Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1001
Views
0
Helpful
8
Replies

ASA and NTP

Go to solution
mahesh18
Level 6
Level 6

‎03-04-2014 09:09 AM - edited ‎03-11-2019 08:53 PM

Hi Everyone,

I have this setup below

ISP-------R1-------OSPF----Sw1--------IPSEC-------OSPF----R2----- ASA--------inside interface --R3

Where R1 has public server as NTP.

Sw1 has its default gateway which points to R1 and this default gateway IP is  NTP server for Sw1.

R2 also has same NTP server IP as Sw1.

R3 has default gateway pointing to ASAs  inside interface IP.

R3 also has same NTP server IP as R2 and Sw1.

ASA has its default gateway IP as NTP server.

Need to confirm what is best way to config NTP on Lan devices

Should we config default gateway of  each Lan device like switch,router or ASA as NTP server?

OR can we use the Public NTP server IP inside all Lan devices?

Regards

Mahesh

Message was edited by: mahesh parmar

Labels:
0 Helpful
4 Accepted Solutions

Accepted Solutions

Go to solution
Richard Burts
Hall of Fame
Hall of Fame

‎03-04-2014 09:29 AM

Mahesh

There may be some aspects of your question that I do not fully understand. But from what I think I do understand here is my advice:

- you should NOT have the hosts on the LAN use the public NTP server. For one thing it would require that their NTP traffic use a much longer path than is necessary. And it would present an unreasonable load on the public NTP server. If you have all your LAN devices use a single server for NTP and the server is yours then that is one thing, but to send all the LAN host NTP traffic to the public NTP server is not fair to the people who operate the public NTP server.

- you should not have the LAN hosts use the ASA as their NTP server.

- It is not clear to me whether the LAN that you refer to is on R3 or is the LAN in places other than R3?

- In general I would suggest that the hosts on the LAN be configured to use the closest IOS based device that is capable of providing NTP time. Remember that for IOS devices (switches and routers) that once they have learned NTP time from an authoritative source then they are capable to function as NTP server to other devices. So it would make sense for the LAN hosts to use their default gateway as their NTP server (as long as their default gateway is not the ASA).

HTH

Rick

HTH

Rick

View solution in original post

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎03-04-2014 09:50 AM

Hi Mahesh,

You asked if you can use the public NTP server IP for your inside devices - yes you CAN but many people choose not to. It depends on your access policy - if you allow all inside hosts outbound access to all services and ports then it works fine. If your security policy is locked down to only allow predefined services (say http/https only outbound or something like that) then you cannot - unless you open up the port used by ntp (udp 123).

Also, I tend to try to avoid setups where NTP comes from public IP via router A, then to switch B then to firewall C and then to switch D. That adds unnecessary complexity in my opinion and makes your end system further removed from the Stratum 0 root ntp servers.

I would consider a best practice for network devices to have a given core switch (or pair of switches) to reference a pair of public Stratum 0 servers. It should then report itself as Stratum 1. Then set all your other devices to reference those Stratum 1 internal switches. The same thing goes for your server infrastructure - primary domain controller references the public server and all other computers get time from the PDC.

View solution in original post

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to mahesh18

‎03-04-2014 10:00 AM

Mahesh

Perhaps it is a matter of perspective in how we understand the questions. So let me offer these observations:

- you say that you do not have an NTP server. While I understand that you do not have any device that is a dedicated NTP server, I will point out that when R1 learns NTP time from the public server then R1 does become an NTP server. And when SW1 learns NTP time from R1 then SW1 does become an NTP server. So you do, in  fact, have NTP servers in your network.

- when an IOS device learns NTP time then it becomes capable of acting as an NTP server. So both IOS switches and routers can function as NTP servers. This is not the case with ASA which can learn NTP time but will not function as an NTP server.

- it is appropriate for one (or several) of your network edge routers to learn NTP from the public server. It is not appropriate (and not fair) for all of your devices to use the public server as their NTP server.

- in general it is a Best Practice to develop a hierarchal structure for NTP. So that your edge router learns NTP from the public server and then the edge router becomes an NTP server to devices that connect to it. Those devices then become NTP server to devices that connect to them. and so on. This achieves several desirable goals: 1) each device has as short as possible data path that NTP must traverse. 2) the load of providing NTP is distributed and no single device gets bogged down in servicing NTP requests.

HTH

Rick

HTH

Rick

View solution in original post

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to Marvin Rhoads

‎03-04-2014 10:11 AM

So Marvin and I have different perspectives on the implementation of NTP. He advocates for a flat structure with a couple of primary servers and all other devices use these servers for NTP. That certainly keeps it simple. And no device is lower stratum than 2 - if you really care about that. I advocate for a hierarchal organization. It spreads the load of providing NTP and it reduces the length of the data path for most of the devices. It does mean that some devices may be at stratum 4, or 5, or whatever. But I would suggest that for almost all of our networks there is very little difference between being stratum 2 and being stratum 5. Our timestamps are still going to sync with each other and the other things that we want NTP for will work just fine.

Both approaches have their merits. Both approaches will work. Choose the one that you like the best.

