Cisco IOS NTP Essentials

A while ago I was involved in an interesting discussion about NTP authentication and whether it can actually be implemented reliably on Cisco IOS. What I got out of it (apart from a working example :) was the feeling that NTP and its implementation in Cisco IOS were under-understood and under-documented, so I planned to write an article about it.

However, as I did my research I realized there was so much I didn't know about NTP (do you know what the essential difference between a peer and a server is?) that I decided to start with an introductory article explaining the basics of NTP, SNTP and their IOS implementation. It's been published under the name “It’s Good to be on Time” in the IP corner section of our company's web site.

3 comments:

  1. This is part of the problem with NTP. It's way more complicated than it needs to be. You shouldn't have to understand so much of it to use it on your routers. Take a look at openntpd. It's free and runs on BSD or Linux. I run it on my DNS servers. My routers are pointed at it.

  2. Thanks very much for doing this Ivan.

  3. Ivan,

    This is the basic NTP configuration I use on 'my' routers at work:
    access-list 50 remark NTP Access - apply with:
    access-list 50 remark __ntp access-group peer 50
    access-list 50 remark
    access-list 50 remark Permit only (hostname snipped)
    access-list 50 permit 10.0.0.1
    access-list 50 remark
    access-list 50 remark Deny everyone else
    access-list 50 deny any
    access-list 50 remark

    ntp source loopback 0
    ntp access-group peer 50
    ntp server 10.0.0.1 prefer

    If I don't put in the access-group stuff, then the router will respond to port scans on UDP 123.

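As an added illustration (not the commenter's configuration and not from the article itself), here is the same ACL-based restriction next to the NTP authentication commands the post refers to, so that a spoofed reply from the server's address is dropped as well. It assumes the server 10.0.0.1 and Loopback0 from the comment, key id 1, and a placeholder shared secret.

```cisco
! Added example, not the commenter's or the author's own config.
! Assumes: NTP server 10.0.0.1 and source Loopback0 (from the comment),
! key id 1, and REPLACE_WITH_SHARED_SECRET as a placeholder secret.
!
! --- Weak setting: no access-group, no authentication ---
! ntp server 10.0.0.1 prefer
! Any host that can reach UDP/123 on the router gets answered, and the
! router accepts any reply that merely carries 10.0.0.1 as its source.
!
! --- Hardened setting ---
! Restrict NTP to the single upstream server (the commenter's ACL).
access-list 50 remark Permit only the NTP server
access-list 50 permit 10.0.0.1
access-list 50 remark Deny everyone else
access-list 50 deny any
!
! Only 10.0.0.1 may act as a peer/server. Because an access-group is
! configured, sources not matched by any access-group are denied.
ntp access-group peer 50
!
! Require the shared-key MAC on replies: a packet from 10.0.0.1 without a
! valid key 1 MAC is ignored instead of being used to set the clock.
ntp authenticate
ntp authentication-key 1 md5 REPLACE_WITH_SHARED_SECRET
ntp trusted-key 1
ntp source Loopback0
ntp server 10.0.0.1 key 1 prefer
```

The same key id and secret must be configured on the server side; `show ntp associations detail` shows whether the association is marked as authenticated.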


Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.