06-21-2010 06:50 AM - edited 03-06-2019 11:40 AM
Hi,
I am planning to deploy NTP service in our network, the centralised model: our head office border Internet Cisco 871 will synch with 3 Internet NTP servers, our head office core Cisco 1811 will synch with the latter, and all other network devices, AD domain forest root PDC emulator and all standallone PCs will synch with core Cisco 1811.
I have read the following:
Configuration Fundamentals and Network Management Commands
Performing Basic System Management
Hardening Cisco Routers: Chapter 10: NTP.
Almost everything is clear, but still have some questions.
1. We are located in Armenia, UTC +4, summer time lasts from last Sunday March to last Sunday October.
How should I setup my border router? Does Cisco have timezone code for Armenia?
Googling brings to me AMT and AMST as Armenian time and Armenian Summer time, but I saw also another correspondents for AMT (American time or something like that).
As I know, if AMT and AMST are valid for Cisco routers I can achieve my target this way:
Router# clock timezone AMT +4
Router# clock summer-time AMST +5 recurring last Sun Mar 2:00 last Sun Oct 2:00
Are the codes valid for Cisco?
Are the commands correct?
2. It is written: as soon as Cisco router is setup to synch with an authoritative time server it is ready to serve itself as NTP server.
Question: how the router knows the server is authoritative? Or just any external NTP server will be authoritative? Or this is integrated into NTP protocol: to verify\proof authority?
3. Do I need to disable NTP on external interfaces, if I have access-lists on all my routers ext. interfaces, which do not specifically permit NTP or UDP port 123 and ends with "deny ip any any"?
I know NTP server service is autoactivated on all interfaces as soon as Cisco router is setup to synch with an authoritative time server. Does NTP service also automake holes in filters?
4. Is it reasonable to setup the above mentioned border Cisco as an ntp master just in case. I mean, when there is no connection to time servers => the border Cisco will not function as NTP server and if this happens on the Cristmas holidays we will not have a time server up to 10 days. (Honestly, I don't think it will make problems, especially in case we use "ntp update-calendar" to keep hardware clocks correct).
Thanks in advance,
Alen
Solved! Go to Solution.
06-25-2010 04:25 AM
Well, everything is working fine now.
I want to add one more thing for the people who will go the same way: there is a problem while making Windows systems to synch from Cisco routers. The official way MS proposed for setting external NTP server on Windows is not working properly in the case.
http://support.microsoft.com/kb/314054#EXTERNAL
http://support.microsoft.com/kb/816042/
As a working alternative I found this receipt:
http://etherealmind.com/ios-configure-windows-2003-xp-use-ntp-server-sync-time-clock-router/
In short you need to do the following:
Configuring Windows 2003 / XP SP2 to Use IOS NTP Server
Stop the Windows Time Service using the CLI.
C:\Program Files\Support Tools>
net stop w32time
Here comes the magic part:
w32tm /config /manualpeerlist:"192.168.0.1,192.168.200.51",0x8 /syncfromflags:MANUAL
The peer list must be enclosed.
Use the 0×8 flag to force W32time to send normal client requests instead of symmetric active mode packets (a la the Microsoft way). The NTP server replies to these normal client requests as usual.
Restart the Windows Time Service and then force a sync.
net start w32time
w32tm /resync
I tried it, it is working since yesterday. Almost properly. Almost, because:
1) "update now" button works not always, but this could be normal / explainable, I watched for autosynch and it was working fine;
2) I see only 3 events and they are for yesterday evening (in the OS event viewer):
Event Type: Information
Event Source: W32Time
Event Category: None
Event ID: 35
Date: 24/06/10
Time: 19:32:57
User: N/A
Computer: ITHEAD
Description:
The time service is now synchronizing the system time with the time source 192.168.0.1 (ntp.m|0x8|192.168.0.220:123->192.168.0.1:123).
and that's all. Meanwhile when I look in Date and Time Properties window I can see that today some time ago time was successfully updated from the core Cisco!?).
So it is working, but I don't like these strange things happening. I am worrying because I am going to setup my forest root PDC emulator plus some standalone critical servers to be synched from the Cisco...
06-26-2010 12:48 AM
Oh-h.
Since yesterday evening NTP service is not working. I can't see any reason except "wrong" NTP clients which made border router - our main NTP server crazy.
Even router reloading did not help, which is very strange as one day earlier everything was working fine with the same config!?
Anyway, yesterday I decided to restrict access to NTP service using ntp access-groups. I added this on the border Cisco (according to what I have read from "Hardening Cisco Router", chapter 10, NTP):
access-list 41 permit 192.168.200.41 0.0.0.0
access-list 41 deny any
ntp access-group serve-only 41
(192.168.200.41 is the ip of Wingate, which is also making NAT for the core Cisco 1811. They both: WIngate and core Cisco have to synch from the border Cisco 871. All others will synch from the core router.)