HTH

Rick

HTH

Rick

View solution in original post

0 Helpful
8 Replies 8

Go to solution
Richard Burts
Hall of Fame
Hall of Fame

‎03-04-2014 09:29 AM

Mahesh

There may be some aspects of your question that I do not fully understand. But from what I think I do understand here is my advice:

- you should NOT have the hosts on the LAN use the public NTP server. For one thing it would require that their NTP traffic use a much longer path than is necessary. And it would present an unreasonable load on the public NTP server. If you have all your LAN devices use a single server for NTP and the server is yours then that is one thing, but to send all the LAN host NTP traffic to the public NTP server is not fair to the people who operate the public NTP server.

- you should not have the LAN hosts use the ASA as their NTP server.

- It is not clear to me whether the LAN that you refer to is on R3 or is the LAN in places other than R3?

- In general I would suggest that the hosts on the LAN be configured to use the closest IOS based device that is capable of providing NTP time. Remember that for IOS devices (switches and routers) that once they have learned NTP time from an authoritative source then they are capable to function as NTP server to other devices. So it would make sense for the LAN hosts to use their default gateway as their NTP server (as long as their default gateway is not the ASA).

HTH

Rick

HTH

Rick
0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Richard Burts

‎03-04-2014 09:40 AM

Hi Rick,

Lan i refer here is  all network devices from R1 to R3 no user PC.

I do not have any NTP server on my network.

When you say---So it would make sense for the LAN hosts to use their default gateway as their NTP server (as long as their default gateway is not the ASA.

Does it also point to my Lan hosts which are R3,ASA,R2, and SW1?

Regards

MAhesh

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to mahesh18

‎03-04-2014 10:00 AM

Mahesh

Perhaps it is a matter of perspective in how we understand the questions. So let me offer these observations:

- you say that you do not have an NTP server. While I understand that you do not have any device that is a dedicated NTP server, I will point out that when R1 learns NTP time from the public server then R1 does become an NTP server. And when SW1 learns NTP time from R1 then SW1 does become an NTP server. So you do, in  fact, have NTP servers in your network.

- when an IOS device learns NTP time then it becomes capable of acting as an NTP server. So both IOS switches and routers can function as NTP servers. This is not the case with ASA which can learn NTP time but will not function as an NTP server.

- it is appropriate for one (or several) of your network edge routers to learn NTP from the public server. It is not appropriate (and not fair) for all of your devices to use the public server as their NTP server.

- in general it is a Best Practice to develop a hierarchal structure for NTP. So that your edge router learns NTP from the public server and then the edge router becomes an NTP server to devices that connect to it. Those devices then become NTP server to devices that connect to them. and so on. This achieves several desirable goals: 1) each device has as short as possible data path that NTP must traverse. 2) the load of providing NTP is distributed and no single device gets bogged down in servicing NTP requests.

HTH

Rick

HTH

Rick
0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎03-04-2014 09:50 AM

Hi Mahesh,

You asked if you can use the public NTP server IP for your inside devices - yes you CAN but many people choose not to. It depends on your access policy - if you allow all inside hosts outbound access to all services and ports then it works fine. If your security policy is locked down to only allow predefined services (say http/https only outbound or something like that) then you cannot - unless you open up the port used by ntp (udp 123).

Also, I tend to try to avoid setups where NTP comes from public IP via router A, then to switch B then to firewall C and then to switch D. That adds unnecessary complexity in my opinion and makes your end system further removed from the Stratum 0 root ntp servers.

I would consider a best practice for network devices to have a given core switch (or pair of switches) to reference a pair of public Stratum 0 servers. It should then report itself as Stratum 1. Then set all your other devices to reference those Stratum 1 internal switches. The same thing goes for your server infrastructure - primary domain controller references the public server and all other computers get time from the PDC.

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to Marvin Rhoads

‎03-04-2014 10:11 AM

So Marvin and I have different perspectives on the implementation of NTP. He advocates for a flat structure with a couple of primary servers and all other devices use these servers for NTP. That certainly keeps it simple. And no device is lower stratum than 2 - if you really care about that. I advocate for a hierarchal organization. It spreads the load of providing NTP and it reduces the length of the data path for most of the devices. It does mean that some devices may be at stratum 4, or 5, or whatever. But I would suggest that for almost all of our networks there is very little difference between being stratum 2 and being stratum 5. Our timestamps are still going to sync with each other and the other things that we want NTP for will work just fine.

Both approaches have their merits. Both approaches will work. Choose the one that you like the best.

HTH

Rick

HTH

Rick
0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Richard Burts

‎03-04-2014 10:41 AM

Hi Rick & Marvin,

Thanks for explaining so well about config of NTP.

Best regards

MAhesh

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Richard Burts

‎03-04-2014 10:59 AM

Good point Rick. Either way NTP by it's nature will always be hierarchical to a certain extent.

If you follow the classical recommendations and those written by specialists in NTP, the design would look more like what you're describing. That's more or less how Cisco presents it in the "Network Time Protocol: Best Practices White Paper".

If you look however at the Cisco Validated Design (CVD) references (e.g page 58 of the Campus Wired LAN Technology Design Guide) they advocate a simpler setup akin to what I was saying:

"Configure a synchronized clock by programming network devices to synchronize to a local NTP server in the network. The local NTP server typically references a more accurate clock feed from an outside source."

Either way works.

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to Marvin Rhoads

‎03-04-2014 11:07 AM

Marvin

Yes. Either way works. Both approaches have their merits. And it may depend a bit on the size of the network and the architecture chosen for the network. The important thing is that having NTP uniformly implemented over the network is better than not having NTP.

HTH

Rick

HTH

Rick
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card