NTP Rule is bidirectional ?

MrBeginner

Hi,

I am confused about how NTP traffic works. My network device needs NTP from a Windows server. The firewall is between my network device and the Windows server. I enabled the NTP server service on Windows.

So I would like to know: do I open NTP port 123 on the firewall for the traffic from my network device to the Windows server?

10 Replies

@MrBeginner you'd create a rule from the source of the network device to the destination of the NTP server on udp/123. As the firewall is stateful, the return traffic should be permitted.

In most situations (which includes yours) the network device is the NTP-client and queries the NTP-server. So, yes, you open the port UDP/123 from device to the server.

MrBeginner

Hi All,

Thanks. Let me know: if I am using Windows as the NTP server, can a Cisco network device get time sync? Is there any limitation? Because I worry the network device doesn't understand SNTP, or that Windows only does the SNTP protocol.

If I want my router to get NTP from the NTP server and the other network devices to get NTP from my router, what kind of additional configuration do I need on my router?

What kind of security configuration can I do on my router? Is there any advantage if I use a loopback as the NTP source?

It depends on the Cisco device if they do NTP or SNTP. And also if they only implement an NTP client or an NTP server.

Assuming that your Windows Server has a correct time, I would point all network devices to this server. The typical command is 

ntp server IPADDRESS


Hi @Karsten Iwen,

I only want to allow the router to access the NTP server, and the rest of the network devices should get NTP from the router. Is that possible?

What kind of configuration do I need on my router? The peer command?

This should be fairly straightforward. By default the router works in NTP client as well as server mode, which means it can get NTP info from an external source as a client, and also be an NTP server for other devices.

So on the upstream router, just configure the NTP server with the command

ntp server <IP of NTP server>

If the server supports authentication, then configure authentication as well.

On the downstream devices, just point to the upstream router as the NTP server (same command).

Use show ntp association to verify. Pay close attention to the reference clock: you will see that the reference clock on the downstream devices/routers is the upstream router IP, and for the upstream router it is the NTP server you configured.

Example upstream: [screenshot of show ntp association on the upstream router]

Downstream: [screenshot of show ntp association on the downstream device]

-hope this helps-

As already explained, it will work straight out of the box as a server if the router already got the time via NTP. The peer functionality is a different way to synchronise the time between different devices. Make also sure that the other devices can reach the router on UDP/123 and this is not blocked by any router ACL.
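As an added example (not configuration posted by anyone in this thread), here is an IOS-style configuration for the upstream/downstream arrangement described above, including the authentication, loopback source and access restrictions asked about earlier. All addresses, the key string and the ACL names are placeholders; the authentication lines only apply if the Windows server is actually set up with a matching key.

```cisco
! --- Upstream router: NTP client of the Windows server, NTP server for the LAN ---
! Placeholders: 192.0.2.10 = Windows NTP server, 10.0.0.1 = Loopback0,
! 10.1.0.0/16 = LAN that is allowed to sync from this router.

interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
! Source NTP from the loopback so the firewall rule can match one stable
! source address (udp/123 from 10.0.0.1 to 192.0.2.10), whatever the egress interface.
ntp source Loopback0
!
! Authenticate the replies from the upstream server (only if the server supports it).
ntp authenticate
ntp authentication-key 1 md5 EXAMPLE-KEY-PLACEHOLDER
ntp trusted-key 1
ntp server 192.0.2.10 key 1
!
! Restrict who may use this router for NTP. Once any access-group is configured,
! every other source is denied, so the upstream server must be permitted as a peer
! or the router will no longer accept its replies.
ip access-list standard NTP-UPSTREAM
 permit host 192.0.2.10
ip access-list standard NTP-CLIENTS
 permit 10.1.0.0 0.0.255.255
ntp access-group peer NTP-UPSTREAM
ntp access-group serve-only NTP-CLIENTS
!
! --- Downstream switch or router: sync only from the upstream router ---
ntp server 10.0.0.1
```

On the downstream device, show ntp association should then list 10.0.0.1 as the reference, and on the upstream router it should list 192.0.2.10.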

I did a lab:
NTP Server-inside-FW-outside-NTP client
For the FW to allow NTP traffic to pass through you need an access-list in the OUT direction; the access-list entry is eq ntp.

I did the lab and tested it, and the client is synced with the server inside.

Hi @MHM Cisco World,

Do you mean the traffic (port 123) is NTP server to client? Do you mean we don't need to allow client-to-server traffic (port 123)?

Friend, there is a known port you can use:
permit udp any any eq 123
OR
permit udp any any eq ntp

And for my lab there are two cases:

NTP Server-inside-FW-outside-NTP client <<- this is my lab, and since the traffic is from a low to a high security level we need an ACL

or

NTP client-inside-FW-outside-NTP Server <<- here you don't need anything, since the traffic is from a high to a low security level
