10-16-2011 10:28 AM
Hello all! Hope all are having a great day!
I'm trying to get caught up with NTP issues. Perhaps someone can assist me with some NTP questions that I have.
I understand what NTP is used for. And I understand the basic premises of how Cisco is using NTP. So, with that in mind, let me give you my scenario.
Our network is a switched network, with a 3750 as the "LANCORE" switch. We have about 6 distro switches (3750s), and the rest are daisy chained off the distro switches. So, each distro has anywhere from 10-12 switches as spokes, with the distro being the hub. That's the basics.
Now, as of late, I've become interested in reviewing the syslogs, especially since I'm working on my CCNA security. I suddenly became aware that a lot of the switches in the network have horrible time settings. So let me break down what's occurred, as I think it happened:
There are a handful of switches that have the ntp server set as the LANCORE switch, let's call it 172.16.1.1. Authentication is set up between these devices. But when you do a "sho NTP status", it shows that the clock is unsynchronized. The LANCORE switch, 172.16.1.1, is set up to point to the DC of the network as its source. I think when you do a "sho NTP ass" on this switch, it shows the two domain controllers' IP addresses in the first column, then a reference time IP address in the 2nd column. If I'm correct, isn't that what the DC is pointing to to get its time from?
Even so, why isn't it showing the clock synchronized? The DCs, being servers, SHOULD be using NTP so they talk to each other. Microsoft is very, very touchy about the clocks being in sync. My only unanswered question would be whether the DCs are set up to talk to the LANCORE switch with NTP, which, since they were configured like that, I'm guessing they were.
There are a bunch of devices that are showing incorrect date and time (I'm guessing some kind of default). Their configs are pointing to a device, let's say 172.16.2.1. However, that device is no longer on the network. So I'm guessing that the switches are not contacting that device, and are defaulting to this incorrect date/time combo. It looks like I'll just have to reconfigure all of those switches to point back to the scenario above.
Any thoughts or suggestions would be appreciated.
10-16-2011 02:15 PM
Never use a Cisco device as an authoritative NTP master server. Have you seen the following documents before?
How to configure an authoritative time server in Windows XP
How to configure an authoritative time server in Windows Server
How to configure an authoritative time server in Windows 2000
10-16-2011 07:31 PM
To add a bit to the suggestions from Leo - most Windows Domain Controllers use a simplified version of the time protocol and not a full implementation of NTP. So a Cisco device configured for NTP will not learn NTP time from a typical DC. You might follow one of the suggestions from Leo to get the Windows server to function with full NTP or you might try configuring your Cisco to use SNTP to learn time from the DC.
10-17-2011 02:02 AM
Well, the concern is security. I want to use NTP authentication. I know from reading not to make the Cisco device the master. But, can't I make the main network switch point to the master time device, and have the remaining switches point to the network's main switch, so they are not all bombarding the master time device?
10-17-2011 06:51 AM
If you can get the main network switch to learn NTP time from an authoritative source then you certainly can (and I would say that you should) make the other switches learn NTP time from the main network switch.
I understand that you want to use authentication for additional security. But I would suggest that you configure NTP and get it running successfully without authentication. Once you have NTP working then you can come back and add authentication. But in the beginning I would suggest that you keep it simple and reduce the number of potential problems.
10-17-2011 02:33 PM
I got another solution for you.
Why not get a dedicated NTP server? Not the ones that advertise themselves as an "ntp server" but require internet access. I'm talking about a TRUE NTP server that synchronizes itself to GPS. That way this appliance is inside your secure network.
10-17-2011 07:56 PM
Leo's solution was what we used in a secure environment. A dedicated NTP appliance (Datum Tymserve 2100 if memory serves) connected via a rooftop antenna (with optical isolators for that input signal). I see you can pick one up on e-Bay for about US$500 if you're so inclined.
That said, I've always personally thought NTP authentication was overblown. Exactly what threat are you protecting against? I'd advocate a scheme such as I used more recently - point your edge device(s) (e.g. a firewall cluster) to an external (well-known public) NTP source. Point your internal devices (routers, switches and Windows DCs) to the firewall as their NTP master. A good firewall (I was using Juniper Netscreens) will report itself as Stratum 1 based on its clock stability.
Regarding load, NTP is a very low load service. Unless you have thousands (or tens of thousands) of devices all hitting the same server, load due to serving NTP should be negligible.
Do be sure to set up your devices to set their calendars as well as clocks using NTP and the other best practices as described in Cisco's various documents.
10-17-2011 09:15 PM
Thanks for all the replies;
I work for the govt... need I say more.
I actually found a couple Zytec NTP servers in an unused building. These were used at one time, I'm sure. I grabbed them out of the building and "relocated" them to my office. But there are no antennas... I'm guessing they are satellite dishes. Will have to see if they are located somewhere on/near this building.
So as for buying anything... no.
Size? About 100 switches on the network.
Security is utmost important, hence authentication needs.
So, let's say my edge router is going to be my source. I point my main network switch (core) to it as the NTP source clock. Then, I set all the other switches to point to the main network switch (core) as their NTP source. Do I have to use the client/peer statements? Or can I just use "ntp server xxx.xxx.xxx.xxx" for the non-core devices?
I'll try and add the authentication once I get the ntp working again.
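A configuration sketch of the hierarchy asked about in this post (edge router as the source, the core as the only device the rest of the switches talk to), written as an added example and not taken from any of the posts above or from Cisco documentation. The edge router address 192.0.2.1, the Loopback0 source interface, the 172.16.0.0/16 internal range and the key string are assumed placeholders; 172.16.1.1 is the LANCORE address used earlier in the thread. The authentication lines can be left out at first, per the earlier advice to get plain NTP synchronized before adding them.

```cisco
! ---- Core switch (LANCORE, 172.16.1.1) ----
! Learn time from the edge router only. There is deliberately no
! "ntp master" here, so the core never advertises itself as an
! authoritative source if the edge stops answering.
ntp authentication-key 1 md5 EXAMPLE-KEY-CHANGE-ME
ntp authenticate
ntp trusted-key 1
! Edge router address is a placeholder (assumption).
ntp server 192.0.2.1 key 1
! Source interface is an assumption; pick one that is always up.
ntp source Loopback0
! Keep the hardware calendar in step with the NTP-disciplined clock.
ntp update-calendar
!
! Only the edge may be a peer we sync from; internal hosts may only
! ask us for time (serve-only). Internal range is an assumption.
access-list 10 permit host 192.0.2.1
access-list 20 permit 172.16.0.0 0.0.255.255
ntp access-group peer 10
ntp access-group serve-only 20
!
! ---- Every other switch (distro and access) ----
! A plain "ntp server" line is enough for a strict client-of-the-core
! design; no peer statements are needed. Same key as the core.
ntp authentication-key 1 md5 EXAMPLE-KEY-CHANGE-ME
ntp authenticate
ntp trusted-key 1
ntp server 172.16.1.1 key 1
ntp update-calendar
!
! ---- Verification, run on any switch ----
! show ntp status        -> expect "Clock is synchronized, stratum N"
! show ntp associations  -> "*" marks the peer this device synced to,
!                           "~" marks a configured peer
! A reference clock of 127.127.x.x in the second column means that
! peer is running off its own local clock, not an upstream source.
```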
10-17-2011 09:27 PM
Size? About 100 switches on the network.
Doesn't really matter if you have 300 switches. SNTP/NTP traffic is "cheap": Traffic doesn't traverse all the time.
Another way is to ensure your core switches go to the NTP server, the distro appliances synchro with the core, and the access synchro with the distro.
You can put your newly "acquired" Zytec NTP server anywhere in the network. As to the antenna, you can find third-party antennas without any issues.
I know about Government networks. I worked in a few of them. That's why I know about the true NTP server and the NTP server-wannabe.