03-25-2009 09:54 AM - edited 03-06-2019 04:48 AM
Hi,
Is it possible to make a router act as an NTP server?
My requirement is to allow the Windows Domain Controller to connect to the NTP server to synchronise the time, and then all other servers will point to the Domain Controller.
Looking for the best options.
03-25-2009 10:03 AM
What kind of router are you using? We have our Catalyst 6513 set up as NTP server. These are some of the commands:
ntp authenticate
ntp clock-period xxxxx
ntp master
ntp peer 192.43.244.18
Thanks,
Mohamad
03-25-2009 10:15 AM
Ronald
It is certainly possible to configure your router to act as an NTP server for the devices in the Windows network. The best solution for this is to configure the router to learn NTP time from one of the available NTP servers in the Internet. If the router has learned authoritative time from an Internet NTP server then it will automatically act as an NTP server for the devices in your network.
If, for some reason, you do not configure your router to learn NTP time from an Internet NTP server, then you would use the ntp master command on your router to have it act as an NTP server for your network. Based on your description you do not need the ntp authenticate command and you should not configure the ntp clock-period command as suggested by Mohamad. The ntp peer command which he suggests is the command to have your router learn NTP time from an NTP server and the 192.43.244.18 is one of the available public NTP servers so it would be good to use this in your router.
note: if you learn time from an Internet NTP server you do not need the ntp master command. You would need the ntp master command only if your router is not learning time from any other source. I suggest that you just use this and be done with it:
ntp peer 192.43.244.18
HTH
Rick
03-25-2009 10:19 AM
Rick:
As usual, very informative and complete.
Rated it.
Victor
03-25-2009 01:06 PM
Do I need to open any ports on the ASA firewall to allow traffic from the Windows Domain Controller to the router and vice versa?
Internet----IRTR---Firewall-----Layer3-Switch-----Windows-Server
That's the setup I have.
03-25-2009 02:28 PM
Ronald
You would need to open up UDP port 123.
HTH
Rick
03-25-2009 02:42 PM
Hi Ronald,
I agree with Rick. NTP "clock-period" is auto-generated by the appliance so I always remove this from my config documents.
You can go to the NTP website (http://support.ntp.org/bin/view/Servers/WebHome) and choose from the list of Public Pool, Primary or Secondary and drill down to your region.
Again with Rick, I'd avoid using "ntp master" if your NTP source is authoritative.
03-29-2009 11:42 PM
Hi,
In my scenario, the router will learn NTP time from one of the available NTP servers in the Internet.
I have only configured the router with "ntp peer 192.43.244.18".
The output is:
sh ntp associations
address ref clock st when poll reach delay offset disp
*~192.43.244.18 .ACTS. 1 10 64 175 259.0 3.67 2.1
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
Do I need to add any security parameter to it, or any missing config
03-30-2009 02:49 AM
Hi Ronald,
Do you see the "*" symbol? It means that the IP address you've provided is now the "master" time. The third column shows that this is an authoritative time; the "1" means that this is the highest.
To verify, do a "show clock". If your time does not have a "." symbol in the beginning, then it means that your appliance is synchronized to a clock source.
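As an added example (not code from any post in this thread), here is a small parser for the "show ntp associations" output quoted above that applies the checks Leo describes ("*" marker, stratum) and additionally decodes the octal "reach" column; the stratum and offset thresholds are my assumptions, not Cisco defaults.

```python
import re
from dataclasses import dataclass

# Constructed samples: the first is the output Ronald posted above, the second is
# a made-up unsynchronised row ('#' marker, stratum 16, reach 0) for contrast.
SYNCED = """address ref clock st when poll reach delay offset disp
*~192.43.244.18 .ACTS. 1 10 64 175 259.0 3.67 2.1
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
"""
UNSYNCED = "#~192.43.244.18 .INIT. 16 - 64 0 0.0 0.00 16000.\n"

@dataclass
class Association:
    address: str
    refclock: str
    stratum: int
    reach: int          # 8-bit shift register of the last 8 polls, printed in octal by IOS
    offset_ms: float    # offset column is in milliseconds
    synced: bool        # leading '*' = master (synced)
    configured: bool    # '~' = statically configured peer/server

# marker, optional '~', address, ref clock, st, when, poll, reach (octal), delay, offset, disp
ROW = re.compile(r"^([*#+\- ]?)(~?)(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+([0-7]+)\s+(\S+)\s+(\S+)\s+(\S+)")

def parse_associations(text: str) -> list[Association]:
    """Parse association rows; the header and the legend line do not match ROW."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            flag, tilde, addr, refclk, st, _when, _poll, reach, _delay, offset, _disp = m.groups()
            rows.append(Association(addr, refclk, int(st), int(reach, 8),
                                    float(offset), flag == "*", tilde == "~"))
    return rows

def check_time_source(assocs, max_stratum=4, max_offset_ms=128.0):
    """Return (ok, reasons). Thresholds are assumptions, not Cisco defaults."""
    masters = [a for a in assocs if a.synced]
    if not masters:
        return False, ["no association marked '*': router is not synchronized"]
    m, reasons = masters[0], []
    if m.stratum > max_stratum:
        reasons.append(f"stratum {m.stratum} above {max_stratum}")
    if not m.reach & 1:                       # least significant bit = most recent poll
        reasons.append(f"most recent poll of {m.address} failed")
    if bin(m.reach).count("1") < 4:
        reasons.append(f"only {bin(m.reach).count('1')} of last 8 polls reached {m.address}")
    if abs(m.offset_ms) > max_offset_ms:
        reasons.append(f"offset {m.offset_ms} ms exceeds {max_offset_ms} ms")
    return not reasons, reasons

if __name__ == "__main__":
    for sample in (SYNCED, UNSYNCED):
        print(check_time_source(parse_associations(sample)))
```

Feeding it the posted output returns (True, []) because reach 175 octal means six of the last eight polls, including the most recent, succeeded.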
03-30-2009 12:44 PM
Thanks.
If you have noticed, I have just entered the basic required commands for NTP; are there any security issues with this?
A bit concerned about security, any suggestions?
03-30-2009 02:46 PM
NTP has an option to use either authentication-key or trust-key.
You can also put an ACL.
03-30-2009 05:48 PM
Ronald
What you have configured is typically enough when you learn time from one of the public Internet NTP servers. You might configure some authentication or access lists as suggested by Leo for NTP within your own network. But it is not common to do that with the public Internet NTP servers.
Most people regard the security risk in doing NTP with public Internet NTP servers as a slight risk. If you are concerned about that risk, the alternative is to purchase some device with an atomic clock and to generate your own authoritative time without using the public Internet NTP servers.
HTH
Rick
03-30-2009 10:59 PM
Thanks to all..