NTP 101

1. Software Clock

Each router has a software clock that is set at initialization according to the hardware clock. The software clock can be updated manually, or automatically using NTP, SNTP or VINES Time Service.

!Manual setup:
R(config)# clock set HH:MM:SS DATE MONTH YEAR

The software clock provides the time for time-based ACLs, logging ande debugging messages, and other router features.
The software clock is kept in UTC (GMT) and a timezone can be configured for a more accurate display, as well as the daylight saving time.

R(config)# clock timezone ZONE HOURS-OFFSET [MIN-OFFSET]
! Recurring summer time:
R(config)# clock summer-time ZONE recurring [WEEK DAY MONTH HH:MM WEEK DAY MONTH HH:MM] [OFFSET]
! Absolute summer time:
R(config)# clock summer-time ZONE date DAY MONTH YEAR HH:MM DAY MONTH YEAR HH:MM [offset]

To check the clock, use:

R# show clock [detail]

2. NTP

NTP is a protocol that runs on UPD and offers time accuracy of a milisecond. Stratum represent the number of hops away a machine is from an authoritative time source. A Stratum 1 clock is a radio clock an atomic clock or a GPS clock, while a Stratum 2 clock receives clock information from a Stratum 1 clock, and so on.
To set an NTP server as an authoritative source, use:

R(config)# ntp master [STRATUM]

NTP can work in 2 modes:

2.1 Poll-Based NTP Association

In this mode, we have 2 methods of association: Client mode and Symmetric Active Mode. In client mode, the client polls the server for time information, while in symmetric active mode, a device can poll for time information, but can also respond to NTP polls.

! Client mode:
R(config)# ntp server IP-ADDR [version VER | key KEY | source INTERFACE | prefer]
! Symmetric Active Mode
R(config)# ntp peer IP-ADDR [normal-sync] [version VER | key KEY | source INTERFACE | prefer]

2.2 Broadcast-Based NTP Association

In this mode, the hosts listen to NTP broadcasts from the server. This is a less accurate method and it is recommended in environments with more than 20 clients.

!On the server
R(config-if)# ntp broadcast [version VER]
! On the client
R(config-if)# ntp broadcast client

2.3 NTP Access Group

R(config)# ntp access-group {peer|serve|serve-only|query-only} ACL [kod]
! kod = Sends a "Kiss of Death" packet to the source of an unmatched packet

When a host receives KoD packets, they indicate that the NTP server dropped their packets. They should take appropriate measures, like running sanity checks or rate limiting their NTP outgoing packets.

If the source IP address matches the ACL for more than one type, the first type is granted. They are scanned in the following order:

  1. peer – Allows time requests and NTP control queries and allows the system to synchronize itself to a system whose address passes the access list criteria
  2. serve – Allows time requests and NTP control queries, but does not allow the system to synchronize itself to a system whose address passes the access list criteria
  3. serve-only – Allows only time requests from a system whose address passes the access list criteria
  4. query-only – Allows only NTP control queries from a system whose address passes the access list criteria

2.4 Authentication

NTP provides MD5 authentication, but it is used to authenticate the NTP Server on the NTP Clients.
To enable authentication, follow these steps:

! 1. Enable authentication:
R(config)# ntp authenticate
! 2. Configure the MD5 key:
R(config)# ntp authentication-key KEY-NUMBER md5 KEY
! 3. Configure the key as trusted. Only NTP packets from servers that use the trusted keys will be accepted
R(config)# ntp trusted-key KEY-NUMBER
! 4. On clients only, define the key for each server.
R(config)# ntp server IP-ADDRESS key KEY-NUMBER
<h2>3. Hardware Clock</h2>
R(config)# calendar set HH:MM:SS DAY MONTH YEAR
! sets the hardware clock
R(config)# clock read-calendar
! sets the software clock according to the hardware clock
R(config)# clock update-calendar
! sets the hardware clock according to the software clock
R(config)# ntp update-calendar
! Syncs the hardware clock with NTP
R# show calendar

By default, the time maintained on the software clock is not considered to be reliable and will not be synchronized with NTP or VINES time service. To set the hardware clock as a valid time source, use this command:

R(config)# clock calendar-valid

Leave a Reply

Your email address will not be published. Required fields are marked *