Re: NTP Configuration on Nexus 5Ks

mcbrown@eatontown.org · ‎03-31-2020

I have 2 Nexus 5K switches that I want to make the NTP servers for my network.

Nexus 1: 10.10.10.5

Nexus 2: 10.10.10.6

I have read that you should only use the NTP master command if you basically plan on setting up the switches as their own NTP source (not looking anywhere other than itself for time) so I do not plan on setting them up as NTP masters.

I will issue the following command on both Nexus switches:

ntp server pool.ntp.org

On all of the other switches switches in the network I will issue these commands:

"ntp server 10.10.10.5 prefer"

"ntp server 10.10.10.6 prefer"

My questions are:

Is this the correct config?

Is there a need to setup the Nexus switches as peers? My thought was no since each Nexus will be looking to pool.ntp.org for their time.

Is there a need to setup NTP authentication from the Nexus switches to the rest of the switches in the network?

Thanks.

marce1000 · ‎04-01-2020

- Better is to remove the NTP services from switches and look into an architecture such as : Intranet Ntp (server) -> DMZ Ntp -> ISP Ntp

M.

-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Cristian Matei · ‎04-01-2020

Hi,

Except the fact that it's not really recommended to open up the Nexuses for NTP to the Internet (NTP has a sufficient number fo flaws), here are your answers:

- no need to configure peering

- authentication, though optional, should always be configured in order to provide a minimum level of security against unauthorised time sources

- authorization, though optional (via ACL restrictions), should always be configured in order to further enhance security for NTP

Regards,

Cristian Matei.

mcbrown@eatontown.org · ‎04-01-2020

So best bet would be to setup an internal NTP server and point everything to that?

How is syncing the Nexuses to the ISP NTP any safer than syncing to pool.ntp.org?

marce1000 · ‎04-02-2020

>So best bet would be to setup an internal NTP server and point everything to that?

YES

>How is syncing the Nexuses to the ISP NTP any safer than syncing to pool.ntp.org?

- Probably not safer but more optimal in terms of cascading

M,

-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Cristian Matei · ‎04-02-2020

Hi,

I would deploy NTP with both authentication and authorization. As in your case, you have to get the clock from outside your network, and you can't afford a DMZ device which gets clock from Internet and your network gets it from your DMZ device, use the ISP as NTP. Technically speaking, a public NTP server is less secure than an ISP provided NTP server, as the ISP provided NTP server is usually not reachable by everyone the Internet, but rather only from the ISP's clients, and thus is less susceptible to being attacked or becoming a relay for NTP attacks. The risk here is not necessarily not getting the correct time (although this is important as well for forensics, where if the time is not right, you just lost), but rather having your NTP client (Nexus device) in this case with high CPU (Which leads too unexpected behaviour) and/or getting BW depletion. Here's one reference, to understand the NTP Amplification attack.

Regards,

Cristian Matei.

mcbrown@eatontown.org · ‎04-02-2020

Got it. So the absolute best case scenario would be to setup a NTP server on a physical machine that sits in the firewall DMZ that will get its time from our ISP NTP server and then point all internal devices to that NTP server through the DMZ?

I have spare servers and have the ability to setup the DMZ so this is definitely doable.

Any recommendations on Intranet NTP Server? This a good option?

https://www.tecmint.com/install-ntp-server-in-centos/

If I setup above and pointed all switches to this ntp server would there still be a need for authentication and authorization?

Cristian Matei · ‎04-02-2020

Hi,

Yes, use the built-in NTP daemon. With that design in mind, i would still configure authentication/authorization (it's just a copy/paste one time); without it configured you just risk some "insider" influencing your clock on the network devices.

Regards,

Cristian Matei.