Need help with NTP service on Cisco routers

Alen Danielyan
Level 1

Hi,

I am planning to deploy NTP service in our network, the centralised model: our head office border Internet Cisco 871 will synch with 3 Internet NTP servers, our head office core Cisco 1811 will synch with the latter, and all other network devices, the AD domain forest root PDC emulator and all standalone PCs will synch with the core Cisco 1811.

I have read the following:

Configuration Fundamentals and Network Management Commands
Performing Basic System Management
Hardening Cisco Routers: Chapter 10: NTP.

Almost everything is clear, but still have some questions.

1. We are located in Armenia, UTC +4, summer time lasts from last Sunday March to last Sunday October.

How should I setup my border router? Does Cisco have timezone code for Armenia?

Googling brings me AMT and AMST as Armenian Time and Armenian Summer Time, but I also saw other meanings for AMT (American time or something like that).

As far as I know, if AMT and AMST are valid for Cisco routers I can achieve my target this way:

Router# clock timezone AMT +4
Router# clock summer-time AMST +5 recurring last Sun Mar 2:00 last Sun Oct 2:00

Are the codes valid for Cisco?

Are the commands correct?

2. It is written: as soon as a Cisco router is set up to synch with an authoritative time server, it is ready to serve as an NTP server itself.

Question: how does the router know the server is authoritative? Or is just any external NTP server authoritative? Or is this integrated into the NTP protocol: to verify/prove authority?

3. Do I need to disable NTP on external interfaces if I have access lists on all my routers' external interfaces which do not specifically permit NTP or UDP port 123 and end with "deny ip any any"?

I know the NTP server service is auto-activated on all interfaces as soon as a Cisco router is set up to synch with an authoritative time server. Does the NTP service also automatically make holes in the filters?

4. Is it reasonable to set up the above-mentioned border Cisco as an ntp master, just in case? I mean, when there is no connection to the time servers the border Cisco will not function as an NTP server, and if this happens over the Christmas holidays we will not have a time server for up to 10 days. (Honestly, I don't think it will cause problems, especially if we use "ntp update-calendar" to keep the hardware clocks correct.)

Thanks in advance,

Alen

22 Replies

Richard Burts
Hall of Fame

Alen

I hope that these help to answer your questions:

1) In the commands clock timezone and clock summertime the router does not care what letters you specify, this is just a character string to the router and is not a time "code". So AMT and AMST will be just fine (and so would any other characters that you might want to use).

2) Part of the NTP negotiation is to determine whether the server is authoritative. The generally recognized Internet time servers will all be authoritative.

3) If you disable NTP on the external interface then you will prevent your router from learning NTP from any Internet source. And NO the router NTP does not automatically make holes in filters. The filters will filter as you configure them, and if you configure them to deny UDP 123 then NTP will not work.

4) I would advocate that you NOT configure your router as "master" just in case. If you have Internet connectivity and if the router is configured with 3 Internet servers then the router should learn NTP from at least one of them.

HTH

Rick

Dear Richard,

Thank you very much for your clarifications. Almost all is clear now.

You wrote: "3) If you disable NTP on the external interface then you will prevent your router from learning NTP from any Internet source."

I see here: http://oreilly.com/catalog/hardcisco/chapter/ch10.html

the following:

"ntp disable

The ntp disable command can be used on a per-interface basis. When applied to an interface, the command keeps the interface from acting as an NTP server, but still allows it to serve as an NTP client. This is the recommended configuration for external interfaces."

Who is right?

Alen

I misunderstood your point. Since the rest of 3) was asking about access lists I assumed that you were talking about disabling NTP by configuring access lists. Your source is correct about the ntp disable command.

HTH

Rick

Dear Richard, you wrote:

"1) In the commands clock timezone and clock summertime the router does not care what letters you specify, this is just a character string to the router and is not a time "code". So AMT and AMST will be just fine (and so would any other characters that you might want to use".

Now I have questions on this. If it is not a time zone standard code, then:

- will the router transfer this info to its NTP clients? (I mean, will they receive and show their time zones as AMT?)

- if not and this code is just for local display purposes, will the router at least change its clients' time to summer time when the time comes?

- then what is the right strategy for the clients (local, own) settings for time zone and summer time change? (I am asking both for network devices and for Windows based PCs)

"3) If you disable NTP on the external interface then you will prevent your router from learning NTP from any Internet source. And NO the router NTP does not automatically make holes in filters. The filters will filter as you configure them, and if you configure them to deny UDP 123 then NTP will not work."

In your last post you wrote that I would prevent NTP from functioning if I have closed the NTP port (UDP 123). Indeed, as I said, I do not specifically open UDP 123 and all of my ACLs (for ext. interfaces) end with "deny ip any any".

But! I also have stateful firewall activated on those interfaces, isn't this enough? (Enough for two things: for the border router to be safe and not provide NTP server role, be invisible as NTP server for outsiders, and properly work as NTP client of Internet time servers)

Thank you very much.

P.S. One more thing:

Isn't it necessary to mention also the summer time offset? (In all examples I saw, the summer time offset was not mentioned, as if the router knows it from the time code or there is a default value.) Well, I have just read that there is a default value for the summer-time command = 1 hour, and this offset is relative to winter time, not UTC. Thus the correct config would be (assuming the summer offset is +1 from the winter time):

Router# clock timezone AMT +4

Router# clock summer-time  AMST recurring last Sun Mar 2:00 last Sun Oct 2:00

Is it?

Alen

You asked:

- will the router transfer this info to its NTP clients?

No the router will not transfer information about time zone to its clients. The specification of NTP is very clear that it always communicates time using UTC and that any adjustment for local time zone is the responsibility of the client. So the router learns time in UTC and makes the adjustments that we have been discussing for local time. And the router will communicate time in UTC to its clients and its clients must make their own adjustment for local time.

- if not and this code is just for local display purposes, will the router at least change its clients' time to summer time when the time comes?

No the router will not change its clients time for summer time. It transmits time in UTC and it is up to the client to make adjustments for local environments.

- then what is the right strategy for the clients (local, own) settings for time zone and summer time change?

For Windows machines the right strategy is pretty simple - Windows provides a setting where you can set the local time zone. Windows assumes that it will learn NTP using UTC and will make the adjustments. For routers and switches in your network you will need to make the configuration changes in them to specify time zone offsets and summer time (as we have been discussing).

If you are running a stateful firewall on the router and the router generates an outgoing NTP request, then I would expect that the stateful firewall would accept the response. I interpreted your previous questions about access lists to be in the context of normal router access lists and not so much in the context of stateful firewall. In normal access list processing the router will not automatically create a hole in your access list for NTP just because NTP is enabled by default.

Yes I believe that the configuration you give is correct.

Router# clock timezone AMT +4

Router# clock summer-time  AMST recurring last Sun Mar 2:00 last Sun Oct 2:00

HTH

Rick
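To make concrete what the two clock commands confirmed above do to the UTC time the router learns over NTP, here is an added worked example in Python (not code from the thread or from Cisco). It decodes an NTP timestamp of the form "show ntp status" prints and applies "clock timezone AMT 4" plus "clock summer-time AMST recurring last Sun Mar 2:00 last Sun Oct 2:00" with the default 60-minute summer offset; the sample timestamp is the reference time the synchronized router prints later in this thread.

```python
import calendar
from datetime import datetime, timedelta, timezone
from typing import Tuple

# Router settings from the thread:
#   clock timezone AMT 4
#   clock summer-time AMST recurring last Sun Mar 2:00 last Sun Oct 2:00
# No explicit summer-time offset is given, so the IOS default of 60 minutes applies.
STD_NAME, STD_OFFSET = "AMT", timedelta(hours=4)
DST_NAME, DST_OFFSET = "AMST", STD_OFFSET + timedelta(minutes=60)

# NTP timestamps count seconds since 1900-01-01 00:00:00 UTC (32-bit seconds, 32-bit fraction).
NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)


def ntp_timestamp_to_utc(hex_ts: str) -> datetime:
    """Decode an NTP timestamp as printed by 'show ntp status', e.g. 'CFCD7115.E719AFF8'."""
    secs_hex, frac_hex = hex_ts.split(".")
    seconds = int(secs_hex, 16)
    micros = round(int(frac_hex, 16) / 2**32 * 1_000_000)
    return NTP_EPOCH + timedelta(seconds=seconds, microseconds=micros)


def last_sunday(year: int, month: int) -> datetime:
    """Naive date of the last Sunday of the month (weekday(): Monday=0 ... Sunday=6)."""
    last_day = datetime(year, month, calendar.monthrange(year, month)[1])
    return last_day - timedelta(days=(last_day.weekday() - 6) % 7)


def summer_window_utc(year: int) -> Tuple[datetime, datetime]:
    """[start, end) of summer time in UTC for one year.

    IOS reads the start time as local *standard* time and the end time as local
    *summer* time, so each is converted to UTC with its own offset.
    """
    start = last_sunday(year, 3).replace(hour=2) - STD_OFFSET
    end = last_sunday(year, 10).replace(hour=2) - DST_OFFSET
    return start.replace(tzinfo=timezone.utc), end.replace(tzinfo=timezone.utc)


def utc_to_router_local(utc: datetime) -> Tuple[datetime, str]:
    """Apply the router's timezone and summer-time rules; returns (local time, zone name)."""
    start, end = summer_window_utc(utc.year)
    if start <= utc < end:
        return utc + DST_OFFSET, DST_NAME
    return utc + STD_OFFSET, STD_NAME


def ios_clock_string(hex_ts: str) -> str:
    """Render the way IOS prints the reference time, e.g. '10:52:21.902 AMST Thu Jun 24 2010'."""
    local, name = utc_to_router_local(ntp_timestamp_to_utc(hex_ts))
    msec = local.microsecond // 1000
    return f"{local:%H:%M:%S}.{msec:03d} {name} {local:%a %b} {local.day} {local.year}"


def local_clock_for_utc(utc_str: str) -> str:
    """Helper for checking the transitions: takes 'YYYY-MM-DD HH:MM:SS' in UTC."""
    utc = datetime.strptime(utc_str, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    local, name = utc_to_router_local(utc)
    return f"{local:%Y-%m-%d %H:%M:%S} {name}"


if __name__ == "__main__":
    print(ios_clock_string("CFCD7115.E719AFF8"))  # the synchronized router's reference time
    print(ios_clock_string("00000000.00000000"))  # the unsynchronized router's reference time
    for t in ("2010-03-27 21:59:59", "2010-03-27 22:00:00",
              "2010-10-30 20:59:59", "2010-10-30 21:00:00"):
        print(t, "UTC ->", local_clock_for_utc(t))  # the two transition instants
```

The transition cases show why the end time is interpreted in summer time: at 21:00 UTC on the last Saturday of October the local clock steps from 02:00 AMST back to 01:00 AMT.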

Dear Richard,

It was a pleasure to receive your help.

Thank you very much.

For now I have no more questions about NTP, but when I have some I'll ask you again.

Alen

I am glad that my information was helpful and that your questions about NTP are resolved. Thank you for the ratings and for marking the question as resolved. It makes the forum more useful when people can read a question and can know that responses were able to successfully resolve the question.

I encourage you to continue your participation in the forum.

HTH

Rick

I am sorry for coming back so soon, but I have a problem while deploying NTP.

The problem is on the Internet border Cisco 871.

Here are the respective parts of my config:

clock timezone AMT 4
clock summer-time AMST recurring last Sun Mar 2:00 last Sun Oct 2:00

! access-list for external interface FA4

ip access-list extended fa4_in
permit udp host 173.14.47.149 eq ntp host x.y.z.t
permit udp host 208.66.175.36 eq ntp host x.y.z.t
permit udp host 64.125.78.85 eq ntp host x.y.z.t
deny   ip any any

ntp server 173.14.47.149
ntp server 208.66.175.36
ntp server 64.125.78.85

I had to add permissions for the NTP servers, because the stateful firewall did not help, maybe because I have NAT enabled for only one host (the Wingate WAN IP, which is connected to the border Cisco's LAN, and there is no NAT for the latter).

Anyway, I created the permissions and for 20-30 minutes already I have been seeing this:

InternetBorderRouter#show ntp as

  address         ref clock       st   when   poll reach  delay  offset   disp
~173.14.47.149   .INIT.          16      -   1024     0  0.000   0.000 15937.
~208.66.175.36   .INIT.          16      -   1024     0  0.000   0.000 15937.
~64.125.78.85    .INIT.          16      -   1024     0  0.000   0.000 15937.
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

InternetBorderRouter#show ntp st
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 249.9684 Hz, actual freq is 249.9684 Hz, precision is 2**16
reference time is 00000000.00000000 (04:00:00.000 AMT Mon Jan 1 1900)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.06 msec, peer dispersion is 0.00 msec
loopfilter state is 'FSET' (Drift set from file), drift is 0.000000000 s/s
system poll interval is 64, never updated.

What did I forget?

Alen

Can you clarify what the address in the access list x.y.z.t represents?

I would think that your access list should work, but you might try adding these lines to it as an experiment:

permit udp host 173.14.47.149 host x.y.z.t eq ntp
permit udp host 208.66.175.36 host x.y.z.t eq ntp
permit udp host 64.125.78.85  host x.y.z.t eq ntp

Also can you post the output of the command

show run | include ntp

HTH

Rick

- Can you clarify what the address in the access list x.y.z.t represents?

It is the router's WAN IP (it is a public IP).

Here is InternetBorderRouter#show run | include ntp

ntp disable
ntp disable
permit udp host 173.14.47.149 eq ntp host x.y.z.t
permit udp host 208.66.175.36 eq ntp host x.y.z.t
permit udp host 64.125.78.85 eq ntp host x.y.z.t
permit udp host 173.14.47.149 eq ntp host a.b.c.d
permit udp host 208.66.175.36 eq ntp host a.b.c.d
permit udp host 64.125.78.85 eq ntp host a.b.c.d
ntp server 173.14.47.149
ntp server 208.66.175.36
ntp server 64.125.78.85

You can see two filters and two instances of "ntp disable" because I have two providers for resilience. ISP2 is the main provider; I used administrative distance and IP SLA (pinging 2 root Internet DNS servers) to keep both ISPs functioning.

Here is the full config, just in case:

InternetBorderRouter#show run
Building configuration...

Current configuration : 4862 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
no service dhcp
!
hostname InternetBorderRouter
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging message-counter syslog
logging buffered 131072 notifications
no logging console
no logging monitor
enable secret 5 $1$A1mG$IBEIdMqCxKDr4EC9H45tA1
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone AMT 4
clock summer-time AMST recurring last Sun Mar 2:00 last Sun Oct 2:00
!
!
dot11 syslog
no ip source-route
ip arp proxy disable
no ip gratuitous-arps
!
!
!
!
ip cef
no ip bootp server
ip inspect name internet icmp
ip inspect name internet tcp
ip inspect name internet udp
login block-for 60 attempts 3 within 5
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username ----- secret 5 $1$1nfq$z6u1D4a8js2QO83GWYrR20
!
!
!
archive
 log config
  logging enable
  logging size 900
  notify syslog contenttype plaintext
  hidekeys
 path flash:Backed-up-Config
 maximum 5
 write-memory
 time-period 1440
!
!
!
track 10 ip sla 1 reachability
 delay down 10 up 15
!
track 20 ip sla 2 reachability
 delay down 10 up 15
!
!
!
interface Loopback0
 no ip address
!
interface FastEthernet0
 description SwitchPort_VLAN10_To-LAN
 switchport access vlan 10
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
 description SwitchPort_VLAN13_To-ISP1
 switchport access vlan 13
!
interface FastEthernet4
 description To-ISP2
 ip address x.y.z.t 255.255.255.192
 ip access-group fa4_in in
 no ip redirects
 no ip unreachables
 ip nat outside
 ip inspect internet out
 ip virtual-reassembly
 duplex auto
 speed auto
 ntp disable
!
interface Vlan1
 no ip address
!
interface Vlan10
 description To-LAN
 ip address 192.168.200.51 255.255.255.224
 ip nat inside
 ip virtual-reassembly
!
interface Vlan13
 description To-ISP1
 ip address a.b.c.d 255.255.255.252
 ip access-group vlan13_in in
 no ip redirects
 no ip unreachables
 ip nat outside
 ip inspect internet out
 ip virtual-reassembly
 ntp disable
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 a.b.c.d 4 track 10
ip route 0.0.0.0 0.0.0.0 x.y.z.t track 20
ip route 192.5.5.241 255.255.255.255 a.b.c.d name To_RootDNS-1_ISP1-SLA
ip route 199.7.83.42 255.255.255.255 x.y.z.t name To_RootDNS-2_ISP2-SLA
no ip http server
no ip http secure-server
!
!
ip nat translation timeout 14400
ip nat translation tcp-timeout 14400
ip nat translation icmp-timeout 1800
ip nat inside source route-map fa4 interface FastEthernet4 overload
ip nat inside source route-map vlan13 interface Vlan13 overload
!
ip access-list extended fa4_in
 permit icmp host 199.7.83.42 host x.y.z.t
 permit udp host 173.14.47.149 eq ntp host x.y.z.t
 permit udp host 208.66.175.36 eq ntp host x.y.z.t
 permit udp host 64.125.78.85 eq ntp host x.y.z.t
 deny   ip any any
ip access-list extended nat_fa4
 permit ip host 192.168.200.41 any
 deny   ip any any
ip access-list extended nat_vlan13
 permit ip host 192.168.200.41 any
 deny   ip any any
ip access-list extended vlan13_in
 permit icmp host 192.5.5.241 host a.b.c.d
 permit udp host 173.14.47.149 eq ntp host a.b.c.d
 permit udp host 208.66.175.36 eq ntp host a.b.c.d
 permit udp host 64.125.78.85 eq ntp host a.b.c.d
 deny   ip any any
!
ip sla 1
 icmp-echo 192.5.5.241 source-interface Vlan13
 timeout 2000
 threshold 1000
 frequency 3
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 199.7.83.42 source-interface FastEthernet4
 timeout 2000
 threshold 1000
 frequency 3
ip sla schedule 2 life forever start-time now
logging trap notifications
logging facility local2
logging source-interface Loopback0
no cdp run
!
!
!
!
route-map vlan13 permit 10
 match ip address nat_vlan13
 match interface Vlan13
!
route-map fa4 permit 10
 match ip address nat_fa4
 match interface FastEthernet4
!
!
control-plane
!
!
line con 0
 exec-timeout 5 0
 no modem enable
 transport output ssh
line aux 0
 exec-timeout 5 0
 transport preferred none
 transport output none
line vty 0 4
 exec-timeout 5 0
 privilege level 15
 transport input ssh
 transport output none
!
scheduler max-task-time 5000
ntp server 173.14.47.149
ntp server 208.66.175.36
ntp server 64.125.78.85
end

BTW, one more question: as you can see, I disabled ntp on both WAN interfaces. Now only the LAN can serve as the NTP server interface. Besides, 3 Internet NTP servers are set by "ntp server" commands. The question is: do I need to additionally restrict access to the NTP service on the LAN (by using "ntp access-group serve-only") to be sure that no host can make control queries to the router's NTP server?

Richard,

One thing is still strange for me, why doesn't stateful firewall make holes? (In case the problem is in access-list)

As you can see I have it enabled.

Alen

I agree that the stateful firewall should create a dynamic entry to permit responses from the Internet NTP servers to the request sent by the router. I can not tell from what we see at this point whether the problem is in the access list and the stateful firewall or whether it might be something else.

As an experiment I would suggest that you remove the ntp disable commands from the interfaces and see if that makes any difference.

If the problem still persists then I would suggest that you run debug ntp (perhaps debug ntp packet) to try to determine what you are sending and what, if anything, you get in response. (note that you may need to enable logging monitor or change the severity level of logging buffered to debug to be able to see the debug output)

In your previous post you ask about configuring and using an access list to control ntp activity. I am not sure that I see much reason for that in your situation, and I certainly would not start doing something like that until I had NTP running successfully.

HTH

Rick

Dear Richard,

Yesterday I totally removed the access-list from interface FA4 (the one looking at the main ISP). Result: no change, so the problem is not in the access lists.

Now I am removing "ntp disable" from both WAN interfaces.

I'll report in several minutes.

Report:

  address         ref clock       st   when   poll reach  delay  offset   disp
~173.14.47.149   .ACTS.           1     14     64    77  0.000   3.807 190.26
~208.66.175.36   .ACTS.           1     21     64    77  0.000  -0.381 190.41
*~64.125.78.85    .ACTS.           1     23     64    77  0.000  -0.191 190.62
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

Clock is synchronized, stratum 2, reference is 64.125.78.85
nominal freq is 249.9684 Hz, actual freq is 249.9684 Hz, precision is 2**16
reference time is CFCD7115.E719AFF8 (10:52:21.902 AMST Thu Jun 24 2010)
clock offset is 0.0031 msec, root delay is 0.25 msec
root dispersion is 0.07 msec, peer dispersion is 0.06 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000000002 s/s
system poll interval is 64, last update was 1 sec ago.

Finally, it is working. I think we can conclude that: "ntp disable" disables NTP service at all, not only NTP server service!

The source of the info I mentioned earlier was incorrect about this.

About my last question: I want to be sure that no "inimical" or rogue NTP client/peer/server placed in my LAN/Intranet can control my NTP server router using NTP control queries. I am just not sure that it is technically possible when the latter is set up to synch from particular external authoritative NTP servers.

So, the main question is: is it possible to control a router NTP server, configured to synch from authoritative external NTP servers, from inside by sending NTP control queries to its LAN interface, and how dangerous is it?
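The two pairs of "show ntp associations" / "show ntp status" outputs posted in this thread show the failure state (stratum 16, .INIT., reach 0, no reference clock) and the healthy one. As an added example, not code from the thread or from Cisco, the Python below parses that text and flags those conditions the way a monitoring check would; the sample strings are copied from the outputs above and the interpretation of "reach" as an octal 8-bit shift register of the last eight polls is standard NTP.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed samples, copied from the two 'show ntp' outputs posted in this thread.
BROKEN_ASSOC = """\
  address         ref clock       st   when   poll reach  delay  offset   disp
~173.14.47.149   .INIT.          16      -   1024     0  0.000   0.000 15937.
~208.66.175.36   .INIT.          16      -   1024     0  0.000   0.000 15937.
~64.125.78.85    .INIT.          16      -   1024     0  0.000   0.000 15937.
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
"""
BROKEN_STATUS = "Clock is unsynchronized, stratum 16, no reference clock\n"
WORKING_ASSOC = """\
  address         ref clock       st   when   poll reach  delay  offset   disp
~173.14.47.149   .ACTS.           1     14     64    77  0.000   3.807 190.26
~208.66.175.36   .ACTS.           1     21     64    77  0.000  -0.381 190.41
*~64.125.78.85    .ACTS.           1     23     64    77  0.000  -0.191 190.62
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
"""
WORKING_STATUS = "Clock is synchronized, stratum 2, reference is 64.125.78.85\n"

# One association row: flag characters, address, ref clock, stratum, when, poll, reach (octal).
ASSOC_RE = re.compile(r"^\s*([*#+\-x~]+)(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+([0-7]+)")
STATUS_RE = re.compile(r"Clock is (\w+), stratum (\d+)(?:, reference is (\S+)|, no reference clock)")


@dataclass
class Association:
    address: str
    flags: str     # '*' sys.peer, '#' selected, '+' candidate, '-' outlyer, 'x' falseticker, '~' configured
    refclock: str
    stratum: int
    reach: int     # 8-bit shift register of the last eight polls, printed by IOS in octal

    @property
    def polls_answered(self) -> int:
        return bin(self.reach).count("1")

    @property
    def usable(self) -> bool:
        # Never answered (reach 0) or itself unsynchronized (stratum 16): cannot be selected.
        return self.reach != 0 and self.stratum < 16


def parse_associations(text: str) -> List[Association]:
    peers = []
    for line in text.splitlines():
        m = ASSOC_RE.match(line)   # header and legend lines do not match
        if m:
            flags, addr, ref, st, _when, _poll, reach = m.groups()
            peers.append(Association(addr, flags, ref, int(st), int(reach, 8)))
    return peers


def parse_status(text: str) -> Dict[str, object]:
    m = STATUS_RE.search(text)
    if not m:
        raise ValueError("unrecognised 'show ntp status' output")
    return {"synchronized": m.group(1) == "synchronized",
            "stratum": int(m.group(2)), "reference": m.group(3)}


def ntp_health(assoc_text: str, status_text: str) -> Dict[str, object]:
    """Summarise both outputs; 'problems' is empty when the router is healthy."""
    status = parse_status(status_text)
    peers = parse_associations(assoc_text)
    sys_peer = next((p.address for p in peers if "*" in p.flags), None)
    problems = []
    if not status["synchronized"]:
        problems.append(f"clock unsynchronized (stratum {status['stratum']})")
    for p in peers:
        if p.reach == 0:
            problems.append(f"{p.address}: no reply to the last eight polls (reach 0)")
        elif p.stratum >= 16:
            problems.append(f"{p.address}: peer is itself unsynchronized (stratum 16)")
    return {"ok": not problems, "sys_peer": sys_peer, "problems": problems,
            "usable_peers": [p.address for p in peers if p.usable]}
```

Run against the "before" sample it reports four problems (the unsynchronized clock and three unreachable peers); against the "after" sample it reports none and identifies 64.125.78.85 as the sys.peer.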
