

 

EXAMPLE 8

Configure a preferred NTP server when more than one is configured.

R2(config)#ntp server 1.1.1.1

R2(config)#ntp server 192.168.1.1 prefer

The router will prefer NTP server 192.168.1.1 over 1.1.1.1 as long as 192.168.1.1 is reachable and passes the sanity checks; 1.1.1.1 remains as a backup.

 

EXAMPLE 9

NTP via broadcast (not recommended due to security issues)

A broadcast client accepts time from any host on the segment that sends NTP broadcasts, so a rogue host on the LAN can move the clocks of every client. If broadcast has to be used, authenticate it with a key (the key option of ntp broadcast on the server, plus the authentication-key and trusted-key configuration from Example 6 on the clients).

CLIENT

(config)#interface fastEthernet 0/0

 (config-if)#ntp broadcast client

 

 SERVER

(config)#interface fastEthernet 0/0

(config-if)#ntp broadcast

 

 

 dzbanek 2013-03-27
