Professional Documents
Culture Documents
Cisco Network Time Protocol
Cisco Network Time Protocol
NTP (Network Time Protocol) is used to allow network devices to synchronize their clocks
with a central source clock. For network devices like routers, switches or firewalls this is very
important because we want to make sure that logging information and timestamps have the
accurate time and date. If you ever have network issues or get hacked, you want to make sure
you know exactly what and when it happened.
Normally a router or switch will run in NTP client mode which means that it will adjust its
clock based on the time of a NTP server. Basically the NTP protocol describes the algorithm
that the NTP clients use to synchronize their clocks with the NTP server and the packets that
are used between them.
A good example of a NTP server is ntp.pool.org. This is a cluster of NTP servers that many
servers and network devices use to synchronize their clocks.
NTP uses a concept called “stratum” that defines how many NTP hops away a device is from
an authorative time source. For example, a device with stratum 1 is a very accurate device
and might have an atomic clock attached to it. Another NTP server that is using this stratum 1
server to sync its own time would be a stratum 2 device because it’s one NTP hop further
away from the source. When you configure multiple NTP servers, the client will prefer the
NTP server with the lowest stratum value.
The symmetric active mode is used between NTP devices to synchronize with each other, it’s
used as a backup mechanism when they are unable to reach the (external) NTP server.
In the remaining of this tutorial I will demonstrate how to configure NTP on a Cisco router
and switches.
Configuration
This is the topology I will use:
The router on the top is called “CoreRouter” and its the edge of my network. It is connected
to the Internet and will use one of the NTP servers from pool.ntp.org to synchronize its clock.
The network also has two internal switches that require synchronized clocks. Both switches
will become NTP clients of the CoreRouter, thus making the CoreRouter a NTP server.
Router configuration
First we will configure the CoreRouter on top. I will use pool.ntp.org as the external NTP
server for this example. We need to make sure that the router is able to resolve hostnames:
I will use Google DNS for this. Our next step is to configure the NTP server:
Above we see the show ntp associations command that tells us if our clock is synchronized
or not. The ~ in front of the IP address tells us that we configured this server but we are not
synchronized yet. You can see this because there is no * in front of the IP address and the “st”
field (stratum) is currently 16.
There is one more command that gives us more information about the NTP configuration:
The router tells us that we are unsynchronized and that there is no reference clock…we will
just wait a couple of minutes and take a look at these commands again:
A few minutes later and the output has changed. The * in front of the IP address tells us that
we have synchronized and the stratum is 2…that means that this NTP server is pretty close to
a reliable time source. The “poll” field tells us that we will try to synchronize the time every
64 seconds. Let’s check the other command that we just saw:
NTP synchronization can be very slow so you have to be patient when your clocks are not
synchronized. One way to speed it up a bit is to adjust your clock manually so it is closer to
the current time.
Cisco routers have two different clocks, they have a software clock and a hardware clock and
they operate separately from each other. Here’s how to see both clocks:
CoreRouter#show clock
12:41:25.197 UTC Mon Jul 7 2014
CoreRouter#show calendar
12:43:24 UTC Mon Jul 7 2014
The show clock command shows me the software clock while the show calendar command
gives me the hardware clock. The two clocks are not in sync so this is something we should
fix, you can do it like this:
CoreRouter#(config)ntp update-calendar
The ntp update-calendar command will update the hardware clock with the time of the
software clock, here’s the result:
CoreRouter#show clock
12:42:31.853 UTC Mon Jul 7 2014
CoreRouter#show calendar
12:42:30 UTC Mon Jul 7 2014
That’s all I wanted to configure on the CoreRouter for now. We still have to configure two
switches to synchronize their clocks.
Switch Configuration
The two switches will be configured to use the CoreRouter as the NTP server and I will also
configure them to synchronize their clocks with each other. Let’s configure them to use the
CoreRouter first:
Once again it might take a few minutes to synchronize but this is what you will see:
The clock of SW1 has been synchronized and its stratum is 4. This makes sense since it’s one
“hop” further away from its NTP server (CoreRouter). Let’s do the same for SW2:
Let’s be patient for a few more minutes and this is what we’ll get:
SW1 and SW2 are now using CoreRouter to synchronize their clocks. Let’s also configure
them to use each other for synchronization. This is the symmetric active mode I mentioned
before, basically the two switches will “help” each other to synchronize…this might be useful
in case the CoreRouter fails some day:
After waiting a few minutes you’ll see that SW1 and SW2 have synchronized with each
other:
Want to take a look for yourself? Here you will find the configuration of each device.
