Cisco Router as NTP Client
12-30-2022 01:05 AM
Hello!
I wish to use a Cisco router as an NTP client and get time updates from an internal NTP server (stratum 2), and I configured "ntp disable" on all interfaces in order to prevent the router from acting as an NTP server to other devices. The NTP configuration is below. However, the router's NTP association status shows as "unsynchronized".
May I know whether "ntp disable" causes an issue between the router and the NTP server?
!
ntp logging
ntp authentication-key 10 md5
ntp authenticate
ntp trusted-key 10
ntp access-group serve-only 99
ntp server vrf Mgmt-vrf xx.xx.xx.xx prefer
!
ip access-list standard 99
10 remark ***NTP Control List***
10 permit xx.xx.xx.xx
20 deny any
Best regards,
abob21
12-30-2022 02:04 AM
I will check your config
12-30-2022 04:11 AM
Thanks @MHM Cisco World
Just some updates: I have a total of 3 routers as NTP clients, and initially the NTP configuration was the same on all routers.
Now I have made different configuration changes on each router, as below.
RT01:
- Removed “ntp disable” under the interface associated with the vrf
- Replaced “ntp access-group serve-only 99” with “ntp access-group peer 99”
- NTP is working and synchronized
RT02:
- Replaced “ntp disable” with “ntp broadcast client” under the interface associated with the vrf
- Replaced “ntp access-group serve-only 99” with “ntp access-group peer 99”
- NTP is working and synchronized
RT03:
- “ntp disable” remains under the interface associated with the vrf
- Replaced “ntp access-group serve-only 99” with “ntp access-group peer 99”
- NTP is not working and unsynchronized
I have no clue how or why NTP is working on RT01 & RT02 just by removing/replacing the “ntp disable” command.
Regards,
12-30-2022 09:43 PM
The command ntp disable pretty much means do not process NTP on this interface. If you disable NTP on the vrf then it cannot learn NTP time.
Rick
12-30-2022 10:24 PM - edited 01-01-2023 07:57 PM
NTP provides two important services: accurate time setting and clock synchronization. Enabling a router to become an NTP master will not guarantee accurate time, but it will ensure that all network components' time remains synchronized. NTP supports authentication; client and server need to use the same settings.
Time offset too high: When the time offset between client and server is too large, it will take a very long time to synchronize.
Stratum level too high: The stratum level is between 1 (best) and 15 (worst).
12-31-2022 12:52 AM
Hello,
I agree with @Richard Burts : if you disable NTP on an interface, no NTP packets are being processed. And hence no synchronization with the NTP server will occur. Have a look at the debug output below. After disabling NTP, packets are dropped:
R1#
*Dec 31 08:45:17.172: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on GigabitEthernet0/0 from LOADING to FULL, Loading Done
R1#
*Dec 31 08:45:36.337: NTP message sent to 192.168.1.2, from interface 'NULL' (0.0.0.0).
*Dec 31 08:45:36.551: NTP message received from 192.168.1.2 on interface 'GigabitEthernet0/0' (192.168.1.1).
R1#
*Dec 31 08:45:38.480: NTP message sent to 2.2.2.2, from interface 'NULL' (0.0.0.0).
*Dec 31 08:45:38.484: NTP message sent to 192.168.1.2, from interface 'GigabitEthernet0/0' (192.168.1.1).
*Dec 31 08:45:38.611: NTP message received from 2.2.2.2 on interface 'GigabitEthernet0/0' (192.168.1.1).
*Dec 31 08:45:38.613: NTP message received from 192.168.1.2 on interface 'GigabitEthernet0/0' (192.168.1.1).
R1#
*Dec 31 08:45:40.331: NTP message sent to 2.2.2.2, from interface 'GigabitEthernet0/0' (192.168.1.1).
*Dec 31 08:45:40.335: NTP message sent to 192.168.1.2, from interface 'GigabitEthernet0/0' (192.168.1.1).
*Dec 31 08:45:40.549: NTP message received from 2.2.2.2 on interface 'GigabitEthernet0/0' (192.168.1.1).
*Dec 31 08:45:40.551: NTP message received from 192.168.1.2 on interface 'GigabitEthernet0/0' (192.168.1.1).
R1#
*Dec 31 08:45:42.526: NTP message sent to 2.2.2.2, from interface 'GigabitEthernet0/0' (192.168.1.1).
*Dec 31 08:45:42.529: NTP message sent to 192.168.1.2, from interface 'GigabitEthernet0/0' (192.168.1.1).
*Dec 31 08:45:42.744: NTP message received from 2.2.2.2 on interface 'GigabitEthernet0/0' (192.168.1.1).
*Dec 31 08:45:42.745: NTP message received from 192.168.1.2 on interface 'GigabitEthernet0/0' (192.168.1.1).
R1#
*Dec 31 08:45:44.493: NTP message sent to 2.2.2.2, from interface 'GigabitEthernet0/0' (192.168.1.1).
*Dec 31 08:45:44.497: NTP message sent to 192.168.1.2, from interface 'GigabitEthernet0/0' (192.168.1.1).
*Dec 31 08:45:44.746: NTP message received from 2.2.2.2 on interface 'GigabitEthernet0/0' (192.168.1.1).
*Dec 31 08:45:44.747: NTP message received from 192.168.1.2 on interface 'GigabitEthernet0/0' (192.168.1.1).
R1#
*Dec 31 08:45:46.491: NTP message sent to 2.2.2.2, from interface 'GigabitEthernet0/0' (192.168.1.1).
*Dec 31 08:45:46.496: NTP message sent to 192.168.1.2, from interface 'GigabitEthernet0/0' (192.168.1.1).
*Dec 31 08:45:46.932: NTP message received from 2.2.2.2 on interface 'GigabitEthernet0/0' (192.168.1.1).
*Dec 31 08:45:46.934: NTP message received from 192.168.1.2 on interface 'GigabitEthernet0/0' (192.168.1.1).
R1#
*Dec 31 08:45:48.467: NTP message sent to 2.2.2.2, from interface 'GigabitEthernet0/0' (192.168.1.1).
*Dec 31 08:45:48.687: NTP message received from 2.2.2.2 on interface 'GigabitEthernet0/0' (192.168.1.1).
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#
R1(config)#interface gigabitEthernet0/0
R1(config-if)#ntp disable
R1(config-if)#end
R1#
*Dec 31 08:46:19.039: %SYS-5-CONFIG_I: Configured from console by console
R1#
*Dec 31 08:46:42.331: NTP message sent to 192.168.1.2, from interface 'GigabitEthernet0/0' (192.168.1.1).
*Dec 31 08:46:42.337: NTP IPv4 disabled on interface GigabitEthernet0/0, packet dropped.
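The two settings changed in this thread (`ntp disable` on the interface facing the server, and `serve-only` versus `peer` in `ntp access-group`) can be checked across saved configurations before rollout. The following is an added example, not code from any poster or from Cisco; the sample config is constructed, and the access-group check assumes that only a `peer` entry lets the router synchronize to a matched host.

```python
import re

# Constructed sample modelled on the configuration posted in this thread.
# The interface name and 192.0.2.x addresses are assumptions, not from the page.
SAMPLE = """\
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip address 192.0.2.1 255.255.255.0
 ntp disable
!
ntp authenticate
ntp trusted-key 10
ntp access-group serve-only 99
ntp server vrf Mgmt-vrf 192.0.2.10 prefer
"""

def audit_ntp_client(config):
    """Return findings that would keep an IOS NTP client unsynchronized."""
    findings, iface, iface_vrf, ntp_off = [], None, {}, set()
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            iface = m.group(1)
        elif not line.startswith(" "):
            iface = None  # back at global configuration level
        elif iface and (m := re.match(r"\s+(?:ip )?vrf forwarding (\S+)", line)):
            iface_vrf[iface] = m.group(1)
        elif iface and line.strip() == "ntp disable":
            ntp_off.add(iface)
    # VRF of every configured server; "" stands for the global table.
    server_vrfs = set(re.findall(r"^ntp server (?:vrf (\S+) )?", config, re.M))
    for name in sorted(ntp_off):
        vrf = iface_vrf.get(name, "")
        if vrf in server_vrfs:
            findings.append(f"{name}: 'ntp disable' drops replies from the "
                            f"server reached via VRF {vrf or 'global'}")
    # Assumption: only a 'peer' entry lets the router sync to a matched host.
    groups = set(re.findall(r"^ntp access-group (?:ipv[46] )?(\S+)", config, re.M))
    if server_vrfs and groups and "peer" not in groups:
        findings.append("ntp access-group has no 'peer' entry (found: "
                        + ", ".join(sorted(groups)) + ")")
    return findings

if __name__ == "__main__":
    for finding in audit_ntp_client(SAMPLE):
        print(finding)
```

The check does not read the ACL itself, so it will not notice an ACL 99 that fails to permit the server address.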
01-01-2023 04:21 AM
Thank you everyone, and wishing you a prosperous and happy new year 2023!
I might have misinterpreted ntp disable as preventing the router interface from acting as an NTP server, but actually it blocked everything.
In order for the router to work as an NTP client, which one will be the more secure and best approach for my requirement?
1) enable ntp by no ntp disable under router’s interface
or
2) ntp broadcast client
regards,
01-01-2023 12:11 PM
First, happy new year.
Second, I will check this point.
