[c-nsp] NTP Config

Justin Shore justin at justinshore.com
Wed Jul 11 16:14:01 EDT 2007


Jay Hennigan wrote:
> Hitesh Vinzoda wrote:
>> I have got 4 Cisco 6509s in a mesh for the core and I want to enable NTP on
>> those to act as a master.
>>
>> I went through the config; the only option there is
>>
>> config>ntp master stratum 8 ( 8 is the default value )
>>
>> Will this command alone enable the device to act as an NTP server?
>> Suggestions are invited for config of NTP in a mesh of 6509s with
>> etherchannels for redundancy of NTP.
> 
> This command will cause the local device to assume that its internal 
> local clock/calendar is accurate and advertise it to the rest of the 
> network as a (somewhat) accurate time source.  The (somewhat) depends on 
> the stratum; lower numbers imply higher accuracy.
> 
> If you do this and set the rest of the units to reference this unit as 
> an ntp server, all of the clocks will be synchronized *with each other* 
> but not with any other authoritative time source.  If your master thinks 
> it's January 1982, so will the rest of your network.
> 
> You probably want one (or more) of your devices to also reference one 
> (or more) time sources of substantially higher authority than the 
> crystal oscillator in a 6509.  These can be a local GPS clock, public 
> NTP server, WWVB radio clock, etc.

To add to what Jay already gave you, I'll throw a few more things your way.

1) Always use authentication between your local peers.  Ideally you 
would also take advantage of NIST's offer of authenticated NTP (or make 
arrangements with another provider with whom you peer).

2) Unless you want to run a public NTP server don't set it up to be one.

3) Pick at least a couple stratum 1 or 2 servers external to your 
network, even if you have a local GPS or WWVB radio.

4) Don't forget to set your source interface for NTP messages.

5) Ask before you use an external NTP server that doesn't give implicit 
permission for everyone to query it (i.e., isn't listed on NIST's NTP 
server page).

I have 3 of our border routers configured as NTP servers.  Each of the 
border routers peers with the others as well as with 3 external stratum 1 
servers.  The use of border routers in our case is a must since our 
backbone is privately addressed.  I filter NTP update messages with an 
ACL.  I also control access to the NTP server for the downstream clients 
with another ACL.  This is what the border routers look like:

ntp source Loopback0
ntp access-group peer 5
ntp access-group serve-only 6
ntp server 192.43.244.18 prefer
ntp server 132.163.4.101
ntp server 129.6.15.28
ntp peer <border2> key 1
ntp peer <border3> key 1
ntp update-calendar
ntp master 3
ntp authenticate
ntp authentication-key 1 md5 <key> 7
ntp trusted-key 1

access-list 5 remark NTP Peers
access-list 5 permit 192.43.244.18
access-list 5 permit 132.163.4.101
access-list 5 permit 129.6.15.28
access-list 5 permit <border1>
access-list 5 permit <border2>
access-list 5 deny   any

access-list 6 remark NTP Serve-Only
access-list 6 permit aaa.bbb.ccc.0 0.0.31.255
access-list 6 permit aaa.bbb.ddd.0 0.0.15.255
access-list 6 deny   any


The other network devices point to all 3 border routers and prefer the 
local border router.  They use auth.  They do not permit queries.  I 
don't have that config handy but you can figure it out from what's above.

HTH
  Justin
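
Added example, not part of Justin's post and not Cisco tooling: a small Python check that audits the "ntp" lines of an IOS config against the points raised in this thread (authentication with a trusted key on every association, a source interface, an access-group, more than one upstream server, and no "ntp master" without an upstream). The two sample configs, the 192.0.2.x addresses, ACL number 7 and the key string are constructed for illustration.

```python
import re

def audit_ntp(config):
    """Return a list of findings for the 'ntp ...' lines of an IOS config."""
    lines = [l.strip() for l in config.splitlines() if l.strip().startswith("ntp ")]
    text = "\n".join(lines)
    servers = [l for l in lines if l.startswith("ntp server ")]
    assocs = servers + [l for l in lines if l.startswith("ntp peer ")]
    trusted = set(re.findall(r"^ntp trusted-key (\d+)", text, re.M))
    defined = set(re.findall(r"^ntp authentication-key (\d+) md5 ", text, re.M))
    findings = []
    if "ntp authenticate" not in lines:
        findings.append("authentication not enabled")
    for key in sorted(trusted - defined):
        findings.append(f"trusted-key {key} is not defined")
    for l in assocs:  # every server/peer line should name a trusted key
        m = re.search(r" key (\d+)\b", l)
        if m is None:
            findings.append(f"no key on: {l}")
        elif m.group(1) not in trusted:
            findings.append(f"key not trusted on: {l}")
    if not any(l.startswith("ntp source ") for l in lines):
        findings.append("no source interface")
    if not any(l.startswith("ntp access-group ") for l in lines):
        findings.append("no access-group")
    if any(l.startswith("ntp master") for l in lines) and not servers:
        findings.append("master with no upstream server")  # free-running clock
    elif len(servers) < 2:
        findings.append("fewer than two upstream servers")
    return findings

# Constructed downstream-client config: three authenticated servers, no queries served.
CLIENT_OK = """
ntp source Loopback0
ntp authenticate
ntp authentication-key 1 md5 EXAMPLE-KEY
ntp trusted-key 1
ntp access-group peer 7
ntp server 192.0.2.1 key 1 prefer
ntp server 192.0.2.2 key 1
ntp server 192.0.2.3 key 1
"""
# Constructed weak config: free-running master, unauthenticated peer, dangling key.
CLIENT_WEAK = """
ntp master 8
ntp peer 192.0.2.2
ntp trusted-key 2
"""

if __name__ == "__main__":
    for name, cfg in (("ok", CLIENT_OK), ("weak", CLIENT_WEAK)):
        print(name, audit_ntp(cfg))
```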

