Network Time Protocol (NTP) is used for accurate time keeping and can reference atomic clocks that are present on the Internet, for example. NTP is capable of synchronizing clocks within milliseconds and is a useful protocol when reporting error logs (for instance, from Cisco routers).
For NTP, the defined ports are UDP port 123 and TCP 123. NTP can support a connection-orientated server (TCP guarantees delivery) or connectionless (UDP for non-critical applications).
An NTP network usually gets its time from an authoritative time source, such as a radio clock or an atomic clock attached to a time server. NTP then distributes this time across the network. NTP is extremely efficient; no more than one packet per minute is necessary to synchronize two machines to within a millisecond of one another.
NOTE NTP uses the concept of a stratum to describe how many NTP hops away a machine is from an authoritative time source. A stratum 1 time server has a radio or atomic clock directly attached; a stratum 2 time server receives its time via NTP from a stratum 1 time server, and so on. Cisco routers cannot support stratum 1 (in other words, you cannot connect a Cisco router to an atomic clock source) and need to derive an atomic clock source from the Internet. NTP can also authenticate sessions.
Figure 3-7 displays a simple two-router network where Router R1 will be configured to supply a clock source to Router R2. In this example, you will configure authentication and ensure that the NTP peer between the two routers is secure.
Figure 3-7 NTP Sample Configuration
The following steps are required when enabling NTP on a Cisco router:
1 Define the time zone with the following command:
clock timezone zone hours [minutes]
2 Configure the master NTP router (this router will supply a clock to other routers) with the following command:
ntp master [stratum value]
The stratum value is 1 to 15, with 1 representing the best clock source.
3 To configure a remote NTP peer to a Cisco router with a better stratum value, use the following IOS command:
ntp peer ip-address [version number] [key keyid] [source interface] [prefer]
Table 3-4 displays the required parameters for the ntp peer command.
4 To define NTP to authenticate the NTP session, use the following IOS commands:
ntp trusted-key key-number
The key-number is the authentication key to be trusted.
ntp authentication-key number md5 value
[Figure 3-7 labels: R1 (NTP server, sends NTP) and R2 (NTP client, receives NTP) connected across Frame Relay, 131.108.3.0/30. Interfaces: 172.108.1.1/24 Ethernet0/0, 172.108.2.1/24 Ethernet0/0, Serial0/0.1, Serial0/0.2. Callouts: "I have NTP atomic clock source; my stratum value is 2." and "My clock is set to August 9, 2002, time 10:47:48 a.m."]
To ensure that R1 sends R2 a clock source via NTP, R1 must be configured to send NTP traffic over the Frame Relay cloud with the command ntp broadcast. To specify that a specific interface should send NTP broadcast packets, use the ntp broadcast interface configuration command. Similarly, R2 must receive NTP traffic and is considered an NTP client with the IOS command ntp broadcast client.
R2’s Serial 0/0 interface is configured with the command ntp broadcast client. Example 3-8 configures Router R1 in Figure 3-7 to supply a clock source to Router R2.
Notice that the router is set to the correct time first with the IOS command clock set. The router is configured for the UTC time zone and 10 hours behind UTC time. The authentication key is set to 1.
Example 3-9 configures R2 to get the clock from R1 using the same MD5 password (set to ccie) from Example 3-8.
Table 3-4 ntp peer Command Defined
Syntax       Description
ip-address   IP address of the peer providing, or being provided, the clock
version      (Optional) Defines the Network Time Protocol (NTP) version number
number       (Optional) NTP version number (1 to 3)
key          (Optional) Defines the authentication key
keyid        (Optional) Authentication key to use when sending packets to this peer
source       (Optional) Names the interface
interface    (Optional) Name of the interface from which to pick the IP source address
prefer       (Optional) Makes this peer the preferred peer to provide synchronization
Example 3-8 NTP Configuration on R1
clock set 10:20:00 9 August 2002
clock timezone UTC 10
!Interface configuration
interface serial0/0
ntp broadcast
!Global configuration
ntp authentication-key 1 md5 121A061E17 7
ntp authenticate
ntp trusted-key 1
ntp master 2
ntp peer 131.108.2.1 key 1
Example 3-10 displays the two clocks on Routers R1 and R2 confirming that R1 is sending R2 the correct time via NTP.
Example 3-11 confirms, in the output of the IOS command show ntp associations detail, that NTP is authenticated (the remote stratum value is 2).
Example 3-9 NTP Configuration on R2
interface serial0/0
ntp broadcast client
!Global configuration
ntp authentication-key 1 md5 ccie
ntp authenticate
ntp trusted-key 1
ntp peer 131.108.1.1 key 1
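One way to check a saved configuration for the authentication commands from step 4 and the peer keys used in Examples 3-8 and 3-9. This is an added example, not code from the original text or from Cisco; the function name audit_ntp_auth and the R2_WEAK sample are assumptions made for illustration, and R2_GOOD follows Example 3-9.

```python
import re

KEY_DEF = re.compile(r"ntp authentication-key (\d+) md5 \S+(?: \d+)?$")
TRUSTED = re.compile(r"ntp trusted-key (\d+)$")
ASSOC = re.compile(r"ntp (peer|server) (\S+)(.*)$")

def audit_ntp_auth(config):
    """Return a list of findings about NTP authentication in an IOS config."""
    lines = [l.strip() for l in config.splitlines()]
    lines = [l for l in lines if l and not l.startswith("!")]
    defined = {m.group(1) for m in map(KEY_DEF.match, lines) if m}
    trusted = {m.group(1) for m in map(TRUSTED.match, lines) if m}
    findings = []
    if "ntp authenticate" not in lines:
        findings.append("'ntp authenticate' is missing")
    for key in sorted(trusted - defined):
        findings.append("trusted-key %s has no authentication-key" % key)
    for key in sorted(defined - trusted):
        findings.append("authentication-key %s is not trusted" % key)
    for m in filter(None, map(ASSOC.match, lines)):
        kind, addr, rest = m.groups()
        key = re.search(r"\bkey (\d+)\b", rest)
        if not key:
            findings.append("%s %s has no key" % (kind, addr))
        elif key.group(1) not in (defined & trusted):
            findings.append("%s %s uses undefined or untrusted key %s"
                            % (kind, addr, key.group(1)))
    return findings

# Constructed samples: R2_GOOD follows Example 3-9; R2_WEAK is a deliberately
# incomplete variant made up for this example.
R2_GOOD = """\
interface serial0/0
ntp broadcast client
!Global configuration
ntp authentication-key 1 md5 ccie
ntp authenticate
ntp trusted-key 1
ntp peer 131.108.1.1 key 1
"""
R2_WEAK = """\
ntp authentication-key 1 md5 ccie
ntp trusted-key 2
ntp peer 131.108.1.1
"""

if __name__ == "__main__":
    for name, cfg in (("R2_GOOD", R2_GOOD), ("R2_WEAK", R2_WEAK)):
        print(name, audit_ntp_auth(cfg) or "no findings")
```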
Example 3-10 show clock on R1 and R2
R1#show clock
10:47:48.508 UTC Fri Aug 9 2002
R2#show clock
10:47:48.508 UTC Fri Aug 9 2002
Example 3-11 show ntp associations detail Command on R2
R2# show ntp associations detail
131.108.1.1 configured, authenticated, selected, sane, valid, stratum 2
ref ID .LOCL., time C0FD8D45.0B1C72E0 (10:37:25.043 UTC Fri Aug 9 2002)
our mode active, peer mode passive, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.03, reach 1, sync dist 15878.372
delay 6.67 msec, offset 297909193935.7106 msec, dispersion 15875.02
precision 2**16, version 3
org time C0FD8D45.BA55E231 (10:37:25.727 UTC Fri Aug 9 2002)
rcv time AF3BD17B.CBA5DDF0 (10:04:11.795 UTC Mon Mar 1 1993)
xmt time AF3BD17B.C9CB2BA2 (10:04:11.788 UTC Mon Mar 1 1993)
filtdelay = 6.67 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filtoffset = 2979091 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filterror = 0.02 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0
131.108.255.1 dynamic, authenticated, our_master, sane, valid, stratum 2
ref ID .LOCL., time C0FD8D05.0AE0774C (10:36:21.042 UTC Fri Aug 9 2002)
our mode passive, peer mode active, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.03, reach 2, sync dist 1.007
delay 0.00 msec, offset 0.0000 msec, dispersion 16000.00
precision 2**16, version 3
org time C0FD8D43.0B54AAFA (10:37:23.044 UTC Fri Aug 9 2002)
rcv time AF3BD179.1C9F231D (10:04:09.111 UTC Mon Mar 1 1993)
xmt time AF3BD186.C9CB3361 (10:04:22.788 UTC Mon Mar 1 1993)
filtdelay = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filtoffset = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filterror = 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0
131.108.1.1 configured, authenticated stratum 2
Example 3-11 shows that R2 is dynamically peered to R1 and is authenticated.
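The check described for Example 3-11 can be run over collected show ntp associations detail output, so that a peer that is not authenticated stands out. This is an added example, not part of the original text; the function names are assumptions, and in SAMPLE the first association is taken from Example 3-11 while the 192.0.2.9 entry is constructed.

```python
import re

# Header line of each association: "<ip> flag, flag, ..., stratum N"
HEADER = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}) (.+), stratum (\d+)$")
OFFSET = re.compile(r"\boffset (-?\d+(?:\.\d+)?) msec")

def parse_associations(output):
    """Split 'show ntp associations detail' text into one dict per peer."""
    peers = []
    for line in output.splitlines():
        line = line.strip()
        head = HEADER.match(line)
        if head:
            peers.append({"peer": head.group(1),
                          "flags": set(head.group(2).split(", ")),
                          "stratum": int(head.group(3)),
                          "offset_ms": None})
        elif peers and peers[-1]["offset_ms"] is None:
            off = OFFSET.search(line)
            if off:
                peers[-1]["offset_ms"] = float(off.group(1))
    return peers

def untrusted_peers(output):
    """Peers missing any of the authenticated, sane or valid flags."""
    required = {"authenticated", "sane", "valid"}
    return [(p["peer"], sorted(required - p["flags"]))
            for p in parse_associations(output)
            if not required <= p["flags"]]

# First association copied from Example 3-11; the second is constructed.
SAMPLE = """\
131.108.1.1 configured, authenticated, selected, sane, valid, stratum 2
ref ID .LOCL., time C0FD8D45.0B1C72E0 (10:37:25.043 UTC Fri Aug 9 2002)
delay 6.67 msec, offset 297909193935.7106 msec, dispersion 15875.02
192.0.2.9 configured, insane, invalid, unsynced, stratum 16
delay 0.00 msec, offset 0.0000 msec, dispersion 16000.00
"""

if __name__ == "__main__":
    for peer in parse_associations(SAMPLE):
        print(peer["peer"], peer["stratum"], peer["offset_ms"])
    print("needs review:", untrusted_peers(SAMPLE))
```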