
Enable NTP client only configuration in the Cisco IOS

Boyan Sotirov
Level 1

I have this strange question about NTP configuration that's been bugging me lately.

The scenario:

a Catalyst switch connected to an ISP.

Configuration:

ntp server 209.51.161.238

Just that. And it works, it synchronizes. But a week ago I've got a mail from the ISP, saying that on that device there is an NTP service running and they showed me this:

ntpq -c rv my.public.ip.address

assID=0 status=0600 leap_none, sync_ntp, no events, event_unspec,
system="cisco", leap=00, stratum=2, rootdelay=132.280,
rootdispersion=3.070, peer=17746, refid=209.51.161.238,
reftime=d6bfbc26.d3b706d2  Tue, Mar  4 2014  4:42:46.827, poll=10,
clock=d6bfbf45.0fb801b6  Tue, Mar  4 2014  4:56:05.061, phase=-0.359,
freq=-22.46, error=1.98

So they want this service turned off as this is their policy.

1. My understanding up until now was that using the ntp server command configures the device running Cisco IOS as an NTP client only. It turns out it is not like that. This command enables also other devices to synchronize to it.

2. In some sources I found the interface-level command "ntp disable". They claim that this command stops the device from acting as an NTP server on the particular interface where it's configured. I tested it - it disables everything. So now the switch does not synchronize at all!

3. I was looking at the ntp group command, but it seems to limit everything, not only the NTP queries to the device.

The question is: is there a way to configure an NTP client-only configuration on a device running Cisco IOS?

4 Replies

Vinod Arya
Cisco Employee

It's hard to find an expert on switches/IOS on the Network Management Forum, which is for NMS applications.

You should post this thread on Switching community of CSC forum.

Though, what I can suggest is to use SNTP. Certain low-end Cisco devices only support SNTP. SNTP is a simplified, client-only version of NTP. SNTP can only receive the time from NTP servers and cannot be used to provide time services to other systems. SNTP typically provides time within 100 milliseconds of the accurate time. In addition, SNTP does not authenticate traffic, although you can configure extended access lists to provide some protection. An SNTP client is more vulnerable to misbehaving servers than an NTP client and should only be used in situations where strong authentication is not required.

SNTP may not be much of an alternative because it is not widely supported in software.

You can use the command "sntp server". SNTP generally is supported on those platforms that do not provide support for NTP.


Device(config)# sntp server {address | hostname} [version number]

For more clarification post this to Lan Switching and Routing section.

-Thanks
Vinod
**Rating Encourages contributors, and its really free. **


Marvin Rhoads
Hall of Fame

Just put an access-list on your outside interface blocking ntp (udp 123) to all destinations other than the one (or two) public ntp server(s) you use. That way you can still synchronize but they won't see you responding to ntp.
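A concrete form of the interface access-list Marvin describes, written here as an added example rather than taken from any post in this thread. It assumes GigabitEthernet0/1 is the ISP-facing interface and that 209.51.161.238 (the server from the original post) is the only upstream source; the placeholder line stands in for whatever inbound policy already exists on that interface.

```cisco
! Added example, not from the thread. Assumptions: the uplink is
! GigabitEthernet0/1 and 209.51.161.238 is the only upstream NTP server.
ip access-list extended OUTSIDE-IN
 remark Accept NTP replies only from the server we are configured to poll
 permit udp host 209.51.161.238 eq ntp any
 remark Drop every other NTP packet arriving from the outside, which
 remark includes the ntpq control query the ISP used to find the service
 deny udp any any eq ntp
 remark <placeholder: the rest of the existing inbound policy goes here>
 permit ip any any
!
interface GigabitEthernet0/1
 ip access-group OUTSIDE-IN in
!
ntp server 209.51.161.238
```

After applying it, "show ntp status" and "show ntp associations" should still show the switch synchronized to 209.51.161.238, and "show ip access-lists OUTSIDE-IN" should show matches accumulating on the deny line. Two caveats: the ACL is inbound, because the aim is to stop the switch answering, not to stop it asking; and it only covers this one interface, since the NTP process itself still answers on every other interface. That is also why the interface-level "ntp disable" from the original post broke synchronization: it prevents the interface from receiving NTP packets at all, replies from the upstream server included.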

Leo Laohoo
Hall of Fame

Why don't you use another NTP pool? All you need is, at minimum, one appliance to synchronize to the outside NTP pool, and the rest of your appliances can synchronize to this one (or two) appliance.

Alternatively, you can get a cheap Linux-based box to become your network's NTP server. Devices such as the Raspberry Pi or BeagleBone will support NTP/SNTP and will work very well as long as they are able to synchronize to an outside source.

Boyan Sotirov
Level 1

Guys thank you for all your suggestions.

1. SNTP is not supported on this platform.

2. Enabling a Linux-based NTP server to synchronize the networking devices and all servers in the network is on the way. But I still have some logistical hurdles for this to happen...

I was able to fix this by using the ntp access-group command. I use the ntp access-group peer option to enable synchronization with the peers, and ntp access-group serve-only for the internal devices.
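The ntp access-group arrangement from the reply above, spelled out as an added example that is not the poster's own configuration. It assumes 209.51.161.238 is the upstream server (the address in the original post) and uses 10.0.0.0/8 as a stand-in for the internal network; numbered standard access lists are used because every IOS release that has ntp access-group accepts them.

```cisco
! Added example, not from the thread. Assumptions: 209.51.161.238 is the
! upstream server and 10.0.0.0/8 stands in for the internal network.
access-list 10 remark Upstream NTP server(s) this switch synchronizes to
access-list 10 permit host 209.51.161.238
access-list 20 remark Internal hosts that may ask this switch for time
access-list 20 permit 10.0.0.0 0.255.255.255
!
ntp server 209.51.161.238
! peer: accept time and control packets from ACL 10 and allow the switch
! to synchronize to those addresses
ntp access-group peer 10
! serve-only: answer time requests from ACL 20, but never synchronize to
! those hosts and never answer their control (ntpq mode 6) queries
ntp access-group serve-only 20
! Once any access-group is configured, NTP packets that match none of
! them are dropped, so a query from an unlisted outside address gets no
! reply at all.
```

The groups are evaluated in the fixed order peer, serve, serve-only, query-only, and the first match decides how a packet is handled, so keep the upstream server out of the serve-only list or it will be matched by the peer entry first anyway. Verify with "show ntp associations" (the asterisk should stay on 209.51.161.238) and "show ntp status" (still synchronized), then repeat the ISP's "ntpq -c rv" check from an unlisted address: it should time out rather than return the system variables shown in the original post. Note that serve-only also denies control queries from the internal hosts, which is the intended posture for a client that should not be managed over NTP.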
