Network Time Protocol

NTP is used for accurate time-keeping and can, for example, reference atomic clocks that are reachable on the Internet. NTP is capable of synchronizing clocks to within milliseconds and is a useful protocol for timestamping error and system log messages (for instance, from Cisco routers). Consistent NTP time is what makes security and incident event correlation across multiple security devices possible: it lets you determine the exact time of an event on one device and order it against events recorded elsewhere.

IANA assigns port 123 to NTP for both UDP and TCP, but the protocol as specified (RFC 1305 for NTP version 3, RFC 5905 for version 4) runs only over UDP: the exchange is a single request/response, or a one-way broadcast, carrying timestamps, and a TCP handshake would add connection setup delay and retransmissions that the timing measurement cannot tolerate. Cisco IOS NTP uses UDP port 123 only, so access lists and firewall rules between NTP peers need to permit UDP port 123, not TCP.

An NTP network usually gets its time from an authoritative time source, such as a radio clock or an atomic clock attached to a time server. NTP then distributes this time across the network. NTP is extremely efficient; no more than one packet per minute is necessary to synchronize two machines to within a millisecond of one another.

NOTE NTP uses the concept of a stratum to describe how many NTP hops away a machine is from an authoritative time source. A stratum 1 time server has a radio or atomic clock directly attached; a stratum 2 time server receives its time via NTP from a stratum 1 time server, and so on. Most Cisco routers cannot act as a stratum 1 server (there is no way to attach an atomic clock source directly) and must obtain their time via NTP from a stratum 1 server on the network or the Internet. A Cisco 7200 series router, however, does support attachment of a GPS clock to the aux port, which makes that router a stratum 1 time source. NTP can also authenticate sessions, using an MD5 key shared between the peers, so that a device accepts time only from peers that hold the key.

Figure 2-7 displays a simple two-router network where Router R1 will be configured to supply a clock source to Router R2. In this example, you will configure authentication and ensure that the NTP peering between the two routers is secure.

Figure 2-7 NTP Sample Configuration

[Figure: two-router network in which R1 supplies the clock to R2; interface labels as extracted from the figure: Ethernet0/0, 172.108.2.1/24]

The following steps are required to enable NTP on a Cisco router:

Step 1 Define the time zone with the following command:

clock timezone zone hours [minutes]

Step 2 Configure the master NTP router (which will supply a clock to other routers) with the following command:

ntp master [stratum-value]

stratum-value is 1 to 15, with 1 representing the best clock source.

Step 3 To configure a remote NTP peer to a Cisco router with a better stratum value, use the following Cisco IOS command:

ntp peer ip-address [version number] [key keyid] [source interface] [prefer]

Table 2-4 displays the required parameters for the ntp peer command.

Step 4 To authenticate the NTP session, use the following Cisco IOS commands (ntp authenticate turns authentication on, as shown in Examples 2-8 and 2-9; the other two define the key and mark it as trusted):

ntp authenticate

ntp authentication-key number md5 value

ntp trusted-key key-number

key-number is the authentication key to be trusted. A peer's packets are accepted only if they carry a key ID that is listed as trusted and an MD5 authenticator that verifies with that key.

Table 2-4 ntp peer Command Defined

Syntax        Description
ip-address    IP address of the peer providing, or being provided, the clock
version       (Optional) Defines the NTP version number
number        (Optional) NTP version number (1 to 3)
key           (Optional) Defines the authentication key
keyid         (Optional) Authentication key to use when sending packets to this peer
source        (Optional) Names the interface
interface     (Optional) Name of the interface from which to pick the IP source address
prefer        (Optional) Makes this peer the preferred peer to provide synchronization
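The following is an added example in Python, not code from the book or from Cisco IOS, showing the wire-level mechanics behind Step 4: an NTPv3 header, the RFC 1305 authenticator (a key ID followed by MD5 computed over the key and the header) that ntp authentication-key defines, and a receiver check that applies the ntp authenticate and ntp trusted-key rules. The key ccie and key ID 1 are taken from Examples 2-8 and 2-9; the timestamp, the rogue packets and the second key ID are constructed for the example.

```python
# Added example (Python, not code from the book or from Cisco IOS): NTPv3 symmetric-key
# authentication as configured by 'ntp authenticate', 'ntp authentication-key <n> md5 <key>'
# and 'ntp trusted-key <n>', reduced to its wire-level mechanics. Packet layout and the
# MD5(key || header) authenticator follow RFC 1305; timestamps and rogue packets are constructed.
import hashlib
import hmac
import struct

NTP_EPOCH_OFFSET = 2_208_988_800   # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix)
HEADER_LEN = 48                    # fixed NTP header; the optional authenticator follows it
MAC_LEN = 4 + 16                   # 32-bit key ID + 128-bit MD5 digest
MODE_SYMMETRIC_ACTIVE = 1          # what 'ntp peer' sends
MODE_BROADCAST = 5                 # what 'ntp broadcast' on an interface sends


def ntp_timestamp(unix_seconds):
    """Encode Unix time as the 64-bit NTP timestamp: 32-bit seconds since 1900, 32-bit fraction."""
    ntp = unix_seconds + NTP_EPOCH_OFFSET
    secs = int(ntp)
    frac = int((ntp - secs) * (1 << 32)) & 0xFFFFFFFF
    return struct.pack("!II", secs & 0xFFFFFFFF, frac)


def build_header(stratum, xmt_unix, version=3, mode=MODE_BROADCAST, ref_id=b"LOCL"):
    """Build the 48-byte NTP header. Poll 2**6 and precision 2**-16 match what
    'show ntp associations detail' reports in Example 2-11; root delay/dispersion are zeroed."""
    li_vn_mode = (0 << 6) | (version << 3) | mode      # leap indicator 0, version, mode
    header = struct.pack("!BBBb", li_vn_mode, stratum, 6, -16)
    header += struct.pack("!II", 0, 0)                  # root delay, root dispersion
    header += ref_id[:4].ljust(4, b"\0")                # reference identifier
    header += ntp_timestamp(xmt_unix)                   # reference timestamp
    header += b"\0" * 16                                # originate and receive timestamps
    header += ntp_timestamp(xmt_unix)                   # transmit timestamp
    assert len(header) == HEADER_LEN
    return header


def authenticate(header, key_id, key):
    """Append the RFC 1305 authenticator: key ID followed by MD5 over key || header.
    'key' is the literal bytes of the md5 value given to ntp authentication-key."""
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet, keys, trusted_ids):
    """Emulate a receiver configured with 'ntp authenticate'.
    keys: {key_id: key bytes} from 'ntp authentication-key'; trusted_ids: IDs named by 'ntp trusted-key'.
    Returns (accepted, reason)."""
    if len(packet) < HEADER_LEN + MAC_LEN:
        return False, "no authenticator present; ntp authenticate requires one"
    header = packet[:HEADER_LEN]
    key_id = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])[0]
    mac = packet[HEADER_LEN + 4:HEADER_LEN + MAC_LEN]
    if key_id not in trusted_ids or key_id not in keys:
        return False, f"key ID {key_id} is not a trusted key"
    expected = hashlib.md5(keys[key_id] + header).digest()
    if not hmac.compare_digest(mac, expected):      # constant-time comparison
        return False, "MD5 authenticator mismatch: wrong key or packet modified in transit"
    return True, f"accepted, authenticated with key {key_id}"


def demo():
    """Exercise the receiver as R2 is configured in Example 2-9 (key 1 = ccie, trusted)."""
    r2_keys, r2_trusted = {1: b"ccie"}, {1}
    t = 1_028_853_445.0      # constructed: 2002-08-09 00:37:25 UTC
    # R1 (ntp master 2) broadcasting with key 1
    good = authenticate(build_header(2, t), 1, b"ccie")
    # Rogue host on the segment: unauthenticated broadcast claiming stratum 1
    rogue = build_header(1, t - 86_400 * 365)
    # Rogue guessing the secret under the right key ID
    wrong_key = authenticate(build_header(1, t), 1, b"guess")
    # Genuine packet with the stratum byte altered after the MAC was computed
    tampered = bytes([good[0], 1]) + good[2:]
    # Key 2 is configured on the receiver but not listed by ntp trusted-key
    untrusted = authenticate(build_header(2, t), 2, b"ccie")
    return {
        "authenticated": verify(good, r2_keys, r2_trusted)[0],
        "unauthenticated": verify(rogue, r2_keys, r2_trusted)[0],
        "wrong_key": verify(wrong_key, r2_keys, r2_trusted)[0],
        "tampered": verify(tampered, r2_keys, r2_trusted)[0],
        "untrusted_id": verify(untrusted, {1: b"ccie", 2: b"ccie"}, r2_trusted)[0],
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:15s} -> {'accepted' if accepted else 'rejected'}")
```

Two points worth noting from the code: the authenticator is a plain MD5 over key and header, not an HMAC, which is the legacy NTPv3 scheme the IOS md5 keyword implements; it still detects any change to the header and rejects packets from hosts that do not hold the key, but the key is a static shared secret, so anyone who can read it from a running configuration can forge time for every peer that trusts that key ID. The untrusted_id case shows why ntp trusted-key exists: a key may be configured for sending without being accepted for incoming packets.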

To ensure that R1 sends a clock source to R2 via NTP, R1 must be configured to send NTP traffic over the Frame Relay cloud with the ntp broadcast interface configuration command, which makes that interface (Serial0/0 on R1) send NTP broadcast packets. R2 must receive that traffic and act as an NTP client, which is accomplished with the interface configuration command ntp broadcast client on R2's Serial0/0. Because a broadcast client accepts time from any host that sends NTP broadcasts on the segment, it should be combined with ntp authenticate and a trusted key, as in the examples that follow, so that R2 ignores broadcasts that are not authenticated with the shared key.

Example 2-8 configures Router R1 in Figure 2-7 to supply a clock source to Router R2.

Example 2-8 NTP Configuration on R1

clock set 10:20:00 9 August 2002
clock timezone UTC 10
!Interface configuration
interface serial0/0
 ntp broadcast
!Global configuration
ntp authentication-key 1 md5 121A061E17 7
ntp authenticate
ntp trusted-key 1
ntp master 2
ntp peer 131.108.2.1 key 1

Notice that the router is set to the correct time with the Cisco IOS command clock set. The authentication key ID is 1, and the key appears in the running configuration in its type 7 form (121A061E17, followed by the encryption type 7), which is how IOS stores it when service password-encryption is enabled.

The router is configured with clock timezone UTC 10, which sets the displayed time 10 hours ahead of UTC (this particular router resides in Sydney, Australia, which is UTC+10). Note that the zone argument of clock timezone is only a label: naming a +10 hour zone "UTC" makes every timestamp on this router print as UTC while actually being local time, which is exactly the kind of mismatch that breaks event correlation across devices. Label the zone as what it is (for example, AEST), or run all devices on real UTC.

Example 2-9 configures R2 to get the clock from R1 using the same MD5 password, ccie, that Example 2-8 shows in its type 7 form.

Example 2-9 NTP Configuration on R2

interface serial0/0
 ntp broadcast client
!Global configuration
ntp authentication-key 1 md5 ccie
ntp authenticate
ntp trusted-key 1
ntp peer 131.108.1.1 key 1
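The type 7 string in Example 2-8 is not a protection for the NTP key. The following added example in Python, not code from the book or from Cisco IOS, decodes it and scans a configuration for NTP keys the way an auditor (or an attacker with show running-config access) would. The XOR byte string is the publicly known IOS type 7 key stream; the sample configuration text is constructed from the NTP lines of Examples 2-8 and 2-9.

```python
# Added example (Python, not from the book or from Cisco IOS): recovers the NTP key that
# Example 2-8 stores as 'ntp authentication-key 1 md5 121A061E17 7'. Type 7 is the IOS
# service password-encryption scheme: a two-digit seed followed by each key byte XORed with
# a fixed, publicly known byte string, so it is reversible by anyone who can read the config.
import re

# The fixed XOR stream used by IOS type 7 encoding (public knowledge, not a secret).
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decrypt(blob):
    """Decode a type 7 string such as 121A061E17 back to the plaintext key."""
    seed = int(blob[:2])
    hexbytes = bytes.fromhex(blob[2:])
    plain = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(hexbytes))
    return plain.decode()


def type7_encrypt(plain, seed=12):
    """Encode a key the way IOS does; seed 12 reproduces the exact string in Example 2-8."""
    body = "".join(f"{b ^ XLAT[(seed + i) % len(XLAT)]:02X}" for i, b in enumerate(plain.encode()))
    return f"{seed:02d}{body}"


NTP_KEY_RE = re.compile(r"^\s*ntp authentication-key (\d+) md5 (\S+)(?:\s+(\d+))?\s*$")


def recover_ntp_keys(config_text):
    """Scan a running configuration for NTP keys and return {key_id: plaintext or None}.
    A trailing encryption type of 7 is decoded; type 0 (or no type) is already plaintext;
    any other type (for example, 6 for AES) is reported as None because it is not reversible here."""
    keys = {}
    for line in config_text.splitlines():
        m = NTP_KEY_RE.match(line)
        if not m:
            continue
        key_id, value, enc_type = int(m.group(1)), m.group(2), m.group(3)
        if enc_type == "7":
            keys[key_id] = type7_decrypt(value)
        elif enc_type in (None, "0"):
            keys[key_id] = value
        else:
            keys[key_id] = None
    return keys


# Constructed sample: the NTP-related lines of Example 2-8 (R1, key stored as type 7).
R1_CONFIG = """\
ntp authentication-key 1 md5 121A061E17 7
ntp authenticate
ntp trusted-key 1
ntp master 2
ntp peer 131.108.2.1 key 1
"""

# Constructed sample: the same key as Example 2-9 writes it on R2, in clear text.
R2_CONFIG = """\
ntp authentication-key 1 md5 ccie
ntp authenticate
ntp trusted-key 1
ntp peer 131.108.1.1 key 1
"""

if __name__ == "__main__":
    print("R1:", recover_ntp_keys(R1_CONFIG))   # {1: 'ccie'}
    print("R2:", recover_ntp_keys(R2_CONFIG))   # {1: 'ccie'}
```

The practical consequence is that the NTP key must be treated like any other credential in the configuration: restrict who can view the running configuration, keep configuration backups off shared file stores, and rotate the key if a backup or a show output is exposed, because whoever holds it can authenticate forged time to every peer that trusts key ID 1.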

Example 2-10 displays the clocks on Routers R1 and R2, confirming that R1 is sending the correct time to R2 via NTP. The Cisco IOS command ntp authenticate ensures that R2 accepts time only from peers whose packets carry a valid authenticator for a trusted key. Optionally, you can define where a device sources its NTP clock with the command ntp server ip-address, which polls that server as a client instead of forming the symmetric peer association that ntp peer creates.

Example 2-10 show clock on R1 and R2

R1#show clock
10:47:48.508 UTC Fri Aug 9 2002

R2#show clock
10:47:48.508 UTC Fri Aug 9 2002

Example 2-11 confirms that the association with R1 is authenticated (the word authenticated in the association's status line; the remote stratum value of 2 reflects ntp master 2 on R1) by displaying the output of the Cisco IOS command show ntp associations detail.

Example 2-11 show ntp associations detail Command on R2

R2# show ntp associations detail

131.108.1.1 configured, authenticated, selected, sane, valid, stratum 2

ref ID .LOCL., time C0FD8D45.0B1C72E0 (10:37:25.043 UTC Fri Aug 9 2002)

our mode active, peer mode passive, our poll intvl 64, peer poll intvl 64

root delay 0.00 msec, root disp 0.03, reach 1, sync dist 15878.372

delay 6.67 msec, offset 297909193935.7106 msec, dispersion 15875.02

precision 2**16, version 3

org time C0FD8D45.BA55E231 (10:37:25.727 UTC Fri Aug 9 2002)

rcv time AF3BD17B.CBA5DDF0 (10:04:11.795 UTC Mon Mar 1 1993)

xmt time AF3BD17B.C9CB2BA2 (10:04:11.788 UTC Mon Mar 1 1993)

filtdelay = 6.67 0.00 0.00 0.00 0.00 0.00 0.00 0.00

filtoffset = 2979091 0.00 0.00 0.00 0.00 0.00 0.00 0.00

filterror = 0.02 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0

131.108.255.1 dynamic, authenticated, our_master, sane, valid, stratum 2

ref ID .LOCL., time C0FD8D05.0AE0774C (10:36:21.042 UTC Fri Aug 9 2002)

our mode passive, peer mode active, our poll intvl 64, peer poll intvl 64

root delay 0.00 msec, root disp 0.03, reach 2, sync dist 1.007

delay 0.00 msec, offset 0.0000 msec, dispersion 16000.00

precision 2**16, version 3

org time C0FD8D43.0B54AAFA (10:37:23.044 UTC Fri Aug 9 2002)

rcv time AF3BD179.1C9F231D (10:04:09.111 UTC Mon Mar 1 1993)

xmt time AF3BD186.C9CB3361 (10:04:22.788 UTC Mon Mar 1 1993)

filtdelay = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00

filtoffset = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00

filterror = 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0

Example 2-11 shows two associations on R2. The first, 131.108.1.1, is the peer configured with ntp peer 131.108.1.1 key 1; it is authenticated and selected, and its very large offset (about 9.4 years, because R2's rcv and xmt timestamps still show the IOS default date of March 1, 1993, from before the clock was set) is R2 being stepped onto R1's time. The second, 131.108.255.1, was learned dynamically through the broadcast client association on Serial0/0, is also authenticated, and is marked our_master, meaning it is the source R2 is currently synchronized to.
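To check what the timestamps in Example 2-11 really say, the following added example in Python (not code from the book or from Cisco IOS) decodes the 64-bit NTP timestamps the router prints, reproduces the IOS display under clock timezone UTC 10, and estimates the clock offset from the displayed org and rcv times. The timestamp strings and the 6.67 ms delay are copied from Example 2-11; the offset estimate applies the RFC 1305 formula under the assumption stated in the code, and the assumption that the IOS display truncates fractions to milliseconds is inferred from the values shown on the page.

```python
# Added example (Python, not from the book or from Cisco IOS): decodes the NTP timestamps in
# 'show ntp associations detail' output and shows the gap between the displayed "UTC" time
# (really UTC+10 under 'clock timezone UTC 10') and actual UTC. Timestamps and delay come
# from Example 2-11; everything else is constructed for the example.
from datetime import datetime, timedelta, timezone

NTP_EPOCH_OFFSET = 2_208_988_800   # seconds between the NTP epoch (1900) and the Unix epoch (1970)


def decode_ntp_timestamp(hex_ts):
    """'C0FD8D45.0B1C72E0' -> timezone-aware UTC datetime (32-bit seconds, 32-bit fraction)."""
    secs_hex, frac_hex = hex_ts.split(".")
    secs = int(secs_hex, 16) - NTP_EPOCH_OFFSET
    frac = int(frac_hex, 16) / (1 << 32)
    return datetime.fromtimestamp(secs, tz=timezone.utc) + timedelta(seconds=frac)


def ios_clock_string(dt_utc, zone_name="UTC", zone_offset_hours=10):
    """Render a UTC datetime the way IOS prints it under 'clock timezone <zone_name> <hours>'.
    Assumption (consistent with Example 2-11): the fraction is truncated, not rounded, to ms."""
    local = dt_utc + timedelta(hours=zone_offset_hours)
    millis = local.microsecond // 1000
    return f"{local:%H:%M:%S}.{millis:03d} {zone_name} {local:%a %b} {local.day} {local.year}"


def ntp_units(hex_ts):
    """Timestamp as an integer count of 2**-32 second units, for exact arithmetic."""
    secs_hex, frac_hex = hex_ts.split(".")
    return (int(secs_hex, 16) << 32) | int(frac_hex, 16)


def estimate_offset_ms(org_hex, rcv_hex, delay_ms):
    """RFC 1305 clock offset ((T2 - T1) + (T3 - T4)) / 2 between R2 and its peer.
    The display gives the peer's transmit timestamp (org, T3) and R2's receive timestamp
    (rcv, T4) but not the peer's receive timestamp T2. Assuming T2 == T3 (negligible peer
    processing time), the formula reduces to (T3 - T4) + delay / 2."""
    diff_ms = (ntp_units(org_hex) - ntp_units(rcv_hex)) * 1000 / (1 << 32)
    return diff_ms + delay_ms / 2.0


# Values copied from the configured association (131.108.1.1) in Example 2-11.
ORG_TIME = "C0FD8D45.BA55E231"     # peer's transmit timestamp (August 2002)
RCV_TIME = "AF3BD17B.CBA5DDF0"     # R2's receive timestamp, still at the IOS default date (March 1993)
DELAY_MS = 6.67


def analyze():
    """Summarize what the displayed timestamps actually say."""
    org, rcv = decode_ntp_timestamp(ORG_TIME), decode_ntp_timestamp(RCV_TIME)
    return {
        "displayed_org": ios_clock_string(org),            # what R2 prints
        "true_utc_org": f"{org:%H:%M:%S} UTC",             # what the instant really is in UTC
        "clock_step_days": round((org - rcv).total_seconds() / 86_400, 1),
        "offset_ms": round(estimate_offset_ms(ORG_TIME, RCV_TIME, DELAY_MS), 1),
    }


if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key:16s} {value}")
```

Running it shows that the org time the router labels 10:37:25.727 UTC is actually 00:37:25 UTC, that R2's clock is being stepped by about 3448 days, and that the estimated offset matches the 297909193935.7106 msec in the display to within a few microseconds. The 10-hour mislabel is the detail to take away: a log entry from this router correlated against a device that keeps true UTC would appear to be ten hours off.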

