Showing results for 
Search instead for 
Did you mean: 

NTP Configuration on Nexus 5Ks

I have 2 Nexus 5K switches that I want to make the NTP servers for my network.  

Nexus 1:

Nexus 2:


I have read that you should only use the NTP master command if you basically plan on setting up the switches as their own NTP source (not looking anywhere other than itself for time) so I do not plan on setting them up as NTP masters. 


I will issue the following command on both Nexus switches:

ntp server


On all of the other switches switches in the network I will issue these commands: 

"ntp server prefer"

"ntp server prefer"


My questions are:

Is this the correct config?

Is there a need to setup the Nexus switches as peers?  My thought was no since each Nexus will be looking to for their time.  

Is there a need to setup NTP authentication from the Nexus switches to the rest of the switches in the network?





7 Replies 7

VIP Mentor VIP Mentor
VIP Mentor


 - Better is to remove the NTP services from switches and look into an architecture such as : Intranet Ntp (server)  -> DMZ Ntp -> ISP Ntp


Cristian Matei



    Except the fact that it's not really recommended to open up the Nexuses for NTP to the Internet (NTP has a sufficient number fo flaws), here are your answers:

     - no need to configure peering

     - authentication, though optional, should always be configured in order to provide a minimum level of security against unauthorised time sources

    - authorization, though optional (via ACL restrictions), should always be configured in order to further enhance security for NTP



Cristian Matei.


So best bet would be to setup an internal NTP server and point everything to that?  


How is syncing the Nexuses to the ISP NTP any safer than syncing to


>So best bet would be to setup an internal NTP server and point everything to that?  



>How is syncing the Nexuses to the ISP NTP any safer than syncing to

         - Probably not safer but more optimal in terms of cascading




   I would deploy NTP with both authentication and authorization. As in your case, you have to get the clock from outside your network, and you can't afford a DMZ device which gets clock from Internet and your network gets it from your DMZ device, use the ISP as NTP. Technically speaking, a public NTP server is less secure than an ISP provided NTP server, as the ISP provided NTP server is usually not reachable by everyone the Internet, but rather only from the ISP's clients, and thus is less susceptible to being attacked or becoming a relay for NTP attacks. The risk here is not necessarily not getting the correct time (although this is important as well for forensics, where if the time is not right, you just lost), but rather having your NTP client (Nexus device) in this case with high CPU (Which leads too unexpected behaviour) and/or getting BW depletion. Here's one reference, to understand the NTP Amplification attack.



Cristian Matei.

Got it.  So the absolute best case scenario would be to setup a NTP server on a physical machine that sits in the firewall DMZ that will get its time from our ISP NTP server and then point all internal devices to that NTP server through the DMZ?


I have spare servers and have the ability to setup the DMZ so this is definitely doable. 


Any recommendations on Intranet NTP Server?   This a good option?


If I setup above and pointed all switches to this ntp server would there still be a need for authentication and authorization?



   Yes, use the built-in NTP daemon. With that design in mind, i would still configure authentication/authorization (it's just a copy/paste one time); without it configured you just risk some "insider" influencing your clock on the network devices.



Cristian Matei.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers