NTP

ronald.ramzy
Level 1

Hi,

Is it possible to make a Router as an NTP Server.

My requirement is to allow Windows Domain controller to connect to NTP Server to synchronise the time and then all other server will point to Domain Controller.

Looking for a best options

12 Replies

Mohamad Qayoom
Level 3

What kind of router are you using? We have our Catalyst 6513 set up as NTP server. These are some of the commands:

ntp authenticate

ntp clock-period xxxxx

ntp master

ntp peer 192.43.244.18

Thanks,

Mohamad

Ronald

It is certainly possible to configure your router to act as an NTP server for the devices in the Windows network. The best solution for this is to configure the router to learn NTP time from one of the available NTP servers in the Internet. If the router has learned authoritative time from an Internet NTP server then it will automatically act as an NTP server for the devices in your network.

If, for some reason, you do not configure your router to learn NTP time from an Internet NTP server, then you would use the ntp master command on your router to have it act as an NTP server for your network. Based on your description you do not need the ntp authenticate command and you should not configure the ntp clock-period command as suggested by Mohamad. The ntp peer command which he suggests is the command to have your router learn NTP time from an NTP server and the 192.43.244.18 is one of the available public NTP servers so it would be good to use this in your router.

note: if you learn time from an Internet NTP server you do not need the ntp master command. You would need the ntp master command only if your router is not learning time from any other source. I suggest that you just use this and be done with it:

ntp peer 192.43.244.18

HTH

Rick


Rick:

As usual, very informative and complete.

Rated it.

Victor

Do I need to open any ports on the ASA Firewall to allow traffic from Windows Domain Controller to the router and vice-versa?

Internet----IRTR---Firewall-----Layer3-Switch-----Windows-Server

That's the setup I have.

Ronald

You would need to open up UDP port 123.

HTH

Rick

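The firewall side of that answer, as an added example that is not from the thread: an ASA rule permitting only the domain controller to send NTP (UDP/123) to the router. It assumes an access list named INSIDE_IN is applied inbound on the inside interface (without one, the ASA's default higher-to-lower security policy already lets the request out); the addresses 10.1.1.10 (domain controller) and 192.0.2.1 (the router interface the DC points at) and the object names are constructed.

```cisco
! Added example, not from the thread. Constructed values:
!   10.1.1.10 = Windows domain controller on the inside interface
!   192.0.2.1 = router interface the DC uses as its NTP server (outside the ASA)
! Assumes INSIDE_IN is already applied inbound on "inside"; put these lines
! before any broad "permit ip any any" in that list, or they never match.
object network DC_SRV
 host 10.1.1.10
object network NTP_RTR
 host 192.0.2.1
!
! Only the DC may send NTP to the router. The ASA's stateful inspection
! builds a UDP connection entry, so the router's reply comes back through
! without a second rule for the reverse direction.
access-list INSIDE_IN remark DC -> router NTP
access-list INSIDE_IN extended permit udp object DC_SRV object NTP_RTR eq ntp
! Drop and log any other inside host that tries to reach NTP on its own
access-list INSIDE_IN extended deny udp any any eq ntp log
access-group INSIDE_IN in interface inside
!
! Verification: hit counts on the two lines, and the live UDP/123 connection
show access-list INSIDE_IN
show conn protocol udp port 123
```

From the domain controller, `w32tm /stripchart /computer:192.0.2.1 /samples:3` shows whether replies are arriving through the firewall; a hit count on the deny line is the signal that some other inside host is trying to use an NTP server of its own.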

Leo Laohoo
Hall of Fame

Hi Ronald,

I agree with Rick. NTP "clock-period" is auto-generated by the appliance so I always remove this from my config documents.

You can go to the NTP website (http://support.ntp.org/bin/view/Servers/WebHome) and choose from the list of Public Pool, Primary or Secondary and drill down to your region.

Again with Rick, I'd avoid using "NTP Master" if your NTP is authoritative.

Hi,

In my scenario.

The Router will learn NTP time from one of the available NTP servers in the Internet.

I have only configured the router with "ntp peer 192.43.244.18"

The output is:

sh ntp associations

address ref clock st when poll reach delay offset disp

*~192.43.244.18 .ACTS. 1 10 64 175 259.0 3.67 2.1

* master (synced), # master (unsynced), + selected, - candidate, ~ configured

Do I need to add any security parameter to it, or any missing config?

Hi Ronald,

Do you see the "*" symbol? It means that that IP Address you've provided is now the "master" time. The third column shows that this is an authoritative time, the "1", means that this is the highest.

To verify, do a "show clock". If your time does not have a "." symbol in the beginning, then it means that your appliance is synchronized to a clock source.

Thanks.

If you have noticed, I have just entered the basic required commands for NTP; are there any security issues with this?

Bit concerned about security, any suggestions?

NTP has an option to use either authentication-key or trust-key.

You can also put an ACL.

Ronald

What you have configured is typically enough when you learn time from one of the public Internet NTP servers. You might configure some authentication or access lists as suggested by Leo for NTP within your own network. But it is not common to do that with the public Internet NTP servers.

Most people regard the security risk in doing NTP with public Internet NTP servers as a slight risk. If you are concerned about that risk the alternative is to purchase some device with an atomic clock and to generate your own authoritative time without using the public Internet NTP servers.

HTH

Rick

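Putting Leo's two suggestions (an authentication key, an ACL) and Rick's advice (keep the public server unauthenticated, apply controls inside your own network) together on the router, as an added IOS example that nobody posted in the thread. It learns time from 192.43.244.18 with a client/server association (`ntp server` rather than `ntp peer`, which is symmetric, so the public host cannot act as a peer of the router), uses NTP access groups to say who may be a time source and who may ask the router for time, and defines a key for internal clients that support symmetric-key authentication. The subnet 10.1.1.0/24, the interface name and the ACL numbers are constructed; `<key>` is a placeholder.

```cisco
! Added example, not from the thread. Constructed values:
!   192.43.244.18      = the public server already used in the thread
!   10.1.1.0/24        = server VLAN holding the Windows domain controller
!   GigabitEthernet0/0 = interface whose address the DC points at
!   <key>              = placeholder, take it from your secret store
!
! Client/server association: the router learns time from the public host,
! which can never become a symmetric peer of the router.
ntp server 192.43.244.18
ntp source GigabitEthernet0/0
!
! Key shared with internal clients that support symmetric-key NTP
! authentication. "ntp authenticate" is intentionally absent: with it set,
! IOS synchronizes only to sources that present a trusted key, and the
! public server above sends none, so the router would never sync.
! trusted-key marks key 1 as acceptable from a source should authentication
! of the upstream be turned on later.
ntp authentication-key 1 md5 <key>
ntp trusted-key 1
!
! Restrict NTP by role:
!   peer       - who may be a time source for this router (the public server)
!   serve-only - who may request time from this router (the server VLAN)
! A packet matching neither group is dropped, which also stops the router
! answering NTP queries from the Internet side.
access-list 10 remark NTP: allowed time sources
access-list 10 permit host 192.43.244.18
access-list 20 remark NTP: internal clients allowed to sync from this router
access-list 20 permit 10.1.1.0 0.0.0.255
ntp access-group peer 10
ntp access-group serve-only 20
!
! Verification. "show ntp status" should report the clock as synchronized at
! stratum 2 (one below the stratum-1 source); "show clock" should no longer
! show the leading "." once synchronized.
show ntp status
show ntp associations detail
show clock
```

The domain controller can sync unauthenticated from within the serve-only group exactly as the router does from the public server; the key only adds value for clients that are configured to present key 1. If authentication is later required for the upstream as well, the same three commands plus `ntp authenticate` and a `key 1` on the `ntp server` line do it, but only against a server that actually shares that key.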

Thanks to all..
