NTP - jibingl/CCNA-CCNP GitHub Wiki

Network Time Protocol

Designed by David L. Mills.

Stratum

NTP uses the stratum to indicate how many hops a device is from the reference clock. In other words, it is a rough indication of how accurate a device's time is: the lower the stratum, the closer the device is to an authoritative source.

| Level | Clocks | AKA names |
|---|---|---|
| Stratum 0 | Atomic clocks | Reference clock |
| Stratum 1 | Clocks connected to stratum 0 | Primary time servers |
| Stratum 2 | Clocks connected to stratum 1 | |
| ... | (omitted) | |
| Stratum 15 | The last clock level | |
| Stratum 16 | Clock is unsynchronized (no NTP) | |

Notes: Stratum 0 is reserved for atomic clocks. NTP servers cannot advertise themselves as stratum 0. A stratum field set to 0 in an NTP packet indicates an unspecified stratum. Stratum 16 means no NTP is configured.
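The stratum values in the table are carried in a one-byte field of the 48-byte NTP header. The parser below is an added example (not code from this wiki) that decodes that header, maps the stratum field to the meanings listed above, and applies the sanity checks a client should make before using a server's answer: server mode, clock synchronized (leap indicator not 3), stratum in 1..15, and a non-zero transmit timestamp. The three packets are constructed in the code rather than captured.

```python
import struct
from datetime import datetime, timedelta, timezone

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_UNIX_OFFSET = 2208988800


def build_ntp_header(li, vn, mode, stratum, poll=6, precision=-20,
                     ref_id=b"\x00\x00\x00\x00", xmit_seconds=0):
    """Pack a 48-byte NTP header (RFC 5905, Figure 8) as constructed test input.
    Only the fields this example inspects are filled; the rest are zero."""
    first_octet = (li << 6) | (vn << 3) | mode
    xmit_ts = xmit_seconds << 32          # 64-bit NTP timestamp, zero fraction
    return (struct.pack("!BBbb", first_octet, stratum, poll, precision)
            + struct.pack("!II", 0, 0)    # root delay, root dispersion
            + ref_id
            + struct.pack("!QQQQ", 0, 0, 0, xmit_ts))


def ntp_timestamp_to_datetime(ts):
    """Convert a 64-bit NTP timestamp (32.32 fixed point) to an aware UTC datetime."""
    seconds, fraction = ts >> 32, ts & 0xFFFFFFFF
    unix = seconds - NTP_UNIX_OFFSET
    return (datetime(1970, 1, 1, tzinfo=timezone.utc)
            + timedelta(seconds=unix, microseconds=fraction * 1_000_000 // 2**32))


def parse_ntp_header(data):
    """Decode the fixed 48-byte header; raises on short input."""
    if len(data) < 48:
        raise ValueError("NTP header is 48 bytes, got %d" % len(data))
    first_octet, stratum, poll, precision = struct.unpack("!BBbb", data[:4])
    root_delay, root_dispersion = struct.unpack("!II", data[4:12])
    xmit_ts = struct.unpack("!Q", data[40:48])[0]
    return {
        "li": first_octet >> 6,            # leap indicator; 3 = clock not synchronized
        "version": (first_octet >> 3) & 0x7,
        "mode": first_octet & 0x7,         # 3 = client, 4 = server
        "stratum": stratum,
        "poll": poll,
        "precision": precision,
        "root_delay": root_delay / 65536,  # 16.16 fixed point, seconds
        "root_dispersion": root_dispersion / 65536,
        "ref_id": data[12:16],
        "transmit_ts": xmit_ts,
    }


def describe_stratum(stratum):
    """Meaning of the stratum field as carried in a packet (RFC 5905, Figure 11)."""
    if stratum == 0:
        return "unspecified or invalid (kiss-o'-death)"
    if stratum == 1:
        return "primary server (reference clock attached)"
    if stratum <= 15:
        return "secondary server, %d hops from the reference clock" % stratum
    if stratum == 16:
        return "unsynchronized"
    return "reserved"


def usable_server_response(data):
    """Checks a client should apply before trusting a server response."""
    h = parse_ntp_header(data)
    return (h["mode"] == 4 and h["li"] != 3
            and 1 <= h["stratum"] <= 15 and h["transmit_ts"] != 0)


# Constructed sample packets (not captures): a healthy stratum-2 response sent at
# 2024-01-01T00:00:00Z, a response from an unsynchronized server, and a
# kiss-o'-death packet (stratum 0, reference id "RATE").
XMIT_2024 = 1704067200 + NTP_UNIX_OFFSET
HEALTHY = build_ntp_header(li=0, vn=4, mode=4, stratum=2,
                           ref_id=b"\x0a\x00\x01\x01", xmit_seconds=XMIT_2024)
UNSYNCED = build_ntp_header(li=3, vn=4, mode=4, stratum=16, xmit_seconds=XMIT_2024)
KISS_OF_DEATH = build_ntp_header(li=0, vn=4, mode=4, stratum=0,
                                 ref_id=b"RATE", xmit_seconds=XMIT_2024)

if __name__ == "__main__":
    for name, pkt in [("healthy", HEALTHY), ("unsynced", UNSYNCED), ("kod", KISS_OF_DEATH)]:
        h = parse_ntp_header(pkt)
        print(name, "stratum", h["stratum"], "->", describe_stratum(h["stratum"]),
              "| transmit", ntp_timestamp_to_datetime(h["transmit_ts"]).isoformat(),
              "| usable:", usable_server_response(pkt))
```

Only the healthy packet passes `usable_server_response`; the unsynchronized one fails on both the leap indicator and stratum 16, and the kiss-o'-death packet fails on stratum 0, which is exactly the "unspecified stratum" case the note above describes.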

Security Commands

| Command | For C/S security | Configured on |
|---|---|---|
| ntp access-group | Server side | Server only |
| ntp authentication | Client side | Client and server |

Configuration Example


NTP-Master

  • The NTP-Master syncs its time from two Google public time sources and serves as a time source for the internal network.
  • Restricts time sync to certain peers and clients via ACLs.

```
ip name-server 172.31.11.254
clock timezone cst -5

ntp server time.google.com                        //Set the primary NTP server (time source)
ntp server time2.google.com                       //The secondary NTP server

ntp master [stratum-number<1-15>]                 //Act as an authoritative NTP server even when not synced to an upstream source. The default stratum-number is 8.
ntp source loopback0                              //(Optional) Use Loopback 0 as the source of NTP traffic
interface loopback0
 ip address 172.16.0.1 255.255.255.0

ip access-list standard 12
 permit host time.google.com
 permit host time1.google.com
 permit 10.0.1.0 0.0.0.255
 permit 10.0.2.0 0.0.0.255
ntp access-group peer 12                          //ACL restricts which peers this router may sync time with
ntp access-group serve-only 12                    //ACL restricts which clients are allowed to request time
```
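To see which clients the `ntp access-group` lines above actually admit, here is an added example (not code from this wiki or from Cisco) that evaluates a standard ACL with IOS wildcard-mask semantics and then applies the access-group ordering Cisco documents for IOS (peer, serve, serve-only, query-only; the first type whose ACL matches the source decides). The ACL is evaluated against packet source addresses, so the two Google hostnames in the page's list are represented by constructed placeholder addresses, and the client addresses for R2 and R3 are assumptions chosen to fall inside and outside the permitted ranges.

```python
import ipaddress

# ACL 12 from the NTP-Master configuration. The 192.0.2.x entries are constructed
# stand-ins for time.google.com / time1.google.com (assumption, not resolved names).
ACL_12 = [
    "permit host 192.0.2.10",
    "permit host 192.0.2.11",
    "permit 10.0.1.0 0.0.0.255",
    "permit 10.0.2.0 0.0.0.255",
]

# Both access groups on NTP-Master reference ACL 12.
ACCESS_GROUPS = {"peer": ACL_12, "serve-only": ACL_12}

# Cisco IOS evaluation order (least to most restrictive) and what each type grants:
# sync  = this router may synchronize to the remote system
# serve = the remote system may request time from this router
# query = the remote system may send NTP control queries
ORDER = ["peer", "serve", "serve-only", "query-only"]
GRANTS = {
    "peer":       {"sync": True,  "serve": True,  "query": True},
    "serve":      {"sync": False, "serve": True,  "query": True},
    "serve-only": {"sync": False, "serve": True,  "query": False},
    "query-only": {"sync": False, "serve": False, "query": True},
}


def parse_acl_entry(line):
    """Parse one standard-ACL line into (action, network, wildcard) as integers."""
    words = line.split()
    action = words[0]
    if action not in ("permit", "deny"):
        raise ValueError("bad ACL line: %r" % line)
    if words[1] == "host":
        return action, int(ipaddress.IPv4Address(words[2])), 0
    if words[1] == "any":
        return action, 0, 0xFFFFFFFF
    network = int(ipaddress.IPv4Address(words[1]))
    # A bare address with no wildcard means an exact host match.
    wildcard = int(ipaddress.IPv4Address(words[2])) if len(words) > 2 else 0
    return action, network, wildcard


def acl_permits(acl_lines, src_ip):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    ip = int(ipaddress.IPv4Address(src_ip))
    for line in acl_lines:
        action, network, wildcard = parse_acl_entry(line)
        # Wildcard bits set to 1 are "don't care"; every other bit must match.
        if ((ip ^ network) & ~wildcard & 0xFFFFFFFF) == 0:
            return action == "permit"
    return False


def ntp_access_decision(src_ip, wanted):
    """Return the access-group type that grants `wanted` ('sync', 'serve' or
    'query') to src_ip, or None if the request would be refused."""
    for group in ORDER:
        acl = ACCESS_GROUPS.get(group)
        if acl is not None and acl_permits(acl, src_ip):
            return group if GRANTS[group][wanted] else None
    return None


# Constructed addresses: R2 inside 10.0.1.0/24, R3 outside every permitted range,
# and the placeholder address standing in for an upstream Google server.
R2_IP, R3_IP, UPSTREAM_IP = "10.0.1.2", "10.0.3.3", "192.0.2.10"

if __name__ == "__main__":
    for who, ip, wanted in [("R2", R2_IP, "serve"), ("R3", R3_IP, "serve"),
                            ("upstream", UPSTREAM_IP, "sync"), ("R2", R2_IP, "sync")]:
        print(who, ip, wanted, "->", ntp_access_decision(ip, wanted))
```

Two things the output makes visible. R3 is refused because no entry in ACL 12 covers its address (the implicit deny), which is the failure described under R3 below. And because `peer` is evaluated first and both groups point at the same ACL 12, internal clients such as R2 are granted `peer` rights (including the right for NTP-Master to sync to them), so the `serve-only` line never takes effect for them; if the intent is that internal hosts may only request time, put them in a separate ACL referenced only by `serve-only` and keep the upstream servers alone in the `peer` ACL.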

R1

  • R1 fails to sync time with NTP-Master because it requires NTP server identity authentication, which is not configured on the server.

```
ip name-server 172.31.11.254
clock timezone cst -5

ntp authentication-key 10 sha2 Cisco123           //Set a key/password for NTP server identity authentication
ntp trusted-key 10                                //Mark key 10 as trusted for authenticating servers
ntp authenticate                                  //Enable NTP server identity authentication
ntp server 172.16.0.1 key 10                      //Require key authentication against this NTP server
```
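What `ntp authenticate`, `ntp trusted-key` and `ntp server ... key 10` ask of a server response, shown as an added example (not code from this wiki or from Cisco IOS): the response must carry a MAC, the key id in that MAC must be one of the trusted keys, and the digest must verify with that key's secret. The MAC layout is the symmetric-key form from RFC 5905 Appendix A (key id followed by MD5 over key || header); the page configures a `sha2` key, whose digest differs, but the three checks are the same and the MD5 form is what the RFC fully specifies. The server header is constructed, and the scenarios beyond the first are what-if variants of the page's setup.

```python
import hashlib
import hmac
import struct

# Constructed 48-byte server response header: first octet 0x24 = LI 0, version 4,
# mode 4 (server); stratum 8 (the 'ntp master' default); precision -20 (0xEC);
# remaining fields zero, which is enough for the MAC demonstration.
SERVER_HEADER = bytes([0x24, 8, 6, 0xEC]) + bytes(44)

# R1's client-side configuration from the page expressed as data:
#   ntp authentication-key 10 ... Cisco123   -> key material for key id 10
#   ntp trusted-key 10                       -> key ids allowed to authenticate a server
TRUSTED_KEYS = {10: b"Cisco123"}
MD5_MAC_LEN = 4 + 16  # 32-bit key id + 128-bit MD5 digest


def append_mac(header, key_id, key):
    """Server side: RFC 5905 Appendix A MAC, key id || MD5(key || header)."""
    return header + struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def verify_server_response(packet, trusted_keys, authenticate=True):
    """Client side: the checks 'ntp authenticate' plus 'ntp trusted-key' impose
    before a response may be used. Returns (accepted, reason)."""
    header, mac = packet[:48], packet[48:]
    if not authenticate:
        return True, "authentication not enabled; response accepted unverified"
    if len(mac) == 0:
        return False, "no MAC on response (server has no authentication configured)"
    if mac == b"\x00\x00\x00\x00":
        return False, "crypto-NAK from server (key id 0, no digest)"
    if len(mac) != MD5_MAC_LEN:
        return False, "unexpected MAC length %d" % len(mac)
    key_id = struct.unpack("!I", mac[:4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False, "key id %d is not a trusted key" % key_id
    expected = hashlib.md5(key + header).digest()
    if not hmac.compare_digest(expected, mac[4:]):   # constant-time comparison
        return False, "digest mismatch for key id %d" % key_id
    return True, "authenticated with key id %d" % key_id


# Scenarios (constructed). NTP-Master as configured on the page has no keys, so it
# answers R1 with a bare header; the others show what R1 would do if the server
# were given a matching key, an untrusted key id, the wrong secret, or sent a NAK.
UNAUTHENTICATED = SERVER_HEADER
AUTHENTICATED_KEY10 = append_mac(SERVER_HEADER, 10, b"Cisco123")
UNTRUSTED_KEY20 = append_mac(SERVER_HEADER, 20, b"Cisco123")
WRONG_SECRET = append_mac(SERVER_HEADER, 10, b"wrong-secret")
CRYPTO_NAK = SERVER_HEADER + b"\x00\x00\x00\x00"

if __name__ == "__main__":
    for name, pkt in [("unauthenticated", UNAUTHENTICATED), ("key 10", AUTHENTICATED_KEY10),
                      ("key 20", UNTRUSTED_KEY20), ("wrong secret", WRONG_SECRET),
                      ("crypto-NAK", CRYPTO_NAK)]:
        print("%-16s %s" % (name, verify_server_response(pkt, TRUSTED_KEYS)))
```

The first scenario is R1's situation on this page: the client insists on a MAC and the server, which has no `ntp authentication-key` or `ntp trusted-key` configured, cannot supply one, so the response is discarded. Configuring the same key id and secret on NTP-Master turns that into the second scenario.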

R2

  • R2 can sync time with NTP-Master.

```
ip name-server 172.31.11.254
clock timezone cst -5

ntp server 172.16.0.1
```

R3

  • R3 fails to sync time with NTP-Master because it is not in the server's ACL permit list.

```
ip name-server 172.31.11.254
clock timezone cst -5

ntp server 172.16.0.1

interface e0/0
 ntp disable                                      //Prevent NTP packets on interface e0/0
```