The border router did not synch with public NTP servers, I could not do anything and went home late. At home I decided to check if the access-group could prevent the router from synching from NTP servers. I checked in Internet and found a couple of examples showing that when you use ntp access-groups, you should also create one more access-group to allow your device to synch from its NTP servers!
So today I added this:
access-list 42 permit 64.125.78.85
access-list 42 permit 173.14.47.149
access-list 42 permit 208.66.175.36
access-list 42 deny any
ntp access-group peer 42
And now I have this (a.b.c.d is the ip of interface looking at ISP1, x.y.z.t - ISP2):
InternetBorderRouter#show run | inc ntp
permit udp host 173.14.47.149 eq ntp host x.y.z.t
permit udp host 208.66.175.36 eq ntp host x.y.z.t
permit udp host 64.125.78.85 eq ntp host x.y.z.t
permit udp host 173.14.47.149 eq ntp host a.b.c.d
permit udp host 208.66.175.36 eq ntp host a.b.c.d
permit udp host 64.125.78.85 eq ntp host a.b.c.d
ntp access-group peer 42
ntp access-group serve-only 41
ntp server 173.14.47.149
ntp server 208.66.175.36
ntp server 64.125.78.85
And you know, it started to work again!!!
Oh-h.
Now I am going to make the same additions to the core Cisco 1811, and I think I have to do the same for the branches Cisco 871...
P.S. About my last question to Richard, I think now we know the answer.
06-26-2010 12:53 AM
Here is my last question I mentioned above:
"About my last question: I want to be sure that no any "inimical" or rogue NTP client\peer\server placed in my LAN\Intranet can control my NTP server - router using NTP control queries. I am just not sure, that it is technically possible in case the latter is setup to synch from the particular external authoritative NTP servers.
So, the main question is: is it possible to control a router - NTP server, configured to synch from authoritative external NTP servers, from inside via sending to its LAN interface NTP control queries and how dangerous is it?"
And one more thing, I just checked "Hardening Cisco Router", chapter 10, NTP, in their example there were no access-group for the router's NTP servers! So it was not my fault.
06-26-2010 03:49 AM
Alen
It is not particularly well documented but in my experience if a router is learning NTP from some server and also is providing NTP to some clients and if you want to use one of NTP access restrictions (serve-only or peer) then you need to use both of them. It is unfortunate that the discussion in Hardening Cisco Routers did not make that point.
I am glad that you have figured out so much about NTP. Thank you for posting to the forum how you got the Windows clients to work with Cisco for NTP. I think that many people will find that useful.
HTH
Rick
06-26-2010 03:59 AM
Dear Richard, I am happy to do something useful.
BTW: About synching MS Windows machines, in the articles of MS I mentioned earlier, in the section named: "Configuring the Windows Time service to use an external time source", among other steps it is written to change HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NTPServer\Enabled to "1".
One following instructions (me, for example) can just mechanically make the change and get as many NTP servers as many machines he "prepare" to be NTP clients of an external NTP server.
I don't know why MS put this step in the section of "Configuring the Windows Time service to use an external time source"...
So be carefull, don't change HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NTPServer\Enabled key value, unless you want the windows machine to be a time server.
06-26-2010 04:06 AM
rburts wrote:
It is unfortunate that the discussion in Hardening Cisco Routers did not make that point.
BTW, the mistake about "ntp disable" was also from that book! "Good" book...
06-26-2010 10:12 PM
Alen
You have learned a lot about how to implement NTP (and protect NTP) on Cisco routers. And you have found some errors in the article about Hardening Cisco Routers.
We wish that the technical articles that we use would be flawless, but that rarely happens. It has been quite a while since I looked at that article, but my memory is that they were quite correct about a lot of aspects (and they missed a few). It is in discussion in forums such as this that we can fine tune the presentation of these details. I hope that you will continue to investigate how the details of networking really work and that you will continue to post the results of what you find.
HTH
Rick
06-28-2010 03:10 AM
Dear Richard,
Thank you very much for your help. I think I get almost all answers about deploying centralised NTP service in small company using Cisco routers.
P.S. In fact today I mentioned, that I still have problems with core Cisco, it can not constantly synch from the border Cisco, but I feel I'll fix it.
Possibly the problem is either in fact I (accidentally) made Wingate an NTP server, or because two hosts (core Cisco and Wingate) are both synching from the border router under the same ip (Wingate makes NAT for the core Cisco). I changed Wingate back to NTP client and I will change it to synch from the core Cisco if the first step does not help. Hope this will solve my problems.
I'll report if something interesting happens...
See you in my new threads.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide