06-21-2010 06:50 AM - edited 03-06-2019 11:40 AM
Hi,
I am planning to deploy an NTP service in our network, the centralised model: our head office border Internet Cisco 871 will synch with 3 Internet NTP servers, our head office core Cisco 1811 will synch with the latter, and all other network devices, the AD domain forest root PDC emulator and all standalone PCs will synch with the core Cisco 1811.
I have read the following:
Configuration Fundamentals and Network Management Commands
Performing Basic System Management
Hardening Cisco Routers: Chapter 10: NTP.
Almost everything is clear, but I still have some questions.
1. We are located in Armenia, UTC +4; summer time lasts from the last Sunday of March to the last Sunday of October.
How should I set up my border router? Does Cisco have a timezone code for Armenia?
Googling gives me AMT and AMST as Armenian Time and Armenian Summer Time, but I also saw other meanings for AMT (American time or something like that).
As far as I know, if AMT and AMST are valid for Cisco routers I can achieve my target this way:
Router# clock timezone AMT +4
Router# clock summer-time AMST +5 recurring last Sun Mar 2:00 last Sun Oct 2:00
Are the codes valid for Cisco?
Are the commands correct?
2. It is written: as soon as a Cisco router is set up to synch with an authoritative time server, it is ready to serve as an NTP server itself.
Question: how does the router know the server is authoritative? Or is just any external NTP server authoritative? Or is this integrated into the NTP protocol: to verify/prove authority?
3. Do I need to disable NTP on external interfaces if I have access-lists on all my routers' ext. interfaces, which do not specifically permit NTP or UDP port 123 and end with "deny ip any any"?
I know the NTP server service is auto-activated on all interfaces as soon as a Cisco router is set up to synch with an authoritative time server. Does the NTP service also automatically make holes in filters?
4. Is it reasonable to set up the above-mentioned border Cisco as an NTP master just in case? I mean, when there is no connection to time servers => the border Cisco will not function as an NTP server, and if this happens on the Christmas holidays we will not have a time server for up to 10 days. (Honestly, I don't think it will make problems, especially in case we use "ntp update-calendar" to keep hardware clocks correct).
Thanks in advance,
Alen
06-21-2010 07:09 AM
Alen
I hope that these help to answer your questions:
1) In the commands clock timezone and clock summer-time the router does not care what letters you specify, this is just a character string to the router and is not a time "code". So AMT and AMST will be just fine (and so would any other characters that you might want to use).
2) Part of the NTP negotiation is to determine whether the server is authoritative. The generally recognized Internet time servers will all be authoritative.
3) If you disable NTP on the external interface then you will prevent your router from learning NTP from any Internet source. And NO the router NTP does not automatically make holes in filters. The filters will filter as you configure them, and if you configure them to deny UDP 123 then NTP will not work.
4) I would advocate that you NOT configure your router as "master" just in case. If you have Internet connectivity and if the router is configured with 3 Internet servers then the router should learn NTP from at least one of them.
HTH
Rick
06-21-2010 07:48 AM
Dear Richard,
Thank you very much for your clarifications. Almost all is clear now.
You wrote: "3) If you disable NTP on the external interface then you will prevent your router from learning NTP from any Internet source."
I see here: http://oreilly.com/catalog/hardcisco/chapter/ch10.html
the following:
"ntp disable
The ntp disable command can be used on a per-interface basis. When applied to an interface, the command keeps the interface from acting as an NTP server, but still allows it to serve as an NTP client. This is the recommended configuration for external interfaces."
Who is right?
06-21-2010 08:43 AM
Alen
I misunderstood your point. Since the rest of 3) was asking about access lists I assumed that you were talking about disabling NTP by configuring access lists. Your source is correct about the ntp disable command.
HTH
Rick
06-21-2010 09:50 PM
Dear Richard, you wrote:
"1) In the commands clock timezone and clock summer-time the router does not care what letters you specify, this is just a character string to the router and is not a time "code". So AMT and AMST will be just fine (and so would any other characters that you might want to use)".
Now I have questions on this. If it is not a standard time zone code, then:
- will the router transfer this info to its NTP clients? (I mean, will they receive and show their time zones as AMT?)
- if not and this code is just for a local display purposes, will the router at least change its clients time to summer time when time comes?
- then what is the right strategy for the clients (local, own) settings for time zone and summer time change? (I am asking both for network devices and for Windows based PCs)
"3) If you disable NTP on the external interface then you will prevent your router from learning NTP from any Internet source. And NO the router NTP does not automatically make holes in filters. The filters will filter as you configure them, and if you configure them to deny UDP 123 then NTP will not work."
In your last post you wrote that I would prevent NTP from functioning if I have closed the NTP port (UDP 123). Indeed, as I said, I do not specifically open UDP 123 and all of my ACLs (for ext. interfaces) end with "deny ip any any".
But! I also have a stateful firewall activated on those interfaces; isn't this enough? (Enough for two things: for the border router to be safe and not provide the NTP server role, i.e. be invisible as an NTP server to outsiders, and to work properly as an NTP client of the Internet time servers)
Thank you very much.
P.S. One more thing:
Isn't it necessary to also mention the summer time offset? (In all examples I saw, the summer time offset was not mentioned, as if the router knows it from the time code or there is a default value.) Well, I have just read that there is a default value for the summer-time command = 1 hour, and this offset is relative to winter time, not UTC. Thus the correct config would be (assuming the summer offset is +1 from the winter time):
Router# clock timezone AMT +4
Router# clock summer-time AMST recurring last Sun Mar 2:00 last Sun Oct 2:00
Is it?
06-22-2010 04:36 AM
Alen
You asked:
- will the router transfer this info to its NTP clients?
No, the router will not transfer information about time zone to its clients. The specification of NTP is very clear that it always communicates time using UTC and that any adjustment for local time zone is the responsibility of the client. So the router learns time in UTC and makes the adjustments that we have been discussing for local time. And the router will communicate time in UTC to its clients and its clients must make their own adjustment for local time.
- if not and this code is just for a local display purposes, will the router at least change its clients time to summer time when time comes?
No, the router will not change its clients' time for summer time. It transmits time in UTC and it is up to the client to make adjustments for local environments.
- then what is the right strategy for the clients (local, own) settings for time zone and summer time change?
For Windows machines the right strategy is pretty simple - Windows provides a setting where you can set the local time zone. Windows assumes that it will learn NTP using UTC and will make the adjustments. For routers and switches in your network you will need to make the configuration changes in them to specify time zone offsets and summer time (as we have been discussing).
If you are running a stateful firewall on the router and the router generates an outgoing NTP request, then I would expect that the stateful firewall would accept the response. I interpreted your previous questions about access lists to be in the context of normal router access lists and not so much in the context of stateful firewall. In normal access list processing the router will not automatically create a hole in your access list for NTP just because NTP is enabled by default.
Yes I believe that the configuration you give is correct.
Router# clock timezone AMT +4
Router# clock summer-time AMST recurring last Sun Mar 2:00 last Sun Oct 2:00
HTH
Rick
06-22-2010 04:46 AM
Dear Richard,
It was a pleasure to receive your help.
Thank you very much.
For now I have no more questions about NTP, but when I do I'll ask you again.
06-22-2010 04:53 AM
Alen
I am glad that my information was helpful and that your questions about NTP are resolved. Thank you for the ratings and for marking the question as resolved. It makes the forum more useful when people can read a question and can know that responses were able to successfully resolve the question.
I encourage you to continue your participation in the forum.
HTH
Rick
06-22-2010 07:23 AM
I am sorry for coming back so soon, but I have a problem while deploying NTP.
The problem is on the Internet border Cisco 871.
Here are the respective parts of my config:
clock timezone AMT 4
clock summer-time AMST recurring last Sun Mar 2:00 last Sun Oct 2:00
! access-list for external interface FA4
ip access-list extended fa4_in
permit udp host 173.14.47.149 eq ntp host x.y.z.t
permit udp host 208.66.175.36 eq ntp host x.y.z.t
permit udp host 64.125.78.85 eq ntp host x.y.z.t
deny ip any any
ntp server 173.14.47.149
ntp server 208.66.175.36
ntp server 64.125.78.85
I had to add permissions for the NTP servers, because the stateful firewall did not help, maybe because I have NAT enabled for only one host (the Wingate WAN IP, which is connected to the border Cisco's LAN, and there is no NAT for the latter).
Anyway, I created the permissions, and for 20-30 minutes already I have been seeing this:
InternetBorderRouter#show ntp as
address ref clock st when poll reach delay offset disp
~173.14.47.149 .INIT. 16 - 1024 0 0.000 0.000 15937.
~208.66.175.36 .INIT. 16 - 1024 0 0.000 0.000 15937.
~64.125.78.85 .INIT. 16 - 1024 0 0.000 0.000 15937.
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
InternetBorderRouter#show ntp st
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 249.9684 Hz, actual freq is 249.9684 Hz, precision is 2**16
reference time is 00000000.00000000 (04:00:00.000 AMT Mon Jan 1 1900)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.06 msec, peer dispersion is 0.00 msec
loopfilter state is 'FSET' (Drift set from file), drift is 0.000000000 s/s
system poll interval is 64, never updated.
What did I forget?
06-22-2010 12:44 PM
Alen
Can you clarify what the address in the access list x.y.z.t represents?
I would think that your access list should work, but you might try adding these lines to it as an experiment:
permit udp host 173.14.47.149 host x.y.z.t eq ntp
permit udp host 208.66.175.36 host x.y.z.t eq ntp
permit udp host 64.125.78.85 host x.y.z.t eq ntp
Also can you post the output of the command
show run | include ntp
HTH
Rick
06-23-2010 12:12 AM
- Can you clarify what the address in the access list x.y.z.t represents?
It is the router's WAN IP (it is a public IP).
Here is InternetBorderRouter#show run | include ntp
ntp disable
ntp disable
permit udp host 173.14.47.149 eq ntp host x.y.z.t
permit udp host 208.66.175.36 eq ntp host x.y.z.t
permit udp host 64.125.78.85 eq ntp host x.y.z.t
permit udp host 173.14.47.149 eq ntp host a.b.c.d
permit udp host 208.66.175.36 eq ntp host a.b.c.d
permit udp host 64.125.78.85 eq ntp host a.b.c.d
ntp server 173.14.47.149
ntp server 208.66.175.36
ntp server 64.125.78.85
You can see two filters and two instances of "ntp disable" because I have two providers for resilience. ISP2 is the main provider; I used administrative distance and IP SLA (pinging 2 root Internet DNS servers) to keep both ISPs functioning.
Here is the full config, just in case:
InternetBorderRouter#show run
Building configuration...
Current configuration : 4862 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
no service dhcp
!
hostname InternetBorderRouter
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging message-counter syslog
logging buffered 131072 notifications
no logging console
no logging monitor
enable secret 5 $1$A1mG$IBEIdMqCxKDr4EC9H45tA1
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone AMT 4
clock summer-time AMST recurring last Sun Mar 2:00 last Sun Oct 2:00
!
!
dot11 syslog
no ip source-route
ip arp proxy disable
no ip gratuitous-arps
!
!
!
!
ip cef
no ip bootp server
ip inspect name internet icmp
ip inspect name internet tcp
ip inspect name internet udp
login block-for 60 attempts 3 within 5
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username ----- secret 5 $1$1nfq$z6u1D4a8js2QO83GWYrR20
!
!
!
archive
log config
logging enable
logging size 900
notify syslog contenttype plaintext
hidekeys
path flash:Backed-up-Config
maximum 5
write-memory
time-period 1440
!
!
!
track 10 ip sla 1 reachability
delay down 10 up 15
!
track 20 ip sla 2 reachability
delay down 10 up 15
!
!
!
interface Loopback0
no ip address
!
interface FastEthernet0
description SwitchPort_VLAN10_To-LAN
switchport access vlan 10
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
description SwitchPort_VLAN13_To-ISP1
switchport access vlan 13
!
interface FastEthernet4
description To-ISP2
ip address x.y.z.t 255.255.255.192
ip access-group fa4_in in
no ip redirects
no ip unreachables
ip nat outside
ip inspect internet out
ip virtual-reassembly
duplex auto
speed auto
ntp disable
!
interface Vlan1
no ip address
!
interface Vlan10
description To-LAN
ip address 192.168.200.51 255.255.255.224
ip nat inside
ip virtual-reassembly
!
interface Vlan13
description To-ISP1
ip address a.b.c.d 255.255.255.252
ip access-group vlan13_in in
no ip redirects
no ip unreachables
ip nat outside
ip inspect internet out
ip virtual-reassembly
ntp disable
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 a.b.c.d 4 track 10
ip route 0.0.0.0 0.0.0.0 x.y.z.t track 20
ip route 192.5.5.241 255.255.255.255 a.b.c.d name To_RootDNS-1_ISP1-SLA
ip route 199.7.83.42 255.255.255.255 x.y.z.t name To_RootDNS-2_ISP2-SLA
no ip http server
no ip http secure-server
!
!
ip nat translation timeout 14400
ip nat translation tcp-timeout 14400
ip nat translation icmp-timeout 1800
ip nat inside source route-map fa4 interface FastEthernet4 overload
ip nat inside source route-map vlan13 interface Vlan13 overload
!
ip access-list extended fa4_in
permit icmp host 199.7.83.42 host x.y.z.t
permit udp host 173.14.47.149 eq ntp host x.y.z.t
permit udp host 208.66.175.36 eq ntp host x.y.z.t
permit udp host 64.125.78.85 eq ntp host x.y.z.t
deny ip any any
ip access-list extended nat_fa4
permit ip host 192.168.200.41 any
deny ip any any
ip access-list extended nat_vlan13
permit ip host 192.168.200.41 any
deny ip any any
ip access-list extended vlan13_in
permit icmp host 192.5.5.241 host a.b.c.d
permit udp host 173.14.47.149 eq ntp host a.b.c.d
permit udp host 208.66.175.36 eq ntp host a.b.c.d
permit udp host 64.125.78.85 eq ntp host a.b.c.d
deny ip any any
!
ip sla 1
icmp-echo 192.5.5.241 source-interface Vlan13
timeout 2000
threshold 1000
frequency 3
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 199.7.83.42 source-interface FastEthernet4
timeout 2000
threshold 1000
frequency 3
ip sla schedule 2 life forever start-time now
logging trap notifications
logging facility local2
logging source-interface Loopback0
no cdp run
!
!
!
!
route-map vlan13 permit 10
match ip address nat_vlan13
match interface Vlan13
!
route-map fa4 permit 10
match ip address nat_fa4
match interface FastEthernet4
!
!
control-plane
!
!
line con 0
exec-timeout 5 0
no modem enable
transport output ssh
line aux 0
exec-timeout 5 0
transport preferred none
transport output none
line vty 0 4
exec-timeout 5 0
privilege level 15
transport input ssh
transport output none
!
scheduler max-task-time 5000
ntp server 173.14.47.149
ntp server 208.66.175.36
ntp server 64.125.78.85
end
BTW, one more question: as you can see, I disabled NTP on both WAN interfaces. Now only the LAN can serve as the NTP server interface. Besides, 3 Internet NTP servers are set by "ntp server" commands. The question is: do I need to additionally restrict access to the NTP service on the LAN (by using "ntp access-group serve-only") to be sure that no host can make control queries to the router's NTP server?
06-23-2010 05:44 AM
Richard,
One thing is still strange for me: why doesn't the stateful firewall make holes? (In case the problem is in the access-list)
As you can see I have it enabled.
06-23-2010 08:38 AM
Alen
I agree that the stateful firewall should create a dynamic entry to permit responses from the Internet NTP servers to the request sent by the router. I cannot tell from what we see at this point whether the problem is in the access list and the stateful firewall or whether it might be something else.
As an experiment I would suggest that you remove the ntp disable commands from the interfaces and see if that makes any difference.
If the problem still persists then I would suggest that you run debug ntp (perhaps debug ntp packet) to try to determine what you are sending and what, if anything, you get in response. (note that you may need to enable logging monitor or change the severity level of logging buffered to debug to be able to see the debug output)
In your previous post you ask about configuring and using an access list to control ntp activity. I am not sure that I see much reason for that in your situation, and I certainly would not start doing something like that until I had NTP running successfully.
HTH
Rick
06-23-2010 10:45 PM
Dear Richard,
Yesterday I totally removed the access-list from interface FA4 (the one looking on main ISP). Result - no change. => The problem is not in access-lists.
Now I am removing "ntp disable" from both WAN interfaces.
I'll report in several minutes.
06-23-2010 11:16 PM
Report:
address ref clock st when poll reach delay offset disp
~173.14.47.149 .ACTS. 1 14 64 77 0.000 3.807 190.26
~208.66.175.36 .ACTS. 1 21 64 77 0.000 -0.381 190.41
*~64.125.78.85 .ACTS. 1 23 64 77 0.000 -0.191 190.62
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
Clock is synchronized, stratum 2, reference is 64.125.78.85
nominal freq is 249.9684 Hz, actual freq is 249.9684 Hz, precision is 2**16
reference time is CFCD7115.E719AFF8 (10:52:21.902 AMST Thu Jun 24 2010)
clock offset is 0.0031 msec, root delay is 0.25 msec
root dispersion is 0.07 msec, peer dispersion is 0.06 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000000002 s/s
system poll interval is 64, last update was 1 sec ago.
Finally, it is working. I think we can conclude that "ntp disable" disables the NTP service entirely, not only the NTP server service!
The source of the info I mentioned earlier was incorrect about this.
About my last question: I want to be sure that no "inimical" or rogue NTP client/peer/server placed in my LAN/Intranet can control my NTP server router using NTP control queries. I am just not sure that it is technically possible in case the latter is set up to synch from the particular external authoritative NTP servers.
So, the main question is: is it possible to control a router NTP server, configured to synch from authoritative external NTP servers, from inside by sending NTP control queries to its LAN interface, and how dangerous is it?
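The following is an added example, not code from the thread or from Cisco: it decodes the 64-bit NTP timestamps that "show ntp status" prints in both reports above (00000000.00000000 before sync, CFCD7115.E719AFF8 after sync) and reproduces the router's local-time rendering by applying the thread's "clock timezone AMT 4" and "clock summer-time AMST recurring last Sun Mar 2:00 last Sun Oct 2:00" rules. It illustrates Rick's point that NTP itself carries only UTC and the time-zone/summer-time adjustment is purely a local display decision; the function names are my own and the 2:00 transition edges are assumed to be in local standard time (start) and local summer time (end).

```python
"""Decode NTP 64-bit timestamps (seconds since 1900-01-01 UTC plus a 32-bit
binary fraction) and render them as the router in the thread does.
Added example; not the forum's or Cisco's code."""
from datetime import datetime, timedelta

# NTP era 0 starts at 1900-01-01 00:00:00 UTC (IOS shows this for an unsynced clock)
NTP_EPOCH = datetime(1900, 1, 1)

# Offsets as configured on the router in the thread (assumed +1h summer default)
STD_OFFSET_H = 4   # clock timezone AMT 4
DST_OFFSET_H = 5   # AMST = AMT + 1 hour (IOS summer-time default)


def ntp_to_utc(ts_hex: str) -> datetime:
    """Convert 'SSSSSSSS.FFFFFFFF' (as shown by 'show ntp status') to naive UTC."""
    sec_hex, frac_hex = ts_hex.split(".")
    seconds = int(sec_hex, 16)
    fraction = int(frac_hex, 16) / 2 ** 32   # 32-bit binary fraction of a second
    return NTP_EPOCH + timedelta(seconds=seconds, microseconds=round(fraction * 1e6))


def last_sunday(year: int, month: int) -> datetime:
    """Midnight (local) on the last Sunday of the given month."""
    # Walk back from the last day of the month to the preceding Sunday
    if month == 12:
        last_day = datetime(year + 1, 1, 1) - timedelta(days=1)
    else:
        last_day = datetime(year, month + 1, 1) - timedelta(days=1)
    return last_day - timedelta(days=(last_day.weekday() - 6) % 7)


def summer_time_active(utc: datetime) -> bool:
    """IOS 'recurring' rule: summer time starts 2:00 local standard time on the
    last Sunday of March and ends 2:00 local summer time on the last Sunday of
    October. Both edges are converted to UTC before comparing."""
    start_utc = last_sunday(utc.year, 3) + timedelta(hours=2 - STD_OFFSET_H)
    end_utc = last_sunday(utc.year, 10) + timedelta(hours=2 - DST_OFFSET_H)
    return start_utc <= utc < end_utc


def render_local(ts_hex: str) -> str:
    """Reproduce the bracketed text IOS prints after the hex reference time."""
    utc = ntp_to_utc(ts_hex)
    if summer_time_active(utc):
        local, zone = utc + timedelta(hours=DST_OFFSET_H), "AMST"
    else:
        local, zone = utc + timedelta(hours=STD_OFFSET_H), "AMT"
    millis = local.microsecond // 1000
    return f"{local:%H:%M:%S}.{millis:03d} {zone} {local:%a %b} {local.day} {local.year}"


if __name__ == "__main__":
    # Both values are taken from the 'show ntp status' output in the thread
    for ts in ("00000000.00000000", "CFCD7115.E719AFF8"):
        print(ts, "->", ntp_to_utc(ts).isoformat(), "UTC ->", render_local(ts))
```

The synced timestamp decodes to 2010-06-24 05:52:21 UTC, which the router displays as 10:52:21.902 AMST only because of its own clock configuration; an NTP client of this router receives the UTC value and must apply its own offset.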