NTP Server Option for Switch and Router

PolarPanda (Level 1)

Hi there,

I'm asking for your opinions on an NTP server for a Cisco switch or router. My coworker recommended that I set up an NTP server on a domain controller (DC), but I'm thinking of putting time.google.com (an external source) as my NTP server directly on the switch or router. Will my approach cause any potential issues, especially security ones? Which of these two is better, or is there maybe a third option that is even better? Thank you.

Best,

PP

3 Accepted Solutions

Deepak Kumar (VIP Alumni)

Hi,

My recommendation is to configure the NTP server on your server, such as the DC or another one. Why? Because NTP is not as secure a protocol as others, and many attacks have been noticed, such as DoS, vulnerabilities, etc.

Here I found the best guide for the same: https://insights.sei.cmu.edu/sei_blog/2017/04/best-practices-for-ntp-services.html

Regards,
Deepak Kumar
Don't forget to vote and accept the solution if this comment helps you!

hunnymonster (Level 1)

Whatever source(s) you set up should be consistent across your estate; otherwise your logs may not quite match up whilst troubleshooting.

Example: when I arrived in my current role there was an unholy mix of approximately 20 separate external NTP sources being used directly by switches, routers, servers, ... The time dispersion was visible to the naked eye and hovered between 1 and 5 seconds across the estate.

I have slimmed that down to a pool of 4 routers as internal sources, and those 4 routers are being fed from 2 GNSS time sources, with a backup of 2 external sources. Time dispersion is now impossible to see, but the reporting suggests everything is now agreeing on time within less than 1 ms.

If running your own GNSS source is out of budget (they're freely available for ~$500), my advice would be consistency. Either use your router as the root source internally (fed from NTP service(s) of your choice from the internet) or use the DC as the internal root source (again fed from NTP service(s) of your choice from the internet).

Hello

You can have your own master NTP server(s), say on your core network, that feed downstream to your distribution layer, which in turn supports your access-layer peers, and lastly your end hosts peer to those.

Usually your NTP design would relate to your current network topology (tier system, client/server):

public time servers stratum 1 <--> server tier 2 peer stratum 2 peer <--> server core NTP master stratum 3 peer <--> server distribution peer <--> server access-layer peer <--> hosts

As for security, NTP can be implemented with MD5 authentication, key strings, access control lists, etc.

Have a look at the attached documentation for a possible best practice of NTP in a Cisco environment; it's quite an old doc, but I would say it's still valid for design purposes. <--- Cisco NTP best practice

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community's global network.

Kind Regards
Paul
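The design sketched in the two replies above (an internal root fed from a couple of external sources, every other device in the estate syncing only to that root, with authentication and access lists on top) can be written down as one Cisco IOS configuration. The following is an added example, not configuration from any of the posters or from the Cisco document they reference. All addresses (192.0.2.x, 198.51.100.x, 10.0.0.x), interface names and key strings are placeholders; `ntp update-calendar` only applies on platforms with a hardware calendar, and `ntp disable` on user-facing ports assumes a switch running IOS/IOS XE.

```cisco
! --- Core router: internal NTP root, fed from two external sources ---
! Constructed example; every address and key string below is a placeholder.
!
! Use a stable loopback as the NTP source address so all internal clients
! see time coming from one consistent identity.
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
ntp source Loopback0
!
! Symmetric-key authentication for the internal tree. Clients only accept
! packets signed with a trusted key, which blocks a rogue responder on the LAN.
ntp authentication-key 1 md5 INTERNAL-KEY-PLACEHOLDER
ntp authenticate
ntp trusted-key 1
!
! Upstream: two external sources (placeholder addresses). Public services such
! as time.google.com do not offer symmetric-key authentication, so these
! associations are unauthenticated; the peer ACL below restricts which hosts
! this router will accept time from.
ntp server 192.0.2.10 prefer
ntp server 198.51.100.20
!
! Fallback: if both upstreams are lost, keep serving the estate from the local
! clock at a high stratum (8) so the low-stratum upstreams always win while
! they are reachable, yet clients do not drift independently during an outage.
ntp master 8
!
! Access groups: accept time only from the two upstreams (peer), and let the
! internal ranges request time (serve-only) without becoming peers or issuing
! control queries against this router.
access-list 10 permit 192.0.2.10
access-list 10 permit 198.51.100.20
access-list 20 permit 10.0.0.0 0.255.255.255
ntp access-group peer 10
ntp access-group serve-only 20
!
! Keep the hardware calendar in step so a reboot starts with sane time
! (platforms with a hardware calendar only).
ntp update-calendar
!
! --- Distribution/access switch: client of the internal roots only ---
! Same key as the core; both internal roots are listed so one outage
! does not leave the switch without a source.
ntp authentication-key 1 md5 INTERNAL-KEY-PLACEHOLDER
ntp authenticate
ntp trusted-key 1
ntp server 10.0.0.1 key 1 prefer
ntp server 10.0.0.2 key 1
!
! Do not listen for NTP on user-facing ports (placeholder port range).
interface range GigabitEthernet1/0/1 - 48
 ntp disable
!
! Verification from exec mode:
!   show ntp associations   - each source with its stratum, reach and sync marker
!   show ntp status         - whether the clock is synchronized and at what stratum
```

Two points worth checking in practice. First, `show ntp associations` on every device should list only the internal roots (and, on the roots, only the intended upstreams); anything else means a device was pointed at an external source directly, which is exactly the dispersion problem described above. Second, time.google.com smears leap seconds rather than stepping, so mixing it with a non-smearing source (a GNSS receiver or most pool servers) produces a brief, deliberate disagreement of up to a second around a leap second; pick sources that handle leap seconds the same way.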
