09-26-2019 11:06 AM - edited 09-26-2019 11:08 AM
Hi there,
I'm asking for your opinions on an NTP server for a Cisco switch or router. My coworker recommended that I set up an NTP server on the domain controller (DC), but I'm thinking of putting time.google.com (an external source) as my NTP server directly on the switch or router. Will my way cause any potential issues, especially with security? Which one of these two is better, or is there maybe a third option that's even better? Thank you
Best,
PP
09-26-2019 11:39 AM
Hi,
My recommendation is to configure the NTP server on your server, as the DC or another. Why? Because NTP is not as secure a protocol as others, and many attacks have been noticed, such as DoS, vulnerabilities, etc.
Here I found the best guide on the same topic: https://insights.sei.cmu.edu/sei_blog/2017/04/best-practices-for-ntp-services.html
09-27-2019 12:22 AM
Whatever source(s) you set up should be consistent across your estate - otherwise your logs may not quite match up whilst troubleshooting.
Example: when I arrived in my current role there was an unholy mix of approximately 20 separate external NTP sources being used directly by switches, routers, servers, ... The time dispersion was visible to the naked eye and hovered between 1 and 5 seconds across the estate.
I have slimmed that down to a pool of 4 routers as internal sources, and those 4 routers are being fed from 2 GNSS time sources, with a backup of 2 external sources. Time dispersion is now impossible to see, but the reporting suggests everything is now agreeing on time to within less than 1 ms.
If running your own GNSS source is out of budget (they're freely available for ~$500), my advice would be consistency. Either use your router as the root source internally (fed from NTP service(s) of your choice from the internet) or use the DC as the internal root source (again fed from NTP service(s) of your choice from the internet).
09-27-2019 01:59 AM
Hello
You can have your own master NTP server(s), say on your core network, feeding downstream to your distribution layer, which in turn supports your access-layer peers, which lastly your end hosts peer to.
Usually your NTP design would relate to your current network topology (tier system - client/server):
public time servers stratum 1 <--> server tier 2 peer stratum 2 peer <--> server core NTP master stratum 3 peer <--> server distribution peer <--> server access-layer peer <--> hosts
As for security, NTP can be implemented with MD5 authentication, key strings, access control lists, etc.
Have a look at the attached documentation for a possible best practice for NTP in a Cisco environment. It's quite an old doc, but I would say it's still valid for design purposes. <--- Cisco NTP best practice
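The layout the two answers above describe (one internal root fed from a couple of external sources, downstream switches syncing only to that root with a shared key and ACLs), as an added IOS configuration example that is not from the thread or the attached Cisco document; all addresses, ACL names and the key string are placeholders.

```cisco
! Added example (not from the thread): internal root router fed from two
! external sources, serving authenticated time to downstream switches.
! All addresses, ACL names and the key string are placeholders.
!
! ---- Core router: internal root ----
ntp source Loopback0
ntp update-calendar
! Authentication: downstream clients must present this key (MD5, as in the answer above)
ntp authenticate
ntp authentication-key 1 md5 REPLACE-WITH-INTERNAL-KEY
ntp trusted-key 1
! Upstream sources (public servers rarely offer a shared key, so these stay unauthenticated)
ntp server 203.0.113.10 prefer
ntp server 203.0.113.11
! Last-resort fallback: serve the local clock at a deliberately poor stratum
! so clients still agree with each other if every upstream is unreachable
ntp master 10
! ACLs: synchronise only to the listed upstreams, answer only the internal ranges
ip access-list standard NTP-UPSTREAM
 permit 203.0.113.10
 permit 203.0.113.11
ip access-list standard NTP-INTERNAL
 permit 10.0.0.0 0.255.255.255
ntp access-group peer NTP-UPSTREAM
ntp access-group serve-only NTP-INTERNAL
!
! ---- Distribution/access switch: client of the core pair ----
ntp authenticate
ntp authentication-key 1 md5 REPLACE-WITH-INTERNAL-KEY
ntp trusted-key 1
ntp server 10.0.0.1 key 1 prefer
ntp server 10.0.0.2 key 1
! The switch syncs only to the core pair and serves time only to its own hosts
ip access-list standard NTP-CORE
 permit 10.0.0.1
 permit 10.0.0.2
ip access-list standard NTP-HOSTS
 permit 10.20.0.0 0.0.255.255
ntp access-group peer NTP-CORE
ntp access-group serve-only NTP-HOSTS
!
! ---- Verification (exec mode, any device): "*" marks the selected source;
! the offset and dispersion columns (ms) show how closely the estate agrees
show ntp associations
show ntp status
```

With `ntp access-group` present, NTP packets that match none of the configured groups are dropped, which is what keeps an internet-facing router from being used as an open time server.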