Are we done? Not quite yet…there are a few more things we can do with NTP. The
CoreRouter and the two switches use unicast (UDP port 123) for synchronization but you can
also use multicast or broadcast. Let me give you an example…
If you have more than 20 network devices or a router that has limited system memory or CPU
resources you might want to consider using NTP broadcast or multicast as it requires less
resources. We can enable multicast or broadcast on the interface level.To demonstrate this I
will add two routers below SW1 and SW2 that will synchronize themselves using multicast
or broadcast. This is what it looks like:
I’ll configure SW1 to use multicast address 239.1.1.1 and SW2 will send NTP updates
through broadcast:
SW1(config)#interface vlan 10
SW1(config-if)#ntp multicast 239.1.1.1
SW2(config-if)#interface vlan 20
SW2(config-if)#ntp broadcast
You can see that it has synchronized itself and it shows the IP address of SW1. Let’s see if
we can get broadcast to work on R6:
Want to take a look for yourself? Here you will find the configuration of each device.
You now know how to configure NTP but there is one more important topic to cover…
security! Right now our routers will accept any source as the NTP server and they will serve
any NTP client that requests updates. To protect our network, we will have to configure
authentication and access-control. Let’s start with authentication.
Authentication
When we enable authentication, all NTP packets that can update the clock have to be
authenticated. The packets will be authenticated using HMAC MD5 which carries a key
number.
I want to make sure that SW1 and SW2 will authenticate the CoreRouter so they don’t just
accept any NTP updates from a device that has IP address 192.168.123.3 configured. We’ll
configure the router first:
CoreRouter(config)#ntp authenticate
CoreRouter(config)#ntp trusted-key 1
CoreRouter(config)#ntp trusted-key 2
CoreRouter(config)#ntp authentication-key 1 md5 NETWORKLESSONS1
CoreRouter(config)#ntp authentication-key 2 md5 NETWORKLESSONS2
Each switch will use a different key for authentication. The ntp authentication-key
command is required to set the key number and the password. The ntp trusted-key command
is a bit weird, if you don’t use it then the key that you configured will not be activated so
don’t forget it.
SW1(config)#ntp authenticate
SW1(config)#ntp authentication-key 1 md5 NETWORKLESSONS1
SW1(config)#ntp trusted-key 1
SW1(config)#ntp server 192.168.123.3 key 1
SW2(config)#ntp authenticate
SW2(config)#ntp authentication-key 2 md5 NETWORKLESSONS2
SW2(config)#ntp trusted-key 2
SW2(config)#ntp server 192.168.123.3 key 2
The configuration on the switches is similar but the difference is that we also specified the
key for the NTP server. SW1 and SW2 will only use 192.168.123.3 to synchronize their
clocks if the MD5 signature is correct.
Earlier we configured SW1 and SW2 to use each other as peers and of course we can also use
authentication for this. It looks like this:
The configuration is similar, configure a key and make it trusted. We change the NTP peer
command to that it requires authentication.
Authentication is great but there is still one security problem to tackle. A NTP server will
serve updates to any NTP client and a NTP client will accept any IP address as the NTP
server. To solve this we can implement some access-list…let’s take a look!
Access-Control
First I will configure the CoreRouter so it only accepts one IP address as its NTP server. This
is tricky since the IP address might change in the future, if you implement this on a
production network you’ll have to make sure that you add all the possible IP address in the
access-list:
The IP address above is what pool.ntp.org resolves to for me. The ntp access-group peer
command is used to activate the access-list. SW1 and SW2 are the NTP clients for the
CoreRouter but right now everyone can use our router as the NTP server. Let’s fix this so
only SW1 and SW2 are allowed as NTP clients:
Problem solved, only SW1 and SW2 are now accepted as NTP clients. Our CoreRouter is
now protected but let’s make some changes on SW1 and SW2 as well:
The configuration above allows SW1 and SW2 to use CoreRouter and each other as NTP
server, no other sources are allowed.
In my example I used a public server for NTP (pool.ntp.org) but you can also configure a
router or switch as the NTP master and set a stratum number yourself. If you do this you’ll
need the NTP master command and your device will synchronize its own clock using the
127.127.7.1 or 127.127.1.1 IP address. Make sure you permit this IP address in your access-
list!
After we configured authentication we can verify if its working or not, here’s an example for
SW1:
That’s all there is to it. Hopefully this NTP tutorial is helpful for you to understand and
configure NTP in your network.
Want to take a look for yourself? Here you will find the configuration of each device.
If you enjoyed reading this, please share it with your friends / colleagues or leave a comment
if you have any questions!